Configure Netscaler with FreeRadius integration to perform authorization based on group filtering

The goal of this document is to define a procedure for configuring Netscaler with FreeRadius integration to perform authorization based on group filtering. In order to achieve this, you need to modify the Radius action attached to the virtual server’s authentication policy and the session policy’s bound profile as follows:

1. From the main Netscaler menu, click on Security->AAA Application Traffic->Policies->Authentication->Advanced Policies:

   

2. Scroll down and click on Actions, then on RADIUS:

   

3. Click on the FreeRadius action to edit it:

   

4. In the next window click on More:

   

5. Scroll down until you find the Group Attribute Type field. Fill it with the value 11. As stated in any FreeRadius RFC (e.g. 2865), his corresponds to the attribute Filter-Id, which is used by Veridium to send the user’s groups list:

   

6. Scroll down and click on OK to save the configuration:

   

7. Next, we need to modify the session policy attached to the Netscaler FreeRadius virtual server in order to allow a certain group (ori groups) to login. For this, in the Netscaler main menu, go to Netscaler Gateway->Policies->Session

   

8. Click on the attached session policy to edit it:

   

9. In the next window, click the Edit button right next to the Profile field:

   

10. In the next window, click on Security, then on Advanced Settings:

    

11. Scroll down and, in the Groups Allowed To Login field, type the group (or groups, separated by a column or semi-column) which are allowed to access the resources published by this session policy:

    

12. Click on OK to save the configuration:

    

13. In the next window click on OK again to save the modifications:

    

14. In the end, don't forget to click the Save button in the main window to commit the changes: