Authentication and Access

Aptilo Access Controller

The Aptilo Access Controller™ (AC) forms part of a state-of-the-art solution from Aptilo Networks that facilitates the creation of carrier-class Wi-Fi services. The Aptilo AC, together with the Aptilo Service Management Platform™ (SMP) forms a comprehensive, seamless solution that creates unique capabilities for administration and control of services in wireless networks. It admits users to the Internet and controls their experience via granular policy enforcement.

Works in concert with Aptilo SMP

The Aptilo Access Controller™ (AC) gateway is purpose-built for access control, usage monitoring and policy enforcement in Wi-Fi networks enabled by the Aptilo Service Management Platform™. The Aptilo AC dynamically handles user sessions, QoS and routing from the local network to the Internet and features true client plug-and-play functionality.

  • Access Control
  • Monitoring
  • Wi-Fi Policy control

An access controller for every need

The same Aptilo AC software can be installed on two different certified standard hardware options:

  • A industry standard server (Std AC) handling 2,000 concurrent users
  • A eight server cluster (Macro AC)  – one load balancer, one backup node and six traffic taking nodes – with a totalcapacity of 12,000 concurrent users.

It is recommended to deploy the Aptilo AC either as redundant pairs with one backup node or in a redundant cluster with one backup node serving several traffic nodes.

Depending on the business model and integration level, the Aptilo Access Controller can either be locally, regionally or centrally placed in the network, catering to several separate sites.

The Aptilo Service Management Platform (SMP) is optimized for working hand-in-hand with the Aptilo Access Controller delivering true unique capabilities. Aptilo SMP also has specific adaptations for all leading access point controllers and high-performance gateways from our partners. The Aptilo AC can also be deployed behind existing third party access gateways to enable functionality that cannot otherwise be obtained.

Flexible deployment models

The Aptilo Access Controller software runs on standard hardware scaling from 2,000 to 12,000 concurrent users with real-life complex authentication and charging use cases. It can be either locally or centrally deployed in the network and connects to the Aptilo SMP via Internet or private LAN through secure VPN connections.

With a capacity of up to 12,000 concurrent sessions per Aptilo AC, we can provide a end-to-end solution for large scale carrier Wi-Fi networks, especially with a distributed deployment model. For networks with a central deployment model requiring hundreds of thousands concurrent users on a single gateway, we recommend a high-capacity access gateway from one of our partners for instance Cisco, Ericsson or Nokia.

Aptilo Access Controller architecture

Access Control and Policy enforcement

The Aptilo Access Controller is purpose-built for access control, usage monitoring and policy enforcement in Wi-Fi networks. It can look up policies from AAA and PCRF nodes via RADIUS pull. It runs on standard hardware and features true client plug-and-play functionality. The Aptilo AC dynamically handles user sessions, QoS and routing from the local network to the Internet. Together with the Service Profiles, defined in the Aptilo Service Management Platform (SMP), the Aptilo AC constitutes a powerful tool for handling differentiated services with prioritization of traffic on user-level.

Aptiloi AC enforces policies using Aptilo SMP Service ProfilesIn the sample Service Profile “Premium”, the main service is capped to 50 Mbit/s of total bandwidth allowance for the “premium” user. Listed below the main service are services that can be capped or defined as unlimited, these are prioritized within the main service. Optionally an additional service can be defined outside the main service and prioritized on the same level. This ensures that there is additional capacity left for e.g. real-time critical applications even if the bandwidth of the main service is consumed.

The automatic bandwidth balancer feature of the Aptilo AC distributes available bandwidth between all active sessions according to the priorities set in the service profiles. A service can be automatically throttled down to a certain capacity if the prepaid quota has been depleted to a specified level.

Multiple firewall rules can be defined and tied to a certain service profile. This allows a flexible control of the traffic based on the service profile e.g. to allow traffic on port 80 and 443 but deny everything else.

It is possible to specify in the service profile that the traffic must go through a specific WAN interface or VLAN. This feature is very useful for e.g. separating the private and public traffic in Smart City networks and to route to different Internet gateways in for instance a wholesale operation.

Other key features

Security

Secure environment for authentication and payment processing. SSL encrypted communication between the clients and the Aptilo system. Secure VPN tunnel to communicate between the Aptilo Access Controller and the Aptilo Service Management Platform. Firewall to protect from non-authorized usage. White listing (“Walled Garden”) and black listing of configurable sites.

IP-address spoofing protection through session window monitoring.

Ease of management

Support for remote software upgrade and updates. Aptilo AC also supports SNMP network management for single or multiple SNMP trap destinations. Access Points (AP) can be created in Aptilo SMP using the Aptilo AC MIB with the snmpwalk and snmpset commands. The Aptilo AC has SNMP integration towards access points for collection of usage statistics. The AC periodically fetches statistics from the access points, for example number of connected users per access point. This feature enables traffic pattern analysis down to AP level in the Wireless Network.

Traffic control

The Aptilo Access Controller blocks users from access to the external network until successful authentication and authorization are attained. It also supports distribution of client IP-addresses (DHCP). It offers custom DNS support to resolve user-defined host names to user-defined IP-address.