Deployment Guide: Learn how to configure Citrix Gateway to use nFactor to authenticate against a RADIUS server for MFA
How to Configure Citrix Gateway to use nFactor to authenticate against a RADIUS server for Multi Factor Authentication (MFA).
This article covers how to configure Citrix ADC Gateway to use nFactor authentication for LDAP and RADIUS-based multifactor authentication and general troubleshooting techniques.
In this article, we assume your Citrix ADC has a Citrix Gateway implementation and RADIUS and LDAP servers.
This article also recommends connecting to your RADIUS and LDAP servers via local load balancing virtual servers, and assumes the load balancers have already been created. You can learn more about creating load-balancing virtual servers here and about configuring RADIUS persistence on a load balancer here.
RADIUS Communication Overview
The RADIUS communication flow begins with an Access-Request packet from the client, in this case the Citrix ADC. The RADIUS server validates the client and authenticate the credentials received within the Access-Request. After validation, the RADIUS server responds with an Access-Accept, Reject, or a Challenge asking for further details from the user.
RADIUS servers have a list of valid clients and a shared secret for each. A RADIUS server usually ignore requests from invalid clients, but some implementations return authentication failures. The shared secret encrypts the password component of the credentials. When the shared secret is wrong, the server always rejects passwords because they don’t decrypt to the correct value.
By default, Citrix ADC sends RADIUS authentication requests from the NSIP of the active HA node and targets a single RADIUS server.
Rather than define the NSIPs of both ADCs in an HA pair as clients on your RADIUS servers, Citrix recommends the ADC send authentication requests via a local Load Balancing virtual server. The Load Balancing virtual server also adds resilience to your setup.
When Citrix ADC sends RADIUS requests via a local Load Balancing virtual server, the requests leave the ADC via a SNIP. SNIPs are floating IP addresses and are only available on the current primary HA node.
When using a Load Balancing (LB) virtual server, the NSIPs of the primary and secondary HA nodes make a request to a local VIP. The LB VIP sends to the RADIUS server using the HA pair’s SNIP.
RADIUS Troubleshooting tools
While most RADIUS implementations are performed without, it can be helpful to understand the most common troubleshooting tools.
The “/tmp/aaad.debug” authentication debug pipe on the Citrix ADC
You can view authentication events on the Citrix ADC by entering the BSH shell with “shell” and then viewing the aaad.debug pipe with “cat /tmp/aaad.debug”.
You can find more information on “aaad.debug” here: https://support.citrix.com/article/CTX114999
NTRadPing is a third-party RADIUS testing tool you can use to generate RADIUS authentication requests and watch the response. You can download NTRadPing here:
Using NTRadPing, you can send RADIUS authentication requests directly from your client to the RADIUS server and ensure that it’s fully operational. On the RADIUS server, you’ll have to define your client’s IP address and a shared secret. You’ll also need firewall rules to let your client talk to the RADIUS server.
You can also use NTRadPing to send authentication requests to the LB virtual server on the ADC, which relays them to the RADIUS server. Since these requests come from the ADC, you’ll need the same shared secret in NTRadPing as ADC. You’ll also need firewall rules to let the client talk to the ADC’s RADIUS LB virtual server.
By testing each component separately, the test will isolate where a failure is occurring. Suppose you can send successful requests manually using the ADC’s RADIUS. In that case, you know the problem is with something before that, like the RADIUS server definition on your ADC, and you can focus your efforts.
NTRadPing consists of two files that you extract into the same directory from its compressed zip. On launch, NTRadPing prompts for:
- The RADIUS server and port
- The RADIUS secret
- A user name and password
- The Authentication request type
Depending on the test you’re performing, you’ll use the RADIUS server IP address or that of the ADC’s LB virtual server as the destination. Most commonly, on port 1812.
Set a RADIUS secret for your client if you’re sending queries directly. If you’re sending queries via the ADC’s LB virtual server to imitate authentication requests from Gateway, use the same shared secret as you have configured the ADC to use. The user name and password fields contain the credentials you expect the ADC to send to the RADIUS server on your behalf. Usually, the “password” field contains the user’s MFA token value.
When you click “Send,” NTRadPing sends an authentication request from your computer to the specified destination and displays the response (typically an Access-Accept or Access-Reject).
