
Configuring an Agile Controller Server

This section describes how to configure an Agile Controller server in an Agile Controller SSO scenario.

Context

In the Agile Controller SSO scenario, you must set the parameters the FW needs to communicate with an Agile Controller server so that user information on the Agile Controller server can be imported to the FW.

Procedure

  1. In the system view, create an Agile Controller server template and enter the Agile Controller server template view.

    tsm-server template template-name

  2. Set the IP address of the Agile Controller server.

    tsm-server ip-address ip-address &<1-10>

    You can set a maximum of 10 Agile Controller server IP addresses in each Agile Controller server template (the &<1-10> in the command syntax). The FW attempts to connect to these IP addresses in the order in which they were added until one of the attempts succeeds.

  3. Specify an Agile Controller server port.

    tsm-server port port

    The default port for a Agile Controller server is 8084.

  4. Configure the shared key of the Agile Controller server.

    tsm-server [ encryption-mode { 3des | aes128 [ enhanced ] } ] shared-key shared-key

    The default encryption mode is AES128.

    The packets transmitted between the FW and the Agile Controller server are encrypted with 3DES or AES128. AES128 is more secure than 3DES. Both are symmetric encryption algorithms, so the encryption mode and the shared key configured on the two ends must be identical; if either differs, the FW cannot decrypt the Agile Controller server's packets and the connectivity test in the last step fails.

    When AES128 is used, you can add the enhanced keyword to use AES128 enhanced encryption, which is more secure than plain AES128.

    Each Agile Controller version may support different encryption modes. Before configuration, confirm whether the Agile Controller version supports the encryption mode and ensure that the encryption modes on both ends are the same.

  5. Optional: Configure the IP address to be used by the FW to proactively access the Agile Controller server.

    firewall source-ip ip-address

    By default, when the FW proactively accesses the Agile Controller server (to detect the connectivity of the Agile Controller server or to import users, user groups, or devices from it), the FW uses the IP address of the packet's outgoing interface as the source address.

    If you manually specify a source IP address, the FW uses that address to access the Agile Controller server. The IP address of the FW configured on the Agile Controller server must be the same as this source IP address; otherwise the Agile Controller server will not accept the FW's requests.

    In dual-system hot backup deployment, do not specify a virtual IP address as the source IP address. If you specify a virtual IP address as the source IP address, the active device can import users or user groups from the Agile Controller server, but the standby device cannot.

  6. Return to the system view.

    quit

  7. Test the connectivity between the FW and the Agile Controller server.

    test tsm-server template template-name
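The whole procedure above as one complete configuration sequence. This is an added illustration, not a configuration taken from the original page: the template name ac-sso, the addresses 10.1.1.10 and 10.1.1.11, the source address 10.1.1.1 and the shared key are assumed placeholder values, and the lines beginning with # are explanatory notes rather than CLI input.

```text
# Enter the system view from the user view.
system-view
# Step 1: create the template and enter its view.
tsm-server template ac-sso
# Step 2: up to 10 server addresses; tried in the order given until one answers.
tsm-server ip-address 10.1.1.10 10.1.1.11
# Step 3: the default port is 8084; set it explicitly so the value is visible in the configuration.
tsm-server port 8084
# Step 4: recommended mode. The same mode and key must be set on the Agile Controller server.
tsm-server encryption-mode aes128 enhanced shared-key Ac-Sso-Shared-Key-2024
# Weaker alternative, only if the Agile Controller version does not support AES128 enhanced
# (do not configure both; the later command replaces the earlier one):
# tsm-server encryption-mode 3des shared-key Ac-Sso-Shared-Key-2024
# Step 5 (optional): fixed source address; must match the FW address registered on the
# Agile Controller server. Use a real interface address, not a dual-system hot backup virtual IP.
firewall source-ip 10.1.1.1
# Step 6: back to the system view.
quit
# Step 7: verify that the FW can reach the server with the configured port, mode and key.
test tsm-server template ac-sso
```

If the test fails after the addresses and port have been confirmed reachable, check the encryption mode and shared key first: because the algorithm is symmetric, a mismatch on either side produces the same failure as an unreachable server.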

Copyright © Huawei Technologies Co., Ltd.