
Web: Example for Configuring Security Policies Based on User Access Modes and Device Types

Networking Requirements

An enterprise has deployed a FW as the egress gateway that connects the intranet to the Internet, as shown in Figure 1.
  • Agile Controller identity authentication is enabled on the intranet, and user and user group information is stored on the Controller.
  • Intranet users authenticate from different devices (such as PCs and mobile phones) and through different access modes (wired or wireless, through the portal page or through a client that supports 802.1X authentication).
  • The Agile Controller server identifies each user's access mode and device type and sends them to the FW.

In this example, the Agile Controller is called Controller for short.

Figure 1 Networking diagram for configuring security policies

The enterprise requires that the FW use its user management and authentication mechanism to map intranet IP addresses to users, together with each user's access mode and device type, and that security policies enforce access control based on those two attributes. The requirements are as follows:
  • Intranet users do not need to open the Agile Controller portal authentication page themselves: their HTTP requests are automatically redirected to it.
  • After entering a correct Agile Controller account and password, intranet users can access network resources.
  • Only intranet users on wired PCs (access mode wired-portal, device type PC) are allowed to access the Internet after authenticating on the portal page.

Configuration Roadmap

Complete the user- and authentication-related configuration:
  1. Add the FW on the Agile Controller server and configure the Agile Controller server on the FW so that the two can communicate.
  2. Configure a policy that imports user information from the Agile Controller server to the FW.
  3. Set the URL of the redirected authentication page to the address of the Agile Controller portal authentication page, so that users who directly access HTTP services are redirected there.
  4. Configure an authentication policy that authenticates users before they access the Internet.
  5. Set the Agile Controller SSO parameters on the FW.
  6. Configure the new user options in the authentication domain. After being authenticated, a new user goes online as a temporary user in a specified user group.
  7. Because the FW sits between the users and the Agile Controller server, the authentication packets pass through the FW. To implement SSO, configure an authentication policy that exempts requests destined for the Agile Controller server from FW authentication, and configure security policies that allow the FW and the Agile Controller server to communicate.
  8. Configure security policies so that the users, the Agile Controller server, and the FW can communicate.
Complete the access mode- and device type-based control configuration:
  1. Import devices from the Agile Controller server to the FW.
  2. Configure a security policy that allows intranet users whose access mode is wired-portal and whose device belongs to the pc device group to access the Internet.

Data Planning

Item: Agile Controller server
Data:
  • Service Name: auth_server_tsm
  • Agile Controller IP Address: 10.2.0.50
  • Server Port: 8084
  • Encryption: AES128
  • Shared Key: Admin@123
Description: On the FW, set the parameters for communication with the Agile Controller server. The parameter settings on the FW must be consistent with those on the Agile Controller server. The shared key shown here is a placeholder for this example; it protects the FW-to-Controller channel, so use a strong, unique key in production.

Item: User information import policy
Data:
  • Name: policy_import
  • Server Type: Agile Controller
  • Server Name: auth_server_tsm
  • Import Type: Import only users
  • Target User Group: /default
  • Full Synchronization: 120 minutes
  • Overwrite local user records when the user already exists
Description: Import users from the Agile Controller server to the FW.

Item: Parent group of new users
Data: After being authenticated, a new user goes online as a temporary user in the default user group.
Description: All users passing Agile Controller authentication are new users to the FW.

Item: Agile Controller authentication portal address
Data: http://10.2.0.50:8080/portal
Description: This address must be the same as the setting on the Agile Controller server.

Item: Agile Controller SSO
Data:
  • Agile Controller SSO: Enable
  • Internet Access After Identity Authentication
Description: Set the SSO parameters on the FW and configure the FW to receive user login and logout information from the Agile Controller server.

Item: Importing devices
Data:
  • Server name: auth_server_tsm
  • Overwrite the local record when the device type already exists
Description: Only Agile Controller SSO devices can be imported.

Item: Security policy 1
Data:
  • Name: policy_sec_tsm
  • Source Zone: trust
  • Destination Zone: dmz
  • Source Address/Region: 10.3.0.0/24
  • Destination Address/Region: 10.2.0.50/32
  • Action: Permit
Description: This policy lets users reach the Agile Controller server for authentication.

Item: Security policy 2
Data:
  • Name: policy_sec_tsm_1
  • Source Zone: local
  • Destination Zone: dmz
  • Action: Permit
Description: This policy allows the FW to communicate with the Agile Controller server. The example permits all Local-to-DMZ traffic for brevity; a tighter rule restricts the destination address to 10.2.0.50/32 and the service to the ports the Agile Controller actually uses.

Item: Security policy 3
Data:
  • Name: policy_sec_tsm_2
  • Source Zone: dmz
  • Destination Zone: local
  • Action: Permit
Description: This policy allows the Agile Controller server to communicate with the FW. As with security policy 2, restricting the source address to 10.2.0.50/32 narrows what the DMZ can reach on the FW itself.

Item: Security policy 4
Data:
  • Name: policy_sec_dns
  • Source Zone: trust
  • Destination Zone: untrust
  • Source Address/Region: 10.3.0.0/24
  • Service: DNS
  • Action: Permit
Description: This policy permits the DNS queries that users need to resolve the domain names of HTTP services.

Item: Security policy 5
Data:
  • Name: policy_sec_user
  • Source Zone: trust
  • Destination Zone: untrust
  • Source Address/Region: 10.3.0.0/24
  • Access Mode: wired-portal
  • Device: pc
  • Action: Permit
Description: This policy allows intranet users who authenticated on the portal page from a wired PC (access mode wired-portal, device group pc) to access the Internet. Traffic that matches no security policy is denied, so users with any other access mode or device type are blocked.

Procedure

  1. Set the IP address and security zone of each interface.
    1. Choose Network > Interface.
    2. In Interface List, click the edit button for GE0/0/1.

      Set the following parameters for interface GigabitEthernet 0/0/1 and keep the default values for the others:

      Zone: untrust
      Mode: Routing
      IPv4
        Connection Type: Static IP
        IP Address: 1.1.1.1/255.255.255.0

    3. Click OK.
    4. Repeat the previous steps for interfaces GE0/0/2 and GE0/0/3.

      Set the following parameters for interface GigabitEthernet 0/0/2 and keep the default values for the others:

      Zone: dmz
      Mode: Routing
      IPv4
        Connection Type: Static IP
        IP Address: 10.2.0.1/255.255.255.0

      Set the following parameters for interface GigabitEthernet 0/0/3 and keep the default values for the others:

      Zone: trust
      Mode: Routing
      IPv4
        Connection Type: Static IP
        IP Address: 10.3.0.1/255.255.255.0

  2. Configure security policies so that the users, the Agile Controller server, and the FW can communicate.
    1. Configure a security policy between the Trust zone (users) and the DMZ (Agile Controller server) so that users can be authenticated by the Agile Controller server.

      Choose Policy > Security Policy > Security Policy, click Add Security Policy, set the following parameters, and click OK.

      Name: policy_sec_tsm
      Source Zone: trust
      Destination Zone: dmz
      Source Address/Region: 10.3.0.0/24
      Destination Address/Region: 10.2.0.50/32
      Action: Permit

      If the URL of the authentication page is a domain name and the DNS server that resolves it is deployed in the DMZ, you also need to permit the DNS service from the Trust zone to the DMZ.

    2. Configure security policies between the DMZ (Agile Controller server) and the Local zone (the FW itself) so that the Agile Controller server and the FW can communicate.

      1. Click Add Security Policy, set the following parameters, and click OK.

        Name: policy_sec_tsm_1
        Source Zone: local
        Destination Zone: dmz
        Action: Permit

      2. Click Add Security Policy, set the following parameters, and click OK.

        Name: policy_sec_tsm_2
        Source Zone: dmz
        Destination Zone: local
        Action: Permit

    3. Configure a security policy for the Trust (users) -> Untrust (Internet) interzone that permits DNS packets (resolving the URLs of HTTP services).

      Click Add Security Policy, set the following parameters, and click OK.

      Name: policy_sec_dns
      Source Zone: trust
      Destination Zone: untrust
      Source Address/Region: 10.3.0.0/24
      Service: dns
      Action: Permit

  3. Add the FW on the Agile Controller server.

    The Controller changes from version to version, so the Controller configuration in this example is for reference only. For details, see the configuration manual of the Controller.

    Choose System > Server Configuration > Online Behavior Management Device, click Add, set the parameters so that they match the Agile Controller server row in Data Planning, and click OK.

    If the FWs work in hot standby mode, add an Online Behavior Management Device twice on the Agile Controller server. Set the IP Address parameters to the real IP addresses of the active and standby devices' interfaces that connect to the Agile Controller server.

  4. On the FW, set the parameters for communication with the Agile Controller server.

    Choose Object > Authentication Server > Agile Controller, click Add, set the parameters planned in Data Planning (service name auth_server_tsm, IP address 10.2.0.50, port 8084, AES128 encryption, and the shared key), and click OK.

    The parameter settings on the FW must be consistent with those on the Agile Controller server. In most cases, the server port of the Agile Controller is 8084.

    Click Detect. In the dialog box that is displayed, click OK to check the connectivity to the Agile Controller server.

  5. Configure a policy to import user information from the Agile Controller server to the FW.
    1. Choose Object > User > User Import > Server Import, click Add, set the parameters planned in Data Planning for policy_import, and click OK.

    2. Click the import button for policy_import. In the dialog box that is displayed, click OK to apply the import policy.
  6. Configure the portal authentication page.

    Choose Object > User > Authentication Option > User-Defined Portal, set the portal URL to http://10.2.0.50:8080/portal, and click Apply.

    The portal URL must be consistent with that of the Controller.
  7. Configure authentication policies. Set the action for users accessing the Internet to authentication, so that their HTTP traffic triggers portal authentication, and set the action for users accessing the Agile Controller server to no-authentication, so that their authentication packets pass through the FW to the Agile Controller server.
    1. Choose Policy > Authentication Policy, click Add, set the following parameters, and click OK.

      Name: auth_policy_service
      Source Zone: trust
      Destination Zone: untrust
      Source Address/Region: 10.3.0.0/24
      Action: Portal authentication
      Template Name: portal

    2. Click Add, set the following parameters, and click OK.

      Name: auth_policy_tsm
      Source Zone: trust
      Destination Zone: dmz
      Source Address/Region: 10.3.0.0/24
      Destination Address/Region: 10.2.0.50/32
      Action: No authentication

  8. Set the SSO parameters and the new user option on the FW.

    Choose Object > User > default, set the parameters planned in Data Planning (enable Agile Controller SSO and add new users as temporary users to the default group), and click Apply.

  9. Enable device identification on the Agile Controller server.

    Choose Resource > Terminal > Parameter Setting. In Terminal Identification, select Enable.

  10. Import devices from the Agile Controller server so that security policies can reference them.

    Choose Object > Device > Device, click Edit, and then click Import.

    The FW can import only Agile Controller SSO devices.

    Choose Object > Device > Device Group to confirm that the imported devices have been added to the corresponding predefined device groups.

  11. Configure a security policy that allows intranet users whose access mode is wired-portal and whose device belongs to the pc device group to access the Internet.

    Choose Policy > Security Policy > Security Policy, click Add Security Policy, set the following parameters, and click OK.

    Name: policy_sec_user
    Source Zone: trust
    Destination Zone: untrust
    Source Address/Region: 10.3.0.0/24
    Access Mode: wired-portal
    Device: pc
    Action: Permit

Configuration Verification

  • On the FW Web UI, choose Object > User > default to check that the imported user objects are present.
  • On the FW Web UI, choose Object > User > Online User to check that online user information is displayed.
  • Intranet users on wired PCs can access the Internet from a browser after portal authentication. Under all other conditions they cannot, as shown in the following table.
    Table 1 Verification of intranet user access to the Internet under different conditions

    Device          wired-802.1x   wireless-802.1x   wired-portal   wireless-portal
    PC              N              N                 Y              N
    Other devices   N              N                 N              N

    • Y indicates that intranet users can access the Internet, and N indicates that they cannot.
    • wired-802.1x indicates wired access from clients that support 802.1X authentication; wireless-802.1x indicates wireless access from clients that support 802.1X authentication; wired-portal indicates wired access from clients after portal authentication; wireless-portal indicates wireless access from clients after portal authentication.

Configuration Scripts

#
 sysname FW
#
 user-manage single-sign-on tsm
  enable
 user-manage portal-template portal 0
  portal-url http://10.2.0.50:8080/portal
#
tsm-server template auth_server_tsm
 tsm-server encryption-mode aes128 shared-key %$%$|5<h@/062'gA|%:9CO.2/JA8%$%$
 tsm-server ip-address 10.2.0.50
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 add interface GigabitEthernet0/0/2
#
security-policy
 rule name policy_sec_tsm
  source-zone trust
  destination-zone dmz
  source-address 10.3.0.0 24
  destination-address 10.2.0.50 32
  action permit
 rule name policy_sec_dns
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 24
  service dns
  action permit
 rule name policy_sec_tsm_1
  source-zone local
  destination-zone dmz
  action permit
 rule name policy_sec_tsm_2
  source-zone dmz
  destination-zone local
  action permit
 rule name policy_sec_user
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 24
  access-authentication wired-portal
  device-classification device-group pc
  action permit
#
auth-policy
 rule name auth_policy_tsm
  source-zone trust
  destination-zone dmz
  source-address 10.3.0.0 24
  destination-address 10.2.0.50 32
  action none
 rule name auth_policy_service
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 24
  action auth portal-template portal
#
 user-manage import-policy policy_import from tsm
 server template auth_server_tsm
 server basedn root
 destination-group /default
 import-type user
 import-override enable
 time-interval 120
#
aaa
 domain default
  service-type internetaccess
  new-user add-temporary group /default

# The following configuration takes effect only one time and is not saved into the configuration file.
 execute user-manage import-policy policy_import
 update device-category tsm-server template auth_server_tsm import-overwrite
 test tsm-server template auth_server_tsm
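The security-policy and auth-policy sections of the script above, and the outcome matrix in Table 1, can be checked offline before the configuration is pushed. The following Python script is an added example, not Huawei code and not part of the original page: it parses the security-policy and auth-policy rules copied from the script (the two unconditional local-to-dmz rules are left out, since they never match the user flows modelled here), evaluates constructed flows against them, and reproduces Table 1. Its assumptions about the FW are not stated on the page: rules are evaluated top-down with first match, a flow that matches no security policy is denied, and a flow that matches no authentication policy is not authenticated. The user address 10.3.0.10 and Internet address 203.0.113.5 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Copied from the page's configuration script (unconditional local<->dmz rules omitted).
CONFIG = """\
security-policy
 rule name policy_sec_tsm
  source-zone trust
  destination-zone dmz
  source-address 10.3.0.0 24
  destination-address 10.2.0.50 32
  action permit
 rule name policy_sec_dns
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 24
  service dns
  action permit
 rule name policy_sec_user
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 24
  access-authentication wired-portal
  device-classification device-group pc
  action permit
#
auth-policy
 rule name auth_policy_tsm
  source-zone trust
  destination-zone dmz
  source-address 10.3.0.0 24
  destination-address 10.2.0.50 32
  action none
 rule name auth_policy_service
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 24
  action auth portal-template portal
"""

@dataclass
class Rule:
    name: str
    conds: dict = field(default_factory=dict)  # VRP keyword -> value
    action: str = ""

@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    service: str = "any"
    access_mode: Optional[str] = None    # known only once the user is online
    device_group: Optional[str] = None   # from the imported device categories

def parse_rules(config: str, section: str) -> list:
    """Collect the 'rule name ...' entries under one top-level section."""
    rules, active, cur = [], False, None
    for raw in filter(str.strip, config.splitlines()):
        if not raw.startswith(" "):                 # top-level keyword or '#'
            active, cur = raw.strip() == section, None
            continue
        key, _, value = raw.strip().partition(" ")
        if not active:
            continue
        if key == "rule":                           # "rule name <name>"
            cur = Rule(value.split()[-1])
            rules.append(cur)
        elif key == "action":
            cur.action = value
        else:
            cur.conds[key] = value
    return rules

def matches(rule: Rule, flow: Flow) -> bool:
    net = lambda v: ipaddress.ip_network(v.replace(" ", "/"))   # "10.3.0.0 24"
    checks = {
        "source-zone": lambda v: v == flow.src_zone,
        "destination-zone": lambda v: v == flow.dst_zone,
        "source-address": lambda v: ipaddress.ip_address(flow.src_ip) in net(v),
        "destination-address": lambda v: ipaddress.ip_address(flow.dst_ip) in net(v),
        "service": lambda v: v == flow.service,
        "access-authentication": lambda v: v == flow.access_mode,
        "device-classification": lambda v: v.split()[-1] == flow.device_group,
    }
    return all(checks[k](v) for k, v in rule.conds.items())

def first_match(rules: list, flow: Flow, default: str) -> str:
    """Top-down, first-match evaluation; `default` models the implicit rule (assumption)."""
    return next((r.action for r in rules if matches(r, flow)), default)

SEC, AUTH = (parse_rules(CONFIG, s) for s in ("security-policy", "auth-policy"))

def internet_permitted(access_mode: str, device_group: str) -> bool:
    flow = Flow("trust", "untrust", "10.3.0.10", "203.0.113.5", "http",
                access_mode, device_group)       # constructed sample addresses
    return first_match(SEC, flow, "deny") == "permit"

def verification_table() -> dict:
    """Reproduces Table 1: (device, access mode) -> Internet allowed?"""
    modes = ["wired-802.1x", "wireless-802.1x", "wired-portal", "wireless-portal"]
    return {(d, m): internet_permitted(m, d) for d in ("pc", "other") for m in modes}

if __name__ == "__main__":
    for (dev, mode), ok in verification_table().items():
        print(f"{dev:6} {mode:16} {'Y' if ok else 'N'}")
```

Running the script prints Y only for the pc/wired-portal cell. Evaluating a flow from 10.3.0.10 to 10.2.0.50 shows the SSO path from roadmap step 7: auth_policy_tsm returns none, so the request is not intercepted, and policy_sec_tsm permits it. An HTTP flow from a user who is not yet online matches auth_policy_service (portal redirect) but no security policy, so nothing reaches the Internet until the user is authenticated and classified.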
Copyright © Huawei Technologies Co., Ltd.