Abstract: A method includes linking, at an access node, a first media control access (MAC) address of a device to an identifier of the device to establish a communication session between the access node and the device and during the communication session, receiving, at the access node, an indication of a change of the first MAC address to a second MAC address. The method also includes linking, at the access node, the second MAC address to the first MAC address and the identifier and receiving, at the access node, a communication from the device using the second MAC address while maintaining the communication session.

Abstract: In one embodiment, a method includes: transmitting a message to a first end point that includes an instruction to initiate a communication type, wherein the communication type includes sharing a randomization token between the first and second end points; obtaining a first communication report from the first end point and a second communication report from the second end point in response to initialization of a communication based on the communication type between the first end point and the second end point across the network, wherein the first and second communication reports respectively include a first and second hash that corresponds to a function of the randomization token and identity information; determining whether the first hash matches the second hash; generating a value that correlates the first and second end points with the communication across the network in response to determining that the first hash matches the second hash.

Abstract: Techniques are described to provide multipath mobility via Domain Name System-as-an-Authoritative Source (DNS-AS) techniques. In one example, a method includes obtaining, by a multipath policy decision element, a plurality of multipath policy recommendations for an application, wherein the plurality of multipath policy recommendations are obtained from one or more multipath policy recommendation elements; combining the plurality of multipath policy recommendations to generate a policy enforcement decision, wherein the policy enforcement decision identifies, at least in part, one or more network paths that are to be utilized for one or more packet flows associated with the application, wherein each of the one or more network paths is associated with an access type; and enforcing the policy enforcement decision for one or more packet flows associated with the application.

Abstract: The present technology pertains to a system, method, and non-transitory computer-readable medium for confirming the identities of devices requesting roaming access on a network by authoritative identity providers and proxies for authoritative identity providers. The technology can, in response to a receipt of a request from a device for roaming access, connect to an identity entity at an address by a network access provider, wherein the request for roaming access identifies an authoritative identity provider host name; receive a certificate from the identity entity; and determine, using the certificate, whether the identity entity is an authoritative identity provider or a proxy for an authoritative identity provider.

Abstract: In one embodiment, a method for providing access to wireless networks may include receiving, by a wireless network access provider from a user device, a request to access a wireless network. The method may include obtaining data representing a policy applicable to the access request, sending the access request, augmented with the policy, to an identity provider associated with the user and having no pre-existing relationship with the access provider, and receiving, from the identity provider, an access request response indicating whether or not the policy is met. The method may include communicating, to the wireless device, an indication that the access request has been accepted, if the policy is met, or an indication that the access request has been rejected, if the policy is not met. The access provider and identity provider may be members of an identity and access federation that communicate over a dynamically established secure connection.

Abstract: Presented herein are techniques to facilitate wireless authorization based on in-line assurance and tariffing information. In one example, a method may include obtaining, by a home network, a request to authorize access of a roaming subscriber for a visited network; determining whether the request includes visited network charging information and visited network metric information; based on determining that the request includes the visited network charging information and the visited network metric information, determining whether one or more visited network metrics satisfy one or more threshold metrics for the roaming subscriber; and based on determining that the one or more visited network metrics satisfy the one or more threshold metrics for the roaming subscriber, authorizing access of the roaming subscriber for the visited network.

Abstract: Presented herein are techniques to facilitate wireless authorization based on in-line assurance and tariffing information. In one example, a method may include determining, by a roaming subscriber, that a visited network is a chargeable network; querying, by the roaming subscriber, the visited network for charging policies for at least two identity realms; obtaining, by the roaming subscriber, charging policy metadata associated with the charging policies for the at least two identity realms; selecting, by the roaming subscriber, an identity realm through which to connect to the visited network based on the charging policy metadata for the at least two identity realms; and connecting to the visited network using the selected identity realm.

Abstract: Techniques presented herein may provide Distributed Unit (DU) failover techniques for a virtualized Radio Access Network (vRAN) architecture. In one example, a method may include maintaining, by a management node for a vRAN, service information for a plurality of distributed unit components for the vRAN in which the service information identifies, at least in part, service characteristics and failover rules for the vRAN. The method may further include determining a failure of a particular DU component of the plurality of DU components; and reassigning one or more particular RUs currently assigned to the particular DU component to one or more other DU components based on the service characteristics maintained in the service information and particular failover rules identified in the service information that are associated with each of the one or more particular RUs that are re-assigned.

Abstract: Presented herein are techniques to facilitate wireless authorization based on in-line assurance and tariffing information. In one example, a method may include obtaining, by a home network, a request to authorize access of a roaming subscriber for a visited network; determining whether the request includes visited network charging information and visited network metric information; based on determining that the request includes the visited network charging information and the visited network metric information, determining whether one or more visited network metrics satisfy one or more threshold metrics for the roaming subscriber; and based on determining that the one or more visited network metrics satisfy the one or more threshold metrics for the roaming subscriber, authorizing access of the roaming subscriber for the visited network.

Abstract: A method includes linking, at an access node, a first media control access (MAC) address of a device to an identifier of the device to establish a communication session between the access node and the device and during the communication session, receiving, at the access node, an indication of a change of the first MAC address to a second MAC address. The method also includes linking, at the access node, the second MAC address to the first MAC address and the identifier and receiving, at the access node, a communication from the device using the second MAC address while maintaining the communication session.

