CTX125364

How to Configure NetScaler Gateway to use RADIUS and LDAP Authentication with Mobile/Tablet Devices

Applicable Products

  • NetScaler Gateway

Objective

This article describes how to configure the NetScaler Gateway appliance to use RADIUS authentication as primary and LDAP authentication as secondary with mobile/tablet devices.

The configuration demonstrated in this article still allows all other connections to use LDAP first and RADIUS second.

When you configure two-factor authentication on Citrix Receiver for use with mobile/tablet devices, you must add RSA SecurID (RADIUS authentication) as the primary authentication. However, when users are prompted on Receiver for Username, Password and Passcode, they enter the LDAP credentials first and the RADIUS credentials second. From the administrator's point of view, this is a different configuration from the non-mobile one.



Instructions

Complete the following procedure to configure the NetScaler Gateway appliance to use RADIUS authentication as primary and LDAP authentication as secondary with mobile/tablet devices.

  1. From the Configuration Utility, select NetScaler Gateway > Policies > Authentication and create separate LDAP and RSA authentication policies for mobile devices and for non-mobile devices. This is necessary to avoid a logic condition that could allow users to bypass RADIUS authentication.

  2. Under the Servers tab for LDAP, click Add and enter the LDAP server details.

    For more details on how to configure the authentication server, refer to the section "Creating authentication Server" of CTX108876 - How to Configure LDAP Authentication on NetScaler.

    Create an LDAP policy for the mobile devices by choosing the required LDAP server.
    To bind this policy only to mobile devices, use the following expression:

    REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver

    Click Expression Editor to create the policy:


  3. Create a RADIUS server and a RADIUS policy for the mobile devices.
    Navigate to NetScaler Gateway > Policies > Authentication > RADIUS and click Add under the Servers tab.

    Add the required details. The default port for RADIUS authentication is 1812.

    To bind this policy only to mobile devices, use the following expression:

    REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver

  4. Follow the same steps to create an LDAP policy for non-mobile devices. To bind this policy only to non-mobile devices, use the following expression:

    REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver

  5. Create a RADIUS policy for non-mobile devices. To bind this policy only to non-mobile devices, use the following expression:

    REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver

  6. Go to the Properties of the NetScaler Gateway Virtual Server and click the Authentication tab. On the Primary Authentication Policies, add the RSA_Mobile policy as top priority and the LDAP_NonMobile policy as secondary priority:


  7. On the Secondary Authentication Policies, add the LDAP_Mobile policy as top priority, followed by the RSA_NonMobile policy as secondary priority:

    Important! The session policy must have the correct Single Sign-on Credential Index, that is, it must point to the LDAP credentials. For mobile devices, the Credential Index under Session Profile > Client Experience should be set to Secondary, which is LDAP.

    Therefore you need two session policies: one for mobile devices and one for non-mobile devices.

    For mobile devices, the session policy and session profile will look as shown in the following screenshot.
    To create the session policy, navigate to the required virtual server, click Edit, go to the Policies section and click the + sign:


    Choose the Session option from the drop-down.

    Enter the desired Session Policy name and click + to create a new profile. For mobile devices, set the Credential Index under Session Profile > Client Experience to Secondary, which is LDAP.


    For non-mobile devices, follow the same steps, but set the Credential Index under Session Profile > Client Experience to Primary, which is LDAP.

    The expression should be changed to:

    REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver

    To create a new profile for non-mobile users, click the + sign.


  8. Policies and profiles under the required virtual server will look similar to the following screenshot:

  9. Additionally, on StoreFront, under the NetScaler Gateway configuration, set "Logon Type" to "Domain and Security token".
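
The policy cascade that steps 1 through 9 build, as an added Python model (not NetScaler code or anything from Citrix): it evaluates the page's User-Agent expressions for a Receiver client and a browser client, confirms that each gets one RADIUS and one LDAP factor with LDAP as the SSO credential, and shows the bypass that step 1 warns about when the non-mobile LDAP policy is left as a catch-all (ns_true) bound ahead of RSA_Mobile. The User-Agent strings and the ns_true variant are constructed for the example; the model takes the first matching policy per level and ignores cascade fall-through on a failed logon.

```python
"""Constructed model of the policy cascade this article sets up (not NetScaler
code). It evaluates the page's classic expressions against a client's User-Agent,
takes the first matching policy per level in bound priority order (fall-through
on a failed logon is ignored) and checks each client class gets RADIUS + LDAP."""

MOBILE = "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver"
NON_MOBILE = "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver"

# Bindings from steps 6 and 7: (policy name, rule, server type), top priority first.
PRIMARY = [("RSA_Mobile", MOBILE, "RADIUS"), ("LDAP_NonMobile", NON_MOBILE, "LDAP")]
SECONDARY = [("LDAP_Mobile", MOBILE, "LDAP"), ("RSA_NonMobile", NON_MOBILE, "RADIUS")]
# Session policies: the Credential Index each Session Profile hands to SSO.
SESSION = [("Mobile", MOBILE, "SECONDARY"), ("NonMobile", NON_MOBILE, "PRIMARY")]

# Constructed sample User-Agent strings, not real captures.
RECEIVER_UA = "CitrixReceiver/4.0 (iPad; iOS 7)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) Firefox/24.0"

# The condition step 1 warns about: non-mobile LDAP policy as a catch-all, bound first.
LOOSE_PRIMARY = [("LDAP_NonMobile", "ns_true", "LDAP"), ("RSA_Mobile", MOBILE, "RADIUS")]

def rule_matches(rule: str, user_agent: str) -> bool:
    """Evaluate ns_true or REQ.HTTP.HEADER User-Agent CONTAINS|NOTCONTAINS <value>."""
    if rule == "ns_true":
        return True
    prefix, header, op, value = rule.split()
    if (prefix, header) != ("REQ.HTTP.HEADER", "User-Agent") or op not in ("CONTAINS", "NOTCONTAINS"):
        raise ValueError(f"unsupported expression: {rule}")
    return (value in user_agent) == (op == "CONTAINS")

def first_match(policies, user_agent):
    """Value carried by the highest-priority policy whose rule matches, else None."""
    return next((val for _, rule, val in policies if rule_matches(rule, user_agent)), None)

def authenticate(user_agent, primary=PRIMARY, secondary=SECONDARY, session=SESSION):
    """Return (primary server type, secondary server type, SSO credential type)."""
    p = first_match(primary, user_agent)
    s = first_match(secondary, user_agent)
    sso = {"PRIMARY": p, "SECONDARY": s}.get(first_match(session, user_agent))
    return p, s, sso

def is_radius_plus_ldap(result) -> bool:
    """True when both factors ran, one RADIUS and one LDAP, and SSO is fed LDAP."""
    p, s, sso = result
    return {p, s} == {"RADIUS", "LDAP"} and sso == "LDAP"

def check_article_config():
    """Article bindings pass for both classes; the loose binding lets Receiver skip RADIUS."""
    good = all(is_radius_plus_ldap(authenticate(ua)) for ua in (RECEIVER_UA, BROWSER_UA))
    return good, authenticate(RECEIVER_UA, primary=LOOSE_PRIMARY)
```

With the loose binding a Receiver client is authenticated by LDAP at both levels, which is exactly the RADIUS bypass that the separate mobile and non-mobile policies prevent.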

Additional Resources

In NetScaler software release 10.1 and 10.5, the configuration utility has a new look. The navigation tree is reorganized and grouped according to the major features of the appliance.

CTX108876 - How to Configure LDAP Authentication on NetScaler
CTX113640 - How to Implement RSA Authentication for NetScaler Gateway
Citrix Documentation - How to configure RADIUS and LDAP Authentication for Mobile Devices