Configuring Password Return with RADIUS

You can replace domain passwords with a one-time password that a token generates from a RADIUS server. When users log on to Citrix Gateway, they enter a personal identification number (PIN) and the passcode from the token. After Citrix Gateway validates their credentials, the RADIUS server returns the user’s Windows password to Citrix Gateway. Citrix Gateway accepts the response from the server and then uses the returned password for single sign-on instead of using the passcode that users typed during the logon. This password return with the RADIUS feature allows you to configure single sign-on without requiring users to recall their Windows password.

When users log on by using password return, they can access all allowed network resources in the internal network, including Citrix Endpoint Management, StoreFront, and the Web Interface.

To enable single sign-on by using returned passwords, you configure a RADIUS authentication policy on Citrix Gateway by using the Password Vendor Identifier and Password Attribute Type parameters. These two parameters return the user’s Windows password to Citrix Gateway.

Citrix Gateway supports Imprivata OneSign. The minimum required version of Imprivata OneSign is 4.0 with service pack 3. The default password vendor identifier for Imprivata OneSign is 398. The default password attribute type code for Imprivata OneSign is 5.

You can use other RADIUS servers for password return, such as RSA, Cisco, or Microsoft. Configure the RADIUS server to return the user single sign-on password in a vendor-specific attribute value pair. In a Citrix Gateway authentication policy, you must add the Password Vendor Identifier and Password Attribute Type parameters for these servers.

You can find a complete list of vendor identifiers on the Internet Assigned Numbers Authority (IANA) website. For example, the vendor identifier for RSA security is 2197, for Microsoft, it is 311, and for Cisco Systems, it is 9. The vendor-specific attribute that a vendor supports must be confirmed with the vendor. For example, Microsoft has published a list of vendor-specific attributes at Microsoft Vendor-specific RADIUS Attributes.

You can select any of the vendor-specific attributes to store the single sign-on password for users on the RADIUS server of the vendor. If you configure Citrix Gateway with the vendor identifier and attribute where the user password is stored on the RADIUS server, Citrix Gateway requests the value of the attribute in the access request packet that is sent to the RADIUS server. If the RADIUS server responds with the corresponding attribute-value pair in the access-accept packet, password return works regardless of the RADIUS server you use.

To configure single sign-on by using returned passwords:

  1. In the configuration utility, on the Configuration tab, expand Citrix Gateway > Policies \ > Authentication.
  2. In the navigation pane, click RADIUS.
  3. In the details pane, click Add.
  4. In the Create Authentication Policy dialog box, in Name, type a name for the policy.
  5. Next to Server, click New.
  6. In Name, type the name of the server.
  7. Configure the settings for the RADIUS server.
  8. In Password Vendor Identifier, type the vendor identifier that is returned by the RADIUS server. This identifier must have a minimum value of 1.
  9. In Password Attribute Type, type the attribute type that is returned by the RADIUS server in the vendor-specific AVP code. The value can range from 1 through 255.
  10. In the Create Authentication Policy dialog box, next to Named Expressions, select the expression, click Add Expression, click Create, and then click Close.
Configuring Password Return with RADIUS