IEEE Communications Magazine • November 200182

Wireless LANAccess Network Architecture forMobile Operators

0163-6804/01/$10.00 © 2001 IEEE

ABSTRACT

The evolution of IP-based office applicationshas created a strong demand for public wirelessbroadband access technology offering capacity farbeyond current cellular systems. Wireless LANaccess technology provides a perfect broadbandcomplement for the operators’ existing GSM andGPRS services in an indoor environment. Mostcommercial public wireless LAN solutions haveonly modest authentication and roaming capabilitycompared to traditional cellular networks. Thisarticle describes a new wireless LAN system archi-tecture that combines the WLAN radio accesstechnology with mobile operators’ SIM-based sub-scriber management functions and roaming infra-structure. In the defined system the WLAN accessis authenticated and charged using GSM SIM.This solution supports roaming between cellularand WLAN access networks and is the first steptoward an all-IP network architecture. The proto-type has been implemented and publicly verifiedin a real mobile operator network.

INTRODUCTIONSeamless access to modern office tools is one ofthe most valuable assets for mobile business pro-fessionals today. Most corporate information sys-tems and databases can be accessed remotelythrough the Internet (IP) backbone, but the highbandwidth demand of typical office applications,such as large e-mail attachment downloading,often exceeds the transmission capacity of cellu-lar networks. Mobile professionals are lookingfor a public wireless access solution that couldcover the demand for data-intensive applicationsand enable smooth online access to corporatedata services.

Wireless local area networking (WLAN)radio technology provides superior bandwidthcompared to any cellular technology. The state-of-the-art Wi-Fi™ wireless LAN standard (IEEE802.11b) offers a maximum throughput of 11Mb/s over a license exempt 2.4 GHz frequencyband [1, 2]. The maximum data rate of a single

user in a public WLAN radio network is 11 Mb/s(typical 6.5 Mb/s), while a General Packet RadioService (GPRS) handset offers a data rate up to172 kb/s (typically 42 kb/s) and the third-genera-tion terminal up to 2 Mb/s (typically 144 kb/s).From the end users’ perspective the perfor-mance difference is huge, which makes WLAN acompetitive option to cellular data indoors.

Most WLAN terminals are laptops or PDAswith separate WLAN network adapters. Themarket analysts forecast a major growth ofWLAN PC card market in 2001. The WLANterminal business is gradually moving towardmore integrated devices; the leading high-endlaptop models shall have integrated wirelessLAN interfaces during 2001. Furthermore, theterminal category is expanding with WLANPDA phones and integrated PDA devices.

The business professionals’ desire for broad-band public data access and the rapidly growingWLAN terminal penetration create a fascinatingbusiness opportunity for mobile operators toextend their services to cover WLAN access.Today, there are about 50 million mobile laptopusers, of which 30 million also have GSM sub-scription [3]. WLAN can complement mobileoperators’ traditional wide-area GPRS and GSMservice portfolio by offering a cost-efficient wire-less broadband data solution indoors. Targetplaces for WLAN access services are airports,railway stations, hotels, business parks, andoffice buildings where most mobile laptop userstypically work.

The key question is how to utilize mobileoperator strengths: large GSM customer base,cellular infrastructure investments, and well estab-lished roaming agreements in operator WLANnetworks. The authors have been involved in thedevelopment of a new WLAN system architecturewhich is targeted to mobile operators. Thedefined solution, called an operator WLAN(OWLAN) system, combines GSM subscribermanagement and billing mechanisms with WLANaccess technology. The OWLAN enables IP roam-ing between different operator access networks.The operator WLAN solution is available for

Juha Ala-Laurila, Jouni Mikkonen, and Jyri Rinnemaa, Nokia Mobile Phones

WIRELESS LOCAL AREA AND HOME NETWORKS

IEEE Communications Magazine • November 2001 83

any wireless LAN terminal device that providesGSM SIM card reader and defined operatorWLAN signaling module. The reference systemwas implemented as part of the companyresearch project and was successfully piloted in areal mobile operator network in 2000. The obser-vations and learnings from the trial proved theusability of the concept, and the first commercialsystem was launched in July 2001 and has beensuccessfully piloted by several mobile operators.

