RADIUS news from IETF118

Practically all current Wi-Fi controllers and APs for enterprise and carriers support RADIUS. Mobile network APN and DNN authentication, fixed line fiber-to-the-home gateways and other broadband equipment depend on RADIUS authentication. The industry that uses RADIUS is growing and the standardisation work is active proving RADIUS is in rude health.

The latest Internet Engineering Task Force (IETF) meeting was held earlier this month in Prague, Czechia - with the Radiator team in attendance. RADIUS work is mainly done by the RADIUS EXTensions (radext) working group. The current radext draft documents are related to security enhancements, protocol extensions, maintenance and best practices.

TLS-PSK and RADIUS 1.1

TLS-PSK for RADIUS over TLS and DTLS (also known as RadSec) draft is moving towards the publication phase. The draft has completed its development within the working group. The intended status for the draft is to become an Informational RFC. TLS-PSK greatly eases the configuration of RadSec by using Pre-Shared Keys with TLS instead of certificates.

Closely following the TLS-PSK draft is the draft for RADIUS Version 1.1. This draft is currently in the working group last call phase before it moves on towards publication. With RADIUS Version 1.1, the obsolete methods for RADIUS integrity and authentication are replaced by TLS and DTLS.

RadSec update and depreciation of insecure methods

Other work still in the draft development phase includes an update to RadSec. The update obsoletes the current RFCs for RADIUS over TLS (RFC 6614) and RADIUS over DTLS (RFC 7360) by merging them into a single specification. The draft obsoletes TLS 1.1 and earlier versions, requires TLS-PSK for servers, clarifies the use of DTLS, TLS session resumption, certificate verification and other topics.

Security of RADIUS is updated by a draft that deprecates insecure transport and authentication methods. The draft discusses the problems with unencrypted UDP and TCP transports and common RADIUS authentication methods, such as CHAP. The draft formally deprecates a number of ways these are currently insecurely used. Use of TLS or IPsec transport is now mandated and scope of UDP and TCP transports is reduced.These unsecured transports can be used in secure networks only.

RadSec CoA and Roaming support enhancements

RADIUS dynamic authorisation is updated by a draft that defines how to use existing RadSec connections to send change of authorization (CoA) requests. This allows easier CoA deployments in environments where firewalls, routing or other reasons make it hard to send requests towards a RADIUS client. This specification documents the existing usage that is already implemented by a number of server and client vendors.

Roaming support enhancements are defined in a draft that is currently in working group adoption phase. These enhancements include RADIUS request routing loop detection, remote realm status check and RADIUS request path discovery. This draft is likely approved as a working group draft before the end of the year.

The radext working group is also helping other IETF working groups with draft reviews, liaison work with other organisations, such as Wireless Broadband Alliance (WBA). The working group may continue to work on other documents after the current ones are finished.

What do I gain as a Radiator user?

The new functionality becomes available in Radiator when the drafts are nearing completion. For example TLS-PSK support is made available with the existing RadSec support allowing the Radiator customers to choose between PSK and certificate authentication. As a Radiator user, you will directly benefit from the work we do in the IETF. This will ensure your authentication service stays current and secure and follows the latest standards.

Want to know more?

For status of all current drafts and the working group in general, see https://datatracker.ietf.org/wg/radext/documents/

If you want to know more about Radiator team’s involvement in standardisation or discuss Radiator roadmap items from these drafts, please contact info@radiatorsoftware.com

Meet Radiator team in Prague at IETF118

Radiator team continues the active engagement with RADIUS working groups at IETF and the team will also be attending IETF 118 meeting in Prague next week. You’ll find us at these sessions:

• Hackathon
• RADIUS EXTensions (radextra)
• EAP Method Update (emu)
• MAC Address Device Identification for Network and Application Services (madinas)

See full meeting agenda here: https://datatracker.ietf.org/meeting/118/agenda/

Meet the team

Radiator team is staying at the Hilton Prague event venue throughout the whole event and our engineers are available to discuss any authentication related topics. Just look for the people with Radiator hoodies!

Want to know more?

Stay tuned for meeting recap and the latest standardisation highlights - we’ll be posting another blog right after the team is back home.

Meet the Radiator Team at WGC EMEA and Network X in Paris!

We are delighted to announce that Radiator Software will be exhibiting at the top connectivity events of the season: WGC EMEA and Network X co-located at Porte de Versailles conference centre in Paris on 23 – 26 October 2023.

Wireless Global Congress EMEA 23 – 26 October

The Radiator team will participate in the WBA Members-Only Sessions on 23 and 24 Oct, and the WGC EMEA Open Congress on 25 and 26 Oct. Backed with 20 years of roaming experience, Radiator team can help you deploy RadSec, OpenRoaming, In-Flight Connectivity, and IMSI Privacy with best in class security.

