Citrix ADC 13.0

User account and password management

Citrix ADC enables you to manage user accounts and password configuration. Following are some of the activities that you can perform for a system user account or nsroot administrative user account on the appliance.

  • System user account lockout
  • Lock system user account for management access
  • Unlock a locked system user account for management access
  • Disable management access for system user account
  • Force password change for nsroot administrative users
  • Remove sensitive files in a system user account
  • Strong password configuration for system users

System user account lockout

To configure the system user lockout functionality for invalid login attempts, you must configure the maxloginAttempts and failedLoginTimeout values in the aaa parameter.

At the command prompt, type:

set aaa parameter -maxloginAttempts <value> -failedLoginTimeout <value>

Example:

set aaa parameter -maxloginAttempts 3 -failedLoginTimeout 10

Configure system user account lockout by using the GUI

  1. Navigate to Configuration > Security > AAA-Application Traffic > Authentication Settings > Change authentication AAA Settings.
  2. In the Configure AAA Parameter page, set the following parameters:

    1. Max Login Attempts. The maximum number of logon attempts allowed for the user to try.
    2. Failed Login Timeout. The number of minutes for which the user account stays locked after the maximum number of invalid logon attempts is reached.
  3. Click OK.

GUI configuration for system user account lockout

When you set the parameters, the user account gets locked for 10 minutes for three or more invalid login attempts. Also, the user cannot log on even with valid credentials for 10 minutes.

Note:

If a locked user tries to log on to the appliance, the error message “RBA Authentication Failure: maxlogin attempt reached for test.” is displayed.

Lock system user account for management access

The Citrix ADC appliance enables you to lock a system user for 24 hours and deny access to the user.

Citrix ADC appliance supports the configuration for both system user and external users.

Note:

The feature is supported only if you disable the persistentLoginAttempts option in the aaa parameter.

At the command prompt, type:

set aaa parameter -persistentLoginAttempts DISABLED

Now, to lock a user account, at the command prompt, type:

lock aaa user test

Lock system user account by using the GUI

  1. Navigate to Configuration > Security > AAA-Application Traffic > Authentication Settings > Change authentication AAA Settings.
  2. In Configure AAA Parameter, in the Persistent Login Attempts list, select DISABLED.
  3. Navigate to System > User Administration > Users.
  4. Select a user.
  5. In the Select Action list, select Lock.

GUI procedure to lock system user account

Select lock option

Note:

The Citrix ADC GUI does not have an option to lock external users. To lock an external user, the ADC administrator must use the CLI. When a locked system user (locked with lock authentication, authorization, and auditing user command) attempts to log in to Citrix ADC, the appliance displays an error message, “RBA Authentication Failure: User test is locked down for 24 hours.”

When a user is locked out of management access, console access is exempted: a locked user can still log on through the console.

Unlock a locked system user account for management access

System users and external users can be locked for 24 hours using the lock authentication, authorization, and auditing user command.

Note:

The ADC appliance allows admins to unlock a locked user, and this feature does not require any setting of the persistentLoginAttempts option in the aaa parameter.

At the command prompt, type:

unlock aaa user test

Configure system user unlock by using the GUI

  1. Navigate to System > User Administration > Users.
  2. Select a user.
  3. Click Unlock.

Configure system user unlock

The Citrix ADC GUI only lists system users created in the ADC, so there is no option in the GUI to unlock external users. To unlock an external user, the nsroot administrator must use the CLI.

Disable management access for system user account

When external authentication is configured on the appliance and, as an admin, you want to deny system users access to management access, you must disable the localAuth option in the system parameter.

At the command prompt, type the following:

set system parameter -localAuth ( ENABLED | DISABLED )

Example:

set system parameter -localAuth DISABLED

Disable management access to system user by using the GUI

  1. Navigate to Configuration > System > Settings > Change Global System Settings.
  2. In Command Line Interface (CLI) section, unselect the Local Authentication check box.

GUI procedure to disable management access to system user

By disabling the option, local system users cannot log on to ADC management access.

Note:

An external authentication server must be configured and reachable before local system user authentication is disallowed in the system parameter. If the external server configured in the ADC for management access is unreachable, local system users can still log on to the appliance. This behavior is intended for recovery purposes.

Force password change for administrative users

For nsroot secured authentication, the Citrix ADC appliance prompts the user to change the default password to a new one if the forcePasswordChange option is enabled in the system parameter. You can change your nsroot password either from CLI or GUI, on your first login with the default credentials.

At the command prompt, type:

set system parameter -forcePasswordChange ( ENABLED | DISABLED )

SSH session example for NSIP:

ssh nsroot@1.1.1.1
Connecting to 1.1.1.1:22...
Connection established.
To escape to local shell, press Ctrl+Alt+].
###############################################################################
WARNING: Access to this system is for authorized users only #
Disconnect IMMEDIATELY if you are not an authorized user! #

###############################################################################
Please change the default NSROOT password.
Enter new password:
Please re-enter your password:
Done

System user lockout configuration

To prevent brute force attacks, you can configure user lockout. The configuration enables a network administrator to prevent a system user from logging on to a Citrix ADC appliance, and also to unlock the user account before the lock period expires.

At the command prompt, type:

set aaa parameter -maxloginAttempts <value> -failedLoginTimeout <value>

Example:

set aaa parameter -maxloginAttempts 3 -failedLoginTimeout 10

Configure system user lockout configuration by using the GUI

  1. Navigate to Configuration > Security > AAA-Application Traffic > Authentication Settings > Change authentication AAA Settings.
  2. In Configure AAA Parameter page, set the following parameters:

    1. Max Login Attempts. The maximum number of logon attempts allowed for the user to try.
    2. Failed Login Timeout. The number of minutes for which the user account stays locked after the maximum number of invalid logon attempts is reached.
  3. Click OK.

Configure system user lockout

When you set the parameters, the user account is locked for 10 minutes if there are more than three invalid login attempts. Also, the user cannot log on even with valid credentials for 10 minutes.

Note:

If a locked user tries to log on to the appliance, an error message, “RBA Authentication Failure: maxlogin attempt reached for test.” displays.
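The lockout, lock and unlock behaviour described in the System user account lockout, Lock/Unlock system user account and System user lockout configuration sections, as an added reference model written for this page (it is not Citrix ADC code). It assumes that the unlock command clears both the 24-hour administrative lock and the failedLoginTimeout window, and it tracks time in minutes so the windows can be stepped through without waiting.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed reference model of the documented behaviour; not Citrix ADC code.
LOCK_CMD_MINUTES = 24 * 60  # "lock aaa user <name>" locks the user for 24 hours


@dataclass
class LockoutPolicy:
    max_login_attempts: int = 3     # set aaa parameter -maxloginAttempts 3
    failed_login_timeout: int = 10  # minutes, -failedLoginTimeout 10


@dataclass
class LockoutTracker:
    policy: LockoutPolicy
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)  # lockout window
    admin_locked: Dict[str, float] = field(default_factory=dict)  # lock aaa user

    def lock_user(self, user: str, now_min: float) -> None:
        """Equivalent of 'lock aaa user <name>': deny access for 24 hours."""
        self.admin_locked[user] = now_min + LOCK_CMD_MINUTES

    def unlock_user(self, user: str) -> None:
        """Equivalent of 'unlock aaa user <name>' (assumed to clear both locks)."""
        self.admin_locked.pop(user, None)
        self.locked_until.pop(user, None)
        self.failures[user] = 0

    def attempt(self, user: str, password_ok: bool, now_min: float) -> Tuple[bool, str]:
        """Evaluate one management login at time now_min; returns (allowed, message)."""
        if self.admin_locked.get(user, -1) > now_min:
            return False, f"RBA Authentication Failure: User {user} is locked down for 24 hours."
        if self.locked_until.get(user, -1) > now_min:
            # Inside the failedLoginTimeout window: even valid credentials are rejected.
            return False, f"RBA Authentication Failure: maxlogin attempt reached for {user}."
        if password_ok:
            self.failures[user] = 0
            return True, "Done"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.policy.max_login_attempts:
            # Third invalid attempt: start the 10-minute lock window.
            self.failures[user] = 0
            self.locked_until[user] = now_min + self.policy.failed_login_timeout
            return False, f"RBA Authentication Failure: maxlogin attempt reached for {user}."
        return False, "Invalid credentials"
```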

Remove sensitive files in a system user account

To manage sensitive data such as authorized keys and public keys for a system user account, you must enable the removeSensitiveFiles option. The commands that remove sensitive files when the system parameter is enabled are:

  • rm cluster instance
  • rm cluster node
  • rm high availability node
  • clear config full
  • join cluster
  • add cluster instance

At the command prompt, type:

set system parameter -removeSensitiveFiles ( ENABLED | DISABLED )

Example:

set system parameter -removeSensitiveFiles ENABLED

Strong password configuration for system users

For secured authentication, the Citrix ADC appliance prompts system users and administrators to set strong passwords to log on to the appliance. The password must meet the configured minimum length and must contain at least:

  • one lower case character
  • one upper case character
  • one numeric character
  • one special character

At the command prompt, type:

set system parameter -strongpassword <value> -minpasswordlen <value>

Where:

strongpassword. When strong password is enabled (enableall or enablelocal), all passwords and other sensitive information must contain at least one lower case character, one upper case character, one numeric character and one special character. With enablelocal, the following object types are excluded: NS_FIPS, NS_CRL, NS_RSAKEY, NS_PKCS12, NS_PKCS8, NS_LDAP, NS_TACACS, NS_TACACSACTION, NS_RADIUS, NS_RADIUSACTION, NS_ENCRYPTION_PARAMS. No strong password checks are performed on commands for these object types for the system user.

Possible values: enableall, enablelocal, disabled
Default value: disabled

minpasswordlen. Minimum length of the system user password. When strong password is enabled, the default minimum length is 4 and the value you enter must be greater than or equal to 4. When strong password is disabled, the default minimum length is 1. The maximum value is 127 in both cases.

Minimum value: 1
Maximum value: 127

Example:

set system parameter -strongpassword enablelocal -minpasswordlen 6
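The strongpassword and minpasswordlen rules above, as an added checker written for this page (not Citrix ADC code) so that passwords can be validated, for example in an automation pipeline, before they are pushed to an appliance. It assumes that "special character" means any non-alphanumeric character and that a minpasswordlen below the mode's default floor is rejected; the object_type parameter is a hypothetical name for the object type a command sets the password on.

```python
import re
from typing import List, Optional

# Constructed checker mirroring the documented rules; not Citrix ADC code.
# Object types exempt from strong-password checks in enablelocal mode (from the page).
ENABLELOCAL_EXCLUDED = {
    "NS_FIPS", "NS_CRL", "NS_RSAKEY", "NS_PKCS12", "NS_PKCS8", "NS_LDAP",
    "NS_TACACS", "NS_TACACSACTION", "NS_RADIUS", "NS_RADIUSACTION",
    "NS_ENCRYPTION_PARAMS",
}
MAX_PASSWORD_LEN = 127
MODES = ("enableall", "enablelocal", "disabled")

# Assumption: a "special character" is anything that is not a letter or digit.
CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def effective_min_len(strongpassword: str, minpasswordlen: Optional[int]) -> int:
    """Default minimum is 4 with strong password enabled and 1 when disabled;
    an explicit -minpasswordlen below that floor is rejected (assumption)."""
    floor = 4 if strongpassword in ("enableall", "enablelocal") else 1
    if minpasswordlen is None:
        return floor
    if minpasswordlen < floor or minpasswordlen > MAX_PASSWORD_LEN:
        raise ValueError(f"minpasswordlen must be between {floor} and {MAX_PASSWORD_LEN}")
    return minpasswordlen


def check_password(password: str, strongpassword: str = "disabled",
                   minpasswordlen: Optional[int] = None,
                   object_type: str = "SYSTEM_USER") -> List[str]:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    if strongpassword not in MODES:
        raise ValueError(f"unknown strongpassword mode: {strongpassword}")
    problems: List[str] = []
    min_len = effective_min_len(strongpassword, minpasswordlen)
    if len(password) < min_len:
        problems.append(f"shorter than minpasswordlen {min_len}")
    if len(password) > MAX_PASSWORD_LEN:
        problems.append(f"longer than {MAX_PASSWORD_LEN} characters")
    # Complexity rules apply unless strong password is disabled or, in
    # enablelocal mode, the object type is on the exclusion list.
    complexity = strongpassword == "enableall" or (
        strongpassword == "enablelocal" and object_type not in ENABLELOCAL_EXCLUDED)
    if complexity:
        for name, pattern in CLASSES.items():
            if not pattern.search(password):
                problems.append(f"missing {name} character")
    return problems
```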