Access Control Based on 802.1x (SRAN8.0_03)

SingleRAN

Access Control based on 802.1x Feature Parameter Description

Issue 03

Date 2014-03-31

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2014. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Issue 03 (2014-03-31) Huawei Proprietary and Confidential. Copyright © Huawei Technologies Co., Ltd.


Contents

1 About This Document
  1.1 Scope
  1.2 Intended Audience
  1.3 Change History
  1.4 Differences Between Base Station Types
2 Overview
3 Technical Description
  3.1 Operating Principle
  3.2 Protocol Stacks
4 Application of Access Control based on 802.1x
  4.1 Typical Network Topology
  4.2 Auto-Discovery with Access Control based on 802.1x
    4.2.1 Automatic Base Station Deployment by PnP
    4.2.2 Application on Existing Base Stations
5 Related Features
6 Network Impact
7 Engineering Guidelines
  7.1 When to Use Access Control based on 802.1x
  7.2 Required Information
  7.3 Planning
  7.4 Deployment on the NodeB/eNodeB/eGBTS Side
    7.4.1 Requirements
    7.4.2 Data Preparation
    7.4.3 Precautions
    7.4.4 Activation
    7.4.5 Activation Observation
    7.4.6 Deactivation
  7.5 Performance Monitoring
  7.6 Parameter Optimization
  7.7 Troubleshooting
8 Parameters
9 Counters
10 Glossary
11 Reference Documents

1 About This Document

1.1 Scope

This document describes Access Control based on 802.1x, including its technical principles, related features, network impact, and engineering guidelines.

This document covers the following features:

LOFD-003015 Access Control based on 802.1x.

1.2 Intended Audience

This document is intended for personnel who:

- Need to understand the features described herein.
- Work with Huawei products.

1.3 Change History

This section provides information about the changes in different document versions. There are two types of changes, which are defined as follows:

- Feature change: changes in features of a specific product version
- Editorial change: changes in wording or addition of information that was not described in the earlier version

SRAN8.0 03 (2014-03-31)

This issue includes the following changes.

| Change Type | Change Description | Parameter Change |
| Feature change | None | None |
| Editorial change | Added the descriptions about the feature and function differences between different site types. For details, see section 1.4 Differences Between Base Station Types. | None |

SRAN8.0 02 (2013-07-30)

This issue includes the following changes.

| Change Type | Change Description | Parameter Change |
| Feature change | None | None |
| Editorial change | Deleted the descriptions of micro base stations' support for Access Control based on 802.1x. | None |

SRAN8.0 01 (2013-04-28)

This issue does not include any changes.

SRAN8.0 Draft B (2013-04-10)

This issue includes the following changes.

| Change Type | Change Description | Parameter Change |
| Feature change | Added the descriptions of micro base stations' support for Access Control based on 802.1x. | None |
| Editorial change | None | None |

SRAN8.0 Draft A (2012-12-30)

This document is created for SRAN8.0.

1.4 Differences Between Base Station Types

Feature Support by Macro, Micro, and LampSite Base Stations

None.

Function Implementation in Macro, Micro, and LampSite Base Stations

Working in either UMTS only or LTE FDD only mode, micro base stations do not support GSM, multimode, co-MPT, or separate-MPT scenarios. As integrated entities, micro base stations do not involve such concepts as boards, cabinets, subracks, slots, or RRUs.


2 Overview

IEEE 802.1x is an IEEE standard for port-based network access control. It is part of the IEEE 802 group of networking protocols. With port-based network access control, the authentication access equipment in the local area network (LAN) performs identity authentication and access control on users or devices connected to its ports. Only the users or devices that can be authenticated are allowed to access the LAN through the ports. Access Control based on 802.1x prevents unauthorized users or devices from accessing the network, which ensures transport network security.

Huawei base stations support Access Control based on 802.1x. The authentication is unidirectional and is based on Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). That is, the authentication server performs unidirectional authentication on the digital certificates of base stations. Figure 2-1 shows the network topology for Access Control based on 802.1x.

Figure 2-1 Network topology for Access Control based on 802.1x


3 Technical Description

3.1 Operating Principle

Access Control based on 802.1x usually adopts the client/server architecture, as shown in Figure 2-1. The authentication access equipment receives authentication packets from users or devices and then forwards the packets to the authentication server. The authentication server authenticates the identities of the users or devices. If the authentication succeeds, the data flow of the users or devices can pass through the ports of the authentication access equipment.

Access Control based on 802.1x involves the following components:

- Authentication client (a device to be authenticated, such as a base station): initiates an 802.1x-based access control procedure. An authentication client is also referred to as a supplicant. To support port-based access control, the authentication client needs to support the Extensible Authentication Protocol over LAN (EAPoL).

- Authentication access equipment (such as a LAN switch): receives and forwards EAP authentication packets between the base station and authentication server at the Media Access Control (MAC) layer. Authentication access equipment is also referred to as an authenticator. The authentication access equipment also controls the status (authorized or unauthorized) of controlled ports based on the authentication result at the authentication server.

- Authentication server: performs authentication on clients. The servers commonly used are Remote Authentication Dial In User Service (RADIUS) and Authentication, Authorization and Accounting (AAA) servers.

NOTE

The functions of RADIUS and AAA servers are similar. This document uses the RADIUS server as an example to describe Access Control based on 802.1x.

Figure 3-1 shows the operating principle of Access Control based on 802.1x.


Figure 3-1 Operating principle of Access Control based on 802.1x

NOTE

Port access entity (PAE) is a port-related protocol entity that processes protocol packets during an authentication procedure.

A physical Ethernet port of the authentication access equipment consists of two logical ports: one controlled port and one uncontrolled port.

- Controlled port: A controlled port can be in the unauthorized or authorized state, depending on the authentication result at the authentication server.
  - A controlled port in the authorized state is in the bidirectional connectivity state and data flow can pass through the port.
  - A controlled port in the unauthorized state does not allow any data to pass through.

- Uncontrolled port: An uncontrolled port is always in the bidirectional connectivity state. Only EAPoL packets can pass through an uncontrolled port. This ensures that the authentication client can always transmit and receive authentication packets.

During initial access, the base station is not authenticated, and therefore the controlled port is in the unauthorized state. At this point, only EAPoL packets can pass through the uncontrolled port and be sent to the authentication server. After the authentication server authenticates the base station and the authentication access equipment authorizes the controlled port, the controlled port becomes authorized and data from the base station can pass through the controlled port in the authorized state. This process ensures that only authorized users and devices can access the network.

Port-based access control can be based on a physical port (such as the MAC address) or a logical port (such as the VLAN). Huawei base stations support only port-based access control based on the MAC address. That is, the authentication message sent by a base station contains the MAC address of the Ethernet port that connects the base station to the transport network. If authentication succeeds, the authentication access equipment performs access control on data flow based on this MAC address.

For details about IEEE 802.1x-based access control, see IEEE 802.1x-2004 [1].
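The two-logical-port model and the MAC-based control described above, as an added Python model that is not part of this Huawei document and is neither the base station's nor a switch's code. It assumes an authenticator port that keeps a set of authenticated MAC addresses (a constructed design; `AuthenticatorPort`, `Frame` and `simulate` are hypothetical names), always passes EtherType 0x888E frames through the uncontrolled port, and compares the MAC-based mode the document describes with plain port-based control, to show what changes when a second, unauthenticated device sits behind the same switch port:

```python
"""Model of one physical 802.1X authenticator port split into its two logical ports.

Constructed example for this feature description; not Huawei or switch-vendor code.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

EAPOL_ETHERTYPE = 0x888E   # EAP over LAN: the only traffic the uncontrolled port passes
IPV4_ETHERTYPE = 0x0800    # everything else (DHCP, OM traffic, user plane) needs the controlled port


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    note: str = ""           # label used only for the simulation log


@dataclass
class AuthenticatorPort:
    """One physical Ethernet port on the authenticator (for example a LAN switch).

    mac_based=True models the MAC-address variant the document says Huawei base stations
    rely on: the controlled port is opened only for MAC addresses that were authenticated.
    mac_based=False models plain port-based control, where one successful supplicant opens
    the port for every MAC address behind it.
    """
    mac_based: bool = True
    authorized_macs: Set[str] = field(default_factory=set)

    def apply_auth_result(self, mac: str, success: bool) -> None:
        """Authorize or de-authorize the controlled port for one supplicant MAC."""
        if success:
            self.authorized_macs.add(mac.lower())
        else:
            self.authorized_macs.discard(mac.lower())

    def forward(self, frame: Frame) -> str:
        """Return the logical port that forwards the frame, or 'dropped'."""
        if frame.ethertype == EAPOL_ETHERTYPE:
            return "uncontrolled"            # always open, so a supplicant can always authenticate
        if not self.authorized_macs:
            return "dropped"                 # controlled port in the unauthorized state
        if self.mac_based and frame.src_mac.lower() not in self.authorized_macs:
            return "dropped"                 # port authorized, but not for this MAC address
        return "controlled"


def simulate(mac_based: bool = True) -> List[Tuple[str, str]]:
    """Constructed traffic sequence: a base station authenticates, a second device does not."""
    base_station = "00-11-22-33-44-55"       # constructed MAC of the transport-side Ethernet port
    other_device = "de-ad-be-ef-00-01"       # constructed MAC of an unauthenticated device on the same port
    port = AuthenticatorPort(mac_based=mac_based)
    log: List[Tuple[str, str]] = []

    def send(frame: Frame) -> None:
        log.append((frame.note, port.forward(frame)))

    send(Frame(base_station, IPV4_ETHERTYPE, "DHCP Discover before authentication"))
    send(Frame(base_station, EAPOL_ETHERTYPE, "EAPoL-Start from base station"))
    port.apply_auth_result(base_station, True)   # RADIUS accepted the base station certificate
    send(Frame(base_station, IPV4_ETHERTYPE, "DHCP Discover after authentication"))
    send(Frame(other_device, IPV4_ETHERTYPE, "data from unauthenticated device on same port"))
    send(Frame(other_device, EAPOL_ETHERTYPE, "EAPoL-Start from unauthenticated device"))
    port.apply_auth_result(base_station, False)  # base station logged off or re-authentication failed
    send(Frame(base_station, IPV4_ETHERTYPE, "data after de-authorization"))
    return log


if __name__ == "__main__":
    for note, result in simulate():
        print(f"{result:<12} {note}")
```

Running `simulate(True)` drops the base station's DHCP Discover until the certificate is accepted, passes it afterwards, and still drops data from the second device while letting its EAPoL-Start through; `simulate(False)` differs in exactly one step, the second device's data is forwarded once the base station has authenticated. That single difference is why the document's requirement that the authentication access equipment support MAC-based control (section 7.2) matters on a shared port.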

3.2 Protocol Stacks

In IEEE 802.1x-based access control, the authentication client and the authentication server exchange authentication messages using the EAP protocol. Between the authentication client and the authentication access equipment, EAP data is encapsulated in EAPoL frames so that the data can be transmitted in the LAN. Between the authentication access equipment and the authentication server, EAPoL frames are re-encapsulated in EAP over RADIUS (EAPoR) frames so that the data can be transmitted using the RADIUS protocol.

Figure 3-2 shows the protocol stacks for Access Control based on 802.1x.

Figure 3-2 Protocol stacks for Access Control based on 802.1x

Access Control based on 802.1x uses the EAP protocol for authentication. The EAP protocol supports multiple authentication methods. Huawei base stations adopt unidirectional EAP-TLS authentication, that is, the authentication server authenticates base stations using digital certificates. The AM parameter specifies the authentication method used by IEEE 802.1x-based access control.

In an IEEE 802.1x-based access control procedure, the base station sends its digital certificate to the RADIUS server in an EAPoL frame. The RADIUS server authenticates the base station by using the Huawei root certificate or the operator's root certificate.

For details about the EAP protocol, see RFC 3748.

For details about the EAP-TLS protocol, see RFC 2716.
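The layering of Figure 3-2 on the supplicant/authenticator leg, as an added example that is not from this document or from Huawei: it builds and parses EAPoL frames carrying EAP packets, using the field layouts of IEEE 802.1X (EAPoL header) and RFC 3748 (EAP header), with EAP-TLS as method type 13 per RFC 2716. The MAC addresses, the identity string, the EAPoL version value and all function names are constructed assumptions; the PAE group address 01-80-C2-00-00-03 is the one the document gives for EAPoL-Start in section 4.2.1. The parser refuses frames whose length fields run past the buffer, which is the check an authenticator, or a monitoring tap on the switch port, should make before acting on a frame.

```python
"""Encode and decode EAPoL frames and the EAP packets they carry.

Constructed example; not from the Huawei document.  Field layouts follow IEEE 802.1X
(EAPoL header) and RFC 3748 (EAP header); EAP-TLS method type 13 is from RFC 2716.
"""
import struct
from typing import Dict, List, Optional

EAPOL_ETHERTYPE = 0x888E
EAPOL_VERSION = 2                      # IEEE 802.1X-2004 protocol version (assumed for this example)
PAE_GROUP_MAC = "01-80-c2-00-00-03"    # destination of EAPoL-Start, per the NOTE in section 4.2.1

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS"}
EAP_TLS_START_FLAG = 0x20              # S bit of the EAP-TLS flags octet


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.replace(":", "-").split("-"))


def bytes_to_mac(raw: bytes) -> str:
    return "-".join(f"{b:02x}" for b in raw)


def build_eap(code: int, identifier: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]; Success/Failure carry no Type."""
    type_part = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(type_part)) + type_part


def build_eapol(dst: str, src: str, eapol_type: int, body: bytes = b"") -> bytes:
    """Ethernet header, then EAPoL header Version(1) Type(1) Length(2), then the body."""
    header = struct.pack("!HBBH", EAPOL_ETHERTYPE, EAPOL_VERSION, eapol_type, len(body))
    return mac_to_bytes(dst) + mac_to_bytes(src) + header + body


def parse_eapol(raw: bytes) -> Dict:
    """Decode one frame, rejecting anything whose length fields do not fit the buffer."""
    if len(raw) < 18:
        raise ValueError("frame too short for Ethernet + EAPoL headers")
    ethertype, version, eapol_type, length = struct.unpack("!HBBH", raw[12:18])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not EAPoL: ethertype 0x{ethertype:04x}")
    body = raw[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPoL length field exceeds the frame")
    dst = bytes_to_mac(raw[:6])
    frame: Dict = {
        "dst": dst, "src": bytes_to_mac(raw[6:12]), "version": version,
        "eapol_type": EAPOL_TYPES.get(eapol_type, eapol_type),
        "multicast": dst == PAE_GROUP_MAC,
    }
    if eapol_type == 0:                                   # EAP-Packet: decode the EAP layer too
        if length < 4:
            raise ValueError("EAP packet shorter than its 4-octet header")
        code, identifier, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > length:
            raise ValueError("EAP length field inconsistent with EAPoL body")
        eap: Dict = {"code": EAP_CODES.get(code, code), "id": identifier}
        if code in (1, 2) and eap_len >= 5:               # Request/Response carry a Type octet
            eap["type"] = EAP_TYPES.get(body[4], body[4])
            eap["data"] = body[5:eap_len]
        frame["eap"] = eap
    return frame


def is_well_formed(raw: bytes) -> bool:
    try:
        parse_eapol(raw)
        return True
    except ValueError:
        return False


def example_exchange(bs_mac: str = "00-11-22-33-44-55",
                     switch_mac: str = "66-77-88-99-aa-bb") -> List[Dict]:
    """Constructed frames for the first steps of the supplicant/authenticator leg (MACs are made up)."""
    frames = [
        build_eapol(PAE_GROUP_MAC, bs_mac, 1),                                      # EAPoL-Start, multicast
        build_eapol(bs_mac, switch_mac, 0, build_eap(1, 1, 1)),                    # EAP-Request/Identity
        build_eapol(switch_mac, bs_mac, 0, build_eap(2, 1, 1, b"base-station")),   # EAP-Response/Identity
        build_eapol(bs_mac, switch_mac, 0, build_eap(1, 2, 13, bytes([EAP_TLS_START_FLAG]))),  # EAP-TLS Start
    ]
    return [parse_eapol(f) for f in frames]
```

Only the first frame is addressed to the PAE group MAC; every later frame is unicast between the base station and the authenticator, matching the NOTE in section 4.2.1. The TLS handshake records that carry the base station's certificate would follow as further EAP-Request/Response pairs of type 13, fragmented by the EAP-TLS flags octet; the authenticator never inspects them, it only relays them to RADIUS as EAPoR.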

4 Application of Access Control based on 802.1x

This chapter describes the application of IEEE 802.1x-based access control on a base station.


4.1 Typical Network Topology

To implement IEEE 802.1x-based access control, an authentication server and authentication access equipment (generally a LAN switch directly connected to the base station) supporting IEEE 802.1x-based access control need to be deployed in the network. Because Huawei base stations adopt unidirectional EAP-TLS authentication based on IEEE 802.1x and are preconfigured with Huawei-issued device certificates and Huawei root certificates before delivery, the authentication server needs to be preconfigured with the Huawei root certificate. Figure 4-1 shows a typical network topology for IEEE 802.1x-based access control.

Figure 4-1 Typical network topology for IEEE 802.1x-based access control

IEEE 802.1x-based access control of Ethernet ports can be activated by using the ACT DOT1X command and deactivated by using the DEA DOT1X command. By default, IEEE 802.1x-based access control is activated on Ethernet ports of base stations before delivery.

4.2 Auto-Discovery with Access Control based on 802.1x

4.2.1 Automatic Base Station Deployment by PnP

When Access Control based on 802.1x is activated in the network, a base station must pass the IEEE 802.1x-based authentication before automatic deployment by plug and play (PnP). To ensure the base station's adaptability to the network, after being powered on, Huawei base stations perform as follows depending on network conditions:

- If the network supports IEEE 802.1x-based access control, and IEEE 802.1x-based access control is activated on the Ethernet port that connects the base station to the transport network:

  The base station initiates an IEEE 802.1x-based access control procedure. After the IEEE 802.1x-based access control succeeds, the base station sends a Dynamic Host Configuration Protocol (DHCP) Discover packet to the authentication access equipment to start the DHCP procedure. After the DHCP procedure is complete, the automatic base station deployment procedure starts.

- If the network supports IEEE 802.1x-based access control, but IEEE 802.1x-based access control is deactivated on the Ethernet port that connects the base station to the transport network:

  The base station does not initiate an IEEE 802.1x-based access control procedure. Instead, the base station first sends a DHCP Discover packet and the DHCP module queries whether IEEE 802.1x-based access control is activated on the Ethernet port that connects the base station to the transport network. If IEEE 802.1x-based access control is deactivated and authentication is not performed, the base station triggers an IEEE 802.1x-based access control procedure. Because the network uses IEEE 802.1x-based access control, the DHCP Discover packet cannot pass through the authentication access equipment, and therefore the DHCP procedure fails. The base station waits for the authentication result. After the IEEE 802.1x-based access control succeeds, the base station resends a DHCP Discover packet. After the DHCP procedure is complete, the automatic base station deployment procedure starts.

  For example, the main control board of the base station has an incorrect configuration file, in which IEEE 802.1x-based access control is deactivated on the Ethernet port that connects the base station to the transport network. In this case, the DHCP procedure triggers the IEEE 802.1x-based access control procedure during automatic base station deployment.

- If the network does not support IEEE 802.1x-based access control, and IEEE 802.1x-based access control is activated on the Ethernet port that connects the base station to the transport network:

  The base station initiates the IEEE 802.1x-based access control procedure three times at an interval of 25 seconds. If the base station does not receive any response from the network, the base station determines that the network does not support IEEE 802.1x-based access control. The base station then sends a DHCP Discover packet. The DHCP Discover packet can pass through the authentication access equipment. After the DHCP procedure is complete, the automatic base station deployment procedure starts.

The rest of this section describes automatic base station deployment by PnP in the preceding three scenarios.

NOTE

During automatic base station deployment by PnP, the IEEE 802.1x-based access control procedure uses the preconfigured Huawei-issued device certificate of the base station for authentication.

Scenario 1

Figure 4-2 shows automatic base station deployment when the network supports IEEE 802.1x-based access control and IEEE 802.1x-based access control is activated on the Ethernet port that connects the base station to the transport network.


Figure 4-2 Automatic base station deployment (1)

The automatic base station deployment procedure in this scenario is as follows:

1. After the base station is powered on, it sends an EAPoL-Start packet to the authentication access equipment, to initiate an IEEE 802.1x-based access control procedure.

2. The base station, authentication access equipment, and authentication server perform the IEEE 802.1x-based access control procedure. The base station can initiate the IEEE 802.1x-based access control procedure on the same Ethernet port a maximum of three times at an interval of 25 seconds.

3. If the IEEE 802.1x-based access control procedure succeeds, the base station initiates a DHCP procedure. After the DHCP procedure is complete, the automatic base station deployment procedure starts.

4. If the IEEE 802.1x-based access control procedure fails, the base station initiates a DHCP procedure. However, the base station does not receive any response to the DHCP procedure, and therefore the DHCP procedure fails. The base station attempts to initiate IEEE 802.1x-based access control and DHCP procedures on the next Ethernet port.

NOTE

In the IEEE 802.1x-based access control procedure, the EAPoL-Start packet is a multicast packet and its destination MAC address is 01-80-C2-00-00-03; other packets are unicast packets.

Scenario 2

Figure 4-3 shows automatic base station deployment when the network supports IEEE 802.1x-based access control but IEEE 802.1x-based access control is deactivated on the Ethernet port that connects the base station to the transport network.

Figure 4-3 Automatic base station deployment (2)

The automatic base station deployment procedure in this scenario is as follows:

1. After a base station is powered on, it sends a DHCP Discover packet to the authentication access equipment because IEEE 802.1x-based access control is deactivated on the Ethernet port that connects the base station to the transport network.

2. The DHCP module queries whether IEEE 802.1x-based access control is activated on the Ethernet port that connects the base station to the transport network. If IEEE 802.1x-based access control is deactivated and authentication is not performed, the base station triggers an IEEE 802.1x-based access control procedure on this Ethernet port.

3. Because the controlled port of the authentication access equipment is in the unauthorized state, the base station does not receive any DHCP response. The DHCP procedure fails. The base station waits for the authentication result.

4. When the IEEE 802.1x-based access control procedure succeeds, the base station resends a DHCP Discover packet through the Ethernet port. After the DHCP procedure is complete, the automatic base station deployment procedure starts.

Scenario 3

Figure 4-4 shows automatic base station deployment when the network does not support IEEE 802.1x-based access control and IEEE 802.1x-based access control is activated on the Ethernet port that connects the base station to the transport network.


Figure 4-4 Automatic base station deployment (3)

The automatic base station deployment procedure in this scenario is as follows:

1. After the base station is powered on, it initiates an IEEE 802.1x-based access control procedure. The base station resends the EAPoL-Start packet three times at an interval of 25 seconds but does not receive any response. Therefore, the base station determines that the network does not support IEEE 802.1x-based access control.

2. The base station sends a DHCP Discover packet to the authentication access equipment.

3. After the DHCP procedure is complete, the automatic base station deployment procedure starts.
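The three start-up scenarios and the retry figures above (three EAPoL-Start attempts, 25 seconds apart), as an added simulation that is not Huawei code and not from this document. `Network`, `PnpRun`, `run_dot1x` and `pnp_startup` are constructed names; `Network` is a test double standing in for the authenticator and RADIUS side, and timing is idealised so that an answer costs nothing and an unanswered EAPoL-Start costs one retry interval. The scenario 2 path on a network that does not enforce 802.1x, and the outcome when the triggered procedure fails, are not described in the document and are marked as assumptions in the code. The 75-second result for scenario 3 is the same figure section 6 gives for the PnP delay.

```python
"""Supplicant-side start-up logic for the three PnP scenarios of section 4.2.1.

Constructed simulation; not Huawei code.  Timing is idealised: an answer arrives at
once, an unanswered EAPoL-Start costs one retry interval.
"""
from dataclasses import dataclass, field
from typing import List, Optional

DOT1X_MAX_ATTEMPTS = 3        # EAPoL-Start attempts per Ethernet port (from the document)
DOT1X_RETRY_INTERVAL_S = 25   # seconds between attempts (from the document)


@dataclass
class Network:
    """Test double for the authenticator and RADIUS server side."""
    enforces_dot1x: bool       # authenticator present and 802.1X enforced on the switch port
    auth_result: bool = True   # RADIUS verdict on the base station's device certificate

    def answer_eapol_start(self) -> Optional[bool]:
        # A network without 802.1X never answers; that silence is what the supplicant times out on.
        return self.auth_result if self.enforces_dot1x else None

    def passes_dhcp(self, port_authorized: bool) -> bool:
        # DHCP Discover only crosses an authorized controlled port, or a network not enforcing 802.1X.
        return port_authorized or not self.enforces_dot1x


@dataclass
class PnpRun:
    events: List[str] = field(default_factory=list)
    elapsed_s: int = 0
    outcome: str = ""


def run_dot1x(net: Network, run: PnpRun) -> Optional[bool]:
    """Up to three EAPoL-Start attempts 25 s apart; None when nothing ever answers."""
    for attempt in range(1, DOT1X_MAX_ATTEMPTS + 1):
        run.events.append(f"EAPoL-Start #{attempt}")
        verdict = net.answer_eapol_start()
        if verdict is not None:
            run.events.append("802.1X success" if verdict else "802.1X failure")
            return verdict
        run.elapsed_s += DOT1X_RETRY_INTERVAL_S
    run.events.append("no 802.1X response: network treated as not supporting 802.1X")
    return None


def pnp_startup(net: Network, dot1x_activated_on_port: bool) -> PnpRun:
    """Decide, as the base station does after power-on, whether PnP deployment can start."""
    run = PnpRun()
    if dot1x_activated_on_port:
        # Scenarios 1 and 3: authenticate first, then DHCP.
        verdict = run_dot1x(net, run)
        if verdict is False:
            # Scenario 1, step 4: DHCP is still tried, gets no answer, and the next port is used.
            run.events.append("DHCP Discover (no response)")
            run.outcome = "DHCP failed; try next Ethernet port"
            return run
        run.events.append("DHCP Discover")
        started = net.passes_dhcp(verdict is True)
        run.outcome = "PnP deployment started" if started else "DHCP failed; try next Ethernet port"
        return run

    # Scenario 2: the port configuration says 802.1X is deactivated, so DHCP goes first and the
    # DHCP module triggers 802.1X because the port has not been authenticated.
    run.events.append("DHCP Discover")
    run.events.append("DHCP module triggers 802.1X (deactivated on port, not authenticated)")
    if net.passes_dhcp(False):
        run.outcome = "PnP deployment started"   # assumption: combination not covered by the document
        return run
    run.events.append("DHCP failed (controlled port unauthorized); waiting for 802.1X result")
    if run_dot1x(net, run) is True:
        run.events.append("DHCP Discover (resend)")
        run.outcome = "PnP deployment started"
    else:
        run.outcome = "802.1X failed; deployment not started"   # assumption: not covered by the document
    return run


if __name__ == "__main__":
    for label, net, activated in [
        ("scenario 1", Network(enforces_dot1x=True), True),
        ("scenario 2", Network(enforces_dot1x=True), False),
        ("scenario 3", Network(enforces_dot1x=False), True),
    ]:
        run = pnp_startup(net, activated)
        print(f"{label}: {run.outcome} after {run.elapsed_s} s; {' -> '.join(run.events)}")
```

The interesting case for an operator is scenario 3: a port with 802.1x activated behind a switch that never answers costs three retry intervals before DHCP is even attempted, which is where the roughly 75-second PnP delay of section 6 comes from. The event lists are what one would expect to see, in the same order, on the switch port and the RADIUS server when checking a deployment that is slower than expected.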

4.2.2 Application on Existing Base Stations

After a base station obtains the configuration file, it restarts. If the state of its Ethernet port changes from DOWN to UP and IEEE 802.1x-based access control is activated on this Ethernet port, the base station initiates an IEEE 802.1x-based access control procedure. By default, IEEE 802.1x-based access control and SSL authentication use the same certificate:

- If the certificate used for SSL authentication in the configuration file is set to the operator-issued device certificate, the IEEE 802.1x-based access control procedure uses the operator-issued device certificate to authenticate the base station.

- If the certificate used for SSL authentication in the configuration file is set to the Huawei-issued device certificate, the IEEE 802.1x-based access control procedure uses the Huawei-issued device certificate to authenticate the base station.

- If the SSL authentication method is cryptonym authentication, by default the IEEE 802.1x-based access control procedure uses the Huawei-issued device certificate to authenticate the base station.

NOTE

During base station deployment using a USB flash drive, the certificate used in the IEEE 802.1x-based access control procedure is specified in the configuration file. Because the base station is preconfigured with the Huawei-issued device certificate, the certificate for SSL authentication can be set only to the Huawei-issued device certificate in the configuration file. If the certificate for SSL authentication is set to the operator-issued device certificate, the IEEE 802.1x-based access control procedure fails.


5 Related Features

Prerequisite Features

- GBFD-113526 BTS Supporting PKI
- WRFD-140210 NodeB PKI Support
- LOFD-003010 Public Key Infrastructure (PKI)
- GBFD-118601 Abis over IP
- WRFD-050402 IP Transmission Introduction on Iub Interface

Mutually Exclusive Features

None

Impacted Features

None


6 Network Impact

System Capacity

No impact.

Network Performance

When the Access Control based on 802.1x feature is enabled, the time for base station deployment by PnP is prolonged by about 75 seconds.


7 Engineering Guidelines

This chapter describes how to deploy the Access Control based on 802.1x feature in a newly deployed network.


7.1 When to Use Access Control based on 802.1x

If the operator's transport network is located in an open network, the devices in the transport network are vulnerable to unauthorized access and malicious attacks. In this case, it is recommended that the Access Control based on 802.1x feature be activated to authenticate the users or devices that attempt to access the transport network. This feature prevents unauthorized users and devices from accessing the network and ensures transport network security.

The Access Control based on 802.1x feature uses the Huawei-issued device certificate to authenticate the base station. Therefore, the PKI feature also needs to be activated.

7.2 Required Information

Huawei base stations support only unidirectional EAP-TLS authentication and port-based access control based on the MAC address. Therefore, before you activate the Access Control based on 802.1x feature, check whether the authentication server supports unidirectional EAP-TLS authentication and whether the authentication access equipment supports port-based access control based on the MAC address.

- If the customer requires that Access Control based on 802.1x use the Huawei-issued device certificate to authenticate the base station, the PKI feature does not need to be deployed in the network.

- If the customer requires that Access Control based on 802.1x use the operator-issued device certificate to authenticate the base station, the PKI feature needs to be deployed in the network. For details about how to deploy the PKI feature, see PKI Feature Parameter Description.

7.3 Planning

Hardware Planning

NE                     | Board Configuration      | Board That Provides a Port for Connecting to the Transport Network | Port Type
eGBTS                  | UMPT                     | UMPT  | Ethernet port
eGBTS                  | UMPT+UTRPc               | UTRPc | Ethernet port
NodeB                  | UMPT                     | UMPT  | Ethernet port
NodeB                  | UMPT+UTRPc               | UTRPc | Ethernet port
eNodeB                 | LMPT                     | LMPT  | Ethernet port
eNodeB                 | UMPT                     | UMPT  | Ethernet port
eNodeB                 | LMPT+UTRPc or UMPT+UTRPc | UTRPc | Ethernet port
Multimode base station | UMPT                     | UMPT  | Ethernet port
Multimode base station | LMPT                     | LMPT  | Ethernet port
Multimode base station | LMPT+UTRPc or UMPT+UTRPc | UTRPc | Ethernet port

7.4 Deployment on the NodeB/eNodeB/eGBTS Side

Before you activate the Access Control based on 802.1x feature, configure the PKI feature as well as the related managed objects (MOs). For details about how to configure the PKI feature, see the "Engineering Guidelines" section in PKI Feature Parameter Description.

7.4.1 Requirements

• Requirements for NEs:

– An authentication server has been deployed in the network.

– The authentication server supports the EAP protocol defined in RFC 3748 and supports EAP-TLS authentication.

– The authentication server is preconfigured with the Huawei root certificate. If the customer requires that the operator-issued device certificate be used for authentication, the operator's root certificate must be preconfigured on the authentication server.

– The authentication access equipment supports IEEE 802.1x-based access control and EAP packet processing.

– The authentication access equipment supports port-based access control based on the MAC address.

• Requirements for licenses:

– The license for the PKI feature has been activated.

– The license for the Access Control based on 802.1x feature has been activated.

Feature ID  | Feature Name                   | License Control Item                          | NE     | Sales Unit
LOFD-003015 | Access Control based on 802.1x | Access Control based on 802.1x (per eNodeB)   | eNodeB | per eNodeB


7.4.2 Data Preparation

Table 7-1 lists the data that needs to be prepared before you activate the Access Control based on 802.1x feature.

NOTE

"-" in Table 7-1 indicates that there is no special requirement for setting the parameter. Set the parameter based on site requirements.

Table 7-1 Data to prepare before activating the Access Control based on 802.1x feature

MO    | Parameter Name   | Parameter ID | Setting Notes                                                                                                                            | Data Source
DOT1X | Cabinet No.      | CN           | -                                                                                                                                        | Network plan
DOT1X | Subrack No.      | SRN          | -                                                                                                                                        | Network plan
DOT1X | Slot No.         | SN           | -                                                                                                                                        | Network plan
DOT1X | Subboard Type    | SBT          | -                                                                                                                                        | Network plan
DOT1X | Port No.         | PN           | -                                                                                                                                        | Network plan
DOT1X | Authentic Method | AM           | This parameter indicates the authentication method used by the Access Control based on 802.1x feature. The feature supports EAP-TLS authentication. | Network plan

NOTE

• When you deploy this feature on a multimode base station, activate the feature only on the Ethernet port that connects the base station to the transport network. The data preparation and initial configuration of the multimode base station are the same as those of a single-mode base station.

• When a base station is working normally, the certificate used by IEEE 802.1x-based access control is the same as that used by SSL authentication. For details about how to configure the certificate for SSL authentication, see the "Engineering Guidelines" section in SSL Feature Parameter Description. If no certificate is configured for SSL authentication, IEEE 802.1x-based access control uses the Huawei-issued device certificate by default.

7.4.3 Precautions

None

7.4.4 Activation

This section uses the eNodeB as an example to describe how to activate Access Control based on 802.1x by using MML commands or the CME.


Using MML Commands

Run the MML command ACT DOT1X to activate Access Control based on 802.1x on the Ethernet port that connects the base station to the transport network.

MML Command Examples

//Activating Access Control based on 802.1x on the NodeB/eNodeB/eGBTS side
//Activating Access Control based on 802.1x on the Ethernet port that connects the base station to the transport network
ACT DOT1X: CN=0, SRN=0, SN=7, SBT=BASE_BOARD, PN=0, AM=EAP-TLS;

Using the CME to Perform Single Configuration

Set parameters on the CME configuration interface according to the operation sequence described in Table 7-1. For instructions on how to perform the CME single configuration, see CME Single Configuration Operation Guide.

Using the CME to Perform Batch Configuration for Newly Deployed Base Stations

Enter the values of the parameters listed in Table 7-2 into a summary data file, which also contains other data for the new base stations to be deployed. Then, import the summary data file into the CME for batch configuration.

The summary data file may be a scenario-specific file provided by the CME or a customized file, depending on the following conditions:

• The MOs in Table 7-2 are contained in a scenario-specific summary data file. In this situation, set the parameters in the MOs, and then verify and save the file.

• Some MOs in Table 7-2 are not contained in a scenario-specific summary data file. In this situation, customize a summary data file to include the MOs before you can set the parameters.

Table 7-2 MOs related to Access Control based on 802.1x

MO    | Sheet in the Summary Data File | Parameter Group                           | Remarks
DOT1X | Common Data                    | Port No., Active Sign, Authentic Method   | • For an Ethernet port on which Access Control based on 802.1X is activated, set the Active Sign parameter to ACTIVE.
      |                                |                                           | • For an Ethernet port on which Access Control based on 802.1X is deactivated, set the Active Sign parameter to DEACTIVE and leave the Authentic Method parameter unspecified.


For instructions about performing batch configuration for each base station, see the following sections in 3900 Series Base Station Initial Configuration Guide.

• For a NodeB: Creating NodeBs in Batches

• For an eNodeB: Creating eNodeBs in Batches

• For a separate-MPT multimode base station: Creating Separate-MPT Multimode Base Stations in Batches

• For an eGBTS or a co-MPT multimode base station: Creating Co-MPT Base Stations in Batches

NOTE

• eGBTS refers to a base station deployed with UMPT_G.

• NodeB refers to a base station deployed with WMPT or UMPT_U.

• eNodeB refers to a base station deployed with LMPT or UMPT_L.

• Co-MPT base station refers to a base station deployed with UMPT_GU, UMPT_GL, UMPT_UL, or UMPT_GUL, and it functionally corresponds to any combination of eGBTS, NodeB, and eNodeB. For example, a Co-MPT base station deployed with UMPT_GU functionally corresponds to the combination of eGBTS and NodeB.

• Separate-MPT multimode base station refers to a base station on which different modes use different main control boards. For example, base stations deployed with GTMU and WMPT are called separate-MPT GSM/UMTS dual-mode base stations.

Using the CME to Perform Batch Configuration for Existing Base Stations

Batch reconfiguration using the CME is the recommended method to activate a feature on existing base stations. This method reconfigures all data, except neighbor relationships, for multiple base stations in a single procedure. The procedure is as follows:

Step 1 Choose CME > Advanced > Customize Summary Data File from the main menu of an M2000 client, or choose Advanced > Customize Summary Data File from the main menu of a CME client, to customize a summary data file for batch reconfiguration.

NOTE

For context-sensitive help on a current task in the client, press F1.

Step 2 Export the NE data stored on the CME into the customized summary data file.

• For co-MPT multimode base stations: Choose CME > SRAN Application > MBTS Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the M2000 client, or choose SRAN Application > MBTS Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the CME client.

• For separate-MPT GSM-involved multimode base stations or GO base stations: Choose CME > GSM Application > Export Data > eGBTS Bulk Configuration Data from the main menu of the M2000 client, or choose GSM Application > Export Data > Export eGBTS Bulk Configuration Data from the main menu of the CME client.

• For separate-MPT UMTS-involved multimode base stations or UO base stations: Choose CME > UMTS Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the M2000 client, or choose UMTS Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the CME client.

• For separate-MPT LTE-involved multimode base stations or LO base stations: Choose CME > LTE Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the M2000 client, or choose LTE Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the CME client.

Step 3 In the summary data file, set the parameters in the MOs listed in Table 7-2 and close the file.

Step 4 Import the summary data file into the CME.

• For co-MPT multimode base stations: Choose CME > SRAN Application > MBTS Application > Import Base Station Bulk Configuration Data from the main menu of the M2000 client, or choose SRAN Application > MBTS Application > Import Data > Import Base Station Bulk Configuration Data from the main menu of the CME client.

• For separate-MPT GSM-involved multimode base stations or GO base stations: Choose CME > GSM Application > Import Data > Import eGBTS Bulk Configuration Data from the main menu of the M2000 client, or choose GSM Application > Import Data > Import eGBTS Bulk Configuration Data from the main menu of the CME client.

• For separate-MPT UMTS-involved multimode base stations or UO base stations: Choose CME > UMTS Application > Import Data > Import Base Station Bulk Configuration Data from the main menu of the M2000 client, or choose UMTS Application > Import Data > Import Base Station Bulk Configuration Data from the main menu of the CME client.

• For separate-MPT LTE-involved multimode base stations or LO base stations: Choose CME > LTE Application > Import Data > Import Base Station Bulk Configuration Data from the main menu of the M2000 client, or choose LTE Application > Import Data > Import Base Station Bulk Configuration Data from the main menu of the CME client.

----End

7.4.5 Activation Observation

Run the DSP DOT1X command to query whether Access Control based on 802.1x is activated on the Ethernet port that connects the base station to the transport network.

Check the value of the Authentic State parameter in the command output. If the value of this parameter is Authenticate Succeed, the port has passed IEEE 802.1x-based authentication.

The following is an example:

DSP DOT1X: CN=0, SRN=0, SN=7, SBT=BASE_BOARD, PN=0;
%%RETCODE = 0 Operation succeeded.
Display 802.1x
--------------
Cabinet No. = 0
Subrack No. = 0
Slot No. = 7
Subboard Type = Base Board
Port No. = 0
Authentic Method = EAP-TLS authentic method
Authentic State = Authenticate Succeed
Authentic Succeed Number = 1
Fail Number = 0
Fail Reason = 0
Send EAP Packet Number = 7
Receive EAP Packet Number = 7
Abnormal Packet Number = 0
(Number of results = 1)
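The check described above, as an added example that is not part of this document: a small Python parser for the DSP DOT1X result, run over a constructed sample modelled on the output above, that reports whether the port passed authentication and whether the failure and abnormal-packet counters are non-zero. The field names are the ones printed by the command; the function names are assumptions.

```python
import re

# Constructed sample modelled on the DSP DOT1X output above (not a real capture).
SAMPLE_OK = """DSP DOT1X: CN=0, SRN=0, SN=7, SBT=BASE_BOARD, PN=0;
%%RETCODE = 0 Operation succeeded.
Display 802.1x
--------------
Cabinet No. = 0
Subrack No. = 0
Slot No. = 7
Subboard Type = Base Board
Port No. = 0
Authentic Method = EAP-TLS authentic method
Authentic State = Authenticate Succeed
Authentic Succeed Number = 1
Fail Number = 0
Fail Reason = 0
Send EAP Packet Number = 7
Receive EAP Packet Number = 7
Abnormal Packet Number = 0
(Number of results = 1)
"""

# One "Name = value" line of the result; the key stops at the first " = ".
# The command echo, the %%RETCODE line and the "(Number of results = N)"
# trailer contain characters outside the key class and are skipped.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9 .]+?)\s*=\s*(?P<val>.+?)\s*$")


def parse_dsp_dot1x(text):
    """Return the fields of one DSP DOT1X result as a dict of strings."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("val")
    return fields


def check_port_auth(fields):
    """Judge a parsed result and return (ok, reasons).

    ok is True only when Authentic State is "Authenticate Succeed" (the value the
    document names as a passed authentication) and the failure and abnormal-packet
    counters are zero; otherwise reasons lists what to look at (the document
    associates an authentication failure with alarm ALM-26831)."""
    reasons = []
    state = fields.get("Authentic State")
    if state != "Authenticate Succeed":
        reasons.append("Authentic State is %r" % state)
    if int(fields.get("Fail Number", "0")) > 0:
        reasons.append("Fail Number=%s (Fail Reason=%s)"
                       % (fields["Fail Number"], fields.get("Fail Reason")))
    if int(fields.get("Abnormal Packet Number", "0")) > 0:
        reasons.append("Abnormal Packet Number=%s" % fields["Abnormal Packet Number"])
    return (not reasons, reasons)


if __name__ == "__main__":
    print(check_port_auth(parse_dsp_dot1x(SAMPLE_OK)))  # (True, [])
```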


7.4.6 Deactivation

Using MML Commands

Run the MML command DEA DOT1X to deactivate Access Control based on 802.1x on the Ethernet port that connects the base station to the transport network.

MML Command Examples

//Deactivating Access Control based on 802.1x
DEA DOT1X: SN=7, SBT=BASE_BOARD, PN=0;

Using the CME to Perform Single Configuration

None

Using the CME to Perform Batch Configuration

The procedure for feature deactivation is similar to that for feature activation. The only difference is the parameter setting, which is described in Table 7-2.

7.5 Performance Monitoring

None

7.6 Parameter Optimization

None

7.7 Troubleshooting

After Access Control based on 802.1x is activated, the base station may report ALM-26831 802.1x Authentication Failure.

For details about how to clear these alarms for each type of base station, see the following sections in 3900 Series Base Station Alarm Reference:

• "eGBTS Alarm Reference"

• "NodeB Alarm Reference"

• "eNodeB Alarm Reference"


8 Parameters

Table 8-1 Parameter description

Parameter ID: AM
NE: BTS3900
MML Command: ACT DOT1X, DSP DOT1X, LST DOT1X
Feature ID: None
Feature Name: None
Description:
  Meaning: Indicates the IEEE 802.1X authentication method. Currently, only Extensible Authentication Protocol Transport Layer Security (EAP-TLS), a unidirectional authentication method, is supported.
  GUI Value Range: EAP-TLS(EAP-TLS authentic method)
  Unit: None
  Actual Value Range: EAP-TLS
  Default Value: EAP-TLS(EAP-TLS authentic method)

Parameter ID: CN
NE: BTS3900
MML Command: ACT DOT1X, DEA DOT1X, DSP DOT1X, LST DOT1X
Feature ID: None
Feature Name: None
Description:
  Meaning: Indicates the number of the cabinet that provides the port on which IEEE 802.1X authentication is configured.
  GUI Value Range: 0~7
  Unit: None
  Actual Value Range: 0~7
  Default Value: 0

Parameter ID: SRN
NE: BTS3900
MML Command: ACT DOT1X, DEA DOT1X, DSP DOT1X, LST DOT1X
Feature ID: None
Feature Name: None
Description:
  Meaning: Indicates the number of the subrack that provides the port on which IEEE 802.1X authentication is configured.
  GUI Value Range: 0~1
  Unit: None
  Actual Value Range: 0~1
  Default Value: 0

Parameter ID: SN
NE: BTS3900
MML Command: ACT DOT1X, DEA DOT1X, DSP DOT1X, LST DOT1X
Feature ID: None
Feature Name: None
Description:
  Meaning: Indicates the number of the slot that provides the port on which IEEE 802.1X authentication is configured.
  GUI Value Range: 0~7
  Unit: None
  Actual Value Range: 0~7
  Default Value: None

Parameter ID: SBT
NE: BTS3900
MML Command: ACT DOT1X, DEA DOT1X, DSP DOT1X, LST DOT1X
Feature ID: None
Feature Name: None
Description:
  Meaning: Indicates the type of sub-board that provides the port on which IEEE 802.1X authentication is configured.
  GUI Value Range: BASE_BOARD(Base Board), ETH_COVERBOARD(Ethernet Cover Board)
  Unit: None
  Actual Value Range: BASE_BOARD, ETH_COVERBOARD
  Default Value: None

Parameter ID: PN
NE: BTS3900
MML Command: ACT DOT1X, DEA DOT1X, DSP DOT1X, LST DOT1X
Feature ID: None
Feature Name: None
Description:
  Meaning: Indicates the number of the port on which IEEE 802.1X authentication is configured.
  GUI Value Range: 0~5
  Unit: None
  Actual Value Range: 0~5
  Default Value: None
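A pre-import check that ties the value ranges of Table 8-1 to the Active Sign rule of Table 7-2, added here as an example and not part of this document or of the CME: it validates one DOT1X row of a summary data file and renders it as the MML command the row corresponds to. The column names (CN, SRN, SN, SBT, PN, ActiveSign, AM) and the sample rows are assumptions, not the CME file format.

```python
# Allowed values per parameter ID, taken from Table 8-1.
RANGES = {
    "CN": set(range(8)),                      # Cabinet No. 0~7
    "SRN": set(range(2)),                     # Subrack No. 0~1
    "SN": set(range(8)),                      # Slot No. 0~7
    "SBT": {"BASE_BOARD", "ETH_COVERBOARD"},  # Subboard Type
    "PN": set(range(6)),                      # Port No. 0~5
    "AM": {"EAP-TLS"},                        # Authentic Method: only EAP-TLS
}


def validate_dot1x_row(row):
    """Return a list of problems for one DOT1X row (assumed column names);
    an empty list means the row is consistent with Tables 7-2 and 8-1."""
    problems = []
    for pid in ("CN", "SRN", "SN", "SBT", "PN"):
        if pid not in row:
            problems.append("%s missing" % pid)
        elif row[pid] not in RANGES[pid]:
            problems.append("%s=%r outside allowed values" % (pid, row[pid]))
    active, am = row.get("ActiveSign"), row.get("AM")
    if active == "ACTIVE":
        # Table 7-2: an activated port needs an authentication method.
        if am not in RANGES["AM"]:
            problems.append("ACTIVE port needs AM=EAP-TLS, got %r" % am)
    elif active == "DEACTIVE":
        # Table 7-2: a deactivated port leaves Authentic Method unspecified.
        if am is not None:
            problems.append("DEACTIVE port must leave AM unspecified, got %r" % am)
    else:
        problems.append("ActiveSign must be ACTIVE or DEACTIVE, got %r" % active)
    return problems


def row_to_mml(row):
    """Render a validated row as its MML equivalent: ACT DOT1X for ACTIVE,
    DEA DOT1X for DEACTIVE (CN and SRN are included for both, as Table 8-1
    lists them for both commands). Raises ValueError for an invalid row."""
    problems = validate_dot1x_row(row)
    if problems:
        raise ValueError("; ".join(problems))
    loc = "CN=%d, SRN=%d, SN=%d, SBT=%s, PN=%d" % (
        row["CN"], row["SRN"], row["SN"], row["SBT"], row["PN"])
    if row["ActiveSign"] == "ACTIVE":
        return "ACT DOT1X: %s, AM=%s;" % (loc, row["AM"])
    return "DEA DOT1X: %s;" % loc


# Constructed rows for illustration (not from a real summary data file).
SAMPLE_ROWS = [
    {"CN": 0, "SRN": 0, "SN": 7, "SBT": "BASE_BOARD", "PN": 0, "ActiveSign": "ACTIVE", "AM": "EAP-TLS"},
    {"CN": 0, "SRN": 0, "SN": 7, "SBT": "BASE_BOARD", "PN": 1, "ActiveSign": "DEACTIVE"},
    {"CN": 0, "SRN": 0, "SN": 7, "SBT": "BASE_BOARD", "PN": 6, "ActiveSign": "ACTIVE"},  # PN out of range, AM missing
]

if __name__ == "__main__":
    for r in SAMPLE_ROWS:
        print("PN=%s:" % r["PN"], validate_dot1x_row(r) or "OK")
```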


9 Counters

There are no specific counters associated with this feature.


10 Glossary

For the acronyms, abbreviations, terms, and definitions, see Glossary.


11 Reference Documents

1. IETF RFC 3748, "Extensible Authentication Protocol (EAP)"
2. IEEE Std 802.1x-2004, "Port-Based Network Access Control"
3. IETF RFC 2716, "PPP EAP TLS Authentication Protocol"
4. PKI Feature Parameter Description for SingleRAN
5. SSL Feature Parameter Description for SingleRAN
