During the initialization, only EAP over LAN (EAPOL) 802.1x traffic is allowed between the client and the Wi-Fi access point. All other traffic like DHCP or HTTP is blocked.
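The gating rule described above can be modelled as follows. This is an added example, not Aptilo's code: it assumes Ethernet II framing as seen on the wired side of an access point, and `PortGate`, `eth`, `decisions` and the sample frames are hypothetical names and constructed data.

```python
import struct

ETH_P_EAPOL = 0x888E   # EtherType for EAP over LAN (IEEE 802.1X)
ETH_P_8021Q = 0x8100   # VLAN tag; the real EtherType follows the 4-byte tag
ETH_P_IPV4 = 0x0800    # carries DHCP, HTTP and other IP traffic

def ethertype(frame: bytes) -> int:
    """Return the EtherType of an Ethernet II frame, skipping one 802.1Q tag."""
    (etype,) = struct.unpack_from("!H", frame, 12)   # struct.error if truncated
    if etype == ETH_P_8021Q:
        (etype,) = struct.unpack_from("!H", frame, 16)
    return etype

class PortGate:
    """Per-client port state as held by the access point (the authenticator)."""
    def __init__(self, authorized: bool = False):
        self.authorized = authorized   # set True once EAP success is relayed

    def admit(self, frame: bytes) -> bool:
        try:
            etype = ethertype(frame)
        except struct.error:
            return False               # malformed frames never pass
        if etype == ETH_P_EAPOL:
            return True                # authentication traffic always passes
        return self.authorized         # everything else waits for authorization

def eth(etype: int, payload: bytes, vlan=None) -> bytes:
    """Build a constructed test frame (fixed example MAC addresses)."""
    hdr = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", etype) + payload

# Constructed samples: EAPOL-Start (version 2, type 1, length 0) and an IPv4 stub
SAMPLES = {
    "eapol_start": eth(ETH_P_EAPOL, bytes([2, 1, 0, 0])),
    "eapol_vlan": eth(ETH_P_EAPOL, bytes([2, 1, 0, 0]), vlan=10),
    "ipv4_dhcp_or_http": eth(ETH_P_IPV4, b"\x45" + bytes(19)),
    "runt": b"\x00" * 6,
}

def decisions(authorized: bool) -> dict:
    gate = PortGate(authorized)
    return {name: gate.admit(frame) for name, frame in SAMPLES.items()}

if __name__ == "__main__":
    print(decisions(False), decisions(True), sep="\n")
```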
SIM Authentication, also known as EAP-SIM/AKA, is all about a seamless and secure user experience. Users are automatically connected to an encrypted 802.1x Wi-Fi network.
SIM AUTHENTICATION FOR WI-FI AS SECURE AS MOBILE
One of the key benefits of using the SIM for authentication (EAP-SIM/AKA) is that both the authentication process and the data must be encrypted in the Wi-Fi network. Hence, the Wi-Fi network becomes as secure as the mobile network. Learn more technical details below.
SEAMLESS SIM AUTHENTICATION FOR MOBILE
Key to a successful mobile data offloading strategy is ease of use with a seamless and secure user experience. SIM-based authentication is a powerful tool for achieving these goals. This is the method whereby mobile/cellular devices that have a SIM card use the same SIM card to authenticate the device for the Wi-Fi service. Users will just securely fly on to the Wi-Fi network.
EAP-SIM/AKA OPTIMIZED FOR WI-FI OFFLOAD
The Aptilo SMP SIM Authentication™ performs EAP-SIM/AKA authentication optimized with the standard 3GPP AAA functionalities needed for an offloading scenario, enabling SIM-based authentication for any Wi-Fi network. Furthermore, the Aptilo mobile offloading solution supports a wide variety of alternative authentication methods for devices without SIM cards or without support for the EAP-SIM/AKA method.
EAP-SIM AND EAP-AKA FOR MOBILE DEVICES
Based on the award-winning Aptilo Service Management Platform™ (SMP), the Aptilo SMP SIM Authentication™ utilizes the same mechanism that is used in the mobile core to obtain a seamless and secure user experience when authenticating the user to the Wi-Fi network. If you need more functionality than just automatic authentication through the SIM, such as captive portal functionality and Wi-Fi policy management, then please consider the Aptilo SMP 3GPP AAA+™ or benefit from the full functionality for a next-generation Wi-Fi hotspot with Aptilo SMP.
USING EXISTING MOBILE INFRASTRUCTURE
A mobile service provider can leverage the existing infrastructure for HLR/HSS by adding a dedicated EAP-SIM/AKA authentication function.
The Aptilo SMP SIM Authentication™ provides a means for authentication with the subscriber credentials in the SIM card. It provides EAP-SIM/AKA (SIM/USIM-based) authentication for Wi-Fi users based on the information retrieved from the existing HSS over the Diameter Wx interface (supporting 3GPP Release 7 and onwards). It can do the same with information from the HLR over the SS7/MAP D’/Gr’ interface (supporting 3GPP Release 6 and onwards).
It can also interact with existing core network systems such as PCRF and DPI, and with OSS/BSS systems such as CRM, to build advanced policies for the session. One example is to first authenticate the user seamlessly, then engage them with a portal experience or send an SMS/e-mail, if policies for the current location and user type so dictate.
By using our vendor-agnostic solution, you can use the existing mobile infrastructure independent of HLR/HSS vendor and regardless of system generation.
SCALABILITY AND AVAILABILITY
When automatically and actively offloading 3G/4G users, mobile operators need to handle Wi-Fi as a service that is as critical as mobile broadband.
This calls for an exceptionally scalable architecture with high availability. Our solution caters to this as it is built on Aptilo’s new ALE architecture which takes the scalability and availability issue out of the equation with linear scalability and high availability including geographic redundancy.
It supports SNMP-based network management, which means that service providers can integrate this node into the overall NOC operations.
FLEXIBLE CONNECTIVITY TO HSS/HLR IN THE MOBILE CORE
The Aptilo SMP SIM Authentication can connect to existing SS7 networks with ease and can be delivered with an optional SS7 PCI-Express board. Additionally, to facilitate connection with next-generation IP networks, it can handle SS7 over IP using the built-in support for SIGTRAN. The physical link for the IP-based SIGTRAN protocol and Diameter Wx is the native high-capacity IP network adapter in the server hardware. A multitude of SS7 and SIGTRAN protocols are supported to facilitate a smooth integration with the mobile core. Different national variants (ANSI, ITU, Chinese and Japanese) as well as hybrid variants are also supported. Authentication for both USIM- and SIM-based devices simultaneously provides a seamless migration path from older to newer devices.
With a dedicated and purpose-built function for SIM-based authentication, a service provider is presented with the most flexibility in terms of network topology. In a multi-HLR and -HSS environment we provide a central aggregation point for all Wi-Fi-based SIM authentication requests that is able to perform authentications to multiple HLR and HSS nodes from different vendors. Thanks to the central aggregation point, it is also able to connect with multiple different Wi-Fi systems that perform RADIUS signaling for the individual Wi-Fi networks.
It is also possible to deploy co-located with each HLR/HSS and configure a connection to the Wi-Fi AAA from each of the authentication nodes.
HOW DOES EAP-SIM/AKA WORK?
The EAP-SIM/AKA method requires that the Wi-Fi network has support for 802.1x, which encrypts the content of the communication – an important benefit as it gives a security level equivalent to the security in cellular networks. The authentication – using the user credentials on the SIM card and the Extensible Authentication Protocol (EAP) – is made in three automatic steps that occur without any user interaction: