Application Scenarios for Policy Association

To control and manage access users, NAC authentication and user access policies need to be deployed for access control. Large campus networks have many widely distributed authentication access devices. If NAC authentication and user access policies are deployed on each authentication access device, the huge workload and inflexible policy adjustment cause contradiction between policy strengths and complexity. To resolve this problem, deploy policy association to implement centralized policy control and distributed policy execution, as shown in Figure 1.

Figure 1 Deploying policy association on large campus networks

The gateway functions as the authentication control device, on which NAC authentication and user access policies are deployed in a centralized manner. In this way, the same configuration does not need to be performed on each authentication access device, which simplifies the device configuration and management. The authentication control device and authentication access devices use CAPWAP tunnels to communicate with each other. The authentication control device authenticates users and controls network access policies for users, while the authentication access devices carry out these network access policies.