Thursday, March 14, 2024

Meet Radiator team in Brisbane at IETF119

Radiator IETF 119

Radiator team continues the active engagement with RADIUS working groups at IETF and will be attending IETF 119 meeting in person at the Brisbane Convention and Exhibition Center 16 - 22 March 2024.

Staying at the forefront of industry developments is a top priority for Radiator development. As always, we are looking forward to working on RADIUS drafts and standards and implementing them in Radiator.

IETF RADIUS working groups

You can find the Radiator team at these sessions - click the links for the respective meeting materials and agendas.

  • RADIUS EXTensions (radextra)
  • EAP Method Update (emu)
  • MAC Address Device Identification for Network and Application Services (madinas)
  • Radext working group will be discussing reverse CoA and deprecating insecure practices in RADIUS. EMU group has Forward Secrecy for EAP-AKA on the agenda, and madinas group is addressing the current status of MAC randomisation. We also welcome Wireless Broadband Alliance presenting a document describing OpenRoaming protocols - for Radiator, we have released the Radiator OpenRoaming configuration guide on Github.

    For other IETF sessions, please see full meeting agenda here: https://datatracker.ietf.org/meeting/119/agenda

    Meet the team

    The point of contact is Radiator developer Heikki Vatiainen, whom you can find at the RADIUS working group sessions and around the venue. If you’re in Brisbane, come find us and say hi! Everyone else interested in Radiator development, please drop us an email!

    Friday, January 19, 2024

    Meet Radiator Software at Mobile World Congress 2024

    Like everyone else in the telecom industry, we’re busy preparing for the world’s largest connectivity event of the year: Mobile World Congress held at Fira Gran Via in Barcelona on 26th – 29th February 2024. We’re looking to catch up with old and new partners and customers in Barcelona!

    For MWC24, Radiator Software is showcasing Radiator solutions, which deliver a superb combo of flexibility, interoperability and performance to complex operator AAA deployments. We invite you to engage with our team of network authentication experts to discuss all things AAA: FTTH authentication, WiFi roaming, VoWiFi, IMSI Privacy, OpenRoaming, and more.

    Book a meeting here: Google Form

    Monday, January 8, 2024

    Radiator SIM Pack 2.9 released

    Recently, we have met increased demand for SIM authentication in different use cases and services. Radiator development is driven by the actual customer cases and we are now pleased to announce the release of Radiator SIM Pack version 2.9!

    Here are selected highlights from the new release:

    Cx support for EAP-SIM, EAP-AKA and EAP-AKA’ authentication

    Diameter Cx interface provides an alternative way of fetching the SIM authentication vectors when the standard SWx interface is not available from the MNO. Cx is an HSS interface that is typically used to authenticate users from the IMS side of the network, but Radiator can now also use it for SIM based Wi-Fi authentication.

    SIGTRAN location update features

    Support for MAP UpdateLocation, MAP UpdateGprsLocation and MAP CancelLocation have been implemented in SIGTRAN. Location update features make it possible to resolve the user MSISDN (i.e. mobile number) and use IMSI related profile for authorisation. As a result, different authorisation rules can be enforced based on the MSISDN, or mobile numbers can be included in logging, accounting and other customer specific requirements.

    Improved temporary identity generation

    Temporary Mobile Subscriber Identity or TMSI is a pseudonym for the subscriber’s actual identity, IMSI. Plain or encrypted IMSI is always used for the initial SIM authentication, but a temporary identity can be generated for the subsequent requests to make re-authentication faster and increase security. Radiator TMSI implementation has now been updated per recent 3GPP specification: the improved implementation no longer requires a SQL session database further enhancing the speed of re-authentication. Historical data is also retained better.

    For a full list of new features and changes, please see Radiator SIM Pack revision history.

