ADC CLI Commands

authentication-vserver

The following operations can be performed on “authentication-vserver”:

rm stat rename enable unbind unset disable add bind show set

rm authentication vserver

Removes an authentication virtual server.

Synopsis

rm authentication vserver @ ...

Arguments

name Name of the authentication virtual server to remove.

Example

rm vserver authn_vip

stat authentication vserver

Displays statistics about the specified authentication virtual server. If no authentication virtual server is specified, displays statistics for all authentication virtual servers that are currently configured on the Citrix ADC.

Synopsis

stat authentication vserver [] \[-detail] \[-fullValues] \[-ntimes <positive\_integer>] \[-logFile <input\_filename>] \[-clearstats \( basic | full )]

Arguments

name Name of the authentication virtual server.

detail Specifies detailed output (including more statistics). The output can be quite voluminous. Without this argument, the output will show only a summary.

fullValues Specifies that numbers and strings should be displayed in their full form. Without this option, long strings are shortened and large numbers are abbreviated

ntimes The number of times, in intervals of seven seconds, the statistics should be displayed. Default value: 1 Minimum value: 0

logFile The name of the log file to be used as input.

clearstats Clear the statsistics / counters

Possible values: basic, full

Output

count devno stateflag

Counters

IP address (IP) The IP address on which the service is running.

Port (port) The port on which the service is running.

Vserver protocol (Protocol) Protocol associated with the vserver

State Current state of the server. There are seven possible values: UP(7), DOWN(1), UNKNOWN(2), BUSY(3), OFS(Out of Service)(4), TROFS(Transition Out of Service)(5), TROFS_DOWN(Down When going Out of Service)(8)

Requests (Req) Total number of requests received on this service or virtual server. (This applies to HTTP/SSL services and servers.)

Responses (Rsp) Number of responses received on this service or virtual server. (This applies to HTTP/SSL services and servers.)

Request bytes (Reqb) Total number of request bytes received on this service or virtual server.

Response bytes (Rspb) Number of response bytes received by this service or virtual server.

rename authentication vserver

Rename an authentication virtual server.

Synopsis

rename authentication vserver @ @

Arguments

name Current name of the authentication virtual server.

newName New name of the authentication virtual server. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, ‘my authentication policy’ or “my authentication policy”).

Example

rename authentication vserver av1 av_new

enable authentication vserver

Enables an authentication virtual server that is disabled. Note: Virtual servers, when added, are normally enabled by default.

Synopsis

enable authentication vserver @

Arguments

name Name of the virtual server to enable.

Example

enable vserver authentication1

unbind authentication vserver

Unbinds the specified policy from the specified authentication virtual server.

Synopsis

unbind authentication vserver [-policy [-secondary] [-groupExtraction] [-type ]] [-portaltheme ]

Arguments

name Name of the virtual server.

policy Name of the policy to be unbound.

secondary Applicable only to classic authentication policy

groupExtraction Applicable only to classic authentication policy

type Bind point from which to unbind the policy.

Possible values: REQUEST, RESPONSE, ICA_REQUEST, OTHERTCP_REQUEST, AAA_REQUEST, AAA_RESPONSE

portaltheme Name of Theme to be unbound from authentication vserver

unset authentication vserver

Removes the settings of an existing authentication virtual server. Attributes for which a default value is available revert to their default values. Refer to the set authentication vserver command for descriptions of the parameters..Refer to the set authentication vserver command for meanings of the arguments.

Synopsis

unset authentication vserver [-maxLoginAttempts] [-authentication] [-comment] [-appflowLog] [-failedLoginTimeout] [-certkeyNames] [-SameSite]

disable authentication vserver

Disables an authentication virtual server, taking it out of service.

Synopsis

disable authentication vserver @

Arguments

name Name of the virtual server to disable. Notes:

  1. The Citrix ADC still responds to ARP and/or ping requests for the IP address of disabled virtual servers.
  2. Because the virtual server configuration still exists on the Citrix ADC, you can reenable the virtual server.

Example

disable vserver authn_vip

add authentication vserver

Creates an authentication virtual server.

