Citrix Gateway Radius Configuration Guide

The Citrix Gateway now integrates with Okta via RADIUS or SAML 2.0. Using the Okta RADIUS Agent allows for authentication, including support for MFA to happen directly at the Citrix Gateway login page. For authentication, the agent translates RADIUS authentication requests from Citrix Gateway into Okta API calls that provide for user authentication. This guide explains how to configure Citrix Gateway to use the Okta RADIUS Agent.

This guide details how to configure Citrix Gateway to use the Okta RADIUS Server Agent.

If you want to integrate with Okta via SAML 2.0, add the Citrix Gateway SAML app in Okta by navigating to the Applications tab, select Applications > Add Application, search for Citrix Gateway, then click Add.

This guide has been verified with the following Citrix Gateway versions:

  • Version 10.5.x
  • Version 11.x
  • Version 12.x
  • Version 13.0.x

The following Citrix clients have been validated:

  • Citrix Web Receiver
  • Citrix Windows \ Mac Receiver
  • Citrix iOS \ Android Receiver

Supported Okta Features

The following Okta features are supported:

  • Authentication with Okta Credentials via RADIUS
  • Authentication with Okta Credentials via SAML
  • Multi-factor authentication via RADIUS
  • Multi-factor authentication via SAML
  • Group memberships/Attributes via RADIUS – passes the username and password to storefront for AD group permissions

Configuring the Citrix Gateway to use the Okta RADIUS Agent requires pre-configuration of the RADIUS agent.

  1. Download the Okta RADIUS Agent from the Settings > Downloads page in Okta.
  2. Install the agent using the instructions in Installing and Configuring the Okta RADIUS Server Agent.
  3. For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices.

After installing the Okta RADIUS Agent ensure that you have met these minimum requirements for network connectivity

Source Destination Port/Protocol Description
Okta RADIUS Agent Okta Identity Cloud tcp/443
http		 Configuration and authentication traffic
Citrix Gateway Okta RADIUS Agent udp/1812 RADIUS (actual port number defined in next step) RADIUS traffic between the firewall (client) and the RADIUS Agent (server)

In this step, add the Citrix Gateway app from the OIN and apply settings specific to your deployment. In this section we will configure the following:

  • Authentication configuration

  • UDP Port

  • Secret Key

  • Application Username Format

Info

Note

The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations.
For additional information about the Radius apps refer to Configuring RADIUS applications in Okta.

There are some optional advanced radius configuration options that are listed at the end of this document to help with Reporting the Client IP and Sending Groups information to the firewall.

  1. In Okta, navigate to Applications > Applications> Add Application, search for Citrix Gateway, and then click Add Application

     

  2. Enter a unique name.

  3. Provide the following Sign On values:

    • Authentication: Retaining this default button allows Okta to perform primary authentication.

    • UDP Port: Required. Each RADIUS app has a unique number. Enter it here.

    • Secret Key: Required. Enter the secret key that will be used to encrypt and decrypt the user password. This key must be identical to what is configured on the Citrix Gateway app.

    • Application username format:This determines how the RADIUS client sends in the username. Select an option from the drop-down menu.

  4. After completing the setup, assign the app to the users/groups that require access.

For additional information, including guidance on advanced authentication and adaptive multifactor configuration options, see Using the Okta RADIUS App.

Gateway

Process Overview

  • If there is not currently a Gateway VIP configured, see Integrate on the Citrix site.
  • Create a RADIUS authentication policy.
  • Bind the RADIUS policy as the only primary policy to the gateway VIP.

Procedures

  1. Log into the Citrix Gateway admin interface with admin rights.
  2. Navigate to the Configuration tab
  3. From the Configuration page, select + Citrix Gateway + Policies + Authentication + RADIUS.
  4. In the main body configuration for RADIUS select the Servers tab.
  5. Click the Add button, as shown below.

  6. In the form that opens, complete all sections, selecting either Server Name or Server IP to use to define the server running the Okta RADIUS agent. The port number and secret key can be verified in the Okta RADIUS agent admin tool.
  7. Click on the Details (or More) drop down and verify Password Encoding is set to pap.

    • The available group settings and attributes can be used for Citrix permissions if needed.
    • Click OK to save the Server definition.
  8. Back in the RADIUS section, click on the Policies tab.
  9. Click on the Add button, as shown below.

  • Give the policy a name. For the Server* drop down, select the Server Entry you just created.
  • In the Expression window, enter ns_true for the value. This setting sets this policy to be active whenever it is bound to a VIP. You can create a more restrictive expression to allow for more control over when this RADIUS policy is used, as required by customer need.
  • Click OK to save the policy.

  1. In the left hand tree, select Virtual Servers under the Citrix Gateway section.
  2. Locate the virtual server onto which you want to bind Okta RADIUS onto.
  • Select the Edit button, as shown below.

  • Scroll to the Authentication section and unbind any existing policies and close the Authentication sub-window.
  • Back in the Virtual Server configuration screen, in the Authentication section, select the + (plus) on the right hand side of the section title, as shown below.

  • In the Choose Policy option select RADIUS. In the Choose Type option select Primary, and then, click Continue, as shown below.

  • In the Policy Binding section, click the > to select the RADIUS policy that you created in section 7, above. Click the radial button to the left of the policy and click OK (or Select).
  • Set the Priority to 10 and click Bind, as shown below.

  • Finally, in the Virtual Server configuration screen scroll to the end, and click Done, as shown below.

This completes the configuration, You can begin sign-in testing.

Your end users' experience should continue to be similar to before, except they will be prompted for an additional validation factor after the login with their AD credentials.

If they only have one MFA option setup, regardless of how many they have available to use they will only see that one active MFA after they login. Citrix Gateway does not allow for the setup of MFA methods.

If they have multiple MFA options currently setup, they will first be prompted with a request to select their authentication method. They should only enter the number corresponding to their preferred choice. They will then be prompted with that authentication choice to complete.

 

End User Experience: Single-choice MFA Authentication

  1. Navigate to your VPN URL.
  2. Enter the Okta username and password.
  3. Click Logon.
  4. Answer the Okta MFA challenge.

End User Experience – Multi-choice MFA Authentication

  1. Navigate to your VPN URL.
  2. Enter Okta username and password.
  3. Click Logon.
  4. Respond to the MFA Choice screen.
  5. Answer the chosen MFA challenge.

End User Experience – MFA Methods Validated and Supported

  • Okta Verify Mobile App – Tested and validated.
  • Google Authenticator mobile app – Tested and validated.
  • SMS messaging – Tested and validated.
  • Security Question – Tested and validated.
  • Yubikey – Not yet tested.

See MFA for more information on multifactor authentication.

Citrix Gateway does not support a user’s first time Okta setup. All users using Okta MFA at Citrix gateway must first login to their Okta portal and configure their MFA. It is possible via Rewrite policies or CCS style sheet customizations to add links to the Gateway login page to direct first time users to their Okta login portal for initial registration.

Citrix Gateway also does not currently have a solution for self-service password reset. Using Rewrite policies or page customizations, a link can be added to the Gateway login page to direct a user that is unable to login, to their Okta tenant password reset page.

Citrix Documentation: Citrix Gateway Product Documentation

Okta Support - Installing the Okta RADIUS Agent

Okta Support - Sign-on Policies: Authentication