This article describes how to configure a Citrix® NetScaler device to authenticate users against an ESA Server. Before proceeding, verify that you've installed the RADIUS Server component of ESET Secure Authentication and can access the RADIUS service that allows external systems to authenticate users.
Before your Citrix® NetScaler device can use the ESA Server to authenticate users via RADIUS, it must be set up as a RADIUS client on the ESA Server. Next, your server running the ESA RADIUS service must be setup as a RADIUS Server on the Citrix® NetScaler device. Once these configurations have been specified, you can start logging into your Citrix® NetScaler device using ESA OTPs.
Step I - RADIUS client configuration
To allow the Citrix® NetScaler device to communicate with your ESA Server, you must configure the Citrix® NetScaler device as a RADIUS client on your ESA Server:
- Launch the ESA Management Console (found under Administrative Tools).
- Navigate to RADIUS Servers and locate the hostname of the server running the ESA RADIUS service.
- Right-click the hostname and select Add Client from the context menu.
- Configure a RADIUS client (see Figure 1-1).
- Click on OK - you will be prompted to restart the RADIUS Service, do so from the Services control panel.
ESA has now been configured to communicate with the Citrix® NetScaler device. You must now configure the Citrix® NetScaler device to communicate with the ESA Server.
Step II - Configuring your Citrix® NetScaler device
Follow the steps below:
- Login to your Citrix® NetScaler administrative interface.
- Expand Access Gateway → Virtual Servers, select your existing Access Gateway Virtual Server and click Open.
- In the Configure Access Gateway Virtual Server window, navigate to the Authentication tab.
- In the Authentication Policies section, select Primary and click Insert Policy.
- In the Configure Authentication Policy window, type a name for your policy (for example, ESA Authentication)
- Select General from the first drop-down menu and true from the second drop-down menu under Named Expressions
- Click Add Expression → New (next to Server) and set the following parameters to the values shown below:
- Name: ESA RADIUS
- IP Address: The IP Address of your ESA RADIUS Server
- Secret Key: As entered in Figure 1-1
- Confirm Secret Key: As above
- Password Encoding: PAP
- Click OK
- Click OK
- Click OK
- Click Save
Step III - Testing the connection
To test the newly configured connection:
- Navigate to the URL that you normally use for SSL VPN logins with your Citrix® NetScaler appliance.
- Enter the credentials of your test user. Make sure that you are using a user with Mobile Application 2FA using ESA enabled. When prompted for a password, append the OTP generated by the Mobile Application to your AD password. For example, if the user has an AD password of Esa123 and an OTP of 999111, you should type Esa123999111.
If you are unable to authenticate via the ESA RADIUS server, ensure you have performed the following steps:
- Run a smoke test against your RADIUS server, as per the “Verifying ESA RADIUS Functionality” document.
- If no faults were fixed and you are still unable to connect, revert to an existing sign-in configuration (that does not use 2FA) and verify that you are able to connect
- If you are still able to connect using the old settings, restore the new settings and verify that there is no firewall blocking UDP 1812 between you VPN device and your RADIUS server
- If you are still unable to connect, contact ESET technical support.