Method and apparatus for authentication in a wireless telecommunications system

US 20040208151A1
Filed: 01/21/2003
Published: 10/21/2004
Est. Priority Date: 01/18/2002
Status: Active Grant

First Claim

Patent Images

1. A method for relaying data packets of a wireless terminal device in a communication network, the network comprising;

an access point for setting up a communication connection to the terminal device, an access controller for relaying authentication information between the terminal device and an authentication server, an authentication server for providing an authenticating service for the terminal device to authenticate to the network, the terminal device being configured to use one of the following authentication methods in order to authenticate itself to the network;

a first authentication method wherein the access point relays authentication information between the terminal device and the authentication server, a second authentication method wherein the access controller relays authentication information between the terminal device and the authentication server, the method comprising establishing a communication connection between the terminal device and the access point, characterized by the method further comprising the steps of identifying at the access point a parameter relating to the step of establishing the communication connection, classifying the terminal device on the basis of the identified parameter and directing data packets of terminal devices of different classes to separate logical channels.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and device for routing data packets of a wireless terminal device in a communication network. When Open system Authentication is used, the system operates similarly as the current Nokia Operator Wireless LAN system, in which the terminal device and the access controller are the parties involved in the authentication. The access controller relays information relating to the authentication between the terminal device and an authenticating server, and it is capable of updating independently the list of users it maintains. When authentication according IEEE 802.1X authentication, the access point operates according to the IEEE 802.1X standard, serving as the authenticating party and relaying information relating to the authentication between the terminal device and the authentication server. In addition, the list maintained by the access controller is updated after a successful authentication, for example by the access point or the authenticating server.

189 Citations

33 Claims

1. A method for relaying data packets of a wireless terminal device in a communication network, the network comprising;
- an access point for setting up a communication connection to the terminal device, an access controller for relaying authentication information between the terminal device and an authentication server, an authentication server for providing an authenticating service for the terminal device to authenticate to the network, the terminal device being configured to use one of the following authentication methods in order to authenticate itself to the network;
  
  a first authentication method wherein the access point relays authentication information between the terminal device and the authentication server, a second authentication method wherein the access controller relays authentication information between the terminal device and the authentication server, the method comprising establishing a communication connection between the terminal device and the access point, characterized by the method further comprising the steps of identifying at the access point a parameter relating to the step of establishing the communication connection, classifying the terminal device on the basis of the identified parameter and directing data packets of terminal devices of different classes to separate logical channels.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A method according to claim 1, characterized in that the identified parameter is the authentication method used by the terminal.
  - 3. A method according to claim 2, characterized in that the authentication method is one of the following:
    - an open system authentication and an authentication according to 802.1x protocol.
  - 4. A method according to claim 1, characterized in that the identified parameter is one of the following:
    - the Network Access Identifier, part of the Network Access Identifier used by the terminal device, frequency band, data rate, used radio technology of the terminal device.
  - 5. A method according to claim 1, characterized in that the separate logical channels are one of the following:
    - Virtual LANs, IP sub networks and IP address ranges.
  - 6. A method according to claim 5, characterized in that the access point ensures that the terminal device is assigned an IP address from the correct IP sub network or IP address range.
  - 7. A method according to claim 1, characterized in that the separate logical channels are tunnels.
  - 8. A method according to claim 1, characterized in that the access point verifies for data packets that, the logical channel used, matches the identified terminal device class.
  - 9. A method according to claim 8, characterized in that the access point only relays data packets for which said verification is successful and discards data packets for which said verification is unsuccessful.
  - 10. A method according to claim 1, characterized in that the access point applies different security processing to data packets of different terminal device classes.

