< Home

Configuring the Connection Between the SACG and Service Controller

The SACG adopts the Service Controller to exchange user information and traffic control policies with the entire Agile Controller cluster. Therefore, to use the function of interworking with the Agile Controller, you should connect the SACG to the Service Controller.

Prerequisites

The SACG interworking is an integrated solution, and the FW serves as the SACG in the solution. This only describes how to configure the interworking between the FW and the SACG interworking system. For how to install and configure other components of the SACG interworking system, refer to the related documents of the Agile Controller products.

In the SACG interworking solution, the configurations of all the interfaces and security zones of the SACG involve the deployment mode. For details, see Deployment Modes of the SACG.

The SACG needs to use ACLs 3099 to 3999 to receive the rules delivered by the SACG interworking system. Therefore, before configuring the interworking with the Agile Controller, you should ensure that these ACLs are not referenced by other functions, and then run the undo rule command to clear the existing rules of the ACLs.

Context

No matter in which mode the SACG is deployed, either in-line mode or off-line mode, the SACG and Service Controller communicate with each other if they are routable at layer 3. Therefore, the connection configurations of the SACG and Service Controller are basically the same in both deployment modes.

Procedure

  1. In the user view, access the system view.

    system-view

  2. Optional: If the off-line mode is used, run this command to disable the stateful inspection function of the device.

    undo firewall session link-state check

    In off-line mode, the traffic in only one direction passes the device. Therefore, you should disable the stateful inspection function of the SACG. The stateful inspection-based functions of the FW are unavailable in off-line mode.

  3. Access the SACG configuration view.

    right-manager server-group

    Major configurations for interworking with the Agile Controller are implemented in this view.

  4. Set the default group number of ACL rules.

    default acl 3099

    The IP address of the Agile Controller can be added only after this command is executed.

    After the command is executed, the original rules of ACL 3099 are cleared, and the rules of ACL 3099 cannot be created manually.

    In the function of interworking with the Agile Controller, the device reserves ACLs 3099 to 3999 to carry the access rules delivered by Agile Controller servers. The user cannot define these rules by themselves. After the command is executed, the device locks ACLs 3099 to 3999, to ensure that the ACLs cannot be modified by the user.

    The rules in ACL 3099 are delivered by the Agile Controller to the SACG to permit the terminal device to access the pre-authentication domain. The user can access the pre-authentication domain only after the ACL is delivered. Delivering the ACL is the basis of authentication for the access user.

  5. Optional: Set the IP address used when the FW sends a connection request to the Agile Controller.

    local ip ip-address

    ip-address is an address existing on the FW such as the address of a physical interface or logical interface (loopback interface for example).

  6. Set the parameters of the Agile Controller.

    server ip ip-address [ port port-number ] [ shared-key key ]

    In this command, ip-address specifies the IP address of the Service Controller. port-number does not need to be re-specified unless the port number is modified on the Service Controller. key specifies the encryption key of the SACG for the communications with the Service Controller. The encryption key of the SACG must be consistent with that of the Service Controller, thus realizing the normal communications between the SACG and Service Controller.

    The device supports up to 32 Service Controllers.

    By default, the Service Controller communicates with port 3288 on the device.

    The default value of the pre-shared key is TSM_Security.

  7. Optional: If the Web-based non-Agent authentication mode is adopted for authentication, run this command to set the URL of the web page for user authentication in Web-based non-Agent authentication mode.

    right-manager authentication url web-url

    If no SA (Security Agent) software is installed on the terminal device, and the user accesses the web page without passing authentication, the user is forced to go to the specified page. In Web-based non-Agent authentication mode, you can run this command to push the authentication web page to the user.

    When several URLs are configured and multiple packets to be redirected reach the FW, the FW pushes these URLs in polling mode. The minimum used URL is preferentially selected for pushing each time.

    Note that the URL of this command is case sensitive.

  8. Enable the connection to the Agile Controller.

    right-manager server-group enable

    After the connection to the Agile Controller is enabled, ACLs 3100 to ACL 3999 cannot be configured manually. Before the connection to the Agile Controller is enabled, if the ACL contains rules or is used by other functions, you must clear the rules manually, and then cancel the applications in other functions. In this way, the connection to the Agile Controller can be enabled.

    After this command is executed, the device tries to connect to the Agile Controller immediately. After the connection succeeds, the device can receive the roles and role rules delivered by the Agile Controller.

