Friday, October 15, 2021

Radiator provides IMSI privacy for EAP-SIM, EAP-AKA and EAP-AKA’ authentication

In many high-traffic areas such as sports stadiums, shopping venues, or public transport hubs, mobile carriers may partner with local Wi-Fi providers to improve coverage and user experience: mobile devices can be connected automatically to Wi-Fi instead of a congested cellular network. Internationally, Wi-Fi roaming agreements also allow carriers to lower cellular roaming costs.

EAP-SIM, EAP-AKA and EAP-AKA’ are SIM-based Wi-Fi authentication methods used to achieve seamless offloading to carrier and partner Wi-Fi, with the International Mobile Subscriber Identifier (IMSI) derived from the SIM card acting as a unique identifier for each user.

On the first ever connection to such a Wi-Fi network, the mobile device communicates its permanent subscriber identity (IMSI), which is then sent to the home operator for authentication. This identity is sent in the clear. A third-party adversary who installs a Wi-Fi sniffer in the vicinity of such networks can harvest permanent identities and track users. The venue or network owner can also do this tracking when devices connect to the Wi-Fi network.

Because of this, mobile operating systems such as iOS 15 show the following warning when joining a Wi-Fi network without IMSI encryption: “your mobile subscriber identity will be exposed”. A similar warning can be seen in the pictures below.

Privacy warning when authenticating to Wi-Fi network without IMSI encryption

 

Operators that transmit the IMSI in the open risk decreased user satisfaction with Wi-Fi offloading, because users may feel their privacy is being compromised.

Radiator SIM Pack provides IMSI privacy protection 

The solution is to protect user privacy by implementing IMSI encryption for EAP-SIM, EAP-AKA and EAP-AKA’ authentication. As an operator, you can enable IMSI privacy easily: Radiator 3GPP AAA Server handles both encrypted and clear authentication requests. This means IMSI privacy can be offered to devices supporting it without affecting other users. 

Since revision 2.5, Radiator SIM Pack has supported IMSI encryption as specified in the 3GPP document S3-170116, “Privacy Protection for EAP-AKA”, and in WBA’s IMSI Privacy Protection for Wi-Fi – Technical Specification. The feature is already implemented by some of our operator customers to cover their AAA server encryption.
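An added example, not Radiator code or configuration: a small audit script that classifies identity values (as seen in EAP-Response/Identity or RADIUS User-Name) as clear-text IMSI, encrypted, or other, so an operator can measure how many clients still expose the IMSI. The permanent-username prefixes follow RFC 4186, RFC 4187 and RFC 5448; the encrypted form (a leading NUL byte, Base64 ciphertext and an optional key identifier) is an assumption about the wire format, and all sample values are constructed.

```python
import base64
import binascii
import re
from collections import Counter

# Leading character of a permanent username (RFC 4186, RFC 4187, RFC 5448).
PERMANENT_PREFIX = {"0": "EAP-AKA", "1": "EAP-SIM", "6": "EAP-AKA'"}
# Method prefix followed by the IMSI (assumed here to be 14 or 15 digits).
CLEAR_IMSI = re.compile(r"^([016])\d{14,15}$")


def classify(identity):
    """Return (kind, detail) for one identity value; never echoes the IMSI."""
    if identity.startswith("\x00"):
        # Assumed encrypted form: NUL + Base64(ciphertext) [+ "," + key id].
        blob = re.split(r"[,@]", identity[1:], maxsplit=1)[0]
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            raw = b""
        if not raw:
            return ("malformed", "NUL prefix without valid Base64")
        return ("encrypted", f"{len(raw)} ciphertext bytes")
    user = identity.split("@", 1)[0]
    match = CLEAR_IMSI.match(user)
    if match:
        return ("clear-imsi", PERMANENT_PREFIX[match.group(1)])
    return ("other", "pseudonym, fast re-authentication or anonymous identity")


def summarize(identities):
    """Count identities per kind, e.g. to track clear-text IMSI exposure."""
    return Counter(classify(i)[0] for i in identities)


# Constructed sample values: test PLMN 001/01, dummy ciphertext and key id.
REALM = "@wlan.mnc001.mcc001.3gppnetwork.org"
SAMPLE = [
    "0001010123456789" + REALM,                      # clear IMSI, EAP-AKA
    "1001010123456789" + REALM,                      # clear IMSI, EAP-SIM
    "6001010123456789" + REALM,                      # clear IMSI, EAP-AKA'
    "\x00" + base64.b64encode(bytes(range(256))).decode() + ",key-id=placeholder",
    "anonymous" + REALM,                             # no subscriber identity
    "\x00not base64!",                               # NUL prefix, broken payload
]

if __name__ == "__main__":
    for kind, count in sorted(summarize(SAMPLE).items()):
        print(f"{kind:12} {count}")
```

Run over identities exported from AAA logs, the `clear-imsi` count shows how much of the client base would still trigger the privacy warning described above.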

The latest release of Radiator SIM Pack is available for new licensees and for licensed customers with valid download access. To find out if Radiator SIM Pack suits your needs, you can contact us at sales@radiatorsoftware.com and a member of our sales team will be happy to assist you. 

You can also contact us to renew your support contract and get access to the newest release. A full history of Radiator SIM Pack releases is available on our website.

Tuesday, October 5, 2021

Radiator and NCINGA - working together towards customer success

 

 

 

While Radiator has hundreds of operator customers all over the world, we also have an extensive network of integrator partners providing turn-key solutions for our customers. One of these trusted integrators is NCINGA. NCINGA is known for providing technology transformations in frontier markets, and they also provide Radiator AAA solutions to operators and carriers, especially in the APAC area.

This collaboration has provided solutions to customers both for fixed and wireless AAA. In
different use cases, the main focus in the cooperation has involved integrating Radiator
solutions with different vendor environments and network elements. Radiator is used for
example when applying policy and control functionalities for end user data plans.

    “With Radiator, we were able to quickly deliver complex AAA implementations. It was easy
    to configure and extend to the customers need. The Radiator Technical Support team made
    it even easier to implement & support with prompt responses and guidance.” 

    -Kokum Randeni, VP Sales, Ncinga

One of the key elements in the working model has been the flexibility in Radiator licensing:
the components needed by the customer can be tailored to the use case and number of
subscribers. This way the ROI for the customer can be ensured as they can add new
features of Radiator to use when needed.

For the customer, the operating model is quite easy and straightforward: NCINGA and their
team of experts provide the first level support and integration consultation, and the Radiator
team provides the product-related 2nd level support and consultation related to Radiator
specific configuration and other needs.

Would you like to know more about Radiator and NCINGA?

If you are looking for a carrier-grade AAA server with flexible options for different use cases,
please do not hesitate to contact our sales team at sales@radiatorsoftware.com. For
NCINGA, please contact their sales team at www.ncinga.net.


Examples of Radiator use include carrier-grade AAA, Wi-Fi offloading, integrating Diameter
online and offline charging with RADIUS-based infrastructure, integrating RADIUS
accounting with Diameter online and offline charging and much more. On top of that, our
support team has wide experience of various carrier use cases in different environments.

Tuesday, September 21, 2021

Customer reference: Salt Mobile SA using Radiator Telco Pack

Salt Mobile SA uses Radiator for their Diameter interfaces

 

Swiss mobile operator Salt Mobile SA (Salt), one of the top operators in Switzerland, has been using Radiator Telco Pack since late 2020 for their 2 million customers. The use case in Salt has evolved from initial use of Radiator Enterprise Pack to the use of Radiator Telco Pack. 

 

The flexibility of Radiator licensing models has provided cost-efficient, step-by-step licensing where additional modules have been added when needed. 


Salt has been using Radiator products for several years. Nowadays, Salt uses Telco Pack for the charging and accounting of their customers' pre-paid and post-paid plans. Radiator Telco Pack provides the Diameter Gy and Gx interfaces specified by the 3GPP to implement this:


“We use Radiator for our DATA and SMS real-time charging (using Gy Diameter protocol). It sits between our core network elements (SMSC/GGSN) and our online charging system. All our DATA and SMS traffic (national and roaming) is controlled using this flow. On top of that we use the control function (Gx) to apply throttling on the DATA flow for roaming.”

-Annaick Rinderknecht, Devops Manager, IT, Salt Mobile

Would you like to know more? 


If you are looking for a carrier-grade AAA server with flexible options for different use cases, please do not hesitate to contact our sales team. 


For example, in the use case mentioned, Radiator Telco Pack extends Radiator by allowing direct connections to your 3GPP infrastructure through Diameter interfaces – a protocol commonly used in telecommunication systems. Radiator Telco pack includes support for different policy and charging related interfaces and implementations specified by the 3GPP.

Examples of use include Wi-Fi offloading, integrating Diameter online and offline charging with RADIUS based infrastructure, integrating RADIUS accounting with Diameter online and offline charging and much more.

Our support team has wide experience of various carrier use cases in different environments and we are happy to help you in all your AAA needs.

Wednesday, February 3, 2021

Radiator SIM Module 2.6 released

We are pleased to announce release 2.6 of the Radiator SIM Module. This release includes 3GPP emergency call support and overall enhanced 3GPP AAA Server support, as well as a number of enhancements and bug fixes.

Customers with valid download access contracts can download updated software packages from our downloads site. Please note that Radiator 4.24 or later and Radiator Carrier Module 1.6 or later are required. 

If you would like to renew your download access contract, or need professional assistance with updating or migrating, please contact sales@radiatorsoftware.com and a member of our sales team will be happy to assist.

Revision 2.6 detailed updates and fixes:

  • Invalid APN formats are now rejected early.
  • Included APN match in S6b authorisation checks.
  • Fixed a crash in 3GPP AAA Server triggered by retransmitted messages.
  • Updated identity handling with IMSI encryption based on observed client behaviour.
  • RAT-Type for SWx requests is now set to the value received over SWm defaulting to VIRTUAL. Previously WLAN was always used by 3GPP AAA Server.
  • 3GPP-Charging-Characteristics is now copied to SWm answers when available. Subscription-Id was not added to SWm AAA messages after the user profile was updated by HSS with Push-Profile Request.
  • AAA-Failure-Indication is now sent over SWx to HSS. Previously the VSA was ignored when received from an ePDG.
  • Terminal-Information is now added to SWx requests as required by 29.273 version 13 and later.
  • Enhanced 3GPP AAA Server support to cover 29.273 version 15.4.0. The main behaviour change is S6b triggered PGW registration which is no longer done as often. This was clarified in 29.273 13.4.0 correction CP-160220 CR 0457.
  • Emergency services for authenticated users are now supported by 3GPP AAA Server. Support for emergency services needs to be enabled with a new configuration flag parameter EmergencyServices. When EmergencyServices parameter is set and SQL is used for a session database, one new column and SQL query modifications are needed.
  • Updated 3GPP AAA Server SWm, SWx and S6b dictionaries for 29.273 version 15.4.0.
  • Crypt::Rijndael is no longer required when Radius::UtilXS release 2.2 or later and Radiator 4.25 or later is installed.
  • 3GPP AAA Server SQL and Redis based session backends no longer trigger unnecessary lookups and SWx deregistration updates when session termination requests are received over SWm or S6b. This can reduce Diameter traffic significantly with certain configurations where lots of clients are not allowed to connect and gateway devices send STRs for these attempts.
  • Removed warnings logged to STDERR by 3GPP AAA Server when processing certain request types. These warnings were harmless but caused unnecessary log entries.
  • 3GPP AAA Server now supports stripping MAC address from NAI format usernames. A new optional configuration parameter StripMACFromUserName controls how this is done.
  • A number of code cleanup and maintenance changes were made based on Perl::Critic and other tools.
  • Requires Radiator 4.24 or later and Carrier Module 1.6 or later with 3GPP AAA Server. Radiator 4.24 and later are recommended with plain EAP-SIM, EAP-AKA and EAP-AKA’.

For more information, you can see the Radiator SIM Pack product page or contact us directly at info@radiatorsoftware.com.

Monday, October 19, 2020

Radiator Dockerfiles now available

Radiator Dockerfiles are now available with all our Radiator packages! The Dockerfiles and the accompanying README make it easy to build Docker containers in which Radiator is run. Five different variations are currently available:

  • Radiator installed from Radiator public repository to CentOS 8 container
  • Radiator installed from Radiator public repository to Ubuntu 20.04 container
  • Radiator installed from RPM packages to CentOS 8 container
  • Radiator installed from deb packages to Ubuntu 20.04 container
  • Radiator installed from MSI to Windows Server Core 2019 container

Each Dockerfile has a command ready for copying your own Radiator configuration to the container image during the build phase. Each Linux-based Dockerfile uses ENTRYPOINT for running Radiator. In the Windows container, Radiator is run as a Windows Service. Of course, these Dockerfiles are meant just as starting points, and there are several tips on what could be done differently in the accompanying README. Be sure to check it out!

Due to the nature of Docker containers, systemd is not readily available in the Linux containers. This means that instead of running multiple Radiator instances in a single Docker container via systemd, you should run several containers, each with a different Radiator configuration.

Radiator Software Ansible playbooks for easy Radiator setup and instance management

To help manage and install Radiator in a more automatic way, we now provide Radiator Software Ansible playbooks as part of the goodies available in every Radiator package. The playbooks make it easy to:

  • Install Radiator with basic prerequisites on multiple servers in a single command.
  • Upgrade or downgrade Radiator on multiple servers in a single command.
  • Deploy multiple Radiator configurations to multiple servers running Radiator in a single command, or deploy a Radiator configuration to a single server running multiple Radiator instances.
  • Roll back the latest Radiator configuration deployment quickly to the previous Radiator configuration.
  • Restart, start or stop all Radiator instances on multiple servers running Radiator in a single command.

These are general playbooks intended as an easy starting point for automation. They are usable with Radiator RPM/deb packages after a few simple steps, such as setting up the Ansible control node and the Radiator servers with an SSH user for Ansible to use. After that, just create your Radiator configuration and run the playbooks to set up the Radiator server and deploy the configuration. There are very simple authentication and accounting example configurations available in the Ansible role used by the deployment playbook, so testing the system is possible by just deploying the default example configurations.

These playbooks are meant to be a starting point for various situations, but naturally they do not answer every need. So go ahead and modify the playbooks when needed! We do recommend storing both the modified playbooks (with the Ansible roles) and the Radiator configurations deployed by these playbooks in a version control system of your choice. Although there is a simple built-in backup system for the rollback mechanism, it is strictly for the rollback and is limited to the latest deployed Radiator configuration version only.

To get the Radiator Software Ansible playbooks, just download the latest Radiator package of your choice. When using the playbooks, Radiator is not required to be installed on the Ansible control node, but if it is, you should copy the playbooks from the default location to some other location before using them. This way, upgrading a Radiator installation on the Ansible control node does not overwrite any changes you may have made to Ansible-related files.

Check out the README document from the goodies/Ansible directory for how to run the playbooks!

Find more information about Ansible and Ansible playbooks on Ansible website.

Requirements for using the Radiator Software Ansible playbooks

  • Ansible 2.7 is the minimum supported version on the Ansible control node.
  • Supported Radiator host Linux distributions are Ubuntu 18.04 or newer, Debian 10 or newer, CentOS 7 or newer, and RHEL 7 or newer.
  • Radiator hosts must have a sudo-capable SSH user that Ansible can use.
  • Radiator hosts need internet access for apt/yum/dnf usage.
  • Radiator and/or Radius::UtilXS installation files (RPM/deb) are available on the Ansible control node.

Wednesday, March 25, 2020

Introducing new Radiator Repository

Recently, the Radiator Software team has been putting its efforts into making life easier for system administrators. Following the introduction of the new Radiator Linux packages, we are now very proud to announce the new Radiator Repository. This is good news for Linux users, since the new repository allows you to streamline maintenance and to easily distribute updates to all Radiator servers in your organisation. What is even better, this new service is included with all active Radiator Support contracts.

Supported platforms are Red Hat 7/8, CentOS 7/8, Ubuntu 16.04 (Xenial), Ubuntu 18.04 (Bionic), Debian 9 (Stretch) and Debian 10 (Buster). Here is how to get it:

  1. Visit our repository page and log in using your existing Radiator user credentials: https://downloads.radiatorsoftware.com/repo/ 
  2. Scroll down to your Linux distribution version 
  3. Follow the instructions and use the commands given there to set up Radiator Repository
  4. Enjoy easy updates

For security, the repository URLs are customer-specific and generated for your organization, and the packages provided from Radiator repositories are never marked as security upgrades. This means that using unattended-upgrades for the system's security upgrades is safe, as Radiator will not be upgraded automatically. You also get to pick whether you want the official releases only, or the testing versions as well.

For our customers using other platforms or with download access only contracts, Radiator Downloads site has been redesigned and is sporting a clean new look. You will continue to get the software updates the classic way by downloading the packages from our website, whether you are using Mac or Windows, older Linux distributions, or simply prefer to do so.  

Please contact our team at sales@radiatorsoftware.com if you want to check your subscription status, renew or upgrade your support contract, or reset your password. Let us know if you try the new repositories. We would like to hear your feedback!