Application Delivery Management

Enable external authentication servers and fallback options

Fallback option enables local authentication to take over if the external server authentication fails. A user configured on both NetScaler Console and external authentication server can log on to NetScaler Console, even if the configured external authentication servers are down or not reachable. To ensure fallback authentication work:

  • Non-nsroot users must be able to access NetScaler Console if external server is down or not reachable

  • You must add at least one external server

NetScaler Console also supports a unified system of authentication, authorization, and accounting (AAA) protocols (LDAP, RADIUS, and TACACS), along with local authentication. This unified support provides a common interface to authenticate and authorize all users and external AAA clients accessing the system.

NetScaler Console can authenticate users regardless of the actual protocols they to communicate with the system. Cascading external authentication servers provides a continuous non-failing process for authenticating and authorizing external users. If authentication fails on the first authentication server, NetScaler Console attempts to authenticate the user by using the second external authentication server, and so on. To enable cascade authentication, you must add the external authentication servers in NetScaler Console. You can add any type of the supported external authentication servers (RADIUS, LDAP, and TACACS).

For example, consider that you want to add four external authentication servers and configured two RADIUS servers, one LDAP server, and one TACACS server. NetScaler Console attempts to authenticate with the external servers, based on the configurations. In this example scenario, NetScaler Console attempts to:

  • Connect with the first RADIUS server

  • Connect with the second RADIUS server, if the authentication has failed with first RADIUS server

  • Connect with the LDAP server, if the authentication has failed with both RADIUS servers

  • Connect with the TACACS server, if the authentication has failed with both RADIUS servers and LDAP server.

Note

You can configure up to 32 external authentication servers in NetScaler Console.

Configure fallback and cascade external servers

  1. Navigate to Settings > Authentication.

  2. On the Authentication page, click Settings

  3. On the Authentication Configuration page, select EXTERNAL from the Server Type list (only external servers can be cascaded).

  4. Click Insert, and on the External Servers page, select one or multiple authentication servers to cascade.

  5. Select the Enable fallback local authentication check box if you want the local authentication to take over if the external authentication fails.

  6. Select the Log external group information check box if you want to capture the external user group information in the system audit log.

  7. Click OK to close the page.

    The selected servers are displayed under External Servers:

    External servers

You can also specify the order of authentication by using the icon next to the server names to move servers up or down the list.

Enable external authentication servers and fallback options