How to Configure Citrix Web Interface 5.x with Microsoft Network Policy Server (RADIUS) Using Windows Server 2008

Upload: nguyenhanh

Post on 20-Jul-2019


Summary

This article describes how to configure RADIUS Authentication on Windows Server 2008 for use with Citrix Web Interface 5.x.

These steps are performed on Windows Server 2008 with the Network Policy and Access Services (formerly known as Internet Authentication Service) role installed.

Requirements

To configure RADIUS on Windows Server 2008 you must have the following components:

• Citrix Web Interface 5.x.
• Windows Server 2008 with Network Policy and Access Services role installed.

Note: For Web Interface 5.2 or later, configuring RADIUS authentication as a second authentication factor has a new requirement: the RADIUS NAS-IDENTIFIER. This requirement was introduced to comply with RADIUS RFC 2865. However, it is NOT mandatory to configure the RADIUS server to check for the RADIUS NAS-IDENTIFIER as a condition. For more information regarding this requirement, refer to Citrix eDocs – Web Interface.

Web Interface 5.3 is used for the purpose of this article.

Procedure

From Windows Server 2008

1. Open the Server Manager and select Roles > Install New Role Service.

2. Select Network Policy and Access Services > Network Policy Server and click Install.


3. Create a RADIUS Client and configure a Network Policy to allow RADIUS authentication over Citrix Access Gateway. To launch the Network Policy Server, go to Start > All Programs > Administrative Tools > Network Policy Server.

4. Under RADIUS Clients and Servers, right-click RADIUS clients and select New RADIUS Client.

5. Complete the fields specified in the following screen shot. For Vendor Name, leave the default option, which is RADIUS Standard, and click OK.


6. Configure the Network Policies. Right-click Network Policies and click New.

7. Enter a Policy Name and set the Type of network access server to Unspecified and then select Next.

8. Under Specify Conditions, click Add, select User Groups > Add Groups and enter the Domain Users Group that should be allowed to authenticate using RADIUS.


9. Select Access Granted and click Next.


10. Under Configure Authentication Methods, select Unencrypted authentication (PAP, SPAP) only. Any other authentication methods should be unchecked. Then, click Next.


11. The Configure Constraints window is optional for this implementation. Click Next.


12. Under Configure Settings > RADIUS Attributes > Standard, remove the Framed-Protocol and Service-Type attributes.


13. Click Next. Then, confirm that the Network Policy settings are correct. Click Finish.


14. Under Processing Order, ensure that the Network Policy has the appropriate priority.


From Citrix Web Interface 5.x

1. Launch the Citrix Web Interface Management console.

2. Create a Web Interface site using the Authentication Point > At Web Interface.

3. Go to Authentication Methods > Explicit > Properties > Two-factor Authentication.

4. From the drop-down menu, select RADIUS.

5. Enter the RADIUS server IP Address and port number.

6. Close the Web Interface Management console.

7. Go to C:\inetpub\wwwroot\Citrix\<site_name>\conf folder and create a file called radius_secret.txt.


8. Open this text file and enter the RADIUS shared secret passcode.

9. Save the file and close it.

10. For Web Interface 5.2 or later: Go to the C:\inetpub\wwwroot\Citrix\<site_name>\ folder and open the file Web.config with a text editor such as Notepad. On Java application servers, the file is web.xml.

11. Search for line # 102 or the following parameter: <add key="RADIUS_NAS_IDENTIFIER" value="" />


12. For value, enter any alphanumeric value longer than 3 characters.

13. Save the Web.config file and test your Web Interface site.
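What these settings put on the wire, as an added example that is not part of the original article and not Citrix or Microsoft code: an RFC 2865 Access-Request carrying a PAP User-Password and the NAS-Identifier, showing that the shared secret kept in radius_secret.txt is all that hides the passcode. The function names are this example's own, and the user name, passcode, secret and NAS identifier are constructed sample values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1                                    # RFC 2865 packet code
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32   # RFC 2865 attribute types

def _xor_blocks(data, secret, authenticator, hiding):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous hidden block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = result if hiding else block   # the chain always runs over the hidden form
        out += result
    return out

def hide_password(password, secret, authenticator):
    padded = password.ljust(16 * max(1, -(-len(password) // 16)), b"\x00")
    return _xor_blocks(padded, secret, authenticator, hiding=True)

def recover_password(hidden, secret, authenticator):  # what any holder of the secret can do
    return _xor_blocks(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(user, password, secret, nas_identifier, authenticator=None, identifier=1):
    authenticator = authenticator or os.urandom(16)   # Request Authenticator
    attrs = (attribute(USER_NAME, user)
             + attribute(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(NAS_IDENTIFIER, nas_identifier))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):
    attrs, pos = {}, 20                               # attributes follow the 20-byte header
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs

if __name__ == "__main__":
    # Constructed sample values, not taken from the article.
    secret, passcode = b"constructed-shared-secret", b"492817"
    pkt = build_access_request(b"jdoe", passcode, secret, b"WI53SITE")
    hidden = parse_attributes(pkt)[USER_PASSWORD]
    print(hidden.hex(), recover_password(hidden, secret, pkt[4:20]))
```

Because PAP relies on nothing but this MD5-based hiding, a long random shared secret and restrictive file permissions on radius_secret.txt are what keep captured requests from exposing passcodes.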

More Information

Citrix eDocs - Web Interface Administrator’s Guide
