NetScaler Gateway : Radius Authentication Fails Intermittently Despite RADIUS Server Accept

Article ID: CTX236072

Description

NetScaler Gateway Authentication Scenario 1:

The Gateway page presents two-factor authentication. First, the user enters the LDAP username and password.
The user then has two options: complete the touch authentication in the MFA application, or wait for the RADIUS authentication.
Touch authentication or RADIUS authentication works fine if the process is completed within 30 seconds; otherwise the authentication times out.

NetScaler Gateway Authentication Scenario 2:

The RADIUS server takes longer than the configured NATPCB timeout (default 4 seconds) to respond. The RADIUS server's response shows an Accept, but the ADC logs show REJECT.

Resolution

Increase the value of the "nsconnIdle" timeout.
  1. To change the timeout value, go to Systems > Settings > (far right) Change Timeout Values > NATPCB New Connection Idle Time-out (secs).
  2. Increase the value of "NATPCB New Connection Idle Time-out (secs)" to a value within which the RADIUS Access-Request Challenge can be expected to complete.
Via the CLI, use this command to set a 20-second timeout:
set ns timeout -NewConnIdleTimeOut 20
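
To confirm Scenario 2 and to check that a chosen timeout covers the delays actually seen, RADIUS requests and responses from a packet capture can be paired and timed. The following is an added example, not Citrix code: the capture records (timestamp, client source port, raw RADIUS payload) are constructed, and measuring the delay from the first Access-Request when a request is retransmitted is an assumption.

```python
import struct

# RADIUS packet codes (RFC 2865)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def parse_header(raw):
    """Return (code, identifier) from the 20-byte RADIUS header."""
    if len(raw) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if not 20 <= length <= len(raw):
        raise ValueError("bad RADIUS length field")
    return code, ident

def response_delays(capture):
    """Pair each response with its request by (client port, identifier)."""
    pending, delays = {}, []
    for ts, client_port, raw in capture:
        code, ident = parse_header(raw)
        key = (client_port, ident)
        if code == 1:
            # Assumption: a retransmitted request keeps the first send time.
            pending.setdefault(key, ts)
        elif key in pending:
            delay = round(ts - pending.pop(key), 3)
            delays.append((ident, CODES.get(code, str(code)), delay))
    return delays

def late_accepts(capture, idle_timeout=4.0):
    """Accepts that arrived after the idle timeout (seconds) had elapsed."""
    return [d for d in response_delays(capture)
            if d[1] == "Access-Accept" and d[2] > idle_timeout]

def pkt(code, ident):
    """Build a minimal constructed RADIUS packet: header plus zeroed authenticator."""
    return struct.pack("!BBH", code, ident, 20) + bytes(16)

# Constructed capture: (seconds, client source port, RADIUS payload)
CAPTURE = [
    (0.0, 50001, pkt(1, 7)),
    (1.2, 50001, pkt(2, 7)),    # Accept within the default timeout
    (10.0, 50002, pkt(1, 8)),
    (13.0, 50002, pkt(1, 8)),   # retransmitted request
    (16.5, 50002, pkt(2, 8)),   # Accept 6.5 s after the first request
    (20.0, 50003, pkt(1, 9)),
    (22.0, 50003, pkt(3, 9)),   # genuine Reject from the server
]

if __name__ == "__main__":
    print(late_accepts(CAPTURE))
```

Any Accept this reports against the current timeout is a candidate for the mismatch described in Scenario 2; rerunning with the planned value as idle_timeout shows whether that value leaves any late Accepts.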