
Working Mechanism

Table 1 compares Agile Controller-Campus and iMaster NCE-Campus when they interwork with switches to implement free mobility. For details about the working mechanisms, see Figure 1 and Figure 2.

Table 1 Comparison between Agile Controller-Campus and iMaster NCE-Campus

| Item | Scenario | Supported Security Groups |
| --- | --- | --- |
| Agile Controller-Campus | Applicable to a campus access scenario with a single authentication device. The policy enforcement device and authentication device must be the same physical switch, because Agile Controller-Campus does not push group policies to a switch that acts only as a policy enforcement device. | Dynamic user group and static resource group |
| iMaster NCE-Campus | Applicable to a campus access scenario with one or more authentication devices. The policy enforcement device and authentication device can be different physical switches. | Dynamic user group, push user group, static resource group, and emergency resource group |

Figure 1 shows the working mechanism of free mobility when Agile Controller-Campus is used.

Figure 1 Working mechanism of free mobility when Agile Controller-Campus is used
  1. On the web UI of Agile Controller-Campus, an administrator creates a user account and user control list (UCL) group, adds the user account to the UCL group, and defines the access control policy (also known as the group policy) for the user based on the UCL group. Users can only access the network after being authenticated.
  2. Agile Controller-Campus delivers the UCL group and access control policy configured by the administrator to all associated switches, enabling the switches to identify the UCL group to which the user belongs. The administrator can also deploy some service policies based on security groups on these switches.
  3. Authentication of the user starts. During the authentication, Agile Controller-Campus associates the user with the UCL group based on the user login information. After the authentication succeeds, Agile Controller-Campus delivers the group to which the user belongs as the authorization result to the authentication device. Agile Controller-Campus collects IP addresses of all online users.
  4. The user accesses the network. After receiving user packets, the switch attempts to identify security groups to which the source and destination IP addresses of the packets correspond, and enforces UCL group-based policies for packets.

Figure 2 shows the working mechanism of free mobility when iMaster NCE-Campus is used.

Figure 2 Working mechanism of free mobility when iMaster NCE-Campus is used

  1. On the web UI of a controller, an administrator creates a user account and UCL group, adds the user account to the UCL group, and defines the network access policy (that is, group policy) for the user based on the UCL group. All users can access the network only after being authenticated.
  2. iMaster NCE-Campus delivers the UCL group configured by the administrator to all associated switches (policy enforcement device and authentication devices), enabling the switches to identify the UCL group to which the user belongs.
  3. The policy enforcement device requests to set up an IP-GROUP channel with iMaster NCE-Campus.
  4. Authentication of the user starts. During the authentication, iMaster NCE-Campus associates the user with the UCL group based on the user login information. After the authentication succeeds, iMaster NCE-Campus collects IP addresses of all online users.
  5. iMaster NCE-Campus pushes UCL group entry information (the group to which the user belongs is delivered as the authorization result) to the policy enforcement device through the IP-GROUP channel, and records the mapping between UCL groups and the source and destination IP addresses.
  6. The user accesses the network. After receiving user packets, the policy enforcement device attempts to identify security groups to which the source and destination IP addresses of the packets correspond, and enforces UCL group-based policies for packets.
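The last step of both mechanisms (step 4 in Figure 1, step 6 in Figure 2) is the same lookup on the switch: resolve the source and destination IP addresses to UCL groups, then apply the policy defined for that group pair. The following Python simulation is an added example, not code from Huawei or from either controller; it models a policy enforcement device whose group entries arrive from the controller (dynamic user groups bound to a host address at authentication time, static resource groups bound to prefixes). The group names, addresses, the lookup order (host entries before prefix entries) and the deny-by-default behaviour for an address that maps to no group are all assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data: mimics the UCL group entries a controller pushes to a
# policy enforcement switch. All names and addresses are illustrative assumptions.


@dataclass
class PolicyEnforcementPoint:
    """Simulated switch data plane: IP -> UCL group, then (src group, dst group) -> action."""

    # Static resource groups: prefix -> group name (e.g. a server subnet).
    resource_groups: dict
    # Dynamic user groups: host address learned at authentication -> group name.
    user_entries: dict = field(default_factory=dict)
    # Group policy: (source group, destination group) -> "permit" | "deny".
    policies: dict = field(default_factory=dict)
    # Assumption: traffic whose endpoints resolve to no group, or to a group pair
    # without an explicit policy, is denied.
    default_action: str = "deny"

    def push_user_entry(self, ip, group):
        """Authorization result / IP-GROUP push: a user came online, bind its IP to a group."""
        self.user_entries[ipaddress.ip_address(ip)] = group

    def remove_user_entry(self, ip):
        """User went offline: drop the binding so the address no longer inherits the group."""
        self.user_entries.pop(ipaddress.ip_address(ip), None)

    def resolve_group(self, ip):
        """Host (user) entries take precedence; otherwise longest-prefix match on resource groups."""
        addr = ipaddress.ip_address(ip)
        if addr in self.user_entries:
            return self.user_entries[addr]
        best = None
        for net, group in self.resource_groups.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, group)
        return best[1] if best else None

    def forward_decision(self, src_ip, dst_ip):
        """The per-packet check: group-based policy instead of per-user policy."""
        src_group = self.resolve_group(src_ip)
        dst_group = self.resolve_group(dst_ip)
        if src_group is None or dst_group is None:
            return self.default_action
        return self.policies.get((src_group, dst_group), self.default_action)


def build_sample_pep():
    """Constructed deployment: two resource groups, three user groups, three online users."""
    pep = PolicyEnforcementPoint(
        resource_groups={
            ipaddress.ip_network("10.10.0.0/16"): "Servers",
            ipaddress.ip_network("10.10.5.0/24"): "FinanceServers",  # more specific subnet
        },
        policies={
            ("Employees", "Servers"): "permit",
            ("Finance", "Servers"): "permit",
            ("Finance", "FinanceServers"): "permit",
            ("Guests", "Servers"): "deny",
        },
    )
    # Entries the controller would deliver after each user authenticates.
    pep.push_user_entry("192.168.1.10", "Employees")
    pep.push_user_entry("192.168.1.20", "Finance")
    pep.push_user_entry("192.168.2.5", "Guests")
    return pep


if __name__ == "__main__":
    pep = build_sample_pep()
    for src, dst in [("192.168.1.10", "10.10.1.1"), ("192.168.1.10", "10.10.5.1"),
                     ("192.168.1.20", "10.10.5.1"), ("192.168.2.5", "10.10.1.1"),
                     ("172.16.0.9", "10.10.1.1")]:
        print(f"{src} -> {dst}: {pep.resolve_group(src)} -> {pep.resolve_group(dst)}: "
              f"{pep.forward_decision(src, dst)}")
```

Two behaviours worth noticing in the simulation: the longest-prefix rule means an Employee reaching the finance subnet is evaluated against the more specific FinanceServers group, for which no Employee policy exists, so the default applies; and an address that never authenticated (here 172.16.0.9) resolves to no group at all, which is why the entry removal on logout matters as much as the push on login.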

A UCL group is called a security group on Agile Controller-Campus and iMaster NCE-Campus.

UCL groups identify the user types. An administrator can add the users requiring the same access control policy to the same UCL group, and configure an access control policy for the group. Compared with the solution in which access control policies are deployed for each user, the UCL group-based access control solution greatly reduces the administrator's workload.

Copyright © Huawei Technologies Co., Ltd.