This repository has been archived by the owner on Apr 9, 2024. It is now read-only.

Extension of Magma to support EAP-TLS for WiFi Authentication #7

Open
behrady opened this issue Nov 9, 2021 · 11 comments

Comments

@behrady

behrady commented Nov 9, 2021

Overview

Currently Magma supports Carrier WiFi solutions based on EAP-SIM/AKA authentication. Although Magma simplifies the Service Provider and Mobile Operator integration, the solution still requires integration to MNOs' core networks, which typically requires several months if not years of work. We propose a Magma extension to support EAP-TLS, which simplifies and decouples authentication by avoiding complex 3GPP-based integration to a mobile core but still provides the same level of seamless and secure authentication. We will present real use cases from MNOs and Innovators that can greatly benefit from Magma supporting EAP-TLS, which can accelerate building out “augmented networks” that can expand network coverage and capacity quickly, simply, and affordably. We will also provide high-level end-to-end requirements needed for this project to be successful.

Current Magma WiFi support

Magma’s current WiFi authentication support is based on EAP-SIM/AKA and reuses credentials stored on a device's SIM card. Magma integrates to an MNO’s network using the Federation Gateway. The Federation Gateway talks to existing core elements such as HLR/HSS/OCS/PCRF, etc., over standard 3GPP interfaces. On the Service Provider or ISP side, Magma deploys a CWAG to facilitate secure EAP-AKA/SIM authentications and local breakout. This approach has two challenges that we will address with our EAP-TLS approach:

  • Complex MNO Integration (core to SIM or eSIM based authentication) over a 3GPP interface: This integration is simplified using Magma's FeG; however, integration of a new element in an MNO’s network usually takes a long time due to technical and non-technical requirements. This is particularly important in one-to-many or many-to-many deployments where there is no incentive for ISPs to integrate into the augmented network until an MNO is part of it.
  • No support for devices without a SIM card (or eSIM): Since the credentials used for EAP-AKA/SIM are issued by an MNO and stored inside the SIM card, devices without a SIM card (PCs, tablets, etc.) are not supported. As we can see in some of the use cases, this is very important.

Project Context

Current network augmentation approaches require extensive design, planning, and negotiation with Mobile Operators, Service Providers, Venues, and other Third Parties, which is complex, takes months to negotiate contracts, and ends up costing a lot of money. This approach results in internal Mobile Network Operator (MNO) debates on “Build vs Rent” and, without a viable “Rent” option, “Build” usually wins out. Further, even with “Build” approaches, today’s network capacity is fixed from a user’s perspective and there is no way for an end user, application, or device to request additional capacity in near real-time, for example for a high-bandwidth, low-latency application that ends up running over a low-performance user link.

Owing to these severe limitations, today Mobile Operators are unable to offer end-2-end QoE on-demand to their subscribers. They offer "all-you-can-eat" data plans but heavily rely on a subscriber's home and work Wi-Fi offload to balance their peak capacity budgets and may risk falling short for performance SLAs. In addition, there are limited options for Operators to switch to a public Wi-Fi hotspot or service, and solutions may require captive portal login, have reliability and performance issues, and may be insecure and untrusted.

These limitations, especially as unlimited plan market adoption accelerates, force MNOs to spend billions of dollars on augmenting their network infrastructure with cellular technology vs. leveraging Wi-Fi, since there are no viable cost-effective and low-complexity alternatives to utilize existing Wi-Fi capacity. This puts tremendous pressure on Operator business models and infrastructure as the Cellular / Wi-Fi usage almost always sways towards Cellular, despite being an expensive proposition. All this is occurring in an ever-increasingly competitive market environment with even more challenges on monetizing network investments.

A new approach is to enable Capacity-as-a-Service (CAPaaS) as an end-2-end trusted and comprehensive model that can be rolled out super-fast by MNOs and allow them to leverage existing unlicensed (or loosely licensed) network capacity through a single point of integration on each network thus eliminating complex core integration.

This approach makes network augmentation between heterogeneous networks totally viable, cost-effective, and end users can potentially access capacity whenever they want and wherever they need, with assured QoE.

In 1H/2021, an initial PoC was implemented, tested and demonstrated in a 1:N model (1 MNO : N ISPs) between the TIP Menlo Park lab and the DT Germany lab with QoS and Pricing policy enforcement. Shown in this video, a mobile subscriber-provisioned UE connected to an LTE network walks into a location with an ISP’s Wi-Fi access points (APs). Scenario: The UE recognizes the trusted AP and the intelligent traffic agent on the UE monitors QoS to assure that the users' QoE objectives from the MNO’s subscriber SLA are met. As long as the contract terms are met, the UE seamlessly transitions to the augmented Wi-Fi network and the blockchain stores usage metrics for accounting and automated reconciliation and clearing later.

For this Proposal, the goal is to implement EAP-TLS Authentication within Magma to simplify connecting to WiFi Capacity Providers which is critical to establishing the Capacity as a Service (CAPaaS) Ecosystem. In the first phase, SIM authentication was utilized but was deemed not practical for a production system (requires physical SIM distribution and dual SIM devices). An EAP-TLS auth approach was decided as the best to help accelerate the CAPaaS adoption, simplify deployment, and provide operations flexibility for commercialization. From past experience with MNOs/MVNOs in connection management EAP-TLS was the preferred method.

Proposed Final deliverable for the project:
The final deliverable for this project will be to conduct a field trial of the EAP-TLS Auth capabilities in Magma and to evaluate the solution end-2-end ease of integration and system performance in real-world environments. Helium/Freedom Fi and DT also said they will need EAP-TLS auth capabilities for their WiFi initiatives.

Any legacy or other codebases
For initial validation and prototype we will utilize FreeRadius: https://github.com/FreeRADIUS
For AP we will use OpenWRT: https://openwrt.org/docs/guide-user/network/wifi/wireless.security.8021x

For the Mobile client(Android/iOS) we might utilize some OpenSchema legacy gRPC and mTLS implementation: https://github.com/magma/openschema

List if any specific IP licenses utilized: None contemplated at this time.

System Design

There are two main flows/processes to be implemented:

  1. EAP-TLS process flow
  2. Identity Verification and PKI infrastructure for certificate issuance and delivery.

EAP-TLS

EAP-TLS is an 802.1X-based authentication method, specified by RFC 5216, and uses a secure TLS handshake to authenticate users to the WiFi network. EAP-TLS is one of the most secure authentication methods and is recommended, endorsed or used by the WFA (HS2.0), by the GSMA for WiFi roaming and by 3GPP for integration of non-3GPP elements to WLAN. Eduroam is an example of a global WiFi network based on EAP-TLS with thousands of locations and millions of daily users.

The figure below shows the typical EAP-TLS process (from [5]).

[Figure: typical EAP-TLS process flow (screenshot from [5])]

There are two main processes for an EAP-TLS Implementation:

  • Out-of-band certificate management: In this process, the identity of the client (UE, supplicant or peer) is verified via its Identity Provider, and then a client certificate is signed, issued and delivered to the client.
  • EAP-TLS: the main EAP process, in which a supplicant uses the certificate to mutually authenticate itself with the Authentication Server.

In the proposed design, the following components can be used to extend Magma and implement the EAP-TLS process:

  1. A user space application on the Client’s device will be used to verify the user's identity, receive/store/update client certificates, receive profiles and policies, and find and suggest WiFi connections.
  2. Magma Orc8r/Cloud element can function as the Authentication Server.
  3. Magma CWAG or an AP with embedded CWAG can provide functionality for secure RADIUS communication and facilitation of the EAP process.
  4. Magma FeG can provide a proxy for Identity verification as well as an integration point to an external certificate management system.

Identity Verification and PKI infrastructure for certificate issuance and delivery

On the client, the OpenSchema SDK will be extended to add the Authentication and Onboarding Layer, from the UE CAPaaS feature stack, for EAP-TLS:

[Figure: UE CAPaaS feature stack with the Authentication and Onboarding Layer]

Tech Stack

  • EAP-TLS will be implemented as specified in RFC5216 https://datatracker.ietf.org/doc/html/rfc5216
  • Initial EAP-TLS flow validation will be based on FreeRADIUS as a reference model, which will also help build unit tests to make development more productive.
  • Everything else will be implemented inside Magma and will follow the same process and tech stack as Magma.

Use Cases (User Stories)

Currently there are multiple planned and active projects that will benefit from EAP-TLS support by Magma:

San Diego Promise Zone (SDPZ):

San Diego Promise Zone is one of 22 US federally assigned HUD Promise Zones in the nation, with 30% of the population under- or unconnected. Currently, Shoelace Wireless is working with UCSD and the Qualcomm Institute, CENIC, Dish, Intel, Montage Connect, and FBC to conduct a Fixed Wireless Access pilot project in the zone. CENIC, which in addition to having a vast network of fiber connectivity in CA (8000 miles of fiber with Internet backhaul connected to 12,000 sites as part of the CALREN network), is responsible for the recently approved $3 billion CA State budget for middle-mile broadband expansion and plans to use this project as an “early win” for the State per CALREN’s CEO. The Fixed Wireless Access network will be powered by Magma. In order to augment the coverage and serve more people, we are planning to augment the network by distributing FWA over WiFi. Since delivering SIM cards is not feasible, the only secure way for clients (mobiles, tablets, PCs, etc.) to authenticate on the network will be EAP-TLS.

Helium/FFi/Dish:

Helium and FreedomFi are building a Magma-powered 5G network over unlicensed CBRS spectrum. They are creating a vast distributed wireless network that is community built and rewards the builders with Helium cryptocurrency. Soon the network will be expanded to WiFi per Helium and FreedomFi discussions. EAP-TLS supported by Magma makes it possible for end users to get on the “People’s WiFi Network” simply by downloading an app. Getting more users on this network faster (e.g., not waiting for a SIM card to be delivered or provisioned) means more rewards and incentives for community network providers and faster expansion of the network.

0Chain:

0Chain has a similar approach to Helium/FFi, but they are focused only on a WiFi network powered by Magma and 0Chain’s blockchain technology. They have been working with Shoelace Wireless, TIP Lab, DT, and Facebook Connectivity (Shah and Evgeniy) on a blockchain-based augmented network and need TLS for field trials.

DT:

DT has been a big proponent of Magma as an open source converged core solution. As part of their 5G strategy, DT has a #1 initiative to roll out a home converged gateway solution (a CGW with fixed line and fixed wireless backhaul) for home office worker connectivity continuity. CGW provides better and more reliable connectivity for consumers while at the same time enables new revenue streams and monetization opportunities for DT. Each CGW box can also provide a roaming SSID as an augmented and offload network for DT’s mobile consumer. DT states that EAP-TLS is the preferred authentication method for their WiFi onboarding. At Shoelace Wireless, we are currently working with DT on testing our CGW solution and moving to production deployment. Our CGW solution, with Magma EAP-TLS added and bundled with our Smart Connectivity Agent on Mobile Phone, will provide Improved QoE, Seamless offload and Always Best Connected Solutions to DT consumers.

UCSD and Other UCs:

UCSD provides free WiFi to students, faculty and staff. This is technically a zero-cost roaming network for MNOs and MVNOs. Implementing a Magma-powered CAPaaS for UC system campuses can potentially provide a meaningful revenue stream for universities per UCSD’s CIO. By avoiding the complications of integrating with MNOs for SIM-based authentication and by enabling non-SIM devices to connect, Magma with EAP-TLS can turn campus WiFi networks into a secure roaming augmented network for over 400k daily UC users (which is almost 2x LAX daily visitors).

Key Product Requirements

Magma EAP-TLS will be implemented on two main components:

  • Client SDK/App: to be deployed on UEs.
  • Magma: Access Gateway, Orc8r/Cloud, FeG

Following is the list of key requirements for each component:

Req | Component | User Story/Use Case
Client must be able to securely download TLS certificates | Client | All
Client must provide a way for the end user to verify their identity with identity provider | Client | All
Client must be able to find and connect/suggest connection to supported WiFi networks | Client | All
Client must be able to update and manage TLS certificates | Client | All
Magma must provide a method to verify users' identities | Magma | All
Magma must implement a secure method to issue/deliver and update TLS certificates | Magma | All
Magma must implement Authentication Server for EAP-TLS process | Magma | All
Magma must add EAP-TLS support to existing Radius server | Magma | All

Project Plan/Roadmap

(A) Client Tasks (Initial focus will be on Android client to perform e2e system validation)

  • (A0) Review Client EAP-TLS Flow
  • (A1) Design EAP-TLS UE Flow Model and Requirements (UE Cert/Profile Download and Management, Find and Connect/Suggest WiFi)
  • (A2) Design and Build EAP-TLS (CAPaaS) AuthSDK
  • (A3) Design and Build UI/UX EAP-TLS Auth PoC App
  • (A4) Test and Modify SDK and App

(B) Server Tasks

  • (B0) Review FreeRadius EAP-TLS Flow for Magma Design/Implementation
  • (B1) Design and Build and Test Magma EAP-TLS Baseline PoC
  • (B2) Start Engineering Testing of PoC
  • (B3) Design Magma Architecture for EAP-TLS based on PoC(Cert Infrastructure, Identity Management, & Secure Radius and Accounting)
  • (B4) Dev and Test Magma EAP-TLS (Engineering Field Test PoC Candidate), Cert Infrastructure, Identity Management, & Secure Radius and Accounting

(C) E2E Test and Engineering Field Trial of Magma based EAP-TLS PoC

  • (C0) Integrate and Test with Client
  • (C1) Embedded AP CWAG (Non Embedded CWAG Test by TIP Lab)

(D) General Tasks

  • (D0) Conduct project kick off and Finalize use cases, solution rqmts, and project schedule
  • (D1) Document and Update Magma Repo
  • (D2) Project Management

Milestones

Project will have the following deliverables:

  • MS1: Complete project kick-off and use cases, solution rqmts, and project schedule doc consistent with Magma's contribution process, reviewed and accepted by Magma TSC. (Tasks: A0, B0, D0). 420 SWE hours.
  • MS2: Complete UE EAP-TLS Flow Design and Design/Build/Test Server EAP-TLS Flow for Magma Baseline PoC with Unit tests, submitted as pull request and reviewed by Magma Codeowner. (Tasks: A1, B1). 1050 SWE hours.
  • MS3: Complete Design/Build/Test of EAP-TLS AuthSDK and PoC App, and Complete Engineering Test of Baseline EAP-TLS Client/Server PoC with Unit tests, submitted as pull request and reviewed by Magma Codeowner. Complete Design of Magma EAP-TLS Architecture based on PoC. (Tasks: A2-4, B2, B3). 1512 SWE hours.
  • MS4: Complete Dev/Integration Test of Magma EAP-TLS (Engineering Field Test PoC Candidate) with Unit tests, submitted as pull request and reviewed by Magma Codeowner.
    Complete e2e Engineering Field Trial of Magma EAP-TLS Client/Server PoC Candidate.
    Complete Project Documentation and Magma Repo Updates.
    (Tasks: B4, C0-1, D1-2). 1218 SWE hours.

Test Plan

The following tests will be performed:

  • Unit Testing Magma, Client and AP components
  • Compliance with Magma Regression and CI requirements
  • Full end-to-end verification of the EAP-TLS flow in the lab
  • Field trial of the feature with FWA and Augmented Networking

Team Bio

Lead Architect/Dev and Magma Code owner
https://github.com/emakeev

Dev/Test Team:
https://github.com/behrady
https://github.com/emakeev
https://github.com/echiang07
https://github.com/BioZrod
https://github.com/SebastianJM

Bios:
https://www.linkedin.com/in/behrady/
https://www.linkedin.com/in/eduardo-chiang/
https://www.linkedin.com/in/sebasjmdlc/
https://www.linkedin.com/in/jimains/ (Biz Contact)

Project Management:
https://www.linkedin.com/in/jovanyfunes/

Repos:
https://github.com/magma/openschema
https://github.com/shoelacewireless

Shoelace Past Magma Contributions

Shoelace has been working on Magma since early 2019 on projects relating to WiFi offload and Augmented Networks with Deutsche Telekom and other Eco-System Parties. We created and open sourced our data collection agent into Magma (called OpenSchema) which provides critical network metrics for planning and QoE assessment for traffic steering decisioning.

Grant Proposal Criteria Checklist:
✔ Implements or extends features or functionalities of Magma or Magma related Open Source software.
Yes. EAP-TLS Auth is critical for enabling and simplifying Augmented Networking and increasing Magma functionality and adoption.
✔ Fits Magma Interests Areas 1 & 3
1: Support for outbound roaming of Magma subscribers
3: Support for handoff between Magma AGWs and non-Magma 3gpp compliant networks
✔ Timeframe: up to 12 months to Proof of Concept. Yes (~ 7 months)
✔ Licensed openly under the BSD 3 Clause license. Yes
✔ Implemented to the quality standards of the Magma Project as confirmed by one or more then-current Magma Codeowners:
Yes, Evgeniy Makeev (Meta Connect, Magma Code Owner)

References

1- Magma Augmented Network Report: https://docs.google.com/document/d/1lS50SR0Vkzi3r8e4zsGaKLbtJqgWrwrje2wgjgPlazU/edit

2- Mobile Data Offload WP: https://cdn.brandfolder.io/D8DI15S7/at/bzhb4s5rmxxs7gfj5mhtsv8/TIP_Test___Integration_Plug-n-Play_Core_Integration_for_Mobile_Data_Offload_MDO_White_Paper_FINAL_June_2021_Green.pdf

3- RFC: https://datatracker.ietf.org/doc/html/rfc5216

4- Helium/FF: https://github.com/helium/HIP/blob/master/0027-cbrs-5g-support.md

5- Moerschel, Grant, Richard Dreger, and Tom Carpenter. CWSP Certified Wireless Security Professional: Official Study Guide (exam PWO-200). McGraw Hill Professional, 2006.

6- TIP WiFi QoE White paper: https://cdn.brandfolder.io/D8DI15S7/at/3qr9r82qxt7gscvxswc7tfk8/TIP_Wi-Fi_HetNet_OpenSchema_QoS_QoE_Score_White_Paper_v10_Final_GREEN_-_Public_Access.pdf
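As an added example (not code from this proposal or from Magma), the Authentication Server side of the design above reduces to one policy check on the supplicant's certificate: it must chain to the operator CA, be inside its validity period, carry the clientAuth EKU, and its subject must match the identity the UE claimed in EAP-Response/Identity. The Go block below, standard library only, builds a constructed operator CA and UE certificates and runs that check on a valid, an expired, an untrusted-issuer and an identity-mismatch case; the CA names, the identity ue-0001@capaas.example and the function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // demo only: local certificate generation must not fail
	}
}

// issue signs a certificate for cn with parent/parentKey; a nil parent means self-signed (a CA root).
func issue(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-48 * time.Hour), NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // CA carries no EKU, so it may sign UE certificates
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // UE (supplicant) certificate
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// verifyUE is the AAA-side policy check on the supplicant's certificate: it must chain to the
// operator CA, be valid at now, carry clientAuth, and its CN must equal the claimed EAP identity.
func verifyUE(leaf *x509.Certificate, claimed string, roots *x509.CertPool, now time.Time) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("eap-tls: untrusted UE certificate: %w", err)
	}
	if leaf.Subject.CommonName != claimed {
		return fmt.Errorf("eap-tls: claimed identity %q does not match certificate CN %q", claimed, leaf.Subject.CommonName)
	}
	return nil // accepted; a production AAA would also consult revocation (CRL/OCSP) here
}

// Demo builds a constructed operator CA and a rogue CA, issues UE certificates and verifies four cases.
func Demo() map[string]error {
	now, day := time.Now(), 24*time.Hour
	caCert, caKey := issue("CAPaaS Operator CA", true, now.Add(365*day), nil, nil)
	rogueCA, rogueKey := issue("Rogue CA", true, now.Add(365*day), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	const id = "ue-0001@capaas.example" // constructed subscriber identity
	good, _ := issue(id, false, now.Add(day), caCert, caKey)
	expired, _ := issue(id, false, now.Add(-day), caCert, caKey)
	rogue, _ := issue(id, false, now.Add(day), rogueCA, rogueKey)
	return map[string]error{
		"valid":    verifyUE(good, id, roots, now),    // nil: accepted
		"expired":  verifyUE(expired, id, roots, now), // validity period check fails
		"rogue-ca": verifyUE(rogue, id, roots, now),   // chain does not reach the operator CA
		"wrong-id": verifyUE(good, "ue-0002@capaas.example", roots, now), // identity binding fails
	}
}
func main() { fmt.Println(Demo()) }
```

In a Go TLS server this is the check a tls.Config.VerifyPeerCertificate callback would run on verifiedChains[0][0] after crypto/tls has validated the chain; revocation checking is left out here.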

@emakeev

emakeev commented Nov 9, 2021

I think, EAP-TLS would be a very useful feature to expand Magma WiFi capabilities and market adoption. I'd be happy to provide necessary support & participate in the feature design & implementation.

@guruhubb

I agree with @emakeev. We'd be happy to provide support on the client side and use it with 0Chain SDK.

@zer0tweets

This will definitely be helpful for our Helium Wi-Fi roll out! Looking forward to it.

@sdechi

sdechi commented Dec 13, 2021

EAP-TLS is a feature that has been missing since we first looked at the CWAG.

  • In today's cellular operator business it is often necessary, especially in the case of WiFi, not only to connect the user's smartphone to WiFi; non-cellular devices like WiFi tablets should also be able to connect to the same networks.
  • As a converged operator we also have a huge base of fixed line customers. From our operator app it is possible to create a network profile based on EAP-TLS in the operating system of the user, and we can also connect the fixed line customers to the managed carrier WiFi.

@edaspb

edaspb commented Jan 15, 2022

That is a really necessary feature.
From the operator perspective I would like to propose adding EAP-AKA/SIM for non-federated Magma deployments. In combination with EAP-TLS it would open an incredible WiFi offload perspective for data-only wireless operators.

@gehechtman

We are working on various private network solutions to reach underconnected students and their communities in North America. Magma would be ideal for most of these if it had TLS. We are also involved in CWAG solutions for which a TLS-enabled Magma would be great to deploy.

@kaderwavelabs

Quick question: I am happy to read about several interests in the Carrier WiFi use case supported by Magma. However, I have not seen many contributions towards continuing to support the Carrier WiFi use case in the community. Is there a plan?

@Jmains888

Jmains888 commented Feb 23, 2022

RE Carrier WiFi and Magma ...
Carrier WiFi and Mobile Data Offload (now being called Augmented Networking) are very active efforts. The proposal discusses 5 initiatives and pending trials. Support from 2 MNOs and 2 WISPs is also shown above.

To learn more, please see:
1- MAN Report: https://docs.google.com/document/d/1lS50SR0Vkzi3r8e4zsGaKLbtJqgWrwrje2wgjgPlazU/edit?usp=sharing
2- MDO WP: https://cdn.brandfolder.io/D8DI15S7/at/bzhb4s5rmxxs7gfj5mhtsv8/TIP_Test___Integration_Plug-n-Play_Core_Integration_for_Mobile_Data_Offload_MDO_White_Paper_FINAL_June_2021_Green.pdf

@ssanadhya

@Jmains888 , thanks for updating the proposal description with project roadmap, testing approach, etc. To give the TSC and grant committee a good sense of effort involved, could you also include the SWE hours estimate for the different milestones or roadmap items?

@Shoelace-Jim

Shoelace-Jim commented Mar 30, 2022 via email

@ShubhamTatvamasi

Attached email from Jim (CEO, Shoelace Wireless) below.

Hi Shubham
Below we provided more info in the areas you requested.
Also we provided additional info for the areas that may help provide more insight.
Please let us know if you have any questions or need any additional information.
tks

Team Domain Expertise

  • Dozens of years working with MNOs & MVNOs in developing and delivering carrier-grade solutions in connection management and security, mobile access gateways, location-based services, and messaging.
  • Experts in Mobile Data Offload (MDO), security, and Seamless HetNet Transitions.
  • Multiple patents in hybrid access (cooperative) software defined networking.
  • 3 years working with Facebook Magma team on Magma extensions for data collection and MDO.

Privacy

  • Privacy is built into the feature. No PII is collected or stored as part of EAP-TLS flow.
  • There will be local break out and data plane traffic does not reach the cloud.
  • AP-Cloud control traffic is fully encrypted to prevent any privacy leak.
  • We also provide features for enhanced privacy protection (e.g., auto-encryption on non whitelisted networks, app connection control, app blocking)

Debuggability

  • Cloud/Backend and Components are extensions of Magma components (e.g., Orc8r and CWAG) and follow the same observability (e.g., monitoring, metrics and alerts via Prometheus/Grafana) and logging (https://github.com/magma/magma/wiki/Contributing-Code-Conventions#logging) requirements.
  • Clients will have extensive logging with critical logs shipped to cloud, Crashlytics for stability and performance monitoring, and metrics pushed to cloud via OpenSchema.

Project Plans

  • Blessed and reviewed by Evgeniy Makeev

Team Community Contributions

  • Developed several Mobile Data Offload PoC demos for FB/Magma MWC and TIP events
  • Developed Augmented Networking PoC with FB/Magma Team, TIP Lab, DT, and 0Chain.

Alternative Solutions

  • This proposal is an alternate solution to the existing approach of SIM based authentication that is faster, lower cost, and provides flexibility to support non cellular devices which enables value added service opportunities for Operators.

Effort

  • 4200 SWE hrs (3.5 SWE)

Thanks,

Jim
CEO, Shoelace Wireless
"Unbreakable Connectivity"
Stay in touch with us on Facebook, LinkedIn, and Twitter
