Meet Radiator Software at Mobile World Congress 2025

As the telecom industry gears up for the biggest connectivity event of the year, we at Radiator Software are also preparing for Mobile World Congress 2025, taking place at Fira Gran Via in Barcelona from March 3–6, 2025.

At MWC25, we’ll be showcasing a new Radiator product release, designed to offer an unbeatable combination of flexibility, interoperability, and high performance for complex operator AAA deployments.

Meet our team of network authentication specialists to explore key AAA topics, including FTTH authentication, WiFi roaming, VoWiFi, IMSI Privacy, OpenRoaming, and more. Whether you’re an existing partner, a longtime customer, or new to Radiator, we’d love to connect at MWC25!

Schedule a meeting here: Google Form

How to update the new WBA Root CA chain for the Radiator OpenRoaming deployments?

WBA OpenRoaming certificates now issued or renewed using the new WBA Root Certificate Authority chain

At 00:00 UTC (beginning of the day) on 3rd of Febuary 2025 Wireless Broadband Alliance (WBA) switched to issuing OpenRoaming certificates using new WBA Root Certificate Authority (CA) chain. This means that all OpenRoaming certificates, which are renewed or issued on 3rd of February 2025 or later, use the new WBA Root CA chain. 

Although WBA planned and informed OpenRoaming Identity Providers (IdP) and Access Network Providers (ANP) about the planned change, there are OpenRoaming ANPs and IdPs, which have not updated their RADIUS/RadSec server configurations to accept both the old and new WBA root CA certificate chain for RadSec connections.

This means for example that IdP customers of the IdP using the new root chain issued certificate are not able to roam in the ANP networks, which do not accept IdP's new RadSec server certificate if it is issued by the new WBA Root CA chain. If an IdP does not accept the new WBA Root CA verified RadSec client certificates for connections originating from the ANP's Wi-Fi network, that IdP's customers are not able to roam into that ANP's Wi-Fi network.

If ANPs and IdPs do not update their inbound and outbound RADIUS/RadSec connections to accept both the old and new WBA Root CA chain certificates, when new OpenRoaming certificates are issued or old ones are renewed, gradually the roaming connections with those ANPs and IdPs deteriorate.

How to update Radiator OpenRoaming deployment to use the new WBA Root CA chain?

If you have deployed Radiator utilising the Radiator OpenRoaming Configuration Guide, updating your configuration to support the newer WBA Root CA chain certificate (or any other CA certificates) can be done by simply adding new certificates to CA directories in the configuration.

Radiator OpenRoaming Configuration Repository contains a template Radiator configuration tree to use to set up OpenRoaming deployment. These configuration files are intended to be installed to /etc/radiator directory with the sub-directories. 

Both the old and the new WBA Root CAs available from the Wireless Broadband Alliance PKI repository in text (PEM) and binary (DER) format under WBA Root CAs paragraph. The old WBA Root CA is aliased wba-root0 and the new WBA Root CA is aliased wba-root1. Both of these should be installed to the following directories:

• Directory for CA certificates used for verifying inbound OpenRoaming connections from other OpenRoaming ANPs to your server: /etc/radiator/certificates/radsec_inbound_openroaming/ca
• Directory for CA certificates used for verifying the OpenRoaming IdP server certificates for RadSec connections used to authenticate those IdPs users roaming in your network: /etc/radiator/certificates/etc/radiator/certificates/radsec_outbound_openroaming/ca

The retrieval and installation of the new WBA Root CA chain can be done with the following commands on most Linux distributions as a root user or using sudo.

First install the new WBA Root CA to the CA directory for verifying inbound OpenRoaming RadSec connections:

cd /etc/radiator/certificates/radsec_inbound_openroaming/ca
wget https://wballiance.com/wp-content/uploads/2024/05/wba-root1.pem
chown root:radiator wba-root1.pem
chmod 644 wba-root1.pem
openssl rehash -v .

And then install the new WBA Root CA to the CA directory for verifying the IdP servers responding to outbound OpenRoaming RadSec connections:

cd /etc/radiator/certificates/radsec_outbound_openroaming/ca
wget https://wballiance.com/wp-content/uploads/2024/05/wba-root1.pem
chown root:radiator wba-root1.pem
chmod 644 wba-root1.pem
openssl rehash -v .

After installing the certificates, it is recommended to restart the Radiator instances responsible of handling the connections with:

systemctl restart radiator@radsec_inbound_openroaming
systemctl restart radiator@radsec_outbound_openroaming

or all Radiator instances with:

systemctl restart radiator-instances

If you are deploying Radiator OpenRoaming Configuration from scratch, you should also download and install wba-root0.pem from the WBA PKI repository by following the above instructions but replacing the wget command, which retrieves the certificate with:

wget https://wballiance.com/wp-content/uploads/2024/05/wba-root1.pem

All other commands should be executed as described above for both directories.

As a result you now have a Radiator OpenRoaming configuration, which supports both the old and the new WBA Root CA chain. You can read more about Radiator OpenRoaming configuration from the Radiator OpenRoaming Configuration Guide. There are also new useful updates to the Radiator OpenRoaming configuration template files done in January 2025. 

