RADIUS authentication policies
As with other types of authentication policies, a Remote Authentication Dial In User Service (RADIUS) authentication policy comprises an expression and an action. After creating an authentication policy, you bind it to an authentication virtual server and assign a priority to it. When binding it, you also designate it as either a primary or a secondary policy. However, setting up a RADIUS authentication policy has certain special requirements that are described in the following section.
Normally you configure the NetScaler appliance to use the IP address of the authentication server during authentication. With RADIUS authentication servers, you can now configure the ADC to use the FQDN of the RADIUS server instead of its IP address to authenticate users. Using an FQDN can simplify an otherwise much more complex AAA configuration in environments where the authentication server might be at any of several IP addresses, but always uses a single FQDN. To configure authentication by using a server’s FQDN instead of its IP address, you follow the normal configuration process except when creating the authentication action. When creating the action, you substitute the serverName parameter for the serverIP parameter.
Before you decide whether to configure the NetScaler appliance to use the IP or the FQDN of your RADIUS server to authenticate users, consider that configuring AAA to authenticate to an FQDN instead of an IP address adds an extra step to the authentication process. Each time the ADC authenticates a user, it must resolve the FQDN. If a great many users attempt to authenticate simultaneously, the resulting DNS lookups might slow the authentication process.
Note
These instructions assume that you are already familiar with the RADIUS protocol and have already configured your chosen RADIUS authentication server.
For more information about setting up authentication policies in general, see Authentication Policies. For more information about NetScaler appliance expressions, which are used in the policy rule, see Policies and Expressions.
To add an authentication action for a RADIUS server by using the command line interface
If you authenticate to a RADIUS server, you need to add an explicit authentication action. At the command prompt, type the following command:
add authentication radiusAction <name> [-serverip <IP> | -serverName <FQDN>] [-serverPort <port>] [-authTimeout <positive_integer>] {-radKey } [-radNASip ( ENABLED | DISABLED )] [-radNASid <string>] [-radVendorID <positive_integer>] [-radAttributeType <positive_integer>] [-radGroupsPrefix <string>] [-radGroupSeparator <string>] [-passEncoding <passEncoding>] [-ipVendorID <positive_integer>] [-ipAttributeType <positive_integer>] [-accounting ( ON | OFF )] [-pwdVendorID <positive_integer> [-pwdAttributeType <positive_integer>]] [-defaultAuthenticationGroup <string>] [-callingstationid ( ENABLED | DISABLED )]
The following example adds a RADIUS authentication action named Authn-Act-1, with the server IP 10.218.24.65, the server port 1812, the authentication timeout 15 minutes, the RADIUS key WareTheLorax, NAS IP disabled, and NAS ID NAS1.
> add authentication radiusaction Authn-Act-1 -serverip 10.218.24.65 -serverport 1812 -authtimeout 15 -radkey WareTheLorax -radNASip DISABLED -radNASid NAS1
Done
The following example adds the same RADIUS authentication action, but using the server FQDN rad01.example.com instead of the IP.
> add authentication radiusaction Authn-Act-1 -serverName rad01.example.com -serverport 1812 -authtimeout 15 -radkey WareTheLorax -radNASip DISABLED -radNASid NAS1
Done
RADIUS authentication might fail if both authentication and accounting actions are configured on the same server port in the radiusAction command.
To avoid this condition, Citrix recommends that you use different commands for RADIUS authentication and accounting.
- For RADIUS authentication, configure the authservRetry parameter with the default value 3.
set authentication radiusAction Authn-Act-1 -serverip 10.218.24.65 -serverport 1812 -authservRetry 3
- For RADIUS accounting, configure the authservRetry parameter with the value 1.
set authentication radiusAction Authn-Act-1 -serverip 10.218.24.65 -serverport 1813 -authservRetry 1
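The following check is an added example, not Citrix code. It reads radiusAction commands written in the syntax shown above and reports the conditions this page describes: an action that sets both or neither of -serverip and -serverName, an FQDN target (a DNS lookup on each authentication), authentication and accounting sharing one server port, and authservRetry values that differ from the recommendation. The sample commands are constructed; treating an action with -accounting ON as the accounting action, and using port 1812 when -serverPort is absent, are assumptions of this example.

```python
import shlex

# Constructed sample commands in the page's syntax; not taken from a real appliance.
SAMPLE = """\
add authentication radiusAction Authn-Act-1 -serverName rad01.example.com -serverPort 1812 -authTimeout 15
add authentication radiusAction Acct-Act-1 -serverName rad01.example.com -serverPort 1812 -accounting ON
add authentication radiusAction Authn-Act-2 -serverip 10.218.24.65 -serverName rad02.example.com
set authentication radiusAction Authn-Act-1 \u2013serverport 1812 -authservRetry 3
"""

def parse_actions(text):
    """Map action name -> {lower-cased parameter: value} from add/set radiusAction lines."""
    actions = {}
    for line in text.splitlines():
        tok = shlex.split(line.lstrip("> ").replace("\u2013", "-"))  # en dash pasted from docs
        head = [t.lower() for t in tok[:3]]
        if len(tok) < 4 or head[0] not in ("add", "set") or head[1:] != ["authentication", "radiusaction"]:
            continue
        params, i = actions.setdefault(tok[3], {}), 4
        while i < len(tok):
            has_val = i + 1 < len(tok) and not tok[i + 1].startswith("-")
            params[tok[i].lstrip("-").lower()] = tok[i + 1] if has_val else ""
            i += 2 if has_val else 1
    return actions

def audit(actions):
    """Return sorted (action, finding) pairs for the conditions the page describes."""
    findings, endpoints = [], {}
    for name, p in actions.items():
        if ("serverip" in p) == ("servername" in p):
            findings.append((name, "set exactly one of -serverip / -serverName"))
        elif "servername" in p:
            findings.append((name, "FQDN target: a DNS lookup on every authentication"))
        acct = p.get("accounting", "OFF").upper() == "ON"  # assumption: marks the accounting action
        want = "1" if acct else "3"                        # retry values recommended on the page
        if p.get("authservretry", "3") != want:            # 3 is the default the page states
            findings.append((name, f"authservRetry should be {want}"))
        server = (p.get("servername") or p.get("serverip") or "").lower()
        port = p.get("serverport", "1812")  # assumption: standard RADIUS auth port when unset
        endpoints.setdefault((server, port), []).append((name, acct))
    for (server, port), members in endpoints.items():
        if len({acct for _, acct in members}) == 2:  # auth and accounting on one port
            for name, _ in members:
                findings.append((name, f"auth and accounting share {server}:{port}"))
    return sorted(findings)

if __name__ == "__main__":
    for action, finding in audit(parse_actions(SAMPLE)):
        print(f"{action}: {finding}")
```
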
To configure an authentication action for an external RADIUS server by using the command line
To configure an existing RADIUS action, at the command prompt, type the following command:
set authentication radiusAction <name> [-serverip <IP> | -serverName <FQDN>] [-serverPort <port>] [-authTimeout <positive_integer>] {-radKey } [-radNASip ( ENABLED | DISABLED )] [-radNASid <string>] [-radVendorID <positive_integer>] [-radAttributeType <positive_integer>] [-radGroupsPrefix <string>] [-radGroupSeparator <string>] [-passEncoding <passEncoding>] [-ipVendorID <positive_integer>] [-ipAttributeType <positive_integer>] [-accounting ( ON | OFF )] [-pwdVendorID <positive_integer> [-pwdAttributeType <positive_integer>]] [-defaultAuthenticationGroup <string>] [-callingstationid ( ENABLED | DISABLED )]
To remove an authentication action for an external RADIUS server by using the command line interface
To remove an existing RADIUS action, at the command prompt, type the following command:
rm authentication radiusAction <name>
Example
> rm authentication radiusaction Authn-Act-1
Done
To configure a RADIUS server by using the configuration utility
Note
In the configuration utility, the term server is used instead of action, but refers to the same task.
- Navigate to Security > AAA - Application Traffic > Policies > Authentication > Radius.
- In the details pane, on the Servers tab, do one of the following:
  - To create a new RADIUS server, click Add.
  - To modify an existing RADIUS server, select the server, and then click Edit.
- In the Create Authentication RADIUS Server or Configure Authentication RADIUS Server dialog, type or select the values for the parameters. To fill out parameters that appear beneath Send Calling Station ID, expand Details.
  - Name*—radiusActionName (Cannot be changed for a previously configured action)
  - Authentication Type*—authtype (Set to RADIUS, cannot be changed)
  - Server Name / IP Address*—Choose either Server Name or Server IP
    - Server Name*—serverName <FQDN>
    - IP Address*—serverIp <IP> If the server is assigned an IPv6 IP address, select the IPv6 check box.
  - Port*—serverPort
  - Time-out (seconds)*—authTimeout
  - Secret Key*—radKey (RADIUS shared secret.)
  - Confirm Secret Key*—Type the RADIUS shared secret a second time. (No command line equivalent.)
  - Send Calling Station ID—callingstationid
  - Group Vendor Identifier—radVendorID
  - Group Attribute Type—radAttributeType
  - IP Address Vendor Identifier—ipVendorID
  - pwdVendorID—pwdVendorID
  - Password Encoding—passEncoding
  - Default Authentication Group—defaultAuthenticationGroup
  - NAS ID—radNASid
  - Enable NAS IP address extraction—radNASip
  - Group Prefix—radGroupsPrefix
  - Group Separator—radGroupSeparator
  - IP Address Attribute Type—ipAttributeType
  - Password Attribute Type—pwdAttributeType
  - Accounting—accounting
- Click Create or OK. The policy that you created appears in the Servers page.