Exclusive preshared key authentication

Information

  • Patent Grant
  • Patent Number
    10,945,127
  • Date Filed
    Tuesday, April 25, 2017
  • Date Issued
    Tuesday, March 9, 2021
Abstract
Preshared keys are assigned to client devices, users, or user groups. The set of valid preshared keys or keys derived therefrom is distributed to network devices such as wireless access points. A client device attempts to establish a secure network connection with a network device using its assigned preshared key. A network device identifies the client device's preshared key by selecting a candidate key from its set of valid preshared keys. The network device determines a validation cryptographic checksum based on the selected candidate key. If the validation cryptographic checksum matches the client's cryptographic checksum, the network device establishes a secure network connection with the client device using this candidate key. If the validation cryptographic checksum does not match the cryptographic checksum provided by the client device, the network device repeats this comparison using different candidate keys selected from its set of valid preshared keys until a match is found.
Description
BACKGROUND OF THE INVENTION

The present invention relates to the field of communication networks, and in particular to the systems and methods for authenticating users and devices for access to communication networks. Communications networks allow computers and other electronic devices to exchange data. Wireless networks, which exchange data without wires, typically using radio waves, are popular with users due to the ability to send and receive data almost anywhere within the physical coverage area of the network. This allows users to access communication networks, including local area networks, organization or company intranets, virtual private networks, and wide area networks, such as the Internet, anywhere within the physical coverage area of the wireless networks.


Wireless networks with large physical coverage areas, such as networks covering university campuses or entire cities, offer users ubiquitous access to their data and the Internet. However, typical wireless access points have a range of around 100 feet. As a result, large wireless networks require tens, hundreds, or thousands of wireless access points to provide network coverage over a large physical area.


Configuring, managing, and operating a large number of wireless access points requires complicated network configurations. One complication with managing wireless access points is managing network security. Network security typically includes authentication to prevent unauthorized users or devices from accessing the network and data encryption to prevent eavesdropping on communications of authorized users or devices.


There are many wired and wireless networking standards, including the 802.11 set of IEEE standards, that govern wireless networking communications and security methods. In general, the most secure types of wireless networking security, such as the 802.1X standard, often rely on authentication servers and cryptographic certificates to authenticate users and devices and exchange encryption keys to establish secure network connections. However, configuring and maintaining authentication servers and certificates is complicated, error-prone, and expensive. Additionally, users often find it difficult to install the required certificates and configure their devices to use these authentication schemes. This makes it difficult to deploy this type of network security, especially in situations where users and devices are frequently added and removed, such as hotels, conference centers, and other locations that wish to provide wireless networking to visitors.


Another network security approach relies on a preshared key (PSK) to authenticate users and establish secure communications. In these approaches, users are provided with a password or other login information in advance of connecting with the network. This approach is relatively easy for users and network administrators to implement. Authentication servers and certificates are not required. Users can typically configure their devices to connect with the network by inputting the provided password or other login information.


However, preshared key approaches are much less secure than other authentication techniques. Typically, a single preshared key is used by every user and device connecting with the network. This allows any user or device to eavesdrop on the communications of any other device connected via the network. Additionally, anyone with knowledge of the preshared key can access the network. This can be a disadvantage when an employee leaves a company, but can still access the company network using the preshared key. To prevent this, network administrators can change the preshared key. However, this requires all of the legitimate network users and devices to update their configurations, which can be very disruptive.


SUMMARY

An embodiment of the invention provides much of the same control and flexibility as that provided by authentication server-based network security techniques with the administrative and technical simplicity of preshared key-based network security. In an embodiment, preshared keys are assigned exclusively to specific client devices, users, or user groups. The set of valid preshared keys or keys derived from the preshared keys is distributed to network devices such as wireless access points.


Upon connecting with a network device, a client device attempts to establish a secure network connection using its assigned preshared key. In an embodiment, a network device attempts to identify the preshared key used by the client device. If this identification is successful, the network device establishes a secure network connection with the client device.


In an embodiment, a network device attempts to identify the preshared key used by the client device by selecting one of its set of valid preshared keys as a candidate key. The network device then determines a validation cryptographic checksum based on the selected candidate key. If the validation cryptographic checksum matches a cryptographic checksum provided by the client device using its assigned preshared key, then the selected candidate key is the preshared key assigned to the client device. If the validation cryptographic checksum does not match the cryptographic checksum provided by the client device, then the network device repeats this comparison using a different candidate key selected from its set of valid preshared keys. This comparison may be repeated using each of the valid preshared keys to determine a validation cryptographic checksum until the preshared key of the client device is identified or the set of valid preshared keys is exhausted.


Once the preshared key used by the client device is identified, an embodiment of the invention may optionally perform a user authentication using an authentication server. Alternatively, a secure network connection may be established without the use of an authentication server.





BRIEF DESCRIPTION OF THE DRAWINGS

The invention will be described with reference to the drawings, in which:



FIG. 1 illustrates a method of authenticating users and exchanging cryptographic keys according to an embodiment of the invention;



FIG. 2 illustrates a method of authenticating guest users and exchanging cryptographic keys according to an embodiment of the invention;



FIG. 3 illustrates another method of authenticating guest users and exchanging cryptographic keys according to an embodiment of the invention;



FIG. 4 illustrates a method of authenticating users without an authentication server according to an embodiment of the invention;



FIG. 5 illustrates a method of authenticating users with an authentication server according to an embodiment of the invention; and



FIG. 6 illustrates a computer system suitable for implementing an embodiment of the invention.





DETAILED DESCRIPTION

An embodiment of the invention allows for users or devices to access a communications network using different preshared keys. An embodiment of the invention automatically manages the distribution and revocation of multiple preshared keys to any number of network devices, ensuring that each user or device can connect using their assigned preshared key. An embodiment of the invention also includes a modified authentication and handshake technique for network devices, such as wireless access points, to identify and authenticate the different preshared keys provided by client devices. For client devices, this authentication and handshake technique does not require any modification from standard preshared key network security techniques. Embodiments of the invention can be used with standard network drivers and applications on client devices and do not require the execution of any additional software applications or non-standard network configurations on client devices. This enables the modified authentication and handshake technique to be utilized with a wide range of client devices.


Additionally, embodiments of the invention may be implemented without an authentication server, such as a RADIUS server, reducing the cost and complexity of implementation. Other embodiments may use authentication servers for aspects of authentication and/or accounting for access charges. Even with authentication servers, client configuration is reduced in complexity.



FIG. 1 illustrates a method 100 of authenticating users and exchanging cryptographic keys according to an embodiment of the invention. An embodiment of the invention uses a 4-way handshake to authenticate users and devices, collectively referred to as clients, and to exchange cryptographic keys, allowing clients to communicate securely with a communications network. In an embodiment of method 100, step 105 provides a client with a preshared key (PSK) or other shared secret prior to attempting to connect with the network. This preshared key is referred to as an exclusive preshared key, because it is assigned to a single user or group of users, rather than every user on a network. As described in detail below, step 105 also provides the preshared key to the network, including one or more wireless access points or other wireless network interface devices. Using the PSK, both the client and one or more network devices, such as wireless access points, separately derive a pairwise master key (PMK) from the PSK, for example as defined by the IEEE 802.11 family of network standards.


Upon a client connecting or associating with one of the wireless access points or other network devices of the network, in step 110 the wireless access point begins the 4-way handshake by sending a first message to the client. The first message includes a first cryptographic nonce, or number used once. This nonce is referred to as the A-Nonce.


Upon receiving the A-Nonce, in an embodiment of step 115, the client generates and sends a second message in response to the first message. In an embodiment of method 100, the client generates its own nonce, referred to as the S-Nonce. Using the S-Nonce and the A-Nonce, the client generates a copy of a pairwise transient key (PTK), which will be used to encrypt future communications with the network. In an embodiment, the pairwise transient key is determined using a hash of the A-Nonce, S-Nonce, and other data, such as the PMK. For example, PTK=SHA1(PMK, client MAC, wireless access point MAC, A-Nonce, S-Nonce).


An embodiment of the invention divides the PTK into four separate keys, each of which is used for a different purpose: EAPOL-MIC key, EAPOL-Encr key, Data-MIC key and Data-Encr key (for AES, the Data-MIC key and the Data-Encr key are the same).


In an embodiment of step 115, the client then sends a second message to the wireless access point. The second message includes the client-generated S-Nonce and a MIC, which is a cryptographic checksum of the message. In an embodiment, the MIC is calculated by applying the EAPOL-MIC key, which is part of the PTK, to the other contents of the second message, including the S-Nonce.


In prior systems, every client used the same preshared key. However, embodiments of the invention use multiple preshared keys. For example, each client may be assigned its own exclusive preshared key. In other embodiments, clients may be assigned to groups, with each group having a different exclusive preshared key. Thus, a wireless access point or other network device may store multiple valid keys, such as PSKs, PMKs, or other data derived from the preshared keys, with each key associated with a different client or group of clients. The set of valid keys is stored in a list, array, or other data structure. Because of this, upon receiving the second message from the client, the wireless access point or other network device must identify which preshared key the client is using.


In an embodiment, method 100 identifies the preshared key used by the client to send the second message. Step 120 begins this identification by selecting one of the keys from the set of valid keys. In an embodiment of step 120, a wireless access point or other network device stores a list of all of the preshared keys assigned to clients, or alternatively, a list of PMKs derived from all of the preshared keys assigned to clients. Upon receiving the second message from a client that includes an S-Nonce and MIC, an embodiment of a wireless access point or other network device will select one of the preshared keys or PMKs from its stored list. The selected key, whether in the form of a PSK, PMK, or other type of derived data, is referred to as a candidate key.


In step 125, the wireless access point or other network device derives a corresponding PTK using the same technique used by the client. The wireless access point or other network device then uses all or a portion of the derived PTK to calculate its own MIC, referred to herein as a verification MIC, based on the contents of the received second message.


In decision block 130, the wireless access point or other network device compares the verification MIC with the MIC included in the second message by the client. If the verification MIC matches the MIC included by the client in the second message, then the wireless access point or other network device has successfully identified the preshared key and corresponding PMK and PTK used by the client. An embodiment of method 100 may then proceed to step 135 to complete the authentication process. The wireless access point or other network device can then communicate with the client using the PTK derived from the selected preshared key or PMK.


Conversely, if the verification MIC does not match the MIC provided by the client in the second message, then method 100 returns to step 120 and the wireless access point or other network device selects another preshared key or PMK from its list, derives a new corresponding PTK and verification MIC in step 125, and compares the new verification MIC with the MIC included in the second message in decision block 130. Steps 120, 125, and 130 may be repeated until the verification MIC matches the MIC provided in the second message. If the wireless access point or other network device exhausts its list without any verification MIC matching the MIC included in the second message, then the client is not authorized to access the network.


In a further embodiment, network devices such as wireless access points precalculate and store PMKs corresponding with PSKs, so as to reduce the time required to determine and compare a large number of verification MICs with the MIC of the received message from the client.


Following the determination of the correct PTK by the wireless access point or other network device, the authentication process may be completed in step 135 by exchanging one or more additional messages with the client. For example, the wireless access point and client may follow the IEEE 802.11i standard. In this example, the wireless access point provides a group temporal key (GTK) to be used for multicast traffic and a sequence number to the client in a third message. The client then sends a fourth message to the wireless access point or other network device to acknowledge completion of the authentication. Following this, the wireless access point or other network device and the client communicate with each other using the PTK and GTK.
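As an added illustration that is not part of the patent, the following Python models steps 105 through 130 end to end: PSK-to-PMK derivation (PBKDF2-HMAC-SHA1 over the SSID, as WPA2-Personal does), the 802.11i PRF-512 expansion into a PTK and its four sub-keys, and an access point that precalculates PMKs and tries each candidate until a verification MIC matches the MIC in message 2. The SSID, MAC addresses, nonces, key assignments and the simplified message 2 layout (8-byte header, 32-byte S-Nonce, 16-byte MIC) are constructed assumptions, not the real EAPOL-Key frame format.

```python
import hashlib
import hmac
from typing import Dict, Optional

SSID = b"corp-guest"                    # constructed sample SSID (assumption)
PBKDF2_ROUNDS = 4096                    # PSK -> PMK mapping used by WPA2-Personal
PTK_LABEL = b"Pairwise key expansion"   # 802.11i label for the PTK PRF
HDR_LEN, NONCE_LEN, MIC_LEN = 8, 32, 16  # constructed message 2 layout: header | S-Nonce | MIC
MIC_OFFSET = HDR_LEN + NONCE_LEN


def psk_to_pmk(psk: str, ssid: bytes = SSID) -> bytes:
    """Step 105: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid, PBKDF2_ROUNDS, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: expand PMK, both MACs and both nonces into a 64-byte PTK."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):  # four 20-byte SHA1 outputs cover the 64 bytes needed
        out += hmac.new(pmk, PTK_LABEL + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def split_ptk(ptk: bytes) -> Dict[str, bytes]:
    """The four sub-keys named in the text; for AES/CCMP the data MIC and data encryption key coincide."""
    return {"eapol_mic": ptk[0:16], "eapol_encr": ptk[16:32],
            "data_mic": ptk[32:48], "data_encr": ptk[32:48]}


def compute_mic(eapol_mic_key: bytes, frame: bytes) -> bytes:
    """MIC = HMAC-SHA1 over the frame with its MIC field zeroed, truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(eapol_mic_key, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def client_build_msg2(psk: str, ap_mac: bytes, client_mac: bytes,
                      anonce: bytes, snonce: bytes) -> bytes:
    """Step 115 on the client: derive the PTK from its own PSK and MIC message 2 with the EAPOL-MIC key."""
    ptk = derive_ptk(psk_to_pmk(psk), ap_mac, client_mac, anonce, snonce)
    frame = b"\x02\x03\x00\x00\x00\x00\x00\x00" + snonce + b"\x00" * MIC_LEN  # constructed header
    mic = compute_mic(split_ptk(ptk)["eapol_mic"], frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + MIC_LEN:]


class AccessPoint:
    """Holds the set of valid keys as precalculated PMKs (the embodiment that precalculates PMKs)."""

    def __init__(self, assignments: Dict[str, str]):
        # owner -> PMK; PBKDF2 runs once at provisioning, not once per candidate per handshake
        self.pmks = {owner: psk_to_pmk(psk) for owner, psk in assignments.items()}

    def identify_key(self, ap_mac: bytes, client_mac: bytes,
                     anonce: bytes, msg2: bytes) -> Optional[str]:
        """Steps 120-130: try each candidate key until a verification MIC equals the client's MIC."""
        snonce = msg2[HDR_LEN:HDR_LEN + NONCE_LEN]
        received_mic = msg2[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
        for owner, pmk in self.pmks.items():                              # step 120: pick a candidate
            ptk = derive_ptk(pmk, ap_mac, client_mac, anonce, snonce)     # step 125: candidate PTK
            verification_mic = compute_mic(split_ptk(ptk)["eapol_mic"], msg2)
            if hmac.compare_digest(verification_mic, received_mic):       # decision block 130
                return owner
        return None  # list exhausted: the client is not authorized


# Constructed sample handshake (assumed MACs, nonces and key assignments).
AP_MAC = bytes.fromhex("02aabbccdd01")
CLIENT_MAC = bytes.fromhex("02aabbccdd02")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
AP = AccessPoint({"adam": "adam#abc123", "guest-0001": "guest-pass-0001", "beth": "beth#xyz789"})


def demo(client_psk: str) -> Optional[str]:
    """Run one message 2 exchange and return which stored key the AP identified (None if none)."""
    msg2 = client_build_msg2(client_psk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    return AP.identify_key(AP_MAC, CLIENT_MAC, ANONCE, msg2)


if __name__ == "__main__":
    print(demo("beth#xyz789"))      # beth
    print(demo("not-a-valid-key"))  # None
```

Each failed candidate costs one PTK derivation, so the search is linear in the size of the key list; that per-association cost is what the PMK precalculation above and the roaming cache described later are meant to reduce.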


In some networks, it is desirable to be able to change which users have access. In an embodiment, the exclusive preshared key scheme described above is combined with an authentication and accounting server, such as a RADIUS server, to perform the authentication, authorization, and accounting process for large companies. PAP, CHAP, MSCHAPv2, EAP, EAP-LEAP, EAP-PEAP or others can be used as the authentication methods carried by the RADIUS protocol for RADIUS servers to authenticate the clients.


To configure exclusive preshared key techniques to work with a RADIUS server, the username and password should be provided. For example, each client is provided with a username, password and PSK. To configure exclusive preshared key techniques to work without a RADIUS server, a username and preshared key is sufficient to distinguish different users.


In a further embodiment using a RADIUS server, each client is provided with a username and password. In this embodiment, a RADIUS server derives a preshared key for each client from the username and password and other data. For example:


<PSK>=<password>, or


<PSK>=<username><concatenating string><password>.


For example, when username=“adam” and password=“abc123” are provided, and if the expression <PSK>=<password> is chosen, the PSK will be “abc123”; if the expression <PSK>=<username><concatenating string><password> is chosen and the <concatenating string>=“#”, the PSK will be “adam#abc123”.


On the client side, the preshared key is given by an administrator to configure a client. The administrator also distributes the preshared key to the wireless access point, RADIUS server, or other network device, such as a wireless access point manager device or application. On the RADIUS server, the username and password are configured by the IT administrator.


In further embodiments, passwords may be generated automatically for users. For example:


<password>=SHA1 (<username>, <created-time>, <expired-time>, [<index>,] <secret>, <location>, [<SSID>])


In this example, the username is configured for an individual user. The “created-time” is the time when the password is created and starts to be used. The “expired-time” is the time when the password ceases to be valid. The “index” is the index of the password which is used to specify one user and to distinguish different users (different users will be given different indexes). The indexes are also used to generate a large number of passwords (to derive a batch of PSKs) for guest clients. The “secret” is a shared secret among all wireless access points for generating the same password for the same user. The “location” is used to distinguish the HQ and branches for large companies. The “SSID” is the SSID the PSKs will apply to. Some or all of these parameters of this example may be optional, for example allowing the SSID and/or index to be omitted.


Embodiments of the invention may allow administrators to configure the username, created-time, expired-time, index, shared secret and location for each user. After the passwords are generated, the PSKs can be derived by using <PSK>=<password> or <PSK>=<username>#<password>. When the index is used, there will be another method to derive the PSK: <PSK>=<username><index>#<password>.


In further embodiments, the clients can be divided into different groups. Each group may be associated with one or more group attributes, such as a VLAN ID, user profile ID (user role) and firewall policy. When the client is being authenticated, the PSK, username and group can be identified. The group attributes can be applied to that client and its connection with the network. This allows different clients or groups of clients to be treated differently upon connection with the network, for example using different VLANs, different user profiles and/or different firewall policies.


In further embodiments, a preshared key may be exclusive to a user or alternatively to a specific client device. In the former case, a user may use their assigned exclusive preshared key for more than one simultaneous network connection. For example, if the user has two laptop computers, he/she can configure these two client devices and connect the two devices to the same wireless network. An exclusive preshared key may be associated with a connection limit to prevent a user from using the same preshared key for an unlimited number of simultaneous network connections. In the case of the latter, a preshared key may be associated with one or more specific client devices, for example using one or more MAC addresses or other unique client device identifiers. This prevents a preshared key from being used with any arbitrary client device.


Embodiments of the invention can employ exclusive preshared key techniques to a variety of applications. The following scenarios illustrate example applications for enabling guest access to a network and employee access to a network in small and large network deployments.



FIG. 2 illustrates an example 200 of authenticating guest users and exchanging cryptographic keys according to an embodiment of the invention. Example 200 illustrates an application of an embodiment of the invention allowing for free guest access to a network.


In example 200, a network administrator 205 creates a set (for example, 1024) of username/password pairs, derives PSKs from these pairs, and saves the PSKs. In an embodiment, the pregenerated preshared keys are saved 207 in a preshared key database associated with a guest manager application 210. The guest manager application 210 then distributes 208 these PSKs, or derived PMKs, to one or more wireless access points, including wireless access point 235 or other network devices, to prepare them to receive connections from clients. The pregenerated preshared keys may be distributed using a network device management application 215. Network device management application 215 may include management applications that operate outside of the data path of wireless access points as well as controller applications and devices that are inside of the data path of wireless access points and thus are required by the wireless access points' operation. Usernames, passwords, and/or preshared keys may be generated manually or automatically, for example as described above. In alternate implementations, wireless access points may derive PSKs from username/password pairs, and then derive PMKs from PSKs.


A receptionist 220 or other employee associated with the network accesses the Guest Manager application 209, for example via a graphical user interface, to provide 211 an unused PSK to a guest user 225. In an embodiment, the PSK, expired-time and other info can be printed out and handed to the guest user by the receptionist.


Then the guest user 225 can configure the PSK to his/her own wireless-enabled client device 230 (such as a computer or handheld device) to connect to the wireless network. After the guest's client device 230 gets associated with one of the wireless access points 235 of the network using its assigned preshared key, authentication proceeds as described above.


For example, the access point 235 sends a first message 215 including an A-Nonce to the client. The client 230 responds with a second message 217 including an S-Nonce and a MIC created using a PMK derived from the preshared key. In response to the second message 217, the wireless access point 235 will traverse its list of PSKs or PMKs to match the received MIC with a validation MIC, as described in method 100, thereby identifying the specific key used by the guest. After the client's key is found, the wireless access point 235 and client will continue their authentication and key exchange using messages 219 and 221.



FIG. 3 illustrates another example 300 of authenticating guest users and exchanging cryptographic keys according to an embodiment of the invention. Example 300 illustrates an application of an embodiment of the invention allowing for paid guest access to a network.


First, an administrator 305 will create a number (for example, 1024) of user accounts including username/password pairs, and send 306 them into the embedded RADIUS server 307 of the guest manager application 310, which derives PSKs from these pairs and saves the PSKs in the PSK database of the guest manager application 310. If the passwords are manually configured, the IT administrator 305 will also distribute 308 these passwords to wireless access points and other network devices, including wireless access point 320 either manually or automatically using a network device management application 315. Passwords may be automatically generated as described above.


A receptionist or other employee 325 associated with the network accesses the Guest Manager application 310, for example via a graphical user interface, to provide 327 an unused PSK to a guest user 330. In an embodiment, the PSK, expired-time and other info can be printed out and handed to the guest user 330 by the receptionist 325. Then the guest user 330 can configure the PSK to his/her own wireless-enabled client device 335 (such as a computer or handheld device) to connect to the wireless network.


After the guest's client device 335 gets associated with one of the wireless access points 320 of the network using its assigned preshared key, authentication proceeds similarly to that described above. For example, the access point 320 sends a first message 340 including an A-Nonce to the client 335.


The client 335 responds with a second message 342 including an S-Nonce and a MIC created using a PMK derived from the preshared key. In response to the second message 342, the wireless access point 320 or other network device will traverse its list of PSKs or PMKs to match the received MIC with a validation MIC, thereby identifying the specific key used by the guest.


After the client's key is found, the wireless access point 320 will provide the username and password corresponding to the identified PSK or PMK to the RADIUS server 307 to do RADIUS authentication using PAP, CHAP, MSCHAPv2, EAP, or any other authentication technique. In an embodiment, the RADIUS server 307 may be embedded in a guest manager application 310.


If the RADIUS authentication succeeds, the wireless access point 320 will continue the 4-way handshake by sending the third message 344 to the client device 335. The client device 335 will reply with the fourth message 346 to complete the 4-way handshake.


The wireless access point 320 will send an accounting start message 348 to an accounting server 350, which is optionally embedded in the guest manager application 310, to count the time or bandwidth used by the guest user 330. After the customer exhausts their time or bandwidth, the client device 335 of the guest user 330 will be disassociated from the wireless access point 320.



FIG. 4 illustrates an example 400 of authenticating users without an authentication server according to an embodiment of the invention. In an embodiment, employee access without an authentication server, such as a RADIUS server, is performed in a similar manner as that done for free guest access, described above. For example, first, an administrator 405 will configure a number (for example, 1024) of user accounts including username/password pairs. The username/password pairs are distributed 407 to wireless access points and other network devices, including wireless access point 415, for example using a management application 410. The wireless access points will derive PSKs from username/password pairs and derive PMKs from PSKs, preparing themselves for user access.


The administrator 405 will derive identical PSKs from username/password pairs and distribute 411 them to employees or other users, including guest user 420. The employees or administrators configure each client device, including guest user device 425, with its assigned PSK.


When the client device 425 starts to associate with one of the wireless access points 415, the wireless access point 415 will send the first message 432 of the 4-way handshake to the client 425. The client device 425 replies with the second message 434 including the S-Nonce and MIC. The wireless access point 415 will traverse the PSK list (or PMK list) to find a verification MIC matching the MIC provided in the second message 434, thereby identifying the PSK used by the employee.


After the PSK is found, the wireless access point 415 will send the third message 436 to client device 425. The client device 425 replies with the fourth message 438 to complete the 4-way handshake.



FIG. 5 illustrates an example 500 of authenticating users with an authentication server according to an embodiment of the invention. In an embodiment, employee access with an authentication server, such as a RADIUS server, is performed in a similar manner as that done for paid guest access, described above.


For example, first, an administrator 505 will create a number (for example, 1024) of user accounts including username/password pairs, send them into the authentication server 510, such as an embedded RADIUS server of a manager application, and derive PSKs from these pairs and save 509 the PSKs in the PSK database of the manager application 515. The administrator 505 will also distribute these usernames and optionally passwords to wireless access points and other network devices, including wireless access point 520, either manually or automatically using a network device management application 515. Passwords may be automatically generated as described above. The administrator 505 derives PSKs from username/password pairs using the management application 515 and dispatches 511 the PSKs to employees, including guest user 525.


The employees or administrators configure each client device, including guest user device 530, with its assigned PSK. When the client device 530 starts to associate with one of the wireless access points 520, the wireless access point 520 will send the first message 532 of the 4-way handshake to the client 530. The first message 532 includes an A-Nonce.


The client responds with a second message 534 including an S-Nonce and a MIC created using a PMK derived from the preshared key. In response to the second message 534, the wireless access point 520 will traverse the stored PSKs or PMKs to match the received MIC with a validation MIC, thereby identifying the specific key used by the guest user device 530.


After the client's key is found, the wireless access point 520 will provide the username and password corresponding to the identified PSK or PMK to the authentication server, such as a RADIUS server 510, to authenticate the user via PAP, CHAP, MSCHAPv2, EAP, or any other authentication technique. In an embodiment, the authentication server may be embedded in a network device manager application 515.


If the RADIUS authentication succeeds, the wireless access point 520 will continue the 4-way handshake by sending the third message 536 to the client device 530, for example including a GTK. The client device 530 will reply with a fourth message 538 to complete the 4-way handshake. Upon establishing a connection between the guest user device 530 and the wireless access point 520, the wireless access point 520 may notify the accounting server 540 to allow tracking and possible billing for network usage.


In a further embodiment, PSKs may be assigned creation times and expiration times. In an embodiment, these assigned times are stored by wireless access points in addition to their respective PSKs or PMKs. Upon receiving a second message from a client during the 4-way authentication and identifying the PSK or PMK used by the client, an embodiment of the invention compares the current time with the creation and expiration times associated with the PSK or PMK. If the current time is between the creation and expiration times, then authentication proceeds; otherwise the authorization fails and the client is disassociated from the wireless access point.


In an embodiment, multiple keys, such as PSKs, can be assigned to each user or client, to allow for seamless key changes when keys expire.


In an embodiment, a management application 515 can also revoke keys from clients. In this embodiment, a management application 515 directs wireless access points and other network devices to remove or mark invalid one or more specified keys. Once removed or marked invalid, a revoked key cannot be used by a client to access the network.


As described above, a wireless access point 520 generates and compares at least one and typically more validation MICs with a client-supplied MIC to identify the client's assigned PSK. In a further embodiment, upon successfully identifying a client's assigned PSK, a wireless access point or other network device forwards the client's MAC address or other identifier, such as a user name, to a roaming cache data structure accessible to other wireless access points or other devices. A roaming cache is a data structure stored in a memory that associates client identifiers, such as client MAC addresses or user names, with PSKs or PMKs. If the client later roams and attempts to connect to another wireless access point, the roaming cache is checked against the client's MAC address. If there is a matching entry, the associated PSK or PMK is used to finish the authentication of the roaming client. Additionally, any RADIUS or other authentication may be skipped if the client matches the roaming cache. If there are no matching roaming cache entries, then the wireless access point or other network device traverses its key list to calculate validation MICs to identify the client's PSK or PMK.


In still a further embodiment, a wireless access point or other network device can use a roaming cache to store previously connected clients' MAC addresses or other identifiers and their associations with PSKs or PMKs. In this embodiment, if a previously-connected client reconnects with the same wireless access point or other network device, or any other network device having access to the same roaming cache data, the network device may identify this client's PSK or PMK using the roaming cache, rather than traversing the list of all PSKs or PMKs to compare validation MICs. This decreases the time and computational costs when clients frequently reconnect with the same wireless access point or other network device.
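The AP-side procedure described above (message 2 MIC compared against validation MICs computed over the stored PMK list, the creation/expiration window check, management-directed revocation, and the roaming cache fast path) as an added example written for this page; it is not code from the patent or from any product. The PMK, PTK and MIC derivations follow the WPA2-Personal (IEEE 802.11i) definitions; the SSID, passphrases, MAC addresses, nonces, timestamps and the simplified EAPOL-Key frame layout are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

SSID = b"corp-guest"  # constructed SSID; WPA2-Personal uses it as the PBKDF2 salt


def derive_pmk(passphrase: str, ssid: bytes = SSID) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits) per 802.11i."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:64]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK, both MAC addresses and both nonces; the KCK is its first 16 bytes."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 (AKM 2) MIC: HMAC-SHA1 over the EAPOL-Key frame, truncated to 16 bytes."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def client_message2(pmk, ap_mac, sta_mac, anonce, snonce):
    """Client side of message 2: the frame with its MIC field zeroed, and the MIC over it."""
    ptk = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)
    frame = b"\x02\x03" + snonce + b"\x00" * 16  # constructed stand-in for the EAPOL-Key frame
    return frame, eapol_mic(ptk[:16], frame)

@dataclass
class KeyRecord:
    owner: str                   # user or user group the PSK is assigned to
    pmk: bytes
    valid_from: int              # creation time, epoch seconds
    valid_until: int             # expiration time, epoch seconds
    credential: Tuple[str, str]  # username/password forwarded to RADIUS after a match

class AccessPoint:
    def __init__(self, mac: bytes, keys: List[KeyRecord]):
        self.mac = mac
        self.keys = list(keys)
        self.roaming_cache: Dict[bytes, KeyRecord] = {}  # client MAC -> identified key
        self.mic_computations = 0                         # shows the work the cache saves

    def _matches(self, rec, sta_mac, anonce, snonce, frame, client_mic) -> bool:
        ptk = derive_ptk(rec.pmk, self.mac, sta_mac, anonce, snonce)
        self.mic_computations += 1
        return hmac.compare_digest(eapol_mic(ptk[:16], frame), client_mic)

    def identify_key(self, sta_mac, anonce, snonce, frame, client_mic, now):
        """Return ('ok'|'expired'|'unknown', record); 'expired' means disassociate."""
        cached = self.roaming_cache.get(sta_mac)
        # A client seen before is tried against its cached key first, then the full list.
        order = ([cached] if cached else []) + [k for k in self.keys if k is not cached]
        for rec in order:
            if not self._matches(rec, sta_mac, anonce, snonce, frame, client_mic):
                continue
            if not (rec.valid_from <= now <= rec.valid_until):
                return "expired", rec
            self.roaming_cache[sta_mac] = rec
            return "ok", rec
        return "unknown", None

    def revoke(self, owner: str) -> None:
        """Management-directed revocation: drop the key and any cache entries that use it."""
        self.keys = [k for k in self.keys if k.owner != owner]
        self.roaming_cache = {m: k for m, k in self.roaming_cache.items() if k.owner != owner}

def demo() -> dict:
    # Three constructed clients against one AP holding three constructed PMKs.
    ap_mac, now, day = bytes.fromhex("021122334455"), 1_500_000_000, 86400
    keys = [
        KeyRecord("guest-alpha", derive_pmk("alpha-passphrase-2017"), now - day, now + day, ("alpha", "pw-a")),
        KeyRecord("guest-bravo", derive_pmk("bravo-passphrase-2017"), now - day, now + day, ("bravo", "pw-b")),
        KeyRecord("contractor", derive_pmk("contractor-old-key"), now - 7 * day, now - day, ("ctr", "pw-c")),
    ]
    ap, r = AccessPoint(ap_mac, keys), {}

    def attempt(label, sta_mac, passphrase, seed):
        anonce = hashlib.sha256(b"anonce-" + seed).digest()  # fresh nonces per association
        snonce = hashlib.sha256(b"snonce-" + seed).digest()
        frame, mic = client_message2(derive_pmk(passphrase), ap_mac, sta_mac, anonce, snonce)
        before = ap.mic_computations
        r[label] = ap.identify_key(sta_mac, anonce, snonce, frame, mic, now)
        r[label + "_work"] = ap.mic_computations - before

    bravo = bytes.fromhex("02aabbccddee")
    attempt("first", bravo, "bravo-passphrase-2017", b"1")      # full traversal: 2 MICs
    attempt("reconnect", bravo, "bravo-passphrase-2017", b"2")  # roaming-cache hit: 1 MIC
    attempt("expired", bytes.fromhex("02aabbccdd01"), "contractor-old-key", b"3")
    attempt("unknown", bytes.fromhex("02aabbccdd02"), "not-a-provisioned-key", b"4")
    ap.revoke("guest-bravo")
    attempt("revoked", bravo, "bravo-passphrase-2017", b"5")    # cache entry gone as well
    return r
```

On a match the AP would forward `rec.credential` to the RADIUS server before sending message 3; the `mic_computations` counter makes visible that a cached client costs one validation MIC instead of a traversal of the whole key list.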



FIG. 6 illustrates a computer system suitable for implementing an embodiment of the invention. FIG. 6 is a block diagram of a computer system 2000, such as a personal computer or other digital device, suitable for practicing an embodiment of the invention. Embodiments of computer system 2000 include dedicated networking devices, such as wireless access points, network switches, hubs, routers, hardware firewalls, network traffic optimizers and accelerators, network attached storage devices, and combinations thereof.


Computer system 2000 includes a central processing unit (CPU) 2005 for running software applications and optionally an operating system. CPU 2005 may be comprised of one or more processing cores. Memory 2010 stores applications and data for use by the CPU 2005. Examples of memory 2010 include dynamic and static random access memory. Storage 2015 provides non-volatile storage for applications and data and may include fixed or removable hard disk drives, flash memory devices, ROM memory, and CD-ROM, DVD-ROM, Blu-ray, HD-DVD, or other magnetic, optical, or solid state storage devices. Memory 2010 may store a firmware image comprising applications and data adapted to be executed by computer system 2000.


Optional user input devices 2020 communicate user inputs from one or more users to the computer system 2000, examples of which may include keyboards, mice, joysticks, digitizer tablets, touch pads, touch screens, still or video cameras, and/or microphones. In an embodiment, user input devices may be omitted and computer system 2000 may present a user interface to a user over a network, for example using a web page or network management protocol and network management software applications.


Computer system 2000 includes one or more network interfaces 2025 that allow computer system 2000 to communicate with other computer systems via an electronic communications network, and may include wired or wireless communication over local area networks and wide area networks such as the Internet. Computer system 2000 may support a variety of networking protocols at one or more levels of abstraction. For example, computer system 2000 may support networking protocols at one or more layers of the seven-layer OSI network model. An embodiment of network interface 2025 includes one or more wireless network interfaces adapted to communicate with wireless clients and with other wireless networking devices using radio waves, for example using the 802.11 family of protocols, such as 802.11a, 802.11b, 802.11g, and 802.11n.


An embodiment of the computer system 2000 may also include a wired networking interface, such as one or more Ethernet connections to communicate with other networking devices via local or wide-area networks. In a further embodiment, computer system 2000 may be capable of receiving some or all of its required electrical power via the network interface 2025, for example using a power-over-Ethernet system on a wired networking interface.


The components of computer system 2000, including CPU 2005, memory 2010, data storage 2015, user input devices 2020, and network interface 2025, are connected via one or more data buses 2060. Additionally, some or all of the components of computer system 2000, including CPU 2005, memory 2010, data storage 2015, user input devices 2020, and network interface 2025, may be integrated together into one or more integrated circuits or integrated circuit packages. Furthermore, some or all of the components of computer system 2000 may be implemented as application-specific integrated circuits (ASICs) and/or programmable logic.


A power supply 2030 provides electrical power to the computer system 2000. Power supply 2030 may be adapted to draw electrical power from a connection with an electrical power distribution grid. In an embodiment, power supply 2030 is connected with network interface 2025 to draw electrical power for computer system 2000 from one or more wired network connections using a network power standard, such as IEEE 802.3af.


Although embodiments of the invention are discussed with reference to the IEEE 802.11i standard, embodiments of the invention are equally applicable to other standard and proprietary network authentication standards. Additionally, embodiments of the invention are not limited to 802.1x wireless network connections and may be utilized for any type of communication network where user authentication and/or network security is required.


Further embodiments can be envisioned to one of ordinary skill in the art from the specification and figures. In other embodiments, combinations or sub-combinations of the above disclosed invention can be advantageously made. The block diagrams of the architecture and flow charts are grouped for ease of understanding. However it should be understood that combinations of blocks, additions of new blocks, re-arrangement of blocks, and the like are contemplated in alternative embodiments of the present invention. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense. It will, however, be evident that various modifications and changes may be made thereunto without departing from the broader spirit and scope of the invention as set forth in the claims.

Claims
  • 1. A method comprising: receiving an exclusive preshared key assigned to a user group, each user of the user group being different from a device, wherein the exclusive preshared key is uniquely associated with the user group to prevent the exclusive preshared key from being used by other user groups and wherein each user of the user group is enabled to simultaneously use the exclusive preshared key on a plurality of devices on respective network connections; distributing, by a network device management application, the exclusive preshared key and a user credential of a user in the user group to a network device configured to provide wireless access to network services of a network; wirelessly connecting a client device to the network device for purposes of the client device attempting to authenticate for accessing the network services; determining, at the network device, whether a preshared key used by the client device to access the network services matches the exclusive preshared key; in response to determining the preshared key used by the client device matches the exclusive preshared key, sending, from the network device to an authentication server, the user credential for authentication of the client device; sending, by the network device, a message to an accounting server, the message instructing the accounting server to begin tracking an amount of time the client device has accessed the network services or an amount of bandwidth used by the client device in accessing the network services; and after the client device has accessed the network services for a predetermined period of time or has used a predetermined amount of bandwidth, terminating, by the network device, access to the network services.
  • 2. The method of claim 1, further comprising identifying whether the preshared key used by the client device matches the exclusive preshared key using a 4-way handshake authentication technique.
  • 3. The method of claim 1, further comprising: deriving, at the network device, a first pairwise master key from at least one exclusive preshared key distributed to the network device; receiving, from the client device, a second pairwise master key from the preshared key used by the client device, the second pairwise master key being derived by the client device; and determining, at the network device and based on the first pairwise master key and the second pairwise master key, whether the preshared key used by the client device matches the exclusive preshared key.
  • 4. The method of claim 1, further comprising: sending, from the network device to the client device, a first message in response to the client device being wirelessly connected to the network device; receiving, from the client device at the network device, a second message generated in response to the client device receiving the first message from the network device using the preshared key used by the client device; and determining, at the network device and based on the second message, whether the second message was generated by the client device using the exclusive preshared key assigned to the user group to identify whether the preshared key used by the client device matches the exclusive preshared key.
  • 5. The method of claim 1, further comprising: sending, from the network device to the client device, a first message in response to the client device being wirelessly connected to the network device; receiving, from the client device at the network device, a second message including a client generated message integrity code generated in response to the client device receiving the first message from the network device using the preshared key used by the client device; generating, at the network device, a verification message integrity code using the exclusive preshared key distributed to the network device; and determining, at the network device and based on the second message, whether the second message was generated by the client device using the exclusive preshared key based on whether the client generated message integrity code matches the verification message integrity code generated at the network device to identify whether the preshared key used by the client device matches the exclusive preshared key.
  • 6. The method of claim 1, further comprising: sending, from the network device to the client device, a first message in response to the client device being wirelessly connected to the network device; receiving, from the client device at the network device, a second message including a client generated message integrity code generated in response to the client device receiving the first message from the network device using the preshared key used by the client device to authenticate for accessing the network services; generating, at the network device, a plurality of verification message integrity codes using a locally stored plurality of exclusive preshared keys including the exclusive preshared key distributed to the network device; and determining, at the network device and based on the second message, whether the second message was generated by the client device using the exclusive preshared key based on whether the client generated message integrity code matches at least one verification message integrity code of the plurality of verification message integrity codes generated at the network device to identify whether the preshared key used by the client device matches the exclusive preshared key.
  • 7. The method of claim 1, further comprising: sending, from the network device to the client device, a first message in response to the client device being wirelessly connected to the network device; receiving, from the client device at the network device, a second message including a client generated message integrity code generated in response to the client device receiving the first message from the network device using the preshared key and encrypted using a pairwise transient key generated from an A-nonce included in the first message and the preshared key; generating, at the network device, a verification message integrity code using the exclusive preshared key distributed to the network device and an S-nonce included in the second message and determined at the network device from a separately calculated pairwise transient key determined at the network device using the exclusive preshared key; and determining, at the network device and based on the second message, whether the second message was generated by the client device using the exclusive preshared key assigned to the user group based on whether the client generated message integrity code matches the verification message integrity code generated at the network device to identify whether the preshared key used by the client device matches the exclusive preshared key.
  • 8. The method of claim 1, further comprising: sending, from the network device to the client device, a first message in response to the client device being wirelessly connected to the network device for purposes of the client device attempting to authenticate for accessing the network services; receiving, from the client device at the network device, a second message including a client generated message integrity code generated in response to the client device receiving the first message from the network device using the preshared key and encrypted using a pairwise transient key generated from an A-nonce included in the first message and the preshared key; generating, at the network device, a plurality of verification message integrity codes using a locally stored plurality of exclusive preshared keys included in the exclusive preshared key distributed to the network device and an S-nonce included in the second message and determined at the network device from a separately calculated pairwise transient key determined at the network device using at least one of the locally stored plurality of exclusive preshared keys; and determining, at the network device and based on the second message, whether the second message was generated by the client device using the exclusive preshared key assigned to the specific group of users based on whether the client generated message integrity code matches at least one verification message code of the plurality of verification message integrity codes generated at the network device to identify whether the preshared key used by the client device matches the exclusive preshared key.
  • 9. The method of claim 1, further comprising: receiving a username; and determining the exclusive preshared key to be assigned to the user group using the username as part of the exclusive preshared key.
  • 10. The method of claim 1, further comprising: distributing, by the network device management application, the exclusive preshared key to a second client device associated with the user in the user group; distributing, by the network device management application, the exclusive preshared key and the user credential of the user in the user group to a second network device configured to provide wireless access to the network services of the network, wherein the network device is a first network device; wirelessly connecting the second client device to the second network device; determining, at the second network device, whether a preshared key used by the second client device to authenticate for accessing the network services of the network through the second network device matches the exclusive preshared key assigned to the user group; in response to determining the preshared key used by the second client device matches the exclusive preshared key assigned to the user group, sending the user credential from the second network device to the authentication server; sending, by the second network device, a message to the accounting server, the message instructing the accounting server to begin tracking an amount of time the second client device has accessed the network services of the network or an amount of bandwidth used by the second client device in accessing the network services of the network; and after the second client device has accessed the network services for a predetermined period of time or has used a predetermined amount of bandwidth, terminating, by the second network device, access to the network services.
  • 11. A non-transitory computer-readable medium including instructions adapted to direct a computer to perform operations, the operations comprising: receiving an exclusive preshared key assigned to a user group, each user of the user group being different from a device, wherein the exclusive preshared key is uniquely associated with the user group to prevent the exclusive preshared key from being used by other user groups and wherein each user of the user group is enabled to simultaneously use the exclusive preshared key on a plurality of devices on respective network connections; distributing, by a network device management application, the exclusive preshared key and user credential of a user in the user group to a network device configured to provide wireless access to network services of a network; wirelessly connecting a client device to the network device for purposes of the client device attempting to authenticate for accessing the network services; determining, at the network device, whether a preshared key used by the client device to access the network services matches the exclusive preshared key; in response to determining the preshared key used by the client device matches the exclusive preshared key, sending, from the network device to an authentication server, the user credential for authentication of the client device; sending, by the network device, a message to an accounting server, the message instructing the accounting server to begin tracking an amount of time the client device has accessed the network services or an amount of bandwidth used by the client device in accessing the network services; and after the client device has accessed the network services for a predetermined period of time or has used a predetermined amount of bandwidth in accessing the network services, terminating, by the network device, access to the network services.
  • 12. The non-transitory computer-readable medium of claim 11, the operations further including identifying whether the preshared key used by the client device matches the exclusive preshared key using a 4-way handshake authentication technique.
  • 13. The non-transitory computer-readable medium of claim 11, the operations further including: deriving, at the network device, a first pairwise master key from at least one exclusive preshared key distributed to the network device; receiving, from the client device, a second pairwise master key from the preshared key used by the client device, the second pairwise master key being derived by the client device; and determining, at the network device and based on the first pairwise master key and the second pairwise master key, whether the preshared key used by the client device matches the exclusive preshared key.
  • 14. The non-transitory computer-readable medium of claim 11, the operations further including: sending, from the network device to the client device, a first message in response to the client device being wirelessly connected to the network device; receiving, from the client device at the network device, a second message generated in response to the client device receiving the first message from the network device using the preshared key used by the client device; and determining, at the network device and based on the second message, whether the second message was generated by the client device using the exclusive preshared key assigned to the user group to identify whether the preshared key used by the client device matches the exclusive preshared key.
  • 15. The non-transitory computer-readable medium of claim 11, the operations further including: sending, from the network device to the client device, a first message in response to the client device being wirelessly connected to the network device; receiving, from the client device at the network device, a second message including a client generated message integrity code generated in response to the client device receiving the first message from the network device using the preshared key used by the client device; generating, at the network device, a verification message integrity code using the exclusive preshared key distributed to the network device; and determining, at the network device and based on the second message, whether the second message was generated by the client device using the exclusive preshared key based on whether the client generated message integrity code matches the verification message integrity code generated at the network device to identify whether the preshared key used by the client device matches the exclusive preshared key.
  • 16. The non-transitory computer-readable medium of claim 11, the operations further including: sending, from the network device to the client device, a first message in response to the client device being wirelessly connected to the network device; receiving, from the client device at the network device, a second message including a client generated message integrity code generated in response to the client device receiving the first message from the network device using the preshared key used by the client device to authenticate for accessing the network services of the network; generating, at the network device, a plurality of verification message integrity codes using a locally stored plurality of exclusive preshared keys including the exclusive preshared key distributed to the network device; and determining, at the network device and based on the second message, whether the second message was generated by the client device using the exclusive preshared key based on whether the client generated message integrity code matches at least one verification message integrity code of the plurality of verification message integrity codes generated at the network device to identify whether the preshared key used by the client device matches the exclusive preshared key.
  • 17. The non-transitory computer-readable medium of claim 11, the operations further including: sending, from the network device to the client device, a first message in response to the client device being wirelessly connected to the network device; receiving, from the client device at the network device, a second message including a client generated message integrity code generated in response to the client device receiving the first message from the network device using the preshared key and encrypted using a pairwise transient key generated from an A-nonce included in the first message and the preshared key; generating, at the network device, a verification message integrity code using the exclusive preshared key distributed to the network device and an S-nonce included in the second message and determined at the network device from a separately calculated pairwise transient key determined at the network device using the exclusive preshared key; and determining, at the network device and based on the second message, whether the second message was generated by the client device using the exclusive preshared key assigned to the user group based on whether the client generated message integrity code matches the verification message integrity code generated at the network device to identify whether the preshared key used by the client device matches the exclusive preshared key.
  • 18. The non-transitory computer-readable medium of claim 11, the operations further including: sending, from the network device to the client device, a first message in response to the client device being wirelessly connected to the network device for purposes of the client device attempting to authenticate for accessing the network services of the network through the network device; receiving, from the client device at the network device, a second message including a client generated message integrity code generated in response to the client device receiving the first message from the network device using the preshared key and encrypted using a pairwise transient key generated from an A-nonce included in the first message and the preshared key; generating, at the network device, a plurality of verification message integrity codes using a locally stored plurality of exclusive preshared keys included in the exclusive preshared key distributed to the network device and an S-nonce included in the second message and determined at the network device from a separately calculated pairwise transient key determined at the network device using at least one of the locally stored plurality of exclusive preshared keys; and determining, at the network device and based on the second message, whether the second message was generated by the client device using the exclusive preshared key assigned to the specific group of users based on whether the client generated message integrity code matches at least one verification message code of the plurality of verification message integrity codes generated at the network device to identify whether the preshared key used by the client device matches the exclusive preshared key.
  • 19. The non-transitory computer-readable medium of claim 11, the operations: distributing, by the network device management application, the exclusive preshared key to a second client device associated with the user in the user group; distributing, by the network device management application, the exclusive preshared key and the user credential of the user in the user group to a second network device configured to provide wireless access to the network services of the network, wherein the network device is a first network device; wirelessly connecting the second client device to the second network device; determining, at the second network device, whether a preshared key used by the second client device to authenticate for accessing the network services of the network through the second network device matches the exclusive preshared key assigned to the user group; in response to determining the preshared key used by the second client device matches the exclusive preshared key assigned to the user group, sending the user credential from the second network device to the authentication server; sending, by the second network device, a message to the accounting server, the message instructing the accounting server to begin tracking an amount of time the second client device has accessed the network services of the network or an amount of bandwidth used by the second client device in accessing the network services; and after the second client device has accessed the network services for a predetermined period of time or has used a predetermined amount of bandwidth, terminating, by the second network device, access to the network services.
CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation application of U.S. patent application Ser. No. 12/485,041, filed Jun. 16, 2009, which claims priority to U.S. Provisional Patent Application No. 61/111,210, filed Nov. 4, 2008, both of which are incorporated by reference herein for all purposes.

20070116011 Lim et al. May 2007 A1
20070121947 Sood et al. May 2007 A1
20070133407 Choi et al. Jun 2007 A1
20070140191 Kojima Jun 2007 A1
20070150720 Oh et al. Jun 2007 A1
20070153697 Kwan Jul 2007 A1
20070153741 Blanchette et al. Jul 2007 A1
20070156804 Mo Jul 2007 A1
20070160017 Meier et al. Jul 2007 A1
20070171885 Bhagwat et al. Jul 2007 A1
20070192862 Vermeulen et al. Aug 2007 A1
20070195761 Tatar et al. Aug 2007 A1
20070206552 Yaqub Sep 2007 A1
20070247303 Payton Oct 2007 A1
20070248014 Xie Oct 2007 A1
20070249324 Jou et al. Oct 2007 A1
20070263532 Mirtorabi et al. Nov 2007 A1
20070280481 Eastlake Dec 2007 A1
20070288997 Meier et al. Dec 2007 A1
20080002642 Borkar et al. Jan 2008 A1
20080022392 Karpati Jan 2008 A1
20080037552 Dos Remedios et al. Feb 2008 A1
20080080369 Sumioka Apr 2008 A1
20080080377 Sasaki et al. Apr 2008 A1
20080090575 Barak et al. Apr 2008 A1
20080095094 Innami Apr 2008 A1
20080095163 Chen et al. Apr 2008 A1
20080107027 Allan et al. May 2008 A1
20080109879 Bhagwat et al. May 2008 A1
20080130495 Dos Remedios et al. Jun 2008 A1
20080146240 Trudeau Jun 2008 A1
20080151751 Ponnuswamy et al. Jun 2008 A1
20080159128 Shaffer Jul 2008 A1
20080159135 Caram Jul 2008 A1
20080170527 Lundsgaard et al. Jul 2008 A1
20080186932 Do et al. Aug 2008 A1
20080194271 Bedekar et al. Aug 2008 A1
20080207215 Chu et al. Aug 2008 A1
20080209186 Boden Aug 2008 A1
20080212562 Bedekar et al. Sep 2008 A1
20080219286 Ji et al. Sep 2008 A1
20080225857 Lange Sep 2008 A1
20080229095 Kalimuthu et al. Sep 2008 A1
20080240128 Elrod Oct 2008 A1
20080253370 Cremin et al. Oct 2008 A1
20080273520 Kim et al. Nov 2008 A1
20080279161 Stirbu et al. Nov 2008 A1
20090019521 Vasudevan Jan 2009 A1
20090028052 Stater et al. Jan 2009 A1
20090040989 da Costa et al. Feb 2009 A1
20090043901 Mizikovsky et al. Feb 2009 A1
20090082025 Song Mar 2009 A1
20090088152 Orlassino Apr 2009 A1
20090097436 Vasudevan et al. Apr 2009 A1
20090111468 Burgess et al. Apr 2009 A1
20090113018 Thomson et al. Apr 2009 A1
20090141692 Kasslin et al. Jun 2009 A1
20090144740 Gao Jun 2009 A1
20090168645 Tester et al. Jul 2009 A1
20090172151 Davis Jul 2009 A1
20090197597 Kotecha Aug 2009 A1
20090207806 Makela et al. Aug 2009 A1
20090239531 Andreasen et al. Sep 2009 A1
20090240789 Dandabany Sep 2009 A1
20090247170 Balasubramanian et al. Oct 2009 A1
20090257380 Meier Oct 2009 A1
20090303883 Kucharczyk et al. Dec 2009 A1
20090307751 Lin Dec 2009 A1
20090310557 Shinozaki Dec 2009 A1
20100020753 Fulknier Jan 2010 A1
20100046368 Kaempfer et al. Feb 2010 A1
20100057930 DeHaan Mar 2010 A1
20100061234 Pai et al. Mar 2010 A1
20100067379 Zhao et al. Mar 2010 A1
20100112540 Gross et al. May 2010 A1
20100115278 Shen May 2010 A1
20100115576 Hale et al. May 2010 A1
20100132040 Bhagwat et al. May 2010 A1
20100195585 Horn Aug 2010 A1
20100208614 Harmatos Aug 2010 A1
20100228843 Ok et al. Sep 2010 A1
20100238871 Tosic Sep 2010 A1
20100240313 Kawai Sep 2010 A1
20100254316 Sendrowicz Oct 2010 A1
20100260091 Seok Oct 2010 A1
20100290397 Narayana et al. Nov 2010 A1
20100304738 Lim et al. Dec 2010 A1
20100311420 Reza et al. Dec 2010 A1
20100322217 Jin et al. Dec 2010 A1
20100325720 Etchegoyen Dec 2010 A1
20110004913 Nagarajan et al. Jan 2011 A1
20110040867 Kalbag Feb 2011 A1
20110051677 Jetcheva et al. Mar 2011 A1
20110055326 Michaelis et al. Mar 2011 A1
20110055928 Brindza Mar 2011 A1
20110058524 Hart et al. Mar 2011 A1
20110064065 Nakajima et al. Mar 2011 A1
20110085464 Nordmark et al. Apr 2011 A1
20110182225 Song et al. Jul 2011 A1
20110185231 Balestrieri et al. Jul 2011 A1
20110222484 Pedersen Sep 2011 A1
20110258641 Armstrong et al. Oct 2011 A1
20110292897 Wu et al. Dec 2011 A1
20120014386 Xiong et al. Jan 2012 A1
20120290650 Montuno et al. Nov 2012 A1
20120322435 Erceg Dec 2012 A1
20130003729 Raman et al. Jan 2013 A1
20130003739 Raman et al. Jan 2013 A1
20130003747 Raman et al. Jan 2013 A1
20130028158 Lee et al. Jan 2013 A1
20130059570 Hara et al. Mar 2013 A1
20130086403 Jenne et al. Apr 2013 A1
20130103833 Ringland et al. Apr 2013 A1
20130188539 Han Jul 2013 A1
20130227306 Santos et al. Aug 2013 A1
20130227645 Lim Aug 2013 A1
20130230020 Backes Sep 2013 A1
20130250811 Vasseur et al. Sep 2013 A1
20140269327 Fulknier et al. Sep 2014 A1
20140298467 Bhagwat et al. Oct 2014 A1
20150120864 Unnimadhavan et al. Apr 2015 A1
Foreign Referenced Citations (11)
Number Date Country
1642143 Jul 2005 CN
0940999 Sep 1999 EP
1732276 Dec 2006 EP
1771026 Apr 2007 EP
1490773 Jan 2013 EP
0059251 Oct 2000 WO
0179992 Oct 2001 WO
2004042971 May 2004 WO
2006129287 Dec 2006 WO
WO 2006129287 Dec 2006 WO
2009141016 Nov 2009 WO
Non-Patent Literature Citations (16)
Entry
IEEE 802.11i, Jul. 23, 2004.
“Wi-Fi Protected Access 2 (WPA 2) Configuration Example,” Jan. 21, 2008. (Year: 2008).
Wikipedia, “Client (computing).”
Chirumamilla, Mohan K. et al., “Agent Based Intrustion Detection and Response System for Wireless LANs,” CSE Conference and Workshop Papers, Paper 64, Jan. 1, 2003.
Clausen, T., et al., “Optimized Link State Routing Protocol (OLSR),” Network Working Group, pp. 1-71, Oct. 2003.
Craiger, J. Philip, “802.11, 802.1x, and Wireless Security,” SANS Institute InfoSec Reading Room, Jun. 23, 2002.
Finlayson, Ross et al., “A Reverse Address Resolution Protocol,” Nework Working Group, Request for Comments: 903 (RFC 903), Jun. 1984.
He, Changhua et al., “Analysis of the 802.11i 4-Way Handshake,” Proceedings of the 3rd ACM Workshop on Wireless Security, pp. 43-50, Oct. 2004.
Lee, Jae Woo et al, “z2z: Discovering Zeroconf Services Beyond Local Link,” 2007 IEEE Globecom Workshops, pp. 1-7, Nov. 26, 2007.
Perkins, C., et al., “Ad hoc On-Demand Distance Vector (AODV) Routing,” Network Working Group, pp. 1-35, Oct. 2003.
Wu, Haitao et al., “Layer 2.5 SoftMAC: End-System Based Media Streaming Support on Home Networks,” IEEE Global Telecommunications Conference (Globecom '05), vol. 1, pp. 235-239, Nov. 2005.
European Patent Application No. 11823931.8, Search Report dated Aug. 29, 2016.
European Patent Application No. 12879114.2, Search Report dated Jan. 21, 2016.
International Application No. PCT/US2008/061674, International Search Report and Written Opinion dated Oct. 14, 2008.
International Application No. PCT/US2011/047591, International Search Report and Written Opinion dated Dec. 19, 2011.
International Application No. PCT/US2012/059093, International Search Report and Written Opinion dated Jan. 4, 2013.
Related Publications (1)
Number Date Country
20170230824 A1 Aug 2017 US
Provisional Applications (1)
Number Date Country
61111210 Nov 2008 US
Continuations (1)
Number Date Country
Parent 12485041 Jun 2009 US
Child 15496522 US