3GPP Wi-Fi Access

The standard way of integrating Wi-Fi with cellular core networks


3GPP Options for Wi-Fi Access

The 3GPP standard defines two types of access; trusted and untrusted non-3GPP access. Non-3GPP access includes access from, for instance, Wi-Fi, WiMAX, fixed, and CDMA networks. Our Mobile Data Offloading solution is based on these standards with the addition of functions to make it work even better in real-world deployments.

The 3GPP Wi-Fi Access works in concert with Passpoint-enabled Wi-Fi networks, using SIM authentication (EAP-SIM/AKA) as the preferred authentication method.

new white paper

Wi-Fi Offloading – Why?

Download our white paper now.

Wi-Fi Offload Why white paper

Use the tabs below to learn more about trusted and untrusted non-3GPP access and how the standards support cellular and Wi-Fi convergence for 3G, 4G, and 5G networks. Under the 5G tab, you will also find more information about Access Traffic Steering, Switching, and Splitting (ATSSS).


Below we will explain the practical principles behind trusted and untrusted 3GPP Wi-Fi access.



3GPP Wi-Fi Access Acronyms in 3G, 4G and 5GIt can be overwhelming and confusing with all these acronyms that come with new 3GPP releases. So for the benefit of those of you familiar with the acronyms for 3G and 4G, please refer to this ‘translation table.

Note that these are just ‘functions’ and may be delivered as one combined solution, deployed as containerized functions, or the same virtual or physical gateway node.


Trusted 3GPP Wi-Fi Access

3GPP Wi-Fi Access Trusted

Trusted non-3GPP (Wi-Fi) access was first introduced with the LTE standard in 3GPP Release 8 (2008). Trusted access is often assumed to be operator-built Wi-Fi access with encryption (enabled by 802.1x) in the Wi-Fi radio access network (RAN) and a secure authentication method (EAP). However, it is always up to the home operator to decide what is to be considered trusted.

In the case of trusted access, the device (UE) is connected through a Wireless Access Gateway in the Wi-Fi core. In turn, this Wireless Access Gateway (WAG) is connected through a secure tunnel directly with the Packet Gateway, also used for cellular traffic in the Mobile Core. In the case of 5G, a null-encryped tunnel is used between the device and the WAG, more about this in the  Wi-Fi and 5G convergence section.

SIM Authentication (EAP-SIM/AKA/AKA’ or 5G-AKA) is also essential for trusted non-3GPP access. In addition to authentication of the device, it produces cryptographic keys used for encryption in the secure Wi-Fi network (802.1x).

In practice, the Wi-Fi access network must support the following features to be considered trusted:
  • 802.1x-based authentication, which in turn also requires encryption of the RAN
  • 3GPP-based network access using the EAP method for authentication
  • IPv4 and/or IPv6

Untrusted 3GPP Wi-Fi Access

3GPP Wi-Fi Access Untrusted

Untrusted non-3GPP (Wi-Fi) access was first introduced in the Wi-Fi specification in 3GPP Release 6 (2005). At that time, Wi-Fi access points featuring advanced security features were rare. Hence Wi-Fi was considered open and unsecured by default. Untrusted access includes any Wi-Fi access the operator has no control over, such as public hotspots, subscribers’ home Wi-Fi, and corporate Wi-Fi. It also consists of Wi-Fi that does not provide sufficient security mechanisms such as authentication and radio link encryption.

The fact that untrusted non-3GPP access works over any Wi-Fi network is why it is the method of choice for Wi-Fi Calling.

The untrusted model requires no changes to the Wi-Fi network but impacts the device side because it needs an IPsec client to reside on it. The device is connected through a secure IPsec tunnel directly to an IPsec Terminating Gateway in the Mobile Core, which is connected through an encrypted tunnel to the Packet Gateway. The Packet Gateway is used for both cellular and Wi-Fi traffic.

This integration on the core network side also means that Wi-Fi service management platforms, such as the Aptilo Service Management Platform™ (SMP), must interface with mobile core network HLR/HSS/AMF for SIM Authentication (EAP-SIM/AKA/AKA’ or 5G-AKA). This provides the same level of authentication security as in the cellular network. It may also be required to interface with mobile core network policy functions. In addition to authentication of the device, the SIM authentication process produces cryptographic keys used for IPsec tunnel establishment.

  • People from all over the world will flock to Brazil to celebrate the World Cup and 2016 Olympics. The ability to offload mobile data to Wi-Fi will ease network congestion significantly and increase data speeds, for an exceptional user experience.
    Rafael Marques
    Marketing Director at TIM Intelig