Access Control Based On 802.1x (SRAN9.0 - 01)

SingleRAN
Access Control based on 802.1x

Feature Parameter Description
Issue 01
Date 2014-04-30
HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2016. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com
Issue 01 (2014-04-30) Huawei Proprietary and Confidential i

Copyright © Huawei Technologies Co., Ltd.
SingleRAN
Access Control based on 802.1x Feature Parameter
Description Contents
Contents
1 About This Document.................................................................................................................. 1

1.1 Scope.............................................................................................................................................................................. 1
1.2 Intended Audience.......................................................................................................................................................... 2
1.3 Change History............................................................................................................................................................... 2
1.4 Differences Between Base Station Types....................................................................................................................... 3
2 Overview......................................................................................................................................... 4
3 Technical Description...................................................................................................................5
3.1 Operating Principle.........................................................................................................................................................5
3.2 Protocol Stacks............................................................................................................................................................... 6
4 Application of Access Control based on 802.1x....................................................................... 8

4.1 Typical Network Topology............................................................................................................................................. 9
4.2 Auto-Discovery with Access Control based on 802.1x..................................................................................................9
4.2.1 Automatic Base Station Deployment by PnP.............................................................................................................. 9
4.2.2 Application on Existing Base Stations...................................................................................................................... 13
5 Related Features...........................................................................................................................14
5.1 Features Related to Access Control based on 802.1x on the GSM Side...................................................................... 15
5.2 Features Related to Access Control based on 802.1x on the UMTS Side....................................................................15
5.3 LOFD-003015 Access Control based on 802.1x..........................................................................................................16
5.4 TDLOFD-003015 Access Control based on 802.1x.................................................................................................... 16
6 Network Impact........................................................................................................................... 17
7 Engineering Guidelines............................................................................................................. 18
7.1 When to Use Access Control based on 802.1x.............................................................................................................19
7.2 Required Information................................................................................................................................................... 19
7.3 Deployment.................................................................................................................................................................. 19
7.3.1 Requirements............................................................................................................................................................. 19
7.3.2 Precautions.................................................................................................................................................................21
7.3.3 Data Preparation and Feature Activation...................................................................................................................21
7.3.4 Activation Observation..............................................................................................................................................24
7.3.5 Deactivation...............................................................................................................................................................25
7.4 Performance Monitoring...............................................................................................................................................25
7.5 Parameter Optimization................................................................................................................................................ 25
Issue 01 (2014-04-30) Huawei Proprietary and Confidential ii

SingleRAN
Description Contents
7.6 Troubleshooting............................................................................................................................................................ 25
8 Parameters..................................................................................................................................... 26
9 Counters........................................................................................................................................ 28
10 Glossary....................................................................................................................................... 29
11 Reference Documents............................................................................................................... 30
Issue 01 (2014-04-30) Huawei Proprietary and Confidential iii

SingleRAN
Description 1 About This Document
1 About This Document
1.1 Scope
This document describes Access Control based on 802.1x, including its technical principles,
related features, network impact, and engineering guidelines.
This document covers the following features:
l LOFD-003015 Access Control based on 802.1x
l TDLOFD-003015 Access Control based on 802.1x
Table 1-1 provides the definitions of base stations.
Table 1-1 Base station definitions

Base Station Definition
Name
GBTS A base station configured with a GTMU, GTMUb, or GTMUc and

maintained through a base station controller.
eGBTS A base station configured with a UMPT_G.
NodeB A base station configured with a WMPT or UMPT_U.
eNodeB A base station configured with an LMPT or UMPT_L.
Co-MPT A base station configured with a UMPT_GU, UMPT_GL, UMPT_UL,

multimode base UMPT_GT, UMPT_UT, UMPT_GUL, UMPT_GUT, or UMPT_GULT.
station A co-MPT multimode base station functionally corresponds to any
physical combination of eGBTS, NodeB, and eNodeB. For example, a
co-MPT multimode base station configured with a UMPT_GU
functionally corresponds to the physical combination of eGBTS and
NodeB.
Separate-MPT A base station on which each mode uses its separate main control board.
multimode base For example, a base station configured with a GTMU and WMPT is
station called a separate-MPT GSM/UMTS dual-mode base station.
Issue 01 (2014-04-30) Huawei Proprietary and Confidential 1

SingleRAN
1.2 Intended Audience

This document is intended for personnel who:
l Need to understand the features described herein.

l Work with Huawei products
1.3 Change History

This section provides information about the changes in different document versions. There are
two types of changes, which are defined as follows:
l Feature change
Changes in features of a specific product version
l Editorial change
Changes in wording or addition of information that was not described in the earlier
version
SRAN9.0 01 (2014-04-30)
This issue does not include any changes.
SRAN9.0 Draft B (2014-02-28)

This issue includes the following changes.
Change Change Description Parameter

Type Change
Feature None None

change
Editorial Added the descriptions about the feature and function None
change differences between different site types. For details,
see section 1.4 Differences Between Base Station
Types.
SRAN9.0 Draft A (2014-01-20)

Compared with 02 (2013-07-30) of SRAN8.0, Draft A (2014-01-20) of SRAN9.0 includes the
following changes.

