Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Issue 03
Date 2017-09-30
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Contents
2 Overview......................................................................................................................................... 4
3 Technical Description...................................................................................................................5
3.1 Operating Principle.........................................................................................................................................................5
3.2 Protocol Stacks............................................................................................................................................................... 6
5 Related Features...........................................................................................................................14
5.1 Access Control based on 802.1x on the GSM Side...................................................................................................... 14
5.2 Access Control based on 802.1x on the UMTS Side................................................................................................... 14
5.3 LOFD-003015 Access Control based on 802.1x..........................................................................................................15
5.4 MLOFD-003015 Access Control based on 802.1x...................................................................................................... 15
5.5 TDLOFD-003015 Access Control based on 802.1x.................................................................................................... 15
6 Network Impact........................................................................................................................... 17
7 Engineering Guidelines............................................................................................................. 18
7.1 When to Use................................................................................................................................................................. 18
7.2 Required Information................................................................................................................................................... 18
7.3 Deployment.................................................................................................................................................................. 19
7.3.1 Requirements............................................................................................................................................................. 19
7.3.2 Precautions.................................................................................................................................................................20
7.3.3 Data Preparation and Feature Activation...................................................................................................................20
7.3.3.1 Data Preparation..................................................................................................................................................... 20
7.3.3.2 Using the CME....................................................................................................................................................... 21
8 Parameters..................................................................................................................................... 24
9 Counters........................................................................................................................................ 26
10 Glossary....................................................................................................................................... 27
11 Reference Documents............................................................................................................... 28
1.1 Scope
This document describes Access Control based on 802.1x, including its technical principles,
related features, network impact, and engineering guidelines.
This document covers the following features:
l LOFD-003015 Access Control based on 802.1x
l MLOFD-003015 Access Control based on 802.1x
l TDLOFD-003015 Access Control based on 802.1x
Unless otherwise specified, in this document, LTE, eNodeB, and eRAN always include FDD,
TDD, and NB-IoT. The "L", "T", and "M" in RAT acronyms refer to LTE FDD, LTE TDD,
and LTE NB-IoT, respectively.
For definitions of base stations described in this document, see section "Base Station
Products" in SRAN Networking and Evolution Overview Feature Parameter Description.
SRAN12.1 03 (2017-09-30)
This issue includes the following changes.
SRAN12.1 02 (2017-06-29)
This issue includes the following changes.
Feature Added the support for NB-IoT by the BTS3912E. For None
change details, see 1.4 Differences Between Base Station
Types.
SRAN12.1 01 (2017-03-08)
This issue includes the following changes.
Among micro base stations, only BTS3912Es support NB-IoT. LampSite base stations do not
support NB-IoT.
2 Overview
IEEE 802.1x is an IEEE standard for port-based network access control. It is part of the IEEE
802 group of networking protocols. With port-based network access control, the
authentication access equipment in the local area network (LAN) performs identity
authentication and access control on users or devices connected to its ports. Only the users or
devices that can be authenticated are allowed to access the LAN through the ports. Access
Control based on 802.1x prevents unauthorized users or devices from accessing the network,
which ensures transport network security.
Huawei base stations support Access Control based on 802.1x. The authentication is
unidirectional and is based on Extensible Authentication Protocol-Transport Layer Security
(EAP-TLS). That is, the authentication server performs unidirectional authentication on the
digital certificates of base stations. Figure 2-1shows the network topology for Access Control
based on 802.1x.
3 Technical Description
The functions of RADIUS and AAA servers are similar. This document uses the RADIUS server as an
example to describe Access Control based on 802.1x.
Figure 3-1 shows the operating principle of Access Control based on 802.1x.
NOTE
Port access entity (PAE) is a port-related protocol entity that processes protocol packets during an
authentication procedure.
A physical Ethernet port of the authentication access equipment consists of two logical ports:
one controlled port and one uncontrolled port:
During initial access, the base station is not authenticated, and therefore the controlled port is
in the unauthorized state. At this point, only EAPoL packets can pass through the
uncontrolled port and be sent to the authentication server. After the authentication server
authenticates the base station and the authentication access equipment authorizes the
controlled port, the controlled port becomes authorized and data from the base station can
pass through the controlled port in the authorized state. This process ensures that only
authorized users and devices can access the network.
Port-based access control can be based on a physical port (such as the MAC address) or a
logical port (such as the VLAN). Huawei base stations support only port-based access control
based on the MAC address. That is, the authentication message sent by a base station contains
the MAC address of the Ethernet port that connects the base station to the transport network.
