authentication vserver

The following operations can be performed on "authentication vserver":

add | rm | set | unset | bind | unbind | enable | disable | show | stat | rename

add authentication vserver

Creates an authentication virtual server.

Synopsys

add authentication vserver <name> <serviceType> [<IPAddress> [-range <positive_integer>]] [<port>] [-state ( ENABLED | DISABLED )] [-authentication ( ON | OFF )] [-AuthenticationDomain <string>] [-comment <string>] [-td <positive_integer>] [-appflowLog ( ENABLED | DISABLED )] [-maxLoginAttempts <positive_integer> [-failedLoginTimeout <mins>]]

Arguments

name

Name for the new authentication virtual server.

Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Can be changed after the authentication virtual server is added by using the rename authentication vserver command.

The following requirement applies only to the NetScaler CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my authentication policy" or 'my authentication policy').

serviceType

Protocol type of the authentication virtual server. Always SSL.

Possible values: SSL

Default value: SSL

IPAddress

IP address of the authentication virtual server, if a single IP address is assigned to the virtual server.

range

If you are creating a series of virtual servers with a range of IP addresses assigned to them, the length of the range.

The new range of authentication virtual servers will have IP addresses consecutively numbered, starting with the primary address specified with the IP Address parameter.

Default value: 1

Minimum value: 1

port

TCP port on which the virtual server accepts connections.

state

Initial state of the new virtual server.

Possible values: ENABLED, DISABLED

Default value: ENABLED

authentication

Require users to be authenticated before sending traffic through this virtual server.

Possible values: ON, OFF

Default value: ON

AuthenticationDomain

Fully-qualified domain name (FQDN) of the authentication virtual server.

comment

Any comments associated with this virtual server.

td

Integer value that uniquely identifies the traffic domain in which you want to configure the entity. If you do not specify an ID, the entity becomes part of the default traffic domain, which has an ID of 0.

Minimum value: 0

Maximum value: 4094

appflowLog

Log AppFlow flow information.

Possible values: ENABLED, DISABLED

Default value: ENABLED

maxLoginAttempts

Maximum Number of login Attempts

Minimum value: 1

Maximum value: 255

failedLoginTimeout

Number of minutes an account will be locked if user exceeds maximum permissible attempts

Minimum value: 1

Example

The following example creates an authentication vserver named myauthenticationvip which supports SSL portocol and with AAA functionality enabled: vserver myauthenticationvip SSL 65.219.17.34 443 -aaa ON

rm authentication vserver

Removes an authentication virtual server.

Synopsys

rm authentication vserver <name>@ ...

Arguments

name

Name of the authentication virtual server to remove.

Example

rm vserver authn_vip

set authentication vserver

Modifies the specified parameters of an existing authentication virtual server.

Synopsys

set authentication vserver <name> [-IPAddress <ip_addr|ipv6_addr|*>] [-authentication ( ON | OFF )] [-AuthenticationDomain <string>] [-comment <string>] [-appflowLog ( ENABLED | DISABLED )] [-maxLoginAttempts <positive_integer>] [-failedLoginTimeout <mins>]

Arguments

name

Name of the virtual server to modify.

IPAddress

IP address of the authentication virtual server, if a single IP address is assigned to the virtual server.

authentication

Require users to be authenticated before sending traffic through this virtual server.

Possible values: ON, OFF

Default value: ON

AuthenticationDomain

Fully-qualified domain name (FQDN) of the authentication virtual server.

comment

Any comments associated with this virtual server.

appflowLog

Log AppFlow flow information.

Possible values: ENABLED, DISABLED

Default value: ENABLED

maxLoginAttempts

Maximum Number of login Attempts

Minimum value: 1

Maximum value: 255

failedLoginTimeout

Number of minutes an account will be locked if user exceeds maximum permissible attempts

Minimum value: 1

unset authentication vserver

Removes the settings of an existing authentication virtual server. Attributes for which a default value is available revert to their default values. Refer to the set authentication vserver command for descriptions of the parameters..Refer to the set authentication vserver command for meanings of the arguments.

