Authentication and Access

3GPP Wi-Fi Access

Operators need to set policies in order to control the service and charging for offloaded users (in addition to those in the 3G/LTE data network) and maintain a fair usage policy.

Overview of 3GPP options for Wi-Fi access

The 3GPP standard defines two types of access; trusted and untrusted non-3GPP access. Non-3GPP access includes access from for instance Wi-Fi, WiMAX, fixed and CDMA networks.

Trusted 3GPP Wi-Fi access

Trusted non-3GPP Wi-Fi access was first introduced with the LTE standard in 3GPP Release 8 (2008). Trusted access is often assumed to be an operator-built Wi-Fi access with encryption in the Wi-Fi radio access network (RAN) and a secure authentication method. However,  it is always up to the home operator to decide what is to be considered trusted. In practice the Wi-Fi access network must support the following features to be considered trusted:

  • 802.1x-based authentication which in turn also requires encryption of the RAN
  • 3GPP-based network access using EAP method for authentication
  • IPv4 and/or IPv6

Trusted 3GPP Wi-Fi Access

In a trusted access, the device (UE) is connected through a TWAG (Trusted Wireless Access Gateway) in the Wi-Fi core. The TWAG is in turn connected directly with the P-GW (Packet Gateway) in the Evolved Packet Core (EPC) through a secure tunnel (GTP, MIP or PMIP).

A similar concept is also used in non-EPC 3G networks where a WAG (Wireless Access Gateway) is connected with the GGSN through a secure GTP tunnel.

Parameters in the subscriber profile are needed in order to setup the GTP tunnel. This will normally in turn require knowledge about the user’s IMSI (unique SIM card identifier). Therefore trusted 3GPP Wi-Fi access is not possible for devices without SIM cards. However, Aptilo’s innovative 3GPP Wi-Fi Access unified solution make the impossible possible providing trusted 3GPP access for all kinds of devices.

Untrusted 3GPP Wi-Fi access

The untrusted model was first introduced in the Wi-Fi specification in 3GPP Release 6 (2005). At that time it was rare with Wi-Fi access points with advanced security features. Hence Wi-Fi was considered open and unsecured by default. Untrusted access includes any type of Wi-Fi access that the operator has no control over such as public hotspots, subscribers’ home Wi-Fi and Corporate Wi-Fi. It also includes Wi-Fi access that does not provide sufficient security mechanisms such as authentication and radio link encryption.

Untrusted 3GPP Wi-Fi Access

The untrusted model requires no changes to the Wi-Fi RAN (Radio Access Network) but has an impact on the device side which requires an IPSec client in the device. The device is connected directly to the ePDG (Evolved Packet Data Gateway) in the EPC through a secure IPSec tunnel. The ePDG is connected to the P-GW where each user session is transported through a secure tunnel (GTP or PMIP).

A similar concept is also used in non-EPC 3G networks where the device is connected to a TTG (Tunnel Termination Gateway) through a secure IPSec tunnel. The TTG is in turn connected to the GGSN via GTP.

Because the communication is secured end-to-end between the device and EPC, this option can be used with any Wi-Fi network.

The untrusted 3GPP Wi-Fi access model is used for Wi-Fi Calling. This means that smartphone voice (VoWiFi) calls will work over any Wi-Fi connection, even the subscriber’s own network at home. Learn more about Aptilo’s Wi-Fi Calling solution.

IP mobility with session continuity in 3GPP Wi-Fi access

Dual-radio device will require a client based solution on the end-user device to provide full IP mobility between the networks. IP mobility within the same radio network can be provided without a client. Many popular applications on the smartphones are today designed in a way that make them resilient for network changes such as change of IP-address. This allows for an seamless end-user experience even while moving between for instance the 3G or LTE network over to Wi-Fi.

Different options for 3GPP Wi-Fi access

The 3GPP AAA server is located within the 3GPP HPLMN. For 3GPP Wi-Fi access, it provides authentication, authorization, policy enforcement and routing information to the packet gateways in the Wi-Fi core and mobile core.
It can perform EAP-SIM/AKA authentication, via the SIM-card, for an automatic and secure authentication of Wi-Fi enabled devices.

Furthermore, the operator may want to monetize their Wi-Fi network by opening it for public use. We have created the Aptilo SMP 3GPP AAA+™ for this purpose with added critical functionality to the 3GPP AAA. The additional features include captive portalsWi-Fi AAA, Wi-Fi Policy & Charging and Wi-Fi subscriber management, the mobile operator can add additional revenue by allowing paying ad-hoc users as well as supporting all type of devices for offload.

Below we will discuss the role of the Aptilo SMP 3GPP AAA+ in different Wi-Fi access scenarios including all the 3GPP specified options for 3GPP Wi-Fi access.

