NetScaler supports the AAA framework for Traffic Management (TM) virtual servers (henceforth called vservers) by leveraging the AAA features of its authentication subsystem. The vserver that performs the authentication is called the "authentication vserver" or AAA vserver.
There are different ways of deploying the AAA-TM solution. The original incarnation of AAA-TM deployments (NetScaler firmware versions predating 10.1) consisted of pairs of TM and authentication vservers: for every TM vserver, one had to configure an authentication vserver. All the TM vservers could, however, reside behind a Content Switching (CS) vserver, reducing the number of public endpoints to two (the CS vserver and the authentication vserver).
Beginning with the 10.1 releases of NetScaler, users can take advantage of the "authentication profiles" feature to share one authentication vserver among multiple TM vservers. At the heart of it, authentication profiles allow every TM vserver to have its own authentication scheme while leveraging a single authentication vserver. This is depicted in the following diagram:
However, this model becomes complex when some TM vservers require a single factor and others require multiple factors. This is addressed by the new "nFactor" feature, supported from the 11.0 release of NetScaler. nFactor gives a fresh perspective on authentication, streamlines the authentication flow and provides great flexibility during authentication. nFactor is beyond the scope of this document; readers are advised to refer to the nFactor deployment guides for more details.
With the 11.0 version of NetScaler, it is possible to consolidate the above picture into one public endpoint by placing the authentication vserver alongside the TM vservers behind the same CS vserver, so that there is one public endpoint and, in turn, one certificate. This is depicted in the following diagram:
This requires NetScaler version 11.0 build 64.34 or later.
The new behavior is achieved by allowing an authentication vserver to be one of the target vservers of a CS vserver. This means that a CS action (and therefore the CS policy that uses it) can now name an authentication vserver as its target vserver.
Once that is in place, the administrator needs to configure a CS policy that diverts the appropriate traffic (the authentication URLs) to the authentication vserver:
add authentication vserver auth SSL 1.1.1.1 443
(the authentication vserver; it can also be non-addressable, that is IP 0.0.0.0 and port 0, since clients only ever reach it through the CS vserver)
add cs action csaction-auth-vserver -targetVserver auth
(the CS action whose target is the authentication vserver)
add cs policy cspolicy-auth-vserver -rule "http.req.url.eq(\"/\").not && (is_vpn_url||HTTP.REQ.URL.STARTSWITH(\"/nf/auth/\"))" -action csaction-auth-vserver
(the rule sends every request other than "/" that is a VPN/Gateway URL (is_vpn_url is a built-in named expression) or an nFactor URL under /nf/auth/ to the authentication vserver; everything else falls through to the TM vservers)
bind cs vserver cs-ssl -policyName cspolicy-auth-vserver -priority 10
(bind the policy to the CS vserver cs-ssl)
The rest of the configuration is the same as a normal CS configuration and is omitted for brevity.
Do not forget to enable authentication on the CS vserver and to set the correct authentication FQDN if you are using form-based authentication: the login form is served on that host name, so it must resolve to the CS vserver's public IP and be covered by the CS vserver's certificate, otherwise the redirect to the login page fails.
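The following checker is an added example and is not code from the original article or from Citrix. It parses a constructed NetScaler CLI excerpt with shlex and verifies the invariants the procedure above relies on: authentication switched on and an authentication FQDN set on the CS vserver, a bound CS policy whose action targets an authentication vserver, a rule that does not swallow "/", and (as a warning) an authentication vserver that is addressable on its own IP and so re-adds a second public endpoint. The vserver names follow the article; the IP 203.0.113.10, the FQDN auth.example.com and the CS vserver option names -Authentication and -AuthenticationHost are assumptions to be checked against the CLI reference for your build.

```python
"""Lint a NetScaler CLI excerpt for the single-endpoint AAA-TM pattern.

Added example (not Citrix code). Parses add/bind commands and checks the
invariants the single-endpoint design depends on.
"""
import shlex

# Constructed sample config (not from the article). IP 203.0.113.10, FQDN
# auth.example.com and the -Authentication/-AuthenticationHost option names
# are assumptions; verify them against the CS vserver CLI reference.
GOOD_CONFIG = r'''
add authentication vserver auth SSL 0.0.0.0 0
add cs vserver cs-ssl SSL 203.0.113.10 443 -Authentication ON -AuthenticationHost auth.example.com
add cs action csaction-auth-vserver -targetVserver auth
add cs policy cspolicy-auth-vserver -rule "http.req.url.eq(\"/\").not && (is_vpn_url||HTTP.REQ.URL.STARTSWITH(\"/nf/auth/\"))" -action csaction-auth-vserver
bind cs vserver cs-ssl -policyName cspolicy-auth-vserver -priority 10
'''

# Same deployment with common mistakes (constructed): addressable auth
# vserver, no authentication on the CS vserver, rule that also matches "/".
BAD_CONFIG = r'''
add authentication vserver auth SSL 1.1.1.1 443
add cs vserver cs-ssl SSL 203.0.113.10 443
add cs action csaction-auth-vserver -targetVserver auth
add cs policy cspolicy-auth-vserver -rule "is_vpn_url||HTTP.REQ.URL.STARTSWITH(\"/nf/auth/\")" -action csaction-auth-vserver
bind cs vserver cs-ssl -policyName cspolicy-auth-vserver -priority 10
'''


def parse_config(text):
    """Split each CLI line into verb, two-word entity, name, positional args
    and an options dict. Option names are lower-cased because the NetScaler
    CLI treats them case-insensitively; shlex unescapes the quotes in -rule."""
    cmds = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        toks = shlex.split(raw)
        if len(toks) < 4:
            continue
        cmd = {"verb": toks[0].lower(), "entity": " ".join(toks[1:3]).lower(),
               "name": toks[3], "positional": [], "opts": {}}
        i = 4
        while i < len(toks):
            if toks[i].startswith("-"):
                flag = toks[i][1:].lower()
                if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                    cmd["opts"][flag] = toks[i + 1]
                    i += 2
                else:
                    cmd["opts"][flag] = True  # bare switch with no value
                    i += 1
            else:
                cmd["positional"].append(toks[i])
                i += 1
        cmds.append(cmd)
    return cmds


def check_single_endpoint(text, cs_name):
    """Return a list of ERROR:/WARN: findings; an empty list means the excerpt
    matches the single-endpoint AAA-TM pattern for the CS vserver cs_name."""
    cmds = parse_config(text)

    def select(verb, entity):
        return {c["name"]: c for c in cmds if c["verb"] == verb and c["entity"] == entity}

    auth_vs = select("add", "authentication vserver")
    actions = select("add", "cs action")
    policies = select("add", "cs policy")
    cs_vs = select("add", "cs vserver").get(cs_name)
    if cs_vs is None:
        return [f"ERROR: CS vserver {cs_name} is not defined"]
    findings = []
    # 1. Authentication on at the CS vserver, with the FQDN on which the login
    #    form is served (it must resolve to the CS IP and be in its cert).
    if str(cs_vs["opts"].get("authentication", "OFF")).upper() != "ON":
        findings.append(f"ERROR: {cs_name}: -Authentication is not ON")
    if not cs_vs["opts"].get("authenticationhost"):
        findings.append(f"ERROR: {cs_name}: -AuthenticationHost (authentication FQDN) is not set")
    # 2. Some bound CS policy must divert to an action targeting an auth vserver.
    diverted = []
    for b in cmds:
        if not (b["verb"] == "bind" and b["entity"] == "cs vserver" and b["name"] == cs_name):
            continue
        pol = policies.get(b["opts"].get("policyname"))
        act = actions.get(pol["opts"].get("action")) if pol else None
        if act and act["opts"].get("targetvserver") in auth_vs:
            diverted.append((pol, act["opts"]["targetvserver"]))
    if not diverted:
        findings.append(f"ERROR: {cs_name}: no bound CS policy targets an authentication vserver")
    for pol, target in diverted:
        # 3. The rule must exclude "/" or the whole site is routed to AAA.
        if 'http.req.url.eq("/").not' not in pol["opts"].get("rule", "").lower():
            findings.append(f'ERROR: {pol["name"]}: rule does not exclude the root URL "/"')
        # 4. Single endpoint: an addressable auth vserver is reachable directly,
        #    re-adding a public IP/port (and a certificate) to protect.
        pos = auth_vs[target]["positional"]
        ip = pos[1] if len(pos) > 1 else "?"
        if ip != "0.0.0.0":
            findings.append(f"WARN: {target}: addressable at {ip}; reachable outside the CS vserver")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_single_endpoint(cfg, "cs-ssl") or "OK")
```

Run it against an excerpt of your own ns.conf (the add/bind lines for the CS vserver, its policies and actions, and the authentication vserver); the WARN for an addressable authentication vserver is informational, since the article allows that layout, but it is exactly the extra IP/port and certificate the single-endpoint design is meant to remove.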
There are multiple advantages to this model. Obviously it avoids multiple public endpoints and multiple certificates (or wildcard certificates). It also avoids opening another IP/port at the firewall. In addition, the authentication vserver described here can be configured with advanced authentication policies or nFactor to achieve true multi-tenancy and flexibility. There are many deployment guides on that subject and users are advised to refer to them.
Once the administrator has configured AAA-TM with a single IP as described in the preceding section, the following links can be used to configure specific deployment cases using nFactor.
CTX201706 - nFactor - Get Two Passwords Up Front then Pass-Through in Next Factor on NetScaler
CTX201725 - nFactor - SAML Followed by LDAP/Certificate Authentication Based on SAML Attribute Extraction on NetScaler
CTX201727 - nFactor - Prefilling username from Certificate on NetScaler
CTX201726 - nFactor - Username and Two Passwords with Group Extraction in Third Factor on NetScaler
CTX201760 - nFactor - Domain Drop-Down in First Factor then Different Policy Evaluations Based on Groups
CTX216728 - nFactor - Check for Presence of User Certificate and Go Through LDAP Else Go Through LDAP+OTP