Abstract: In one embodiment, a device receives a request from a client to remotely access an endpoint in a local network. The device instantiates a network slice having a remote access function in a cellular network. The device causes the endpoint to communicate a particular type of traffic via the network slice and the remote access function. The device configures a virtual private network tunnel between the client and the remote access function. The client and endpoint communicate with one another via a connection that comprises the network slice and the virtual private network tunnel.

Abstract: Disclosed herein are systems, methods, and computer-readable media for authentication in a multi-cloud cellular service. In one aspect, a method includes receiving, at a controller of a local site within the multi-cloud cellular service, a network connection request from a device, the cloud-based authentication component being a central network component configured to store device credentials and network policies for authenticating devices connecting to the multi-cloud cellular service across all sites associated with the multi-cloud cellular service. In one aspect, the method also includes locally authenticating, by the controller, the device using stored credential information obtained from the cloud-based authentication component prior to losing the connectivity to the cloud-based authentication component.

Abstract: The present technology is generally directed to dynamically adding network resources based on an application function (AF) notification. The present technology can determine, by an AF of a service provider, a network congestion on a network, the network congestion indicating that network resources for servicing a user device using services of the service provider do not meet corresponding Quality of Service (QoS) requirements. Further, the present technology can transmit a notification by the AF to a core network of a network provider to request additional network resources to be allocated for servicing the user device, the network provider providing network connectivity for the user device to receive the services provided by the service provider.

Abstract: A trust based continuous Fifth Generation (5G) network service assessment, and more specifically a trust based continuous 5G network service assessment for a user equipment to ensure an authorized user is using the user equipment may be provided. A registration request may be received by an Access and Mobility Management Function (AMF) from a User Equipment (UE). In response to the registration request, a Policy Control Function (PCF) may exchange a policy with the AMF, wherein the policy comprises instructions to perform a continuous service assessment. Next, a registration accept message may be sent to the UE, wherein the registration accept message comprises instructions for the UE to enable the continuous service assessment.

Abstract: Disclosed herein are systems, methods, and computer-readable media for reporting QoE of a UE, as measured and determined from the perspective of the UE to one or more core components of the cellular network to which the UE is attached. The QoE may then be used by the one or more core components for managing and adjusting, if necessary, the cellular services provided to the UE. In one aspect, a method includes determining, at a user device, a quality of experience (QoE) of user device connected to a cellular network and transmitting, via a non-access stratum (NAS) signaling, a value of the QoE from the user device to a core network element of the cellular network, wherein the core network element utilizes the QoE value to manage network access and a quality of service (QoS) of the user device.

Abstract: Systems, methods, and computer-readable media are disclosed for dynamically onboarding a UE between private 5G networks. In one aspect, a private 5G (P5G) federation system can receive a request from a user device for registration with a serving private 5G network, which is part of a P5G federation system. The P5G federation system can further determine that the user device is authenticated with a home private 5G network of the user device, which is also part of the P5G federation system. The P5G federation system can transmit, to the serving private 5G network, a security profile of the user device that is received from the home private 5G network. As follows, the P5G federation system can facilitate onboarding of the user device to the serving private 5G network with the security profile.

Abstract: A private cellular management system detects that a device has connected to a private cellular network. The device is part of a device group that is associated with a policy applicable within an enterprise network and the private cellular network. The private cellular management system generates a determination corresponding to a policy effectiveness associated with the access policy based on different versions of the policy implemented in the enterprise and private cellular networks. The private cellular management system obtains an update to the access policy and applies this update for the device and other devices associated with the device group.

Abstract: A system and method of performing multi-layer client assurance in a private cellular network includes a plurality of assurance points within the network. The method includes receiving, by a network entity, a plurality of parameter sets from the plurality of assurance points. Each of the plurality of assurance points can be configured to obtain measurements from a portion of the private cellular network corresponding to a client assurance layer in a client assurance stack. The method can include combining a first parameter set from the plurality of parameter sets with a second parameter set from the plurality of parameter sets. The first parameter set can be associated with a first client assurance layer and the second parameter set is associated with a second client assurance layer. The method can include determining, based on the combined parameter set, a network service level corresponding to the client device.

Abstract: An enterprise device identity proxy between an SMF and an Enterprise's device profile store supports N7 protocol for enterprise policy delivery between a central management service (CMS) and an enterprise policy service. In particular, when a user equipment (UE) requests a data service, the enterprise device identity proxy receives AAA transactions from the SMF running the enterprise policy service over a secondary authentication interface, stores the results in a data store, and uses business rules set forth by the CMS to transform Remote Authentication Dial-In User Service (RADIUS) Attribute Value Pairs (AVPs) into a valid N7 response to the SMF. The enterprise device identity proxy enables an enterprise to treat a device with cellular connectivity using the same rules that would apply to other access/connection types without the complexity and cost of deploying a 3GPP policy service to support N7 protocol for policy delivery.

