Agile Controller V100R002C00 Free Mobility
www.huawei.com
Copyright © 2016 Huawei Technologies Co., Ltd. All rights reserved. Page 3
Objectives
Contents
Overview
Traditional access control policies are implemented based on ACLs or VLANs and cannot be decoupled from IP addresses. When IP addresses change, the configurations of multiple devices need to be changed, which may lead to a heavy maintenance workload.
Traditional QoS policies are deployed on the egress firewall to implement access control based on IP addresses. However, such QoS policies cannot be implemented when users' IP addresses are not fixed.
Free Mobility determines access permissions and executes QoS policies based on the 5W1H conditions that apply when users attempt to access the network.
Intranet Users Access Data Center Resources or the Internet
[Figure: service resource, egress firewall, Agile Controller, aggregation switch (authentication control point), access switch, fixed terminal, mobile terminal]
• When Intranet users access data center resources or the Internet, an aggregation switch functions as the authentication control point and an egress firewall functions as the policy execution point. The Agile Controller authorizes the users and determines the matching QoS policies on the egress firewall based on the 5W1H conditions.
• The aggregation switch executes access control policies, and the firewall executes access control policies and QoS policies. If uplink and downlink bandwidths have been configured for the security group, the authorization result takes effect at the authentication control point (the aggregation switch) only.
Mobile Users on Business Trips Access Intranet Network Resources
VPN-based Free Mobility
[Figure: Agile Controller, DNS, DC with email server and code server, Shenzhen PE and Beijing PE as authentication control points, VPN: Green area and VPN: Yellow area at each site]
• VPN access applies to large-scale enterprises that have multiple branches. There are only access and aggregation layers, and the aggregation switch (usually the PE on the MPLS VPN) functions as the authentication control point. Access control within a VPN is the same as that in the scenario where Intranet users access data center resources or the Internet.
• In a VPN access scenario, security groups are planned uniformly over the entire network, and different policies need to be configured for different VPNs. One user has different network access permissions on different VPNs. Apart from unified policies on the entire network, you can also configure local policies on a specific device separately.
Contents
Free Mobility Concepts
[Figure: policy matrix; Free Mobility]
Three Steps of Free Mobility Deployment
Step 1: Define security groups
1. Define the security group.
2. Define the security group.
3. Define the device group and add devices to groups.
Step 2: Define and deploy group policies
1. Define group policies on the Agile Controller.
• Experience policy (forwarding priority of VIP group)
• Authorization policy (whether inter-group access is allowed)
2. Deploy group policies.
• The execution point interconnects to the Agile Controller.
• The Agile Controller automatically delivers the security groups and group policies to the execution points.
Step 3: Automatic system operation
1. Authentication: The Agile Controller authenticates the users who attempt to access the network based on the user identities.
2. Authorization: The Agile Controller matches users against authorization policies and security groups based on 5W1H. The execution points add the users' IP addresses to the matching groups.
3. Execution: Based on the mappings between IP addresses and groups stored on network devices and the Agile Controller, network devices identify the source and destination groups in packets and enforce group policies.
Security Group/Resource Group
Step 1-1: Define Groups on the Agile Controller and Add Members to the Groups
[Figure: 5W1H conditions of a user: Employee / VIP / Outsourcing employee; Campus/Branch / Trip/Hotel / Home; Laptop/PC / Smart terminal / Dumb terminal; Work hour / Holiday / Day/Night; Wired / Wireless / VPN. Authentication & authorization binding group: R&D, Finance, VIP, Outsourcing employee, BYOD, VPN]
Step 1-2: Define Resource Groups on the Agile Controller and Bind the IP Segment
[Figure: resource; IP binding group]
Step 1-3: Define Device Groups on the Agile Controller and Add Devices to the Groups
[Figure: device groups Beijing, Nanjing, Shenzhen; Yellow area, Red area, Green area]
Step 2-1: Configure Universal and Local Policies
[Figure: screenshot; device group "Yellow area"]
Step 2-2: Agile Controller Delivers Security Groups and Group Policies to Execution Points
Connect execution points to the Agile Controller. When the connection is complete, the Agile Controller automatically pushes security groups and group policies.
The pushed content only includes group names, group IDs, and the IP addresses added to the groups through binding. Group policies are unrelated to IP addresses.
During the network maintenance stage, administrators can update the security groups and policies of all execution points on the entire network only by modifying configurations on the Agile Controller.
Security Group (as pushed by the Agile Controller):
Group Name   | Group ID
R&D          | 10
Outsourcing  | 11
Email        | 12
...          | ...
Group Policy (Rights), source group by destination group:
             | Email | Voice
R&D          | √     | √
Outsourcing  | ?     | √
...          | ...   | ...
Group Policy (Experience):
VIP Group | Priority
CEO       |
CTO       | 6
...       |
Step 3: Automatic System Operation
[Figure: Agile Controller server, DC behind a firewall, branch behind a firewall, authentication point (switch)]
1. The Agile Controller authenticates access users in a unified manner. For example, a user attempts to access a branch network.
2. The Agile Controller associates the user with the group in the corresponding authorization policies according to the login situation of the user.
3. After the user is authenticated, the Agile Controller notifies the authentication point of the group to which the user belongs.
4. The authentication point reports the IP address that the user currently uses.
5. The Agile Controller associates the IP address with the group and records the association relationship in an online user information table.
6. After receiving the user's service packet, the authentication point identifies the source and destination groups in the packet, and executes the inter-group policies.
7. After receiving the user's service packet, non-authentication points request the source and destination groups of the packet from the Agile Controller.
8. Non-authentication points execute inter-group policies.
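The eight steps above, modelled as an added Python example (not Huawei code and not the Agile Controller's own API): a controller that authenticates, evaluates authorization policies and keeps the online user table, and a switch acting as the authentication point that stores the IP-to-group mapping and enforces the rights matrix. The group names and IDs (R&D 10, Outsourcing 11, Email 12) come from the Step 2-2 slide; the user names, passwords, IP segments, 5W1H condition keys and the "deny when a group is unknown" default are assumptions made for the example, and the "?" shown for Outsourcing to Email in the rights table is treated as denied.

```python
import ipaddress
from dataclasses import dataclass, field

# Group names and IDs from the Step 2-2 slide. Everything else in this block
# (IP segments, users, condition keys) is constructed for the example.
SECURITY_GROUPS = {"R&D": 10, "Outsourcing": 11, "Email": 12}
ID_TO_NAME = {gid: name for name, gid in SECURITY_GROUPS.items()}

# Resource group: a static resource bound to an IP segment (Step 1-2). Constructed segment.
RESOURCE_GROUPS = {ipaddress.ip_network("10.10.0.0/24"): "Email"}

# Group policy (rights): (source group, destination group) -> allowed.
# The slide marks Outsourcing -> Email with "?"; the example treats it as denied (assumption).
RIGHTS = {("R&D", "Email"): True, ("Outsourcing", "Email"): False}

# Authorization policies: 5W1H conditions -> security group, evaluated in order.
# Condition values echo the Step 1-1 slide (employee/outsourcing, campus, wired).
AUTHORIZATION_POLICIES = [
    ({"identity": "employee", "location": "campus", "access": "wired"}, "R&D"),
    ({"identity": "outsourcing"}, "Outsourcing"),
]


@dataclass
class Controller:
    """Agile Controller: authenticates, authorizes, keeps the online user table."""
    credentials: dict                                  # user -> password (constructed)
    online_users: dict = field(default_factory=dict)   # ip -> (user, group id)

    def authenticate(self, user, password):
        # Step 1: verify identity against the local user database.
        return self.credentials.get(user) == password

    def authorize(self, login_situation):
        # Step 2: the first policy whose conditions all match gives the group.
        for conditions, group in AUTHORIZATION_POLICIES:
            if all(login_situation.get(k) == v for k, v in conditions.items()):
                return SECURITY_GROUPS[group]
        return None

    def bind_ip(self, user, ip, group_id):
        # Step 5: record the IP-to-group association in the online user table.
        self.online_users[ipaddress.ip_address(ip)] = (user, group_id)


@dataclass
class AuthenticationPoint:
    """Switch: stores the IP-to-group mapping and enforces inter-group policies."""
    controller: Controller
    ip_to_group: dict = field(default_factory=dict)

    def user_online(self, user, password, ip, login_situation):
        """Steps 1-5 for one user; returns the group ID, or None if access is refused."""
        if not self.controller.authenticate(user, password):
            return None
        group_id = self.controller.authorize(login_situation)
        if group_id is None:
            return None
        # Steps 3-4: the controller notifies the group, the switch reports the IP.
        self.ip_to_group[ipaddress.ip_address(ip)] = group_id
        self.controller.bind_ip(user, ip, group_id)
        return group_id

    def source_group(self, src_ip):
        return self.ip_to_group.get(ipaddress.ip_address(src_ip))

    @staticmethod
    def destination_group(dst_ip):
        addr = ipaddress.ip_address(dst_ip)
        for segment, name in RESOURCE_GROUPS.items():
            if addr in segment:
                return SECURITY_GROUPS[name]
        return None

    def forward(self, src_ip, dst_ip):
        """Step 6: identify both groups, then apply the rights matrix."""
        src, dst = self.source_group(src_ip), self.destination_group(dst_ip)
        if src is None or dst is None:
            return False   # unknown group: deny (assumption; the slide states no default)
        return RIGHTS.get((ID_TO_NAME[src], ID_TO_NAME[dst]), False)


def demo():
    """Bring two users online and classify three packets; returns the verdicts."""
    ctrl = Controller(credentials={"alice": "pw-alice", "bob": "pw-bob"})
    switch = AuthenticationPoint(ctrl)
    switch.user_online("alice", "pw-alice", "192.0.2.10",
                       {"identity": "employee", "location": "campus", "access": "wired"})
    switch.user_online("bob", "pw-bob", "192.0.2.20", {"identity": "outsourcing"})
    return {
        "alice_group": switch.source_group("192.0.2.10"),
        "bob_group": switch.source_group("192.0.2.20"),
        "alice_to_email": switch.forward("192.0.2.10", "10.10.0.5"),
        "bob_to_email": switch.forward("192.0.2.20", "10.10.0.5"),
        "unauthenticated_to_email": switch.forward("192.0.2.99", "10.10.0.5"),
        "bad_password": switch.user_online("alice", "wrong", "192.0.2.30", {}),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point to notice is that the switch never looks at IP addresses when deciding: it resolves both ends of the packet to group IDs first and consults only the group-to-group matrix, which is why the slides can say that group policies are unrelated to IP addresses. Traffic from an address that is not in the online user table has no source group, so the example refuses it by default.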
Key Technology: User Authentication Process
[Figure: two authentication flows between the terminal, the authentication point and the Agile Controller]
Flow 1: A user submits identity information (user name, password, and certificate). The authentication protocols to be used depend on the authentication methods. A request is sent to the Agile Controller to verify the user identity information. The Agile Controller queries the local or external user database (AD/LDAP) and returns whether authentication is successful or failed. The terminal is allowed to access the network if authentication is successful.
Flow 2: A user submits identity information (user name and password) with CHAP authentication. A request is sent to the Agile Controller to verify the user identity information. The Agile Controller queries the local or external user database (AD/LDAP) and returns whether authentication is successful or failed. The terminal is allowed to access the network if authentication is successful.
Key Technology: User Identity Verification and Authorization Process
1. After a user is successfully authenticated, the Agile Controller matches the user against authorization policies according to the user's login situation.
2. The Agile Controller adds the user to the matching security group according to the authorization policies and sends a RADIUS packet carrying the security group information to the authentication point.
3. The authentication point reports the user's IP address to the Agile Controller.
4. The authentication point associates the user's IP address with a group ID and records the information in the online user table.
5. The Agile Controller stores information about all online users, so it can manage the online users, for example, modify user rights and log out users. In addition, the execution points can query the user information on the Agile Controller.
Key Technology: Group Identification on Authentication Points (Switches)
[Figure: Agile Controller and server; table headed Scenario / Source Group / Destination Group]
Key Technology: Group Identification on Non-authentication Points (Firewalls)
[Figure: Agile Controller and server]
Scenario: Users access static resources in the data center.
Source Group: The firewall queries the Agile Controller for the group information matching the source IP address in the service packet. The returned result is stored on the firewall. Therefore, the query process is triggered only by the first service packet of a user.
Destination Group: Static resources are abstracted as resource groups on the Agile Controller, and ACL policies for specific IP segments are used to control access from source security groups to static resources. Therefore, there is no need to distinguish resource groups.
When the firewall is used as the authentication point for VPN users, the source group information is not queried on the Agile Controller. Instead, the Agile Controller actively delivers the group information during the authentication and authorization process.
The firewall queries group information on the Agile Controller only when the information cannot be found locally. (Group information is stored locally when local authentication users go online, when query results have been stored from earlier lookups, and when static binding relationships between IP addresses and groups are configured.)
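The lookup order described above (locally authenticated VPN users, static IP-to-group bindings, stored query results, and only then a query to the Agile Controller) as an added Python example, not Huawei code and not the firewall's real implementation. The group IDs come from the Step 2-2 slide; the addresses, the stub controller and the user_offline invalidation step are assumptions made for the example. The invalidation step is included because the slides say the Agile Controller can log users out and modify rights: a stored result that outlives the user's session would keep granting the old group's rights to whoever next receives that IP address.

```python
import ipaddress

# Security group IDs from the Step 2-2 slide; all addresses and users are constructed.
GROUP_IDS = {"R&D": 10, "Outsourcing": 11, "Email": 12}


class ControllerStub:
    """Stand-in for the Agile Controller's online user table (constructed data)."""

    def __init__(self, online_users):
        self.online_users = {ipaddress.ip_address(k): v for k, v in online_users.items()}
        self.queries = 0   # number of group queries the firewall has sent

    def query_group(self, ip):
        self.queries += 1
        return self.online_users.get(ip)


class NonAuthenticationPoint:
    """Firewall: resolves a source group from local tables first, then the controller."""

    def __init__(self, controller, static_bindings=None):
        self.controller = controller
        # Group information delivered by the controller for VPN users authenticated here.
        self.local_auth_users = {}
        # Static IP-to-group bindings configured on the firewall.
        self.static_bindings = {ipaddress.ip_address(k): v
                                for k, v in (static_bindings or {}).items()}
        # Query results stored after a user's first service packet.
        self.query_cache = {}

    def vpn_user_online(self, ip, group_id):
        """Firewall as authentication point: the controller pushes the group actively."""
        self.local_auth_users[ipaddress.ip_address(ip)] = group_id

    def user_offline(self, ip):
        """Drop session-derived records for an address (assumption: static bindings stay)."""
        addr = ipaddress.ip_address(ip)
        self.local_auth_users.pop(addr, None)
        self.query_cache.pop(addr, None)

    def source_group(self, src_ip):
        addr = ipaddress.ip_address(src_ip)
        for table in (self.local_auth_users, self.static_bindings, self.query_cache):
            if addr in table:
                return table[addr]
        group_id = self.controller.query_group(addr)
        if group_id is not None:
            self.query_cache[addr] = group_id   # later packets resolve locally
        return group_id


def demo():
    """Five packets from four addresses, then a logout; returns groups and query counts."""
    ctrl = ControllerStub({"192.0.2.10": GROUP_IDS["R&D"]})
    fw = NonAuthenticationPoint(ctrl, static_bindings={"10.10.0.5": GROUP_IDS["Email"]})
    fw.vpn_user_online("198.51.100.7", GROUP_IDS["Outsourcing"])
    packets = ["192.0.2.10", "192.0.2.10", "10.10.0.5", "198.51.100.7", "203.0.113.9"]
    groups = [fw.source_group(ip) for ip in packets]
    queries_before_logout = ctrl.queries
    # The user at 192.0.2.10 logs out: controller and firewall both forget the binding.
    ctrl.online_users.pop(ipaddress.ip_address("192.0.2.10"))
    fw.user_offline("192.0.2.10")
    after_logout = fw.source_group("192.0.2.10")
    return groups, queries_before_logout, after_logout, ctrl.queries


if __name__ == "__main__":
    print(demo())
```

Only two of the five packets reach the controller: the second packet from 192.0.2.10 is answered from the stored result, the statically bound address and the VPN user never leave the firewall, and the unknown address is queried but not stored because no group came back. After the logout the same address is queried again instead of being served the stale R&D membership.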
Matching Products
Product Type | Series/Model                                    | Version
Switch       | Box switch: S5720HI                             | V200R008C00
Switch       | Chassis switch: S7700/S9700/S12700              | V200R008C00
SVN          | SVN5600 series: SVN5630/5660                    | V500R001C00
SVN          | SVN5800 series: SVN5830/5850/5860/5880/5880-C   | V500R001C00
Hardware Specifications
Component Name            | Min Memory | Recommended Memory | CPU (Offpeak Hours) | CPU (Peak Hours) | Disk Space | Number of Components
AuthServer (SC server)    | 512 MB     | ≤ 1.4 GB           | ≤ 5%                | ≤ 50%            | 1.5 GB     | ≤ 50
RadiusServer (SC server)  | 512 MB     | < 1.2 GB           | ≤ 5%                | ≤ 50%            | 1.5 GB     | ≤ 50
PortalServer (SC server)  | 512 MB     | ≤ 1.2 GB           | ≤ 5%                | ≤ 50%            | 1.5 GB     | ≤ 50
NetworkServer (SC server) | 512 MB     | ≤ 1.2 GB           | ≤ 5%                | ≤ 50%            | 1.5 GB     | ≤ 2, one active and one standby
Database                  | 2 GB       | 2 GB               | ≤ 5%                | ≤ 50%            | 300 GB     | 3, database mirroring
Software Specifications
Component Name | Item                                         | Specification        | Remarks
RadiusServer   | Local account                                | 100 times per second | EAP-PEAP-MSCHAPV2/EAP-PEAP-GTC/EAP-TLS
PortalServer   | Local account; external data source account  | 40 times per second  | ≤ 5%
Database       | 2 GB                                         | 2 GB                 | ≤ 5%
Contents
Free Mobility Configuration in a Campus Access Scenario
Configuring the XMPP
XMPP Overview
Extensible Messaging and Presence Protocol (XMPP), originally named Jabber, is an open-standard real-time communications protocol based on the Extensible Markup Language (XML). It consists of a series of Internet standards, including RFC3920, RFC3921, RFC3922, and RFC3923, issued by the Internet Engineering Task Force (IETF).
XMPP defines three roles: client, server, and gateway. Communication can take place between any two of these entities. The server records client information, manages connections, and sends information to different clients based on routing information. The gateway interconnects and communicates with heterogeneous instant messaging systems, including SMS, MSN, and ICQ. The basic network model of XMPP is that a single client sets up a TCP/IP connection to a single server to transmit XML messages.
XMPP uses a TLS layer to ensure transmission security and uses the Simple Authentication and Security Layer (SASL) to provide the authentication function. XMPP messages can be exchanged only after successful authentication.
The Agile Controller functions as the XMPP server and all agile devices function as XMPP clients.
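The ordering the slide describes (TLS first, then SASL authentication, and message exchange only after authentication succeeds) as an added Python example of the server-side session state a controller acting as XMPP server has to enforce; this is not Huawei code and not the Agile Controller's implementation. The XML namespaces are the ones defined by the XMPP core standards; the credential table, the PLAIN-only SASL handling, the reply tokens and the stanza strings replayed in demo() are constructed for the example.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces defined by the XMPP core standards the slide cites.
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
NS_CLIENT = "jabber:client"


class XmppServerSession:
    """One client connection, tracked through TLS, SASL and stanza exchange.

    The required order (TLS, then SASL, then messages) follows the slide; the
    credential table, PLAIN-only SASL and the reply tokens are constructed here.
    """

    def __init__(self, valid_credentials):
        self.valid_credentials = set(valid_credentials)   # {(user, password)}
        self.tls_established = False
        self.authenticated_as = None
        self.delivered = []                               # (sender, to, body) routed so far

    def handle(self, stanza_xml):
        elem = ET.fromstring(stanza_xml)
        if elem.tag == f"{{{NS_TLS}}}starttls":
            self.tls_established = True                  # a real server upgrades the socket here
            return "proceed"
        if elem.tag == f"{{{NS_SASL}}}auth":
            if not self.tls_established:
                return "tls-required"                    # never accept credentials in the clear
            if elem.get("mechanism") != "PLAIN":
                return "invalid-mechanism"
            # SASL PLAIN payload: base64(authzid NUL authcid NUL password), authzid empty here.
            parts = base64.b64decode(elem.text or "").decode().split("\x00")
            if len(parts) != 3:
                return "malformed-request"
            _, user, password = parts
            if (user, password) in self.valid_credentials:
                self.authenticated_as = user
                return "success"
            return "not-authorized"
        if elem.tag == f"{{{NS_CLIENT}}}message":
            if self.authenticated_as is None:
                return "not-authorized"                  # no message exchange before SASL succeeds
            body = elem.find(f"{{{NS_CLIENT}}}body")
            self.delivered.append((self.authenticated_as, elem.get("to"),
                                   body.text if body is not None else ""))
            return "routed"
        return "unsupported-stanza"


def demo():
    """Replay a constructed client script against the session and collect the replies."""
    session = XmppServerSession({("switch01", "s3cret")})     # constructed device credential
    creds = base64.b64encode(b"\x00switch01\x00s3cret").decode()
    script = [
        f'<message xmlns="{NS_CLIENT}" to="controller"><body>early</body></message>',
        f'<auth xmlns="{NS_SASL}" mechanism="PLAIN">{creds}</auth>',
        f'<starttls xmlns="{NS_TLS}"/>',
        f'<auth xmlns="{NS_SASL}" mechanism="PLAIN">{creds}</auth>',
        f'<message xmlns="{NS_CLIENT}" to="controller"><body>policy-ack</body></message>',
    ]
    return [session.handle(s) for s in script], session.delivered


if __name__ == "__main__":
    print(demo())
```

The first message and the first auth attempt are both refused: the message because no identity has been established, the auth because TLS has not been negotiated yet. Only the message sent after starttls and a successful SASL exchange is routed, which is the property that keeps an unauthenticated device from taking part in policy delivery on this channel.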
XMPP Protocol Used on the Agile Controller
[Figure: the Agile Controller deploys policies to a switch and a firewall; both devices are XMPP clients and exchange XML data packets with the Agile Controller]
Configuring a Pre-security Domain
Choose Policy > Permission Control > Security Group > Intranet Configuration and configure
a pre-security domain. Users can access resources in the pre-security domain before being
authenticated, without matching access control policies.
Configuring a Security Group and a Resource Group
Choose Policy > Permission Control > Security Group > Security Group Management.
A security group bound to no IP address represents users and is used as the source security group in an access control policy. A security group bound to IP addresses represents resources and is used as the destination security group in an access control policy.
Choose Policy > Permission Control > Security Group > Resource Group Management.
If an IP address is bound to different security groups or refined resource control (based on protocols or ports) is required, use a resource group to represent resources and configure it as the destination security group in an access control policy.
Binding Users to a Security Group
Choose Policy > Permission Control > Quick Authentication and authorize rights in a security
group to users who meet specific conditions. The configuration binds users to the security group.
Configuring Access Control Policies
Choose Policy > Free Mobility > Permission Control and create access control policies
between security groups.
Global Policy: On this tab page, you can create and deploy an access control policy on all
devices or for a specified device group.
Local Policy: On this tab page, you can create and deploy an access control policy on a specified
device.
Access control policies on a device consist of common and local policies.
Checking the Configuration
Run the display group-policy status command on the switch to check the connection
between the switch and Agile Controller.
Run the display acl all command on the switch to check deployment of access control
policies.
Run the display ucl-group all command on the switch to check deployment of security
groups.
Configuring QoS Policies
You can add QoS policies for remote campus network access.
Choose Policy > Free Mobility > User QoS Policy, set the QoS priority of the VIP security
group, and apply the policy to the network egress firewall.
Select the device to which the policies will be applied.
Currently, QoS policies can only be applied to NGFW.
VPN Access Scenario Configuration
After adding devices to the Agile Controller, group and manage the devices by VPN.
In global parameters, set the free mobility configuration mode to VPN and add a policy for
each VPN device group.
To configure a special access control policy for a device, click the Local Policy tab.
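How the policies from the Configuring Access Control Policies slide (global policies for all devices or for a device group, local policies for one device) combine into the policy set of a single device in the VPN scenario, as an added Python example; it is not Huawei code and does not reproduce the Agile Controller's policy engine. The device groups by VPN follow the VPN scenario slides, but the device names, group membership and every policy rule are constructed, and the precedence applied in decide() (a local policy overrides a device-group policy, which overrides an all-devices policy) is an assumption, since the slides do not state how conflicting common and local policies are resolved.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    source_group: str
    destination_group: str
    allow: bool
    scope: str   # where the policy was configured, kept so a decision can be traced


# Devices grouped by VPN, as the VPN scenario slides describe. Device names,
# membership and all policies below are constructed for the example.
DEVICE_GROUPS = {
    "VPN-Green": {"PE-Shenzhen", "PE-Beijing"},
    "VPN-Yellow": {"PE-Nanjing"},
}

# Global policies: key None applies to all devices, any other key to one device group.
GLOBAL_POLICIES = {
    None: [Policy("R&D", "Email", True, "global/all")],
    "VPN-Green": [Policy("Outsourcing", "Email", False, "global/VPN-Green")],
    "VPN-Yellow": [Policy("Outsourcing", "Email", True, "global/VPN-Yellow")],
}

# Local policies: configured on a single device through the Local Policy tab.
LOCAL_POLICIES = {
    "PE-Shenzhen": [Policy("R&D", "Email", False, "local/PE-Shenzhen")],
}


def effective_policies(device):
    """Common policies (all devices, then the device's groups) followed by local ones."""
    rules = list(GLOBAL_POLICIES.get(None, []))
    for group, members in DEVICE_GROUPS.items():
        if device in members:
            rules.extend(GLOBAL_POLICIES.get(group, []))
    rules.extend(LOCAL_POLICIES.get(device, []))
    return rules


def decide(device, source_group, destination_group):
    """Return (verdict, scope) for one inter-group access on one device.

    Assumption: the most specific rule wins, so a later entry in effective_policies()
    overrides an earlier one. (None, None) means no policy covers the pair.
    """
    verdict = (None, None)
    for rule in effective_policies(device):
        if (rule.source_group, rule.destination_group) == (source_group, destination_group):
            verdict = (rule.allow, rule.scope)
    return verdict


if __name__ == "__main__":
    for device in ("PE-Shenzhen", "PE-Beijing", "PE-Nanjing"):
        print(device, decide(device, "R&D", "Email"), decide(device, "Outsourcing", "Email"))
```

The same user therefore gets different verdicts depending on which VPN the enforcing PE belongs to (Outsourcing to Email is denied on the Green devices and allowed on the Yellow one), and the Shenzhen PE additionally overrides the all-devices rule with its local policy. Keeping the scope on each rule is what lets an operator explain, per device, which configuration produced a given verdict.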
Reference
Thank you
www.huawei.com