Authentication, authorization, and auditing application traffic
Many companies restrict website access to valid users only, and control the level of access permitted to each user. The authentication, authorization, and auditing feature allows a site administrator to manage access controls with the Citrix ADC appliance instead of managing these controls separately for each application. Doing authentication on the appliance also permits sharing this information across all websites within the same domain that are protected by the appliance.
To use authentication, authorization, and auditing, you must configure authentication virtual servers to handle the authentication process and traffic management virtual servers to handle the traffic to web applications that require authentication. You also configure your DNS to assign FQDNs to each virtual server. After configuring the virtual servers, you configure a user account for each user that will authenticate via the Citrix ADC appliance, and optionally you create groups and assign user accounts to groups. After creating user accounts and groups, you configure policies that tell the appliance how to authenticate users, which resources to allow users to access, and how to log user sessions. To put the policies into effect, you bind each policy globally, to a specific virtual server, or to the appropriate user accounts or groups. After configuring your policies, you customize user sessions by configuring session settings and binding your session policies to the traffic management virtual server. Finally, if your intranet uses client certs, you set up the client certificate configuration.
To understand how authentication, authorization, and auditing works in a distributed environment, consider an organization with an intranet that its employees access in the office, at home, and when traveling. The content on the intranet is confidential and requires secure access. Any user who wants to access the intranet must have a valid user name and password. To meet these requirements, the ADC does the following:
- Redirects the user to the login page if the user accesses the intranet without having logged in.
Collects the user’s credentials, delivers them to the authentication server, and caches them in a directory that is accessible through the Lightweight Directory Access Protocol (LDAP). For more information, see Determining Attributes in Your LDAP Directory.
- Verifies that the user is authorized to access specific intranet content before delivering the user’s request to the application server.
- Maintains a session timeout after which users must authenticate again to regain access to the intranet. (You can configure the timeout.)
- Logs the user accesses, including invalid login attempts, in an audit log.
Supported authentication types
- Client certificate authentication (including smart card authentication)
- Advanced authentication
- Forms based authentication
- 401 based authentication
- Native OTP
- Push notification
- Email OTP
Citrix Gateway also supports RSA SecurID, Gemalto Protiva, and SafeWord. You use a RADIUS server to configure these types of authentication.
Before configuring authentication, authorization, and auditing, you must be familiar with and understand how to configure load balancing, content switching, and SSL on the Citrix ADC appliance.
Authentication without authorization
Authorization specifies the network resources to which users have access when they log on to the appliance. The default setting for authorization is to deny access to all network resources. Citrix recommends using the default global setting and then creating authorization policies to define the network resources users can access.
You configure authorization on the appliance by using an authorization policy and expressions. After you create an authorization policy, you can bind it to the users or groups that you configured on the appliance.
You can configure the appliance to use authentication only, without authorization. When you configure authentication without authorization, the appliance does not perform a group authorization check. The policies that you configure for the user or group are assigned to the user.
Enabling authentication, authorization, and auditing
To use the authentication, authorization, and auditing feature, you must enable it. You can configure authentication, authorization, and auditing entities—such as the authentication and traffic management virtual servers—before you enable the authentication, authorization, and auditing feature, but the entities do not function until the feature is enabled.
At the command prompt, type the following commands to enable authentication, authorization, and auditing and verify the configuration:
enable ns feature AAA
- Navigate to System > Settings.
- In the details pane, under Modes and Features, click Change Basic Features.
- In the Configure Basic Features dialog box, select the Authentication, Authorization and Auditing check box.
- Click OK.
If your deployment does not require authentication, you can disable it. You can disable authentication for each virtual server that does not require authentication.
Important: Citrix recommends disabling authentication with caution. If you are not using an external authentication server, create local users and groups to allow the appliance to authenticate users. Disabling authentication stops the use of authentication, authorization, and accounting features that control and monitor connections to the appliance. When users type a web address to connect to the appliance, the logon page does not appear.
- Navigate to Configuration > Citrix Gateway > Virtual Servers.
- In the details pane, click a virtual server, and then click Open.
- In the Basic Settings page, clear the Enable Authentication check box.