Tuesday, May 27, 2025

Radiator, Entitlement Servers and eSIM provisioning


What is eSIM and which devices support eSIMs?

An eSIM is a standardised, remotely programmable digital circuit in a mobile device. Electronics with built-in eSIMs include phones and tablets, companion devices such as smart watches and other wearables, and also enterprise devices such as cellular-connected PCs, automotive systems and various IoT devices.

What are Entitlement Servers?

The Entitlement Servers, also known as Entitlement Configuration Servers (ECS), are used to communicate the availability of services such as eSIMs, VoWiFi and Voice-over-Cellular to the client devices. Most importantly, Entitlement Servers provide the applicable entitlement configurations enabling the services on the mobile devices.

How does eSIM provisioning work?

The process of activating an eSIM is called On-device Service Activation (ODSA) and it is specified by GSMA. To initiate eSIM provisioning, the eSIM-capable device requests the eSIM entitlement configuration from the mobile operator’s Entitlement Server, which in turn starts an EAP-AKA dialog with the 3GPP AAA server to authenticate the subscriber. The process may also include a subscription transfer when switching to a new device, or a device check to prevent eSIM activation on stolen or fraudulent devices. When all the steps are successful, the Entitlement Server sends the entitlement configuration to the mobile device.

How does Radiator fit in?

Radiator SIM Pack is a flexible 3GPP AAA solution that provides multiple interfaces for the EAP-AKA authentication. With the Entitlement Server, Radiator can use EAP over RADIUS, or EAP over Diameter, such as SWa, SWm, STa and Diameter-EAP applications. For connecting with the operator’s subscriber servers, Radiator supports Diameter SWx, Wx, Cx and S6a/S6d interfaces, SIGTRAN, REST API and other APIs.

This flexibility allows mobile operators to easily introduce eSIM support using their existing HSS or HLR, and also makes Radiator a great solution for MVNOs who rely on the authentication interfaces provided by the parent MNO.

How the authentication works

The above figure shows the eSIM provisioning flow (ODSA) and the various interfaces supported by Radiator for the EAP-AKA authentication part. If you require yet another method, please contact the Radiator team: we can often make it happen.

Radiator offering

Radiator Software provides on-prem software licenses for the Radiator SIM Pack 3GPP AAA solution, and expert services to assist with the customer specific configuration and integration with the other network elements. To learn more about Radiator SIM Pack and to discuss your use case, please contact the Radiator team.

Wednesday, April 30, 2025

Understanding fixed-line network architecture

As broadband connectivity continues to serve as a backbone of modern digital infrastructure, the mechanisms that enable secure and efficient access are more important than ever. Whether delivered over copper lines (xDSL), high-speed fiber networks (FTTH) or a mixture of both, fixed-line internet services rely on a well-orchestrated authentication and provisioning system to ensure that subscribers are correctly identified, authorized, and serviced.

In this post, we’ll break down the high-level architecture of fixed-line networks and identify the key software components and their responsibilities.

Fixed-Line Authentication: A High-Level View

Both Asymmetric Digital Subscriber Line (xDSL) and optical fibre networks share a similar back-end architecture when it comes to authentication and user management. While the access technologies differ — xDSL using DSLAMs and FTTH using Optical Line Terminals (OLTs) — the authentication flow typically follows these core stages:

1. User Initiation via CPE

When a user powers on their home router or modem, known as the Customer Premises Equipment (CPE), it initiates a connection to the broadband provider’s access network. The CPE is typically configured to use PPP over Ethernet (PPPoE) or IPoE (IP over Ethernet) with DHCP for session establishment.

2. Access Aggregation

From the CPE, traffic is routed through aggregation devices: digital subscriber line access multiplexers (DSLAMs) in xDSL networks and optical line terminals (OLTs) in optical fibre networks.

These devices forward traffic to Broadband Network Gateways (BNGs), also known as Broadband Remote Access Servers (BRAS). The BNG is the first IP-level point of access for the user, and is responsible for IP address assignment either with a built-in or external DHCP server.

3. Authentication via AAA server

Once the session request reaches the BNG, the BNG authenticates the user against the AAA server using the RADIUS protocol.

The BNG sends credentials (typically a circuit ID or other unique identifier, which is sent automatically from the CPE) to a RADIUS server, which validates the connection and authorises it by setting line parameters from the central subscriber database.

4. Provisioning and IP Assignment

Here is where user provisioning comes into play. User provisioning is typically done by the Subscriber Management System (SMS) or more broadly, the OSS/BSS (Operations Support System / Business Support System). This is the software layer responsible for:

  • User creation and activation
  • Service profile assignment (e.g., bandwidth, VLAN tags)
  • Authentication credential management (integration with subscriber database)
  • Customer lifecycle management (e.g., suspension, upgrades, disconnection)

The OSS/BSS typically interfaces with the subscriber database, where the provisioned user information is stored for authentication and authorisation. Modern systems may use automation platforms like Ansible, NetConf, or TR-069 for zero-touch provisioning of CPE devices, especially in FTTH environments.
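The authentication and authorisation step described above, sketched as an added example (not Radiator code or configuration): a RADIUS server receives an Access-Request carrying a circuit ID, looks it up in the subscriber database and returns a signed Access-Accept with line parameters, or an Access-Reject. Assumptions: the circuit ID arrives as the RFC 4679 Agent-Circuit-Id attribute, the service profile is returned in Filter-Id, and the subscriber records, circuit IDs and addresses are constructed.

```python
import hashlib, ipaddress, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
FRAMED_IP, FILTER_ID, VENDOR_SPECIFIC = 8, 11, 26   # RFC 2865 attribute types
ADSL_FORUM, AGENT_CIRCUIT_ID = 3561, 1              # RFC 4679 vendor id and sub-type

# Constructed subscriber database, standing in for what the OSS/BSS provisions.
SUBSCRIBERS = {
    b"olt1 eth 1/1/3:100": {"active": True, "ip": "198.51.100.10", "profile": b"ftth-100m"},
    b"dslam7 atm 0/2/5:8.35": {"active": False, "ip": "198.51.100.11", "profile": b"dsl-20m"},
}

def attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def parse_attrs(data):
    """Yield (type, value) pairs; reject attribute lengths that overrun the buffer."""
    i = 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        yield data[i], data[i + 2:i + data[i + 1]]
        i += data[i + 1]

def circuit_id(attrs):
    """Return the Agent-Circuit-Id carried in an ADSL-Forum Vendor-Specific attribute."""
    for attr_type, value in attrs:
        if attr_type == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", ADSL_FORUM):
            for sub_type, sub_value in parse_attrs(value[4:]):
                if sub_type == AGENT_CIRCUIT_ID:
                    return sub_value
    return None

def handle_request(packet, secret):
    """Authorise one Access-Request by circuit ID and return the signed reply."""
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("not a well-formed Access-Request")
    sub = SUBSCRIBERS.get(circuit_id(parse_attrs(packet[20:])))
    body = b""
    if sub and sub["active"]:  # line parameters come from the subscriber record
        body = attr(FRAMED_IP, ipaddress.IPv4Address(sub["ip"]).packed) + attr(FILTER_ID, sub["profile"])
    head = struct.pack("!BBH", ACCESS_ACCEPT if body else ACCESS_REJECT, packet[1], 20 + len(body))
    # Response Authenticator (RFC 2865): MD5(code, id, length, request authenticator, attributes, secret)
    return head + hashlib.md5(head + packet[4:20] + body + secret).digest() + body

def build_request(ident, cid):
    # Constructed BNG-side Access-Request that carries only the circuit ID.
    body = attr(VENDOR_SPECIFIC, struct.pack("!I", ADSL_FORUM) + attr(AGENT_CIRCUIT_ID, cid))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + os.urandom(16) + body
```

An unknown or suspended circuit ID yields an Access-Reject, and the BNG accepts a reply only if the Response Authenticator matches the value it computes with the shared secret. Requests on RADIUS/UDP should additionally carry a Message-Authenticator attribute (RFC 3579) that the server verifies before processing.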

Summary of Core Software Components

| Component | Role |
| --- | --- |
| CPE | Initiates session; endpoint for the user |
| BNG/BRAS | Handles session control and IP management with DHCP / RADIUS server |
| RADIUS server | Authenticates and authorizes user sessions against a subscriber database |
| DHCP server | Assigns IP addresses (can be built-in into BNG) |
| Subscriber management system (OSS/BSS) | Central provisioning engine for user services, integrates with subscriber database |

Looking to deploy a fixed-line network?

Radiator Software offers commercially supported ISP-grade RADIUS servers for all types of fixed-line networks. Whether a greenfield deployment or a migration from an existing AAA server setup, Radiator is the product for you. For more details, please e-mail us at sales@radiatorsoftware.com

Thursday, March 27, 2025

We are pleased to announce the release of Radiator Carrier Module version 1.9. Radiator Carrier Module is the Radiator Diameter server component and provides the basis for all our Diameter extensions. The new 1.9 release includes major fixes and improvements for the Radiator Diameter server.

New usability improvements

  • Fix Unix stream server to correctly set socket file number to avoid causing high CPU usage in GBA/BSF.
  • Fix and enhance decoding of 3GPP-User-Location-Info and decoding of 3GPP-MS-Timezone. 3GPP-User-Location-Info is no longer decoded in place. The decoded value is instead added as OSC-3GPP-User-Location-Info.
  • Fix a memory leak caused by timed out Diameter answers.

A full list of changes can be found in the revision history.

Who should update? 

Radiator Carrier Module 1.9 is recommended for all Radiator deployments with Diameter features enabled. The new release is available for all customers with active support contracts for Radiator Service Provider Pack, Radiator SIM Pack, Radiator Policy and Charging Pack and Radiator GBA/BSF Pack. You can find the Radiator Carrier downloads and repositories at the Radiator downloads page. 

Would you like to know more?

As always, you can contact the Radiator team at info(a)radiatorsoftware.com – we are happy to learn more about your use case and assist you!

Monday, March 3, 2025

Radiator 10 performance with EAP-TLSv1.3

With people’s ever-increasing online activity, communication service providers are faced with steadily growing performance requirements for their networks. And while computing power grows as well, not all software can utilise the resources and scale to meet these increasing performance requirements.

We’ve closely monitored the feedback from our existing and prospective customers, and designed and built a new policy engine, Radiator 10, from the ground up to handle the highest performance requirements, setting the bar for what the performance of a modern RADIUS server should look like.

We conducted a case study to showcase how our product excels in EAP-TLS authentication, demonstrating its ability to process an industry-leading number of authentication transactions per second. In this case study, we showcase how our solution not only enhances security but also delivers unparalleled authentication speed, ensuring smooth and secure access for thousands of users simultaneously.

Case study

The performance tests were conducted on standard-sized Google Compute Engine machines using a bash script to repeatedly execute the eapol_test tool for EAP-TLS authentication. The testing was done with two deployments, one for RADIUS/UDP and one for RadSec.

In the RADIUS/UDP deployment, the Client instances sent EAP-TLS authentication requests directly to an authenticating Radiator 10 instance. In the RadSec deployment, Client instances sent RADIUS EAP-TLS authentication requests to Radiator 10 proxy instances, which proxied the requests over RadSec to an authenticating Radiator 10 instance.

For more information about the test setups, please see the case study paper here.

Results

The tests concluded that on the test setup, Radiator 10 could process over 4200 RADIUS EAP-TLSv1.3 requests per second. With parallel RadSec connections from four proxy instances, Radiator processed over 9900 EAP-TLSv1.3 authentications per second. With an average EAP-TLS request requiring 8.4 total RADIUS packet exchanges, this means that Radiator 10 exchanged over 83 000 RADIUS packets per second over the 3 500 000 EAP-TLS authentication test set.

For more results and considerations, please see the case study paper here.

If you have questions about the performance testing, or want to discuss how Radiator 10 products, Radiator Policy Server and Radiator Core, could help you scale up your deployment, please do not hesitate to contact sales@radiatorsoftware.com

Thursday, February 27, 2025

Introducing Radiator 10 products: Radiator Core and Radiator Policy Server

For the last 25 years, Radiator AAA has been a cornerstone of network authentication for thousands of companies across all continents and industries. There are few things it cannot do when it comes to integration interfaces, backends, authentication methods and logging extensions. We’ve listened closely to feedback from existing and prospective customers, and to meet the demands and latest drivers in the market, after years of development, we are proud to announce a completely rewritten policy engine, Radiator 10. It was designed from the beginning with performance and security in mind by the same engineers who’ve worked with Radiator deployments for years. Developed with Rust, assuring asynchronous processing and concurrent queries with multi-threading, security and continuity, Radiator products continue to be the reliable cornerstone of your network’s security that helps you scale your business now and in the future.

Radiator Core

Radiator Core is our Radiator 10 product aimed at ISPs and other service provider customers. It features full RADIUS support, with proven performance for the largest deployments (see case study). Radiator Core features a dashboard for monitoring and a REST API for upstream and downstream integration, with high extendability for different logging solutions. At the start of March, the Radiator team will be present at MWC2025 with a demo of Radiator Core. If you want to book a demo meeting, please contact us using this form or via email sales(a)radiatorsoftware.com.

Radiator Policy Server

Radiator Policy Server is our next-generation product aimed at enterprise customers. It includes full RADIUS and TACACS+ functionality, with the latest functionality such as enterprise Wi-Fi authentication with TLS 1.3 support, RadSec and Entra ID authentication. The all-new user interface provides a dashboard for monitoring, an option for user and client management with the built-in database, as well as options for licence and certificate management. We are currently taking on pilot enterprise customers who want to leverage the performance and functionality of Radiator Policy Server, both for greenfield deployments and for migrations from existing AAA server setups. We are currently expanding the use case base of Radiator Policy Server based on our experiences with Radiator AAA. If you are interested in joining the pilot, please contact us by email at sales(a)radiatorsoftware.com.


What does this mean for existing customers?

Radiator 10 is the platform for our new product line, but at the same time Radiator AAA server products remain under active development. We also continue to offer multi-year support renewals for existing Radiator 4 based products, such as Radiator AAA Server Software, Radiator SIM Pack and others. For customers looking to take advantage of Radiator 10 products’ enhanced features, we are happy to discuss the options based on your needs, including cost-effective ways to utilize our Radiator 10 product line. For inquiries about new Radiator Policy Server or Radiator Core deployments, or renewal of your existing Radiator AAA deployment’s support contract, please contact sales(a)radiatorsoftware.com