AAA Authentication methods:
Netscaler supports 7 methods of authentication.
- Local: user accounts are created locally on the NetScaler. Authentication takes place without contacting an external authentication server.
- LDAP: LDAP is often used with Microsoft AD to validate users. It has 3 authentication types: Plaintext, SSL and TLS.
- Plaintext uses port 389 for communication and sends credentials in clear text.
- Secure LDAP (LDAPS) uses port 636 and supports SSL and TLS encryption. The NetScaler supports password changes through the AAA vserver, provided the connection is over port 636 and uses a certificate. When allowing password changes, it may be necessary to enable the “validate LDAP server certificate” option and to specify the FQDN of the LDAP server in the LDAP hostname field. Use the test connection option to verify that the connection is established successfully.
- RADIUS: used as the second factor in a two-factor implementation. The NetScaler appliance is configured as a client on the RADIUS server, registered with either the NSIP or the SNIP of the NetScaler depending on whether or not the RADIUS server is load balanced. RADIUS usually listens on port 1812. The RADIUS server can be added to the NetScaler by FQDN or IP address. The password encoding to use should be provided by the RADIUS provider so that the server can be configured correctly on the NetScaler.
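As an added example (NetScaler CLI, not taken from the original notes), the LDAP and RADIUS settings described above: a plaintext LDAP action on port 389 beside the LDAPS action with server-certificate validation, FQDN hostname and password change enabled, followed by a RADIUS action with the provider-supplied password encoding. IP addresses, object names, hostnames and secrets are constructed placeholders.

```nscli
# Constructed example: plaintext LDAP on port 389. Credentials cross the wire in clear text,
# so this is shown only as the weak baseline to compare against the LDAPS action below.
add authentication ldapAction ldap_plain_act -serverIP 10.0.0.5 -serverPort 389 -secType PLAINTEXT -ldapBase "dc=example,dc=com" -ldapBindDn "cn=svc-ns,ou=svc,dc=example,dc=com" -ldapBindDnPassword "<bind-password-placeholder>" -ldapLoginName sAMAccountName

# Hardened: LDAPS on port 636, server certificate validated against the FQDN given in
# -ldapHostName, and password change through the AAA vserver allowed (requires 636 + certificate).
add authentication ldapAction ldap_secure_act -serverName ldap.example.com -serverPort 636 -secType SSL -validateServerCert YES -ldapHostName ldap.example.com -ldapBase "dc=example,dc=com" -ldapBindDn "cn=svc-ns,ou=svc,dc=example,dc=com" -ldapBindDnPassword "<bind-password-placeholder>" -ldapLoginName sAMAccountName -passwdChange ENABLED

# RADIUS second factor: port 1812, shared secret and the password encoding supplied by the
# RADIUS provider. The RADIUS server itself must list the NetScaler NSIP (or the SNIP, when the
# RADIUS server is load balanced through the NetScaler) as a client with the same secret.
add authentication radiusAction radius_act -serverIP 10.0.0.20 -serverPort 1812 -radKey "<radius-shared-secret-placeholder>" -passEncoding mschapv2

# Advanced (non-deprecated) authentication policies wrapping the actions
add authentication Policy ldap_pol -rule true -action ldap_secure_act
add authentication Policy radius_pol -rule true -action radius_act

# AAA vserver with the hardened LDAP policy bound; chaining radius_pol as the second factor is
# done with an nFactor policy label and is not shown here.
add authentication vserver aaa_vs SSL 10.0.0.10 443
bind authentication vserver aaa_vs -policy ldap_pol -priority 100
```

The plaintext action is kept only for comparison; a deployment would bind ldap_secure_act and drop ldap_plain_act.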
- OAuth: OpenID Connect offloads authentication to external authentication vendors such as Google, Facebook and Twitter.
- The user makes a request to the TM vserver and is redirected to the AAA TM vserver for authentication; the user then sends the request to the AAA TM vserver.
- The AAA TM vserver redirects the user’s request to a third-party authorization server such as Google.
- The user is redirected to the third-party authorization server, where they are prompted to enter their Google credentials. The authorization server validates the user, returns a grant code with the user’s request and redirects the user back to the NetScaler AAA TM vserver.
- The user presents the grant code to the AAA TM vserver. The NetScaler sends this grant code to the third-party authorization server for validation; the authorization server validates the grant code and exchanges it for an access token.
- Using OpenID Connect, the NetScaler requests the user identity by sending the ID token obtained with the access token back to the third-party authorization server.
- The third-party authentication server returns the user identity to the AAA TM vserver.
- The AAA TM vserver has authenticated the user at this point and returns an AAA cookie along with a redirect back to the TM vserver.
- The user requests the resource hosted on the TM vserver, presenting the AAA cookie.
- The TM vserver checks the AAA cookie and allows access to the backend resource.
Note: Users are redirected to the third-party authentication server; once they are authenticated there, a token is sent to the NetScaler. Users do not submit their credentials to the NetScaler for it to validate them.
- TACACS+: Terminal Access Controller Access-Control System, a protocol originally intended for access to Unix terminals. The default port is udp 49. Like RADIUS, TACACS+ uses a shared secret key. You can use the test connection button to test connectivity.
- CERT: uses an authentication profile rather than an authentication server. The user is prompted for their client certificate; when the client provides it, the NetScaler checks the certificate against the root CA certificate as part of the initial SSL handshake. Certificate authentication uses a profile that specifies which attributes to extract after the user is authenticated. Two-factor authentication can also be configured. The AAA TM vserver must have the client authentication option enabled and the client certificate option set to mandatory or optional, and the CA certificate that issued the client certificate must be bound to the virtual server.
- Web: the NetScaler can authenticate users against a web authentication server by supplying the credentials the web server requires in an HTTP request and then analysing the web server’s response to determine whether authentication was successful. The policy must contain an expression that validates the authentication response.
Note: The Web authentication policy is deprecated from NetScaler 12.0 build 56.20 onwards and as an alternative, Citrix recommends you to use the advanced authentication policy (“add authentication Policy”). You can also use the nspepi utility tool for the conversion.
- Negotiate (Kerberos):
- The NetScaler appliance receives a request from a client.
- The traffic management (load balancing or content switching) virtual server on the NetScaler sends a challenge to the client.
- To respond to the challenge, the client obtains a Kerberos ticket.
- The client sends the Authentication Server of the KDC a request for a ticket-granting ticket (TGT) and receives the TGT.
- The client sends the TGT to the Ticket Granting Server of the KDC and receives a Kerberos ticket.
SAML (Security Assertion Markup Language):
When organizations provide access to applications through third-party authentication providers, SAML can be used to single sign-on the organization’s employees to these applications. SAML allows for complete separation of the identity provider and the service provider. The NetScaler appliance can be deployed as a SAML service provider (SP) or as a SAML identity provider (IdP).
- When a user wants to access a resource, they submit their request to the service provider (the NetScaler can be deployed as the SAML SP).
- The SP redirects unauthenticated users to the SAML IdP with a SAML request.
- The SAML IdP prompts the user to enter their credentials.
- The SAML IdP validates the credentials against a user database such as AD.
- Once the user is validated, the SAML IdP sends a SAML response back to the SAML SP to grant access to the resource.
- The user can then access any resource the SP makes available without re-authenticating for each application.
Note: The SAML authentication policy is deprecated from NetScaler 12.0 build 56.20 onwards and as an alternative, Citrix recommends you to use the advanced authentication policy (“add authentication Policy”). You can also use the nspepi utility tool for the conversion.
Netscaler SAML Setup:
- Specify the redirect URL for IDP.
- Create SAML policy and select SAML action.
- Configure the AAA-TM virtual server for the service provider and bind the SAML policy.
- Configure load balancing vserver and add SAML based authentication to it.
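As an added example (NetScaler CLI, not part of the original notes) covering both the SAML SP flow and the four setup steps above: the SAML action with the IdP redirect URL, the advanced SAML policy, the AAA-TM vserver with the policy bound, and the load balancing vserver that hands authentication to it. The IdP URL, certificate names, file paths and IP addresses are constructed placeholders.

```nscli
# Constructed example: NetScaler as SAML service provider.
# The IdP's signing certificate is imported so the SAML response signature can be verified.
add ssl certKey idp_signing_cert -cert "/nsconfig/ssl/<idp-signing-cert-placeholder>.cer"

# Step 1 and 2: SAML action carrying the IdP redirect URL, plus the policy that selects it.
# Unsigned assertions are rejected and the SP's own requests are signed with SHA-256.
add authentication samlAction saml_sp_act -samlIdPCertName idp_signing_cert -samlRedirectUrl "https://idp.example.com/saml/sso" -samlSigningCertName sp_signing_cert -samlIssuerName "https://aaa.example.com" -samlUserField "NameID" -samlRejectUnsignedAssertion ON -signatureAlg RSA-SHA256 -digestMethod SHA256 -samlBinding POST
add authentication Policy saml_sp_pol -rule true -action saml_sp_act

# Step 3: AAA-TM vserver for the SP with its server certificate and the SAML policy bound
add authentication vserver aaa_vs SSL 10.0.0.10 443
bind ssl vserver aaa_vs -certkeyName aaa_server_cert
bind authentication vserver aaa_vs -policy saml_sp_pol -priority 100

# Step 4: load balancing vserver that requires SAML authentication through aaa_vs.
# aaa.example.com must resolve to the AAA vserver's IP (10.0.0.10 here).
add lb vserver lb_app SSL 10.0.0.11 443 -Authentication ON -AuthenticationHost aaa.example.com
bind ssl vserver lb_app -certkeyName app_server_cert
```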
Methods such as Certificate, Negotiate, OAuth and SAML SP authentication do not require the user to submit their username and password directly to the NetScaler. Single sign-on, however, requires the NetScaler to cache the user’s username and password for authentication to backend applications.