Continuation. The beginning can be viewed at this link SACG authentication
The SACG uses a firewall as the access control device to perform identity authentication on users attempting to access networks. The firewall is deployed at the data center egress or network egress, which simplifies maintenance.

Inline deployment: uses both the security defense and SACG access control functions of the firewall. This mode has low reliability because it does not provide an emergency channel against SC failures.
Bypass deployment: does not change the existing network structure but requires an additional firewall for access control. This mode has high reliability because it provides an emergency channel to ensure service continuity in case of SC failures.
SACG Association in Inline Mode
Currently, end users of an enterprise can directly access the service system in the data center. As core services increase in the service system, the enterprise requires an access control system and wants to provide security protection for intranet users using the firewall.

The enterprise has the following requirements:
Ensure access security of the service system and prevent external users or insecure terminal hosts from accessing the service system. Only users who have passed identity authentication are allowed to access the service system.
Only allow employees to access the service system (as the core network resource of the enterprise) during working hours.
Based on the network-service-first principle, disable access control if the firewall fails to associate with both SCs.
Use the security functions such as attack defense and antivirus of the firewall to protect intranet users.
To meet the preceding requirements, it is recommended that the firewall be connected to the network through serial connections to function as the hardware SACG of the Agile Controller-Campus and provide security functions. The enterprise's server resources need to be divided into the pre-authentication domain and the post-authentication domain.
A pre-authentication domain defines public network resources that users can access before passing identity authentication, for example, the DNS server, external authentication source, SM, and SC.
A post-authentication domain defines controlled network resources that end users who have passed identity authentication can access, for example, the ERP system, financial system, and database system.
The figure shows the networking diagram, in which the SM and SC-1 are installed on the same server.
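The requirements above amount to a per-flow decision, modelled here in Python as an added example; it is not Agile Controller-Campus or firewall configuration. The subnets, working hours and the default deny for destinations in neither domain are assumptions. The last function lists flows admitted only because both SCs were unreachable, which is what to monitor when access control is disabled on SC failure.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed values for illustration (assumptions, not from the original page).
PRE_AUTH = [ip_network("10.1.1.0/28")]    # DNS, authentication source, SM, SC
POST_AUTH = [ip_network("10.1.2.0/24")]   # ERP, financial, database systems
WORK_DAYS = range(0, 5)                   # Monday..Friday
WORK_START, WORK_END = time(8, 0), time(18, 0)

@dataclass
class Session:
    src: str
    authenticated: bool   # outcome of identity authentication by an SC

def in_domain(dst, domain):
    return any(ip_address(dst) in net for net in domain)

def decide(session, dst, now, sc_reachable):
    """Return (allowed, reason); sc_reachable holds one boolean per SC."""
    if not any(sc_reachable):
        # Requirement 3: the firewall cannot associate with either SC,
        # so access control is disabled (network service first).
        return True, "escape-channel"
    if in_domain(dst, PRE_AUTH):
        return True, "pre-auth-domain"
    if not in_domain(dst, POST_AUTH):
        return False, "no-matching-domain"   # assumed default deny
    if not session.authenticated:
        return False, "not-authenticated"
    in_hours = now.weekday() in WORK_DAYS and WORK_START <= now.time() < WORK_END
    return (True, "post-auth-domain") if in_hours else (False, "outside-working-hours")

def escape_channel_exposure(flows):
    """Flows admitted only because both SCs were unreachable."""
    exposed = []
    for session, dst, now, sc in flows:
        _, reason = decide(session, dst, now, sc)
        would_allow, _ = decide(session, dst, now, [True])
        if reason == "escape-channel" and not would_allow:
            exposed.append((session.src, dst))
    return exposed
```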