Thursday, December 22, 2022

Radiator 4.27 now available!

We are pleased to announce the release of Radiator version 4.27!

The main new feature in the release is support for EAP-TLS v. 1.3 - as specified in the RFC 9190. TLS v. 1.3 is available also for RadSec and for all TLS-based EAP methods. TLSv1.3 is disabled by default, but can be turned on by the customer when needed. TLSv1.3 will be enabled by default in future Radiator releases.

At the same time, we continue to monitor TLSv1.3 interoperability with EAP-TTLS and PEAP. At the moment TLSv1.3 session resumption is disabled because of interoperability problems. To help with this, we are participating in IETF work that aims to solve the pending issues.

In addition, significant update work for LDAP connection and TLS debugging has been made - as well as support for different Linux distributions.
 
For other new features, enhancements, interoperability, and bug fixes, please see below.
 
Selected compatibility notes, enhancements and fixes

  • Significant LDAP updates to connection and TLS handling.
  • Red Hat Enterprise Linux 9 and its derivatives are now supported.
  • Ubuntu 22.04 is now supported.
  • Session resumption is enabled for EAP-TLS with TLSv1.3 but remains disabled for the other TLS based EAP methods.
  • TLSv1.3 is supported by EAP-TLS, EAP-TTLS and PEAP but remains disabled by default.
  • TLSv1.3 is tested with RadSec and other Stream modules but remains disabled by default.
  • Radiator can log TLS key material to a file to allow fully decrypting EAP and Stream SSL/TLS sessions.
  • TLS handshake and state trace logging is now enabled for EAP and Stream modules, such as PEAP and RadSec, when Trace 4 (debugging) or PacketTrace is configured.
  • Radiator SIM Pack 2.7 and Carrier Pack 1.7, or later, are strongly recommended.

 

Known caveats and other notes

  • TLSv1.3 remains disabled by default for TLS based EAP methods and Stream based classes, such as RadSec. TLSv1.3 testing reports are welcome.
  • Fix and enhance EAP-FAST. Requires Net::SSLeay 1.94 or later with OpenSSL 1.1.1 and later.

More detailed changes can be found in the revision history.

Radiator packages are available to download for current licensees from the downloads page and the Radiator repository.


Would you like to know more?


If you like to know more about Radiator, the new release and how it can help you in your use case, you can always contact our team at info(a)radiatorsoftware.com

Monday, December 12, 2022

Offline TOTP implementation with Radiator AAA Server and Windows Server

Recently, we have had multiple customer cases in the need of offline TOTP (time-based one-time password) implementations. Both private enterprises and public institutions working on different fields have discovered an increasing need for offline multi-factor authentication to protect their critical infrastructure. These use cases include for example power companies, transport infrastructure and other use cases that are used in private networks, and where secure authentication is essential at all times.

Many of these customers use Windows Server and Microsoft SQL server in their implementations, so we wanted to share how Radiator AAA Server Software can be used with them when implementing an offline TOTP solution. And as clarified below, given the flexibility of Radiator, other platforms can be used as well⁠—do not hesitate to contact us with your own specific use case in your own infrastructure.

How it is done

We have had a working example in the Radiator goodies directory that can be leveraged to individual needs:

totp.cfg and totp.sql
Sample configuration file for Radiator, showing how to authenticate using TOTP (RFC 6238) one-time-passwords. The sample MySQL database schema provides test users, with and without a PIN.

generate-totp.pl
Supporting script for generating secret values for TOTP and printing them in different text formats and as QR code images.

The existing example is using SQL definitions specific to MySQL and MariaDB database servers. As Radiator is flexible, the same functionality can be achieved on any supported OS and with any database. Here we show how to set up a similar system with Windows Server 2012 to 2022 and Microsoft SQL Server 2012 to 2022, with Radiator AAA Server Software (current version 4.26). The new Windows-specific configuration shown here will also be included in the goodies of the oncoming release of Radiator soon.

To start with, we expect the system with Windows Server is already installed and hardened as needed. Also, installing Microsoft SQL Server and Microsoft SQL Server Management Studio is out of scope of this post. You can try this TOTP setup out also on a standard desktop Windows version and free SQL Server Express (https://www.microsoft.com/en-us/sql-server/sql-server-downloads).

After the prerequisites are met, the next step is to download and install the rest of the needed software packages:

ODBC Driver for SQL Server
https://learn.microsoft.com/en-us/sql/connect/odbc/download-odbc-driver-for-sql-server

Radiator AAA Server Software, Radiator Windows MSI installer
https://radiatorsoftware.com/products/radiator/

After creating a new ODBC data source (be sure to select a 64-bit driver on 64-bit environments), you can test if the DSN is available to Radiator by running a small test script. Start the command shell with correct environment settings by selecting Radiator configuration from the Start menu and then clicking Perl command line. Save and run the following script on the server. The script lists all DSNs it finds, and if you see the newly created DSN, everything is OK.

