AAA

Authentication, authorization, and accounting (AAA) service configuration.

Configuration APIs


Use this method to create a AAA group and verify that the resulting configuration is correct.


Use this method to add a Kerberos constrained delegation account.


Use this method to add an action (profile) for endpoint analysis (EPA) clients before authentication.


Use this method to add a preauthentication policy. The policy defines the expressions to be evaluated by the endpoint analysis (EPA) tool.


Use this method to create an SSOProfile.


Use this method to add a local AAA user account and verify that the resulting configuration is correct.


Use this method to bind policy to aaa global.


Use this method to bind windowsprofile to aaa global.


Use this method to bind gotopriorityexpression to aaa group.


Use this method to bind intranetapplication to aaa group.


Use this method to bind intranetip to aaa group.


Use this method to bind intranetip6 to aaa group.


Use this method to bind policy to aaa group.


Use this method to bind secureprivateaccessprofile to aaa group.


Use this method to bind url to aaa group.


Use this method to bind user to aaa group.


Use this method to bind gotopriorityexpression to aaa user.


Use this method to bind intranetapplication to aaa user.


Use this method to bind intranetip to aaa user.


Use this method to bind intranetip6 to aaa user.


Use this method to bind policy to aaa user.


Use this method to bind secureprivateaccessprofile to aaa user.


Use this method to bind url to aaa user.


Use this method to check Kerberos configuration.


Use this method to get the current client certificate configuration on the Citrix ADC.


Use this method to get a list of policies that are currently bound to Global on the Citrix ADC.


Use this method to get the current configuration of a AAA group.


Use this method to get KCD accounts.


Use this method to get the current LDAP configuration on the Citrix ADC.


Use this method to get the current AAA OTP global configuration.


Use this method to get the current AAA global configuration.


Use this method to get details of the specified preauthentication action.


Use this method to get the current preauthentication configuration.


Use this method to get the properties of either the specified preauthentication policy or (if none is specified) a list of all configured preauthentication policies.


Use this method to get the current RADIUS configuration on the Citrix ADC.


Use this method to get all AAA-TM/VPN connections that are bound to the specified user, group, IP address, or IP range.


Use this method to get information about all SSO Profiles configured on the appliance.


Use this method to get the Citrix ADC's current AAA TACACS+ configuration.


Use this method to get the current configuration of a AAA user account.


Use this method to terminate the specified AAA-TM/VPN session.


Use this method to lock a AAA user account for 24 hours, unless it is explicitly unlocked earlier with the unlock aaa user method.


Use this method to remove the specified AAA group.


Use this method to remove the KCD account.


Use this method to remove a preauthentication action.
NOTE: A preauthentication action cannot be removed if it is bound to a policy.


Use this method to remove the specified preauthentication policy.


Use this method to remove an SSO Profile from the appliance.


Use this method to remove a local AAA user account and its associated configuration.


Use this method to set the default group that is chosen when authentication succeeds, in addition to the extracted groups.


Use this method to set the client certificate field that specifies the group, in the format :.


Use this method to set the client certificate field that contains the username, in the format :.


Use this method to set the CA certificate for UserCert, or for use with the PKINIT backchannel.


Use this method to set the username that can perform Kerberos constrained delegation.


Use this method to set the enterprise realm of the user. Specify this only in KDC deployments where the KDC expects an enterprise username instead of a principal name.


Use this method to set the password for the delegated user.


Use this method to set the path to the keytab file. If a keytab is specified, the other parameters of this method need not be given.


Use this method to set the Kerberos realm.


Use this method to set the salt expression used by Kerberos impersonation. When configured, this expression is used for key derivation with the AES-128 or AES-256 encryption types. For RC4 encryption, the salt is not used.

If the salt expression is not set, the default behavior is to derive the salt value from the Kerberos principal.


Use this method to set the service SPN. When specified, it is used to fetch Kerberos tickets. If not specified, the Citrix ADC constructs the SPN from the service FQDN.


Use this method to set the SSL certificate (including the private key) for the delegated user.


Use this method to set the realm of the user.


Use this method to set the maximum number of seconds that the Citrix ADC waits for a response from the LDAP server.


Use this method to set the default group that is chosen when authentication succeeds, in addition to the extracted groups.


Use this method to set the attribute name used for group extraction from the LDAP server.


Use this method to set the base (the server and location) from which LDAP search methods should start.
If the LDAP server is running locally, the default value of base is dc=netscaler, dc=com.


Use this method to set the complete distinguished name (DN) string used for binding to the LDAP server.


Use this method to set the password used for binding to the LDAP server.


Use this method to set the name attribute that the Citrix ADC uses to query the external LDAP server or Active Directory.


Use this method to set whether the Citrix ADC queries the external LDAP server to determine whether the specified group belongs to another group.


Use this method to set whether password change requests are accepted.


Use this method to set a string that is combined with the default LDAP user search string to form the filter used when executing an LDAP search.
For example, the following values:
vpnallowed=true,
ldaploginname="samaccount"
when combined with the user-supplied username "bob", yield the following LDAP search string:
"(&(vpnallowed=true)(samaccount=bob))"
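The composition described above, written out as an added example (this is not Citrix ADC code and does not claim to reproduce the appliance's internal logic). It combines the configured search-filter fragment, the login-name attribute and the user-supplied username into the final filter, and escapes the username per RFC 4515 so that filter metacharacters typed into the login field cannot change the structure of the query. Wrapping a fragment that lacks surrounding parentheses before ANDing it is an assumption of this example, not something the page states.

```python
# Added example, not Citrix ADC code: combine a configured LDAP search-filter
# fragment with the login-name attribute and a user-supplied username, escaping
# the username per RFC 4515 before it is spliced into the filter.

# RFC 4515 assertion-value escapes; the backslash must be handled first so an
# escape sequence we emit is not re-escaped.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot open or close filter components."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_ldap_search_filter(search_filter: str, login_name_attr: str, username: str) -> str:
    """Build '(&<searchfilter>(<loginname>=<escaped user>))' from its parts.

    Assumption (not stated on the page): a fragment without surrounding
    parentheses, such as 'vpnallowed=true', is wrapped before being ANDed.
    An empty fragment yields just the username clause.
    """
    fragment = search_filter.strip()
    if fragment and not fragment.startswith("("):
        fragment = f"({fragment})"
    user_clause = f"({login_name_attr}={escape_ldap_filter_value(username)})"
    if not fragment:
        return user_clause
    return f"(&{fragment}{user_clause})"


if __name__ == "__main__":
    # The page's own example: searchfilter 'vpnallowed=true', login name 'samaccount', user 'bob'.
    print(build_ldap_search_filter("vpnallowed=true", "samaccount", "bob"))
    # A constructed username containing filter metacharacters stays a single
    # literal value after escaping instead of becoming extra filter terms.
    print(build_ldap_search_filter("vpnallowed=true", "samaccount", "bob)(uid=*"))
```

The second call is the reason escaping matters: without it, the parentheses and wildcard in the login field would be interpreted as filter syntax rather than as part of the account name, which is the condition an LDAP injection relies on.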


Use this method to set the type of security used for communications between the Citrix ADC and the LDAP server. For the PLAINTEXT setting, no encryption is used.


Use this method to set the IP address of the LDAP server.


Use this method to set the port number on which the LDAP server listens for connections.


Use this method to set the attribute used by the Citrix ADC to query an external LDAP server or Active Directory for an alternative username.
This alternative username is then used for single sign-on (SSO).


Use this method to set the subattribute name used for group extraction from the LDAP server.


Use this method to set the type of LDAP server.


Use this method to set whether the OTP secret is encrypted in AD. The default value is OFF.


Use this method to set the maximum number of OTP devices a user can register. The default value is 4 and the maximum is 255.


Use this method to set the AAAD log level, which specifies the types of AAAD events to log in nsvpn.log.
Available values function as follows:
* EMERGENCY - Events that indicate an immediate crisis on the server.
* ALERT - Events that might require action.
* CRITICAL - Events that indicate an imminent server crisis.
* ERROR - Events that indicate some type of error.
* WARNING - Events that require action in the near future.
* NOTICE - Events that the administrator should know about.
* INFORMATIONAL - All but low-level events.
* DEBUG - All events, in extreme detail.


Use this method to set the source IP address to use for traffic that is sent to the authentication server.


Use this method to set the audit log level, which specifies the types of events to log for methods executed from the CLI.
Available values function as follows:
* EMERGENCY - Events that indicate an immediate crisis on the server.
* ALERT - Events that might require action.
* CRITICAL - Events that indicate an imminent server crisis.
* ERROR - Events that indicate some type of error.
* WARNING - Events that require action in the near future.
* NOTICE - Events that the administrator should know about.
* INFORMATIONAL - All but low-level events.
* DEBUG - All events, in extreme detail.


Use this method to enable or disable the API cache feature.


Use this method to enable or disable classic endpoints.


Use this method to set the default authentication server type.


Use this method to enable or disable the default CSP header.


Use this method to set the dynaddr flag, which the DHCP client sets when the IP address was fetched dynamically.


Use this method to set enhanced authentication feedback, which provides the end user with more information about the reason for an authentication failure. The default value is NO.


Use this method to enable or disable stickiness to authentication servers.


Use this method to set the default state of VPN Static Page caching. Static Page caching is enabled by default.


Use this method to enable or disable EPA v2 functionality.


Use this method to set the first-time user mode, which determines which configuration options are shown by default when logging in to the GUI. This setting is controlled by the GUI.


Use this method to set or reset the HttpOnly flag on the NSC_AAAC and NSC_TMAS cookies in nFactor.


Use this method to set whether login information is encrypted in the nFactor flow.


Use this method to set the maximum number of concurrent users allowed to log on to the VPN.


Use this method to set the maximum number of questions to be asked for KB validation. The default value is 2 and the maximum is 6.


Use this method to set the maximum number of login attempts.


Use this method to set the maximum deflate size for the SAML Redirect binding.


Use this method to set whether unsuccessful user login attempts are stored persistently.


Use this method to set the threshold, in days, for password expiry notification. The default value is 0, which means no notification is sent.


Use this method to set the SameSite attribute value for cookies generated in the AAATM context. The attribute is appended only to the cookies listed in the built-in patset ns_cookies_samesite.


Use this method to set whether security insight records are sent. When this option is enabled, the Citrix ADC sends security insight records to the configured collectors when a request arrives at the authentication endpoint.
* If a CS vserver is the front end with an authentication vserver as the target of the CS action, the record is sent using the authentication vserver name.
* If a VPN, LB, or CS vserver is configured with authentication ON, the record is sent using that VPN, LB, or CS vserver name.
* If the authentication vserver is the front end, the record is sent using the authentication vserver name.


Use this method to set the frequency at which a token must be re-verified at the Authorization Server (AS) even though it is found in the cache.


Use this method to set the entities to which WAF protection is applied.
Available settings function as follows:
* DEFAULT - AUTH, VPN and PORTAL protections are enabled. This is the default value for wafProtection.
* AUTH - Endpoints used for authentication, applicable to the AAATM, IDP and GATEWAY use cases.
* VPN - Endpoints used for Gateway use cases.
* PORTAL - Endpoints related to the web portal.
* DISABLED - No endpoint WAF protection.
Currently supported only in the default partition.


Use this method to enable or disable webview endpoints.


Use this method to set the default group that is chosen when the EPA check succeeds.


Use this method to set a string specifying the path(s) and name(s) of the files to be deleted by the endpoint analysis (EPA) tool.


Use this method to set a string specifying the name of a process to be terminated by the endpoint analysis (EPA) tool.


Use this method to set whether logon is allowed or denied based on the endpoint analysis (EPA) results.


Use this method to set a string specifying the path(s) to and name(s) of the files to be deleted by the EPA tool, as a string of between 1 and 1023 characters.


Use this method to set a string specifying the name of a process to be terminated by the EPA tool.


Use this method to set whether login is allowed or denied on the basis of the endpoint analysis results.


Use this method to set the name of the Citrix ADC named rule, or an expression, to be evaluated by the EPA tool.


Use this method to set the name of the action that the policy invokes when a connection matches the policy.


Use this method to set the new rule to be associated with the policy.


Use this method to set the RADIUS server state to accept or refuse accounting messages.


Use this method to set the RADIUS server state to accept or refuse authentication messages.


Use this method to set the number of retries the Citrix ADC makes while waiting for a response from the RADIUS server.


Use this method to set the maximum number of seconds that the Citrix ADC waits for a response from the RADIUS server.


Use this method to set whether the Calling-Station-ID of the client is sent to the RADIUS server. The IP address of the client is sent as its Calling-Station-ID.


Use this method to set the default group that is chosen when authentication succeeds, in addition to the extracted groups.


Use this method to set the IP attribute type in the RADIUS response.


Use this method to set the vendor ID attribute in the RADIUS response.
If the attribute is not vendor-encoded, it is set to 0.


Use this method to control whether the Message-Authenticator attribute is included in a RADIUS Access-Request packet.


Use this method to enable password encoding in the RADIUS packets that the Citrix ADC sends to the RADIUS server.


Use this method to set the vendor ID of the password in the RADIUS response. It is used to extract the user password.


Use this method to set the attribute type for RADIUS group extraction.


Use this method to set the group separator string that delimits group names within a RADIUS attribute for RADIUS group extraction.


Use this method to set the prefix string that precedes group names within a RADIUS attribute for RADIUS group extraction.
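How the group separator and group prefix settings above combine to turn the text of a RADIUS group attribute into group names, as an added example (this is not Citrix ADC code). The attribute value is a constructed sample; treating tokens that lack the configured prefix as not being group names is an assumption of this example, not something the page states.

```python
# Added example, not Citrix ADC code: apply a group separator and a group
# prefix to the value of a RADIUS group attribute to obtain group names.

def extract_radius_groups(attr_value: str, separator: str = ";", prefix: str = "") -> list[str]:
    """Split a RADIUS group attribute value into group names.

    separator: string that delimits group names inside the attribute value.
    prefix:    string that precedes each group name; it is stripped from the
               result. Assumption: tokens without the prefix are not groups
               and are skipped.
    """
    tokens = attr_value.split(separator) if separator else [attr_value]
    groups: list[str] = []
    for token in tokens:
        token = token.strip()
        if not token:
            continue
        if prefix:
            if not token.startswith(prefix):
                continue  # assumption: not a group name for this extraction
            token = token[len(prefix):]
        if token:
            groups.append(token)
    return groups


# Constructed sample attribute value, not captured from a real RADIUS server.
SAMPLE_ATTRIBUTE = "OU=vpn-users;OU=admins;CN=unrelated"

if __name__ == "__main__":
    print(extract_radius_groups(SAMPLE_ATTRIBUTE, separator=";", prefix="OU="))
```

With separator ";" and prefix "OU=", the sample yields the two OU-prefixed names and ignores the CN token; with an empty prefix every non-empty token is treated as a group name.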


Use this method to set the key shared between the RADIUS server and clients.
It is required for the Citrix ADC to communicate with the RADIUS server.
This is a mandatory parameter.


Use this method to set whether the Network Access Server ID (NASID) of your Citrix ADC is sent to the RADIUS server as the NASID part of the RADIUS protocol.


Use this method to set whether the Citrix ADC IP (NSIP) address is sent to the RADIUS server as the Network Access Server IP (NASIP) part of the RADIUS protocol.


Use this method to set the vendor ID for RADIUS group extraction.


Use this method to set the IP address of the RADIUS server.


Use this method to set the port number on which the RADIUS server listens for connections.


Use this method to set whether the Tunnel Endpoint Client IP address is sent to the RADIUS server.


Use this method to set the password with which the user logs on. It is required for single sign-on to an external server.


Use this method to set the name for the user. It must begin with a letter, number, or the underscore (_) character, and must contain only alphanumeric, hyphen (-), period (.), hash (#), space ( ), at (@), equal (=), colon (:), and underscore characters.

CLI Users: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my group" or 'my group').


Use this method to set whether accounting messages are sent to the TACACS+ server.


Use this method to set the option for sending accounting messages to the TACACS+ server.


Use this method to set whether streaming authorization is used on the TACACS+ server.


Use this method to set the maximum number of seconds that the Citrix ADC waits for a response from the TACACS+ server.


Use this method to set the default group that is chosen when authentication succeeds, in addition to the extracted groups.


Use this method to set the TACACS+ group attribute name, which is used for group extraction on the TACACS+ server.


Use this method to set the IP address of the TACACS+ server.


Use this method to set the port number on which the TACACS+ server listens for connections.


Use this method to set the key shared between the TACACS+ server and clients. It is required for the Citrix ADC to communicate with the TACACS+ server.


Use this method to set the password with which the user logs on. It is required for any user account that does not exist on an external authentication server.
If you are not using an external authentication server, all user accounts must have a password. If you are using an external authentication server, you must provide a password for local user accounts that do not exist on the authentication server.
This is a mandatory parameter.


Use this method to unbind policy from aaa global.


Use this method to unbind windowsprofile from aaa global.


Use this method to unbind intranetapplication from aaa group.


Use this method to unbind intranetip from aaa group.


Use this method to unbind intranetip6 from aaa group.


Use this method to unbind policy from aaa group.


Use this method to unbind secureprivateaccessprofile from aaa group.


Use this method to unbind url from aaa group.


Use this method to unbind user from aaa group.


Use this method to unbind intranetapplication from aaa user.


Use this method to unbind intranetip from aaa user.


Use this method to unbind intranetip6 from aaa user.


Use this method to unbind policy from aaa user.


Use this method to unbind secureprivateaccessprofile from aaa user.


Use this method to unbind url from aaa user.


Use this method to unlock a AAA user account that was locked earlier for exceeding the allowed number of login attempts.


Remove aaa certParams defaultauthenticationgroup setting.


Remove aaa certParams groupnamefield setting.


Remove aaa certParams usernamefield setting.


Remove aaa kcdAccount cacert setting.


Remove aaa kcdAccount delegateduser setting.


Remove aaa kcdAccount enterpriserealm setting.


Remove aaa kcdAccount kcdpassword setting.


Remove aaa kcdAccount keytab setting.


Remove aaa kcdAccount saltexpression setting.


Remove aaa kcdAccount servicespn setting.


Remove aaa kcdAccount usercert setting.


Remove aaa kcdAccount userrealm setting.


Remove aaa ldapParams authtimeout setting.


Remove aaa ldapParams defaultauthenticationgroup setting.


Remove aaa ldapParams groupattr setting.


Remove aaa ldapParams groupnameidentifier setting.


Remove aaa ldapParams groupsearchattribute setting.


Remove aaa ldapParams groupsearchfilter setting.


Remove aaa ldapParams groupsearchsubattribute setting.


Remove aaa ldapParams ldapbase setting.


Remove aaa ldapParams ldapbinddn setting.


Remove aaa ldapParams ldapbinddnpassword setting.


Remove aaa ldapParams ldaplogin setting.


Remove aaa ldapParams maxnestinglevel setting.


Remove aaa ldapParams nestedgroupextraction setting.


Remove aaa ldapParams passwdchange setting.


Remove aaa ldapParams searchfilter setting.


Remove aaa ldapParams sectype setting.


Remove aaa ldapParams serverip setting.


Remove aaa ldapParams serverport setting.


Remove aaa ldapParams ssonameattribute setting.


Remove aaa ldapParams subattribute setting.


Remove aaa ldapParams svrtype setting.


Remove aaa otpparameter encryption setting.


Remove aaa otpparameter maxotpdevices setting.


Remove aaa parameter aaadloglevel setting.


Remove aaa parameter aaadnatip setting.


Remove aaa parameter aaasessionloglevel setting.


Remove aaa parameter apitokencache setting.


Remove aaa parameter classicendpoints setting.


Remove aaa parameter defaultauthtype setting.


Remove aaa parameter defaultcspheader setting.


Remove aaa parameter dynaddr setting.


Remove aaa parameter enableenhancedauthfeedback setting.


Remove aaa parameter enablesessionstickiness setting.


Remove aaa parameter enablestaticpagecaching setting.


Remove aaa parameter enhancedepa setting.


Remove aaa parameter ftmode setting.


Remove aaa parameter httponlycookie setting.


Remove aaa parameter loginencryption setting.


Remove aaa parameter maxaaausers setting.


Remove aaa parameter maxkbquestions setting.


Remove aaa parameter maxloginattempts setting.


Remove aaa parameter maxsamldeflatesize setting.


Remove aaa parameter persistentloginattempts setting.


Remove aaa parameter pwdexpirynotificationdays setting.


Remove aaa parameter samesite setting.


Remove aaa parameter securityinsights setting.


Remove aaa parameter tokenintrospectioninterval setting.


Remove aaa parameter wafprotection setting.


Remove aaa parameter webviewendpoints setting.


Remove aaa preauthenticationaction defaultepagroup setting.


Remove aaa preauthenticationaction deletefiles setting.


Remove aaa preauthenticationaction killprocess setting.


Remove aaa preauthenticationparameter deletefiles setting.


Remove aaa preauthenticationparameter killprocess setting.


Remove aaa preauthenticationparameter preauthenticationaction setting.


Remove aaa preauthenticationparameter rule setting.


Remove aaa radiusParams accounting setting.


Remove aaa radiusParams authentication setting.


Remove aaa radiusParams authservretry setting.


Remove aaa radiusParams authtimeout setting.


Remove aaa radiusParams callingstationid setting.


Remove aaa radiusParams defaultauthenticationgroup setting.


Remove aaa radiusParams ipattributetype setting.


Remove aaa radiusParams ipvendorid setting.


Remove aaa radiusParams messageauthenticator setting.


Remove aaa radiusParams passencoding setting.


Remove aaa radiusParams pwdattributetype setting.


Remove aaa radiusParams pwdvendorid setting.


Remove aaa radiusParams radattributetype setting.


Remove aaa radiusParams radgroupseparator setting.


Remove aaa radiusParams radgroupsprefix setting.


Remove aaa radiusParams radnasid setting.


Remove aaa radiusParams radnasip setting.


Remove aaa radiusParams radvendorid setting.


Remove aaa radiusParams serverip setting.


Remove aaa radiusParams serverport setting.


Remove aaa radiusParams tunnelendpointclientip setting.


Remove aaa tacacsParams accounting setting.


Remove aaa tacacsParams auditfailedcmds setting.


Remove aaa tacacsParams authorization setting.


Remove aaa tacacsParams authtimeout setting.


Remove aaa tacacsParams defaultauthenticationgroup setting.


Remove aaa tacacsParams groupattr setting.


Remove aaa tacacsParams serverip setting.


Remove aaa tacacsParams serverport setting.


Remove aaa tacacsParams tacacssecret setting.