Abstract: In one embodiment, a method for providing access to wireless networks may include receiving, by a wireless network access provider from a user device, a request to access a wireless network. The method may include obtaining data representing a policy applicable to the access request, sending the access request, augmented with the policy, to an identity provider associated with the user and having no pre-existing relationship with the access provider, and receiving, from the identity provider, an access request response indicating whether or not the policy is met. The method may include communicating, to the wireless device, an indication that the access request has been accepted, if the policy is met, or an indication that the access request has been rejected, if the policy is not met. The access provider and identity provider may be members of an identity and access federation that communicate over a dynamically established secure connection.

Abstract: A method is provided that includes obtaining an access request for a device to access a visited access network, the access request including an authentication identifier for the device including an identity for the device and a realm comprising a network identifying portion; determining a re-write rule for the realm by querying a database based on an identity type of the device and the network identifying portion of the realm, the database including a plurality of re-write rules for a plurality of networks and a plurality of identity types; re-writing the realm based on the re-write rule using the identity for the device to generate a re-written realm; obtaining, based on the re-written realm, an address for an authentication server of an identity provider associated with the device; and performing an authentication with the authentication server using the authentication identifier to authenticate the device for the visited access network.

Abstract: A method of controlling performance of a wireless device is performed by a node that is in electronic communication with a cellular network. The node includes a processor, a non-transitory memory, and a network interface. The method includes receiving a performance value characterizing a performance of a communication channel between a wireless device and a wireless access point. In some implementations, the wireless device and the cellular network are associated with different radio access technologies (RATs). The method includes determining whether the performance value breaches a performance criterion for the wireless device. The method includes adjusting a first amount of data transmitted to the wireless device from a base station of the cellular network and a second amount of data transmitted to the wireless device from the wireless access point. In some implementations, the combined first and second amounts of data satisfy the performance criterion for the wireless device.

Abstract: Dynamic roaming partner prioritization based on service quality feedback may be provided. First, a server associated with an enterprise may receive performance data and location data for each of a plurality of service provider networks from a plurality of end use devices associated with the enterprise. Next, the server may assign a ranking to a plurality of service providers by location based upon information. The information may comprise the received performance data and the location data corresponding to each of the plurality of service provider networks. The server may then push the ranking to a first end use device.

Abstract: The presently claimed disclosure is directed to methods that may be implemented at a computer. Methods and systems consistent with the present disclosure may include extending protocols associated with authenticating client (i.e. supplicant) devices and with authorizing those supplicant devices to access a wireless network. These methods may include sending data relating to the failure of an authentication and/or an authorization process to a supplicant device attempting to access a wireless network. Methods discussed within may include securely sending failure codes or reasons to a supplicant device that identify why an authentication or authorization process failed. These methods may include sending messages between a supplicant device, an authenticator device, and an authentication and authorization server. After a first failure, the supplicant device may be able to access the wireless network after a reason or code of that failure has been reported to the supplicant device.

Abstract: Embodiments herein describe techniques for dynamically negotiating an SLA between a roaming device and a VN in an identity federation. Instead of an IDP having to individually negotiate with a VN to decide on an SLA before a user device roams to the VN, the parties can dynamically negotiate the SLA after the user device has detected the VN (but before the device is permitted to connect or associate with the VN). In one embodiment, when a roaming user device comes within wireless range of a VN, the roaming device receives an advertisement from the VN that indicates the current SLA (or SLAs) offered by the VN. The roaming device can compare this offered SLA to a stored SLA in an identity profile the device received from the IDP to determine whether to accept the offer. In another embodiment, the SLA is instead negotiated between VN and the IDP.

Abstract: The disclosed technology relates to a process of evaluating any number of different identity providers (IDPs) and their respective set of credentials that are used to authenticate corresponding users to assist with the onboarding of the different IDPs in connection with Wi-Fi identity federations. In particular, the process allows a person's electronic identity and attributes (stored across one or more IDPs) to be determined once using a standard. Once trust has been established for the user, that trust can then be utilized across a number of different systems (e.g., Single-sign on). The same trust determination can be used without the need for the authenticity of the user identity to be re-evaluated with each new access request.

Abstract: Presented herein are techniques to facilitate extending a multiple access Protocol Data Unit (PDU) session and Access Traffic Steering, Switching, and Splitting Low-Layer (ATSSS-LL) policies to an enterprise network. In one example, a method may include obtaining a request for an ATSSS-LL policy for a user equipment (UE) for establishing a multiple access protocol data unit session for the UE via a wireless wide area access network for an enterprise network; and providing to the UE one or more ATSSS-LL rules for the ATSSS-LL policy, an Internet Protocol (IP) address for the multiple access protocol data unit session for the UE, and an identifier for the multiple access protocol data unit session for the UE in which the IP address is utilized for a wireless local area access network connection for the UE established via a wireless local area access network of the enterprise network.

Abstract: Presented herein are techniques to prevent and/or minimize user equipment (UE) service disruptions in a virtualized Radio Access Network (vRAN) architecture. In one example, a method may include establishing, via a central unit of a vRAN, a first radio connection for a UE via a first cell belonging to a first shared cell for the vRAN; determining that the UE is dual connectivity capable; instructing the UE to perform measurements for one or more other cells belonging to one or more other shared cells that have available capacity; obtaining measurement information from the UE for the one or more other cells; determining, based on the measurement information, a second cell among the one or more other cells having a highest measured signal strength; and establishing a second radio connection for the UE via the second cell belonging to the second shared cell.

Abstract: Presented herein are techniques to facilitate OpenRoaming integration into a Wireless Roaming Intermediary Exchange (WRIX) data-clearing and financial-settlement architecture. In one example, a method is provided that may include querying, by an application endpoint, a Domain Name System (DNS) server to determine support for a service for a domain; and obtaining, by the application endpoint from the DNS server, an explicit indication that one of: the service is not supported for the domain; or the service is proprietary and is supported for the domain.