Article Number: 000133339
Instructions in this knowledge base article assume that you have already configured Citrix NetScaler for MFA. If you have not done so, you can find the Citrix NetScaler setup instructions for DUO at https://duo.com/docs/citrix_netscaler.
As part of the above setup, you create or modify an AuthProxy.cfg file that defines the settings for the DUO RADIUS proxy. A working example of that file is shown below. This is a validated configuration from a lab environment. Other configurations may or may not work.
************************************************ AuthProxy.cfg File Contents Below ************************************************
[ad_client]
; Active Directory Server IP or Name
host=192.168.10.10
service_account_username=administrator
service_account_password=Wyse#123
search_dn=dc=xen712,dc=citrix

[radius_server_auto]
; The API Host and Keys are account specific and retrieved through your DUO Portal (Figure 1).
api_host=api-fb98f637.duosecurity.com
iKey=XXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXX
failmode=safe
client=ad_client
radius_ip_1=192.168.10.2
radius_secret_1=Wyse#123
port=1812
************************************************ AuthProxy.cfg File Contents Above ************************************************
Figure 1: (English Only) DUO API Host and Keys
No special configuration is required on the ThinOS side to support DUO MFA Push Authentication. Below is an example of a configuration from a lab environment.
************************************************ WNOS.ini File Contents Below ************************************************
Timeserver=192.5.41.40 TimeFormat="12-hour format" DateFormat=mm/dd/yyyy
TimeZone='GMT -06:00' ManualOverride=yes Daylight=yes Start=030307 End=110207 TimeZoneName="Central" DayLightName="Central"
SignOn=Yes
Securitypolicy=low
Domainlist=xen712
AddCertificate="CA Root Cert Xen712_citrix.cer"
PnliteServer=https://nsgatewat.xen712.citrix?Store Storefront=yes
************************************************ WNOS.ini File Contents Above ************************************************
DUO MFA has been tested only with the application push method, and is known to work with it. Below are examples of the application notifications received on the mobile device (Figures 2 and 3).
Figure 2: (English Only) Application notification example
Figure 3: (English Only) Application Full Screen Example
Successful login flow:
Failed Login Behaviors
If you do not receive the authentication prompt on the phone, first check the following things. If none of these help, see the DUO documentation and support for more information: http://www.duo.com
Ensure that the AuthProxy.cfg file contains no syntax errors and all the necessary information. If the service does not start with your file, attempt to start it with the example content above, and then modify it to meet your environment.
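One way to run the check described above before starting the service, as an added example that is not part of the original article or of the DUO software. The names check_authproxy, REQUIRED and SAMPLE are hypothetical, the required keys are taken from the example file above, and Python's configparser stands in for the proxy's own parser as an assumption (it lowercases key names, so iKey is read as ikey).

```python
import configparser
import re

# Sections and keys used by the example AuthProxy.cfg in this article.
REQUIRED = {
    "ad_client": "host service_account_username service_account_password search_dn",
    "radius_server_auto": "api_host ikey skey failmode client radius_ip_1",
}

def check_authproxy(text):
    """Return a list of problems in AuthProxy.cfg text; empty means none found."""
    cp = configparser.ConfigParser(interpolation=None)  # keep % in passwords literal
    try:
        cp.read_string(text)
    except configparser.Error as exc:  # missing header, duplicate key, stray line
        return ["syntax error: " + str(exc).replace("\n", " ")]
    problems = [f"[{s}] {k} is missing or empty" for s, keys in REQUIRED.items()
                for k in keys.split() if not cp.get(s, k, fallback="").strip()]
    rs = cp["radius_server_auto"] if cp.has_section("radius_server_auto") else {}
    if rs.get("client") and not cp.has_section(rs["client"]):
        problems.append(f"client={rs['client']} names no section in the file")
    if rs.get("failmode") and rs["failmode"].lower() not in ("safe", "secure"):
        problems.append("failmode must be safe or secure")
    for key in rs:  # every RADIUS client entry needs its own shared secret
        m = re.fullmatch(r"radius_ip_(\d+)", key)
        if m and not rs.get(f"radius_secret_{m.group(1)}"):
            problems.append(f"{key} has no matching radius_secret_{m.group(1)}")
    for key in ("ikey", "skey"):
        if rs.get(key) and set(rs[key].upper()) == {"X"}:
            problems.append(f"{key} is still the placeholder value")
    return problems

# Constructed sample: keys left as placeholders, second client lacks a secret.
SAMPLE = """[ad_client]
host=192.0.2.10
service_account_username=svc_duo
service_account_password=example-only
search_dn=dc=example,dc=test
[radius_server_auto]
api_host=api-XXXXXXXX.duosecurity.com
ikey=XXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXX
failmode=safe
client=ad_client
radius_ip_1=192.0.2.2
radius_secret_1=example-only
radius_ip_2=192.0.2.3
"""
print(check_authproxy(SAMPLE))
```

An empty list means only that these checks passed; the DUO Authentication Proxy log remains the authority on whether the service accepted the file.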
The screenshots below show where to find the logs in the NetScaler (Figures 4 and 5).
Figure 4: (English Only) logs in NetScaler
Figure 5: (English Only) Review the DUO Authentication Proxy Log for Problems
Citrix Software, Wyse ThinOS, Wyse ThinOS Lite (Xenith)
15 Aug 2023