SIM Authentication, also known as EAP-SIM/AKA, is all about a seamless and secure user experience and is one of the cornerstones of Passpoint (Hotspot 2.0). Users are automatically connected to an encrypted (802.1X) Wi-Fi network.
Seamless and Secure Authentication
The key to a successful mobile data offloading strategy is ease of use with a seamless and secure user experience. SIM-based authentication is a powerful tool for achieving these goals. This is the method whereby mobile/cellular devices use the credentials in a SIM card / eSIM to authenticate the device for Wi-Fi service on a secure, 802.1X-capable Wi-Fi network. Users will just automatically and securely fly onto the Wi-Fi network.
SIM Authentication for Wi-Fi as Secure as Cellular
One of the key benefits of using the SIM / eSIM for authentication (EAP-SIM/AKA) is that both the authentication process and the data must be encrypted in the Wi-Fi network. Hence, the Wi-Fi network becomes as secure as the cellular network. Learn more technical details below.
EAP-SIM/AKA Optimized for Wi-Fi Offload
The Enea Aptilo SMP SIM Authentication server performs EAP-SIM/AKA authentication optimized with the standard 3GPP AAA functionalities needed for an offloading scenario, enabling SIM-based authentication for any secure Wi-Fi network. Furthermore, the Enea Aptilo mobile offloading solution supports various alternative authentication methods for devices without SIM cards or lacking support for the EAP-SIM/AKA method.
EAP-SIM and EAP-AKA for Mobile Devices
Delivered as a module on Enea Aptilo Service Management Platform (SMP), the Aptilo SMP SIM Authentication server utilizes the same mechanism used in the mobile core to obtain a seamless and secure user experience when authenticating the mobile device to the cellular network. As Enea Aptilo SMP (software) or SMP-S (service on AWS) is the core platform, you can get seamless Wi-Fi Offload, Carrier Wi-Fi, and B2B Guest Wi-Fi support from one scalable platform.
We can also provide the 3GPP AAA functionality for Wi-Fi Calling, even though we recommend the Enea Access Manager if this is all you want to do.
Using Existing Mobile Infrastructure
A mobile operator (MNO/MVNO) can leverage the existing infrastructure for HLR/HSS by adding a dedicated EAP-SIM/AKA authentication function.
The Enea Aptilo SMP SIM Authentication server provides a means for authentication with the subscriber credentials in the SIM card / eSIM. It provides EAP-SIM/AKA (SIM/USIM-based) authentication for Wi-Fi users based on the information retrieved from the existing HSS over the Diameter Wx interface (supporting 3GPP Release 7 and onwards). It can do the same with data from the HLR over the SS7/MAP D’/Gr’ interface (supporting 3GPP Release 6 and onwards).
It can also interact with existing core network systems such as PCRF/PCF and DPI, and with OSS/BSS systems such as CRM, to build advanced policies for the session. One example is to first authenticate the user seamlessly and then engage them with a portal experience, or send an SMS/e-mail, if the policies for the current location and user type dictate.
Using our vendor-agnostic solution, you can use the existing mobile infrastructure independent of the HLR/HSS vendor and regardless of system generation.
Scalability and Availability
When automatically and actively offloading cellular users, mobile operators need to handle Wi-Fi as a service that is as critical as mobile broadband.
This calls for an exceptionally scalable architecture with high availability. Our solution caters to this as we have built it on our SMP ALE architecture which takes the scalability and availability issue out of the equation with linear scalability and high availability, including geographic redundancy.
It supports SNMP-based network management, meaning service providers can integrate this node into the overall NOC operations.
Flexible Connectivity to HSS/HLR in the Mobile Core
The Enea Aptilo SMP SIM Authentication server can easily connect to existing SS7 networks and can be delivered with an optional SS7 PCI-Express board. Additionally, to facilitate connection with next-generation IP networks, it can handle SS7 over IP using the built-in support for SIGTRAN. The physical link for the IP-based SIGTRAN protocol and Diameter Wx is the native high-capacity IP network adapter in the server hardware. Many SS7 and SIGTRAN protocols are supported to facilitate smooth integration with the mobile core. Different national variants (ANSI, ITU, Chinese, and Japanese) and hybrid variants are also supported. Authentication for both USIM- and SIM-based devices simultaneously provides a seamless migration path from older to newer devices.
With a dedicated and purpose-built function for SIM-based authentication, a service provider gets the most flexibility in terms of network topology. In a multi-HLR and -HSS environment, we provide a central aggregation point for all Wi-Fi-based SIM authentication requests. We can perform authentications to multiple HLR and HSS nodes from different vendors. Thanks to the central aggregation point based on Enea Aptilo SMP multi-vendor support, it is possible to connect various other Wi-Fi systems that perform RADIUS signaling for the individual Wi-Fi networks.
It is also possible to deploy the function co-located with each HLR/HSS and configure a connection to the Wi-Fi AAA from each authentication node.
How Does EAP-SIM/AKA Work?
The EAP-SIM/AKA method requires that the Wi-Fi network supports 802.1X, which encrypts the content of the communication – a significant benefit, as it gives a security level equivalent to the security in cellular networks. The authentication – using the user credentials on the SIM card / eSIM and the Extensible Authentication Protocol (EAP) – proceeds in three automatic steps that occur without any user interaction:
- During the initialization, only EAP over LAN (EAPOL) 802.1x traffic is allowed between the client and the Wi-Fi access point. All other traffic like DHCP or HTTP is blocked.
- The client presents the SIM-based user credentials to the Wi-Fi access point, which in turn encapsulates the EAP authentication request in RADIUS and sends it to the Aptilo SMP SIM Authentication server. The Aptilo SMP SIM Authentication server contacts the HLR/HSS through the SS7/MAP D’/Gr’ or Diameter Wx interface and retrieves the GSM/LTE authentication vectors used to authenticate the user. Upon successful authentication, the Aptilo SMP SIM Authentication server sends the generated encryption keys, used to protect the Wi-Fi radio link, to the access point (AP).
- To be admitted to the network, the client must validate the authentication vectors through the SIM card and derive exactly the same encryption keys on its side.
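The second and third steps above, simulated end to end as an added example written for this page (not Enea Aptilo's implementation): the HSS side builds an AKA authentication vector, the USIM side authenticates the network via AUTN before it answers, the AAA side compares RES with XRES, and only then do both sides derive the RFC 4187 master key from which the AP's keys come. The Milenage f1..f5 functions are replaced by HMAC-SHA256 stand-ins and the AMF field is omitted; both are labelled assumptions in the code.

```python
import hashlib
import hmac
import os

def _f(k: bytes, tag: bytes, *parts: bytes) -> bytes:
    # Constructed stand-in for the 3GPP Milenage f1..f5 functions (keyed HMAC-SHA256), not real Milenage.
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()

def hss_vector(k: bytes, sqn: int, rand: bytes = b"") -> dict:
    """HSS/HLR side: build one AKA authentication vector (RAND, AUTN, XRES, CK, IK) for subscriber key K."""
    rand = rand or os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = _f(k, b"f1", rand, sqn_b)[:8]                       # network authentication code
    ak = _f(k, b"f5", rand)[:6]                               # anonymity key hides SQN on the air
    autn = bytes(a ^ b for a, b in zip(sqn_b, ak)) + mac      # AUTN = (SQN xor AK) || MAC (AMF omitted)
    return {"rand": rand, "autn": autn, "xres": _f(k, b"f2", rand)[:8],
            "ck": _f(k, b"f3", rand)[:16], "ik": _f(k, b"f4", rand)[:16]}

def usim_challenge(k: bytes, rand: bytes, autn: bytes, last_sqn: int) -> dict:
    """USIM side: authenticate the network first; only then release RES and the CK/IK key material."""
    ak = _f(k, b"f5", rand)[:6]
    sqn = int.from_bytes(bytes(a ^ b for a, b in zip(autn[:6], ak)), "big")
    if not hmac.compare_digest(_f(k, b"f1", rand, sqn.to_bytes(6, "big"))[:8], autn[6:]):
        raise ValueError("AUTN MAC failure: network not authenticated")
    if sqn <= last_sqn:
        raise ValueError("SQN not fresh: vector replayed")
    return {"res": _f(k, b"f2", rand)[:8], "ck": _f(k, b"f3", rand)[:16],
            "ik": _f(k, b"f4", rand)[:16], "sqn": sqn}

def eap_aka_master_key(identity: bytes, ik: bytes, ck: bytes) -> bytes:
    """RFC 4187 section 7: MK = SHA1(Identity | IK | CK); the MSK handed to the AP is derived from MK."""
    return hashlib.sha1(identity + ik + ck).digest()

def run_eap_aka(k_sim: bytes, k_hss: bytes, identity: bytes, sqn: int, last_sqn: int, tamper: bool = False):
    """One exchange: AAA fetches a vector from the HSS, USIM checks AUTN, AAA checks RES.
    Returns (accepted, client_mk, server_mk); on any failure no key material is produced for the AP."""
    v = hss_vector(k_hss, sqn)
    autn = v["autn"] if not tamper else bytes([v["autn"][0] ^ 1]) + v["autn"][1:]  # simulated on-air corruption
    try:
        r = usim_challenge(k_sim, v["rand"], autn, last_sqn)
    except ValueError:
        return False, None, None          # client refuses to answer; nothing leaves the SIM
    if not hmac.compare_digest(r["res"], v["xres"]):
        return False, None, None          # AAA rejects; no keys are sent to the access point
    return True, eap_aka_master_key(identity, r["ik"], r["ck"]), eap_aka_master_key(identity, v["ik"], v["ck"])
```

The subscriber key K never leaves the SIM or the HSS: only RAND, AUTN and RES cross the Wi-Fi link, and the AP receives derived keys from the AAA server only after both checks pass.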