Jump to content
Welcome to our new Citrix community!

Authenticate NetScaler system administrators with RADIUS and Cisco ISE

Recommended Posts



Have anyone successfully used Cisco ISE to authenticate NetScaler system administrators with RADIUS? I've seen various old guides to use RADIUS with Windows NPS and Cisco ACS with TACACS+ but none with Cisco ISE and RADIUS. I've managed to authenticate but I only get read only access (see the attached picture), not superuser access. There are also tons of guides for NetScaler Gateway but I guess that is not applicable since I'm interested only in system administrator access to the NetScaler appliance, not user authentication to XenApp/XenDesktop.



  • I've configured my RADIUS (ISE) server in System > Authentication > RADIUS > Servers with IP, port and PSK. The Test Connection button works fine.
  • I've configured an Authentication Policy for RADIUS and chosen the ISE box configured above. Expression is ns_true. The policy is globally bound. (There is also a local policy, globally bound, with the expression ns_true using a higher prioriy number).
  • ISE is configured to use Active Directory as an identity source.
  • ISE is configured with the build-in Authorization Profile "PermitAccess". I know it needs to be modified, but I don't know which AV-pairs to use. I think I should use Vendor Specific (Radius Standard AV pair 26) and then enter some magic value containing "superuser" or something.

I've encountered some posts mentioning "group extraction" but I really don't know how to configure it in this case. I've done it using LDAP and NetScaler Gateway some years ago but never in the case of RADIUS and superuser access to the appliance.


Link to comment
Share on other sites

  • 3 years later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...