Abstract: Roaming validation for Access Network Providers (ANPs), and particularly to protecting communications between Stations (STAs) and ANPs while providing roaming validation for ANPs may be provided. An ANP may first register a roaming federation system. The ANP may determine a roaming message based on subscription features of the network, and the ANP may request signing of the roaming message by the roaming federation system. The ANP may receive the signed roaming message from the roaming federation system and send the signed roaming message to a STA. The ANP may then receive a request to connect to the network from the STA and initiate a connection for the STA.

Abstract: Provided herein are techniques to facilitate conflict management in a shared Open Radio Access Network (O-RAN) architecture. In one instance, a method can be performed by a conflict manager of a near-real-time RAN intelligent controller of a shared RAN including radio unit (RU) nodes provided by a host operator. The method can include obtaining each of a requested radio unit (RU) configuration from each of a distributed unit (DU) node operated by each of a tenant operator and determining whether there are any conflicts among RU configuration parameters for each requested RU configuration. In one instance, upon determining one or more conflicts among the RU configuration parameters for each requested RU configuration, the method may include providing a response to each DU node indicating that each DU node is allowed to configure the plurality of RU nodes using each requested RU configuration in accordance with a modification.

Abstract: Described herein is a network that shares metrics and the algorithms used to determine the values of metrics. A wireless device includes one or more memories and one or more processors communicatively coupled to the one or more memories. The one or more processors, individually or collectively, perform an operation that includes calculating, using a first algorithm, a first value of a first metric for a wireless medium in a network, adding, to a message, the first value of the first metric, adding, to the message, an indication of the first algorithm used to calculate the first value of the first metric, and transmitting the message to report the first value of the first metric and the first algorithm.

Abstract: Differentiated service in a federation-based access network is provided by receiving a set of credentials from a User Equipment (UE) for a wireless network offering a plurality of service levels. In response to determining that the set of credentials indicate a realm associated with a given service level, network access is provided to the UE according to the given service level. In response to determining that the given service level is not a highest service level in the wireless network, a list of one or more preferred realms is transmitted to the UE, where each realm of the list of one or more preferred realms is associated with one or more higher service levels than the given service level.

Abstract: A method for exposing a location associated with an emergency call may include receiving, at a first network, a request to initiate an emergency session from a user device associated with a second network. The request may trigger the first network to determine location information of the user device. Data associated with the location information of the user device is maintained by the second network in one or more databases. The method may further include querying, by the first network, the DNS for the location information associated with the user device. The one or more databases may be updated by the second network. The method may further include receiving, at the first network and from the DNS via the one or more databases, the location information associated with the user device. The method may further include updating the emergency session based on the location information.

Abstract: The present disclosure relates to simultaneous operation of Wi-Fi access points in a super cell mode and a standalone mode and controlling connectivity of end terminals thereto. In one aspect, a method includes receiving a configuration for a group of access points operating within a network, the configuration allowing each access point of the group to operate in a super cell mode over a shared frequency channel and a standalone mode over a non-shared frequency channel. The method further includes determining, for an end terminal, whether the end terminal is to connect to the network over the shared frequency channel or the non-shared frequency channel based on a network policy to yield a determination; and controlling connectivity of the end terminal to at least one access point of the group of access points over the shared frequency channel or the non-shared frequency channel based on the determination.

Abstract: The presently claimed disclosure is directed to methods that may be implemented at a computer. Methods and systems consistent with the present disclosure may include extending protocols associated with authenticating client (i.e. supplicant) devices and with authorizing those supplicant devices to access a wireless network. These methods may include sending data relating to the failure of an authentication and/or an authorization process to a supplicant device attempting to access a wireless network. Methods discussed within may include securely sending failure codes or reasons to a supplicant device that identify why an authentication or authorization process failed. These methods may include sending messages between a supplicant device, an authenticator device, and an authentication and authorization server. After a first failure, the supplicant device may be able to access the wireless network after a reason or code of that failure has been reported to the supplicant device.

Abstract: The presently claimed disclosure is directed to methods that may be implemented at a computer. Methods and systems consistent with the present disclosure may include extending protocols associated with authenticating client (i.e. supplicant) devices and with authorizing those supplicant devices to access a wireless network. These methods may include sending data relating to the failure of an authentication and/or an authorization process to a supplicant device attempting to access a wireless network. Methods discussed within may include securely sending failure codes or reasons to a supplicant device that identify why an authentication or authorization process failed. These methods may include sending messages between a supplicant device, an authenticator device, and an authentication and authorization server. After a first failure, the supplicant device may be able to access the wireless network after a reason or code of that failure has been reported to the supplicant device.

Abstract: Disclosed are systems, apparatuses, processes, and computer-readable media for automated certificate-based device enrollment system. For example, a disclosed method includes receiving, by a client device, a certificate signed by a certificate authority, the certificate including network credential information associated with a wireless network; in response to enabling a client supplicant, configuring a credential of the client device based on the certificate and the network selection credential information; using the configured credential to trigger the automatic network detection and selection of a wireless network; and authenticating with the wireless network using the credential.

