Aptilo SIM Authentication

Aptilo SIM Authentication

Wi-Fi as secure as the mobile network

One of the key benefits of using SIM authentication (EAP-SIM/AKA) is that both the authentication process as well as the data must be encrypted in the Wi-Fi network. Hence, the Wi-Fi network becomes as secure as the mobile network, learn more technical details below.

Seamless Wi-Fi authentication of mobile devices

Key to a successful mobile data offloading strategy is ease of use with a seamless and secure user experience. SIM-based authentication is a powerful tool for achieving these goals. This is the method whereby mobile/cellular devices that have a SIM card use the same SIM card to authenticate the device for the Wi-Fi service. Users will just securely fly on to the Wi-Fi network.

Aptilo SMP SIM Authentication Simplified

EAP-SIM/AKA authentication optimized for offloading

The Aptilo SMP SIM Authentication™ performs EAP-SIM/AKA authentication optimized with the standard 3GPP AAA functionalities needed for an offloading scenario, enabling SIM authentication for any Wi-Fi network. Furthermore, the Aptilo mobile offloading solution supports a wide variety of alternative authentication methods for devices without SIM cards or lack of support for the EAP-SIM/AKA method.

EAP-SIM and EAP-AKA authentication for mobile devices

Based on the award-winning Aptilo Service Management Platform™ (SMP), the Aptilo SMP SIM Authentication™ utilizes the same mechanism that is used in the mobile core to obtain a seamless and secure user experience when authenticating the user to the Wi-Fi network. If you need more functionality than just SIM-authentication such as captive portal functionality and Wi-Fi policy management, then please consider the Aptilo SMP 3GPP AAA+™ or benefit from the full functionality for a next-generation Wi-Fi hotspot with Aptilo SMP.

Aptilo SIM Authentication EAP-SIM and EAP-AKA

SIM authentication using existing mobile infrastructure

A mobile service provider can leverage the existing infrastructure for HLR/HSS by adding a dedicated EAP-SIM/AKA authentication function.

The Aptilo SMP SIM Authentication™ provides a means for authentication with the subscriber credentials in the SIM card. It provides EAP-SIM/AKA (SIM/USIM-based) authentication for Wi-Fi users based on the information retrieved from the existing HSS over the Diameter Wx interface (supporting 3GPP Release 7 and onwards). It can do the same with information from the HLR over the SS7/MAP D’/Gr’ interface (supporting 3GPP Release 6 and onwards).

Aptilo SMP SIM Aurthentication can also interact with existing core network systems such as PCRF and DPI and OSS/BSS systems such as CRM, to build advanced policies for the session. One example is to first authenticate the user with a seamless SIM authentication. Then engage them with a portal experience or send and SMS/e-mail, if policies for the current location and user type so dictates.

By using the vendor-agnostic Aptilo SMP SIM Authentication™, you can use the existing mobile infrastructure independent of HLR/HSS vendor and regardless of system generation.

Scalability and Availability

When automatically and actively offloading 3G/4G users, mobile operators need to handle Wi-Fi as a service that is as critical as mobile broadband.

This calls for an exceptionally scalable architecture with high availability. The Aptilo SMP SIM Authentication™ caters to this as it is built on Aptilo’s new ALE architecture which takes the scalability and availability issue out of the equation with linear scalability and high availability including geographic redundancy.

The Aptilo SMP SIM Authentication supports SNMP-based network management, which means that service providers can integrate this node into the overall NOC operations.

Flexible Connectivity to HSS/HLR in the Mobile Core

The Aptilo SMP SIM Authentication can connect to existing SS7 networks with ease and can be delivered with an optional SS7 PCI-Express board. Additionally, to facilitate connection with next-generation IP networks, it can handle SS7 over IP using the built-in support for SIGTRAN. The physical link for the IP-based SIGTRAN protocol and Diameter Wx is the native high-capacity IP network adapter in the server hardware. A multitude of SS7 and SIGTRAN protocols are supported to facilitate a smooth integration with the mobile core. Different national variants (ANSI, ITU, Chinese and Japanese) as well as hybrid variants are also supported. Authentication for both USIM- and SIM-based devices simultaneously provides a seamless migration path from older to newer devices.

Flexible Connectivity to HSS/HLR in the Mobile Core

With a dedicated SIM authentication function like the Aptilo SMP SIM Authentication a service provider is presented with the most flexibility in terms of network topology. In a multi-HLR and -HSS environment the Aptilo SMP SIM Authentication provides a central aggregation point for all Wi-Fi-based SIM authentication requests and is able to perform authentications to multiple HLR and HSS nodes from different vendors. Thanks to the central aggregation point, it is also able to connect with multiple different Wi-Fi systems that perform RADIUS signaling for the individual Wi-Fi networks.

It is also possible to deploy the Aptilo SMP SIM Authentication co-located with each HLR/HSS and configure a connection to the Wi-Fi AAA from each of the Aptilo SMP SIM Authentication nodes.

How does EAP-SIM/AKA work?

The EAP-SIM/AKA method requires that the Wi-Fi network has support for 802.1x which encrypts the content of the communication – an important benefit as it gives a security level equivalent to the security in 3G/4G networks. The authentication – using the user credentials on the SIM-card and the Extensible Authentication Protocol (EAP) – is made in three automatic steps that occur without any user interaction:

EAP-SIM AKA Process

  • During the initialization, only EAP over LAN (EAPOL) 802.1x traffic is allowed between the client and the Wi-Fi access point. All other traffic like DHCP or HTTP is blocked.

  • The user credentials from the SIM card are delivered by the client to the Wi-Fi access point which in turn encapsulates an EAP authentication request in RADIUS and sends it to the Aptilo SMP SIM Authentication. The Aptilo SMP SIM Authentication contacts the HSS/HLR through the SS7/MAP or Diameter D’/Gr’ interface and retrieves the GSM/LTE authentication vectors that are used to authenticate the user. Upon successful authentication, Aptilo SMP SIM Authentication sends the generated encryption keys, used for protection of the Wi-Fi radio network, to the access point (AP).

  • The client needs to generate exactly the same encryption keys and validate the authentication vectors correctly through the SIM card in order to be admitted to the network.