Radiator RADIUS for library Wi-Fi authentication

Radiator AAA server is known for its flexibility when it comes to unique use cases. This flexibility comes from the variety of supported protocols, authentication backends and logging destinations that are available in Radiator AAA server as an off-the-shelf product. This blog post will dig deeper into Radiator integration with library management systems and the 3M’s SIP2 protocol.

Library Guest Wi-Fi Authentication

Previous Radiator blog posts have gone over how network authentication works for enterprises and hotels. Today’s blog post will look at how Radiator can utilise existing library management systems to authenticate library Wi-Fi access for customers (often known as patrons). In its essence, Radiator will utilise patrons’ existing library card credentials for the authentications. Typically these credentials are used to loan and return books. This method has many benefits. First, it gives library patrons easy access to the internet without handing a common public password. Second, the internet access can be modified or disallowed based on patron status or information, for example age restrictions can be applied.

AuthBy SIP2

The key to library Wi-Fi authentication with Radiator lies on 3M™ Standard Interchange Protocol 2.0, known as the SIP2 protocol. The SIP2 protocol provides an interface between a library’s management system and library automation devices. The original use case for this protocol was and generally still is automated self-check devices for loaning and returning library books. However, this protocol can also be utilised for network authentication within the library, which is where Radiator comes in.

Radiator has a specific authentication function for this functionality. In Radiator AAA server Reference Manual Section 3.93., the function and its usage is explained. authenticates patrons based on their username and password, for example library card number and PIN code. The basic version of this configuration is very simple and Radiator’s scripts handle the communication with the library system. Essentially, In the library system’s view, Radiator is a self-service loaning device among the others.

This integration also enables further functionality. Radiator can be configured to do that if the patron has outstanding fines or fees that exceed an agreed threshold, their Wi-Fi access will be declined upon login. This is done by Radiator’s scripts and is a toggleable option within the Radiator configuration file. The access can be tied to patron status or other patron information, for example age restriction can be applied.

Want to know more?

Would you be interested in getting your library a stable, proven and affordable Wi-Fi authentication solution? Please contact us sales@radiatorsoftware.com for more information on both commercial and technical matters.

Testing the solution is also an option. We offer a 30-day evaluation licences for testing purposes and Radiator evaluation comes with thorough documentation and resources like well documented example configurations and our reference manual. To get started with a Radiator evaluation, please fill the form at our evaluation page.

New release: Radiator VNF Flex 2023.1.1 is available!

Great news! We are happy to announce that as a part of our development efforts a new release for Radiator VNF Flex is now available - Radiator VNF Flex 2023.1.1. As always, this development work has been done with close interaction with our carrier customers that have given valuable feedback when testing and implementing new features.

A sneak peek to the sales demo of Radiator VNF Flex. More visuals of the product can be found in the user guide.

 

New features and related material

During 2023, our team has developed several key feature to new Radiator VNF Flex releases - and release Radiator VNF Flex 2023.1.1 includes all the following:

• AlmaLinux 9.2 as base for the Radiator VNF Flex Image
• Radiator AAA Server Software 4.27-1 included
• Possibility to integrate Radiator VNF Manager with LDAP to allow authenticating to GUI and CLI with domain user accounts
• Possibility to use specific mirror for AlmaLinux repositories
• Includes hardenings for Radiator VNF Manager and Radiator VNF hosts
• Unneeded services removed
• Radiator VNF Manager internal firewall tightened
• Usability improvement: requirement for the Radiator VNF Flex configuration file to have unique radiator_configuration and enhancements configuration_source file names within the Radiator VNF Manager has been removed

In addition to the features implemented to the Radiator VNF Flex, we also provide extensive documentation and material for our customers interested in Radiator VNF Flex. For example, we have also published following materials to different user groups:

• Radiator VNF Manager user guide »  (for day-to-day operations)
• Radiator VNF Manager advanced user guide » (for administrative functions)
• Radiator VNF Manager Deployment and Configuration guide » (for deployments and when planning new implementations)
  
  

 Would you like to know more?

