
Configuring Authorization Policies

When you configure an authorization policy, you can set it to allow or deny access to network resources in the internal network. For example, to allow users access to the 10.3.3.0 network, use the following expression:

REQ.IP.DESTIP==10.3.0.0 -netmask 255.255.0.0

Authorization policies are applied to users and groups. After a user is authenticated, NetScaler Gateway performs a group authorization check by obtaining the user’s group information from a RADIUS, LDAP, or TACACS+ server. If group information is available for the user, NetScaler Gateway checks the network resources allowed for the group.

To control which resources users can access, you must create authorization policies. If you do not need to create authorization policies, you can configure default global authorization.

If you create an expression within the authorization policy that denies access to a file path, you can only use the subdirectory path and not the root directory. For example, use fs.path contains “\\dir1\\dir2” instead of fs.path contains “\\rootdir\\dir1\\dir2”. If you use the second version in this example, the policy fails.

After you configure the authorization policy, you then bind it to a user or group as shown in the tasks below.

By default, authorization policies are validated first against policies that you bind to the virtual server and then against policies bound globally. If you bind a policy globally and want the global policy to take precedence over a policy that you bind to a user, group, or virtual server, you can change the priority number of the policy. Priority numbers start at zero. A lower priority number gives the policy higher precedence.

For example, if the global policy has a priority number of one and the user policy has a priority number of two, the global authorization policy is applied first.
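The following Python model is an added example, not part of the NetScaler Gateway documentation or product code. It parses the classic destination-IP expression form shown above (REQ.IP.DESTIP==<network> -netmask <mask>), then evaluates a set of bound policies in priority order so you can sanity-check which policy decides a given destination before committing the configuration. The model assumes that the first policy whose expression matches determines the action, that a configurable default action applies when nothing matches, and that at equal priority a policy bound to the virtual server, user, or group is evaluated before a global one; the policy names and addresses are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Classic expression form used on this page: REQ.IP.DESTIP==<network> -netmask <mask>
_DESTIP_RE = re.compile(r"^REQ\.IP\.DESTIP==(\S+)\s+-netmask\s+(\S+)$")


def parse_destip_rule(expr: str) -> ipaddress.IPv4Network:
    """Turn a DESTIP/netmask expression into a network object; reject anything else."""
    m = _DESTIP_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported expression: {expr!r}")
    # strict=False tolerates host bits in the network part, as the device does.
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)


@dataclass(frozen=True)
class Policy:
    name: str
    rule: str        # classic expression, e.g. "REQ.IP.DESTIP==10.3.0.0 -netmask 255.255.0.0"
    action: str      # "ALLOW" or "DENY"
    bind_point: str  # "vserver", "user", "group", or "global"
    priority: int    # lower number = higher precedence

    def matches(self, dest_ip: str) -> bool:
        return ipaddress.ip_address(dest_ip) in parse_destip_rule(self.rule)


# Assumed tie-break: non-global bind points are evaluated before global ones at equal priority.
_BIND_RANK = {"vserver": 0, "user": 0, "group": 0, "global": 1}


def evaluation_order(policies):
    """Sort by priority number first, then by bind point (assumption noted above)."""
    return sorted(policies, key=lambda p: (p.priority, _BIND_RANK[p.bind_point]))


def authorize(dest_ip: str, policies, default_action: str = "DENY"):
    """Return (action, deciding policy name); assumes first matching policy wins."""
    for policy in evaluation_order(policies):
        if policy.matches(dest_ip):
            return policy.action, policy.name
    return default_action, None


# Constructed sample: a user-bound allow for 10.3.0.0/16 at priority 2 and a
# global deny for the 10.3.3.0/24 subnet at priority 1, mirroring the page's
# "global priority one, user priority two" example.
POLICIES = [
    Policy("allow_10_3", "REQ.IP.DESTIP==10.3.0.0 -netmask 255.255.0.0", "ALLOW", "user", 2),
    Policy("deny_10_3_3", "REQ.IP.DESTIP==10.3.3.0 -netmask 255.255.255.0", "DENY", "global", 1),
]


def report(dest_ips, policies=POLICIES):
    """Convenience wrapper: map each destination to the decision and deciding policy."""
    return {ip: authorize(ip, policies) for ip in dest_ips}


if __name__ == "__main__":
    for ip, (action, name) in report(["10.3.3.7", "10.3.4.7", "192.168.1.1"]).items():
        print(f"{ip:>14} -> {action} (decided by {name})")
```

Running the block shows 10.3.3.7 denied by the global policy because its priority number is lower, 10.3.4.7 allowed by the user policy, and 192.168.1.1 falling through to the default action; swapping the two priority numbers reverses the first decision, which is the behaviour the priority paragraph describes.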

To configure an authorization policy:

  1. In the configuration utility, on the Configuration tab, expand NetScaler Gateway > Policies > Authorization.
  2. In the details pane, click Add.
  3. In Name, type a name for the policy.
  4. In Action, select Allow or Deny.
  5. In Expression, click Expression Editor.
  6. To start to configure the expression, click Select and choose the necessary elements. Click Done when your expression is complete.
  7. Click Create.

To bind an authorization policy to a user by using the configuration utility:

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > User Administration and then click AAA Users.
  2. In the details pane, select a user and then click Open.
  3. On the Authorization tab, click Insert Policy.
  4. Under Policy Name, double-click the policy.
  5. Under Priority, set the priority number and then click OK.

To bind an authorization policy to a group by using the configuration utility:

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > User Administration and then click AAA Groups.
  2. In the details pane, select a group and then click Open.
  3. On the Authorization tab, click Insert Policy.
  4. Under Policy Name, double-click the policy.
  5. Under Priority, set the priority number and then click OK.
