Citrix ADC

# Authentication policies

When users log on to the Citrix ADC or Citrix Gateway appliance, they are authenticated according to a policy that you create. An authentication policy comprises an expression and an action. Authentication policies use Citrix ADC expressions.

After creating an authentication action and an authentication policy, bind the policy to an authentication virtual server and assign a priority to it. When binding it, also designate it as either a primary or a secondary policy. Primary policies are evaluated before secondary policies. In configurations that use both types of policy, primary policies are normally the more specific policies and secondary policies the more general ones; a secondary policy is intended to handle authentication for any user accounts that do not meet the more specific criteria. The policy defines the authentication type. A single authentication policy can be used for simple authentication needs and is typically bound at the global level. You can also use the default authentication type, which is local. If you configure local authentication, you must also configure users and groups on the appliance.

You can configure multiple authentication policies and bind them to virtual servers to create a detailed authentication procedure. For example, you can configure cascading and two-factor authentication by configuring multiple policies. You can also set the priority of the authentication policies to determine which servers the appliance checks user credentials against, and in which order. An authentication policy includes an expression and an action. For example, if you set the expression to True, the policy matches every logon, the action evaluates the user's logon, and on success users have access to network resources.

After you create an authentication policy, you bind the policy at either the global level or to virtual servers. When you bind at least one authentication policy to a virtual server, any authentication policies that you bound to the global level are not used when users log on to the virtual server, unless the global authentication type has a higher precedence than the policy bound to the virtual server.

When a user logs on to the appliance, authentication is evaluated in the following order:

- The virtual server is checked for any bound authentication policies.
- If authentication policies are not bound to the virtual server, the appliance checks for global authentication policies.
- If an authentication policy is not bound to a virtual server or globally, the user is authenticated through the default authentication type.

If you configure LDAP and RADIUS authentication policies and want to bind the policies globally for two-factor authentication, you can select the policy in the configuration utility and then select if the policy is the primary or secondary authentication type. You can also configure a group extraction policy.

Note:

The Citrix ADC or the Citrix Gateway appliance encodes only UTF-8 characters for authentication, and it is not compatible with servers that use ISO-8859-1 characters.

## Create an authentication policy

### Create an authentication policy by using the GUI

1.  Navigate to Security > AAA - Application Traffic > Policies > Authentication, and then select the type of policy that you want to create. For Citrix Gateway, navigate to Citrix Gateway > Policies > Authentication.
2.  In the details pane, on the Policies tab, do one of the following:
    - To create a new policy, click Add.
    - To modify an existing policy, select the action, and then click Edit.
3.  In the Create Authentication Policy or Configure Authentication Policy dialog, type or select the values for the parameters.
    - Name: policy name (cannot be changed for a previously configured action)
    - Authentication Type: authtype
    - Server: authVsName
    - Expression: rule (You enter expressions by first choosing the type of expression in the leftmost drop-down list beneath the Expression window, and then by typing your expression directly into the expression text area, or by clicking Add to open the Add Expression dialog box and using the drop-down lists in it to construct your expression.)
4.  Click Create or OK. The policy that you created appears in the Policies page.
5.  Click the Servers tab, and in the details pane do one of the following:
    - To use an existing server, select it, and then click.
    - To create a server, click Add, and follow the instructions.
6.  If you want to designate this policy as a secondary authentication policy, on the Authentication tab, click Secondary. If you want to designate this policy as a primary authentication policy, skip this step.
7.  Click Insert Policy.
8.  Choose the policy you want to bind to the authentication virtual server from the drop-down list.
9.  In the Priority column to the left, modify the default priority to ensure that the policy is evaluated in the proper order.
10. Click OK. A message appears in the status bar, stating that the policy has been configured successfully.

### Modify an authentication policy by using the GUI

You can modify configured authentication policies and profiles, such as the IP address of the authentication server or the expression.

1.  In the configuration utility, on the Configuration tab, expand Citrix Gateway > Policies > Authentication. Note: You can also configure the policy from Security > AAA - Application Traffic > Policies > Authentication, and then select the type of policy that you want to modify.
2.  In the navigation pane, under Authentication, select an authentication type.
3.  In the details pane, on the Servers tab, select a server and then click Open.

### Remove an authentication policy by using the GUI

If you changed or removed an authentication server from your network, remove the corresponding authentication policy from Citrix Gateway.

1.  In the configuration utility, on the Configuration tab, expand Citrix Gateway > Policies > Authentication. Note: To configure from ADC, navigate to Security > AAA - Application Traffic > Policies > Authentication, and then select the type of policy that you want to remove.
2.  In the navigation pane, under Authentication, select an authentication type.
3.  In the details pane, on the Policies tab, select a policy and then click Remove.

### Create an authentication policy by using the CLI

At the command prompt, type the following commands:

    add authentication negotiatePolicy <name> <rule> <reqAction>
    show authentication localPolicy <name>
    bind authentication vserver <name> -policy <policyname> [-priority <priority>] [-secondary]
    show authentication vserver <name>

Example:

    > add authentication localPolicy Authn-Pol-1 ns_true
      Done
    > show authentication localPolicy
    1)      Name: Authn-Pol-1       Rule: ns_true          Request action: LOCAL
      Done
    > bind authentication vserver Auth-Vserver-2 -policy Authn-Pol-1
      Done
    > show authentication vserver Auth-Vserver-2
        Auth-Vserver-2 (10.102.29.77:443) - SSL Type: CONTENT State: UP Client Idle
        Timeout: 180 sec Down state flush: DISABLED
        Disable Primary Vserver On Down : DISABLED
        Authentication : ON
        Current AAA Users: 0
        Authentication Domain: myCompany.employee.com
    1)  Primary authentication policy name:  Authn-Pol-1 Priority: 0
      Done

### Modify an existing authentication policy by using the CLI

At the command prompt, type the following command to modify an existing authentication policy:

    set authentication localPolicy <name> <rule> [-reqaction <action>]

Example:

    set authentication localPolicy Authn-Pol-1 "ns_true"

### Remove an authentication policy by using the CLI

At the command prompt, type the following command to remove an authentication policy:

    rm authentication localPolicy <name>

Example:

    rm authentication localPolicy Authn-Pol-1


### Bind an authentication policy

After you configure the authentication policies, you bind each policy either globally or to a virtual server. You can use the configuration utility to bind an authentication policy.

To bind an authentication policy globally by using the configuration utility:

1.  In the configuration utility, on the Configuration tab, expand **Citrix Gateway > Policies > Authentication**.
    Note: To configure from ADC, navigate to **Security > AAA - Application Traffic > Policies > Authentication**.
1.  Click an authentication type.
1.  In the details pane, on the Policies tab, click a server and then, in Action, click Global Bindings.
1.  On the Primary or Secondary tab, under Details, click Insert Policy.
1.  Under Policy Name, select the policy and then click OK.

    **Note:** When you select the policy, Citrix Gateway sets the expression to True value automatically.

To unbind a global authentication policy by using the configuration utility:

1.  In the configuration utility, on the Configuration tab, expand **Citrix Gateway > Policies > Authentication**.
    Note: To configure from ADC, navigate to **Security > AAA - Application Traffic > Policies > Authentication**.
1.  On the Policies tab, in Action, click Global Bindings.
1.  In the Bind/Unbind Authentication Policies to Global dialog box, on the Primary or Secondary tab, in Policy Name, select the policy, click Unbind Policy, and then click OK.

## Add an authentication action

### Add an authentication action by using the command line interface

If you do not use LOCAL authentication, you need to add an explicit authentication action. At the command prompt, type the following command:

    add authentication tacacsAction <name> -serverIP <ip_addr> [-serverPort <port>] [-authTimeout <secs>] [ ... ]


Example:

    add authentication tacacsaction Authn-Act-1 -serverip 10.218.24.65 -serverport 1812 -authtimeout 15 -tacacsSecret "minotaur" -authorization OFF -accounting ON -auditFailedCmds OFF -defaultAuthenticationGroup "users"


### Configure an authentication action by using the command line interface

To configure an existing authentication action, at the command prompt, type the following command:

    set authentication tacacsAction <name> -serverIP <ip_addr> [-serverPort <port>] [-authTimeout <secs>] [ ... ]


Example:

    set authentication tacacsaction Authn-Act-1 -serverip 10.218.24.65 -serverport 1812 -authtimeout 15 -tacacsSecret "minotaur" -authorization OFF -accounting ON -auditFailedCmds OFF -defaultAuthenticationGroup "users"


### Remove an authentication action by using the command line interface

To remove an existing RADIUS action, at the command prompt, type the following command:

    rm authentication radiusAction <name>


Example:

    rm authentication tacacsaction Authn-Act-1


## The noAuth authentication

The Citrix ADC appliance supports noAuth authentication, which lets you configure a defaultAuthenticationGroup parameter in the `noAuthAction` command. When a user is authenticated through this policy, the group is added to the user's group list, so an administrator can check for its presence to determine that the user was admitted through the noAuth policy.

### To configure a noAuth authentication by using the command line interface

At the command prompt, type:

    add authentication noAuthAction <name> [-defaultAuthenticationGroup <group>]


**Example:**

    add authentication noAuthAction noauthact -defaultAuthenticationGroup mynoauthgroup


## Default global authentication types

When you installed Citrix Gateway and ran the Citrix Gateway wizard, you configured authentication within the wizard. This authentication policy is bound automatically to the Citrix Gateway global level. The authentication type you configure within the Citrix Gateway wizard is the default authentication type. You can change the default authentication type by running the Citrix Gateway wizard again, or you can modify the global authentication settings in the configuration utility.

If you need to add other authentication types, you can configure authentication policies on Citrix Gateway and bind the policies to Citrix Gateway by using the configuration utility. When you configure authentication globally, you define the type of authentication, configure the settings, and set the maximum number of users that can be authenticated.

After configuring and binding the policy, you can set the priority to define which authentication type takes precedence. For example, you configure LDAP and RADIUS authentication policies. If the LDAP policy has a priority number of 10 and the RADIUS policy has a priority number of 15, the LDAP policy takes precedence, regardless of where you bind each policy. This is called cascading authentication.
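As an added illustration (not Citrix code), the following Python models the evaluation order this page describes: bindings on the authentication virtual server shadow global bindings, the default type is the fallback, primary policies are tried before secondary ones, lower priority numbers are tried first within a tier (cascading), both tiers must succeed when a secondary policy is bound (two-factor), and a noAuth action's defaultAuthenticationGroup is recorded for the session. The credential stores and all names other than Authn-Pol-1 and mynoauthgroup are constructed for the example.

```python
# Added model of this page's policy-evaluation order (my names; stores are constructed stand-ins).
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    action: str                # LOCAL, LDAP, RADIUS, noAuth, ...
    check: object              # callable (user, credentials) -> bool
    default_group: str = None  # noAuthAction -defaultAuthenticationGroup

@dataclass
class Binding:
    policy: Policy
    priority: int = 0          # lower number is evaluated first
    tier: str = "primary"      # "secondary" when bound with -secondary

def effective_bindings(vserver, global_, default):
    """vserver bindings shadow global ones; with neither, the default type applies.
    Primary before secondary, ascending priority within a tier (cascading)."""
    chosen = vserver or global_ or [Binding(default)]
    return sorted(chosen, key=lambda b: (b.tier == "secondary", b.priority))

def authenticate(user, creds, vserver, global_, default):
    """Cascade per tier: the first accepting policy wins it, and every bound tier
    must be won (two-factor). Returns (ok, {tier: policy}, groups added by noAuth)."""
    bindings = effective_bindings(vserver, global_, default)
    winners, groups = {}, []
    for b in bindings:
        if b.tier in winners:
            continue                      # tier already resolved by the cascade
        if b.policy.check(user, creds):
            winners[b.tier] = b.policy.name
            if b.policy.default_group:    # noAuth: group recorded for later checks
                groups.append(b.policy.default_group)
    return {b.tier for b in bindings} <= set(winners), winners, groups

# Constructed credential stores (not real servers) and the policies using them.
LDAP_USERS = {"alice": "ldap-pw"}
RADIUS_OTP = {"alice": "246810", "bob": "135790"}
ldap = Policy("Authn-LDAP", "LDAP", lambda u, c: u in LDAP_USERS and LDAP_USERS[u] == c.get("password"))
radius = Policy("Authn-RADIUS", "RADIUS", lambda u, c: u in RADIUS_OTP and RADIUS_OTP[u] == c.get("otp"))
local = Policy("Authn-Pol-1", "LOCAL", lambda u, c: False)  # no local users configured
noauth = Policy("noauthpol", "noAuth", lambda u, c: True, "mynoauthgroup")

def cascade(user, creds):     # LDAP priority 10 and RADIUS priority 15, both primary
    return authenticate(user, creds, [Binding(ldap, 10), Binding(radius, 15)], [], local)
def two_factor(user, creds):  # LDAP primary and RADIUS secondary: both must accept
    return authenticate(user, creds, [Binding(ldap, 10), Binding(radius, 10, "secondary")], [], local)
def shadowed(user, creds):    # noAuth on the vserver shadows the global LOCAL binding
    return authenticate(user, creds, [Binding(noauth)], [Binding(local)], local)
```

A user unknown to LDAP but known to RADIUS still passes the cascade, while the same user fails the two-factor layout because the primary tier is never won.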

You can select to deliver logon pages from the Citrix Gateway in-memory cache or from the HTTP server running on Citrix Gateway. If you choose to deliver the logon page from the in-memory cache, the delivery of the logon page from Citrix Gateway is faster than from the HTTP server. Choosing to deliver the logon page from the in-memory cache reduces the wait time when many users log on at the same time. You can only configure the delivery of logon pages from the cache as part of a global authentication policy.

You can also configure the network address translation (NAT) IP address that is a specific IP address for authentication. This IP address is unique for authentication and is not the Citrix Gateway subnet, mapped, or virtual IP addresses. This is an optional setting.

**Note:** You cannot use the Citrix Gateway wizard to configure SAML authentication.

You can use the Quick Configuration wizard to configure LDAP, RADIUS, and client certificate authentication. When you run the wizard, you can select from an existing LDAP or RADIUS server configured on Citrix Gateway. You can also configure the settings for LDAP or RADIUS. If you use two-factor authentication, Citrix recommends using LDAP as the primary authentication type.

### Configure default global authentication types

1.  In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway and then click Global Settings.
1.  In the details pane, under Settings, click Change authentication settings.
1.  In Maximum Number of Users, type the number of users who can be authenticated by using this authentication type.
1.  In NAT IP address, type the unique IP address for authentication.
1.  Select Enable static caching to deliver logon pages faster.
1.  Select Enable Enhanced Authentication Feedback to provide a message to users if authentication fails. The messages users receive include password errors, account disabled or locked, or user not found, to name a few.
1.  In Default Authentication Type, select the authentication type.
1.  Configure the settings for your authentication type and then click OK.