RADIUS support for the rewrite feature
The Citrix ADC expressions language includes expressions that can extract information from and manipulate RADIUS messages in requests and responses. These expressions enable you to use the rewrite feature to modify portions of a RADIUS message before sending it to its destination. Your rewrite policies and actions can use any expression that is appropriate or relevant to a RADIUS message. The available expressions enable you to identify the RADIUS message type, extract any attribute-value pair (AVP) from the connection, and modify RADIUS AVPs. You can also create policy labels for RADIUS connections.
You can use the new RADIUS expressions in Rewrite rules for a number of purposes. For example, you could:
- Remove the domain\ portion of the RADIUS user-name AVP to simplify single sign-on (SSO).
- Insert a vendor-specific AVP, such as the MSISDN field used in telephone company operations to contain subscriber information.
You can also create policy labels to route specific types of RADIUS requests through a series of policies that are appropriate to those requests.
Note:
RADIUS for Rewrite has the following limitations:
- The Citrix ADC does not re-sign rewritten RADIUS requests or responses. If the RADIUS authentication server requires signed RADIUS messages, authentication will fail.
- The currently available RADIUS expressions do not work with RADIUS IPv6 attributes.
The Citrix ADC documentation for expressions that support RADIUS assumes familiarity with the basic structure and purpose of RADIUS communications. If you need more information about RADIUS, see your RADIUS server documentation or search online for an introduction to the RADIUS protocol.
Configuring Rewrite Policies for RADIUS
The following procedure uses the Citrix ADC command line to configure a rewrite action and policy and bind the policy to a rewrite-specific global bind point.
To configure a Rewrite action and policy, and bind the policy:
At the command prompt, type the following commands:
add rewrite action <actName> <actType>
add rewrite policy <polName> <rule> <actName>
bind rewrite global <polName> <priority> <nextExpr> -type <bindPoint>
where <bindPoint> represents one of the rewrite-specific global bind points.
RADIUS Expressions for Rewrite
In a rewrite configuration, you can use the following Citrix ADC expressions to refer to various portions of a RADIUS request or response.
Identifying the Type of Connection:
- RADIUS.IS_CLIENT
  Returns TRUE if the connection is a RADIUS client (request) message.
- RADIUS.IS_SERVER
  Returns TRUE if the connection is a RADIUS server (response) message.
Request Expressions:
- RADIUS.REQ.CODE
  Returns the number that corresponds to the RADIUS request type. A derivative of the num_at class. For example, a RADIUS access request would return 1 (one). A RADIUS accounting request would return 4.
- RADIUS.REQ.LENGTH
  Returns the length of the RADIUS request, including the header. A derivative of the num_at class.
- RADIUS.REQ.IDENTIFIER
  Returns the RADIUS request identifier, a number assigned to each request that allows the request to be matched to the corresponding response. A derivative of the num_at class.
- RADIUS.REQ.AVP(<AVP code no>).VALUE
  Returns the value of the first occurrence of this AVP as a string of type text_t.
- RADIUS.REQ.AVP(<AVP code no>).INSTANCE(instance number)
  Returns the specified instance of the AVP as a string of type RAVP_t. A specific RADIUS AVP can occur multiple times in a RADIUS message. INSTANCE(0) returns the first instance, INSTANCE(1) returns the second instance, and so on, up to sixteen instances.
- RADIUS.REQ.AVP(<AVP code no>).VALUE(instance number)
  Returns the value of the specified instance of the AVP as a string of type text_t.
- RADIUS.REQ.AVP(<AVP code no>).COUNT
  Returns the number of instances of a specific AVP in a RADIUS connection, as an integer.
- RADIUS.REQ.AVP(<AVP code no>).EXISTS
  Returns TRUE if the specified type of AVP exists in the message, or FALSE if it does not.
Response Expressions:
RADIUS response expressions are identical to RADIUS request expressions, except that RES replaces REQ.
Typecasts of AVP Values:
The ADC supports expressions to typecast RADIUS AVP values to the text, integer, unsigned integer, long, unsigned long, ipv4 address, ipv6 address, ipv6 prefix and time data types. The syntax is the same as for other Citrix ADC typecast expressions.
Example:
RADIUS.REQ.AVP(8).VALUE(0).typecast_ip_address_at
AVP Type Expressions:
The Citrix ADC supports expressions to extract RADIUS AVP values by using the assigned integer codes described in RFC2865 and RFC2866. You can also use text aliases to accomplish the same task. Some examples follow.
- RADIUS.REQ.AVP(1).VALUE or RADIUS.REQ.USER_NAME.value
  Extracts the RADIUS user-name value.
- RADIUS.REQ.AVP(44).VALUE or RADIUS.REQ.ACCT_SESSION_ID.value
  Extracts the Acct-Session-ID AVP (code 44) from the message.
- RADIUS.REQ.AVP(26).VALUE or RADIUS.REQ.VENDOR_SPECIFIC.VALUE
  Extracts the vendor-specific value.
The values of most commonly-used RADIUS AVPs can be extracted in the same manner.
RADIUS Bind Points:
Four global bind points are available for policies that contain RADIUS expressions.
- RADIUS_REQ_OVERRIDE
  Priority/override request policy queue.
- RADIUS_REQ_DEFAULT
  Standard request policy queue.
- RADIUS_RES_OVERRIDE
  Priority/override response policy queue.
- RADIUS_RES_DEFAULT
  Standard response policy queue.
RADIUS Rewrite-Specific Expressions:
- RADIUS.NEW_AVP
  Returns the specified RADIUS AVP as a string.
- RADIUS.NEW_AVP_INTEGER32
  Returns the specified RADIUS AVP as an integer.
- RADIUS.NEW_AVP_UNSIGNED32
  Returns the specified RADIUS AVP as an unsigned integer.
- RADIUS.NEW_VENDOR_SPEC_AVP(<ID>, <definition>)
  Adds the specified extended vendor specific AVPs to the connection. For <ID>, substitute a long number. For <definition>, substitute a string that contains the data for the AVP.
- RADIUS.REQ.AVP_START
  Returns the location between the end of the RADIUS header and the start of the AVPs. Used in rewrite actions.
  Example:
  add rewrite action insert1 insert_after radius.req.avp_start "radius.new_avp(33, \"NEW AVP\")"
- RADIUS.REQ.AVP_END
  Returns the location at the end of the RADIUS message, that is, the end of all AVPs. Used in rewrite actions.
  Example:
  add rewrite action insert2 insert_before radius.req.avp_end "radius.new_avp(33, \"NEW AVP\")"
- RADIUS.REQ.AVP_LIST
  Returns the location at the start of the AVPs in a RADIUS message, and the length of the RADIUS message, excluding the header. In other words, returns all AVPs in a RADIUS message. Used in rewrite actions.
  Example:
  add rewrite action insert3 insert_before_all radius.req.avp_list "radius.new_avp(33, \"NEW AVP\")" -search "avp(33)"
Valid Rewrite-Action Types for RADIUS:
The Rewrite action types that can be used with RADIUS expressions are:
- INSERT_AFTER
- INSERT_BEFORE
- INSERT_AFTER_ALL
- INSERT_BEFORE_ALL
- DELETE
- DELETE_ALL
- REPLACE
- REPLACE_ALL
All INSERT_ actions can be used to insert a RADIUS AVP into a RADIUS connection.
Use Cases
Following are use cases for RADIUS with rewrite.
Rewriting the User-Name AVP
To configure the rewrite feature to remove the Domain\ string from the RADIUS user-name AVP, begin by creating a rewrite REPLACE action as shown in the example below. Use the action in a rewrite policy that selects all RADIUS requests. Bind the policy to a global bind point. When you do so, set the priority to the appropriate level to allow any block or reject policies to take effect first, but ensure that all requests that are not blocked or rejected are rewritten. Set the Goto Expression (gotoPriorityExpr) to NEXT to continue policy evaluation, and attach the policy to the RADIUS_REQ_DEFAULT queue.
Example:
add rewrite action rwActRadiusDomainDel replace radius.req.user_name q/RADIUS.NEW_AVP(1,RADIUS.REQ.USER_NAME.VALUE.AFTER_STR("\\"))/
add rewrite policy RadiusRemoveDomainPol true rwActRadiusDomainDel
Note:
The rewrite policy for RADIUS is not applicable to a gateway virtual server. If a gateway virtual server is used, then a load balancing virtual server for RADIUS needs to be configured, and the rewrite policy needs to be bound to that RADIUS load balancing virtual server.
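The re-signing limitation listed in the Note near the top of this page, applied to the User-Name rewrite above: the following added example (not Citrix code) shows why a RADIUS server that enforces signed messages rejects a request after its User-Name AVP is rewritten in transit. It assumes the signature in question is the RFC 2869 Message-Authenticator attribute (HMAC-MD5 keyed with the shared secret); the secret, user name and packet are constructed sample values.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-shared-secret"  # constructed sample value
USER_NAME, MSG_AUTH = 1, 80            # AVP codes from RFC 2865 / RFC 2869

def parse_avps(packet):
    """Walk the AVPs that follow the 20-byte RADIUS header."""
    avps, pos = [], 20
    while pos < len(packet):
        length = packet[pos + 1] if pos + 1 < len(packet) else 0
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed AVP")
        avps.append((packet[pos], packet[pos + 2:pos + length]))
        pos += length
    return avps

def build(code, ident, authenticator, avps):
    """Serialize header + AVPs, recomputing the header length field."""
    body = b"".join(struct.pack("!BB", c, len(v) + 2) + v for c, v in avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def sign(packet):
    """Set Message-Authenticator to HMAC-MD5 over the packet with that field zeroed."""
    head = packet[0], packet[1], packet[4:20]
    zeroed = [(c, bytes(16) if c == MSG_AUTH else v) for c, v in parse_avps(packet)]
    mac = hmac.new(SECRET, build(*head, zeroed), hashlib.md5).digest()
    return build(*head, [(c, mac if c == MSG_AUTH else v) for c, v in zeroed])

def verify(packet):
    """The check a server enforcing signed messages performs on receipt."""
    has_mac = any(c == MSG_AUTH for c, _ in parse_avps(packet))
    return has_mac and hmac.compare_digest(sign(packet), packet)

def strip_domain(packet):
    """Rewrite User-Name 'DOMAIN\\user' to 'user' in transit, without re-signing."""
    avps = [(c, v.split(b"\\", 1)[-1] if c == USER_NAME else v)
            for c, v in parse_avps(packet)]
    return build(packet[0], packet[1], packet[4:20], avps)

# Constructed Access-Request (code 1) as the client would send it
REQUEST = sign(build(1, 7, bytes(range(16)),
                     [(USER_NAME, b"CORP\\alice"), (MSG_AUTH, bytes(16))]))
REWRITTEN = strip_domain(REQUEST)  # what the server receives after the rewrite
```

`verify(REQUEST)` succeeds and `verify(REWRITTEN)` fails, because only a party holding the shared secret can recompute the attribute after the AVPs change.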
Inserting a Vendor-Specific AVP
To configure a rewrite action to insert a Vendor-Specific AVP containing the contents of the MSISDN field, begin by creating a rewrite INSERT action that inserts the MSISDN field into the request. Use the action in a rewrite policy that selects all RADIUS requests. Bind the policy to global, setting the priority to an appropriate level and the other parameters as shown in the following example.
Example:
add rewrite action rwActRadiusInsMSISDN insert_after radius.req.avp_start RADIUS.NEW_VENDOR_SPEC_AVP(<VENDOR ID>, "RADIUS.NEW_AVP(<Attribute Code>, <MSISDN>)")
add rewrite policy rwPolRadiusInsMSISDN true rwActRadiusInsMSISDN
bind rewrite global rwPolRadiusInsMSISDN 100 NEXT -type RADIUS_REQ_DEFAULT
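What the insert above produces on the wire, as an added example (not Citrix code): a type 26 AVP that wraps a vendor ID and a nested vendor attribute, placed immediately after the 20-byte header, with the header length field corrected. The vendor ID 99999, vendor attribute code 1, the MSISDN digits and the sample packet are constructed placeholders.

```python
import struct

HEADER_LEN = 20        # code, identifier, length, 16-byte authenticator
VENDOR_SPECIFIC = 26   # RFC 2865 section 5.26
MAX_PACKET = 4096      # RFC 2865 maximum RADIUS packet length

def vendor_avp(vendor_id, vendor_type, data):
    """Encode type 26: 4-octet Vendor-Id, then vendor type/length/value."""
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    if len(sub) + 6 > 255:
        raise ValueError("vendor-specific AVP exceeds 255 octets")
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(sub) + 6, vendor_id) + sub

def insert_at_avp_start(packet, new_avp):
    """Insert an AVP right after the header and fix the header length field."""
    (declared,) = struct.unpack("!H", packet[2:4])
    if declared != len(packet) or declared < HEADER_LEN:
        raise ValueError("length field does not match packet")
    total = declared + len(new_avp)
    if total > MAX_PACKET:
        raise ValueError("packet would exceed 4096 octets")
    return (packet[:2] + struct.pack("!H", total) + packet[4:HEADER_LEN]
            + new_avp + packet[HEADER_LEN:])

def first_vendor_avp(packet):
    """Decode the AVP at the insertion point as (vendor_id, vendor_type, data)."""
    code, length, vendor_id = struct.unpack(
        "!BBI", packet[HEADER_LEN:HEADER_LEN + 6])
    if code != VENDOR_SPECIFIC or length < 8:
        raise ValueError("no vendor-specific AVP at the start of the AVP list")
    sub = HEADER_LEN + 6
    vendor_type, vendor_len = packet[sub], packet[sub + 1]
    return vendor_id, vendor_type, packet[sub + 2:sub + vendor_len]

# Constructed Access-Request carrying only User-Name "alice"
PACKET = struct.pack("!BBH", 1, 7, 27) + bytes(16) + b"\x01\x07alice"
PATCHED = insert_at_avp_start(PACKET, vendor_avp(99999, 1, b"15551230000"))
```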