With the Netscaler 10.5 release came a new feature: Web Authentication. This feature allows us to use a web service to authenticate users. This basically means the Netscaler does a web request to a server and based on the response of that server accepts or denies the users authentication request.
A web authentication policy requires five items to function:
- Server IP–the IP address of the webserver.
- Server Port–the port to which the request is sent.
- Scheme–HTTP or HTTPS.
- Authentication rule–the authentication request in Netscaler default syntax.
- Success Rule–an expression that tells us when authentication is successful.
The first three do not require much explanation, but the last two are a bit more complicated.
Authentication rule
In order to create a authentication rule it is important to know what de authentication web service expects. Most form based authentication is based on a user submitting credentials through a form. The form contains the fields and uses a POST Method to send its information to the server.
Here’s an example of a post request:
|
1 |
This request sends login=test and passwd=test123 to authtest.php. But with this request every user would be named test and their password would be test123.
Normally using Netscaler default syntax HTTP.REQ.USER.NAME would hold the username associated with the request, but it remains empty. HTTP.REQ.USER.PASSWD also remains empty. In order to get the username and password we will have to extract it from the original request. Which looks like this: login=<entered username>&passwd=<entered password>.
Extracting the username:
|
1 |
HTTP.REQ.BODY(HTTP.REQ.CONTENT_LENGTH).TYPECAST_LIST_T('&').get(0).AFTER_STR("=") |
And the password:
|
1 |
HTTP.REQ.BODY(HTTP.REQ.CONTENT_LENGTH).TYPECAST_LIST_T('&').get(1).AFTER_STR("=") |
Edited: Changed the extraction to the suggested method by ehoneycutt, thanks for the suggestion.
Using a TYPECAST_LIST_T will also work when a secondary authentication method is selected on the authentication vserver.
When POSTing data to the authentication webserver, I used the variables: username and password instead of login and passwd. These can be changed to whatever is required by the authenticating webserver.
The request in Netscaler default syntax looks like this:
|
1 |
"POST /authtest.php HTTP/1.1\r\n" + "Host: www.test.local\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: " + HTTP.REQ.CONTENT_LENGTH + "\r\n\r\n" + "username=" + HTTP.REQ.BODY(100).BEFORE_STR("&").AFTER_STR("=") + "&" + "password=" + HTTP.REQ.BODY(100).AFTER_STR("&").AFTER_STR("=") + "\r\n\r\n" |
Now all we need is the Success rule.
Success rule
The Success rule is an expression that tells us whether the authentication was successful or not. I tested using a simple php script that return either “SUCCESS” or “FAILURE”. My Success rule look like this:
|
1 |
HTTP.RES.BODY(100).SET_TEXT_MODE(IGNORECASE).CONTAINS("success") |
How to
Below the commands to create a vserver and bind the policies to it. Don’t forget to setup the LB vserver to require authentication.
|
1 2 3 4 5 6 7 8 9 10 11 |
add authentication vserver vserver_auth SSL 192.168.27.169 443 -AuthenticationDomain netscalerrocks.com add authentication webAuthAction srv_webauthentication -serverIP 192.168.27.128 -serverPort 80 -fullReqExpr q{"POST /authtest.php HTTP/1.1\r\n" + "Host: www.test.local\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: " + HTTP.REQ.CONTENT_LENGTH + "\r\n\r\n" + "username=" + HTTP.REQ.BODY(100).BEFORE_STR("&").AFTER_STR("=") + "&" + "password=" + HTTP.REQ.BODY(100).AFTER_STR("&").AFTER_STR("=") + "\r\n\r\n"} -scheme http -successRule "HTTP.RES.BODY(100).SET_TEXT_MODE(IGNORECASE).CONTAINS(\"success\")" -defaultAuthenticationGroup test add authentication webAuthPolicy pol_auth_webauth01 -rule ns_true -action srv_webauthentication bind authentication vserver vserver_auth -policy pol_auth_webauth01 -priority 100 |
I’ve also made some screenshot’s to help configure this.
Nice article.
I would suggest a switch to TYPECAST_LIST_T for extracting values in order to deal with situations where you could have PASSWD as well as PASSWD1.
HTTP.REQ.BODY(HTTP.REQ.CONTENT_LENGTH).TYPECAST_LIST_T(‘&’).get(1).AFTER_STR(“=”)
Thanks,
That’s a great suggestion, I updated the article.
Hi Pim,
Thanks for the write-up. I have a question though. does this work with NetScaler Standard licenses or would you still need an Enterprise license to make use of AAA features of NS?
The article is based on having the AAA feature. So yes, you do need at least an Enterpise license.
i got the successfully implemented this .. for me .. authentication success rules is that i get http 302 redirection where url contains token… .
i don’t know how to get this 302 redirection over end user response..