Are you using an external authentication server for Citrix ADC management access login but you don’t want local users to be able to log in? Or do you want to know how to allow only specific system users to log in to management access?
In this blog post, we will look at ways to manage Citrix ADC management access and prevent local system users from logging in to management access. We will also review how to allow specific local system users to log in to management access when the external authentication server is configured in Citrix ADC.
Please note, local system users are the users created on the ADC appliance for management access. External users are the users created on the authentication server.
Prevent Local System Users from Logging in to Management Access
If external authentication is configured and, as an IT admin, you want to prevent local system users from logging in to management access, you must set the localAuth system parameter to DISABLED. Here’s how you do this:
CLI Configuration
At the command prompt, type the following:
set system parameter -localAuth <ENABLED|DISABLED>
When localAuth is set as DISABLED in system parameter, the CLI will look like this:
GUI Configuration
- Navigate to Configuration -> System -> Settings -> Change Global System Settings.
- Under Command Line Interface, uncheck Local Authentication.
With this configuration, local system users will not be able to log in to Citrix ADC management access.
Please note, the external authentication server must be configured and must be reachable for localAuth set to DISABLED to block local system user authentication. If the external server configured in Citrix ADC for management access is unreachable, local system users will be able to log in. This supports recovery of the Citrix ADC appliance.
Allow Specific Local System Users to Log in to Management Access
Let’s look at how you can allow specific local system users to log in to ADC management access. Along with external authentication configured in ADC and localAuth set to DISABLED in the system parameters, you also need to set externalAuth to DISABLED for the system user.
With externalAuth disabled for a system user, that local system user will be able to log in to management access, because the user is not validated against the external authentication server.
CLI Configuration
At the command prompt, type the following:
set system user <username> -externalAuth DISABLED
GUI Configuration
- Navigate to Configuration -> System -> User Administration -> Users.
- Select the system user and click on
- The System User page will appear. Click on Edit wizard and uncheck Enable External Authentication.
With this configuration, the user test will be able to log in to Citrix ADC management access.
The following table shows the user login functionality for Citrix ADC management access with localAuth set as DISABLED in system parameter:
| Configuration | External authentication server | Management access login |
| --- | --- | --- |
| set system parameter -localAuth disabled; external authentication server configured for ADC management access | Reachable from ADC | Local system users will not be able to log in |
| set system parameter -localAuth disabled; external authentication server configured for ADC management access; set system user <username> -externalAuth DISABLED | Reachable from ADC | Local system users will not be able to log in, except for the user where externalAuth is set as DISABLED |
| set system parameter -localAuth disabled; external authentication server configured for ADC management access; set system user <username> -externalAuth DISABLED | Unreachable/DOWN | All local system users will be able to log in |
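To audit an appliance against this table, the login rules can be evaluated over a saved copy of its configuration. The script below is an added example, not Citrix code: the sample configuration lines are constructed, the user names other than test are hypothetical, and it assumes both localAuth and externalAuth default to ENABLED when the option is absent.

```python
import shlex

# Constructed sample configuration lines (not taken from a real appliance).
SAMPLE_CONFIG = """\
set system parameter -localAuth DISABLED
add system user test PLACEHOLDER_HASH -encrypted
add system user backup_admin PLACEHOLDER_HASH -encrypted
add system user monitor PLACEHOLDER_HASH -encrypted
set system user test -externalAuth DISABLED
"""

def _option(tokens, name, default):
    """Return the value following the option `name` (case-insensitive), else default."""
    lowered = [t.lower() for t in tokens]
    if name.lower() in lowered:
        idx = lowered.index(name.lower())
        if idx + 1 < len(tokens):
            return tokens[idx + 1].upper()
    return default

def parse_config(text):
    """Extract the localAuth setting and each local user's externalAuth setting."""
    local_auth = "ENABLED"   # assumption: default when the option is absent
    users = {}               # username -> externalAuth value
    for line in text.splitlines():
        tokens = shlex.split(line)
        head = [t.lower() for t in tokens[:3]]
        if head == ["set", "system", "parameter"]:
            local_auth = _option(tokens, "-localAuth", local_auth)
        elif head[1:] == ["system", "user"] and head[0] in ("add", "set") and len(tokens) > 3:
            prev = users.get(tokens[3], "ENABLED")  # assumption: default ENABLED
            users[tokens[3]] = _option(tokens, "-externalAuth", prev)
    return local_auth, users

def local_logins_allowed(text, external_reachable):
    """Local users able to log in, following the table on this page."""
    local_auth, users = parse_config(text)
    if local_auth == "ENABLED" or not external_reachable:
        return sorted(users)  # localAuth still on, or the recovery fallback applies
    return sorted(u for u, ext in users.items() if ext == "DISABLED")

if __name__ == "__main__":
    for reachable in (True, False):
        print("external reachable:", reachable, local_logins_allowed(SAMPLE_CONFIG, reachable))
```

The unreachable case is the one worth reviewing: every local account becomes usable again, so each account the script lists there still needs a strong password.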
In this blog post, I’ve shown you how to secure Citrix ADC management access by disallowing the local system user, as well as how to restrict management access to specific local system users. Check out our Citrix ADC documentation for more information on managing user accounts and our secure deployment guide to learn more about securing the deployment of your appliances.