Citrix NetScaler is a secure application, desktop and data access solution that provides granular application-level and device-level policy and action controls for administrators, while allowing users to work from anywhere. Citrix NetScaler gives IT administrators a single point of control and the tools they need to support regulatory compliance and the highest levels of information security across and outside the enterprise. At the same time, it empowers users with a single point of access—optimized for roles, apps, devices and networks—for the enterprise applications and data they need. While this unique combination of capabilities helps maximize the productivity of today’s mobile workforce, it also introduces a huge need for user authentication.
SMS PASSCODE acts as a plug-in to the Microsoft Windows Server-based network policy server (NPS), making it easy to install. If the network policy server role is installed on the selected Windows Server, the SMS PASSCODE installation automatically detects it, and provides the possibility to select to secure RADIUS clients, and makes the necessary changes to the NPS server for the SMS PASSCODE plug-in to work after installation.
SMS PASSCODE supports the use of connection request policies, to seamlessly integrate other systems into the RADIUS server, providing the flexibility to choose how the NPS handles connection requests and e.g. filter authentication requests based on CRPs.
Prepare Citrix NetScaler for SMS PASSCODE
This document outlines the configuration of Citrix Netscaler for SMS PASSCODE.
Pre-requisite to begin; you must have admin access to the Netscaler and Windows Server that is hosting the NPS.
Configuration of the Authentication RADIUS server for SMS PASSCODE
The Netscaler authentication server is where you manage the Server Configuration for Netscaler access to the RADIUS server
The authentication type: Radius
Time-out: 10 (optional)
Passcode Encoding: PAP
Shared secret must be the same secret as set in the NPS’s RADIUS client. Checkmark the “Send the Calling Station ID” in order to send the End User IP.
* “Send Calling station ID” is not present in Netscaler versions earlier than 10.1
Configuring RADIUS Protection on a Windows Server.
1. Configure all RADIUS clients in the usual way by specifying the NPS server as the RADIUS server. Please note that the RADIUS client in this context is referring to the Netscaler.
2. Start the NPS Management Console:
1. Search for nps.msc
2. Choose Network Policy Server
3. Shows the NPS Management Console
4. Now you must create all your RADIUS Client in the NPS Management Console. If you already have created your radius client, you can skip to step 9.
5. To create a RADIUS Client:
1. Right-click the RADIUS Clients node.
2. Select New RADIUS Client.
6. The New RADIUS Client dialog appears.
1. Enter a “friendly name” of the RADIUS Client
2. Enter the IP address of the RADIUS Client.
3. Enter and confirm the Shared Secret. It must match the shared secret configured on the RADIUS Client.
4. Click OK.
7. The RADIUS Client that you have created will appear in the right-hand panel.
8. Repeat steps 5-7 if you need to create more RADIUS Clients.
9. This completes the configuration of the NPS.
Because SMS PASSCODE can see the IP address its users are logging in from, the solution delivers a higher level of security for NetScaler. With this information the IT team can configure location-based authentication policies to allow users to log in with or without an OTP depending on whether they are logging in from a trusted network like the company headquarters, branch or home offices. In addition, SMS PASSCODE can identify fraudulent login attempts from non-trusted sites and completely block access from these networks.