Abstract: Techniques for network communications are disclosed. These techniques include receiving a cryptographically generated device identifier (CGDI) and a public key relating to a wireless station (STA). The techniques further include determining a first hash based on decrypting the CGDI using the public key, and validating the first hash for an access network. The techniques further include identifying the STA in the access network using the CGDI based on binding the CGDI to a session associated with the STA and the access network.

Abstract: Techniques for enhancing the security of network access within an open roaming framework are provided. A first network device receives a request to authenticate connection of a user device to a network. The first network device retrieves security data associated with the network. Based on analyzing the security data associated with the network, the first network device determines that one or more security criteria are satisfied. The first network device transmits a response to the user device, where the response instructs the user device to establish a connection with the network and does not disclose the security data.

Abstract: Systems, methods, and computer-readable media are disclosed for facilitating bi-directional edge proxy-to-edge proxy communications across an enterprise firewall in 5G service-based architecture. In one aspect, a method includes receiving a subscription request from a user device to operate on a visited private network; determining that the user device is associated with a home network; and establishing a communication protocol between a security edge protection proxy of the visited private network and a security edge protection proxy of the home network, wherein the communication protocol enables bi-directional exchange of roaming signals between the visited private network and the home network while user device is operating on the visited private network.

Abstract: Presented herein are techniques associated with providing an alternative network indication to a client device in a wireless local area network (WLAN) roaming federation. In one example a method is provided that may include obtaining access network information for each of a plurality of access networks that neighbor a first access network through connection of a client device with the first access network involving a first identity provider profile; determining an alternative access network with which the client device is recommended to seek connection or an alternative identity provider profiles with which the client device is recommended to connect to the first access network; and enabling the client device to initiate a connection with the alternative access network or to re-initiate a connection with the first access network utilizing the alternative identity provider profile.

Abstract: Access network monitoring in a wireless federation may be provided. A plurality of access requests may be received from a probe device. Each of the plurality of access requests may comprise access request information. Next, an availability metric may be determined based on an amount of the plurality of access requests received and the access request information. The availability metric may then be reported.

Abstract: Presented herein are techniques associated with replicating an OpenRoaming™ policy federation in a Third Generation Partnership Project (3GPP) network environment. For example, techniques herein provide a roaming policy federation architecture for a 3GPP network environment.

Abstract: The disclosed technology relates to a process of evaluating any number of different identity providers (IDPs) and their respective set of credentials that are used to authenticate corresponding users to assist with the onboarding of the different IDPs in connection with Wi-Fi identity federations. In particular, the process allows a person's electronic identity and attributes (stored across one or more IDPs) to be determined once using a standard. Once trust has been established for the user, that trust can then be utilized across a number of different systems (e.g., Single-sign on). The same trust determination can be used without the need for the authenticity of the user identity to be re-evaluated with each new access request.

Abstract: Presented herein are techniques to facilitate fast roaming between a mobile network operator-public (MNO-public) wireless wide area (WWA) access network and an enterprise private WWA access network. In one example, a method is provided that may include generating, by an authentication node, authentication material for a user equipment (UE) based on the UE being connected to a public WWA access network, wherein the public WWA access network is associated with a mobile network operator, and the authentication node and the UE are associated with an enterprise entity; obtaining, by the authentication node, an indication that the UE is attempting to access a private WWA access network associated with the enterprise entity; and providing, by the authentication node, the authentication material for the UE, wherein the authentication material facilitates connection establishment between the UE and the private WWA access network.

Abstract: The disclosed technology relates to a process of evaluating any number of different identity providers (IDPs) and their respective set of credentials that are used to authenticate corresponding users to assist with the onboarding of the different IDPs in connection with Wi-Fi identity federations. In particular, the process allows a person's electronic identity and attributes (stored across one or more IDPs) to be determined once using a standard. Once trust has been established for the user, that trust can then be utilized across a number of different systems (e.g., Single-sign on). The same trust determination can be used without the need for the authenticity of the user identity to be re-evaluated with each new access request.

Abstract: Techniques for wireless communications are disclosed. The techniques include generating a provisioning domain (PVD) identifier by associating a roaming consortium organization identifier (RCOI), relating to an identity federation comprising an identity provider (IDP), with the PVD. The techniques further include providing PVD configuration information from the IDP to a wireless station (STA) associated with the IDP, using the PVD identifier. The techniques further include applying one or more configuration policies at the STA based on the PVD configuration information.

Abstract: Subscriber identity concealment from an access network provider may be provided. A computing device may receive first identity data associated with a client device. Then the first identity data associated with the client device may be encrypted using second identity data to create an encrypted version of the first identity data associated with the client device. The encrypted version of the first identity data associated with the client device may be provided to an access network.