Bringing Wi-Fi Security to the Next Level

Luther Smith
Director, Wireless Technology

May 4, 2021

WBA PKI Framework Enables RadSec Connection Security

In 2020, the COVID-19 pandemic nearly eliminated travel. Today, as restrictions are lifted, we’re seeing travel levels increase—particularly locally. Soon, we should all be able to return to the world of far-reaching travel.

Whether for trips across town or journeys around the globe, Wi-Fi accessibility is a critical necessity in the 21st century. Using various Wi-Fi roaming technologies such as Passpoint®, Wireless Broadband Alliance (WBA) WRIX and OpenRoaming™, we can enjoy the Wi-Fi connected broadband experience wherever we go. And as we move about, there are many Wi-Fi networks available to us from various operators; most are secured by some level of security, whether a shared secret, captive portal or Extensible Authentication Protocol (EAP), also known as 802.1x.

Many service providers are moving to EAP for user authentication, a tactic that not only simplifies access to their own Wi-Fi network but also enables a secure roaming experience for their users. To allow users to be authenticated and gain access to roaming Wi-Fi networks, user credentials need to be routed to the home service provider. This interconnection between the roaming partner and the home service provider has typically been over IPSec tunnels. The introduction of RadSec is changing the method of interconnection. RadSec offers a full end-to-end secure path and the ability to use dynamic interconnections.

RadSec interconnection security is based on the mutual exchange of certificates between the two operators, enabling authentication of the operators and encryption of the information exchanged. To standardize these certificates, WBA members (under the leadership of CableLabs) undertook the creation of a solid RadSec PKI framework.

The WBA team led by CableLabs is proud to have completed the PKI framework and to have made it available for deployment and use by all members of the WBA, marking the closure of the WBA Roaming Evolution Working Group. The PKI framework includes the PKI Certificate Policy (CP), Trust Root Certificate Authority (CA) agreement, Policy Intermediary CA (I-CA) agreement, Issuing I-CA agreement, End-Entity agreement, Operator Deployment Guidelines and End-Entity Deployment Guidelines.
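The certificate check that each RadSec peer performs on the other can be reproduced with the `openssl` command line. This is an added example, not part of the WBA framework or CableLabs material: it assumes the tiers chain in the order trust root, policy I-CA, issuing I-CA, end entity, and every name, lifetime and key size in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example; every name below is a constructed placeholder, not a WBA or Kyrio value.
set -eu

# issue NAME CN ISSUER EXTFILE: create a key and CSR for CN, then have ISSUER sign it.
# ISSUER=self produces a self-signed trust root.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ "$3" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 \
      -extfile "$4" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -days 30 -extfile "$4" -out "$1.pem" 2>/dev/null
  fi
}

# verify_peer ROOT INTERMEDIATES PEER: exit 0 only if PEER chains up to ROOT.
verify_peer() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

WORK=$(mktemp -d) && cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\n' > ee.ext

# Assumed tier order: trust root -> policy I-CA -> issuing I-CA -> end entity.
issue root    "Example Trust Root CA" self    ca.ext
issue policy  "Example Policy I-CA"   root    ca.ext
issue issuing "Example Issuing I-CA"  policy  ca.ext
issue anp     "radsec.anp.example"    issuing ee.ext   # access network provider
issue idp     "radsec.idp.example"    issuing ee.ext   # identity provider
cat policy.pem issuing.pem > chain.pem                 # intermediates a peer presents

# Same subject name as the IDP, but issued under a root the federation does not trust.
issue foreign_root "Unrelated Root CA"  self         ca.ext
issue foreign      "radsec.idp.example" foreign_root ee.ext

for peer in anp idp foreign; do
  if verify_peer root.pem chain.pem "$peer.pem"; then r=accept; else r=reject; fi
  echo "$peer: $r"
done
```

Both operators validate against the same trust root, so a certificate that merely carries the right subject name is rejected, and so is a valid end-entity certificate presented without its full intermediate chain.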

The completed PKI framework is ready to advance Wi-Fi roaming and make it simpler. Several roaming implementations will benefit from the PKI framework, including specific inter-operator roaming deployments, the WBA Wireless Roaming intermediary eXchange (WRiX) and OpenRoaming.

The WBA PKI framework is currently available to WBA members, with PKI certificates available from Kyrio®, a wholly owned subsidiary of CableLabs. Moving forward, the WBA Roaming Work Group will continue to manage the PKI framework and documentation, including the new project, “Profiles & RCOIs Prioritization”.

For more information about the WBA PKI framework contact and to get your RadSec certificates, contact




WBA OpenRoaming™ to Enable Global Wi-Fi Roaming

Luther Smith
Director, Wireless Technology

Nov 12, 2020

On May 28, 2020, the Wireless Broadband Alliance (WBA) announced the launch of OpenRoaming. OpenRoaming is a cloud federation–based framework that will open Wi-Fi roaming to a broad community of Identity Providers (IDPs) and Access Network Providers (ANPs). OpenRoaming is a cyber-secured, seamless connection and automatic RADIUS router all rolled into one global multi-provider ecosystem. The fundamental makeup of OpenRoaming spans multiple technologies: Passpoint, DNS Discovery, RadSec and components of the Wireless Roaming Intermediary eXchange (WRIX).

OpenRoaming works by using Roaming Consortium Identifiers (RCOIs) to allow Passpoint-driven ANP selection. The RCOIs are identified by two major categories, Settlement Free and Settlement, followed by two sets of subcategories. The subcategories define roaming consortium types and service levels. The roaming consortium types span from general consortiums to industry-specific consortiums. Service levels include none, silver and gold, each defining the level of network Quality of Service (QoS) and the rate of reporting QoS information.

Current roaming platforms are based on the use of specific realms, 3GPP network identities or roaming consortiums for the selection of Wi-Fi networks, with static peer-to-peer interconnections over an IPSec tunnel for RADIUS traffic. OpenRoaming, shown in Figure 1, establishes ANPs that support multiple consortiums, coupled with dynamic RadSec interconnections, eliminating the need for static peer-to-peer interconnections. An additional benefit is the use of RadSec, a RADIUS client/server connection using TLS for security, which not only eliminates the need for an IPSec peer-to-peer tunnel but also encrypts the RADIUS traffic from RADIUS client to RADIUS server, securing traffic deeper into the providers’ networks.

Why OpenRoaming?

OpenRoaming allows the cable industry to easily establish an inter-roaming partnership across the industry while reducing the overhead of a networking setup. With the defined cable industry-specific RCOI, ANPs can be targeted as part of the cable consortium.

OpenRoaming provides users a seamless Wi-Fi connection beyond the subscriber’s home service area, reducing the need to rely on a cellular data connection. Beyond the operators that provide Wi-Fi services, OpenRoaming is a tool that can be used by Mobile Virtual Network Operators (MVNOs) to assist with Wi-Fi connectivity, enabling cellular data to offload. This would broaden the data offload from a local network to a global network.




Carrier-Grade Wi-Fi Keeps Pace With Wi-Fi Network Growth: How CableLabs is Contributing

Mark Poletti
Director, Wireless Network Technologies

Apr 28, 2014

“Operators of all kinds – fixed, mobile, converged and pure-play Wi-Fi – are moving beyond using Wi-Fi just for convenient access, or data offload, and are making it a central part of their broader strategies to support a high quality broadband experience everywhere.”
(Excerpt from WBA Industry Report 2013: Global Trends in Public Wi-Fi p3)

Over the past few years Wi-Fi networks have seen substantial growth in the number of hotspots to deliver expanded coverage and new service offerings.  Wi-Fi networks offer unique characteristics, such as very high data rates (50 Mbps up to 400 Mbps using 802.11n),  easy connection to neutral hosts, and unlicensed shared spectrum.  Hotspots have very small coverage and are especially useful in areas with dense population.  This is very attractive to 3G/4G cellular carriers experiencing congestion due to spectrum and network capacity limitations.  Cellular networks experiencing such congestion use Wi-Fi networks to offload cellular data to maintain service and data integrity.


The Wireless Broadband Alliance (WBA) projects that 22% of new carrier capacity will come from Wi-Fi networks in 2014.

Wi-Fi network operators are exploring opportunities beyond 3G offload that will offer differentiated services to their core business.  For example, Wi-Fi network operators, such as mobile operators (MNOs) and cable operators (MSOs), offer service plans that enhance (e.g. from fixed cable to wireless used by cable operators) or extend (e.g. mobile to Wi-Fi used by T-Mobile, Verizon) existing service.   As mobile and Wi-Fi services continue to overlap and converge, the integration of mobile and Wi-Fi networks,  such as that used for 3G to Wi-Fi network handoff, will continue to become increasingly prevalent and more complex.


(Excerpt from WBA Industry Report 2013: Global Trends in Public Wi-Fi)

Vision of Carrier Grade Wi-Fi

As Wi-Fi networks are used for faster and more robust data, video, and voice services, maintaining a quality user experience is becoming increasingly important.  “Carrier grade Wi-Fi” is a phrase used for an industry effort to improve Wi-Fi network design, management, and performance to closely match that of cellular networks within the inherent limitations of Wi-Fi.  The carrier grade Wi-Fi effort touches all aspects of the Wi-Fi ecosystem including vendors, operators, chipset manufacturers, industry groups, and standards bodies.

Wi-Fi was created to share unlicensed spectrum on a non-interfering basis with autonomous performance and control for any number of users.  As industry and market demand has evolved over the years, Institute of Electrical and Electronics Engineers (IEEE) standards and industry groups – such as the Wi-Fi Alliance (WFA) and the Wireless Broadband Alliance (WBA) – have continually added features to improve the quality of Wi-Fi network service, performance, and management.  Recent activities have begun to address specific features that will enable Wi-Fi to be carrier grade.

The WBA recently submitted a white paper addressing carrier grade Wi-Fi guidelines and providing definition of carrier grade Wi-Fi features.  In addition, the WFA has been incorporating these features into interoperability certification.

CableLabs has submitted several contributions that provide carrier grade Wi-Fi feature definition and use cases.  These features have been incorporated into an initial operators’ requirements document that will, once completed, be referenced by WFA task groups as test requirements for WFA certification.

CableLabs has also submitted a contribution to the Wi-Fi Mobile Converged Wireless Group (CWG) Test Plan Group.  This group has the charter to define the testing procedures for radio-frequency performance of all Wi-Fi devices (i.e. access points, tablets, Wi-Fi clients, and smartphones).

Radio Frequency (RF) Performance Is Key to Carrier Grade Wi-Fi

One key aspect of carrier grade Wi-Fi is RF performance.  At present, Wi-Fi access points (APs) and devices are not held to defined RF performance standards. This impacts coverage and capacity performance of Wi-Fi networks. For enterprise and consumer devices, defining minimum RF performance requirements will ensure that poorly performing devices don’t reduce overall network capacity.  It is important to note that maximizing transmitter and receiver performance has a dramatic impact on the coverage and capacity of Wi-Fi networks.

The graph in Figure 1 shows that underperforming by just a few decibels (dB) – a measurement of RF power – can leave Wi-Fi devices with shorter range and lower throughput.  Figure 1 also shows the coverage heat maps of carrier grade and non-compliant Wi-Fi APs, which indicate a significant reduction of coverage performance for non-compliant APs.

Figure 1 – Coverage Performance of Carrier Grade vs. Underperforming Wi-Fi Devices

By improving the RF component selection and design optimization in Wi-Fi devices, the achievable network throughput significantly improves.  CableLabs is working with industry bodies to determine reasonable performance thresholds for AP and Wi-Fi devices.

Current State of RF Certifications

At present, RF certification of Wi-Fi devices and access points is optional with no minimum performance standards.  Original Equipment Manufacturers (OEMs) have the option whether to test their equipment against WFA standards or not.  Although current test plans are thorough, they do not contain pass/fail or minimum performance level requirements.

Currently, Federal Communications Commission (FCC) RF regulations are only intended to ensure public safety and non-interference with co-channel and adjacent channel systems. The regulations are designed for “not to exceed” power levels, not for minimum levels. In other words, the FCC focus has been on avoiding interference to other systems as opposed to requiring minimum performance requirements. The lack of receiver sensitivity tests does not provide assessment of end-user performance.  In addition, FCC tests do not cover device throughput performance versus coverage or interference.



Figure 2 – CWG RF Certification Testing for Smart Phones, Home and Small Office APs

As shown in Figure 2, CWG RF certification testing of Wi-Fi devices has not been pursued by OEMs and device OEM participation is decreasing.  CableLabs is working with industry bodies to recommend requiring that Wi-Fi devices meet minimum RF performance criteria during WFA RF testing and encourage RF certification testing.

CableLabs to Install RF Anechoic Chamber


CableLabs is in the process of installing an in-house RF anechoic chamber with the capability to measure RF performance of Wi-Fi devices such as total isotropic sensitivity (TIS), total radiated power (TRP), Wi-Fi adjacent-/co-channel interference and LTE interference.  Scheduled completion is late July 2014.  Once complete, CableLabs will have the ability to test RF performance of all Wi-Fi devices.  The RF chamber will be available to all member MSOs with the potential to lead Wi-Fi RF certification tests within the Wi-Fi industry.

Wi-Fi First Service Will Benefit from Carrier Grade Wi-Fi

Wi-Fi first service, a hybrid Wi-Fi/mobile service in which voice over Wi-Fi is selected ahead of mobile voice service, is among the many innovative services being introduced by Wi-Fi network operators.  This service poses several technical challenges, such as:

  • Maintaining seamless Wi-Fi roaming and handover between Wi-Fi and 3G/4G networks
  • Maintaining authentication and security across Wi-Fi and 3G/4G networks
  • Supporting service profile across Wi-Fi and 3G/4G networks
  • Providing efficient mobile device network discovery, selection, and attachment
  • Delivering quality of service

Wi-Fi network operators are developing customized solutions to network architectures and target markets unique to their core business. As carrier grade Wi-Fi continues to gain momentum, it will offer improvement to Wi-Fi network quality and user experience. CableLabs is working with vendors and operators to develop solutions with emphasis on developing carrier grade Wi-Fi features.

Other Aspects of Carrier Grade Wi-Fi: What’s Next?

As carrier grade Wi-Fi continues to gain traction in the industry, CableLabs will maintain pace with standards body activities, product roadmaps, technology roadmaps, new services, business paradigms, and technology disruptors that will impact user experience and quality of Wi-Fi networks.  Future blog posts will provide updates to carrier grade Wi-Fi features that may include:

  • Solutions to Wi-Fi first network architectures and mobile applications
  • Carrier Grade Wi-Fi WFA certifications
  • IEEE 802.11 feature enhancements
  • Carrier Grade best practices for Wi-Fi network planning, operation and performance
  • Quality of Service


Mark Poletti is a Lead Wireless Architect with CableLabs.  He has been addressing mobile operator design, operations and performance issues of 2G, 3G, 4G, and satellite networks for over 20 years.   Mark is a member of the WFA and WBA and is focused on the wireless convergence of MSO and MNO networks.