Type Change
Feature Added the LTE TDD mode support the Access Control None
change based on 802.1x feature.

SingleRAN

Type Change
Huawei mobile network management system M2000 None

is renamed U2000.
Editorial None None

change
1.4 Differences Between Base Station Types

Definition
The macro base stations described in this document refer to 3900 series base stations. These
base stations work in GSM, UMTS, or LTE mode, as listed in the section Scope.
The LampSite base stations described in this document refer to distributed base stations that
provide indoor coverage. These base stations work in UMTS or LTE mode but not in GSM
mode.
The micro base stations described in this document refer to all integrated entities that work in
UMTS or LTE mode but not in GSM mode. Descriptions of boards, cabinets, subracks, slots,
and RRUs do not apply to micro base stations.
The following table defines the types of micro base stations.
Base Station Model RAT
BTS3803E UMTS
BTS3902E UMTS
BTS3202E LTE FDD
BTS3203E LTE FDD
BTS3205E LTE TDD
NOTE
The co-MPT and separate-MPT applications are irrelevant to single-mode micro base stations.
Feature Support by Macro, Micro, and LampSite Base Stations

None
Function Implementation in Macro, Micro, and LampSite Base Stations

None

SingleRAN
Description 2 Overview
2 Overview
IEEE 802.1x is an IEEE standard for port-based network access control. It is part of the IEEE
802 group of networking protocols. With port-based network access control, the
authentication access equipment in the local area network (LAN) performs identity
authentication and access control on users or devices connected to its ports. Only the users or
devices that can be authenticated are allowed to access the LAN through the ports. Access
Control based on 802.1x prevents unauthorized users or devices from accessing the network,
which ensures transport network security.
Huawei base stations support Access Control based on 802.1x. The authentication is
unidirectional and is based on Extensible Authentication Protocol-Transport Layer Security
(EAP-TLS). That is, the authentication server performs unidirectional authentication on the
digital certificates of base stations. Figure 2-1shows the network topology for Access Control
based on 802.1x.
Figure 2-1 Network topology for Access Control based on 802.1x

SingleRAN
Description 3 Technical Description
3 Technical Description
3.1 Operating Principle

Access Control based on 802.1x usually adopts the client/server architecture, as shown in
Figure 2-1. The authentication access equipment receives authentication packets from users
or devices and then forwards the packets to the authentication server. The authentication
server authenticates the identities of the users or devices. If the authentication succeeds, the
data flow of the users or devices can pass through the ports of the authentication access
equipment.
Access Control based on 802.1x involves the following components:
l Authentication client (a device to be authenticated, such as a base station): initiates an
802.1x-based access control procedure. An authentication client is also referred to as a
suppliant. To support port-based access control, the authentication client needs to support
the Extensible Authentication Protocol over LAN (EAPoL).
l Authentication access equipment (such as a LAN switch): receives and forwards EAP
authentication packets between the base station and authentication server at the Media
Access Control (MAC) layer. Authentication access equipment is also referred to as an
authenticator. The authentication access equipment also controls the status (authorized or
unauthorized) of controlled ports based on the authentication result at the authentication
server.
l Authentication server: performs authentication on clients. The servers commonly used
are Remote Authentication Dial In User Service (RADIUS) and Authentication,
Authorization and Accounting (AAA) servers.
NOTE
The functions of RADIUS and AAA servers are similar. This document uses the RADIUS server as an
example to describe Access Control based on 802.1x.
Figure 3-1 shows the operating principle of Access Control based on 802.1x.

SingleRAN
Figure 3-1 Operating principle of Access Control based on 802.1x
NOTE
Port access entity (PAE) is a port-related protocol entity that processes protocol packets during an
authentication procedure.
A physical Ethernet port of the authentication access equipment consists of two logical ports:
one controlled port and one uncontrolled port:
l Controlled port: A controlled port can be in the unauthorized or authorized state,

depending on the authentication result at the authentication server.
– A controlled port in the authorized state is in the bidirectional connectivity state and
data flow can pass through the port.
– A controlled port in the unauthorized state does not allow any data to pass through.
l Uncontrolled port: An uncontrolled port is always in the bidirectional connectivity state.
Only EAPoL packets can pass through an uncontrolled port. This ensures that the
authentication client can always transmit and receive authentication packets.
During initial access, the base station is not authenticated, and therefore the controlled port is
in the unauthorized state. At this point, only EAPoL packets can pass through the
uncontrolled port and be sent to the authentication server. After the authentication server
authenticates the base station and the authentication access equipment authorizes the
controlled port, the controlled port becomes authorized and data from the base station can
pass through the controlled port in the authorized state. This process ensures that only
authorized users and devices can access the network.
Port-based access control can be based on a physical port (such as the MAC address) or a
logical port (such as the VLAN). Huawei base stations support only port-based access control
based on the MAC address. That is, the authentication message sent by a base station contains
the MAC address of the Ethernet port that connects the base station to the transport network.
If authentication succeeds, the authentication access equipment performs access control on
data flow based on this MAC address.
For details about IEEE 802.1x-based access control, see IEEE 802[1].1x-2004.
3.2 Protocol Stacks

