Citrix Integration

General Overview

This guide explains the configuration of multi-factor authentication (MFA) for Citrix Gateway utilizing Mirket as the identity provider. Prior configuration and deployment of Citrix Gateway are required before setting up MFA with Mirket.

Citrix Gateway offers various MFA configuration modes. In this integration, we'll configure Citrix Gateway to authenticate local Mirket users using the PAP authenticate protocol.

Note: Use the MS-CHAPv2 authentication protocol when configuring Citrix Gateway to authenticate with users pulled from Active Directory. Also, make sure that NPS is installed, as the MS-CHAPv2 protocol does not support OTP.

To enable RADIUS authentication with Citrix Gateway, you'll need to install and set up the Mirket. The Mirket acts as a RADIUS server and should be installed within a network that has both Internet connectivity and access to your RADIUS clients.

This integration was tested with version NS13.1: Build 12.11.nc of Citrix ADC, where Citrix Gateway is a component of Citrix ADC.

Preparation Steps

Before proceeding with these procedures, ensure the following:

  • You've completed the installation and configuration of the Mirket (go to Mirket Installation Steps).

  • End-users can access the Citrix Gateway.

Configuring Citrix Gateway

RADIUS Authentication Policy and Server Creation

  • Access the Citrix Gateway administrator web console.

  • Select the Configuration tab and go to Citrix Gateway > Policies > Authentication > RADIUS.

  • Click on Add and enter a policy name in the Name field.

  • Click on the Add option next to the Server field.

  • Enter a server name in the Name field. Then choose the Server IP option.

  • Input the IP address of the Mirket (RADIUS server) in the IP Address field.

  • Input the port number for communication with the Mirket (RADIUS server) in the Port field. The default gateway port is 1812.

  • Assign a shared secret key to identify your RADIUS client in the Secret Key and Confirm Secret Key fields. Make sure to use the same shared secret key while configuring your RADIUS client resource in Mirket.

  • Input 30 in the Time-out field. Then click on Create.

  • Choose the "ns_true" option from the Saved Policy Expressions dropdown list.

  • Then click on the Create option to complete the process.

  • If a warning about classic authentication policies pops up, click on OK.

Connect RADIUS to the Virtual Server

  • Select the Configuration tab and go to Citrix Gateway > Virtual Servers. Then select your virtual server. You can refer to the Citrix documentation for creating a virtual server.

  • Click on Edit. Then click the "+" icon next to the Basic Authentication field.

  • Choose the "RADIUS" option from the Choose Policy dropdown list.

  • Choose the "Primary" option from the Choose Type dropdown list. Then click on Continue.

  • Click on the ">" icon next to the Select Policy field under the Policy Binding section.

  • Select the RADIUS policy that was previously created. Then click on the "Select" option.

  • Then, click on Bind.

Configure Mirket

To enable Mirket to receive authentication requests from Citrix Gateway, follow these steps:

  • Define Citrix Gateway as a RADIUS client resource within Mirket.

  • Create an authentication policy for the Citrix Gateway RADIUS client resource or include it in an existing authentication policy.

  • Attach the Citrix Gateway resource to the Mirket Radius.

Add a Citrix as Resource in Mirket with Mirket Radius Gateway

Before starting, ensure that you have installed Mirket Radius Gateway. To add a Radius Client to the Mirket Radius Gateway, follow these steps:

  • First, navigate to the directory C:\MirketRadius and open the config.json file.

  • Fill in the gateway and radiusClientList fields according to the provided specifications to ensure accurate and secure network configuration.

    • samName: Enter the SAM name of the gateway. In Mirket, user identification is done using the SAM (Security Account Manager) name. This is preferred over the standard username. This username is used for authentication and access controls. Please provide your domain name, such as 'mirket'.

    • authenticationPort: Enter the authentication port value you set for the gateway. The default value is 1812.

    • accountingPort: Enter the accounting port value you specified for the gateway. The default value is 1813.

    • gatewayIp: Enter the IP address of the server where the Mirket is installed.

    • ipAddress: Enter the IP address of your firewall.

    • secretKey: Enter your secret key. This secret key is used to link your radius client and radius server, so ensure they are identical.

  • Once you've made the necessary changes to the config.json file, save and close it. Note: You can add multiple RADIUS clients.

  • After completing the configuration, restart the 'Mirket Radius Gateway Service'.

User and Group configuration on Mirket

To set up multifactor authentication, make sure you have at least one user group in Mirket.

If it is preferred to use a local user, first create a local group and then create a local user and make the user a member of the group.

If it is preferred to use LDAP users, the priority LDAP group is created by pulling users from Active Directory or OpenLDAP in Mirket.

Add a Radius Rules to Mirket

Radius Rules define user access to resources and the authentication methods available (such as SMS, Approve / Deny, OTP etc.).

First, you should follow these steps:

  • Select Rules > Radius Rules.

  • Click on Add New.

  • Enter a rule name in the Name field.

  • Enter the rule description in the Description field.

  • Select the group to which the rule applies from the Group dropdown list.

  • Select the provider to which the rule applies from the Provider dropdown list.

  • Select the authorization profile to which the rule applies from the Authorization dropdown list.

  • Click on Save to confirm settings.

Test the Integration

To validate the integration between Mirket MFA and your Citrix Gateway, perform authentication using a mobile token on your mobile device. For RADIUS resources, available authentication methods include Approve/Deny authentication.

In this example, we illustrate the use of the Approve/Deny authentication method.

  • Go to the login page of the virtual server in a web browser.

  • Enter your Mirket username and password.

  • Click on Log On. Then, select the 'Approve' option(found in the Mirket mobile app) immediately and make sure it doesn't time out.

Related Topics

Radius Clients

Radius Rules

Local Group Configuration

Local Users Configuration

LDAP Group Configuration

LDAP Users

PreviousBarracuda CloudGen Firewall IntegrationNextCisco ASA Integration

Last updated