CLI: Example for Configuring Agile Controller SSO for Internet Access Users (Users Proactively Access the Controller)

This section provides an example for configuring Agile Controller (Policy Center or Agile Controller) Single Sign On (SSO) for Internet access users when a FW works as an egress gateway. Users need to proactively access the Agile Controller portal authentication page and must be authenticated before accessing services.

Networking Requirements

An enterprise has deployed a FW as the egress gateway to connect the intranet to the Internet, as shown in Figure 1.

The Agile Controller identity authentication mechanism is enabled on the intranet, and information about users and user group is saved on a Agile Controller server.
Internet access users on the intranet include R&D employees and marketing employees.

Figure 1 Agile Controller SSO for Internet access users

The user management and authentication mechanisms of the FW must identify IP addresses on the intranet as users to implement user-specific behavior control and permission assignment. Requirements are as follows:

Information about users and departments is saved on the FW and can be referenced by policies.
After passing the authentication by entering correct Agile Controller accounts and passwords, R&D employees and marketing employees can access network resources. R&D employees and marketing employees are identified by the user names they use for Agile Controller authentication.
If the Agile Controller accounts of new employees have been created on a Agile Controller server but not stored on a FW, the FW considers them as temporary users and assigns them permissions of the specified group.

Configuration Roadmap

This example describes only how to configure user management and authentication.

The configuration roadmap is as follows:

Add the FW on the Agile Controller server and configure the Agile Controller server on the FW to enable the FW and Agile Controller server to communicate.
Configure a policy to import user information from the Agile Controller server to the FW.
Set Agile Controller SSO parameters on the FW.
Set a new user authentication option for the default authentication domain. After a new user is authenticated, the user adopts the permission of the newuser group to access network resources.
To prevent repeated login to the Agile Controller server for authentication because of frequent timeouts during the working hours (such as eight hours), you need to set the user online timeout duration to 480 minutes.
On the FW, configure an authentication policy for users' service traffic and set the action to authentication exemption.
Because the FW is deployed between users and the Agile Controller server, authentication packets pass through the FW. Therefore, to implement SSO, configure an authentication policy to disable the FW from authenticating the authentication requests destined for the Agile Controller server and configure security policies to ensure normal communication between the FW and Agile Controller server.

Data Planning

Item	Data	Description
Agile Controller server	Service Name: auth_server_tsm Agile Controller IP Address: 10.2.0.50 Server Port: 8084 Encryption: AES128 Shared Key: Admin@123	On a FW, set the parameters for communication with a Agile Controller server. The parameter settings on the FW must be consistent with those on the Agile Controller server.
User information import policy	Name: policy_import Server Type: Agile Controller Server Name: auth_server_tsm Import Type: Import both users and user groups Target User Group: /default Automatic Synchronization from Server: 120 minutes Overwrite local user records when the current user exists	Import users from the Agile Controller server to the FW.
Parent group of new users	Name: newuser Parent Group: /default	As a temporary user, and use permission of this group newuser.
Agile Controller SSO	Agile Controller SSO: Enable Internet Access After Identity Authentication	Set SSO parameters on the FW and configure the FW to receive the user login and logout information from the Agile Controller server.

Procedure

Add the FW on the Agile Controller server.

The following example describes Agile Controller. The user interface may vary with the version. For details, refer to the Policy Center or Agile Controller product documentation of a specific version.
1. Choose System Configuration > Server Configuration > Online Behavior Management Device.
2. Click Add and set the following parameters.
  
  The Port must be the same as the Agile Controller SSO listening port on the FW. The default value is 8001.
  
  The Key and Encryption Algorithm must be the same as the shared key and encryption algorithm in 4.
  
  If the FWs work in hot standby mode, you need to add Online Behavior Management Device twice on the Agile Controller server. The IP Address parameters must be set respectively to the real IP addresses of the active and standby device interfaces connecting to the Agile Controller server.
3. Click OK.

Set interface IP addresses and assign interfaces to security zones on the FW. The following example describes how to configure interface GigabitEthernet 0/0/3. You can configure other interfaces based on the networking diagram.

<FW> system-view
[FW] interface GigabitEthernet 0/0/3
[FW-GigabitEthernet0/0/3] ip address 10.3.0.1 24
[FW-GigabitEthernet0/0/3] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 0/0/3
[FW-zone-trust] quit

Configure security policies to ensure the communication among the users, Agile Controller server, and FW.