If you are interested in Radiator VNF Flex or in other Radiator products please contact our sales team at info(a)radiatorsoftware.com. We are happy to give a technical demo and discuss how we can help you with your use case.

Radiator as Steel-Belted RADIUS Replacement

Recently we have received many inquiries on whether Radiator AAA would be a good solution for replacing Juniper’s Steel-Belted RADIUS. As the aforementioned SBR has reached End of Engineering date in February, its support ending in September and with seemingly no alternative from the OEM, many operators are looking to replace their existing SBR setups with alternative established robust AAA solution. If you are among these companies, Radiator AAA is the solution for you.

Why choose Radiator AAA?

Known for its reliability and flexibility, Radiator AAA has been in the market for decades. Radiator is an actively developed and support AAA server with RADIUS and TACACS+ functionalities. With modules, Radiator AAA can also be complemented with Diameter relay, SIM-based authentication and other mobile network functionalities.

Like SBR, Radiator AAA Server offers support for both Linux, Windows and Solaris installations with various different operating systems (See our Supported Platforms for more information. Radiator has extensive support for different databases and authentication backends (SQL-based, LDAP, AD etc.) as well as support for MFA solutions with TOTP capable authenticators and tokens (Google and MS authenticator, Yubikey, DIGIPASS etc.)

The Radiator technical team consists of experts with vast experience in migration from other AAA solutions. We offer migration support and configuration assistance so you do not need to worry about meeting project schedule before SBR EoSL. Radiator can integrate with existing database and in nearly all cases no changes to schema are needed.

Like Steel-Belted RADIUS, Radiator AAA has multi-vendor support and can be installed flexibly on different platforms on physical or virtual machines. With Radiator, you can compile your AAA use cases under one product: RADIUS, Diameter, TACACS+, SIGTRAN, you name it, we have it!

Want to know more?

For any questions or other inquiries about Radiator as SBR replacement, please contact sales@radiatorsoftware.com

What’s next after IETF 116 for Radiator?

Recently, Radiator Software has been heavily involved in Internet Engineering Task Force (IETF) working groups. We see IETF as an important forum to discuss important developments that benefit our customers as well. Last month, IETF meeting 116 was organised in Japan, and Radiator Software participated in the meeting.

Now the IETF 116 has concluded and the newly rechartered RADIUS EXTensions (radext) working group is now organising its work items. The first drafts called for radext WG adoption are:

• RFC 6614 RadSec update: Transport Layer Security (TLS) Encryption for RADIUS
• RADIUS encryption and FIPS compliance enhancements, efficiency updates: RADIUS Version 1.1
• Guidance for using pre-shared keys as an alternative for certificates with (D)TLS: RADIUS and TLS-PSK

The RadSec update moves RadSec from experimental to standards track and updates TLS and encryption recommendations to cover TLSv1.3 and the current best practices.

FIPS compliance is achieved by removing the use of MD5 with RADIUS hop-by-hop attribute value obfuscation and message integrity signing. This frees the authenticator field in the RADIUS messages header and allows its re-use as a long identifier field. The current short identifier field is a major cause of problems with RADIUS, especially when used with connection oriented protocols, such as RadSec that runs over TCP. When identifiers run out, a new connection and TLS session is needed. This causes significant overhead on busy RADIUS systems.

Where RADIUS traffic is secured with TLS, many organisations can benefit from the possibility of using pre-shared keys (PSKs) instead of having to set up certificates. The use of PSKs with (D)TLS is mentioned in the current RFCs, but specific guidance of their use is now getting updated and expanded.

What does the above mean for Radiator users?

We will start implementing the new drafts and do testing, including interoperability testing, with other vendors. We will also participate in the radext working group activities to help advancing the drafts to RFCs. When the drafts stabilise, we’ll make our implementation available as part of Radiator. If you are interested in early testing, please let us know.

The work is just starting and the final number of drafts, their names and content, and resulting RFCs, are subject to change.

EAP Method Update (emu) working group has a number of drafts that are getting near to being published as RFCs.

