SP Wifi: Deploying Access for 3G and 4G Mobile Networks Cisco Plus Canada

SP WiFi: Deploying Access for 3G and 4G Mobile Networks Cisco Plus Canada

. Why SP Wifi?

. What are the Requirements?

. Components of an End-to-End Solution

. Mobile Packet Core Integration

. Call flows for typical deployments

. Case Study

. Summary and Key Takeaways

Growth in Mobile Data: 26x over 5 years

180% increase in Lack of spectrum and signalling traffic due to inability to rapidly • Easy Connectivity smartphones increase # cell sites • Seamless • Deployment Authentication Complexity • Session continuity • Consistent user

• Application Economics of indoor experience offload and small cell A shift from outdoor transparency systems consumption to indoor

WiFi already used to support >30% of US smartphone usage

Network implications of exponential data traffic growth

Decline in voice revenues and difficulty in monetizing data traffic

Source: IBSG Research & Economics Practice, 2011 BRKSPM-2200 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public Doing nothing is not an option Illustrative Results for a Large European Operator

Cash Flow From Operations Financial Metrics

Source: IBSG Research & Economics Practice, 2011

. Service usage growing unchecked

. Macrocell capacity growth cannot 26x keep up with demand Growth Macrocell 1000 Capacity . Licensed spectrum availability not growing to meet demand Average 100 Macrocell Efficiency . Smaller Cells are needed to scale Spectrum supply efficiently & economically Growth 10

Source: Agilent . Licensed and Unlicensed Spectrum 1 will need to be exploited 1990 1995 2000 2005 2010 2015

BRKSPM-2200 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public Why Small Cells? Drivers for Deploying Service Provider WiFi Spectrum (5MHz vs 10,20 MHz) . Meet Subscriber Demand Multiple carriers ‒ Increased coverage and service ubiquity ‒ Higher Speed enabling richer applications Footprint Efficiency (#cells/m ) (Bits/Hz, backhaul Small Cells BW) . High Volume Low Cost Technology 3G to HSPA to LTE ‒ SP WiFi is to Mobile (3G/4G) as Carrier Ethernet is to Wired (SDH/PDH) Macro . Licensed Spectrum Availability ‒ Not growing to meet demand . Hierarchical Network Approach ‒ Macro cells & small cells Consumer Business Community

Cellular Wi-Fi Example: GSM Phone Example: iPhone

Turn on phone and get secure cellular connectivity Turn on phone and get secure Wi-Fi connectivity • Roaming anywhere – no logins or passwords • Automatic Network Selection • Access anywhere with my profile & services

Ubiquitous Access Common Seamless Unified Authentication Services Control • Automatic service • SIM credentials • Monetization • Traffic path selection advertisement • Non-SIM credentials opportunities • Billing • Automatic network • Single AAA • Consistent services • QoS selection infrastructure • Session persistence • Quota mgmt • Roaming • Inter-access mobility • Wholesale/Roaming • “One Subscriber”

Carrier Class Solution for MNOs, MSOs and Hotspot Providers

BRKSPM-2200 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public SP WiFi One Access Technology, Many Deployment Models No SP involvement. User driven offload via Uncontrolled unmanaged device.

Home/Soho Dual SSID SP provides dual SSID home device. (Community) Private and public (community) SSID

SP installed and managed hot spots in Malls, Hot Spot / Hot Zone restaurants, Hotels,…

SP installed and managed hot spots in high density High Density Wireless user areas (stadiums,..)

SP install and manages outdoor Wi-Fi for large Metro / Mesh dense urban areas1001110100100100010 coverage

Enterprise Guest Access Enterprise Guest Access managed by SP

BRKSPM-2200 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public SP WiFi Key Requirements Manageability, Network Reliability and Availability Carrier Grade 100s of thousands of APs ; Millions (residential); Millions of Clients

Radio Performance Radio differentiation, Link Budgets, Beamforming, MIMO Interference Management, Radio Resource Management

Mobility Seamless authentication and Fast Roaming/Handoff Wi-Fi to Wi-Fi (inter and intra-vendor), 3G/4G to Wi-Fi

Roaming Seamless roaming (with little or no user intervention) Support home and “visited” network scenarios

Standards Compliant Critical to support Multi-vendor solution 3GPP compliance important to MNOs1001110100100100010 Common Billing, Policy and Subscriber Management Integration Leverage MPC/EPC for Wi-Fi network Parental Control / Lawful Intercept / Local Breakout BRKSPM-2200 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public Components of an End-to-End Solution SP WiFi Functional Architecture

