Access Control Design
Overall Access Control Design
In the traditional NAC solution, NAC authentication and ACL policies are implemented. For a campus network, an authentication control point is defined to perform access authentication and policy control on user terminals connected to the campus network. Huawei's access control solution combines the traditional NAC solution with policy association and free mobility to refine the division of device roles in campus network access control.
- Authentication control point: authenticates users and interacts with an authentication server to implement authentication, authorization, and accounting. In the policy association solution, a CAPWAP tunnel is established between the authentication control point and authentication enforcement point to exchange user authentication requests and synchronize user entries.
- Authentication enforcement point: controls user access in the policy association solution. Users can access the network only after being authenticated successfully. In addition, the authentication enforcement point transparently transmits user authentication packets to the authentication control point. The authentication control point can be configured to deliver user authorization policies to the authentication enforcement point.
- Policy enforcement point: is a device that enforces control policies. Generally, the authentication control point functions as the policy enforcement point. For example, in the traditional NAC solution based on NAC authentication and ACL policies, an authentication server authorizes ACL information to authenticated users. The authentication control point then performs policy control on users accessing the network based on the authorized ACL information. The authentication control point and policy enforcement point can be deployed separately. In the following example, a standalone WAC is connected to the core switch in off-path mode; the standalone WAC functions as the wireless authentication control point, and the core switch functions as the wireless policy enforcement point.
Figure 2-56 shows the user access control design for the centralized gateway solution using the recommended networking modes.
NAC Server Selection
In the centralized gateway solution, iMaster NCE-Campus delivers service configurations to campus network devices and implements automatic network deployment. iMaster NCE-Campus can also function as a NAC server, removing the need to deploy an additional NAC server for network access control. When iMaster NCE-Campus functions as a NAC server, it provides the following access control functions:
- Built-in RADIUS server and Portal server components: These components support 802.1X authentication, Portal authentication, MAC address authentication, and MAC address-prioritized Portal authentication.
- Multiple Portal authentication modes: Portal authentication supports user name and password authentication, SMS authentication, and third-party social media authentication.
- Terminal identification: iMaster NCE-Campus can implement automatic MAC address authentication based on terminal identification.
- Free mobility: iMaster NCE-Campus can deliver security group policies to the policy enforcement point, removing the need to configure security group policies on the policy enforcement point. iMaster NCE-Campus can also function as a RADIUS server and allows administrators to specify security group information when configuring authorization results.
Authentication Control Point Selection
In the centralized gateway solution, the authentication control point is deployed as follows:
- It is recommended that the authentication control point for wired user access be deployed on the edge node. When configuring access management for a fabric, you need to configure the authentication control point for wired user access. For details, see "Access Management Design" in Fabric Network Design.
- The authentication control point for wireless user access is deployed on the WAC. For details about the planning and design of the authentication control point for wireless user access, see "WLAN Admission Design" in WLAN Design.
In the centralized gateway solution, you are advised to deploy a VXLAN across core and access layers for fabric networking. If the VXLAN is deployed across core and aggregation layers (for example, in the device reuse and reconstruction scenario), policy association can be deployed between an aggregation switch (functioning as an edge node) and access switch.
- The edge node functions as the authentication control point: it authenticates users and controls how the access switches execute user access policies.
- The access switch functions as the authentication enforcement point to control user access. Users can access the network only after being authenticated successfully.
Authentication Enforcement Point Selection
In the centralized gateway solution, the authentication enforcement point is deployed as follows:
- It is recommended that the wired authentication enforcement point be deployed on an access switch on the campus network so that the access switch can control access of wired user terminals. In the centralized gateway solution, you are advised to deploy a VXLAN across core and access layers for fabric networking. In this way, the edge node can function as both the authentication control point and authentication enforcement point. In a few network device reuse scenarios, the VXLAN is deployed across core and aggregation layers, and an aggregation switch functions as the edge node. In this deployment mode, policy association can be deployed between the edge node and access switch. In this way, the wired authentication control point does not need to be moved down from the edge node to the access switch, the number of wired authentication control points does not increase, and the wired authentication enforcement point that controls access of wired user terminals still sits on the access switch.
- Policy association is designed based on the traditional "WAC + Fit AP" architecture for access control. In this architecture, WACs function as wireless authentication control points and APs as wireless authentication enforcement points. Wireless user authentication information is synchronized between WACs and APs through CAPWAP tunnels. The AP prevents unauthorized users from accessing the campus network.
Policy Enforcement Point Selection
In the centralized gateway solution, the policy enforcement point is deployed as follows:
- It is recommended that the edge node be configured as both the wired authentication control point and wired policy enforcement point to deploy security group policies for free mobility. iMaster NCE-Campus can dynamically generate IP-security group entries and deliver the entries to the edge node based on the security group information configured in the authorization result of wired users. The edge node then enforces security group policies for authorized wired users based on the IP-security group entries.
On a traditional non-virtualized network where multiple authentication control points exist, configure IP-security group entry subscription to synchronize IP-security group entry information between different authentication control points. This ensures that the authentication control points can implement access control based on security group policies across authentication control points when they function as policy enforcement points. On a virtualized network, you do not need to configure IP-security group entry subscription because the VXLAN header encapsulated in user packets carries security group information when user packets are forwarded across authentication control points.
- It is recommended that the border node be used as the wireless policy enforcement point for deploying security group policies for free mobility.
- In the recommended networking where the border node functions as the native WAC, you should configure the border node as both the wireless authentication control point and wireless policy enforcement point for deploying security group policies for free mobility. iMaster NCE-Campus can dynamically generate IP-security group entries and deliver the entries to the border node based on the security group information configured in the authorization result of wireless users. The border node then enforces security group policies for authorized wireless users based on the IP-security group entries.
- In device reuse scenarios, if the existing WAC does not support the free mobility function, the border node to which the WAC connects in off-path mode can be used as the wireless policy enforcement point for deploying security group policies for free mobility. When the border node functions as the wireless policy enforcement point, it is not a wireless authentication control point and cannot obtain IP-security group entry information through user authentication and authorization. Therefore, you need to enable IP-security group entry subscription on the border node.
User Authentication Mode Selection
Common authentication technologies include 802.1X, MAC address, and Portal authentication. Table 2-26 compares these authentication modes and describes their applicable terminal types.
| Item | 802.1X Authentication | MAC Address Authentication | Portal Authentication |
|---|---|---|---|
| Client | Required | Not required | Not required |
| Advantage | High security | | Flexible deployment |
| Disadvantage | Inflexible deployment | MAC address registration required, making management complex | Low security |
| Applicable terminal type | Employees' terminals that need to access the office network and have high security requirements | Dumb terminals such as printers and fax machines | Guest terminals: Generally, guests move frequently, and terminal types are complex. |
MAC address-prioritized Portal authentication: After a user terminal passes Portal authentication, the authentication server caches the user terminal address within a specified period. During this period, the user can directly access the network, without entering the user name and password, as long as they pass MAC address authentication.
Use MAC address-prioritized Portal authentication for guest terminals to improve network experience of guests.
Policy Control Solution Design
Policy control is to control the permissions of users on network resource access. Currently, the traditional NAC solution and Huawei's free mobility solution are available for policy control. Table 2-27 compares the two solutions.
| Policy Control Solution | Control Mode | Characteristics | Application Scenario |
|---|---|---|---|
| Traditional NAC solution | VLAN + ACL | | |
| Free mobility solution | Security group + inter-group policy | Administrators do not need to pay attention to IP address and VLAN assignment. User policies are configured on the controller based on security groups and are automatically delivered to all authentication devices, eliminating the need to perform complex configuration. | |
The free mobility solution is recommended for policy control on large- and medium-sized campus networks. If the existing campus network of the customer does not support the free mobility solution, use the traditional NAC solution.
Traditional NAC Solution Design
In the traditional NAC solution, policies fall into two categories: static ACL policies on local devices and dynamic ACL policies authorized by the NAC server. Essentially, configuring static ACL policies on local devices means mapping user policies to user IP addresses and planning ACL rules based on these addresses to manage and control user permissions. This type of policy applies to scenarios where the user network is small, user terminal locations are fixed, and policy requirements are simple. As the network scale grows and policy requirements become complex, such policies become very complex to configure and difficult to maintain. Therefore, for large- and medium-sized campus networks, you are advised to use the NAC server to authorize dynamic ACL policies. With this approach, terminals do not need to be strictly bound to IP addresses and VLANs, making IP and VLAN planning flexible, as shown in Figure 2-57. When different types of users are present, you are advised to restrict the access locations of the users. That is, users with different permissions access the Internet from their respective areas specified by the administrator, so that only the related policies need to be configured on the devices in each area. Otherwise, policy configuration and O&M become difficult.
Free Mobility Solution Design
Different from the traditional IP address-based ACL mode, free mobility is a user-language-based solution that logically divides network objects with distinct permissions into different security groups. Each security group maps to one user type or one server type. You then define policies governing communication between security groups to implement access control, as shown in Figure 2-58.
iMaster NCE-Campus provides an intuitive policy matrix that allows the administrator to configure security group policies and deliver them to policy enforcement points. Assume that A and C are user groups, and B and D are server groups. Members of group A can communicate with those in groups C and D, while members of group C can only communicate with those in group D. Members of group A or group C can communicate within their own group. The corresponding policy design is shown in Table 2-28. Communication between B and D does not pass through the campus network and does not need to be planned, so the policy between B and D is displayed as NA in the table. Cells marked Empty mean that no policy is configured, or that a permit/deny policy is configured but has no effect on the control result.
| Source/Destination Security Group | A | B | C | D |
|---|---|---|---|---|
| A | Permit | Deny | Permit | Permit |
| B | Empty | NA | Empty | NA |
| C | Deny | Deny | Permit | Permit |
| D | Empty | NA | Empty | NA |
iMaster NCE-Campus allows administrators to configure a rule from a group to the Any group (that is, the group's default permission), reducing the number of policies that need to be defined and thereby simplifying policy configuration. For example, in Table 2-28, an administrator only needs to permit access from group A to the Any group and deny access from group A to group B; access from group A to every other group is then permitted by the default rule.
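The following is an added example, not Huawei's or iMaster NCE-Campus code: it shows how a handful of explicit inter-group rules plus per-group "Any" defaults resolve into the full policy matrix of Table 2-28. The group membership and the rule-store layout are assumptions made for illustration.

```python
"""Expanding free mobility group rules into the Table 2-28 policy matrix."""
from typing import Dict, Tuple

PERMIT, DENY, EMPTY, NA = "Permit", "Deny", "Empty", "NA"

USER_GROUPS = {"A", "C"}
SERVER_GROUPS = {"B", "D"}
ALL_GROUPS = sorted(USER_GROUPS | SERVER_GROUPS)

# Explicit rules keyed by (source, destination); destination "Any" is the
# source group's default permission. Constructed to reproduce Table 2-28.
RULES: Dict[Tuple[str, str], str] = {
    ("A", "B"): DENY,      # the only specific rule group A needs
    ("A", "Any"): PERMIT,  # default permission of group A
    ("C", "A"): DENY,
    ("C", "B"): DENY,
    ("C", "Any"): PERMIT,  # default permission of group C
}

# Table 2-28 as printed in the design, used as the reference result.
EXPECTED = {
    "A": {"A": PERMIT, "B": DENY, "C": PERMIT, "D": PERMIT},
    "B": {"A": EMPTY, "B": NA, "C": EMPTY, "D": NA},
    "C": {"A": DENY, "B": DENY, "C": PERMIT, "D": PERMIT},
    "D": {"A": EMPTY, "B": NA, "C": EMPTY, "D": NA},
}


def lookup(src: str, dst: str, rules: Dict[Tuple[str, str], str] = RULES) -> str:
    """Resolve src->dst: server-to-server traffic never crosses the campus
    network (NA); otherwise a specific rule wins over the source group's Any
    default, and with neither there is no policy (Empty)."""
    if src in SERVER_GROUPS and dst in SERVER_GROUPS:
        return NA
    if (src, dst) in rules:
        return rules[(src, dst)]
    return rules.get((src, "Any"), EMPTY)


def build_matrix(rules: Dict[Tuple[str, str], str] = RULES) -> Dict[str, Dict[str, str]]:
    """Expand the rule store into a full source x destination matrix."""
    return {s: {d: lookup(s, d, rules) for d in ALL_GROUPS} for s in ALL_GROUPS}


def explicit_cells(matrix: Dict[str, Dict[str, str]]) -> int:
    """Count the Permit/Deny cells an administrator would otherwise fill in."""
    return sum(v in (PERMIT, DENY) for row in matrix.values() for v in row.values())


if __name__ == "__main__":
    matrix = build_matrix()
    for src in ALL_GROUPS:
        print(src, " ".join(f"{matrix[src][d]:>6}" for d in ALL_GROUPS))
    print(f"{len(RULES)} rules expand to {explicit_cells(matrix)} Permit/Deny cells")
```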
Terminal Identification Design
On large- and medium-sized campus networks, access terminals include PCs, mobile phones, as well as dumb terminals such as IP phones, printers, and IP cameras. A large number of terminals of different types need to access the campus network, making it difficult to manage them. To ease terminal management, the terminal identification solution offers diversified terminal identification methods. With iMaster NCE-Campus, you can view the summary information about terminals on the entire campus network, including their terminal type and operating system. Based on this information, iMaster NCE-Campus can perform refined management on terminals from multiple dimensions, for example, collecting statistics on and displaying traffic by terminal type and delivering specified authorization policies. Additionally, dumb terminals that usually use MAC address authentication can be automatically admitted through terminal identification, reducing manual configuration workload.
Terminal Identification Method Design
To display terminal types and perform access management based on the terminal types through iMaster NCE-Campus, the network administrator needs to perform the following operations:
- Collect the types of terminals on the network, such as PCs, mobile phones, printers, IP cameras, and access control devices.
- Check whether Portal authentication is deployed on the network.
- Check whether the IP addresses of the terminals are dynamically assigned by the DHCP server or statically assigned.
Based on the collected information, go through Table 2-29 item by item and select the required terminal identification methods. Multiple methods can be selected to identify terminals. You are advised to enable the following passive fingerprint-based identification methods: MAC OUI, HTTP UserAgent, DHCP option, LLDP, and mDNS. Nmap should be disabled by default because its identification period is long; enable it only if the passive fingerprint-based methods cannot meet requirements.
| Identification Method | Identifiable Terminal Type | Application Scenario |
|---|---|---|
| MAC OUI | All IP terminals (identifying only the device manufacturer) | Common scenarios (authentication, non-authentication, and dynamic/static IP address assignment scenarios) |
| HTTP UserAgent | Mobile phone, tablet, PC, workstation; intelligent audio/video terminal | Portal authentication scenarios |
| DHCP Option | Mobile phone, tablet, PC, workstation; IP camera, IP phone, printer | Dynamic IP address assignment scenarios |
| LLDP | IP phone, IP camera, network device | Common scenarios (authentication, non-authentication, and dynamic/static IP address assignment scenarios) |
| mDNS | Apple device, printer, IP camera | Common scenarios (authentication, non-authentication, and dynamic/static IP address assignment scenarios) |
| SNMP Query | Network device, printer | On-premises scenarios |
| NMAP | PC, workstation; printer, phone, IP camera | On-premises scenarios |
Table 2-30 describes the configuration process of each terminal identification method in the virtualization solution for large- and medium-sized campus networks.
| Identification Method | iMaster NCE-Campus Side | Network Side |
|---|---|---|
| MAC OUI | Enable the terminal identification function. | - |
| HTTP UserAgent | Enable the terminal identification function. | Enable the terminal identification information reporting function. |
| DHCP Option | Enable the terminal identification function. | |
| LLDP | Enable the terminal identification function. | This function is enabled by default. |
| mDNS | Enable the terminal identification function. | |
| SNMP Query | | - |
| Nmap | | - |
Terminal Control Policy Design
Terminal identification enables iMaster NCE-Campus to deliver control policies to different types of terminals based on information such as the terminal type, operating system, or manufacturer. The administrator needs to perform the following operations:
- Enable the terminal identification function for the network.
- Configure user access authentication. Authentication and authorization rules are matched based on the identified terminal type.
- Plan authorization policies on iMaster NCE-Campus based on terminal types and deliver corresponding policies after users are authenticated.
Table 2-31 shows an example of policy authorization based on the terminal type, operating system, or manufacturer. For dumb terminals that use MAC address authentication, such as printers, IP phones, and IP cameras, the automatic admission function based on terminal identification can be used. With this function enabled, dumb terminals can be plug-and-play and automatically access the network, eliminating the need to manually enter their MAC addresses on iMaster NCE-Campus.
| Condition | Admission Policy | Authorization Policy |
|---|---|---|
| Operating system 1 | User admission | Authorize ACL 1 |
| Operating system 2 | User admission | Authorize ACL 2 |
| Terminal type: printer | Automatic admission | Authorize VLAN 10 |
| Terminal type: IP camera | Automatic admission | Authorize VLAN 20 |
| Terminal type: IP phone | Automatic admission | Authorize VLAN 30; DSCP 48 |
| Terminal type: access control device | Automatic admission | Authorize VLAN 40 |
| Manufacturer 1 | User admission | Authorize ACL 100 |
When terminal identification is used together with the VLAN authorization policy, you can disable pre-connection in 802.1X and MAC address authentication scenarios to prevent IP address re-assignment to terminals.
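The following is an added example, not iMaster NCE-Campus code, that ties the terminal identification methods of Table 2-29 to the Table 2-31 policy: it merges what several identification methods report about one MAC address into a terminal profile, then matches that profile against an ordered rule list to return the admission mode and authorization result. The OUI prefixes, the method precedence, the rule layout and the sample terminals are all constructed for illustration.

```python
"""Terminal identification results feeding Table 2-31 style policies."""
from typing import Dict, List, Optional, Tuple

# Constructed OUI prefixes, not real IEEE vendor assignments.
OUI_VENDORS = {"00:11:22": "Manufacturer 1", "aa:bb:cc": "Manufacturer 2"}

# Assumed precedence when methods disagree about an attribute: later wins.
METHOD_PRIORITY = ["MAC OUI", "LLDP", "mDNS", "DHCP Option", "HTTP UserAgent"]

# Ordered rules from Table 2-31: (match conditions, admission, authorization).
RULES: List[Tuple[Dict[str, str], str, str]] = [
    ({"os": "Operating system 1"}, "User admission", "Authorize ACL 1"),
    ({"os": "Operating system 2"}, "User admission", "Authorize ACL 2"),
    ({"terminal_type": "printer"}, "Automatic admission", "Authorize VLAN 10"),
    ({"terminal_type": "IP camera"}, "Automatic admission", "Authorize VLAN 20"),
    ({"terminal_type": "IP phone"}, "Automatic admission", "Authorize VLAN 30; DSCP 48"),
    ({"terminal_type": "access control device"}, "Automatic admission", "Authorize VLAN 40"),
    ({"manufacturer": "Manufacturer 1"}, "User admission", "Authorize ACL 100"),
]


def merge_profile(mac: str, reports: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Build a profile from (method, attribute, value) reports. The MAC OUI
    supplies the manufacturer; higher-priority methods override other values."""
    profile = {"mac": mac.lower()}
    vendor = OUI_VENDORS.get(mac.lower()[:8])
    if vendor:
        profile["manufacturer"] = vendor
    for method in METHOD_PRIORITY:
        for reported_by, attr, value in reports:
            if reported_by == method:
                profile[attr] = value
    return profile


def decide(profile: Dict[str, str], user_authenticated: bool) -> Optional[Tuple[str, str]]:
    """First matching rule wins. Automatic admission needs no user credentials
    (plug-and-play dumb terminals); user admission requires successful user
    authentication. No match, or a failed user authentication, returns None
    (assumption: the terminal receives no authorization)."""
    for conditions, admission, authorization in RULES:
        if all(profile.get(key) == value for key, value in conditions.items()):
            if admission == "Automatic admission" or user_authenticated:
                return admission, authorization
            return None
    return None


if __name__ == "__main__":
    # Constructed sample terminals.
    printer = merge_profile("aa:bb:cc:00:00:01", [("DHCP Option", "terminal_type", "printer")])
    pc = merge_profile("00:11:22:00:00:02", [("HTTP UserAgent", "os", "Operating system 1")])
    unknown = merge_profile("de:ad:be:ef:00:03", [])
    print("printer:", decide(printer, user_authenticated=False))   # auto, VLAN 10
    print("pc:", decide(pc, user_authenticated=True))              # user, ACL 1
    print("unknown:", decide(unknown, user_authenticated=True))    # None
```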