Radiator 4.28 released!

We are pleased to announce the release of Radiator version 4.28! The latest release is full of stability, usability and interoperability features that make it easier than ever to run and maintain Radiator.

New usability improvements

Multiple logging improvements for easier debugging

AuthBy REST and SIP2 improvements according to customer feedback

Ready to use profiles for Linux firewalls: firewalld (Red Hat, Alma Linux, Rocky Linux) and ufw (Ubuntu, Debian)

New attributes ensuring interoperability

New vendor specific attributes included in the standard dictionary:

3GPP release 17 and 5G internetworking attributes

Wi-Fi Alliance (WFA) Passpoint release 3 Hotspot 2.0 attributes

Wireless Broadband Alliance (WBA) attributes, used especially in OpenRoaming (latest from Github).

New vendor specific attributes for Aruba, Juniper, Meraki and PaloAlto, and new Huawei dictionary and attributes

More detailed changes can be found in the revision history. Radiator packages are available to download for current licensees from the downloads page and the Radiator repository.

Would you like to know more?

As always, you can contact our sales team at info(a)radiatorsoftware.com - we are happy to learn more about your use case and assist you!

Radiator first setup walkthrough

Radiator is a command line software which is controlled with a simple text file. The Radiator AAA reference manual and goodies directory contain a plethora of examples, but it might be daunting to find a good starting place.

Installing Radiator

Radiator runs on a wide range of platforms and there are platform specific installation packages as well as the full source code package available. Check out the installation instructions from Radiator AAA reference manual.

The manual lists various system requirements, but the absolute minimum that is needed for a simple initial setup are Radiator installation package, Radiator Radius::UtilXS add-on and Perl. Perl is usually included in the most common Unix distributions, and for Windows the Radiator MSI package contains all of these!

Running Radiator for the first time

Once Radiator is installed, it is time to see that Radiator can be run. The deb, RPM and MSI installation packages all install Radiator so that it is controlled by the system. On the Unix side by systemd and on Windows as service. By default the installation also brings a Radiator configuration that can be used to verify the installation, that is the configuration is capable of receiving RADIUS authentication and accounting requests from within the system and always responds with accept.

See how to start Radiator service and run the test from the installation instructions:

• For Linux installations
• For Windows installations

Developing own Radiator configuration

The default configuration available right after Radiator installation is not particularly useful, seeing as it always responds with accept. To develop a proper Radiator configuration, suitable to your needs, check out the goodies directory available in /opt/radiator/radiator/goodies/ on Linux and in \Radiator\Radiator\goodies\ on Windows. Note that on Windows Radiator is automatically installed on the drive that has most space, so the directory can be C:\Radiator\Radiator\goodies\ but it could also be E:\Radiator\Radiator\goodies\

Goodies contains full configuration examples, so when picking suitable starting point to your own configuration you can just copy the whole configuration from goodies as the default Radiator configuration /etc/radiator/radiator.conf on Linux or C:\Program Files\Radiator\radiator.conf on Windows. For example goodies/simple.cfg shows how to authenticate users from a file:

1. Copy the goodies/simple.cfg as /etc/radiator/radiator.conf or as C:\Program Files\Radiator\radiator.conf
2. The simple.cfg refers to users file, which is located to %D (check out more about special characters from this section of the reference manual)
3. There is a default users file available in /opt/radiator/radiator/ on Linux and in \Radiator\Radiator\, which can be copied to /etc/radiator/ directory on Linux or C:\Program Files\Radiator\ on Windows.
Have a look at the contents of the users to see the example users defined therein
4. Now that the new configuration file and the file listing the users are on their place, it is time to restart Radiator so the new configuration is read: sudo systemctl start radiator on Linux and restart Radiator AAA Server service on Windows
5. Whenever Radiator is restarted, it is a good practice to check out the Radiator log file in case there were any errors on the configuration. By default the log files are under /var/log/radiator/ on Linux or C:\Program Files\Radiator\ on Windows. Especially the Radiator process log file radiator.log should be checked as the possible errors could cause unexpected behavior or even leave Radiator unable to start.
6. Test the configuration by running

   perl /opt/radiator/radiator/radpwtst -user mikem -password fred

   on Linux or on Windows:
   1. Click "Radiator Software" -> "Radiator configuration" on the Windows Start menu. This opens a Windows Explorer window that shows the contents of Radiator configuration and log directory under the "Program Files" folder.
   2. Double click "Perl command line" to open a Command Prompt window
   3. Run

      perl radpwtst -user mikem -password fred

7. End result should be 3 OKs, as the radpwtst automatically sends one authentication request, one accounting start request and one accounting stop request.

Working with source code package

Although the recommended approach is to use the distribution specific Radiator packages, sometimes the source code package is the only option. The source code package can be unpackaged to any directory and it doesn’t automatically create any services. The simplest way to test the source code package is to run both Radiator server and radpwtst test from the command line.

1. Take goodies/simple.cfg as starting point and copy it to one level up. Check the DbDir and DictionaryFile defined on the simple.cfg and edit both to point to the location where the source code package was extracted.
2. Run radiusd from the command line:

   perl radiusd -foreground -log_stdout -trace 4 -config_file simple.cfg

3. Leave the command line running so you can watch the logging, then open a second command line and run the test utility radpwtst:

   perl radpwtst -user mikem -password fred

   1. Have a look at the contents of the file called users to see the example users defined therein
4. End result should be 3 OKs, as the radpwtst automatically sends one authentication request, one accounting start request and one accounting stop request.

All done!

You now have a basic Radiator installation and you are ready to start configuring Radiator your own use case. Check out these resources:

• Radiator AAA reference manual
• Configuration samples in Goodies directory included your distribution
• Radiator Software FAQ

For any questions, please reach out to us at info(a)radiatorsoftware.com. We’re always ready to discuss your use case and how to implement it with Radiator!

RADIUS news from IETF118

Practically all current Wi-Fi controllers and APs for enterprise and carriers support RADIUS. Mobile network APN and DNN authentication, fixed line fiber-to-the-home gateways and other broadband equipment depend on RADIUS authentication. The industry that uses RADIUS is growing and the standardisation work is active proving RADIUS is in rude health.

The latest Internet Engineering Task Force (IETF) meeting was held earlier this month in Prague, Czechia - with the Radiator team in attendance. RADIUS work is mainly done by the RADIUS EXTensions (radext) working group. The current radext draft documents are related to security enhancements, protocol extensions, maintenance and best practices.

TLS-PSK and RADIUS 1.1

TLS-PSK for RADIUS over TLS and DTLS (also known as RadSec) draft is moving towards the publication phase. The draft has completed its development within the working group. The intended status for the draft is to become an Informational RFC. TLS-PSK greatly eases the configuration of RadSec by using Pre-Shared Keys with TLS instead of certificates.

Closely following the TLS-PSK draft is the draft for RADIUS Version 1.1. This draft is currently in the working group last call phase before it moves on towards publication. With RADIUS Version 1.1, the obsolete methods for RADIUS integrity and authentication are replaced by TLS and DTLS.

RadSec update and depreciation of insecure methods

Other work still in the draft development phase includes an update to RadSec. The update obsoletes the current RFCs for RADIUS over TLS (RFC 6614) and RADIUS over DTLS (RFC 7360) by merging them into a single specification. The draft obsoletes TLS 1.1 and earlier versions, requires TLS-PSK for servers, clarifies the use of DTLS, TLS session resumption, certificate verification and other topics.

Security of RADIUS is updated by a draft that deprecates insecure transport and authentication methods. The draft discusses the problems with unencrypted UDP and TCP transports and common RADIUS authentication methods, such as CHAP. The draft formally deprecates a number of ways these are currently insecurely used. Use of TLS or IPsec transport is now mandated and scope of UDP and TCP transports is reduced.These unsecured transports can be used in secure networks only.

RadSec CoA and Roaming support enhancements

RADIUS dynamic authorisation is updated by a draft that defines how to use existing RadSec connections to send change of authorization (CoA) requests. This allows easier CoA deployments in environments where firewalls, routing or other reasons make it hard to send requests towards a RADIUS client. This specification documents the existing usage that is already implemented by a number of server and client vendors.

Roaming support enhancements are defined in a draft that is currently in working group adoption phase. These enhancements include RADIUS request routing loop detection, remote realm status check and RADIUS request path discovery. This draft is likely approved as a working group draft before the end of the year.

The radext working group is also helping other IETF working groups with draft reviews, liaison work with other organisations, such as Wireless Broadband Alliance (WBA). The working group may continue to work on other documents after the current ones are finished.

What do I gain as a Radiator user?

The new functionality becomes available in Radiator when the drafts are nearing completion. For example TLS-PSK support is made available with the existing RadSec support allowing the Radiator customers to choose between PSK and certificate authentication. As a Radiator user, you will directly benefit from the work we do in the IETF. This will ensure your authentication service stays current and secure and follows the latest standards.

Want to know more?

