
Citrix Netscaler

Alert

This is an interworking guide for Citrix NetScaler 12. If you want more detailed guides for other NetScaler or Citrix ADC versions, please visit Carl Stalhood's Citrix guides or see the official Citrix documentation. Citrix Documentation

Add the Citrix NetScaler as a RADIUS client in the Mideye Server

See section RADIUS clients in the reference guide.

Password-change using MS-CHAP-v2

Since Citrix NetScaler supports MS-CHAP-v2 as an authentication protocol, users whose password is about to expire can change it when logging on to the Citrix NetScaler portal. This feature requires Mideye Server release 4.3.0 or higher. For detailed instructions on how to enable MS-CHAP-v2 in the Mideye Server, follow this guide.


Web GUI - RADIUS

The following steps describe how to create a new RADIUS server on your NetScaler, how to create a RADIUS policy, and how to bind that policy to a virtual gateway. At the bottom of this section, the CLI commands that perform the same configuration as the web GUI are listed.

Web GUI - Add a new RADIUS Server

  1. Navigate to NetScaler Gateway → Policies → Authentication → RADIUS

  2. Select Server tab and click Add.

  3. Configure RADIUS Server

    • Name the RADIUS server: Mideye_RADIUS
    • Specify the IP address of the Mideye Server.
    • Use the port: 1812
    • Enter the secret key specified when you added the NetScalers as RADIUS clients on the Mideye Server.
    • Time-Out (seconds): 35
    • Click more.
    • Password Encoding, choose PAP or MS-CHAP-v2 depending on your environment.
    • Accounting: "OFF".
    • Authentication Server Retry: 1.
    • Click Test Connection.
    • If the test succeeds, click Create.

Web GUI - Add a RADIUS Policy

  1. Add policy

    • Navigate to NetScaler Gateway → Policies → Authentication → RADIUS.

    • Select Policies tab and click Add.

  2. Configure RADIUS Policy

    • Name the RADIUS policy.
    • Select the RADIUS server created earlier. (Mideye_RADIUS)
    • Enter a suitable expression, e.g. ns_true
    • Click create.

  3. Bind policy to virtual gateway

    • Navigate to NetScaler Gateway → Virtual Servers

    Navigate to virtual server

    • Select the Virtual Server where users log in and click Edit.

    • Scroll down to Basic Authentication and press + to add a RADIUS policy.

    • Choose policy RADIUS and type Primary.

    • Select the RADIUS policy created earlier and bind it to the server.

    • Click Bind; the RADIUS policy is now bound to the current virtual server.

CLI - RADIUS

CLI - Add a new RADIUS server

```
add authentication radiusaction Mideye_RADIUS -serverip 172.16.0.100 -serverport 1812 -authtimeout 35 -radkey SUPER_SECRET_PW -radNASip DISABLED -authservRetry 1 -passEncoding pap
```

CLI - Create a RADIUS Policy

add authentication radiusPolicy Mideye_RADIUS_pol "ns_true" Mideye_RADIUS

CLI - Bind policy to Virtual Gateway

bind vpn vserver my_virtual_loginpoint -policy Mideye_RADIUS_pol -priority 101

Load balancing

This section describes how to add multiple Mideye servers behind one Netscaler. At the bottom of this section, all CLI-commands are available that will perform the same configuration as from the webGUI.

Web GUI - Load balancing

Enable Load balancing

  • Navigate to System → Settings, Configure Basic Features.

  • Navigate to Basic Features
  • Select Load Balancing and click "OK".

Create a server object

There must be at least one server object added for each Mideye Radius Server.

  • Navigate to Traffic Management → Load Balancing → Servers

Configure LB RADIUS Server

  • Click Add and specify the information for your Mideye servers.
  • Name: Mideye_Server1
  • IPAddress: 172.16.0.100
  • Click Create, and add as many Mideye Servers as needed.

Create a Load Balancing Service

For each server object added in the previous step you need to create a service.

  • Navigate to Traffic Management → Load Balancing → Services

  • Click Add and specify the information for the service.
  • Service Name: Mideye_Server1_svc
  • Click Existing Server and select previously created object
  • Protocol: RADIUS
  • Port: 1812
  • Click Done.

Add a Monitor to the Load Balancing service

A monitor checks whether the Mideye Server service is responding. The monitor either logs on to the Mideye Server with a test user or calls the health API, and evaluates the response code returned by the Mideye Server. Neither check covers the Mideye Server → Mideye Switch communication.

  • Access Accept (0): The test user was accepted by the RADIUS server.
  • Access Reject (1): The test user exists but is rejected by the RADIUS server.
  • Access Reject (3): Internal error, account does not exist, or wrong password.

  • Navigate to Traffic Management → Load Balancing → Monitors

  • Click add to create a monitor. (Set Interval and Timeout times as preferred)
    • Name: Mideye_RADIUS
    • Type: Radius
    • Destination IP: 0 (this means it takes the IP from bound service)
    • Destination port: 0 (this means it takes the Port from bound service)
    • Retries: 1
  • Select the Special Parameters Tab
    • Remove response code 2 which is default.
    • Add response code 3.
    • Add a fake user name (this user name will show up in the Mideye Server logs).
    • Add a fake password.
    • Add the shared secret for the RADIUS client that the monitor should test. This must be added to the Mideye Server as well, since the monitor is a real RADIUS client that tries to log on to the server.
  • Click create to add the monitor.
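The following is an added example in Python (not Mideye or Citrix code) of what the monitor configured above does on the wire: it builds a RADIUS Access-Request for the fake user with the PAP password hiding of RFC 2865, and verifies the Response Authenticator of the answer. That verification only succeeds when the monitor's shared secret matches the one registered on the Mideye Server, which is why the secret has to exist on both sides. All user names, passwords and the secret are constructed placeholders; the expected Access-Reject (RADIUS code 3) is the response code the monitor is configured with.

```python
"""Added example: a RADIUS monitor probe (Access-Request, PAP) and the
shared-secret check on the reply. Constructed values; not product code."""
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865). The monitor above expects respCode 3.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def pap_decrypt(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt (what the RADIUS server does); padding stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], mask))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_id, authenticator=None):
    """Client (monitor) side. Returns (packet, request_authenticator)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, ident, request_authenticator, secret):
    """Client side. Returns the RADIUS code, or None if the packet is malformed,
    answers a different request, or was not signed with our shared secret."""
    if len(packet) < 20:
        return None
    code, resp_ident, length = struct.unpack("!BBH", packet[:4])
    if resp_ident != ident or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    return code


def service_is_up(response_code, expected_code=ACCESS_REJECT):
    """Monitor verdict: UP only if the configured response code came back."""
    return response_code == expected_code


if __name__ == "__main__":
    # Constructed values; the real shared secret is the one entered on the Mideye Server.
    secret = b"CHANGE_ME_SHARED_SECRET"
    req, auth = build_access_request(7, "fake_user", "fake_password", secret, "Netscaler")
    # The Mideye Server does not know fake_user, so it answers Access-Reject (3).
    reply = build_response(ACCESS_REJECT, 7, auth, secret)
    print("service UP:", service_is_up(verify_response(reply, 7, auth, secret)))
```

A reply built with a different secret fails `verify_response`, and RFC 2865 has a server silently discard requests it cannot validate, so a secret mismatch shows up on the NetScaler as a monitor timeout rather than as the expected code 3.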

Monitor Mideye Server Healthcheck

Mideye Server has a health API that can be called with an HTTPS monitor.

Citrix documentation for monitoring ssl services

Bind a monitor to a load balancing service

  • Navigate to Traffic Management → Load Balancing → Services

Bind monitor to service

  • Click the previously created service and edit it.
  • Go to the bottom of the page and add a Monitor.

Add the monitor

  • Remove the default ping monitor binding.

Remove ping monitor

  • Add Mideye_RADIUS monitor and click close.
  • Click done and services are ready.

Add monitor

  • When the monitors are up and RADIUS traffic is reaching the Mideye Server, both service states should be UP.

Verify that State is up

The Mideye Server log shows the monitor's logon attempts:

```
User: ‘fake_user’, NAS ID: ‘Netscaler’, State: ‘null’, Session ID: ’12’
Performing user authentication for user: fake_user, on NAS ID: Netscaler
Code: ‘9019’, Msg: ‘Invalid user or password.’
Could not find user ‘fake_user’
Unsuccessful authentication
```
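Because every monitor probe is logged as a failed authentication for the fake user, it will inflate any failed-logon alerting that reads these logs. The following added Python example (not Mideye code) parses log lines in the format shown above into authentication events and counts failures per user and NAS ID while skipping the monitor's fake accounts. The first five sample lines are the probe shown above; the remaining lines are constructed in the same format.

```python
"""Added example, not Mideye or Citrix code: parse Mideye Server authentication
log lines and separate the NetScaler monitor's fake-user probes from real failed
logons, so health checks do not inflate failed-authentication alerting."""
import re
from collections import Counter

# The "User:" line opens an authentication event; the log uses curly quotes,
# so both curly and straight quotes are accepted.
USER_RE = re.compile(r"User: [‘']([^’']*)[’'], NAS ID: [‘']([^’']*)[’']")
CODE_RE = re.compile(r"Code: [‘']?(\d+)[’']?, Msg: [‘']([^’']*)[’']")
RESULT_RE = re.compile(r"^(Successful|Unsuccessful) authentication")


def parse_auth_events(lines):
    """One event per 'User:' line, closed by the '... authentication' result line."""
    events, current = [], None
    for raw in lines:
        line = raw.strip()
        m = USER_RE.search(line)
        if m:
            current = {"user": m.group(1), "nas_id": m.group(2),
                       "code": None, "msg": None, "success": None}
            events.append(current)
            continue
        if current is None:
            continue
        m = CODE_RE.search(line)
        if m:
            current["code"], current["msg"] = m.group(1), m.group(2)
            continue
        m = RESULT_RE.match(line)
        if m:
            current["success"] = m.group(1) == "Successful"
            current = None  # event closed
    return events


def failed_logons(events, monitor_users=frozenset()):
    """Failures per (user, NAS ID), skipping the accounts the monitor uses."""
    counts = Counter()
    for ev in events:
        if ev["success"] is False and ev["user"] not in monitor_users:
            counts[(ev["user"], ev["nas_id"])] += 1
    return counts


# First five lines are the monitor probe shown on the page; the rest are
# constructed real-user events in the same format.
SAMPLE_LOG = [
    "User: ‘fake_user’, NAS ID: ‘Netscaler’, State: ‘null’, Session ID: ’12’",
    "Performing user authentication for user: fake_user, on NAS ID: Netscaler",
    "Code: ‘9019’, Msg: ‘Invalid user or password.’",
    "Could not find user ‘fake_user’",
    "Unsuccessful authentication",
    "User: ‘alice’, NAS ID: ‘Netscaler’, State: ‘null’, Session ID: ’13’",
    "Performing user authentication for user: alice, on NAS ID: Netscaler",
    "Code: ‘9019’, Msg: ‘Invalid user or password.’",
    "Unsuccessful authentication",
    "User: ‘alice’, NAS ID: ‘Netscaler’, State: ‘null’, Session ID: ’14’",
    "Performing user authentication for user: alice, on NAS ID: Netscaler",
    "Successful authentication",
    "User: ‘bob’, NAS ID: ‘Netscaler’, State: ‘null’, Session ID: ’15’",
    "Performing user authentication for user: bob, on NAS ID: Netscaler",
    "Code: ‘9019’, Msg: ‘Invalid user or password.’",
    "Unsuccessful authentication",
]

# The fake user name configured in the monitor (constructed value).
MONITOR_USERS = frozenset({"fake_user"})

if __name__ == "__main__":
    events = parse_auth_events(SAMPLE_LOG)
    print("all failures:", dict(failed_logons(events)))
    print("without monitor probes:", dict(failed_logons(events, MONITOR_USERS)))
```

Keep the monitor's fake user name in a dedicated allow-list rather than filtering on the "Could not find user" message, since that message also appears for real typos and deprovisioned accounts.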

Creating a virtual server

  • Navigate to Traffic Management → Load Balancing → Virtual Servers

  • Click add to create a Virtual server.
  • Name: Mideye_LB_vsrv
  • Protocol: RADIUS
  • IP Address Type: IP Address
  • IP Address:
  • Port: 1812

Add a virtual Server

Binding Services to the Virtual Server

  • Navigate to Traffic Management → Load Balancing → Virtual Servers
  • Edit the Virtual server you want to bind services to.

Edit the virtual Server

  • Click on Load Balancing Virtual Server Service Binding.

Loadbalance the virtual server

  • Bind the two Mideye load balancing services.

Bind the two services

Add a persistence setting so that requests from the same source go to the same service.

Make the server requests persistence

  • Set the rule to be bound to SOURCEIP.

Change persistence to "SOURCEIP"

  • Click OK and Done. Refresh the Virtual Servers page; State and Services should be marked green.

Using the LB RADIUS server for logins

Follow the steps in Add a RADIUS Server and add the LB virtual server as the RADIUS server.

CLI

CLI – Enable Load balancing

> enable ns feature LoadBalancing

CLI – Create a server object

> add server [name] [IPAddress | domain]

example:

> add server Mideye_Server1 52.174.122.65

> add server Mideye_Server2 13.93.2.199

CLI – Create a Load Balancing Service

```
> add service [name] [ServerName] [ServiceType] [port]
```

example:

```
> add service Mideye_Server1_svc Mideye_Server1 RADIUS 1812
> add service Mideye_Server2_svc Mideye_Server2 RADIUS 1812
```

CLI – Add a Monitor to the Load Balancing service

Look at the Official Citrix documentation for full syntax. Example needs to be one line in the Netscaler CLI. https://docs.citrix.com/ja-jp/netscaler/11/reference/netscaler-command-reference/lb/lb-monitor.html

example:

```
> add lb monitor Mideye_RADIUS2 RADIUS -respCode 3 -userName fake_user -password secret -encrypted -encryptmethod ENCMTHD_3 -radKey 12345678 -encrypted -encryptmethod ENCMTHD_3 -LRTM DISABLED -retries 1
```

CLI – Bind a Monitor to a Load Balancing service

> bind service Mideye_Server1_svc -monitorName Mideye_RADIUS
> bind service Mideye_Server2_svc -monitorName Mideye_RADIUS

CLI – Creating a virtual server

> add lb vserver [name] [serviceType] [ip] [port]

example:

```
> add lb vserver Mideye_LB_vsrv RADIUS 172.16.3.199 1812 -persistenceType SOURCEIP -cltTimeout 120
```

CLI – Bind Service to Virtual Server

> bind lb vserver [name] [serviceName]

example:

> bind lb vserver Mideye_LB_vsrv Mideye_Server1_svc
> bind lb vserver Mideye_LB_vsrv Mideye_Server2_svc

CLI – Verify configuration

> show server [serverName]

Add Drop-Down for multiple domain logons

  • Navigate to AppExpert → Rewrite → Rewrite → Actions
  • Add the domains that should be in the drop down list.
  • Type: INSERT_HTTP_HEADER
  • Header Name: Set-Cookie
  • Expression: "userDomains=Domain1,Domain2,Domain3;path=/;Secure"

Add domain

  • Navigate to AppExpert → Rewrite → Rewrite → Policies
  • Add the information needed as shown in the example below:
  • Name: Insert_domain_dropdown_policy
  • Action: Select previously created action
  • Expression: HTTP.REQ.URL.CONTAINS("/vpn/index.html")

Add policy

Add policy to Netscaler Gateway Virtual Server

  • Navigate to NetScaler Gateway → NetScaler Gateway Virtual Servers.
  • Edit the Virtual Server you want to add dropdown to.
  • Scroll down to Policies and press + sign to bind a policy.

Add the policy to Netscaler Gateway

  • Click Continue.
  • Select the dropdown policy created earlier.

Bind the policy

  • Click on Bind.
  • Scroll to the end of the page and click on done.
  • Make sure to save the recent changes.

Connect a RADIUS policy to dropdown domain.

  • Navigate to NetScaler Gateway → Policies → Authentication → RADIUS
  • Select the RADIUS policy that is used for Domain1
  • Change the expression to match the domain name created earlier: REQ.HTTP.HEADER Cookie CONTAINS Domain1

Connect the policy

Now the RADIUS policy will only trigger if the HTTP Cookie header contains Domain1, which it does when the user has selected Domain1 from the drop-down menu.

Note

If the names are similar they can collide. Example: if the domains in the drop-down are named Contoso, Contoso_internal and Contoso_External, the policy that looks for Contoso will trigger on all three choices, because all of them contain Contoso in the name.
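The collision comes from CONTAINS being a plain substring test on the whole Cookie header. The added Python example below (not NetScaler code; the expression language itself is not reproduced) evaluates the drop-down names from the note with that substring test and with an exact comparison of the selected domain, so the overlap is visible. The cookie name `userDomain` is an assumption made for the illustration; the NetScaler uses its own cookie for the selection.

```python
"""Added example, not NetScaler code: the substring test behind
'Cookie CONTAINS Domain1' versus an exact comparison of the selected domain.
The cookie name 'userDomain' is an assumption made for this illustration."""


def parse_cookie_header(header):
    """Turn a Cookie request header into a {name: value} dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def contains_match(cookie_header, domain):
    """What the policy expression above does: a plain substring test."""
    return domain in cookie_header


def exact_match(cookie_header, domain, cookie_name="userDomain"):
    """Compare the whole value of one named cookie (hypothetical cookie name)."""
    value = parse_cookie_header(cookie_header).get(cookie_name)
    return value is not None and value.casefold() == domain.casefold()


def triggered_policies(cookie_header, domains, matcher):
    """All domain policies whose expression would be true for this request."""
    return [d for d in domains if matcher(cookie_header, d)]


# Drop-down names from the note above; request cookies are constructed.
DOMAINS = ["Contoso", "Contoso_internal", "Contoso_External"]

if __name__ == "__main__":
    for choice in DOMAINS:
        header = f"userDomain={choice}; other=1"
        print(choice,
              "contains:", triggered_policies(header, DOMAINS, contains_match),
              "exact:", triggered_policies(header, DOMAINS, exact_match))
```

With the substring test, a user who picks Contoso_internal satisfies both the Contoso and the Contoso_internal policy, and the binding with the higher priority decides which RADIUS server is used; with an exact comparison only one policy matches. Choosing drop-down names that are not prefixes of each other avoids the problem without changing the expression.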

Radius Accounting

To use the Mideye Server as a RADIUS accounting server:

Note

The Mideye Server needs one unique NetScaler IP address per shared secret. Multiple shared secrets with the same IP address and different ports are not supported at the moment.

  1. Enable accounting in the NetScaler RADIUS server (action).
  2. Select the same RADIUS server in the NetScaler session policy.