NetScaler AAA Policies
Authentication policies can be created from either the Basic or the Advanced policy tab in NetScaler. To create an LDAP policy, navigate to Security > AAA - Application Traffic > Policies > Authentication > Basic Policies > LDAP > Policies, or to System > Authentication > Basic Policies > LDAP.
A basic authentication policy consists of a classic expression and an action. The action is the authentication server (for example an LDAP action) that the credentials are passed to when the expression matches. Classic expressions can match on the client's source IP address or IP range, so one policy can send users from an internal subnet to one server and everyone else to another. The authentication policy therefore dictates which authentication server is used to authenticate a user to the traffic management (TM) virtual server.
The classic expression ns_true returns true for all traffic. To create a basic policy with no filtering, one that applies to every request, enter ns_true in the policy expression column.
For an advanced policy the equivalent expression is true; this gives the default, unfiltered policy.
Basic and advanced policies can be bound to one or more AAA TM virtual servers.
AAA TM virtual servers support single-factor, dual-factor and multi-factor authentication.
- Single-factor authentication uses one authentication method, e.g. LDAP.
- Dual-factor authentication combines two methods, such as LDAP and RADIUS.
- Multi-factor authentication enhances the security of an application by requiring users to provide multiple proofs of identity to gain access. The NetScaler appliance provides an extensible and flexible approach to configuring multi-factor authentication, called nFactor authentication. It is only supported from NetScaler 11.0 build 62.x onwards.
If an external authentication server is used directly, the authentication traffic is sourced from the NSIP address. If the authentication server is load balanced on the NetScaler, the traffic to the backend is sourced from a SNIP or MIP address. This matters when the authentication server or a firewall in between restricts which client addresses may bind.
Policy Authentication order:
The virtual server is checked first for authentication policies bound to it. If none are configured there, the global authentication policies are checked and processed, if any. If no policies are configured anywhere, the default global session policies are checked.
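The configuration described above, written out as NetScaler CLI commands. This is an added example, not configuration from the original post: it creates the LDAP action (behind a load-balancing vserver, so the LDAP traffic leaves from a SNIP), a RADIUS action as second factor, a basic policy with ns_true, a basic policy restricted by source IP, the advanced-policy equivalents, and the bindings on an AAA vserver. All names, the addresses 10.1.1.x, the base dc=example,dc=com, the hostname ldap.example.com and the certkey aaa_example_com are assumed placeholders; secrets are shown as <secret>.

```text
# Added example; every address, name and DN below is an assumed placeholder.

# --- Authentication servers (actions) ---------------------------------------
# LDAPS with server-certificate validation: the bind password and user passwords
# never cross the wire in clear, and a spoofed LDAP server cannot harvest them.
add authentication ldapAction LDAP_ACT -serverIP 10.1.1.60 -serverPort 636 -secType SSL -validateServerCert YES -ldapHostname ldap.example.com -ldapBase "dc=example,dc=com" -ldapBindDn "cn=svc-netscaler,ou=service,dc=example,dc=com" -ldapBindDnPassword "<secret>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -searchFilter "memberOf=cn=NetScaler-Users,ou=groups,dc=example,dc=com"

# The action points at an LB vserver on this appliance (10.1.1.60), not at the LDAP
# servers directly, so the LDAP traffic is sourced from a SNIP instead of the NSIP.
add server ldap1 10.1.1.10
add server ldap2 10.1.1.11
add service svc_ldap1 ldap1 TCP 636
add service svc_ldap2 ldap2 TCP 636
add lb vserver LB_LDAPS TCP 10.1.1.60 636
bind lb vserver LB_LDAPS svc_ldap1
bind lb vserver LB_LDAPS svc_ldap2

# RADIUS server used as the second factor of a dual-factor logon.
add authentication radiusAction RADIUS_ACT -serverIP 10.1.1.20 -serverPort 1812 -radKey "<shared-secret>" -authTimeout 3

# --- Policies -----------------------------------------------------------------
# Basic (classic) policies are expression + action. ns_true matches every request.
add authentication ldapPolicy LDAP_POL_ANY ns_true LDAP_ACT
# Classic expression on the client source IP: only clients in 10.0.0.0/8 match.
add authentication ldapPolicy LDAP_POL_INTERNAL "REQ.IP.SOURCEIP == 10.0.0.0 -netmask 255.0.0.0" LDAP_ACT
add authentication radiusPolicy RADIUS_POL ns_true RADIUS_ACT

# Advanced-policy equivalents (11.0 build 62.x or later). Rule true means no filtering.
# They are shown for comparison only and are not bound below: classic and advanced
# authentication policies cannot be mixed on one vserver.
add authentication Policy LDAP_ADV_ANY -rule true -action LDAP_ACT
add authentication Policy LDAP_ADV_INTERNAL -rule "CLIENT.IP.SRC.IN_SUBNET(10.0.0.0/8)" -action LDAP_ACT

# --- AAA vserver and bindings -------------------------------------------------
add authentication vserver AAA_VS SSL 10.1.1.50 443
bind ssl vserver AAA_VS -certkeyName aaa_example_com
# The lower priority number is evaluated first: internal clients hit the
# subnet-restricted policy, everyone else falls through to the catch-all. Both point at
# the same LDAP action here; to refuse external clients entirely, omit the catch-all.
bind authentication vserver AAA_VS -policy LDAP_POL_INTERNAL -priority 100
bind authentication vserver AAA_VS -policy LDAP_POL_ANY -priority 200
# -secondary makes RADIUS the second credential of a dual-factor logon.
bind authentication vserver AAA_VS -policy RADIUS_POL -priority 100 -secondary

# Policies bound on the vserver are evaluated first; a policy bound globally (the
# Global Bindings node in the GUI) is only consulted when the vserver has none.
show authentication vserver AAA_VS
```

The last command is the check: it lists the primary and secondary policy bindings with their priorities, which is the quickest way to confirm the evaluation order actually configured on the vserver.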
Authorization Policies:
Based on a classic or default expression, authorization policies define whether or not an authenticated user can access the requested resource. Authorization policies are bound to users and groups, and are evaluated after authentication to grant or deny access to a resource.
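Two authorization policies and their user and group bindings, as an added NetScaler CLI example of the above (not from the original post). The group names Finance and HelpDesk, the user jdoe, the hostnames erp.example.com and helpdesk.example.com and the /admin path are assumed placeholders; the groups are expected to exist in LDAP with the same cn so that group extraction at logon maps users onto them.

```text
# Added example. AAA groups are matched by name against the groups extracted at logon
# (memberOf / cn in the LDAP action), so the local group name must equal the LDAP cn.
add aaa group Finance
add aaa group HelpDesk
# A local user, only to show the user-level binding point; normally users come from LDAP.
add aaa user jdoe -password "<secret>"

# Default (advanced) expressions; the action is ALLOW or DENY.
add authorization policy AUTHZ_ALLOW_ERP "HTTP.REQ.HOSTNAME.EQ(\"erp.example.com\")" ALLOW
add authorization policy AUTHZ_DENY_ADMIN "HTTP.REQ.URL.PATH.STARTSWITH(\"/admin\")" DENY
add authorization policy AUTHZ_ALLOW_HELPDESK "HTTP.REQ.HOSTNAME.EQ(\"helpdesk.example.com\")" ALLOW

# The lower priority number is evaluated first, so the DENY for /admin is checked
# before the broader ALLOW for the whole host.
bind aaa group Finance -policy AUTHZ_DENY_ADMIN -priority 10
bind aaa group Finance -policy AUTHZ_ALLOW_ERP -priority 100
bind aaa group HelpDesk -policy AUTHZ_ALLOW_HELPDESK -priority 100
bind aaa user jdoe -policy AUTHZ_DENY_ADMIN -priority 10

# A request matched by no policy is decided by the session profile's default
# authorization action; set that to DENY so unlisted resources are refused, not granted.
show aaa group Finance
```

The order matters: if the ALLOW for the host were bound with the lower number it would match first for /admin as well, and the DENY would never be reached.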
Session Profile:
Session profiles specify session timeouts, default authorization settings, single sign-on settings and credential index settings that differ from the global session settings. The session timeout defines the period after which a user must re-authenticate to access the resource. The default authorization setting decides whether or not to grant access to a user for whom no specific authorization policy matches.
Single sign-on allows users to enter their credentials once, at the authentication vserver, and gain access to any backend resource that requests credentials. NetScaler caches the username and password and replays them whenever it receives an authentication request from the resource or application.
The credential index option in the session profile determines which set of credentials (the primary or the secondary authentication factor) is used for single sign-on. A session profile is attached to a session policy, which is created using a classic or default expression. Session policies are then bound to a user, a group, an AAA vserver, or globally.
Session policies are evaluated after authorization to provide unique settings for accessing the resource such as the session length and SSO support.
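The session settings described above as NetScaler CLI, an added example that is not configuration from the original post. AAA_VS is an assumed authentication vserver, Finance an assumed AAA group, example.com an assumed SSO domain; the timeouts are illustrative values.

```text
# Added example. Global session parameters apply when no session policy matches at all.
set tm sessionParameter -sessTimeout 30 -defaultAuthorizationAction DENY -SSO OFF -httpOnlyCookie YES

# Session profile (tm sessionAction): timeout, default authorization, SSO, and which
# credential set is replayed for SSO (PRIMARY = first factor, SECONDARY = second factor).
# defaultAuthorizationAction DENY means a resource with no matching ALLOW policy is refused.
add tm sessionAction SESS_ACT_DEFAULT -sessTimeout 30 -defaultAuthorizationAction DENY -SSO ON -ssoCredential PRIMARY -ssoDomain example.com -httpOnlyCookie YES

# Classic session policy: ns_true applies the profile to every session on the vserver.
add tm sessionPolicy SESS_POL_DEFAULT ns_true SESS_ACT_DEFAULT
bind authentication vserver AAA_VS -policy SESS_POL_DEFAULT -priority 100

# The same policy can instead be bound globally, where it applies to all AAA vservers.
bind tm global -policyName SESS_POL_DEFAULT -priority 100

# Group-specific profile: a shorter session and no SSO for Finance, so their password is
# not cached and replayed to backends. Binding it to the group gives that group settings
# that differ from the vserver-wide ones.
add tm sessionAction SESS_ACT_FINANCE -sessTimeout 10 -defaultAuthorizationAction DENY -SSO OFF
add tm sessionPolicy SESS_POL_FINANCE ns_true SESS_ACT_FINANCE
bind aaa group Finance -policy SESS_POL_FINANCE -priority 100

show tm sessionPolicy
```

The advanced-expression form of a session policy is add tm sessionPolicy <name> -rule true -action <profile>. Note the security trade-off of -SSO ON: the appliance keeps the user's password in the session so it can answer backend credential requests, so restrict it with -ssoDomain and only enable it on profiles that need it.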
Traffic Policies
Traffic policies are required when form-based or SAML single sign-on is used for protected applications. They can also be used to control the logon process for these applications. With form-based SSO we can design our own logon form carrying the company's logo.
SAML SSO can also be configured so that one NetScaler authenticates to another NetScaler. First create the form-based or SAML SSO profile. Then create a traffic profile and link it to the SSO profile. Create a traffic policy and link it to the traffic profile. Finally, bind the policy to the AAA vserver.
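The four-step procedure above as NetScaler CLI, an added example that is not configuration from the original post: a form-based SSO profile for one application and a SAML SSO profile toward a second NetScaler's AAA vserver, each attached to a traffic profile and a traffic policy bound on AAA_VS. The form field names, the /login.do URL, the hostnames erp.example.com, app2.example.com, aaa.example.com and aaa2.example.com, the signing certkey aaa_saml_signing and AAA_VS itself are assumed.

```text
# Added example; hostnames, form fields and certkey names are assumed placeholders.

# --- Form-based SSO ------------------------------------------------------------
# Step 1: describe the application's own logon form. NetScaler posts the cached
# credentials into these fields. ssoSuccessRule tells it what a successful logon
# response looks like, so a failed post is reported rather than silently repeated.
add tm formSSOAction FORM_SSO_ERP -actionURL "/login.do" -userField username -passwdField password -ssoSuccessRule "HTTP.RES.STATUS.EQ(302)" -submitMethod POST -nvtype DYNAMIC -responsesize 8096
# Step 2: traffic profile with SSO on, linked to the form SSO profile; appTimeout is
# the idle timeout (minutes) for this application.
add tm trafficAction TRAF_ACT_ERP -SSO ON -formSSOAction FORM_SSO_ERP -appTimeout 5
# Step 3: traffic policy that fires only for the logon page of the ERP host, so the
# credentials are not posted to any other URL.
add tm trafficPolicy TRAF_POL_ERP "HTTP.REQ.HOSTNAME.EQ(\"erp.example.com\") && HTTP.REQ.URL.PATH.EQ(\"/login.do\")" TRAF_ACT_ERP
# Step 4: bind to the AAA vserver.
bind authentication vserver AAA_VS -policy TRAF_POL_ERP -priority 100

# --- SAML SSO to a second NetScaler (this appliance acts as the IdP) ------------
# sendPassword OFF: the assertion carries the identity only, never the cached password.
# RSA-SHA256 / SHA256 rather than the SHA1 defaults; parameter availability depends on release.
add tm samlSSOProfile SAML_SSO_AAA2 -samlSigningCertName aaa_saml_signing -assertionConsumerServiceURL "https://aaa2.example.com/cgi/samlauth" -samlIssuerName "https://aaa.example.com" -audience "https://aaa2.example.com" -sendPassword OFF -signatureAlg RSA-SHA256 -digestMethod SHA256
add tm trafficAction TRAF_ACT_SAML -SSO ON -samlSSOProfile SAML_SSO_AAA2 -appTimeout 5
add tm trafficPolicy TRAF_POL_SAML "HTTP.REQ.HOSTNAME.EQ(\"app2.example.com\")" TRAF_ACT_SAML
bind authentication vserver AAA_VS -policy TRAF_POL_SAML -priority 200

# On the receiving NetScaler (aaa2) a samlAction/samlPolicy that trusts this IdP's
# signing certificate is bound to its own AAA vserver; that side is not shown here.
show tm trafficPolicy
```

Keep the traffic policy expressions as narrow as the logon flow allows: a policy that matches the whole host would replay the cached credentials into every form post the application makes.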