# List available data sources
#
# Example run:
# C:\> perl list_datasources.pl
# - dbi:ODBC:<datasourcename1>
# - dbi:ODBC:<datasourcename2>

use strict;
use DBI;
my @dsns = DBI->data_sources('ODBC');
foreach my $d (@dsns)
{
  print "- $d\n";
}

If you want to generate TOTP secrets with generate-totp.pl you also need to install the following new modules. The command cpanm makes it easy if you're connected to the internet:

cpanm MIME::Base32
and
cpanm Imager::QRCode

You can also download the modules manually (check for the latest versions), for example:
https://cpan.metacpan.org/authors/id/R/RE/REHSACK/MIME-Base32-1.303.tar.gz
https://cpan.metacpan.org/authors/id/K/KU/KURIHARA/Imager-QRCode-0.035.tar.gz
and install them from local files like:

cpanm MIME-Base32-1.303.tar.gz
cpanm Imager-QRCode-0.035.tar.gz
Create the database and grant the needed privileges to the user (SELECT and UPDATE). Here's the table definition with SQL Server specific field types. The definition is stripped from comments for brevity, and some fields are optional. Please see goodies for full details.
CREATE TABLE totpkeys
(
  id              INT NOT NULL IDENTITY(1,1),
  active          BIT DEFAULT 0,
  created         DATETIME NOT NULL,
  accessed        DATETIME NOT NULL,
  username        VARCHAR(100) UNIQUE NOT NULL,
  tokenId         TEXT,
  pin             TEXT,
  secret          VARCHAR(130) UNIQUE NOT NULL,
  digits          INT DEFAULT 6,
  bad_logins      INT DEFAULT 0,
  last_timestep   INT,
  algorithm       TEXT NOT NULL,
  timestep        INT DEFAULT 30,
  timestep_origin INT DEFAULT 0,
  PRIMARY KEY (id)
);
Insert some example data ( we use 6-digit codes for broader compatibility, and here's only some of the records):
INSERT INTO totpkeys VALUES (1, GETUTCDATE(), GETUTCDATE(), 'mikem', NULL, NULL,
    '3132333435363738393031323334353637383930', 6, 0, NULL, 'SHA1', 30, 0);
INSERT INTO totpkeys VALUES (1, GETUTCDATE(), GETUTCDATE(), 'mikem512', NULL, NULL,
    '31323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334',
    6, 0, NULL, 'SHA512', 30, 0);
INSERT INTO totpkeys VALUES (1, GETUTCDATE(), GETUTCDATE(), 'fred', NULL, 'fred',
    '1111111111111111111111111111111111111111', 6, 0, NULL, 'SHA1', 30, 0);
Then we make modifications to the example TOTP configuration. Change the DBSource name (DSN) and credentials as needed in the <AuthBy SQLTOTP> block. Also, AuthSelect and UpdateQuery are modified with SQL Server syntax:
<AuthBy SQLTOTP>
  DBSource    dbi:ODBC:totp
  DBUsername  totp
  DBAuth      fred

  AuthSelect SELECT secret, active, pin, digits, bad_logins, DATEDIFF(s, '1970-01-01', accessed), \
                    last_timestep, algorithm, timestep, timestep_origin FROM totpkeys WHERE username=?
  AuthSelectParam %0

  UpdateQuery UPDATE totpkeys SET accessed=GETUTCDATE(), bad_logins=?, last_timestep=? WHERE username=?
  UpdateQueryParam %0
  UpdateQueryParam %2
  UpdateQueryParam %1
</AuthBy>
Update the configuration otherwise as needed (ie. make sure paths are correct to your setup, etc.), and set Trace 4 to see the interesting information during testing. (Re)start the Radiator server process to make sure the new configuration will be used, and then you can try your new setup. Importing the keys to your TOTP application can be done with the help of generate-totp.pl script. If you use the predefined examples, you can get the QR codes by running it like
C:\Radiator>perl generate-totp.pl -accountname "mikem" -issuer "Organisation" \
    -algorithm SHA1 -hex_secret "3132333435363738393031323334353637383930" -digits 6 \
    -image_format gif -qrcode_file \temp\mikem.gif

TOTP key to insert into Radiator database: 3132333435363738393031323334353637383930
TOTP key in BASE32 for client: GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ
Writing QR code file \temp\mikem.gif
otpauth://totp/Radiator:mikem?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Radiator&
algorithm=SHA1&digits=8&period=30

You can also create new keys by leaving out the -hex_secret parameter and insert the generated hex string into the database.

