
CLI: Example for Configuring Agile Controller SSO for Internet Access Users (Users' HTTP Services Are Redirected to the Controller)

This section provides an example for configuring Agile Controller (Policy Center or Agile Controller) Single Sign-On (SSO) for Internet access users when the FW works as an egress gateway. In redirected authentication, users access HTTP services and the FW redirects their HTTP requests to the Agile Controller portal authentication page. After the authentication succeeds, the users continue to access services.

Networking Requirements

An enterprise has deployed a FW as the egress gateway to connect the intranet to the Internet, as shown in Figure 1.

  • The Agile Controller identity authentication mechanism is enabled on the intranet, and user and user group information is saved on an Agile Controller server.
  • Internet access users on the intranet include R&D employees and marketing employees.
Figure 1 Agile Controller SSO for Internet access users

The user management and authentication mechanisms of the FW must identify IP addresses on the intranet as users to implement user-specific behavior control and permission assignment. Requirements are as follows:

  • R&D employees and marketing employees can access HTTP services without proactively accessing the Agile Controller portal authentication page, because their HTTP requests will be automatically redirected to the Agile Controller portal authentication page.
  • After passing the authentication by entering correct Agile Controller accounts and passwords, R&D employees and marketing employees can access network resources. R&D employees and marketing employees are identified by the user names they use for Agile Controller authentication.
  • The FW saves department information, not user information. The permissions of authenticated users are controlled on the basis of the groups they belong to.

Configuration Roadmap

This example describes only how to configure user management and authentication.

The configuration roadmap is as follows:

  1. Add the FW on the Agile Controller server and configure the Agile Controller server on the FW to enable the FW and Agile Controller server to communicate.
  2. Configure a policy to import group information from the Agile Controller server to the FW.
  3. Set Agile Controller SSO parameters on the FW.
  4. Set a new user authentication item for the authentication domain. New users are temporary users after being authenticated.
  5. Set the URL of the redirected authentication page to the address of the Agile Controller portal authentication page for the users that directly access HTTP services.
  6. Configure an authentication policy to authenticate users before they access the Internet.
  7. Because the FW is deployed between the users and the Agile Controller server, authentication packets pass through the FW. To implement SSO, configure an authentication policy that exempts requests destined for the Agile Controller server from authentication, and configure security policies to permit communication among the users, the FW, and the Agile Controller server.

Data Planning

Item: Agile Controller server
Data:
  • Service Name: auth_server_tsm
  • Agile Controller IP Address: 10.2.0.50
  • Server Port: 8084
  • Encryption: AES128
  • Shared Key: Admin@123
Description: On the FW, set the parameters for communication with an Agile Controller server. The parameter settings on the FW must be consistent with those on the Agile Controller server.

Item: User information import policy
Data:
  • Name: policy_import
  • Server Type: Agile Controller
  • Server Name: auth_server_tsm
  • Import Type: Import only user groups
  • Target User Group: /default
  • Automatic Synchronization from Server: 120 minutes
  • Overwrite local user records when the current user exists
Description: Import groups from the Agile Controller server to the FW.

Item: Parent group of new users
Data: New users preferentially use the permissions of their parent groups on the server. If their parent groups do not exist on the server, the users use the permissions of the /default group.
Description: All users passing Agile Controller authentication are new users for the FW.

Item: Agile Controller authentication portal address
Data: http://10.2.0.50:8080/portal
Description: This address must be the same as the setting on the Agile Controller server.

Item: Agile Controller SSO
Data:
  • Agile Controller SSO: Enable
  • Internet Access After Identity Authentication
Description: Set SSO parameters on the FW and configure the FW to receive user login and logout information from the Agile Controller server.

Procedure

  1. Add the FW on the Agile Controller server.

    The following example describes Agile Controller. The user interface may vary with the version. For details, refer to the Policy Center or Agile Controller product documentation of a specific version.

    1. Choose System Configuration > Server Configuration > Online Behavior Management Device.
    2. Click Add and set the following parameters.

      The Port must be the same as the Agile Controller SSO listening port on the FW. The default value is 8001.

      The Key and Encryption Algorithm must be the same as the shared key and encryption algorithm configured on the FW in step 4.

      If the FWs work in hot standby mode, you need to add Online Behavior Management Device twice on the Agile Controller server. The IP Address parameters must be set respectively to the real IP addresses of the active and standby device interfaces connecting to the Agile Controller server.

    3. Click OK.
  2. Set interface IP addresses and assign interfaces to security zones on the FW. The following example describes how to configure interface GigabitEthernet 0/0/3. You can configure other interfaces based on the networking diagram.

    <FW> system-view
    [FW] interface GigabitEthernet 0/0/3
    [FW-GigabitEthernet0/0/3] ip address 10.3.0.1 24
    [FW-GigabitEthernet0/0/3] quit
    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet 0/0/3
    [FW-zone-trust] quit
    

  3. Configure security policies to ensure the communication among the users, Agile Controller server, and FW.
    1. Configure a security policy between the Trust zone (users) and DMZ (Agile Controller server) for users to get authenticated by the Agile Controller server.

      [FW] security-policy
      [FW-policy-security] rule name sec_policy_tsm
      [FW-policy-security-rule-sec_policy_tsm] source-zone trust
      [FW-policy-security-rule-sec_policy_tsm] source-address 10.3.0.0 24
      [FW-policy-security-rule-sec_policy_tsm] destination-zone dmz
      [FW-policy-security-rule-sec_policy_tsm] destination-address 10.2.0.0 24
      [FW-policy-security-rule-sec_policy_tsm] action permit
      [FW-policy-security-rule-sec_policy_tsm] quit
      

      If the URL of the authentication page is a domain name and a DNS server for resolving the URL is deployed in the DMZ, you need to enable the DNS service from the Trust zone to DMZ.

    2. Configure security policies between the DMZ (Agile Controller server) and the Local zone so that the Agile Controller server and the FW can communicate.

      [FW-policy-security] rule name local_policy_tsm_01
      [FW-policy-security-rule-local_policy_tsm_01] source-zone local
      [FW-policy-security-rule-local_policy_tsm_01] destination-zone dmz
      [FW-policy-security-rule-local_policy_tsm_01] action permit
      [FW-policy-security-rule-local_policy_tsm_01] quit
      [FW-policy-security] rule name local_policy_tsm_02
      [FW-policy-security-rule-local_policy_tsm_02] source-zone dmz
      [FW-policy-security-rule-local_policy_tsm_02] destination-zone local
      [FW-policy-security-rule-local_policy_tsm_02] action permit
      [FW-policy-security-rule-local_policy_tsm_02] quit
      

    3. Configure a security policy to allow users to access the Internet.

      [FW-policy-security] rule name policy_sec_02
      [FW-policy-security-rule-policy_sec_02] source-zone trust
      [FW-policy-security-rule-policy_sec_02] source-address 10.3.0.0 24
      [FW-policy-security-rule-policy_sec_02] destination-zone untrust
      [FW-policy-security-rule-policy_sec_02] action permit
      [FW-policy-security-rule-policy_sec_02] quit
      [FW-policy-security] quit
      

      Enable the DNS service for the Trust -> Untrust interzone to allow HTTP domain name resolution packets through.

  4. On the FW, set the parameters for communication with the Agile Controller server.

    The parameter settings on the FW must be consistent with those on the Agile Controller server. In most cases, the server port of Policy Center is 8080, and that of Agile Controller is 8084.

    [FW] tsm-server template auth_server_tsm
    [FW-tsm-auth_server_tsm] tsm-server ip-address 10.2.0.50
    [FW-tsm-auth_server_tsm] tsm-server port 8084
    [FW-tsm-auth_server_tsm] tsm-server encryption-mode aes128 shared-key Admin@123
    [FW-tsm-auth_server_tsm] test tsm-server template auth_server_tsm
    [FW-tsm-auth_server_tsm] quit
    

  5. Configure a policy to import user information from the Agile Controller server to the FW.

    [FW] user-manage import-policy policy_import from tsm
    [FW-import-policy_import] server template auth_server_tsm
    [FW-import-policy_import] server basedn root
    [FW-import-policy_import] destination-group /default
    [FW-import-policy_import] import-type group
    [FW-import-policy_import] import-override enable
    [FW-import-policy_import] time-interval 120
    [FW-import-policy_import] quit

    User information on the Agile Controller server can be imported only to the default authentication domain.

  6. Execute the import policy to import users to the FW.

    [FW] execute user-manage import-policy policy_import

  7. Set SSO parameters on the FW.

    [FW] user-manage single-sign-on tsm
    [FW-sso-tsm] enable
    [FW-sso-tsm] quit
    [FW] user-manage server-sync tsm
    [FW-srv-sync-tsm] sync-address 10.3.0.0 24
    [FW-srv-sync-tsm] enable
    [FW-srv-sync-tsm] quit
    

  8. Set a new user authentication item for the authentication domain.

    [FW] aaa
    [FW-aaa] domain default
    [FW-aaa-domain-default] service-type internetaccess
    [FW-aaa-domain-default] new-user add-temporary group /default auto-import policy_import
    [FW-aaa-domain-default] quit
    [FW-aaa] quit

  9. Configure the portal authentication page.

    [FW] user-manage portal-template portal
    [FW-portal-template-portal] portal-url push information
    [FW-portal-template-portal] portal-url http://10.2.0.50:8080/portal
    [FW-portal-template-portal] quit

    The portal URL must be the same as the portal address configured on the Agile Controller server.

  10. In the authentication policy, set the action for traffic from users to the Agile Controller server to no authentication (action none) so that the users' authentication packets can pass through the FW to the Agile Controller server. Set the action for traffic from users to other services to portal authentication so that the users' HTTP service access traffic triggers authentication.

    [FW] auth-policy
    [FW-policy-auth] rule name auth_policy_tsm
    [FW-policy-auth-rule-auth_policy_tsm] source-zone trust
    [FW-policy-auth-rule-auth_policy_tsm] destination-zone dmz
    [FW-policy-auth-rule-auth_policy_tsm] source-address 10.3.0.0 24
    [FW-policy-auth-rule-auth_policy_tsm] destination-address 10.2.0.50 32
    [FW-policy-auth-rule-auth_policy_tsm] action none
    [FW-policy-auth-rule-auth_policy_tsm] quit
    [FW-policy-auth] rule name auth_policy_service
    [FW-policy-auth-rule-auth_policy_service] source-zone trust
    [FW-policy-auth-rule-auth_policy_service] destination-zone untrust
    [FW-policy-auth-rule-auth_policy_service] source-address 10.3.0.0 24
    [FW-policy-auth-rule-auth_policy_service] action auth portal-template portal
    [FW-policy-auth-rule-auth_policy_service] quit
    [FW-policy-auth] quit

  11. After the configuration is complete, you can configure security policies, PBR policies, bandwidth policies, quota control policies, proxy policies, and audit policies that reference the user and user group objects.
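The following Python model, added here as an illustration and not Huawei code, replays the decisions the FW makes in steps 7 and 10: traffic to the Agile Controller server is exempt from authentication, a user whose login the server has pushed through server-sync (only from the configured sync-address range) is forwarded, and any other HTTP request from the user network is redirected to the portal URL. The zones, addresses and rule order are taken from this example; the 203.0.113.10 destination is a constructed stand-in for an Internet host.

```python
import ipaddress

# Constructed model of this example's auth-policy and SSO state (added illustration,
# not Huawei code). Values come from steps 7, 9 and 10 of the procedure.
PORTAL_URL = "http://10.2.0.50:8080/portal"             # step 9 portal-url
SYNC_ADDRESS = ipaddress.ip_network("10.3.0.0/24")      # step 7 sync-address

# auth-policy rules from step 10, in configured order (first match wins).
AUTH_POLICY = [
    {"name": "auth_policy_tsm", "src_zone": "trust", "dst_zone": "dmz",
     "src": "10.3.0.0/24", "dst": "10.2.0.50/32", "action": "none"},
    {"name": "auth_policy_service", "src_zone": "trust", "dst_zone": "untrust",
     "src": "10.3.0.0/24", "dst": None, "action": "auth"},   # dst None = any
]

def match_rule(src_zone, dst_zone, src_ip, dst_ip, rules=AUTH_POLICY):
    """Return the first auth-policy rule matching the flow, or None if none matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule["src_zone"] != src_zone or rule["dst_zone"] != dst_zone:
            continue
        if src not in ipaddress.ip_network(rule["src"]):
            continue
        if rule["dst"] is not None and dst not in ipaddress.ip_network(rule["dst"]):
            continue
        return rule
    return None

class SsoFirewall:
    """Tracks users that the Agile Controller server has reported as logged in."""
    def __init__(self):
        self.online = {}   # IP address -> (user name, parent group)

    def server_sync_login(self, ip, user, group):
        """Login notification from the server; accepted only for sync-address users."""
        if ipaddress.ip_address(ip) not in SYNC_ADDRESS:
            return False
        self.online[ip] = (user, group)
        return True

    def handle_http(self, src_zone, dst_zone, src_ip, dst_ip):
        """Decide what the FW does with a user's HTTP request: forward or redirect."""
        rule = match_rule(src_zone, dst_zone, src_ip, dst_ip)
        if rule is None or rule["action"] == "none":
            return "forward"                 # no authentication required (assumed default)
        if src_ip in self.online:
            return "forward"                 # identity already known via SSO
        return "redirect " + PORTAL_URL      # unauthenticated: send to the portal page
```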

Verification

  • Run the display user-manage user and display user-manage group commands on the FW to display information about users and user groups.
  • Access http://www.example.org/ as an R&D employee. The HTTP request is redirected to the authentication page. After entering the Agile Controller account and password, you can continue to access network resources.
  • Access http://www.example.org/ as a marketing employee. The HTTP request is redirected to the authentication page. After entering the Agile Controller account and password, you can continue to access network resources.
  • Run the display user-manage online-user command on the FW to display information about online users.
    <FW> display user-manage online-user verbose
     Current Total Number: 1
    --------------------------------------------------------------------------------
     IP Address: 10.3.0.2
     Login Time: 2015-01-21 14:58:36  Online Time: 00:00:49
     State: Active  TTL: 00:30:00  Left Time: 00:29:59
     Access Type: local
     Authentication Mode: Single Sign-on
     Access Device Type: unknown
     <--packets: 0 bytes: 0  -->packets: 0 bytes: 0
     Build ID: 0
     User Name: user_0001 Parent User Group: /default/research
    --------------------------------------------------------------------------------
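To turn the verification step above into a repeatable check, the following added Python parser (not Huawei code) reads the display user-manage online-user verbose output shown above, which is embedded here as sample input, and lists the users that came online through SSO in a given parent group.

```python
import re

# Sample output copied from the Verification section above (the FW's own
# display user-manage online-user verbose output), embedded for offline parsing.
SAMPLE_OUTPUT = """\
<FW> display user-manage online-user verbose
 Current Total Number: 1
--------------------------------------------------------------------------------
 IP Address: 10.3.0.2
 Login Time: 2015-01-21 14:58:36  Online Time: 00:00:49
 State: Active  TTL: 00:30:00  Left Time: 00:29:59
 Access Type: local
 Authentication Mode: Single Sign-on
 Access Device Type: unknown
 <--packets: 0 bytes: 0  -->packets: 0 bytes: 0
 Build ID: 0
 User Name: user_0001 Parent User Group: /default/research
--------------------------------------------------------------------------------
"""

# Field names as printed by the FW; several fields share one line, so split on them.
FIELDS = ["IP Address", "Login Time", "Online Time", "State", "TTL", "Left Time",
          "Access Type", "Authentication Mode", "Access Device Type", "Build ID",
          "User Name", "Parent User Group"]
FIELD_RE = re.compile(r"\b(" + "|".join(re.escape(f) for f in FIELDS) + r"): ")

def parse_online_users(text):
    """Return one dict per online-user record; records are separated by dashed lines."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("---"):
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("<--") or not FIELD_RE.search(line):
            continue  # packet counters, prompt and header carry no user fields
        parts = FIELD_RE.split(line)  # ['', key, value, key, value, ...]
        for key, value in zip(parts[1::2], parts[2::2]):
            current[key] = value.strip()
    if current:
        records.append(current)
    return records

def sso_users(records, group=None):
    """User names online via Single Sign-on, optionally limited to one parent group."""
    return [r["User Name"] for r in records
            if r.get("Authentication Mode") == "Single Sign-on"
            and (group is None or r.get("Parent User Group") == group)]
```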

Configuration Scripts

#
 sysname FW
# 
user-manage single-sign-on tsm
 enable
user-manage portal-template portal 0
 portal-url push information
 portal-url http://10.2.0.50:8080/portal
#
tsm-server template auth_server_tsm
 tsm-server encryption-mode aes128 shared-key %$%$|5<h@/062'gA|%:9CO.2/JA8%$%$
 tsm-server ip-address 10.2.0.50
# 
security-policy
 rule name sec_policy_tsm  
  source-zone trust 
  destination-zone dmz
  source-address 10.3.0.0 24
  destination-address 10.2.0.0 24
  action permit
 rule name policy_sec_02  
  source-zone trust 
  destination-zone untrust
  source-address 10.3.0.0 24
  action permit
 rule name local_policy_tsm_01
  source-zone local
  destination-zone dmz
  action permit 
 rule name local_policy_tsm_02
  source-zone dmz
  destination-zone local
  action permit
#
auth-policy
 rule name auth_policy_tsm
  source-zone trust
  destination-zone dmz 
  source-address 10.3.0.0 24
  destination-address 10.2.0.50 32
  action none
 rule name auth_policy_service
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 24
  action auth portal-template portal
#
user-manage server-sync tsm
 sync-address 10.3.0.0 24
 enable
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0 
#
firewall zone trust
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 add interface GigabitEthernet0/0/2
#
user-manage import-policy policy_import from tsm
 server template auth_server_tsm
 server basedn root
 destination-group /default
 import-type group
 import-override enable
 time-interval 120
# 
aaa
 domain default   
  service-type internetaccess
  new-user add-temporary group /default auto-import policy_import

# The following configuration is used to perform a one-time operation and not stored in the configuration profile.
 execute user-manage import-policy policy_import
 test tsm-server template auth_server_tsm
Copyright © Huawei Technologies Co., Ltd.