Synopsis

add authentication vserver \[ \[-range <positive\_integer>]] \[] \[-state \( ENABLED | DISABLED )] \[-authentication \( ON | OFF )] \[-comment ] \[-td <positive\_integer>] \[-appflowLog \( ENABLED | DISABLED )] \[-maxLoginAttempts <positive\_integer> \[-failedLoginTimeout ]] \[-certkeyNames ] \[-SameSite ]

Arguments

name Name for the new authentication virtual server. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Can be changed after the authentication virtual server is added by using the rename authentication vserver command.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my authentication policy” or ‘my authentication policy’).

serviceType Protocol type of the authentication virtual server. Always SSL.

Possible values: SSL Default value: SSL

IPAddress IP address of the authentication virtual server, if a single IP address is assigned to the virtual server.

range If you are creating a series of virtual servers with a range of IP addresses assigned to them, the length of the range. The new range of authentication virtual servers will have IP addresses consecutively numbered, starting with the primary address specified with the IP Address parameter. Default value: 1 Minimum value: 1

port TCP port on which the virtual server accepts connections.

state Initial state of the new virtual server.

Possible values: ENABLED, DISABLED Default value: ENABLED

authentication Require users to be authenticated before sending traffic through this virtual server.

Possible values: ON, OFF Default value: ON

comment Any comments associated with this virtual server.

td Integer value that uniquely identifies the traffic domain in which you want to configure the entity. If you do not specify an ID, the entity becomes part of the default traffic domain, which has an ID of 0. Minimum value: 0 Maximum value: 4094

appflowLog Log AppFlow flow information.

Possible values: ENABLED, DISABLED Default value: ENABLED

maxLoginAttempts Maximum Number of login Attempts Minimum value: 1 Maximum value: 255

failedLoginTimeout Number of minutes an account will be locked if user exceeds maximum permissible attempts Minimum value: 1

certkeyNames Name of the certificate key that was bound to the corresponding SSL virtual server as the Certificate Authority for the device certificate

SameSite SameSite attribute value for Cookies generated in AAATM context. This attribute value will be appended only for the cookies which are specified in the builtin patset ns_cookies_samesite

Possible values: None, LAX, STRICT

Example

The following example creates an authentication vserver named myauthenticationvip which supports SSL portocol and with AAA functionality enabled: vserver myauthenticationvip SSL 65.219.17.34 443 -aaa ON

bind authentication vserver

Binds authentication policies to an authentication virtual server.

Synopsis

bind authentication vserver [-policy [-priority ] [-secondary] [-groupExtraction] [-nextFactor ] [-gotoPriorityExpression ] [-type ]] [-portaltheme ]

Arguments

name Name of the authentication virtual server to which to bind the policy.

policy Name of the policy to bind to the virtual server.

priority Positive integer specifying the priority of the policy. A lower number specifies a higher priority. Policies are evaluated in the order of their priorities, and the first policy that matches the request is applied. Must be unique within the list of policies bound to the authentication virtual server.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, ‘my authentication policy’ or “my authentication policy”). Minimum value: 0

secondary Applicable only while bindind classic authentication policy as advance authentication policy use nFactor

groupExtraction Applicable only while bindind classic authentication policy as advance authentication policy use nFactor

nextFactor Applicable only while binding advance authentication policy as classic authentication policy does not support nFactor

gotoPriorityExpression Applicable only to advance authentication policy. Expression or other value specifying the next policy to be evaluated if the current policy evaluates to TRUE. Specify one of the following values:

  • NEXT - Evaluate the policy with the next higher priority number.
  • END - End policy evaluation.
  • USE_INVOCATION_RESULT - Applicable if this policy invokes another policy label. If the final goto in the invoked policy label has a value of END, the evaluation stops. If the final goto is anything other than END, the current policy label performs a NEXT.
  • An expression that evaluates to a number. If you specify an expression, the number to which it evaluates determines the next policy to evaluate, as follows:
  • If the expression evaluates to a higher numbered priority, the policy with that priority is evaluated next.
  • If the expression evaluates to the priority of the current policy, the policy with the next higher numbered priority is evaluated next.
  • If the expression evaluates to a priority number that is numerically higher than the highest numbered priority, policy evaluation ends. An UNDEF event is triggered if:
  • The expression is invalid.
  • The expression evaluates to a priority number that is numerically lower than the current policy’s priority.
  • The expression evaluates to a priority number that is between the current policy’s priority number (say, 30) and the highest priority number (say, 100), but does not match any configured priority number (for example, the expression evaluates to the number 85). This example assumes that the priority number increments by 10 for every successive policy, and therefore a priority number of 85 does not exist in the policy label.

type Bind point to which to bind the policy. Applies only to rewrite and cache policies. If you do not set this parameter, the policy is bound to REQ_DEFAULT or RES_DEFAULT, depending on whether the policy rule is a response-time or a request-time expression.

