Description
The Trusted WLAN AAA Proxy (TWAP) is a critical control plane function residing within the Trusted WLAN Access Network (TWAN) architecture. Its primary role is to act as an intermediary for Authentication, Authorization, and Accounting (AAA) signaling between the User Equipment (UE) accessing via WLAN and the 3GPP AAA Server (or Proxy) in the mobile operator's core network. The TWAP does not make authentication decisions itself but reliably forwards and may translate AAA protocols, ensuring that the WLAN access point and the 3GPP core can communicate effectively for subscriber management. It is a key enabler for secure, SIM-based access to trusted WLANs.
Operationally, the TWAP sits on the STa reference point, which connects the TWAN to the 3GPP AAA Server. When a UE attempts to connect to a trusted WLAN, it initiates an EAP (Extensible Authentication Protocol) procedure. The WLAN Access Point (AP) forwards the EAP messages to the TWAP using protocols like RADIUS or Diameter. The TWAP then acts as a proxy, forwarding these messages over the STa interface to the 3GPP AAA Server using the Diameter protocol. The AAA server interacts with the Home Subscriber Server (HSS) to verify the UE's credentials (using EAP-AKA or EAP-AKA'). The TWAP ensures the entire authentication dialogue is completed successfully. Beyond initial authentication, the TWAP is also involved in authorization, relaying information about the authorized user's profile and any access restrictions from the core network to the WLAN.
The TWAP's responsibilities extend into session management and policy control. Upon successful authentication, the 3GPP AAA Server provides the TWAP with subscription profile information and may trigger the establishment of the user plane session. The TWAP communicates with the Trusted WLAN Access Gateway (TWAG) within the same TWAN to inform it of the successful authentication and to provide necessary parameters for setting up the data bearer over S2a. Furthermore, in some architectures, the TWAP can interact with the Policy and Charging Rules Function (PCRF) via the Gxa/Gxb reference points (or act as a Proxy for such signaling) to obtain policy and charging rules for the subscriber's session. These rules are then enforced at the TWAG for the user plane traffic.
In summary, the TWAP is the control plane nerve center for trusted WLAN access. It abstracts the specifics of the WLAN's AAA protocol from the 3GPP core, providing a standardized Diameter-based interface. By handling the complex signaling for authentication and policy, it enables the WLAN to be treated as a trusted 3GPP access network, ensuring that only authorized subscribers gain access and that their sessions are managed according to their mobile service profiles. This function was essential for the commercial deployment of seamless and secure carrier Wi-Fi services.
Purpose & Motivation
The TWAP was introduced to solve a critical signaling interoperability problem in integrating WLAN with the 3GPP core network. WLAN infrastructure traditionally uses AAA protocols like RADIUS for network access control, while the 3GPP core network uses the Diameter protocol for its internal AAA signaling. The TWAP was created to bridge this protocol gap, acting as a translation point or proxy to enable communication between these two different technological domains. Without it, SIM-based authentication and 3GPP policy control over trusted WLAN would not be feasible.
Its creation in Release 11 was motivated by the need for a standardized function to handle the control plane signaling for the newly defined Trusted WLAN Access Network (TWAN). Previous non-integrated Wi-Fi access required separate, often web-based, login portals and credentials. The goal was to leverage the strong security of the USIM card for WLAN access. The TWAP made this possible by reliably transporting EAP authentication dialogues (EAP-AKA/AKA') between the UE in the WLAN and the 3GPP AAA Server/HSS in the core. This solved the problem of how a WLAN access point, which speaks RADIUS/EAP, could authenticate a user against a 3GPP HSS.
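The RADIUS-to-Diameter relay step described under Description and in the two paragraphs above can be sketched as follows. This is an added example, not code from the 3GPP specifications or from any TWAP product. It assumes the WLAN side speaks RADIUS, uses the standard RADIUS EAP-Message (79) and Message-Authenticator (80) attributes and the Diameter EAP-Payload AVP (462), and emits only the two AVPs that carry the identity and the EAP packet rather than a complete Diameter-EAP-Request. All function names and sample values are hypothetical.

```python
import hashlib
import hmac

EAP_MESSAGE, MESSAGE_AUTHENTICATOR, USER_NAME = 79, 80, 1  # RADIUS attribute types
AVP_USER_NAME, AVP_EAP_PAYLOAD = 1, 462  # Diameter AVP codes
def parse_radius(packet):
    """Return (code, [(type, value, value_offset), ...]) after bounds checks."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < len(packet):
        alen = packet[pos + 1] if pos + 2 <= len(packet) else 0
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + alen], pos + 2))
        pos += alen
    return packet[0], attrs

def message_authenticator_ok(packet, attrs, secret):
    """HMAC-MD5 over the request with the attribute's 16 value bytes zeroed."""
    found = [(v, off) for t, v, off in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][0]) != 16:
        return False
    value, off = found[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)

def avp(code, data):  # Diameter AVP: M-bit set, no Vendor-ID, padded to 4 bytes
    length = 8 + len(data)
    return code.to_bytes(4, "big") + b"\x40" + length.to_bytes(3, "big") + data + bytes(-length % 4)

def radius_eap_to_diameter_avps(packet, secret):
    """Authenticate the AP's Access-Request, then re-encode identity and EAP."""
    code, attrs = parse_radius(packet)
    if code != 1 or not message_authenticator_ok(packet, attrs, secret):
        raise PermissionError("not an Access-Request with a valid Message-Authenticator")
    eap = b"".join(v for t, v, _ in attrs if t == EAP_MESSAGE)  # reassemble fragments
    if len(eap) < 4 or int.from_bytes(eap[2:4], "big") != len(eap):
        raise ValueError("EAP length field does not match reassembled payload")
    user = next((v for t, v, _ in attrs if t == USER_NAME), b"")
    return avp(AVP_USER_NAME, user) + avp(AVP_EAP_PAYLOAD, eap)

def build_sample(secret, user, eap):  # constructed test input, not captured traffic
    attrs = bytes([USER_NAME, 2 + len(user)]) + user
    for i in range(0, len(eap), 253):  # each EAP-Message attribute holds <= 253 bytes
        attrs += bytes([EAP_MESSAGE, 2 + len(eap[i:i + 253])]) + eap[i:i + 253]
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    pkt = bytes([1, 7]) + (20 + len(attrs)).to_bytes(2, "big") + bytes(16) + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
```

The proxy drops any request whose Message-Authenticator is absent or fails verification before anything reaches the Diameter side, so an unauthenticated sender on the WLAN segment cannot inject EAP traffic toward the 3GPP AAA Server.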
Beyond basic authentication, the TWAP also addressed the need for integrated session and policy control. It enabled the transfer of subscriber profile information from the core to the access network and facilitated the interaction with the PCRF. This allowed mobile operators to apply the same sophisticated policy and charging rules to Wi-Fi traffic as they did to LTE traffic, enabling service differentiation, guaranteed quality of service for services like VoWiFi, and accurate charging. The TWAP was thus a foundational component that transformed Wi-Fi from a mere internet pipe into a managed, billable, and service-aware extension of the mobile network.
Key Features
- Proxies AAA signaling (e.g., RADIUS/Diameter) between the WLAN and the 3GPP AAA Server over the STa interface
- Facilitates EAP-AKA/AKA' authentication, enabling SIM-based access to trusted WLAN
- Relays subscriber profile and authorization data from the core network to the TWAN
- Interfaces with the TWAG to trigger user plane session establishment after successful authentication
- May act as a proxy for Policy and Charging Control (PCC) signaling between the TWAN and the PCRF
- Supports accounting message forwarding for session-based charging
Evolution Across Releases
Initial definition of the TWAP as the AAA proxy function within the TWAN. Specified its role in proxying EAP authentication between the WLAN and the 3GPP AAA Server over the Diameter-based STa interface, and its coordination with the TWAG for session setup.
Defining Specifications
| Specification | Title |
|---|---|
| TS 23.003 | 3GPP TS 23.003 |
| TS 23.273 | 3GPP TS 23.273 |
| TS 23.402 | 3GPP TS 23.402 |
| TS 23.852 | 3GPP TS 23.852 |
| TS 24.502 | 3GPP TS 24.502 |
| TS 29.214 | 3GPP TS 29.214 |
| TS 29.518 | 3GPP TS 29.518 |
| TS 29.561 | 3GPP TS 29.561 |
| TS 33.501 | 3GPP TS 33.501 |
| TS 38.413 | 3GPP TS 38.413 |