iMaster NCE-Campus V300R021C00

Free Mobility
Page 0 Copyright © 2021 Huawei Technologies Co., Ltd. All rights reserved.
Foreword
• With the development of enterprises and the emergence of BYOD, users no longer access networks from fixed locations using fixed access modes and IP addresses. Traditional networks, however, manage user policies with ACLs and VLANs, so user policies must be changed frequently and are difficult to maintain. To solve this problem, the Huawei CloudCampus Solution introduces free mobility.

• This document describes the software and hardware components and the common networking applications of free mobility.
Objectives
• Upon completion of this course, you will be able to:
▫ Understand application scenarios of free mobility

▫ Understand implementation principles of free mobility

▫ Understand the implementation process of free mobility

▫ Master configuration and deployment methods of free mobility

▫ Master troubleshooting methods of free mobility

Contents
1. Background of Free Mobility

2. Principles of Free Mobility

3. Implementation of Free Mobility

4. Typical Application Scenarios of Free Mobility

Why Is Free Mobility Required?
Requirement description:
1. There are two types of terminal users (user group A and user group B) on the campus network, and strict access control is required between them.
2. Strict access control is also required for some resources, such as server A and server B, to control terminal users' access.
3. Mobile terminal users can access the campus network at any time and must keep fixed access rights.
Note: A resource is a server or a type of service on the server, such as FTP, web, and email services.
[Figure: server A and server B, identified by IP addresses; user A in user group A and user B in user group B.]

Traditional solution:
 Controls user access using address-based ACLs.
 ACL rules must be configured for each source and destination network segment in user group A and user group B.
 ACL rules must be configured based on host addresses for intra-subnet isolation.
Disadvantages:
1. A large number of ACLs need to be configured, causing a heavy workload for configuration and maintenance.
2. Maintenance personnel need to maintain the mapping between IP addresses and users in real time. Maintaining mobile terminals, whose addresses change, is even more complex.

Free mobility solution:
 Controls user access using user-based ACLs, defined from the service perspective.
 User terminals are authorized to different security groups during authentication and authorization.
 Security group-based policies are configured on the policy enforcement device.
 Users and administrators do not need to care about the IP addresses of terminals.
Advantages:
1. Policy is decoupled from the network: access control follows the user rather than the address, so users can be isolated without per-address rules.
2. Administrators can centrally deploy policies through iMaster NCE-Campus, simplifying O&M and easing maintenance.
2. Principles of Free Mobility
Key Roles and Traffic
Key roles:
 iMaster NCE-Campus: 1. interworks with authentication devices to authenticate terminals and authorize security groups to terminals; 2. configures and delivers policies such as ACLs and UCLs; 3. synchronizes IP-security group entries with policy enforcement devices.
 Core switch or policy enforcement device: 1. configures user ACLs, deploys access policies, and implements access control based on security groups; 2. configures IP-security group entries.
 Aggregation switch or authentication device: supports terminal access and authentication.
[Figure: HQ and branch topology. From bottom to top: terminal, access device, aggregation switch (authentication device), core switch (policy enforcement device), edge device, iMaster NCE-Campus. Authentication traffic is marked in yellow, north-south traffic in blue, east-west traffic in red.]

