May 24, 2018
Users can be authenticated either internally by Citrix Application Delivery Management (ADM), externally by an authenticating server, or both. If local authentication is used, the user must be in the Citrix ADM security database. If the user is authenticated externally, the user’s “external name” should match the external user identity registered with the authenticating server, depending on the selected authentication protocol.
Citrix ADM supports external authentication by means of RADIUS, LDAP and TACACS protocols. This unified support provides a common interface to authenticate and authorize all the local and external authentication, authorization and accounting (AAA) server users who are accessing the system. Citrix ADM can authenticate users regardless of the actual protocols they use to communicate with the system. When a user attempts to access a Citrix ADM implementation that is configured for external authentication, the requested application server sends the user name and password to the RADIUS, LDAP or TACACS server for authentication. If the authentication is successful, the corresponding protocol is used to identify the user in Citrix ADM.
You can authenticate your users in Citrix ADM in two ways:
- By using Citrix ADM local servers
- By using external authentication servers
The following flow chart shows the workflow to follow when you are authenticating local or external users:
Configuring external authentication servers
Citrix ADM supports various protocols to provide external Authentication, Authorization, and Accounting (AAA) services.
Citrix ADM sends all authentication, authorization, and accounting (AAA) service requests to the remote RADIUS, LDAP, or TACACS+ server. The remote AAA server receives the request, validates the request, and sends a response back to Citrix ADM. When configured to use a remote RADIUS, TACACS+, or LDAP server for authentication, Citrix ADM becomes a RADIUS, TACACS+, or LDAP client. In any of these configurations, authentication records are stored in the remote host server database. Login and logout account name, assigned permissions, and time-accounting records are also stored on the AAA server for each user.
Additionally, you can use the internal database of Citrix ADM to authenticate users locally. You create entries in the database for users and their passwords and default roles. You can also create groups of servers for specific types of authentication. The list of servers in a server group is an ordered list. The first server in the list is always used unless it is unavailable, in which case the next server in the list is used. You can configure servers of different types in a group, and you can also include the internal database as a fallback authentication backup to the configured list of AAA servers.
Configuring a RADIUS authentication server
You can configure Citrix ADM to authenticate user access with one or more RADIUS servers. Your configuration might require using a network access server IP (NAS IP) address or a network access server identifier (NAS ID). When configuring Citrix ADM to use a RADIUS authentication server, use the following guidelines:If you enable use of the NAS IP address, the appliance sends its configured IP address to the RADIUS server, rather than sending the source IP address used in establishing the RADIUS connection.
- If you configure the NAS ID, the appliance sends the identifier to the RADIUS server. If you do not configure the NAS ID, the appliance sends its host name to the RADIUS server.
- If you enable the NAS IP address, the appliance ignores any NAS ID that is configured, and uses the NAS IP to communicate with the RADIUS server.
To configure a RADIUS authentication server:
- In Citrix ADM, navigate to System > Authentication > RADIUS.
- On the RADIUS page, click Add.
- On the Create RADIUS Server page, set the parameters and click Create to add the server to the list of RADIUS authentication servers. The following parameters are mandatory:
- Name. Name of the RADIUS server.
- Server Name / IP Address. Server name or IP address of the RADIUS server.
- Port. By default, port 1812 is used for RADIUS authentication. You can specify a different port number if necessary.
- Time-out (seconds). Time, in seconds, that the Citrix ADM system waits for a response from the RADIUS server.
- Secret Key. Any alphanumeric expression. This is the key that is shared between Citrix ADM and the RADIUS server to enable communication.
- Click Details to expand the section and set the additional parameters, and then click Create.
Configuring an LDAP authentication server
You can configure the Citrix ADM to authenticate user access with one or more LDAP servers. LDAP authorization requires identical group names in Active Directory, on the LDAP server, and on Citrix ADM. The characters and case must also match.
To configure an LDAP authentication server:
- In Citrix ADM, navigate to System > Authentication > LDAP.
- On the LDAP page, click Add.
- On the Create LDAP Server page, set the parameters and click Create to add the server to the list of LDAP authentication servers. The following parameters are mandatory:
- Name. Name of the LDAP server.
- Server Name / IP Address. Server name or IP address of the LDAP server.
- Security Type. Type of communication required between the system and the LDAP server. Select from the drop-down list. If plain text communication is inadequate, you can choose encrypted communication by selecting either Transport Layer Security (TLS) or SSL.
- Port. By default, port 389 is used for LDAP authentication. You can specify a different port number if necessary.
- Server Type. Select Active Directory (AD) or Novell Directory Service (NDS) as the type of LDAP server.
- Time-out (seconds). Time, in seconds for which the Citrix ADM system waits for a response from the LDAP server.
You can provide additional details. You can also validate the LDAP certificate by selecting the Validate LDAP Certificate check box and specifying the host name to be entered on the certificate. Some of the additional parameters you can add are Domain Nameserver (DN) details for queries against a directory service, default authentication group, group attributes, and other attributes.
The base DN is usually derived from the Bind DN by removing the user name and specifying the group to which the users belong. In Administrator Bind DN text box, type the administrator bind DN for queries to the LDAP directory.
Examples of syntax for base DN are:
Examples of syntax for bind DN are:
firstname.lastname@example.org (for Active Directory)
The group name and the name of the users that you define in Citrix ADM must be similar to those configured on the LDAP server.