WLC Transparent

aggregation

AP/ PMIPv6 IPSG

MAG

PMIPv6 L3 LMA

AP= Access Point AP Subscriber

MAG=Mobility Access Gateway WLC= Wireless LAN controller GTP Enforcement Policy

LMA= Local Mobility Anchor LMA MAG GTP= GPRS Tunneling Protocol WLC/ AP IPSG= IP Services Gateway MAG EWAG= Enhanced Wireless Access GTP P-GW L2 GTP L3 Gateway Or GGSN PMIP= Proxy Mobile IP (v6) 802.1Q UE= User Entity (mobile terminal) Subscriber

AP IPSe L3 Policy Enforcement Policy c L3

802.1Q AP WLC EWAG

IPSec Intelligent Internet UE aggregation

Enhanced WiFi Access Gateway (EWAG) MNO Home Network MNO Visited Network Policy Policy HLR OCS PCRF CGF DHCP AAA Portal

Key Capabilities: AP GGSN Gy Gx Ga P-GW . MPC Integration WLC

. Inter-access Mobility

PMIP

4G Core

. Roaming S2a LMA

LMA

MAG

. Wholesale L3

Aggregation

Switch AZR GTP Subscriber . Subscriber-aware L2

GTP 3G Core

Gn’

GTP

Policy EnforcementPolicy Subscriber

. Local Breakout

Policy EnforcementPolicy

. Flexible Access AP L3 IPSec Models AP/CPE . Flexible Tunnel (L2TP/PMIPv6/IPsec) Enhanced Internet Authentication WiFi Access LAC/MAG/IPsec Initiator LNS/LMA/IPsec Concentrator Gateway

Authentication Address Session Transport Redundancy Authorization Allocation Management Backhaul Load balancing AAA / RADIUS Before / After ISG Keep alive CAPWAP HSRP/ GLBP DIAMETER At LMA Idle Timeout Fragmentation 1:1 Redundancy HLR / HSS External DHCP Quota enforcement PMIPv6 (MAG/ LMA) N:1 Redundancy Integration / Roaming IPv4 / IPv6 Policy enforcement L2TP (AZR) / GTP ACE based Authentication point Pool depletion Session differentiation Autonomous AP Single SSID EAP / Web Auth Location based Session Initiation MPC integration Multiple SSID

Accounting Web Portals Mobility Network Subscriber Billing & Policy When to redirect Management Management WiFi only mobility Start and Stop L4 / HTTP 302 Security Hierarchical mobility Provisioning Records (CDR) Who redirects Zero touch rollout WiFi / Macro Pre-paid / Quotas Who sends them Redirection Portals Legal Intercept Max mobility coverage WiFi only users Integration with Web Authentication Parental Control Roaming agreements Transparent logon Existing billing Self service Portals Analytics / planning Mobility events Service profiles Gx / Gy / Gz Whitelisting Asset tracking Anchors / tracking Self service portals Policy definitions Location based Rogue AP’s

. When to assign? ‒ Before authentication for Web-auth users ‒ Post authentication for EAP / 802.1x . Where in the network? ‒ In the access network (eg. EWAG) or in the core (eg. ISG / IPSG Subscriber Service Managers) . What to assign? ‒ Location based address assignment with option 82 . Subnet size? ‒ Oversubscription ratio ‒ Lease time ‒ Broadcast domain size . Overlapping IP address from different administrative domains

BRKSPM-2200 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 18 Address Allocation & Management The Challenge Independent Administrative Retailer AP Domains Providers DHCP WLC WLC Address AP Pool DHCP Address Roaming Pool Partner #1 Core

AP DHCP UEs may Aggregation be Switch Address L3 Roaming allocated Partner #2 Pool same IP Core address EWAG AP DHCP Optional NAT Address Home Network Pool Provider Wholesale Provider

Challenge: How to Manage UE address Overlap and Routing in Roaming Scenarios

Subscriber Transport Models in Access Network DHCP Access Network Policy AP DHCP AAA Portal MNO Home Network AP Policy AP HLR OCS PCRF CGF WLC WLC

AP Single SSID Single VLAN or QinQ Roaming Partner #1 Core AP

AP EWAG L2 AZR Multiple Switch AZR SSID Roaming L3 Single VLAN or QinQ Partner #2 Core Single VLAN or QinQ AP

SingleAP VLAN or QinQ Optional AP/CPE NAT Tunnel (L2TP/PMIPv6/IPsec)

Home Subs from Network different Provider MNOs EWAG= Enhanced Wireless Access Gateway BRKSPM-2200 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 20 Address Allocation and Management Key Issues in Roaming Scenarios

. Roaming Partners are independent administrative domains ‒ Address pool allocation and overlap will be difficult to coordinate . Access network design should handle UE address overlap

