Configure RSA RADIUS monitoring on NetScaler

Ok, so this one is pretty easy and speaks for itself for the most part but can have some pitfalls while configuring.

In this example we are going to assume that the RSA backend is already in place and functioning properly.

Why

A good question is why would you want to. When you leave the monitoring to default which would be tcp-default it marks the server up as it response to a tcp connection. That would simply not be enough, we need to make sure that the RSA RADIUS Service is actually up and ready to accept connections.

Prerequisites

Make sure you have an account configured in RSA Authentication Manager that is authorized to send the response that you want to retrieve from the RSA Radius service. More on the RADIUS Response codes later on and why you would like to use a valid account.

Next to the account we are assuming that authentication is working properly and the Citrix NetScaler IP is added in RSA as a host that is allowed the use RSA Radius Authentication.

Read more of this post

Publish RSA Self-Service Console through NetScaler

This week I was at a customer which would like to publish the RSA Self Service Console so that users can self-service their RSA tokens, passwords and accounts and create some sort of redundancy with multiple RSA Authentication Servers. RSA has limited documentation on publishing the RSA Self-Service Console using a reverse proxy, especially Citrix NetScaler.

First of all, what you need to be aware of is that the RSA Servers works in a Primary/Replica model in which only the Primary can be written to by users, all other RSA Servers are read-only replica’s. So you can not use the replica servers for changing tokens, resetting passwords or enabling accounts. Replica’s can only be used for authenticating purposes.

Read more of this post