Configure Mideye MFA for Citrix ADC (NetScaler) RADIUS Auth

This guide describes how to integrate Citrix ADC (formerly NetScaler) with Mideye Server for multi-factor authentication using RADIUS.

Branding

Citrix renamed NetScaler to Citrix ADC, and the product documentation has moved from docs.citrix.com to docs.netscaler.com. The CLI commands and concepts remain the same across branding changes. This guide uses “NetScaler” and “Citrix ADC” interchangeably.

Applies to

Component	Supported versions
NetScaler / Citrix ADC	12.x, 13.x, 14.x (current)
NetScaler Gateway	All versions supporting Classic authentication policies
Policy engine	Classic authentication (all versions)
Mideye Server	4.3.0+ (5.x+ recommended)

Classic vs Advanced (nFactor)

This guide uses the Classic Policy Engine (add authentication radiusAction / add authentication radiusPolicy), which works on all supported ADC versions. NetScaler 13.x and 14.x also support Advanced Authentication (nFactor) for complex multi-factor flows — nFactor uses different policy binding syntax but the same RADIUS action objects. See the NetScaler nFactor documentation for details.

---

Architecture

User → Citrix Gateway (NetScaler ADC) → RADIUS Policy → Mideye Server → MFA Validation

1. User connects to the NetScaler Gateway Virtual Server (SSL VPN portal or ICA Proxy).
2. Gateway evaluates the bound RADIUS authentication policy.
3. The policy triggers the RADIUS action, which sends an Access-Request to Mideye Server on UDP 1812.
4. Mideye validates credentials against the user repository and initiates the second factor (OTP, push, etc.).
5. Mideye returns Access-Accept or Access-Reject to the Gateway.

---

Prerequisites

• Mideye Server reachable from the NetScaler ADC on UDP port 1812
• A RADIUS client configured in Mideye Server for the ADC’s NSIP or SNIP address
• Shared secret agreed between Mideye and the ADC
• RADIUS timeout set to ≥ 35 seconds (required for MFA flows where the user needs time to respond)
• Password encoding: PAP (default) or MS-CHAPv2 (if password change is required)

---

1. Add NetScaler as a RADIUS client in Mideye Server

Before configuring the ADC, add its IP address as a RADIUS client in Mideye Server. Use the IP address that the ADC uses to originate RADIUS traffic — typically the NSIP (NetScaler IP) or a SNIP (Subnet IP), depending on your network topology.

See RADIUS Clients in the reference guide.

---

2. Create a RADIUS authentication action

The RADIUS action (also called a RADIUS server in the GUI) defines the connection to Mideye Server.

CLI

add authentication radiusAction Mideye_RADIUS \
  -serverIP 172.16.0.100 \
  -serverPort 1812 \
  -authTimeout 35 \
  -radKey <shared-secret> \
  -radNASip DISABLED \
  -authservRetry 1 \
  -passEncoding pap

Parameter	Value	Notes
-serverIP	Mideye Server IP
-serverPort	1812	Default RADIUS port
-authTimeout	35	Must be ≥ 35s for MFA flows
-radKey	Shared secret	Must match Mideye RADIUS client config
-radNASip	DISABLED	Unless your setup requires NAS IP
-authservRetry	1	Number of retries on failure
-passEncoding	pap	Use mschapv2 if password change is needed

GUI

1. Navigate to NetScaler Gateway → Policies → Authentication → RADIUS.
2. Select the Servers tab and click Add.
3. Configure:
   • Name: Mideye_RADIUS
   • Server IP: Mideye Server IP address
   • Port: 1812
   • Secret Key: shared secret (must match Mideye)
   • Time-Out (seconds): 35
4. Click More to expand advanced settings:
   • Password Encoding: PAP (or MS-CHAPv2)
   • Accounting: OFF (unless RADIUS accounting is required — see RADIUS accounting below)
   • Authentication Server Retry: 1
5. Click Test Connection to verify RADIUS connectivity.
6. Click Create.

---

3. Create a RADIUS authentication policy

The policy determines when the RADIUS action is evaluated. For most deployments, use ns_true to evaluate all authentication requests.

CLI

add authentication radiusPolicy Mideye_RADIUS_pol ns_true Mideye_RADIUS

• ns_true — matches all requests. Replace with a more specific expression if needed (e.g., group-based or source-IP-based).

GUI

1. Navigate to NetScaler Gateway → Policies → Authentication → RADIUS.
2. Select the Policies tab and click Add.
3. Configure:
   • Name: Mideye_RADIUS_pol
   • Server: select Mideye_RADIUS (the action created in step 2)
   • Expression: ns_true
4. Click Create.

---

4. Bind the policy to a Gateway Virtual Server

Bind the RADIUS policy to the Gateway Virtual Server that handles user logins.

CLI

bind vpn vserver <your_gateway_vserver> \
  -policy Mideye_RADIUS_pol \
  -priority 100

Replace <your_gateway_vserver> with the name of your Gateway Virtual Server.

GUI

1. Navigate to NetScaler Gateway → Virtual Servers.
2. Select the Virtual Server where users log in and click Edit.
3. Scroll to Basic Authentication and click + to add a policy.
4. Set:
   • Choose Policy: Mideye_RADIUS_pol
   • Choose Type: Primary
5. Click Bind.
6. Click Done and save the configuration.

