WAG

Wireless Access Gateway

Core Network
Introduced in Rel-2
The Wireless Access Gateway (WAG) is a core network element that provides secure, controlled interworking between 3GPP mobile networks and non-3GPP IP access networks, such as WLANs. It acts as a gateway for authentication, authorization, and IP traffic routing, enabling seamless service continuity and secure data offload. Its role is critical for early mobile-WLAN integration and converged network access.

Description

The Wireless Access Gateway (WAG) is a standardized network function defined by 3GPP to facilitate secure and managed access from non-3GPP IP networks, primarily Wireless Local Area Networks (WLANs), into the 3GPP mobile core. Architecturally, it resides at the boundary between the untrusted non-3GPP IP access network and the trusted 3GPP core, often interfacing with a Packet Data Gateway (PDG) for tunneling user plane traffic. The WAG's primary function is to enforce policy-based access control. It authenticates and authorizes user equipment (UE) attempting to access 3GPP services via a WLAN hotspot, typically using Extensible Authentication Protocol (EAP) methods over the Ww reference point. This process involves interacting with the 3GPP AAA (Authentication, Authorization, and Accounting) infrastructure, including the Home Subscriber Server (HSS), to validate subscriber credentials and service profiles.

From a data plane perspective, the WAG does not terminate user IP traffic itself but rather acts as an enforcement point. It ensures that only authorized traffic from authenticated UEs is forwarded toward the PDG, which establishes an IPsec tunnel (using IKEv2) with the UE for secure data transmission. The WAG may perform packet filtering, policing, and routing based on policies received from the AAA server. This architecture, defined in the early 3GPP releases for WLAN interworking, creates a clear demarcation: the WAG handles access control and initial routing at the network edge, while the PDG handles secure tunneling and connectivity to external packet data networks (PDNs).
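The enforcement role described above can be modelled as a default-deny filter whose per-UE rules exist only after the AAA server has authorized the subscriber. This is an added example, not taken from the 3GPP specifications or any vendor implementation: the class and method names, the addresses, and the rule shape (only IKEv2 and ESP toward the assigned PDG are forwarded) are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# IKEv2 runs over UDP 500 (4500 with NAT traversal); ESP is IP protocol 50.
PROTO_UDP, PROTO_ESP = 17, 50
IKE_PORTS = {500, 4500}

@dataclass(frozen=True)
class Packet:
    src: str        # UE address in the WLAN access network
    dst: str
    proto: int      # IP protocol number
    dport: int = 0  # destination port (0 when the protocol has none)

class WagEnforcer:
    """Default-deny edge filter; a rule exists only after AAA authorization."""

    def __init__(self):
        self._rules = {}  # UE address -> set of PDG addresses it may reach

    def install_policy(self, ue_ip, pdg_ips):
        # Hypothetical hook: called when the AAA server authorizes the UE.
        self._rules[ip_address(ue_ip)] = {ip_address(p) for p in pdg_ips}

    def revoke(self, ue_ip):
        # Hypothetical hook: session ended or authorization withdrawn.
        self._rules.pop(ip_address(ue_ip), None)

    def decide(self, pkt):
        pdgs = self._rules.get(ip_address(pkt.src))
        if pdgs is None:
            return "drop:unauthenticated"
        if ip_address(pkt.dst) not in pdgs:
            return "drop:not-pdg"       # no direct path around the PDG
        if pkt.proto == PROTO_ESP:
            return "forward"
        if pkt.proto == PROTO_UDP and pkt.dport in IKE_PORTS:
            return "forward"
        return "drop:not-tunnel"        # cleartext toward the PDG is refused

def run_sample():
    wag = WagEnforcer()
    wag.install_policy("10.20.0.5", ["192.0.2.10"])  # constructed addresses
    sample = [                                        # constructed packets
        Packet("10.20.0.5", "192.0.2.10", PROTO_UDP, 500),
        Packet("10.20.0.5", "192.0.2.10", PROTO_ESP),
        Packet("10.20.0.5", "198.51.100.7", PROTO_UDP, 500),
        Packet("10.20.0.5", "192.0.2.10", 6, 443),
        Packet("10.20.0.9", "192.0.2.10", PROTO_UDP, 500),
    ]
    return [wag.decide(p) for p in sample]
```

The distinct drop reasons are worth keeping in logs: a burst of `drop:not-pdg` from an authorized UE points at an attempt to route around the tunnel, while `drop:unauthenticated` is ordinary pre-authentication noise.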

The WAG's role is integral to the 3GPP System Architecture Evolution (SAE) for non-3GPP access. It supports mobility scenarios, allowing a UE to discover and select a WAG for access. While later architectures evolved with the introduction of the ePDG for untrusted non-3GPP access in EPS and the Non-3GPP Interworking Function (N3IWF) in 5GS, the WAG concept laid the foundational principles of a dedicated gateway for managing and securing the ingress point from external wireless networks into the mobile core, ensuring operator control over service access and security.

Purpose & Motivation

The WAG was created to address the growing need for mobile operators to integrate WLAN hotspots with their cellular networks in a controlled and secure manner. In the early 2000s, WLANs offered high bandwidth but lacked the integrated authentication, billing, and security frameworks of cellular networks. The purpose of the WAG was to provide a standardized gateway that could bring WLAN access under the operator's umbrella, enabling new business models like seamless offload and unified service offerings.

Prior to its standardization, ad-hoc WLAN integration posed significant problems: there was no standardized method for a cellular subscriber to use their SIM credentials for WLAN access, no guaranteed security for the access link, and no way for the operator to apply consistent policy and charging. The WAG solved these by defining a clear architectural component that interfaced with the existing 3GPP AAA infrastructure. This allowed operators to leverage their subscriber database (HSS) for WLAN authentication and to enforce access policies uniformly, regardless of the radio technology.

Its creation was motivated by the desire for network convergence and service continuity. It enabled scenarios where a user could start a data session on a cellular network and, upon entering WLAN coverage, have their session securely handed over or offloaded, with the operator maintaining visibility and control. The WAG standardized the critical first hop from an untrusted, non-3GPP network into the trusted core, establishing the security and policy enforcement model that later evolved for other access types in 4G and 5G.

Key Features

  • Interworks with 3GPP AAA for subscriber authentication and authorization
  • Provides policy enforcement at the edge of non-3GPP IP access networks
  • Routes authorized user traffic towards the Packet Data Gateway (PDG)
  • Supports access network discovery and selection functions
  • Enables secure WLAN offload for 3GPP subscribers
  • Facilitates operator-controlled billing and charging for WLAN access

Evolution Across Releases

Rel-2 Initial

Introduced the Wireless Access Gateway (WAG) as part of the initial 3GPP-WLAN interworking architecture. It defined the WAG's role in providing access control and routing for UE connecting via WLAN to 3GPP services, establishing the Ww reference point to the 3GPP AAA server for authentication and authorization.

Defining Specifications

Specification    Title
TS 23.234        3GPP TS 23.234
TS 24.234        3GPP TS 24.234
TS 28.601        3GPP TS 28.601
TS 28.602        3GPP TS 28.602
TS 29.234        3GPP TS 29.234
TS 32.102        3GPP TR 32.102
TS 32.808        3GPP TR 32.808
TS 32.820        3GPP TR 32.820
TS 33.234        3GPP TR 33.234