www.huawei.com
Copyright © 2017 Huawei Technologies Co., Ltd. All rights reserved. Page 3
Objectives
Upon completion of this course, you will be able to:
Know SACG authentication principles and application scenarios
Have a good command of SACG authentication configuration and deployment
Have a good command of SACG authentication troubleshooting
Contents
1. SACG Authentication Principles
2. SACG Authentication Configuration and Deployment
3. SACG Authentication Troubleshooting
SACG Authentication Scenario (1/2)
The TSM system uses a firewall as the access control device to perform identity authentication. Firewalls are often deployed on the network data center egress or network egress, facilitating the maintenance. SACG authentication applies to medium- and large-sized campuses that have complex network environments and moderate requirements on network security.
SACG Authentication Scenario (2/2)
(Figure: SACG authentication scenario topology.)
SACG Deployment Mode (1/2)
Inline deployment
(Figure: the SACG sits in the forwarding path between users and servers. Users request server resources; servers send resources to users.)
SACG Deployment Mode (2/2)
Bypass deployment
(Figure: the SACG is attached beside the forwarding path. Users request server resources; servers send resources to users.)
Hardware SACG Authentication
In hardware SACG authentication, the firewall is used as the access control device and deployed on the data center egress or network egress, providing client authentication and no-client authentication to ensure security.
(Figure: pre-authentication domain with the DHCP server and Agile Controller-Campus; post-authentication domain with the service system.)
Software SACG Authentication
In software authentication, the AnyOffice is used as the software SACG to perform identity authentication on users attempting to access networks.
(Figure: access device; pre-authentication domain with the DHCP server and Agile Controller-Campus; post-authentication domain with the service system.)
SACG Authentication Process
Contents
1. SACG Authentication Principles
2. SACG Authentication Configuration and Deployment
Inline Deployment
Bypass Deployment
SACG Application Scenario
The SACG uses a firewall as the access control device to perform identity authentication on users attempting to access networks. The firewall is deployed on the data center egress or network egress, facilitating the maintenance.
(Figure: SACG application scenario.)
SACG Association in Inline Mode
Currently, end users of an enterprise can directly access the service system in the data center. As core services increase in the service system, the enterprise requires an access control system and wants to provide security protection for intranet users using the firewall.
(Figure: inline topology. SACG firewall interfaces G1/0/1 10.1.1.1/24, G1/0/2 10.1.6.1/24 and G1/0/3 192.168.1.1/24; security zones Trust, Untrust and DMZ; antivirus server 192.168.2.5/24, patch server 192.168.2.3/24, service system 172.16.1.10/24, SM&SC-1 192.168.1.2/24.)
Configuration Procedure
Configuration procedure
Configuration planning
Basic configuration
Firewall configuration
Agile Controller-Campus configuration
Configure the Firewall - Configure Basic Data
Configure the firewall.
Configure the firewall's interface IP addresses and security zones.
Configure security policies to permit traffic as required.
Configure a security policy for the Local-DMZ interzone, enabling the firewall to communicate with the SCs.
Configure a security policy for the Local-Untrust interzone, enabling the firewall to push web authentication pages to users.
Configure the Firewall - Association with the Agile Controller-Campus
Choose Network > TSM Interworking > Basic Configuration. On the Configure TSM Basic Parameter page, click the TSM Server List tab, and add an SC server.
Configure web authentication URLs. If the AnyOffice is not installed on a terminal, a web authentication page is pushed to the end user.
Apply TSM interworking policies between zones. The system matches interworking policies when end users attempt to access server resources.
Configure the Agile Controller-Campus - Add a Firewall
Choose Policy > Permission Control > Hardware SACG > Hardware SACG Configuration. On the Hardware SACG tab page, click Add.
Configure the Agile Controller-Campus - Pre-authentication Domain and Post-authentication Domain
On the Pre-authentication Domain tab page, click Add, and add resources to the pre-authentication domain.
On the Controlled Domain tab page, click Add, and add the post-authentication resources to the controlled domain.
Configure the Agile Controller-Campus - Controlled Domain Rules
On the Post-authentication Domain tab page, click Add, add resources that end users can access only in working hours, and select Permit access to only controlled domain resources in the list.
Add resources that end users cannot access in non-working hours and select Prohibit access to only controlled domain resources in the list according to the preceding steps.
Configure the Agile Controller-Campus - SACG Policy Group
Configure a time range during which employees can access related resources. Choose Policy > Permission Control > Policy Element > Schedule, and click Add.
Configure an SACG policy group. Choose Policy > Permission Control > Hardware SACG > Hardware SACG Policy Group, and click Add.
Apply the SACG policy group to an account/user group or an IP address segment.
Verify the Result
If a user successfully passes identity authentication, the user can access the service system in working hours but not in non-working hours.
On the firewall, choose Network > TSM Interworking > Basic Configuration. On the TSM Server List tab page, check whether the running status of the Agile Controller-Campus is Connected.
On the firewall, choose Network > TSM Interworking > Online User and Network > TSM Interworking > Role, and check information about online users and user roles respectively.
On the Agile Controller-Campus, choose Resource > User > Online User Management, and check user login information.
If a severe violation is detected on a terminal host, the terminal host cannot access networks and a message is displayed, indicating that it needs to be repaired. After being repaired, the terminal host can access networks.
Contents
1. SACG Authentication Principles
2. SACG Authentication Configuration and Deployment
Inline Deployment
Bypass Deployment
SACG Association in Bypass Mode
Currently, end users of an enterprise can directly access the service system in the data center. As core services increase in the service system, the enterprise requires an access control system.
(Figure: bypass topology. Pre-authentication domain and post-authentication domain; DNS server 192.168.3.3/24, SM&SC-1 192.168.1.2/24, SC-2 192.168.1.3/24 in the Trust zone, service system 172.16.1.10/24.)
Configuration Procedure
Configuration procedure
Configuration planning
Basic configuration
Configure Basic Data for Network Connectivity
Configure basic data for network connectivity.
Configure the VLAN and IP address on the switch.
Configure the firewall.
Configure the firewall's interface IP addresses and security zones.
Configure security policies to permit traffic as required.
Disable the session status detection function.
Configure the Switch to Divert Traffic
Configure the switch. Use the port redirection function to forward the traffic received by the switch from terminal hosts to the firewall through Ethernet 1/0/5.
[Switch] acl 3000
[Switch-acl-adv-3000] rule 0 permit ip source 10.1.6.0 0.0.0.255
Configure the Firewall - Traffic Injection
Configure a static route for injecting the detected traffic from the firewall to the switch. The next hop of the route is the IP address of the interface on the switch connecting to GE1/0/1.
Configure the Firewall - Association with the Agile Controller-Campus
Choose Network > TSM Interworking > Basic Configuration. On the Configure TSM Basic Parameter page, click the TSM Server List tab, and add an SC server.
Configure web authentication URLs. If the AnyOffice is not installed on a terminal, a web authentication page is pushed to the end user.
Apply TSM interworking policies between zones. The system matches interworking policies when end users attempt to access server resources.
Configure the Agile Controller-Campus - Add a Firewall
Choose Policy > Permission Control > Hardware SACG > Hardware SACG Configuration. On the Hardware SACG tab page, click Add.
Configure the Agile Controller-Campus - Pre-authentication Domain and Post-authentication Domain
On the Pre-authentication Domain tab page, click Add, and add resources to the pre-authentication domain.
On the Controlled Domain tab page, click Add, and add the post-authentication resources to the controlled domain.
Configure the Agile Controller-Campus - Controlled Domain Rules
On the Post-authentication Domain tab page, click Add, add resources that end users can access only in working hours, and select Permit access to only controlled domain resources in the list.
Add resources that end users cannot access in non-working hours and select Prohibit access to only controlled domain resources in the list according to the preceding steps.
Configure the Agile Controller-Campus - SACG Policy Group
Configure a time range. Choose Policy > Permission Control > Policy Element > Schedule, and click Add.
Configure an SACG policy group. Choose Policy > Permission Control > Hardware SACG > Hardware SACG Policy Group, and click Add.
Apply the SACG policy group to an account/user group or an IP address segment.
Verify the Result
If a user successfully passes identity authentication, the user can access the service system in working hours but not in non-working hours.
On the firewall, choose Network > TSM Interworking > Basic Configuration. On the TSM Server List tab page, check whether the running status of the Agile Controller-Campus is Connected.
On the firewall, choose Network > TSM Interworking > Online User and Network > TSM Interworking > Role, and check information about online users and user roles respectively.
On the Agile Controller-Campus, choose Resource > User > Online User Management, and check user login information.
If a severe violation is detected on a terminal host, the terminal host cannot access networks and a message is displayed, indicating that it needs to be repaired. After being repaired, the terminal host can access networks.
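The controlled-domain rules, the Schedule policy element and the Verify the Result expectations (stated identically for the inline and bypass deployments) describe one access decision: pre-authentication domain resources are always reachable, post-authentication (controlled domain) resources are reachable only by an authenticated, compliant terminal and only while the permitting schedule is active. The following Python model is an added example, not code from the course or from the Agile Controller-Campus product; the class and field names are hypothetical, the working-hours schedule and the placement of the patch and antivirus servers in the pre-authentication domain are constructed, and the "deny when no active rule matches" default is an assumption.

```python
"""Added example (not from the Huawei course material): a small model of the
SACG access decision, covering the pre-authentication domain, controlled-domain
rules bound to a Schedule, and the terminal's authentication/compliance state."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class Schedule:
    """Time range, modelled after the Schedule policy element (hypothetical fields)."""
    start: time
    end: time
    weekdays: frozenset  # Monday == 0 ... Sunday == 6

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end


@dataclass
class Outside:
    """Complement of a schedule, used to express 'non-working hours'."""
    inner: Schedule

    def contains(self, when: datetime) -> bool:
        return not self.inner.contains(when)


@dataclass
class ControlledDomainRule:
    """One entry of the controlled-domain rule list: which resources, during which
    schedule, and whether access to them is permitted or prohibited."""
    resources: tuple
    schedule: object
    permit: bool


@dataclass
class SacgPolicyGroup:
    pre_auth_domain: tuple
    rules: tuple


@dataclass
class Terminal:
    authenticated: bool
    severe_violation: bool = False


def _in_any(dst, networks) -> bool:
    return any(dst in net for net in networks)


def decide(terminal: Terminal, dst_ip: str, when: datetime, group: SacgPolicyGroup) -> str:
    """Return "permit" or "deny" for one flow from the terminal to dst_ip at time when."""
    dst = ip_address(dst_ip)
    # The pre-authentication domain is reachable by every terminal: it holds what a
    # terminal needs before (or instead of) passing authentication.
    if _in_any(dst, group.pre_auth_domain):
        return "permit"
    # Unauthenticated terminals and terminals with a severe violation reach nothing else.
    if not terminal.authenticated or terminal.severe_violation:
        return "deny"
    # The first rule whose resources match and whose schedule is active decides.
    for rule in group.rules:
        if _in_any(dst, rule.resources) and rule.schedule.contains(when):
            return "permit" if rule.permit else "deny"
    # Assumption: a controlled-domain resource matched by no active rule is denied.
    return "deny"


# Constructed sample following the inline topology on the slides: the service
# system 172.16.1.10/24 is the controlled resource; the patch server 192.168.2.3/24
# and antivirus server 192.168.2.5/24 are placed in the pre-authentication domain
# so that a non-compliant terminal can still be repaired (constructed placement).
WORKING_HOURS = Schedule(time(9, 0), time(18, 0), frozenset(range(5)))
SERVICE_SYSTEM = (ip_network("172.16.1.0/24"),)
PRE_AUTH_DOMAIN = (ip_network("192.168.2.0/24"),)
GROUP = SacgPolicyGroup(
    pre_auth_domain=PRE_AUTH_DOMAIN,
    rules=(
        ControlledDomainRule(SERVICE_SYSTEM, WORKING_HOURS, permit=True),
        ControlledDomainRule(SERVICE_SYSTEM, Outside(WORKING_HOURS), permit=False),
    ),
)


def verify_result() -> dict:
    """The checks listed under 'Verify the Result', as decisions of the model."""
    monday_10 = datetime(2017, 6, 5, 10, 0)   # a Monday, inside working hours
    monday_20 = datetime(2017, 6, 5, 20, 0)   # same day, after hours
    ok = Terminal(authenticated=True)
    return {
        "working_hours": decide(ok, "172.16.1.10", monday_10, GROUP),
        "non_working_hours": decide(ok, "172.16.1.10", monday_20, GROUP),
        "unauthenticated": decide(Terminal(authenticated=False), "172.16.1.10", monday_10, GROUP),
        "violation_service": decide(Terminal(True, True), "172.16.1.10", monday_10, GROUP),
        "violation_patch_server": decide(Terminal(True, True), "192.168.2.3", monday_10, GROUP),
    }


if __name__ == "__main__":
    for check, verdict in verify_result().items():
        print(f"{check:24s} {verdict}")
```

The order of the checks in decide() is what matters when reviewing a real policy group: a resource accidentally added to the pre-authentication domain is reachable by every terminal regardless of authentication state or schedule, so that list deserves the same scrutiny as the controlled-domain rules.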
Contents
1. SACG Authentication Principles
2. SACG Authentication Configuration and Deployment
3. SACG Authentication Troubleshooting
Hardware SACG Access Fault
To locate and rectify the hardware SACG access fault, perform operations according to the following flowchart.
(Flowchart: starts from "SACG authentication fails".)
On the Firewall, Check the Association Status with the SC
Run the display right-manager server-group command to check the association status between the firewall and SC.
<FW> system-view
[FW] right-manager server-group
[FW-rightm] display right-manager server-group
Server-state: Enable
Server-number: 1
Server-ip-address    port    state      master
10.1.4.2             3288    inactive   Y
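When this check is scripted across many firewalls, the command output above has to be parsed rather than read. The following Python is an added example, not code from the course or from the firewall product: it parses the output format shown on the slide and turns an inactive SC entry into the follow-up checks the next slides describe. The sample outputs are constructed from the slide, and "active" as the healthy state string is an assumption.

```python
"""Added example (not from the course material): parse the output of the
firewall's 'display right-manager server-group' command and report why the
association with the SC may be failing."""
import re

# Constructed sample, following the output shown on the slide.
SAMPLE_INACTIVE = """\
Server-state: Enable
Server-number: 1
Server-ip-address      port    state      master
10.1.4.2               3288    inactive   Y
"""

# Constructed healthy counterpart; 'active' as the healthy state is an assumption.
SAMPLE_ACTIVE = """\
Server-state: Enable
Server-number: 1
Server-ip-address      port    state      master
10.1.4.2               3288    active     Y
"""


def parse_server_group(text: str) -> dict:
    """Return {'server_state': str, 'server_number': int, 'servers': [...]}."""
    parsed = {"server_state": None, "server_number": None, "servers": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Server-ip-address"):
            continue  # blank line or table header
        m = re.match(r"Server-state:\s*(\S+)", line)
        if m:
            parsed["server_state"] = m.group(1)
            continue
        m = re.match(r"Server-number:\s*(\d+)", line)
        if m:
            parsed["server_number"] = int(m.group(1))
            continue
        fields = line.split()
        if len(fields) == 4:  # one table row: ip, port, state, master
            ip, port, state, master = fields
            parsed["servers"].append(
                {"ip": ip, "port": int(port), "state": state.lower(), "master": master == "Y"}
            )
    return parsed


def association_problems(parsed: dict) -> list:
    """Findings a troubleshooter would act on, following the order of the slides."""
    findings = []
    if parsed["server_state"] != "Enable":
        findings.append("right-manager server group is not enabled on the firewall")
    if not parsed["servers"]:
        findings.append("no SC server is configured (check Network > TSM Interworking > Basic Configuration)")
        return findings
    if parsed["server_number"] is not None and parsed["server_number"] != len(parsed["servers"]):
        findings.append(f"Server-number {parsed['server_number']} does not match "
                        f"{len(parsed['servers'])} listed servers")
    for srv in parsed["servers"]:
        if srv["state"] != "active":
            findings.append(
                f"SC {srv['ip']}:{srv['port']} is {srv['state']}: verify the SC IP address and port "
                "on the firewall, the Local-DMZ security policy, and the firewall entry under "
                "Hardware SACG Configuration on the Agile Controller-Campus"
            )
    if not any(srv["master"] for srv in parsed["servers"]):
        findings.append("no SC is marked as master")
    return findings


if __name__ == "__main__":
    for name, sample in (("inactive", SAMPLE_INACTIVE), ("active", SAMPLE_ACTIVE)):
        problems = association_problems(parse_server_group(sample))
        print(name, "->", problems or ["association OK"])
```

The parser keys on the labelled lines and on the four-column table rather than on column offsets, so it tolerates the whitespace differences that appear when the same output is captured from different terminals.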
On the Firewall, Check the SC IP Address and Port
On the firewall, choose Network > TSM Interworking > Basic Configuration, and check the basic configuration of the SC.
On the Firewall, Apply the Interzone Policy
On the firewall, choose Network > TSM Interworking > Policy, and apply the association policy between the Trust zone to which the uplink interface belongs and the Untrust zone to which the downlink interface belongs.
Click Add, and add an association policy. Compared with the forwarding policy, the association policy needs to take effect preferentially.
After the configuration is complete, on the firewall, choose Network > TSM Interworking > Online User, and check whether online users exist. If no online user exists, check whether status detection
On the Firewall, Disable Status Detection
On the firewall, choose System > Advanced Settings, and check the configuration of Status Detection.
Deselect Enable for TCP Status Detection and ICMP Status Detection, and then click Apply to disable status detection.
On the Firewall, Check Whether Any Traffic Passes Through
Run the display firewall session table command to check whether the traffic from end users passes through the firewall.
If the session information of end users is not recorded on the firewall, the traffic from end users does not pass through the firewall.
Check whether the Layer 3 switch diverts the traffic from end users to the firewall through the policy-based routing or port redirection function.
On the Agile Controller-Campus, Check the SACG Status
On the Agile Controller-Campus, click Dashboard, and check the SACG status.
On the Agile Controller-Campus, Check the Association with the Firewall
Choose Policy > Permission Control > Hardware SACG > Hardware SACG Configuration, and check whether the basic configuration of the firewall is correct.
Quiz
1. Which of the following devices is generally used as the SACG for networking? ( )
A. Router
B. Switch
C. Firewall
D. NIP
Summary
SACG Authentication Principles
SACG Authentication Configuration and Deployment
Inline Deployment
Bypass Deployment
SACG Authentication Troubleshooting
Thank You
www.huawei.com