Does the Auth Proxy support multiple domains in different forests?


I am looking to use Duo with Citrix CAG via a NetScaler. We have more than one domain in the same forest and another domain in another forest.


All have full trust between them.

Reading the guide it says that for CAG the authproxy is required and that multi domain support is only for domains and child domains.


Is this the case and if so is there any support for my situation?

The scenario you’re describing sounds like three different forests (if the base DN follows the domain suffixes listed):


When defining the [ad_client] in the Authentication Proxy, you must set a search_dn, which can only be one value. You cannot specify these three distinct base DNs in one search_dn option for a given ad_client section.

What you could do is create multiple [ad_client] sections, each with the unique search_dn, and then create multiple [radius_server_iframe] sections, one for each [ad_client] and each using a unique RADIUS port. Then, add all three RADIUS servers/ports to your CAG for Duo authentication.

This assumes that CAG auth will continue trying primary authentication servers until one succeeds (as NetScaler Access Gateway does).

Bear in mind that Citrix Access Gateway is EOL, so we may only be able to provide limited support.

When the radius server is the same for both forest domains (Cisco ISE) does the radius port have to be different from each [radius_server_auto] configuration?

You can’t have multiple RADIUS server sections listening on the same port, and each RADIUS server section can only use one primary authenticator config (the ad_client).

Correct so I can have [ad_client] tied to [radius_server_auto] and [ad_client2] tied to [server_radius_auto2]

Both radius servers will be the same IP address but two different ports like 1812 and 5678. And that will work?

Yes, just make sure to include the port=whatever line in your two RADIUS server sections.
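A pre-deployment check for the layout discussed in this thread, as an added example that is not part of any post here and is not Duo's code: it parses an authproxy.cfg and reports RADIUS server sections that share a listening port or whose client= names a section that does not exist. The sample config is constructed and trimmed to the options the check reads, and treating an omitted port= line as 1812 is an assumption.

```python
import configparser
from collections import defaultdict

DEFAULT_PORT = "1812"  # assumed listener port when a section has no port= line

# Constructed sample, trimmed to the options this check reads.
# Hosts and DNs are placeholders.
SAMPLE_CFG = """
[ad_client]
host=dc1.forest-a.example
search_dn=DC=forest-a,DC=example
[ad_client2]
host=dc1.forest-b.example
search_dn=DC=forest-b,DC=example
[radius_server_auto]
client=ad_client
port=1812
[radius_server_auto2]
client=ad_client2
port=5678
"""

def check_authproxy(cfg_text):
    """Return a list of problems found in the RADIUS server sections."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    problems = []
    by_port = defaultdict(list)
    for name in cfg.sections():
        if not name.startswith("radius_server_"):
            continue
        # Two listeners cannot bind the same port, so group sections by port.
        by_port[cfg[name].get("port", DEFAULT_PORT)].append(name)
        # Each server section names exactly one primary authenticator.
        client = cfg[name].get("client", "")
        if not cfg.has_section(client):
            problems.append(f"[{name}] client={client!r} has no matching section")
        elif client.startswith("ad_client") and "search_dn" not in cfg[client]:
            problems.append(f"[{client}] has no search_dn")
    for port, names in by_port.items():
        if len(names) > 1:
            problems.append(f"port {port} is shared by {sorted(names)}")
    return problems

if __name__ == "__main__":
    print(check_authproxy(SAMPLE_CFG) or "no conflicts found")
```
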

I assume what I am running into is an issue with Cisco ISE and steering what usernames belong to what domain and what policy set they need to use. I think I will need to engage Cisco now.