Citrix ADC

Users and groups

After configuring the authentication, authorization, and auditing basic setup, you create users and groups. You first create a user account for each person who authenticates via the Citrix ADC appliance. If you are using local authentication controlled by the Citrix ADC appliance itself, you create local user accounts and assign passwords to each of those accounts.

You also create user accounts on the Citrix ADC appliance if you are using an external authentication server. In this case, however, each user account must exactly match an account for that user on the external authentication server, and you do not assign passwords to the user accounts that you create on the Citrix ADC. The external authentication server manages the passwords for users that authenticate with the external authentication server.

If you are using an external authentication server, you can still create local user accounts on the Citrix ADC appliance if, for example, you want to allow temporary users (such as visitors) to log in but do not want to create entries for those users on the authentication server. You assign a password to each local user account, just as you would if you were using local authentication for all user accounts.

Each user account must be bound to policies for authentication and authorization. To simplify this task, you can create one or more groups and assign user accounts to them. You can then bind policies to groups instead of individual user accounts.

Configure policies with groups

After you configure groups, you can use the Group dialog box to apply policies and settings that specify user access. If you are using local authentication, you create users and add them to groups that are configured on Citrix Gateway. The users then inherit the settings for that group.

You can configure the following policies or settings for a group of users in the Group dialog box:

  • Users
  • Authorization policies
  • Auditing policies
  • Session policies
  • Traffic policies
  • Bookmarks
  • Intranet applications
  • Intranet IP addresses

In your configuration, you might have users that belong to more than one group. In addition, each group might have one or more bound session policies, with different parameters configured. Users that belong to more than one group inherit the session policies assigned to all the groups to which the user belongs. To ensure which session policy evaluation takes precedence over the other, you must set the priority of the session policy.

For example, you have group1 that is bound with a session policy configured with the home page www.homepage1.com. Group2 is bound with a session policy configured with home page www.homepage2.com. When these policies are bound to respective groups without a priority number or with a same priority number, the home page that appears to users who belong to both the groups depends on which policy is processed first. By setting a lower priority number, which gives higher precedence, for the session policy with home page www.homepage1.com, you can ensure that users who belong to both the groups receive the home page www.homepage1.com.

If session policies do not have a priority number assigned or have the same priority number, precedence is evaluated in the following order:

  • User
  • Group
  • Virtual server
  • Global

If policies are bound to the same level, without a priority number or if the policies have the same priority number, the order of evaluation is per the policy bind order. Policies that are bound first to a level receive precedence over policies bound later.

If we have a user bound to multiple groups with each group having IIP bound, the user can get free IP from any of the bound groups.

Create users and groups

Configure authentication, authorization, and auditing local users by using the GUI

  1. Navigate to Security > AAA - Application Traffic > Users From Citrix Gateway, expand Citrix Gateway > User Administration, and then click AAA Users.
  2. In the details pane, do one of the following:

    • To create a new user account, click Add.
    • To modify an existing user account, select the user account, and then click Open.
  3. In the Create AAA User dialog box, in the User Name text box, type a name for the user.
  4. If creating a locally authenticated user account, clear the External Authentication check box and provide a local password that the user uses to log on.
  5. Click Create or OK, and then click Close. A message appears in the status bar, stating that the user has been configured successfully.

Configure authentication, authorization, and auditing local groups and add users to them by using the configuration utility

  1. Navigate to Security > AAA - Application Traffic > Groups From Citrix Gateway, expand Citrix Gateway > User Administration, and then click AAA Groups.
  2. In the details pane, do one of the following:
    • To create a new group, click Add.
    • To modify an existing group, select the group, and then click Edit.
  3. If you are creating a new group, in the Create AAA Group dialog box, in the Group Name text box, type a name for the group.
  4. In the Advanced area to the right, click AAA Users.

    • To add a user to the group, select the user, and then click Add.
    • To remove a user from the group, select the user, and then click Remove.
    • To create a new user account and add it to the group, click the Plus icon, and then follow the instructions in “To configure authentication, authorization, and auditing local users by using the configuration utility.”
  5. Click Create or OK. The group that you created appears in the AAA Groups page.

Delete a group by using the GUI

You can also delete user groups from Citrix Gateway.

  1. Navigate to Security > AAA - Application Traffic > Groups From Citrix Gateway, expandCitrix Gateway > User Administration, and then click AAA Groups. In the details pane, select the group, and then click Remove.

Configure authentication, authorization, and auditing local users by using the CLI

At the command prompt, type the following commands:

add aaa group <groupname>

bind aaa group <groupname> -username <username>

Example:

add aaa group group-2

bind aaa group group-2 -username user-2

Remove users from an authentication, authorization, and auditing group by using the command line interface

At the command prompt, unbind users from the group by typing the following command once for each user account that is bound to the group:

unbind aaa group <groupname> -username <username>```

Example:

unbind aaa group group-hr -username user-hr-1

Remove an authentication, authorization, and auditing group by using the command line interface

First remove all users from the group. Then, at the command prompt, type the following command to remove a Citrix ADC AAA group and verify the configuration:

rm aaa group <groupname>

Example:

rm aaa group group-hr

Note

You cannot add a user name with domain if the user name is already added without domain. If the user name with domain is added first followed by the same user name without domain, then the Citrix ADC appliance adds the user name to the user list.

The following example shows adding a user name with domain is not permitted if the same user name is added without domain.

> add aaa user u47985
Done
> show aaa users
1)   UserName: u47985
Done
> add aaa user u47985@domain.com
ERROR: User already exists

The following example shows if the user name with domain is added first followed by the same user name without domain, then the Citrix ADC appliance adds the user name to the user list.

> add aaa user u47985@domain.com
Done
> add aaa user u47985
Done
> sh aaa user
1)   UserName: u47985@domain.com
2)   UserName: u47985
Users and groups