If you plan to deploy the on-demand password based authentication in your user base using Deepnet T-Pass, then you will have to configure your Citrix NetScaler to work in the Two-Step Logon mode. In the Two-Step Logon process, Netscaler will use your DualShield Radius server as the primary authentication server. Your DualShield server will be responsible for verifying both users’ AD password and one-time passwords. There should be no secondary authentication servers. Please note that for on-demand password you must use two-step logon, but for one-time password you can use either one-step or two-step logon. 

Edit Logon Procedure

In the DualShield Management Console, edit the logon procedure for your NetScaler application. You will need to define two logon steps: the first step requires users to enter their static password (AD password), which will also trigger the DualShield server to send the user’s on-demand password. The second step will then ask users to enter their on-demand password.

Configure Citrix NetScaler

1. Navigate to NetScaler Gateway | Virtual Servers
2. Select the virtual sever you wish to configure and double click it
3. Click the “Authentication” tab
4. Select the “Primary” tab
5. Unbind the current authentication server if any
6. Bind the following policies
   
   

Configure Citrix Receiver

Test Logon in Web Browser

Navigate to the Citrix NetScaler Access Gateway logon page:

Enter your username and your AD password.

Your DualShield server will send an on-demand password via the delivery channel defined in your T-Pass policy, e.g. SMS text message or email message.

NetScaler will then prompt you to enter your T-Pass one-time password:  

Test Logon in Citrix Receiver

Once your AD password is authenticated, DualShield Server will send an on-demand password via the delivery channel defined in your T-Pass policy.

Citrix Receiver will then prompt you to enter your T-Pass one-time password.

Related Articles

• MFA for VPN