
Web: Example for Configuring Agile Controller SSO for Internet Access Users (Users Proactively Access the Controller)

This section provides an example for configuring Agile Controller (or Policy Center) Single Sign-On (SSO) for Internet access users when a FW works as the egress gateway. Users proactively access the Agile Controller portal authentication page and must be authenticated before they can access services.

Networking Requirements

An enterprise has deployed a FW as the egress gateway to connect the intranet to the Internet, as shown in Figure 1.

  • The Agile Controller identity authentication mechanism is enabled on the intranet, and information about users and user groups is saved on an Agile Controller server.
  • Internet access users on the intranet include R&D employees and marketing employees.
Figure 1 Agile Controller SSO for Internet access users

The user management and authentication mechanisms of the FW must identify IP addresses on the intranet as users to implement user-specific behavior control and permission assignment. Requirements are as follows:

  • Information about users and departments is saved on the FW and can be referenced by policies.
  • After passing authentication by entering correct Agile Controller accounts and passwords, R&D employees and marketing employees can access network resources. They are identified by the user names they use for Agile Controller authentication.
  • If the Agile Controller accounts of new employees have been created on the Agile Controller server but are not yet stored on the FW, the FW treats them as temporary users and assigns them the permissions of the specified group.

Configuration Roadmap

This example describes only how to configure user management and authentication.

The configuration roadmap is as follows:

  1. Add the FW on the Agile Controller server and configure the Agile Controller server on the FW so that the two can communicate.
  2. Configure a policy to import user information from the Agile Controller server to the FW.
  3. Set Agile Controller SSO parameters on the FW.
  4. Set the new-user authentication option for the default authentication domain so that a newly authenticated user who has no account on the FW receives the permissions of the newuser group.
  5. Set the online user timeout duration to 480 minutes so that users are not forced to log in to the Agile Controller server again because of timeouts during a normal working day (eight hours).
  6. On the FW, configure an authentication policy for the users' service traffic with the action set to authentication exemption.
  7. Because the FW sits between the users and the Agile Controller server, authentication packets traverse the FW. To implement SSO, configure an authentication policy so that the FW does not authenticate requests destined for the Agile Controller server, and configure security policies that allow the FW and the Agile Controller server to communicate.

Data Planning

Item: Agile Controller server
Data:
  • Service Name: auth_server_tsm
  • Agile Controller IP Address: 10.2.0.50
  • Server Port: 8084
  • Encryption: AES128
  • Shared Key: Admin@123
Description: On the FW, set the parameters for communication with the Agile Controller server. The parameter settings on the FW must be consistent with those on the Agile Controller server. Admin@123 is an example value only; use a strong, unique shared key in production.

Item: User information import policy
Data:
  • Name: policy_import
  • Server Type: Agile Controller
  • Server Name: auth_server_tsm
  • Import Type: Import both users and user groups
  • Target User Group: /default
  • Automatic Synchronization from Server: 120 minutes
  • Overwrite local user records when the current user exists
Description: Import users from the Agile Controller server to the FW.

Item: Parent group of new users
Data:
  • Name: newuser
  • Parent Group: /default
Description: A user whose account exists on the Agile Controller server but not on the FW is treated as a temporary user and receives the permissions of the newuser group.

Item: Agile Controller SSO
Data:
  • Agile Controller SSO: Enable
  • Internet Access After Identity Authentication
Description: Set SSO parameters on the FW and configure the FW to receive user login and logout information from the Agile Controller server.

Procedure

  1. Add the FW on the Agile Controller server.

    The following example uses Agile Controller. The user interface may vary with the version; for details, see the Policy Center or Agile Controller product documentation for your version.

    1. Choose System Configuration > Server Configuration > Online Behavior Management Device.
    2. Click Add and set the following parameters.

      The Port must be the same as the Agile Controller SSO listening port on the FW (step 6).

      The Key and Encryption Algorithm must be the same as the shared key and encryption algorithm configured on the FW (step 4).

      If the FWs work in hot standby mode, add the Online Behavior Management Device twice on the Agile Controller server, setting IP Address respectively to the real IP addresses of the active and standby devices' interfaces that connect to the Agile Controller server.

    3. Click OK.
  2. Choose Network > Interface, set IP addresses for the interfaces and assign the interfaces to security zones.

    The following example shows how to configure interface GigabitEthernet 0/0/3. Configure the other interfaces according to the networking diagram.

    Zone: trust
    IP Address: 10.3.0.1/24

  3. Choose Policy > Security Policy > Security Policy, click Add to configure security policies.
    1. Configure a security policy between the Trust zone (users) and the DMZ (Agile Controller server) so that users can be authenticated by the Agile Controller server.

      Name: sec_policy_tsm
      Source Zone: trust
      Destination Zone: dmz
      Source Address: 10.3.0.0/24
      Destination Address: 10.2.0.0/24
      Action: Permit

    2. Configure security policies between the DMZ (Agile Controller server) and the Local zone so that the Agile Controller server and the FW can communicate.

      Name: local_policy_tsm_01
      Source Zone: local
      Destination Zone: dmz
      Action: Permit

      Name: local_policy_tsm_02
      Source Zone: dmz
      Destination Zone: local
      Action: Permit

      These two rules as shown are not restricted by address or service. On a production network, narrow them to the Agile Controller server address and the ports actually used between the FW and the server.

    3. Configure a security policy to allow users to access the Internet.

      Name: policy_sec_02
      Source Zone: trust
      Destination Zone: untrust
      Source Address: 10.3.0.0/24
      Action: Permit

  4. On the FW, choose Object > Authentication Server > Agile Controller, click Add and set the parameters for communication with the Agile Controller server.

    The parameter settings on the FW must be consistent with those on the Agile Controller server. In most cases, the server port of Policy Center is 8080 and that of Agile Controller is 8084.

    Click Detect. In the dialog box that is displayed, click OK to check the connectivity to the Agile Controller server.

  5. On the FW, choose Object > User > User Import > Server Import, click Add and configure a policy to import user information from the Agile Controller server to the FW.

    User information on the Agile Controller server can be imported only to the default authentication domain.

  6. Choose Object > User > default, configure Agile Controller SSO and click Apply.

    In this step, click Configure on the right of Server Import Policy. A dialog box is displayed. Click Import Immediately corresponding to policy_import. After the import is complete, the user groups and users on the Agile Controller server are displayed in User/User Group/Security Group Management List.

  7. Choose Object > User > Authentication Option, set the online user timeout duration to 480 minutes.
  8. Choose Object > User > Authentication Policy, click Add to configure authentication policies. Set the action of the authentication policy for traffic from users to the Agile Controller server to no-authentication so that the users' authentication packets pass through the FW to the Agile Controller server. Set the action of the authentication policy for the users' service traffic to authentication exemption so that the FW obtains the user identity through SSO.

    Name: auth_policy_tsm
    Source Zone: Trust
    Destination Zone: dmz
    Source Address/Region: 10.3.0.0/24
    Destination Address/Region: 10.2.0.50/32
    Action: No authentication

    Name: auth_policy_service
    Source Zone: Trust
    Source Address/Region: 10.3.0.0/24
    Action: Authentication exemption

    With the action set to authentication exemption, the FW obtains the user identity through SSO but still permits the traffic when no user information can be obtained, so the policy is fail-open for unidentified hosts. If the network has high security requirements, set the action to portal authentication instead; the FW then applies portal authentication to users for whom SSO provided no identity.

  9. After the configuration is complete, you can configure security policies, PBR policies, bandwidth policies, quota control policies, proxy policies, and audit policies that reference the user and user group objects.

Verification

  • R&D employees can access network resources after successful logins based on Agile Controller accounts and passwords.
  • Marketing employees can access network resources after successful logins based on Agile Controller accounts and passwords.
  • On the FW, choose Object > User > Online User to see information about online users.

Configuration Scripts

#
 sysname FW
# 
 user-manage online-user aging-time 480
 user-manage single-sign-on tsm
  enable
#
tsm-server template auth_server_tsm 
 tsm-server encryption-mode aes128 shared-key %$%$|5<h@/062'gA|%:9CO.2/JA8%$%$
 tsm-server ip-address 10.2.0.50
# 
security-policy
 rule name sec_policy_tsm  
  source-zone trust 
  destination-zone dmz
  source-address 10.3.0.0 24
  destination-address 10.2.0.0 24
  action permit
 rule name local_policy_tsm_01
  source-zone local
  destination-zone dmz
  action permit 
 rule name local_policy_tsm_02
  source-zone dmz
  destination-zone local
  action permit 
 rule name policy_sec_02    
  source-zone trust
  source-address 10.3.0.0 24     
  destination-zone untrust
  action permit
#
auth-policy
 rule name auth_policy_tsm
  source-zone trust
  destination-zone dmz 
  source-address 10.3.0.0 24
  destination-address 10.2.0.50 32
  action none
 rule name auth_policy_service
  source-zone trust
  source-address 10.3.0.0 24
  action exempt-auth
#
user-manage server-sync tsm
 sync-address 10.3.0.0 24
 enable
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0 
#
firewall zone trust
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 add interface GigabitEthernet0/0/2
#
user-manage import-policy policy_import from tsm    
 server template auth_server_tsm         
 server basedn root
 destination-group /default 
 import-type user-group   
 import-override enable 
 time-interval 120
# 
aaa
 domain default   
  service-type internetaccess
  internet-access mode single-sign-on
  new-user add-temporary group /default/newuser

# The following commands perform one-time operations and are not stored in the configuration file.
 execute user-manage import-policy policy_import
 user-manage group /default/newuser
 test tsm-server template auth_server_tsm
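As an added check, not part of this page or of Huawei's tooling, the following Python script parses a configuration script in the indentation-based format shown above and verifies the invariants the procedure relies on: SSO enabled, a 480-minute online-user aging time, a tsm-server template with an address, an auth-policy rule scoped to that address with action none, the default domain in single-sign-on mode with a temporary group for new users, and a warning for any service-traffic rule whose exempt-auth action is fail-open (the caveat in step 8). The embedded excerpt is constructed from the page's configuration script with the shared key redacted; the CLI keyword `action auth` named in the warning as the portal-authentication alternative is an assumption, since the page shows only `none` and `exempt-auth`.

```python
"""Added example: sanity-check an Agile Controller SSO configuration script."""

# Constructed excerpt of the page's configuration script (shared key redacted).
SAMPLE_CONFIG = """\
 user-manage online-user aging-time 480
 user-manage single-sign-on tsm
  enable
#
tsm-server template auth_server_tsm
 tsm-server ip-address 10.2.0.50
#
auth-policy
 rule name auth_policy_tsm
  source-zone trust
  destination-zone dmz
  source-address 10.3.0.0 24
  destination-address 10.2.0.50 32
  action none
 rule name auth_policy_service
  source-zone trust
  source-address 10.3.0.0 24
  action exempt-auth
#
aaa
 domain default
  internet-access mode single-sign-on
  new-user add-temporary group /default/newuser
"""


class Node:
    def __init__(self, text):
        self.text, self.children = text, []


def parse_vrp(text):
    """Build a tree from indentation (VRP style); a '#' line closes all open blocks."""
    root = Node("")
    stack = [(-1, root)]  # (indent, node) of the currently open blocks
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            stack = [(-1, root)]
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= indent:  # pop blocks at the same or a deeper level
            stack.pop()
        node = Node(line)
        stack[-1][1].children.append(node)
        stack.append((indent, node))
    return root


def child(node, prefix):
    """First child of node whose text starts with prefix, or None."""
    return next((c for c in node.children if c.text.startswith(prefix)), None) if node else None


def value(node, prefix):
    """Text after prefix in the first matching child, or None."""
    c = child(node, prefix)
    return c.text[len(prefix):].strip() if c else None


def check_sso_config(text):
    """Return (severity, message) findings; an empty list means every check passed."""
    cfg, findings = parse_vrp(text), []
    if value(cfg, "user-manage online-user aging-time ") != "480":
        findings.append(("error", "online-user aging-time is not 480 minutes"))
    if not child(child(cfg, "user-manage single-sign-on tsm"), "enable"):
        findings.append(("error", "Agile Controller SSO (single-sign-on tsm) is not enabled"))
    server_ip = value(child(cfg, "tsm-server template "), "tsm-server ip-address ")
    if server_ip is None:
        findings.append(("error", "no tsm-server template with an ip-address"))
    auth = child(cfg, "auth-policy")
    auth_rules = [r for r in auth.children if r.text.startswith("rule name ")] if auth else []
    # Packets to the controller must bypass authentication: 'action none', scoped to its /32.
    to_server = [r for r in auth_rules if value(r, "destination-address ") == f"{server_ip} 32"]
    if not to_server:
        findings.append(("error", f"no auth-policy rule scoped to the controller {server_ip}/32"))
    elif value(to_server[0], "action ") != "none":
        findings.append(("error", f"rule {to_server[0].text[10:]} must use 'action none'"))
    # Service traffic with 'exempt-auth' is still permitted when SSO yields no identity.
    for r in auth_rules:
        if r in to_server:
            continue
        if value(r, "action ") == "exempt-auth":
            findings.append(("warning", f"rule {r.text[10:]} is fail-open (exempt-auth); use "
                             "portal authentication ('action auth', assumed keyword) if "
                             "unidentified users must not pass"))
    domain = child(child(cfg, "aaa"), "domain default")
    if not child(domain, "internet-access mode single-sign-on"):
        findings.append(("error", "domain default is not in single-sign-on mode"))
    if value(domain, "new-user add-temporary group ") is None:
        findings.append(("warning", "no temporary group for new users (roadmap step 4)"))
    return findings
```

Call check_sso_config on a saved copy of the FW configuration script; on the page's own configuration it returns a single warning for auth_policy_service, and nothing at all once that rule's action is changed from exempt-auth to portal authentication.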
Copyright © Huawei Technologies Co., Ltd.