Citrix ADC (formerly NetScaler) VPX Load Balancer

Following are the steps to configure TACACS+ for the Citrix ADC Load Balancer.
  1. The NetScaler OS can use Role Based Access Control for local and remote authorization, but roles are not easily read from TACACS+, so this example uses the Shell section of authorization.xml to define privileges.
  2. This example covers a read-write user and a read-only user. More granular privilege levels between those two can be built by adding permit or deny statements to the authorization file.
  3. The Citrix documentation uses the Web UI configuration utility for general device management and configuration changes. The matching CLI commands are included below the graphical instructions.
  4. Note that this configuration is specifically for the ADC load balancer and may or may not apply to previous versions of the NetScaler appliance.
Qualified OS Version
NetScaler NS13.0

Configure TACACS+ in the Web UI

Configure TACACS.net Server Profile and Policy

From the home page, click on the Configuration tab and use the drop down menus to navigate to System Authentication > Basic Policies > TACACS



In the TACACS policy page, select the Servers tab and click [Add] to open the configuration window.



Enter the details of your TACACS.net server and click "Create". Authorization and Accounting are optional settings; both should be set to "ON" so the TACACS.net server can set privileges and produce usable accounting logs.



Return to the TACACS policy page and this time click [Add] to create a new policy to authenticate to the TACACS+ server.





Give your TACACS+ policy a name and assign it the TACACS.net server profile previously created. Enter the string "ns_true" in the Expression box and click Create.



Now the policy needs to be bound to the global system authentication. Start by selecting the Global Bindings box on the TACACS policy page.



Then click on the Select Policy box to choose the TACACS.net server policy and click [Bind] when finished.

Configure TACACS+ in the CLI

Configure TACACS.net Server Profile and Policy

Define the TACACS.net server configuration:
> add authentication tacacsAction <name> [-serverIP <ip_addr>] [-serverPort <port>] [-authTimeout <positive_integer>] [-tacacsSecret <string>] [-authorization ( ON | OFF )] [-accounting ( ON | OFF )]

Create the TACACS+ authentication policy:
> add authentication tacacsPolicy <policy name> -rule ns_true -reqAction <server name>

Bind the TACACS+ server policy to the global authentication method:
> bind system global <policy name> -priority <integer>

Configure TACACS.net

Note that the AutoExec and Services sections have no effect on user access or privileges.
The user is first authenticated by the TACACS+ server; each command is then authorized against the Shell rules before it executes.

Authorization.xml

This configuration will grant read-write privileges. 

<Shell> 
      <Permit>.*</Permit>
</Shell>

This configuration will grant read-only privileges with access to the GUI dashboard.

<Shell> 
      <Permit>stat ns</Permit>
      <Permit>stat protocol tcp</Permit>
      <Permit>.*show.*</Permit>
      <Deny>.*</Deny>
</Shell>
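To review what a Shell block actually permits before deploying it, the following added Python example (not part of this page or of TACACS.net) evaluates constructed sample CLI commands against the read-only block above and against a hypothetical tightened variant that anchors the `show` permit. It assumes TACACS.net tries the patterns in document order, that the first match wins, and that the whole command line must match the pattern.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the read-only <Shell> block shown above; the
# <Authorization>/<UserGroup> wrapper of a full authorization.xml is omitted.
READ_ONLY_SHELL = """<Shell>
      <Permit>stat ns</Permit>
      <Permit>stat protocol tcp</Permit>
      <Permit>.*show.*</Permit>
      <Deny>.*</Deny>
</Shell>"""

# Hypothetical tightened variant: permit only commands that start with
# "show", not any command that merely contains the substring "show".
TIGHTENED_SHELL = READ_ONLY_SHELL.replace(".*show.*", "show .*")

def load_rules(shell_xml):
    """Return the <Permit>/<Deny> patterns as an ordered (verdict, regex) list."""
    root = ET.fromstring(shell_xml)
    return [(node.tag, re.compile(node.text.strip()))
            for node in root if node.tag in ("Permit", "Deny")]

def authorize(rules, command):
    """Evaluate one CLI command line against the rules.

    Assumed (not verified against TACACS.net itself): rules are tried in
    document order, the first match wins, the pattern must match the whole
    command, and a command matching no rule is denied.
    """
    for verdict, pattern in rules:
        if pattern.fullmatch(command):
            return verdict
    return "Deny"

def audit(shell_xml, commands):
    """Map each command to its verdict so a ruleset can be reviewed offline."""
    rules = load_rules(shell_xml)
    return {cmd: authorize(rules, cmd) for cmd in commands}

if __name__ == "__main__":
    # Constructed sample commands; the last only contains "show" inside a
    # vserver name, which the unanchored .*show.* pattern still permits.
    sample = ["show ns version", "stat ns", "set ns config -timezone GMT",
              "add lb vserver showcase_vip HTTP 10.0.0.1 80"]
    for label, shell in (("page", READ_ONLY_SHELL), ("tightened", TIGHTENED_SHELL)):
        for cmd, verdict in audit(shell, sample).items():
            print(f"{label:9} {verdict:6} {cmd}")
```

Running it shows the page's block permitting a configuration change whose only link to "show" is the substring in a vserver name, while the anchored variant denies it; check any pattern you deploy the same way against the commands your read-only operators should and should not be able to run.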

Troubleshooting and verification

Use the built-in connection testing tool.


CLI commands
> show tacacsParams
> show tacacsPolicy

References

NetScaler OS TACACS+ Configuration
  1. https://support.citrix.com/article/CTX113820
ADC Authentication Policies
  2. https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/configure-aaa-policies/ns-aaa-setup-policies-authntcn-tsk.html