Free Mobility
Fundamentals
Traditional campus networks use ACLs to control user policies. ACL-based policy configuration depends on the networking, IP address planning, and VLAN planning. ACL rules must be changed whenever the network topology, VLAN plan, IP address plan, or user location changes. Therefore, user policy configuration cannot be decoupled from the physical network. This results in poor flexibility and poor maintainability in policy control.
Against this backdrop, Huawei provides the free mobility solution, which implements policy control based on user identities. This solution ensures that consistent access policies are enforced for users on the campus network regardless of their access locations and IP addresses. The free mobility solution abstracts IP-based policies into policies expressed in terms of users, which are implemented based on security groups. It abstracts network objects of the same type that require the same access rights into one security group. For example, users in the R&D department require the same rights to access network resources, so an R&D group can be defined for hosts in the R&D department. Similarly, a printer group can be defined for all printers in the enterprise.
After defining security groups to classify network objects, you can configure security group policies to define the network services that the security groups can use. On iMaster NCE-Campus, the administrator uniformly plans network services for security groups on a two-dimensional (source group by destination group) matrix, including access rights and applications. The free mobility solution solves the problems facing traditional campus networks in the following ways:
- Decoupling service policies from IP addresses: On iMaster NCE-Campus, the administrator can divide network-wide users and resources into different security groups from multiple dimensions. When performing policy matching, the policy enforcement device first maps the source and destination IP addresses of packets to source and destination security groups, and then matches the group policies predefined by the administrator for that pair of source and destination security groups. Based on the dynamic mappings between IP addresses and security groups, all the terminal- and IP address-based service policies on traditional campus networks can be transformed into security group-based policies. When predefining service policies, the administrator does not need to be concerned with the actual IP addresses of user terminals. This means that service policies are completely decoupled from IP addresses.
- Centralized management of user authentication information: iMaster NCE-Campus centrally manages users' authentication and access information and obtains mappings between network-wide terminals and IP addresses.
- Centralized policy management: iMaster NCE-Campus is not only the authentication center of a campus network, but also the management center of service policies. The administrator can manage network-wide policies on iMaster NCE-Campus in a unified manner. Once configured, these service policies can be automatically delivered to policy enforcement devices on the entire network.
As shown in Figure 1-14, Host 1 in the R&D department is allowed to access Host 2 in the marketing department. If the traditional ACL-based policy control solution is used, when the access location and IP address of Host 2 change, the ACL policy needs to be reconfigured on Edge 1. In the free mobility solution, Host 1 belongs to G1, and Host 2 belongs to G2. The configured security group policies are irrelevant to IP addresses. When the access location and IP address of Host 2 change, the security group policy on Edge 1 does not need to be reconfigured.
Implementation
Figure 1-15 shows the implementation process of the free mobility solution on iMaster NCE-Campus.
- An administrator creates security groups and group policies on iMaster NCE-Campus.
- iMaster NCE-Campus delivers the security groups and group policies to the policy enforcement point. The security groups and group policies take effect only after they are deployed on devices.
- When iMaster NCE-Campus functions as an authentication server, the configured authorization result can contain security group information. After a user passes authentication, iMaster NCE-Campus delivers information about the security group to be authorized to the authentication control point. The authentication control point generates a dynamic mapping table between the user terminal's IP address and security group.
- After the user passes authentication, iMaster NCE-Campus obtains the user terminal IP address and also generates a dynamic mapping table between the user terminal IP address and security group based on security group authorization information. When the user terminal IP address changes due to a location change or re-authentication, iMaster NCE-Campus automatically updates this mapping table through packet exchange.
- Generally, the policy enforcement point and authentication control point are located on the same device, and that device maintains the dynamic mapping table between IP addresses and security groups. If the policy enforcement point and authentication control point are located on different devices, they need to synchronize the dynamic mapping table between IP addresses and security groups from iMaster NCE-Campus.
- When a service flow initiated by the user passes through the policy enforcement point, the policy enforcement point parses the source and destination IP addresses of the service flow, searches the dynamic mapping table between IP addresses and security groups for the security group information based on the user terminal IP address, and enforces the corresponding group policy.
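The following is an added example, not Huawei code, that models the matching described in "Decoupling service policies from IP addresses" above and the implementation steps just listed: a policy enforcement point holding a group-by-group policy matrix delivered from the controller and a dynamic IP-to-security-group mapping table populated at authentication time. The group names G1 and G2 come from the Figure 1-14 scenario; the IP addresses, the `PolicyEnforcementPoint` class, the `UNKNOWN` fallback group, and the choice to deny flows that match no group policy are assumptions made for this illustration.

```python
"""Model of free-mobility policy enforcement (added example, not product code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address

# Assumption: an address with no entry in the mapping table falls into a
# placeholder group so that it matches no real group policy.
UNKNOWN = "UNKNOWN"


@dataclass
class PolicyEnforcementPoint:
    # (source group, destination group) -> action, planned centrally on the
    # controller and delivered to the device (step 2 of the implementation).
    policies: dict = field(default_factory=dict)
    # Dynamic IP -> security group table, learned from authorization results
    # (steps 3 and 4). This is the only state that changes when a host moves.
    ip_to_group: dict = field(default_factory=dict)

    def deliver_policy(self, src_group: str, dst_group: str, action: str) -> None:
        """Controller delivers one cell of the group policy matrix."""
        self.policies[(src_group, dst_group)] = action

    def authorize(self, ip: str, group: str) -> None:
        """Authentication control point learns (IP, group) after a user passes authentication."""
        self.ip_to_group[str(ip_address(ip))] = group

    def reauthenticate(self, old_ip: str, new_ip: str) -> str:
        """Terminal moved or re-authenticated with a new address: the mapping
        table is updated; the policy matrix is untouched."""
        group = self.ip_to_group.pop(str(ip_address(old_ip)))
        self.ip_to_group[str(ip_address(new_ip))] = group
        return group

    def group_of(self, ip: str) -> str:
        return self.ip_to_group.get(str(ip_address(ip)), UNKNOWN)

    def enforce(self, src_ip: str, dst_ip: str) -> str:
        """Step 6: resolve both addresses to groups, then look up the group policy.
        Assumption: a pair with no configured policy is denied."""
        pair = (self.group_of(src_ip), self.group_of(dst_ip))
        return self.policies.get(pair, "deny")


def demo() -> tuple:
    """Walk through the Figure 1-14 scenario with constructed addresses."""
    pep = PolicyEnforcementPoint()
    pep.deliver_policy("G1", "G2", "permit")      # R&D (G1) may reach marketing (G2)
    pep.authorize("10.1.1.10", "G1")              # Host 1, constructed address
    pep.authorize("10.2.2.20", "G2")              # Host 2, constructed address
    before = pep.enforce("10.1.1.10", "10.2.2.20")

    # Host 2 changes location and address; only the mapping table is updated.
    pep.reauthenticate("10.2.2.20", "10.3.3.30")
    after = pep.enforce("10.1.1.10", "10.3.3.30")

    # The old address is no longer mapped, so it no longer inherits G2's rights.
    stale = pep.enforce("10.1.1.10", "10.2.2.20")
    # No G2 -> G1 policy was delivered, so the reverse direction is denied.
    reverse = pep.enforce("10.3.3.30", "10.1.1.10")
    return before, after, stale, reverse


if __name__ == "__main__":
    print(demo())  # ('permit', 'permit', 'deny', 'deny')
```

The point to check on a real deployment is the `stale` case: once a terminal's address changes, the old address must drop out of the mapping table (here on re-authentication) or a new device that later receives that address would silently inherit the old group's rights.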