Configuring Radius Authentication on Windows 2003 for Use with Citrix Access Gateway

Citrix states in their article: CTX107495

Document ID: CTX107495, Created on: Aug 29, 2005, Updated: Oct 27, 2005

Products: Citrix Access Gateway 4.1, Citrix Access Gateway 4.0

Summary

This document provides information on how to configure Radius Authentication on Windows 2003 for use with Citrix Access Gateway. These steps were taken on a Windows 2003 Server with the Internet Authentication Service (IAS) component installed.

Procedure

1. Start the Microsoft Management Console (MMC) and add the Internet Authentication Service by choosing Add/Remove Snap-in from the console menu. Click Add and select the IAS Plug-In. Choose the Local Computer.

2. After the Snap-In is loaded, create a rule to allow the Access Gateway access to the Radius server.

3. Right-click the Clients folder and select New Client. Give it an identifier when prompted (the FQDN of the Access Gateway server is a good label) and leave the Protocol as Radius.

4. Click Next and provide either the IP address or the FQDN of the Access Gateway appliance that will be connecting to this Radius server for authentication. Leave the Client-Version set to RADIUS Standard and provide a Shared Secret that will allow the Access Gateway to authenticate to this Radius server.

5. Click Finish.

Select the Remote Access Policies:

1. Create a new Remote Policy and click Next when the Policy Wizard comes up:

2. Specify a custom policy, give it a policy name and click Next:

3. On the Policy Conditions Screen, select Add….

4. Select Windows-Groups and then click Add:

5. Use the wizard to select the Windows Groups you want to attach to this policy. After adding the users, select Grant remote access permission and select Next.

6. On the User Profile screen, select Edit Profile:

7. Select the Authentication tab and clear the Microsoft Encrypted Authentication version 2 (MS-CHAP v2) and Microsoft Encrypted Authentication (MS-CHAP) selections.

8. Select Encrypted Authentication (CHAP) and Unencrypted Authentication (PAP, SPAP):

9. Go to the Advanced tab, remove the existing parameters and then select Add:

10. Scroll to the bottom of the RADIUS Standard list, select Vendor-Specific, and click Add.

11. Click Add on the Multivalued Attribute Information screen:

12. Leave the network access server vendor as RADIUS Standard, select "Yes. It conforms." and then click Configure Attribute:

13. On the Configure VSA screen, leave the attribute number at 0, set the format to String, and then add CTXSUserGroups=My Users, where My Users stands for the groups you have defined on the Citrix Access Gateway. Use a semicolon (;) to separate multiple groups.

14. Your Dial-in Profile should resemble this now:

15. Click OK. You will be given a warning message stating that you have selected one or more authentication methods. Click No to avoid opening the help dialog:

16. Click Next:

17. Click Finish to complete the policy wizard:

Configuring the Access Gateway for Radius Authentication

1. Launch the Access Gateway Administration Tool.

2. Select the Authentication tab.

3. Either delete the default realm and recreate it as Radius authentication or create a new realm.

The server IP address is that of the Windows server you configured to act as the Radius server. The default RADIUS port is 1812. The shared secret is the secret you created when you added the Access Gateway server as a client in the IAS configuration above.

4. On the Authorization tab, leave the type as RADIUS Authorization, Vendor Code at 0, Vendor-assigned attribute number at 0, and for the Attribute Value Prefix, fill in only CTXSUserGroups=.
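To check that the IAS policy and the Authorization tab agree, the following added example (not Citrix code, and not part of the original article) decodes the attribute section of an Access-Accept and extracts group names from the Vendor-Specific attribute using Vendor Code 0, attribute number 0 and the prefix CTXSUserGroups=. The sample bytes and the second group name are constructed, and trimming whitespace around group names is an assumption about how the values are matched.

```python
import struct

VENDOR_SPECIFIC = 26          # RFC 2865 attribute type for Vendor-Specific
PREFIX = "CTXSUserGroups="    # Attribute Value Prefix from the Authorization tab

def build_vsa(vendor_id, vendor_type, value):
    """Encode one RFC 2865 Vendor-Specific attribute (used to construct test input)."""
    data = value.encode("utf-8")
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body

def iter_attributes(buf):
    """Yield (type, value) for each attribute TLV, rejecting malformed lengths."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError("bad attribute length")
        yield atype, buf[pos + 2:pos + alen]
        pos += alen

def extract_groups(attrs, vendor_id=0, vendor_type=0, prefix=PREFIX):
    """Return group names from VSAs matching vendor code, attribute number and prefix."""
    groups = []
    for atype, value in iter_attributes(attrs):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        (vid,) = struct.unpack("!I", value[:4])
        vtype, vlen = value[4], value[5]
        if vid != vendor_id or vtype != vendor_type or vlen < 2 or 4 + vlen > len(value):
            continue
        text = value[6:4 + vlen].decode("utf-8", errors="replace")
        if text.startswith(prefix):
            groups += [g.strip() for g in text[len(prefix):].split(";") if g.strip()]
    return groups

# Constructed sample: attribute section of an Access-Accept (group names are placeholders)
SAMPLE = (
    struct.pack("!BB", 18, 4) + b"ok"                      # Reply-Message, ignored
    + build_vsa(0, 0, "CTXSUserGroups=My Users;Helpdesk")  # value as entered in step 13
    + build_vsa(9, 1, "CTXSUserGroups=Wrong Vendor")       # different vendor code, ignored
)

if __name__ == "__main__":
    print(extract_groups(SAMPLE))
```

If the attribute number or vendor code in the IAS profile differs from the values on the Authorization tab, the function returns an empty list, which corresponds to a user who authenticates but is matched to no Access Gateway group.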

Troubleshooting

The Radius server must be able to access your Active Directory to authenticate users.

The Event Viewer on the Radius server will show successful and failed authentication attempts.