If authentication succeeds, the authentication access equipment performs access control on
data flow based on this MAC address.
For details about IEEE 802.1x-based access control, see IEEE 802[1].1x-2004.
and the authentication access equipment, EAP data is encapsulated in EAPoL frames so that
the data can be transmitted in the LAN. Between the authentication access equipment and the
authentication server, EAPoL frames are re-encapsulated in EAP over RADIUS (EAPoR)
frames so that the data can be transmitted using the RADIUS protocol.
Figure 3-2 shows the protocol stacks for Access Control based on 802.1x.
Access Control based on 802.1x uses the EAP protocol for authentication. The EAP protocol
supports multiple authentication methods. Huawei base stations adopt unidirectional EAP-
TLS authentication, that is, the authentication server authenticates base stations using digital
certificates.
In an IEEE 802.1x-based access control procedure, the base station sends its digital certificate
to the RADIUS server in an EAPoL frame. The RADIUS server authenticates the base station
by using the Huawei root certificate or the operator's root certificate. The DOT1X.AM
parameter specifies the authentication method used by IEEE 802.1x-based access control.
For details about the EAP protocol, see RFC 3748.
For details about the EAP-TLS protocol, see RFC 2716.
This chapter describes the application of IEEE 802.1x-based access control on a base station.
Figure 4-1 Typical network topology for IEEE 802.1x-based access control
IEEE 802.1x-based access control of Ethernet ports can be activated by using the ACT
DOT1X command and deactivated by using the DEA DOT1X command. By default, IEEE
802.1x-based access control is activated on Ethernet ports of base stations before delivery.
l If the network supports IEEE 802.1x-based access control, and IEEE 802.1x-based
access control is activated on the Ethernet port that connects the base station to the
transport network:
The base station initiates an IEEE 802.1x-based access control procedure. After the IEEE
802.1x-based access control succeeds, the base station sends a Dynamic Host
Configuration Protocol (DHCP) Discover packet to the authentication access equipment
to start the DHCP procedure. After the DHCP procedure is complete, the automatic base
station deployment procedure starts.
l If the network supports IEEE 802.1x-based access control, but IEEE 802.1x-based
access control is deactivated on the Ethernet port that connects the base station to the
transport network:
The base station does not initiate an IEEE 802.1x-based access control procedure.
Instead, the base station first sends a DHCP Discover packet and the DHCP module
queries whether IEEE 802.1x-based access control is activated on the Ethernet port that
connects the base station to the transport network. If IEEE 802.1x-based access control is
deactivated and authentication is not performed, the base station triggers an IEEE
802.1x-based access control procedure. Because the network uses IEEE 802.1x-based
access control, the DHCP Discover packet cannot pass through the authentication access
equipment, and therefore the DHCP procedure fails. The base station waits for the
authentication result. After the IEEE 802.1x-based access control succeeds, the base
station resends a DHCP Discover packet. After the DHCP procedure is complete, the
automatic base station deployment procedure starts.
For example, the main control board of the base station has an incorrect configuration
file, in which IEEE 802.1x-based access control is deactivated on the Ethernet port that
connects the base station to the transport network. In this case, the DHCP procedure
triggers the IEEE 802.1x-based access control procedure during automatic base station
deployment.
l If the network does not support IEEE 802.1x-based access control, and IEEE 802.1x-
based access control is activated on the Ethernet port that connects the base station to the
transport network:
The base station initiates the IEEE 802.1x-based access control procedure for three times
at an interval of 25 seconds. If the base station does not receive any response from the
network, the base station determines that the network does not support IEEE 802.1x-
based access control. The base station then sends a DHCP Discover packet. The DHCP
Discover packet can pass through the authentication access equipment. After the DHCP
procedure is complete, the automatic base station deployment procedure starts.
NOTE
During automatic base station deployment by PnP, the IEEE 802.1x-based access control procedure uses
the preconfigured Huawei-issued device certificate of the base station for authentication.
The rest of this section describes automatic base station deployment by PnP in the preceding
three scenarios.
Scenario 1
Figure 4-2 shows automatic base station deployment when the network supports IEEE
802.1x-based access control and IEEE 802.1x-based access control is activated on the
Ethernet port that connects the base station to the transport network.
1. After the base station is powered on, it sends an EAPoL-Start packet to the
authentication access equipment, to initiate an IEEE 802.1x-based access control
procedure.
