
Installation Documentation
NetScaler MFA/2FA Authentication with Google & Microsoft Azure


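#REM Turn on the AAA feature that the authentication commands below rely on
enable ns feature AAA

#Create LDAP Server and Policy
#REM Substitute your own Domain Controller IP address for what appears here as 192.168.1.10
#REM Substitute your own LDAP Base for what appears here as dc=mycorp,dc=com, for example dc=domain,dc=local
#REM Substitute your own LDAP Authentication account for what appears here as ldapserviceacct@mycorp.com (This is an Active Directory User service account that has a password that never expires)
#REM Because that password never expires, keep the account low-privilege and give it a long random password
#REM Substitute your own domain user password for what appears here as Password987!
#REM The action uses LDAPS (port 636, -secType SSL) instead of port 389 with -secType PlainText:
#REM with PlainText the bind account password and every user's password cross the network unencrypted,
#REM and -passwdChange ENABLED needs a secure (SSL or TLS) connection to the directory.
#REM The Domain Controller must present a server certificate for LDAPS to work.
#REM Consider also setting -validateServerCert YES together with -ldapHostname once the appliance trusts the issuing CA.
add authentication ldapAction MFA_LDAP_Server -serverIP 192.168.1.10 -serverPort 636 -ldapBase "dc=mycorp,dc=com" -ldapBindDn ldapserviceacct@mycorp.com -ldapBindDnPassword Password987! -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED
#REM -rule true sends every login through the LDAP action as the first factor
add authentication Policy MFA_LDAP_POL -rule true -action MFA_LDAP_Server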

#Create RADIUS Servers and Policies
#REM Substitute your own RADIUS / NPS Server IP addresses for what appears here as 192.168.1.11 and 192.168.1.12
#REM Substitute your own Shared Secret for what appears here as 12345
#REM 12345 is a placeholder only: use a long random secret, ideally different for each RADIUS server, matching the value configured on that server
#REM NPS_Google sets no -passEncoding, so the default (pap) applies and the password is protected on the wire only by the shared secret; NPS_Azure sets mschapv2
add authentication radiusAction NPS_Google -serverIP 192.168.1.11 -serverPort 1812 -radKey 12345
add authentication radiusAction NPS_Azure -serverIP 192.168.1.12 -serverPort 1812 -authTimeout 10 -radKey 12345 -radNASid MFA -passEncoding mschapv2
#REM These two policies share their names with the actions they call; they are the policies bound to the Pass-Through policy label further down
#REM Each rule matches on membership of the Active Directory group named in IS_MEMBER_OF
add authentication Policy NPS_Google -rule "http.REQ.USER.IS_MEMBER_OF(\"MFA_Google\")" -action NPS_Google
add authentication Policy NPS_Azure -rule "http.REQ.USER.IS_MEMBER_OF(\"MFA_Azure\")" -action NPS_Azure

#Create Authentication Policies
#REM For this example, Active Directory Security Groups were created named MFA_None, MFA_Azure and MFA_Google (Case Sensitive)
#REM If a user is in MFA_None then no Multifactor Authentication is used
#REM If a user is in MFA_Azure or MFA_Google then Microsoft Authenticator or Google Authenticator is used
#REM MFA_None maps to NO_AUTHN, so its members pass the second factor without any check: keep the group small and alert on membership changes in Active Directory
add authentication Policy MFA_None -rule "http.REQ.USER.IS_MEMBER_OF(\"MFA_None\")" -action NO_AUTHN
#REM NOTE(review): MFA_Azure and MFA_Google repeat the rules and actions of the NPS_Azure and NPS_Google policies and are not bound by any command shown on this page (the Pass-Through label binds NPS_Google, NPS_Azure and MFA_None) - confirm whether they are needed
add authentication Policy MFA_Azure -rule "http.REQ.USER.IS_MEMBER_OF(\"MFA_Azure\")" -action NPS_Azure
add authentication Policy MFA_Google -rule "http.REQ.USER.IS_MEMBER_OF(\"MFA_Google\")" -action NPS_Google

#Pass-Through
#REM Second-factor policy label; the LDAP policy on the authentication vserver points to it with -nextFactor
#REM LSCHEMA_INT is used as the login schema - presumably so that no extra login form is shown for this factor; confirm on your build
#REM Lower priority numbers are evaluated first and END stops at the first policy whose rule matches, so a user who is in an MFA group and also in MFA_None still gets the RADIUS factor
#REM NOTE(review): a user in none of the three groups matches no policy in this label - verify with a test account that such a login is refused rather than admitted on the password alone
bind authentication policylabel Pass-Through -policyName NPS_Google -priority 80 -gotoPriorityExpression END
bind authentication policylabel Pass-Through -policyName NPS_Azure -priority 90 -gotoPriorityExpression END
bind authentication policylabel Pass-Through -policyName MFA_None -priority 100 -gotoPriorityExpression END

#Authentication Server
#REM The authentication vserver is created with the address 0.0.0.0; the gateway refers to it through the authentication profile created on the next line
add authentication vserver MFA_AUTH_VSERVER SSL 0.0.0.0
#REM Despite the _POL suffix, MFA_AUTH_POL is an authentication profile, not a policy
add authentication authnProfile MFA_AUTH_POL -authnVsName MFA_AUTH_VSERVER
#REM "SSL" here is the name of a certificate-key pair - presumably one that already exists on the appliance; substitute your own
bind ssl vserver MFA_AUTH_VSERVER -certkeyName SSL
#REM First factor is LDAP (MFA_LDAP_POL); -nextFactor hands the login to the Pass-Through policy label for the second factor
bind authentication vserver MFA_AUTH_VSERVER -policy MFA_LDAP_POL -priority 100 -nextFactor Pass-Through -gotoPriorityExpression NEXT


#Edit NetScaler Gateway VPN Virtual Server and remove LDAP from Basic Authentication and remove any RADIUS Policies here as well
#Add Authentication Profile and select MFA_AUTH_POL
#REM VirtualServer and LDAP_Pol are presumably the names from an existing gateway configuration - substitute your own
#REM After the change, review the gateway's bindings (show vpn vserver VirtualServer) to confirm that no older LDAP or RADIUS authentication policy is still bound
unbind vpn vserver VirtualServer -policy LDAP_Pol
set vpn vserver VirtualServer -authnProfile MFA_AUTH_POL