Configure a security policy between the Trust zone (users) and DMZ (Agile Controller server) for users to get authenticated by the Agile Controller server.

[FW] security-policy
[FW-policy-security] rule name sec_policy_tsm
[FW-policy-security-rule-sec_policy_tsm] source-zone trust
[FW-policy-security-rule-sec_policy_tsm] source-address 10.3.0.0 24
[FW-policy-security-rule-sec_policy_tsm] destination-zone dmz
[FW-policy-security-rule-sec_policy_tsm] destination-address 10.2.0.0 24
[FW-policy-security-rule-sec_policy_tsm] action permit
[FW-policy-security-rule-sec_policy_tsm] quit

Configure security policies between the DMZ (TSM server) and Local zone for the Agile Controller server and FW to communicate.

[FW-policy-security] rule name local_policy_tsm_01
[FW-policy-security-rule-local_policy_tsm_01] source-zone local
[FW-policy-security-rule-local_policy_tsm_01] destination-zone dmz
[FW-policy-security-rule-local_policy_tsm_01] action permit
[FW-policy-security-rule-local_policy_tsm_01] quit
[FW-policy-security] rule name local_policy_tsm_02
[FW-policy-security-rule-local_policy_tsm_02] source-zone dmz
[FW-policy-security-rule-local_policy_tsm_02] destination-zone local
[FW-policy-security-rule-local_policy_tsm_02] action permit
[FW-policy-security-rule-local_policy_tsm_02] quit

Configure a security policy to allow users to access the Internet.

[FW-policy-security] rule name policy_sec_02
[FW-policy-security-rule-policy_sec_02] source-zone trust
[FW-policy-security-rule-policy_sec_02] source-address 10.3.0.0 24
[FW-policy-security-rule-policy_sec_02] destination-zone untrust
[FW-policy-security-rule-policy_sec_02] action permit
[FW-policy-security-rule-policy_sec_02] quit
[FW-policy-security] quit

On a FW, set the parameters for communication with a Agile Controller server.

The parameter settings on the FW must be consistent with those on the Agile Controller server. In most cases, the server port of Policy Center is 8080, and that of Agile Controller is 8084.

[FW] tsm-server template auth_server_tsm 
[FW-tsm-auth_server_tsm] tsm-server ip-address 10.2.0.50
[FW-tsm-auth_server_tsm] tsm-server port 8084
[FW-tsm-auth_server_tsm] tsm-server encryption-mode aes128 shared-key Admin@123
[FW-tsm-auth_server_tsm] test tsm-server template auth_server_tsm
[FW-tsm-auth_server_tsm] quit

Configure a policy to import user information from the Agile Controller server to the FW.

[FW-tsm-auth_server_tsm] user-manage import-policy policy_import from tsm  
[FW-import-policy_import] server template auth_server_tsm         
[FW-import-policy_import] server basedn root  
[FW-import-policy_import] destination-group /default 
[FW-import-policy_import] import-type user-group   
[FW-import-policy_import] import-override enable 
[FW-import-policy_import] time-interval 120

User information on the TSM server can be imported only to the default authentication domain.

Execute the import policy to import users to the FW.

[FW] execute user-manage import-policy policy_import

Create a parent group for new users on the FW.

[FW] user-manage group /default/newuser
[FW-usergroup-/default/newuser] quit

Set SSO parameters on the FW.

[FW] user-manage single-sign-on tsm
[FW-sso-tsm] enable
[FW-sso-tsm] quit
[FW] user-manage server-sync tsm
[FW-srv-sync-tsm] sync-address 10.3.0.0 24
[FW-srv-sync-tsm] enable
[FW-srv-sync-tsm] quit

Set a new user authentication option for the authentication domain.

