Home Search Center Encyclopedia

What Is iConnect?

iConnect is an ecosystem at the network layer in the Huawei CloudCampus Solution to implement plug-and-play and access security of Internet of Things (IoT) terminals.

Why Do We Need iConnect?

IoT networks, such as a Building Automation System (BAS), are usually constructed earlier than campus networks. Therefore, a campus network needs to support IoT network commissioning.

Some IoT devices, such as access control devices and connected thermostats, have no available GUI. Therefore, the requirements for IoT device installation and commissioning personnel are high. In addition, after IoT terminals access a campus network, they are faced with security risks, for example, spoofing attacks on access control systems, turnstiles, and cameras. Therefore, these terminals need to apply for digital certificates. However, operations for loading digital certificates are complex.

iConnect is introduced to resolve the preceding problems. When IoT terminals run the iConnect ecosystem, they are referred to as iConnect terminals. With the iConnect function, an iConnect SSID can be created on a WLAN. After an iConnect terminal connects to the WLAN, it automatically associates with this SSID and thereby implements plug-and-play. Furthermore, the iConnect terminal automatically applies for and loads a digital certificate, eliminating the need for manual import. This simplifies installation and configuration, and improves deployment efficiency.

What Are Application Scenarios of iConnect?

In Figure 1-2, STAs connect to the network through an AP. SwitchA is an access switch, and SwitchB supports the native AC function. iConnect terminals also need to connect to the network. The network plan needs to meet the following requirements:
  • IP addresses of STAs are dynamically assigned by a DHCP server.

  • iConnect terminals can go online without being authenticated, and Portal authentication is performed on STAs.

Networking diagram of authentication exemption for iConnect terminals
Networking diagram of authentication exemption for iConnect terminals

How Does iConnect Work?

iConnect Electronic Identity Information

An iConnect URL is an extension of a Manufacturer Usage Description (MUD) URL.

MUD is defined in RFC 8520 and provides a means for terminals to clarify their identities and network functionality they require to function properly. MUD was initially designed for network access control and is being gradually applied to other fields. RFC 8520 also defines an MUD URL, from which an MUD file is available. This file contains the terminal identity and required network functionality, based on which network access rights are granted to terminals.

Figure 1-3 shows the format of an iConnect URL derived from the MUD URL.

Format of an iConnect URL
Format of an iConnect URL

Figure 1-4 shows the format of electronic identity information.

Format of electronic identity information
Format of electronic identity information
Table 1-1 Description of fields in the electronic identity information

Field

Length

Description

IC

2 characters

The value is fixed at IC.

Version number

1 character

The value can contain only digits 1 to 9 and uppercase letters A to F.

Vendor name

4-8 characters

The value is case-sensitive and can contain only letters, for example, Huawei.

Product name

4-8 characters

The value is case-sensitive and can contain only digits and letters, for example, AR502H.

Terminal type

0-16 characters

The value is case-sensitive and can contain only digits and letters, for example, GW.

SN

0-32 characters

This field indicates the serial number of a terminal. The value is case-sensitive and can contain only digits and letters.

Local Authentication for iConnect Terminals

NAC is required for most terminals, but not iConnect terminals. Therefore, you can configure the function of allowing iConnect terminals to go online without authentication.

Figure 1-5 shows the local authentication process for an iConnect terminal.

Local authentication process for an iConnect terminal
Local authentication process for an iConnect terminal
  1. An iConnect terminal associates with an iConnect SSID to connect to the WLAN.
  2. The AP sends a CAPWAP packet carrying the terminal's identity information (iConnect URL) to the device.
  3. The device identifies the terminal as an iConnect terminal based on its identity information. If the device has been configured to allow iConnect terminals to go online without authentication, the device keeps the terminal online. If the received packet does not carry any iConnect URL or the device is not configured to allow iConnect terminals to go online without authentication, the terminal needs to complete the non-iConnect terminal authentication process.

RADIUS Authentication for iConnect Terminals

If the function of allowing iConnect terminals to go online without authentication is disabled on the device, RADIUS authentication can be performed on iConnect terminals.

The device sends a RADIUS packet carrying the electronic identity information of an iConnect terminal in Huawei proprietary RADIUS attribute 26-202 (HW-MUD-URL) to the RADIUS server.

The RADIUS server determines whether a terminal is an iConnect terminal based on the HW-MUD-URL attribute. If the terminal is an iConnect terminal, the RADIUS server searches for the corresponding authorization policy based on the user account and encapsulates an authentication response packet with this policy. For an iConnect terminal, you are advised to configure a redirection-related RADIUS attribute (such as HW-Redirect-ACL or HW-Portal-URL). In this way, the iConnect terminal will be redirected to a URL to download an EAP-TLS certificate after being authenticated successfully. After the certificate is downloaded, EAP-TLS authentication is triggered for the terminal.

Figure 1-6 shows the RADIUS authentication process for an iConnect terminal.
RADIUS authentication process for an iConnect terminal
RADIUS authentication process for an iConnect terminal
  1. An iConnect terminal associates with an iConnect SSID to connect to the WLAN.
  2. The AP sends a CAPWAP packet carrying the terminal's identity information (iConnect URL) to the device.
  3. The device sends a RADIUS authentication request packet carrying the iConnect terminal's identity information to the RADIUS server.
  4. When receiving the authentication request packet, the RADIUS server identifies the terminal as an iConnect terminal based on the terminal identity information carried in the HW-MUD-URL attribute. The device then searches for the authorization policy (for example, RADIUS attribute HW-Redirect-ACL) corresponding to the user account, encapsulates an authentication response packet with the policy, and sends the packet to the device.
  5. The device executes the authorization policy carried in the authentication response packet. In this example, the device delivers a redirection policy after the terminal is successfully authenticated.
  6. The terminal is redirected to the specified URL (typically the Portal page URL provided by the RADIUS server) to download the digital certificate. After the digital certificate is downloaded, EAP-TLS authentication is performed on the iConnect terminal.
About This Topic
  • Author: Zhu Yue
  • Updated on: 2022-01-20
  • Views: 916
  • Average rating: