Citrix Access Gateway Standard 5.x

From Swivel Knowledgebase Wiki


Introduction

This document covers the integration of PINsafe with the Citrix Access Gateway Standard edition. The Standard edition allows authentication using SMS, Email, the Mobile Phone applet and the PINsafe Taskbar, but does not allow the single channel image to be embedded into the login page. To allow the single channel image to be embedded into the login page, the following options are available:


Prerequisites

PINsafe 3.x

Citrix Access Gateway 5.x


Baseline

PINsafe 3.8

CAG Standard 5.0.3


Architecture

Authentication requests are made against the PINsafe server using RADIUS.


Installation

PINsafe Configuration

Configuring the RADIUS server

Configure the RADIUS settings using the RADIUS configuration page in the PINsafe Administration console. In this example (see diagram below) the RADIUS Mode is set to ‘Enabled’ and the HOST IP (the PINsafe server) is set to 0.0.0.0 (leaving the field empty has the same result). This means that the server will answer all RADIUS requests it receives, regardless of the IP address that they were sent to.

Note: for appliances, the PINsafe VIP should not be used as the server IP address; see VIP on PINsafe Appliances.


Image:PINsafe36RADIUSserver.JPG


Setting up the RADIUS NAS

Set up the NAS using the Network Access Servers page in the PINsafe Administration console. Enter a name for the Citrix Gateway. In this example the IP address has been set to the IP of the VPN appliance, and the secret ‘secret’ has been assigned; the same secret is used in both the PINsafe server and the VPN RADIUS configuration.


Image:PINsafe 36 generic RADIUS NAS.JPG


You can specify an EAP protocol if required; otherwise CHAP, PAP and MSCHAP will be supported. All users will be able to authenticate via this NAS unless authentication is restricted to a specific repository group.


Setting up PINsafe Dual Channel Transports

See Transport Configuration


Citrix Access Gateway Standard Edition Integration

Follow the Citrix Access Gateway Standard Edition Administration guide to configure RADIUS authentication.


CAG RADIUS Properties

On the CAG Configuration, configure one or more PINsafe instances as a RADIUS server.


Image:CAG Standard 5 RADIUS Properties.jpg


CAG logon Point Properties

Configure PINsafe as an authentication server. PINsafe would usually be configured as a secondary authentication server using RADIUS, with AD as the primary authentication server. In this example Single Sign-On to the Citrix Web Interface is being used, and the logon point has been created as a basic logon point.


Image:CAG Standard 5 login point properties.jpg


Additional Installation Options

Verifying the Installation

Browse to the CAG login page and enter username, AD Password and OTC from the SMS or Mobile Phone Client. Check the PINsafe logs to ensure that a RADIUS request has been seen.

Image:CAG Standard 5 login.jpg
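The RADIUS leg can also be checked without the CAG login page. The following is an added example, not part of the original article or of any Swivel or Citrix tooling: a small RADIUS PAP client (RFC 2865) that sends one Access-Request carrying the OTC and verifies the Response Authenticator, so that a shared secret mismatch is distinguished from a rejected OTC. Assumptions: the host running it has its own NAS entry in PINsafe, the server listens on the standard RADIUS port 1812, and the host, user and OTC values shown are constructed.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute types

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with an MD5 keystream."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, user, otc, secret, authenticator=None):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    authenticator = authenticator or os.urandom(16)
    def attr(kind, value):
        return struct.pack("!BB", kind, len(value) + 2) + value
    attrs = attr(USER_NAME, user.encode()) + attr(
        USER_PASSWORD, hide_password(otc.encode(), secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def response_is_authentic(reply, request_authenticator, secret):
    """Check MD5(Code+ID+Length+RequestAuth+Attributes+Secret) against the reply."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(
        reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def check_server(host, user, otc, secret, port=1812, timeout=5.0):
    """Send one request; True on Access-Accept, False on any other reply code."""
    packet, auth = build_access_request(os.urandom(1)[0], user, otc, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        reply, _ = sock.recvfrom(4096)  # a timeout here means no answer at all
    if not response_is_authentic(reply, auth, secret) or reply[1] != packet[1]:
        raise ValueError("reply failed verification: shared secret mismatch?")
    return reply[0] == ACCESS_ACCEPT

if __name__ == "__main__":
    # Constructed values: 192.0.2.10 is a documentation address, not a real server.
    print(check_server("192.0.2.10", "alice", "123456", b"secret"))
```

A timeout points at the NAS entry or network path, a verification error points at the shared secret, and a clean `False` means the server answered but did not accept the credentials; in each case the PINsafe logs should show the corresponding RADIUS request.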


Uninstalling the PINsafe Integration

Troubleshooting

Known Issues and Limitations

Additional Information

For additional features use the Advanced Access Controller. This allows customised login pages and the Single Channel Turing Image authentication; see Citrix Access Gateway Advanced 4.x.