Abstract: Techniques that provide proactive and intelligent packet capturing are described herein. In one embodiment, a method includes storing information associated with a plurality of user equipment (UE) sessions of a plurality of UEs within a mobile network; detecting an anomaly associated with at least one UE session of at least one UE based, at least in part, on the information stored for the at least one UE session; and activating a trace for the at least one UE session based, at least in part, on detecting the anomaly associated with the at least one UE session, wherein activating the trace comprises capturing packet information for a data packet flow associated with the at least one UE session at one or more data-path network elements of a plurality of data-path network elements within the mobile network.

Abstract: Techniques are described herein for providing cellular access of a user-defined network. In one example, a user plane function of a cellular network obtains, from a control plane function of the cellular network, an indication that a first user equipment is attempting to connect to a user-defined network via the cellular network. The user plane function joins a multicast group configured to include a second user equipment connected to the user-defined network via a wireless local area network. The user plane function obtains a multicast packet that is transmitted between the first user equipment and the second user equipment and that is addressed to the multicast group, and converts the multicast packet to a unicast packet.

Abstract: A secure Simultaneous Authentication of Equals (SAE) anti-clogging mechanism may be provided. A public key of an access point may be provided from the access point to a client attempting to connect with a network via the access point. The access point may receive from the client a first anti-clogging token and a public key of the client. The first anti-clogging token may be generated by the first client using a shared secret based on a private key of the client and the public key of the access point and a multiplier. The access point may generate a second anti-clogging token using a shared secret based on a private key of the access point and the public key of the client and the multiplier. The access point may then verify the first anti-clogging token and the second anti-clogging token match to authenticate the client.

Abstract: A wireless network environment includes a plurality of access points, a wireless local area network (WLAN) controller, and a plurality of client devices. The client devices attempt to authenticate with the WLAN controller to gain access to wireless services provided by the WLAN controller and/or the access points. To authenticate with the WLAN controller, the WLAN controller obtains a request to establish a wireless network connection from one or more of the client devices. The WLAN controller then provides a response to the request. The response indicates whether the WLAN controller supports performing password-mapped simultaneous authentication of equals (SAE). The WLAN controller then obtains a message including a password-mapped identifier from the client device. The WLAN controller then establishes a connection with the client device based on the password obtained with password-mapped identifier mapping at WLC.

Abstract: Authentication with security in wireless networks may be provided. A first confirm message comprising a first send-confirm element and a first confirm element may be received. Next, an Authenticator Number Used Once (ANonce) may be generated and a second confirm message may be sent comprising the ANonce, a second send-confirm element, and a second confirm element. Then an association request may be received comprising a Supplicant Number Used Once (SNonce) and a Message Integrity Code (MIC). An association response may be sent comprising an encrypted Group Temporal Key (GTK), an encrypted Integrity Group Temporal Key (IGTK), the ANonce, and the MIC. An acknowledgment may be received comprising the MIC in an Extensible Authentication Protocol (EAP) over LAN (EAPoL) key frame and a controller port may be unblocked in response to receiving the acknowledgment.

Abstract: Authentication with security in wireless networks may be provided. A first confirm message comprising a first send-confirm element and a first confirm element may be received. Next, an Authenticator Number Used Once (ANonce) may be generated and a second confirm message may be sent comprising the ANonce, a second send-confirm element, and a second confirm element. Then an association request may be received comprising a Supplicant Number Used Once (SNonce) and a Message Integrity Code (MIC). An association response may be sent comprising an encrypted Group Temporal Key (GTK), an encrypted Integrity Group Temporal Key (IGTK), the ANonce, and the MIC. An acknowledgment may be received comprising the MIC in an Extensible Authentication Protocol (EAP) over LAN (EAPoL) key frame and a controller port may be unblocked in response to receiving the acknowledgment.

Abstract: A secure Simultaneous Authentication of Equals (SAE) anti-clogging mechanism may be provided. A public key of an access point may be provided from the access point to a client attempting to connect with a network via the access point. The access point may receive from the client a first anti-clogging token and a public key of the client. The first anti-clogging token may be generated by the first client using a shared secret based on a private key of the client and the public key of the access point and a multiplier. The access point may generate a second anti-clogging token using a shared secret based on a private key of the access point and the public key of the client and the multiplier. The access point may then verify the first anti-clogging token and the second anti-clogging token match to authenticate the client.

