Users and groups

After configuring the authentication, authorization, and auditing basic setup, you create users and groups. You first create a user account for each person who authenticates via the Citrix ADC appliance. If you are using local authentication controlled by the Citrix ADC appliance itself, you create local user accounts and assign passwords to each of those accounts.

You also create user accounts on the Citrix ADC appliance if you are using an external authentication server. In this case, however, each user account must exactly match an account for that user on the external authentication server, and you do not assign passwords to the user accounts that you create on the Citrix ADC. The external authentication server manages the passwords for users that authenticate with the external authentication server.

If you are using an external authentication server, you can still create local user accounts on the Citrix ADC appliance if, for example, you want to allow temporary users (such as visitors) to log in but do not want to create entries for those users on the authentication server. You assign a password to each local user account, just as you would if you were using local authentication for all user accounts.

Each user account must be bound to policies for authentication and authorization. To simplify this task, you can create one or more groups and assign user accounts to them. You can then bind policies to groups instead of individual user accounts.

Configure policies with groups

After you configure groups, you can use the Group dialog box to apply policies and settings that specify user access. If you are using local authentication, you create users and add them to groups that are configured on Citrix Gateway. The users then inherit the settings for that group.

You can configure the following policies or settings for a group of users in the Group dialog box:

  • Users
  • Authorization policies
  • Auditing policies
  • Session policies
  • Traffic policies
  • Bookmarks
  • Intranet applications
  • Intranet IP addresses

In your configuration, you might have users that belong to more than one group. In addition, each group might have one or more bound session policies, with different parameters configured. Users that belong to more than one group inherit the session policies assigned to all the groups to which they belong. To control which session policy takes precedence over the others, you must set the priority of the session policy.

For example, group1 is bound with a session policy configured with the home page www.homepage1.com, and group2 is bound with a session policy configured with the home page www.homepage2.com. When these policies are bound to their respective groups without a priority number or with the same priority number, the home page that appears to users who belong to both groups depends on which policy is processed first. By setting a lower priority number, which gives higher precedence, for the session policy with home page www.homepage1.com, you can ensure that users who belong to both groups receive the home page www.homepage1.com.

If session policies do not have a priority number assigned or have the same priority number, precedence is evaluated in the following order:

  • User
  • Group
  • Virtual server
  • Global

If policies are bound to the same level without a priority number, or if the policies have the same priority number, the order of evaluation follows the policy bind order. Policies that are bound first to a level receive precedence over policies bound later.
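The group-level rules above can be checked offline before a change is made. The following Python sketch is an added example, not Citrix code: it models only session policies bound to groups, and the `Binding` record, its `bind_order` field, and the policy and user names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    group: str
    policy: str
    priority: Optional[int]  # None: bound without a priority number
    bind_order: int          # assumed field: order in which the bind was issued

def effective_policy(user_groups, bindings):
    """Return (policy, reason) for one user's group-level session policies."""
    mine = [b for b in bindings if b.group in user_groups]
    if not mine:
        return None, "none"
    if len(mine) == 1:
        return mine[0].policy, "single"
    unset = [b for b in mine if b.priority is None]
    if unset and len(unset) < len(mine):
        # The page does not say how set and unset priorities compare.
        return None, "unspecified"
    if not unset:
        best = min(b.priority for b in mine)  # lower number, higher precedence
        mine = [b for b in mine if b.priority == best]
        if len(mine) == 1:
            return mine[0].policy, "priority"
    # No priority, or equal priority, at the same level: first bound wins.
    return min(mine, key=lambda b: b.bind_order).policy, "bind-order"

def order_dependent_users(memberships, bindings):
    """Users whose effective policy is not decided by an explicit priority."""
    flagged = {}
    for user, groups in memberships.items():
        policy, reason = effective_policy(groups, bindings)
        if reason in ("bind-order", "unspecified"):
            flagged[user] = (policy, reason)
    return flagged

# Constructed sample data based on the page's group1/group2 example.
MEMBERS = {"user-a": {"group1", "group2"}, "user-b": {"group1"}}
NO_PRIORITY = [Binding("group2", "pol-homepage2", None, 1),
               Binding("group1", "pol-homepage1", None, 2)]
WITH_PRIORITY = [Binding("group2", "pol-homepage2", 20, 1),
                 Binding("group1", "pol-homepage1", 10, 2)]
```

With `NO_PRIORITY`, the user in both groups is flagged because the result depends on which bind was issued first; with `WITH_PRIORITY`, nobody is flagged and the policy with priority 10 wins.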

If a user is bound to multiple groups and each group has an intranet IP (IIP) bound, the user can get a free IP address from any of the bound groups.

Create users and groups

Configure authentication, authorization, and auditing local users by using the GUI

  1. Navigate to Security > AAA - Application Traffic > Users. From Citrix Gateway, expand Citrix Gateway > User Administration, and then click AAA Users.
  2. In the details pane, do one of the following:
    • To create a new user account, click Add.
    • To modify an existing user account, select the user account, and then click Open.
  3. In the Create AAA User dialog box, in the User Name text box, type a name for the user.
  4. If creating a locally authenticated user account, clear the External Authentication check box and provide a local password that the user uses to log on.
  5. Click Create or OK, and then click Close. A message appears in the status bar, stating that the user has been configured successfully.

Configure authentication, authorization, and auditing local groups and add users to them by using the configuration utility

  1. Navigate to Security > AAA - Application Traffic > Groups. From Citrix Gateway, expand Citrix Gateway > User Administration, and then click AAA Groups.
  2. In the details pane, do one of the following:
    • To create a new group, click Add.
    • To modify an existing group, select the group, and then click Edit.
  3. If you are creating a new group, in the Create AAA Group dialog box, in the Group Name text box, type a name for the group.
  4. In the Advanced area to the right, click AAA Users.
    • To add a user to the group, select the user, and then click Add.
    • To remove a user from the group, select the user, and then click Remove.
    • To create a new user account and add it to the group, click the Plus icon, and then follow the instructions in “To configure authentication, authorization, and auditing local users by using the configuration utility.”
  5. Click Create or OK. The group that you created appears in the AAA Groups page.

Delete a group by using the GUI

You can also delete user groups from Citrix Gateway.

  1. Navigate to Security > AAA - Application Traffic > Groups. From Citrix Gateway, expand Citrix Gateway > User Administration, and then click AAA Groups. In the details pane, select the group, and then click Remove.

Configure authentication, authorization, and auditing local users by using the CLI

At the command prompt, type the following commands:

```
add aaa group <groupName>
bind aaa group <groupName> -username <userName>
```

Example:

```
add aaa group group-2
bind aaa group group-2 -username user-2
```

Remove users from an authentication, authorization, and auditing group by using the command line interface

At the command prompt, unbind users from the group by typing the following command once for each user account that is bound to the group:

```
unbind aaa group <groupName> -username <userName>
```

**Example:**

```
unbind aaa group group-hr -username user-hr-1
```

Remove an authentication, authorization, and auditing group by using the command line interface

First remove all users from the group. Then, at the command prompt, type the following command to remove a Citrix ADC AAA group and verify the configuration:

```
rm aaa group <groupName>
```

**Example:**

```
rm aaa group group-hr
```

> **Note**
>
> You cannot add a user name with domain if the user name is already added without domain. If the user name with domain is added first followed by the same user name without domain, then the Citrix ADC appliance adds the user name to the user list.

The following example shows that adding a user name with domain is not permitted if the same user name is already added without domain.

```
> add aaa user u47985
Done
> sh aaa user
1) UserName: u47985
Done
> add aaa user u47985@domain.com
ERROR: User already exists
```

The following example shows that if the user name with domain is added first, followed by the same user name without domain, the Citrix ADC appliance adds the user name to the user list.

```
> add aaa user u47985@domain.com
Done
> add aaa user u47985
Done
> sh aaa user
1) UserName: u47985@domain.com
2) UserName: u47985
```
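Because the outcome depends on the order in which the names were added, a user list can end up holding both forms of one name. The following Python sketch is an added example, not Citrix code: it parses `sh aaa user` output in the format shown above, models the add rule described in the note, and reports names present both with and without a domain. The function names and the `visitor-1` entry are assumptions made for illustration.

```python
import re

# Matches list entries such as "1) UserName: u47985@domain.com".
ENTRY = re.compile(r"^\s*\d+\)\s*UserName:\s*(\S+)\s*$")

def parse_show_aaa_user(output):
    """Extract user names from 'sh aaa user' output, ignoring other lines."""
    return [m.group(1) for line in output.splitlines() if (m := ENTRY.match(line))]

def add_user(users, name):
    """Model of the rule in the note: reject an exact duplicate, or a
    domain-qualified name whose bare form is already in the list."""
    bare, sep, _domain = name.partition("@")
    if name in users or (sep and bare in users):
        return "ERROR: User already exists"
    users.append(name)
    return "Done"

def paired_names(users):
    """Return (bare, qualified) pairs where both forms of one name are present."""
    present = set(users)
    return sorted((u.partition("@")[0], u) for u in present
                  if "@" in u and u.partition("@")[0] in present)

# Constructed sample mirroring the second transcript in the note.
SAMPLE = """\
> sh aaa user
1) UserName: u47985@domain.com
2) UserName: u47985
3) UserName: visitor-1
"""
```

Running `paired_names(parse_show_aaa_user(SAMPLE))` returns the single pair `("u47985", "u47985@domain.com")`, which an account review can then check for differing group bindings.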
