How do authentication policies work?


Gregor Blaj

Hello,

I'm just wondering how a Netscaler Gateway behaves when there are multiple authentication policies which all evaluate to true. For example...

Primary Auth
LDAP Server 1 priority 10
LDAP Server 2 priority 20

Secondary Auth
RADIUS Server 1 priority 10
RADIUS Server 2 priority 20

I understand a user logging into this resource needs to pass both primary and secondary auth, but is the request sent to both LDAP Servers and then both RADIUS Servers? If so, does the Netscaler take the response of the first LDAP server (and then a RADIUS server) to respond? How do the priorities impact this (if at all)?

Traces show all policies get hit (when an expression is evaluated to true) but I'm not sure what happens next.

Cheers for any help.


NetScaler evaluates policies in priority order from each bank. If Priority 10 succeeds, then Priority 20 is skipped. If Priority 10 fails (e.g. user enters wrong password), then Priority 20 is tried. If both Priorities go to the same AD domain, the users will lock out prematurely. I prefer load balancing. https://www.carlstalhood.com/domain-controller-ldaps-load-balancing-netscaler-12/


7 hours ago, Carl Stalhood1709151912 said:

NetScaler evaluates policies in priority order from each bank. If Priority 10 succeeds, then Priority 20 is skipped. If Priority 10 fails (e.g. user enters wrong password), then Priority 20 is tried. If both Priorities go to the same AD domain, the users will lock out prematurely. I prefer load balancing. https://www.carlstalhood.com/domain-controller-ldaps-load-balancing-netscaler-12/

Thanks Carl. What if multiple policies have the same priority?


11 minutes ago, Carl Stalhood1709151912 said:

I think it evaluates the policies in the order that you bound them (which one you bound first), but still evaluates them in the method I described.

Cool, makes sense.

I guess load balancing is preferable as requests are spread across auth servers, compared to just the one with highest priority getting hit.

The trace put me off as I guess that shows which expressions evaluate to true, not necessarily which auth server was used.

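The evaluation order Carl describes (priority within each bank, first success stops the walk, bind order breaking ties between equal priorities) and the premature-lockout side-effect of pointing two policies at the same AD domain, as an added Python simulation that is not NetScaler code and not from anyone in this thread. The directory contents, user names, policy names and the lockout threshold are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class AuthPolicy:
    name: str
    priority: int
    bind_order: int  # position in which the policy was bound; breaks ties between equal priorities
    domain: str      # AD domain behind the LDAP/RADIUS server this policy points at

# Constructed stand-in for the directory servers: domain -> user -> password.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "corp.example": {"alice": "correct-horse"},
    "partner.example": {"bob": "battery-staple"},
}

def evaluate_bank(policies: List[AuthPolicy], user: str, password: str,
                  failures: Dict[str, int]) -> Optional[str]:
    """Walk one bank (primary or secondary) in priority order, bind order breaking ties.
    Returns the first policy whose backend accepts the credentials; later policies are
    skipped. Each policy tried before a success records one bad-password event against
    its domain, which is what drives the premature lockout Carl warns about."""
    for pol in sorted(policies, key=lambda p: (p.priority, p.bind_order)):
        if DIRECTORY.get(pol.domain, {}).get(user) == password:
            return pol.name
        key = f"{pol.domain}:{user}"
        failures[key] = failures.get(key, 0) + 1
    return None

def attempts_until_lockout(policies: List[AuthPolicy], user: str, threshold: int) -> int:
    """Number of wrong-password logons before some domain has counted `threshold`
    bad-password events for the user (threshold is a constructed AD lockout setting)."""
    failures: Dict[str, int] = {}
    attempts = 0
    while max(failures.values(), default=0) < threshold:
        attempts += 1
        evaluate_bank(policies, user, "wrong-password", failures)
    return attempts

# The primary bank from the question, with both LDAP servers in the same domain.
SAME_DOMAIN = [
    AuthPolicy("LDAP_Server_1", priority=10, bind_order=1, domain="corp.example"),
    AuthPolicy("LDAP_Server_2", priority=20, bind_order=2, domain="corp.example"),
]

if __name__ == "__main__":
    print(evaluate_bank(SAME_DOMAIN, "alice", "correct-horse", {}))  # LDAP_Server_1
    print(attempts_until_lockout(SAME_DOMAIN, "alice", threshold=5))  # 3, not 5
```

With a lockout threshold of 5, a user typing the wrong password locks out after 3 logons instead of 5 because every failed logon costs two bad-password events in the same domain; a single policy (or a load-balanced virtual server) costs one.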
