Citrix NetScaler supports authentication both for load balancing and for NetScaler Gateway (access gateway) purposes. On the load balancing side this is provided by the authentication, authorization, and auditing (AAA) feature. Enabling AAA on a load balancing virtual server adds an extra security layer in front of the backend, which makes load balancing a good solution for reverse proxy deployments where you want that extra protection for some services. Because NetScaler performs the authentication itself, it can also add factors that the backend does not support: Outlook Web Access for Microsoft Exchange, which only understands Active Directory credentials, can be protected with Active Directory plus two-factor authentication. The flow is as follows. The client connects to the load balancing virtual server for Microsoft Exchange; NetScaler redirects the unauthenticated client to the NetScaler AAA virtual server, where the client has to log in. After successful authentication, NetScaler sends the client back to the load balancing virtual server, which then serves the configured backend environment.
Citrix NetScaler supports many different authentication methods. These methods can be used for NetScaler Gateway authentication or for load balancing virtual servers. The most common authentication methods are described in the following sections.
LDAP integration is a commonly used method of authentication in deployments. Almost all companies are using LDAP authentication in some way. In order to use LDAP authentication, there are some prerequisites, as follows:
After you have the answers to these questions, you can start building the configuration.
Go to System | Authentication | LDAP | Servers, and click on Add. Fill in the correct information based on the following explanation:
Field | Description
---|---
Name | A descriptive name for the LDAP server object, for example Pol_Srv-LDAP-LDAPS1.
Server Type | AD for Microsoft Active Directory, or NDS if you're using Novell.
Base DN | The point in the directory from which user searches start. For the contoso.com domain this would look like CN=Contoso Users,DC=CONTOSO,DC=COM.
Administrator Bind DN | The account NetScaler uses to bind to and search the directory, written either as domain\username or in the user@domain format. This account only needs read rights on the directory; do not use a privileged account.
Server Logon Name Attribute | The Active Directory / NDS attribute that holds the logon name: sAMAccountName or UserPrincipalName. Using the UserPrincipalName value allows users to log in with their e-mail address; otherwise, the username is required to log in.
Search Filter | An LDAP filter that a user must match in order to authenticate. For example, to require membership of the AAA_Allow group in the support OU, the search filter would be memberOf=CN=AAA_Allow,OU=support,DC=contoso,DC=com. When a user is a member of this group, they will have access; otherwise, Citrix NetScaler will block the authentication. Note that memberOf lists direct memberships only, so a user who belongs through a nested group does not match this filter. The source of this is http://support.citrix.com/article/CTX111079.
Group Attribute | The attribute NetScaler reads to extract group membership: memberOf.
SSO Name Attribute | The attribute whose value is passed to the backend for single sign-on: sAMAccountName or UserPrincipalName.

Whichever values you fill in, set the security type of the server to SSL (port 636) or TLS rather than plaintext LDAP on port 389, as the name Pol_Srv-LDAP-LDAPS1 suggests; otherwise the bind password and every user's credentials cross the network unencrypted.

After creating the LDAP server, it's time to configure the LDAP policies. A policy pairs the server with an expression, and it is the policy, not the server, that gets bound to an AAA virtual server or NetScaler Gateway. Depending on the requirements, there are many ways to write the expression. For example, it is possible to allow access for a specific client to a particular service only, based on the source IP of the client and the destination IP of the service: REQ.IP.SOURCEIP == 122.122.123.123 && REQ.IP.DESTIP == 192.168.100.14. With this policy, only the client with IP address 122.122.123.123 will be able to log in to the service at 192.168.100.14. The most common expression is simply ns_true, which applies the policy to every request.
It's also possible to add more than one LDAP authentication policy and bind them to the AAA virtual server or NetScaler Gateway. This is done by assigning each policy a priority. The policy with the lowest priority number is checked first to see whether its expression matches; if it does not, Citrix NetScaler keeps going down the list until it finds a match. If a policy matches but its LDAP server does not respond within the configured timeout, Citrix NetScaler automatically tries the next policy in the list, so binding two policies that point at different domain controllers gives you authentication failover.
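The LDAP server, the two kinds of policy and the priority-ordered bindings described above, together with the load balancing redirect from the start of this section, written as NetScaler command-line configuration. This is an added example and not configuration from the original text: the server IP addresses, the bind account, the <bind-password> placeholder, the virtual server names, the certificate key name and the authentication FQDN are assumed; the object name, search filter, attributes and policy expression are the ones used above. Lines starting with # are annotations, not commands.

```text
# LDAP over SSL (port 636) so the bind password and user credentials are never sent in the clear.
# -validateServerCert YES requires the domain controller's certificate chain to be trusted on the NetScaler.
add authentication ldapAction Pol_Srv-LDAP-LDAPS1 -serverIP 192.168.100.5 -serverPort 636 -secType SSL -validateServerCert YES -ldapBase "CN=Contoso Users,DC=CONTOSO,DC=COM" -ldapBindDn "CN=svc_netscaler,OU=Service Accounts,DC=contoso,DC=com" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName -searchFilter "memberOf=CN=AAA_Allow,OU=support,DC=contoso,DC=com" -groupAttrName memberOf -subAttributeName CN -ssoNameAttribute UserPrincipalName -authTimeout 5

# A second domain controller with identical settings, used for failover.
add authentication ldapAction Pol_Srv-LDAP-LDAPS2 -serverIP 192.168.100.7 -serverPort 636 -secType SSL -validateServerCert YES -ldapBase "CN=Contoso Users,DC=CONTOSO,DC=COM" -ldapBindDn "CN=svc_netscaler,OU=Service Accounts,DC=contoso,DC=com" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName -searchFilter "memberOf=CN=AAA_Allow,OU=support,DC=contoso,DC=com" -groupAttrName memberOf -subAttributeName CN -ssoNameAttribute UserPrincipalName -authTimeout 5

# Restrictive policy: only this client may log in to this service (the classic expression from the text).
add authentication ldapPolicy Pol_LDAP-Support "REQ.IP.SOURCEIP == 122.122.123.123 && REQ.IP.DESTIP == 192.168.100.14" Pol_Srv-LDAP-LDAPS1
# Catch-all policies: ns_true matches every request; one per domain controller.
add authentication ldapPolicy Pol_LDAP-DC1 ns_true Pol_Srv-LDAP-LDAPS1
add authentication ldapPolicy Pol_LDAP-DC2 ns_true Pol_Srv-LDAP-LDAPS2

# The AAA virtual server that the load balancing vserver redirects to. It needs a certificate for SSL.
add authentication vserver AAA-VS-Contoso SSL 192.168.100.20 443
bind ssl vserver AAA-VS-Contoso -certkeyName Cert-aaa.contoso.com

# The lowest priority number is evaluated first. If Pol_LDAP-DC1 matches but DC1 does not answer
# within -authTimeout seconds, NetScaler continues with Pol_LDAP-DC2.
bind authentication vserver AAA-VS-Contoso -policy Pol_LDAP-Support -priority 100
bind authentication vserver AAA-VS-Contoso -policy Pol_LDAP-DC1 -priority 110
bind authentication vserver AAA-VS-Contoso -policy Pol_LDAP-DC2 -priority 120

# Turn on authentication for the existing OWA load balancing vserver. Unauthenticated clients are
# redirected to this FQDN, which must resolve to 192.168.100.20 and be present on the certificate.
set lb vserver LB-VS-OWA -Authentication ON -AuthenticationHost aaa.contoso.com

# Check: lists the bound policies with their priorities in evaluation order.
show authentication vserver AAA-VS-Contoso
```

Two things to check before testing a login: the AAA FQDN (aaa.contoso.com here) must share a parent DNS domain with the hostname of the load balanced service, because the AAA session cookie is set for that domain and is otherwise not sent back to the load balancing vserver; and the bind account's password should be stored with the same care as any service credential, since it appears in ns.conf. These are classic policies, matching the expression syntax used in the text; newer firmware prefers advanced authentication policies created with add authentication Policy and a CLIENT.IP.SRC-style rule.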
Citrix NetScaler allows you to support two-factor authentication in many ways. The most commonly used way is the RADIUS protocol, because most two-factor authentication providers support RADIUS, it being a standard protocol.
The RADIUS protocol uses a few codes in the packet header to indicate the authentication step, as follows:

Code | Assignment
---|---
1 | Access-Request
2 | Access-Accept
3 | Access-Reject
4 | Accounting-Request
5 | Accounting-Response
11 | Access-Challenge
Depending on which code the RADIUS server sends back, Citrix NetScaler allows the login (Access-Accept), denies it (Access-Reject), or, for Access-Challenge, prompts the user for the additional response the server asks for, such as the next token code.
Go to System | Authentication | RADIUS | Servers, and click on Add. Fill in the correct information based on the following explanation:

Field | Description
---|---
Name | A descriptive name for the RADIUS server object, for example Pol_Srv-RADIUS-RADIUSS1.
Vendor Identifier | The vendor ID used when reading vendor-specific attributes; 0 indicates that the attribute is not vendor encoded.

The shared secret you enter here is the only thing that protects the exchange: RADIUS obfuscates the password with it but sends everything else in the clear over UDP, so use a long, unique secret per client and keep the RADIUS server on a trusted network segment.

After creating the RADIUS servers, it's time to configure the RADIUS policies. These policies are necessary for binding the server to services.
It's also possible to add more than one RADIUS authentication policy and bind them to the AAA or NetScaler Gateway authentication. This can be done by assigning priorities to the different policies. The way of configuring is the same as that for binding the LDAP authentication policy.
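The RADIUS server and its policy bound as the second factor, as NetScaler command-line configuration. This is an added example and not configuration from the original text: the RADIUS server IP, the <shared-secret> placeholder, the timeout values and the AAA and Gateway virtual server names are assumed, and the AAA virtual server with its LDAP policies is assumed to exist already; the object name and vendor ID are the ones used above. Lines starting with # are annotations, not commands.

```text
# RADIUS server object. -radVendorID 0 means group attributes are not vendor encoded.
# -authTimeout must be long enough for the user to type a token or approve a prompt, which is
# why it is set higher than the LDAP timeout. -passEncoding must match what the server accepts.
add authentication radiusAction Pol_Srv-RADIUS-RADIUSS1 -serverIP 192.168.100.6 -serverPort 1812 -radKey "<shared-secret>" -radVendorID 0 -radNASip ENABLED -authTimeout 30 -authservRetry 3 -passEncoding pap

# Policy that applies the server to every request.
add authentication radiusPolicy Pol_RADIUS-All ns_true Pol_Srv-RADIUS-RADIUSS1

# Bind as the secondary policy: the LDAP policies already bound stay primary (first password
# field on the login page) and RADIUS handles the second field. The login only succeeds when
# both the primary and the secondary authentication return accept.
bind authentication vserver AAA-VS-Contoso -policy Pol_RADIUS-All -priority 100 -secondary

# For NetScaler Gateway the binding is the same, on the VPN vserver instead.
bind vpn vserver Gateway-VS-Contoso -policy Pol_RADIUS-All -priority 100 -secondary

# Checks: the server parameters, and the bindings in evaluation order.
show authentication radiusAction Pol_Srv-RADIUS-RADIUSS1
show authentication vserver AAA-VS-Contoso
```

When more than one RADIUS policy is bound as secondary, the priorities work exactly as for the LDAP policies: lowest number first, next policy on a non-matching expression or on a server timeout.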
Citrix wrote an article on how to configure Citrix NetScaler with Microsoft NPS, the RADIUS server from Microsoft, for which many third-party two-factor vendors provide plugins: http://support.citrix.com/article/CTX126691.