For status of all current drafts and the working group in general, see https://datatracker.ietf.org/wg/radext/documents/

If you want to know more about Radiator team’s involvement in standardisation or discuss Radiator roadmap items from these drafts, please contact info@radiatorsoftware.com

Meet Radiator team in Prague at IETF118

Radiator team continues the active engagement with RADIUS working groups at IETF and the team will also be attending IETF 118 meeting in Prague next week. You’ll find us at these sessions:

• Hackathon
• RADIUS EXTensions (radextra)
• EAP Method Update (emu)
• MAC Address Device Identification for Network and Application Services (madinas)

See full meeting agenda here: https://datatracker.ietf.org/meeting/118/agenda/

Meet the team

Radiator team is staying at the Hilton Prague event venue throughout the whole event and our engineers are available to discuss any authentication related topics. Just look for the people with Radiator hoodies!

Want to know more?

Stay tuned for meeting recap and the latest standardisation highlights - we’ll be posting another blog right after the team is back home.

Meet the Radiator Team at WGC EMEA and Network X in Paris!

We are delighted to announce that Radiator Software will be exhibiting at the top connectivity events of the season: WGC EMEA and Network X co-located at Porte de Versailles conference centre in Paris on 23 – 26 October 2023.

Wireless Global Congress EMEA 23 – 26 October

The Radiator team will participate in the WBA Members-Only Sessions on 23 and 24 Oct, and the WGC EMEA Open Congress on 25 and 26 Oct. Backed with 20 years of roaming experience, Radiator team can help you deploy RadSec, OpenRoaming, In-Flight Connectivity, and IMSI Privacy with best in class security.

For more information about Wireless Global Congress EMEA 2023, please see the official event website: https://www.wirelessglobalcongress.com/wgc-emea-2023/

Network X 24 – 26 October

Network X event brings together Broadband World Forum, 5G World and Telco Cloud. For service providers of all kinds, Radiator provides a flexible AAA solution for fixed broadband, wireless, and WiFi offloading including VoWiFi.

For more information about the Network X event, please see the official website: https://networkxevent.com/

Meet with Radiator team

We extend an invitation to all WGC EMEA and Network X attendees to visit Radiator Software booth F19. Here, you can engage Radiator experts for insightful discussions on latest advancements in network authentication, WiFi and mobile convergence and how Radiator unifies RADIUS and Diameter infrastructure.

To schedule a meeting or simply ask a question, please leave a message and we will get back to you. See you in Paris!

Replacing Juniper SBR in mobile APN authentication with Radiator

Like we have written before in our blog, Radiator AAA Server Software is currently being used in many projects to replace Juniper’s Steel-Belted RADIUS that is now reaching the end of support. Of course at the same time, many FTTH service providers, ISPs and mobile operators are always searching for new options when they prepare their network infrastructure for the future.

One specific use case where we have seen a lot of demand for Radiator is the RADIUS authentication needed in mobile networks. In mobile networks, RADIUS protocol is used when there are private, organization-specific APN (Access Point Name) network paths in use. For example, critical communications such as emergency services often require this kind of network segmentation to secure their operations.

In VoLTE/4G networks, PGW/GGSN components in mobile networks make RADIUS queries to RADIUS server (such as our Radiator), and RADIUS server then authenticates and authorizes the end user to a specific APN network path - that can for example be an enterprise-related private network.

What we have been recently doing with many customers is the replacement of RADIUS servers and the related business logic in mobile networks. These have been done both with Radiator AAA Server Software and with the consultation of our technical team. At the same time, these projects are often combined with different accounting use cases, storing of CDR records etc.

When preparing for the future and taking the course to 5G networks, either RADIUS or Diameter interfaces will be used for similar use cases. Radiator, with extensive support of different TLS-based EAP methods, is of course prepared for this use case with 5G networks as well.

Would you like to know more?

In case you are looking for a future-proof RADIUS and Diameter server for your mobile network, we are happy to provide more info - and discuss your use case. Just reach out to us at sales@radiatorsoftware.com and we can discuss further.

Cutting roaming costs and expanding coverage with Radiator SIM-based authentication.

Modern SIM-based devices, like smartphones and tablets, are able to join and switch between different networks automatically. This is especially valuable to mobile operators who want to offload data from their mobile network to a nearby Wi-Fi network, because Wi-Fi connections are significantly cheaper to operate. It also enables Wi-Fi providers to monetize their Wi-Fi net- works and provide services in partnership with mobile operators. In addition, with use of OpenRoaming or other Wi-Fi roaming services, it also provides a way to expand the coverage of carrier Wi-Fi.

