Client source IP address tracking

NetScaler supports validating the client IP address after validating the NSC_TMAS cookie to ensure that requests are generated from the same client IP address. If a client request comes from a different source IP, even with a valid session cookie, the session is discarded, and the user will be prompted to log in again. This adds an extra layer of security and verification to the authentication process.

Configure client source IP address tracking for sessions

To support this functionality, two new PI expressions, AAA.USER.SOURCEIP and AAA.USER.SOURCEIPV6, are introduced. These expressions return the source IPv4/IPv6 address stored in the AAA-TM or AAA session. Using these expressions, you can create an authorization policy that validates the client's source IP address on every request that carries the session cookie.

Note:

The AAA.USER.SOURCEIP and AAA.USER.SOURCEIPV6 expressions are only available in NetScaler 14.1-25.x, 13.1-53.x, 13.1-37 FIPS and later releases.

To configure an authorization policy using PI expressions:

At the command prompt, type:

add authorization policy <policy_name> <expression> <action>

Example:

add lb vserver <LB_VS> HTTP <LB_VIP> <PORT> -AuthenticationHost <AUTH_VIP> -Authentication ON
add authentication vserver <AUTH_VS> SSL <AUTH_VIP> <PORT>
add authorization policy validateClientIP "AAA.USER.SOURCEIP.EQ(CLIENT.IP.SRC).NOT" DENY
bind lb vserver <LB_VS> -policy validateClientIP -priority 1
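The following is an added illustration, not NetScaler code: a minimal Python model of the check the authorization policy above performs. It records the client source IP when a session is created, compares it with the source IP of each request carrying the NSC_TMAS cookie, and discards the session on a mismatch so the client must log in again. The SessionStore class, its method names and the sample addresses are assumptions made for this model; it also covers the IPv6 case that AAA.USER.SOURCEIPV6 serves, including different textual spellings of the same IPv6 address.

```python
import ipaddress
import secrets

COOKIE_NAME = "NSC_TMAS"  # session cookie name referenced on this page


class SessionStore:
    """Hypothetical model of an AAA-TM session table keyed by the NSC_TMAS cookie value."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, source_ip):
        """Create a session after successful authentication and record the client source IP.
        Returns the cookie value (constructed token) that the client will present later."""
        token = secrets.token_hex(16)
        self._sessions[token] = {
            "user": user,
            "source_ip": ipaddress.ip_address(source_ip),  # normalises IPv4 and IPv6 text forms
        }
        return token

    def authorize(self, cookies, request_src_ip):
        """Return (allowed, reason) for one request.

        Mirrors a DENY policy on AAA.USER.SOURCEIP.EQ(CLIENT.IP.SRC).NOT (or the
        SOURCEIPV6 equivalent): a valid cookie from a different source address is
        rejected and the session is discarded, so the user is prompted to log in again."""
        token = cookies.get(COOKIE_NAME)
        session = self._sessions.get(token)
        if session is None:
            return False, "no valid session; redirect to login"
        try:
            current = ipaddress.ip_address(request_src_ip)
        except ValueError:
            return False, "unparseable request source address"
        if current != session["source_ip"]:
            del self._sessions[token]  # discard the session on mismatch
            return False, (f"source IP changed {session['source_ip']} -> {current}; "
                           "session discarded, re-login required")
        return True, "source IP matches the session"

    def has_session(self, token):
        """True while the cookie value still maps to a live session."""
        return token in self._sessions
```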