The solution supports multiple authentication mechanisms. The type of authentication supported depends on the Wi-Fi AP, the UE capabilities, and customer preference. For 802.1x/EAP-capable Wi-Fi APs that support secure SSIDs via 802.11i/WPA2, various EAP-based authentication methods are supported, such as SIM/uSIM-based (SIM/AKA/AKA’), TTLS, PEAP, certificates, and so on. The solution also supports web-portal-based authentication with or without a WISPr client on the UE. EAP and portal authentication work independently of the type of connectivity from the AP (tunneled or native IP).
The SR OS WLAN-GW uses the IPoE session concept to authenticate and manage UEs in ESM. Every WLAN-GW group interface uses a pre-defined default ipoe-session-policy that cannot be changed or disabled. The contents of the default policy cannot be changed either, and the policy always uses sap and mac as the session-key. The ipoe-session session-timeout can optionally be ignored in a wlan-gw context. This supports closed SSID authentication, where the session-timeout is relative to the last re-authentication, whereas for an ipoe-session the timeout is absolute, measured from the start of the session.
It can be useful to identify the AP and the SSID to which a UE is connected. Therefore, the AP MAC and SSID name can be learned as follows:
From the called-station-id as defined in RFC 3580, Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Certificate Handling
From DHCP circuit-Id or DHCPv6 interface-ID, if those options use the format specified below
From ARP or ND over GRE as specified in section 11.10. This only identifies the AP MAC, not the SSID
From the L2TPv3 cookie as specified in section 11.22. This only identifies the AP MAC, not the SSID
The format used for DHCP(v6) is AP-MAC;SSID-STRING;SSID-Type, where AP-MAC contains the AP MAC address in colon-separated format (xx:xx:xx:xx:xx:xx), the SSID string must not contain the ‟;” delimiter, and the SSID type is a single character: ‟s” (secure) or ‟o” (open).
For example, if AP-MAC is ‟00:10:A4:23:19:C0”, SSID is ‟SP1-Wi-Fi”, and SSID-type is secure, then the value of circuit-id or interface-id would be the string ‟00:10:A4:23:19:C0;SP1-wifi;s”.
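The following strict parser for the AP-MAC;SSID-STRING;SSID-Type value is an added example, not code from SR OS or from this documentation. It could be used in a RADIUS or logging back end to validate relayed circuit-id or interface-id values before trusting them. The names parse_ap_identity and ApIdentity are hypothetical. Decoding the option as UTF-8 and requiring an SSID of 1 to 32 octets are assumptions made for this example.

```python
import re
from typing import NamedTuple

# Colon-separated MAC, exactly six octets (xx:xx:xx:xx:xx:xx).
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")
SSID_TYPES = {"s": "secure", "o": "open"}
MAX_SSID_OCTETS = 32  # assumption: enforce the 802.11 SSID length limit


class ApIdentity(NamedTuple):
    ap_mac: str     # normalised to lower case for consistent lookups
    ssid: str
    ssid_type: str  # "secure" or "open"


def parse_ap_identity(raw: bytes) -> ApIdentity:
    """Parse a circuit-id / interface-id value; raise ValueError if malformed."""
    try:
        text = raw.decode("utf-8")  # assumption: option carries UTF-8 text
    except UnicodeDecodeError as exc:
        raise ValueError("value is not valid UTF-8") from exc

    # The SSID may not contain ';', so a well-formed value has exactly
    # three fields. Anything else is rejected rather than guessed at.
    fields = text.split(";")
    if len(fields) != 3:
        raise ValueError(f"expected 3 ';'-separated fields, got {len(fields)}")
    mac, ssid, ssid_type = fields

    if not MAC_RE.fullmatch(mac):
        raise ValueError("AP-MAC is not in xx:xx:xx:xx:xx:xx format")
    if not 1 <= len(ssid.encode("utf-8")) <= MAX_SSID_OCTETS:
        raise ValueError("SSID must be 1 to 32 octets")
    if ssid_type not in SSID_TYPES:
        raise ValueError("SSID-Type must be 's' or 'o'")

    return ApIdentity(mac.lower(), ssid, SSID_TYPES[ssid_type])


if __name__ == "__main__":
    # Example value taken from the text above.
    print(parse_ap_identity(b"00:10:A4:23:19:C0;SP1-wifi;s"))
```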