Free Mobility Overview
In an enterprise network, different network access policies can be deployed for users on access devices to meet different network access requirements. Mobile office and BYOD mean that users' physical locations and IP addresses change frequently, so a network control solution based on physical ports and IP addresses cannot guarantee a consistent network access experience: for example, it cannot ensure that a user's network access policy stays the same when the user's physical location changes.
The free mobility solution allows a user to obtain the same network access policy regardless of the user's location and IP address changes in an agile network.
The switches must be associated with Agile Controllers in the free mobility solution. An administrator only needs to uniformly deploy network access policies on Agile Controllers for users, and deliver the policies to all associated switches. After that, a user can obtain the same access policy no matter how the user's physical location and IP address change.
Configuration Notes
- Free mobility is supported only in NAC unified mode.
- The following table lists the products and versions supporting the free mobility solution.

| Product Type | Product Name | Version |
|---|---|---|
| RADIUS server | Agile Controller | V100R001C00 |
| Portal server | Agile Controller | V100R001C00 |
| Access switch | Common switches supporting 802.1X authentication. The S2750 is taken as an example. | V200R006C00 and later versions |
| Core switch | Agile switches supporting native AC, such as the S12700. | V200R006C00 and later versions |

The following table lists the mapping between switch versions and AP versions. The AP7110DN-AGN is taken as an example.

| Software Version | Product Model | AP Model and Version |
|---|---|---|
| V200R006C00 | S12700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, and AP7110SN-GN |
| V200R007C00 | S12700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, and AP8130DN; V200R005C20: AP7030DE and AP9330DN |
- If the core switch has already been associated with an Agile Controller and has free mobility configured, perform the following steps to delete the historical data before reconfiguring the core switch.
1. Run the undo group-policy controller command in the system view to disable free mobility and disconnect the switch from the Agile Controller.
2. Run the undo acl all command to delete the access control policy.
3. Run the undo ucl-group ip all command to delete IP addresses bound to security groups.
4. Run the undo ucl-group all command to delete security groups.
5. Return to the user view and run the save command. The system automatically deletes the configured version number.
Networking Requirements
Employees in an enterprise connect to the network in wired and wireless modes and are authenticated using 802.1X or Portal authentication.
The employees do not work in fixed locations and want to obtain the same rights after being authenticated regardless of their access locations.
Figure 1-1 Networking
Requirement analysis
As shown in Figure 1-1, the agile core switch S12700 (supporting native AC) functions as the authentication point and the access switch is a common switch.
You can configure 802.1X authentication and Portal authentication on the core switch so that wired and wireless users can connect to the network after being authenticated by the core switch.
You can configure free mobility so that users have the same rights and experience regardless of their access locations.
Network Data Plan
Table 1-1 Network data plan
| Item | Data | Description |
|---|---|---|
| VLAN plan | ID: 11; IP address: 192.168.11.254/24 | The core switch uses this VLAN to communicate with the Agile Controller. |
| VLAN plan | ID: 12; IP address: 192.168.12.254/24 | The core switch uses this VLAN to manage APs. |
| VLAN plan | ID: 13; IP address: 192.168.13.254/24 | The core switch uses this VLAN to provide wireless access services. |
| VLAN plan | ID: 14; IP address: 192.168.14.254/24 | The core switch uses this VLAN to provide wired access services. |
| Core switch (S12700) | Interface: GE1/0/11; allowed VLAN: 11 | This interface allows packets from the planned VLAN to pass through. |
| Core switch (S12700) | Interface: GE1/0/12; allowed VLANs: 12, 14 | This interface connects to the access switch and allows packets from the wired access service VLAN and the APs' management VLAN to pass through. |
| Access switch | Interface: GE0/0/1; allowed VLANs: 12, 14 | This interface connects to GE1/0/12 on the core switch S12700. |
| Access switch | Interface: GE0/0/3; allowed VLAN: 14 | This interface provides wired access and allows packets from the wired access service VLAN to pass through. |
| Access switch | Interface: GE0/0/5; allowed VLAN: 12 | This interface connects to the AP for wireless access and allows packets from the APs' management VLAN to pass through. |
| Server | Agile Controller: 192.168.11.1 | The Service Manager (SM) and Service Controller (SC) are installed on the same server. The SC functions as both the RADIUS server and the Portal server. |
| Server | Email server 1: 192.168.11.100; Email server 2: 192.168.11.101 | - |
| Server | DNS server: 192.168.11.200 | - |
Service Data Plan
Table 1-2 Service data plan
| Item | Data | Description |
|---|---|---|
| Core switch (S12700) | RADIUS authentication server: IP address 192.168.11.1; port number 1812; RADIUS shared key Admin@123 | The SC of the Agile Controller integrates the RADIUS server and Portal server, so the authentication server, accounting server, and Portal server all use the SC's IP address. Configure a RADIUS accounting server to collect user login and logout information. The authentication and accounting port numbers must match those of the RADIUS server; on the Agile Controller the RADIUS authentication and accounting ports are fixed at 1812 and 1813, and the Portal server port is fixed at 50200. Admin@123 is the example key used throughout this document; in a deployment, use a strong, unique shared key on each device. |
| Core switch (S12700) | RADIUS accounting server: IP address 192.168.11.1; port number 1813; RADIUS shared key Admin@123; accounting interval 15 minutes | See above. |
| Core switch (S12700) | Portal server: IP address 192.168.11.1; port number 50200; shared key Admin@123 | See above. |
| Core switch (S12700) | XMPP password: Admin@123 | The configuration is the same as that on the Agile Controller. |
| Agile Controller | Core switch's IP address: 192.168.11.254 | This is the IP address of VLANIF 11 on the core switch. |
| Agile Controller | RADIUS parameters: device type Huawei Quidway series; RADIUS authentication key Admin@123; RADIUS accounting key Admin@123; real-time accounting interval 15 minutes | The configuration is the same as that on the core switch. |
| Agile Controller | Portal parameters: port number 2000; Portal key Admin@123; IP addresses of access terminals: wireless terminals 192.168.13.0/24, wired terminals 192.168.14.0/24 | The configuration is the same as that on the core switch. |
| Agile Controller | XMPP password: Admin@123 | The configuration is the same as that on the core switch. |
| Agile Controller | Department: Employee | Assume that the department Employee exists under ROOT. Free mobility is configured for the department Employee in this example. |
| Agile Controller | Security groups: Employee_Group (users); Email_Server (resources): Email server 1 192.168.11.100, Email server 2 192.168.11.101 | Use fast authorization to authorize the security group Employee_Group to the Employee department. |
| Agile Controller | Post-authentication domain: Email servers | Employees can access the email servers after being authenticated. |
| Agile Controller | Pre-authentication domain: DNS server | Employees can send domain names to the DNS server for resolution before being authenticated. |
Configuration Roadmap
Configure the core switch.
1. Switch the NAC configuration mode to unified mode.
2. Configure interfaces and VLANs, and enable the DHCP server function.
3. Configure parameters for interconnection with the RADIUS server.
4. Configure parameters for interconnection with the Portal server.
5. Configure the access authentication point for fixed PCs.
6. Configure an authentication-free rule.
7. Configure AC system parameters to provide wireless access.
8. Configure XMPP parameters for interconnection with the Agile Controller and enable free mobility.
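The following CLI script is an added example of the core switch roadmap (steps 1 to 6 and step 8) filled in with the values from Table 1-1 and Table 1-2; it is not configuration from the original page or from Huawei. The command syntax is that of VRP V200R006 in NAC unified mode as the editor knows it, and the template, scheme and profile names (policy_server, portal_server, auth_scheme, acco_scheme, free_rule, d1, p1, auth_p) and the Portal redirect URL are assumed values. The WLAN AC parameters of step 7 are not shown. The `#` comments are annotations only and must be removed before the lines are pasted into a console.

```text
# Core switch (S12700): unified NAC mode, VLANs/DHCP, RADIUS, Portal,
# authentication point, authentication-free rule, free mobility.
# Names and the Portal URL are assumptions made for this example.
system-view
 authentication unified-mode                    # step 1: save and restart afterwards
 vlan batch 11 to 14                            # step 2: VLANs from Table 1-1
 dhcp enable
 interface vlanif 11
  ip address 192.168.11.254 24                  # towards Agile Controller and servers
  quit
 interface vlanif 12
  ip address 192.168.12.254 24                  # AP management VLAN
  dhcp select interface
  quit
 interface vlanif 13
  ip address 192.168.13.254 24                  # wireless service VLAN
  dhcp select interface
  quit
 interface vlanif 14
  ip address 192.168.14.254 24                  # wired service VLAN
  dhcp select interface
  quit
 interface gigabitethernet 1/0/11
  port link-type trunk
  port trunk allow-pass vlan 11
  quit
 interface gigabitethernet 1/0/12
  port link-type trunk
  port trunk allow-pass vlan 12 14
  quit
 radius-server template policy_server          # step 3: SC is the RADIUS server
  radius-server authentication 192.168.11.1 1812
  radius-server accounting 192.168.11.1 1813
  radius-server shared-key cipher Admin@123    # example key; use a strong one in production
  quit
 aaa
  authentication-scheme auth_scheme
   authentication-mode radius
   quit
  accounting-scheme acco_scheme
   accounting-mode radius
   accounting realtime 15                      # 15-minute real-time accounting interval
   quit
  domain default
   authentication-scheme auth_scheme
   accounting-scheme acco_scheme
   radius-server policy_server
   quit
  quit
 web-auth-server portal_server                 # step 4: SC is the Portal server, fixed port 50200
  server-ip 192.168.11.1
  port 50200
  shared-key cipher Admin@123
  url http://192.168.11.1:8080/portal          # assumed redirect URL
  quit
 free-rule-template name free_rule             # step 6: DNS reachable before authentication
  free-rule 1 destination ip 192.168.11.200 mask 32
  quit
 dot1x-access-profile name d1
  dot1x authentication-method eap             # EAP relay; the access switch tunnels EAPOL frames
  quit
 portal-access-profile name p1
  web-auth-server portal_server direct
  quit
 authentication-profile name auth_p
  dot1x-access-profile d1
  portal-access-profile p1
  free-rule-template free_rule
  quit
 interface gigabitethernet 1/0/12              # step 5: authentication point for wired PCs
  authentication-profile auth_p
  quit
 group-policy controller 192.168.11.1 password Admin@123   # step 8: XMPP link, enables free mobility
```

Binding the authentication profile to the downlink GE1/0/12 rather than to the access switch's user ports is what makes the core switch the single authentication point: access rights are enforced where the security group is known, so a user who moves between access ports, or between wired and wireless, is re-authenticated against the same policy. After `group-policy controller` is run, the switch should show the controller connection as established and the security groups delivered by the Agile Controller should appear on the switch; if the XMPP password here and on the Agile Controller differ, the link does not come up and no group or policy is delivered.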
Configure the access switch.
1. Configure interfaces and VLANs to implement network communication.
2. Configure the switch to transparently transmit 802.1X packets.
In this example, an access switch exists between users and the core switch functioning as the authentication point, and transparently transmits packets. To ensure that users can pass 802.1X authentication, configure the access switch to transparently transmit 802.1X packets (EAP packets in this example because EAP mode is used).
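The following CLI script is an added example of the access switch part of the roadmap, using the interface and VLAN values from Table 1-1; it is not configuration from the original page or from Huawei. The syntax is the Layer 2 protocol tunneling command set of the S2750 (V200R006) as the editor knows it; the group MAC address 0100-0000-0002 is an assumed value chosen for this example. The `#` comments are annotations only and must be removed before pasting.

```text
# Access switch (S2750): VLAN connectivity plus transparent transmission of
# 802.1X (EAPOL) frames, so that the core switch can act as the authentication point.
system-view
 vlan batch 12 14
 # Define a tunneled protocol: EAPOL frames arrive with destination MAC 0180-c200-0003;
 # the switch rewrites it to the group MAC so they are forwarded instead of consumed locally.
 l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
 interface gigabitethernet 0/0/1               # uplink to core switch GE1/0/12
  port link-type trunk
  port trunk allow-pass vlan 12 14
  l2protocol-tunnel user-defined-protocol 802.1x enable   # restores the protocol MAC on egress
  bpdu enable
  quit
 interface gigabitethernet 0/0/3               # wired user port in VLAN 14
  port link-type access
  port default vlan 14
  l2protocol-tunnel user-defined-protocol 802.1x enable   # rewrites the MAC on ingress
  bpdu enable
  quit
 interface gigabitethernet 0/0/5               # AP port in management VLAN 12
  port link-type access
  port default vlan 12
  quit
```

The tunnel must be enabled on both the user-facing port and the uplink: the user port replaces the destination MAC of incoming EAPOL frames with the group MAC, and the uplink replaces it back so that the core switch receives standard 802.1X frames. `bpdu enable` is needed because EAPOL frames use a reserved protocol MAC that the switch would otherwise drop. Wireless clients do not need this: their 802.1X exchange rides inside the CAPWAP tunnel between the AP and the native AC on the core switch, so the AP port only has to carry the management VLAN.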
Configure the Agile Controller.
1. Configure RADIUS, Portal, and XMPP parameters, and add the core switch.
2. Configure the security groups Employee_Group and Email_Server to represent users and resources, respectively.
3. Use fast authorization to authorize the security group Employee_Group to the employee department. Employees are mapped to the security group Employee_Group after being authenticated.
4. Configure an access control policy to allow Employee_Group to access Email_Server.