-
Getting Started with NetScaler
-
Deploy a NetScaler VPX instance
-
Optimize NetScaler VPX performance on VMware ESX, Linux KVM, and Citrix Hypervisors
-
Apply NetScaler VPX configurations at the first boot of the NetScaler appliance in cloud
-
Configure simultaneous multithreading for NetScaler VPX on public clouds
-
Install a NetScaler VPX instance on Microsoft Hyper-V servers
-
Install a NetScaler VPX instance on Linux-KVM platform
-
Prerequisites for installing NetScaler VPX virtual appliances on Linux-KVM platform
-
Provisioning the NetScaler virtual appliance by using OpenStack
-
Provisioning the NetScaler virtual appliance by using the Virtual Machine Manager
-
Configuring NetScaler virtual appliances to use SR-IOV network interface
-
Configure a NetScaler VPX on KVM hypervisor to use Intel QAT for SSL acceleration in SR-IOV mode
-
Configuring NetScaler virtual appliances to use PCI Passthrough network interface
-
Provisioning the NetScaler virtual appliance by using the virsh Program
-
Provisioning the NetScaler virtual appliance with SR-IOV on OpenStack
-
Configuring a NetScaler VPX instance on KVM to use OVS DPDK-Based host interfaces
-
-
Deploy a NetScaler VPX instance on AWS
-
Deploy a VPX high-availability pair with elastic IP addresses across different AWS zones
-
Deploy a VPX high-availability pair with private IP addresses across different AWS zones
-
Protect AWS API Gateway using the NetScaler Web Application Firewall
-
Configure a NetScaler VPX instance to use SR-IOV network interface
-
Configure a NetScaler VPX instance to use Enhanced Networking with AWS ENA
-
Deploy a NetScaler VPX instance on Microsoft Azure
-
Network architecture for NetScaler VPX instances on Microsoft Azure
-
Configure multiple IP addresses for a NetScaler VPX standalone instance
-
Configure a high-availability setup with multiple IP addresses and NICs
-
Configure a high-availability setup with multiple IP addresses and NICs by using PowerShell commands
-
Deploy a NetScaler high-availability pair on Azure with ALB in the floating IP-disabled mode
-
Configure a NetScaler VPX instance to use Azure accelerated networking
-
Configure HA-INC nodes by using the NetScaler high availability template with Azure ILB
-
Configure a high-availability setup with Azure external and internal load balancers simultaneously
-
Configure a NetScaler VPX standalone instance on Azure VMware solution
-
Configure a NetScaler VPX high availability setup on Azure VMware solution
-
Configure address pools (IIP) for a NetScaler Gateway appliance
-
Deploy a NetScaler VPX instance on Google Cloud Platform
-
Deploy a VPX high-availability pair on Google Cloud Platform
-
Deploy a VPX high-availability pair with external static IP address on Google Cloud Platform
-
Deploy a single NIC VPX high-availability pair with private IP address on Google Cloud Platform
-
Deploy a VPX high-availability pair with private IP addresses on Google Cloud Platform
-
Install a NetScaler VPX instance on Google Cloud VMware Engine
-
-
Solutions for Telecom Service Providers
-
Load Balance Control-Plane Traffic that is based on Diameter, SIP, and SMPP Protocols
-
Provide Subscriber Load Distribution Using GSLB Across Core-Networks of a Telecom Service Provider
-
Authentication, authorization, and auditing application traffic
-
Basic components of authentication, authorization, and auditing configuration
-
Web Application Firewall protection for VPN virtual servers and authentication virtual servers
-
On-premises NetScaler Gateway as an identity provider to Citrix Cloud
-
Authentication, authorization, and auditing configuration for commonly used protocols
-
Troubleshoot authentication and authorization related issues
-
-
-
-
-
-
Configure DNS resource records
-
Configure NetScaler as a non-validating security aware stub-resolver
-
Jumbo frames support for DNS to handle responses of large sizes
-
Caching of EDNS0 client subnet data when the NetScaler appliance is in proxy mode
-
Use case - configure the automatic DNSSEC key management feature
-
Use Case - configure the automatic DNSSEC key management on GSLB deployment
-
-
-
Persistence and persistent connections
-
Advanced load balancing settings
-
Gradually stepping up the load on a new service with virtual server–level slow start
-
