Free mobility is a solution that allows a user to obtain the same network access policy regardless of the user’s location and IP address changes.
Benefits
- Simplified network planning: The administrator does not need to consider IP addresses of users when configuring policies.
- Enhanced control capability: User authentication information can be synchronized between network devices.
- Improved management efficiency: The administrator does not need to configure devices one by one.
Configuring the Free Mobility Function
Pre-configuration Task
The free mobility solution controls the network access rights of users. Before the free mobility function is configured on switches, one or more of the 802.1X, MAC address, and Portal authentication modes must have been configured in NAC unified mode.
Context
The free mobility function must be configured on each authentication device to implement the free mobility solution.
For details about the configuration on a controller, see the HUAWEI Agile Controller-Campus Product Documentation or Huawei iMaster NCE-Campus Product Documentation.
Procedure
- Configure routes between the device and controller.
You are advised to configure static routes or OSPF dynamic routes to implement communication between the device and controller. For details, see “Static Route Configuration” and “OSPF Configuration” in the S2720, S5700, and S6700 V200R019C10 Configuration Guide – IP Unicast Routing.
- Perform the following configurations based on the controller type:
- When Agile Controller-Campus is used, run the following command in the system view:
Run group-policy controller ip-address1 [ port-number1 ] [ backup ip-address2 [ port-number2 ] ] password password [ src-ip ip-address3 ] [ vpn-instance vpn-instance-name ]
The free mobility function is enabled.
By default, the free mobility function is disabled.
- When iMaster NCE-Campus is used, run the following commands in the system view:
- Run ip-group service ip-address ip-address [ port port-number ] pki-realm-name pki-realm-name
The IP address of the controller is configured.
By default, no controller IP address is configured.
- Run ip-group service timer heart-beat interval
The interval for sending IP-GROUP channel heartbeat packets is configured.
By default, IP-GROUP channel heartbeat packets are sent at an interval of 5 minutes.
- Run ip-group service timer reconnection interval
The IP-GROUP channel reconnection interval is configured.
By default, the IP-GROUP channel reconnection interval is 1 minute.
- Run ip-group service timer down-delay interval
A delay in responding to the IP-GROUP channel interruption event is configured.
By default, the delay in responding to the IP-GROUP channel interruption event is 30 seconds.
- Run ip-group service timer up-delay interval
A delay in responding to the IP-GROUP channel Up event is configured.
By default, the delay in responding to the IP-GROUP channel Up event is 30 seconds.
- Configure a security group on the controller.
When the controller delivers a UCL group name that the switch does not support, for example a group name containing Chinese characters or special characters, the switch cannot parse the group name. A UCL group name that the switch can support must be consistent with the value of group-name in the ucl-group group-index [ name group-name ] command, cannot be -, --, a, an, or any, and cannot contain any of the following characters: / \ : * ? " < > | @ ' %. Therefore, when configuring a UCL group name on the controller, do not use Chinese characters or special characters.
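The naming constraints above are easy to violate when security groups are created on the controller by several administrators, and a name the switch cannot parse only shows up as a policy that silently never applies. The following pre-deployment check is an added example, not Huawei code; it encodes the reserved words and forbidden characters stated in the procedure, and additionally assumes that reserved words are matched case-insensitively and that a CLI argument cannot contain whitespace, neither of which the procedure states. The sample group names are constructed for the example.

```python
"""Pre-deployment check for UCL group names before they are created on the controller.

Added example (not Huawei's code).  Encodes the UCL group naming rules from the
free mobility procedure; the whitespace rule and case-insensitive reserved-word
matching are assumptions made here, not statements from the original text.
"""
import re

# Characters the switch rejects in a UCL group name (from the procedure text).
FORBIDDEN_CHARS = set('/\\:*?"<>|@\'%')

# Names the switch refuses as a UCL group name (from the procedure text).
RESERVED_NAMES = {"-", "--", "a", "an", "any"}


def check_ucl_group_name(name: str) -> list:
    """Return a list of violations; an empty list means the switch can parse the name."""
    problems = []
    if not name:
        problems.append("name is empty")
        return problems
    # Assumption: reserved words are rejected regardless of letter case.
    if name.lower() in RESERVED_NAMES:
        problems.append(f"'{name}' is a reserved word")
    bad = sorted(set(name) & FORBIDDEN_CHARS)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    # Chinese or other non-ASCII characters cannot be parsed by the switch.
    if any(ord(ch) > 0x7F for ch in name):
        problems.append("contains non-ASCII characters (e.g. Chinese)")
    # Assumption: a CLI argument cannot contain whitespace.
    if re.search(r"\s", name):
        problems.append("contains whitespace")
    return problems


def filter_group_names(names):
    """Split controller-side group names into (accepted list, {rejected name: reasons})."""
    accepted, rejected = [], {}
    for name in names:
        problems = check_ucl_group_name(name)
        if problems:
            rejected[name] = problems
        else:
            accepted.append(name)
    return accepted, rejected


# Constructed sample: names an administrator might type on the controller.
SAMPLE_NAMES = ["Finance", "guest_wifi", "any", "R&D/Lab", "财务部", "HR Team", "--"]

if __name__ == "__main__":
    ok, bad = filter_group_names(SAMPLE_NAMES)
    print("accepted:", ok)
    for name, reasons in bad.items():
        print(f"rejected {name!r}: {'; '.join(reasons)}")
```

Run the check over the planned group list before creating the groups on the controller; only names that come back with no violations should be used, since a rejected name is not reported back by the switch as a parse failure in the policy itself.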
- Configure group policies on the controller.
- Save the configuration on the controller.
Saving the configuration on a controller is similar to running the save command on the device, which saves all the device configurations (including security groups, access control policies, and QoS policies deployed on the controller) to the configuration file.
If security groups, access control policies, and QoS policies are saved to the device’s configuration file, these configurations can be directly restored from the configuration file after the device restarts, and do not need to be requested from the controller. Otherwise, user authentication fails after the device restarts because security groups, access control policies, and QoS policies are not deployed on the device.
Verifying the Configuration
- Run the display group-policy status command to check the status of the controller associated with the device.