Yes. Duo Authentication Proxy version 3.1.0 added support for showing the Duo browser prompt in the NetScaler RFWebUI theme. You must specify this theme in your authproxy.cfg file's [radius_server_iframe] section using the syntax type=citrix_netscaler_rfwebui. Refer to the complete instructions here.
A change to IE 11 resulted in incompatibility with some versions of Citrix NetScaler. The issue is addressed by NetScaler Gateway versions 9.3.66.x and 10.1.123.x and later. For additional information about the incompatibility, or to see the workaround for NetScaler Gateway versions that do not include the fix, please read "IE11 Compatibility got you down?" at the Citrix site.
If your NetScaler version is 10.1.123.x or later and IE 11 is displaying a blank authentication page, you may need to force the browser out of "quirks" mode. To do this, add the following line to the beginning of the NetScaler's /netscaler/ns_gui/vpn/index.html file (it may be at /var/ns_gui_custom/ns_gui/vpn/index.html if you're using a custom theme), immediately under the <HEAD> tag.
<META http-equiv="X-UA-Compatible" content="IE=edge">
Finally, ensure that IE is not showing the site in Compatibility View.
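The edit described above can be applied idempotently from the NetScaler shell. The following is an added example, not taken from Duo or Citrix documentation: the function names are hypothetical, and it assumes the <HEAD> tag sits on its own line in index.html.

```shell
#!/bin/sh
# Added example: insert the X-UA-Compatible META line directly under the
# first <HEAD> tag of a NetScaler index.html, once, keeping a backup copy.
# Usage (paths from the text above):
#   sh add_ua_meta.sh /netscaler/ns_gui/vpn/index.html
META='<META http-equiv="X-UA-Compatible" content="IE=edge">'

# has_ua_meta FILE: succeeds if an X-UA-Compatible META is already present.
has_ua_meta() {
    grep -qi 'http-equiv="X-UA-Compatible"' "$1"
}

# ensure_ua_meta FILE
#   returns 0 if the META line was already present or has been inserted,
#           1 if the file is missing or could not be written,
#           2 if the file has no <HEAD> tag (file left untouched).
ensure_ua_meta() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    if has_ua_meta "$file"; then
        echo "already present: $file"
        return 0
    fi
    # "<head" followed by a space or ">" so that <header> does not match.
    grep -qi '<head[ >]' "$file" || { echo "no <HEAD> tag: $file" >&2; return 2; }
    cp -p "$file" "$file.bak" || return 1
    # Read from the backup and write into the original path, so the file
    # keeps its owner and mode. Assumes <HEAD> is on its own line.
    if awk -v meta="$META" '
            { print }
            !done && tolower($0) ~ /<head[ >]/ { print meta; done = 1 }
        ' "$file.bak" > "$file"; then
        echo "inserted: $file (backup: $file.bak)"
    else
        cp -p "$file.bak" "$file"   # restore the original on failure
        return 1
    fi
}

# Process every path given on the command line (does nothing with no args).
for f in "$@"; do
    ensure_ua_meta "$f"
done
```

Running it a second time on the same file reports "already present" and leaves the file unchanged.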
Yes, when the NetScaler is configured with RADIUS listeners for both Citrix Receiver and Access Gateway browser access on different ports. This configuration is described in detail in the NetScaler primary and alternate instructions.
If you deploy Duo using our alternate configuration, iOS and Android Receiver users may not authenticate successfully. Per Citrix, it is necessary to perform RADIUS authentication before LDAP in Receiver mobile connections. You will need to configure the ordering of your authentication policies as follows:
Please see the Citrix article for more information and configuration instructions.
Yes, when delivered via NetScaler Gateway. You cannot add Duo RADIUS two-factor authentication directly to Storefront logins.
NetScaler devices have a hard-coded timeout of about three minutes, which closes the login session when the timeout is reached. This timeout is not currently a configurable option, but that may change in a future NetScaler firmware release.
Password concatenation is when you append a comma followed by a Duo passcode or the name of a Duo factor to the end of your Active Directory password, like "mypass123,123456". If you have configured your NetScaler to pass primary authentication on to Storefront, and then enter a concatenated password and passcode in Receiver, the login fails. This is because the NetScaler is passing the entire password + passcode string to Storefront as your AD password.
If you need to support logins to Storefront from Receiver using a passcode, we recommend you deploy our alternate NetScaler configuration. This will add an additional "Passcode" field to the Receiver login prompt, where you can enter a passcode or the name of a Duo factor. See our guide for Receiver for more.
Yes, click here for documentation.
Yes, click here for documentation. Note that CAG is an EOL product.