Configuring the External Authentication Server

May 04, 2017

The NetScaler Insight Center appliance can authenticate users with local user accounts or by using an external authentication server. The appliance supports the following authentication types:

  • Local—Authenticates to the NetScaler Insight Center appliance by using a password, without reference to an external authentication server. User data is stored locally on the NetScaler Insight Center appliance.
  • RADIUS—Authenticates to an external RADIUS authentication server.
  • LDAP—Authenticates to an external LDAP authentication server.
  • TACACS—Authenticates to an external Terminal Access Controller Access-Control System (TACACS) authentication server.

To configure external authentication, specify the authentication type and configure an authentication server.

Adding a RADIUS Server

Updated: 2014-04-08

To configure RADIUS authentication, specify the authentication type as RADIUS, and configure the RADIUS authentication server.

NetScaler Insight Center supports RADIUS challenge-response authentication according to the RADIUS specifications. RADIUS users can be configured with a one-time password on the RADIUS server. When the user logs on to the NetScaler Insight Center appliance, the user is prompted to specify this one-time password.

To add a RADIUS server

  1. On the Configuration tab, under System, expand Authentication, and then click Radius.
  2. In the details pane, click Add.
  3. In the Create Radius Server dialogue box, type or select values for the parameters:
    • Name*—Name of the server.
    • IP Address*—Server IP address.
    • Port*—Port on which the RADIUS server is running. Default value: 1812.
    • Time-out*—Number of seconds the system will wait for a response from the RADIUS server. Default value: 3.
    • Secret Key*—Key shared between the client and the server. This information is required for communication between the system and the RADIUS server.
    • Enable NAS IP Address Extraction—If enabled, the system's IP address is sent to the server as the "nasip" in accordance with the RADIUS protocol.
    • NASID—If configured, this string is sent to the RADIUS server as the "nasid" in accordance with the RADIUS protocol.
    • Group Prefix—Prefix string that precedes group names within a RADIUS attribute for RADIUS group extraction.
    • Group Vendor ID—Vendor ID for using RADIUS group extraction.
    • Group Attribute Type—Attribute type for RADIUS group extraction.
    • Group Separator—Group separator string that delimits group names within a RADIUS attribute for RADIUS group extraction.
    • IP Address Vendor Identifier—Vendor ID of the attribute in the RADIUS which denotes the intranet IP. A value of 0 denotes that the attribute is not vendor encoded.
    • IP Address Attribute Type—Attribute type of the remote IP address attribute in a RADIUS response.
    • Password Vendor Identifier—Vendor ID of the password in the RADIUS response. Used to extract the user password.
    • Password Attribute Type—Attribute type of the password attribute in a RADIUS response.
    • Password Encoding—How passwords should be encoded in the RADIUS packets traveling from the system to the RADIUS server. Possible values: pap, chap, mschapv1, and mschapv2.
    • Default Authentication Group—Default group that is chosen when the authentication succeeds in addition to extracted groups.
  4. Click Create, and then, click Close.
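The group-extraction parameters above (Group Vendor ID, Group Attribute Type, Group Prefix, Group Separator) describe how group names are pulled out of a RADIUS Access-Accept. The following added example, which is not Citrix code and only illustrates the documented settings, parses a constructed attribute section (vendor ID 99999 and vendor type 1 are placeholders) and applies those four settings; a vendor ID of 0 selects a plain, non-vendor-encoded attribute.

```python
import struct

VENDOR_SPECIFIC = 26  # RADIUS attribute type that wraps vendor-specific attributes (RFC 2865)

def parse_attributes(payload):
    """Yield (type, value) pairs from a RADIUS attribute section.
    Each attribute is 1 byte type, 1 byte total length (>= 2), then the value."""
    i = 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        yield atype, payload[i + 2:i + alen]
        i += alen

def extract_groups(payload, vendor_id, attr_type, prefix="", separator=","):
    """Apply the Group Vendor ID / Group Attribute Type / Group Prefix / Group
    Separator settings to an Access-Accept attribute section and return the groups.
    vendor_id == 0 selects a plain attribute of type attr_type instead of a VSA."""
    groups = []
    for atype, value in parse_attributes(payload):
        if vendor_id == 0:
            texts = [value] if atype == attr_type else []
        elif (atype == VENDOR_SPECIFIC and len(value) >= 6
              and struct.unpack("!I", value[:4])[0] == vendor_id):
            # After the 4-byte vendor ID the data is itself a type/length/value list.
            texts = [v for t, v in parse_attributes(value[4:]) if t == attr_type]
        else:
            texts = []
        for text in texts:
            for part in text.decode("utf-8", "replace").split(separator):
                if prefix and not part.startswith(prefix):
                    continue  # only parts carrying the prefix are group names
                name = part[len(prefix):].strip()
                if name:
                    groups.append(name)
    return groups

def vsa(vendor_id, vendor_type, text):
    """Build one Vendor-Specific attribute carrying a string sub-attribute."""
    data = text.encode("utf-8")
    body = struct.pack("!I", vendor_id) + bytes([vendor_type, 2 + len(data)]) + data
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body

# Constructed sample: Reply-Message (18) followed by a VSA with a placeholder
# vendor ID (99999) and vendor type 1 listing groups separated by ';'.
SAMPLE = bytes([18, 4]) + b"OK" + vsa(99999, 1, "GRP:admins;GRP:netops;guest")
```

With prefix `GRP:` and separator `;`, `extract_groups(SAMPLE, 99999, 1, "GRP:", ";")` returns `admins` and `netops`; `guest` lacks the prefix and is ignored.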

Adding an LDAP Authentication Server

Updated: 2014-06-10

To configure LDAP authentication, specify the authentication type as LDAP, and configure the LDAP authentication server.

To add an LDAP server

  1. On the Configuration tab, under System, expand Authentication, and then click LDAP.
  2. In the details pane, click Add.
  3. In the Create LDAP Server dialogue box, type or select values for the parameters:
    • Name*—Name of the server.
    • IP Address*—Server IP address.
    • Port*—Port on which the LDAP server is running. Default value: 389.
    • Time-out*—Number of seconds the system will wait for a response from the LDAP server.
    • Base DN—Base, or node where the LDAP search should start.
    • Type—Type of LDAP server. Possible values: Active Directory (AD) and Novell Directory Service (NDS).
    • Administrative Bind DN—Full distinguished name that is used to bind to the LDAP server.
    • Administrative Password—Password that is used to bind to the LDAP server.
    • Confirm Administrative Password—Retype the password that is used to bind to the LDAP server.
    • Validate LDAP Certificate—Check this option to validate the certificate received from LDAP server.
    • LDAP Host Name—Hostname for the LDAP server. If certificate validation (the validateServerCert parameter) is enabled, this parameter specifies the host name expected on the certificate from the LDAP server. A host-name mismatch causes a connection failure.
    • Server Logon Name Attribute—Name attribute used by the system to query the external LDAP server or an Active Directory.
    • Search Filter—String to be combined with the default LDAP user search string to form the search value. For example, vpnallowed=true with ldapLoginName samaccount and the user-supplied username bob would yield an LDAP search string of: (&(vpnallowed=true)(samaccount=bob)).
    • Group Attribute—Attribute name for group extraction from the LDAP server.
    • Sub Attribute Name—Subattribute name for group extraction from the LDAP server.
    • Security Type—Type of encryption for communication between the appliance and the authentication server. Possible values:
      • PLAINTEXT: No encryption.
      • TLS: Communicate using the TLS protocol.
      • SSL: Communicate using the SSL protocol.

    • Default Authentication Group—Default group that is chosen when the authentication succeeds in addition to extracted groups.
    • Referrals—Enable following of LDAP referrals received from LDAP server.
    • Enable Change Password—Allow user to modify the password if the password expires. You can change the password only when the Security Type configured is TLS or SSL.
    • Enable Nested Group Extraction—Enable Nested Group extraction feature.
    • Maximum Nesting Level—Number of levels at which group extraction is allowed.
    • Group Name Identifier—Name that uniquely identifies a group in LDAP server.
    • Group Search Attribute—LDAP group search attribute. Used to determine to which groups a group belongs.
    • Group Search Subattribute—LDAP group search subattribute. Used to determine to which groups a group belongs.
    • Group Search Filter—String to be combined with the default LDAP group search string to form the search value.
  4. Click Create, and then click Close.
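The Search Filter description above shows how the appliance combines the Server Logon Name Attribute, the user-supplied name and the optional filter into one LDAP search string. The following added example (not Citrix code, and not a claim about how the appliance itself handles escaping) reproduces that composition and applies RFC 4515 escaping to the user-supplied value, so that characters such as parentheses and asterisks in a name cannot change the filter's structure.

```python
def escape_ldap_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
    The characters ( ) * \\ and NUL become \\XX hex escapes; non-ASCII characters
    are escaped byte by byte as UTF-8."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        elif ord(ch) > 127:
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)

def build_user_search_filter(login_attr, username, search_filter=""):
    """Combine the Server Logon Name Attribute, the user-supplied username and the
    optional Search Filter the way the documentation's example shows, e.g.
    vpnallowed=true + samaccount + bob -> (&(vpnallowed=true)(samaccount=bob))."""
    user_clause = "(%s=%s)" % (login_attr, escape_ldap_filter_value(username))
    sf = search_filter.strip()
    if not sf:
        return user_clause  # no extra filter: search on the logon attribute alone
    if not sf.startswith("("):
        sf = "(" + sf + ")"  # wrap a bare attr=value pair so it nests under &
    return "(&%s%s)" % (sf, user_clause)

# Constructed inputs mirroring the documentation's example.
DOC_EXAMPLE = build_user_search_filter("samaccount", "bob", "vpnallowed=true")
```

`DOC_EXAMPLE` evaluates to `(&(vpnallowed=true)(samaccount=bob))`, matching the string given in the parameter description.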

Adding a TACACS Server

Updated: 2014-04-08

To configure TACACS authentication, specify the authentication type as TACACS, and configure the TACACS authentication server.

To add a TACACS server

  1. On the Configuration tab, under System, expand Authentication, and then click TACACS.
  2. In the details pane, click Add.
  3. In the Create TACACS Server dialogue box, type or select values for the parameters:
    • Name—Name of the TACACS server.
    • IP Address—IP address of the TACACS server.
    • Port—Port on which the TACACS server is running. Default value: 49.
    • Time-out—Maximum number of seconds the system will wait for a response from the TACACS server.
    • TACACS Key—Key shared between the client and the server. This information is required for the system to communicate with the TACACS server.
    • Confirm TACACS Key—Retype the key shared between the client and the server.
    • Default Authentication Group—Default group that is chosen when the authentication succeeds in addition to extracted groups.
  4. Click Create, and then click Close.