Possible values: REQUEST, RESPONSE, ICA_REQUEST, OTHERTCP_REQUEST, AAA_REQUEST, AAA_RESPONSE

portaltheme Portal theme to be bound to Authentication vserver

show authentication vserver

Displays the configuration of the specified authentication virtual server. If no authentication virtual server is specified, displays a list of all authentication virtual servers that are currently configured on the Citrix ADC.

Synopsis

show authentication vserver [] show authentication vserver stats - alias for 'stat authentication vserver'

Arguments

name Name of the authentication virtual server.

Output

IPAddress The Virtual IP address of the authentication vserver.

td Integer value that uniquely identifies the traffic domain in which you want to configure the entity. If you do not specify an ID, the entity becomes part of the default traffic domain, which has an ID of 0.

IPAddress The IP address of the authentication server.

value Indicates whether or not the certificate is bound or if SSL offload is disabled.

port The virtual TCP port of the authentication vserver.

range The range of authentication vserver IP addresses. The new range of authentication vservers will have IP addresses consecutively numbered, starting with the primary address specified with the argument.

serviceType The authentication vserver’s protocol type, Currently the only possible value is SSL.

type The type of Virtual Server, e.g. CONTENT based or ADDRESS based.

state The current state of the Virtual server, e.g. UP, DOWN, BUSY, etc.

status Whether or not this vserver responds to ARPs and whether or not round-robin selection is temporarily in effect.

cacheType Virtual server’s cache type. The options are: TRANSPARENT, REVERSE and FORWARD.

redirect The cache redirect policy. The valid redirect policies are: l.CACHE - Directs all requests to the cache. 2.POLICY - Applies cache redirection policy to determine whether the request should be directed to the cache or origin. This is the default setting. 3.ORIGIN - Directs all requests to the origin server.

precedence This argument is used only when configuring content switching on the specified virtual server. This is applicable only if both the URL and RULE-based policies have been configured on the same virtual server. It specifies the type of policy (URL or RULE) that takes precedence on the content switching virtual server. The default setting is RULE. lURL - In this case, the incoming request is matched against the URL-based policies before the rule-based policies. lRULE - In this case, the incoming request is matched against the rule-based policies before the URL-based policies. For all URL-based policies, the precedence hierarchy is: 1.Domain and exact URL 2.Domain, prefix and suffix 3.Domain and suffix 4.Domain and prefix 5.Domain only 6.Exact URL 7.Prefix and suffix 8.Suffix only 9.Prefix only 10.Default

redirectURL The URL where traffic is redirected if the virtual server in system becomes unavailable. WARNING!Make sure that the domain you specify in the URL does not match the domain specified in the -d domainName argument of the ###add cs policy### command. If the same domain is specified in both arguments, the request will be continuously redirected to the same unavailable virtual server in the system. If so, the user may not get the requested content.

authentication Indicates whether or not authentication is being applied to incoming users to the VPN.

curAAAUsers The number of current users logged in to this vserver.

AuthenticationDomain The domain of the authentication cookie set by Authentication vserver

policyName The name of the policy, if any, bound to the authentication vserver.

policy The name of the policy, if any, bound to the authentication vserver.

serviceName The name of the service, if any, to which the vserver policy is bound.

weight Weight for this service, if any. This weight is used when the system performs load balancing, giving greater priority to a specific service. It is useful when the services bound to a virtual server are of different capacity.

cacheVserver The name of the default target cache virtual server, if any, to which requests are redirected.

backupVServer The name of the backup vpn virtual server for this vpn virtual server.

cltTimeout The idle time, if any, in seconds after which the client connection is terminated.

