Responder Policy doesn't get hit post upgrade to 12.1 build 57.18


Hi Team,

I had a responder policy HTTP.REQ.USER.IS_MEMBER_OF("Group") with action redirect to site "https://work.com" working in 12.0. Post upgrade to 12.1, the redirect is broken. When I look at the policy, there are no hits to the policy.

I read HTTP.REQ.USER is deprecated and to use AAA.USER. So I modified my policy to AAA.USER.IS_MEMBER_OF("Group") and it did not fix the issue. Called support and the tech believes it might be a bug on that build, but I tested on 13.0 firmware and the experience is the same. Not really sure if this is a bug.

Any thoughts or direction to help resolve this?

Thanks

CT

If it is a bug, there may not be a lot to do without engineering involvement.

But assuming, for a second, it's not a bug and is related to config or other stuff that is fixable, then you would start with the following to confirm:

1) Confirm the user account in the group membership is the one you expect.

shell
cd /tmp
cat aaad.debug

During the user authentication, you can view the aaad.debug output to confirm the group extraction list.

If necessary, compare the group name and the group list on AD as well.

2) Verify the authentication policy or other details didn't change. Settings in the LDAP policy such as nested group extraction, bind DN, or search filters might affect the group retrieval or valid authentication settings.

Double-check the group membership in AD and the group name on ADC. Check if Group in the expression exactly matches the Group Name (not display name) in AD (including case, just in case).

3) Confirm the responder policy settings, such as feature enabled, policy binding, and whether you are hitting an lb or cs or vpn vserver. If lb or cs, are they still integrated with an authentication vserver or not?

Do you see any responder policy hits?

Can you change the criteria temporarily to anything else to see if a different group works or a non-AAA expression works?
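
The exact-match check from step 2 above, as an added example that is not part of the original posts: a POSIX shell helper that pulls the group literal out of an IS_MEMBER_OF("...") expression and compares it with a pasted list of extracted groups, one name per line. The function names and the sample group list are constructed for illustration; the thread does not say whether the appliance compares group names case-sensitively, so a case difference is only reported, not judged.

```sh
# Added example, not from the thread. Function names are hypothetical.

# Print the quoted group name from ...IS_MEMBER_OF("name"); empty if absent.
expr_group() {
    printf '%s\n' "$1" | sed -n 's/.*IS_MEMBER_OF("\([^"]*\)").*/\1/p'
}

# $1 = policy expression, $2 = extracted groups, one per line.
# Prints: exact | whitespace-in-expression:<g> | case-mismatch:<g> | missing
check_group() {
    want=$(expr_group "$1")
    if [ -z "$want" ]; then echo "no-group-in-expression"; return 2; fi
    printf '%s\n' "$2" | awk -v want="$want" '
        function trim(s) { gsub(/^[ \t\r]+|[ \t\r]+$/, "", s); return s }
        BEGIN { w = trim(want) }
        {
            g = trim($0)                 # pasted lines may carry stray blanks
            if (g == "") next
            if (g == want) exact = 1     # byte-for-byte match
            else if (g == w) ws = g      # literal has leading/trailing blanks
            else if (tolower(g) == tolower(w)) ci = g
        }
        END {
            if (exact) print "exact"
            else if (ws != "") print "whitespace-in-expression:" ws
            else if (ci != "") print "case-mismatch:" ci
            else print "missing"
        }'
}

# Constructed sample: group names as they might be copied from the
# group extraction list during a logon.
SAMPLE_GROUPS='Domain Users
vpn-redirect
Helpdesk'

check_group 'AAA.USER.IS_MEMBER_OF("VPN-Redirect")' "$SAMPLE_GROUPS"
```
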

 

 

 

5 hours ago, Rhonda Rowland1709152125 said:

> If it is a bug, there may not be a lot to do without engineering involvement.
>
> But assuming, for a second, it's not a bug and is related to config or other stuff that is fixable, then you would start with the following to confirm:
>
> 1) Confirm the user account in the group membership is the one you expect.
>
> shell
> cd /tmp
> cat aaad.debug
>
> During the user authentication, you can view the aaad.debug output to confirm the group extraction list.
>
> If necessary, compare the group name and the group list on AD as well.
>
> 2) Verify the authentication policy or other details didn't change. Settings in the LDAP policy such as nested group extraction, bind DN, or search filters might affect the group retrieval or valid authentication settings.
>
> Double-check the group membership in AD and the group name on ADC. Check if Group in the expression exactly matches the Group Name (not display name) in AD (including case, just in case).
>
> 3) Confirm the responder policy settings, such as feature enabled, policy binding, and whether you are hitting an lb or cs or vpn vserver. If lb or cs, are they still integrated with an authentication vserver or not?
>
> Do you see any responder policy hits?
>
> Can you change the criteria temporarily to anything else to see if a different group works or a non-AAA expression works?

Thanks for your inputs, Rhonda. I should have provided more details in the original request, my apologies :)

#1. Yes, I already did run an aaad.debug to confirm the group extraction, and the group is being listed when the user logs on.

#2. The NS are in an HA pair; we just upgraded the secondary to 12.1 and observed the issue on the upgraded node. If I fail back to the 12.0 node in the HA pair, it works.

#3. The feature is enabled; if not, I will not be able to create a responder policy. The responder policy is bound to Citrix Gateway.

#4. No hits to the responder policy (I did mention that in the original post). If I fail to the node with 12.0, I do see hits on the responder policy. I have also tried with other group names for validation and different users.

Hope this helps