ADC

User identity management

An increasing number of security breaches and the growing popularity of mobile devices has emphasized the need to ensure that use of the external internet is compliant with the corporate policies. Only authorized users must be allowed access to external resources provisioned by the corporate personnel. Identity Management makes it possible by verifying the identity of a person or a device. It does not determine what tasks the individual can take or what files the individual can see.

An SSL forward proxy deployment identifies the user before allowing access to the internet. All requests and responses from the user are inspected. User activity is logged, and records are exported to the Citrix Application Delivery Management (ADM) for reporting. In Citrix ADM, you can view the statistics about the user activities, transactions, and bandwidth consumption.

By default, only the user’s IP address is saved, but you can configure the feature to record more details about the user. You can use this identity information to create richer internet usage policies for specific users.

The Citrix ADC appliance supports the following authentication modes for an explicit-proxy configuration.

  • Lightweight Directory Access Protocol (LDAP). Authenticates the user through an external LDAP authentication server. For more information, see LDAP Authentication Policies.
  • RADIUS. Authenticates the user through an external RADIUS server. For more information, see RADIUS Authentication Policies.
  • TACACS+. Authenticates the user through an external Terminal Access Controller Access-Control System (TACACS) authentication server. For more information, see Authentication Policies.
  • Negotiate. Authenticates the user through a Kerberos authentication server. If there is an error in Kerberos authentication, the appliance uses NTLM authentication. For more information, see Negotiate Authentication Policies.

For transparent proxy, only IP-based LDAP authentication is supported. When a client request is received, the proxy authenticates the user by checking an entry for the client IP address in the active directory. It then creates a session based on the user IP address. However, if you configure the ssoNameAttribute in an LDAP action, a session is created by using the user name instead of the IP address. Classic policies are not supported for authentication in a transparent proxy setup.

Note

For explicit proxy, you must set the LDAP login name to sAMAccountName. For transparent proxy, you must set the LDAP login name to networkAddress and attribute1 to sAMAccountName.

Example for explicit proxy:

add authentication ldapAction swg-auth-action-explicit -serverIP 10.105.157.116 -ldapBase "CN=Users,DC=CTXNSSFB,DC=COM" -ldapBindDn "CN=Administrator,CN=Users,DC=CTXNSSFB,DC=COM" -ldapBindDnPassword freebsd123$ -ldapLoginName sAMAccountName
<!--NeedCopy-->

Example for transparent proxy:

add authentication ldapAction swg-auth-action-explicit -serverIP 10.105.157.116 -ldapBase "CN=Users,DC=CTXNSSFB,DC=COM" -ldapBindDn "CN=Administrator,CN=Users,DC=CTXNSSFB,DC=COM" -ldapBindDnPassword freebsd123$ -ldapLoginName networkAddress -authentication disable -Attribute1 sAMAccountName
<!--NeedCopy-->

Set up user authentication by using the CLI

At the command prompt type:

add authentication vserver <vserver name> SSL

bind ssl vserver <vserver name> -certkeyName <certkey name>

add authentication ldapAction <action name> -serverIP <ip_addr> -ldapBase <string> -ldapBindDn <string> -ldapBindDnPassword -ldapLoginName <string>

add authentication Policy <policy name> -rule <expression> -action <string>

bind authentication vserver <vserver name> -policy <string> -priority <positive_integer>

set cs vserver <name> -authn401 ON -authnVsName <string>
<!--NeedCopy-->

Arguments:

Vserver name:

Name of the authentication virtual server to which to bind the policy.

Maximum Length: 127

serviceType:

Protocol type of the authentication virtual server. Always SSL.

Possible values: SSL

Default value: SSL

Action name:

Name for the new LDAP action. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after the LDAP action is added. The following requirement applies only to the CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my authentication action” or ‘my authentication action’).

Maximum Length: 127

serverIP:

IP address assigned to the LDAP server.

ldapBase:

Base (node) from which to start LDAP searches. If the LDAP server is running locally, the default value of base is dc=netscaler, dc=com. Maximum Length: 127

ldapBindDn:

Full distinguished name (DN) that is used to bind to the LDAP server.

Default: cn=Manager,dc=netscaler,dc=com

Maximum Length: 127

ldapBindDnPassword:

Password used to bind to the LDAP server.

Maximum Length: 127

ldapLoginName:

LDAP login name attribute. The Citrix ADC appliance uses the LDAP login name to query external LDAP servers or Active Directories. Maximum Length: 127

Policy name:

Name for the advance AUTHENTICATION policy. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after an AUTHENTICATION policy is created. The following requirement applies only to the CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my authentication policy” or ‘my authentication policy’).

Maximum Length: 127

rule:

Name of the rule, or a default syntax expression, that the policy uses to determine whether to attempt to authenticate the user with the AUTHENTICATION server.

Maximum Length: 1499

action:

Name of the authentication action to be performed if the policy matches.

Maximum Length: 127

priority:

Positive integer specifying the priority of the policy. A lower number specifies a higher priority. Policies are evaluated in the order of their priorities, and the first policy that matches the request is applied. Must be unique within the list of policies bound to the authentication virtual server.

Minimum value: 0

Maximum Value: 4294967295

Example:

add authentication vserver swg-auth-vs SSL

Done

bind ssl vserver explicit-auth-vs -certkeyName ns-swg-ca-certkey

Done

add authentication ldapAction swg-auth-action-explicit -serverIP 192.0.2.116 -ldapBase "CN=Users,DC=CTXNSSFB,DC=COM" -ldapBindDn "CN=Administrator,CN=Users,DC=CTXNSSFB,DC=COM" -ldapBindDnPassword zzzzz -ldapLoginName sAMAccountName

Done

add authenticationpolicy swg-auth-policy -rule true -action swg-auth-action-explicit
Done

bind authentication vserver swg-auth-vs -policy swg-auth-policy -priority 1

Done

set cs vserver testswg -authn401 ON -authnVsName swg-auth-vs

Done
<!--NeedCopy-->

Enable user name logging by using the CLI

At the command prompt, type:

set appflow param -AAAUserName ENABLED
<!--NeedCopy-->

Arguments:

AAAUserName

Enable AppFlow authentication, authorization, and auditing user name logging.

Possible values: ENABLED, DISABLED

Default value: DISABLED

Example:

set appflow param -AAAUserName ENABLED
<!--NeedCopy-->
User identity management