In IEEE 802.1x-based access control, the authentication client and the authentication server
exchange authentication messages using the EAP protocol. Between the authentication client

SingleRAN
and the authentication access equipment, EAP data is encapsulated in EAPoL frames so that
the data can be transmitted in the LAN. Between the authentication access equipment and the
authentication server, EAPoL frames are re-encapsulated in EAP over RADIUS (EAPoR)
frames so that the data can be transmitted using the RADIUS protocol.
Figure 3-2 shows the protocol stacks for Access Control based on 802.1x.
Figure 3-2 Protocol stacks for Access Control based on 802.1x
Access Control based on 802.1x uses the EAP protocol for authentication. The EAP protocol
supports multiple authentication methods. Huawei base stations adopt unidirectional EAP-
TLS authentication, that is, the authentication server authenticates base stations using digital
certificates. The AM parameter specifies the authentication method used by IEEE 802.1x-
based access control.
In an IEEE 802.1x-based access control procedure, the base station sends its digital certificate
to the RADIUS server in an EAPoL frame. The RADIUS server authenticates the base station
by using the Huawei root certificate or the operator's root certificate.
For details about the EAP protocol, see RFC 3748.
For details about the EAP-TLS protocol, see RFC 2716.

SingleRAN
Description 4 Application of Access Control based on 802.1x
4 Application of Access Control based on

802.1x
This chapter describes the application of IEEE 802.1x-based access control on a base station.

SingleRAN
4.1 Typical Network Topology

To implement IEEE 802.1x-based access control, an authentication server and authentication
access equipment (generally a LAN switch directly connected to the base station) supporting
IEEE 802.1x-based access control, need to be deployed in the network. Because Huawei base
station adopts unidirectional EAP-TLS authentication based on IEEE 802.1x and is
preconfigured with Huawei-issued device certificates and Huawei root certificates before
delivery, the authentication server needs to be preconfigured with the Huawei root certificate.
Figure 4-1 shows a typical network topology for IEEE 802.1x-based access control.
Figure 4-1 Typical network topology for IEEE 802.1x-based access control
IEEE 802.1x-based access control of Ethernet ports can be activated by using the ACT
DOT1X command and deactivated by using the DEA DOT1X command. By default, IEEE
802.1x-based access control is activated on Ethernet ports of base stations before delivery.
4.2 Auto-Discovery with Access Control based on 802.1x
4.2.1 Automatic Base Station Deployment by PnP

When Access Control based on 802.1x is activated in the network, a base station must pass
the IEEE 802.1x-based authentication before automatic deployment by plug and play (PnP).
To ensure the base station's adaptability to the network, after being powered on, Huawei base
stations perform as follows depending on network conditions:
l If the network supports IEEE 802.1x-based access control, and IEEE 802.1x-based
access control is activated on the Ethernet port that connects the base station to the
transport network:
The base station initiates an IEEE 802.1x-based access control procedure. After the IEEE
802.1x-based access control succeeds, the base station sends a Dynamic Host
Configuration Protocol (DHCP) Discover packet to the authentication access equipment
to start the DHCP procedure. After the DHCP procedure is complete, the automatic base
station deployment procedure starts.
l If the network supports IEEE 802.1x-based access control, but IEEE 802.1x-based
access control is deactivated on the Ethernet port that connects the base station to the
transport network:
The base station does not initiate an IEEE 802.1x-based access control procedure.
Instead, the base station first sends a DHCP Discover packet and the DHCP module

SingleRAN
queries whether IEEE 802.1x-based access control is activated on the Ethernet port that
connects the base station to the transport network. If IEEE 802.1x-based access control is
deactivated and authentication is not performed, the base station triggers an IEEE
802.1x-based access control procedure. Because the network uses IEEE 802.1x-based
access control, the DHCP Discover packet cannot pass through the authentication access
equipment, and therefore the DHCP procedure fails. The base station waits for the
authentication result. After the IEEE 802.1x-based access control succeeds, the base
station resends a DHCP Discover packet. After the DHCP procedure is complete, the
automatic base station deployment procedure starts.
For example, the main control board of the base station has an incorrect configuration
file, in which IEEE 802.1x-based access control is deactivated on the Ethernet port that
connects the base station to the transport network. In this case, the DHCP procedure
triggers the IEEE 802.1x-based access control procedure during automatic base station
deployment.
l If the network does not support IEEE 802.1x-based access control, and IEEE 802.1x-
based access control is activated on the Ethernet port that connects the base station to the
transport network:
The base station initiates the IEEE 802.1x-based access control procedure for three times
at an interval of 25 seconds. If the base station does not receive any response from the
network, the base station determines that the network does not support IEEE 802.1x-
based access control. The base station then sends a DHCP Discover packet. The DHCP
Discover packet can pass through the authentication access equipment. After the DHCP
procedure is complete, the automatic base station deployment procedure starts.
NOTE
During automatic base station deployment by PnP, the IEEE 802.1x-based access control procedure uses
the preconfigured Huawei-issued device certificate of the base station for authentication.
The rest of this section describes automatic base station deployment by PnP in the preceding
three scenarios.
Scenario 1
Figure 4-2 shows automatic base station deployment when the network supports IEEE
802.1x-based access control and IEEE 802.1x-based access control is activated on the
Ethernet port that connects the base station to the transport network.