Then use your preferred method to display the generated QR code image (MS Paint or web browser are fine) and scan the key into your TOTP application. Microsoft and Google have their authenticators available for mobile devices, and Apple's mobile devices have the feature built-in. There's also a free alternative FreeOTP with an open source codebase: https://github.com/freeotp.

After getting your authenticator app set up you're ready for your first TOTP authentication using radpwtst on command line. Replace the password with your time-based response:

perl radpwtst -noacct -user mikem -password 751352
Or if static PIN is used, here PIN "fred" is prefixed to TOTP one-time-password:
perl radpwtst -noacct -user fred -password fred755224

If everything goes as expected you'll see the Access-Accept response on radpwtst's output, and also on the Radiator server's log. And if something fails, the log can be used to pin-point the problem.
This example is just basic password authentication (PAP). You can now change and expand the configuration to enable more elaborate TOTP RADIUS authentication to your devices or software as needed.

Would you like to know more?

If you want to know more how offline TOTP can be implemented for your use case and solution with Radiator, please do not hesitate to contact us. We can always be reached via email at info@radiatorsoftware.com

Wednesday, November 16, 2022

Radiator team take part in RADIUS extensions working group reboot

With the Remote Authentication Dial-In User Service (RADIUS) standard in its early 30s, it continues to be the go-to protocol for network authentication use cases. With the IETF drafting RADIUS protocol’s standard RFC 2058 in the year 1997, RADIUS has seen continuous development even though Diameter (RFC 6733) was developed to be its intended successor. Since then, RADIUS has held a strong ground in networking authentication and Diameter has become de facto standard in the TELCO field.

RADIUS is still alive and the way to keep it current with the latest security requirements such as TLS 1.3 is by cooperation of many players in the field in joint standardisation of the protocol. Last week our technical team took part in the reboot of the RADIUS extensions working group at IETF 115 meeting in London.

Some highlights from the proposed future agenda for standardisation are updating RFC 6614 RADIUS over TLS (RadSec) and developing RADIUS protocol and extensions further towards current security requirements: for example SRadius draft, Extended ID and Reverse Change of Authorisation over RadSec.

What is SRadius?

SRadius is essentially a RADIUS packet transport profile, which would mandate TLS transport and remove the previous reliance on MD5 attribute obfuscation and packet signing. This is an important change as MD5 has been proven insecure (RFC 6151) and should no longer be used. SRadius implementation would then be FIPS-140 compliant while old RADIUS is not.

Why RADIUS should be secured with TLS?

Even with the use of current EAP authentication methods, RADIUS accounting messages can and are still sent in plain text format. This accounting information can include sensitive information such as user location attributes, which are open to eavesdropping by man-in-the-middle attacks without any encryption in-between. RADIUS over TLS protocol (RadSec, RFC 6614) tunnels this information with TLS. Both RadSec and SRadius secure the transport with TLS.

The working group reboot received interest and positive feedback from many stakeholders in the field working on both commercial and non-commercial RADIUS projects. There is unanimous support across the field that rebooting the RADIUS extensions working group is necessary for the future development of RADIUS. We are looking forward to working on RADIUS drafts and standards and implementing them in Radiator.

Want to know more?

Friday, November 4, 2022

Radiator Service Provider Pack 1.8 released!

We are happy to announce that Radiator Service Provider Pack (formerly known as Radiator Carrier Pack) has been released!

The main new development is a new Diameter relay functionality. With Diameter relay, incoming Diametet traffic load can be distributed to multiple instances. The workers can be optionally made visible only as a single Diameter node to the rest of the Diameter nodes. This enhances Diameter performance when Radiator is used as 3GPP AAA server or in other use cases. For the relay functionality, we have also provided configuration examples, for Radiator SIM Pack, Radiator 3GPP AAA Server and Radiator Policy and Charging Pack.

At the same time, new release contains performance enhancements for Diameter protocol and enhanced logging for Diameter request and answers messages. More info can be found out from Radiator Service Provider Pack revision history.

Would you like to know more?

If you would like to know more about Radiator Service Provider Pack and how it could be used in your use case, please contact our team at info(a)radiatorsoftware.com

Friday, October 28, 2022

Using Radiator as the flexible, powerful AAA for FTTH service providers

 
Recently, we have seen a big rise in the number with projects where service providers are implementing new FTTH (Fibre to the Home) services – using different PON (Passive optical network) technologies, such as GPON, XG-PON1, XGS-PON. Based on different estimates for consumer services in the industry, high-performance fibre access is needed more than ever.