    Trends in operator AAA cases

    In our recent projects with customers ranging from small private operators to major tier 1 carriers, we have seen these significant trends:

    • Demand for Wifi offloading and VoWiFi remains high for various reasons: coverage and capacity expansion, ease of congestion in high density areas, and cost saving, especially for saving international roaming costs.
    • Non-fixed backhaul connectivity cases (in-flight, train, maritime) cases are emerging.
    • New private LTE/5G operators need SIM authentication to add Wi-Fi networks to their offerings. Radiator is an integral part in different MVNE solutions in connecting the MVNO and MNO network elements.

    In addition, security requirements have increased. Demand for IMSI Privacy is driven by Android and iOS, and support for IMSI encryption is now a must for new offloading projects. RadSec is required for various roaming scenarios, including OpenRoaming. Both are supported by the Radiator SIM Pack - with a long track record of field proven production implementations.

    Would you like to know more?

    Radiator pre-sales team includes experienced engineers who can provide expertise for advanced Diameter and roaming use cases, including non-standard and custom cases.

    In addition to top tier technical support, we also provide a flexible licensing model to match your business case. Whether you have your own subscribers, IoT devices or roaming guests, you can grow your license at the same pace where your business grows - you can just buy add-on licensing as you are onboarding more SIM authentication or VoWiFi end users, for example.

    We always know that every customer case is different - so please do not hesitate to contact us at info@radiatorosoftware.com.

    Tuesday, December 19, 2023

    Radiator 4.28 released!

    We are pleased to announce the release of Radiator version 4.28! The latest release is full of stability, usability and interoperability features that make it easier than ever to run and maintain Radiator.

    New usability improvements

  • Multiple logging improvements for easier debugging
  • AuthBy REST and SIP2 improvements according to customer feedback
  • Ready to use profiles for Linux firewalls: firewalld (Red Hat, Alma Linux, Rocky Linux) and ufw (Ubuntu, Debian)
  • New attributes ensuring interoperability

    New vendor specific attributes included in the standard dictionary:

  • 3GPP release 17 and 5G internetworking attributes
  • Wi-Fi Alliance (WFA) Passpoint release 3 Hotspot 2.0 attributes
  • Wireless Broadband Alliance (WBA) attributes, used especially in OpenRoaming (latest from Github).
  • New vendor specific attributes for Aruba, Juniper, Meraki and PaloAlto, and new Huawei dictionary and attributes
  • More detailed changes can be found in the revision history. Radiator packages are available to download for current licensees from the downloads page and the Radiator repository.

    Would you like to know more?

    As always, you can contact our sales team at info(a)radiatorsoftware.com - we are happy to learn more about your use case and assist you!

    Thursday, December 7, 2023

    Radiator first setup walkthrough

    Radiator is a command line software which is controlled with a simple text file. The Radiator AAA reference manual and goodies directory contain a plethora of examples, but it might be daunting to find a good starting place.

    Installing Radiator

    Radiator runs on a wide range of platforms and there are platform specific installation packages as well as the full source code package available. Check out the installation instructions from Radiator AAA reference manual.

    The manual lists various system requirements, but the absolute minimum that is needed for a simple initial setup are Radiator installation package, Radiator Radius::UtilXS add-on and Perl. Perl is usually included in the most common Unix distributions, and for Windows the Radiator MSI package contains all of these!

    Running Radiator for the first time

    Once Radiator is installed, it is time to see that Radiator can be run. The deb, RPM and MSI installation packages all install Radiator so that it is controlled by the system. On the Unix side by systemd and on Windows as service. By default the installation also brings a Radiator configuration that can be used to verify the installation, that is the configuration is capable of receiving RADIUS authentication and accounting requests from within the system and always responds with accept.

