GESTS Int’l Trans. Computer Science and Engr., Vol.19, No.1 85

GESTS-Oct.2005

Design of Wireless LAN Applicative Solution for Internetworking with Public Land Mobile Networks

Toni Janevski1, Aleksandar Tudzarov1, Perivoje Stojanovski1, Meri Janevska2, Dusko Temkov1, Goce Stojanov1, Dusko Kantardziev2,

Tome Bogdanov2 and Mine Pavlovski2

1 Faculty of Electrical Engineering, Postal Code 1000,

Skopje, Republic of Macedonia tonij@etf.ukim.edu.mk

2 Mobimak AD, Postal Code 1000, Skopje, Republic of Macedonia

Abstract. Public Land Mobile Networks (PLMN) of 2.5 and 3rd generation of-fer Internet connectivity and IP-based services on wide coverage areas, but they lack bandwidth for demanding applications. On the other side, Wireless LANs (WLAN) offers many times higher data rates compared to cellular networks, but they can cover only small area spots. This situation leads to the requirement for internetworking between PLMN and WLAN, where WLAN shall be used to cover dense city areas called hotspots. In this paper we describe the design of our applicative solution for internetworking between PLM N and WLAN based on integrated authentication and accounting system. For such purpose we have developed two additional network nodes called WLAN Access Controller and WLAN Authentication, Authorization, and Accounting (AAA) Gateway. The developed applicative solution is targeted to provide cost-effective integration solution that is suitable for mobile operators that want to offer a WLAN service and to charge for its usage.

1 Introduction

Public Land Mobile Networks have wide coverage from a given base station and low bandwidth for Internet connectivity. Here, PLMN denotes all Public Land Mobile Networks, such as GSM, GPRS, EDGE and UMTS (as well as CDMA2000 in Americas).

Wireless LAN standards (e.g. IEEE 802.11 family) have higher bandwidth than to-day’s mobile networks (e.g. up to 11 Mbps for 802.11b, and up to 54 Mbps for 802.11a and 802.11g), but they lack large-scale coverage due to limited propagation. However, the WLAN systems are a good complement to the widespread 2.5G systems as well as 3G systems.

One may expect 2.5G or 3G to be the dominating large-scale coverage data transfer wireless system for some years to come and due to this , the combination of WLAN

86 Design of Wireless LAN Applicative Solution

GESTS-Oct.2005

and Public Land Mobile Network (PLMN) technology will use the best features of both systems.

High bandwidth WLANs are used for data transfer where they are available and PLMN is used where WLAN coverage is lacking. In other words, WLAN and PLMN should be able to complement each other and will probably not compete for the same users. The price for usage of WLAN should be smaller than price for usage of the same services (e.g. transferred data volume) over PLMN, thus forcing subscribers to use WLAN where it is available, and to use PLMN where WLAN is not available. Of course, such scenario is an excellent choice for mobile operators to additionally offer WLAN service, besides PLMN [1-16].

In the following part of this paper we describe overall design of the WLAN Appli-cative Solution for internetworking between PLMN and WLAN. The paper is organ-ized as follows. Next section gives an overview of the internetworking architecture. Section 3 describes the WLAN Access Controller. Web-login solution for WLAN users is given in Section 4. WLAN AAA Gateway is described in Section 5. Finally, Section 6 concludes the paper.

2 IP Backbone Network Infrastructure for WLAN

WLAN Applicative Solution consists of several network nodes that internetwork. Also, some of the WLAN network nodes require communication with existing systems of the PLMN network, such as Open Charging Interface (OCI) and SMS Gateway, which are two nodes of interconnection between the two systems, PLMN system and WLAN system.

WLAN Applicative Solution uses Universal Access Method (UAM), which was justified as preferred access method during the research and development [17]. In the case of UAM we have WLAN Access Controller as a gateway node between the WLAN network and the Internet, as shown in Fig. 1. Also, we have WLAN AAA Database, which is used for authentication of WLAN users as well as charging and billing for WLAN service.