For more information about Wireless Global Congress EMEA 2023, please see the official event website: https://www.wirelessglobalcongress.com/wgc-emea-2023/

Network X 24 – 26 October

Network X event brings together Broadband World Forum, 5G World and Telco Cloud. For service providers of all kinds, Radiator provides a flexible AAA solution for fixed broadband, wireless, and WiFi offloading including VoWiFi.

For more information about the Network X event, please see the official website: https://networkxevent.com/

Meet with Radiator team

We extend an invitation to all WGC EMEA and Network X attendees to visit Radiator Software booth F19. Here, you can engage Radiator experts for insightful discussions on latest advancements in network authentication, WiFi and mobile convergence and how Radiator unifies RADIUS and Diameter infrastructure.

To schedule a meeting or simply ask a question, please leave a message and we will get back to you. See you in Paris!

Replacing Juniper SBR in mobile APN authentication with Radiator

Like we have written before in our blog, Radiator AAA Server Software is currently being used in many projects to replace Juniper’s Steel-Belted RADIUS that is now reaching the end of support. Of course at the same time, many FTTH service providers, ISPs and mobile operators are always searching for new options when they prepare their network infrastructure for the future.

One specific use case where we have seen a lot of demand for Radiator is the RADIUS authentication needed in mobile networks. In mobile networks, RADIUS protocol is used when there are private, organization-specific APN (Access Point Name) network paths in use. For example, critical communications such as emergency services often require this kind of network segmentation to secure their operations.

In VoLTE/4G networks, PGW/GGSN components in mobile networks make RADIUS queries to RADIUS server (such as our Radiator), and RADIUS server then authenticates and authorizes the end user to a specific APN network path - that can for example be an enterprise-related private network.

What we have been recently doing with many customers is the replacement of RADIUS servers and the related business logic in mobile networks. These have been done both with Radiator AAA Server Software and with the consultation of our technical team. At the same time, these projects are often combined with different accounting use cases, storing of CDR records etc.

When preparing for the future and taking the course to 5G networks, either RADIUS or Diameter interfaces will be used for similar use cases. Radiator, with extensive support of different TLS-based EAP methods, is of course prepared for this use case with 5G networks as well.

Would you like to know more?

In case you are looking for a future-proof RADIUS and Diameter server for your mobile network, we are happy to provide more info - and discuss your use case. Just reach out to us at sales@radiatorsoftware.com and we can discuss further.

Cutting roaming costs and expanding coverage with Radiator SIM-based authentication.

Modern SIM-based devices, like smartphones and tablets, are able to join and switch between different networks automatically. This is especially valuable to mobile operators who want to offload data from their mobile network to a nearby Wi-Fi network, because Wi-Fi connections are significantly cheaper to operate. It also enables Wi-Fi providers to monetize their Wi-Fi net- works and provide services in partnership with mobile operators. In addition, with use of OpenRoaming or other Wi-Fi roaming services, it also provides a way to expand the coverage of carrier Wi-Fi.

Use cases for the SIM authentication include:

Wi-Fi Offloading:

In busy locations with high volumes of mobile traffic like sports stadiums, shopping malls, public transport hubs and underground metros, SIM-based devices can automatically switch from mobile data connections to local Wi-Fi networks. Transferring the data traffic to Wi-Fi networks reduces the load on the mobile network, which improves the coverage and the user experience. In addition, using Wi-Fi roaming services, such as Orion Wi-Fi or OpenRoaming, can further reduce costs when carriers can use these additional services for Wi-Fi offloading.

Voice over Wi-Fi

SIM-based devices can also switch voice calls from mobile networks to Wi-Fi networks, and this kind of call is known as Voice over Wi-Fi. As with data traffic, switching traffic from regular calls to Wi-Fi networks can help carriers and operators to reduce the load on the mobile network, enabling better call quality and continuity.

Wi-Fi Roaming

When a SIM-based device automatically joins a Wi-Fi network or switches to another one, this is called Wi-Fi roaming. Wi-Fi roaming is used to maintain an uninterrupted data connection when the user moves from location to location, or when the current Wi-Fi connection is overloaded or when the signal is weak. In these situations as well, using OpenRoaming and other Wi-Fi roaming services can expand the coverage for mobile carrier.

Wi-Fi SIM-based authentication is essential to making these capabilities work. Before a device is allowed to join a new Wi-Fi network, it must be authenticated using the IMSI*. For this reason, Wi-Fi SIM-based authentication is supported by the latest Android and iOS mobile devices. However, there are still some security issues with this type of authentication. As a result, mobile OS manufacturers are now pushing for even better security on Wi-Fi networks and they require IMSI Privacy Protection with all new OS versions.

How can Radiator help you in this?

The Radiator SIM Pack for Radiator AAA Server Software makes it easy for operators to enable IMSI Privacy Protection. It is the key component needed for secure and seamless switching between mobile and Wi-Fi networks using SIM-based authentication. The Radiator SIM Pack also provides all the functions required for a 3GPP AAA Server.

