
SingleRAN

Access Control based on 802.1x


Feature Parameter Description

Issue 01
Date 2019-06-06

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2019. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://www.huawei.com
Email: support@huawei.com

Issue 01 (2019-06-06) Copyright © Huawei Technologies Co., Ltd. i


SingleRAN
Access Control based on 802.1x Feature Parameter
Description Contents

Contents

1 Change History.............................................................................................................................. 1
1.1 SRAN15.1 01 (2019-06-06)........................................................................................................................................... 1
1.2 SRAN15.1 Draft B (2019-03-18)................................................................................................................................... 1
1.3 SRAN15.1 Draft A (2018-12-30)................................................................................................................................... 1

2 About This Document.................................................................................................................. 3


2.1 General Statements......................................................................................................................................................... 3
2.2 Applicable RAT.............................................................................................................................................................. 3
2.3 Features in This Document.............................................................................................................................................3

3 Overview......................................................................................................................................... 5
4 Access Control based on 802.1x...................................................................................................6
4.1 Principles........................................................................................................................................................................ 6
4.1.1 Operating Principle......................................................................................................................................................6
4.1.2 Protocol Stacks............................................................................................................................................................ 7
4.1.3 Application of Access Control based on 802.1x......................................................................................................... 8
4.1.3.1 Typical Network Topology....................................................................................................................................... 8
4.1.3.2 Auto-Discovery with Access Control based on 802.1x............................................................................................9
4.1.3.2.1 Automatic Base Station Deployment by PnP........................................................................................................ 9
4.1.3.2.2 Application on Existing Base Stations................................................................................................................ 13
4.2 Network Analysis......................................................................................................................................................... 13
4.2.1 Benefits...................................................................................................................................................................... 13
4.2.2 Impacts.......................................................................................................................................................................13
4.3 Requirements................................................................................................................................................................ 13
4.3.1 Licenses..................................................................................................................................................................... 13
4.3.2 Software.....................................................................................................................................................................14
4.3.2.1 LOFD-003015 Access Control based on 802.1x....................................................................................................14
4.3.2.2 MLOFD-003015 Access Control based on 802.1x................................................................................................ 14
4.3.2.3 TDLOFD-003015 Access Control based on 802.1x.............................................................................................. 15
4.3.2.4 FBFD-010023 Security Mechanism (Access Control based on 802.1x)................................................................15
4.3.2.5 Access Control based on 802.1x on the GSM Side................................................................................................ 15
4.3.2.6 Access Control based on 802.1x on the UMTS Side............................................................................................. 16
4.3.3 Hardware................................................................................................................................................................... 16
4.3.4 Networking................................................................................................................................................................ 17


4.3.5 Others.........................................................................................................................................................................18
4.4 Operation and Maintenance..........................................................................................................................................18
4.4.1 When to Use.............................................................................................................................................................. 18
4.4.2 Data Configuration.................................................................................................................................................... 18
4.4.2.1 Data Preparation..................................................................................................................................................... 18
4.4.2.2 Using MML commands..........................................................................................................................................20
4.4.2.3 Using the CME....................................................................................................................................................... 20
4.4.3 Activation Verification.............................................................................................................................................. 21
4.4.4 Network Monitoring.................................................................................................................................................. 21

5 Parameters..................................................................................................................................... 22
6 Counters........................................................................................................................................ 23
7 Glossary......................................................................................................................................... 24
8 Reference Documents................................................................................................................. 25


1 Change History

This section describes changes not included in the "Parameters", "Counters", "Glossary", and
"Reference Documents" chapters. These changes include:
• Technical changes
  Changes in functions and their corresponding parameters
• Editorial changes
  Improvements or revisions to the documentation

1.1 SRAN15.1 01 (2019-06-06)


This issue does not include any changes.

1.2 SRAN15.1 Draft B (2019-03-18)


This issue includes the following changes.

Technical Changes
Change Description                                               Parameter Change
Added support for NR by 3900 series base stations and DBS3900    None
LampSite. For details, see 4.3.3 Hardware.

Editorial Changes
None

1.3 SRAN15.1 Draft A (2018-12-30)


This issue introduces the following changes to SRAN13.1 01 (2018-04-10).


Technical Changes
Change Description                                      Parameter Change
Added a new transmission configuration model. For       Added parameters:
details, see the following sections:                    • GTRANSPARA.TRANSCFGMODE
• 4.1.2 Protocol Stacks                                 • DOT1XAUTH.AM
• 4.1.3.1 Typical Network Topology                      • DOT1XAUTH.DOT1XAUTHID
• 4.4.2 Data Configuration                              • DOT1XAUTH.PT
                                                        • DOT1XAUTH.PORTID

Added support for New Radio (NR).                       None

Editorial Changes
Reorganized this document using a new template.


2 About This Document

2.1 General Statements


Purpose
Feature Parameter Description documents are intended to acquaint readers with:
• The technical principles of features and their related parameters
• The scenarios where these features are used, the benefits they provide, and the impact
  they have on networks and functions
• Requirements of the operating environment that must be met before feature activation
• Parameter configuration required for feature activation, verification of feature activation,
  and monitoring of feature performance
NOTE

This document only provides guidance for feature activation. Feature deployment and feature
gains depend on the specifics of the network scenario where the feature is deployed. To achieve
the desired gains, contact Huawei professional service engineers.

Software Interfaces
Any parameters, alarms, counters, or managed objects (MOs) described in Feature Parameter
Description documents apply only to the corresponding software release. For future software
releases, refer to the corresponding updated product documentation.

2.2 Applicable RAT


This document applies to GSM, UMTS, LTE FDD, LTE TDD, NB-IoT, and New Radio (NR).
For definitions of base stations described in this document, see section "Base Station
Products" in SRAN Networking and Evolution Overview Feature Parameter Description.

2.3 Features in This Document


This document describes the following features.


Feature ID       Feature Name                                          Section
LOFD-003015      Access Control based on 802.1x                        4 Access Control based on 802.1x
MLOFD-003015     Access Control based on 802.1x                        4 Access Control based on 802.1x
TDLOFD-003015    Access Control based on 802.1x                        4 Access Control based on 802.1x
FBFD-010023      Security Mechanism (Access Control Based on 802.1x)   4 Access Control based on 802.1x


3 Overview

IEEE 802.1x is an IEEE standard for port-based network access control. It is part of the IEEE
802 group of networking protocols. With port-based network access control, the
authentication access equipment in the local area network (LAN) performs identity
authentication and access control on users or devices connected to its ports. Only the users or
devices that can be authenticated are allowed to access the LAN through the ports. Access
Control based on 802.1x prevents unauthorized users or devices from accessing the network,
which ensures transport network security.
Huawei base stations support Access Control based on 802.1x. The authentication is
unidirectional and is based on Extensible Authentication Protocol-Transport Layer Security
(EAP-TLS). That is, the authentication server performs unidirectional authentication on the
digital certificates of base stations. Figure 3-1 shows the network topology for Access
Control based on 802.1x.

Figure 3-1 Network topology for Access Control based on 802.1x


4 Access Control based on 802.1x

4.1 Principles

4.1.1 Operating Principle


Access Control based on 802.1x usually adopts the client/server architecture, as shown in
Figure 3-1. The authentication access equipment receives authentication packets from users
or devices and then forwards the packets to the authentication server. The authentication
server authenticates the identities of the users or devices. If the authentication succeeds, the
data flow of the users or devices can pass through the ports of the authentication access
equipment.
Access Control based on 802.1x involves the following components:
• Authentication client (a device to be authenticated, such as a base station): initiates an
  802.1x-based access control procedure. An authentication client is also referred to as a
  supplicant. To support port-based access control, the authentication client needs to support
  the Extensible Authentication Protocol over LAN (EAPoL).
• Authentication access equipment (such as a LAN switch): receives and forwards EAP
  authentication packets between the base station and authentication server at the Media
  Access Control (MAC) layer. Authentication access equipment is also referred to as an
  authenticator. The authentication access equipment also controls the status (authorized or
  unauthorized) of controlled ports based on the authentication result at the authentication
  server.
• Authentication server: performs authentication on clients. The servers commonly used
  are Remote Authentication Dial In User Service (RADIUS) and Authentication,
  Authorization and Accounting (AAA) servers.
NOTE

The functions of RADIUS and AAA servers are similar. This document uses the RADIUS server as an
example to describe Access Control based on 802.1x.

Figure 4-1 shows the operating principle of Access Control based on 802.1x.


Figure 4-1 Operating principle of Access Control based on 802.1x

NOTE

Port access entity (PAE) is a port-related protocol entity that processes protocol packets during an
authentication procedure.

A physical Ethernet port of the authentication access equipment consists of two logical ports:
one controlled port and one uncontrolled port:
• Controlled port: A controlled port can be in the unauthorized or authorized state,
  depending on the authentication result at the authentication server.
  – A controlled port in the authorized state is in the bidirectional connectivity state and
    data flow can pass through the port.
  – A controlled port in the unauthorized state does not allow any data to pass through.
• Uncontrolled port: An uncontrolled port is always in the bidirectional connectivity state.
  Only EAPoL packets can pass through an uncontrolled port. This ensures that the
  authentication client can always transmit and receive authentication packets.
During initial access, the base station is not authenticated, and therefore the controlled port is
in the unauthorized state. At this point, only EAPoL packets can pass through the
uncontrolled port and be sent to the authentication server. After the authentication server
authenticates the base station and the authentication access equipment authorizes the
controlled port, the controlled port becomes authorized and data from the base station can
pass through the controlled port in the authorized state. This process ensures that only
authorized users and devices can access the network.
Port-based access control can be based on a physical port (such as the MAC address) or a
logical port (such as the VLAN). Huawei base stations support only port-based access control
based on the MAC address. That is, the authentication message sent by a base station contains
the MAC address of the Ethernet port that connects the base station to the transport network.
If authentication succeeds, the authentication access equipment performs access control on
data flow based on this MAC address.
For details about IEEE 802.1x-based access control, see IEEE 802.1x-2004.
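The following Python model illustrates the port logic described in this section: EAPoL frames always pass through the uncontrolled port, data frames pass through the controlled port only after the authentication server has accepted the source MAC address, and a second, unauthenticated MAC address on the same physical port stays blocked. It is an example added to this description, not base station or switch software; the class and function names, the broadcast IPv4 frame standing in for DHCP Discover, and the sample MAC addresses are constructed for the illustration. The EtherType 0x888E and the multicast address 01-80-C2-00-00-03 are the real EAPoL values.

```python
"""Model of one authenticator port as described in 4.1.1 (added example)."""
from dataclasses import dataclass, field

EAPOL_ETHERTYPE = 0x888E                          # EtherType carried by EAPoL frames
EAPOL_PAE_GROUP = bytes.fromhex("0180C2000003")   # EAPoL-Start destination (see 4.1.3.2.1)
IPV4_ETHERTYPE = 0x0800
BROADCAST = b"\xff" * 6


@dataclass
class Frame:
    dst: bytes
    src: bytes
    ethertype: int


@dataclass
class AuthenticatorPort:
    """One physical Ethernet port of the authenticator, split into the
    uncontrolled port (EAPoL only, always connected) and the controlled port,
    whose authorized/unauthorized state is kept per source MAC address."""
    authorized_macs: set = field(default_factory=set)

    def controlled_port_state(self, mac: bytes) -> str:
        return "authorized" if mac in self.authorized_macs else "unauthorized"

    def on_auth_result(self, mac: bytes, success: bool) -> None:
        """Apply the authentication server's verdict for the supplicant's MAC."""
        if success:
            self.authorized_macs.add(mac)
        else:
            self.authorized_macs.discard(mac)

    def forward(self, frame: Frame) -> str:
        """Return the logical port that carries the frame, or 'dropped'."""
        if frame.ethertype == EAPOL_ETHERTYPE:
            return "uncontrolled"          # authentication traffic always passes
        if frame.src in self.authorized_macs:
            return "controlled"            # data from an authorized MAC passes
        return "dropped"                   # controlled port unauthorized for this MAC


def initial_access_demo(bs_mac: bytes, other_mac: bytes) -> dict:
    """Walk through initial access on one port: DHCP is blocked until the
    EAP-TLS result arrives, and only the authenticated MAC is opened."""
    port = AuthenticatorPort()
    dhcp = Frame(BROADCAST, bs_mac, IPV4_ETHERTYPE)        # stands in for DHCP Discover
    eapol_start = Frame(EAPOL_PAE_GROUP, bs_mac, EAPOL_ETHERTYPE)
    result = {
        "dhcp_before_auth": port.forward(dhcp),            # dropped
        "eapol_start": port.forward(eapol_start),          # uncontrolled
    }
    port.on_auth_result(bs_mac, success=True)              # RADIUS accepted the certificate
    result["state_after_auth"] = port.controlled_port_state(bs_mac)
    result["dhcp_after_auth"] = port.forward(dhcp)         # controlled
    result["other_mac_after_auth"] = port.forward(Frame(BROADCAST, other_mac, IPV4_ETHERTYPE))
    port.on_auth_result(bs_mac, success=False)             # later rejection closes the port again
    result["dhcp_after_revoke"] = port.forward(dhcp)
    return result


if __name__ == "__main__":
    # Constructed locally administered MAC addresses.
    print(initial_access_demo(bytes.fromhex("020000000001"), bytes.fromhex("020000000002")))
```

The per-MAC set is what makes this a MAC-based (physical-port) access control model, as the text states for Huawei base stations; a VLAN-based (logical-port) variant would key the set on the VLAN ID instead.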

4.1.2 Protocol Stacks


In IEEE 802.1x-based access control, the authentication client and the authentication server
exchange authentication messages using the EAP protocol. Between the authentication client
and the authentication access equipment, EAP data is encapsulated in EAPoL frames so that
the data can be transmitted in the LAN. Between the authentication access equipment and the
authentication server, EAPoL frames are re-encapsulated in EAP over RADIUS (EAPoR)
frames so that the data can be transmitted using the RADIUS protocol.

Figure 4-2 shows the protocol stacks for Access Control based on 802.1x.

Figure 4-2 Protocol stacks for Access Control based on 802.1x

Access Control based on 802.1x uses the EAP protocol for authentication. The EAP protocol
supports multiple authentication methods. Huawei base stations adopt unidirectional EAP-
TLS authentication, that is, the authentication server authenticates base stations using digital
certificates.

In an IEEE 802.1x-based access control procedure, the base station sends its digital certificate
to the RADIUS server in an EAPoL frame. The RADIUS server authenticates the base station
by using the Huawei root certificate or the operator's root certificate. In this procedure, EAP-TLS
unidirectional authentication is used, which is specified by DOT1X.AM (old model)/
DOT1XAUTH.AM (new model).

For details about the EAP protocol, see RFC 3748.

For details about the EAP-TLS protocol, see RFC 2716.
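The following Python code shows the two encapsulation steps of the protocol stack in Figure 4-2 in concrete bytes: an EAP packet carried in an EAPoL frame on the LAN side, and the same EAP packet copied into RADIUS EAP-Message attributes (EAPoR) on the server side. It is an example added to this description, not base station or switch software. The EAPoL header layout (version, type, length) follows IEEE 802.1x, the EAP header follows RFC 3748, and the EAP-Message attribute (type 79, at most 253 bytes of value per attribute) follows RFC 3579; the MAC addresses and the identity string are constructed. The parser cross-checks the EAPoL and EAP length fields so that a truncated frame is rejected rather than misread.

```python
"""EAPoL and EAPoR framing for the protocol stack in 4.1.2 (added example)."""
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180C2000003")    # EAPoL-Start destination (note in 4.1.3.2.1)
EAPOL_VERSION = 1
EAPOL_TYPE_EAP_PACKET, EAPOL_TYPE_START = 0, 1
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 13
RADIUS_ATTR_EAP_MESSAGE = 79


def eap_packet(code: int, identifier: int, eap_type: int = None, data: bytes = b"") -> bytes:
    """EAP header (RFC 3748): code(1) identifier(1) length(2) [type(1) type-data]."""
    if code in (EAP_SUCCESS, EAP_FAILURE):        # Success/Failure carry no type field
        return struct.pack("!BBH", code, identifier, 4)
    return struct.pack("!BBHB", code, identifier, 5 + len(data), eap_type) + data


def eapol_frame(dst: bytes, src: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Ethernet header + EAPoL header (version, type, body length) + body."""
    eth = dst + src + struct.pack("!H", EAPOL_ETHERTYPE)
    return eth + struct.pack("!BBH", EAPOL_VERSION, eapol_type, len(body)) + body


def parse_eapol(frame: bytes) -> dict:
    """Decode an EAPoL frame and, for an EAP-Packet, the EAP header inside it."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPoL headers")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPoL frame")
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPoL length field exceeds the frame")
    out = {"dst": dst, "src": src, "version": version, "eapol_type": eapol_type}
    if eapol_type == EAPOL_TYPE_EAP_PACKET:
        if length < 4:
            raise ValueError("EAP packet shorter than its fixed header")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len != length:
            raise ValueError("EAP length disagrees with EAPoL length")
        out.update(eap_code=code, eap_id=ident)
        if code in (EAP_REQUEST, EAP_RESPONSE):
            out["eap_type"], out["eap_data"] = body[4], body[5:]
    return out


def eap_to_radius_attrs(eap: bytes, max_value: int = 253) -> list:
    """EAPoR step: the authenticator copies the EAP packet into RADIUS
    EAP-Message attributes (type 79), splitting it at 253 bytes of value."""
    attrs = []
    for i in range(0, len(eap), max_value):
        value = eap[i:i + max_value]
        attrs.append(struct.pack("!BB", RADIUS_ATTR_EAP_MESSAGE, 2 + len(value)) + value)
    return attrs


def supplicant_opening(bs_mac: bytes, switch_mac: bytes) -> dict:
    """First two supplicant frames: EAPoL-Start to the PAE group address, then
    EAP-Response/Identity answering the authenticator's Identity request."""
    start = eapol_frame(PAE_GROUP_ADDR, bs_mac, EAPOL_TYPE_START)
    identity = eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"bs-serial-constructed")
    response = eapol_frame(switch_mac, bs_mac, EAPOL_TYPE_EAP_PACKET, identity)
    return {"start": start, "response": response, "radius_attrs": eap_to_radius_attrs(identity)}


if __name__ == "__main__":
    o = supplicant_opening(bytes.fromhex("020000000001"), bytes.fromhex("020000000002"))
    print(parse_eapol(o["start"]), parse_eapol(o["response"]), sep="\n")
```

An EAP-TLS response carrying a certificate chain is several kilobytes, so the split into multiple EAP-Message attributes in eap_to_radius_attrs is the normal case for this feature rather than an edge case.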

4.1.3 Application of Access Control based on 802.1x


This chapter describes the application of IEEE 802.1x-based access control on a base station.

4.1.3.1 Typical Network Topology


To implement IEEE 802.1x-based access control, an authentication server and authentication
access equipment (generally a LAN switch directly connected to the base station) that support
IEEE 802.1x-based access control need to be deployed in the network. Because Huawei base
stations adopt unidirectional EAP-TLS authentication based on IEEE 802.1x and are
preconfigured with a Huawei-issued device certificate and a Huawei root certificate before
delivery, the authentication server needs to be preconfigured with the Huawei root certificate.
Figure 4-3 shows a typical network topology for IEEE 802.1x-based access control.


Figure 4-3 Typical network topology for IEEE 802.1x-based access control

IEEE 802.1x-based access control of Ethernet ports can be activated by using the ACT
DOT1X (old model)/ACT DOT1XAUTH (new model) command and deactivated by using
the DEA DOT1X (old model)/DEA DOT1XAUTH (new model) command. By default,
IEEE 802.1x-based access control is activated on Ethernet ports of base stations before
delivery.

4.1.3.2 Auto-Discovery with Access Control based on 802.1x

4.1.3.2.1 Automatic Base Station Deployment by PnP


When Access Control based on 802.1x is activated in the network, a base station must pass
the IEEE 802.1x-based authentication before automatic deployment by plug and play (PnP).
To ensure the base station's adaptability to the network, after being powered on, the base
station performs as follows depending on network conditions:
• If the network supports IEEE 802.1x-based access control, and IEEE 802.1x-based
  access control is activated on the Ethernet port that connects the base station to the
  transport network:
  The base station initiates an IEEE 802.1x-based access control procedure. After the IEEE
  802.1x-based access control succeeds, the base station sends a Dynamic Host
  Configuration Protocol (DHCP) Discover packet to the authentication access equipment
  to start the DHCP procedure. After the DHCP procedure is complete, the automatic base
  station deployment procedure starts.
• If the network supports IEEE 802.1x-based access control, but IEEE 802.1x-based
  access control is deactivated on the Ethernet port that connects the base station to the
  transport network:
  The base station does not initiate an IEEE 802.1x-based access control procedure.
  Instead, the base station first sends a DHCP Discover packet and the DHCP module
  queries whether IEEE 802.1x-based access control is activated on the Ethernet port that
  connects the base station to the transport network. If IEEE 802.1x-based access control is
  deactivated and authentication is not performed, the base station triggers an IEEE
  802.1x-based access control procedure. Because the network uses IEEE 802.1x-based
  access control, the DHCP Discover packet cannot pass through the authentication access
  equipment, and therefore the DHCP procedure fails. The base station waits for the
  authentication result. After the IEEE 802.1x-based access control succeeds, the base
  station resends a DHCP Discover packet. After the DHCP procedure is complete, the
  automatic base station deployment procedure starts.
  For example, the main control board of the base station has an incorrect configuration
  file, in which IEEE 802.1x-based access control is deactivated on the Ethernet port that
  connects the base station to the transport network. In this case, the DHCP procedure
  triggers the IEEE 802.1x-based access control procedure during automatic base station
  deployment.
• If the network does not support IEEE 802.1x-based access control, and IEEE 802.1x-
  based access control is activated on the Ethernet port that connects the base station to the
  transport network:
  The base station initiates the IEEE 802.1x-based access control procedure three times
  at an interval of 25 seconds. If the base station does not receive any response from the
  network, the base station determines that the network does not support IEEE 802.1x-
  based access control. The base station then sends a DHCP Discover packet. The DHCP
  Discover packet can pass through the authentication access equipment. After the DHCP
  procedure is complete, the automatic base station deployment procedure starts.
NOTE

During automatic base station deployment by PnP, the IEEE 802.1x-based access control procedure uses
the preconfigured Huawei-issued device certificate of the base station for authentication.

The rest of this section describes automatic base station deployment by PnP in the preceding
three scenarios.

Scenario 1

Figure 4-4 shows automatic base station deployment when the network supports IEEE
802.1x-based access control and IEEE 802.1x-based access control is activated on the
Ethernet port that connects the base station to the transport network.

Figure 4-4 Automatic base station deployment (1)


The automatic base station deployment procedure in this scenario is as follows:


1. After the base station is powered on, it sends an EAPoL-Start packet to the
authentication access equipment, to initiate an IEEE 802.1x-based access control
procedure.
2. The base station, authentication access equipment, and authentication server perform the
IEEE 802.1x-based access control procedure. The base station can initiate the IEEE
802.1x-based access control procedure on the same Ethernet port for a maximum of three
times at an interval of 25 seconds.
3. If the IEEE 802.1x-based access control procedure succeeds, the base station initiates a
DHCP procedure. After the DHCP procedure is complete, the automatic base station
deployment procedure starts.
4. If the IEEE 802.1x-based access control procedure fails, the base station initiates a
DHCP procedure. However, the base station does not receive any response to the DHCP
procedure, and therefore the DHCP procedure fails. The base station attempts to initiate
IEEE 802.1x-based access control and DHCP procedures on the next Ethernet port.
NOTE

In the IEEE 802.1x-based access control procedure, the EAPoL-Start packet is a multicast packet and its
destination MAC address is 01-80-C2-00-00-03; other packets are unicast packets.

Scenario 2
Figure 4-5 shows automatic base station deployment when the network supports IEEE
802.1x-based access control but IEEE 802.1x-based access control is deactivated on the
Ethernet port that connects the base station to the transport network.

Figure 4-5 Automatic base station deployment (2)


The automatic base station deployment procedure in this scenario is as follows:

1. After a base station is powered on, it sends a DHCP Discover packet to the
authentication access equipment because IEEE 802.1x-based access control is
deactivated on the Ethernet port that connects the base station to the transport network.
2. The DHCP module queries whether IEEE 802.1x-based access control is activated on the
Ethernet port that connects the base station to the transport network. If IEEE 802.1x-
based access control is deactivated and authentication is not performed, the base station
triggers an IEEE 802.1x-based access control procedure on this Ethernet port.
3. Because the controlled port of the authentication access equipment is in the unauthorized
state, the base station does not receive any DHCP response. The DHCP procedure fails.
The base station waits for the authentication result.
4. If the IEEE 802.1x-based access control procedure succeeds, the base station resends a
DHCP Discover packet through the Ethernet port. After the DHCP procedure is
complete, the automatic base station deployment procedure starts.

Scenario 3

Figure 4-6 shows automatic base station deployment when the network does not support
IEEE 802.1x-based access control and IEEE 802.1x-based access control is activated on the
Ethernet port that connects the base station to the transport network.

Figure 4-6 Automatic base station deployment (3)

The automatic base station deployment procedure in this scenario is as follows:

1. After the base station is powered on, it initiates an IEEE 802.1x-based access control
   procedure. The base station sends the EAPoL-Start packet three times at an interval
   of 25 seconds but does not receive any response. Therefore, the base station determines
   that the network does not support IEEE 802.1x-based access control.
2. The base station sends a DHCP Discover packet to the authentication access equipment.
3. After the DHCP procedure is complete, the automatic base station deployment procedure
starts.
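The following Python simulation runs the decision logic of the three scenarios above with the retry count (three EAPoL-Start attempts) and interval (25 seconds) stated in this section; time is counted rather than slept. It is an example added to this description, not base station software. The Network stub with its two constructed properties (whether the authentication access equipment enforces 802.1x, and whether the RADIUS server accepts the base station's certificate) and all function names are this example's own. The text does not describe the fourth combination (802.1x deactivated on the port and a network that does not enforce it); the example applies the same rules to it, which is an assumption. In scenario 3 the simulated wait is 3 × 25 s = 75 s, the same figure this document gives for the PnP delay in 4.2.2.

```python
"""Simulation of the PnP scenarios in 4.1.3.2.1 (added example)."""
from dataclasses import dataclass

DOT1X_ATTEMPTS = 3        # EAPoL-Start attempts per Ethernet port (from the text)
DOT1X_INTERVAL_S = 25     # interval between attempts in seconds (from the text)


@dataclass
class Network:
    supports_dot1x: bool        # authentication access equipment enforces 802.1x
    accepts_cert: bool = True   # RADIUS accepts the base station's device certificate


@dataclass
class BootResult:
    dot1x_outcome: str   # "authenticated", "rejected" or "no_response"
    dhcp_ok: bool
    elapsed_s: int
    log: list


def run_dot1x(net: Network, log: list) -> tuple:
    """Send EAPoL-Start up to three times, 25 s apart; return (outcome, seconds waited)."""
    if not net.supports_dot1x:
        for attempt in range(1, DOT1X_ATTEMPTS + 1):       # scenario 3: nobody answers
            log.append(f"EAPoL-Start #{attempt}: no response")
        return "no_response", DOT1X_ATTEMPTS * DOT1X_INTERVAL_S
    log.append("EAPoL-Start: authenticator answered, EAP-TLS exchange run")
    return ("authenticated" if net.accepts_cert else "rejected"), 0


def run_dhcp(net: Network, authenticated: bool, log: list) -> bool:
    """DHCP Discover gets an offer only if the network does not enforce 802.1x
    or the base station's MAC has been authorized on the controlled port."""
    ok = (not net.supports_dot1x) or authenticated
    log.append("DHCP Discover: " + ("offer received" if ok else "no response"))
    return ok


def boot(net: Network, dot1x_active_on_port: bool) -> BootResult:
    """Power-on sequence of the base station for one Ethernet port."""
    log = []
    if dot1x_active_on_port:
        outcome, elapsed = run_dot1x(net, log)
        if outcome == "rejected":
            run_dhcp(net, False, log)                 # scenario 1 step 4: DHCP still tried
            log.append("moving to next Ethernet port")
            return BootResult(outcome, False, elapsed, log)
        dhcp_ok = run_dhcp(net, outcome == "authenticated", log)
        return BootResult(outcome, dhcp_ok, elapsed, log)
    # 802.1x deactivated on the port (scenario 2): DHCP goes first.
    dhcp_ok = run_dhcp(net, False, log)
    log.append("DHCP module: 802.1x deactivated on port, not authenticated -> trigger 802.1x")
    outcome, elapsed = run_dot1x(net, log)
    if not dhcp_ok and outcome == "authenticated":
        dhcp_ok = run_dhcp(net, True, log)            # scenario 2 step 4: resend Discover
    return BootResult(outcome, dhcp_ok, elapsed, log)


if __name__ == "__main__":
    for name, net, active in (("scenario 1", Network(True), True),
                              ("scenario 2", Network(True), False),
                              ("scenario 3", Network(False), True)):
        r = boot(net, active)
        print(name, r.dot1x_outcome, r.dhcp_ok, f"{r.elapsed_s}s", *r.log, sep="\n  ")
```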


4.1.3.2.2 Application on Existing Base Stations


After a base station obtains the configuration file, it restarts. If the state of its Ethernet port
changes from DOWN to UP and IEEE 802.1x-based access control is activated on this
Ethernet port, the base station initiates an IEEE 802.1x-based access control procedure. By
default, IEEE 802.1x-based access control and SSL authentication use the same certificate:

• If the certificate used for SSL authentication in the configuration file is set to the
  operator-issued device certificate, the IEEE 802.1x-based access control procedure uses
  the operator-issued device certificate to authenticate the base station.
• If the certificate used for SSL authentication in the configuration file is set to the
  Huawei-issued device certificate, the IEEE 802.1x-based access control procedure uses
  the Huawei-issued device certificate to authenticate the base station.
• If the SSL authentication method is cryptonym authentication, by default the IEEE
  802.1x-based access control procedure uses the Huawei-issued device certificate to
  authenticate the base station.
NOTE

During base station deployment using a USB flash drive, the certificate used in the IEEE 802.1x-based
access control procedure is specified in the configuration file. Because the base station is preconfigured
with the Huawei-issued device certificate, the certificate for SSL authentication can be set only to
Huawei-issued device certificate in the configuration file. If the certificate for SSL authentication is set
to the operator-issued device certificate, the IEEE 802.1x-based access control procedure fails.

4.2 Network Analysis

4.2.1 Benefits
Access control based on 802.1x prevents unauthorized users or devices from accessing the
network, which ensures transport network security.

4.2.2 Impacts

Network Impact
When the Access Control based on 802.1x feature is enabled, the time for base station
deployment by PnP is prolonged by about 75 seconds.

Function Impacts
None

4.3 Requirements

4.3.1 Licenses
The license controlling Access Control based on 802.1x needs to be activated only for FDD,
TDD, and NB-IoT eNodeBs. No license is required for GBTSs, eGBTSs, NodeBs, and
gNodeBs.


Feature ID       Feature Name                     Model          License Control Item Name                 NE       Sales Unit
LOFD-003015      Access Control based on 802.1x   LT1S000ACC00   Access Control based on 802.1x (FDD)      eNodeB   per eNodeB
MLOFD-003015     Access Control based on 802.1x   ML1S000ACC00   Access Control based on 802.1x (NB-IoT)   eNodeB   per eNodeB
TDLOFD-003015    Access Control based on 802.1x   LT1ST00ACC00   Access Control based on 802.1x (TDD)      eNodeB   per eNodeB

4.3.2 Software
Before activating this function, ensure that its prerequisite functions have been activated and
mutually exclusive functions have been deactivated. For detailed operations, see the relevant
feature documents.

4.3.2.1 LOFD-003015 Access Control based on 802.1x

Prerequisite Functions
RAT | Function Name | Function Switch | Reference
LTE FDD | Public Key Infrastructure (PKI) | None | PKI

Mutually Exclusive Functions
None

4.3.2.2 MLOFD-003015 Access Control based on 802.1x

Prerequisite Functions
RAT | Function Name | Function Switch | Reference
NB-IoT | Public Key Infrastructure (PKI) | None | PKI


Mutually Exclusive Functions
None

4.3.2.3 TDLOFD-003015 Access Control based on 802.1x

Prerequisite Functions
RAT | Function Name | Function Switch | Reference
LTE TDD | Public Key Infrastructure (PKI) | None | PKI

Mutually Exclusive Functions
None

4.3.2.4 FBFD-010023 Security Mechanism (Access Control based on 802.1x)

Prerequisite Functions
None

Mutually Exclusive Functions
None

4.3.2.5 Access Control based on 802.1x on the GSM Side

Prerequisite Functions
RAT | Function Name | Function Switch | Reference
GSM | BTS Supporting PKI | None | PKI
GSM | Abis over IP | None | IPv4 Transmission

Mutually Exclusive Functions
None


4.3.2.6 Access Control based on 802.1x on the UMTS Side

Prerequisite Functions
RAT | Function Name | Function Switch | Reference
UMTS | NodeB PKI Support | None | PKI
UMTS | IP Transmission Introduction on Iub Interface | None | IPv4 Transmission

Mutually Exclusive Functions
None

4.3.3 Hardware

Base Station Models
RAT | Base Station Model
GSM | 3900 and 5900 series base stations
UMTS | 3900 and 5900 series base stations; DBS3900 LampSite and DBS5900 LampSite; BTS3911E
LTE | 3900 and 5900 series base stations; DBS3900 LampSite and DBS5900 LampSite; BTS3912E; BTS3911E
NR | 3900 and 5900 series base stations (3900 series base stations must be configured with the BBU3910); DBS3900 LampSite and DBS5900 LampSite (DBS3900 LampSite must be configured with the BBU3910)

Boards
NE Type | Board Configuration | Type of Port Connecting to the Transport Network
eGBTS | The UMPT/UMDU/GTMUc provides a transmission port. | Ethernet port
eGBTS | UMPT+UTRPc, with the UTRPc providing a transmission port | Ethernet port
NodeB | The UMPT/UMDU/MDUC provides a transmission port. | Ethernet port
NodeB | UMPT+UTRPc, with the UTRPc providing a transmission port | Ethernet port
eNodeB | The LMPT provides a transmission port. | Ethernet port
eNodeB | The UMPT/UMDU provides a transmission port. | Ethernet port
eNodeB | LMPT/UMPT+UTRPc, with the UTRPc providing a transmission port | Ethernet port
gNodeB | The UMPT provides a transmission port. | Ethernet port
Multimode base station | The UMPT/UMDU/MDUC provides a transmission port. (The MDUC supports only GSM and UMTS dual-mode.) | Ethernet port
Multimode base station | The LMPT provides a transmission port. | Ethernet port
Multimode base station | UMPT/LMPT+UTRPc, with the UTRPc providing a transmission port | Ethernet port

NOTE
eGBTSs configured with GTMUb boards do not support the Access Control based on 802.1x feature. eGBTSs described in this document are not configured with GTMUb boards.

RF Modules
N/A

4.3.4 Networking
- An authentication server has been deployed in the network.
- The authentication server supports the EAP protocol defined in RFC 3748 and supports EAP-TLS authentication.
- The authentication server is preconfigured with the Huawei root certificate. If the customer requires that the operator-issued device certificate be used for authentication, the operator's root certificate must be preconfigured on the authentication server.
- The authentication access equipment supports IEEE 802.1x-based access control and EAP packet processing.
- The authentication access equipment supports port-based access control based on the MAC address.
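The exchange that the authentication server and the access equipment listed above must handle, shown as an added example that is not part of this document and not Huawei code: EAPOL framing (IEEE 802.1x-2004), the EAP Request/Response/Success packet layout (RFC 3748), EAP-TLS Start and fragmentation flags (RFC 2716), and a minimal authenticator port that authorizes only the MAC address that passed EAP (the "port-based access control based on the MAC address" requirement). The MAC addresses, the identity string and the TLS record bytes are constructed; no real TLS handshake or certificate check is performed, the block only shows the carrier protocol that wraps it.

```python
"""EAPOL/EAP/EAP-TLS framing and a per-MAC authenticator port (added illustration, not Huawei code)."""
import struct
from typing import List, Optional, Tuple

EAPOL_VERSION = 2                                       # 802.1X-2004 protocol version
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 13                 # RFC 3748 / RFC 2716 type codes
TLS_FLAG_L, TLS_FLAG_M, TLS_FLAG_S = 0x80, 0x40, 0x20   # length-included, more, start
ETHERTYPE_EAPOL, ETHERTYPE_IPV4 = 0x888E, 0x0800

class EAP:
    """One EAP packet: Code, Identifier, Length, then Type and Type-Data (RFC 3748 section 4)."""
    def __init__(self, code: int, ident: int, etype: Optional[int] = None, data: bytes = b""):
        self.code, self.ident, self.etype, self.data = code, ident, etype, data

    def pack(self) -> bytes:
        body = b"" if self.etype is None else bytes([self.etype]) + self.data
        return struct.pack("!BBH", self.code, self.ident, 4 + len(body)) + body

    @classmethod
    def unpack(cls, raw: bytes) -> "EAP":
        code, ident, length = struct.unpack("!BBH", raw[:4])
        if length < 4 or length > len(raw):
            raise ValueError("EAP Length field does not fit the frame")
        if code in (EAP_SUCCESS, EAP_FAILURE):          # Success/Failure carry no Type
            return cls(code, ident)
        return cls(code, ident, raw[4], raw[5:length])

def eapol(ptype: int, body: bytes = b"") -> bytes:
    # EAPOL header in front of an EAP packet (empty body for EAPOL-Start/Logoff)
    return struct.pack("!BBH", EAPOL_VERSION, ptype, len(body)) + body

def eapol_unpack(raw: bytes) -> Tuple[int, bytes]:
    _version, ptype, length = struct.unpack("!BBH", raw[:4])
    return ptype, raw[4:4 + length]

def eap_tls_fragments(first_ident: int, tls_msg: bytes, mtu: int) -> List[EAP]:
    """Split a TLS message (e.g. the base station's Certificate) into EAP-TLS Responses: the first
    carries L plus the 4-byte total length, all but the last carry M; one Identifier per fragment."""
    frags, pos, ident = [], 0, first_ident
    while True:
        chunk, pos = tls_msg[pos:pos + mtu], min(pos + mtu, len(tls_msg))
        flags, hdr = (0, b"") if frags else (TLS_FLAG_L, struct.pack("!I", len(tls_msg)))
        if pos < len(tls_msg):
            flags |= TLS_FLAG_M
        frags.append(EAP(EAP_RESPONSE, ident, EAP_TYPE_TLS, bytes([flags]) + hdr + chunk))
        ident = (ident + 1) & 0xFF
        if pos >= len(tls_msg):
            return frags

def eap_tls_reassemble(frags: List[EAP]) -> bytes:
    """Authenticator-side reassembly that checks flags and announced length instead of trusting them."""
    expected, buf = None, b""
    for i, f in enumerate(frags):
        if f.code != EAP_RESPONSE or f.etype != EAP_TYPE_TLS:
            raise ValueError("not an EAP-TLS Response")
        flags, payload = f.data[0], f.data[1:]
        if flags & TLS_FLAG_L:
            expected, payload = struct.unpack("!I", payload[:4])[0], payload[4:]
        elif i == 0:
            raise ValueError("first fragment must carry the L flag")
        buf += payload
        if bool(flags & TLS_FLAG_M) == (i == len(frags) - 1):   # M on the last, or missing earlier
            raise ValueError("M flag disagrees with the fragment sequence")
    if expected is not None and len(buf) != expected:
        raise ValueError("reassembled %d bytes, header announced %d" % (len(buf), expected))
    return buf

class AuthenticatorPort:
    """Port-based control with per-MAC authorization: EAPOL always passes so a supplicant can
    authenticate; any other frame passes only if its source MAC received EAP-Success here."""
    def __init__(self):
        self.authorized = set()

    def on_eap_result(self, mac: str, pkt: EAP) -> None:
        if pkt.code == EAP_SUCCESS:
            self.authorized.add(mac)
        elif pkt.code == EAP_FAILURE:
            self.authorized.discard(mac)

    def forwards(self, src_mac: str, ethertype: int) -> bool:
        return ethertype == ETHERTYPE_EAPOL or src_mac in self.authorized

def run_exchange() -> dict:
    """Base station (supplicant) to access switch/server; only the base station side is authenticated."""
    bs_mac, port = "00:11:22:33:44:55", AuthenticatorPort()          # constructed MAC
    blocked_before = not port.forwards(bs_mac, ETHERTYPE_IPV4)        # no IP before EAP-Success
    start_type, _ = eapol_unpack(eapol(EAPOL_START))                  # base station opens
    req = EAP.unpack(eapol_unpack(eapol(EAPOL_EAP_PACKET, EAP(EAP_REQUEST, 1, EAP_TYPE_IDENTITY).pack()))[1])
    resp = EAP(EAP_RESPONSE, req.ident, EAP_TYPE_IDENTITY, b"bs-0001")   # Identifier is echoed
    tls_start = EAP(EAP_REQUEST, 2, EAP_TYPE_TLS, bytes([TLS_FLAG_S]))   # server: EAP-TLS Start
    cert_msg = b"\x16\x03\x03" + bytes(range(256)) * 9                   # constructed 2307-byte record
    frags = eap_tls_fragments(3, cert_msg, mtu=1000)
    reassembled = eap_tls_reassemble([EAP.unpack(f.pack()) for f in frags])
    port.on_eap_result(bs_mac, EAP.unpack(EAP(EAP_SUCCESS, frags[-1].ident).pack()))
    return {"blocked_before": blocked_before, "eapol_start_type": start_type,
            "identity_echoed": resp.ident == req.ident, "tls_start": tls_start.data[0] == TLS_FLAG_S,
            "fragments": len(frags), "reassembled_ok": reassembled == cert_msg,
            "bs_allowed_after": port.forwards(bs_mac, ETHERTYPE_IPV4),
            "rogue_allowed_after": port.forwards("de:ad:be:ef:00:01", ETHERTYPE_IPV4)}
```

Two points this makes visible that the requirement list only states: the access equipment has to keep the port closed to everything except EAPOL until EAP-Success arrives, and must keep it closed for any other source MAC afterwards, and the server has to validate the L/M flags and announced length of the supplicant's EAP-TLS fragments rather than buffer whatever arrives. In a real deployment the TLS record carried inside the fragments is the base station's device certificate, which the server verifies against the preconfigured Huawei or operator root certificate.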

4.3.5 Others
None

4.4 Operation and Maintenance


This section describes how to deploy the Access Control based on 802.1x feature in a newly
deployed network.

Before you activate the Access Control based on 802.1x feature, configure the PKI feature as
well as the related managed objects (MOs). For details about how to configure the PKI
feature, see the "Engineering Guidelines" section in PKI.

4.4.1 When to Use


If the operator's transport network is located in an open network, the devices in the transport
network are vulnerable to unauthorized access and malicious attacks. In this case, it is
recommended that the Access Control based on 802.1x feature be activated to authenticate the
users or devices that attempt to access the transport network. This feature prevents
unauthorized users and devices from accessing the network and ensures transport network
security.

The Access Control based on 802.1x feature authenticates the base station with a device certificate (the Huawei-issued device certificate by default, or the operator-issued device certificate if so configured). Therefore, the PKI feature on the base station also needs to be activated; whether a PKI infrastructure must additionally be deployed in the operator's network depends on which certificate is used, as described in 4.4.2.

4.4.2 Data Configuration


Huawei base stations support only unidirectional EAP-TLS authentication and port-based
access control based on the MAC address. Therefore, before you activate the Access Control
based on 802.1x feature, check whether the authentication server supports unidirectional
EAP-TLS authentication and whether the authentication access equipment supports port-
based access control based on the MAC address.

- If the customer requires that Access Control based on 802.1x use the Huawei-issued device certificate to authenticate the base station, the PKI feature does not need to be deployed in the network.
- If the customer requires that Access Control based on 802.1x use the operator-issued device certificate to authenticate the base station, the PKI feature needs to be deployed in the network. For details about how to deploy the PKI feature, see PKI.

4.4.2.1 Data Preparation


NOTE
"-" in this section indicates that there is no special requirement for setting the parameters. Set the
parameters based on site requirements.

Table 4-1 lists the data to be prepared before you activate the Access Control based on 802.1x
feature when GTRANSPARA.TRANSCFGMODE is set to OLD (the DOT1X MO).


Table 4-1 Data to be prepared for activating the Access Control based on 802.1x feature (old model)
Parameter Name | Parameter ID | Setting Notes
Cabinet No. | DOT1X.CN | -
Subrack No. | DOT1X.SRN | -
Slot No. | DOT1X.SN | -
Subboard Type | DOT1X.SBT | -
Port No. | DOT1X.PN | -
Authentic Method | DOT1X.AM | This parameter indicates the authentication method used by the Access Control based on 802.1x feature. This feature supports EAP-TLS authentication.

Table 4-2 lists the data to be prepared before you activate the Access Control based on 802.1x feature when GTRANSPARA.TRANSCFGMODE is set to NEW (the DOT1XAUTH MO).

Table 4-2 Data to be prepared for activating the Access Control based on 802.1x feature (new model)
Parameter Name | Parameter ID | Setting Notes
802.1x Authentication ID | DOT1XAUTH.DOT1XAUTHID | -
Port Type | DOT1XAUTH.PT | -
Port ID | DOT1XAUTH.PORTID | -
Authentic Method | DOT1XAUTH.AM | This parameter indicates the authentication method used by the Access Control based on 802.1x feature. This feature supports EAP-TLS authentication.


NOTE
- When deploying this feature on a multimode base station, activate the feature only on the Ethernet port that connects the base station to the transport network. The data preparation and initial configuration of the multimode base station are the same as those of a single-mode base station.
- When a base station is working normally, the certificate used by IEEE 802.1x-based access control is the same as that used by SSL authentication. For details about how to configure the certificate for SSL authentication, see the "Engineering Guidelines" section in SSL. If no certificate is configured for SSL authentication, IEEE 802.1x-based access control uses the Huawei-issued device certificate by default.

4.4.2.2 Using MML commands

Activation Command Examples


Run the MML command ACT DOT1X (old model)/ACT DOT1XAUTH (new model) to
activate Access Control based on 802.1x on the Ethernet port that connects the base station to
the transport network.

The following is an MML command example when GTRANSPARA.TRANSCFGMODE is set to OLD:
//Activating Access Control based on 802.1x on the Ethernet port that connects the NodeB/eNodeB/gNodeB/eGBTS to the transport network
ACT DOT1X: CN=0, SRN=0, SN=7, SBT=BASE_BOARD, PN=0, AM=EAP-TLS;

The following is an MML command example when GTRANSPARA.TRANSCFGMODE is set to NEW:
//Activating Access Control based on 802.1x on the Ethernet port that connects the NodeB/eNodeB/gNodeB/eGBTS to the transport network
ACT DOT1XAUTH: DOT1XAUTHID=0, PT=ETH, PORTID=0, AM=EAP-TLS;

Deactivation Command Examples


Run the MML command DEA DOT1X (old model)/DEA DOT1XAUTH (new model) to
deactivate Access Control based on 802.1x on the Ethernet port that connects the base station
to the transport network.

The following is an MML command example when GTRANSPARA.TRANSCFGMODE is set to OLD:
//Deactivating Access Control based on 802.1x
DEA DOT1X: SN=7, SBT=BASE_BOARD, PN=0;

The following is an MML command example when GTRANSPARA.TRANSCFGMODE is set to NEW:
//Deactivating Access Control based on 802.1x
DEA DOT1XAUTH: DOT1XAUTHID=0;

4.4.2.3 Using the CME


This feature can be activated using the CME. This section uses the eNodeB as an example. For detailed operations, see CME-based Feature Configuration or the CME online help (opened from an active CME window).


Configuration Type | CME Online Help
Single configuration | CME Management > CME Guidelines > Getting Started with the CME > Introduction to Data Configuration Operations
Batch eGBTS configuration | CME Management > CME Guidelines > GSM Application Management > Base Station Related Operations > Importing and Exporting eGBTS Data for Batch Reconfiguration
Batch NodeB configuration | CME Management > CME Guidelines > UMTS Application Management > NodeB Related Operations > Importing and Exporting NodeB Data for Batch Configuration
Batch eNodeB configuration | CME Management > CME Guidelines > LTE Application Management > eNodeB Related Operations > Importing and Exporting eNodeB Data for Batch Configuration
Batch gNodeB configuration | CME Management > CME Guidelines > NR Application Management > gNodeB Related Operations > Importing and Exporting gNodeB Data for Batch Configuration

4.4.3 Activation Verification


Run the DSP DOT1X (old model)/DSP DOT1XAUTH (new model) command to query
whether Access Control based on 802.1x is activated on the Ethernet port that connects the
base station to the transport network. Check the value of the Authentic State parameter in the
command output. If the value of this parameter is Authenticate Succeed, the port has passed
IEEE 802.1x-based authentication.

The following figure shows an example of the command output:

Figure 4-7 DSP DOT1X command output

4.4.4 Network Monitoring


None


5 Parameters

The following hyperlinked EXCEL files of parameter reference match the software version
with which this document is released.
- Node Parameter Reference: contains device and transport parameters.
- eNodeBFunction Parameter Reference: contains all parameters related to radio access functions, including air interface management, access control, mobility control, and radio resource management.
NOTE
You can find the EXCEL files of parameter reference for the software version used on the live network
from the product documentation delivered with that version.

FAQ: How do I find the parameters related to a certain feature from parameter
reference?

Step 1 Open the EXCEL file of parameter reference.

Step 2 On the Parameter List sheet, filter the Feature ID column. Click Text Filters and choose Contains. Enter the feature ID, for example, LOFD-003015 or TDLOFD-003015.
Step 3 Click OK. All parameters related to the feature are displayed.

----End


6 Counters

The following hyperlinked EXCEL files of performance counter reference match the software
version with which this document is released.
- Node Performance Counter Summary: contains device and transport counters.
- eNodeBFunction Performance Counter Summary: contains all counters related to radio access functions, including air interface management, access control, mobility control, and radio resource management.
NOTE
You can find the EXCEL files of performance counter reference for the software version used on the live
network from the product documentation delivered with that version.

FAQ: How do I find the counters related to a certain feature from performance counter
reference?

Step 1 Open the EXCEL file of performance counter reference.

Step 2 On the Counter Summary(En) sheet, filter the Feature ID column. Click Text Filters and choose Contains. Enter the feature ID, for example, LOFD-003015 or TDLOFD-003015.
Step 3 Click OK. All counters related to the feature are displayed.

----End


7 Glossary

For the acronyms, abbreviations, terms, and definitions, see Glossary.


8 Reference Documents

1. IETF RFC 3748, "Extensible Authentication Protocol (EAP)"
2. IEEE Std 802.1x-2004, "Port-Based Network Access Control"
3. IETF RFC 2716, "PPP EAP TLS Authentication Protocol"
4. PKI for SingleRAN
