Aptilo Networks firmly believes in and adheres to standards. However, real-world deployments often call for pragmatic and truly innovative solutions. In this section you will find some of the innovative Wi-Fi offload features that make Aptilo stand out from the crowd.
With the Aptilo ServiceGlue™ functionality, new customer-adapted logic can be added through configuration. Aptilo ServiceGlue features an intelligent database interface and flexible configurable rule set-based functions.
In a mobile data offloading scenario, policy decisions implemented at the mobile operator can be looked up from several locations and intelligently mapped to the corresponding parameters in the Wi-Fi network. Execution of advanced logic can then be done through Aptilo’s ServiceGlue functions to make sure that the desired actions are performed in the Wi-Fi network for the specific user.
Streamlining Wi-Fi services across all types of devices
A typical subscriber today has several Wi-Fi-only devices (no 3G/4G support) such as tablets, laptops and gaming consoles. Service providers have to cater also to all these devices in order to win the subscriber’s loyalty. This will make subscribers more “sticky” to the service and reduce churn.
To create the best experience for subscribers, providers of Wi-Fi services strive to deliver as secure and automatic authentication (login) as possible. The most secure and automatic authentication mechanism for Wi-Fi in use today and frequently utilized for mobile phones is the Extensible Authentication Protocol (EAP). EAP-SIM/AKA authentication uses the credentials in the device’s SIM card for authentication while EAP-TLS and EAP-TTLS are based on certificates in the device and/or server.
Support for SIM authentication (EAP-SIM/AKA) is a prerequisite for 3GPP Wi-Fi access, but far from all mobile phones support EAP-SIM/AKA. Support is dependent on the mobile phone’s operating system (OS) and may even vary between different phone models using the same OS. This challenge may be a deal-breaker for deployment of trusted 3GPP Wi-Fi access because mobile operators cannot streamline services across all different mobile phone models.
In addition, the ever-growing number of Wi-Fi-only devices without SIM cards and devices that are not suitable for use with certificates has become a real challenge as they cannot be authenticated using an EAP authentication method.
Aptilo 3GPP Wi-Fi Access Unified Solution
The 3GPP Wi-Fi access standard requires use of SIM authentication (EAP-SIM/AKA) where policies are retrieved from the subscriber profile in the HLR/HSS during the authentication process. These policies are crucial for the Wi-Fi service and include things such as APN and parameters for setting up the individual GTP tunnel for backhauling the user’s traffic to the mobile core.
Aptilo SMP already enables 3GPP Wi-Fi access for mobile phones with SIM cards using EAP-SIM/AKA. Aptilo SMP now extends 3GPP Wi-Fi access support to all Wi-Fi devices including those with SIM cards but lacking support for SIM authentication (EAP-SIM/AKA). This innovation utilizes the highly secure EAP-TTLS/PEAP authentication method instead of EAP-SIM/AKA while retrieving policies from the subscriber profile in HLR/HSS as if it was an EAP-SIM/AKA authentication. In other words, Aptilo makes 3GPP Wi-Fi access possible in real-world deployments by adding support also for devices lacking SIM authentication capabilities which currently is 60-70% of the installed base if we include Wi-Fi only tablets.
The Aptilo 3GPP Wi-Fi Access Unified Solution for streamlining Wi-Fi services across all types of devices was shortlisted for the Wireless Broadband Alliance (WBA) Best Wi-Fi Technology Innovation Award 2013. Below we will describe more about how these features can be used in real-world deployments.
The Aptilo 3GPP Wi-Fi access Unified Solution works for any of the 3GPP Wi-Fi access methods. One of the most popular methods is the trusted 3GPP Wi-Fi access. In this method, the user traffic is securely backhauled to the mobile core through a GTP (or MIP/PMIP) tunnel between the WAG/TWAG (Wireless Access Gateway) and the GGSN/P-GW.
GTP tunneling for EAP-SIM/AKA enabled devices
In order for the WAG/TWAG to setup the GTP tunnel it needs parameters that reside in the subscriber profile. This will in turn require knowledge about the user’s IMSI (the unique identifier for the SIM card) to be able to get the correct subscriber profile. SIM authentication is part of the trusted 3GPP Wi-Fi access and the IMSI and subscriber profile with the GTP parameters will be retrieved as part of the EAP-SIM/AKA process with the Aptilo SMP (the green path above). The Aptilo SMP will then provide the WAG/TWAG will all necessary parameters to setup the GTP tunnel for the individual device.