Abstract: Techniques that provide proactive and intelligent packet capturing are described herein. In one embodiment, a method includes storing information associated with a plurality of user equipment (UE) sessions of a plurality of UEs within a mobile network; detecting an anomaly associated with at least one UE session of at least one UE based, at least in part, on the information stored for the at least one UE session; and activating a trace for the at least one UE session based, at least in part, on detecting the anomaly associated with the at least one UE session, wherein activating the trace comprises capturing packet information for a data packet flow associated with the at least one UE session at one or more data-path network elements of a plurality of data-path network elements within the mobile network.

Abstract: Authentication with security in wireless networks may be provided. A first confirm message comprising a first send-confirm element and a first confirm element may be received. Next, an Authenticator Number Used Once (ANonce) may be generated and a second confirm message may be sent comprising the ANonce, a second send-confirm element, and a second confirm element. Then an association request may be received comprising a Supplicant Number Used Once (SNonce) and a Message Integrity Code (MIC). An association response may be sent comprising an encrypted Group Temporal Key (GTK), an encrypted Integrity Group Temporal Key (IGTK), the ANonce, and the MIC. An acknowledgment may be received comprising the MIC in an Extensible Authentication Protocol (EAP) over LAN (EAPoL) key frame and a controller port may be unblocked in response to receiving the acknowledgment.

Abstract: A wireless network environment includes a plurality of access points, a wireless local area network (WLAN) controller, and a plurality of client devices. The client devices attempt to authenticate with the WLAN controller to gain access to wireless services provided by the WLAN controller and/or the access points. To authenticate with the WLAN controller, the WLAN controller obtains a request to establish a wireless network connection from one or more of the client devices. The WLAN controller then provides a response to the request. The response indicates whether the WLAN controller supports performing password-mapped simultaneous authentication of equals (SAE). The WLAN controller then obtains a message including a password-mapped identifier from the client device. The WLAN controller then establishes a connection with the client device based on the password obtained with password-mapped identifier mapping at WLC.

Abstract: Techniques that provide proactive and intelligent packet capturing are described herein. In one embodiment, a method includes storing information associated with a plurality of user equipment (UE) sessions of a plurality of UEs within a mobile network; detecting an anomaly associated with at least one UE session of at least one UE based, at least in part, on the information stored for the at least one UE session; and activating a trace for the at least one UE session based, at least in part, on detecting the anomaly associated with the at least one UE session, wherein activating the trace comprises capturing packet information for a data packet flow associated with the at least one UE session at one or more data-path network elements of a plurality of data-path network elements within the mobile network.

Abstract: An example method is provided and may include retrieving by a user equipment (UE) an access point (AP) Media Access Control (MAC) address for an AP to which the UE is connected; reporting location information for the UE to an evolved Packet Data Gateway over an SWu interface using Internet Key Exchange version 2 (IKEv2) protocol, wherein the location information includes, at least in part, a UE location in GPS coordinates, a service set identifier, the retrieved AP MAC address and cell identity information for the UE; and populating a location database with the location information. The method can include embedding the location information in an identity initiator (Idi) of an IKE Authentication Request (IKE_AUTH_REQ) message using a Network Access Identifier (NAI) and communicating the location information from the ePDG to a PGW over an S2b interface using a private extension information element of GPRS Tunneling Protocol version 2 (GTPv2).

Abstract: An example method is provided and may include receiving a DIAMETER-based error over an SWm interface by a first evolved packet data gateway (ePDG) for a user equipment (UE) attempting to connect to the first ePDG; determining an Internet Key Exchange version two (IKEv2) error type corresponding to the DIAMETER-based error; and communicating the IKEv2 error type to the UE over an SWu interface. In some cases, the IKEv2 error type can be included in a notify payload or in a vendor ID payload for an IKE authentication response (IKE_AUTH_RESP) message. By distinguishing the IKEv2 error type, the UE can determine whether the error is a temporary or a permanent type and can determine whether to attempt to connect again to the first ePDG after a period of time or attempt to connect to another ePDG, which can help to reduce unnecessary signaling and provide better connectivity and user experience.

Abstract: An example method is provided and may include retrieving by a user equipment (UE) an access point (AP) Media Access Control (MAC) address for an AP to which the UE is connected; reporting location information for the UE to an evolved Packet Data Gateway over an SWu interface using Internet Key Exchange version 2 (IKEv2) protocol, wherein the location information includes, at least in part, a UE location in GPS coordinates, a service set identifier, the retrieved AP MAC address and cell identity information for the UE; and populating a location database with the location information. The method can include embedding the location information in an identity initiator (Idi) of an IKE Authentication Request (IKE_AUTH_REQ) message using a Network Access Identifier (NAI) and communicating the location information from the ePDG to a PGW over an S2b interface using a private extension information element of GPRS Tunneling Protocol version 2 (GTPv2).

