Citrix Gateway supported versions, clients, features, and factors

Supported versions

This guide has been verified with the following Citrix Gateway versions:

• Version 10.5.x
• Version 11.x
• Version 12.x
• Version 13.0.x

Supported clients

The following Citrix clients have been validated:

• Citrix Web Receiver
• Citrix Windows \ Mac Receiver
• Citrix iOS \ Android Receiver

Supported features

The following Okta features are supported:

• Authentication with Okta Credentials via RADIUS
• Authentication with Okta Credentials via SAML
• Multi-factor authentication via RADIUS
• Multi-factor authentication via SAML
• Group memberships/Attributes via RADIUS – passes the username and password to storefront for AD group permissions

Supported factors

The size of the challenge message can be too large for the RADIUS prompt if you let users enroll too many factors. Okta recommends that you enroll no more than eight factors at a given time.

Okta supports the following factors for RADIUS apps:

MFA Factor	Password Authentication Protocol (PAP)	Extensible Authentication Protocol - Generic Token Card (EAP-GTC)	Extensible Authentication Protocol - Tunneled Transport Layer Security (EAP-TTLS)
Custom TOTP Authentication	Supported	Supported	Supported - as long as challenge is avoided. For example MFA only or "Password, passcode".
Duo(Push, SMS, and Passcode only)	Supported	Supported	Duo passcode only.
Email	Supported	Supported	Supported when the string "EMAIL" is initially sent. Refer to associated note.
Google Authenticator	Supported	Supported	Supported - as long as challenge is avoided. For example MFA only or "Password, passcode".
Okta Verify (TOTP and PUSH)	Supported	Supported	Supported - as long as challenge is avoided. For example: MFA-only or "Password, MFA" for TOTP. Push can work with primary authentication with MFA as the push challenge is sent out-of-band.
Okta Verify (number challenge)	Not supported	Not supported	Not supported
RSA Token/ On-prem MFA	Supported	Supported	Supported - as long as challenge is avoided. For example MFA only or "Password, passcode".
Security Question	Supported (Password and MFA only)	Supported (Password + MFA only).	Not supported
SMS authentication	Supported	Supported	Supported when the string "SMS" is sent. Refer to associated note.
Symantec VIP	Supported	Supported	Supported - as long as challenge is avoided. For example MFA only or "Password, passcode".
Voice Call	Supported	Supported	Supported when the string "CALL" is sent. Refer to associated note.
YubiKey	Supported	Supported	Supported - as long as challenge is avoided. For example MFA only or "Password, passcode".

RADIUS supports three authentication methods:

• Password + MFA: Primary authentication using password, then the user is prompted to select factors to complete the authentication.
• MFA Only: Instead of password, users enter either One Time Passcode, or one of “EMAIL”, “SMS”, “CALL”, “PUSH” (case insensitive).
• Password, Passcode: Password entered immediately followed by passcode in a request.
  Must be in the same request, for example: Abcd1234,879890” or “Abcd1234,SmS”.

Protocols support the following authentication methods:

Protocol	Supports
PAP	Password and MFA, MFA, "Password and passcode".
EAP-TTLS	MFA only, "Password and passcode".
EAP-GTC	Password and MFA, MFA only, "Password and passcode".