This article describes the OWLAN architec-ture, main system components and their func-tionality. The focus is on the SIM basedauthentication, roaming and billing mechanisms.

OPERATOR WLANSOLUTION OVERVIEW

DESIGN OBJECTIVESThe future mobile operator network shall be acombination of several radio communicationtechnologies, such as GSM/GPRS, the third gen-eration radio access and wireless LAN. A singlesubscriber identity should be used in all accessnetworks to enable smooth roaming and seam-less service availability. The operator WLANsystem should maintain compatibility with theexisting GSM/GPRS core network roaming andbilling functions [4, 5], which minimizes thenumber of modifications in the GSM core equip-ment and the standardization effort needed. AGSM Subscriber Identity Module (SIM) is a nat-ural choice for WLAN subscriber managementsince it is widely deployed and enables roamingto existing GSM/GPRS handsets and networks.

In the first phase the focus of WLAN businessis on data applications. Thus, the OWLAN sys-

tem should be optimized for terminal initiated IPdata services, which reduces system complexity.The evolution to all-IP services in the wirelessLAN shall follow in the next step as mobile oper-ator all-IP service infrastructure is available.

To minimize the installation costs and com-plexity, the OWLAN should utilize the existingGPRS charging system. GPRS operators havedefined a mechanism for exchanging billing databetween operators’ networks [6]. The samemechanism should be used for transmittingWLAN charging records.

OPERATOR WLAN SYSTEM ARCHITECTUREThe OWLAN system architecture, depicted inFig. 1, consists of the public LAN access net-work and the cellular operator site, which com-municate over the IP backbone. The main designchallenge was to transport standard GSM sub-scriber authentication signaling [4] from the ter-minal to the cellular site using the IP protocolframework. One could call the resulting operatorWLAN architecture the first instance of a mobileoperator all-IP network.

The OWLAN system contains four key physi-

■ Figure 1. An overview of the operator WLAN system architecture.

SS7

Operator IPcore

GPRScharginggateway

Cellularoperator

site

Cellularoperator

core

1) Terminal authenticationto WLAN RAN with SIM

3) GSMauthenticationand chargingmessaging

2) SIM authentication anduser accounting signallingover IP

PublicWLANaccess

GPRSRAN

GSMbase

station

WLANterminalwith SIM

2,4 GHz11 Mb/s

WLANaccesspoints Access

controllerGGSN

SGSN

Authenticationserver

MSC/HLR

■ Table 1. OWLAN vs. GPRS network elements.

OWLAN GPRS Function

Authentication server (AS) SGSN User authentication, access billing

Access controller (AC) GGSN End point of IP packet network,IP address allocation

Access point (AP) BTS Radio coverage

Mobile terminal (MT) Mobile phone End-user device

IEEE Communications Magazine • November 200184

cal entities: authentication server, access con-troller, access point, and mobile terminal (Fig. 1).The system architecture resembles a GPRS net-work. Each system component has a counterpartin the GPRS network, as illustrated in Table 1.

The significant difference compared to theGPRS architecture is that in the OWLAN systemonly the control signaling data is transported to thecellular core. The access controller routes userdata packets directly to the IP backbone, which isused for accessing the public and private services.This architecture avoids the GPRS kind of roam-ing complexity since the user’s IP traffic does nothave to be carried via the cellular core to the homenetwork. Consequently, the operator WLANapproach decreases the load of the cellular core.

The subscriber authentication works as follows.First a WLAN terminal associates with a WLANaccess point, gets an IP address from the accesscontroller, and initiates the network authentica-tion by sending a dedicated authentication requestto the access controller (1). The access controllerrelays the authentication request to the authenti-cation server (2), which implements the gatewaybetween the access network and the GSM signal-ing network. The authentication server queries theGSM home location register (HLR) for theauthentication data and performs user authentica-tion using this information (3).

