SOLUTIONS FOR IMPLEMENTING CELLULAR TO WI-FI OFFLOAD
Hartmut Schroeder
September 2012
2 Copyright © 2012 Juniper Networks, Inc. www.juniper.net
Legal Statement
Statements of direction set forth Juniper Networks’ current
intention and are subject to change at any time without notice.
No purchases are contingent upon Juniper Networks
delivering any feature or functionality depicted in this presentation.
WHY WI-FI OFFLOAD?
GROWTH IN WIRELESS BROADBAND DATA CONTINUES
Growth fueled by:
• Increased Smartphone Adoption
• Wireless Enabled Portable Devices
• Machine-to-Machine Mobile Devices
Gartner predicted that tablet sales will grow 181% in 2011 to 54.8M, many of which are built to take advantage of mobile 3G and 4G networks.
According to IDC we will reach 1 billion smart mobile devices in 2013. Morgan Stanley tells us we will reach 10B mobile devices in 2050.
[Slide callouts: 181% tablet growth; 1B smart mobile devices]
WIRELESS BROADBAND ALLIANCE
3 STAGES OF WI-FI OFFLOAD
[Timeline shown: 2010, 2012, 2014]
Offload
• Hard offload
• User driven
• Unmanaged
Optimize
• Auto-login
• User identity
• Secure
Integrate
• Policy driven
• Session mobility
• Fully transparent
Source: Heavy Reading
REFERENCE ARCHITECTURE
KEY SOLUTION COMPONENTS
AUTHENTICATION & SECURITY
Provides uniform user experience with authentication, security & policy enforcement
SBR – CARRIER
• Single platform managing AAA functions for all access technologies
JUNOS Pulse Client (optional)
• Mobile Security Suite
• VPN / secure tunneling
• Enforcement point for future policy based capabilities and data collection
BACKHAUL & EDGE
Provides secure traffic termination and service delivery functions
MX-3D
• Security GW
• Video/Web Optimization
• NAT/FW functions
• Server Load Balancing
• Mobility GW functions
• Routing Functions
• VPN Gateway
Juniper WLAN
• High performance
• Reliable mobility
• High Availability
• Outdoor/Indoor
• Superior Planning and Lifecycle Mgmt
• Direct and Central Traffic breakout
POLICY ENFORCEMENT & CHARGING
Provides support for network based policy enforcement and charging
SRC
• Ideal if WLAN traffic not backhauled to GGSN / P-GW
• Leverages Juniper MX as PCEF
• QoS
• Service Mapping
• DPI
• Captive Portal
• Volume Tracking (VTA)
• Bandwidth limits
• Daily/Monthly usage
• Charging integration
OPEN AND SECURE ACCESS E2E ARCHITECTURE PHASE 1 (TODAY)
[Architecture diagram. Components: Smartphone; AP with an Open SSID and an 802.1x SSID; WLC; WLM; MX-BNG; SBR with SSR; Subscriber Database / HLR; SRC with Portal and VTA; Internet.
Interface labels shown: RADIUS, Diameter, JSRC, Gi IP, CORBA, SQL, SIGTRAN; SSR Auth-Check / Service and Subs-Data; policy push from SRC to the MX-BNG; redirect IP to the Portal.]
JUNIPER VALUE PROPOSITION
Juniper MX as Wi-Fi Access Gateway acts as a PCEF for:
• CGNAT (leveraging MS-DPC)
• DPI (leveraging MS-DPC)
• Basic QoS / Hierarchical QoS (leveraging MS-DPC)
• Lawful Interception point for CC
• DHCP server
SBR Carrier AAA with SSR:
• SIM module for seamless authentication with the HLR for EAP-SIM/AKA
• Session State Register for global, redundant subscriber knowledge
Juniper SRC (Session Resource Controller):
• Captive Portal
• Volume Tracking Application
• Various accounting interfaces
• Policy push to all Juniper core routers
Juniper Wireless WLA / WLC / WLM:
• Wi-Fi access with backhauling due to central switching
• Complete lifecycle management through RingMaster
UNIVERSAL EDGE
MX 3D: A NETWORK SERVICES PLATFORM
Ultimate in flexibility
• Versatility of 4 platforms ensures there is a platform tailor-made for every deployment model
• L2 to L3 to L4-7 services
• Support multiple services simultaneously without impacting performance
Industry-leading performance and scale
• Unparalleled packet processing performance
• Separate control and data plane that scale independently
OPEX savings, simplifies operations
• 30–50% more power efficient & 40% more space efficient
• Embedded monitoring services to ensure SLAs are met
• Unparalleled functional bundling that allows massive cost saving
SERVICES FLEXIBILITY FOR MOBILE
MX 3D with Trio is a Common Services Layer for IP Convergence: common hardware, common software, investment protection.
[Diagram: MX 3D at the centre. Roles shown: TWAG, Security-GW, S/P-GW, GGSN, Backbone, Backhaul, Carrier Grade NAT, BNG, Firewall, Business Edge, L2/L3 Switch, SDG. Domains shown: Packet Core, Transport, Fixed Edge, Security, Datacenter.]
UNIVERSAL EDGE ENABLES NEW NETWORK
[Diagram: MX 3D Series at the base; Router-Integrated Services: Cable Edge, Business Edge, Mobile Edge, Carrier Ethernet Aggregation, Video Distribution Networks; Network Applications / Network-Integrated Apps. & Services from Juniper and from partners: DAA, BGF, Media Flow, StreamScope, eRM, Telchemy, ePM, IPS, Media Enabler, Media Flow Controller, SRC Controller.]
JUNIPER WIRELESS
THE NONSTOP WIRELESS NETWORK
Single point of management
Active-active control
architecture
Self-organizing adds, moves
and changes
Self-repairing architecture
In service software upgrades
Full Featured Local switching
JUNIPER WLA SERIES ACCESS POINT FAMILY
[Figure: access points arranged by functionality, from entry level 802.11n through indoor 11n to outdoor 11n; WLA532 and WLA632 marked as new.]
Entry level 802.11n
• WLA321: single radio, low cost AP
• WLA322: dual radio, entry-level AP
Indoor 11n
• WLA522: 2x2 MIMO, dual radio, high density
• WLA532: 3 stream MIMO, dual radio, max. performance (new)
Outdoor 11n
• WLA632: 3x3 MIMO, dual radio, all weather (new)
WLA Series Highlights
• Highest performance APs in the industry
• Most cost effective APs in the industry
• Full featured intelligent switching
• Spectrum analysis across the portfolio
• Bridging and mesh
JUNIPER WLC SERIES CONTROLLER FAMILY
[Figure: controllers plotted by number of APs (4, 12, 16, 32, 64, 128, 192, 256, 512) across branch, campus and enterprise deployments.]
• WLC2: 4 AP
• WLC8: 12 AP
• WLC800: 16 - 128 11n AP, 3-stream
• WLC880: 16 - 256 11n AP, 3-stream
• WLC2800: 64 - 512 11n AP
WLC Series Highlights
• Simplest solution in the industry
• Highest reliability in the industry
• Only vendor with in-service upgrades
• One software platform
• Full featured distributed deployment
BEST IN CLASS WLAN LIFE CYCLE MANAGEMENT
RingMaster
• Planning and Deployment: 3D predictive planning tool; indoor and outdoor network plan
• Configuration and Verification: complete offline configuration; system and service wizards; pushes configuration to WLCs
• Monitoring and Reporting: by user, radio, AP, WLC, SSID; 30 day history aids compliance; WIDS/WIPS integration
• Location Aware: search by location; roaming history; geo fencing
SBR CARRIER
SBR CARRIER: ENABLES SEAMLESS ACCESS
Steel Belted Radius
• Seamless integration: supports any SDM technology with any schema
• Reduce operational cost: single platform managing AAA functions for all access technologies
• Reduce complexity: single platform provides the glue between network technologies and IT systems
[Figure: SBR Carrier between the access technologies (CDMA 1xRTT/EvDO, GPRS, UMTS, HSxPA, xDSL, FTTH, UMA, Femtocell, Public Wi-Fi, Fixed/Mobile, WiMAX) and the back-end systems (HLR, RADIUS, LDAP, SQL).]
FLEXIBLE SDM INTEGRATION: ANY CREDENTIAL, ANY DATABASE
Steel Belted Radius with HLR, RADIUS, LDAP and SQL (Oracle) back-ends
HLR authentication
• D’ authentication and authorization interface
• SIM and AKA
• SS7 over E1/T1
• SIGTRAN
• MAP v2/v3
• NO separate MAP-GW (installed on SBR)
LDAP
• LDAP v2/v3
• Load-balancing and failover
• Any LDAP schema
• Programmable searches with recursiveness
• Scripting
• Unparalleled performance
SQL
• Generic SQL over JDBC
• Load-balancing and failover
• Any SQL schema
• Stored procedure support
Oracle
• Native Oracle interface
• Load-balancing and failover
• Any SQL schema
• Stored procedure support
• Unparalleled performance
RADIUS proxy
• Carrier grade proxy engine
• Weighted load-balancing and failover
• Target health detection
• Advanced filtering
• Unparalleled performance
Credentials:
• Username/password
• Certificate
• SIM & USIM
• SMS OTP
• Token
• Service-ID (e.g. APN, DNIS …)
JUNIPER SRC
SRC ENABLES APPLICATION INTELLIGENT NETWORKING
[Figure: the SRC Policy Engine (C3000, C5000) provides network policy and control, service activation / reporting and provisioning / accounting between the applications (Internet, IPTV, Home VoIP, Data VPN, Software as a Service, Videoconference; residential services and enterprise services) and the network (Data Center, Core, Edge).]
• Dynamic Provisioning: filters, captive portal, bandwidth, …
• Resource Control: call admission control, QoS, …
• Metering: per service time & volume; quota services
SRC USAGE TRACKING / ACCOUNTING OPTIONS
[Figure: end user traffic passes through the Wi-Fi AP, WLC 2800 and MX; the SRC holds policy and subscriber state & profile and exports usage to the charging systems via flat file, RADIUS, a custom plug-in (plug-in API) or the VTA plug-in / VTA.]
ENHANCED SUBSCRIBER MANAGEMENT
Per subscriber accounting (regular) and per service accounting (enhanced)
Benefits:
• Usage based billing
• Congestion mitigation by de-prioritizing heavy users
Features:
• Periodic collection of counters associated with SRC managed services
• Based on a combination of 5-tuples or per application/application-group
• Accounting record generation from SRC (flat files or RADIUS): duration and volumes
• Multiple accounting sessions per subscriber
• Start, Stop and variable Interim
• Fair usage / quota services with the Volume Tracking Application
OVERVIEW OF THE SRC VOLUME TRACKING APPLICATION
The SRC Volume-Tracking Application (SRC VTA) allows service providers to track and control the network usage of subscribers and services. You can control volume and time usage on a per-subscriber or per-service basis.
When a subscriber or service exceeds bandwidth limits (or quotas), the SRC VTA can take actions, including:
• directing the subscriber to a portal to activate additional services or purchase additional bandwidth,
• imposing rate limits on traffic,
• sending an e-mail notification,
• or charging extra for additional bandwidth consumed.
FUTURE PRODUCTS / SOLUTIONS
HOTSPOT V2.0
IEEE 802.11U AND HOTSPOT V2.0 PART 1
IEEE 802.11u (standardization finished Feb 2011)
• Allows a station (UE/mobile) to query information about the WLAN and the network behind it before an authentication is attempted
• Must be supported at the WLAN AP and at the UE/mobile to work
Network Discovery and Selection component
• Advertises the network's basic 11u capabilities in Beacon and Probe Response frames to minimize battery impact
– Access Type
– Venue Info
– HESSID
– Supported Advertisement Protocols
– Roaming Consortium
– Emergency Call ongoing Alert
• Generic Advertisement Service (GAS) for extended queries
– Access Network Query Protocol (ANQP) and others (MIH)
QoS Map Set distribution
• Tells the mobile which QoS DSCP marking to set for IP traffic according to the operator's policy
Expedited Bandwidth Request (EBR) support
Emergency services
• Emergency call and network alert support at the link level
IEEE 802.11U AND HOTSPOT V2.0 PART 2
Hotspot V2.0 Goals
• Improve the end-user experience to the level of cellular networks
• Facilitate Wi-Fi offload
• Facilitate Wi-Fi roaming agreements between hot spot operators/service providers
Deliverables
• Technical Spec. (uses 11u heavily), Test Plan, Certification Program, Deployment Guide
• Phase 1 (called “Passpoint”), certification starts mid-year 2012
– Access network discovery
– Security
• Phase 2, certification starts mid-year 2013
– Operator Policy (TBD): will it be ANDSF? At which sublevel then?
– On-line Signup (TBD)
• Phase 3, certification starts TBD, probably mid-year 2014
– Scope isn’t defined; proposals have been made around Wi-Fi offload issues and improved operations/monitoring.
IEEE 802.11U AND HOTSPOT V2.0 PART 3
Network Discovery (Phase 1)
• New information elements (11u based): Interworking, Advertisement Protocol, Roaming Consortium, BSS Load, WFA Peer to Peer
• GAS/ANQP protocols (11u based)
– ANQP: Venue Name, Network Authentication Type, IP Address Type Availability, Network Access Identifier Realm List, 3GPP MCC/MNC, Domain Name List
– HS2.0 ANQP extensions: Operator Name, WAN Metrics, Connection Capability, NAI Home Realm Query
• Note: only a SUBSET of 11u will be certified in HS 2.0.
– QoS-Mapping tests and Emergency Calls are not in scope of HS2.0
Security (and Battery Life Extension) (Phase 1)
• Certification includes 802.1x based WPA(2) Enterprise authentication
– EAP-TLS, EAP-TTLS (inner MS-CHAPv2), EAP-SIM/AKA (if the device has a (U)SIM card it SHALL support this)
• Certification does NOT include UE based tunnels
– Hotspot V2.0 certifies “sort-of” 3GPP “Trusted Access” mobiles / UEs only
• Proxy ARP and Proxy Neighbor Discovery (802.11v)
• Downstream Group Addressed Frame Forwarding
• Peer to Peer Communication Blocking
3GPP TRUSTED ACCESS
WI-FI OFFLOAD USING S2A GTP (SAMOG)
Secure Simplified Access for Trusted Wi-Fi Networks
[Diagram: Smartphone to the WLAN Access (AP) to the SaMOG GW, which carries GTP S2a towards the Backhaul & Packet Core (PGW / GGSN / HA, SDG, VPN, Service Complex) and the Policy and Credential Servers (HSS/AAA, PCRF, NetOpt App, ANDSF, Credential Mngt).]
• Documented in TS 23.402 section 16 for 3GPP Rel 11
• 802.1x recommended to ensure air interface security (WPA)
• EAP-AKA credentials used to authenticate the UE
– Needed to get the IMSI identity of the UE
– Allows the HSS to pass information required for GTP management (including target PGW)
– Needed for future IP address preservation
• Leverages standard GTP “Create/Modify” Session/Bearer messages
BENEFITS:
• Avoids cost and overhead of IPsec
• Uses standard GTP based procedures
CAVEATS:
• Used only for trusted Wi-Fi networks
• TWAG must see the UE MAC (Layer 2)
• IP address preservation comes in Rel. 12
TRUSTED WLAN ACCESS TO EVOLVED PACKET CORE ARCHITECTURE
• No additional SW on the UE / IP address preservation (and no IKEv2/IPsec/ePDG)
• SWw is a point-to-point IP link over 802.11 protected by 802.1X
• Access control enforced by the Trusted WLAN on behalf of the 3GPP operator (802.1X)
• Default APN for the Trusted WLAN PDN connection stored in subscription data
• S2a mobility based on GTP and WLAN access to EPC (SaMOG)
[Architecture diagram, non-3GPP networks side: UE to the Trusted WLAN Access Network over SWw; S2a from the Trusted WLAN Access Network to the PDN Gateway (HPLMN); STa to the 3GPP AAA Proxy (VPLMN) and SWd from the proxy to the 3GPP AAA Server; S6b between PDN Gateway and 3GPP AAA Server; SWx between 3GPP AAA Server and HSS; Gx to the hPCRF, S9 between vPCRF and hPCRF, Gxc from the Serving Gateway to the vPCRF; SGi and Rx to the operator's IP services (e.g. IMS, PSS etc.); S8 between Serving Gateway (3GPP Access) and PDN Gateway; S6a to the HSS.]
TRUSTED WLAN ACCESS INTERNAL FUNCTIONS
WLAN: APs terminating the UE’s SWw 802.11 WLAN link
• Authenticates the UE with EAP-AKA
• Provides integrity and/or confidentiality protection
Trusted WLAN Access Gateway (TWAG): creates/deletes the S2a GTP tunnel
• Default router and DHCP server
• Enforces packet forwarding between the UE’s SWw point-to-point IP link and the S2a GTP tunnel based on the UE MAC address
Trusted WLAN AAA Proxy (TWAP): AAA proxy between the WLAN Access Network and the 3GPP AAA Server/Proxy over STa
• Binds UE subscription data (e.g. IMSI, APN) with the UE MAC address
• Notifies the TWAG of UE L2 attach to / detach from the WLAN
[Diagram: the Trusted WLAN Access Network contains the WLAN, the Trusted WLAN AAA Proxy and the Trusted WLAN Access Gateway; SWw towards the UE, STa towards the 3GPP AAA, S2a towards the EPC, plus intranet / Internet breakout.]
TRUSTED WLAN ACCESS PDN & NSWO POINT-TO-POINT LINK MODEL
[Diagram: UE1–UE4 with 802.11 associations to the AP/WLC; per PDN/NSWO a VLAN or GRE tunnel between AP/WLC and TWAG; the TWAG maps each UE MAC either to an S2a-TEID of an S2a PDN connection towards the PDN GW (PDN1, PDN2, PDN3) or to NSWO (a.k.a. local break-out).]
• 802.11 bridging
• One 802.11 association per PDN/NSWO
• DL: TWAG unicasts to the UE MAC
• UL: AP/WLC force-forwards
TRUSTED WLAN ACCESS INITIAL ATTACH
Roaming scenario; entities: UE, TWAN, AAA Proxy, PDN GW, vPCRF, HSS/AAA, hPCRF.
1. Non-3GPP specific procedures
2. EAP authentication (UE – TWAN); authentication & authorization (TWAN – AAA Proxy – HSS/AAA)
(A)
3. Create Session Request
4. IP-CAN Session Establishment Procedure
5. Update PDN GW Address
6. Create Session Response
7. GTP Tunnel
8. EAP authentication completion
9. L3 Attach
(B)
10. Create Session Request
11. IP-CAN Session Establishment Procedure
12. Update PDN GW Address
13. Create Session Response
14. GTP Tunnel
15. L3 Attach Completion
Two variants based on PDN type:
A. IPv4, IPv6, IPv4v6, based on the successful authentication event (recommended)
B. IPv4 only, based on the DHCPv4 address request
HIGH LEVEL SAMOG CALL FLOW
[Call-flow diagram; entities: User Equipment, Access Point, WLAN Controller, AAA, SaMOG Gateway, GGSN / PDN Gateway, Internet. Recoverable sequence:]
• IEEE 802.11 discovery
• EAP Request to UE / EAP Response from UE to WLC
• RADIUS EAP Request / Response between WLC and AAA (carries MAC, VLAN)
• Diameter EAP Request / Response between AAA and SaMOG Gateway (this will be RADIUS in the first release)
• Depending on the EAP method, from 0 to N such EAP Request/Response exchanges
• Diameter EAP Success; GTP request / response between SaMOG Gateway and GGSN / PDN Gateway; acquired IP address
• RADIUS EAP Success; EAP Success to UE
• Derive PTK (on UE and WLC); 4 way handshake; ready to use / OK to use
• IEEE 802.11 AES data encryption; DHCP request / response
• Data path: 802.11 a/b/g from the UE, 802.11 in CAPWAP (VLAN, MAC) to the WLC, IP packet to the SaMOG Gateway, GTP traffic to the GGSN / PDN Gateway, Layer 3 VPN to the Internet
TRUSTED WLAN ACCESS TO EVOLVED PACKET CORE MOTIVATION – PHASE 2 / REL-12
Desire for (missing) additional functions:
• IP address preservation across handovers between 3GPP and WLAN
• Concurrent connectivity
– Multiple PDN connections
– Concurrent 3GPP access & Trusted WLAN access
– Concurrent PDN connectivity and Non-Seamless WLAN Offload
• UE / NW selection of APN & NSWO
Solution space has 2 dimensions:
• UE / NW signalling for APN/NSWO & attach/handover/detach
– Layer 2: extensions to EAP-AKA or 802.11 ANQP
– Layer 3: extensions to DHCP/DHCPv6
• Per-PDN / NSWO link model
– Per-PDN/NSWO VLAN tagging
– Per-PDN/NSWO MAC address on the TWAG side
TRUSTED ACCESS VISION TOWARDS FMC
[Diagram: 2G/3G RAN via SGSN and Gn (GTP) to the GGSN; Trusted Access with EAP-SIM/AKA and Trusted Access with EAP-TTLS through a SaMOG based TWAG; any access network (set-top, CPE, DHCP, PPPoX) through a BRAS; all converging on the GGSN (Internet access APN) and the IP networks; AAA backed by the HLR and a non-HLR based SDM; Portal, OCS and PCRF.]
JUNOS PULSE WI-FI MANAGER MODULE
WHY USE CLIENT TECHNOLOGY FOR WI-FI OFFLOAD?
• Does the OS natively provide tunneling?
• Does the OS support selective tunneling & confidentiality?
• Does the OS support policy-based control of network selection and application routing?
• Does the OS support management of more than just Wi-Fi authentication credentials? 3rd party roaming?
If the answer to ANY question is “no”, then a client is required!
End User Quality of Experience
Wi-Fi offloading can help. However…. the solution must be 100% seamless and transparent to the end user:
• Completely automated
• Zero end user intervention
• No compromise on quality of connection
• No compromise on device performance
ELSE
Junos Pulse & Wi-Fi Offload
[Diagram: End User/Device (UE) on one side, The Network on the other; Junos Pulse on the device and the Pulse Wi-Fi Manager (PWM) in the network bridge the two.]
• Junos Pulse + Pulse Wi-Fi Manager bridges the gap between the network and the end device and enhances end user quality of experience
• Significantly enhances the end user's quality of experience (QoE) while still offering control to the carrier or enterprise
• Pulse manages 3G/Wi-Fi interactions based on pre-defined policy
PULSE WI-FI MANAGER – ANDROID SUPPORT ONLY IN PHASE 1
Manage Wi-Fi
Wi-Fi Provisioning
- Push & manage Wi-Fi profiles
- Use the on-device supplicant
Location & Device Aware
- User location (city level)
- Device type (iOS/Android)
- e.g. a user in Austin is provisioned with SSID A & SSID B, a user in San Jose with SSID A only
Automatic credential management
- Addresses the gap for non EAP-SIM/AKA enabled Android devices
Smart Wi-Fi On/Off
Turn Wi-Fi on/off on the device based on location
- Balance UX with Wi-Fi attach
- Automate the action or notify the user
- e.g. enable/disable Wi-Fi based on proximity to malls, stadiums etc., using “3G Cell broadcast ID” information
App Notification
Discourage offload for walled garden applications
- e.g. notify the user and allow them to switch to 3G/4G when they run certain walled garden applications
VPN tunnel
Set up a VPN tunnel from the client based on Wi-Fi type etc.
- Secure air link
- Enable walled garden access via backhaul
- No IKEv2 (SSL VPN)
*Scale factors must be considered
Reporting
Measure ROI & plan capacity
- Bytes offloaded on Wi-Fi
- Time spent on Wi-Fi
- Apps used, type of device etc.
- By SSID, AP, location
Pulse Wi-Fi Offload workflow
[Diagram: handset with Junos Pulse; cellular path BTS, RNC, SGSN, GGSN with HLR; Wi-Fi AP; Pulse Wi-Fi Manager (PWM), AAA (e.g. SBR) and firewall towards the Internet.]
1. Phone boots up. Pulse starts running on the device.
2. Pulse contacts the Wi-Fi Manager over the 3G/4G network to get policies.
3. Policy gets downloaded to the device over the 3G/4G network. Policy includes Wi-Fi profiles, credentials, location, application & other criteria etc.
4. Pulse takes action on the device based on policy.
5. User connects to Wi-Fi based on policy. Policy controls when & how the user is offloaded. Pulse tries to use an 802.1x based authentication with the AAA.
6. Policy also dictates what happens after offload (e.g. setup VPN over insecure Wi-Fi).
Pulse Wi-Fi Offload including Trusted Access
[Diagram: as in the previous workflow, with an 802.1x SSID on the Wi-Fi AP and a T-WAG (SaMOG) between the Wi-Fi access and the GGSN.]
1. Phone boots up. Pulse starts running on the device.
2. Pulse collects IMSI + MSISDN and contacts the Wi-Fi Manager over the 3G/4G network to get policies.
3. Policy gets downloaded to the device over the 3G/4G network. Policy includes Wi-Fi profiles, credentials, location, application & other criteria etc.
4. Pulse takes action on the device based on policy.
5. User connects to Wi-Fi based on policy. Policy controls when & how the user is offloaded. Pulse uses 802.1x authentication with the AAA based on PEAP or EAP-TTLS; the Access-Accept carries IMSI + MSISDN from the PWM DB.
6. The Trusted Wi-Fi Access Gateway (SaMOG) forwards Layer 2 traffic into GTP towards the GGSN.
PROVIDER ROAMING & WHOLESALE
EAP-IDENTITY BASED ROAMING EXAMPLE (W. CLEARING HOUSE)
[Diagram: smartphone user on a Wi-Fi AP in the visited network; the APs connect over the metro network to the WLC 2800 and the Visited AAA; the Clearing House AAA sits between the Visited AAA and the subscriber's Home AAA, which queries the Subscriber DB or HLR; Internet breakout at the visited network.]
1.) Subscriber moves to a visited network and attaches to the next Wi-Fi AP.
2.) The AP directs all traffic through the metro network (or the Internet) to the Wi-Fi controller at the visited network.
3.) The Wi-Fi controller notices a new attachment and asks the UE for the EAP-Identity to start the EAP negotiation.
4.) The UE answers and starts the EAP exchange with the EAP-Identity.
5.) The Wi-Fi controller creates a RADIUS request to the local (visited) AAA.
6.) The realm part of the user's NAI identifies that the request can’t be authenticated locally -> proxy forward to the Clearing House AAA.
7.) The Clearing House AAA identifies the Home AAA and forwards the request.
8.) The Home AAA analyses the request (it may answer with a challenge, which will cause a few more interactions back and forth before it can make a final conclusion).
9.) The Home AAA authenticates the subscriber on the database/HLR and sends back an Access-Accept (with a profile to be used).
10.) The answer gets routed back the same way to the VAAA (which analyses the profile setting and may override it).
11.) The Wi-Fi controller gets the Access-Accept with the negotiated cryptographic keys and starts the 4-way handshake with the UE to secure the air interface (AES-CCMP).
12.) The Wi-Fi controller generates RADIUS accounting information to be forwarded (VAAA to HAAA via the Clearing House).
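Steps 5 to 10 above hinge on one decision the visited AAA makes from the realm part of the NAI. The following is an added example, not Juniper or SBR code: it parses the NAI, routes on the realm only (local, via the clearing house, or reject), resolves the home AAA by exact then parent-realm match, and applies the VAAA profile override of step 10 while leaving the key material untouched. The realm tables and attribute names are constructed sample data.

```python
# Realm-based routing of a roaming RADIUS request (steps 5-10 above).
# Added example, not Juniper/SBR code. The visited AAA inspects the NAI
# realm of the User-Name / EAP-Identity, authenticates locally when the
# realm is its own, otherwise proxies to the clearing house, which resolves
# the home AAA. The VAAA may then override profile attributes in the
# returned Access-Accept. Realm table contents are made-up sample data.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    action: str              # "local", "proxy" or "reject"
    realm: Optional[str]     # routing key; the username part is never used
    next_hop: Optional[str]  # AAA server the request is forwarded to
    reason: str


def parse_nai(user_name: str):
    """Split an RFC 7542 NAI into (username, realm); realm is lower-cased.

    Returns None for malformed identities: empty username, more than one
    '@', empty or dotted-edge realm, or control/whitespace characters.
    """
    if not user_name or any(c.isspace() or ord(c) < 0x20 for c in user_name):
        return None
    if user_name.count("@") > 1:
        return None
    if "@" not in user_name:
        return user_name, None           # realm-less identity
    user, realm = user_name.split("@")
    realm = realm.lower()
    if not user or not realm or realm.startswith(".") or realm.endswith("."):
        return None
    return user, realm


def lookup_realm(realm: str, table: dict) -> Optional[str]:
    """Exact realm match first, then the longest parent realm on a label
    boundary, so 'wifi.home.example' is served by the 'home.example' entry."""
    labels = realm.split(".")
    for i in range(len(labels)):
        hit = table.get(".".join(labels[i:]))
        if hit is not None:
            return hit
    return None


def route_request(user_name, local_realms, clearing_house_table):
    # local_realms: realms the visited AAA authenticates itself.
    # clearing_house_table: realm -> home AAA, as the clearing house sees it.
    parsed = parse_nai(user_name)
    if parsed is None:
        return Route("reject", None, None, "malformed NAI")
    _, realm = parsed
    if realm is None or lookup_realm(realm, {r: r for r in local_realms}):
        return Route("local", realm, None, "realm is local")
    home = lookup_realm(realm, clearing_house_table)
    if home is None:
        return Route("reject", realm, None, "no roaming agreement for realm")
    return Route("proxy", realm, home, "proxied via clearing house")


def apply_visited_overrides(access_accept: dict, overrides: dict) -> dict:
    """Step 10: the VAAA may replace profile attributes returned by the home
    AAA (e.g. VLAN or bandwidth class) with its own, but never the key
    material (MS-MPPE-*-Key) the WLC needs for the 4-way handshake."""
    result = dict(access_accept)
    for attr, value in overrides.items():
        if attr.startswith("MS-MPPE"):
            continue
        result[attr] = value
    return result
```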
EXAMPLE ROAMING - VPLS BASED
[Diagram: visited network with WLAN APs, WLAN WLC and a WAG; VPLS based roaming (MAC / VLAN) to the home network; VAAA proxy over SWd to the HAAA with H-HLR/HSS and Pulse Manager; IP networks at the home side.]
• VAAA adds a VLAN attribute per home network on the returned Access-Accept
ROAMING TRUSTED LOCAL SAMOG
[Diagram: visited network with WLAN APs, WLAN WLC (MAC / L2) and a visited WiFi Access Gateway (SaMOG); Gp/GTP based GRX roaming to the H-GGSN / H-PGW in the home network; VAAA proxy over SWd to the HAAA with H-HLR/HSS and Pulse Manager; OCS, PCRF and IP networks at the home side.]
ROAMING TRUSTED HOME SAMOG VPLS
[Diagram: visited network with WLAN APs and WLAN WLC; VPLS based roaming (MAC / VLAN) to a home WiFi Access Gateway (SaMOG) in front of the H-GGSN / H-PGW; VAAA proxy over SWd to the HAAA with H-HLR/HSS and Pulse Manager; OCS, PCRF and IP networks at the home side.]
• VAAA adds a VLAN attribute per home network on the returned Access-Accept