Product Documentation

How AAA Works

Aug 31, 2016

AAA provides security for a distributed internet environment by allowing any client with the proper credentials to connect securely to protected application servers from anywhere on the Internet. This feature incorporates the three security features of authentication, authorization, and auditing. Authentication enables the NetScaler ADC to verify the client's credentials, either locally or with a third-party authentication server, and allow only approved users to access protected servers. Authorization enables the ADC to verify which content on a protected server it should allow each user to access. Auditing enables the ADC to keep a record of each user's activity on a protected server.

To understand how AAA works in a distributed environment, consider an organization with an intranet that its employees access in the office, at home, and when traveling. The content on the intranet is confidential and requires secure access. Any user who wants to access the intranet must have a valid user name and password. To meet these requirements, the ADC does the following:
  • Redirects the user to the login page if the user accesses the intranet without having logged in.
  • Collects the user's credentials, delivers them to the authentication server, and caches them in a directory that is accessible through LDAP.
  • Verifies that the user is authorized to access specific intranet content before delivering the user's request to the application server.
  • Maintains a session timeout after which users must authenticate again to regain access to the intranet. (You can configure the timeout.)
  • Logs the user accesses, including invalid login attempts, in an audit log.
Authentication requires that several entities: the client, the NetScaler appliance, the external authentication server if one is used, and the application server, respond to each other when prompted by performing a complex series of tasks in the correct order. If you are using an external authentication server, this process can be broken down into the following fifteen steps.
  1. The client sends a GET request for a URL on the application server.
  2. The NetScaler appliance's traffic management virtual server redirects the request to the application server.
  3. The application server determines that the client has not been authenticated, and therefore sends an HTTP 200 OK response via the TM vserver to the client. The response contains a hidden script that causes the client to issue a POST request for /cgi/tm.
  4. The client sends a POST request for /cgi/tm.
  5. The NetScaler appliance's authentication virtual server redirects the request to the authentication server.
  6. The authentication server creates an authentication session, sets and caches a cookie that consists of the initial URL and the domain of the traffic management virtual server, and then sends an HTTP 302 response via the authentication virtual server, redirecting the client to /vpn/index.html.
  7. The client sends a GET request for /vpn/index.html.
  8. The authentication virtual server redirects the client to the authentication server login page.
  9. The client sends a GET request for the login page, enters credentials, and then sends a POST request with the credentials back to the login page.
  10. The authentication virtual server redirects the POST request to the authentication server.
  11. If the credentials are correct, the authentication server tells the authentication virtual server to log the client in and redirect the client to the URL that was in the initial GET request.
  12. The authentication virtual server logs the client in and sends an HTTP 302 response that redirects the client to the initially requested URL.
  13. The client sends a GET request for their initial URL.
  14. The traffic management virtual server redirects the GET request to the application server.
  15. The application server responds via the traffic management virtual server with the initial URL.

If you use local authentication, the process is similar, but the authentication virtual server handles all authentication tasks instead of forwarding connections to an external authentication server. The following figure illustrates the authentication process.

Figure 1. Authentication Process Traffic Flow

When an authenticated client requests a resource, the ADC, before sending the request to the application server, checks the user and group policies associated with the client account, to verify that the client is authorized to access that resource. The ADC handles all authorization on protected application servers. You do not need to do any special configuration of your protected application servers.

AAA-TM handles password changes for users by using the protocol-specific method for the authentication server. For most protocols, neither the user nor the administrator needs to do anything different than they would without AAA-TM. Even when an LDAP authentication server is in use, and that server is part of a distributed network of LDAP servers with a single designated domain administration server, password changes are usually handled seamlessly. When an authenticated client of an LDAP server changes his or her password, the client sends a credential modify request to AAA-TM, which forwards it to the LDAP server. If the user's LDAP server is also the domain administration server, that server responds appropriately and AAA-TM then performs the requested password change. Otherwise, the LDAP server sends AAA-TM an LDAP_REFERRAL response to the domain administration server. AAA-TM follows the referral to the indicated domain administration server, authenticates to that server, and performs the password change on that server.

When configuring AAA-TM with an LDAP authentication server, the system administrator must keep the following conditions and limitations in mind:

  • AAA-TM assumes that the domain administration server in the referral accepts the same bind credentials as the original server.
  • AAA-TM only follows LDAP referrals for password change operations. In other cases AAA-TM refuses to follow the referral.
  • AAA-TM only follows one level of LDAP referrals. If the second LDAP server also returns a referral, AAA-TM refuses to follow the second referral.

The ADC supports auditing of all states and status information, so you can see the details of what each user did while logged on, in chronological order. To provide this information, the appliance logs each event, as it occurs, either to a designated audit log file on the appliance or to a syslog server. Auditing requires configuring the appliance and any syslog server that you use.