The purpose of this blog post is to explain the two modes of Duo integration with the NetScaler, to point out the pros and cons of each method, and to explain the different configurations needed for NetScaler and StoreFront when using each mode. I will not go into the configuration of the Duo proxy itself, as that is covered quite well (except where noted – see below) in the online Duo documentation (links below).
Having said that, there is one extremely important Duo configuration issue that I must mention. Do NOT use Notepad when editing the authproxy.cfg file! Use either Notepad++ or Wordpad. The impetus in creating this document was caused by wasting a good portion of the day bouncing back and forth between Citrix Tech Support and Duo Tech Support, when the only thing wrong was that Notepad inserted extra line breaks (one right in the middle of the RADIUS secret key!) in the config file.
Mode 1 – ad_client
In this mode, Duo performs ALL authentication. It communicates with Active Directory to validate the AD password, and, once validated, sends the user the push, call, or SMS. Duo configuration for this mode is explained here: https://duo.com/docs/citrix_netscaler.
In this configuration, the NetScaler needs only 2 RADIUS profiles and policies – one for Web access, and the other for Receiver access. Both are defined as PRIMARY - there are no secondary profiles/policies. The above link explains the profiles and policies in detail. Take note that the port for the Receiver authentication server should be different (e.g. 18120) than the standard RADIUS port (1812) used for the Web authentication server, and must match the port defined in the Duo config file.
One important point omitted by the Duo documentation is the configuration of StoreFront. When using ad_client mode, you must ensure that the Logon Type in the StoreFront Gateway Appliance Authentication Settings is set to Domain.
Users see only a single password field for both web and Receiver, so you do not need to hide the second password field (for the web), and there is much less confusion when using Receiver.
You also only need to define 2 RADIUS policies, making configuration slightly easier.
Since authentication is not being handled by the NetScaler, users cannot change passwords using this method.
Mode 2 – duo_only_client (referred to in Duo documentation as the Alternate Configuration)
In this mode, the NetScaler performs Active Directory authentication, with Duo handling only the 2nd factor (RADIUS) authentication – hence the name duo_only_client. This mode is a bit more complicated to set up on the NetScaler. While the Duo documentation of this mode (https://duo.com/docs/citrix_netscaler-alt) explains the Duo portion of the setup well, do NOT use this document to set up your NetScaler policies. This document describes setting up two SECONDARY RADIUS policies, which will NOT work if you are using Receiver. Instead, refer to the following Duo article: https://duo.com/docs/citrix_netscaler-faq (see the section: Why might mobile Receiver clients have issues authenticating with Duo?). This will refer you to the following Citrix KB article: http://support.citrix.com/article/CTX125364, which explains how and why you need to set up 2 LDAP and 2 RADIUS policies and profiles. Note that the session profile for the Receiver must have the Credential Index set to SECONDARY.
Again, the Duo documentation omits the setup of StoreFront. When using duo_only_client mode, you must ensure that the Logon Type in the StoreFront Gateway Appliance Authentication Settings is set to Domain and security token.
If you leave the Logon Type at the default Domain setting, logon via the web will work (since this setting is not used by the NetScaler), but Receiver (which does use this setting) will not work.
Since the NetScaler is performing Active Directory authentication, users may change their password (as long as the LDAP authentication server is using either TLS or SSL – not PLAINTEXT).
Using this mode, users will see two password prompts for web and Receiver:
While the unused second password field may be hidden for the web (see the Duo alternate configuration link above), this requires modification of the NetScaler source files - unsupported by Citrix, and, if not done carefully, may corrupt your NetScaler configuration. The second password field for the Receiver may NOT be hidden, and the user must enter a valid Duo factor name (push – recommended, or phone) into that field. This can get quite confusing for users. The NetScaler configuration for this mode is also a bit more complicated.