SYSTEM ELEMENTSFigure 2 depicts the main operator WLAN sys-tem elements and interfaces in more detail.

THE AUTHENTICATION SERVERThe authentication server is the main controlpoint of the OWLAN subscriber management. Asingle entity may support several access con-trollers and provide authentication and billing ser-vices for thousands of roaming users in differentaccess zones. The authentication server communi-cates with the access controller using RADIUS

authentication protocol [7], which is a de factoauthentication, authorization, and accounting(AAA) protocol in the IP industry. When theuser disconnects, the authentication serverreceives the accounting data from the access con-troller, converts it into GPRS billing format [6],and issues the ticket to the cellular billing system.

The authentication server hides the cellularinfrastructure from the access network. It pro-vides a gateway to the cellular core network ele-ments, namely the GSM home location register(HLR) and GPRS charging gateway. Theauthentication server sends standard GSMauthentication signaling to the HLR using theSS7 signaling network that connects variousoperator networks together. The cellular net-work identifies the user with GSM InternationalMobile Subscriber Identity (IMSI) code storedin the SIM card.

In the prototype system the authenticationserver has been implemented using a WindowsNT server platform that has been connecteddirectly to the Nokia Mobile Switching Centre(MSC). An IP-compliant vendor-specific protocolcarries the authentication requests from the AS tothe MSC. Figure 2 shows the applied configura-tion in which the MSC offers a redundant high-performance MAP interface and allows us tobalance the signaling traffic from the WLAN withnormal GSM signaling. In this setup WLANrequests can never block GSM signaling. Alterna-tively, the authentication server could be imple-mented with a native MAP interface.

A predefined bit pattern in the HLR sub-scriber service profile indicates the WLAN servicesubscription. The authentication server alwayschecks if the roaming user has subscribed to theWLAN service. In the future the service profilecould be extended to include, for example, thequality of service class of a WLAN subscriber.The current GSM standard does not define aWLAN service bit pattern, and the service profilebit interpretation rules are operator-dependent.

ACCESS CONTROLLERThe access controller provides an Internet gate-way between the radio access network and thefixed IP core. It allocates IP addresses to themobile terminals and maintains a list of theauthenticated terminals’ IP addresses. The ACacts as a traffic filter monitoring the address ofeach incoming or outgoing IP packet and discard-ing the packets that come from a nonauthenticat-ed terminal. The access controller separates themobile terminals using a terminal IP address anda unique WLAN link-layer-specific MAC address.The MAC address verification ensures that aduplicate IP address cannot simultaneously beused by a hostile user. The access controller gath-ers accounting information for billing purposes.The access controller prototype has been imple-mented using an IP router platform, more pre-cisely, Nokia IPSO IP330 series router.

THE WIRELESS LAN ACCESS POINTThe access point offers a wireless Ethernet linkbetween the mobile terminal and the fixed LAN.Access points are connected to the same LANwith the access controller. The access points areWi-Fi compliant and support the data rates of 1,

■ Figure 2. The elements of the OWLAN system.C

ellular operator

MAP

RADIUS

Multiple accessnetwork vendors

Multiple terminalcategories

WLAN accesspoint

Access operator m

obile user

HLR

Accesscontroller

Authenticationserver

MSC

Charginggateway

Billingsystem

WLAN accesspoint

WLAN accesspoint

IEEE Communications Magazine • November 2001 85

2, 5.5, and 11 Mb/s [1, 2]. The typical coveragerange of a single Wi-Fi access point is 50–100 mindoors. The coverage can be extended usingdirectional antennas and radio network planningtools. The access point offers a shared radiointerface. Consequently, the amount of activeterminals affects the perceived user data rate. Ifthere are no other terminals in the same accesspoint, a single user may use the complete 11Mb/s radio link. This is one significant differencefrom GPRS radio access [5].

