OHCSCP1308 Agile Network ISSUE 3.0
Copyright © 2017 Huawei Technologies Co., Ltd. All rights reserved. Page 1
Agile Network
www.huawei.com
Contents
1. Principles of the Agile Network Solution
2. Configurations of Agile Features
Limitations of Traditional Networks
Limitations of IP-based campus network access authentication
1. Large workloads of access control and policy deployment: Manually configuring access control policies based on IP addresses and VLANs requires heavy workloads and is difficult to maintain.
2. Uncontrollable access rights: Access rights are bound to IP addresses. When a user moves or the IP address changes, user rights are difficult to control.
3. Inconsistent user experience: Users cannot obtain the same priority and bandwidth when they connect to the network from different locations.
Breakthrough of Agile Network
Application Scenarios of Free Mobility
[Figure: a mobile employee and a guest access the network through the employee and guest SSIDs at the HQ campus and a branch; the Agile Controller, a firewall (FW), and the DC with its resources are shown behind the campus.]
Free Mobility and Admission Control
The Free Mobility function provides a special access control mode. This function grants specified rights to users based on the access location, access time, access mode, and terminal type. Users enjoy the same rights and network experience as long as the access conditions remain unchanged.
[Figure: rights are granted to a user according to location (campus, hotel, or home), terminal type (PC or dumb terminal), access mode (for example, paid access), and time (workday or holiday, day or night).]
Logical Architecture of Free Mobility Access Control
[Figure: the network device plane contains the authentication and authorization sub-system (authentication point; authorization by group ID) and the service policy sub-system (policy enforcement point). The authentication point reports the IP address of the authenticated user, the policy server delivers policies, and the enforcement point queries user group information. The user plane contains user terminals and static resources. Legend: inter-component communication; user service traffic.]
Free Mobility Deployment
Step 1: Define a security group
1. Define a security group.
2. Add group members:
Dynamic type: selecting a user.
Static type: configuring a fixed IP address or network segment.
Step 2: Define and deploy group policies
1. Define group policies:
Experience policy (VIP group forwarding priority).
Permission policy (whether inter-group communication is allowed).
2. Deploy group policies: The enforcement point interconnects with the policy server. The policy server automatically delivers security groups and group policies to the device.
Step 3: System runs automatically
1. Authentication: When a user tries to access a network, the authentication server authenticates the identity.
2. Authorization: The authentication server matches the authorization policies based on the matching conditions and authorizes the user group. The enforcement point device dynamically adds the IP addresses of users to the group.
3. Execution: Based on the mapping relationships between groups and IP addresses stored on the local host and the authentication server, network devices identify the source and destination group information of packets, and then match and execute group policies.
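The three deployment steps above can be modelled as a small enforcement point: security groups with static members (IP addresses or segments) and dynamic members (addresses bound at authorization time), permission policies between groups, and experience policies that set a forwarding priority. The Python below is an added illustration, not Huawei code; the group names, addresses, and policies are constructed for the example, and the default-deny behaviour for traffic whose endpoints belong to no group is an assumption of this model.

```python
"""Free Mobility group-based enforcement, modelled in Python (added example)."""
import ipaddress


class SecurityGroup:
    def __init__(self, name, static_members=()):
        self.name = name
        # Static type: fixed IP addresses or network segments (CIDR strings).
        self.static_networks = [ipaddress.ip_network(c) for c in static_members]
        # Dynamic type: IPs bound to the group when a user is authorized.
        self.dynamic_members = set()

    def contains(self, ip):
        if ip in self.dynamic_members:
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.static_networks)


class EnforcementPoint:
    def __init__(self, default_action="deny"):
        self.groups = {}
        self.permissions = {}  # (src_group, dst_group) -> "permit" | "deny"
        self.priorities = {}   # (src_group, dst_group) -> DSCP value, e.g. "cs7"
        self.default_action = default_action  # assumption: unmatched traffic is dropped

    def add_group(self, group):
        self.groups[group.name] = group

    def permission_policy(self, src, dst, action):
        self.permissions[(src, dst)] = action

    def experience_policy(self, src, dst, dscp):
        self.priorities[(src, dst)] = dscp

    def authorize(self, ip, group_name):
        """Authorization step: bind the user's current IP to the group the
        authentication server returned. Any earlier binding of that IP is
        dropped so an address never sits in two dynamic groups."""
        if group_name not in self.groups:
            raise KeyError(f"unknown security group {group_name!r}")
        for group in self.groups.values():
            group.dynamic_members.discard(ip)
        self.groups[group_name].dynamic_members.add(ip)

    def logoff(self, ip):
        """User goes offline: the dynamic binding is removed, so whoever
        receives the address next does not inherit the user's rights."""
        for group in self.groups.values():
            group.dynamic_members.discard(ip)

    def group_of(self, ip):
        for group in self.groups.values():
            if group.contains(ip):
                return group.name
        return None

    def classify(self, src_ip, dst_ip):
        """Execution step: identify the source and destination groups of a
        packet, then match and apply the group policies."""
        src, dst = self.group_of(src_ip), self.group_of(dst_ip)
        action = self.permissions.get((src, dst), self.default_action)
        dscp = self.priorities.get((src, dst)) if action == "permit" else None
        return {"src_group": src, "dst_group": dst, "action": action, "dscp": dscp}


def build_demo():
    """Constructed scenario: a VIP group, a common-employee group, and static
    resource groups for the mail server segment and a non-work application."""
    ep = EnforcementPoint()
    for g in (SecurityGroup("VIP"), SecurityGroup("Common"),
              SecurityGroup("email_server", ["10.10.20.0/24"]),
              SecurityGroup("non_work", ["203.0.113.0/24"])):
        ep.add_group(g)
    ep.permission_policy("VIP", "email_server", "permit")
    ep.permission_policy("Common", "email_server", "permit")
    ep.permission_policy("VIP", "non_work", "permit")
    ep.permission_policy("Common", "non_work", "deny")
    ep.experience_policy("VIP", "email_server", "cs7")
    return ep


if __name__ == "__main__":
    ep = build_demo()
    ep.authorize("10.1.1.20", "VIP")          # VIP user authenticates in the office
    print(ep.classify("10.1.1.20", "10.10.20.5"))
    ep.logoff("10.1.1.20")
    ep.authorize("10.2.1.5", "VIP")           # same user moves; same group, same rights
    print(ep.classify("10.2.1.5", "10.10.20.5"))
```

The point of the last two calls is the mobility property: rights follow the group binding, not the address, so the VIP user keeps the cs7 priority after moving, while the released address falls back to the default action.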
Contents
1. Principles of the Agile Network Solution
2. Configurations of Agile Features
Free Mobility in the Campus Access Scenario
Employees in the campus have fixed access and mobile access requirements, demanding consistent bandwidth, forwarding priority, and rights for accessing the DC and Internet, regardless of their locations and access modes.
The authentication point for wired and wireless users is deployed on the core switches.
[Figure: campus topology with the core switches, a firewall (interface G1/0/3), a DMZ, and a DNS server.]
Configuration Flowchart
Configuration plan
Basic configuration
Firewall configuration
Agile Controller-Campus configuration
Firewall Configuration - Basic Configuration
Configure the access switch.
Allocate VLANs.
Configure transparent transmission of 802.1X authentication packets.
Configure the core switch.
Configure interfaces and VLANs, and enable the DHCP server function.
Configure the default route and set the next hop to the IP address of the interface connecting the firewall and the core switch.
Configure parameters of the Agile Controller-Campus system to provide wireless access.
Core Switch Configuration - RADIUS Interconnection Parameters
Configure RADIUS interconnection parameters.
[S12700] radius-server template rd_temp // Create a RADIUS server template.
[S12700-radius-rd_temp] radius-server authentication 10.10.11.2 1812 source ip-address 10.10.10.1
[S12700-radius-rd_temp] radius-server accounting 10.10.11.2 1813 source ip-address 10.10.10.1
[S12700-radius-rd_temp] radius-server shared-key cipher Admin@123
[S12700] radius-server authorization 10.10.11.2 shared-key cipher Admin@123
[S12700] aaa
[S12700-aaa] authentication-scheme auth // Create an authentication scheme auth.
[S12700-aaa-authen-auth] authentication-mode radius
[S12700-aaa] accounting-scheme acco // Create an accounting scheme acco.
[S12700-aaa-accounting-acco] accounting-mode radius
[S12700-aaa-accounting-acco] accounting realtime 15
[S12700-aaa] domain default
[S12700-aaa-domain-default] radius-server rd_temp
[S12700-aaa-domain-default] authentication-scheme auth
[S12700-aaa-domain-default] accounting-scheme acco
Core Switch Configuration - Portal Interconnection Parameters
Configure Portal interconnection parameters.
[S12700] web-auth-server web_temp // Create a Portal server template.
[S12700-web-auth-server-web_temp] server-ip 10.10.11.2
[S12700-web-auth-server-web_temp] source-ip 10.10.10.1
[S12700-web-auth-server-web_temp] port 50200 // Specify the port number used by the Portal server. The fixed port number is 50200.
[S12700-web-auth-server-web_temp] shared-key cipher Admin@123
[S12700-web-auth-server-web_temp] url http://access.example.com/portal // Specify the URL of the pushed Portal page.
Core Switch Configuration - Enable Wired Authentication
Enable 802.1X and Portal authentication for wired access.
[S12700] interface gigabitEthernet 1/0/10
[S12700-GigabitEthernet1/0/10] authentication dot1x portal // Configure 802.1X + Portal authentication.
[S12700-GigabitEthernet1/0/10] dot1x authentication-method eap // Configure 802.1X authentication in EAP mode.
[S12700-GigabitEthernet1/0/10] web-auth-server web_temp direct // Configure Layer 2 Portal authentication.
[S12700-GigabitEthernet1/0/10] domain name default force // Set the domain default as the forcible authentication domain for users going online through the interface.
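The RADIUS, Portal, and interface slides above form one chain of references: the domain must name a RADIUS template and schemes that exist, and the interface must name a Portal template and a forced domain that exist, otherwise users on that interface cannot be authenticated as intended. The script below is an added example, not Huawei tooling: it parses command lines in the form the slides use (a [hostname-view] prompt, the command, an optional // comment), collects the objects they create, and reports dangling references. SLIDE_CONFIG is the page's own configuration with wrapped lines joined; the second sample, which points the interface at a Portal template that was never created, is constructed.

```python
"""Consistency check for VRP AAA/Portal configuration excerpts (added example)."""
import re

# Prompt, command, then an optional comment introduced by whitespace + "//".
PROMPT = re.compile(r"^\[([^\]]+)\]\s*(.*?)(?:\s+//.*)?$")

SLIDE_CONFIG = """
[S12700] radius-server template rd_temp // Create a RADIUS server template.
[S12700-radius-rd_temp] radius-server authentication 10.10.11.2 1812 source ip-address 10.10.10.1
[S12700-radius-rd_temp] radius-server accounting 10.10.11.2 1813 source ip-address 10.10.10.1
[S12700-radius-rd_temp] radius-server shared-key cipher Admin@123
[S12700] radius-server authorization 10.10.11.2 shared-key cipher Admin@123
[S12700] aaa
[S12700-aaa] authentication-scheme auth
[S12700-aaa-authen-auth] authentication-mode radius
[S12700-aaa] accounting-scheme acco
[S12700-aaa-accounting-acco] accounting-mode radius
[S12700-aaa-accounting-acco] accounting realtime 15
[S12700-aaa] domain default
[S12700-aaa-domain-default] radius-server rd_temp
[S12700-aaa-domain-default] authentication-scheme auth
[S12700-aaa-domain-default] accounting-scheme acco
[S12700] web-auth-server web_temp // Create a Portal server template.
[S12700-web-auth-server-web_temp] server-ip 10.10.11.2
[S12700-web-auth-server-web_temp] source-ip 10.10.10.1
[S12700-web-auth-server-web_temp] port 50200
[S12700-web-auth-server-web_temp] shared-key cipher Admin@123
[S12700-web-auth-server-web_temp] url http://access.example.com/portal
[S12700] interface gigabitEthernet 1/0/10
[S12700-GigabitEthernet1/0/10] authentication dot1x portal
[S12700-GigabitEthernet1/0/10] dot1x authentication-method eap
[S12700-GigabitEthernet1/0/10] web-auth-server web_temp direct
[S12700-GigabitEthernet1/0/10] domain name default force
"""

# Constructed variant: the interface references a Portal template that does not exist.
DANGLING_CONFIG = SLIDE_CONFIG.replace("web-auth-server web_temp direct",
                                       "web-auth-server web_old direct")


def parse(text, hostname):
    """Build a table of the objects the commands create, keyed by the view
    encoded in the prompt (e.g. 'radius-rd_temp', 'aaa-domain-default')."""
    cfg = {"radius": {}, "portal": {}, "auth_scheme": set(),
           "acct_scheme": set(), "domain": {}, "interface": {}}
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m or not m.group(2):
            continue
        prompt, cmd = m.groups()
        view = prompt[len(hostname) + 1:] if prompt.startswith(hostname + "-") else ""
        w = cmd.split()
        if view == "":                                   # system view
            if w[:2] == ["radius-server", "template"]:
                cfg["radius"][w[2]] = {}
            elif w[0] == "web-auth-server":
                cfg["portal"][w[1]] = {}
            elif w[0] == "interface":
                cfg["interface"]["".join(w[1:]).lower()] = {}
        elif view.startswith("radius-"):                 # RADIUS template view
            t = cfg["radius"][view[len("radius-"):]]
            if w[:2] == ["radius-server", "authentication"]:
                t["auth"] = w[2]
            elif w[:2] == ["radius-server", "shared-key"]:
                t["key"] = True
        elif view.startswith("web-auth-server-"):        # Portal template view
            cfg["portal"][view[len("web-auth-server-"):]][w[0]] = w[1]
        elif view == "aaa":
            if w[0] == "authentication-scheme":
                cfg["auth_scheme"].add(w[1])
            elif w[0] == "accounting-scheme":
                cfg["acct_scheme"].add(w[1])
            elif w[0] == "domain":
                cfg["domain"][w[1]] = {}
        elif view.startswith("aaa-domain-"):             # domain view
            cfg["domain"][view[len("aaa-domain-"):]][w[0]] = w[1]
        elif view.lower() in cfg["interface"]:           # interface view
            itf = cfg["interface"][view.lower()]
            if w[0] == "authentication":
                itf["methods"] = w[1:]
            elif w[0] == "web-auth-server":
                itf["portal"] = w[1]
            elif w[:2] == ["domain", "name"]:
                itf["domain"] = w[2]
    return cfg


def check(cfg):
    """Return a list of findings; an empty list means every reference resolves."""
    findings = []
    for name, t in cfg["radius"].items():
        if "auth" not in t:
            findings.append(f"RADIUS template {name}: no authentication server")
        if "key" not in t:
            findings.append(f"RADIUS template {name}: no shared key")
    for name, p in cfg["portal"].items():
        for key in ("server-ip", "shared-key", "url"):
            if key not in p:
                findings.append(f"Portal template {name}: missing {key}")
    for name, d in cfg["domain"].items():
        if d.get("radius-server") not in cfg["radius"]:
            findings.append(f"domain {name}: RADIUS template {d.get('radius-server')} not defined")
        if d.get("authentication-scheme") not in cfg["auth_scheme"]:
            findings.append(f"domain {name}: authentication scheme not defined")
        if d.get("accounting-scheme") not in cfg["acct_scheme"]:
            findings.append(f"domain {name}: accounting scheme not defined")
    for name, itf in cfg["interface"].items():
        if "portal" in itf.get("methods", []) and itf.get("portal") not in cfg["portal"]:
            findings.append(f"interface {name}: Portal template {itf.get('portal')} not defined")
        if itf.get("domain") not in cfg["domain"]:
            findings.append(f"interface {name}: forced domain {itf.get('domain')} not defined")
    return findings


if __name__ == "__main__":
    print(check(parse(SLIDE_CONFIG, "S12700")) or "slide configuration: no findings")
    print(check(parse(DANGLING_CONFIG, "S12700")))
```

The parser keys everything off the view name in the prompt rather than tracking quit commands, which is what makes it usable on slide excerpts and copied terminal sessions; on a saved configuration file without prompts the view would have to be inferred from indentation instead.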
Firewall Configuration - Agile Controller-Campus Interconnection Parameters
On the firewall, choose Object > Authentication Server > RADIUS to configure XMPP interconnection parameters for interconnection with the Agile Controller-Campus server.
Create a RADIUS server (that is, the Agile Controller-Campus).
Choose System > Agile Network Configuration. After completing the configuration, click Apply.
Agile Controller-Campus Configuration - Add Core Switches
Choose Resource > Device > Device Management.
Click Add to add a core switch.
Agile Controller-Campus Configuration - Add Firewalls
Choose Resource > Device > Device Management.
Click Add to add a firewall.
Agile Controller-Campus Configuration - Deploy the Security Zone
Choose Policy > Permission Control > Security Group > Intranet Configuration to add fixed and mobile terminal IP address pools to the intranet segment, and add IP addresses of the DNS server, the Agile Controller-Campus server, and the core switch VLANIF 11 to the pre-security domain.
Agile Controller-Campus Configuration - Deploy Access Right Control
Choose Policy > Free Mobility > Security Object Configuration > Application Group to create a non_work application group, and add the work-unrelated applications to the group.
Choose System > Terminal Configuration > Global Parameters, and set Service Mobility Configuration Mode to All Devices.
Choose Policy > Free Mobility > Policy Configuration > Permission Control to add a general policy.
Agile Controller-Campus Configuration - Deploy QoS Policies
Choose Policy > Free Mobility > Policy Configuration > QoS Policy.
Click QoS Guarantee Priority and select High. On the displayed page, set the minimum total bandwidth to 10 Mbit/s.
Drag the VIP, email server, and Internet security groups to the High area, and set the packet priority to cs7. The VIP security group maps to the email server and Internet security groups.
Verification
Use the VIP account Andy and the common account Jack to perform authentication separately. After the authentication, perform the following steps for verification:
On the Agile Controller-Campus, choose Resource > User > Online User Management to view users' login information and security groups.
On a core switch, run the display access-user command to view online users.
On a core switch, run the display access-user user-id <user ID> command to view a user's login information, including the authentication method (802.1X authentication or Portal authentication), terminal IP address, uplink and downlink bandwidth, and corresponding security group. The user ID can be obtained from the online user list viewed in the preceding step.
On a firewall, choose Object > Agile Security Group > Agile Security Group to view the number of online users in a security group. Click an online user to view the terminal IP address and the user group of the user.
Quiz
1. Which of the following disadvantages do IP-based campus networks have? ( )
A. Heavy workload of access control and policy deployment
B. Difficult access right control
C. Inconsistent user experience
D. Limited number of IP addresses
Summary
Principles of the Agile Network Solution
Configurations of Agile Features
Thank You
www.huawei.com