11. An access point (700) for setting up a communication connection to a terminal device in a network, said network comprising:
- an access controller for relaying authentication information between the terminal device and an authentication server, an authentication server for providing an authenticating service for the terminal device to authenticate to the network, said access point comprising establishing means (701-703, 705) for establishing a communication connection between the terminal device and the access point, characterized in that the access point is configured to accept the terminal device to use one of the following authentication methods in order to authenticate itself to the network;
  
  a first authentication method wherein the access point is configured to relay authentication information between the terminal device and the authentication server, a second authentication method wherein the access point is configured to relay authentication information between the terminal device and an authentication agent, whereby the access point further comprises identifying means (707) for identifying a parameter relating to the establishment of the communication connection, classifying means (704) for classifying the terminal device on the basis of the identified parameter and directing means (701-703, 705, 706) for directing data packets of terminal devices of different classes to separate logical channels.
- View Dependent Claims (12, 13, 14, 15)
- - 12. An access point according to claim 11, characterized in that said identifying means are arranged to identify the parameter in response to detecting one of the following:
    - authentication method used by the terminal device, the Network Access Identifier or part of the Network Access Identifier used by the terminal device, frequency band, data rate and used radio technology of the terminal device.
  - 13. An access point according to claim 11, characterized in that said directing means are arranged to use one of the following as said separate logical channels:
    - Virtual LANs, IP sub networks and IP address ranges.
  - 14. An access point according to claim 11, characterized in that the access point further comprising verifying means for verifying data packets that, the logical channel used, matches the identified terminal device class.
  - 15. An access point according to claim 11, characterized in that the access point is arranged to only relay data packets for which said verification is successful and discards data packets for which said verification is unsuccessful.

16. A method for access control of a wireless terminal device in a communication network, the network comprising an access point for setting up a communication connection to the terminal device, an authentication agent for relaying authentication information between the terminal device and an authentication server, a logical access controller functionality for relaying data packets of the authenticated terminal device and blocking data packets of unauthenticated terminal devices, the logical access controller functionality further comprising a list of authenticated terminal devices, an authenticating server for providing an authenticating service for the terminal device to authenticate to the network, the terminal device being configured to use either of the following authentication methods in order to authenticate itself to the network:
- a first authentication method wherein the access point relays authentication information between the terminal device and the authentication server, a second authentication method wherein the authentication agent relays authentication information between the terminal device and the authentication server, characterized by the method comprising the steps of identifying at the access point whether the terminal device is using the first or the second authentication method, whereby if the terminal device authenticates by using the first authentication method, performing the steps of;
  
  the access point relaying authentication information between the terminal device and the authentication server, the access point sending the identifier data of the terminal device, in response to successful authentication, to the list of the access controller functionality, the access controller functionality adding the identifier data of the authenticated terminal device to the list and relaying data packets of the terminal device included on the list and if the terminal device authenticates by using the second authentication method, performing the steps of;
  
  the access point relaying authentication information between the terminal device and the authenticating agent, the authentication agent relaying authentication information between the terminal device and the authentication server, the authentication agent sending the identifier data of the terminal device, in response to successful authentication, to the list of the access controller functionality, and the access controller functionality adding the identifier data of the authenticated terminal device to the list and relaying data packets of the terminal device included on the list.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 17. A method according to claim 16, characterized in that the access controller functionality is implemented as part of the access point device.
  - 18. A method according to claim 16, characterized in that the access controller functionality is implemented as part of the authentication agent device.
  - 19. A method according to claim 16, characterized in that the access controller functionality is implemented in a device separate from the access point and the authentication agent.
  - 20. A method according to claim 16, characterized in that the identifier data comprises at least one of the following:
    - the IP address and the MAC address of the terminal device.
  - 21. A method according to claim 16, characterized in that the first authentication method is performed according to IEEE 802.1X protocol.
  - 22. A method according to claim 21, characterized in that the first authentication method is performed according to IEEE 802.11i protocol.
  - 23. A method according to claim 16, characterized in that the second authentication method is performed over the Internet protocol.
  - 24. A method according to claim 23, characterized in that the second authentication method is performed according to one of the following:
    - the internet key exchange protocol and the hypertext transfer protocol.
  - 25. A method according to claims 21 to 24, characterized in that the access point identifies the authentication method by receiving an association request message from the terminal device.
  - 26. A method according to claim 25, characterized in that the association request message comprising an authentication suite element, said authentication suite element further comprising the information of the authentication method the device is using.
  - 27. A method according to any one of claims 17 to 26, characterized in that the method further comprises renewing the authentication after a time period.