Because of this, one the most common new use cases for Radiator AAA server software, and especially to our Radiator Service Provider Pack is the flexible and high-powered AAA for FTTH operators – that may also run fixed line and WiFi hotspot operations at the same time. With our flexible licensing options, these Radiator installations can be run either by service providers themselves, or they can use a managed service provided by a 3rd party.



Often these enterprise use cases also include private APN (Access Point Name) service for their enterprise customers. We are happy to tell more about our experiences on providing Radiator to different environments and use cases.

With the experience from a wide range of use cases, the key benefit of Radiator is flexibility in different network infrastructures – especially when integrating AAA with different technological generations. Readymade configurations are available, as well as support for different back-ends and logging and management solutions. As we are actively participating in different standardisation efforts, Radiator is always up-to-date with the latest industry practices and security developments.

Would you like to know more? 

We are always happy to help you with your use case. Please contact our sales team at sales(a)radiatorsoftware.com for more information.

Tuesday, September 27, 2022

Radiator Policy and Charging Pack - apply credit control for your prepaid and postpaid data plans

One of our key products for service providers is Radiator Policy and Charging Pack.

Radiator Policy and Charging Pack extends Radiator by allowing direct connections to your 3GPP infrastructure through Diameter interfaces - a protocol commonly used in telecommunication networks.

The existing authentication, authorization and accounting features in Radiator are available for Diameter – RADIUS integration in Radiator Policy of Charging Pack. With this, examples of use include Wi-Fi offloading, integrating Diameter online and offline charging with RADIUS based infrastructure, integrating RADIUS accounting with Diameter online and offline charging - and much more.

How it is used by our customers

In many use cases operators and carriers have a need to expand their mobile data coverage with Wi-Fi hotspots and other Wi-Fi networks where authentication can be connected to their infrastructure with roaming. This way they can complement their mobile service with for example Wi-Fi offloading or Voice over WiFi  - at the same time keeping in track the data use of their subscribers.

With its RADIUS to Diameter conversion, Radiator Policy and Charging pack enables you to apply credit control in your network using RADIUS accounting, both with prepaid and postpaid data plans. When using prepaid data plans, the credit control features will enforce that subscriber data is limited to the amount they have paid.

Also, the credit control policies can be done in a way that the end of quota will be handled based on your business needs. For example, the customer network access can be throttled and directed to purchase additional data for renewed access. 

On more technical level, the functionality is shown in the flowchart below. Please note, how Radiator Policy and Charging Pack is situated to integrate RADIUS and Diameter interfaces, and is connected to WiFi controllers or BNG devices and with Online Charging System (OCS) or with Policy and Charging Rules Function (PCRF).

Flow chart showing the credit control functionality of Radiator Policy and Charging Pack
 

As Radiator Policy and Charging Pack is highly extensible for different customer cases, we are happy to tell you more about how your use case can be implemented. In addition, it can be integrated with other Radiator products (such Radiator SIM Pack for EAP-SIM, EAP-AKA and EAP-AKA' authentication), and we are happy to share our expertise in this as well.

Woud you like to know more?

If you would like to know more about Radiator Policy and Charging Pack and how it can be used in your use case, please contact our team at info(a)radiatorsoftware.com


Wednesday, August 10, 2022

Cisco ACS is reaching end of life - Radiator has got you covered

As announced already some time ago, Cisco will no longer support either the hardware or the software of their Access Control System (Cisco ACS) product line. If your network administration still runs Cisco ACS, it’s time to take action and upgrade it into a product with a clear future for updates and support. Radiator AAA Server software, often referred to as the Swiss Army Knife of AAA Servers, can pick up from there.

As mentioned in a previous Radiator Cookbook post in 2018, Radiator AAA Server Software offers TACACS+ support and can be integrated with existing hardware to replace current solution’s TACACS+ and RADIUS functionalities. This means that Radiator can replace the authentication functions Cisco ACS did in your previous system. All that is required is an external database for user credentials that Radiator integrates to.


Radiator is actively developed, with multiple updates per year, so continuous support for your solution is given. And most importantly, Radiator’s support team consists of experienced professionals who have developed and actively develop Radiator AAA, so your support requests are always handled by capable RADIUS and TACACS+ experts.

These same professionals will be handling the transition work from ACS to Radiator AAA, if you so wish. Our technical team consists of experienced seniors with vast experience in enterprise, ISP, CSP and other AAA solution integrations and have done these transition projects even before the EOL was announced.

