Issue:-
Many times we face an issue on Citrix Netscaler Gateway where two-factor authentication is enabled with LDAP (or something similar) as the primary factor and RADIUS with a one-time password (OTP) as the secondary factor.
The main catch here is that the OTP is only provided to the user once they have authenticated against LDAP.
Problem:-
The problem we face here is that the Netscaler asks for username, password and passcode (OTP) on the first screen itself, but since the user is not yet authenticated, they can't provide the OTP.
What we want is to hide the second password field so that it is not shown to the user. There are many ways to do this in the browser, but there is no way to do this in Citrix Receiver.
Solution:-
1. Your Receiver version should be 4.4 or above for this.
2. Then connect to the Netscaler using WinSCP or any other SFTP tool, or use the vi editor, and edit the /netscaler/ns_gui/vpn/index.html file.
3. Add this line to the file:
<META http-equiv="X-Citrix-AM-GatewayAuthType" content="SMS">
below
<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
As you can see below:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Netscaler Gateway</title>
<link rel="SHORTCUT ICON" href="/vpn/images/AccessGateway.ico" type="image/vnd.microsoft.icon">
<META http-equiv="X-Citrix-AM-GatewayAuthType" content="SMS">
<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
<META content=noindex,nofollow,noarchive name=robots>
<link href="/vpn/js/rdx/core/css/rdx.css" rel="stylesheet" type="text/css"/>
And it started working fine: you will notice that the passcode field is now hidden.
After the password is entered, a second screen asks for the OTP requested by RADIUS.
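The edit from steps 2 and 3, scripted as an added example (not part of the original post and not a Citrix tool): it keeps a backup of index.html, inserts the META tag below the Content-Type tag, and does nothing on a second run. The function names and the .bak/.new suffixes are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): insert the Receiver hint META
# tag below the Content-Type META tag, once, keeping a backup of the page.
META_LINE='<META http-equiv="X-Citrix-AM-GatewayAuthType" content="SMS">'

add_gateway_authtype() {
    file=$1
    [ -f "$file" ] || { echo "not a file: $file" >&2; return 2; }
    # Idempotent: a second run must not add a duplicate tag.
    if grep -qi 'X-Citrix-AM-GatewayAuthType' "$file"; then
        return 0
    fi
    # Refuse to guess a position if the anchor tag is missing.
    grep -qi 'http-equiv="Content-Type"' "$file" || {
        echo "Content-Type META tag not found in $file" >&2; return 3; }
    cp -p "$file" "$file.bak" || return 1
    # Print every line; after the line that closes the Content-Type tag
    # (the tag may wrap onto a second line), print the new tag once.
    awk -v meta="$META_LINE" '
        { print }
        !done && tolower($0) ~ /http-equiv="content-type"/ { pending = 1 }
        pending && />[ \t\r]*$/ { print meta; pending = 0; done = 1 }
    ' "$file.bak" > "$file.new" || return 1
    # Overwrite in place so owner and mode of the original file are kept.
    cat "$file.new" > "$file" && rm -f "$file.new"
}

# Constructed sample <head>, modelled on the listing in the post, with the
# Content-Type tag wrapped over two lines to exercise that case.
make_sample() {
    cat > "$1" <<'EOF'
<head>
<title>Netscaler Gateway</title>
<META http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<META content=noindex,nofollow,noarchive name=robots>
</head>
EOF
}

# Run against a real file only when a path is given on the command line.
if [ $# -gt 0 ]; then add_gateway_authtype "$1"; fi
```

Pass the path of index.html as the only argument; the untouched copy is left next to it with the .bak suffix.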
This is only supported on Windows Receiver for now, and not on Android/iOS.
Hello,
I have also set up 2FA with OTP on Netscaler.
In the browser it works great but in the Citrix Receiver it doesn't. If I try to hide the second field as shown above, Radius gives an Access-Challenge, but Citrix Receiver is just displaying a message as if I have written a wrong password.
If I leave all the fields on one form, Radius sends an Access-Accepted and I have an OK login.
I would like to have the passcode entered as a second step as shown above, but it seems to me that Citrix Receiver is just "reading" the Access-Challenge as a failed login.
Could you tell me how you configured the Netscaler for having 2FA on Citrix Receiver and give me some hints on what I should double-check in my setup?
Thanks,
Mihai
It seems your RADIUS server is using PAP authentication. Can you try changing it to MSCHAP? In that case it should work.