Protect applications on protected servers against traffic surges
-
Retrieve location details from user IP address using geolocation database
-
Use source IP address of the client when connecting to the server
-
Use client source IP address for backend communication in a v4-v6 load balancing configuration
-
Set a limit on number of requests per connection to the server
-
Configure automatic state transition based on percentage health of bound services
-
-
Use case 2: Configure rule based persistence based on a name-value pair in a TCP byte stream
-
Use case 3: Configure load balancing in direct server return mode
-
Use case 6: Configure load balancing in DSR mode for IPv6 networks by using the TOS field
-
Use case 7: Configure load balancing in DSR mode by using IP Over IP
-
Use case 10: Load balancing of intrusion detection system servers
-
Use case 11: Isolating network traffic using listen policies
-
Use case 12: Configure Citrix Virtual Desktops for load balancing
-
Use case 13: Configure Citrix Virtual Apps and Desktops for load balancing
-
Use case 14: ShareFile wizard for load balancing Citrix ShareFile
-
Use case 15: Configure layer 4 load balancing on the NetScaler appliance
-
-
-
-
-
Authentication and authorization for System Users
-
Configuring External User Authentication
-
-
-
Configuring a CloudBridge Connector Tunnel between two Datacenters
-
Configuring CloudBridge Connector between Datacenter and AWS Cloud
-
Configuring a CloudBridge Connector Tunnel Between a Datacenter and Azure Cloud
-
Configuring CloudBridge Connector Tunnel between Datacenter and SoftLayer Enterprise Cloud
-
Configuring a CloudBridge Connector Tunnel Between a NetScaler Appliance and Cisco IOS Device
-
CloudBridge Connector Tunnel Diagnostics and Troubleshooting
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
External user authentication
Authentication service in a NetScaler appliance can be local or external. In external user authentication, the appliance uses an external server such as LDAP, RADIUS, or TACACS+ to authenticate the user. To authenticate an external user and grant the user access into the appliance, you must apply an authentication policy. The NetScaler system authentication uses Advanced authentication policies with advanced policy expressions. The Advanced authentication policies are also used for the system user management in a partitioned NetScaler appliance.
Note
If your appliance is still using Classic policies and its expressions, you must stop using it and migrate your Classic policy usage to the Advanced policy infrastructure.
Once you create an authentication policy, you must bind it to the system global entity. You can configure an external authentication server (for example, TACACS) by binding a single authentication policy to the system global entity. Or, you can configure a cascade of authentication servers by binding multiple policies to the system global entity.
Note
When an external user logs into the appliance, the system generates an error message, “User does not exist” in the
ns.log
file. The occurrence is because the system runs the systemuser_systemcmdpolicy_binding command to initialize the GUI for the user.
LDAP authentication (using external LDAP servers)
You can configure the NetScaler appliance to authenticate user access with one or more LDAP servers. LDAP authorization requires identical group names in the Active directory, on the LDAP server, and on the appliance. The characters and case must also be the same.
For more information about LDAP authentication policies, see LDAP authentication policies topic.
By default, LDAP authentication is secured by using the SSL/TLS protocol. There are two types of secure LDAP connections. In the first type, the LDAP server accepts the SSL/TLS connection on a port separate from the port used to accept clear LDAP connections. After users establish the SSL/TLS connection, LDAP traffic can be sent over the connection. The second type allows both unsecure and secure LDAP connections and the single port handles it on the server. In this scenario, to create a secure connection, the client first establishes a clear LDAP connection. Then the LDAP command StartTLS is sent to the server over the connection. If the LDAP server supports StartTLS, the connection is converted to a secure LDAP connection by using TLS.
