
Free Mobility

www.huawei.com

Copyright © 2016 Huawei Technologies Co., Ltd. All rights reserved.


Foreword

 With the development of enterprises and the use of BYOD, users' access locations, access methods, and IP addresses change frequently. The ACL policies and VLAN allocation used on traditional networks are based on IP addresses, so these user policies must be changed whenever a user's IP address changes. To address this issue, Huawei provides the Free Mobility Solution, whose key component is the Agile Controller.
 This course describes the hardware and software components and common networking of Free Mobility.

Objectives

 On completion of this course, you will be able to understand:
   Application Scenarios of Huawei Free Mobility Solution
   Implementation of Huawei Free Mobility Solution
   Deployment of Huawei Free Mobility Solution
   Troubleshooting of Huawei Free Mobility Solution

Contents

 Application Scenarios of Huawei Free Mobility Solution
 Implementation of Huawei Free Mobility Solution
 Deployment of Huawei Free Mobility Solution

Overview
 Traditional access control policies are implemented with ACLs or VLANs and cannot be decoupled from IP addresses. When IP addresses change, the configurations of multiple devices must be changed, which creates a heavy maintenance workload.
 Traditional QoS policies are deployed on the egress firewall and likewise match on IP addresses, so they cannot be enforced reliably when users' IP addresses are not fixed.
 Free Mobility determines access permissions and applies QoS policies based on the 5W1H conditions (the who, where, what, when, and how of a login, as listed in Step 1-1) evaluated when users attempt to access the network, so the policy follows the user rather than the address.

Intranet Users Access Data Center Resources or the Internet

[Figure: service resources and the Internet behind an egress firewall; Agile Controller; aggregation switch (authentication control point); access switch; fixed terminal, AP, and mobile terminal]

• When Intranet users access data center resources or the Internet, an aggregation switch functions as the authentication control point and an egress firewall functions as the policy execution point. The Agile Controller authorizes the users and determines the matching QoS policies on the egress firewall based on the 5W1H conditions.
• The aggregation switch executes access control policies, and the firewall executes access control policies and QoS policies. If uplink and downlink bandwidths have been configured for the security group, the authorization result takes effect at the authentication control point (the aggregation switch) only.

Mobile Users on Business Trips Access Intranet Network Resources

[Figure: a mobile user connects over a VPN to the firewall (authentication control point), behind which sit the service resources and the Agile Controller]

• When mobile users on business trips access Intranet network resources, they connect to the Intranet through VPNs. As the authentication control point for VPN access, the firewall supports SSL VPN and L2TP over IPSec.
• The firewall functions as the authentication control point and executes access control policies and QoS policies. After users pass authentication on the Agile Controller, the Agile Controller sends authorization information to the firewall. The uplink and downlink bandwidths of security groups take effect on the firewall.

VPN-based Free Mobility

[Figure: Agile Controller and DNS; DC with an email server and a code server; Shenzhen and Beijing sites, each with a PE (authentication control point) serving a green VPN area and a yellow VPN area]

• VPN access applies to large-scale enterprises that have multiple branches. There are only access and aggregation layers, and the aggregation switch (usually the PE on the MPLS VPN) functions as the authentication control point. Access control within a VPN is the same as in the scenario where Intranet users access data center resources or the Internet.
• In a VPN access scenario, security groups are planned uniformly over the entire network, and different policies need to be configured for different VPNs. One user has different network access permissions on different VPNs. Apart from unified policies on the entire network, you can also configure local policies on a specific device separately.

Free Mobility Concepts

[Figure: the five Free Mobility concepts arranged around the solution name]

  Security group
  Policy matrix
  User priority
  5W1H authorization
  IP-group query
Three Steps of Free Mobility Deployment

Step 1: Define security groups
  1. Define the security groups.
  2. Define the resource groups.
  3. Define the device groups and add devices to the groups.

Step 2: Define and deploy group policies
  1. Define group policies on the Agile Controller.
     • Experience policy (forwarding priority of the VIP group)
     • Authorization policy (whether inter-group access is allowed)
  2. Deploy group policies.
     • The execution point interconnects with the Agile Controller.
     • The Agile Controller automatically delivers the security groups and group policies to the execution points.

Step 3: Automatic system operation
  1. Authentication: The Agile Controller authenticates the users who attempt to access the network based on the user identities.
  2. Authorization: The Agile Controller matches users against authorization policies and security groups based on 5W1H. The execution points add the users' IP addresses to the matching groups.
  3. Execution: Based on the mappings between IP addresses and groups stored on network devices and the Agile Controller, network devices identify the source and destination groups in packets and enforce group policies.

Security Group/Resource Group

A security group is a collection of users or resources. A security group to which no IP address is bound is a user group: during authorization, users meeting certain conditions are mapped to a user group. A security group to which IP addresses are bound is a resource group. Use resource groups when the IP addresses bound to different groups overlap, or when different protocol port numbers must be distinguished for the same IP address.

Step 1-1: Define Groups on the Agile Controller and Add Members to the Groups

User conditions (5W1H) that an authorization policy can match:

  Who                    Where            What             When        How
  Employee               Campus/Branch    Laptop/PC        Work hour   Wired
  VIP                    Trip/Hotel       Smart terminal   Holiday     Wireless
  Outsourcing employee   Home             Dumb terminal    Day/Night   VPN

Authentication & authorization bind the matching users to a security group:

  R&D   Finance   VIP   BYOD   VPN   Outsourcing employee

Step 1-2: Define Resource Groups on the Agile Controller and Bind the IP Segment

Resource groups are bound to IP segments (IP binding group):

  Email server   Voice server   Code server   Internet

Step 1-3: Define Device Groups on the Agile Controller and Add Devices to the Groups

Device groups by site and by VPN area:

  Sites:   Beijing       Nanjing    Shenzhen
  Areas:   Yellow area   Red area   Green area

Step 2-1: Configure Universal and Local Policies

Universal (global) policies, deployed to all execution points:
  R&D group -> outsourcing group: permit
  R&D group -> core documents: permit
  Outsourcing group -> core documents: deny

Effective policies on a Yellow area device (its local policy plus the universal policies):
  Guest -> Internet: permit
  R&D group -> outsourcing group: permit
  R&D group -> core documents: permit
  Outsourcing group -> core documents: deny

Step 2-2: Agile Controller Delivers Security Groups and Group Policies to Execution Points

Agile Controller

  Security Group
    Group Name    Group ID
    R&D           10
    Outsourcing   11
    Email         12
    ...           ...

  Group Policy (Rights)
                  Email   Voice
    R&D           √       √
    Outsourcing   ?       √
    ...           ...     ...

  Group Policy (Experience)
    VIP Group     Priority
    CEO
    CTO           6
    ...

 Connect execution points to the Agile Controller. When the connection is complete, the Agile Controller automatically pushes security groups and group policies.
 Pushed content only includes group names, group IDs, and IP addresses added to the groups through binding.
 Group policies are unrelated to IP addresses.
 During the network maintenance stage, administrators can update the security groups and policies of all execution points on the entire network only by modifying configurations on the Agile Controller.

Step 3: Automatic System Operation

[Figure: Agile Controller server and DC behind a firewall; a branch with its own firewall and an authentication point (switch)]

1. The Agile Controller authenticates access users in a unified manner. For example, a user attempts to access a branch network.
2. The Agile Controller associates the user with the group in the corresponding authorization policies according to the login situation of the user.
3. After the user is authenticated, the Agile Controller notifies the authentication point of the group to which the user belongs.
4. The authentication point reports the IP address that the user currently uses.
5. The Agile Controller associates the IP address with the group and records the association in an online user information table.
6. After receiving the user's service packet, the authentication point identifies the source and destination groups in the packet and executes the inter-group policies.
7. After receiving the user's service packet, non-authentication points request the source and destination groups of the packet from the Agile Controller.
8. Non-authentication points execute inter-group policies.

Key Technology: User Authentication Process

Flow 1: 802.1x/MAB/PPPoE/PPP (L2TP VPN)/CA (SSL VPN)
  Terminal --> Authentication point --RADIUS--> Agile Controller (RADIUS server)
  1. A user submits identity information (user name, password, and certificate). The authentication protocols to be used depend on the authentication methods.
  2. The authentication point requests the Agile Controller to verify the user identity information.
  3. The Agile Controller queries the local or external user database (AD/LDAP).
  4. The Agile Controller returns the result (authentication successful/failed) to the authentication point.
  5. The authentication point returns the result to the terminal and allows the terminal to access the network if authentication is successful.

Flow 2: Portal
  Terminal --HTTP--> Agile Controller Portal server --CHAP--> Authentication point --RADIUS--> Agile Controller (RADIUS server)
  1. A user submits identity information (user name and password) to the Portal server over HTTP.
  2. The Portal server performs CHAP authentication with the authentication point.
  3. The authentication point requests the Agile Controller to verify the user identity information, and the Agile Controller queries the local or external user database (AD/LDAP).
  4. The result (authentication successful/failed) is returned to the authentication point and then to the Portal server.
  5. The Portal server notifies the terminal of the result, and the authentication point allows the terminal to access the network if authentication is successful.

Key Technology: User Identity Verification
and Authorization Process
1. After a user is successfully authenticated, the Agile Controller matches the user against authorization policies according to the user's login situation.
2. The Agile Controller adds the user to the matching security group according to the authorization policies and sends a RADIUS packet carrying the security group information to the authentication point.
3. The authentication point reports the user's IP address to the Agile Controller.
4. The authentication point associates the user's IP address with a group ID and records the mapping in its online user table.
5. The Agile Controller stores information about all online users, so it can manage them, for example by modifying user rights or logging users out. In addition, the execution points can query the user information on the Agile Controller.

Key Technology: Group Identification on Authentication Points (Switches)

[Figure: Agile Controller and server; the authentication point performs authentication and authorization]

  Scenario: Users access static resources in the data center
    Source group: The Agile Controller delivers the source group information about users during authentication.
    Destination group: Static resources are abstracted as resource groups on the Agile Controller, and ACL policies to specific IP segments are used to control access from source security groups to static resources. Therefore, there is no need to distinguish resource groups.

  Scenario: Users on the same authentication point access each other
    Source group: The Agile Controller delivers the source group information about users during authentication.
    Destination group: The Agile Controller delivers the destination group information about users during authentication.

 An unknown group (group 0) is predefined on the Agile Controller. If the execution point cannot obtain the group information about a user, it adds the user to the unknown group.
 When a locally authenticated user (for example, a user in group A) accesses a remotely authenticated user, the switch cannot identify the group information according to the destination IP address. Therefore, the switch considers that group A attempts to access the unknown group, and forwards the access traffic to the firewall.

Key Technology: Group Identification on Non-authentication Points (Firewalls)

[Figure: Agile Controller and server; the firewall queries group information from the Agile Controller]

  Scenario: Users access static resources in the data center
    Source group: The firewall queries the group information matching the source IP address in the service packet on the Agile Controller. The returned result is stored on the firewall. Therefore, the query process is triggered by only the first service packet of a user.
    Destination group: Static resources are abstracted as resource groups on the Agile Controller, and ACL policies to specific IP segments are used to control access from source security groups to static resources. Therefore, there is no need to distinguish resource groups.

  Scenario: Users on different authentication points access each other
    Source and destination groups: The firewall queries the group information matching the source and destination IP addresses in the service packet on the Agile Controller. The returned result is stored on the firewall. Therefore, the query process is triggered by only the first service packet of a user.

 When the firewall is used as the authentication point for VPN users, the source group information is not queried on the Agile Controller. Instead, the Agile Controller actively delivers group information during the authentication and authorization process.
 The firewall queries group information on the Agile Controller only when the information cannot be found locally. Group information is available locally when local authentication users go online, when query results have already been stored locally, and for the static binding relationships between IP addresses and groups.
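The lookup order the slide describes (local VPN users first, then static IP-to-group bindings, then cached query results, and only then a query to the Agile Controller on the first packet from an address), as an added worked example in Python. The code is written for this page and is not firewall or Agile Controller software; the ControllerStub class stands in for the real IP-group query interface, and the addresses and group IDs are made up. The choice not to cache negative answers, and the invalidate() hook for when the controller logs a user out or changes the user's rights, are design decisions of this example, not something the slide states.

```python
"""Group lookup on a non-authentication execution point (firewall).

Added example with constructed data. Group information is taken from local
tables first (VPN users the firewall authenticated itself, static IP-to-group
bindings, cached query results); the Agile Controller is queried only for an
address none of those tables know. ControllerStub is a stand-in, not the real
query API.
"""
import ipaddress

UNKNOWN_GROUP = 0  # predefined "unknown" group


class ControllerStub:
    """Stand-in for the Agile Controller's online user table and IP-group
    query service; counts queries so the caching behaviour is observable."""

    def __init__(self, online_users):
        self.online = dict(online_users)  # IP -> group ID
        self.queries = 0

    def query(self, ip):
        self.queries += 1
        return self.online.get(ip)  # None when the IP is not online


class FirewallExecutionPoint:
    def __init__(self, controller, static_bindings, local_users=()):
        self.controller = controller
        # static bindings pushed at connect time: (IP segment, group ID)
        self.static = [(ipaddress.ip_network(n), g) for n, g in static_bindings]
        self.local = dict(local_users)  # users authenticated on this firewall
        self.cache = {}                 # results learned from the controller

    def group_of(self, ip):
        if ip in self.local:
            return self.local[ip]
        addr = ipaddress.ip_address(ip)
        for net, gid in self.static:
            if addr in net:
                return gid
        if ip in self.cache:
            return self.cache[ip]
        gid = self.controller.query(ip)   # first packet from this IP only
        if gid is None:
            # design choice: do not cache misses, so a user who logs in
            # later is resolved correctly on the next packet
            return UNKNOWN_GROUP
        self.cache[ip] = gid
        return gid

    def invalidate(self, ip):
        """Drop a cached result, e.g. when the controller reports that the
        user logged out or was moved to another group."""
        self.cache.pop(ip, None)

    def classify(self, src_ip, dst_ip):
        """Return (source group, destination group) for a service packet."""
        return self.group_of(src_ip), self.group_of(dst_ip)
```

The cache is what makes the per-packet cost acceptable, but it also means a stale entry keeps granting the old group's rights until it is invalidated, which is why the online-user management on the Agile Controller (rights changes, forced logout) has to reach the firewall as well.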

Matching Products

  Switch   Box switch       S5720HI                                        V200R008C00
           Chassis switch   S7700/S9700/S12700                             V200R008C00
  NGFW     USG6300 series   USG6310/6320/6330/6350/6360/6370/6380/6390     V500R001C00
           USG6500 series   USG6510-SJJ/6530/6550/6570                     V500R001C00
           USG6600 series   6620/6630/6650/6660/6670/6680                  V500R001C00
           NGFW card        ET1D2FW00S00/ET1D2FW00S01/ET1D2FW00S02         V500R001C00
  SVN      SVN5600 series   SVN5630/5660                                   V500R001C00
           SVN5800 series   SVN5830/5850/5860/5880/5880-C                  V500R001C00

Hardware Specifications

  Component Name             Min Memory   Recommended Memory   CPU (Off-peak Hours)   CPU (Peak Hours)   Disk Space   Number of Components
  SM                         1024 MB      ≤ 1.2 GB             ≤ 5%                   ≤ 50%              1.5 GB       1
  AuthServer (SC server)     512 MB       ≤ 1.4 GB             ≤ 5%                   ≤ 50%              1.5 GB       ≤ 50
  RadiusServer (SC server)   512 MB       < 1.2 GB             ≤ 5%                   ≤ 50%              1.5 GB       ≤ 50
  PortalServer (SC server)   512 MB       ≤ 1.2 GB             ≤ 5%                   ≤ 50%              1.5 GB       ≤ 50
  NetworkServer (SC server)  512 MB       ≤ 1.2 GB             ≤ 5%                   ≤ 50%              1.5 GB       ≤ 2, one active and one standby
  Database                   2 GB         2 GB                 ≤ 5%                   ≤ 50%              300 GB       3, database mirroring

Software Specifications

  Component Name   Item                                           Specification                  Remarks
  AuthServer       Local account authentication                   50 times per second            Firewall authentication
                   External data source account                   40 times per second
  RadiusServer     Local account                                  1000 times per second          PAP/CHAP/EAP-MD5
                   Local account                                  100 times per second           EAP-PEAP-MSCHAPV2/EAP-PEAP-GTC/EAP-TLS
                   External data source account                   50 times per second
  PortalServer     Local account / External data source account   40 times per second            ≤ 5%
  NetworkServer    Device registration                            2000 per minute
                   IP-group query                                 1000 IP addresses per second   The software can query the group information about 1000 IP addresses per second.
  Database         2 GB                                           2 GB                           ≤ 5%

Free Mobility Configuration in a Campus
Access Scenario

 In the campus access scenario, access rights are the same as long as the login user, time, place, terminal type, and access mode meet the conditions defined in the quick authorization policy.
 Prerequisites: The 802.1X or Portal configuration has been completed.

Configuring the XMPP

Switch configuration:

  [HUAWEI] group-policy controller 10.10.10.10 password Admin@123 src-ip 10.10.10.1

In the command, 10.10.10.10 is the Agile Controller server IP address, Admin@123 is the shared key and must be the same as the password set on the Agile Controller, and 10.10.10.1 is the switch interface IP address used for communicating with the Agile Controller. The shared key is the credential with which the device registers with the Agile Controller, so use a strong value of your own rather than the sample shown here.

Agile Controller configuration: configure the matching XMPP connection parameters and the same shared key on the Agile Controller.

XMPP Overview
 Extensible Messaging and Presence Protocol
(XMPP), originally named Jabber, is an open-
standard real-time communications protocol
based on the Extensible Markup Language
(XML). It consists of a series of Internet
standards including RFC3920, RFC3921,
RFC3922, and RFC3923 issued by the Internet
Engineering Task Force (IETF).
 XMPP defines three roles: client, server, and gateway. Communication can take place between any two of them. The server records client information, manages connections, and routes messages to clients based on routing information. The gateway interconnects with heterogeneous instant messaging systems such as SMS, MSN, and ICQ. The basic network model of XMPP is that a single client sets up a TCP/IP connection to a single server to transmit XML messages.
 XMPP uses a TLS layer to protect transmission and the Simple Authentication and Security Layer (SASL) for authentication. XMPP messages can be exchanged only after successful authentication.

The Agile Controller functions as the XMPP server and all agile devices function as XMPP clients.

XMPP Protocol Used on the Agile Controller

[Figure: Agile Controller (XMPP server) connected over a Layer 3 network to a firewall and a switch (XMPP clients)]

Exchange between a switch and the Agile Controller:
  1. On the switch, configure the XMPP connection parameters and the shared key.
  2. On the Agile Controller, configure the XMPP connection parameters and the shared key.
  3. The switch registers with the Agile Controller.
  4. The Agile Controller checks the device validity.
  5. The two sides negotiate and set up a long-lived TCP connection.
  6. The Agile Controller deploys policies, and the two sides exchange XML data packets over the connection.

Configuring a Pre-security Domain

Choose Policy > Permission Control > Security Group > Intranet Configuration and configure a pre-security domain. Users can access resources in the pre-security domain before being authenticated, without matching access control policies. Because everything in this domain is reachable by unauthenticated users, keep it to the resources needed to complete authentication (for example the Portal server and DNS).

Configuring a Security Group and a Resource Group

Security group: choose Policy > Permission Control > Security Group > Security Group Management.
A security group bound to no IP address represents users and is used as the source security group in an access control policy. A security group bound to IP addresses represents resources and is used as the destination security group in an access control policy.

Resource group: choose Policy > Permission Control > Security Group > Resource Group Management.
If an IP address is bound to different security groups or refined resource control (based on protocols or ports) is required, use a resource group to represent resources and configure it as the destination security group in an access control policy.

Binding Users to a Security Group

Choose Policy > Permission Control > Quick Authentication and authorize rights in a security
group to users who meet specific conditions. The configuration binds users to the security group.

Configuring Access Control Policies

Choose Policy > Free Mobility > Permission Control and create access control policies
between security groups.

Global Policy: On this tab page, you can create and deploy an access control policy on all devices or for a specified device group.
Local Policy: On this tab page, you can create and deploy an access control policy on a specified device.
The access control policies in effect on a device are the union of its global and local policies.

Checking the Configuration

 Run the display group-policy status command on the switch to check the connection
between the switch and Agile Controller.
 Run the display acl all command on the switch to check deployment of access control
policies.
 Run the display ucl-group all command on the switch to check deployment of security
groups.

Configuring QoS Policies
 You can add QoS policies for remote campus network access.
 Choose Policy > Free Mobility > User QoS Policy, set the QoS priority of the VIP security group, and apply the policy to the network egress firewall.

  1. Select the security group to which QoS policies will be applied.
  2. Select a queue.
  3. Select the device to which the policies will be applied.
  4. Currently, QoS policies can only be applied to NGFW.

VPN Access Scenario Configuration

 After adding devices to the Agile Controller, group and manage the devices by VPN.
 In global parameters, set the free mobility configuration mode to VPN and add a policy for
each VPN device group.
 To configure a special access control policy for a device, click the Local Policy tab.

Thank you
www.huawei.com