GTP tunneling for devices lacking support for EAP-SIM/AKA
The innovative features of the Aptilo Service Management Platform (SMP) allow operators to overcome the need for SIM authentication support (EAP-SIM/AKA) in the device in order to obtain the subscriber profile for GTP tunnel setup. The Aptilo SMP can retrieve the user’s subscriber profile by using the MSISDN (mobile number) rather than the IMSI (SIM card ID) as an identifier while using EAP-TTLS rather than EAP-SIM/AKA for security (the orange path above), contact us to learn more about how this is done.
This opens up interesting possibilities when it comes to Wi-Fi offload. The subscriber profile provides the Aptilo SMP with the required parameters needed for a Wireless Access Gateway (WAG/TWAG) to setup a GTP tunnel for the full ecosystem of mobile devices, including mobile phones with SIM cards but lacking EAP-SIM/AKA support. With Aptilo’s innovation, these devices can use a modified version of the trusted 3GPP Wi-Fi access security, one with GTP tunnel but without SIM authentication. This is a good option when service providers need to balance security with the important issues of user convenience and streamlining their services.
The development of this feature in Aptilo SMP is the result of service provider requirements received by us and our partner Ericsson. The functionality has been verified with Ericsson Wi-Fi Gateway which supports advanced mobile core integration and has also already been successfully tested with Ericsson Wi-Fi Controller.
Aptilo’s ‘trusted’ 3GPP Wi-Fi access for non-SIM authentication can be combined with the patent-pending location-based multi-device login described below. This innovation addresses the fact that it is not always practical or even possible to do an EAP authentication and offers a more secure MAC-based authentication as an alternative for a seamless user login experience.
Aptilo location-based multi-device login
The best practice for login to Wi-Fi networks is utilizing the Extensible Authentication Protocol (EAP) as it is the most secure and automatic login mechanism in use today. EAP-SIM/AKA authentication is based on the credentials in the device’s SIM card while EAP-TLS and EAP-TTLS are based on certificates.
But, what about the multitude of Wi-Fi-only devices without SIM cards or devices that are not suitable for use with certificates? An appealing authentication mechanism for these devices is to use the unique Media Access Control address (MAC) of the device for authentication.
This mechanism provides a seamless user experience with automatic login to the Wi-Fi network and is often used as a re-authentication mechanism for short-term accounts at Wi-Fi hotspots.
However, since MAC addresses can be spoofed MAC-based authentication is not commonly used by service providers as the primary authentication mechanism for long-term accounts. For example, an imposter can retrieve the MAC address from a legitimate user. The imposter can then manipulate his/her own device to present the stolen MAC address identity and use the Wi-Fi service without paying for it. This may cause a significant burden on the customer care team to investigate frauds. What if it were possible to make MAC authentication more secure?
With Aptilo it is!
Location-based multi-device login principal concept
The location-based multi-device login is a patent-pending Aptilo invention which allows mobile operators to achieve a greater level of security for MAC-based authentication of devices in Wi-Fi networks. It makes an automatic MAC-based authentication for multiple devices more secure by tying them to an active mobile phone, belonging to the same subscriber, which is already authenticated via a secure EAP method at the same location.
Aptilo’s location-based multi-device login simply turns a user’s EAP-SIM/AKA-enabled mobile phone with SIM card into a location-based “security key” for the device(s) that use the less-secure MAC authentication mechanism. Mobile phones without SIM cards can also serve as a “security key” using EAP-TLS or EAP-TTLS.
The following basic scenarios can exist when a subscriber enters the range of a Wi-Fi network:
A. The subscriber’s mobile phone is active and authenticated via a secure EAP method at the same location as the user and his/her other Wi-Fi devices. In this case Aptilo SMP will allow the automatic MAC-based authentication at the same location for all other devices belonging to the same subscriber and registered and tied to the mobile phone.
B. If the subscriber’s mobile phone is unable to be authenticated (could be switched off or Wi-Fi turned off) then Aptilo SMP will not allow MAC-based authentication for the other devices. The devices may be reverted to a manual login at a portal. If security policy allows, the first device authenticated can then serve as the “security key” allowing access through MAC-based authentication for all other devices belonging to the user.
