Citrix Branch Repeater Authentication with Cisco TACACS+

I have been looking about for documentation on how to configure TACACS+ authentication with a Citrix Branch Repeater; however, so far I have only been able to find documentation for NetScaler. So I have set up a lab and decided to write the documentation myself.

For those who cannot be bothered to read this post, there is a video link at the bottom of the post with a walkthrough.


My LAB

VMware Server running Windows Server 2003 Standard SP2 with a trial version of Cisco ACS 3.2

ESX Server 4.1 running CitrixBranchRepeaterVPX-RC-5.6.1.43, the Citrix trial appliance from the VMware Virtual Appliance Marketplace

ACS Server 192.168.1.50
Citrix Branch Repeater 192.168.1.223


Citrix Branch Repeater

This could not be easier. Simply go to [Security]->[Manage Users]

  • Select the TACACS+ Authentication tab
  • Tick the checkbox [Enable TACACS+ Authentication]
  • Enter your ACS IP address: [your ACS IP address] (192.168.1.50 in this lab)
  • Authentication port: [49] (the default)
  • Your Shared Secret: [your secret key] (this must match the key you enter on the ACS server)
  • Use Encryption: [checked by default]. Leave it checked: without it the TACACS+ packet body, including usernames and passwords, crosses the network in cleartext and the shared secret is not used at all.

Click [Update]

ACS Server

On Network Configuration:

  • Click [Add Entry]
  • AAA Client Hostname: [a hostname; it does not have to match the CBR]
  • AAA Client IP Address: [the actual IP address of the CBR] (192.168.1.223 in this lab)
  • Key: [your shared secret]
  • Authenticate Using: [TACACS+ (Cisco IOS)] (the default)
  • Leave the other checkboxes blank
  • Click [Submit + Restart]


If you already have a TACACS+ user account, try logging in to the CBR: you should get read-only access. So, apparently, does anyone else with a TACACS+ account: any user that ACS will authenticate gets read-only access to the CBR, whether or not you intended them to have any access to it.


User Setup

Nothing special, except that the user needs to be assigned to a group with Shell (exec) access and privilege level 15 before they get full admin access to the CBR.


Group setup

You need to:

  • Check [Shell (exec)]
  • Check [Privilege Level] and set it to [15]
  • Click [Submit + Restart]

Note: you could also set this on the individual user instead of the group.


Log out of the CBR and back in, and you should now have full admin access.
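The three settings above (the shared secret, Use Encryption, and the group's Shell (exec) privilege level) each change something on the wire, and the following Python example shows what. It is an added example, not code from this post, from Citrix or from Cisco: the client side is a stand-in for the Branch Repeater and the server side a stand-in for ACS, both constructed here. The user names, passwords, the `https` port string, the client address 192.168.1.10 and the way the stand-in server stores the group's privilege level are all assumptions; the packet layout and the MD5 body obfuscation follow RFC 8907.

```python
"""TACACS+ (RFC 8907) login modelled on the CBR -> ACS exchange above. The client stands in
for the Branch Repeater, the server for ACS; both are constructed, not Citrix or Cisco code."""
import hashlib, os, struct

VERSION = 0xC0                   # major version 12, minor 0
TYPE_AUTHEN, TYPE_AUTHOR = 1, 2
FLAG_UNENCRYPTED = 0x01          # header flag set when "Use Encryption" is unchecked
ACTION_LOGIN = AUTHEN_ASCII = SVC_LOGIN = 1
ST_PASS, ST_FAIL, ST_GETPASS = 1, 2, 5
AUTHOR_PASS_ADD, AUTHOR_FAIL, METHOD_TACACSPLUS = 0x01, 0x10, 0x06
PORT, REM_ADDR = b"https", b"192.168.1.10"     # constructed client details sent in every request
# Constructed ACS stand-in: password plus the group's "Shell (exec)" privilege level.
# ro_user's group has no Shell (exec) entry; admin's group has Shell (exec) at level 15.
ACS_USERS = {"ro_user": ("Pa55word", None), "admin": ("S3cret!", 15)}
SESSIONS = {}                    # session_id -> username learned from the START packet

def pseudo_pad(session_id, key, seq_no, length):
    """RFC 8907 s4.5 keystream: chained MD5 over session_id, key, version, seq_no."""
    sid, pad, prev = struct.pack("!I", session_id), b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([VERSION, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, seq_no, flags):
    """XOR the body with the pad; an involution, so the same call decodes a received body."""
    if flags & FLAG_UNENCRYPTED:
        return body              # shared secret unused: usernames and passwords go in clear
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))

def pack(ptype, seq_no, session_id, body, key, flags=0):
    hdr = struct.pack("!BBBBII", VERSION, ptype, seq_no, flags, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, seq_no, flags)   # the header is never obfuscated

def unpack(pkt, key):
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", pkt[:12])
    if version != VERSION or len(pkt) != 12 + length:
        raise ValueError("malformed TACACS+ packet")
    return ptype, seq_no, session_id, flags, obfuscate(pkt[12:], session_id, key, seq_no, flags)

def authen_start(user):
    """Authentication START body: action, priv_lvl, authen_type, service, four lengths, strings."""
    user = user.encode()
    return struct.pack("!8B", ACTION_LOGIN, 1, AUTHEN_ASCII, SVC_LOGIN, len(user), len(PORT),
                       len(REM_ADDR), 0) + user + PORT + REM_ADDR

def reply_status(body):
    """Status of an authentication REPLY, or None when its lengths do not add up (secret mismatch)."""
    status, _flags, mlen, dlen = struct.unpack("!BBHH", body[:6])
    return status if 6 + mlen + dlen == len(body) else None

def acs_handle(pkt, key):
    """ACS stand-in: a GETPASS round trip for authentication, then service=shell authorization."""
    ptype, seq, sid, flags, body = unpack(pkt, key)
    status, args = ST_FAIL, b""
    if ptype == TYPE_AUTHEN and seq == 1:                              # START
        ulen, plen, rlen, dlen = body[4:8]
        if 8 + ulen + plen + rlen + dlen == len(body):                 # garbage if the keys differ
            SESSIONS[sid] = body[8:8 + ulen].decode(errors="replace")
            status = ST_GETPASS
    elif ptype == TYPE_AUTHEN:                                         # CONTINUE carrying the password
        mlen, dlen = struct.unpack("!HH", body[:4])
        expected = ACS_USERS.get(SESSIONS.get(sid), (None, None))[0]
        if 5 + mlen + dlen == len(body) and body[5:5 + mlen].decode(errors="replace") == expected:
            status = ST_PASS
    else:                                                              # authorization REQUEST
        ulen, argc = body[4], body[7]
        priv = ACS_USERS.get(body[8 + argc:8 + argc + ulen].decode(errors="replace"), (None, None))[1]
        status = AUTHOR_FAIL if priv is None else AUTHOR_PASS_ADD     # FAIL: group has no Shell (exec)
        args = b"" if priv is None else f"priv-lvl={priv}".encode()
    head = struct.pack("!BBHH", status, 1 if args else 0, 0, 0)       # byte 2: flags (authen) or arg_cnt
    return pack(ptype, seq + 1, sid, head + (bytes([len(args)]) + args if args else b""), key, flags)

def cbr_login(user, password, cbr_key, acs_key=None, flags=0):
    """CBR stand-in. Returns (authenticated, priv_lvl): None means the read-only access every
    authenticated TACACS+ account gets, 15 means full admin. A different acs_key simulates a mismatch."""
    acs_key = cbr_key if acs_key is None else acs_key
    def exchange(ptype, seq, body, sid):   # one request/response pair through the stand-in server
        return unpack(acs_handle(pack(ptype, seq, sid, body, cbr_key, flags), acs_key), cbr_key)[4]
    sid = struct.unpack("!I", os.urandom(4))[0]
    if reply_status(exchange(TYPE_AUTHEN, 1, authen_start(user), sid)) != ST_GETPASS:
        return False, None
    pw = password.encode()
    if reply_status(exchange(TYPE_AUTHEN, 3, struct.pack("!HHB", len(pw), 0, 0) + pw, sid)) != ST_PASS:
        return False, None
    user_b, arg = user.encode(), b"service=shell"                     # authorization: its own session
    req = struct.pack("!9B", METHOD_TACACSPLUS, 1, AUTHEN_ASCII, SVC_LOGIN, len(user_b), len(PORT),
                      len(REM_ADDR), 1, len(arg)) + user_b + PORT + REM_ADDR + arg
    resp = exchange(TYPE_AUTHOR, 1, req, struct.unpack("!I", os.urandom(4))[0])
    status, argc, mlen, dlen = struct.unpack("!BBHH", resp[:6])
    attrs, pos = {}, 6 + argc + mlen + dlen
    for n in resp[6:6 + argc]:
        k, _, v = resp[pos:pos + n].decode().partition("=")
        attrs[k], pos = v, pos + n
    return True, int(attrs["priv-lvl"]) if status == AUTHOR_PASS_ADD and "priv-lvl" in attrs else None
```

Running `cbr_login("admin", "S3cret!", b"secret")` returns `(True, 15)`, which is the full-admin case; `cbr_login("ro_user", "Pa55word", b"secret")` returns `(True, None)`, the authenticated-but-read-only result any TACACS+ account gets when its group has no Shell (exec) entry; passing a different `acs_key` reproduces a shared-secret mismatch, where both sides decode each other's bodies into garbage and the login fails; and packing any request with `FLAG_UNENCRYPTED` leaves the username and password readable in the packet bytes, which is why Use Encryption stays checked.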


Here is a video of how to do this:

CBR and TACACS+


Summary

I was not able to find any documentation on how to configure the Citrix Branch Repeater with Cisco's TACACS+, so I set up a lab and worked it out for myself. One warning: the Shell (exec) and privilege level 15 settings you add to the group in ACS apply to every TACACS+ client that group's users log in to, not just the CBR, so they could change the way you currently log on to other devices using TACACS+. Be careful.
