AAA Solution for Interworking between Mobile Networks and Wireless LANs

Toni Janevski*, Aleksandar Tudzarov*, Dusko Temkov*, Perivoje Stojanovski*, Goce Stojanov*, Meri Janevska**, Dusko Kantardziev**, Mine Pavlovski** and Tome Bogdanov**

* Faculty of Electrical Engineering, University “Sv. Kiril i Metodij”, Skopje, Republic of Macedonia ** Mobimak AD, Skopje, Republic of Macedonia

E-mail: tonij@etf.ukim.edu.mk, Aleksandar.Tudzarov@mobimak.com.mk, Dusko.Temkov@mt.com.mk, pstojanovski@mt.net.mk, gocestojanov@mt.net.mk, Dusko.Kantardziev@mobimak.com.mk,

Mine.Pavlovski@mobimak.com.mk, Tome.Bogdanov@mobimak.com.mk

Abstract –In this paper we propose and describe a unified solution for interoperability between mobile cellular network and WLAN. The integration between two networks, cellular and WLAN, is performed on the Authentication, Authorization and Accounting i.e. AAA side. For that purpose we developed WLAN Access Controller and WLAN AAA Gateway, which provide gateway-type access control as well as charging and billing functionalities for the WLAN service, respectively. In the development process of these elements we have considered current development stadium of all needed network entities and protocols. The developed solution provides cost-effective and easy-to-deploy PLMN-WLAN internetworking scenario.

I. INTRODUCTION Wireless access networks can be classified into two

main groups: wireless networks that provide high data rates and have limited coverage from a given Access Point, such as 802.11 WLAN, and wireless networks that have wide coverage from a given base station and limited bandwidth, such as GSM, GPRS, and UMTS (as well as CDMA2000 in Americas). Hence, the Wireless LAN (WLAN) standard will never be able to provide large-scale coverage due to limited propagation. However, the WLAN systems are a good complement to the widespread 2.5G systems as well as 3G systems. GPRS and 3G offer data rates that in relation to WLANs have low bandwidth. One may expect GPRS or 3G to be the dominating large-scale coverage data transfer wireless system for some years to come and due to this, the combination of WLAN and Public Land Mobile Network (PLMN) technology will use the best features of the both systems.

To make an integrated PLMN/WLAN system popular, it is necessary to have a shared system for billing the users. Without such shared system, someone using different networks could receive many bills from small WLAN operators. High bandwidth WLANs are used for data transfer where available and PLMN is used where WLAN coverage is lacking. In other words, WLAN and PLMN should be able to complement each other and will probably not compete for the same users. The price for usage of WLAN should be smaller than price for usage of the same services (e.g. transferred data volume) over PLMN, thus forcing subscribers to use WLAN where it is

available, and to use PLMN where WLAN is not available. Of course, such scenario is an excellent choice for mobile operators to additionally offer WLAN service, besides PLMN.

Due to interest for WLAN considering lower price than classical cellular infrastructure, ease of use, and higher bandwidth than PLMN, either 2.5G or 3G (e.g. UMTS) mobile networks, large vendors on the telecommunication market have created different solutions for Wireless LAN operated by mobile operators. Some of these solutions provided by some of the world largest vendors in wireless communications market are described in [1-51].

In this paper we propose and describe in details efficient and cost-effective system for unified Authentication, Authorization and Accounting (AAA) for PLMN-WLAN internetworking, in particular, for the scenario where PLMN operator adds its own WLAN network to offer WLAN service.

II. ARCHITECTURE FOR PLMN-WLAN INTERWORKING Depending on the degree of inter-dependence that one

is willing to introduce between the PLMN network and the 802.11 network, there are two different ways of integrating the two wireless technologies. They are usually defined as [16]:

• Loosely-coupled internetworking (loose coupling)

• Tightly-coupled internetworking (tight coupling).

