Product Documentation

Primary authentication

You can configure authentication servers such as RADIUS or TACACS+ to authenticate remote users logging on to Citrix SD-WAN Center. Primary authentication is the first authenticating factor for remote users when two-factor authentication is enabled. For more information, see Two-factor authentication.  

Note

Ensure that user accounts are created on the required authentication servers.

RADIUS authentication server

To use RADIUS authentication, you must specify and configure at least one RADIUS server. Optionally, you configure redundant backup servers, up to a maximum of three RADIUS servers. The servers are checked sequentially, starting with the server listed first in the Servers section. Ensure that the required user accounts are created on the RADIUS authentication server.

Note

User accounts that use RADIUS authentication are read-only accounts. Their users can view reports and the dashboard. These accounts do not have any administrative privileges.

To enable and configure RADIUS authentication:

  1. In the Citrix SD-WAN Center web interface, navigate to Administration > User/Authentication Settings.

  2. In the Primary Authentication > RADIUS Authentication section, select the Enable RADIUS Authentication check box.  

    Note

    If TACACS+ authentication is already enabled, it gets disabled.

  3. In the Timeout field, enter the time interval (in seconds) to wait for an authentication response from the RADIUS server.

    The timeout value should be less than or equal to 10 seconds.

  4. In the Server Key field, enter a secret key to use when connecting to the RADIUS servers.

  5. In the Confirm Server Key fields, reenter the secret key.

    Note

    The Timeout and Server Key settings are applied to all configured servers.

  6. Select Enable Two-factor, to enable two-factor authentication.

    Note

    The Enable Two-factor option appears only when the secondary authentication server is configured.

    Configure a secondary authentication server, either RADIUS, or TACAS+. For more information, see Secondary authentication.

  7. Click the plus icon (+) next to Servers to add a RADIUS server.

  8. In the IP Address field, enter the host IP address for the RADIUS server.

  9. In the Port field, enter the port number for RADIUS server. The default port number is 1812.

    localized image

  10. Click Apply.

  11.  Click Verify to verify the connection to the RADIUS server. The Verify RADIUS Server Settings dialog box appears.

    localized image

  12. Enter a valid username and password for the authentication servers, and click Verify.

To configure more servers, repeat the steps 7 through 12.

TACACS+ authentication server

To use TACACS+, you must specify and configure at least one TACACS+ server. Optionally, you configure redundant backup servers, up to a maximum of three TACACS+ servers. The servers are checked sequentially, starting with the server listed first in the Servers section. Ensure that the required user accounts are created on the TACACS+ authentication server.

To enable and configure TACACS+ authentication:

  1. In the Citrix SD-WAN Center web interface, navigate to Administration > User/Authentication Settings.

  2. In the Primary Authentication > TACACS+ Authentication section, select the Enable TACACS+ Authentication check box.  

    Note

    If RADIUS authentication is already enabled, it gets disabled.

  3. In the Timeout field, enter the time interval (in seconds) to wait for an authentication response from the TACACS+ server.

    The timeout value should be less than or equal to 10 seconds.

  4. In the Authentication Type field, select the encryption method to use to send the username and password to the TACACS+ server.

  5. In the Server Key field, enter a secret key to use when connecting to the TACACS+ servers.

  6. In the Confirm Server Key fields, reenter the secret key.

    Note

    The Timeout, Authentication Type, and Server Key settings are applied to all the configured servers.

  7. Select Enable Two-factor, to enable two-factor authentication.

    Note

    The Enable Two-factor option appears only when the secondary authentication server is configured.

    Configure a secondary authentication server, either RADIUS, or TACAS+. For more information, see Secondary authentication.

  8. Click the plus icon (+) next to Servers to add a TACACS+ server.

  9. In the IP Address field, enter the host IP address for the TACACS+ server.

  10. In the Port field, enter the port number for TACACS+ server. The default port number is 49.

    localized image

  11. Click Apply.

  12.  Click Verify to verify the connection to the RADIUS server. The Verify TACACS+ Server Settings dialog box appears.

    localized image

  13. Enter a valid username and password for the authentication servers, and click Verify.

    To configure more servers, repeat the steps 8 through 13.

Primary authentication