Authentication Policies

Aug 31, 2016
The NetScaler ADC can authenticate users with local user accounts or by using an external authentication server. The appliance supports the following authentication types:
LOCAL
Authenticates to the NetScaler by using a password, without reference to an external authentication server. User data is stored locally on the NetScaler appliance.
RADIUS
Authenticates to an external RADIUS server.
LDAP
Authenticates to an external LDAP authentication server.
TACACS

Authenticates to an external Terminal Access Controller Access-Control System (TACACS) authentication server.

After a user authenticates to a TACACS server, the NetScaler ADC connects to the same TACACS server for all subsequent authorizations. When a primary TACACS server is unavailable, this feature prevents delays while the ADC waits for the first TACACS server to time out before resending the authorization request to the second TACACS server.

Note: When authenticating through a TACACS server, AAA-TM logs only successfully executed TACACS commands, to prevent the logs from showing TACACS commands that were entered by users who were not authorized to execute them.
CERT
Authenticates to the NetScaler appliance by using a client certificate, without reference to an external authentication server.
NEGOTIATE
Authenticates to a Kerberos authentication server. If there is an error in Kerberos authentication, NetScaler uses NTLM authentication.
SAML
Authenticates to a server that supports the Security Assertion Markup Language (SAML).
SAMLIDP
Configures the NetScaler ADC to serve as a Security Assertion Markup Language (SAML) Identity Provider (IdP).
WEB
Authenticates to a web server, providing the credentials that the web server requires in an HTTP request and analyzing the web server response to determine that user authentication was successful.

An authentication policy consists of an expression and an action. Authentication policies use NetScaler expressions.

After creating an authentication action and an authentication policy, bind it to an authentication virtual server and assign a priority to it. When binding it, also designate it as either a primary or a secondary policy. Primary policies are evaluated before secondary policies. In configurations that use both types of policy, primary policies are normally more specific policies while secondary policies are normally more general policies intended to handle authentication for any user accounts that do not meet the more specific criteria.

To add an authentication action by using the command line interface

If you do not use LOCAL authentication, you need to add an explicit authentication action. To do this, at the command prompt, type the following command:

add authentication tacacsAction <name> -serverip <IP> [-serverPort <port>] [-authTimeout <positive_integer>] [ ... ]

Example

> add authentication tacacsaction Authn-Act-1 -serverip 10.218.24.65 -serverport 1812 -authtimeout 15 -tacacsSecret "minotaur" -authorization OFF -accounting ON -auditFailedCmds OFF -defaultAuthenticationGroup "users"
 Done

To configure an authentication action by using the command line interface

To configure an existing authentication action, at the command prompt, type the following command:

set authentication tacacsAction <name> -serverip <IP> [-serverPort <port>] [-authTimeout <positive_integer>] [ ... ]

Example

> set authentication tacacsaction Authn-Act-1 -serverip 10.218.24.65 -serverport 1812 -authtimeout 15 -tacacsSecret "minotaur" -authorization OFF -accounting ON -auditFailedCmds OFF -defaultAuthenticationGroup "users"
 Done

To remove an authentication action by using the command line interface

To remove an existing RADIUS action, at the command prompt, type the following command:

rm authentication radiusAction <name>

Example

> rm authentication tacacsaction Authn-Act-1
 Done

To configure an authentication server by using the configuration utility

Note: In the configuration utility, the term server is used instead of action, but refers to the same task.
  1. Navigate to Security > AAA - Application Traffic > Policies > Authentication.
  2. In the details pane, on the Servers tab, do one of the following:
    • To create a new authentication server, click Add.
    • To modify an existing authentication server, select the server, and then click Open.
  3. In the Create Authentication Server or Configure Authentication Server dialog box, type or select values for the parameters.
    • Name*—radiusActionName (Cannot be changed for a previously configured action)
    • Authentication Type*—authtype (Set to RADIUS, cannot be changed)
    • IP Address*—serverip <IP>
    • IPV6*—Select the checkbox if the server IP is an IPv6 IP. (No command line equivalent.)
    • Port*—serverPort
    • Time-out (seconds)*—authTimeout
  4. Click Create or OK, and then click Close. The policy that you created appears in the Authentication Policies and Servers page.

To create and bind an authentication policy by using the command line interface

At the command prompt, type the following commands in the order shown to create and bind an authentication policy and verify the configuration:
  • add authentication negotiatePolicy <name> <rule> <reqAction>
  • show authentication localPolicy <name>
  • bind authentication vserver <name> -policy <policyname> [-priority <priority>] [-secondary]
  • show authentication vserver <name>

Example

> add authentication localPolicy Authn-Pol-1 ns_true
 Done
> show authentication localPolicy
1)      Name: Authn-Pol-1       Rule: ns_true          Request action: LOCAL
 Done
> bind authentication vserver Auth-Vserver-2 -policy Authn-Pol-1
 Done
> show authentication vserver Auth-Vserver-2
        Auth-Vserver-2 (10.102.29.77:443) - SSL Type: CONTENT
        State: UP
        Client Idle Timeout: 180 sec
        Down state flush: DISABLED
        Disable Primary Vserver On Down : DISABLED
        Authentication : ON
        Current AAA Users: 0
        Authentication Domain: myCompany.employee.com
1)      Primary authentication policy name: Authn-Pol-1 Priority: 0
 Done
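The action, policy and bind commands above form a chain of references, and the primary/secondary designation plus the priority value decide the order in which the virtual server evaluates the bound policies. The following script is an added example, not Citrix code: it parses a constructed ns.conf excerpt in the syntax shown in this article, reports dangling references (a policy whose action was never added, a binding to a policy that does not exist), and lists the evaluation order. It assumes the NetScaler convention that a lower priority value is evaluated first within the primary and secondary groups; the action and policy names are made up.

```python
import re

# Constructed ns.conf excerpt in the syntax used by this article; not a real configuration.
NS_CONF = """\
add authentication tacacsAction Authn-Act-1 -serverip 10.218.24.65 -authtimeout 15
add authentication localPolicy Authn-Pol-1 ns_true
add authentication tacacsPolicy Authn-Pol-2 ns_true Authn-Act-1
add authentication ldapPolicy Authn-Pol-3 ns_true Authn-Act-9
bind authentication vserver Auth-Vserver-2 -policy Authn-Pol-2 -priority 20
bind authentication vserver Auth-Vserver-2 -policy Authn-Pol-1 -priority 100 -secondary
bind authentication vserver Auth-Vserver-2 -policy Authn-Pol-3 -priority 10
"""

ACTION_RE = re.compile(r"^add authentication (\w+)Action (\S+)")
POLICY_RE = re.compile(r"^add authentication (\w+)Policy (\S+) (\S+)(?: (\S+))?")
BIND_RE = re.compile(r"^bind authentication vserver (\S+) -policy (\S+)(?: -priority (\d+))?( -secondary)?")

def parse_ns_conf(text):
    """Collect actions, policies and vserver bindings from ns.conf-style lines."""
    cfg = {"actions": {}, "policies": {}, "bindings": []}
    for line in text.splitlines():
        if m := ACTION_RE.match(line):
            cfg["actions"][m.group(2)] = m.group(1).lower()
        elif m := POLICY_RE.match(line):
            ptype, name, rule, action = m.groups()
            # localPolicy lines carry no action name: the request action is LOCAL
            cfg["policies"][name] = {"type": ptype.lower(), "rule": rule, "action": action}
        elif m := BIND_RE.match(line):
            vserver, policy, prio, secondary = m.groups()
            # A bind without -priority shows "Priority: 0" in the article's show output
            cfg["bindings"].append({"vserver": vserver, "policy": policy,
                                    "priority": int(prio) if prio else 0,
                                    "secondary": secondary is not None})
    return cfg

def evaluation_order(cfg, vserver):
    """Primary before secondary (as the article states); lower priority value first within each group (assumed)."""
    binds = [b for b in cfg["bindings"] if b["vserver"] == vserver]
    return [b["policy"] for b in sorted(binds, key=lambda b: (b["secondary"], b["priority"]))]

def dangling_references(cfg):
    """Report policies whose action is missing and bindings whose policy is missing."""
    issues = []
    for name, pol in cfg["policies"].items():
        if pol["action"] and pol["action"] not in cfg["actions"]:
            issues.append(f"policy {name} references missing action {pol['action']}")
    for b in cfg["bindings"]:
        if b["policy"] not in cfg["policies"]:
            issues.append(f"vserver {b['vserver']} binds missing policy {b['policy']}")
    return issues
```

Run against the constructed excerpt, evaluation_order returns Authn-Pol-3, Authn-Pol-2, then the secondary Authn-Pol-1, and dangling_references flags Authn-Pol-3 because Authn-Act-9 was never added.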

To modify an existing authentication policy by using the command line interface

At the command prompt, type the following command to modify an existing authentication policy:
set authentication localPolicy <name> <rule> [-reqaction <action>]

Example

> set authentication localPolicy Authn-Pol-1 'ns_true'  Done

To remove an authentication policy by using the command line interface

At the command prompt, type the following command to remove an authentication policy:
rm authentication localPolicy <name>

Example

> rm authentication localPolicy Authn-Pol-1  Done

To configure and bind authentication policies by using the configuration utility

  1. Navigate to Security > AAA - Application Traffic > Policies > Authentication, and then select the type of policy that you want to create.
  2. In the details pane, on the Policies tab, do one of the following:
    • To create a new policy, click Add.
    • To modify an existing policy, select the policy, and then click Edit.
  3. In the Create Authentication Policy or Configure Authentication Policy dialog, type or select values for the parameters.
    • Name*—policyname (Cannot be changed for a previously configured policy)
    • Authentication Type*—authtype
    • Server*—authVsName
    • Expression*—rule (You enter expressions by first choosing the type of expression in the leftmost drop-down list beneath the Expression window, and then by typing your expression directly into the expression text area, or by clicking Add to open the Add Expression dialog box and using the drop-down lists in it to construct your expression.)
  4. Click Create or OK. The policy that you created appears in the Policies page.
  5. Click the Servers tab, and in the details pane do one of the following:
    • To use an existing server, select it, and then click .
    • To create a new server, click Add, and follow the instructions.
  6. If you want to designate this policy as a secondary authentication policy, on the Authentication tab, click Secondary. If you want to designate this policy as a primary authentication policy, skip this step.
  7. Click Insert Policy.
  8. Choose the policy you want to bind to the authentication virtual server from the drop-down list.
  9. In the Priority column to the left, modify the default priority as needed to ensure that the policy is evaluated in the proper order.
  10. Click OK. A message appears in the status bar, stating that the policy has been configured successfully.