Patent Application
20070047477
The present invention relates to a system and method for providing an authentication protocol for authenticating nodes for access to a network, such as to a server of a wireless ad-hoc peer-to-peer network. More particularly, the present invention relates to a wireless communication network, such as a mobile wireless distribution system (WDS), that employs an Extensible Authentication Protocol Over Local Area Network (EAPOL) proxy to authenticate nodes for access to the network.
Wireless communication networks, such as mobile wireless telephone networks, have become increasingly prevalent over the past decade. These wireless communications networks are commonly referred to as “cellular networks”, because the network infrastructure is arranged to divide the service area into a plurality of regions called “cells”. A terrestrial cellular network includes a plurality of interconnected base stations, or base nodes, that are distributed geographically at designated locations throughout the service area. Each base node includes one or more transceivers that are capable of transmitting and receiving electromagnetic signals, such as radio frequency (RF) communications signals, to and from mobile user nodes, such as wireless telephones, located within the coverage area. The be appreciated by one skilled in the art, network nodes transmit and receive data packet communications in a multiplexed format, such as time-division multiple access (TDMA) format, code-division multiple access (CDMA) format, or frequency-division multiple access (FDMA) format, which enables a single transceiver at a first node to communicate simultaneously with several other nodes in its coverage area.
In recent years, a type of mobile communications network known as an “ad-hoc” network has been developed. In this type of network, each mobile node is capable of operating as a base station or router for the other mobile nodes, thus eliminating the need for a fixed infrastructure of base stations. More sophisticated ad-hoc networks are also being developed which, in addition to enabling mobile nodes to communicate with each other as in a conventional ad-hoc network, further enable the mobile nodes to access a fixed network and thus communicate with other mobile nodes, such as those on the public switched telephone network (PSTN), and on other networks such as the Internet. Details of these advanced types of ad-hoc networks are described in U.S. patent application Ser. No. 09/897,790 entitled “Ad Hoc Peer-to-Peer Mobile Radio Access System Interfaced to the PSTN and Cellular Networks”, filed on Jun. 29, 2001, in U.S. patent application Ser. No. 09/815,157 entitled “Time Division Protocol for an Ad-Hoc, Peer-to-Peer Radio Network Having Coordinating Channel Access to Shared Parallel Data Channels with Separate Reservation Channel”, filed on Mar. 22, 2001, now U.S. Pat. No. 6,817,165, and in U.S. patent application Ser. No. 09/815,164 entitled “Prioritized-Routing for an Ad-Hoc, Peer-to-Peer, Mobile Radio Access System”, filed on Mar. 22, 2001, now U.S. Pat. No. 6,873,839, the entire content of each being incorporated herein by reference.
As can be appreciated from the nature of wireless ad-hoc mobile networks, it is necessary for the network to be capable of recognizing whether a wireless more radio is authorized to access the network. Accordingly, a need exists for a process for authenticating radios or nodes for access to the wireless ad-hoc network.
The accompanying figures, where like reference numerals refer to identical or functionally similar elements throughout the separate views and which together with the detailed description below are incorporated in and form part of the specification, serve to further illustrate various embodiments and to explain various principles and advantages all in accordance with the present invention.
Skilled artisans will appreciate that elements in the figures are illustrated for simplicity and clarity and have not necessarily been drawn to scale. For example, the dimensions of some of the elements in the figures may be exaggerated relative to other elements to help to improve understanding of embodiments of the present invention.
Before describing in detail embodiments that are in accordance with the present invention, it should be observed that the embodiments reside primarily in combinations of method steps and apparatus components related to an Extensible Authentication Protocol Over LAN (EAPOL) proxy in a wireless network for node to node authentication. Accordingly, the apparatus components and method steps have been represented where appropriate by conventional symbols in the drawings, showing only those specific details that are pertinent to understanding the embodiments of the present invention so as not to obscure the disclosure with details that will be readily apparent to those of ordinary skill in the art having the benefit of the description herein.
In this document, relational terms such as first and second, top and bottom, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. The terms “comprises,” “comprising,” or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. An element proceeded by “comprises . . . a” does not, without more constraints, preclude the existence of additional identical elements in the process, method, article, or apparatus that comprises the element.