The port numbers for LDAP connections are:
- 389 for unsecured LDAP connections
- 636 for secure LDAP connections
- 3268 for Microsoft unsecure LDAP connections
- 3269 for Microsoft secure LDAP connections
LDAP connections that use the StartTLS command use port number 389. If port numbers 389 or 3268 are configured on the appliance, it tries to use StartTLS to make the connection. If any other port number is used, connection attempts use SSL/TLS. If StartTLS or SSL/TLS cannot be used, the connection fails.
When configuring the LDAP server, the case of the alphabetic characters must match that on the server and on the appliance. If the root directory of the LDAP server is specified, all subdirectories are also searched to find the user attribute. In large directories, it can affect performance. For this reason, Citrix recommends that you use a specific organizational unit (OU).
The following table lists examples of the base distinguished name (DN).
LDAP server | Base DN |
---|---|
Microsoft Active Directory | DC=Citrix, DC=local |
Novell eDirectory | dc=Citrix, dc=net |
IBM Directory Server | cn=users |
Lotus Domino | OU=City, O=Citrix, C=US |
Sun ONE directory (formerly iPlanet) | ou=People, dc=Citrix, dc=com |
The following table lists examples of the bind distinguished name (DN).
LDAP server | Bind DN |
---|---|
Microsoft Active Directory | CN=Administrator, CN=Users, DC=Citrix, DC=local |
Novell eDirectory | cn=admin, dc=Citrix, dc=net |
IBM Directory Server | LDAP_dn |
Lotus Domino | CN=Notes Administrator, O=Citrix, C=US |
Sun ONE directory (formerly iPlanet) | uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot |
Configure LDAP user authentication by using the CLI
Complete the following steps to configure LDAP authentication for external users
Configure LDAP policy
At the command prompt, do the following:
Step 1: Create an LDAP action.
add authentication ldapAction <name> {-serverIP <ip_addr|ipv6_addr|*> | {-serverName <string>}} >] [-authTimeout <positive_integer>] [-ldapBase <string>] [-ldapBindDn <string>] {-ldapBindDnPassword } [-ldapLoginName <string>] [-groupAttrName <string>] [-subAttributeName <string>]
Example:
add authentication ldapAction ldap_act -serverIP <IP> -authTimeout 30 -ldapBase "CN=xxxxx,DC=xxxx,DC=xxx" -ldapBindDn "CN=xxxxx,CN=xxxxx,DC=xxxx,DC=xxx" -ldapBindDnPassword abcd -ldapLoginName sAMAccountName -groupattrName memberOf -subAttributeName CN
For parameter description, see Authentication and authorization command reference topic.
Step 2: Create a classic LDAP policy.
add authentication ldapPolicy <name> <rule> [<reqAction>]
Example:
add authentication ldappolicy ldap_pol_classic ns_true ldap_act
Note
You can configure using a classic or an advanced LDAP policy but Citrix recommends you to use an advanced authentication policy because classic policies are deprecated from the NetScaler 13.0 release onwards.
Step 3: Create an advanced LDAP policy
add authentication Policy <name> <rule> [<reqAction>]
Example:
add authentication policy ldap_pol_advance -rule true -action ldap_act
Step 4: Bind the LDAP policy to system global
At the command line prompt, do the following:
bind system global <policyName> [-priority <positive_integer]
Example:
bind system global ldap_pol_advanced -priority 10
Configure LDAP user authentication by using the NetScaler GUI
- Navigate to System > Authentication > Advanced Policies > Policy.
- Click Add to create an authentication policy of type LDAP.
- Click Create and Close.
Bind an authentication policy to the system global for LDAP authentication using the NetScaler GUI
- Navigate to System > Authentication > Advanced Policies > Authentication PoliciesPolicy.