SingleRAN
Figure 4-2 Automatic base station deployment (1)
The automatic base station deployment procedure in this scenario is as follows:

1. After the base station is powered on, it sends an EAPoL-Start packet to the
authentication access equipment, to initiate an IEEE 802.1x-based access control
procedure.
2. The base station, authentication access equipment, and authentication server perform the
IEEE 802.1x-based access control procedure. The base station can initiate the IEEE
802.1x-based access control procedure on the same Ethernet port a maximum of three
times at an interval of 25 seconds.
3. If the IEEE 802.1x-based access control procedure succeeds, the base station initiates a
DHCP procedure. After the DHCP procedure is complete, the automatic base station
deployment procedure starts.
4. If the IEEE 802.1x-based access control procedure fails, the base station initiates a
DHCP procedure. However, the base station does not receive any response to the DHCP
procedure, and therefore the DHCP procedure fails. The base station attempts to initiate
IEEE 802.1x-based access control and DHCP procedures on the next Ethernet port.
NOTE
In the IEEE 802.1x-based access control procedure, the EAPoL-Start packet is a multicast packet and its
destination MAC address is 01-80-C2-00-00-03; other packets are unicast packets.
Scenario 2
Figure 4-3 shows automatic base station deployment when the network supports IEEE
802.1x-based access control but IEEE 802.1x-based access control is deactivated on the

SingleRAN

1. After a base station is powered on, it sends a DHCP Discover packet to the
authentication access equipment because IEEE 802.1x-based access control is
deactivated on the Ethernet port that connects the base station to the transport network.
2. The DHCP module queries whether IEEE 802.1x-based access control is activated on the
Ethernet port that connects the base station to the transport network. If IEEE 802.1x-
based access control is deactivated and authentication is not performed, the base station
triggers an IEEE 802.1x-based access control procedure on this Ethernet port.
3. Because the controlled port of the authentication access equipment is in the unauthorized
state, the base station does not receive any DHCP response. The DHCP procedure fails.
The base station waits for the authentication result.
4. When the IEEE 802.1x-based access control procedure succeeds, the base station resends
a DHCP Discover packet through the Ethernet port. After the DHCP procedure is
complete, the automatic base station deployment procedure starts.
Scenario 3
Figure 4-4 shows automatic base station deployment when the network does not support
IEEE 802.1x-based access control and IEEE 802.1x-based access control is activated on the

SingleRAN
1. After the base station is powered on, it initiates an IEEE 802.1x-based access control
procedure. The base station resends the EAPoL-Start packet three times at an interval of
25 seconds but does not receive any response. Therefore, the base station determines that
the network does not support IEEE 802.1x-based access control.
2. The base station sends a DHCP Discover packet to the authentication access equipment.
3. After the DHCP procedure is complete, the automatic base station deployment procedure
starts.
4.2.2 Application on Existing Base Stations

After a base station obtains the configuration file, it restarts. If the state of its Ethernet port
changes from DOWN to UP and IEEE 802.1x-based access control is activated on this
Ethernet port, the base station initiates an IEEE 802.1x-based access control procedure. By
default, IEEE 802.1x-based access control and SSL authentication use the same certificate:
l If the certificate used for SSL authentication in the configuration file is set to the
operator-issued device certificate, the IEEE 802.1x-based access control procedure uses
the operator-issued device certificate to authenticate the base station.
l If the certificate used for SSL authentication in the configuration file is set to the
Huawei-issued device certificate, the IEEE 802.1x-based access control procedure uses
the Huawei-issued device certificate to authenticate the base station.
l If the SSL authentication method is cryptonym authentication, by default the IEEE
802.1x-based access control procedure uses the Huawei-issued device certificate to
authenticate the base station.
NOTE
During base station deployment using a USB flash drive, the certificate used in the IEEE 802.1x-based
access control procedure is specified in the configuration file. Because the base station is preconfigured
with the Huawei-issued device certificate, the certificate for SSL authentication can be set only to
Huawei-issued device certificate in the configuration file. If the certificate for SSL authentication is set
to the operator-issued device certificate, the IEEE 802.1x-based access control procedure fails.