It will be appreciated that embodiments of the invention described herein may be comprised of one or more conventional processors and unique stored program instructions that control the one or more processors to implement, in conjunction with certain non-processor circuits, some, most, or all of the functions of an EAPOL proxy in a wireless network for node to node authentication described herein. The non-processor circuits may include, but are not limited to, a radio receiver, a radio transmitter, signal drivers, clock circuits, power source circuits, and user input devices. As such, these functions may be interpreted as steps of a method to perform operations to achieve an EAPOL proxy in a wireless network for node to node authentication. Alternatively, some or all functions could be implemented by a state machine that has no stored program instructions, or in one or more application specific integrated circuits (ASICs), in which each function or some combinations of certain of the functions are implemented as custom logic. Of course, a combination of the two approaches could be used. Thus, methods and means for these functions have been described herein. Further, it is expected that one of ordinary skill, notwithstanding possibly significant effort and many design choices motivated by, for example, available time, current technology, and economic considerations, when guided by the concepts and principles disclosed herein will be readily capable of generating such software instructions and programs and ICs with minimal experimentation.
As can be appreciated by one skilled in the art, the nodes 102, 106 and 107 are capable of communicating with each other directly, or via one or more other nodes 102, 106 or 107 operating as a router or routers for packets being sent between nodes, as described in U.S. patent application Ser. No. 09/897,790 and U.S. Pat. Nos. 6,807,165 and 6,873,839, referenced above.
As shown in
Each node 102, 106 and 107 further includes a memory 114, such as a random access memory (RAM) that is capable of storing, among other things, routing information pertaining to itself and other nodes in the network 100. As further shown in
As will now be discussed, the present invention provides a system and method for providing an authentication protocol for authenticating nodes for access to a network, such as a server of a wireless ad-hoc peer-to-peer network. The system and method enables a wireless communication network, such as a mobile wireless distribution system (WDS), that employs an extensible authentication protocol over LAN (EAPOL) proxy to authenticate nodes for access to the network via mobile or stationary access points.
Specifically, the present invention provides a system and method for authenticating a node for access to a wireless communication network, such as an ad-hoc peer-to-peer wireless communication network, with the wireless communication network including a wired network and a wired access point that is wired to the wired network and enables communication between the wired network and wireless nodes. The system and method employ the operations of establishing the wired access point as an authenticator that is adapted to authenticate wireless node in the network, controlling the wireless node to send authentication information to the authenticator wired access point when the wireless node attempts to access the network, and controlling the authenticator wired access point to determine whether the authentication information is valid to permit access to the network by the wireless node when the authenticator wired access point receives the authentication information. The wireless node can be a mobile wireless node or itself a wireless access point that can be stationary or mobile.
As can be appreciated by one skilled in the art, the IEEE 802.1x specification describes an authentication framework for 802 based LANs. Details of these authentication frameworks can be found in the IEEE 802.1X specification, 2001 (EAPOL & 802.1X) and in RFC 2284: PPP Extensible Authentication Protocol (EAP), March 1998, for example, the contents of both of these documents are incorporated herein by reference. As discussed in more detail below, when used in wireless LANs, wireless Access Points (AP) can authenticate wireless users or stations with a backend Remote Authentication Dial-In User Service (RADIUS) Authentication Server. The user's credentials, such as user id and password, are stored in advance in the RADIUS Authentication Server, and are established in advance either by system administrator or user self-registration via some other communication channels. For example, when a user activates for the first time, the user can be prompted to answer a series of questions via a different medium, such as a secured web site or telephone line, to activate his or her unit. Also, each unit may have a serial number or other identifier that the network can recognize based on the network's security policy. At the very basic level, as long as the user id and password typed in by the user are the same as the pre-configured user id and password in RADIUS server, the network will allow access to that user's node.
