Replacing Juniper SBR in mobile APN authentication with Radiator

Like we have written before in our blog, Radiator AAA Server Software is currently being used in many projects to replace Juniper’s Steel-Belted RADIUS that is now reaching the end of support. Of course at the same time, many FTTH service providers, ISPs and mobile operators are always searching for new options when they prepare their network infrastructure for the future.

One specific use case where we have seen a lot of demand for Radiator is the RADIUS authentication needed in mobile networks. In mobile networks, RADIUS protocol is used when there are private, organization-specific APN (Access Point Name) network paths in use. For example, critical communications such as emergency services often require this kind of network segmentation to secure their operations.

In VoLTE/4G networks, PGW/GGSN components in mobile networks make RADIUS queries to RADIUS server (such as our Radiator), and RADIUS server then authenticates and authorizes the end user to a specific APN network path - that can for example be an enterprise-related private network.

What we have been recently doing with many customers is the replacement of RADIUS servers and the related business logic in mobile networks. These have been done both with Radiator AAA Server Software and with the consultation of our technical team. At the same time, these projects are often combined with different accounting use cases, storing of CDR records etc.

When preparing for the future and taking the course to 5G networks, either RADIUS or Diameter interfaces will be used for similar use cases. Radiator, with extensive support of different TLS-based EAP methods, is of course prepared for this use case with 5G networks as well.

Would you like to know more?

In case you are looking for a future-proof RADIUS and Diameter server for your mobile network, we are happy to provide more info - and discuss your use case. Just reach out to us at sales@radiatorsoftware.com and we can discuss further.

Cutting roaming costs and expanding coverage with Radiator SIM-based authentication.

Modern SIM-based devices, like smartphones and tablets, are able to join and switch between different networks automatically. This is especially valuable to mobile operators who want to offload data from their mobile network to a nearby Wi-Fi network, because Wi-Fi connections are significantly cheaper to operate. It also enables Wi-Fi providers to monetize their Wi-Fi net- works and provide services in partnership with mobile operators. In addition, with use of OpenRoaming or other Wi-Fi roaming services, it also provides a way to expand the coverage of carrier Wi-Fi.

Use cases for the SIM authentication include:

Wi-Fi Offloading:

In busy locations with high volumes of mobile traffic like sports stadiums, shopping malls, public transport hubs and underground metros, SIM-based devices can automatically switch from mobile data connections to local Wi-Fi networks. Transferring the data traffic to Wi-Fi networks reduces the load on the mobile network, which improves the coverage and the user experience. In addition, using Wi-Fi roaming services, such as Orion Wi-Fi or OpenRoaming, can further reduce costs when carriers can use these additional services for Wi-Fi offloading.

Voice over Wi-Fi

SIM-based devices can also switch voice calls from mobile networks to Wi-Fi networks, and this kind of call is known as Voice over Wi-Fi. As with data traffic, switching traffic from regular calls to Wi-Fi networks can help carriers and operators to reduce the load on the mobile network, enabling better call quality and continuity.

Wi-Fi Roaming

When a SIM-based device automatically joins a Wi-Fi network or switches to another one, this is called Wi-Fi roaming. Wi-Fi roaming is used to maintain an uninterrupted data connection when the user moves from location to location, or when the current Wi-Fi connection is overloaded or when the signal is weak. In these situations as well, using OpenRoaming and other Wi-Fi roaming services can expand the coverage for mobile carrier.

Wi-Fi SIM-based authentication is essential to making these capabilities work. Before a device is allowed to join a new Wi-Fi network, it must be authenticated using the IMSI*. For this reason, Wi-Fi SIM-based authentication is supported by the latest Android and iOS mobile devices. However, there are still some security issues with this type of authentication. As a result, mobile OS manufacturers are now pushing for even better security on Wi-Fi networks and they require IMSI Privacy Protection with all new OS versions.

How can Radiator help you in this?

The Radiator SIM Pack for Radiator AAA Server Software makes it easy for operators to enable IMSI Privacy Protection. It is the key component needed for secure and seamless switching between mobile and Wi-Fi networks using SIM-based authentication. The Radiator SIM Pack also provides all the functions required for a 3GPP AAA Server.

IMSI privacy is a key feature of the Radiator SIM Pack, and it provides server-side support for permanent identity protection during Wi-Fi SIM-based authentication, Wi-Fi offloading and VoWiFi, resulting in a higher quality user experience. You can read more about Radiator SIM Pack and IMSI Privacy protection from our IMSI Privacy whitepaper.

In addition to this, Radiator provides also all the services and products needed when joining to  Wi-Fi roaming services, such as OpenRoaming, or when connecting to mobile carrier infrastructure by using Diameter interfaces.

Would you like to know more?

If you would like to know more about Radiator, SIM authentication, IMSI Privacy, joining OpenRoaming etc., and how we can help you in your use case, you can always contact our team at info(a)radiatorsoftware.com. Looking forward to hearing from you!

*) In SIM-based mobile devices, like smart phones and tablets, the user’s unique identifier is stored on the SIM card in a standard format known as the International Mobile Subscriber Identifier, or IMSI for short.