Options: . VRF separation on interfaces to roaming partners . Access network allocates UE IP address with NAT to Home MNO address ‒ Clean solution, but leads to address pool fragmentation in PMIPv6 architectures . Augmented L2 switching at WiFi gateway ‒ Use combination of MAC address and GRE-Key or GTP TEID for switching and ARP resolution

. UEs Require IP Host Configuration; Link model is different for WiFi and UMTS/LTE . UMTS model allocated a /32 host address directly to the UE and software stack is built to suit this model . WiFi model is standard IP subnet model: Host Address & Mask plus DNS server address . LTE with PMIPv6 supports the IP subnet model (PBU along with PCO option) . WiFi core network supports the IP subnet model (DHCP/ARP control) . UMTS core integration has challenges: ‒ Obtaining subnet mask and default gateway address ‒ Obtaining DNS and DHCP server addresses

1. New Information Element (IE) defined to provide the host configuration ‒ Currently applicable only to GTPv2 ‒ TSG Core Network Working Group 4 working on this ‒ Standardization for GTPv1 and then implementation will take time 2. Per-APN static configuration ‒ Pragmatic short-term option, but lacks flexibility 3. Dynamic Subnet Extraction ‒ EWAG could create a subnet from the allocated IP address (eg. bit 32 flip) ‒ Use GTP Protocol Configuration Options IE for DNS address; Locally configured DHCP server address 4. Proprietary IEs

Subscriber Session Management Initiation and Termination

. Session creation (First Sign of Life - FSOL) ‒ DHCP initiated (L2 connected) ‒ Unclassified MAC (L2 Connected) ‒ Unclassified IP (L3 routed) ‒ Radius proxy (L3 routed) ‒ RADIUS accounting start (L3 Routed) . Session termination options ‒ Idle timeouts? Keep alives? ‒ DHCP lease expiry ‒ Authentication timeout

. Service Differentiation . Dynamic service updates ‒ Gold / Silver / Bronze / policy ‒ Policy push enforcement . Service Control and Policy ‒ Parental control / DPI ‒ DPI . Quota enforcement . Targeted Push Advertising ‒ Usage based / Time based ‒ Intelligent, Location-aware . Location based services . Branding . Free services ‒ Open garden ‒ Whitelisting

. Two options for session management . What is IPSG? on ASR5000: . Standalone or integrated tool for inline . Manage WiFi session as mobile session management: session from another RAT Type ‒ DPI, Peer-to-peer control ‒ Gateway does bearer and session ‒ Firewall, NAT management ‒ PCEF functionality for Policy (Gx) and ‒ Leverage charging, billing and inline Charging (Gy) services capabilities . Radius based session creation . Manage WiFi session using IPSG ‒ No Diameter/GTP initiators ‒ Gateway does bearer and session management . Sits at edge of packet core between Gi/SGi reference point and Internet ‒ IPSG does subscriber and session inline services ‒ Northbound of GGSN or PGW

Subscriber Policy Layer

Web Cisco Intelligent Services Gateway (ISG) Cisco IOS feature that AAA Server Policy Server DHCP Server … Portal provides Session Management and Policy Management services to a variety of access networks Addresses IP and PPP protocol sessions over Ethernet used in Open SP WiFi while maintaining all subscriber management functions Northbound Interfaces Is the subscriber management solution for many Cisco hotpsot and SP-WiFi deployments today

Subscriber Identity Policy Management Is an integral component of EWAG – Enhanced Wireless Gateway Management ISG and Enforcement on ASR1000 Deployed at the Internet Edge (Standalone) or in Aggregation (EWAG)

So focal, that the entire device is often referred as an: ISG Intelligent Services Gateway router or simply “The ISG”

IP Session: Layer2 Connected • All traffic associated with the Access Point Distribution session is IP traffic Eth • Clients are L2 connected Ethernet • Service Manager is L3 Edge and default router • Access may run PMIPv6 for mobility IP Session: Routed Connection • All traffic associated with the Access Point session is IP traffic IP • Clients are L3 connected (UE IP

Any access / distribution technology must be routable in Access domain!) • Session Manager may be more than one hop away from Client

IP Sessions - FSOL FSOL depends on the Session Type. There are options .....

