
Configuring users and groups

After configuring the authentication, authorization, and auditing basic setup, you create users and groups. You first create a user account for each person who will authenticate via the Citrix ADC appliance. If you are using local authentication controlled by the Citrix ADC appliance itself, you create local user accounts and assign passwords to each of those accounts.

You also create user accounts on the Citrix ADC appliance if you are using an external authentication server. In this case, however, each user account must exactly match an account for that user on the external authentication server, and you do not assign passwords to the user accounts that you create on the Citrix ADC. The external authentication server manages the passwords for users that authenticate with the external authentication server.

If you are using an external authentication server, you can still create local user accounts on the Citrix ADC appliance if, for example, you want to allow temporary users (such as visitors) to log in but do not want to create entries for those users on the authentication server. You assign a password to each local user account, just as you would if you were using local authentication for all user accounts.

Each user account must be bound to policies for authentication and authorization. To simplify this task, you can create one or more groups and assign user accounts to them. You can then bind policies to groups instead of individual user accounts.

To create a local authentication, authorization, and auditing user account by using the command line interface

At the command prompt, type the following commands to create a local authentication, authorization, and auditing user account and verify the configuration:

  • add aaa user <username> [-password <password>]

  • show aaa user

    Example

> add aaa user user-2 -password emptybag
 Done
> show aaa user
1) UserName: user-1
2) UserName: user-2
 Done

To change the password for an existing authentication, authorization, and auditing local user account by using the command line interface

At the command prompt, type the following command and, when prompted, type the new password:

set aaa user <username>

Example

> set aaa user user-2
Enter password:
Done

To configure authentication, authorization, and auditing local users by using the configuration utility

  1. Navigate to Security > AAA - Application Traffic > Users.
  2. In the details pane, do one of the following:
    • To create a new user account, click Add.
    • To modify an existing user account, select the user account, and then click Open.
  3. In the Create AAA User dialog box, in the User Name text box, type a name for the user.
  4. If you are creating a locally authenticated user account, clear the External Authentication check box and provide a local password that the user will use to log on.
  5. Click Create or OK, and then click Close. A message appears in the status bar, stating that the user has been configured successfully.

To create authentication, authorization, and auditing local groups and add users to them by using the command line interface

At the command prompt, type the following commands. Type the add aaa group command one time to create the group, and type the bind aaa group command once for each user:

  • add aaa group <groupname>

  • show aaa group

    Example

     > add aaa group group-2
     Done
     > show aaa group
     1)      GroupName: group-1
     2)      GroupName: group-2
     Done
    
  • bind aaa group <groupname> -username <username>

    Example

     > bind aaa group group-2 -username user-2
      Done
     > show aaa group group-2
             GroupName: group-2
             UserName: user-2
      Done
    

To remove users from an authentication, authorization, and auditing group by using the command line interface

At the command prompt, unbind users from the group by typing the following command once for each user account that is bound to the group:

  • unbind aaa group <groupname> -username <username>

    Example

     > unbind aaa group group-hr -username user-hr-1
      Done
    

To remove an authentication, authorization, and auditing group by using the command line interface

First remove all users from the group. Then, at the command prompt, type the following command to remove an AAA group and verify the configuration:

  • rm aaa group <groupname>
  • show aaa group

    Example

     > rm aaa group group-hr
     Done
     > show aaa group
     1)  GroupName: group-1
     2)  GroupName: group-finance
     Done
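
The removal procedure above (unbind every user, then remove the group, then verify) can be generated from a captured "show aaa group <groupname>" listing. The following Python script is an added example, not part of the Citrix documentation: the function names, the name allow-list, and the sample capture are constructed for illustration, and it assumes a group with several members prints one UserName line per member in the format shown for group-2.

```python
import re

# Constructed sample capture, modeled on the "show aaa group group-2" output
# shown on this page. One UserName line per member is an assumption.
SAMPLE_SHOW_GROUP = """\
> show aaa group group-hr
        GroupName: group-hr
        UserName: user-hr-1
        UserName: user-hr-2
 Done
"""

# Matches "GroupName: x" / "UserName: x", with or without a leading "1)" index.
FIELD = re.compile(r"^\s*(?:\d+\)\s*)?(GroupName|UserName):\s*(.*\S)\s*$")
# Conservative allow-list for names placed into generated commands (assumption).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.@-]+$")


def parse_show_group(text):
    """Return (groupname, [usernames]) from one 'show aaa group <name>' capture."""
    group, users = None, []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # prompt lines, "Done", and blank lines
        key, value = m.groups()
        if key == "GroupName":
            if group is not None and value != group:
                raise ValueError("capture contains more than one group")
            group = value
        else:
            users.append(value)
    if group is None:
        raise ValueError("no GroupName line found")
    return group, users


def removal_commands(text):
    """Build the ordered command list: unbind every user, rm the group, verify."""
    group, users = parse_show_group(text)
    for name in [group, *users]:
        if not SAFE_NAME.match(name):  # fail closed on anything unexpected
            raise ValueError(f"refusing unexpected name: {name!r}")
    cmds = [f"unbind aaa group {group} -username {u}" for u in users]
    return cmds + [f"rm aaa group {group}", "show aaa group"]


if __name__ == "__main__":
    print("\n".join(removal_commands(SAMPLE_SHOW_GROUP)))
```

Review the generated commands before pasting them at the appliance prompt; the script only builds the list and does not connect to the appliance.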
    

To configure authentication, authorization, and auditing local groups and add users to them by using the configuration utility

  1. Navigate to Security > AAA - Application Traffic > Groups.
  2. In the details pane, do one of the following:
    • To create a new group, click Add.
    • To modify an existing group, select the group, and then click Edit.
  3. If you are creating a new group, in the Create AAA Group dialog box, in the Group Name text box, type a name for the group.
  4. In the Advanced area to the right, click AAA Users.

    • To add a user to the group, select the user, and then click Add.
    • To remove a user from the group, select the user, and then click Remove.
    • To create a new user account and add it to the group, click the Plus icon, and then follow the instructions in “To configure authentication, authorization, and auditing local users by using the configuration utility.”
  5. Click Create or OK. The group that you created appears in the AAA Groups page.