12-09-2017 04:00 PM
Hi,
I am looking to use Duo with Citrix CAG via a NetScaler. We have more than one domain in the same forest:
thisdomain[dot]com
thatdomain[dot]com
and another domain in another forest:
otherdomain[dot]com
All have full trust between them.
Reading the guide, it says that for CAG the authproxy is required and that multi-domain support is only for domains and child domains:
thisdomain[dot]com
thatdomain[dot]thisdomain[dot]com
Is this the case, and if so, is there any support for my situation?
12-11-2017 06:46 AM
The scenario you’re describing sounds like three different forests (if the base DN follows the domain suffixes listed):
DC=thisdomain,DC=com
DC=thatdomain,DC=com
DC=otherdomain,DC=com
When defining the [ad_client] in the Authentication Proxy, you must set a search_dn, which can only be one value. You cannot specify these three distinct base DNs in one search_dn option for a given ad_client section.
What you could do is create multiple [ad_client] sections, each with the unique search_dn, and then create multiple [radius_server_iframe] sections, one for each [ad_client] and each using a unique RADIUS port. Then, add all three RADIUS servers/ports to your CAG for Duo authentication.
This assumes that CAG auth will continue trying primary authentication servers until one succeeds (as NetScaler Access Gateway does).
Bear in mind that Citrix Access Gateway is EOL, so we may only be able to provide limited support.
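As an added illustration (not from this thread or from Duo's own documentation), here is a constructed authproxy.cfg in the layout the answer describes, with a small check that the constraints it names actually hold: every RADIUS server section points at an existing client section, no two share a port, and each client section has exactly one search_dn. Hostnames, keys and secrets are left out or are placeholders.

```python
import configparser

# Constructed authproxy.cfg: one [ad_client*] per forest, each with a single
# search_dn, and one [radius_server_iframe*] per client on its own UDP port.
# A real file also needs host/service_account_* in each client section and
# ikey/skey/api_host/radius_ip_*/radius_secret_* in each server section.
AUTHPROXY_CFG = """
[ad_client]
search_dn=DC=thisdomain,DC=com

[ad_client2]
search_dn=DC=thatdomain,DC=com

[ad_client3]
search_dn=DC=otherdomain,DC=com

[radius_server_iframe]
client=ad_client
port=1812
[radius_server_iframe2]
client=ad_client2
port=1813
[radius_server_iframe3]
client=ad_client3
port=1814
"""


def check_multi_forest_layout(cfg_text):
    """Return a list of problems; empty means the layout is consistent.
    strict=True makes configparser raise on a repeated search_dn, which
    mirrors the one-value-per-section rule from the answer."""
    cp = configparser.ConfigParser(strict=True, interpolation=None)
    cp.read_string(cfg_text)
    problems, ports = [], {}
    for sec in cp.sections():
        if sec.startswith("radius_server"):
            client = cp.get(sec, "client", fallback=None)
            if client not in cp.sections():
                problems.append(f"{sec}: client '{client}' has no section")
            port = cp.get(sec, "port", fallback="1812")  # proxy default port
            if port in ports:
                problems.append(f"{sec}: port {port} also used by {ports[port]}")
            ports.setdefault(port, sec)
        elif sec.startswith("ad_client") and not cp.has_option(sec, "search_dn"):
            problems.append(f"{sec}: missing search_dn")
    return problems
```

Leaving out a port= line on one server section falls back to the default 1812 and shows up as a port clash, which is the mistake the follow-up posts in this thread warn about.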
10-17-2018 09:32 AM
When the radius server is the same for both forest domains (Cisco ISE) does the radius port have to be different from each [radius_server_auto] configuration?
10-17-2018 09:57 AM
You can’t have multiple RADIUS server sections listening on the same port, and each RADIUS server section can only use one primary authenticator config (the ad_client).
10-17-2018 10:14 AM
Correct, so I can have [ad_client] tied to [radius_server_auto] and [ad_client2] tied to [radius_server_auto2].
Both RADIUS servers will be the same IP address but two different ports, like 1812 and 5678. And that will work?
10-17-2018 10:30 AM
Yes, just make sure to include the port=whatever line in your two RADIUS server sections.
10-17-2018 11:34 AM
I assume what I am running into is an issue with Cisco ISE and steering which usernames belong to which domain and which policy set they need to use. I think I will need to engage Cisco now.