Citrix NetScaler Gateway Radius Configuration Guide
The Citrix NetScaler Gateway now integrates with Okta via RADIUS or SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IdP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on an app, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. 2.0. Using the Okta RADIUS AgentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations. allows for authentication, including support for MFA to happen directly at the NetScaler Gateway login page. For authentication, the agent translates RADIUS authentication requests from NetScaler into Okta API calls that provide for user authentication. This guide explains how to configure Citrix NetScaler Gateway to use the Okta RADIUS Agent.
This guide details how to configure Citrix NetScaler Gateway to use the Okta RADIUS Server Agent.
If you want to integrate with Okta via SAML 2.0, add the Citrix NetScaler Gateway SAML appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. in Okta by navigating to the Applications tab, select Applications > Add Application, search for Citrix NetScaler Gateway, then click Add.
This guide has been verified with the following NetScaler Gateway versions:
- Version 10.5.x
- Version 11.x
- Version 12.x
- Version 13.0.x
The following Citrix clients have been validated:
- Citrix Web Receiver
- Citrix Windows \ Mac Receiver
- Citrix iOS \ Android Receiver
Supported Okta Features
The following Okta features are supported:
- AuthenticationAuthentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual. Authentication methods and protocols include direct auth, delegated auth, SAML, SWA, WS-Fed, and OpenID Connect. with Okta Credentials via RADIUS
- Authentication with Okta Credentials via SAML
- Multi-factor authentication via RADIUS
- Multi-factor authentication via SAML
- Group memberships/Attributes via RADIUS – NetScaler passes the username and password to storefront for AD group permissions
Configuring the Citrix Netscaler to use the Okta RADIUS Agent requires pre-configuration of the RADIUS agent.
- Download the Okta RADIUS Agent from the Settings > Downloads page in Okta.
- Install the agent using the instructions in Installing and Configuring the Okta RADIUS Server Agent.
- For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices.
After installing the Okta RADIUS Agent ensure that you have met these minimum requirements for network connectivity
|Okta RADIUS Agent||Okta Identity Cloud||tcp/443
|Configuration and authentication traffic|
|Citrix Netscaler||Okta RADIUS Agent||udp/1812 RADIUS (actual port number defined in next step)||RADIUS traffic between the firewall (clientEssentially, a client is anything that talks to the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin. ) and the RADIUS Agent (server)|
In this step, add the Citrix Netscaler (RADIUS) app from the OINAn acronym for the Okta Integration Network. The OIN is comprised of thousands of public, pre-integrated business and consumer applications. As an on-demand service, OIN integrations are continuously validated, always up to date, and constantly growing both in number and capability. Okta performs a single integration with an ISV or SP, providing thousands of end users with point-and-click customization for their orgs. and apply settings specific to your deployment. In this section we will configure the following:
- Authentication configuration
Application Username Format
Note: The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations. For additional information about the Radius apps refer to Configuring RADIUS applications in Okta.
There are some optional advanced radius configuration options that are listed at the end of this document to help with Reporting the Client IP and Sending GroupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. information to the firewall.
- In Okta, navigate to Applications > Applications> Add Application, search for Citrix Netscaler (RADIUS), and then click Add Application:
- Enter a unique name.
Provide the following Sign On values:
- Authentication: Retaining this default button allows Okta to perform primary authentication.
UDP Port: Required. Each RADIUS app has a unique number. Enter it here.
Secret Key: Required. Enter the secret key that will be used to encrypt and decrypt the user password. This key must be identical to what is configured on the Citrix Netscaler (RADIUS) app.
Application username format:This determines how the RADIUS client sends in the username. Select an option from the drop-down menu.
- After completing the setup, assign the app to the users/groups that require access.
For additional information, including guidance on advanced authentication and adaptive multifactor configuration options, see Using the Okta RADIUS App.
- If there is not currently a Gateway VIP configured, see Integrate on the Citrix site.
- Create a RADIUS authentication policy.
- Bind the RADIUS policy as the only primary policy to the gateway VIP.
- Log into the Citrix NetScaler adminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. interface with admin rights.