Use cases for the SIM authentication include:

Wi-Fi Offloading:

In busy locations with high volumes of mobile traffic like sports stadiums, shopping malls, public transport hubs and underground metros, SIM-based devices can automatically switch from mobile data connections to local Wi-Fi networks. Transferring the data traffic to Wi-Fi networks reduces the load on the mobile network, which improves the coverage and the user experience. In addition, using Wi-Fi roaming services, such as Orion Wi-Fi or OpenRoaming, can further reduce costs when carriers can use these additional services for Wi-Fi offloading.

Voice over Wi-Fi

SIM-based devices can also switch voice calls from mobile networks to Wi-Fi networks, and this kind of call is known as Voice over Wi-Fi. As with data traffic, switching traffic from regular calls to Wi-Fi networks can help carriers and operators to reduce the load on the mobile network, enabling better call quality and continuity.

Wi-Fi Roaming

When a SIM-based device automatically joins a Wi-Fi network or switches to another one, this is called Wi-Fi roaming. Wi-Fi roaming is used to maintain an uninterrupted data connection when the user moves from location to location, or when the current Wi-Fi connection is overloaded or when the signal is weak. In these situations as well, using OpenRoaming and other Wi-Fi roaming services can expand the coverage for mobile carrier.

Wi-Fi SIM-based authentication is essential to making these capabilities work. Before a device is allowed to join a new Wi-Fi network, it must be authenticated using the IMSI*. For this reason, Wi-Fi SIM-based authentication is supported by the latest Android and iOS mobile devices. However, there are still some security issues with this type of authentication. As a result, mobile OS manufacturers are now pushing for even better security on Wi-Fi networks and they require IMSI Privacy Protection with all new OS versions.

How can Radiator help you in this?

The Radiator SIM Pack for Radiator AAA Server Software makes it easy for operators to enable IMSI Privacy Protection. It is the key component needed for secure and seamless switching between mobile and Wi-Fi networks using SIM-based authentication. The Radiator SIM Pack also provides all the functions required for a 3GPP AAA Server.

IMSI privacy is a key feature of the Radiator SIM Pack, and it provides server-side support for permanent identity protection during Wi-Fi SIM-based authentication, Wi-Fi offloading and VoWiFi, resulting in a higher quality user experience. You can read more about Radiator SIM Pack and IMSI Privacy protection from our IMSI Privacy whitepaper.

In addition to this, Radiator provides also all the services and products needed when joining to  Wi-Fi roaming services, such as OpenRoaming, or when connecting to mobile carrier infrastructure by using Diameter interfaces.

Would you like to know more?

If you would like to know more about Radiator, SIM authentication, IMSI Privacy, joining OpenRoaming etc., and how we can help you in your use case, you can always contact our team at info(a)radiatorsoftware.com. Looking forward to hearing from you!

*) In SIM-based mobile devices, like smart phones and tablets, the user’s unique identifier is stored on the SIM card in a standard format known as the International Mobile Subscriber Identifier, or IMSI for short.

Radiator AAA hardware requirements

In many of our new deployment projects, we face the common question “How much CPU, RAM and disk space does Radiator need for x users?” While conservative estimates can be given, there is much more to this question than a simple figure.

The requirements of the system depend on the use case, backend, and implementation. In this blog post we will go over the variables and why it actually is misleading from us to give an answer to this question - but at the same time, we are always happy to help you with the hardware correct sizing.

Use case

There are major differences between the requirements for different authentication methods. The differences can be divided to two: Number of transactions per authentication, and number of interim-accounting transactions per session. One PEAP or EAP-TTLS request can consist of many messages, while a fixed-line authorisation has less transactions.

In reality, AAA servers are usually not the hold-up. Database latency is often the limit for AAA server performance. The database just does not respond in time when the load is high enough. In networking authentication, some use cases are read-heavy and some write-heavy on the database. To allow for better system performance, the database model should be optimised based on the demand for writes over reads or the other way around. What can and should be done is separate VMs for Radiator and the database. It is always better to run AAA server and database on separate servers.

Implementation

Network design plays an important role in ensuring your Radiator setup is sized sufficiently. Radiator can be configured to run as a loadbalancer for other Radiator instances. While there also are other loadbalancer options, a setup loadbalanced with Radiator loadbalancer configuration has better throughput than one without loadbalancing.

The requirements

In conclusion, there are many factors that affect the system performance, and sizing Radiator depends heavily on the use case and preferred architecture. However, a conservative starting point that we give customers is that each Radiator instance requires 1 vCPU and 0.5 GB RAM and it runs around 1000 TPS. This may heavily vary depending on the use case.

As for disk space, Radiator itself takes around 20 MB of disk space. This does not take into account requirements of the operating system and log data generated by Radiator. However, the Radiator logs can be shipped off to another log host machine to assure the Radiator host’s disk is not filled with log data.

