Skip to content

aaa-user

The following operations can be performed on "aaa-user":

add| rm| set| unlock| bind| lock| show| unbind|

add aaa user

Adds a local AAA user account and verifies the configuration to ensure that it is correct.

Synopsis

add aaa user {-password }

Arguments

userName Name for the user. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after the user is added.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my aaa user" or "my aaa user").

password Password with which the user logs on. Required for any user account that does not exist on an external authentication server. If you are not using an external authentication server, all user accounts must have a password. If you are using an external authentication server, you must provide a password for local user accounts that do not exist on the authentication server.

Example

add aaa user johndoe -password abcd add aaa user johndoe -password The above example adds user johndoe with password abcd for first case, password supplied on prompt for second case

rm aaa user

Removes a local AAA user account and the associated configuration.

Synopsis

rm aaa user

Arguments

userName Name of the AAA user account to remove.

set aaa user

Configures the password for an existing local AAA user account. This command prompts you for a new password. NOTE: AAA does not request confirmation of the new password, so you might want to test the new password before sending it to the user.

Synopsis

set aaa user

Arguments

userName Name of the local AAA user account.

password Password with which the user logs on. Required for any user account that does not exist on an external authentication server. If you are not using an external authentication server, all user accounts must have a password. If you are using an external authentication server, you must provide a password for local user accounts that do not exist on the authentication server.

Example

set aaa user johndoe password abcd The above command sets the password for johndoe to abcd

unlock aaa user

Unlocks a AAA user account which has been locked earlier for exceeding login attempts.

Synopsis

unlock aaa user

Arguments

userName Name of the AAA user account to unlock.

bind aaa user

Binds a policy to the specified user account.

Synopsis

bind aaa user [-policy [-priority ] [-type ] [-gotoPriorityExpression ]] [-intranetApplication ] [-urlName ] [-intranetIP []] [-intranetIP6 []]

Arguments

userName User account to which to bind the policy.

policy Name for the policy that you are creating. Must begin with a letter, number, or the underscore character (_), and must consist only of letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore characters. Cannot be changed after the policy is added.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my policy" or "my policy").

priority Integer specifying the priority of the policy. A lower number indicates a higher priority. Policies are evaluated in the order of their priority numbers. Maximum value for default syntax policies is 2147483647 and for classic policies max priority is 64000. Minimum value: 0 Maximum value: 2147483647

type Bindpoint to which the policy is bound.

Possible values: REQUEST, UDP_REQUEST, DNS_REQUEST, ICMP_REQUEST Default value: REQUEST

intranetApplication Name of the intranet VPN application to which the policy applies.

urlName URL of the intranet application to which you are binding the policy.

intranetIP IP address of the intranet application to which you are binding the policy.

netmask Subnet mask for the IP range in which the intranet application to which you are binding the policy resides. Required if the intranet application has multiple IP addresses bound to it. Not needed if the intranet application resides on a single IP address.

gotoPriorityExpression Expression or other value specifying the next policy to evaluate if the current policy evaluates to TRUE. Specify one of the following values: * NEXT - Evaluate the policy with the next higher priority number. * END - End policy evaluation. * USE_INVOCATION_RESULT - Applicable if this policy invokes another policy label. If the final goto in the invoked policy label has a value of END, the evaluation stops. If the final goto is anything other than END, the current policy label performs a NEXT. * An expression that evaluates to a number. If you specify an expression, the number to which it evaluates determines the next policy to evaluate, as follows: * If the expression evaluates to a higher numbered priority, the policy with that priority is evaluated next. * If the expression evaluates to the priority of the current policy, the policy with the next higher numbered priority is evaluated next. * If the expression evaluates to a number that is larger than the largest numbered priority, policy evaluation ends. An UNDEF event is triggered if: * The expression is invalid. * The expression evaluates to a priority number that is numerically lower than the current policy's priority. * The expression evaluates to a priority number that is between the current policy's priority number (say, 30) and the highest priority number (say, 100), but does not match any configured priority number (for example, the expression evaluates to the number 85). This example assumes that the priority number increments by 10 for every successive policy, and therefore a priority number of 85 does not exist in the policy label.

intranetIP6 IP6 address of the intranet application to which you are binding the policy.

numaddr Number of addresses for the IPv6 range in which the intranet application to which you are binding the policy resides. Required if the intranet application has multiple IPv6 addresses bound to it. Not needed if the intranet application resides on a single IPv6 address. Minimum value: 1

Example

To bind intranetip to the user joe: bind aaa user joe -intranetip 10.102.1.123

lock aaa user

Locks a AAA user account for 24 hours unless it is explicitly unlocked by unlock aaa user ###Synopsis

lock aaa user

Arguments

userName Name of the AAA user account to lock.

show aaa user

Displays the current configuration of a AAA user account.

Synopsis

show aaa user [] [-loggedIn]

Arguments

userName Name of the user who has the account.

loggedIn Show whether the user is logged in or not.

Output

groupName The group name

policy The policy Name.

priority Integer specifying the priority of the policy. A lower number indicates a higher priority. Policies are evaluated in the order of their priority numbers. Maximum value for default syntax policies is 2147483647 and for classic policies max priority is 64000.

intranetApplication Name of the intranet VPN application to which the policy applies.

urlName The intranet url.

actType intranetIP The Intranet IP bound to the user

netmask The netmask for the Intranet IP

intranetIP6 The Intranet IP6 bound to the user

numaddr Numbers of ipv6 address bound starting with intranetip6

policySubType stateflag password Password with which the user logs on. Required for any user account that does not exist on an external authentication server. If you are not using an external authentication server, all user accounts must have a password. If you are using an external authentication server, you must provide a password for local user accounts that do not exist on the authentication server.

gotoPriorityExpression Expression specifying the priority of the next policy which will get evaluated if the current policy rule evaluates to TRUE.

type Bindpoint to which the policy is bound.

devno count

Example

Example

show aaa user joe UserName: joe IntranetIP: 10.102.1.123

   Bound to groups:
            GroupName: engg

Done

unbind aaa user

Unbinds a policy from the specified user account.

Synopsis

unbind aaa user [-policy [-type ]] [-intranetApplication ] [-urlName ] [-intranetIP []] [-intranetIP6 []]

Arguments

userName Name of the user account from which to unbind the policy.

policy Name of the policy to unbind.

type Bindpoint to which the policy is bound.

Possible values: REQUEST, UDP_REQUEST, DNS_REQUEST, ICMP_REQUEST Default value: REQUEST

intranetApplication Name of the intranet VPN application from which you are unbinding the policy.

urlName URL of the intranet application from which you are unbinding the policy.

intranetIP Intranet IP address of the application from which you are unbinding the policy.

netmask Subnet mask for the IP range in which the intranet application from which you are unbinding the policy resides. Required if the intranet application has multiple IP addresses bound to it. Not needed if the intranet application resides on a single IP address.

intranetIP6 IP6 address of the intranet application to which you are binding the policy.

numaddr Number of addresses for the IPv6 range in which the intranet application to which you are binding the policy resides. Required if the intranet application has multiple IPv6 addresses bound to it. Not needed if the intranet application resides on a single IP address. Minimum value: 1

Example

unbind AAA user joe -intranetip 10.102.1.123

Was this article helpful?