A test site deployed TSM and could initially access the pre-authentication domain, post-authentication domain and isolation domain normally. When it was observed again two hours later, the post-authentication domain and isolation domain could no longer be accessed.
Check the authentication status of the terminal: authentication is successful.
Check the linkage state of the TSM server: SACG/SC communication is successful.
Log in to the USG5100 and check the state of the account rules: the account rule is shown as “role 0”, which is the pre-authentication domain strategy “ACL 3099”, so the post-authentication domain cannot be accessed.
Log in to the TSM management page and inspect how the rules are applied: the department that the user account belongs to is the root department, and its strategy is set to "inherit the superior department strategy". Change it to "custom Settings", choose the corresponding isolation domain and post-authentication domain, and re-link the SACG hardware.
The terminal authenticates again and can access the post-authentication domain normally; the fault is cleared.
Logging in to the SACG and checking the rules while the fault is present shows that, after the terminal passes authentication, the post-authentication domain rules are not applied to the corresponding account; the linkage strategy sometimes fails to take effect.
The root department is the top-level department, so there is no superior department strategy for it to inherit. As a result, the issued strategies sometimes cannot be identified, which causes the control strategy to fail. The top-level department must use a custom strategy.
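
The inheritance gap described above can be audited before it causes an access failure. The following is an added example, not part of the original case and not Huawei tooling: it models departments as a constructed dictionary (every field name is an assumption, not a TSM export format) and goes slightly beyond the case by also flagging child departments that inherit from such a root, on the assumption that they are left with nothing to resolve either.

```python
# Constructed department tree: a hypothetical model of the setting described
# above, NOT a TSM export format. All names and fields are assumptions.
INHERIT, CUSTOM = "inherit", "custom"

SAMPLE_DEPARTMENTS = {
    "root": {"parent": None, "mode": INHERIT, "post_auth": None, "isolation": None},
    "sales": {"parent": "root", "mode": INHERIT, "post_auth": None, "isolation": None},
    "finance": {"parent": "root", "mode": CUSTOM,
                "post_auth": "finance-post", "isolation": "finance-iso"},
    "finance-emea": {"parent": "finance", "mode": INHERIT,
                     "post_auth": None, "isolation": None},
}


def resolve_strategy(departments, name):
    """Follow "inherit" links upward until a department with custom settings.

    Returns (source_department, post_auth, isolation), or None when the chain
    runs past the top department or the custom settings are incomplete.
    """
    seen = set()
    while name is not None:
        if name in seen:
            raise ValueError(f"inheritance loop at {name!r}")
        seen.add(name)
        dept = departments[name]
        if dept["mode"] == CUSTOM:
            if dept["post_auth"] and dept["isolation"]:
                return name, dept["post_auth"], dept["isolation"]
            return None
        name = dept["parent"]
    return None


def audit(departments):
    """Return the departments for which no strategy can be resolved."""
    return sorted(n for n in departments
                  if resolve_strategy(departments, n) is None)


if __name__ == "__main__":
    for dept in audit(SAMPLE_DEPARTMENTS):
        print(f"{dept}: nothing to inherit, set custom domains on the top department")
```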