Archive: How to Configure Web Interface 5.x for Radius Authentication using RSA ACE/Secure ID 6.x Server

  • CTX117965
  • Created On  Feb 04, 2010
  • Updated On  Mar 10, 2012
  • 1 found this helpful
  • Article
  • Topic : Authentication
This article is no longer maintained, its content refers to a discontinued product and may be out of date. Refer to the Discontinued Product Lifecycle or Active Citrix Product pages for more information on support schedules.


Web Interface 5.x for Windows now supports 2-factor authentication using Generic RADIUS.

Radius Authentication is configured in the Access Management Console under explicit, 2-factor authentication Method.

Multiple Radius servers can be configured for load balancing.

RADIUS protocol requires a shared secret that is known only to the RADIUS client (Web Interface in this case) and authenticating RADIUS server.

The shared secret is stored in a simple text file, radius_secret.txt, and contains only the secret. It is created manually by the administrator, and stored locally on each web server acting as a Radius client in the following path: ..\inetpub\wwwroot\sitepath\conf\radius_secret.txt.

Generic RADIUS configuration settings are used for both the Windows and UNIX versions of Web Interface.

SecurID and Safeword Radius servers are supported for both Windows and UNIX implementations.


Web Interface 5.x Configuration

1. Launch the Access Management Console on the Web Interface 5.x server and select the appropriate site. Under Common Tasks, select Configure Authentication methods > explicit.

2. Click Properties > Two-factor authentication, the select Radius from the dropdown list.

3. Configure multiple Radius servers for Load Balancing.

4. Create a radius_secret.txt file containing the secret only and place conf folder. Path - \inetpub\wwwroot\sitepath\conf\radius_secret.txt

RSA/SecurID 6.x Radius Configuration

1. On the RSA6.x server install the Radius authentication client.

2. Verify that the Radius services are started.

3. Launch the RSA Authentication Manager > RADIUS > Manage Radius Server.

4. Add a Radius client (Web Interface server).

5. Use the fully qualified domain name (FQDN) or NetBIOS name of the Web Interface server for Name. It must be resolvable on the Radius server to the IP address you enter.

6. Enter the Shared secret.

7. Client type (Make/Model) is Standard Radius.

8. Assuming the ACE/Server that authenticates users also acts as the RADIUS Server:

    a. Create an Agent Host for the local RADIUS server running in the RSA ACE/Server database.

b. When creating the Agent Host, set the name and IP address to that of the local server, and select Net OS Agent from the Agent type list. The local server must be assigned as the acting server.

9. Add each Web Interface server as an Agent Hosts with agent type Communication Server.

More Information

RSA Radius Server Administrator’s Guide

CTX116590 – Web Interface 5.0.1 Administrator's Guide

Share your comments or find out more about this topic

Citrix Forums

| Terms of Use | Privacy | Governance