    See how to start Radiator service and run the test from the installation instructions:

    Developing own Radiator configuration

    The default configuration available right after Radiator installation is not particularly useful, seeing as it always responds with accept. To develop a proper Radiator configuration, suitable to your needs, check out the goodies directory available in /opt/radiator/radiator/goodies/ on Linux and in \Radiator\Radiator\goodies\ on Windows. Note that on Windows Radiator is automatically installed on the drive that has most space, so the directory can be C:\Radiator\Radiator\goodies\ but it could also be E:\Radiator\Radiator\goodies\

    Goodies contains full configuration examples, so when picking suitable starting point to your own configuration you can just copy the whole configuration from goodies as the default Radiator configuration /etc/radiator/radiator.conf on Linux or C:\Program Files\Radiator\radiator.conf on Windows. For example goodies/simple.cfg shows how to authenticate users from a file:

    1. Copy the goodies/simple.cfg as /etc/radiator/radiator.conf or as C:\Program Files\Radiator\radiator.conf
    2. The simple.cfg refers to users file, which is located to %D (check out more about special characters from this section of the reference manual)
    3. There is a default users file available in /opt/radiator/radiator/ on Linux and in \Radiator\Radiator\, which can be copied to /etc/radiator/ directory on Linux or C:\Program Files\Radiator\ on Windows.
    4. Have a look at the contents of the users to see the example users defined therein
    5. Now that the new configuration file and the file listing the users are on their place, it is time to restart Radiator so the new configuration is read: sudo systemctl start radiator on Linux and restart Radiator AAA Server service on Windows
    6. Whenever Radiator is restarted, it is a good practice to check out the Radiator log file in case there were any errors on the configuration. By default the log files are under /var/log/radiator/ on Linux or C:\Program Files\Radiator\ on Windows. Especially the Radiator process log file radiator.log should be checked as the possible errors could cause unexpected behavior or even leave Radiator unable to start.
    7. Test the configuration by running
      perl /opt/radiator/radiator/radpwtst -user mikem -password fred
      on Linux or on Windows:
      1. Click "Radiator Software" -> "Radiator configuration" on the Windows Start menu. This opens a Windows Explorer window that shows the contents of Radiator configuration and log directory under the "Program Files" folder.
      2. Double click "Perl command line" to open a Command Prompt window
      3. Run
        perl radpwtst -user mikem -password fred
    8. End result should be 3 OKs, as the radpwtst automatically sends one authentication request, one accounting start request and one accounting stop request.

    Working with source code package

    Although the recommended approach is to use the distribution specific Radiator packages, sometimes the source code package is the only option. The source code package can be unpackaged to any directory and it doesn’t automatically create any services. The simplest way to test the source code package is to run both Radiator server and radpwtst test from the command line.

    1. Take goodies/simple.cfg as starting point and copy it to one level up. Check the DbDir and DictionaryFile defined on the simple.cfg and edit both to point to the location where the source code package was extracted.
    2. Run radiusd from the command line:
      perl radiusd -foreground -log_stdout -trace 4 -config_file simple.cfg
    3. Leave the command line running so you can watch the logging, then open a second command line and run the test utility radpwtst:
      perl radpwtst -user mikem -password fred
      1. Have a look at the contents of the file called users to see the example users defined therein
    4. End result should be 3 OKs, as the radpwtst automatically sends one authentication request, one accounting start request and one accounting stop request.

    All done!

    You now have a basic Radiator installation and you are ready to start configuring Radiator your own use case. Check out these resources:

    • Radiator AAA reference manual
    • Configuration samples in Goodies directory included your distribution
    • Radiator Software FAQ

    For any questions, please reach out to us at info(a)radiatorsoftware.com. We’re always ready to discuss your use case and how to implement it with Radiator!

    Tuesday, November 21, 2023

    RADIUS news from IETF118

    Practically all current Wi-Fi controllers and APs for enterprise and carriers support RADIUS. Mobile network APN and DNN authentication, fixed line fiber-to-the-home gateways and other broadband equipment depend on RADIUS authentication. The industry that uses RADIUS is growing and the standardisation work is active proving RADIUS is in rude health.