Radiator AAA hardware requirements

In many of our new deployment projects, we face the common question “How much CPU, RAM and disk space does Radiator need for x users?” While conservative estimates can be given, there is much more to this question than a simple figure.

The requirements of the system depend on the use case, backend, and implementation. In this blog post we will go over the variables and why it actually is misleading from us to give an answer to this question - but at the same time, we are always happy to help you with the hardware correct sizing.

Use case

There are major differences between the requirements for different authentication methods. The differences can be divided to two: Number of transactions per authentication, and number of interim-accounting transactions per session. One PEAP or EAP-TTLS request can consist of many messages, while a fixed-line authorisation has less transactions.

In reality, AAA servers are usually not the hold-up. Database latency is often the limit for AAA server performance. The database just does not respond in time when the load is high enough. In networking authentication, some use cases are read-heavy and some write-heavy on the database. To allow for better system performance, the database model should be optimised based on the demand for writes over reads or the other way around. What can and should be done is separate VMs for Radiator and the database. It is always better to run AAA server and database on separate servers.

Implementation

Network design plays an important role in ensuring your Radiator setup is sized sufficiently. Radiator can be configured to run as a loadbalancer for other Radiator instances. While there also are other loadbalancer options, a setup loadbalanced with Radiator loadbalancer configuration has better throughput than one without loadbalancing.

The requirements

In conclusion, there are many factors that affect the system performance, and sizing Radiator depends heavily on the use case and preferred architecture. However, a conservative starting point that we give customers is that each Radiator instance requires 1 vCPU and 0.5 GB RAM and it runs around 1000 TPS. This may heavily vary depending on the use case.

As for disk space, Radiator itself takes around 20 MB of disk space. This does not take into account requirements of the operating system and log data generated by Radiator. However, the Radiator logs can be shipped off to another log host machine to assure the Radiator host’s disk is not filled with log data.

Radiator OpenRoaming Configuration Guide now available!

We are happy to announce that Radiator OpenRoaming Configuration Guide is now available!

What is OpenRoaming?

WBA OpenRoaming™ is a global Wi-Fi roaming federation service that enables an automatic and secure connection to Wi-Fi among a network of roaming partners that all adhere to the OpenRoaming™ framework. It provides a new global standards-led approach, removing public-guest Wi-Fi connectivity barriers and bringing greater convenience and security to the wireless ecosystem, enabling new business models. See more from Wireless Broadband Alliance website.

What is the Radiator OpenRoaming Configuration Guide?

You can find the guide from Radiator OpenRoaming Configuration Repository.

The Radiator OpenRoaming Configuration Repository has ready-to-use/adapted configurations for implementing OpenRoaming ANP or IdP RADIUS/RADSEC server with the Radiator AAA server software.

If you are already an operator or organisation with existing Wi-Fi roaming and authentication infrastructure the Radiator OpenRoaming configurations are designed to be able to connect your existing RADIUS servers to OpenRoaming with minimal changes to your production configuration.

The Radiator OpenRoaming configurations also support prioritizing static roaming agreements for specific realms over OpenRoaming Dynamic Peer Discovery as well as last resort default authentication targets.

How can Radiator Software help you?

As seen from the configuration guide, Radiator AAA Server Software is suited perfectly for joining OpenRoaming. Additionally, our product portfolio brings more features to mobile operators, carriers and other enterprises that want to benefit from Wi-Fi roaming. For example, our Radiator SIM Pack software provides the features needed for SIM authentication (with EAP-SIM, EAP-AKA and EAP-AKA’ authentication methods), providing also the features needed for IMSI Privacy when roaming.

Our team is also happy to help when doing the configuration work for joining OpenRoaming. We can also arrange workshops or provide remote consultation - in addition to the email support provided with the product.

Would you like to know more?

If you would like to know more, our team is available for a meeting in the Wireless Global Congress Americas in Las Vegas 19th - 22nd of June 2023. There will also be a Radiator Software webinar introducing the configuration guide and configuration templates on the 8th of June with more information at our webinars page. And as always, you can of course reach out to our team at info(a)radiatorsoftware.com.

Radiator RADIUS for library Wi-Fi authentication

Radiator AAA server is known for its flexibility when it comes to unique use cases. This flexibility comes from the variety of supported protocols, authentication backends and logging destinations that are available in Radiator AAA server as an off-the-shelf product. This blog post will dig deeper into Radiator integration with library management systems and the 3M’s SIP2 protocol.

Library Guest Wi-Fi Authentication

Previous Radiator blog posts have gone over how network authentication works for enterprises and hotels. Today’s blog post will look at how Radiator can utilise existing library management systems to authenticate library Wi-Fi access for customers (often known as patrons). In its essence, Radiator will utilise patrons’ existing library card credentials for the authentications. Typically these credentials are used to loan and return books. This method has many benefits. First, it gives library patrons easy access to the internet without handing a common public password. Second, the internet access can be modified or disallowed based on patron status or information, for example age restrictions can be applied.

