Instructions for Setting Up Secondary Authentication for NetScaler Duo

Duo Security integrates with your on-premises NetScaler to provide two-factor authentication for remote access logins. Duo supports self-service enrollment and Duo Prompt through a web browser for Citrix Gateway login. Additionally, for Citrix Receiver or Workspace connections, Duo supports passcodes, phone, and push authentication.

The configuration allows Duo to act as a secondary RADIUS authentication server for Citrix Gateways. Primary authentication is handled by the Citrix Gateway connecting directly to Active Directory, LDAP, or other identity stores. Duo adds two-factor authentication while maintaining features like AD password resets.

To set up Duo two-factor authentication for Citrix Gateway, two basic RADIUS authentication policies need to be configured. One policy enables Duo’s interactive enrollment and authentication prompts for browser-based logins, while the other automatically sends authentication requests via push notification or phone call for Receiver or Workspace client logins.

Connectivity Requirements:
– Communication with Duo’s service occurs over SSL TCP port 443.
– Avoid firewall rules that restrict outbound access to Duo’s service by destination IP address, because those addresses change.
– As of June 30, 2023, Duo no longer supports TLS 1.0 or 1.1 connections or insecure TLS/SSL cipher suites.

The first steps are to understand Duo administration concepts, set up a working primary authentication configuration, and install a local Duo Authentication Proxy service on the network. Installing the Duo Authentication Proxy is recommended on specific operating systems.

Key configuration steps include creating a new section in the Duo Authentication Proxy configuration file for Citrix NetScaler and adding details such as the integration key, secret key, API hostname, and more.
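A pre-deployment check for the proxy configuration described above, as an added example that is not taken from Duo's documentation or tooling. The section and key names follow Duo Authentication Proxy conventions and are assumptions here, since this page does not list them; every value in the sample is a constructed placeholder, and the sample is abbreviated to the keys the check reads.

```python
import configparser
import ipaddress

# Constructed sample; key names follow Duo Authentication Proxy conventions
# (assumed, not shown on this page). All values are placeholders.
SAMPLE_CFG = """
[radius_server_iframe]
type=citrix_netscaler
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=192.0.2.10
radius_secret_1=PLACEHOLDER_RADIUS_SECRET
port=1812

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER_SECRET_KEY
api_host=203.0.113.5
radius_ip_1=192.0.2.10
port=1812
"""

REQUIRED = ("ikey", "skey", "api_host", "radius_ip_1", "radius_secret_1", "port")

def lint_proxy_config(text):
    """Return a list of findings for the RADIUS server sections."""
    cfg = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    cfg.read_string(text)
    findings, ports = [], {}
    for name in cfg.sections():
        if not name.startswith("radius_server_"):
            continue
        sec = cfg[name]
        for key in REQUIRED:
            if not sec.get(key, "").strip():
                findings.append(f"{name}: missing {key}")
        host = sec.get("api_host", "").strip()
        try:
            ipaddress.ip_address(host)  # succeeds only for an IP literal
            findings.append(f"{name}: api_host is an IP literal, use the API hostname")
        except ValueError:
            pass
        port = sec.get("port", "").strip()
        if port and port in ports:
            findings.append(f"{name}: port {port} already used by {ports[port]}")
        ports.setdefault(port, name)
    return findings
```

The browser policy and the Receiver or Workspace policy each need their own listening section, which is why the check flags a shared port as well as a missing shared secret.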

Finally, configuring policies on the Citrix Gateway involves adding RADIUS policies for secondary authentication. These policies need to be bound in the correct order and verified before saving the configuration.

Additional steps may include modifying the sign-in page on Citrix NetScaler and testing the setup to ensure successful integration with Duo two-factor authentication.

For troubleshooting or further assistance, users can refer to the provided troubleshooting tips, FAQs, and knowledge base articles or contact support. A network diagram illustrates the flow of the authentication process involving Citrix Gateway and Duo Security.

Article Source
https://duo.com/docs/citrix-netscaler-alt