User identity management
An increasing number of security breaches and the growing popularity of mobile devices has emphasized the need to ensure that use of the external internet is compliant with the corporate policies and only authorized users access external resources provisioned by the corporate personnel. Identity Management makes this possible by verifying the identity of a person or a device. It does not determine what tasks the individual can take or what files the individual can see.
A Secure Web Gateway (SWG) deployment identifies the user before allowing access to the internet. All requests and responses from the user are inspected. User activity is logged, and records are exported to the Citrix Application Delivery Management (ADM) for reporting. In Citrix ADM, you can view the statistics about the user activities, transactions, and bandwidth consumption.
By default, only the user’s IP address is saved, but you can configure the Citrix SWG appliance to record more details about the user, and use this identity information to create richer internet usage policies for specific users.
The Citrix ADC appliance supports the following authentication modes for an explicit-proxy configuration.
- Lightweight Directory Access Protocol (LDAP). Authenticates the user through an external LDAP authentication server. For more information, see LDAP Authentication Policies.
- RADIUS. Authenticates the user through an external RADIUS server. For more information, see RADIUS Authentication Policies.
- TACACS+. Authenticates the user through an external Terminal Access Controller Access-Control System (TACACS) authentication server. For more information, see Authentication Policies.
- Negotiate. Authenticates the user through a Kerberos authentication server. If there is an error in Kerberos authentication, appliance uses NTLM authentication. For more information, see Negotiate Authentication Policies.
For transparent proxy, only IP-based LDAP authentication is currently supported. When a client request is received, the proxy authenticates the user by checking an entry for the client IP address in the active directory, and creates a session based on the user IP address. However, if you configure the ssoNameAttribute in an LDAP action, a session is created by using the username instead of the IP address. Classic policies are not supported for authentication in a transparent proxy setup.
Note
For explicit proxy, you must set the LDAP login name to
sAMAccountName
. For transparent proxy, you must set the LDAP login name tonetworkAddress
andattribute1
tosAMAccountName
.
Example for explicit proxy:
add authentication ldapAction swg-auth-action-explicit -serverIP 10.105.157.116 -ldapBase "CN=Users,DC=CTXNSSFB,DC=COM" -ldapBindDn "CN=Administrator,CN=Users,DC=CTXNSSFB,DC=COM" -ldapBindDnPassword freebsd123$ -ldapLoginName sAMAccountName
<!--NeedCopy-->
Example for transparent proxy:
add authentication ldapAction swg-auth-action-explicit -serverIP 10.105.157.116 -ldapBase "CN=Users,DC=CTXNSSFB,DC=COM" -ldapBindDn "CN=Administrator,CN=Users,DC=CTXNSSFB,DC=COM" -ldapBindDnPassword freebsd123$ -ldapLoginName networkAddress -authentication disable -Attribute1 sAMAccountName
<!--NeedCopy-->
Set up user authentication by using the Citrix SWG CLI
At the command prompt type:
add authentication vserver <vserver name> SSL
bind ssl vserver <vserver name> -certkeyName <certkey name>
add authentication ldapAction <action name> -serverIP <ip_addr> -ldapBase <string> -ldapBindDn <string> -ldapBindDnPassword -ldapLoginName <string>
add authentication Policy <policy name> -rule <expression> -action <string>
bind authentication vserver <vserver name> -policy <string> -priority <positive_integer>
set cs vserver <name> -authn401 ON -authnVsName <string>
<!--NeedCopy-->
Arguments:
Vserver name:
Name of the authentication virtual server to which to bind the policy.
Maximum Length: 127
serviceType:
Protocol type of the authentication virtual server. Always SSL.
Possible values: SSL
Default value: SSL
Action name:
Name for the new LDAP action. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after the LDAP action is added. The following requirement applies only to the CLI:
If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my authentication action” or ‘my authentication action’).
Maximum Length: 127
serverIP:
IP address assigned to the LDAP server.
ldapBase:
Base (node) from which to start LDAP searches. If the LDAP server is running locally, the default value of base is dc=netscaler, dc=com. Maximum Length: 127
ldapBindDn:
Full distinguished name (DN) that is used to bind to the LDAP server.
Default: cn=Manager,dc=netscaler,dc=com
Maximum Length: 127
ldapBindDnPassword:
Password used to bind to the LDAP server.
Maximum Length: 127
ldapLoginName:
LDAP login name attribute. The Citrix ADC appliance uses the LDAP login name to query external LDAP servers or Active Directories. Maximum Length: 127
Policy name:
Name for the advance AUTHENTICATION policy. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after AUTHENTICATION policy is created. The following requirement applies only to the CLI:
If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my authentication policy” or ‘my authentication policy’).
Maximum Length: 127
rule:
Name of the rule, or a default syntax expression, that the policy uses to determine whether to attempt to authenticate the user with the AUTHENTICATION server.
Maximum Length: 1499
action:
Name of the authentication action to be performed if the policy matches.
Maximum Length: 127
priority:
Positive integer specifying the priority of the policy. A lower number specifies a higher priority. Policies are evaluated in the order of their priorities, and the first policy that matches the request is applied. Must be unique within the list of policies bound to the authentication virtual server.
Minimum value: 0
Maximum Value: 4294967295
Example:
add authentication vserver swg-auth-vs SSL
Done
bind ssl vserver explicit-auth-vs -certkeyName ns-swg-ca-certkey
Done
add authentication ldapAction swg-auth-action-explicit -serverIP 192.0.2.116 -ldapBase "CN=Users,DC=CTXNSSFB,DC=COM" -ldapBindDn "CN=Administrator,CN=Users,DC=CTXNSSFB,DC=COM" -ldapBindDnPassword zzzzz -ldapLoginName sAMAccountName
Done
add authenticationpolicy swg-auth-policy -rule true -action swg-auth-action-explicit Done
bind authentication vserver swg-auth-vs -policy swg-auth-policy -priority 1
Done
set cs vserver testswg -authn401 ON -authnVsName swg-auth-vs
Done
<!--NeedCopy-->
Enable user name logging by using the Citrix SWG CLI
At the command prompt, type:
set appflow param -AAAUserName ENABLED
<!--NeedCopy-->
Arguments:
AAAUserName
Enable AppFlow AAA user name logging.
Possible values: ENABLED, DISABLED
Default value: DISABLED
Example:
set appflow param -AAAUserName ENABLED
<!--NeedCopy-->