Authentication and Access

Aptilo Access Controller

The Aptilo Access Controller™ (AC) forms part of a state-of-the-art solution from Aptilo Networks that facilitates the creation of carrier-class Wi-Fi services. The Aptilo AC, together with the Aptilo Service Management Platform™ (SMP) forms a comprehensive, seamless solution that creates unique capabilities for administration and control of services in wireless networks. It admits users to the Internet and controls their experience via granular policy enforcement.

Works in concert with Aptilo SMP

The Aptilo Access Controller™ (AC) gateway is purpose-built for access control, usage monitoring and policy enforcement in Wi-Fi networks enabled by the Aptilo Service Management Platform™. The Aptilo AC dynamically handles user sessions, QoS and routing from the local network to the Internet and features true client plug-and-play functionality.

  • Access Control
  • Monitoring
  • Wi-Fi Policy control

An access controller for every need

The same Aptilo AC software can be installed on two different certified standard hardware options:

  • A industry standard server (Std AC) handling 2,000 concurrent users
  • A eight server cluster (Macro AC)  – one load balancer, one backup node and six traffic taking nodes – with a totalcapacity of 12,000 concurrent users.

It is recommended to deploy the Aptilo AC either as redundant pairs with one backup node or in a redundant cluster with one backup node serving several traffic nodes.

Depending on the business model and integration level, the Aptilo Access Controller can either be locally, regionally or centrally placed in the network, catering to several separate sites.

The Aptilo Service Management Platform (SMP) is optimized for working hand-in-hand with the Aptilo Access Controller delivering true unique capabilities. Aptilo SMP also has specific adaptations for all leading access point controllers and high-performance gateways from our partners. The Aptilo AC can also be deployed behind existing third party access gateways to enable functionality that cannot otherwise be obtained.

Flexible deployment models

The Aptilo Access Controller software runs on standard hardware scaling from 2,000 to 12,000 concurrent users with real-life complex authentication and charging use cases. It can be either locally or centrally deployed in the network and connects to the Aptilo SMP via Internet or private LAN through secure VPN connections.

With a capacity of up to 12,000 concurrent sessions per Aptilo AC, we can provide a end-to-end solution for large scale carrier Wi-Fi networks, especially with a distributed deployment model. For networks with a central deployment model requiring hundreds of thousands concurrent users on a single gateway, we recommend a high-capacity access gateway from one of our partners for instance Cisco, Ericsson or Nokia.

Aptilo Access Controller

Access Control and Policy enforcement

The Aptilo Access Controller is purpose-built for access control, usage monitoring and policy enforcement in Wi-Fi networks. It can look up policies from AAA and PCRF nodes via RADIUS pull. It runs on standard hardware and features true client plug-and-play functionality. The Aptilo AC dynamically handles user sessions, QoS and routing from the local network to the Internet. Together with the Service Profiles, defined in the Aptilo Service Management Platform (SMP), the Aptilo AC constitutes a powerful tool for handling differentiated services with prioritization of traffic on user-level. .

Aptilo access controller service profilesIn the sample Service Profile “Premium”, the main service is capped to 8 Mbit/s of total bandwidth allowance for the “premium” user. Listed below the main service are services that can be capped or defined as unlimited, these are prioritized within the main service. Optionally an additional service can be defined outside the main service and prioritized on the same level. This ensures that there is additional capacity left for e.g. real-time critical applications even if the bandwidth of the main service is consumed.

The automatic bandwidth balancer feature of the Aptilo AC distributes available bandwidth between all active sessions according to the priorities set in the service profiles. A service can be automatically throttled down to a certain capacity if the prepaid quota has been depleted to a specified level.

Multiple firewall rules can be defined and tied to a certain service profile. This allows a flexible control of the traffic based on the service profile e.g. to allow traffic on port 80 and 443 but deny everything else.

It is possible to specify in the service profile that the traffic must go through a specific WAN interface or VLAN. This feature is very useful for e.g. separating the private and public traffic in Smart City networks and to route to different Internet gateways in for instance a wholesale operation.

Other key features

End-user Ease of use

Mobile client devices do not require other than a standard browser or supported client software to connect. The Aptilo Access Controller automatically redirects user to the captive portal providing necessary information to connect. The Aptilo Access Controller supports true Plug n’ Play and zero configuration i.e. it handles client devices with fixed IP-addresses or configured with common proxies, in addition to DHCP support for automatic network configuration. The Aptilo Access Controller does not require a public IP-address but can be placed behind firewall and/or NAT device. There is also an option to use a session window to provide an easy overview to the end-user of the service usage, logout and account top-up.

Security

Secure environment for authentication and payment processing. SSL encrypted communication between the clients and the Aptilo system. Secure VPN tunnel to communicate between the Aptilo Access Controller and the Aptilo Service Management Platform. Firewall to protect from non-authorized usage. White listing (“Walled Garden”) and black listing of configurable sites. Support for

IP-address spoofing protection through session window monitoring.

Flexibility

For hotspot service usage the Aptilo Access Controller can be installed distributed at the site or centralized higher up in the network to serve multiple sites. Dynamic captive portal pages enables separate look & feel and payment/pricing configuration for each separate location or through separate virtual LAN’s.

Ease of management

Support for remote software upgrade and updates. Aptilo AC also supports SNMP network management for single or multiple SNMP trap destinations. Access Points (AP) can be created in Aptilo SMP using the Aptilo AC MIB with the snmpwalk and snmpset commands. The Aptilo AC has SNMP integration towards access points for collection of usage statistics. The AC periodically fetches statistics from the access points, for example number of connected users per access point. This feature enables traffic pattern analysis down to AP level in the Wireless Network.

Traffic control

The Aptilo Access Controller blocks users from access to the external network until successful authentication and authorization are attained. It also supports distribution of client IP-addresses (DHCP). It offers custom DNS support to resolve user-defined host names to user-defined IP-address.

Authorization, authentication and accounting support

The authentication process enables client terminals to be authenticated without the installation of any special software other than a standard browser with Secure Sockets Layer (SSL) support. The Aptilo solution supports the following types of authentication:

  • RADIUS Server located in the Aptilo Service Management Platform
  • Remote RADIUS server interaction via RADIUS proxy
  • Roaming support through RADIUS proxy
  • Online Credit Card payments
  • Mobile Phone account charging
  • SMS-OTP (One-Time-Passwords)
  • Vouchers and Scratch Card
  • E-Vouchers
  • 802.1x ( MD-5, EAP-TLS, EAP-SIM, etc.)
  • Automatic MAC/Cookie-address login
  • Software based clients for automatic end-user access from various vendors and service providers (e.g. WISPr compatible clients, iPass, Boingo and Vodafone)
  • PMS (Property Management System) interaction for hotel room billing