You can examine the RADIUS request and response inside WireShark if you take a packet trace on the Citrix ADC during the authentication process.
WireShark is the world’s foremost and widely used network protocol analyzer. WireShark is free and available without here.
In WireShark, you’ll see an Access-Request packet followed by either an Access-Accept, Access-Reject, or Access-Challenge response. Missing responses often indicate a communication problem such as absent firewall rules or the RADIUS server not having a definition for the client.
Assuming that the configuration on your RADIUS servers is already complete, follow the following steps for the MFA authentication with Citrix Gateway:
Enable the Authentication, Authorization, and Auditing (AAA) feature
- If the AAA feature isn’t already enabled, navigate to, Security > AAA – Application Traffic, and right-click to enable the feature.
Add Authentication Servers
Populate details of your RADIUS server
Citrix recommends you don’t target an individual RADIUS server, but instead, target your Load Balancing virtual server. As such, use your RADIUS LB’s VIP as the Server IP in this page. The Secret Key must match the value on your RADIUS server for the ADC’s SNIP.
Populate details of your LDAP target
Like RADIUS, Citrix recommends that you use a local Load Balancing (LB) virtual server as the destination. As such, use the VIP of your LDAP LB virtual server as the Server IP on this page.
Add Advanced Authentication Policies
Create a AAA virtual server
- Enter the following information and click OK.
- Click “Bind” at the bottom of the “Policy Binding” screen.
Apply a Login Schema that presents the user with a user name, password, and passcode field
Note: The “lschema_dual_factor_builtin” policy was added in ADC 13.0 firmware. If you’re using an earlier release then you need to create a policy. You can find instructions explaining how to create a policy here.
Configure your Gateway virtual server to use the new AAA server
If you come across any authentication challenges, please refer to the troubleshooting section of this document.
If you prefer to configure the ADC using the CLI, the following configuration script completes all necessary steps.
# 1. Enable AAA en ns feature aaa # 2. Creating LDAP Server add authentication ldapAction LDAP_for_Gateway -serverIP LDAP_LB_IP -serverPort 636 -ldapBase "DC=citrix,DC=lab" -ldapBindDn email@example.com -ldapBindDnPassword PASSWORD -ldapLoginName sAMAccountName -groupAttrName memberOf # 3. Creating LDAP Policy add authentication Policy LDAP_Pol -rule true -action LDAP_for_Gateway # 4. Creating RADIUS Server add authentication radiusAction RADIUS_Server -serverIP 192.168.1.100 -serverPort 1812 -radKey sharedsecret # 5. Create RADIUS Policy add authentication Policy RADIUS_Pol -rule true -action RADIUS_Server # 6. Create a PolicyLabel triggering the RADIUS Policy add authentication policylabel RADIUS_PolicyLabel -loginSchema LSCHEMA_INT bind authentication policylabel RADIUS_PolicyLabel -policyName RADIUS_Pol -priority 100 # 7. Create the AAA virtual server add authentication vserver nFactorAuthvServer SSL 0.0.0.0 # 8. Bind an SSL certificate to the AAA virtual server bind ssl vserver nFactorAuthvServer -certkeyName "Example Cert" # 9. Bind the LDAP policy and RADIUS PolicyLabel to the AAA virtual server bind authentication vserver nFactorAuthvServer -policy LDAP_Pol -priority 100 -nextFactor RADIUS_PolicyLabel -gotoPriorityExpression NEXT # 10. Bind the builtin Login Schema for dual factor authentication to the AAA virtual server bind authentication vserver nFactorAuthvServer -policy lschema_dual_factor_builtin -priority 100 -gotoPriorityExpression END # 11. Create an Authentication Profile attached to the AAA virtual server add authentication authnProfile MFA_Authentication_Profile -authnVsName nFactorAuthvServer # 12. Configure your existing Gateway virtual server to use the Authentication Profile set vpn vserver "Steven Demo Gateway" -authnprofile "MFA_Authentication_Profile" <!--NeedCopy-->
In this article
- RADIUS Communication Overview
- RADIUS Troubleshooting tools
- GUI Instructions
- Add Advanced Authentication Policies
- Create a AAA virtual server
- Apply a Login Schema that presents the user with a user name, password, and passcode field
- Configure your Gateway virtual server to use the new AAA server
- Perform testing
- CLI Instructions