Citrix ADC – Rewriting the RADIUS Username?

In most environments it is straightforward to configure RADIUS authentication on the Citrix ADC. But sometimes it can be challenging, especially when the RADIUS server needs to receive the username in a specific format. Let's look at a short example.

RADIUS Server #1 – Expecting: sAMAccountName
Name Expression: userA

RADIUS Server #2 – Expecting: “USERDOMAIN” + “sAMAccountName” + “@Realm”
Name Expression: corp\userA@CTX

Scenario 1 is a no-brainer and needs no special configuration. But how are we supposed to handle Scenario 2? I guess a lot of people (including my past self) think this can only be handled with nFactor. I like the nFactor framework, but isn't it kind of overkill for this requirement? There must be another way, right?

Since NetScaler firmware 10.5e it has been possible to manipulate RADIUS messages with the AppExpert Rewrite feature. Important: this only works if the RADIUS server does not require signed messages; otherwise the authentication will fail.

We just need to do some rewriting magic on a Load Balancing vServer of type “RADIUS”.
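To make the rewrite and the signing caveat concrete, here is an added Python model of what happens to the Access-Request; it is not the ADC's own code or configuration. It rewrites the User-Name attribute into the DOMAIN\user@REALM form the second server expects, fixes up the length fields, and then shows that a server which checks the Message-Authenticator (RFC 2869) rejects the rewritten packet, which is why signed messages break. The packet bytes and the shared secret are constructed for the example.

```python
import hashlib
import hmac
import struct

USER_NAME, MESSAGE_AUTHENTICATOR = 1, 80  # RADIUS attribute types (RFC 2865, RFC 2869)

def build_access_request(identifier, authenticator, attrs):
    """Serialise an Access-Request (code 1) from (type, value) attribute pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator + body

def parse_attrs(packet):
    """Return the attributes after the 20-byte header as (type, value) pairs."""
    attrs, pos = [], 20
    while pos < len(packet):
        t, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, packet[pos + 2:pos + length]))
        pos += length
    return attrs

def username(packet):
    return next(v.decode() for t, v in parse_attrs(packet) if t == USER_NAME)

def rewrite_username(packet, domain, realm):
    """Model of the ADC rewrite: 'userA' -> 'corp\\userA@CTX', attribute and packet lengths fixed."""
    attrs = [(t, f"{domain}\\{v.decode()}@{realm}".encode() if t == USER_NAME else v)
             for t, v in parse_attrs(packet)]
    return build_access_request(packet[1], packet[4:20], attrs)

def _mac(packet, secret):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed (RFC 2869)."""
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in parse_attrs(packet)]
    return hmac.new(secret, build_access_request(packet[1], packet[4:20], zeroed), hashlib.md5).digest()

def sign(packet, secret):
    """Append a Message-Authenticator, as a NAS that signs its requests would (any old one is dropped)."""
    attrs = [a for a in parse_attrs(packet) if a[0] != MESSAGE_AUTHENTICATOR] + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    unsigned = build_access_request(packet[1], packet[4:20], attrs)
    return unsigned[:-16] + _mac(unsigned, secret)

def verify(packet, secret):
    """The check a RADIUS server that requires signed messages performs before accepting the request."""
    macs = [v for t, v in parse_attrs(packet) if t == MESSAGE_AUTHENTICATOR]
    return len(macs) == 1 and hmac.compare_digest(macs[0], _mac(packet, secret))

if __name__ == "__main__":  # constructed sample: User-Name "userA" plus NAS-IP-Address (type 4), zero authenticator
    req = sign(build_access_request(7, bytes(16), [(USER_NAME, b"userA"), (4, bytes([10, 0, 0, 5]))]), b"secret")
    print(username(rewrite_username(req, "corp", "CTX")), verify(rewrite_username(req, "corp", "CTX"), b"secret"))
```

The rewritten packet carries the name the second server expects, but its Message-Authenticator no longer matches, so a server that insists on signed messages rejects it exactly as the caveat above describes.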

Afterwards the RADIUS authentication works and we do not need to bother going down the nFactor road. Sometimes you should not over-complicate things and keep IT simple.

Hope this helps someone who is facing the same challenge.
