Wednesday, November 16, 2022

Radiator team take part in RADIUS extensions working group reboot

With the Remote Authentication Dial-In User Service (RADIUS) standard in its early 30s, it continues to be the go-to protocol for network authentication use cases. With the IETF drafting RADIUS protocol’s standard RFC 2058 in the year 1997, RADIUS has seen continuous development even though Diameter (RFC 6733) was developed to be its intended successor. Since then, RADIUS has held a strong ground in networking authentication and Diameter has become de facto standard in the TELCO field.

RADIUS is still alive and the way to keep it current with the latest security requirements such as TLS 1.3 is by cooperation of many players in the field in joint standardisation of the protocol. Last week our technical team took part in the reboot of the RADIUS extensions working group at IETF 115 meeting in London.

Some highlights from the proposed future agenda for standardisation are updating RFC 6614 RADIUS over TLS (RadSec) and developing RADIUS protocol and extensions further towards current security requirements: for example SRadius draft, Extended ID and Reverse Change of Authorisation over RadSec.

What is SRadius?

SRadius is essentially a RADIUS packet transport profile, which would mandate TLS transport and remove the previous reliance on MD5 attribute obfuscation and packet signing. This is an important change as MD5 has been proven insecure (RFC 6151) and should no longer be used. SRadius implementation would then be FIPS-140 compliant while old RADIUS is not.

Why RADIUS should be secured with TLS?

Even with the use of current EAP authentication methods, RADIUS accounting messages can and are still sent in plain text format. This accounting information can include sensitive information such as user location attributes, which are open to eavesdropping by man-in-the-middle attacks without any encryption in-between. RADIUS over TLS protocol (RadSec, RFC 6614) tunnels this information with TLS. Both RadSec and SRadius secure the transport with TLS.

The working group reboot received interest and positive feedback from many stakeholders in the field working on both commercial and non-commercial RADIUS projects. There is unanimous support across the field that rebooting the RADIUS extensions working group is necessary for the future development of RADIUS. We are looking forward to working on RADIUS drafts and standards and implementing them in Radiator.

Want to know more?

Friday, November 4, 2022

Radiator Service Provider Pack 1.8 released!

We are happy to announce that Radiator Service Provider Pack (formerly known as Radiator Carrier Pack) has been released!

The main new development is a new Diameter relay functionality. With Diameter relay, incoming Diametet traffic load can be distributed to multiple instances. The workers can be optionally made visible only as a single Diameter node to the rest of the Diameter nodes. This enhances Diameter performance when Radiator is used as 3GPP AAA server or in other use cases. For the relay functionality, we have also provided configuration examples, for Radiator SIM Pack, Radiator 3GPP AAA Server and Radiator Policy and Charging Pack.

At the same time, new release contains performance enhancements for Diameter protocol and enhanced logging for Diameter request and answers messages. More info can be found out from Radiator Service Provider Pack revision history.

Would you like to know more?

If you would like to know more about Radiator Service Provider Pack and how it could be used in your use case, please contact our team at info(a)radiatorsoftware.com

Friday, October 28, 2022

Using Radiator as the flexible, powerful AAA for FTTH service providers

 
Recently, we have seen a big rise in the number with projects where service providers are implementing new FTTH (Fibre to the Home) services – using different PON (Passive optical network) technologies, such as GPON, XG-PON1, XGS-PON. Based on different estimates for consumer services in the industry, high-performance fibre access is needed more than ever.

Because of this, one the most common new use cases for Radiator AAA server software, and especially to our Radiator Service Provider Pack is the flexible and high-powered AAA for FTTH operators – that may also run fixed line and WiFi hotspot operations at the same time. With our flexible licensing options, these Radiator installations can be run either by service providers themselves, or they can use a managed service provided by a 3rd party.



Often these enterprise use cases also include private APN (Access Point Name) service for their enterprise customers. We are happy to tell more about our experiences on providing Radiator to different environments and use cases.

With the experience from a wide range of use cases, the key benefit of Radiator is flexibility in different network infrastructures – especially when integrating AAA with different technological generations. Readymade configurations are available, as well as support for different back-ends and logging and management solutions. As we are actively participating in different standardisation efforts, Radiator is always up-to-date with the latest industry practices and security developments.

Would you like to know more? 

We are always happy to help you with your use case. Please contact our sales team at sales(a)radiatorsoftware.com for more information.

Tuesday, September 27, 2022

Radiator Policy and Charging Pack - apply credit control for your prepaid and postpaid data plans

One of our key products for service providers is Radiator Policy and Charging Pack.

Radiator Policy and Charging Pack extends Radiator by allowing direct connections to your 3GPP infrastructure through Diameter interfaces - a protocol commonly used in telecommunication networks.

The existing authentication, authorization and accounting features in Radiator are available for Diameter – RADIUS integration in Radiator Policy of Charging Pack. With this, examples of use include Wi-Fi offloading, integrating Diameter online and offline charging with RADIUS based infrastructure, integrating RADIUS accounting with Diameter online and offline charging - and much more.

How it is used by our customers

In many use cases operators and carriers have a need to expand their mobile data coverage with Wi-Fi hotspots and other Wi-Fi networks where authentication can be connected to their infrastructure with roaming. This way they can complement their mobile service with for example Wi-Fi offloading or Voice over WiFi  - at the same time keeping in track the data use of their subscribers.

With its RADIUS to Diameter conversion, Radiator Policy and Charging pack enables you to apply credit control in your network using RADIUS accounting, both with prepaid and postpaid data plans. When using prepaid data plans, the credit control features will enforce that subscriber data is limited to the amount they have paid.

Also, the credit control policies can be done in a way that the end of quota will be handled based on your business needs. For example, the customer network access can be throttled and directed to purchase additional data for renewed access. 