Unclassified MAC or IP . IP packet with unknown MAC or IP source address Data Traffic Use MAC for L2-connected IP sessions Use IP for routed IP sessions

DHCP . DHCP Discover message DHCP discover ISG must be DHCP Relay or Server

RADIUS RADIUS . RADIUS Access/Accounting Start Access Request OR Accounting Start ISG must be a Radius Proxy for Account Start/Stop Typically used in PWLAN and WiMAX environments Wireless Client AP

. EAP/802.1x – WLC or AP Authenticator / ISG - Authorization ‒ AAA is the authentication server ‒ Seamless authentication but requires client config. (certificates, username/pwd, etc) ‒ EAP-SIM/AKA helps if proper supplicant SW available on terminal device

. Weblogin – Portal-based Authentication and Authorization

‒ Open SSID ‒ Requires no client configuration, completely Web-based ‒ Subsequent Logins are transparent/automatic using device MAC address ‒ Vulnerable to MAC Spoofing

. Service: A collection of features that are applicable on a subscriber session Service = {feat.1, feat.2,...,feat.n}

Session Portbundle (PBHK) Keepalives: ICMP and ARP based Administration Timeouts: Idle, Absolute

QoS: Policing, MQC Traffic Conditioning Security: Per User ACLs Subscriber Address Assignment Control

Features Traffic Forwarding Redirection: Initial, Permanent, Periodic Control VRF assignment: Initial, Transfer Associated to Primary Services GTP or PMIP tunnel assignment1. PostPaid Prepaid: Time/Volume based Traffic Accounting Tariff Switching Interim Broadcast . Primary Service: Contains one “traffic forwarding” feature and optionally other features; only one primary service can be active on a session

1. New feature with EWAG – Q4-2012 BRKSPM-2200 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public Defining Services ISG services Location Download 1 AAA Server . Premium HSI service should be activated 2 RADIUS Access-request on the session . Services defined in Service Profiles Username: Premium_HSI . No definition yet available Password: . Standard and Vendor Specific RADIUS attributes used . On demand download on a need basis . Service Activated on session 3 RADIUS Access-accept . Service Stored in local cache while in use by at least Features associated w/ service 1 sessions 4

• Definition of all existing Services typically pre- Policy Manager downloaded on Box (supporting the SGI Interface) 1 SGI Request . Services defined in XML Premium, Standard, Basic HSI service definitions 3 . Pre-download of all existing services . Services permanently stored in local database 2 SGI Response

ISG . Services pre-configured using CLI . Services permanently stored in local . Services defined on Service Policies: policy-map type database service

During Subscriber Via an External Policy Via the On-Box Policy Manager Authentication/ Authorization Manager/Web Portal

from external PM Administrator

Subscriber Policy Layer Subscriber Policy Layer

DHCP Web Portal / AAA DHCP Web Portal / AAA actions

Server Policy Server Server Server Policy Server Server

plane

Policy

events

from RADIUS data RADIUS CoA or plane Acc-req plane Control

RADIUS SGI

Acc-accept Request

Data plane

Subscriber Subscriber

. Subscriber is successfully authenticated . Service Activation request sent by External . Policy Plane determines what actions to take on Policy Managers via a RADIUS CoA or a SGI session based on events . RADIUS Response includes Services and Request message Features to activate on Session (from . actions *include* applying a service UserProfile) . Control Plane ensures actions are taken – i.e. provisions the data plane . Data Plane enforces traffic conditioning policies to the session

Library VLAN 10 Web Portal VLAN 20 (Library) WLC ISG SSID:XYZ

VLAN 30 Web Portal VLAN 40 (Stadium)

Same SSID from different Separate policies on VLAN’s AP groups mapped to Redirect traffic to different Stadium separate VLAN groups Portals.

AP-Groups VLAN-Groups Portals (500 max) (512 max)

. Common anchor point for all access technologies . A common subscriber identifier across all access technologies ‒ Eg. MAC address, MSISDN…. key for inter-access mobility . Address allocated from a common DHCP pool . A common authentication scheme . Common session identifier ‒ For common billing and subscriber service across WiFi/3G/4G . Ability to track subscriber

1 Common IP pool Common Anchor Same Subscriber ID 2 WLC MAG Same Session ID

Local Mobility 3

PGW / LMA 4 WLC

Mobility Internet Domain IPv6 Mobility

WiFi 5

6 WLC

Local MAG Mobility 7 Location Mobility 8 WLC

802.11(x) CAPWAP L2 PMIPv6

BRKSPM-2200 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 36 Mobility Management Domain Mobility with PMIPv6 PMIP Signalling: Proxy Binding Update (PBU) LMA-Local Mobility . Host-based Mobility: Mobile IP - MIPv4, Proxy Binding Acknowledge (PBA) Anchor MIPv6 ‒ Requires client implementation of Mobile IP stacks; client signalling needed ‒ Drawback: requires client support (ubiquity?) MAG-Mobility . Network-based Mobility: Proxy Mobile IP – Access Signalling: Access Gateway PMIPv6 (RFC-5213) DHCP, IPv6 Router Solicitation ‒ Only network entities participate in mobility related signaling on behalf of clients ‒ Advantage: transparent to UE; no client required

