04_wifi hotspot service control design & case_2003

5/21/2018 04_WiFi Hotspot Service Control Design & Case_2003

1/40Copyright 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 1

WiFi Hotspot Service Control

Design & Case Study Overview

Simon Newstead

APAC Product Manager

[email protected]
mailto:[email protected]:[email protected]


2/40

2Co ri ht 2003 Juni er Networks Inc. CONFIDENTIAL www.uni er.net

Agenda

Overview of different access models

Identifying the user location

Secure access options

Case studies (as we go)


3/40


MPLS

Backbone

WiFi control - access modelsPPPoE

WiFi User with

PPPoE client

(WinXP or 3rdparty)

Access

Controller

BRAS

Layer 2

Backhaul

Transport

(Bridged1483,

Metro E)

RADIUS

LNS*

PPPoE

connect ion

AAAA

Terminate PPP session into VR/VRF or

tunnel on via L2TP

Fine grained QoS / bandwidth control

Dynamic Policy Enforcement (COPS)

Lawful Intercept etc

Policy

Server


4/40


PPPoE access model - discussion

Pros:

Full per user control with inbuilt PPP mechanisms (authentication,keepalives etc.)

Individual policy control per user simplified

Wholesale is simplified and possible at layer 2 and layer 3

Leverages the broadband BRAS model used in DSLvirtually nochanges

Cons:

Requires external client software (maybe even with XP)no autolaunch by default

Only works in a bridged access environment; often not possible

Layer 3 access network requires use of native LAC client (BRAS actsas LNS or tunnel switch)client support issues


5/40


PPPoE access modelCase StudyJapanese Provider

WiFi Users with

PPPoE client

[email protected]

Access

Controller

BRAS

ATM

Bridged

1483

RADIUS

Mapping of user to VR based on

RADIUS, domain mapping

Bridging

DSL

modem

Hotspot

AP

Bridging

DSL

modem

Backbone

WiFi VR

ISP VR

DSL Users withPPPoE client

[email protected]

WiFi

operator

network


6/40


MPLS

Backbone

WiFi control - access modelsDHCP modelWeb Login

WiFi User with

inbuilt DHCP client.

Access

Controller

BRAS

Layer 2 or

Layer 3

Backhaul

(any)

External

DHCP

Server*DHCP

DHCP Server or Relay*Initial policy route to Web logon server

Fine grained QoS / bandwidth control

Dynamic Policies (COPS)

Accounting

Lawful Intercept etc

Policy Server /

Web Login Server


7/40


DHCP Web Login model - discussion

Pros

No external client softwareinbuilt DHCPlower barriers

Any access networkeg L3 wholesale DSL, routed Ethernet etc

Web Login provides extra options to operator (branding,advertising, location based content)

Cons:

Wholesale options restrictedeg- address allocationNAT introduces complications (ALGsupport etc), no tunnelling with L2TP

Greater security / DoS implicationsattack DHCP server, Webserver

No autologon by default (manual web login process)

Need to introduce mechanisms to enable per user control inDHCP environment (mimic PPP)


8/40


DHCP / Web login Case Study

Telstra Mobile

Mobile centric service, launched in August 2003

Available in hotspot locations throughout Australia

Target of 600 hotspot locations in 2004 (Qantas, McDonalds,Hilton etc)

International roaming through the Wireless Broadband Alliance

Time based billing; hourly rate

Login via a password delivered by SMS to a Telstra mobile

(credit card payment option for non-Telstra post-paid mobilecustomers)

Lowered barriers to uptake

No special WLAN subscription neededcasual pay-per-user

Captive portal logon using DHCPno client software required


9/40


User opens up webbrowser and triesto go to Google

Session directed

to captiveportal on policyserver

Choice to entermobile phonenumber orusername andpassword

Mobile phonenumber entered

How it works - Step One


10/40


One-time passwordsent via SMS tousers mobilephone

Received passwordentered intoportal page

Step Two


11/40


Upon successfulauthentication,captive portal isreleasedand original web

destination isloaded.

Mini-logoutwindow tofacilitate signoff.

