Access Control based on 802.1x SRAN8.0
Feature Parameter Description
Issue Draft A
Date 2012-12-30
HUAWEI TECHNOLOGIES CO., LTD.
Copyright Huawei Technologies Co., Ltd. 2013. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://www.huawei.com
Email: [email protected]
SingleRAN
Access Control based on 802.1x Contents
Issue Draft A (2012-12-30) Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
i
Contents
1 About This Document 1-1
1.1 Scope 1-1
1.2 Intended Audience 1-1
1.3 Change History 1-1
2 Overview 2-1
3 Technical Description 3-1
3.1 Operating Principle 3-1
3.2 Protocol Stacks 3-2
4 Application of Access Control based on 802.1x 4-1
4.1 Typical Network Topology 4-1
4.2 Auto-Discovery with Access Control based on 802.1x 4-1
4.2.1 Automatic Base Station Deployment by PnP 4-1
4.2.2 Application on Existing Base Stations 4-5
5 Related Features 5-1
5.1 Prerequisite Features 5-1
5.2 Mutually Exclusive Features 5-1
5.3 Impacted Features 5-1
6 Network Impact 6-1
6.1 System Capacity 6-1
6.2 Network Performance 6-1
7 Engineering Guidelines 7-1
7.1 When to Use Access Control based on 802.1x 7-1
7.2 Required Information 7-1
7.3 Planning 7-1
7.4 Deployment on the NodeB/eNodeB/eGBTS Side 7-2
7.4.1 Requirements 7-2
7.4.2 Data Preparation 7-2
7.4.3 Precautions 7-3
7.4.4 Activation 7-3
7.4.5 Activation Observation 7-5
7.4.6 Deactivation 7-5
7.5 Parameter Optimization 7-6
7.6 Troubleshooting 7-6
8 Parameters 8-1
9 Counters 9-1
10 Glossary 10-1
11 Reference Documents 11-1
1 About This Document
1.1 Scope
This document describes the Access Control based on 802.1x feature, including its basic principles, engineering guidelines, and parameters. Huawei eGBTSs, NodeBs, eNodeBs, and multimode base stations support this feature, whereas Huawei GBTSs do not.
eNodeB: LOFD-003015 Access Control based on 802.1x
1.2 Intended Audience
This document is intended for personnel who:
Are familiar with GSM, UMTS, and LTE basics
Need to understand Access Control based on 802.1x
Maintain Huawei products
1.3 Change History
This section provides information about the changes in different document versions.
There are two types of changes, which are defined as follows:
Feature change: refers to a change in the Access Control based on 802.1x feature of a specific product version.
Editorial change: refers to a change in wording or the addition of information that was not described in the earlier version.
Document Versions
The document version is Draft A (2012-12-30).
Draft A (2012-12-30)
This is a draft for SRAN8.0.
2 Overview
IEEE 802.1x is an IEEE standard for port-based network access control. It is part of the IEEE 802 group of networking protocols. With port-based network access control, the authentication access equipment in the local area network (LAN) performs identity authentication and access control on users or devices connected to its ports. Only the users or devices that can be authenticated are allowed to access the LAN through the ports. Access Control based on 802.1x prevents unauthorized users or devices from accessing the network, which ensures transport network security.
Huawei base stations support Access Control based on 802.1x. The authentication is unidirectional and is based on Extensible Authentication Protocol-Transport Layer Security (EAP-TLS): the authentication server verifies the digital certificate of the base station, but the base station does not authenticate the server. The procedure therefore proves the identity of the base station to the transport network; it gives the base station no assurance about the identity of the network it is attached to. Figure 2-1 shows the network topology for Access Control based on 802.1x.
Figure 2-1 Network topology for Access Control based on 802.1x
3 Technical Description
3.1 Operating Principle
Access Control based on 802.1x usually adopts the client/server architecture, as shown in Figure 2-1. The authentication access equipment receives authentication packets from users or devices and then forwards the packets to the authentication server. The authentication server authenticates the identities of the users or devices. If the authentication succeeds, the data flow of the users or devices can pass through the ports of the authentication access equipment.
Access Control based on 802.1x involves the following components:
Authentication client (a device to be authenticated, such as a base station): initiates an 802.1x-based access control procedure. An authentication client is also referred to as a supplicant. To support port-based access control, the authentication client needs to support the Extensible Authentication Protocol over LAN (EAPoL).
Authentication access equipment (such as a LAN switch): receives and forwards EAP authentication packets between the base station and authentication server at the Media Access Control (MAC) layer. Authentication access equipment is also referred to as an authenticator. The authentication access equipment also controls the status (authorized or unauthorized) of controlled ports based on the authentication result at the authentication server.
Authentication server: performs authentication on clients. The servers commonly used are Remote Authentication Dial In User Service (RADIUS) and Authentication, Authorization and Accounting (AAA) servers.
NOTE
The functions of RADIUS and AAA servers are similar. This document uses the RADIUS server as an example to describe Access Control based on 802.1x.
Figure 3-1 shows the operating principle of Access Control based on 802.1x.
Figure 3-1 Operating principle of Access Control based on 802.1x
NOTE
Port access entity (PAE) is a port-related protocol entity that processes protocol packets during an authentication procedure.
A physical Ethernet port of the authentication access equipment consists of two logical ports: one controlled port and one uncontrolled port:
Controlled port: A controlled port can be in the unauthorized or authorized state, depending on the authentication result at the authentication server.
A controlled port in the authorized state is in the bidirectional connectivity state and data flow can pass through the port.
A controlled port in the unauthorized state does not allow any data to pass through.
Uncontrolled port: An uncontrolled port is always in the bidirectional connectivity state. Only EAPoL packets can pass through an uncontrolled port. This ensures that the authentication client can always transmit and receive authentication packets.
During initial access, the base station is not authenticated, and therefore the controlled port is in the unauthorized state. At this point, only EAPoL packets can pass through the uncontrolled port and be sent to the authentication server. After the authentication server authenticates the base station and the authentication access equipment authorizes the controlled port, the controlled port becomes authorized and data from the base station can pass through the controlled port in the authorized state. This process ensures that only authorized users and devices can access the network.
Port-based access control can be keyed to a physical port (identified by the MAC address) or to a logical port (such as a VLAN). Huawei base stations support only access control keyed to the MAC address. That is, the authentication message sent by a base station carries the MAC address of the Ethernet port that connects the base station to the transport network, and after successful authentication the authentication access equipment admits data flow from that MAC address. Note that 802.1x authenticates the device at the time it joins the LAN; the data that subsequently passes through the authorized port is neither encrypted nor integrity-protected by this feature.
For details about IEEE 802.1x-based access control, see IEEE 802.1X-2004[1].
3.2 Protocol Stacks
In IEEE 802.1x-based access control, the authentication client and the authentication server exchange authentication messages using the EAP protocol; the authentication access equipment relays them without interpreting the EAP method. Between the authentication client and the authentication access equipment, EAP packets are encapsulated in EAPoL frames so that they can be transmitted in the LAN. Between the authentication access equipment and the authentication server, the EAP packets are extracted from the EAPoL frames and carried in RADIUS packets (EAP over RADIUS, EAPoR), in EAP-Message attributes, so that they can be transmitted using the RADIUS protocol.
Figure 3-2 shows the protocol stacks for Access Control based on 802.1x.
Figure 3-2 Protocol stacks for Access Control based on 802.1x
Access Control based on 802.1x uses the EAP protocol for authentication. The EAP protocol supports multiple authentication methods. Huawei base stations adopt unidirectional EAP-TLS authentication, that is, the authentication server authenticates base stations using digital certificates. The AM parameter specifies the authentication method used by IEEE 802.1x-based access control.
In an IEEE 802.1x-based access control procedure, the base station sends its digital certificate in the EAP-TLS handshake, carried in EAPoL frames to the authentication access equipment and relayed from there to the RADIUS server. The RADIUS server validates the certificate chain against the root certificate it trusts: the Huawei root certificate (for Huawei-issued device certificates) or the operator's root certificate (for operator-issued device certificates).
For details about the EAP protocol, see RFC 3748.
For details about the EAP-TLS protocol, see RFC 2716 (obsoleted by RFC 5216, which defines the current version of EAP-TLS).
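The encapsulation chain described in this section, as an added example that is not part of the original document or of Huawei's implementation: an EAP packet is built (RFC 3748), wrapped in an EAPoL frame for the supplicant-to-authenticator hop (IEEE 802.1X-2004, EtherType 0x888E, protocol version 2, EAPoL-Start sent to the PAE group address 01-80-C2-00-00-03), and then re-carried by the authenticator in RADIUS EAP-Message attributes with a Message-Authenticator (RFC 3579). The MAC address, identity string and shared secret in the code are constructed sample values; the functions are illustrative and not a Huawei or RADIUS-server API.

```python
"""Added example (not Huawei code): EAP -> EAPoL -> RADIUS encapsulation for 802.1x.
Wire formats follow IEEE 802.1X-2004, RFC 3748 and RFC 3579; sample MACs, identity
and shared secret are constructed values."""
import hashlib
import hmac
import os
import struct

PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # EAPoL-Start destination (PAE group address)
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 2                              # protocol version used by 802.1X-2004
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 13
RADIUS_ACCESS_REQUEST = 1
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
EAP_MESSAGE_MAX = 253                          # RADIUS attribute value limit (255 - 2 header bytes)


def eap_packet(code, identifier, eap_type, data=b""):
    """RFC 3748 header: code(1) identifier(1) length(2), then type(1) and type data."""
    body = bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def eapol_frame(src_mac, packet_type, body=b"", dst_mac=PAE_GROUP_MAC):
    """Ethernet header + EAPoL header (version, packet type, body length) + body.
    An EAPoL-Start has an empty body and is addressed to the PAE group address."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body


def parse_eapol(frame):
    """Split an EAPoL frame back into its fields; rejects other EtherTypes."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPoL frame")
    version, packet_type, length = struct.unpack("!BBH", frame[14:18])
    return {"dst": frame[:6], "src": frame[6:12], "version": version,
            "type": packet_type, "body": frame[18:18 + length]}


def radius_access_request(secret, identifier, eap_payload):
    """Authenticator side of EAPoR: split the EAP packet into EAP-Message attributes of at
    most 253 bytes and protect the packet with a Message-Authenticator, an HMAC-MD5 keyed
    with the shared secret over the whole packet with the attribute value zeroed (RFC 3579 3.2)."""
    request_authenticator = os.urandom(16)
    attrs = b""
    for i in range(0, len(eap_payload), EAP_MESSAGE_MAX):
        chunk = eap_payload[i:i + EAP_MESSAGE_MAX]
        attrs += bytes([ATTR_EAP_MESSAGE, 2 + len(chunk)]) + chunk
    attrs += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
    header += request_authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def radius_attributes(packet):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet."""
    pos = 20
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def verify_message_authenticator(secret, packet):
    """Server side: recompute the HMAC with the attribute value zeroed. A packet without a
    Message-Authenticator is rejected, since Access-Requests carrying EAP must include one."""
    pos = 20
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += attr_len
    return False


def reassemble_eap(packet):
    """Server side: concatenate the EAP-Message values, in order, to recover the EAP packet."""
    return b"".join(v for t, v in radius_attributes(packet) if t == ATTR_EAP_MESSAGE)


if __name__ == "__main__":
    bs_mac = bytes.fromhex("001122334455")                    # constructed sample MAC
    print("EAPoL-Start:", eapol_frame(bs_mac, EAPOL_START).hex())
    identity = eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"enodeb-001")  # sample identity
    access_req = radius_access_request(b"radius-secret", 7, identity)      # sample secret
    print("Message-Authenticator valid:", verify_message_authenticator(b"radius-secret", access_req))
    print("EAP recovered intact:", reassemble_eap(access_req) == identity)
```

The Message-Authenticator is what stops an on-path party between authenticator and RADIUS server from altering the EAP payload; the tamper check in the verifier below flips one byte of the EAP-Message value and expects rejection. The 253-byte fragmentation matters in practice because an EAP-TLS handshake record carrying a certificate chain is several kilobytes and always spans multiple EAP-Message attributes.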
4 Application of Access Control based on 802.1x
This chapter describes the application of IEEE 802.1x-based access control on a base station.
4.1 Typical Network Topology
To implement IEEE 802.1x-based access control, an authentication server and authentication access equipment (generally a LAN switch directly connected to the base station) that support IEEE 802.1x-based access control need to be deployed in the network. Because Huawei base stations adopt unidirectional EAP-TLS authentication based on IEEE 802.1x and are preconfigured with Huawei-issued device certificates and Huawei root certificates before delivery, the authentication server needs to be preconfigured with the Huawei root certificate. Figure 4-1 shows a typical network topology for IEEE 802.1x-based access control.
Figure 4-1 Typical network topology for IEEE 802.1x-based access control
IEEE 802.1x-based access control of Ethernet ports can be activated by using the ACT DOT1X command and deactivated by using the DEA DOT1X command. By default, IEEE 802.1x-based access control is activated on Ethernet ports of base stations before delivery.
4.2 Auto-Discovery with Access Control based on 802.1x
4.2.1 Automatic Base Station Deployment by PnP
When Access Control based on 802.1x is activated in the network, a base station must pass the IEEE 802.1x-based authentication before automatic deployment by plug and play (PnP). To ensure the base station's adaptability to the network, after being powered on, Huawei base stations perform as follows depending on network conditions:
If the network supports IEEE 802.1x-based access control, and IEEE 802.1x-based access control is activated on the Ethernet port that connects the base station to the transport network:
The base station initiates an IEEE 802.1x-based access control procedure. After the IEEE 802.1x-based access control succeeds, the base station sends a Dynamic Host Configuration Protocol (DHCP) Discover packet to the authentication access equipment to start the DHCP procedure. After the DHCP procedure is complete, the automatic base station deployment procedure starts.
If the network supports IEEE 802.1x-based access control, but IEEE 802.1x-based access control is deactivated on the Ethernet port that connects the base station to the transport network:
The base station does not initiate an IEEE 802.1x-based access control procedure. Instead, the base station first sends a DHCP Discover packet, and the DHCP module queries whether IEEE 802.1x-based access control is activated on the Ethernet port that connects the base station to the transport network. If IEEE 802.1x-based access control is deactivated and authentication has not been performed, the base station triggers an IEEE 802.1x-based access control procedure. Because the network uses IEEE 802.1x-based access control, the DHCP Discover packet cannot pass through the authentication access equipment, and therefore the DHCP procedure fails. The base station waits for the authentication result. After the IEEE 802.1x-based access control succeeds, the base station resends a DHCP Discover packet. After the DHCP procedure is complete, the automatic base station deployment procedure starts.
For example, the main control board of the base station has an incorrect configuration file, in which IEEE 802.1x-based access control is deactivated on the Ethernet port that connects the base station to the transport network. In this case, the DHCP procedure triggers the IEEE 802.1x-based access control procedure during automatic base station deployment.
If the network does not support IEEE 802.1x-based access control, and IEEE 802.1x-based access control is activated on the Ethernet port that connects the base station to the transport network:
The base station initiates the IEEE 802.1x-based access control procedure three times at an interval of 25 seconds. If the base station does not receive any response from the network, it determines that the network does not support IEEE 802.1x-based access control and then sends a DHCP Discover packet. The DHCP Discover packet can pass through the authentication access equipment. After the DHCP procedure is complete, the automatic base station deployment procedure starts.
The rest of this section describes automatic base station deployment by PnP in the preceding three scenarios.
NOTE
During automatic base station deployment by PnP, the IEEE 802.1x-based access control procedure uses the preconfigured Huawei-issued device certificate of the base station for authentication.
Scenario 1
Figure 4-2 shows automatic base station deployment when the network supports IEEE 802.1x-based access control and IEEE 802.1x-based access control is activated on the Ethernet port that connects the base station to the transport network.
Figure 4-2 Automatic base station deployment (1)
The automatic base station deployment procedure in this scenario is as follows:
1. After the base station is powered on, it sends an EAPoL-Start packet to the authentication access equipment, to initiate an IEEE 802.1x-based access control procedure.
2. The base station, authentication access equipment, and authentication server perform the IEEE 802.1x-based access control procedure. The base station can initiate the IEEE 802.1x-based access control procedure on the same Ethernet port a maximum of three times at an interval of 25 seconds.
3. If the IEEE 802.1x-based access control procedure succeeds, the base station initiates a DHCP procedure. After the DHCP procedure is complete, the automatic base station deployment procedure starts.
4. If the IEEE 802.1x-based access control procedure fails, the base station initiates a DHCP procedure. However, the base station does not receive any response to the DHCP procedure, and therefore the DHCP procedure fails. The base station attempts to initiate IEEE 802.1x-based access control and DHCP procedures on the next Ethernet port.
NOTE
In the IEEE 802.1x-based access control procedure, the EAPoL-Start packet is a multicast packet and its destination MAC address is 01-80-C2-00-00-03; other packets are unicast packets.
Scenario 2
Figure 4-3 shows automatic base station deployment when the network supports IEEE 802.1x-based access control but IEEE 802.1x-based access control is deactivated on the Ethernet port that connects the base station to the transport network.
Figure 4-3 Automatic base station deployment (2)
The automatic base station deployment procedure in this scenario is as follows:
1. After a base station is powered on, it sends a DHCP Discover packet to the authentication access equipment because IEEE 802.1x-based access control is deactivated on the Ethernet port that connects the base station to the transport network.
2. The DHCP module queries whether IEEE 802.1x-based access control is activated on the Ethernet port that connects the base station to the transport network. If IEEE 802.1x-based access control is deactivated and authentication is not performed, the base station triggers an IEEE 802.1x-based access control procedure on this Ethernet port.
3. Because the controlled port of the authentication access equipment is in the unauthorized state, the base station does not receive any DHCP response. The DHCP procedure fails. The base station waits for the authentication result.
4. When the IEEE 802.1x-based access control procedure succeeds, the base station resends a DHCP Discover packet through the Ethernet port. After the DHCP procedure is complete, the automatic base station deployment procedure starts.
Scenario 3
Figure 4-4 shows automatic base station deployment when the network does not support IEEE 802.1x-based access control and IEEE 802.1x-based access control is activated on the Ethernet port that connects the base station to the transport network.
Figure 4-4 Automatic base station deployment (3)
The automatic base station deployment procedure in this scenario is as follows:
1. After the base station is powered on, it initiates an IEEE 802.1x-based access control procedure. The base station resends the EAPoL-Start packet three times at an interval of 25 seconds but does not receive any response. Therefore, the base station determines that the network does not support IEEE 802.1x-based access control.
2. The base station sends a DHCP Discover packet to the authentication access equipment.
3. After the DHCP procedure is complete, the automatic base station deployment procedure starts.
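The three power-on scenarios above, together with the controlled/uncontrolled port model of section 3.1, as an added executable model that is not part of the original document or of Huawei's base station software. The authenticator is modelled as a switch port whose uncontrolled port always passes EAPoL and whose controlled port passes DHCP only once authorized. Two behaviours are assumptions not stated on the page: the authentication server returns its verdict immediately when the network supports 802.1x (so an explicit failure is not retried on the same port), and each unanswered EAPoL-Start costs the full 25-second interval, which is what makes the three attempts add up to the roughly 75 seconds quoted in section 6.2.

```python
"""Added example (not Huawei code): model of the base station's power-on 802.1x/DHCP
decision logic from section 4.2.1, with the switch port modelled as in section 3.1.
Assumed: immediate server verdicts, 25 s spent per unanswered EAPoL-Start."""
from dataclasses import dataclass, field

EAPOL_START_ATTEMPTS = 3      # attempts per Ethernet port
EAPOL_START_INTERVAL = 25     # seconds between attempts


@dataclass
class Authenticator:
    """The LAN switch port facing one Ethernet port of the base station."""
    supports_dot1x: bool            # does the transport network run 802.1x at all
    accepts_cert: bool = True       # would the RADIUS server accept the base station certificate
    authorized: bool = False        # state of the controlled port

    def handle_eapol_start(self):
        """Uncontrolled port: EAPoL always gets through. Returns the authentication
        verdict, or None when the network ignores EAPoL (Scenario 3)."""
        if not self.supports_dot1x:
            return None
        self.authorized = self.accepts_cert
        return self.authorized

    def handle_dhcp_discover(self):
        """Controlled port: DHCP is ordinary data and passes only if the network does
        not use 802.1x or the port has been authorized."""
        return (not self.supports_dot1x) or self.authorized


@dataclass
class Outcome:
    events: list = field(default_factory=list)
    elapsed: int = 0                # seconds spent waiting for 802.1x answers
    deployed: bool = False          # DHCP completed, PnP deployment can start


def run_dot1x(port, out):
    """Up to three EAPoL-Starts, 25 s apart. True/False on a verdict, None if unanswered."""
    for attempt in range(1, EAPOL_START_ATTEMPTS + 1):
        out.events.append(f"eapol-start #{attempt}")
        verdict = port.handle_eapol_start()
        if verdict is not None:
            out.events.append("auth ok" if verdict else "auth failed")
            return verdict
        out.elapsed += EAPOL_START_INTERVAL
    out.events.append("no 802.1x response")
    return None


def run_dhcp(port, out):
    out.events.append("dhcp-discover")
    ok = port.handle_dhcp_discover()
    out.events.append("dhcp ok" if ok else "dhcp no response")
    return ok


def power_on(ports, dot1x_active_on_port):
    """ports: one Authenticator per base station Ethernet port, tried in order.
    dot1x_active_on_port: whether ACT DOT1X is in effect in the local configuration."""
    out = Outcome()
    for index, port in enumerate(ports):
        out.events.append(f"port {index}")
        if not dot1x_active_on_port:
            # Scenario 2: DHCP goes out first. If it is answered the network does not use
            # 802.1x and deployment proceeds; otherwise the DHCP module triggers 802.1x.
            if run_dhcp(port, out):
                out.deployed = True
                return out
            if not run_dot1x(port, out):
                continue
        elif run_dot1x(port, out) is False:
            # Scenarios 1 and 3: authenticate first. A failed verdict leaves the controlled
            # port unauthorized, DHCP gets no answer and the next port is tried. No answer
            # at all (None) means the network does not use 802.1x and DHCP is sent anyway.
            run_dhcp(port, out)
            continue
        if run_dhcp(port, out):
            out.deployed = True
            return out
    return out


if __name__ == "__main__":
    for label, ports, active in (
        ("scenario 1", [Authenticator(supports_dot1x=True)], True),
        ("scenario 2", [Authenticator(supports_dot1x=True)], False),
        ("scenario 3", [Authenticator(supports_dot1x=False)], True),
        ("rejected cert, second port", [Authenticator(True, accepts_cert=False), Authenticator(True)], True),
    ):
        result = power_on(ports, active)
        print(label, result.elapsed, "s", result.deployed, result.events)
```

From a monitoring point of view the model shows what a rejected certificate looks like on the wire: an EAPoL-Start, an EAP failure, one unanswered DHCP Discover, and then the same sequence on the next Ethernet port. A network that silently drops EAPoL instead produces three EAPoL-Starts 25 seconds apart followed by DHCP, which is the only case that adds the full 75 seconds.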
4.2.2 Application on Existing Base Stations
After a base station obtains the configuration file, it restarts. If the state of its Ethernet port changes from DOWN to UP and IEEE 802.1x-based access control is activated on this Ethernet port, the base station initiates an IEEE 802.1x-based access control procedure. By default, IEEE 802.1x-based access control and SSL authentication use the same certificate:
If the certificate used for SSL authentication in the configuration file is set to the operator-issued device certificate, the IEEE 802.1x-based access control procedure uses the operator-issued device certificate to authenticate the base station.
If the certificate used for SSL authentication in the configuration file is set to the Huawei-issued device certificate, the IEEE 802.1x-based access control procedure uses the Huawei-issued device certificate to authenticate the base station.
If the SSL authentication method is cryptonym authentication, by default the IEEE 802.1x-based access control procedure uses the Huawei-issued device certificate to authenticate the base station.
During base station deployment using a USB flash drive, the certificate used in the IEEE 802.1x-based access control procedure is specified in the configuration file. Because the base station is preconfigured only with the Huawei-issued device certificate at that stage, the certificate for SSL authentication can be set only to the Huawei-issued device certificate in the configuration file. If the certificate for SSL authentication is set to the operator-issued device certificate, the IEEE 802.1x-based access control procedure fails, because the base station does not yet hold an operator-issued device certificate.
5 Related Features
5.1 Prerequisite Features
GBFD-113526 BTS Supporting PKI
WRFD-140210 NodeB PKI Support
LOFD-003010 Public Key Infrastructure(PKI)
GBFD-118601 Abis over IP
WRFD-050402 IP Transmission Introduction on Iub Interface
5.2 Mutually Exclusive Features
None
5.3 Impacted Features
None
6 Network Impact
6.1 System Capacity
No impact.
6.2 Network Performance
When the Access Control based on 802.1x feature is enabled, the time for base station deployment by PnP is prolonged by up to about 75 seconds. This corresponds to the three EAPoL-Start attempts at 25-second intervals described in section 4.2.1 for a network that does not respond to IEEE 802.1x; when the network does respond, the added delay is only the authentication exchange itself.
7 Engineering Guidelines
This chapter describes how to deploy the Access Control based on 802.1x feature in a newly deployed network.
7.1 When to Use Access Control based on 802.1x
If the operator's transport network is located in an open network, the devices in the transport network are vulnerable to unauthorized access and malicious attacks. In this case, it is recommended that the Access Control based on 802.1x feature be activated to authenticate the users or devices that attempt to access the transport network. This feature prevents unauthorized users and devices from accessing the network and ensures transport network security.
The Access Control based on 802.1x feature uses the Huawei-issued device certificate to authenticate the base station. Therefore, the PKI feature also needs to be activated.
7.2 Required Information
Huawei base stations support only unidirectional EAP-TLS authentication and port-based access control based on the MAC address. Therefore, before you activate the Access Control based on 802.1x feature, check whether the authentication server supports unidirectional EAP-TLS authentication and whether the authentication access equipment supports port-based access control based on the MAC address.
If the customer requires that Access Control based on 802.1x use the Huawei-issued device certificate to authenticate the base station, the operator's PKI infrastructure does not need to be deployed in the network; only the Huawei root certificate needs to be installed on the authentication server.
If the customer requires that Access Control based on 802.1x use the operator-issued device certificate to authenticate the base station, the PKI feature needs to be deployed in the network. For details about how to deploy the PKI feature, see PKI Feature Parameter Description.
7.3 Planning
Hardware Planning
NE | Board Configuration | Board That Provides the Port for Connecting to the Transport Network | Port Type
eGBTS | UMPT | UMPT | Ethernet port
eGBTS | UMPT+UTRPc | UTRPc | Ethernet port
NodeB | UMPT | UMPT | Ethernet port
NodeB | UMPT+UTRPc | UTRPc | Ethernet port
eNodeB | LMPT | LMPT | Ethernet port
eNodeB | UMPT | UMPT | Ethernet port
eNodeB | LMPT+UTRPc or UMPT+UTRPc | UTRPc | Ethernet port
Multimode base station | UMPT | UMPT | Ethernet port
Multimode base station | LMPT | LMPT | Ethernet port
Multimode base station | LMPT+UTRPc or UMPT+UTRPc | UTRPc | Ethernet port
7.4 Deployment on the NodeB/eNodeB/eGBTS Side
Before you activate the Access Control based on 802.1x feature, configure the PKI feature as well as the related managed objects (MOs). For details about how to configure the PKI feature, see the "Engineering Guidelines" section in PKI Feature Parameter Description.
7.4.1 Requirements
Requirements for NEs:
An authentication server has been deployed in the network.
The authentication server supports the EAP protocol defined in RFC 3748 and supports EAP-TLS authentication.
The authentication server is preconfigured with the Huawei root certificate. If the customer requires that the operator-issued device certificate be used for authentication, the operator's root certificate must be preconfigured on the authentication server.
The authentication access equipment supports IEEE 802.1x-based access control and EAP packet processing.
The authentication access equipment supports port-based access control based on the MAC address.
Requirements for licenses:
The license for the PKI feature has been activated.
The license for the Access Control based on 802.1x feature has been activated.
Feature ID | Feature Name | License Control Item | NE | Sales Unit
LOFD-003015 | Access Control based on 802.1x | Access Control based on 802.1x (per eNodeB) | eNodeB | per eNodeB
7.4.2 Data Preparation
Table 7-1 lists the data that needs to be prepared before you activate the Access Control based on 802.1x feature.
NOTE
"-" in Table 7-1 indicates that there is no special requirement for setting the parameter. Set the parameter based on site requirements.
Table 7-1 Data to prepare before activating the Access Control based on 802.1x feature
MO | Parameter Name | Parameter ID | Setting Notes | Data Source
DOT1X | Cabinet No. | CN | - | Network plan
DOT1X | Subrack No. | SRN | - |
DOT1X | Slot No. | SN | - |
DOT1X | Subboard Type | SBT | - |
DOT1X | Port No. | PN | - |
DOT1X | Authentic Method | AM | This parameter indicates the authentication method used by the Access Control based on 802.1x feature. The feature supports EAP-TLS authentication. |
NOTE
When you deploy this feature on a multimode base station, activate it only on the Ethernet port that connects the base station to the transport network. Data preparation and initial configuration for a multimode base station are the same as for a single-mode base station.
Once a base station is in service, IEEE 802.1x-based access control uses the same certificate as SSL authentication. For details about how to configure the certificate for SSL authentication, see the "Engineering Guidelines" section in SSL Feature Parameter Description. If no certificate is configured for SSL authentication, IEEE 802.1x-based access control falls back to the Huawei-issued device certificate by default; in that case the authentication server must trust the Huawei root certificate (see 7.4.1).
7.4.3 Precautions
None
7.4.4 Activation
This section uses the eNodeB as an example to describe how to activate Access Control based on 802.1x by using MML commands or the CME.
Using MML Commands
Run the MML command ACT DOT1X to activate Access Control based on 802.1x on the Ethernet port that connects the base station to the transport network.
MML Command Examples
//Activating Access Control based on 802.1x on the NodeB/eNodeB/eGBTS side
//Activating Access Control based on 802.1x on the Ethernet port that connects the base station to the transport network
ACT DOT1X: CN=0, SRN=0, SN=7, SBT=BASE_BOARD, PN=0, AM=EAP-TLS;
Using the CME to Perform Single Configuration
Set parameters on the CME configuration interface according to the operation sequence described in Table 7-1. For instructions on how to perform the CME single configuration, see CME Single Configuration Operation Guide.
Using the CME to Perform Batch Configuration for Newly Deployed Base Stations
Enter the values of the parameters listed in Table 7-2 into a summary data file, which also contains other data for the new base stations to be deployed. Then, import the summary data file into the CME for batch configuration.
The summary data file may be a scenario-specific file provided by the CME or a customized file, depending on the following conditions:
The MOs in Table 7-2 are contained in a scenario-specific summary data file. In this situation, set the parameters in the MOs, and then verify and save the file.
Some MOs in Table 7-2 are not contained in a scenario-specific summary data file. In this situation, customize a summary data file to include the MOs before you can set the parameters.
Table 7-2 MOs related to Access Control based on 802.1x

MO      Sheet in the Summary Data File   Parameter Group                            Remarks
DOT1X   Common Data                      Port No., Active Sign, Authentic Method    For an Ethernet port on which Access Control based on 802.1x is activated, set Active Sign to ACTIVE.
                                                                                    For an Ethernet port on which Access Control based on 802.1x is deactivated, set Active Sign to DEACTIVE and leave Authentic Method unspecified.
The following documents describe the detailed procedure for batch configuration for each mode:
Section "Creating eGBTSs (by Using a Summary Data File)" in GSM eGBTS Initial Configuration Guide.
Section "Configuring a NodeB (GUI Mode)" in UMTS NodeB Initial Configuration Guide.
Section "Initially Configuring eNodeBs in Batches" in LTE eNodeB Initial Configuration Guide.
eGBTS refers to a base station deployed with UMPT_G.
NodeB refers to a base station deployed with WMPT or UMPT_U.
eNodeB refers to a base station deployed with LMPT or UMPT_L.
Co-MPT multimode base station refers to a base station deployed with UMPT_GU, UMPT_GL, UMPT_UL, or UMPT_GUL; it functionally corresponds to the matching combination of eGBTS, NodeB, and eNodeB. For example, a Co-MPT multimode base station deployed with UMPT_GU functionally corresponds to the combination of eGBTS and NodeB.
Separate-MPT multimode base station refers to a base station on which different modes use different main control boards. For example, a base station deployed with GTMU and WMPT is called a separate-MPT GSM/UMTS dual-mode base station.
Using the CME to Perform Batch Configuration for Existing Base Stations
Batch reconfiguration using the CME is the recommended method to activate a feature on existing base stations. This method reconfigures all data, except neighbor relationships, for multiple base stations in a single procedure. The procedure is as follows:
Step 1 Choose CME > Customize Summary Data File from the main menu of an M2000 client, or choose Advanced > Customize Summary Data File from the main menu of a CME client, to customize a summary data file for batch reconfiguration.
NOTE
For context-sensitive help on a current task in the client, press F1.
Step 2 Choose CME > Base Station Bulk Configuration > Export Data from the main menu of the M2000 client, or choose Advanced > Base Station Bulk Configuration > Export Data from the main menu of the CME client, to export the base station data stored on the CME into the customized summary data file.
Step 3 In the summary data file, set the parameters in the MOs listed in Table 7-2 and close the file.
Step 4 Choose CME > Base Station Bulk Configuration > Import Data from the main menu of the M2000 client, or choose Advanced > Base Station Bulk Configuration > Import Data from the main menu of the CME client, to import the summary data file into the CME.
----End
7.4.5 Activation Observation
Run the DSP DOT1X command to check whether Access Control based on 802.1x is activated on the Ethernet port that connects the base station to the transport network.
Check the value of the Authentic State parameter in the command output. If the value is Authenticate Succeed, the port has passed IEEE 802.1x-based authentication. Also check that Fail Number and Abnormal Packet Number are 0: a non-zero value means that authentication attempts have failed or abnormal EAP packets have been received on the port, and the cause should be investigated (see 7.6 Troubleshooting).
The following is an example:
DSP DOT1X: CN=0, SRN=0, SN=7, SBT=BASE_BOARD, PN=0;
RETCODE = 0 Operation succeeded.
Display 802.1x
--------------
Cabinet No. = 0
Subrack No. = 0
Slot No. = 7
Subboard Type = Base Board
Port No. = 0
Active Sign = Active
Authentic Method = EAP-TLS authentic method
Authentic State = Authenticate Succeed
Authentic Succeed Number = 1
Fail Number = 0
Fail Reason = 0
Send EAP Packet Number = 7
Receive EAP Packet Number = 7
Abnormal Packet Number = 0
(Number of results = 1)
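The check described above can be scripted so that the DSP DOT1X output of many base stations is evaluated the same way. The following Python is an added example, not Huawei code or part of this document: SAMPLE_OUTPUT is constructed from the field names shown in the output above, and the failing port, its Authentic State string and its Fail Reason code are assumed values for illustration (only Authenticate Succeed is documented). Anything other than Authenticate Succeed is treated as not authenticated.

```python
"""Parse DSP DOT1X output and decide, per Ethernet port, whether IEEE 802.1x
authentication has succeeded.  Added example, not Huawei code.  SAMPLE_OUTPUT is
constructed from the field names in section 7.4.5; the second port, its state
string and its Fail Reason value are assumed, not documented."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_OUTPUT = """\
DSP DOT1X: CN=0, SRN=0, SN=7, SBT=BASE_BOARD, PN=0;
RETCODE = 0 Operation succeeded.

Display 802.1x
--------------
Cabinet No. = 0
Subrack No. = 0
Slot No. = 7
Subboard Type = Base Board
Port No. = 0
Active Sign = Active
Authentic Method = EAP-TLS authentic method
Authentic State = Authenticate Succeed
Authentic Succeed Number = 1
Fail Number = 0
Fail Reason = 0
Send EAP Packet Number = 7
Receive EAP Packet Number = 7
Abnormal Packet Number = 0

Cabinet No. = 0
Subrack No. = 0
Slot No. = 7
Subboard Type = Base Board
Port No. = 1
Active Sign = Active
Authentic Method = EAP-TLS authentic method
Authentic State = Authenticate Fail
Authentic Succeed Number = 0
Fail Number = 3
Fail Reason = 1
Send EAP Packet Number = 9
Receive EAP Packet Number = 6
Abnormal Packet Number = 2
(Number of results = 2)
"""

# "Key = Value" lines; the banner, separator, echoed command and result count do not match.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z .]*?)\s*=\s*(?P<value>.*?)\s*$")
EXPECTED_METHOD = "EAP-TLS authentic method"
SUCCESS_STATE = "Authenticate Succeed"


def parse_dsp_dot1x(text: str) -> list[dict[str, str]]:
    """Split the output into one dict per port record; any non-field line ends a record."""
    records: list[dict[str, str]] = []
    current: dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m is None:
            if current:
                records.append(current)
                current = {}
            continue
        current[m.group("key")] = m.group("value")
    if current:
        records.append(current)
    return [r for r in records if "Port No." in r]   # drops the RETCODE pseudo-record


@dataclass
class PortStatus:
    locator: str                                   # CN/SRN/SN/PN
    authenticated: bool
    problems: list[str] = field(default_factory=list)


def check_port(rec: dict[str, str]) -> PortStatus:
    """Checks from 7.4.5: state must be Authenticate Succeed, failure counters zero."""
    locator = "/".join(rec.get(k, "?") for k in ("Cabinet No.", "Subrack No.", "Slot No.", "Port No."))
    problems: list[str] = []
    if rec.get("Active Sign") != "Active":
        problems.append("feature not active on this port")
    if rec.get("Authentic Method") != EXPECTED_METHOD:
        problems.append(f"unexpected method {rec.get('Authentic Method')!r}")
    state = rec.get("Authentic State", "")
    authenticated = state == SUCCESS_STATE
    if not authenticated:
        problems.append(f"authentication state is {state!r}")
    for counter in ("Fail Number", "Abnormal Packet Number"):
        if int(rec.get(counter, "0")) > 0:
            problems.append(f"{counter} = {rec[counter]}")
    return PortStatus(locator, authenticated, problems)


def audit(text: str) -> list[PortStatus]:
    return [check_port(rec) for rec in parse_dsp_dot1x(text)]


if __name__ == "__main__":
    for status in audit(SAMPLE_OUTPUT):
        verdict = "OK" if status.authenticated and not status.problems else "CHECK"
        print(f"{status.locator}: {verdict} {'; '.join(status.problems)}")
```

Feed the script the saved output of DSP DOT1X for each base station; a port is reported OK only when its state is Authenticate Succeed and both failure counters are zero, which is the condition a rollout should gate on before the port is considered in service.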
7.4.6 Deactivation
Using MML Commands
Run the MML command DEA DOT1X to deactivate Access Control based on 802.1x on the Ethernet port that connects the base station to the transport network.
MML Command Examples
//Deactivating Access Control based on 802.1x
DEA DOT1X: SN=7, SBT=BASE_BOARD, PN=0;
Using the CME to Perform Single Configuration
None
Using the CME to Perform Batch Configuration
The procedure for feature deactivation is similar to that for feature activation. The only difference is the parameter setting, which is described in Table 7-2.
7.5 Parameter Optimization
None
7.6 Troubleshooting
After Access Control based on 802.1x is activated, the base station may report ALM-26831 802.1x Authentication Failure.
For details about how to locate and analyze the problem, see the following documents:
eGBTS Alarm Reference
NodeB Alarm Reference
eNodeB Alarm Reference
8 Parameters
Table 8-1 Parameter description

Parameter ID: AM
NE: DBS3900 WCDMA/BTS3900 WCDMA/BTS3900A WCDMA/BTS3900L WCDMA/BTS3900AL WCDMA
MML Command: ACT DOT1X
Feature ID: None
Feature Name: None
Description:
Meaning: Indicates the IEEE 802.1X authentication method. Currently, only Extensible Authentication Protocol Transport Layer Security (EAP-TLS) is supported, and it is used here as a unidirectional authentication method: only the base station (the supplicant) is authenticated to the authentication server, by its device certificate. Note that EAP-TLS as specified in RFC 2716 [3] is capable of mutual certificate-based authentication.
GUI Value Range: EAP-TLS(EAP-TLS authentic method)
Actual Value Range: EAP-TLS
Unit: None
Default Value: EAP-TLS(EAP-TLS authentic method)

Parameter ID: CN
NE: DBS3900 WCDMA/BTS3900 WCDMA/BTS3900A WCDMA/BTS3900L WCDMA/BTS3900AL WCDMA
MML Command: ACT DOT1X, DEA DOT1X
Feature ID: None
Feature Name: None
Description:
Meaning: Indicates the number of the cabinet that provides the port on which IEEE 802.1X authentication is configured.
GUI Value Range: 0~7
Actual Value Range: 0~7
Unit: None
Default Value: 0

Parameter ID: PN
NE: DBS3900 WCDMA/BTS3900 WCDMA/BTS3900A WCDMA/BTS3900L WCDMA/BTS3900AL WCDMA
MML Command: ACT DOT1X, DEA DOT1X
Feature ID: None
Feature Name: None
Description:
Meaning: Indicates the number of the port on which IEEE 802.1X authentication is configured.
GUI Value Range: 0~5
Actual Value Range: 0~5
Unit: None
Default Value: None

Parameter ID: SBT
NE: DBS3900 WCDMA/BTS3900 WCDMA/BTS3900A WCDMA/BTS3900L WCDMA/BTS3900AL WCDMA
MML Command: ACT DOT1X, DEA DOT1X
Feature ID: None
Feature Name: None
Description:
Meaning: Indicates the type of sub-board that provides the port on which IEEE 802.1X authentication is configured.
GUI Value Range: BASE_BOARD(Base Board), ETH_COVERBOARD(Ethernet Cover Board)
Actual Value Range: BASE_BOARD, ETH_COVERBOARD
Unit: None
Default Value: None

Parameter ID: SN
NE: DBS3900 WCDMA/BTS3900 WCDMA/BTS3900A WCDMA/BTS3900L WCDMA/BTS3900AL WCDMA
MML Command: ACT DOT1X, DEA DOT1X
Feature ID: None
Feature Name: None
Description:
Meaning: Indicates the number of the slot that provides the port on which IEEE 802.1X authentication is configured.
GUI Value Range: 0~7
Actual Value Range: 0~7
Unit: None
Default Value: None

Parameter ID: SRN
NE: DBS3900 WCDMA/BTS3900 WCDMA/BTS3900A WCDMA/BTS3900L WCDMA/BTS3900AL WCDMA
MML Command: ACT DOT1X, DEA DOT1X
Feature ID: None
Feature Name: None
Description:
Meaning: Indicates the number of the subrack that provides the port on which IEEE 802.1X authentication is configured.
GUI Value Range: 0~1
Actual Value Range: 0~1
Unit: None
Default Value: 0
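When ACT DOT1X and DEA DOT1X (sections 7.4.4 and 7.4.6) are generated for many ports from a port plan, the value ranges in Table 8-1 are worth enforcing before any command is sent, so that one out-of-range entry does not stop a batch halfway. The following Python is an added example, not Huawei tooling: it only renders MML strings and validates them against Table 8-1; the port plan is constructed, and the second port (PN=1) is an assumed port that does not appear in this document.

```python
"""Render ACT DOT1X / DEA DOT1X commands from a port plan, rejecting values
outside the ranges given in Table 8-1.  Added example, not Huawei tooling:
it builds MML strings only and does not talk to the LMT or M2000."""
from __future__ import annotations

# Value ranges and enumerations from Table 8-1.
RANGES = {"CN": range(0, 8), "SRN": range(0, 2), "SN": range(0, 8), "PN": range(0, 6)}
SUBBOARD_TYPES = ("BASE_BOARD", "ETH_COVERBOARD")
AUTH_METHODS = ("EAP-TLS",)          # the only value Table 8-1 allows for AM
DEFAULTS = {"CN": 0, "SRN": 0}       # CN and SRN default to 0; SN, SBT and PN have no default


def validate_port(port: dict) -> dict:
    """Apply defaults and check every locator field; raise ValueError on the first bad one."""
    p = {**DEFAULTS, **port}
    for key, allowed in RANGES.items():
        if key not in p:
            raise ValueError(f"{key} is mandatory and has no default")
        value = p[key]
        if isinstance(value, bool) or not isinstance(value, int) or value not in allowed:
            raise ValueError(f"{key}={value!r} outside {allowed.start}~{allowed.stop - 1}")
    if p.get("SBT") not in SUBBOARD_TYPES:
        raise ValueError(f"SBT={p.get('SBT')!r} must be one of {SUBBOARD_TYPES}")
    return p


def is_valid_port(port: dict) -> bool:
    try:
        validate_port(port)
        return True
    except ValueError:
        return False


def _locator(p: dict) -> str:
    return f"CN={p['CN']}, SRN={p['SRN']}, SN={p['SN']}, SBT={p['SBT']}, PN={p['PN']}"


def act_dot1x(port: dict, am: str = "EAP-TLS") -> str:
    if am not in AUTH_METHODS:
        raise ValueError(f"AM={am!r} not supported; Table 8-1 allows only {AUTH_METHODS}")
    return f"ACT DOT1X: {_locator(validate_port(port))}, AM={am};"


def dea_dot1x(port: dict) -> str:
    # CN and SRN are written out explicitly; the document's DEA example relies on their defaults.
    return f"DEA DOT1X: {_locator(validate_port(port))};"


def build_commands(plan: list[dict]) -> list[str]:
    """Each plan entry carries the locator fields plus "active": True/False.
    The whole plan is validated before any command is rendered, so a bad row
    cannot produce a half-applied script."""
    for entry in plan:
        validate_port(entry)
    return [act_dot1x(e) if e.get("active", True) else dea_dot1x(e) for e in plan]


# Constructed plan: the transport-facing port from the document's example (slot 7,
# port 0) is enabled; port 1 on the same board is an assumed port and is disabled.
EXAMPLE_PLAN = [
    {"SN": 7, "SBT": "BASE_BOARD", "PN": 0, "active": True},
    {"SN": 7, "SBT": "BASE_BOARD", "PN": 1, "active": False},
]

if __name__ == "__main__":
    for cmd in build_commands(EXAMPLE_PLAN):
        print(cmd)
```

The validation is deliberately strict about types as well as ranges (a bool or a string "7" is rejected), because summary data files and spreadsheets tend to produce exactly those values, and an MML parser will not always reject them as clearly.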
9 Counters
There are no specific counters associated with this feature.
10 Glossary
For the acronyms, abbreviations, terms, and definitions, see Glossary.
11 Reference Documents
[1] IETF RFC 3748, "Extensible Authentication Protocol (EAP)"
[2] IEEE Std 802.1X-2004, "Port-Based Network Access Control"
[3] IETF RFC 2716, "PPP EAP TLS Authentication Protocol"
[4] SingleRAN PKI Feature Parameter Description