CONTENTS
Huawei Agile Controller-Campus
Guest Manager
Product Overview
User terminals (the receivers of information) no longer sit at fixed physical locations once services such as mobile
office, bring your own device (BYOD), and wireless local area network (WLAN) access are introduced. These services
pose the following challenges for statically configured traditional networks:
1. How can users get a consistent experience on different terminals, regardless of where they connect?
2. How can user rights, QoS priority, bandwidth, security, and other network policies be configured? Traditional
networks bind users to physical interfaces, and the administrator manually configures policies on the devices
closest to those users. Manual configuration, however, cannot keep up with changing user locations. To serve
mobile users, networks must allocate resources and apply policies dynamically; that is, network resources and
policies must be able to migrate with the user.
In the Huawei xxx Solution, the Agile Controller works with devices across the network and dynamically schedules
network-wide policies to provide free mobility for employees and flexible access for guests. In this way the network
can support services more agilely.
The Agile Controller-Campus (Agile Controller for short) is a user- and application-based unified policy control
system developed by Huawei. The Agile Controller centrally controls the network access rights, applications,
bandwidth, QoS, and security policies and provides Access Control Manager, Guest Manager, Terminal Security
Manager, Free Mobility Manager, and Service Chain Manager for enterprises.
[Figure: Agile Controller network overview. Users (wired PC, laptop, wireless user, PAD, phone, VPN user, guest,
O&M user) connect through NAC access devices (switch, WLAN, VPN gateway, router, firewall), which act as policy
execution devices. The Agile Controller exchanges policy with them: permission, application, bandwidth, QoS, and
security. After authentication, terminals reach the post-authentication domain (DHCP, DNS, and patch servers;
office, R&D, and MKT data; printers, cameras), the intranet, and the Internet.]
Access Control Manager: Together with the network access device (NAD), this component controls the network
access of internal and external terminals and implements a unified access control policy. It also provides flexible
authentication and authorization policy management, which can meet the service control needs of different
enterprises.
Terminal Security Manager: Monitors terminal health and provides automatic recovery, software distribution, patch
management, and resource management. It forces terminals to conform to enterprise security policy, enhances
their ability to defend against attacks, and ensures network security.
Free Mobility Manager: In combination with Huawei's agile switches, next-generation firewalls (NGFWs), and SVN
gateways, this component provides policy orchestration based on two-dimensional matrices. It allows the unified
planning and automatic deployment of permissions, applications, bandwidth, QoS, and security policy based on
security groups, ensures that network-wide policies are uniform, and gives users the same experience while on the
move.
Service Chain Manager: Pools physical security devices into a security resource center, hiding their specific physical
forms and locations. It sends traffic to the security resource center according to service requirements, where it is
inspected and processed. This raises the utilization of physical resources and reduces network construction costs.
Product Characteristics
Highly Reliable and Flexible Architecture, Ensuring Service Continuity and Protecting
Customer Investment
• Supports the Windows and Linux operating systems and provides comprehensive high availability (HA)
solutions to ensure the stable operation of the network service.
• Supports distributed and hierarchical deployment modes with the flexible system architecture, enabling
flexible service-oriented expansion and protecting customer investment.
Product Architecture
Service Manager Performs service management. The system administrator completes user, service,
SM
(SM) and security policy configuration through the web management page.
Service Integrates RADIUS and Portal servers and associates with NADs such as switches
SC
Controller (SC) to complete client authentication and authorization.
Network Access
Device (NAD)
Switch Router WLAN VPN gateway Firewall
Client
Controller client Portal page Web Agent OS client
(Windows) (Windows/Linux/MAC/iOS/Android)
Operating Environment
Hardware Environment
Platform Configuration Requirements Recommended Server
NOTE
1. Each RH2288H or E9000 blade server can manage a maximum of 10,000 online users.
2. The Agile Controller manages a maximum of 100,000 online users when multiple servers or blade servers are
deployed in distributed/hierarchical mode.
3. If VMware 5.5 is selected, the configuration requirements are as follows:
Memory: 24 GB
CPU: 3 x 6-core CPUs
Mode: exclusive
Software Environment
Platform Optional Environment Recommended Environment
Component Overview
Advances in information and communication technologies (ICT) mean that enterprise users require network
access from anywhere. However, enterprise information security is at risk when large numbers of mobile staff
and partners frequently use their own terminals (such as laptops) to access the enterprise's local area networks
(LANs). Unauthorized terminals may infect enterprise networks with viruses and, in the worst case, steal trade
secrets.
The maturity of WLAN technologies and the prevalence of intelligent terminals prompt many enterprises to
allow employees intranet access through intelligent BYOD terminals. While enterprises aim to improve
employees' work efficiency and reduce mobile terminal costs, WLAN technologies on enterprise networks create
significant information security risks.
The Access Control component of the Huawei Agile Controller works with network access control devices
to control access to enterprise networks from internal and external terminals. The component provides unified
access control policies and flexibly manages authentication and authorization policies to meet different service
control requirements.
Component Characteristics
Flexible User Source Selection, Seamless Interconnection with Existing Enterprise Systems
• Allows users to create accounts on the Agile Controller. In addition, it can interconnect with mainstream Active
Directory (AD), Lightweight Directory Access Protocol (LDAP), RADIUS, and dynamic token systems.
Deployment Scenarios
[Figure: Access Control deployment scenario, showing the Agile Controller, the network, the Portal switch, the
pre-authentication domain, and the isolation domain.]
Auxiliary Devices
Order Information
Item | Remarks
Agile Controller Terminals of Access Control Function, Including 200 Access Terminals License | Optional
Agile Controller Terminals of Access Control Function, Including 500 Access Terminals License | Optional
Agile Controller Terminals of Access Control Function, Including 1000 Access Terminals License | Optional
Agile Controller Terminals of Access Control Function, Including 2000 Access Terminals License | Optional
Agile Controller Terminals of Access Control Function, Including 5000 Access Terminals License | Optional
Agile Controller Terminals of Access Control Function, Including 10000 Access Terminals License | Optional
Agile Controller Terminals of Access Control Function, Including 50000 Access Terminals License | Optional
Guest Manager
Component Overview
The maturity of WLAN technologies and the prevalence of intelligent terminals prompt many enterprises to open
their intranets to guests and partners. In public areas (such as shopping malls, hotels, exhibition halls, chain
stores, scenic spots, business halls, and airport lounges), the huge number of users accessing the WLAN creates
enormous advertising opportunities.
The Guest Manager of the Huawei Agile Controller provides full lifecycle guest management functions, including
account application, approval, distribution, authentication, auditing, and deregistration. Guests can access the
network without registration, or using self-applied accounts, accounts applied for by the administrator, or social
media accounts. The component also supports graphical Portal page customization to flexibly push ads based
on the terminal location, type, and time period.
Component Characteristics
Phase | Options
Registration | Registration-free; Self-help application; Using accounts created by an administrator
Approval | Automatic approval; Administrator approval; Receptionist approval; Approval through email activation; Receptionist approval (QR code scanning)
Authentication | Authentication-free; Account and password authentication; Passcode; Mobile phone verification code authentication; QR code authentication; Social media authentication
• Supports customization of pages for PCs, tablets, and mobile phones, which include the authentication
page, authentication success page, user notice page, registration page, and registration success page.
• Supports the What You See Is What You Get (WYSIWYG) editor to edit texts, images, colors, hyperlinks,
buttons, dividing lines, and near video on demand (NVOD).
Deployment Scenarios
Auxiliary Devices
Order Information
Item | Remarks
Agile Controller Guest Management Function, Including 200 Access Terminal Management License | Optional
Agile Controller Guest Management Function, Including 500 Access Terminal Management License | Optional
Agile Controller Guest Management Function, Including 1000 Access Terminal Management License | Optional
Agile Controller Guest Management Function, Including 2000 Access Terminal Management License | Optional
Agile Controller Guest Management Function, Including 5000 Access Terminal Management License | Optional
Agile Controller Guest Management Function, Including 10000 Access Terminal Management License | Optional
Agile Controller Guest Management Function, Including 50000 Access Terminal Management License | Optional
Component Overview
Security health assessments of access terminals are a key indicator of an enterprise's security management
capabilities. Large numbers of mobile staff and partners frequently use their own terminals (such as laptops)
to access enterprise LANs, which threatens enterprise information security. Unauthorized terminals may infect
enterprise networks with viruses and acquire trade secrets.
The Terminal Security Management component of the Huawei Agile Controller strictly controls network access for
all terminal users and enforces security policies on the users connected to the network. The component supports
terminal health checks, software distribution, patch management, and asset management to ensure that terminals
connected to the network possess self-defense capabilities and comply with enterprise security policies.
Component Characteristics
Deployment Scenarios
The networking of the Terminal Security Management component is similar to that of the Access Control
component. The dedicated NAC client of the Agile Controller must be installed on a terminal before the terminal
security management feature can be enabled for it.
Auxiliary Devices
Windows:
• Microsoft Windows XP
• Microsoft Windows Vista
• Microsoft Windows 7
• Microsoft Windows 8
• Microsoft Windows 8.1
Order Information
Item | Remarks
Agile Controller Terminal Security Feature, Including 200 Terminals License | Optional
Agile Controller Terminal Security Feature, Including 500 Terminals License | Optional
Agile Controller Terminal Security Feature, Including 1000 Terminals License | Optional
Agile Controller Terminal Security Feature, Including 2000 Terminals License | Optional
Agile Controller Terminal Security Feature, Including 5000 Terminals License | Optional
Agile Controller Terminal Security Feature, Including 10000 Terminals License | Optional
Agile Controller Terminal Security Feature, Including 50000 Terminals License | Optional
Component Overview
With the popularity of mobile office and BYOD applications, users need to access enterprise networks from the
HQ, from branches, and even on business trips. Employees of different roles work in the same area, the physical
locations of terminals are no longer fixed, and users frequently handle business on their own terminals.
Additionally, guests and partners access the intranet, which increases the number of user types and the intranet
security risks. In such a case, isolation is necessary. Enterprises therefore need to give users a consistent QoE
when they access the network from different terminals at different places, and at the same time isolate those
users from one another for security.
The Free Mobility component of the Huawei Agile Controller adds a security group–based policy mechanism to
traditional NAC, decoupling user policies from IP addresses. Free Mobility meets the requirements of mobile
office networks better than isolation through port binding, VLAN, ACL, and VPN technologies. In combination with
Huawei's agile switches, NGFWs, and SVN gateways, Free Mobility provides policy orchestration based on
two-dimensional matrices. It allows the unified planning and automatic deployment of permissions, applications,
bandwidth, QoS, and security policy based on security groups. It ensures that network-wide policies are uniform
and allows users to enjoy the same user experience while on the move.
Component Characteristics
Security Group-based Policy Control Mechanism, More Suitable for Mobile Office Network
• Replaces the traditional isolation methods that use port binding, VLAN, ACL, and VPN technologies,
providing efficient policy planning.
• Works with agile switches, NGFWs, and VPN gateways to ensure uniform network-wide policies.
• Supports user group–based isolation when employees of different roles work in the same area.
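The decoupling of user policy from IP addresses described above can be made concrete with a small model. The Python below is an added example written for this page; it is not Huawei code and does not reflect the product's internal data structures. The group names, the sample policy matrix, the IP addresses and the session-binding logic are all assumed for illustration. It shows a two-dimensional (source group, destination group) matrix, an IP-to-group binding learned when a user authenticates, and what happens when that user roams to a new address and a guest later receives the old one: the policy follows the user, not the address.

```python
"""Security-group policy matrix, decoupled from IP addresses.
Illustrative model only: group names, addresses and the policy matrix are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

PERMIT, DENY = "permit", "deny"


@dataclass
class PolicyMatrix:
    """Two-dimensional matrix: (source group, destination group) -> action."""
    rules: dict
    default: str = DENY  # anything not planned in the matrix is denied

    def lookup(self, src_group, dst_group):
        return self.rules.get((src_group, dst_group), self.default)


@dataclass
class Controller:
    matrix: PolicyMatrix
    # Static group bindings for resources that never authenticate (servers,
    # the Internet). Longest prefix wins. Hypothetical data.
    static: dict = field(default_factory=dict)     # ip_network -> group
    # Dynamic bindings learned from NAC authentication: ip -> (user, group)
    sessions: dict = field(default_factory=dict)

    def authenticate(self, user, ip, group):
        # Drop any earlier binding for this user: when the user re-authenticates
        # from a new address the group follows them, and the old address carries
        # no policy until somebody else authenticates on it.
        self.sessions = {a: (u, g) for a, (u, g) in self.sessions.items() if u != user}
        self.sessions[ip_address(ip)] = (user, group)

    def logout(self, ip):
        self.sessions.pop(ip_address(ip), None)

    def group_of(self, ip):
        addr = ip_address(ip)
        if addr in self.sessions:
            return self.sessions[addr][1]
        for net, group in sorted(self.static.items(), key=lambda kv: -kv[0].prefixlen):
            if addr in net:
                return group
        return "unknown"

    def decide(self, src_ip, dst_ip):
        """Policy is resolved on groups; the IP addresses are only a lookup key."""
        return self.matrix.lookup(self.group_of(src_ip), self.group_of(dst_ip))


def demo():
    # Constructed matrix: R&D and marketing each reach their own data; everyone
    # authenticated reaches the Internet; nothing else is planned, so it is denied.
    matrix = PolicyMatrix({
        ("RD", "RD_Data"): PERMIT,
        ("MKT", "MKT_Data"): PERMIT,
        ("RD", "Internet"): PERMIT,
        ("MKT", "Internet"): PERMIT,
        ("Guest", "Internet"): PERMIT,
    })
    ctl = Controller(matrix, static={
        ip_network("10.10.0.0/24"): "RD_Data",
        ip_network("10.20.0.0/24"): "MKT_Data",
        ip_network("0.0.0.0/0"): "Internet",
    })
    out = {}
    ctl.authenticate("alice", "192.168.1.10", "RD")            # alice at HQ
    out["alice_hq_to_rd_data"] = ctl.decide("192.168.1.10", "10.10.0.5")
    out["alice_hq_to_mkt_data"] = ctl.decide("192.168.1.10", "10.20.0.5")
    ctl.authenticate("alice", "172.16.5.7", "RD")              # alice roams to a branch
    out["alice_branch_to_rd_data"] = ctl.decide("172.16.5.7", "10.10.0.5")
    out["stale_hq_ip_to_rd_data"] = ctl.decide("192.168.1.10", "10.10.0.5")
    ctl.authenticate("bob", "192.168.1.10", "Guest")           # a guest gets alice's old IP
    out["bob_to_rd_data"] = ctl.decide("192.168.1.10", "10.10.0.5")
    out["bob_to_internet"] = ctl.decide("192.168.1.10", "8.8.8.8")
    return out


if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case}: {action}")
```

The check worth noticing is the last two cases: the same address 192.168.1.10 was permitted to reach R&D data while alice held it and is denied once bob, a guest, authenticates on it. With ACLs keyed on IP that outcome would depend on someone rewriting the ACL when the address changed hands.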
Deployment Scenarios
The Free Mobility component has no special networking requirements, provided that there are reachable IP
routes between the Agile Controller server and associated network devices. Generally, the Agile Controller server
is connected to the agile core switch in bypass mode.
[Figure: Free Mobility deployment. Branches (L2 switches behind AR routers) connect over the WAN/Internet to the
campus egress (NGFW/SVN). The Agile Controller attaches in bypass mode to the agile core switch (LSW), which
connects the converged access layer (LSW and APs), the data center, and Internet access.]
Auxiliary Devices
Order Information
Item Remarks
Component Overview
Traditional security solutions on enterprise campus networks and data center networks define network borders.
Security devices such as firewalls, anti-DDoS devices, antivirus (AV) software, intrusion prevention systems (IPS),
and data loss prevention (DLP) devices are deployed on the borders between zones of different security levels. As
the network grows and users connect through more diverse access methods, this deployment model drives an
exponential increase in cost. In addition, many customers size the number of security devices they purchase at two
to five times the peak-hour rate, yet high-performance security devices such as firewalls, IPS, and anti-DDoS run
at low resource utilization, which wastes resources.
The Service Chain component of the Huawei Agile Controller virtualizes physical security devices, hiding device
models and locations. All security devices form a security resource center. The component directs service flows
to the security resource center based on service requirements, which improves the utilization of physical
resources and reduces costs.
Component Characteristics
• Defines service flows based on the source and destination user groups, source and destination port numbers,
and protocol.
Deployment Scenarios
Three parts are required to provide the Service Chain function:
• Agile Controller service server: functions as the Service Chain subsystem, where the service logic of the service
chains is configured.
• Orchestration device: must be a Huawei agile switch. The switch identifies service traffic and redirects it to the
service devices in the sequence specified by the service chain. There must be reachable IP routes between the
orchestration device and the service devices.
• Service device: processes the service flows redirected to it. Service and orchestration devices work at Layer 3
and are connected through GRE tunnels. Service devices can be connected to the core router or to the core or
aggregation switch, based on the following principles:
  - Core layer: define service flows based on IP information, which shortens the traffic transmission path.
  - Aggregation layer: define service flows based on user information, if the customer can accept a longer
    (circuitous) transmission path.
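The service flow definition under Component Characteristics (source and destination user groups, source and destination ports, protocol) and the orchestration just described (the switch redirecting matching traffic through service devices in the order the chain specifies, over GRE tunnels that must be reachable) can be modelled together. The Python below is an added example for this page, not Huawei code: the rule set, the group and device names, the tunnel addresses and the most-specific-rule-first ordering are assumptions made for illustration and are not the product's behaviour. It matches a flow against the definitions, returns the ordered device list, refuses a configuration that references a service device with no tunnel peer, and shows that a definition applies in one direction only.

```python
"""Service chain orchestration model. All rules, groups, devices and tunnel
addresses are constructed for this example."""
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = None  # wildcard for any field of a service flow definition


@dataclass(frozen=True)
class Flow:
    src_group: str
    dst_group: str
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class FlowRule:
    """A service flow definition: the five match fields named in the text plus the
    ordered service devices that matching traffic is steered through."""
    src_group: Optional[str] = ANY
    dst_group: Optional[str] = ANY
    proto: Optional[str] = ANY
    src_port: Optional[int] = ANY
    dst_port: Optional[int] = ANY
    chain: Tuple[str, ...] = ()  # empty chain: bypass the security resource center

    def fields(self):
        return (self.src_group, self.dst_group, self.proto, self.src_port, self.dst_port)

    def specificity(self):
        return sum(f is not ANY for f in self.fields())

    def matches(self, flow):
        actual = (flow.src_group, flow.dst_group, flow.proto, flow.src_port, flow.dst_port)
        return all(want is ANY or want == got for want, got in zip(self.fields(), actual))


class Orchestrator:
    """Models the agile switch's role: classify, then redirect hop by hop."""

    def __init__(self, rules, tunnels):
        # tunnels: service device name -> GRE tunnel peer reachable from the switch.
        # A chain naming a device with no tunnel cannot be executed, so reject it.
        self.tunnels = dict(tunnels)
        for r in rules:
            missing = [d for d in r.chain if d not in self.tunnels]
            if missing:
                raise ValueError(f"no GRE tunnel to service device(s) {missing}")
        # Most specific definition first (assumed ordering, so a narrow rule beats
        # a catch-all regardless of the order they were entered); sorted() is stable.
        self.rules = sorted(rules, key=FlowRule.specificity, reverse=True)

    def chain_for(self, flow):
        for r in self.rules:
            if r.matches(flow):
                return r.chain
        return ()  # no definition: forward normally, no redirection

    def redirect_plan(self, flow):
        hops = [f"gre->{self.tunnels[d]} ({d})" for d in self.chain_for(flow)]
        return hops + ["forward normally"]


def demo():
    rules = [
        FlowRule(chain=()),  # catch-all: traffic not defined below bypasses the center
        FlowRule(src_group="Guest", dst_group="Internet", proto="tcp", dst_port=80,
                 chain=("firewall", "online_behavior_mgmt")),
        FlowRule(src_group="Guest", dst_group="Internet", proto="tcp", dst_port=443,
                 chain=("firewall", "online_behavior_mgmt")),
        FlowRule(src_group="DeptA", dst_group="DataCenter", chain=("firewall", "antivirus")),
        FlowRule(src_group="DeptA", dst_group="DeptB", chain=("firewall",)),
    ]
    tunnels = {"firewall": "10.0.0.1", "online_behavior_mgmt": "10.0.0.2", "antivirus": "10.0.0.3"}
    orch = Orchestrator(rules, tunnels)
    return {
        "guest_web": orch.chain_for(Flow("Guest", "Internet", "tcp", 51000, 443)),
        "guest_dns": orch.chain_for(Flow("Guest", "Internet", "udp", 51001, 53)),
        "depta_smb_to_dc": orch.chain_for(Flow("DeptA", "DataCenter", "tcp", 51002, 445)),
        "depta_to_deptb": orch.chain_for(Flow("DeptA", "DeptB", "tcp", 51003, 22)),
        "deptb_to_depta": orch.chain_for(Flow("DeptB", "DeptA", "tcp", 51004, 22)),
        "plan": orch.redirect_plan(Flow("DeptA", "DataCenter", "tcp", 51002, 445)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")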
[Figure: Service Chain deployment. Two service chains steer traffic from the access layer (guest area, Dept A,
Dept B, internal public area) through the aggregation layer to the security devices at the campus egress (firewall,
online behavior management, antivirus). The Agile Controller sits in the NMS center; the data center and
application layer are behind the egress.]
Auxiliary Devices
Order Information
Item Remarks
Trademark Notice
HUAWEI and the Huawei logos are trademarks or registered trademarks of Huawei Technologies Co., Ltd.
Other trademarks, product, service and company names mentioned are the property of their respective owners.
The information in this document may contain predictive statements including, without limitation, statements
regarding the future financial and operating results, future product portfolio, new technology, etc. There are a
number of factors that could cause actual results and developments to differ materially from those expressed or
implied in the predictive statements. Therefore, such information is provided for reference purposes only and
constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
Huawei Industrial Base, Bantian Longgang, Shenzhen 518129, P.R. China
Tel: +86-755-28780808
Version No.: M3-032102-20160607-C-1.0
e.huawei.com