Authentication policies

> **Note**
>
> The Citrix ADC appliance encodes only UTF-8 characters for authentication, and it is not compatible with servers that use ISO-8859-1 characters.

The Citrix ADC can authenticate users with local user accounts or by using an external authentication server. The appliance supports the following authentication types:

  • LOCAL

    Authenticates to the Citrix ADC appliance by using a password, without reference to an external authentication server. User data is stored locally on the Citrix ADC appliance.

  • RADIUS

    Authenticates to an external RADIUS server.

  • LDAP

    Authenticates to an external LDAP authentication server.

  • TACACS

    Authenticates to an external Terminal Access Controller Access-Control System (TACACS) authentication server.

    After a user authenticates to a TACACS server, the Citrix ADC connects to the same TACACS server for all subsequent authorizations. When the primary TACACS server is unavailable, this avoids the delay that would otherwise occur while the ADC waits for the first TACACS server to time out before resending the authorization request to the second TACACS server.

    Note

    When authenticating through a TACACS server, authentication, authorization, and auditing traffic management logs only the TACACS commands that ran successfully. This prevents the logs from showing TACACS commands entered by users who were not authorized to run them.

    Starting from NetScaler 12.0 Build 57.x, the Terminal Access Controller Access-Control System (TACACS) does not block the authentication, authorization, and auditing daemon while sending the TACACS request. This allows LDAP and RADIUS authentication to proceed with their requests. The TACACS authentication request resumes once the TACACS server acknowledges it.

  • CERT

    Authenticates to the Citrix ADC appliance by using a client certificate, without reference to an external authentication server.

  • NEGOTIATE

    Authenticates to a Kerberos authentication server. If there is an error in Kerberos authentication, Citrix ADC uses NTLM authentication.

  • SAML

    Authenticates to a server that supports the Security Assertion Markup Language (SAML).

  • SAML IDP

    Configures the Citrix ADC to serve as a Security Assertion Markup Language (SAML) Identity Provider (IdP).

  • WEB

    Authenticates to a web server, providing the credentials that the web server requires in an HTTP request and analyzing the web server response to determine that user authentication was successful.

An authentication policy comprises an expression and an action. Authentication policies use Citrix ADC expressions.

After creating an authentication action and an authentication policy, bind the policy to an authentication virtual server and assign a priority to it. When binding it, also designate it as either a primary or a secondary policy. Primary policies are evaluated before secondary policies. In configurations that use both types of policy, primary policies are normally the more specific policies, while secondary policies are normally more general policies intended to handle authentication for any user accounts that do not meet the more specific criteria.

## To add an authentication action by using the command line interface

If you do not use LOCAL authentication, you need to add an explicit authentication action. At the command prompt, type the following command:

```
add authentication tacacsAction <name> -serverip <IP> [-serverPort <port>][-authTimeout <positive_integer>][ ... ]
```

Example

```
> add authentication tacacsaction Authn-Act-1 -serverip 10.218.24.65 -serverport 1812 -authtimeout 15 -tacacsSecret "minotaur" -authorization OFF -accounting ON -auditFailedCmds OFF -defaultAuthenticationGroup "users"
Done
```


## To configure an authentication action by using the command line interface

To configure an existing authentication action, at the command prompt, type the following command:

```
set authentication tacacsAction <name> -serverip <IP> [-serverPort <port>][-authTimeout <positive_integer>][ ... ]
```

Example

```
> set authentication tacacsaction Authn-Act-1 -serverip 10.218.24.65 -serverport 1812 -authtimeout 15 -tacacsSecret "minotaur" -authorization OFF -accounting ON -auditFailedCmds OFF -defaultAuthenticationGroup "users"
Done
```

## To remove an authentication action by using the command line interface

To remove an existing RADIUS action, at the command prompt, type the following command:

```
rm authentication radiusAction <name>
```

Example

```
> rm authentication tacacsaction Authn-Act-1
Done
```


## To configure an authentication server by using the configuration utility

> **Note**
>
> In the configuration utility, the term server is used instead of action, but refers to the same task.

1.  Navigate to **Security > AAA - Application Traffic > Policies > Authentication**.
1.  In the details pane, on the **Servers** tab, do one of the following:
    -  To create a new authentication server, click **Add**.
    -  To modify an existing authentication server, select the server, and then click **Open**.
1.  In the **Create Authentication Server** or **Configure Authentication Server** dialog box, type or select the values for the parameters.
    -  Name\*—radiusActionName (Cannot be changed for a previously configured action)
    -  Authentication Type\*—authtype (Set to RADIUS, cannot be changed)
    -  IP Address\*—serverip <IP>
    -  IPV6\*—Select the check box if the server IP is an IPv6 IP. (No command line equivalent.)
    -  Port\*—serverPort
    -  Time-out (seconds)\*—authTimeout
1.  Click **Create** or **OK**, and then click **Close**. The policy that you created appears in the **Authentication Policies** and **Servers** page.

## To create and bind an authentication policy by using the command line interface

At the command prompt, type the following commands in the order shown to create and bind an authentication policy and verify the configuration:

```
add authentication negotiatePolicy <name> <rule> <reqAction>
show authentication localPolicy <name>
bind authentication vserver <name> -policy <policyname> [-priority <priority>][-secondary]
show authentication vserver <name>
```

Example

```
> add authentication localPolicy Authn-Pol-1 ns_true
Done
> show authentication localPolicy
1)      Name: Authn-Pol-1       Rule: ns_true          Request action: LOCAL
Done
> bind authentication vserver Auth-Vserver-2 -policy Authn-Pol-1
Done
> show authentication vserver Auth-Vserver-2
        Auth-Vserver-2 (10.102.29.77:443) - SSL Type: CONTENT
        State: UP
        Client Idle Timeout: 180 sec
        Down state flush: DISABLED
        Disable Primary Vserver On Down : DISABLED
        Authentication : ON
        Current AAA Users: 0
        Authentication Domain: myCompany.employee.com
1)  Primary authentication policy name: Authn-Pol-1 Priority: 0
Done
```
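The primary/secondary and priority semantics described earlier, and the bind commands in this procedure, are modelled in the following Python script. It is an added example, not part of the Citrix documentation: it parses `add authentication ...Policy` and `bind authentication vserver` lines in the syntax shown on this page, lists the order in which a virtual server evaluates its bound policies (primary before secondary; within a group it assumes NetScaler's lower-priority-number-first behaviour, which this page does not state), and flags a catch-all `ns_true` policy that precedes more specific policies in the same group. The configuration lines, the policies Ldap-Pol-1 and Ldap-Pol-2 and the action Ldap-Act-1 are constructed for the example.

```python
import re
# Constructed sample modelled on this article's add/bind commands (not a real ns.conf).
SAMPLE_CONFIG = """
add authentication localPolicy Authn-Pol-1 ns_true
add authentication ldapPolicy Ldap-Pol-1 ns_true Ldap-Act-1
add authentication ldapPolicy Ldap-Pol-2 "REQ.HTTP.HEADER Host CONTAINS intranet" Ldap-Act-1
bind authentication vserver Auth-Vserver-2 -policy Ldap-Pol-1 -priority 10
bind authentication vserver Auth-Vserver-2 -policy Ldap-Pol-2 -priority 20
bind authentication vserver Auth-Vserver-2 -policy Authn-Pol-1 -priority 100 -secondary
"""

ADD_RE = re.compile(r'^add authentication \w+Policy (\S+) ("[^"]*"|\S+)')
BIND_RE = re.compile(r'^bind authentication vserver (\S+) -policy (\S+)'
                     r'(?: -priority (\d+))?( -secondary)?$')

def parse_config(text):
    """Return ({policy_name: rule}, [(vserver, policy, priority, group)]);
    a bind without -priority is recorded as 0 (cf. "Priority: 0" in the show output)."""
    rules, binds = {}, []
    for line in text.strip().splitlines():
        m = ADD_RE.match(line)
        if m:
            rules[m.group(1)] = m.group(2).strip('"')
            continue
        m = BIND_RE.match(line)
        if m:
            vserver, policy, prio, secondary = m.groups()
            binds.append((vserver, policy, int(prio or 0), "secondary" if secondary else "primary"))
    return rules, binds

def evaluation_order(binds, vserver):
    """Primary before secondary; within a group, lower priority number first
    (assumed NetScaler behaviour, not stated on this page)."""
    rank = {"primary": 0, "secondary": 1}
    mine = sorted((b for b in binds if b[0] == vserver), key=lambda b: (rank[b[3]], b[2]))
    return [(policy, group, prio) for _, policy, prio, group in mine]

def audit(rules, binds, vserver):
    """Flag a catch-all (ns_true) policy evaluated before a more specific policy
    of the same group: the specific policy can then never be reached."""
    findings = []
    order = evaluation_order(binds, vserver)
    for i, (policy, group, prio) in enumerate(order):
        if rules.get(policy) != "ns_true":
            continue
        shadowed = [p for p, g, _ in order[i + 1:] if g == group and rules.get(p) != "ns_true"]
        if shadowed:
            findings.append(f"{vserver}: {group} policy {policy} (priority {prio}) is a "
                            f"catch-all evaluated before {', '.join(shadowed)}")
    return findings
```

Running `audit(*parse_config(SAMPLE_CONFIG), "Auth-Vserver-2")` reports that the catch-all primary policy Ldap-Pol-1 shadows Ldap-Pol-2, while the catch-all secondary policy Authn-Pol-1 is the intended general fallback and is not flagged.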

## To modify an existing authentication policy by using the command line interface

At the command prompt, type the following commands to modify an existing authentication policy:

```
set authentication localPolicy <name> [-reqaction <reqAction>]
```

Example

```
> set authentication localPolicy Authn-Pol-1 'ns_true'
Done
```

## To remove an authentication policy by using the command line interface

At the command prompt, type the following command to remove an authentication policy:

```
rm authentication localPolicy <name>
```

Example

```
> rm authentication localPolicy Authn-Pol-1
Done
```

## To configure and bind authentication policies by using the configuration utility

1.  Navigate to **Security > AAA - Application Traffic > Policies > Authentication**, and then select the type of policy that you want to create.
2.  In the details pane, on the **Policies** tab, do one of the following:
    -  To create a new policy, click **Add**.
    -  To modify an existing policy, select the action, and then click **Edit**.
3.  In the **Create Authentication Policy** or **Configure Authentication Policy** dialog, type or select the values for the parameters.
    -  Name — policy name (Cannot be changed for a previously configured action)
    -  Authentication Type — authtype
    -  Server — authVsName
    -  Expression — rule (You enter expressions by first choosing the type of expression in the leftmost drop-down list beneath the Expression window, and then by typing your expression directly into the expression text area, or by clicking **Add** to open the **Add Expression** dialog box and using the drop-down lists in it to construct your expression.)
4.  Click **Create** or **OK**. The policy that you created appears in the **Policies** page.
5.  Click the **Servers** tab, and in the details pane do one of the following:
    -  To use an existing server, select it, and then click.
    -  To create a server, click **Add**, and follow the instructions.
6.  If you want to designate this policy as a secondary authentication policy, on the **Authentication** tab, click **Secondary**. If you want to designate this policy as a primary authentication policy, skip this step.
7.  Click **Insert Policy**.
8.  Choose the policy you want to bind to the authentication virtual server from the drop-down list.
9.  In the **Priority** column to the left, modify the default priority to ensure that the policy is evaluated in the proper order.
10. Click **OK**. A message appears in the status bar, stating that the policy has been configured successfully.