With NetScaler 14.1, Citrix started to allow binding Web Application Firewall (WAF) policies to the gateway and to a AAA vServer or a Gateway. Why does it make sense to bind a WAF to the gateway? The more popular Citrix NetScaler became, the greater the interest of hackers in NetScaler grew. And NetScaler is now a very widely used tool for remote access. Due to the increased interest of hackers...
RADIUS on Citrix ADC / NetScaler
© image: Wikipedia Two and a half years ago, I have written an article about LDAP. I always planned to add an article about RADIUS as well, but I never did. Today, I had to troubleshoot a RADIUS problem, so I did the necessary traces. It is a DUO server, but most other servers behave similarly. Here we go! What is RADIUS RADIUS (Remote Authentication Dial-In User Service) is a protocol to...
AAA-default settings changed with Citrix ADC (NetScaler) 13 built 41.20
Yesterday I upgraded to NetScaler 13 built 41.20. Everything worked fine. No problems. But out of a sudden, my Exchange deployment failed to authenticate (I did it following Julian Mooren’s outstanding deployment guide). I did some further investigation and found all my other AAA servers don’t authenticate, even though the outcome of authentication requests was positive. I always saw...
Citrix ADC / NetScaler: two factors from outside, single factor inside
last update: September 25th 2019 I was recently asked: Johannes, is it possible to orun the same AAA server, from the inside with single factor, from the outside with two factor authentication? Of course it is. That’s how you do: Prerequisites My test environment contains of a lb vServer (lb_vsrv_colors). I created a AAA vServer aaa_multifactor_ath. There is a content switching vServer...
Citrix ADC (NetScaler) 13: Pre-authenticating to TCP based services
photo by geralt (pixabay.com) last update: January 5th 2020 Recently I had to find a solution to block all connections to a TCP based service (SSH, TCP port 22), except of connections from IP addresses that pr-eauthenticated using a AAA vServer. This is something, most firewalls can do, but a Citrix ADC / NetScaler can’t. Ok, it can do, or would you think, I’ll write a blog about me failing...
Debugging Authentication problems in Citrix ADC / NetScaler using the aaad.debug file
last update: October 2nd 2018 This is the second part of debugging logon. The first one, a network trace about LDAP, may be found here. Citrix ADC / NetScaler logs all events related to AAA (authentication, authorization, auditing) to /tmp/aaad.debug You need to be nsroot or superuser to successfully log on to the BSD shell. This is a requirement to change to BSD shell. Change to the /tmp...
LDAP and Citrix ADC / NetScaler
last update: November 3rd 2020 This is the first part of debugging logon problems. The second one, an explanation of aaad.debug log, may be found here. Recently I had to debug LDAP authentication on Citrix ADC / NetScaler and I started digging deeper. I wanted to know how LDAP authentication really works, so I did what I always do in a case like that: I started with a network trace. Attention: in...
Using Citrix NetScaler ADC as a SAML IDP and SAML SP
last update: 2023/02/03 Tested with NetScaler 11, Citrix ADC 12.1 and 13.0 I needed to use a Citrix ADC (NetScaler) both, as a SAML identity provider (IDP) and service provider (SP). So I set up my test environment accordingly. What my test environment looked like: You see, I created two admin partitions on my Citrix NetScaler ADC, one for the service provider (SP partition), containing both, the...