Web: Example for Configuring Agile Controller SSO for Internet Access Users (Users' HTTP Services Are Redirected to the Controller)
This section provides an example for configuring Agile Controller (Policy Center or Agile Controller) Single Sign On (SSO) for Internet access users when a FW works as an egress gateway. In redirected authentication, users access HTTP services, and the FW then redirects the HTTP requests to the Agile Controller portal authentication page. After the authentication succeeds, the users continue to access services.
Networking Requirements
An enterprise has deployed a FW as the egress gateway to connect the intranet to the Internet, as shown in Figure 1.
- The Agile Controller identity authentication mechanism is enabled on the intranet, and information about users and user group is saved on a Agile Controller server.
- Internet access users on the intranet include R&D employees and marketing employees.
The user management and authentication mechanisms of the FW must identify IP addresses on the intranet as users to implement user-specific behavior control and permission assignment. Requirements are as follows:
- R&D employees and marketing employees can access HTTP services without proactively accessing the Agile Controller portal authentication page, because their HTTP requests will be automatically redirected to the Agile Controller portal authentication page.
- After passing the authentication by entering correct Agile Controller accounts and passwords, R&D employees and marketing employees can access network resources. R&D employees and marketing employees are identified by the user names they use for Agile Controller authentication.
- The FW saves department information, not user information. The permissions of authenticated users are controlled on the basis of the groups they belong to.
Configuration Roadmap
This example describes only how to configure user management and authentication.
The configuration roadmap is as follows:
- Add the FW on the Agile Controller server and configure the Agile Controller server on the FW to enable the FW and Agile Controller server to communicate.
- Configure a policy to import group information from the Agile Controller server to the FW.
- Set Agile Controller SSO parameters on the FW.
- Set a new user authentication option for the authentication domain. New users are temporary users after being authenticated.
- Set the URL of the redirected authentication page to the address of the Agile Controller portal authentication page for the users that directly access HTTP services.
- Configure an authentication policy to authenticate users before they access the Internet.
- Because the FW is deployed between users and the Agile Controller server, authentication packets pass through the FW. Therefore, to implement SSO, configure an authentication policy to disable the FW from authenticating the authentication requests destined for the Agile Controller server and configure security policies to ensure normal communication between the users, FW and Agile Controller server.
Data Planning
Item |
Data |
Description |
|---|---|---|
Agile Controller server |
On a FW, set the parameters for communication with a Agile Controller server. The parameter settings on the FW must be consistent with those on the Agile Controller server. |
|
User information import policy |
Import groups from the Agile Controller server to the FW. |
|
Parent group of new users |
New users preferentially use the permissions of their parent groups on the server. If their parent groups do not exist on the server, users use the permission of the /default group. |
All users passing Agile Controller authentication are new users for the FW. |
Agile Controller authentication portal address |
http://10.2.0.50:8080/portal |
This address must be the same as the setting on the Agile Controller server. |
Agile Controller SSO |
Set SSO parameters on the FW and configure the FW to receive the user login and logout information from the Agile Controller server. |
Procedure
- Add the FW on the Agile Controller server.
The following example describes Agile Controller. The user interface may vary with the version. For details, refer to the Policy Center or Agile Controller product documentation of a specific version.
- Click Add and set the following parameters.
If the FWs work in hot standby mode, you need to add Online Behavior Management Device twice on the Agile Controller server. The IP Address parameters must be set respectively to the real IP addresses of the active and standby device interfaces connecting to the Agile Controller server.
- Click Add and set the following parameters.
- Choose , set IP addresses for interfaces and assign the interfaces to security zones.
The following example describes how to configure interface GigabitEthernet 0/0/3. You can configure other interfaces based on the networking diagram.
Zone
trust
IP Address
10.3.0.1/24
- Choose , click Add to configure security policies.
- Configure a security policy between the Trust zone (users) and DMZ (Agile Controller server) for users to get authenticated by the Agile Controller server.
