
SOLUTIONS FOR IMPLEMENTING

CELLULAR TO WI-FI OFFLOAD


Hartmut Schroeder
September 2012

Legal Statement

Statements of direction set forth Juniper Networks' current intention and are subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature or functionality depicted in this presentation.

Copyright 2012 Juniper Networks, Inc.

www.juniper.net

WHY WI-FI OFFLOAD?



GROWTH IN WIRELESS BROADBAND DATA CONTINUES

Growth fueled by:
  Increased smartphone adoption
  Wireless-enabled portable devices
  Machine-to-machine mobile devices

Tablet growth: 181%. Gartner predicted that tablet sales will grow 181% in 2011 to 54.8M, many of which are built to take advantage of mobile 3G and 4G networks.

Smart mobile devices: 1B. According to IDC we will reach 1 billion smart mobile devices in 2013. Morgan Stanley tells us we will reach 10B mobile devices in 2050.

WIRELESS BROADBAND ALLIANCE


3 STAGES OF WI-FI OFFLOAD

Offload (2010): hard offload, user driven, unmanaged
Optimize (2012): auto-login, user identity, secure
Integrate (2014): policy driven, session mobility, fully transparent

Source: Heavy Reading

REFERENCE ARCHITECTURE

KEY SOLUTION COMPONENTS

AUTHENTICATION & SECURITY
  Junos Pulse client (optional): Mobile Security Suite; VPN / secure tunneling; enforcement point for future policy-based capabilities and data collection.
  SBR Carrier: single platform managing AAA functions for all access technologies. Provides a uniform user experience with authentication, security and policy enforcement.

BACKHAUL & EDGE
  MX-3D: video/web optimization, NAT/FW functions, server load balancing, mobility GW functions, routing functions, VPN gateway.
  Juniper WLAN: high performance, reliable mobility, high availability, outdoor/indoor, planning and lifecycle management, direct and central traffic breakout.
  Security GW: provides secure traffic termination and service delivery functions.

POLICY ENFORCEMENT & CHARGING
  SRC: ideal if WLAN traffic is not backhauled to the GGSN / P-GW. Leverages the Juniper MX as PCEF: QoS, service mapping, DPI, captive portal, volume tracking (VTA), bandwidth limits, daily/monthly usage, charging integration. Provides support for network-based policy enforcement and charging.

OPEN AND SECURE ACCESS: E2E ARCHITECTURE PHASE 1 (TODAY)

[Figure: end-to-end architecture. The smartphone attaches to the AP / WLC with 802.1X; the WLC sends RADIUS to SBR (with SSR and VTA) for the authentication check and service lookup, and SBR reaches the subscriber database / HLR over SQL and SIGTRAN. SRC talks to the captive portal over Corba and pushes policy to the MX-BNG over JSRC; the portal redirects subscribers over IP. WLM manages the WLAN. The MX-BNG forwards traffic to the Internet over Gi. Interfaces labelled in the figure: SQL, SIGTRAN, Corba, RADIUS, Diameter, JSRC, Gi, IP, 802.1X.]

JUNIPER VALUE PROPOSITION

Juniper MX as Wi-Fi Access Gateway acts as a PCEF for:
  CGNAT (leveraging MS-DPC)
  DPI (leveraging MS-DPC)
  Basic QoS / Hierarchical QoS (leveraging MS-DPC)
  Lawful interception point for CC
  DHCP server

SBR Carrier AAA with SSR
  SIM module for seamless authentication with the HLR for EAP-SIM/AKA
  Session State Register for global, redundant subscriber knowledge

Juniper SRC (Session Resource Controller)
  Captive portal
  Volume Tracking Application
  Various accounting interfaces
  Policy push to all Juniper core routers

Juniper Wireless WLA / WLC / WLM
  Wi-Fi access with backhauling due to central switching
  Complete lifecycle management through RingMaster

UNIVERSAL EDGE

MX 3D: A NETWORK SERVICES PLATFORM

Industry-leading performance and scale
  Unparalleled packet processing performance
  Separate control and data planes that scale independently

Ultimate in flexibility
  Versatility of 4 platforms ensures there is a platform tailor-made for every deployment model
  L2 to L3 to L4-7 services
  Support multiple services simultaneously without impacting performance

OPEX savings
  Simplifies operations
  30-50% more power efficient and 40% more space efficient
  Embedded monitoring services to ensure SLAs are met
  Unparalleled functional bundling that allows massive cost saving

Services Flexibility for Mobile

MX 3D with Trio is a common services layer for IP convergence.

[Figure: one MX 3D platform serving Packet Core (S/P-GW, GGSN), Fixed Edge (BNG), Business Edge, TWAG and Security-GW, Datacenter L2/L3 switch, SDG, Transport backbone, Security (carrier-grade NAT, firewall) and Backhaul.]

Common hardware, common software, investment protection.

UNIVERSAL EDGE ENABLES NEW NETWORK

[Figure: MX 3D Series as the universal edge. Network applications: cable edge, business edge, mobile edge, carrier Ethernet aggregation, video distribution networks. Router-integrated services: IPS, BGF, Media Flow, DAA. Network-integrated apps and services from Juniper: Media Flow Controller, SRC Controller. Network-integrated apps and services from partners, as labelled: StreamScope, eRM, Telchemy, Media, ePM, Enabler.]

JUNIPER WIRELESS

THE NONSTOP WIRELESS NETWORK

Single point of management
Active-active control architecture
Self-organizing adds, moves and changes
Self-repairing architecture
In-service software upgrades
Full-featured local switching

JUNIPER WLA SERIES ACCESS POINT FAMILY

WLA Series highlights
  Highest performance APs in the industry
  Most cost effective APs in the industry
  Full-featured intelligent switching
  Spectrum analysis across the portfolio
  Bridging and mesh

[Figure: WLA portfolio positioned by segment (entry-level 802.11n, indoor 11n, outdoor 11n, enterprise). Models shown: WLA632, WLA532, WLA522, WLA322, WLA321. Descriptors in the figure: 3-stream MIMO dual radio maximum performance (new); 2x2 MIMO dual radio high density; 3x3 MIMO dual radio all-weather; dual radio entry-level AP; single radio low-cost AP.]

JUNIPER WLC SERIES CONTROLLER FAMILY

WLC Series highlights
  Simplest solution in the industry
  Highest reliability in the industry
  Only vendor with in-service upgrades
  One software platform
  Full-featured distributed deployment

[Figure: controllers positioned by number of 11n APs (4 to 512). Campus: WLC2800 (64 - 512 APs), WLC880 (16 - 256 APs, 3-stream), WLC800 (16 - 128 APs, 3-stream). Branch: WLC8 (12 APs), WLC2 (4 APs).]

BEST IN CLASS WLAN LIFE CYCLE MANAGEMENT

RingMaster

Planning and deployment
  3D predictive planning tool
  Indoor and outdoor network plan

Configuration and verification
  Complete offline configuration
  System and service wizards
  Pushes configuration to WLCs

Monitoring and reporting
  By user, radio, AP, WLC, SSID
  30-day history aids compliance
  WIDS/WIPS integration

Location aware
  Search by location
  Roaming history
  Geo-fencing

SBR CARRIER

SBR CARRIER: ENABLES SEAMLESS ACCESS

Reduce operational cost: single platform managing AAA functions for all access technologies.
Seamless integration: supports any SDM technology with any schema.
Reduce complexity: single platform provides the glue between network technologies and IT systems.

[Figure: Steel-Belted Radius at the centre, connected over RADIUS to public Wi-Fi, GPRS / UMTS / HSxPA, xDSL / FTTH, UMA / femtocell, CDMA 1xRTT / EvDO and fixed/mobile WiMAX access, and to HLR, LDAP and SQL back ends.]

FLEXIBLE SDM INTEGRATION: ANY CREDENTIAL, ANY DATABASE

HLR
  HLR authentication
  D interface for authentication and authorization
  SIM and AKA
  SS7 over E1/T1
  SIGTRAN
  MAP v2/v3
  No separate MAP-GW (installed on SBR)

LDAP
  LDAP v2/v3
  Load balancing and failover
  Any LDAP schema
  Programmable searches with recursion
  Scripting
  Unparalleled performance

SQL
  Generic SQL over JDBC
  Load balancing and failover
  Any SQL schema
  Stored procedure support

Oracle
  Native Oracle interface
  Load balancing and failover
  Any SQL schema
  Stored procedure support
  Unparalleled performance

Credentials
  Username/password
  Certificate
  SIM and USIM
  SMS OTP
  Token
  Service-ID (e.g. APN, DNIS)

RADIUS proxy (Steel-Belted Radius)
  Carrier-grade proxy engine
  Weighted load balancing and failover
  Target health detection
  Advanced filtering
  Unparalleled performance

JUNIPER SRC

SRC ENABLES APPLICATION INTELLIGENT NETWORKING

[Figure: the SRC policy engine (C3000 / C5000) sits between applications and the network (edge, core, data center). Toward applications: service activation / reporting, provisioning / accounting. Toward the network: policy and control. Functions shown: resource control (call admission control, QoS, quota services), metering (per-service time and volume), dynamic provisioning (filters, captive portal, bandwidth). Enterprise services: data VPN, software as a service, videoconference. Residential services: Internet, IPTV, home VoIP.]

SRC USAGE TRACKING / ACCOUNTING OPTIONS

[Figure: end-user traffic flows Wi-Fi AP -> WLC 2800 -> MX. The SRC holds subscriber state and profile plus policy and exposes a plug-in API; accounting can go to a flat file, to RADIUS, to the VTA plug-in (VTA) or to a custom plug-in, and from there to charging systems.]

ENHANCED SUBSCRIBER MANAGEMENT

Regular: per-subscriber accounting.
Enhanced: per-service accounting.

Features
  Periodic collection of counters associated with SRC-managed services
  Based on a combination of 5-tuples or per application / application group
  Accounting record generation from SRC (flat files or RADIUS) with duration and volumes
  Multiple accounting sessions per subscriber
  Start, Stop and variable Interim

Benefits
  Fair usage / quota services with the Volume Tracking Application
  Usage-based billing
  Congestion mitigation by de-prioritizing heavy users

OVERVIEW OF THE SRC VOLUME TRACKING APPLICATION

The SRC Volume-Tracking Application (SRC VTA) allows service providers to track and control the network usage of subscribers and services. You can control volume and time usage on a per-subscriber or per-service basis.

When a subscriber or service exceeds bandwidth limits (or quotas), the SRC VTA can take actions, including:
  directing the subscriber to a portal to activate additional services or purchase additional bandwidth,
  imposing rate limits on traffic,
  sending an e-mail notification,
  or charging extra for additional bandwidth consumed.
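The accounting-to-quota logic that the two slides above describe (Start/Stop/Interim records per subscriber session, a volume quota, and an action once it is exceeded), as an added example; this is not SRC or VTA code. It assumes RADIUS accounting as the input: per-session cumulative Acct-Input-Octets / Acct-Output-Octets that wrap at 2^32, with Acct-Input-Gigawords / Acct-Output-Gigawords counting the wraps (RFC 2866 / RFC 2869). Subscriber names, the quota and the records are constructed.

```python
"""Quota tracking from RADIUS accounting records (added example, not Juniper's VTA code).

Assumptions: the NAS sends per-session Start / Interim-Update / Stop records whose
Acct-Input-Octets / Acct-Output-Octets counters are cumulative for that session and
wrap at 2**32, with Acct-Input-Gigawords / Acct-Output-Gigawords counting the wraps
(RFC 2866, RFC 2869). Subscriber names, quota sizes and the records below are constructed.
"""
from dataclasses import dataclass, field

START, STOP, INTERIM = 1, 2, 3      # RFC 2866 Acct-Status-Type values


def session_octets(rec):
    """Full 64-bit byte count of one record: (gigawords << 32) + octets, both directions."""
    up = (rec.get("Acct-Input-Gigawords", 0) << 32) + rec.get("Acct-Input-Octets", 0)
    down = (rec.get("Acct-Output-Gigawords", 0) << 32) + rec.get("Acct-Output-Octets", 0)
    return up + down


@dataclass
class Subscriber:
    quota_bytes: int
    used_bytes: int = 0
    # Acct-Session-Id -> last cumulative total seen; several sessions may run at once
    sessions: dict = field(default_factory=dict)


class VolumeTracker:
    """Aggregates accounting deltas per subscriber and returns the policy action to apply."""

    def __init__(self, quotas, exceeded_action="redirect-to-portal"):
        self.subs = {user: Subscriber(q) for user, q in quotas.items()}
        self.exceeded_action = exceeded_action

    def process(self, rec):
        sub = self.subs[rec["User-Name"]]
        sid, status = rec["Acct-Session-Id"], rec["Acct-Status-Type"]
        if status == START:
            sub.sessions[sid] = 0
        else:
            # Interim/Stop for a session whose Start was lost: count from this record on.
            last = sub.sessions.get(sid, 0)
            total = session_octets(rec)
            # Counters never decrease inside one session; a smaller value is a replayed
            # or out-of-order record, so it must not reduce usage already charged.
            sub.used_bytes += max(total - last, 0)
            sub.sessions[sid] = total
            if status == STOP:
                sub.sessions.pop(sid, None)
        return self.exceeded_action if sub.used_bytes >= sub.quota_bytes else "allow"


# Constructed sample: 4 GiB quota, one session whose counter crosses the 2**32 wrap,
# then a replayed Interim-Update.
SAMPLE_RECORDS = [
    {"User-Name": "alice@op.example", "Acct-Session-Id": "s1", "Acct-Status-Type": START},
    {"User-Name": "alice@op.example", "Acct-Session-Id": "s1", "Acct-Status-Type": INTERIM,
     "Acct-Input-Octets": 3 * 2**30, "Acct-Output-Octets": 0},                          # 3 GiB
    {"User-Name": "alice@op.example", "Acct-Session-Id": "s1", "Acct-Status-Type": INTERIM,
     "Acct-Input-Gigawords": 1, "Acct-Input-Octets": 2**29, "Acct-Output-Octets": 0},  # 4.5 GiB
    {"User-Name": "alice@op.example", "Acct-Session-Id": "s1", "Acct-Status-Type": INTERIM,
     "Acct-Input-Gigawords": 1, "Acct-Input-Octets": 2**29, "Acct-Output-Octets": 0},  # replay
]


def run_sample():
    """Feed the constructed records through a tracker; return (decisions, bytes charged)."""
    tracker = VolumeTracker({"alice@op.example": 4 * 2**30})
    decisions = [tracker.process(r) for r in SAMPLE_RECORDS]
    return decisions, tracker.subs["alice@op.example"].used_bytes


if __name__ == "__main__":
    print(run_sample())
```

Ignoring the Gigawords attribute is the classic mistake here: a 32-bit octet counter that has wrapped looks like a drop in usage, and a tracker that trusts it silently gives the subscriber free quota. The replayed record shows the other direction, a duplicate must not be charged twice.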

FUTURE PRODUCTS /
SOLUTIONS

HOTSPOT V2.0

IEEE 802.11U AND HOTSPOT V2.0 PART 1

IEEE 802.11u (standardization finished February 2011)
  Allows a station (UE / mobile) to query information about the WLAN and the network behind it before an authentication is attempted
  Must be supported at the WLAN AP and on the UE / mobile to work

Network discovery and selection component
  Advertises the network's basic 11u capabilities in Beacons and Probe Response frames, to minimize battery impact
  Generic Advertisement Service (GAS) for extended queries
  Access Network Query Protocol (ANQP) and others (MIH)
  Information available: access type, venue info, HESSID, supported advertisement protocols, roaming consortium

QoS Map Set distribution
  Tells the mobile which QoS DSCP marking to set for IP traffic, according to the operator's policy

Expedited Bandwidth Request (EBR) support

Emergency services
  Emergency call ongoing alert
  Emergency call and network alert support at the link level

IEEE 802.11U AND HOTSPOT V2.0 PART 2

Hotspot V2.0 goals
  Improve the end-user experience to the level of cellular networks
  Facilitate Wi-Fi offload
  Facilitate Wi-Fi roaming agreements between hotspot operators / service providers

Deliverables
  Technical specification (uses 11u heavily), test plan, certification program, deployment guide

Phase 1 (called Passpoint), certification starts mid-year 2012
  Access network discovery
  Security

Phase 2, certification starts mid-year 2013
  Operator policy (TBD): will it be ANDSF? At which sub-level then?
  Online sign-up (TBD)

Phase 3, certification starts TBD, probably mid-year 2014
  Scope isn't defined; proposals have been made around Wi-Fi offload issues and improved operations / monitoring.

IEEE 802.11U AND HOTSPOT V2.0 PART 3

Network discovery (Phase 1)
  New information elements (11u based): Interworking, Advertisement Protocol, Roaming Consortium, BSS Load, WFA Peer-to-Peer
  GAS/ANQP protocols (11u based)
  ANQP: Venue Name, Network Authentication Type, IP Address Type Availability, Network Access Identifier Realm List, 3GPP MCC/MNC, Domain Name List
  HS2.0 ANQP extensions: Operator Name, WAN Metrics, Connection Capability, NAI Home Realm Query

  Note: only a SUBSET of 11u will be certified in HS 2.0. QoS-mapping tests and emergency calls are not in scope of HS2.0.

Security (and battery life extension) (Phase 1)
  Certification includes 802.1X based WPA(2)-Enterprise authentication: EAP-TLS, EAP-TTLS (inner MS-CHAPv2), EAP-SIM/AKA (a device with a (U)SIM card SHALL support these)
  Certification does NOT include UE-based tunnels, so Hotspot V2.0 in effect certifies UEs for 3GPP trusted access only (no IKEv2/IPsec to an ePDG)
  Proxy ARP and Proxy Neighbor Discovery (802.11v)
  Downstream group-addressed frame forwarding
  Peer-to-peer communication blocking
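How a UE turns the Phase 1 discovery elements into a network choice before it sends a single EAP frame, as an added example that is not Wi-Fi Alliance, 3GPP or Juniper code. It models the NAI Realm List (with the EAP methods each realm accepts), the 3GPP Cellular Network element (MCC/MNC) and Roaming Consortium OIs as already parsed ANQP answers; the three SSIDs, the two devices' credentials, the realm-suffix rule and the preference order are this example's own assumptions.

```python
"""Pre-association network selection from ANQP answers (added example, not Juniper code).

Models the Hotspot 2.0 Phase 1 discovery step: before any 802.1X attempt, the UE queries
the NAI Realm List, 3GPP Cellular Network (MCC/MNC) and Roaming Consortium elements over
GAS/ANQP and picks an SSID it holds matching credentials for. The answers and credentials
below are constructed; the realm-suffix rule and the preference order are this example's choices.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# IANA EAP method type numbers, as carried in the NAI Realm element
EAP_TLS, EAP_SIM, EAP_TTLS, EAP_AKA, EAP_AKA_PRIME = 13, 18, 21, 23, 50
SIM_METHODS = {EAP_SIM, EAP_AKA, EAP_AKA_PRIME}


@dataclass
class AnqpAnswer:
    ssid: str
    nai_realms: dict = field(default_factory=dict)   # realm -> set of EAP method ids
    plmns: set = field(default_factory=set)          # {(mcc, mnc)} from 3GPP Cellular Network
    roaming_ois: set = field(default_factory=set)    # Roaming Consortium OIs as hex strings
    needs_portal: bool = False                       # Network Authentication Type says so


@dataclass
class Credentials:
    eap_methods: set = field(default_factory=set)
    home_realm: Optional[str] = None
    home_plmn: Optional[Tuple[str, str]] = None      # (mcc, mnc) read from the (U)SIM
    roaming_ois: set = field(default_factory=set)


def realm_matches(advertised: str, home: str) -> bool:
    """Exact match, or the home realm is a sub-realm of the advertised one (example rule)."""
    a, h = advertised.lower().rstrip("."), home.lower().rstrip(".")
    return a == h or h.endswith("." + a)


def select_network(answers, creds):
    """Return (ssid, reason) for the best usable candidate, or None.

    Preference: home realm with a mutually supported EAP method, then home PLMN with a
    SIM-based method, then a shared roaming consortium. Networks that still require a
    captive-portal step are skipped, since the goal is an automatic 802.1X attach.
    """
    ranked = []
    for ans in answers:
        if ans.needs_portal:
            continue
        if creds.home_realm:
            for realm, methods in ans.nai_realms.items():
                if realm_matches(realm, creds.home_realm) and methods & creds.eap_methods:
                    ranked.append((0, ans.ssid, "home realm %s" % realm))
        if creds.home_plmn in ans.plmns and creds.eap_methods & SIM_METHODS:
            ranked.append((1, ans.ssid, "home PLMN %s%s" % creds.home_plmn))
        if ans.roaming_ois & creds.roaming_ois:
            ranked.append((2, ans.ssid, "roaming consortium"))
    if not ranked:
        return None
    _, ssid, reason = min(ranked)      # lowest rank wins; ties fall back to SSID order
    return ssid, reason


# Constructed ANQP answers from three visible SSIDs, and two devices' credentials.
SAMPLE_ANSWERS = [
    AnqpAnswer("CityWiFi-Free", needs_portal=True),
    AnqpAnswer("Partner-HS20", nai_realms={"partner.example": {EAP_TTLS}}, roaming_ois={"506f9a"}),
    AnqpAnswer("Operator-HS20", nai_realms={"op.example": {EAP_TTLS, EAP_AKA}}, plmns={("262", "01")}),
]
SIM_UE = Credentials(eap_methods={EAP_AKA}, home_plmn=("262", "01"), roaming_ois={"506f9a"})
TTLS_UE = Credentials(eap_methods={EAP_TTLS}, home_realm="wlan.op.example")

if __name__ == "__main__":
    print(select_network(SAMPLE_ANSWERS, SIM_UE), select_network(SAMPLE_ANSWERS, TTLS_UE))
```

ANQP answers are sent before association and are not authenticated, so the selection is only a hint about where credentials are likely to work; what actually authenticates the network is the EAP exchange itself (server certificate validation for EAP-TLS/TTLS, the AKA challenge for SIM-based methods). A rogue AP can advertise any realm, but it cannot complete that exchange.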

3GPP TRUSTED ACCESS



WI-FI OFFLOAD USING S2A GTP (SAMOG)

Documented in TS 23.402 section 16 for 3GPP Rel-11
802.1X recommended to ensure air interface security (WPA)
EAP-AKA credentials used to authenticate the UE
  Needed to get the IMSI identity of the UE
  Allows the HSS to pass the information required for GTP management (including the target PGW)
  Needed for future IP address preservation
Leverages standard GTP Create/Modify Session/Bearer messages

BENEFITS
  Avoids the cost and overhead of IPsec
  Uses standard GTP based procedures
CAVEATS
  Used only for trusted Wi-Fi networks
  TWAG must see the UE MAC (Layer 2)
  IP address preservation comes in Rel-12

[Figure: smartphone -> WLAN access (AP) -> SaMOG GW -> GTP S2a -> backhaul and packet core (PGW / GGSN / HA) -> service complex (SDG, VPN). The SaMOG GW consults the HSS/AAA; policy and credential servers shown: NetOpt, credential management, ANDSF, PCRF, application management.]

Secure simplified access for trusted Wi-Fi networks

TRUSTED WLAN ACCESS TO EVOLVED PACKET CORE: ARCHITECTURE

No additional software on the UE / IP address preservation (and no IKEv2/IPsec/ePDG)
SWw is a point-to-point IP link over 802.11 protected by 802.1X
Access control enforced by the trusted WLAN on behalf of the 3GPP operator (802.1X)
Default APN for the trusted WLAN PDN connection stored in the subscription data

[Figure: 3GPP reference architecture for trusted WLAN access. UE -> SWw -> Trusted WLAN Access Network -> S2a -> PDN Gateway -> SGi -> operator's IP services (e.g. IMS, PSS). Trusted WLAN Access Network -> STa -> 3GPP AAA Server (HPLMN) or 3GPP AAA Proxy (VPLMN), proxy to server over SWd; 3GPP AAA Server -> SWx -> HSS; HSS -> S6a; PDN GW -> S6b -> 3GPP AAA Server; PDN GW -> Gx -> hPCRF; hPCRF -> Rx; hPCRF -> S9 -> vPCRF; vPCRF -> Gxc -> 3GPP serving access gateway; S8 between VPLMN and HPLMN.]

S2a mobility based on GTP and WLAN access to EPC (SaMOG)

TRUSTED WLAN ACCESS: INTERNAL FUNCTIONS

WLAN
  APs terminating the UE's SWw 802.11 WLAN link
  Authenticates the UE with EAP-AKA
  Provides integrity and/or confidentiality protection

Trusted WLAN Access Gateway (TWAG)
  Creates/deletes the S2a GTP tunnel
  Default router and DHCP server
  Enforces packet forwarding between the UE's SWw point-to-point IP link and the S2a GTP tunnel, based on the UE MAC address

Trusted WLAN AAA Proxy (TWAP)
  AAA proxy between the WLAN access network and the 3GPP AAA server/proxy over STa
  Binds UE subscription data (e.g. IMSI, APN) with the UE MAC address
  Notifies the TWAG of UE L2 attach to / detach from the WLAN

[Figure: UE -- SWw -- Trusted WLAN Access Network (WLAN, TWAG, TWAP) -- S2a -- EPC; TWAP -- STa -- 3GPP AAA; the TWAG also gives access to the intranet / Internet.]
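The TWAG/TWAP division of labour above in code, as an added example; this is not Juniper's or 3GPP's implementation. The TWAP's attach notification (UE MAC plus the IMSI/APN it was bound to after STa authentication) is the only thing that creates forwarding state, and every uplink frame is mapped to an S2a tunnel or to local break-out purely by its source MAC, which is exactly why the caveat "TWAG must see the UE MAC" matters. The TEID and address allocation, the MAC addresses, IMSIs and the source-IP anti-spoofing check are assumptions made for the example.

```python
"""TWAG forwarding state keyed on UE MAC (added example, not Juniper's TWAG code).

Models the Rel-11 single-PDN trusted WLAN model: the TWAP tells the TWAG that a UE MAC
authenticated with a given IMSI/APN, the TWAG creates the S2a GTP session (simulated
here) and maps frames between the SWw point-to-point link and the tunnel by MAC only.
TEIDs, IMSIs, MACs and UE addresses are constructed; the source-IP check is example policy.
"""
from dataclasses import dataclass
from typing import Optional
import itertools


@dataclass
class Binding:
    imsi: str
    apn: Optional[str]          # None = NSWO (local break-out): no GTP tunnel
    ue_ip: str
    s2a_teid: Optional[int]


class TWAG:
    def __init__(self):
        self.by_mac = {}                      # UE MAC -> Binding
        self.by_teid = {}                     # downlink TEID (our side) -> UE MAC
        self._teids = itertools.count(0x1000)
        self._ips = itertools.count(10)

    # --- notifications from the TWAP (only after STa authentication succeeded) ---
    def attach(self, mac, imsi, apn):
        """Create the S2a session (Create Session Request to the PGW, simulated) and bind it."""
        mac = mac.lower()
        if mac in self.by_mac:
            self.detach(mac)                  # a re-attach replaces stale state, never leaks it
        teid = next(self._teids) if apn is not None else None
        ue_ip = "10.64.0.%d" % next(self._ips)   # in reality assigned by the PGW (or locally for NSWO)
        self.by_mac[mac] = Binding(imsi, apn, ue_ip, teid)
        if teid is not None:
            self.by_teid[teid] = mac
        return self.by_mac[mac]

    def detach(self, mac):
        """L2 detach: tear down the binding (a Delete Session Request would go to the PGW)."""
        b = self.by_mac.pop(mac.lower(), None)
        if b and b.s2a_teid is not None:
            self.by_teid.pop(b.s2a_teid, None)
        return b is not None

    # --- data plane ---
    def uplink(self, src_mac, src_ip, packet):
        """Return ('gtp', teid, packet), ('local', packet) or ('drop', reason)."""
        b = self.by_mac.get(src_mac.lower())
        if b is None:
            return ("drop", "unknown MAC: not authenticated on SWw")
        if src_ip != b.ue_ip:
            return ("drop", "source IP does not belong to this MAC")   # anti-spoofing (example policy)
        if b.s2a_teid is None:
            return ("local", packet)                                   # NSWO
        return ("gtp", b.s2a_teid, packet)

    def downlink(self, teid, packet):
        """Map a GTP-U PDU arriving on our TEID back to the UE MAC for unicast on 802.11."""
        mac = self.by_teid.get(teid)
        return ("swW", mac, packet) if mac else ("drop", "no session for TEID")


if __name__ == "__main__":
    twag = TWAG()
    b = twag.attach("AA:BB:CC:DD:EE:01", "262010000000001", "internet")
    print(b, twag.uplink("aa:bb:cc:dd:ee:01", b.ue_ip, b"ip-packet"))
```

The security property to notice is that the WLAN must force-forward every UE frame to the TWAG and block peer-to-peer traffic (the Hotspot 2.0 "peer-to-peer communication blocking" item above): if a station could reach another station's MAC directly, or the AP let it send with a borrowed source MAC, the MAC-keyed binding would be the only thing standing between it and another subscriber's PDN connection.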

TRUSTED WLAN ACCESS: PDN & NSWO POINT-TO-POINT LINK MODEL

[Figure: UE1..UE4 associate to the AP/WLC (802.11 association); the AP/WLC bridges 802.11 frames by UE MAC to the TWAG. Per PDN or NSWO the TWAG uses a VLAN or GRE tunnel toward the PDN GW (S2a PDN connection, identified by the S2a TEID) or toward local break-out (NSWO, a.k.a. local break-out). Downlink: the TWAG unicasts to the UE MAC. Uplink: the AP/WLC force-forwards to the TWAG.]

TRUSTED WLAN ACCESS: INITIAL ATTACH (ROAMING SCENARIOS)

Entities: UE, TWAN, vPCRF, AAA proxy, hPCRF, HSS/AAA, PDN GW.

1. Non-3GPP specific procedures
2. EAP authentication (UE - TWAN); authentication and authorization (TWAN - AAA proxy - HSS/AAA)

Two variants, based on the PDN type:
  A. IPv4, IPv6, IPv4v6: PDN connection set up on the successful authentication event (recommended)
  B. IPv4 only: PDN connection set up on the DHCPv4 address request

(A)
3. Create Session Request
4. IP-CAN session establishment procedure
5. Update PDN GW address
6. Create Session Response
7. GTP tunnel
8. EAP authentication completion
9. L3 attach

(B)
10. Create Session Request
11. IP-CAN session establishment procedure
12. Update PDN GW address
13. Create Session Response
14. GTP tunnel
15. L3 attach completion

High Level SaMOG Call Flow

Entities: user equipment, access point (802.11 a/b/g), WLAN controller (802.11 in CAPWAP), SaMOG gateway (MAC, VLAN), GGSN / PDN gateway, AAA, Internet (Layer 3 VPN).

1. IEEE 802.11 discovery between the UE and the AP.
2. EAP Request to the UE; EAP Response from the UE to the WLC; the WLC sends a RADIUS EAP Response to the SaMOG gateway, which forwards it as a Diameter EAP Response to the AAA (this will be RADIUS in the first release).
3. Diameter EAP Request from the AAA, RADIUS EAP Request to the WLC, EAP Request to the UE; the EAP Response travels back the same path. Depending on the EAP method there are 0 to N such EAP Request/Response exchanges.
4. Diameter EAP Success from the AAA, RADIUS EAP Success to the WLC, EAP Success to the UE.
5. GTP Request / Response between the SaMOG gateway and the GGSN / PDN gateway: the UE's IP address is acquired.
6. 4-way handshake between the UE and the WLC; both derive the PTK. Ready to use / OK to use.
7. IEEE 802.11 AES data encryption on the air link; DHCP Request / Response; the UE's IP packets are carried as GTP traffic from the SaMOG gateway toward the GGSN / PDN gateway.
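Steps 4 and 6 above, from the keys delivered with the EAP Success to the PTK both sides derive in the 4-way handshake, as an added example; it is not Juniper code. What it relies on is standard: the authenticator receives the EAP MSK in the Access-Accept as MS-MPPE-Recv-Key and MS-MPPE-Send-Key (RFC 2548; each is encrypted hop by hop with the RADIUS shared secret, and is assumed already decrypted here), the PMK is the first 256 bits of the MSK, and IEEE 802.11 derives PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)), split into KCK, KEK and TK. The MSK bytes, the MAC addresses and the simplified EAPOL-Key message layout are constructed for the example.

```python
"""From Access-Accept keys to the 4-way handshake (added example, not Juniper code).

MSK = MS-MPPE-Recv-Key || MS-MPPE-Send-Key (32 bytes each, already decrypted by the WLC).
PMK = MSK[0:32]. PTK = PRF-384(PMK, "Pairwise key expansion", min/max of the MACs and nonces)
per IEEE 802.11; KCK authenticates EAPOL-Key messages, KEK wraps the GTK, TK encrypts data.
The MSK, MAC addresses and the EAPOL-Key framing below are constructed.
"""
import hashlib
import hmac
import os


def prf(key, label, data, nbits):
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i), truncated."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def pmk_from_access_accept(mppe_recv_key, mppe_send_key):
    """The PMK is the first 256 bits of the 512-bit EAP MSK carried in the two MPPE attributes."""
    msk = mppe_recv_key + mppe_send_key
    if len(msk) != 64:
        raise ValueError("expected a 64-byte MSK")
    return msk[:32]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """Return (KCK, KEK, TK) for CCMP: 128 bits each out of the 384-bit PTK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_key_mic(kck, frame):
    """Key MIC for descriptor version 2 (AES-CCMP): HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def four_way_handshake(pmk, aa, spa, anonce=None, snonce=None):
    """Run the exchange between authenticator (AP/WLC) and supplicant (UE).

    Returns (supplicant TK, authenticator TK, whether the AP accepted message 2's MIC).
    """
    anonce = anonce or os.urandom(32)
    snonce = snonce or os.urandom(32)
    # Message 1 (AP -> STA) carries ANonce and no MIC; the STA can now derive the PTK.
    sta_kck, _, sta_tk = derive_ptk(pmk, aa, spa, anonce, snonce)
    # Message 2 (STA -> AP) carries SNonce + RSN IE; the MIC is computed over the frame
    # with the MIC field zeroed. The framing here is constructed, not the real EAPOL-Key layout.
    msg2 = b"\x02" + snonce + b"RSN-IE"
    msg2_mic = eapol_key_mic(sta_kck, msg2 + b"\x00" * 16)
    # The AP derives the same PTK from SNonce and checks the MIC before installing keys;
    # a bad MIC means the STA does not hold the PMK (wrong Access-Accept, replay, rogue STA).
    ap_kck, _, ap_tk = derive_ptk(pmk, aa, spa, anonce, snonce)
    accepted = hmac.compare_digest(eapol_key_mic(ap_kck, msg2 + b"\x00" * 16), msg2_mic)
    return sta_tk, ap_tk, accepted


if __name__ == "__main__":
    pmk = pmk_from_access_accept(bytes(range(32)), bytes(range(32, 64)))
    print(four_way_handshake(pmk, bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")))
```

Two consequences for the offload designs on these slides: the PMK is only as secret as the path the Access-Accept took (every RADIUS proxy on it, including a clearing house, decrypts and re-encrypts the MPPE keys with its own shared secret), and the nonces are what make each association's TK fresh, so the same subscriber re-attaching with the same PMK still gets a different air-link key.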

TRUSTED WLAN ACCESS TO EVOLVED PACKET CORE: MOTIVATION FOR PHASE 2 / REL-12

Desire for (missing) additional functions
  IP address preservation across handovers between 3GPP and WLAN
  Concurrent connectivity: multiple PDN connections; concurrent 3GPP access and trusted WLAN access; concurrent PDN connectivity and non-seamless WLAN offload
  UE / network selection of APN and NSWO

Solution space has 2 dimensions:
  UE / network signalling for APN/NSWO and attach/handover/detach
    Layer 2: extensions to EAP-AKA or 802.11 ANQP
    Layer 3: extensions to DHCP/DHCPv6
  Per-PDN / NSWO link model
    Per-PDN/NSWO VLAN tagging
    Per-PDN/NSWO MAC address on the TWAG side

TRUSTED ACCESS VISION TOWARDS FMC

[Figure: any access network feeds a SaMOG-based TWAG: trusted access with EAP-TTLS (AAA against a non-HLR-based SDM), trusted access with EAP-SIM/AKA (AAA against the HLR), set-top box with DHCP, CPE with PPPoX via a BRAS. The TWAG connects over Gn (GTP) to the GGSN (Internet access APN) alongside the 2G/3G RAN and SGSN; the GGSN is tied to OCS, PCRF and portal, and to the IP networks.]

JUNOS PULSE WI-FI MANAGER MODULE



WHY USE CLIENT TECHNOLOGY FOR WI-FI OFFLOAD?

Does the OS natively provide tunneling?
Does the OS support selective tunneling and confidentiality?
Does the OS support policy-based control of network selection and application routing?
Does the OS support management of more than just Wi-Fi authentication credentials? 3rd-party roaming?

If the answer to ANY question is no, then a client is required.

End User Quality of Experience

Wi-Fi offloading can help. However, the solution must be 100% seamless and transparent to the end user:
  Completely automated
  Zero end-user intervention
  No compromise on quality of connection
  No compromise on device performance

Junos Pulse & Wi-Fi Offload

Junos Pulse + Pulse Wi-Fi Manager (PWM) bridges the gap between the network and the end device (UE).

Pulse manages 3G/Wi-Fi interactions based on pre-defined policy, significantly enhancing end-user quality of experience (QoE) while still offering control to the carrier or enterprise.

PULSE WI-FI MANAGER: ANDROID SUPPORT ONLY IN PHASE 1

Manage Wi-Fi
  Wi-Fi provisioning: push and manage Wi-Fi profiles; use the on-device supplicant
  Location and device aware: user location (city level); device type (iOS/Android); e.g. a user in Austin is provisioned with SSID A and SSID B, a user in San Jose for SSID A only
  Automatic credential management: addresses the gap for Android devices without EAP-SIM/AKA

Smart Wi-Fi On/Off
  Turn Wi-Fi on/off on the device based on location
  Balance UX with Wi-Fi attach; automate the action or notify the user
  e.g. enable/disable Wi-Fi based on proximity to malls, stadiums etc., using 3G cell broadcast ID information

VPN tunnel
  Set up a VPN tunnel from the client based on Wi-Fi type etc.
  Secure the air link
  Enable walled-garden access via backhaul
  No IKEv2 (SSL VPN)
  *Scale factors must be considered

App notification
  Discourage offload for walled-garden applications, e.g. notify the user and allow them to switch to 3G/4G when they run certain walled-garden applications

Reporting
  Measure ROI and plan capacity
  Bytes offloaded on Wi-Fi
  Time spent on Wi-Fi
  Apps used, type of device etc.
  By SSID, AP, location
Pulse Wi-Fi Offload workflow

[Figure: smartphone running Junos Pulse; Wi-Fi AP; 3G/4G path BTS - RNC - SGSN - GGSN - firewall - Internet; HLR; AAA (e.g. SBR); Pulse Wi-Fi Manager (PWM).]

1. Phone boots up. Pulse starts running on the device.
2. Pulse contacts the Pulse Wi-Fi Manager over the 3G/4G network to get policies.
3. Policy gets downloaded to the device over the 3G/4G network. The policy includes Wi-Fi profiles, credentials, location, application and other criteria etc.
4. Pulse takes action on the device based on the policy.
5. The user connects to Wi-Fi based on policy. The policy controls when and how the user is offloaded; the device tries to use an 802.1X-based authentication with the AAA.
6. Policy also dictates what happens after offload (e.g. set up a VPN over insecure Wi-Fi).

Pulse Wi-Fi Offload including Trusted Access

[Figure: as in the previous workflow, with the Wi-Fi AP offering an 802.1X SSID and a T-WAG (SaMOG) in front of the GGSN.]

1. Phone boots up. Pulse starts running on the device and collects the IMSI and MSISDN.
2. Pulse contacts the Pulse Wi-Fi Manager over the 3G/4G network to get policies.
3. Policy gets downloaded to the device over the 3G/4G network. The policy includes Wi-Fi profiles, credentials, location, application and other criteria etc.
4. Pulse takes action on the device based on the policy.
5. The user connects to Wi-Fi based on policy, which controls when and how the user is offloaded, using 802.1X authentication with the AAA based on PEAP or EAP-TTLS.
6. The Access-Accept carries the IMSI and MSISDN from the PWM database.
7. The Trusted Wi-Fi Access Gateway (SaMOG) forwards Layer 2 traffic into GTP towards the GGSN.

PROVIDER ROAMING & WHOLESALE



EAP-IDENTITY BASED ROAMING EXAMPLE (WITH CLEARING HOUSE)

[Figure: smartphone user -> Wi-Fi APs -> metro network -> WLC 2800 and visited AAA in the visited network; visited AAA -> clearing house AAA -> subscriber's home AAA -> subscriber DB or HLR; Internet.]

1. The subscriber moves to a visited network and attaches to the next Wi-Fi AP.
2. The AP directs all traffic through the metro network (or the Internet) to the Wi-Fi controller at the visited network.
3. The Wi-Fi controller notices a new attachment and asks the UE for the EAP identity to start the EAP negotiation.
4. The UE answers and starts the EAP exchange with its EAP identity.
5. The Wi-Fi controller creates a RADIUS request to the local (visited) AAA.
6. The realm part of the user's NAI identifies that the request can't be authenticated locally, so the VAAA proxies it to the clearing house AAA.
7. The clearing house AAA identifies the home AAA and forwards the request.
8. The home AAA analyses the request (it may answer with a challenge, which will cause a few more interactions back and forth before it can reach a final conclusion).
9. The home AAA authenticates the subscriber against its database/HLR and sends back an Access-Accept (with a profile to be used).
10. The answer gets routed back the same way to the VAAA (which analyses the profile set and may override it).
11. The Wi-Fi controller gets the Access-Accept with the negotiated cryptographic keys and starts the 4-way handshake with the UE to secure the air interface (AES-CCMP).
12. The Wi-Fi controller generates RADIUS accounting information to be forwarded (VAAA to HAAA via the clearing house).

EXAMPLE ROAMING - VPLS BASED

[Figure: home network (HAAA, Pulse Manager, H-HLR/HSS, WAG, IP networks) and visited network (VAAA proxy, WLAN WLC, WLAN APs). VAAA and HAAA connected over SWd; the subscriber's traffic is carried home over VPLS-based roaming on a MAC / VLAN basis.]

VAAA adds a VLAN attribute per home network on the returned Access-Accept.
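The visited AAA's two decisions from the clearing-house flow (steps 5, 6 and 10) and from the VPLS slide just above (the per-home-network VLAN attribute added to the returned Access-Accept), as an added example that is not SBR Carrier code. It routes on the realm of the outer EAP identity, refuses realms with no roaming agreement rather than relaying them, and on the way back keeps the home network's profile only where the visited network will honour it. Realm names, VLAN numbers, the attribute names treated as "home-only" and the sample Access-Accept are constructed; the VLAN attributes themselves are the RFC 3580 ones.

```python
"""Realm-based RADIUS proxy decisions at the visited AAA (added example, not SBR Carrier code).

The outer EAP identity's realm decides whether a request is served locally, proxied to the
clearing house or rejected; on the way back the VAAA rewrites the home network's profile into
attributes the visited WLAN will actually enforce. Realms, VLANs and attributes are constructed.
"""

LOCAL_REALMS = {"visited.example"}
CLEARING_HOUSE = "clearinghouse.example"
# Roaming partners with an agreement, and the VPLS VLAN that carries each one's traffic home
PARTNER_VLAN = {"home-a.example": 101, "home-b.example": 102}
# Home-supplied attributes the visited network never honours (it owns its own policy)
STRIP_FROM_HOME = {"Filter-Id", "Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id"}


def parse_nai(user_name):
    """Split an RFC 4282 NAI into (user, realm); realm is None for a bare username."""
    if "@" not in user_name:
        return user_name, None
    user, realm = user_name.rsplit("@", 1)
    realm = realm.strip().lower().rstrip(".")
    if not user or not realm:
        raise ValueError("malformed NAI: %r" % user_name)
    return user, realm


def route(user_name):
    """Return ('local', None), ('proxy', target) or ('reject', reason)."""
    try:
        _, realm = parse_nai(user_name)
    except ValueError as e:
        return ("reject", str(e))
    if realm is None or realm in LOCAL_REALMS:
        return ("local", None)
    if realm in PARTNER_VLAN:
        return ("proxy", CLEARING_HOUSE)
    # Unknown realm: do not forward. Proxying arbitrary realms turns the VAAA into an open
    # relay and burns clearing-house capacity, so reject is the default.
    return ("reject", "no roaming agreement for realm %s" % realm)


def rewrite_access_accept(user_name, home_attrs):
    """Apply visited-network policy to a home Access-Accept before it reaches the WLC."""
    _, realm = parse_nai(user_name)
    attrs = {k: v for k, v in home_attrs.items() if k not in STRIP_FROM_HOME}
    if realm in PARTNER_VLAN:
        # RFC 3580 VLAN assignment: the WLC places the station on the per-home-network VLAN
        attrs.update({"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                      "Tunnel-Private-Group-Id": str(PARTNER_VLAN[realm])})
    # MS-MPPE-Recv-Key / MS-MPPE-Send-Key pass through: the WLC needs them for the 4-way
    # handshake. Each proxy hop decrypts and re-encrypts them with its own shared secret,
    # so the clearing house and this VAAA both see the PMK.
    return attrs


if __name__ == "__main__":
    print(route("alice@home-a.example"), route("mallory@unknown.example"))
    print(rewrite_access_accept("alice@home-a.example",
                                {"Filter-Id": "home-acl", "Session-Timeout": 3600}))
```

Routing on the outer identity is deliberate: with EAP-TTLS or PEAP the real username travels inside the TLS tunnel and is only visible to the home AAA, so the anonymous outer identity's realm is the only routing key the visited network and the clearing house get. The accounting records of step 12 follow the same realm-based path.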

ROAMING TRUSTED LOCAL SAMOG

[Figure: home network (HAAA, OCS, Pulse Manager, H-HLR/HSS, PCRF, H-GGSN / H-PGW, IP networks) and visited network (VAAA proxy, WLAN WLC, WLAN APs, visited Wi-Fi access gateway (SaMOG)). VAAA to HAAA over SWd; the visited SaMOG gateway sees the UE at MAC / L2 and carries its traffic home over Gp/GTP-based GRX roaming to the H-GGSN / H-PGW.]

ROAMING TRUSTED HOME SAMOG VPLS

[Figure: home network (HAAA, OCS, Pulse Manager, H-HLR/HSS, PCRF, home Wi-Fi access gateway (SaMOG), H-GGSN / H-PGW, IP networks) and visited network (VAAA proxy, WLAN WLC, WLAN APs). VAAA to HAAA over SWd; the UE's Layer 2 traffic is carried on a MAC / VLAN basis over VPLS-based roaming to the home SaMOG gateway. VAAA adds a VLAN attribute per home network on the returned Access-Accept.]