Context
Configuring access management for the fabric means configuring the authentication control points and planning the access point resources that VN creation will use. A wired access point resource is a switch interface to which terminals connect; a wireless access point resource is an SSID to which terminals connect. The access management configuration for the fabric differs between gateway solutions, as described in Table 4-7.
Table 4-7 Differences in access management configuration for the fabric between gateway solutions

Gateway solution type: Centralized gateway
Recommended fabric networking: VXLAN deployed across the core and access layers
Configuration description:
- Generally, the authentication control point for wired user access is deployed on the edge node and is configured during access management configuration for the fabric.
- The authentication control point for wireless user access is deployed on the WAC, which is the border node when a native WAC-capable border node is used. To configure access management for this authentication control point, log in to the WAC's web system.

Gateway solution type: Distributed gateway
Recommended fabric networking: VXLAN deployed across the core and aggregation layers
Configuration description:
- If the recommended native WAC-capable edge node (aggregation switch) is used as the WAC, it is recommended that the edge node also serve as the unified authentication control point for wired and wireless users.
- The authentication templates to be bound to wired and wireless access points are configured in Configuring Authentication Templates for User Access. During access management configuration for the fabric, you can:
  - Bind an authentication template to a wired access port.
  - Configure the mapping between a wireless SSID and an authentication template. After the configuration is complete, iMaster NCE-Campus delivers the authentication template configuration to the edge node that functions as the WAC. To bind an authentication template to an SSID on an AP, log in to the web system of the WAC.
- Generally, policy association is deployed on the authentication control point (edge node). An AP can establish a CAPWAP tunnel with an edge node through the management VLAN used for policy association and go online on the edge node. No additional management VLAN is required.
- During access management configuration for the fabric, three connection types are defined for the access ports of switches: fabric extended switch, fabric extended AP, and terminal. The fabric extended AP and fabric extended switch types are mainly used during policy association configuration. With policy association, ports can dynamically negotiate to allow packets carrying the management VLAN tag used for policy association.
- If the connection type of the switch port connected to an AP is set to fabric extended AP, management VLAN auto-negotiation cannot be deployed on that port.
- In the centralized gateway solution, policy association is not deployed, so you do not need to select a connection type for the switch (edge node) port connected to an AP.
Configuration Tasks

Description: Configuring access management for the fabric (centralized gateway)
Operation procedure:
- Select the location of an authentication control point.
- Set the connection type on the port connecting the authentication control point to the user terminal, and select the authentication template to be bound.

Description: Configuring access management for the fabric (distributed gateway)
Operation procedure:
- Configure the management VLAN and management IP address used for policy association on the authentication control point.
- Configure the port connection type on the authentication control point. Select the authentication template to be bound to the port connected to the user terminal and to the port connected to the extended switch.
- Configure the port connection type on the policy enforcement point. Enable Inherit Authentication Template on Authentication Control Point Port for the port connected to the user terminal.
- Configure the mapping between SSIDs and authentication templates in the wireless access configuration.
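The rules in the note above and in the two task lists can be checked before the plan is entered in iMaster NCE-Campus. The following Python planner check is an added example, not code from the product or its documentation; the data model (Port, FabricPlan), the field names and the sample port names are assumptions made here for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    name: str
    connection_type: str = ""        # "terminal", "fabric extended switch", "fabric extended AP", or "" (not selected)
    auth_template: str = ""          # authentication template bound to the port
    mgmt_vlan_autoneg: bool = False  # management VLAN auto-negotiation for policy association
    inherit_template: bool = False   # "Inherit Authentication Template on Authentication Control Point Port"

@dataclass
class FabricPlan:
    gateway: str                                                 # "centralized" or "distributed"
    control_point_ports: list = field(default_factory=list)      # ports on the authentication control point (edge node)
    enforcement_point_ports: list = field(default_factory=list)  # ports on the policy enforcement point (distributed only)
    ssid_templates: dict = field(default_factory=dict)           # SSID -> authentication template (distributed only)
    mgmt_vlan: int = 0                                           # management VLAN for policy association (0 = not set)

def check_plan(plan):
    """Return the rule violations found in the plan; an empty list means the plan is consistent."""
    issues = []
    for p in plan.control_point_ports:
        # A fabric extended AP port cannot run management VLAN auto-negotiation.
        if p.connection_type == "fabric extended AP" and p.mgmt_vlan_autoneg:
            issues.append(f"{p.name}: management VLAN auto-negotiation cannot be deployed on a fabric extended AP port")
        if p.connection_type == "terminal" and not p.auth_template:
            issues.append(f"{p.name}: no authentication template bound to the terminal-facing port")
    if plan.gateway == "centralized":
        # Policy association is not deployed, so an AP-facing port needs no fabric extended AP type.
        for p in plan.control_point_ports:
            if p.connection_type == "fabric extended AP":
                issues.append(f"{p.name}: fabric extended AP type is not needed in the centralized gateway solution")
    elif plan.gateway == "distributed":
        if plan.mgmt_vlan == 0:
            issues.append("management VLAN for policy association is not configured on the authentication control point")
        for p in plan.control_point_ports:
            if p.connection_type == "fabric extended switch" and not p.auth_template:
                issues.append(f"{p.name}: no authentication template bound to the extended-switch-facing port")
        for p in plan.enforcement_point_ports:
            if p.connection_type == "terminal" and not p.inherit_template:
                issues.append(f"{p.name}: enable Inherit Authentication Template on Authentication Control Point Port")
        for ssid, template in plan.ssid_templates.items():
            if not template:
                issues.append(f"SSID {ssid}: no authentication template mapped")
    return issues

SAMPLE_DISTRIBUTED = FabricPlan(  # constructed sample plan containing three deliberate mistakes
    gateway="distributed", mgmt_vlan=100,
    control_point_ports=[Port("GE1/0/1", "terminal", "wired-802.1X"),
                         Port("GE1/0/2", "fabric extended AP", mgmt_vlan_autoneg=True)],
    enforcement_point_ports=[Port("GE2/0/1", "terminal")],
    ssid_templates={"Staff": "wireless-802.1X", "Guest": ""})
```

Running `check_plan(SAMPLE_DISTRIBUTED)` reports the auto-negotiation conflict on GE1/0/2, the missing inherit setting on GE2/0/1, and the unmapped Guest SSID.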
Reference Links for iMaster NCE-Campus Operations