How can I do this with other RADIUS servers?

How and where certificates are set up, depends on the RADIUS server vendor and the configuration, but you should look for ca_dir or CA directory support and instructions if you want to set up similar kind of setup.

Where can I get more help with Radiator OpenRoaming deployment?

Radiator Software provides expert services for Radiator OpenRoaming deployments. Please contact us via email: sales (at) radiatorsoftware.com .

Securing IoT networks with private APN

In today’s day and age, every machine around us is ‘smart’. Ranging from smart homes and wearables to more complex machines like cars, planes and industrial machinery, devices are connected with each other and with the internet to enhance user experience, control machines remotely and use other benefits of connectivity. This network of connected devices that communicate with each other and share information over the internet is often called Internet of Things, IoT for short.

Every one of these devices should be authenticated with secure methods when connecting to the internet, else a perpetrator can falsify data, steal information or gain access to networks through unsecure devices and networks. Companies can manage this and take control of their network by deploying a private access point name network, private APN for short.

What is private APN?

The Private APN service utilises operator’s SIM cards for radio network access, but separates the data traffic in operator’s P-GW (LTE core network packet gateway) by the access point name (e.g. internet.company instead of operator’s own access point name). These separate private access points may have their own parameters for authentication, accounting, IP networks, IP address allocation, connection parameters, traffic accounting, priorities, and other functionalities. Depending on the P-GW capabilities, it is possible to move some of these functionalities and information to a separate RADIUS service, which is provided either by the operator or company utilising the Private APN.

The choices of authentication method are between PAP and CHAP. As can be seen from the picture, the deployment does not need extensive infrastructure for the AAA, merely a basic Radiator AAA licence and a backend of choice (AD, SQL, REST etc.).

Enhance coverage of in-door devices with Radiator SIM Pack

The private APN functionality can also be enhanced with Radiator SIM Pack. If the IoT device also has Wi-Fi radio and functionality, it can also utilise Wi-Fi access whenever within range of the company’s Wi-Fi network. In this case, the authentication would be done directly with SIM-based authentication methods (EAP-AKA, EAP-AKA’) and the device will have access to the company network via Wi-Fi, like illustrated in the next picture.

The benefits of adapting Radiator SIM Pack lies in coverage. While the monitoring and other IoT devices might not need the biggest bandwidth, reliable cellular connection can be an issue for in-door solutions, for example in warehouses. With Radiator SIM Pack, the IoT devices will connect to the company network securely over Wi-Fi, ensuring reliable monitoring and metrics.

Want to know more?

If you are building an IoT device network or want to enhance the security of an existing IoT device network, Radiator is the solution for you.

For more information about Radiator licensing, technical details or for any questions, please do not hesitate to contact us sales@radiatorsoftware.com

Radiator for Libraries - Enable connection for patrons without extra provisioning

In recent years, libraries have evolved from venues where people come to pick up books into community places for people to read, study, work and much more. As most of these activities require reliable internet access, there is no denying that providing stable connectivity is becoming a requirement for modern libraries.

Hence why more and more libraries are looking at efficient and secure ways to enable connectivity for their patrons, while ensuring that that connection is not used for malicious business. Having an open Wi-Fi broadcasted across the library facilities is not the way to, and provisioning separate credentials for internet connection for all users visiting the library is a big hassle.

Radiator has got you covered. Radiator AAA server seamlessly integrates with existing Library management system (LMS, also known as Integrated library system, ILS) providing patrons connectivity utilising the credentials from LMS, used for lending books.

How does it work?

The key to library Wi-Fi authentication with Radiator lies on 3M™ Standard Interchange Protocol 2.0, known as the SIP2 protocol. The SIP2 protocol provides an interface between a library’s management system and library automation devices. This is the same protocol used for automated self-check devices for loaning and returning library books, and the parameters that can be used for self-lending can also be used for Wi-Fi access.

Radiator authenticates patrons based on their existing patron credential, for example library card number and PIN code. This means libraries do not need to provision and store separate Wi-Fi credentials for patrons. The basic version of this configuration is very simple and Radiator’s scripts handle the communication with the library system. Essentially, in the library system’s view, Radiator is a self-service loaning device among the others.

This integration also enables further functionality. Radiator can be configured to do that if the patron has outstanding fines or fees that exceed an agreed threshold, their Wi-Fi access will be declined upon login. This is done by Radiator’s scripts and is a toggleable option within the Radiator configuration file. The access can be tied to patron status or other patron information, for example age restriction can be applied.

Swift commercial process, flexible testing

Radiator is priced based on the number of servers, which makes a single library deployment very cost-effective. Radiator’s flexible evaluation licences allow you to set up a test system and see the solution working before making any commitments.

If you are interested in deploying a secure, robust and affordable solution for your library connectivity, please contact our sales team at sales@radiatorsoftware.com

Wifi Offloading POC with Radiator

 Recently, we have seen a significant increase in demand for our Wifi Offloading solutions and services. Many mobile operators are aiming for increased use of their own existing wifi infrastructure or the use of wifi infrastructure provided by 3rd party partners. This is done in many cases to expand especially indoor coverage in areas where 5G infrastructure has its limitations.