There are several advantages to the loosely-coupled integration approach. First, it allows independent deployment and traffic engineering for PLMN and WLAN networks. Second, loosely-coupled solution has lower costs and complexity compared to tightly-coupled one. Furthermore, loosely-coupled internetworking provides easy access to WLAN services for all potential types of users, such as postpaid and prepaid users of the mobile operator, as well as provides possibility to use WLAN services to users that have no subscription made with the mobile operator by using WLAN vouchers. Also, tightly-coupled approach demands additional investments in end user equipment for WLAN access (besides traditional 802.11 network cards), while loosely-coupled solution does not.

WEB Login Form

Internet

DMZ O&MBilling

AdministrationLAN

CorporateLAN of the mobile

operator

Mobile operator’s network

Open Charging Interface (OCI)

Perimeter Router

Switch10/100 Mbps

Oracle database

WLAN Domain

Hot Spot (2)

Hot Spot (1)

Hot Spot (3)Switch

10/100 Mbps

Wireless Client

PerimeterFirewall

SwitchGigabit

Cisco Secure RADIUSServer

WLAN DMZ

SMS gateway

SMS CenterDatabase connection

SMS-OTP requestSMS-OTP response

O&MFirewall

Wireless Client

RADIUSAAA dataexchange

Wired Infrastructure

AAA Information Exchange Logic

Logical Path of User Traffic

Switch10/100 Mbps

WEB Server

RADIUSAAA data exchange

Hotspot accessrouter Hotspot access

router

Hotspot accessrouterAccess network (ADSL, 2 Mbps,

WiMAX)

WLAN Access Controller

DHCP Server

WLAN firewall

SMS-OTP requestSMS-OTP response

Figure 1. Architecture for PLMN-WLAN interworking

From the discussion above it is clear that loosely-coupled solution offers several architectural advantages over the tightly-coupled approach, with no drawbacks. Furthermore, in loosely-coupled solution we may distinguish two main access methods:

• Universal Access Method – UAM, which is dominant today; and

• Secured access method, which should be implemented for users that care about the security

Because one WLAN access method is secured by using 802.1X and an encryption protocol, and other is not (i.e. UAM), we need to separate both types of access methods. Solution for this is to use Wireless Virtual LAN – WVLAN, which is based on 802.1Q standard [21]. In such approach, one Virtual WLAN will be used for UAM, and other (or others) will be used for secured WLAN access method.

Our PLMN-WLAN internetworking framework is based on loosely-coupled architecture (Fig. 1). Both, user data traffic and control traffic (e.g. AAA control signalling) aggregate at WLAN perimeter router. Traffic from hotspots (and vice versa) may aggregate in a switch (from the WLAN side of the network) that is plugged into the WLAN router.

III. AUTHORIZATION, AUTHENTICATION AND ACCOUNTING FOR PLMN-WLAN

Security solution provided for a wireless LAN environment depends upon the purpose of the WLAN. In that sense, the solution differs for public WLAN network and corporate WLAN. While corporations give security a preference over easiness of use, an ordinary Internet user may prefer simplicity than security. There is always a

balance that should be achieved between system security and user friendliness, especially in public WLAN access network.

The IEEE 802.11 standard defines two authentication mechanisms in the wireless interface, i.e. Open System and Shared Key, as well as a privacy method called Wired Equivalent Protocol (WEP). The standard mandates use of the authentication for the infrastructure BSS mode (it is optional for the ad-hoc mode), while WEP is optional in all cases.

WLAN Access Controller main module

RADIUS client

Redirectionmodule

WLAN Access Control

WLAN Access Controller

Figure 2.WLAN Access Controller

Most common method for controlling Internet access for WLAN networks is to filter packets based on IP address and/or MAC address [43]. This method refers mainly to UAM, but it may be applied to the secured access as well. This method is based on limiting the user’s access to only a set of designating destinations, which is usually web server with web-login page in the operator’s WLAN backbone network. This is referred to as browser redirection. However, the implementation of this access control is a proprietary solution, because there is no standardized one.

