Web: Example for Configuring Agile Controller SSO Authenticating and AD Server Import for Internet Access Users
In this example, the FW serves as the egress gateway of an enterprise network; a Agile Controller server (Policy Center or Agile Controller) is used to authenticate users; user permission is controlled based on the organizational structure on an AD server.
Networking Requirements
An enterprise has deployed a FW as the egress gateway to connect the intranet to the Internet, as shown in Figure 1. Details are as follows:
- AD and Agile Controller authentication systems are both deployed on the intranet. The AD server has the enterprise's organizational structure and account and password information about all users, and the Agile Controller server (Policy Center or Agile Controller) has synchronized the account information from the AD server.
- Internet access users on the intranet include R&D employees and marketing employees.
The user management and authentication mechanisms of the FW must identify IP addresses on the intranet as users to implement user-specific behavior control and permission assignment. Requirements are as follows:
- Before the R&D and marketing employees access network resources, they must be authenticated by the Agile Controller server.
- The FW controls user permissions through the organizational structure on the AD server.
- For new employees, their information might be created on the AD server, but these users are not stored on the FW, after being authenticated, these users go online as temporary users in the organization structure on the AD server.
Configuration Roadmap
This example describes only how to configure user management and authentication.
- Set AD server parameters on the FW to ensure that the FW can communicate properly with the AD server.
- Create an authentication domain on the FW, set the name of the authentication domain to be the same as the name of the domain on the AD server.
- Configure AD server import policies on the FW to import user information on the AD server to the FW.
- Configure the new user option of the authentication domain. If an authenticated user does not exist on the FW, the user goes online as a temporary user in the organization structure on the AD server.
- Add the FW on the Agile Controller server and configure the Agile Controller server on the FW to enable the FW and Agile Controller server to communicate.
- Configure security policies on the FW to allow the FW to communicate with the AD server and Agile Controller server.
- Set Agile Controller SSO parameters on the FW.
- Because the FW is deployed between users and the Agile Controller server, authentication packets pass through the FW. Therefore, to implement SSO, configure an authentication policy to disable the FW from authenticating the authentication requests destined for the Agile Controller server and configure security policies to ensure normal communication between the FW and Agile Controller server.
- On the FW, configure an authentication policy for users' service traffic and set the action to authentication exemption.
Data Planning
Item |
Data |
Description |
|---|---|---|
AD server |
On a FW, set the parameters for communication with an AD server. The parameter settings on the FW must be consistent with those on the AD server. |
|
Agile Controller server |
On a FW, set the parameters for communication with a Agile Controller server. The parameter settings on the FW must be consistent with those on the Agile Controller server. |
|
User information import policy |
Import users and user groups from the AD server to the FW. |
|
Security policy |
Configure a security policy for the Trust (intranet users) -> DMZ (Agile Controller server) interzone for users to be authenticated by the Agile Controller server. |
|
Configure a security policy to allow the FW to communicate with an AD and Agile Controller server. |
||
Authentication Policy |
To implement SSO, configure an authentication policy. This policy disables the FW from processing the authentication requests to the Agile Controller server. |
|
Configure an authentication policy on the FW for users' service traffic and set the action to authentication exemption. |
Procedure
- Configure security policies to ensure the communication among the users, Agile Controller server, AD server, and FW.
- Set AD server parameters on the FW.
- Click Add and set the following parameters.
The parameter settings on the FW must be consistent with those on the AD server.
For the V600R007C20 version, whether to enable SSL for AD authentication cannot be configured on the web UI. When you configure the AD server on the web UI, SSL (ldap-over-ssl) is enabled by default. In this mode, LDAP over SSL must also be enabled on the AD server. For details, see the operating system guide of the AD server. To disable SSL (no-ssl), click CLI Console in the lower right corner of the web page. On the CLI configuration page that is displayed, run the ad-server authentication 10.2.0.250 88 no-ssl command in the corresponding AD server template view. From V600R007C20SPC100, you can configure whether to enable SSL for AD authentication on the Web UI. The following uses no-ssl as an example.
If you are unfamiliar with the AD server and cannot provide the server name or Base DN values, you can use the AD Explorer software downloaded from Internet to connect to the AD server to query the attribute values. The mappings between the server attributes and parameters on the FW are as follows.
- Click Add and set the following parameters.
- Add the FW on the Agile Controller server.
The following example describes Agile Controller V100R002C10. The user interface may vary with the version. For details, refer to the Policy Center or Agile Controller product documentation of a specific version.
Choose . Click Add and set the following parameters.
The FW uses port 8001 to receive user online and offline messages sent from the Agile Controller server.
If the FWs work in hot standby mode, you need to add Online Behavior Management Device twice on the Agile Controller server. The IP Address parameters must be set respectively to the real IP addresses of the active and standby device interfaces connecting to the Agile Controller server.
