
DUO secondary auth and Citrix Native VPN client

clark-david
Level 1

I can log into the Citrix Gateway Web interface and it will auth against AD as primary and then Duo as secondary with the push. Everything works fine; I can even select full VPN access with the client and it will load the client and connect.

If I try to launch the VPN connection directly from the client, it fails. Even if I supply the DUO number in the secondary Auth box, it still fails. Any ideas?

Version 12.0

Edition: Standard

3 Replies

Mark_H
Level 1

Hi,
Did you find a fix for this? I am getting the same issue, having tried with both the NetScaler alternate instructions and the nFactor article.
I get debug log entries like the following if I use the six-digit code (123456 in this example), and much the same if I enter the word push to try and prompt it to send a response:

2020-09-04T16:47:04+0100 [duoauthproxy.lib.log#info] Sending request from 10.x.x.98 to radius_server_iframe
2020-09-04T16:47:04+0100 [duoauthproxy.lib.log#info] Received new request id 55 from (‘10.x.x.98’, 15442)
2020-09-04T16:47:04+0100 [duoauthproxy.lib.log#info] ((‘10.x.x.98’, 15442), testuser@test.co.uk, 55): Valid response to challenge issued at id 54
2020-09-04T16:47:04+0100 [duoauthproxy.lib.log#info] ((‘10.x.x.98’, 15442), testuser@test.co.uk, 55): Challenge Response: ‘123456’
2020-09-04T16:47:04+0100 [duoauthproxy.lib.log#info] http POST to https: //■■■■■■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/tx/proxy_finish: auth_cookie=123456
2020-09-04T16:47:04+0100 [duoauthproxy.lib.log#info] ((‘10.x.x.98’, 15442), testuser@test.co.uk, 55): Returning response code 3: AccessReject

Thanks

Mark
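For anyone triaging the same symptom, the following is an added example, not part of the original posts and not Duo's or Citrix's code: a small Python parser for Authentication Proxy log lines in the format quoted above, which reports requests that answered a RADIUS challenge and were still rejected. The sample lines, usernames and addresses are constructed, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Per-request lines look like: ((client_ip, port), username, radius_id): message
# The quote class accepts straight quotes and the typographic ones forums substitute.
REQ = re.compile(
    r"\(\(['‘’]?(?P<ip>[^'‘’,]+)['‘’]?,\s*(?P<port>\d+)\),\s*"
    r"(?P<user>[^,]+),\s*(?P<id>\d+)\):\s*(?P<msg>.*)$"
)
CHALLENGE = re.compile(r"Valid response to challenge issued at id (\d+)")
RESULT = re.compile(r"Returning response code (\d+): (\w+)")

def rejected_challenge_responses(lines):
    """Return one dict per request that answered a challenge and got AccessReject."""
    requests = defaultdict(dict)
    for line in lines:
        m = REQ.search(line)
        if not m:
            continue  # not a per-request line (e.g. the "http POST" line)
        key = (m["ip"], m["user"], int(m["id"]))
        msg = m["msg"]
        # The "Challenge Response: ..." line is deliberately ignored so the
        # passcode the user typed is never copied into the report.
        if (c := CHALLENGE.search(msg)):
            requests[key]["challenge_id"] = int(c.group(1))
        elif (r := RESULT.search(msg)):
            requests[key]["result"] = r.group(2)
    return [
        {"client": ip, "user": user, "request_id": rid,
         "challenge_id": info["challenge_id"]}
        for (ip, user, rid), info in requests.items()
        if "challenge_id" in info and info.get("result") == "AccessReject"
    ]

# Constructed sample input (not real logs), modelled on the format in the post.
P = "2020-09-04T16:47:04+0100 [duoauthproxy.lib.log#info] "
SAMPLE = [
    P + "(('192.0.2.10', 15442), alice@example.test, 55): Valid response to challenge issued at id 54",
    P + "(('192.0.2.10', 15442), alice@example.test, 55): Challenge Response: '000000'",
    P + "(('192.0.2.10', 15442), alice@example.test, 55): Returning response code 3: AccessReject",
    P + "(('192.0.2.10', 15460), bob@example.test, 57): Valid response to challenge issued at id 56",
    P + "(('192.0.2.10', 15460), bob@example.test, 57): Returning response code 2: AccessAccept",
    P + "(('192.0.2.10', 15470), carol@example.test, 58): Returning response code 3: AccessReject",
]

if __name__ == "__main__":
    for hit in rejected_challenge_responses(SAMPLE):
        print(hit)
```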

Mark_H
Level 1

Quick update for anyone following. This is the response from Duo Support:

After some more investigation, I have found that the Citrix Gateway plug-in is not supported for the iFrame response. It is supported for the auto-push response. For auto-push, you will need to create an Authentication Policy formatted as provided below to target it:

REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer NOTEXISTS

Hi Mark, thank you for following up to share your answer with the community! I’m glad support was able to help you sort this out.
