I have been looking around for documentation on how to configure TACACS+ authentication with a Citrix Branch Repeater, but so far I have only been able to find documentation for the NetScaler. So I have set up a lab and decided to write the documentation myself.
For those who cannot be bothered to read this post, there is a video link at the bottom with a walkthrough.
My LAB
VMware Server running Windows Server 2003 Standard SP2 + trial version of Cisco ACS 3.2
ESX Server 4.1 running CitrixBranchRepeaterVPX-RC-5.6.1.43 trial from Citrix via the VMware Virtual Appliance Marketplace.
Device | IP address
--- | ---
ACS Server | 192.168.1.50
Citrix Branch Repeater | 192.168.1.223
Citrix Branch Repeater
This could not be easier. Simply go to [Security]->[Manage Users]
- Select the TACACS+ Authentication TAB
- Click the Checkbox [Enable TACACS+ Authentication]
- Enter your ACS IP Address [Your ACS IP address]
- Authentication port : [49] Default
- Your Shared Secret :[Your Secret Key]
- Use Encryption : [Checked by Default]
Click [Update]
ACS Server
On Network Configuration
- Click [Add Entry]
- AAA Client Hostname : [A hostname, does not have to match the CBR]
- AAA IP Address :[The actual IP address of the CBR]
- Key :[Your Shared Secret]
- Authenticate Using : [TACACS+ (Cisco IOS)] Default
- Other check boxes are left blank
- Click [Submit+Restart]
If you already have a TACACS+ user account, try logging into the CBR: you should get read-only access. Apparently so does anyone else with a TACACS+ account on that ACS!
User Setup
Nothing special, except that the user needs to be assigned to a group with EXEC access and privilege level 15 before they get full admin access to the CBR.
Group setup
You need to:
- Check [Shell (exec)]
- Check [Privilege Level] and set to [15]
- Click [Submit + Restart]
Note: You could also set this up against the individual user.
Log out and back into the CBR, and now you should have full admin access.
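Before touching the CBR itself, it is worth checking what access a given TACACS+ account will actually end up with, and which accounts on the ACS can log in at all (remember that every ACS account gets read-only access once the CBR is pointed at it). The script below is an added example, not from the original post or from Citrix/Cisco: it maps the ACS decision onto the CBR access levels described above (denied, read-only, or admin when Shell (exec) plus privilege level 15 are granted), and optionally runs that check live using the third-party `tacacs_plus` Python library (an assumption; `pip install tacacs_plus`). The `priv-lvl` attribute name is the standard TACACS+ authorization attribute, and the hosts, secret and account names are placeholders.

```python
"""Pre-flight check for Citrix Branch Repeater TACACS+ access (added example)."""
import re

DENIED = "denied"
READ_ONLY = "read-only"
ADMIN = "admin"

# priv-lvl as it appears in a TACACS+ authorization reply, e.g. b"priv-lvl=15"
# ('*' marks an optional attribute, '=' a mandatory one).
_PRIV_RE = re.compile(rb"^priv-lvl[=*](\d+)$")


def classify_access(authenticated, authz_valid, authz_args):
    """Map the ACS decision onto the access the CBR grants (rule from the post).

    - authentication failed                 -> denied
    - authenticated but no shell / priv 15  -> read-only (any ACS account lands here)
    - Shell (exec) allowed with priv-lvl 15 -> full admin
    """
    if not authenticated:
        return DENIED
    if not authz_valid:
        return READ_ONLY
    priv = 0
    for arg in authz_args:
        match = _PRIV_RE.match(arg)
        if match:
            priv = int(match.group(1))
    return ADMIN if priv == 15 else READ_ONLY


def check_account(host, secret, username, password, port=49, timeout=10):
    """Run the check live against an ACS, e.g. host="192.168.1.50" (placeholder).

    Requires the tacacs_plus library (third-party, imported lazily so the pure
    classification above stays usable without it). The shell authorization
    request mirrors what a device asks for when it needs EXEC access.
    """
    from tacacs_plus.client import TACACSClient  # assumption: tacacs_plus installed

    client = TACACSClient(host, port, secret, timeout=timeout)
    authen = client.authenticate(username, password)
    if not authen.valid:
        return classify_access(False, False, [])
    author = client.authorize(username, arguments=[b"service=shell", b"cmd="])
    return classify_access(True, author.valid, author.arguments)


if __name__ == "__main__":
    # Constructed sample: an ACS group with Shell (exec) and privilege level 15.
    print(classify_access(True, True, [b"priv-lvl=15"]))  # admin
```

Running `check_account()` against each account on the ACS before enabling TACACS+ on the CBR shows who will get read-only access and who will get admin, so the group changes can be made (or the extra accounts pruned) first.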
Here is a video of how to do this.
Summary
I was not able to find any documentation on how to configure the Citrix Branch Repeater with Cisco's TACACS+, so I set up a lab and worked it out for myself. What I would say is that setting up EXEC mode and privilege level 15 could break the way you currently log on to devices using TACACS+, so be careful.
Kudos. I haven't been very impressed with Citrix docs – for WANScaler and NetScaler.