Configuring NetScaler® AAA
To add extra security to authentication on the load balancing features, we can use the Citrix NetScaler AAA feature. With the following steps, we can secure a load balancing virtual server with two-factor authentication based on Web Form authentication:

1. Go to Security | AAA - Application Traffic | Policies | Sessions | Session Profiles, and click on Add. Fill in the correct information based on the following explanation:
   - Name: Select a descriptive name for the AAA Session Profile, for example, `AAA-Pro-Session`.
   - Session Time-out (mins): The timeout after which Citrix NetScaler kills the session.
   - Default Authorization Action: This can be `ALLOW` or `DENY`. Select `ALLOW`.
   - Single Sign-on to Web Applications: Enable this if you want SSON to the backend.
   - Credential Index: Use the credentials from the primary or the secondary authentication policy for SSON.
   - Single Sign-on Domain: This will be the internal domain name from the AD or NDS.
   - HTTPOnly Cookie: Allow only an HTTP-only session cookie, in which case the cookie cannot be accessed by scripts.
   - Enable Persistent Cookie: You can enable or disable persistent SSO cookies for the traffic management (TM) session. A persistent cookie remains on the user device and is sent with each HTTP request.
   - Persistent Cookie Validity: This is an integer specifying the number of minutes for which the persistent cookie remains valid.
   - KCD Account: The Kerberos constrained delegation account name, used when Kerberos authentication is configured.
   - Home Page: This is the web address of the home page that a user is shown when the authentication vserver is bookmarked and used to log in.
2. Go to Security | AAA - Application Traffic | Policies | Sessions | Session Policies, and click on Add:
   - Name: Select a descriptive name for the AAA Session Policy, for example, `AAA-Pol-Session`.
   - Request Profile: Select the profile created in step 1.
   - Expression: You can bind an expression. In this case, we use `ns_true`.
3. Go to Security | AAA - Application Traffic | Virtual Servers, and click on Add. Fill in the correct information based on this explanation:
   - Name: Again, select a descriptive name for the AAA virtual server, for example, `AAA-Srv-TwoFactor`.
   - IP Address Type: Select IP address, or non addressable if you want to use the content switching method.
   - Port: This is the AAA virtual server port. The default is `443`.
   - Authentication Domain: This would be the domain of the public site, for example, `contoso.com`.
4. Bind the certificate.
5. Bind the session policy created in step 2.
6. Bind the Basic Authentication Policies: add `LDAP` as Primary, and add `RADIUS` as Secondary. Click on Continue.
7. Go to Security | AAA - Application Traffic | Authentication Profile, and click on Add. Fill in the correct information based on the explanations given here:
   - Name: Select a descriptive name for the authentication profile, for example, `AAA-AuthPol-TwoFactor`.
   - Authentication Host: This would be the FQDN on which the NetScaler AAA virtual server responds, for example, `twofactor.contoso.com`.
   - Choose Authentication Virtual Server Type: Choose `Authentication Virtual Server`.
   - Authentication Virtual Server: Select the `Authentication Virtual Server` created in step 3.
   - Authentication Domain: This would be the domain of the public site, for example, `contoso.com`.
   - Authentication Level: Fill in the value 1 if you are using one authentication method, and 2 if you are using two-factor authentication.
8. Open the Load Balancing Virtual Server that you want to protect. Add Authentication from the right-hand side of the page.
9. Select Form Based Authentication or 401 Based Authentication. In this case, we're using Form Based Authentication, because we wish to use two-factor authentication:
   - Authentication FQDN: This is the FQDN of the NetScaler AAA virtual server, for example, `twofactor.contoso.com`.
   - Choose Authentication Virtual Server Type: Choose `Authentication Virtual Server`.
   - Authentication Virtual Server: Select the `Authentication Virtual Server` created in step 3.
   - Authentication Profile: Select the `Authentication Policy` created in step 7.
10. Now your Load Balancing Virtual Server is protected with the NetScaler AAA security:
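The same ten GUI steps expressed as NetScaler CLI commands, as an added example that is not part of the original recipe. The object names follow the recipe; the session timeout (30 minutes), the internal SSO domain `contoso.local`, the AAA VIP `192.0.2.10`, the certificate key pair `wildcard-contoso`, the LDAP and RADIUS policy names `ldap-pol` and `radius-pol`, and the load balancing virtual server `lb-vs-intranet` are assumed values (lines starting with `#` are comments).

```text
# Step 1: session profile (a TM session action); timeout and SSO domain are assumed values
add tm sessionAction AAA-Pro-Session -sessTimeout 30 -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -ssoDomain contoso.local -httpOnlyCookie YES

# Step 2: session policy that always (ns_true) applies the profile
add tm sessionPolicy AAA-Pol-Session ns_true AAA-Pro-Session

# Step 3: AAA virtual server on port 443 for the public domain (VIP is an assumed value)
add authentication vserver AAA-Srv-TwoFactor SSL 192.0.2.10 443 -AuthenticationDomain contoso.com

# Step 4: bind the server certificate (key pair name is an assumed value)
bind ssl vserver AAA-Srv-TwoFactor -certkeyName wildcard-contoso

# Step 5: bind the session policy
bind authentication vserver AAA-Srv-TwoFactor -policy AAA-Pol-Session -priority 100

# Step 6: LDAP as the primary factor, RADIUS as the secondary factor (policy names assumed)
bind authentication vserver AAA-Srv-TwoFactor -policy ldap-pol -priority 100
bind authentication vserver AAA-Srv-TwoFactor -policy radius-pol -priority 100 -secondary

# Step 7: authentication profile; level 2 because both factors are required
add authentication authnProfile AAA-AuthPol-TwoFactor -authnVsName AAA-Srv-TwoFactor -AuthenticationHost twofactor.contoso.com -AuthenticationDomain contoso.com -AuthenticationLevel 2

# Steps 8-9: form-based authentication on the load balancing virtual server (name assumed)
set lb vserver lb-vs-intranet -Authentication ON -authnProfile AAA-AuthPol-TwoFactor

# Step 10: verify that the vserver now reports Authentication: ON with the profile bound
show lb vserver lb-vs-intranet
```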