Multi Domain Auth Proxy


#1

Hi,

I am looking to use Duo with Citrix CAG via a NetScaler. We have more than one domain in the same forest

thisdomain[dot]com
thatdomain[dot]com

and another domain in another forest.

otherdomain[dot]com

All have full trust between them.

Reading the guide it says that for CAG the authproxy is required and that multi domain support is only for domains and child domains.

thisdomain[dot]com
thatdomain[dot]thisdomain[dot]com

Is this the case and if so is there any support for my situation?


#2

The scenario you’re describing sounds like three different forests (if the base DN follows the domain suffixes listed):

DC=thisdomain,DC=com
DC=thatdomain,DC=com
DC=otherdomain,DC=com

When defining the [ad_client] in the Authentication Proxy, you must set a search_dn, which can only be one value. You cannot specify these three distinct base DNs in one search_dn option for a given ad_client section.

What you could do is create multiple [ad_client] sections, each with the unique search_dn, and then create multiple [radius_server_iframe] sections, one for each [ad_client] and each using a unique RADIUS port. Then, add all three RADIUS servers/ports to your CAG for Duo authentication.

This assumes that CAG auth will continue trying primary authentication servers until one succeeds (as NetScaler Access Gateway does).

Bear in mind that Citrix Access Gateway is EOL, so we may only be able to provide limited support.
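A sketch of the authproxy.cfg layout that post #2 describes, added here as an illustration rather than the poster's or Duo's own configuration. The domain controller hostnames, service account, Duo keys/API host, gateway address, RADIUS secret and ports are placeholders; the section names follow the numbering convention the Authentication Proxy uses for multiple sections of the same type.

```ini
; One [ad_client] per base DN, since search_dn is single-valued.
[ad_client]
host=dc.thisdomain.com
service_account_username=svc_duo
service_account_password=CHANGEME
search_dn=DC=thisdomain,DC=com

[ad_client2]
host=dc.thatdomain.com
service_account_username=svc_duo
service_account_password=CHANGEME
search_dn=DC=thatdomain,DC=com

[ad_client3]
host=dc.otherdomain.com
service_account_username=svc_duo
service_account_password=CHANGEME
search_dn=DC=otherdomain,DC=com

; One [radius_server_iframe] per [ad_client], each on its own RADIUS port;
; all three point at the same gateway (radius_ip_1) with the same secret.
[radius_server_iframe]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=SKEY_PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
type=citrix
client=ad_client
radius_ip_1=10.0.0.5
radius_secret_1=CHANGEME
port=1812

[radius_server_iframe2]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=SKEY_PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
type=citrix
client=ad_client2
radius_ip_1=10.0.0.5
radius_secret_1=CHANGEME
port=1813

[radius_server_iframe3]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=SKEY_PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
type=citrix
client=ad_client3
radius_ip_1=10.0.0.5
radius_secret_1=CHANGEME
port=1814
```

The gateway is then given all three proxy ports (1812, 1813, 1814 here) as primary authentication servers, so a user in any of the three base DNs is found by the section whose search_dn covers them.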