Configuring Gateway nfactor authentication with Radius first & LDAP second

Article ID: CTX579561

Description

This article describes how to configure a Citrix Gateway appliance to use RADIUS authentication as the first factor and LDAP authentication as the second factor.

The StoreFront - Gateway integration should already be in place, using the 'Domain' logon type in the Gateway configuration under 'Manage Citrix Gateway'.


Instructions

We are going to use an authentication profile on the ADC Gateway with RADIUS as the first factor and LDAP as the second factor.

1. Configure a RADIUS server (Action) in Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > RADIUS > Actions. Fill in the details of the server and use 'Test Radius Reachability' to validate communication with the server.

2. Create a policy that will be bound to the RADIUS server (Action) in Security > AAA - Application Traffic > Policies > Authentication > Advanced > Policies > Authentication Policies. The policy will be bound to a vserver, and its rule determines when the policy is triggered: to trigger the policy always, use the expression 'true', but a filter on other conditions can be used instead.

3. Configure an LDAP server (Action) in Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > LDAP > Actions. Fill in the details of the server and use the test; refer to the URL in the 'Additional Information' section for this configuration (LDAP Authentication).

4. Create a policy that will be bound to the LDAP server (Action) in Security > AAA - Application Traffic > Policies > Authentication > Advanced > Policies > Authentication Policies. The policy will be bound to a vserver, and its rule determines when the policy is triggered: to trigger the policy always, use the expression 'true', but a filter on other conditions can be used instead.

5. Create an AAA vserver in Security > AAA - Application Traffic > Authentication Virtual Servers. As it is used only by the Gateway, it will be non-addressable.

5-1. Bind the same certificate that is bound to the Gateway; this sets the AAA vserver to the 'UP' state. Then bind the RADIUS and LDAP policies by selecting 'No Authentication Policy' under 'Advanced Authentication Policies' and clicking 'Add Binding'.

5-2. Place the RADIUS policy (Step 2) as the first policy and click 'Add' under 'Select Next Factor'.

5-3. In the 'Authentication Policy Label' menu, after giving it a name, click 'Add' under 'Login Schema'. In the 'Create Authentication Login Schema' menu, give it a name and leave 'Authentication Schema' set to 'noschema', expand 'More', enable the checkbox 'Enable Single Sign On Credentials', and then click 'Create'. The LDAP credentials are the ones that will be sent to StoreFront for SSO.

5-4. Click 'Continue', then click 'Done' in the 'Authentication Policy Label' section.

5-5. Bind the LDAP policy (Step 4) here by clicking 'Click to select' under 'Select Policy' in the 'Policy Binding' section, then click 'Bind' at the bottom.

5-6. Click 'Done'.

5-7. Click 'Bind' in the 'Policy Binding' interface.

6. There should now be one 'Authentication policy' bound to the AAA vserver. In the right-hand menu under 'Advanced Settings', select 'Login Schemas' and add a new one. In the 'Policy Binding' menu under 'Select Policy', click 'Add'.

6-1. Enter a name and click 'Add' under 'Profile'. This is the only login screen that the user will see.

6-2. Give the Authentication Login Schema a name and click the pencil icon in 'Authentication Schema'. Open the 'LoginSchema' directory, find 'DualAuth.xml', and click 'Select'. (The schema can be customized by clicking Edit, but don't forget to click 'Select' after the customization.) Once you click 'Select', the name of the schema appears in the 'Authentication Schema' section.

6-3. Here the 'Enable Single Sign On Credentials' option (found under 'More') does not need to be enabled.

6-4. Click 'OK' in the 'Configure Authentication Login Schema Policy' menu.

6-5. Click 'Bind' in the 'Policy Binding' menu. The schema is now bound to the AAA vserver and will be the only login screen the user sees.

7. Create an Authentication Profile in Security > AAA - Application Traffic > Authentication Profile, and bind the AAA vserver (Step 5) under 'Authentication Virtual Server'. Click 'Create'.

8. Bind the Authentication Profile to the Gateway in the 'Authentication Profile' section. This is an advanced authentication policy and it replaces Basic Authentication: an Authentication Profile and Basic Authentication cannot coexist, so leave only the Authentication Profile and make sure all policies on the Gateway use advanced syntax.

9. The Gateway now has all the configuration needed to authenticate users and pass the LDAP credentials to StoreFront for SSO. Open the 'Citrix StoreFront' console, open 'Manage Citrix Gateway' from the right-hand menu, and validate in the Gateway's configuration that 'Domain' is selected as the 'Logon Type'.

10. Test the access. Browse to the Gateway URL: the first password field is for the RADIUS password and the second is for the LDAP password, which will be used for SSO to StoreFront.

11. Authentication validation: to validate the authentication process, open an SSH session to the ADC, and after login type 'shell' and then 'cat /tmp/aaad.debug'. When you press Enter, the console starts recording the authentication process on the ADC. In the browser, access the Gateway URL and authenticate; in the console, the RADIUS exchange appears first, followed by LDAP.
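For reference, the same nFactor flow expressed as NetScaler CLI commands in the order of the GUI steps above. This is an added example and not part of the original article; the object names, the IP addresses (192.0.2.x), the certificate key name 'gw_cert', the Gateway vserver name 'gw_vs', the LDAP base and bind DN, and the secrets in angle brackets are placeholders to replace with your own values.

```nscli
# Step 1-2: RADIUS action and advanced policy (first factor)
add authentication radiusAction rad_act -serverIP 192.0.2.10 -serverPort 1812 -radKey "<radius-shared-secret>" -authTimeout 3
add authentication Policy rad_pol -rule true -action rad_act

# Step 3-4: LDAP action and advanced policy (second factor, LDAPS on 636)
add authentication ldapAction ldap_act -serverIP 192.0.2.20 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "cn=svc_ldap,ou=Service Accounts,dc=example,dc=com" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName
add authentication Policy ldap_pol -rule true -action ldap_act

# Step 5 / 5-1: non-addressable AAA vserver carrying the Gateway's certificate
add authentication vserver aaa_vs SSL 0.0.0.0
bind ssl vserver aaa_vs -certkeyName gw_cert

# Step 5-3: 'noschema' login schema that marks the LDAP credentials as the SSO credentials
add authentication loginSchema ldap_sso_schema -authenticationSchema noschema -SSOCredentials YES

# Step 5-3 to 5-7: policy label used as the next factor, holding the LDAP policy
add authentication policylabel ldap_label -loginSchema ldap_sso_schema
bind authentication policylabel ldap_label -policyName ldap_pol -priority 100 -gotoPriorityExpression NEXT

# Step 5-2: RADIUS policy first on the AAA vserver, LDAP label as its next factor
bind authentication vserver aaa_vs -policy rad_pol -priority 100 -nextFactor ldap_label -gotoPriorityExpression NEXT

# Step 6 to 6-5: DualAuth login schema (two password fields), the only screen the user sees
add authentication loginSchema dual_schema -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml"
add authentication loginSchemaPolicy dual_schema_pol -rule true -action dual_schema
bind authentication vserver aaa_vs -policy dual_schema_pol -priority 100 -gotoPriorityExpression END

# Step 7-8: authentication profile pointing at the AAA vserver, bound to the Gateway vserver
add authentication authnProfile gw_authprof -authnVsName aaa_vs
set vpn vserver gw_vs -authnProfile gw_authprof

# Step 11: watch the live authentication trace (RADIUS should appear before LDAP)
shell
cat /tmp/aaad.debug
```

After applying the commands, `show authentication vserver aaa_vs` lists the bound policies and lets you confirm that the RADIUS policy carries the LDAP policy label as its next factor and that the DualAuth login schema policy is bound. With DualAuth.xml the first password field is consumed by the first factor (RADIUS) and the second by the LDAP factor, which matches the behaviour described in Step 10.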

Issue/Introduction

How to configure Gateway to StoreFront with advanced authentication: RADIUS first and then LDAP.

Additional Information

Integrate NetScaler Gateway with StoreFront - https://docs.netscaler.com/en-us/citrix-gateway/current-release/integrate-citrix-gateway-with-citrix-products/integrate-with-storefront.html

RADIUS Authentication - https://docs.netscaler.com/en-us/citrix-adc/current-release/aaa-tm/authentication-methods/citrix-adc-aaa-radius-authentication-policy.html

LDAP Authentication - https://docs.netscaler.com/en-us/citrix-adc/current-release/aaa-tm/authentication-methods/citrix-adc-aaa-ldap-authentication-policies

Authentication virtual server - https://docs.netscaler.com/en-us/citrix-adc/current-release/aaa-tm/entities-of-authentication-authorization-auditing/authentication-virtual-server.html

Create and customize login schema - https://docs.netscaler.com/en-us/citrix-gateway/current-release/gateway-portal-customization/citrix-gateway-create-customize-login-schema.html

Troubleshoot authentication, authorization and auditing issues (aaad.debug) - https://docs.netscaler.com/en-us/citrix-adc/current-release/aaa-tm/citrix-adc-aaa-troubleshooting.html

NetScaler Gateway, StoreFront and XenDesktop Integration Communication Workflow - https://support.citrix.com/article/CTX227054/netscaler-gateway-storefront-and-xendesktop-integration-communication-workflow