SingleRAN
Description 5 Related Features
5 Related Features
Prerequisite Features
l GBFD-113526 BTS Supporting PKI
l WRFD-140210 NodeB PKI Support
l LOFD-003010 Public Key Infrastructure(PKI)
l TDLOFD-003010 Public Key Infrastructure(PKI)
l GBFD-118601 Abis over IP
l WRFD-050402 IP Transmission Introduction on Iub Interface
Mutually Exclusive Features

None
Impacted Features
None

SingleRAN
5.1 Features Related to Access Control based on 802.1x on

the GSM Side
Feature ID Feature Name Description
GBFD-113526 BTS Supporting PKI -
GBFD-118601 Abis over IP -

None
Impacted Features
None
5.2 Features Related to Access Control based on 802.1x on

the UMTS Side
WRFD-140210 NodeB PKI Support -
WRFD-050402 IP Transmission Introduction on Iub Interface -

None
Impacted Features
None

SingleRAN
5.3 LOFD-003015 Access Control based on 802.1x

LOFD-003010 Public Key Infrastructure(PKI) -

None
Impacted Features
None
5.4 TDLOFD-003015 Access Control based on 802.1x

TDLOFD-003010 Public Key Infrastructure(PKI) -

None
Impacted Features
None

SingleRAN
Description 6 Network Impact
6 Network Impact
System Capacity
No impact.
Network Performance
When the Access Control based on 802.1x feature is enabled, the time for base station
deployment by PnP is prolonged by about 75 seconds.

SingleRAN
Description 7 Engineering Guidelines
7 Engineering Guidelines
This chapter describes how to deploy the Access Control based on 802.1x feature in a newly
deployed network.

SingleRAN
7.1 When to Use Access Control based on 802.1x

If the operator's transport network is located in an open network, the devices in the transport
network are vulnerable to unauthorized access and malicious attacks. In this case, it is
recommended that the Access Control based on 802.1x feature be activated to authenticate the
users or devices that attempt to access the transport network. This feature prevents
unauthorized users and devices from accessing the network and ensures transport network
security.
The Access Control based on 802.1x feature uses the Huawei-issued device certificate to
authenticate the base station. Therefore, the PKI feature also needs to be activated.
7.2 Required Information

Huawei base stations support only unidirectional EAP-TLS authentication and port-based
access control based on the MAC address. Therefore, before you activate the Access Control
based on 802.1x feature, check whether the authentication server supports unidirectional
EAP-TLS authentication and whether the authentication access equipment supports port-
based access control based on the MAC address.
l If the customer requires that Access Control based on 802.1x use the Huawei-issued
device certificate to authenticate the base station, the PKI feature does not need to be
deployed in the network.
l If the customer requires that Access Control based on 802.1x use the operator-issued
device certificate to authenticate the base station, the PKI feature needs to be deployed in
the network. For details about how to deploy the PKI feature, see PKI Feature
Parameter Description.
7.3 Deployment
Before you activate the Access Control based on 802.1x feature, configure the PKI feature as
well as the related managed objects (MOs). For details about how to configure the PKI
feature, see the "Engineering Guidelines" section in PKI Feature Parameter Description.
7.3.1 Requirements
Other Features
For details, see 5 Related Features.
Hardware
NE Type Board Configuration Type of Port
Connecting to the
Transport Network
eGBTS The UMPT provides a transmission port. Ethernet port

SingleRAN
NE Type Board Configuration Type of Port

Connecting to the
Transport Network
UMPT+UTRPc, with the UTRPc providing a Ethernet port

transmission port
NodeB The UMPT provides a transmission port. Ethernet port
UMPT+UTRPc, with the UTRPc providing a Ethernet port

transmission port
eNodeB The LMPT provides a transmission port. Ethernet port
The UMPT provides a transmission port. Ethernet port
LMPT/UMPT+UTRPc, with the UTRPc Ethernet port

providing a co-transmission port
Multimod The UMPT provides a transmission port. Ethernet port

e base
station The LMPT provides a transmission port. Ethernet port
UMPT/LMPT+UTRPc, with the UTRPc Ethernet port

providing a transmission port
License
Feature ID Feature License License NE Sales
Name Control Control Item Unit
Item ID Name
LOFD-003015 Access LT1S000AC Access Control Macro per

Control based C00 based on eNodeB/ eNodeB
on 802.1x 802.1x (per LampSit
eNodeB) e
eNodeB/
BTS320
2E
TDLOFD-0030 Access LT1ST00A Access Control LTE per

15 Control based CC00 based on TDD eNodeB
on 802.1x 802.1x (per eNodeB
eNodeB)
Other Requirements
l An authentication server has been deployed in the network.
l The authentication server supports the EAP protocol defined in RFC 3748 and supports
EAP-TLS authentication.

