This article describes how to set up Citrix Gateway to connect to remote desktops and applications with two-factor authentication.
Citrix Gateway supports multiple authentication and authorization methods for users, both locally and using different account providers.
Multifactor integrates with your hosted Citrix Gateway infrastructure to protect remote access with multi-factor authentication. Users will be able to self-register a second factor when logging in through a browser. When using Citrix Receiver or Workspace, the user is given the option of using one-time codes, push notifications or login by call.
Citrix Gateway was formerly called NetScaler Gateway. These instructions are suitable for both products.
Supported authentication methods:
- U2F tokens (web)
- Software OTP tokens: Google Authenticator or Yandex.Key
- User connects to the desktop, enters login and password in Citrix Gateway, Receiver or Workspace;
- Citrix Gateway connects to the MultiFactor Radius Adapter component via the RADIUS protocol;
- The component checks the user's login and password in Active Directory and requests a second authentication factor;
- The user confirms the access request in the phone or enters a one-time code.
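The RADIUS leg of this flow, as an added example that is not MultiFactor's or Citrix's code: the gateway side builds an Access-Request carrying User-Name, a User-Password hidden with the shared secret (RFC 2865 section 5.2) and NAS-Identifier; a simplified stand-in for the adapter reveals the password, checks it against a constructed user table in place of Active Directory, calls a `second_factor_ok` callback that stands in for the push/OTP step, and answers with an Access-Accept or Access-Reject whose Response Authenticator the gateway side verifies. The user table, secrets and the `second_factor_ok` hook are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32

# Constructed sample directory standing in for the Active Directory check.
USERS = {"alice": "Correct-Horse-7"}


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; a wrong shared secret yields garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Each attribute is Type (1 byte), Length (1 byte, header included), Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, body, req_auth, secret):
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret): ties the reply
    # to this request and to a party that holds the shared secret.
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


def build_access_request(username, password, nas_id, secret, ident=1):
    """Gateway side: the request Citrix Gateway sends to the adapter."""
    req_auth = os.urandom(16)
    attrs = [
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
        (NAS_IDENTIFIER, nas_id.encode()),
    ]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def adapter_handle(packet, secret, second_factor_ok):
    """Adapter side (simplified stand-in): check the password, then the second factor."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, body = packet[4:20], packet[20:length]
    attrs = dict(decode_attrs(body))
    user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    stored = USERS.get(user)
    first_ok = code == ACCESS_REQUEST and stored is not None and stored.encode() == password
    # The second factor is only requested once the password is right.
    accept = first_ok and second_factor_ok(user)
    reply_code = ACCESS_ACCEPT if accept else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, b"", req_auth, secret)
    return build_packet(reply_code, ident, auth, [])


def verify_reply(reply, req_auth, secret):
    """Gateway side: trust the reply only if its Response Authenticator checks out."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], req_auth, secret)
    return hmac.compare_digest(reply[4:20], expected), code


def run_exchange(username, password, second_factor_ok, gateway_secret, adapter_secret):
    """Full round trip; returns (reply authentic?, reply code)."""
    packet, req_auth = build_access_request(username, password, "citrix-gw", gateway_secret)
    reply = adapter_handle(packet, adapter_secret, second_factor_ok)
    return verify_reply(reply, req_auth, gateway_secret)


if __name__ == "__main__":
    secret = b"constructed-sample-secret"
    print(run_exchange("alice", "Correct-Horse-7", lambda u: True, secret, secret))    # (True, 2)
    print(run_exchange("alice", "Correct-Horse-7", lambda u: False, secret, secret))   # (True, 3)
    print(run_exchange("alice", "Correct-Horse-7", lambda u: True, secret, b"other"))  # (False, 3)
```

The third call shows what a mismatched shared secret between Citrix Gateway and the adapter looks like: the password cannot be recovered, so the first factor fails, and the reply's authenticator does not verify on the gateway side either.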
Before configuring MultiFactor, ensure you have a working user authentication scheme in your Citrix Gateway.
To integrate Multifactor with your Citrix Gateway, you need to install the MultiFactor RADIUS Adapter (which acts as a RADIUS server) inside your network perimeter.
- Choose an existing server or deploy a new one to host the Radius Adapter. The component can be installed on any Windows Server from version 2012 R2 onward.
- Log in to your personal account, and go to Resources.
- Click the "Add Resource" button and create a new Network Shield -> Other resource:
- Name: arbitrary
- Address: arbitrary
- Save the settings
After saving, note the NAS Identifier and Shared Secret; you will need them for further setup.
Radius Adapter Installation
The Radius Adapter can be installed on either a physical or a virtual host. We recommend a system with at least 1 CPU and 4 GB RAM (although even 1 GB is enough in most cases).
- Download the latest build from GitHub.
- Unpack the archive to a suitable folder.
- The component's parameters are stored in the MultiFactor.Radius.Adapter.exe.config file in XML format. Open it in a text editor. It contains a sample configuration of the component; see our documentation for the full list of available parameters.
Configuring the first authentication factor in the Adapter
In this step, you will configure the first authentication factor: the system in which the adapter will verify the user's password. In most cases, this means checking with the Active Directory or RADIUS server.
To check the first factor in Active Directory/LDAP, set the first-factor-authentication-source parameter to ActiveDirectory:
<add key="first-factor-authentication-source" value="ActiveDirectory"/>
Configure the AD connection settings:
<add key="active-directory-domain" value="domain.local"/>
The following settings are optional:
<!-- Check the user's group membership (not checked if the setting is removed) -->
<add key="active-directory-group" value="VPN Users"/>
<!-- Require the second factor only from users in the specified group (required from all users if the setting is removed) -->
<add key="active-directory-2fa-group" value="2FA Users"/>
<!-- Use the phone number from AD to send a one-time code by SMS (not used if the setting is removed) -->
<!--add key="use-active-directory-user-phone" value="true"/-->
<!--add key="use-active-directory-mobile-user-phone" value="true"/-->
If the use-active-directory-user-phone option is enabled, the component uses the phone number recorded on the user's General tab. If the use-active-directory-mobile-user-phone option is enabled, it uses the number from the Mobile field on the Telephones tab. In both cases the phone number may be in any format.
To use a RADIUS server (e.g. Network Policy Server) to check the first factor, set the first-factor-authentication-source option to Radius:
<add key="first-factor-authentication-source" value="Radius"/>
Configure the connection settings for the RADIUS server:
<!-- Server address and port (UDP) -->
<add key="nps-server-endpoint" value="192.168.0.10:1812"/>
<!-- Shared secret between the RADIUS server and the adapter -->
<add key="radius-shared-secret" value="0000000000" />
Additionally, make sure that the RADIUS server is configured to accept authentication requests from the Adapter.
Configure the Adapter to work with Citrix Receiver or Workspace Client
Specify the NAS Identifier and Shared Secret from the resource you created in the Multifactor personal area:
<!-- Address of the Multifactor API -->
<add key="multifactor-api-url" value="https://api.multifactor.ru"/>
<!-- NAS Identifier from the resource created in the personal area -->
<add key="multifactor-nas-identifier" value="1"/>
<!-- Shared Secret from the resource created in the personal area -->
<add key="multifactor-shared-secret" value="2"/>
Specify the IP address and host port where the Adapter itself will be located. If you put the Adapter on the same host as another RADIUS server, their ports should be different.
<!-- Address and port (UDP) on which the RADIUS adapter accepts connections -->
<add key="adapter-server-endpoint" value="192.168.0.1:1812"/>
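A sanity check over the adapter settings from the sections above, added here as an example rather than MultiFactor's own tooling. It parses the `<add key=... value=...>` entries, flags the sample placeholder values that must be replaced (the RADIUS shared secret, the NAS Identifier and Shared Secret from the personal area), requires https for the API URL, and catches the port clash described above when the adapter and the first-factor RADIUS server share a host. The `<configuration>/<appSettings>` envelope around the entries and the two sample configs are assumptions made for the example; the "FROM-PERSONAL-AREA" values are placeholders.

```python
import xml.etree.ElementTree as ET

# Values this guide configures for first-factor-authentication-source.
FIRST_FACTOR_SOURCES = {"ActiveDirectory", "Radius"}

# Constructed sample 1: the guide's sample values left in place, with the NPS
# endpoint pointed at the adapter's own host and port (assumed appSettings envelope).
SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="first-factor-authentication-source" value="Radius"/>
    <add key="nps-server-endpoint" value="192.168.0.1:1812"/>
    <add key="radius-shared-secret" value="0000000000"/>
    <!--add key="use-active-directory-user-phone" value="true"/-->
    <add key="multifactor-api-url" value="http://api.multifactor.ru"/>
    <add key="multifactor-nas-identifier" value="1"/>
    <add key="multifactor-shared-secret" value="2"/>
    <add key="adapter-server-endpoint" value="192.168.0.1:1812"/>
  </appSettings>
</configuration>"""

# Constructed sample 2: the same file with every finding fixed.
FIXED_CONFIG = """<configuration>
  <appSettings>
    <add key="first-factor-authentication-source" value="Radius"/>
    <add key="nps-server-endpoint" value="192.168.0.10:1812"/>
    <add key="radius-shared-secret" value="constructed-sample-secret-Q7v2"/>
    <add key="multifactor-api-url" value="https://api.multifactor.ru"/>
    <add key="multifactor-nas-identifier" value="NAS-ID-FROM-PERSONAL-AREA"/>
    <add key="multifactor-shared-secret" value="SHARED-SECRET-FROM-PERSONAL-AREA"/>
    <add key="adapter-server-endpoint" value="192.168.0.1:1812"/>
  </appSettings>
</configuration>"""


def load_settings(xml_text):
    """Active <add> entries only; commented-out entries are ignored by the XML parser."""
    root = ET.fromstring(xml_text)
    return {a.get("key"): a.get("value") for a in root.iter("add")}


def parse_endpoint(value):
    """Return (host, port) for a 'host:port' string, or None if malformed."""
    host, _, port = value.rpartition(":")
    if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        return None
    return host, int(port)


def check_config(xml_text):
    s = load_settings(xml_text)
    findings = []
    source = s.get("first-factor-authentication-source")
    if source not in FIRST_FACTOR_SOURCES:
        findings.append(f"first-factor-authentication-source must be one of "
                        f"{sorted(FIRST_FACTOR_SOURCES)}, got {source!r}")
    if source == "ActiveDirectory" and not s.get("active-directory-domain"):
        findings.append("active-directory-domain is required when the first factor is ActiveDirectory")
    adapter_ep = parse_endpoint(s.get("adapter-server-endpoint", ""))
    if adapter_ep is None:
        findings.append("adapter-server-endpoint must be host:port")
    if source == "Radius":
        nps_ep = parse_endpoint(s.get("nps-server-endpoint", ""))
        if nps_ep is None:
            findings.append("nps-server-endpoint must be host:port when the first factor is Radius")
        elif adapter_ep and nps_ep == adapter_ep:
            # Literal host comparison only; it will not spot 127.0.0.1 vs localhost.
            findings.append("adapter-server-endpoint and nps-server-endpoint clash: "
                            "same host requires different ports")
    secret = s.get("radius-shared-secret", "")
    if len(secret) < 16 or len(set(secret)) < 4:
        findings.append("radius-shared-secret is short or low-entropy; replace the sample value")
    if not s.get("multifactor-api-url", "").startswith("https://"):
        findings.append("multifactor-api-url must use https")
    for key in ("multifactor-nas-identifier", "multifactor-shared-secret"):
        if s.get(key, "") in ("", "1", "2"):
            findings.append(f"{key} still holds the sample placeholder; paste the value from the resource")
    return findings


if __name__ == "__main__":
    for line in check_config(SAMPLE_CONFIG):
        print("sample:", line)
    print("fixed:", check_config(FIXED_CONFIG))  # []
```

Run it against the real MultiFactor.Radius.Adapter.exe.config before starting the service; an empty list of findings means the settings this guide covers are at least consistent with each other.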
Launch the Adapter
The component can run in console mode or as a Windows service. To run in console mode, just run the application.
To install it as a Windows service, run it with the /i key as Administrator.
The component is installed in auto-startup mode by default on behalf of
To remove the Windows service, run it with the /u key as Administrator.
Citrix Gateway setup
- Go to the Citrix Gateway administrative interface.
- Go to Citrix Gateway → Virtual Servers in the left pane of the administrative interface.
- Select the desired Citrix Gateway Virtual Server and click Edit.
- On the "VPN Virtual Server" page, click the plus (+) sign next to Basic Authentication to add a new authentication policy.
- On the "Choose Type" page, select the RADIUS policy and Primary type from the drop-down menus and click Continue.
- On the next "Choose Type" screen, click the plus (+) sign next to "Policy Binding" → "Select Policy" checkbox.
- On the "Create Authentication RADIUS Policy" page, enter a name for the policy (for example, CitrixWebPortal) and then click the plus sign next to the "Server" field to create a new RADIUS server for clients connecting through the browser.
- On the Create Authentication RADIUS Server page, enter your Radius Adapter instance information:
| Field | Value |
|---|---|
| Name | CitrixWebPortal (or any convenient name) |
| Server Name or IP Address | Hostname or IP address of the server where the Adapter is located |
| Port | Port from the adapter settings (adapter-server-endpoint) |
| Secret Key | RADIUS secret from the adapter settings (radius-shared-secret) |
| Confirm Secret Key | RADIUS secret from the adapter settings (radius-shared-secret) |
Click Create to add the CitrixWebPortal RADIUS server and return to the Create Authentication RADIUS Policy page.
Click the Expression Editor link on the "Create Authentication RADIUS Policy" page to add a new expression with the value "true". This will enable the use of the second factor for all portal users.
Restrictions for individual groups and users
Citrix allows you to configure authentication policies for your users flexibly. For more information, see the documentation for your version of Gateway or NetScaler.
- When you have filled in the Server and Expression information correctly, click Create to save the new CitrixWebPortal policy and return to the Choose Type page.
- Make sure that on the "Choose Type" page, the new authentication policy via RADIUS that you just created is selected. Set the priority under "Binding Details" to 100 and click Bind.
- Make sure that all new policies for Citrix Receiver, Workspace, or portal users are shown and bound in the correct order. Click Close to save the authentication policies.
Make sure you have two RADIUS policies under Primary Authentication. Remove the others or raise the priority of the Multifactor policies so that they are applied first, then click Done.
Save any changes you have made to the configuration.