IMSI privacy is a key feature of the Radiator SIM Pack, and it provides server-side support for permanent identity protection during Wi-Fi SIM-based authentication, Wi-Fi offloading and VoWiFi, resulting in a higher quality user experience. You can read more about Radiator SIM Pack and IMSI Privacy protection from our IMSI Privacy whitepaper.

In addition to this, Radiator provides also all the services and products needed when joining to  Wi-Fi roaming services, such as OpenRoaming, or when connecting to mobile carrier infrastructure by using Diameter interfaces.

Would you like to know more?

If you would like to know more about Radiator, SIM authentication, IMSI Privacy, joining OpenRoaming etc., and how we can help you in your use case, you can always contact our team at info(a)radiatorsoftware.com. Looking forward to hearing from you!

*) In SIM-based mobile devices, like smart phones and tablets, the user’s unique identifier is stored on the SIM card in a standard format known as the International Mobile Subscriber Identifier, or IMSI for short.

Radiator AAA hardware requirements

In many of our new deployment projects, we face the common question “How much CPU, RAM and disk space does Radiator need for x users?” While conservative estimates can be given, there is much more to this question than a simple figure.

The requirements of the system depend on the use case, backend, and implementation. In this blog post we will go over the variables and why it actually is misleading from us to give an answer to this question - but at the same time, we are always happy to help you with the hardware correct sizing.

Use case

There are major differences between the requirements for different authentication methods. The differences can be divided to two: Number of transactions per authentication, and number of interim-accounting transactions per session. One PEAP or EAP-TTLS request can consist of many messages, while a fixed-line authorisation has less transactions.

In reality, AAA servers are usually not the hold-up. Database latency is often the limit for AAA server performance. The database just does not respond in time when the load is high enough. In networking authentication, some use cases are read-heavy and some write-heavy on the database. To allow for better system performance, the database model should be optimised based on the demand for writes over reads or the other way around. What can and should be done is separate VMs for Radiator and the database. It is always better to run AAA server and database on separate servers.

Implementation

Network design plays an important role in ensuring your Radiator setup is sized sufficiently. Radiator can be configured to run as a loadbalancer for other Radiator instances. While there also are other loadbalancer options, a setup loadbalanced with Radiator loadbalancer configuration has better throughput than one without loadbalancing.

The requirements

In conclusion, there are many factors that affect the system performance, and sizing Radiator depends heavily on the use case and preferred architecture. However, a conservative starting point that we give customers is that each Radiator instance requires 1 vCPU and 0.5 GB RAM and it runs around 1000 TPS. This may heavily vary depending on the use case.

As for disk space, Radiator itself takes around 20 MB of disk space. This does not take into account requirements of the operating system and log data generated by Radiator. However, the Radiator logs can be shipped off to another log host machine to assure the Radiator host’s disk is not filled with log data.

Radiator OpenRoaming Configuration Guide now available!

We are happy to announce that Radiator OpenRoaming Configuration Guide is now available!

What is OpenRoaming?

WBA OpenRoaming™ is a global Wi-Fi roaming federation service that enables an automatic and secure connection to Wi-Fi among a network of roaming partners that all adhere to the OpenRoaming™ framework. It provides a new global standards-led approach, removing public-guest Wi-Fi connectivity barriers and bringing greater convenience and security to the wireless ecosystem, enabling new business models. See more from Wireless Broadband Alliance website.

What is the Radiator OpenRoaming Configuration Guide?

You can find the guide from Radiator OpenRoaming Configuration Repository.

The Radiator OpenRoaming Configuration Repository has ready-to-use/adapted configurations for implementing OpenRoaming ANP or IdP RADIUS/RADSEC server with the Radiator AAA server software.

If you are already an operator or organisation with existing Wi-Fi roaming and authentication infrastructure the Radiator OpenRoaming configurations are designed to be able to connect your existing RADIUS servers to OpenRoaming with minimal changes to your production configuration.

The Radiator OpenRoaming configurations also support prioritizing static roaming agreements for specific realms over OpenRoaming Dynamic Peer Discovery as well as last resort default authentication targets.

How can Radiator Software help you?

As seen from the configuration guide, Radiator AAA Server Software is suited perfectly for joining OpenRoaming. Additionally, our product portfolio brings more features to mobile operators, carriers and other enterprises that want to benefit from Wi-Fi roaming. For example, our Radiator SIM Pack software provides the features needed for SIM authentication (with EAP-SIM, EAP-AKA and EAP-AKA’ authentication methods), providing also the features needed for IMSI Privacy when roaming.

Our team is also happy to help when doing the configuration work for joining OpenRoaming. We can also arrange workshops or provide remote consultation - in addition to the email support provided with the product.

Would you like to know more?

If you would like to know more, our team is available for a meeting in the Wireless Global Congress Americas in Las Vegas 19th - 22nd of June 2023. There will also be a Radiator Software webinar introducing the configuration guide and configuration templates on the 8th of June with more information at our webinars page. And as always, you can of course reach out to our team at info(a)radiatorsoftware.com.