We configure external authentication in this section of the management interface:
NetScaler > System > Authentication
Besides simple local authentication (covered in the previous blog post), we can use LDAP (Active Directory exposes an LDAP interface), RADIUS or TACACS+. In this blog post, I'll use LDAP.
So what do we need to do?
- Designate an authentication server.
- Create a policy that directs authentication requests to that server.
- Bind that policy globally.
In "Other Settings", select the following values (if they are not already present):
We need to do the following:
- Provide a name for the policy.
- Designate the server we just created (click on the "down arrow" to show the choices).
- Select the "ns_true" policy expression (once again, click on the "down arrow" for choices). "ns_true" is the classic expression that matches every logon request; on firmware that has moved to advanced policies, the equivalent expression is simply "true".
Click on "Create".
Bind the authentication policy (globally)
Select the policy we just created by clicking on the arrow ("greater than" symbol):
And finally, "Done":
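The same three steps (server, policy, global bind) can be typed at the NetScaler CLI instead of clicked through the GUI. This is an added example, not part of the original post; the IP address, base DN, bind DN and object names are placeholders to replace with your own, and the lines starting with "#" are annotations, not CLI input. The group attribute and sub-attribute settings are what the NetScaler later uses to match the user's Active Directory groups against system groups of the same name.

```text
# 1. The authentication server ("LDAP action"). LDAPS on 636 keeps the bind
#    password and the admins' credentials off the wire in clear text.
#    groupAttrName/subAttributeName make the NetScaler read the cn of every
#    DN in the user's memberOf attribute, which is what system groups are matched on.
add authentication ldapAction LDAP_AD_Action -serverIP 192.0.2.10 -serverPort 636 -secType SSL -ldapBase "DC=example,DC=com" -ldapBindDn "CN=svc-netscaler,OU=Service Accounts,DC=example,DC=com" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -authentication ENABLED

# 2. The policy: ns_true sends every management logon to that server (classic policy).
add authentication ldapPolicy LDAP_AD_Policy ns_true LDAP_AD_Action

#    On firmware that only accepts advanced policies, create it like this instead:
#    add authentication Policy LDAP_AD_Policy -rule true -action LDAP_AD_Action

# 3. Bind the policy globally for system (management) authentication.
bind system global LDAP_AD_Policy -priority 100

# Checks: confirm the action settings and that the policy is bound globally.
show authentication ldapAction LDAP_AD_Action
show system global
```

Using a dedicated service account as the bind DN (rather than a domain admin) and LDAPS rather than plaintext LDAP on port 389 are the two settings worth double-checking before moving on: the bind credentials are stored in the NetScaler configuration and are sent to the domain controller on every logon.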
Interaction with Active Directory and testing
Back on the NetScaler, we go to the following section to create the system groups that map to their Active Directory equivalents (click on "Add"):
NetScaler > System > User Administration > Groups
I create a system group with the exact same name as the corresponding group in Active Directory and then click on "Insert" to select a command policy:
Click on Create:
Note: I repeat the same process for the group "NetScaler_Admins_Read-Only".
I also add the user "Alex.Heyne" to the "NetScaler_Admins_Read-Only" group in Active Directory (no screenshot).
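The CLI equivalent of the group setup above, as an added example that is not part of the original post. The read-only group name comes from the post; "NetScaler_Admins" is an assumed name for the full-admin group, and the lines starting with "#" are annotations, not CLI input. The system group names must match the Active Directory group names character for character, because that name comparison is the only thing linking an AD group to a command policy.

```text
# System groups named exactly like the AD groups, each bound to one command policy.
# "superuser" and "read-only" are built-in command policies.
add system group NetScaler_Admins
bind system group NetScaler_Admins -policyName superuser 100
add system group NetScaler_Admins_Read-Only
bind system group NetScaler_Admins_Read-Only -policyName read-only 100

# Checks
show system group NetScaler_Admins_Read-Only   # which command policy the group carries
show system cmdPolicy read-only                # the command pattern the policy actually permits
show system session                            # who is logged in right now, and from where
```

Looking at the output of "show system cmdPolicy read-only" is the quickest way to understand what a user in the read-only group can and cannot do: the command policy is a regular expression over CLI commands, and the GUI is only enforcing whatever that expression allows.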
This is somewhat strange since Alex Heyne does have the "read-only" command policy and one would think he could at least read the version information. In any case, he cannot make changes (enabling new features, for example).
However, he can make changes to the NetScaler configuration (no error message when he clicks OK):