18 Dec
NETSCALER SECURITY - BUILT-IN SECURITY FEATURES, CONSOLIDATE AND SIMPLIFY INFRASTRUCTURE, THUS ELIMINATING THE NEED TO PURCHASE MULTIPLE POINT SOLUTIONS.

NETSCALER - A STAND ALONE PRODUCT - CLOUD SOFTWARE GROUP.

Documentation - Technical Part 3

Authentication, authorization, and auditing application traffic

Many companies restrict website access to valid users only and control the level of access permitted to each user. The authentication, authorization, and auditing feature allows a site administrator to manage access controls with the NetScaler appliance instead of managing these controls separately for each application. 

Doing authentication on the appliance also permits sharing this information across all websites within the same domain that are protected by the appliance.

To use authentication, authorization, and auditing, configure authentication virtual servers to handle the authentication process and traffic management virtual servers to handle the traffic to web applications that require authentication. In addition, configure DNS so that each virtual server has an FQDN. After configuring the virtual servers, configure a user account for each user that will authenticate via the NetScaler appliance, and optionally create groups and assign user accounts to groups.

After creating user accounts and groups, configure policies that tell the appliance how to authenticate users, which resources to allow users to access, and how to log user sessions. To put the policies into effect, bind each policy globally, to a specific virtual server, or to the appropriate user accounts or groups. 

After configuring the policies, customize user sessions by configuring session settings and binding your session policies to the traffic management virtual server. 

Finally, if the intranet uses client certificates, set up the client certificate configuration.

To understand how authentication, authorization, and auditing works in a distributed environment, consider an organization with an intranet that its employees access in the office, at home, and when traveling.

The content on the intranet is confidential and requires secure access. Any user who wants to access the intranet must have a valid user name and password. To meet these requirements, the ADC does the following:

  • Redirects the user to the login page if the user accesses the intranet without having logged in.
  • Collects the user’s credentials, delivers them to the authentication server, and caches them in a directory that is accessible through the Lightweight Directory Access Protocol (LDAP). For more information, see Determining Attributes in Your LDAP Directory.
  • Verifies that the user is authorized to access specific intranet content before delivering the user’s request to the application server.
  • Maintains a session timeout after which users must authenticate again to regain access to the intranet. (You can configure the timeout.)
  • Logs the user accesses, including invalid login attempts, in an audit log.

Supported authentication types

  • Local
  • LDAP
  • RADIUS
  • SAML
  • TACACS+
  • Client certificate authentication (including smart card authentication)
  • Web
  • Advanced authentication
  • Forms based authentication
  • 401 based authentication
  • Native OTP
  • Push notification
  • Email OTP
  • reCaptcha

NetScaler Gateway also supports RSA SecurID, Gemalto Protiva, and SafeWord. Use a RADIUS server to configure these types of authentication.

Before configuring authentication, authorization, and auditing, it is important to be familiar with and understand how to configure load balancing, content switching, and SSL on the NetScaler appliance.

Authentication without authorization

Authorization specifies the network resources to which users have access when they log on to the appliance. The default setting for authorization is to deny access to all network resources, so a user who authenticates successfully still reaches nothing until a policy explicitly allows it.

Citrix recommends using the default global setting and then creating authorization policies to define the network resources users can access.

Configure authorization on the appliance by using an authorization policy and expressions. After you create an authorization policy, you can bind it to the users or groups that are configured on the appliance.

You can configure the appliance to use authentication only, without authorization. When you configure authentication without authorization, the appliance does not perform a group authorization check. The policies that you configure for the user or group are assigned to the user.
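The end-to-end setup described above (authentication virtual server, traffic management virtual server with an FQDN, users and groups, authentication and authorization policies, session settings, and audit logging), written out as a NetScaler CLI example. This is an added illustration, not a configuration taken from the page or from Cloud Software Group documentation: the object names, the 192.0.2.x and 10.0.0.x addresses, the example.com domain, the LDAP bind DN, and the placeholder passwords are hypothetical, the lines starting with # are annotations rather than valid CLI and must be removed before pasting, and option names should be checked against the command reference for the release in use.

```text
# --- Feature flags and the TLS certificate (hypothetical names throughout) ---
enable ns feature AAA LB SSL
add ssl certKey auth_cert -cert auth.example.com.pem -key auth.example.com.key

# --- Authentication virtual server; DNS must resolve auth.example.com to 192.0.2.10 ---
add authentication vserver auth_vs SSL 192.0.2.10 443
bind ssl vserver auth_vs -certkeyName auth_cert

# --- LDAP over TLS (port 636) with server certificate validation, never plain LDAP ---
add authentication ldapAction ldap_act -serverIP 192.0.2.50 -serverPort 636 -secType SSL -validateServerCert YES -ldapBase "dc=example,dc=com" -ldapBindDn "cn=svc-netscaler,ou=service,dc=example,dc=com" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn
add authentication Policy ldap_pol -rule true -action ldap_act
bind authentication vserver auth_vs -policy ldap_pol -priority 100

# --- Traffic management virtual server; unauthenticated requests are redirected to auth_vs ---
add service intranet_svc 10.0.0.5 HTTP 8080
add lb vserver intranet_vs SSL 192.0.2.20 443 -Authentication ON -AuthenticationHost auth.example.com
bind ssl vserver intranet_vs -certkeyName auth_cert
bind lb vserver intranet_vs intranet_svc

# --- Local users and groups (needed only when no external directory is used) ---
add aaa user jdoe -password "<local-password>"
add aaa group intranet_users
bind aaa group intranet_users -userName jdoe

# --- Authorization: keep the global default at DENY, then allow explicitly per group ---
set aaa parameter -defaultAuthorizationAction DENY
add authorization policy authz_intranet "HTTP.REQ.URL.PATH.STARTSWITH(\"/intranet/\")" ALLOW
bind aaa group intranet_users -policy authz_intranet -priority 100
# weak alternative (not recommended): every authenticated user reaches every resource
# set aaa parameter -defaultAuthorizationAction ALLOW

# --- Session settings: 30 minute timeout, bound to the traffic management vserver ---
add tm sessionAction intranet_sess_act -sessTimeout 30 -defaultAuthorizationAction DENY
add tm sessionPolicy intranet_sess_pol true intranet_sess_act
bind lb vserver intranet_vs -policyName intranet_sess_pol -priority 100

# --- Audit: send logon successes and failures to a syslog collector ---
add audit syslogAction syslog_act 192.0.2.60 -logLevel ALL
add audit syslogPolicy syslog_pol true syslog_act
bind audit syslogGlobal -policyName syslog_pol -priority 100

# --- Verify and persist ---
show ns feature
save ns config
```

The two lines that matter most for security are the authorization default and the LDAP transport: with the default left at DENY, a misconfigured or missing policy fails closed, whereas the commented ALLOW variant turns every successful logon into access to everything behind the virtual server; and an ldapAction without -secType SSL and -validateServerCert YES sends the bind credentials and user passwords in clear text or accepts a spoofed directory server.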

Enabling authentication, authorization, and auditing

To use the authentication, authorization, and auditing feature, it must be enabled. You can configure authentication, authorization, and auditing entities, such as the authentication and traffic management virtual servers, before you enable the feature, but the entities do not function until the feature is enabled.

To enable authentication, authorization, and auditing by using the CLI

At the command prompt, type the following command to enable authentication, authorization, and auditing; the show ns feature command then lists the enabled features so that you can verify the change:

enable ns feature AAA 

To enable authentication, authorization, and auditing by using the GUI

  1. Navigate to System > Settings.
  2. In the details pane, under Modes and Features, click Change Basic Features.
  3. In the Configure Basic Features dialog box, select the Authentication, Authorization and Auditing check box.
  4. Click OK.

Disabling Authentication

If part of the deployment does not require authentication, you can disable it per virtual server, leaving authentication enabled on the virtual servers that do require it.

Important: Citrix recommends disabling authentication only with caution. If you are not using an external authentication server, create local users and groups so that the appliance can authenticate users. Disabling authentication stops the authentication, authorization, and auditing features that control and monitor connections to the appliance: when users type a web address to connect to the appliance, the logon page no longer appears and the application behind the virtual server is reachable without credentials.

To disable authentication

  1. Navigate to Configuration > NetScaler Gateway > Virtual Servers.
  2. In the details pane, click a virtual server, and then click Open.
  3. In the Basic Settings page, clear the Enable Authentication check box.
