
RADIUS authentication policies

As with other types of authentication policies, a Remote Authentication Dial In User Service (RADIUS) authentication policy consists of an expression and an action. After creating an authentication policy, you bind it to an authentication virtual server and assign a priority to it. When binding it, you also designate it as either a primary or a secondary policy. Setting up a RADIUS authentication policy has certain special requirements, which are described in the following sections.

Normally you configure the Citrix ADC to use the IP address of the authentication server. With RADIUS authentication servers, you can instead configure the ADC to use the FQDN of the RADIUS server to authenticate users. Using an FQDN can simplify an otherwise much more complex authentication, authorization, and auditing configuration in environments where the authentication server might be at any of several IP addresses but always uses a single FQDN. To configure authentication by using a server's FQDN instead of its IP address, follow the normal configuration process except when creating the authentication action: when creating the action, specify the serverName parameter instead of the serverIP parameter.

Before you decide whether to configure the Citrix ADC to use the IP address or the FQDN of your RADIUS server, consider that authenticating to an FQDN adds an extra step to the authentication process. Each time the ADC authenticates a user, it must resolve the FQDN. If a great many users attempt to authenticate simultaneously, the resulting DNS lookups might slow the authentication process. The resolved address also decides where the ADC sends the user's credentials, so the DNS path the appliance uses must be as trustworthy as the RADIUS server itself; the shared secret (radKey) is what lets the ADC distinguish a genuine server reply from one sent by some other host at that address.

Note

These instructions assume that you are already familiar with the RADIUS protocol and have already configured your chosen RADIUS authentication server.

For more information about setting up authentication policies in general, see Authentication Policies. For more information about Citrix ADC appliance expressions, which are used in the policy rule, see Policies and Expressions.

To add an authentication action for a RADIUS server by using the command line interface

If you authenticate to a RADIUS server, you must add an explicit authentication action. To do this, at the command prompt, type the following command:

```
add authentication radiusAction <name> {-serverIP | -serverName} [-serverPort ] [-authTimeout ] {-radKey } [-radNASip ( ENABLED | DISABLED )] [-radNASid ] [-radVendorID ] [-radAttributeType ] [-radGroupsPrefix ] [-radGroupSeparator ] [-passEncoding ] [-ipVendorID ] [-ipAttributeType ] [-accounting ( ON | OFF )] [-pwdVendorID [-pwdAttributeType ]] [-defaultAuthenticationGroup ] [-callingstationid ( ENABLED | DISABLED )]
```


The following example adds a RADIUS authentication action named **Authn-Act-1**, with the server IP **10.218.24.65**, the server port **1812**, an authentication timeout of **15** seconds, the RADIUS shared secret **WareTheLorax**, NAS IP extraction disabled, and the NAS ID **NAS1**.

```
> add authentication radiusaction Authn-Act-1 -serverip 10.218.24.65 -serverport 1812 -authtimeout 15 -radkey WareTheLorax -radNASip DISABLED -radNASid NAS1
Done
```

The following example adds the same RADIUS authentication action, but using the server FQDN **rad01.example.com** instead of its IP address.

```
> add authentication radiusaction Authn-Act-1 -serverName rad01.example.com -serverport 1812 -authtimeout 15 -radkey WareTheLorax -radNASip DISABLED -radNASid NAS1
Done
```

RADIUS authentication might fail if both authentication and accounting are configured on the same server port in the radiusAction command.

To avoid this, Citrix recommends that you configure RADIUS authentication and RADIUS accounting with separate commands, each on its own port:

  • For RADIUS authentication, keep the authservRetry parameter at its default value of 3:

```
set authentication radiusAction Authn-Act-1 -serverip 10.218.24.65 -serverport 1812 -authservRetry 3
```

  • For RADIUS accounting, set the authservRetry parameter to 1:

```
set authentication radiusAction Authn-Act-1 -serverip 10.218.24.65 -serverport 1813 -authservRetry 1
```

To configure an authentication action for an external RADIUS server by using the command line

To modify an existing RADIUS action, at the command prompt, type the following command:

```
set authentication radiusAction <name> {-serverIP | -serverName} [-serverPort ] [-authTimeout ] {-radKey } [-radNASip ( ENABLED | DISABLED )] [-radNASid ] [-radVendorID ] [-radAttributeType ] [-radGroupsPrefix ] [-radGroupSeparator ] [-passEncoding ] [-ipVendorID ] [-ipAttributeType ] [-accounting ( ON | OFF )] [-pwdVendorID [-pwdAttributeType ]] [-defaultAuthenticationGroup ] [-callingstationid ( ENABLED | DISABLED )]
```


To remove an authentication action for an external RADIUS server by using the command line interface

To remove an existing RADIUS action, at the command prompt, type the following command:

```
rm authentication radiusAction <name>
```

Example

```
> rm authentication radiusaction Authn-Act-1
Done
```

To configure a RADIUS server by using the configuration utility

Note

In the configuration utility, the term server is used instead of action, but refers to the same task.

  1. Navigate to Security > AAA - Application Traffic > Policies > Authentication > Radius
  2. In the details pane, on the Servers tab, do one of the following:
    • To create a new RADIUS server, click Add.
    • To modify an existing RADIUS server, select the server, and then click Edit.
  3. In the Create Authentication RADIUS Server or Configure Authentication RADIUS Server dialog, type or select the values for the parameters. To fill out parameters that appear beneath Send Calling Station ID, expand Details.
    • Name*—radiusActionName (Cannot be changed for a previously configured action)
    • Authentication Type*—authtype (Set to RADIUS, cannot be changed)
    • Server Name / IP Address*—Choose either Server Name or Server IP
      • Server Name*—serverName <FQDN>
      • IP Address*—serverIp <IP> If the server is assigned an IPv6 IP address, select the IPv6 check box.
    • Port*—serverPort
    • Time-out (seconds)*—authTimeout
    • Secret Key*—radKey (RADIUS shared secret.)
    • Confirm Secret Key*—Type the RADIUS shared secret a second time. (No command line equivalent.)
    • Send Calling Station ID—callingstationid
    • Group Vendor Identifier—radVendorID
    • Group Attribute Type—radAttributeType
    • IP Address Vendor Identifier—ipVendorID
    • Password Vendor Identifier—pwdVendorID
    • Password Encoding—passEncoding
    • Default Authentication Group—defaultAuthenticationGroup
    • NAS ID—radNASid
    • Enable NAS IP address extraction—radNASip
    • Group Prefix—radGroupsPrefix
    • Group Separator—radGroupSeparator
    • IP Address Attribute Type—ipAttributeType
    • Password Attribute Type—pwdAttributeType
    • Accounting—accounting
  4. Click Create or OK. The RADIUS server (action) that you created appears on the Servers tab.

Support to pass through RADIUS attribute 66 (Tunnel-Client-Endpoint)

The Citrix ADC appliance allows the pass-through of RADIUS attribute 66 (Tunnel-Client-Endpoint) during RADIUS authentication. This lets the second-factor authentication server receive the client's IP address and use it to make risk-based authentication decisions.

A parameter, tunnelEndpointClientIP, is available in both the add authentication radiusAction and the set radiusParams commands.

To use this feature, at the Citrix ADC appliance command prompt, type:

```
add authentication radiusAction <name> {-serverIP <ip_addr|ipv6_addr|*> | -serverName <string>} [-serverPort <port>] … [-tunnelEndpointClientIP (ENABLED|DISABLED)]

set radiusParams {-serverIP <ip_addr|ipv6_addr|*> | -serverName <string>} [-serverPort <port>] … [-tunnelEndpointClientIP (ENABLED|DISABLED)]
```

Example

Specify either -serverIP or -serverName, not both:

```
add authentication radiusAction radius -serverIP 1.217.22.20 -serverPort 1812 -tunnelEndpointClientIP ENABLED

set radiusParams -serverIP 1.217.22.20 -serverPort 1812 -tunnelEndpointClientIP ENABLED
```
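The following Python script is an added example, not Citrix code, that shows what the radiusAction settings above put on the wire and why the shared secret matters. It builds an RFC 2865 Access-Request carrying User-Name, a User-Password obfuscated with the radKey, NAS-Identifier (radNASid), NAS-IP-Address (what radNASip ENABLED supplies) and attribute 66 (Tunnel-Client-Endpoint, the end user's address passed through to the server), and it verifies the server's Response Authenticator before trusting an Access-Accept. The secret WareTheLorax and NAS ID NAS1 are the page's example values; the user name, password, addresses and the stand-in server function are constructed for this example so it runs offline.

```python
"""Client-side RFC 2865 helpers: build an Access-Request, obfuscate
User-Password with the shared secret (radKey), verify the server's
Response Authenticator, and read attribute 66 (Tunnel-Client-Endpoint).
Added example, not Citrix code; names and addresses are constructed."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
NAS_IDENTIFIER, TUNNEL_CLIENT_ENDPOINT = 32, 66
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator


def attr(kind: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value; Length counts the two header octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes((kind, len(value) + 2)) + value


def encode_user_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator. Keyed obfuscation, not encryption."""
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def decode_user_password(secret: bytes, req_auth: bytes, cipher: bytes) -> bytes:
    """Inverse of encode_user_password (what the RADIUS server does)."""
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(cipher[i:i + 16], mask))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return HEADER.pack(code, ident, HEADER.size + len(attrs), authenticator) + attrs


def build_access_request(secret, ident, username, password, nas_id, nas_ip,
                         client_ip, req_auth=None):
    """What the ADC (acting as the NAS) sends to UDP 1812 for one login."""
    req_auth = req_auth or os.urandom(16)  # fresh random Request Authenticator
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, encode_user_password(secret, req_auth, password.encode()))
             + attr(NAS_IDENTIFIER, nas_id.encode())            # radNASid
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))    # radNASip ENABLED
             # Attribute 66 carries the end user's address as a string (RFC 2868);
             # the optional leading tag octet is omitted here.
             + attr(TUNNEL_CLIENT_ENDPOINT, client_ip.encode()))
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs)


def parse_attrs(packet: bytes) -> list:
    """Walk the attribute list, rejecting lengths that run past the packet."""
    _, _, length, _ = HEADER.unpack_from(packet)
    out, pos = [], HEADER.size
    while pos < length:
        kind, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        out.append((kind, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def response_authenticator(secret, code, ident, req_auth, attrs) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    header = HEADER.pack(code, ident, HEADER.size + len(attrs), req_auth)
    return hashlib.md5(header + attrs + secret).digest()


def verify_reply(secret: bytes, request: bytes, reply: bytes) -> bool:
    """Accept a reply only if its Response Authenticator binds it to our
    request and to the shared secret. Without this check, any host answering
    at the resolved address could hand out Access-Accepts."""
    _, req_id, _, req_auth = HEADER.unpack_from(request)
    code, ident, length, resp_auth = HEADER.unpack_from(reply)
    if ident != req_id or length != len(reply):
        return False
    expected = response_authenticator(secret, code, ident, req_auth, reply[HEADER.size:])
    return hmac.compare_digest(expected, resp_auth)


def constructed_server_reply(secret, request, code=ACCESS_ACCEPT, attrs=b""):
    """Stand-in for the RADIUS server so the example runs offline."""
    _, ident, _, req_auth = HEADER.unpack_from(request)
    auth = response_authenticator(secret, code, ident, req_auth, attrs)
    return build_packet(code, ident, auth, attrs)


if __name__ == "__main__":
    secret = b"WareTheLorax"  # the radKey from the page's example
    req = build_access_request(secret, 7, "alice", "s3cret", "NAS1",
                               "10.218.24.64", "203.0.113.7")
    print("attribute 66 as the server sees it:",
          dict(parse_attrs(req))[TUNNEL_CLIENT_ENDPOINT])
    print("genuine Access-Accept verifies:",
          verify_reply(secret, req, constructed_server_reply(secret, req)))
    print("Access-Accept from a host without the secret verifies:",
          verify_reply(secret, req, constructed_server_reply(b"guess", req)))
```

Run it to see that a reply built without the secret fails verification while the genuine one passes. Plain RADIUS over UDP offers only this MD5-based binding of the reply to the request, and the Access-Request itself carries no integrity check unless the Message-Authenticator attribute (RFC 2869) is added, which is why the strength of radKey and the trustworthiness of the path to the server (or RADIUS over TLS/IPsec) matter as much as the policy configuration.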

Support for validating end-to-end RADIUS authentication

The Citrix ADC appliance can validate end-to-end RADIUS authentication through the GUI. For this purpose, a Test button is available in the GUI. A Citrix ADC appliance administrator gains the following benefits from this feature:

  • Consolidates the complete flow (packet engine – AAA daemon – external server) to provide better analysis
  • Reduces time on validating and troubleshooting issues related to individual scenarios

You have two options to configure and view the test results of RADIUS end-to-end authentication by using the GUI.

From system option

  1. Navigate to System > Authentication > Basic Policies > RADIUS, and click the Servers tab.
  2. Select the RADIUS action from the list.
  3. On the Configure Authentication RADIUS Server page, under the Connection Settings section, you have two options.
  4. To check the RADIUS server connection, click Test RADIUS Reachability.
  5. To test end-to-end RADIUS authentication, click the Test End User Connection link.

From Authentication option

  1. Navigate to Authentication > Dashboard, and select the RADIUS action from the list.
  2. On the Configure Authentication RADIUS Server page, under the Connection Settings section, you have two options.
  3. To check the RADIUS server connection, click Test RADIUS Reachability.
  4. To view the end-to-end RADIUS authentication status, click the Test End User Connection link.