Radiator, being a flexible AAA Server with TACACS+ support, can replace ACS’s TACACS+ and RADIUS functions. Radiator does not have the built-in database, but rather integrates to a customer’s existing database. If need be, we are happy this database solution through our partner. The flexibility of Radiator also includes multi-vendor support for NAS devices. This means that changing NAS devices will not be troubled by vendor lock-in.

Want to know more?

If you want to know more about Radiator AAA Server software as the flexible and supported replacement for Cisco ACS, do not hesitate to contact our sales team sales(at)radiatorsoftware.com.

Thursday, July 14, 2022

Radiator supports EAP-TLS 1.3

One of the most used authentication methods for Radiator users is EAP-TLS. It is widely supported among wireless vendors and the support for EAP-TLS is needed for different certifications for wireless authentication. Radiator has supported different versions of EAP-TLS from the start. As we want to be in the forefront of industry standards, we are happy to announce that Radiator now supports EAP-TLS 1.3 - our team has also been involved in the standardisation work for EAP-TLS and other TLS-based EAP methods.

What is new in EAP-TLS 1.3?

The key feature in EAP-TLS 1.3 is increased privacy and security. Like the RFC document says “TLS 1.3 is in large part a complete remodeling of the TLS handshake protocol including a different message flow, different handshake messages, different key schedule, different cipher suites, different resumption mechanism, different privacy protection, and different record padding.” This new remodeled TLS handshake protocol ensures faster TLS connections as well as patches previous security errors TLS 1.2 had.

Especially important in this new version for EAP-TLS is that no information about the underlying peer identity is disclosed. In other words this means that with EAP-TLS 1.3 the certificate of the user is delivered encrypted. In previous versions of EAP-TLS the client certificate was delivered without encryption, providing a possibility of tracking the users. This has been an issue for some users of EAP-TLS discouraging its deployment. To increase the security of your organization, Radiator configuration allows you to enable EAP-TLS 1.3 for devices that support it, while the earlier versions of EAP-TLS are still available for older devices. Radiator AAA Server Software and its modules are actively developed and updated to support state-of-the-art AAA security features. With the most recent Radiator SIM Pack patch, Radiator now supports IMSI Privacy as well - as one of the few AAA software vendors. So, in short, Radiator is committed to stay in the frontlines of all AAA security features at all times.

Would you like to know more?

While the support for TLS v1.3 in some operating systems varies, the Radiator implementation of TLS v1.3 and EAP-TLS is currently available in the testing branch of Radiator, but will be included in the next stable release as well. If ou are interested please test and give us feedback about the implementation.

If you want to know more about Radiator and EAP-TLS 1.3, please do not hesitate to contact our sales team at info(a)radiatorsoftware.com. For full list of Radiator technical features, you can also visit the Radiator AAA Server Software product page.

Wednesday, June 22, 2022

Radiator FAQ page out now!

You have asked, and we have answered. In the past years working with Radiator AAA, we have encountered hundreds of interesting questions in support e-mails and calls, RFPs and in other inquiries. We have collected some of the more frequently asked questions onto a FAQ page, which has recently been published. Go check it out at https://faq.radiatorsoftware.com!

What topics are covered?

The FAQ page contains answers to great variety of questions about Radiator AAA Server Software. Currently the FAQ covers our core product, Radiator AAA Server Software. At the first stage, the FAQ page focuses on Radiator AAA Server Software, our core product. We will gradually push updates and expand the FAQ based on feedback and the needs of our audience, to include our modules and general questions about Radiator Software as a company.

What if my question is not in the FAQ?

If you do not find the question that is on your mind on the FAQ page, however, please do not hesitate to contact us via e-mail to info (at) radiatorsoftware.com.

Wednesday, June 8, 2022

Introducing Radiator VNF Flex

 As a recent addition to our portfolio, we have been developing Radiator VNF Flex. Radiator VNF Flex is our new approach to NFV solutions. It focuses on managing and scaling Radiator.  Built for flexibility, Radiator VNF Flex is designed to work on top of various virtualisation environments, and is suitable for carriers, CSPs and other customers that need a scalable AAA VNF solution.

Radiator VNF Flex consists of Radiator VNF and Radiator VNF Manager. Radiator VNF Manager makes it possible to deploy and manage multiple Radiator VNFs with different configurations within one virtualisation infrastructure (VI). The architecture of the Radiator VNF Manager is designed so that multiple virtualisation infrastructures can be utilised with Virtualisation Infrastructure (VI) specific Radiator VNF Manager images. 

As all Radiator VNFs are deployed and managed by independent Radiator VNF Manager, and based on Ansible playbooks, Radiator VNF Flex is better equipped to survive Virtualisation Infrastructure or Management and Orchestration (MANO) upgrades with less additional migration, upgrade and testing work.