Hence, to have a complete architecture for the WLAN Applicative Solution we need to have the following network nodes and servers:

• WLAN Access Controller (WLAN-AC) • WLAN AAA Database (charging and billing gateway) • RADIUS server (for AAA communication between WLAN-AC and WLAN

AAA Database) [15-16] • Web-server (for Web login interface) • DHCP server (for dynamical allocation of IP addresses to WLAN clients) • DNS server

On the other side we need WLAN access network, which is consisted of: • Access Points installed at hotspot locations, and • IP backbone transmission network for connecting the hotspot locations with

WLAN Access Controller. General IP network infrastructure strategy for WLAN solution is given in Fig. 1.

GESTS Int’l Trans. Computer Science and Engr., Vol.19, No.1 87

GESTS-Oct.2005

Sec.Zone

WLAN Infrastructure Network

Internet(corporate data)

OpenSMS/SMSgateway

Hotspot 1

AP110.250.2.3

10.250.2.0/23 AP210.250.2.4

PLMNDMZ

Web-server

OCI/Merlinfront end

SMS O&MFirewall

DNS

PerimeterFirewall

wlan_router210.250.2.1

WLAN DMZ10.251.1.0/24

RADIUS server

10.250.1.0/24

WLANAccess

Controller

DHCP10.250.1.2

WLAN AAA Database

wlan_router110.250.1.10

Internet(customer data

WLAN, GPRS...)

Perimeterrouter

Wireless - Layer 3 mode

logical: 10.250.1.1physical: 10.240.1.1

10.251.1.1

Fig. 1. An example of IP backbone for PLMN-WLAN internetworking

3 WLAN Access Controller (WLAN-AC)

Most common method for controlling Internet access for WLAN networks is to filter packets based on IP address. This method is based on limiting the user’s access to only a set of designating destinations, which is usually web server with web-login page in the operator’s WLAN backbone network. This is referred to as browser redi-rection.

88 Design of Wireless LAN Applicative Solution

GESTS-Oct.2005

SMS handling

Username/password

RedirectAccess control

RADIUS client

WLAN Database Manager

Web-login

Popup browser

Accounting and billing

Merlin m-payment client

WLAN

database

PLMN Prepaid Billing System

PLMNPostpaid Billing System

Send SMS

Check for authorized/

unauthorized usersLogout request

Charge WLAN user account

For unauthorized users

AAAinformation

WLAN RADIUS server

Mer

lin m

-pay

men

t se

rver

HTTPS requests for real-time charging to PLMN prepaid

and postpaid users

AAA information

AAA

Popup initiation

For unauthorized users

Various controls

Storing usernames

and passwords

SMS Gateway

Send SMS via HTTP

Real-time m-payment

OpenSMS

Send /receive SMS via

OpenSMS

Fig. 2. Solution for PLMN-WLAN integration: software modules and interfaces

In our solution for WLAN network, we use packet filtering method for access con-trol in the network access control server based on the IP address assigned to the wire-less client. Wireless client can be any lap-top computer with built-in WLAN card or with PCMCIA WLAN card. The machine used for WLAN Access Control has two Ethernet cards, one on the side of the WLAN access network, and the second on the side to the external packet network (i.e. Internet). WLAN Access Controller is con-sisted of the following main logical modules:

• RADIUS client -for communication with RADIUS server • WLAN Access Control module -for controlling the access of WLAN clients • Redirection module -for redirection of unauthenticated users to the web-

login server • WLAN Access Controller main module

WLAN Access Controller also uses the following external module: • Web-login interface -used as user interface in the authentication process

The environment for the WLAN Access Controller and software modules are shown in Fig. 2.

WLAN-AC is working on IP-level i.e. network level. It acts as a gateway between WLAN network part and Internet link and servers farm. However, it provides possibil-ity to use different transmission options to connect hotspot locations to WLAN-AC, such as : leased lines 2 Mbps, ADSL, IP backbone with routers and switches, WiMAX (IEEE 802.16) or other wireless backbone technology, etc.