Synopsys

unset authentication vserver <name> [-AuthenticationDomain] [-maxLoginAttempts] [-authentication] [-comment] [-appflowLog]

bind authentication vserver

Binds authentication policies to an authentication virtual server.

Synopsys

bind authentication vserver <name> [-policy <string> [-priority <positive_integer>] [-secondary] [-groupExtraction] [-nextFactor <string>] [-gotoPriorityExpression <expression>]]

Arguments

name

Name of the authentication virtual server to which to bind the policy.

policy

Name of the policy to bind to the virtual server.

priority

Positive integer specifying the priority of the policy. A lower number specifies a higher priority. Policies are evaluated in the order of their priorities, and the first policy that matches the request is applied. Must be unique within the list of policies bound to the authentication virtual server.

The following requirement applies only to the NetScaler CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, 'my authentication policy' or "my authentication policy").

Minimum value: 0

secondary

Applicable only while bindind classic authentication policy as advance authentication policy use nFactor

groupExtraction

Applicable only while bindind classic authentication policy as advance authentication policy use nFactor

nextFactor

Applicable only while binding advance authentication policy as classic authentication policy does not support nFactor

gotoPriorityExpression

Applicable only to advance authentication policy. Expression or other value specifying the next policy to be evaluated if the current policy evaluates to TRUE. Specify one of the following values:

• NEXT - Evaluate the policy with the next higher priority number.

• END - End policy evaluation.

• USE_INVOCATION_RESULT - Applicable if this policy invokes another policy label. If the final goto in the invoked policy label has a value of END, the evaluation stops. If the final goto is anything other than END, the current policy label performs a NEXT.

• A default syntax expression that evaluates to a number.

If you specify an expression, the number to which it evaluates determines the next policy to evaluate, as follows:

• If the expression evaluates to a higher numbered priority, the policy with that priority is evaluated next.

• If the expression evaluates to the priority of the current policy, the policy with the next higher numbered priority is evaluated next.

• If the expression evaluates to a priority number that is numerically higher than the highest numbered priority, policy evaluation ends.

An UNDEF event is triggered if:

• The expression is invalid.

• The expression evaluates to a priority number that is numerically lower than the current policy's priority.

• The expression evaluates to a priority number that is between the current policy's priority number (say, 30) and the highest priority number (say, 100), but does not match any configured priority number (for example, the expression evaluates to the number 85). This example assumes that the priority number increments by 10 for every successive policy, and therefore a priority number of 85 does not exist in the policy label.

unbind authentication vserver

Unbinds the specified policy from the specified authentication virtual server.

Synopsys

unbind authentication vserver <name> [-policy <string> [-secondary] [-groupExtraction]]

Arguments

name

Name of the virtual server.

policy

Name of the policy to be unbound.

secondary

Applicable only to classic authentication policy

groupExtraction

Applicable only to classic authentication policy

enable authentication vserver

Enables an authentication virtual server that is disabled. Note: Virtual servers, when added, are normally enabled by default.

Synopsys

enable authentication vserver <name>@

Arguments

name

Name of the virtual server to enable.

Example

enable vserver authentication1

disable authentication vserver

Disables an authentication virtual server, taking it out of service.

Synopsys

disable authentication vserver <name>@

Arguments

name

Name of the virtual server to disable.

Notes:

1. The NetScaler appliance still responds to ARP and/or ping requests for the IP address of disabled virtual servers.

2. Because the virtual server configuration still exists on the NetScaler appliance, you can reenable the virtual server.

Example

disable vserver authn_vip

show authentication vserver

Displays the configuration of the specified authentication virtual server.If no authentication virtual server is specified, displays a list of all authentication virtual servers that are currently configured on the NetScaler appliance.

Synopsys

show authentication vserver [<name>]show authentication vserver stats - alias for 'stat authentication vserver'

Arguments

name

Name of the authentication virtual server.