[FW] aaa
[FW-aaa] domain default
[FW-aaa-domain-default] service-type internetaccess
[FW-aaa-domain-default] new-user add-temporary group /default/newuser
[FW-aaa-domain-default] quit
[FW-aaa] quit

Set the online user timeout duration to 480 minutes.
```
[FW] user-manage online-user aging-time 480
```
Configure the action in the authentication policy for users to access the Agile Controller server as no-authentication so that the users' authentication packets can go through the FW to the Agile Controller server. Configure the action in the authentication policy for users' service traffic to authentication exemption so that the FW can obtain user information through SSO.
```
[FW] auth-policy
[FW-policy-auth] rule name auth_policy_tsm
[FW-policy-auth-rule-auth_policy_tsm] source-zone trust
[FW-policy-auth-rule-auth_policy_tsm] destination-zone dmz 
[FW-policy-auth-rule-auth_policy_tsm] source-address 10.3.0.0 24
[FW-policy-auth-rule-auth_policy_tsm] destination-address 10.2.0.50 32
[FW-policy-auth-rule-auth_policy_tsm] action none
[FW-policy-auth-rule-auth_policy_tsm] quit
[FW-policy-auth] rule name auth_policy_service
[FW-policy-auth-rule-auth_policy_service] source-zone trust
[FW-policy-auth-rule-auth_policy_service] source-address 10.3.0.0 24
[FW-policy-auth-rule-auth_policy_service] action exempt-auth
[FW-policy-auth-rule-auth_policy_service] quit
```
If the action of the authentication policy is set to authentication exemption, the FW obtains user information through SSO and permits the traffic when user information fails to be obtained during SSO authentication. If the network has high security requirements, set the action of the authentication policy to portal authentication. Then the FW will implement portal authentication on the users failing the SSO authentication.
After the configuration is complete, you can configure security policies, PBR policies, bandwidth policies, quota control policies, proxy policies, and audit policies that reference the user and user group objects.

Verification

Run the display user-manage user and display user-manage group commands on the FW to display information about users and user groups.
R&D employees can access network resources after successful logins based on Agile Controller accounts and passwords.
Marketing employees can access network resources after successful logins based on Agile Controller accounts and passwords.

Run the display user-manage online-user command on the FW to display information about online users.

<FW> display user-manage online-user verbose            
 Current Total Number: 1                                                        
--------------------------------------------------------------------------------                                      
 IP Address: 10.3.0.2                                                        
 Login Time: 2015-01-21 14:58:36  Online Time: 00:00:49                         
 State: Active  TTL: 00:30:00  Left Time: 00:29:59                              
 Access Type: local                                                             
 Authentication Mode: Single Sign-on                                          
 Access Device Type: unknown
 <--packets: 0 bytes: 0  -->packets: 0 bytes: 0                                 
 Build ID: 0
 User Name: user_0001 Parent User Group: /default/research 
--------------------------------------------------------------------------------

Configuration Scripts

#
 sysname FW
# 
 user-manage online-user aging-time 480
 user-manage single-sign-on tsm
  enable
#
tsm-server template auth_server_tsm 
 tsm-server encryption-mode aes128 shared-key %$%$|5<h@/062'gA|%:9CO.2/JA8%$%$
 tsm-server ip-address 10.2.0.50
# 
security-policy
 rule name sec_policy_tsm  
  source-zone trust 
  destination-zone dmz
  source-address 10.3.0.0 24
  destination-address 10.2.0.0 24
  action permit
 rule name local_policy_tsm_01
  source-zone local
  destination-zone dmz
  action permit 
 rule name local_policy_tsm_02
  source-zone dmz
  destination-zone local
  action permit 
 rule name policy_sec_02    
  source-zone trust
  source-address 10.3.0.0 24     
  destination-zone untrust
  action permit
#
auth-policy
 rule name auth_policy_tsm
  source-zone trust
  destination-zone dmz 
  source-address 10.3.0.0 24
  destination-address 10.2.0.50 32
  action none
 rule name auth_policy_service
  source-zone trust
  source-address 10.3.0.0 24
  action exempt-auth
#
user-manage server-sync tsm
 sync-address 10.3.0.0 24
 enable
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0 
#
firewall zone trust
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 add interface GigabitEthernet0/0/2
#
user-manage import-policy policy_import from tsm    
 server template auth_server_tsm         
 server basedn root
 destination-group /default 
 import-type user-group   
 import-override enable 
 time-interval 120
# 
aaa
 domain default   
  service-type internetaccess
  new-user add-temporary group /default/newuser

# The following configuration is used to perform a one-time operation and not stored in the configuration profile.
 execute user-manage import-policy policy_import
 user-manage group /default/newuser
 test tsm-server template auth_server_tsm