Netscaler Radius Rewrite and multiple vServers

Started by Marco Warnier , 11 September 2017 - 02:44 PM
5 replies to this topic

Marco Warnier Members

Marco Warnier
  • 5 posts

Posted 11 September 2017 - 02:44 PM

Hello all,

 

I am facing a small challenge due to the fact that the username in AD differs from the username in our RSA environment: I need to strip the first character from the AD username before sending it to the RSA server.

This can be done perfectly using a Radius Rewrite Action and Policy, but the policy can only be bound globally :(

Since there are multiple vServers configured and this is only required for one of the vservers, I am looking for a way to define the Radius Policy in such a way that it only applies for Radius requests for that specific vServer.

Can this be done via the Radius Rewrite Policy? For example by checking the URL (that belongs to the vServer)?

It might well be that that information is not present anymore when the Radius request is constructed on the Netscaler...

 

Another solution direction is to use an "unused" field in AD to store the RSA username, and extract that field for the Radius request; see method 2 at https://neil.spellings.net/2012/12/02/how-to-use-different-usernames-for-two-factor-authentication-on-access-gateway-advanced/

But I would prefer a solution that does not require a change in AD.

 

Thanks in advance for helping me out with this challenge!

 

Regards,

 

Marco
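The transformation asked for above (drop the first character of the AD username before the RADIUS request reaches the RSA server) acts on the User-Name attribute (type 1) of an Access-Request. The Python below is added here as an illustration of what such a rewrite has to do on the wire; it is not code from this thread and says nothing about how NetScaler implements its RADIUS rewrite internally. It parses a constructed Access-Request, replaces User-Name, fixes the attribute and packet length fields, and recomputes the Message-Authenticator (RFC 2869) when one is present, because a rewritten packet carrying the old HMAC fails validation at a server that checks it. The User-Password attribute needs no change, since its obfuscation depends only on the shared secret and the Request Authenticator, not on the username. The function names, the shared secret `testing123` and the username `xjdoe` are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME = 1               # RFC 2865 attribute type for User-Name
MESSAGE_AUTHENTICATOR = 80  # RFC 2869 attribute type for Message-Authenticator
HEADER_LEN = 20             # code(1) id(1) length(2) authenticator(16)


def encode_avp(avp_type, value):
    """Encode one attribute: type, total length (2 + value), value (RFC 2865 §5)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("AVP value must be 1..253 bytes")
    return struct.pack("!BB", avp_type, 2 + len(value)) + value


def parse_avps(pkt):
    """Return (type, offset, value) for each attribute, bounded by the header's Length field."""
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < HEADER_LEN or length > len(pkt):
        raise ValueError("bad packet length")
    avps, i = [], HEADER_LEN
    while i < length:
        if i + 2 > length:
            raise ValueError("truncated attribute header")
        avp_type, avp_len = pkt[i], pkt[i + 1]
        if avp_len < 2 or i + avp_len > length:
            raise ValueError("bad attribute length")
        avps.append((avp_type, i, pkt[i + 2:i + avp_len]))
        i += avp_len
    return avps


def set_message_authenticator(pkt, secret):
    """Recompute Message-Authenticator: HMAC-MD5(secret, packet with the AVP value zeroed)."""
    for avp_type, off, _val in parse_avps(pkt):
        if avp_type == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return pkt[:off + 2] + mac + pkt[off + 18:]
    return pkt  # no Message-Authenticator present: nothing to recompute


def verify_message_authenticator(pkt, secret):
    """True only if a Message-Authenticator is present and matches the packet contents."""
    if not any(t == MESSAGE_AUTHENTICATOR for t, _, _ in parse_avps(pkt)):
        return False
    return hmac.compare_digest(pkt, set_message_authenticator(pkt, secret))


def build_access_request(username, secret, identifier=1, authenticator=None):
    """Constructed sample Access-Request with User-Name and a (placeholder) Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator is random per RFC 2865
    attrs = encode_avp(USER_NAME, username.encode()) + encode_avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return set_message_authenticator(header + authenticator + attrs, secret)


def get_user_name(pkt):
    for avp_type, _off, val in parse_avps(pkt):
        if avp_type == USER_NAME:
            return val.decode()
    raise ValueError("no User-Name attribute")


def rewrite_user_name(pkt, secret, transform, recompute_mac=True):
    """Replace User-Name with transform(name), fix lengths, and (by default) refresh the HMAC."""
    for avp_type, off, val in parse_avps(pkt):
        if avp_type == USER_NAME:
            new_val = transform(val.decode()).encode()           # encode_avp rejects an empty result
            new_pkt = pkt[:off] + encode_avp(USER_NAME, new_val) + pkt[off + 2 + len(val):]
            new_pkt = new_pkt[:2] + struct.pack("!H", len(new_pkt)) + new_pkt[4:]  # fix packet Length
            return set_message_authenticator(new_pkt, secret) if recompute_mac else new_pkt
    raise ValueError("no User-Name attribute")


def strip_first_char(name):
    """The rewrite from the thread: AD 'xjdoe' becomes RSA 'jdoe'."""
    return name[1:]


if __name__ == "__main__":
    secret = b"testing123"  # constructed shared secret
    req = build_access_request("xjdoe", secret)
    fixed = rewrite_user_name(req, secret, strip_first_char)
    stale = rewrite_user_name(req, secret, strip_first_char, recompute_mac=False)
    print(get_user_name(fixed), verify_message_authenticator(fixed, secret),
          verify_message_authenticator(stale, secret))
```

Running the block prints `jdoe True False`: the refreshed packet validates, while the one whose HMAC was left untouched does not. A username of a single character would become empty after stripping, which `encode_avp` refuses rather than emitting a zero-length User-Name; a real deployment should decide explicitly what to do with such accounts.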



Paul Blitz Members

Paul Blitz
  • 4,004 posts

Posted 13 September 2017 - 04:28 PM

What makes you say that a rewrite policy can NOT be applied to a LBVserver?

 

I can't see anything to that effect in the docs, and if I create a LBVS of type Radius, I can bind rewrite policies to it.... or am I missing something here?



Marco Warnier Members

Marco Warnier
  • 5 posts

Posted 14 September 2017 - 07:46 AM

I tried to bind the Radius Rewrite policy to the VPN vServer and that was not allowed (got an error message).

The Citrix documentation I could find also shows the Radius Rewrite Policy is bound globally; see Radius Support for the Rewrite feature. This is also stated by the article I mentioned in my first post.

 

The solution direction I currently consider/want to try is to create a (local) Radius LB VIP for each VPN vServer, and check the destination IP of the Radius request packet in the Radius Rewrite Policy. This way I can probably make a distinction for which vServer the Radius request belongs to. But this will only work if the Rewrite policy is checked before the LB VIP is applied; otherwise the Radius server IP will be the same (all VPN vServers use the same Radius server... only the AD server differs).

 

Regards, Marco



Paul Blitz Members

Paul Blitz
  • 4,004 posts

Posted 14 September 2017 - 08:08 AM

Ah, ok, I was looking at LB Vservers.....  Yes, it seems you can only bind HTTP rewrites to a VPN vserver.

 

Is it maybe possible to refer to the vserver name as part of the PI syntax? Yes, using the destination IP might also be possible.... (not in a position to search the edocs right now)



Paul Blitz Members

Paul Blitz
  • 4,004 posts

Posted 14 September 2017 - 08:13 AM

Plan B: set up the radius to use a radius LBVS, then apply the rewrite to that LBVS???



Marco Warnier Members

Marco Warnier
  • 5 posts

Posted 14 September 2017 - 08:25 AM

> Plan B: set up the radius to use a radius LBVS, then apply the rewrite to that LBVS???

That might work too; there is already a Radius LB VIP on the Netscaler... so I can create a new Radius LB VIP for the VPN vServer that requires the rewrite, bind that new LB VIP to the VPN vServer, and bind the Radius Rewrite policy to that new LB VIP.

 

Will provide feedback on whether this was a viable solution. Thanks!