you can use FortiAuthenticator to provide two-factor authentication for basically any RADIUS client, as long as the RADIUS client can deal with the Access-Challenge/Access-Accept exchange (prompt the user for token, and then forward it back to FortiAuthenicator).
I couldn't find any dedicated configuration example for Citrix RADIUS clients, but the FortiAuthenticator configuration principally consists of these components:
- user database (called Realm), such as remote LDAP or local FortiAuthenticator DB
-> users need to be imported from the remote server and have a token assigned (or SMS/Email token set)
-> the remote authentication server (LDAP/RADIUS) needs to be created and then mapped to a realm
- RADIUS client entry
- RADIUS policy (to map the client to a specific realm)
If a RADIUS client sends an Access-Request that matches the according RADIUS client and policy, FortiAuthenticator will then trigger authentication against the specified realm (user database) and, if the user has a token assigned on FortiAuthenticator, send back an Access-Challenge for the token.
If you're not talking about Citrix as a RADIUS client, but an MFA solution BY Citrix (tokens provided by Citrix or something like this) FortiAuthenticator can proxy requests to another RADIUS server (which could host the Citrix MFA solution) but can't manage such tokens itself; it only really supports FortiToken (Cloud, Hardware, Mobile), Email, SMS and Yubikey as two-factor options to my knowledge.
You could reach out to your local Fortinet Sales partner to see what options there are with FortiAuthenticator, Citrix and MFA, they would be better suited to assess your requirements and make suggestions based off that.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.