Configuring Agile Controller SSO

This section describes how to configure Agile Controller Single Sign-On (SSO).

Context

Background

To implement Agile Controller SSO (the product is called Policy Center or Agile Controller depending on the version), perform the following configurations on the Agile Controller server and on the FW:

  • Agile Controller server

    Set parameters for the Agile Controller server to communicate with the FW and configure the Agile Controller server to send the login and logout messages to the FW.

  • FW

    Add the Agile Controller server and set the Agile Controller SSO parameters on the FW, and configure the FW to receive the login and logout messages.

If the FW is deployed between the users and the Agile Controller server, the authentication packets exchanged between them pass through the FW. For SSO to work, configure an authentication policy that exempts these packets from authentication; otherwise the FW would itself challenge the user before the Agile Controller ever sees the login. The authentication packets must also be permitted by the FW security policy, so the administrator needs to configure the following security policy rule on the FW:

  • Source Zone: indicates the security zone where the PC resides.

  • Destination Zone: indicates the security zone where the Agile Controller resides.

  • Destination Address: indicates the IP address of the Agile Controller.

  • Action: permit.

If a user is authenticated by the Agile Controller and the user's information exists on the FW, the FW still verifies the user's attributes: user status, expiration time, IP address binding, and whether the account may be shared by several hosts. Only users who pass this attribute verification can access network resources. For example, a locked-out user cannot access network resources during the lockout period even after the Agile Controller has authenticated the user.
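The two-stage decision described above (the Agile Controller's verdict is necessary, the FW's own attribute checks are still enforced) is shown in the following added Python example. It is illustration only, not code from this document or from the FW product; the FwUser field names, the sample user table, and the rejection of users unknown to the FW are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class FwUser:
    """Constructed stand-in for a user entry on the FW. Field names are assumptions
    for this example and do not reflect the FW's real data model."""
    name: str
    enabled: bool = True                                   # user status
    expires_at: Optional[datetime] = None                  # account expiration time
    bound_ips: List[str] = field(default_factory=list)     # IP address binding, host or CIDR
    allow_shared: bool = False                             # may several hosts share this account
    locked_until: Optional[datetime] = None                # end of the lockout period, if locked
    online_ips: List[str] = field(default_factory=list)    # hosts currently online as this user


def verify_attributes(user: FwUser, src_ip: str, now: datetime) -> Tuple[bool, str]:
    """FW-side attribute check applied after the Agile Controller reports a login.
    The Agile Controller's verdict is necessary but not sufficient; any check here
    can still deny access. Returns (allowed, reason)."""
    if not user.enabled:
        return False, "account disabled"
    if user.locked_until is not None and now < user.locked_until:
        return False, "account locked until " + user.locked_until.isoformat()
    if user.expires_at is not None and now >= user.expires_at:
        return False, "account expired"
    if user.bound_ips:
        ip = ip_address(src_ip)
        if not any(ip in ip_network(b, strict=False) for b in user.bound_ips):
            return False, "source address %s violates IP binding" % src_ip
    if not user.allow_shared and any(o != src_ip for o in user.online_ips):
        return False, "account already online from another host; sharing not allowed"
    return True, "ok"


def process_login(users: Dict[str, FwUser], name: str, src_ip: str,
                  now: datetime) -> Tuple[bool, str]:
    """Handle one login message (user name, source IP) received from the Agile Controller.
    Users unknown to the FW are outside what the page describes; rejecting them is an
    assumption of this example."""
    user = users.get(name)
    if user is None:
        return False, "user not found on FW"
    ok, reason = verify_attributes(user, src_ip, now)
    if ok and src_ip not in user.online_ips:
        user.online_ips.append(src_ip)      # bring the user online on the FW
    return ok, reason


def make_sample_users(now: datetime) -> Dict[str, FwUser]:
    """Constructed sample user table that exercises each attribute check."""
    return {
        "alice": FwUser("alice", bound_ips=["10.1.10.0/24"]),
        "bob":   FwUser("bob", locked_until=now + timedelta(minutes=30)),
        "carol": FwUser("carol", expires_at=now - timedelta(days=1)),
        "dave":  FwUser("dave", allow_shared=False, online_ips=["10.1.10.7"]),
    }


def run_demo() -> List[Tuple[str, str, bool]]:
    """Replay constructed login messages in order and return (user, ip, allowed)."""
    now = datetime(2024, 1, 1, 9, 0, 0)
    users = make_sample_users(now)
    cases = [
        ("alice", "10.1.10.5", now),                          # inside binding -> allowed
        ("alice", "10.1.20.5", now),                          # outside binding -> denied
        ("bob",   "10.1.10.6", now),                          # still locked out -> denied
        ("bob",   "10.1.10.6", now + timedelta(minutes=31)),  # lockout expired -> allowed
        ("carol", "10.1.10.9", now),                          # account expired -> denied
        ("dave",  "10.1.10.8", now),                          # second host, no sharing -> denied
        ("dave",  "10.1.10.7", now),                          # same host as existing entry -> allowed
    ]
    return [(n, ip, process_login(users, n, ip, t)[0]) for n, ip, t in cases]


if __name__ == "__main__":
    for name, ip, allowed in run_demo():
        print(name, ip, "allowed" if allowed else "denied")
```

The order of checks matters only for the reason reported; every check is evaluated on each login, so a host that passes the Agile Controller but fails any one FW attribute never goes online on the FW.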

Procedure

  • Configure the Agile Controller.

    The following steps use the Agile Controller interface as an example. The interface may vary with the version; for details, see the Policy Center or Agile Controller product documentation for your version.

    1. Choose System Configuration > Server Configuration > Online Behavior Management Device.
    2. Click Add.
    3. Set the following parameters of the FW:

      IP address: Destination IP address to which the Agile Controller sends user login and logout messages, that is, the address of the FW.

      Device Name: Device name of the FW.

      Port: Destination port to which the Agile Controller sends user login and logout messages. It must be the same as the Listening Port configured on the FW.

      Key: Shared key used to encrypt the packets exchanged between the Agile Controller and the FW. The same key must be configured on the FW as the Shared Key of the Agile Controller server.

      Encryption Algorithm: 3DES or AES128, used to encrypt the packets transmitted between the FW and the Agile Controller. AES128 is more secure than 3DES; use 3DES only if the Agile Controller version does not support AES128.

      NOTE:

      Each Agile Controller version may support different encryption algorithms. Before configuration, confirm which algorithms the Agile Controller version supports and ensure that the same algorithm is configured on both ends.

      Terminal IP Address List: IP addresses or subnets on which the terminal users to be managed reside. The Agile Controller sends only the login and logout messages of users in the listed ranges to the FW.

      Description: Description of the FW on the Agile Controller.

    4. Click OK.
  • Configure the FW.
    1. Choose Object > User > a specific authentication domain and set Internet Access Authentication Mode to SSO authentication.
    2. In SSO Settings, select the check box of Agile Controller SSO.
    3. Configure the following Agile Controller SSO parameters:

      Internet access after identity authentication: The Agile Controller only identifies user identities.

      Internet access after identity authentication and security check: The Agile Controller identifies user identities and also performs a security check on the users before Internet access is granted.

      Listening Port: Port on which the FW listens for the login and logout messages. It must be the same as the Port specified for the FW on the Agile Controller.

      Configure Agile Controller server: For details, see Configuring an Agile Controller Server. The Shared Key and Encryption values must be the same as the Key and Encryption Algorithm specified on the Agile Controller server.

      Synchronize Agile Controller Server Online User Information: In the Agile Controller SSO scenario, the online user information on the FW and on the Agile Controller server can drift apart: a login message sent by the Agile Controller server to the FW may be lost, or a user may age out on the FW without logging out from the Agile Controller server. With online user synchronization enabled, when traffic for which no online user entry exists passes through the FW, or when a user entry ages out, the FW queries the Agile Controller server by source IP address to check whether a corresponding online user exists. If the user is online on the Agile Controller server, the server sends a user login message to the FW and the user is brought online on the FW.

      The FW sends the query message to every Agile Controller server configured on the FW, encrypting the query packets with the key configured for each server. A user is brought online on the FW as soon as any one Agile Controller server reports the user online.

      To use the online user information synchronization function, set the encryption algorithm of the shared key to AES128 and do not enable Enhanced Encryption when configuring the Agile Controller server. For details, see Configuring an Agile Controller Server.

      Address Range for the Query: Source IP address range for online user synchronization from the Agile Controller server. Only users whose source IP addresses fall in this range are queried and synchronized.

      The range must match the IP address range of the users who go online on the FW in Agile Controller SSO mode, that is, the range specified in Terminal IP Address List when the FW is added on the Agile Controller server as a managed device.

      Query Rate: Rate (query packets per second) at which the FW sends online user query packets to the Agile Controller server.

      If a large number of IP addresses must be queried, the query load can overwhelm the Agile Controller server and also degrade FW performance; use this parameter to throttle the queries.

      If the rate is too low, users wait longer to go online, which affects user experience. The default rate (200 per second) is recommended for general use.

      Per-IP Query Interval: Minimum interval between two queries for the same source IP address in Address Range for the Query. It prevents the FW from repeatedly querying source IP addresses that never log in to the Agile Controller server (for example, unmanaged hosts) and so protects the performance of the Agile Controller server.

      For example, with a query interval of 20 seconds, each source IP address in Address Range for the Query is queried at most once every 20 seconds.

      Maximum IP Queried Each Time: Maximum number of IP addresses carried in one query packet when the FW sends online user query requests to the Agile Controller server.

      Limiting the number of source IP addresses per query packet also paces the rate at which login messages come back from the Agile Controller server, preventing a slow login rate or congestion of the login processing queue.

    4. Optional: Configure Agile Controller SSO information synchronization. For details, see Managing Online Users.
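The four synchronization parameters (Address Range for the Query, Query Rate, Per-IP Query Interval, Maximum IP Queried Each Time) act together as a rate-limited, batched query scheduler on the FW. The following added Python example models that interaction so the trade-offs are visible; it is not the FW's code and not part of this document. The class and method names, the constructed traffic scenario, and the deliberately low Query Rate of 2 packets per second (the page's default is 200) are assumptions; encryption of the query packets with the server's shared key is not modelled.

```python
from collections import deque
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List, Set, Tuple


class UserSyncQueryScheduler:
    """Models how the FW paces online-user queries toward the Agile Controller server.
    Illustration only, not the FW's implementation. Parameter names follow the page:
      query_ranges       Address Range for the Query (only these sources are ever queried)
      query_rate         Query Rate, query packets per second of scheduler time
      per_ip_interval    Per-IP Query Interval, in seconds
      max_ips_per_query  Maximum IP Queried Each Time"""

    def __init__(self, query_ranges: List[str], query_rate: int = 200,
                 per_ip_interval: float = 20.0, max_ips_per_query: int = 10):
        self.ranges = [ip_network(r, strict=False) for r in query_ranges]
        self.query_rate = query_rate
        self.per_ip_interval = per_ip_interval
        self.max_ips = max_ips_per_query
        self.pending: Deque[str] = deque()          # sources waiting to be queried, FIFO
        self.pending_set: Set[str] = set()
        self.last_queried: Dict[str, float] = {}    # source IP -> time of its last query
        self.sent_queries: List[dict] = []          # constructed log of emitted query packets
        self.dropped = {"out_of_range": 0, "interval_suppressed": 0}

    def on_unmatched_traffic(self, src_ip: str, now: float) -> bool:
        """Traffic with no online-user entry (or an aged-out user) arrived from src_ip.
        Returns True if the source was queued for a query."""
        ip = ip_address(src_ip)
        if not any(ip in r for r in self.ranges):
            self.dropped["out_of_range"] += 1           # outside Address Range for the Query
            return False
        last = self.last_queried.get(src_ip)
        if last is not None and now - last < self.per_ip_interval:
            self.dropped["interval_suppressed"] += 1    # Per-IP Query Interval not yet elapsed
            return False
        if src_ip not in self.pending_set:              # de-duplicate bursts from one host
            self.pending.append(src_ip)
            self.pending_set.add(src_ip)
        return True

    def tick(self, now: float, window: float = 1.0) -> List[dict]:
        """Emit at most query_rate * window packets, each carrying up to max_ips sources."""
        budget = int(self.query_rate * window)
        sent: List[dict] = []
        while self.pending and budget > 0:
            batch: List[str] = []
            while self.pending and len(batch) < self.max_ips:
                ip = self.pending.popleft()
                self.pending_set.discard(ip)
                self.last_queried[ip] = now
                batch.append(ip)
            sent.append({"t": now, "ips": batch})
            budget -= 1
        self.sent_queries.extend(sent)
        return sent


def simulate() -> Tuple[UserSyncQueryScheduler, List[int]]:
    """Constructed scenario: 25 managed hosts plus one outsider send traffic before
    the FW has an online entry for any of them. Returns the scheduler and the number
    of query packets emitted in each of four scheduler ticks."""
    sched = UserSyncQueryScheduler(["10.1.10.0/24"], query_rate=2,
                                   per_ip_interval=20.0, max_ips_per_query=10)
    hosts = ["10.1.10.%d" % i for i in range(1, 26)]
    for h in hosts:
        sched.on_unmatched_traffic(h, 0.0)
    sched.on_unmatched_traffic("192.168.1.5", 0.0)   # not in the query range: never queried
    first = sched.tick(0.0)     # budget 2 -> two packets of 10 sources; 5 stay pending
    second = sched.tick(1.0)    # the remaining 5 sources in one packet
    for h in hosts:             # hosts retransmit 5 s later, still without an entry
        sched.on_unmatched_traffic(h, 5.0)
    third = sched.tick(5.0)     # all suppressed: 20 s Per-IP Query Interval not elapsed
    sched.on_unmatched_traffic(hosts[0], 25.0)       # interval elapsed for this host
    fourth = sched.tick(25.0)
    return sched, [len(p) for p in (first, second, third, fourth)]


if __name__ == "__main__":
    s, counts = simulate()
    print("query packets per tick:", counts)
    print("dropped:", s.dropped)
```

The scenario shows why the three throttles complement each other: Query Rate caps how many packets reach the Agile Controller server per second, Maximum IP Queried Each Time decides how many sources each packet carries (and therefore how many login messages can come back at once), and Per-IP Query Interval stops a host that never logs in, or an attacker spraying new source addresses inside the query range, from turning every unmatched packet into a fresh query against the server. Addresses outside Address Range for the Query are never queried at all, so that range should be no wider than the Terminal IP Address List on the Agile Controller.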
Copyright © Huawei Technologies Co., Ltd.