Configuring Default Global Authentication Types
When you installed NetScaler Gateway and ran the NetScaler Gateway wizard, you configured authentication within the wizard. This authentication policy is bound automatically to the NetScaler Gateway global level. The authentication type you configure within the NetScaler Gateway wizard is the default authentication type. You can change the default authorization type by running the NetScaler Gateway wizard again or you can modify the global authentication settings in the configuration utility.
If you need to add additional authentication types, you can configure authentication policies on NetScaler Gateway and bind the policies to NetScaler Gateway by using the configuration utility. When you configure authentication globally, you define the type of authentication, configure the settings, and set the maximum number of users that can be authenticated.
After configuring and binding the policy, you can set the priority to define which authentication type takes precedence. For example, you configure LDAP and RADIUS authentication policies. If the LDAP policy has a priority number of 10 and the RADIUS policy has a priority number of 15, the LDAP policy takes precedence, regardless of where you bind each policy. This is called cascading authentication.
You can select to deliver logon pages from the NetScaler Gateway in-memory cache or from the HTTP server running on NetScaler Gateway. If you choose to deliver the logon page from the in-memory cache, the delivery of the logon page from NetScaler Gateway is significantly faster than from the HTTP server. Choosing to deliver the logon page from the in-memory cache reduces the wait time when a large number of users log on at the same time. You can only configure the delivery of logon pages from the cache as part of a global authentication policy.
You can also configure the network address translation (NAT) IP address that is a specific IP address for authentication. This IP address is unique for authentication and is not the NetScaler Gateway subnet, mapped, or virtual IP addresses. This is an optional setting.
Note: You cannot use the NetScaler Gateway wizard to configure SAML authentication.
You can use the Quick Configuration wizard to configure LDAP, RADIUS, and client certificate authentication. When you run the wizard, you can select from an existing LDAP or RADIUS server configured on NetScaler Gateway. You can also configure the settings for LDAP or RADIUS. If you use two-factor authentication, Citrix recommends using LDAP as the primary authentication type.
To configure authentication globally
- In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Global Settings.
- In the details pane, under Settings, click Change authentication settings.
- In Maximum Number of Users, type the number of users who can be authenticated by using this authentication type.
- In NAT IP address, type the unique IP address for authentication.
- Select Enable static caching to deliver logon pages faster.
- Select Enable Enhanced Authentication Feedback to provide a message to users if authentication fails. The message users receive include password errors, account disabled or locked, or the user is not found, to name a few.
- In Default Authentication Type, select the authentication type.
- Configure the settings for your authentication type and then click OK.