Patents by Inventor Bart A. Brinckman

Bart A. Brinckman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20210274426
    Abstract: Presented herein are techniques to facilitate wireless authorization based on in-line assurance and tariffing information. In one example, a method may include obtaining, by a home network, a request to authorize access of a roaming subscriber for a visited network; determining whether the request includes visited network charging information and visited network metric information; based on determining that the request includes the visited network charging information and the visited network metric information, determining whether one or more visited network metrics satisfy one or more threshold metrics for the roaming subscriber; and based on determining that the one or more visited network metrics satisfy the one or more threshold metrics for the roaming subscriber, authorizing access of the roaming subscriber for the visited network.
    Type: Application
    Filed: September 16, 2020
    Publication date: September 2, 2021
    Inventors: Mark Grayson, Jerome Henry, Bart A. Brinckman, Matthew Stephen MacPherson
  • Patent number: 11102236
    Abstract: Systems and methods provide for identification and remediation of IoT devices exhibiting anomalous behaviors. An IoT management system can identify IoT devices requiring remediation. The IoT management system may present a first interface including representations of the devices requiring remediation, where each representation can include identifying information for an IoT device, policies applied to the IoT device, and bandwidth/throughput information of the IoT device. The IoT management system can present a second remediation interface representing a detailed representation of a first IoT device. The detailed representation can include user interface elements representing actions to be performed relating to the first IoT device. The IoT management system can perform a first action corresponding to a selection of one of the user interface elements.
    Type: Grant
    Filed: November 19, 2018
    Date of Patent: August 24, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Mark Stephan Shurtleff, Jerome Henry, Bart Brinckman
  • Publication number: 20210235459
    Abstract: A system and method for optimizing access points (APs) within a network comprises receiving, at a first AP, parameters corresponding to a second AP, and determining that the first AP and the second AP are part of a first and a second wireless local area network (WLAN), respectively. The first and second WLANs support client credential sharing, allowing seamless transitioning of a client device between the first and second WLANs using common credentials. Further, co-channel interference between the first AP and the second AP is detected based on the parameters corresponding to the second AP and parameters of the first AP, and at least one of a channel and transmission power of one or more of the first AP and the second AP is changed in response to the detection of the interference.
    Type: Application
    Filed: January 24, 2020
    Publication date: July 29, 2021
    Inventors: Vishal S. DESAI, Robert E. BARTON, Bart A. BRINCKMAN, Jerome HENRY
  • Publication number: 20210218727
    Abstract: The disclosed technology relates to a process of evaluating any number of different identity providers (IDPs) and their respective set of credentials that are used to authenticate corresponding users to assist with the onboarding of the different IDPs in connection with Wi-Fi identity federations. In particular, the process allows a person's electronic identity and attributes (stored across one or more IDPs) to be determined once using a standard. Once trust has been established for the user, that trust can then be utilized across a number of different systems (e.g., Single-sign on). The same trust determination can be used without the need for the authenticity of the user identity to be re-evaluated with each new access request.
    Type: Application
    Filed: January 14, 2020
    Publication date: July 15, 2021
    Inventors: Malcolm Muir Smith, Bart Brinckman, Mark Grayson, Jerome Henry, Matthew Stephen MacPherson
  • Patent number: 11044203
    Abstract: An example method is provided in one example embodiment and may include receiving traffic associated with at least one of a mobile network and a Gi-Local Area Network (Gi-LAN), wherein the traffic comprises one or more packets; determining a classification of the traffic to a service chain, wherein the service chain comprises one or more service functions associated with at least one of one or more mobile network services and one or more Gi-LAN services; routing the traffic through the service chain; and routing the traffic to a network using one of a plurality of egress interfaces, wherein each egress interface of the plurality of egress interfaces is associated with at least one of the one or more mobile network services and the one or more Gi-LAN services.