Outputs

IPAddress

The IP address of the authentication server.

td

Integer value that uniquely identifies the traffic domain in which you want to configure the entity. If you do not specify an ID, the entity becomes part of the default traffic domain, which has an ID of 0.

value

Indicates whether or not the certificate is bound or if SSL offload is disabled.

port

The virtual TCP port of the authentication vserver.

range

The range of authentication vserver IP addresses. The new range of authentication vservers will have IP addresses consecutively numbered, starting with the primary address specified with the <ipaddress> argument.

serviceType

The authentication vserver's protocol type, Currently the only possible value is SSL.

type

The type of Virtual Server, e.g. CONTENT based or ADDRESS based.

state

Initial state of the new virtual server.

status

Whether or not this vserver responds to ARPs and whether or not round-robin selection is temporarily in effect.

cacheType

Virtual server's cache type. The options are: TRANSPARENT, REVERSE and FORWARD.

redirect

The cache redirect policy.

The valid redirect policies are:

l. CACHE - Directs all requests to the cache.

1. POLICY - Applies cache redirection policy to determine whether the request should be directed to the cache or origin. This is the default setting.

2. ORIGIN - Directs all requests to the origin server.

precedence

This argument is used only when configuring content switching on the specified virtual server. This is applicable only

if both the URL and RULE-based policies have been configured on the same virtual server.

It specifies the type of policy (URL or RULE) that takes precedence on the content switching virtual server. The default setting is RULE.

l URL - In this case, the incoming request is matched against the URL-based policies before the rule-based policies.

l RULE - In this case, the incoming request is matched against the rule-based policies before the URL-based policies.

For all URL-based policies, the precedence hierarchy is:

1. Domain and exact URL

2. Domain, prefix and suffix

3. Domain and suffix

4. Domain and prefix

5. Domain only

6. Exact URL

7. Prefix and suffix

8. Suffix only

9. Prefix only

10. Default

redirectURL

The URL where traffic is redirected if the virtual server in system becomes unavailable. WARNING! Make sure that the domain you specify in the URL does not match the domain specified in the -d domainName argument of the ###add cs policy### command. If the same domain is specified in both arguments, the request will be continuously redirected to the same unavailable virtual server in the system. If so, the user may not get the requested content.

authentication

Indicates whether or not authentication is being applied to incoming users to the VPN.

curAAAUsers

The number of current users logged in to this vserver.

AuthenticationDomain

Fully-qualified domain name (FQDN) of the authentication virtual server.

rule

The name of the rule, or expression, if any, that policy for the authentication server is to use. Rules are combinations of Expressions. Expressions are simple conditions, such as a test for equality, applied to operands, such as a URL string or an IP address. Expression syntax is described in the Installation and Configuration Guide. The default rule is ns_true.

policyName

The name of the policy, if any, bound to the authentication vserver.

policy

The name of the policy, if any, bound to the authentication vserver.

serviceName

The name of the service, if any, to which the vserver policy is bound.

weight

Weight for this service, if any. This weight is used when the system performs load balancing, giving greater priority to a specific service. It is useful when the services bound to a virtual server are of different capacity.

cacheVserver

The name of the default target cache virtual server, if any, to which requests are redirected.

backupVServer

The name of the backup vpn virtual server for this vpn virtual server.

cltTimeout

The idle time, if any, in seconds after which the client connection is terminated.

soMethod

VPN client applications are allocated from a block of Intranet IP addresses.

That block may be exhausted after a certain number of connections. This switch specifies the

method used to determine whether or not a new connection will spillover, or exhaust, the allocated block of

Intranet IP addresses for that application. Possible values are CONNECTION or DYNAMICCONNECTION.

CONNECTION means that a static integer value is the hard limit for the spillover threshold. The spillover

threshold is described below. DYNAMICCONNECTION means that the spillover threshold is set according to

the maximum number of connections defined for the vpn vserver.

soThreshold

VPN client applications are allocated from a block of Intranet IP addresses.

That block may be exhausted after a certain number of connections.

