
Installation Documentation
Netscaler DUO Multi Factor Authentication (MFA)

#Notes on getting started with DUO setup on Netscaler versions 13.0 and 13.1
#Replace the ikey, skey and api_host values below with those obtained from your DUO account; never reuse the values printed here, and keep your skey as confidential as a password
#Replace 192.168.1.11 with the IP address of your domain controller
#Replace duo_service with a service account for DUO that you create in Active Directory, and Password987! with that account's password
#Replace dc=mycorp,dc=com with your Active Directory domain information
#Replace the radius_secret and radKey value of Secret123 with a strong secret you create; the same value must be used in both places
#Replace 192.168.1.20 with the NSIP of your Netscaler (Management IP)
#Replace 192.168.1.14 with the IP address of the DUO Authentication Proxy Server
#Replace CorpTheme with the name of the portal theme which is bound to the virtual server


#01. Create a DUO account and log in at https://duo.com
#02. In the DUO Admin Panel, select Applications, then select Protect an Application
#03. Search for Citrix Netscaler, select Citrix Gateway (Netscaler) and click Protect
#04. Note the Integration key (IKEY), Secret key (SKEY) and API Hostname, then click Save
# Values noted in step 04; substitute the ones from your own DUO application.
# skey is the integration's secret: keep it out of tickets, wikis and version
# control, and reset it in the DUO Admin Panel if it has ever been shared.
ikey=DIVIY8U889EMROS3POVU
skey=tzY5dGuw2pnc4jwVImJXYYeUJdOeBXshC1GiP05W
api_host=api-c1dc27ca.duosecurity.com
#05. Install the DUO Authentication Proxy on a Windows server (compare the installer's checksum with the one DUO publishes before running it)
https://dl.duosecurity.com/duoauthproxy-latest.exe
#06. Configure the proxy by editing authproxy.cfg; on Windows (64-bit) the file is C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg
#START Configuration - Replace the entire contents of authproxy.cfg with this configuration after modifying it with your correct values
; authproxy.cfg for the DUO Authentication Proxy: one Active Directory client
; and two RADIUS listeners that the Netscaler sends authentication requests to.
; NOTE(review): every secret in this file is stored in clear text. On Windows the
; proxy also accepts encrypted values (skey_protected,
; service_account_password_protected, radius_secret_protected_1) generated with
; authproxy_passwd.exe. Either way, limit read access to this file to
; administrators and the account the proxy service runs as.

; Directory used to verify the primary credentials of requests handled by the
; RADIUS sections below (they reference it with client=ad_client).
; Password987! is a sample value; use the real password of the service account.
; NOTE(review): no transport option is set, so the proxy's default (unencrypted
; LDAP, as far as the DUO documentation describes it) applies. transport=starttls
; or transport=ldaps together with ssl_ca_certs_file protects the directory
; traffic - TODO confirm against your proxy version.
[ad_client]
host=192.168.1.11
service_account_username=duo_service
service_account_password=Password987!
search_dn=dc=mycorp,dc=com

; NOTE(review): [cloud] is the section DUO uses for directory synchronisation.
; Nothing else in this configuration refers to it, so it may be unnecessary for
; RADIUS-only MFA - confirm before keeping another copy of the skey and the
; service-account password here.
[cloud]
ikey=DIVIY8U889EMROS3POVU
skey=tzY5dGuw2pnc4jwVImJXYYeUJdOeBXshC1GiP05W
api_host=api-c1dc27ca.duosecurity.com
service_account_username=duo_service
service_account_password=Password987!

; Listener on port 1812, the port the DUO_RADIUSCitrixWeb action (browser
; logons) points at. type=citrix_netscaler_rfwebui ties it to the RFWebUI theme.
; NOTE(review): this is the iframe-based prompt integration; check DUO's current
; documentation for its support status before deploying - TODO confirm.
; failmode=safe: if DUO's service cannot be reached, users who pass primary
; authentication are admitted without the second factor. failmode=secure rejects
; them instead. Pick the value deliberately.
; radius_ip_1 / radius_secret_1: the RADIUS client address the proxy accepts
; requests from and the shared secret for it. Secret123 is a sample value; use
; a long random secret and the same value for -radKey on the Netscaler.
[radius_server_iframe]
type=citrix_netscaler_rfwebui
ikey=DIVIY8U889EMROS3POVU
skey=tzY5dGuw2pnc4jwVImJXYYeUJdOeBXshC1GiP05W
api_host=api-c1dc27ca.duosecurity.com
failmode=safe
client=ad_client
radius_ip_1=192.168.1.20
radius_secret_1=Secret123
port=1812