Abstract: An example method is provided and may include retrieving by a user equipment (UE) an access point (AP) Media Access Control (MAC) address for an AP to which the UE is connected; reporting location information for the UE to an evolved Packet Data Gateway over an SWu interface using Internet Key Exchange version 2 (IKEv2) protocol, wherein the location information includes, at least in part, a UE location in GPS coordinates, a service set identifier, the retrieved AP MAC address and cell identity information for the UE; and populating a location database with the location information. The method can include embedding the location information in an identity initiator (Idi) of an IKE Authentication Request (IKE_AUTH_REQ) message using a Network Access Identifier (NAI) and communicating the location information from the ePDG to a PGW over an S2b interface using a private extension information element of GPRS Tunneling Protocol version 2 (GTPv2).

Abstract: An example method is provided and may include receiving a DIAMETER-based error over an SWm interface by a first evolved packet data gateway (ePDG) for a user equipment (UE) attempting to connect to the first ePDG; determining an Internet Key Exchange version two (IKEv2) error type corresponding to the DIAMETER-based error; and communicating the IKEv2 error type to the UE over an SWu interface. In some cases, the IKEv2 error type can be included in a notify payload or in a vendor ID payload for an IKE authentication response (IKE_AUTH_RESP) message. By distinguishing the IKEv2 error type, the UE can determine whether the error is a temporary or a permanent type and can determine whether to attempt to connect again to the first ePDG after a period of time or attempt to connect to another ePDG, which can help to reduce unnecessary signaling and provide better connectivity and user experience.

Abstract: An example method is provided and may include receiving a DIAMETER-based error over an SWm interface by a first evolved packet data gateway (ePDG) for a user equipment (UE) attempting to connect to the first ePDG; determining an Internet Key Exchange version two (IKEv2) error type corresponding to the DIAMETER-based error; and communicating the IKEv2 error type to the UE over an SWu interface. In some cases, the IKEv2 error type can be included in a notify payload or in a vendor ID payload for an IKE authentication response (IKE_AUTH_RESP) message. By distinguishing the IKEv2 error type, the UE can determine whether the error is a temporary or a permanent type and can determine whether to attempt to connect again to the first ePDG after a period of time or attempt to connect to another ePDG, which can help to reduce unnecessary signaling and provide better connectivity and user experience.

Abstract: An example method is provided and may include receiving a DIAMETER-based error over an SWm interface by a first evolved packet data gateway (ePDG) for a user equipment (UE) attempting to connect to the first ePDG; determining an Internet Key Exchange version two (IKEv2) error type corresponding to the DIAMETER-based error; and communicating the IKEv2 error type to the UE over an SWu interface. In some cases, the IKEv2 error type can be included in a notify payload or in a vendor ID payload for an IKE authentication response (IKE_AUTH_RESP) message. By distinguishing the IKEv2 error type, the UE can determine whether the error is a temporary or a permanent type and can determine whether to attempt to connect again to the first ePDG after a period of time or attempt to connect to another ePDG, which can help to reduce unnecessary signaling and provide better connectivity and user experience.

Abstract: An example method is provided and may include retrieving by a user equipment (UE) an access point (AP) Media Access Control (MAC) address for an AP to which the UE is connected; reporting location information for the UE to an evolved Packet Data Gateway over an SWu interface using Internet Key Exchange version 2 (IKEv2) protocol, wherein the location information includes, at least in part, a UE location in GPS coordinates, a service set identifier, the retrieved AP MAC address and cell identity information for the UE; and populating a location database with the location information. The method can include embedding the location information in an identity initiator (Idi) of an IKE Authentication Request (IKE_AUTH_REQ) message using a Network Access Identifier (NAI) and communicating the location information from the ePDG to a PGW over an S2b interface using a private extension information element of GPRS Tunneling Protocol version 2 (GTPv2).

Abstract: An example method is provided and may include retrieving by a user equipment (UE) an access point (AP) Media Access Control (MAC) address for an AP to which the UE is connected; reporting location information for the UE to an evolved Packet Data Gateway over an SWu interface using Internet Key Exchange version 2 (IKEv2) protocol, wherein the location information includes, at least in part, a UE location in GPS coordinates, a service set identifier, the retrieved AP MAC address and cell identity information for the UE; and populating a location database with the location information. The method can include embedding the location information in an identity initiator (Idi) of an IKE Authentication Request (IKE_AUTH_REQ) message using a Network Access Identifier (NAI) and communicating the location information from the ePDG to a PGW over an S2b interface using a private extension information element of GPRS Tunneling Protocol version 2 (GTPv2).