28. An access point (200) for setting up a communication connection to a terminal device in a network, said network comprising an authentication agent for relaying authentication information between the terminal device and an authentication server, a logical access controller functionality for relaying data packets of authenticated terminal devices included on a list and blocking data packets of unauthenticated terminal devices, an authenticating server for providing an authenticating service for the terminal device to authenticate to the network, characterized in that the access point is configured to accept the terminal device to use one of the following authentication methods in order to authenticate itself to the network:
- a first authentication method wherein the access point is configured to relay authentication information between the terminal device and the authentication server, a second authentication method wherein the access point is configured to relay authentication information between the terminal device and an authentication agent, whereby the access point comprises identifying means (207) for identifying whether the terminal device is using the first or the second authentication method, first relaying means (201, 205, 206) for relaying authentication information between the terminal device and the authentication server if the terminal device was identified to be using the first authentication method, first sending means (201, 205) for sending identifier data of the terminal device, in response to successful authentication of the terminal device according to the first authentication method, to the list of the access controller functionality, second relaying (201, 205, 206) means for relaying authentication information between the terminal device and the authentication agent if the terminal device was identified to be using the second authentication method and second sending means (201, 205) for sending identifier data of the terminal device, in response to successful authentication of the terminal device according to the second authentication method, to the list of the access controller functionality.
- View Dependent Claims (29, 30, 31, 32)
- - 29. An access point according to claim 28, characterized in that the identifying means are arranged to identify the authentication method by receiving an association request message from the terminal device.
  - 30. An access point according to claim 29 characterized in that the identifying means are arranged to detect an authentication suite element from the association request message, said authentication suite element the information of the authentication method the device is using.
  - 31. An access point according to claim 28 characterized in that the detecting means are arranged to detect successful authentication of the terminal device using said first authentication method by receiving a message from the authentication server.
  - 32. An access point according to claim 28, characterized in that the detecting means are arranged to detect successful authentication of the terminal device using said second authentication method by receiving a message from one of the following:
    - the authentication agent or the authentication server.

33. A system for access control of a wireless terminal device (303, 304) in a communication network, the network comprising:
- an access point (501) for setting up a communication connection to the terminal device, an authentication agent (504) for relaying authentication information between the terminal device (303) and an authentication server (505), a logical access controller functionality (502) for relaying data packets of the authenticated terminal device and blocking data packets of unauthenticated terminal devices, the logical access controller functionality further comprising a list (503) of authenticated terminal devices, an authenticating server (505) for providing an authenticating service for the terminal device (303, 404) to authenticate to the network, the terminal device (303, 304) being configured to use one of the following authentication methods in order to authenticate itself to the network;
  
  a first authentication method wherein the access point (501) relays authentication information between the terminal device (404) and the authentication server (505), a second authentication method wherein the authentication agent (504) relays authentication information between the terminal device (303) and the authentication server (505), characterized in that the system comprises;
  
  identifying means for identifying at the access point (501) whether the terminal device (303, 404) is using the first or the second authentication method, first relaying means for relaying at the access point (501) the authentication information of the first authentication method between the terminal device (404) and the authentication server (505), second relaying means for relaying information between the terminal device (303) and the authentication agent (504), third relaying means at the authentication agent (504) for relaying authentication information of the second authentication method between the access point (501) and the authentication server (505), first sending means for sending from the access point (501) identifier data of the terminal device (404), in response to successful authentication of the terminal device according to the first authentication method, to the list (503) of the access controller functionality (502), second sending means for sending from the authentication agent (504) the identifier data of the terminal device (303), in response to successful authentication of the terminal device according to the second authentication method, to the list (503) of the access controller functionality (502) and relaying means at the access controller functionality (502) for relaying data packets of the terminal device (303, 404) included on the list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Corporation
Inventors
Haverinen, Henry, Rinnemaa, Jyri, Tuominen, Hannu, Tuomi, Jukka, Smith, Mike P., Bush, Anton, Takamaki, Timo

Granted Patent

US 8,045,530 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/338
CPC Class Codes

H04L 61/00   Network arrangements, proto...

H04L 61/10   of different types

H04L 61/50   Address allocation

H04L 63/0236   Filtering by address, proto...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/205   involving negotiation or de...

H04W 12/069   using certificates or pre-s...

H04W 84/12   WLAN [Wireless Local Area N...

H04W 88/08   Access point devices

Method and apparatus for authentication in a wireless telecommunications system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

189 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for authentication in a wireless telecommunications system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

189 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links