MOBILE TERMINALOWLAN service is available for any terminal withWLAN radio access capability, a SIM reader, anda SIM authentication software module. The enduser may deploy either a WLAN card with anintegrated SIM reader or a WLAN card and anexternal smart card reader. Laptop vendors havealso indicated that some laptop models shall haveintegrated smart card readers in the future.

The OWLAN terminal may detect the correctroaming WLAN network by using predefined net-work profiles that contain the list of the roamingpartners’ radio network identifiers. When enter-ing a new location the terminal compares thenames of available WLAN networks with theroaming profile and associates to the correctWLAN. The operator may distribute the profiles,say, in a SIM card or using a Web server.

SYSTEM OPERATIONThe requirement to maintain compatibility withexisting WLAN devices and the cellular coreimplicitly lead to an architecture in which the nec-essary SIM specific signaling messages are trans-ported using the IP protocol. The IP approachmakes an OWLAN system independent of theWLAN standard and allows us to deploy thesame concept for future 5 GHz WLAN systems,such as IEEE 802.11 and HIPERLAN/2.

The functional division between the accesscontroller and the authentication server keeps the

complexity of the core network low. The comput-ing-intensive IP packet filtering and routing func-tions reside on the access network side where theprocessing load can be distributed among a num-ber of access controllers. This improves systemscalability and robustness. Figure 3 illustrates theresulting control plane architecture.

The core component of the mobile terminalsoftware is the Roaming Control module, whichoffers a graphical control user interface to roam-ing services. This module communicates with theSIM card. The operator WLAN-specific Net-work Access Authentication and AccountingProtocol (NAAP) protocol encapsulates GSMauthentication messages inside IP packets. TheNAAP utilizes a connectionless User DatagramProtocol (UDP) transport layer but includes aretransmission mechanism that ensures reliablerelay of the control messages.

The key component of the access controller isthe Access Manager which controls IP routingand collects accounting statistics. The RADIUSprotocol [7] carries SIM specific authenticationparameters inside vendor specific attributeswhile the accounting data is submitted usingstandard RADIUS accounting attributes [8].

The most important module in the authenti-cation server is the Authentication Controllerwhich handles the RADIUS authentication mes-sages and communicates with the GSM core.The Accounting module receives and stores theaccounting information from the access network.The Accounting module interfaces with theGPRS charging gateway using GTP’ billing pro-tocol [6]. There is no uniquely defined openGTP’ interface available, but rather there existsa combination of several GTP’ versions and vari-ous billing data formats. The authenticationserver offers an open FTP interface which canbe used for transferring the accounting datadirectly to various billing systems. The followingparagraphs describe the key system procedures,such as authentication, billing and secure accessto the corporate network in detail.

■ Figure 3. OWLAN control plane architecture.

802.11 802.11 Ethernet

IPIP

TCP UDP

Mobile terminal Access point

EthernetWANlink

UDP TCP

IP

Access controller

WANlink

TCP/UDP

IP

Authenticationserver

Auth.controller

RADIUS RADIUS

RADIUSauthentication

CDRtransmission

RADIUSaccounting

MAP link to HLR

IP-SIM authenticationsignaling

NAAP NAAPSIM

Roamingcontrol

GTP' GTP'

Ethernet

TCP/UDP

IP

Charginggateway

Ethernet

Accessmanager Accounting

IEEE Communications Magazine • November 200186

AUTHENTICATION

The core part of the operator wireless LAN sys-tem is the SIM-based authentication. The accesscontroller acts as a relay between the terminaland the authentication server. The authentica-tion sequence is as follows:

The first step is to activate the user terminalwith the personal identity number (PIN). TheSIM card and user identity are secured with PINcode protection. When the authentication phaseis started, the software prompts the user for thePIN code. This functionality is equivalent toGSM, and makes it impossible to use a stolenSIM card that has PIN query enabled withoutknowledge of the correct PIN code.