Traffic:
1. Authentication traffic (yellow): The aggregation switch triggers authentication and sends authentication packets (such as RADIUS and Portal packets) to the authentication server (iMaster NCE-Campus). iMaster NCE-Campus allocates terminals to user groups, that is, authorizes security groups. As a result, both iMaster NCE-Campus and the authentication device hold mappings (IP-security group entries) between terminal IP addresses and security groups.
2. North-south traffic (blue): When a terminal accesses the Internet, the policy enforcement device maps the traffic to a security group based on the source IP address (the terminal IP address) and then matches it against the security group-based ACL. If the action is permit, the terminal can access the Internet.
Note: If the policy enforcement point and the authentication point are not the same device, the policy enforcement point has no IP-security group entry of its own for the terminal, and iMaster NCE-Campus must synchronize IP-security group entries to the policy enforcement point.
3. East-west traffic (red): When a terminal accesses another terminal, the policy enforcement device maps the traffic to a source security group and a destination security group based on the source and destination IP addresses and then matches it against the security group-based ACL. If the action is permit, the two terminals can communicate; if it is deny, they cannot.
Logical Architecture
[Figure: three planes. Service management plane: the administrator, the authentication server (authentication and authorization sub-system) and the policy server (service policy sub-system) of iMaster NCE-Campus. The administrator defines a global group and a group policy; the authentication server synchronizes the group to the policy server. Network device plane: the authentication point performs authentication, receives the authorized group ID and reports the IP address; the policy enforcement point queries user information and receives the delivered group policy. User plane: the user terminal performs access and authentication and sends service traffic toward a static resource. Inter-component communication and user service traffic are drawn with different line styles.]
Security Group
Security group:
1. Security groups are the core of the free mobility solution. Administrators define user identities, configure policies, and match devices with policies based on security groups.
2. A security group has only a group ID and a name, and can be regarded as a set of permissions.
3. If a user is both dynamically authorized to a security group and manually (statically) added to one, the dynamic authorization takes precedence.
[Figure: how users and resources end up in security groups. Dynamic users are authorized by 5W1H: Who (employee, VIP, outsourcing employee), Where (campus/branch, trip/hotel, home), What (laptop/PC, smart terminal, dumb terminal), When (working hours, holidays, day/night), How (wired, wireless, VPN). Non-authentication users, dumb terminals and server resources are bound by static IP addresses. The resulting security groups (R&D group, finance group, outsourcing group, VIP group, mobile office group, dumb terminal group, non-authentication user group, server group) are delivered to devices.]

Special security groups:
 Unknown group: contains unknown and unauthenticated users along with specific resources.
 Any group: contains any user or resource. Generally, this group is used to configure default rules.
 Bypass group: If the IP-security group entry channel between a policy enforcement point and iMaster NCE-Campus fails, traffic that does not match any security group is treated as belonging to the specified bypass group and is controlled by the policy configured for that group. Tenant administrators can designate one security group as the bypass group. Because every unmatched flow inherits the bypass group's permissions for the duration of the outage, the group chosen should carry a restrictive policy.
Resource Group
Scenario where resource groups are used:
1. IP address set 1 is bound to security group 2, and IP address set 2 is bound to security group 3. The two address sets overlap, so the device cannot determine the security group to which the overlapping IP addresses belong.
2. In such cases, resource groups are used. IP addresses specified in resource groups can overlap, and resource groups can be configured as destination groups of inter-group control policies.

Characteristics:
1. A resource group can be configured as the destination group of a policy, but cannot be configured as the source group.
2. Policies toward resource groups are decomposed into rules for the individual IP addresses and delivered to switches, instead of using the UCL group model.

