access control based on 802.1x(sran10.1_01)

Upload: muhammad-abdur-razzaqe

Post on 24-Feb-2018


7/25/2019 Access Control Based on 802.1x(SRAN10.1_01) 1/33

SingleRAN
Access Control based on 802.1x
Feature Parameter Description

Issue 01
Date 2015-03-23

HUAWEI TECHNOLOGIES CO., LTD.


Copyright Huawei Technologies Co., Ltd. 2015. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: [email protected]

Issue 01 (2015-03-23) Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
i

Contents

1 About This Document ... 1
1.1 Scope ... 1
1.2 Intended Audience ... 2
1.3 Change History ... 2
1.4 Differences Between Base Station Types ... 3
2 Overview ... 4
3 Technical Description ... 5
3.1 Operating Principle ... 5
3.2 Protocol Stacks ... 6
4 Application of Access Control based on 802.1x ... 8
4.1 Typical Network Topology ... 9
4.2 Auto-Discovery with Access Control based on 802.1x ... 9
4.2.1 Automatic Base Station Deployment by PnP ... 9
4.2.2 Application on Existing Base Stations ... 13
5 Related Features ... 14
6 Network Impact ... 15
7 Engineering Guidelines ... 16
7.1 When to Use Access Control based on 802.1x ... 17
7.2 Required Information ... 17
7.3 Planning ... 17
7.4 Deployment on the NodeB/eNodeB/eGBTS Side ... 18
7.4.1 Requirements ... 18
7.4.2 Data Preparation ... 19
7.4.3 Precautions ... 20
7.4.4 Activation ... 20
7.4.5 Activation Observation ... 22
7.4.6 Deactivation ... 23
7.5 Performance Monitoring ... 23
7.6 Parameter Optimization ... 23
7.7 Troubleshooting ... 23
8 Parameters ... 25
9 Counters ... 27
10 Glossary ... 28
11 Reference Documents ... 29


1 About This Document

1.1 Scope

This document describes Access Control based on 802.1x, including its technical principles, related features, network impact, and engineering guidelines.

This document covers the following features:

- LOFD-003015 Access Control based on 802.1x
- TDLOFD-003015 Access Control based on 802.1x

Table 1-1 provides the definitions of base stations.

Table 1-1 Base station definition

Base Station Type | Definition
GBTS | GBTS refers to a base station configured with a GTMU and maintained through a base station controller.
eGBTS | eGBTS refers to a base station configured with a GTMUb, UMPT_G, or UMDU_G and directly maintained by the element management system (EMS).
NodeB | NodeB refers to a base station configured with a WMPT, UMPT_U, or UMDU_U.
eNodeB | eNodeB refers to a base station configured with an LMPT, UMPT_L, UMPT_T, UMDU_L, or UMDU_T.
Co-MPT Multimode Base Station | Co-MPT multimode base station refers to a base station configured with a UMPT_GU, UMDU_GU, UMPT_GL, UMDU_GL, UMPT_GT, UMDU_GT, UMPT_UL, UMDU_UL, UMPT_UT, UMDU_UT, UMPT_LT, UMDU_LT, UMPT_GUL, UMDU_GUL, UMPT_GUT, UMDU_GUT, UMPT_ULT, UMDU_ULT, UMPT_GLT, UMDU_GLT, UMPT_GULT, or UMDU_GULT. A co-MPT multimode base station functionally corresponds to any combination of eGBTS, NodeB, and eNodeB. For example, a co-MPT multimode base station configured with a UMPT_GU or UMDU_GU functionally corresponds to the combination of eGBTS and NodeB. NOTE: Unless otherwise specified, the descriptions and examples of the UMPT in a co-MPT base station also apply to the UMDU in a co-MPT base station.
Separate-MPT Multimode Base Station | Separate-MPT multimode base station refers to a base station on which different modes use different main control boards. For example, a base station configured with a GTMU and WMPT is called a separate-MPT GSM and UMTS dual-mode base station. NOTE: A UMDU cannot be used in a separate-MPT base station.

1.2 Intended Audience

This document is intended for personnel who:

- Need to understand the features described herein.
- Work with Huawei products.

1.3 Change History

This section provides information about the changes in different document versions. There are two types of changes, which are defined as follows:

- Feature change: changes in features of a specific product version
- Editorial change: changes in wording or addition of information that was not described in the earlier version

SRAN10.1 01 (2015-03-23)

This issue does not include any changes.

SRAN10.1 Draft A (2015-01-15)

Compared with Issue 01 (2014-04-30) of SRAN9.0, Draft A (2015-01-15) of SRAN10.1 includes the following changes.

Change Type | Change Description | Parameter Change
Feature change | Added the descriptions of 802.1x for a new type of BBU, BBU3910A, and its board UMDU. | None
Feature change | Added descriptions of eGBTSs that do not support the Access Control based on 802.1x feature when being configured with GTMUb boards. For details, see the following sections: 1.1 Scope; 7.4 Deployment on the NodeB/eNodeB/eGBTS Side | None
Editorial change | None | None

1.4 Differences Between Base Station Types

Definition

The macro base stations described in this document refer to 3900 series base stations. These base stations work in GSM, UMTS, or LTE mode, as listed in the section Scope.

The LampSite base stations described in this document refer to distributed base stations that provide indoor coverage. These base stations work in UMTS or LTE mode but not in GSM mode.

The micro base stations described in this document refer to all integrated entities that work in UMTS or LTE mode but not in GSM mode. Descriptions of boards, cabinets, subracks, slots, and RRUs do not apply to micro base stations.

The following table defines the types of micro base stations.

Base Station Model | RAT
BTS3202E | LTE FDD

NOTE
The co-MPT and separate-MPT applications are irrelevant to single-mode micro base stations.

Feature Support by Macro, Micro, and LampSite Base Stations

None.

Function Implementation in Macro, Micro, and LampSite Base Stations

None.


2 Overview

IEEE 802.1x is an IEEE standard for port-based network access control. It is part of the IEEE 802 group of networking protocols. With port-based network access control, the authentication access equipment in the local area network (LAN) performs identity authentication and access control on users or devices connected to its ports. Only the users or devices that can be authenticated are allowed to access the LAN through the ports. Access Control based on 802.1x prevents unauthorized users or devices from accessing the network, which ensures transport network security.

Huawei base stations support Access Control based on 802.1x. The authentication is unidirectional and is based on Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). That is, the authentication server performs unidirectional authentication on the digital certificates of base stations. Figure 2-1 shows the network topology for Access Control based on 802.1x.

Figure 2-1 Network topology for Access Control based on 802.1x


3 Technical Description

3.1 Operating Principle

Access Control based on 802.1x usually adopts the client/server architecture, as shown in Figure 2-1. The authentication access equipment receives authentication packets from users or devices and then forwards the packets to the authentication server. The authentication server authenticates the identities of the users or devices. If the authentication succeeds, the data flow of the users or devices can pass through the ports of the authentication access equipment.

Access Control based on 802.1x involves the following components:

- Authentication client (a device to be authenticated, such as a base station): initiates an 802.1x-based access control procedure. An authentication client is also referred to as a supplicant. To support port-based access control, the authentication client needs to support the Extensible Authentication Protocol over LAN (EAPoL).
- Authentication access equipment (such as a LAN switch): receives and forwards EAP authentication packets between the base station and authentication server at the Media Access Control (MAC) layer. Authentication access equipment is also referred to as an authenticator. The authentication access equipment also controls the status (authorized or unauthorized) of controlled ports based on the authentication result at the authentication server.
- Authentication server: performs authentication on clients. The servers commonly used are Remote Authentication Dial In User Service (RADIUS) and Authentication, Authorization and Accounting (AAA) servers.

NOTE
The functions of RADIUS and AAA servers are similar. This document uses the RADIUS server as an example to describe Access Control based on 802.1x.

Figure 3-1 shows the operating principle of Access Control based on 802.1x.


Figure 3-1 Operating principle of Access Control based on 802.1x

NOTE
Port access entity (PAE) is a port-related protocol entity that processes protocol packets during an authentication procedure.

A physical Ethernet port of the authentication access equipment consists of two logical ports: one controlled port and one uncontrolled port:

- Controlled port: A controlled port can be in the unauthorized or authorized state, depending on the authentication result at the authentication server. A controlled port in the authorized state is in the bidirectional connectivity state and data flow can pass through the port. A controlled port in the unauthorized state does not allow any data to pass through.
- Uncontrolled port: An uncontrolled port is always in the bidirectional connectivity state. Only EAPoL packets can pass through an uncontrolled port. This ensures that the authentication client can always transmit and receive authentication packets.

During initial access, the base station is not authenticated, and therefore the controlled port is in the unauthorized state. At this point, only EAPoL packets can pass through the uncontrolled port and be sent to the authentication server. After the authentication server authenticates the base station and the authentication access equipment authorizes the controlled port, the controlled port becomes authorized and data from the base station can pass through the controlled port in the authorized state. This process ensures that only authorized users and devices can access the network.

Port-based access control can be based on a physical port (such as the MAC address) or a logical port (such as the VLAN). Huawei base stations support only port-based access control based on the MAC address. That is, the authentication message sent by a base station contains the MAC address of the Ethernet port that connects the base station to the transport network. If authentication succeeds, the authentication access equipment performs access control on data flow based on this MAC address.

For details about IEEE 802.1x-based access control, see IEEE 802.1x-2004.

3.2 Protocol Stacks

In IEEE 802.1x-based access control, the authentication client and the authentication server exchange authentication messages using the EAP protocol. Between the authentication client and the authentication access equipment, EAP data is encapsulated in EAPoL frames so that the data can be transmitted in the LAN. Between the authentication access equipment and the authentication server, EAPoL frames are re-encapsulated in EAP over RADIUS (EAPoR) frames so that the data can be transmitted using the RADIUS protocol.

Figure 3-2 shows the protocol stacks for Access Control based on 802.1x.

Figure 3-2 Protocol stacks for Access Control based on 802.1x

Access Control based on 802.1x uses the EAP protocol for authentication. The EAP protocol supports multiple authentication methods. Huawei base stations adopt unidirectional EAP-TLS authentication, that is, the authentication server authenticates base stations using digital certificates. The AM parameter specifies the authentication method used by IEEE 802.1x-based access control.

In an IEEE 802.1x-based access control procedure, the base station sends its digital certificate to the RADIUS server in an EAPoL frame. The RADIUS server authenticates the base station by using the Huawei root certificate or the operator's root certificate.

For details about the EAP protocol, see RFC 3748.

For details about the EAP-TLS protocol, see RFC 2716.
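As an added illustration (not from the Huawei document) of the EAPoL encapsulation in 3.2 and the controlled/uncontrolled port model in 3.1, the following Python builds and parses EAPoL frames and models an authenticator port that relays only EAPoL (EtherType 0x888E, from IEEE 802.1X) until the RADIUS result authorizes the base station's MAC. The MAC addresses, the identity string and the abbreviated exchange are constructed; a real EAP-TLS run carries many more EAP-TLS (type 13) round trips.

```python
import struct

# Protocol constants from IEEE 802.1X, RFC 3748 and RFC 2716 (not from the Huawei document).
EAPOL_ETHERTYPE = 0x888E
EAPOL_PAE_GROUP = bytes.fromhex("0180c2000003")   # EAPoL-Start destination (page, 4.2.1 NOTE)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 13

# Constructed sample addresses; not real equipment.
BTS_MAC = bytes.fromhex("001122334455")
SWITCH_MAC = bytes.fromhex("66778899aabb")
BROADCAST = b"\xff" * 6


def build_eapol(dst, src, pkt_type, body=b"", version=1):
    """Ethernet II frame carrying an EAPoL PDU: dst | src | 0x888E | ver | type | len | body."""
    return dst + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, version, pkt_type, len(body)) + body


def build_eap(code, identifier, eap_type=None, data=b""):
    """EAP packet (RFC 3748): code | id | length | [type | data]; Success/Failure carry no type."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def parse_frame(frame):
    """Decode an Ethernet frame; adds EAPoL and EAP fields when present and rejects truncation."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    out = {"dst": dst, "src": src, "ethertype": ethertype}
    if ethertype != EAPOL_ETHERTYPE:
        return out
    if len(frame) < 18:
        raise ValueError("truncated EAPoL header")
    ver, ptype, blen = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + blen]
    if len(body) != blen:
        raise ValueError("EAPoL body length exceeds frame")
    out.update({"eapol_version": ver, "eapol_type": ptype})
    if ptype == EAPOL_EAP_PACKET:
        if blen < 4:
            raise ValueError("truncated EAP header")
        code, ident, elen = struct.unpack("!BBH", body[:4])
        if elen < 4 or elen > blen:
            raise ValueError("bad EAP length")
        eap = {"code": code, "id": ident}
        if code in (EAP_REQUEST, EAP_RESPONSE):
            if elen < 5:
                raise ValueError("EAP Request/Response without type")
            eap["type"], eap["data"] = body[4], body[5:elen]
        out["eap"] = eap
    return out


class AuthenticatorPort:
    """One physical switch port as section 3.1 describes it: the uncontrolled port relays
    EAPoL in any state; the controlled port passes other traffic only for a source MAC
    that the RADIUS result has authorized (MAC-based port access control)."""

    def __init__(self):
        self.authorized_macs = set()

    def accepts(self, frame):
        info = parse_frame(frame)
        if info["ethertype"] == EAPOL_ETHERTYPE:
            return True                                   # uncontrolled port: EAPoL always
        return info["src"] in self.authorized_macs        # controlled port: per-MAC

    def apply_server_result(self, eap_frame):
        """Authorize or de-authorize the supplicant MAC from an EAP-Success/Failure frame."""
        info = parse_frame(eap_frame)
        code = info.get("eap", {}).get("code")
        if code == EAP_SUCCESS:
            self.authorized_macs.add(info["dst"])
        elif code == EAP_FAILURE:
            self.authorized_macs.discard(info["dst"])
        return code


def demo_exchange():
    """Constructed, abbreviated exchange; returns (DHCP accepted before, after, identity)."""
    port = AuthenticatorPort()
    # DHCP Discover from the base station (EtherType 0x0800, placeholder payload).
    dhcp = BROADCAST + BTS_MAC + struct.pack("!H", 0x0800) + b"\x00" * 20
    before = port.accepts(dhcp)                           # False: controlled port unauthorized
    start = build_eapol(EAPOL_PAE_GROUP, BTS_MAC, EAPOL_START)
    port.accepts(start)                                   # True: relayed by the uncontrolled port
    ident = build_eapol(SWITCH_MAC, BTS_MAC, EAPOL_EAP_PACKET,
                        build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"bts-0001"))
    identity = parse_frame(ident)["eap"]["data"]
    # EAP-TLS Request/Response round trips (type 13) are omitted here.
    success = build_eapol(BTS_MAC, SWITCH_MAC, EAPOL_EAP_PACKET, build_eap(EAP_SUCCESS, 7))
    port.apply_server_result(success)
    after = port.accepts(dhcp)                            # True: MAC now authorized
    return before, after, identity
```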


4 Application of Access Control based on 802.1x

This chapter describes the application of IEEE 802.1x-based access control on a base station.


4.1 Typical Network Topology

To implement IEEE 802.1x-based access control, an authentication server and authentication access equipment (generally a LAN switch directly connected to the base station) supporting IEEE 802.1x-based access control need to be deployed in the network. Because Huawei base stations adopt unidirectional EAP-TLS authentication based on IEEE 802.1x and are preconfigured with Huawei-issued device certificates and Huawei root certificates before delivery, the authentication server needs to be preconfigured with the Huawei root certificate. Figure 4-1 shows a typical network topology for IEEE 802.1x-based access control.

Figure 4-1 Typical network topology for IEEE 802.1x-based access control

IEEE 802.1x-based access control of Ethernet ports can be activated by using the ACT DOT1X command and deactivated by using the DEA DOT1X command. By default, IEEE 802.1x-based access control is activated on Ethernet ports of base stations before delivery.

4.2 Auto-Discovery with Access Control based on 802.1x

4.2.1 Automatic Base Station Deployment by PnP

When Access Control based on 802.1x is activated in the network, a base station must pass the IEEE 802.1x-based authentication before automatic deployment by plug and play (PnP). To ensure the base station's adaptability to the network, after being powered on, Huawei base stations perform as follows depending on network conditions:

- If the network supports IEEE 802.1x-based access control, and IEEE 802.1x-based access control is activated on the Ethernet port that connects the base station to the transport network:
  The base station initiates an IEEE 802.1x-based access control procedure. After the IEEE 802.1x-based access control succeeds, the base station sends a Dynamic Host Configuration Protocol (DHCP) Discover packet to the authentication access equipment to start the DHCP procedure. After the DHCP procedure is complete, the automatic base station deployment procedure starts.
- If the network supports IEEE 802.1x-based access control, but IEEE 802.1x-based access control is deactivated on the Ethernet port that connects the base station to the transport network:
  The base station does not initiate an IEEE 802.1x-based access control procedure. Instead, the base station first sends a DHCP Discover packet and the DHCP module queries whether IEEE 802.1x-based access control is activated on the Ethernet port that connects the base station to the transport network. If IEEE 802.1x-based access control is deactivated and authentication is not performed, the base station triggers an IEEE 802.1x-based access control procedure. Because the network uses IEEE 802.1x-based access control, the DHCP Discover packet cannot pass through the authentication access equipment, and therefore the DHCP procedure fails. The base station waits for the authentication result. After the IEEE 802.1x-based access control succeeds, the base station resends a DHCP Discover packet. After the DHCP procedure is complete, the automatic base station deployment procedure starts.
  For example, the main control board of the base station has an incorrect configuration file, in which IEEE 802.1x-based access control is deactivated on the Ethernet port that connects the base station to the transport network. In this case, the DHCP procedure triggers the IEEE 802.1x-based access control procedure during automatic base station deployment.
- If the network does not support IEEE 802.1x-based access control, and IEEE 802.1x-based access control is activated on the Ethernet port that connects the base station to the transport network:
  The base station initiates the IEEE 802.1x-based access control procedure three times at an interval of 25 seconds. If the base station does not receive any response from the network, the base station determines that the network does not support IEEE 802.1x-based access control. The base station then sends a DHCP Discover packet. The DHCP Discover packet can pass through the authentication access equipment. After the DHCP procedure is complete, the automatic base station deployment procedure starts.

The rest of this section describes automatic base station deployment by PnP in the preceding three scenarios.

NOTE
During automatic base station deployment by PnP, the IEEE 802.1x-based access control procedure uses the preconfigured Huawei-issued device certificate of the base station for authentication.

Scenario 1

Figure 4-2 shows automatic base station deployment when the network supports IEEE 802.1x-based access control and IEEE 802.1x-based access control is activated on the Ethernet port that connects the base station to the transport network.


Figure 4-2 Automatic base station deployment (1)

The automatic base station deployment procedure in this scenario is as follows:

1. After the base station is powered on, it sends an EAPoL-Start packet to the authentication access equipment, to initiate an IEEE 802.1x-based access control procedure.
2. The base station, authentication access equipment, and authentication server perform the IEEE 802.1x-based access control procedure. The base station can initiate the IEEE 802.1x-based access control procedure on the same Ethernet port a maximum of three times at an interval of 25 seconds.
3. If the IEEE 802.1x-based access control procedure succeeds, the base station initiates a DHCP procedure. After the DHCP procedure is complete, the automatic base station deployment procedure starts.
4. If the IEEE 802.1x-based access control procedure fails, the base station initiates a DHCP procedure. However, the base station does not receive any response to the DHCP procedure, and therefore the DHCP procedure fails. The base station attempts to initiate IEEE 802.1x-based access control and DHCP procedures on the next Ethernet port.

NOTE
In the IEEE 802.1x-based access control procedure, the EAPoL-Start packet is a multicast packet and its destination MAC address is 01-80-C2-00-00-03; other packets are unicast packets.

Scenario 2

Figure 4-3 shows automatic base station deployment when the network supports IEEE 802.1x-based access control but IEEE 802.1x-based access control is deactivated on the Ethernet port that connects the base station to the transport network.


Figure 4-3 Automatic base station deployment (2)

The automatic base station deployment procedure in this scenario is as follows:

1. After a base station is powered on, it sends a DHCP Discover packet to the authentication access equipment because IEEE 802.1x-based access control is deactivated on the Ethernet port that connects the base station to the transport network.
2. The DHCP module queries whether IEEE 802.1x-based access control is activated on the Ethernet port that connects the base station to the transport network. If IEEE 802.1x-based access control is deactivated and authentication is not performed, the base station triggers an IEEE 802.1x-based access control procedure on this Ethernet port.
3. Because the controlled port of the authentication access equipment is in the unauthorized state, the base station does not receive any DHCP response. The DHCP procedure fails. The base station waits for the authentication result.
4. When the IEEE 802.1x-based access control procedure succeeds, the base station resends a DHCP Discover packet through the Ethernet port. After the DHCP procedure is complete, the automatic base station deployment procedure starts.

Scenario 3

Figure 4-4 shows automatic base station deployment when the network does not support IEEE 802.1x-based access control and IEEE 802.1x-based access control is activated on the Ethernet port that connects the base station to the transport network.


Figure 4-4 Automatic base station deployment (3)

The automatic base station deployment procedure in this scenario is as follows:

1. After the base station is powered on, it initiates an IEEE 802.1x-based access control procedure. The base station resends the EAPoL-Start packet three times at an interval of 25 seconds but does not receive any response. Therefore, the base station determines that the network does not support IEEE 802.1x-based access control.

2. The base station sends a DHCP Discover packet to the authentication access equipment.

3. After the DHCP procedure is complete, the automatic base station deployment procedure starts.
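The deployment logic of Scenarios 2 and 3, as an added example in Python that is not part of the Huawei document: it models the base station (supplicant) and the authentication access equipment, applies the three EAPoL-Start resends at 25-second intervals stated above, and shows that the no-802.1x fallback alone accounts for a 75-second delay before DHCP can start. The Authenticator class, its methods and the trace strings are assumptions of this example, not the product's behaviour.

```python
# Added example, not from the Huawei document. Assumption: on a network without
# 802.1x the authenticator answers nothing, and its controlled port drops DHCP
# while unauthorized, as Scenarios 2 and 3 describe.
from dataclasses import dataclass, field
from typing import List

EAPOL_START_RESENDS = 3       # EAPoL-Start is resent three times ...
EAPOL_START_INTERVAL_S = 25   # ... at an interval of 25 seconds


@dataclass
class Authenticator:
    """Constructed model of the authentication access equipment."""
    supports_dot1x: bool
    accepts_cert: bool = True       # does the server accept the device cert?
    port_authorized: bool = False   # state of the controlled port

    def answers_eapol_start(self) -> bool:
        return self.supports_dot1x

    def run_eap_tls(self) -> bool:
        """Abstracted EAP-TLS exchange; authorizes the port on success."""
        if self.supports_dot1x and self.accepts_cert:
            self.port_authorized = True
        return self.port_authorized

    def answers_dhcp(self) -> bool:
        """DHCP gets through only via an authorized port, or on a network
        that has no 802.1x at all."""
        return self.port_authorized or not self.supports_dot1x


@dataclass
class Deployment:
    elapsed_s: int = 0              # time spent waiting for EAPoL responses
    trace: List[str] = field(default_factory=list)
    deployed: bool = False


def run_dot1x(auth: Authenticator, dep: Deployment) -> bool:
    """Supplicant side: send EAPoL-Start, resend it up to three times at
    25 s intervals, and treat silence as 'network does not support 802.1x'."""
    for attempt in range(1 + EAPOL_START_RESENDS):
        dep.trace.append(f"EAPoL-Start #{attempt + 1}")
        if auth.answers_eapol_start():
            ok = auth.run_eap_tls()
            dep.trace.append("EAP-TLS " + ("success" if ok else "failure"))
            return ok
        if attempt < EAPOL_START_RESENDS:
            dep.elapsed_s += EAPOL_START_INTERVAL_S   # wait before resending
    dep.trace.append("no response: network does not support 802.1x")
    return False


def deploy(auth: Authenticator, dot1x_active_on_port: bool) -> Deployment:
    """Scenario 3 when 802.1x is active on the port, Scenario 2 when not."""
    dep = Deployment()
    if dot1x_active_on_port:
        run_dot1x(auth, dep)          # Scenario 3: 802.1x first, then DHCP
    else:
        dep.trace.append("DHCP Discover")             # Scenario 2
        if not auth.answers_dhcp():
            # Controlled port unauthorized: DHCP fails, run 802.1x and wait.
            dep.trace.append("DHCP failed, waiting for authentication")
            if not run_dot1x(auth, dep):
                return dep
    dep.trace.append("DHCP Discover")
    if auth.answers_dhcp():
        dep.trace.append("DHCP complete, automatic deployment starts")
        dep.deployed = True
    return dep


if __name__ == "__main__":
    for label, auth, active in (
        ("Scenario 3", Authenticator(supports_dot1x=False), True),
        ("Scenario 2", Authenticator(supports_dot1x=True), False),
    ):
        d = deploy(auth, active)
        print(f"{label}: deployed={d.deployed} after {d.elapsed_s}s  {d.trace}")
```

A rejected device certificate (accepts_cert=False) leaves the controlled port unauthorized, so DHCP never completes; that is the condition behind the authentication-failure alarm described in the troubleshooting section.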

4.2.2 Application on Existing Base Stations

After a base station obtains the configuration file, it restarts. If the state of its Ethernet port changes from DOWN to UP and IEEE 802.1x-based access control is activated on this Ethernet port, the base station initiates an IEEE 802.1x-based access control procedure. By default, IEEE 802.1x-based access control and SSL authentication use the same certificate:

• If the certificate used for SSL authentication in the configuration file is set to the operator-issued device certificate, the IEEE 802.1x-based access control procedure uses the operator-issued device certificate to authenticate the base station.

• If the certificate used for SSL authentication in the configuration file is set to the Huawei-issued device certificate, the IEEE 802.1x-based access control procedure uses the Huawei-issued device certificate to authenticate the base station.

• If the SSL authentication method is cryptonym authentication, by default the IEEE 802.1x-based access control procedure uses the Huawei-issued device certificate to authenticate the base station.

NOTE

During base station deployment using a USB flash drive, the certificate used in the IEEE 802.1x-based access control procedure is specified in the configuration file. Because the base station is preconfigured with the Huawei-issued device certificate, the certificate for SSL authentication can be set only to the Huawei-issued device certificate in the configuration file. If the certificate for SSL authentication is set to the operator-issued device certificate, the IEEE 802.1x-based access control procedure fails.


5 Related Features

Prerequisite Features

• GBFD-113526 BTS Supporting PKI
• WRFD-140210 NodeB PKI Support
• LOFD-003010 Public Key Infrastructure (PKI)
• TDLOFD-003010 Public Key Infrastructure (PKI)
• GBFD-118601 Abis over IP
• WRFD-050402 IP Transmission Introduction on Iub Interface

Mutually Exclusive Features

None

Impacted Features

None


6 Network Impact

System Capacity

No impact.

Network Performance

When the Access Control based on 802.1x feature is enabled, the time for base station deployment by PnP is prolonged by about 75 seconds.


7 Engineering Guidelines

This chapter describes how to deploy the Access Control based on 802.1x feature in a newly deployed network.


7.1 When to Use Access Control based on 802.1x

If the operator's transport network is located in an open network, the devices in the transport network are vulnerable to unauthorized access and malicious attacks. In this case, it is recommended that the Access Control based on 802.1x feature be activated to authenticate the users or devices that attempt to access the transport network. This feature prevents unauthorized users and devices from accessing the network and ensures transport network security.

The Access Control based on 802.1x feature uses the Huawei-issued device certificate to authenticate the base station. Therefore, the PKI feature also needs to be activated.

7.2 Required Information

Huawei base stations support only unidirectional EAP-TLS authentication and port-based access control based on the MAC address. Therefore, before you activate the Access Control based on 802.1x feature, check whether the authentication server supports unidirectional EAP-TLS authentication and whether the authentication access equipment supports port-based access control based on the MAC address.

• If the customer requires that Access Control based on 802.1x use the Huawei-issued device certificate to authenticate the base station, the PKI feature does not need to be deployed in the network.

• If the customer requires that Access Control based on 802.1x use the operator-issued device certificate to authenticate the base station, the PKI feature needs to be deployed in the network. For details about how to deploy the PKI feature, see PKI Feature Parameter Description.

7.3 Planning

Hardware Planning

NE | Board Configuration | Board That Provides a Port for Connecting to the Transport Network | Port Type
eGBTS | UMPT or UMDU | UMPT or UMDU | Ethernet port
eGBTS | UMPT+UTRPc | UTRPc | Ethernet port
NodeB | UMPT or UMDU | UMPT or UMDU | Ethernet port
NodeB | UMPT+UTRPc | UTRPc | Ethernet port
eNodeB | LMPT | LMPT | Ethernet port
eNodeB | UMPT or UMDU | UMPT or UMDU | Ethernet port
eNodeB | LMPT+UTRPc or UMPT+UTRPc | UTRPc | Ethernet port
Multimode base station | UMPT or UMDU | UMPT or UMDU | Ethernet port
Multimode base station | LMPT | LMPT | Ethernet port
Multimode base station | LMPT+UTRPc or UMPT+UTRPc | UTRPc | Ethernet port

7.4 Deployment on the NodeB/eNodeB/eGBTS Side

NOTE

eGBTSs configured with GTMUb boards do not support the Access Control based on 802.1x feature. The eGBTSs described in this document are not configured with GTMUb boards.

Before you activate the Access Control based on 802.1x feature, configure the PKI feature as well as the related managed objects (MOs). For details about how to configure the PKI feature, see the "Engineering Guidelines" section in PKI Feature Parameter Description.

7.4.1 Requirements

• Requirements for NEs:
  - An authentication server has been deployed in the network.
  - The authentication server supports the EAP protocol defined in RFC 3748 and supports EAP-TLS authentication.
  - The authentication server is preconfigured with the Huawei root certificate. If the customer requires that the operator-issued device certificate be used for authentication, the operator's root certificate must be preconfigured on the authentication server.
  - The authentication access equipment supports IEEE 802.1x-based access control and EAP packet processing.
  - The authentication access equipment supports port-based access control based on the MAC address.

• Requirements for licenses:
  - The license for the PKI feature has been activated.
  - The license for the Access Control based on 802.1x feature has been activated.


Feature ID | Feature Name | License Control Item ID | License Control Item Name | NE | Sales Unit
LOFD-003015 | Access Control based on 802.1x | LT1S000ACC00 | Access Control based on 802.1x (per eNodeB) | Macro eNodeB/LampSite eNodeB/BTS3202E | per eNodeB
TDLOFD-003015 | Access Control based on 802.1x | LT1ST00ACC00 | Access Control based on 802.1x (per eNodeB) | LTE TDD eNodeB | per eNodeB

7.4.2 Data Preparation

Table 7-1 lists the data that needs to be prepared before you activate the Access Control based on 802.1x feature.

NOTE

"-" in Table 7-1 indicates that there is no special requirement for setting the parameter. Set the parameter based on site requirements.

Table 7-1 Data to be prepared before activating the Access Control based on 802.1x feature

MO | Parameter Name | Parameter ID | Setting Notes | Data Source
DOT1X | Cabinet No. | CN | - | Network plan
DOT1X | Subrack No. | SRN | - | Network plan
DOT1X | Slot No. | SN | - | Network plan
DOT1X | Subboard Type | SBT | - | Network plan
DOT1X | Port No. | PN | - | Network plan
DOT1X | Authentic Method | AM | This parameter indicates the authentication method used by the Access Control based on 802.1x feature. This feature supports EAP-TLS authentication. | Network plan

NOTE

• When you deploy this feature on a multimode base station, activate the feature only on the Ethernet port that connects the base station to the transport network. The data preparation and initial configuration of the multimode base station are the same as those of a single-mode base station.

• When a base station is working normally, the certificate used by IEEE 802.1x-based access control is the same as that used by SSL authentication. For details about how to configure the certificate for SSL authentication, see the "Engineering Guidelines" section in SSL Feature Parameter Description. If no certificate is configured for SSL authentication, IEEE 802.1x-based access control uses the Huawei-issued device certificate by default.

7.4.3 Precautions

None

7.4.4 Activation

This section uses the eNodeB as an example to describe how to activate Access Control based on 802.1x by using MML commands or the CME.

Using MML Commands

Run the MML command ACT DOT1X to activate Access Control based on 802.1x on the Ethernet port that connects the base station to the transport network.

MML Command Examples

//Activating Access Control based on 802.1x on the NodeB/eNodeB/eGBTS side
//Activating Access Control based on 802.1x on the Ethernet port that connects the base station to the transport network
ACT DOT1X: CN=0, SRN=0, SN=7, SBT=BASE_BOARD, PN=0, AM=EAP-TLS;

Using the CME to Perform Single Configuration

Set parameters on the CME configuration interface according to the operation sequence described in Table 7-1. For instructions on how to perform the CME single configuration, see CME Single Configuration Operation Guide.


Using the CME to Perform Batch Configuration for Newly Deployed Base Stations

Enter the values of the parameters listed in Table 7-2 into a summary data file, which also contains other data for the new base stations to be deployed. Then, import the summary data file into the CME for batch configuration.

The summary data file may be a scenario-specific file provided by the CME or a customized file, depending on the following conditions:

• The MOs in Table 7-2 are contained in a scenario-specific summary data file. In this situation, set the parameters in the MOs, and then verify and save the file.

• Some MOs in Table 7-2 are not contained in a scenario-specific summary data file. In this situation, customize a summary data file to include the MOs before you can set the parameters.

Table 7-2 MOs related to Access Control based on 802.1x

MO | Sheet in the Summary Data File | Parameter Group | Remarks
DOT1X | Common Data | See Table 7-1. | None

For instructions about performing batch configuration for each base station, see the following sections in 3900 Series Base Station Initial Configuration Guide.

• For a NodeB: Creating NodeBs in Batches
• For an eNodeB: Creating eNodeBs in Batches
• For a separate-MPT multimode base station: Creating Separate-MPT Multimode Base Stations in Batches
• For an eGBTS or a co-MPT multimode base station: Creating Co-MPT Base Stations in Batches

Using the CME to Perform Batch Configuration for Existing Base Stations

Batch reconfiguration using the CME is the recommended method to activate a feature on existing base stations. This method reconfigures all data, except neighbor relationships, for multiple base stations in a single procedure.

The procedure is as follows:

Step 1 Choose CME > Advanced > Customize Summary Data File from the main menu of a U2000 client, or choose Advanced > Customize Summary Data File from the main menu of a CME client, to customize a summary data file for batch reconfiguration.

NOTE

For context-sensitive help on a current task in the client, press F1.

Step 2 Export the NE data stored on the CME into the customized summary data file.

• For co-MPT multimode base stations: Choose CME > SRAN Application > MBTS Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the U2000 client, or choose SRAN Application > MBTS Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the CME client.

• For separate-MPT GSM-involved multimode base stations or GO base stations: Choose CME > GSM Application > Export Data > eGBTS Bulk Configuration Data from the main menu of the U2000 client, or choose GSM Application > Export Data > Export eGBTS Bulk Configuration Data from the main menu of the CME client.

• For separate-MPT UMTS-involved multimode base stations or UO base stations: Choose CME > UMTS Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the U2000 client, or choose UMTS Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the CME client.

• For separate-MPT LTE-involved multimode base stations or LO base stations: Choose CME > LTE Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the U2000 client, or choose LTE Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the CME client.

Step 3 In the summary data file, set the parameters in the MOs listed in Table 7-2 and close the file.

Step 4 Import the summary data file into the CME.

• For co-MPT multimode base stations: Choose CME > SRAN Application > MBTS Application > Import Base Station Bulk Configuration Data from the main menu of the U2000 client, or choose SRAN Application > MBTS Application > Import Data > Import Base Station Bulk Configuration Data from the main menu of the CME client.

• For separate-MPT GSM-involved multimode base stations or GO base stations: Choose CME > GSM Application > Import Data > Import eGBTS Bulk Configuration Data from the main menu of the U2000 client, or choose GSM Application > Import Data > Import eGBTS Bulk Configuration Data from the main menu of the CME client.

• For separate-MPT UMTS-involved multimode base stations or UO base stations: Choose CME > UMTS Application > Import Data > Import Base Station Bulk Configuration Data from the main menu of the U2000 client, or choose UMTS Application > Import Data > Import Base Station Bulk Configuration Data from the main menu of the CME client.

• For separate-MPT LTE-involved multimode base stations or LO base stations: Choose CME > LTE Application > Import Data > Import Base Station Bulk Configuration Data from the main menu of the U2000 client, or choose LTE Application > Import Data > Import Base Station Bulk Configuration Data from the main menu of the CME client.

----End

7.4.5 Activation Observation

Run the DSP DOT1X command to query whether Access Control based on 802.1x is activated on the Ethernet port that connects the base station to the transport network.

Check the value of the Authentic State parameter in the command output. If the value of this parameter is Authenticate Succeed, the port has passed IEEE 802.1x-based authentication.

The following is an example:

DSP DOT1X: CN=0, SRN=0, SN=7, SBT=BASE_BOARD, PN=0;
%%RETCODE = 0 Operation succeeded.

Display 802.1x
--------------
Cabinet No. = 0
Subrack No. = 0
Slot No. = 7
Subboard Type = Base Board
Port No. = 0
Authentic Method = EAP-TLS authentic method
Authentic State = Authenticate Succeed
Authentic Succeed Number = 1
Fail Number = 0
Fail Reason = 0
Send EAP Packet Number = 7
Receive EAP Packet Number = 7
Abnormal Packet Number = 0
(Number of results = 1)
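Checking the DSP DOT1X output programmatically, as an added example in Python that is not part of the Huawei document: it parses the "Field = Value" lines of the display above into a dictionary and flags a port that has not reached Authenticate Succeed or whose counters show failures or abnormal packets. Both sample outputs are constructed (the failing one uses invented state text and counter values), and the checks applied are assumptions of this example.

```python
# Added example, not from the Huawei document. The samples are constructed to
# match the DSP DOT1X display format of section 7.4.5; checks are assumptions.
import re
from typing import Dict, List, Tuple

# Constructed sample: the healthy display from section 7.4.5.
SAMPLE_OK = """\
%%RETCODE = 0 Operation succeeded.
Display 802.1x
--------------
Cabinet No. = 0
Subrack No. = 0
Slot No. = 7
Subboard Type = Base Board
Port No. = 0
Authentic Method = EAP-TLS authentic method
Authentic State = Authenticate Succeed
Authentic Succeed Number = 1
Fail Number = 0
Fail Reason = 0
Send EAP Packet Number = 7
Receive EAP Packet Number = 7
Abnormal Packet Number = 0
(Number of results = 1)
"""

# Constructed failing sample: the state text, counters and reason code are
# invented placeholders, not values documented on the page.
SAMPLE_FAIL = (
    SAMPLE_OK.replace("Authentic State = Authenticate Succeed",
                      "Authentic State = Authenticate Fail")
    .replace("Authentic Succeed Number = 1", "Authentic Succeed Number = 0")
    .replace("Fail Number = 0", "Fail Number = 3")
    .replace("Fail Reason = 0", "Fail Reason = 5")
    .replace("Abnormal Packet Number = 0", "Abnormal Packet Number = 1")
)

# One "Field = Value" display line; keys may contain spaces and a dot.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z .]*?)\s*=\s*(?P<val>.+?)\s*$")


def parse_dsp_dot1x(output: str) -> Dict[str, str]:
    """Return the display fields as {name: value}, skipping the %%RETCODE
    line and the '(Number of results = N)' trailer."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        if line.lstrip().startswith(("%%", "(")):
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("val")
    return fields


def check_dot1x(fields: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Apply the page's success criterion (Authentic State = Authenticate
    Succeed) plus counter checks; return (healthy, findings)."""
    findings: List[str] = []
    state = fields.get("Authentic State")
    if state != "Authenticate Succeed":
        findings.append(f"port has not passed 802.1x authentication (state: {state})")
    if int(fields.get("Authentic Succeed Number", "0")) < 1:
        findings.append("no successful authentication recorded on the port")
    fails = int(fields.get("Fail Number", "0"))
    if fails > 0:
        findings.append(f"{fails} authentication failure(s), Fail Reason "
                        f"{fields.get('Fail Reason')}; see ALM-26831 in section 7.7")
    abnormal = int(fields.get("Abnormal Packet Number", "0"))
    if abnormal > 0:
        findings.append(f"{abnormal} abnormal EAP packet(s) received on the port")
    return (not findings, findings)


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_FAIL):
        f = parse_dsp_dot1x(sample)
        healthy, notes = check_dot1x(f)
        print(f"slot {f['Slot No.']} port {f['Port No.']}:", "OK" if healthy else notes)
```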

7.4.6 Deactivation

Using MML Commands

Run the MML command DEA DOT1X to deactivate Access Control based on 802.1x on the Ethernet port that connects the base station to the transport network.

MML Command Examples

//Deactivating Access Control based on 802.1x
DEA DOT1X: SN=7, SBT=BASE_BOARD, PN=0;

Using the CME to Perform Single Configuration

None

Using the CME to Perform Batch Configuration

The procedure for feature deactivation is similar to that for feature activation. The only difference is the parameter setting, which is described in Table 7-2.

7.5 Performance Monitoring

None

7.6 Parameter Optimization

None

7.7 Troubleshooting

After Access Control based on 802.1x is activated, the base station may report ALM-26831 802.1x Authentication Failure.

For details about how to clear these alarms for each type of base station, see the following sections in 3900 Series Base Station Alarm Reference:

• "eGBTS Alarm Reference"
• "NodeB Alarm Reference"
• "eNodeB Alarm Reference"


8 Parameters

Table 8-1 Parameters

MO | Parameter ID | MML Command | Feature ID | Feature Name | Description
DOT1X | AM | ACT DOT1X, DSP DOT1X, LST DOT1X | None | None | Meaning: Indicates the IEEE 802.1X authentication method. Currently, only Extensible Authentication Protocol Transport Layer Security (EAP-TLS), a unidirectional authentication method, is supported; GUI Value Range: EAP-TLS(EAP-TLS authentic method); Unit: None; Actual Value Range: EAP-TLS; Default Value: EAP-TLS(EAP-TLS authentic method)
DOT1X | CN | ACT DOT1X, DEA DOT1X, DSP DOT1X, LST DOT1X | None | None | Meaning: Indicates the number of the cabinet that provides the port on which IEEE 802.1X authentication is configured; GUI Value Range: 0~7; Unit: None; Actual Value Range: 0~7; Default Value: 0
DOT1X | SRN | ACT DOT1X, DEA DOT1X, DSP DOT1X, LST DOT1X | None | None | Meaning: Indicates the number of the subrack that provides the port on which IEEE 802.1X authentication is configured; GUI Value Range: 0~1; Unit: None; Actual Value Range: 0~1; Default Value: 0
DOT1X | SN | ACT DOT1X, DEA DOT1X, DSP DOT1X, LST DOT1X | None | None | Meaning: Indicates the number of the slot that provides the port on which IEEE 802.1X authentication is configured; GUI Value Range: 0~7; Unit: None; Actual Value Range: 0~7; Default Value: None
DOT1X | SBT | ACT DOT1X, DEA DOT1X, DSP DOT1X, LST DOT1X | None | None | Meaning: Indicates the type of sub-board that provides the port on which IEEE 802.1X authentication is configured; GUI Value Range: BASE_BOARD(Base Board), ETH_COVERBOARD(Ethernet Cover Board); Unit: None; Actual Value Range: BASE_BOARD, ETH_COVERBOARD; Default Value: None
DOT1X | PN | ACT DOT1X, DEA DOT1X, DSP DOT1X, LST DOT1X | None | None | Meaning: Indicates the number of the port on which IEEE 802.1X authentication is configured; GUI Value Range: 0~5; Unit: None; Actual Value Range: 0~5; Default Value: None


9 Counters

There are no specific counters associated with this feature.


10 Glossary

For the acronyms, abbreviations, terms, and definitions, see Glossary.


11 Reference Documents

1. IETF RFC 3748, "Extensible Authentication Protocol (EAP)"
2. IEEE Std 802.1x-2004, "Port-Based Network Access Control"
3. IETF RFC 2716, "PPP EAP TLS Authentication Protocol"
4. PKI Feature Parameter Description for SingleRAN
5. SSL Feature Parameter Description for SingleRAN