The phases of the SIM-based authenticationare illustrated in Fig. 4. The steps are numberedboth in the figure and in the text below. Initially,the terminal locates the access controller in thenetwork by sending a NAAP solicitation mes-sage to which the access controller replies (1).After receiving the IP address of the access con-troller, the terminal sends the initial authentica-tion request to the access controller, where theIMSI is encapsulated into the Network AccessIdentifier (NAI) (2). NAI is a well-known partof the standard IETF AAA framework [9]. Thedomain part of the NAI identifies the homeoperator domains, e.g. IMSI@operator.com.The access controller and RADIUS infra-structure use the domain part for relaying theauthentication request to the correct authentica-tion server (3).

The authentication server requests GSMtriplets from the home location register using

an MSC connection (4). Then the authentica-tion server sends the GSM RAND to themobile terminal along with a message authenti-cation code calculated over the RAND (5, 6).The message authentication code authenticatesthe cellular network to the terminal, enablingmutual authentication. The terminal calculatesthe message authentication code and comparesit to the one it received from the network (7).If the calculated message authentication codedoes not match with the received one, the ter-minal can suspect a fraudulent service and stopanswering the authentication request. Thismechanism makes it impossible for an attackerto gather RAND and SRES pairs from theIMSI, and thus makes it impossible to find outthe secret key Ki stored on the SIM card. Themessage authentication procedure utilizes theHMAC mechanism presented in [10]. Next theterminal calculates the signed response (SRES)using the algorithms stored on the SIM cardand also calculates a message authenticationcode over the SRES (8).

The terminal sends the response to the accesscontroller which relays it to the authenticationserver (9, 10). The authentication server verifiesthe response by calculating the similar messageauthentication code over the SRES (11). Theauthentication server sends the result code of theauthentication to the access controller (12). If theauthentication was successful, the access con-troller sends the authentication server an indica-tion that a new accounting session has beenstarted (13). Finally, the access controller enablesrouting for the terminal data packets, and sendsthe acknowledgment to the terminal (14, 15).

■ Figure 4. The SIM-based authentication sequence.

AC address solicitation andadvertisement

MT:

AC_MT_AUTHSTART_RESP (RAND, MAC_RAND)

AC_MT_AUTHANSWER_RESP (result)

MT_AC_AUTHSTART_REQ (IMSI,nonce)AC_AS_AUTHSTART_REQ (IMSI,nonce)

AS_MSC_GETTRIPLETS_REQ (IMSI)

MSC_AS_GETRIPLETS_RESP (triplets)

AC_AS_AUTHANSWER_REQ (MAC,SRES)

AC_AS_STARTACCOUNTING_REQ

AS_AC_AUTHSTART_RESP (IMSI,nonce)

AS_AC_AUTHANSWER_RESP (result)

AS_AC_STARTACCOUNTING_RESP

MT_AC_AUTHSTART_REQ (MAC_SRES)

1

2

6

3

4

5

7

9

AC: AS: MSC:

MT verifies MAC_RAND

AS verifies MAC_SRES

8 MT generates MAC_SRES

MT checks result

11

12

13

14

10

15

IEEE Communications Magazine • November 2001 87

The authentication procedure may be abort-ed due to the following reasons: the IMSI is notknown in HLR, the WLAN service has not beensubscribed, the access operator does not supportroaming of the specific IMSI, or the authentica-tion server does not receive the triplets from theHLR. In these cases, the terminal remainsnonauthenticated and the access controller doesnot route the IP traffic of the terminal.

During the authentication sequence theauthentication server sends the terminal and theaccess controller a session lifetime value, whichindicates how long the authenticated session isvalid. When the session lifetime expires in theaccess controller or the terminal disconnects, theaccess controller closes the terminal’s connec-tion. It also notifies the authentication server,which closes the accounting session for the ter-minal. The terminal must initiate a reauthentica-tion sequence before the session lifetime expires,if it wishes to continue the session. The reau-thentication procedure allows the operator togrant an access that is valid only for a certainperiod. This is a useful feature for prepaid sys-tems as well as for environments where chargingcould be bound to certain access times. This alsoallows the operator to authenticate the terminalperiodically during an active session just like inthe GSM system.

