We use Radiator for our DATA and SMS real-time charging (using Gy Diameter protocol). It sits between our core network elements (SMSC/GGSN) and our online charging system. All our DATA and SMS traffic (national and roaming) is controlled using this flow. On top of that we use the control function (Gx) to apply throttling on the DATA flow for roaming.
Radiator management with Ansible
Nowadays more and more carriers use virtual infrastructure with complicated configurations supporting various technologies. As part of this transition, different network functions like AAA are also virtualized. Virtualization with Radiator AAA server is already supported, but to make the increasingly complicated Radiator configurations easy to manage, we have created Ansible playbooks.
Radiator Software Ansible playbooks offer an easy way to install, configure and control one or several Radiator instances in a single or multiple host environment. When needed, the Radiator environment managed with Ansible can be scaled up or down by increasing the number of Radiator instances in a host, or by deploying Radiator to a completely new existing host. With the Ansible playbooks, Radiator instances can be configured for different roles, ranging from load balancers that ensure even traffic distribution to worker instances that handle the actual authentication or accounting.
The Radiator Software Ansible playbooks can be run in a cloud-native infrastructure, such as OpenStack, as well as on static VMs. As a lightweight configuration management option, the Radiator Software Ansible playbooks take little effort to set up, while maximizing efficiency once in use.
More details in our blog
Radiator provides IMSI privacy for EAP-SIM, EAP-AKA and EAP-AKA’ authentication
In many high traffic areas such as sports stadiums, shopping venues, or public transport hubs, mobile carriers may partner with the local Wi-Fi providers to improve coverage and user experience: mobile devices can be automatically connected to Wi-Fi instead of congested cellular network. Internationally, Wi-Fi roaming agreements also allow carriers to lower the cellular roaming costs.
EAP-SIM, EAP-AKA and EAP-AKA’ are SIM-based Wi-Fi authentication methods used to achieve seamless offloading to carrier and partner Wi-Fi, with International Mobile Subscriber Identifier (IMSI) derived from the SIM card acting as a unique identifier for each user.
On the first ever connection to such a Wi-Fi network, the mobile device communicates its permanent subscriber identity information (IMSI), which is then sent to the home operator for authentication. This identity is sent in the clear. A third-party adversary who installs a Wi-Fi sniffer in the vicinity of such networks can harvest permanent identities and track users. The venue or network owner can also track users in the same way when they connect to the Wi-Fi network.
The solution is to protect user privacy by implementing IMSI encryption for EAP-SIM, EAP-AKA and EAP-AKA’ authentication. As an operator, you can enable IMSI privacy easily: Radiator 3GPP AAA Server handles both encrypted and clear authentication requests. This means IMSI privacy can be offered to devices supporting it without affecting other users.
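As an added example (not Radiator code or configuration), the following audit classifies EAP identities taken from authentication logs and reports those that still expose a permanent identity in the clear. It assumes identities are available as plain `user@realm` strings and relies on the permanent-identity prefix digits of RFC 4187, RFC 4186 and RFC 5448; the sample identities are constructed.

```python
import re
from collections import Counter

# Leading digit that marks a permanent, IMSI-based username for each method:
# RFC 4187 (EAP-AKA), RFC 4186 (EAP-SIM), RFC 5448 (EAP-AKA').
PERMANENT_PREFIX = {"0": "EAP-AKA", "1": "EAP-SIM", "6": "EAP-AKA'"}
PERMANENT_RE = re.compile(r"^([016])(\d{6,15})@(.+)$")

def classify(identity):
    """Return (kind, method, loggable_form) for one EAP identity string."""
    match = PERMANENT_RE.match(identity)
    if match:
        prefix, imsi, realm = match.groups()
        # Keep the first five digits only, so the report does not repeat the leak.
        masked = prefix + imsi[:5] + "*" * (len(imsi) - 5) + "@" + realm
        return "cleartext-permanent", PERMANENT_PREFIX[prefix], masked
    user, _, realm = identity.partition("@")
    if user in ("", "anonymous"):
        return "anonymous", None, "anonymous@" + realm
    # Pseudonyms, fast re-authentication and encrypted identities are opaque here.
    return "opaque", None, "<opaque>@" + realm

def audit(identities):
    """Count identity kinds and list masked cleartext permanent identities."""
    counts, exposed = Counter(), []
    for identity in identities:
        kind, method, loggable = classify(identity)
        counts[kind] += 1
        if kind == "cleartext-permanent":
            exposed.append((method, loggable))
    return counts, exposed

# Constructed sample identities (not real subscribers).
SAMPLE = [
    "0244121234567890@wlan.mnc012.mcc244.3gppnetwork.org",
    "6244121234567891@wlan.mnc012.mcc244.3gppnetwork.org",
    "anonymous@wlan.mnc012.mcc244.3gppnetwork.org",
    "2kQ9vXw0aT5rZ@wlan.mnc012.mcc244.3gppnetwork.org",
]

if __name__ == "__main__":
    counts, exposed = audit(SAMPLE)
    print(dict(counts))
    for method, loggable in exposed:
        print(method, loggable)
```

A falling share of `cleartext-permanent` entries over time is a practical measure of how many devices are actually using IMSI privacy.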
Since revision 2.5, Radiator SIM Pack has supported IMSI encryption as specified in the 3GPP S3-170116 document “Privacy Protection for EAP-AKA” and in WBA’s IMSI Privacy Protection for Wi-Fi – Technical Specification. The feature is already implemented by some of our operator customers to cover their AAA server encryptio
Radiator Software’s experts have contributed to eduroam* development since 2002. In Finland, Radiator Software has provided the federation top-level RADIUS service for CSC and Funet since 2003. Radiator Software currently serves over 50% of the top 250 universities in the world, many of them members of eduroam.
Most of the major universities in Finland are Radiator Software customers with a Radiator-based eduroam RADIUS solution. We at Radiator Software deliver both products and services for turn-key deployment of eduroam, as we have done for many customers since 2003.
*) eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.
Radiator supports OpenRoaming™
The Wireless Broadband Alliance (WBA) provides OpenRoaming™, a roaming federation service enabling an automatic and secure Wi-Fi experience globally. It creates a federation of networks and identity providers to enable automatic roaming and user onboarding on Wi-Fi. More information can be found on the WBA OpenRoaming™ pages.
Radiator Software, being a WBA member and solution provider, can provide your organisation with the products and services you need in order to join OpenRoaming™. OpenRoaming™ requires support for both the RadSec and DNSRoaming protocols in order to implement roaming securely and without extra effort for the end user. Radiator AAA Server supports both of these protocols, as can be seen from our product page. Combined with our consultation services, Radiator Software has everything you need to set up OpenRoaming.
Also, Radiator is already in use with OpenRoaming – a word from our customer:
We use Radiator for Dynamic Peer Discovery of RadSec servers which is fundamental to OpenRoaming and our Service Broker service. Radiator makes it easy to enable dynamic discovery on our servers leading to quicker network integrations. This ease of use allows us to provide superior operational support for our customers and network partners.
Radiator multi-factor authentication
Modern services all around the internet offer different multi-factor authentication solutions. They provide stronger security than using only username and password. Multi-factor authentication requires a combination of something the user knows and something the user possesses. One common combination is the username and PIN or password with a physical token, such as a specific device, smart card, or mobile phone. The multi-factor secured service may range from a web service to a network device to a remote VPN (Virtual Private Network) access – wherever stronger security is needed. The VPN devices can authenticate remote employees, the network devices can authorise administrators, and the web services can identify the users with secure multi-factor authentication.
All you need is a Radiator-based multi-factor AAA service and a free mobile phone app, such as Google Authenticator, Microsoft Authenticator, or some other OTP/TOTP/HOTP app. Once the authenticator app is paired with the Radiator multi-factor AAA service and particular user credentials, multi-factor authentication is ready to be used. Radiator can combine complementary AAA information and functions from Active Directory, LDAP, and even third-party multi-factor services, such as RSA SecurID, YubiKey, Duo Security, and Vasco Digipass. It can check the existence and validity of a user from Active Directory, retrieve a proper VPN group, perform multi-factor authentication using TOTP (Time-based One-time Password Algorithm), and then combine the results into a RADIUS authentication and authorisation response, which is sent back to a Cisco ASA VPN device.
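The decision flow described above, sketched as an added example (not Radiator code or configuration): a directory check, a group lookup and an RFC 6238 TOTP check with a one-step drift window and replay protection, combined into one RADIUS-style reply. The `DIRECTORY` dictionary, the group name, the use of a `Class` attribute to carry the group and the shared secret (the RFC 6238 test key) are assumptions for illustration.

```python
import hashlib
import hmac
import struct

def totp(secret, unix_time, digits=6, step=30):
    """RFC 6238 TOTP (HMAC-SHA-1) for the time step containing unix_time."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

# Constructed stand-in for the Active Directory / LDAP lookup in the text.
DIRECTORY = {
    "alice": {"enabled": True, "vpn_group": "vpn-staff",
              "secret": b"12345678901234567890"},
    "bob": {"enabled": False, "vpn_group": "vpn-staff",
            "secret": b"12345678901234567890"},
}
LAST_STEP = {}   # user -> last accepted time step, so a code cannot be replayed

def authenticate(user, code, now, window=1, step=30):
    """Combine directory state, group lookup and TOTP into one reply."""
    reject = {"code": "Access-Reject"}
    entry = DIRECTORY.get(user)
    if entry is None or not entry["enabled"]:
        return reject                            # unknown or disabled account
    current = int(now) // step
    for candidate in range(current - window, current + window + 1):
        expected = totp(entry["secret"], candidate * step, step=step)
        # Constant-time comparison of the expected and submitted codes.
        if hmac.compare_digest(expected.encode(), code.encode()):
            if candidate <= LAST_STEP.get(user, -1):
                return reject                    # replayed or older than last use
            LAST_STEP[user] = candidate
            return {"code": "Access-Accept", "Class": entry["vpn_group"]}
    return reject

if __name__ == "__main__":
    print(authenticate("alice", totp(b"12345678901234567890", 59), 59))
    print(authenticate("alice", totp(b"12345678901234567890", 59), 59))
```

The second call is rejected because the same code is presented twice within its validity window.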
Hotel management systems
One of the widely seen use cases for Radiator is interoperating with different hotel property management systems (PMS). Radiator is used between the hotel’s PMS and the network equipment that controls internet access in hotel rooms. One of the commonly used systems is Micros Opera, which is used by both independent hotels and hotel chains. Many hotels require guests to log in with their name and room number. Radiator then gives access based on customer information it has received from Opera. However, Radiator support is not limited to Opera: it supports any PMS that provides a FIAS interface.
In addition to simply offering unpoliced, complimentary internet access, Radiator gives you more advanced options for revenue-generating services. Radiator can, for example, give policy instructions, such as the speed given to the customer, based on the price the customer is willing to pay for the internet access. Radiator can also pass information to network equipment (such as Mikrotik controllers) about how long the customer can use the internet with their current login without having to go through the login process again.
VoWiFi (Voice over Wi-Fi)
Since Wi-Fi calling (VoWiFi) was introduced into the market, operators have been increasing their indoor coverage to provide better voice coverage to their subscribers and to offer new voice models, both domestic and roaming. With the new generation devices and automatic SIM authentication, end users will not have to consider whether they are connected to an LTE or a Wi-Fi network. In addition to better indoor coverage, VoWiFi also brings other benefits to operators. These benefits include getting back the revenues and control of the calls from the OTT players. Wi-Fi is also a low-cost solution to enhance voice service coverage and at the same time offload traffic from the core network.
Radiator products provide the essential components for VoWiFi authentication. For our customers, VoWiFi authentication is done with our Radiator SIM Pack, which includes 3GPP AAA Server – providing all the interfaces for 3GPP and non-3GPP authentication. When combined with Radiator Telco Pack Diameter support for policy control and authentication, your network will be ready for Wi-Fi calling. Radiator integrates with all your evolved packet core and Wi-Fi network elements via 3GPP interfaces.
For many of our customers we have been implementing WiFi roaming for different use cases: for example, carriers offloading traffic from their mobile network to WiFi hotspots or for providing VoWiFi (Voice over WiFi) calling to their customers.
One case for Radiator is to implement in-flight connectivity for airline carriers, providing authentication to onboard WiFi that is connected by other means (such as satellite connection) to the internet.
In this scenario, Radiator provides the necessary interfaces for WiFi roaming when subscribers of mobile operators are using their phones during the flight. With smooth WiFi roaming provided by Radiator AAA Server Software, end user devices can connect automatically to the in-flight WiFi network, and continue their use based on the roaming policy agreements between mobile operators and in-flight network operators.
Using Radiator as the flexible, powerful AAA for FTTH service providers
Recently, we have seen a big rise in the number of projects where service providers are implementing new FTTH (Fibre to the Home) services – using different PON (Passive optical network) technologies, such as GPON, XG-PON1, XGS-PON. Based on different estimates for consumer services in the industry, high-performance fibre access is needed more than ever.
Because of this, one of the most common new use cases for Radiator AAA server software, and especially for our Radiator Service Provider Pack, is flexible and high-powered AAA for FTTH operators – that may also run fixed line and WiFi hotspot operations at the same time. With our flexible licensing options, these Radiator installations can be run either by service providers themselves, or they can use a managed service provided by a third party.
Often these enterprise use cases also include private APN (Access Point Name) service for their enterprise customers. We are happy to tell more about our experiences on providing Radiator to different environments and use cases.
With the experience from a wide range of use cases, the key benefit of Radiator is flexibility in different network infrastructures – especially when integrating AAA with different technological generations. Ready-made configurations are available, as well as support for different back-ends and logging and management solutions. As we are actively participating in different standardisation efforts, Radiator is always up-to-date with the latest industry practices and security developments.