Usage billed tousers mobilephone bill once finished

Step Three


12/40


Allow greater flexibility of services eg-

Free access to Internet for 15 mins without login or

Internet access only, mail port blockedor

Internet access but only at 64kbpsor Walled garden content only

Bandwidth can be dynamically increased and restrictionsmoved on user authentication and login

Also helps protect against abusive or Worm users (eg-dynamically limit users down on sliding window basis;consumed more than x MB in past 15 mins)

Dynamic Policies


13/4013Co ri ht 2003 Juni er Networks Inc. CONFIDENTIAL www.uni er.net

Per user control in a DHCPenvironment

Objective - make an IP host on single aggregated interface appearlike its own IP interface

Treat hosts as separate logical (demultixed) IP interfacesaka Subscriber Interfaces

Individual policy control on subscriber interface (linked topolicy server)eg filters, bandwidth control

Ties into DHCP dynamically

VLAN

101

L3 Switch

User A:192.168.1.1

User B:192.168.1.2

Subscriber Interface AIP Demux 192.168.1.1

Rate Limit Internet to 512k

Subscriber Interface BIP Demux 192.168.1.2

Rate Limit Internet to 2MPrioritise VoIP to strict

priority queueAdd firewall policies

Access

Controller

BRAS



AccessController

BRAS

1. IP assignments through DHCP & subscriber interface come up Dynamic SI

DHCP relay point

Upstream RouterRouting

LayerAP

GE GE GEFE

2. HTTP redirected and show the portal web page

3. Input subscriber ID and password

Radius

Weblogin- PolicyServer

Switch Layer

4. Radius authentication

4. Download policies

Internet & service access

inbuiltDHCPserver

1. (Access the portal & click on logout button) or (DHCP lease expired)

WEB login sequence

WEB logout sequence

2. Radius accounting

2. (Reset policies) or (Delete subscriber interface) Dynamic SI

Generic Web Loginprocess



Location informationwhy??

Generates portal pages based on hotspot location

Enables targeted advertising. eg- promotions for the owner of thehotspot location, revenue sharing (charging models) etc

HotspotCafe

Hotspot

Train Station

Portal - Free access

to timetables, fares..

Portal - Freesports news..

AccessController

BRAS

Weblogin- PolicyServer



Location informationhow?

PPPoE model

Easylayer 2 circuit per hotspot to AC/BRAS

RADIUS will contain NAS Port ID etcmap back

centrally

DHCP model (rely on relay to provide)

Gateway address (GiAddr field)

Option 82 information, suboptions (ala RADIUSVSAs)

Or even layer 3 GRE tunnel back if access networkcant provide info required (also simplifies routing)



Side topicrouting back to WiFi userin DHCP environment

Use location based info to allocate users from addresspools; one pool per

Aggregate routes

Static, redistributed to IGP; simplified

Central pools ok but..

Require DHCP relay to store state - snoop addresscoming back from the server in DHCP offer / ACK

Also requires redistribution into IGP; scaling issueswith that



Secure access

Why?

Various access vulnerabilities in simple models

Session hijacking / spoofing, man in the middle

Two main approaches:

IPSEC tunneling model 802.1x/EAP



MPLS

Backbone

WiFi secured accessIPSEC option

WiFi User with

inbuilt IPSEC client

Eg- Win2k, WinXP

Access

Controller

BRAS

Any Backhaul

Transport

RADIUS

LNS*

L2TP/IPSEC

connect ion

(RFC3193)

Terminate IPSEC

BRAS control of PPP session

Policy

Server



IPSEC WiFi access

Pros No external client softwareinbuilt into Windows

PPP model gives full per user control(eg- terminate IPSEC and tunnel on L2TP)

Integrates well into a VPN environment; usersessions terminated to MPLS VPNs at AC/BRAS (PE)

Can use digital certificates to ensure identity (serverand maybe clients also)

Cons:

Client issuesoverhead, PDA support(eg- WinCE today only supports MSCHAPv2?)



IPSEC WiFi accessJapan Case Study

Integration of VPN access for mobile corporate users regardless of

access type

Outsource remote access management from corporates, and aggregate

users in a layer 3 VPNcommon point of subscriber management

Network diagram:

Access Controller

- BRAS (PE)

WiFi User with native

Windows Client

IPSEC / L2TP

(RFC 3193)

3G and 2G users

MPLS

Backbone

LAC

GGSN

Native

L2TP

Users mapped into

corpo rate VPNs

VRFs

PE

Corp HQ CE

GE VLAN



MPLSBackbone

WiFi secured access802.1/EAP option

WiFi User with

EAP/802.1x client

eg- WinXP, iPass,

Odyssey..