ACCOUNTING AND BILLINGThe access controller monitors the data trafficand periodically sends the traffic statistics infor-mation to the authentication server. The follow-ing accounting methods are supported:• Time-based: connection start time and end

time are recorded• Volume-based: the amount of transferred

data is recorded• Flat rate

The authentication server converts the account-ing data to standard GPRS charging data record(CDR) format. WLAN CDRs are marked with aWLAN-specific identifier code. More details onthe CDR format can be found in [6].

The authentication server verifies thereceived accounting data related to an authenti-cated terminal (IMSI). This ensures that charg-ing records are not generated for a connectionthat has not been properly authenticated. Fur-thermore, accounting data is protected usingthe shared secret mechanism in RADIUS pro-tocol [7]. This mechanism prevents fraudulentinsertion of accounting data in the IP networkside since the access controller and authentica-tion server that share the secret key notice ifthe data has been altered during transmission.The shared secret key is entered in the accesscontroller and authentication server during sys-tem configuration. The transferred data canalso be encrypted using IP Security (IPSEC)protocol [11] between access controller andauthentication server.

Finally, the authentication server delivers thegenerated CDRs to the charging gateway orbilling system. The explicit rules according towhich the connection is eventually billed areconfigured in the back-end process of the opera-tor billing system.

ROAMING TO FOREIGN WLAN NETWORKSMobile operator consortia have the infra-structure and the culture to support roamingbetween different access networks as well asbetween operator networks. Unlike most Inter-net service providers, mobile operators have theinfrastructure and the culture to support roam-ing between different access networks as well asbetween operator networks. The mobile opera-tors have agreed on how to exchange the authen-

■ Figure 5. WLAN roaming to a foreign operator network.

4) Billingdataexchangeas in GSM

3) Billing info storedto GPRS/GSM billingsystem

2) Authenticationto HLR usingMAP

1) SIM authentication

signaling

Roaminguser,

operator ASIM

2,4 GHz11 Mb/s

WLANRANWLAN

accesspoints

WLANaccesspoints

Internetcore

HLRB

HLRA

SS7

Operator AIP

network

Cellularoperator AGPRS core

Cellularoperator BGPRS core

Operator BIP

networkAccesscontroller

Accesscontroller

Auth.server

Auth.server

Charginggateway

Billingsystem

Charginggateway

Billingsystem

IEEE Communications Magazine • November 200188

tication and accounting data between the roam-ing and the home operatotr. The existing opera-tor billing systems are also capable of exchangingaccounting information with each other. Figure 5illustrates how the operator-to-operator roamingscenario works in the operator WLAN system.

First, the roaming mobile terminal associ-ates to the foreign operator WLAN networkand initializes authentication by sending anauthentication request to the access controller,which relays it to the authentication server (1).The authentication server analyzes the IMSIand verifies that the operators have a validroaming agreement for WLAN services. Next,the authentication server sends the authentica-tion query to the correct HLR using the GSMSS7 network (2) [4]. The corresponding HLRresponds with user profile and authenticationtriplets, and the authentication procedure iscompleted in a normal way. After the terminaldisconnects, the authentication server sendsthe charging record to the foreign operator’sbilling system (3). The IMSI code indicatesthat the CDR is generated for a roaming ter-minal. The operator billing systems regularlycommunicate with each other, and exchangeGSM/GPRS and WLAN-specific billing recordsgenerated by roaming users. Using this mecha-nism the foreign operator ’s bil l ing systemrelays the WLAN CDR to the user ’s homeoperator billing system, which finally submitsthe end-user bill (4).

