GESTS Int’l Trans. Computer Science and Engr., Vol.19, No.1 85
GESTS-Oct.2005
Design of Wireless LAN Applicative Solution for Internetworking with Public Land Mobile Networks
Toni Janevski1, Aleksandar Tudzarov1, Perivoje Stojanovski1, Meri Janevska2, Dusko Temkov1, Goce Stojanov1, Dusko Kantardziev2,
Tome Bogdanov2 and Mine Pavlovski2
1 Faculty of Electrical Engineering, Postal Code 1000,
Skopje, Republic of Macedonia
2 Mobimak AD, Postal Code 1000, Skopje, Republic of Macedonia
Abstract. Public Land Mobile Networks (PLMN) of the 2.5 and 3rd generation offer Internet connectivity and IP-based services over wide coverage areas, but they lack bandwidth for demanding applications. On the other side, Wireless LANs (WLAN) offer data rates many times higher than cellular networks, but they can cover only small area spots. This situation leads to the requirement for internetworking between PLMN and WLAN, where WLAN shall be used to cover dense city areas called hotspots. In this paper we describe the design of our applicative solution for internetworking between PLMN and WLAN based on an integrated authentication and accounting system. For this purpose we have developed two additional network nodes called WLAN Access Controller and WLAN Authentication, Authorization, and Accounting (AAA) Gateway. The developed applicative solution is targeted to provide a cost-effective integration solution that is suitable for mobile operators that want to offer a WLAN service and to charge for its usage.
1 Introduction
Public Land Mobile Networks have wide coverage from a given base station and low bandwidth for Internet connectivity. Here, PLMN denotes all Public Land Mobile Networks, such as GSM, GPRS, EDGE and UMTS (as well as CDMA2000 in the Americas).
Wireless LAN standards (e.g. the IEEE 802.11 family) have higher bandwidth than today’s mobile networks (e.g. up to 11 Mbps for 802.11b, and up to 54 Mbps for 802.11a and 802.11g), but they lack large-scale coverage due to limited propagation. However, WLAN systems are a good complement to the widespread 2.5G systems as well as to 3G systems.
One may expect 2.5G or 3G to be the dominant large-scale coverage wireless data transfer system for some years to come and, due to this, the combination of WLAN and Public Land Mobile Network (PLMN) technology will use the best features of both systems.
High bandwidth WLANs are used for data transfer where they are available and PLMN is used where WLAN coverage is lacking. In other words, WLAN and PLMN should be able to complement each other and will probably not compete for the same users. The price for WLAN usage should be lower than the price for the same services (e.g. transferred data volume) over PLMN, thus motivating subscribers to use WLAN where it is available, and to use PLMN where WLAN is not available. Of course, such a scenario is an excellent opportunity for mobile operators to additionally offer a WLAN service besides PLMN [1-16].
In the remainder of this paper we describe the overall design of the WLAN Applicative Solution for internetworking between PLMN and WLAN. The paper is organized as follows. The next section gives an overview of the internetworking architecture. Section 3 describes the WLAN Access Controller. The Web-login solution for WLAN users is given in Section 4. The WLAN AAA Gateway is described in Section 5. Finally, Section 6 concludes the paper.
2 IP Backbone Network Infrastructure for WLAN
WLAN Applicative Solution consists of several network nodes that internetwork. Also, some of the WLAN network nodes require communication with existing systems of the PLMN network, such as Open Charging Interface (OCI) and SMS Gateway, which are two nodes of interconnection between the two systems, PLMN system and WLAN system.
The WLAN Applicative Solution uses the Universal Access Method (UAM), which was identified as the preferred access method during the research and development [17]. In the case of UAM we have the WLAN Access Controller as a gateway node between the WLAN network and the Internet, as shown in Fig. 1. Also, we have the WLAN AAA Database, which is used for authentication of WLAN users as well as for charging and billing for the WLAN service.
Hence, to have a complete architecture for the WLAN Applicative Solution we need to have the following network nodes and servers:
• WLAN Access Controller (WLAN-AC)
• WLAN AAA Database (charging and billing gateway)
• RADIUS server (for AAA communication between WLAN-AC and WLAN AAA Database) [15-16]
• Web-server (for Web login interface)
• DHCP server (for dynamic allocation of IP addresses to WLAN clients)
• DNS server
On the other side we need the WLAN access network, which consists of:
• Access Points installed at hotspot locations, and
• IP backbone transmission network for connecting the hotspot locations with the WLAN Access Controller.
The general IP network infrastructure strategy for the WLAN solution is given in Fig. 1.
[Figure 1 (network diagram): WLAN infrastructure network with hotspot sites (Access Points behind wlan_router2, wireless in Layer 3 mode) connected over the IP backbone to the WLAN DMZ and WLAN core holding the WLAN Access Controller, RADIUS server, DHCP server and WLAN AAA Database behind wlan_router1; PLMN DMZ with Web-server, OCI/Merlin front end, OpenSMS/SMS gateway, DNS and O&M firewall; perimeter firewall and perimeter router towards the Internet (corporate data, and customer data for WLAN, GPRS...)]
Fig. 1. An example of IP backbone for PLMN-WLAN internetworking
3 WLAN Access Controller (WLAN-AC)
The most common method for controlling Internet access in WLAN networks is to filter packets based on IP address. This method limits the user’s access to a set of designated destinations, which is usually the web server with the web-login page in the operator’s WLAN backbone network. This is referred to as browser redirection.
[Figure 2 (block diagram): WLAN Access Controller modules (redirect/access control, RADIUS client, popup browser) exchanging AAA information with the WLAN RADIUS server; Web-login storing usernames and passwords; WLAN Database Manager with SMS handling, accounting and billing, and Merlin m-payment client; SMS Gateway and OpenSMS for sending/receiving SMS via HTTP; Merlin m-payment server issuing HTTPS requests for real-time charging to the PLMN prepaid and postpaid billing systems; popup initiation and logout requests for WLAN users, checks for authorized/unauthorized users]
Fig. 2. Solution for PLMN-WLAN integration: software modules and interfaces
In our solution for the WLAN network, we use the packet filtering method for access control in the network access control server, based on the IP address assigned to the wireless client. The wireless client can be any laptop computer with a built-in WLAN card or with a PCMCIA WLAN card. The machine used for WLAN Access Control has two Ethernet cards, one on the side of the WLAN access network, and the second on the side of the external packet network (i.e. Internet). The WLAN Access Controller consists of the following main logical modules:
• RADIUS client - for communication with the RADIUS server
• WLAN Access Control module - for controlling the access of WLAN clients
• Redirection module - for redirection of unauthenticated users to the web-login server
• WLAN Access Controller main module
The WLAN Access Controller also uses the following external module:
• Web-login interface - used as the user interface in the authentication process
The environment for the WLAN Access Controller and software modules are shown in Fig. 2.
The WLAN-AC works at the IP level, i.e. the network level. It acts as a gateway between the WLAN network part and the Internet link and server farm. It allows different transmission options to connect hotspot locations to the WLAN-AC, such as 2 Mbps leased lines, ADSL, an IP backbone with routers and switches, WiMAX (IEEE 802.16) or another wireless backbone technology.
The general WLAN Access Controller network configuration is shown in Fig. 3. The network configuration consists of the following interconnected parts:
• WLAN access network: these are hotspot locations, where each hotspot location has one or more WLAN Access Points (AP) connected to a local switch, which is connected to the transmission network via a router node;
• Transmission network: it includes all possible transmission solutions for connecting hotspot locations to the WLAN Access Controller;
• Wired Local Area Network (LAN) on the WLAN side: it connects the WLAN-AC and the DHCP server, which dynamically assigns IP addresses to WLAN clients at hotspot locations;
• LAN on the Internet side: all other servers required for proper functioning of the WLAN applicative solution are attached to this network, namely the RADIUS server, Web-server, WLAN Database, as well as the Domain Name Server (DNS).
[Figure 3 (diagram): WLAN access network connected over the transmission network to the WLAN Access Controller; LAN on the WLAN side with the DHCP server; LAN on the Internet side with the RADIUS server, WLAN Database, Web-server and DNS]
Fig. 3. General network configuration for WLAN Access Controller
4 Web-login solution
The Universal Access Method (UAM) should be as simple as possible for WLAN users. It is worldwide practice to use web-login for the UAM. For simplicity of the UAM we want to avoid requiring the user to type the HTTP address of the web-login page explicitly. To achieve this we use filtering rules in the WLAN Access Controller. These rules redirect to the web-login page every HTTP request that tries to pass through the WLAN Access Controller to the Internet. All HTTP requests of unauthenticated users are thus redirected to the web-login server.
The web-login server receives the original HTTP request. Since the requested URL will not be available at the local web-server (except when the requested URL is the web-server’s own), a default web-login page is sent to the user.
The user is asked for a username and password, which are entered using the web-login page. After successful authentication, new rules are added in the WLAN Access Controller for that user. These rules remove the redirection and the user has open access to the Internet.
At the moment the user is logged into the WLAN, a popup window appears in the user’s browser. This popup window contains a logout button and a timer for the time elapsed since the session start. By pressing the logout button the user is able to log out of the WLAN network.
There is also an option for forced termination of the user connection for some reason (e.g., no credit on the WLAN prepaid account). For that purpose the WLAN AAA Database sends a disconnection request directly to the WLAN Access Controller, which listens for such requests on a port of its Ethernet interface towards the Internet. Disconnection requests from the WLAN Database restore redirection to the web-login page at the WLAN Access Controller for that user.
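The access-control behaviour of Sections 3 and 4 as an added example in Python, not code from the paper or from the deployed system; the addresses, the ports checked, and the rule that unauthenticated clients may reach the DNS server are assumptions made for the example:

```python
"""Model of the WLAN Access Controller's IP-based access control.

Added example, not code from the paper. State is keyed by the IP address the
DHCP server assigned to the wireless client. An unauthenticated client may only
reach the web-login server (plus, as an assumption here, the DNS server so that
hostnames resolve); its other HTTP requests are redirected to the web-login page
and everything else is dropped. Successful authentication removes the
redirection; a logout or a disconnect request from the WLAN AAA Database restores
it. Addresses below are constructed, modelled on the ranges shown in Fig. 1.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network

REDIRECT, ALLOW, DROP = "REDIRECT", "ALLOW", "DROP"

WLAN_CLIENTS = ip_network("10.250.2.0/23")   # hotspot client range (Fig. 1)
WEB_LOGIN = ip_address("10.251.1.10")        # assumed web-login server address
DNS_SERVER = ip_address("10.251.1.53")       # assumed DNS server address


@dataclass
class AccessController:
    # Client IPs whose redirection rule was removed after authentication.
    authenticated: set[IPv4Address] = field(default_factory=set)

    def on_auth_success(self, client_ip: str) -> None:
        """RADIUS accepted the web-login credentials: open Internet access."""
        self.authenticated.add(ip_address(client_ip))

    def on_disconnect(self, client_ip: str) -> None:
        """Logout button pressed, or disconnect request from the WLAN AAA Database."""
        self.authenticated.discard(ip_address(client_ip))

    def decide(self, src: str, dst: str, proto: str, dport: int) -> str:
        """Classify one packet arriving on the WLAN-side interface."""
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if src_ip not in WLAN_CLIENTS:
            return DROP                  # not an address the DHCP server hands out
        if src_ip in self.authenticated:
            return ALLOW                 # redirection removed for this client
        if dst_ip == WEB_LOGIN and proto == "tcp" and dport in (80, 443):
            return ALLOW                 # the designated login destination
        if dst_ip == DNS_SERVER and proto == "udp" and dport == 53:
            return ALLOW                 # assumption: DNS permitted before login
        if proto == "tcp" and dport == 80:
            return REDIRECT              # browser redirection to the web-login page
        return DROP                      # default deny for unauthenticated clients


def demo() -> list[str]:
    """Walk one client through login and forced disconnect; returns the decisions."""
    ac = AccessController()
    client, internet_host = "10.250.2.50", "198.51.100.7"      # constructed
    out = [ac.decide(client, internet_host, "tcp", 80)]       # REDIRECT
    out.append(ac.decide(client, internet_host, "tcp", 443))  # DROP
    ac.on_auth_success(client)
    out.append(ac.decide(client, internet_host, "tcp", 443))  # ALLOW
    ac.on_disconnect(client)                                  # e.g. no credit left
    out.append(ac.decide(client, internet_host, "tcp", 80))   # REDIRECT again
    return out
```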
5 WLAN AAA Gateway
WLAN billing functionality is built into the WLAN AAA Gateway (i.e. WLAN Database). It is based on the AAA information flow from the WLAN Access Controller via the RADIUS server to the WLAN AAA Database, and vice versa.
The billing of WLAN users is based on triggering on the events of storing accounting records from the RADIUS server into the WLAN AAA Database. Triggering happens on three types of accounting records from the WLAN Access Controller client via the RADIUS server:
• Start Accounting;
• Interim Accounting;
• Stop Accounting.
In the WLAN AAA Gateway the following types of users are defined:
• PLMN/WLAN postpaid – these are existing PLMN postpaid users that will subscribe to the WLAN service as well;
• PLMN/WLAN prepaid – these are existing PLMN prepaid users that want to use the WLAN service and to be charged from their prepaid account;
• WLAN prepaid – these are WLAN users that have bought WLAN prepaid vouchers and have activated their WLAN account (this includes those that are not prepaid or postpaid subscribers of the mobile operator, as well as all subscribers of the mobile operator who want to use WLAN vouchers).
However, PLMN/WLAN postpaid and PLMN/WLAN prepaid users are treated in the same manner, because real-time charging for these users is done through the m-payment OCI system, which in turn communicates with the respective billing systems, i.e. the postpaid billing system for PLMN/WLAN postpaid users and the prepaid billing system for PLMN/WLAN prepaid users.
There are two types of charging defined in the WLAN AAA Database: time-based charging and volume-based charging. In the case of time-based charging the user is charged at the session start (triggered by the Start Accounting RADIUS record) in advance for the first time interval, and further during the session on every Interim Accounting record stored in the WLAN AAA Database by the RADIUS server at fixed time intervals (charging intervals). There is no charging of the user at the Accounting Stop message, because he will already have been charged at the previous Accounting message (either Start or Interim Accounting). In the case of volume-based charging the user is charged after each charging interval.
[Figure 4 (diagram): the RADIUS server performs the username/password check through the WLAN database access interface; the Authentication Procedure in the WLAN AAA Database checks/updates the WLAN user status and the voucher status and credit, using the database tables TJ_WLAN_USERS, TJ_TARIFFS, TJ_VOUCHERS, TJ_REQUESTS, TJ_PARAMS and TJ_ERROR_LOG]
Fig. 4. Authentication procedure in WLAN AAA Database
5.1 Authentication Procedure
The WLAN AAA Gateway has a role in the authentication process for any user that wants to log in to the WLAN network. For that purpose the RADIUS server communicates with the WLAN AAA Database and its Authentication procedure. The main tasks of the Authentication procedure are the following: validation of the username and password entered by the user through the Web-login interface, checking whether the user is online (ON) or offline (OFF), and handling the voucher’s status.
The communication between the RADIUS server and the Authentication procedure of the WLAN AAA Database goes through the WLAN database access interface, as shown in Fig. 4. RADIUS calls the Authentication procedure with the input parameters username and password, and receives a positive or negative result from the procedure.
Even when the username/password check is positive, the Authentication procedure returns a negative result to the RADIUS server in the following cases:
• Voucher is expired or has no credit;
• User is online, and fewer than two charging intervals have passed since the last RADIUS accounting record;
• User account cannot be charged due to an error in the system or due to a communication interruption between the WLAN AAA Database and the m-payment Merlin system.
[Figure 5 (diagram): a GSM/GPRS subscriber requests an OTP by SMS from the mobile phone; the SMS-Center passes the request to the WLAN database, which returns the OTP by SMS; the wireless client then logs in with MSISDN + OTP]
Fig. 5. Authentication of MM WLAN users by using OTP
5.2 Authentication with OTP (One Time Password)
WLAN PLMN users are authenticated with SMS-OTP (SMS One Time Password). A PLMN user, either postpaid or prepaid, requests an OTP by sending an SMS with the content “WLAN” to a predefined number in the PLMN’s SMS Gateway. The received SMS from the SMS Gateway is stored in the database via an OpenSMS system. This event fires a WLAN database trigger, which generates a One Time Password (OTP) and sends it to the user by SMS through the HTTP interface of the SMS Gateway. Alternatively, the SMS can be sent from the trigger by calling an OpenSMS function (via database link). The trigger generates the OTP as a random string.
The authentication process with SMS-OTP for WLAN PLMN users is shown in Fig. 5.
5.3 WLAN Billing System
WLAN billing functionality is built into the WLAN AAA Gateway (i.e. WLAN Database). It uses the AAA information flow from the WLAN Access Controller via the RADIUS server to the WLAN AAA Database, and vice versa.
The billing of WLAN users is based on triggering on the events of storing accounting records from the RADIUS server into the WLAN AAA Database. Triggering happens on each accounting record from the WLAN Access Controller client via the RADIUS server (i.e. Start Accounting, Interim Accounting, and Stop Accounting). All accounting messages are stored in the WLAN database.
[Figure 6 (diagram): WLAN usage by a PLMN/WLAN postpaid subscriber produces accounting data at the WLAN Access Controller and the WLAN RADIUS Server; the WLAN AAA server performs m-charging via the Merlin m-payment server; CDRs reach the Postpaid Billing System, which issues the monthly invoice]
Fig. 6. PLMN/WLAN postpaid accounting deployment solution
To integrate time-based and volume-based accounting, triggering is performed before the insert into the WLAN database. This is needed because, in the case of volume-based charging, a “trigger before insert” is required to check the amount already charged to the user’s account since the beginning of the session, so that the user can be charged accurately.
Billing for PLMN/WLAN postpaid
Billing the PLMN users for WLAN services is a matter of how accounting is handled, i.e. the process of gathering charging information about the user, processing it, and transferring the bill to the user.
There are two options for handling PLMN/WLAN postpaid users:
1. Using the SMS-OTP authentication for PLMN/WLAN postpaid users and real-time charging on the user’s account via m-payment OCI;
2. Charging an electronic voucher (e-voucher) to the user’s postpaid account by an external application, which at the same time generates the e-voucher in the WLAN Database by calling the appropriate WLAN Database function.
In this section we describe Option 1 from above, i.e. when the PLMN/WLAN user is authenticated using SMS-OTP authentication.
The deployment solution for PLMN/WLAN users, which includes WLAN Access Controller, RADIUS server, WLAN Database, SMS-Center through SMS Gateway, and PLMN Open Charging Interface (i.e. m-payment system), is shown in Fig. 6.
In the case of WLAN postpaid users the user should be charged for WLAN usage on his monthly invoice.
Billing for PLMN/WLAN prepaid
In the PLMN-WLAN network two types of prepaid users are possible: those with PLMN vouchers and those with WLAN vouchers. In this section we refer to the first type.
The difference between PLMN postpaid and prepaid users is made in the Open Charging Interface (m-payment system), which is a system external to the WLAN. For PLMN prepaid users the OCI requests credits in advance for WLAN usage from the PLMN prepaid account.
One should note that, as far as the WLAN Applicative Solution is concerned, there is no difference in the billing of PLMN/WLAN postpaid and PLMN/WLAN prepaid users.
Billing for WLAN prepaid
WLAN prepaid refers to prepaid users that are using WLAN vouchers. This category includes WLAN users that are not PLMN subscribers, but it may also include PLMN subscribers that use WLAN prepaid vouchers to access the WLAN network. In general, there is simply no limitation on who can be a WLAN prepaid user.
In the case of WLAN prepaid users, there is no intercommunication between nodes in the PLMN network and nodes in the WLAN segment. However, WLAN prepaid users share the same Internet access as PLMN/WLAN postpaid and PLMN/WLAN prepaid users.
Credentials (username and password) can be delivered to WLAN prepaid users in two different ways:
• Using electronic vouchers (e-vouchers);
• Using printed vouchers (i.e. scratch-cards).
As usual with prepaid vouchers, all voucher numbers or username/password pairs of the vouchers are recorded in the WLAN database. When a subscriber buys a voucher, he/she enters the credentials from the voucher into the Web-login page. Then the WLAN system checks the entered credentials, and if a match is found, the WLAN prepaid account is activated with a certain amount of credits (dependent upon the voucher type).
After successful authentication the user is granted access to the Internet. During the active session the user’s credit is updated at each RADIUS accounting record in the WLAN database, and the number of credits is reduced by a certain amount according to the usage of WLAN resources (either time- or volume-based charging).
For time-based charging, at each RADIUS accounting record in the WLAN Database the user’s credit is reduced by the amount that should be charged for the next charging time interval (that is, the RADIUS Interim Accounting time period). For example, for time-based charging with a charging interval equal to one minute, the user will be granted further usage of WLAN only when he has at least enough credits for another minute of usage. If the user does not have enough credits for the next charging interval, he/she will be disconnected by a disconnect request sent from the WLAN AAA Gateway directly to the WLAN Access Controller.
For volume-based charging of prepaid WLAN users, the user’s credit is charged after each charging interval, which differs from time-based charging. The charging is done after each Interim Accounting record and after the Stop Accounting record from the RADIUS server, because we cannot accurately estimate in advance the volume of data that will be sent/received by the user in the next charging interval.
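The charging rules and the authentication refusal cases of Section 5, modelled for the WLAN prepaid account as an added Python example (not the paper’s code; PLMN users charged through the m-payment OCI are outside the model); the one-minute charging interval, the kilobyte tariff unit and all field names are assumptions made for the example:

```python
"""Model of the WLAN AAA Database: authentication procedure and accounting trigger.

Added example, not the paper's code. Time-based charging debits one charging
interval in advance at Start and at each Interim record and nothing at Stop;
volume-based charging debits after each Interim and at Stop for the volume not
yet paid for in this session, which is why the trigger runs before the record
is inserted. Tariff values, units and field names are constructed.
"""
from dataclasses import dataclass

CHARGING_INTERVAL = 60      # seconds between Interim records (assumed: one minute)
KB = 1024


@dataclass
class Tariff:
    mode: str                       # "time" or "volume"
    credits_per_interval: int = 0   # time-based: price of one charging interval
    credits_per_kb: int = 0         # volume-based: price per kilobyte (assumed unit)


@dataclass
class WlanUser:
    password: str
    credit: int                     # remaining credit on the WLAN prepaid account
    tariff: Tariff
    voucher_valid: bool = True      # False once the voucher has expired
    online: bool = False
    last_acct_time: int = -10**9    # time of the last stored accounting record
    charged_octets: int = 0         # session volume already paid for (volume mode)


@dataclass
class AcctRecord:
    kind: str                       # "Start", "Interim" or "Stop"
    time: int                       # seconds
    octets: int = 0                 # cumulative session volume reported by WLAN-AC


class WlanAaaDatabase:
    def __init__(self, users):
        self.users = users          # username -> WlanUser (role of TJ_WLAN_USERS)
        self.records = []           # stored accounting records

    def authenticate(self, username, password, now):
        """Called by the RADIUS server; False is a negative result."""
        user = self.users.get(username)
        if user is None or user.password != password:
            return False
        if not user.voucher_valid or user.credit <= 0:
            return False            # voucher expired or no credit
        if user.online and now - user.last_acct_time < 2 * CHARGING_INTERVAL:
            return False            # still online, fewer than two intervals since last record
        return True

    def _volume_cost(self, user, octets):
        return octets // KB * user.tariff.credits_per_kb

    def store_accounting(self, username, rec):
        """Trigger before insert. Returns 'ok', or 'disconnect' to be sent to the WLAN-AC."""
        user = self.users[username]
        tariff, due = user.tariff, 0
        if tariff.mode == "time" and rec.kind in ("Start", "Interim"):
            due = tariff.credits_per_interval       # next interval is paid in advance
        elif tariff.mode == "volume" and rec.kind in ("Interim", "Stop"):
            # Cost of the whole session so far minus what was already charged:
            # exact even when individual intervals do not end on kilobyte bounds.
            due = self._volume_cost(user, rec.octets) - self._volume_cost(user, user.charged_octets)
            user.charged_octets = rec.octets
        result = "ok"
        if due > user.credit:
            result = "disconnect"                   # WLAN AAA Gateway tells the WLAN-AC to drop the user
            due = user.credit if tariff.mode == "volume" else 0   # volume was already consumed
        user.credit -= due
        user.online = rec.kind != "Stop"
        user.last_acct_time = rec.time
        if rec.kind == "Stop":
            user.charged_octets = 0
        self.records.append((username, rec))        # the insert itself
        return result
```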
6 Conclusion
In this paper we have described a design solution for PLMN-WLAN internetworking based on an integrated system for authentication and accounting. The developed applicative solution includes two additional network nodes for WLAN deployment by a mobile operator, namely the WLAN Access Controller and the WLAN AAA Gateway.
The WLAN Access Controller performs user access control from the WLAN side, and collects data on user activity, which are further used to charge the user for the service. The user interface for authentication purposes is the Web-login interface, which is controlled by the WLAN Access Controller. Integration between the WLAN segment and the PLMN is established via the WLAN AAA Gateway, which is capable of performing real-time charging for existing PLMN subscribers, either prepaid or postpaid, as well as charging WLAN prepaid users. The latter can be WLAN users with printed or electronic vouchers (e-vouchers).
The proposed system has already been tested in practice and is completely functional as designed.
Finally, the design solution described in this paper makes possible instant and low-cost deployment of a WLAN service by mobile operators.
References
[1] Alcatel, “Public Wireless LAN for Mobile Operators: WLAN beyond the enterprise”, White paper, 2003.
[2] M. T. Bostrom, A. Norefors, “Ericsson Mobile Operator WLAN”, Release 1 Technical Description, February 2002.
[3] Telia HomeRun, http://www.homerun.telia.com, accessed June 2004.
[4] BT Openzone, http://www.btopenzone.com, accessed June 2004.
[5] T-Mobile US, http://www.t-mobile.com/hotspot/, accessed June 2004.
[6] M. Buddhikot et al., “Integration of 802.11 and Third-Generation Wireless Data Networks”, Infocom 2003, San Francisco, USA, March 30 – April 3, 2002.
[7] Toni Janevski, “Traffic Analysis and Design of Wireless IP Networks”, Artech House Inc., Boston, USA, 2003.
[8] Intel, “Wireless LAN (WLAN) End To End Guidelines for Enterprises and Public Hotspot Service Providers”, Release 1.0, October 2002.
[9] IEEE 802.1X standard, “IEEE standard for local and metropolitan area networks – Port-Based Access Control”, July 2001.
[10] IEEE 802.1Q standard, “IEEE standard for local and metropolitan area networks – Virtual Bridged Local Area Networks”, May 7, 2002.
[11] Frank Ohrtman, Konrad Roeder, “Wi-Fi Handbook: Building 802.11b Wireless Networks”, McGraw-Hill, 2003.
[12] IEEE 802.1X standard, “IEEE standard for local and metropolitan area networks – Port-Based Access Control”, July 2001.
[13] J. Edney, W.A. Arbaugh, “Real 802.11 Security: Wi-Fi Protected Access and 802.11i”, Addison Wesley, July 2003.
[14] ETSI TS 101 393 – Digital cellular telecommunications system (Phase 2+); General Packet Radio Service (PLMN); PLMN Charging, 3GPP TS 12.15 version 7.7.0 Release 1998.
[15] C. Rigney, S. Willens, A. Rubens, W. Simpson, “Remote Dial-In User Authentication Service (RADIUS)”, RFC 2865, June 2000.
[16] C. Rigney, “RADIUS Accounting”, RFC 2866, June 2000.
[17] T. Janevski, “AAA System for PLMN-WLAN Internetworking”, Journal of Communications and Networks (JCN), Special Issue on “Towards the Next Generation Mobile Communications”, pp. 192-206, Volume 7, Number 2, June 2005.
Biography
Toni Janevski was born in Skopje, Republic of Macedonia, on October 15, 1972. He received the B.Sc. degree in Electrical Engineering and the M.Sc. and Ph.D. degrees in Electrical Engineering from the University “Sv. Kiril i Metodij”, Skopje, R. Macedonia, in 1996, 1999, and 2001 respectively. From 1996 to 1999 he was with the Mobimak GSM mobile operator in R. Macedonia. Since October 1999 he has been with the Faculty of Electrical Engineering in Skopje. From July 2001 to November 2001, he was at the IBM T.J. Watson Research Center, New York, USA. He has written the book ''Traffic Analysis and Design of Wireless IP Networks'', published by Artech House Inc. in 2003. He is an Assistant Professor at the Faculty of Electrical Engineering, University “Sv. Kiril i Metodij”, Skopje. His research interests are in wireless and mobile networks, Quality of Service, network planning and dimensioning, traffic theory and internetworking. He is a Senior Member of IEEE.