SMS handler

Password generator

MSISDN check

RedirectAccess control

RADIUS client

User management

Keep-alive

Web-login

Applet in browser

Credits management CDR-data

aggregatorCDR-data to

Billing Interface

WLAN

database

PLMN Prepaid System

PLMNBilling System

Query for WLAN user

Record SMS; or get OTP

Check/change status of the user

Check for authorized/

unauthorized users Real-time user’s data check, or Log-off status change

Reserve, subtract credits, or record

credit status

Aggregates accounting

information for CDRs per

session or time

For unauthorized users

Authenticationinformation

WLAN RADIUS serverB

illin

g In

terf

ace

Periodical transfer of CDR-data to “BillingInterface”

PLMN prepaid creditsreservation, subtraction or

real-time information

Check for PLMN

postpaid or prepaid user

AAA

AAA

Applet initiation

For unauthorized users

Various controls

MSISDN or password (static or OTP) transfer

Storing passwords

Periodical collection of

data for CDRs to transfer

Figure 3. Solution for PLMN-WLAN integration: software modules and interfaces

In the solution for mobile operator’s WLAN network, we use dynamic packet filtering method for access control in the network access control server. The machine used for Access Control (i.e. gateway) has two Ethernet cards, one on the side of the WLAN access network, and the second out on the side to the external packet network (i.e. Internet). WLAN Access Controller is shown in Fig. 2. It is consisted of the following main modules:

• RADIUS client -for communication with RADIUS server

• Access Control module -for controlling the access of WLAN clients

• Redirection module -for redirection of unauthenticated users to the web-login server

• WLAN web-login interface -used as an user interface in the authentication process

The environment for the WLAN Access Controller is shown in Fig. 3. In the following sections are described components shown in the Fig. 3.

The Access Control module creates connections for WLAN users in a given address pool of private IP addresses. It also creates data structures for each authenticated user. For any unauthorized user it calls the Redirect module to redirect the user to the WLAN web-login interface placed on a web server. Using the web-login interface, the Access Control module obtains user credentials, which are further checked in the WLAN database via RADIUS client-server communication. If credentials check is positive, the user is granted to access the Internet service via WLAN and a user session is established in the WLAN Access Controller.

For each session WLAN Access Controller sends periodical RADIUS accounting messages to the RADIUS server, which are stored in the WLAN database. AAA gateway implemented on the WLAN database manages all accounting information related to the charging and billing of the users as well as it communicates with the PLMN postpaid and prepaid billing systems via a mediation node called Billing interface. When a user session should be terminated due to no credit on the

account, the AAA gateway sends termination request to the WLAN Access Controller.

Termination of an established session may occur due to one of the following reasons: user logoff, no more credits on the account, session timeout or idle timeout, where the last two parameters are defined in the RADIUS server.

IV. INTERWORKING OF PLMN AND WLAN VIA UNIFIED BILLING SYSTEM

In an integrated PLMN-WLAN network the main objective for an operator is to bill subscribers for the service. Hence, billing of the WLAN users is an essential issue.

In a WLAN network operated by a mobile operator, the following types of users are foreseen:

• PLMN/WLAN postpaid – these are existing PLMN postpaid users that will subscribe to WLAN service

• PLMN/WLAN prepaid – these are existing PLMN prepaid users that will want to use WLAN service and to be charged from their prepaid account

• WLAN prepaid – these are WLAN users that have bought WLAN prepaid scratch-cards and have activated their WLAN account (this category includes all, those that are not prepaid or postpaid subscribers of the mobile operator, as well as those that are subscribers of the mobile operator and want to use WLAN scratch-cards).

A. PLMN/WLAN postpaid Billing the PLMN users for using WLAN services is

related to how to handle accounting, that is, the process of gathering charging information about the user, processing it, and transferring the bill to the user. To be able to provide a solution for billing WLAN usage to postpaid users, we briefly explain the PLMN accounting in the continuing section.