Policy model of iMaster NCE-Campus:
 Security group 1 -> security group 2 (bound to IP address set 1)
 Security group 1 -> security group 3 (bound to IP address set 2, which overlaps IP address set 1)
Policy model of switches:
 Security group -> security group (UCL group model)
 Security group -> resource group, decomposed into security group -> IP address set 1 and security group -> IP address set 2
Policy Matrix
Inter-group control policies are presented in a policy matrix. When a policy matrix is configured, administrators can configure policies for controlling access from a source security group to a destination security group or resource group based on the matrix.
An inter-group control policy controls access between groups. When a source security group is configured with policies for multiple destination groups, administrators need to determine which policy is matched preferentially based on the policy priority. For example, if a source security group is configured with policies for multiple destination resource groups whose IP addresses overlap, administrators can manually raise the priority of a specific policy to ensure that it is matched first.
[Figure: group policies from source security group 1 to destination security groups 1 and 2 and from source security group 2 to destination security group 2, each of which can carry refined rules such as source IP address 5 -> destination IP address 5 and source IP address 6 -> destination IP address 6.]
Free mobility provides the following policy control capabilities based on the matrix:
1. Access control policies from a source security group to a destination security group.
2. Access control policies from a source security group to a destination resource group.
3. Refined control based on the 5-tuple within a pair of source security group and destination security group or resource group, with support for priority adjustment.
4. Priority adjustment among the policies from one source group to its different destination groups.
IP-Security Group Entry Subscription
1. iMaster NCE-Campus can authorize security groups to terminals. In this way, IP-security group entries (mappings between terminals and security groups) are generated on both the authentication devices (cloud-managed switches) and iMaster NCE-Campus.
2. If the policy enforcement point is not also the authentication point, it holds no IP-security group entries of its own, and iMaster NCE-Campus must synchronize the entries to it in real time. This depends on the IP-security group entry subscription capability.
The figure shows three deployment cases (supported, supported, not supported):
 Supported: Cloud-managed devices perform RADIUS authentication against iMaster NCE-Campus (the RADIUS server). The RADIUS server records users' IP-security group entries and synchronizes them to the IP-security group component, which in turn synchronizes them to the policy enforcement point.
 Supported: iMaster NCE-Campus and cloud-managed devices are deployed, and a third-party RADIUS server is used. iMaster NCE-Campus functions as a RADIUS relay agent between the devices and that server and records users' IP-security group entries from the relayed exchange.
 Not supported: A third-party RADIUS server is used and iMaster NCE-Campus does not function as the RADIUS relay agent. iMaster NCE-Campus is then outside the authentication path, so the authentication point would have to report its IP-security group entries to the IP-security group component itself before the component could synchronize them to the policy enforcement point. This case is marked as not supported.
3. Implementation of Free Mobility
Configuration Procedure of Free Mobility
Step 1: Plan security groups and resource groups
Step 2: Authorize security groups
Step 3: Configure policy matrices
Step 4: (Optional) Configure IP-security group entry subscription
Step 1.1 Plan Security Groups

Key information:
1. Group ID: the key index of a security group.
2. Static security group: If a security group cannot be assigned through dynamic authorization, administrators can assign it by matching static IP addresses. Static IP addresses in different security groups must be unique.
3. Bypass group: Only one bypass group can be configured for a tenant.
4. Unknown group: If no security group is matched, the unknown group is used by default.

Device configuration model (as delivered to the switch):
ucl-group 100 name Student
ucl-group ip 10.1.1.1 24 name Student
ucl-group ip 10.1.2.1 24 name Student
ucl-group ip 10.1.3.1 24 name Student
Step 1.2 Plan Resource Groups

Key information:
1. Resource group address pool: The IP addresses of different resource groups can be the same.
2. A server or a type of services on the server, such as FTP, web, and email services, can be defined as a resource group.

Step 2 Authorize Security Groups

Key information:
1. Security groups can be authorized to terminals based on 5W1H.
2. Security groups are selected in the authorization result.
Note:
1. When authorizing security groups to cloud managed switches, iMaster NCE-
Campus carries security group IDs in authorization packets. In this way, IP-
security group entries are generated on both iMaster NCE-Campus and
cloud managed switches.
2. When authorizing security groups to a third-party authentication device or a
standalone AC, iMaster NCE-Campus does not carry security group IDs in
authorization packets. In this case, iMaster NCE-Campus generates IP-
security group entries, and pushes the IP-security group entries to the policy
enforcement point through the IP-security group entry subscription
function.

Step 3.1 Configure Policy Matrices

Key information:
1. Administrators can create a maximum of 1000 policy matrices on the Admission > Free Mobility > Policy Control page.
2. A policy matrix can be used for a site or a fabric network.
 Site: Users select the policy enforcement points and VPNs to be deployed.
 Fabric: Users select VNs. The device scope and VPN to be deployed are determined by the VNs.
3. Administrators can configure a policy from a source security group to a destination security group or resource group in matrix or list mode.
Step 3.2 Configure Control Policies (1/2)

Key information:
1. In a policy matrix, if a source security group is configured with a policy to multiple destination groups, the priorities of
the destination groups can be adjusted.
2. Refined control rules can be configured in a policy for a pair of source and destination groups. Administrators can
specify traffic matching rules by configuring parameters such as the IP address, port number, or protocol.

Step 3.2 Configure Control Policies (2/2)
Inter-group refined rule list (source security group -> destination security group or resource group):
1. Source IP address 1, source port 1, protocol 1, destination port 1, destination IP address 1, and action 1
2. Source IP address 2, source port 2, protocol 2, destination port 2, destination IP address 2, and action 2
...
N. Source IP address N, source port N, protocol N, destination port N, destination IP address N, and action N
Default action: permit or deny
Note: One source security group corresponds to one ACL resource on the device.

