Key Points of User Access Authentication Deployment
User access authentication aims to implement user authentication and policy-based control, which involves the following key nodes:
- Authentication point: a device or node responsible for user access authentication.
- Access point: a device or node that determines whether a terminal is allowed to access the network.
- Group policy enforcement point: a device or node that executes group policies used in free mobility.
The conventional access control solution uses NAC authentication and ACLs, and defines an authentication control point on a campus network to perform access authentication and policy control on user terminals. Huawei's access control solution combines the conventional NAC solution with policy association and free mobility to provide a more refined division of device roles in campus network access control.
- Authentication control point: authenticates users and interacts with an authentication server to implement authentication, authorization, and accounting. In the policy association solution, a CAPWAP tunnel is established between the authentication control point and authentication enforcement point to exchange user authentication requests and synchronize user entries.
- Authentication enforcement point: controls user access in the policy association solution by allowing only successfully authenticated users to access the network, and transparently transmits user authentication packets to the authentication control point. User authorization policies can be manually configured on the authentication control point, which will be delivered to the authentication enforcement point.
- Policy enforcement point: a device that enforces control policies. Generally, the authentication control point also acts as the policy enforcement point. For example, in the conventional NAC authentication + ACL solution, an authentication server authorizes ACL information to authenticated users, and the authentication control point performs policy control on users based on the authorized ACL information.
This chapter provides typical examples for deploying user access authentication based on AC deployment solutions, authentication point locations, and policy-based control solutions.
| Deployment Key Point | Description | Recommended Scenario |
|---|---|---|
| AC deployment | Determine the AC deployment solution (native AC, standalone AC, or ACU2 solution) to be used according to Campus Network Connectivity Deployment. | When the native AC solution is used, it is recommended that a switch that provides the native AC function be deployed as the gateway for wired and wireless users. When the standalone AC or ACU2 solution is used, a switch is deployed as the gateway for wired and wireless users. Alternatively, a switch is deployed as the gateway for wired users and a standalone AC or ACU2 card as the gateway for wireless users. In the examples where the standalone AC solution is used, a standalone AC or ACU2 card can be deployed as the gateway and authentication point for wireless users. |
| Wired and wireless authentication points | The devices functioning as user gateways are typically configured as authentication points. | In the standalone AC and ACU2 solutions, it is recommended that a switch be deployed as the gateway for wired users and a standalone AC or ACU2 card as the gateway for wireless users. |
| Policy-based control | Policy-based control solutions include NAC, free mobility, and policy association. | NAC applies to all scenarios that require authentication. Free mobility applies to campus access scenarios to control access rights based on accounts, terminal types, and access modes, ensuring consistent access rights regardless of users' locations. Policy association applies to large-scale campus networks with a large number of widely distributed access devices. If NAC authentication and user access policies are deployed on each access device, the configuration workload is heavy and policies cannot be flexibly adjusted. Policy association (aggregation or core switches function as authentication control points, and access switches function as authentication enforcement points) can be deployed to prevent users from communicating with each other through the access layer before they are authenticated. It can also obtain online user information such as the interfaces on which users go online and the VLANs to which users belong, facilitating maintenance and management. |
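As an added illustration (not from the Huawei document), the following Python models the device roles described above and checks a constructed inventory against them: every user gateway is an authentication point, control points sit at the aggregation or core layer or on an AC, and each access switch is an authentication enforcement point whose CAPWAP peer really is a control point. The `Device` class, role names and device names are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Device roles named in the text; one device may hold several.
GATEWAY = "gateway"
AUTH_CONTROL = "authentication_control_point"      # authenticates users, talks to the AAA server
AUTH_ENFORCE = "authentication_enforcement_point"  # access device, relays authentication packets

@dataclass
class Device:                        # hypothetical inventory record
    name: str
    layer: str                       # "access", "aggregation", "core" or "ac"
    roles: set[str] = field(default_factory=set)
    control_point: str | None = None  # enforcement points: name of their CAPWAP peer

def validate_policy_association(devices: list[Device]) -> list[str]:
    """Return findings that contradict the role rules; an empty list means the design is consistent."""
    by_name = {d.name: d for d in devices}
    findings = []
    if not any(AUTH_CONTROL in d.roles for d in devices):
        findings.append("no authentication control point in the deployment")
    for d in devices:
        if AUTH_CONTROL in d.roles and d.layer not in ("aggregation", "core", "ac"):
            findings.append(f"{d.name}: control point placed at the {d.layer} layer")
        if GATEWAY in d.roles and AUTH_CONTROL not in d.roles:
            findings.append(f"{d.name}: user gateway is not an authentication point")
        if d.layer == "access" and AUTH_ENFORCE not in d.roles:
            findings.append(f"{d.name}: access switch is not an enforcement point; "
                            "unauthenticated users can talk through the access layer")
        if AUTH_ENFORCE in d.roles:
            peer = by_name.get(d.control_point or "")
            if peer is None or AUTH_CONTROL not in peer.roles:
                findings.append(f"{d.name}: CAPWAP peer {d.control_point!r} is not a control point")
    return findings

# Constructed sample inventories (hypothetical names), not taken from the document.
GOOD_DESIGN = [
    Device("core-sw", "core", {GATEWAY, AUTH_CONTROL}),
    Device("acc-sw-1", "access", {AUTH_ENFORCE}, control_point="core-sw"),
    Device("acc-sw-2", "access", {AUTH_ENFORCE}, control_point="core-sw"),
]
BAD_DESIGN = [
    Device("core-sw", "core", {GATEWAY}),                                    # gateway without authentication
    Device("acc-sw-1", "access", {AUTH_ENFORCE}, control_point="core-sw"),   # peer is not a control point
    Device("acc-sw-2", "access", set()),                                     # no enforcement at access layer
]

if __name__ == "__main__":
    for label, design in (("good", GOOD_DESIGN), ("bad", BAD_DESIGN)):
        print(label, validate_policy_association(design) or "OK")
```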