Content uploaded by Aleksandar Tudzarov
Author content
All content in this area was uploaded by Aleksandar Tudzarov
Content may be subject to copyright.
0-7803-9164-0/05/$20.00 ©2005 IEEE 352
Integrated AAA System for PLMN-WLAN Interworking
Toni Janevski
1
, Aleksandar Tudzarov
1
, Meri Janevska
2
, Perivoje Stojanovski
1
,
Dusko Temkov
1
, Goce Stojanov
1
, Dusko Kantardziev
2
, Mine Pavlovski
2
,
Tome Bogdanov
2
Abstract –In this paper we propose an applicative solution for
Authentication, Authorization and Accounting i.e. AAA system
for interworking between Public Land Mobile Networks (PLMN)
and Wireless Local Area Networks (WLAN). The developed
solution is based on several networks nodes, such as WLAN
Access Controller, WLAN AAA gateway, AAA server, as well as
necessary network elements for dynamic allocation of IP
addresses and web-server for user access to the network. WLAN
Access Controller, together with the AAA server, provides access
control functionality for WLAN users. WLAN AAA Gateway
provides charging and billing functionalities for the WLAN
service. The integrated AAA system with all network elements
gives an efficient solution for PLMN-WLAN internetworking.
Keywords: AAA, Billing, Mobile, Internetworking, Wireless
LAN.
I. INTRODUCTION
Wireless access networks can be classified into two main
groups: wireless networks that provide high data rates and
have limited coverage from a given Access Point, such as
802.11 WLAN, and wireless networks that have wide
coverage from a given base station and limited bandwidth,
such as PLMN, PLMN, and UMTS (as well as CDMA2000 in
Americas). Hence, the WLAN standard will never be able to
provide large-scale coverage due to limited propagation.
However, the WLAN systems are a good complement to the
widespread PLMN systems as well as 3G systems. PLMN and
3G offer data rates that in relation to WLANs have low
bandwidth. One may expect PLMN or 3G to be the
dominating large-scale coverage data transfer wireless system
for some years to come and due to this, the combination of
WLAN and Public Land Mobile Network (PLMN) technology
will use the best features of the both systems.
To make an integrated PLMN/WLAN system popular, it is
necessary to have a shared system for billing the users.
Without such shared system, someone using different
networks could receive many bills from small WLAN
operators. High bandwidth WLANs are used for data transfer
where available and PLMN is used where WLAN coverage is
lacking. In other words, WLAN and PLMN should be able to
complement each other and will probably not compete for the
same users. The price for usage of WLAN should be smaller
than price for usage of the same services (e.g. transferred data
volume) over PLMN, thus forcing subscribers to use WLAN
where it is available, and to use PLMN where WLAN is not
available. Such scenario is an excellent choice for mobile
operators to additionally offer WLAN service, besides PLMN.
1
University “Sv. Kiril i Metodij”, Faculty of Electrical
Engineering, 1000 Skopje, Macedonia E-mail:
tonij@cerera.etf.ukim.edu.mk
2
Mobimak AD, Skopje, Macedonia
Due to interest for WLAN considering lower price than
classical cellular infrastructure, ease of use, and higher
bandwidth than PLMN, either 2.5G or 3G (e.g. UMTS)
mobile networks, large vendors on the telecommunication
market have created different solutions for Wireless LAN
operated by mobile operators. Some of these solutions
provided by some of the world largest vendors in wireless
communications market are described in [1-5].
In this paper we propose and describe in details efficient
and cost-effective system for unified Authentication,
Authorization and Accounting (AAA) for PLMN-WLAN
internetworking, in particular, for the scenario where PLMN
operator adds its own WLAN network to offer WLAN
service.
II. PLMN-WLAN ARCHITECTURE
Depending on the degree of inter-dependence that one is
willing to introduce between the PLMN network and the
802.11 network, there are two different ways of integrating
the two wireless technologies. They are usually defined as [6]:
• Loosely-coupled internetworking (loose coupling)
• Tightly-coupled internetworking (tight coupling).
There are several advantages to the loosely-coupled
integration approach [7-8]. First, it allows independent
deployment and traffic engineering for PLMN and WLAN
networks. Second, loosely-coupled solution has lower costs
and complexity compared to tightly-coupled one.
Furthermore, loosely-coupled internetworking provides easy
access to WLAN services for all potential types of users, such
as postpaid and prepaid users of the mobile operator, as well
as provides possibility to use WLAN services to users that
have no subscription ties with the mobile operator by using
WLAN vouchers. Also, tightly-coupled approach demands
additional investments in end user equipment for WLAN
access (besides traditional 802.11 network cards), while
loosely-coupled solution does not.
