I'm running F5 v 16.1.2. I have managed to get Duo working normally using the document supplied by duo by configuring radius/duo via APM.
The problem I have is that when I try connecting via Citrix Workspace I do not get the duo push. I just get a duo prompt for a password which does not seem to work with any duo passcodes I have. The Duo push does not appear either.
On the F5 create a new Radius access profile in Access ›› Authentication : RADIUS with a custom port. I am assuming you are already using Radius port 1812 for the traditional iFrame with your Citrix Access Policy. After you create this open the branch in your Citrix Access Policy for Workspace click the plus sign in front of your resource box that has your DDCs, choose the authentication tab and add the Radius auth policy. For the AAA Server drop-down menu choose the profile you created
You need to set up the DUO authproxy.cfg file with the stanza [radius_server_auto]
[radius_server_auto2] ikey=xxxxxxx skey=xxxxxxxxx api_host=xxxxxx.duosecurity.com radius_ip_8=<F5 Self IPs> radius_secret_8=xxxxxxx radius_ip_9=<F5 Self IPs> radius_secret_9=xxxxxx port=<Port Number> Change this so it doesnt conflict with your iFrame setup client=<LDAP AUth> failmode=safe