RADIUS server WLAN Users Database

MobileTerminal

Association

MSISDN+OTP Request MSISDN+OTP Forward

MSISDN+OTP AcceptMSISDN+OTP Accept

User’s Internet traffic (to/from user)

Accounting Start

Interim Accounting

Interim Accounting

Interim Accounting

Accounting Stop

SMS-Center PLMN Open Charging Interface

WLAN Access Controller

Charging request

MSISDN+OTP Accept

MSISDN+OTP Check

Accounting Stop Record

Accounting Start Record

Interim Accounting Record

Interim Accounting Record

Interim Accounting Record

Charging requests (for volume-based only)

Access Control message to block a user with no quota

Charging request (for time-based only)

Charging request

Charging request

Accounting trigger

Accounting trigger

Accounting trigger

Accounting trigger

Accounting trigger

Accounting trigger

SMS-OTP via HTTP request

OTP Generation

SMS Request for OTP

SMS Reply with OTP

SMS with OTP request

Authenticationprocedure

Redirect to web-login page

Figure 4. Accounting and billing flow for PLMN postpaid and prepaid users that use WLAN service

RADIUS server WLAN Users Database

MobileTerminal

Association

Username/Password Request Username/Password Forward

Username/Password AcceptUsername/Password Accept

User’s Internet traffic (to/from user)

Accounting Start

Interim Accounting

Interim Accounting

Interim Accounting

Accounting Stop

WLAN Access Controller

Username/Password Accept

Accounting Stop Record

Accounting Start Record

Interim Accounting Record

Interim Accounting Record

Interim Accounting Record

Access Control message to block a user with no quota

Accounting trigger

Accounting trigger

Accounting trigger

Accounting trigger

Accounting trigger

Accounting trigger

Authenticationprocedure

Username/Password Check

Redirect to web-login page

Figure 5. Accounting and billing flow for WLAN prepaid users

Postpaid WLAN users do not need any type of feedback such as credits left on the client’s PLMN subscription. In the case of WLAN postpaid users the user is charged for WLAN usage on his monthly invoice.

To be able to charge postpaid users a mobile operator should add in his billing system an option for WLAN service as an offer to his users. The simplest way for WLAN service handling by the Billing system and Customer care department of the mobile operator is to “copy” the handling of PLMN service for postpaid subscribers.

In Fig. 4 we show the complete flow of AAA information between different network nodes.

For both authentication methods, the user should enter (in the web login page for UAM, or in the popup window for 802.1X-PEAP) his Mobile Subscriber Integrated Services Digital Network (MSISDN) number as a username, and a password. The password is One-Time-Password (OTP), which will have limited time validity (e.g. a few hours). To be able to obtain OTP the user will be required to send an SMS message to a designated number for that purpose. How the user will know that he should send an SMS? Additionally we want to simplify the procedure as possible for a postpaid user to start using WLAN service.

The answer is the following: assume that we have a PLMN subscriber that has never used a WLAN service offered by the mobile operator, and he enters a hotspot. He recognizes that there is a WLAN network and his lap-top “sees” the SSID of the UAM VLAN. If the user opens a browser his browser will be redirected to the web-login page of mobile operator’s WLAN. There postpaid user will find information that he should send an SMS to a designated number to obtain access to the WLAN network (if he does not have such information in advance).

The SMS-Center of mobile operator receives the SMS and forwards it to a machine connected to IP backbone network of mobile operator by using the Short Message Peer to Peer (SMPP) protocol for that purpose. An application receives that request for an OTP via SMS, and triggers check of the MSISDN number of the user (whether it is a mobile operator subscriber or not). The MSISDN check is necessary because there can be also roaming users from other operators. It is performed by an analysis of the number of the SMS sender.

After a positive check of the user’s MSISDN, the application will trigger generation of OTP for that user. Then, the MSISDN and OTP are stored in the SQL database for WLAN users, as shown in Fig. 4. Further, the OTP is sent to the user in a SMS via mobile operator’s SMS-Center by using SMPP for communication between the application and the SMS-C (we refer to this OTP as Sent OTP i.e. S-OTP). The user receives the SMS-OTP and enters his MSISDN and the Received OTP (R-OTP) as his username and password. These credentials are sent to the WLAN RADIUS AAA server via the AP. Then, the Received OTP (R-OTP) is compared with Sent-OTP (S-OTP), which is in the WLAN users’ database. After successful match of credentials given by the user and those recorded in the database, the user is granted access to the Internet, and accounting process starts. RADIUS server is also an accounting server and it receives all accounting messages

(Accounting Start, Interim Accounting, Accounting Stop etc.). After session ends, RADIUS server records the accounting data into the SQL database. Also, all start, stop, and interim accounting messages are stored in the WLAN database.

