We’ve Moved!
Our blog has a new home. From now on, all of our updates, insights, and stories will be shared directly on our website. By bringing the blog and website together, everything you need will be in one place, making it easier to stay connected with us.
Visit us at radiatorsoftware.com/blog and bookmark the page so you don’t miss out on any updates.
Monday, March 3, 2025
Radiator 10 performance with EAP-TLSv1.3
With people’s ever-increasing online activity, communication service providers are faced with increasingly growing performance requirements for their networks. And while computing power grows as well, not all software can utilise the resources and scale to meet these increasing performance requirements.
We’ve closely monitored the feedback from our existing and prospective customers, and designed and built a new policy engine, Radiator 10, from ground up to handle the highest performance requirements, setting the bar for what the performance of a modern RADIUS server should look like.
We conducted a case study to showcase how our product excels in EAP-TLS authentication, demonstrating its ability to process an industry-leading number of authentication transactions per second. In this case study, we showcase how our solution not only enhances security but also delivers unparalleled authentication speed, ensuring smooth and secure access for thousands of users simultaneously.
Case study
The performance tests were conducted on standard-sized Google Compute Engine machines using a bash script to repeatedly execute the eapol_test tool for EAP-TLS authentication. The testing was done with two deployments, one for RADIUS/UDP and one for RadSec.
In the RADIUS/UDP deployment, the Client instances sent direct EAP-TLS authentication requests to authenticating Radiator 10 instance. In the RadSec deployment, Client instances sent RADIUS EAP-TLS authentication requests to Radiator 10 proxy instances, which proxied the requests over RadSec to an authenticating Radiator 10 instance.
For more information about the test setups, please see the case study paper here.
Results
The tests concluded that on the test setup, Radiator 10 could process over 4200 RADIUS EAP-TLSv1.3 requests per second. With parallel RadSec connections from four proxy instances, Radiator processed over 9900 EAP-TLSv1.3 authentications per second. With an average EAP-TLS request requiring 8.4 total RADIUS packet exchanges, this means that Radiator 10 exchanged over 83 000 RADIUS packets per second over the 3 500 000 EAP-TLS authentication test set.
For more results and considerations, please see the case study paper here.
If you have questions about the performance testing, or want to discuss how Radiator 10 products, Radiator Policy Server and Radiator Core, could help you scale up your deployment, please do not hesitate to contact sales@radiatorsoftware.com
Thursday, February 27, 2025
Introducing Radiator 10 products: Radiator Core and Radiator Policy Server
For the last 25 years, Radiator AAA has been a cornerstone of network authentication for thousands of companies across all continents and industries. There are few things it can not do when it comes to integration interfaces, backends, authentication methods and logging extensions. We’ve closely listened to feedback from existing and prospective customers, and in order to meet the demands and latest drivers in the market, and after years of development we are proud to announce a completely rewritten policy engine Radiator 10. Designed from the beginning with performance and security in mind by the same engineers who’ve worked with Radiator deployments for years. Developed with Rust, assuring asynchronous processing and concurrent queries with multi-threadding, security and continuity, Radiator products continue to be the reliable cornerstone of your network’s security that help you scale your business now and in the future.
Radiator Core
Radiator Core is our Radiator 10 product aimed towards ISPs and other service provider customers. It features full RADIUS support, with proven performance for the largest deployments (see case study). Radiator Core features a dashboard for monitoring, REST API for upstream and downstream integration with high extendability for different logging solutions. At the start of March, Radiator team will be present at MWC2025 with a demo of Radiator Core. If you want to book a demo meeting, please contact us using this form or via email sales(a)radiatorsoftware.com.