    Type: Grant
    Filed: June 2, 2016
    Date of Patent: June 22, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Hendrikus G. P. Bosch, Jeffrey Napper, Alessandro Duminuco, Humberto J. La Roche, Sape Jurriën Mullender, Surendra M. Kumar, Louis Gwyn Samuel, Bart A. Brinckman, Aeneas Sean Dodd-Noble, Luca Martini
  • Patent number: 11038881
    Abstract: Various embodiments disclosed herein include apparatuses, systems, devices, and methods for anonymously generating an encrypted session for a client device in a wireless network. The method comprises, in response to providing, to the client device in the wireless network, a request for credentials associated with the client device, obtaining, from the client device, a response including proposed credentials associated with the client device. The method further comprises determining whether or not the format of the response matches a response template. The method further comprises, in response to determining that the format of the response matches the response template, generating an encrypted wireless session for the client device independent of the proposed credentials associated with the client device.
    Type: Grant
    Filed: November 1, 2018
    Date of Patent: June 15, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Bart Brinckman, Jerome Henry, Malcolm Muir Smith, Mark Grayson, David Delano Ward
  • Patent number: 11019564
    Abstract: Roaming Consortium Identifier (RCOI)-based handling of identity requirements may be provided. First, an access device may advertise an identifier. The identifier may identify a roaming federation and an identity type used by a service provider in order to provide service by the access device. Next, a request to associate with the access device may be received from a user device. The request may be compliant with the identity type advertised in the identifier. The user device may then be associated with the access device in response to receiving the request.
    Type: Grant
    Filed: July 15, 2019
    Date of Patent: May 25, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Mark Grayson, Jerome Henry, Malcolm Muir Smith, Bart A. Brinckman
  • Publication number: 20210120000
    Abstract: Various implementations disclosed herein enable controlling access to networks. In various implementations, a method of controlling access to a network is performed by a computing device including one or more processors, and a non-transitory memory. In various implementations, the method includes obtaining an indication that a mobile device having access to a first network utilizing a first radio access technology (RAT) has requested access to a second network utilizing a second RAT. In some implementations, the method includes determining whether the access to the first network satisfies an authentication criterion associated with the second network. In some implementations, the method includes granting the mobile device access to the second network in response to determining that the access to the first network satisfies the authentication criterion associated with the second network.
    Type: Application
    Filed: December 29, 2020
    Publication date: April 22, 2021
    Inventors: Gangadharan Byju Pularikkal, Mark Grayson, Santosh Ramrao Patil, Jerome Henry, Bart Brinckman, Mark Allen Webb
  • Patent number: 10944757
    Abstract: A method comprises obtaining, from a client device, a first set of application authentication credentials formatted in accordance with a first authentication protocol. The first set of application authentication credentials corresponds to a first user profile. The method includes translating the first set of application authentication credentials to a second set of application authentication credentials. The second set of application authentication credentials is formatted in accordance with a second authentication protocol different from the first authentication protocol and corresponds to the first user profile. The method includes providing the second set of application authentication credentials to an application authentication system. The method includes, in response to providing the second set of application authentication credentials to the application authentication system, obtaining, from the application authentication system, an application authentication indicator.
    Type: Grant
    Filed: September 19, 2018
    Date of Patent: March 9, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Bart Brinckman, Jerome Henry, Robert Edgar Barton, David Delano Ward
  • Publication number: 20210058391
    Abstract: A Third Generation Partnership Project (3GPP) based network, such as an enterprise private 3GPP network, is operative to provide a guest onboarding of a device using a realm-based discovery of an identity provider and a mutual authentication of identity federation peers. A secure connection may be established between the peers so that the device may be authenticated based on credentials associated with a Subscriber Identity Module (SIM) provided by its Mobile Network Operator (MNO). Credentials may be extended to those associated with embedded SIMs (eSIMs), digital certificates from private enterprises, login and passwords, and identities from a wide range of identity providers. After device authentication, the 3GPP-based network is operative to select and enforce access policies according to an identity or other attribute of the device.
    Type: Application
    Filed: August 10, 2020
    Publication date: February 25, 2021
    Inventors: John Martin Graybeal, Bart A. Brinckman, Srinath Gundavelli
  • Patent number: 10932132
    Abstract: A user equipment (UE) may be in coverage of a local private non-Third Generation Partnership Project (non-3GPP) wireless network (e.g. a Wi-Fi network) of an enterprise. This non-3GPP wireless network may be part of a private communication system of the enterprise which further includes a local private 3GPP network (e.g. a Long-Term Evolution or “LTE” based network). When the non-3GPP wireless network advertises “single-authentication” support, the UE may complete authentication for non-3GPP access, obtain a Master Session Key (MSK) from the authentication, and generate an Access Security Management Entity (ASME) key (KASME) based on the MSK. In further implementations, the UE may obtain a Globally Unique Temporary Identifier (GUTI) from the non-3GPP wireless network. Subsequently, the UE may perform an attach procedure with the local private 3GPP network without performing an authentication procedure, presenting the GUTI that it obtained from the non-3GPP wireless network for 3GPP access.
