User Authentication and Policy Control Solution Design
Authentication Technology Selection
Common authentication technologies include 802.1X, MAC address, and Portal authentication. Table 3-13 lists the differences between these authentication modes.
Item | 802.1X Authentication | MAC Address Authentication | Portal Authentication |
---|---|---|---|
Client requirement | Required | Not required | Not required |
Advantage | High security | No client installation required | Flexible deployment |
Disadvantage | Inflexible deployment | Complex management, because MAC addresses need to be registered | Low security |
Application scenario | Network authentication of office users with high security requirements | Access authentication of dumb terminals such as printers and fax machines | Network authentication of guests with high mobility who carry a variety of terminals |
Based on the characteristics of these authentication technologies, 802.1X authentication is recommended for enterprise employees, Portal authentication for guests, and MAC address authentication for dumb terminals on medium- and large-sized campus networks.
If the customer wants to use more than one authentication mode on the same access point, the hybrid authentication mode is recommended. After the hybrid authentication mode is configured, a terminal can access the network after passing any one of the configured authentication modes. This mode is applicable to scenarios where multiple types of users access the network through one port. For example, if a PC is connected behind an IP phone, you can configure MAC address authentication for the IP phone and 802.1X authentication for the PC on the same port.
Policy Control Solution Design
Policy control is used to control the network resource access rights of access users. Currently, two policy control solutions are available: the traditional NAC solution and Huawei's free mobility solution. In the traditional NAC solution, VLANs and ACLs are delivered to authentication devices to implement access control. Huawei's free mobility solution instead controls user network access rights through topology-agnostic security groups. In this solution, user policies are defined in terms of users and resources rather than network concepts such as IP addresses and VLANs, so administrators do not need to focus on those concepts. Additionally, the controller deploys user policies in a unified manner, which simplifies future maintenance. Table 3-14 compares the two solutions.
Policy Control Solution | Control Mode | Characteristics | Application Scenario |
---|---|---|---|
Traditional NAC solution | VLAN + ACL | | User access locations are fixed. Permission policies are simple. |
Free mobility solution | Security group + inter-group policy | | There are mobile office requirements, and users with different network permissions sit in the same place. The permission policies are complex. |
To sum up, it is recommended that free mobility be used as the policy control solution for large- and medium-sized campus networks. If the customer's existing campus networks do not support this solution, the traditional NAC solution is used.
Traditional NAC Solution Design
- Access Policy Authorization Design
In the traditional NAC solution, policy technologies include configuring static ACL policies on local devices and authorizing dynamic ACL policies through the authentication server. Configuring static ACL policies on local devices essentially means mapping user policies to user IP addresses and planning ACL rules based on these IP addresses to control user permissions. This approach applies to scenarios where the user network scale is small, the locations of user terminals are fixed, and policy requirements are simple. As the network scale increases and policy requirements become more complex, the configuration becomes difficult to set up and maintain. Therefore, for large- and medium-sized campus networks, you are advised to use the authentication server to authorize dynamic ACL policies. In this manner, terminals do not need to be strictly bound to IP addresses and VLAN information, making IP address and VLAN planning flexible. When users are divided into multiple categories, you are advised to restrict the access locations of users, so that users with different permissions access the Internet only in the areas specified by the administrator. This ensures that only the related policies need to be configured on the devices in each specified area. Otherwise, policy configuration and O&M will be difficult.
- Location Selection for Authentication Points and Policy Enforcement Points
The locations of authentication points and policy enforcement points are related to the selected authentication scheme.
- If 802.1X or MAC address authentication (Layer 2 authentication technologies) is used, the authentication point must be on the same network segment as the user host. It is recommended that the access device function as the authentication point and policy enforcement point. If the access layer supports transparent transmission of 802.1X packets, you are advised to deploy policy association. In this case, the gateway functions as the authentication point and policy control point, and the access device functions as the policy enforcement point. This reduces the complexity of policy deployment.
- If Portal authentication (Layer 3 authentication technology) is used, the authentication point can be deployed anywhere as long as it is routable to the user host. For this authentication scheme, you are advised to use the gateway as the authentication point and policy enforcement point. If policy association is deployed, use Layer 2 Portal authentication.
Free Mobility Solution Design
The free mobility solution allows a user to obtain the same network access policy regardless of the user's location and IP address changes on a campus network. When configuring a policy, the administrator does not need to pay attention to IP address ranges of different users, but only needs to focus on the logical access relationships between users and servers.
- Security Group Planning
Different from the traditional IP address-based ACL mode, free mobility is a user language-based solution that logically divides network objects with different permissions into different security groups. Each security group corresponds to one user type or server type. By defining security groups, administrators can describe and organize the source and destination ends of traffic on the network in terms of these groups. Security group planning determines the number of security groups to be created.
Security groups are divided into the following types based on network objects:
- Dynamic security group: consists of users or terminals that can access the network only after authentication.
- Static security group: consists of terminals using fixed IP addresses, including data center servers, interfaces of network devices, and users who access the network using fixed IP addresses without authentication.
A security group can be bound either to multiple authorization rules (to represent dynamic users) or to multiple IP addresses or IP network segments (to represent static resources). The two binding modes differ as follows:
- The IP addresses of users in dynamic security groups are not fixed and are dynamically bound to security groups after user authentication. After user accounts are de-registered, such binding relationships are dynamically canceled. Mapping relationships between users' IP addresses and security groups take effect only when the users are online. Network devices can obtain mapping relationships between IP addresses and security groups (also called IP-security group entries) through authentication points or proactive query from the controller.
- IP addresses of static security groups are fixed. Mapping relationships between IP addresses and security groups are defined by administrators on the controller and then synchronized to the policy enforcement point.
The best solution for designing a server security group is to ensure that servers of the same type or security level are deployed on the same network segment based on proper IP address planning. In addition, ensure that ports on the same server do not provide services of different security levels. For example, do not use one server to provide public network services for the Internet and provide limited resource storage services for the intranet. Otherwise, security groups are hard to define and data leakage may occur.
- Security Group Policy Planning
A security group policy can directly reflect whether two security groups can communicate with each other. When planning a security group policy, you only need to set the security group policy between two groups to permit or deny based on whether the two groups can communicate with each other. The administrator can configure permission policies through an intuitive policy matrix on the controller.
Take the policy direction into account when planning security group policies. Communication between two terminals generally involves packets in both directions.
Traffic from A to B and traffic from B to A are not related to each other. Huawei switches match policies for traffic from A to B and from B to A separately to determine whether to forward the traffic. Therefore, only the source and destination security groups of packets are checked during policy enforcement. If access from A to B is permitted and from B to A is denied, all packets sent from A to B will be permitted, and all packets sent from B to A will be discarded regardless of whether A or B initiates the access. The default policy of switches is permit.
Network access usually requires bidirectional communication. Therefore, to simplify management, you only need to consider the permissions for user security groups to access other users and servers when planning security group policies.
- To prevent users from accessing a security group, you only need to configure a unidirectional deny rule.
- To allow users to access a security group, you only need to configure a unidirectional permit rule.
Assume that A and C are user groups, and B and D are server groups. Members of group A can communicate with those in groups C and D, while members of group C can only communicate with those in group D. Members of group A or group C can communicate within their own group. The corresponding policy design is shown in Table 3-15. Communication between B and D does not pass through the campus network and does not need to be planned, so the policy between B and D is shown as NA in the table. Cells marked Empty need no policy; configuring permit or deny there does not change the control effect.
Table 3-15 Policy plan

Policy | A | B | C | D |
---|---|---|---|---|
A | Permit | Deny | Permit | Permit |
B | Empty | NA | Empty | NA |
C | Deny | Deny | Permit | Permit |
D | Empty | NA | Empty | NA |
The controller allows administrators to configure a rule from a group to the Any group (that is, the default permission of the group), reducing the number of policies that need to be defined and thereby simplifying policy configuration. For example, to implement the row for group A in Table 3-15, an administrator only needs to permit access from group A to the Any group and configure a single policy denying access from group A to group B.
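As an added illustration (not code from the original document or from the controller), the following Python model encodes the unidirectional policy matching, the Empty-cell default and the group-to-Any rule described above, together with the dynamic and static IP-security group bindings from the Security Group Planning section. The server subnets and user IP addresses are constructed.

```python
import ipaddress

PERMIT, DENY, ANY = "permit", "deny", "Any"

class SecurityGroupPolicy:
    """Constructed model of free-mobility enforcement: IP-security group
    lookup (static and dynamic bindings) plus a unidirectional policy matrix."""
    def __init__(self, default=PERMIT):
        self.static = {}        # IPv4Network -> group (static security group)
        self.dynamic = {}       # IPv4Address -> group, valid only while online
        self.rules = {}         # (src_group, dst_group) -> PERMIT or DENY
        self.default = default  # switch default policy is permit

    def bind_static(self, cidr, group):
        self.static[ipaddress.ip_network(cidr)] = group
    def user_online(self, ip, group):
        # Authentication point creates the IP-security group entry at login
        self.dynamic[ipaddress.ip_address(ip)] = group
    def user_offline(self, ip):
        # Entry is cancelled when the user goes offline
        self.dynamic.pop(ipaddress.ip_address(ip), None)
    def group_of(self, ip):
        addr = ipaddress.ip_address(ip)
        if addr in self.dynamic:
            return self.dynamic[addr]
        return next((g for net, g in self.static.items() if addr in net), None)
    def set_rule(self, src, dst, action):
        self.rules[(src, dst)] = action

    def decide(self, src_ip, dst_ip):
        # Only the packet's own source and destination groups are matched;
        # the reverse direction is looked up independently.
        src, dst = self.group_of(src_ip), self.group_of(dst_ip)
        if src is None or dst is None:
            return self.default            # no group entry: device default
        if (src, dst) in self.rules:       # explicit cell in the policy matrix
            return self.rules[(src, dst)]
        if (src, ANY) in self.rules:       # group-to-Any default permission
            return self.rules[(src, ANY)]
        return self.default                # "Empty" cell: device default

def build_table_3_15():
    p = SecurityGroupPolicy()
    p.bind_static("10.1.0.0/24", "B")  # constructed server subnets for B and D
    p.bind_static("10.2.0.0/24", "D")
    for src, dst, act in [("A", ANY, PERMIT), ("A", "B", DENY),
                          ("C", ANY, PERMIT), ("C", "A", DENY), ("C", "B", DENY)]:
        p.set_rule(src, dst, act)
    return p
```

Note that B to A evaluates to permit even though A to B is denied: the reverse direction is an Empty cell, so the device default applies, exactly as the text describes.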
- Location Selection for Authentication Points and Policy Enforcement Points
Typically, the user gateway functions as the authentication point and policy enforcement point when free mobility is deployed. The main reasons are as follows:
- There are a large number of access switches. Configuring the authentication function on each access switch requires a heavy workload and leads to difficulties in management.
- The controller needs to synchronize permission policies to policy enforcement points. If access switches are used as authentication points, the number of policy enforcement points will be greatly increased. This increases the workload and difficulty of device management on the controller and prolongs the policy synchronization time.
To prevent users on a Layer 2 network connected to an upstream user gateway from communicating with each other, you can configure Layer 2 isolation. In this way, communication traffic of the users must pass through the user gateway.
When the free mobility function is deployed, if multiple policy enforcement points exist or authentication points are separated from policy enforcement points, you need to configure IP-security group entry subscription to synchronize IP-security group entries of authentication users between different policy enforcement points and between authentication points and policy enforcement points. For details about the planning, see Table 3-16.
Table 3-16 IP-security group entry subscription configuration plan

User Gateway Location | IP-Security Group Entry Subscription | Description |
---|---|---|
Core switch | Not required. The core switch functions as the only authentication point and policy enforcement point and can synchronize all IP-security group entries. | (1) If a standalone WAC that acts as the wireless user authentication point is connected to the core switch in off-path mode, you can use the controller to configure IP-security group entry subscription for wireless user groups on the core switch. This enables unified policy control for wired and wireless users on the core switch. (2) If the authentication point connected to the user gateway does not support free mobility, you can use the controller to configure IP-security group entry subscription for the authentication users of that authentication point on the user gateway. This achieves unified policy control on the user gateway. |
Aggregation switch | Required. Different aggregation switches function as authentication points and policy enforcement points. The IP-security group entries of authentication users are synchronized between the aggregation switches through subscription. | |