Source security group -> destination security group: Number of rules = Number of rules for destination group 1 + Number of rules for destination group 2 + ... (Number of rules for a destination group = Number of refined control rules + 1 default rule)
acl rule 6000
rule 1 {action 1} {protocol 1} source ucl-group {source group 1} {source IP address 1} source-port {source port 1} destination ucl-group {destination group 1} {destination IP address 1} destination-port {destination port 1}
rule 2 {action 2} {protocol 2} source ucl-group {source group 1} {source IP address 2} source-port {source port 2} destination ucl-group {destination group 1} {destination IP address 2} destination-port {destination port 2}
...
rule N {action N} {protocol N} source ucl-group {source group 1} {source IP address N} source-port {source port N} destination ucl-group {destination group 1} {destination IP address N} destination-port {destination port N}
rule N+1 {default action} source ucl-group {source group 1} destination ucl-group {destination group 1}

rule N+2 {action 1} {protocol 1} source ucl-group {source group 1} {source IP address 1} source-port {source port 1} destination ucl-group {destination group 2} {destination IP address 1} destination-port {destination port 1}
rule N+3 {action 2} {protocol 2} source ucl-group {source group 1} {source IP address 2} source-port {source port 2} destination ucl-group {destination group 2} {destination IP address 2} destination-port {destination port 2}
...
rule 2N+1 {action N} {protocol N} source ucl-group {source group 1} {source IP address N} source-port {source port N} destination ucl-group {destination group 2} {destination IP address N} destination-port {destination port N}
rule 2N+2 {default action} source ucl-group {source group 1} destination ucl-group {destination group 2}

(Take a switch as an example) Source security group -> destination resource group (assuming that the resource group has two IP addresses, IPx and IPy): Number of rules = Number of IP addresses in the resource group x (Number of refined control rules + 1). Each refined rule is expanded once per resource address, and the rules are installed in priority order, so where two resource groups contain the same address the rules of the higher-priority policy come first.
acl rule 6000
rule 1 {action 1} {protocol 1} source ucl-group {source group 1} {source IP address 1} source-port {source port 1} destination {IPx} destination-port {destination port 1}
rule 2 {action 1} {protocol 1} source ucl-group {source group 1} {source IP address 1} source-port {source port 1} destination {IPy} destination-port {destination port 1}
...
rule 2N-1 {action N} {protocol N} source ucl-group {source group 1} {source IP address N} source-port {source port N} destination {IPx} destination-port {destination port N}
rule 2N {action N} {protocol N} source ucl-group {source group 1} {source IP address N} source-port {source port N} destination {IPy} destination-port {destination port N}
rule 2N+1 {default action} source ucl-group {source group 1} destination {IPx}
rule 2N+2 {default action} source ucl-group {source group 1} destination {IPy}
(Optional) Step 4.1 Configure IP-Security Group Entry Subscription

Key information:
1. Subscribed device: Multiple policy enforcement devices can subscribe to IP-security group entries.
2. Push node: Administrators can select the authentication component at the HQ or in a branch as the push node to push IP-security
group entries.
3. Security group: scope of IP-security group entries that are subscribed, which match the entries related to the selected security group.
4. Subscribed subnet: Entries to be subscribed are matched based on the IP subnet.
5. If both the security group and subscribed subnet are configured, the union set is used.

(Optional) Step 4.2 Implement IP-Security Group Entry Subscription in Different Scenarios
[Figure: sequence between the authentication point, the authentication component, the IP-security group component and the policy enforcement points (switch and firewall): 1. perform authentication; 2. authorize security groups; 3. report IP-security group entries to the IP-security group component; 4. push the new entries to the policy enforcement point.]

