Abstract: Techniques are described for providing wireless network connectivity using a distributed mobility management functionality. In one example, each of a plurality of on-premise access points co-locate a mobility management functionality and a packet routing and forwarding functionality. Each of the plurality of on-premise access points obtain, from user equipment, a request to wirelessly connect to the on-premise access point. Each of the plurality of on-premise access points provide the user equipment with wireless network connectivity using the co-located mobility management functionality and the packet routing and forwarding functionality.

Abstract: A mobility management entity (MME) controls an enterprise fabric. The MME receives from a mobile device via a cellular network a request to initiate an attach procedure. In response, the MME acquires from the mobile device a unique equipment identifier of the mobile device. The MME generates an enterprise identity for the mobile device based on the unique equipment identifier, and registers the enterprise identity in the enterprise fabric. The MME signals to a user plane function of the cellular network that the mobile device has been registered, to trigger the user plane function to acquire an Internet Protocol (IP) address of the mobile device based on the enterprise identity. The MME receives from the user plane function the acquired IP address. The MME sends to the mobile device, through the cellular network, an attach accept message that includes the acquired IP address for use by the mobile device.

Abstract: In various implementations, a method includes receiving a request to establish an end-to-end encrypted session between a device in an enterprise network and an external entity that is outside the enterprise network. In some implementations, the end-to-end encrypted session allows encrypted packets to be transmitted between the device and the external entity. In various implementations, the method includes determining whether the request satisfies an enterprise security criterion for establishing the end-to-end encryption session. In various implementations, the method includes in response to determining that the request satisfies the enterprise security criterion, triggering the establishment of the end-to-end encrypted session between the device in the enterprise network and the external entity that is outside the enterprise entity.

Abstract: A mobility management entity (MME) controls an enterprise fabric. The MME receives from a mobile device via a cellular network a request to initiate an attach procedure. In response, the MME acquires from the mobile device a unique equipment identifier of the mobile device. The MME generates an enterprise identity for the mobile device based on the unique equipment identifier, and registers the enterprise identity in the enterprise fabric. The MME signals to a user plane function of the cellular network that the mobile device has been registered, to trigger the user plane function to acquire an Internet Protocol (IP) address of the mobile device based on the enterprise identity. The MME receives from the user plane function the acquired IP address. The MME sends to the mobile device, through the cellular network, an attach accept message that includes the acquired IP address for use by the mobile device.

Abstract: In one example, a server obtains, from a device having an embedded Subscriber Identification Module (eSIM), a unique identifier of the eSIM. The server validates the device based on the unique identifier of the eSIM. The server provides, to the device, a unique credential for a profile of the eSIM. The profile of the eSIM corresponds to a network of an enterprise. The server provides, to a credential database, the unique credential for the profile of the eSIM. The credential database including the unique credential for the profile of the eSIM indicates that the device is permitted to access the network of the enterprise.

Abstract: In one embodiment, a method for providing access to wireless networks may include receiving, by a wireless network access provider from a user device, a request to access a wireless network. The method may include obtaining data representing a policy applicable to the access request, sending the access request, augmented with the policy, to an identity provider associated with the user and having no pre-existing relationship with the access provider, and receiving, from the identity provider, an access request response indicating whether or not the policy is met. The method may include communicating, to the wireless device, an indication that the access request has been accepted, if the policy is met, or an indication that the access request has been rejected, if the policy is not met. The access provider and identity provider may be members of an identity and access federation that communicate over a dynamically established secure connection.

Abstract: Techniques are described to provide for authentication and subscription management that are decoupled from a Home Subscriber Server (HSS).

Abstract: Techniques for optimizing performance of narrowband Internet-of-Things (NB-IoT) devices in a wireless wide area network (WWAN) are described. In one embodiment, a method includes providing a NB-IoT base station in an in-band deployment mode to operate within a WWAN. The NB-IoT base station is configured to use a physical resource block of the WWAN for communicating with a plurality of NB-IoT devices. The method includes causing a reduction of a power level for a transmission from an initial power level to a first reduced power level. The method includes obtaining parameters associated with performance and throughput for the WWAN and comparing the parameters to a quality threshold. Based on the comparison of the parameters to the threshold, the method includes determining whether or not to reduce the power level for the physical resource block from the first reduced power level to a second reduced power level.

Abstract: Techniques for optimizing performance of narrowband Internet-of-Things (NB-IoT) devices in a wireless wide area network (WWAN) are described. In one embodiment, a method includes providing a NB-IoT base station in an in-band deployment mode to operate within a WWAN. The NB-IoT base station is configured to use a physical resource block of the WWAN for communicating with a plurality of NB-IoT devices. The method includes causing a reduction of a power level for a transmission from an initial power level to a first reduced power level. The method includes obtaining parameters associated with performance and throughput for the WWAN and comparing the parameters to a quality threshold. Based on the comparison of the parameters to the threshold, the method includes determining whether or not to reduce the power level for the physical resource block from the first reduced power level to a second reduced power level.

Abstract: Various implementations disclosed herein provide a method for authenticating users to an enterprise network using closed subscriber groups. The method includes determining whether the client device is associated with a subscriber group that corresponds to the enterprise network. The method further includes granting the client device access to the enterprise network in response to determining that the client device is associated with the subscriber group that corresponds to the enterprise network.

