Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

Netscaler and Fortiauthenticator for 2FA Citrix Access



We are implementing a PoC that integrates Wyse thin clients + Netscaler / Citrix + Fortiauthenticator. We need the Wyse thin clients to ask users for "user", "password", and "token". Wyse thin clients can use two-factor authentication logon by configuring a .ini configuration file.


The problem we have is related to Netscaler / Fortiauthenticator: we are trying to authenticate users to AD using LDAP and we have the following issue:


* Netscaler is configured with LDAP and RADIUS authentication policies, so Netscaler verifies the user credentials (not the token) in the first authentication step. If the credentials are wrong, authentication is cancelled. (That's OK.)


* If the initial Netscaler LDAP authentication is OK, Netscaler sends a RADIUS authentication request to Fortiauthenticator. But we have sniffed the RADIUS packet and it is sending "user" and "token" as the user's password. Fortiauthenticator tries to authenticate the user (LDAP remote user) to AD and it fails because the token code is not the user's AD password. Fortiauthenticator sends an Access-Reject packet to Netscaler and authentication is cancelled.


* If I configure the Netscaler with only a RADIUS authentication policy (without LDAP), Netscaler sends "user" and "password" correctly, and Fortiauthenticator sends a RADIUS challenge to Netscaler asking for the token code. If the token is correct, authentication is allowed.


How can I configure Fortiauthenticator or Netscaler in order to achieve one of these goals?


* Netscaler with LDAP and RADIUS policies should first send user and password and, after the RADIUS challenge, send the token code to Fortiauthenticator. We have got it working only with a single RADIUS policy in Netscaler. When LDAP and RADIUS policies are configured, Netscaler only sends "user" + "token".


* Configure Fortiauthenticator for LDAP user verification (without password verification) and token code verification, so the initial "user" + "token" RADIUS request packet would be OK.


Any idea?


Thank you very much.
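The two RADIUS flows described in this post (the token code carried as User-Password with no State attribute, versus a challenge reply that echoes State) as an added example; this is not code from the original thread, from Fortinet or from Citrix. It builds and decodes RFC 2865 Access-Request packets so the cleartext of a sniffed User-Password can be checked against the shared secret; the secret, user name, token and State values are constructed placeholders.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1                          # RFC 2865 packet code
USER_NAME, USER_PASSWORD, STATE = 1, 2, 24  # RFC 2865 attribute types
SECRET = b"constructed-shared-secret"       # placeholder for the RADIUS client secret configured on FAC


def pap_hide(data, secret, authenticator, unhide=False):
    """RFC 2865 5.2 User-Password hiding: each 16-byte chunk XOR MD5(secret + previous chunk),
    seeded with the Request Authenticator. Run with unhide=True on a captured packet to reverse it."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out += block
        prev = chunk if unhide else block   # chaining always uses the ciphertext block
    return out


def build_access_request(ident, secret, user, password, state=None, authenticator=None):
    """Packet a NAS such as NetScaler sends; State is echoed only when answering an Access-Challenge."""
    authenticator = authenticator or os.urandom(16)
    padded = password.encode() + b"\x00" * (-len(password.encode()) % 16)
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, pap_hide(padded, secret, authenticator))]
    if state is not None:
        attrs.append((STATE, state))
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_access_request(packet, secret):
    """Decode a captured Access-Request: the user, the cleartext carried in User-Password (AD password
    or token code?) and whether State is present (i.e. this is the reply to a challenge)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    cleartext = pap_hide(attrs[USER_PASSWORD], secret, authenticator, unhide=True).rstrip(b"\x00")
    return {"code": code, "id": ident, "user": attrs[USER_NAME].decode(),
            "password": cleartext.decode(), "state": attrs.get(STATE)}


if __name__ == "__main__":
    # Failing case from the thread (LDAP+RADIUS policies): the token arrives in User-Password with no
    # State, so FAC checks it as the AD password. Working case: AD password, then token with State.
    print(parse_access_request(build_access_request(1, SECRET, "ricard", "123456"), SECRET))
    print(parse_access_request(build_access_request(2, SECRET, "ricard", "Ad-Password-Example!"), SECRET))
    print(parse_access_request(build_access_request(3, SECRET, "ricard", "123456", state=b"fac-state"), SECRET))
```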

Hi Ricard,

FortiAuthenticator (FAC) is able to authenticate the user against LDAP and then verify the token.

Token authentication takes place only after user+pass is OK.


From my point of view you can:


1. remove Netscaler from the authentication path, or offload all authentication from Netscaler to FAC, which can sync users from LDAP to 'Remote users' and assign them tokens, so user+pass will be authenticated towards LDAP and the token authenticated locally

2. or you can sync users from LDAP to FAC + assign tokens, and set the RADIUS Client to authenticate only user+token, so Netscaler can do its own user+pass LDAP verification and offload/chain token authentication to FAC

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff


Hi Xsilver_FTNT,


We have imported LDAP users locally and it's working fine. (Option 2)


Thanks a lot!!

Recently I've deployed a 2FA setup with Netscaler and Fortiauthenticator + LDAP. I've imported the LDAP users and the authentication with 2FA is working. The problem arises when the user password expires. How can I send the password renewal to the user?


My best regards and thank you in advance.