Innovative Wi-Fi Offload Features

26 Aug

In a mobile data offloading scenario, policy decisions implemented at the mobile operator can be looked up from several locations and intelligently mapped to the corresponding parameters in the Wi-Fi network. Execution of advanced logic can then be done through Aptilo’s ServiceGlue functions to make sure that the desired actions are performed in the Wi-Fi network for the specific user.


Trusted 3GPP Wi-Fi access for non-SIM devices

One of the most popular 3GPP Wi-Fi access scenarios is trusted 3GPP Wi-Fi access. In this scenario the user traffic is backhauled to the mobile core through a GTP (or MIP/PMIP) tunnel between the WAG/TWAG (Wireless Access Gateway / Trusted Wireless Access Gateway) and the GGSN/P-GW. Note that GTP provides tunnelling, not encryption; the access is "trusted" because the operator controls the Wi-Fi network and the backhaul over which the tunnel runs.

In order for the WAG to set up the GTP tunnel it needs parameters that reside in the subscriber profile. This in turn requires knowledge of the user's IMSI (the unique identifier of the SIM card) in order to fetch the correct subscriber profile. For devices with SIM cards, such as mobile phones, this is straightforward: the IMSI and subscriber profile are retrieved as part of the EAP-SIM/AKA authentication process.

Up to now, this scenario has only been possible for devices with SIM cards. This is a growing challenge as an average user frequently has a multitude of Wi-Fi enabled devices such as tablets, laptops and game consoles and very few of them are equipped with SIM cards.

Operators will most likely want to use the same subscriber profile for all of a user’s devices, i.e., using the subscriber profile for the “main device” – the mobile phone – across the board. However, GTP tunnel setup is not possible for non-SIM devices. When there is no SIM card, there is no IMSI for subscriber profile lookup.

The innovative features of the Aptilo Service Management Platform™ (SMP) allow operators to overcome this limitation. The Aptilo SMP can look up the IMSI based on the user's MSISDN (mobile number). The lookup is performed at the HLR/HSS via the MAP (HLR) or Diameter (HSS) protocol. Aptilo SMP can then retrieve the user's subscriber profile from the HLR/HSS by presenting the correct IMSI as the identifier in its communication with the HLR/HSS.

This opens up interesting possibilities when it comes to Wi-Fi offload. The subscriber profile provides the Aptilo SMP with the parameters a Wireless Access Gateway (WAG) needs to set up a GTP tunnel for all subscribers: those using SIM devices (normal EAP-SIM/AKA authentication) and also those using non-SIM devices via Aptilo's innovation.

Allowing trusted 3GPP Wi-Fi access for non-SIM devices using manual login

With Aptilo Service Management Platform you can streamline services across all devices by allowing the trusted 3GPP Wi-Fi access also for non-SIM devices using manual login. This is how the magic works:

1. The user attaches to the Wi-Fi network with a non-SIM device. Aptilo SMP triggers the WAG to redirect the user to a captive portal.

2. The user enters his mobile phone number (MSISDN) at the portal.

3. Aptilo SMP now has the MSISDN. Aptilo SMP sends a one-time password (OTP) to the user via SMS.

4. The user logs in at the portal using the OTP.

5. Aptilo SMP looks up the IMSI from the HLR/HSS using the phone number (MSISDN) as identifier.

6. Aptilo SMP now has the IMSI. Aptilo SMP looks up the subscriber profile from the HLR/HSS using the IMSI as identifier.

7. Aptilo SMP sends a Change of Authorization (CoA) to the WAG through RADIUS with the required GTP tunnel setup information, including the APN retrieved from the subscriber profile.

8. The WAG creates the GTP tunnel and admits the user to the network.

This method requires no additional configuration of the devices. The SMS one-time password binds the login to possession of the phone that holds the subscriber's SIM, which the vendor rates as a security level comparable with SIM authentication. In practice it is a one-way proof of MSISDN possession: the code can be phished from the user or diverted by anyone who can receive the subscriber's SMS, whereas EAP-SIM/AKA mutually authenticates the device and the network using the key in the SIM. Note also that, because this login runs over the Wi-Fi network without 802.1X, the data traffic from the device to the WAG will normally not be encrypted at link layer.

Allowing trusted 3GPP Wi-Fi access for non-SIM devices using EAP-TTLS

This method requires some configuration of the non-SIM device, as provisioning of a certificate, username and password is needed. This can be done over-the-air (OTA) using the operator's existing infrastructure. With EAP-TTLS the connection becomes as secure as EAP-SIM/AKA because it requires the Wi-Fi network to run 802.1X; the keys derived from the EAP exchange then encrypt the link-layer traffic, so the traffic between the device and the WAG is protected rather than sent in the clear.

There is only one problem: since the device lacks a SIM card there is no IMSI with which to fetch the correct subscriber profile for the GTP tunnel setup. The Aptilo Service Management Platform solves this by using the same principle as described above.

Trusted 3GPP Wi-Fi access for non-SIM devices using EAP-TTLS

1. The user attaches to the Wi-Fi network with a non-SIM device using EAP-TTLS. The device and the WAG start the EAP authentication negotiation.

2. During the EAP negotiation the WAG performs RADIUS authentication with Aptilo SMP. In this process Aptilo SMP retrieves the mobile phone number (MSISDN) from the provisioned EAP-TTLS credential (the certificate). Aptilo SMP now has the MSISDN.

3. Aptilo SMP looks up the IMSI from the HLR/HSS using the phone number (MSISDN) as identifier.

4. Aptilo SMP now has the IMSI. Aptilo SMP looks up the subscriber profile from the HLR/HSS using the IMSI as identifier.

5. Aptilo SMP sends a Change of Authorization (CoA) to the WAG through RADIUS with the required GTP tunnel setup information, including the APN retrieved from the subscriber profile.

6. The WAG creates the GTP tunnel and admits the user to the network.

This method is as secure and automatic as EAP-SIM/AKA authentication and requires no user interaction. Some devices do not support EAP-TTLS, so in practice both of the methods described here need to be offered.
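Both procedures above end in the same tail: an MSISDN becomes an IMSI, the IMSI fetches a profile, and the profile's APN is pushed to the WAG in a RADIUS CoA-Request. The following Python is an added model of that tail, together with the two front ends (captive portal with SMS OTP, and EAP-TTLS). It is not Aptilo's code and not the page's; the HLR/HSS is a constructed dictionary standing in for MAP/Diameter lookups, the SMS is replaced by returning the OTP, the attribute layout (User-Name, Called-Station-Id carrying the APN as in the TS 29.061 Gi usage, and a 3GPP-IMSI vendor-specific attribute) is this example's assumption since the real WAG attribute set is vendor-specific, and the EAP-TTLS front end assumes the MSISDN arrives as the user part of an identity such as `46701234567@wlan.example` instead of being read out of a certificate. What the page does not spell out, and a practitioner wants to see, is the hardening around the two trust boundaries: the OTP expires, is limited to three tries and is consumed on success, and the WAG recomputes the RFC 5176 Request Authenticator before it creates any GTP tunnel.

```python
"""Model of the non-SIM trusted Wi-Fi flow: portal/OTP or EAP-TTLS -> MSISDN -> IMSI ->
profile -> RADIUS CoA-Request (RFC 5176). Example code; the HLR/HSS content, the attribute
layout and the EAP-TTLS identity form are assumptions, not the vendor's design."""
import hashlib
import hmac
import secrets
import struct
import time

# Constructed stand-in for the HLR/HSS; MAP/Diameter lookups become dictionary reads.
HLR_MSISDN_TO_IMSI = {"46701234567": "240011234567890"}
HLR_PROFILE = {"240011234567890": {"apn": "internet.example"}}

RADIUS_COA_REQUEST = 43                          # RFC 5176 packet code
ATTR_USER_NAME, ATTR_VENDOR_SPECIFIC, ATTR_CALLED_STATION_ID = 1, 26, 30
VENDOR_3GPP, VSA_3GPP_IMSI = 10415, 1            # TS 29.061 vendor id and 3GPP-IMSI sub-attribute
OTP_TTL, OTP_MAX_TRIES = 300, 3                  # seconds, attempts
_otp_store = {}                                  # msisdn -> [otp, expiry, tries]


def issue_otp(msisdn, now=None):
    """Step 3: mint a 6-digit OTP. A real system sends it by SMS; here it is returned."""
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10**6):06d}"
    _otp_store[msisdn] = [otp, now + OTP_TTL, 0]
    return otp


def verify_otp(msisdn, candidate, now=None):
    """Step 4: constant-time compare with expiry and a try limit, so the million-code
    space cannot be brute-forced; a matching OTP is consumed so it cannot be replayed."""
    now = time.time() if now is None else now
    entry = _otp_store.get(msisdn)
    if entry is None or now > entry[1] or entry[2] >= OTP_MAX_TRIES:
        _otp_store.pop(msisdn, None)
        return False
    entry[2] += 1
    if hmac.compare_digest(entry[0], candidate):
        _otp_store.pop(msisdn, None)
        return True
    return False


def lookup_profile(msisdn):
    """Steps 5-6: MSISDN -> IMSI -> subscriber profile; None when either lookup fails."""
    imsi = HLR_MSISDN_TO_IMSI.get(msisdn)
    profile = HLR_PROFILE.get(imsi) if imsi else None
    return None if profile is None else (imsi, profile)


def _avp(attr_type, value):
    assert len(value) <= 253, "RADIUS attribute value too long"
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_coa_request(identifier, imsi, apn, secret):
    """Step 7: CoA-Request carrying IMSI and APN. Request Authenticator per RFC 5176 is
    MD5(Code | Identifier | Length | 16 zero octets | Attributes | shared secret)."""
    imsi_b = imsi.encode()
    imsi_vsa = struct.pack("!I", VENDOR_3GPP) + struct.pack("!BB", VSA_3GPP_IMSI, 2 + len(imsi_b)) + imsi_b
    attrs = (_avp(ATTR_USER_NAME, imsi_b)
             + _avp(ATTR_CALLED_STATION_ID, apn.encode())  # APN in Called-Station-Id (assumed layout)
             + _avp(ATTR_VENDOR_SPECIFIC, imsi_vsa))
    header = struct.pack("!BBH", RADIUS_COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa_request(packet, secret):
    """WAG side, before step 8: recompute the authenticator before creating any GTP
    tunnel. Returns {attribute type: value} or None for a forged or malformed packet."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:]
    if code != RADIUS_COA_REQUEST or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    parsed, i = {}, 0
    while i + 2 <= len(attrs):
        attr_type, attr_len = attrs[i], attrs[i + 1]
        if attr_len < 2 or i + attr_len > len(attrs):
            return None
        parsed[attr_type] = attrs[i + 2:i + attr_len]
        i += attr_len
    return parsed


def authorize(msisdn, identifier, secret):
    """Common tail of both flows: profile lookup, then the CoA; None for an unknown subscriber."""
    found = lookup_profile(msisdn)
    if found is None:
        return None
    imsi, profile = found
    return build_coa_request(identifier, imsi, profile["apn"], secret)


def portal_login(msisdn, otp, identifier, secret):
    """Manual-login flow: the portal-entered MSISDN is trusted only once the OTP checks out."""
    return authorize(msisdn, identifier, secret) if verify_otp(msisdn, otp) else None


def ttls_login(identity, identifier, secret):
    """EAP-TTLS flow. Assumes the identity is '<msisdn>@<realm>' (example convention) in
    place of reading the MSISDN out of the provisioned certificate."""
    msisdn, sep, _realm = identity.partition("@")
    return authorize(msisdn, identifier, secret) if sep and msisdn.isdigit() else None
```

Two design points carry over to a real deployment. First, the OTP is the only thing standing between an attacker who types someone else's MSISDN into the portal and that subscriber's APN and billing, so the try limit and expiry are not optional. Second, a CoA-Request is an instruction to open a tunnel into the mobile core on a subscriber's behalf; the WAG must verify the authenticator (and, in practice, accept CoA only from the configured SMP addresses) rather than act on any packet that arrives on UDP 3799.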

Source: http://www.aptilo.com/mobile-data-offloading/innovative-wifi-offload-features?goback=%2Egde_4863187_member_268100346#%21
