In the Huawei free mobility solution based on iMaster NCE-Campus, IP-security groups are used to associate user identities with IP addresses so that consistent security policies can be enforced regardless of user location. A policy enforcement point (PEP) must obtain IP-security group entries to correctly match traffic against security policies.
When the policy enforcement point is not an authentication point, it cannot directly learn user identity information during access authentication. In this scenario, one supported method is to configure IP-security group entry subscription on iMaster NCE-Campus. After subscription is configured, iMaster NCE-Campus pushes the corresponding IP-security group entries to the policy enforcement point, which matches option A.
Another valid approach in this case is described in option B. If the authentication point and policy enforcement point are separate devices, the authentication point can push IP-security group entries to the policy enforcement point after successful user authentication. This ensures that enforcement devices receive real-time identity information.
If the policy enforcement point also functions as an authentication point, it can directly interact with iMaster NCE-Campus. In this scenario, iMaster NCE-Campus proactively pushes IP-security group entries to the device, as stated in option C.
Option D is incorrect because iMaster NCE-Campus does not push IP-security group entries indiscriminately in all scenarios. The distribution mechanism depends on the role of the device and whether subscription or authentication-based pushing is configured.
Therefore, the correct answers are A, B, and C.