How to Configure DUO with Citrix NetScaler for ThinOS

Affected Operating Systems:

• Wyse ThinOS

Not Applicable

Table of contents

• Configuring Citrix NetScaler for DUO MFA
• ThinOS Configuration
• Troubleshooting Tips

Configuring Citrix NetScaler for DUO MFA

Instructions in this knowledge base article assume that you have already configured Citrix NetScaler for MFA. If you have not done so, you can find the Citrix NetScaler setup instructions for DUO at https://duo.com/docs/citrix_netscaler .

DUO AuthProxy.cfg File

As part of the above setup you create, or modify an AuthProxy.cfg file that defines the settings for the DUO RADIUS proxy. A working example of that file is mentioned below. This is a validated configuration from a lab environment. Other configurations may or may not work.

************************************************
AuthProxy.cfg File Contents Below
************************************************
[ad_client]
host=192.168.10.10 (Active Directory Server IP or Name)
service_account_username=administrator
service_account_password=Wyse#123
search_dn=dc=xen712,dc=citrix<

[radius_server_auto]
api_host=api-fb98f637.duosecurity.com (The API Host and Keys are account specific and retrieved through your DUO Portal (Figure 1).)
iKey=XXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXX
failmode=safe
client=ad_client
radius_ip_1=192.168.10.2
radius_secret_1=Wyse#123
port=1812
************************************************
AuthProxy.cfg File Contents Above
************************************************

Figure 1: (English Only) DUO API Host and Keys

Back to top

ThinOS Configuration

There is no special configuration that is required on the ThinOS side to support DUO MFA Push Authentication. Below is an example of a configuration from a lab environment.

************************************************
WNOS.ini File Contents Below
************************************************

Timeserver=192.5.41.40 TimeFormat="12-hour format" DateFormat=mm/dd/yyyy
TimeZone='GMT -06:00' ManualOverride=yes Daylight=yes Start=030307 End=110207
TimeZoneName="Central" DayLightName="Central"

SignOn=Yes
Securitypolicy=low
Domainlist=xen712
AddCertificate="CA Root Cert Xen712_citrix.cer"
PnliteServer=https://nsgatewat.xen712.citrix?Store Storefront=yes
************************************************
WNOS.ini File Contents Above
************************************************

ThinOS Authentication Method Note

DUO MFA has only been tested against and is known to be working with the application push method. Below are application notification examples that are received on the mobile device (Figure 2 & 3).

Figure 2: (English Only) Application notification example

Figure 3: (English Only) Application Full Screen Example

Notes on ThinOS Authentication Behavior with DUO Enabled

Successful login flow:

1. Enter credentials, and press enter.
2. Authenticating to NetScaler Message.
3. Duo Push to Phone.
4. Approve on Phone App.
5. Login Completes

Failed Login Behaviors

1. Credentials are verified first so bad credentials return an Invalid credential, please retry message.
2. A deny from the phone returns an Invalid credential, please retry message.

Troubleshooting Tips

If you do not receive the authentication prompt on the phone, first check the following things. If none of these are helpful reference DUO documentation and support for more information. http://www.duo.com

Duo Authentication Proxy Service is not Starting.

Ensure that the AuthProxy.cfg file contains no syntax errors and all the necessary information. If the service does not start with your file, attempt to start it with the example content above, and then modify it to meet your environment.

Review Authentication Logs On the NetScaler for Problems.

Below is a screenshot of where to find the logs in the NetScaler (Figure 4 & 5).

Figure 4: (English Only) logs in NetScaler

Figure 5: (English Only) Review the DUO Authentication Proxy Log for Problems