How to Configure NetScaler with Cisco Secure ACS for Radius Authentication with Group Extraction

Article ID: CTX207726


Description

This article describes how to configure a NetScaler with Cisco Secure ACS for RADIUS authentication, with group extraction from Windows Active Directory using LDAP.

This article uses Cisco Secure ACS 5.7 and NetScaler version 10.5 Build 60.7.

Instructions

Configuring Cisco ACS to use Active Directory for authentication and map the groups to authorization policies

  1. Add AD as an identity source by going to Users and Identity Stores > External Identity Stores > Active Directory.
  2. Click Join/Test Connection.
  3. Enter the AD server and the user name and password used to connect, then click Join. Once joined, the status shows Joined and Connected.
  4. On the Directory Groups tab, click Add and select the groups that will be used with the NetScaler. You can click Select and pick the groups to add.
  5. Next, add the authorization policies that will pass the RADIUS attribute used for group extraction. Click Create at the bottom of the page.
  6. Provide a name and description. It is recommended to use the same name as the group you will later create on the NetScaler. The name is not the extracted attribute, but keeping the two identical makes the mapping easier to follow.
  7. Click the RADIUS Attributes tab and add the Class attribute, with the value set to the group name from AD. This value must also match the group name you will create on the NetScaler later. After filling in the fields, click Submit.
  8. Next, make sure the access policy in use is using the AD identity store. Under Access Policies, select the access policy being used for this instance and, under Identity, change the identity source to the AD source created earlier.
  9. Under Authorization, create rules that map the groups from AD so that the RADIUS response has attribute 25 (Class) set to the correct value for group extraction.
  10. Note: make sure AD1:ExternalGroups is selected under Customize so that it is available as a condition field for this rule; it is needed to match on the group.
  11. Click Create. Under Conditions select AD, then click Select to choose the group for this policy. Under Results, select the Auth Profile created earlier that matches that group. This maps the AD group the user belongs to onto the authorization policy carrying the Class attribute that the NetScaler will use for group extraction.
  12. Lastly, add the NetScaler that will authenticate against this server. Under Network Resources > Network Devices and AAA Clients, click Create.
  13. Fill in all the required fields.
  14. This completes the configuration on the ACS. Make sure you add an authorization policy for each group you need to use, and a rule to match each group.

Configure the NetScaler to use the ACS server for authentication and extract the group from the Class attribute

  1. On the NetScaler, first add the RADIUS server. Under System > Authentication > Radius, click the Servers tab, then click Add.
  2. In the first section fill out all the fields; in the second section enter a NAS ID and, for Group Attribute Type, enter 25.
  3. Click the Policies tab and add a policy.
  4. Give it a name and select the server just created. For the expression, enter ns_true, then click Create.
  5. As this policy is for authentication to the NetScaler itself, it needs to be bound globally. Click Global Bindings.
  6. Add a binding using the policy that was just created:

    1. Click Add Binding.
    2. Click > to select a policy.
    3. Select the RADIUS policy and click OK.
    4. Click Bind. The policy is now bound globally.

  7. Next, add a group to the NetScaler with the appropriate command policy that users in this group should have. Under NetScaler > System > User Administration > Groups, click Add.
  8. Provide a group name that matches one of the groups mapped in ACS.
  9. Under Command Policies, click Insert and select the access for this group.
  10. Click Insert, then Create.

Run the following commands from the NetScaler CLI to add the RADIUS action and policy, then bind the policy globally:
add authentication radiusAction pvl-acs01 -serverName 192.168.25.23 -serverPort 1812 -radKey Netscaler -radNASid Netscaler -radAttributeType 25 -accounting ON
add authentication radiusPolicy MarkB ns_true pvl-acs01
bind system global MarkB -priority 100

Additional Information

Troubleshooting

You can view the aaad.debug log from the NetScaler CLI to see what is happening during authentication.
The first excerpt shows a successful authentication with group extraction: user reds23 authenticated, and the group Netscaler was extracted, which exists on the NetScaler and allows full privileges.

Sat Feb 27 01:23:57 2016
 /home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/radius_drv.c[728]: continue_radius_auth attempting to auth reds23 @ 192.168.25.23
Sat Feb 27 01:23:57 2016
 /home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/naaad.c[2923]: register_timer setting timer 19198
Sat Feb 27 01:23:57 2016
 /home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/name_resolver.c[175]: receive_async_dns_event Freeing info on completion.
Sat Feb 27 01:23:57 2016
 /home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/name_resolver.c[55]: free_dns_info Freeing ai
Sat Feb 27 01:23:57 2016
 /home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/radius_drv.c[1896]: process_radius Got RADIUS event
Sat Feb 27 01:23:57 2016
 /home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/naaad.c[2992]: unregister_timer releasing timer 19198
Sat Feb 27 01:23:57 2016
 /home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/radius_drv.c[1939]: process_radius radius accepts : reds23
Sat Feb 27 01:23:57 2016
 /home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/radius_drv.c[1941]: process_radius extracted group string :Netscaler
CACS:pvl-acs01/245778838/2088
 
Sat Feb 27 01:23:57 2016
 /home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/naaad.c[1965]: send_accept sending accept to kernel for : reds23

In the next excerpt, user dwilliams was allowed to log on, but the extracted group string does not match any group on the NetScaler (the only Class value returned is the CACS:... identifier that ACS includes in the response, not a group name), so the user has no privileges and cannot view anything or run any commands.

Sat Feb 27 01:27:52 2016
/home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/radius_drv.c[728]: continue_radius_auth attempting to auth dwilliams @ 192.168.25.23
Sat Feb 27 01:27:52 2016
/home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/naaad.c[2923]: register_timer setting timer 19247
Sat Feb 27 01:27:52 2016
/home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/name_resolver.c[175]: receive_async_dns_event Freeing info on completion.
Sat Feb 27 01:27:52 2016
/home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/name_resolver.c[55]: free_dns_info Freeing ai
Sat Feb 27 01:27:52 2016
/home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/radius_drv.c[1896]: process_radius Got RADIUS event
Sat Feb 27 01:27:52 2016
/home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/naaad.c[2992]: unregister_timer releasing timer 19247
Sat Feb 27 01:27:52 2016
/home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/radius_drv.c[1939]: process_radius radius accepts : dwilliams
Sat Feb 27 01:27:52 2016
/home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/radius_drv.c[1941]: process_radius extracted group string :CACS:pvl-acs01/245778838/2137

Sat Feb 27 01:27:52 2016
/home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/naaad.c[1965]: send_accept sending accept to kernel for : dwilliams

In this example, user bob is rejected because he is either not a valid user in Active Directory or entered incorrect credentials.

Sat Feb 27 01:29:35 2016
/home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/radius_drv.c[728]: continue_radius_auth attempting to auth bob @ 192.168.25.23
Sat Feb 27 01:29:35 2016
/home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/naaad.c[2923]: register_timer setting timer 19251
Sat Feb 27 01:29:35 2016
/home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/name_resolver.c[175]: receive_async_dns_event Freeing info on completion.
Sat Feb 27 01:29:35 2016
/home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/name_resolver.c[55]: free_dns_info Freeing ai
Sat Feb 27 01:29:35 2016
/home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/radius_drv.c[1896]: process_radius Got RADIUS event
Sat Feb 27 01:29:35 2016
/home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/naaad.c[2992]: unregister_timer releasing timer 19251
Sat Feb 27 01:29:35 2016
/home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/radius_drv.c[1988]: process_radius Received RAD_ACCESS_REJECT for: bob
Sat Feb 27 01:29:35 2016
/home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/radius_drv.c[1996]: process_radius Sending reject.
Sat Feb 27 01:29:35 2016
/home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/naaad.c[2262]: send_reject_with_code Rejecting with error code 4001
Sat Feb 27 01:29:35 2016
/home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/naaad.c[2289]: send_reject_with_code Not trying cascade again
Sat Feb 27 01:29:35 2016
/home/build/rs_105_60_4_RTM/usr.src/netscaler/aaad/naaad.c[2291]: send_reject_with_code sending reject to kernel for : bob
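As an added example (not part of the original article), the following Python script walks aaad.debug excerpts like the three above and classifies each user as accepted with a matching group, accepted without a matching NetScaler group, or rejected. The log text is constructed from the three cases shown above with the build paths shortened, and the set of NetScaler system groups passed in ({"Netscaler"}) is an assumption.

```python
import re
# Timestamp line that opens each aaad.debug entry, e.g. "Sat Feb 27 01:23:57 2016".
TS_RE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}$")
# Constructed sample modelled on the article's three cases (build paths shortened).
SAMPLE_LOG = """\
Sat Feb 27 01:23:57 2016
 radius_drv.c[728]: continue_radius_auth attempting to auth reds23 @ 192.168.25.23
Sat Feb 27 01:23:57 2016
 radius_drv.c[1939]: process_radius radius accepts : reds23
Sat Feb 27 01:23:57 2016
 radius_drv.c[1941]: process_radius extracted group string :Netscaler
CACS:pvl-acs01/245778838/2088
Sat Feb 27 01:27:52 2016
 radius_drv.c[728]: continue_radius_auth attempting to auth dwilliams @ 192.168.25.23
Sat Feb 27 01:27:52 2016
 radius_drv.c[1939]: process_radius radius accepts : dwilliams
Sat Feb 27 01:27:52 2016
 radius_drv.c[1941]: process_radius extracted group string :CACS:pvl-acs01/245778838/2137
Sat Feb 27 01:29:35 2016
 radius_drv.c[728]: continue_radius_auth attempting to auth bob @ 192.168.25.23
Sat Feb 27 01:29:35 2016
 radius_drv.c[1988]: process_radius Received RAD_ACCESS_REJECT for: bob
"""

def classify(text, netscaler_groups):
    """Return {user: [result, class_values]} for every auth attempt in the log."""
    results, user, collecting = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or TS_RE.match(line):
            collecting = False          # a timestamp (or blank) ends a multi-line Class value
            continue
        if collecting:                  # continuation line: another value of attribute 25
            results[user][1].append(line)
        elif m := re.search(r"attempting to auth (\S+) @", line):
            user = m.group(1)
            results[user] = ["unknown", []]
        elif "radius accepts :" in line:
            results[user][0] = "accept"
        elif m := re.search(r"extracted group string :(.*)", line):
            results[user][1].append(m.group(1))
            collecting = True
        elif "RAD_ACCESS_REJECT" in line:
            results[user][0] = "reject"
    # An Access-Accept whose Class values match no NetScaler group leaves the user
    # logged in with no command policy; flag it so it is not mistaken for success.
    for user, (result, groups) in results.items():
        if result == "accept" and not set(groups) & set(netscaler_groups):
            results[user][0] = "accept-no-matching-group"
    return results
```

Flagging the second case is useful because such logons succeed at the RADIUS level yet leave the user with no command policy, which usually points to a missing authorization rule in ACS or a group-name mismatch between ACS and the NetScaler.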