General WLAN Access Controller network configuration is shown in Fig. 3. The network configuration is consisted of the following interconnected parts:

• WLAN access network: these are hotspot locations, where each hotspot lo-cation has one or more WLAN Access Points (AP) connected to a local switch, which is connected to the transmission network via a router node;

GESTS Int’l Trans. Computer Science and Engr., Vol.19, No.1 89

GESTS-Oct.2005

LAN on the WLAN side

RADIUSServer

LAN on the Internet side

WLAN Database

Web-server

DHCP server

Transmission network

WLAN access network

WLAN Access Controller

DNS

Fig. 3. General network configuration for WLAN Access Controller

• Transmission network: it includes all possible transmission solution for con-nection of hotspot location to WLAN Access Controller;

• Wired Local Area Network (LAN) on WLAN side: it is connected WLAN-AC and DHCP server, which dynamically assigns IP addresses to WLAN clients at hotspot locations;

• LAN on the Internet side: on this network are attached all other required servers for proper functioning of WLAN applicative solution, and they are: RADIUS server, Web-server, WLAN Database, as well as Domain Name Server (DNS).

4 Web-login solution

The Universal Access Method – UAM should be as simple as possible for WLAN users. It is worldwide practice to use web-login for the UAM. For the reason of sim-plicity in the UAM we want to avoid the user to type explicitly the HTTP-address of the web-login page. To be able to do this we use the WLAN Access Controller. These rules will redirect to web-login page every HTTP request that tries to go through the WLAN Access Controller to the Internet. All HTTP requests of users will be redi-rected to the web-login server.

The web-login server will get the original HTTP request. Since the requested URL will not be available at the local web-server (except in the case when the requested URL is the own one of the web-server), a default web-login page will be sent to the user.

The requested information from user will be username and password, which user should enter using the web-login page. After the successful authentication, new rules are added in the WLAN Access Controller for that user. These rules remove the redi-rection and the user has open access to the Internet.

At the moment when user is logged into WLAN, a popup window appears from the user’s browser. This popup window contains logout button and timer for the elapsed time from the session start . By pressing the logout button the user is able to log out of the WLAN network.

90 Design of Wireless LAN Applicative Solution

GESTS-Oct.2005

Also, there is an option for forced termination of the user connection due to some reason (e.g., no credit on WLAN prepaid account). For that purpose WLAN AAA Database sends disconnection request directly to WLAN Access Controller, which is listening for such requests on a port on Ethernet interface towards Internet. Discon-nection requests from WLAN Database restore redirection at the WLAN Access Con-troller for that user to the web-login page.

5 WLAN AAA Gateway

WLAN Billing functionality is built in WLAN AAA Gateway (i.e. WLAN Database). It is based on AAA information flow from WLAN Access Controller via RADIUS server to WLAN AAA Database, and vice versa.

The Billing of the WLAN users is based on triggering the events of storing ac-counting records from RADIUS server into WLAN AAA Database. Triggering hap-pens on three types of accounting records from WLAN Access Controller client via RADIUS server:

• Start Accounting; • Interim Accounting; • Stop Accounting.

In WLAN AAA Gateway the following types of users are defined: • PLMN/WLAN postpaid – these are existing PLMN postpaid users that will

subscribe to WLAN service as well; • PLMN/WLAN prepaid – these are existing PLMN prepaid users that will want

to use WLAN service and to be charged from their prepaid account; • WLAN prepaid – these are WLAN users that have bought WLAN prepaid

vouchers and have activated their WLAN account (includes those that are not prepaid or postpaid subscribers of the mobile operator, as well as all sub-scribers of the mobile operator which want to use WLAN vouchers).

However, PLMN/WLAN postpaid and PLMN/WLAN prepaid users are treated in the same manner, because real-time charging for these users is done through m-payment OCI system, which further communicates for respective billing systems, i.e. postpaid billing system for PLMN/WLAN postpaid users and prepaid billing system for PLMN/WLAN prepaid users.

There are two types of charging defined in the WLAN AAA Database: time-based charging, and volume-based charging. In the case of time-based charging user is charged at the session start (triggered by Start Accounting RADIUS record) in ad-vance for the first time interval, and further during the session triggered by every In-terim Accounting record stored in WLAN AAA Database from the RADIUS server at fixed time intervals (charging intervals). There is no charging of the user at the Ac-counting Stop message, because he will be already charged at the previous Account-ing message (either Start or Interim Accounting). In the case of volume-based charg-ing user is charged after each charging interval.

