Gateway

Configuring RADIUS user accounting

Citrix Gateway can send user-session start and stop messages to your RADIUS accounting server. The messages, which are sent for each user session, include a subset of the attributes defined in RFC2866. Table 1 lists the supported attributes and the types of RADIUS accounting messages (RAD_START and RAD_STOP) in which they are sent. Table 2 lists the predefined values that can be assigned to the Acct-Terminate-Cause attribute, and the corresponding Citrix Gateway events.

Table 1. Supported RADIUS Attributes

Attribute Meaning RAD_START RAD_STOP
User-Name Name of user associated with the session. X X
Session-Id The Citrix ADC session ID. X X
Acct-Session-Time Session duration seconds. X
Acct-Terminate-Cause Reason for account termination (see the next table). X

Table 2. RADIUS Termination Causes

Citrix ADC Logout Method RADIUS Termination Cause
LOGOUT_SESSN_TIMEDOUT RAD_TERM_SESSION_TIMEOUT
LOGOUT_SESSN_INITIATEDBYUSER RAD_TERM_USER_REQUEST
LOGOUT_SESSN_KILLEDBYADMIN RAD_TERM_ADMIN_RESET
LOGOUT_SESSN_TLOGIN RAD_TERM_NAS_REQUEST
LOGOUT_SESSN_MAXLICRCHD RAD_TERM_NAS_REQUEST
LOGOUT_SESSN_CLISECCHK_FAILED RAD_TERM_NAS_REQUEST
LOGOUT_SESSN_PREAUTH_CHANGED RAD_TERM_NAS_REQUEST
LOGOUT_SESSN_COOKIE_MISMATCH RAD_TERM_NAS_REQUEST
LOGOUT_SESSS_DHT RAD_TERM_NAS_REQUEST
LOGOUT_SESSS_2FACTOR_FAIL RAD_TERM_NAS_REQUEST
LOGOUT_SESSN_ICALIC RAD_TERM_NAS_REQUEST
LOGOUT_SESSN_INTERNALERR RAD_TERM_NAS_ERROR
Other RAD_TERM_NAS_ERROR

Configuration of RADIUS user accounting requires the creation of a pair of policies. The first policy is a RADIUS authentication policy that designates a RADIUS server to which to send accounting messages. The second is a session policy that uses the RADIUS accounting policy as its action.

To configure RADIUS user accounting, you must:

  1. Create a RADIUS policy to define the RADIUS accounting server. The accounting server can be the same server that you use for RADIUS authentication.
  2. Create a session policy, using the RADIUS policy as an action that specifies the RADIUS user accounting server.
  3. Bind the session policy either globally, so that it applies to all traffic, or to a Citrix Gateway virtual server, so that it applies only to traffic flowing through that virtual server.

To create a RADIUS policy

  1. In the configuration utility, in the navigation pane, expand the Citrix Gateway node, and then Policies.
  2. Expand Authentication and select RADIUS.
  3. In the details pane, on the Policies tab, click Add.
  4. Enter a name for the policy.
  5. Select a server from the Server menu, or click the + icon and follow the prompts to add a RADIUS server.
  6. In the Expression pane, from the Saved Policy Expressions menu, select ns_true.
  7. Click Create.

To create a session policy

After configuring a RADIUS policy that specifies the RADIUS accounting server, create a session policy that applies this accounting server in an action, as follows:

  1. In the configuration utility, in the navigation pane, expand the Citrix Gateway node, and then Policies.
  2. Select Session.
  3. In the main details pane, select Add.
  4. Enter a name for the policy.
  5. In the Action menu, click the + icon to add a session action.
  6. Enter a name for the session action.
  7. Click the Client Experience tab.
  8. In the Accounting Policy menu, select the RADIUS policy that you created earlier.
  9. Click Create.
  10. In the Expression pane, from the Saved Policy Expressions menu, select ns_true.
  11. Click Create.

To bind the session policy globally

  1. In the configuration utility, in the navigation pane, expand the Citrix Gateway node, and then Policies.
  2. Select Session.
  3. From the Action menu in the main details pane, select Global Bindings.
  4. Click Bind.
  5. In the Policies pane, select the session policy that you created earlier, and then click Insert.
  6. In the Policies listings, click the Priority entry for the session policy and enter a value from 0 to 64000.
  7. Click OK.

To bind the session policy to a Citrix Gateway virtual server

  1. In the configuration utility, in the navigation pane, expand the Citrix Gateway node, and then select Virtual Servers.
  2. In the main details pane, select a virtual server, and then click Edit.
  3. In the Policies pane, click the + icon to select a policy.
  4. From the Choose Policy menu, select Session, and make sure that Request is selected in the Choose Type menu.
  5. Click Continue.
  6. Click Bind.
  7. In the Policies pane, select the session policy that you created earlier, and then click Insert.
  8. Click OK.
Configuring RADIUS user accounting