- In the details pane, click Global Bindings to create system global authentication policy binding.
- Click Global Bindings.
- Select an authentication profile.
- Select the LDAP policy.
-
In the System Global Authentication Policy Binding page, set the following parameters:
- Select Policy.
- Binding Details
- Click Bind and Done.
- Click Global Bindings to confirm that the policy bounded to the system global.
Determining attributes in the LDAP directory
If you need help with determining your LDAP directory attributes, you can easily look them up with the free LDAP browser from Softerra.
You can download the LDAP browser from the Softerra LDAP Administrator website at <http://www.ldapbrowser.com>
. After the browser is installed, set the following attributes:
- The host name or IP address of your LDAP server.
- The port of your LDAP server. The default is 389.
- The base DN field can be left blank.
- The information provided by the LDAP browser can help you determine the base DN needed for the Authentication tab.
- The Anonymous Bind check determines whether the LDAP server requires user credentials for the browser to connect to it. If the LDAP server requires credentials, leave the check box cleared.
After completing the settings, the LDAP browser displays the profile name in the left pane and connects to the LDAP server.
For more information, see LDAP topic.
Key-based authentication support for LDAP users
With key-based authentication, you can now fetch the list of public keys that are stored on the user object in the LDAP server through SSH. The NetScaler appliance during the role-based authentication (RBA) process must extract public SSH keys from the LDAP server. The retrieved public key, which is compatible with SSH, must allow you to log in through the RBA method.
A new attribute “sshPublicKey” is introduced in the “add authentication ldapAction” and “set authentication ldapAction” commands. By using this attribute, you can obtain the following benefits:
- Can store the retrieved public key, and the LDAP action uses this attribute to retrieve SSH key information from the LDAP server.
- Can extract attribute names of up to 24 KB.
Note
The external authentication server, such as LDAP is used only to retrieve SSH key information. It is not used for the authentication purpose.
Following is an example of the flow of events through SSH:
- SSH daemon sends an AAA_AUTHENTICATE request with password field empty to authentication, authorization, and auditing daemon port.
- If LDAP is configured to store the SSH public key, authentication, authorization, and auditing responds with the
sshPublicKey
attribute along with other attributes. - SSH daemon verifies these keys with the client keys.
- SSH daemon passes user name in the request payload, and authentication, authorization, and auditing returns the keys specific to this user along with generic keys.
To configure the sshPublicKey attribute, at the command prompt type the following commands:
-
With add operation, you can add “sshPublicKey” attribute while configuring the
ldapAction
command.add authentication ldapAction <name> {-serverIP <ip_addr|ipv6_addr|*> | {-serverName <string>}} [-serverPort <port>] … [-Attribute1 <string>] … [-Attribute16 <string>][-sshPublicKey <string>][-authentication off]<!--NeedCopy-->
-
With set operation, you can configure “sshPublicKey” attribute to an already added ldapAction command.
set authentication ldapAction <name> [-sshPublicKey <string>][-authentication off]<!--NeedCopy-->
RADIUS authentication (using external RADIUS servers)
You can configure the NetScaler appliance to authenticate user access with one or more RADIUS servers. If you are using RSA SecurID, SafeWord, or Gemalto Protiva products, use a RADIUS server.
For more information about RADIUS authentication policies, see RADIUS authentication.
Your configuration might require using a network access server IP address (NAS IP) or a network access server identifier (NAS ID). When configuring the appliance to use a RADIUS authentication server, use the following guidelines:
- If you enable use of the NAS IP, the appliance sends its configured IP address to the RADIUS server, rather than the source IP address used in establishing the RADIUS connection.
- If you configure the NAS ID, the appliance sends the identifier to the RADIUS server. If you do not configure the NAS ID, the appliance sends its host name to the RADIUS server.
- When the NAS IP address is enabled, the appliance ignores any NAS ID that it used for communicating with the RADIUS server.
