How To: Configure Multi Factor Authentication (MFA) for NetScaler (ADC) administration.

Article ID: CTX583419

Description

Configure multi-factor authentication (MFA) to harden login security for NetScaler administration: an LDAP password as the first factor and a RADIUS credential as the second, with the administrator's rights derived from Active Directory group membership.

Instructions

Follow the steps below to configure MFA (LDAP + RADIUS) for NetScaler administration from the command line interface. The LDAP factor validates the Active Directory password and extracts the user's group membership; the second factor, held in a policy label, prompts for the RADIUS credential (typically a one-time password); the extracted group then maps the user to a NetScaler system group and the command policy bound to it.

  1. Add the LDAP authentication action (first factor: validates the password and extracts group membership).
add authentication ldapAction <ldap action name> -serverIP <IP> -ldapBase <base DN> -ldapBindDn <bind DN> -ldapBindDnPassword <password> -ldapLoginName <login name attribute> -groupAttrName <group attribute name> -subAttributeName <string> -ssoNameAttribute <string>
Example:
add authentication ldapAction ldapact1 -serverIP 1.1.1.1 -ldapBase base -ldapBindDn name -ldapBindDnPassword password -ldapLoginName name -groupAttrName name -subAttributeName name -ssoNameAttribute name
  2. Add an authentication policy that invokes the LDAP action.
add authentication policy <ldap policy name> -rule true -action <ldap action name>
Example:
add authentication policy pol1 -rule true -action ldapact1
  3. Add the RADIUS authentication action (second factor). -radVendorID and -radAttributeType configure group extraction from the RADIUS reply and can be omitted when group membership comes from LDAP, as it does here.
add authentication radiusAction <rad action name> -serverIP <rad server ip> -radKey <key> -radVendorID <ID> -radAttributeType <rad attribute type>
Example:
add authentication radiusAction radact1 -serverIP 1.1.1.1 -radKey 123 -radVendorID 1234 -radAttributeType 2
  4. Add an authentication policy that invokes the RADIUS action.
add authentication policy <radius policy name> -rule true -action <rad action name>
Example:
add authentication policy radpol11 -rule true -action radact1
  5. Add a system group for NetScaler admin access. The group name must exactly match the name of the AD group returned through the LDAP group attribute; that match is what maps an authenticated user to this system group and to the command policy bound to it.
add system group <groupName> [-promptString <string>] [-timeout <secs>]
Example:
add system group NetscalerAdmins
  6. Bind a command policy to the system group. superuser grants full administrative rights; bind one of the narrower built-in command policies (sysadmin, operator, network, read-only) for administrators who do not need them.
bind system group <groupName> -policyName <policyName> <priority>
Example:
bind system group NetscalerAdmins -policyName superuser 100
  7. Add a login schema for the second factor. The built-in OnlyPassword.xml schema prompts for a password only, because the username was already collected by the first factor.
add authentication loginSchema <login schema name> -authenticationSchema <login schema XML file path>
Example:
add authentication loginSchema radschema -authenticationSchema LoginSchema/OnlyPassword.xml
  8. Add an authentication policy label that uses the login schema. RBA_REQ marks the label for role-based administration (management) logins, as opposed to AAATM_REQ for AAA traffic management.
add authentication policylabel <labelName> [-type ( AAATM_REQ | RBA_REQ )] [-comment <string>] [-loginSchema <string>]
Example:
add authentication policylabel label1 -type RBA_REQ -loginSchema radschema
  9. Bind the RADIUS policy to the policy label.
bind authentication policylabel <labelName> -policyName <string> -priority <positive_integer> [-gotoPriorityExpression <expression>] [-nextFactor <string>]
Example:
bind authentication policylabel label1 -policyName radpol11 -priority 1
  10. Bind the LDAP policy globally for system authentication, with the policy label as the next factor. The policy name here must be the LDAP policy created in step 2.
bind system global <ldap policy name> -priority <priority> -nextFactor <policy label name>
Example:
bind system global pol1 -priority 1 -nextFactor label1
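The whole procedure above as one runnable script (an added example, not code from the Citrix article): the first function emits the complete ordered CLI sequence with object names that are consistent from the action definitions through to the global binding, and the second function statically checks that every -action, -nextFactor and -policyName reference, and the globally bound policy itself, names an object defined earlier in the sequence. All IP addresses, DNs, group and object names are constructed placeholders. Beyond the article's steps it also enables LDAPS (-secType SSL on port 636), omits the RADIUS group-extraction options, and ends with save ns config.

```shell
#!/bin/sh
# Added example (not the Citrix article's own code): emit the NetScaler CLI
# sequence for LDAP (factor 1) + RADIUS (factor 2) admin authentication and
# statically check its object references before anything reaches the appliance.
set -eu

# Constructed placeholder values; override them through the environment.
LDAP_IP="${LDAP_IP:-192.0.2.10}"
LDAP_BASE="${LDAP_BASE:-DC=corp,DC=example}"
LDAP_BIND_DN="${LDAP_BIND_DN:-CN=svc-netscaler,OU=Service Accounts,DC=corp,DC=example}"
LDAP_BIND_PW="${LDAP_BIND_PW:-ChangeMe}"        # pull from a secret store in practice
RADIUS_IP="${RADIUS_IP:-192.0.2.20}"
RADIUS_KEY="${RADIUS_KEY:-ChangeMeToo}"         # long random shared secret, never "123"
ADMIN_GROUP="${ADMIN_GROUP:-NetscalerAdmins}"   # must equal the AD group's cn

# Print the ordered command sequence. Names are consistent end to end: the
# policy bound globally (ldappol) is the one defined right after the LDAP
# action, and its -nextFactor names the label that carries the RADIUS policy.
ns_mfa_commands() {
  cat <<EOF
add authentication ldapAction ldapact1 -serverIP ${LDAP_IP} -serverPort 636 -secType SSL -ldapBase "${LDAP_BASE}" -ldapBindDn "${LDAP_BIND_DN}" -ldapBindDnPassword "${LDAP_BIND_PW}" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -ssoNameAttribute userPrincipalName
add authentication policy ldappol -rule true -action ldapact1
add authentication radiusAction radact1 -serverIP ${RADIUS_IP} -radKey "${RADIUS_KEY}"
add authentication policy radpol -rule true -action radact1
add system group ${ADMIN_GROUP}
bind system group ${ADMIN_GROUP} -policyName superuser 100
add authentication loginSchema otpschema -authenticationSchema LoginSchema/OnlyPassword.xml
add authentication policylabel mfa_label -type RBA_REQ -loginSchema otpschema
bind authentication policylabel mfa_label -policyName radpol -priority 1
bind system global ldappol -priority 1 -nextFactor mfa_label
save ns config
EOF
}

# True if NAME ($1) is defined by an "add authentication ..." line in CMDS ($2).
# The NetScaler CLI is case-insensitive, so the match is too.
ns_defined() {
  printf '%s\n' "$2" | grep -qiE "^add authentication (ldapaction|radiusaction|policy|policylabel) $1( |\$)"
}

# Read a command sequence on stdin and verify that every name used by -action,
# -nextFactor, -policyName (label bindings) or bound globally was defined.
# Prints each dangling reference on stderr and returns 1 if there were any.
ns_check_refs() {
  cmds="$(cat)"
  rc=0
  for name in $(printf '%s\n' "$cmds" | awk '
      { l = tolower($0) }
      l ~ /^add authentication policy /       { for (i = 1; i <= NF; i++) if (tolower($i) == "-action")     print $(i+1) }
      l ~ /^bind system global /              { print $4; for (i = 1; i <= NF; i++) if (tolower($i) == "-nextfactor") print $(i+1) }
      l ~ /^bind authentication policylabel / { print $4; for (i = 1; i <= NF; i++) if (tolower($i) == "-policyname") print $(i+1) }
  '); do
    ns_defined "$name" "$cmds" || { echo "dangling reference: $name" >&2; rc=1; }
  done
  return "$rc"
}

# Stand-alone run: print the sequence, then check it.
ns_mfa_commands
ns_mfa_commands | ns_check_refs
```

Run the script to print and check the sequence, review it, then feed it to the appliance CLI (for example by redirecting the saved output into an SSH session as nsroot) from a session opened while a local administrator login still works; log in through the new flow from a second session before closing the first. Fed the article's own example sequence, the checker reports that pol11, the policy bound globally in the last step, was never defined (the LDAP policy was created as pol1), which is exactly the kind of mismatch that locks administrators out.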

Keep a local administrator account usable until the new flow has been verified: test the external login from a second session before closing the session used for configuration, make sure the LDAP bind uses TLS (-secType SSL or TLS) rather than plaintext, use a long random RADIUS shared secret, and save the configuration only once the test login succeeds.

**Note: Two-factor authentication for NetScaler administration is supported only from NetScaler 12.1 build 51.16 onwards.**