Citrix Netscaler Gateway Radius Configuration Guide Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Citrix Netscaler Gateway Radius Configuration Guide
Published: Nov 29, 2016   -   Updated: Jun 22, 2018



Citrix NetScaler Gateway integrates with Okta both directly using SAML or oAuth and indirectly using RADIUS. Using the Okta RADIUS Agent allows for authentication, including support for MFA to happen directly at the NetScaler Gateway login page. For authentication, the agent translates RADIUS authentication requests from NetScaler into Okta API calls that provide for user authentication. This guide explains how to configure Citrix NetScaler Gateway to use the Okta RADIUS Agent.

This guide has been verified with the following NetScaler Gateway versions:

  • Version 10.5.x

  • Version 11.0.x

  • Version 11.1.x

The following Citrix clients have been validated:

  • Citrix Web Receiver

  • Citrix Windows \ Mac Receiver

  • Citrix iOS \ Android Receiver

Supported Okta Features

Authentication with Okta Credentials via RADIUSYes 
Authentication with Okta Credentials via SAMLYes 
Multi-factor authentication via RADIUSYes 
Multi-factor authentication via SAMLYes  
Group memberships/Attributes via RADIUSYes **

** NetScaler will pass the username and password to storefront for AD group permissions

Configuring Okta

  • Download and install the RADIUS agent according to  Installing the Okta Radius Agent.

  • Download and install the AD agent according to Okta Active Directory Agent.

The Okta username prefix must match the AD user account name. 

For example if the AD account is JSMITH in the CORP domain and her NTLM is CORP/JSMITH and her UPN is jsmith@corp.local, then in Okta her username, which is always an email address, must be jsmith@<something>. The Okta login name suffix and AD FQDN suffix do not have to match but the prefix of the Okta login must match the AD username as NetScaler uses impersonation to pass the credentials the user enters to pass onto Citrix Storefront and Storefront must be able to match those credentials to AD.

Configuring Citrix NetScaler

Process Overview


  1. Log into the Citrix NetScaler admin interface with admin rights.

  2. Navigate to the Configuration tab

  3. From the Configurationpage, select + NetScaler Gateway + Policies + Authentication  + RADIUS.

  4. In the main body configuration for RADIUS select the Servers tab.

  5. Click the Add button:

    User-added image

    • In the form that opens, complete all sections, selecting either Server Name” or Server IP to use to define the server running the Okta RADIUS agent. The port number and secret key can be verified in the Okta RADIUS agent admin tool.

    • Click on the Details (or More) drop down and verify Password Encoding is set to pap.

      User-added image              User-added image

    • The available group settings and attributes can be used for Citrix permissions if needed.

    • Click OK to save the Server definition.

  6. Back in the RADIUS section, click on the Policies tab.

  7. Click on the Add button:

    User-added image

    • Give the policy a name. For the Server* drop down, select the Server Entry you just created.

    • In the Expression window, enter  ns_true  as the value. This will enable this policy to always be active when bound to a VIP. A more restrictive expression can be created to allow for more control over when this RADIUS policy is used and should be based on the customers need.

    • Click OK to save the policy.

      User-added image

  8. In the left hand tree, select Virtual Servers under NetScaler Gateway section.

  9. Locate the virtual server you wish to bind Okta RADIUS onto.

    • Highlight and select the Edit button:

      User-added image

    • Scroll to the Authentication section and unbind any existing policies and close the Authentication sub-window.

    • Back at the Virtual Server configuration screen, in the Authentication section, select the + (plus) on the right hand side of the section title:

      User-added image

    • In the Choose Policy option select RADIUS. In the Choose Type option select Primary. Click Continue:

      User-added image

    • In the Policy Binding section, click the > to select the RADIUS policy you created in section 7 above. Click the radial button to the left of the policy and click OK (or Select)xx

    • Set the Priority to 10 and click Bind.

      User-added image

    • Now back at the Virtual Server configuration screen scroll to the end and click on Done.

      User-added image

This completes the configuration, you can now test logins.

End User Experience

Your end users' experience should continue to be similar to before, except they will be prompted for an additional validation factor after the login with their AD credentials.

If they only have one MFA option setup, regardless of how many they have available to use they will only see that one active MFA after they login. NetScaler Gateway does not allow for the setup of MFA methods.

If they have multiple MFA options currently setup, they will first be prompted with a request to select their authentication method. They should only enter the number corresponding to their preferred choice. They will then be prompted with that authentication choice to complete.

End User Experience: Single-choice MFA Authentication

  1. Navigate to your VPN URL.

  2. Enter the Okta username and password.

  3. Click Logon.

  4. Answer the Okta MFA challenge.

End User Experience – Multi-choice MFA Authentication

  1. Navigate to your VPN URL.

  2. Enter Okta username and password.

  3. Click Logon.

  4. Respond to the MFA Choice screen.

  5. Answer the chosen MFA challenge.

End User Experience – MFA Methods Validated and Supported

  • Okta Verify Mobile App – Tested and validated.

  • Google Authenticator mobile app – Tested and validated.

  • SMS messaging – Tested and validated.

  • Security Question – Tested and validated.

  • Yubikey – Not yet tested.

Learn more about MFA in the MFA End User FAQ.

Additional Considerations

NetScaler Gateway does not support a user’s first time Okta setup. All users using Okta MFA at NetScaler gateway must first login to their Okta portal and configure their MFA. It is possible via Rewrite policies or CCS style sheet customizations to add links to the Gateway login page to direct first time users to their Okta login portal for initial registration.

NetScaler Gateway also does not currently have a solution for self-service password reset. Using Rewrite policies or page customizations, a link can be added to the Gateway login page to direct a user that is unable to login, to their Okta tenant password reset page.

Additional resources