On Demand Citrix Nerds consulting services 24 hours a day!
Phone: 1-800-905-0005
Home > Documentation > Netscaler DUO MFA
Installation Documentation
Netscaler DUO Multi Factor Authenticaiton (MFA)
#Replace ikey, skey and api_host values below with those obtained from your DUO account
#Replace 192.168.1.11 with IP address of your domain controller
#Replace duo_service with a DUO account you create in Active Directory
#Replace dc=mycorp,dc=com with your Active Directory domain information
#Replace radius_secret & radKey value of Secret123 with secret you create
#Replace 192.168.1.20 with the NSIP of your Netscaler (Management IP)
#Replace 192.168.1.14 with the IP address of the DUO Authentication Proxy Server
#Replace CorpTheme with name of portal theme which is bound to virtual server
#01. Create a DUO account and Login to https://duo.com
#02. DUO Pane select Applications and select Protect an Application
#03. Search for Citrix Netscaler, select Citrix Gateway (Netscaler) and click Protect
#04. Note Integration key (IKEY), Secret key, API Hostname and click Save
ikey=DIVIY8U889EMROS3POVU
skey=tzY5dGuw2pnc4jwVImJXYYeUJdOeBXshC1GiP05W
api_host=api-c1dc27ca.duosecurity.com
#05. Install DUO Proxy host on Windows server
https://dl.duosecurity.com/duoauthproxy-latest.exe
#06. Configure Proxy: Windows (64-bit) C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg
#START Configuration - Replace entire contents of authproxy.cfg with this configuration information after modifying with correct values
[ad_client]
host=192.168.1.11
service_account_username=duo_service
service_account_password=Password987!
search_dn=dc=mycorp,dc=com
[cloud]
ikey=DIVIY8U889EMROS3POVU
skey=tzY5dGuw2pnc4jwVImJXYYeUJdOeBXshC1GiP05W
api_host=api-c1dc27ca.duosecurity.com
service_account_username=duo_service
service_account_password=Password987!
[radius_server_iframe]
type=citrix_netscaler_rfwebui
ikey=DIVIY8U889EMROS3POVU
skey=tzY5dGuw2pnc4jwVImJXYYeUJdOeBXshC1GiP05W
api_host=api-c1dc27ca.duosecurity.com
failmode=safe
client=ad_client
radius_ip_1=192.168.1.20
radius_secret_1=Secret123
port=1812
[radius_server_auto]
ikey=DIVIY8U889EMROS3POVU
skey=tzY5dGuw2pnc4jwVImJXYYeUJdOeBXshC1GiP05W
api_host=api-c1dc27ca.duosecurity.com
failmode=safe
client=ad_client
radius_ip_1=192.168.1.20
radius_secret_1=Secret123
port=18120
#END CONFIGURATION
#07. Services - start Duo Security Authentication Proxy Service
#08. Portal Theme must be RFWebUI or based off the RFWebUI template (this is important for DUO to function properly)
#09. Commands to add RADIUS Action and Policy on Netscaler
#Confirm value for radius_secret_1=Secret123 from authproxy.cfg is used for -radKey in two radiusAction's
add authentication radiusAction DUO_CitrixWeb -serverIP 192.168.1.14 -serverPort 1812 -authTimeout 60 -radKey Secret123
add authentication radiusAction DUO_CitrixReceiver -serverIP 192.168.1.14 -serverPort 18120 -authTimeout 60 -radKey Secret123
add authentication radiusPolicy DUOCitrixWebPolicy "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" DUO_CitrixWeb
add authentication radiusPolicy DUOCitrixReceiverPolicy "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" DUO_CitrixReceiver
#10. Bind DUO RADIUS policies to appropriate Vitual Server
bind vpn vserver VirtualServer -policy DUOCitrixWebPolicy -priority 100 -secondary
bind vpn vserver VirtualServer -policy DUOCitrixReceiverPolicy -priority 110 -secondary
#11. Select Basic Authentication, Primary Authentication, Unbind LDAP policy and Close
#12. Surpress Password 2 field on main logon page using rewrite policy
enable ns feature rewrite
add rewrite action RWA-RES-REMOVE_2ND_PASSWORD replace_all "HTTP.RES.BODY(99999)" "\"\\r\\n\"+\n\"<style type=\\\"text/css\\\">\\r\\n\"+\n\"[for=\\\"passwd1\\\"] { display: none;}\\r\\n\"+\n\"#passwd1 { display: none; }\\r\\n\"+\n\"</style>\\r\\n\"+\n\"\\r\\n\"+\n\"</body>\\r\\n\"+\n\"</html>\\r\\n\"" -search "text(\"</body>\n</html>\")"
add rewrite policy RWP-RES-REMOVE_2ND_PASSWORD "HTTP.REQ.URL.PATH.CONTAINS(\"/logon/themes/CorpTheme/index.html\")" RWA-RES-REMOVE_2ND_PASSWORD
bind vpn vserver VirtualServer -policy RWP-RES-REMOVE_2ND_PASSWORD -priority 100 -gotoPriorityExpression END -type RESPONSE
#13. Save Configuration by clicking save icon or save config from command line
#14. Test by using web browser with virtual server FQDN (IE. https://citrix.mycorp.com)
Enter username and password
Select DUO Push (recommended) or Passcode