Citrix SD-WAN

Administrative interface

You can manage and maintain your Citrix SD-WAN appliances with the following administrative options in the Citrix SD-WAN Orchestrator service. For more information, see Appliance settings.

  • User accounts
  • RADIUS server
  • TACACS+ server
  • HTTPS Cert
  • HTTPS Settings
  • Miscellaneous

User accounts

You can add new user accounts and manage existing user accounts on the Configuration > Appliance Settings > Administrator Interface page, under the User Accounts tab.

You can choose to authenticate newly added user accounts either locally by the SD-WAN appliance or remotely. Remotely authenticated user accounts are authenticated through RADIUS or TACACS+ authentication servers.

User roles

The following user roles are supported:

  • Viewer: The Viewer account is a read-only account with access to the Dashboard, Reporting, and Monitoring pages.

  • Admin: The Admin account has administrative privileges and read-write access to all the sections.

    A super administrator (admin) has the following privileges:

    • Can export the configuration to the change management inbox to perform a configuration and software update to the network.
    • Can also toggle the read-write access of the Network and Security Admins.
    • Maintains both network and security related settings.
  • Security Admin: A security administrator has read-write access only for the firewall and security related settings, and read-only access to the remaining sections. A security administrator can also enable or disable write access to the firewall for other users except the super administrator (admin).

  • Network Admin: A network administrator has read-write permissions to all the sections and can fully provision a branch except for the firewall and security related settings. The hosted firewall node is not available for the network administrator. In this case, the network administrator must import a new configuration.

Both the network administrator and the security administrator can make changes to the configuration and deploy them on the network.

NOTE

The network administrator and security administrator cannot add or delete user accounts. They can only edit their own account passwords.

User settings

Add a user

To add a user, click Add User in the Manage Users section. Provide the User Name and Password. Select the user role from the User Level drop-down list and click Apply.

You can also delete a user account, if needed. Deleting a user also deletes the local files belonging to that user. To delete a user, in the Manage Users section, select the user from the User Name drop-down list and click Delete Selected User.

Change password of a user

The administrator role can change the password of a user account that is authenticated locally by the SD-WAN appliance.

To change the password, in the Change Local User Password section, select the user from the User Name drop-down list. Enter the current password and the new password. Click Change Password.

RADIUS server

You can configure an SD-WAN appliance to authenticate user access with one to three RADIUS servers. The default port is 1812.

To configure the RADIUS server:

  1. Navigate to Configuration > Appliance Settings > Administrator Interface > RADIUS.

  2. Select the Enable RADIUS check box.

  3. Enter the Server IP Address and Authentication Port. A maximum of three server IP addresses can be configured.

    NOTE

    To configure an IPv6 address, ensure that the RADIUS server is also configured with an IPv6 address.

  4. Enter the Server Key and confirm.

  5. Enter the Timeout value in seconds.

  6. Click Save.

You can also test the RADIUS server connection. Enter the User Name and Password. Click Verify.

TACACS+ server

You can configure a TACACS+ server for authentication. Similar to RADIUS authentication, TACACS+ uses a secret key, an IP address, and the port number. The default port number is 49.

To configure the TACACS+ server:

  1. Navigate to Configuration > Appliance Settings > Administrator Interface > TACACS+.

  2. Select the Enable TACACS+ check box.

  3. Enter the Server IP Address and Authentication Port. A maximum of three server IP addresses can be configured.

    NOTE

    To configure an IPv6 address, ensure that the TACACS+ server is also configured with an IPv6 address.

  4. Select PAP or ASCII as the Authentication Type.

    • PAP: Uses Password Authentication Protocol (PAP) to strengthen user authentication by assigning a strong shared secret to the TACACS+ server.

    • ASCII: Uses the ASCII character set to strengthen user authentication by assigning a strong shared secret to the TACACS+ server.

  5. Enter the Server Key and confirm.

  6. Enter the Timeout value in seconds.

  7. Click Save.

You can also test the TACACS+ server connection. Enter the User Name and Password. Click Verify.
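How the Authentication Type and Server Key show up on the wire, as an added example that is not Citrix code: following RFC 8907, the sketch below builds the first authentication packet (START) for a PAP or ASCII login and obfuscates its body with the MD5 pad derived from the key. The function names and the `sdwan-ui` port label are hypothetical values chosen for this example.

```python
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01                       # packet type: authentication
AUTHEN_TYPE = {"ASCII": 0x01, "PAP": 0x02}   # authen_type field values
MINOR_VERSION = {"ASCII": 0x0, "PAP": 0x1}   # PAP logins use minor version 1


def pseudo_pad(length, session_id, key, version, seq_no):
    """RFC 8907 section 4.5: MD5 chain over session_id, key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pad; applying it again with the same key restores the body."""
    pad = pseudo_pad(len(body), session_id, key, version, seq_no)
    return bytes(a ^ b for a, b in zip(body, pad))


def build_authen_start(auth_type, user, password, key, session_id,
                       port=b"sdwan-ui"):    # hypothetical port label
    """First packet of a login, as sent to TCP port 49.
    PAP carries the password in this packet's data field; ASCII leaves it
    empty and sends the password later, in reply to the server's prompt."""
    version = 0xC0 | MINOR_VERSION[auth_type]
    data = password if auth_type == "PAP" else b""
    # action=LOGIN, priv_lvl=1, authen_type, service=LOGIN, then field lengths
    body = struct.pack("!8B", 0x01, 0x01, AUTHEN_TYPE[auth_type], 0x01,
                       len(user), len(port), 0, len(data)) + user + port + data
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, 1, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, version, 1)
```

The 12-byte header stays in clear text and everything after it depends on the Server Key, so a server configured with a different key decodes the body to garbage and the Verify test fails.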
