SSO stopped working when Radius auth is added
Hi, we have deployed Citrix VIPs using the iApp template (f5.citrix_vdi.v2.3.0) with an APM policy.
But if I add RADIUS authentication (SMS auth provider) after AD authentication and before SSO credentials mapping, the SSO stops working. Can it be related to the redirect to the page waiting for the token for RADIUS authentication, so that the POST with credentials sent to the servers is not working correctly? When I remove the RADIUS box from the visual policy editor, SSO works fine again.
Thanks for any tip, Zdenek
7 Replies
- Yann_Desmarest_
Nacreous
Hello,
If you are using Wyse terminals or Receiver clients, I think that SMS authentication is not supported on the client side.
But when you access your Citrix apps using the webtop, it should work. Pay attention that the session.logon.last.username variable will be used by the RADIUS auth. So you need to save the username in an extra variable before RADIUS auth occurs (e.g. session.logon.last.username1) and change the SSO Credential Mapping username to fit that change.
- Zdenda
Cirrus
Hi, I've tested it and verified session.logon.last.username through a message box, and it stayed the same all the time. It means that it is not changed during the RADIUS auth process.
- Greg_Crosby_319
Historic F5 Account
APM policies for SecurID and RADIUS look similar; you would have to change the logon pages and authentication objects to use a RADIUS server AAA object rather than SecurID. The manual configuration section of the deployment guide lists the various APM policies created by the iApp (beginning on page 62) if you would like to try the setup manually. I would suggest running the iApp using the SecurID two-factor option and then modifying the noted portions to use a RADIUS AAA profile rather than SecurID.
- Zdenda
Cirrus
Resolved.
I had RADIUS auth just after AD auth, and RADIUS authentication rewrote the session.logon.last.password variable. So I saved it to session.logon.last.password1 before RADIUS was called, and when RADIUS auth is done, I restored the saved value back to session.logon.last.password so SSO can use the correct password. Maybe there is a more elegant version, but this works, so I am happy :).
- Stanislas_Piro2
Cumulonimbus
Hi,
RADIUS auth does not rewrite the password; it requires the password to be stored in session.logon.last.password.
It seems that your VPE tree is:
Logon (User / AD password) --> AD Auth --> Logon (SMS password) --> Radius Auth --> SSO Credential mapping
It is the second logon page which replaces the password.
You can change the box order to put SSO Credential Mapping before Radius Auth:
Logon (User / AD password) --> AD Auth --> SSO Credential mapping --> Logon (SMS password) --> Radius Auth
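
A small Python model of the three VPE orderings discussed in this thread (an added example, not code from any poster and not F5 APM configuration). The credentials are constructed sample values, and the session.sso.token.last.* names are assumed to be the variables SSO Credential Mapping writes to.

```python
# Toy model: each VPE box is a function that mutates the session-variable dict.
AD_PASSWORD = "Ad-Passw0rd!"  # constructed sample values
SMS_CODE = "481516"
PW = "session.logon.last.password"

def logon_ad(s):             # first logon page: user name + AD password
    s["session.logon.last.username"] = "user1"
    s[PW] = AD_PASSWORD

def ad_auth(s):              # authenticates with whatever the password variable holds
    if s[PW] != AD_PASSWORD:
        raise ValueError("AD auth failed")

def logon_sms(s):            # second logon page: overwrites the same password variable
    s[PW] = SMS_CODE

def radius_auth(s):          # reads the password variable, does not write it
    if s[PW] != SMS_CODE:
        raise ValueError("RADIUS auth failed")

def save_pw(s):              # save/restore workaround, step 1
    s[PW + "1"] = s[PW]

def restore_pw(s):           # save/restore workaround, step 2 (saved copy is not deleted)
    s[PW] = s[PW + "1"]

def sso_mapping(s):          # SSO Credential Mapping: snapshot of the logon variables
    s["session.sso.token.last.username"] = s["session.logon.last.username"]
    s["session.sso.token.last.password"] = s[PW]

ORIGINAL = [logon_ad, ad_auth, logon_sms, radius_auth, sso_mapping]
WORKAROUND = [logon_ad, ad_auth, save_pw, logon_sms, radius_auth, restore_pw, sso_mapping]
REORDERED = [logon_ad, ad_auth, sso_mapping, logon_sms, radius_auth]

def run_policy(boxes):
    session = {}
    for box in boxes:
        box(session)
    return session

def sso_password_ok(boxes):
    """True when SSO would present the AD password to the Citrix back end."""
    return run_policy(boxes)["session.sso.token.last.password"] == AD_PASSWORD

def ad_password_copies(boxes):
    """Names of the variables still holding the AD password when the policy ends."""
    return sorted(k for k, v in run_policy(boxes).items() if v == AD_PASSWORD)

if __name__ == "__main__":
    for name, tree in [("original", ORIGINAL), ("workaround", WORKAROUND), ("reordered", REORDERED)]:
        print(name, sso_password_ok(tree), ad_password_copies(tree))
```

In this model the reordered tree ends with a single copy of the AD password in the session, while the save/restore workaround ends with three.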
