The invention provides an apparatus and a method controlling access by a user terminal to a communications network, and in particular, an apparatus and a method for controlling access by a mobile terminal to a WLAN by accommodating for each mobile terminal its particular capabilities and selecting accordingly, the optimum available authentication mechanism.
The context of the present invention is the family of wireless local area networks or (WLAN) employing the IEEE 802.1x architecture having an access point that provides access for mobile devices and to other networks, such as hard d wired local area and global networks, such as the Internet. Advancements in WLAN technology have resulted in the publicly accessible at rest stops, cafes, libraries and similar public facilities (“hot spots”). Presently, public WLANs offer mobile communication device users access to a private data network, such as a corporate intranet, or a public data network such as the Internet, peer-to-peer communication and live wireless TV broadcasting. The relatively low cost to implement and operate a public WLAN, as well as the available high bandwidth (usually in excess of 10 Megabits/second) makes the public WLAN an ideal access mechanism through which mobile wireless communications device users can exchange packets with an external entity, however as will be discussed below, such open deployment may compromise security unless adequate means for identification and authentication exists.
When a user operating a terminal incorporating the IEEE 802.1x protocol (“client terminal” or simply “IEEE 802.1x client”) attempts to access a public WLAN at a hot spot, the IEEE 802.1x client terminal would begin the authentication process according to its current machine configuration. After authentication, the public WLAN opens a secure data channel to the mobile communications device to protect the privacy of data passing between the WLAN and the device. Presently, many manufacturers of WLAN equipment have adopted the IEEE 802.1x protocol for deployed equipment. However, other devices utilizing WLAN may use other protocols such as may be provided by wired electronic privacy (WEP). Notably, the predominant authentication mechanism for WLAN utilizes the IEEE 802.1x protocol. Unfortunately, the IEEE 802.1x protocol was designed with private LAN access as its usage model. Hence, the IEEE 802.1x protocol does not provide certain convenient features necessary in a public WLAN environment. A further problem with the current predominant standard is that it requires IEEE 802.1x protocol client software installation and configuration. In addition, the IEEE 802.1x protocol does not have a sophisticated mechanism for interacting with the user. The access point can only send simple messages to the client via electronic access point (EAP) notification. This may be sufficient for an enterprise setting, but in a hot spot the access point might require that the user accept an end user license before permitting access. In some instances, the access point needs to inform the user about service charges. One solution would be to provide the access point the capability to interact with the users via the web browser interface.
Most existing WLAN hot spot wireless providers use a web browser based solution for user authentication and access control offering convenience to the user that does not require any software download on the user device. As illustrated in
What is desired is an apparatus and a method for improving the security, or control of access by a user terminal, to a communications network, in particular the control of access by a mobile terminal to a wireless local area network.
The invention provides a method for controlling the access by a terminal device by determining the type of authentication protocol associated with the terminal device and automatically routing the authentication request to the appropriate authentication server. Specifically, the invention herein provides a method for controlling the access of a terminal device in a WLAN environment by determining whether a terminal device utilizes an IEEE 802.1x protocol, comprising the steps of an access point communicating to the mobile terminal a request to identify, and if the mobile terminal utilizes an IEEE 802.1x protocol acknowledging the request to identify, otherwise the access point determines that the mobile terminal does not employ a IEEE 802.1x protocol and therefore selects an authentication mechanism compatible with the mobile terminal.
If the terminal device is not IEEE 802.1x compliant the access point initiates a state in the access point that indicates the terminal is a non-IEEE 802.1x protocol and configures an IP packet filter and redirects a user HTTP request to a local server. The process of the present invention may also communicate from the local server to the terminal device information specifically related to a browser-based authentication. If the device utilizes the IEEE 802.1x protocol, the access point transitions to a state that indicates that the mobile terminal is IEEE 802.1x compliant and thereafter processes all further communication utilizing the IEEE 802.1x protocol. In the event that the authentication process fails, then one embodiment of the present invention initiates in the access point, a failure condition.
One embodiment of the invention for improving the security of a terminal device in a WLAN environment utilizes the access point for determining whether the device utilizes an IEEE 802.1x protocol, by having the access point communicate to the terminal device a Request-Identity EAP packet, whereby if the devices utilizes a IEEE 802.1x protocol the device responds with a Response-Identity EAP packet and otherwise the access point determines that the mobile terminal protocol does not employ a IEEE 802.1x protocol (e.g. based on timeout) and selects an authentication mechanism compatible with the mobile terminal.
