Access Control Based On 802.1x (SRAN18.1 - Draft A)


SingleRAN

Access Control based on 802.1x


Feature Parameter Description

Issue Draft A
Date 2021-12-30

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2022. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: https://www.huawei.com
Email: support@huawei.com

Issue Draft A Copyright © Huawei Technologies Co., Ltd. i


(2021-12-30)
SingleRAN
Access Control based on 802.1x Feature Parameter
Description Contents

Contents

1 Change History.........................................................................................................................1
1.1 SRAN18.1 Draft A (2021-12-30)........................................................................................................................................ 1

2 About This Document.............................................................................................................2


2.1 General Statements................................................................................................................................................................ 2
2.2 Applicable RAT......................................................................................................................................................................... 2
2.3 Features in This Document.................................................................................................................................................. 3

3 Overview....................................................................................................................................4
4 Access Control based on 802.1x........................................................................................... 5
4.1 Principles.................................................................................................................................................................................... 5
4.1.1 Working Principles............................................................................................................................................................... 5
4.1.2 Protocol Stacks......................................................................................................................................................................7
4.1.3 Application of Access Control Based on 802.1x........................................................................................................ 8
4.1.3.1 Typical Network Topology............................................................................................................................................. 8
4.1.3.2 Auto-Discovery with Access Control based on 802.1x......................................................................................... 8
4.1.3.2.1 Automatic Base Station Deployment by PnP...................................................................................................... 8
4.1.3.2.2 Application on Existing Base Stations................................................................................................................. 11
4.2 Network Analysis.................................................................................................................................................................. 12
4.2.1 Benefits................................................................................................................................................................................. 12
4.2.2 Impacts.................................................................................................................................................................................. 12
4.3 Requirements......................................................................................................................................................................... 12
4.3.1 Licenses................................................................................................................................................................................. 12
4.3.2 Software................................................................................................................................................................................13
4.3.2.1 LOFD-003015 Access Control based on 802.1x................................................................................................... 13
4.3.2.2 MLOFD-003015 Access Control based on 802.1x............................................................................................... 13
4.3.2.3 TDLOFD-003015 Access Control based on 802.1x..............................................................................................14
4.3.2.4 FBFD-010023 Security Mechanism (Access Control based on 802.1x)....................................................... 14
4.3.2.5 Access Control based on 802.1x on the GSM Side............................................................................................. 14
4.3.2.6 Access Control based on 802.1x on the UMTS Side...........................................................................................14
4.3.3 Hardware.............................................................................................................................................................................. 15
4.3.4 Networking.......................................................................................................................................................................... 16
4.3.5 Others.................................................................................................................................................................................... 16
4.4 Operation and Maintenance............................................................................................................................................. 16


4.4.1 When to Use....................................................................................................................................................................... 16


4.4.2 Data Configuration........................................................................................................................................................... 17
4.4.2.1 Data Preparation............................................................................................................................................................ 17
4.4.2.2 Using MML Commands............................................................................................................................................... 18
4.4.2.3 Using the MAE-Deployment...................................................................................................................................... 19
4.4.3 Activation Verification..................................................................................................................................................... 19
4.4.4 Network Monitoring......................................................................................................................................................... 19

5 Parameters.............................................................................................................................. 20
6 Counters.................................................................................................................................. 22
7 Glossary................................................................................................................................... 23
8 Reference Documents...........................................................................................................24


1 Change History

This chapter describes changes not included in the "Parameters", "Counters",
"Glossary", and "Reference Documents" chapters. These changes include:
● Technical changes
Changes in functions and their corresponding parameters
● Editorial changes
Improvements or revisions to the documentation

1.1 SRAN18.1 Draft A (2021-12-30)


This issue introduces the following changes to SRAN17.1 01 (2021-03-05).

Technical Changes
Change Description        Parameter Change
Deleted the LMPT board.   None

Editorial Changes
Revised descriptions in this document.


2 About This Document

2.1 General Statements


Purpose
Feature Parameter Description documents are intended to acquaint readers with:

● The technical principles of features and their related parameters
● The scenarios where these features are used, the benefits they provide, and
the impact they have on networks and functions
● Requirements of the operating environment that must be met before feature
activation
● Parameter configuration required for feature activation, verification of feature
activation, and monitoring of feature performance
NOTE

This document only provides guidance for feature activation. Feature deployment and
feature gains depend on the specifics of the network scenario where the feature is
deployed. To achieve optimal gains, contact Huawei professional service engineers.

Software Interfaces
Any parameters, alarms, counters, or managed objects (MOs) described in Feature
Parameter Description documents apply only to the corresponding software
release. For future software releases, refer to the corresponding updated product
documentation.

2.2 Applicable RAT


This document applies to GSM, UMTS, LTE FDD, LTE TDD, NB-IoT, and New Radio
(NR).

For definitions of base stations described in this document, see section "Base
Station Products" in SRAN Networking and Evolution Overview.


2.3 Features in This Document


This document describes the following features.

RAT       Feature ID      Feature Name                                          Chapter/Section
LTE FDD   LOFD-003015     Access Control based on 802.1x                        4 Access Control based on 802.1x
NB-IoT    MLOFD-003015    Access Control based on 802.1x                        4 Access Control based on 802.1x
LTE TDD   TDLOFD-003015   Access Control based on 802.1x                        4 Access Control based on 802.1x
NR        FBFD-010023     Security Mechanism (Access Control Based on 802.1x)   4 Access Control based on 802.1x


3 Overview

IEEE 802.1x, complying with IEEE 802 standards for local area network (LAN)
access control, is an IEEE standard for port-based network access control. Port-
based network access control requires that the authentication access equipment in
the LAN perform identity authentication and access control on users or devices
that visit its ports. Only authenticated users or devices are allowed to access the
LAN through corresponding ports. Access control based on 802.1x prevents
unauthenticated users or devices from accessing the network, which ensures
transport network security.
To support access control based on 802.1x, Huawei base stations adopt
unidirectional authentication based on Extensible Authentication Protocol-
Transport Layer Security (EAP-TLS). The authentication is unidirectional because
only the authentication server authenticates digital certificates of base stations.
Figure 3-1 shows the network topology for access control based on 802.1x.

Figure 3-1 Network topology for access control based on 802.1x


4 Access Control based on 802.1x

4.1 Principles

4.1.1 Working Principles


Access control based on 802.1x usually adopts the client-server architecture. The
authentication access equipment forwards authentication packets from users or
devices to the authentication server, and then the authentication server
authenticates the identities of the users or devices. After successful authentication,
the data flows of the users or devices can pass through the ports of the
authentication access equipment.
Access control based on 802.1x involves the following components:
● Authentication client (embedded with a supplicant system): is a device to be
authenticated, such as a base station, which initiates access control based on
802.1x. To support port-based access control, the authentication client needs
to support the Extensible Authentication Protocol over LAN (EAPoL).
● Authentication access equipment (embedded with an authenticator system):
is equipment (LAN switch, for example) that receives and forwards EAP
authentication packets between the base station and authentication server at
the Media Access Control (MAC) layer. The status of a controlled port
(authorized or unauthorized) is determined by the authentication result of the
authentication server.
● Authentication server (embedded with an authentication server system):
authenticates clients. Commonly used servers include Remote Authentication
Dial In User Service (RADIUS) servers and authentication, authorization and
accounting (AAA) servers. The RADIUS and AAA servers have the same
functions. This document uses the RADIUS server as an example.
Figure 4-1 shows the working principles of access control based on 802.1x.


Figure 4-1 Working principles of access control based on 802.1x

NOTE

Port access entity (PAE) is a port-related protocol entity that processes protocol packets
during an authentication procedure.

A physical Ethernet port of the authentication access equipment can be used as
both a controlled port and an uncontrolled port:

● Controlled port: A controlled port can be in the unauthorized or authorized
state, depending on the authentication result at the authentication server.
– A controlled port in the authorized state is bidirectionally connected and
normal data flows can pass through the port.
– A controlled port in the unauthorized state forbids any data to pass
through.
● Uncontrolled port: An uncontrolled port is always in the bidirectional
connectivity state, allowing only EAPoL packets to pass through. This ensures
that an authentication client can always transmit and receive authentication
packets.

When initially visiting the transport network, a base station is not authenticated.
The controlled port is in the unauthorized state, and only EAPoL packets can be
sent to the authentication server through the uncontrolled port of the
authentication access equipment. After the authentication server authenticates
the base station and the authentication access equipment authorizes the
controlled port, the controlled port changes into the authorized state and data
from the base station can pass through the controlled port. This process ensures
that only authenticated users and devices can visit the network.

Port-based access control can involve either a physical port (such as that identified
by its MAC address) or a logical port (such as that of a VLAN). Huawei base
stations support only port-based access control involving MAC addresses. In this
case, an authentication message sent by a base station contains the MAC address
of an Ethernet port that connects the base station to the transport network. After
successful authentication, the authentication access equipment performs access
control on data flows using this MAC address.

For details about access control based on 802.1x, see IEEE 802.1x-2004.
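The controlled/uncontrolled port pair and the MAC-based access control described above, as an added worked example (this is not Huawei's code and not part of the original document). The authenticator port, the frames and the server verdict are all constructed inline so the model runs offline; EtherType 0x888E is the standard EAPoL EtherType.

```python
"""Model of an 802.1x authenticator port (controlled + uncontrolled).

Added example, not Huawei's code. It mirrors 4.1.1: the uncontrolled port
always relays EAPoL frames, the controlled port passes data only once the
authentication server has accepted the supplicant, and then only for the
MAC address that authenticated. Frames and verdicts are constructed here.
"""
from dataclasses import dataclass, field
from typing import List, Optional

ETHERTYPE_EAPOL = 0x888E   # EAP over LAN (IEEE 802.1X)
ETHERTYPE_IPV4 = 0x0800    # ordinary data, e.g. the DHCP Discover sent after authentication


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    payload: bytes = b""


@dataclass
class AuthenticatorPort:
    """One physical Ethernet port of the authentication access equipment."""
    authorized: bool = False                 # controlled-port state
    authorized_mac: Optional[str] = None     # MAC the controlled port is open for
    relayed_to_server: List[Frame] = field(default_factory=list)

    def ingress(self, frame: Frame) -> str:
        """Classify a frame arriving from the supplicant side of the port.

        'relay-eap': uncontrolled port passed an EAPoL frame toward the server
        'forward'  : controlled port passed a data frame
        'drop'     : controlled port unauthorized, or MAC not the authenticated one
        """
        if frame.ethertype == ETHERTYPE_EAPOL:
            # The uncontrolled port is always open, but only for EAPoL
            self.relayed_to_server.append(frame)
            return "relay-eap"
        # MAC-based port control: data passes only in the authorized state and
        # only from the MAC address that was authenticated
        if self.authorized and frame.src_mac == self.authorized_mac:
            return "forward"
        return "drop"

    def apply_server_verdict(self, mac: str, accepted: bool) -> None:
        """Set the controlled-port state from the server's accept/reject for `mac`."""
        self.authorized = accepted
        self.authorized_mac = mac if accepted else None


def run_scenario() -> dict:
    """A base station attaching to a switch port; all addresses are constructed."""
    bs_mac = "00:11:22:33:44:55"      # the base station's transport-port MAC (constructed)
    other_mac = "66:77:88:99:aa:bb"   # a second device on the port that never authenticated
    port = AuthenticatorPort()
    r = {}
    r["dhcp_before_auth"] = port.ingress(Frame(bs_mac, ETHERTYPE_IPV4))
    r["eapol_start"] = port.ingress(Frame(bs_mac, ETHERTYPE_EAPOL, b"\x02\x01\x00\x00"))
    port.apply_server_verdict(bs_mac, accepted=True)          # RADIUS Access-Accept
    r["dhcp_after_auth"] = port.ingress(Frame(bs_mac, ETHERTYPE_IPV4))
    r["other_mac_after_auth"] = port.ingress(Frame(other_mac, ETHERTYPE_IPV4))
    port.apply_server_verdict(bs_mac, accepted=False)         # later reject, e.g. failed reauthentication
    r["dhcp_after_reject"] = port.ingress(Frame(bs_mac, ETHERTYPE_IPV4))
    return r
```

The point of the `other_mac` case is the last sentence of 4.1.1: authorization is bound to the MAC address carried in the authentication message, so a second device sharing the same physical port does not inherit the base station's authorization.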


4.1.2 Protocol Stacks


To implement access control based on 802.1x, the authentication client and server
exchange authentication messages using the EAP protocol. Between the
authentication client and authentication access equipment, EAP data is
encapsulated into EAPoL packets and then transmitted over the LAN. Between the
authentication access equipment and authentication server, EAP data is
encapsulated into EAP over RADIUS (EAPoR) packets and then transmitted using
the RADIUS protocol.

Figure 4-2 shows the protocol stacks for access control based on 802.1x.

Figure 4-2 Protocol stacks for access control based on 802.1x

Access control based on 802.1x uses the EAP protocol for identity authentication.
The EAP protocol supports multiple authentication methods. Huawei base stations
adopt unidirectional EAP-TLS authentication, indicating that only the
authentication server authenticates base stations using digital certificates.

During access control based on 802.1x, a base station sends an EAPoL packet
containing its digital certificate to the RADIUS server. The RADIUS server
authenticates the base station using the Huawei root certificate or the operator's
root certificate. In this procedure, EAP-TLS unidirectional authentication is used,
which is specified by DOT1X.AM (5G gNodeB, LTE eNodeB) (old model)/
DOT1XAUTH.AM (5G gNodeB, LTE eNodeB) (new model).

When the base station serves as the EAP-TLS client in access control based on
802.1x, it supports TLS1.2. Table 4-1 lists the cipher suites supported by the base
station in this scenario.

Table 4-1 Cipher suites supported by the base station when it functions as the
EAP-TLS client in access control based on 802.1x

SN   SSL Cipher Suite
1    ECDHE_ECDSA_AES_256_GCM_SHA384
2    ECDHE_RSA_AES_256_GCM_SHA384
3    DHE_RSA_AES_256_GCM_SHA384
4    ECDHE_ECDSA_AES_128_GCM_SHA256
5    ECDHE_RSA_AES_128_GCM_SHA256
6    DHE_RSA_AES_128_GCM_SHA256

For details about the EAP protocol, see RFC 3748.

For details about the EAP-TLS protocol, see RFC 2716.
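A practical check for the TLS 1.2 and cipher-suite requirements in 4.1.2, as an added example (not Huawei's code and not part of the original document): it maps the Table 4-1 names to their IANA code points and OpenSSL names, parses the cipher_suites field of a TLS ClientHello, and reports which offered suites the base station list covers. The ClientHello bytes are constructed here; in a real audit they would come from the TLS record carried inside the EAP-TLS packets captured on the authenticator's uplink or from the RADIUS server's debug output. The cipher string helper assumes an OpenSSL-based server (FreeRADIUS's EAP module, for example, takes an OpenSSL cipher list in its `cipher_list` setting).

```python
"""Audit an EAP-TLS ClientHello against the base station's cipher suites.

Added example, not Huawei's code. Names in BASE_STATION_SUITES are the
Table 4-1 entries; the code points and OpenSSL names are the standard
IANA / OpenSSL identifiers for those suites.
"""
import os
import struct

BASE_STATION_SUITES = {
    # Table 4-1 name                   (IANA code, IANA name, OpenSSL name)
    "ECDHE_ECDSA_AES_256_GCM_SHA384": (0xC02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384"),
    "ECDHE_RSA_AES_256_GCM_SHA384":   (0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",   "ECDHE-RSA-AES256-GCM-SHA384"),
    "DHE_RSA_AES_256_GCM_SHA384":     (0x009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",     "DHE-RSA-AES256-GCM-SHA384"),
    "ECDHE_ECDSA_AES_128_GCM_SHA256": (0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256"),
    "ECDHE_RSA_AES_128_GCM_SHA256":   (0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   "ECDHE-RSA-AES128-GCM-SHA256"),
    "DHE_RSA_AES_128_GCM_SHA256":     (0x009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",     "DHE-RSA-AES128-GCM-SHA256"),
}
CODE_TO_NAME = {code: name for name, (code, _, _) in BASE_STATION_SUITES.items()}
TLS12 = 0x0303


def build_client_hello(suites, version: int = TLS12) -> bytes:
    """Minimal TLS record carrying a ClientHello (constructed test input)."""
    body = struct.pack("!H", version) + os.urandom(32) + b"\x00"          # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00" + b"\x00\x00"                                     # null compression, no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def parse_client_hello(record: bytes):
    """Return (client_version, [cipher suite codes]) from a handshake record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                  # skip version and random
    pos += 1 + body[pos]                          # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    codes = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    return version, codes


def audit_client_hello(record: bytes) -> dict:
    """Flag a non-TLS1.2 hello and any suite outside Table 4-1."""
    version, codes = parse_client_hello(record)
    return {
        "tls12": version == TLS12,
        "supported": [CODE_TO_NAME[c] for c in codes if c in CODE_TO_NAME],
        "unexpected": [f"0x{c:04X}" for c in codes if c not in CODE_TO_NAME],
    }


def openssl_cipher_list() -> str:
    """OpenSSL cipher string restricting a server to exactly the Table 4-1 suites."""
    return ":".join(v[2] for v in BASE_STATION_SUITES.values())
```

Restricting the server to this list is the conservative configuration: anything outside Table 4-1 can never be negotiated with the base station anyway, and a leaner list makes a downgrade attempt visible as a handshake failure rather than a silent fallback.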

4.1.3 Application of Access Control Based on 802.1x

4.1.3.1 Typical Network Topology


To implement access control based on 802.1x on a network, an authentication
server and authentication access equipment (generally a LAN switch that is
directly connected to a base station) supporting access control based on 802.1x
are required. Because Huawei base stations adopt unidirectional EAP-TLS
authentication for access control based on 802.1x and have been preconfigured
with Huawei-issued device certificates and Huawei root certificate before delivery,
the authentication server needs to be preconfigured with Huawei root certificate.
Figure 4-3 shows a typical network topology for access control based on 802.1x.

Figure 4-3 Typical network topology for access control based on 802.1x

Access control based on 802.1x can be activated on Ethernet ports using the ACT
DOT1X (old model)/ACT DOT1XAUTH (new model) command and deactivated
using the DEA DOT1X (old model)/DEA DOT1XAUTH (new model) command.

4.1.3.2 Auto-Discovery with Access Control based on 802.1x

4.1.3.2.1 Automatic Base Station Deployment by PnP


When access control based on 802.1x is activated on the network, a base station
must be authenticated based on 802.1x before automatic deployment by plug and
play (PnP). To ensure that the base station adapts to the network, Huawei base
stations support deployment by PnP in the following scenarios:


NOTE

During automatic base station deployment by PnP, base stations are authenticated for
access control based on 802.1x using the preconfigured Huawei-issued device certificates.

Scenario 1
Figure 4-4 shows automatic base station deployment when the network supports
access control based on 802.1x and access control based on 802.1x is activated on
the Ethernet port that connects the base station to the transport network.

Figure 4-4 Automatic base station deployment (1)

The procedure is as follows:

1. After a base station is powered on, it sends an EAPoL-Start packet to the
authentication access equipment to initiate access control based on 802.1x.
2. The base station, authentication access equipment, and authentication server
perform access control based on 802.1x. The base station can initiate access
control based on 802.1x on the same Ethernet port a maximum of three
times, at an interval of 25 seconds.
3. If access control based on 802.1x is successful, the base station initiates a
DHCP procedure. After the DHCP procedure is complete, the automatic base
station deployment procedure starts.
4. If access control based on 802.1x fails, the base station initiates a DHCP
procedure but fails to receive any response, leading to a DHCP procedure
failure. The base station then attempts to initiate access control based on 802.1x
and a DHCP procedure on the next Ethernet port in round-robin mode.


NOTE

During access control based on 802.1x, the EAPoL-Start packet is a multicast packet and its
destination MAC address is 01-80-C2-00-00-03; other packets are unicast packets.
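The EAPoL encapsulation from 4.1.2 and the addressing rule in the NOTE above, as an added example (not Huawei's code and not part of the original document): it builds the Ethernet + EAPoL + EAP frames of the Scenario 1 exchange on the LAN leg and parses them back. Addresses and the identity string are constructed; the PAE group address 01-80-C2-00-00-03, EtherType 0x888E, the EAPoL packet types, the EAP codes and EAP type 13 (EAP-TLS) are the standard values from IEEE 802.1X and RFC 3748 / RFC 2716. The TLS handshake records that follow the EAP-TLS Start are not modelled.

```python
"""Build and parse EAPoL frames for the supplicant <-> authenticator leg.

Added example, not Huawei's code. Addresses and payloads are constructed.
"""
import struct
from typing import Optional

PAE_GROUP_MAC = bytes.fromhex("0180C2000003")   # 01-80-C2-00-00-03, EAPoL-Start destination
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 2                               # protocol version used by IEEE 802.1X-2004
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 13
EAP_TLS_FLAG_START = 0x20                       # S bit in the EAP-TLS flags octet


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", "").replace("-", ""))


def _fmt(b: bytes) -> str:
    return "-".join(f"{x:02X}" for x in b)


def eapol_frame(src: str, eapol_type: int, body: bytes = b"", dst: bytes = PAE_GROUP_MAC) -> bytes:
    """Ethernet II header + EAPoL header (version, type, body length) + body."""
    eth = dst + _mac(src) + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", EAPOL_VERSION, eapol_type, len(body)) + body


def eap_packet(code: int, identifier: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """EAP header (code, identifier, length) + optional type and method data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet, EAPoL and (for EAP-Packet) the EAP header."""
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPoL frame")
    version, etype, length = struct.unpack("!BBH", frame[14:18])
    out = {"dst": _fmt(dst), "src": _fmt(src), "multicast": dst == PAE_GROUP_MAC,
           "eapol_version": version, "eapol_type": etype}
    if etype == EAPOL_EAP_PACKET:
        body = frame[18:18 + length]
        code, ident, elen = struct.unpack("!BBH", body[:4])
        out["eap_code"], out["eap_id"] = code, ident
        if code in (EAP_REQUEST, EAP_RESPONSE):      # Success/Failure carry no type
            out["eap_type"] = body[4]
            out["eap_data"] = body[5:elen]
    return out


def exchange() -> list:
    """The Scenario 1 frames in order; only the first one is multicast."""
    bs, switch = "00:11:22:33:44:55", "AA:BB:CC:DD:EE:01"   # constructed addresses
    frames = [
        eapol_frame(bs, EAPOL_START),                                                  # 1. EAPoL-Start to PAE group
        eapol_frame(switch, EAPOL_EAP_PACKET,
                    eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY), dst=_mac(bs)),      # 2. Request/Identity
        eapol_frame(bs, EAPOL_EAP_PACKET,
                    eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"bs-id-example"),  # 3. Response/Identity
                    dst=_mac(switch)),
        eapol_frame(switch, EAPOL_EAP_PACKET,
                    eap_packet(EAP_REQUEST, 2, EAP_TYPE_TLS, bytes([EAP_TLS_FLAG_START])),
                    dst=_mac(bs)),                                                     # 4. EAP-TLS Start
        # ... TLS handshake carried in further EAP-TLS Request/Response pairs (not modelled)
        eapol_frame(switch, EAPOL_EAP_PACKET, eap_packet(EAP_SUCCESS, 2), dst=_mac(bs)),  # 5. EAP-Success
    ]
    return [parse_frame(f) for f in frames]
```

Between the authenticator and the RADIUS server the same EAP payloads travel inside RADIUS EAP-Message attributes (the EAPoR leg in Figure 4-2); only the outer EAPoL header shown here is replaced.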

Scenario 2

Figure 4-5 shows automatic base station deployment when the network supports
access control based on 802.1x but access control based on 802.1x is deactivated
on the Ethernet port that connects the base station to the transport network.

Figure 4-5 Automatic base station deployment (2)

The procedure is as follows:

1. After a base station is powered on, it sends DHCP Discover packets to the
authentication access equipment because access control based on 802.1x is
deactivated on the Ethernet port that connects the base station to the
transport network.
2. The base station queries whether access control based on 802.1x is activated
on the Ethernet port that connects the base station to the transport network.
If access control based on 802.1x is deactivated and authentication is not
performed, the base station triggers access control based on 802.1x on this
Ethernet port.
3. Because the controlled port of the authentication access equipment is in the
unauthorized state, the base station cannot receive any response to the DHCP
Discover packets, leading to a DHCP procedure failure. The base station waits
for the authentication result.


4. If access control based on 802.1x is successful, the base station retransmits
DHCP Discover packets through the Ethernet port. After the DHCP procedure
is complete, the automatic base station deployment procedure starts.

Scenario 3
Figure 4-6 shows automatic base station deployment when the network does not
support access control based on 802.1x and access control based on 802.1x is
activated on the Ethernet port that connects the base station to the transport
network.

Figure 4-6 Automatic base station deployment (3)

The procedure is as follows:

1. After a base station is powered on, it initiates access control based on 802.1x.
The base station sends an EAPoL-Start packet three consecutive times at an
interval of 25 seconds but does not receive any response. Therefore, the base
station determines that the network does not support access control based on
802.1x.
2. The base station sends DHCP Discover packets to the authentication access
equipment.
3. After the DHCP procedure is complete, the automatic base station
deployment procedure starts.
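The three PnP scenarios above, simulated as one port-selection state machine (added example, not Huawei's code and not part of the original document). The behaviour of the network behind each port is a constructed model; the retry limit (three EAPoL-Starts) and the 25 s interval are the document's values. It assumes that each unanswered EAPoL-Start waits one interval, which makes three unanswered attempts add up to 75 s, the figure given for the PnP delay in 4.2.2, and it assumes that when the network has no 802.1x at all and the port is deactivated, DHCP simply succeeds (a case the document does not describe).

```python
"""Simulated PnP bring-up: 802.1x then DHCP, round-robin over Ethernet ports.

Added example, not Huawei's code. The far side of each port is a constructed
model so the three scenarios of 4.1.3.2.1 can be exercised offline.
"""
from dataclasses import dataclass, field
from typing import List

MAX_EAPOL_START = 3      # attempts per Ethernet port (Scenario 1, step 2)
RETRY_INTERVAL_S = 25    # seconds between attempts


@dataclass
class PortNetwork:
    """What sits behind one base station Ethernet port (constructed)."""
    dot1x_active: bool            # 802.1x activated on this port of the base station
    network_supports_dot1x: bool  # the switch answers EAPoL at all
    server_accepts: bool = True   # authentication server verdict when 802.1x runs


@dataclass
class Outcome:
    port: int = 0
    deployed: bool = False
    elapsed_s: int = 0
    path: List[str] = field(default_factory=list)


def run_dot1x(net: PortNetwork, out: Outcome) -> str:
    """Up to three EAPoL-Starts at 25 s intervals: 'ok', 'fail' or 'unsupported'."""
    for attempt in range(1, MAX_EAPOL_START + 1):
        out.path.append(f"EAPoL-Start #{attempt}")
        if net.network_supports_dot1x:
            return "ok" if net.server_accepts else "fail"
        out.elapsed_s += RETRY_INTERVAL_S   # assumed: each unanswered start waits one interval
    out.path.append("no EAPoL response: network treated as not supporting 802.1x")
    return "unsupported"


def dhcp(net: PortNetwork, authorized: bool, out: Outcome) -> bool:
    """DHCP only gets an answer once the controlled port is authorized."""
    out.path.append("DHCP Discover")
    # With no 802.1x on the network there is no controlled port to block DHCP (assumption)
    ok = authorized or not net.network_supports_dot1x
    out.path.append("DHCP done" if ok else "DHCP no response")
    return ok


def bring_up(ports: List[PortNetwork], max_cycles: int = 2) -> Outcome:
    """Round-robin over the Ethernet ports until DHCP completes or cycles run out."""
    out = Outcome()
    for step in range(len(ports) * max_cycles):
        idx = step % len(ports)
        net = ports[idx]
        out.port = idx
        out.path.append(f"port {idx}")
        if net.dot1x_active:
            # Scenarios 1 and 3: authenticate first, then DHCP
            verdict = run_dot1x(net, out)
            if dhcp(net, authorized=(verdict == "ok"), out=out):
                out.deployed = True
                return out
        else:
            # Scenario 2: DHCP first; no answer means the controlled port is still
            # unauthorized, so trigger 802.1x on this port and retry DHCP
            if dhcp(net, authorized=False, out=out):
                out.deployed = True
                return out
            out.path.append("802.1x not activated on this port and not authenticated: triggering it")
            if run_dot1x(net, out) == "ok" and dhcp(net, authorized=True, out=out):
                out.deployed = True
                return out
        # DHCP failed on this port: continue with the next port (round-robin)
    return out
```

For troubleshooting, the `path` list is the useful output: a station that shows three EAPoL-Starts followed by a successful DHCP on a network that is supposed to enforce 802.1x means the authenticator never answered, which is a switch-side configuration gap rather than a certificate problem.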

4.1.3.2.2 Application on Existing Base Stations


After a base station obtains the configuration file, it restarts. If the state of its
Ethernet port changes from DOWN to UP and 802.1x-based access control is
activated on this Ethernet port, the base station initiates an 802.1x-based access
control procedure. By default, 802.1x-based access control and SSL authentication
use the same certificate:
● If the certificate used for SSL authentication in the configuration file is set to
the operator-issued device certificate, the 802.1x-based access control
procedure uses the operator-issued device certificate to authenticate the base
station.
● If the certificate used for SSL authentication in the configuration file is set to
the Huawei-issued device certificate, the 802.1x-based access control
procedure uses the Huawei-issued device certificate to authenticate the base
station.
● If the SSL authentication adopts the anonymous authentication mode, the
802.1x-based access control procedure uses the Huawei-issued device
certificate by default to authenticate the base station.
NOTE

Access control based on 802.1x does not support ED25519 certificates. If a base station
is configured with an ED25519 certificate, identity authentication based on 802.1x will
fail.

4.2 Network Analysis

4.2.1 Benefits
Access control based on 802.1x prevents unauthenticated users or devices from
accessing the network, which ensures transport network security.

4.2.2 Impacts

Network Impacts
When access control based on 802.1x is enabled, the time for base station
deployment by PnP is extended by about 75 s.

Function Impacts
None

4.3 Requirements

4.3.1 Licenses
The license controlling access control based on 802.1x needs to be activated only
for FDD, TDD, and NB-IoT eNodeBs. This function is not under license control on
the GBTS, eGBTS, NodeB, and gNodeB.

RAT        Feature ID      Feature Name                     Model          License Control Item Name                 NE       Sales Unit
LTE FDD    LOFD-003015     Access Control based on 802.1x   LT1S000ACC00   Access Control based on 802.1x (FDD)      eNodeB   per eNodeB
LTE CIoT   MLOFD-003015    Access Control based on 802.1x   ML1S000ACC00   Access Control based on 802.1x (NB-IoT)   eNodeB   per eNodeB
LTE TDD    TDLOFD-003015   Access Control based on 802.1x   LT1ST00ACC00   Access Control based on 802.1x (TDD)      eNodeB   per eNodeB

4.3.2 Software
Before activating this function, ensure that its prerequisite functions have been
activated and mutually exclusive functions have been deactivated. For detailed
operations, see the relevant feature documents.

4.3.2.1 LOFD-003015 Access Control based on 802.1x

Prerequisite Functions
RAT       Function Name                     Function Switch   Reference
LTE FDD   Public Key Infrastructure (PKI)   None              PKI

Mutually Exclusive Functions
None

4.3.2.2 MLOFD-003015 Access Control based on 802.1x

Prerequisite Functions
RAT      Function Name                     Function Switch   Reference
NB-IoT   Public Key Infrastructure (PKI)   None              PKI

Mutually Exclusive Functions
None


4.3.2.3 TDLOFD-003015 Access Control based on 802.1x

Prerequisite Functions
RAT       Function Name                     Function Switch   Reference
LTE TDD   Public Key Infrastructure (PKI)   None              PKI

Mutually Exclusive Functions
None

4.3.2.4 FBFD-010023 Security Mechanism (Access Control based on 802.1x)

Prerequisite Functions
None

Mutually Exclusive Functions
None

4.3.2.5 Access Control based on 802.1x on the GSM Side

Prerequisite Functions
RAT   Function Name        Function Switch   Reference
GSM   BTS Supporting PKI   None              PKI
GSM   Abis over IP         None              IPv4 Transmission

Mutually Exclusive Functions
None

4.3.2.6 Access Control based on 802.1x on the UMTS Side

Prerequisite Functions
RAT    Function Name                                   Function Switch   Reference
UMTS   NodeB PKI Support                               None              PKI
UMTS   IP Transmission Introduction on Iub Interface   None              IPv4 Transmission

Mutually Exclusive Functions
None

4.3.3 Hardware
Base Station Models
RAT    Base Station Model
GSM    3900 and 5900 series base stations
UMTS   ● 3900 and 5900 series base stations
       ● DBS3900 LampSite and DBS5900 LampSite
LTE    ● 3900 and 5900 series base stations
       ● DBS3900 LampSite and DBS5900 LampSite
NR     ● 3900 and 5900 series base stations. 3900 series base stations must be
         configured with the BBU3910.
       ● DBS3900 LampSite and DBS5900 LampSite. DBS3900 LampSite must be
         configured with the BBU3910. Only NR TDD is supported.

Boards
NE Type                  Board Configuration                                         Type of Port Connecting to the Transport Network
eGBTS                    The UMPT/UMDU provides a transmission port.                 Ethernet port
eGBTS                    UMPT+UTRPc, with the UTRPc providing a transmission port    Ethernet port
NodeB                    The UMPT/UMDU/MDUC provides a transmission port.            Ethernet port
NodeB                    UMPT+UTRPc, with the UTRPc providing a transmission port    Ethernet port
eNodeB                   The UMPT/UMDU provides a transmission port.                 Ethernet port
gNodeB                   The UMPT provides a transmission port.                      Ethernet port
Multimode base station   The UMPT/UMDU/MDUC provides a transmission port.            Ethernet port
                         NOTE: The MDUC supports only GSM and UMTS dual-mode.
Multimode base station   UMPT+UTRPc, with the UTRPc providing a transmission port    Ethernet port

RF Modules
This function does not depend on RF modules.

4.3.4 Networking
● An authentication server has been deployed in the network.
● The authentication server supports the EAP protocol defined in RFC 3748 and supports EAP-TLS authentication.
● The authentication server is preconfigured with the Huawei root certificate. If the customer requires that the operator-issued device certificate be used for authentication, the operator's root certificate must be preconfigured on the authentication server.
● The authentication access equipment (the 802.1x authenticator to which the base station's transmission port connects) supports access control based on 802.1x and EAP packet processing.
● The authentication access equipment supports port-based access control based on the MAC address.
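The prerequisites above name two protocol layers the server and access equipment must handle: EAP framing per RFC 3748 and the EAP-TLS method per RFC 2716 (now RFC 5216), both carried in EAPOL frames on the base station's Ethernet port. A decoder for those layers is what a practitioner reaches for when an 802.1x port stays unauthenticated and a capture has to be read. The following Python is an added example written for this page; it is not part of the Huawei document or software. The frames in SAMPLE_EXCHANGE are constructed inline (the identity string "gnodeb-example", the EAP identifiers and the 1024-byte TLS length are made up) and stand in for a capture between the authenticator and the base station port.

```python
"""Decode IEEE 802.1X EAPOL frames carrying EAP (RFC 3748) and EAP-TLS
(RFC 2716 / RFC 5216) packets. Added example, not Huawei code; the sample
frames are constructed, not captured from a base station."""
import struct

EAPOL_ETHERTYPE = 0x888E   # Ethertype of EAPOL frames on the wire
EAPOL_VERSION = 2          # protocol version used by IEEE 802.1X-2004
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TLS = 13
# EAP-TLS flags: L = TLS message length present, M = more fragments, S = start
TLS_FLAG_L, TLS_FLAG_M, TLS_FLAG_S = 0x80, 0x40, 0x20


def parse_eapol(frame: bytes) -> dict:
    """Parse an EAPOL PDU (the bytes that follow the Ethernet header)."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL packet type {ptype}")
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL body shorter than declared length")
    result = {"version": version, "type": EAPOL_TYPES[ptype]}
    if ptype == 0:
        result["eap"] = parse_eap(body)
    return result


def parse_eap(pkt: bytes) -> dict:
    """Parse an EAP packet: Code | Identifier | Length | [Type | Type-Data]."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    out = {"code": EAP_CODES[code], "id": ident}
    if code in (1, 2):  # only Request/Response carry a Type byte
        if len(pkt) < 5:
            raise ValueError("EAP Request/Response without Type byte")
        eap_type, data = pkt[4], pkt[5:]
        out["eap_type"] = eap_type
        if eap_type == EAP_TYPE_IDENTITY:
            out["identity"] = data.decode("utf-8", errors="replace")
        elif eap_type == EAP_TYPE_TLS:
            out.update(parse_eap_tls(data))
    return out


def parse_eap_tls(data: bytes) -> dict:
    """Parse the EAP-TLS flags byte and the optional 4-byte TLS Message Length."""
    if not data:
        raise ValueError("EAP-TLS data missing flags byte")
    flags = data[0]
    out = {"length_included": bool(flags & TLS_FLAG_L),
           "more_fragments": bool(flags & TLS_FLAG_M),
           "start": bool(flags & TLS_FLAG_S)}
    pos = 1
    if flags & TLS_FLAG_L:
        if len(data) < 5:
            raise ValueError("EAP-TLS L flag set but TLS Message Length missing")
        out["tls_message_length"] = struct.unpack("!I", data[1:5])[0]
        pos = 5
    out["tls_data"] = data[pos:]
    return out


def is_malformed(frame: bytes) -> bool:
    """True when the decoder rejects the frame (truncated or inconsistent lengths)."""
    try:
        parse_eapol(frame)
        return False
    except ValueError:
        return True


def build_eapol_eap(code: int, ident: int, eap_type=None, type_data: bytes = b"") -> bytes:
    """Build an EAPOL frame carrying one EAP packet; used to construct the samples."""
    body = bytes([eap_type]) + type_data if eap_type is not None else b""
    eap = struct.pack("!BBH", code, ident, 4 + len(body)) + body
    return struct.pack("!BBH", EAPOL_VERSION, 0, len(eap)) + eap


# Constructed exchange (assumed values): authenticator Request/Identity,
# supplicant Response/Identity, authenticator EAP-TLS Start, supplicant first
# EAP-TLS fragment (L+M set, declared TLS length 1024, only the TLS record
# header bytes included), authenticator EAP-Success which authorizes the port.
SAMPLE_EXCHANGE = [
    build_eapol_eap(1, 1, EAP_TYPE_IDENTITY),
    build_eapol_eap(2, 1, EAP_TYPE_IDENTITY, b"gnodeb-example"),
    build_eapol_eap(1, 2, EAP_TYPE_TLS, bytes([TLS_FLAG_S])),
    build_eapol_eap(2, 2, EAP_TYPE_TLS,
                    bytes([TLS_FLAG_L | TLS_FLAG_M]) + struct.pack("!I", 1024) + b"\x16\x03\x03"),
    build_eapol_eap(3, 2),
]
```

Run `parse_eapol` over each frame of a capture (for example the payload of every Ethertype 0x888E frame) and the decoded dictionaries show where the exchange stops: a Start from the authenticator with no EAP-TLS Response from the base station points at the supplicant or port configuration, while a Response followed by EAP-Failure points at certificate validation on the authentication server.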

4.3.5 Others
None

4.4 Operation and Maintenance

4.4.1 When to Use

If the operator's transport network is an open network, the devices in the transport network are exposed to unauthorized access and malicious attacks. In this case, it is recommended that access control based on 802.1x be activated to authenticate the users or devices that attempt to access the transport network. This prevents unauthenticated users and devices from accessing the network and helps secure the transport network.

Access control based on 802.1x uses a device certificate to authenticate base stations: the Huawei-issued device certificate by default, or an operator-issued device certificate if the customer requires it. If the operator-issued device certificate is to be used, PKI also needs to be activated.


4.4.2 Data Configuration

Huawei base stations support only unidirectional EAP-TLS authentication and port-based access control based on the MAC address. Therefore, before you activate access control based on 802.1x, check whether the authentication server supports unidirectional EAP-TLS authentication and whether the authentication access equipment supports port-based access control based on the MAC address.
● If the customer requires that access control based on 802.1x use the Huawei-issued device certificate to authenticate base stations, PKI does not need to be deployed in the network.
● If the customer requires that access control based on 802.1x use the operator-issued device certificate to authenticate base stations, PKI needs to be deployed in the network. For details about how to deploy PKI, see PKI.

4.4.2.1 Data Preparation

NOTE
"-" in this section indicates that there is no special requirement for setting the parameters. Set the parameters according to network plans.

Table 4-2 lists the data to be prepared in the DOT1X MO before you activate access control based on 802.1x when the GTRANSPARA.TRANSCFGMODE (5G gNodeB, LTE eNodeB) parameter is set to OLD.

Table 4-2 Data to be prepared for activating access control based on 802.1x (old model)

Parameter Name     Parameter ID                        Setting Notes
Cabinet No.        DOT1X.CN (5G gNodeB, LTE eNodeB)    -
Subrack No.        DOT1X.SRN (5G gNodeB, LTE eNodeB)   -
Slot No.           DOT1X.SN (5G gNodeB, LTE eNodeB)    -
Subboard Type      DOT1X.SBT (5G gNodeB, LTE eNodeB)   -
Port No.           DOT1X.PN (5G gNodeB, LTE eNodeB)    -
Authentic Method   DOT1X.AM (5G gNodeB, LTE eNodeB)    This parameter indicates the authentication method used in access control based on 802.1x. It is set to EAP-TLS, the authentication method the base station supports.

Table 4-3 lists the data to be prepared in the DOT1XAUTH MO before you activate access control based on 802.1x when the GTRANSPARA.TRANSCFGMODE (5G gNodeB, LTE eNodeB) parameter is set to NEW.

Table 4-3 Data to be prepared for activating access control based on 802.1x (new model)

Parameter Name            Parameter ID                                   Setting Notes
802.1x Authentication ID  DOT1XAUTH.DOT1XAUTHID (5G gNodeB, LTE eNodeB)  -
Port Type                 DOT1XAUTH.PT (5G gNodeB, LTE eNodeB)           -
Port ID                   DOT1XAUTH.PORTID (5G gNodeB, LTE eNodeB)       -
Authentic Method          DOT1XAUTH.AM (5G gNodeB, LTE eNodeB)           This parameter indicates the authentication method used in access control based on 802.1x. It is set to EAP-TLS, the authentication method the base station supports.

NOTE

● When deploying this feature on a multimode base station, activate the feature only on
the Ethernet port that connects the base station to the transport network. The data
preparation and initial configuration of the multimode base station for feature
deployment are the same as those of a single-mode base station.
● When a base station is working normally, the certificate used in access control based on
802.1x is the same as that used by SSL authentication. For details about how to
configure the certificate for SSL authentication, see the "Data Configuration" section in
SSL. If no certificate is configured for SSL authentication, access control based on 802.1x
uses Huawei-issued certificates by default.

4.4.2.2 Using MML Commands

Activation Command Examples

Run the ACT DOT1X (old model)/ACT DOT1XAUTH (new model) command to activate access control based on 802.1x on the Ethernet port that connects the base station to the transport network.

The following is an MML command example when the GTRANSPARA.TRANSCFGMODE parameter is set to OLD:
//Activating access control based on 802.1x on the Ethernet port that connects the NodeB/eNodeB/gNodeB/eGBTS to the transport network
ACT DOT1X: CN=0, SRN=0, SN=7, SBT=BASE_BOARD, PN=0, AM=EAP-TLS;

The following is an MML command example when the GTRANSPARA.TRANSCFGMODE parameter is set to NEW:

//Activating access control based on 802.1x on the Ethernet port that connects the NodeB/eNodeB/gNodeB/eGBTS to the transport network
ACT DOT1XAUTH: DOT1XAUTHID=0, PT=ETH, PORTID=0, AM=EAP-TLS;

Deactivation Command Examples

Run the DEA DOT1X (old model)/DEA DOT1XAUTH (new model) command to deactivate access control based on 802.1x on the Ethernet port that connects the base station to the transport network.

The following is an MML command example when the GTRANSPARA.TRANSCFGMODE parameter is set to OLD:
//Deactivating access control based on 802.1x
DEA DOT1X: CN=0, SRN=0, SN=7, SBT=BASE_BOARD, PN=0;

The following is an MML command example when the GTRANSPARA.TRANSCFGMODE parameter is set to NEW:
//Deactivating access control based on 802.1x
DEA DOT1XAUTH: DOT1XAUTHID=0;

4.4.2.3 Using the MAE-Deployment

For detailed operations, see Feature Configuration Using the MAE-Deployment.

4.4.3 Activation Verification

Run the DSP DOT1X (old model)/DSP DOT1XAUTH (new model) command to query whether access control based on 802.1x is activated on the Ethernet port that connects the base station to the transport network. Check the value of the Authentic State parameter in the command output. If the value is Authenticate Succeed, access control based on 802.1x has been activated on the port and the port has passed EAP-TLS authentication. Any other value means the port has not completed authentication and the authentication server, the access equipment and the certificate configuration should be checked.

The following figure shows an example of the command output:

Figure 4-7 DSP DOT1X command output (figure not reproduced in this extract)
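Across many sites this check is scripted rather than read by eye from the figure, and a script should fail closed when the command itself fails rather than report "no unauthenticated ports". The following Python is an added example for this page, not part of the Huawei document or software. SAMPLE_OUTPUT is a constructed imitation of a key = value MML result block: the field names follow the parameter names in Table 4-2 and Table 4-3 and the expected value Authenticate Succeed comes from the text above, while the overall layout and the in-progress state string "Authenticating" are assumptions to be adjusted against live output before the script is trusted.

```python
"""Check DSP DOT1X / DSP DOT1XAUTH output for ports whose Authentic State is
not "Authenticate Succeed". Added example, not Huawei code; SAMPLE_OUTPUT is
constructed and the state string "Authenticating" is assumed."""
import re
from typing import Dict, List

EXPECTED_STATE = "Authenticate Succeed"
RETCODE_RE = re.compile(r"^RETCODE = (\d+)", re.MULTILINE)
FIELD_RE = re.compile(r"^(.+?)\s*=\s*(.+?)$")
# Lines that delimit or decorate records instead of carrying a field
NON_FIELD_PREFIXES = ("+++", "%%", "---", "(Number", "RETCODE")

# Constructed sample: two records, one authenticated and one still in progress.
SAMPLE_OUTPUT = """\
+++    HUAWEI        2021-12-30 10:00:00
%%DSP DOT1X:;%%
RETCODE = 0  Operation succeeded.

Display 802.1x authentication information
-----------------------------------------
Cabinet No.  =  0
Subrack No.  =  0
Slot No.  =  7
Subboard Type  =  BASE_BOARD
Port No.  =  0
Authentic Method  =  EAP-TLS
Authentic State  =  Authenticate Succeed

Cabinet No.  =  0
Subrack No.  =  0
Slot No.  =  7
Subboard Type  =  BASE_BOARD
Port No.  =  1
Authentic Method  =  EAP-TLS
Authentic State  =  Authenticating
(Number of results = 2)

---    END
"""
# The same output with every port authenticated, for comparison.
SAMPLE_OUTPUT_OK = SAMPLE_OUTPUT.replace("Authenticating", EXPECTED_STATE)


def parse_records(output: str) -> List[Dict[str, str]]:
    """Split MML output into blank-line separated key = value records.
    Raises RuntimeError when RETCODE is missing or non-zero so a failed
    command is never mistaken for an empty, healthy result."""
    m = RETCODE_RE.search(output)
    if m is None or int(m.group(1)) != 0:
        raise RuntimeError("MML command failed or RETCODE not found")
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        separator = (not line or line.startswith(NON_FIELD_PREFIXES)
                     or set(line) == {"-"})
        if separator:
            if current:
                records.append(current)
                current = {}
            continue
        f = FIELD_RE.match(line)
        if f:
            current[f.group(1).strip()] = f.group(2).strip()
    if current:
        records.append(current)
    return records


def port_label(rec: Dict[str, str]) -> str:
    """Name the port for the old (CN/SRN/SN/SBT/PN) or new (Port Type/Port ID) model."""
    if "Port Type" in rec:
        return f"{rec['Port Type']}:{rec.get('Port ID', '?')}"
    keys = ("Cabinet No.", "Subrack No.", "Slot No.", "Subboard Type", "Port No.")
    return "/".join(rec.get(k, "?") for k in keys)


def unauthenticated_ports(output: str) -> Dict[str, str]:
    """Return {port: state} for every record whose state is not EXPECTED_STATE."""
    return {port_label(r): r.get("Authentic State", "<missing>")
            for r in parse_records(output)
            if r.get("Authentic State") != EXPECTED_STATE}


def verify_activation(output: str) -> bool:
    """True only when at least one record exists and every port is authenticated."""
    records = parse_records(output)
    return bool(records) and not unauthenticated_ports(output)


def command_failed(output: str) -> bool:
    """True when the output cannot be trusted (RETCODE missing or non-zero)."""
    try:
        parse_records(output)
        return False
    except RuntimeError:
        return True
```

Feed the captured output of DSP DOT1X or DSP DOT1XAUTH to `verify_activation`; `unauthenticated_ports` lists the ports that need attention, and `command_failed` separates a rejected command from a genuine result so that a transport or login error is not reported as success.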

4.4.4 Network Monitoring

None


5 Parameters

The following hyperlinked EXCEL files of parameter documents match the software version with which this document is released.
● Node Parameter Reference: contains device and transport parameters.
● eNodeBFunction Parameter Reference: contains all parameters related to
radio access functions, including air interface management, access control,
mobility control, and radio resource management.
● eNodeBFunction Used Reserved Parameter List: contains the reserved
parameters that are in use and those that have been disused.
● gNodeBFunction Parameter Reference: contains all parameters related to
radio access functions, including air interface management, access control,
mobility control, and radio resource management.
● gNodeBFunction Used Reserved Parameter List: contains the reserved
parameters that are in use and those that have been disused.

NOTE

You can find the EXCEL files of parameter reference and used reserved parameter list for
the software version used on the live network from the product documentation delivered
with that version.

FAQ 1: How do I find the parameters related to a certain feature from parameter reference?

Step 1 Open the EXCEL file of parameter reference.

Step 2 On the Parameter List sheet, filter the Feature ID column. Click Text Filters and
choose Contains. Enter the feature ID.

Step 3 Click OK. All parameters related to the feature are displayed.

----End

FAQ 2: How do I find the information about a certain reserved parameter from the used reserved parameter list?

Step 1 Open the EXCEL file of the used reserved parameter list.

Step 2 On the Used Reserved Parameter List sheet, use the MO, Parameter ID, and BIT columns to locate the reserved parameter, which may be only a bit of a parameter. View its information, including the meaning, values, impacts, and product version in which it is activated for use.

----End


6 Counters

The following hyperlinked EXCEL files of performance counter reference match the
software version with which this document is released.
● Node Performance Counter Summary: contains device and transport counters.
● eNodeBFunction Performance Counter Summary: contains all counters related
to radio access functions, including air interface management, access control,
mobility control, and radio resource management.
● gNodeBFunction Performance Counter Summary: contains all counters related
to radio access functions, including air interface management, access control,
mobility control, and radio resource management.

NOTE

You can find the EXCEL files of performance counter reference for the software version used
on the live network from the product documentation delivered with that version.

FAQ: How do I find the counters related to a certain feature from performance counter reference?

Step 1 Open the EXCEL file of performance counter reference.

Step 2 On the Counter Summary(En) sheet, filter the Feature ID column. Click Text Filters and choose Contains. Enter the feature ID.

Step 3 Click OK. All counters related to the feature are displayed.

----End


7 Glossary

For the acronyms, abbreviations, terms, and definitions, see Glossary.


8 Reference Documents

1. IETF RFC 3748, "Extensible Authentication Protocol (EAP)"
2. IETF RFC 2716, "PPP EAP TLS Authentication Protocol" (obsoleted by IETF RFC 5216, "The EAP-TLS Authentication Protocol")
3. IEEE Std 802.1X-2004, "Port-Based Network Access Control"
4. PKI for SingleRAN
5. SSL for SingleRAN
6. SRAN Networking and Evolution Overview for SingleRAN
7. IPv4 Transmission for SingleRAN
