NetScaler AAA components

The basic components of AAA configuration include:

• Authentication Virtual Servers: These handle all authentication requests redirected by traffic management virtual servers, such as load balancing, content switching, or NetScaler Gateway virtual servers.

• Authentication Policies: An authentication policy consists of an expression that intercepts the client’s request and an action that points to an external authentication server. When users log in to the appliance, the authentication policy you define determines how they are authenticated. One or more authentication policies are typically bound to an authentication virtual server, which processes these policies to grant access to the application.

• Authorization Policies: These are configured to control access to network resources, either allowing or denying users based on predefined rules.

• Users and Groups: These define the user accounts and group memberships used in authentication and authorization policies.

• Authentication Profiles: These profiles define the settings for the authentication process, such as the methods and criteria for validating users. An authentication profile is useful when you want the same authentication settings to be used by multiple traffic management virtual servers, which specifies the authentication virtual server, the authentication host, the authentication domain, and the authentication level.

• Auditing Policies: These track and log events triggered during an authenticated session, helping maintain a record of actions performed during authentication.

AAA Login Process

1. Traffic Management Virtual Server: Incoming user traffic (e.g., from clients) is first intercepted by a traffic management virtual server, such as a Load Balancing, Content Switching, or NetScaler Gateway virtual server.
2. Redirection to Authentication: Since the user has not yet authenticated, the traffic management virtual server redirects the user to a AAA virtual server, which presents a login page. The login page collects the user’s credentials.
3. Authentication: The authentication policy bound to the AAA virtual server sends these credentials to an external authentication server for verification. The appliance then caches the credentials for future reference. Authentication policies are processed by the authentication virtual server to verify user credentials against an authentication server (e.g., LDAP, RADIUS).
4. Authorization: After successful authentication, authorization policies determine if the user has access to specific resources. These policies are evaluated by NetScaler AAA, considering factors like user groups, roles, IP addresses, device types, and more.
5. Session Management: Based on the outcome, access is granted or denied, and a session is created or terminated. The appliance maintains a session timeout, after which users must reauthenticate to regain access to the intranet.
6. Finally, audit logging is used to track invalid login attempts and other relevant events, which are recorded in an audit log. When the user session expires, the entire process is repeated, requiring the user to authenticate again.