Authentication policies

When users log on to the Citrix ADC or Citrix Gateway appliance, they are authenticated according to a policy that you create. An authentication policy comprises an expression and an action. Authentication policies use Citrix ADC expressions.

After creating an authentication action and an authentication policy, bind the policy to an authentication virtual server and assign it a priority. When binding it, also designate it as either a primary or a secondary policy. Primary policies are evaluated before secondary policies. In configurations that use both types of policy, primary policies are normally more specific, while secondary policies are normally more general: they are intended to handle authentication for any user accounts that do not meet the more specific criteria. The policy defines the authentication type. A single authentication policy can be used for simple authentication needs and is typically bound at the global level. You can also use the default authentication type, which is local. If you configure local authentication, you must also configure users and groups on the appliance.

You can configure multiple authentication policies and bind them to virtual servers to create a detailed authentication procedure. For example, you can configure cascading and two-factor authentication by configuring multiple policies. You can also set the priority of the authentication policies to determine which servers the appliance uses to check user credentials, and in which order. An authentication policy includes an expression and an action. For example, if you set the expression to the True value, the expression evaluates to true whenever users log on, the action is applied, and users then have access to network resources.

After you create an authentication policy, you bind the policy at either the global level or to virtual servers. When you bind at least one authentication policy to a virtual server, any authentication policies that you bound to the global level are not used when users log on to the virtual server, unless the global authentication type has a higher precedence than the policy bound to the virtual server.

When a user logs on to the appliance, authentication is evaluated in the following order:

  • The virtual server is checked for any bound authentication policies.
  • If authentication policies are not bound to the virtual server, the appliance checks for global authentication policies.
  • If an authentication policy is not bound to a virtual server or globally, the user is authenticated through the default authentication type.

If you configure LDAP and RADIUS authentication policies and want to bind the policies globally for two-factor authentication, you can select the policy in the configuration utility and then select whether the policy is the primary or secondary authentication type. You can also configure a group extraction policy.

Note:

The Citrix ADC or the Citrix Gateway appliance encodes only UTF-8 characters for authentication, and it is not compatible with servers that use ISO-8859-1 characters.

Create an authentication policy

Create an authentication policy by using the GUI

  1. Navigate to Security > AAA - Application Traffic > Policies > Authentication, and then select the type of policy that you want to create. For Citrix Gateway, navigate to Citrix Gateway > Policies > Authentication.
  2. In the details pane, on the Policies tab, do one of the following:

    • To create a new policy, click Add.
    • To modify an existing policy, select the action, and then click Edit.
  3. In the Create Authentication Policy or Configure Authentication Policy dialog, type or select the values for the parameters.

    • Name — policy name (cannot be changed for a previously configured action)
    • Authentication Type — authtype
    • Server — authVsName
    • Expression — rule (You enter expressions by first choosing the type of expression in the leftmost drop-down list beneath the Expression window, and then by typing your expression directly into the expression text area, or by clicking Add to open the Add Expression dialog box and using the drop-down lists in it to construct your expression.)
  4. Click Create or OK. The policy that you created appears in the Policies page.
  5. Click the Servers tab, and in the details pane do one of the following:

    • To use an existing server, select it, and then click.
    • To create a server, click Add, and follow the instructions.
  6. If you want to designate this policy as a secondary authentication policy, on the Authentication tab, click Secondary. If you want to designate this policy as a primary authentication policy, skip this step.
  7. Click Insert Policy.
  8. Choose the policy you want to bind to the authentication virtual server from the drop-down list.
  9. In the Priority column to the left, modify the default priority to ensure that the policy is evaluated in the proper order.
  10. Click OK. A message appears in the status bar, stating that the policy has been configured successfully.

Modify an authentication policy by using the GUI

You can modify configured authentication policies and profiles, such as the IP address of the authentication server or the expression.

  1. In the configuration utility, on the Configuration tab, expand Citrix Gateway > Policies > Authentication. Note: You can also configure the policy from Security > AAA - Application Traffic > Policies > Authentication, and then select the type of policy that you want to modify.
  2. In the navigation pane, under Authentication, select an authentication type.
  3. In the details pane, on the Servers tab, select a server and then click Open.

Remove an authentication policy by using the GUI

If you changed or removed an authentication server from your network, remove the corresponding authentication policy from Citrix Gateway.

  1. In the configuration utility, on the Configuration tab, expand Citrix Gateway > Policies > Authentication. Note: To configure from ADC, navigate to Security > AAA - Application Traffic > Policies > Authentication, and then select the type of policy that you want to remove.
  2. In the navigation pane, under Authentication, select an authentication type.
  3. In the details pane, on the Policies tab, select a policy and then click Remove.

Create an authentication policy by using the CLI

At the command prompt, type the following commands:

add authentication negotiatePolicy <name> <rule> <reqAction>

show authentication localPolicy <name>

bind authentication vserver <name> -policy <policyname> [-priority <priority>] [-secondary]

show authentication vserver <name>
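
The following is an added example, not Citrix code: a small Python audit helper that reads bind authentication vserver lines in the syntax shown above and applies the evaluation order this page describes (virtual server bindings, then global bindings, then the default local type), which makes it easy to spot virtual servers that fall through to local authentication. The policy and virtual server names, the global_policies parameter and the handling of a missing -priority are assumptions, and the exception for a global authentication type with higher precedence is not modelled.

```python
import re

NO_PRIORITY = 2**31  # assumption: a binding without -priority sorts last

def vserver_bindings(config_text):
    """Collect 'bind authentication vserver' lines per virtual server."""
    bindings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        head = re.match(r"bind\s+authentication\s+vserver\s+(\S+)", line, re.I)
        policy = re.search(r"\s-policy\s+(\S+)", line, re.I)
        if not (head and policy):
            continue
        prio = re.search(r"\s-priority\s+(\d+)", line, re.I)
        bank = "secondary" if re.search(r"\s-secondary\b", line, re.I) else "primary"
        entry = bindings.setdefault(head.group(1), {"primary": [], "secondary": []})
        entry[bank].append((int(prio.group(1)) if prio else NO_PRIORITY, policy.group(1)))
    return bindings

def effective_auth(config_text, vserver, global_policies=()):
    """Apply the page's order: virtual server, then global, then default."""
    bound = vserver_bindings(config_text).get(vserver)
    if bound:
        # Lower priority numbers are evaluated first.
        return {"source": "vserver",
                "primary": [p for _, p in sorted(bound["primary"])],
                "secondary": [p for _, p in sorted(bound["secondary"])]}
    if global_policies:
        return {"source": "global", "primary": list(global_policies), "secondary": []}
    return {"source": "default", "primary": ["local"], "secondary": []}

# Constructed sample; policy and virtual server names are hypothetical.
SAMPLE_CONFIG = """\
bind authentication vserver auth_vs1 -policy pol_radius -priority 100 -secondary
bind authentication vserver auth_vs1 -policy pol_ldap_general -priority 200
bind authentication vserver auth_vs1 -policy pol_ldap_admins -priority 100
"""

if __name__ == "__main__":
    for vs in ("auth_vs1", "auth_vs2"):
        print(vs, effective_auth(SAMPLE_CONFIG, vs))
```
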