
NetScaler Gateway Full VPN: How-To setup Authorization Policies


Imran Syed HTSV


Hi,

I am setting up a new NSG Full VPN Gateway. When the "Default Authorization Action" is set to "Allow", the Citrix VPN clients are able to connect to the internal resources (servers) and access the Internet via the proxy server, etc. But when the "Default Authorization Action" is set to "Deny" and the Authorization Policies are configured to allow specific traffic such as DNS, KMS, Proxy, etc. (as shown below) and bound to an AAA Group, the VPN users are unable to access any resources over the VPN tunnel.

Any ideas would be highly appreciated...


add authorization policy KMS "CLIENT.IP.DST.EQ(X.X.X.X)&&CLIENT.TCP.DSTPORT.EQ(1688)" ALLOW
add authorization policy SCCM "CLIENT.IP.DST.EQ(X.X.X.X)" ALLOW
add authorization policy LDAP "CLIENT.IP.DST.EQ(X.X.X.X)||CLIENT.IP.DST.EQ(X.X.X.X)" ALLOW
add authorization policy Proxy "HTTP.REQ.HOSTNAME.EQ(\"wss.symantec.com/*\")||CLIENT.IP.DST.EQ(X.X.X.X)||CLIENT.IP.DST.EQ(X.X.X.X)||HTTP.REQ.IS_VALID" ALLOW
add authorization policy ADFS "CLIENT.IP.DST.EQ(X.X.X.X)||CLIENT.IP.DST.EQ(X.X.X.X)" ALLOW
add authorization policy DNS CLIENT.UDP.DNS.IS_ANYREC ALLOW


It sounds like the user isn't being seen as a member of the AAA group. Firstly, check that the AAA group is correctly configured, including that the character case matches if you are using a security group from AD. If you are using an AD security group, make sure LDAP group extraction is configured under your LDAP server settings.

You could run cat aaad.debug via PuTTY, log in, then check that you see the group memberships listed.

1. Connect to the Access Gateway Enterprise Edition command line interface with a Secure Shell (SSH) client such as PuTTY.

2. Run the following command to switch to the shell prompt: shell

3. Run the following command to change to the /tmp directory: cd /tmp

4. Run the following command to start the debugging process: cat aaad.debug

5. Log in and confirm in the PuTTY session the user's group membership.


Hi Paul,

Thanks for your response. I've checked the aaad.debug log (see the log file below) and, since the NSG's Primary Auth Method is a bound RADIUS Policy (see the screenshot below), I don't see any LDAP-related output in aaad.debug.

In regards to the Security Group, we are using a separate AD Group and not the "Domain Users" group as the AAA group.


root@XXX# cat /tmp/aaad.debug
Fri Nov 20 08:50:45 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[696]: main 0-0: timer 2 firing...
Fri Nov 20 08:50:55 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[696]: main 0-0: timer 2 firing...
Fri Nov 20 08:51:05 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[696]: main 0-0: timer 1 firing...
Fri Nov 20 08:51:05 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[696]: main 0-0: timer 2 firing...
Fri Nov 20 08:51:07 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[901]: process_kernel_socket 0-560: partition id is 0
Fri Nov 20 08:51:07 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[1123]: process_kernel_socket 0-560: ns_aaad_decrypt_auth not done
Fri Nov 20 08:51:07 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[1163]: process_kernel_socket 0-560: call to authenticate
user :user01, vsid :13076, userlen 5
Fri Nov 20 08:51:07 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[1222]: process_kernel_socket 0-560: call to authenticate
user :user01, vsid :13076, req_flags 2
Fri Nov 20 08:51:07 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[5370]: start_cascade_auth 0-560: starting cascade authentication
Fri Nov 20 08:51:07 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/name_resolver.c[38]: aaad_resolve_host_name 0-560: Starting async DNS for radiusLB.company.pri, in partition 0
Fri Nov 20 08:51:07 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/name_resolver.c[140]: receive_async_dns_event 0-560: ri = 0x804d48338, ai = 0x0
Fri Nov 20 08:51:07 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/name_resolver.c[193]: receive_async_dns_event 0-560: dns_ai_nextent returned EAGAIN
Fri Nov 20 08:51:07 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/name_resolver.c[201]: receive_async_dns_event 0-560: Checking to see what we're waiting on.
Fri Nov 20 08:51:07 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/name_resolver.c[205]: receive_async_dns_event 0-560: Waiting on receive
Fri Nov 20 08:51:07 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[5722]: register_timer 0-560: setting timer 1317
Fri Nov 20 08:51:07 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/name_resolver.c[236]: receive_async_dns_event 0-560: Continuing from EAGAIN
Fri Nov 20 08:51:07 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[5799]: unregister_timer 0-560: releasing timer 1317
Fri Nov 20 08:51:07 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/name_resolver.c[140]: receive_async_dns_event 0-560: ri = 0x804d48338, ai = 0x804d56408
Fri Nov 20 08:51:07 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/name_resolver.c[177]: receive_async_dns_event 0-560: dns_ai_nextent found something...
Fri Nov 20 08:51:07 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/radius_drv.c[772]: continue_radius_auth 0-560: RADIUS auth: Starting RADIUS authentication for user user01 @ X.X.X.X
Fri Nov 20 08:51:07 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/radius_drv.c[671]: make_radius_request 0-560: RADIUS auth: Making radius request for user user01
Fri Nov 20 08:51:07 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[5722]: register_timer 0-560: setting timer 1318
Fri Nov 20 08:51:07 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/name_resolver.c[182]: receive_async_dns_event 0-560: Freeing info on completion.
Fri Nov 20 08:51:07 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/name_resolver.c[63]: free_dns_info 0-560: Freeing ai
Fri Nov 20 08:51:07 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/radius_drv.c[2061]: process_radius 0-560: Got RADIUS event
Fri Nov 20 08:51:07 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[5799]: unregister_timer 0-560: releasing timer 1318
Fri Nov 20 08:51:07 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/radius_drv.c[2195]: process_radius 0-560: RADIUS auth: RADIUS challenges : user01
Fri Nov 20 08:51:14 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[901]: process_kernel_socket 0-561: partition id is 0
Fri Nov 20 08:51:14 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/radius_drv.c[671]: make_radius_request 0-561: RADIUS auth: Making radius request for user user01
Fri Nov 20 08:51:14 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[5722]: register_timer 0-561: setting timer 1319
Fri Nov 20 08:51:15 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/radius_drv.c[2061]: process_radius 0-561: Got RADIUS event
Fri Nov 20 08:51:15 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[5799]: unregister_timer 0-561: releasing timer 1319
Fri Nov 20 08:51:15 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/radius_drv.c[2126]: process_radius 0-561: RADIUS auth: RADIUS authentication successful for user: user01 from server X.X.X.X
Fri Nov 20 08:51:15 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/radius_drv.c[2128]: process_radius 0-561: extracted group string :(null)
Fri Nov 20 08:51:15 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[3983]: send_accept 0-561: sending accept to kernel for : user01
Fri Nov 20 08:51:15 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[696]: main 0-0: timer 2 firing...
Fri Nov 20 08:51:25 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[696]: main 0-0: timer 2 firing...
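The step that matters in the capture above is the "extracted group string :(null)" line right after the RADIUS success: with no groups, the user can never match an authorization policy that is bound to an AAA group, so a Default Authorization Action of DENY blocks everything. The script below is an added example (not from this thread, Citrix, or Echidna) that summarises an aaad.debug capture from the same shell session described in the numbered steps and flags logins that came back without groups. The sample log is constructed in the shape of the thread's output; the second login (user02 with group VPN-Users) is invented to show the healthy case, and the awk patterns assume the exact wording seen in the RADIUS lines above.

```shell
#!/bin/sh
# Added example: summarise an aaad.debug capture and flag logins without groups.
# SAMPLE_LOG is constructed in the shape of the thread's output; user02/VPN-Users
# is invented to show what a successful group extraction looks like.
SAMPLE_LOG='Fri Nov 20 08:51:15 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/radius_drv.c[2126]: process_radius 0-561: RADIUS auth: RADIUS authentication successful for user: user01 from server X.X.X.X
Fri Nov 20 08:51:15 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/radius_drv.c[2128]: process_radius 0-561: extracted group string :(null)
Fri Nov 20 08:51:15 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[3983]: send_accept 0-561: sending accept to kernel for : user01
Fri Nov 20 08:52:02 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/radius_drv.c[2126]: process_radius 0-562: RADIUS auth: RADIUS authentication successful for user: user02 from server X.X.X.X
Fri Nov 20 08:52:02 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/radius_drv.c[2128]: process_radius 0-562: extracted group string :VPN-Users'

# aaad_group_summary [FILE]
# Reads aaad.debug (or stdin when no file is given) and prints one line per
# successful authentication: OK when a group string was extracted, NO-GROUPS
# when it is "(null)" or empty. The match patterns assume the wording of the
# RADIUS lines in the thread; other auth drivers may log differently.
aaad_group_summary() {
  awk '
    /authentication successful for user:/ {
      user = $0
      sub(/.*successful for user: */, "", user)
      sub(/ from server.*/, "", user)
      server = $0
      sub(/.*from server */, "", server)
    }
    /extracted group string :/ {
      groups = $0
      sub(/.*extracted group string :/, "", groups)
      status = (groups == "(null)" || groups == "") ? "NO-GROUPS" : "OK"
      printf "%s user=%s server=%s groups=%s\n", status, user, server, groups
      user = ""; server = ""
    }
  ' "$@"
}

# aaad_missing_groups [FILE]
# Exit status 0 if at least one login completed without any groups, which is
# the condition under which AAA-group-bound authorization policies never apply.
aaad_missing_groups() {
  aaad_group_summary "$@" | grep -q '^NO-GROUPS '
}

# Usage from the shell prompt on the appliance:
#   aaad_group_summary /tmp/aaad.debug
# or against the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" | aaad_group_summary
```

Run it over the capture after a test login; every NO-GROUPS line is a user who authenticated but will be evaluated only against the default authorization action, which is exactly the symptom described in the first post.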

There are ways to return AD group membership as part of a RADIUS authentication; however, it is dependent on the RADIUS service you are using, and some don't support it.

I'd suggest you set up and switch to LDAP authentication, as you can just pass back the group membership and use that rather than RADIUS as the primary method. If there was a requirement that required the use of RADIUS as the primary form of authentication, you could set up LDAP as a secondary auth policy to acquire the group membership.


Thanks Paul,

We use the Echidna RADIUS solution and I am unsure if they support retrieving AD group membership (but I shall check on this). And as per Echidna's recommendation, the NSG vServer's primary auth needs to be RADIUS, as Echidna talks to AD to authenticate the user's LDAP creds as well.

I haven't tried the below to see if it works, but I shall give it a go shortly.

"If there was a requirement that required the use of RADIUS as the primary form of authentication, you could set up LDAP as a secondary auth policy to acquire the group membership."
