When using AAA, I usually set up a content switch that integrates a non-addressable AAA vserver. The policy leading to this vserver is one of those things that I found over-complicated: the "is_vpn_url" policy expression interferes too much with the content switch (my opinion).
When using AAA, I always use authentication profiles; this simplifies the configuration and prevents mistakes. It also causes a cookie named "NSC_TMAP" to be created during logon and destroyed after logon. I found two requests that do not contain this cookie, yet should be handled by AAA: /cgi/tm?xxxxxxxxx and /cgi/selfauth?xxxxxxx
That said, I created a policy expression, PE_AAA_AUTH: HTTP.REQ.URL.PATH.EQ("/cgi/tm") || HTTP.REQ.URL.PATH.EQ("/cgi/selfauth") || HTTP.REQ.COOKIE.NAME_VALUE("NSC_TMAP").EQ("").NOT (the last clause is TRUE only when the cookie is present with a non-empty value).
If PE_AAA_AUTH evaluates to TRUE, the request is sent to the AAA vserver; I normally bind this policy to the content switch with a low priority number (say 10), so it is evaluated before the load balancing policies. If FALSE, the request is processed by the load balancing vservers bound to the content switch.
Websites using a cgi path or a logon path etc. can now be integrated with AAA using the same FQDN (hurrah!)
Again, this only works if you use authentication profiles consistently and on an AAA vserver logon point (all UAG functionality has been removed).
Snippet (the CSP_*_LAN and CSP_*_DEF policies and the VS_AAA and VS_NOSVC_SSL vservers are assumed to exist already; the CSP_AAA binding at priority 10 is evaluated before all of them):
add policy expression PE_AAA_Auth "HTTP.REQ.URL.PATH.EQ(\"/cgi/tm\") || HTTP.REQ.URL.PATH.EQ(\"/cgi/selfauth\") || HTTP.REQ.COOKIE.NAME_VALUE(\"NSC_TMAP\").EQ(\"\").NOT"
add cs action CSA_AAA -targetVserver VS_AAA
add cs policy CSP_AAA -rule PE_AAA_Auth -action CSA_AAA
add cs vserver CS_T1_SSL SSL O1.O2.O3.O4 443 -cltTimeout 180
bind cs vserver CS_T1_SSL -policyName CSP_AAA -priority 10
bind cs vserver CS_T1_SSL -policyName CSP_FULL_LAN -priority 100
bind cs vserver CS_T1_SSL -policyName CSP_FRST_LAN -priority 101
bind cs vserver CS_T1_SSL -policyName CSP_FQDN_LAN -priority 102
bind cs vserver CS_T1_SSL -policyName CSP_WILD_LAN -priority 103
bind cs vserver CS_T1_SSL -policyName CSP_FULL_DEF -priority 110
bind cs vserver CS_T1_SSL -policyName CSP_FRST_DEF -priority 111
bind cs vserver CS_T1_SSL -policyName CSP_FQDN_DEF -priority 112
bind cs vserver CS_T1_SSL -policyName CSP_WILD_DEF -priority 113
bind cs vserver CS_T1_SSL -lbvserver VS_NOSVC_SSL
(The content switch is configured using Core Logic version 10.3, being released soon in a theater near you.)
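To make the priority ordering and the cookie edge case concrete, here is an added Python model of the content-switch decision described above. It is not NetScaler code and not from the original post: the PE_AAA_AUTH rule is transcribed from the expression in the post, while the CSP_*_LAN/CSP_*_DEF placeholder rules, the 10.0.0.0/8 "LAN" range, the target names VS_APP_LAN and VS_APP_DEF, and all sample requests are constructed assumptions.

```python
"""Model of the content-switch decision (added example, not NetScaler code).

NetScaler evaluates the CS policies bound to a vserver in ascending priority
number; the first rule that is TRUE picks the target vserver, and a request
that matches nothing goes to the default lbvserver.
"""
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed "LAN" range for the CSP_*_LAN placeholder rule (not on the page).
LAN_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass
class Request:
    target: str                         # request-target, e.g. "/cgi/tm?abc"
    cookies: dict = field(default_factory=dict)
    client_ip: str = "203.0.113.10"     # constructed sample address

    @property
    def path(self) -> str:
        # HTTP.REQ.URL.PATH: the path without the query string
        return urlsplit(self.target).path


def parse_cookie_header(header: str) -> dict:
    """Turn a Cookie: header into {name: value}; an empty value stays ''."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value.strip()
    return cookies


def pe_aaa_auth(req: Request) -> bool:
    """Python transcription of PE_AAA_AUTH from the post:
    HTTP.REQ.URL.PATH.EQ("/cgi/tm") || HTTP.REQ.URL.PATH.EQ("/cgi/selfauth")
    || HTTP.REQ.COOKIE.NAME_VALUE("NSC_TMAP").EQ("").NOT
    The last clause is TRUE only when NSC_TMAP is present with a non-empty
    value, so a missing or empty cookie falls through to the LB policies."""
    return (req.path in ("/cgi/tm", "/cgi/selfauth")
            or req.cookies.get("NSC_TMAP", "") != "")


def is_lan(req: Request) -> bool:
    return ipaddress.ip_address(req.client_ip) in LAN_NET


# Bindings as on the content switch: (priority, policy name, rule, target).
# CSP_AAA is the post's policy; the other two stand in for the CSP_*_LAN /
# CSP_*_DEF policies whose expressions the post does not show (assumed).
CS_BINDINGS = [
    (10,  "CSP_AAA",      pe_aaa_auth,                                   "VS_AAA"),
    (100, "CSP_FULL_LAN", lambda r: is_lan(r) and r.path.startswith("/app/"), "VS_APP_LAN"),
    (110, "CSP_FULL_DEF", lambda r: r.path.startswith("/app/"),           "VS_APP_DEF"),
]
DEFAULT_LB = "VS_NOSVC_SSL"   # bind cs vserver CS_T1_SSL -lbvserver VS_NOSVC_SSL


def switch(req: Request, bindings=CS_BINDINGS, default=DEFAULT_LB) -> str:
    """Return the vserver that would receive the request."""
    for _prio, _name, rule, target in sorted(bindings, key=lambda b: b[0]):
        if rule(req):
            return target
    return default


# What goes wrong if CSP_AAA is bound *after* the application policies:
MISORDERED = [(200 if name == "CSP_AAA" else p, name, rule, tgt)
              for p, name, rule, tgt in CS_BINDINGS]


if __name__ == "__main__":
    logon = Request("/app/index.html",
                    parse_cookie_header("NSC_TMAP=abc123; other=1"))
    print(switch(logon))              # VS_AAA: still in the logon flow
    print(switch(logon, MISORDERED))  # VS_APP_DEF: the LB policy wins instead
```

The MISORDERED binding list shows why the post gives CSP_AAA priority 10: with the AAA policy bound behind the application policies, a request that still carries NSC_TMAP (i.e. is mid-logon) would be switched to the application vserver instead of the AAA vserver.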
Try it and have fun with it…
Very nice. I had to do something similar before when using NetScaler as a SAML IdP.
I'm very curious, by the way, about what has changed in the Core Logic since version 9.
Hi Rene,
my new post should start to answer your question: https://netscalerrocks.com/netscaler/netscaler-core-logic-10-3-changes-enhancements/