SECURE REMOTE ACCESS FORCORPORATE USERS

The target customers of the operator wirelessLAN service are mobile business users who usewireless LAN extension to access the corporatenetwork. In order to guarantee the privacy ofbusiness-critical information, an end-to-endencrypted connection needs to be establishedbetween the terminal and the corporate network.Typically this is provided using a virtual privatenetworking (VPN) server in the corporate net-work side and a corresponding VPN client soft-ware in the remote terminal [11]. The usabilityof the remote access may further be improved by

storing the VPN authentication certificate in theSIM. This makes it possible to protect the VPNkeys and to launch seamless VPN authenticationafter SIM-based authentication to the accessnetwork. In this approach the operator couldoffer both VPN and access service in close coop-eration with the corporate information manage-ment department.

A few VPN clients support only the use ofroutable IP addresses instead of private IPaddresses. This is a common constraint for allremote access services as the operator has toallocate a large number of routable IP addressesfor roaming users. The operator WLAN archi-tecture requires the usage of modern VPN prod-ucts with private addressing support, whichimproves the scalability and usability of the pub-lic WLAN access system.

SCALABILITY ANDSYSTEM ROBUSTNESS

The mobile operators have extremely high errortolerance and resilience requirements for thenetworking infrastructure. To meet theserequirements the operation of the access point,the access controller and the authentication serv-er must be reliable and the system has to offersufficient redundancy characteristics.

The critical part of the operator WLAN sys-tem is the fault tolerance of the authenticationserver since a single AS may serve several radioaccess networks and tens of thousands of mobileusers simultaneously. A minimum installation ofthe operator WLAN consists of two authentica-tion servers. Fault tolerance of the authenticationserver is supported using standard RADIUSproxy infrastructure, depicted in Fig. 6. Theaccess controller is connected to both proxies, onebeing the primary and the other the secondaryRADIUS proxy. If the authentication server doesnot reply to the access controller’s messages, theaccess controller sends the message to the sec-ondary RADIUS proxy, which relays the mes-sages to the secondary authentication server.Consequently, redundant IP routing infrastructureand RADIUS proxies ensure seamless switching

■ Figure 6. Using RADIUS proxies for system redundancy.

Billingsystem

Charginggateway

MSC/HLR

GTP'

SS7Authentication

IPbackbone

Primary AS

Secondary AS

Public WLANRAN

WLANaccesspoint

Radiusproxy

WLANAS1

Cellularbackbone

WLANAS2

Accesscontroller Radius

proxy

IEEE Communications Magazine • November 2001 89

between the authentication servers in the case ofan error. This approach allows the mobile opera-tor to increase the system capacity by addingmore authentication servers to the network. Itmust be noted that only interoperability-testedproxy servers should be deployed.

The risk of losing accounting data is mini-mized by updating it periodically to the authenti-cation server. The operator may further improvesystem robustness by installing a secondaryaccess controller which is used if the primaryaccess controller is broken or under heavy load.The access controller platform also monitors itsinternal functionality. If the platform is notworking correctly it shall send alarms to the net-work management system and/or automaticallyreboot.

The redundancy of the access point is notextremely critical. If an access point is not function-ing well it shall turn its radio off, after which theterminal automatically roams to a new access point.

SUMMARY AND CONCLUSIONSThe increasing amount of roaming data users andbroadband Internet services has created a strongdemand for public high-speed IP access with suffi-cient roaming capability. Wireless LAN systemsoffer high bandwidth but only modest IP roamingcapability and global user management features.

This article describes a system that efficientlyintegrates wireless LAN access with the widelydeployed GSM/GPRS roaming infrastructure.The designed architecture exploits GSM authen-tication, SIM-based user management, andbilling mechanisms, and combines them withpublic WLAN access.

With the presented solution cellular opera-tors can rapidly enter the growing broadbandaccess market and utilize their existing sub-scriber management and roaming agreements.The OWLAN system allows cellular subscribersto use the same SIM and user identity forWLAN access. This gives the cellular operator amajor competitive advantage over ISP operators,who have neither a large mobile customer basenor a cellular kind of roaming service.

