Configuring Free Mobility
On traditional campus networks, network admission control (NAC) technology is used together with VLAN and ACL technologies to control the network access permissions of users. These technologies must be configured in advance on a large number of authentication switches, which creates a heavy deployment and maintenance workload. The security group-based free mobility solution decouples service policies from IP addresses and replaces the one-step matching of access control policies with two-step matching: a packet's IP addresses are first matched to security groups, and access control policies are then matched based on those security groups. Because the mappings between IP addresses and security groups are updated dynamically as IP addresses are allocated, users can access the campus network from any location, any VLAN, and any IP network segment while their network access permissions remain under control.
Configuring Security Groups
Context
A security group is an entity unit for permission control. Users or network service resources are allocated to different security groups. The access permissions between security groups are configured to implement user permission management on the network. There are two types of security groups: dynamic security groups that are used for user authorization and static security groups that are used to allocate network service resources.
Configuration Tasks
| Description | Operation Procedure |
|---|---|
| Configuring security groups | Define security groups on the free mobility configuration page of iMaster NCE-Campus. |
Configuring Resource Groups
Context
Administrators can specify static IP addresses of servers in security groups to add the servers to security groups. The controller then delivers the static bindings between security groups and servers' IP addresses to devices using NETCONF. However, service resources with overlapping IP addresses cannot be differentiated using security groups.
Resource groups are introduced to address the problem. IP addresses specified in resource groups can overlap, and resource groups can be configured as destination groups of inter-group access control policies.
Configuration Tasks
| Description | Operation Procedure |
|---|---|
| Configuring resource groups | Define resource groups on the free mobility configuration page of iMaster NCE-Campus. |
Configuring Policy Control
Context
After security groups and resource groups are defined, tenant administrators can define inter-group network-wide access control policies based on the security groups and resource groups. The inter-group policies are presented in a policy matrix. After the policy matrix is defined, tenant administrators can configure policies for controlling access from the source security group to the destination security group or resource group based on the policy matrix.
Configuration Tasks
| Description | Operation Procedure |
|---|---|
| Configuring policy control | Create a policy matrix on the free mobility configuration page of iMaster NCE-Campus. |

The policy matrix for the fabric scenario can be delivered only to the authentication control point configured on the Access Management page of the fabric network. In the centralized gateway solution where the border node functions as the native WAC, the authentication control point is not configured on the Access Management page of the fabric network. Therefore, you are advised to create two policy matrices with the same policies, one for the fabric scenario and one for the site scenario. The policy matrix for the fabric scenario is delivered to the edge node, whereas the one for the site scenario is delivered to the border node.
Configuring IP-Security Group Entry Subscription
Context
Unlike the traditional solution, which uses IP address-based static ACL policies, the free mobility solution dynamically associates a user's IP address with a security group after the user is authenticated and generates a dynamic mapping entry (the mappings for static security groups and resource groups are configured manually). The policy enforcement point obtains the mappings between IP addresses and security groups and controls user access based on inter-group policies. The entry recording the mapping between an IP address and a security group is called an IP-security group entry.
When iMaster NCE-Campus authorizes a security group to an authenticated user, it records the IP-security group entry and delivers it, as part of the authorization, to the authentication point through which the user accesses the network. If IP-security group entry subscription is not configured, authentication and policy enforcement must be performed by the same device. To implement security group-based unified policy control in scenarios where authentication points are separated from policy enforcement points, or where multiple authentication points are deployed, IP-security group entry subscription needs to be configured on the policy enforcement points.
In the virtualization solution, the user authentication point and policy enforcement point are usually deployed on edge nodes. IP-security group entry information is synchronized between edge nodes through VXLAN packet headers, so IP-security group entry subscription does not need to be configured. However, in some scenarios, such as when a standalone WAC acting as the wireless user authentication point is connected to a switch in off-path mode, you can use the controller to configure IP-security group entry subscription for wireless user groups on the switch. This enables unified policy control for wired and wireless users on the switch.
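As an added illustration (not part of the iMaster NCE-Campus documentation or product code), the following Python model shows the two-step matching described at the start of this page and why an enforcement point that is separate from the authentication point needs IP-security group entries pushed to it. The class names, group names, addresses and the push-style subscription interface are assumptions made for this example, not the controller's or the device's actual interfaces.

```python
import ipaddress

PERMIT, DENY = "permit", "deny"
class PolicyEnforcementPoint:
    """Two-step matching: IP -> security group, then (src group, dst group) -> action."""
    def __init__(self, static_bindings, policy_matrix):
        self.static = [(ipaddress.ip_network(p), g) for p, g in static_bindings]  # static groups
        self.matrix = policy_matrix      # {(src_group, dst_group): action}
        self.dynamic = {}                # IP-security group entries learned from authentication points
    def on_ip_sg_entry(self, ip, group):
        self.dynamic[ipaddress.ip_address(ip)] = group
    def on_ip_sg_entry_removed(self, ip):
        self.dynamic.pop(ipaddress.ip_address(ip), None)
    def group_of(self, ip):
        addr = ipaddress.ip_address(ip)
        if addr in self.dynamic:         # step 1a: dynamic entry of an authenticated user
            return self.dynamic[addr]
        hits = [(n.prefixlen, g) for n, g in self.static if addr in n]
        return max(hits)[1] if hits else None   # step 1b: longest matching static prefix
    def decide(self, src_ip, dst_ip):
        src, dst = self.group_of(src_ip), self.group_of(dst_ip)
        if src is None or dst is None:   # one side has no group: fall back to deny
            return DENY
        return self.matrix.get((src, dst), DENY)   # step 2: policy matrix lookup

class AuthenticationPoint:
    """Pushes IP-security group entries to the enforcement points subscribed to it (assumed model)."""
    def __init__(self, subscribers):
        self.subscribers = list(subscribers)
    def authorize(self, ip, group):
        for pep in self.subscribers:
            pep.on_ip_sg_entry(ip, group)
    def logoff(self, ip):
        for pep in self.subscribers:
            pep.on_ip_sg_entry_removed(ip)

def run_scenario():
    # Constructed sample data: one inter-group policy matrix and one static server group.
    matrix = {("RD_Users", "RD_Servers"): PERMIT, ("Guests", "RD_Servers"): DENY}
    servers = [("10.100.0.0/24", "RD_Servers")]
    subscribed = PolicyEnforcementPoint(servers, matrix)
    unsubscribed = PolicyEnforcementPoint(servers, matrix)  # enforces, but never learns entries
    auth = AuthenticationPoint([subscribed])
    auth.authorize("10.1.1.5", "RD_Users")                  # R&D user authenticates on segment A
    r = {"rd_segment_a": subscribed.decide("10.1.1.5", "10.100.0.10")}
    auth.logoff("10.1.1.5")
    auth.authorize("10.2.7.9", "RD_Users")                  # same user re-authenticates on segment B
    r["rd_segment_b"] = subscribed.decide("10.2.7.9", "10.100.0.10")
    r["stale_ip"] = subscribed.decide("10.1.1.5", "10.100.0.10")
    r["no_subscription"] = unsubscribed.decide("10.2.7.9", "10.100.0.10")
    return r
```

The user keeps the same permission after moving to a new IP segment because the policy is keyed on the group, not the address, while the enforcement point that never received the entries can only apply the default action.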
Configuration Tasks
| Description | Operation Procedure |
|---|---|
| Configuring IP-security group entry subscription | Configure IP-security group entry subscription on the free mobility configuration page of iMaster NCE-Campus. |