In the picture below, we present an example deployment for Radiator VNF Flex:


As can be seen from the image, different Radiator VNF instances then connect to customer services, such as log management and visualization systems, external databases and OSS/BSS systems. Also, it should be noted that Radiator VNF Flex does not limit Radiator VNF configurations: any Radiator configuration can be adapted to be a Radiator VNF configuration deployed by Radiator VNF Manager.

The transition process to Radiator VNF Flex is made easy. Radiator VNF Manager makes it easy to quickly deploy Radiator into production without time-consuming integration with general or third-party VNF managers. Own VNF Manager also protects the VNF and its configuration from third-party managers and components. This makes virtualisation infrastructure upgrades easier as Radiator VNF Manager handles management and orchestration of all Radiator VNFs.

To sum up, the key features of Radiator VNF Flex:

  • New Ansible-based AAA solution from Radiator
  • Easier deployment to production without time-consuming integration to third party VNF managers
  • All Radiator AAA configurations and functionalities can be implemented
  • First available on OpenStack, other support based on customer needs
  • Supports Linux distributions based on customer needs 
  • Radiator VNF Manager is provided as a separate virtual image


Would you like to know more about Radiator VNF Flex?

We are currently engaging multiple projects with Radiator VNF Flex. If you are interested in virtualising your AAA solution, please contact us at info(a)radiatorsoftware.com. We are happy to have a discussion about your use case and project, and tell how Radiator VNF Flex would suit your needs.

Tuesday, May 24, 2022

More flexibility to authentication with Ut interface and Radiator GBA/BSF Pack

One of the carrier products in our Radiator product line is the Radiator GBA/BSF Pack. The main use case for this product has been providing the authentication for VoLTE supplementary services in carrier networks and Radiator GBA/BSF Pack has been in this use for many years. 

In addition to self-provisioning VoLTE supplementary services (call forwarding, call barring, knocking, etc.) the same GBA/BSF functionalities can be used for proxying authentication to different services as well - such as Rich Communication Services or different services for IoT devices, for example.

The main functionality in GBA/BSF is that after the initial authentication, end user authentication can be proxied directly to Application Specific servers via Ut interface. The basic architecture is shown on the diagram below.


The Ut interface and authentication proxying can also be used for example in secure IoT authentication for different products, such as IoT devices that need to be authorised and authenticated. In this use case as well, the IoT device is supplied with SIM/eSIM that authenticates with carrier HSS. After the initial authentication, the later authentications can be proxied using the Authentication Proxy provided by Radiator GBA/BSF Pack.  

Radiator provides flexibility when working with Ut interface

For Ut interface, there is a wide range of different vendor specific implementations from device manufacturers. This causes differences in user equipment behaviour across vendors.

This is where Radiator GBA/BSF shows its strengths: wide interoperability accommodating different user equipment within the same systems makes our Radiator GBA/BSF easy to integrate to different network environments. Radiator GBA/BSF’s implementation allows tweaking the configuration when unexpected behaviour is encountered and adjust accordingly.

This focus to accommodate multiple vendor-specific implementations is what we have been doing in recent releases of Radiator GBA/BSF Pack - latest release in April 2022: providing more interoperability based on real observed behaviour of the devices. In this development work, the feedback from our live carrier customer has been extremely valuable.

Would you like to know more?

If you would like to know more about Radiator GBA/BSF and how it can be used in your use case, please contact our team at info(a)radiatorsoftware.com


Wednesday, April 6, 2022

Radiator Auth.Fi: Self-service, Passwordless Guest Access

 As a part of our Radiator Auth.Fi - Wi-Fi Authentication Service we provide self-service, passwordless guest access for Wi-Fi networks. With this service you can limit the use of your guest network to those users willing to validate their network access with email address or phone number. Compared to unauthenticated guest networks, the authenticated guest networks reduce network abuse  cases and overuse of network resources.

We have designed the guest network access validation to be easy and secure enough for the end-user without any hassle with passwords or need to reauthenticate. As the network access validation is done as a self-service, no vouchers are provided and needed reducing the work needed to support guest users in accessing the network - the authentication and authorization is connected to the user to the MAC address of the user device.

How does it work?

