Authentication

The solution supports multiple authentication mechanisms. Type of authentication support depends on the Wi-Fi AP, UE capabilities and customer preference. In case of 802.1x/EAP capable Wi-Fi APs, supporting secure SSIDs via 802.11i/WPA2, various EAP based authentication such as SIM/uSIM based (SIM/AKA/AKA’), TTLS, PEAP, certs, and so on, are supported. The solution also supports web-portal based authentication with or without WISPr client on the UE. EAP and portal authentication works independent of the type of connectivity from the AP (tunneled or native IP).

The SR OS WLAN-GW uses the IPoE session concept to authenticate and manage UEs in ESM. Every WLAN-GW group interface uses a pre-defined default ipoe-session-policy that cannot be changed or disabled. The contents of the default policy also cannot be changed and always uses sap and mac as session-key. The ipoe-session session-timeout can optionally be ignored in a wlan-gw context. This is to support closed SSID authentication where the session-timeout is relative to the last re-authentication while for ipoe-session the timeout is absolute to the start of the session.

It can be useful to identify the AP and the SSID to which a UE is connected. Therefore, the AP MAC and SSID name can be learned as follows:

The format used for DHCP(v6) is AP-MAC;SSID-STRING;SSID-Type, where the AP-MAC should contain the AP MAC address in colon separated format (xx:xx:xx:xx:xx:xx), the SSID string should not contain the ‟;” delimiter and the SSID type is a single character ‟s” (secure) or ‟o” (open).

For example, if AP-MAC is ‟00:10:A4:23:19:C0”, SSID is ‟SP1-Wi-Fi”, and SSID-type is secure, then the value of circuit-id or interface-id would be the string ‟00:10:A4:23:19:C0;SP1-wifi;s”.

Parent topic: Enhanced Subscriber Management