2. The base station, authentication access equipment, and authentication server perform the
IEEE 802.1x-based access control procedure. The base station can initiate the IEEE
802.1x-based access control procedure on the same Ethernet port a maximum of three
times at an interval of 25 seconds.
3. If the IEEE 802.1x-based access control procedure succeeds, the base station initiates a
DHCP procedure. After the DHCP procedure is complete, the automatic base station
deployment procedure starts.
4. If the IEEE 802.1x-based access control procedure fails, the base station initiates a
DHCP procedure. However, the base station does not receive any response to the DHCP
procedure, and therefore the DHCP procedure fails. The base station attempts to initiate
IEEE 802.1x-based access control and DHCP procedures on the next Ethernet port.
NOTE
In the IEEE 802.1x-based access control procedure, the EAPoL-Start packet is a multicast packet and its
destination MAC address is 01-80-C2-00-00-03; other packets are unicast packets.
Scenario 2
Figure 4-3 shows automatic base station deployment when the network supports IEEE
802.1x-based access control but IEEE 802.1x-based access control is deactivated on the
Ethernet port that connects the base station to the transport network.
1. After a base station is powered on, it sends a DHCP Discover packet to the
authentication access equipment because IEEE 802.1x-based access control is
deactivated on the Ethernet port that connects the base station to the transport network.
2. The DHCP module queries whether IEEE 802.1x-based access control is activated on the
Ethernet port that connects the base station to the transport network. If IEEE 802.1x-
based access control is deactivated and authentication is not performed, the base station
triggers an IEEE 802.1x-based access control procedure on this Ethernet port.
3. Because the controlled port of the authentication access equipment is in the unauthorized
state, the base station does not receive any DHCP response. The DHCP procedure fails.
The base station waits for the authentication result.
4. If the IEEE 802.1x-based access control procedure succeeds, the base station resends a
DHCP Discover packet through the Ethernet port. After the DHCP procedure is
complete, the automatic base station deployment procedure starts.
Scenario 3
Figure 4-4 shows automatic base station deployment when the network does not support
IEEE 802.1x-based access control and IEEE 802.1x-based access control is activated on the
Ethernet port that connects the base station to the transport network.
1. After the base station is powered on, it initiates an IEEE 802.1x-based access control
procedure. The base station resends the EAPoL-Start packet three times at an interval of
25 seconds but does not receive any response. Therefore, the base station determines that
the network does not support IEEE 802.1x-based access control.
2. The base station sends a DHCP Discover packet to the authentication access equipment.
3. After the DHCP procedure is complete, the automatic base station deployment procedure
starts.
l If the certificate used for SSL authentication in the configuration file is set to the
operator-issued device certificate, the IEEE 802.1x-based access control procedure uses
the operator-issued device certificate to authenticate the base station.
l If the certificate used for SSL authentication in the configuration file is set to the
Huawei-issued device certificate, the IEEE 802.1x-based access control procedure uses
the Huawei-issued device certificate to authenticate the base station.
l If the SSL authentication method is cryptonym authentication, by default the IEEE
802.1x-based access control procedure uses the Huawei-issued device certificate to
authenticate the base station.
NOTE
During base station deployment using a USB flash drive, the certificate used in the IEEE 802.1x-based
access control procedure is specified in the configuration file. Because the base station is preconfigured
with the Huawei-issued device certificate, the certificate for SSL authentication can be set only to
Huawei-issued device certificate in the configuration file. If the certificate for SSL authentication is set
to the operator-issued device certificate, the IEEE 802.1x-based access control procedure fails.
5 Related Features
Impacted Features
None
Impacted Features
None
Impacted Features
None
Impacted Features
None
Impacted Features
None
6 Network Impact
System Capacity
No impact.
Network Performance
When the Access Control based on 802.1x feature is enabled, the time for base station
deployment by PnP is prolonged by about 75 seconds.
7 Engineering Guidelines
This chapter describes how to deploy the Access Control based on 802.1x feature in a newly
deployed network.
7.3 Deployment
NOTE
eGBTSs configured with GTMUb boards do not support the Access Control based on 802.1x feature.
eGBTSs described in this document are not configured with GTMUb boards.
Before you activate the Access Control based on 802.1x feature, configure the PKI feature as
well as the related managed objects (MOs). For details about how to configure the PKI
feature, see the "Engineering Guidelines" section in PKI Feature Parameter Description.
7.3.1 Requirements
Other Features
For details, see 5 Related Features.