The invention for improving the security of a terminal device in a WLAN environment also includes an apparatus comprised of an access point in communication with a terminal device in a WLAN environment utilizing a means to determine whether the terminal device utilizes an IEEE 802.1x protocol and if the terminal does not utilize said protocol then the access point employs an authentication means compatible with the terminal device otherwise the access point employs an IEEE 802.1x protocol. The access point means to determine includes communicating to the terminal device a Request-Identity EAP packet and if the mobile terminal utilizes the IEEE 802.1x protocol the access receives a Response-Identity EAP packet. The access point further comprises the means to configure an IP packet filtering to redirect the device HTTP request to a local server if the terminal device does not utilize said protocol.
In a further embodiment of the apparatus, the access point includes a means to communicate IEEE 802.1x protocol exchanges and means to establish IP packet filtering through an IP filter module and state information for the HTTP server to control the terminal device access during and after IEEE 802.1x based authentication process if the access point detects that the terminal device is an IEEE 802.1x client.
The invention is best understood from the following detailed description when read in connection with the accompanying drawing. The various features of the drawings are not specified exhaustively. On the contrary, the various features may be arbitrarily expanded or reduced for clarity. Included in the drawing are the following figures:
In the figures to be discussed the circuits and associated blocks and arrows represent functions of the process according to the present invention, which may be implemented as electrical circuits and associated wires or data busses, that transport electrical signals. Alternatively, one or more associated arrows may represent communication (e.g., data flow) between software routines, particularly when the present method or apparatus of the present invention is implemented as a digital process.
In accordance with
As further illustrated in
In accordance with the present principles of the invention, an access 160 enables each mobile terminals 1401-n, to securely access a WLAN 115 by authenticating the mobile terminal 1401-n as well as its communication stream in accordance with the IEEE 802.1x protocol or other optional protocol as the specific terminal 1401-n may choose. The manner in which the access 160 enables such secure access can best be understood by reference to
With reference to
More particularly,
In the case where the access point 130n detects that the terminal device is an IEEE 802.1x client, it permits normal IEEE 802.1x protocol communication exchanges to proceed through the access point 130n and sets up appropriate IP packet filtering through IP filter module 330 and state information for the HTTP server 120 to control the mobile terminal 140n user access during and after IEEE 802.1x based authentication process.
As indicated above, the WLAN 115 system must maintain proper state information for the system to function properly. Such state information will be provided by the access point 130n 802.1x engine, which is used by, among other things, the packet filtering function 330 and the HTTP server 120. With reference to
The access point includes an 802.1x engine 325, which is a module that implements the IEEE 802.1x protocol with the determining means necessary to carry out the steps of the invention. Such means to select from one or more available security protocols is well known by those skilled in the art of programming and engineering in a WLAN environment. The 802.1x engine 325 is therefore responsible for client detection and providing the client capability information to other modules of the system. In addition it also implements RADIUS client functionality to convert EAP messages to RADIUS messages. The packet filter module 330 is responsible for filtering packets based on the criteria set by other modules.
Referring to
In a further embodiment of the apparatus, the access point includes a means to communicate IEEE 802.1x protocol exchanges and means to establish IP packet filtering through an IP filter module and state information for the HTTP server to control the terminal device access during and after IEEE 802.1x based authentication process if the access point detects that the terminal device is an IEEE 802.1x client.
It is to be understood that the form of this invention as shown is merely a preferred embodiment. Various changes may be made in the function and arrangement of parts; equivalent means may be substituted for those illustrated and described; and certain features may be used independently from others without departing from the spirit and scope of the invention as defined in the following claims.
This application claims the benefit, under 35 U.S.C. §365 of International Application PCT/US04/07805, filed Mar. 12, 2004, which was published in accordance with PCT Article 21(2) on Sep. 30, 2004 in English and which claims the benefit of U.S. provisional patent application No. 60/454,558, filed Mar. 14, 2003.