As seen from the picture below, the authentication and access process follows a few steps, after which the guest can join to the Wi-Fi network automatically - but still as an authenticated user. The steps are as follows:

  1. Guest user connects to the Wi-Fi network operated by your organization
  2. The user device of the guest user notices that authentication is needed before browsing and the user's WWW browser is redirected to the authentication page operated by Radiator Auth.Fi.
  3. Guest user chooses the method for authentication and inserts either email address or telephone number for authentication.
  4. Radiator Auth.Fi service sends the authentication verification message to the guest user to email or SMS messaging service.
  5. Email message (or optionally SMS) containing verification link is sent to the guest user 
  6. Following the verification link guest user verifies contact information and network access is authenticated with Radiator Auth.Fi
  7. Guest user can now use guest Wi-Fi network and the device joins network automatically
  8. Guest user can now use the guest Wi-Fi network for a limited time (for example 24 hours - based on your company policies) without the need for reauthentication. The authorisation of the user device to the network is checked periodically during allowed time.

Would you like to know more?

For more info about Radiator Auth.fi Wi-Fi Authentication Service, please contact our sales team at sales(a)radiatorsoftware.com or via contact form.

We are happy to discuss your use case and how Radiator Auth.fi may suit your needs. Commercially, Radiator Auth.fi is based on a flexible, pay-as-you-go subscription model that allows you scale the commercial model of the service based on your business needs. At the same time, we provide several feature options for the Radiator Auth.fi - this use case of providing guest access being one of them.

Wednesday, March 2, 2022

In-flight Connectivity with Radiator

For many of our customers we have been implementing WiFi roaming for different use cases: for example, carriers offloading traffic from their mobile network to WiFi hotspots or for providing VoWiFi (Voice over WiFi) calling to their customers.

One case for Radiator is to implement in-flight connectivity for airline carriers, providing authentication to onboard WiFi that is connected by other means (such as satellite connection) to the internet.

In this scenario, Radiator provides the necessary interfaces for WiFi roaming when subscribers of mobile operators are using their phones during the flight. With smooth WiFi roaming provided by Radiator AAA Server Software, end user devices can connect automatically to the in-flight WiFi network, and continue their use based on the roaming policy agreements between mobile operators and in-flight network operators.

Some of the benefits for this kind of solution are:

  • For the airline carrier: More value for service as a provider of smoothly connected onboard WiFi as a part of their in-flight services.
  • For the end user: Better user experience when connecting to onboard WiFi.
  • For the mobile operator: New product opportunities for mobile operator roaming with airline onboard WiFi.
  • For the onboard Wi-Fi technology provider: A flexible product with Radiator that provides connectivity to carrier networks via different interfaces.


At the same time, the solution with Radiator AAA server can of course be used in cruise ships and platforms where a smoothly run, commercial onboard WiFi is needed. 

How does it work?

On the technical side, Radiator AAA Server, combined with Radiator SIM Pack, is used to provide EAP-SIM, EAP-AKA and EAP-AKA’ authentication and connectivity to different HSS / HLR systems used by different roaming partner carriers and mobile operators. In these cases, the flexibility of Radiator helps to connect to various different systems needed via multiple interfaces.

With this configuration, in addition to handling the authentication traffic, Radiator AAA Server also proxies the accounting traffic to policy enforcement or traffic monitoring solutions that can then use it to provide access to end users, based on their data plan or subscriber profile. The following diagram shows Radiator as part of the architecture for in-flight connectivity.


Radiator provides EAP-SIM / EAP-AKA / EAP-AKA’ authentication and connecting to roaming partners HSS / HLR. 
 

Would you like to know more?

For commercial contact and more in-depth technical discussion, please do not hesitate to contact our sales team at sales(a)radiatorsotware.com . We are happy to discuss about your requirements, suitable license and configuration assistance needed for your service.


Wednesday, February 23, 2022

Radiator used for secure authentication in power companies

For many years, Radiator AAA Server Software has been used in different utilities: from mobility solutions to water monitoring. In addition to this, Radiator is used more and more in power companies that require secure ways for authentication and accounting in their networks.  Radiator, being the most flexible AAA server software in the market, is easy to configure to these case kind of use cases.

In some use cases, Radiator (and RADIUS protocol in general) is used to get accounting information from electric meters over the internet. Another use case, where secure access is critical, is the power system system management.

Radiator providing secure authentication for power system management

In power system networks, secure access and authentication to management systems is crucial. In times of cyber attacks, proper authentication methods ensure that only authorized personnel and equipment are able to manage power system equipment.

The standard way to do this secure authentication is role-based access control (RBAC) for power system management. RBAC assigns human users, automated systems, and software applications to specific roles, and restricts their access to only those resources, which the security policies identify as necessary for their roles.

As a part of being compliant to industry standards, Radiator also supports role-based access control (IEC 62351-8) in power systems and the related RADIUS attributes specified in the standard. 

Would you like to know more?

If you are interested in using Radiator in power system authentication and accounting, please do not hesitate to contact our sales team at sales@radiatorsoftware.com. Radiator, being the flexible AAA server in the market, may be just the solution for your authentication use case.

