Citrix Native VPN Plugin allows login even when Duo push is declined

We have an SSL Gateway VPN configured and users connect via the native VPN plugin. The Duo RADIUS policy is configured to point to [radius_server_auto] as iframes aren’t supported.

When a user logs in with their AD creds we are successfully receiving the Duo push notification to allow or reject. When we reject the login, the VPN connection successfully establishes the connection.

When we use an iframe policy, the web login works and performs as expected, but via the native plugin the user can enter a random number and the connection completes successfully as well.

We are running the latest firmware build - NS13.0 and the latest Duo proxy client.


This is a Citrix NetScaler/Access Gateway? Do you still have an ns_true expression in place that might be getting applied after the Duo RADIUS policies fail?

You can use aaad.debug output to watch an authentication on the Citrix gateway and see exactly what policies are getting applied to the logon.

If that doesn’t help I’d suggest contacting Duo Support. A support engineer can review your authentication policies and bindings with you.

Thanks. Yes, this is a NetScaler Gateway. I have 2 policies, RADIUS & LDAP. Both configured with a priority of 100 and both set to ns_true. From the debug logs I can see that the RADIUS process completes successfully, followed by the LDAP policy, which is where the issue comes in:
process_radius 0-253: RADIUS auth: Authentication failed for user test001 from server ... - Invalid Credentials
start_ldap_auth 0-253: Starting LDAP auth

In my mind this should not be the case as they have the same priority? I’ve logged a support call but I’m yet to receive a response 3 days later :(

I’ve managed to get it working. It looks like it’s an issue when you have your LDAP and RADIUS policies bound to the Gateway. I unbound the LDAP policy so that only the RADIUS policy is bound and then configured LDAP auth under the Gateway global settings.
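
One way to spot the fallthrough seen in the aaad.debug excerpt quoted earlier in the thread, where a rejected RADIUS (Duo) factor is followed by LDAP authentication for the same id. This is an added example, not part of the original thread and not Duo or Citrix code. The sample lines are constructed in the format of the two quoted log lines, and treating the `0-253` token as a per-logon id is an assumption.

```python
import re

# Constructed sample in the format of the aaad.debug lines quoted in the thread.
# The server address is elided ("...") there and stays elided here.
SAMPLE_LOG = """\
process_radius 0-253: RADIUS auth: Authentication failed for user test001 from server ... - Invalid Credentials
start_ldap_auth 0-253: Starting LDAP auth
process_radius 0-254: RADIUS auth: Authentication failed for user test002 from server ... - Invalid Credentials
start_ldap_auth 0-255: Starting LDAP auth
"""

# "<function> <id>: <message>"; the id is assumed to tie lines to one logon attempt.
LINE_RE = re.compile(r"^(?P<func>\w+)\s+(?P<sid>\d+-\d+):\s+(?P<msg>.*)$")
RADIUS_FAIL_RE = re.compile(r"RADIUS auth: Authentication failed for user (?P<user>\S+)")


def find_fallthrough(log_text):
    """Return [(id, user)] where a RADIUS failure was followed by LDAP auth starting."""
    failed = {}    # id -> user whose RADIUS (Duo) factor was rejected
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore lines in formats this sketch does not know
        sid, func, msg = m["sid"], m["func"], m["msg"]
        if func == "process_radius":
            fail = RADIUS_FAIL_RE.search(msg)
            if fail:
                failed[sid] = fail["user"]
        elif func == "start_ldap_auth" and sid in failed:
            # The rejected factor did not end the logon: another policy was evaluated.
            findings.append((sid, failed.pop(sid)))
    return findings


if __name__ == "__main__":
    for sid, user in find_fallthrough(SAMPLE_LOG):
        print(f"[!] {sid}: RADIUS rejected {user}, LDAP evaluated afterwards")
```

Any hit means a declined second factor was not the end of that logon, which is the binding problem the thread resolves by leaving only the RADIUS policy bound to the Gateway.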