GESTS Int’l Trans. Computer Science and Engr., Vol.19, No.1 91

GESTS-Oct.2005

RADIUS server

WLAN databaseAuthentication Procedure

Database tableTJ_WLAN_USERS

Database tableTJ_TARIFFS

Database tableTJ_VOUCHERS

Database tableTJ_REQUESTS

Database tableTJ_PARAMS

Database tableTJ_ERROR_LOG

Username/password check through database access -

interface

Check/Update voucher status and credit

Check/Update WLAN user status

WLAN AAA Database

Fig. 4. Authentication procedure in WLAN AAA Database

5.1 Authentication Procedure

WLAN AAA Gateway has a role in the authentication process for any user that want to login into WLAN network. For that purpose RADIUS server communicates with WLAN AAA Database and its Authentication procedure. Main tasks of the Au-thentication procedure are the following: validation of the username and password entered by the user through Web-login interface, checking whether the user is online (ON) or offline (OFF), handling voucher’s status.

The communication between RADIUS server and Authentication procedure from WLAN AAA Database is through WLAN database access-interface as shown in Fig. 4. RADIUS calls the Authentication procedure with input parameters: username and password, and receives positive or negative result from the procedure.

Even in the case when the username/check is positive, Authentication procedure returns negative result to RADIUS server in the following cases:

• Voucher is expired or has no credit; • User is online, and there are less than two charging intervals from the last

RADIUS accounting record;

92 Design of Wireless LAN Applicative Solution

GESTS-Oct.2005

Wireless clientMobile phone

WLAN databaseMSISDN+OTP

GSM/GPRS subscriber

SMS-Center

OTP

SMS-OTPSMS- Request OTP

Fig. 5. Authentication of MM WLAN users by using OTP

• User account cannot be charged due to an error in the system or due to com-munication interruption between WLAN AAA Database and m-payment Merlin system.

5.2 Authentication with OTP (One Time Password)

WLAN PLMN users are authenticated with SMS-OTP (SMS - One Time Password). PLMN user, either postpaid or prepaid, requests OTP with SMS with content “WLAN” sent to a predefined number in PLMN’s SMS Gateway. The Received SMS from SMS Gateway is stored in the database via an OpenSMS system. This event triggers a WLAN database trigger, which generates One Time Password (OTP) and sends the OTP to the user via SMS via HTTP interface of the SMS Gateway. Also, SMS can be sent by calling a function from OpenSMS (via database link) for sending SMS from the trigger. The trigger generates OTP as random string.

The authentication process with SMS-OTP for WLAN PLMN users is shown in Fig.5.

5.3 WLAN Billing System

WLAN Billing functionality is built in WLAN AAA Gateway (i.e. WLAN Database). It uses the AAA information flow from WLAN Access Controller via RADIUS server to WLAN AAA Database, and vice versa.

The Billing of the WLAN users is based on triggering the events of storing ac-counting records from RADIUS server into WLAN AAA Database. Triggering hap-pens on each accounting records from WLAN Access Controller client via RADIUS server (i.e. Start Accounting, Interim Accounting, and Stop Accounting). All account-ing messages are stored in WLAN database.

GESTS Int’l Trans. Computer Science and Engr., Vol.19, No.1 93

GESTS-Oct.2005

WLAN RADIUS Server

WLAN usage

PLMN/WLAN postpaid subscriber

Postpaid Billing System

Monthly invoice

CDR

WLAN AAA server

Accounting data

WLAN Access Controller

Accounting data

Merlin m-payment serverm-charging

Fig. 6. PLMN/WLAN postpaid accounting deployment solution

To integrate time-based and volume-based accounting triggering is performed be-fore insert into the WLAN database. This was needed because in the case of volume-based charging “triggering before insert” is needed to check the current charged amount to the user’s account from the beginning of the session to be able to charge accurately.

Billing for PLMN/WLAN postpaid

Billing the PLMN users for WLAN services is related to how to handle accounting i.e. the process of gathering charging information about the user, processing it, and transferring the bill to the user.

