Access control is disabled because the SACG is configured with the wrong “right-manager server-group active-num” on Secospace TSM

Publication Date: 2012-09-12
Issue Description
An office finished installing Secospace TSM and ran a test. It found that a client could access the post-authentication domain whether or not it was authenticated. Access control was effectively disabled.
Alarm Information
Handling Process
1. Checked the server status with the command “display right-manager server-group”. The result was active, so the cooperation between the SACG and the server was successful.
2. Checked the configuration: ACL 3099 was applied in the domain.
3. Checked the dialog table and found that the data went through the SACG.
4. Ran the command “display acl 3099” and found that the emergency channel was open. Checked again and found “right-manager server-group active-num 2” configured, although the user had only 1 PC. Deleted this setting, and the problem was solved.
Root Cause
1. Failed to cooperate with the SACG.
2. ACL 3099 was not applied in the post-authentication domain.
3. Policy routing is disabled, so user data does not go through the SACG.
The command “right-manager server-group active-num” sets the minimum number of TSM servers that must be connected to the USG. When the number of active servers is less than this number, the SACG opens the emergency channel.
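The check below is an added example, not part of the original case or Huawei tooling: it audits a saved configuration for the misconfiguration described above, where the active-num threshold is higher than the number of configured TSM servers. The `server ip` line format and the addresses in the sample are assumptions constructed for the example; only the active-num command comes from this page.

```python
import re

# Constructed sample configuration. Only the active-num command is taken from
# the page; the "server ip" line format and addresses are assumptions.
SAMPLE_CONFIG = """\
right-manager server-group
 server ip 192.0.2.10 port 3288
 right-manager server-group active-num 2
"""

ACTIVE_NUM_RE = re.compile(
    r"^\s*right-manager server-group active-num\s+(\d+)\s*$", re.M)
SERVER_RE = re.compile(r"^\s*server ip\s+(\S+)", re.M)


def parse_config(text):
    """Return (active_num or None, set of configured TSM server addresses)."""
    match = ACTIVE_NUM_RE.search(text)
    active_num = int(match.group(1)) if match else None
    return active_num, set(SERVER_RE.findall(text))


def emergency_channel_open(active_num, active_servers):
    """Rule stated on the page: the emergency channel opens when the number
    of active servers is less than active-num."""
    return active_servers < active_num


def audit(text):
    """Flag a threshold that the configured servers can never satisfy."""
    active_num, servers = parse_config(text)
    if active_num is None:
        return []  # no explicit threshold configured, nothing to compare
    findings = []
    if emergency_channel_open(active_num, len(servers)):
        findings.append(
            f"active-num {active_num} exceeds {len(servers)} configured "
            "server(s): the emergency channel stays open even when every "
            "server is active, so access control is bypassed")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```
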