Each accounting message triggers the WLAN database to send request to the mediation node i.e. PLMN Open Charging Interface – OCI (Fig. 4). From the accounting data recorded into the OCI database, an application periodically creates CDRs from the accounting data for completed sessions. All created CDRs are periodically sent to the Billing System of the mobile operator over FTP.

B. PLMN/WLAN Prepaid In PLMN-WLAN network there is possibility for two

types of prepaid users: one with PLMN prepaid cards; and the other with WLAN prepaid cards. In this section we refer to the first one.

The flow of accounting and billing information for PLMN/WLAN prepaid users (as described above) is shown in Fig. 4, and is the same as for PLMN/WLAN postpaid users. The difference between PLMN postpaid and prepaid users is made in the Open Charging Interface - OCI. For PLMN prepaid users the OCI request credits in advance for WLAN usage, either for a time period (e.g. one minute) or for a given amount of data (in bytes). However, different pricing factors (e.g. different tariffs) are agreed between WLAN database and the OCI prior to their interconnection.

C. WLAN Prepaid WLAN prepaid refers to prepaid users that are using

WLAN vouchers (scratch-cards). This category includes WLAN users that are not PLMN subscribers, but it may also include PLMN subscribers that want to use WLAN prepaid vouchers to access WLAN network. In general, there is simply no limitation about who can be a WLAN prepaid user, i.e. everybody with purchased and activated WLAN voucher will be a WLAN prepaid user of the mobile operator.

The accounting flow for WLAN prepaid users is shown in Fig. 5. First major difference between WLAN prepaid and the PLMN/WLAN postpaid or PLMN/WLAN prepaid is the type of credentials. While in the previous two cases username was MSISDN number of the PLMN subscriber, in the WLAN prepaid case the credentials will be given on the WLAN prepaid card. There can be username and password given on the scratch-card, or just one credential (i.e. unique number of the scratch card, consisted of digits, similar to current prepaid cards of mobile operators).

As usual with prepaid vouchers, all voucher numbers or username/password pairs of the vouchers will be recorded into WLAN database prior to their selling. When a subscriber buys a voucher at the first login he should enter credential(s) from the prepaid card into web-login page (for UAM access) or in popup window (for 802.1X-PEAP access). Then, system compares the entered credentials from the user with those in WLAN database, and if a match is found, WLAN prepaid account is created with a certain amount of credits (dependent upon the voucher type).

After a successful authentication user is granted access to the Internet. During the active session user balance is periodically checked (i.e. every minute) and number of credits is updated according to the usage of resources. At each balance check, quota is allocated until the next balance check. For example, for usage-based charging, with balance check on every 100 KB of data transferred, the user will be granted further usage only when he has at least credits for another 100 KB. It is similar for time-based charging of the prepaid WLAN users.

V. BUSINESS ASPECTS Billing and charging management in the WLAN

network operated by mobile operator is the process of integrating the WLAN billing functions into the overall customer billing system [50]. The user experience on the WLAN is significantly different than on the current PLMN data networks. In particular the billing for WLAN service in our system is based on resource usage (e.g. amount of data transferred in bytes, or time duration of a session).

In our solution, for each user system collects parameters for the WLAN resources usage, such as time duration of the session and volume of data transferred uplink and downlink. By “the duration of a session” we mean the time interval between the login (when a user pushes the Login button on the web-login page) and logout (when user pushes the logout button or session ends due to Session or Idle Timeout, or forced session termination). On the other side, volume of data refers to overall number of octets (i.e. bytes) transferred uplink and downlink from/to WLAN user during a session.

The collected information about connection duration and transferred bytes can be used for different tariff models.

There are some pricing factors that influence the price for resource usage. One pricing factor is discount, such as time of day (e.g., in current cellular networks different tariffs are usually applied during the day and the night hours, or during weekdays and weekends). Also, there can be given different prices for postpaid and prepaid users. Additionally, the AAA gateway offers possibility to create different voucher types to target specific customer groups for WLAN service etc.

