4325 Views | 65 Helpful | 2 Replies

ISE Configuration for Netscaler RBAC

Dear Community,

I need some assistance with an ISE configuration for Netscaler logins. The Netscaler uses RBAC with command policies such as "superuser", "network" and "sysadmin". I am having a heck of a time trying to figure out how to configure the ISE policy elements (TACACS Command Sets, TACACS Profile or Radius Authorization Profile) to return a TACACS or Radius response that will tell the Netscaler to give a certain user a certain command policy set.

I have had some success with a TACACS Command Set using the "Permit any command not listed below" option that will allow the user to have full control when logged in. However, every command attempt is sent back to ISE for authorization, making the TACACS logs pretty chatty when moving through the Netscaler GUI. I am wondering if anyone out there has had a similar issue configuring ISE for Netscaler logins. Any assistance you can provide is helpful.

Thank you.

Accepted Solution

Balaji,

Thank you! I think I figured it out using Radius. This article was very helpful https://discussions.citrix.com/topic/408710-citrix-adc-radius-group-extraction/. From a high level here is what I did:

***Create a device group for the Netscaler:

-Work Centers -> Network Resources -> Network Device groups. I called this group "Netscalers" and put it under the "All Device Types" umbrella.

***Add the Netscaler as a Network resource:

-Work Centers -> Device Administration -> Network Resources. Configure all the typical Radius information using the new "Netscaler" device type as the device type. Typically the Netscaler IP (NSIP) will be used as the IP address for this purpose.

***Configure a Radius Authentication Policy in the Netscaler:

-In the Netscaler, when creating the Radius server object, be sure to enter the Group Attribute Type of "25", as this will be used in the Radius Authorization Profile in ISE to send back the attribute linking the user login to the command policy set (superuser, readonly etc). (Netscaler image attached)

***Configure the Command Policy set Group in the Netscaler

-In the Netscaler go to System --> User Administration --> Groups. Create a superuser group; I called mine "Citrix Admins" and bound the "superuser" command policy set to it. Repeat this process for all other RBAC types you wish. I created another one called "Citrix RO" and bound the "read-only" policy to it.

***Create the Radius Authorization Profile in ISE

-In ISE go to Work Centers --> Network Access --> Policy Elements --> Results --> Authorization Profiles. Here is where we tell ISE to send back the Radius response telling the Netscaler which command policy set we want the user to have. Click "Add" and give the profile a name ("Citrix Admins", for example). Toward the bottom, in Advanced Attribute Settings, select Radius --> Class--[25] and in the value section type in the name of the command policy group you created in the Netscaler in the previous step. In my case the name of the group is "Citrix Admins". Create separate Authorization profiles for any other Command Policy Groups you created in the previous step. In my case, I created another one called "Citrix RO". (Radius Auth image attached)

***Create the Authentication and Authorization Policy in ISE

-In ISE go to Work Centers --> Network Access --> Policy Sets. Add a new policy. We are using the Network Device type as the condition, so in this case use Device: Device Type EQUALS Netscaler. In the Authorization policy portion of the Policy Set, we are using the AD group of the user as the condition to dictate what Radius Authorization profile they get. So if the user is in an AD group that needs full access they will get "Citrix Admins"; if they're in another group that only needs Read Only access they will get "Citrix RO".

I hope this was useful!

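The mechanism the accepted solution relies on is plain RADIUS: ISE puts the NetScaler group name into a Class attribute (type 25) in the Access-Accept, and the NetScaler's group extraction reads every attribute of the configured type and matches it against its local groups, each of which has a command policy bound. The following is an added Python example, not code from the thread or from Cisco or Citrix; it models both sides so you can see what actually crosses the wire and why an unknown group name results in no command policy. The group-to-policy table, the usernames and the CACS-style session value are constructed for the example.

```python
import struct

# RADIUS attribute type numbers from RFC 2865: Class is type 25, User-Name is 1.
ATTR_USER_NAME = 1
ATTR_CLASS = 25

# Constructed: the NetScaler-side mapping of local group -> bound command policy,
# mirroring the groups described in the thread. Anything not listed is unknown.
GROUP_COMMAND_POLICY = {
    "Citrix Admins": "superuser",
    "Citrix RO": "read-only",
}


def encode_attribute(attr_type, value):
    """Encode one RADIUS attribute as a Type(1) Length(1) Value TLV."""
    if len(value) > 253:  # RFC 2865 caps the whole attribute at 255 bytes
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accept_attributes(username, group_name):
    """ISE side (constructed): the attribute list an Access-Accept carries when the
    Authorization Profile sets Class [25] to the NetScaler group name."""
    return (encode_attribute(ATTR_USER_NAME, username.encode())
            + encode_attribute(ATTR_CLASS, group_name.encode()))


def parse_attributes(data):
    """Walk the TLV list and return (type, value) pairs; reject malformed lengths
    instead of silently reading past the end of the packet."""
    attrs = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!BB", data, offset)
        if length < 2 or offset + length > len(data):
            raise ValueError("invalid attribute length")
        attrs.append((attr_type, data[offset + 2:offset + length]))
        offset += length
    return attrs


def is_well_formed(data):
    """True when every attribute in the buffer has a consistent length."""
    try:
        parse_attributes(data)
        return True
    except ValueError:
        return False


def extract_groups(data, group_attr_type=ATTR_CLASS):
    """NetScaler-style group extraction: collect every instance of the configured
    group attribute type (25 in the thread) as a decoded string."""
    return [value.decode("utf-8", errors="replace")
            for attr_type, value in parse_attributes(data)
            if attr_type == group_attr_type]


def resolve_command_policy(data, group_attr_type=ATTR_CLASS):
    """Return the command policy bound to the first extracted group that exists
    locally, or None when no returned group matches (no policy is granted)."""
    for group in extract_groups(data, group_attr_type):
        policy = GROUP_COMMAND_POLICY.get(group)
        if policy is not None:
            return policy
    return None


if __name__ == "__main__":
    for user, group in (("jdoe", "Citrix Admins"), ("rsmith", "Citrix RO"), ("guest", "Other")):
        pkt = build_accept_attributes(user, group)
        print(user, extract_groups(pkt), "->", resolve_command_policy(pkt))
```

Two points the model makes visible. First, the Class attribute may appear more than once in an Access-Accept (ISE commonly adds its own session-tracking Class value alongside the one you configure), so extraction has to iterate over all type-25 attributes and skip values that are not local group names rather than stopping at the first one. Second, the appliance-side lookup is a strict string match against the group names created under System --> User Administration --> Groups, so a typo in the Authorization Profile value produces a login with no command policy, not an error in ISE.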

2 Replies

balaji.bandi
Hall of Fame

It is a bit tricky and this requires some testing of what commands you are looking to allow:

The examples below give some process and understanding:

https://support.citrix.com/article/CTX220024

https://support.citrix.com/article/CTX207726

BB

