How to Use NetScaler SNIP for Authentication (AAA) Server Communication


Article ID: CTX218050


Description

This article describes how to use NetScaler SNIP for authentication server communication.

Background

By default, NetScaler uses the NetScaler IP (NSIP) to communicate with authentication servers. So, apart from being used for management purposes, the NSIP is also the source IP for LDAP, RADIUS, SAML and similar AAA protocols. In some cases, such as a firewall blocking the NSIP or configuring a RADIUS client for NetScaler in HA (high availability) mode, a subnet IP (SNIP) can be used instead of the NSIP as the source IP address for traffic sent to the authentication server. This can be set in NetScaler as described below.


Instructions

Note: Configuring aaadnatIp makes NetScaler always use one IP address as the source IP address for authentication traffic. Please note the following:

  • It requires a new IP address to be configured, as this option cannot use the existing NSIP or the existing SNIPs in the system.
  • Important: Do not create a new SNIP under System -> Network -> IPs before setting aaadnatIp; otherwise, you'll encounter the error "Address already in use."

A. From the NetScaler GUI

  1. Log in to the NetScaler GUI and navigate to: Configuration tab -> NetScaler Gateway -> Global Settings -> Change authentication AAA settings (under the Authentication Settings tab).

  2. Enter the value of the SNIP in the NAT IP Address field and click OK.

    The SNIP has been set for authentication (AAA) server communication.

B. From the CLI

  1. Open a command line editor and log in to the NetScaler:
    ssh nsroot@<NetScaler IP>

  2. Run the following command:
    set aaa parameter -aaadnatIp <ip_addr>

    The SNIP has been set for authentication (AAA) server communication.

Note: If this parameter (aaadnatIp) is configured, it is used as the source IP of all traffic going from NetScaler (aaad/nsspe) to the authentication server, instead of the NSIP/SNIP/MIP.
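
A pre-change check for the "new IP address" requirement above, as an added example (not Citrix code): it scans a saved configuration for addresses the appliance already owns and rejects a candidate aaadnatIp that already exists as an NSIP, SNIP or other owned IP. The ns.conf excerpt, function names and IP addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed ns.conf excerpt (sample data, not from a real appliance).
SAMPLE_NS_CONF = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add ns ip 192.0.2.20 255.255.255.0 -vServer DISABLED -type SNIP
add ns ip 198.51.100.5 255.255.255.0 -type VIP
set aaa parameter -maxAAAUsers 1000
"""

NSIP_RE = re.compile(r"^set ns config\b.*?-IPAddress\s+(\S+)", re.I)
ADD_IP_RE = re.compile(r"^add ns ip\s+(\S+)\s+\S+(.*)$", re.I)
TYPE_RE = re.compile(r"-type\s+(\S+)", re.I)
NATIP_RE = re.compile(r"^set aaa parameter\b.*?-aaadnatIp\s+(\S+)", re.I)


def owned_addresses(conf_text):
    """Map each IPv4 address the configuration already owns to its role."""
    owned = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if m := NSIP_RE.match(line):
            owned[ipaddress.ip_address(m.group(1))] = "NSIP"
        elif m := ADD_IP_RE.match(line):
            t = TYPE_RE.search(m.group(2))
            # Assumption: an entry with no explicit -type is treated as a SNIP.
            role = t.group(1).upper() if t else "SNIP"
            owned[ipaddress.ip_address(m.group(1))] = role
        elif m := NATIP_RE.match(line):
            owned[ipaddress.ip_address(m.group(1))] = "aaadnatIp"
    return owned


def preflight(candidate, conf_text):
    """Return (ok, detail); ok is True only if the candidate can be used."""
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        return False, f"{candidate!r} is not a valid IP address"
    role = owned_addresses(conf_text).get(ip)
    if role == "aaadnatIp":
        return True, f"{ip} is already the configured aaadnatIp"
    if role:
        return False, f"{ip} is already configured as {role}; aaadnatIp needs a new address"
    # Free address: return the CLI command from section B with the value filled in.
    return True, f"set aaa parameter -aaadnatIp {ip}"
```

After the change, confirm on the authentication server or firewall that requests now arrive from the new source address, since allow-lists and RADIUS client entries keyed to the NSIP will no longer match.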

 