C. The subscriber’s mobile phone is active and authenticated via a secure EAP method, but at a different location. This could be the case when an imposter has spoofed the MAC address. In this case Aptilo SMP will not allow MAC-based authentication for the other devices. The devices may be reverted to a manual login at a portal.
With Aptilo’s location-based multi-device login, service providers will be able to use the less-secure but very useful MAC authentication because imposters must be present at the same location as the legitimate user in order to succeed. This reduces threats to an acceptable level for many service providers.
Once the mobile device used as a “security key” is authenticated via an EAP method, any number of MAC authentication devices can be automatically authenticated. The user experience will be totally seamless with automatic authentication of all devices.
This feature can be used in combination with the ‘trusted’ 3GPP Wi-Fi access feature mentioned above for non-SIM devices in order to provide an automatic login for the user while using GTP tunnelling. Below we will describe in more detail how this concept works.
Tying a subscriber’s new Wi-Fi device to his/her mobile phone
At the very first login with a new “MAC authentication device,” the device needs to be registered to and tied by Aptilo SMP to the subscriber and his/her more-secure EAP-enabled mobile phone. This is done through a manual login with a one-time password delivered via SMS.
The subscriber attaches to the Wi-Fi network with a new Wi-Fi device. Aptilo SMP triggers the Access Gateway (i.e. Aptilo Access Controller™ or third-party gateway) to redirect the user to a captive portal.
The user enters his mobile phone number at the portal.
Aptilo SMP now has the mobile phone number and sends a one-time password (OTP) to the user via SMS.
The user logs in securely at the portal using the one-time password.
The new device has now been securely verified as belonging to the same subscriber as the mobile phone. It is registered as a sub-device to the mobile phone – serving as the main device – in Aptilo SMP’s hierarchical account structure.
The subscriber is granted access to the Wi-Fi network with his/her new device which now is tied logically in Aptilo SMP to the mobile phone of the same subscriber.
Multi-device login with mobile phone as location-based “security key”
For all consecutive logins with the “MAC authentication devices,” i.e. the devices tied as sub-devices to the mobile phone, Aptilo SMP will check whether the EAP-enabled mobile phone – serving as location-based “security key” – has been successfully authenticated at the same location. “Same location” can be defined by the service provider as a group of Wi-Fi access points down to a single access point. If, and only if, the mobile phone is authenticated at the same location will the Aptilo SMP allow access through the automatic MAC authentication for all devices tied to the mobile phone.
For each “MAC authentication device” the following login process will be performed:
The device attaches to the Wi-Fi network and sends a DHCP message to the DHCP Server to request an IP-address.
The DHCP Server – which can be a function in the Access Gateway as in the case of Aptilo AC – sends a RADIUS access request to Aptilo SMP with the device’s MAC-address as username.
Aptilo SMP checks whether the MAC address has been registered. If so, Aptilo SMP will find the main device – the mobile phone – that is tied to the device and check if it is active and authenticated through EAP at the same location.
Since all devices arrive at the location at the same time with the user, Aptilo SMP must give the mobile phone time to authenticate. Thus steps 1-3 are repeated for a configurable time e.g. 1 minute. If Aptilo SMP detects that the mobile phone is active and authenticated with an EAP method at the same location, the MAC authentication device is admitted to the Internet step 4-6a. If not, the repeated process 1-3 will time out and Aptilo SMP will redirect the device to a portal for manual login as a “backup alternative” step 4-6b.
If the mobile phone is active and has been authenticated at the same location the Aptilo SMP will send a RADIUS accept to the DHCP Server and optionally an IP address to allocate to the device. If not, the device should be redirected to the portal, so Aptilo SMP will add a redirect profile to the RADIUS accept message.
The DHCP Server sends the IP address allocation to the device.
If the mobile phone is active and authenticated at the same location as the device, the device is allowed access to the network automatically without any user interaction.
If the mobile phone is not active and authenticated at the same location as the device, the access gateway will redirect the user to the portal according to the redirect profile. The user will have to manually login in this case.
If the EAP-enabled mobile device is not available and security policy allows, it is possible to use the first device in the hierarchical account structure that is logged in, manually via a portal, as the location-based “security key” allowing all other devices that are tied to the same user access through MAC authentication.