Authentication Virtual Server: AAA TM(traffic management) virtual server acts as an authentication portal for content switching and load balancing virtual servers prompting users through form based or 401 login page before they can access their resources.

AAA Process:

• User is redirected to form based or 401 login page using SSL.
• It then gathers user’s creds and pass them to authentication server and caches them in directory that’s accessible through LDAP.
• Checks for user’s permissions before granting access to resources.
• Enables session timeout, after which users should re-authenticate again to access resources.
• Maintains audit log of user’s access

AAA Traffic Flow (for sample app IE, to access intranet URL like sharepoint):

• Client tries to access TM vserver that requires authentication.
• TM vserver checks for a valid authentication cookie is present in the request.
• If no cookie is present, TM responds back with 302 redirect to AAA vserver.
• Client sends post to AAA TM vserver login page with their credentials.
• AAA sends these credentials to authentication server for validation.
• If user is validated successfully, AAA TM vserver checks if user is authorized to access the resource.
• If user is not authorized, AAA TM vserver responds back to client with access denied error. (Ex, if you don’t have access to sharepoint, you would get an access denied error from sharepoint server)
• If authorized, AAA TM vserver redirects client back to TM vserver along with authentic cookie.
• This cookie authenticates and authorizes the client to access app and provides timeout value for session link.
• Client makes request to original url along with authentication cookie.
• TM vserver checks cookie and passes request to application server.

AAA Policies:

Netscaler AAA TM vserver supports below authentication methods:

• Local
• Oauth
• RADIUS
• LDAP
• TACACS+
• CERT
• Negotiate
• Web
• SAML

If external authentication server is used, traffic is source from NSIP address. If authentication server is load balanced on netscaler, traffic is sourced from SNIP or MIP address.

Authentication policies can be created using basic or advanced policy tab in netscaler. You can nagivate to security\aaa application traffic\polices\authentication\basic policies\ldap\policies node or sytem\authentication\basic policies\ldap to create LDAP policy.

Basic authentication policies consist of classic expression and action. Action refers the authentication server that the credentials will be passed to, if there is a match with the expression. Classic policies can identify if a packet is coming from ip or ip range. Authentication policy dictates which authentication server will be used to authenticate a user to traffic management vserver.

Classic expression of “ns_true” will return true for all traffic. If you want to create a policy without any filtering and allowing all traffic, just enter ns_true in the policy expression column for basic policy.

If you are using advanced policy, it should be “true” to allow all traffic i.e., using the default policy, without any filtering.

Basic and advanced policies can be bound to one or more AAA TM virtual server.

AAA TM virtual servers support single, dual and multi factor authentication.

• Single factor authentication is using one authentication method. Eg: LDAP
• Dual factor combines two authentication methods like LDAP and radius.
• Multi-factor authentication enhances the security of an application by requiring users to provide multiple proofs of identify to gain access. The NetScaler appliance provides an extensible and flexible approach to configuring multi-factor authentication. This approach is called nFactor authentication. This is only supported from NetScaler 11.0 Build 62.x onwards.

Policy Authentication order:

Virtual server is checked for any authentication policies in the vserver first. If there are no policies configured, then Global authentication policies are checked and processed if any. If there are no policies configured anywhere, default global session policies are checked.

Authorization Policies:

Based on classic or default expression, authentication policies define whether or not an authorized user can access the requested resource or not. Authorization policies are bound to users and groups. Authorization policies are evaluated after authentication to grant or deny access to a resource.

Session Profile:

Session profiles are used to specify session timeouts. Default authorization settings, single sign on settings and credential index settings that are different from global session settings. Session timeout defines the time period when a user should re-authenticate to access the resource. Default authorization settings decides whether or not, to grant access to a user with no specific authorization policy.

Single sign on allows users to enter their credentials once to authentication vserver and gains access to any backend resources which requires a credential request. Netscaler caches username and password and uses them whenever it receives an authentication request from the resource/application.

Credential index option in session profile determines which authentication method to be used for single sign on. Session profile is bound to a session policy which can be created using classic or default expression. Session policies are then bound to user or group or AAA vserver or globally.

Session policies are evaluated after authorization to provide unique settings for accessing the resource such as the session length and SSO support.

Traffic Policies

Traffic policies are required when used form based or saml single sign on for protected applications. It can also be used to control logon processes for these apps. We can design our own form with our company’s logo using Form based SSO. Traffic policies are used where forms or SAML are used for SSO to applications.

SAML SSO can be used to configure on netscaler to authenticate to other netscaler. First create form/SAML SSO profile. Then create traffic profile and link it to sso profile created earlier. Create traffic policy and link to traffic profile. Finally bound the policy to AAA vserver.