Authenticated Terminals Fail to Access Controlled Resources When the Agile Controller Associates with USG5120HSR to Provide the Authentication Function

Publication Date: 2015-10-14
Issue Description
1. SACG in inline mode



2. Symptom 
  • The IP address of PC1 is 10.14.40.4. An end user passes identity authentication on the web page on PC1, but fails to access network resources in the post-authentication domain. In addition, the authentication page is displayed when the end user attempts to access any website.
  • The IP address of PC2 is 10.14.40.3. After an end user passes identity authentication of AnyOffice on PC2, they can access network resources in the post-authentication domain.
3. Software Version

Agile Controller-Campus: V100R001C00SPC308
USG5120HSR firewall: V300R001C00SPC500

4. Key Configuration on the Firewall

right-manager server-group
 default acl 3099
 server ip 10.10.150.238 port 3288 shared-key %$%$UsR&JRz@pB_)f`*z5Zi>GKB9%$%$
right-manager server-group enable
right-manager authentication url http://10.10.150.238:8080/portal

policy interzone trust untrust outbound
 apply packet-filter right-manager
Handling Process
1. Log in to the Agile Controller using web authentication on PC1 and AnyOffice authentication on PC2. After successful authentication, run the display right-manager online-users command on the firewall to view online user information. The command output contains information about the user using AnyOffice authentication but not the user using web authentication.



2. Check the URL and port settings on the firewall. The configured URL and port number are incorrect. Run the right-manager authentication url http://10.10.150.238:8084/auth command to correct the URL and port number, and then log in again. After successful web authentication, the end user can access network resources in the post-authentication domain.
Root Cause
The port number and parameter following the slash (/) in the URL pushed by the firewall differ from those in the switch's Portal link. Follow the instructions in the product documentation when configuring the URL.

The following describes URLs in common scenarios:

  • Run the right-manager authentication url http://10.1.4.2:8088/download command to push a URL for downloading AnyOffice. In this command, 10.1.4.2 is the IP address of the Service Manager (SM).
  • Run the right-manager authentication url http://10.1.4.2:8084/auth command to push a URL for web authentication for small-screen terminals. In this command, 10.1.4.2 is the IP address of the Service Controller (SC).
  • Run the right-manager authentication url http://10.1.4.2:8084/newauth command to push a URL for web authentication for large-screen terminals. In this command, 10.1.4.2 is the IP address of the SC.
Solution
After the Policy Center is upgraded to the Agile Controller, the URL for web authentication changes when the system associates with the firewall.

  • For association between the Policy Center and firewall, the web authentication URL must be set to http://10.10.150.238:8080/auth.
  • For association between the Agile Controller and firewall, the web authentication URL must be set to http://10.10.150.238:8084/auth.

After the authentication page URL is changed from http://10.10.150.238:8080/portal to http://10.10.150.238:8084/auth on the firewall, authenticated terminals can access resources in the post-authentication domain.
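The mismatch above is easy to catch before a user reports it. The following script is an added example, not part of the article or of any Huawei tool: it pulls the right-manager authentication url line out of a firewall configuration and checks its port and path against the values given in the Root Cause and Solution sections. The controller type, the sample configuration and the placeholder shared key are assumptions.

```python
import re
from urllib.parse import urlsplit

# Expected port per portal path, per controller type, as stated in the article:
# Policy Center uses 8080; Agile Controller uses 8084 for /auth and /newauth
# (Service Controller) and 8088 for /download (Service Manager).
EXPECTED_URLS = {
    "policy-center": {"/auth": 8080},
    "agile-controller": {"/auth": 8084, "/newauth": 8084, "/download": 8088},
}

URL_LINE = re.compile(r"^\s*right-manager\s+authentication\s+url\s+(\S+)\s*$")


def extract_auth_url(config_text):
    """Return the URL from the 'right-manager authentication url' line, or None."""
    for line in config_text.splitlines():
        match = URL_LINE.match(line)
        if match:
            return match.group(1)
    return None


def check_auth_url(url, controller="agile-controller"):
    """Compare a pushed URL with the expected port and path; return a list of findings."""
    expected = EXPECTED_URLS[controller]
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "http" or not parts.hostname:
        return ["URL must be of the form http://<host>:<port>/<path>"]
    path = "/" + parts.path.strip("/")
    if path not in expected:
        findings.append(f"path {path} is not a known portal path for {controller} "
                        f"(expected one of {', '.join(expected)})")
    # Check the port independently so a URL like :8080/portal reports both errors.
    wanted_port = expected.get(path, expected["/auth"])
    if parts.port != wanted_port:
        findings.append(f"port {parts.port} does not match the expected {wanted_port}")
    return findings


# Constructed copy of the firewall configuration from the article; the shared key
# is a placeholder, not a real value.
SAMPLE_CONFIG = """\
right-manager server-group
 default acl 3099
 server ip 10.10.150.238 port 3288 shared-key <shared-key>
right-manager server-group enable
right-manager authentication url http://10.10.150.238:8080/portal
"""

if __name__ == "__main__":
    url = extract_auth_url(SAMPLE_CONFIG)
    for finding in check_auth_url(url) or ["URL matches the expected form"]:
        print(f"{url}: {finding}")
```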
Suggestions
When configuring the authentication page URL, follow the instructions in the product documentation. Otherwise, unexpected errors occur and troubleshooting becomes time-consuming.

A successful authentication result does not by itself indicate a user's authorized network access rights. Check the network access rights configured on the firewall or switch.
