Troubleshooting Authentication Issue Through Netscaler when Using LDAP and RSA

Article ID: CTX204998

Description

Authentication fails when using Dual auth (LDAP+RSA) on NetScaler.

Resolution

The following initial troubleshooting steps can be performed:

1) Run the aaad.debug log on NetScaler and check for any LDAP or RSA authentication failures. Look for messages like the following:

process_radius Got RADIUS event
process_radius Received BAD_ACCESS_REJECT for: <username>
process_radius Sending reject.
send_reject_with_code Rejecting with error code 4001

Error code 4001 means "Invalid Credentials". This confirms that the issue is with RSA/RADIUS authentication on NetScaler and not with LDAP.

2) Then run nstrace and filter on the RADIUS server IP, or use the "radius" display filter in Wireshark.

For RADIUS authentication to succeed, the following packets should be seen:

Access-Request - from NetScaler to the RADIUS server
Access-Accept  - from the RADIUS server to NetScaler

3) If an Access-Reject is seen, the issue is more likely on the RSA/RADIUS server side.
4) Check that the Agent Host is added on the RSA server with the Network address set to the NSIP of the NetScaler.
5) If an Access-Request is seen going to the backend server but no response comes back, then either the packet did not reach the backend RADIUS server or the backend server is not configured properly.
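As an added example (not from this article or from Citrix), a small Python triage helper that applies the checks above to constructed input: it pulls the rejecting leg, the user and the error code out of aaad.debug-style lines, and classifies a list of RADIUS packet summaries from an nstrace the way steps 3 and 5 describe. The exact line format, the (src, dst, code) packet tuples, the IP addresses and the sample data are assumptions.

```python
import re

# Meaning quoted in the article for code 4001; other codes are not covered.
ERROR_CODE_MEANING = {4001: "Invalid Credentials"}

def classify_aaad_debug(lines):
    """Walk aaad.debug-style lines and report which leg (RADIUS/LDAP) rejected,
    for whom, and with which error code. The line format is an assumption based
    on the messages quoted above; real files carry extra prefixes per line."""
    finding = {"leg": None, "user": None, "error_code": None, "meaning": None}
    for line in lines:
        m = re.search(r"(process_\w+) Received BAD_ACCESS_REJECT for: (\S+)", line)
        if m:
            finding["leg"] = m.group(1)[len("process_"):].upper()
            finding["user"] = m.group(2)
        m = re.search(r"Rejecting with error code (\d+)", line)
        if m:
            code = int(m.group(1))
            finding["error_code"] = code
            finding["meaning"] = ERROR_CODE_MEANING.get(code, "unknown")
    return finding

def classify_radius_exchange(packets, nsip, radius_ip):
    """packets: (src, dst, radius_code) tuples summarised from an nstrace that
    was filtered on the RADIUS server IP. Maps the outcome to steps 3 and 5."""
    requests = [p for p in packets
                if p[0] == nsip and p[1] == radius_ip and p[2] == "Access-Request"]
    replies = [p for p in packets if p[0] == radius_ip and p[1] == nsip]
    if not requests:
        return "no-request"      # nothing left the NSIP: check the NetScaler side
    if not replies:
        return "no-response"     # step 5: unreachable or misconfigured RADIUS server
    if any(p[2] == "Access-Accept" for p in replies):
        return "accepted"
    if any(p[2] == "Access-Reject" for p in replies):
        return "rejected"        # step 3: look at the RSA/RADIUS server (Agent Host)
    return "unknown"

# Constructed sample input (not captured from a real appliance).
SAMPLE_AAAD_DEBUG = [
    "process_radius Got RADIUS event",
    "process_radius Received BAD_ACCESS_REJECT for: jdoe",
    "process_radius Sending reject.",
    "send_reject_with_code Rejecting with error code 4001",
]
NSIP, RADIUS_IP = "10.0.0.10", "10.0.0.20"   # assumed addresses
SAMPLE_TRACE_NO_REPLY = [(NSIP, RADIUS_IP, "Access-Request")] * 3
SAMPLE_TRACE_REJECT = [(NSIP, RADIUS_IP, "Access-Request"),
                       (RADIUS_IP, NSIP, "Access-Reject")]
```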

Problem Cause

The Agent Host IP was not created on the RSA server.

Issue/Introduction

This article describes an issue where authentication fails when using dual auth (LDAP+RSA) on NetScaler. Because both LDAP and RSA are used, it explains how to find which authentication method caused the failure.

Additional Information

For authentication-related troubleshooting, refer to the article below:

http://support.citrix.com/article/CTX217145