Classic Authentication Schemes will soon be deprecated in Citrix Netscaler and should be replaced with nFactor AAA.

Here is a quick tutorial on how to configure nFactor Authentication.

Security > AAA Application Traffic > Policies > Authentication > Basic Policies > RADIUS

Select Servers > Add

Name RADIUS_Server

Server IP xxxx

Secret

Also test the radius reachability

Security > AAA Application Traffic > Policies > Authentication > Basic Policies > LDAP

Select Servers > Add

Fill in all the information that apply to your domain

Security > AAA – Application Traffic, Policies, Authentication, Advanced Policies > Policy. Then, click “Add”

Do the same thing for RADIUS

Create AAA virtual server

Configuration > Security > AAA – Application Traffic > Virtual Servers

Import private certificate and root cert

Click on “No Authentication Policy”

Select Policy LDAP_Pol

Click on Select next to “Next Factor”

Add an authentication policy label

Continue

Policy Binding > Select RADIUS_Pol

Goto Expression > Select END and BIND the authentication Policy Label

Done

BIND

Continue

Add a login schema on the right side

Select “No Login Schema”

Select Policy

Bind and Done

Add nFactor to the Gateway virtual server

Citrix Gateway > Virtual Servers > select VIP > Add Authentication Profile on the right

Create > Ok > Done

If you get this error after logging in, you have to enable SSO on the Authentication Template

Go to Security > AAA Application Traffic > Login Schema > lschema_dual_factor_builtin > … Edit

Edit the profile again

Click on the pencil

> More > Check Enable Single Sign On Credentials > OK > OK

References:

https://community.citrix.com/tech-zone/build/deployment-guides/gateway-mfa/#_=_