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/US2004/007805 | 3/12/2004 | WO | 00 | 9/14/2005 |
Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO2004/084464 | 9/30/2004 | WO | A |
Number | Name | Date | Kind |
---|---|---|---|
5347524 | I'Anson et al. | Sep 1994 | A |
5784566 | Viavant et al. | Jul 1998 | A |
6038400 | Bell et al. | Mar 2000 | A |
6259675 | Honda | Jul 2001 | B1 |
6400696 | Hreha | Jun 2002 | B1 |
6510236 | Crane et al. | Jan 2003 | B1 |
6600726 | Nevo et al. | Jul 2003 | B1 |
6611231 | Crilly et al. | Aug 2003 | B2 |
6732176 | Stewart et al. | May 2004 | B1 |
6965674 | Whelan et al. | Nov 2005 | B2 |
6965816 | Walker | Nov 2005 | B2 |
6970682 | Crilly et al. | Nov 2005 | B2 |
7035932 | Dowling | Apr 2006 | B1 |
7039021 | Kokudo | May 2006 | B1 |
7092943 | Roese et al. | Aug 2006 | B2 |
7116970 | Brusilovsky et al. | Oct 2006 | B2 |
7133526 | Whelan et al. | Nov 2006 | B2 |
7164663 | Frank et al. | Jan 2007 | B2 |
7200112 | Sundar et al. | Apr 2007 | B2 |
7203463 | Bahl et al. | Apr 2007 | B2 |
7215660 | Perlman | May 2007 | B2 |
7277404 | Tanzella et al. | Oct 2007 | B2 |
7289465 | Kuan et al. | Oct 2007 | B2 |
7295556 | Roese et al. | Nov 2007 | B2 |
7325246 | Halasz et al. | Jan 2008 | B1 |
7350076 | Young et al. | Mar 2008 | B1 |
7350077 | Meier et al. | Mar 2008 | B2 |
7353533 | Wright et al. | Apr 2008 | B2 |
7424605 | Arai | Sep 2008 | B2 |
7478420 | Wright et al. | Jan 2009 | B2 |
7483411 | Weinstein et al. | Jan 2009 | B2 |
7483984 | Jonker et al. | Jan 2009 | B1 |
7499401 | Buddhikot et al. | Mar 2009 | B2 |
7512081 | Ayyagari et al. | Mar 2009 | B2 |
7526800 | Wright et al. | Apr 2009 | B2 |
7633909 | Jones et al. | Dec 2009 | B1 |
7712128 | Porozni et al. | May 2010 | B2 |
7769898 | Morinaga | Aug 2010 | B2 |
8103278 | Tsao | Jan 2012 | B2 |
8104072 | Rohilla et al. | Jan 2012 | B2 |
8170032 | Mohri et al. | May 2012 | B2 |
8218516 | Donovan et al. | Jul 2012 | B1 |
20020061031 | Sugar et al. | May 2002 | A1 |
20030008662 | Stern et al. | Jan 2003 | A1 |
20030054846 | Parry | Mar 2003 | A1 |
20030083080 | Fournier et al. | May 2003 | A1 |
20030120809 | Bellur et al. | Jun 2003 | A1 |
20030202494 | Drews et al. | Oct 2003 | A1 |
20030219033 | Silvester | Nov 2003 | A1 |
20040203872 | Bajikar | Oct 2004 | A1 |
20040208151 | Haverinen et al. | Oct 2004 | A1 |
20050177515 | Kalavade et al. | Aug 2005 | A1 |
20060075073 | Bichot | Apr 2006 | A1 |
20060259768 | Chow | Nov 2006 | A1 |
20110211219 | Bradley et al. | Sep 2011 | A1 |
20110280331 | Hansen et al. | Nov 2011 | A1 |
20120178431 | Gold | Jul 2012 | A1 |
Number | Date | Country |
---|---|---|
0998094 | May 2000 | EP |
998094 | May 2000 | EP |
1265420 | Dec 2002 | EP |
1265420 | Dec 2002 | EP |
1298952 | Apr 2003 | EP |
1330073 | Jul 2003 | EP |
05-292147 | Nov 1993 | JP |
07-235950 | Sep 1995 | JP |
11-017770 | Jan 1999 | JP |
11-313371 | Nov 1999 | JP |
2000261461 | Sep 2000 | JP |
2001-086563 | Mar 2001 | JP |
2001-111544 | Apr 2001 | JP |
0211391 | Feb 2002 | WO |
WO 02100062 | Dec 2002 | WO |
WO 02100062 | Dec 2002 | WO |
Number | Date | Country | |
---|---|---|---|
20060179475 A1 | Aug 2006 | US |
Number | Date | Country | |
---|---|---|---|
60454558 | Mar 2003 | US |