October 29, 2013

Citrix NetScaler Troubleshoot Authentication

Purpose:
This post explains one method of validating authentication on a Citrix NetScaler. I use it all the time when setting up Access Gateway, but it could be used for any authentication purpose.

Symptom:
When setting up Access Gateway for the first time, it can be tricky to determine where your authentication is going wrong. NetScaler provides a laundry list of authentication options, but I will only be testing LDAP lookup.

Resolution:
We can use the CLI to get a live view of AAA processing. SSH to the NetScaler IP (NSIP) and log on. Type "shell" and press Enter. Once in the shell, type "cat /tmp/aaad.debug" and press Enter.


Depending on traffic to your NetScaler, you may see a lot of messages or none at all. Either way, you will see live authentication information. This is invaluable for finding out where in the process things are going wrong (or right). Below you'll see a user in the sagelike.com domain authenticating via LDAP, and three groups being retrieved. The most important line is the last, where we see the accept being sent. At this point, the user has been successfully authenticated and the process will move to the next step. For Access Gateway, this is typically using single sign-on to authenticate the user to Citrix Web Interface.
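As an added example (my own helper, not from the original post or from Citrix): a small POSIX shell script that captures the live stream for a fixed window while a test logon runs, then reports the final accept/reject decision and the group lines. The words it matches in the output ("accept", "reject", "group") are assumed, not taken from Citrix documentation, and the sample captures are constructed.

```shell
# Added example, not part of the original post or of Citrix's tooling:
# capture the live aaad.debug stream to a file for a fixed window while a
# test user logs on, then summarise what was recorded. The markers matched
# below ("accept", "reject", "group") are an assumption about the wording
# of the debug output; adjust them to what your firmware actually prints.

# Copy SECS seconds of the debug stream SRC (default /tmp/aaad.debug) into
# OUT. cat on the live stream never exits on its own, so it runs in the
# background and is stopped once the logon attempt has had time to finish.
aaad_capture() {
    out="$1"; secs="${2:-30}"; src="${3:-/tmp/aaad.debug}"
    cat "$src" > "$out" &
    pid=$!
    sleep "$secs"
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
}

# Outcome of the last decision recorded in a capture: ACCEPT, REJECT or
# UNKNOWN (no decision line seen, e.g. the capture window was too short).
aaad_verdict() {
    last=$(grep -iE 'accept|reject' "$1" | tail -n 1)
    case "$last" in
        *[Aa]ccept*) echo ACCEPT ;;
        *[Rr]eject*) echo REJECT ;;
        *)           echo UNKNOWN ;;
    esac
}

# Group lines returned by the LDAP lookup, and how many there are.
aaad_groups()      { grep -i 'group' "$1" || true; }
aaad_group_count() { grep -ic 'group' "$1" || true; }

# Constructed sample captures (not real NetScaler output) for an offline run.
make_accept_sample() {
    cat > "$1" <<'EOF'
Tue Oct 29 10:15:02 2013 : authenticating user jdoe via LDAP
Tue Oct 29 10:15:02 2013 : group: CN=Citrix Users,OU=Groups,DC=sagelike,DC=com
Tue Oct 29 10:15:02 2013 : group: CN=VPN Users,OU=Groups,DC=sagelike,DC=com
Tue Oct 29 10:15:02 2013 : group: CN=Domain Users,CN=Users,DC=sagelike,DC=com
Tue Oct 29 10:15:02 2013 : sending accept to kernel for user jdoe
EOF
}
make_reject_sample() {
    cat > "$1" <<'EOF'
Tue Oct 29 10:16:40 2013 : authenticating user jdoe via LDAP
Tue Oct 29 10:16:40 2013 : ldap bind failed, invalid credentials
Tue Oct 29 10:16:40 2013 : sending reject to kernel for user jdoe
EOF
}
```

On the appliance, run `aaad_capture /var/tmp/aaad.capture 30` from the shell, perform the test logon within that window, then inspect the file with `aaad_verdict` and `aaad_groups`.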



Cause:
An incorrect logon typically gives you very little feedback. This is the best method I have found to get more detailed information.

SageLike Post ID: SL0004

Applies to:
NetScaler 9.2
NetScaler 9.3
NetScaler 10.0
NetScaler 10.1
Maybe others

References:
CTX114999 - How to Troubleshoot Authentication with aaad.debug