SingleRAN
l The authentication server is preconfigured with the Huawei root certificate. If the
customer requires that the operator-issued device certificate be used for authentication,
the operator' root certificate must be preconfigured on the authentication server.
l The authentication access equipment supports IEEE 802.1x-based access control and
EAP packet processing.
l The authentication access equipment supports port-based access control based on the
MAC address.
7.3.2 Precautions
None
7.3.3 Data Preparation and Feature Activation
Data Preparation
Table 7-1 lists the data that needs to be prepared before you activate the Access Control based
on 802.1x feature.
NOTE
"-" in Table 7-1 indicates that there is no special requirement for setting the parameter. Set the parameter
based on site requirements.
Table 7-1 Data to be prepared before activating the Access Control based on 802.1x feature
MO Parameter Parameter ID Setting Notes Data

Name Sourc
e
DOT1X Cabinet No. CN - Netwo

rk
Subrack No. SRN - plan
Slot No. SN -
Subboard Type SBT -
Port No. PN -
Authentication AM This parameter

Method indicates the
authentication
method used by
the Access
Control based on
802.1x feature.
This feature
supports EAP-
TLS
authentication.

SingleRAN
NOTE
l When deploying this feature on a multimode base station, activate the feature only on the Ethernet
port that connects the base station to the transport network. The data preparation and initial
configuration of the multimode base station are the same as those of a single-mode base station.
l When a base station is working normally, the certificate used by IEEE 802.1x-based access control
is the same as that used by SSL authentication. For details about how to configure the certificate for
SSL authentication, see the "Engineering Guidelines" section in SSL Feature Parameter
Description. If no certificate is configured for SSL authentication, IEEE 802.1x-based access control
uses the Huawei-issued device certificate by default.
Using MML Commands

This section uses the eNodeB as an example to describe how to activate Access Control based
on 802.1x using MML commands.
Step 1 Run the MML command ACT DOT1X to activate Access Control based on 802.1x on the
----End
MML Command Examples

This section uses the eNodeB as an example to describe how to activate Access Control based
on 802.1x using MML commands.
//Activating Access Control based on 802.1x on the NodeB/eNodeB/eGBTS side
//Activating Access Control based on 802.1x on the Ethernet port that connects
the base station to the transport network
ACT DOT1X: CN=0, SRN=0, SN=7, SBT=BASE_BOARD, PN=0, AM=EAP-TLS;
Using the CME
Using the CME to Perform Single Configuration

Set parameters on the CME configuration interface according to the operation sequence
described in Table 7-1. For instructions on how to perform the CME single configuration, see
CME Single Configuration Operation Guide.
Using the CME to Perform Batch Configuration for Newly Deployed Base
Stations
Enter the values of the parameters listed in Table 7-2 into a summary data file, which also
contains other data for the new base stations to be deployed. Then, import the summary data
file into the CME for batch configuration.
The summary data file may be a scenario-specific file provided by the CME or a customized
file, depending on the following conditions:
l The MOs in Table 7-2 are contained in a scenario-specific summary data file. In this
situation, set the parameters in the MOs, and then verify and save the file.
l Some MOs in Table 7-2 are not contained in a scenario-specific summary data file. In
this situation, customize a summary data file to include the MOs before you can set the
parameters.

SingleRAN
Table 7-2 MOs related to Access Control based on 802.1x

MO Sheet in the Parameter Group Rema
Summary Data rks
File
DOT1 Common Data See Table 7-1. None

X
For instructions about performing batch configuration for each base station, see the following
sections in 3900 Series Base Station Initial Configuration Guide.
l For a NodeB: Creating NodeBs in Batches

l For an eNodeB: Creating eNodeBs in Batches
l For a separate-MPT multimode base station: Creating Separate-MPT Multimode Base
Stations in Batches
l For an eGBTS or a co-MPT multimode base station: Creating Co-MPT Base Stations in
Batches
Using the CME to Perform Batch Configuration for Existing Base Stations
Batch reconfiguration using the CME is the recommended method to activate a feature on
existing base stations. This method reconfigures all data, except neighbor relationships, for
multiple base stations in a single procedure.
Step 1 Choose CME > Advanced > Customize Summary Data File from the main menu of an
U2000 client, or choose Advanced > Customize Summary Data File from the main menu of
a CME client, to customize a summary data file for batch reconfiguration.
NOTE
For context-sensitive help on a current task in the client, press F1.
Step 2 Export the NE data stored on the CME into the customized summary data file.
l For co-MPT multimode base stations: Choose CME > SRAN Application > MBTS
Application > Export Data > Export Base Station Bulk Configuration Data from the
main menu of the U2000 client, or choose SRAN Application > MBTS Application >
Export Data > Export Base Station Bulk Configuration Data from the main menu of
the CME client.
l For separate-MPT GSM-involved multimode base stations or GO base stations: Choose
CME > GSM Application > Export Data > eGBTS Bulk Configuration Data from
the main menu of the U2000 client, or choose GSM Application > Export Data >
Export eGBTS Bulk Configuration Data from the main menu of the CME client.
l For separate-MPT UMTS-involved multimode base stations or UO base stations: Choose
CME > UMTS Application > Export Data > Export Base Station Bulk
Configuration Data from the main menu of the U2000 client, or choose UMTS
Application > Export Data > Export Base Station Bulk Configuration Data from the
main menu of the CME client.
l For separate-MPT LTE-involved multimode base stations or LO base stations: Choose
CME > LTE Application > Export Data > Export Base Station Bulk Configuration Data
from the main menu of the U2000 client, or choose LTE Application > Export Data >
Export Base Station Bulk Configuration Data from the main menu of the CME client.

