Free Mobility
Introduction
Definition
The free mobility solution allows a user to obtain the same network access policy regardless of the user's location and IP address.
On an enterprise network, different network access policies can be configured for users on access devices to meet diversified network access requirements. On traditional campus networks, the network access rights of users are controlled using NAC together with VLAN and ACL technologies, and these controls cannot be decoupled from IP addresses. When a user's IP address changes, the configuration on multiple devices must be changed accordingly, which imposes a heavy maintenance workload.
The free mobility solution solves the following problems facing traditional campus networks:
Decoupling of service policies from IP addresses
Administrators can divide users and resources on the entire network into different security groups and resource groups in multiple dimensions on iMaster NCE-Campus. When predefining service policies, administrators do not need to consider users' actual IP addresses. This decouples service policies from IP addresses.
Centralized management of user information
iMaster NCE-Campus centrally manages authentication and login information about users and obtains mappings between users and users' IP addresses. Non-authentication point devices on the network can synchronize IP-Group entries from iMaster NCE-Campus, and iMaster NCE-Campus delivers the source and destination group information about packets to devices.
Centralized policy management
iMaster NCE-Campus is not only the authentication center on campus networks, but also the management center of service policies. Administrators can centrally manage service policies on policy enforcement points through iMaster NCE-Campus. Once configured, these service policies are automatically delivered to policy enforcement points on the network.
Fundamentals
The free mobility solution defines security groups to match user traffic and enforces specific policies for different types of user traffic. Therefore, comprehensive IP-Group entries must be available on policy enforcement points. This requires that a switch be deployed as both a policy enforcement point and an authentication point.
- The administrator configures inter-group control policies on the entire network. iMaster NCE-Campus delivers the policies along with involved security groups and resource groups to the switch which functions as both a policy enforcement point and an authentication point. The switch generates ACLs based on the policies.
- When a user initiates an authentication request, the switch forwards the authentication request to iMaster NCE-Campus. After the authentication succeeds, iMaster NCE-Campus authorizes a security group to the user based on 5W1H conditions and returns the mapping between the user and security group to the switch.
- The user accesses a service.
- When service access traffic arrives at the switch, the switch enforces an inter-group control policy and determines the service resources accessible to the user based on the security group to which the user belongs and policy matrix.
Deploying the authentication point and the policy enforcement point on the same device imposes strict requirements on network scale and maintenance, and cannot meet complex network requirements. IP-Group entry synchronization solves this problem: iMaster NCE-Campus synchronizes all user information to policy enforcement points in real time, decoupling policy enforcement points from the authentication points that users access.
Typical Scenario
When switches connect to iMaster NCE-Campus, free mobility can be implemented under multiple authentication points. In Figure 3, wired and wireless terminals access the network through aggregation switches, and the aggregation switches function as authentication points. Considering that users connected to different authentication points need to communicate with each other, the core switch functions as a policy enforcement point. After the administrator configures security groups and inter-group control policies on iMaster NCE-Campus, iMaster NCE-Campus delivers the configurations to the aggregation switches and core switch. Since an authentication point and a policy enforcement point are deployed on different switches, you need to enable IP-Group entry subscription on the policy enforcement point.
iMaster NCE-Campus delivers security group information to the authentication points and policy enforcement point after delivering security groups and inter-group control policies to them. After the user is authenticated, iMaster NCE-Campus sends the authorization result to the policy enforcement point based on the configured authorization rules. The policy enforcement point then permits or denies access from the security group to which the user belongs based on the inter-group control policies.
- Configure access authentication on authentication points, including authentication rules, authorization rules, authorization results, and access configuration of authentication points. For details, see Admission Configuration.
- Define security groups or security groups and resource groups to classify users based on their attributes.
- Define a policy matrix based on the defined security groups and resource groups, set access permissions for different users, and deliver inter-group control policies to the policy enforcement point.
- If authentication points and policy enforcement points are deployed on different devices, synchronize IP-Group entries to the policy enforcement points.
Configuring a Security Group
Context
A security group contains a collection of communicating objects on the network. iMaster NCE-Campus authorizes specific security groups to users based on 5W1H conditions. Alternatively, administrators can specify users' IP addresses in security groups. Security groups are authorized to users through Huawei proprietary RADIUS attributes (Attribute 26 to Attribute 160).
A security group assigned through dynamic authorization takes precedence over a manually configured membership. For example, if the user with IP1 is manually added to security group 1 but is authorized to security group 2 through RADIUS, the authentication point places the user in security group 2.
By default, the unknown group and any group are preset on iMaster NCE-Campus. The unknown group contains unknown and unauthenticated users along with specific resources while the any group contains any user or resource. Generally, the any group is used to configure default rules. The any group can be configured only as a destination group and cannot be configured as a source group.
Procedure
- Choose the security group page from the main menu, and click Create to create a security group.
- Click Import to import security groups in batches using an Excel template.
- Click Export to export security groups in batches using an Excel template.
Parameter Description
Parameter | Description
---|---
Name | Name of a security group.
Bypass | Survival security group. When the IP-group channels between policy enforcement points and iMaster NCE-Campus fail, user traffic cannot match a security group. In this case, user traffic matches the specified survival security group, which grants users the network access rights of the survival group. Only one survival group can be configured, and its members must be configured manually.
Members | Information about members in a security group, including the IP address and mask.
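The following Python model, added here as an illustration and not iMaster NCE-Campus or switch code, shows how a policy enforcement point resolves the security group of a source IP address under the rules above: a group learned through RADIUS dynamic authorization beats a manual membership, an address in no group falls into the preset unknown group, and when the IP-group channel is down unmatched traffic falls back to the configured survival (Bypass) group. The longest-prefix rule for overlapping manual entries, and the class and method names, are assumptions; all addresses and group names are constructed sample data.

```python
"""Resolve which security group a policy enforcement point applies to a source IP.

Added illustration, not iMaster NCE-Campus or switch code. Assumption: among
overlapping manual entries the longest prefix wins. Sample data is constructed.
"""
import ipaddress

UNKNOWN = "unknown"   # preset group for unknown and unauthenticated users


class IpGroupTable:
    def __init__(self, bypass_group=None):
        self.manual = []                  # (network, group) from static Members
        self.dynamic = {}                 # ip -> group, learned via RADIUS
        self.bypass_group = bypass_group  # survival group; at most one
        self.channel_up = True            # IP-group channel to iMaster NCE-Campus

    def add_manual(self, cidr, group):
        """Static membership as entered in the Members field (IP address/mask)."""
        self.manual.append((ipaddress.ip_network(cidr, strict=False), group))

    def authorize(self, ip, group):
        """Dynamic authorization result received after successful authentication."""
        self.dynamic[ipaddress.ip_address(ip)] = group

    def deauthorize(self, ip):
        """User logged out: drop the dynamic entry; manual entries are unaffected."""
        self.dynamic.pop(ipaddress.ip_address(ip), None)

    def resolve(self, ip):
        addr = ipaddress.ip_address(ip)
        if addr in self.dynamic:          # dynamic authorization has higher priority
            return self.dynamic[addr]
        # Assumption: among overlapping manual entries the longest prefix wins
        hits = [(net, grp) for net, grp in self.manual if addr in net]
        if hits:
            return max(hits, key=lambda h: h[0].prefixlen)[1]
        if not self.channel_up and self.bypass_group:
            return self.bypass_group      # survival group while the channel is down
        return UNKNOWN


def demo_table():
    """Scenario from the text: IP1 is manually in group1 but authorized to group2."""
    table = IpGroupTable(bypass_group="survival")
    table.add_manual("10.1.1.0/24", "group1")     # constructed sample data
    table.authorize("10.1.1.10", "group2")
    return table


if __name__ == "__main__":
    t = demo_table()
    print(t.resolve("10.1.1.10"))   # group2: dynamic authorization wins over manual
```

Running the module prints `group2` for 10.1.1.10; after `deauthorize` the same address falls back to its manual group, and only an address in no group at all is redirected to the survival group while `channel_up` is false.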
Configuring a Resource Group
Context
Administrators can specify static IP addresses of servers in security groups to add the servers to security groups. iMaster NCE-Campus then delivers the static bindings between security groups and servers' IP addresses to devices using NETCONF. However, service resources with overlapped IP addresses cannot be differentiated based on security groups.
In such cases, resource groups come to the rescue. IP addresses specified in resource groups can overlap, and resource groups can be configured as destination groups of inter-group control policies.
Dumb terminals, data center servers, and authentication-free users do not need to be authenticated when they access the network. Therefore, they cannot be authorized by AAA. In this case, administrators need to specify their static IP addresses in resource groups to add them to resource groups.
However, after resource groups are configured, a policy corresponding to each IP address rather than a resource group will be generated on policy enforcement points. As a result, there are a large number of policies generated on policy enforcement points.
Procedure
- Choose the resource group page from the main menu, and click Create to create a resource group.
- Click Export to export resource groups in batches using an Excel template.
- Click Import to import resource groups in batches using an Excel template.
Parameter Description
Parameter | Description
---|---
Name | Name of a resource group.
Members | Information about the members in a resource group, in the format IP address/mask.
Configuring Inter-Group Policy Control
Context
Tenant administrators can define inter-group control policies based on security groups and resource groups on the entire network. The policies are presented in a policy matrix. After a policy matrix is configured, you can configure an inter-group control policy from a source security group to a destination security group or resource group based on the policy matrix.
An inter-group control policy controls the access rights from the source group to the destination group. When a security group is configured with policies to multiple destination groups, you need to determine which inter-group control policy is matched preferentially based on the policy priority. For example, if a security group is configured with policies to multiple destination resource groups, considering that IP addresses specified in resource groups may overlap, you can manually adjust the priority of a certain inter-group control policy to ensure that the policy is matched first.
If you specify the unknown group as the source and the any group as the destination and set Default rights to Deny in an inter-group control policy, devices will be disconnected and services on the devices are interrupted. Check whether a policy that allows access from the unknown group to the southbound IP address of iMaster NCE-Campus is configured. If not, configure such a policy.
Procedure (Matrix Mode)
- Choose the policy matrix page from the main menu, and click the icon to create a policy matrix.
- Click the icon in the upper right corner and select the matrix mode.
- Select a source security group and a destination group, and click the icon in the box where the destination group column and source group row meet. Alternatively, click the batch creation icon and select source security groups and destination groups to create multiple inter-group control policies in batches. If no control policy is configured between a source security group and a destination group, users who match the source security group are allowed to access the destination group by default.
- Select a specific policy matrix, and click the deployment icon to deploy inter-group control policies on policy enforcement points.
- To modify an inter-group control policy in a policy matrix, move the cursor over the policy and click the edit icon. The policy modification page is displayed. After the policy is modified, click the deployment icon to redeploy the policy.
- After a policy matrix is configured, click Custom View and then Create to create a custom view. Only the inter-group control policies of a specified source security group and destination group are displayed.
Follow-up Procedure
- Click the edit icon to modify a policy matrix.
- Click the delete icon to delete a policy matrix.
- Select a row or column, and click Delete to delete the inter-group control policies in the selected row or column in batches.
Procedure (List Mode)
- Choose the policy matrix page from the main menu, and click the icon to create a policy matrix.
- Click the icon in the upper right corner and select the list mode.
- Click Create. On the page that is displayed, select source security groups and destination groups to create inter-group control policies in batches. If no control policy is configured between a source security group and a destination group, users who match the source security group are allowed to access the destination group by default.
- If a source security group is configured with policies to multiple destination groups, you can adjust the priority of a policy that matches a specific destination group to ensure that the policy is matched first. By default, the priority of inter-group control policies in descending order is as follows: policy destined to a security group > policy destined to a resource group > policy destined to the unknown group > policy destined to the any group. To adjust the priority of an inter-group control policy, select the desired policy, click the edit icon next to the priority value, and set a new priority value.
- After inter-group control policies are configured, select the specified policy matrix and click the deployment icon to deploy the created policies on policy enforcement points.
- To modify an inter-group control policy in a policy matrix, move the cursor over the policy and click the edit icon. The policy modification page is displayed. After the policy is modified, click the deployment icon to redeploy the policy.
Follow-up Procedure
- Click the edit icon to modify a policy matrix.
- Click the delete icon to delete a policy matrix.
Parameter Description
Category | Parameter | Description
---|---|---
Matrix parameters | Matrix name | Name of a policy matrix.
Matrix parameters | Scene | Scenario in which a policy matrix is used. The options are Site Scenarios and Fabric Scenarios. Site Scenarios: the policy matrix takes effect globally; by default, it takes effect on both public and private networks. Fabric Scenarios: the policy matrix takes effect in a specific VN.
Matrix parameters | Select Device | Policy enforcement point where a policy matrix is deployed.
Matrix parameters | VPN instance name | Name of the VPN instance where a policy matrix is deployed. This parameter is valid only when Scene is set to Site Scenarios. When this parameter is disabled, the policy matrix takes effect in the default VPN instance (public VPN).
Matrix parameters | Select a VN | Name of the VN where a policy matrix is deployed. This parameter is valid only when Scene is set to Fabric Scenarios. Only one policy matrix can be created for a VN.
Policy parameters | Source security group | Source security group for policy control.
Policy parameters | Destination group | Destination group for policy control. It can be a security group or a resource group.
Policy parameters | Status | Configuration status of an inter-group control policy. The value can be Enable or Disable.
Policy parameters | Default rights | Access permission from the source security group to the destination group. The value can be Permit or Deny.
Policy parameters | Policy reversion | Whether to enable policy reversion. When enabled, a reverse inter-group control policy is created automatically: access control from the source security group to the destination security group is implemented in one inter-group control policy, and a reverse policy from the destination security group to the source security group is established accordingly. If a resource group is configured as the destination group, no reverse policy is created. If both Reverse Rule and Fine Control Rules are enabled, the source and destination IP addresses in the fine control policy become the destination and source IP addresses in the reverse policy, and the source and destination port numbers are likewise interchanged.
Policy parameters | Refined control rule | Fine control policy, which defines traffic matching rules by specifying parameters such as the IP address, port number, and protocol. The following parameters are involved. Priority: if multiple fine control policies are available, they are matched based on their priorities; a smaller priority value means a higher priority. Source IP Address. Destination IP Address. Protocol: TCP (6), ICMP (1), IGMP (2), IP, IPinIP (4), GRE (47), OSPF (89), UDP (17). Source Port. Destination Port. TCP-FLAG: ACK, ESTABLISHED, FIN, PSH, RST, SYN, URG; iMaster NCE-Campus supports configuring the flags in TCP packet headers between security groups, which is equivalent to specifying the tcp-flag field in the rule command in the ACL view of a switch (this function is for switches only). Action: PERMIT or DENY.
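The following Python model, added as an illustration and not iMaster NCE-Campus or switch code, ties together the matching behaviour described in the inter-group policy context, the list-mode priority order and the parameter table: the implicit lookup order (policy to a security group > to a resource group > to the unknown group > to the any group), a manual priority override for overlapping resource groups, the default permit when no policy exists between two groups, fine control rules matched in ascending priority value, a reverse policy with interchanged ports, and the unknown-to-any Deny case that needs an explicit permit towards the controller. It assumes that fine control rules are evaluated before the policy's Default rights, that destination membership comes from static members, and that a manually set priority ranks ahead of all implicit tiers; the class names, group names, addresses and rules are constructed.

```python
"""Evaluate inter-group control policies the way a policy enforcement point would.

Added illustration, not iMaster NCE-Campus or switch code. Assumptions: fine
control rules are checked by ascending priority value before Default rights
apply; destination membership is taken from static members; the any group
matches every destination and unknown matches a destination in no group.
All group names, addresses and rules are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ANY, UNKNOWN = "any", "unknown"       # preset groups


@dataclass
class Rule:
    """One refined control rule: protocol/port matching with an action."""
    priority: int                      # smaller value is matched first
    action: str                        # "PERMIT" or "DENY"
    protocol: Optional[int] = None     # IP protocol number; None = any
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, protocol, src_port, dst_port):
        wanted = ((self.protocol, protocol), (self.src_port, src_port), (self.dst_port, dst_port))
        return all(want is None or want == got for want, got in wanted)


@dataclass
class Policy:
    src: str                           # source security group
    dst: str                           # destination security or resource group
    default: str                       # Default rights: "PERMIT" or "DENY"
    rules: list = field(default_factory=list)
    priority: Optional[int] = None     # manual override; None = implicit ordering

    def reverse(self):
        """Reverse policy: src/dst swapped and ports interchanged in fine rules."""
        rules = [Rule(r.priority, r.action, r.protocol, r.dst_port, r.src_port) for r in self.rules]
        return Policy(self.dst, self.src, self.default, rules, self.priority)


class EnforcementPoint:
    def __init__(self, security_groups, resource_groups):
        nets = lambda m: {g: [ipaddress.ip_network(c) for c in cidrs] for g, cidrs in m.items()}
        self.sec, self.res = nets(security_groups), nets(resource_groups)
        self.policies = []

    def add(self, policy, reverse=False):
        self.policies.append(policy)
        if reverse and policy.dst not in self.res:   # no reverse policy towards a resource group
            self.policies.append(policy.reverse())

    def dst_groups(self, ip):
        """All groups containing the destination; unknown if none; any always."""
        addr = ipaddress.ip_address(ip)
        groups = {g for table in (self.sec, self.res)
                  for g, nets in table.items() if any(addr in n for n in nets)}
        return (groups or {UNKNOWN}) | {ANY}

    def rank(self, policy):
        if policy.priority is not None:
            return (0, policy.priority)              # manually adjusted priority first
        tier = {ANY: 4, UNKNOWN: 3}.get(policy.dst, 2 if policy.dst in self.res else 1)
        return (tier, 0)

    def evaluate(self, src_group, dst_ip, protocol=None, src_port=None, dst_port=None):
        groups = self.dst_groups(dst_ip)
        candidates = [p for p in self.policies if p.src == src_group and p.dst in groups]
        if not candidates:
            return "PERMIT"                          # no policy between the groups
        policy = min(candidates, key=self.rank)
        for rule in sorted(policy.rules, key=lambda r: r.priority):
            if rule.matches(protocol, src_port, dst_port):
                return rule.action
        return policy.default


def build_sample():
    """Constructed sample matrix (not a real deployment)."""
    pep = EnforcementPoint(
        security_groups={"employees": ["10.10.0.0/16"], "hr": ["10.11.0.0/16"],
                         "nce": ["192.0.2.10/32"]},          # controller southbound IP
        resource_groups={"erp": ["10.20.0.0/16"], "erp-db": ["10.20.5.0/24"]},  # overlap
    )
    pep.add(Policy("employees", "erp", "PERMIT"))
    # erp-db overlaps erp: give its policy an explicit priority so it is matched first,
    # and only allow the database port inside it
    pep.add(Policy("employees", "erp-db", "DENY", priority=1,
                   rules=[Rule(10, "PERMIT", protocol=6, dst_port=3306)]))
    # HR may reach employees on HTTPS only; reversal yields employees -> hr with ports swapped
    pep.add(Policy("hr", "employees", "DENY", rules=[Rule(1, "PERMIT", protocol=6, dst_port=443)]),
            reverse=True)
    pep.add(Policy(UNKNOWN, "nce", "PERMIT"))       # keep the controller reachable ...
    pep.add(Policy(UNKNOWN, ANY, "DENY"))           # ... before denying unknown -> any
    return pep


if __name__ == "__main__":
    pep = build_sample()
    print(pep.evaluate("employees", "10.20.5.7", protocol=6, dst_port=3306))  # PERMIT
    print(pep.evaluate(UNKNOWN, "10.10.0.9"))                                 # DENY
```

With this matrix, traffic from employees to an address in both erp and erp-db is judged by the erp-db policy because of its manual priority, an unknown user still reaches the controller address while every other destination is denied, and an employee-to-HR flow is permitted only when its source port is 443, which is what the reversed fine rule expresses.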
Configuring IP-Security Group Entry Subscription
Context
On a fabric, a VXLAN network is constructed between user access devices and network resource access devices, and VXLAN packets on the network carry the information about security groups to which authenticated users belong. When an authenticated user accesses network resources through VXLAN tunnels, a network resource access device decapsulates the VXLAN packets forwarded on the network, identifies the security group to which the user belongs, and authorizes the user using a locally configured inter-group control policy. In such cases, IP-security group entry subscription is not required.
On an agile campus network, if authentication points and policy enforcement points are deployed on different devices, IP-security group entries of authenticated users need to be synchronized to policy enforcement points. In this case, tenant administrators need to configure IP-security group entry subscription on iMaster NCE-Campus, that is, enable iMaster NCE-Campus to synchronize IP-security group entries of a subnet or security group to a specific policy enforcement point.
When users initiate authentication requests and access authentication points, the authentication points send the requests to the authentication server using RADIUS. The authentication server then authorizes security groups to the users, records the mappings between users' IP addresses and security groups, and then sends the IP-security group entries to the IP-security group component of iMaster NCE-Campus through the HTTP/2 channel. The IP-security group component then delivers the IP-security group entries to specific policy enforcement points if IP-security group entry subscription is configured.
Procedure
- Choose the IP-security group entry subscription page from the main menu, and click Create to configure IP-security group entry subscription.
- Click Full Delivery to deliver all IP-security group entries to the policy enforcement points added to the IP-security group entry subscription list.
- Choose the IP-security group entry page from the main menu to view IP-security group entries.
Parameter Description
Parameter | Description
---|---
Subscribed device | Device that subscribes to IP-security group entries.
Push node | IP-security group entries are synchronized to the primary iMaster NCE-Campus node.
Security group | Security group whose IP-security group entries are subscribed.
Subscribed subnet | Subnet whose IP-security group entries are subscribed. If IP-security group entries in both subnets and security groups are subscribed, information is synchronized to the device as long as either the security group subscription condition or the subnet subscription condition is met.
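The following Python snippet, added as an illustration and not iMaster NCE-Campus code, shows the selection rule of the Subscribed subnet parameter: a subscribed device receives an IP-security group entry when either its security group subscription or its subnet subscription matches, and Full Delivery replays every known entry against the subscription list. The function and class names are assumptions; device names, groups and addresses are constructed sample data.

```python
"""Select the IP-security group entries synchronized to each subscribed device.

Added illustration, not iMaster NCE-Campus code. Device names, security
groups and addresses are constructed sample data.
"""
import ipaddress


class Subscription:
    def __init__(self, device, security_groups=(), subnets=()):
        self.device = device
        self.security_groups = set(security_groups)
        self.subnets = [ipaddress.ip_network(s) for s in subnets]

    def wants(self, ip, group):
        """Entry matches the group subscription OR the subnet subscription."""
        addr = ipaddress.ip_address(ip)
        return group in self.security_groups or any(addr in n for n in self.subnets)


def push_entry(subscriptions, ip, group):
    """Incremental delivery of one newly learned entry; returns receiving devices."""
    return [s.device for s in subscriptions if s.wants(ip, group)]


def full_delivery(subscriptions, entries):
    """Full Delivery: replay all entries; returns {device: [(ip, group), ...]}."""
    out = {s.device: [] for s in subscriptions}
    for ip, group in entries:
        for device in push_entry(subscriptions, ip, group):
            out[device].append((ip, group))
    return out


# Constructed sample data: authenticated users and their authorized groups
ENTRIES = [("10.1.1.10", "employees"), ("10.1.2.20", "guests"),
           ("10.3.0.5", "employees"), ("10.3.0.6", "contractors")]

SUBSCRIPTIONS = [
    Subscription("core-1", security_groups={"employees"}),                        # group only
    Subscription("core-2", subnets=["10.3.0.0/24"]),                              # subnet only
    Subscription("core-3", security_groups={"guests"}, subnets=["10.3.0.0/24"]),  # either
    Subscription("core-4"),                                                       # nothing
]

if __name__ == "__main__":
    for device, got in full_delivery(SUBSCRIPTIONS, ENTRIES).items():
        print(device, got)
```

core-3 illustrates the OR semantics: it receives the guest entry through its group subscription and the two 10.3.0.0/24 entries through its subnet subscription, while core-4, which subscribes to nothing, receives no entries at all.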