Product Documentation

RADIUS Authentication Policies

Aug 31, 2016

As with other types of authentication policies, a Remote Authentication Dial In User Service (RADIUS) authentication policy consists of an expression and an action. After creating an authentication policy, you bind it to an authentication virtual server and assign a priority to it. When binding it, you also designate it as either a primary or a secondary policy. However, setting up a RADIUS authentication policy has certain special requirements, which are described below.

Normally you configure the NetScaler ADC to use the IP address of the authentication server during authentication. With RADIUS authentication servers, you can now configure the ADC to use the FQDN of the RADIUS server instead of its IP address to authenticate users. Using an FQDN can simplify an otherwise much more complex AAA configuration in environments where the authentication server might be at any of several IP addresses, but always uses a single FQDN. To configure authentication by using a server's FQDN instead of its IP address, you follow the normal configuration process except when creating the authentication action. When creating the action, you substitute the serverName parameter for the serverIP parameter.

Before you decide whether to configure the ADC to use the IP or the FQDN of your RADIUS server to authenticate users, consider that configuring AAA to authenticate to an FQDN instead of an IP address adds an extra step to the authentication process. Each time the ADC authenticates a user, it must resolve the FQDN. If a great many users attempt to authenticate simultaneously, the resulting DNS lookups might slow the authentication process.

Note: These instructions assume that you are already familiar with the RADIUS protocol and have already configured your chosen RADIUS authentication server.

For more information about setting up authentication policies in general, see "Authentication Policies." For more information about NetScaler expressions, which are used in the policy rule, see the Citrix NetScaler Policy Configuration and Reference Guide at "Policies and Expressions."

To add an authentication action for a RADIUS server by using the command line interface

If you authenticate to a RADIUS server, you need to add an explicit authentication action. To do this, at the command prompt, type the following command:

add authentication radiusAction <name> [-serverip <IP> | -serverName <FQDN>] [-serverPort <port>] [-authTimeout <positive_integer>] {-radKey } [-radNASip ( ENABLED | DISABLED )] [-radNASid <string>] [-radVendorID <positive_integer>] [-radAttributeType <positive_integer>] [-radGroupsPrefix <string>] [-radGroupSeparator <string>] [-passEncoding <passEncoding>] [-ipVendorID <positive_integer>] [-ipAttributeType <positive_integer>] [-accounting ( ON | OFF )] [-pwdVendorID <positive_integer> [-pwdAttributeType <positive_integer>]] [-defaultAuthenticationGroup <string>] [-callingstationid ( ENABLED | DISABLED )]

Example

The following example adds a RADIUS authentication action named Authn-Act-1, with the server IP 10.218.24.65, the server port 1812, the authentication timeout 15 minutes, the radius key WareTheLorax, NAS IP disabled, and NAS ID NAS1.

> add authentication radiusaction Authn-Act-1 -serverip 10.218.24.65 -serverport 1812 -authtimeout 15 -radkey WareTheLorax -radNASip DISABLED -radNASid NAS1
Done

The following example adds the same RADIUS authentication action, but using the server FQDN rad01.example.com instead of the IP.

> add authentication radiusaction Authn-Act-1 -serverName rad01.example.com -serverport 1812 -authtimeout 15 -radkey WareTheLorax -radNASip DISABLED -radNASid NAS1
Done
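As an added example that is not part of the Citrix documentation, the following Python checker parses an add authentication radiusAction command such as the two above and lints it against the syntax given earlier on this page: exactly one of -serverip or -serverName, a mandatory -radKey, positive integers and enumerated keywords where the syntax requires them, and no unknown parameters. The parameter table is transcribed from the syntax line; parameter names are matched case-insensitively because the page itself mixes -serverPort and -serverport.

```python
import shlex

# Parameter classes transcribed from the command syntax on this page.
POSITIVE_INT = {"authtimeout", "radvendorid", "radattributetype", "ipvendorid",
                "ipattributetype", "pwdvendorid", "pwdattributetype"}
ENUMS = {"radnasip": {"ENABLED", "DISABLED"},
         "callingstationid": {"ENABLED", "DISABLED"},
         "accounting": {"ON", "OFF"}}
STRINGS = {"serverip", "servername", "serverport", "radkey", "radnasid",
           "radgroupsprefix", "radgroupseparator", "passencoding",
           "defaultauthenticationgroup"}


def parse_radius_action(cmd):
    """Return (name, {param_lowercase: value}) for one CLI line.

    A leading '> ' prompt is tolerated so examples can be pasted as shown.
    """
    tokens = shlex.split(cmd.lstrip("> ").strip())
    if [t.lower() for t in tokens[:3]] != ["add", "authentication", "radiusaction"]:
        raise ValueError("not an 'add authentication radiusAction' command")
    name, rest, params = tokens[3], tokens[4:], {}
    i = 0
    while i < len(rest):
        if not rest[i].startswith("-"):
            raise ValueError(f"unexpected token {rest[i]!r}")
        key = rest[i][1:].lower()
        # Every parameter on the page takes exactly one value.
        if i + 1 >= len(rest) or rest[i + 1].startswith("-"):
            raise ValueError(f"-{key} has no value")
        params[key] = rest[i + 1]
        i += 2
    return name, params


def lint_radius_action(cmd):
    """Return a list of problems; an empty list means the line matches the syntax."""
    _name, p = parse_radius_action(cmd)
    problems = []
    if ("serverip" in p) == ("servername" in p):
        problems.append("specify exactly one of -serverip or -serverName")
    if "radkey" not in p:
        problems.append("-radKey (RADIUS shared secret) is required")
    for k, v in p.items():
        if k in POSITIVE_INT and not (v.isdigit() and int(v) > 0):
            problems.append(f"-{k} must be a positive integer, got {v!r}")
        elif k in ENUMS and v.upper() not in ENUMS[k]:
            problems.append(f"-{k} must be one of {sorted(ENUMS[k])}")
        elif k == "serverport" and not (v.isdigit() and 1 <= int(v) <= 65535):
            problems.append(f"-serverPort out of range: {v!r}")
        elif k not in POSITIVE_INT | ENUMS.keys() | STRINGS:
            problems.append(f"unknown parameter -{k}")
    return problems
```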

To configure an authentication action for an external RADIUS server by using the command line

To configure an existing RADIUS action, at the NetScaler command prompt, type the following command:

set authentication radiusAction <name> [-serverip <IP> | -serverName <FQDN>] [-serverPort <port>] [-authTimeout <positive_integer>] {-radKey } [-radNASip ( ENABLED | DISABLED )] [-radNASid <string>] [-radVendorID <positive_integer>] [-radAttributeType <positive_integer>] [-radGroupsPrefix <string>] [-radGroupSeparator <string>] [-passEncoding <passEncoding>] [-ipVendorID <positive_integer>] [-ipAttributeType <positive_integer>] [-accounting ( ON | OFF )] [-pwdVendorID <positive_integer> [-pwdAttributeType <positive_integer>]] [-defaultAuthenticationGroup <string>] [-callingstationid ( ENABLED | DISABLED )]

To remove an authentication action for an external RADIUS server by using the command line interface

To remove an existing RADIUS action, at the command prompt, type the following command:

rm authentication radiusAction <name>

Example

> rm authentication radiusaction Authn-Act-1 
Done

To configure a RADIUS server by using the configuration utility

Note: In the configuration utility, the term server is used instead of action, but refers to the same task.
  1. Navigate to Security > AAA - Application Traffic > Policies > Authentication > Radius.
  2. In the details pane, on the Servers tab, do one of the following:
    • To create a new RADIUS server, click Add.
    • To modify an existing RADIUS server, select the server, and then click Edit.
  3. In the Create Authentication RADIUS Server or Configure Authentication RADIUS Server dialog, type or select values for the parameters. To fill out parameters that appear beneath Send Calling Station ID, expand Details.
    • Name*—radiusActionName (Cannot be changed for a previously configured action)
    • Authentication Type*—authtype (Set to RADIUS, cannot be changed)
    • Server Name / IP Address*—Choose either Server Name or Server IP
      • Server Name*—serverName <FQDN>
      • IP Address*—serverIp <IP>. If the server is assigned an IPv6 address, select the IPv6 check box.
    • Port*—serverPort
    • Time-out (seconds)*—authTimeout
    • Secret Key*—radKey (RADIUS shared secret.)
    • Confirm Secret Key*—Type the RADIUS shared secret a second time. (No command line equivalent.)
    • Send Calling Station ID—callingstationid
    • Group Vendor Identifier—radVendorID
    • Group Attribute Type—radAttributeType
    • IP Address Vendor Identifier—ipVendorID
    • Password Vendor Identifier—pwdVendorID
    • Password Encoding—passEncoding
    • Default Authentication Group—defaultAuthenticationGroup
    • NAS ID—radNASid
    • Enable NAS IP address extraction—radNASip
    • Group Prefix—radGroupsPrefix
    • Group Separator—radGroupSeparator
    • IP Address Attribute Type—ipAttributeType
    • Password Attribute Type—pwdAttributeType
    • Accounting—accounting
  4. Click Create or OK. The server that you created appears on the Servers tab.