When a wireless user then subsequently wants to access the network and, in particular, the wired network resource, the user will exchange messages with the wireless Access Point, which in turn will relay the message between the wireless user and the RADIUS Authentication Server. The exchange between the user and the wireless Access Point can be direct if they are within broadcast range of each other, or via other intermediate nodes as discussed above with regard to
Three components are identified in the 802.1x framework: Supplicant, Authenticator and Authentication Server, which are shown in
For a fixed located Authenticator 122, this task is relative easy to accomplish. For users, the password is associated with the user id. For the Authenticator 122, the secret identifier is associated with the IP address of the Authenticator 122. Sometimes, a mobile AP (Authenticator) will dynamically receive its IP address when the mobile AP joins the network. Therefore, it may not be practical to statically configure within a RADIUS server both the IP address and the associated secret identifier for a mobile Authenticator. However, for a fixed IAP, the IP address can be pre-assigned and therefore the IP address and secret identifier pair can be pre-configured in RADIUS server.
It is also noted that any of the IAPs 106 can be a mobile IAP as described, for example, in U.S. patent application Ser. No. 09/929,030 of Masood Garahi and Peter J. Stanforth entitled “Movable Access Points and Repeaters for Minimizing Coverage and Capacity Constraints in a Wireless Communications Network and a Method for Using the Same”, the entire content of which is incorporated herein by reference. These mobile IAPs communicate with other mobile or fixed IAPs via any suitable backhaul technology, such as microwave.
In a mobile access point network such as a mobile wireless distribution system (WDS), the Access Points are meshed together and form a meshed mobile wireless network. As understood in the art, a wireless meshed network can also be referred to as a wireless ad-hoc peer-to-peer network in which devices or “nodes” can hop through each other to reach other devices in the network as described above with regard to
As further shown in
For a STA 140 or a MAP 142 or 144 that is one-hop away from an MIAP 138 to authenticate to an MIAP 138, the standard 802.1× framework can be applied where the Supplicant, Authenticator, RADIUS client and RADIUS server are involved. If a STA wants to authenticate to a MAP or a MAP wants to authenticate to another one-hop away authenticated MAP, a new mechanism, namely, an EAPOL proxy, will be used since a statically provisioned RADIUS client in MAP is not desirable.
For example as shown in
When a bounded MAP (Authenticator) (e.g. MAP 144) receives an EAPOL message during transmission 150 from a STA 140 or a MAP 142 wishing to be authenticated, the bounded MAP 144 uses an EAPOL proxy client instead of RADIUS client to send the messages to the MIAP in transmission 152. The EAPOL proxy client puts the EAPOL message into the MEA link layer packets instead of RADIUS packets as does the RADIUS Client. The MIAP has an EAPOL proxy server which unpacks the EAPOL messages from the MEA link layer packets. The proxy server then uses a RADIUS client to repack the EAPOL messages onto the RADIUS packets and send to the backend RADIUS Server in transmission 154. As original Supplicant-Authenticator-Authentication Server framework, the authentication messages between the Supplicant 120 and the Authentication Server 124 depend on the authentication protocols used. The security association is between the Supplicant 120 and the bounded MAP 144 is thus established for communications 156.
As can be appreciated from the above, the authentication system and method according to the embodiment of the present invention described herein provides certain advantages, such as it allows for an extended 802.1x framework into mobile Meshed WDS. Furthermore, since a RADIUS client is not required for the authenticator, it will easily meet the auto-configuration requirement for the mobile meshed access points. In addition, the MAP can have faster handoff between two MIAPs. The MAP normally maintains one-hop security associations with all of its neighboring nodes, thus, no new authentication process is needed when the MAP switches to a new MIAP through either the same neighboring node or the different neighboring node.
In the foregoing specification, specific embodiments of the present invention have been described. However, one of ordinary skill in the art appreciates that various modifications and changes can be made without departing from the scope of the present invention as set forth in the claims below. Accordingly, the specification and figures are to be regarded in an illustrative rather than a restrictive sense, and all such modifications are intended to be included within the scope of present invention. The benefits, advantages, solutions to problems, and any element(s) that may cause any benefit, advantage, or solution to occur or become more pronounced are not to be construed as a critical, required, or essential features or elements of any or all the claims. The invention is defined solely by the appended claims including any amendments made during the pendency of this application and all equivalents of those claims as issued.
