GESTS Int’l Trans. Computer Science and Engr., Vol.19, No.1
Design of Wireless LAN Applicative Solution for Internetworking with Public Land Mobile Networks

Toni Janevski (1), Aleksandar Tudzarov (1), Perivoje Stojanovski (1), Meri Janevska (2), Dusko Temkov (1), Goce Stojanov (1), Dusko Kantardziev (2), Tome Bogdanov (2) and Mine Pavlovski (2)

(1) Faculty of Electrical Engineering, Postal Code 1000, Skopje, Republic of Macedonia, [email protected]
(2) Mobimak AD, Postal Code 1000, Skopje, Republic of Macedonia
Abstract. Public Land Mobile Networks (PLMN) of the 2.5 and 3rd generation offer Internet connectivity and IP-based services over wide coverage areas, but they lack bandwidth for demanding applications. On the other side, Wireless LANs (WLAN) offer many times higher data rates than cellular networks, but they can cover only small area spots. This situation leads to the requirement for internetworking between PLMN and WLAN, where WLAN is used to cover dense city areas called hotspots. In this paper we describe the design of our applicative solution for internetworking between PLMN and WLAN, based on an integrated authentication and accounting system. For that purpose we have developed two additional network nodes, called the WLAN Access Controller and the WLAN Authentication, Authorization, and Accounting (AAA) Gateway. The developed applicative solution is targeted at providing a cost-effective integration solution suitable for mobile operators that want to offer a WLAN service and charge for its usage.
1 Introduction

Public Land Mobile Networks have wide coverage from a given base station and low bandwidth for Internet connectivity. Here, PLMN denotes all Public Land Mobile Networks, such as GSM, GPRS, EDGE and UMTS (as well as CDMA2000 in the Americas). Wireless LAN standards (e.g. the IEEE 802.11 family) have higher bandwidth than today’s mobile networks (e.g. up to 11 Mbps for 802.11b, and up to 54 Mbps for 802.11a and 802.11g), but they lack large-scale coverage due to limited propagation. However, WLAN systems are a good complement to the widespread 2.5G systems as well as to 3G systems. One may expect 2.5G or 3G to be the dominating large-scale coverage wireless data transfer system for some years to come, and therefore the combination of WLAN and Public Land Mobile Network (PLMN) technology will use the best features of both systems. High-bandwidth WLANs are used for data transfer where they are available, and PLMN is used where WLAN coverage is lacking. In other words, WLAN and PLMN should complement each other and will probably not compete for the same users. The price for usage of WLAN should be lower than the price for usage of the same services (e.g. transferred data volume) over PLMN, thus forcing subscribers to use WLAN where it is available and PLMN where WLAN is not available. Of course, such a scenario is an excellent choice for mobile operators to offer a WLAN service in addition to PLMN [1-16].

In the following part of this paper we describe the overall design of the WLAN Applicative Solution for internetworking between PLMN and WLAN. The paper is organized as follows. The next section gives an overview of the internetworking architecture. Section 3 describes the WLAN Access Controller. The Web-login solution for WLAN users is given in Section 4. The WLAN AAA Gateway is described in Section 5. Finally, Section 6 concludes the paper.

GESTS-Oct.2005
2 IP Backbone Network Infrastructure for WLAN

The WLAN Applicative Solution consists of several network nodes that internetwork. Some of the WLAN network nodes also require communication with existing systems of the PLMN network, such as the Open Charging Interface (OCI) and the SMS Gateway, which are the two interconnection points between the PLMN system and the WLAN system. The WLAN Applicative Solution uses the Universal Access Method (UAM), which was justified as the preferred access method during research and development [17]. In the case of UAM we have the WLAN Access Controller as a gateway node between the WLAN network and the Internet, as shown in Fig. 1. We also have the WLAN AAA Database, which is used for authentication of WLAN users as well as for charging and billing of the WLAN service. Hence, a complete architecture for the WLAN Applicative Solution needs the following network nodes and servers:
• WLAN Access Controller (WLAN-AC)
• WLAN AAA Database (charging and billing gateway)
• RADIUS server (for AAA communication between WLAN-AC and WLAN AAA Database) [15-16]
• Web-server (for the Web login interface)
• DHCP server (for dynamic allocation of IP addresses to WLAN clients)
• DNS server
On the other side we need the WLAN access network, which consists of:
• Access Points installed at hotspot locations, and
• an IP backbone transmission network connecting the hotspot locations with the WLAN Access Controller.
The general IP network infrastructure strategy for the WLAN solution is given in Fig. 1.
[Fig. 1 residue: network diagram showing the Internet (corporate data; customer data WLAN, GPRS...), perimeter firewall and perimeter router, PLMN DMZ and security zone with DNS, Web-server, OCI/Merlin front end, OpenSMS/SMS gateway, RADIUS server and WLAN AAA Database, the WLAN DMZ 10.251.1.0/24, the WLAN Access Controller (10.251.1.1; logical 10.250.1.1, physical 10.240.1.1) with DHCP 10.250.1.2, the WLAN Infrastructure Network 10.250.1.0/24 with wlan_router1 10.250.1.10 (wireless, layer 3 mode), and Hotspot 1 behind wlan_router2 10.250.2.1 with AP1 10.250.2.3 and AP2 10.250.2.4 in 10.250.2.0/23]
Fig. 1. An example of IP backbone for PLMN-WLAN internetworking
3 WLAN Access Controller (WLAN-AC)

The most common method for controlling Internet access in WLAN networks is to filter packets based on IP address. This method limits the user’s access to a set of designated destinations, usually the web server hosting the web-login page in the operator’s WLAN backbone network. This is referred to as browser redirection.
[Fig. 2 residue: module diagram of the WLAN Access Controller (access control, redirection of unauthorized users to Web-login, check for authorized/unauthorized users, logout request, popup browser initiation, RADIUS client) and of the WLAN AAA Gateway (WLAN RADIUS server, WLAN Database Manager storing usernames and passwords, WLAN SMS handling sending/receiving SMS via OpenSMS and the SMS Gateway, Merlin m-payment client issuing HTTPS requests for real-time charging to the PLMN prepaid and postpaid billing systems, accounting and billing, various controls and charging of the WLAN user account)]
Fig. 2. Solution for PLMN-WLAN integration: software modules and interfaces
In our solution for the WLAN network, we use the packet filtering method for access control in the network access control server, based on the IP address assigned to the wireless client. The wireless client can be any laptop computer with a built-in WLAN card or a PCMCIA WLAN card. The machine used for WLAN Access Control has two Ethernet cards, one on the side of the WLAN access network and the second on the side of the external packet network (i.e. the Internet). The WLAN Access Controller consists of the following main logical modules:
• RADIUS client - for communication with the RADIUS server
• WLAN Access Control module - for controlling the access of WLAN clients
• Redirection module - for redirection of unauthenticated users to the web-login server
• WLAN Access Controller main module
The WLAN Access Controller also uses the following external module:
• Web-login interface - used as the user interface in the authentication process
The environment for the WLAN Access Controller and its software modules is shown in Fig. 2. The WLAN-AC works at the IP level, i.e. the network level. It acts as a gateway between the WLAN network part and the Internet link and server farm. It allows different transmission options for connecting hotspot locations to the WLAN-AC, such as 2 Mbps leased lines, ADSL, an IP backbone with routers and switches, WiMAX (IEEE 802.16) or other wireless backbone technology, etc.

The general WLAN Access Controller network configuration is shown in Fig. 3. The network configuration consists of the following interconnected parts:
• WLAN access network: these are the hotspot locations, where each hotspot location has one or more WLAN Access Points (AP) connected to a local switch, which is connected to the transmission network via a router node;
• Transmission network: it includes all possible transmission solutions for connecting a hotspot location to the WLAN Access Controller;
• Wired Local Area Network (LAN) on the WLAN side: it connects the WLAN-AC and the DHCP server, which dynamically assigns IP addresses to WLAN clients at hotspot locations;
• LAN on the Internet side: on this network are attached all other servers required for proper functioning of the WLAN applicative solution, namely the RADIUS server, Web-server, WLAN Database, as well as the Domain Name Server (DNS).

[Fig. 3 residue: WLAN access network - transmission network - LAN on the WLAN side (DHCP server) - WLAN Access Controller - LAN on the Internet side (RADIUS server, WLAN Database, Web-server, DNS)]
Fig. 3. General network configuration for WLAN Access Controller
4 Web-login solution

The Universal Access Method (UAM) should be as simple as possible for WLAN users. It is worldwide practice to use web-login for the UAM. For simplicity in the UAM we want to spare the user from typing the HTTP address of the web-login page explicitly. To achieve this we use the packet filtering rules of the WLAN Access Controller. These rules redirect to the web-login page every HTTP request that tries to pass through the WLAN Access Controller to the Internet. All HTTP requests of users are redirected to the web-login server, which receives the original HTTP request. Since the requested URL will not be available at the local web-server (except when the requested URL is the web-server’s own), a default web-login page is sent to the user. The information requested from the user is a username and password, which the user enters on the web-login page. After successful authentication, new rules are added in the WLAN Access Controller for that user. These rules remove the redirection, and the user has open access to the Internet. At the moment the user is logged into the WLAN, a popup window appears in the user’s browser. This popup window contains a logout button and a timer showing the time elapsed since the session start. By pressing the logout button the user can log out of the WLAN network.
There is also an option for forced termination of the user’s connection for some reason (e.g., no credit on the WLAN prepaid account). For that purpose the WLAN AAA Database sends a disconnection request directly to the WLAN Access Controller, which listens for such requests on a port of its Ethernet interface towards the Internet. Disconnection requests from the WLAN Database restore redirection to the web-login page at the WLAN Access Controller for that user.
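As an added example (not the paper’s code), the following Python model captures the access-control logic of Sections 3 and 4: an unauthenticated client IP may reach only the designated destinations, its other HTTP traffic is redirected to the web-login server, a successful login opens Internet access for that IP, and a logout or disconnect request restores the redirection. The addresses of the web-login, DNS and AAA Database servers, and the rule that the disconnect listener honours requests only from the AAA Database address, are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

# Client range taken from Fig. 1; the server addresses are constructed assumptions.
WLAN_CLIENTS = IPv4Network("10.250.2.0/23")   # hotspot client addresses (Fig. 1)
WEB_LOGIN = IPv4Address("10.251.1.20")        # assumed address of the web-login server
DNS_SERVER = IPv4Address("10.251.1.21")       # assumed address of the DNS server
AAA_DB = IPv4Address("10.251.1.30")           # assumed address of the WLAN AAA Database


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str      # "tcp" or "udp"
    dport: int


def packet(src: str, dst: str, proto: str, dport: int) -> Packet:
    """Build a Packet from dotted-quad strings (keeps sample traffic readable)."""
    return Packet(IPv4Address(src), IPv4Address(dst), proto, dport)


@dataclass
class AccessController:
    """Packet-filter state of the WLAN-AC, keyed by the client IP assigned by DHCP."""
    authorized: set = field(default_factory=set)   # client IPs with open Internet access

    def decide(self, pkt: Packet) -> str:
        """Filter verdict for one packet arriving on the WLAN-side interface."""
        if pkt.src not in WLAN_CLIENTS:
            return "drop"                             # not a hotspot client address
        if pkt.src in self.authorized:
            return "forward"                          # per-user rule added after login
        if pkt.dst == WEB_LOGIN:
            return "forward"                          # designated destination for everyone
        if pkt.dst == DNS_SERVER and pkt.proto == "udp" and pkt.dport == 53:
            return "forward"                          # name resolution before the redirect
        if pkt.proto == "tcp" and pkt.dport == 80:
            return f"redirect:{WEB_LOGIN}"            # browser redirection to web-login
        return "drop"                                 # everything else stays blocked

    def login(self, client: str) -> None:
        """Successful web-login: add the per-user rule that removes redirection."""
        self.authorized.add(IPv4Address(client))

    def logout(self, client: str) -> None:
        """Logout button in the popup window: restore redirection for this client."""
        self.authorized.discard(IPv4Address(client))

    def handle_disconnect_request(self, sender: str, client: str) -> bool:
        """Disconnect request received on the Internet-side port.

        Assumption: only the WLAN AAA Database may force a disconnect, so requests
        from any other sender are ignored. Returns whether the request was honoured."""
        if IPv4Address(sender) != AAA_DB:
            return False
        self.logout(client)
        return True
```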
5 WLAN AAA Gateway

WLAN Billing functionality is built into the WLAN AAA Gateway (i.e. the WLAN Database). It is based on the AAA information flow from the WLAN Access Controller via the RADIUS server to the WLAN AAA Database, and vice versa. Billing of the WLAN users is triggered by the events of storing accounting records from the RADIUS server into the WLAN AAA Database. Triggering happens on three types of accounting records from the WLAN Access Controller client via the RADIUS server:
• Start Accounting;
• Interim Accounting;
• Stop Accounting.
In the WLAN AAA Gateway the following types of users are defined:
• PLMN/WLAN postpaid - existing PLMN postpaid users that subscribe to the WLAN service as well;
• PLMN/WLAN prepaid - existing PLMN prepaid users that want to use the WLAN service and be charged from their prepaid account;
• WLAN prepaid - WLAN users that have bought WLAN prepaid vouchers and activated their WLAN account (this includes those that are not prepaid or postpaid subscribers of the mobile operator, as well as any subscriber of the mobile operator who wants to use WLAN vouchers).
PLMN/WLAN postpaid and PLMN/WLAN prepaid users are treated in the same manner, because real-time charging for these users is done through the m-payment OCI system, which in turn communicates with the respective billing systems, i.e. the postpaid billing system for PLMN/WLAN postpaid users and the prepaid billing system for PLMN/WLAN prepaid users. Two types of charging are defined in the WLAN AAA Database: time-based charging and volume-based charging. In time-based charging the user is charged at session start (triggered by the Start Accounting RADIUS record) in advance for the first time interval, and further during the session on every Interim Accounting record stored in the WLAN AAA Database by the RADIUS server at fixed time intervals (charging intervals). There is no charging of the user at the Accounting Stop message, because he will already have been charged at the previous Accounting message (either Start or Interim Accounting). In volume-based charging the user is charged after each charging interval.
[Fig. 4 residue: the RADIUS server performs the username/password check through the WLAN database access interface, which calls the Authentication Procedure in the WLAN AAA Database; the procedure uses the database tables TJ_PARAMS, TJ_TARIFFS, TJ_REQUESTS, TJ_ERROR_LOG, TJ_VOUCHERS (check/update voucher status and credit) and TJ_WLAN_USERS (check/update WLAN user status)]
Fig. 4. Authentication procedure in WLAN AAA Database
5.1 Authentication Procedure

The WLAN AAA Gateway has a role in the authentication process for any user that wants to log into the WLAN network. For that purpose the RADIUS server communicates with the WLAN AAA Database and its Authentication procedure. The main tasks of the Authentication procedure are: validation of the username and password entered by the user through the Web-login interface, checking whether the user is online (ON) or offline (OFF), and handling the voucher’s status. The communication between the RADIUS server and the Authentication procedure of the WLAN AAA Database goes through the WLAN database access interface, as shown in Fig. 4. RADIUS calls the Authentication procedure with the username and password as input parameters, and receives a positive or negative result from the procedure. Even when the username/password check is positive, the Authentication procedure returns a negative result to the RADIUS server in the following cases:
• The voucher is expired or has no credit;
• The user is online, and less than two charging intervals have passed since the last RADIUS accounting record;
• The user account cannot be charged due to an error in the system or due to a communication interruption between the WLAN AAA Database and the m-payment Merlin system.

[Fig. 5 residue: the GSM/GPRS subscriber’s mobile phone sends an SMS requesting an OTP to the SMS-Center, the WLAN database generates the OTP and returns it by SMS, and the wireless client logs in with MSISDN+OTP]
Fig. 5. Authentication of MM WLAN users by using OTP
5.2 Authentication with OTP (One Time Password)

WLAN PLMN users are authenticated with an SMS-OTP (SMS One Time Password). The PLMN user, either postpaid or prepaid, requests an OTP by sending an SMS with the content “WLAN” to a predefined number in the PLMN’s SMS Gateway. The SMS received from the SMS Gateway is stored in the database via an OpenSMS system. This event fires a WLAN database trigger, which generates the One Time Password (OTP) and sends it to the user by SMS through the HTTP interface of the SMS Gateway. Alternatively, the SMS can be sent by calling a function of OpenSMS (via a database link) from the trigger. The trigger generates the OTP as a random string. The authentication process with SMS-OTP for WLAN PLMN users is shown in Fig. 5.
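As an added example (not the paper’s code) covering the Authentication procedure of Section 5.1 and the OTP issuance of Section 5.2, the following Python mirrors the decision rules the paper lists: a correct username/password is still refused when the voucher is expired or out of credit, when the user is already online with a recent accounting record, or when the account cannot be charged through the m-payment system. Hashed credential storage, the OTP length and alphabet, the OTP validity window and single use, and the in-memory dict standing in for the WLAN database tables are assumptions.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

CHARGING_INTERVAL = timedelta(minutes=1)   # RADIUS Interim Accounting period (paper's example)
OTP_TTL = timedelta(minutes=10)            # assumption: the paper gives no OTP lifetime
OTP_ALPHABET = string.ascii_uppercase + string.digits


@dataclass
class WlanUser:
    username: str                  # voucher username, or MSISDN for PLMN users
    password_hash: str             # assumption: only a hash of the password/OTP is stored
    credit: Optional[int]          # None: PLMN user charged in real time via the OCI
    expires: datetime              # voucher expiry, or OTP expiry for PLMN users
    online: bool = False
    last_accounting: Optional[datetime] = None


def _hash(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


def demo_db() -> Tuple[Dict[str, WlanUser], datetime]:
    """Constructed sample data: one 30-day WLAN voucher (not real credentials)."""
    now = datetime(2005, 10, 1, 12, 0)
    db = {"v-1001": WlanUser("v-1001", _hash("voucher-pw"), credit=10,
                             expires=now + timedelta(days=30))}
    return db, now


def issue_otp(db: Dict[str, WlanUser], msisdn: str, now: datetime, length: int = 8) -> str:
    """Database trigger fired by the incoming 'WLAN' SMS: mint a one-time password from a
    CSPRNG, store only its hash, and return the clear text for delivery via the SMS Gateway."""
    otp = "".join(secrets.choice(OTP_ALPHABET) for _ in range(length))
    db[msisdn] = WlanUser(msisdn, _hash(otp), credit=None, expires=now + OTP_TTL)
    return otp


def authenticate(db: Dict[str, WlanUser], username: str, password: str,
                 now: datetime, oci_reachable: bool = True) -> Tuple[bool, str]:
    """Authentication procedure called by the RADIUS server: returns (accepted, reason)."""
    user = db.get(username)
    # Constant-time comparison; an unknown user gets the same answer as a wrong password.
    if user is None or not hmac.compare_digest(user.password_hash, _hash(password)):
        return False, "invalid username or password"
    if now >= user.expires:
        return False, "voucher or OTP expired"
    if user.credit is not None and user.credit <= 0:
        return False, "voucher has no credit"
    if (user.online and user.last_accounting is not None
            and now - user.last_accounting < 2 * CHARGING_INTERVAL):
        return False, "user already online"
    if user.credit is None and not oci_reachable:
        return False, "account cannot be charged (m-payment system unreachable)"
    if user.credit is None:
        user.password_hash = ""    # assumption: an OTP is consumed by its first successful login
    user.online = True
    user.last_accounting = now     # the Start Accounting record follows immediately
    return True, "accepted"
```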
5.3 WLAN Billing System

WLAN Billing functionality is built into the WLAN AAA Gateway (i.e. the WLAN Database). It uses the AAA information flow from the WLAN Access Controller via the RADIUS server to the WLAN AAA Database, and vice versa. Billing of the WLAN users is triggered by the events of storing accounting records from the RADIUS server into the WLAN AAA Database. Triggering happens on each accounting record from the WLAN Access Controller client via the RADIUS server (i.e. Start Accounting, Interim Accounting, and Stop Accounting). All accounting messages are stored in the WLAN database.
[Fig. 6 residue: the WLAN Access Controller sends accounting data to the WLAN RADIUS Server, which passes accounting data to the WLAN AAA server; m-charging goes to the Merlin m-payment server, CDRs of WLAN usage reach the Postpaid Billing System, and the PLMN/WLAN postpaid subscriber receives a monthly invoice]
Fig. 6. PLMN/WLAN postpaid accounting deployment solution
To integrate time-based and volume-based accounting, triggering is performed before the insert into the WLAN database. This is needed because, in the case of volume-based charging, “triggering before insert” is required to check the amount already charged to the user’s account since the beginning of the session, in order to charge accurately.
Billing for PLMN/WLAN postpaid

Billing PLMN users for WLAN services is related to how accounting is handled, i.e. the process of gathering charging information about the user, processing it, and transferring the bill to the user. There are two options for handling PLMN/WLAN postpaid users:
1. Using SMS-OTP authentication for PLMN/WLAN postpaid users and real-time charging on the user’s account via the m-payment OCI;
2. Charging an electronic voucher (e-voucher) to the user’s postpaid account by an external application, which at the same time generates the e-voucher in the WLAN Database by calling the appropriate WLAN Database function.
In this section we describe Option 1 from above, i.e. the case when the PLMN/WLAN user is authenticated using SMS-OTP authentication. The deployment solution for PLMN/WLAN users, which includes the WLAN Access Controller, RADIUS server, WLAN Database, SMS-Center through the SMS Gateway, and the PLMN Open Charging Interface (i.e. m-payment system), is shown in Fig. 6. In the case of WLAN postpaid users, the user is charged for WLAN usage on his monthly invoice.
Billing for PLMN/WLAN prepaid

In the PLMN-WLAN network two types of prepaid users are possible: those with PLMN vouchers and those with WLAN vouchers. In this section we refer to the first type. The difference between PLMN postpaid and prepaid users is made in the Open Charging Interface (m-payment system), which is a system external to the WLAN. For PLMN prepaid users the OCI requests credits in advance for WLAN usage from the PLMN prepaid account. One should note that, from the point of view of the WLAN Applicative Solution, there is no difference in billing PLMN/WLAN postpaid and PLMN/WLAN prepaid users.
Billing for WLAN prepaid

WLAN prepaid refers to prepaid users that use WLAN vouchers. This category includes WLAN users that are not PLMN subscribers, but it may also include PLMN subscribers that use WLAN prepaid vouchers to access the WLAN network. In general, there is no limitation on who can be a WLAN prepaid user. In the case of WLAN prepaid users, there is no intercommunication between nodes in the PLMN network and nodes in the WLAN segment. However, WLAN prepaid users share the same Internet access as PLMN/WLAN postpaid and PLMN/WLAN prepaid users. Credentials (username and password) can be delivered to WLAN prepaid users in two different ways:
• Using electronic vouchers (e-vouchers);
• Using printed vouchers (i.e. scratch-cards).
As usual with prepaid vouchers, all voucher numbers or username/password pairs of the vouchers are recorded in the WLAN database. When a subscriber buys a voucher, he/she enters the credentials from the voucher into the Web-login page. The WLAN system then checks the entered credentials, and if a match is found, the WLAN prepaid account is activated with a certain amount of credits (depending on the voucher type). After successful authentication the user is granted access to the Internet. During the active session the user’s credit is updated at each RADIUS accounting record in the WLAN database, and the number of credits is reduced by an amount corresponding to the usage of WLAN resources (either time- or volume-based charging). For time-based charging, at each RADIUS accounting record in the WLAN Database the user’s credit is reduced by the amount to be charged for the next charging time interval (that is, the RADIUS Interim Accounting period). For example, for time-based charging with a charging interval of one minute, the user is granted further usage of the WLAN only when he has at least enough credits for another minute of usage. If the user does not have enough credits for the next charging interval, he/she is disconnected by a disconnect request sent from the WLAN AAA Gateway directly to the WLAN Access Controller.
For volume-based charging of prepaid WLAN users, the user’s credit is charged after each charging interval, which differs from time-based charging. The charging is done after each Interim Accounting record and after the Stop Accounting record from the RADIUS server, because the volume of data that the user will send/receive in the next charging interval cannot be accurately estimated in advance.
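As an added example (not the paper’s code) of the charging rules spread over Sections 5 and 5.3, this Python trigger applies the paper’s two schemes to the RADIUS accounting records: time-based charging debits one interval in advance at Start and at every Interim record and nothing at Stop, while volume-based charging debits after each Interim and Stop record the cost of the total session volume not yet charged, which is the “before insert” check the paper describes. The tariff values, the per-megabyte rounding and the credit thresholds that produce a disconnect request are assumptions.

```python
import math
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple

# Constructed tariff; the paper names the two charging schemes but gives no prices.
CHARGING_INTERVAL_S = 60      # Interim Accounting period: one minute, as in the paper's example
PRICE_PER_INTERVAL = 2        # credits debited in advance for one time interval
PRICE_PER_MB = 5              # credits per started megabyte (rounding up is an assumption)


class Acct(Enum):
    START = "Start"
    INTERIM = "Interim"
    STOP = "Stop"


@dataclass
class Account:
    username: str
    credit: int
    mode: str                     # "time" or "volume"
    charged_in_session: int = 0   # amount already charged since Start (needed for volume mode)
    online: bool = False


def volume_cost(session_octets: int) -> int:
    """Cost of the total volume transferred since session start."""
    return math.ceil(session_octets / (1024 * 1024)) * PRICE_PER_MB


def on_accounting_record(acct: Account, rec: Acct, session_octets: int = 0) -> str:
    """Trigger run before an accounting record is inserted into the WLAN AAA Database.

    Returns "continue", "stopped", or "disconnect" (a disconnect request to the WLAN-AC)."""
    if rec is Acct.START:
        acct.online = True
        acct.charged_in_session = 0
    if acct.mode == "time":
        # Charge in advance for the next interval at Start and Interim; nothing at Stop.
        if rec in (Acct.START, Acct.INTERIM):
            acct.credit -= PRICE_PER_INTERVAL
            acct.charged_in_session += PRICE_PER_INTERVAL
    else:
        # Charge after the fact at Interim and Stop: what the session volume costs so far,
        # minus what earlier records already charged (the "before insert" check).
        if rec in (Acct.INTERIM, Acct.STOP):
            due = volume_cost(session_octets) - acct.charged_in_session
            acct.credit -= due
            acct.charged_in_session += due
    if rec is Acct.STOP:
        acct.online = False
        return "stopped"
    # Further usage only while credit covers another interval (time) or stays positive (volume).
    if acct.mode == "time" and acct.credit < PRICE_PER_INTERVAL:
        return "disconnect"
    if acct.mode == "volume" and acct.credit <= 0:
        return "disconnect"
    return "continue"


def run_session(acct: Account, records: List[Tuple[Acct, int]]) -> List[str]:
    """Feed (record type, session octets) pairs in order; stop at the first disconnect."""
    verdicts = []
    for rec, octets in records:
        verdicts.append(on_accounting_record(acct, rec, octets))
        if verdicts[-1] == "disconnect":
            break
    return verdicts
```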
6 Conclusion

In this paper we have described a design solution for PLMN-WLAN internetworking based on an integrated system for authentication and accounting. The developed applicative solution includes two additional network nodes for WLAN deployment by a mobile operator: the WLAN Access Controller and the WLAN AAA Gateway. The WLAN Access Controller performs user access control on the WLAN side and collects data on user activity, which are further used to charge the user for the service. The user interface for authentication is the Web-login interface, which is controlled by the WLAN Access Controller. Integration between the WLAN segment and the PLMN is established via the WLAN AAA Gateway, which is capable of accomplishing real-time charging for existing PLMN subscribers, either prepaid or postpaid, as well as charging WLAN prepaid users. The latter can be WLAN users with printed or electronic vouchers (e-vouchers). The proposed system has already been tested in practice and is completely functional as designed. Finally, the design solution described in this paper provides the possibility of instant and low-cost deployment of a WLAN service by mobile operators.
References

[1] Alcatel, “Public Wireless LAN for Mobile Operators: WLAN beyond the enterprise”, White paper, 2003.
[2] M. T. Bostrom, A. Norefors, “Ericsson Mobile Operator WLAN”, Release 1 Technical Description, February 2002.
[3] Telia HomeRun, http://www.homerun.telia.com, accessed June 2004.
[4] BT Openzone, http://www.btopenzone.com, accessed June 2004.
[5] T-Mobile US, http://www.t-mobile.com/hotspot/, accessed June 2004.
[6] M. Buddhikot et al., “Integration of 802.11 and Third-Generation Wireless Data Networks”, Infocom 2003, San Francisco, USA, March 30 – April 3, 2002.
[7] Toni Janevski, “Traffic Analysis and Design of Wireless IP Networks”, Artech House Inc., Boston, USA, 2003.
[8] Intel, “Wireless LAN (WLAN) End To End Guidelines for Enterprises and Public HotSpot Service Providers”, Release 1.0, October 2002.
[9] IEEE 802.1X standard, “IEEE standard for local and metropolitan area networks – Port-Based Access Control”, July 2001.
[10] IEEE 802.1Q standard, “IEEE standard for local and metropolitan area networks – Virtual Bridged Local Area Networks”, May 7, 2002.
[11] Frank Ohrtman, Konrad Roeder, “Wi-Fi Handbook: Building 802.11b Wireless Networks”, McGraw-Hill, 2003.
[12] IEEE 802.1X standard, “IEEE standard for local and metropolitan area networks – Port-Based Access Control”, July 2001.
[13] J. Edney, W.A. Arbaugh, “Real 802.11 Security: Wi-Fi Protected Access and 802.11i”, Addison Wesley, July 2003.
[14] ETSI TS 101 393 – Digital cellular telecommunications system (Phase 2+); General Packet Radio Service (PLMN); PLMN Charging, 3GPP TS 12.15 version 7.7.0 Release 1998.
[15] C. Rigney, S. Willens, A. Rubens, W. Simpson, “Remote Dial-In User Authentication Service (RADIUS)”, RFC 2865, June 2000.
[16] C. Rigney, “RADIUS Accounting”, RFC 2866, June 2000.
[17] T. Janevski, “AAA System for PLMN-WLAN Internetworking”, Journal of Communications and Networks (JCN), Special Issue on “Towards the Next Generation Mobile Communications”, pp. 192-206, Volume 7, Number 2, June 2005.
Biography

Toni Janevski was born in Skopje, Republic of Macedonia, on October 15, 1972. He received the B.Sc. degree in Electrical Engineering and the M.Sc. and Ph.D. degrees in Electrical Engineering from the University “Sv. Kiril i Metodij”, Skopje, R. Macedonia, in 1996, 1999, and 2001 respectively. From 1996 to 1999 he was with the Mobimak GSM mobile operator in R. Macedonia. Since October 1999 he has been with the Faculty of Electrical Engineering in Skopje. From July 2001 to November 2001 he was at the IBM T.J. Watson Research Center, New York, USA. He has written the book “Traffic Analysis and Design of Wireless IP Networks”, published by Artech House Inc. in 2003. He is an Assistant Professor at the Faculty of Electrical Engineering, University “Sv. Kiril i Metodij”, Skopje. His research interests are in wireless and mobile networks, Quality of Service, network planning and dimensioning, traffic theory and internetworking. He is a Senior Member of the IEEE.