From the discussion above it is clear that loosely-coupled
solution offers several architectural advantages over the
tightly-coupled approach. Furthermore, in loosely-coupled
solution we may distinguish two main access methods:
• Universal Access Method – UAM, which is
dominant today; and
• Secured access method, which should be
implemented for users that care about the security
Because one WLAN access method is secured by using
802.1X and an encryption protocol, and other is not (i.e.
UAM), we need to separate both types of access methods.
Solution for this is to use Wireless Virtual LAN – WVLAN,
which is based on 802.1Q standard. In such approach, one
353
Virtual WLAN will be used for UAM, and other (or others)
will be used for secured WLAN access method.
WEB Login Form
Internet
DMZ
O&M
Billing
Administration
LAN
Corporate
LAN of the mobile
operator
Mobile operator’s
network
Open Charging Interface (OCI)
Perimeter Router
Switch
10/100 Mbps
Oracle
database
WLAN Domain
Hot Spot (2)
Hot Spot (1)
Hot Spot (3)
Switch
10/100 Mbps
Wireless Client
Perimeter
Firewall
Switch
Gigabit
Cisco Secure
RADIUS
Server
WLAN DMZ
SMS
gateway
SMS Center
Database
connection
SMS-OTP request
SMS-OTP response
O&M
Firewall
Wireless Client
RADIUS
AAA data
exchange
Wired Infrastructure
AAA Information Exchange Logic
Logical Path of User Traffic
Switch
10/100 Mbps
WEB Server
RADIUS
AAA data exchange
Hotspot access
router
Hotspot access
router
Hotspot access
router
Access network (ADSL, 2 Mbps,
WiMAX)
WLAN Access
Controller
DHCP Server
WLAN
firewall
SMS-OTP request
SMS-OTP response
Figure 1. Architecture for PLMN-WLAN interworking
Our PLMN-WLAN internetworking framework is based on
loosely-coupled architecture (Figure 1). Both, user data traffic
and control traffic (e.g. AAA control signaling) aggregate at
WLAN perimeter router. Traffic from hotspots (and vice
versa) may aggregate in a switch (from the WLAN side of the
network) that is plugged into the WLAN router.
III. AUTHORIZATION, AUTHENTICATION AND
ACCOUNTING FOR PLMN-WLAN
Security solution provided for a wireless LAN environment
depends upon the purpose of the WLAN. In that sense, the
solution differs for public WLAN network and corporate
WLAN. While corporations give security a preference over
easiness of use, an ordinary Internet user may prefer
simplicity than security. There is always a balance that should
be achieved between system security and user friendliness,
especially in public WLAN access network.
Most common method for controlling Internet access for
WLAN networks is to filter packets based on IP address
and/or MAC address [10]. This method refers mainly to
UAM, but it may be applied to the secured access as well.
This method is based on limiting the user’s access to only a
set of designating destinations, which is usually web server
with web-login page in the operator’s WLAN backbone
network. This is referred to as browser redirection. However,
the implementation of this access control is a proprietary
solution, because there is no standardized one.
IV. BILLING SYSTEM FOR PLMN-WLAN
In an integrated PLMN-WLAN network the main objective
for an operator is to bill subscribers for the service. Hence,
billing of the WLAN users is an essential issue.
In a WLAN network operated by a mobile operator, the
following types of users are foreseen:
• PLMN/WLAN postpaid – these are existing PLMN
postpaid users that will subscribe to WLAN service
• PLMN/WLAN prepaid – these are existing PLMN
prepaid users that will want to use WLAN service
and to be charged from their prepaid account
• WLAN prepaid – these are WLAN users that have
bought WLAN prepaid scratch-cards and have
activated their WLAN account (this category
includes all, those that are not prepaid or postpaid
subscribers of the mobile operator, as well as those
that are subscribers of the mobile operator and want
to use WLAN scratch-cards).
A. PLMN/WLAN postpaid
Billing the PLMN users for using WLAN services is related
to how to handle accounting, that is, the process of gathering
charging information about the user, processing it, and
transferring the bill to the user [11]. To be able to provide a
solution for billing WLAN usage to postpaid users, we briefly
explain the PLMN accounting in the continuing section.
Postpaid WLAN users do not need any type of feedback
such as credits left on the client’s PLMN subscription. In the
354
case of WLAN postpaid users the user is charged for WLAN
usage on his monthly invoice.
To be able to charge postpaid users a mobile operator
should add in his billing system an option for WLAN service
as an offer to his users. The simplest way for WLAN service
handling by the Billing system and Customer care department
of the mobile operator is to “copy” the handling of PLMN
service for postpaid subscribers.
