Configuring the Free Mobility Function
Pre-configuration Task
The free mobility solution controls the network access rights of users. Before the free mobility function is configured on switches, one or more of the 802.1X, MAC address, Portal, and PPPoE authentication modes must already be configured in NAC unified mode. For details, see "NAC Configuration (Unified Mode)" or "PPPoE Configuration" in the S12700 and S12700E V200R019C10 Configuration Guide - User Access and Authentication.
Even if PPPoE authentication is used, the NAC configuration mode needs to be switched to unified mode.
Context
The free mobility function must be configured on each authentication device to implement the free mobility solution.
For details about the configuration on a controller, see the HUAWEI Agile Controller-Campus Product Documentation or HUAWEI iMaster NCE-Campus Product Documentation.
Procedure
- Configure routes between the device and controller.
You are advised to configure static routes or OSPF dynamic routes to implement communication between the device and controller. For details, see "Static Route Configuration" and "OSPF Configuration" in the S12700 and S12700E V200R019C10 Configuration Guide - IP Unicast Routing.
- Perform the following configurations based on the controller type:
- When Agile Controller-Campus is used, run the following command in the system view:
Run group-policy controller ip-address1 [ port-number1 ] [ backup ip-address2 [ port-number2 ] ] password password [ src-ip ip-address3 ] [ vpn-instance vpn-instance-name ]
The free mobility function is enabled.
By default, the free mobility function is disabled.
- When iMaster NCE-Campus is used, run the following commands in the system view:
- Run ip-group service ip-address ip-address [ port port-number ] pki-realm-name pki-realm-name
The IP address of a controller is configured.
By default, no controller IP address is configured.
- Run ip-group service timer heart-beat interval
The interval for sending IP-GROUP channel heartbeat packets is configured.
By default, IP-GROUP channel heartbeat packets are sent at an interval of 5 minutes.
- Run ip-group service timer reconnection interval
The IP-GROUP channel reconnection interval is configured.
By default, the IP-GROUP channel reconnection interval is 1 minute.
- Run ip-group service timer down-delay interval
A delay in responding to the IP-GROUP channel interruption event is configured.
By default, the delay in responding to the IP-GROUP channel interruption event is 30 seconds.
- Run ip-group service timer up-delay interval
A delay in responding to the IP-GROUP channel Up event is configured.
By default, the delay in responding to the IP-GROUP channel Up event is 30 seconds.
- Configure a security group on the controller.
When the controller delivers a UCL group name that the switch does not support, for example, a name containing Chinese characters or special characters, the switch cannot parse the group name. A UCL group name that the switch supports must be consistent with the value of group-name in the ucl-group group-index [ name group-name ] command, cannot be -, --, a, an, or any, and cannot contain any of the following characters: / \ : * ? " < > | @ ' %. Therefore, when configuring a UCL group name on the controller, do not use Chinese characters or special characters.
- Configure group policies on the controller.
- Save the configuration on the controller.
Saving the configuration on a controller is similar to running the save command on the device, which saves all the device configurations (including security groups, access control policies, and QoS policies deployed on the controller) to the configuration file.
If security groups, access control policies, and QoS policies are saved to the device's configuration file, these configurations can be directly restored from the configuration file after the device restarts, and do not need to be requested from the controller. Otherwise, user authentication fails after the device restarts because security groups, access control policies, and QoS policies are not deployed on the device.
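The UCL group name constraint in the security group step above is easy to violate on the controller side, where the name is typed freely. The following pre-check is an added example, not part of this guide or of any Huawei product: it applies the rules stated above (reserved names, forbidden characters, no non-ASCII characters) to a list of planned group names before they are configured on the controller. The function names and the treatment of non-ASCII characters as "Chinese or special characters" are assumptions of this example.

```python
from typing import Dict, List

# Characters the switch rejects in a UCL group name, as listed in this guide.
FORBIDDEN_CHARS = set('/\\:*?"<>|@\'%')
# Names the switch reserves and therefore rejects (exact match, as listed).
RESERVED_NAMES = {"-", "--", "a", "an", "any"}


def check_ucl_group_name(name: str) -> List[str]:
    """Return the reasons the switch would fail to parse `name`.

    An empty list means the name passes every rule stated in the guide.
    """
    problems = []
    if not name:
        problems.append("empty name")
        return problems
    if name in RESERVED_NAMES:
        problems.append(f"reserved name {name!r}")
    bad = sorted(set(name) & FORBIDDEN_CHARS)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    # Assumption of this example: any non-ASCII character (for example a
    # Chinese character) counts as unsupported by the switch.
    non_ascii = "".join(ch for ch in name if ord(ch) > 127)
    if non_ascii:
        problems.append("non-ASCII characters: " + non_ascii)
    return problems


def validate_controller_groups(names: List[str]) -> Dict[str, List[str]]:
    """Map each unsupported name to its problems; supported names are omitted."""
    result = {}
    for name in names:
        problems = check_ucl_group_name(name)
        if problems:
            result[name] = problems
    return result


if __name__ == "__main__":
    # Constructed sample list of planned security group names.
    planned = ["finance_dept", "guest", "sales@hq*", "any", "财务"]
    for name, why in validate_controller_groups(planned).items():
        print(f"reject {name!r}: {'; '.join(why)}")
```

Run the check against the full list of security groups before saving them on the controller; any name it rejects would be delivered to the switch but never parsed into a usable UCL group.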