CTX113820
NetScaler Gateway
NetScaler Gateway_all
Authentication,Configuration
2016-04-15
2015-02-09
This article describes how to configure a Cisco Secure Access Control Server 3.3 to be used to authenticate NetScaler user accounts and manage authorized ...

Objective

This article describes how to configure a Cisco Secure Access Control Server (ACS) 3.3 to authenticate NetScaler administrative user accounts and to manage the command sets those users are authorized to run, using Terminal Access Controller Access-Control System Plus (TACACS+). Users are then administered on the TACACS+ server instead of having to be added locally on NetScaler.


Instructions

To configure external authentication using TACACS+, complete the following procedures:

  1. Configuring Cisco ACS for TACACS+ Authentication and Authorization

  2. Configuring NetScaler

Configuring Cisco ACS for TACACS+ Authentication and Authorization

  1. From the menu buttons on the left pane, click Network Configuration.

  2. Add the NetScaler IP address as an AAA Client and configure the TACACS+ key. The same key must later be entered on NetScaler as the tacacsSecret; if the two differ, every authentication fails.

  3. Select TACACS+ (Cisco IOS) from the Authenticate Using drop down menu.

    User-added image

  4. To select an existing group and give it a descriptive name, click Group Setup in the left menu and then click Rename Group.

    User-added image

  5. Type the desired name in the Group field to rename group and then click Submit.

    User-added image

  6. Select the Command check-box and type a command in the field below it (for example, show).

    User-added image

    Note: For the administration GUI to open without errors, the group must be permitted to run at least the following show commands. In ACS these are entered as argument lines under the show command:

    - permit ns version

    - permit ns hostname

    - permit ssl fips

    - permit ns license

    - permit ns config

    - permit ns feature

    User-added image

  7. Add a permitted argument for that command (such as ns version) and select the Permit radio button under both Unmatched Cisco IOS Commands and Unlisted Arguments. With both set to Permit, any command that is not listed, and any argument that is not listed for a listed command, is allowed to run on NetScaler, so the command list only serves to carry explicit deny lines.
    Note: Restrictive or permissive command sets can be configured based on the group's role. To limit a group to the listed commands, select Deny for Unmatched Cisco IOS Commands and for Unlisted Arguments and list every command the role needs; the first authorization NetScaler requests after login is for the command shell, so that command must be permitted as well.

  8. Click User Setup. Type the user name that will be authenticated by the TACACS server in the User field and click Add/Edit.

    User-added image

  9. Type the password for the user in the Password and Confirm Password fields. Select the appropriate group in the Group to which the user is assigned drop-down menu, and then click Submit.

    User-added image
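
What the Permit and Deny choices in steps 6 and 7 mean for the commands NetScaler sends can be checked with the following Python model of ACS per-group shell command authorization. This is an added example, not code from the original article or from Cisco. It assumes the evaluation order ACS documents for 3.x and 4.x (a listed command is checked against its permit/deny argument lines, then that command's Unlisted Arguments setting; a command that is not listed falls to Unmatched Cisco IOS Commands), that argument lines are compared as regular expressions anchored at the start of the argument string, and that the first word of the command NetScaler sends is the TACACS+ cmd with the remainder as its arguments, as the aaad.debug sample on this page suggests. ARTICLE_GROUP mirrors the article's configuration; READ_ONLY_GROUP and the request strings are constructed for the exercise.

```python
import re
from dataclasses import dataclass, field

# Constructed model of one ACS 3.x group's TACACS+ shell command
# authorization settings (assumption: the evaluation order ACS documents
# for 3.x/4.x; this is not Cisco's code).
@dataclass
class CommandRule:
    arg_lines: list = field(default_factory=list)  # "permit ns version", "deny ..."
    permit_unlisted_args: bool = False              # Unlisted Arguments radio

@dataclass
class CommandSet:
    commands: dict                   # command keyword -> CommandRule
    permit_unmatched_commands: bool  # Unmatched Cisco IOS Commands radio

def authorize(cs: CommandSet, command_line: str) -> bool:
    """Return True if this group would permit the command line.

    Assumption: the first word is the TACACS+ cmd and the rest is its
    argument string, which is how the page's aaad.debug sample
    ("command:show ns runningConfig") reads.  Argument lines are treated
    as regular expressions anchored at the start of the argument string.
    """
    words = command_line.strip().split(None, 1)
    if not words:
        return False
    cmd, args = words[0], (words[1] if len(words) > 1 else "")
    rule = cs.commands.get(cmd)
    if rule is None:
        return cs.permit_unmatched_commands
    for line in rule.arg_lines:
        verb, _, pattern = line.strip().partition(" ")
        if re.match(pattern.strip(), args):
            return verb == "permit"
    return rule.permit_unlisted_args

# Argument lines from the note in step 6, without the duplicate.
GUI_ARGS = ["permit ns version", "permit ns hostname", "permit ssl fips",
            "permit ns license", "permit ns config", "permit ns feature"]

# The group as the article configures it: listed show arguments plus
# Permit for both unlisted arguments and unmatched commands.
ARTICLE_GROUP = CommandSet(
    commands={"show": CommandRule(GUI_ARGS, permit_unlisted_args=True)},
    permit_unmatched_commands=True,
)

# Constructed read-only variant: Deny for everything not listed.  "shell"
# must be listed because it is the first command NetScaler asks ACS to
# authorize after login (see the aaad.debug sample on this page).
READ_ONLY_GROUP = CommandSet(
    commands={
        "shell": CommandRule([], permit_unlisted_args=True),
        "show": CommandRule(GUI_ARGS, permit_unlisted_args=False),
    },
    permit_unmatched_commands=False,
)

# Constructed requests; the first two appear in the article's log sample.
REQUESTS = ["shell", "show ns runningConfig", "show ns version",
            "add system user tmpadmin Passw0rd", "save ns config"]

def evaluate(cs: CommandSet) -> dict:
    """Map each sample request to the group's permit/deny decision."""
    return {r: authorize(cs, r) for r in REQUESTS}

if __name__ == "__main__":
    for name, cs in (("article group", ARTICLE_GROUP),
                     ("read-only group", READ_ONLY_GROUP)):
        print(name)
        for req, ok in evaluate(cs).items():
            print(f"  {'permit' if ok else 'deny  '} {req}")
```

Running it shows the article's group permitting every request, including add system user and save ns config, because both unmatched settings are Permit; the read-only group permits only shell and the listed show commands.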

Configuring NetScaler

Cisco ACS is configured to authenticate users and authorize commands. NetScaler must be configured to send the authentication and authorization requests.

  1. Go to System > Authentication and add a server.

  2. Specify the IP address of the ACS server and the appropriate TACACS key as defined in the network configuration of the ACS.

    User-added image

  3. Use the following command to configure the TACACS authentication server from the command line (in this example TAC is the server name). The -authorization parameter defaults to OFF; set it to ON so that each command is authorized by ACS as shown under Additional Resources, otherwise ACS is used for authentication only.
    > add authentication tacacsAction TAC -serverIP 172.16.1.200 -tacacsSecret secret -authorization ON

    The full syntax is:
     add authentication tacacsAction <name> [-serverIP <ip_addr>] [-serverPort <port>] [-authTimeout <positive_integer>] [-tacacsSecret <string>] [-authorization ( ON | OFF )] [-accounting ( ON | OFF )]
  4. Create the TACACS policy and set the expression to ns_true.

    User-added image

  5. Issue the following command to configure this from the command line (in this example, TAC_Pol is the name of the policy and TAC is the action created in step 3; the policy must reference the action, otherwise it has no server to send requests to).
    > add authentication tacacsPolicy TAC_Pol ns_true TAC

  6. To bind the policy globally, select the Active check-box next to the policy.

    User-added image

  7. Issue the following command:
    > bind system global TAC_Pol -priority 1


Additional Resources

The following is sample output from the /tmp/aaad.debug file, captured with cat /tmp/aaad.debug from the NetScaler shell while the user logs in and runs commands.

  • The user is first authenticated:

     Mon Jun 25 14:05:10 2007 /usr/home/build/rs_80_45_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[ 359]: process_kernel_socket call to authenticate user :shoosoo, vsid :86
     Mon Jun 25 14:05:10 2007 /usr/home/build/rs_80_45_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/tacplus_drv.c[273]: start_tacplus_auth attempting to auth shoosoo @ 172.16.1.200
     Mon Jun 25 14:05:10 2007 /usr/home/build/rs_80_45_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[ 1142]: send_accept sending accept to kernel for : shoosoo

  • Each command is authorized by the ACS:

     Mon Jun 25 14:05:10 2007 /usr/home/build/rs_80_45_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[ 394]: process_kernel_socket call to authorize user :shoosoo, command:shell, vsid:86
     Mon Jun 25 14:05:10 2007 /usr/home/build/rs_80_45_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/tacplus_drv.c[224]: start_tacplus_authorize attempting to auth shoosoo: @ 172.16.1.200
     Mon Jun 25 14:06:02 2007 /usr/home/build/rs_80_45_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[394]: process_kernel_socket call to authorize user :shoosoo, command:show ns runningConfig, vsid:86
     Mon Jun 25 14:06:02 2007 /usr/home/build/rs_80_45_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/tacplus_drv.c[224]: start_tacplus_authorize attempting to auth shoosoo: @ 172.16.1.200
  • The authentication exchange as seen in a Wireshark capture:

    User-added image

  • The authorization request and response for commands:

    User-added image

    Note: The user is first authenticated by the TACACS+ server, and each command is then authorized by the TACACS+ server before it executes. Because authorization is decided per command on the TACACS+ server, no group extraction takes place on NetScaler.
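
To turn the debug output above into something that can be reviewed, here is an added Python example, not part of the original article, that parses aaad.debug entries into events and reports, per user, which commands were sent to ACS for authorization and whether every authorization was preceded by a successful authentication for that user. The message formats are taken from the entries quoted above; the sample text is constructed from them, with one invented entry for a user that was never accepted so that the check has something to flag.

```python
import re
from collections import defaultdict

# Constructed sample in the format of /tmp/aaad.debug.  The first six
# entries are the ones quoted on this page, one per line; the last is
# invented for the exercise: a command authorization for a user that never
# passed authentication, which audit() should flag.
SRC = "/usr/home/build/rs_80_45_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad"
SAMPLE = "\n".join([
    f"Mon Jun 25 14:05:10 2007 {SRC}/naaad.c[ 359]: process_kernel_socket call to authenticate user :shoosoo, vsid :86",
    f"Mon Jun 25 14:05:10 2007 {SRC}/tacplus_drv.c[273]: start_tacplus_auth attempting to auth shoosoo @ 172.16.1.200",
    f"Mon Jun 25 14:05:10 2007 {SRC}/naaad.c[ 1142]: send_accept sending accept to kernel for : shoosoo",
    f"Mon Jun 25 14:05:10 2007 {SRC}/naaad.c[ 394]: process_kernel_socket call to authorize user :shoosoo, command:shell, vsid:86",
    f"Mon Jun 25 14:05:10 2007 {SRC}/tacplus_drv.c[224]: start_tacplus_authorize attempting to auth shoosoo: @ 172.16.1.200",
    f"Mon Jun 25 14:06:02 2007 {SRC}/naaad.c[394]: process_kernel_socket call to authorize user :shoosoo, command:show ns runningConfig, vsid:86",
    f"Mon Jun 25 14:07:30 2007 {SRC}/naaad.c[394]: process_kernel_socket call to authorize user :mallory, command:add system user tmpadmin Passw0rd, vsid:87",
])

# Entry layout: timestamp, source file[line]: message
ENTRY = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<src>[^\s\[]+)\[\s*(?P<line>\d+)\]:\s*(?P<msg>.*)$")

# Message shapes taken from the quoted entries (the user name in the
# tacplus_drv.c authorize line is followed by a stray colon).
MESSAGES = [
    ("authenticate", re.compile(r"call to authenticate user :(?P<user>[^,]+), vsid :(?P<vsid>\d+)")),
    ("accept", re.compile(r"send_accept sending accept to kernel for : (?P<user>\S+)")),
    ("authorize", re.compile(r"call to authorize user :(?P<user>[^,]+), command:(?P<cmd>.*?), vsid:(?P<vsid>\d+)")),
    ("tacacs", re.compile(r"start_tacplus_auth(?:orize)? attempting to auth (?P<user>[^\s:]+):? @ (?P<server>\S+)")),
]

def parse_line(line):
    """Return an event dict for one aaad.debug entry, or None if it is not one."""
    m = ENTRY.match(line)
    if not m:
        return None
    event = {"ts": m["ts"], "file": m["src"].rsplit("/", 1)[-1], "kind": "other"}
    for kind, pat in MESSAGES:
        hit = pat.search(m["msg"])
        if hit:
            event["kind"] = kind
            event.update(hit.groupdict())
            break
    return event

def audit(text):
    """Parse the log; return (events, commands per user, suspicious authorizations).

    An authorization is suspicious when no send_accept for that user
    precedes it in the log, i.e. a command reached the authorization step
    without a successful authentication being recorded first.
    """
    events = [e for e in map(parse_line, text.splitlines()) if e]
    accepted = set()
    commands = defaultdict(list)
    suspicious = []
    for e in events:
        if e["kind"] == "accept":
            accepted.add(e["user"])
        elif e["kind"] == "authorize":
            commands[e["user"]].append(e["cmd"])
            if e["user"] not in accepted:
                suspicious.append(e)
    return events, dict(commands), suspicious

if __name__ == "__main__":
    events, commands, suspicious = audit(SAMPLE)
    for user, cmds in commands.items():
        print(f"{user}: {len(cmds)} command(s) sent for authorization: {cmds}")
    for e in suspicious:
        print(f"NO PRIOR ACCEPT: {e['ts']} user {e['user']} command {e['cmd']!r}")
```

On a live system, feed it the text collected with cat /tmp/aaad.debug; the per-user command list is also a quick way to confirm that -authorization ON is in effect, since without it no authorize entries appear at all.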


Source note

This article originates from Citrix.com; copyright in the translation belongs to the translator. Credit the source when reproducing it.