[Network Technology] Firewall configuration stand-alone bypass mode

Networking requirements

A company deploys an Agile Controller server group on its network and, at the same time, deploys an FW in bypass mode at the network egress, as shown in Figure 1. The requirements are:

- Different user roles can access different network resources (configured on the Agile Controller server).

- After a user's role changes, the network resources available to that user are updated immediately.

Operating steps

1. Disable the session state check. (In bypass mode only one direction of the traffic passes through the SACG, so the SACG's state check must be disabled; FW functions that depend on state checking are unavailable in bypass mode.)

<FW>system-view
[FW] undo firewall session link-state check

2. Configure the IP address and security zone of each interface.

[FW] interface GigabitEthernet 0/0/1
[FW-GigabitEthernet0/0/1] ip address 10.1.3.6 255.255.255.0
[FW-GigabitEthernet0/0/1] quit
[FW] interface GigabitEthernet 0/0/2
[FW-GigabitEthernet0/0/2] ip address 10.1.2.4 255.255.255.0
[FW-GigabitEthernet0/0/2] quit
[FW] firewall zone trust
[FW-zone-Trust] add interface GigabitEthernet 0/0/1
[FW-zone-Trust] quit
[FW] firewall zone untrust
[FW-zone-Untrust] add interface GigabitEthernet 0/0/2
[FW-zone-Untrust] quit

3. Configure the security policy.

[FW] security-policy
[FW-security-policy] rule name sec_policy01
[FW-security-policy-sec_policy01] source-address 192.168.1.0 mask 255.255.255.0
[FW-security-policy-sec_policy01] source-zone trust
[FW-security-policy-sec_policy01] destination-zone local
[FW-security-policy-sec_policy01] action permit
[FW-security-policy-sec_policy01] quit
[FW-security-policy] rule name sec_policy02
[FW-security-policy-sec_policy02] source-zone local
[FW-security-policy-sec_policy02] destination-zone untrust
[FW-security-policy-sec_policy02] action permit
[FW-security-policy-sec_policy02] quit
[FW-security-policy] quit

4. Configure the SACG.

# Enter the SACG configuration view on the FW and specify the default ACL rule group number.

[FW] right-manager server-group
[FW-rightm] default acl 3099

# Add the Agile Controllers to the FW so that the FW can connect to them for linkage. Because there are two Agile Controllers, run the server ip command twice, once per controller.

[FW-rightm] server ip 10.1.4.2 port 3288 shared-key TSM_Security
[FW-rightm] server ip 10.1.4.3 port 3288 shared-key TSM_Security

# Configure agentless web authentication. When a terminal user without the SACG agent installed tries to access the network, the FW automatically pushes the web authentication page to the terminal host so that the user can authenticate through the web page.

[FW-rightm] right-manager authentication url http://10.1.4.2:8080/webauth
[FW-rightm] right-manager authentication url http://10.1.4.3:8080/webauth

# Enable the server group so that the FW immediately connects to the Agile Controller and sends a linkage request. Once the connection succeeds, the device receives the roles and role rules issued by the Agile Controller.

[FW-rightm] right-manager server-group enable

# Configure the escape function and set the minimum number of active Agile Controllers to 1. While the FW is connected to at least one Agile Controller, SACG authentication proceeds normally. When the FW cannot connect to any Agile Controller, an escape channel opens and all user terminals are allowed to access the controlled network, so that end users do not lose network access because of an Agile Controller failure.

[FW-rightm] right-manager status-detect enable
[FW-rightm] right-manager server-group active-minimun 1
[FW-rightm] quit

# Apply the linkage policy in the inbound direction between the Trust and Untrust zones, so that terminal hosts can communicate with the pre-authentication domain normally and the permit rules of the escape channel are correctly delivered to both zones.

[FW] firewall interzone trust untrust
[FW-interzone-trust-untrust] apply packet-filter right-manager inbound
[FW-interzone-trust-untrust] quit

# Configure a static route that re-injects inspected traffic from the FW to the switch. The next hop is the IP address of the switch interface connected to GigabitEthernet0/0/1. GigabitEthernet0/0/1 connects the FW to the post-authentication domain, so traffic that has passed security inspection must be forwarded out of this interface to the post-authentication domain to keep services running.

[FW] ip route-static 0.0.0.0 0.0.0.0 10.1.3.7

5. Optional: Configure third-party server health checks.

There are multiple user accounts in the SACG scenario. Some account passwords are stored in the Agile Controller, and others in a third-party authentication server. When the user enters an account and password on the client to initiate an authentication request, the request is handled according to where the account is stored: if in the Agile Controller, authentication completes directly there; if in the third-party authentication server, the Agile Controller forwards the account information to that server for authentication. After authentication completes, the result is returned to the Agile Controller, which authorizes the user based on it.

When user authentication completes on the Agile Controller, the escape channel is enabled as soon as the service controller detects that the number of active Agile Controllers has fallen below the configured minimum. The Agile Controller's liveness detection does not cover the third-party authentication server, however, so if that server fails, authentication against it cannot complete. In that case the FW, acting as the SACG, must run its own health check: when the health check status is DOWN, the device opens an escape channel so that normal services are not affected, and after the fault is cleared, the escape channel closes automatically and the original permission control is restored.

The IP address of the third-party server in the pre-authentication domain is 10.1.4.4, the port number is 80, the detection protocol is HTTP, and the detection packet is sent from interface GigabitEthernet 0/0/1.

[FW] healthcheck enable
[FW] healthcheck name hchk1
[FW-healthcheck-hchk1] least active-linknumber 1
[FW-healthcheck-hchk1] destination 10.1.4.4 interface GigabitEthernet 0/0/1 protocol http destination-port 80
[FW-healthcheck-hchk1] quit
[FW] right-manager server-group
[FW-rightm] healthcheck hchk1

6. Optional: Add the uplink and downlink interfaces GigabitEthernet 0/0/2 and GigabitEthernet 0/0/1 to the same Link-group.

[FW] interface GigabitEthernet 0/0/2
[FW-GigabitEthernet0/0/2] link-group 1
[FW-GigabitEthernet0/0/2] quit
[FW] interface GigabitEthernet 0/0/1
[FW-GigabitEthernet0/0/1] link-group 1
[FW-GigabitEthernet0/0/1] quit

7. Configure the Agile Controller.

Add the connection parameters of the SACG device on the Agile Controller, configure the pre-authentication domain and post-authentication domain, and create user information.

Result Verification

Run the display right-manager server-group command on the FW to check the Agile Controller status.

<FW> display right-manager server-group
Server group state: Enable
Server number: 2
Server ip address    Port   State     Master
10.1.4.2             3288   active    Y
10.1.4.3             3288   active    N

If the state is displayed as active, the Agile Controller is connected successfully and the configuration is correct.

After the Agile Controller at 10.1.4.2 is shut down, the Master column for 10.1.4.3 shows Y and its connection state remains normal, which indicates that the SACG works normally as long as at least one Agile Controller is connected.
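As an added example (not Huawei's code and not part of this guide), a small Python checker that parses the display right-manager server-group output shown above and applies the active-minimum escape rule from step 4, so the state after 10.1.4.2 is shut down can be evaluated automatically rather than read by eye. The "inactive" state word and the failover sample output are assumptions.

```python
import re

# Constructed sample, in the layout of the verification output on this page.
NORMAL_OUTPUT = """\
Server group state: Enable
Server number: 2
Server ip address    Port   State     Master
10.1.4.2             3288   active    Y
10.1.4.3             3288   active    N
"""
# Constructed failover sample (the 'inactive' state word is assumed):
# 10.1.4.2 is shut down and 10.1.4.3 has taken over as master.
FAILOVER_OUTPUT = """\
Server group state: Enable
Server number: 2
Server ip address    Port   State     Master
10.1.4.2             3288   inactive  N
10.1.4.3             3288   active    Y
"""
# One server row: IPv4 address, port, state word, master flag Y/N.
ROW_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\w+)\s+([YN])\s*$")

def parse_server_group(text):
    """Return (group_enabled, servers); a server is a dict ip/port/state/master."""
    enabled, servers = False, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Server group state:"):
            enabled = line.split(":", 1)[1].strip().lower() == "enable"
        elif m := ROW_RE.match(line):
            servers.append({"ip": m[1], "port": int(m[2]),
                            "state": m[3].lower(), "master": m[4] == "Y"})
    return enabled, servers

def sacg_mode(text, active_minimum=1):
    """Apply the step-4 escape rule: 'enforce' when at least active_minimum
    controllers are active (role rules apply); 'escape' when fewer are, meaning
    the FW opens the escape channel and every terminal reaches the controlled
    network (worth alerting on); 'inconsistent-master' when the active
    controllers do not report exactly one master."""
    enabled, servers = parse_server_group(text)
    active = [s for s in servers if s["state"] == "active"]
    if not enabled:
        return "disabled"
    if len(active) < active_minimum:
        return "escape"
    if sum(s["master"] for s in active) != 1:
        return "inconsistent-master"
    return "enforce"
```

Feeding the live command output into sacg_mode from a monitoring job turns the "escape" state, in which access control is effectively off, into an alert instead of a silent condition.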