AuthLite and Citrix

Instructions for using AuthLite to add two-factor security to Citrix through the Citrix Web Interface.

You can use the Citrix W.I.'s built-in two-factor authentication support together with AuthLite Split-mode users. Citrix authenticates the username/password combo the same way you have it set up currently, and then sends the username and OTP over RADIUS to AuthLite for the second-factor authentication.

Configuration you need in AuthLite:

  • On each DC you want to use for authenticating Citrix users:
    • In AuthLite config, go to the RADIUS tab
    • Enable RADIUS service
    • Set port to 1812 unless you have another RADIUS service there already
    • Type a shared secret that you will also enter into Citrix later. Must be the same secret for all RADIUS services you'll be setting up this way
    • Select One factor PAP
    • Check the (new) "Permit requests that don't send the domain type" box
    • Apply changes
    • Restart the AuthLite service to pick up changes

An overview of settings you need in the Citrix Web Interface site:

  • Authentication method: explicit
  • Authentication type: windows
  • Credential format: Domain user name only
  • Display your domain name pre-populated, for convenience of users
  • Two-factor authentication
    • Two-factor setting: RADIUS
    • Define the RADIUS servers and ports, pointing at the AuthLite DCs that have the AuthLite RADIUS service configured (see above)
  • Make a text file (seriously) called "radius_secret.txt" containing only the shared secret text string you want to use for RADIUS.
  • Put that text file in the conf folder of your W.I. site, e.g. Inetpub\Citrix\XenApp\conf (or whatever path your W.I. site uses).
  • On the firewall between the W.I. server and the DCs, you'll need to allow UDP 1812 so the RADIUS traffic can pass.

When you have all this done, loading the W.I. logon screen should display an additional field "passcode", into which the AuthLite OTP key can be tapped.
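The second factor above travels as a plain RFC 2865 Access-Request with the OTP in a PAP-hidden User-Password attribute, which is why the shared secret must match on every DC and why the W.I. can only talk to AuthLite if UDP 1812 is open. The following Python is an added example (not AuthLite's or Citrix's code) that builds such a request, hides and recovers the password with the shared secret, and checks the Response Authenticator on the reply; the `simulate_authlite_server` function is a stand-in for the "One factor PAP" service, not AuthLite's implementation. The user name, OTP and secret values are constructed for illustration, and `radius_roundtrip` is an assumed helper you can point at a DC to confirm the port and secret before wiring up the W.I.

```python
"""RFC 2865 Access-Request / Access-Accept handling for a PAP one-factor RADIUS hop.
Added example; the server side is a simulation, not AuthLite's code."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _attr(atype, value):
    # Attribute TLV: type(1) length(1, header included) value
    return bytes([atype, len(value) + 2]) + value


def encode_pap_password(password, secret, authenticator):
    """PAP hiding (RFC 2865 5.2): XOR 16-byte chunks with an MD5(secret+prev) keystream."""
    padded = password.encode()
    pad = (16 - len(padded) % 16) % 16 if padded else 16
    padded += b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret.encode() + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block  # chaining: next key depends on previous ciphertext block
    return out


def decode_pap_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret.encode() + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode("utf-8", "replace")


def build_access_request(identifier, username, otp, secret, nas_id="citrix-wi", authenticator=None):
    """What the W.I. sends for the second factor: User-Name + PAP-hidden OTP (constructed values)."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator, fresh per request
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_pap_password(otp, secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(data):
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": identifier, "authenticator": data[4:20], "attrs": attrs}


def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    req = parse_packet(request)
    header = struct.pack("!BBH", code, req["id"], 20 + len(attrs))
    resp_auth = hashlib.md5(header + req["authenticator"] + attrs + secret.encode()).digest()
    return header + resp_auth + attrs


def verify_response(response, request_authenticator, secret):
    """Reject replies that were not produced with our shared secret for our request."""
    resp = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret.encode()).digest()
    return hmac.compare_digest(expected, resp["authenticator"])


def simulate_authlite_server(request, secret, expected_otp):
    """Stand-in for a one-factor PAP RADIUS service (NOT AuthLite's code): accept iff the OTP matches."""
    req = parse_packet(request)
    attrs = dict(req["attrs"])
    if req["code"] != ACCESS_REQUEST or ATTR_USER_PASSWORD not in attrs:
        return build_response(ACCESS_REJECT, request, secret)
    otp = decode_pap_password(attrs[ATTR_USER_PASSWORD], secret, req["authenticator"])
    ok = hmac.compare_digest(otp.encode(), expected_otp.encode())
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


def radius_roundtrip(host, port, username, otp, secret, timeout=3.0):
    """Assumed helper: one UDP exchange with a real server (e.g. an AuthLite DC on 1812).
    Returns True only for a verified Access-Accept; a timeout usually means the port is
    blocked, the service is down, or the secret is wrong (servers often drop silently)."""
    request = build_access_request(os.urandom(1)[0], username, otp, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return False
    if not verify_response(data, request[4:20], secret):
        return False
    resp = parse_packet(data)
    return resp["id"] == request[1] and resp["code"] == ACCESS_ACCEPT
```

Note that a mismatched secret fails twice: the server decodes the OTP to garbage and rejects, and the Response Authenticator it computes will not verify on the client side, which is a useful way to distinguish "wrong secret" from "wrong OTP" when testing a DC.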
