Monday, December 28, 2015

Implementing VoLTE supplementary services with Radiator GBA/BSF

Generic Bootstrapping Architecture (GBA) is a technology that enables the authentication of a user. This authentication is possible if the user owns a valid identity on an HSS (Home Subscriber Server). GBA is standardised at the 3GPP. The user authentication is instantiated by a shared secret, for example, a SIM card inside the mobile phone and the other is on the HSS.

With GBA, it is possible to provide VoLTE Supplementary Services, for example, Call Forwarding in VoLTE. Call Forwarding is an example of use case that cannot be pre-configured for all the subscribers because users want to configure their own forwarding number. With Radiator GBA/BSF module, this is possible to done in your VoLTE network – without the need to drop the user from VoLTE to other network.

How this is done with Radiator?

One of our customers had a need for VoLTE Supplementary Services in their network, and as a part of product development, a new Radiator GBA/BSF module was introduced to meet their needs.

GBA_AP.png
One example architecture when using Radiator GBA/BSF module for VoLTE Supplementary Services


As it is shown in picture above, Radiator GBA/BSF module will work as a authentication proxy between the end-user UE and HSS. It will authenticate user requests, and also separate the authentication procedure and the Application Specific server (AS) specific application logic to different logical entities – such as VoLTE Supplementary Services.

After the authentication procedure has been completed, Radiator GBA/BSF module assumes the role of a reverse proxy, i.e. the AP forwards HTTP requests originating from the UE to the correct AS, and returns corresponding HTTP responses from the AS to the originating UE.

Need for VoLTE Supplementary Services in your own network?

In case you need VoLTE Supplementary Services, such as Call Forwarding, in your own network, please do not hesitate to contact our team at sales(a.t.)radiatorsoftware.com. Our team of experts is happy to assist with your project.

Monday, December 7, 2015

Powered by Radiator: Verkkovieras.fi for simple and secure federated Wi-Fi authentication

Powered by Radiator: Verkkovieras.fi



This blog post is first one of the Powered by Radiator articles, where we and our agents or partners introduce products, services or solutions they have made using Radiator. If you have a product, service or solution you would like to introduce, please contact sales (a.t.) radiatorsoftware.com for more information.

This time it's Arch Red's turn to introduce their cloud based authentication service -- verkkovieras.fi , Powered by Radiator.

verkkovieras.fi for simple and secure federated Wi-Fi authentication

David Bleasdale: security
Verkkovieras is a Finnish word, which means network guest. Verkkovieras.fi is Arch Red's cloud authentication service for organisation’s employee and guest network access control. The service also supports authentication roaming federations such as eduroam and roam.fi making the service an easy way to deploy and serve federated network access for employees, guests and partners.

We know that maintaining user databases and RADIUS servers for employee and guest access can be difficult, especially when there’s additional complexity such as federated roaming. With verkkovieras.fi we focused in building a service, which is easy to deploy and easy to use. We thought, designed, thought some more and improved our design to be as clean and clear as possible.

Easily deployed in any Wi-Fi network

To deploy verkkovieras.fi authenticaton service you only need RADIUS capable authenticated devices such as for example almost all Wi-Fi controllers and access points. The authenticating device, usually the Wi-Fi controller, needs to be able to communicate with our cloud based servers in Internet and that’s it -- only our server details and Wi-Fi networks need to be configured in the controller.

User account registration as easy as email


Employees manage their user accounts themselves by requesting them from WWW page and after simple email-www page confirmation they activate their email address based user account. Account’s username is their email address and password is randomly generated string. We wanted to make sure that the network password is secure and on the other hand create a separate user account for network access. This was to keep more important or sensitive passwords such as Active Directory or other service passwords separate and safe. This way the employee cannot undermine the security by changing password to less secure or more sensitive one.

Federated roaming with a flick of a switch


Roaming federations and federated user access is even simpler, just select which federations and to activate or deactivate it. Your employees or visiting roaming guests are then able to roam free within federations and networks with same profiles they use for network access in your home network.

Easy guest user access or traditional vouchers -- you choose

Howard Lake: Sainsburys Active Kids vouchers
For guest user access there are two options, a simple time-limited guest user account for automated access and possibility to create and print more traditional time-limited guest user accounts before hand. Automated access means that the user account can be integrated for example with WWW page based authentication to provide guest short Internet access with just a click of a button on the authentication page. The traditional guest user accounts can be used like vouchers, the username and password must be entered on the authentication page or system dialog to get the access to network.

All this as a cloud service, ready to be deployed today

verkkovieras.fi architecture

We packaged all this in a redundant Amazon cloud based service distributed across two geographical regions, where we handle the difficult details such as scaling, server certificates, EAP methods (EAP-PEAP, EAP-TTLS, EAP-PWD) leaving you as a customer time to focus to your business and core functions.

If you are interested, contact our sales team: sales (a.t.) archred.com for more details.