In most environments it is straightforward to configure RADIUS authentication on the Citrix ADC. But sometimes it can be challenging, especially when the RADIUS server needs to receive the username in a specific format. Let's have a short example.
RADIUS Server #1 – Expecting: sAMAccountName
Name Expression: userA
RADIUS Server #2 – Expecting: “USERDOMAIN” + “sAMAccountName” + “@Realm”
Name Expression: corp\userA@CTX
Scenario 1 is a no-brainer and needs no special configuration. But how are we supposed to handle Scenario 2? I guess a lot of people (including my past self) are thinking this can only be handled with nFactor. I like the nFactor framework, but isn't it kind of overkill for this requirement? There must be another way, right?
Since NetScaler firmware 10.5e it has been possible to manipulate RADIUS messages with the AppExpert Rewrite feature. Important: this will only work if the RADIUS server does not require signed messages (the rewritten packet no longer matches the signature the client computed over the original); otherwise the authentication will fail.
We just need to do some rewriting magic on a Load Balancing vServer of type “RADIUS”.
add rewrite action rw_act_radius replace RADIUS.REQ.USER_NAME q/RADIUS.NEW_AVP(1,"corp\\" + RADIUS.REQ.USER_NAME + "@CTX")/
add rewrite policy rw_pol_radius true rw_act_radius
bind lb vserver lb_vsrv_radius_1812 -policyName rw_pol_radius -priority 100 -gotoPriorityExpression END -type REQUEST
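To see why the caveat about signed messages matters, here is an added Python example (not code from the original post or from Citrix): it builds a constructed Access-Request for userA with an RFC 2869 Message-Authenticator, applies the same User-Name rewrite the policy above performs, and checks the signature before and after. The shared secret, identifier and Request Authenticator are constructed values.

```python
import hashlib, hmac, struct

USER_NAME, MESSAGE_AUTHENTICATOR = 1, 80  # RADIUS attribute type codes

def build_attrs(attrs):
    # attrs: list of (type, value bytes) -> TLV-encoded attribute block
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = build_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def sign_access_request(secret, ident, authenticator, attrs):
    # Message-Authenticator (RFC 2869 3.2): HMAC-MD5 keyed with the shared secret over
    # the whole packet, with the attribute's own 16 value bytes set to zero
    zeroed = attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    mac = hmac.new(secret, build_packet(1, ident, authenticator, zeroed), hashlib.md5).digest()
    return build_packet(1, ident, authenticator, attrs + [(MESSAGE_AUTHENTICATOR, mac)])

def verify_message_authenticator(secret, pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs = parse_attrs(pkt[20:length])
    received = next((v for t, v in attrs if t == MESSAGE_AUTHENTICATOR), None)
    if received is None:
        return False
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    expected = hmac.new(secret, build_packet(code, ident, pkt[4:20], zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)

def rewrite_user_name(pkt, prefix=b"corp\\", suffix=b"@CTX"):
    # What the ADC rewrite action does: replace AVP 1 (User-Name), keep every other
    # attribute (including the now stale Message-Authenticator) and fix up the length
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs = [(t, prefix + v + suffix if t == USER_NAME else v) for t, v in parse_attrs(pkt[20:length])]
    return build_packet(code, ident, pkt[4:20], attrs)

def demo(secret=b"constructed-shared-secret"):
    # Constructed Access-Request for "userA" (fixed Request Authenticator for reproducibility)
    original = sign_access_request(secret, 7, bytes(range(16)), [(USER_NAME, b"userA")])
    rewritten = rewrite_user_name(original)
    new_name = next(v for t, v in parse_attrs(rewritten[20:]) if t == USER_NAME)
    return new_name, verify_message_authenticator(secret, original), verify_message_authenticator(secret, rewritten)
```

demo() returns the rewritten User-Name together with the verification result before (True) and after (False) the rewrite, which is exactly what a server that insists on Message-Authenticator would reject.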
Afterwards, RADIUS authentication works and we do not need to bother going down the nFactor road. Sometimes you should not over-complicate things and keep IT simple.
Hope this helps someone who is facing the same challenge.