  9. Optional: Enable the integrity verification function for packets communicated between the FW and the Agile Controller.

    integrity-check enable

    The integrity verification for packets communicated between the FW and the Agile Controller is disabled by default.

    This function can be enabled only when both the FW and the Agile Controller supports integrity verification. Otherwise, the FW cannot be connected to the Agile Controller.

    You are advised to enable this function to improve security of communication between the FW and the Agile Controller.

  10. Optional: Use the Service Controller's keep-alive function to control the emergency channel.

    The emergency channel function indicates that to prevent the fault that occurs in the SACG interworking system from affecting normal services, after certain conditions are met, you can grant the access terminal device all permissions to allow the terminal device to access the network. After the emergency channel is enabled, no authentication and authorization is implemented on the terminal device, thus the terminal device can access the network directly.

    1. Run the right-manager status-detect enable command to enable the existence detection function of the Service Controller.
    2. Run the right-manager server-group active-minimum server-number command to set the minimum number of Agile Controller servers connected to the device.

      After the existence detection function of the Service Controller is enabled, the SACG detects the Service Controllers that can be connected to on the network. If the number of Service Controllers connected to the device is smaller than active-minimum, the device enables the emergency channel to grant the user all permissions. When the fault is rectified, and the number of Service Controllers connected to the device is larger than or equal to active-minimum, the device disables the emergency channel to restore the original permission control.

      By default, active-minimum is set to 1.

  11. Optional: Use the health check function of third-party authentication servers to control the emergency channel.

    • Run the healthcheck healthcheck-name command to enable the health check function for third-party authentication servers.

    In SACG scenarios, some account and password information is stored on the Agile Controller, and some account and password information is stored on the third-party authentication server. When a user enters the account and password on the client to initiate an identity authentication request, if the account and password are stored on the Agile Controller, the Agile Controller authenticates the user. If the account and password are stored on the third-party authentication server, the AC-Campus will send the account information to the third-party server for authentication. The third-party server sends the authentication result to the AC-Campus. The AC-Campus authorizes the user based on the authentication result.

    In the scenario where user authentication is done on the Agile Controller, if the Service Controller detects that the number of active Agile Controller is smaller than the configured smallest value, the emergency channel is enabled. The Service Controller cannot detect whether the third-party authentication server is active. If an exception occurs, user authentication cannot be done on the third-party authentication server. In this case, the FW acting as the SACG needs to check the health of the third-party authentication server. If the health status of the third-party authentication server is Down, the FW enables the emergency channel, ensuring service continuity. After the fault is rectified, the emergency channel is automatically disabled, and the original permission control for the user is restored.

    The health check on third-party authentication servers takes effect only after the healthcheck enable command is used to enable the health check function. In addition, you must set related parameters. For details, see Configuring Health Check.

  12. Return to the system view.

    quit

  13. Access the interzone policy view.

    firewall interzone zone-name1 zone-name2

    • In off-line mode, the interzone of the security zones where the two interfaces on the SACG that are used for bypass deployment reside needs to be entered; that is, the Trust-Untrust interzone shown in Figure 1 needs to be entered.

    • In in-line mode:

      • If the emergency channel is enabled, the further commands need to be executed in two interzones respectively, namely, the interzone between the security zones where the user and the Service Controller reside and the interzone between the security zones where the user and the service system reside.

      • If the emergency channel is disabled, you can run the further commands in only the interzone between the security zones where the user and the Service Controller reside.

  14. Apply the SACG interworking policy in the interzone and enable the interworking function.

    apply packet-filter right-manager { inbound | outbound }

    Applying the function of interworking with the Agile Controller in the interzone indicates applying ACL 3099 in the interzone actually.

    As ACL 3099 is applied to receiving the rule that is delivered by the SACG interworking system to permit the user to access the resources in the pre-authentication domain, you should apply ACL 3099 in the interzone between the security zones where the terminal device and the pre-authentication domain reside.

    After the emergency channel is enabled, as ACL 3099 is also applied to receiving the rule that is delivered by the emergency channel to permit all users to access the resources in the post-authentication domain, you should apply ACL 3099 in two interzones, namely, the interzone between the security zones where the terminal device and the pre-authentication domain reside and the interzone where the terminal device and the post-authentication domain reside.

Parent Topic: Configuring SACG Interworking Using the CLI
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
Next topic >