As with other types of authentication policies, a Remote Authentication Dial In User Service (RADIUS) authentication policy is comprised of an expression and an action. After creating an authentication policy, you bind it to an authentication virtual server and assign a priority to it. When binding it, you also designate it as either a primary or a secondary policy. However, setting up a RADIUS authentication policy has certain special requirements that are described below.
Normally you configure the NetScaler ADC to use the IP address of the authentication server during authentication. With RADIUS authentication servers, you can now configure the ADC to use the FQDN of the RADIUS server instead of its IP address to authenticate users. Using an FQDN can simplify an otherwise much more complex AAA configuration in environments where the authentication server might be at any of several IP addresses, but always uses a single FQDN. To configure authentication by using a server's FQDN instead of its IP address, you follow the normal configuration process except when creating the authentication action. When creating the action, you substitute the serverName parameter for the serverIP parameter.
Before you decide whether to configure the ADC to use the IP or the FQDN of your RADIUS server to authenticate users, consider that configuring AAA to authenticate to an FQDN instead of an IP address adds an extra step to the authentication process. Each time the ADC authenticates a user, it must resolve the FQDN. If a great many users attempt to authenticate simultaneously, the resulting DNS lookups might slow the authentication process.
For more information about setting up authentication policies in general, see "Authentication Policies." For more information about NetScaler expressions, which are used in the policy rule, see the Citrix NetScaler Policy Configuration and Reference Guide at "Policies and Expressions."
If you authenticate to a RADIUS server, you need to add an explicit authentication action. To do this, at the command prompt, type the following command:
The following example adds a RADIUS authentication action named Authn-Act-1, with the server IP 10.218.24.65, the server port 1812, the authentication timeout 15 minutes, the radius key WareTheLorax, NAS IP disabled, and NAS ID NAS1.
> add authentication radiusaction Authn-Act-1 -serverip 10.218.24.65 -serverport 1812 -authtimeout 15 -radkey WareTheLorax -radNASip DISABLED -radNASid NAS1 Done
The following example adds the same RADIUS authentication action, but using the server FQDN rad01.example.com instead of the IP.
> add authentication radiusaction Authn-Act-1 -serverName rad01.example.com -serverport 1812 -authtimeout 15 -radkey WareTheLorax -radNASip DISABLED -radNASid NAS1 Done
To configure an existing RADIUS action, at the NetScaler command prompt, type the following command:
To remove an existing RADIUS action, at the command prompt, type the following command:
> rm authentication radiusaction Authn-Act-1 Done