NetScaler AAA Components and Login Process
NetScaler AAA components
The basic components of an AAA configuration are:
- Authentication Virtual Servers: These handle all authentication requests redirected to them by traffic management virtual servers (load balancing, content switching, or NetScaler Gateway virtual servers).
- Authentication Policies: An authentication policy consists of an expression that selects the client's request and an action that points to an external authentication server. When users log in to the appliance, the authentication policies you define determine how they are authenticated. One or more authentication policies are typically bound to an authentication virtual server, which evaluates them in priority order to grant access to the application.
- Authorization Policies: These control access to network resources by allowing or denying a user's request according to predefined rules (for example, group membership or the requested URL).
- Users and Groups: These define the user accounts and group memberships referenced by authentication and authorization policies.
- Authentication Profiles: An authentication profile specifies the authentication virtual server, the authentication host (the FQDN users are redirected to for login), the authentication domain, and the authentication level. It is useful when several traffic management virtual servers should share the same authentication settings: each of them is pointed at the one profile instead of being configured separately.
- Auditing Policies: These track and log events triggered during an authenticated session, keeping a record of what happened during authentication and afterwards.
- AAA vServer: The entry point for the initial evaluation of the authentication flow (the nFactor term for the authentication virtual server described above).
- Factor: One authentication step, such as LDAP or RADIUS, within the overall authentication flow.
- Policy label: A collection of policies evaluated for the current factor. A policy label is bound to a login schema, which supplies the user interface for that factor.
- Login schema: An XML file defining the login form: which input fields are collected from the user and which factors their values are assigned to.
- Virtual server label: The entry point for client traffic. It acts as an implicit policy label and can be bound with different types of policies.
- Next factor: Determines what happens after a given authentication step succeeds. If no next factor is defined, the authentication process concludes for that user.
- No-auth policy: The built-in NO_AUTHN policy, which always returns success without producing an authentication result; it is used to route a user to the next factor without challenging them.
- Passthrough factor or label: Indicates that the AAA subsystem should continue with the credentials already obtained instead of prompting the user again.
AAA Login Process
- Traffic Management Virtual Server: Incoming client traffic is first intercepted by a traffic management virtual server (Load Balancing, Content Switching, or NetScaler Gateway).
- Redirection to Authentication: Because the request carries no valid AAA session cookie, the traffic management virtual server redirects the user to an AAA virtual server (the authentication host configured on the traffic management virtual server or in its authentication profile). The AAA virtual server presents the login page defined by the login schema and collects the user's credentials. With 401-based authentication enabled, the client is challenged directly instead of being redirected.
- Authentication: The authentication policy bound to the AAA virtual server forwards these credentials to the external authentication server (for example LDAP or RADIUS) for verification, one factor at a time, until the last factor in the chain succeeds or one of them fails. The appliance caches the credentials for later use, for example for single sign-on to the back-end application.
- Authorization: After successful authentication, authorization policies determine whether the user may access the requested resource. NetScaler AAA evaluates their expressions against the session, which can reference the user's groups, source IP address, requested URL, device attributes, and more.
- Session Management: Based on the outcome, access is granted or denied and an AAA session is created (tracked by a session cookie) or terminated. The session has a configured timeout, after which the user must reauthenticate to regain access to the intranet.
- Audit Logging: Invalid login attempts and other relevant events are recorded in the audit log (syslog or nslog). When the session expires, the whole process is repeated and the user authenticates again.
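The following NetScaler CLI configuration is an added example written for this post; it is not taken from the original article or from Citrix documentation. It wires the components listed above into the login flow just described: a load balancing vserver hands unauthenticated users to an AAA vserver through an authentication profile, LDAP over TLS is the first factor, a decision label exempts one group from MFA and sends everyone else to a RADIUS OTP factor, a session policy sets the timeout with authorization defaulting to DENY, an authorization policy grants one group access, and a syslog policy records the events. All object names, hostnames, group names, addresses (from the 192.0.2.0/24 documentation range) and the <...> secret placeholders are assumptions; check the option names against the CLI reference for your firmware release before applying.

```nscli
# Added example (not from the original post). Names, IPs, hostnames and
# group names are assumed; replace the <...> placeholders with real values.

# 1. Traffic management virtual server fronting the intranet application.
add lb vserver lb_intranet SSL 192.0.2.10 443
bind ssl vserver lb_intranet -certkeyName wildcard_example_com

# 2. Authentication (AAA) virtual server. Unauthenticated requests to
#    lb_intranet are redirected here; aaa.example.com must resolve to this IP.
add authentication vserver aaa_vs SSL 192.0.2.11 443
bind ssl vserver aaa_vs -certkeyName wildcard_example_com

# 3. First factor: LDAP over TLS (636) with server certificate validation,
#    so credentials are not handed to an impersonating directory server.
#    memberOf/cn extraction is what makes AAA.USER.IS_MEMBER_OF() work later.
add authentication ldapAction ldap_act -serverIP 192.0.2.20 -serverPort 636 -secType SSL -validateServerCert YES -ldapHostname ldap.example.com -ldapBase "dc=example,dc=com" -ldapBindDn "cn=svc-netscaler,ou=service,dc=example,dc=com" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -ssoNameAttribute userPrincipalName
add authentication Policy ldap_pol -rule true -action ldap_act

# 4. Second factor: RADIUS OTP, collected with the built-in OnlyPassword schema.
add authentication radiusAction radius_act -serverIP 192.0.2.30 -serverPort 1812 -radKey "<radius-shared-secret>"
add authentication Policy radius_pol -rule true -action radius_act
add authentication loginSchema lschema_otp -authenticationSchema "/nsconfig/loginschema/LoginSchema/OnlyPassword.xml"
add authentication policylabel plabel_otp -loginSchema lschema_otp
bind authentication policylabel plabel_otp -policyName radius_pol -priority 100 -gotoPriorityExpression NEXT

# 5. Decision factor: no user interaction (LSCHEMA_INT). Members of mfa-exempt
#    match exempt_pol, succeed via NO_AUTHN with no next factor, and are done.
#    NEXT means "if this policy's rule does not match, evaluate the next one",
#    so everyone else reaches the built-in NO_AUTHN policy and is routed to the OTP factor.
add authentication Policy exempt_pol -rule "AAA.USER.IS_MEMBER_OF(\"mfa-exempt\")" -action NO_AUTHN
add authentication policylabel plabel_decide -loginSchema LSCHEMA_INT
bind authentication policylabel plabel_decide -policyName exempt_pol -priority 100 -gotoPriorityExpression NEXT
bind authentication policylabel plabel_decide -policyName NO_AUTHN -priority 110 -gotoPriorityExpression NEXT -nextFactor plabel_otp

# 6. Login schema for the first factor (username + password form), and the
#    LDAP policy bound to the AAA vserver with the decision label as next factor.
add authentication loginSchema lschema_single -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuth.xml"
add authentication loginSchemaPolicy lschema_single_pol -rule true -action lschema_single
bind authentication vserver aaa_vs -policy lschema_single_pol -priority 100 -gotoPriorityExpression END
bind authentication vserver aaa_vs -policy ldap_pol -priority 100 -nextFactor plabel_decide -gotoPriorityExpression NEXT

# 7. Session management: 30-minute idle timeout and deny-by-default
#    authorization, so only resources with an explicit ALLOW are reachable.
add tm sessionAction sess_act -sessTimeout 30 -defaultAuthorizationAction DENY
add tm sessionPolicy sess_pol true sess_act
bind authentication vserver aaa_vs -policy sess_pol -priority 100

# 8. Authorization: only the Finance group may reach the application.
add authorization policy authz_finance "AAA.USER.IS_MEMBER_OF(\"Finance\")" ALLOW
bind lb vserver lb_intranet -policyName authz_finance -priority 100

# 9. Auditing: send AAA events (failed and successful logins, session
#    creation and expiry) to an external syslog collector.
add audit syslogAction syslog_act 192.0.2.40 -serverPort 514 -logLevel ALL
add audit syslogPolicy syslog_pol true syslog_act
bind authentication vserver aaa_vs -policy syslog_pol -priority 100

# 10. Authentication profile ties the LB vserver to the AAA vserver.
add authentication authnProfile authprof_intranet -authnVsName aaa_vs -AuthenticationHost aaa.example.com -AuthenticationDomain example.com -AuthenticationLevel 1
set lb vserver lb_intranet -Authentication ON -authnProfile authprof_intranet

# Verify the factor chain and watch sessions being created.
show authentication vserver aaa_vs
show authentication policylabel plabel_decide
show aaa session
```

Two points worth checking when adapting this: the goto expression on a policy inside a label only governs what happens when the policy's rule does not match, so an exemption policy that uses END instead of NEXT would lock out every user who is not in the exempt group; and the default authorization action of DENY in the session action means any resource without a matching ALLOW policy is refused, which is the least-privilege starting point.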