Configuring the Free Mobility Function
Pre-configuration Task
The free mobility solution controls network access rights of users. Before the free mobility function is configured on switches, one or several of 802.1X, MAC address, Portal authentication modes must have been configured in NAC unified mode.
Context
The free mobility function must be configured on each authentication device to implement the free mobility solution.
For details about the configuration on a controller, see the HUAWEI Agile Controller-Campus Product Documentation or Huawei iMaster NCE-Campus Product Documentation.
Procedure
- Configure routes between the device and controller.
You are advised to configure static routes or OSPF dynamic routes to implement communication between the device and controller. For details, see "Static Route Configuration" and "OSPF Configuration" in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - IP Unicast Routing.
- Perform the following configurations based on the controller type:
- When Agile Controller-Campus is used, run the following command in the system view:
Run group-policy controller ip-address1 [ port-number1 ] [ backup ip-address2 [ port-number2 ] ] password password [ src-ip ip-address3 ] [ vpn-instance vpn-instance-name ]
The free mobility function is enabled.
By default, the free mobility function is disabled.
- When iMaster NCE-Campus is used, run the following commands in the system view:
- Run ip-group service ip-address ip-address [ port port-number ] pki-realm-name pki-realm-name
The IP address of the controller is configured.
By default, no controller IP address is configured.
- Run ip-group service timer heart-beat interval
The interval for sending IP-GROUP channel heartbeat packets is configured.
By default, IP-GROUP channel heartbeat packets are sent at an interval of 5 minutes.
- Run ip-group service timer reconnection interval
The IP-GROUP channel reconnection interval is configured.
By default, the IP-GROUP channel reconnection interval is 1 minute.
- Run ip-group service timer down-delay interval
A delay in responding to the IP-GROUP channel interruption event is configured.
By default, the delay in responding to the IP-GROUP channel interruption event is 30 seconds.
- Run ip-group service timer up-delay interval
A delay in responding to the IP-GROUP channel Up event is configured.
By default, the delay in responding to the IP-GROUP channel Up event is 30 seconds.
- Run ip-group service ip-address ip-address [ port port-number ] pki-realm-name pki-realm-name
- When Agile Controller-Campus is used, run the following command in the system view:
- Configure a security group on the controller.
When the controller delivers a UCL group name that is not supported by the switch, for example, this group name contains Chinese characters or special characters, the switch cannot parse the group name. A UCL group name that can be supported by the switch must be consistent with the value of group-name in the ucl-group group-index [ name group-name ] command, cannot be -, --, a, an, or any, and cannot contain any of the following characters: / \ : * ? " < > | @ ' %. Therefore, when configuring a UCL group name on the controller, do not use Chinese characters or special characters.
- Configure group policies on the controller.
- Save the configuration on the controller.
Saving the configuration on a controller is similar to running the save command on the device, which saves all the device configurations (including security groups, access control policies, and QoS policies deployed on the controller) to the configuration file.
If security groups, access control policies, and QoS policies are saved to the device's configuration file, these configurations can be directly restored from the configuration file after the device restarts, and do not need to be requested from the controller. Otherwise, user authentication fails after the device restarts because security groups, access control policies, and QoS policies are not deployed on the device.