AAA Authentication Error Messages with Responder Feature for NetScaler


Article ID: CTX200071


Description

This article provides information about the responder after Authentication, Authorization, and Auditing (AAA) feature for the NetScaler appliance 10.5 Beta release.

Responder after Authentication, Authorization, and Auditing (AAA) Feature Explained

Responder after AAA is a feature for customizing the error strings that the AAA-TM module renders.
When the Access Gateway or AAA-TM module processes requests, an error such as an authorization failure or an inaccessible back-end server is returned. The NetScaler appliance may also encounter internal issues such as allocation failures, C2C failures, failures while processing incoming packets, and so on, and in each of these cases it sends an error. Some of these errors are unclear to the end user, for example "Internal server error 29", so customers may want to present customized messages instead. In the packet engine, the errors that occur while the AG/AAA-TM module processes requests are classified as follows:

  • ERR_AAA_GENERIC: generic or unclassified errors
  • ERR_AAA_ALLOC: allocation failures
  • ERR_AAA_C2C: C2C issues
  • ERR_AAA_POLICY: policy engine issues (mostly PE policies)
  • ERR_AAA_CONFIG: missing configuration found at runtime
  • ERR_AAA_IIP: issues while handling IIP connections, IIP allocations, or transfer login
  • ERR_AAA_AUTHN: authentication errors
  • ERR_AAA_REASSEMBLY: reassembly issues
  • ERR_AAA_NOSERVICE: general server down issues; server not reachable, etc.
  • ERR_AAA_UNAUTHORIZED: authorization failure, or authenticated requests without a cookie
  • ERR_AAA_BAD_REQUEST: bad request (mostly in CVPN)
  • ERR_AAA_PAGE_NOT_FOUND: invalid requests (mostly in CVPN)
  • ERR_UNKNOWN: unknown category; mostly a placeholder
  • ERR_AAA_SAML: all errors while processing SAML

When these issues occur, configure responder policies to send the customized errors. An example scenario and the corresponding configuration are provided here for each of these error types:

ERR_AAA_UNAUTHORIZED

This error is seen when there is unauthorized access to a resource, or when an authenticated request arrives without its cookie; the client sees an HTTP 403 Forbidden message.

CLI Usage

add expression e3 "SYS.ERROR.CATEGORY.EQ(ERR_AAA_UNAUTHORIZED)"
add responder action respwith respondwith '"User is unauthorized to access this resource"'
add responder policy respolicy e3 respwith
bind responder global respolicy 1

ERR_AAA_NOSERVICE

This error is seen when there are server down issues, such as the server not being reachable or the back-end server being inaccessible.

CLI Usage

> add expression e3 "SYS.ERROR.CATEGORY.EQ(ERR_AAA_NOSERVICE)"
> add responder action respwith respondwith '"Back end server is DOWN/unreachable"'
> add responder policy respolicy e3 respwith
> bind responder global respolicy 1

ERR_AAA_CONFIG

This error is seen when there are runtime configuration issues, for which an HTTP 500 error code is seen.
Example scenario: configure a TM virtual server (TMvs) for 401 authentication where the referenced authentication virtual server (authnvs) does not exist.

Craft responder policy as follows:

> add expression e3 "SYS.ERROR.CATEGORY.EQ(ERR_AAA_CONFIG)"
 Done
> add responder action respwith respondwith '"Configuration issue, kindly check your config and try again"'
 Done
> add responder policy respolicy e3 respwith
 Done
> bind responder global respolicy 1
 Done

Then log on to the LB TM virtual server to reproduce the error.

ERR_AAA_AUTHN

This error is seen when authentication fails or the user credentials are incorrect, for example when a user logs on with incorrect credentials on the AGEE/AAA-TM logon page.

Craft responder policy as follows:

add expression e3 "SYS.ERROR.CATEGORY.EQ(ERR_AAA_AUTHN)"
add responder action respwith respondwith '"User credentials are incorrect"'
add responder policy respolicy e3 respwith
bind responder global respolicy 1

ERR_AAA_ALLOC

This error code covers failures of memory, NSB, PCB, B64 and similar allocations; for example, a previous allocation is not cleared when the second one fails.

Craft responder policy as follows:

add expression e3 "SYS.ERROR.CATEGORY.EQ(ERR_AAA_ALLOC)"
add responder action respwith respondwith '"Allocation failure/issue on the NetScaler device"'
add responder policy respolicy e3 respwith
bind responder global respolicy 1

ERR_AAA_C2C

C2C errors arise in NetScaler when there are C2C communication issues due to timing, configuration modification, configuration distribution, and so on.

Craft responder policy as follows:

add expression e3 "SYS.ERROR.CATEGORY.EQ(ERR_AAA_C2C)"
add responder action respwith respondwith '"C2C issues with the device"'
add responder policy respolicy e3 respwith
bind responder global respolicy 1

ERR_AAA_REASSEMBLY

The Internet Protocol allows IP fragmentation so that the datagrams can be fragmented to pass over a link with a smaller MTU than the original datagram size.

NetScaler takes one of two reassembly actions: BRIDGE (fragments are forwarded without reassembly) or ASSEMBLE (fragments are reassembled before processing).

If the TCP/UDP header itself is fragmented, fragments are reassembled until the complete TCP header is available. Once NetScaler has the full TCP header, two actions are possible for the fragmented packets:
  • ASSEMBLE: packets are reassembled and then processed
  • BRIDGE: the fragments are processed in order

Craft responder policy as follows:

add expression e3 "SYS.ERROR.CATEGORY.EQ(ERR_AAA_REASSEMBLY)"
add responder action respwith respondwith '"NS reassembly issues"'
add responder policy respolicy e3 respwith
bind responder global respolicy 1

ERR_AAA_POLICY

This error is seen when there are issues related to PE (policy engine) authentication policies.

Craft responder policy as follows:

add expression e3 "SYS.ERROR.CATEGORY.EQ(ERR_AAA_POLICY)"
add responder action respwith respondwith '"Authentication policy issue"'
add responder policy respolicy e3 respwith
bind responder global respolicy 1

ERR_AAA_GENERIC

This error code applies when no major error category number is defined. ERR_AAA_GENERIC occurs for normal or traditional VPN errors that are not otherwise classified, for example logon issues.

Craft responder policy as follows:

add expression e3 "SYS.ERROR.CATEGORY.EQ(ERR_AAA_GENERIC)"
add responder action respwith respondwith '"Generic issue(s)"'
add responder policy respolicy e3 respwith
bind responder global respolicy 1

ERR_AAA_BAD_REQUEST

This error is seen when a user tries to access an AAA-TM/AGEE virtual server with an incorrect request syntax.

Craft responder policy as follows:

add expression e3 "SYS.ERROR.CATEGORY.EQ(ERR_AAA_BAD_REQUEST)"
add responder action respwith respondwith '"Bad request. Please modify the request to proceed"'
add responder policy respolicy e3 respwith
bind responder global respolicy 1

ERR_AAA_PAGE_NOT_FOUND

This error is seen when a user tries to access a resource that does not exist.

Craft responder policy as follows:

add expression e3 "SYS.ERROR.CATEGORY.EQ(ERR_AAA_PAGE_NOT_FOUND)"
add responder action respwith respondwith '"The resource/webpage you requested does not exist"'
add responder policy respolicy e3 respwith
bind responder global respolicy 1

ERR_UNKNOWN

ERR_UNKNOWN is a placeholder for unclassified errors, reserved for future use; for example, when a larger error number is defined but no PI enum exists for that classification.

Craft responder policy as follows:

add expression e3 "SYS.ERROR.CATEGORY.EQ(ERR_UNKNOWN)"
add responder action respwith respondwith '"Unknown issue"'
add responder policy respolicy e3 respwith
bind responder global respolicy 1

ERR_AAA_IIP

This error occurs when the NetScaler uses the IIP for the VPN connection, or for the connection to a web server or application server, and an issue arises during IIP login or user session transfer.

Craft responder policy as follows:

add expression e3 "SYS.ERROR.CATEGORY.EQ(ERR_AAA_IIP)"
add responder action respwith respondwith '"Issue with IIP allocation/IIP transfer"'
add responder policy respolicy e3 respwith
bind responder global respolicy 1

ERR_AAA_SAML

This category represents all errors that occur while processing SAML (Security Assertion Markup Language) messages. Note: this option is currently available via the CLI only and will be added to the GUI under enhancement NSHELP-19136.

Craft responder policy as follows:

add expression e3 "SYS.ERROR.CATEGORY.EQ(ERR_AAA_SAML)"
add responder action respwith respondwith '"Issue with SAML (Security Assertion Markup Language) assertion/SAML response"'
add responder policy respolicy e3 respwith
bind responder global respolicy 1
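The per-category snippets above each reuse the names e3, respwith and respolicy, and a respondwith action sends its string to the client verbatim, so a bare string arrives without any HTTP status line. As an added example that is not part of the original article, the following consolidated configuration uses distinct names and returns complete HTTP responses per category; the action and policy names (act_aaa_*, pol_aaa_*) and the message texts are assumptions, the category values are the ones listed in this article, and the # lines are explanatory and should be dropped if the commands are pasted into a batch file.

```text
# Wrong credentials: HTTP 401 with a neutral message that does not reveal
# which part of the credentials was wrong.
add responder action act_aaa_authn respondwith '"HTTP/1.1 401 Unauthorized\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\nSign-in failed. Check your user name and password and try again.\r\n"'
add responder policy pol_aaa_authn "SYS.ERROR.CATEGORY.EQ(ERR_AAA_AUTHN)" act_aaa_authn

# Authorization failure, or an authenticated request without its cookie: HTTP 403.
add responder action act_aaa_unauth respondwith '"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\nYou are not authorized to access this resource.\r\n"'
add responder policy pol_aaa_unauth "SYS.ERROR.CATEGORY.EQ(ERR_AAA_UNAUTHORIZED)" act_aaa_unauth

# Back-end server down or unreachable: HTTP 503 with a Retry-After hint.
add responder action act_aaa_noservice respondwith '"HTTP/1.1 503 Service Unavailable\r\nContent-Type: text/plain\r\nRetry-After: 60\r\nConnection: close\r\n\r\nThe service is temporarily unavailable. Please try again shortly.\r\n"'
add responder policy pol_aaa_noservice "SYS.ERROR.CATEGORY.EQ(ERR_AAA_NOSERVICE)" act_aaa_noservice

# Malformed request and missing resource: HTTP 400 and HTTP 404.
add responder action act_aaa_badreq respondwith '"HTTP/1.1 400 Bad Request\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\nThe request could not be understood.\r\n"'
add responder policy pol_aaa_badreq "SYS.ERROR.CATEGORY.EQ(ERR_AAA_BAD_REQUEST)" act_aaa_badreq
add responder action act_aaa_notfound respondwith '"HTTP/1.1 404 Not Found\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\nThe requested resource does not exist.\r\n"'
add responder policy pol_aaa_notfound "SYS.ERROR.CATEGORY.EQ(ERR_AAA_PAGE_NOT_FOUND)" act_aaa_notfound

# Internal categories (allocation, C2C, configuration, policy engine,
# reassembly, IIP, SAML, generic, unknown): one catch-all HTTP 500 that does
# not expose the internal category to the client. Use the per-category
# policies from the article instead when distinct messages are wanted.
add responder action act_aaa_internal respondwith '"HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\nAn internal error occurred. Please contact your administrator.\r\n"'
add responder policy pol_aaa_internal "SYS.ERROR.CATEGORY.EQ(ERR_AAA_ALLOC) || SYS.ERROR.CATEGORY.EQ(ERR_AAA_C2C) || SYS.ERROR.CATEGORY.EQ(ERR_AAA_CONFIG) || SYS.ERROR.CATEGORY.EQ(ERR_AAA_POLICY) || SYS.ERROR.CATEGORY.EQ(ERR_AAA_REASSEMBLY) || SYS.ERROR.CATEGORY.EQ(ERR_AAA_IIP) || SYS.ERROR.CATEGORY.EQ(ERR_AAA_SAML) || SYS.ERROR.CATEGORY.EQ(ERR_AAA_GENERIC) || SYS.ERROR.CATEGORY.EQ(ERR_UNKNOWN)" act_aaa_internal

# Bind the specific policies first; END stops evaluation after a match, so
# the catch-all only handles categories none of the earlier policies claimed.
bind responder global pol_aaa_authn 100 END
bind responder global pol_aaa_unauth 110 END
bind responder global pol_aaa_noservice 120 END
bind responder global pol_aaa_badreq 130 END
bind responder global pol_aaa_notfound 140 END
bind responder global pol_aaa_internal 150 END
```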


Issue/Introduction

This article provides information about the responder after AAA feature for the NetScaler appliance, starting with the 10.5 release.