Jump to content
Welcome to our new Citrix community!

Citrix ADC SDX/VPX/LOM Management Console Access Using Radius


Recommended Posts

  • 3 months later...



I had to do this recently using Cisco ISE, here is how I did it. I was able to get group extraction to work using this method:


This article was very helpful 


https://discussions.citrix.com/topic/408710-citrix-adc-radius-group-extraction/. From a high level here is what I did:


***Create a device group for the Netscaler in ISE:


-Work Centers -> Network Resources -> Network Device groups. I called this group "Netscalers" and put it under the "All Device Types" umbrella.


***Add the Netscaler as a Network resource in ISE:


-Work Centers-> Device Administration -> Network Resources. Configure all the typical Radius information using the new "Netscaler" device type as the device type. Typically the Netscaler IP (NSIP) will be used as the IP address for this purpose.


***Configure a Radius Authentication Policy in the Netscaler***


-In the Netscaler when creating the Radius server object, be sure to enter the Group Attribute Type of "25" as this will be used in the Radius Authorization Profile in ISE to send back the attribute linking the user login to the command policy set (superuser, readonly etc). (Netscaler image attached)


***Configure the Command Policy set Group in the Netscaler***


-In the Netscaler go to System --> User Administration --> Groups. Create a superuser group, I called mine "Citrix Admins" and bound the "superuser" command policy set to it. Repeat this process for all other RBAC types you wish. I created another one called "Citrix RO" and bound the "read-only" policy to it.


***Create the Radius Authorization Profile in ISE***


-In ISE go to Work Centers -->Network Access --> Policy Elements --> Results --> Authorization Profiles. Here is where we tell ISE to send back the Radius response telling the Netscaler which command policy set we want the user to have. Click "Add" and give the profile a name (Citrix Admins) for example. Toward the bottom in Advanced Attribute Settings select Radius-->Class--[25] and in the value section type in the name of the command policy group you created in the Netscaler in the previous step. In my case the name of the group is "Citrix Admins". Create separate Authorization policies for any other Command Policy Groups you created in the previous step. In my case, I created another one called "Citrix RO". (Radius Auth image attached)


***Create the Authentication and Authorization Policy in ISE


-In ISE go to Work Centers --> Network Access --> Policy Sets. Add a new policy. we are using the Network Device type as the condition so in this case use Device: Device Type EQUALS Netscaler. In the Authorization policy portion of the Policy Set, we are using the AD group of the user as the condition to dictate what Radius Authorization profile they get. So if the user is in an AD group that needs full access they will get "Citrix Admins" if they're in another group that only needs Read Only access they will get "Citrix RO"


I hope this was useful! 

Radius Auth.png

Netscaler Image.png

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...