Product Documentation

Configuring the External Authentication Server

The Citrix NetScaler SDX Management Service can authenticate users with local user accounts or by using an external authentication server. The appliance supports the following authentication types:

  • Local—Authenticates to the Management Service by using a password, without reference to an external authentication server. User data is stored locally on the Management Service.
  • RADIUS—Authenticates to an external RADIUS authentication server.
  • LDAP—Authenticates to an external LDAP authentication server.
  • TACACS—Authenticates to an external Terminal Access Controller Access-Control System (TACACS) authentication server.

To configure an external authentication, specify the authentication type, and configure an authentication server.

Adding a RADIUS Server

To configure RADIUS authentication, specify the authentication type as RADIUS, and configure the RADIUS authentication server.

Management Service supports RADIUS challenge response authentication according to the RADIUS specifications. RADIUS users can be configured with a one-time password on RADIUS server. When the user logs on to SDX appliance the user is prompted to specify this one time password.

To add a RADIUS server

  1. On the Configuration tab, under System, expand Authentication, and then click Radius.
  2. In the details pane, click Add.
  3. In the Create Radius Server dialogue box, type or select values for the parameters:
    • Name*—Name of the server.
    • Server Name / IP Address*—FQDN or Server IP address.
      Note: DNS should be able to resolve the specified  fully qualified domain name (FQDN) to an IP address, and only the primary DNS is used to resolve the FQDN.  To manually set the primary DNS, see the section “Adding  a Primary DNS for FQDN Name Resolution.”
    • Port*—Port on which the RADIUS server is running. Default value: 1812.
    • Time-out*—Number of seconds the system will wait for a response from the RADIUS server. Default value: 3.
    • Secret Key*—Key shared between the client and the server. This information is required for communication between the system and the RADIUS server.
    • Enable NAS IP Address Extraction—If enabled, the system’s IP address (Management Service IP) is sent to the server as the “nasip” in accordance with the RADIUS protocol.
    • NASID—If configured, this string is sent to the RADIUS server as the “nasid” in accordance with the RADIUS protocol.
    • Group Prefix—Prefix string that precedes group names within a RADIUS attribute for RADIUS group extraction.
    • Group Vendor ID—Vendor ID for using RADIUS group extraction.
    • Group Attribute Type—Attribute type for RADIUS group extraction.
    • Group Separator—Group separator string that delimits group names within a RADIUS attribute for RADIUS group extraction.
    • IP Address Vendor Identifier—Vendor ID of the attribute in the RADIUS which denotes the intranet IP. A value of 0 denotes that the attribute is not vendor encoded.
    • IP Address Attribute Type—Attribute type of the remote IP address attribute in a RADIUS response.
    • Password Vendor Identifier—Vendor ID of the password in the RADIUS response. Used to extract the user password.
    • Password Attribute Type—Attribute type of the password attribute in a RADIUS response.
    • Password Encoding—How passwords should be encoded in the RADIUS packets traveling from the system to the RADIUS server. Possible values: pap, chap, mschapv1, and mschapv2.
    • Default Authentication Group—Default group that is chosen when the authentication succeeds in addition to extracted groups.
    • Accounting—Enable Management Service to log audit information with RADIUS server.
  4. Click Create, and then, click Close.

Adding an LDAP Authentication Server

To configure LDAP authentication, specify the authentication type as LDAP, and configure the LDAP authentication server.

To add an LDAP server

  1. On the Configuration tab, under System, expand Authentication, and then click LDAP.
  2. In the details pane, click Add.
  3. In the Create LDAP Server dialogue box, type or select values for the parameters:
    • Name*—Name of the server.

    • Server Name / IP Address*—FQDN or Server IP address.
      Note: DNS should be able to resolve the specified FQDN to an IP address, and only the primary DNS is used to resolve the FQDN.  To manually set the primary DNS, see the section “Adding  a Primary DNS for FQDN Name Resolution.”

    • Port*—Port on which the LDAP server is running. Default value: 389.

    • Time-out*—Number of seconds the system will wait for a response from the LDAP server.

    • Base DN—Base, or node where the LDAP search should start.

    • Type—Type of LDAP server. Possible values: Active Directory (AD) and Novell Directory Service (NDS).

    • Administrative Bind DN—Full distinguished name that is used to bind to the LDAP server.

    • Administrative Password—Password that is used to bind to the LDAP server.

    • Validate LDAP Certificate—Check this option to validate the certificate received from LDAP server.

    • LDAP Host Name—Hostname for the LDAP server. If the validateServerCert parameter is enabled, this parameter specifies the host name on the certificate from the LDAP server. A host-name mismatch causes a connection failure.

    • Server Logon Name Attribute—Name attribute used by the system to query the external LDAP server or an Active Directory.

