5/16/2014 Aptilo 3GPP AAA for trusted / untrusted 3GPP Wi-Fi access | Aptilo
http://www.aptilo.com/mobile-data-offloading/3gpp-wifi-access
Mobile Data Offloading
Aptilo in 3GPP Wi-Fi access
Overview of 3GPP options for Wi-Fi access
The 3GPP standard defines two types of non-3GPP access: trusted and untrusted. Non-3GPP access includes, for instance, access
from Wi-Fi, WiMAX, fixed and CDMA networks.
Trusted 3GPP Wi-Fi access
Trusted non-3GPP Wi-Fi access was first introduced with the LTE standard in 3GPP Release 8 (2008). Trusted access is often
assumed to mean an operator-built Wi-Fi access network with encryption in the Wi-Fi radio access network (RAN) and a secure
authentication method. However, it is always up to the home operator to decide what is to be considered trusted. In practice the
Wi-Fi access network must support the following features to be considered trusted:
802.1X-based authentication, which in turn also requires encryption of the RAN (the keys derived during EAP authentication protect the radio link)
3GPP network access authentication using an EAP method (EAP-SIM/AKA)
IPv4 and/or IPv6
In trusted access, the device (UE) is connected through a TWAG (Trusted Wireless Access Gateway; Trusted WLAN Access Gateway
in 3GPP terminology) in the Wi-Fi core. The TWAG is in turn connected directly to the P-GW (PDN Gateway) in the Evolved Packet
Core (EPC) through a secure tunnel (GTP, MIP or PMIP).
A similar concept is also used in non-EPC 3G networks where a WAG (Wireless Access Gateway) is connected with the GGSN
through a secure GTP tunnel.
Parameters from the subscriber profile are needed in order to set up the GTP tunnel. This in turn normally requires knowledge of
the user's IMSI (the unique SIM card identifier). Therefore trusted 3GPP Wi-Fi access is not possible for devices without SIM cards.
However, Aptilo's innovative features make the impossible possible, providing trusted 3GPP access for all kinds of devices.
Untrusted 3GPP Wi-Fi access
The untrusted model was first introduced in the Wi-Fi specification in 3GPP Release 6 (2005). At that time Wi-Fi access points
with advanced security features were rare; hence Wi-Fi was considered open and unsecured by default. Untrusted access
includes any type of Wi-Fi access that the operator has no control over, such as public hotspots, subscribers' home Wi-Fi and
corporate Wi-Fi. It also includes Wi-Fi access that does not provide sufficient security mechanisms, such as authentication and
radio link encryption.
The untrusted model requires no changes to the Wi-Fi RAN (Radio Access Network) but has an impact on the device side, which
requires an IPsec client in the device. The device connects directly to the ePDG (Evolved Packet Data Gateway) in the EPC
through an IPsec tunnel (IKEv2, with the subscriber authenticated by EAP-AKA inside the IKEv2 exchange). The ePDG is connected
to the P-GW, where each user session is transported through a secure tunnel (GTP or PMIP).
A similar concept is also used in non-EPC 3G networks, where the device is connected to a TTG (Tunnel Termination Gateway)
through an IPsec tunnel. The TTG is in turn connected to the GGSN via GTP.
Because the traffic is protected by IPsec all the way from the device into the EPC (the tunnel terminates at the ePDG), this option
can be used with any Wi-Fi network, regardless of how secure the radio link itself is.
IP mobility with session continuity in 3GPP Wi-Fi access
Dual-radio devices require a client-based solution on the end-user device to provide full IP mobility between the networks. IP
mobility within the same radio network can be provided without a client. Many popular smartphone applications are today
designed to be resilient to network changes such as a change of IP address. This allows a seamless end-user experience even
while moving between, for instance, the 3G or LTE network and Wi-Fi.
Different options for 3GPP Wi-Fi access
The 3GPP AAA server is located within the 3GPP HPLMN (the subscriber's home network). For 3GPP Wi-Fi access, it provides
authentication, authorization, policy enforcement and routing information to the packet gateways in the Wi-Fi core and the mobile
core. It can perform EAP-SIM/AKA authentication, using the credentials on the SIM card, for automatic and secure authentication
of Wi-Fi enabled devices.
In order to create a good business case for Wi-Fi offloading, all types of devices must be supported, including devices with no
support for the EAP-SIM/AKA method or even with no SIM card at all. Hence there is a need for alternative authentication
methods. Read more about how Aptilo's innovative Wi-Fi offload features enable 3GPP Wi-Fi access for devices lacking support
for EAP-SIM/AKA.
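The two passages above (the untrusted model, where the device has to find its home ePDG, and the 3GPP AAA in the HPLMN authenticating SIM-based clients with EAP-SIM/AKA) both turn on the identity a SIM-based client presents. The example below is added here and is not code from the Aptilo page or product. The identity formats it uses are those defined in 3GPP TS 23.003: the permanent (root) NAI is `<p><IMSI>@nai.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org`, where the leading digit selects the EAP method (0 for EAP-AKA, 1 for EAP-SIM, 6 for EAP-AKA'), the ePDG is discovered as `epdg.epc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org`, and the MNC is always written with three digits. The sample IMSI (test PLMN 001/01), the home-PLMN table, the function names and the routing policy in `route_eap_request()` are assumptions made for the example; the check that the realm agrees with the PLMN encoded in the IMSI is the kind of sanity check a AAA proxy should do before routing on the realm.

```python
"""Added example (not code from the Aptilo page or product).

What a 3GPP AAA server, or a Wi-Fi AAA proxying to it, sees when a SIM-based
client authenticates over Wi-Fi, and what an untrusted-access client derives
from its IMSI before opening the IPsec tunnel to the ePDG.

Identity formats are those of 3GPP TS 23.003:
  root NAI : <p><IMSI>@nai.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org
             p = 0 (EAP-AKA), 1 (EAP-SIM), 6 (EAP-AKA')
  ePDG FQDN: epdg.epc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org
  MNC is always written with three digits (a two-digit MNC gets a leading 0).
The sample IMSI (test PLMN 001/01), the home-PLMN table and the routing
policy in route_eap_request() are assumptions made for this example.
"""
import re

EAP_METHODS = {"0": "EAP-AKA", "1": "EAP-SIM", "6": "EAP-AKA'"}
PREFIX_OF = {method: prefix for prefix, method in EAP_METHODS.items()}

ROOT_NAI_RE = re.compile(
    r"^(?P<prefix>[016])(?P<imsi>\d{6,15})"
    r"@nai\.epc\.mnc(?P<mnc>\d{3})\.mcc(?P<mcc>\d{3})\.3gppnetwork\.org$"
)


def split_imsi(imsi, mnc_len):
    """IMSI = MCC (3 digits) + MNC (2 or 3 digits) + MSIN. The MNC length is a
    property of the operator's numbering plan, not readable from the IMSI."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 6 to 15 digits")
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    return imsi[:3], imsi[3:3 + mnc_len].zfill(3)


def root_nai(imsi, mnc_len, method="EAP-AKA"):
    """Permanent identity the client sends in EAP-Response/Identity."""
    mcc, mnc = split_imsi(imsi, mnc_len)
    return f"{PREFIX_OF[method]}{imsi}@nai.epc.mnc{mnc}.mcc{mcc}.3gppnetwork.org"


def epdg_fqdn(imsi, mnc_len):
    """Name an untrusted-access client resolves to find its home ePDG."""
    mcc, mnc = split_imsi(imsi, mnc_len)
    return f"epdg.epc.mnc{mnc}.mcc{mcc}.pub.3gppnetwork.org"


def parse_root_nai(nai):
    """Validate a permanent identity and extract method, IMSI and PLMN.

    The realm is rejected when it does not agree with the PLMN at the front
    of the IMSI: an AAA proxy that routes on the realm alone could otherwise
    be steered towards a network that does not own the subscriber. Pseudonym
    and fast re-authentication identities (other prefix digits) are not
    handled here; they are opaque values issued by the home AAA.
    """
    m = ROOT_NAI_RE.match(nai)
    if m is None:
        raise ValueError(f"not a 3GPP root NAI: {nai!r}")
    imsi, mcc, mnc = m["imsi"], m["mcc"], m["mnc"]
    # Both MNC lengths are possible, so accept either reading of the IMSI.
    plausible = {imsi[:3] + imsi[3:6], imsi[:3] + imsi[3:5].zfill(3)}
    if mcc + mnc not in plausible:
        raise ValueError("realm PLMN does not match the IMSI prefix")
    return {"method": EAP_METHODS[m["prefix"]], "imsi": imsi,
            "mcc": mcc, "mnc": mnc, "realm": nai.split("@", 1)[1]}


def route_eap_request(nai, home_plmns):
    """Decision taken on the identity: authenticate here against the HLR/HSS
    when the PLMN is one we serve, otherwise proxy to the home network's
    3GPP AAA by realm. home_plmns is a set of (mcc, mnc) tuples (assumed)."""
    ident = parse_root_nai(nai)  # raises on a malformed or inconsistent NAI
    if (ident["mcc"], ident["mnc"]) in home_plmns:
        return {"action": "authenticate", "method": ident["method"],
                "imsi": ident["imsi"]}
    return {"action": "proxy", "method": ident["method"],
            "realm": ident["realm"]}


if __name__ == "__main__":
    imsi = "001010123456789"  # constructed: test PLMN 001/01, 2-digit MNC
    print(root_nai(imsi, 2))
    print(root_nai(imsi, 2, "EAP-SIM"))
    print(epdg_fqdn(imsi, 2))
    print(route_eap_request(root_nai(imsi, 2), {("001", "001")}))
    print(route_eap_request(root_nai(imsi, 2), {("234", "015")}))
    try:  # realm claims PLMN 234/15 but the IMSI belongs to 001/01
        route_eap_request("0001010123456789@nai.epc.mnc015.mcc234.3gppnetwork.org",
                          {("234", "015")})
    except ValueError as err:
        print("rejected:", err)
```

The MNC length has to be supplied by configuration (a lookup keyed on MCC in a real deployment), because it cannot be recovered from the IMSI digits alone; that is also why the realm check accepts either reading of the IMSI prefix and is a consistency check rather than proof of ownership. Proof comes from the EAP-SIM/AKA exchange with the HLR/HSS that follows.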
Furthermore, the operator may want to monetize its Wi-Fi network by opening it for public use. We have created the Aptilo 3GPP
AAA+ Server for this purpose, adding critical functionality to the 3GPP AAA in the Aptilo SIM Authentication Server.
With this added support for portals, Wi-Fi AAA, Wi-Fi Policy & Charging and Wi-Fi subscriber management, the mobile operator can
add revenue by allowing paying ad-hoc users as well as supporting all types of terminals for offload.
Below we discuss the role of the Aptilo 3GPP AAA+ Server in different Wi-Fi access scenarios, including all the 3GPP-specified
options for 3GPP Wi-Fi access.
1. Wi-Fi access with 3G core and local WLAN break-out
This option is currently the solution most deployed by operators doing EAP-SIM/AKA authentication. It provides local traffic
breakout for all clients at the Wi-Fi access gateway (such as the Aptilo Access Controller) and is based on standard RADIUS and
EAP methods for authentication against the HLR. The Wi-Fi access point requires support for 802.1X authentication with EAP-SIM/AKA.
No additional 3GPP interfaces are required.
2. Wi-Fi access with 3G core (DPI)
All traffic from smartphones/tablets with EAP-SIM/AKA support is terminated at the Deep Packet Inspection (DPI) node in the 3G
core network, while traffic from non-SIM devices is directed to the Internet locally. This option uses standard RADIUS and EAP
methods for authentication against the HLR. The Wi-Fi access point requires support for 802.1X authentication with EAP-SIM/AKA. In this
case the DPI is typically also used by the operator to inspect and enforce policies for 3G data services. No additional 3GPP
interfaces are required.
3. Wi-Fi access with 3G core and WAG (GTP)
This option is partly aligned with 3GPP TS 23.234 with the introduction of the Wireless Access Gateway (WAG) node
in the Wi-Fi core for access to the 3G core. The WAG, emulating an SGSN, establishes GTP tunnels for the traffic of EAP-capable
clients; the tunnels are terminated in the GGSN. The 3GPP Wm interface is used for EAP client authentication against the HLR and for
tunnel establishment. The Wi-Fi access point requires support for 802.1X authentication with EAP-SIM/AKA. A DPI can potentially
also be used after the GGSN.
4. Wi-Fi access with 3G core (I-WLAN)
This option is aligned with 3GPP TS 23.234 for untrusted access with a 3G core. It requires an EAP client in the
device with IPsec support. There is no impact on the Wi-Fi core or Wi-Fi RAN; legacy Wi-Fi hotspot networks will work. IPsec tunnels are
terminated in the Tunnel Termination Gateway (TTG), a new mobile core node introduced for this purpose. The TTG maps
the IPsec tunnels into GTP tunnels terminated in the GGSN (the GGSN can typically not terminate IPsec).
The 3GPP Wa interface is used for EAP client authentication against the HLR and the Wm interface is used for tunnel mapping in the TTG.
This option will most likely be replaced by the untrusted EPC option in most practical implementations.

5. Trusted Wi-Fi access in EPC
This option is based on 3GPP TS 23.402 with the introduction of the Trusted Wireless Access Gateway (TWAG) node.
The TWAG establishes a GTPv2, PMIP or MIP tunnel (the S2a interface) to the P-GW in the EPC core for all trusted traffic.
Trusted traffic will most likely mean an operator-controlled Wi-Fi environment based on a Hotspot 2.0 compatible Wi-Fi core with
802.1X and EAP authentication support towards the HSS/HLR. The Wi-Fi access point requires support for 802.1X authentication and
the EAP-SIM/AKA methods. This option also requires support for EAP-SIM/AKA in the device.
The STa interface is mainly used for EAP client authentication against the HSS and for S2a option selection (which tunnel type to use). The
S6b interface between the 3GPP AAA and the P-GW is used for tunnel authentication, static QoS and mobility (if applicable), etc. The
3GPP specification also allows full or partial local breakout of Wi-Fi traffic at the TWAG in the Wi-Fi core.
6. Untrusted Wi-Fi access in EPC
This option is based on 3GPP TS 23.402 with the introduction of the evolved Packet Data Gateway (ePDG) node. It
requires an EAP client in the device with IPsec support. There is no impact on the Wi-Fi core or Wi-Fi RAN; legacy Wi-Fi hotspot networks
will work. IPsec tunnels are terminated in the ePDG, a new mobile core node introduced for this purpose. The ePDG maps the
IPsec tunnels into GTP or PMIP tunnels (the S2b interface) terminated in the PDN Gateway (P-GW).
Untrusted will most likely mean a non-operator-controlled network, or a partner network with legacy Wi-Fi hotspots not
supporting 802.1X.
The 3GPP SWa interface is mainly used for EAP client authentication against the HSS. The SWm interface is used for additional
authentication parameters, including subscription profiles and S2b option selection (which tunnel type to use). The S6b interface is
used between the Wi-Fi AAA and the P-GW for tunnel authentication, static QoS and mobility (if applicable), etc.
