Microsoft UAG easily supports setting up two separate authentication factors.

Configuring the RADIUS server:

  • Install IAS (Internet Authentication Service) or NPS (Network Policy Server, on Windows Server 2008 and higher)
  • In AuthLite config, go to Service Configuration -> IAS/NPS plugin
  • Enable IAS/NPS support on this server
  • Select "One factor PAP" and check the box to not require a domain name.
  • Apply changes
  • Restart the AuthLite service and the IAS/NPS service to pick up those changes, or restart the server.
  • In the IAS or NPS configuration panel on this server, set up the UAG server as a RADIUS client
  • Set the shared secret
  • Set up a connection policy that allows PAP authentication

Configuring UAG:

  • You probably already have Active Directory set up as an authentication service; this does not need to be changed.
  • In Admin -> Authentication and Authorization Servers, add an authentication server of type RADIUS
  • Configure this to point at the IAS/NPS RADIUS server and port, and set the shared secret.
  • In your trunk configuration's Authentication section, select "Require users to authenticate to each server", and "Authenticate to each server with the same user name"

There is one more important change you need to make. By default, password input fields in UAG are limited to 20 characters, but AuthLite OTPs require 64 characters. Fortunately you can customize this value in UAG as shown in this TechNet article.

  • Begin with the file: InternalSite\inc\customDefault.inc
  • Copy it into the subfolder InternalSite\inc\CustomUpdate
  • In a text editor, open the new copy of the file.
  • Remove the comment block at the top, and the code block at the bottom that the file says should be removed when used with CustomUpdate
  • Change the value PasswordLimit = 20 to at least 64
  • Save and close the changed file
  • Save and apply your UAG configuration
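To verify the RADIUS half of this setup from a test host (the PAP policy and shared secret from the first list, and that a full 64-character OTP travels intact, which is why the PasswordLimit change matters), here is a minimal RFC 2865 PAP client using only the Python standard library. It is an added example, not AuthLite's or Microsoft's code; the host, user name, OTP and secret are placeholders you supply, and the machine you run it on must itself be registered as a RADIUS client on the NPS/IAS server.

```python
import hashlib, os, socket, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: XOR each 16-byte password block with MD5(secret + previous block).
    Chaining is what lets a 64-character OTP (four blocks; the attribute max is 128 octets) ride in one attribute."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide (what the RADIUS server does); NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(type_code: int, value: bytes) -> bytes:
    return struct.pack("!BB", type_code, len(value) + 2) + value  # Type, Length (incl. header), Value

def build_access_request(username: str, password: str, secret: bytes, ident: int = 1, authenticator=None) -> bytes:
    """Code(1) Identifier(1) Length(2) Request Authenticator(16), then User-Name(1) and User-Password(2)."""
    authenticator = authenticator or os.urandom(16)
    attrs = attr(1, username.encode()) + attr(2, pap_hide(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()

def reply_is_genuine(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Reject spoofed or replayed UDP replies: identifier and Response Authenticator must both match."""
    return len(reply) >= 20 and reply[1] == request[1] and reply[4:20] == response_authenticator(reply[0], reply[1], reply[20:], request[4:20], secret)

def check_pap(host: str, username: str, otp: str, secret: bytes, port: int = 1812) -> int:
    """Send one Access-Request (this host must be a registered RADIUS client) and return the reply code."""
    request = build_access_request(username, otp, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(3.0)
        sock.sendto(request, (host, port))
        reply, _ = sock.recvfrom(4096)
    if not reply_is_genuine(reply, request, secret):
        raise RuntimeError("reply failed identifier/Response Authenticator check")
    return reply[0]  # ACCESS_ACCEPT (2) = OTP honoured, ACCESS_REJECT (3) = refused
```

A reject with a known-good OTP usually means the RADIUS client entry, shared secret or PAP policy on NPS/IAS is wrong, whereas an accept here but a failure through UAG points at the 20-character form limit.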