Abstract: Systems, methods, and computer-readable media are disclosed for facilitating bi-directional edge proxy-to-edge proxy communications across an enterprise firewall in 5G service-based architecture. In one aspect, a method includes receiving a subscription request from a user device to operate on a visited private network; determining that the user device is associated with a home network; and establishing a communication protocol between a security edge protection proxy of the visited private network and a security edge protection proxy of the home network, wherein the communication protocol enables bi-directional exchange of roaming signals between the visited private network and the home network while user device is operating on the visited private network.

Abstract: Systems, methods, and computer-readable media are provided for on-boarding network devices onto a private 5G network. An example method can include discovering a first private 5G network upon the network device being turned on, authenticating, at the network device, the network device, downloading a second network profile from an SM-DP+ server of a second private 5G network, and on-boarding the network device to the second private 5G network.

Abstract: The present technology is generally directed to dynamically adding network resources based on an application function (AF) notification. The present technology can determine, by an AF of a service provider, a network congestion on a network, the network congestion indicating that network resources for servicing a user device using services of the service provider do not meet corresponding Quality of Service (QoS) requirements. Further, the present technology can transmit a notification by the AF to a core network of a network provider to request additional network resources to be allocated for servicing the user device, the network provider providing network connectivity for the user device to receive the services provided by the service provider.

Abstract: The present technology discloses non-transitory computer-readable media, systems, and methods for receiving a notification that an identified physical object has attached to a roaming network, wherein the identified physical object is roaming when on the roaming network; translating at least one policy intent that was defined at a home network for the identified physical object into a policy suitable to be applied by the roaming network; and sending, to the roaming network, the at least one translated policy intent to be applied to the identified physical object on the roaming network.

Abstract: The present technology discloses non-transitory computer-readable media, systems, and methods for receiving a notification that an identified physical object has attached to a roaming network, wherein the identified physical object is roaming when on the roaming network; translating at least one policy intent that was defined at a home network for the identified physical object into a policy suitable to be applied by the roaming network; and sending, to the roaming network, the at least one translated policy intent to be applied to the identified physical object on the roaming network.

Abstract: In one embodiment, a method comprises communicating with a plurality of network elements via a first communication protocol to obtain state information of the plurality of network elements; receiving a request via a second communication protocol for a communication session to be established for a client computing device; selecting one or more network elements, wherein the selection is based on at least a portion of the state information of the network elements; and communicating identification information of the one or more network elements selected for use in the communication session.

Abstract: In one embodiment, a method comprises obtaining, by a first network element comprising processing logic, notification of a plurality of events associated with a plurality of communication sessions, wherein the events include at least one of a mid-session event or an end-session event, wherein the plurality of events are communicated to a routing agent using a first communication protocol by a plurality of second network elements; receiving, by the first network element, a request via a second communication protocol for a first communication session to be established for a client computing device; selecting, by the first network element, one or more network elements from the second network elements for the communication session based on the at least one of a mid-session or an end-session event; and communicating, by the first network element, identification information of the one or more network elements selected for use in the first communication session.

Abstract: First, an authentication module may receive an identification (ID) linking request, create a secured ID linking request from the ID linking request, and send the secured ID linking request to a packet gateway module located in a packet core of a mobile network. Next, the packet gateway module may insert into the secured ID linking request, an encrypted version of a mobile identifier corresponding to a client device from which the secured ID linking request was received. Next, a mobile video session manager module may receive from the packet gateway module, the secured ID linking request and link a subscriber of a managed video service corresponding to a video identifier to the client device corresponding to the mobile identifier. A policy corresponding to the subscriber of the managed video service may then be applied to flows over the packet core to and from the client device.

Abstract: A method is provided in one example embodiment and includes receiving a data packet transported on a backhaul link at a first network element; de-capsulating the data packet; identifying whether the data packet is an upstream data packet; identifying whether the data packet matches an internet protocol (IP) access control list (ACL) or a tunnel endpoint identifier; and offloading the data packet from the backhaul link. In more specific embodiment, the method can include identifying that the data packet does not match the IP ACL or the tunnel endpoint identifier; and communicating the data packet to a second network element. In other examples, the method can include identifying that the data packet is a downstream data packet; identifying a service to be performed for the data packet that cannot be performed at the first network element; and communicating the data packet to a second network element.

Abstract: In one embodiment, a method comprises communicating with a plurality of network elements via a first communication protocol to obtain state information of the plurality of network elements; receiving a request via a second communication protocol for a communication session to be established for a client computing device; selecting one or more network elements, wherein the selection is based on at least a portion of the state information of the network elements; and communicating identification information of the one or more network elements selected for use in the communication session.

Abstract: First, an authentication module may receive an identification (ID) linking request, create a secured ID linking request from the ID linking request, and send the secured ID linking request to a packet gateway module located in a packet core of a mobile network. Next, the packet gateway module may insert into the secured ID linking request, an encrypted version of a mobile identifier corresponding to a client device from which the secured ID linking request was received. Next, a mobile video session manager module may receive from the packet gateway module, the secured ID linking request and link a subscriber of a managed video service corresponding to a video identifier to the client device corresponding to the mobile identifier. A policy corresponding to the subscriber of the managed video service may then be applied to flows over the packet core to and from the client device.