RADIUS server
WLAN Users
Database
Mobile
Terminal
Association
MSISDN+OTP Request
MSISDN+OTP Forward
MSISDN+OTP AcceptMSISDN+OTP Accept
User’s Internet traffic
(to/from user)
Accounting Start
Interim Accounting
Interim Accounting
Interim Accounting
Accounting Stop
SMS-Center
PLMN
Open Charging Interface
WLAN Access
Controller
Charging request
MSISDN+OTP Accept
MSISDN+OTP Check
Accounting Stop Record
Accounting Start Record
Interim Accounting Record
Interim Accounting Record
Interim Accounting Record
Charging requests (for volume-based only)
Access Control message to block a user with no quota
Charging request (for time-based only)
Charging request
Charging request
Accounting
trigger
Accounting
trigger
Accounting
trigger
Accounting
trigger
Accounting
trigger
Accounting
trigger
SMS-OTP via HTTP request
OTP Generation
SMS Request for OTP
SMS Reply with OTP
SMS with OTP request
Authentication
procedure
Redirect to web-
login page
Figure 2 Accounting and billing flow for PLMN postpaid and prepaid users that use WLAN service
In Figure 2 we show the complete flow of AAA
information between different network nodes.
For both authentication methods, the user should enter (in
the web login page for UAM, or in the popup window for
802.1X-PEAP) his MSISDN number as a username, and a
password. The password is One-Time-Password (OTP), which
will have limited time validity (e.g. a few hours). To be able
to obtain OTP the user will be required to send an SMS
message to a designated number for that purpose. How the
user will know that he should send an SMS? Additionally we
want to simplify the procedure as possible for a postpaid user
to start using WLAN service.
The answer is the following: assume that we have a PLMN
subscriber that has never used a WLAN service offered by the
mobile operator, and he enters a hotspot. He recognizes that
there is a WLAN network and his lap-top “sees” the SSID of
the UAM VLAN. If the user opens a browser his browser will
be redirected to the web-login page of mobile operator’s
WLAN. There postpaid user will find information that he
should send an SMS to a designated number to obtain access
to the WLAN network (if he does not have such information
in advance).
The SMS-Center of mobile operator receives the SMS and
forwards it to a machine connected to IP backbone network of
mobile operator by using the SMPP protocol for that purpose.
An application receives that request for an OTP via SMS, and
triggers check of the MSISDN number of the user (whether it
is a mobile operator subscriber or not). The MSISDN check is
necessary because there can be also roaming users from other
operators. It is performed by an analysis of the number of the
SMS sender.
RADIUS server
WLAN Users
Database
Mobile
Terminal
Association
Username/Password Request
Username/Password Forward
Username/Password AcceptUsername/Password Accept
User’s Internet traffic
(to/from user)
Accounting Start
Interim Accounting
Interim Accounting
Interim Accounting
Accounting Stop
WLAN Access
Controller
Username/Password Accept
Accounting Stop Record
Accounting Start Record
Interim Accounting Record
Interim Accounting Record
Interim Accounting Record
Access Control message to block a user with no quota
Accounting
trigger
Accounting
trigger
Accounting
trigger
Accounting
trigger
Accounting
trigger
Accounting
trigger
Authentication
procedure
Username/Password Check
Redirect to web-
login page
Figure 3 Accounting and billing flow for WLAN prepaid users
After a positive check of the user’s MSISDN, the
application will trigger generation of OTP for that user. Then,
355
the MSISDN and OTP are stored in the SQL database for
WLAN users, as shown in Figure 2. Further, the OTP is sent
to the user in a SMS via mobile operator’s SMS-Center by
using SMPP for communication between the application and
the SMS-C (we refer to this OTP as Sent OTP i.e. S-OTP).
The user receives the SMS-OTP and enters his MSISDN and
the Received OTP (R-OTP) as his username and password.
These credentials are sent to the WLAN RADIUS AAA
server [8-9] via the AP. Then, the Received OTP (R-OTP) is
compared with Sent-OTP (S-OTP), which is in the WLAN
users’ database. After successful match of credentials given
by the user and those recorded in the database, the user is
granted access to the Internet, and accounting process starts.
RADIUS server is also an accounting server and it receives all
accounting messages (Accounting Start, Interim Accounting,
Accounting Stop etc.). After session ends, RADIUS server
records the accounting data into the SQL database. Also, all
start, stop, and interim accounting messages are stored in the
WLAN database.
Each accounting message triggers the WLAN database to
send request to the mediation node i.e. PLMN Open Charging
Interface – OCI (Figure 2). From the accounting data recorded
into the OCI database, an application periodically creates
CDRs from the accounting data for completed sessions. All
created CDRs are periodically sent to the Billing System of
the mobile operator over FTP.
B. PLMN/WLAN Prepaid
In PLMN-WLAN network there is possibility for two types
of prepaid users: one with PLMN prepaid cards; and the other
with WLAN prepaid cards. In this section we refer to the first
one.
The flow of accounting and billing information for
PLMN/WLAN prepaid users (as described above) is shown in
Figure 2, and is the same as for PLMN/WLAN postpaid users.