AuthBy SIP2

The key to library Wi-Fi authentication with Radiator lies on 3M™ Standard Interchange Protocol 2.0, known as the SIP2 protocol. The SIP2 protocol provides an interface between a library’s management system and library automation devices. The original use case for this protocol was and generally still is automated self-check devices for loaning and returning library books. However, this protocol can also be utilised for network authentication within the library, which is where Radiator comes in.

Radiator has a specific authentication function for this functionality. In Radiator AAA server Reference Manual Section 3.93., the function and its usage is explained. authenticates patrons based on their username and password, for example library card number and PIN code. The basic version of this configuration is very simple and Radiator’s scripts handle the communication with the library system. Essentially, In the library system’s view, Radiator is a self-service loaning device among the others.

This integration also enables further functionality. Radiator can be configured to do that if the patron has outstanding fines or fees that exceed an agreed threshold, their Wi-Fi access will be declined upon login. This is done by Radiator’s scripts and is a toggleable option within the Radiator configuration file. The access can be tied to patron status or other patron information, for example age restriction can be applied.

Want to know more?

Would you be interested in getting your library a stable, proven and affordable Wi-Fi authentication solution? Please contact us sales@radiatorsoftware.com for more information on both commercial and technical matters.

Testing the solution is also an option. We offer a 30-day evaluation licences for testing purposes and Radiator evaluation comes with thorough documentation and resources like well documented example configurations and our reference manual. To get started with a Radiator evaluation, please fill the form at our evaluation page.

New release: Radiator VNF Flex 2023.1.1 is available!

Great news! We are happy to announce that as a part of our development efforts a new release for Radiator VNF Flex is now available - Radiator VNF Flex 2023.1.1. As always, this development work has been done with close interaction with our carrier customers that have given valuable feedback when testing and implementing new features.

A sneak peek to the sales demo of Radiator VNF Flex. More visuals of the product can be found in the user guide.

 

New features and related material

During 2023, our team has developed several key feature to new Radiator VNF Flex releases - and release Radiator VNF Flex 2023.1.1 includes all the following:

• AlmaLinux 9.2 as base for the Radiator VNF Flex Image
• Radiator AAA Server Software 4.27-1 included
• Possibility to integrate Radiator VNF Manager with LDAP to allow authenticating to GUI and CLI with domain user accounts
• Possibility to use specific mirror for AlmaLinux repositories
• Includes hardenings for Radiator VNF Manager and Radiator VNF hosts
• Unneeded services removed
• Radiator VNF Manager internal firewall tightened
• Usability improvement: requirement for the Radiator VNF Flex configuration file to have unique radiator_configuration and enhancements configuration_source file names within the Radiator VNF Manager has been removed

In addition to the features implemented to the Radiator VNF Flex, we also provide extensive documentation and material for our customers interested in Radiator VNF Flex. For example, we have also published following materials to different user groups:

• Radiator VNF Manager user guide »  (for day-to-day operations)
• Radiator VNF Manager advanced user guide » (for administrative functions)
• Radiator VNF Manager Deployment and Configuration guide » (for deployments and when planning new implementations)
  
  

 Would you like to know more?

If you are interested in Radiator VNF Flex or in other Radiator products please contact our sales team at info(a)radiatorsoftware.com. We are happy to give a technical demo and discuss how we can help you with your use case.

Radiator as Steel-Belted RADIUS Replacement

Recently we have received many inquiries on whether Radiator AAA would be a good solution for replacing Juniper’s Steel-Belted RADIUS. As the aforementioned SBR has reached End of Engineering date in February, its support ending in September and with seemingly no alternative from the OEM, many operators are looking to replace their existing SBR setups with alternative established robust AAA solution. If you are among these companies, Radiator AAA is the solution for you.

Why choose Radiator AAA?

Known for its reliability and flexibility, Radiator AAA has been in the market for decades. Radiator is an actively developed and support AAA server with RADIUS and TACACS+ functionalities. With modules, Radiator AAA can also be complemented with Diameter relay, SIM-based authentication and other mobile network functionalities.

Like SBR, Radiator AAA Server offers support for both Linux, Windows and Solaris installations with various different operating systems (See our Supported Platforms for more information. Radiator has extensive support for different databases and authentication backends (SQL-based, LDAP, AD etc.) as well as support for MFA solutions with TOTP capable authenticators and tokens (Google and MS authenticator, Yubikey, DIGIPASS etc.)

The Radiator technical team consists of experts with vast experience in migration from other AAA solutions. We offer migration support and configuration assistance so you do not need to worry about meeting project schedule before SBR EoSL. Radiator can integrate with existing database and in nearly all cases no changes to schema are needed.

Like Steel-Belted RADIUS, Radiator AAA has multi-vendor support and can be installed flexibly on different platforms on physical or virtual machines. With Radiator, you can compile your AAA use cases under one product: RADIUS, Diameter, TACACS+, SIGTRAN, you name it, we have it!

Want to know more?

For any questions or other inquiries about Radiator as SBR replacement, please contact sales@radiatorsoftware.com