Hardware
NE Type Board Configuration Type of Port
Connecting to the
Transport Network
License
Feature ID Feature License License NE Sales
Name Control Control Item Unit
Item ID Name
Other Requirements
l An authentication server has been deployed in the network.
l The authentication server supports the EAP protocol defined in RFC 3748 and supports
EAP-TLS authentication.
l The authentication server is preconfigured with the Huawei root certificate. If the
customer requires that the operator-issued device certificate be used for authentication,
the operator' root certificate must be preconfigured on the authentication server.
l The authentication access equipment supports IEEE 802.1x-based access control and
EAP packet processing.
l The authentication access equipment supports port-based access control based on the
MAC address.
7.3.2 Precautions
None
NOTE
"N/A" in Table 7-1 indicates that there is no special requirement for setting the parameter. Set the
parameter based on site requirements.
Table 7-1 Data to be prepared before activating the Access Control based on 802.1x feature
NOTE
l When deploying this feature on a multimode base station, activate the feature only on the Ethernet
port that connects the base station to the transport network. The data preparation and initial
configuration of the multimode base station are the same as those of a single-mode base station.
l When a base station is working normally, the certificate used by IEEE 802.1x-based access control
is the same as that used by SSL authentication. For details about how to configure the certificate for
SSL authentication, see the "Engineering Guidelines" section in SSL Feature Parameter
Description. If no certificate is configured for SSL authentication, IEEE 802.1x-based access control
uses the Huawei-issued device certificate by default.
Single configuration CME Management > CME Guidelines > Getting Started with
the CME > Introduction to Data Configuration Operations
Batch eGBTS CME Management > CME Guidelines > GSM Application
configuration Management > Base Station Related Operations > Importing
and Exporting eGBTS Data for Batch Reconfiguration
Batch NodeB CME Management > CME Guidelines > UMTS Application
configuration Management > NodeB Related Operations > Importing and
Exporting NodeB Data for Batch Configuration
Batch eNodeB CME Management > CME Guidelines > LTE Application
configuration Management > eNodeB Related Operations > Importing and
Exporting eNodeB Data for Batch Configuration
7.3.5 Deactivation
Using MML Commands
Run the MML command DEA DOT1X to deactivate Access Control based on 802.1x on the
Ethernet port that connects the base station to the transport network.
8 Parameters
DOT1X AM ACT LOFD-0 Access Meaning: Indicates the IEEE 802.1X authentication
DOT1X 03015/ Control method. Currently, only Extensible Authentication
DSP MLOFD based on Protocol Transport Layer Security (EAP-TLS), a
DOT1X -003015 802.1x unidirectional authentication method, is supported.
/ GUI Value Range: EAP-TLS(EAP-TLS authentic
LST TDLOF
DOT1X method)
D-00301
5 Unit: None
Actual Value Range: EAP-TLS
Default Value: EAP-TLS(EAP-TLS authentic method)
DOT1X CN ACT None None Meaning: Indicates the number of the cabinet that
DOT1X provides the port on which IEEE 802.1X
DEA authentication is configured.
DOT1X GUI Value Range: 0~7
DSP Unit: None
DOT1X Actual Value Range: 0~7
LST Default Value: 0
DOT1X
DOT1X SRN ACT None None Meaning: Indicates the number of the subrack that
DOT1X provides the port on which IEEE 802.1X
DEA authentication is configured.
DOT1X GUI Value Range: 0~1
DSP Unit: None
DOT1X Actual Value Range: 0~1
LST Default Value: 0
DOT1X
DOT1X SN ACT None None Meaning: Indicates the number of the slot that
DOT1X provides the port on which IEEE 802.1X
DEA authentication is configured.
DOT1X GUI Value Range: 0~7
DSP Unit: None
DOT1X Actual Value Range: 0~7
LST Default Value: None
DOT1X
DOT1X SBT ACT None None Meaning: Indicates the type of sub-board that provides
DOT1X the port on which IEEE 802.1X authentication is
DEA configured.
DOT1X GUI Value Range: BASE_BOARD(Base Board),
DSP ETH_COVERBOARD(Ethernet Cover Board)
DOT1X Unit: None
LST Actual Value Range: BASE_BOARD,
DOT1X ETH_COVERBOARD
Default Value: None
DOT1X PN ACT None None Meaning: Indicates the number of the port on which
DOT1X IEEE 802.1X authentication is configured.
DEA GUI Value Range: 0~5
DOT1X Unit: None
DSP Actual Value Range: 0~5
DOT1X
Default Value: None
LST
DOT1X
9 Counters
10 Glossary
11 Reference Documents