One of the EMU drafts defines updates for using TLSv1.3 with PEAP, EAP-TTLS and some other TLS-based EAP methods. TLSv1.3 for PEAP and EAP-TTLS is already implemented in Radiator 4.27.

Another EMU working group draft defines updates and clarifications for TEAP, for which our customers have also shown a lot of interest. Radiator implementation for TEAP aims directly for the revised version and it is under development and interoperability testing.

Would you like to know more?

If you are interested more about these and other developments with Radiator, you can always contact us at info(a)radiatorsoftware.com. We are always delighted to hear about different use cases of our customers, and to provide assistance when needed.

Enterprise network authentication with Radiator

Is your Wi-Fi password written on the conference room wall? Can your guests just plug a cable in and be connected to your enterprise network? These are situations where Radiator could help your network security. Once a company grows out of the founder’s garage, gains some employees and takes up an office space, this office in most cases needs a networking solution for both the company internal network and access to the internet for employees. At the beginning these might be resolved with one router with open Wi-Fi and a shared folder over the internet. However, companies should implement some form of security for their enterprise network. The goal for these implementations is that the right people have access to the right networks and other people do not. And once these basic needs are met, then flexibility and user experience should also be taken into account.

Radiator as enterprise network AAA Server

Enterprise network authentication is a bread-and-butter use case for Radiator. The key differentiator in the market for Radiator is flexibility. Radiator offers a variety of options for when it comes to what the users are authenticated against (SQL database, LDAP or Active Directory, REST etc.), as well as what hardware your enterprise uses for their network. Radiator also offers multi-vendor support for network devices.

This is a basic setup which can be altered depending on your organisation’s needs. Multi-factor authentication with TOTP or HOTP can also be added to the solution for enterprises who want to add another layer of security to their network. Radiator supports a great variety of options for TOTP and HOTP implementations. On the other hand, Radiator can also be used for network device administration as a TACACS+ server (more information about this use case in our previous blog post). Another key differentiator for Radiator is access to active and competent support. Both Radiator email and telephone support grant you straight access to experienced Radiator developers so you can be sure your issues are resolved swiftly. While many company flagship RADIUS server products like Cisco’s ACS and Junipers Steel Belted RADIUS have been announced End-of-Life, Radiator is actively developed and supported.

Managed solution for Wi-Fi Authentication

Radiator also offers enterprise Wi-Fi authentication as a service: Radiator Auth.Fi. Radiator Auth.fi is a RADIUS based Wi-Fi authentication cloud service for authenticating network users and guests. It provides user authentication as a service for Wi-Fi, wired network and VPN. Subscription based cloud service works globally, one service covering all customer locations. Radiator Auth.fi also provides an easy way to connect to eduroam and govroam. The starting requirements for this service is RADIUS capable Wi-Fi controller. The starting solution enables simple username-password authentication for both employees and guests. This solution can be customised to include certificate authentication in collaboration with certificate provisioning solutions and PKIs such as for example SCEPman, Microsoft NDES, Intune. For more information about the managed solution for Wi-Fi authentication Radiator Auth.Fi, please see the previous blog post and our Radiator Auth.Fi product presentation.

Want to know more?

If you would like to know more about how Radiator can help your organisations enterprise network AAA needs, please contact our sales team via e-mail sales@radiatorsoftware.com or via our contact form.

Radiator team take part in IETF 116 in Yokohama

We at Radiator take pride in applying the latest industry standards into Radiator. Part of these efforts include actively engaging with the relevant IETF working groups. Following up on the widely supported reboot of the RADIUS Extensions working group at IETF 115 in London, Radiator team is flying out to Japan to participate in IETF 116 in person. We’re especially looking forward to these two sessions:

RADIUS EXTensions (radextra)

EAP Method Update (emu)

Meet the team

Staying at the forefront of industry developments is a top priority for Radiator development. As always, we are looking forward to working on RADIUS drafts and standards and implementing them in Radiator. If you’re in Yokohama, come find us at the and say hi! The point of contact is Radiator developer Heikki Vatiainen, who is available to meet at Pacifico venue. Everyone else, please drop us an email!

