Page 1: SOLUTIONS FOR IMPLEMENTING CELLULAR TO WI-FI … · 7 Copyright © 2012 Juniper Networks, Inc. REFERENCE ARCHITECTURE . ... AUTHENTICATION BACKHAUL ... Tell the Mobile which QOS DSCP

SOLUTIONS FOR IMPLEMENTING CELLULAR TO WI-FI OFFLOAD

Hartmut Schroeder

September 2012

2 Copyright © 2012 Juniper Networks, Inc. www.juniper.net

Legal Statement

Statements of direction set forth Juniper Networks’ current intention and are subject to change at any time without notice.

No purchases are contingent upon Juniper Networks delivering any feature or functionality depicted in this presentation.

WHY WI-FI OFFLOAD?

GROWTH IN WIRELESS BROADBAND DATA CONTINUES

Growth fueled by:
• Increased Smartphone Adoption
• Wireless Enabled Portable Devices
• Machine-to-Machine Mobile Devices

Gartner predicted that tablet sales will grow 181% in 2011 to 54.8M, many of which are built to take advantage of mobile 3G and 4G networks.

According to IDC we will reach 1 billion smart mobile devices in 2013. Morgan Stanley tells us we will reach 10B mobile devices in 2050.

[Callouts: 181% tablet growth; 1B smart mobile devices]

WIRELESS BROADBAND ALLIANCE

3 STAGES OF WI-FI OFFLOAD

Offload
• Hard offload
• User driven
• Unmanaged

Optimize
• Auto-login
• User identity
• Secure

Integrate
• Policy driven
• Session mobility
• Fully transparent

Timeline axis: 2010, 2012, 2014

Source: Heavy Reading

REFERENCE ARCHITECTURE

KEY SOLUTION COMPONENTS

AUTHENTICATION & SECURITY
Provides uniform user experience with authentication, security & policy enforcement.

SBR – CARRIER
• Single platform managing AAA functions for all access technologies

JUNOS Pulse Client (optional)
• Mobile Security Suite
• VPN / secure tunneling
• Enforcement point for future policy based capabilities and data collection

BACKHAUL & EDGE
Provides secure traffic termination and service delivery functions.

MX-3D
• Security GW
• Video/Web Optimization
• NAT/FW functions
• Server Load Balancing
• Mobility GW functions
• Routing Functions
• VPN Gateway

Juniper WLAN
• High performance
• Reliable mobility
• High Availability
• Outdoor/Indoor
• Superior Planning and Lifecycle Mgmt
• Direct and Central Traffic breakout

POLICY ENFORCEMENT & CHARGING
Provides support for network based policy enforcement and charging.

SRC
• Ideal if WLAN traffic not backhauled to GGSN / P-GW
• Leverages Juniper MX as PCEF
• QoS
• Service Mapping
• DPI
• Captive Portal
• Volume Tracking (VTA)
• Bandwidth limits
• Daily/Monthly usage
• Charging integration

OPEN AND SECURE ACCESS E2E ARCHITECTURE PHASE 1 (TODAY)

[Figure: Phase 1 end-to-end architecture. Elements: Smartphone, AP, WLC, WLM, MX-BNG, SBR, SSR, SRC, VTA, Portal, subscriber database / HLR, Internet. Access is Open or 802.1x. Interfaces shown: RADIUS, Diameter (JSRC), Gi IP, CORBA, SQL, SIGTRAN. Flows shown: Auth-Check / Service, Subs-Data, Policy push (to MX-BNG), Redirect IP.]

JUNIPER VALUE PROPOSITION

Juniper MX as Wi-Fi Access Gateway acts as a PCEF for:
• CGNAT (leveraging MS-DPC)
• DPI (leveraging MS-DPC)
• Basic QoS / Hierarchical QoS (leveraging MS-DPC)
• Lawful Interception Point for CC
• DHCP-Server

SBR Carrier AAA with SSR SIM-Module for seamless authentication with HLR for EAP-SIM/AKA
• Session State Register for global, redundant Subscriber Knowledge

Juniper SRC (Session Resource Controller)
• Captive Portal
• Volume Tracking Application
• Various Accounting Interfaces
• Policy push to all Juniper core routers

Juniper Wireless WLA / WLC / WLM
• Wi-Fi Access with Backhauling due to Central Switching
• Complete Lifecycle Management through RingMaster

UNIVERSAL EDGE

MX 3D: A NETWORK SERVICES PLATFORM

Ultimate in flexibility

Versatility of 4 platforms ensures there is a platform tailor made for every deployment model

L2 to L3 to L4-7 services

Support multiple services simultaneously without impacting performance

Industry-leading performance and scale

OPEX Savings Simplifies operations

30–50% more power efficient & 40% more space efficient

Embedded monitoring services to ensure SLAs are met

Unparalleled functional bundling that allows massive cost saving

Unparalleled packet processing performance

Separate control and data plane that scale independently

Services Flexibility for Mobile: MX 3D with Trio is a Common Services Layer for IP Convergence

Common hardware, common software, investment protection

[Figure: MX 3D roles across network domains. Roles: TWAG, Security-GW, S/P-GW, GGSN, Backbone, Backhaul, Carrier Grade NAT, BNG, Firewall, Business Edge, L2/L3 Switch, SDG. Domains: Packet Core, Transport, Fixed Edge, Security, Datacenter.]

UNIVERSAL EDGE ENABLES NEW NETWORK

[Figure: MX 3D Series with Router-Integrated Services (Cable Edge, Business Edge, Mobile Edge, Carrier Ethernet Aggregation, Video Distribution Networks), Network-Integrated Apps. & Services from Juniper and from partners (DAA, BGF, Media Flow, StreamScope, eRM, Telchemy, ePM, IPS, Media Enabler, Media Flow Controller, SRC Controller), and Network Applications.]

JUNIPER WIRELESS

THE NONSTOP WIRELESS NETWORK

• Single point of management
• Active-active control architecture
• Self-organizing adds, moves and changes
• Self-repairing architecture
• In service software upgrades
• Full Featured Local switching

JUNIPER WLA SERIES ACCESS POINT FAMILY

Entry level 802.11n
• WLA321 – Single Radio Low Cost AP
• WLA322 – Dual Radio Entry-level AP

Indoor 11n
• WLA522 – 2x2 MIMO Dual Radio, High Density
• WLA532 – 3 Stream MIMO Dual Radio, Max. Performance (New)

Outdoor 11n
• WLA632 – 3x3 MIMO Dual Radio, All Weather (New)

(Models are arranged by increasing functionality.)

WLA Series Highlights
• Highest performance APs in the industry
• Most cost effective APs in the industry
• Full featured Intelligent switching
• Spectrum analysis across the portfolio
• Bridging and mesh

JUNIPER WLC SERIES CONTROLLER FAMILY

WLC Series Highlights
• Simplest solution in the Industry
• Highest Reliability in the industry
• Only vendor with In-service upgrades
• One software platform
• Full Featured distributed deployment

Controller models by number of APs (Branch, Campus, Enterprise):
• WLC2 – 4 AP
• WLC8 – 12 AP
• WLC800 – 16 - 128 11n AP 3-Stream
• WLC880 – 16 - 256 11n AP 3-Stream
• WLC2800 – 64 - 512 11n AP

(# of AP axis: 4, 12, 16, 32, 64, 128, 192, 256, 512)

BEST IN CLASS WLAN LIFE CYCLE MANAGEMENT: RingMaster

Planning and Deployment
• 3D predictive planning tool
• Indoor and Outdoor network plan

Configuration and Verification
• Complete offline configuration
• System and service wizards
• Pushes configuration to WLCs

Monitoring and Reporting
• By user, radio, AP, WLC, SSID
• 30 day history aids compliance
• WIDS/WIPS integration

Location Aware
• Search by Location
• Roaming History
• Geo Fencing

SBR CARRIER

SBR CARRIER: ENABLES SEAMLESS ACCESS

Steel Belted Radius
• Seamless integration: Supports any SDM technology with any schema
• Reduce operational cost: Single platform managing AAA functions for all access technologies
• Reduce complexity: Single platform provides glue between network technologies and IT systems

[Figure: access technologies connected through Steel Belted Radius to HLR, RADIUS, LDAP and SQL back ends: CDMA 1xRTT/EvDO, GPRS/UMTS/HSxPA, xDSL, FTTH, UMA, Femtocell, Public Wi-Fi, Fixed/Mobile, WiMAX.]

FLEXIBLE SDM INTEGRATION: ANY CREDENTIAL, ANY DATABASE

Steel Belted Radius front-ends HLR, RADIUS, LDAP and SQL back ends.

HLR authentication
• D’ authentication and authorization interface
• SIM and AKA
• SS7 over E1/T1
• SIGTRAN
• MAP v2/v3
• NO separate MAP-GW (installed on SBR)

LDAP
• LDAP v2/v3
• Load-balancing and failover
• Any LDAP schema
• Programmable searches with recursiveness
• Scripting
• Unparalleled performance

SQL
• Generic SQL over JDBC
• Load-balancing and failover
• Any SQL schema
• Stored procedure support

Oracle
• Native Oracle interface
• Load-balancing and failover
• Any SQL schema
• Stored procedure support
• Unparalleled performance

RADIUS proxy
• Carrier grade proxy engine
• Weighted load-balancing and failover
• Target health detection
• Advanced filtering
• Unparalleled performance

Credentials:
• Username/password
• Certificate
• SIM & USIM
• SMS OTP
• Token
• Service-ID (e.g. APN, DNIS …)

JUNIPER SRC

SRC ENABLES APPLICATION INTELLIGENT NETWORKING

[Figure: Network Policy and Control Service. Applications (Internet, IPTV, Home VoIP, Data VPN, Software as a Service, Videoconference) across Data Center, Core and Edge; Residential Services and Enterprise Services; Service Activation / Reporting and Provisioning / Accounting.]

SRC Policy Engine (C3000, C5000)
• Dynamic Provisioning: Filters, Captive Portal, Bandwidth, …
• Resource Control: Call Admission control, QoS, …
• Metering: Per service time & volume; Quota services

SRC USAGE TRACKING / ACCOUNTING OPTIONS

[Figure: End user traffic passes through MX, WLC 2800 and Wi-Fi AP; SRC holds subscriber state & profile and applies policy; usage is exported to Charging Systems via Flat file, RADIUS, Custom Plug-in or VTA (VTA Plug-in / Plug-in API).]

ENHANCED SUBSCRIBER MANAGEMENT

Regular: Per subscriber accounting
Enhanced: Per Service Accounting

Benefits:
• Usage based billing
• Congestion mitigation by de-prioritizing heavy users

Features
• Periodic collection of counters associated with SRC managed services
• Based on combination of 5-tuples or per application/application-groups
• Accounting record generation from SRC (flat files or RADIUS) – duration and volumes
• Multiple accounting sessions per subscriber
• Start, Stop and variable Interim
• Fair usage / quota services with Volume Tracking Application

OVERVIEW OF THE SRC VOLUME TRACKING APPLICATION

The SRC Volume-Tracking Application (SRC VTA) allows service providers to track and control the network usage of subscribers and services. You can control volume and time usage on a per-subscriber or per-service basis.

When a subscriber or service exceeds bandwidth limits (or quotas), the SRC VTA can take actions, including:
• directing the subscriber to a portal to activate additional services or purchase additional bandwidth,
• imposing rate limits on traffic,
• sending an e-mail notification,
• or charging extra for additional bandwidth consumed.
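The enhanced subscriber management and SRC VTA slides above describe a quota loop: per-subscriber and per-service counters are collected from interim accounting records, compared against volume or time quotas, and an action fires when a quota is exceeded. The following is an added example written for this page, not Juniper's SRC VTA code; the quota values, the subscriber and service names and the accounting records are all constructed, and the action names are the four actions the slide lists.

```python
"""Constructed quota tracker in the style of the SRC VTA slide. Not Juniper
code: quotas, subscriber ids, service names and records are made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Quota:
    """Limit on octets and/or seconds, and the action taken once it is exceeded."""
    max_octets: Optional[int]
    max_seconds: Optional[int]
    action: str  # "redirect_portal", "rate_limit", "notify_email" or "charge_extra"


@dataclass
class Usage:
    octets: int = 0
    seconds: int = 0


class QuotaTracker:
    """Accumulates usage per subscriber and per (subscriber, service) within one
    accounting period (daily or monthly on the slides) and fires each quota's
    action once per period."""

    def __init__(self, subscriber_quotas: Dict[str, Quota], service_quotas: Dict[str, Quota]):
        self.subscriber_quotas = subscriber_quotas
        self.service_quotas = service_quotas
        self.sub_usage: Dict[str, Usage] = {}
        self.svc_usage: Dict[Tuple[str, str], Usage] = {}
        self.triggered = set()  # quota keys already actioned this period

    @staticmethod
    def _exceeded(u: Usage, q: Quota) -> bool:
        return ((q.max_octets is not None and u.octets > q.max_octets)
                or (q.max_seconds is not None and u.seconds > q.max_seconds))

    def record(self, sub_id: str, service: str, octets: int, seconds: int) -> List[Tuple]:
        """Apply one interim accounting record; return the actions fired as
        (action, subscriber, service-or-None)."""
        if octets < 0 or seconds < 0:
            raise ValueError("counters must be non-negative")
        actions = []
        sub = self.sub_usage.setdefault(sub_id, Usage())
        sub.octets += octets
        sub.seconds += seconds
        svc = self.svc_usage.setdefault((sub_id, service), Usage())
        svc.octets += octets
        svc.seconds += seconds

        q = self.subscriber_quotas.get(sub_id)
        if q and self._exceeded(sub, q) and ("sub", sub_id) not in self.triggered:
            self.triggered.add(("sub", sub_id))
            actions.append((q.action, sub_id, None))
        q = self.service_quotas.get(service)
        key = ("svc", sub_id, service)
        if q and self._exceeded(svc, q) and key not in self.triggered:
            self.triggered.add(key)
            actions.append((q.action, sub_id, service))
        return actions

    def reset_period(self) -> None:
        """Start a new daily/monthly window: counters and fired actions are cleared."""
        self.sub_usage.clear()
        self.svc_usage.clear()
        self.triggered.clear()


def run_sample() -> List[Tuple]:
    """Constructed records: a 1 MB subscriber quota and a 500 kB video quota."""
    tracker = QuotaTracker(
        subscriber_quotas={"sub-A": Quota(1_000_000, None, "redirect_portal")},
        service_quotas={"video": Quota(500_000, None, "rate_limit")},
    )
    records = [("sub-A", "web", 300_000, 60), ("sub-A", "video", 400_000, 120),
               ("sub-A", "video", 200_000, 60), ("sub-A", "web", 200_000, 30)]
    fired = []
    for rec in records:
        fired.extend(tracker.record(*rec))
    return fired  # the video quota trips on record 3, the subscriber quota on record 4


if __name__ == "__main__":
    for action in run_sample():
        print(action)
```

The per-period `triggered` set is what keeps the tracker from re-firing a redirect or rate limit on every interim record after the threshold; `reset_period()` models the daily/monthly roll-over named on the SRC slides.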

FUTURE PRODUCTS / SOLUTIONS

HOTSPOT V2.0

IEEE 802.11U AND HOTSPOT V2.0 PART 1

IEEE 802.11u (Standardization finished Feb 2011)
• Allows a Station (UE/Mobile) to query information about the WLAN and the Network behind it before an Authentication is tried
• Must be supported at WLAN-AP and UE/Mobile to work

Network Discovery and Selection component
• Advertise the Network's basic 11u capabilities in Beacons and Probe Response Frames to minimize Battery impact
  – Access Type
  – Venue Info
  – HESSID
  – supported Advertisement Protocols
  – Roaming Consortium
  – Emergency Call ongoing Alert
• Generic Advertisement Service (GAS) for extended Queries
  – Access Network Query Protocol (ANQP) and others (MIH)

QOS Map Set distribution
• Tell the Mobile which QOS DSCP Marking to set for IP Traffic according to the operator's policy
• Expedited Bandwidth Request (EBR) support

Emergency services
• Emergency Call and Network Alert support at the link level

IEEE 802.11U AND HOTSPOT V2.0 PART 2

Hotspot V2.0 Goals
• Improve end-user experience to level of cellular networks
• Facilitate Wi-Fi offload
• Facilitate Wi-Fi roaming agreements between hot spot operators/service providers

Deliverables
• Technical Spec. (uses 11u heavily), Test Plan, Certification Program, Deployment Guide

Phase 1 (called “Passport”), Certification starts: mid-year 2012
– Access network discovery
– Security

Phase 2, Certification starts: mid-year 2013
– Operator Policy (TBD) Will it be ANDSF? At which Sublevel then?
– On-line Signup (TBD)

Phase 3, Certification starts: TBD probably mid-year 2014
– Scope isn’t defined
– proposals have been made around Wi-Fi offload issues and improved operations/monitoring.

IEEE 802.11U AND HOTSPOT V2.0 PART 3

Network Discovery (Phase 1)
• New information elements (11u based): Interworking, Advertisement Protocol, Roaming Consortium, BSS Load, WFA Peer to Peer
• GAS/ANQP Protocols (11u based)
  – ANQP: Venue Name, Network Authentication Type, IP Address Type Availability, Network Access Identifier Realm List, 3GPP MCC/MNC, Domain Name List
  – HS2.0 ANQP extensions: Operator Name, WAN Metrics, Connection Capability, NAI Home Realm Query
• Note: Only a SUBSET of 11u will be certified in HS 2.0.
  – QoS-Mapping Tests and Emergency Calls are not in scope of HS2.0

Security (and Battery Life Extension) (Phase 1)
• Certification includes 802.1x based WPA(2) Enterprise Authentication
  – EAP-TLS, EAP-TTLS (inner MS-CHAPv2), EAP-SIM/AKA (if the Device has a (U)SIM-Card it SHALL support this)
• Certification does NOT include UE based Tunnels
  – Hotspot V2.0 certifies “sort-of” 3GPP “Trusted Access” Mobiles / UE’s only
• Proxy ARP and Proxy Neighbor Discovery (802.11v)
• Downstream Group Addressed Frame Forwarding
• Peer to Peer Communication Blocking
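The 802.11u and Hotspot 2.0 slides above describe what a device learns before authenticating (Roaming Consortium OIs, the NAI Realm List with its EAP methods, the 3GPP MCC/MNC list) and the security floor HS2.0 certifies (802.1x based WPA2 Enterprise). The example below, added for this page and not taken from the presentation or from any supplicant, shows the selection decision that follows from that data: a credential is matched against the advertised information, and a network that is not 802.1X protected is never chosen. The hotspot records, SSIDs, realm, OI and PLMN values are constructed; the EAP method numbers are the IANA EAP method type codes.

```python
"""Constructed Hotspot 2.0 style network selection. Not code from the
presentation or any vendor; ANQP contents below are made up, and matching
follows the HS2.0 rules named on the slides (roaming consortium OI, 3GPP
PLMN, NAI realm plus EAP method)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# IANA EAP method type codes
EAP_TLS, EAP_SIM, EAP_TTLS, EAP_AKA = 13, 18, 21, 23


@dataclass(frozen=True)
class Credential:
    kind: str       # "sim", "cert" or "password"
    realm: str      # home NAI realm, e.g. "example.net" (constructed)
    home_oi: str    # roaming consortium OI as hex string, "" if none (constructed)
    plmn: str       # MCC+MNC for SIM credentials, "" otherwise (constructed)


@dataclass
class HotspotInfo:
    """What a station learns from beacons plus a GAS/ANQP query (constructed)."""
    ssid: str
    wpa2_enterprise: bool                                    # 802.1X based WPA2
    roaming_consortium: List[str] = field(default_factory=list)
    nai_realms: Dict[str, Set[int]] = field(default_factory=dict)  # realm -> EAP methods
    plmns: List[str] = field(default_factory=list)           # 3GPP MCC/MNC list


def eap_methods_for(cred: Credential) -> Set[int]:
    """EAP methods a credential type can run (per the HS2.0 slide)."""
    if cred.kind == "sim":
        return {EAP_SIM, EAP_AKA}
    if cred.kind == "cert":
        return {EAP_TLS}
    return {EAP_TTLS}


def match(hotspot: HotspotInfo, cred: Credential) -> Optional[str]:
    """Return the reason this credential can use the hotspot, or None."""
    if not hotspot.wpa2_enterprise:
        return None  # HS2.0 certification requires 802.1X: open or PSK SSIDs are skipped
    if cred.home_oi and cred.home_oi in hotspot.roaming_consortium:
        return "roaming-consortium"
    if cred.kind == "sim" and cred.plmn and cred.plmn in hotspot.plmns:
        return "3gpp-plmn"
    methods = hotspot.nai_realms.get(cred.realm, set())
    if methods & eap_methods_for(cred):
        return "nai-realm"
    return None


# lower rank is preferred: home operator / consortium matches beat a plain realm match
_RANK = {"roaming-consortium": 0, "3gpp-plmn": 0, "nai-realm": 1}


def select(hotspots: List[HotspotInfo], creds: List[Credential]) -> Optional[Tuple[str, str, str]]:
    """Pick (ssid, credential kind, reason) for the best matchable hotspot."""
    best = None
    for h in hotspots:
        for c in creds:
            why = match(h, c)
            if why and (best is None or _RANK[why] < _RANK[best[2]]):
                best = (h.ssid, c.kind, why)
    return best


def sample_inputs() -> Tuple[List[HotspotInfo], List[Credential]]:
    """Constructed scan results and device credentials."""
    creds = [Credential("sim", "example.net", "", "00101"),
             Credential("password", "example.net", "", "")]
    hotspots = [
        HotspotInfo("OpenCafe", wpa2_enterprise=False, plmns=["00101"]),
        HotspotInfo("PartnerNet", wpa2_enterprise=True, nai_realms={"example.net": {EAP_TTLS}}),
        HotspotInfo("CarrierHS", wpa2_enterprise=True, plmns=["00101"]),
    ]
    return hotspots, creds


if __name__ == "__main__":
    print(select(*sample_inputs()))
```

Note that "OpenCafe" advertises the device's own PLMN but is still rejected because it offers no 802.1X protected association, which is the point the "Security (Phase 1)" bullets make about what HS2.0 certifies.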

3GPP TRUSTED ACCESS

WI-FI OFFLOAD USING S2A GTP (SAMOG)

Secure Simplified Access for Trusted Wi-Fi Networks

[Figure: Smartphone, WLAN Access (AP), Backhaul & Packet Core (SaMOG GW), GTP S2a into the Service Complex (VPN, SDG, PGW, GGSN, HA); Policy and Credential Servers: PCRF, NetOpt App, ANDSF, Credential Mngt, HSS/AAA.]

• Documented in TS 23.402 section 16 for 3GPP Rel 11
• 802.1x recommended to ensure air interface security (WPA)
• EAP-AKA credentials used to authenticate the UE
  • Needed to get IMSI identity of the UE
  • Allows HSS to pass information required for GTP management (including target PGW)
  • Needed for future IP address preservation
• Leverages standard GTP “Create/Modify” Session/Bearer messages

BENEFITS:
• Avoids cost and overhead of IPsec
• Uses standard GTP based procedures

CAVEATS:
• Used only for trusted Wi-Fi networks
• TWAG must see UE-MAC (Layer2)
• IP-Address preservation comes in Rel. 12

TRUSTED WLAN ACCESS TO EVOLVED PACKET CORE ARCHITECTURE

• No additional SW on UE / IP address Preservation (and no IKEv2/IPsec/ePDG)
• SWw is a point-to-point IP link over 802.11 protected by 802.1X
• Access Control enforced by Trusted WLAN on behalf of 3GPP operator (802.1X)
• Default APN for Trusted WLAN PDN connection stored in subscription data

[Figure: 3GPP reference architecture for S2a Mobility based On GTP and WLAN access to EPC (SaMOG). Non-3GPP Networks: UE (SWw) to Trusted WLAN Access Network, S2a to the PDN Gateway in the HPLMN, SGi to the Operator's IP Services (e.g. IMS, PSS etc.). 3GPP Access via Serving Gateway (S8). VPLMN: vPCRF, 3GPP AAA Proxy (STa, SWd). HPLMN: hPCRF, HSS, 3GPP AAA Server. Reference points shown: SWw, STa, SWd, SWx, S2a, S6a, S6b, S8, S9, Gx, Gxc, Rx, SGi.]

TRUSTED WLAN ACCESS INTERNAL FUNCTIONS

WLAN: APs terminating UE’s SWw 802.11 WLAN link
• Authenticates UE with EAP-AKA
• Provide integrity and/or confidentiality protection

Trusted WLAN Access Gateway (TWAG): Creates/Deletes S2a GTP tunnel
• Default router and DHCP server
• Enforces packet forwarding between UE’s SWw point-to-point IP link and S2a GTP tunnel based on UE MAC address

Trusted WLAN AAA Proxy (TWAP): AAA proxy b/w WLAN Access Network and 3GPP AAA Server/Proxy over STa
• Binds UE subscription data (e.g. IMSI, APN) with UE MAC address
• Notifies TWAG of UE L2 Attach to / Detach from WLAN

[Figure: Trusted WLAN Access Network containing the WLAN, the Trusted WLAN AAA Proxy and the Trusted WLAN Access Gateway; SWw towards the UE, STa towards the 3GPP AAA, S2a towards the EPC, plus Intranet / Internet.]

TRUSTED WLAN ACCESS PDN & NSWO POINT-TO-POINT LINK MODEL

[Figure: UE1 to UE4 hold 802.11 Associations with the AP/WLC; one VLAN or GRE tunnel per PDN/NSWO towards the TWAG; the TWAG maps each UE MAC to an S2a-TEID (PDN1, PDN23 on the PDN GW) or to NSWO.]

• 802.11 Bridging; UL: AP/WLC force-forwards
• DL: TWAG unicast to UE MAC
• NSWO a.k.a. Local Break-Out

TRUSTED WLAN ACCESS INITIAL ATTACH (Roaming Scenarios)

[Figure: sequence between UE, TWAN, AAA Proxy, PDN GW, vPCRF, HSS/AAA and hPCRF.]

1. Non-3GPP Specific Procedures
2. EAP Authentication (Authentication & Authorization)
(A)
3. Create Session Request
4. IP-CAN Session Establishment Procedure
5. Update PDN GW Address
6. Create Session Response
7. GTP Tunnel
8. EAP authentication Completion
(B)
9. L3 Attach
10. Create Session Request
11. IP-CAN Session Establishment Procedure
12. Update PDN GW Address
13. Create Session Response
14. GTP Tunnel
15. L3 Attach Completion

Two variants based on PDN:
A. IPv4, IPv6, IPv4v6, based on successful authentication event (recommended)
B. IPv4 only, based on DHCPv4 address request

High Level SaMOG Call Flow

[Figure: User Equipment, Access Point, WLAN Controller, AAA, SaMOG Gateway, GGSN / PDN Gateway, Internet. Link legend: 802.11 abg; 802.11 in CAPWAP (VLAN, MAC); IP Packet; Layer3 VPN; GTP-Traffic.]

• IEEE 802.11 Discovery
• Diameter EAP Request, RADIUS EAP Request, EAP Request to UE
• EAP Response from UE to WLC, RADIUS EAP Response (MAC, VLAN), Diameter EAP Response
  (Depending on EAP method, from 0 to N such EAP Request/Response Exchanges)
• Diameter EAP Success, RADIUS EAP Success, EAP Success to UE; Derive PTK
• 4 Way Handshake; IEEE 802.11 AES Data Encryption
• GTP Request / Response (SaMOG Gateway to GGSN / PDN Gateway); Acquired IP Address
• DHCP Request / Response; Ready to use / OK to use
• GTP-Traffic

This will be RADIUS in the first release.
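The "internal functions", "point-to-point link model", "initial attach" and "high level SaMOG call flow" slides above describe the same access-control loop from different angles: after EAP success the TWAP binds the subscription (IMSI, APN) to the UE MAC and notifies the TWAG, the TWAG creates the S2a GTP session and from then on forwards only by that MAC binding, and an L2 detach tears everything down. The simulation below is an added example for this page, not Juniper's or 3GPP's code; the TEIDs, addresses, IMSI and MACs are constructed, the PDN GW is a stub that only answers Create Session, and the extra uplink source-address check is an assumption of the example (the slide only names the MAC as the forwarding key).

```python
"""Constructed simulation of TWAP binding, TWAG S2a tunnel creation and
MAC-keyed forwarding, as described on the Trusted WLAN slides. Not vendor
or 3GPP code; all identifiers, TEIDs and addresses are made up."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import itertools


@dataclass
class Binding:
    imsi: str
    apn: str
    teid: Optional[int] = None    # S2a GTP TEID allocated by the PDN GW
    ue_ip: Optional[str] = None   # address the TWAG (default router/DHCP) hands to the UE


class PdnGw:
    """Stub PDN GW: answers Create Session Request with a TEID and a UE address."""
    def __init__(self):
        self._teids = itertools.count(0x1000)
        self._hosts = itertools.count(10)

    def create_session(self, imsi: str, apn: str) -> Tuple[int, str]:
        return next(self._teids), f"10.0.0.{next(self._hosts)}"


class Twag:
    """Creates/deletes the S2a tunnel and forwards strictly by UE MAC binding."""
    def __init__(self, pgw: PdnGw):
        self.pgw = pgw
        self.fwd: Dict[str, Binding] = {}    # UE MAC -> binding (uplink lookup)
        self.by_ip: Dict[str, str] = {}      # UE IP -> UE MAC (downlink lookup)

    def l2_attach(self, mac: str, binding: Binding) -> None:
        """TWAP notified us of an authenticated L2 attach: set up S2a."""
        binding.teid, binding.ue_ip = self.pgw.create_session(binding.imsi, binding.apn)
        self.fwd[mac] = binding
        self.by_ip[binding.ue_ip] = mac

    def l2_detach(self, mac: str) -> None:
        """Tear down the S2a state when the UE leaves the WLAN."""
        b = self.fwd.pop(mac, None)
        if b is not None:
            self.by_ip.pop(b.ue_ip, None)

    def uplink(self, src_mac: str, src_ip: str, payload: bytes) -> Tuple:
        """Frame from the SWw side: tunnel it, or drop it with a reason."""
        b = self.fwd.get(src_mac)
        if b is None:
            return ("drop", "unbound MAC")        # never authenticated on this WLAN
        if src_ip != b.ue_ip:
            return ("drop", "IP not assigned to this MAC")  # example's extra check
        return ("gtp", b.teid, payload)

    def downlink(self, teid: int, dst_ip: str, payload: bytes) -> Tuple:
        """Packet from S2a: unicast to the bound UE MAC, else drop."""
        mac = self.by_ip.get(dst_ip)
        if mac is None or self.fwd[mac].teid != teid:
            return ("drop", "no binding")
        return ("unicast", mac, payload)


class Twap:
    """AAA proxy over STa: after EAP-AKA success, bind IMSI/APN to the UE MAC."""
    def __init__(self, twag: Twag):
        self.twag = twag
        self.sessions: Dict[str, Binding] = {}

    def eap_success(self, mac: str, imsi: str, apn: str) -> None:
        b = Binding(imsi=imsi, apn=apn)
        self.sessions[mac] = b
        self.twag.l2_attach(mac, b)

    def l2_detach(self, mac: str) -> None:
        if self.sessions.pop(mac, None) is not None:
            self.twag.l2_detach(mac)


def run_sample() -> list:
    """Constructed attach, a few frames, then detach."""
    twag = Twag(PdnGw())
    twap = Twap(twag)
    ue = "aa:bb:cc:00:00:01"
    twap.eap_success(ue, imsi="001010123456789", apn="internet")
    b = twag.fwd[ue]
    results = [
        twag.uplink(ue, b.ue_ip, b"pkt1"),                 # bound UE: tunnelled
        twag.uplink("aa:bb:cc:00:00:02", b.ue_ip, b"pkt2"),  # unknown MAC: dropped
        twag.uplink(ue, "10.0.0.99", b"pkt3"),             # wrong source IP: dropped
        twag.downlink(b.teid, b.ue_ip, b"pkt4"),           # downlink to bound MAC
    ]
    twap.l2_detach(ue)
    results.append(twag.uplink(ue, b.ue_ip, b"pkt5"))      # after detach: dropped
    return results


if __name__ == "__main__":
    for r in run_sample():
        print(r)
```

The "TWAG must see UE-MAC (Layer2)" caveat on the SaMOG slide is visible here: every forwarding decision keys on the MAC the TWAP bound at authentication time, so the model breaks if a routed hop sits between the AP/WLC and the TWAG.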

TRUSTED WLAN ACCESS TO EVOLVED PACKET CORE MOTIVATION – PHASE 2 / REL-12

Desire for (missing) Additional Functions
• IP address preservation across handovers b/w 3GPP and WLAN
• Concurrent Connectivity
  – Multiple PDN connections
  – Concurrent 3GPP access & Trusted WLAN Access
  – Concurrent PDN Connectivity and Non-Seamless WLAN Offload
• UE / NW Selection of APN & NSWO

Solution Space has 2 dimensions:
• UE / NW Signalling for APN/NSWO & attach/handover/detach
  – Layer 2: extensions to EAP-AKA or 802.11 ANQP
  – Layer 3: extensions to DHCP/DHCPv6
• Per-PDN / NSWO Link Model
  – Per-PDN/NSWO VLAN tagging
  – Per-PDN/NSWO MAC address on TWAG side

TRUSTED ACCESS VISION TOWARDS FMC

[Figure: 2G/3G RAN to SGSN, Gn (GTP) to GGSN, into IP Networks, with HLR, OCS and PCRF. Trusted Access (EAP-SIM/AKA) and Trusted Access (EAP-TTLS, with non-HLR based SDM) enter the same GGSN through a SaMOG based TWAG and AAA. Any Access Network (Set-Top, CPE, DHCP, PPPoX) enters through BRAS and Portal. All share the Internet access APN.]

JUNOS PULSE WI-FI MANAGER MODULE

WHY USE CLIENT TECHNOLOGY FOR WI-FI OFFLOAD?

• Does the OS natively provide tunneling?
• Does the OS support selective tunneling & confidentiality?
• Does the OS support policy-based control of network selection and application routing?
• Does the OS support management of more than just Wi-Fi authentication credentials? 3rd party roaming?

If the answer to ANY question is “no”, then a client is required!

End User Quality of Experience

Wi-Fi Offloading can help. However….

Solution must be 100% seamless and transparent to the end user:
• Completely automated
• Zero end user intervention
• No compromise on quality of connection
• No compromise on device performance

ELSE

Junos Pulse & Wi-Fi Offload

[Figure: End User/Device (UE) running Junos Pulse; The Network running Pulse Wi-Fi Manager (PWM).]

Junos Pulse + Pulse Wi-Fi Manager bridges the gap between the network and the end device, enhancing end user Quality of Experience: significantly enhancing the end user quality of experience (QoE) while still offering control to the carrier or enterprise.

Pulse manages 3G/Wi-Fi interactions based on pre-defined policy.

PULSE WI-FI MANAGER ANDROID SUPPORT ONLY IN PHASE 1

Manage Wi-Fi
Wi-Fi Provisioning
- Push & manage Wi-Fi profiles
- Use on-device supplicant
Location & Device Aware
- User location (city level)
- Device type (iOS/Android)
- e.g. User in Austin provisioned with SSID A & SSID B, User in San Jose provisioned for SSID A only
Automatic credential management
- Addresses gap for non EAP-SIM/AKA enabled Android devices

Smart Wi-Fi On/Off
Turn Wi-Fi On/Off on the device based on location
- Balance UX with Wi-Fi attach
- Automate action or notify user
- e.g. Enable/Disable Wi-Fi based on proximity to malls, stadiums etc. based on “3G Cell broadcast ID” information

App Notification
Discourage Offload for walled garden applications
- e.g. Notify user and allow them to switch to 3G/4G when they run certain walled garden applications.

VPN tunnel
Setup VPN tunnel from client based on Wi-Fi type etc.
- Secure air link
- Enable walled garden access via backhaul
- No IKEv2 (SSL VPN)
*Scale factors must be considered

Reporting
Measure ROI & plan capacity
- Bytes offloaded on Wi-Fi
- Time spent on Wi-Fi
- Apps used, type of device etc.
- By SSID, AP, Location

Pulse Wi-Fi Offload workflow

[Figure: BTS, RNC, SGSN, GGSN and HLR on the cellular side; Wi-Fi AP, Firewall, AAA (e.g. SBR), Pulse Wi-Fi Manager (PWM) and Internet on the Wi-Fi side; Junos Pulse on the device.]

1. Phone boots up. Pulse starts running on the device.
2. Pulse contacts Wi-Fi Manager over 3G/4G network to get policies.
3. Policy gets downloaded to device over 3G/4G network. Policy includes Wi-Fi profiles, credentials, location, application & other criteria etc.
4. Pulse takes action on device based on Policy.
5. User connects to Wi-Fi based on Policy. Policy controls when & how user is offloaded. Try to use an 802.1x based Authentication with the AAA.
6. Policy also dictates what happens after offload (e.g. setup VPN over insecure Wi-Fi).


Pulse Wi-Fi Offload including Trusted Access

Diagram labels: BTS, RNC, SGSN, GGSN, HLR (cellular core); Wi-Fi AP with 802.1x SSID; Pulse Wi-Fi Manager (PWM); Firewall; Internet; AAA (e.g. SBR); Trusted Wi-Fi Access Gateway (T-WAG, SaMOG); Junos Pulse client on the phone.

1.) Phone boots up. Pulse starts running on the device.

2.) Pulse collects IMSI + MSISDN and contacts Wi-Fi Manager over 3G/4G network to get policies.

3.) Policy gets downloaded to device over 3G/4G network. Policy includes Wi-Fi profiles, credentials, location, application & other criteria etc.

4.) Pulse takes action on device based on Policy.

5.) User connects to Wi-Fi based on Policy. Policy controls when & how user is offloaded.

6.) Use 802.1x Authentication with the AAA based on PEAP or EAP-TTLS. Access-Accept has IMSI + MSISDN from PWM DB.

7.) Trusted Wi-Fi Access Gateway (SaMOG) forwards Layer 2 Traffic into GTP towards GGSN.
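The step where the Access-Accept carries the subscriber's cellular identity is the one the T-WAG depends on, so here is an added example (not code from the Juniper deck) of how an AAA can return the IMSI stored in the Pulse Wi-Fi Manager database inside a RADIUS Vendor-Specific attribute, and how the gateway reads it before creating the GTP session. The VSA layout is the one in RFC 2865 section 5.26; 3GPP-IMSI is vendor-type 1 under the 3GPP enterprise number 10415 (TS 29.061). The subscriber database, usernames and IMSI values are constructed; MSISDN, which the slide also lists, is left out of this example.

```python
# Added example, not code from the Juniper deck: IMSI from the PWM database
# carried in an Access-Accept as a 3GPP VSA, read by the T-WAG/SaMOG side.
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RADIUS attribute type "Vendor-Specific"
VENDOR_3GPP = 10415           # IANA enterprise number for 3GPP
VSA_3GPP_IMSI = 1             # 3GPP-IMSI sub-attribute: IMSI as a digit string

# Constructed PWM database: the identity the user authenticated with (PEAP or
# EAP-TTLS inner identity) -> the cellular identity registered at provisioning.
PWM_DB = {
    "alice@operator.example": {"imsi": "001010123456789"},   # MCC 001 = test network
}


def encode_vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    """Encode one Vendor-Specific attribute carrying a single sub-attribute:
    Type(26) Length Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) data."""
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", vendor_id) + sub
    if 2 + len(body) > 255:
        raise ValueError("RADIUS attribute length is a single byte")
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(attr: bytes):
    """Inverse of encode_vsa; validates both length fields before trusting data."""
    if len(attr) < 8:
        raise ValueError("VSA too short")
    attr_type, length = struct.unpack("!BB", attr[:2])
    if attr_type != RADIUS_VENDOR_SPECIFIC or length != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    vendor_type, vendor_len = struct.unpack("!BB", attr[6:8])
    if vendor_len != length - 6:
        raise ValueError("vendor-length does not match attribute length")
    return vendor_id, vendor_type, attr[8:8 + vendor_len - 2]


def build_access_accept(authenticated_user: str) -> dict:
    """AAA side: after EAP succeeds, look the IMSI up by the authenticated
    identity and attach it. Nothing the client asserted over Wi-Fi is used."""
    record = PWM_DB.get(authenticated_user)
    if record is None:
        return {"code": "Access-Reject", "attributes": []}
    imsi_vsa = encode_vsa(VENDOR_3GPP, VSA_3GPP_IMSI, record["imsi"].encode("ascii"))
    return {"code": "Access-Accept", "attributes": [imsi_vsa]}


def wag_session_imsi(reply: dict):
    """T-WAG side: the IMSI that keys the GTP context towards the GGSN comes
    only from the Access-Accept. Returns None when no usable IMSI is present,
    in which case no GTP session is created."""
    if reply["code"] != "Access-Accept":
        return None
    for attr in reply["attributes"]:
        vendor_id, vendor_type, data = decode_vsa(attr)
        if vendor_id == VENDOR_3GPP and vendor_type == VSA_3GPP_IMSI:
            imsi = data.decode("ascii")
            if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
                raise ValueError("IMSI must be 6 to 15 digits")
            return imsi
    return None


if __name__ == "__main__":
    reply = build_access_accept("alice@operator.example")
    print(reply["code"], "->", reply["attributes"][0].hex())
    print("GTP session for IMSI", wag_session_imsi(reply))
```

The point of the two length checks in `decode_vsa` is that the gateway is parsing bytes produced by another operator's AAA chain; a truncated or mis-built VSA should be rejected rather than silently yield a short IMSI that then keys a GTP tunnel.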


PROVIDER ROAMING & WHOLESALE


EAP-IDENTITY BASED ROAMING EXAMPLE (W. CLEARING HOUSE)

Diagram labels: Smartphone (User); Wi-Fi APs; WLC 2800 (Wi-Fi Controller) and Visited AAA at the Visited Network; Metro Network / Internet; Clearing House AAA; Home AAA with Subscriber DB or HLR (Subscribers).

1.) Subscriber moves to a Visited Network and attaches to the next Wi-Fi AP.

2.) AP directs all traffic through Metro (or Internet) to the Wi-Fi Controller at the Visited Network.

3.) Wi-Fi Controller notices a new attachment and asks the UE for the EAP-Identity to start the EAP negotiation.

4.) UE answers and starts the EAP exchange with its EAP-Identity.

5.) Wi-Fi Controller creates a RADIUS request to the local (Visited) AAA.

6.) Realm part of the user's NAI identifies that the request can't be authenticated locally -> proxy forwards it to the Clearing House AAA.

7.) Clearing House AAA identifies the Home AAA and forwards the request.

8.) Home AAA analyses the request (it may answer with a challenge, which will cause a few more interactions back and forth before it can reach a final conclusion).

9.) Home AAA authenticates the Subscriber against the Database/HLR and sends back Access-Accept (with a Profile to be used).

10.) Answer gets routed back the same way to the VAAA (which analyses the Profile settings and may override them).

11.) Wi-Fi Controller gets Access-Accept with the negotiated cryptographic keys and starts the 4-Way Handshake with the UE to secure the air interface (AES-CCMP).

12.) Wi-Fi Controller generates RADIUS Accounting information to be forwarded (VAAA to HAAA via Clearing House).
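The proxy decisions in steps 5 to 10 and 12 are easier to see in code, so here is an added example (not code from the Juniper deck) of the RADIUS proxy chain: the visited AAA decides from the NAI realm whether to authenticate locally or forward via the clearing house, the clearing house resolves the home AAA, and the visited AAA applies its own policy to the returned profile before handing it to the controller. All AAA names, realms, subscribers and profile attributes are constructed; messages are plain Python dicts rather than wire-format RADIUS, and the EAP challenge round trips of step 8 are not modelled.

```python
# Added example, not code from the Juniper deck: realm-based RADIUS proxy
# routing for EAP-identity roaming through a clearing house.
from dataclasses import dataclass, field


def parse_nai(identity: str):
    """Split a Network Access Identifier (RFC 7542) into (user, realm). The realm
    is the text after the last '@', lower-cased; no '@' means no realm."""
    if "@" not in identity:
        return identity, None
    user, _, realm = identity.rpartition("@")
    return user, realm.lower()


@dataclass
class AAAResult:
    code: str                                  # "Access-Accept" or "Access-Reject"
    attributes: dict = field(default_factory=dict)
    path: list = field(default_factory=list)   # AAA hops the request traversed


class HomeAAA:
    """Authenticates against the home subscriber database and returns a profile."""

    def __init__(self, name: str, subscribers: dict):
        self.name, self.subscribers = name, subscribers   # identity -> profile

    def handle(self, identity: str) -> AAAResult:
        profile = self.subscribers.get(identity)
        if profile is None:
            return AAAResult("Access-Reject", path=[self.name])
        return AAAResult("Access-Accept", dict(profile), [self.name])


class ClearingHouseAAA:
    """Resolves the realm to a home AAA and forwards; unknown realms are rejected
    here rather than forwarded to every partner."""

    def __init__(self, name: str, realm_to_home: dict):
        self.name, self.realm_to_home = name, realm_to_home

    def handle(self, identity: str) -> AAAResult:
        home = self.realm_to_home.get(parse_nai(identity)[1])
        if home is None:
            return AAAResult("Access-Reject", path=[self.name])
        result = home.handle(identity)
        result.path.insert(0, self.name)
        return result


class VisitedAAA:
    """Serves its own realms from the local database, proxies every other realm to
    the clearing house, and caps the returned profile with visited-network limits."""

    def __init__(self, name, local_realms, local_subscribers, clearing_house, max_session_timeout):
        self.name, self.local_realms = name, set(local_realms)
        self.local_subscribers, self.clearing_house = local_subscribers, clearing_house
        self.max_session_timeout = max_session_timeout

    def is_local(self, identity: str) -> bool:
        realm = parse_nai(identity)[1]
        return realm is None or realm in self.local_realms

    def handle(self, identity: str) -> AAAResult:
        if self.is_local(identity):
            profile = self.local_subscribers.get(identity)
            if profile is None:
                return AAAResult("Access-Reject", path=[self.name])
            result = AAAResult("Access-Accept", dict(profile), [self.name])
        else:
            result = self.clearing_house.handle(identity)
            result.path.insert(0, self.name)
        if result.code == "Access-Accept":
            # Visited policy overrides the home profile where it is more permissive.
            wanted = result.attributes.get("Session-Timeout", self.max_session_timeout)
            result.attributes["Session-Timeout"] = min(wanted, self.max_session_timeout)
        return result

    def accounting_path(self, identity: str) -> list:
        """Hops an Accounting-Request for this session follows: the same proxy
        chain as the Access-Request, derived from the realm alone."""
        if self.is_local(identity):
            return [self.name]
        home = self.clearing_house.realm_to_home.get(parse_nai(identity)[1])
        return [self.name, self.clearing_house.name] + ([home.name] if home else [])


# Constructed topology: one home operator reachable through one clearing house.
HOME = HomeAAA("HAAA", {"alice@home-operator.example": {"Session-Timeout": 86400,
                                                        "Filter-Id": "home-default"}})
CLEARING_HOUSE = ClearingHouseAAA("CH-AAA", {"home-operator.example": HOME})
VISITED = VisitedAAA("VAAA", {"visited-operator.example"},
                     {"bob@visited-operator.example": {"Filter-Id": "local-default"}},
                     CLEARING_HOUSE, max_session_timeout=3600)

if __name__ == "__main__":
    for ident in ("alice@home-operator.example", "bob@visited-operator.example", "eve@nowhere.example"):
        r = VISITED.handle(ident)
        print(f"{ident}: {r.code} via {' -> '.join(r.path)} {r.attributes}")
```

Two design points carry over to a real deployment: routing is keyed on the realm only, so an anonymised outer EAP identity (as used by EAP-SIM/AKA) still reaches the right home AAA, and an unknown realm is rejected at the clearing house instead of being tried against every partner.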


EXAMPLE ROAMING - VPLS BASED

Diagram (VPLS based roaming), recoverable labels:
- Home Network: HAAA, H-HLR/HSS, Pulse Manager, IP Networks
- Visited Network: WLAN APs, WLAN WLC (MAC / VLAN), WAG, VAAA Proxy
- Interfaces: SWd between VAAA Proxy and HAAA; VPLS based Roaming between the visited WAG and the Home Network
- VAAA to add VLAN attribute per Home Network on returned Access-Accept


ROAMING TRUSTED LOCAL SAMOG

Diagram (Gp/GTP based GRX roaming with a local SaMOG), recoverable labels:
- Home Network: H-GGSN, H-PGW, HAAA, H-HLR/HSS, Pulse Manager, OCS, PCRF, IP Networks
- Visited Network: WLAN APs, WLAN WLC (MAC / L2), Visited WiFi Access Gateway (SaMOG), VAAA Proxy
- Interfaces: SWd between VAAA Proxy and HAAA; Gp/GTP based GRX roaming between the visited SaMOG and H-GGSN/H-PGW


ROAMING TRUSTED HOME SAMOG VPLS

Diagram (VPLS based roaming to a home SaMOG), recoverable labels:
- Home Network: H-GGSN, H-PGW, HAAA, H-HLR/HSS, Pulse Manager, OCS, PCRF, IP Networks, Home WiFi Access Gateway (SaMOG)
- Visited Network: WLAN APs, WLAN WLC (MAC / VLAN), VAAA Proxy
- Interfaces: SWd between VAAA Proxy and HAAA; VPLS based Roaming between the visited WLC and the home SaMOG
- VAAA to add VLAN attribute per Home Network on returned Access-Accept