. PMIPv6 Entities: ‒ Local Mobility Anchor (LMA): topological anchor point for UE; assigns and manages UE address and access network location Switches UE downstream/upstream data to appropriate MAG via PMIP tunnelling (GRE-based encapsulation) ‒ Mobility Access Gateway (MAG): manages mobility signalling for the UE; tracks UE location subnet-to-subnet; Switches downstream/upstream UE data between correct access subnet and PMIP tunnel to LMA notifies LMA of location changes for MAG handoff

. Intra-Controller roam happens when an AP moves association between APs joined to the same controller . Client must be re- authenticated and new security session established . Controller updates client database entry with new AP and appropriate security context . No IP address refresh needed

. L2 Inter-Controller roam happens when an AP moves association between APs joined to the different controllers but client traffic bridged onto the same subnet . Client must be re- authenticated and new security session established . Client database entry moved to new controller . No IP address refresh needed

. Foreign controllers will send Layer 3 roaming client’s packet back to its anchor controller through EtherIP tunneling . Source IP address of the packet will be the foreign controller’s management IP address . Upstream routers that have Reverse Path Forwarding (RPF) will forward on packets . No IP address refresh needed

BRKSPM-2200 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 41 Mobile Packet Core Integration Integrating WiFi into Mobile Packet Core Clientless and Client-based Options Summary Converged, WLAN AAA 3GPP Policy, Charging and AAA Billing Systems

Devices Trusted Wi-Fi IP Core Un Tunneled User Data (IP) IPSG or Clientless – IPSG ISG or ISG (IP)

EWAG Clientless Per User PMIPv6 or GTP Tunnel EWAG (PMIPv6) EWAG Un Tunneled User Data (IP) P-GW Clientless GGSN eWAG (GTPv1) EWAG Clientless Per User PMIPv6 Tunnel 3GPP2 HSGW Per User GTP Tunnel Clientless Per User GTP Tunnel 3GPP SGSN 3G Cellular

Secure Client Per User IPSec Tunnel GTP ( Gn) based iWLAN TTG Untrusted Wi-Fi Mobile Packet Core

“Tunnel Termination AAA HLR OCS PCRF CGF Gateway” Wx

IPSec/IKEv2 Gy Gx Ga

GTP 3G Core

Gn’ . Client based integration – iWLAN Internet • Defined in 3GPP 23.234 4G Core • WiFi infrastructure can be trusted or untrusted • No dependencies on WiFi infrastructure other then IPSec needs to get through any firewalls • TTG to terminate IPSec tunnel required in MPC • Existing MPC infrastructure reused – PCRF, OCS, Billing, LI • TTG only interfaces to AAA and GGSN – no other MPC integration is needed • Seamless mobility via Home Agent based on Client Mobile IP or PMIP from GGSN • Device IPSec client needed

EWAG AAA HLR OCS PCRF CGF “Enhanced Wireless Access Gateway” Wx

Gy Gx Ga

3G: GTP over Gn’ 4G: PMIPv6 over s2a

3G Core

. Enhanced Wireless Access Gateway – EWAG Internet ‒ Clientless Wifi Integration into the mobile packet core 4G Core P-GW or GGSN ‒ A mediation device between WiFi access and 3GPP Core ‒ Clean partition of RAT types ‒ Interworking between IP-based Access Network and Mobile Core control planes ‒ Authentication via Mobile AAA infrastructure ‒ PMIPv6 and GTP capability ‒ Existing MPC infrastructure reused – PCRF, Billing, Lawful Intercept…

Enhanced WiFi Access Gateway Common Subscriber Management and Routing Functions

. Subscriber and Service Aware Aggregation Function ‒ Key to support for Local Breakout, Wholesale access ‒ Per-subscriber APN selection and control . Policy-controlled subscriber routing, mobility services (PMIP, GTP) ‒ Anchoring to the GGSN, PGW or local-breakout based on subscriber profile ‒ Subscriber service management for home network as well! ‒ Interprovider Roaming with policy control . Policy interface options: ‒ Radius-based (WiFi evolution) and/or Gx-based (MNO evolution) . Integrated Accounting for Wholesale and Retail Services . IP Aggregation support: ‒ DHCP Server and Relay capability ‒ Support for routed and switched access networks ‒ Efficient solution for IP control-plane to Mobile network control plane interworking – i.e. link model mediation ‒ Address Pool overlap management in access network BRKSPM-2200 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 46 Key EWAG Functions for 4G Integration PMIPv6 . Packet Core Interface: ‒ PMIPv6 over S2a is standardized method of integrating trusted non-3GPP access networks with a 3GPP Evolved Packet Core ‒ 3GPP 29.275 defines PMIPv6 based S2a interface . Session Triggers: DHCP, IPv6 Router Solicitation, Radius Proxy and Unclassified MAC for tunnel initiation . Transport: IPv4 and IPv6 as per RFC-5844 and RFC-5213 . EAP Methods: Agnostic to generic EAP methods (EAP-SIM/AKA and MSISDN) . PMIP Info Elements: Supports all necessary IEs for interface to the MPC . Policy: Cisco UE Service VSA for provisioning of differentiated access per subscriber ‒ Phase 1.5 includes 3 different service options “IPv4”, “IPv6” and “dual”

