Citrix

How to Implement RSA Authentication for Access Gateway Enterprise Edition

  • CTX113640
  • Created on May 08, 2014
  • Updated on May 23, 2014
  • Article Topic: Configuration

Objective

This article describes how to implement RSA authentication for Access Gateway Enterprise Edition. 

Note: This article assumes basic RADIUS knowledge and familiarity with the NetScaler command line interface (CLI) and Access Gateway Enterprise Edition.

Background

This article describes the following RADIUS integrations with RSA:
  • RSA version 6.1, which is shipped with the Steel-Belted Radius (SBR) server component

  • RSA version 6.0 and earlier, which has an RSA ACE/Server daemon

Note: Both the RSA ACE/Server daemon and the SBR component can be installed on a running RSA server. Consult your product documentation for more information on how to complete this task.

Instructions

The following procedure details how to configure Access Gateway Enterprise Edition with RSA Authentication Manager Version 6.1 and Steel-Belted Radius installed on a Windows server:

RSA server configuration steps

Note: If the RSA RADIUS Server component is not installed, consult the RSA RADIUS Server 6.1 Administrator’s Guide for further instructions.
  1. On the RSA server, go to Start > Programs > RSA Security and launch RSA Authentication Manager Host Mode. The RSA Authentication Manager 6.1 Administrator window opens.

  2. Go to RADIUS and choose Manage RADIUS Server in the drop-down menu.
    The RSA RADIUS -- Powered by Steel-Belted Radius (RSA) window opens.


  3. In the right pane of the RSA RADIUS window, right-click RADIUS Clients and click Add. The Add RADIUS Client window opens.

  4. Provide the following configuration settings:

    • Name: Type the name of the Access Gateway Server.

    • Description: Type a description (not mandatory).

    • IP Address: Type the NetScaler IP (NSIP) address of the Access Gateway.

    • Shared secret: Type the shared secret between Access Gateway and the RADIUS server.

    • Make/model: Choose - Standard Radius - from the drop-down menu.

  5. Click OK. The Add RADIUS Client window closes.

  6. Close the RSA RADIUS – Powered by Steel-Belted Radius (RSA) window.

  7. In the RSA Authentication Manager Host Mode window, click Agent Host and choose Add Agent Host.

  8. Configure the following settings for your Access Gateway device:

    • Name: Provide the Fully Qualified Domain Name (FQDN) of the Access Gateway device. After providing the FQDN, press the TAB key and the Network address field should populate itself.

    • Network address: If this field does not populate itself, provide the NSIP of the Access Gateway.

    • Agent Type: Select Communication Server.

      Select the Open to All Locally Known Users check box. If not all the users imported on the RSA server are allowed, click User Activations... and import the users that are allowed to authenticate through the Access Gateway.

  9. If not already present, create an Agent Host entry for the RSA server itself. Refer to the following screen shot:

  10. Configure the following settings for your RSA server:

    • Name: Provide the FQDN of the RSA server. After providing the FQDN, press TAB and the Network Address field should populate itself.

    • Network Address: If it does not self-populate, provide the IP address of the RSA server.

    • Agent Type: Select RADIUS Server.

Additional configuration steps on the RSA server

  1. Import users (through Lightweight Directory Access Protocol (LDAP) synchronization) or create local users.

  2. Assign tokens to users.

  3. Consult your RSA product documentation for more information on how to finalize the RSA server configuration. 

Access Gateway configuration steps

  1. In the Citrix Access Gateway Enterprise Edition Configuration Utility, go to Access Gateway > Policies and select Authentication.

  2. On the right pane in the Authentication window, click Add. The Create Authentication Server window opens. Refer to the following screen shot:

  3. Select Radius and then choose Server in the right pane.


  4. Configure the following settings for the Access Gateway to connect to the RADIUS server:
    • Name: Type a name for the configured authentication server.

    • Authentication Type: Select RADIUS.

    • IP Address: Type the IP address of the RSA server.

    • RADIUS Key: Provide the key configured as the Shared Secret in the RSA RADIUS Client configuration.

  5. Click Create. The Create Authentication Server window closes. An entry with the name of your authentication server should appear in the right pane of the GUI.

  6. Click the Policies tab and click Add. The Create Authentication Policy window opens. Refer to the following screen shot:

  7. Configure the following settings for the authentication policy:

    • Name: Type a name for the authentication policy.

    • Authentication Type: Select RADIUS.

    • Server: Select the authentication server configured in Step 3.

    • Named Expressions: Click the right drop-down menu next to General and select ns_true. Click Add Expression. The "ns_true" string should appear in the Preview Expression window.

  8. Click Create. The Create Authentication Policy window closes. An entry with the name of the policy appears in the right pane.

  9. In the left pane, go to Access Gateway > Virtual Servers.

  10. Double-click the VPN vserver that you want to use for RSA authentication. The Configure VPN Virtual Server window opens.

  11. In the Configure Access Gateway Virtual Server window, click on the Authentication tab.

  12. In the Authentication window, select the Primary radio button as the primary authentication mechanism.

  13. The authentication policy created in Step 6 should appear.

  14. Bind the policy to your Access Gateway Virtual Server by selecting the policy from the drop-down list.


Corresponding CLI configuration steps

  1. Add the RADIUS authentication server by issuing the following commands:

    add authentication radiusAction <name> -serverIP <IP> -radKey <key> -encrypted
    add authentication radiusAction SBR_RSA -serverIP 10.10.0.27 -radKey people -encrypted
  2. Add a RADIUS policy and choose the existing RADIUS server configured above by issuing the following commands:

    add authentication radiusPolicy <name> <expression> <RADIUS server>
    add authentication radiusPolicy RSA_Pol1 ns_true SBR_RSA
  3. Bind the session policy to a VPN vserver by issuing the following commands:

    bind vpn vserver <name> -policy <policy name>
    bind vpn vserver testvpn -policy RSA_Pol1

The following procedure details how to configure Access Gateway Enterprise Edition with RSA ACE/Server version 6.0 and the RSA ACE/Server RADIUS daemon:

RSA ACE/Server version-specific settings

The RSA ACE/Server daemon listens on User Datagram Protocol (UDP) port 1645 by default. The following procedure describes how to change the listener port. Changing the RADIUS listener port is not required; the Access Gateway allows you to set the port value for the listener port of the RADIUS server.
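The RADIUS exchange that the Access Gateway performs against the RSA RADIUS listener, as an added Python example that is not part of this Citrix article: it builds an Access-Request with the PAP-hidden passcode (RFC 2865), verifies the Response Authenticator on the reply, and can probe the configured listener port (1812, or the ACE/Server default of 1645). The server address, NSIP, user name and passcode are placeholders; the shared secret must be the same value configured as -radKey on the Access Gateway and as the Shared secret of the RADIUS client entry on the RSA server.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4  # RFC 2865 attribute types

def encode_password(passcode, secret, req_auth):
    # PAP User-Password hiding (RFC 2865 5.2): pad to 16-byte blocks, XOR each block with
    # MD5(secret + previous ciphertext block); block one chains from the Request Authenticator.
    padded = passcode + b"\x00" * (-len(passcode) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def attribute(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_access_request(ident, username, passcode, secret, nas_ip, req_auth=None):
    # NAS-IP-Address carries the NSIP that the RSA RADIUS client entry must match.
    req_auth = req_auth or os.urandom(16)
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, encode_password(passcode, secret, req_auth))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_reply(code, ident, req_auth, secret, attrs=b""):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def reply_is_authentic(reply, req_auth, secret):
    # False when the server used a different shared secret or the reply was altered in transit.
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return len(reply) >= 20 and expected == reply[4:20]

def probe(server_ip, port, secret, username, passcode, nas_ip, timeout=3.0):
    # One Access-Request to the RSA RADIUS listener; reply code, or None when nothing valid returns.
    req = build_access_request(1, username, passcode, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (server_ip, port))
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            return None
    return reply[0] if reply_is_authentic(reply, req[4:20], secret) else None
```

A None result from probe() means no authentic reply arrived in time; the usual causes are the wrong listener port, a source IP that is not registered as a RADIUS client, or a shared secret mismatch. Because the RSA RADIUS server identifies clients by the request's source IP, run the probe from a host that is registered in its RADIUS Clients list; the NAS-IP-Address attribute alone does not make it trusted.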

RSA server configuration

If you do not have the RSA RADIUS Server component installed, consult the RSA ACE/Server 6.0 for Windows Installation Guide for instructions.

  1. On the RSA server, go to Start > Programs > RSA ACE Server and click Database Administration - Host Mode.

  2. In the RSA Authentication Manager Host Mode window, click Agent Host and choose Add Agent Host.

  3. Configure the following settings for your Access Gateway device:

    • Name: Provide the FQDN of the Access Gateway device. After providing the FQDN, press TAB. The Network Address field should populate itself.

    • Network Address: If this field does not populate itself, provide the NSIP of the Access Gateway.

    • Agent Type: Select Communication Server.
      Select the Open to All Locally Known Users check box. If not all the users imported on the RSA server are allowed, click User Activations... and import the users that are allowed to authenticate through the Access Gateway.

  4. Click Assign/Change Encryption Key... The Assign/Change Encryption Key window opens. In the Key field, provide the shared RADIUS key between the Access Gateway and the RSA RADIUS component.

  5. Create an Agent Host entry for the RSA server itself if it has not been created already.

  6. In the RSA Authentication Manager Host Mode window, click Agent Host and choose Add Agent Host.

  7. Configure the following settings for your RSA server:

    • Name: Provide the FQDN of the RSA server. After providing the FQDN, press TAB. The Network Address field should populate itself.

    • Network Address: If this field does not populate itself, provide the IP address of the RSA server.

    • Agent Type: Select Net OS Agent.

Complete the following procedure if you need to change the default port configured on the RSA server for RADIUS:
  1. Go to Start > Programs > RSA ACE Server > Configuration Tools and click Configuration Management.

  2. The RSA ACE/Server Configuration Management window opens. Click Edit. A REMINDER window opens with further instructions.

  3. Read the instructions and click OK. The RSA ACE/Server Configuration Management window opens.

  4. In the Services section, type 1812 in the RADIUS field under the Port Number column. Refer to the following screen shot:

  5. Click OK to save the settings and close the window.

  6. Open the Service node and restart the RSA ACE/Server RADIUS daemon.

Additional Resources

For Access Gateway-related configuration information, refer to the procedure outlined in the Access Gateway configuration steps section of this article.
