Citrix Systems CITRIX NETSCALER 9.3 User Manual

• Password Authentication Protocol
• Challenge-Handshake Authentication Protocol (CHAP)
• Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP Version 1 and Version 2)

If your deployment of the NetScaler is configured to use RADIUS authentication and
your RADIUS server is configured to use Password Authentication Protocol, you can
strengthen user authentication by assigning a strong shared secret to the RADIUS server.
Strong RADIUS shared secrets consist of random sequences of uppercase and lowercase
letters, numbers, and punctuation, and are at least 22 characters long. If possible, use
a random character generation program to determine RADIUS shared secrets.
To further protect RADIUS traffic, assign a different shared secret to each NetScaler
appliance or virtual server. When you define clients on the RADIUS server, you can also
assign a separate shared secret to each client. If you do this, you must separately
configure each NetScaler policy that uses RADIUS authentication.
Shared secrets are configured on the NetScaler when a RADIUS policy is created.

Configuring IP address extraction

You can configure the NetScaler to extract the IP address from a RADIUS server. When a
user authenticates with the RADIUS server, the server returns a framed IP address that
is assigned to the user. The following are attributes for IP address extraction:
• Allows a remote RADIUS server to supply an IP address from the internal network for
  a user logged on to the NetScaler.
• Allows configuration for any RADIUS attribute using the type ipaddress, including
  those that are vendor encoded.

When configuring the RADIUS server for IP address extraction, you configure the vendor
identifier and the attribute type.
The vendor identifier enables the RADIUS server to assign an IP address to the client
from a pool of IP addresses that are configured on the RADIUS server. The vendor ID and
attributes are used to make the association between the RADIUS client and the RADIUS
server. The vendor ID is the attribute in the RADIUS response that provides the IP
address of the internal network. A value of zero indicates that the attribute is not
vendor encoded. The attribute type is the remote IP address attribute in a RADIUS
response. The minimum value is one and the maximum value is 255.
A common configuration is to extract the RADIUS attribute framed IP address. The
vendor ID is set to zero or is not specified. The attribute type is set to eight.
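
The attribute lookup described above, written out as an added example (this is not code from the Citrix guide or from the NetScaler itself). It selects an ipaddress attribute from an Access-Accept by vendor ID and attribute type; the function names, the sample packets and vendor ID 99999 are constructed for illustration, and vendor sub-attributes are assumed to use the type-length-value layout that RFC 2865 recommends.

```python
import ipaddress
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute type

def iter_attributes(data):
    """Yield (type, value) for each type-length-value attribute in data."""
    pos = 0
    while pos < len(data):
        length = data[pos + 1] if pos + 1 < len(data) else 0
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        yield data[pos], data[pos + 2:pos + length]
        pos += length

def extract_ip(packet, vendor_id=0, attr_type=8):
    """Return the IPv4 address selected by vendor_id/attr_type, or None."""
    if not 1 <= attr_type <= 255:
        raise ValueError("attribute type must be 1..255")
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    for a_type, value in iter_attributes(packet[20:length]):
        candidate = None
        if vendor_id == 0:
            # Not vendor encoded: match the top-level attribute type.
            candidate = value if a_type == attr_type else None
        elif (a_type == VENDOR_SPECIFIC and len(value) >= 4
              and struct.unpack("!I", value[:4])[0] == vendor_id):
            # Vendor encoded: 4-byte vendor ID, then vendor sub-attributes.
            subs = iter_attributes(value[4:])
            candidate = next((v for t, v in subs if t == attr_type), None)
        if candidate is not None:
            if len(candidate) != 4:
                raise ValueError("ipaddress attribute must be 4 bytes")
            return ipaddress.IPv4Address(candidate)
    return None

def build_accept(attrs):
    """Constructed sample: Access-Accept (code 2), zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: Framed-IP-Address, and a VSA for made-up vendor 99999.
STANDARD = build_accept([(8, bytes([10, 20, 30, 40]))])
VENDOR = build_accept(
    [(VENDOR_SPECIFIC, struct.pack("!I", 99999) + bytes([1, 6, 192, 168, 5, 9]))])
```

The example skips the Response Authenticator check; a RADIUS client verifies it with the shared secret before trusting any attribute in the reply.
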

To configure IP address extraction by using the configuration utility

1. In the navigation pane, expand System, and then click Authentication.
2. On the Policies tab, click Open.
3. In the Configure Authentication Policy dialog box, next to Server, click Modify.
4. Under Details, in Group Vendor Identifier, type the value.
Citrix NetScaler Administration Guide