On more technical level, the functionality is shown in the flowchart below. Please note, how Radiator Policy and Charging Pack is situated to integrate RADIUS and Diameter interfaces, and is connected to WiFi controllers or BNG devices and with Online Charging System (OCS) or with Policy and Charging Rules Function (PCRF).

Flow chart showing the credit control functionality of Radiator Policy and Charging Pack
 

As Radiator Policy and Charging Pack is highly extensible for different customer cases, we are happy to tell you more about how your use case can be implemented. In addition, it can be integrated with other Radiator products (such Radiator SIM Pack for EAP-SIM, EAP-AKA and EAP-AKA' authentication), and we are happy to share our expertise in this as well.

Woud you like to know more?

If you would like to know more about Radiator Policy and Charging Pack and how it can be used in your use case, please contact our team at info(a)radiatorsoftware.com


Wednesday, August 10, 2022

Cisco ACS is reaching end of life - Radiator has got you covered

As announced already some time ago, Cisco will no longer support either the hardware or the software of their Access Control System (Cisco ACS) product line. If your network administration still runs Cisco ACS, it’s time to take action and upgrade it into a product with a clear future for updates and support. Radiator AAA Server software, often referred to as the Swiss Army Knife of AAA Servers, can pick up from there.

As mentioned in a previous Radiator Cookbook post in 2018, Radiator AAA Server Software offers TACACS+ support and can be integrated with existing hardware to replace current solution’s TACACS+ and RADIUS functionalities. This means that Radiator can replace the authentication functions Cisco ACS did in your previous system. All that is required is an external database for user credentials that Radiator integrates to.


Radiator is actively developed, with multiple updates per year, so continuous support for your solution is given. And most importantly, Radiator’s support team consists of experienced professionals who have developed and actively develop Radiator AAA, so your support requests are always handled by capable RADIUS and TACACS+ experts.

These same professionals will be handling the transition work from ACS to Radiator AAA, if you so wish. Our technical team consists of experienced seniors with vast experience in enterprise, ISP, CSP and other AAA solution integrations and have done these transition projects even before the EOL was announced.

Radiator, being a flexible AAA Server with TACACS+ support, can replace ACS’s TACACS+ and RADIUS functions. Radiator does not have the built-in database, but rather integrates to a customer’s existing database. If need be, we are happy this database solution through our partner. The flexibility of Radiator also includes multi-vendor support for NAS devices. This means that changing NAS devices will not be troubled by vendor lock-in.

Want to know more?

If you want to know more about Radiator AAA Server software as the flexible and supported replacement for Cisco ACS, do not hesitate to contact our sales team sales(at)radiatorsoftware.com.

Thursday, July 14, 2022

Radiator supports EAP-TLS 1.3

One of the most used authentication methods for Radiator users is EAP-TLS. It is widely supported among wireless vendors and the support for EAP-TLS is needed for different certifications for wireless authentication. Radiator has supported different versions of EAP-TLS from the start. As we want to be in the forefront of industry standards, we are happy to announce that Radiator now supports EAP-TLS 1.3 - our team has also been involved in the standardisation work for EAP-TLS and other TLS-based EAP methods.

What is new in EAP-TLS 1.3?

The key feature in EAP-TLS 1.3 is increased privacy and security. Like the RFC document says “TLS 1.3 is in large part a complete remodeling of the TLS handshake protocol including a different message flow, different handshake messages, different key schedule, different cipher suites, different resumption mechanism, different privacy protection, and different record padding.” This new remodeled TLS handshake protocol ensures faster TLS connections as well as patches previous security errors TLS 1.2 had.

Especially important in this new version for EAP-TLS is that no information about the underlying peer identity is disclosed. In other words this means that with EAP-TLS 1.3 the certificate of the user is delivered encrypted. In previous versions of EAP-TLS the client certificate was delivered without encryption, providing a possibility of tracking the users. This has been an issue for some users of EAP-TLS discouraging its deployment. To increase the security of your organization, Radiator configuration allows you to enable EAP-TLS 1.3 for devices that support it, while the earlier versions of EAP-TLS are still available for older devices. Radiator AAA Server Software and its modules are actively developed and updated to support state-of-the-art AAA security features. With the most recent Radiator SIM Pack patch, Radiator now supports IMSI Privacy as well - as one of the few AAA software vendors. So, in short, Radiator is committed to stay in the frontlines of all AAA security features at all times.

Would you like to know more?

While the support for TLS v1.3 in some operating systems varies, the Radiator implementation of TLS v1.3 and EAP-TLS is currently available in the testing branch of Radiator, but will be included in the next stable release as well. If ou are interested please test and give us feedback about the implementation.

If you want to know more about Radiator and EAP-TLS 1.3, please do not hesitate to contact our sales team at info(a)radiatorsoftware.com. For full list of Radiator technical features, you can also visit the Radiator AAA Server Software product page.

Wednesday, June 22, 2022

Radiator FAQ page out now!

You have asked, and we have answered. In the past years working with Radiator AAA, we have encountered hundreds of interesting questions in support e-mails and calls, RFPs and in other inquiries. We have collected some of the more frequently asked questions onto a FAQ page, which has recently been published. Go check it out at https://faq.radiatorsoftware.com!

What topics are covered?

The FAQ page contains answers to great variety of questions about Radiator AAA Server Software. Currently the FAQ covers our core product, Radiator AAA Server Software. At the first stage, the FAQ page focuses on Radiator AAA Server Software, our core product. We will gradually push updates and expand the FAQ based on feedback and the needs of our audience, to include our modules and general questions about Radiator Software as a company.

What if my question is not in the FAQ?

If you do not find the question that is on your mind on the FAQ page, however, please do not hesitate to contact us via e-mail to info (at) radiatorsoftware.com.