Access

Controller

BRAS

Any Backhaul

Transport

RADIUSEAPoL

802.1x

PolicyServer

EAP/RADIUS

EAP

AP

Note- DHCP happens after EAP authentication



Option - Authentication using802.1X and EAP on 802.11 - overview

RADIUS

Server

EAPOW-Start

EAP-Response/Identity

Radius-Access-Challenge

EAP-Response (credentials)

Access blocked

Association

Radius-Access-Accept

EAP-Request/Identity

EAP-Request

Radius-Access-Request

Radius-Access-Request

RADIUS

EAPOW

802.11802.11 Associate-Request

EAP-Success

Access allowedEAPOW-Key (WEP..)

802.11 Associate-Response

Source:

Microsoft



EAP/802.1x WiFi access

Pros

EAP/802.1x built into WinXP

Flexible authentication architecturemany different EAP optionseg- GSM SIM using EAP/SIM, EAP-MD5, LEAP, Smartcards etc

Can handle interAP roaming with 802.11f Adopted in the corporate market

Cons:

Doesnt address core network / VPN portion, just secures access

layer Today uses session keys vs temporal (WPA, coming in 802.11i)

Need smarts to keep per user control in the network without doublelogon



Maintaining subscriber control when using802.1x/EAP environment

RADIUS relay concept 802.1x access points have Radius client, EAP messages encapsulated in Radius messages

Host MAC addressin the calling-station-attribute

Radius relay (BRAS) uses @domain nameto forward Radius request to an external EAP capable Radiusproxy or server

BRAS relay stores Host MAC address (and maybe user)and awaits authorization data (VR to use, IPpool/address to use, filters, etc)

DHCP request, based on thehost MAC address,creates subscriber interface in proper context allocatesIP address, assign default policies. Policy server control with no Web login

Access point creates Radius authentication and accounting (stop)

RadiusRelay

DHCP

802.1x AP

Any Backhaul

Transport

Policy

Server

RADIUS

Server



Summary

Which access model?

PPPoE is nice, but often not practical

DHCPweb login models now can provide good peruser control, and location info etc

Where am I? Location information

Key for WiFi business modelseg- generate content based on location (virtualised)

Security

IPSEC is a good end-end mechanism, integration withVPNs

EAP is flexible and useful in access, but needs to tie inwith core network and per user control



Thank you!

Contact: [email protected]
mailto:[email protected]:[email protected]



802.11 variants

802.11a 5.4MHz, OFDM, 54 Mbps, 10+ channels

802.11b 2.4GHz, DSSS, 11 Mbps, 3 channels

802.11d Enhancements to meet country specific regulations

802.11e Quality of Service

802.11f Inter-Access Point Protocol, handover between close APs

802.11g 2.4GHz, OFDM, 54Mbps, 3 channels

802.11h Specifically for 5GHz; power control and frequency selection

802.11i Security framework, reference to 802.1x and EAP

See PowerPoint comments page below for more details



Wireless LAN Technologies

802.11b 802.11a HiperLAN2

2.4 GHz

Public5 GHz / Public / Private 5 GHz

Worldwide US/AP Europe

1-11 Mbps 20-54 Mbps (1-2 yrs)

100+ Mbps (future) 20-54 Mbps (1-2 yrs)

Freq.Band

Coverage

DataRate

802.11g

2.4 GHz

Public

Worldwide

1-54 Mbps



PWLAN and Security

WEP encryption (Wireless Equivalent Protocol) much criticized inenterprise

Also it uses static keys which is not valid for PWLAN as keyswould need to be published

802.1x and EAP delivers improved security for PWLAN

Introduces dynamic keys at start of session, and PWLANsessions are short lived (unlike enterprise)

802.11i

Uses 802.1x which uses EAP and allows dynamic keys

Firmware upgrade for TKIP then hardware upgrade for improvedAES encryption

Poses transition complexity for existing user base

WPA (Wi-Fi Protected Access) is an interim step to 802.11i

Uses 802.1x and EAP and TKIP but no AES


31/40


802.1x Overview

Make up for deficiencies in WEP which uses static keys

IEEE 802.1x-2001: Port-Based Network Access Control

Prior to authentication traffic is restricted to the authentication server

RFC 2284 (1998): PPP Extensible Authentication Protocol (EAP)

EAP encapsulated in Radius for transport to EAP enabled AAAserver

Many variations EAP/TLS and EAP-PEAP supported by Microsoft,MD5, OTP, LEAP (Cisco), and SIM (GSM Subscriber Identity

