
Authentication for VPN


I have an LDAP VPN service.

But I need another VPN, but for local user auth. But only specific local users. I have 10 users locally.

I see that I can use a group (AAA Groups).

But how can I specify a group in auth for the VPN service?

I need some help about that.

Can anyone help me with that?



There are a couple of ways to limit authentication to only members of certain groups and have those outside the groups "fail authentication" as opposed to dealing with it post-authentication as a failed authorization event.


In general (for other scenarios, than the one you presented):

For LDAP Policies, you can change the scope of authentication accounts by changing either the base DN from the domain string (dc=demo,dc=com) to a specific OU or Group string. This would restrict authentication to only users/groups in the specific subset of the domain identified.


The other way to change scope of an LDAP policy, is to leave the Base DN the domain (dc=demo,dc=local) and then use an LDAP search filter to change the scope to an OU, group, or accounts with specific parameters.


For your specific scenario:

For you to use the LOCAL accounts, that won't work. But since you only need to account for a limited number of accounts, the other way to do this is via the Session Policy/Profile in use on the vpn vserver. Security > Advanced settings::Groups Allowed to Login. Set this field to the allowed Local AAA Group you are using (can take multiple groups, fyi). Then only accounts in this group will be allowed to login; accounts not a member will fail. Works for local groups or AD-based group extraction group names if needed.


Example shown below.

Note: I demo'd everything with advanced autho/session policies but classic authentication policies. If you need everything advanced, it would take AAA integration.  If you have a mixture of classic engine autho/session policies in use for your other vpn, you will need to be all classic or all advanced on the session policy side.  (Classic goes away in 13.1; so adjustments might be needed.)


So, for your vpn2 that will be local accounts only:

#1)  create vpn vserver

add vpn vserver vpn_vsrv_demo2 ssl <vip> 443

bind ssl vserver vpn_vsrv_demo2 -certkey <certkeyname>

#2) create AAA users with passwords as LOCAL accounts; be sure to disable the "external authentication" option (in GUI) if you want them actually managed as local accounts.  If done this way; these usernames SHOULD NOT overlap with existing LDAP account names.  This means local password supplied when creating the account.

#3) create aaa group whose name does not overlap with AD account group names to avoid conflicts (and I'll use ns_<name> to remind me that it is a ns local group)

add aaa user nsAdmin1 -password

add aaa user nsAdmin2 -password

#4) for this demo nsadmin3 will not be in the final allowed group.

add aaa group nsVPNAdmins
bind aaa group nsVPNAdmins -userName nsadmin2
bind aaa group nsVPNAdmins -userName nsadmin1


#5) For authorizations, you can either do it at the session policy bound to vpn vserver2 or as authorization policies bound to the AAA group. Just to limit access to members of this group only, I've set the authorization policy at the group level (there are multiple other ways to accomplish this).

add authorization policy autho_pol_allowedvpn2 true ALLOW

bind aaa group nsVPNAdmins -policy autho_pol_allowedvpn2 -priority 100 -gotoPriorityExpression END


#6)  Finally, the local authentication policy and the session policy to limit groups:

# additional session policy settings may be needed for vpn access requirements; split tunnel/intranet app settings/and additional authorization policies for what to connect over vpn...

add authentication localPolicy authe_pol_localonly ns_true
bind vpn vserver vpn_vsrv_demo2 -policy authe_pol_localonly -priority 100
add vpn sessionAction session_prof_localadminsonly -allowedLoginGroups nsVPNAdmins
add vpn sessionPolicy session_pol_localadminsonly true session_prof_localadminsonly
bind vpn vserver vpn_vsrv_demo2 -policy session_pol_localadminsonly -priority 100 -gotoPriorityExpression NEXT -type REQUEST


#6b) If you need to list multiple groups in the Allowed Login Groups field, a comma-separated list with no spaces can be used:
add vpn sessionAction session_prof_localadminsonly -transparentInterception OFF -clientlessVpnMode ON -allowedLoginGroups "nsVPNAdmins,nsVPNAdmins2"



This should point you in the right direction; update if you need more details.







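As an added example (not the poster's code, nor anything from Citrix): a small Python audit that parses NetScaler-style running-config lines and reports, per vpn vserver, whether login is limited by the Allowed Login Groups field from the answer above and which local AAA users fall inside or outside that limit. The config lines are constructed for the example and modelled on the commands in the answer; `audit_local_login` and `_opt` are names I chose.

```python
import shlex
from collections import defaultdict

# Constructed sample running-config (not the poster's real output), modelled on
# the answer above: nsAdmin3 is a local user left out of the allowed group
# (step #4), and vpn_vsrv_other has no -allowedLoginGroups set at all.
SAMPLE_CONFIG = """\
add aaa user nsAdmin1 -password REDACTED
add aaa user nsAdmin2 -password REDACTED
add aaa user nsAdmin3 -password REDACTED
add aaa group nsVPNAdmins
bind aaa group nsVPNAdmins -userName nsAdmin2
bind aaa group nsVPNAdmins -userName nsAdmin1
add vpn sessionAction session_prof_localadminsonly -allowedLoginGroups "nsVPNAdmins,nsVPNAdmins2"
add vpn sessionPolicy session_pol_localadminsonly true session_prof_localadminsonly
bind vpn vserver vpn_vsrv_demo2 -policy session_pol_localadminsonly -priority 100 -type REQUEST
add vpn sessionAction session_prof_other -splitTunnel ON
add vpn sessionPolicy session_pol_other true session_prof_other
bind vpn vserver vpn_vsrv_other -policy session_pol_other -priority 100 -type REQUEST
"""

def _opt(tokens, name):
    # Value following CLI option `name` (e.g. -userName), or None if absent.
    return tokens[tokens.index(name) + 1] if name in tokens else None

def audit_local_login(config):
    """Per vpn vserver: is login limited by allowedLoginGroups, and which local AAA
    users are inside / outside that limit. No allowedLoginGroups on any bound
    session profile means every local user is accepted (the failure mode to catch)."""
    users, members = set(), defaultdict(set)
    action_groups, policy_action, vs_policies = {}, {}, defaultdict(list)
    for line in config.splitlines():
        t = shlex.split(line)                           # handles the quoted group list
        if t[:3] == ["add", "aaa", "user"]:
            users.add(t[3])
        elif t[:3] == ["bind", "aaa", "group"] and _opt(t, "-userName"):
            members[t[3]].add(_opt(t, "-userName"))
        elif t[:3] == ["add", "vpn", "sessionAction"]:
            raw = _opt(t, "-allowedLoginGroups")        # comma-separated, no spaces
            action_groups[t[3]] = set(raw.split(",")) if raw else set()
        elif t[:3] == ["add", "vpn", "sessionPolicy"]:
            policy_action[t[3]] = t[5]                  # <name> <rule> <action>
        elif t[:3] == ["bind", "vpn", "vserver"] and _opt(t, "-policy"):
            vs_policies[t[3]].append(_opt(t, "-policy"))
    report = {}
    for vs, policies in vs_policies.items():
        groups = set().union(*(action_groups.get(policy_action.get(p), set()) for p in policies))
        allowed = set().union(*(members[g] for g in groups))   # unknown group = no members
        report[vs] = {"restricted": bool(groups),
                      "can_login": sorted(users & allowed if groups else users),
                      "locked_out": sorted(users - allowed if groups else set())}
    return report
```

Run it against the output of `show ns runningConfig` to spot a vpn vserver whose session profile never got the Allowed Login Groups field, or a local user who was added but never bound to the group.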