Category Archives: Citrix ADC

Citrix ADC Vulnerability CVE-2019-19781

Last Wednesday I got an update email from the Citrix Heroes community run by DJ Eshelman about a new vulnerability which has been found with Citrix ADC appliances. Fortunately my home lab hasn’t been powered up much these past few weeks but today I decided to apply the mitigation steps to my VPX in case.

SMS2 4 – Configuring Citrix NetScaler Radius Load Balancing

This section of the documentation provides the steps necessary to configure Radius Load Balancing on a Citrix NetScaler HA Pair.

As with most configurations of a NetScaler HA Pair, the configuration is only performed on the Primary Node of the pair and then replicated automatically to the Secondary Node.

Configuring Radius Load Balancing on a Citrix NetScaler consists of the following steps, which are explained in further detail in this section :-

  1. Creating a Radius Load Balancing Monitor
  2. Creating the Radius Server Services
  3. Creating a Radius Load Balancing vServer
  4. Creating a Radius Authentication Server and Profile
  5. Applying the Radius Profile to the Access Gateway vServer
  6. Saving the new configuration

Creating a Radius Load Balancing Monitor

The first part of the configuration is to create a Radius Load Balancing Monitor on the NetScaler by performing the following steps :-

  • Log on to the Primary Node NetScaler Web GUI as an Administrative Account
  • Expand the Load Balancing branch in the Left Hand pane
  • Click on the Monitors branch under Load Balancing and then click on the Add button
  • When prompted enter a Name for the new Monitor
  • Click on the Special Parameters tab and set the User Name to an Account on the Active Directory Domain.

For the configuration of this test environment I used the Service Account created for the SMS2 installation

  • Set the Password to the Password of the Active Directory Account chosen
  • Set the Radius Key to the Shared Secret Key set up on the Radius Servers

N.B. In order for this to work correctly, both Radius Servers must be expecting the same Shared Secret key

  • Under the Response Codes section click on Add, select 3-Access-Reject from the list, and then click on Add
  • Click on OK to create the new Radius Load Balancing Monitor

Creating the Radius Server Services

The next part of the configuration is to create the Radius Server Load Balancing Services for the two Radius Servers by performing the following steps :-

  • If necessary, Expand the Load Balancing branch in the Left Hand pane
  • Click on the Services branch under Load Balancing and then click on the Add button
  • When prompted enter a Service Name for the new Service
  • Set the Server to the IP Address of the Radius Server
  • Set the Protocol to RADIUS and the Port to 1812
  • Select the newly created Radius Monitor from the list of Available Monitors and click on Add to apply it to the Service
  • Click on OK to create the new Radius Server Service

Perform the steps above to configure a Radius Server Service for the second Radius Server

Creating A Radius Load Balancing vServer

The next part of the configuration is to create the Radius Load Balancing vServer by performing the following steps :-

  • If necessary, Expand the Load Balancing branch in the Left Hand pane
  • Click on the Virtual Servers branch under Load Balancing and then click on the Add button
  • When prompted enter a Name for the new Virtual Server
  • Set the Protocol to RADIUS and the Port to 1812
  • Set the IP Address to the address required for the new Virtual Server
  • In the Services Section select both of the Radius Services created in the previous section
  • Click on the Method and Persistence tab
  • Under the LB Method section change the Method to Token

      o In the Rule box enter CLIENT.UDP.RADIUS.USERNAME

  • Under the Persistence section change the Persistence to RULE

      o Confirm that the Rule shown is CLIENT.UDP.RADIUS.USERNAME as set for the LB Method Rule

  • Click on Create to create the new Radius Load Balancing vServer
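
What the Token method with the rule CLIENT.UDP.RADIUS.USERNAME achieves, as an added example that is not part of the original documentation and not NetScaler code: the User-Name attribute is pulled out of each Access-Request (RFC 2865) and used as the token, so every request from the same user goes to the same Radius Service. The service names, the SHA-256 mapping and the sample packets are assumptions constructed for illustration; the NetScaler's own hashing is not described on this page.

```python
import hashlib
import struct

ACCESS_REQUEST = 1  # RADIUS code for Access-Request (RFC 2865)
USER_NAME = 1       # RADIUS attribute type for User-Name (RFC 2865, section 5.1)


def build_access_request(identifier, username):
    """Constructed sample packet: an Access-Request carrying only User-Name."""
    name = username.encode()
    attr = bytes([USER_NAME, len(name) + 2]) + name
    authenticator = bytes(16)  # constructed placeholder, not a real random value
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attr))
    return header + authenticator + attr


def radius_username(packet):
    """Return the User-Name of an Access-Request, or None if absent or malformed."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length < 20 or length > len(packet):
        return None
    pos = 20  # attributes start after the 20-byte header
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return None  # malformed attribute: stop instead of reading past the packet
        if attr_type == USER_NAME:
            return packet[pos + 2:pos + attr_len].decode("utf-8", "replace")
        pos += attr_len
    return None


def pick_service(packet, services):
    """Map the username token to one service (illustrative hash, an assumption)."""
    user = radius_username(packet)
    if user is None:
        return None
    digest = hashlib.sha256(user.encode()).digest()
    return services[int.from_bytes(digest[:4], "big") % len(services)]


if __name__ == "__main__":
    services = ["radius_svc_1", "radius_svc_2"]  # hypothetical service names
    for ident in (1, 2, 3):
        print(ident, pick_service(build_access_request(ident, "alice"), services))
```
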

Creating a Radius Authentication Server and Profile

The next part of the configuration is to create the Radius Authentication Server and Profile by performing the following steps :-

  • Expand the Access Gateway branch in the Left Hand pane
  • Expand the Policies branch and then the Authentication branch
  • Click on the Radius branch and then click on the Servers tab
  • Click on the Add button and when prompted enter a Name for the Authentication Server
  • Set the IP Address to the IP Address of the Radius Load Balancing vServer created in the previous section
  • If necessary, set the Port to 1812
  • Enter the Radius Shared Secret configured for the NetScaler in both the Secret Key and Confirm Secret Key settings
  • Click on Create to create the new Radius Authentication Server
  • Click on the Policies Tab and then click on the Add button
  • When prompted enter a Name for the new Radius Authentication Policy
  • Select the Radius Server created in the previous steps as the Server
  • Set the Expression to ns_true
  • Click on Create to create the new Radius Authentication Policy

Applying the Radius Authentication Profile to the Access Gateway vServer

The next part of the configuration is to apply the newly created Radius Authentication Policy to the Access Gateway vServer by performing the following steps :-

  • If necessary, Expand the Access Gateway branch in the Left Hand pane
  • Click on the Virtual Server branch and then open the Virtual Server you wish to apply Radius Authentication to
  • Click on the Authentication Tab and then under the Authentication Policies section click on Secondary
  • Click on the Insert Policy button and select the Radius Profile created in the previous section
  • Click on OK to apply the changes

Saving the configuration

The last part of the configuration is to save the new configuration on the NetScaler by performing the following steps :-

  • Click on the Save button and when prompted “Do you want to save the running configuration?” click on Yes
  • Once the configuration is saved and you are prompted “Configuration Saved Successfully” click on OK