Authenticating with client certificates
Websites that contain sensitive content, such as online banking websites or websites with employee personal information, sometimes require client certificates for authentication. To configure AAA to authenticate users on the basis of client-side certificate attributes, you first enable client authentication on the traffic management virtual server and bind the root certificate to the authentication virtual server. Then, you implement one of two options. You can configure the default authentication type on the authentication virtual server as CERT, or you can create a certificate action that defines what the NetScaler appliance must do to authenticate users on the basis of a client certificate. In either case, your authentication server must support CRLs. You configure the ADC to extract the user name from the SubjectCN field or another specified field in the client certificate.
When the user tries to log on to an authentication virtual server for which an authentication policy is not configured, and a global cascade is not configured, the user name information is extracted from the specified field of the certificate. If the required field is extracted, the authentication succeeds. If the user does not provide a valid certificate during the SSL handshake, or if the user name extraction fails, authentication fails. After it validates the client certificate, the ADC presents a logon page to the user.
The following procedures assume that you have already created a functioning AAA configuration, and therefore they explain only how to enable authentication by using client certificates. These procedures also assume that you have obtained your root certificate and client certificates and have placed them on the ADC in the /nsconfig/ssl directory.
To configure the AAA client certificate parameters by using the command line interface
At the command prompt, type the following commands, in the order shown, to configure the certificate and verify the configuration:
add ssl certKey <certkeyName> -cert <certFile> -key <keyFile> -password -inform <inform> -expiryMonitor <expiryMonitor> -notificationPeriod <notificationPeriod>
bind ssl certKey <certkeyName> -vServer <vServerName> -CA -crlCheck Mandatory
show ssl certKey [<certkeyName>]
set aaa parameter -defaultAuthType CERT
show aaa parameter
set aaa certParams -userNameField "Subject:CN"
show aaa certParams
To configure the AAA client certificate parameters by using the configuration utility
- Navigate to Security > AAA - Application Traffic > Virtual Servers.
- In the details pane, select the virtual server that you want to configure to handle client certificate authentication, and then click Edit.
- On the Configuration page, under Certificates, click the right arrow (>) to open the CA Cert Key installation dialog.
- In the CA Cert Key dialog box, click Insert.
- In the CA Cert Key - SSL Certificates dialog box, click Install.
- In the Install Certificate dialog box, set the following parameters, whose names correspond to the CLI parameter names as shown:
  - Certificate-Key Pair Name*: certkeyName
  - Certificate File Name: certFile
  - Key File Name: keyFile
  - Certificate Format: inform
  - Certificate Bundle: bundle
  - Notify When Expires: expiryMonitor
  - Notification Period: notificationPeriod
- Click Install, and then click Close.
- In the CA Cert Key dialog box, in the Certificate list, select the root certificate.
- Click Save.
- Click Back to return to the main configuration screen.
- Navigate to Security > AAA - Application Traffic > Policies > Authentication > CERT.
- In the details pane, select the policy you want to configure to handle client certificate authentication, and then click Edit.
- In the Configure Authentication CERT Policy dialog, Server drop-down list, select the virtual server you just configured to handle client certificate authentication.
- Click OK. A message appears in the status bar, stating that the configuration completed successfully.
Support to notify the number of unsuccessful login attempts
The NetScaler appliance can now log the number of unsuccessful login attempts made since the last successful logon. The feature works only if the persistentLoginAttempts option is enabled on the appliance. By default, the option is disabled on the NetScaler appliance.
A NetScaler administrator can use this information to verify whether any unauthorized attempts have occurred on a secured external user account.
To use this feature, at the NetScaler appliance command prompt, type:
set aaa parameter [-maxLoginAttempts <value> [-failedLoginTimeout <value>]] -persistentLoginAttempts (ENABLED | DISABLED)
set aaa parameter -maxLoginAttempts 4 -failedLoginTimeout 3 -persistentLoginAttempts ENABLED
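The following added example (not part of the original documentation or of any Citrix tooling) audits a saved command list for the settings described in the client certificate and failed-login sections above: a CA binding with mandatory CRL checking, a configured user name field, and persistentLoginAttempts enabled. It assumes the configuration is available as text containing commands in the form shown on this page; the names root_ca and auth_vs and the sample configuration are constructed for illustration.

```python
import shlex

# Constructed sample: the commands from this page with hypothetical names
# (root_ca, auth_vs) filled in and two deliberately weak settings.
SAMPLE_CONFIG = '''
add ssl certKey root_ca -cert root.pem -inform PEM
bind ssl certKey root_ca -vServer auth_vs -CA -crlCheck Optional
set aaa parameter -defaultAuthType CERT
set aaa certParams -userNameField "Subject:CN"
set aaa parameter -maxLoginAttempts 4 -failedLoginTimeout 3
'''

def parse_command(line):
    """Split one CLI line into (leading words, {lowercased option: value})."""
    tokens = shlex.split(line.replace("\u2013", "-"))  # tolerate pasted en dashes
    words, opts, i = [], {}, 0
    while i < len(tokens) and not tokens[i].startswith("-"):
        words.append(tokens[i])
        i += 1
    while i < len(tokens):
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        opts[tokens[i].lstrip("-").lower()] = tokens[i + 1] if has_value else True
        i += 2 if has_value else 1
    return words, opts

def audit(config_text):
    """Return findings for the client-certificate settings described above."""
    aaa, ca_bindings = {}, []
    for line in filter(str.strip, config_text.splitlines()):
        words, opts = parse_command(line)
        command = " ".join(words[:3]).lower()
        if command == "bind ssl certkey" and opts.get("ca") and len(words) > 3:
            ca_bindings.append((words[3], opts.get("vserver"), opts.get("crlcheck")))
        elif command in ("set aaa parameter", "set aaa certparams"):
            aaa.update(opts)  # later lines override earlier ones
    findings = []
    if not ca_bindings:
        findings.append("no CA certificate is bound to a virtual server")
    for certkey, vserver, crl in ca_bindings:
        if str(crl).lower() != "mandatory":
            findings.append(f"{certkey} on {vserver}: crlCheck is {crl}, not Mandatory")
    if not isinstance(aaa.get("usernamefield"), str):
        findings.append("certParams userNameField is not set")
    if str(aaa.get("persistentloginattempts")).upper() != "ENABLED":
        findings.append("persistentLoginAttempts is not ENABLED")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the constructed sample, the audit reports the Optional CRL check and the missing persistentLoginAttempts setting; it does not judge defaultAuthType, because the page allows a certificate action as the alternative.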