Skip to main content

How do I configure my Citrix® Access Gateway device for use with ESET Secure Authentication? - Kennisbank / ESET Secure Authentication - ESET Tech Center

How do I configure my Citrix® Access Gateway device for use with ESET Secure Authentication?

Authors list


Citrix® Access Gateway is an SSL VPN gateway providing secure access to networks. This article describes how to configure a Citrix® Access Gateway device to authenticate users against an ESA Server. Before proceeding, verify that you've installed the RADIUS Server component of ESET Secure Authentication and can access the RADIUS service that allows external systems to authenticate users.

Before your Citrix® Access Gateway device can use the ESA Server to authenticate users via RADIUS, it must be set up as a RADIUS client on the ESA Server. Next, your server running the ESA RADIUS service must be setup as a RADIUS Server on the Citrix® Access Gateway device. Once these configurations have been specified, you can start logging into your Citrix® Access Gateway device using ESA OTPs.


This integration guide utilizes VPN does not validate AD user name and password VPN type for this particular VPN appliance. If you wish to utilize other VPN type, refer to generic description of VPN typesand verify with the vendor if the VPN appliance supports it.

Step I - RADIUS client configuration

To allow the Citrix® Access Gateway device to communicate with your ESA Server, you must configure the Citrix® Access Gateway device as a RADIUS client on your ESA Server:

  1. Launch the ESA Management Console (found under Administrative Tools).
  2. Navigate to RADIUS Servers and locate the hostname of the server running the ESA RADIUS service.
  3. Right-click the hostname and select Add Client from the context menu.
  4. Configure a RADIUS client (see Figure 1-1)
  5. Click OK - you will be prompted to restart the RADIUS Service, do so from the Services control panel.

Configuring your RADIUS client

  • To prevent locking any existing, non-2FA enabled AD users out of your VPN we recommend that you allow Active Directory passwords without OTPs during the transitioning phase. It is also recommended that you limit VPN access to a security group (for example VPNusers).
  • Make sure that the check box next to Mobile Application OTPs is selected.

Figure 1-1

ESA has now been configured to communicate with the Citrix® Access Gateway device. You must now configure the Citrix® Access Gateway device to communicate with the ESA Server.

Step II - Configuring your Citrix® Access Gateway device

Follow the steps below:

  1. Log into your Citrix® Access Gateway admin interface.
  2. Navigate to Management → Authentication Profiles.
  3. Click Add and select RADIUS.
  4. In the RADIUS Properties window, enter a Profile Name (for example, ESA RADIUS).
  5. Click New (below the Servers list) and set the following parameters to the values shown below:
    1. Server: The IP Address of your ESA RADIUS server
    2. Shared Secret: Your RADIUS shared secret (see Figure 1-1)
    3. Confirm Secret: Repeat your shared seceret
    4. Click OK.
    5. Click Save.
  6. Navigate to Management → Logon Points.
  7. Click Add (or Edit an existing logon point).
  8. Select ESA RADIUS under Authentication Profiles.
  9. Click Save

Step III - Testing the connection

To test the newly configured connection:

  1. Navigate to the URL that you normally use for SSL VPN logins with your Citrix® Access Gateway appliance.
  2. Enter the credentials of your test user. Make sure you are using an account with Mobile Application 2FA using ESA enabled. When prompted for a password, append the OTP generated by the Mobile Application to your AD password. For example, if the user has an AD password of Esa123 and an OTP of 999111, you should type Esa123999111.



If you are unable to authenticate via the ESA RADIUS server, ensure you have performed the following steps:

  1. Run a smoke test against your RADIUS server, as per the Verifying ESA RADIUS Functionality.
  2. If no faults were fixed and you are still unable to connect, revert to an existing sign-in configuration (that does not use 2FA) and verify that you are able to connect
  3. If you are still able to connect using the old settings, restore the new settings and verify that there is no firewall blocking UDP 1812 between you VPN device and your RADIUS server
  4. If you are still unable to connect, contact ESET technical support.


Reactie toevoegen

Please log in or register to submit a comment.

Need a password reminder?