Citrix Gateway Radius Configuration Guide

Configuring the Citrix Gateway to use the Okta RADIUS Agent requires pre-configuration of the RADIUS agent.

1. Download the Okta RADIUS Agent from the Settings > Downloads page in Okta.
2. Install the agent using the instructions in Installing and Configuring the Okta RADIUS Server Agent.
3. For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices.

After installing the Okta RADIUS Agent ensure that you have met these minimum requirements for network connectivity

In this step, add the Citrix Gateway app from the OINAn acronym for the Okta Integration Network. The OIN is comprised of thousands of public, pre-integrated business and consumer applications. As an on-demand service, OIN integrations are continuously validated, always up to date, and constantly growing both in number and capability. Okta performs a single integration with an ISV or SP, providing thousands of end users with point-and-click customization for their orgs. and apply settings specific to your deployment. In this section we will configure the following:

• Authentication configuration

• UDP Port

• Secret Key

• Application Username Format

Note: The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations. For additional information about the Radius apps refer to Configuring RADIUS applications in Okta.

There are some optional advanced radius configuration options that are listed at the end of this document to help with Reporting the Client IP and Sending GroupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. information to the firewall.

1. In Okta, navigate to Applications > Applications> Add Application, search for Citrix Gateway, and then click Add Application

   

    

2. Enter a unique name.

3. Provide the following Sign On values:

   • Authentication: Retaining this default button allows Okta to perform primary authentication.

   • UDP Port: Required. Each RADIUS app has a unique number. Enter it here.

   • Secret Key: Required. Enter the secret key that will be used to encrypt and decrypt the user password. This key must be identical to what is configured on the Citrix Gateway app.

   • Application username format:This determines how the RADIUS client sends in the username. Select an option from the drop-down menu.

4. After completing the setup, assign the app to the users/groups that require access.

For additional information, including guidance on advanced authentication and adaptive multifactor configuration options, see Using the Okta RADIUS App.

Process Overview

• If there is not currently a Gateway VIP configured, see Integrate on the Citrix site.
• Create a RADIUS authentication policy.
• Bind the RADIUS policy as the only primary policy to the gateway VIP.

Procedures

1. Log into the Citrix Gateway adminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. interface with admin rights.
2. Navigate to the Configuration tab
3. From the Configuration page, select + Citrix Gateway + Policies + Authentication + RADIUS.
4. In the main body configuration for RADIUS select the Servers tab.
5. Click the Add button, as shown below.

   

6. In the form that opens, complete all sections, selecting either Server Name or Server IP to use to define the server running the Okta RADIUS agent. The port number and secret key can be verified in the Okta RADIUS agent admin tool.
7. Click on the Details (or More) drop down and verify Password Encoding is set to pap.

   

   

   • The available group settings and attributes can be used for Citrix permissions if needed.
   • Click OK to save the Server definition.
8. Back in the RADIUS section, click on the Policies tab.
9. Click on the Add button, as shown below.

   

• Give the policy a name. For the Server* drop down, select the Server Entry you just created.
• In the Expression window, enter ns_true for the value. This setting sets this policy to be active whenever it is bound to a VIP. You can create a more restrictive expression to allow for more control over when this RADIUS policy is used, as required by customer need.
• Click OK to save the policy.

  

10. In the left hand tree, select Virtual Servers under the Citrix Gateway section.
11. Locate the virtual server onto which you want to bind Okta RADIUS onto.

• Select the Edit button, as shown below.

  

• Scroll to the Authentication section and unbind any existing policies and close the Authentication sub-window.
• Back in the Virtual Server configuration screen, in the Authentication section, select the + (plus) on the right hand side of the section title, as shown below.

  

• In the Choose Policy option select RADIUS. In the Choose Type option select Primary, and then, click Continue, as shown below.

  

• In the Policy Binding section, click the > to select the RADIUS policy that you created in section 7, above. Click the radial button to the left of the policy and click OK (or Select).
• Set the Priority to 10 and click Bind, as shown below.

  

• Finally, in the Virtual Server configuration screen scroll to the end, and click Done, as shown below.

  

This completes the configuration, You can begin sign-in testing.

Your end usersEnd users are people in your org without administrative control. They can authenticate into apps from the icons on their My Applications home page, but they are provisioned, deprovisioned, assigned, and managed by admins.' experience should continue to be similar to before, except they will be prompted for an additional validation factor after the login with their AD credentials.

If they only have one MFA option setup, regardless of how many they have available to use they will only see that one active MFA after they login. Citrix Gateway does not allow for the setup of MFA methods.

If they have multiple MFA options currently setup, they will first be prompted with a request to select their authentication method. They should only enter the number corresponding to their preferred choice. They will then be prompted with that authentication choice to complete.

End User Experience: Single-choice MFA Authentication

1. Navigate to your VPN URL.
2. Enter the Okta username and password.
3. Click Logon.
4. Answer the Okta MFA challenge.

End User Experience – Multi-choice MFA Authentication

1. Navigate to your VPN URL.
2. Enter Okta username and password.
3. Click Logon.
4. Respond to the MFA Choice screen.
5. Answer the chosen MFA challenge.

End User Experience – MFA Methods Validated and Supported

• Okta Verify Mobile App – Tested and validated.
• Google Authenticator mobile app – Tested and validated.
• SMS messaging – Tested and validated.
• Security Question – Tested and validated.
• Yubikey – Not yet tested.

See MFA for more information on multifactor authentication.

Citrix Gateway does not support a user’s first time Okta setup. All users using Okta MFA at Citrix gateway must first login to their Okta portal and configure their MFA. It is possible via Rewrite policies or CCS style sheet customizations to add links to the Gateway login page to direct first time users to their Okta login portal for initial registration.

Citrix Gateway also does not currently have a solution for self-service password reset. Using Rewrite policies or page customizations, a link can be added to the Gateway login page to direct a user that is unable to login, to their Okta tenant password reset page.

Citrix Documentation: Citrix Gateway Product Documentation

Okta Support - Installing the Okta RADIUS Agent

Okta Support - Sign-on Policies: Authentication