There are two options for handling PLMN/WLAN postpaid users: 1. Using the SMS-OTP authentication for PLMN/WLAN postpaid users and

real-time charging on user’s account via m-payment OCI 2. Charging an electronic voucher (e-voucher) to the user’s postpaid account

by the external application, this at the same time generates e-voucher in WLAN Database by calling appropriate WLAN Database function.

In this section we describe Option 1 from above, i.e. when PLMN/WLAN user is au-thenticated using SMS-OTP authentication.

The deployment solution for PLMN/WLAN users, which includes WLAN Access Controller, RADIUS server, WLAN Database, SMS-Center through SMS Gateway, and PLMN Open Charging Interface (i.e. m-payment system), is shown in Fig. 6.

In the case of WLAN postpaid users the user should be charged for WLAN usage on his monthly invoice.

94 Design of Wireless LAN Applicative Solution

GESTS-Oct.2005

Billing for PLMN/WLAN prepaid

In PLMN-WLAN network there are possible two types of prepaid users: one with PLMN vouchers and the other with WLAN vouchers . In this section we refer to the first one.

The difference between PLMN postpaid and prepaid users is made in the Open Charging Interface (m-payment system), which is external system to WLAN. For PLMN prepaid users the OCI requests credits in advance for WLAN usage from PLMN prepaid account.

One should note that considering WLAN Applicative Solution, there is no differ-ence in billing of PLMN/WLAN postpaid and PLMN/WLAN prepaid users.

Billing for WLAN prepaid

WLAN prepaid refers to prepaid users that are using WLAN vouchers. This cate-gory includes WLAN users that are not PLMN subscribers, but it may also include PLMN subscribers that use WLAN prepaid vouchers to access WLAN network. In general, there is simply no limitation about who can be a WLAN prepaid user.

In the case of a WLAN prepaid users, there is no intercommunication between nodes in PLMN network and nodes in WLAN segment. However, WLAN prepaid users share the same Internet access as PLMN/WLAN postpaid and PLMN/WLAN prepaid users.

Credentials (username and password) can be delivered to WLAN prepaid users in two different ways:

• Using electronic vouchers (e-vouchers); • Using printed vouchers (i.e. scratch-cards).

As usual with prepaid vouchers, all voucher numbers or username/password pairs of the vouchers are recorded into WLAN database. When a subscriber buys a voucher, he/she should enter credentials from the voucher into Web-login page. Then, WLAN system checks the entered credentials, and if a match is found, WLAN prepaid account is activated with a certain amount of credits (dependent upon the voucher type).

After the successful authentication user is granted access to the Internet. During the active session user credit is periodically updated at each RADIUS accounting record in WLAN database, and the number of credits is reduced for certain amount according to the usage of WLAN resources (either time or volume-based charging).

For time-based charging, at each RADIUS accounting record in the WLAN Data-base user’s credit is reduced for the amount that should be charged for the next charg-ing time interval (that is RADIUS Interim Accounting time period). For exa mple, for time-based charging, with charging interval equal to one minute, the user will be granted further usage of WLAN only when he has at least credits for another minute of usage. If the user has not enough credits for next charging interval, he/she will be disconnected by sending disconnect request from WLAN AAA Gateway directly to WLAN Access Controller.

GESTS Int’l Trans. Computer Science and Engr., Vol.19, No.1 95

GESTS-Oct.2005

For volume-based charging of the prepaid WLAN users, the user’s credit is charged after each charging interval, which is different compared to time-based charg-ing. The charging is done after each Interim Accounting record and after Stop Ac-counting record from RADIUS server, because we cannot accurately estimate in ad-vance the amount of volume of data that will be sent/received by the user in the next charging interval.

6 Conclusion

In this paper we have described a design solution for PLMN-WLAN internetworking based on integrated system for authentication and accounting. The developed appli-cative solution includes two additional network nodes for WLAN deployment by a mobile operator, and they are WLAN Access Controller and WLAN AAA Gateway.

