Best-Practice Authentication Methods For Wi-Fi Offload
In order for a Wi-Fi offload service to be successful, it must be easy for the subscriber to access and use. This means that authentication to the network must be seamless for the subscriber and easy for mobile network operators (MNOs) to use and implement.
There are many options for authentication, including:
1. Captive Portal and Manual Login
2. MAC Address Authentication
3. Authentication via SMS
4. SIM-based using EAP-SIM and/or EAP-AKA
Options 1-3 above have limited security and/or do not provide a seamless roaming experience.
Option 4 (SIM-based) is the preferred method for seamless authentication – it is easiest to use for the subscriber and is the best method for supporting Wi-Fi roaming.
Handoff to the Wi-Fi offload network should be managed autonomously, without requiring the subscriber to enter credentials manually (e.g. username and password). The ideal choice for GSM operators, therefore, is to use the subscriber identity module (SIM) credentials already available on the end-user's device. Combining these credentials with EAP-SIM authentication provides the same process as in existing 3G/4G networks, so roaming is seamless and secure. UMTS operators can use USIM credentials, with authentication via the Extensible Authentication Protocol method for UMTS Authentication and Key Agreement (EAP-AKA). 802.1x must therefore also be supported on the Wi-Fi offload network to handle the EAP authentication.
Acurix Networks supports all of the above authentication options, including the preferred SIM-based authentication methods. This covers most smartphones as well as tablets with Wi-Fi and 3G (SIM cards).
Not all devices have SIM cards or support EAP-SIM authentication. For example, Wi-Fi-only tablets and most laptops do not have SIM cards. The metro Wi-Fi network that supports Wi-Fi offload therefore still needs to provide alternative authentication methods. These can be secure methods (using 802.1x, WPA2) or open methods like captive portal login via a web browser (likely to be required to support initial service signup by walk-up users). The Wi-Fi offload network must therefore support multiple authentication methods at all points of the network. To facilitate this, an Acurix metro Wi-Fi network can support multiple MNOs, each with their own virtual network and SSID, on a single set of network infrastructure. Each MNO can have multiple SSIDs, with each SSID or virtual access point (VAP) being capable of supporting an independent authentication profile. One VAP can be dedicated to EAP-SIM authentication while others can provide different captive sign-up pages for each virtual network operator.
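The sketch below is an added example, not Acurix code. It shows how an AAA front end on the EAP-SIM VAP could pick the EAP method and home operator from the 802.1x identity, and refuse identities that belong on another VAP. It assumes the permanent-identity prefixes of RFC 4186/RFC 4187 and the 3GPP TS 23.003 realm layout; the operator table, sample identities and function names are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Leading digit of a permanent identity names the method:
# "1" = EAP-SIM (RFC 4186), "0" = EAP-AKA (RFC 4187).
METHOD_BY_PREFIX = {"1": "EAP-SIM", "0": "EAP-AKA"}

# Realm layout from 3GPP TS 23.003; the MNC is zero-padded to three digits.
NAI_RE = re.compile(
    r"^(?P<prefix>[01])(?P<imsi>\d{6,15})"
    r"@wlan\.mnc(?P<mnc>\d{3})\.mcc(?P<mcc>\d{3})\.3gppnetwork\.org$",
    re.IGNORECASE,
)

# Constructed table of operators sharing the infrastructure, keyed by
# (MCC, padded MNC). MCC 001 is the test-network code, not a real operator.
HOME_MNOS = {("001", "001"): "mno-a", ("001", "002"): "mno-b"}


class Route(NamedTuple):
    method: Optional[str]  # EAP method to run, or None when refused
    mno: Optional[str]     # operator whose AAA server gets the request
    reason: str


def route_identity(identity: str) -> Route:
    m = NAI_RE.match(identity.strip())
    if m is None:
        # Wi-Fi-only tablets and laptops land here: no SIM identity to route.
        return Route(None, None, "not a SIM identity, use another VAP")
    imsi, mcc, mnc = m["imsi"], m["mcc"], m["mnc"]
    # The IMSI starts with MCC + MNC (2 or 3 digits); refuse a realm that
    # claims a different operator than the IMSI itself belongs to.
    short_mnc = mnc[1:] if mnc.startswith("0") else mnc
    if not (imsi.startswith(mcc + mnc) or imsi.startswith(mcc + short_mnc)):
        return Route(None, None, "realm does not match IMSI")
    mno = HOME_MNOS.get((mcc, mnc))
    if mno is None:
        return Route(None, None, "no agreement with home operator")
    return Route(METHOD_BY_PREFIX[m["prefix"]], mno, "ok")


if __name__ == "__main__":
    for sample in (  # constructed identities
        "1001010123456789@wlan.mnc001.mcc001.3gppnetwork.org",
        "0001020123456789@wlan.mnc002.mcc001.3gppnetwork.org",
        "1001010123456789@wlan.mnc002.mcc001.3gppnetwork.org",
        "alice@example.com",
    ):
        print(sample, "->", route_identity(sample))
```

The identity is only a routing hint: the subscriber is authenticated by the EAP-SIM or EAP-AKA exchange with the home operator, not by this check.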
Next-generation Wi-Fi offload networks will extend the use of EAP-SIM/AKA with processes from the Hotspot 2.0 standard (from the Hotspot 2.0 Task Group in the Wi-Fi Alliance). See also the Next Generation Hotspot Program of the Wireless Broadband Alliance.
Acurix Networks customer metromesh recently completed testing of a full SIM-based Wi-Fi offload solution in Perth, Australia.