The designed architecture combines cellularauthentication with native IP access. This canbe considered the first step toward all-IP net-works. The system proposes no changes toexisting cellular network elements, which mini-mizes the standardization effort and enablesrapid deployment. The reference system hasbeen commercially implemented and successful-ly piloted by several mobile operators. TheGSM SIM-based WLAN authentication andaccounting signaling has proved to be a robust

and scalable approach that offers a very attrac-tive opportunity for mobile operators to extendtheir mobility services to also cover indoorwireless broadband access.

REFERENCES[1] IEEE Std 802.11b, “Supplement to ANSI/IEEE Std

802.11, 1999 Edition, IEEE Standard for Wireless LANMedium Access Control (MAC) and Physical Layer (PHY)Specifications,” PDF: ISBN 0-7381-1812-5, Jan. 2000.

[2] Wireless Ethernet Compatibility Alliance, http://www.wirelessethernet.org, June 2001.

[3] IDC Personal Computer bulletin, “Worldwide PortablePC Forecast Update 1999-2003,” doc. 21555, Feb.2000.

[4] M. Mouly and M. Pautet, “The GSM System for MobileCommunications,” 1992, p. 701.

[5] J. Hämäläinen, “Design of GSM High Speed Data Ser-vices,” Ph.D. thesis, Tampere Univ. of Technology, Aug.1996.

[6] ETSI TS 101 393, “Digital Cellular TelecommunicationsSystem (Phase 2+); General Packet Radio Service(GPRS); GPRS Charging,” v. 7.6.0.

[7] C. Rigney et al., Remote Authentication Dial In User Ser-vice (RADIUS), IETF RFC 2865, 2000.

[8] C. Rigney, “RADIUS Accounting,” IETF RFC 2866, 2000.[9] B. Aboba and M. Beadles, “The Network Access Identifi-

er,” IETF RFC 2486, 1999.[10] H. Krawczyk, M. Bellare, and R. Canetti, “HMAC:

Keyed-Hashing for Message Authentication,” RFC 2104,1997.

[11] D. Fowler, Virtual Private Networks — Making theRight Connection, Morgan Kaufmann, 1999.

BIOGRAPHIESJUHA ALA-LAURILA (juha.ala-laurila@nokia.com) received hisM.Sc. degree in telecommunications from Tampere Univer-sity of Technology in 1997. He has been with Nokia since1995. He has been involved in the development of variouswireless broadband data services both in the Nokia MobilePhones and in Nokia Internet Communications. BetweenSeptember 1995 and October 1998, he worked as theworkpackage leader in the Magic WAND (Wireless ATMNetwork Demonstrator) project, which was the EuropeanUnion funded activity within the Fourth Framework pro-gramme called Advanced Communications Technologiesand Services (ACTS). In June 1998 he was nominated tech-nology officer within Nokia. In this position he managedresearch and development activities related to wireless LANquality of service, security, and IP mobility. Between 1999and 2001 he has been responsible for development on theNokia operator WLAN system.

JOUNI MIKKONEN received his Ph.D. degree in telecommuni-cations from the Technical University of Tampere in 1999.He has been with Nokia since 1992. He has been involvedin the development of GSM network and new data servicesat both Nokia Telecommunication and Nokia MobilePhones. Between September 1995 and October 1998 heworked as technical manager of the Magic WAND project,which was the European Union funded activity within theFourth Framework programme called ACTS. In April 2000he was nominated senior technology manager of wirelessbroadband technologies within Nokia.

JYRI RINNEMAA received his M.Sc. degree from the TampereUniversity of Technology, Finland, in 1999. He joined Nokiain 1997. From 1999 tp 2001 he has been involved in thedevelopment of the wireless LAN networking security fea-tures and mobile operator wireless LAN system solutions.

The designed

architecture

combines cellular

authentication

with native

IP access.

This can be

considered as the

first step toward

All-IP networks.