You can replace domain passwords with a one-time password that a token generates from a RADIUS server. When users log on to NetScaler Gateway, they enter a personal identification number (PIN) and the passcode from the token. After NetScaler Gateway validates their credentials, the RADIUS server returns the user’s Windows password to NetScaler Gateway. NetScaler Gateway accepts the response from the server and then uses the returned password for single sign-on instead of using the passcode that users typed during logon. This password return with RADIUS feature allows you to configure single sign-on without requiring users to recall their Windows password.
When users log on by using password return, they can access all of the allowed network resources in the internal network, including App Controller, StoreFront, and the Web Interface.
To enable single sign-on by using returned passwords, you configure a RADIUS authentication policy on NetScaler Gateway by using the Password Vendor Identifier and Password Attribute Type parameters. These two parameters return the user’s Windows password to NetScaler Gateway.
NetScaler Gateway supports Imprivata OneSign. The minimum required version of Imprivata OneSign is 4.0 with service pack 3. The default password vendor identifier for Imprivata OneSign is 398. The default password attribute type code for Imprivata OneSign is 5.
You can use other RADIUS servers for password return, such as RSA, Cisco, or Microsoft. You must configure the RADIUS server to return the user single sign-on password in a vendor-specific attribute value pair. In an NetScaler Gateway authentication policy, you must add the Password Vendor Identifier and Password Attribute Type parameters for these servers.
You can find a complete list of vendor identifiers on the Internet Assigned Numbers Authority (IANA) web site. For example, the vendor identifier for RSA security is 2197, for Microsoft, it is 311, and for Cisco Systems, it is 9. The vendor-specific attribute that a vendor supports must be confirmed with the vendor. For example, Microsoft has published a list of vendor-specific attributes at Microsoft Vendor-specific RADIUS Attributes.
You can select any of the vendor-specific attributes to store the single sign-on password for users on the RADIUS server of the vendor. If you configure NetScaler Gateway with the vendor identifier and attribute where the user password is stored on the RADIUS server, NetScaler Gateway requests the value of the attribute in the access request packet that is sent to the RADIUS server. If the RADIUS server responds with the corresponding attribute-value pair in the access-accept packet, password return works regardless of the RADIUS server you use.