Radiator OpenRoaming Configuration Guide now available!

We are happy to announce that Radiator OpenRoaming Configuration Guide is now available!

What is OpenRoaming?

WBA OpenRoaming™ is a global Wi-Fi roaming federation service that enables an automatic and secure connection to Wi-Fi among a network of roaming partners that all adhere to the OpenRoaming™ framework. It provides a new global standards-led approach, removing public-guest Wi-Fi connectivity barriers and bringing greater convenience and security to the wireless ecosystem, enabling new business models. See more from Wireless Broadband Alliance website.

What is the Radiator OpenRoaming Configuration Guide?

You can find the guide from Radiator OpenRoaming Configuration Repository.

The Radiator OpenRoaming Configuration Repository has ready-to-use/adapted configurations for implementing OpenRoaming ANP or IdP RADIUS/RADSEC server with the Radiator AAA server software.

If you are already an operator or organisation with existing Wi-Fi roaming and authentication infrastructure the Radiator OpenRoaming configurations are designed to be able to connect your existing RADIUS servers to OpenRoaming with minimal changes to your production configuration.

The Radiator OpenRoaming configurations also support prioritizing static roaming agreements for specific realms over OpenRoaming Dynamic Peer Discovery as well as last resort default authentication targets.

How can Radiator Software help you?

As seen from the configuration guide, Radiator AAA Server Software is suited perfectly for joining OpenRoaming. Additionally, our product portfolio brings more features to mobile operators, carriers and other enterprises that want to benefit from Wi-Fi roaming. For example, our Radiator SIM Pack software provides the features needed for SIM authentication (with EAP-SIM, EAP-AKA and EAP-AKA’ authentication methods), providing also the features needed for IMSI Privacy when roaming.

Our team is also happy to help when doing the configuration work for joining OpenRoaming. We can also arrange workshops or provide remote consultation - in addition to the email support provided with the product.

Would you like to know more?

If you would like to know more, our team is available for a meeting in the Wireless Global Congress Americas in Las Vegas 19th - 22nd of June 2023. There will also be a Radiator Software webinar introducing the configuration guide and configuration templates on the 8th of June with more information at our webinars page. And as always, you can of course reach out to our team at info(a)radiatorsoftware.com.

Radiator RADIUS for library Wi-Fi authentication

Radiator AAA server is known for its flexibility when it comes to unique use cases. This flexibility comes from the variety of supported protocols, authentication backends and logging destinations that are available in Radiator AAA server as an off-the-shelf product. This blog post will dig deeper into Radiator integration with library management systems and the 3M’s SIP2 protocol.

Library Guest Wi-Fi Authentication

Previous Radiator blog posts have gone over how network authentication works for enterprises and hotels. Today’s blog post will look at how Radiator can utilise existing library management systems to authenticate library Wi-Fi access for customers (often known as patrons). In its essence, Radiator will utilise patrons’ existing library card credentials for the authentications. Typically these credentials are used to loan and return books. This method has many benefits. First, it gives library patrons easy access to the internet without handing a common public password. Second, the internet access can be modified or disallowed based on patron status or information, for example age restrictions can be applied.

AuthBy SIP2

The key to library Wi-Fi authentication with Radiator lies on 3M™ Standard Interchange Protocol 2.0, known as the SIP2 protocol. The SIP2 protocol provides an interface between a library’s management system and library automation devices. The original use case for this protocol was and generally still is automated self-check devices for loaning and returning library books. However, this protocol can also be utilised for network authentication within the library, which is where Radiator comes in.

Radiator has a specific authentication function for this functionality. In Radiator AAA server Reference Manual Section 3.93., the function and its usage is explained. authenticates patrons based on their username and password, for example library card number and PIN code. The basic version of this configuration is very simple and Radiator’s scripts handle the communication with the library system. Essentially, In the library system’s view, Radiator is a self-service loaning device among the others.

This integration also enables further functionality. Radiator can be configured to do that if the patron has outstanding fines or fees that exceed an agreed threshold, their Wi-Fi access will be declined upon login. This is done by Radiator’s scripts and is a toggleable option within the Radiator configuration file. The access can be tied to patron status or other patron information, for example age restriction can be applied.

Want to know more?

Would you be interested in getting your library a stable, proven and affordable Wi-Fi authentication solution? Please contact us sales@radiatorsoftware.com for more information on both commercial and technical matters.

Testing the solution is also an option. We offer a 30-day evaluation licences for testing purposes and Radiator evaluation comes with thorough documentation and resources like well documented example configurations and our reference manual. To get started with a Radiator evaluation, please fill the form at our evaluation page.

