Seamless roaming for clients between access points with WPA-2 encryption

US 10,595,240 B2
Filed: 05/10/2019
Issued: 03/17/2020
Est. Priority Date: 03/01/2018
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

detecting, by a plurality of access points, a client device that is in a pre-determined range of the plurality of access points;

generating, by each access point of the plurality of access points, a connection score for communication with the client device, the connection score indicating a corresponding access point'"'"'s suitability for handling communication with the client device;

broadcasting, by the each access point of the plurality of access points, a corresponding connection score to other access points in a wireless network;

determining that a first access point has a highest connection score from among a plurality of connection scores generated by the each access point;

designating the first access point as a primary access point for communication with the client device;

in response to the designation, performing, by the first access point, encrypted communication with the client device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A wireless network system that provides for seamless roaming of client devices is described. The wireless network system includes a plurality of access points. One access point is designated as the primary access point that is responsible for handling encrypted communication with the client device. The primary access point has access to the necessary encryption key(s) for encrypted communication. The primary access point receives broadcast updates from the other access points that includes connection scores. When a connection score for a second access point exceeds the connection score of the current primary access point, the current primary access point designates the second access point as the new primary access point and sends the new primary access point the encryption key(s) for encrypted communication. The handoff is seamless and does not require a new handshake between the new primary access point and the client device.

6 Citations

20 Claims

1. A computer-implemented method comprising:
- detecting, by a plurality of access points, a client device that is in a pre-determined range of the plurality of access points;
  
  generating, by each access point of the plurality of access points, a connection score for communication with the client device, the connection score indicating a corresponding access point'"'"'s suitability for handling communication with the client device;
  
  broadcasting, by the each access point of the plurality of access points, a corresponding connection score to other access points in a wireless network;
  
  determining that a first access point has a highest connection score from among a plurality of connection scores generated by the each access point;
  
  designating the first access point as a primary access point for communication with the client device;
  
  in response to the designation, performing, by the first access point, encrypted communication with the client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer-implemented method of claim 1, wherein performing the encrypted communication comprises:
    - performing a 4-way handshake between the first access point and the client device to generate an encryption key.
  - 3. The computer-implemented method of claim 2, wherein the encryption key comprises a Pairwise Transient Key (PTK).
  - 4. The computer-implemented method of claim 3, wherein the PTK comprises an initialization vector (IV), wherein the IV is a monotonically increasing counter for encrypted data packets that are communicated between the first access point and the client device.
  - 5. The computer-implemented method of claim 4, wherein the first access point is permitted to increment the IV while incrementation of the IV is halted for the other access points.
  - 6. The computer-implemented method of claim 1, wherein the each access point of the plurality of access points has access to the plurality of connection scores.
  - 7. The computer-implemented method of claim 1, wherein the client device is determined to be in the pre-determined range of the plurality of access points when a received signal strength indicator (RSSI) for the client device exceeds a pre-specified threshold.
  - 8. The computer-implemented method of claim 1, further comprising:
    - broadcasting, by the first access point, to the other access points of the plurality of access points that the first access point is the primary access point;
      
      in response to the broadcast, halting, by the other access points, direct communication to the client device.
  - 9. The computer-implemented method of claim 1, further comprising broadcasting, by the each access point of the plurality of access points, a Basic Service Set Identifier (BSSID), wherein the BSSID is identical for the each access point of the plurality of access points.
  - 10. The computer-implemented method of claim 1, wherein a connection score is calculated by the each access point using a plurality of functions applied to connection criteria, wherein the connection criteria represent status information that describes performance or status of an access point or status information that describes connectivity of the client device to the access point.
  - 11. The computer-implemented method of claim 10, wherein the connection criteria comprises data that measures a performance load of an access point, data that measures latency of communication between the client device and the access point, or data that measures a RSSI of a signal between the client device and the access point.
  - 12. The computer-implemented method of claim 1, further comprising:
    - determining that a connection score was not generated for a particular access point;
      
      in response to the determination, assigning a default value to the particular access point.

13. A computer system comprising:
- a plurality of access points communicatively coupled to a client device and configured to detect the client device that is in a pre-determined range of the plurality of access points;
  
  each access point of the plurality of access points configured to;
  
  generate a connection score of a plurality of connection scores for communication with the client device, wherein the connection score indicates a corresponding access point'"'"'s suitability for handling communication with the client device;
  
  broadcast a corresponding connection score to other access points in a wireless network;
  
  determine that a first access point has a highest connection score from among the plurality of connection scores generated by the each access point;
  
  designate the first access point as a primary access point for communication with the client device;
  
  in response to the designation, the first access point of the plurality of access points configured to perform encrypted communication with the client device.

14. A computer-implemented method comprising:
- designating a first access point as a primary access point based on a first connection score generated at the first access point and a second connection score generated at a second access point, wherein the first connection score exceeds the second connection score;
  
  performing encrypted communication between the first access point and a client device using an encryption key;
  
  generating, at the first access point, an updated first connection score;
  
  receiving, at the first access point, an updated second connection score generated at the second access point,determining, at the first access point, that the updated second connection score exceeds the updated first connection score;
  
  in response to determining that the updated second connection score exceeds the updated first connection score;
  
  halting the encrypted communication between the first access point and the client device;
  
  sending the encryption key from the first access point to the second access point;
  
  performing encrypted communication between the second access point and the client device using the encryption key.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer-implemented method of claim 14, further comprising, before performing the encrypted communication between the first access point and the client device:
    - storing, at the first access point, the encryption key for communication with the client device.
  - 16. The computer-implemented method of claim 14, wherein the first connection score is generated before generating the updated first connection score.
  - 17. The computer-implemented method of claim 14, wherein the second connection score is generated before generating the updated second connection score.
  - 18. The computer-implemented method of claim 14, further comprising generating, at each particular access point of a plurality of access points, a particular connection score of a plurality of connection scores, wherein each particular connection score is generated by the particular access point based on connection criteria.
  - 19. The computer-implemented method of claim 14, further comprising performing a 4-way handshake between the first access point and the client device to generate the encryption key.
  - 20. The computer-implemented method of claim 14, wherein performing the encrypted communication between the second access point and the client device comprises performing the encrypted communication between the second access point and the client device without performing a 4-way handshake between the second access point and the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Systems, Inc.
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Bhartia, Apurv, Lin, Lizhen
Primary Examiner(s)
Siddiqui, Kashif

Application Number

US16/409,700
Publication Number

US 20190274073A1
Time in Patent Office

312 Days
Field of Search
US Class Current
CPC Class Codes

G06F 9/5088   involving task migration

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 67/10   in which an application is ...

H04W 12/02   Protecting privacy or anony...

H04W 12/04   Key management, e.g. using ...

H04W 36/0038   of security context informa...

H04W 36/023   Buffering or recovering inf...

H04W 36/08   Reselecting an access point

H04W 36/18   for allowing seamless resel...

H04W 36/30   by measured or perceived co...

H04W 84/12   WLAN [Wireless Local Area N...

Seamless roaming for clients between access points with WPA-2 encryption

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

6 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Seamless roaming for clients between access points with WPA-2 encryption

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links