Configuring advanced authentication policies

If you know exactly how you want an authentication policy to be configured, you can use the advanced authentication policy dialog to create the policy quickly.

To configure an advanced authentication policy by using the configuration utility

  1. Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies, and then select Policy.
  2. In the details pane, do one of the following:
    • To create a new policy, click Add.
    • To modify an existing policy, select the policy, and then click Edit.
  3. In the Create Authentication Policy or Configure Authentication Policy dialog box, type or select values for the parameters.
    • Name - The policy name. Cannot be changed for a previously configured policy.
    • Action Type - The policy type: Cert, Negotiate, LDAP, RADIUS, SAML, SAMLIDP, TACACS, or WEBAUTH.
    • Action - The authentication action (profile) to associate with the policy. You can choose an existing authentication action, or click the plus and create a new action of the proper type.
    • Log Action - The audit action to associate with the policy. You can choose an existing audit action, or click the plus and create a new action.
    • Expression - The rule that selects the connections to which the specified action is applied. The rule can be simple (“true” selects all traffic) or complex. To enter an expression, first choose the type of expression in the leftmost drop-down list beneath the Expression window, then either type the expression directly into the expression text area or click Add to open the Add Expression dialog box and use its drop-down lists to construct the expression.
    • Comment - You can type a comment that describes the type of traffic that this authentication policy will apply to. Optional.
  4. Click Create or OK, and then click Close. If you created a policy, that policy appears in the Authentication Policies and Servers page.

Configuring the expressions to check for the user associated group

The Citrix ADC appliance now provides expressions that let you check the following:

  • Whether the current user belongs to any of the specified groups.
  • Whether the current user is a member of all of the specified groups.

The following two new expressions are introduced to check the groups associated with a user:

  • Is_member_of_any - You can use this expression to check whether the current user belongs to any of the groups in the associated patset.

To configure the Is_member_of_any expression by using the CLI

At the command prompt, type:

-  add policy patset groups_patset
-  bind patset groups_patset mygroup1
-  bind patset groups_patset mygroup2
-  add expression any_group_check   "aaa.user.is_member_of_any(\"groups_patset\")"

Note

The above expression returns true if the user belongs either to mygroup1 or mygroup2.

  • Is_member_of_all - You can use this expression to check whether the current user is a member of all of the groups referenced by the patset.

To configure the Is_member_of_all expression by using the CLI

At the command prompt, type:

-  add policy patset groups_patset
-  bind patset groups_patset mygroup1
-  bind patset groups_patset mygroup2
-  add expression all_group_check "aaa.user.is_member_of_all(\"groups_patset\")"

Note

The above expression returns true if the user belongs to both mygroup1 and mygroup2.
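The two procedures above define a patset and bind a named expression to it, but the page does not show the decision those expressions produce for a given user. The following Python model, added here as an illustration and not code from Citrix or from this page, parses the CLI lines shown in both procedures (with the second expression named all_group_check so that the two names do not collide), builds the patset and the named expressions, and evaluates is_member_of_any and is_member_of_all against a user's group list. The group names, the user names and the refusal to evaluate an empty patset are the model's own choices; the page does not state how the appliance treats an empty patset.

```python
import re

# Constructed sample: the CLI lines from the two procedures above.
# The second expression is named all_group_check here so both can coexist.
CONFIG = r"""
add policy patset groups_patset
bind patset groups_patset mygroup1
bind patset groups_patset mygroup2
add expression any_group_check   "aaa.user.is_member_of_any(\"groups_patset\")"
add expression all_group_check "aaa.user.is_member_of_all(\"groups_patset\")"
"""

ADD_PATSET_RE = re.compile(r'^add policy patset (\S+)$')
BIND_PATSET_RE = re.compile(r'^bind patset (\S+) (\S+)$')
ADD_EXPR_RE = re.compile(r'^add expression (\S+)\s+"(.*)"$')
# Shape of the two group-membership expressions introduced on the page.
MEMBER_EXPR_RE = re.compile(r'^aaa\.user\.is_member_of_(any|all)\("([^"]+)"\)$')


def parse_config(text):
    """Build {patset_name: set(groups)} and {expr_name: expr_text} from CLI lines."""
    patsets, expressions = {}, {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ADD_PATSET_RE.match(line)
        if m:
            patsets[m.group(1)] = set()
            continue
        m = BIND_PATSET_RE.match(line)
        if m:
            name, member = m.groups()
            if name not in patsets:
                raise ValueError(f"bind to undefined patset: {name}")
            patsets[name].add(member)
            continue
        m = ADD_EXPR_RE.match(line)
        if m:
            # The CLI quotes the inner string with \" ; unescape it.
            expressions[m.group(1)] = m.group(2).replace('\\"', '"')
            continue
        raise ValueError(f"unsupported line in this model: {line}")
    return patsets, expressions


def evaluate(expr_name, user_groups, patsets, expressions):
    """Return the boolean the named expression yields for a user with user_groups."""
    m = MEMBER_EXPR_RE.match(expressions[expr_name])
    if not m:
        raise ValueError(f"{expr_name} is not a group-membership expression")
    mode, patset_name = m.groups()
    members = patsets[patset_name]
    if not members:
        # Model's own safety check: a policy keyed to an empty patset is almost
        # certainly a configuration mistake, so refuse rather than guess.
        raise ValueError(f"patset {patset_name} has no members")
    groups = set(user_groups)
    if mode == "any":
        return any(g in groups for g in members)
    return all(g in groups for g in members)


if __name__ == "__main__":
    ps, ex = parse_config(CONFIG)
    # Constructed users: one in a single group, one in both, one in neither.
    for user, groups in (("alice", ["mygroup1"]),
                         ("bob", ["mygroup1", "mygroup2", "staff"]),
                         ("carol", ["staff"])):
        print(user, "any:", evaluate("any_group_check", groups, ps, ex),
              "all:", evaluate("all_group_check", groups, ps, ex))
```

The model makes the practical difference visible: a user bound to only mygroup1 satisfies any_group_check but not all_group_check, so choosing the wrong expression in a policy rule either grants access to users who hold only one of the required groups or denies it to users who should qualify. Verify the actual decision on the appliance for your own group names before relying on the rule.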