Abstract: An example method is provided in one example embodiment and may include determining a first routing metric associated with a first communication network, wherein the first routing metric identifies a capability of the first communication network to handle an Internet Protocol (IP) flow for a user equipment (UE); determining a second routing metric associated with a second communication network, wherein the second routing metric identifies a capability of the second communication network to handle the IP flow for the UE and wherein the second routing metric is different from the first routing metric; and routing the IP flow for the UE using the first communication network or the second communication network based, at least in part, on the first routing metric and the second routing metric.

Abstract: An example method is provided in one example embodiment and includes receiving an assignment request from a core node in a network to establish a tunnel for user plane traffic; forwarding first parameters to a controller of an enterprise network, wherein the first parameters include a tunnel identifier and a network address associated with the core node; receiving an assignment response; and forwarding second parameters to the core node, wherein the second parameters include a tunnel identifier and a network address associated with the controller. In some instances, the assignment request can be a request to establish a tunnel for user plane data traffic. In some instances, the assignment request can be a request to establish a tunnel for user plane voice traffic.

Abstract: In one embodiment, a method is performed. An interworking module of a wireless local access network (LAN) controller may receive a non-access stratum (NAS) message from an access point (AP) device using a control and provisioning of wireless access protocols (CAPWAP) tunnel. The NAS message may be translated to a WiFi service layer message. The WiFi service layer message may be sent to a wireless control plane module of the wireless LAN controller.

Abstract: Systems, methods, and devices are disclosed for providing a quality of service between nodes. A service provider can receive, from a first node of a customer network to an ingress node of a service provider network, packets bound for a second node on the customer network that is remote from the first node. The packets are mapped to a network segment according to a traffic type based on an identifier associated with the packets that identifies the traffic type of the packets. The packets are sent via their mapped network segment to an egress node with connectivity to the second node of the customer network according to a quality of service associated with the traffic type identified by the identifier.

Abstract: An example method is provided in one example embodiment and includes intercepting a setup request for a session via a small cell network portion associated with a wide area network (WAN) instance, wherein the WAN instance comprises the small cell network portion and an enterprise network portion and wherein the small cell network portion and the enterprise network portion are interconnected to a service provider network; classifying the session to a particular WAN priority queue, wherein a plurality of WAN priority queues are configured for the WAN instance; determining whether the particular WAN priority queue has available bandwidth for the session; allocating bandwidth for the particular WAN priority queue if the particular WAN priority queue has available bandwidth; and permitting the session to be established if the particular WAN priority queue has available bandwidth.

Abstract: In one embodiment, a method for providing access to wireless networks may include receiving, by a wireless network access provider from a user device, a request to access a wireless network. The method may include obtaining data representing a policy applicable to the access request, sending the access request, augmented with the policy, to an identity provider associated with the user and having no pre-existing relationship with the access provider, and receiving, from the identity provider, an access request response indicating whether or not the policy is met. The method may include communicating, to the wireless device, an indication that the access request has been accepted, if the policy is met, or an indication that the access request has been rejected, if the policy is not met. The access provider and identity provider may be members of an identity and access federation that communicate over a dynamically established secure connection.

Abstract: Roaming Consortium Identifier (RCOI)-based handling of identity requirements may be provided. First, an access device may advertise an identifier. The identifier may identify a roaming federation and an identity type used by a service provider in order to provide service by the access device. Next, a request to associate with the access device may be received from a user device. The request may be compliant with the identity type advertised in the identifier. The user device may then be associated with the access device in response to receiving the request.

Abstract: Various embodiments disclosed herein include apparatuses, systems, devices, and methods for anonymously generating an encrypted session for a client device in a wireless network. The method comprises, in response to providing, to the client device in the wireless network, a request for credentials associated with the client device, obtaining, from the client device, a response including proposed credentials associated with the client device. The method further comprises determining whether or not the format of the response matches a response template. The method further comprises, in response to determining that the format of the response matches the response template, generating an encrypted wireless session for the client device independent of the proposed credentials associated with the client device.

Abstract: In one embodiment, a method includes: transmitting a message to a first end point that includes an instruction to initiate a communication type, wherein the communication type includes sharing a randomization token between the first and second end points; obtaining a first communication report from the first end point and a second communication report from the second end point in response to initialization of a communication based on the communication type between the first end point and the second end point across the network, wherein the first and second communication reports respectively include a first and second hash that corresponds to a function of the randomization token and identity information; determining whether the first hash matches the second hash; generating a value that correlates the first and second end points with the communication across the network in response to determining that the first hash matches the second hash.

Abstract: A method is performed at a gateway device including one or more processors and a non-transitory memory. The method includes, receiving, from a first wireless network, a first get authentication token request, where the first get authentication token request includes network information of a second wireless network and information of a first user equipment (UE). The method further includes forwarding the first get authentication token request to the second wireless network in response to receiving the first get authentication token request. The method additionally includes receiving a first authentication token from the second wireless network. The method also includes forwarding the first authentication token to the first UE via the first wireless network in order to associate the first UE with the second wireless network.