NetScaler AAA Traffic Flow Logic for External Authentication Servers

Article ID: CTX132935

Description

This article describes the NetScaler Authentication, Authorization, and Auditing (AAA) network traffic flow logic for external authentication servers.

The following describes the network traffic flow logic that the NetScaler appliance follows for the AAA traffic its FreeBSD layer generates towards external authentication servers. Which mode applies depends on the network reachability of the external authentication server.

External Authentication Server is Reachable on the NetScaler IP (NSIP) Subnet

The NetScaler appliance uses only the NSIP as the source IP address for the authentication traffic, even if additional Subnet IP addresses (SNIPs) are present in other subnets or networks.

External Authentication Server is Reachable on the NSIP Subnet with SNIPs

The NetScaler appliance uses the NSIP as the source IP address for the authentication traffic and does not follow the Round Robin method, even if there is a SNIP in the same network as the NSIP.

External Authentication Server is Reachable on the SNIP Network but Not on the NSIP Network

The NetScaler appliance uses the SNIP as the source IP address for the authentication traffic. When more than one SNIP is present in that subnet, the appliance follows the Round Robin method among the SNIPs configured in the same SNIP network. The NSIP is not used.

This Round Robin method for the SNIPs cannot be changed, and the appliance cannot be configured to use only one SNIP as the source IP address when multiple SNIPs are present in the same network or subnet. Therefore, when multiple SNIPs are present in the same subnet, the authentication traffic destined to the external authentication servers uses all of those SNIPs as the source IP address, in Round Robin mode.

Configuring aaadnatIp

Configuring aaadnatIp enables the use of one IP address, always, as the source IP address for the authentication traffic. It requires a new IP address to be configured, because this option cannot use the existing NSIP or the existing SNIPs in the system.

Run the following commands to configure aaadnatIp and verify the setting:
> set aaa parameter -aaadnatIp 10.1.1.1
> show aaa parameter

Output of show aaa parameter:
Configured AAA parameters:
DefaultAuthType: LOCAL MaxAAAUsers: 5
AAAD nat ip : 10.1.1.1

The newly configured IP is used as the source IP address regardless of whether the authentication server is reachable on the NSIP or the SNIP networks.

For more information refer to Citrix Documentation.

Skipping the Proxying of FreeBSD Traffic

Run the following command:
nsapimgr -ys skip_proxying_bsd_traffic=1

With this command the NetScaler appliance does not proxy the FreeBSD traffic: it forwards the packets to the wire without changing them (the source IP address included) and creates a NAT session on the way out.

From NetScaler 11.1 you can also use the following command to skip proxying FreeBSD traffic:
set L2Param -skipProxyingBsdTraffic ENABLED
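The three reachability modes above, plus the aaadnatIp override, decide which appliance addresses an LDAP, RADIUS or TACACS+ server (and any firewall in front of it) must permit; missing one SNIP of a round-robin pair produces intermittent authentication failures that are hard to diagnose. The following Python model is an added example, not Citrix code and not taken from the article: it encodes the source-IP selection rules as stated, computes the allow-list for a constructed sample topology, and shows the round-robin sequence. It assumes that "reachable on a subnet" means the server address falls inside that directly attached subnet (routed reachability is not modelled), and it returns an empty list for a server on none of the attached subnets, a case the article does not cover.

```python
import ipaddress
from itertools import cycle
from typing import Iterable, List, Optional


def _iface(addr: str) -> ipaddress.IPv4Interface:
    """Parse "a.b.c.d/prefix" into an interface object (IP plus its subnet)."""
    return ipaddress.ip_interface(addr)


def candidate_sources(nsip: str, snips: Iterable[str], auth_server: str,
                      aaadnat_ip: Optional[str] = None) -> List[str]:
    """Return the source IPs the appliance may use for AAA traffic to auth_server.

    nsip and snips carry a prefix length ("10.0.0.5/24"); auth_server and
    aaadnat_ip are bare addresses. Rules, as the article states them:
      1. aaadnatIp, when configured, is always the single source address.
      2. Server on the NSIP subnet: the NSIP alone, even if SNIPs exist in that
         same subnet (no round robin).
      3. Server on a SNIP subnet but not on the NSIP subnet: every SNIP in that
         subnet, used in round robin. The NSIP is not used.
    Assumptions of this model: "reachable on a subnet" means the address lies
    inside that subnet, and a server on no attached subnet yields an empty list.
    """
    if aaadnat_ip:
        return [str(ipaddress.ip_address(aaadnat_ip))]
    server = ipaddress.ip_address(auth_server)
    ns = _iface(nsip)
    if server in ns.network:
        return [str(ns.ip)]
    return [str(s.ip) for s in map(_iface, snips) if server in s.network]


def round_robin_sequence(sources: List[str], n_requests: int) -> List[str]:
    """Source IP used by each of n_requests consecutive authentication requests."""
    if not sources:
        return []
    rr = cycle(sources)
    return [next(rr) for _ in range(n_requests)]


def allowlist_for(nsip: str, snips: Iterable[str], auth_servers: Iterable[str],
                  aaadnat_ip: Optional[str] = None) -> List[str]:
    """Sorted, de-duplicated appliance addresses the auth servers must permit."""
    permitted = set()
    for server in auth_servers:
        permitted.update(candidate_sources(nsip, snips, server, aaadnat_ip))
    return sorted(permitted, key=ipaddress.ip_address)


if __name__ == "__main__":
    # Constructed sample topology (placeholder addresses, not from any real site).
    NSIP = "10.0.0.5/24"
    SNIPS = ["10.0.0.6/24", "10.0.1.7/24", "10.0.1.8/24"]
    print(candidate_sources(NSIP, SNIPS, "10.0.0.50"))       # server on NSIP subnet
    print(candidate_sources(NSIP, SNIPS, "10.0.1.100"))      # server on a SNIP subnet
    print(round_robin_sequence(candidate_sources(NSIP, SNIPS, "10.0.1.100"), 5))
    print(candidate_sources(NSIP, SNIPS, "10.0.1.100", "10.1.1.1"))  # aaadnatIp wins
    print(allowlist_for(NSIP, SNIPS, ["10.0.0.50", "10.0.1.100"]))
```

Use allowlist_for when writing the host firewall or directory-server ACL for the authentication servers; note that for a server on a SNIP subnet the list contains every SNIP in that subnet, because the round robin cannot be disabled, whereas configuring aaadnatIp collapses the list to a single address.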