In some cases it is useful to provide access to some services for free (e.g., to obtain local information at the airport, or to obtain information about local shops, events etc.).

However, pricing for the WLAN usage is dependent upon the mobile operator policy.

VI. CONCLUSIONS Public WLANs provide an important complement to

mobile networks, enabling broadband Internet access in selected hot spots and offering additional capacity to the PLMN networks. Public WLANs can be deployed today with a simple and cost effective solution based on existing equipment. Mobile operators can offer their corporate customers a bundled offering of PLMN plus WLAN, managing the subscription to the service as well as customer care and billing.

In this paper we have described our solution for PLMN-WLAN interoperability. First, we have made a

choice for loosely-coupled PLMN-WLAN integration, which is a dominant scenario today worldwide and has advantages over the tightly-coupled approach. Furthermore, we have decided to provide both types of access methods, unsecured or Universal Access Method, which is dominant in WLAN ISPs today, and secured access, which certainly offer higher protection of user’s information, but requires certain settings in mobile clients.

Further, we have developed WLAN Access Controller, which works as a gateway towards Internet and PLMN. Also, we have developed PLMN-WLAN AAA gateway, including PLMN/WLAN postpaid and prepaid users as well as WLAN prepaid users. The created solution is cost-effective and provides all needed functionalities for efficient charging and billing, as well as secured and non-secured access to Internet via WLAN.

REFERENCES [1] Alcatel, “Public Wireless LAN for Mobile Operators: WLAN

beyond the enterprise”, White paper, 2003. [2] Flash Networks, “NettGain 1200 Flash Networks”,

www.adjungonet.com [3] M. T. Bostrom, A. Norefors, “Ericsson Mobile Operator

WLAN”, Release 1 Technical Description, February 2002. [4] M.Ritter, “Billing WLAN to macro-networks”, White paper,

Mobility Networks, www.mobilitynetworks.com, 2003. [5] The Wireless Directory, “Hotspot Locations”,

http://www.hotspot-locations.com/modules.php?name=HotSpots, accessed June 2004.

[6] “Huawei to provide WLAN for China Mobile”, http://www.ciol.com/content/news/repts/102112206.asp, accessed May 2004.

[7] WeRoam – WLAN and PLMN united, www.weroam.com, accessed June 2004.

[8] Swisscom-Eurospot, http://www.swisscom-eurospot.com, accessed June 2004.

[9] Telia HomeRun, http://www.homerun.telia.com, accessed June 2004.

[10] BT Openzone, http://www.btopenzone.com, accessed June 2004. [11] T-Mobile International, http://www.t-mobile-international.com,

accessed June 2004. [12] T-Mobile US, http://www.t-mobile.com/hotspot/, accessed June

2004. [13] “TDC Mobil” official WiFi/3G offer, www.tdcmobil.dk,

accessed April 2004. [14] VIPonline, https://airlink.vip.hr/hotspot/, accessed June 2004. [15] Era Hot@Spot, http://www.erahotspot.pl, accessed June 2004. [16] M. Buddhikot, G. Chandranmenon, S. Han, Y. W. Lee, S. Miller,

L. Salgarelli, “Integration of 802.11 and Third-Generation Wireless Data Networks”, Infocom 2003, San Francisco, USA, March 30 – April 3, 2002.

[17] M. T. Bostrom, A. Norefors, “Ericsson Mobile Operator WLAN”, Release 1 Technical Description, February 2002.

[18] Wi-Fi Alliance (2003) “Wi-Fi Alliance Wireless ISP Roaming Best Practices Document”. http://www.Wi-Fialliance.org/opensection/

[19] Intel, “Wireless LAN (WLAN) End To End Guidelines for Enterprises and Public HotSpot Service Providers”, Release 1.0, October 2002.

[20] IEEE 802.1X standard, “IEEE standard for local and metropolitan area networks – Port-Based Access Control”, July 2001.

[21] IEEE 802.1Q standard, “IEEE standard for local and metropolitan area networks - Virtual Bridged Local Area Networks”, May 7, 2002.

[22] C. Rigney, S. Willens, A. Rubens, W. Simpson, “Remote Dial-In User Authentication Service (RADIUS)”, RFC 2865, June 2000.