SingleRAN
Step 3 In the summary data file, set the parameters in the MOs listed in Table 7-2 and close the file.
Step 4 Import the summary data file into the CME.

l For co-MPT multimode base stations: Choose CME > SRAN Application > MBTS
Application > Import Base Station Bulk Configuration Data from the main menu of
the U2000 client, or choose SRAN Application > MBTS Application > Import Data >
Import Base Station Bulk Configuration Data from the main menu of the CME client.
l For separate-MPT GSM-involved multimode base stations or GO base stations: Choose
CME > GSM Application > Import Data > Import eGBTS Bulk Configuration Data
from the main menu of the U2000 client, or choose GSM Application > Import Data >
Import eGBTS Bulk Configuration Data from the main menu of the CME client.
l For separate-MPT UMTS-involved multimode base stations or UO base stations: Choose
CME > UMTS Application > Import Data > Import Base Station Bulk
Configuration Data from the main menu of the U2000 client, or choose UMTS
Application > Import Data > Import Base Station Bulk Configuration Data from the
main menu of the CME client.
l For separate-MPT LTE-involved multimode base stations or LO base stations: Choose
CME > LTE Application > Import Data > Import Base Station Bulk Configuration
Data from the main menu of the U2000 client, or choose LTE Application > Import
Data > Import Base Station Bulk Configuration Data from the main menu of the
CME client.
----End
7.3.4 Activation Observation

Run the DSP DOT1X command to query whether Access Control based on 802.1x is
activated on the Ethernet port that connects the base station to the transport network.
Check the value of the Authentic State parameter in the command output. If the value of this
parameter is Authenticate Succeed, the port has passed IEEE 802.1x-based authentication.
The following is an example:
DSP DOT1X: CN=0, SRN=0, SN=7, SBT=BASE_BOARD, PN=0;%%
RETCODE = 0 Operation succeeded.
Display 802.1x
--------------
Cabinet No. = 0
Subrack No. = 0
Slot No. = 7
Subboard Type = Base Board
Port No. = 0
Authentic Method = EAP-TLS authentic method
Authentic State = Authenticate Succeed
Authentic Succeed Number = 1
Fail Number = 0
Fail Reason = 0
Send EAP Packet Number = 7
Receive EAP Packet Number = 7
Abnormal Packet Number = 0
(Number of results = 1)

SingleRAN
7.3.5 Deactivation
Using MML Commands
Run the MML command DEA DOT1X to deactivate Access Control based on 802.1x on the
MML Command Examples

//Deactivating Access Control based on 802.1x
DEA DOT1X: SN=7, SBT=BASE_BOARD, PN=0;
Using the CME to Perform Single Configuration

None
Using the CME to Perform Batch Configuration

For details, see Using the CME.
7.4 Performance Monitoring

None
7.5 Parameter Optimization

None
7.6 Troubleshooting
After Access Control based on 802.1x is activated, the base station may report the following
alarm to facilitate fault diagnosis:
l ALM-26831 802.1x Authentication Failure
After this alarm is reported, maintenance personnel need to find the cause and clear the
alarm according to the alarm information.
For details about how to clear this alarm for each type of base station, see the following
sections in 3900 Series Base Station Alarm Reference:
– "eGBTS Alarm Reference" for an eGBTS
– "NodeB Alarm Reference" for a NodeB
– "eNodeB Alarm Reference" for an eNodeB

SingleRAN
Description 8 Parameters
8 Parameters
Table 8-1 Parameters

Parame NE MML Feature Feature Description
ter ID Comma ID Name
nd
AM BTS390 ACT None None Meaning: Indicates the IEEE 802.1X authentication
0, DOT1X method. Currently, only Extensible Authentication
BTS390 DSP Protocol Transport Layer Security (EAP-TLS), a
0 DOT1X unidirectional authentication method, is supported.
WCDM GUI Value Range: EAP-TLS(EAP-TLS authentic
A, LST
DOT1X method)
BTS390
0 LTE Unit: None
Actual Value Range: EAP-TLS
Default Value: EAP-TLS(EAP-TLS authentic method)
CN BTS390 ACT None None Meaning: Indicates the number of the cabinet that
0, DOT1X provides the port on which IEEE 802.1X
BTS390 DEA authentication is configured.
0 DOT1X GUI Value Range: 0~7
WCDM
A, DSP Unit: None
BTS390 DOT1X Actual Value Range: 0~7
0 LTE LST Default Value: 0
DOT1X
SRN BTS390 ACT None None Meaning: Indicates the number of the subrack that
WCDM
A, DSP Unit: None
0 LTE LST Default Value: 0
DOT1X