BRKSPM-2200 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public Key EWAG Functions for 3G Integration GTP-based 3G Integration . Packet Core Interface: ‒ GTP over Gn’ Interface as per TS 29.060 ‒ GTP control support: PDP context creation, deactivation, PDP echo . Session Triggers: DHCP, IPv6 Router Solicitation, Radius Proxy and Unclassified MAC for tunnel initiation . Transport: IPv4, IPv6 . EAP Methods: Agnostic to EAP method (EAP-SIM/AKA with MSISDN or user@realm subscriber ID) . GTP Info Elements: Supports all necessary IEs for interface to the MPC ‒ eg. Protocol Configuration Options, MSISDN, APN

AP Portal DHCP AAA

WLC WLC AP Roaming Internet Services Partner Core Access Network Policy Hotspot PGW/LMA

AP GTP Aggregation Roaming Internet Services Switch Gn’ L2 Partner Core AP EWAG Optional GGSN Public/Large NAT Retailer Venue Providers

AP/CPE Home Internet Services Network Core Wholesale Provider Community WiFi

50 PCRF Integration Architecture – Mobile Packet Core Interfaces and Functions

PB – Policy Builder PS – Policy Server CS – Charging Server SM – Unified Subscriber Manager

OSS/BSS Broadband Access Subscriber Policy Infra Inventory & Radius Server Profiles & Portal HSS Billing Provisioning CRM Polices

SOAP/XM Radius Portal API L BroadHop Service Manager PB – Policy Builder PS – Policy Server CS – Charging Server SM – Unified Subscriber Manager

WiFi Internet Access

EWAG Internet (ASR1000 with ISG) Gateway

ITP- IP Transfer Point Interfaces and Functions MAP Gateway for MAP/Radius interworking

Broadband Access OSS/BSS MPC Authentication Roaming Subscriber Policy Infra Interworking Partner Inventory & Radius Server Profiles & Portal CAR HSS Billing Provisioning CRM Polices HLR SS7 ITP Network

SOAP/XM Radius Portal API L

Local HLR

BroadHop Interface to Local SME HLR if Applicable

Radius Radius

WiFi Internet Access

EWAG Internet (ASR1000 with ISG) Gateway

Device AP+WLC DHCP/MAG P-GW PCRF Policy Manager AAA HLR Configure authorized IMSIs on the Sub DB Subscriber database with WiFi Open Association Subscriber Profile.

EAP Request/ID WiFi Subscriber Profile: EAP ID Response/ID RADIUS Access Request (username= EAP ID, calling station ID = MAC, called-station-ID Realm, WiFi APN, Charging MAP SEND AUTH = SSID) Characteristics, IPv4/IPv6 service INFO Req EAP-SIM Method, Recover IMSI from Pseudonym or Fast Re-Auth ID MAP SEND AUTH INFO Res IMSI Authenticated, but MSISDN Recover Subscription unknown Profile (IMSI)

MAP SRI for LCS Req (IMSI) User Profile VSAs: MAP SRI for LCS CISCO-SERVICE-SELECTION (APN), CISCO-MOBILE-NODE-IDENTIFIER Store MSISDN Res (MSISDN) (IMSI@realm) , CISCO-MSISDN, Cache MAC, IMSI, MSISDN, subscriber 3GPP-CHARGING-CHARS, profile CISCO-MN-SERVICE (IPv4) EAP SUCCESS RADIUS Access Accept (EAP Success, PMIPv6 VLAN override)

VLAN Source MAC Address: DHCP Discover RADIUS Access Request (Calling Station ID = Source MAC address)

SPR/ AAA Device AP+WLC DHCP/MAG P-GW PCRF HLR Sub DB IPv4 HoA = 0.0.0.0 MN-ID (imsi@realm), SSMO (APN), MSISDN, CHARGING CHARACTERISTICS , ATT = WiFi