WLAN Access Controller performs user access control from the WLAN side, and collects data for user activity, which are further used to charge the user for the service. User interface for authentication purposes is the Web-login interfaces, which is con-trolled by the WLAN Access Controller. Integration between WLAN segment and PLMN is established via WLAN AAA Gateway, which is capable to accomplish real-time charging for existing PLMN subscribers, either prepaid or postpaid, as well as to perform charging to WLAN prepaid users. The latter can be WLAN users with printed or electronic vouchers (e-vouchers).

The proposed system is already tested in practice and it is completely functional as it was designed.

Finally, the design solution described in this paper provides possibility for instant and low cost deployment of WLAN service by mobile operators.

References

[1] Alcatel, “Public Wireless LAN for Mobile Operators: WLAN beyond the enterprise”, White paper, 2003.

[2] M. T. Bostrom, A. Norefors, “Ericsson Mobile Operator WLAN”, Release 1 Technical Description, February 2002.

[3] Telia HomeRun, http://www.homerun.telia.com, accessed June 2004. [4] BT Openzone, http://www.btopenzone.com, accessed June 2004. [5] T-Mobile US, http://www.t-mobile.com/hotspot/, accessed June 2004. [6] M. Buddhikot et al., “Integration of 802.11 and Third-Generation Wireless Data Net-

works”, Infocom 2003, San Francisco, USA, March 30 – April 3, 2002. [7] Toni Janevski, “Traffic Analysis and Design of Wireless IP Networks”, Artech House

Inc., Boston, USA, 2003. [8] Intel, “Wireless LAN (WLAN) End To End Guidelines for Enterprises and Public Hot-

Spot Service Providers”, Release 1.0, October 2002. [9] IEEE 802.1X standard, “IEEE standard for local and metropolitan area networks – Port-

Based Access Control”, July 2001.

96 Design of Wireless LAN Applicative Solution

GESTS-Oct.2005

[10] IEEE 802.1Q standard, “IEEE standard for local and metropolitan area networks - Vir-tual Bridged Local Area Networks”, May 7, 2002.

[11] Frank Ohrtman, Konrad Roeder, “Wi-Fi Handbook: Building 802.11b Wireless Net-works”, McGraw-Hill, 2003.

[12] IEEE 802.1X standard, “IEEE standard for local and metropolitan area networks – Port-Based Access Control”, July 2001.

[13] J. Edney, W.A. Arbaugh, “Real 802.11 Security: Wi-Fi Protected Access and 802.11i”, Addison Wesley, July 2003.

[14] ETSI TS 101 393 – Digital cellular telecommunications system (Phase 2+); General Packet Radio Service (PLMN); PLMN Charging, 3GPP TS 12.15 version 7.7.0 Release 1998.

[15] C. Rigney, S. Willens, A. Rubens, W. Simpson, “Remote Dial-In User Authentication Service (RADIUS)”, RFC 2865, June 2000.

[16] C. Rigney, “RADIUS Accounting”, RFC 2866, June 2000. [17] T. Janevski, “AAA System for PLMN-WLAN Internetworking”, Journal of Communi-

cations and Networks (JCN), Special Issue on “Towards the Next Generation Mobile Communications”, pp.192-206, Volume 7, Number 2, June 2005.

Biography

Toni Janevski was born in Skopje, Republic of Macedonia, on October 15, 1972. He received the B.Sc. degree in Electrical Engineering and the M.Sc. and the Ph.D. degrees in Electrical Engineering from the University “Sv. Kiril i Metodij”, Skopje, R. Macedonia, in 1996, 1999, and 2001 respectively. From 1996 to 1999 he was with Mobimak GSM mobile operator in R. Macedonia. From October 1999 he is with Faculty of Elec-trical Engineering in Skopje. From July 2001 to November 2001, he was at IBM T.J. Watson Research Center, New York, USA. He has written the book ''Traffic Analysis and Design of Wireless IP Networks'', published by Artech House Inc. in 2003. He is an Assistant Professor at the Faculty of Electrical Engineering, University “Sv. Kiril i Metodij”, Skopje. His research interests are in wireless and mobile net-works, Quality of Service, network planning and dimensioning, traffic theory and internetworking. He is Senior Member of IEEE.