Radiator Policy Server
Radiator Policy Server is our next-generation product aimed for enterprise customers. It includes full RADIUS and TACACS+ functionality, with latest functionality like enterprise Wi-Fi authentication with TLS1.3 support, RadSec and ENTRA ID authentication. The all-new user interface provides a dashboard for monitoring, option for user and client management with the built-in database, as well as options for licence and certificate management. We are currently taking up pilot enterprise customers who want to leverage the performance and functionality of Radiator Policy Server, for both greenfield deployments and as migrations from existing AAA server setups. We are currently expanding the use case base of Radiator Policy Server based on our experiences on Radiator AAA. If you are interested in joining the pilot, please contact us at email sales(a)radiatorsoftware.com.
What does this mean for existing customers?
Radiator 10 is the platform for our new product line, but at the same time Radiator AAA server products remain under active development. We also continue to offer multi-year support renewals for existing Radiator 4 based products, such as Radiator AAA Server Software, Radiator SIM Pack and others. For customers looking to take advantage of Radiator 10 products’ enhanced features, we are happy to discuss the options based on your customer needs - also providing cost-effective ways to utilize our Radiator 10 product line as well. For inquiries in new Radiator Policy Server or Radiator Core deployments or renewal of your existing Radiator AAA deployment’s support contract, please contact sales(a)radiatorsoftware.com
Tuesday, February 18, 2025
Meet Radiator Software at Mobile World Congress 2025
As the telecom industry gears up for the biggest connectivity event of the year, we at Radiator Software are also preparing for Mobile World Congress 2025, taking place at Fira Gran Via in Barcelona from March 3–6, 2025.
At MWC25, we’ll be showcasing a new Radiator product release, designed to offer an unbeatable combination of flexibility, interoperability, and high performance for complex operator AAA deployments.
Meet our team of network authentication specialists to explore key AAA topics, including FTTH authentication, WiFi roaming, VoWiFi, IMSI Privacy, OpenRoaming, and more. Whether you’re an existing partner, a longtime customer, or new to Radiator, we’d love to connect at MWC25!
Schedule a meeting here: Google Form
Monday, February 10, 2025
How to update the new WBA Root CA chain for the Radiator OpenRoaming deployments?
WBA OpenRoaming certificates now issued or renewed using the new WBA Root Certificate Authority chain
At 00:00 UTC (beginning of the day) on 3rd of Febuary 2025 Wireless Broadband Alliance (WBA) switched to issuing OpenRoaming certificates using new WBA Root Certificate Authority (CA) chain. This means that all OpenRoaming certificates, which are renewed or issued on 3rd of February 2025 or later, use the new WBA Root CA chain.
Although WBA planned and informed OpenRoaming Identity Providers (IdP) and Access Network Providers (ANP) about the planned change, there are OpenRoaming ANPs and IdPs, which have not updated their RADIUS/RadSec server configurations to accept both the old and new WBA root CA certificate chain for RadSec connections.
This means for example that IdP customers of the IdP using the new root chain issued certificate are not able to roam in the ANP networks, which do not accept IdP's new RadSec server certificate if it is issued by the new WBA Root CA chain. If an IdP does not accept the new WBA Root CA verified RadSec client certificates for connections originating from the ANP's Wi-Fi network, that IdP's customers are not able to roam into that ANP's Wi-Fi network.
If ANPs and IdPs do not update their inbound and outbound RADIUS/RadSec connections to accept both the old and new WBA Root CA chain certificates, when new OpenRoaming certificates are issued or old ones are renewed, gradually the roaming connections with those ANPs and IdPs deteriorate.
How to update Radiator OpenRoaming deployment to use the new WBA Root CA chain?
- Directory for CA certificates used for verifying inbound OpenRoaming connections from other OpenRoaming ANPs to your server: /etc/radiator/certificates/radsec_inbound_openroaming/ca
- Directory for CA certificates used for verifying the OpenRoaming IdP server certificates for RadSec connections used to authenticate those IdPs users roaming in your network: /etc/radiator/certificates/etc/radiator/certificates/radsec_outbound_openroaming/ca
First install the new WBA Root CA to the CA directory for verifying inbound OpenRoaming RadSec connections:
cd /etc/radiator/certificates/radsec_inbound_openroaming/ca wget https://wballiance.com/wp-content/uploads/2024/05/wba-root1.pem chown root:radiator wba-root1.pem chmod 644 wba-root1.pem openssl rehash -v .