    Type: Grant
    Filed: May 27, 2020
    Date of Patent: February 23, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Srinath Gundavelli, Indermeet Singh Gandhi, Bart A. Brinckman, John Martin Graybeal
  • Patent number: 10911453
    Abstract: Various implementations disclosed herein enable controlling access to networks. In various implementations, a method of controlling access to a network is performed by a computing device including one or more processors, and a non-transitory memory. In various implementations, the method includes obtaining an indication that a mobile device having access to a first network utilizing a first radio access technology (RAT) has requested access to a second network utilizing a second RAT. In some implementations, the method includes determining whether the access to the first network satisfies an authentication criterion associated with the second network. In some implementations, the method includes granting the mobile device access to the second network in response to determining that the access to the first network satisfies the authentication criterion associated with the second network.
    Type: Grant
    Filed: December 26, 2017
    Date of Patent: February 2, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Gangadharan Byju Pularikkal, Mark Grayson, Santosh Ramrao Patil, Jerome Henry, Bart Brinckman, Mark Allen Webb
  • Patent number: 10880291
    Abstract: Single sign-on (SSO) techniques of the present disclosure provide for enterprise application user identities that are bound to a mobile identity (e.g. IMSI) associated with a user equipment (UE) for authentication, using general bootstrapping architecture (GBA)/general authentication architecture (GAA) functionality in combination with identity provider (IDP) functionality (e.g. OpenID Connect), all of which may be provided in an enterprise network. The present techniques need not rely on GBA/GAA infrastructure of a mobile network operator (MNO), and have little or no impact or effect on the mobile network.
    Type: Grant
    Filed: February 9, 2018
    Date of Patent: December 29, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Konstantin Livanos, Bart Brinckman, Ian McDowell Campbell
  • Patent number: 10848958
    Abstract: Profile prioritization in a roaming consortium environment may be provided. First, a client device may initiate a network discovery with a network device. Next, the client device may receive in response to initiating the network discovery, a response. The response may comprise an organization identifier and a plurality of response access identifiers corresponding to the organization identifier. A one of the plurality of response access identifiers may be labeled as preferred. Then the client device may determine to access the network based on the organization identifier. The client device may then select, from a plurality of profiles, a profile for accessing the network. The selected profile may have a profile access identifier corresponding to the one of the plurality of response access identifiers labeled as preferred.
    Type: Grant
    Filed: October 15, 2018
    Date of Patent: November 24, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Mark Grayson, Bart A. Brinckman, Jerome Henry, Desmond Joseph O'Connor, Simon Dyke
  • Publication number: 20200295994
    Abstract: The present technology provides a system and method for automating on-boarding and management of IoT devices on a data network. The disclosed technology further provides an interactive representation of various performance attributes with automatically generated actionable alerts based on operator-defined rules and performance-specific threshold values. Furthermore, the disclosed technology provides for single-click activation of suggested actions at scale, directed at once to all device units within one or more device groups reported in critical state. In this way the proposed technology enables rapid restoration of a network state. Offending device(s) may then be easily identified, from device units within the device category isolated in a resolution space, and managed according to one or more device-specific actionable alerts automatically generated on the offending device.
    Type: Application
    Filed: March 14, 2019
    Publication date: September 17, 2020
    Inventors: Mark Stephan Shurtleff, Jerome Henry, Bart Brinckman
  • Publication number: 20200267555
    Abstract: In one embodiment, a method for providing access to wireless networks may include receiving, by a wireless network access provider from a user device, a request to access a wireless network. The method may include obtaining data representing a policy applicable to the access request, sending the access request, augmented with the policy, to an identity provider associated with the user and having no pre-existing relationship with the access provider, and receiving, from the identity provider, an access request response indicating whether or not the policy is met. The method may include communicating, to the wireless device, an indication that the access request has been accepted, if the policy is met, or an indication that the access request has been rejected, if the policy is not met. The access provider and identity provider may be members of an identity and access federation that communicate over a dynamically established secure connection.