New user going online: The authentication component notifies the IP-security group component of the new IP-security group entry through the DMQ component. The IP-security group component then pushes the new entry to the policy enforcement point.
User going offline: The DMQ component notifies the IP-security group component to delete the entry. The IP-security group component then pushes the deletion to the policy enforcement point.
User IP address change: When the authentication component detects that a user's IP address has changed, the DMQ component notifies the IP-security group component to delete the old entry and add the new one, and the change is synchronized to the policy enforcement point.
User security group change: When an online user's security group changes, the authentication component sends a CoA packet to the authentication point. The authentication component also has the DMQ component report the changed data to the IP-security group component, which synchronizes it to the policy enforcement point.
User re-authentication: Handled like a user IP address change combined with a user security group change.
User roaming: If the user's IP address changes during roaming, the process is the same as in the user IP address change scenario.

Key information:
1. All IP-security group entries on iMaster NCE-Campus can be periodically or manually synchronized to devices to ensure entry consistency.
(Optional) Step 4.3 Perform Horizontal Scaling of IP-Security Group Entry Subscription
[Figure: iMaster NCE-Campus with the authentication component at the HQ (1), and a separate authentication component in the branch (2); the branch policy enforcement points connect to the branch authentication component.]

Solution description:
1. A device establishes a NETCONF channel with the HQ, and all configuration services are delivered by the HQ.
2. A branch user is authenticated by the authentication component in the branch, and user entries are generated there.
3. The authentication component in the branch establishes an HTTP/2 channel with the authentication component at the HQ and synchronizes the user entries to it.
4. The authentication component at the HQ synchronizes the entries it received from other branches to the authentication component in the branch.
5. The policy enforcement point sets up an HTTP/2 connection with the authentication component in the branch, and the branch authentication component then pushes IP-security group entries to the devices.
4. Typical Application Scenarios of Free Mobility
Typical Scenario 1: Wireless Devices or Third-Party Devices Function as Authentication Devices
Description:
1. Currently, the WAC does not support free mobility and cannot function as a policy enforcement device.
2. If the authentication devices are not provided by Huawei:
 iMaster NCE-Campus functions as the RADIUS server or RADIUS relay agent. It generates IP-security group entries but does not carry security group IDs in the authorization packets sent to these authentication devices.
 iMaster NCE-Campus delivers the IP-security group entries to the policy enforcement point through IP-security group entry synchronization.
 The policy enforcement point performs policy control on forwarded traffic.
[Figure: campus A and campus B. iMaster NCE-Campus synchronizes IP-security group entries to the policy enforcement point (an iStack core with ECMP uplinks); the WAC or a third-party device acts as the access authentication point.]
Typical Scenario 2: IP-Security Group Entry Synchronization and VXLAN Scenarios
Mechanism: When VXLAN packets are encapsulated on the source VTEP and can be matched to security group information, the VTEP carries the group ID in the VXLAN packets and sends them to the destination VTEP. The destination VTEP then performs policy control based on the carried source group and the matched destination group information.
[Figure: fabric with iMaster NCE-Campus, an authentication control point, a policy enforcement point, an iStack core, Layer 3 and Layer 2 Eth-Trunk links, a native AC, and policy association to the access layer.]

Sub-scenario 1: The authentication point and policy enforcement point are deployed at the aggregation layer (east-west control). The IP-security group entry subscription function is not required.
Sub-scenario 2: The authentication point is deployed at the aggregation layer, and the policy enforcement point is deployed at the core layer (north-south control). The destination groups of policies at the core layer are static security groups or resource groups. The IP-security group entry subscription function is not required.
Sub-scenario 3: A standalone AC is deployed, the WAC functions as the wireless authentication point, and the wired authentication point and policy enforcement point are deployed at the aggregation layer. IP-security group entry synchronization is required. Devices need to subscribe only to the wireless-related security groups and network segments.
Sub-scenario 4: A standalone AC is deployed, the WAC functions as the wireless authentication point, the wired authentication point is deployed at the aggregation layer, and the east-west policy enforcement point is deployed at the core layer. IP-security group entry synchronization is required. Devices need to subscribe to all IP-security group entries related to the policy.
Summary
• Application scenarios of free mobility
 ▫ User access to the data center and mutual access between users
• Implementation of free mobility
 ▫ 5W1H-based authorization and policy matrix
Recommendations
• https://support.huawei.com/enterprise/productsupport?lang=en&pid=21085964&idAbsPath=7919710|9856717|7923123|9858914|21085964

Thank You
www.huawei.com
