Based on the award-winning Aptilo Service Management Platform™, the Aptilo SIM Authentication Server™ (SAS) plays a central role in the Aptilo mobile data offloading solution. It uses the same mechanism that the mobile core uses, giving a seamless and secure user experience when authenticating the user to the Wi-Fi network. If you need more functionality than SIM authentication alone, such as portal functionality and Wi-Fi policy management, please consider the Aptilo 3GPP AAA+ Server™.
EAP-SIM/AKA authentication server optimized for offloading
The Aptilo SAS is an authentication server performing EAP-SIM/AKA authentication, optimized with the standard 3GPP AAA functionality needed in an offloading scenario, enabling SIM authentication for any Wi-Fi network. Furthermore, the Aptilo mobile offloading solution supports a wide variety of alternative authentication methods for devices that have no SIM card or that lack support for the EAP-SIM/AKA method.
The Aptilo SIM Authentication Server provides EAP-SIM/AKA (SIM/USIM-based) authentication for Wi-Fi users based on the information retrieved from the HLR or HSS in the mobile core.
How does EAP-SIM/AKA work?
The EAP-SIM/AKA method requires that the Wi-Fi network supports 802.1X, which encrypts the content of the communication – an important benefit, as it gives a security level equivalent to that of 3G/4G networks. The authentication – using the user credentials on the SIM card and the Extensible Authentication Protocol (EAP) – takes place in three automatic steps that occur without any user interaction:
During the initialization, only EAP over LAN (EAPOL) 802.1X traffic is allowed between the client and the Wi-Fi access point. All other traffic, such as DHCP or HTTP, is blocked.
The user credentials from the SIM card are delivered by the client to the Wi-Fi access point, which in turn encapsulates an EAP authentication request in RADIUS and sends it to the Aptilo SAS. The Aptilo SAS contacts the HSS/HLR and retrieves the GSM/LTE authentication vectors that are used to authenticate the user. Upon successful authentication, the Aptilo SAS sends the generated encryption keys – used to protect the Wi-Fi radio network – to the access point (AP).
The client needs to generate exactly the same encryption keys and validate the authentication vectors correctly through the SIM card in order to be admitted to the network.
Handling Policy and Charging
The Aptilo SAS can benefit from the pre-enabled integration with the Aptilo Service Management Platform™ (SMP) to deliver a carrier-class Hotspot 2.0-enabled Wi-Fi network that is integrated with the mobile core for authentication, policy control and charging. Aptilo SMP provides local storage of the policies to be applied to Wi-Fi access, as well as management of locally stored balances and time/volume quotas. These can be provisioned from the mobile operator’s existing systems and top-up portals via APIs. In addition to local storage of policies and charging data, it includes many highly flexible ways to integrate with the mobile core or the OSS/BSS: multiple policy look-ups through the Aptilo Service Glue™ functionality, usage reporting in the form of CDRs (Charging Data Records) for post-paid billing, and real-time charging information for existing prepaid systems.
The Aptilo SMP can also act as an EAP-SIM concentrator so that the Aptilo SAS only needs to maintain one RADIUS client relation rather than one for every Wi-Fi AP.
Scalability and Availability
When automatically and actively offloading 3G/4G users, mobile operators need to handle Wi-Fi as a service that is as critical as mobile broadband.
This calls for an exceptionally scalable architecture with high availability. The Aptilo SAS caters to this as it is built on Aptilo’s new ALE architecture which takes the scalability and availability issue out of the equation with linear scalability and high availability including geographic redundancy.
The Aptilo SAS supports SNMP-based network management, which means that service providers can integrate this node into the overall NOC operations.
Flexible Connectivity to HSS/HLR in the Mobile Core
The Aptilo SIM Authentication Server can connect to existing SS7 networks with ease and can be delivered with an optional SS7 PCI-Express board. Additionally, to facilitate connection with next-generation IP networks, Aptilo’s SAS can handle SS7 over IP using the built-in support for SIGTRAN. The physical link for the IP-based SIGTRAN protocol and Diameter Wx is the native high-capacity IP network adapter in the server hardware. A multitude of SS7 and SIGTRAN protocols are supported to facilitate a smooth integration with the mobile core. Different national variants (ANSI, ITU, Chinese and Japanese) as well as hybrid variants are also supported. Authentication for both USIM- and SIM-based devices simultaneously provides a seamless migration path from older to newer devices.
With a dedicated SIM authentication server like the Aptilo SAS, a service provider has the most flexibility in terms of network topology. In a multi-HLR and multi-HSS environment the Aptilo SAS provides a central aggregation point for all Wi-Fi-based SIM authentication requests and is able to authenticate against multiple HLR and HSS nodes from different vendors. Thanks to this central aggregation point, the SAS can also connect to multiple different Wi-Fi systems that perform RADIUS signaling for the individual Wi-Fi networks.
It is also possible to deploy the Aptilo SAS co-located with each HLR/HSS and configure a connection to the Wi-Fi AAA from each of the Aptilo SAS nodes.