New release: Radiator VNF Flex 2023.1.1 is available!

Great news! We are happy to announce that as a part of our development efforts a new release for Radiator VNF Flex is now available - Radiator VNF Flex 2023.1.1. As always, this development work has been done with close interaction with our carrier customers that have given valuable feedback when testing and implementing new features.

A sneak peek to the sales demo of Radiator VNF Flex. More visuals of the product can be found in the user guide.

 

New features and related material

During 2023, our team has developed several key feature to new Radiator VNF Flex releases - and release Radiator VNF Flex 2023.1.1 includes all the following:

• AlmaLinux 9.2 as base for the Radiator VNF Flex Image
• Radiator AAA Server Software 4.27-1 included
• Possibility to integrate Radiator VNF Manager with LDAP to allow authenticating to GUI and CLI with domain user accounts
• Possibility to use specific mirror for AlmaLinux repositories
• Includes hardenings for Radiator VNF Manager and Radiator VNF hosts
• Unneeded services removed
• Radiator VNF Manager internal firewall tightened
• Usability improvement: requirement for the Radiator VNF Flex configuration file to have unique radiator_configuration and enhancements configuration_source file names within the Radiator VNF Manager has been removed

In addition to the features implemented to the Radiator VNF Flex, we also provide extensive documentation and material for our customers interested in Radiator VNF Flex. For example, we have also published following materials to different user groups:

• Radiator VNF Manager user guide »  (for day-to-day operations)
• Radiator VNF Manager advanced user guide » (for administrative functions)
• Radiator VNF Manager Deployment and Configuration guide » (for deployments and when planning new implementations)
  
  

 Would you like to know more?

If you are interested in Radiator VNF Flex or in other Radiator products please contact our sales team at info(a)radiatorsoftware.com. We are happy to give a technical demo and discuss how we can help you with your use case.

Radiator as Steel-Belted RADIUS Replacement

Recently we have received many inquiries on whether Radiator AAA would be a good solution for replacing Juniper’s Steel-Belted RADIUS. As the aforementioned SBR has reached End of Engineering date in February, its support ending in September and with seemingly no alternative from the OEM, many operators are looking to replace their existing SBR setups with alternative established robust AAA solution. If you are among these companies, Radiator AAA is the solution for you.

Why choose Radiator AAA?

Known for its reliability and flexibility, Radiator AAA has been in the market for decades. Radiator is an actively developed and support AAA server with RADIUS and TACACS+ functionalities. With modules, Radiator AAA can also be complemented with Diameter relay, SIM-based authentication and other mobile network functionalities.

Like SBR, Radiator AAA Server offers support for both Linux, Windows and Solaris installations with various different operating systems (See our Supported Platforms for more information. Radiator has extensive support for different databases and authentication backends (SQL-based, LDAP, AD etc.) as well as support for MFA solutions with TOTP capable authenticators and tokens (Google and MS authenticator, Yubikey, DIGIPASS etc.)

The Radiator technical team consists of experts with vast experience in migration from other AAA solutions. We offer migration support and configuration assistance so you do not need to worry about meeting project schedule before SBR EoSL. Radiator can integrate with existing database and in nearly all cases no changes to schema are needed.

Like Steel-Belted RADIUS, Radiator AAA has multi-vendor support and can be installed flexibly on different platforms on physical or virtual machines. With Radiator, you can compile your AAA use cases under one product: RADIUS, Diameter, TACACS+, SIGTRAN, you name it, we have it!

Want to know more?

For any questions or other inquiries about Radiator as SBR replacement, please contact sales@radiatorsoftware.com

What’s next after IETF 116 for Radiator?

Recently, Radiator Software has been heavily involved in Internet Engineering Task Force (IETF) working groups. We see IETF as an important forum to discuss important developments that benefit our customers as well. Last month, IETF meeting 116 was organised in Japan, and Radiator Software participated in the meeting.

Now the IETF 116 has concluded and the newly rechartered RADIUS EXTensions (radext) working group is now organising its work items. The first drafts called for radext WG adoption are:

• RFC 6614 RadSec update: Transport Layer Security (TLS) Encryption for RADIUS
• RADIUS encryption and FIPS compliance enhancements, efficiency updates: RADIUS Version 1.1
• Guidance for using pre-shared keys as an alternative for certificates with (D)TLS: RADIUS and TLS-PSK

The RadSec update moves RadSec from experimental to standards track and updates TLS and encryption recommendations to cover TLSv1.3 and the current best practices.

