Q: How does group extraction for RADIUS work in NetScaler version 5.2?
A: Some background on RADIUS first: RADIUS defines a small set of standard attributes, but it is designed to be extensible through vendor-specific attributes, which are described in vendor dictionaries. A vendor dictionary is simply a text file that declares a vendor ID followed by a number of attributes defined under that vendor. A sample file looks like this:
#
# Misc dictionary.
#
VENDOR usr 1
#
# Misc attributes
#
ATTRIBUTE RandomIPAddr 1 ipaddr usr
ATTRIBUTE RandomIPAddr2 2 ipaddr usr
ATTRIBUTE RandomNumber 3 integer usr
ATTRIBUTE GroupName 4 string usr
ATTRIBUTE RandomString 5 string usr
ATTRIBUTE RandomString2 6 string usr
The vendor ID must be unique amongst the vendor dictionaries imported into the customer's RADIUS server. RADIUS vendor IDs are the IANA private enterprise numbers carried in Vendor-Specific attributes, so a production dictionary should use your organization's registered number rather than an arbitrary value such as the 1 in this sample. Attribute numbers must be unique within that particular vendor. Some RADIUS servers offer GUIs for importing this data and/or for creating a new dictionary with their own tools. Many allow you to import a dictionary as long as it is a text file that follows the above (Cistron) format.
With the dictionary defined, the administrator must return the attribute in each user's configuration. With FreeRADIUS, the entry in the users file looks like this (the check items are on the first line; the reply attribute follows on an indented continuation line):
sshah Auth-Type := Local, User-Password == "mypassword"
        GroupName = "marketing"
In the above vendor dictionary, the Vendor-ID is 1 and the Attribute-ID for "GroupName" is 4; these are the two numbers the RADIUS server uses to encode the value as a Vendor-Specific attribute in the Access-Accept it sends back.
NetScaler and RADIUS group extraction:
When configuring the RADIUS server using the set aaa radiusparams command, -radVendorID <positive_integer> and -radAttributeType <positive_integer> tell the NetScaler which vendor dictionary to look in ("Vendor-ID") and which attribute within that vendor to read the group name from ("Attribute-ID"). Thus, a RADIUS server running on 10.2.1.11:1812 with the shared secret set to "nsrulez" and the above example dictionary uses:
set aaa radiusparams -serverip 10.2.1.11 -serverport 1812 -radkey nsrulez -radVendorID 1 -radAttributeType 4
Now define the expressions needed to allow users to reach the 10.3.0.0/16 and 10.4.0.0/16 networks:
add expression inside10_3 VPNSERVICE EQ 10.3.0.0 -netmask 255.255.0.0
add expression inside10_4 VPNSERVICE EQ 10.4.0.0 -netmask 255.255.0.0
The group name returned in the attribute must match the name of an aaa group on the NetScaler. If all the users have GroupName = "ALL", define the group on the NetScaler (quoting the rule, since it contains spaces) using:
add aaa group ALL -NonHttpRule "inside10_3 || inside10_4" -ActionNonHttp allow
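To make the Vendor-ID / Attribute-ID mapping concrete, the following is an added example (not code from the original page or from Citrix/NetScaler) that parses the sample dictionary above, encodes the GroupName reply as a RADIUS Vendor-Specific attribute (type 26, RFC 2865 section 5.26), and then extracts it from a constructed Access-Accept attribute list the way a NAS configured with -radVendorID 1 -radAttributeType 4 would. The Access-Accept contents, the decoy vendor 99999, and the function names are assumptions made for the example.

```python
# Added example, not part of the original page: RADIUS Vendor-Specific
# attribute encoding/extraction for the GroupName attribute in the sample
# dictionary. Vendor 99999 and the Access-Accept contents are constructed
# for illustration only.
import struct

VENDOR_SPECIFIC = 26  # standard RADIUS attribute type that carries VSAs
REPLY_MESSAGE = 18

SAMPLE_DICTIONARY = """\
#
# Misc dictionary.
#
VENDOR usr 1
#
# Misc attributes
#
ATTRIBUTE RandomIPAddr 1 ipaddr usr
ATTRIBUTE RandomIPAddr2 2 ipaddr usr
ATTRIBUTE RandomNumber 3 integer usr
ATTRIBUTE GroupName 4 string usr
ATTRIBUTE RandomString 5 string usr
ATTRIBUTE RandomString2 6 string usr
"""


def parse_dictionary(text):
    """Return {attribute_name: (vendor_id, attribute_id, type)} from Cistron-style text."""
    vendors, attrs = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "VENDOR" and len(fields) == 3:
            vendors[fields[1]] = int(fields[2])
        elif fields[0] == "ATTRIBUTE" and len(fields) == 5:
            name, number, typ, vendor = fields[1:]
            attrs[name] = (vendors[vendor], int(number), typ)  # KeyError if vendor undeclared
    return attrs


def encode_vsa(vendor_id, vendor_type, value):
    """Build one attribute-26 TLV: Type | Length | Vendor-Id(4) | Vendor-Type | Vendor-Length | data."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    if 2 + len(body) > 255:
        raise ValueError("VSA longer than one RADIUS attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def iter_attributes(blob):
    """Walk a RADIUS attribute list, yielding (type, data); reject malformed lengths."""
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length")
        yield atype, blob[pos + 2:pos + alen]
        pos += alen


def extract_group(attributes, vendor_id, attr_type):
    """Mimic -radVendorID/-radAttributeType: return the matching VSA string, or None."""
    for atype, data in iter_attributes(attributes):
        if atype != VENDOR_SPECIFIC or len(data) < 6:
            continue
        if struct.unpack("!I", data[:4])[0] != vendor_id:
            continue  # same sub-attribute number under another vendor must not match
        sub, pos = data[4:], 0
        while pos + 2 <= len(sub):  # one VSA may carry several sub-attributes
            vtype, vlen = sub[pos], sub[pos + 1]
            if vlen < 2 or pos + vlen > len(sub):
                break
            if vtype == attr_type:
                return sub[pos + 2:pos + vlen].decode("utf-8", "replace")
            pos += vlen
    return None


def sample_access_accept_attributes():
    """Constructed attribute list: a Reply-Message, a decoy VSA, then the real GroupName."""
    vid, aid, _ = parse_dictionary(SAMPLE_DICTIONARY)["GroupName"]
    reply = struct.pack("!BB", REPLY_MESSAGE, 2 + 7) + b"Welcome"
    decoy = encode_vsa(99999, aid, b"not-a-group")  # same attribute number, wrong vendor
    return reply + decoy + encode_vsa(vid, aid, b"marketing")


if __name__ == "__main__":
    print(extract_group(sample_access_accept_attributes(), 1, 4))  # marketing
```

The decoy shows why both numbers matter: a sub-attribute 4 under a different vendor ID is ignored, so a misconfigured -radVendorID yields no group at all rather than a wrong one.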