1. Wi-Fi access with 3G core and local WLAN break-out

This option is currently the most deployed solution by operators doing EAP-SIM/AKA authentication. The option provides local traffic breakout for all clients at the Wi-Fi access gateway (such as the Aptilo Access Controller) and is based on standard RADIUS and EAP methods for authentication with HLR. The Wi-Fi access point requires support for 802.1x authentication with EAP-SIM/AKA. No additional 3GPP interfaces are required.

Wi-Fi access with 3G core and local WLAN break-out

2. Wi-Fi access with 3G core (DPI)

All traffic from smartphones/tablets with EAP-SIM/AKA support is terminated at the Deep Packet Inspection (DPI) node in the 3G core network while traffic from non-SIM devices are directed to the Internet locally. This option uses standard RADIUS and EAP methods for authentication with HLR. The Wi-Fi access point requires support for 802.1x authentication with EAP-SIM/AKA. In this case the DPI is typically used by the operator also to inspect and enforce policies for 3G data services. No additional 3GPP interfaces are required.

Wi-Fi access with 3G core (DPI)

3. Wi-Fi access with 3G core and WAG (GTP)

This option is partly aligned with 3GPP TS23.234 specifications with the introduction of the Wireless Access Gateway (WAG) node in the Wi-Fi core for access to the 3G core. The WAG, emulating an SGSN, establishes GTP tunnels for client traffic for EAP capable clients that are terminated in the GGSN. The 3GPP Wm interface is used for EAP client authentication with HLR and tunnel establishment. The Wi-Fi access point requires support for 802.1x authentication with EAP-SIM/AKA. A DPI can potentially also be used after the GGSN.

Wi-Fi access with 3G core and WAG (GTP)

4. Wi-Fi access with 3G core (I-WLAN)

This option is aligned with 3GPP TS23.234 specs for “untrusted” access with 3G core. This option requires an EAP client in the device with IPSec support. No impact on the Wi-Fi core or Wi-Fi RAN, legacy Wi-Fi hotspot networks will work. IPSec tunnels will be terminated in the Tunnel Terminating Gateway (TTG) node – a new mobile core node introduced for this purpose. The TTG maps the IPSec tunnels into GTP tunnels terminated in the GGSN (GGSN can typically not terminate IPSec).

The 3GPP Wa interface is used for EAP client authentication with HLR and the Wm interface is used for tunnel mapping in the TTG.

This option will most likely be replaced by the “untrusted EPC” option in most practical implementations.

Wi-Fi access with 3G core (I-WLAN)

5. Trusted Wi-Fi access in EPC

This option is based on 3GPP specification TS23.402 with the introduction of the Trusted Wireless Access Gateway (TWAG) node. The TWAG establishes GTPv2, PMIP or MIP tunnel (the S2a interface) to the P-GW in the EPC core for all trusted traffic.

“Trusted” traffic will most likely mean an operator controlled Wi-Fi environment based on a Hotspot 2.0 compatible Wi-Fi Core with 802.1x and EAP authentication support to the HSS/HLR. The Wi-Fi access point requires support for 802.1x authentication and EAP-SIM/AKA methods. This option also requires support for EAP-SIM/AKA in the device.

The STa interface is mainly used for EAP client authentication with HSS and S2a option selection (which tunnel type to use). The S6b interface between 3GPP AAA and P-GW is used for tunnel authentication, static QoS and mobility (if applicable), etc. The 3GPP specification allow also for full or partial local breakout of Wi-Fi traffic at the TWAG in the Wi-Fi core.

Trusted Wi-Fi access in EPC

6. Untrusted Wi-Fi access in EPC

This option is based on 3GPP spec TS23.402 with the introduction of the evolved Packet Data Gateway (ePDG) node. This option requires an EAP client in the device with IPSec support. No impact on the Wi-Fi core or Wi-Fi RAN, legacy Wi-Fi hotspot networks will work. IPSec tunnels will be terminated in the ePDG – a new mobile core node introduced for this purpose. The ePDG maps the IPSec tunnels into GTP or PMIP tunnels terminated in the Packet Gateway P-GW.

“Untrusted” will most likely mean a non-operator controlled network or partner network with a legacy Wi-Fi hotspot networks not supporting 802.1x.

The 3GPP SWa interface is mainly used for EAP client authentication with HSS. The SWm interface is used for additional authentication parameters including subscription profiles and S2b option selection (which tunnel type to use). The S6b interface is used between Wi-Fi AAA and P-GW for tunnel authentication, static QoS and mobility (if applicable), etc.

Untrusted Wi-Fi access in EPC

  • Aptilo CEO Paul Mikkelsen in YBLTV interview
    What's next in Carrier Wi-Fi?
    Aptilo's Paul Mikkelsen at CTIA 2015
  • Why wait for 5G webinar
    Webinar: Why wait for 5g?
    View On-Demand
  • Download more information
    Download More Information

What customers say about us

People from all over the world will flock to Brazil to celebrate the World Cup and 2016 Olympics. The ability to offload mobile data to Wi-Fi will ease network congestion significantly and increase data speeds, for an exceptional user experience.

Rafael Marques
Rafael MarquesMarketing Director at TIM Intelig