This article describes how to configure Radius Authentication/Authorization on Windows 2008 server for use with NetScaler Gateway.
These steps are performed on a Windows 2008 Server with the Network Policy and Access Services (formerly known as Internet Authentication Service) role installed.
To configure Radius on Windows 2008 server you must have the following components:
Citrix Access Gateway (now called NetScaler Gateway) 8.x, 9.x, or 10.x Enterprise Edition.
Windows 2008 Server with Network Policy and Access Services role installed.
Note: For this article, Access Gateway Enterprise version 9.2 build 45.7.cl is used.
Complete the following steps on Windows 2008 Server:
Open the Server Manager and select Roles > Install new Role Service.
Select Network Policy and Access Services > Network Policy Server > Install.
When installed, create a Radius Client and configure a Network Policy to allow Radius authentication through NetScaler Gateway. To launch the Network Policy Server go to Start > All Programs > Administrative Tools > Network Policy Server.
Under Radius Clients and Servers, right-click Radius clients and select New Radius Client.
Fill out the fields shown in the following screenshot. For Vendor name, leave the default option, which is RADIUS Standard. Click OK.
Note: The IP address to enter is the NetScaler IP (NSIP).
Configure the Network Policies. Right-click Network Policies and click New.
Enter a Policy Name, set the Type of network access server to Unspecified, and then select Next.
Under Specify Conditions, click Add, select User Groups > Add Groups and enter the Domain Users Group that should be allowed to authenticate using Radius.
(Optional) You can also add a NAS Identifier condition.
Select Access Granted and click Next.
Under Configure Authentication Methods, select the desired authentication method. This example uses Microsoft Encrypted Authentication version 2 (MS-CHAP-v2). Click Next.
The Configure Constraints window is optional for this implementation. Click Next.
Under Configure Settings > Radius Attributes > Standard, both attributes Framed-Protocol and Service-Type can be removed or left as is. This example leaves them as is.
Add a Class attribute that returns the value CAG, so that NetScaler Gateway can restrict authentication to users who are members of the CAG group.
Enter a String value of name CAG.
Verify that the RADIUS attributes are correct. Click Next.
Confirm that your Network Policy settings are correct. Click Finish.
Ensure under Processing Order, your Network Policy has the appropriate priority.
Create an Authentication Profile for RADIUS authentication.
Configure the authentication server matching the RADIUS settings created on the RADIUS server.
Notes:
Secret Key must match the Shared Secret entered at Step 5.
Group Attribute Type must match the attribute number from Step 15.
Password Encoding must match the Authentication Method selected at Step 11.
Create a Group called CAG, or use the name stated at Steps 14 and 15.
Bind user(s) to the group, if you prefer. Otherwise, bind an Auditing/Session/Traffic policy to the group.
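The three notes above (shared secret, group attribute number, password encoding) are exactly the points where a NetScaler-to-NPS setup usually fails silently. The following Python model of the RADIUS exchange is an added example, not code from the article or from Citrix: it builds the Access-Request the gateway sends (User-Name, User-Password, NAS-IP-Address set to the NSIP), simulates the NPS decision, and on the gateway side validates the reply's Response Authenticator under the shared secret before reading the Class attribute (standard attribute number 25) to derive the CAG group. The secret, NSIP, and user list are constructed sample values, and PAP password encoding is used instead of the article's MS-CHAP-v2 so that everything stays in the standard library.

```python
"""Offline model of the RADIUS exchange configured in the article:
NetScaler (RADIUS client) -> Access-Request -> NPS -> Access-Accept with Class=CAG."""
import hashlib
import hmac
import os
import struct

# Constructed sample values (assumptions, not from the article).
SHARED_SECRET = b"example-shared-secret"  # entered on the NPS RADIUS client and the NetScaler action
NSIP = "10.0.0.10"                        # NetScaler IP registered as the RADIUS client
REGISTERED_CLIENTS = {NSIP}               # NPS answers only clients it knows
USERS = {"jdoe": ("s3cret-pw", True), "guest": ("guest-pw", False)}  # password, in allowed group?
CLASS_ATTR = 25                           # RADIUS Class attribute: the Group Attribute Type
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def encode_pap_password(password, authenticator, secret):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def decode_pap_password(enc, authenticator, secret):
    """Inverse of encode_pap_password; the keystream chains on the ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(enc), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(enc[i:i + 16], key))
        prev = enc[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Pack (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        t, length = struct.unpack_from("!BB", data, pos)
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs


def response_authenticator(code, ident, body, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_access_request(ident, username, password, secret=SHARED_SECRET, nas_ip=NSIP):
    request_auth = os.urandom(16)  # random Request Authenticator, also keys the PAP encoding
    body = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, encode_pap_password(password.encode(), request_auth, secret)),
        (ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body, request_auth


def build_response(code, ident, request_auth, attrs, secret):
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, body, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def simulate_nps(request, secret=SHARED_SECRET):
    """Stand-in for the NPS decision: known client, valid credentials, allowed group -> Class=CAG."""
    code, ident, length = struct.unpack_from("!BBH", request, 0)
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = request[4:20], dict(decode_attrs(request[20:]))
    if ".".join(str(b) for b in attrs.get(ATTR_NAS_IP, b"")) not in REGISTERED_CLIENTS:
        return None  # NPS silently discards requests from unregistered RADIUS clients
    user = attrs.get(ATTR_USER_NAME, b"").decode()
    password = decode_pap_password(attrs.get(ATTR_USER_PASSWORD, b""), request_auth, secret)
    stored = USERS.get(user)
    if stored and hmac.compare_digest(password, stored[0].encode()) and stored[1]:
        return build_response(ACCESS_ACCEPT, ident, request_auth, [(CLASS_ATTR, b"CAG")], secret)
    return build_response(ACCESS_REJECT, ident, request_auth, [], secret)


def parse_response(packet, ident, request_auth, secret=SHARED_SECRET, group_attr=CLASS_ATTR):
    """Gateway side: authenticate the reply under the shared secret, then extract group names."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, rid, length = struct.unpack_from("!BBH", packet, 0)
    if rid != ident or length != len(packet):
        raise ValueError("identifier or length mismatch")
    body = packet[20:]
    if not hmac.compare_digest(response_authenticator(code, rid, body, request_auth, secret), packet[4:20]):
        raise ValueError("response authenticator mismatch: shared secrets differ or reply is forged")
    groups = [v.decode("utf-8", "replace") for t, v in decode_attrs(body) if t == group_attr]
    return code == ACCESS_ACCEPT, groups


def simulate_login(username, password, nps_secret=SHARED_SECRET):
    """Full round trip; returns (accepted, groups) as the gateway would see them."""
    ident = 7  # a real NAS rolls this identifier per outstanding request
    request, request_auth = build_access_request(ident, username, password)
    reply = simulate_nps(request, nps_secret)
    if reply is None:
        raise TimeoutError("no reply: NPS does not know this RADIUS client (check the NSIP entry)")
    return parse_response(reply, ident, request_auth)


def mismatch_detected(nps_secret=b"a-different-secret"):
    """True when the gateway rejects a reply signed with a different shared secret."""
    try:
        simulate_login("jdoe", "s3cret-pw", nps_secret=nps_secret)
    except ValueError:
        return True
    return False
```

Running `simulate_login("jdoe", "s3cret-pw")` yields `(True, ["CAG"])`, which is the value the gateway compares against its CAG group; a user outside the allowed Windows group gets an Access-Reject with no Class attribute, and a mismatched shared secret is caught by the Response Authenticator check rather than by a confusing "invalid credentials" symptom.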