Different options for 3GPP Wi-Fi access
The 3GPP AAA server is located within the 3GPP HPLMN. For 3GPP Wi-Fi access, it provides authentication, authorization, policy enforcement and routing information to the packet gateways in the Wi-Fi core and mobile core.
It can perform EAP-SIM or EAP-AKA authentication using the credentials on the (U)SIM, giving automatic, credential-based authentication of Wi-Fi-enabled devices without any user interaction. EAP-AKA (and EAP-AKA') is the stronger of the two, since it uses the USIM for mutual authentication; EAP-SIM relies on GSM triplets and should be regarded as the legacy method.
Furthermore, the operator may want to monetize their Wi-Fi network by opening it for public use. We have created the Aptilo SMP 3GPP AAA+™ for this purpose, adding critical functionality on top of the 3GPP AAA. The additional features include captive portals, Wi-Fi AAA, Wi-Fi Policy & Charging and Wi-Fi subscriber management, so the mobile operator can add revenue by admitting paying ad-hoc users as well as supporting all types of devices for offload.
Below we will discuss the role of the Aptilo SMP 3GPP AAA+ in different Wi-Fi access scenarios including all the 3GPP specified options for 3GPP Wi-Fi access.
1. Access with 3G core and local WLAN break-out
This option is currently the most deployed solution among operators doing EAP-SIM/AKA authentication. It provides local traffic breakout for all clients at the Wi-Fi access gateway (such as the Aptilo Access Controller) and is based on standard RADIUS and EAP methods for authentication against the HLR. The Wi-Fi access point requires support for 802.1X authentication with EAP-SIM/AKA. No additional 3GPP interfaces are required. Because all user traffic breaks out locally, policy enforcement and charging for that traffic have to be done in the Wi-Fi core; the mobile core never sees it.
2. Access with 3G core (DPI)
All traffic from smartphones/tablets with EAP-SIM/AKA support is terminated at the Deep Packet Inspection (DPI) node in the 3G core network, while traffic from non-SIM devices is directed to the Internet locally. This option uses standard RADIUS and EAP methods for authentication against the HLR. The Wi-Fi access point requires support for 802.1X authentication with EAP-SIM/AKA. In this case the DPI is typically the same node the operator already uses to inspect and enforce policies for 3G data services. No additional 3GPP interfaces are required.
3. Access with 3G core and WAG (GTP)
This option is partly aligned with the 3GPP TS 23.234 specification through the introduction of the Wireless Access Gateway (WAG) node in the Wi-Fi core for access to the 3G core. The WAG, emulating an SGSN, establishes GTP tunnels for the traffic of EAP-capable clients; the tunnels are terminated in the GGSN. The 3GPP Wm interface is used for EAP client authentication against the HLR and for tunnel establishment. The Wi-Fi access point requires support for 802.1X authentication with EAP-SIM/AKA. A DPI can potentially also be placed after the GGSN.
4. Access with 3G core (I-WLAN)
This option is aligned with the 3GPP TS 23.234 specification for "untrusted" access to the 3G core. It requires an EAP client with IPsec support in the device. There is no impact on the Wi-Fi core or Wi-Fi RAN, so legacy Wi-Fi hotspot networks will work. The IPsec tunnels are terminated in the Tunnel Terminating Gateway (TTG), a new mobile core node introduced for this purpose. The TTG maps the IPsec tunnels into GTP tunnels terminated in the GGSN (a GGSN can typically not terminate IPsec).
The 3GPP Wa interface is used for EAP client authentication against the HLR, and the Wm interface is used for the tunnel mapping in the TTG.
This option will most likely be replaced by the “untrusted EPC” option in most practical implementations.
5. Trusted Wi-Fi access in EPC
This option is based on 3GPP specification TS 23.402 with the introduction of the Trusted Wireless Access Gateway (TWAG) node. The TWAG establishes a GTPv2, PMIPv6 or MIPv4 tunnel (the S2a interface) to the P-GW in the EPC core for all trusted traffic.
"Trusted" traffic will most likely mean an operator-controlled Wi-Fi environment based on a Hotspot 2.0 compatible Wi-Fi core with 802.1X and EAP authentication towards the HSS/HLR. The Wi-Fi access point requires support for 802.1X authentication and the EAP-SIM/AKA methods, and the device must support EAP-SIM/AKA as well. Note that 3GPP TS 33.402 requires USIM-based AKA credentials (EAP-AKA' for trusted access) for access to the EPC; a 2G SIM without a USIM is not permitted, so EAP-SIM users can be authenticated but should be kept on local breakout rather than tunneled into the EPC.
The STa interface is mainly used for EAP client authentication against the HSS and for S2a option selection (which tunnel type to use). The S6b interface between the 3GPP AAA and the P-GW is used for tunnel authentication, static QoS and mobility (if applicable), etc. The 3GPP specification also allows full or partial local breakout of Wi-Fi traffic at the TWAG in the Wi-Fi core.
6. Untrusted Wi-Fi access in EPC
This option is based on 3GPP specification TS 23.402 with the introduction of the evolved Packet Data Gateway (ePDG) node. It requires an EAP client with IPsec support in the device. There is no impact on the Wi-Fi core or Wi-Fi RAN, so legacy Wi-Fi hotspot networks will work. The IPsec tunnels are terminated in the ePDG, a new mobile core node introduced for this purpose. The ePDG maps the IPsec tunnels into GTP or PMIP tunnels terminated in the Packet Gateway (P-GW). Per TS 33.402 the tunnel is IKEv2 with EAP-AKA carried inside it, and the ePDG authenticates itself to the device with a certificate; the device must validate that certificate, since an attacker on the untrusted network could otherwise impersonate the ePDG.
"Untrusted" will most likely mean a network not controlled by the operator, or a partner network with legacy Wi-Fi hotspots that do not support 802.1X.
The 3GPP SWa interface is mainly used for EAP client authentication against the HSS. The SWm interface is used for additional authentication parameters, including subscription profiles, and for S2b option selection (which tunnel type to use). The S6b interface between the 3GPP AAA and the P-GW is used for tunnel authentication, static QoS and mobility (if applicable), etc.
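The two EPC options above both start with the 3GPP AAA receiving an EAP identity and ending with a routing decision: S2a via the TWAG for trusted access, S2b via the ePDG for untrusted access, or local breakout. The following is an added example, not code from this page or from Aptilo, that models that decision in Python. The root NAI format (prefix digit selecting EAP-SIM, EAP-AKA or EAP-AKA', followed by the IMSI and the `nai.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org` realm) follows 3GPP TS 23.003; the home PLMN (test network MCC 001 / MNC 01), the local-breakout APN policy, the `reject` path for EAP-SIM at the ePDG and the `decide`/`parse_nai` function names are this example's own assumptions.

```python
"""
Added example (not Aptilo's code): the decisions a 3GPP AAA makes when an EAP
identity arrives over STa (trusted access) or SWa/SWm (untrusted access via
the ePDG).  Only the NAI format (3GPP TS 23.003, root NAI) is normative here;
the home PLMN, the breakout policy and the mapping onto the access options
described above are assumptions of this example.
"""
import re
from dataclasses import dataclass

# Constructed home PLMN for this example (test-network MCC 001 / MNC 01).
HOME_MCC = "001"
HOME_MNC = "01"

# TS 23.003: the leading digit of the root-NAI username selects the EAP method.
EAP_PREFIX = {"0": "EAP-AKA", "1": "EAP-SIM", "6": "EAP-AKA'"}

# <prefix><IMSI>@nai.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org; the MNC is zero-padded
# to three digits in the realm, the IMSI is 15 digits (a few networks use 14).
NAI_RE = re.compile(
    r"^([016])(\d{14,15})@nai\.epc\.mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org$"
)


@dataclass
class AccessDecision:
    eap_method: str
    imsi: str
    path: str      # "S2a", "S2b", "local-breakout" or "reject"
    reason: str


def parse_nai(nai):
    """Return (eap_method, imsi) for a well-formed root NAI whose realm agrees
    with the PLMN encoded in the IMSI; raise ValueError otherwise.  The AAA
    must not route on the realm alone: the IMSI decides which HSS/HLR is asked."""
    m = NAI_RE.match(nai)
    if not m:
        raise ValueError("not a 3GPP root NAI")
    prefix, imsi, mnc_realm, mcc_realm = m.groups()
    if imsi[:3] != mcc_realm:
        raise ValueError("realm MCC does not match IMSI")
    # The IMSI's MNC is two or three digits; accept whichever matches the realm.
    if mnc_realm not in (imsi[3:6], "0" + imsi[3:5]):
        raise ValueError("realm MNC does not match IMSI")
    return EAP_PREFIX[prefix], imsi


def nai_is_valid(nai):
    """Boolean wrapper around parse_nai for callers that only need accept/reject."""
    try:
        parse_nai(nai)
        return True
    except ValueError:
        return False


def is_home_subscriber(imsi):
    return imsi.startswith(HOME_MCC + HOME_MNC)


def decide(nai, access_type, apn, local_breakout_apns=frozenset()):
    """Pick the user-plane path for one authenticated session.

    access_type: "trusted"   - 802.1X network, EAP carried to this AAA over STa
                 "untrusted" - EAP carried inside IKEv2 from the ePDG over SWm
    apn:         the PDN the device asked for
    local_breakout_apns: APNs the operator breaks out at the TWAG (TS 23.402
                 allows full or partial local breakout for trusted access).
    """
    eap_method, imsi = parse_nai(nai)
    if not is_home_subscriber(imsi):
        # A real AAA would proxy a roamer to its home AAA; not modelled here.
        raise ValueError("IMSI not in this HPLMN")
    if eap_method == "EAP-SIM":
        # TS 33.402: EPC access requires USIM-based AKA credentials.  A 2G SIM
        # still authenticates on a trusted network but stays on local breakout;
        # at the ePDG there is no breakout, so the session is rejected.
        if access_type == "untrusted":
            return AccessDecision(eap_method, imsi, "reject",
                                  "EAP-SIM is not permitted for EPC access")
        return AccessDecision(eap_method, imsi, "local-breakout",
                              "EAP-SIM is not permitted for EPC access")
    if access_type == "trusted":
        if apn in local_breakout_apns:
            return AccessDecision(eap_method, imsi, "local-breakout",
                                  "operator breakout policy at the TWAG")
        return AccessDecision(eap_method, imsi, "S2a",
                              "TWAG tunnel (GTPv2/PMIPv6) to the P-GW")
    if access_type == "untrusted":
        return AccessDecision(eap_method, imsi, "S2b",
                              "ePDG maps the IPsec tunnel to a GTP/PMIP tunnel")
    raise ValueError("unknown access type")


if __name__ == "__main__":
    # Constructed identities: EAP-AKA and EAP-SIM subscribers of the home PLMN.
    aka = "0001010123456789@nai.epc.mnc001.mcc001.3gppnetwork.org"
    sim = "1001010123456789@nai.epc.mnc001.mcc001.3gppnetwork.org"
    print(decide(aka, "trusted", "ims"))
    print(decide(aka, "trusted", "internet", {"internet"}))
    print(decide(aka, "untrusted", "internet"))
    print(decide(sim, "untrusted", "internet"))
```

The realm-versus-IMSI check is the part worth keeping in a production AAA: the realm is what a RADIUS or Diameter proxy routes on, but the IMSI is what the HSS/HLR is queried with, and the two must name the same PLMN before any authentication vectors are fetched.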