How to Implement RSA Authentication by using the RADIUS Protocol for Access Gateway Standard Edition


Article ID: CTX121983


Description

This document contains information about implementing the RSA authentication by using the Remote Authentication Dial In User Service (RADIUS) protocol for Access Gateway Standard Edition.


Instructions

The following components are required on the network to complete the procedures in this document:

  • An RSA server on either UNIX or Windows operating system

  • Any of the following Citrix Access Gateway software:
    Citrix Access Gateway Standard Edition release 4.6
    Citrix Access Gateway Standard Edition release 4.5.8

  • Additionally, you must have basic knowledge of the RADIUS protocol and the Administration Tools for the RSA ACE Authentication Server.

To implement the RSA authentication by using the RADIUS protocol for Access Gateway Standard Edition, complete the following procedures:

    Configuring the RSA Server

    To configure the RSA server to implement the RSA authentication by using the RADIUS protocol for Access Gateway Standard Edition, complete the following procedure:

    Note: If you do not have the RSA RADIUS Server component installed on the network, then refer to the RSA ACE/Server 6.0 for Windows Installation Guide for instructions.

    1. On the RSA server, select RSA ACE Server from the Programs menu.

    2. Select Database Administration - Host Mode from the RSA ACE Server menu.

    3. Click Agent Host in the RSA Authentication Manager Host Mode dialog box.

    4. Click Add Agent Host.

    5. In the Add Agent Host dialog box, complete the following instructions to specify the values for the respective fields:

      • Name: Specify the fully qualified domain name (FQDN) of the Access Gateway appliance. After specifying the FQDN, press Tab.

      • Network Address: The value for the Network Address field is automatically populated. However, if this field does not have a value, then specify the NetScaler IP (NSIP) of the Access Gateway appliance.

      • Agent Type: Select the Communication Server option from the Agent Type list.

      • Select the Open to All Locally Known Users option. If you do not want to allow all the users imported to the RSA server, then click User Activations and import the users that are allowed to authenticate through the Access Gateway.

      • Ensure the Node Secret Created option is not selected. This option is automatically selected the first time a user from the Access Gateway is authenticated by the RADIUS Server. You can verify this later by opening the properties of the Agent Host and observing that the Node Secret Created option is selected.

      The following screen shot displays the sample values for the various fields in the Add Agent Host dialog box:

      User-added image

    6. Click OK.

    7. If not already created, then create an Agent Host entry for the RSA server by repeating Steps 3 and 4.

    8. In the Add Agent Host dialog box, complete the following instructions to specify the values for the respective fields:

      • Name: Specify the FQDN of the RSA server. After specifying the FQDN, press Tab.

      • Network Address: The value for the Network Address field is automatically populated. However, if this field does not have a value, then specify the IP address of the RSA server.

      • Agent Type: Select the Net OS Agent option from the Agent Type list.

      The following screen shot displays the sample values for the various fields in the Add Agent Host dialog box:

      User-added image
    9. Click OK.

    Changing the Default Port of the RSA Server

    By default, the RSA ACE/Server daemon listens on User Datagram Protocol (UDP) port 1645. It is not mandatory to change the port. However, the Access Gateway Standard Edition enables you to set the value for the listener port of the RADIUS server.

    To change the default port configured on the RSA server for RADIUS, complete the following procedure:

    1. On the RSA server, select RSA ACE Server from the Programs menu.

    2. Select Configuration Tools from the RSA ACE Server menu.

    3. Select Configuration Management from the Configuration Tools menu.

    4. In the RSA ACE/Server Configuration Management dialog box, click Edit.

    5. Read the instructions available in the Reminder dialog box and click OK.

    6. In the Services group, type the required port number in the Port Number fields for RADIUS, such as 1812, as shown in the following screenshot:

      User-added image
    7. Click OK.
    8. Open the Service node and restart the RSA ACE/Server RADIUS daemon.

    Configuring the Access Gateway Standard Edition

    To configure the Access Gateway Standard Edition to implement the RSA authentication by using the RADIUS protocol for Access Gateway Standard Edition, complete the following procedure:
    1. Activate the Authentication tab.

    2. Type the name of the authentication realm in the Realm name field.
      Note: If the site has multiple authentication realms, specify a name that identifies the RADIUS realm. Realm names are case sensitive and can contain embedded spaces.

    3. Select the One Source option.

    4. Click Add.

    5. Select the RADIUS Authentication option from the Authentication type list.

    6. Click OK.

    7. In the IP address field of the dialog box for the authentication realm, specify the IP address of the RSA/ACE Authentication Server running the RADIUS daemon.

    8. In the Port field, specify the port number you have configured for the RSA server, such as 1812.

    9. In the Server Secret field, type the RADIUS server secret as shown in the following screen shot:

      User-added image
    10. The server secret is configured manually on the RADIUS server and on the Access Gateway.
      Important!: Ensure that you use a strong server secret. A strong secret is one that is at least eight characters long and includes a combination of letters, numbers, and symbols.

    11. If you use a secondary RADIUS server, specify its details in the Secondary RADIUS Server Settings section.

    12. Click Submit.

      Issue/Introduction

      This article describes how to implement the RSA authentication by using the Remote Authentication Dial In User Service (RADIUS) protocol for Access Gateway Standard Edition.