Terminal Identification and Policy Automation Design
Overview
On large- and medium-sized campus networks, access terminals include smart terminals (such as PCs and mobile phones) and dumb terminals (such as IP phones, printers, and IP cameras). Currently, terminal management on campus networks faces the following challenges:
- The network management system (NMS) can display only the IP and MAC addresses of access terminals; it cannot tell what kind of device a terminal is. As a result, the NMS cannot manage terminals in a refined manner.
- The service configurations and policies required vary by terminal type, so the administrator has to configure each type of terminal manually, which makes service deployment and operations complex.
To tackle the preceding challenges, Huawei offers the terminal identification and automatic policy delivery solution, which supports the following functions:
- iMaster NCE-Campus can display the type, operating system, and other information of network-wide terminals, including dumb terminals such as printers, IP cameras, e-cards, and access control devices, and can collect and display traffic statistics by terminal type.
- The administrator does not need to manually configure services and policies for each type of dumb terminal (IP phones, printers, IP cameras, and so on) on the campus network. iMaster NCE-Campus identifies terminals automatically and delivers the corresponding admission policies and service configurations to them.
To deploy the terminal identification and automatic policy delivery solution, the network administrator needs to design terminal identification methods and terminal policies.
Terminal Identification Overview
The terminal management function of iMaster NCE-Campus can help identify terminals and display the terminal type, operating system, and manufacturer.
The following table describes terminal identification methods.
Category | Identification Method | Description | Applicable Scenario
---|---|---|---
Passive fingerprint-based identification | MAC OUI | The first three bytes of a MAC address form the Organizationally Unique Identifier (OUI) assigned to the manufacturer. This identifies only the manufacturer, not the device type, and is unreliable for locally administered or randomized MAC addresses. | Identify the device manufacturer only
Passive fingerprint-based identification | HTTP UserAgent | A browser's User-Agent string contains the manufacturer, terminal type, operating system, browser type, and other information. | Identify the following device types: mobile phone, tablet, PC, workstation, and intelligent audio/video terminal
Passive fingerprint-based identification | DHCP Option | Options in a terminal's DHCP packets can be used to classify it, most commonly option 55 (parameter request list), option 60 (vendor class identifier), and option 12 (host name). | Identify the following device types: mobile phone, tablet, PC, workstation, IP camera, IP phone, and printer
Passive fingerprint-based identification | LLDP | LLDP advertisements carry device model information (system name and system description TLVs). | Identify the following device types: IP phone, IP camera, and network device
Passive fingerprint-based identification | mDNS | mDNS packets contain terminal model and service information. | Identify the following device types: Apple device, printer, and IP camera
Active scanning and identification | SNMP Query | The controller queries device information objects (for example sysDescr) in the terminal's SNMP MIB. | Identify the following device types: network device and printer
Active scanning and identification | Nmap | The controller runs Nmap OS and service scans against terminals to infer the terminal model and operating system. | Identify the following device types: PC, workstation, printer, phone, and IP camera
Passive fingerprint-based identification: Network devices collect fingerprints of terminal packets and report the fingerprints to the SDN controller for terminal type identification.
Active scanning and identification: The SDN controller actively detects or scans terminals, and identifies terminal types based on feedback information from the terminals.
When terminals access the network, iMaster NCE-Campus can automatically identify the type, operating system, and manufacturer of the terminals, either by actively scanning terminal information or by using the information collected and reported by network devices.
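The following is an added example, not iMaster NCE-Campus code, of the passive fingerprinting described above: it parses the option TLVs of a DHCP packet (options 12, 53, 55, and 60), matches the vendor class and parameter request list against a fingerprint table, and maps the MAC OUI to a manufacturer while skipping locally administered (randomized) addresses. The OUI table, the fingerprint entries, the "Example" vendor names, and the sample DHCPDISCOVER options are all constructed for the illustration; a real deployment would use the IEEE registry and the controller's fingerprint database.

```python
"""Constructed example: passive DHCP option fingerprinting and MAC OUI lookup.
Illustrative code added to this page, not iMaster NCE-Campus code; the tables
below are made up for the example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical OUI registry entries (real values come from the IEEE MA-L list).
OUI_TABLE = {
    "00:11:22": "ExamplePhone Inc.",
    "a8:bb:cc": "ExampleCam Ltd.",
}

# Hypothetical fingerprint database: (option 60 prefix, option 55 request list, type).
FINGERPRINTS: List[Tuple[str, Tuple[int, ...], str]] = [
    ("ExampleCam/", (1, 3, 6, 12, 15, 42), "IP camera"),
    ("ExamplePhone", (1, 3, 6, 15, 66, 150), "IP phone"),
    ("", (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252), "PC"),
]


@dataclass
class DhcpFingerprint:
    message_type: Optional[int] = None         # option 53
    hostname: str = ""                         # option 12
    vendor_class: str = ""                     # option 60
    param_request_list: Tuple[int, ...] = ()   # option 55


def parse_dhcp_options(options: bytes) -> DhcpFingerprint:
    """Walk the RFC 2132 option TLVs that follow the DHCP magic cookie.
    A truncated option raises ValueError instead of yielding a partial fingerprint."""
    fp = DhcpFingerprint()
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:            # pad: one byte, no length field
            i += 1
            continue
        if code == 255:          # end marker
            break
        if i + 1 >= len(options):
            raise ValueError("option %d has no length byte" % code)
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        if code == 53 and length == 1:
            fp.message_type = value[0]
        elif code == 12:
            fp.hostname = value.decode("ascii", "replace")
        elif code == 55:
            fp.param_request_list = tuple(value)
        elif code == 60:
            fp.vendor_class = value.decode("ascii", "replace")
        i += 2 + length
    return fp


def classify_dhcp(fp: DhcpFingerprint) -> str:
    """Vendor class (option 60) is the stronger signal and is tried first;
    the option 55 parameter request list is the fallback."""
    for prefix, _, kind in FINGERPRINTS:
        if prefix and fp.vendor_class.startswith(prefix):
            return kind
    for _, req_list, kind in FINGERPRINTS:
        if fp.param_request_list == req_list:
            return kind
    return "unknown"


def mac_manufacturer(mac: str) -> str:
    """Map the OUI (first three octets) to a manufacturer. Bit 0x02 of the first
    octet marks a locally administered address (randomized or virtual), whose
    OUI carries no manufacturer information, so the lookup is skipped."""
    octets = mac.lower().replace("-", ":").split(":")
    if len(octets) != 6:
        raise ValueError("expected six octets: %r" % mac)
    if int(octets[0], 16) & 0x02:
        return "locally administered"
    return OUI_TABLE.get(":".join(octets[:3]), "unknown")


def build_options(opts: List[Tuple[int, bytes]]) -> bytes:
    """Encode option TLVs plus the end marker (used to construct sample packets)."""
    return b"".join(bytes([code, len(val)]) + val for code, val in opts) + b"\xff"


def identify(mac: str, dhcp_options: bytes) -> dict:
    fp = parse_dhcp_options(dhcp_options)
    return {"manufacturer": mac_manufacturer(mac), "type": classify_dhcp(fp),
            "hostname": fp.hostname, "vendor_class": fp.vendor_class}


# Constructed DHCPDISCOVER options from a camera whose OUI is in the table above.
SAMPLE_CAMERA_OPTIONS = build_options([
    (53, b"\x01"),                        # DHCPDISCOVER
    (12, b"cam-lobby-01"),
    (60, b"ExampleCam/2.1"),
    (55, bytes([1, 3, 6, 12, 15, 42])),
])

if __name__ == "__main__":
    print(identify("a8:bb:cc:00:00:01", SAMPLE_CAMERA_OPTIONS))
```

Both signals are client-supplied and therefore spoofable: a host can send any vendor class or request list and can set any MAC address. That is why the text pairs identification with admission and authorization policy rather than treating a fingerprint as proof of identity, and why randomized MAC addresses (increasingly the default on phones) make the OUI method unreliable.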
Terminal Identification Method Design
To display terminal types and perform network management based on the terminal types through iMaster NCE-Campus, the network administrator needs to perform the following operations:
- Collect the types of terminals on the network, such as PCs, mobile phones, printers, IP cameras, and access control devices.
- Check whether Portal authentication is deployed on the network.
- Check whether the IP addresses of the terminals are dynamically assigned by the DHCP server or statically assigned.
Based on the collected information, go through the items in the following table and select the required terminal identification methods. Enable every identification method that meets a requirement.
Identification Method | Identifiable Terminal Type | Application Scenario
---|---|---
MAC OUI | All IP terminals (identifying only the device manufacturer) | Common scenarios (authentication, non-authentication, and dynamic/static IP address assignment scenarios)
HTTP UserAgent | Mobile phone, tablet, PC, workstation, intelligent audio/video terminal | Portal authentication scenarios
DHCP Option | Mobile phone, tablet, PC, workstation, IP camera, IP phone, printer | Dynamic IP address assignment scenarios
LLDP | IP phone, IP camera, network device | Common scenarios
mDNS | Apple device, printer, IP camera | Common scenarios
SNMP Query | Network device, printer | On-premises scenarios
Nmap | PC, workstation, printer, phone, IP camera | On-premises scenarios
Determine the terminal identification methods that need to be enabled on iMaster NCE-Campus based on the preceding information. If the network administrator cannot determine the required methods, the following passive fingerprint-based methods are recommended: MAC OUI, HTTP UserAgent, DHCP Option, LLDP, and mDNS.
It is recommended that Nmap be disabled by default because its scan cycle is long. Enable Nmap only if the preceding passive fingerprint-based methods cannot meet requirements.
The network administrator can enable terminal identification and its dependent functions on corresponding devices through iMaster NCE-Campus. Refer to the following table for more information.
Identification Method | Enabled On | Function to Be Enabled at the Same Time
---|---|---
MAC OUI | Access switch and AP | -
HTTP UserAgent | Portal authentication device | -
DHCP Option | Access switch and AP | DHCP snooping needs to be enabled on access switches. By default, DHCP snooping is enabled on APs.
LLDP | Access switch and AP | -
mDNS | Access switch and AP | mDNS snooping needs to be enabled on access switches and APs.
SNMP Query | Controller | -
Nmap | Controller | -
- In non-authentication scenarios, the controller can display information about wired terminals only after the ARP snooping function is enabled on access devices.
- In the deployment scenario where iMaster NCE-Campus communicates with access devices through a NAT device, the terminal identification methods SNMP Query and Nmap are not supported.
- When deploying the terminal identification methods SNMP Query and Nmap, ensure that iMaster NCE-Campus can communicate with terminals.
Terminal Policy Design
The network administrator can use iMaster NCE-Campus to deliver policies to terminals automatically, without manually configuring services and policies for each type of terminal. Terminal policies can be delivered based on the terminal type, operating system, or manufacturer.
The administrator needs to perform the following operations:
- Enable automatic policy delivery based on terminal type. Policies are authorized as part of access authentication, so access authentication must be deployed on access switches and APs. For details about how to select an access authentication mode, see Authentication Technology Selection. In scenarios where dumb terminals are present, MAC address authentication needs to be enabled on access switches and APs, because dumb terminals cannot supply user credentials.
- Enable the terminal identification function for the network. For details, see the preceding section.
- Sort out the types of terminals that require automatic policy delivery on the network, design corresponding authorization policies, and configure the policies on iMaster NCE-Campus.
For details about the policy design logic, refer to the following table.
Condition | Admission Policy | Authorization Policy
---|---|---
Operating system: Android | User admission | Authorize ACL 1
Operating system: iOS | User admission | Authorize ACL 2
Terminal type: printer | Automatic admission | Authorize VLAN 10
Terminal type: IP camera | Automatic admission | Authorize VLAN 20
Terminal type: IP phone | Automatic admission | Authorize VLAN 30; DSCP 48
Terminal type: access control device | Automatic admission | Authorize VLAN 40
Manufacturer: ABC | User admission | Authorize ACL 100
It is recommended that admission and authorization policies be automatically delivered to dumb terminals (such as printers, IP phones, and IP cameras) based on terminal types. This helps implement automatic service provisioning and plug-and-play for dumb terminals.
Figure 3-19 illustrates the process of automatic policy delivery based on terminal types.
On the iMaster NCE-Campus web UI, the administrator enables the terminal identification function, selects terminal types, and specifies corresponding policies. When a terminal accesses the network, the network device can collect the fingerprint information of the terminal and report the information to iMaster NCE-Campus. Then iMaster NCE-Campus automatically matches the information against the terminal fingerprint database, identifies the terminal type, and delivers the corresponding admission and authorization policies to the terminal based on the policies defined by the administrator.
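The following is an added example, not iMaster NCE-Campus code, of the policy matching step described above: the attributes produced by terminal identification are evaluated against an ordered rule list that mirrors the design table, the first matching rule decides admission and authorization, and an audit function checks two design points (automatic admission should be keyed on terminal type, and no rule should be shadowed by a broader earlier rule). The rule format, first-match ordering, the fallback for unidentified terminals, and the `Terminal` and `Rule` names are assumptions made for this illustration.

```python
"""Constructed example of terminal-type-based policy matching.
Illustrative code added to this page, not iMaster NCE-Campus code; the rule
format, ordering semantics and default decision are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Terminal:
    mac: str
    type: str = "unknown"           # attributes as produced by terminal identification
    os: str = "unknown"
    manufacturer: str = "unknown"


@dataclass
class Rule:
    name: str
    match: Dict[str, str]           # every listed attribute must equal its value
    admission: str                  # "automatic" (no credentials) or "user"
    authorization: Dict[str, int]   # e.g. {"vlan": 10}, {"acl": 1}, {"vlan": 30, "dscp": 48}


# Mirrors the design table. Type-based rules for dumb terminals come first so a
# broad manufacturer rule further down cannot capture them.
RULES: List[Rule] = [
    Rule("printer", {"type": "printer"}, "automatic", {"vlan": 10}),
    Rule("ip-camera", {"type": "IP camera"}, "automatic", {"vlan": 20}),
    Rule("ip-phone", {"type": "IP phone"}, "automatic", {"vlan": 30, "dscp": 48}),
    Rule("access-control", {"type": "access control device"}, "automatic", {"vlan": 40}),
    Rule("android", {"os": "Android"}, "user", {"acl": 1}),
    Rule("ios", {"os": "iOS"}, "user", {"acl": 2}),
    Rule("vendor-abc", {"manufacturer": "ABC"}, "user", {"acl": 100}),
]

# Assumed fallback: an unidentified terminal still has to authenticate as a user
# and receives no additional authorization.
DEFAULT_DECISION = ("default", "user", {})


def matches(rule: Rule, t: Terminal) -> bool:
    return all(getattr(t, attr, None) == want for attr, want in rule.match.items())


def decide(t: Terminal, rules: List[Rule] = RULES) -> Tuple[str, str, Dict[str, int]]:
    """Return (rule name, admission, authorization) from the first matching rule."""
    for rule in rules:
        if matches(rule, t):
            return rule.name, rule.admission, dict(rule.authorization)
    return DEFAULT_DECISION[0], DEFAULT_DECISION[1], dict(DEFAULT_DECISION[2])


def audit(rules: List[Rule]) -> List[str]:
    """Design checks on a rule list:
    - automatic admission should be keyed on terminal type (the recommendation
      in the text), not on OS or manufacturer alone;
    - a rule is shadowed, and can never fire, when an earlier rule's conditions
      are a subset of its own."""
    findings: List[str] = []
    for i, rule in enumerate(rules):
        if rule.admission == "automatic" and "type" not in rule.match:
            findings.append("%s grants automatic admission without a terminal type" % rule.name)
        for earlier in rules[:i]:
            if earlier.match.items() <= rule.match.items():
                findings.append("%s is shadowed by %s" % (rule.name, earlier.name))
    return findings


if __name__ == "__main__":
    # Constructed terminals: a printer made by ABC, an Android phone, an unidentified host.
    for t in (Terminal("a8:bb:cc:00:00:01", type="printer", manufacturer="ABC"),
              Terminal("00:11:22:00:00:02", type="mobile phone", os="Android"),
              Terminal("02:1a:2b:3c:4d:5e")):
        print(t.mac, decide(t))
    print("audit:", audit(RULES))
```

Rule order is a design decision: the ABC printer above lands in VLAN 10 with automatic admission because the type rule precedes the manufacturer rule; reversing the list would send it through user admission with ACL 100 instead. Because the fingerprints that feed identification are client-supplied, the VLANs and ACLs granted by automatic admission should be scoped to what the dumb terminal class actually needs.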
When terminal identification is used together with VLAN authorization, disable pre-connection in 802.1X and MAC address authentication scenarios. Otherwise a terminal may obtain an IP address in the pre-connection VLAN and then have to reacquire one after being moved to the authorized VLAN.