Module) IEEE 802.11i Framework Specification

Specifies use of 802.1x and EAP for authentication and encryptionkey

New encryption in access point


32/40


PWLAN and Mobile

3GPP standards org defined five scenarios for PWLAN integration with 3G

From common authentication to seamless handover of voice service

Specified 802.1x based authentication

Part of 3GPP Release 6, specified in TS 23.234

But, real deployments are occurring well in advance of 3GPP R6so:

GSM Association WLAN Task Force issued guidelines for pre Release 6

Wed based login initially transitioning to 3GPP release 6 spec

A SIM located in WLAN cards will use authentication based on EAP/SIM

Eg- Use of SIM dongle

EAP to SS7 gateways will allow mobile HLR / HSSs to authenticate the WLAN card


33/40


Authenticating against the GSM HLR

Existing database with all mobile subscriber information

Existing provisioning and customer care systems are used

EAP/SIM can offer GSM equivalent authentication andencryption

Gateway between RADIUS/IP and MAP/SS7 is required

Eg Funk Software Steel Belted Radius/SS7 Gateway

Ulticom Signalware SS7 software

Sun server E1/T1 interface card An overview of the product is in this attachment:

Major vendors Ericsson, Siemens, Nokia all have or aredeveloping their own offer


34/40


802.1x EAP/SIM authentication from HLRTransparent RADIUS relay

BRAS AC,

(RADIUS Relay)AuthenticatorRADIUS/SS-7

GW HLR

EAPoL

RADIUS

RADIUSGr Interface

DHCP Discover

Client

DHCP Request

DHCP Offer

DHCP Ack {address = End

User address from GGSN}

Client -

Authentication

Client

IP Address

Assignment

GW HLRMAPSS7


35/40


Tight integration proposed by 3GPP

GGSNAccess Controller,

RADIUS RelayAuthenticatorRADIUS/SS-7

GW HLR

EAPoLRADIUS

RADIUSGr Interface

Create PDP Context {IP, transparent mode APN,

IMSI/NSAPI, MSISDN, dynamic address requested}

Create PDP Context Response {End User Address}

DHCP Discover

Client

DHCP Request

DHCP Offer

DHCP Ack {address = End User

address from GGSN} Lease

expiration

Delete PDP Context Request

Client -

Authentication

Client

IP Address

Assignment

GGSN

HLR

GPRS Tunneling Protocol


36/40


Real time handover

Many access typesWLAN, 3G, GPRS

Mobile IP could provide reasonable real-time macro roamingbetween cellular and WLAN access types (also alternates such as802.16/WiMax)

Supported for dual mode CPE/handsets

Eg- Dual Mode NEC cellphone with WLAN as trialed in DoCoMo

PDAs with WLAN and CDMA 1x/EVDO or GPRS/WCDMA

Notebooks with cellular data or dual mode cards

Off the shelf client software available todayIPUnplugged, Birdstep

Challenges- VoIP, WLAN automated logon (eg- 802.1x could solvethis), applications/OS can handle address changes


37/40


Overview of Mobile IPv4 (RFC2002)

1. MN discovers Foreign Agent (FA)

2. MN obtains COA (FA - Care Of Address)

3. MN registers with FA which relays registration to HA

4. HA tunnels packets from CN to MN through FA

5. FA forwards packets from MN to CN or reverse tunnels through HA(RFC3024)

HAFA

1. and 2. 3.

MN

CN

5. 4.

Internet


38/40


Mobile IP Interworking with UMTS/GPRS

Recommends use of FA Care Of Addresses (CoA), not collocated, to conserve IPv4addresses

Source:

3GPP


39/40


Registration Process to GGSN FA

5. Activate PDP

Context Accept

(no PDP address)

4. Create PDP

Context Response

(no PDP address)

2. Activate PDP

Context Request

( APN=MIPv4FA )

IPv4 - Registration UMTS/GPRS + MIP , FA care-of address

TE MTHome

NetworkSGSN GGSN/FA

3. Create PDPContext Request

( APN=MIPv4FA )

6. Agent Advertisement

7. MIP Registration Request

9. MIP Registration Reply

10. MIP Registration Reply

1. AT Command (APN)

8. MIP Registration Request

A. Select suitable GGSN


40/40

Overview of Mobile IPv6Removes need for external FA in future 3GPP systems

1. MN obtains IP address using stateless or stateful autoconfiguration

2. MN registers with HA

3. HA tunnels packets from CN to MN

4. MN sends packets directly to CN or via tunnel to HA

Binding Update from MN to CN removes HA from path.

HA

1. 2.

MN

CN

4. 3.

Internet

04_wifi hotspot service control design & case_2003

Documents