Citrix Gateway asking for Duo auth twice

I’ve gotten Duo authentication working on Citrix Gateway (v12) as well as OWA. The only weird thing is that when logging in through the Citrix Gateway, I have to tell it to send me a push or enter the code twice before letting me through. I’ve double-checked the authorization policy and it’s only set to the RADIUS server. Any ideas where to look? OWA is still only asking for it once.

Here’s my proxy.cfg (with keys removed for obvious reasons): Duo -

Hi @mbiracree, I’m not seeing anything in your configuration that would cause this, and in trying to search online for related resources, I am having difficulty finding anything that would help resolve this. I recommend reaching out to our Duo Support team, so they can investigate further.

Hi Amy,

Thanks, I figured it out. I’ve previously set up 2FA using Google’s Authenticator, which requires you to daisy-chain Authentication policies: 1st for LDAP, then 2nd for the 2FA. So I had set this new one up the same way, which called the Duo twice! Since Duo is a RADIUS authorization, it doesn’t need the 2 steps.



Ahh, that makes sense. Thanks, Mike! Appreciate you replying back to share the solution here in case anyone else runs into the same problem in the future.