© 1999-2017 Citrix Systems, Inc. All rights reserved. p.152https://docs.citrix.com
Configuring Authentication and Authorization Settings
Oct 04 , 2016
Authentication with the NetScaler SDX Management Service can be local or external. With external authentication, the
Management Service grants user access on the basis of the response from an external server. The Management Service
supports the following external authentication protocols:
Remote Authentication Dial In User Service (RADIUS)
Terminal Access Controller Access-Control System (TACACS)
Lightweight Directory Access Protocol (LDAP)
The Management Service also supports authentication requests from SSH. The SSH authentication supports only
keyboard-interactive authentication requests. The authorization of SSH users is limited to Superuser privileges only. Users
with readonly privileges cannot log on through SSH.
To configure authentication, specify the authentication type, and configure an authentication server.
Authorization through the Management Service is local. The Management Service supports two levels of authorization.
Users with superuser privileges are allowed to perform any action on the management service. Users with readonly privileges
are allowed to perform only read operations. The authorization of SSH users is limited to superuser privileges only. Users
with readonly privileges cannot log on through SSH.
Authorization for RADIUS and LDAP is supported by group extraction. You can set the group extraction attributes during
the configuration of RADIUS or LDAP servers on the Management Service. The extracted group name is matched with the
group names on the Management Service to determine the privileges given to the user. A user can belong to multiple
groups. In that case, if any group to which the user belongs has superuser privileges, the user has superuser privileges. A
Default Authentication group attribute can be set during configuration. This group is considered along with the extracted
groups for authorization.
In the case of TACACS authorization, the TACACS server administrator must permit a special command, superuser for a user
who is to have superuser privileges and deny this command for users with readonly privileges. When a user logs on to
NetScaler SDX appliance, the Management Service checks if the user has permission to execute this command and if the
user has permission, the user is assigned the superuser privileges else the user is assigned readonly privileges.
Adding a User Group
Groups are logical sets of users that need to access common information or perform similar kinds of tasks. You can
organize users into groups defined by a set of common operations. By providing specific permissions to groups rather than
individual users, you can save time when creating new users.
If you are using external authentication servers for authentication, groups in NetScaler SDX can be configured to match
groups configured on authentication servers. When a user belonging to a group whose name matches a group on an
authentication server, logs on and is authenticated, the user inherits the settings for the group in NetScaler SDX appliance.
To add a user group
1. On the Configuration tab, under System, expand Administration, and then click Groups.
2. In the details pane, click Add.
3. In the Create System Group dialogue box, set the following parameters:
Name— Name of the Group. Maximum length: 128
To Next Page
Loading...
Need help?
General