Note: While configuring a RADIUS or LDAP server, in the Details section, you can enter the name of a default authentication group. This default group is chosen to authorize the user when the authentication succeeds irrespective of the fact that the user is tied to a group or not. The user then receives a combination of permissions configured on this default group and the other groups whether the user is assigned to the group or not.
Configuring TACACS authentication server
TACACS, like RADIUS and LDAP, handles remote authentication services for network access.
Configuring a TACACS authentication server:
- In Citrix ADM, navigate to System > Authentication > TACACS.
- On the TACACS page, click Add.
- On the Create TACACS Server page, enter the following details:
- Name of the TACACS server
- IP address of the TACACS server
- Port and timeout (in seconds)
- The key that is shared by the system and the TACACS server for communication.
- Select Accounting if you want the appliance to log audit information with TACACS server.
- Click Create.
Configuring local authentication of users in Citrix ADM
If you are using local authentication, create users and then add them to groups that you create on Citrix ADM. After configuring users and groups, you can apply authorization and session policies, create bookmarks, specify applications, and specify the IP address of file shares and servers to which users have access.
To configure local authentication in Citrix ADM:
- In Citrix ADM, navigate to System > Authentication, and click Authentication Configuration.
- On the Authentication Configuration page, select LOCAL from the Server Type drop-down box, and click OK.
Configuring external authentication in Citrix ADM
When you configure external authentication servers in Citrix ADM, the user groups that are authenticated on those external servers are imported into Citrix ADM. You do not need to create users on Citrix ADM. The users are managed on the external servers from Citrix ADM. But you must ensure that the permission levels that the user groups have on the external authentication servers are maintained in Citrix ADM. Citrix ADM performs the authorization of users by assigning group permissions for access to specific load balancing virtual servers and to specific applications on the system. If an authentication server is later removed from the system, the groups and users will be automatically removed from the system.
To configure external authentication in Citrix ADM:
- In Citrix ADM, navigate to System > Authentication, and click Authentication Configuration.
- On the Authentication Configuration page, select EXTERNAL from the Server Type drop-down list.
- Click Insert.
- On the External Servers page, select an authentication server. Optionally, you can select multiple authentication servers to cascade.
Note: Only external servers can be cascaded.
- Select Enable fallback local authentication if you want the local authentication to take over if the external authentication fails.
- Click OK to close the page.
The selected servers are displayed on the Authentication Servers page.
You can also specify the order of authentication by using the icon next to the server names to move servers up or down the list.
Configuring groups in Citrix ADM
Citrix ADM allows you to authenticate and authorize your users by creating groups and adding the users to the groups. A group can have either “admin” or “read-only” permissions and all users in that group will receive equal permissions.
In Citrix ADM, a group is defined as a collection of users having similar permissions. A group can have one or multiple roles. A user is defined as an entity that can have access based on the permissions assigned. A user can belong to one or more groups.
You can create local groups in Citrix ADM and use local authentication for the users in the groups. If you are using external servers for authentication, configure the groups on Citrix ADM to match the groups configured on authentication servers in the internal network. When a user logs on and is authenticated, if a group name matches a group on an authentication server, the user inherits the settings for the group on Citrix ADM.
After you configure groups, you can apply authorization and session policies, create bookmarks, specify applications, and specify the IP addresses of file shares and servers to which the user has access.
If you are using local authentication, create users and add them to groups that are configured on Citrix ADM. The users then inherit the settings for those groups.
Note: If the users are members of an Active Directory group, the name of the group and the names of the users on Citrix ADM must be the same as in the Active Directory group.
To configure user groups in Citrix ADM:
In Citrix ADM, navigate to System > User Administration > Groups.
On the Groups page, click Add to create a group. By default, two groups are created in Citrix ADM, with permissions set to admin and read only. You can add your users to these groups, or you can create other groups for your users.
On the Group Settings tab on the Create System Group page, type the name of the group, and set Roles either as admin or read-only. You can select Configure User Session Timeout to set a timeout limit for the user sessions logged in for that group.
Note: Make sure that the name of the user group created on Citrix ADM is the same as as on the external authentication servers. If not, the system will not recognize the group, and the group members will not be extracted into the system.
In the Authorization Settings tab, select the required groups. Click Create Group.
In the Assign Users tab, select the users that you want to add to the group. The users are added to this table when you configure users in Configuring Users in Citrix ADM.
When you finish creating a group in the system, all the users in the external authentication server are extracted into the system. If the group name matches the group name on the external authentication server, the user inherits all the authorization definitions when logged on to the system.
Configuring users in Citrix ADM
You can create user accounts locally on Citrix ADM to supplement the users on authentication servers. For example, you might want to create local user accounts for temporary users, such as consultants or visitors, without creating an entry for those users on the authentication server. If you are locally authenticating users that are present on external authentication servers, make sure that the same users are present on both the authenticating servers and Citrix ADM.
To configure users in Citrix ADM:
- In Citrix ADM, navigate to System > User Administration > Users.
- On the Users page, click Add to add users to Citrix ADM.
- On the Create System User page, set the following parameters:
- User Name. Name of the user
- Password. Password that the user will use to log on to Citrix ADM
- Enable External Authentication. If this is not enabled, the user will be authenticated as a local user.
- Configure User Session Timeout. Time for which a user can remain active. This time period can be set in minutes or hours.
In the Groups table, select the group to which to add the user. The group members are added to this table when you configure groups in Configuring User Groups in Citrix ADM.
- Click Create.
Note: If the users are on Active Directory, make sure that the group name in Citrix ADM is same as the one for the Active Directory group on the external server.