Citrix Netscaler Advanced guide for

SMS PASSCODE
SMS PASSCODE 2014

Citrix Netscaler Advanced guide for SMS PASSCODE

Citrix Netscaler Advanced guide for SMS

PASSCODE.
This document outlines configuration scenarios with SMS PASSCODE and Citrix
Netscaler.

Pre-requisites
In the Netscaler, you must have configured a virtual server with an authentication server set
up with Radius Authentication. In the virtual server, it is possible to set authentication
policies.

Configuration of the Authentication server with Radius for

SMS PASSCODE
The Authentication server must be configures with Radius. You can create an
authentication server here System-> Authentication ->Radius".
You should create it here if also the Netscaler should use the Radius authentication server.
If the virtual servers only will use the Radius authentication server, then please navigate
here Netscaler Gateway-> Policies->Authentication->Radius.
In the pane in the right side, choose add. Now click new to create the Radius
authentication server.

Page 2 of 13

Citrix Netscaler Advanced guide for SMS PASSCODE

The authentication type: Radius

Time-out: 10 seconds (optional)
Passcode Encoding: PAP
Send Calling Station ID should be check marked, if you want to use location aware
authentication.
Shared secret must be the same secret as set in the MS radius server radius client (For
configurations of the MS radius server please refer to the SMS PASSCODE administrators
guide).

Page 3 of 13

Citrix Netscaler Advanced guide for SMS PASSCODE

Now if you are ready to modify your virtual servers authentication policy

Page 4 of 13

Citrix Netscaler Advanced guide for SMS PASSCODE

Once you opened your virtual server, you are able to edit the policies.
This is how you should setup you session policy if you only use Radius authentication.
You are now able to edit or create a new session policy.

If you only use Radius authentication, your session policy should look like this:
(if you are publishing a Citrix Web Interface and not Storefront, then the Web Interface Address
should most likely look like this: http//IPadress/Citrix/PNAgent/config.xml)

Page 5 of 13

Citrix Netscaler Advanced guide for SMS PASSCODE

Authorization with Radius and SMS PASSCODE

If you need to extract groups with Radius, please make sure that you match Vendor code
(SMS PASSCODE) with Group Vendor identifier in the CAG, Attribute number with Group
attribute type, prefix with group prefix, and separator with group separator.
It is highly recommended to limit the group search to relevant groups, by adding the
relevant groups in the SMS PASSCODE configuration tool.

For further information regarding the authorization pane in the SMS PASSCODE
configuration tool, please refer to the SMS PASSCODE administrators guide.

Page 6 of 13

Citrix Netscaler Advanced guide for SMS PASSCODE

Configure SMS PASSCODE for co-existence with

a token solution like RSA
SMS PASSCODE can co-exist with token solutions like RSA.
Scenario 1
Your token solution uses radius authentication. You configure radius forwarding from the
SMS PASSCODE radius server to the Token solution radius server. This is the most
common scenario. SMS PASSCODE users are resolved directly from the Radius server (1)
that forwards the Token Users to the Token Radius server (2).

In the SMS PASSCODE configuration tool, you set a regular expression that denies the
token code. In example this expression for numbers: ^\d*$

Page 7 of 13

Citrix Netscaler Advanced guide for SMS PASSCODE

Scenario 2
You control usage by Netscaler Authentication policies.

You add 2 Authentication policies, one for SMS PASSCODE Radius and one for the Token
solution authentication. The SMS PASSCODE authentication policy must be inserted
before (lower number) the Token solution authentication policy.
When a SMS PASSCODE User is logging on (1), the user authenticates at the SMS
PASSCODE Radius server. The Token solution user (2) is logging on; the user is at first
authenticated with the SMS PASSCODE Radius authentication policy, which denies the
user access, because the user is not a SMS PASSCODE User. An access-Deny is then
sent back to the Netscaler, and the Netscaler will now try the next in line authentication
policy, which is the Token solution authentication policy. Now the user will be able to gain
access.

Page 8 of 13

Citrix Netscaler Advanced guide for SMS PASSCODE

Configure settings for the Citrix receiver for iPad/iPhone

with Citrix receiver 5.6+.
Please refer to section Configure Citrix Receiver for iPad/iPhone with Citrix Receiver
version older than 5.6+ if you Citrix receiver is older than version 5.6+
Introduction of Challenge response in Citrix Receiver 5.6.0 for iDevices, eliminated the
need for the SMS PASSCODE App.
To configure the Citrix Receiver, please open it, navigate to settings, and choose Accounts
from the menu.

Page 9 of 13

Citrix Netscaler Advanced guide for SMS PASSCODE

To add an account please click on the + sign.

Now enter the URL of your Citrix Access Gateway Enterprise Edition / Netscaler, and click
on Next.

Page 10 of 13

Citrix Netscaler Advanced guide for SMS PASSCODE

Fill in the information; leave Security Token as OFF, and save the configuration.

Now you are ready to use your Citrix Receiver. Your experience should look like this (This
window will show if the password has not been saved or if it is not allowed to store the
password).

Page 11 of 13

Citrix Netscaler Advanced guide for SMS PASSCODE

You should now receive your One Time Passcode, and enter this. If the code correctly
entered, you click OK, and you will gain access.

If you are using Citrix Receiver for Android, the configuration should look like this:

Page 12 of 13

Citrix Netscaler Advanced guide for SMS PASSCODE

Configure iPad/iPhone for Web Interface

To authenticate over the web interface with Citrix receiver for iPad requires:

Citrix Receiver for iPad version 4.2 or newer

Citrix Web Interface version 5.4 or newer

When you authenticate with Citrix Receiver for iPad over the web interface the SMS
PASSCODE
If the web site is configures with ns_true in policies, then this will work out of the box.

About SMS PASSCODE

SMS PASSCODE is the leading technology in two- and multi-factor authentication using your mobile phone. To protect
against the rise in internet based identity theft hitting both consumers and corporate employees, SMS PASSCODE offers
a stronger authentication via the mobile phone SMS service compared to traditional alternatives. SMS PASSCODE
installs in minutes and is much easier to implement and administer with the added benefit that users find it an intuitively
smart way to gain better protection. The solution offers out-of-the-box protection of standard login systems such as
Citrix, Cisco, Microsoft, VMware View, Juniper and other IPsec and SSL VPN systems as well as web sites. Installed at
thousands of sites, this is a proven patent pending technology. In the last years, SMS PASSCODE has been named to
the Gartner Group Magic Quadrant on User Authentication, awarded twice to the prestigious Red Herring 100 most
interesting tech companies list, a Secure Computing Magazine Top 5 Security Innovator, InfoSecurity Guide Best twofactor authentication, a Citrix Solution of the Year Finalist, White Bull top 30 EMEA companies, a Gazelle 2010, 2011,
2012 and 2013 Fast Growth firm and a ComOn most promising IT company Award. For more information visit:
www.smspasscode.com or our blog at blog.smspasscode.com.

Page 13 of 13