Web authentication
Authentication, authorization, and auditing is now able to authenticate a user to a web server, providing the credentials that the web server requires in an HTTP request and analyzing the web server response to determine that user authentication was successful. As with other types of authentication policies, a Web authentication policy is comprised of an expression and an action. After creating an authentication policy, you bind it to an authentication virtual server and assign a priority to it. When binding it, you also designate it as either a primary or a secondary policy.
To set up web-based authentication with a specific web server, first you create a web authentication action. Since authentication to web servers does not use a rigid format, you must specify exactly which information the web server requires and in which format when creating the action. To do this, you create an expression in Citrix ADC appliance default syntax that contains the following items:
- Server IP—The IP address of the authentication Web server.
- Server Port—The port of the authentication Web server.
- Authentication Rule—An expression in Citrix ADC appliance default syntax that contains the user’s credentials in the format that the Web server expects.
- Scheme—HTTP (for unencrypted web authentication) or HTTPS (for encrypted web authentication).
- Success Rule—An expression in Citrix ADC appliance default syntax that matches the web server response string that signifies that the user authenticated successfully.
For all other parameters, follow the normal rules for the add authentication action command.
Next you create a policy associated with that action. The policy is similar to an LDAP policy, and like LDAP policies uses Citrix ADC appliance syntax.
Note
These instructions assume that you are already familiar with the authentication requirements of the web server(s) to which you want to authenticate, and have already configured the web authentication server.
To configure a Web authentication action by using the command line interface
To create a web authentication action at the command line, at the command line type the following command:
add authentication webAuthAction <name> -serverIP <ip_addr|ipv6_addr|*> -serverPort <port|*> [-fullReqExpr <string>] -scheme ( http | https ) -successRule <expression> [-defaultAuthenticationGroup <string>][-Attribute1 <string>][-Attribute2 <string>] [-Attribute3 <string>][-Attribute4 <string>] [-Attribute5 <string>][-Attribute6 <string>] [-Attribute7 <string>][-Attribute8 <string>] [-Attribute9 <string>][-Attribute10 <string>] [-Attribute11 <string>][-Attribute12 <string>] [-Attribute13 <string>][-Attribute14 <string>] [-Attribute15 <string>][-Attribute16 <string>]
<!--NeedCopy-->
Example
add policy expression post_data "\"username=\" + http.REQ.BODY(1000).SET_TEXT_MODE(IGNORECASE).AFTER_STR(\"login=\").BEFORE_STR(\"&\") + \"&passwort=\" + http.REQ.BODY(1000).SET_TEXT_MODE(IGNORECASE).AFTER_STR(\"passwd=\")"
add policy expression length_post_data "(\"username= \" + http.REQ.BODY(1000).SET_TEXT_MODE(IGNORECASE).AFTER_STR(\"login=\").BEFORE_STR(\"&\") + \"passwort=\" + http.REQ.BODY(1000).SET_TEXT_MODE(IGNORECASE).AFTER_STR(\"passwd=\")).length"
add authentication webAuthAction webAuth_POST -serverIP 10.106.187.54 -serverPort 80 -fullReqExpr q{"POST /MyPHP/auth.php HTTP/" + http.req.version.major + "." + http.req.version.major + "\r\nAccept:*/*\r\nHost: 10.106.187.54\r\nReferer: http://10.106.187.54/MyPHP/auth.php\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\nContent-Type: application/x-www-form-urlencoded\r\n" + "Content-Length: " + length_post_data + "\r\nConnection: Keep-Alive\r\n\r\n" + post_data} -scheme http -successRule "http.res.status.eq(200)"
<!--NeedCopy-->
To configure a Web authentication action by using the configuration utility
Note
In the configuration utility, the term server is used instead of action, but refers to the same task.
- Navigate to Security > AAA - Application Traffic > Policies > LDAP.
-
In the details pane, on the Servers tab, do one of the following:
- If you want to create a new web authentication action, click Add.
- If you want to modify an existing web authentication action, in the data pane select the action, and then click Edit.
- If you are creating a new web authentication action, in the Create Authentication Web server dialog box, Name text box, type a name for the new web authentication action. The name can be from one to 127 characters in length, and can consist of upper- and lowercase letters, numbers, and the hyphen (-) and underscore (_) characters. If you are modifying an existing web authentication action, skip this step. The name is read-only; you cannot change it.</span>
- In the Web Server IP Address text box, type the IPv4 or IPv6 IP address of the authentication web server. If the address is an IPv6 IP address, select the IPv6 check box first.
- In the Port text box, type the port number on which the web server accepts connections.
- Select HTTP or HTTPS in the Protocol drop-down list.
- In the HTTP Request Expression text area, type a PCRE-format regular expression that creates the web server request that contains the user’s credentials in the exact format expected by the authentication web server.
- In the Expression to validate the Authentication text area, type a Citrix ADC appliance default syntax expression that describes the information in the web server response that indicates that user authentication was successful.
- Fill out the remaining fields as described in the general authentication action documentation.
- Click OK.