
Huawei Agile Controller-Campus

CONTENTS
01 Huawei Agile Controller-Campus

05 Access Control Manager

11 Guest Manager

15 Terminal Security Manager

17 Free Mobility Manager

21 Service Chain Manager


Huawei Agile Controller-Campus

Product Overview

User terminals (information receivers) are no longer fixed in specific physical locations for services such as mobile
office, bring your own device (BYOD), and wireless local area network (WLAN). These services create the
following challenges for statically configured traditional networks:
1. How can a consistent experience be guaranteed for different user terminals regardless of location?
2. How can user rights, QoS priority, bandwidth, security, and other network policies be configured? Traditional
networks bind users to physical interfaces, and the administrator manually configures policies on the devices
closest to users. However, manual configuration cannot adapt to changes in user locations. To meet the
requirements of mobile users, networks must support dynamic resource allocation and policy configuration;
that is, network resources and policies must be able to migrate with users.

In Huawei xxx Solution, the Agile Controller works intelligently with network-wide devices and dynamically
schedules network-wide policies to provide free mobility for employees and flexible access for guests. In this
way, the network can support services in a more agile way.

The Agile Controller-Campus (Agile Controller for short) is a user- and application-based unified policy control
system developed by Huawei. The Agile Controller centrally controls the network access rights, applications,
bandwidth, QoS, and security policies and provides Access Control Manager, Guest Manager, Terminal Security
Manager, Free Mobility Manager, and Service Chain Manager for enterprises.

[Figure: Agile Controller policy control. User terminals (wired user PC, laptop, wireless user, PAD, VPN user, phone, guest, printer, O&M user, camera) reach the network facilities: the Policy Controller (NAC) and the policy execution devices (switch, WLAN, VPN gateway, router, firewall). Before authentication, terminals can reach only the pre-authentication domain (NAC, DHCP, DNS, patch server); after authentication, they reach the post-authentication domain (intranet, Internet, and Office, R&D, and MKT data). The policy exchange between the controller and the devices covers permission, application, bandwidth, QoS, and security.]


Functional Modules and Function Overview

Access Control Manager: Together with the network access device (NAD), this component controls the network
access of internal and external terminals and implements a unified access control policy. It also provides
flexible authentication and authorization policy management, which can meet the service control needs of
different enterprises.

Guest Manager: Provides full lifecycle guest management, including account application, approval, distribution,
authentication, auditing, and deregistration. It also supports the creation of visualized portals and guest
authentication over social media, which can assist enterprises in advertising and marketing.

Terminal Security Manager: Monitors terminal health and provides automatic recovery, software distribution,
patch management, and resource management. It forces terminals to conform to the enterprise security policy,
enhances the ability to defend against attacks, and ensures network security.

Free Mobility Manager: In combination with Huawei's agile switches, next-generation firewalls (NGFWs), and SVN
gateways, this innovative and agile component provides policy orchestration based on two-dimensional matrices.
It allows the unified planning and automatic deployment of permissions, applications, bandwidth, QoS, and
security policy based on security groups. It ensures that network-wide policies are uniform and allows users to
enjoy the same user experience while on the move.

Service Chain Manager: This innovative and agile component allows the resource pooling of physical security
devices, screens specific physical forms and locations, and creates a security resource center. It sends traffic to
the security resource center according to service requirements, where it is inspected and processed. This
increases the usage rate of physical resources and reduces network construction costs.

Product Characteristics

Centralized Control, Global Policy Orchestration, Service Experience Orientation


• Applies the SDN concept of centralized control to campus networks. The Agile Controller centrally controls
users, services, and security policies, and dynamically schedules user rights, applications, bandwidth, QoS, and
security resources.
• Uniformly deploys network-wide policies, so that users have the same rights and services when they access
the network at different times, from different locations, and on different terminals, implementing free mobility.
• Supports policy orchestration in natural language to shield the differences between devices, so that
maintenance personnel do not need to execute complicated commands.


Openness and Interoperability, Speeding Up Service Innovation


• Interoperates with mainstream social media such as Facebook, Twitter, Google+, WeChat, Sina Weibo, QQ,
and QR code to simplify guest access and promote secondary marketing of enterprises.
• Provides northbound APIs to synchronize information about the networks, users, assets, and terminals,
helping enterprises develop valuable applications and speeding up service innovation.

Highly Reliable and Flexible Architecture, Ensuring Service Continuity and Protecting Customer Investment
• Supports the Windows and Linux operating systems and provides comprehensive high availability (HA)
solutions to ensure the stable operation of the network service.
• Supports distributed and hierarchical deployment modes with the flexible system architecture, enabling
flexible service-oriented expansion and protecting customer investment.

Product Architecture

Management Center (MC): Used in hierarchical management scenarios; defines global policies and monitors the
SMs and SCs.

Service Manager (SM): Performs service management. The system administrator completes user, service, and
security policy configuration through the web management page.

Service Controller (SC): Integrates RADIUS and Portal servers and associates with NADs such as switches to
complete client authentication and authorization.

Network Access Device (NAD): Switch, router, WLAN, VPN gateway, firewall.

Client: Controller client (Windows), Portal page, Web Agent, OS client (Windows/Linux/MAC/iOS/Android).

[Figure: Agile Controller Architecture, showing the MC, SM, SC, NAD, and client layers.]

Operating Environment

Hardware Environment

Platform: Windows, single-node
Configuration requirements: CPU 2*E5-2620 or higher; memory 16 GB; hard disk 3 x 300 GB; network adapter 4 x GE NICs
Recommended server: Huawei RH2288H rack server or Huawei E9000 blade server

Platform: Linux, single-node
Configuration requirements: CPU 2*E5-2620 or higher; memory 16 GB; hard disk 3 x 300 GB; network adapter 4 x GE NICs
Recommended server: Huawei RH2288H rack server or Huawei E9000 blade server

Platform: Linux-HA
Configuration requirements: CPU 2*E5-2620 or higher; memory 16 GB; hard disk 3 x 300 GB + disk array; network adapter 6 x GE NICs
Recommended server: Huawei RH2288H rack server + Huawei S2600T disk array

NOTE
1. Each RH2288H or E9000 blade server can manage a maximum of 10,000 online users.
2. The Agile Controller manages a maximum of 100,000 online users when multiple servers or blade servers are deployed in
distributed/hierarchical mode.
3. If VMware 5.5 is selected, the configuration requirements are as follows:
Memory: 24 GB
CPU: 3 x 6-core CPUs
Mode: exclusive

Software Environment

Windows
Optional environment: Windows Server 2008 R2 Standard SP1 64-bit, Windows Server 2012 R2 Standard 64-bit, or
Windows Server 2012 Standard 64-bit; MSSQL Server 2008 Standard SP2 64-bit or MSSQL Server 2012 R2 Standard 64-bit
Recommended environment: Windows Server 2008 R2 Standard SP1 64-bit; MSSQL Server 2008 Standard SP2 64-bit

Linux
Optional environment: SUSE Linux 11 SP3 64-bit; Oracle 11g R2
Recommended environment: SUSE Linux 11 SP3 64-bit; Oracle 11g R2

High Reliability Configuration

Management Center (MC)
Windows: Not supported.
Linux: Supported. Provides the active/standby switchover of HA based on Keepalived.

Service Manager (SM)
Windows: Not supported.
Linux: Supported. Provides the active/standby switchover of HA based on Keepalived.

Service Controller (SC)
Windows: Supported. A resource pool is used to implement backup, and N+1 SCs need to be deployed.
Linux: Supported. A resource pool is used to implement backup, and N+1 SCs need to be deployed.

Database
Windows: Supported. Uses SQL Server database mirroring; the principal, mirror, and witness databases need to be deployed.
Linux: Supported. Uses Oracle Real Application Clusters (RAC) to implement hot backup; the disk array needs to be
deployed for data storage.


Access Control Manager

Component Overview

Advances in Information and Communication Technologies (ICT) mean that enterprise users require network
access from anywhere. However, enterprise information security is at risk when large numbers of mobile staff
and partners frequently use their own terminals (such as laptops) to access the enterprise's local area networks
(LANs). Unauthorized terminals may infect enterprise networks with viruses and, in the worst case, steal
trade secrets.

The maturity of WLAN technologies and prevalence of intelligent terminals prompt many enterprises to
allow employees intranet access through intelligent BYOD terminals. While enterprises are aiming to improve
employees' work efficiency and reduce mobile terminal costs, WLAN technologies on enterprise networks create
significant information security risks.

The Access Control component of the Huawei Agile Controller associates with network access control devices
to control access to enterprise networks from internal and external terminals. The component provides unified
access control policies, and flexibly manages authentication and authorization policies to meet different service
control requirements.


Component Characteristics

Comprehensive Access Authentication Modes for Different Network Scenarios


802.1X authentication
Characteristics:
• Enables the 802.1X function on a switch or AC.
• Implements Layer 2 isolation.
• Complicates maintenance due to multiple authentication points.
• Requires the switch to support 802.1X.
Application scenarios: Applies to small, medium, and large campus networks with high security requirements.
The Access Control component can associate with Huawei all-series Sx7 switches, routers, WLAN devices, and
third-party standard 802.1X switches.

MAC address authentication
Characteristics:
• Enables the switch or AC to automatically enable 802.1X or MAC address authentication for different terminals.
• Authenticates terminals on the authentication server based on MAC addresses.
Application scenarios: Applies to dumb terminals such as IP phones and printers.

Portal authentication
Characteristics:
• Configures a combination of Portal and MAC address authentication on devices at the aggregation layer.
Devices select authentication modes based on terminal type. The AC unifies wireless user authentication.
• Makes clients optional on terminals based on service requirements.
• Does not require access switches to support 802.1X.
Application scenarios: Applies to small, medium, and large campus networks, especially in scenarios with no
client installed. Associates with Huawei all-series Sx7 switches, AR routers, WLAN devices, and third-party
CMCC Portal-supported devices.

SACG authentication
Characteristics:
• Connects the USG firewall to the router or switch in bypass mode, and implements terminal access control
using policy-based routing. There is no need to change the network topology.
• Simplifies management and maintenance because there are few authentication points.
• Positions the control point at the aggregation or core layer, weakening Layer 2 control capability.
Application scenarios: Applies to campus networks with a large number of third-party switches and routers.
This authentication mode is especially suitable for campus network reconstruction.

The Agile Controller supports the following functions:


• 802.1X, Portal, MAC address, and SACG authentication
• PAP, CHAP, EAP-MD5, EAP-PEAP-MSCHAPV2, EAP-TLS, EAP-TTLS-PAP, and EAP-PEAP-GTC authentication
• Anonymous authentication, account authentication, certificate authentication, AD/LDAP associated
authentication, third-party database associated authentication, and RADIUS relay agent authentication
• Two-password (user name and password + mobile phone verification code) authentication
• Social media (Facebook, Twitter, Google+, WeChat, QQ, and Sina Weibo) authentication
• An escape mechanism: when an AD/LDAP server breaks down, users pass authentication directly.

Flexible, Refined, and Secure 5W1H-based Context Awareness Authorization


Who (user identity): Administrative personnel, ordinary employees, VIP users, guests
Where (access location): R&D area, non-R&D area, home
When (access time): On-duty time, off-duty time, work days
Whose (device source): Enterprise devices, BYOD devices
What (device type): Windows, Linux, iOS, Android
How (access mode): Wired, wireless, VPN, Internet


The Agile Controller supports the following functions:


• Supports authorization based on user groups, accounts, roles, SSIDs, time periods, terminal IP addresses,
terminal device groups, access device groups, and terminal compliance check results.
• Supports authorization based on the dynamic ACL, static ACL, VLAN, user group, and security group.
• Supports online duration control: limits the one-time online duration and the accumulated online duration
within a specified period.
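The 5W1H authorization described above can be read as an ordered rule evaluation: each rule lists the accepted values for Who, Where, When, Whose, What, and How, the first matching rule supplies the authorization attributes (VLAN, ACL, security group, online duration), and an unmatched context is denied by default. The following Python is an added example written for this page, not Agile Controller code; the rule set, the on-duty window, the sample role and location names, and the returned attribute names are assumptions made for the illustration.

```python
"""Added illustration of 5W1H context-aware authorization (not Agile Controller code).

Dimensions follow the page: Who (user identity), Where (access location),
When (access time), Whose (device source), What (device type), How (access mode).
The rules, the on-duty window and the attribute names returned are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class AccessContext:
    who: str         # user identity / role, e.g. "rd_engineer", "employee", "guest"
    where: str       # access location, e.g. "rd_area", "non_rd_area", "home"
    when: datetime   # access time
    whose: str       # device source: "enterprise" or "byod"
    what: str        # device type: "windows", "linux", "ios", "android"
    how: str         # access mode: "wired", "wireless", "vpn", "internet"


@dataclass(frozen=True)
class Rule:
    """Accepted values per dimension; None means 'any value' for that dimension."""
    name: str
    result: dict     # authorization attributes delivered on a match (VLAN, ACL, security group, ...)
    who: Optional[FrozenSet[str]] = None
    where: Optional[FrozenSet[str]] = None
    whose: Optional[FrozenSet[str]] = None
    what: Optional[FrozenSet[str]] = None
    how: Optional[FrozenSet[str]] = None
    on_duty_only: bool = False   # the "When" dimension: restrict the rule to working hours


def is_on_duty(ts: datetime) -> bool:
    """Assumed on-duty window: Monday to Friday, 09:00 to 18:00."""
    return ts.weekday() < 5 and time(9, 0) <= ts.time() < time(18, 0)


def rule_matches(rule: Rule, ctx: AccessContext) -> bool:
    for dim in ("who", "where", "whose", "what", "how"):
        allowed = getattr(rule, dim)
        if allowed is not None and getattr(ctx, dim) not in allowed:
            return False
    if rule.on_duty_only and not is_on_duty(ctx.when):
        return False
    return True


DEFAULT_DENY = {"access": "deny", "reason": "no matching rule"}


def authorize(rules, ctx: AccessContext) -> dict:
    """First matching rule wins; a context no rule accepts is denied (deny by default)."""
    for rule in rules:
        if rule_matches(rule, ctx):
            return {"rule": rule.name, **rule.result}
    return {"rule": None, **DEFAULT_DENY}


def make_context(who, where, when_iso, whose, what, how) -> AccessContext:
    """Build a context from plain strings; when_iso is an ISO 8601 timestamp."""
    return AccessContext(who, where, datetime.fromisoformat(when_iso), whose, what, how)


# Constructed policy set, ordered from most specific to most general.
RULES = [
    Rule("rd-enterprise-device-in-rd-area",
         result={"access": "permit", "vlan": 100, "security_group": "rd_staff",
                 "acl": "permit_rd_servers"},
         who=frozenset({"rd_engineer"}), where=frozenset({"rd_area"}),
         whose=frozenset({"enterprise"}), how=frozenset({"wired", "wireless"})),
    Rule("employee-byod-on-duty",
         result={"access": "permit", "vlan": 200, "security_group": "byod",
                 "acl": "mail_and_internet_only", "max_online_minutes": 480},
         who=frozenset({"rd_engineer", "employee"}), whose=frozenset({"byod"}),
         what=frozenset({"ios", "android", "windows"}), on_duty_only=True),
    Rule("employee-vpn-from-home",
         result={"access": "permit", "vlan": 210, "security_group": "remote_staff",
                 "acl": "permit_office_apps"},
         who=frozenset({"rd_engineer", "employee"}), where=frozenset({"home"}),
         how=frozenset({"vpn"})),
    Rule("guest-wireless",
         result={"access": "permit", "vlan": 300, "security_group": "guest",
                 "acl": "internet_only", "max_online_minutes": 120},
         who=frozenset({"guest"}), how=frozenset({"wireless"})),
]


if __name__ == "__main__":
    ctx = make_context("rd_engineer", "rd_area", "2024-01-08T10:00", "byod", "ios", "wireless")
    print(authorize(RULES, ctx))
```

The same engineer gets a different authorization on an enterprise laptop at a wired desk, on a personal phone during working hours, and on that phone at the weekend (no rule matches, so access is denied), which is the point of deciding per context rather than per physical port.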

Satisfying Complex Enterprises with Hierarchical User Group Management Features


• Supports up to 20 user group levels to satisfy the requirements of enterprises with complex organizational
structures.

Flexible User Source Selection, Seamless Interconnection with Existing Enterprise Systems
• Allows users to create accounts on the Agile Controller. In addition, it can interconnect with mainstream AD,
Lightweight Directory Access Protocol (LDAP), RADIUS, and dynamic token systems.

Authentication protocol support by authentication system (columns: Built-in Account, AD, LDAP, RADIUS Relay, RADIUS Token)

Protocol            Built-in Account   AD    LDAP   RADIUS Relay   RADIUS Token
PAP                 YES                YES   YES    YES            Depends on the external system
CHAP                YES                NO    NO     NO             Depends on the external system
EAP-PEAP-MSCHAPV2   YES                YES   NO     NO             Depends on the external system
EAP-MD5             YES                NO    NO     NO             Depends on the external system
EAP-TLS             YES                YES   YES    NO             Depends on the external system
EAP-TTLS-PAP        YES                YES   YES    YES            Depends on the external system
EAP-PEAP-GTC        YES                YES   YES    YES            Depends on the external system

• Supports on-demand data synchronization or filtering to meet varied user requirements.


Intelligent Terminal Identification and Authentication


Page Customization for Permission Control on BYOD Terminals
• Provides up to 200 types of terminal identification templates, and
supports multiple terminal identification modes. These include MAC
organizationally unique identifier (OUI), Dynamic Host Configuration
Protocol (DHCP) Option, Hypertext Transfer Protocol (HTTP) User-
Agent, and Simple Network Management Protocol (SNMP).
• Supports the following terminal identification modes: SNMP, User
Agent, DHCP, and MAC OUI.
• Supports various terminal types such as PCs, smartphones, tablets,
dumb terminals, IP phones, and printers.
• Supports Windows, Linux, MAC OS, Android, iOS, and Windows
Phone operating systems.
• Identifies information about vendors such as Huawei, Samsung,
Apple, HTC, and Lenovo.
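The identification modes listed above (MAC OUI, DHCP Option, HTTP User-Agent, SNMP) each reveal a different part of a terminal's identity, so a practical identifier merges them and decides which signal wins when they disagree. The Python below is an added example for this page, not Agile Controller code: the OUI table is constructed (not a real registry excerpt), the "MSFT 5.0" and "android-dhcp-" vendor class strings are the real values Windows and Android DHCP clients send, and the remaining classification rules, the vendor-to-printer heuristic and the precedence order (User-Agent over DHCP for the OS) are assumptions; SNMP is left out.

```python
"""Added illustration of multi-signal terminal identification (not Agile Controller code).

Combines MAC OUI, DHCP vendor class (Option 60) and HTTP User-Agent. The OUI
table, the printer heuristic and the precedence rules are constructed for this
example; a real deployment uses a maintained OUI database and many more templates.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed OUI table (24-bit prefix -> vendor). These are NOT real OUI assignments.
OUI_VENDORS = {
    "00:1A:2B": "Apple",
    "00:3C:4D": "Samsung",
    "00:5E:6F": "Lenovo",
    "00:7A:8B": "HP",
}
# Assumed heuristic: a device from these vendors with no OS evidence is treated as a printer.
PRINTER_VENDORS = {"HP"}


def os_from_dhcp_vendor_class(vendor_class: Optional[str]) -> Optional[str]:
    """Map a DHCP Option 60 string to an OS. 'MSFT 5.0' (Windows) and
    'android-dhcp-<ver>' (Android) are real values; 'dhcpcd'/'linux' is a constructed rule."""
    if not vendor_class:
        return None
    vc = vendor_class.lower()
    if vc.startswith("msft"):
        return "Windows"
    if vc.startswith("android-dhcp"):
        return "Android"
    if "dhcpcd" in vc or "linux" in vc:
        return "Linux"
    return None


def os_from_user_agent(ua: Optional[str]) -> Optional[str]:
    """Order matters: iPhone/iPad strings also contain 'Mac OS X', Android strings contain 'Linux'."""
    if not ua:
        return None
    if "iPhone" in ua or "iPad" in ua:
        return "iOS"
    if "Android" in ua:
        return "Android"
    if "Windows Phone" in ua:
        return "Windows Phone"
    if "Windows NT" in ua:
        return "Windows"
    if "Mac OS X" in ua:
        return "MAC OS"
    if "Linux" in ua:
        return "Linux"
    return None


@dataclass
class TerminalProfile:
    vendor: Optional[str]
    os: Optional[str]
    device_type: str            # "PC", "smartphone/tablet", "printer" or "unknown"
    sources: List[str] = field(default_factory=list)   # signals that contributed


def identify_terminal(mac: str, dhcp_vendor_class: Optional[str] = None,
                      user_agent: Optional[str] = None) -> TerminalProfile:
    """Merge the signals: OUI gives the vendor; User-Agent is the most specific OS
    signal and takes precedence over DHCP; device type is derived from the result."""
    sources: List[str] = []
    vendor = OUI_VENDORS.get(mac.upper()[:8])
    if vendor:
        sources.append("MAC OUI")

    os_name = os_from_user_agent(user_agent)
    if os_name:
        sources.append("HTTP User-Agent")
    else:
        os_name = os_from_dhcp_vendor_class(dhcp_vendor_class)
        if os_name:
            sources.append("DHCP Option 60")

    if os_name is None and vendor in PRINTER_VENDORS:
        device_type = "printer"
    elif os_name in {"iOS", "Android", "Windows Phone"}:
        device_type = "smartphone/tablet"
    elif os_name in {"Windows", "Linux", "MAC OS"}:
        device_type = "PC"
    else:
        device_type = "unknown"
    return TerminalProfile(vendor, os_name, device_type, sources)


if __name__ == "__main__":
    print(identify_terminal("00:1a:2b:11:22:33",
                            user_agent="Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X)"))
```

A terminal that has only been seen at the DHCP stage is typed from Option 60; once it opens a browser the User-Agent refines or overrides that, and a device with nothing but a MAC address stays "unknown" rather than being guessed, which is the safer default when the result feeds an authorization decision.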

Automatic 802.1X Configuration Delivery to Terminals Using the Boarding Function
• Interworks with the Windows CA server to deliver certificates.
• Provides network access policies by terminal type and user group.
• Supports automatic device registration, manual report of device loss,
and restriction on lost devices.
• Supports terminals running Windows, Android, and iOS operating
systems.

Deployment Scenarios

802.1X Access Control


802.1X is enabled on the switches closest to the terminals. Before the terminals can access the network,
customers need to deploy the security agents or the 802.1X clients provided by the operating system on the
terminals.

After the terminals pass 802.1X authentication, the Agile Controller server delivers authorization parameters
such as VLANs and ACLs to the access switches, which control the network access permissions of the terminals.
MAC address authentication is enabled to authenticate dumb terminals, such as printers and IP phones, so they
can access the network. When dumb terminals access the network, they automatically trigger MAC address
authentication to obtain network access permission.

[Figure: 802.1X access control deployment: Agile Controller, network, 802.1X switch.]

Portal Access Control


A combination of Portal and MAC address authentication is enabled on the gateway. Terminals can use web
authentication or the Agile Controller NAC client to access the network. Dumb terminals access the network by
MAC address authentication.

[Figure: Portal access control deployment: Agile Controller, network, Portal switch.]

SACG Access Control


SACG access control is suitable for complex campus networks with a large number of third-party datacom
devices, such as switches and routers. The SACG device connects to the Layer 3 switch or a router in bypass
mode. Upstream traffic sent from terminals is redirected to the SACG by the packet redirection function
configured on the switch or by policy-based routing configured on the router. Filtered by the SACG, traffic is sent
back to the switch or router for forwarding.

[Figure: SACG access control deployment. Agile Controller servers and the SACG connect to the network in bypass mode; Area A shows the pre-authentication domain, the isolation domain (third-party antivirus server, file server), and the post-authentication domain (service servers).]


Auxiliary Devices

Device Role: Authentication device
Device Type:
• Huawei Sx7 switches
• Huawei AR routers
• Huawei WLAN ACs
• Huawei USG firewalls
• 802.1X switches from mainstream third-party vendors
• Third-party devices supporting the CMCC Portal protocol

Order Information

Item / Remarks
Agile Controller Access Control Function: Mandatory
Agile Controller Terminals of Access Control Function, Including 200 Access Terminals License: Optional
Agile Controller Terminals of Access Control Function, Including 500 Access Terminals License: Optional
Agile Controller Terminals of Access Control Function, Including 1000 Access Terminals License: Optional
Agile Controller Terminals of Access Control Function, Including 2000 Access Terminals License: Optional
Agile Controller Terminals of Access Control Function, Including 5000 Access Terminals License: Optional
Agile Controller Terminals of Access Control Function, Including 10000 Access Terminals License: Optional
Agile Controller Terminals of Access Control Function, Including 50000 Access Terminals License: Optional


Guest Manager

Component Overview

The maturity of WLAN technologies and the prevalence of intelligent terminals prompt many enterprises to open
their intranets to guests and partners. In public areas (such as shopping malls, hotels, exhibition halls, chain
stores, scenic spots, business halls, and airport lounges), the huge number of users accessing the WLAN creates
enormous advertising opportunities.

The Guest Manager of the Huawei Agile Controller provides full lifecycle guest management functions, including
account application, approval, distribution, authentication, auditing, and deregistration. Guests can access the
network without registration, or using self-applied accounts, accounts applied for by the administrator, or social
media accounts. The component also supports graphical Portal page customization to flexibly push ads based
on the terminal location, type, and time period.

Component Characteristics

Unified Management on Employees and Guests to Reduce Enterprises' Construction and IT O&M Costs
• Employee and guest access systems can be deployed on the same server or separately.


Full Lifecycle Guest Management, Scenario-based Flexible Combination

Registration
• Registration-free
• Self-help application
• Using accounts created by an administrator

Approval
• Automatic approval
• Administrator approval
• Receptionist approval
• Approval through email activation
• Receptionist approval (QR code scanning)

Distribution
• SMS (GPRS and SMS gateway)
• Email
• Web

Authentication
• Authentication-free
• Account and password authentication
• Passcode
• Mobile phone verification code authentication
• QR code authentication
• Social media authentication

Audit and deregistration
• User login and logout audit
• Automatic deregistration after expiration
• Scheduled account deregistration

Perfect Portal Page Customization to Improve Brand Image


• Selects a system template based on scenarios and provides a page customization wizard.

• Supports customization of pages for PCs, tablets, and mobile phones, which include the authentication
page, authentication success page, user notice page, registration page, and registration success page.
• Supports the What You See Is What You Get (WYSIWYG) editor to edit texts, images, colors, hyperlinks,
buttons, dividing lines, and near video on demand (NVOD).


• Supports format painter, eraser, preview, and test functions.


• Supports multi-language templates, including simplified Chinese, traditional Chinese, English, German,
Spanish, Portuguese, and French.

Social Media Authentication, Facilitating Secondary Marketing of Enterprises


• Supports interconnection with Wechat, QQ, and Sina Weibo.
• Supports interconnection with Facebook, Twitter, and Google+.

Flexible Portal Page Pushing, Refining Message Pushing


• Supports page pushing based on SSIDs, locations (based on MAC addresses), time periods, terminal types,
and guest access modes.

Intelligent Terminals Unaware of Authentication and One-time Authentication for Multiple Access Times
• Uses a combination of Portal and MAC address authentication for first access, and MAC address
authentication for subsequent access requests.

Deployment Scenarios

A combination of Portal and MAC address authentication is enabled on the gateway. Terminals can use web
authentication to access the network.

[Figure: Guest deployment: Agile Controller server, network, Portal switch.]


Auxiliary Devices

Device Role: Authentication device
Device Type:
• Huawei Sx7 series switches with native ACs
• Huawei AR routers with native ACs
• Huawei WLAN ACs
• Third-party devices supporting the CMCC Portal protocol

Order Information

Item / Remarks
Agile Controller Guest Management Function: Mandatory
Agile Controller Guest Management Function, Including 200 Access Terminal Management License: Optional
Agile Controller Guest Management Function, Including 500 Access Terminal Management License: Optional
Agile Controller Guest Management Function, Including 1000 Access Terminal Management License: Optional
Agile Controller Guest Management Function, Including 2000 Access Terminal Management License: Optional
Agile Controller Guest Management Function, Including 5000 Access Terminal Management License: Optional
Agile Controller Guest Management Function, Including 1000 Access Terminal Management License: Optional
Agile Controller Guest Management Function, Including 50000 Access Terminal Management License: Optional


Terminal Security Manager

Component Overview

Security health assessments on access terminals are a key indicator of an enterprise's security management
capabilities. A large number of mobile staff and partners frequently use their own terminals (such as laptops)
to access enterprise LANs, which threatens enterprise information security. Unauthorized terminals may infect
enterprise networks with viruses, and acquire trade secrets.

The Terminal Security Management component of the Huawei Agile Controller strictly controls network access for
all terminal users, and enforces security policies to the users connected to the network. The component supports
terminal health checks, software distribution, patch management, and asset management to ensure that terminals
connected to the network possess self-defense capabilities and comply with enterprise security policies.

Component Characteristics

Terminal Security Management for Windows Clients, Forbidding Unauthorized Access


Terminal Compliance Check for Windows Terminals
• Checks the screen saver policies, registry policies, file sharing, antivirus software, software blacklist and
whitelist, redundant system accounts, ports in use, host names, runtime, weak passwords, automatic system
updates, Windows system settings, and operating system patches.


• Monitors local services and DHCP settings.


• Automatically repairs violated items, including the screen saver policies, registry policies, file sharing, antivirus
software, local services, DHCP settings, and operating system patches.

Windows Patch Management to Update Patches on the Agile Controller or Through Association with the
Windows Server Update Services (WSUS)

Software Distribution for Windows Clients, Including Patch Delivery, Execution, and Removal

Asset Management for Manual or Automatic Terminal Asset Registration

Deployment Scenarios

The networking of the Terminal Security Management component is similar to that of the Access Control
component. Customers need to install the dedicated NAC client of the Agile Controller before they can enable
the terminal security management feature.

Auxiliary Devices

Terminal: Windows
Operating System Version:
• Microsoft Windows XP
• Microsoft Windows Vista
• Microsoft Windows 7
• Microsoft Windows 8
• Microsoft Windows 8.1

Order Information

Item / Remarks
Agile Controller Access Control Function: Mandatory
Agile Controller Terminal Security Management Function: Mandatory
Agile Controller Terminal Security Feature, Including 200 Terminals License: Optional
Agile Controller Terminal Security Feature, Including 500 Terminals License: Optional
Agile Controller Terminal Security Feature, Including 1000 Terminals License: Optional
Agile Controller Terminal Security Feature, Including 2000 Terminals License: Optional
Agile Controller Terminal Security Feature, Including 5000 Terminals License: Optional
Agile Controller Terminal Security Feature, Including 10000 Terminals License: Optional
Agile Controller Terminal Security Feature, Including 50000 Terminals License: Optional


Free Mobility Manager

Component Overview

With the popularity of mobile office and BYOD applications, users need to access enterprise networks from the
HQ, from branches, and even on business trips. Employees of different roles work in the same area, the physical
locations of terminals are no longer fixed, and users frequently handle business on their own terminals.
Additionally, guests and partners access the intranet, which increases the number of user types and the intranet
security risks. In such a case, isolation is necessary. Ensuring consistent QoE for users who access networks
using different terminals at different places, while isolating the users for security, has become a common
concern for enterprises.

The Free Mobility component of Huawei Agile Controller provides a security group–based policy mechanism
in addition to the traditional NAC to implement decoupling of user policies and IP addresses. Free Mobility
better meets the requirements of mobile office networks than isolation through port binding, VLAN, ACL, and
VPN technologies. In combination with Huawei's agile switches, NGFWs, and SVN gateways, Free Mobility
provides policy orchestration based on two-dimensional matrices. It allows the unified planning and automatic
deployment of permissions, applications, bandwidth, QoS, and security policy based on security groups. It
ensures that network-wide policies are uniform and allows users to enjoy the same user experience while on the
move.


Component Characteristics

Security Group-based Policy Control Mechanism, More Suitable for Mobile Office Network
• Replaces the traditional isolation methods that use port binding, VLAN, ACL, and VPN technologies,
providing efficient policy planning.
• Works with agile switches, NGFWs, and VPN gateways to ensure uniform network-wide policies.
• Supports user group–based isolation when employees of different roles work in the same area.

Policy Planning Based on Two-Dimensional Matrices and One-Click Network-Wide Deployment

Context Awareness–based Authorization and 5W1H Configuration Experience


Security Group–based Hierarchical QoS Policies to Ensure Service Experience

Global and Local Policies, Deploying Different Policies on a Single Device


BGP/MPLS VPN Networking, Deploying Different Policies for VPNs

Deployment Scenarios

The Free Mobility component has no special networking requirements, provided that there are reachable IP
routes between the Agile Controller server and associated network devices. Generally, the Agile Controller server
is connected to the agile core switch in bypass mode.

[Figure: Free Mobility deployment. Branches (L2 switches and AR routers) reach the campus over the WAN/Internet; the campus egress is an NGFW/SVN; the Agile Controller, a server, and the NMS attach to the agile core switch (LSW) in bypass mode; below it are the agile aggregation LSW, the converged access LSWs and APs, the data center, and Internet access.]


Auxiliary Devices

Device Role: Authentication device
Device Type:
• Modular switch: S7700/9700/12700 in V200R006C00 or later
• Fixed switch: S5720HI in V200R006C00 or later
• NGFW: USG63/65/66 in V1R00100C20 or later
• VPN gateway: SVN 56/58 in V200R003C00 or later

Order Information

Item / Remarks
Agile Controller Access Control Function: Mandatory
Agile Controller Free Mobility Function: Mandatory


Service Chain Manager

Component Overview

Traditional security solutions used on enterprise campus networks and data center networks define network
borders. Security devices such as firewalls, anti-DDoS, antivirus (AV) software, intrusion prevention systems
(IPS), and data loss prevention (DLP) devices are deployed on the borders between areas of different security
levels. As the network scale expands, users connect to networks using more diverse access methods, and
traditional security deployment results in an exponential increase in cost. In addition, many customers size the
number of security devices they purchase at two to five times the peak-hour rates. However, high-performance
security devices, such as firewalls, IPS, and anti-DDoS, have low resource utilization rates, which wastes
resources.

The Huawei Agile Controller Service Chain component virtualizes physical security devices to shield device
models and locations. All security devices form a security resource center. The component directs service flows
to the security resource center based on service requirements to improve the utilization rate of physical
resources and reduce costs.


Component Characteristics

Resource Virtualization, Service Flow-based Resource Scheduling to Implement Full Security Protection
• Improves hardware utilization efficiency and reduces customer investment.

Comprehensive Service Flow Management to Define Service Flows Based on IP Address or 5-tuple User Group Information
• Defines service flows based on the source and destination IP addresses, source and destination port numbers, and protocol.
• Defines service flows based on the source and destination user groups, source and destination port numbers, and protocol.


Role-based Service Chain Resource Management
• Enables service devices to be defined as a firewall, virus wall or online behavior management device.
• Enables the administrator to set up a GRE tunnel between an orchestration device (switch) and a service device to redirect service traffic to the specified service device for security monitoring.

Service Chain Creation Based on Service Flows to Provide Differentiated Security Policies for Different Services
• Configured service chain orchestration policies are displayed on the GUI, allowing administrators to rearrange service chains by simply dragging service devices.

Deployment Scenarios

Three hardware parts are required to provide the Service Chain function:

• Agile Controller service server: functions as the Service Chain subsystem, which completes service logic configuration on service chains.
• Orchestration device: must be a Huawei agile switch. The switch identifies service traffic and redirects the traffic to the service devices in the sequence specified by the service chain. There must be reachable IP routes between the orchestration device and the service devices.
• Service device: processes the service flows redirected to it. The service and orchestration devices work at Layer 3 and are connected through GRE tunnels. Service devices can be connected to the core router or to the core or aggregation switch, based on the following principles:
  - Core layer: define service flows based on IP information to shorten the traffic transmission path.
  - Aggregation layer: define service flows based on user information if the customer can accept a circuitous transmission path.
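The flow-definition and chain-orchestration behaviour described above (classifying a flow by IP 5-tuple or by user-group tuple, then redirecting it in order through GRE-attached service devices playing the firewall, antivirus and online behavior management roles) modelled as an added Python example. This is not Agile Controller or Huawei code; the device names, tunnel addresses, subnets, user groups and rules are all constructed for illustration, and the rule set is evaluated first-match as an assumed policy order.

```python
"""Toy model of service-chain orchestration: classify a flow by 5-tuple or by
user-group tuple, then return the ordered list of GRE tunnel endpoints the
orchestration switch would redirect the flow through.
Added example; all device names, addresses, groups and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class ServiceDevice:
    name: str
    role: str          # "firewall", "antivirus" or "behavior_mgmt" (assumed role names)
    tunnel_ip: str     # GRE tunnel endpoint reachable at Layer 3 (constructed)


@dataclass
class FlowRule:
    """A rule matches on IP 5-tuple fields and/or on user-group names.
    None means wildcard. `chain` is the ordered list of service device names."""
    chain: list
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    src_group: Optional[str] = None
    dst_group: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, flow: dict) -> bool:
        if self.src_net and ip_address(flow["src_ip"]) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(flow["dst_ip"]) not in ip_network(self.dst_net):
            return False
        if self.src_group and flow.get("src_group") != self.src_group:
            return False
        if self.dst_group and flow.get("dst_group") != self.dst_group:
            return False
        if self.src_port is not None and flow["src_port"] != self.src_port:
            return False
        if self.dst_port is not None and flow["dst_port"] != self.dst_port:
            return False
        if self.proto and flow["proto"] != self.proto:
            return False
        return True


# Constructed security resource center: three virtualised devices.
DEVICES = {
    "fw1": ServiceDevice("fw1", "firewall", "10.255.0.1"),
    "av1": ServiceDevice("av1", "antivirus", "10.255.0.2"),
    "obm1": ServiceDevice("obm1", "behavior_mgmt", "10.255.0.3"),
}

# Constructed policies, evaluated first-match from top to bottom.
RULES = [
    # Guest web traffic: firewall, then online behavior management.
    FlowRule(chain=["fw1", "obm1"], src_group="guest", dst_port=80, proto="tcp"),
    # Anything from the guest subnet into the data center: firewall, then antivirus.
    FlowRule(chain=["fw1", "av1"], src_net="10.10.0.0/16", dst_net="10.20.0.0/16"),
    # Department A to department B file shares: antivirus only.
    FlowRule(chain=["av1"], src_group="dept_a", dst_group="dept_b", dst_port=445),
]


def validate_chain(chain, devices=DEVICES):
    """Reject chains that reference an unknown device or visit a device twice."""
    unknown = [d for d in chain if d not in devices]
    if unknown:
        raise ValueError(f"unknown service device(s): {unknown}")
    if len(set(chain)) != len(chain):
        raise ValueError(f"device repeated in chain: {chain}")
    return True


def orchestrate(flow, rules=RULES, devices=DEVICES):
    """Return the ordered GRE endpoints the flow is redirected through, or []
    when no rule matches (the flow is forwarded normally, not redirected)."""
    for rule in rules:
        if rule.matches(flow):
            validate_chain(rule.chain, devices)
            return [devices[d].tunnel_ip for d in rule.chain]
    return []


if __name__ == "__main__":
    demo = {"src_ip": "10.10.1.5", "dst_ip": "203.0.113.9", "src_port": 51000,
            "dst_port": 80, "proto": "tcp", "src_group": "guest"}
    print(orchestrate(demo))  # ['10.255.0.1', '10.255.0.3']
```

The two rule kinds mirror the two service-flow definitions on this page: the second rule is a pure IP 5-tuple (with ports and protocol left as wildcards), the first and third use user groups instead of addresses. Unmatched flows return an empty chain, which is the safe default for an orchestration switch: traffic is forwarded normally rather than sent into an undefined tunnel.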


[Figure: Service Chain deployment topology. Service chain 1 and service chain 2 pass through service chain nodes (firewall, antivirus, online behavior management) attached at the aggregation layer; the Agile Controller and NMS center sit alongside the campus egress and data center; the access layer serves the guest area, Dept A, Dept B and the internal public area; the application layer is shown above.]

Auxiliary Devices

Device Role Device Type
Orchestration device • Chassis switch: S77/97/127 V2R6C00 and later versions
Service device • Firewall: USG63/65/66 V1R1C20 and later versions
• Juniper device: SRX210

Order Information

Item Remarks

Agile Controller Access Control Function Mandatory

Agile Controller Free Mobility Function Mandatory

Agile Controller Service Chain Function Mandatory



Copyright © Huawei Technologies Co., Ltd. 2016. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademark Notice

, HUAWEI, and are trademarks or registered trademarks of Huawei Technologies Co., Ltd.
Other trademarks, product, service and company names mentioned are the property of their respective owners.

General Disclaimer

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.

HUAWEI TECHNOLOGIES CO., LTD.
Huawei Industrial Base
Bantian Longgang
Shenzhen 518129, P.R. China
Tel: +86-755-28780808
Version No.: M3-032102-20160607-C-1.0
e.huawei.com