SingleRAN
Description 8 Parameters
Parame NE MML Feature Feature Description

ter ID Comma ID Name
nd
SN BTS390 ACT None None Meaning: Indicates the number of the slot that
WCDM
A, DSP Unit: None
0 LTE LST Default Value: None
DOT1X
SBT BTS390 ACT None None Meaning: Indicates the type of sub-board that provides
0, DOT1X the port on which IEEE 802.1X authentication is
BTS390 DEA configured.
0 DOT1X GUI Value Range: BASE_BOARD(Base Board),
WCDM ETH_COVERBOARD(Ethernet Cover Board)
A, DSP
BTS390 DOT1X Unit: None
0 LTE LST Actual Value Range: BASE_BOARD,
DOT1X ETH_COVERBOARD
Default Value: None
PN BTS390 ACT None None Meaning: Indicates the number of the port on which
0, DOT1X IEEE 802.1X authentication is configured.
BTS390 DEA GUI Value Range: 0~5
0 DOT1X
WCDM Unit: None
A, DSP Actual Value Range: 0~5
BTS390 DOT1X
Default Value: None
0 LTE LST
DOT1X

SingleRAN
Description 9 Counters
9 Counters
There are no specific counters associated with this feature.

SingleRAN
Description 10 Glossary
10 Glossary
For the acronyms, abbreviations, terms, and definitions, see Glossary.

SingleRAN
Description 11 Reference Documents
11 Reference Documents
1. IETF RFC 3748, "Extensible Authentication Protocol (EAP)"

2. IEEE Std 802.1x-2004, "Port-Based Network Access Control"
3. IETF RFC 2716, "PPP EAP TLS Authentication Protocol"
4. PKI Feature Parameter Description for SingleRAN
5. SSL Feature Parameter Description for SingleRAN


Access Control Based On 802.1x (SRAN9.0 - 01)

Uploaded by

Copyright:

Available Formats

Access Control Based On 802.1x (SRAN9.0 - 01)

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Access Control Based On 802.1x (SRAN9.0 - 01)

Uploaded by

Copyright:

Available Formats

SingleRAN

Access Control based on 802.1x

HUAWEI TECHNOLOGIES CO., LTD.

Trademarks and Permissions

Huawei Technologies Co., Ltd.

Issue 01 (2014-04-30) Huawei Proprietary and Confidential i

1 About This Document.................................................................................................................. 1

4 Application of Access Control based on 802.1x....................................................................... 8

Issue 01 (2014-04-30) Huawei Proprietary and Confidential ii

Issue 01 (2014-04-30) Huawei Proprietary and Confidential iii

1 About This Document

Table 1-1 Base station definitions

GBTS A base station configured with a GTMU, GTMUb, or GTMUc and

eGBTS A base station configured with a UMPT_G.

NodeB A base station configured with a WMPT or UMPT_U.

eNodeB A base station configured with an LMPT or UMPT_L.

Co-MPT A base station configured with a UMPT_GU, UMPT_GL, UMPT_UL,

Issue 01 (2014-04-30) Huawei Proprietary and Confidential 1

1.2 Intended Audience

l Need to understand the features described herein.

1.3 Change History

SRAN9.0 Draft B (2014-02-28)

Change Change Description Parameter

Feature None None

SRAN9.0 Draft A (2014-01-20)

Change Change Description Parameter

Issue 01 (2014-04-30) Huawei Proprietary and Confidential 2

Change Change Description Parameter

Huawei mobile network management system M2000 None

Editorial None None

1.4 Differences Between Base Station Types

The following table defines the types of micro base stations.

Base Station Model RAT

BTS3202E LTE FDD

BTS3203E LTE FDD

BTS3205E LTE TDD

Feature Support by Macro, Micro, and LampSite Base Stations

Function Implementation in Macro, Micro, and LampSite Base Stations

Issue 01 (2014-04-30) Huawei Proprietary and Confidential 3

Figure 2-1 Network topology for Access Control based on 802.1x

Issue 01 (2014-04-30) Huawei Proprietary and Confidential 4

3.1 Operating Principle

Issue 01 (2014-04-30) Huawei Proprietary and Confidential 5

Figure 3-1 Operating principle of Access Control based on 802.1x

l Controlled port: A controlled port can be in the unauthorized or authorized state,

3.2 Protocol Stacks

Issue 01 (2014-04-30) Huawei Proprietary and Confidential 6

Figure 3-2 Protocol stacks for Access Control based on 802.1x

Issue 01 (2014-04-30) Huawei Proprietary and Confidential 7

4 Application of Access Control based on

Issue 01 (2014-04-30) Huawei Proprietary and Confidential 8

4.1 Typical Network Topology

4.2 Auto-Discovery with Access Control based on 802.1x

4.2.1 Automatic Base Station Deployment by PnP

Issue 01 (2014-04-30) Huawei Proprietary and Confidential 9

Issue 01 (2014-04-30) Huawei Proprietary and Confidential 10

Figure 4-2 Automatic base station deployment (1)

The automatic base station deployment procedure in this scenario is as follows:

Issue 01 (2014-04-30) Huawei Proprietary and Confidential 11