Configure RADIUS user authentication by using the CLI
At the command prompt, do the following:
Step 1: Create an RADIUS action
add authentication radiusaction <name> -serverip <ip> -radkey <key> -radVendorID <id> -radattributetype <value>
Where,
radVendorID
RADIUS vendor ID attribute, used for RADIUS group extraction.
radAttributeType
RADIUS attribute type, used for RADIUS group extraction.
Example:
add authentication radiusaction RADserver531 rad_action -serverip 1.1.1.1 -radkey key123 -radVendorID 66 -radattributetype 6
Step 2: Create a classic RADIUS policy.
add authentication radiusPolicy <name> <rule> [<reqAction>]
Example:
add authentication radiuspolicy radius_pol_classic ns_true radius_act
Note
You can configure using a classic or an advanced RADIUS policy. Citrix recommends you to use the advanced authentication policy because classic policies are deprecated from the NetScaler 13.0 release onwards.
Step 3: Create an advanced RADIUS policy
add authentication policy <policyname> -rule true -action <radius action name>
Example:
add authentication policy rad_pol_advanced -rule true -action radserver531rad_action
Step 4: Bind the RADIUS policy to the system global.
bind system global <policyName> -priority <positive_integer
Example:
bind system global radius_pol_advanced -priority 10
Configure RADIUS user authentication by using the GUI
- Navigate to System > Authentication > Advanced Policies > Policy.
- Click Add to create an authentication policy of type RADIUS.
- Click Create and Close.
Bind the authentication policy to the system global for RADIUS authentication by using the GUI
- Navigate to System > Authentication > Advanced Policies > Policy.
- In the details pane, click Global Bindings to create system global authentication policy binding.
-
Click Global Bindings.
- Select RADIUS.
-
In the System Global Authentication Policy Binding page, set the following parameters:
- Select a policy.
- Binding Details.
- Click Bind and Close.
-
Click Global Bindings to confirm that the policy is bound to the system global.
Choose RADIUS user authentication protocols
The NetScaler appliance supports implementations of RADIUS that are configured to use any of several protocols for user authentication, including:
- Password Authentication Protocol
- Challenge-Handshake Authentication Protocol (CHAP)
- Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP Version 1 and Version 2)
If your deployment is configured to use RADIUS authentication and your RADIUS server is configured with a Password Authentication Protocol. You can strengthen user authentication by assigning a strong shared secret to the RADIUS server. Strong RADIUS shared secrets consist of random sequences of uppercase and lowercase letters, numbers, and punctuation, and are minimum 22 characters in length. If possible, use a random character generation program to determine RADIUS shared secrets.
To further protect RADIUS traffic, assign a different shared secret to each appliance or virtual server. When you define clients on the RADIUS server, you can also assign a separate shared secret to each client. Also, you must configure separately each policy that uses RADIUS authentication.
Configure IP address extraction
You can configure the appliance to extract the IP address from a RADIUS server. When a user authenticates with the RADIUS server, the server returns a framed IP address that is assigned to the user. The following are attributes for IP address extraction:
- Allows a remote RADIUS server to supply an IP address from the internal network for a user logged on to the appliance.
- Allows configuration for any RADIUS attribute using the type ip-address, including that are vendor encoded.
When configuring the RADIUS server for IP address extraction, you configure the vendor identifier and the attribute type.
The vendor identifier enables the RADIUS server to assign an IP address to the client from a pool of IP addresses that are configured on the RADIUS server. The vendor ID and attributes are used to make the association between the RADIUS client and the RADIUS server. The vendor ID is the attribute in the RADIUS response that provides the IP address of the internal network. A value of zero indicates that the attribute is not vendor encoded. The attribute type is the remote IP address attribute in a RADIUS response. The minimum value is one and the maximum value is 255.
A common configuration is to extract the RADIUS attribute framed IP address. The vendor ID is set to zero or is not specified. The attribute type is set to eight.
