S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.

Understanding Policy Association

Network Architecture

Figure 6-1 shows the policy association network architecture, which consists of three roles: terminal, access device, and control device.

Figure 6-1  Network architecture of policy association
  • Terminal: provides human-machine interfaces for user authentication and resource access. The terminals include PCs, laptops, tablets, and dumb terminals.
  • Access device: a policy enforcement point to implement network access policies for users.
  • Control device: a policy control point to authenticate users and control their access policies.

Control devices and access devices establish connections over Control and Provisioning of Wireless Access Points (CAPWAP) tunnels. They also use these tunnels to complete user association, transmit messages, deliver user authorization policies, and synchronize user information.


Figure 6-2 shows the policy association process.

Figure 6-2  Policy association process
  1. A control device establishes a CAPWAP tunnel with an access device.
  2. After detecting the access of a new user, the access device creates a user association table and saves basic information such as the user and access port.
  3. The access device sends a user association request to the control device.
  4. The control device creates the user association entry, saves the mapping between the user and access device, and sends a user association response to notify the access device of successful association.
  5. The user initiates an authentication request to the control device. The access device forwards the authentication packet between the user and control device.
  6. The control device deletes the user association entry. After the authentication succeeds, the control device generates a complete user entry. At the same time, the control device sends a user authorization request notification to the access device, and delivers the network access policy for the user.
  7. The access device saves the user association entry, enables the specified network access rights for the user, and sends an authorization response to the control device.
  8. The user accesses the specified network resources.

The preceding process occurs after the CAPWAP tunnel is established between the control device and access device. The establishment step is not mentioned in the previous process.
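The following sketch is an added example, not Huawei code. It models steps 2 to 8 as two cooperating tables to show that the access device, as the enforcement point, permits only what the control device has delivered. All class, method, and field names and the sample user data are hypothetical. Denying traffic before authorization and after a failed authentication is a modelling assumption.

```python
# Added illustration, not Huawei code: all names are hypothetical, CAPWAP framing is not modelled.
class ControlDevice:  # policy control point: authenticates users, decides their policy
    def __init__(self, credentials, policies):
        self.credentials, self.policies = credentials, policies  # constructed sample data
        self.association = {}  # user -> access device (step 4)
        self.users = {}        # complete user entries (step 6)

    def associate(self, user, access_device):  # step 4
        self.association[user] = access_device
        return True  # user association response

    def authenticate(self, user, password):  # steps 5 and 6
        access_device = self.association.get(user)
        if access_device is None or self.credentials.get(user) != password:
            return False  # assumption: unknown or failed users get no policy
        del self.association[user]  # association entry replaced by the complete user entry
        self.users[user] = {"access_device": access_device.name, "policy": self.policies[user]}
        return access_device.authorize(user, self.policies[user])  # authorization request


class AccessDevice:  # policy enforcement point: permits only what was delivered to it
    def __init__(self, name, control):
        self.name, self.control = name, control
        self.association = {}  # user -> access port and granted rights

    def user_detected(self, user, port):  # steps 2 and 3
        self.association[user] = {"port": port, "rights": None}
        return self.control.associate(user, self)

    def forward_auth(self, user, password):  # step 5: relay only, no local decision
        return self.control.authenticate(user, password)

    def authorize(self, user, policy):  # step 7
        self.association[user]["rights"] = set(policy)
        return True  # authorization response

    def permits(self, user, resource):  # step 8
        entry = self.association.get(user)
        return bool(entry and entry["rights"] and resource in entry["rights"])


def run_flow(password):
    """Return (allowed before auth, auth result, intranet allowed, finance allowed)."""
    control = ControlDevice({"alice": "s3cret"}, {"alice": ["intranet"]})
    access = AccessDevice("access-1", control)
    access.user_detected("alice", "port-1")
    before = access.permits("alice", "intranet")
    ok = access.forward_auth("alice", password)
    return before, ok, access.permits("alice", "intranet"), access.permits("alice", "finance")
```
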

Updated: 2019-10-21

Document ID: EDOC1000178117