[23] C. Rigney, “RADIUS Accounting”, RFC 2866, June 2000. [24] C. Rigney, W. Willats, P. Calhoun, “RADIUS Extensions”, RFC

2869, June 2000.

[25] Cisco, “Single-User Network Access Security TACACS+”, http://www.cisco.com/warp/public/614/7.html, accessed June 2003.

[26] P.Calhoun et al, “DIAMETER base protocol”, IETF, RFC 3588, September 2003.

[27] C. Finseth, “An Access Control Sometimes Called TACACS”, RFC 1492, July 1993.

[28] The Unofficial 802.11 Security Web Page, http://www.drizzle.com/~aboba/IEEE/, accessed June 2003.

[29] Wi-Fi Alliance, “Q&A Wi-Fi Protected Access”, http://www.wi-fi.org/OpenSection/pdf/Wi-Fi_Protected_Access_QA.pdf , March 28, 2003.

[30] Frank Ohrtman, Konrad Roeder, “Wi-Fi Handbook: Building 802.11b Wireless Networks”, McGraw-Hill, 2003.

[31] US Department of Commerce, “Advanced Encryption Standard (AES)”, Federal Information Processing Standard (FIPS), Publication 197, November 2001.

[32] L.Blunk, J.Vollbrecht, “PPP Extensible Authentication Protocol”, IETF, RFC 2284, March 1998.

[33] T. Dierks, C. Allen, “The TLS Protocol”, RFC 2246, January 1999.

[34] T. Wu, “The SRP Authentication and Key Exchange System”, RFC 2945, September 2000.

[35] IEEE 802.1X standard, “IEEE standard for local and metropolitan area networks – Port-Based Access Control”, July 2001.

[36] W. Simpson, "PPP Challenge Handshake Authentication Protocol (CHAP)”, August 1996.

[37] RFC 2716, “PPP EAP TLS Authentication Protocol”, Internet Engineering Task Force (IETF), October 1999.

[38] J. Edney, W.A. Arbaugh, “Real 802.11 Security: Wi-Fi Protected Access and 802.11i”, Addison Wesley, July 2003.

[39] J. Hammond et al., “Wireless Hotspot Deployment Guide”, Intel in Communications, December 2003.

[40] Palekar, et al, "Protected EAP Protocol (PEAP) Version 2”, draft-josefsson-pppext-eap-tls-eap-00, October 2003.

[41] N. Cam-Winget, D. McGrew, J. Salowey, H. Zhou, “EAP Flexible Authentication via Secure Tunnelling (EAP-FAST)”, draft-cam-winget-eap-fast-00, February 2003.

[42] H.Haverinen, et al., “EAP SIM Authentication”, draft-haverinen-pppext-eap-sim-13, April 5, 2003.

[43] P.Iyer at el, “Public WLAN Hotspot Deployment and Internetworking”, Intel Technology Journal Vol. 7, August 19, 2003.

[44] Microsoft 802.1x Authentication Client, www.microsoft.com/windows2000/server/evaluation/news/bulletins/8021xclient.asp, December 13, 2002.

[45] Open Source Implementation of IEEE 802.1x, www.open1x.org/, accessed June 2003.

[46] IEEE 802.1Q standard, “IEEE standard for local and metropolitan area networks - Virtual Bridged Local Area Networks”, May 7, 2003.

[47] SMPP Protocol Specification v4.0, http://www.smsforum.net/doc/public/Spec.

[48] ETSI TS 101 393 – Digital cellular telecommunications system (Phase 2+); General Packet Radio Service (PLMN); PLMN Charging, 3GPP TS 12.15 version 7.7.0 Release 1998.

[49] Ericsson Radio System AB, “PLMN System Description”, PLMN Customer Documentation, 1551-AXB 250 01/1 Uen, 1999.

[50] PLMN Association, “Services, Ease of Use, and Operator Considerations in Interworked WLAN-Cellular Systems”, PRD SE. 27, May 28, 2003.

[51] Portal Software Inc., “Overcoming Wireless LAN Billing Challenges”, 2003.