Group extraction for RADIUS by using the GUI
- Navigate to System > Authentication > Advanced Policies > Radius, and select a policy.
- Select or create RADIUS policy.
-
In the Configure Authentication RADIUS Server page, set the following parameters.
- Group Vendor Identifier
- Group Attribute Type
- Click OK and Close.
TACACS+ authentication (using external TACACS+ servers)
Important
Citrix recommends you do not modify any TACACS related configurations when you run a “clear ns config” command.
TACACS related configuration related to advanced policies is cleared and reapplied when the
RBAconfig
parameter is set to NO in “clear ns config” command for advanced policy.When the
RBAconfig
parameter is set to NO as part of the “clear config” operation, NetScaler retains the management access sessions, in addition to retaining the RBA configurations and TACACS policies.
You can configure a TACACS+ server for authentication. Similar to RADIUS authentication, TACACS+ uses a secret key, an IP address, and the port number. The default port number is 49. To configure the appliance to use a TACACS+ server, provide the server IP address and the TACACS+ secret. You must specify port only when the server port number in use is something other than the default port number of 49.
For more information, see TACACS authentication.
Configure TACACS+ authentication by using the GUI
- Navigate to System > Authentication > Advanced Policies > Policy.
- Click Add to create an authentication policy of type TACACS.
- Click Create and Close.
After the TACACS+ server settings are configured on the appliance, bind the policy to the system global entity.
Bind authentication policies to the system global entity by using the CLI
When the authentication policies are configured, bind the policies to the system global entity.
At the command line prompt, do the following:
bind system global <policyName> [-priority <positive_integer>]
Example:
bind system global pol_classic -priority 10
Also, read the Citrix article, CTX113820 to know about external authentication using TACACS.
Bind authentication policies to the system global entity by using the GUI
- Navigate to System > Authentication > Advanced Policies > Authentication Policies > Policy.
- In the details pane, click Global Bindings to create system global authentication policy binding.
-
Click Global Bindings.
- Select the TACACS policy.
-
In the System Global Authentication Policy Binding page, set the following parameters:
- Select Policy.
- Binding Details
- Click Bind and Close.
-
Click Global Bindings to confirm the policy bounded to the system global.
For more information about TACACS group extraction, read Citrix article CTX220024.
Display number of unsuccessful logon attempts for external users
The NetScaler appliance displays the number of invalid login attempts to the external user when you attempt at least one unsuccessful login before successfully logging on to the NetScaler management console.
Note
Currently, NetScaler supports only keyboard interactive authentication for external users with the “persistentLoginAttempts” parameter enabled in the system parameter.
At the command prompt, type:
set aaa parameter -maxloginAttempts <value> -failedLoginTimeout <value> -persistentLoginAttempts (ENABLED | DISABLED )]
Example:
set aaa parameter –maxloginAttempts 5 -failedLoginTimeout 4 –persistentLoginAttempts ENABLED
Following msg will be seen to external user when he tries 1 invalid login attempt before successfully login to the ADC management access.
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
###############################################################################
# #
# WARNING: Access to this system is for authorized users only #
# Disconnect IMMEDIATELY if you are not an authorized user! #
# #
###############################################################################
WARNING! The remote SSH server rejected X11 forwarding request.
Last login: Mon Aug 24 17:09:00 2020 from 10.10.10.10
The number of unsuccessful login attempts since the last successful login : 1
Done
>
The number of unsuccessful login attempts since the last successful login : 1
Done
>
<!--NeedCopy-->
Share
Share
In this article
- LDAP authentication (using external LDAP servers)
- Key-based authentication support for LDAP users
- RADIUS authentication (using external RADIUS servers)
- TACACS+ authentication (using external TACACS+ servers)
- Bind authentication policies to the system global entity by using the CLI
- Display number of unsuccessful logon attempts for external users
This Preview product documentation is Cloud Software Group Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Cloud Software Group Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Cloud Software Group product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.