ADC CLI Commands

aaa-parameter

The following operations can be performed on “aaa-parameter”:

unset, set, show

unset aaa parameter

Resets the global AAA parameter settings on the Citrix ADC. Attributes for which a default value is available revert to their default values. Refer to the set aaa parameter command for the meanings of the arguments.

Synopsis

unset aaa parameter [-enableStaticPageCaching] [-enableEnhancedAuthFeedback] [-defaultAuthType] [-maxAAAUsers] [-aaadnatIp] [-maxLoginAttempts] [-enableSessionStickiness] [-maxSamlDeflateSize] [-persistentLoginAttempts] [-pwdExpiryNotificationDays] [-maxKBQuestions] [-aaaSessionLoglevel] [-aaadLoglevel] [-dynAddr] [-ftMode] [-loginEncryption] [-SameSite] [-APITokenCache] [-tokenIntrospectionInterval] [-defaultCSPHeader] [-httpOnlyCookie] [-enhancedEPA] [-wafProtection] [-securityInsights]

set aaa parameter

Sets the global AAA configuration. Any configuration settings made at this level override the configuration settings for the authentication server.

Synopsis

set aaa parameter [-enableStaticPageCaching ( YES | NO )] [-enableEnhancedAuthFeedback ( YES | NO )] [-defaultAuthType ( LOCAL | LDAP | RADIUS | TACACS | CERT )] [-maxAAAUsers <positive_integer>] [-maxLoginAttempts <positive_integer> [-failedLoginTimeout <positive_integer>]] [-aaadnatIp <ip_addr|*>] [-enableSessionStickiness ( YES | NO )] [-aaaSessionLoglevel ( EMERGENCY | ALERT | CRITICAL | ERROR | WARNING | NOTICE | INFORMATIONAL | DEBUG )] [-aaadLoglevel ( EMERGENCY | ALERT | CRITICAL | ERROR | WARNING | NOTICE | INFORMATIONAL | DEBUG )] [-dynAddr ( ON | OFF )] [-ftMode ( ON | HA | OFF )] [-maxSamlDeflateSize <positive_integer>] [-persistentLoginAttempts ( ENABLED | DISABLED )] [-pwdExpiryNotificationDays <positive_integer>] [-maxKBQuestions <positive_integer>] [-loginEncryption ( ENABLED | DISABLED )] [-SameSite ( None | LAX | STRICT )] [-APITokenCache ( ENABLED | DISABLED )] [-tokenIntrospectionInterval <positive_integer>] [-defaultCSPHeader ( ENABLED | DISABLED )] [-httpOnlyCookie ( ENABLED | DISABLED )] [-enhancedEPA ( ENABLED | DISABLED )] [-wafProtection ...] [-securityInsights ( ENABLED | DISABLED )]

Arguments

enableStaticPageCaching The default state of VPN static page caching. Static page caching is enabled by default.

Possible values: YES, NO Default value: YES

enableEnhancedAuthFeedback Enhanced auth feedback provides more information to the end user about the reason for an authentication failure. The default value is set to NO.

Possible values: YES, NO Default value: NO

defaultAuthType The default authentication server type.

Possible values: LOCAL, LDAP, RADIUS, TACACS, CERT Default value: LOCAL

maxAAAUsers Maximum number of concurrent users allowed to log on to the VPN simultaneously. Minimum value: 1

maxLoginAttempts Maximum number of login attempts. Minimum value: 1

failedLoginTimeout Number of minutes an account is locked if the user exceeds the maximum permissible login attempts. Minimum value: 1 Maximum value: 525600

aaadnatIp Source IP address to use for traffic that is sent to the authentication server.

enableSessionStickiness Enables or disables stickiness to authentication servers.

Possible values: YES, NO Default value: NO

aaaSessionLoglevel Audit log level, which specifies the types of events to log for CLI-executed commands. Available values function as follows:

  • EMERGENCY - Events that indicate an immediate crisis on the server.
  • ALERT - Events that might require action.
  • CRITICAL - Events that indicate an imminent server crisis.
  • ERROR - Events that indicate some type of error.
  • WARNING - Events that require action in the near future.
  • NOTICE - Events that the administrator should know about.
  • INFORMATIONAL - All but low-level events.
  • DEBUG - All events, in extreme detail.

Possible values: EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFORMATIONAL, DEBUG Default value: DEFAULT_LOGLEVEL_AAA

aaadLoglevel AAAD log level, which specifies the types of AAAD events to log in nsvpn.log. Available values function as follows:

  • EMERGENCY - Events that indicate an immediate crisis on the server.
  • ALERT - Events that might require action.
  • CRITICAL - Events that indicate an imminent server crisis.
  • ERROR - Events that indicate some type of error.
  • WARNING - Events that require action in the near future.
  • NOTICE - Events that the administrator should know about.
  • INFORMATIONAL - All but low-level events.
  • DEBUG - All events, in extreme detail.

Possible values: EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFORMATIONAL, DEBUG Default value: INFORMATIONAL

dynAddr Set by the DHCP client when the IP address was fetched dynamically.

Possible values: ON, OFF Default value: OFF

ftMode First time user mode determines which configuration options are shown by default when logging in to the GUI. This setting is controlled by the GUI.

Possible values: ON, HA, OFF Default value: ON

maxSamlDeflateSize Sets the maximum deflate size for the SAML Redirect binding. Minimum value: 0

persistentLoginAttempts Persistent storage of unsuccessful user login attempts.

Possible values: ENABLED, DISABLED Default value: DISABLED

pwdExpiryNotificationDays Sets the threshold time in days for password expiry notification. The default value is 0, which means no notification is sent. Minimum value: 0

maxKBQuestions Sets the maximum number of questions to be asked for KB validation. The default value is 2 and the maximum is 6. Minimum value: 2 Maximum value: 6

loginEncryption Parameter to encrypt login information in the nFactor flow.

Possible values: ENABLED, DISABLED Default value: DISABLED

SameSite SameSite attribute value for cookies generated in the AAATM context. This attribute value is appended only to the cookies specified in the built-in patset ns_cookies_samesite.

Possible values: None, LAX, STRICT

APITokenCache Option to enable or disable the API token cache feature.

Possible values: ENABLED, DISABLED Default value: DISABLED

tokenIntrospectionInterval Frequency at which a token must be verified at the Authorization Server (AS) even if it is found in the cache. Minimum value: 0

defaultCSPHeader Parameter to enable or disable the default CSP header.

Possible values: ENABLED, DISABLED Default value: DISABLED

httpOnlyCookie Parameter to set or reset the HttpOnly flag for NSC_AAAC/NSC_TMAS cookies in nFactor.

Possible values: ENABLED, DISABLED Default value: DISABLED

enhancedEPA Parameter to enable or disable EPA v2 functionality.

Possible values: ENABLED, DISABLED Default value: DISABLED

wafProtection Entities for which WAF protection needs to be applied. Available settings function as follows:

  • AUTH - Endpoints used for authentication, applicable to the AAATM, IDP and GATEWAY use cases.
  • VPN - Endpoints used for Gateway use cases.
  • DISABLED - No endpoint WAF protection. Currently supported only in the default partition.

securityInsights When this option is enabled, the Citrix ADC sends security insight records to the configured collectors when a request arrives at the authentication endpoint.

  • If a CS vserver is the frontend with an authentication vserver as the target of the CS action, the record is sent using the authentication vserver name.
  • If VPN/LB/CS vservers are configured with Authentication ON, the record is sent using the VPN/LB/CS vserver name accordingly.
  • If the authentication vserver is the frontend, the record is sent using the authentication vserver name.

Possible values: ENABLED, DISABLED Default value: DISABLED

Example

set aaa parameter -defaultAuthType RADIUS -maxAAAUsers 100

show aaa parameter

Displays the current AAA global configuration.

Synopsis

show aaa parameter

Arguments

Output

enableStaticPageCaching Indicates if static page caching is enabled or not.

enableEnhancedAuthFeedback Indicates whether enhanced auth feedback is enabled or not.

defaultAuthType The default authentication server type.

maxAAAUsers The maximum number of concurrent users allowed to log into the system at any time.

aaadnatIp The NAT IP to be used for the AAA traffic.

maxLoginAttempts Maximum number of login attempts.

failedLoginTimeout Number of minutes an account is locked if the user exceeds the maximum permissible login attempts.

enableSessionStickiness Enables or disables stickiness to authentication servers.

aaaSessionLoglevel Audit log level, which specifies the types of events to log for CLI-executed commands. Available values function as follows:

  • EMERGENCY - Events that indicate an immediate crisis on the server.
  • ALERT - Events that might require action.
  • CRITICAL - Events that indicate an imminent server crisis.
  • ERROR - Events that indicate some type of error.
  • WARNING - Events that require action in the near future.
  • NOTICE - Events that the administrator should know about.
  • INFORMATIONAL - All but low-level events.
  • DEBUG - All events, in extreme detail.

aaadLoglevel AAAD log level, which specifies the types of AAAD events to log in nsvpn.log. Available values function as follows:

  • EMERGENCY - Events that indicate an immediate crisis on the server.
  • ALERT - Events that might require action.
  • CRITICAL - Events that indicate an imminent server crisis.
  • ERROR - Events that indicate some type of error.
  • WARNING - Events that require action in the near future.
  • NOTICE - Events that the administrator should know about.
  • INFORMATIONAL - All but low-level events.
  • DEBUG - All events, in extreme detail.

dynAddr Set by the DHCP client when the IP address was fetched dynamically.

ftMode First time user mode determines which configuration options are shown by default when logging in to the GUI. This setting is controlled by the GUI.

maxSamlDeflateSize Sets the maximum deflate size for the SAML Redirect binding.

persistentLoginAttempts Persistent storage of unsuccessful user login attempts.

pwdExpiryNotificationDays Sets the threshold time in days for password expiry notification. The default value is 0, which means no notification is sent.

maxKBQuestions Sets the maximum number of questions to be asked for KB validation. The default value is 2 and the maximum is 6.

builtin Flag that indicates whether the aaa param is built-in or not.

feature The feature to be checked while applying this config.

loginEncryption Parameter to encrypt login information in the nFactor flow.

SameSite SameSite attribute value for cookies generated in the AAATM context. This attribute value is appended only to the cookies specified in the built-in patset ns_cookies_samesite.

APITokenCache Option to enable or disable the API token cache feature.

tokenIntrospectionInterval Frequency at which a token must be verified at the Authorization Server (AS) even if it is found in the cache.

defaultCSPHeader Parameter to enable or disable the default CSP header.

httpOnlyCookie Parameter to set or reset the HttpOnly flag for NSC_AAAC/NSC_TMAS cookies in nFactor.

enhancedEPA Parameter to enable or disable EPA v2 functionality.

wafProtection Entities for which WAF protection needs to be applied. Available settings function as follows:

  • AUTH - Endpoints used for authentication, applicable to the AAATM, IDP and GATEWAY use cases.
  • VPN - Endpoints used for Gateway use cases.
  • DISABLED - No endpoint WAF protection. Currently supported only in the default partition.

securityInsights When this option is enabled, the Citrix ADC sends security insight records to the configured collectors when a request arrives at the authentication endpoint.

  • If a CS vserver is the frontend with an authentication vserver as the target of the CS action, the record is sent using the authentication vserver name.
  • If VPN/LB/CS vservers are configured with Authentication ON, the record is sent using the VPN/LB/CS vserver name accordingly.
  • If the authentication vserver is the frontend, the record is sent using the authentication vserver name.

Example

show aaa parameter
Configured AAA parameters
        DefaultAuthType: LDAP
        MaxAAAUsers: 5
 Done
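A practitioner reviewing an ADC usually wants to compare the output of show aaa parameter with the security-relevant settings described under set aaa parameter (lockout, HttpOnly and SameSite cookie flags, the default CSP header, WAF protection on the authentication endpoints) rather than read the output by eye. The script below is an added example, not Citrix code, that parses the Name: Value lines of that output and emits the set aaa parameter command needed to bring it to a baseline. The sample output is constructed: only DefaultAuthType and MaxAAAUsers come from the example on this page, the other field names are assumed to follow the same pattern, and the baseline values (including the lockout thresholds 5 attempts / 15 minutes) are assumptions chosen for illustration, not vendor recommendations.

```python
"""Audit 'show aaa parameter' output against a hardening baseline (added example)."""
import re

# Constructed sample of 'show aaa parameter' output. Field names other than
# DefaultAuthType and MaxAAAUsers are assumed to follow the 'Name: Value' form.
SAMPLE_OUTPUT = """\
Configured AAA parameters
        DefaultAuthType: LDAP
        MaxAAAUsers: 5
        MaxLoginAttempts: 0
        FailedLoginTimeout: 0
        PersistentLoginAttempts: DISABLED
        EnableEnhancedAuthFeedback: YES
        HttpOnlyCookie: ENABLED
        SameSite: None
        DefaultCSPHeader: ENABLED
        WafProtection: DISABLED
 Done
"""

# Enumerated settings: parameter name as used by 'set aaa parameter',
# expected value, and the defender's reason for it (baseline is an assumption).
ENUM_BASELINE = [
    ("enableEnhancedAuthFeedback", "NO",
     "detailed failure reasons reveal account state to whoever probes logins"),
    ("persistentLoginAttempts", "ENABLED",
     "failed-attempt counters should survive a restart or failover"),
    ("httpOnlyCookie", "ENABLED",
     "keeps NSC_AAAC/NSC_TMAS session cookies out of reach of page scripts"),
    ("SameSite", "STRICT",
     "stops AAATM cookies being sent on cross-site requests"),
    ("defaultCSPHeader", "ENABLED",
     "default Content-Security-Policy header on AAA pages"),
    ("wafProtection", "AUTH",
     "WAF protection on the authentication endpoints"),
]

# Numeric settings: parameter name, minimum acceptable value, value to
# recommend when unset or too low, reason. Thresholds are assumed.
NUMERIC_BASELINE = [
    ("maxLoginAttempts", 1, 5, "lockout must be on; unset or 0 means no lockout"),
    ("failedLoginTimeout", 1, 15, "lockout duration in minutes (page range 1-525600)"),
]


def _norm(name: str) -> str:
    """Case- and punctuation-insensitive key, so 'SameSite' matches 'samesite'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def parse_show_output(text: str) -> dict:
    """Collect 'Name: Value' lines; the banner and 'Done' lines have no colon and are skipped."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$", line)
        if m:
            params[_norm(m.group(1))] = m.group(2)
    return params


def audit(text: str) -> list:
    """Return one (parameter, actual, expected, reason) tuple per deviation from the baseline."""
    params = parse_show_output(text)
    findings = []
    for name, expected, why in ENUM_BASELINE:
        actual = params.get(_norm(name))
        if actual is None:
            findings.append((name, None, expected, "not present in output"))
        elif actual.upper() != expected.upper():
            findings.append((name, actual, expected, why))
    for name, minimum, recommended, why in NUMERIC_BASELINE:
        raw = params.get(_norm(name))
        try:
            value = int(raw)
        except (TypeError, ValueError):  # missing field or non-numeric text
            value = None
        if value is None or value < minimum:
            findings.append((name, raw, str(recommended), why))
    return findings


def remediation_command(findings: list) -> str:
    """Build a single 'set aaa parameter' line that addresses every finding."""
    if not findings:
        return ""
    args = " ".join(f"-{name} {expected}" for name, _, expected, _ in findings)
    return "set aaa parameter " + args


if __name__ == "__main__":
    found = audit(SAMPLE_OUTPUT)
    for name, actual, expected, why in found:
        print(f"{name}: is {actual!r}, want {expected} ({why})")
    print(remediation_command(found))
```

Feed the script the captured output of show aaa parameter from your own appliance in place of SAMPLE_OUTPUT and review the generated command before applying it; the numeric thresholds and the SameSite choice in particular depend on how the authentication virtual servers are fronted and whether cross-site flows (for example IdP-initiated SAML) are expected.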
