Citrix Gateway

Configuring RADIUS Group Extraction

You can configure RADIUS authorization by using a method called group extraction. Configuring group extraction allows you to administer users on your RADIUS server instead of adding them to Citrix Gateway.

You configure RADIUS authorization by using an authentication policy and configuring the group vendor identifier (ID), the group attribute type, the group prefix, and a group separator. When you configure the policy, you add an expression, and then bind the policy either globally or to a virtual server.

Configuring RADIUS on Windows Server 2003

If you are using Microsoft Internet Authentication Service (IAS) for RADIUS authorization on Windows Server 2003, during configuration of Citrix Gateway, you need to provide the following information:

  • Vendor ID is the vendor-specific code that you entered in IAS.
  • Type is the vendor-assigned attribute number.
  • Attribute name is the type of attribute name that you defined in IAS. The default name is CTXSUserGroups=

If IAS is not installed on the RADIUS server, you can install it from Add or Remove Programs in Control Panel. For more information, see the Windows online Help.

To configure IAS, use the Microsoft Management Console (MMC) and install the snap-in for IAS. Follow the wizard, making sure you select the following settings:

  • Select local computer.
  • Select Remote Access Policies and create a custom policy.
  • Select Windows-Groups for the policy.
  • Select one of the following protocols:
    • Microsoft Challenge-Handshake Authentication Protocol version 2 (MS-CHAP v2)
    • Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP)
    • Challenge-Handshake Authentication Protocol (CHAP)
    • Unencrypted authentication (PAP, SPAP)
  • Select the Vendor-Specific Attribute.

    The Vendor-Specific Attribute needs to match the users whom you defined in the group on the server with the users on Citrix Gateway. To meet this requirement, you send the Vendor-Specific Attributes to Citrix Gateway. Make sure you select RADIUS=Standard.

  • The RADIUS default is 0. Use this number for the vendor code.

  • The vendor-assigned attribute number is 0.

    This is the assigned number for the User Group attribute. The attribute is in string format.

  • Select String for the Attribute format.

    The Attribute value requires the attribute name and the groups.

    For the Access Gateway, the attribute value is CTXSUserGroups=groupname. If two groups are defined, such as sales and finance, the attribute value is CTXSUserGroups=sales;finance. Separate each group with a semicolon.

  • Remove all other entries in the Edit Dial-in Profile dialog box, leaving the one that says Vendor-Specific.

After you configure the Remote Access Policy in IAS, you configure RADIUS authentication and authorization on Citrix Gateway.

When configuring RADIUS authentication, use the settings that you configured on the IAS server.

Configuring RADIUS for Authentication on Windows Server 2008

On Windows Server 2008, you configure RADIUS authentication and authorization by using the Network Policy Server (NPS), which replaces Internet Authentication Service (IAS). You can use Server Manager and add NPS as a role to install NPS.

When you install NPS, select the Network Policy Service. After installation, you can configure RADIUS settings for your network by starting the NPS from Administrative Services on the Start menu. When you open the NPS, you add Citrix Gateway as a RADIUS client and then configure server groups.

When you configure the RADIUS client, make sure you select the following settings:

  • For the vendor name, select RADIUS Standard.
  • Make note of the shared secret because you will need to configure the same shared secret on Citrix Gateway.

For the RADIUS groups, you need the IP address or host name of the RADIUS server. Do not change the default settings.

After you configure the RADIUS client and groups, you then configure settings in the following two policies:

  • Connection Request Policies where you configure the settings for the Citrix Gateway connection including the type of network server, the conditions for the network policy, and the settings for the policy.
  • Network Policies where you configure the Extensible Authentication Protocol (EAP) authentication and the vendor-specific attributes.

When you configure the connection request policy, select Unspecified for the type of network server. You then configure your condition by selecting NAS Port Type as the condition and Virtual (VPN) as the value.

When you configure a network policy, you need to configure the following settings:

  • Select Remote Access Server (VPN Dial-up) as the type of network access server.

  • Select Encrypted Authentication (CHAP) and Unencrypted Authentication (PAP and SPAP) for the EAP.

  • Select RADIUS Standard for the Vendor-Specific Attribute.

    The default attribute number is 26. This attribute is used for RADIUS authorization.

    Citrix Gateway needs the vendor-specific attribute to match the users defined in the group on the server with those on Citrix Gateway. This is done by sending the vendor-specific attributes to the Citrix Gateway.

  • Select String for the attribute format.

    The Attribute value requires the attribute name and the groups.

    For Citrix Gateway, the attribute value is CTXSUserGroups= groupname. If two groups are defined, such as sales and finance, the attribute value is CTXSUserGroups=sales;finance. Separate each group with a semicolon.

  • The separator is that which you used on the NPS to separate groups, such as a semicolon, a colon, a space, or a period.

When you are finished configuring the remote access policy in IAS, you can configure RADIUS authentication and authorization on Citrix Gateway.

Configuring RADIUS Group Extraction