Overview of Policy Association

Definition

Policy association provides a solution to contradiction between policy strengths and complexity on large campus networks. In the solution, user access policies are centrally managed on the gateway devices and enforced by gateway and authentication access devices.

Purpose

On traditional networks, NAC is configured at the access layer. The authentication access device is the authentication point that controls and manages access users. However, a large-sized network may have the following problems:

• There are a large number of authentication access devices, which make the configuration complex and O&M difficult.
• The large number of authentication access devices increase the pressure on the connected servers.
• Users access the network at fixed positions.

Moving the authentication point from the access layer to the aggregation or core layer can address the preceding problems. The gateway is the authentication control device that authenticates and manages users. This reduces the number of authentication points on the network and simplifies authentication access device configurations. However, moving the authentication point to upper layers may cause the following problems:

• Authentication access devices cannot transparently transmit BPDUs, so 802.1x authentication cannot be used. The Layer 2 transparent transmission function must be configured.
• The authentication point cannot control the mutual access between the users in the same VLAN on an authentication access device.
• The administrator does not know the access positions of users, so fault locating is difficult.
• The gateway cannot immediately detect user logoff, and the detection process increases workload on the gateway.

The policy association solution is introduced to address these problems. After policy association is configured, authentication access devices can transparently transmit BPDUs and report user logoff and user access positions in real time. In addition, the authentication control device requests authentication access devices to enforce user access policies, thus controlling user access to the network.