Citrix NetScaler Authentication and Authorization
NetScaler authentication and authorization functions are of two basic types. The users and groups functions let you define who has access to the NetScaler. Command policies let you define which parts of the NetScaler configuration a user or group is permitted to view and modify. In other words, command policies regulate which commands, command groups, and other elements NetScaler users and groups are permitted to use.
To configure authentication and authorization, you first define the users who have access to the NetScaler. After you have defined the users, you can organize them into groups. You then configure command policies to define the types of access, and assign the policies to users and/or groups.
In This Chapter
Defining Users
Defining Groups
Command Policies
Defining Users
Once you have changed the default password of the nsroot account, no other user can access the NetScaler until you create an account for that user. After you have created user accounts, you might later have to change their passwords or remove them.
Creating a User Account
To create a user account, you assign a user name and a password. You use the parameters described in the following table.
Parameter : Specifies
User Name : Name that the user enters to request access.
Password : Password that the user enters to request access.
To create a user account, use either of the following procedures.
To add a user account using the configuration utility
1. In the navigation pane, expand System and click Users.
2. On the System Users page, click Add.
3. In the Create System User dialog box, in the User Name text box, type a name for the user (for example, johnd).
4. In the Password text box, type a password to assign to the user.
5. In the Confirm Password text box, type the same password again.
6. Click Create and click Close.
To add a user account using the NetScaler command line
At the NetScaler command prompt, type:
add system user userName
Example
add system user johnd
Changing a User Password
The following table describes the parameter you set to change a user password on the NetScaler.
Parameter : Specifies
Password : The password you assign to the user account.
To change a user password, use either of the following procedures.
To change the user password using the configuration utility
1. In the navigation pane, expand System and click Users.
2. On the System Users page, select the user account whose password you want to change (for example, johnd) and click Change Password.
3. In the Password text box, type the new password.
4. In the Confirm Password text box, type the new password again.
5. Click OK.
To change the user password using the NetScaler command line
At the NetScaler command prompt, type:
set system user userName newpassword
Example (the password shown is illustrative only; note that a password typed on the command line is retained in the CLI history, which the history command displays to that user)
set system user johnd johnd1
Removing User Accounts
You can remove user accounts if the command policies bound to your own account permit it, or if you are logged in as nsroot. The nsroot account itself cannot be removed.
To remove a user account, use either of the following procedures.
To remove a user account using the configuration utility
1. In the navigation pane, expand System and click Users.
2. On the System Users page, select the user account that you want to
remove. For example, johnd.
3. Click Remove. The Remove pop-up window appears.
4. Click Yes.
To remove a user using the NetScaler command line
At the NetScaler command prompt, type:
rm system user userName
Example
rm system user johnd
Defining Groups
To define a group, you first create the group, then bind users to the group.
Adding Groups
The following table describes the parameter you set to create a group.
Parameter : Specifies
Group Name : Name for the group of NetScaler users.
Use either of the following procedures to add a group.
To add a group using the configuration utility
1. In the navigation pane, expand System and click Groups.
2. On the System Groups page, click Add.
3. In the Create System Group dialog box, in the Group Name text box, type a name for the group (for example, Managers).
4. Click Create, and click Close.
To add a group using the NetScaler command line
At the NetScaler command prompt, type:
add system group groupName
Example
add system group Managers
Binding a User to a Group
You can bind each user account to more than one group. Binding user accounts to multiple groups gives you more flexibility when applying command policies. The following table describes the parameter you set to bind a user to a group.
Parameter : Specifies
User Name : Name of the NetScaler user to be bound to the group.
To bind a user to a group, use either of the following procedures.
To bind a user to a group using the configuration utility
1. In the navigation pane, expand System and click Groups.
2. On the System Groups page, select a group and click Open.
3. In the Configure System Group dialog box, in the Members section, select the user you want to bind to the group from the Available Users list and click Add.
To bind a user to a group using the NetScaler command line
At the NetScaler command prompt, type:
bind system group groupName userName
Example
bind system group Managers johnd
Removing Groups
All users and command policies currently bound to a group must be unbound before you remove the group.
To remove a group using the configuration utility
1. In the navigation pane, expand System and click Groups.
2. On the System Groups page, select the group that you want to remove. (for example, Managers).
3. Click Remove.
4. In the Remove pop-up, click Yes.
To remove a group using the NetScaler command line
At the NetScaler command prompt, type:
rm system group groupName
Example
rm system group Managers
Command Policies
Command policies regulate which commands, command groups, vservers, and other elements NetScaler users and user groups are permitted to use. The NetScaler provides a set of built-in command policies, and you can configure custom policies. To apply the policies, you bind them to users and/or groups.
Here are the key points to keep in mind when defining and applying command policies.
• No global command policies may be created on the NetScaler. Command policies must be bound directly to NetScaler users and groups.
• Users or groups with no associated command policies are subject to the default DENY-ALL command policy, and are therefore unable to execute any commands until the proper command policies are bound to their accounts.
• All users inherit the policies of the groups to which they belong.
• You must assign a priority to a command policy when you bind it to a user account or group account. The priority lets the NetScaler determine which policy takes precedence when two or more conflicting policies apply to the same user or group: the lower the priority number, the higher the precedence, so a DENY that is meant to override an ALLOW (including one inherited from a group) must be bound with the lower number.
• The following commands are available by default to any user and are unaffected by any command policies you specify:
help cli, show cli attribute, clear cli prompt, alias, unalias, batch, source, help, history, man, quit, exit, whoami, config, set cli mode, unset cli mode, show cli mode, set cli prompt, and show cli prompt.
Built-in Command Policies
Four default command policies are available on the NetScaler. The following table describes them.
Policy Name : Allows
read-only : Read-only access to all show commands except show runningconfig, show ns.conf, and the show commands for the NetScaler command group.
operator : Read-only access, plus access to the commands that enable and disable services and servers or place them in ACCESSDOWN mode.
network : Full access except to NetScaler commands, the shell command, and the show ns.conf and show runningconfig commands.
superuser : Full access. Same privileges as the nsroot user.
Creating Custom Command Policies
Regular expression support is offered for users with the resources to maintain more customized expressions and those deployments that require the flexibility that regular expressions offer. For most users, the built-in command policies should be sufficient. Users who need additional levels of control, but are unfamiliar with regular expressions, may want to use only simple expressions, such as those in the examples provided in this section, to maintain policy readability.
When you use a regular expression to create a command policy, keep the following in mind.
• When you use a regular expression to define the commands that a command policy affects, enclose the expression in double quotes. For example, to create a command policy named allowShow that covers every command beginning with show, you would type the following as the command specification:
ALLOW "^show .*$"
To create a command policy that denies every command beginning with rm, you would type:
DENY "^rm .*$"
• Regular expressions used in command policies are case insensitive.
The following table gives examples of regular expressions and the commands they match:
Command Specification : Matches these Commands
- "^rm\s+.*$" : All remove actions, because every remove action begins with the rm string, followed by a space and additional parameters and flags.
- "^show\s+.*$" : All show commands, because every show action begins with the show string, followed by a space and additional parameters and flags.
- "^shell$" : The shell command alone, not combined with any other parameters or flags.
- "^add\s+vserver\s+.*$" : All add vserver actions, which consist of the add vserver command followed by a space and additional parameters and flags.
- "^add\s+(lb\s+vserver)\s+.*$" : All add lb vserver actions, which consist of the add lb vserver command followed by a space and additional parameters and flags.
- "^set\s+lb\s+.*$" : All commands that configure load balancing settings at the command group level.
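The following is an added example, not code from this chapter or from Citrix: a small Python model of how the points above combine when a command is evaluated, so you can check a custom policy set before binding it to a live appliance. It encodes the rules the chapter states (regexes are case insensitive, users inherit group policies, unbound users fall under DENY-ALL, the listed CLI housekeeping commands are always available) plus two assumptions about evaluation that you should confirm against your release: the binding with the lowest priority number is consulted first, and the first policy whose expression matches decides. The policy names, the group Managers and the user johnd are constructed sample data. It also illustrates the caveat a practitioner will want: a custom ALLOW on "^show\s+.*$" matches show ns.conf and show runningconfig, which the built-in read-only policy deliberately excludes, so a DENY for those must be bound at a stronger priority or the ALLOW wins.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Commands the chapter lists as always available, whatever the bound policies say.
ALWAYS_ALLOWED = {
    "help cli", "show cli attribute", "clear cli prompt", "alias", "unalias",
    "batch", "source", "help", "history", "man", "quit", "exit", "whoami",
    "config", "set cli mode", "unset cli mode", "show cli mode",
    "set cli prompt", "show cli prompt",
}


@dataclass(frozen=True)
class CmdPolicy:
    name: str
    action: str    # "ALLOW" or "DENY"
    cmdspec: str   # the regular expression given as the command specification

    def matches(self, command: str) -> bool:
        # The chapter states that command-policy regexes are case insensitive.
        return re.search(self.cmdspec, command, re.IGNORECASE) is not None


class PolicyStore:
    """In-memory model of users, groups and command-policy bindings (constructed)."""

    def __init__(self) -> None:
        self.policies: dict[str, CmdPolicy] = {}
        self.user_bindings: dict[str, list[tuple[int, str]]] = {}   # user -> [(priority, policy)]
        self.group_bindings: dict[str, list[tuple[int, str]]] = {}  # group -> [(priority, policy)]
        self.members: dict[str, set[str]] = {}                      # group -> users

    def add_policy(self, name: str, action: str, cmdspec: str) -> None:
        if action not in ("ALLOW", "DENY"):
            raise ValueError("action must be ALLOW or DENY")
        self.policies[name] = CmdPolicy(name, action, cmdspec)

    def bind_user(self, user: str, policy: str, priority: int) -> None:
        self.user_bindings.setdefault(user, []).append((priority, policy))

    def bind_group(self, group: str, policy: str, priority: int) -> None:
        self.group_bindings.setdefault(group, []).append((priority, policy))

    def add_member(self, group: str, user: str) -> None:
        self.members.setdefault(group, set()).add(user)

    def effective_bindings(self, user: str) -> list[tuple[int, str]]:
        """The user's own bindings plus those inherited from every group it belongs to,
        lowest priority number first (assumption: lower number = higher precedence)."""
        bindings = list(self.user_bindings.get(user, []))
        for group, users in self.members.items():
            if user in users:
                bindings.extend(self.group_bindings.get(group, []))
        return sorted(bindings)

    def authorize(self, user: str, command: str) -> tuple[str, Optional[str]]:
        """Return (ALLOW|DENY, name of the deciding policy, or None for the default)."""
        cmd = " ".join(command.split())          # collapse whitespace, as a CLI would
        if cmd.lower() in ALWAYS_ALLOWED:
            return "ALLOW", "built-in"
        for _priority, name in self.effective_bindings(user):
            policy = self.policies[name]
            if policy.matches(cmd):              # assumption: first match in priority order decides
                return policy.action, policy.name
        return "DENY", None                      # no match: the default DENY-ALL applies


def build_example() -> PolicyStore:
    """Constructed deployment using the chapter's names (group Managers, user johnd)."""
    store = PolicyStore()
    store.add_policy("allowShow", "ALLOW", r"^show\s+.*$")
    # ^show\s+.*$ on its own also allows show ns.conf and show runningconfig, which the
    # built-in read-only policy excludes; a DENY bound at a stronger priority closes that.
    store.add_policy("denyNsconf", "DENY", r"^show\s+(ns\.conf|runningconfig)$")
    store.add_policy("denyRm", "DENY", r"^rm\s+.*$")
    store.add_policy("shellOnly", "ALLOW", r"^shell$")
    store.add_policy("lbAdmin", "ALLOW", r"^(add|set|unset|rm)\s+lb\s+.*$")
    store.add_member("Managers", "johnd")
    store.bind_group("Managers", "denyNsconf", 10)   # must sort before allowShow
    store.bind_group("Managers", "allowShow", 20)
    store.bind_user("johnd", "denyRm", 5)            # user's own DENY beats lbAdmin for "rm lb ..."
    store.bind_user("johnd", "lbAdmin", 30)
    store.bind_user("johnd", "shellOnly", 40)
    return store


def misordered_example() -> PolicyStore:
    """Same policies, but allowShow bound ahead of denyNsconf: the DENY never fires."""
    store = build_example()
    store.group_bindings["Managers"] = [(5, "allowShow"), (10, "denyNsconf")]
    return store


if __name__ == "__main__":
    store = build_example()
    for cmd in ("show lb vserver", "SHOW NS.CONF", "rm lb vserver v1", "shell", "shell ls", "whoami"):
        print(f"{cmd!r:20} -> {store.authorize('johnd', cmd)}")
```

Running the module prints the decision and deciding policy for each sample command. The misordered_example function shows the failure mode: with the ALLOW bound at priority 5 and the DENY at 10, show ns.conf is allowed, which is why the priority numbers deserve as much review as the expressions themselves.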