Configuring the authentication virtual server
To configure authentication, authorization, and auditing, first configure an authentication virtual server to handle authentication traffic. Next, bind an SSL certificate-key pair to the virtual server to enable it to handle SSL connections. For additional information about configuring SSL and creating a certificate-key pair, see SSL certificates.
To configure an authentication virtual server by using the command line interface
To configure an authentication virtual server and verify the configuration, at the command prompt type the following commands in the order shown:
- add authentication vserver <name> ssl <ipaddress>
- show authentication vserver <name>
- bind ssl certkey <certkeyName>
- show authentication vserver <name>
- set authentication vserver <name>
- show authentication vserver <name>
Example
add authentication vserver Auth-Vserver-2 SSL 10.102.29.77 443
Done

show authentication vserver Auth-Vserver-2
    Auth-Vserver-2 (10.102.29.77:443) - SSL Type: CONTENT State: DOWN[Certkey not bound]
    Client Idle Timeout: 180 sec
    Down state flush: DISABLED
    Disable Primary Vserver On Down : DISABLED
    Authentication : ON
    Current AAA Users: 0
Done

bind ssl certkey Auth-Vserver-2 Auth-Cert-1
Done

show authentication vserver Auth-Vserver-2
    Auth-Vserver-2 (10.102.29.77:443) - SSL Type: CONTENT State: UP
    Client Idle Timeout: 180 sec
    Down state flush: DISABLED
    Disable Primary Vserver On Down : DISABLED
    Authentication : ON
    Current AAA Users: 0
Done

show authentication vserver Auth-Vserver-2
    Auth-Vserver-2 (10.102.29.77:443) - SSL Type: CONTENT State: DOWN[Certkey not bound]
    Client Idle Timeout: 180 sec
    Down state flush: DISABLED
    Disable Primary Vserver On Down : DISABLED
    Authentication : ON
    Current AAA Users: 0
Done
Note
The Authentication Domain parameter is deprecated. Use Authentication Profile for setting domain wide cookies.
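A check that can be run over captured `show authentication vserver` output to confirm the virtual server is UP with a certificate-key pair bound. This is an added example, not Citrix code; the sample text is constructed from the output shown above, and the parser assumes one IPv4 virtual server per output block.

```python
import re

# Constructed sample in the shape of the example output on this page.
SAMPLE_DOWN = """\
Auth-Vserver-2 (10.102.29.77:443) - SSL Type: CONTENT State: DOWN[Certkey not bound]
Client Idle Timeout: 180 sec
Down state flush: DISABLED
Disable Primary Vserver On Down : DISABLED
Authentication : ON
Current AAA Users: 0
Done
"""
SAMPLE_UP = SAMPLE_DOWN.replace("DOWN[Certkey not bound]", "UP")

# Header line: name (ip:port) - protocol Type: <type> State: <state>[<reason>]
HEADER = re.compile(
    r"^\s*(?P<name>\S+) \((?P<ip>[^:()]+):(?P<port>\d+)\) - (?P<proto>\S+)\s+"
    r"Type: (?P<type>\S+)\s+State: (?P<state>[A-Z ]+?)(?:\[(?P<reason>[^\]]*)\])?\s*$"
)

def parse_vserver(output):
    """Parse one `show authentication vserver` block into a dict."""
    info = {}
    for line in output.splitlines():
        m = HEADER.match(line)
        if m:
            info.update(m.groupdict())
            continue
        key, sep, value = line.partition(":")
        if sep:  # "Key: value" or "Key : value"; the trailing "Done" has no colon
            info[key.strip()] = value.strip()
    return info

def audit(output):
    """Return findings; an empty list means State is UP and Authentication is ON."""
    info = parse_vserver(output)
    if "state" not in info:
        return ["no vserver header found in output"]
    findings = []
    if info["state"] != "UP":
        reason = info["reason"] or "no reason given"
        findings.append(f"{info['name']} is {info['state']}: {reason}")
    if info.get("Authentication") != "ON":
        findings.append(f"{info['name']}: Authentication is not ON")
    return findings

if __name__ == "__main__":
    for sample in (SAMPLE_DOWN, SAMPLE_UP):
        print(audit(sample) or "OK")
```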
To configure an authentication virtual server by using the configuration utility
- Navigate to Security > AAA - Application Traffic > Virtual Servers.
- In the details pane, do one of the following:
  - To create a new authentication virtual server, click Add.
  - To modify an existing authentication virtual server, select the virtual server, and then click Edit. The Configuration dialog opens with the Basic Settings area expanded.
- Specify values for the parameters as follows (asterisk indicates a required parameter):
  - Name*: name (Cannot be changed for a previously created virtual server)
  - IP Address Type*
  - IP Address*: IP address of the authentication virtual server
  - Port*: TCP port on which the virtual server accepts connections.
  - Failed login timeout: failedLoginTimeout (Seconds allowed before login fails and user must start login process again.)
  - Max login attempts: maxLoginAttempts (Number of login attempts allowed before user is locked out)
Note
The authentication virtual server uses only the SSL protocol and port 443, so those options are greyed out. Any options that are not mentioned are not relevant and should be ignored.
- Click Continue to display the Certificates area.
- In the Certificates area, configure any SSL certificates you want to use with this virtual server.
  - To configure a CA certificate, click the arrow on the right of CA Certificate to display the CA Cert Key dialog box, select the certificate you want to bind to this virtual server, and click Save.
  - To configure a server certificate, click the arrow on the right of Server Certificate, and follow the same process as for CA certificate.
- Click Continue to display the Advanced Authentication Policies area.
- If you want to bind an advanced authentication policy to the virtual server, click the arrow on the right side of the line to display the Authentication Policy dialog box, choose the policy that you want to bind to the server, set the priority, and then click OK.
- Click Continue to display the Basic Authentication Policies area.
- If you want to create a basic authentication policy and bind it to the virtual server, click the plus sign to display the Policies dialog box, and follow the prompts to configure the policy and bind it to this virtual server.
- Click Continue to display the 401-Based Virtual Servers area.
- In the 401-Based Virtual Servers area, configure any load balancing or content switching virtual servers that you want to bind to this virtual server.
  - To bind a load balancing virtual server, click the arrow to the right of LB virtual server to display the LB Virtual Servers dialog box, and follow the prompts.
  - To bind a content switching virtual server, click the arrow to the right of CS virtual server to display the CS Virtual Servers dialog box, and follow the same process as to bind an LB virtual server.
- If you want to create or configure a group, in the Groups area click the arrow to display the Groups dialog box, and follow the prompts.
- Review your settings, and when you are finished, click Done. The dialog box closes. If you created a new authentication virtual server, it now appears in the Configuration window list.
Configuring a noAuth authentication
The Citrix ADC appliance now supports a noAuth authentication capability that lets you configure a defaultAuthenticationGroup parameter in the noAuthAction command, which applies when a user passes through this policy. The administrator can check for the presence of this group among the user's groups to determine the user's navigation through the noAuth policy.
To configure a noAuth authentication by using the command line interface
add authentication noAuthAction <name> [-defaultAuthenticationGroup <string>]
Example
add authentication noAuthAction noauthact -defaultAuthenticationGroup mynoauthgroup