- On a FW, set the parameters for communication with a Agile Controller server.
- Choose . Click Add and set the following parameters.
The parameter settings on the FW must be consistent with those on the Agile Controller server. In most cases, the server port of Policy Center is 8080, and that of Agile Controller is 8084.
- Choose . Click Add and set the following parameters.
- On a FW, choose , click Add to create an authentication domain.
- Configure a policy to import user information from the AD server to the FW.
- Click Add and set the following parameters. Use the default values for the filtering parameters.
In a scenario where the authentication server is isolated from the import server, the import type must contain the user, In this example, the import type is set to all users, user groups, and security groups.
- Click Add and set the following parameters. Use the default values for the filtering parameters.
- Configure the cce.com authentication domain on the FW.
- Set the following parameters.
Click Configure on the right of Server Import Policy. A dialog box is displayed. Click Import Immediately corresponding to policy_import. After the import is complete, the user groups and users on the AD server are displayed in User/User Group/Security Group Management List.
- Set the following parameters.
- Choose , click Add to create an authentication policy.
Name
auth_policy_tsm
Source Zone
trust
Destination Zone
dmz
Source Address/Region
10.3.0.0/24
Destination Address/Region
10.2.0.251/32
Action
No authentication
Name
auth_policy_service
Source Zone
trust
Source Address/Region
10.3.0.0/24
Action
Authentication exemption
If the action of the authentication policy is set to authentication exemption, the FW obtains user information through SSO and permits the traffic when user information fails to be obtained during SSO authentication. If the network has high security requirements, set the action of the authentication policy to portal authentication. Then the FW will implement portal authentication on the users failing the SSO authentication.
- After the configuration is complete, you can configure security policies, PBR policies, bandwidth policies, quota control policies, proxy policies, and audit policies that reference the user and user group objects.
Configuration Verification
- R&D and marketing employees enter their domain accounts and passwords for the Agile Controller authentication. After the authentication succeeds, they can access network resources.
- A new employee enters the user name and password for Agile Controller authentication. After the authentication succeeds, they can access network resources, and their organizational structures are automatically added to the FW.
- On the FW Web UI, choose to see if there is information about online users. Users log in on the FW and the organizational structure corresponding to the AD server.
Configuration Script
# sysname FW # user-manage single-sign-on tsm enable # ad-server template auth_server_ad ad-server authentication 10.2.0.250 88 no-ssl ad-server authentication base-dn dc=cce,dc=com ad-server authentication manager cn=Administrator,cn=users %$%$KkGx/U}ir%TKvDU["/u$N/&z%$%$ ad-server authentication host-name ad.cce.com ad-server authentication ldap-port 389 ad-server user-filter sAMAccountName ad-server group-filter ou # tsm-server template auth_server_tsm tsm-server encryption-mode aes128 shared-key %$%$|5<h@/062'gA|%:9CO.2/JA8%$%$ tsm-server ip-address 10.2.0.251 # security-policy rule name policy_sec_1 source-zone trust destination-zone local source-address 10.3.0.0 24 destination-address 10.2.0.251 32 action permit rule name policy_sec_2 source-zone local destination-zone dmz action permit rule name policy_sec_3 source-zone dmz destination-zone local action permit # interface GigabitEthernet0/0/1 ip address 1.1.1.1 255.255.255.0 # interface GigabitEthernet0/0/2 ip address 10.2.0.1 255.255.255.0 # interface GigabitEthernet0/0/3 ip address 10.3.0.1 255.255.255.0 # firewall zone trust set priority 85 add interface GigabitEthernet0/0/3 # firewall zone untrust set priority 5 add interface GigabitEthernet0/0/1 # firewall zone dmz set priority 50 add interface GigabitEthernet0/0/2 # aaa domain cce.com service-type internetaccess internet-access mode single-sign-on reference user current-domain new-user add-temporary group /cce.com auto-import policy_import # # auth-policy rule name auth_policy_tsm source-zone trust destination-zone dmz source-address 10.3.0.0 24 destination-address 10.2.0.251 32 action none rule name auth_policy_http source-zone trust source-address 10.3.0.0 24 action exempt-auth # user-manage import-policy policy_import from ad server template auth_server_ad server basedn dc=cce,dc=com destination-group /cce.com user-attribute sAMAccountName user-filter (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer))) group-filter (|(objectclass=organizationalUnit)(ou=*)) import-type all import-override enable sync-mode incremental schedule interval 120 # The following configuration is used to perform a one-time operation and not stored in the configuration profile. execute user-manage import-policy policy_import test-aaa testname testpassword ad-template auth_server_ad test tsm-server template auth_server_tsm