- Navigate to the Configuration tab
- From the Configurationpage, select + NetScaler Gateway + Policies + Authentication + RADIUS.
- In the main body configuration for RADIUS select the Servers tab.
- Click the Add button, as shown below.
- In the form that opens, complete all sections, selecting either Server Name or Server IP to use to define the server running the Okta RADIUS agent. The port number and secret key can be verified in the Okta RADIUS agent admin tool.
- Click on the Details (or More) drop down and verify Password Encoding is set to pap.
- The available group settings and attributes can be used for Citrix permissions if needed.
- Click OK to save the Server definition.
- Back in the RADIUS section, click on the Policies tab.
- Click on the Add button, as shown below.
- Give the policy a name. For the Server* drop down, select the Server Entry you just created.
- In the Expression window, enter ns_true for the value. This setting sets this policy to be active whenever it is bound to a VIP. You can create a more restrictive expression to allow for more control over when this RADIUS policy is used, as required by customer need.
- Click OK to save the policy.
- In the left hand tree, select Virtual Servers under the NetScaler Gateway section.
- Locate the virtual server onto which you want to bind Okta RADIUS onto.
- Select the Edit button, as shown below.
- Scroll to the Authentication section and unbind any existing policies and close the Authentication sub-window.
- Back in the Virtual Server configuration screen, in the Authentication section, select the + (plus) on the right hand side of the section title, as shown below.
- In the Choose Policy option select RADIUS. In the Choose Type option select Primary, and then, click Continue, as shown below.
- In the Policy Binding section, click the > to select the RADIUS policy that you created in section 7, above. Click the radial button to the left of the policy and click OK (or Select).
- Set the Priority to 10 and click Bind, as shown below.
- Finally, in the Virtual Server configuration screen scroll to the end, and click Done, as shown below.
This completes the configuration, You can begin sign-in testing.
Your end usersIn Okta literature, we generally refer to "end users" as the people who have their own Okta home page (My Applications), using apps to authenticate into all of their apps. End users do not have any administrative control. When we refer to "users" we are generally referring to the individual(s) who have administrative control.' experience should continue to be similar to before, except they will be prompted for an additional validation factor after the login with their AD credentials.
If they only have one MFA option setup, regardless of how many they have available to use they will only see that one active MFA after they login. NetScaler Gateway does not allow for the setup of MFA methods.
If they have multiple MFA options currently setup, they will first be prompted with a request to select their authentication method. They should only enter the number corresponding to their preferred choice. They will then be prompted with that authentication choice to complete.
End User Experience: Single-choice MFA Authentication
- Navigate to your VPN URL.
- Enter the Okta username and password.
- Click Logon.
- Answer the Okta MFA challenge.
End User Experience – Multi-choice MFA Authentication
- Navigate to your VPN URL.
- Enter Okta username and password.
- Click Logon.
- Respond to the MFA Choice screen.
- Answer the chosen MFA challenge.
End User Experience – MFA Methods Validated and Supported
- Okta Verify Mobile App – Tested and validated.
- Google Authenticator mobile app – Tested and validated.
- SMS messaging – Tested and validated.
- Security Question – Tested and validated.
- Yubikey – Not yet tested.
See MFA for more information on multifactor authentication.
NetScaler Gateway does not support a user’s first time Okta setup. All users using Okta MFA at NetScaler gateway must first login to their Okta portal and configure their MFA. It is possible via Rewrite policies or CCS style sheet customizations to add links to the Gateway login page to direct first time users to their Okta login portal for initial registration.
NetScaler Gateway also does not currently have a solution for self-service password reset. Using Rewrite policies or page customizations, a link can be added to the Gateway login page to direct a user that is unable to login, to their Okta tenant password reset page.
Citrix – NetScaler Gateway setup Guide: http://docs.citrix.com/en-us/netscaler-gateway/10-5.html
Citrix – NetScaler Rewrite policies Guide: http://docs.citrix.com/en-us/netscaler/10-5/ns-appexpert-con-10/ns-rewrite-wrapper-con.html
Okta Support - Installing the Okta RADIUS Agent
Okta Support - Sign-on Policies: Authentication