Want to know more?

IETF 116 Yokohama

IETF 116 RADIUS EXTensions meeting

IETF EAP Method Update meeting

Our blog from IETF 115 highlights

info@radiatorsoftware.com

Radiator SIM Pack 2.8 released! Major scalability improvement and other enhanced features

We are pleased to announce the release of Radiator SIM Pack version 2.8. This new release contains major scalability improvement and many enhanced features.

Scalability improvement and other enhanced features

To make it easier to manage large installations and improve performance, Radiator 3GPP AAA Server now supports configuration with multiple parallel workers that use the same Diameter identity. This update was also reflected in earlier Radiator Service Provider Pack release. 

In addition, Radiator SIM Pack has supported IMSI Privacy since release 2.5 and 2.8 release now adds support for certificate revocation and expiration notifications. For more info about IMSI Privacy features in Radiator SIM Pack, please see our new whitepaper.

Also, customers using SIGTRAN will be pleased to learn that SIGTRAN stack upper layers have been rearranged to better support additional MAP dialogues. For more detailed changes, please see the Radiator SIM Pack revision history.

Would you like to know more?

If you like to know more about Radiator, the new release and how it can help you in your use case, you can always contact our team at info(a)radiatorsoftware.com - or fill out the contact form.

New whitepaper: Introduction to IMSI Privacy Protection for Wi-Fi with Radiator SIM Pack

 

Great news! We are proud to present our new whitepaper “Introduction to IMSI Privacy Protection for Wi-Fi with Radiator SIM Pack”. You can download the whitepaper from our website.

What is IMSI Privacy about and why is it important?

One of the key use cases for SIM authentication, Wi-Fi offloading enables SIM-based devices to automatically switch data and voice traffic from mobile networks to Wi-Fi networks. This lets mobile carriers and operators reduce their operating costs, and provide better network coverage and customer service, in locations with high amounts of mobile traffic. However, without IMSI Privacy Protection for Wi-Fi the mobile user’s identity will be exposed on the Wi-Fi network when the device is authenticated and the latest Android and iOS mobile devices will also give the user a security warning and may refuse to connect automatically.

Since many of the SIM-based Wi-Fi authentication use cases, such as Wi-Fi offloading, Voice over Wi-Fi and Wi-Fi roaming capabilities are growing in importance, mobile OS manufacturers are putting pressure on the industry to improve Wi-Fi security, leading to a clear need for reliable IMSI Privacy Protection.

In our white paper, we give an overview of the security issues with Wi-Fi SIM-based device authentication and introduce the Radiator SIM Pack, which is a proven solution for IMSI Privacy Protection for Wi-Fi.

For more information, please download the whitepaper from our website.

*) In SIM-based mobile devices, like smart phones and tablets, the user’s unique identifier is stored on the SIM card in a standard format known as the International Mobile Subscriber Identifier, or IMSI for short.

Meet Radiator Team at Mobile World Congress Barcelona 2023!

Radiator Software is exhibiting at MWC23 Barcelona! 

We are delighted to announce that Radiator team will once again be exhibiting at the world’s largest connectivity event of the year: Mobile World Congress 2023 held at Fira Gran Via in Barcelona on 27 February – 2 March.

Our theme for this event is the capabilities of Radiator SIM Pack; a standalone support SIM-based authentication methods with use cases like WiFi offloading, in-flight connectivity and OpenRoaming. To prepare for the event next month we are hosting a webinar about SIM Authentication with Radiator next week on 24th and 26th of January. More information and sign up at our webinars page.

Where can you find the Radiator team?

Finland country pavillion, booth 7G41.

We are exhibiting with fellow Finns in hall 7. The event team will consist of both commercial and technical Radiator experts so whichever Radiator topic you have in mind, we have got you covered. So whether you are familiar with Radiator or considering options for your AAA needs, or just exploring the world of network authentication come stop by and have a chat with us.

If you want to schedule a meeting or simply ask a question, please fill out this form and we will get back to you.

See you in Barcelona!