Citrix continues to add RADIUS to its remote access products. RADIUS is a great protocol. It is simple and very standard.
Configure Citrix Web Interface to support RADIUS
RADIUS authentication is configured in the Access Management Console under the explicit authentication method, as two-factor authentication.
- Launch the Access Management Console on the Web Interface 5.x server and select the appropriate site. Under Common Tasks, select Configure Authentication methods > explicit.
- Click Properties > Two-factor authentication, then select Radius from the dropdown list.
- Create a radius_secret.txt file containing only the shared secret and place it in the conf folder. Path: \inetpub\wwwroot\sitepath\conf\radius_secret.txt
Add the Citrix Web Interface server to the WiKID Strong Authentication server.
On the WiKID server, be sure to enable RADIUS:
- Click on the 'Configuration' tab in the WiKIDAdmin web interface.
- Click on 'Enable Protocols'
- If Radius is not Enabled, click on it.
- You should be able to leave the settings as is and click 'Initialize'.
Next we add a specific network client for the Citrix Web Interface server:
- Click on the 'Network Client' tab
- Click on 'Create New Network Client'
- Create a name such as "Citrix Web Interface server"
- Choose a WiKID domain for the network client
- Select 'Radius' as the protocol
- Click 'Add'
- On the next page, enter the Shared Secret created above. Leave the Return Attributes empty (unless you know what you're doing)
- Click 'Add NC'
- From a terminal window, stop and start the WiKID Strong Authentication Server. This will open up the firewall port to the new network client.
Configure Mutual HTTPS Authentication for Additional Security
The WiKID Strong Authentication System supports strong mutual authentication for SSL services such as the Citrix Web Interface server. Strong mutual HTTPS authentication will thwart network-based MITM attacks, which are increasingly simple due to DNS problems and the prevalence of public WiFi networks.
To add mutual authentication for your Citrix Web Interface users:
- Go to the WiKID domain page and edit the domain used for the Citrix Web Interface server.
- Enter the URL of the SSL312 portal in the "Registered URL" box.
- Click Update
When you click "Update", the WiKID server will fetch the SSL certificate for the SSL312 and store it. When a user generates a one-time password for that domain, the hash of the stored certificate and the registered URL will be delivered with the OTP. The token will go out over the user's connection to the registered URL, fetch the SSL certificate presented there and hash it. If the hashes match, the token presents the OTP, copies it to the clipboard and launches the default browser to the correct URL. Quite simple for the user! If they don't match, there is a MITM and an error is presented.
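
The hash comparison described above can be sketched as follows. This is an added example, not WiKID's token code: the SHA-256 choice, the function names, the sample URL and the stand-in certificate bytes are all assumptions made for illustration.

```python
import hashlib
import hmac
import ssl
from urllib.parse import urlsplit


class CertificateMismatch(Exception):
    """The live certificate does not match the hash delivered with the OTP."""


def cert_hash(der: bytes) -> str:
    # SHA-256 over the DER encoding is an assumption; the page names no algorithm.
    return hashlib.sha256(der).hexdigest()


def fetch_cert_der(registered_url: str) -> bytes:
    """Fetch the certificate presented at registered_url over this host's own connection."""
    parts = urlsplit(registered_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("registered URL must be an https:// URL")
    # No chain validation here: the decision rests on the hash comparison below.
    pem = ssl.get_server_certificate((parts.hostname, parts.port or 443))
    return ssl.PEM_cert_to_DER_cert(pem)


def release_otp(otp, registered_url, delivered_hash, fetch=fetch_cert_der):
    """Return the OTP only when the live certificate hash equals the delivered one."""
    observed = cert_hash(fetch(registered_url))
    if not hmac.compare_digest(observed, delivered_hash.lower()):
        raise CertificateMismatch(f"certificate hash mismatch for {registered_url}")
    return otp


# Constructed sample data: opaque byte strings standing in for DER certificates.
STORED_CERT = b"constructed stand-in: certificate stored when Update was clicked"
OTHER_CERT = b"constructed stand-in: certificate presented by an intercepting host"
URL = "https://citrix.example.com/"  # hypothetical registered URL


def demo():
    delivered = cert_hash(STORED_CERT)  # what the server would send with the OTP
    ok = release_otp("123456", URL, delivered, fetch=lambda u: STORED_CERT)
    try:
        release_otp("123456", URL, delivered, fetch=lambda u: OTHER_CERT)
        blocked = False
    except CertificateMismatch:
        blocked = True
    return ok, blocked


if __name__ == "__main__":
    print(demo())
```

The demo injects the certificate bytes so it runs offline; calling release_otp without the fetch argument performs the live lookup against the registered URL.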