Product Documentation

User Identity Management

Jul 19, 2017

An increasing number of security breaches and the growing popularity of mobile devices has emphasized the need to ensure that use of the external internet is compliant with the corporate policies and only authorized users access external resources provisioned by the corporate personnel. Identity Management makes this possible by verifying the identity of a person or a device. It does not determine what tasks the individual can take or what files the individual can see.

A Secure Web Gateway (SWG) deployment identifies the user before allowing access to the internet. All requests and responses from the user are inspected. User activity is logged, and records are exported to the NetScaler Management and Analytics System (MAS) for reporting. In NetScaler MAS, you can view the statistics about the user activities, transactions, and bandwidth consumption.

By default, only the user’s IP address is saved, but you can configure the NetScaler SWG appliance to record more details about the user, and use this identity information to create richer internet usage policies for specific users. 

The NetScaler appliance supports the following authentication modes for an explicit-proxy configuration.

  • Lightweight Directory Access Protocol (LDAP). Authenticates the user through an external LDAP authentication server. For more information, see LDAP Authentication Policies.
  • RADIUS. Authenticates the user through an external RADIUS server. For more information, see RADIUS Authentication Policies.
  • TACACS+. Authenticates the user through an external Terminal Access Controller Access-Control System (TACACS) authentication server. For more information, see Authentication Policies.
  • Negotiate. Authenticates the user through a Kerberos authentication server. If there is an error in Kerberos authentication, NetScaler uses NTLM authentication. For more information, see Negotiate Authentication Policies.

For transparent proxy, only IP-based LDAP authentication is currently supported. When a client request is received, the proxy authenticates the user by checking an entry for the client IP address in the active directory, and creates a session based on the user IP address. However, if you configure the ssoNameAttribute in an LDAP action, a session is created by using the username instead of the IP address.

Note

For explicit proxy, you must set the LDAP login name to sAMAccountName. For transparent proxy,  you must set the LDAP login name to networkAddress and attribute1 to sAMAccountName.

Example for Explicit Proxy Copy

add authentication ldapAction swg-auth-action-explicit -serverIP 10.105.157.116 -ldapBase "CN=Users,DC=CTXNSSFB,DC=COM" -ldapBindDn "CN=Administrator,CN=Users,DC=CTXNSSFB,DC=COM" -ldapBindDnPassword freebsd123$ -ldapLoginName sAMAccountName

Example for Transparent Proxy Copy

add authentication ldapAction swg-auth-action-explicit -serverIP 10.105.157.116 -ldapBase "CN=Users,DC=CTXNSSFB,DC=COM" -ldapBindDn "CN=Administrator,CN=Users,DC=CTXNSSFB,DC=COM" -ldapBindDnPassword freebsd123$ -ldapLoginName networkAddress -authentication disable -Attribute1 sAMAccountName

To set up user authentication by using the NetScaler SWG CLI

At the command prompt type:

add authentication vserver <vserver name> SSL

add authentication ldapAction <action name> -serverIP <ip_addr> -ldapBase <string> -ldapBindDn <string>

-ldapBindDnPassword -ldapLoginName <string>

add authentication Policy <policy name> -rule <expression> -action <string>

bind authentication vserver <vserver name> -policy <string> -priority <positive_integer>

set cs vserver <name> -authn401 ON -authnVsName <string>

Arguments

Vserver name

              Name of the authentication virtual server to which to bind the policy.

              Maximum Length: 127

serviceType

              Protocol type of the authentication virtual server. Always SSL.

              Possible values: SSL

              Default value: SSL

Action name

              Name for the new LDAP action. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after the LDAP action is added. The following requirement applies only to the NetScaler CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my authentication action" or 'my authentication action').

Maximum Length: 127

serverIP

              IP address assigned to the LDAP server.

ldapBase

              Base (node) from which to start LDAP searches. If the LDAP server is running locally, the default value of base is dc=netscaler, dc=com.  Maximum Length: 127

ldapBindDn

              Full distinguished name (DN) that is used to bind to the LDAP server.

              Default: cn=Manager,dc=netscaler,dc=com

Maximum Length: 127

ldapBindDnPassword

              Password used to bind to the LDAP server. 

Maximum Length: 127

ldapLoginName

              LDAP login name attribute. The NetScaler appliance uses the LDAP login name to query external LDAP servers or Active Directories.  Maximum Length: 127

Policy name

              Name for the advance AUTHENTICATION policy. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after AUTHENTICATION policy is created. The following requirement applies only to the NetScaler CLI:

              If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my authentication policy" or 'my authentication policy').

Maximum Length: 127

rule

              Name of the NetScaler named rule, or a default syntax expression, that the policy uses to determine whether to attempt to authenticate the user with the AUTHENTICATION server. 

Maximum Length: 1499

action

              Name of the authentication action to be performed if the policy matches.

Maximum Length: 127

priority

              Positive integer specifying the priority of the policy. A lower number specifies a higher priority. Policies are evaluated in the order of their priorities, and the first policy that matches the request is applied. Must be unique within the list of policies bound to the authentication virtual server. 

Minimum value: 0

Maximum Value: 4294967295

Example Copy

add authentication vserver swg-auth-vs SSL

Done

add authentication ldapAction swg-auth-action-explicit -serverIP 192.0.2.116 -ldapBase "CN=Users,DC=CTXNSSFB,DC=COM" -ldapBindDn "CN=Administrator,CN=Users,DC=CTXNSSFB,DC=COM" -ldapBindDnPassword zzzzz -ldapLoginName sAMAccountName

Done

add authenticationpolicy swg-auth-policy -rule true -action swg-auth-action-explicit                                                                                   Done

bind authentication vserver swg-auth-vs -policy swg-auth-policy -priority 1

Done

set cs vserver testswg -authn401 ON -authnVsName swg-auth-vs

Done

To enable user name logging by using the NetScaler SWG CLI

At the command prompt, type:

 set appflow param -AAAUserName ENABLED

Arguments

 AAAUserName

              Enable AppFlow AAA user name logging.

              Possible values: ENABLED, DISABLED

              Default value: DISABLED

Example Copy

set appflow param -AAAUserName ENABLED