1. Aptilo Networks
“We control Billing, User Services and Access in
Wi-Fi, WiMAX and 3G / LTE networks worldwide”
Why carrier Wi-Fi must go
beyond the offloading aspect
Reinaldo Medina
Manager Sales Engineer
2. Why Build Wi-Fi ?
• Stand out from competition
• Large Wi-Fi Network = Loyalty
• Drive to premium plans ($49 -> $59)
• Bundle with other services
• Reduce churn
• Wi-Fi-only devices become subscribers
• ”All” devices have Wi-Fi
• Offload up to 30% of traffic
• Users like Wi-Fi
• Take control – make Wi-Fi secure & seamless
• Slow down CAPEX at busy sites
• Lower cost to produce data
• Some services only available in Wi-Fi
4. Offloading and 3GPP integration
[Diagram: 3GPP AAA for Trusted & Untrusted Authentications. Labelled elements: HSS, PCRF, MME, eNB, LTE RAN, SGW/PDN GW, 3GPP AAA, ePDG, AG/WAG, Wi-Fi RAN. Labelled interfaces: SWx, S6b, S2a, S2b, SWm, STa, SWa. Authentication: EAP-SIM. Paths: Wi-Fi to Mobile Core over Trusted WLAN and Un-Trusted WLAN; traffic path and signalling path.]
Is it really that “simple”?
5. Carrier-Class Wi-Fi is so much more than just
Offloading and 3GPP integration
[Diagram: 3GPP AAA for Trusted & Untrusted Authentications. Labelled elements: HSS, PCRF, MME, eNB, LTE RAN, SGW/PDN GW, 3GPP AAA, ePDG, AG/WAG, Wi-Fi RAN, ANDSF, OCS, OFCS, CRM, SMSC. Labelled interfaces: SWx, S9, S6b, S2a, S2b, SWm, STa, SWa. Other labels: Policy, Charging, Look-up, SMS OTP, EAP-SIM, Radius/WEB, non-SIM devices, Local Break-Out Only, Wi-Fi to Mobile Core, Wi-Fi to Local Break-Out, Trusted WLAN, Un-Trusted WLAN, traffic path, signalling path.]
Carrier-Class Wi-Fi Service Management
• Wi-Fi AAA, Captive Portal & Hotspot Management for non-3GPP
• One-time-password via SMS
Innovative Integration For Policy & Charging
• Policy Manager for Wi-Fi policies, can make lookups from PCRF, CRM or any database.
• Charging & Billing aggregation
6. I am not building my own Wi-Fi footprint……
Do I need a Wi-Fi Service Management system?
YES!
• Need a system to roam with WISPs
• Need a system for SIM authentication
• Need a system to handle secure logins
‒ Use of so-called opaque login: the user is securely forwarded to their home portal for login. Advanced Wi-Fi Service Management System creates temporary credentials to log in to the WISP’s network.
• Need a system for charging & billing aggregation
• Need a system to translate policies to what makes sense in each WISP’s Wi-Fi network
WISPs = Wireless Internet Service Providers
[Diagram labels: Clients, AP, Access Gateway, Portal, Wi-Fi Service Mgmt System, HTTPS, Secure forwarding, Mobile Operator Portal, Mobile Core, PCRF, HLR, HSS, OCS, OFCS, CRM, Temporary credentials for WISP login.]
7. How To Build Coverage
Traditional Hotspots
• Hotels, restaurants, airports
• Retail/shopping strong trend
• Acquisition WISP network
• 3GPP Core Integration
Small Cells (outdoor)
• Where high 3G traffic
• Stadiums, High Streets, Metro, Square, Parks, Beaches
• 2016 90% of BS = Small Cells
• Wi-Fi + Small Cell convergence
• Micro/Pico BS with Wi-Fi
Residential/SMB
• Combined with DSL
• All subs > 5 Mbps
• Dual SSID
‒ One for public use
‒ Utilize overcapacity
[Diagram labels: "Normal" RAN roll-out; Utilize an Existing Network]
8. Common Wi-Fi Business Models
• Post/Prepaid subscription loyalty
→ Wi-Fi unlimited
• Post/Prepaid subscription bundle
→ Bundle Wi-Fi with e.g. 1:10 charging
• Group account subscriptions
→ One SIM, multiple devices (SIM/non-SIM)
• Pay per use
→ Multiple data plans (daypass, weekpass)
• Enterprise offers (B-to-B)
→ Guest Internet Access, Hospitality
9. Why SIM authentication is so important for the
offloading business model
• Very strong usage increase (10x users in 12 months)
‒ Similar statistics among several mobile operators
• More frequent and shorter sessions
‒ Due to completely seamless transfer Wi-Fi/3G
• Strong correlation to iOS5
‒ All Apple iOS devices can do EAP-SIM
• 50% reduction HSPA traffic
‒ In cells with good Wi-Fi coverage
• Example from an airport
10. Why additional authentication methods are needed
Not all devices support SIM authentication.
• There are alternative methods
‒ Balance experience vs security
• Highest Security
‒ As secure as 3G/4G
‒ Payload encrypted
• High Security
‒ High security for authentication
‒ No encryption of payload
• Standard Security
‒ Some security risk for password authentication
‒ No encryption of payload
[Figure: authentication methods arranged by security level (Standard, High, Highest). Row labels recoverable from the figure: Automatic; Manual One-time; Manual. Method labels: SIM-based WISPr 2.0; MAC-based authentication; WISPr Client; SIM-based 802.1x; OTP via SMS; Self-registration via SMS, then MAC-based; SIM-based 802.1x with bill shock prevention*; Manual login username / password; One-time-password via SMS.]
* User is automatically authenticated but needs to accept an
additional charge via the portal before gaining access to the Internet
11. Innovative combination of authentication methods
• Case: Tier 1 mobile operator
‒ Wanted to combine the security and convenience of SIM authentication with the monetization of the service through a WEB portal.
• Combines SIM + Portal
• User just has to approve charge with a single click
• Use of Aptilo’s innovative ServiceGlue
‒ Possible to add advanced logic to the authentication flow
1. Retrieval of MAC address and IMSI
• During the SIM authentication, the user’s MAC address and IMSI are retrieved and posted to the CRM system.
• Based on the IMSI, the user can be securely identified and the MAC address tied to the correct MSISDN.
2. Re-direct to portal after SIM authentication
• The user’s MAC address is used to look up the user’s MSISDN in the CRM system. The individual user is then presented with different options based on his/her status: approve charge and click to connect, top-up, etc. MSISDN is used as charging identifier.
12. Hotspot 2.0 and the new 802.11u standard
• Network discovery and selection
‒ Automatic discovery of suitable networks through the advertisement of access network type, roaming consortium support and venue information
• How Hotspot 2.0 works
1. 802.11u-capable AP beacons with HS2.0 support
2. The Passpoint certified device detects the HS 2.0 network
3. Device selects AP and performs ANQP request to determine what providers are supported, capabilities of the AP, etc.
4. AP responds to ANQP query with requested information
5. Device compares provisioned profile information against HS2.0 data from APs and associates to the best SSID
• Next Generation Hotspot (NGH)
‒ Extends the HS 2.0 initiative to include
• Roaming/WRIX (roaming exchange) updates
• Accounting support
• Legacy authentication methods
Will take time before 802.11u support is widespread, ANDSF will add policy-based network selection
[Figure labels: More; AP; Today; AP with 802.11u]
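The selection in steps 3 to 5 of "How Hotspot 2.0 works", as an added Python example that is not from the original slides or from Aptilo. The class and field names, the ranking (home provider before roaming partner, then signal strength) and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class AnqpAnswer:
    """Provider data one AP returned in step 4 (simplified model, not a wire format)."""
    bssid: str
    ssid: str
    nai_realms: frozenset
    plmn_ids: frozenset      # 3GPP cellular network info as MCC+MNC strings
    roaming_ois: frozenset   # roaming consortium identifiers
    rssi_dbm: int


@dataclass(frozen=True)
class Profile:
    """Credentials provisioned on the device (hypothetical field names)."""
    home_realm: str
    home_plmn: str
    partner_ois: frozenset


def match_rank(profile: Profile, ap: AnqpAnswer) -> Optional[int]:
    """0 = home provider, 1 = roaming partner, None = nothing provisioned matches."""
    if profile.home_realm in ap.nai_realms or profile.home_plmn in ap.plmn_ids:
        return 0
    if profile.partner_ois & ap.roaming_ois:
        return 1
    return None


def select_ap(profile: Profile, answers: Iterable[AnqpAnswer]) -> Optional[AnqpAnswer]:
    """Step 5: best match by provider rank, then signal; the SSID is never compared."""
    ranked = [(match_rank(profile, ap), -ap.rssi_dbm, ap) for ap in answers]
    usable = [r for r in ranked if r[0] is not None]
    # No match means no automatic association. ANQP is exchanged before
    # association, so the EAP authentication that follows (EAP-SIM on these
    # slides) is where authentication actually happens.
    return min(usable, key=lambda r: r[:2])[2] if usable else None


# Constructed sample data: realms, PLMN 001/01, OI and BSSIDs are placeholders.
PROFILE = Profile("operator.example", "00101", frozenset({"aabbcc"}))
ANSWERS = [
    AnqpAnswer("02:00:00:00:00:01", "Operator-WiFi", frozenset(), frozenset(), frozenset(), -40),
    AnqpAnswer("02:00:00:00:00:02", "Venue", frozenset({"partner.example"}), frozenset(), frozenset({"aabbcc"}), -55),
    AnqpAnswer("02:00:00:00:00:03", "Passpoint", frozenset({"operator.example"}), frozenset({"00101"}), frozenset(), -70),
]

if __name__ == "__main__":
    chosen = select_ap(PROFILE, ANSWERS)
    print(chosen.bssid if chosen else "no provisioned match, stay on cellular")
```

The first sample AP has the strongest signal and an operator-looking SSID but advertises no provider data that matches the profile, so it is never chosen automatically.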