PBU Gx:CCR-I: IMSI, MSISDN, Gx:CCR-I APN, RAT Type Subscriber ID Type = E.164, Gx:CCA-I RAT=WiFi DHCP Offer (a.b.c.d) PBA

DHCP Req/Ack SP: Recover Subscriber Profile (Primary DNS recovered from PBA) Open PGW-CDR With container for WiFi Policy Profile to Apply Service, subscriber ID = MSISDN

RF: Diameter ACR PBA: IPv4 Home Address (HoA) RF: Diameter ACA PCO: Primary DNS

PMIPv6

. This case study was presented at the event only . Please contact your Cisco SE for details if needed

. SP WiFi access is a business reality today for MNOs and Hotspot providers alike . Mobile Packet Core integration is a multifaceted problem ‒ attention needed to multiple factors . WiFi access and aggregation uses IP control plane mechanisms. ‒ WiFi Access Gateways need proper interworking support . Wholesale access and roaming is a key consideration ‒ WiFi Access Gateway need to support multiple roaming partners; 3G, 4G core interfaces . Rich service management needed for subscriber differentiation and monetization . There is no single solution for all access types, but all types of access should be supported at the service layer . The results of a good deployment will deliver outstanding user experience!

BRKSPM-2200 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 60 Presentation_ID © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public ISG Subscriber Session TC = Traffic Class Traffic Forwarding Capabilities (similar to Traffic Flow Template) Subscriber Session

Feature permit 3 TC1Service TC1 ACL deny Session Feature Service TC1 1 Feature Feature Feature 2 1 Feature 3 permit Traffic 2 TC2 Forwarding Data ACL FeatureFeature Feature deny Service TC2Service Feature TC2 1 Allow traffic Default- Feature Class 2 drop traffic

Session-Features Traffic Classification Flow-Features Forwarding Service Apply to the (using traffic classes: Apply to the Forwarding entire session class-map type classified flow (at L2, e.g. GTP) e.g. per-user ACL, traffic) TC1Service: priority 10 (a portion of or Routing Policing, MQC, entire session (at L3, e.g. PMIP, VRF) TC2Service: priority 20 Accounting traffic) Mutually exclusive

Subscriber DHCP Exchange Starts DHCP Exchange Completes(*) Subscriber Authentication(*) Dynamic Service Update

T0 T1 T2 TN

Brian Brian Subscriber Session Subscriber Session Subscriber Session Subscriber Session ISG

MAC Addr: 00:DE:34:F1:C0:28 MAC Addr: 00:DE:34:F1:C0:28 MAC Addr: 00:DE:34:F1:C0:28 MAC Addr: 00:DE:34:F1:C0:28 Identities IP Addr: ? IP Addr: 10.1.1.211 IP Addr: 10.1.1.211 IP Addr: 10.1.1.211 Username: ? Username: ? Username: Brian Username: Brian Services Service: DEFAULT_SRV Service: DEFAULT_SRV Service: PPU_SRV Service: PREMIUM_FR_SRV

DEFAULT_SRV PREMIUM_FR_SRV Only permits management traffic PPU_SRV Flat Rate Premium Data Service: through the session Pay Per Use Service: - Permits all traffic - Permits all traffic - 1M/8Mbps US/DS - 512K/1Mbps US./DS - Accounting enabled on session

(*) Order of operations not representative of a real call flow

NEW OLD SPR/ CAR Device NEW AP OLD AP P-GW PCRF AZR/MAG AZR/MAG Sub DB Open Association IPv4 HoA: a.b.c.d EAP Request/ID

Standard EAP-SIM flows and PMIPv6 Tunnel Establishment

PMIPv6 Open Association EAP Request/ID

Standard EAP-SIM flows

EAP SUCCESS RADIUS Access Accept (EAP Success) (Source MAC address) RADIUS Access Request (Calling Station ID = Source MAC address)

RADIUS Access Accept(User Profile)

PBU: IPv4 HoA: a.b.c.d Gx:CCR-U

Gx:CCA-U

PBA: IPv4 HoA a.b.c.d Update BCE ARP Response

Device AP WLC AAA DHCP ISG Internet

802.1x (1) 802.1x (1) RADIUS (2) User record cached EAP Negotiation (3) User Authorized EAP Authentication / Authorization (4) Service profile downloaded DHCP Discover (5) DHCP Discover (6) DHCP Offer (7) DHCP Request / ACK (8) Acct Start (9)

User session created IP Traffic (10) Service Applied Policies enforced RADIUS (11)

RADIUS (12)

IP Traffic (13) IP Traffic (14)

802.11(x) CAPWAP RADIUS DHCP IP

Authorization at the MAG EWAG

Device AP WLC AAA DHCP/MAG LMA Internet Note: example uses Integrated DHCP Server. External Server also possible.

