NetScaler MAS supports a unified system of authentication, authorization, and accounting (AAA) protocols, including RADIUS, LDAP, and TACACS, in addition to supporting local servers for authenticating local users and groups. The unified support provides a common interface to authenticate and authorize all of the local and external AAA clients that access the system. NetScaler MAS can authenticate users regardless of the actual protocols they use to communicate with the system.
Cascading external authentication servers provides a continuous, non-failing process for authenticating and authorizing external users. If authentication fails on the first authentication server, NetScaler MAS attempts to authenticate the user by using the second external authentication server, and so on. To enable cascading authentication, you need to add the external authentication servers to NetScaler MAS. You can add any of the supported types of external authentication server (RADIUS, LDAP, and TACACS). For example, if you want to add four external authentication servers for cascading authentication, you can add two RADIUS servers, one LDAP server, and one TACACS server, or all four servers can be of the RADIUS type. You can configure up to 32 external authentication servers in NetScaler MAS.
1. In NetScaler MAS, navigate to System > Authentication > Authentication Summary.
2. On the Authentication page, under the Authentication heading, click Authentication Configuration.
3. On the Authentication Configuration page, select EXTERNAL from the Server Type drop-down list (only external servers can be cascaded).
4. Click Insert, and on the External Servers page, select one or multiple authentication servers that you would like to cascade.
5. Click OK to close the page.
The selected servers are displayed on the Authentication Servers page as shown in the figure below.
You can also specify the order of authentication by using the icon next to the server names to move servers up or down the list.
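The fall-through behaviour and ordering described above, modelled in Python as an added example (not NetScaler MAS code or its API). It assumes a rejected credential counts as a failure that moves on to the next server; the server names, accounts and helper functions are constructed for illustration. It flags logins that an earlier server rejects but a later one accepts, which is the case to review when ordering the list.

```python
from dataclasses import dataclass, field

MAX_EXTERNAL_SERVERS = 32  # limit stated on this page


@dataclass
class AuthServer:
    """Constructed stand-in for one external server (RADIUS, LDAP or TACACS)."""
    name: str
    kind: str
    accounts: dict = field(default_factory=dict)  # username -> password (sample data)

    def authenticate(self, user, password):
        return self.accounts.get(user) == password


def cascade_authenticate(servers, user, password):
    """Try servers in list order; return (accepting server or None, names tried)."""
    if len(servers) > MAX_EXTERNAL_SERVERS:
        raise ValueError("more than 32 external servers configured")
    tried = []
    for server in servers:
        tried.append(server.name)
        if server.authenticate(user, password):
            return server.name, tried
    return None, tried


def fallthrough_accounts(servers, credentials):
    """List logins rejected by earlier servers but accepted further down the cascade."""
    findings = []
    for user, password in credentials.items():
        accepted_by, tried = cascade_authenticate(servers, user, password)
        if accepted_by is not None and len(tried) > 1:
            findings.append((user, accepted_by, tried[:-1]))
    return findings


# Constructed sample: alice was removed from LDAP but still exists on a RADIUS server.
SERVERS = [
    AuthServer("ldap-1", "LDAP", {"bob": "b-pass"}),
    AuthServer("radius-1", "RADIUS", {"alice": "a-pass", "bob": "old-pass"}),
    AuthServer("tacacs-1", "TACACS", {}),
]
CREDENTIALS = {"alice": "a-pass", "bob": "b-pass", "carol": "c-pass"}

if __name__ == "__main__":
    for user, server, rejected_by in fallthrough_accounts(SERVERS, CREDENTIALS):
        print(f"{user}: accepted by {server} after rejection by {rejected_by}")
```

An account that should no longer have access has to be removed from every server in the cascade, not only the first one in the list.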