    Type: Application
    Filed: May 4, 2020
    Publication date: August 20, 2020
    Inventors: Mark Grayson, Desmond Joseph O'Connor, Malcolm Muir Smith, Bart Brinckman
  • Patent number: 10750366
    Abstract: A user equipment (UE) may be in coverage of a local private non-Third Generation Partnership Project (non-3GPP) wireless network (e.g. a Wi-Fi network) of an enterprise. This non-3GPP wireless network may be part of a private communication system of the enterprise which further includes a local private 3GPP network (e.g. a Long-Term Evolution or “LTE” based network). When the non-3GPP wireless network advertises “single-authentication” support, the UE may complete authentication for non-3GPP access, obtain a Master Session Key (MSK) from the authentication, and generate an Access Security Management Entity (ASME) key (KASME) based on the MSK. In further implementations, the UE may obtain a Globally Unique Temporary Identifier (GUTI) from the non-3GPP wireless network. Subsequently, the UE may perform an attach procedure with the local private 3GPP network without performing an authentication procedure, presenting the GUTI that it obtained from the non-3GPP wireless network for 3GPP access.
    Type: Grant
    Filed: December 19, 2019
    Date of Patent: August 18, 2020
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Srinath Gundavelli, Indermeet Singh Gandhi, Bart A. Brinckman, John Martin Graybeal
  • Publication number: 20200236112
    Abstract: In one embodiment, a gateway to a zero trust network applies an access control policy to an endpoint device attempting to access a cloud-based application hosted by the zero trust network. The gateway acts as a reverse proxy between the endpoint device and the cloud-based application, based on the access control policy applied to the endpoint device. The gateway captures telemetry data regarding application traffic reverse proxied by the gateway between the endpoint device and the cloud-based application. The gateway detects an anomalous behavior of the application traffic by comparing the captured telemetry data to a machine learning-based behavioral model for the application. The gateway initiates a mitigation action for the detected anomalous behavior of the application traffic.
    Type: Application
    Filed: January 18, 2019
    Publication date: July 23, 2020
    Inventors: Gangadharan Byju Pularikkal, Santosh Ramrao Patil, Bart Brinckman, Madhusudan Nanjanagud
  • Publication number: 20200177485
    Abstract: An IoT management system can determine historical traffic volumes of a plurality of IoT devices over one or more time intervals. The IoT management system can determine historical temporal traffic metrics of the IoT devices over the time intervals. The IoT management system can determine standard deviation information for at least one of the historical traffic volumes or the historical temporal traffic metrics over the time intervals. The IoT management system can determine current traffic volumes of the IoT devices. The IoT management system can determine current temporal traffic volumes of the IoT devices. The IoT management system can present an interface including first information indicative of the current traffic volumes, second information indicative of the current temporal traffic metrics, and third information indicative of at least one of the current traffic volumes or the current temporal traffic metrics relative to the standard deviation information.
    Type: Application
    Filed: December 4, 2018
    Publication date: June 4, 2020
    Inventors: Mark Stephan Shurtleff, Jerome Henry, Bart Brinckman
  • Patent number: 10667135
    Abstract: In one embodiment, a method for providing access to wireless networks may include receiving, by a wireless network access provider from a user device, a request to access a wireless network. The method may include obtaining data representing a policy applicable to the access request, sending the access request, augmented with the policy, to an identity provider associated with the user and having no pre-existing relationship with the access provider, and receiving, from the identity provider, an access request response indicating whether or not the policy is met. The method may include communicating, to the wireless device, an indication that the access request has been accepted, if the policy is met, or an indication that the access request has been rejected, if the policy is not met. The access provider and identity provider may be members of an identity and access federation that communicate over a dynamically established secure connection.
    Type: Grant
    Filed: January 11, 2018
    Date of Patent: May 26, 2020
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Mark Grayson, Desmond Joseph O'Connor, Malcolm Muir Smith, Bart Brinckman