With Radiator, the essential product is Radiator SIM Pack that provides the integration between key components in wifi network and mobile core for WiFi Offloading. In this blog, we are clarifying how this kind of concept can be easily evaluated in different networks - as we are currently engaged heavily in these kinds of projects.

How Wifi Offloading Proof of Concept can be implemented?

For this kind of Wifi Offloading Proof of Concept (POC), a small number of steps are needed.

1. Firstly, you will need access to relevant wifi controllers / access gateways, in order to configure the RADIUS traffic to be configured towards Radiator SIM Pack. With this, seamless SIM authentication (with EAP-SIM/EAP-AKA/EAP-AKA’ for example) can be implemented.

2. As a next step, you will need to install the evaluation version from relevant Radiator packages: Radiator AAA Server Software, Radiator Carrier Module and Radiator SIM Module, along with the UtilXS component. The packages exist for all recent versions of RedHat based systems, Ubuntu and Debian.

3. After the installation, our team will provide you with the necessary configuration in order to configure traffic towards your subscriber data source. For HSS, Diameter SWx interface is the standard. Radiator can also use Diameter S6d, Cx or Wx interfaces. When using HLR, Radiator connects with GSM MAP with SIGTRAN. If the subscriber data is stored in more than one location, Radiator can authenticate SIMs from multiple backends. SIM authentication uses IMSI, and Radiator can optionally fetch user MSISDN (phone number) for billing purposes. 

4. Lastly, you will need to have access to the carrier profiles for the mobile phones or other end user devices so that automatic wifi authentication can be done. The methods for this differ a bit with Android and iOS devices: for Android, there are developer tools available for your own testing. For iOS, you need assistance from Apple. For both cases, we are happy to provide assistance.

As can be seen, successful WiFi Offload POC requires a bit of cooperation internally in the organization of the mobile operator. However, at the same time the needed configuration is typically something that can be done with limited effort - and with the assistance from us. As we have already deployed tens of successful WiFi offloading and VoWiFi installations, most challenges (and how to overcome them) are familiar to us.

What are the next steps?

If you are interested in WiFi offloading, please do not hesitate to contact us. Please fill out our contact form or contact sales@radiatorsoftware.com, and we are happy to help you with the next steps.

Meet Radiator team at IETF121 in Dublin

Image credit: Bob Linsdell, O'Connell Bridge & River Liffey, Dublin

The Radiator team will be attending IETF 121 meeting at the Convention Centre Dublin 2 - 8 November 2024. Staying at the forefront of industry developments is a top priority for Radiator development. As always, we are looking forward to working on RADIUS drafts and standards, and catching up with industry people. 

IETF RADIUS working groups 

You can find the Radiator team at these sessions - click the links for the respective meeting materials and agendas. 

• IETF Hackathon on Saturday 
• RADIUS EXTensions (radextra) 
• EAP Method Update (emu) 
• Transport Layer Security (tls) 
• Security Area Open Meeting (saag) 

For other IETF sessions, please see full meeting agenda here: https://datatracker.ietf.org/meeting/121/agenda 

Meet the team 

You can find Radiator developer Heikki Vatiainen and managing director Karri Huhtanen at the working group sessions and around the venue. If you’re in Dublin, come find us and say hi! Everyone else interested in the Radiator roadmap or meeting recaps, please drop us an email.

Radiator Software and Altice Labs announce partnership

Altice Labs, a technology company that is at the forefront of global innovative solutions in telecommunications, networks, and digital services, alongside Radiator Software, a Finnish company which provides AAA (RADIUS/Diameter Authentication, Authorization and Accounting) software products and services for Service Providers and Enterprises, announced a partnership enabling both organizations to jointly deliver end-to-end solutions to Service Providers and Enterprises.

This partnership will allow Altice Labs and Radiator Software to combine efforts to improve efficiency by eliminating barriers and accelerating delivery, thereby enhancing the value of products and solutions for both organizations. One of the key use cases that Radiator Software and Altice Labs can provide together includes WiFi offload and Voice-over-WiFi solutions, among others.

Jaakko Stenhäll, Director of Business Development at Radiator Software, highlighted that, “with Altice Labs, we are able to complement our Radiator AAA offering with excellent technical knowledge on different customer needs and also world-class support on various markets - bringing great value to our mutual customers”.

Tiago Pereira, Director of Global Business Development at Altice Labs, commented, “we are looking forward to partnering with Radiator Software, bringing our extensive experience, knowledge and technical expertise on network and service management and control. This is an area where Altice Labs has been present for more than 20 years, with its own products and solutions”.

For Cleverson Novo, Managing Director of Open Labs - Altice Labs branch in Brazil, “this area has gained huge importance in the Latin America market, with Service Providers leveraging their Wi-Fi networks as a complement to traditional cellular networks“.

Together, both companies are paving the way to the future, exploring new marketing opportunities and business growth.