Authentication policies

Note

Citrix ADC appliance encodes only UTF-8 characters for authentication, and it is not compatible with servers that use ISO-8859-1 characters.

The Citrix ADC can authenticate users with local user accounts or by using an external authentication server. The appliance supports the following authentication types:

  • LOCAL

    Authenticates to the Citrix ADC appliance by using a password, without reference to an external authentication server. User data is stored locally on the Citrix ADC appliance.

  • RADIUS

    Authenticates to an external RADIUS server.

  • LDAP

    Authenticates to an external LDAP authentication server.

  • TACACS

    Authenticates to an external Terminal Access Controller Access-Control System (TACACS) authentication server.

    After a user authenticates to a TACACS server, the Citrix ADC connects to the same TACACS server for all subsequent authorizations. When the primary TACACS server is unavailable, this behavior avoids the delay of waiting for the first TACACS server to time out before the authorization request is resent to the second TACACS server.

    Note

    When authenticating through a TACACS server, authentication, authorization, and auditing traffic management logs only TACACS commands that ran successfully. This prevents the logs from showing TACACS commands that were entered by users who were not authorized to run them.

    Starting from NetScaler 12.0 Build 57.x, the Terminal Access Controller Access-Control System (TACACS) does not block the authentication, authorization, and auditing daemon while sending the TACACS request. This allows LDAP and RADIUS authentication requests to proceed in the meantime. The TACACS authentication request resumes once the TACACS server acknowledges the request.

  • CERT

    Authenticates to the Citrix ADC appliance by using a client certificate, without reference to an external authentication server.

  • NEGOTIATE

    Authenticates to a Kerberos authentication server. If there is an error in Kerberos authentication, Citrix ADC uses NTLM authentication.

  • SAML

    Authenticates to a server that supports the Security Assertion Markup Language (SAML).

  • SAML IDP

    Configures the Citrix ADC to serve as a Security Assertion Markup Language (SAML) Identity Provider (IdP).

  • WEB

    Authenticates to a web server, providing the credentials that the web server requires in an HTTP request and analyzing the web server response to determine that user authentication was successful.

An authentication policy comprises an expression and an action. Authentication policies use Citrix ADC expressions.

After creating an authentication action and an authentication policy, bind the policy to an authentication virtual server and assign a priority to it. When binding it, also designate it as either a primary or a secondary policy. Primary policies are evaluated before secondary policies. In configurations that use both types of policy, primary policies are normally the more specific policies and secondary policies the more general ones; the secondary policies are intended to handle authentication for any user accounts that do not meet the more specific criteria.

To add an authentication action by using the command line interface

If you do not use LOCAL authentication, you need to add an explicit authentication action. At the command prompt, type the following command:

```
add authentication tacacsAction <name> -serverip <ip> [-serverPort <port>] [-authTimeout <seconds>] [ ... ]
```

Example

```
> add authentication tacacsaction Authn-Act-1 -serverip 10.218.24.65 -serverport 1812 -authtimeout 15 -tacacsSecret "minotaur" -authorization OFF -accounting ON -auditFailedCmds OFF -defaultAuthenticationGroup "users"
Done
```

To configure an authentication action by using the command line interface

To configure an existing authentication action, at the command prompt, type the following command:

```
set authentication tacacsAction <name> -serverip <ip> [-serverPort <port>] [-authTimeout <seconds>] [ ... ]
```

Example

```
> set authentication tacacsaction Authn-Act-1 -serverip 10.218.24.65 -serverport 1812 -authtimeout 15 -tacacsSecret "minotaur" -authorization OFF -accounting ON -auditFailedCmds OFF -defaultAuthenticationGroup "users"
Done
```

To remove an authentication action by using the command line interface

To remove an existing RADIUS action, at the command prompt, type the following command:

```
rm authentication radiusAction <name>
```

Example

```
> rm authentication tacacsaction Authn-Act-1
Done
```

To configure an authentication server by using the configuration utility

Note

In the configuration utility, the term server is used instead of action, but refers to the same task.

  1. Navigate to Security > AAA - Application Traffic > Policies > Authentication.
  2. In the details pane, on the Servers tab, do one of the following:
    • To create a new authentication server, click Add.
    • To modify an existing authentication server, select the server, and then click Open.
  3. In the Create Authentication Server or Configure Authentication Server dialog box, type or select the values for the parameters.
    • Name*—radiusActionName (Cannot be changed for a previously configured action)
    • Authentication Type*—authtype (Set to RADIUS, cannot be changed)
    • IP Address*—serverip
    • IPV6*—Select the check box if the server IP is an IPv6 IP. (No command line equivalent.)
    • Port*—serverPort
    • Time-out (seconds)*—authTimeout
  4. Click Create or OK, and then click Close. The policy that you created appears in the Authentication Policies and Servers page.

To create and bind an authentication policy by using the command line interface

At the command prompt, type the following commands in the order shown to create and bind an authentication policy and verify the configuration:

```
add authentication negotiatePolicy <name> <rule>
show authentication localPolicy <name>
bind authentication vserver <name> -policy <policyName> [-priority <positive_integer>] [-secondary]
show authentication vserver <name>
```

Example

```
> add authentication localPolicy Authn-Pol-1 ns_true
Done
> show authentication localPolicy
1) Name: Authn-Pol-1 Rule: ns_true Request action: LOCAL
Done
> bind authentication vserver Auth-Vserver-2 -policy Authn-Pol-1
Done
> show authentication vserver Auth-Vserver-2
Auth-Vserver-2 (10.102.29.77:443) - SSL Type: CONTENT
State: UP
Client Idle Timeout: 180 sec
Down state flush: DISABLED
Disable Primary Vserver On Down : DISABLED
Authentication : ON
Current AAA Users: 0
Authentication Domain: myCompany.employee.com
1) Primary authentication policy name: Authn-Pol-1 Priority: 0
Done
```
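As an added verification check (not part of the Citrix documentation), the Python below parses the `show authentication vserver` output shown above and applies the evaluation rule from the binding paragraph (primary policies before secondary ones, lower priority number first, the Citrix ADC convention) to list the order in which bound policies are tried. The sample output is constructed from the example, and its two extra bindings (Authn-Pol-Fallback, Authn-Pol-Admins) are assumptions added to make the ordering visible.

```python
import re

# Constructed sample modelled on the `show authentication vserver` output above;
# the two extra bindings (entries 2 and 3) are assumptions added to show ordering.
SAMPLE = """\
Auth-Vserver-2 (10.102.29.77:443) - SSL Type: CONTENT
State: UP
Authentication : ON
Current AAA Users: 0
Authentication Domain: myCompany.employee.com
1) Primary authentication policy name: Authn-Pol-1 Priority: 0
2) Secondary authentication policy name: Authn-Pol-Fallback Priority: 100
3) Primary authentication policy name: Authn-Pol-Admins Priority: 10
Done
"""

BINDING_RE = re.compile(
    r"^\d+\)\s+(Primary|Secondary) authentication policy name:\s+(\S+)\s+Priority:\s+(\d+)$"
)

def parse_vserver(text):
    """Return (authentication_on, bindings); each binding is (kind, policy, priority)."""
    auth_on, bindings = False, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Authentication :"):   # distinct from "Authentication Domain:"
            auth_on = line.split(":", 1)[1].strip() == "ON"
        m = BINDING_RE.match(line)
        if m:
            bindings.append((m.group(1), m.group(2), int(m.group(3))))
    return auth_on, bindings

def evaluation_order(bindings):
    """Primary policies before secondary; within a group, lower priority number first."""
    rank = {"Primary": 0, "Secondary": 1}
    ordered = sorted(bindings, key=lambda b: (rank[b[0]], b[2]))
    return [policy for _, policy, _ in ordered]

def check_binding(text, policy, kind="Primary", priority=0):
    """Audit check: authentication is ON and `policy` is bound with the given kind/priority."""
    auth_on, bindings = parse_vserver(text)
    return auth_on and (kind, policy, priority) in bindings

if __name__ == "__main__":
    on, bound = parse_vserver(SAMPLE)
    print("Authentication ON:", on)
    print("Evaluation order:", evaluation_order(bound))
    print("Authn-Pol-1 bound as primary, priority 0:", check_binding(SAMPLE, "Authn-Pol-1"))
```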

To modify an existing authentication policy by using the command line interface

At the command prompt, type the following commands to modify an existing authentication policy:

```
set authentication localPolicy <name> [-reqaction <action>]
```

Example

```
> set authentication localPolicy Authn-Pol-1 'ns_true'
Done
```

To remove an authentication policy by using the command line interface

At the command prompt, type the following command to remove an authentication policy:

```
rm authentication localPolicy <name>
```

Example

```
> rm authentication localPolicy Authn-Pol-1
Done
```

To configure and bind authentication policies by using the configuration utility

  1. Navigate to Security > AAA - Application Traffic > Policies > Authentication, and then select the type of policy that you want to create.
  2. In the details pane, on the Policies tab, do one of the following:
    • To create a new policy, click Add.
    • To modify an existing policy, select the action, and then click Edit.
  3. In the Create Authentication Policy or Configure Authentication Policy dialog, type or select the values for the parameters.
    • Name— policy name (Cannot be changed for a previously configured action)
    • Authentication Type— authtype
    • Server— authVsName
    • Expression— rule (You enter expressions by first choosing the type of expression in the leftmost drop-down list beneath the Expression window, and then by typing your expression directly into the expression text area, or by clicking Add to open the Add Expression dialog box and using the drop-down lists in it to construct your expression.)
  4. Click Create or OK. The policy that you created appears in the Policies page.
  5. Click the Servers tab, and in the details pane do one of the following:
    • To use an existing server, select it, and then click.
    • To create a server, click Add, and follow the instructions.
  6. If you want to designate this policy as a secondary authentication policy, on the Authentication tab, click Secondary. If you want to designate this policy as a primary authentication policy, skip this step.
  7. Click Insert Policy.
  8. Select the authentication virtual server to which you want to bind the policy from the drop-down list.
  9. In the Priority column to the left, modify the default priority to ensure that the policy is evaluated in the proper order.
  10. Click OK. A message appears in the status bar, stating that the policy has been configured successfully.