    The latest Internet Engineering Task Force (IETF) meeting was held earlier this month in Prague, Czechia - with the Radiator team in attendance. RADIUS work is mainly done by the RADIUS EXTensions (radext) working group. The current radext draft documents are related to security enhancements, protocol extensions, maintenance and best practices.

    TLS-PSK and RADIUS 1.1

    TLS-PSK for RADIUS over TLS and DTLS (also known as RadSec) draft is moving towards the publication phase. The draft has completed its development within the working group. The intended status for the draft is to become an Informational RFC. TLS-PSK greatly eases the configuration of RadSec by using Pre-Shared Keys with TLS instead of certificates.

    Closely following the TLS-PSK draft is the draft for RADIUS Version 1.1. This draft is currently in the working group last call phase before it moves on towards publication. With RADIUS Version 1.1, the obsolete methods for RADIUS integrity and authentication are replaced by TLS and DTLS.

    RadSec update and depreciation of insecure methods

    Other work still in the draft development phase includes an update to RadSec. The update obsoletes the current RFCs for RADIUS over TLS (RFC 6614) and RADIUS over DTLS (RFC 7360) by merging them into a single specification. The draft obsoletes TLS 1.1 and earlier versions, requires TLS-PSK for servers, clarifies the use of DTLS, TLS session resumption, certificate verification and other topics.

    Security of RADIUS is updated by a draft that deprecates insecure transport and authentication methods. The draft discusses the problems with unencrypted UDP and TCP transports and common RADIUS authentication methods, such as CHAP. The draft formally deprecates a number of ways these are currently insecurely used. Use of TLS or IPsec transport is now mandated and scope of UDP and TCP transports is reduced.These unsecured transports can be used in secure networks only.

    RadSec CoA and Roaming support enhancements

    RADIUS dynamic authorisation is updated by a draft that defines how to use existing RadSec connections to send change of authorization (CoA) requests. This allows easier CoA deployments in environments where firewalls, routing or other reasons make it hard to send requests towards a RADIUS client. This specification documents the existing usage that is already implemented by a number of server and client vendors.

    Roaming support enhancements are defined in a draft that is currently in working group adoption phase. These enhancements include RADIUS request routing loop detection, remote realm status check and RADIUS request path discovery. This draft is likely approved as a working group draft before the end of the year.

    The radext working group is also helping other IETF working groups with draft reviews, liaison work with other organisations, such as Wireless Broadband Alliance (WBA). The working group may continue to work on other documents after the current ones are finished.

    What do I gain as a Radiator user?

    The new functionality becomes available in Radiator when the drafts are nearing completion. For example TLS-PSK support is made available with the existing RadSec support allowing the Radiator customers to choose between PSK and certificate authentication. As a Radiator user, you will directly benefit from the work we do in the IETF. This will ensure your authentication service stays current and secure and follows the latest standards.

    Want to know more?

    For status of all current drafts and the working group in general, see https://datatracker.ietf.org/wg/radext/documents/

    If you want to know more about Radiator team’s involvement in standardisation or discuss Radiator roadmap items from these drafts, please contact info@radiatorsoftware.com

    Thursday, November 2, 2023

    Meet Radiator team in Prague at IETF118

    Radiator team continues the active engagement with RADIUS working groups at IETF and the team will also be attending IETF 118 meeting in Prague next week. You’ll find us at these sessions:

    • Hackathon
    • RADIUS EXTensions (radextra)
    • EAP Method Update (emu)
    • MAC Address Device Identification for Network and Application Services (madinas)
    See full meeting agenda here: https://datatracker.ietf.org/meeting/118/agenda/

    Meet the team

    Radiator team is staying at the Hilton Prague event venue throughout the whole event and our engineers are available to discuss any authentication related topics. Just look for the people with Radiator hoodies!


    Want to know more?

    Stay tuned for meeting recap and the latest standardisation highlights - we’ll be posting another blog right after the team is back home.