
SACG Authentication

www.huawei.com

Copyright © 2017 Huawei Technologies Co., Ltd. All rights reserved.


Foreword
- Secure access control gateway (SACG) authentication applies to medium- and large-sized campuses that have complex network environments and moderate requirements on network security. Firewalls are often deployed on the network data center egress or network egress. Only a few firewalls need to be deployed and function as authentication points. Therefore, the deployment is simple. In addition, the firewall provides client authentication and no-client authentication, facilitating management and maintenance. Moreover, an emergency channel is supported, ensuring that services are not affected when the SC is faulty.
- This chapter describes the SACG authentication application scenarios, configuration, deployment, and troubleshooting.

Objectives
- Upon completion of this course, you will be able to:
  - Know SACG authentication principles and application scenarios
  - Have a good command of SACG authentication configuration and deployment
  - Have a good command of SACG authentication troubleshooting

Contents
1. SACG Authentication Principles
2. SACG Authentication Configuration and Deployment
3. SACG Authentication Troubleshooting

SACG Authentication Scenario (1/2)
- The TSM system uses a firewall as the access control device to perform identity authentication. Firewalls are often deployed on the network data center egress or network egress, facilitating the maintenance. SACG authentication applies to medium- and large-sized campuses that have complex network environments and moderate requirements on network security.

SACG Authentication Scenario (2/2)
[Figure: SACG authentication scenario. Pre-authentication domain (DHCP, Agile Controller-Campus) and post-authentication domain (service system) behind the SACG. Users request server resources; servers send resources to users.]

SACG Deployment Mode (1/2)
Inline deployment
[Figure: inline deployment. Pre-authentication domain (DHCP, Agile Controller-Campus) and post-authentication domain (service system); the SACG sits in the forwarding path. Users request server resources; servers send resources to users.]

SACG Deployment Mode (2/2)
Bypass deployment
[Figure: bypass deployment. Pre-authentication domain (DHCP, Agile Controller-Campus) and post-authentication domain (service system); an access device forwards traffic, with the SACG attached beside it. Users request server resources; servers send resources to users.]

Hardware SACG Authentication
- In hardware SACG authentication, the firewall is used as the access control device and deployed on the data center egress or network egress, providing client authentication and no-client authentication to ensure security.
[Figure: hardware SACG. Pre-authentication domain (DHCP, Agile Controller-Campus) and post-authentication domain (service system); access device and SACG. Users request server resources; servers send resources to users.]

Software SACG Authentication
- In software authentication, the AnyOffice is used as the software SACG to perform identity authentication on users attempting to access networks.
[Figure: software SACG. Pre-authentication domain (DHCP, Agile Controller-Campus) and post-authentication domain (service system); access device; AnyOffice on the terminal; authentication data flow.]

SACG Authentication Process
[Figure: message sequence between Client, SACG, and Controller]
1. Request to synchronize the rules of the pre-authentication domain and post-authentication domain.
2. Deliver the requested rules.
3. Send a request for identity authentication.
4. Return the identity authentication result.
5. Instruct the SACG to switch the terminal's IP address to the corresponding domain.
6. Return the execution result.
7. Access the network.

Contents
1. SACG Authentication Principles
2. SACG Authentication Configuration and Deployment
 Inline Deployment
 Bypass Deployment

3. SACG Authentication Troubleshooting

SACG Application Scenario
- The SACG uses a firewall as the access control device to perform identity authentication on users attempting to access networks. The firewall is deployed on the data center egress or network egress, facilitating the maintenance.
- SACG application scenario (bypass deployment or inline deployment):
  - Supports identity authentication, and controls the accessible domain based on the check results.
  - Applies to wired access only and is mainly used in medium- and large-sized enterprises.
  - Supports an emergency channel and various client types, including web, AnyOffice, and Web Agent.

SACG Association in Inline Mode
- Currently, end users of an enterprise can directly access the service system in the data center. As core services increase in the service system, the enterprise requires an access control system and wants to provide security protection for intranet users using the firewall.
[Figure: inline topology with Trust, Untrust, and DMZ zones. Servers: antivirus server 192.168.2.5/24, patch server 192.168.2.3/24, service system 172.16.1.10/24, DNS server 192.168.3.3/24, SM&SC-1 192.168.1.2/24, SC-2 192.168.1.3/24. SACG interfaces: G1/0/1 10.1.1.1/24, G1/0/2 10.1.6.1/24, G1/0/3 192.168.1.1/24.]

Configuration Procedure
Configuration procedure:
1. Configuration planning
2. Basic configuration
3. Firewall configuration
4. Agile Controller-Campus configuration

Configure the Firewall - Configure Basic Data
- Configure the firewall.
  - Configure the firewall's interface IP addresses and security zones.
  - Configure security policies to permit traffic as required.
    - Configure a security policy for the Local-DMZ interzone, enabling the firewall to communicate with the SCs.
    - Configure a security policy for the Local-Untrust interzone, enabling the firewall to push web authentication pages to users.

Configure the Firewall - Association with the Agile Controller-Campus
- Choose Network > TSM Interworking > Basic Configuration. On the Configure TSM Basic Parameter page, click the TSM Server List tab, and add an SC server.
- Configure web authentication URLs. If the AnyOffice is not installed on a terminal, a web authentication page is pushed to the end user.
- Apply TSM interworking policies between zones. The system matches interworking policies when end users attempt to access server resources.

Configure the Agile Controller-Campus - Add a Firewall
- Choose Policy > Permission Control > Hardware SACG > Hardware SACG Configuration. On the Hardware SACG tab page, click Add.

Configure the Agile Controller-Campus - Pre-authentication Domain and Post-authentication Domain
- On the Pre-authentication Domain tab page, click Add, and add resources to the pre-authentication domain.
- On the Controlled Domain tab page, click Add, and add the post-authentication resources to the controlled domain.

Configure the Agile Controller-Campus - Controlled Domain Rules
- On the Post-authentication Domain tab page, click Add, add resources that end users can access only in working hours, and select Permit access to only controlled domain resources in the list.
- Add resources that end users cannot access in non-working hours and select Prohibit access to only controlled domain resources in the list according to the preceding steps.

Configure the Agile Controller-Campus - SACG Policy Group
- Configure a time range during which employees can access related resources. Choose Policy > Permission Control > Policy Element > Schedule, and click Add.
- Configure an SACG policy group. Choose Policy > Permission Control > Hardware SACG > Hardware SACG Policy Group, and click Add.
- Apply the SACG policy group to an account/user group or an IP address segment.

Verify the Result
- If a user successfully passes identity authentication, the user can access the service system in working hours but not in non-working hours.
- On the firewall, choose Network > TSM Interworking > Basic Configuration. On the TSM Server List tab page, check whether the running status of the Agile Controller-Campus is Connected.
- On the firewall, choose Network > TSM Interworking > Online User and Network > TSM Interworking > Role, and check information about online users and user roles respectively.
- On the Agile Controller-Campus, choose Resource > User > Online User Management, and check user login information.
- If a severe violation is detected on a terminal host, the terminal host cannot access networks and a message is displayed, indicating that it needs to be repaired. After being repaired, the terminal host can access networks.

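The seven-step exchange on the SACG Authentication Process slide and the controlled-domain schedule rules configured on the preceding slides can be modelled in a few lines so that the verification behaviour (service system reachable in working hours only, and only after authentication) is visible in code. The following Python is an added example written for this page; it is not Huawei code and not the Agile Controller-Campus API. Controller and Sacg are stand-ins, and the account, the 09:00-18:00 working-hours schedule, and the grouping of the slides' server addresses into domains are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed sample data modelled on the slides' topology: the addresses appear
# on the slides; which of them form the pre-authentication domain is an assumption.
PRE_AUTH_RESOURCES = [
    ip_network("192.168.3.3/32"),   # DNS server
    ip_network("192.168.1.0/24"),   # SM&SC-1 and SC-2
    ip_network("192.168.2.3/32"),   # patch server
    ip_network("192.168.2.5/32"),   # antivirus server
]
SERVICE_SYSTEM = ip_network("172.16.1.10/32")   # controlled-domain resource


@dataclass
class ControlledRule:
    """One controlled-domain rule: resources, a schedule, and permit/prohibit."""
    resources: list
    start: time
    end: time
    permit: bool

    def in_schedule(self, now):
        if self.start <= self.end:              # same-day range, e.g. 09:00-18:00
            return self.start <= now < self.end
        return now >= self.start or now < self.end   # range wrapping midnight

    def matches(self, dst, now):
        return self.in_schedule(now) and any(dst in net for net in self.resources)


@dataclass
class Controller:
    """Stand-in for the Agile Controller-Campus (SC): holds accounts and rules."""
    accounts: dict
    pre_auth: list
    controlled: list

    def deliver_rules(self):                      # step 2
        return self.pre_auth, self.controlled

    def authenticate(self, user, password):       # step 4 (toy credential check)
        return self.accounts.get(user) == password


@dataclass
class Sacg:
    """Stand-in for the hardware SACG (firewall) that enforces per-IP domains."""
    controller: Controller
    pre_auth: list = field(default_factory=list)
    controlled: list = field(default_factory=list)
    post_auth_ips: set = field(default_factory=set)

    def sync_rules(self):                         # steps 1 and 2
        self.pre_auth, self.controlled = self.controller.deliver_rules()

    def login(self, terminal_ip, user, password): # steps 3 to 6
        ok = self.controller.authenticate(user, password)
        if ok:   # step 5: switch the terminal's IP address to the post-auth domain
            self.post_auth_ips.add(ip_address(terminal_ip))
        return ok                                 # step 6: execution result

    def logout(self, terminal_ip):
        self.post_auth_ips.discard(ip_address(terminal_ip))

    def check_access(self, terminal_ip, dst_ip, now):   # step 7
        src, dst = ip_address(terminal_ip), ip_address(dst_ip)
        if any(dst in net for net in self.pre_auth):
            return True          # pre-authentication domain: reachable before login
        if src not in self.post_auth_ips:
            return False         # unauthenticated terminal: nothing else is reachable
        for rule in self.controlled:              # first matching schedule rule wins
            if rule.matches(dst, now):
                return rule.permit
        if any(dst in net for r in self.controlled for net in r.resources):
            return False         # controlled resource with no matching rule: deny (assumption)
        return True              # other post-authentication resources: permitted


def build_demo():
    """Controller with one constructed account and the two slide rules, synced to a SACG."""
    controller = Controller(
        accounts={"alice": "constructed-password"},   # constructed credential
        pre_auth=PRE_AUTH_RESOURCES,
        controlled=[
            # working hours: "Permit access to only controlled domain resources"
            ControlledRule([SERVICE_SYSTEM], time(9, 0), time(18, 0), permit=True),
            # non-working hours: "Prohibit access to only controlled domain resources"
            ControlledRule([SERVICE_SYSTEM], time(18, 0), time(9, 0), permit=False),
        ],
    )
    sacg = Sacg(controller)
    sacg.sync_rules()
    return sacg


if __name__ == "__main__":
    sacg = build_demo()
    sacg.login("10.1.6.20", "alice", "constructed-password")
    print(sacg.check_access("10.1.6.20", "172.16.1.10", time(10, 0)))  # True
    print(sacg.check_access("10.1.6.20", "172.16.1.10", time(22, 0)))  # False
```

Calling check_access before and after login shows the effect of step 5: the terminal IP is moved into the post-authentication domain, and only then are the controlled-domain schedule rules consulted. Denying a controlled resource that no rule covers is a conservative choice made in this example, not a documented product default.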
Contents
1. SACG Authentication Principles
2. SACG Authentication Configuration and Deployment
 Inline Deployment
 Bypass Deployment

3. SACG Authentication Troubleshooting

SACG Association in Bypass Mode
- Currently, end users of an enterprise can directly access the service system in the data center. As core services increase in the service system, the enterprise requires an access control system.
[Figure: bypass topology with Trust and Untrust zones. Post-authentication domain and pre-authentication domain: DNS server 192.168.3.3/24, SM&SC-1 192.168.1.2/24, SC-2 192.168.1.3/24, service system 172.16.1.10/24, gateway egress. Switch to SACG links: E1/0/4 10.1.4.1/24 to SACG G1/0/1 10.1.4.2/24; E1/0/5 10.1.5.1/24 to SACG G1/0/2 10.1.5.2/24. Other switch interfaces: E1/0/3, E1/0/6; addresses 10.1.3.1/24 and 10.1.6.1/24 (Untrust side).]

Configuration Procedure
Configuration procedure:
1. Configuration planning
2. Basic configuration
3. Switch traffic diversion configuration
4. SACG association parameter setting
   - SACG parameter setting on the firewall
   - SACG parameter setting on the Agile Controller-Campus

Configure Basic Data for Network Connectivity
- Configure basic data for network connectivity.
  - Configure the VLAN and IP address on the switch.
  - Configure the firewall.
    - Configure the firewall's interface IP addresses and security zones.
    - Configure security policies to permit traffic as required.
    - Disable the session status detection function.

Configure the Switch to Divert Traffic
- Configure the switch. Use the port redirection function to forward the traffic received by the switch from terminal hosts to the firewall through Ethernet 1/0/5.
[Switch] acl 3000
[Switch-acl-adv-3000] rule 0 permit ip source 10.1.6.0 0.0.0.255
[Switch] interface Ethernet 1/0/6
[Switch-Ethernet1/0/6] traffic-redirect inbound acl 3000 ip-nexthop 10.1.5.2

Configure the Firewall - Traffic Injection
- Configure a static route for injecting the detected traffic from the firewall to the switch. The next hop of the route is the IP address of the interface on the switch connecting to GE1/0/1.

Configure the Firewall - Association with the Agile Controller-Campus
- Choose Network > TSM Interworking > Basic Configuration. On the Configure TSM Basic Parameter page, click the TSM Server List tab, and add an SC server.
- Configure web authentication URLs. If the AnyOffice is not installed on a terminal, a web authentication page is pushed to the end user.
- Apply TSM interworking policies between zones. The system matches interworking policies when end users attempt to access server resources.

Configure the Agile Controller-Campus - Add a Firewall
- Choose Policy > Permission Control > Hardware SACG > Hardware SACG Configuration. On the Hardware SACG tab page, click Add.

Configure the Agile Controller-Campus - Pre-authentication Domain and Post-authentication Domain
- On the Pre-authentication Domain tab page, click Add, and add resources to the pre-authentication domain.
- On the Controlled Domain tab page, click Add, and add the post-authentication resources to the controlled domain.

Configure the Agile Controller-Campus - Controlled Domain Rules
- On the Post-authentication Domain tab page, click Add, add resources that end users can access only in working hours, and select Permit access to only controlled domain resources in the list.
- Add resources that end users cannot access in non-working hours and select Prohibit access to only controlled domain resources in the list according to the preceding steps.

Configure the Agile Controller-Campus - SACG Policy Group
- Configure a time range. Choose Policy > Permission Control > Policy Element > Schedule, and click Add.
- Configure an SACG policy group. Choose Policy > Permission Control > Hardware SACG > Hardware SACG Policy Group, and click Add.
- Apply the SACG policy group to an account/user group or an IP address segment.

Verify the Result
- If a user successfully passes identity authentication, the user can access the service system in working hours but not in non-working hours.
- On the firewall, choose Network > TSM Interworking > Basic Configuration. On the TSM Server List tab page, check whether the running status of the Agile Controller-Campus is Connected.
- On the firewall, choose Network > TSM Interworking > Online User and Network > TSM Interworking > Role, and check information about online users and user roles respectively.
- On the Agile Controller-Campus, choose Resource > User > Online User Management, and check user login information.
- If a severe violation is detected on a terminal host, the terminal host cannot access networks and a message is displayed, indicating that it needs to be repaired. After being repaired, the terminal host can access networks.

Contents
1. SACG Authentication Principles
2. SACG Authentication Configuration and Deployment
3. SACG Authentication Troubleshooting

Hardware SACG Access Fault
- To locate and rectify the hardware SACG access fault, perform operations according to the following flowchart.
[Flowchart: SACG authentication fails]
1. Check the association between the authentication control device and the Agile Controller-Campus.
   - Check the configuration on the Agile Controller-Campus.
   - Check the configuration on the authentication control device.
   - Check the connectivity between the SC and authentication control device.
   - Check whether the SC address and port are correct.
   - Check whether the traffic between zones is permitted.
   - Check whether the session status detection function of the firewall is disabled.
   - Check whether the key of the SM is the same as that of the authentication control device.
2. Check whether any traffic passes through the firewall.
3. The fault is rectified.

On the Firewall, Check the Association Status with the SC
- Run the display right-manager server-group command to check the association status between the firewall and SC.
<FW> system-view
[FW] right-manager server-group
[FW-rightm] display right-manager server-group
Server-state: Enable
Server-number: 1
Server-ip-address port state master
10.1.4.2 3288 inactive Y
- If the SC server is in an abnormal state or in inactive state, association between the firewall and SC is abnormal.

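The check described above can be scripted so that an inactive SC is flagged automatically when the command output is collected during troubleshooting. The following Python is an added example, not Huawei tooling: it parses text in the format of the display right-manager server-group output shown on this slide (the sample below is constructed from that output), treats "active" as the healthy server state and 3288 as the expected port (both assumptions, since the slide shows only the inactive case), and maps a finding to the checks listed in the troubleshooting flowchart.

```python
import re

# Constructed sample in the format of the command output shown on this slide.
SAMPLE_OUTPUT = """\
Server-state: Enable
Server-number: 1
Server-ip-address port state master
10.1.4.2 3288 inactive Y
"""

# One server row: IPv4 address, port, state word, master flag (Y/N).
ROW_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\S+)\s+(Y|N)$")


def parse_server_group(text):
    """Parse the server-group display into a dict with the header fields and rows."""
    info = {"server_state": None, "server_number": None, "servers": []}
    for raw in text.splitlines():
        line = raw.strip()
        lower = line.lower()
        if lower.startswith("server-state:"):
            info["server_state"] = line.split(":", 1)[1].strip()
        elif lower.startswith("server-number:"):
            info["server_number"] = int(line.split(":", 1)[1].strip())
        else:
            m = ROW_RE.match(line)
            if m:   # the column header line does not match and is skipped
                info["servers"].append({
                    "ip": m.group(1),
                    "port": int(m.group(2)),
                    "state": m.group(3).lower(),
                    "master": m.group(4) == "Y",
                })
    return info


def association_problems(info, expected_port=3288, healthy_state="active"):
    """Return a list of findings; an empty list means the association looks normal."""
    problems = []
    if info["server_state"] != "Enable":
        problems.append(f"server group is not enabled (Server-state: {info['server_state']})")
    if info["server_number"] != len(info["servers"]):
        problems.append(f"Server-number {info['server_number']} does not match "
                        f"{len(info['servers'])} parsed server rows")
    if info["servers"] and not any(s["master"] for s in info["servers"]):
        problems.append("no SC server is marked as master")
    for s in info["servers"]:
        if s["port"] != expected_port:
            problems.append(f"SC {s['ip']} uses port {s['port']}, expected {expected_port}; "
                            "check the SC address and port on the firewall")
        if s["state"] != healthy_state:
            # The flowchart's checks for an abnormal association, in order.
            problems.append(f"SC {s['ip']}:{s['port']} is {s['state']}; check connectivity "
                            "to the SC, the interzone policy, session status detection, "
                            "and that the SM key matches the firewall")
    return problems


if __name__ == "__main__":
    for finding in association_problems(parse_server_group(SAMPLE_OUTPUT)):
        print("FINDING:", finding)
```

Feeding the output of a healthy firewall (state active, matching Server-number) returns an empty list, so the function can gate an automated health check or a ticket template.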
On the Firewall, Check the SC IP Address and Port
- On the firewall, choose Network > TSM Interworking > Basic Configuration, and check the basic configuration of the SC.
- Settings of basic TSM parameters take effect only after Apply is clicked.
- The preceding figure indicates that the connection state of a TSM server is inactive.

On the Firewall, Apply the Interzone Policy
- On the firewall, choose Network > TSM Interworking > Policy, and apply the association policy between the Trust zone to which the uplink interface belongs and the Untrust zone to which the downlink interface belongs.
- Click Add, and add an association policy. Compared with the forwarding policy, the association policy needs to take effect preferentially.
- After the configuration is complete, on the firewall, choose Network > TSM Interworking > Online User, and check whether online users exist. If no online user exists, check whether status detecti

On the Firewall, Disable Status Detection
- On the firewall, choose System > Advanced Settings, and check the configuration of Status Detection.
- Deselect Enable for TCP Status Detection and ICMP Status Detection, and then click Apply to disable status detection.

On the Firewall, Check Whether Any Traffic Passes Through
- Run the display firewall session table command to check whether the traffic from end users passes through the firewall.
- If the session information of end users is not recorded on the firewall, the traffic from end users does not pass through the firewall.
- Check whether the Layer 3 switch diverts the traffic from end users to the firewall through the policy-based routing or port redirection function.

On the Agile Controller-Campus, Check the SACG Status
- On the Agile Controller-Campus, click Dashboard, and check the SACG status.
- Click Suggest, and make adjustments according to the prompts.

On the Agile Controller-Campus, Check the Association with the Firewall
- Choose Policy > Permission Control > Hardware SACG > Hardware SACG Configuration, and check whether the basic configuration of the firewall is correct.

Quiz
1. Which of the following devices is generally used as the SACG for networking? ( )
A. Router
B. Switch
C. Firewall
D. NIP

2. Which of the following are SACG deployment modes? ( )
A. Hardware SACG deployment
B. Software SACG deployment
C. Inline deployment
D. Bypass deployment

Summary
- SACG Authentication Principles
- SACG Authentication Configuration and Deployment
  - Inline Deployment
  - Bypass Deployment
- SACG Authentication Troubleshooting

Thank You
www.huawei.com
