Well, the nsroot account does have full privileges and should not be handed out to anyone. There is a way to give your NetScaler administrators different levels of access to the management interface.
In this post we'll cover the use of RADIUS or LDAP authentication for this purpose. The procedure is essentially the same regardless of which authentication method you choose.
Start by creating an authentication server (LDAP or RADIUS):
Note! x.x.x.x is the IP of your domain controller, or of the content switching VIP behind which you hide your domain controllers.
add authentication ldapAction Admin_Auth_Action -serverIP x.x.x.x -ldapBase "dc=envokeit,dc=com" -ldapBindDn sa-ldap@envokeit.com -ldapBindDnPassword hdhh44hh54b33 -encrypted -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN -ssoNameAttribute samAccountName
Create an authentication policy (using a custom rule, or simply ns_true) and link it to the server you just created:
add authentication ldapPolicy Admin_Auth_Policy ns_true Admin_Auth_Action
Next, configure a system group corresponding to the LDAP group your administrators are members of, and assign it the appropriate command policy (there are 9 levels on NetScaler 11). In this case we will use the superuser command policy:
add system group Netscaler_Admin_Group -promptString Administrators -timeout 1800
bind system group Netscaler_Admin_Group -policyName superuser 10
Finally, bind your new authentication policy globally:
bind system global Admin_Auth_Policy -priority 10
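Once the commands above are in place, it is worth checking the resulting ns.conf rather than trusting the sequence of commands. Here is an added Python audit (not part of the original post) that reads an ns.conf excerpt built from this post's commands and reports LDAP actions left at the default PLAINTEXT secType, policies that were never bound globally, and groups holding superuser; the IP address and the PLAINTEXT default for -secType are assumptions stated in the code.

```python
import shlex

# Constructed ns.conf excerpt built from this post's commands; 192.0.2.10 is a
# documentation address standing in for x.x.x.x, not a real domain controller.
SAMPLE_CONF = """\
add authentication ldapAction Admin_Auth_Action -serverIP 192.0.2.10 -ldapBase "dc=envokeit,dc=com" -ldapBindDn sa-ldap@envokeit.com -ldapBindDnPassword hdhh44hh54b33 -encrypted -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN -ssoNameAttribute samAccountName
add authentication ldapPolicy Admin_Auth_Policy ns_true Admin_Auth_Action
add system group Netscaler_Admin_Group -promptString Administrators -timeout 1800
bind system group Netscaler_Admin_Group -policyName superuser 10
bind system global Admin_Auth_Policy -priority 10
"""

def parse_options(tokens):
    """Split CLI tokens into ({'-key': value}, [positional]); a bare flag such
    as '-encrypted' (followed by another option or nothing) is stored as True."""
    opts, positional, i = {}, [], 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):
            positional.append(tok)
            i += 1
        elif i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            opts[tok] = tokens[i + 1]
            i += 2
        else:
            opts[tok] = True
            i += 1
    return opts, positional

def audit_admin_auth(conf):
    actions, policies, group_policies, global_binds = {}, {}, {}, set()
    for line in conf.splitlines():
        t = shlex.split(line)
        if t[:3] == ["add", "authentication", "ldapAction"]:
            actions[t[3]] = parse_options(t[4:])[0]
        elif t[:3] == ["add", "authentication", "ldapPolicy"]:
            policies[t[3]] = {"rule": t[4], "action": t[5]}
        elif t[:3] == ["bind", "system", "group"]:
            opts, _priority = parse_options(t[4:])
            group_policies.setdefault(t[3], []).append(opts.get("-policyName"))
        elif t[:3] == ["bind", "system", "global"]:
            global_binds.add(t[3])
    return {
        # -secType defaults to PLAINTEXT; only SSL or TLS protects the bind-DN
        # password and every admin login on the wire.
        "cleartext_ldap": [n for n, o in actions.items()
                           if o.get("-secType", "PLAINTEXT") == "PLAINTEXT"],
        "unbound_policies": [n for n in policies if n not in global_binds],
        "superuser_groups": [g for g, ps in group_policies.items()
                             if "superuser" in ps],
    }
```

Run against the excerpt it flags Admin_Auth_Action as cleartext; adding -secType SSL (with -serverPort 636) to the ldapAction clears that finding.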