How to Configure NetScaler Gateway to authenticate using MFA (NPS) RADIUS server

---

Instructions

Assuming that the Azure server configuration is done as per the Microsoft documents, follow the following steps for the MFA authentication with NetScaler Gateway:

Configure an NetScaler Gateway Virtual server that will send RADIUS authentication requests to the Azure MFA server.

1. Log in to the administration interface for the SSL VPN appliance.

2. On the dashboard, click the Configurations tab.

3. Navigate to NetScaler Gateway|Virtual Servers. 

4. Select the virtual server that will be used for MFA.

5. Click Edit.

6. On the VPN Virtual Server page, navigate to Authentication and click the + symbol.

7. The pane to add a new policy opens.

8. Complete the following in the Policies pane: Choose Policy – select RADIUS. Choose Type – select Primary. Continue – click to add RADIUS policy. 

9. On the Policy Binding panel, complete the following: Priority – enter 100.  Select Policy – click the + symbol to add a new policy binding.

10. The Create Authentication RADIUS Policy pane opens. Complete the following: Name – enter a descriptive name for the new RADIUS policy. Server – click the + symbol to add a new RADIUS server.

11. On the Create Authentication RADIUS Server screen, complete the following:
    Name – enter a friendly name to identify the Azure MFA server as the RADIUS server.

12. Select an option to use for connecting to the MFA server:
    • Server Name – select to designate the MFA server’s computer name in the Server Name field below.
    • Server IP – select to designate the MFA server’s IP Address in the field below.
13. Port – enter the port number used for authentication communication on the MFA Server. Defaults are 1812 or 1645.
14. Time-out (seconds) – it is important to set a sufficient length of time for users to authenticate. 30 seconds is a common duration but may need to be adjusted. For example, large organizations might need more time to accommodate a higher volume of requests.
15. Secret Key – enter the security passphrase created to encrypt communication between MFA and the NetScaler VPX.
16. Confirm Secret Key – confirm the same key passphrase.
17. Click Create to save server configuration and return to the Create Authentication RADIUS Policy pane.
18. Expression – enter NS_TRUE. This is required to enable and authenticate all devices through the new policy.
19. Click Create to save the policy configuration.
20. Click Bind to append the RADIUS policy configuration.

Citrix is not responsible for and does not endorse or accept any responsibility for the contents or your use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever Web site you use is free of viruses or other harmful items.

How to Configure NetScaler Gateway to authenticate using MFA (NPS) RADIUS server