FIPS compliance is achieved by removing the use of MD5 with RADIUS hop-by-hop attribute value obfuscation and message integrity signing. This frees the authenticator field in the RADIUS messages header and allows its re-use as a long identifier field. The current short identifier field is a major cause of problems with RADIUS, especially when used with connection oriented protocols, such as RadSec that runs over TCP. When identifiers run out, a new connection and TLS session is needed. This causes significant overhead on busy RADIUS systems.

Where RADIUS traffic is secured with TLS, many organisations can benefit from the possibility of using pre-shared keys (PSKs) instead of having to set up certificates. The use of PSKs with (D)TLS is mentioned in the current RFCs, but specific guidance of their use is now getting updated and expanded.

What does the above mean for Radiator users?

We will start implementing the new drafts and do testing, including interoperability testing, with other vendors. We will also participate in the radext working group activities to help advancing the drafts to RFCs. When the drafts stabilise, we’ll make our implementation available as part of Radiator. If you are interested in early testing, please let us know.

The work is just starting and the final number of drafts, their names and content, and resulting RFCs, are subject to change.

EAP Method Update (emu) working group has a number of drafts that are getting near to being published as RFCs.

One of the EMU drafts defines updates for using TLSv1.3 with PEAP, EAP-TTLS and some other TLS-based EAP methods. TLSv1.3 for PEAP and EAP-TTLS is already implemented in Radiator 4.27.

Another EMU working group draft defines updates and clarifications for TEAP, for which our customers have also shown a lot of interest. Radiator implementation for TEAP aims directly for the revised version and it is under development and interoperability testing.

Would you like to know more?

If you are interested more about these and other developments with Radiator, you can always contact us at info(a)radiatorsoftware.com. We are always delighted to hear about different use cases of our customers, and to provide assistance when needed.

Enterprise network authentication with Radiator

Is your Wi-Fi password written on the conference room wall? Can your guests just plug a cable in and be connected to your enterprise network? These are situations where Radiator could help your network security. Once a company grows out of the founder’s garage, gains some employees and takes up an office space, this office in most cases needs a networking solution for both the company internal network and access to the internet for employees. At the beginning these might be resolved with one router with open Wi-Fi and a shared folder over the internet. However, companies should implement some form of security for their enterprise network. The goal for these implementations is that the right people have access to the right networks and other people do not. And once these basic needs are met, then flexibility and user experience should also be taken into account.

Radiator as enterprise network AAA Server

Enterprise network authentication is a bread-and-butter use case for Radiator. The key differentiator in the market for Radiator is flexibility. Radiator offers a variety of options for when it comes to what the users are authenticated against (SQL database, LDAP or Active Directory, REST etc.), as well as what hardware your enterprise uses for their network. Radiator also offers multi-vendor support for network devices.

This is a basic setup which can be altered depending on your organisation’s needs. Multi-factor authentication with TOTP or HOTP can also be added to the solution for enterprises who want to add another layer of security to their network. Radiator supports a great variety of options for TOTP and HOTP implementations. On the other hand, Radiator can also be used for network device administration as a TACACS+ server (more information about this use case in our previous blog post). Another key differentiator for Radiator is access to active and competent support. Both Radiator email and telephone support grant you straight access to experienced Radiator developers so you can be sure your issues are resolved swiftly. While many company flagship RADIUS server products like Cisco’s ACS and Junipers Steel Belted RADIUS have been announced End-of-Life, Radiator is actively developed and supported.

Managed solution for Wi-Fi Authentication

Radiator also offers enterprise Wi-Fi authentication as a service: Radiator Auth.Fi. Radiator Auth.fi is a RADIUS based Wi-Fi authentication cloud service for authenticating network users and guests. It provides user authentication as a service for Wi-Fi, wired network and VPN. Subscription based cloud service works globally, one service covering all customer locations. Radiator Auth.fi also provides an easy way to connect to eduroam and govroam. The starting requirements for this service is RADIUS capable Wi-Fi controller. The starting solution enables simple username-password authentication for both employees and guests. This solution can be customised to include certificate authentication in collaboration with certificate provisioning solutions and PKIs such as for example SCEPman, Microsoft NDES, Intune. For more information about the managed solution for Wi-Fi authentication Radiator Auth.Fi, please see the previous blog post and our Radiator Auth.Fi product presentation.

Want to know more?

If you would like to know more about how Radiator can help your organisations enterprise network AAA needs, please contact our sales team via e-mail sales@radiatorsoftware.com or via our contact form.

