Configure Citrix Netscaler gateway to interoperate with Okta via RADIUS
The Citrix Gateway integrates with Okta via RADIUS or SAML 2.0. Using the Okta RADIUS Agent allows for authentication, including support for MFA to happen directly at the Citrix Gateway login page. For authentication, the agent translates RADIUS authentication requests from Citrix Gateway into Okta API calls that provide for user authentication.
This guide details how to configure Citrix Gateway to use the Okta RADIUS Server Agent.
To integrate using SAML 2.0:
- In Okta, navigate to Applications > Applications> Add Application, search for Citrix Gateway SAML ,
- Click Add Application and add the Citrix Gateway SAML app in.
For information on how to configure the Citrix Gateway for SAML 2.0 see Configure SAML 2.0 for Citrix NetScaler Gateway.
Before installing the Okta RADIUS Agent ensure that you have met these minimum requirements for network connectivity:
|Okta RADIUS Agent||Okta Identity Cloud||TCP/443
|Configuration and authentication traffic|
|Client Gateway||Okta RADIUS Agent||UDP/1812 RADIUS (Default, may be changed in RADIUS app install and configuration)||RADIUS traffic between the gateway (client) and the RADIUS Agent (server)|
See Citrix Gateway supported versions, clients, features and factors for a complete list of supported version, factor and related information.
Only a single Okta Verify device should be enrolled. Enrolling second and subsequent Okta Verify devices may cause undefined or unexpected behavior.
|Download the RADIUS agent||
|Install the Okta RADIUS Agent.|
|Configure optional settings||
- Citrix Gateway does not support a user’s first time Okta setup. All users using Okta MFA at Citrix gateway must first login to their Okta portal and configure MFA. It is possible via Rewrite policies or CCS style sheet customizations to add links to the Gateway login page to direct first time users to their Okta login portal for initial registration.
- Citrix Gateway also does not currently have a solution for self-service password reset. Using Rewrite policies or page customizations, a link can be added to the Gateway login page to direct a user that is unable to login, to their Okta tenant password reset page.