Citrix SD-WAN Center

Secondary authentication

Secondary authentication is configured to enable Two-factor authentication for local and remote user accounts. You can configure either the RADIUS or TACACS+ authentication server as the secondary authenticating serve. For more information, see Two-factor authentication.  

Note

Ensure that user accounts are created on the required authentication servers. The user account password is to be used as the second factor in the Citrix SD-WAN Center login sequence.

Secondary RADIUS authentication server

To use RADIUS authentication, you must specify and configure at least one RADIUS server. Optionally, you configure redundant backup servers, up to a maximum of three RADIUS servers. The servers are checked sequentially, starting with the server listed first in the Servers section. Ensure that the required user accounts are created on the RADIUS authentication server.

To enable and configure RADIUS authentication:

  1. In the Citrix SD-WAN Center web interface, navigate to Administration > User/Authentication Settings.

  2. In the Secondary Authentication > RADIUS Authentication section, select the Enable Secondary RADIUS Authentication check box.  

    Note

    If TACACS+ authentication is already enabled, it gets disabled.

  3. In the Timeout field, enter the time interval (in seconds) to wait for an authentication response from the RADIUS server.

    The timeout value should be less than or equal to 60 seconds.

  4. In the Server Key field, enter a secret key to use when connecting to the RADIUS servers.

  5. In the Confirm Server Key fields, reenter the secret key.

    Note

    The Timeout and Server Key settings are applied to all configured servers.

  6. Click the plus icon (+) next to Servers to add a RADIUS server.

  7. In the IP Address field, enter the host IP address for the RADIUS server.

  8. In the Port field, enter the port number for RADIUS server. The default port number is 1812.

    localized image

  9. Click Apply.

  10.  Click Verify to verify the connection to the RADIUS server. The Verify Secondary RADIUS Server Settings dialog box appears.

    localized image

  11. Enter a valid username and password for the authentication servers, and click Verify.

To configure more servers, repeat the steps 6 through 11.

Secondary TACACS+ authentication server

To use TACACS+, you must specify and configure at least one TACACS+ server. Optionally, you configure redundant backup servers, up to a maximum of three TACACS+ servers. The servers are checked sequentially, starting with the server listed first in the Servers section. Ensure that the required user accounts are created on the TACACS+ authentication server.

To enable and configure TACACS+ authentication:

  1. In the SD-WAN Center web interface, navigate to Administration > User/Authentication Settings.

  2. In the Secondary Authentication > TACACS+ Authenticationsection, select the Enable Secondary TACACS+ Authentication check box.  

    Note

    If RADIUS authentication is already enabled, it gets disabled.

  3. In the Timeout field, enter the time interval (in seconds) to wait for an authentication response from the TACACS+ server.

    The timeout value should be less than or equal to 60 seconds.

  4. In the Authentication Type field, select the encryption method to use to send the username and password to the TACACS+ server.

  5. In the Server Key field, enter a secret key to use when connecting to the TACACS+ servers.

  6. In the Confirm Server Key fields, reenter the secret key.

    Note

    The Timeout, Authentication Type, and Server Key settings are applied to all the configured servers.

  7. Click the plus icon (+) next to Servers to add a TACACS+ server.

  8. In the IP Address field, enter the host IP address for the TACACS+ server.

  9. In the Port field, enter the port number for TACACS+ server. The default port number is 49

    localized image

  10. Click Apply.

  11.  Click Verify to verify the connection to the RADIUS server. The Verify TACACS+ Server Settings dialog box appears.

    localized image

  12. Enter a valid username and password for the authentication servers, and click Verify.

    To configure more servers, repeat the steps 7 through 12.

Secondary authentication