    • Search Filter—String to be combined with the default LDAP user search string to form the value. For example, vpnallowed=true with ldaploginame samaccount and the user-supplied username bob would yield an LDAP search string of: (&(vpnallowed=true)(samaccount=bob).

    • Group Attribute—Attribute name for group extraction from the LDAP server.

    • Sub Attribute Name—Subattribute name for group extraction from the LDAP server.

    • Security Type—Type of encryption for communication between the appliance and the authentication server. Possible values:

      PLAINTEXT: No encryption required.

      TLS: Communicate using TLS protocol.

      SSL: Communicate using SSL Protocol

    • Default Authentication Group—Default group that is chosen when the authentication succeeds in addition to extracted groups.

    • Referrals—Enable following of LDAP referrals received from LDAP server.

    • Maximum LDAP Referrals—Maximum number of LDAP referrals to follow.

    • Enable Change Password—Allow user to modify the password if the password expires. You can change the password only when the Security Type configured is TLS or SSL.

    • Enable Nested Group Extraction—Enable Nested Group extraction feature.

    • Maximum Nesting Level—Number of levels at which group extraction is allowed.

    • Group Name Identifier—Name that uniquely identifies a group in LDAP server.

    • Group Search Attribute—LDAP group search attribute. Used to determine to which groups a group belongs.

    • Group Search Subattribute—LDAP group search subattribute. Used to determine to which groups a group belongs.

    • Group Search Filter—String to be combined with the default LDAP group search string to form the search value.

  4. Click Create, and then click Close.

SSH public key authentication support for LDAP users

The SDX appliance can now authenticate the LDAP users through SSH public key authentication for logon. The list of public keys is stored on the user object in the LDAP server. During authentication, SSH extracts the SSH public keys from the LDAP server. The logon succeeds if any of the retrieved public key works with SSH.

The same attribute name of the extracted public key must be present in both LDAP server and in the Citrix NetScaler SDX appliance.

Important

For key-based authentication, you must specify a location of the public keys by setting the value of Authorizedkeysfile in /etc/sshd_config file in the following aspect:

AuthorizedKeysFile .ssh/authorized_keys

System User. You can specify the location of public keys for any system user by setting the value of Authorizedkeysfile in /etc/sshd_config file.

LDAP Users. The retrieved public key is stored in the /var/pubkey/<user_name>/tmp_authorized_keys-<pid>. The <pid> is the unique number added to differentiate between concurrent SSH requests from the same user. This is the temporary location to hold the public key during the authentication process. The public key is removed from the system once authentication is complete.

To login with the user, run the following command from the shell prompt:

$ ssh –i <private key> <username>@<IPAddress>

To configure LDAP server by using the GUI:

  1. Navigate to System > Authentication > LDAP.
  2. On the LDAP page, click **Servers** tab.
  3. Click any of the available LDAP servers.
  4. On the Configure Authentication LDAP Server page, check the Authentication checkbox for authentication purpose.

SSH-LDAP-public-key

Note

Uncheck the Authentication check box to use “sshPublicKeys” for authentication of LDAP users.

Adding a Primary DNS for FQDN Name Resolution

If you define a RADIUS or  an LDAP server by using the FQDN of the server rather than its IP address, you must manually set the primary DNS to resolve the server name, either by using the GUI or CLI.

To set the primary DNS by using the GUI, go to System > Network Configuration > DNS.

To set the primary DNS by using the CLI, follow these steps.

  1. Open a Secure Shell (SSH) console.
  2. Log on to the Citrix NetScaler SDX appliance by using the nsroot/nsroot credentials.
  3. Run the networkconfig command.
  4. Select the appropriate menu and update the DNS IPv4 Address , and save the changes.

If you run the networkconfig command again, you’ll see the updated DNS adddress.

Adding a TACACS Server

To configure TACACS authentication, specify the authentication type as TACACS, and configure the TACACS authentication server.

To add a TACACS server

  1. On the Configuration tab, under System, expand Authentication, and then click TACACS.
  2. In the details pane, click Add.
  3. In the Create TACACS Server dialogue box, type or select values for the parameters:
    • Name—Name of the TACAS server
    • IP Address—IP address of the TACACS server
    • Port—Port on which the TACACS Server is running. Default value: 49
    • Time-out—Maximum number of seconds the system will wait for a response from the TACACS server
    • TACACS Key —Key shared between the client and the server. This information is required for the system to communicate with the TACACS server
    • Accounting—Enables Management Service to log audit information with TACACAS server.
    • Default Authentication Group—Default group that is chosen when the authentication succeeds in addition to extracted groups.
  4. Click Create, and then click Close.

Configuring the External Authentication Server