Name
sec_policy_tsm
Source Zone
trust
Destination Zone
dmz
Source Address
10.3.0.0/24
Destination Address
10.2.0.0/24
Action
Permit
If the URL of the authentication page is a domain name and a DNS server for resolving the URL is deployed in the DMZ, you need to enable the DNS service from the Trust zone to DMZ.
- Configure a security policy to allow users to access the Internet.
Name
policy_sec_02
Source Zone
trust
Destination Zone
untrust
Source Address
10.3.0.0/24
Action
Permit
Enable the DNS service for the Trust -> Untrust interzone to allow HTTP domain name resolution packets through.
- Configure a security policy between the Trust zone (users) and DMZ (Agile Controller server) for users to get authenticated by the Agile Controller server.
- On a FW, choose , click Add to set the parameters for communication with a Agile Controller server.
The parameter settings on the FW must be consistent with those on the Agile Controller server. In most cases, the server port of Policy Center is 8080, and that of Agile Controller is 8084.
Click Detect. In the dialog box that is displayed, click OK to check the connectivity to the Agile Controller server.
- On a FW, choose , click Add to configure a policy to import user information from the Agile Controller server to the FW.
User information on the Agile Controller server can be imported only to the default authentication domain.
- Choose , configure Agile Controller SSO and click Apply.
Click Configure on the right of Server Import Policy. A dialog box is displayed. Click Import Immediately corresponding to policy_import. After the import is complete, the user groups and users on the Agile Controller server are displayed in User/User Group/Security Group Management List.
- Choose , Set Portal server URL to Agile Controller portal authentication page.
The portal URL must be consistent with that of the Controller.
- Choose , click Add to configure authentication policies.
- After the configuration is complete, you can configure security policies, PBR policies, bandwidth policies, quota control policies, proxy policies, and audit policies that reference the user and user group objects.
Verification
- Access http://www.example.org/ as an R&D employee. The HTTP request is redirected to the authentication page. After entering the Agile Controller account and password, you can continue to access network resources.
- Access http://www.example.org/ as a marketing employee. The HTTP request is redirected to the authentication page. After entering the Agile Controller account and password, you can continue to access network resources.
- On the FW, choose to see information about online users.
Configuration Scripts
# sysname FW # user-manage single-sign-on tsm enable user-manage portal-template portal 0 portal-url push information portal-url http://10.2.0.50:8080/portal # tsm-server template auth_server_tsm tsm-server encryption-mode aes128 shared-key %$%$|5<h@/062'gA|%:9CO.2/JA8%$%$ tsm-server ip-address 10.2.0.50 # security-policy rule name sec_policy_tsm source-zone trust destination-zone dmz source-address 10.3.0.0 24 destination-address 10.2.0.0 24 action permit rule name policy_sec_02 source-zone trust destination-zone untrust source-address 10.3.0.0 24 action permit rule name local_policy_tsm_01 source-zone local destination-zone dmz action permit rule name local_policy_tsm_02 source-zone dmz destination-zone trust action permit # user-manage server-sync tsm sync-address 10.3.0.0 24 enable # auth-policy rule name auth_policy_tsm source-zone trust destination-zone dmz source-address 10.3.0.0 24 destination-address 10.2.0.50 32 action none rule name auth_policy_service source-zone trust destination-zone untrust source-address 10.3.0.0 24 action auth portal-template portal # interface GigabitEthernet0/0/1 ip address 1.1.1.1 255.255.255.0 # interface GigabitEthernet0/0/2 ip address 10.2.0.1 255.255.255.0 # interface GigabitEthernet0/0/3 ip address 10.3.0.1 255.255.255.0 # firewall zone trust add interface GigabitEthernet0/0/3 # firewall zone untrust add interface GigabitEthernet0/0/1 # firewall zone dmz add interface GigabitEthernet0/0/2 # user-manage import-policy policy_import from tsm server template auth_server_tsm server basedn root destination-group /default import-type group import-override enable time-interval 120 # aaa domain default service-type internetaccess internet-access mode single-sign-on new-user add-temporary group /default auto-import policy_import # The following configuration is used to perform a one-time operation and not stored in the configuration profile. execute user-manage import-policy policy_import test tsm-server template auth_server_tsm