The Delivered Security Check Policy Does Not Take Effect During Portal Authentication Using the AnyOffice

Publication Date: 2015-10-31
Issue Description
The Agile Controller associates with the S7700 switch to control terminals' network access permission. Terminals have the AnyOffice installed and connect to the network in Portal access mode.

An administrator adds a new terminal security check policy, for example, permitting terminals without the 360 antivirus software installed to access only resources defined in ACL 3005. The related authorization policy is delivered based on the ACL number, and the ACL is configured on the switch. 

An end user attempts to connect to the network using a terminal without the 360 antivirus software installed. After the user passes identity authentication, the check result shows that the terminal fails the security check. A related authorization result is delivered, but the authorization result does not take effect.

The authorization rule configuration is as follows:



The authorization result configuration is as follows:



The security policy configuration is as follows:



The configuration on the switch is as follows:


acl number 3005  
description portal 
rule 5 permit ip destination 10.233.128.0 0.0.0.255 
rule 10 deny ip 

web-auth-server HJNY_Controller 
server-ip 10.233.128.68 
port 50200 
shared-key cipher %@%@Yx9!5V)xj'/wS1C;e,,-JO$*%@%@ 
url http://10.233.128.68:8080/portal 

interface Vlanif165 
description WLAN_Guest_user 
ip address 10.233.165.254 255.255.255.0 
web-auth-server HJNY_Controller direct 
authentication portal  
#
Handling Process
Step 1 Connect a user to the network in both wired and wireless mode. The user packets carry the same VLAN tag. The user can pass identity authentication, the policy is successfully delivered, and the authorization result with the ACL defining accessible resources takes effect.

Step 2 Use Wireshark to compare packets obtained in the wired and wireless access modes. The result shows that the Agile Controller delivers the ACL number for user authorization in both modes.



Run the following command on the device to view access user information.

[HJNY-7706-1]dis access-user user-id 26493 

Basic: 
  User ID                         : 26493 
  User name                       : kevin 
  Domain-name                     : default                         
  User MAC                        : d0df-9acf-0d5c 
  User IP address                 : 10.233.165.18 
  User vpn-instance               : - 
  User access Interface           : Wlan-Dbss2:77 
  User vlan event                 : Success        
  QinQVlan/UserVlan               : 0/165 
  User access time                : 2015/06/24 17:00:24 
  User accounting session ID      : HJNY-77000000000001652d8c93026493 
  Option82 information            : - 
  User access type                : WEB   
  AP ID                           : 20 
  AP name                         : ap-20 
  Radio ID                        : 0 
  AP MAC                          : 9404-9ce2-1060 
  SSID                            : HJNY_Guest 
  Online time                     : 386(s) 
  Work group ID                   : default 
  User forward slot               : 1/2 2/2 
  Web-server IP address           : 10.233.128.68 
  Dynamic ACL number(Effective)   : 3005  //The device has received the ACL number from the server.

AAA: 
  User authentication type        : WEB authentication 
  Current authentication method   : RADIUS 
  Current authorization method    : - 
  Current accounting method       : RADIUS

Step 3 The analysis shows that the fault occurs on the wireless side. The possible causes are as follows:
  • The device version has a bug.
  • The ACL delivered on the wireless side does not take effect.
Step 4 Check the configuration of the AP to which the user terminal connects. ACL 3005 is not present on the AP. Run the commit ap 20 command to re-deliver the ACL configuration to the AP, and then connect to the network in wireless mode again. The authorization policy now takes effect.

----End
Root Cause
If the ACL configuration is not re-delivered to the AP after being configured on a switch, the authorization policy delivered by the Agile Controller does not take effect.
Suggestions
After an access control policy is configured for controlling user access in the wireless mode, the access control device such as a switch or AC needs to deliver the configuration to the AP to make the configuration take effect. After the global ACL configuration changes on the access device, the configuration needs to be re-delivered to the AP; otherwise, the ACL does not take effect.
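The check performed in Step 2 and Step 4 can be scripted: parse the "display access-user" output, confirm the controller delivered a dynamic ACL, and for a wireless user verify that the AP actually holds that ACL. This is an added example, not a Huawei tool; the output below is a constructed sample modelled on the article's listing, and the per-AP ACL inventory is a hypothetical input you would have to collect yourself.

```python
import re

# Constructed sample modelled on the "display access-user user-id" output
# quoted in the article (trimmed; not a real capture).
WIRELESS_USER = """\
Basic:
  User ID                         : 26493
  User name                       : kevin
  User access Interface           : Wlan-Dbss2:77
  QinQVlan/UserVlan               : 0/165
  User access type                : WEB
  AP ID                           : 20
  Dynamic ACL number(Effective)   : 3005
AAA:
  User authentication type        : WEB authentication
"""

# Hypothetical inventory of ACL numbers each AP currently holds (how you
# collect it is up to you). Here AP 20 was never sent ACL 3005.
AP_ACLS = {20: {3004}}


def parse_access_user(text):
    """Turn the 'key : value' lines of display access-user into a dict.
    The key is everything before the first colon, so values that contain
    colons (interface names, timestamps) survive intact."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m and m.group(2):          # skips the "Basic:" / "AAA:" headers
            fields[m.group(1)] = m.group(2)
    return fields


def check_dynamic_acl(fields, ap_acls):
    """Reproduce the article's diagnosis as a check.
    Returns (status, acl_number, ap_id); status is one of
    'no_acl', 'wired_ok', 'ap_ok' or 'missing_on_ap'."""
    raw = fields.get("Dynamic ACL number(Effective)", "-")
    if raw == "-":
        return ("no_acl", None, None)          # controller sent no ACL
    acl = int(raw.split()[0])                  # tolerate trailing notes
    if not fields.get("User access Interface", "").startswith("Wlan"):
        return ("wired_ok", acl, None)         # the switch enforces it itself
    ap_id = int(fields["AP ID"])
    if acl in ap_acls.get(ap_id, set()):
        return ("ap_ok", acl, ap_id)
    return ("missing_on_ap", acl, ap_id)       # re-deliver with: commit ap <id>


if __name__ == "__main__":
    print(check_dynamic_acl(parse_access_user(WIRELESS_USER), AP_ACLS))
```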
