
Configure Mideye MFA for Citrix ADC (NetScaler) RADIUS Auth

This guide describes how to integrate Citrix ADC (formerly NetScaler) with Mideye Server for multi-factor authentication using RADIUS.

| Component | Supported versions |
|---|---|
| NetScaler / Citrix ADC | 12.x, 13.x, 14.x (current) |
| NetScaler Gateway | All versions supporting Classic authentication policies |
| Policy engine | Classic authentication (all versions) |
| Mideye Server | 4.3.0+ (5.x+ recommended) |


User → Citrix Gateway (NetScaler ADC) → RADIUS Policy → Mideye Server → MFA Validation
  1. User connects to the NetScaler Gateway Virtual Server (SSL VPN portal or ICA Proxy).
  2. Gateway evaluates the bound RADIUS authentication policy.
  3. The policy triggers the RADIUS action, which sends an Access-Request to Mideye Server on UDP 1812.
  4. Mideye validates credentials against the user repository and initiates the second factor (OTP, push, etc.).
  5. Mideye returns Access-Accept or Access-Reject to the Gateway.

  • Mideye Server reachable from the NetScaler ADC on UDP port 1812
  • A RADIUS client configured in Mideye Server for the ADC's NSIP or SNIP address
  • Shared secret agreed between Mideye and the ADC
  • RADIUS timeout set to ≥ 35 seconds (required for MFA flows where the user needs time to respond)
  • Password encoding: PAP (default) or MS-CHAPv2 (if password change is required)

1. Add NetScaler as a RADIUS client in Mideye Server


Before configuring the ADC, add its IP address as a RADIUS client in Mideye Server. Use the IP address that the ADC uses to originate RADIUS traffic — typically the NSIP (NetScaler IP) or a SNIP (Subnet IP), depending on your network topology.

See RADIUS Clients in the reference guide.


The RADIUS action (also called a RADIUS server in the GUI) defines the connection to Mideye Server.

```
add authentication radiusAction Mideye_RADIUS \
-serverIP 172.16.0.100 \
-serverPort 1812 \
-authTimeout 35 \
-radKey <shared-secret> \
-radNASip DISABLED \
-authservRetry 1 \
-passEncoding pap
```

| Parameter | Value | Notes |
|---|---|---|
| -serverIP | Mideye Server IP | |
| -serverPort | 1812 | Default RADIUS port |
| -authTimeout | 35 | Must be ≥ 35s for MFA flows |
| -radKey | Shared secret | Must match Mideye RADIUS client config |
| -radNASip | DISABLED | Unless your setup requires NAS IP |
| -authservRetry | 1 | Number of retries on failure |
| -passEncoding | pap | Use mschapv2 if password change is needed |
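To make the five-step exchange above and the RADIUS action parameters concrete, here is an added example (not Mideye's or Citrix's code) of a minimal RFC 2865 RADIUS/PAP client in Python that does what the ADC's RADIUS action does: it hides the User-Password with the shared secret, sends an Access-Request on UDP 1812, waits up to 35 seconds as `-authTimeout 35` does, and checks the Response Authenticator before trusting an Access-Accept. The server IP, user names and secrets are constructed placeholders, and `simulate_exchange` is a toy server-side round trip written for this example so the logic can run offline.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}


def pap_encode(password, secret, authenticator):
    """RFC 2865 section 5.2 password hiding: pad to a 16-byte multiple, XOR each
    block with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_decode(hidden, secret, authenticator):
    """Server-side inverse of pap_encode; trailing NULs are the padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_attr(attr_type, value):
    # Type-Length-Value; the length counts the 2-byte attribute header
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet):
    """Walk the attributes after the 20-byte header into {type: value}."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_access_request(ident, username, password, secret):
    """Client side: a fresh random Request Authenticator for every request."""
    auth = os.urandom(16)
    attrs = (build_attr(ATTR_USER_NAME, username.encode())
             + build_attr(ATTR_USER_PASSWORD, pap_encode(password.encode(), secret, auth)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + auth + attrs, auth


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(packet, request_auth, secret):
    """Client side: only trust a reply computed with our secret over our request.
    A mismatch between -radKey and the Mideye RADIUS client secret fails here."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad length")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch (wrong shared secret or spoofed reply)")
    return code, ident


def radius_auth(server_ip, username, password, secret, port=1812, timeout=35.0):
    """One live PAP Access-Request; the long timeout mirrors -authTimeout 35 so the
    user has time for the second factor. Does network I/O, so not run offline."""
    ident = os.urandom(1)[0]
    req, auth = build_access_request(ident, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (server_ip, port))
        data, _ = sock.recvfrom(4096)
    code, rid = verify_response(data, auth, secret)
    if rid != ident:
        raise ValueError("identifier mismatch")
    return CODE_NAMES.get(code, "code %d" % code)


def simulate_exchange(username, password, client_secret, server_secret, expected_password):
    """Offline round trip against a toy server constructed for this example:
    decode the PAP password, answer Accept/Reject, let the client verify the reply."""
    req, auth = build_access_request(7, username, password, client_secret)
    recovered = pap_decode(parse_attrs(req)[ATTR_USER_PASSWORD], server_secret, req[4:20])
    code = ACCESS_ACCEPT if recovered == expected_password.encode() else ACCESS_REJECT
    resp = build_response(code, 7, req[4:20], server_secret)
    try:
        return CODE_NAMES[verify_response(resp, auth, client_secret)[0]]
    except ValueError as err:
        return "error: %s" % err
```

With a mismatched shared secret the toy server cannot recover the password and the client refuses the reply's authenticator, which is the immediate "Authentication failed" symptom listed in the troubleshooting table; a live check against a test account is `radius_auth("172.16.0.100", "testuser", "testpass", b"<shared-secret>")`, with the IP and secret replaced by your own.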


The policy determines when the RADIUS action is evaluated. For most deployments, use ns_true to evaluate all authentication requests.

```
add authentication radiusPolicy Mideye_RADIUS_pol ns_true Mideye_RADIUS
```

  • ns_true — matches all requests. Replace with a more specific expression if needed (e.g., group-based or source-IP-based).

4. Bind the policy to a Gateway Virtual Server


Bind the RADIUS policy to the Gateway Virtual Server that handles user logins.

```
bind vpn vserver <your_gateway_vserver> \
-policy Mideye_RADIUS_pol \
-priority 100
```

Replace <your_gateway_vserver> with the name of your Gateway Virtual Server.


Always save the running configuration to survive reboots:

```
save ns config
```

MS-CHAPv2 password change support (optional)


If users need to change expired passwords during login, configure the RADIUS action to use MS-CHAPv2 instead of PAP:

```
set authentication radiusAction Mideye_RADIUS -passEncoding mschapv2
```

Requirements:

  • Mideye Server 4.3.0 or later
  • MS-CHAPv2 enabled in the Mideye directory configuration

See Network Policy Servers in the Mideye reference guide.


NetScaler Gateway can send RADIUS accounting messages (session start/stop) to Mideye Server. This requires:

  1. A RADIUS authentication policy pointing to the accounting server (can be the same Mideye Server).
  2. A session policy that references the RADIUS accounting policy.
  3. Binding the session policy to the Gateway Virtual Server or globally.

See Configuring RADIUS user accounting in the NetScaler documentation for step-by-step instructions.


Multiple domains with login dropdown (optional)


For environments with multiple authentication domains, you can add a domain dropdown to the login page using a Rewrite policy that injects domain choices via a Set-Cookie header. Each domain maps to a separate RADIUS policy with a cookie-matching expression.

```
# Create a rewrite action that inserts domain choices as a cookie
add rewrite action Insert_domain_dropdown_action insert_http_header Set-Cookie \
"\"userDomains=Domain1,Domain2,Domain3;path=/;Secure\""
# Create a rewrite policy that triggers on the login page
add rewrite policy Insert_domain_dropdown_policy \
"HTTP.REQ.URL.CONTAINS(\"/vpn/index.html\")" \
Insert_domain_dropdown_action
# Bind the rewrite policy to the Gateway Virtual Server
bind vpn vserver <your_gateway_vserver> \
-policy Insert_domain_dropdown_policy \
-priority 100 \
-type RESPONSE
```

Change each RADIUS policy expression to match the selected domain cookie:

```
# Policy for Domain1
set authentication radiusPolicy Domain1_RADIUS_pol \
"REQ.HTTP.HEADER Cookie CONTAINS Domain1"
# Policy for Domain2
set authentication radiusPolicy Domain2_RADIUS_pol \
"REQ.HTTP.HEADER Cookie CONTAINS Domain2"
```

If you have multiple Mideye Server nodes, use RADIUS load balancing on the ADC to distribute authentication requests and provide high availability.

See the dedicated guide: Citrix ADC – RADIUS Load Balancing.


| Symptom | Check |
|---|---|
| Authentication times out | Verify authTimeout is ≥ 35 seconds on the RADIUS action |
| "Authentication failed" immediately | Shared secret mismatch — compare the ADC action and Mideye RADIUS client configuration |
| OTP never arrives | Verify UDP 1812 connectivity between ADC and Mideye Server |
| Test Connection fails in GUI | Check NSIP/SNIP routing to Mideye Server; verify firewall rules |
| MS-CHAPv2 password change not working | Verify Mideye Server ≥ 4.3.0 and MS-CHAPv2 is enabled in directory configuration |
| Policy not evaluated | Verify the RADIUS policy is bound to the correct Virtual Server with type Primary |
| RADIUS accounting not logging | Verify session policy is bound and RADIUS client in Mideye accepts accounting (same IP, same secret) |

```
# Show RADIUS action configuration
show authentication radiusAction Mideye_RADIUS
# Show RADIUS policy and hit count
show authentication radiusPolicy Mideye_RADIUS_pol
# Show Gateway Virtual Server bindings
show vpn vserver <your_gateway_vserver>
# Test RADIUS authentication from ADC shell (nsapimgr)
# Note: This sends a real RADIUS request — use a test account
shell nsapimgr -ys call=ns_radius_test -serverip=172.16.0.100 \
-serverport=1812 -secret=<shared-secret> -user=testuser -pass=testpass
```