The value of this option is number of client connections after which the Mapped IP address is used

as the client source IP address instead of an address from the allocated block of Intranet IP addresses.

soPersistence

Whether or not cookie-based site persistance is enabled for this VPN vserver. Possible values are 'ConnectionProxy', HTTPRedirect, or NONE

soPersistenceTimeOut

The timeout, if any, for cookie-based site persistance of this VPN vserver.

priority

The priority, if any, of the vpn vserver policy.

downStateFlush

Perform delayed clean up of connections on this vserver.

actType

disablePrimaryOnDown

Tells whether traffic will continue reaching backup vservers even after primary comes UP from DOWN state.

Listenpolicy

Listenpolicy configured for authentication vserver

Listenpriority

Priority of listen policy for authentication vserver

tcpProfileName

The name of the TCP profile.

httpProfileName

Name of the HTTP profile.

comment

Any comments associated with this virtual server.

policySubType

stateflag

flags

appflowLog

Log AppFlow flow information.

vstype

Virtual Server Type, e.g. Load Balancing, Content Switch, Cache Redirection

ngname

Nodegroup devno to which this authentication vsever belongs to

maxLoginAttempts

Maximum Number of login Attempts

failedLoginTimeout

Number of minutes an account will be locked if user exceeds maximum permissible attempts

secondary

Bind the authentication policy to the secondary chain.

Provides for multifactor authentication in which a user must authenticate via both a primary authentication method and, afterward, via a secondary authentication method.

Because user groups are aggregated across authentication systems, usernames must be the same on all authentication servers. Passwords can be different.

groupExtraction

Bind the Authentication policy to a tertiary chain which will be used only for group extraction. The user will not authenticate against this server, and this will only be called if primary and/or secondary authentication has succeeded.

nextFactor

On success invoke label.

gotoPriorityExpression

Expression specifying the priority of the next policy which will get evaluated if the current policy rule evaluates to TRUE.

devno

count

Example

show authentication vserver

stat authentication vserver

Displays statistics about the specified authentication virtual server. If no authentication virtual server is specified, displays statistics for all authentication virtual servers that are currently configured on the NetScaler appliance.

Synopsys

stat authentication vserver [<name>] [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>] [-clearstats ( basic | full )]

Arguments

name

Name of the authentication virtual server.

detail

Specifies detailed output (including more statistics). The output can be quite voluminous. Without this argument, the output will show only a summary.

fullValues

Specifies that numbers and strings should be displayed in their full form. Without this option, long strings are shortened and large numbers are abbreviated

ntimes

The number of times, in intervals of seven seconds, the statistics should be displayed.

Default value: 1

Minimum value: 0

logFile

The name of the log file to be used as input.

clearstats

Clear the statsistics / counters

Possible values: basic, full

Outputs

count

devno

stateflag

Outputs

IP address (IP)

The IP address on which the service is running.

Port (port)

The port on which the service is running.

Vserver protocol (Protocol)

Protocol associated with the vserver

State

Current state of the server. Possible values are UP, DOWN, UNKNOWN, OFS(Out of Service), TROFS(Transition Out of Service), TROFS_DOWN(Down When going Out of Service)

Requests (Req)

Total number of requests received on this service or virtual server. (This applies to HTTP/SSL services and servers.)

Responses (Rsp)

Number of responses received on this service or virtual server. (This applies to HTTP/SSL services and servers.)

Request bytes (Reqb)

Total number of request bytes received on this service or virtual server.

Response bytes (Rspb)

Number of response bytes received by this service or virtual server.

Related Commands

• stat authentication Policy
• stat authentication samlIdPPolicy
• stat authentication policylabel
• stat authentication loginSchemaPolicy

rename authentication vserver

Rename an authentication virtual server.

Synopsys

rename authentication vserver <name>@ <newName>@

Arguments

name

Current name of the authentication virtual server.

newName

New name of the authentication virtual server.

Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters.

The following requirement applies only to the NetScaler CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, 'my authentication policy' or "my authentication policy").

Example

rename authentication vserver av1 av_new