Gregor Blaj, posted April 3, 2019

Hello, I'm just wondering how a Netscaler Gateway behaves when there are multiple authentication policies which all evaluate to true. For example:

Primary Auth
- LDAP Server 1, priority 10
- LDAP Server 2, priority 20

Secondary Auth
- RADIUS Server 1, priority 10
- RADIUS Server 2, priority 20

I understand a user logging into this resource needs to pass both primary and secondary auth, but is the request sent to both LDAP Servers and then both RADIUS Servers? If so, does the Netscaler take the response of the first LDAP server (and then a RADIUS server) to respond? How do the priorities impact this (if at all)? Traces show all policies get hit (when an expression is evaluated to true) but I'm not sure of what happens next. Cheers for any help.
CarlStalhood, posted April 3, 2019

NetScaler evaluates policies in priority order from each bank. If Priority 10 succeeds, then Priority 20 is skipped. If Priority 10 fails (e.g. user enters wrong password), then Priority 20 is tried. If both Priorities go to the same AD domain, the users will lock out prematurely. I prefer load balancing. https://www.carlstalhood.com/domain-controller-ldaps-load-balancing-netscaler-12/
Gregor Blaj (author), posted April 3, 2019

7 hours ago, Carl Stalhood1709151912 said: "NetScaler evaluates policies in priority order from each bank. If Priority 10 succeeds, then Priority 20 is skipped. If Priority 10 fails (e.g. user enters wrong password), then Priority 20 is tried. If both Priorities go to the same AD domain, the users will lock out prematurely. I prefer load balancing. https://www.carlstalhood.com/domain-controller-ldaps-load-balancing-netscaler-12/"

Thanks Carl. What if multiple policies have the same priority?
CarlStalhood, posted April 3, 2019

I think it evaluates the policies in the order that you bound them (which one you bound first), but still evaluates them in the method I described.
Gregor Blaj (author), posted April 3, 2019

11 minutes ago, Carl Stalhood1709151912 said: "I think it evaluates the policies in the order that you bound them (which one you bound first), but still evaluates them in the method I described."

Cool, makes sense. I guess load balancing is preferable as requests are spread across auth servers, compared to just the one with highest priority getting hit. The trace put me off as I guess that shows which expressions evaluate to true, not necessarily which auth server was used.
Paul Blitz, posted April 17, 2019

Load balancing also means that, if LDAP1 is offline, instead of waiting for the 9 seconds timeout, the user is instantly authenticated by the other (up) LDAP server.
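The behaviour the replies above describe (priority order with bind-order tie-break, fall-through only on failure, double-counted bad passwords against one AD domain, and the timeout you avoid with load balancing) as a constructed Python model; this is an added illustration, not NetScaler code, and the lockout threshold of 5, the 9-second timeout and the assumption that an LB vserver's monitor skips DOWN members are the model's own inputs.

```python
from dataclasses import dataclass, field

# Constructed model of the behaviour described in this thread: policies in a
# bank are tried in priority order (lowest number first, ties in bind order),
# the next one runs only when the previous one fails, and every failed bind
# against the same AD domain counts towards that domain's lockout threshold.

@dataclass
class AuthPolicy:
    name: str
    priority: int
    domain: str           # AD domain the LDAP server authenticates against
    up: bool = True       # False models an unreachable LDAP server
    timeout_s: int = 9    # wait before the NetScaler moves on (from the thread)

@dataclass
class Domain:
    lockout_threshold: int = 5          # assumed AD lockout policy
    bad_count: dict = field(default_factory=dict)

    def record_failure(self, user):
        self.bad_count[user] = self.bad_count.get(user, 0) + 1

    def locked(self, user):
        return self.bad_count.get(user, 0) >= self.lockout_threshold

def evaluate_bank(policies, user, password_ok, domains):
    """Return (authenticated, seconds spent waiting on DOWN servers)."""
    waited = 0
    for p in sorted(policies, key=lambda x: x.priority):  # stable sort: bind order on ties
        if not p.up:                      # dead server: burn its timeout, fall through
            waited += p.timeout_s
            continue
        if password_ok and not domains[p.domain].locked(user):
            return True, waited           # success: lower-priority policies are skipped
        domains[p.domain].record_failure(user)   # wrong password counted by the DC
    return False, waited

def attempts_until_lockout(policies, user="alice"):
    """Wrong-password logins a user can make before the domain locks the account."""
    domains = {p.domain: Domain() for p in policies}
    tries = 0
    while not any(d.locked(user) for d in domains.values()):
        evaluate_bank(policies, user, False, domains)
        tries += 1
    return tries

def load_balanced(servers):
    """One policy in front of an LB vserver; assumes its monitor skips DOWN members."""
    return AuthPolicy("ldap-lb", 10, servers[0].domain,
                      up=any(s.up for s in servers), timeout_s=0)
```

Two priority policies against the same domain lock the account after three wrong passwords instead of five, while a single policy in front of a load-balanced vserver both keeps the count honest and skips the dead server's timeout.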