Wi-Fi Offloading, How? – Chapter 4.2
4G/5G NSA Wi-Fi Access
The 3GPP AAA server is located in the 3GPP Home Public Land Mobile Network (HPLMN). For 3GPP Wi-Fi access in 4G and 5G non-standalone (5G NSA) networks, it provides authentication, authorization, policy enforcement, and routing information to the packet gateways in both the Wi-Fi core and the mobile core. It authenticates Wi-Fi devices with EAP-SIM, EAP-AKA or EAP-AKA′, using the subscriber key held on the device's SIM/USIM and authentication vectors fetched from the HLR/HSS, so that Wi-Fi access is automatic (no user-entered credentials) and cryptographically bound to the subscription.
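As an added example (not part of the white paper), the following Python models the AKA challenge-response that the 3GPP AAA drives inside EAP-AKA: the home AuC/HSS produces an authentication vector, the USIM verifies the network's MAC and sequence number before it answers, and the AAA compares the device's RES with the XRES from the vector. The f1 to f5 functions are HMAC-SHA-256 stand-ins (an assumption for illustration, not the Milenage or TUAK algorithm sets a real USIM uses); the key, AMF and sequence numbers are constructed sample data, and the field sizes follow TS 33.102.

```python
"""Toy model of the 3GPP AKA exchange that a 3GPP AAA runs inside EAP-AKA.

Assumption: f1..f5 are HMAC-SHA-256 stand-ins, NOT the Milenage or TUAK
algorithm sets a real USIM/AuC uses. Field sizes follow TS 33.102:
RAND 16 B, MAC 8 B, RES 8 B, CK/IK 16 B, AK/SQN 6 B, AMF 2 B.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _f(k: bytes, tag: bytes, data: bytes, n: int) -> bytes:
    """Domain-separated keyed function truncated to n bytes (toy f-function)."""
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]


def f1(k, sqn, amf, rand): return _f(k, b"f1", sqn + amf + rand, 8)   # MAC-A
def f2(k, rand): return _f(k, b"f2", rand, 8)                          # (X)RES
def f3(k, rand): return _f(k, b"f3", rand, 16)                         # CK
def f4(k, rand): return _f(k, b"f4", rand, 16)                         # IK
def f5(k, rand): return _f(k, b"f5", rand, 6)                          # AK (conceals SQN)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class AuthVector:
    """One AV as the HLR/HSS hands it to the 3GPP AAA (SWx/Wx or MAP)."""
    rand: bytes
    xres: bytes
    ck: bytes
    ik: bytes
    autn: bytes  # (SQN xor AK) || AMF || MAC


class HomeAuC:
    """HLR/HSS authentication centre holding the subscriber key K."""

    def __init__(self, k: bytes):
        self.k = k
        self.sqn = 0  # constructed sample: counter starts at 0

    def generate_av(self, rand: bytes = b"") -> AuthVector:
        self.sqn += 1                                   # fresh SQN per vector
        sqn = self.sqn.to_bytes(6, "big")
        amf = b"\x80\x00"                               # constructed sample AMF
        rand = rand or os.urandom(16)
        mac = f1(self.k, sqn, amf, rand)
        autn = xor(sqn, f5(self.k, rand)) + amf + mac
        return AuthVector(rand, f2(self.k, rand), f3(self.k, rand),
                          f4(self.k, rand), autn)


class USIM:
    """Device side: authenticate the network before revealing RES."""

    def __init__(self, k: bytes):
        self.k = k
        self.sqn_ms = 0  # highest SQN accepted so far

    def challenge(self, rand: bytes, autn: bytes):
        """Returns (status, RES, CK, IK); status mirrors the EAP-AKA responses."""
        ak = f5(self.k, rand)
        sqn, amf, mac = xor(autn[:6], ak), autn[6:8], autn[8:16]
        if not hmac.compare_digest(f1(self.k, sqn, amf, rand), mac):
            return "MAC_FAILURE", None, None, None   # AKA-Authentication-Reject
        sqn_int = int.from_bytes(sqn, "big")
        # Simplified freshness rule (strictly increasing); a real USIM keeps an
        # SQN array with an acceptance window, see TS 33.102 Annex C.
        if sqn_int <= self.sqn_ms:
            return "SYNC_FAILURE", None, None, None  # replayed or stale challenge
        self.sqn_ms = sqn_int
        return "OK", f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)


def aaa_check_res(av: AuthVector, res: bytes) -> bool:
    """3GPP AAA: does the device's RES match the XRES delivered by the HSS?"""
    return hmac.compare_digest(av.xres, res)


def run_eap_aka(auc: HomeAuC, usim: USIM):
    """One EAP-AKA round: (USIM verdict, RES accepted by AAA, CK/IK agree)."""
    av = auc.generate_av()
    status, res, ck, ik = usim.challenge(av.rand, av.autn)
    if status != "OK":
        return status, False, False
    return status, aaa_check_res(av, res), (ck, ik) == (av.ck, av.ik)


if __name__ == "__main__":
    k = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")  # constructed sample K
    print(run_eap_aka(HomeAuC(k), USIM(k)))
```

The point to take from the model is the order of checks on the device: the USIM refuses to compute RES until the MAC in AUTN proves the challenge came from a party holding K and the sequence number proves it is fresh, which is what makes a rogue access point with a captured RADIUS exchange useless. In the real deployment the AuC lives behind the HLR/HSS and the 3GPP AAA only relays RAND/AUTN and compares RES; it never sees K.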
White Paper: Wi-Fi Offloading, How?
This is an excerpt from our white paper, Wi-Fi Offloading, How?, a technical deep dive into deploying Wi-Fi offloading solutions. If you like what you read, download the full white paper. As a bonus, you’ll also gain access to Wi-Fi Offloading, Why?, outlining the business benefits for mobile operators.
Below, we explore the role of the standard 3GPP AAA for SIM authentication in various 4G and 5G NSA Wi-Fi access scenarios, including all 3GPP-specified options for 3GPP Wi-Fi access. To provide a comprehensive view, we include the Enea Aptilo SMP in the diagrams with an integrated 3GPP AAA and additional functions that may be essential for real-world deployments. We cover the Enea Aptilo SMP in more depth in the upcoming Enea’s Wi-Fi Offloading Expertise chapter; download the full white paper to get access to it now.
The first two, local WLAN break-out and access through DPI, are not standardized by 3GPP but are widely deployed, and they can also be used for 5G as long as SIM authentication can be carried out in the corresponding 5G architecture.
Local WLAN Break-Out
As discussed, this option can be used for any generation of cellular network and is currently the most widely deployed architecture among mobile operators. All client traffic breaks out locally to the Internet at the Wi-Fi access gateway and never enters the mobile core; only the authentication exchange does. Authentication uses standard RADIUS and EAP methods, with the SIM credentials verified against the HLR/HSS. The Wi-Fi access point must support 802.1X with EAP-SIM/AKA/AKA′, and the 3GPP AAA reaches the HLR over the D′/Gr′ MAP interfaces or the HSS over the Wx/SWx Diameter interfaces.
Access Through DPI
This option can be used for any generation of cellular network. All traffic from devices that authenticate with their SIM is carried to a Deep Packet Inspection (DPI) node in the mobile core, where the operator inspects it and enforces subscriber policy; traffic from non-SIM devices breaks out to the Internet locally. Policy-based routing at the Wi-Fi access gateway steers the traffic of the devices that passed SIM authentication to the DPI.
Authentication uses standard RADIUS and EAP methods, with the SIM credentials verified against the HLR/HSS. The Wi-Fi access point must support 802.1X with EAP-SIM/AKA/AKA′, and the 3GPP AAA reaches the HLR over the D′/Gr′ MAP interfaces or the HSS over the Wx/SWx Diameter interfaces.
Trusted Wi-Fi Access in EPC
This option applies to 4G and 5G non-standalone (5G NSA) and is based on 3GPP TS 23.402, which introduced the Trusted WLAN Access Gateway (TWAG). The TWAG establishes a GTPv2, PMIPv6 or MIPv4 tunnel (the S2a interface) to the P-GW in the EPC for all trusted traffic.
“Trusted” here means an operator-controlled Wi-Fi environment secured with 802.1X; whether a given access network is treated as trusted is the home operator's decision, not a property of the radio network. SIM authentication is integrated with the HLR through the D′/Gr′ MAP interfaces or with the HSS over the SWx Diameter interface. The Wi-Fi access point must support 802.1X with EAP-SIM/AKA/AKA′, and the device must support the corresponding EAP method.
The STa interface, between the trusted WLAN access network and the 3GPP AAA, carries the EAP authentication of the client (the 3GPP AAA in turn fetches the authentication data from the HSS over SWx) and the selection of which S2a tunnel type to use. The S6b interface, between the 3GPP AAA and the P-GW, is mainly used for tunnel authentication and authorization, static quality of service, and mobility parameters (where applicable).
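What EAP-AKA′ adds over EAP-AKA on a trusted WLAN is visible in the key derivation. As an added example (not code from the white paper), the following Python follows TS 33.402 Annex A.2 and RFC 5448: it derives CK′/IK′ from CK/IK and the access network identity, then the EAP-AKA′ master key and the MSK, whose first 256 bits the access point uses as the 802.1X pairwise master key (PMK). The CK, IK, SQN⊕AK and subscriber identity values are constructed sample data; "WLAN" is the access network identity 3GPP assigns to WLAN access, and "HRPD" is used only as a contrasting second network name.

```python
"""EAP-AKA' key derivation (RFC 5448 / TS 33.402 Annex A.2), added example.

Shows why AKA' is preferred on trusted WLAN: the CK/IK from the HSS are bound
to the access network identity before any EAP key is derived, so a key set
obtained in one access network cannot be replayed in another.
"""
import hashlib
import hmac


def prf_prime(k: bytes, s: bytes, out_len: int) -> bytes:
    """PRF' of RFC 5448 section 3.4.1: T_n = HMAC-SHA-256(K, T_{n-1} | S | n)."""
    out, t, n = b"", b"", 1
    while len(out) < out_len:
        t = hmac.new(k, t + s + bytes([n]), hashlib.sha256).digest()
        out += t
        n += 1
    return out[:out_len]


def derive_ck_ik_prime(ck: bytes, ik: bytes, network_name: str, sqn_xor_ak: bytes):
    """TS 33.402 Annex A.2: CK'|IK' = HMAC-SHA-256(CK|IK, FC|P0|L0|P1|L1), FC = 0x20.

    P0 = access network identity, P1 = SQN xor AK (the first 6 bytes of AUTN).
    """
    p0 = network_name.encode("utf-8")
    s = (b"\x20" + p0 + len(p0).to_bytes(2, "big")
         + sqn_xor_ak + len(sqn_xor_ak).to_bytes(2, "big"))
    out = hmac.new(ck + ik, s, hashlib.sha256).digest()
    return out[:16], out[16:]   # CK' = first 128 bits, IK' = last 128 bits


def eap_aka_prime_keys(ck, ik, network_name, sqn_xor_ak, identity: str) -> dict:
    """RFC 5448 section 3.3: MK = PRF'(IK'|CK', "EAP-AKA'"|Identity), 1664 bits."""
    ck_p, ik_p = derive_ck_ik_prime(ck, ik, network_name, sqn_xor_ak)
    mk = prf_prime(ik_p + ck_p, b"EAP-AKA'" + identity.encode("utf-8"), 208)
    return {
        "K_encr": mk[0:16],    # encrypts AT_ENCR_DATA inside EAP-AKA' packets
        "K_aut": mk[16:48],    # keys the AT_MAC attribute
        "K_re": mk[48:80],     # fast re-authentication key
        "MSK": mk[80:144],     # exported to the authenticator (the access point)
        "EMSK": mk[144:208],
    }


def pmk_from_msk(msk: bytes) -> bytes:
    """IEEE 802.11: the 802.1X PMK is the first 256 bits of the EAP MSK."""
    return msk[:32]


# Constructed sample inputs (NOT real subscriber material).
SAMPLE_CK = bytes.fromhex("b40ba9a3c58b2a05bbf0d987b21bf8cb")
SAMPLE_IK = bytes.fromhex("f769bcd751044604127672711c6d3441")
SAMPLE_SQN_XOR_AK = bytes.fromhex("aa0ce0a7fef7")      # first 6 bytes of a sample AUTN
# Root NAI in the TS 23.003 form; the leading '6' selects EAP-AKA'. Sample IMSI.
SAMPLE_IDENTITY = "6001010123456789@nai.epc.mnc001.mcc001.3gppnetwork.org"


def keys_for(network_name: str) -> dict:
    """Derive the EAP-AKA' key set for the sample AV on the named access network."""
    return eap_aka_prime_keys(SAMPLE_CK, SAMPLE_IK, network_name,
                              SAMPLE_SQN_XOR_AK, SAMPLE_IDENTITY)


if __name__ == "__main__":
    wlan = keys_for("WLAN")
    print("PMK handed to the AP for WLAN:", pmk_from_msk(wlan["MSK"]).hex())
    print("same AV on another access network yields the same PMK:",
          pmk_from_msk(keys_for("HRPD")["MSK"]) == pmk_from_msk(wlan["MSK"]))
```

Run over the same authentication vector with two different network names, the derivation yields two unrelated PMKs; with plain EAP-AKA the MSK depends only on CK, IK and the identity, so a vector obtained through one access network could be used to authenticate in another. This binding, together with the 802.1X requirement, is what lets the operator treat the WLAN as trusted.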
The 3GPP specification also allows for a full or partial local breakout of Wi-Fi traffic at the TWAG in the Wi-Fi core.
Untrusted Wi-Fi Access in EPC
This option applies to 4G and 5G non-standalone (5G NSA) and is based on 3GPP TS 23.402, which introduced the evolved Packet Data Gateway (ePDG). The device needs an EAP client and IPsec support: it authenticates with EAP-AKA inside IKEv2 and tunnels its traffic to the ePDG. Because the IPsec tunnel protects the traffic across the Wi-Fi network, the access network's own security is not relied upon; there is no impact on the Wi-Fi core or Wi-Fi RAN, and any Wi-Fi network will work. The IPsec tunnels terminate in the ePDG, a mobile core node introduced for this purpose, which maps them to GTPv2 or PMIPv6 tunnels (the S2b interface) terminated in the P-GW. In practice, the ePDG and P-GW functions are typically integrated into the same Evolved Packet Gateway (EPG).
The SWa interface, between the untrusted access network and the 3GPP AAA, can carry EAP client authentication from the access network, with the 3GPP AAA reaching the HSS over SWx. The SWm interface, between the ePDG and the 3GPP AAA, carries the authentication and authorization of the IPsec tunnel, including the subscription profile and the selection of which S2b tunnel type to use. The S6b interface, between the 3GPP AAA and the P-GW, is mainly used for tunnel authentication, static quality of service, and mobility parameters (where applicable).