Configuring RADIUS Authentication

You can configure Citrix Gateway to authenticate user access with one or more RADIUS servers. If you are using RSA SecurID, SafeWord, or Gemalto Protiva products, each of these products is configured by using a RADIUS server.

Your configuration might require using a network access server IP address (NAS IP) or a network access server identifier (NAS ID). When configuring Citrix Gateway to use a RADIUS authentication server, use the following guidelines:

  • If you enable use of the NAS IP, the appliance sends its configured IP address to the RADIUS server, rather than the source IP address used in establishing the RADIUS connection.
  • If you configure the NAS ID, the appliance sends the identifier to the RADIUS server. If you do not configure the NAS ID, the appliance sends its host name to the RADIUS server.
  • When you enable the NAS IP, the appliance ignores any NAS ID that is configured using the NAS IP to communicate with the RADIUS server.

Configuring Gemalto Protiva

Protiva is a strong authentication platform that Gemalto developed to use the strengths of Gemalto’s smart card authentication. With Protiva, users log on with a user name, password, and a one-time password that the Protiva device generates. Similar to RSA SecurID, the authentication request is sent to the Protiva authentication server and the server either validates or rejects the password. To configure Gemalto Protiva to be compatible with Citrix Gateway, use the following guidelines:

  • Install the Protiva server.
  • Install the Protiva SAS Agent Software, that extends the Internet Authentication Server (IAS), on a Microsoft IAS RADIUS server. Make sure you note the IP address and port number of the IAS server.
  • Configure a RADIUS authentication profile on Citrix Gateway and enter the settings of the Protiva server.

Configuring SafeWord

The SafeWord product line provides secure authentication using a token-based passcode. After the user enters the passcode, SafeWord immediately invalidates the passcode and it cannot be used again. When you configure the SafeWord server, you need the following information:

  • The IP address of Citrix Gateway. The IP address must be the same IP address that you configured in the RADIUS server client configuration. Citrix Gateway uses the internal IP address to communicate with the RADIUS server. When you configure the shared secret, use the internal IP address. If you configure two appliances for high availability, use the virtual internal IP address.
  • A shared secret.
  • The IP address and port of the SafeWord server. The default port number is 1812.
Configuring RADIUS Authentication