Tuesday, February 15, 2022

Upcoming webinar: Radiator Portfolio Updates - 8th March and 10th March

We are pleased to announce that we are presenting a series of live webinars about new developments in Radiator products and their use cases.

The first webinar focuses on harnessing benefits of the full Radiator product portfolio and giving brief examples from the topic list below. Each of the following sessions takes a deep-dive on real Radiator use cases, with technical insight from our experts:

  • Radiator Software news and updates in our product and services portfolio
  • Radiator Auth.fi - our new secure and easy service for Wi-Fi authentication
  • How to connect to OpenRoaming (™) roaming federation service with Radiator
  • Radiator VNF Flex - new and flexible approach to AAA VNF with Radiator
  • Using Radiator in eduroam and other roaming services 
  • Using Radiator with utility networks, such as water systems and power system management
  • Experiences from using Radiator as replacement for products nearing end-of-life
  • More coming up

The first webinar Radiator Portfolio Updates is held in parallel sessions on Tuesday 8th March 08.00-09.00 UTC and Thursday 10th March 16.00-17.00 UTC for participants from different regions to join.

Please register here to receive an invite to your preferred session. By registering you’ll also get access to the presentation recording and materials after the webinar.

Thursday, February 3, 2022

How Radiator can be used in different test use cases

Radiator AAA Server Software can be used by different vendors to perform authentication tests, whenever they need their equipment to be connected to different networks in a secure and flexible way, such as Wi-Fi networks or mobile networks. Over the years, Radiator team has acquired a lot of experience in these scenarios.

Secure authentication is especially important for vendors developing IoT-products, such as medical equipment used in mission-critical hospital Wi-Fi networks. Secure authentication, and various supported authentication methods, help the products to be connected securely in different environments.

Radiator can be easily deployed and configured when automating these tests. Whenever a new version of a product needs to go through authentication and other tests, the process is easy and time-efficient with Radiator. In addition to authentication tests, Radiator provides logging in a variety of formats, making it easy to interoperate with external testing systems.

Additionally, for many utility appliance vendors, such as water sensors or electricity meters, Radiator can handle the accounting data, which can then be used to integrate with different reporting and management systems. The Radiator team has plenty of experience with interoperability testing from different use cases.

In recent years, Radiator has been an integral component in the Wi-Fi Alliance ® testbed for Wi-Fi authentication certification purposes, which is used by vendors to acquire the Wi-Fi Certified ® certification. Authentication methods included in the testbed are EAP-TLS, EAP-TTLS, EAP-FAST, EAP-PEAP, and EAP-PWD. In other similar test cases, Radiator has been used for testing IMSI privacy encryption, which is supported by Radiator SIM Module.

Would you like to know more?

We are happy to discuss your use case, the different authentication methods, and to suggest suitable configuration and deployment models. We can provide our expertise gathered from using Radiator in different environments such as interoperability testing. For test use cases, we provide flexible licensing options; please contact our sales team at sales(a)radiatorsoftware.com.

In addition, if you would like to know more about the Wi-Fi Alliance ® testbed, we are happy to assist you.

Thursday, January 6, 2022

Radiator Auth.fi: easy and secure Wi-Fi Authentication for your organization

Organizations using Wi-Fi networks need an easy and secure way to provide access to the network, either to their own users or guests. At Radiator Software, we have been working with many use cases around this theme and we wanted to provide a solution where authentication features of Radiator can be used as easily as possible.

For this use, we created Radiator Auth.fi.

Radiator Auth.fi is a RADIUS based Wi-Fi authentication cloud service for network users and guests. It provides an easy way for employees or subcontractors to get self-service network access credentials for WPA2/WPA3 Enterprise secured network. It can also be easily deployed: you do not need new hardware, but only a few changes to the settings of your current network devices.

Radiator Auth.fi can be used globally from different locations. To accomplish this, we have set up a global cloud service that can cover multiple locations, while making sure that the service is GDPR compliant.

In addition, Radiator Auth.fi supports Wi-Fi roaming. If the visited organization and networks are part of the same roaming federation (such as eduroam or govroam) that is supported by the service, and roaming access is permitted, the roaming user’s device signs in to the network automatically and safely. It uses the settings and user credentials that are already stored in the user device.

Would you like to know more?

For more info about Radiator Auth.fi, please contact our sales team at sales(a)radiatorsoftware.com. We are happy to discuss your use case and how Radiator Auth.fi may suit your needs. Commercially, Radiator Auth.fi is based on a flexible, pay-as-you-go subscription model that allows you to scale the use of the service based on your business needs.