How to cascade external authentication servers

A NetScaler MAS supports a unified system of authentication, authorization, and accounting (AAA) protocols, including RADIUS, LDAP, and TACACS, in addition to supporting local servers for authenticating local users and groups. The unified support provides a common interface to authenticate and authorize all of the local and external AAA clients who are accessing the system. NetScaler MAS can authenticate users regardless of the actual protocols they to communicate with the system.

Cascading external authentication servers provides a continuous non-failing process for authenticating and authorizing external users. If authentication fails on the first authentication server, NetScaler MAS attempts to authenticate the user by using the second external authentication server, and so on. To enable cascading authentication, you need to add the external authentication servers to NetScaler MAS. You can add any type of the supported external authentication servers (RADIUS, LDAP, and TACACS). For example, if you want to add four external authentication servers for cascading authentication, you can add two RADIUS servers, one LDAP server, and one TACACS server, or all servers can be of RADIUS type. You can configure up to 32 external authentication servers in NetScaler MAS.

Configuring cascading external authentication servers

  1. In NetScaler MAS, navigate to System > Authentication.

  2. On the Authentication page, click Authentication Configuration.

  3. On the Authentication Configuration page, select EXTERNAL from the Server Type drop-down list (only external servers can be cascaded).

  4. Click Insert, and on the External Servers page, select one or multiple authentication servers that you would like to cascade.

  5. Select Enable fallback local authentication if you want the local authentication to take over if the external authentication fails.

  6. Click OK to close the page.

The selected servers are displayed under External Servers as shown in the figure below.

You can also specify the order of authentication by using the  icon next to the server names to move servers up or down the list.

localized image

How to cascade external authentication servers