; Listener on port 18120, the port the DUO_RADIUSCitrixReceiver action (Citrix
; Receiver logons) points at. The failmode and shared-secret remarks made for
; [radius_server_iframe] apply here unchanged.
[radius_server_auto]
ikey=DIVIY8U889EMROS3POVU
skey=tzY5dGuw2pnc4jwVImJXYYeUJdOeBXshC1GiP05W
api_host=api-c1dc27ca.duosecurity.com
failmode=safe
client=ad_client
radius_ip_1=192.168.1.20
radius_secret_1=Secret123
port=18120
#END CONFIGURATION
#07. In Windows Services, start the Duo Security Authentication Proxy Service
#08. The Portal Theme must be RFWebUI or based on the RFWebUI template (this is important for DUO to function properly)
#09. Commands to add RADIUS Actions and Policies on Netscaler
#Confirm that the radius_secret_1 value from authproxy.cfg (Secret123 in this example) is used for -radKey in both radiusActions
#Secret123 is a sample value: use a long, random shared secret, because it is what protects the RADIUS exchange between the Netscaler and the proxy
#-serverIP is the DUO Authentication Proxy; ports 1812 and 18120 match the [radius_server_iframe] and [radius_server_auto] listeners in authproxy.cfg
#-authTimeout 60 makes the Netscaler wait up to 60 seconds for the proxy's answer (presumably to leave time for approving a push)
add authentication radiusAction DUO_RADIUSCitrixWeb -serverIP 192.168.1.14 -serverPort 1812 -authTimeout 60 -radKey Secret123
add authentication radiusAction DUO_RADIUSCitrixReceiver -serverIP 192.168.1.14 -serverPort 18120 -authTimeout 60 -radKey Secret123
#The two policies pick an action from the User-Agent header: requests containing CitrixReceiver use the Receiver action, all others use the web action
#NOTE(review): User-Agent is supplied by the client and can be set to any value, so it may only decide the order of the factors, never whether a second factor is required
#NOTE(review): REQ.HTTP.HEADER is classic policy syntax; confirm that classic authentication policies are still supported on your target build
add authentication radiusPolicy DUO_RADIUSCitrixWebPolicy "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" DUO_RADIUSCitrixWeb
add authentication radiusPolicy DUO_RADIUSCitrixReceiverPolicy "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" DUO_RADIUSCitrixReceiver
#10. Bind DUO RADIUS policies to appropriate Virtual Server
#VirtualServer is presumably a placeholder; use the name of your own vpn vserver
#The Receiver policy is bound without -secondary, so RADIUS is the primary factor for Receiver logons
bind vpn vserver VirtualServer -policy DUO_RADIUSCitrixReceiverPolicy -priority 90
#The web policy is bound with -secondary, so RADIUS is the secondary factor for browser logons
bind vpn vserver VirtualServer -policy DUO_RADIUSCitrixWebPolicy -priority 110 -secondary
#11. Commands to add LDAP Policies on Netscaler and Bind to appropriate Virtual Server
#LDAP_Pol is presumably the LDAP policy already bound to the virtual server, and LDAP_Server an existing LDAP action; substitute your own names
#NOTE(review): between the unbind and the binds below the virtual server has no LDAP policy; make the change in a maintenance window and test both logon types afterwards
unbind vpn vserver VirtualServer -policy LDAP_Pol
#Same User-Agent split as the RADIUS policies, both pointing at the one LDAP action
add authentication ldapPolicy DUO_LDAPCitrixWebPolicy "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" LDAP_Server
add authentication ldapPolicy DUO_LDAPCitrixReceiverPolicy "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" LDAP_Server
#Mirror image of the RADIUS bindings: LDAP is primary for browsers and secondary for Receiver, so either User-Agent value still passes through both LDAP and RADIUS
bind vpn vserver VirtualServer -policy DUO_LDAPCitrixWebPolicy -priority 100
bind vpn vserver VirtualServer -policy DUO_LDAPCitrixReceiverPolicy -priority 100 -secondary
#12. Modify Session Profile
#AC_OS_Receiver is presumably the existing session profile applied to Receiver clients; substitute your own profile name
#Single sign-on then uses the secondary credentials, which for Receiver logons are the LDAP ones (the LDAP Receiver policy is bound with -secondary)
set vpn sessionAction AC_OS_Receiver -ssoCredential SECONDARY
#13. Suppress Password 2 field on main logon page using rewrite policy
#This is cosmetic: the injected CSS only hides the passwd1 field and its label; it does not change which authentication policies the virtual server enforces
#Turns the rewrite feature on for the appliance
enable ns feature rewrite
#Replaces the closing </body></html> of the response with a <style> block followed by the same closing tags; HTTP.RES.BODY(99999) limits the search to the first 99999 bytes of the body
add rewrite action RWA-RES-REMOVE_2ND_PASSWORD replace_all "HTTP.RES.BODY(99999)" "\"\\r\\n\"+\n\"<style type=\\\"text/css\\\">\\r\\n\"+\n\"[for=\\\"passwd1\\\"] { display: none;}\\r\\n\"+\n\"#passwd1 { display: none; }\\r\\n\"+\n\"</style>\\r\\n\"+\n\"\\r\\n\"+\n\"</body>\\r\\n\"+\n\"</html>\\r\\n\"" -search "text(\"</body>\n</html>\")"
#Applies the action only to requests for the logon page of the CorpTheme portal theme
add rewrite policy RWP-RES-REMOVE_2ND_PASSWORD "HTTP.REQ.URL.PATH.CONTAINS(\"/logon/themes/CorpTheme/index.html\")" RWA-RES-REMOVE_2ND_PASSWORD
#Bound as a RESPONSE-type policy on the virtual server; -gotoPriorityExpression END stops further policy evaluation after this one
bind vpn vserver VirtualServer -policy RWP-RES-REMOVE_2ND_PASSWORD -priority 100 -gotoPriorityExpression END -type RESPONSE
#14. Save the configuration by clicking the save icon or by running save config from the command line
#15. Test by browsing to the virtual server FQDN (e.g. https://citrix.mycorp.com)
Enter username and password
Select DUO Push (recommended) or Passcode