Active Directory Group Extraction Does Not Work on NetScaler

Article ID: CTX135603

Description

Authentication, Authorization, and Auditing (AAA) group membership does not function as expected and users are displayed with denied access to SSL VPN and AAA pages.

In this scenario the requirement is to restrict access to AAA and SSL VPN to a specific Active Directory group. Adding a new user to the existing group works, but the existing users in that group are not getting authorized. Authentication fails with a message telling the user to contact the system administrator.


Note: The following two user accounts are used as the example in this article. Both are members of the dept group (Department) in Active Directory.

  • User

  • User1

Resolution

To resolve this issue, complete the following workaround:

Configure both accounts, User and User1, with Domain Users and dept in Active Directory. With Domain Users as the primary group, NetScaler can extract the dept group.

From aaad.debug

ns# cat /tmp/aaad.debug
Sun Oct 14 01:19:29 2012
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[614]: process_kernel_socket call to authenticate
user :user, vsid :9055
Sun Oct 14 01:19:29 2012
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[124]: start_ldap_auth attempting to auth user @ 10.217.130.227
Sun Oct 14 01:19:29 2012
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[415]: recieve_ldap_bind_event receive ldap bind event

Sun Oct 14 01:19:29 2012
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[770]: recieve_ldap_user_search_event built group string for user of:dept

Sun Oct 14 01:19:29 2012
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[1466]: send_accept sending accept to kernel for : user

Problem Cause

The Active Directory group that is set as the user's primary group is not used for group extraction; all the other groups associated with the user account are extracted. This is not a bug or issue on the NetScaler appliance but a consequence of Active Directory design: Active Directory does not return the primary group among the group memberships it reports for a user, so the NetScaler appliance cannot extract it. This is true whichever group is primary, so making the dept group the primary group instead of Domain Users does not help. If you do that, you might have to modify the search rule in the LDAP search filter field on the NetScaler as follows:
memberof=CN=domain users,dc=lab, dc=sumagee, dc=com

This is because, when the primary group is dept, only the Domain Users group is extracted by the NetScaler appliance.
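The mechanism described above, as an added example that is not part of the Citrix article: constructed directory entries for the two accounts show why a memberOf-based group extraction cannot see a user's primary group, which Active Directory records only as a RID in the primaryGroupID attribute, and a helper flags the accounts that a memberOf search filter like the one above would deny. The domain, DNs and SIDs are constructed values.

```python
# Constructed domain SID; a group's objectSid is the domain SID plus the group RID.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Constructed group entries, DN -> objectSid. Domain Users has the well-known RID 513.
GROUPS = {
    "CN=Domain Users,CN=Users,DC=lab,DC=example,DC=com": DOMAIN_SID + "-513",
    "CN=dept,OU=Groups,DC=lab,DC=example,DC=com": DOMAIN_SID + "-1105",
}

# Constructed user entries mirroring the two accounts in the article.
USERS = {
    # Primary group is Domain Users, so dept is listed in memberOf.
    "user1": {"primaryGroupID": "513",
              "memberOf": ["CN=dept,OU=Groups,DC=lab,DC=example,DC=com"]},
    # dept was made the primary group, so memberOf no longer lists it.
    "user": {"primaryGroupID": "1105", "memberOf": []},
}

def cn_of(dn):
    """Return the CN value of a DN such as 'CN=dept,OU=Groups,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def primary_group_dn(rid):
    """Resolve a primaryGroupID (a RID) to the group whose objectSid ends in that RID."""
    for dn, sid in GROUPS.items():
        if sid.rsplit("-", 1)[1] == rid:
            return dn
    return None

def extracted_groups(user):
    """Groups that a memberOf-based extraction (the behaviour in the article) sees."""
    return {cn_of(dn) for dn in user["memberOf"]}

def effective_groups(user):
    """Real membership: memberOf plus the primary group resolved from primaryGroupID."""
    groups = extracted_groups(user)
    primary = primary_group_dn(user["primaryGroupID"])
    if primary is not None:
        groups.add(cn_of(primary))
    return groups

def accounts_hidden_by_primary_group(users, required_cn):
    """Accounts in required_cn only via primary group; a memberOf filter denies them."""
    return sorted(name for name, user in users.items()
                  if required_cn in effective_groups(user)
                  and required_cn not in extracted_groups(user))
```

Running accounts_hidden_by_primary_group(USERS, "dept") returns ["user"], the account the article shows being rejected, while the same check for "Domain Users" returns ["user1"], matching the observation that Domain Users is never extracted for that account.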

Additional Information

Troubleshooting Methodology

This environment has a specific group called dept configured in Active Directory. An LDAP policy is configured on the NetScaler appliance with the following settings, including a search filter that looks for dept as the object name:

(Screenshot: LDAP policy settings on the NetScaler appliance)

However, with the preceding search filter, existing users are not getting authenticated, whereas a new user created in Active Directory with dept as a group is able to log on successfully. For example, user1 was created as a test user with the following settings in Active Directory:

(Screenshots: Active Directory settings for the user1 account)

On the NetScaler appliance, the dept group is extracted for user1.

From aaad.debug

ns# cat /tmp/aaad.debug
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[124]: start_ldap_auth attempting to auth user1 @ 10.217.130.227
Sun Oct 14 01:01:17 2012
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[415]: recieve_ldap_bind_event receive ldap bind event

Sun Oct 14 01:01:17 2012
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[770]: recieve_ldap_user_search_event built group string for user1 of:dept

Sun Oct 14 01:01:17 2012
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[1466]: send_accept sending accept to kernel for : user1

Next, the actual user who is denied access when logging on to both the SSL VPN and AAA pages is tested, using the same LDAP policy with the same dept filter as in the preceding aaad.debug output.

From aaad.debug

ns# cat /tmp/aaad.debug
Sun Oct 14 01:06:36 2012
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[614]: process_kernel_socket call to authenticate
user :user, vsid :9055
Sun Oct 14 01:06:36 2012
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[124]: start_ldap_auth attempting to auth user @ 10.217.130.227
Sun Oct 14 01:06:36 2012
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[415]: recieve_ldap_bind_event receive ldap bind event

Sun Oct 14 01:06:36 2012
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[685]: recieve_ldap_user_search_event ldap_first_entry returned null, user not found
Sun Oct 14 01:06:36 2012
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[1562]: send_reject sending reject to kernel for : user

The following screen shot from Active Directory shows that the user is part of the dept group:

(Screenshot: Active Directory group membership of the User account)

The following observations are made:

  • The only difference between the User1 and User accounts in Active Directory is that User1 is also a member of Domain Users and User is not. Both accounts are members of the dept group.

  • For the User1 account the primary group is Domain Users; for the User account the primary group is dept. Group extraction for User1 succeeds and shows dept in aaad.debug, but Domain Users is not extracted.

  • Although the User account is a member of the dept group, that group is not extracted in aaad.debug.