---

5. Save the configuration

Always save the running configuration to survive reboots:

save ns config

---

MS-CHAPv2 password change support (optional)

If users need to change expired passwords during login, configure the RADIUS action to use MS-CHAPv2 instead of PAP:

set authentication radiusAction Mideye_RADIUS -passEncoding mschapv2

Requirements:

• Mideye Server 4.3.0 or later
• MS-CHAPv2 enabled in the Mideye directory configuration

See Network Policy Servers in the Mideye reference guide.

Caution

When using MS-CHAPv2, some RADIUS reject messages from Mideye may not be displayed to the user. The NetScaler may show its own generic error messages instead.

---

RADIUS accounting (optional)

NetScaler Gateway can send RADIUS accounting messages (session start/stop) to Mideye Server. This requires:

1. A RADIUS authentication policy pointing to the accounting server (can be the same Mideye Server).
2. A session policy that references the RADIUS accounting policy.
3. Binding the session policy to the Gateway Virtual Server or globally.

See Configuring RADIUS user accounting in the NetScaler documentation for step-by-step instructions.

Note

Mideye Server requires a unique RADIUS client IP per NetScaler. Multiple shared secrets with the same IP and different ports are not supported.

---

Multiple domains with login dropdown (optional)

For environments with multiple authentication domains, you can add a domain dropdown to the login page using a Rewrite policy that injects domain choices via a Set-Cookie header. Each domain maps to a separate RADIUS policy with a cookie-matching expression.

Create the rewrite action and policy

# Create a rewrite action that inserts domain choices as a cookie
add rewrite action Insert_domain_dropdown_action insert_http_header Set-Cookie \
  "\"userDomains=Domain1,Domain2,Domain3;path=/;Secure\""

# Create a rewrite policy that triggers on the login page
add rewrite policy Insert_domain_dropdown_policy \
  "HTTP.REQ.URL.CONTAINS(\"/vpn/index.html\")" \
  Insert_domain_dropdown_action

# Bind the rewrite policy to the Gateway Virtual Server
bind vpn vserver <your_gateway_vserver> \
  -policy Insert_domain_dropdown_policy \
  -priority 100 \
  -type RESPONSE

Map RADIUS policies to domains

Change each RADIUS policy expression to match the selected domain cookie:

# Policy for Domain1
set authentication radiusPolicy Domain1_RADIUS_pol \
  "REQ.HTTP.HEADER Cookie CONTAINS Domain1"

# Policy for Domain2
set authentication radiusPolicy Domain2_RADIUS_pol \
  "REQ.HTTP.HEADER Cookie CONTAINS Domain2"

Caution

Avoid domain names that are substrings of each other (e.g., Contoso, Contoso_Internal). The CONTAINS expression for Contoso would match all three. Use distinct, non-overlapping names.

---

Load balancing multiple Mideye Servers

If you have multiple Mideye Server nodes, use RADIUS load balancing on the ADC to distribute authentication requests and provide high availability.

See the dedicated guide: Citrix ADC – RADIUS Load Balancing.

---

Troubleshooting

Symptom	Check
Authentication times out	Verify authTimeout is ≥ 35 seconds on the RADIUS action
”Authentication failed” immediately	Shared secret mismatch — compare the ADC action and Mideye RADIUS client configuration
OTP never arrives	Verify UDP 1812 connectivity between ADC and Mideye Server
Test Connection fails in GUI	Check NSIP/SNIP routing to Mideye Server; verify firewall rules
MS-CHAPv2 password change not working	Verify Mideye Server ≥ 4.3.0 and MS-CHAPv2 is enabled in directory configuration
Policy not evaluated	Verify the RADIUS policy is bound to the correct Virtual Server with type Primary
RADIUS accounting not logging	Verify session policy is bound and RADIUS client in Mideye accepts accounting (same IP, same secret)

Useful CLI commands

# Show RADIUS action configuration
show authentication radiusAction Mideye_RADIUS

# Show RADIUS policy and hit count
show authentication radiusPolicy Mideye_RADIUS_pol

# Show Gateway Virtual Server bindings
show vpn vserver <your_gateway_vserver>

# Test RADIUS authentication from ADC shell (nsapimgr)
# Note: This sends a real RADIUS request — use a test account
shell nsapimgr -ys call=ns_radius_test -serverip=172.16.0.100 \
  -serverport=1812 -secret=<shared-secret> -user=testuser -pass=testpass

---

Related links

Mideye documentation

• RADIUS Clients — configure Mideye Server to accept requests from NetScaler
• RADIUS Integrations — authentication flows and supported auth types
• Authentication Types — all supported Mideye authentication methods
• Network Policy Servers — MS-CHAPv2 and password change configuration
• Citrix ADC – RADIUS Load Balancing — load balance multiple Mideye Servers

Official NetScaler documentation

• Configuring RADIUS Authentication (Gateway 14.1) — RADIUS authentication overview
• To configure RADIUS authentication — step-by-step GUI instructions
• Choosing RADIUS Authentication Protocols — PAP, CHAP, MS-CHAPv1/v2
• Configuring RADIUS user accounting — session start/stop messages
• nFactor for Gateway Authentication — Advanced authentication policies
• Carl Stalhood’s Citrix Gateway RADIUS guide — community reference with detailed screenshots