
NetScaler AAA using ClearPass Policy Manager

Joshua McGillis


Hi, folks. First off, apologies if this is in the wrong topic. But, to jump right in:


Has anyone successfully configured ClearPass Policy Manager for authentication and authorization for a NetScaler appliance?


The specifics:


Trying to use ClearPass to manage AAA for our NetScaler. Previously, we were using LDAP authentication and were leveraging System Groups to restrict commands/access. I wanted to use TACACS+ going forward, but now know that TACACS+ does not appear to support Group Extraction for external users (I do not want to create a local user on CPPM). This presents me with a couple of different options.


1) I can manually define the permitted commands on the TACACS+/CPPM server. 100% okay with this, however, I'm not sure how to read (convert?) the existing command policy expressions into "permit ns xxxxx" commands. I'd like to keep them 1:1 if possible.


2) In THIS particular thread, someone indicates that I can use TACACS+ to authenticate and then leverage the existing LDAP config for authorization. Followed the instructions in THIS document, but I'm unsure how to verify if/which command policy has been applied to logged-in users (is there a CLI show command for this or something?).


3) Drop TACACS+ altogether and start using RADIUS


Open to suggestions. Also, very curious if anyone has successfully implemented their NetScaler with CPPM. I'm finding a lot of very odd behavior between services in CPPM regarding the Enforcement profiles and authorization that's been wildly inconsistent. Some documentation I've come across seems to suggest that only Cisco ACS is compatible.


Using NS11.1, Build 55.10, if that's relevant.




Edit: and for what it's worth, my preference would be to keep both authentication and authorization within ClearPass.

Edited by jmcgsv
tiny amount of add'l info / preferences

On 10/10/2019 at 1:50 AM, Yuvy Ruhee said:

Great work. Have you also been able to set up second factor (MFA) on ClearPass as well?


Nope, and I don't recall if that's something we really tried for. Ultimately, we started using Cisco ISE for TACACS+, for which we do have MFA configured on the devices that require it. Using ISE, I was also able to extract groups from AD and forward them to the NetScalers as a Group Member object to use the existing regex permissions. MFA for the NetScalers proved to be pretty touchy, since I found that issuing a ctrl+Z while in CLI causes the session to re-auth -- for some reason -- which then fires off another MFA push/text/call whatever.


We are still using CP for all of our 802.1x services though.

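Both the original question (reading the existing command policy expressions before translating them into a TACACS+ permit list, and checking which policy actually decides a command for a logged-in user) and the reply (reusing the existing regex permissions via a forwarded group) come down to replaying NetScaler command policies offline. This is an added example, not code from the thread, from Citrix or from Aruba; the policy specs, the bindings and the first-match-by-ascending-priority evaluation order are constructed assumptions, so check them against the appliance's own bound policies.

```python
import re

# Constructed sample command policies in NetScaler cmdPolicy form:
# name -> (action, regex spec). Illustrative only; these are not the
# built-in policies shipped on the appliance.
POLICIES = {
    "no-system": ("DENY",  r"(^\S+\s+system\s+.*)|(^(save|shell|reboot)\b.*)"),
    "ops-lb-rw": ("ALLOW", r"^(add|rm|set|unset|bind|unbind|enable|disable)\s+lb\s+.*"),
    "readonly":  ("ALLOW", r"^(show|stat)\s+.*"),
}

# Bindings as (priority, policy name), the way they would be bound to a
# system group. Assumption: the lowest priority number is evaluated first
# and the first matching policy decides the command.
BINDINGS = [(100, "no-system"), (200, "ops-lb-rw"), (300, "readonly")]


def evaluate(command, bindings=BINDINGS, policies=POLICIES):
    """Return (policy_name, action) for the first matching bound policy,
    or (None, 'DENY') when nothing matches (implicit deny)."""
    for _, name in sorted(bindings):
        action, spec = policies[name]
        if re.match(spec, command):
            return name, action
    return None, "DENY"


def permitted_commands(candidates, bindings=BINDINGS, policies=POLICIES):
    """Reduce a candidate command list to what the bindings allow, e.g. to
    seed a hand-written TACACS+ command permit list from the same rules."""
    return [c for c in candidates if evaluate(c, bindings, policies)[1] == "ALLOW"]


if __name__ == "__main__":
    for cmd in ("show lb vserver", "show system user", "add lb vserver v1 HTTP 10.0.0.1 80",
                "save ns config", "add cs vserver c1 HTTP 10.0.0.2 80"):
        print(f"{cmd!r:45} -> {evaluate(cmd)}")
```

Running it shows why ordering matters: "show system user" is denied by the higher-priority deny policy even though the read-only policy would otherwise allow any "show".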
