Authenticating with client certificates

Web sites that contain sensitive content, such as online banking websites or websites with employee personal information, sometimes require client certificates for authentication. To configure authentication, authorization, and auditing to authenticate users on the basis of client-side certificate attributes, you first enable client authentication on the traffic management virtual server and bind the root certificate to the authentication virtual server. Then, you implement one of two options. You can configure the default authentication type on the authentication virtual server as CERT, or you can create a certificate action that defines what the Citrix ADC must do to authenticate users on the basis of a client certificate. In either case, your authentication server must support CRLs. You configure the ADC to extract the user name from the SubjectCN field or another specified field in the client certificate.

When the user tries to log on to an authentication virtual server for which an authentication policy is not configured, and a global cascade is not configured, the user name information is extracted from the specified field of the certificate. If the required field is extracted, the authentication succeeds. If the user does not provide a valid certificate during the SSL handshake, or if the user name extraction fails, authentication fails. After it validates the client certificate, the ADC presents a logon page to the user.

The following procedures assume that you have already created a functioning authentication, authorization, and auditing configuration, and therefore they explain only how to enable authentication by using client certificates. These procedures also assume that you have obtained your root certificate and client certificates and have placed them on the ADC in the /nsconfig/ssl directory.

To configure the authentication, authorization, and auditing client certificate parameters by using the command line interface

At the command prompt, type the following commands, in the order shown, to configure the certificate and verify the configuration (the angle-bracket arguments take the values that the configuration utility procedure below lists under the same parameter names):

```
add ssl certKey <certkeyName> -cert <certFile> -key <keyFile> -password -inform <inform> -expiryMonitor <expiryMonitor> -notificationPeriod <notificationPeriod>
bind ssl certKey <certkeyName> -vServer <vServerName> -CA -crlCheck Mandatory
show ssl certKey [<certkeyName>]
set aaa parameter -defaultAuthType CERT
show aaa parameter
set aaa certParams -userNameField "Subject:CN"
show aaa certParams
```
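The `-userNameField "Subject:CN"` setting above tells the ADC which attribute of the client certificate's Subject to treat as the user name, and the text notes that a failed extraction fails the logon. The following Python script is an added illustration of that extraction step and is not Citrix code: it carries a small DER encoder/decoder for the X.501 Name structure, locates the `subject` field inside a certificate's TBSCertificate, and returns the requested attribute (`Subject:CN`, `Subject:O`, and so on) or `None` when the field is absent. The sample certificate it builds is a constructed, unsigned stand-in with the right DER shape, not a real credential; the helper names (`build_sample_certificate`, `authenticate`, etc.) are this example's own.

```python
# Added example: extract the user name from a client certificate's Subject,
# mirroring the ADC's -userNameField "Subject:<attr>" behaviour. Not Citrix code.

OID_NAMES = {                                   # attribute OIDs in DER form
    b"\x55\x04\x03": "CN",
    b"\x55\x04\x06": "C",
    b"\x55\x04\x0a": "O",
    b"\x55\x04\x0b": "OU",
    b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01": "emailAddress",
}
OID_BYTES = {name: oid for oid, name in OID_NAMES.items()}
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}   # UTF8String, PrintableString, IA5String
SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"          # sha256WithRSAEncryption


def _tlv(tag, payload):
    """Encode one DER tag-length-value; payloads here stay under 256 bytes."""
    n = len(payload)
    if n > 0xFF:
        raise ValueError("payload too long for this sample encoder")
    length = bytes([n]) if n < 0x80 else bytes([0x81, n])
    return bytes([tag]) + length + payload


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value bytes, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                            # long form: next (first & 0x7f) bytes hold the length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, body) for each TLV nested inside a SEQUENCE/SET body."""
    pos = 0
    while pos < len(value):
        tag, body, pos = _read_tlv(value, pos)
        yield tag, body


def encode_name(rdns):
    """Build a DER X.501 Name from [(attr, value), ...], one attribute per RDN."""
    out = b""
    for attr, value in rdns:
        tag = 0x13 if attr == "C" else 0x16 if attr == "emailAddress" else 0x0C
        atv = _tlv(0x30, _tlv(0x06, OID_BYTES[attr]) + _tlv(tag, value.encode()))
        out += _tlv(0x31, atv)                  # a RelativeDistinguishedName is a SET
    return _tlv(0x30, out)


def decode_name(name_der):
    """Parse a DER Name back into [(attr, value), ...]; unknown OIDs are kept as hex."""
    tag, body, _ = _read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns = []
    for set_tag, rdn in _children(body):
        if set_tag != 0x31:
            raise ValueError("RDN must be a SET")
        for _, atv in _children(rdn):
            (_, oid), (val_tag, val) = list(_children(atv))[:2]
            text = val.decode(STRING_TAGS[val_tag]) if val_tag in STRING_TAGS else val.hex()
            rdns.append((OID_NAMES.get(oid, oid.hex()), text))
    return rdns


def subject_from_certificate(cert_der):
    """Return the DER subject Name: TBSCertificate field 5 once the optional [0] version is skipped."""
    _, cert, _ = _read_tlv(cert_der, 0)
    _, tbs = next(_children(cert))
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                    # explicit version present
        fields = fields[1:]
    # order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return _tlv(0x30, fields[4][1])


def extract_user_name(name_der, field="Subject:CN"):
    """Mirror of -userNameField: first value of the named Subject attribute, or None."""
    scope, _, attr = field.partition(":")
    if scope != "Subject":
        raise ValueError("this example handles Subject:<attr> only")
    for name, value in decode_name(name_der):
        if name == attr:
            return value
    return None


def authenticate(cert_der, field="Subject:CN"):
    """(success, user name): when extraction fails, the logon fails."""
    user = extract_user_name(subject_from_certificate(cert_der), field)
    return (user is not None), user


def build_sample_certificate(subject_rdns):
    """Constructed, unsigned certificate with a realistic DER layout (sample data only)."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))  # v3
    alg = _tlv(0x30, _tlv(0x06, SHA256_RSA))
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00"))
    tbs = _tlv(0x30, version + _tlv(0x02, b"\x01") + alg + encode_name([("O", "Example CA")])
               + validity + encode_name(subject_rdns) + spki)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    cert = build_sample_certificate([("C", "US"), ("O", "Example Corp"), ("CN", "alice")])
    print(authenticate(cert))                   # (True, 'alice')
    print(authenticate(cert, "Subject:O"))      # (True, 'Example Corp')
    print(authenticate(build_sample_certificate([("O", "Example Corp")])))   # (False, None)
```

The last call shows the failure mode the text describes: a certificate that passes the SSL handshake but lacks the configured field yields no user name, so the logon is rejected rather than mapped to an empty identity.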

To configure the authentication, authorization, and auditing client certificate parameters by using the configuration utility

  1. Navigate to Security > AAA - Application Traffic > Virtual Servers.
  2. In the details pane, select the virtual server that you want to configure to handle client certificate authentication, and then click Edit.
  3. On the Configuration page, under Certificates, click the right arrow (>) to open the CA Cert Key installation dialog.
  4. In the CA Cert Key dialog box, click Insert.
  5. In the CA Cert Key - SSL Certificates dialog box, click Install.
  6. In the Install Certificate dialog box, set the following parameters, whose names correspond to the CLI parameter names as shown:
    • Certificate-Key Pair Name*: certkeyName
    • Certificate File Name: certFile
    • Key File Name: keyFile
    • Certificate Format: inform
    • Password: password
    • Certificate Bundle: bundle
    • Notify When Expires: expiryMonitor
    • Notification Period: notificationPeriod
  7. Click Install, and then click Close.
  8. In the CA Cert Key dialog box, in the Certificate list, select the root certificate.
  9. Click Save.
  10. Click Back to return to the main configuration screen.
  11. Navigate to Security > AAA - Application Traffic > Policies > Authentication > CERT.
  12. In the details pane, select the policy that you want to configure to handle client certificate authentication, and then click Edit.
  13. In the Configure Authentication CERT Policy dialog box, in the Server drop-down list, select the virtual server that you just configured to handle client certificate authentication.
  14. Click OK. A message appears in the status bar, stating that the configuration completed successfully.

Support for reporting the number of unsuccessful login attempts

The Citrix ADC appliance can now log the number of unsuccessful login attempts made since the last successful log on. The feature works only if the persistentLoginAttempts option is enabled on the appliance. By default, the option is disabled on the Citrix ADC appliance.

A Citrix ADC administrator can use this information to verify if any unauthorized attempts have occurred on a secured external user account.

To use this feature, at the Citrix ADC command prompt, type:

```
set aaa parameter [-maxLoginAttempts <positive_integer> [-failedLoginTimeout <mins>]] -persistentLoginAttempts (ENABLED | DISABLED)
```

**Example:**

```
set aaa parameter -maxLoginAttempts 4 -failedLoginTimeout 3 -persistentLoginAttempts ENABLED
```
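To make the interplay of the three parameters concrete, here is an added Python model of the behaviour described above; it is an illustration written for this page, not Citrix code, and its semantics are assumptions: after `maxLoginAttempts` consecutive failures the account is refused for `failedLoginTimeout` minutes, the per-account failure counter resets on a successful logon, and the count of failures since the last success is reported (and recorded for the administrator) only when `persistentLoginAttempts` is enabled. The class and method names (`AaaParameter`, `LoginTracker`, `attempt`) and the minute-based clock are this example's own.

```python
# Added example: model of maxLoginAttempts / failedLoginTimeout / persistentLoginAttempts.
# Constructed illustration with assumed semantics; not Citrix code.
from dataclasses import dataclass


@dataclass
class AaaParameter:
    max_login_attempts: int = 0          # assumption: 0 means no lockout
    failed_login_timeout: int = 0        # minutes the account stays locked after hitting the limit
    persistent_login_attempts: bool = False


@dataclass
class AccountState:
    failures_since_success: int = 0
    locked_until: float = 0.0            # minutes, on the same clock passed to attempt()


class LoginTracker:
    def __init__(self, params):
        self.params = params
        self.accounts = {}
        self.alerts = []                 # records an administrator would review for unauthorized attempts

    def attempt(self, user, credentials_ok, now):
        """Process one logon at time `now` (minutes). Returns (outcome, failures_reported)."""
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            return "LOCKED", None
        if not credentials_ok:
            st.failures_since_success += 1
            p = self.params
            if p.max_login_attempts and st.failures_since_success >= p.max_login_attempts:
                st.locked_until = now + p.failed_login_timeout
                return "LOCKED", None
            return "FAILED", None
        # Successful logon: report the count only when persistence is enabled, then reset it.
        reported = st.failures_since_success if self.params.persistent_login_attempts else None
        if reported:
            self.alerts.append({"user": user, "failed_attempts_since_last_success": reported, "at": now})
        st.failures_since_success = 0
        return "SUCCESS", reported


if __name__ == "__main__":
    tracker = LoginTracker(AaaParameter(max_login_attempts=4, failed_login_timeout=3,
                                        persistent_login_attempts=True))
    for minute in range(4):              # constructed: four bad passwords for alice
        print(tracker.attempt("alice", False, minute))
    print(tracker.attempt("alice", True, 4))   # still locked
    print(tracker.attempt("alice", True, 6))   # ('SUCCESS', 4): four failures since last success
    print(tracker.alerts)
```

With persistence disabled (the default), the same sequence still locks the account after the fourth failure, but the successful logon reports `None`, so the administrator never learns how many failed attempts preceded it; that is the gap the option closes.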