soMethod VPN client applications are allocated from a block of Intranet IP addresses. That block may be exhausted after a certain number of connections. This switch specifies the method used to determine whether or not a new connection will spillover, or exhaust, the allocated block of Intranet IP addresses for that application. Possible values are CONNECTION or DYNAMICCONNECTION. CONNECTION means that a static integer value is the hard limit for the spillover threshold. The spillover threshold is described below. DYNAMICCONNECTION means that the spillover threshold is set according to the maximum number of connections defined for the vpn vserver.

soThreshold VPN client applications are allocated from a block of Intranet IP addresses. That block may be exhausted after a certain number of connections. The value of this option is number of client connections after which the Mapped IP address is used as the client source IP address instead of an address from the allocated block of Intranet IP addresses.

soPersistence Whether or not cookie-based site persistance is enabled for this VPN vserver. Possible values are ‘ConnectionProxy’, HTTPRedirect, or NONE

soPersistenceTimeOut The timeout, if any, for cookie-based site persistance of this VPN vserver.

priority The priority, if any, of the vpn vserver policy.

downStateFlush Perform delayed clean up of connections on this vserver.

type Bindpoint to which the policy is bound.

actType disablePrimaryOnDown Tells whether traffic will continue reaching backup vservers even after primary comes UP from DOWN state.

Listenpolicy Listenpolicy configured for authentication vserver

Listenpriority Priority of listen policy for authentication vserver

tcpProfileName The name of the TCP profile.

httpProfileName Name of the HTTP profile.

comment Any comments associated with this virtual server.

policySubType stateflag flags appflowLog Log AppFlow flow information.

vstype Virtual Server Type, e.g. Load Balancing, Content Switch, Cache Redirection

state Initial state of the new virtual server.

ngname Nodegroup devno to which this authentication vsever belongs to

maxLoginAttempts Maximum Number of login Attempts

failedLoginTimeout Number of minutes an account will be locked if user exceeds maximum permissible attempts

secondary Bind the authentication policy to the secondary chain. Provides for multifactor authentication in which a user must authenticate via both a primary authentication method and, afterward, via a secondary authentication method. Because user groups are aggregated across authentication systems, usernames must be the same on all authentication servers. Passwords can be different.

groupExtraction Bind the Authentication policy to a tertiary chain which will be used only for group extraction. The user will not authenticate against this server, and this will only be called if primary and/or secondary authentication has succeeded.

nextFactor On success invoke label.

gotoPriorityExpression Expression specifying the priority of the next policy which will get evaluated if the current policy rule evaluates to TRUE.

portaltheme Theme for Authentication virtual server Login portal

noDefaultBindings to determine if the configuration will have default ssl CIPHER and ECC curve bindings

certkeyNames Name of the certificate key that was bound to the corresponding SSL virtual server as the Certificate Authority for the device certificate

SameSite SameSite attribute value for Cookies generated in AAATM context. This attribute value will be appended only for the cookies which are specified in the builtin patset ns_cookies_samesite

devno count

Example

show authentication vserver

set authentication vserver

Modifies the specified parameters of an existing authentication virtual server.

Synopsis

set authentication vserver \[-IPAddress <ip\_addr|ipv6\_addr|\*>] \[-authentication \( ON | OFF )] \[-comment ] \[-appflowLog \( ENABLED | DISABLED )] \[-maxLoginAttempts <positive\_integer>] \[-failedLoginTimeout ] \[-certkeyNames ] \[-SameSite ]

Arguments

name Name of the virtual server to modify.

IPAddress IP address of the authentication virtual server, if a single IP address is assigned to the virtual server.

authentication Require users to be authenticated before sending traffic through this virtual server.

Possible values: ON, OFF Default value: ON

comment Any comments associated with this virtual server.

appflowLog Log AppFlow flow information.

Possible values: ENABLED, DISABLED Default value: ENABLED

maxLoginAttempts Maximum Number of login Attempts Minimum value: 1 Maximum value: 255

failedLoginTimeout Number of minutes an account will be locked if user exceeds maximum permissible attempts Minimum value: 1

certkeyNames Name of the certificate key that was bound to the corresponding SSL virtual server as the Certificate Authority for the device certificate

SameSite SameSite attribute value for Cookies generated in AAATM context. This attribute value will be appended only for the cookies which are specified in the builtin patset ns_cookies_samesite

Possible values: None, LAX, STRICT