And then install the new WBA Root CA to the CA directory for verifying the IdP servers responding to outbound OpenRoaming RadSec connections:
cd /etc/radiator/certificates/radsec_outbound_openroaming/ca wget https://wballiance.com/wp-content/uploads/2024/05/wba-root1.pem chown root:radiator wba-root1.pem chmod 644 wba-root1.pem openssl rehash -v .
After installing the certificates, it is recommended to restart the Radiator instances responsible of handling the connections with:
systemctl restart radiator@radsec_inbound_openroaming systemctl restart radiator@radsec_outbound_openroaming
or all Radiator instances with:
systemctl restart radiator-instances
If you are deploying Radiator OpenRoaming Configuration from scratch, you should also download and install wba-root0.pem from the WBA PKI repository by following the above instructions but replacing the wget command, which retrieves the certificate with:
wget https://wballiance.com/wp-content/uploads/2024/05/wba-root1.pem
All other commands should be executed as described above for both directories.
As a result you now have a Radiator OpenRoaming configuration, which supports both the old and the new WBA Root CA chain. You can read more about Radiator OpenRoaming configuration from the Radiator OpenRoaming Configuration Guide. There are also new useful updates to the Radiator OpenRoaming configuration template files done in January 2025.
How can I do this with other RADIUS servers?
Where can I get more help with Radiator OpenRoaming deployment?
Wednesday, January 22, 2025
Securing IoT networks with private APN
In today’s day and age, every machine around us is ‘smart’. Ranging from smart homes and wearables to more complex machines like cars, planes and industrial machinery, devices are connected with each other and with the internet to enhance user experience, control machines remotely and use other benefits of connectivity. This network of connected devices that communicate with each other and share information over the internet is often called Internet of Things, IoT for short.
Every one of these devices should be authenticated with secure methods when connecting to the internet, else a perpetrator can falsify data, steal information or gain access to networks through unsecure devices and networks. Companies can manage this and take control of their network by deploying a private access point name network, private APN for short.
What is private APN?
The Private APN service utilises operator’s SIM cards for radio network access, but separates the data traffic in operator’s P-GW (LTE core network packet gateway) by the access point name (e.g. internet.company instead of operator’s own access point name). These separate private access points may have their own parameters for authentication, accounting, IP networks, IP address allocation, connection parameters, traffic accounting, priorities, and other functionalities. Depending on the P-GW capabilities, it is possible to move some of these functionalities and information to a separate RADIUS service, which is provided either by the operator or company utilising the Private APN.
The choices of authentication method are between PAP and CHAP. As can be seen from the picture, the deployment does not need extensive infrastructure for the AAA, merely a basic Radiator AAA licence and a backend of choice (AD, SQL, REST etc.).
Enhance coverage of in-door devices with Radiator SIM Pack
The private APN functionality can also be enhanced with Radiator SIM Pack. If the IoT device also has Wi-Fi radio and functionality, it can also utilise Wi-Fi access whenever within range of the company’s Wi-Fi network. In this case, the authentication would be done directly with SIM-based authentication methods (EAP-AKA, EAP-AKA’) and the device will have access to the company network via Wi-Fi, like illustrated in the next picture.
The benefits of adapting Radiator SIM Pack lies in coverage. While the monitoring and other IoT devices might not need the biggest bandwidth, reliable cellular connection can be an issue for in-door solutions, for example in warehouses. With Radiator SIM Pack, the IoT devices will connect to the company network securely over Wi-Fi, ensuring reliable monitoring and metrics.
Want to know more?
If you are building an IoT device network or want to enhance the security of an existing IoT device network, Radiator is the solution for you.
For more information about Radiator licensing, technical details or for any questions, please do not hesitate to contact us sales@radiatorsoftware.com