Radiator team take part in IETF 116 in Yokohama

We at Radiator take pride in applying the latest industry standards into Radiator. Part of these efforts include actively engaging with the relevant IETF working groups. Following up on the widely supported reboot of the RADIUS Extensions working group at IETF 115 in London, Radiator team is flying out to Japan to participate in IETF 116 in person. We’re especially looking forward to these two sessions:

RADIUS EXTensions (radextra)

EAP Method Update (emu)

Meet the team

Staying at the forefront of industry developments is a top priority for Radiator development. As always, we are looking forward to working on RADIUS drafts and standards and implementing them in Radiator. If you’re in Yokohama, come find us at the and say hi! The point of contact is Radiator developer Heikki Vatiainen, who is available to meet at Pacifico venue. Everyone else, please drop us an email!

Want to know more?

IETF 116 Yokohama

IETF 116 RADIUS EXTensions meeting

IETF EAP Method Update meeting

Our blog from IETF 115 highlights

info@radiatorsoftware.com

Radiator SIM Pack 2.8 released! Major scalability improvement and other enhanced features

We are pleased to announce the release of Radiator SIM Pack version 2.8. This new release contains major scalability improvement and many enhanced features.

Scalability improvement and other enhanced features

To make it easier to manage large installations and improve performance, Radiator 3GPP AAA Server now supports configuration with multiple parallel workers that use the same Diameter identity. This update was also reflected in earlier Radiator Service Provider Pack release. 

In addition, Radiator SIM Pack has supported IMSI Privacy since release 2.5 and 2.8 release now adds support for certificate revocation and expiration notifications. For more info about IMSI Privacy features in Radiator SIM Pack, please see our new whitepaper.

Also, customers using SIGTRAN will be pleased to learn that SIGTRAN stack upper layers have been rearranged to better support additional MAP dialogues. For more detailed changes, please see the Radiator SIM Pack revision history.

Would you like to know more?

If you like to know more about Radiator, the new release and how it can help you in your use case, you can always contact our team at info(a)radiatorsoftware.com - or fill out the contact form.

New whitepaper: Introduction to IMSI Privacy Protection for Wi-Fi with Radiator SIM Pack

 

Great news! We are proud to present our new whitepaper “Introduction to IMSI Privacy Protection for Wi-Fi with Radiator SIM Pack”. You can download the whitepaper from our website.

What is IMSI Privacy about and why is it important?

One of the key use cases for SIM authentication, Wi-Fi offloading enables SIM-based devices to automatically switch data and voice traffic from mobile networks to Wi-Fi networks. This lets mobile carriers and operators reduce their operating costs, and provide better network coverage and customer service, in locations with high amounts of mobile traffic. However, without IMSI Privacy Protection for Wi-Fi the mobile user’s identity will be exposed on the Wi-Fi network when the device is authenticated and the latest Android and iOS mobile devices will also give the user a security warning and may refuse to connect automatically.

Since many of the SIM-based Wi-Fi authentication use cases, such as Wi-Fi offloading, Voice over Wi-Fi and Wi-Fi roaming capabilities are growing in importance, mobile OS manufacturers are putting pressure on the industry to improve Wi-Fi security, leading to a clear need for reliable IMSI Privacy Protection.

In our white paper, we give an overview of the security issues with Wi-Fi SIM-based device authentication and introduce the Radiator SIM Pack, which is a proven solution for IMSI Privacy Protection for Wi-Fi.

For more information, please download the whitepaper from our website.

*) In SIM-based mobile devices, like smart phones and tablets, the user’s unique identifier is stored on the SIM card in a standard format known as the International Mobile Subscriber Identifier, or IMSI for short.

Meet Radiator Team at Mobile World Congress Barcelona 2023!

Radiator Software is exhibiting at MWC23 Barcelona! 

We are delighted to announce that Radiator team will once again be exhibiting at the world’s largest connectivity event of the year: Mobile World Congress 2023 held at Fira Gran Via in Barcelona on 27 February – 2 March.

Our theme for this event is the capabilities of Radiator SIM Pack; a standalone support SIM-based authentication methods with use cases like WiFi offloading, in-flight connectivity and OpenRoaming. To prepare for the event next month we are hosting a webinar about SIM Authentication with Radiator next week on 24th and 26th of January. More information and sign up at our webinars page.

Where can you find the Radiator team?

Finland country pavillion, booth 7G41.

We are exhibiting with fellow Finns in hall 7. The event team will consist of both commercial and technical Radiator experts so whichever Radiator topic you have in mind, we have got you covered. So whether you are familiar with Radiator or considering options for your AAA needs, or just exploring the world of network authentication come stop by and have a chat with us.

If you want to schedule a meeting or simply ask a question, please fill out this form and we will get back to you.

See you in Barcelona!