
CLI: Example for Configuring Agile Controller SSO Authentication and AD Server Import for Internet Access Users

In this example, the FW serves as the egress gateway of an enterprise network; an Agile Controller server (Policy Center or Agile Controller) authenticates users, and user permissions are controlled based on the organizational structure on an AD server.

Networking Requirements

An enterprise has deployed a FW as the egress gateway to connect the intranet to the Internet, as shown in Figure 1. Details are as follows:

  • AD and Agile Controller authentication systems are both deployed on the intranet. The AD server has the enterprise's organizational structure and account and password information about all users, and the Agile Controller server (Policy Center or Agile Controller) has synchronized the account information from the AD server.
  • Internet access users on the intranet include R&D employees and marketing employees.
Figure 1 Managing and authenticating internet access users through AD Server Import and Agile Controller SSO

The user management and authentication mechanisms of the FW must identify IP addresses on the intranet as users to implement user-specific behavior control and permission assignment. Requirements are as follows:

  • Before the R&D and marketing employees access network resources, they must be authenticated by the Agile Controller server.
  • The FW controls user permissions through the organizational structure on the AD server.
  • New employees may already exist on the AD server but not yet on the FW. After such a user is authenticated, the user goes online as a temporary user under the organizational structure imported from the AD server.

Configuration Roadmap

This example describes only how to configure user management and authentication.

  1. Set AD server parameters on the FW to ensure that the FW can communicate properly with the AD server.
  2. Create an authentication domain on the FW and set its name to the same name as the domain on the AD server.
  3. Configure AD server import policies on the FW to import user information on the AD server to the FW.
  4. Configure the new user option of the authentication domain. If an authenticated user does not exist on the FW, the user goes online as a temporary user in the organization structure on the AD server.
  5. Add the FW on the Agile Controller server and configure the Agile Controller server on the FW to enable the FW and Agile Controller server to communicate.
  6. Configure security policies on the FW to allow the FW to communicate with the AD server and Agile Controller server.
  7. Set Agile Controller SSO parameters on the FW.
  8. Because the FW is deployed between users and the Agile Controller server, authentication packets pass through the FW. Therefore, to implement SSO, configure an authentication policy to disable the FW from authenticating the authentication requests destined for the Agile Controller server and configure security policies to ensure normal communication between the FW and Agile Controller server.
  9. On the FW, configure an authentication policy for users' service traffic and set the action to authentication exemption.

Data Planning

Item: AD server
Data:
  • Name: auth_server_ad
  • Primary Authentication Server IP: 10.2.0.250
  • Port: 88
  • Primary Server Host Name: ad.cce.com
  • Base DN: dc=cce, dc=com
  • LDAP Port: 389
  • Administrator DN: cn=Administrator,cn=users
  • Administrator Password: Admin@123
Description: On the FW, set the parameters for communication with the AD server. The parameter settings on the FW must be consistent with those on the AD server.

Item: Agile Controller server
Data:
  • Service Name: auth_server_tsm
  • Agile Controller IP Address: 10.2.0.251
  • Server Port: 8084
  • Encryption: AES128
  • Shared Key: Admin@123
Description: On the FW, set the parameters for communication with the Agile Controller server. The parameter settings on the FW must be consistent with those on the Agile Controller server.

Item: User information import policy
Data:
  • Name: policy_import
  • Server Type: AD
  • Server Name: auth_server_ad
  • Import Type: All
  • Target User Group: /cce.com
  • Incremental Synchronization: 120 minutes
  • Overwrite local user records when the current user exists
Description: Import users and user groups from the AD server to the FW.

Item: Security policy
Data:
  • Name: policy_sec_1
  • Source Zone: trust
  • Destination Zone: dmz
  • Source Address/Region: 10.3.0.0/24
  • Destination Address/Region: 10.2.0.251/32
  • Action: Permit
Description: Configure a security policy for the Trust (intranet users) -> DMZ (Agile Controller server) interzone so that users can be authenticated by the Agile Controller server.
Data:
  • Name: policy_sec_2
  • Source Zone: local
  • Destination Zone: dmz
  • Action: Permit
Data:
  • Name: policy_sec_3
  • Source Zone: dmz
  • Destination Zone: local
  • Action: Permit
Description: Configure security policies (policy_sec_2 and policy_sec_3) to allow the FW to communicate with the AD and Agile Controller servers in both directions.

Item: Authentication policy
Data:
  • Name: auth_policy_tsm
  • Source Zone: trust
  • Destination Zone: dmz
  • Source Address/Region: 10.3.0.0/24
  • Destination Address/Region: 10.2.0.251/32
  • Action: No authentication
Description: To implement SSO, configure an authentication policy that prevents the FW from processing the authentication requests sent to the Agile Controller server.
Data:
  • Name: auth_policy_http
  • Source Zone: trust
  • Source Address/Region: 10.3.0.0/24
  • Action: Authentication exemption
Description: Configure an authentication policy on the FW for users' service traffic and set the action to authentication exemption.

Procedure

  1. Configure security policies to ensure the communication among the users, Agile Controller server, AD server, and FW.
    1. Configure a security policy between the Trust zone (users) and DMZ (Agile Controller server) for users to get authenticated by the Agile Controller server.

      [FW] security-policy
      [FW-policy-security] rule name policy_sec_1
      [FW-policy-security-rule-policy_sec_1] source-zone trust
      [FW-policy-security-rule-policy_sec_1] source-address 10.3.0.0 24
      [FW-policy-security-rule-policy_sec_1] destination-zone dmz
      [FW-policy-security-rule-policy_sec_1] destination-address 10.2.0.251 32
      [FW-policy-security-rule-policy_sec_1] action permit
      [FW-policy-security-rule-policy_sec_1] quit

    2. Configure security policies between the DMZ (where the AD and Agile Controller servers reside) and the Local zone in both directions, so that the AD and Agile Controller servers can communicate with the FW.

      [FW-policy-security] rule name policy_sec_2
      [FW-policy-security-rule-policy_sec_2] source-zone local
      [FW-policy-security-rule-policy_sec_2] destination-zone dmz
      [FW-policy-security-rule-policy_sec_2] action permit
      [FW-policy-security-rule-policy_sec_2] quit
      [FW-policy-security] rule name policy_sec_3
      [FW-policy-security-rule-policy_sec_3] source-zone dmz
      [FW-policy-security-rule-policy_sec_3] destination-zone local
      [FW-policy-security-rule-policy_sec_3] action permit
      [FW-policy-security-rule-policy_sec_3] quit

  2. Set AD server parameters on the FW.

    The parameter settings on the FW must be consistent with those on the AD server.

    [FW] ad-server template auth_server_ad
    [FW-ad-auth_server_ad] ad-server authentication 10.2.0.250 88 no-ssl
    [FW-ad-auth_server_ad] ad-server authentication base-dn dc=cce,dc=com
    [FW-ad-auth_server_ad] ad-server authentication manager cn=administrator,cn=users Admin@123
    [FW-ad-auth_server_ad] ad-server authentication host-name ad.cce.com
    [FW-ad-auth_server_ad] ad-server authentication ldap-port 389
    [FW-ad-auth_server_ad] ad-server user-filter sAMAccountName
    [FW-ad-auth_server_ad] ad-server group-filter ou

    If you are unfamiliar with the AD server and cannot provide the server name or Base DN values, you can use the AD Explorer tool (downloadable from the Internet) to connect to the AD server and query the attribute values. The mappings between the server attributes and the parameters on the FW are as follows.

    Use the user name and password that are configured on the AD server to check the connectivity to the AD server.

    [FW-ad-auth_server_ad] test-aaa testname testpassword ad-template auth_server_ad
    [FW-ad-auth_server_ad] quit

  3. Add the FW on the Agile Controller server.

    The following example describes Agile Controller V100R002C10. The user interface may vary with the version. For details, refer to the Policy Center or Agile Controller product documentation of a specific version.

    Choose System Configuration > Server Configuration > Online Behavior Management Device. Click Add and set the following parameters.

    The FW uses port 8001 to receive user online and offline messages sent from the Agile Controller server.

    If the FWs work in hot standby mode, you need to add Online Behavior Management Device twice on the Agile Controller server. The IP Address parameters must be set respectively to the real IP addresses of the active and standby device interfaces connecting to the Agile Controller server.

  4. On the FW, set the parameters for communication with the Agile Controller server.

    The parameter settings on the FW must be consistent with those on the Agile Controller server. In most cases, the server port of Policy Center is 8080, and that of Agile Controller is 8084.

    [FW] tsm-server template auth_server_tsm
    [FW-tsm-auth_server_tsm] tsm-server ip-address 10.2.0.251
    [FW-tsm-auth_server_tsm] tsm-server port 8084
    [FW-tsm-auth_server_tsm] tsm-server encryption-mode aes128 shared-key Admin@123
    [FW-tsm-auth_server_tsm] quit
    [FW] test tsm-server template auth_server_tsm
    Server detection succeeded.

  5. Create an authentication domain on the FW.

    [FW] aaa
    [FW-aaa] domain cce.com
    [FW-aaa-domain-cce.com] service-type internetaccess
    [FW-aaa-domain-cce.com] quit
    [FW-aaa] quit

  6. Configure a policy to import user information from the AD server to the FW.

    [FW] user-manage import-policy policy_import from ad
    [FW-import-policy_import] server template auth_server_ad
    [FW-import-policy_import] server basedn dc=cce,dc=com
    [FW-import-policy_import] import-type all
    [FW-import-policy_import] destination-group /cce.com
    [FW-import-policy_import] import-override enable
    [FW-import-policy_import] sync-mode incremental schedule interval 120
    [FW-import-policy_import] quit

    In a scenario where the authentication server is separate from the import server, the import type must include users. In this example, the import type is set to all, which imports users, user groups, and security groups.

  7. Apply the import policy to import users to the FW.

    [FW] execute user-manage import-policy policy_import

  8. Set the new user option for the authentication domain on the FW.

    [FW] aaa
    [FW-aaa] domain cce.com
    [FW-aaa-domain-cce.com] new-user add-temporary group /cce.com auto-import policy_import
    [FW-aaa-domain-cce.com] quit
    [FW-aaa] quit

  9. Set SSO parameters on the FW.

    [FW] user-manage single-sign-on tsm
    [FW-sso-tsm] enable

  10. Configure the action in the authentication policy for users to access the Agile Controller server as no-authentication so that the users' authentication packets can go through the FW to the Agile Controller server. Configure the action in the authentication policy for users' service traffic to authentication exemption so that the FW can obtain user information through SSO.

    [FW] auth-policy
    [FW-policy-auth] rule name auth_policy_tsm
    [FW-policy-auth-rule-auth_policy_tsm] source-zone trust
    [FW-policy-auth-rule-auth_policy_tsm] destination-zone dmz
    [FW-policy-auth-rule-auth_policy_tsm] source-address 10.3.0.0 24
    [FW-policy-auth-rule-auth_policy_tsm] destination-address 10.2.0.251 32
    [FW-policy-auth-rule-auth_policy_tsm] action none
    [FW-policy-auth-rule-auth_policy_tsm] quit
    [FW-policy-auth] rule name auth_policy_http
    [FW-policy-auth-rule-auth_policy_http] source-zone trust
    [FW-policy-auth-rule-auth_policy_http] source-address 10.3.0.0 24
    [FW-policy-auth-rule-auth_policy_http] action exempt-auth
    [FW-policy-auth-rule-auth_policy_http] quit

    If the action of the authentication policy is set to authentication exemption, the FW obtains user information through SSO and still permits the traffic even when user information cannot be obtained during SSO authentication. If the network has high security requirements, set the action of the authentication policy to portal authentication instead; the FW then performs portal authentication for users who fail SSO authentication.

  11. After the configuration is complete, you can configure security policies, PBR policies, bandwidth policies, quota control policies, proxy policies, and audit policies that reference the user and user group objects.
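The authentication policy in step 10 depends on rule order: the narrow no-authentication rule for the Agile Controller server must come before the broad exemption rule. The Python script below is an added example, not part of this page or of the FW software; it assumes top-down first-match evaluation, parses the two rules from step 10 (copied here as constructed input), classifies sample flows, and flags any rule that an earlier, broader rule shadows.

```python
import ipaddress
# Authentication policy from step 10, copied here as this example's constructed input.
# Rule order is the order in which the FW evaluates them (first match wins, assumed here).
AUTH_POLICY = """\
 rule name auth_policy_tsm
  source-zone trust
  destination-zone dmz
  source-address 10.3.0.0 24
  destination-address 10.2.0.251 32
  action none
 rule name auth_policy_http
  source-zone trust
  source-address 10.3.0.0 24
  action exempt-auth
"""
ZONES, NETS = ("source-zone", "destination-zone"), ("source-address", "destination-address")

def parse_rules(section):
    """Turn the 'rule name ...' blocks of a policy section into dicts, in order.
    A match field that is absent from a rule means "any"."""
    rules = []
    for tokens in filter(None, (line.split() for line in section.splitlines())):
        if tokens[:2] == ["rule", "name"]:
            rules.append({"name": tokens[2]})
        elif tokens[0] in NETS:   # "10.3.0.0 24" -> 10.3.0.0/24
            rules[-1][tokens[0]] = ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}", strict=False)
        else:                     # source-zone, destination-zone, action
            rules[-1][tokens[0]] = tokens[1]
    return rules

def matches(rule, zones, ips):
    """zones and ips are (source, destination) pairs describing one packet."""
    return all(rule.get(f) in (None, z) for f, z in zip(ZONES, zones)) and \
           all(f not in rule or ip in rule[f] for f, ip in zip(NETS, ips))

def auth_action(rules, src_zone, dst_zone, src_ip, dst_ip):
    """First-match lookup; (None, None) means no rule matched and the device default applies."""
    ips = (ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip))
    for rule in rules:
        if matches(rule, (src_zone, dst_zone), ips):
            return rule["name"], rule["action"]
    return None, None

def covers(broad, narrow):
    """True when every packet matching `narrow` also matches `broad`, i.e. `narrow` is shadowed."""
    return all(broad.get(f) in (None, narrow.get(f)) for f in ZONES) and \
           all(f not in broad or (f in narrow and narrow[f].subnet_of(broad[f])) for f in NETS)

def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule is at least as broad."""
    return [r["name"] for j, r in enumerate(rules) if any(covers(e, r) for e in rules[:j])]
```

Swapping the two rules makes `auth_policy_tsm` unreachable, so the users' authentication requests to the Agile Controller server would be treated as exempted service traffic instead of being passed through untouched.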

Configuration Verification

  • Run the display user-manage user and display user-manage group commands on the FW to display information about users and user groups.
  • R&D and marketing employees enter their domain accounts and passwords for the Agile Controller authentication. After the authentication succeeds, they can access network resources.
  • A new employee enters the user name and password for Agile Controller authentication. After the authentication succeeds, they can access network resources, and their organizational structures are automatically added to the FW.
  • Run the display user-manage online-user command on the FW to display information about online users. The online users are shown on the FW under the organizational structure that corresponds to the AD server.

Configuration Script

 sysname FW
#
 user-manage single-sign-on tsm
  enable
#
ad-server template auth_server_ad
 ad-server authentication 10.2.0.250 88 no-ssl
 ad-server authentication base-dn dc=cce,dc=com
 ad-server authentication manager cn=Administrator,cn=users %$%$KkGx/U}ir%TKvDU["/u$N/&z%$%$
 ad-server authentication host-name ad.cce.com
 ad-server authentication ldap-port 389
 ad-server user-filter sAMAccountName
 ad-server group-filter ou
#
tsm-server template auth_server_tsm
 tsm-server encryption-mode aes128 shared-key %$%$|5<h@/062'gA|%:9CO.2/JA8%$%$
 tsm-server ip-address 10.2.0.251
#
security-policy
 rule name policy_sec_1
  source-zone trust
  destination-zone dmz
  source-address 10.3.0.0 24
  destination-address 10.2.0.251 32
  action permit
 rule name policy_sec_2
  source-zone local
  destination-zone dmz
  action permit
 rule name policy_sec_3
  source-zone dmz
  destination-zone local
  action permit
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
#
aaa
 domain cce.com
  service-type internetaccess
  internet-access mode single-sign-on
  reference user current-domain
  new-user add-temporary group /cce.com auto-import policy_import
#
auth-policy
 rule name auth_policy_tsm
  source-zone trust
  destination-zone dmz
  source-address 10.3.0.0 24
  destination-address 10.2.0.251 32
  action none
 rule name auth_policy_http
  source-zone trust
  source-address 10.3.0.0 24
  action exempt-auth
#
user-manage import-policy policy_import from ad
 server template auth_server_ad
 server basedn dc=cce,dc=com
 destination-group /cce.com
 user-attribute sAMAccountName
 user-filter (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer)))
 group-filter (|(objectclass=organizationalUnit)(ou=*))
 import-type all
 import-override enable
 sync-mode incremental schedule interval 120
#
# The following commands perform one-time operations and are not stored in the configuration file.
 execute user-manage import-policy policy_import
 test-aaa testname testpassword ad-template auth_server_ad
 test tsm-server template auth_server_tsm
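Step 6 and the import policy in the configuration script above rely on the user-filter and group-filter LDAP search filters to decide which directory objects reach the FW. The Python script below is an added example, not part of this page or of the FW software: it evaluates those two filters against a few constructed directory entries (not taken from a real AD server) to show what the import would select.

```python
# Constructed sample directory entries (not from a real AD server): DN -> attributes.
# Attribute names are lowercased because AD matches them case-insensitively.
ENTRIES = {
    "CN=Alice,OU=RD,DC=cce,DC=com": {
        "objectclass": ["top", "person", "organizationalPerson", "user"],
        "cn": ["Alice"], "samaccountname": ["alice"]},
    "CN=PC-01,CN=Computers,DC=cce,DC=com": {
        "objectclass": ["top", "person", "organizationalPerson", "user", "computer"],
        "cn": ["PC-01"], "samaccountname": ["PC-01$"]},
    "OU=RD,DC=cce,DC=com": {"objectclass": ["top", "organizationalUnit"], "ou": ["RD"]},
    "CN=Users,DC=cce,DC=com": {"objectclass": ["top", "container"], "cn": ["Users"]},
}
# The two filters from the import policy in the configuration script.
USER_FILTER = "(&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer)))"
GROUP_FILTER = "(|(objectclass=organizationalUnit)(ou=*))"

def parse_filter(text, i=0):
    """Recursive-descent parser for the subset of RFC 4515 used above: and (&), or (|),
    not (!), equality (attr=value) and presence (attr=*). Returns (tree, next_index)."""
    assert text[i] == "(", "filter component must start with '('"
    i += 1
    if text[i] in "&|!":
        op, i, kids = text[i], i + 1, []
        while text[i] == "(":
            node, i = parse_filter(text, i)
            kids.append(node)
        return (op, kids), i + 1          # skip the closing ')'
    end = text.index(")", i)
    attr, value = text[i:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1

def evaluate(node, attrs):
    """Evaluate a parsed filter tree against one entry's attribute dict."""
    op = node[0]
    if op == "&":
        return all(evaluate(k, attrs) for k in node[1])
    if op == "|":
        return any(evaluate(k, attrs) for k in node[1])
    if op == "!":
        return not evaluate(node[1][0], attrs)
    _, attr, value = node
    values = [v.lower() for v in attrs.get(attr, [])]
    return bool(values) if value == "*" else value.lower() in values

def select(filter_text, entries=ENTRIES):
    """DNs of the entries the filter returns, i.e. what the import policy would pull in."""
    tree, _ = parse_filter(filter_text)
    return sorted(dn for dn, attrs in entries.items() if evaluate(tree, attrs))
```

With these entries the user filter returns only Alice (the computer account is excluded by the `!` clause) and the group filter returns only the RD organizational unit, not the Users container.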
Copyright © Huawei Technologies Co., Ltd.