Configuring Free Mobility
On traditional campus networks, network admission control (NAC) technology is used together with VLAN and ACL technologies to control the network access permissions of users. These technologies must be configured in advance on a large number of authentication switches, which creates a heavy deployment and maintenance workload. The security group-based free mobility solution decouples service policies from IP addresses and changes the one-step matching of access control policies into two-step matching: security groups are first matched based on IP addresses, and access control policies are then matched based on security groups. The mappings between IP addresses and security groups can be dynamically updated as IP addresses are allocated. Users can therefore access a campus network from any location, any VLAN, and any IP network segment, while their network access permissions remain under control.
Configuring Security Groups
Context
A security group is the unit of permission control. Users or network service resources are allocated to different security groups, and the access permissions between security groups are configured to implement user permission management on the network. There are two types of security groups: dynamic security groups, which are used for user authorization, and static security groups, which are used to allocate network service resources.
Configuration Tasks
| Task Description | Deployment Procedure |
|---|---|
| Configuring security groups | |
Configuring Resource Groups
Context
Administrators can specify static IP addresses of servers in security groups to add the servers to security groups. The controller then delivers the static bindings between security groups and servers' IP addresses to devices using NETCONF. However, service resources with overlapping IP addresses cannot be differentiated using security groups.
Resource groups are introduced to address the problem. IP addresses specified in resource groups can overlap, and resource groups can be configured as destination groups of inter-group access control policies.
Configuration Tasks
| Task Description | Deployment Procedure |
|---|---|
| Configuring resource groups | |
Configuring Policy Control
Context
After security groups and resource groups are defined, tenant administrators can define inter-group network-wide access control policies based on the security groups and resource groups. The inter-group policies are presented in a policy matrix. After the policy matrix is defined, tenant administrators can configure policies for controlling access from the source security group to the destination security group or resource group based on the policy matrix.
Configuration Tasks
| Task Description | Deployment Procedure |
|---|---|
| Configuring policy control | |
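The two-step matching described in the overview (IP address to security group, then security group pair to policy), the destination-only resource groups whose addresses may overlap, and the policy matrix are easier to reason about in code. The following is an added illustrative model written for this page; it is not iMaster NCE-Campus or device code. The class and method names, the group names, the IP prefixes, the "permit"/"deny" actions, and the rule that the first matching matrix cell wins when a destination belongs to several resource groups are all assumptions.

```python
import ipaddress

# Constructed model of the free-mobility two-step matching described above.
# Illustrative code, not iMaster NCE-Campus or device code; group names,
# prefixes and policy actions are invented sample values.


class FreeMobilityPolicy:
    """Step 1: IP address -> security group (or resource group for a destination).
    Step 2: (source group, destination group) -> action from the policy matrix."""

    def __init__(self):
        self.static_groups = {}    # static security group -> [ip_network], no overlap allowed
        self.ip_entries = {}       # host address -> dynamic group (IP-security group entry)
        self.resource_groups = {}  # resource group -> [ip_network], overlap allowed, destination only
        self.matrix = {}           # (src_group, dst_group) -> "permit" | "deny"

    def add_static_group(self, name, prefixes):
        nets = [ipaddress.ip_network(p) for p in prefixes]
        for other, other_nets in self.static_groups.items():
            for n in nets:
                for o in other_nets:
                    if n.overlaps(o):
                        # security groups cannot tell overlapping addresses apart, so refuse
                        raise ValueError(f"{n} in {name} overlaps {o} in {other}")
        self.static_groups[name] = nets

    def add_resource_group(self, name, prefixes):
        # resource groups exist precisely so that service addresses may overlap
        self.resource_groups[name] = [ipaddress.ip_network(p) for p in prefixes]

    def bind_user(self, ip, group):
        # dynamic IP-security group entry created when an authenticated user is
        # authorized a group; the address itself plays no role in the policy
        self.ip_entries[ipaddress.ip_address(ip)] = group

    def unbind_user(self, ip):
        # entry removed when the user logs out or the address is reassigned
        self.ip_entries.pop(ipaddress.ip_address(ip), None)

    def security_group_of(self, ip):
        addr = ipaddress.ip_address(ip)
        if addr in self.ip_entries:
            return self.ip_entries[addr]
        for name, nets in self.static_groups.items():
            if any(addr in n for n in nets):
                return name
        return None

    def destination_groups(self, ip):
        """Every group a destination belongs to: its security group (if any),
        then each resource group containing it, in configuration order."""
        addr = ipaddress.ip_address(ip)
        groups = []
        sg = self.security_group_of(ip)
        if sg is not None:
            groups.append(sg)
        groups.extend(name for name, nets in self.resource_groups.items()
                      if any(addr in n for n in nets))
        return groups

    def set_policy(self, src_group, dst_group, action):
        if src_group in self.resource_groups:
            raise ValueError("resource groups may only be destination groups")
        self.matrix[(src_group, dst_group)] = action

    def check(self, src_ip, dst_ip):
        """Return the policy action for a flow, or why no policy applies."""
        src = self.security_group_of(src_ip)
        if src is None:
            return "no-source-group"       # unauthenticated or unknown address
        for dst in self.destination_groups(dst_ip):
            action = self.matrix.get((src, dst))
            if action is not None:
                return action              # first matching matrix cell wins (assumption)
        return "no-policy"


def build_demo():
    """Constructed sample deployment: two dynamic groups, one static group, two overlapping resource groups."""
    p = FreeMobilityPolicy()
    p.add_static_group("ERP_Servers", ["10.1.1.0/24"])
    p.add_resource_group("Printers_HQ", ["10.2.0.0/24"])
    p.add_resource_group("Printers_Lab", ["10.2.0.0/24"])   # same prefix, allowed here
    p.set_policy("Employees", "ERP_Servers", "permit")
    p.set_policy("Guests", "ERP_Servers", "deny")
    p.set_policy("Employees", "Printers_HQ", "permit")
    p.set_policy("Guests", "Printers_Lab", "deny")
    p.bind_user("192.168.10.5", "Employees")   # authenticated in one VLAN
    p.bind_user("192.168.10.6", "Guests")
    return p


if __name__ == "__main__":
    p = build_demo()
    print(p.check("192.168.10.5", "10.1.1.10"))   # permit
    p.unbind_user("192.168.10.5")
    p.bind_user("172.16.3.9", "Employees")        # same user after moving to another segment
    print(p.check("172.16.3.9", "10.1.1.10"))     # still permit: the policy follows the group
    print(p.check("192.168.10.6", "10.1.1.10"))   # deny
    print(p.check("192.168.10.6", "10.2.0.7"))    # deny, matched through Printers_Lab
```

The point of the model is the decoupling: moving the employee from 192.168.10.5 to 172.16.3.9 changes only the IP-security group entry, and the policy matrix is untouched. Overlap is rejected for static security groups but accepted for resource groups, which is why resource groups can only appear on the destination side of the matrix.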
Configuring IP-Security Group Entry Subscription
Context
Unlike the traditional solution, which uses IP address-based static ACL policies, the free mobility solution dynamically associates a user's IP address with a security group after the user is authenticated and then generates a dynamic mapping entry (static security groups and resource groups are configured manually). The policy enforcement device obtains the mappings between IP addresses and security groups and controls user access based on inter-group policies. The entry recording the mapping between an IP address and a security group is called an IP-security group entry.
When iMaster NCE-Campus authorizes a security group to an authenticated user, it records the IP-security group entry and delivers it during authorization to the authentication device through which the user accesses the network. If IP-security group entry subscription is not configured, authentication and policy enforcement must be performed by the same device. To implement security group-based unified policy control in scenarios where authentication points are separated from policy enforcement points, or where multiple authentication points are deployed, IP-security group entry subscription needs to be configured on the policy enforcement points.
Configuration Tasks
| Task Description | Deployment Procedure |
|---|---|
| Configuring IP-security group entry subscription | |
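The consequence of the subscription rule above (an enforcement point that is not the authentication point has no entry for the user unless it subscribes) is shown by the following added simulation. It is illustrative code written for this page, not iMaster NCE-Campus or switch code; the `Controller` and `Device` classes, the device names, the user address, the group names, the one-cell policy matrix, and the behaviours that a late subscriber receives existing entries and that logout revokes entries from subscribers are all assumptions.

```python
# Constructed model of IP-security group entry subscription; illustrative code only,
# not iMaster NCE-Campus or switch code. Device names, addresses, group names and the
# tiny policy matrix are invented sample values.


class Device:
    """An authentication point or policy enforcement point holding IP-security group entries."""

    def __init__(self, name):
        self.name = name
        self.entries = {}   # user IP -> security group

    def install(self, ip, group):
        self.entries[ip] = group

    def revoke(self, ip):
        self.entries.pop(ip, None)

    def enforce(self, src_ip, dst_group, matrix):
        """Enforcement needs the source entry locally; without it no group can be matched."""
        src_group = self.entries.get(src_ip)
        if src_group is None:
            return "unmatched"     # no IP-security group entry for this source on this device
        return matrix.get((src_group, dst_group), "no-policy")


class Controller:
    """Stand-in for the controller: authorizes users and distributes entries."""

    def __init__(self):
        self.entries = {}
        self.subscribers = []   # policy enforcement points that subscribed to entries

    def subscribe(self, device):
        self.subscribers.append(device)
        # a late subscriber receives the entries recorded so far (assumption)
        for ip, group in self.entries.items():
            device.install(ip, group)

    def authorize(self, user_ip, group, auth_device):
        self.entries[user_ip] = group
        auth_device.install(user_ip, group)   # always delivered to the authentication device
        for dev in self.subscribers:          # and to every subscribed enforcement point
            dev.install(user_ip, group)

    def logout(self, user_ip, auth_device):
        # entry withdrawn everywhere it was delivered (assumption)
        self.entries.pop(user_ip, None)
        auth_device.revoke(user_ip)
        for dev in self.subscribers:
            dev.revoke(user_ip)


def run_scenario():
    """Authentication point separated from enforcement points; returns the decisions observed."""
    matrix = {("Employees", "ERP_Servers"): "permit"}
    access_a = Device("access-switch-A")    # authentication point
    core_fw = Device("core-firewall")       # enforcement point, subscribed
    branch_fw = Device("branch-firewall")   # enforcement point, not subscribed

    nce = Controller()
    nce.subscribe(core_fw)
    nce.authorize("192.168.10.5", "Employees", access_a)

    results = {
        "auth_device": access_a.enforce("192.168.10.5", "ERP_Servers", matrix),
        "subscribed": core_fw.enforce("192.168.10.5", "ERP_Servers", matrix),
        "unsubscribed": branch_fw.enforce("192.168.10.5", "ERP_Servers", matrix),
    }
    nce.logout("192.168.10.5", access_a)
    results["after_logout"] = core_fw.enforce("192.168.10.5", "ERP_Servers", matrix)
    return results


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name}: {decision}")
```

Only the authentication device and the subscribed firewall can resolve the source address to the Employees group; the unsubscribed firewall reports "unmatched" because it never received the entry, which is the situation the subscription task is meant to prevent. When checking a deployment, the entries to look for on each enforcement point are exactly the ones installed on the authentication device for the same user addresses.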