
Configuring Agile Controller SSO

This section describes how to configure Agile Controller Single Sign-On (SSO).

Context

To implement Agile Controller (Policy Center or Agile Controller) SSO, perform the following configurations on the Agile Controller server and FW:

  • Agile Controller server

    Set parameters for the Agile Controller server to communicate with the FW and configure the Agile Controller server to send the login and logout messages to the FW.

  • FW

    Configure an Agile Controller server and the Agile Controller SSO parameters on the FW, and configure the FW to receive the login and logout messages.

If a FW is deployed between the users and the Agile Controller server, authentication packets must pass through the FW. To apply the SSO function, configure an authentication policy to exempt the authentication packets from authentication. In addition, the authentication packets must pass the security check of the security policy of the FW. Therefore, the administrator needs to configure the following security policy on the FW:

  • Source Zone: indicates the security zone where the PC resides.

  • Destination Zone: indicates the security zone where the Agile Controller server resides.

  • Destination Address: indicates the IP address of the Agile Controller.

  • Action: permit.

If a user is authenticated by the Agile Controller and the user information exists on the FW, the FW still verifies user attributes, such as the user status, expiration time, IP address binding, and whether users are allowed to share this account. Only the user who succeeds in the attribute verification can access network resources. For example, a user who is locked out cannot access network resources within the lockout duration even if the user is authenticated by the Agile Controller.

Procedure

  • Configure the Agile Controller.

    The following example uses the Agile Controller interface. The user interface may vary with the version. For details, refer to the Policy Center or Agile Controller product documentation of the specific version.

    1. Choose System Configuration > Server Configuration > Online Behavior Management Device.
    2. Click Add.
    3. Set parameters of the FW.

      Parameter: Description

      IP address: Destination IP address to which the Agile Controller sends user login and logout messages (the IP address of the FW).

      Device Name: Device name of the FW.

      Port: Destination port to which the Agile Controller sends user login and logout messages. It must match the listening port configured on the FW.

      Key: Password used to encrypt packets exchanged between the Agile Controller and the FW.

      Encryption Algorithm: Use 3DES or AES128 to encrypt the packets transmitted between the FW and the Agile Controller. AES128 is more secure than 3DES.

        NOTE: Each Agile Controller version may support different encryption algorithms. Before configuration, confirm that the Agile Controller version supports the chosen encryption algorithm and ensure that the encryption algorithms on both ends are the same.

      Terminal IP Address List: IP address or subnet on which the terminal users to be managed reside. The Agile Controller sends only the login and logout messages of the listed users to the FW.

      Description: Description of the FW on the Agile Controller.

    4. Click OK.
  • Configure the FW.
    1. Configure an Agile Controller server.

      For details, see Configuring an Agile Controller Server. The Shared Key and Encryption values on the FW must be the same as the Key and Encryption Algorithm specified on the Agile Controller.

    2. Access the Agile Controller SSO view from the system view.

      user-manage single-sign-on tsm

    3. Configure a listening port for the FW to receive the login and logout messages.

      port port-number

      The listening port must be the same as that specified on the Agile Controller.

    4. Enable Agile Controller SSO.

      enable

    5. Optional: Set the security level of Agile Controller SSO to Agile Controller identity authentication and security check.

      auth-level security-auth

      After passing the Agile Controller identity authentication, the user needs to pass the Agile Controller security check before being allowed to access network resources.

      The default security level of Agile Controller SSO is identity authentication. That is, users only need to pass the Agile Controller identity authentication to log in to the FW and access network resources.

    6. Optional: Configure online user synchronization from an Agile Controller server.

      In the Agile Controller SSO scenario, the online user information on the FW and on the Agile Controller server can fall out of sync, either because login messages sent by the Agile Controller server to the FW are lost, or because users age out on the FW without logging out from the Agile Controller server. After online user synchronization from an Agile Controller server is enabled, when traffic that has no matching online user entry passes through the FW, or when a user ages out, the FW queries the Agile Controller server, based on the source IP address, to check whether the corresponding online user exists. If the user is online on the Agile Controller server, the Agile Controller server sends a user login message to the FW so that the user goes online on the FW.

      The FW sends a query message to all Agile Controller servers configured on the FW and uses the key configured during the Agile Controller server configuration to encrypt query packets. A user goes online on the FW as long as the user goes online on one Agile Controller server.

      To use the online user information synchronization function of the Agile Controller server, set the encryption algorithm of the shared key to AES128 and do not specify enhanced when configuring the Agile Controller server. For details on how to configure the Agile Controller server, see Configuring an Agile Controller Server.

      1. Access the view for online user synchronization from an Agile Controller server.

        user-manage server-sync tsm

      2. Configure a source IP address range for online user synchronization from an Agile Controller server.

        sync-address { address-set address-set-name | ip-address { mask-length | mask mask-address } | range { start-address end-address } }

        Only the users whose source IP addresses are in the specified range can be queried and synchronized.

      3. Optional: Configure the rate at which the FW sends query packets to query online users from an Agile Controller server.

        sync-rate rate

        By default, the rate for sending query packets is 200 times per second.

      4. Optional: Set the query time interval for each source IP address.

        ip-sync-interval interval

        By default, the query time interval of each source IP address is 20 seconds.

      5. Optional: Set the maximum number of IP addresses contained in each query packet when the FW initiates online user query requests towards the Agile Controller server.

        max-packet-length number

        By default, each query packet contains a maximum of 50 IP addresses.

      6. Enable online user synchronization from an Agile Controller server.

        enable

      7. Optional: Configure Agile Controller SSO information synchronization. For details, see Configuring Online User Information Synchronization.
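The FW side of the procedure above, assembled into one CLI session with constructed values (added here for illustration; this is not from the original page or the product). The listening port 8000, the terminal subnet 10.1.1.0/24, the server address 10.1.2.10 and the zone names are assumptions, and the security-policy block uses USG-style syntax that this page does not show; the Agile Controller server entry itself is configured as described in Configuring an Agile Controller Server.

```text
# Constructed values: FW listens on 8000, terminals in 10.1.1.0/24,
# Agile Controller server 10.1.2.10 in zone dmz, PCs in zone trust.
system-view

# Security policy so that authentication packets from the PCs reach the
# Agile Controller server (assumed USG-style syntax, not shown on this page).
security-policy
 rule name ac_auth_traffic
  source-zone trust
  destination-zone dmz
  destination-address 10.1.2.10 32
  action permit
 quit
quit

# Agile Controller SSO: the FW receives login/logout messages on the same
# port that was entered as "Port" for this FW on the Agile Controller.
user-manage single-sign-on tsm
 port 8000
 enable
 # Optional: also require the Agile Controller security check to pass.
 auth-level security-auth
 quit

# Optional: online user synchronization. Requires the server's shared key
# to use AES128 and the server to be configured without "enhanced".
user-manage server-sync tsm
 # Only source IPs in this range are queried and synchronized.
 sync-address 10.1.1.0 24
 # Defaults made explicit: 200 query packets/s, 20 s per source IP,
 # at most 50 IP addresses per query packet.
 sync-rate 200
 ip-sync-interval 20
 max-packet-length 50
 enable
 quit
```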

Copyright © Huawei Technologies Co., Ltd.