Jump to content
Welcome to our new Citrix community!

Netscaler VPN AD Multiple groups requiring access, multiple groups not requiring access

Recommended Posts

Hi Folks
I have a large site with many different groups. I have working Netscaler VPN gateways and I need to restrict one of them to allow members of 10-11 different AD groups (Departments, eg DEP_$ABC) to logon while denying the rest of the organization.  I had a look at Authorization groups but there is a limit of 5. Is there any way of doing this?

Link to comment
Share on other sites

Basically, yes. Multiple ways.  But one you could put the allowed groups into a new group for "allowed vpn users" and change either the authentication policy using search filters to reject authentication from accounts outside of that group, or use authorization policies to restrict rights when they come in.  You can still manage either behavior per group; but a few nested groups might be easier than lots of individual group behavior.  


High-level notes below. If you need examples, i can dig some up later.



If its an authentication allow/deny behavior, meaning some succeed at authe and others are denied and don't get past login attempt

1) change the scope of the authentication policy:

a) Change BindDN to a specific container or OU where all users/groups "allowed" exist and where the "denied" do not; instead of the full Domain base dn.  (not always practical though)

b) Keep usual "domain" binddn and use the searchfilter field to incorporate LDAP filters. Either create a specific group that all the "vpnallowed" user accounts belong to (or if using nested group extraction that their groups belong too).  Or a user parameter or some other mechanism.

Basically if you bind DN is for the domain-wide (dc=domain,dc=com) but you have a search filter specified, you are making the authentication requirements "accounts in domain AND with search criteria requirement".  These accounts can log in. Accounts outside the search filter will be treated as a denied login.


A couple of search filter examples:

https://support.citrix.com/article/CTX111079 - one group only

https://support.citrix.com/article/CTX123782) - advanced example with nfactor visualizer and search filter.

https://www.citrixguru.com/2016/01/04/lab-part-19-configure-active-directory-authenticationldap-with-citrix-netscaler-11/ (older search filter example)


The tool tip in the authe policy for "search filter" gives some other parameter examples.


2) Let everyone login, but regulate allow/deny decisions with authorization policies.  You mentioned a limit on authorization groups that the authe policy can dump people in, but you can do authorization controls multiple ways that aren't dependent on the authe policy assigning an authentication group (or authorization group).

However, authorization decisions occur after login, which means all accounts in the scope of the authe policy come in with valid credentials, but then you decide if they get rights or not. A "denied all" user, will connect to VPN but be unable to do or access anything.

Authorization decisions can be assigned by:

a) session policies to vpn vserver (with a group-based expression filter) which can easily account for multiple groups.  (** this method can be easiest with the new advanced policies that can filter based on aaa groups).  But if you have a lot of group level settings or rights that vary, the aaa group/authorization policies can be more flexible...see next).

b) authorization policies assigned to aaa user/aaa groups only and you can have as many groups as you need. 

(Both of these methods (a) and (b) assume you are doing group extraction and defining the AD group names on the gateway as AAA group names. )

You can create default "DENY" authorizations policies. And then only grant "ALLOW" rights when needed. So, anyone you don't explicitly allow is denied.


This can also be combined with granular authorization rules that govern what destination ips/ports (networks) the vpn can reach for these users if needed.












Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...