802.1x (1) 802.1x (1) RADIUS (2) User record cached EAP Negotiation (3) EAP Authentication / Authorization (4) PMIPv6 trigger

DHCP Discover (5) STOP DHCP Relay (6) User Authorized LMA / NAI downloaded RADIUS Access Request (7)

RADIUS Access Accept (8) Binding created on LMA PBU (9)

PBA(10)

DHCP Offer (11) (IP Address, Mask, GW, DNS) DNS option added to offer

DHCP Request / ACK (12) IP Traffic (13)

802.11(x) CAPWAP RADIUS PMIPv6 IP

EAP SIM Authentication and Radius Control Configure authorized IMSIs on the AAA Server and there MSISDN mapping ITP AAA Device AP+WLC L3 Router EWAG GGSN ITP HLR Open Association Username=EAP ID, Calling Stn ID = MAC, Called Stn ID = SSID EAP Request/ID EAP ID Response/ID RADIUS Access Request RADIUS Access VSA = MAP: getauthinfo Request MAP SEND AUTH INFO Req EAP-SIM Method MAP SEND RADIUS Access AUTH INFO Accept Res

VSA = MAP: authtriplet EAP SUCCESS RADIUS Access Accept (EAP Success)

Cache mapping between IMSI, DHCP Discover (MAC address) MAC, address and SSID RADIUS Access Request (MAC address)

RADIUS Access User Authorized at EWAG Accept User Profile VSAs: Create PDP Ctx Req mn-nai=IMSI@realm, APN, MSISDN

Create PDP Ctx Res GGSN Allocated IP address GTP DHCP Offer (IPv4) DHCP Req/Ack Gi Data packet (Src IP=IP) Data packet (Src IP=IP)

reader SIM Device AP WLC AAA DHCP Home AAA HLR IPSG / GGSN Client starts EAP EAP-SIM/AKA authentication User MAC and IMSI Cached after User traffic successful EAP encrypted using EAP derived WEP keys AAA looks up user DHCP Req/Resp IMSI / MSISDN based on MAC Radius Acct Start (Framed IP, mac)

Radius Acct Response

WLC forwards all Radius Acct Start (Framed IP, IMSI/MSISDN) traffic to User session on VLAN_EAP. All IPSG VLAN_EAP traffic VPN to mobile core Radius Acct Resp

User traffic

. Web portal based access continues to be demanded by MNOs and WiFi Access providers . Many mobile devices do not have SIM cards or SIM-based clients apps ‒ WiFi iPAD and iPod touch are two major examples ‒ Will every WiFi connected device get a SIM? When? . BYOD will be a major use case for WiFi access going forward . Exploit visiting “non-subscribers” – a good “churn” opportunity for you ‒ Need a portal login and splash page to offer your service . However there are many integration challenges….

Device AP WLC AAA DHCP ISG Portal Internet Open Association (1) association Association (2) Unauthenticated DHCP Discover (3) DHCP Relay (4) Session DHCP Offer (5) DHCP Request / ACK (6) DNS Query (7) User Profile cached DNS Query (8) DNS Response (9) HTTP Request (10)

HTTP Response (11) User Login (12) RADIUS CoA (13) RADIUS Auth (14) CoA Ack (15) Authenticated Session

Radius Acct Start (16)

Residential Gateway BNG LNS ISG “Hotspot” DHCP Policy AAA Portal Internet UE Server Server Association to Hotspot ISP PPP Session SSID triggers Setup Wireless L2TP/PPP connection Association

L2TP Tunnel Establishment LNS Assigns IP Address to Residential PPP Session Establishment GW “Hotspot”

RG Hotspot registers DHCP: Discovery with the ISG. This clears any previously existing sessions for Radius Accting Start this RG

DHCP Discovery Relayed to LNS

DHCP Discover Relayed to DHCP Server

DHCP DHCP DHCP Offer/Req/Ac Offer/Req/Ac Offer/Req/Ac k k k WiFi Client now has an IP PPPoE address PPPoL2TP 802.11 MAC

Residential Gateway BNG LNS ISG AAA Policy AAA Portal Internet UE “hotspot” Accounting Server ISG First Sign of Life. Initial Services Applied – eg. HTTP redirect DHCP Accounting Start Traffic redirect to Portal DHCP Accounting Start for Login

TCP/HTTP Successful Login. Subscriber enters credentials Notify ISG via Radius Account Logon CoA CoA Request: Account Logon

ISG queries AAA Server RadiusAccess-Request for User service profile Radius Access-Accept which is returned in Radius Access-Accept Message PPPoE

PPPoL2TP User service and policy profile applied to user session. Internet access established