The difference between PLMN postpaid and prepaid users is
made in the Open Charging Interface - OCI. For PLMN
prepaid users the OCI request credits in advance for WLAN
usage, either for a time period (e.g. one minute) or for a given
amount of data (in bytes). However, different pricing factors
(e.g. different tariffs) are agreed between WLAN database and
the OCI prior to their interconnection.
C. WLAN Prepaid
WLAN prepaid refers to prepaid users that are using
WLAN vouchers (scratch-cards). This category includes
WLAN users that are not PLMN subscribers, but it may also
include PLMN subscribers that want to use WLAN prepaid
vouchers to access WLAN network. In general, there is
simply no limitation about who can be a WLAN prepaid user,
i.e. everybody with purchased and activated WLAN voucher
will be a WLAN prepaid user of the mobile operator [12].
The accounting flow for WLAN prepaid users is shown in
Figure 3. First major difference between WLAN prepaid and
the PLMN/WLAN postpaid or PLMN/WLAN prepaid is the
type of credentials. While in the previous two cases username
was MSISDN number of the PLMN subscriber, in the WLAN
prepaid case the credentials will be given on the WLAN
prepaid card. There can be username and password given on
the scratch-card, or just one credential (i.e. unique number of
the scratch card, consisted of digits, similar to current prepaid
cards of mobile operators).
As usual with prepaid vouchers, all voucher numbers or
username/password pairs of the vouchers will be recorded into
WLAN database prior to their selling. When a subscriber buys
a voucher at the first login he should enter credential(s) from
the prepaid card into web-login page (for UAM access) or in
popup window (for 802.1X-PEAP access). Then, system
compares the entered credentials from the user with those in
WLAN database, and if a match is found, WLAN prepaid
account is created with a certain amount of credits (dependent
upon the voucher type).
After a successful authentication user is granted access to
the Internet. During the active session user balance is
periodically checked (i.e. every minute) and number of credits
is updated according to the usage of resources. At each
balance check, quota is allocated until the next balance check.
For example, for usage-based charging, with balance check on
every 100 KB of data transferred, the user will be granted
further usage only when he has at least credits for another 100
KB. It is similar for time-based charging of the prepaid
WLAN users.
V. CONCLUSIONS
Public WLANs provide an important complement to mobile
networks, enabling broadband Internet access in selected hot
spots and offering additional capacity to the PLMN networks.
Public WLANs can be deployed today with a simple and cost
effective solution based on existing equipment. Mobile
operators can offer their corporate customers a bundled
offering of PLMN plus WLAN, managing the subscription to
the service as well as customer care and billing.
In this paper we have described our solution for PLMN-
WLAN interworking via integrated billing system. First, we
have made a choice for loosely-coupled PLMN-WLAN
integration, which has advantages over the tightly-coupled
approach. Additionally, we propose the Universal Access
Method to be used for public access to a WLAN owned by a
cellular operator.
Finally, we have developed PLMN-WLAN AAA gateway,
for PLMN/WLAN postpaid and PLMN/WLAN prepaid users
as well as WLAN prepaid users. The created solution is cost-
effective and provides all needed functionalities for efficient
charging and billing, as well as controlled access to Internet
via WLAN.
REFERENCES
[1] Alcatel, “Public Wireless LAN for Mobile Operators: WLAN beyond
the enterprise”, White paper, 2003.
[2] Swisscom-Eurospot, http://www.swisscom-eurospot.com, accessed
June 2004.
[3] Telia HomeRun, http://www.homerun.telia.com, accessed June 2004.
[4] BT Openzone, http://www.btopenzone.com, accessed June 2004.
[5] T-Mobile US, http://www.t-mobile.com/hotspot/, accessed June 2004.
[6] M. Buddhikot, G. Chandranmenon, S. Han, Y. W. Lee, S. Miller, L.
Salgarelli, “Integration of 802.11 and Third-Generation Wireless Data
Networks”, Infocom 2003, San Francisco, USA, April 2002.
[7] M. T. Bostrom, A. Norefors, “Ericsson Mobile Operator WLAN”,
Release 1 Technical Description, February 2002.
[8] C. Rigney, S. Willens, A. Rubens, W. Simpson, “Remote Dial-In User
Authentication Service (RADIUS)”, RFC 2865, June 2000.
[9] C. Rigney, “RADIUS Accounting”, RFC 2866, June 2000.
[10] P.Iyer at el, “Public WLAN Hotspot Deployment and
Internetworking”, Intel Technology Journal Vol. 7, August 19, 2003.
[11] ETSI TS 101 393 – General Packet Radio Service (PLMN); PLMN
Charging, 3GPP TS 12.15 version 7.7.0 Release 1998.
[12] Portal Software Inc., “Overcoming Wireless LAN Billing
Challenges”, 2003.
