Arrangement and a method relating to IP network access

US 20060094403A1
Filed: 12/12/2005
Published: 05/04/2006
Est. Priority Date: 06/18/2003
Status: Active Grant

First Claim

Patent Images

1. An arrangement, for providing an end user with access to an IP network, comprising a user station, an access server of an access network, a web server and an authentication server, an end user station with first means for communication with an access server and a web server, second means for communication with an authentication server over a mobile telecommunications system, an access/login procedure comprising a first and a second phase, wherein the authentication server controls the first phase, said first phase comprising a one-time password (OTP) login sequence, and wherein the second login phase is performed by creating/modifying a temporary account for which user credentials are defined in order to log in the end user at the access server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to an arrangement and a method respectively for providing an end user with access to an IP network (login). It comprises a user station, an access server of an access network, a web server and an authentication server. The end user station comprises first means for communication with the access server and second means for communication over a moile telecommunication system with the authentication server. The access/login procedure comprises a first and a second phase, the authentication server controls the first phase comprising a one-time-password (OTP) login sequence, and, if the one time password (OTP) is valid, the second login phase is performed in order to login the end user at the access server, by creating a temporary account for which user credentials are defined.

Citations

33 Claims

1. An arrangement, for providing an end user with access to an IP network, comprising a user station, an access server of an access network, a web server and an authentication server, an end user station with first means for communication with an access server and a web server, second means for communication with an authentication server over a mobile telecommunications system, an access/login procedure comprising a first and a second phase, wherein the authentication server controls the first phase, said first phase comprising a one-time password (OTP) login sequence, and wherein the second login phase is performed by creating/modifying a temporary account for which user credentials are defined in order to log in the end user at the access server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. An arrangement according to claim 1, wherein for the second phase a user account is created/modified in the authentication server.
  - 3. An arrangement according to claim 2, wherein said created/modified account is temporary for allowing login only for a limited time period.
  - 4. An arrangement according to claim 1, wherein the access server (AS) is run by an Internet Service Provider.
  - 5. An arrangement according to claim 4, wherein the Internet Service Provider offers a wireless service (i.e. is a WISP).
  - 6. An arrangement according to claim 1, wherein the one-time-password (OTP) used in the first phase is reused in the second phase.
  - 7. An arrangement according to claim 1, wherein the first means of the user station comprises a PC, and in that the second means comprises a mobile telephone.
  - 8. An arrangement according to claim 1, wherein the one-time-password (OTP) is created by, and transferred from, the authentication server to the second means of the end user station over the mobile telecommunication system.
  - 9. An arrangement according to claim 8, wherein the OTP is transferred by an alfa numeric text message, e.g. a SMS or a voice message to the second means of the user station.
  - 10. An arrangement according to claim 7, wherein the OTP is entered on the first means of the user station and provided to the authentication server for authentication/validation.
  - 11. An arrangement according to claim 10, wherein if the OTP is valid, the OTP from the first phase is reused in the second phase.
  - 12. An arrangement at least according to claim 2, wherein, if the OTP is valid, the user name and a password of the created/modified account are defined, which are uniquely tied to the OTP sequence.
  - 13. An arrangement according to claim 12, wherein the second phase the same user name is used as in the first phase and in that the OTP is used as password.
  - 14. An arrangement according to claim 12, wherein for the second phase a dynamic user name is used and in that the OTP (of the first phase) is used as password.
  - 15. An arrangement according to claim 12, wherein for the second phase a static user name (common for all users) is used and in that the OTP (of the first phase) is used as password.
  - 16. An arrangement according to claim 12, wherein for the second phase static user name (common for all users) is used and in that a random number is used as password.
  - 17. An arrangement according to claim 12, wherein for the second phase a dynamic user name is used and in that a random value is used as password.
  - 18. An arrangement according to claim 1, wherein web server redirects the login message to the access server login page when an account has been created/modified in the authentication server and in that a timer is set to a given time period during which user credentials are checked, and if they are not valid, an error message is returned to the user.
  - 19. An arrangement according to claim 18, wherein, if the user credentials comprise user name and password, and if they are verified/authenticated within the given time period, the added/modified temporary user account is removed/disabled.
  - 20. An arrangement according to claim 1, wherein the authentication server comprises a Radius server or an Diameter server.
  - 21. An arrangement according to claim 20, wherein one or more proxy servers are provided between the access server (AS) and the authentication (Radius, Diameter etc.) server.
  - 22. An arrangement according to claim 21, wherein the access network comprises a WLAN, an Ethernet or similar.
  - 23. An arrangement according to claim 1, wherein login syntax is stored in the access server and in that the login syntax is transferred to the web server to subsequently form part of a redirect message.

24. An access server in an access network communicating with an end user station for providing said end user station with access to an IP network, with a web server and with an authentication server, wherein the access server allows any user to perform an access attempt to the web server, e.g. by using a white list function, a login link to the operator, and supports authentication server roaming, and in that the access server supports a second phase of a login procedure following on a first phase during which a one-time-password is given, and in that for said second phase a temporary user account is created/modified, the password and user name of which are defined and uniquely associated with the one-time-password given by the authentication server and provided to the user station over a mobile communication system e.g. as an SMS, voice message or similar in the first phase.
- View Dependent Claims (25)
- - 25. An access server according to claim 24, wherein the access server is of a WLAN, an Ethernet and is run by an Internet Service Provider or a wireless ISP.

26. A method for providing an end user with access to an IP network over an access network comprising an access server, comprising performing a first phase of a login procedure whereby a one-time-password (OTP) is provided by an authentication server and transferred to the end user over a mobile communication system, checking the validity/authenticity of the one-time-password, and if valid, adding/modifying a temporary account in the authentication server, for a second phase of the login procedure, defining a user name and a password uniquely tied to the one-time-password of the first phase, checking the validity of the user name and the password in the authentication server, and if valid, allowing the user login request, removing/disabling the temporary user account after lapse of a predetermined time period.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33)
- - 27. A method according to claim 26, wherein the steps of performing the first phase of the login comprises the steps of:
    - sending a login request to an access server from the user station, receiving a response from the access server if the user station enabling activation of a link to the operator web (login) server, accessing the web server, entering end user station identity in web server, providing a one-time-password (OTP) to the user station from the authentication server and transferring it to the user station over the mobile communications system, e.g. by SMS or a voice message;
      
      requesting the one-time-password by web server, verifying validity/authenticity of the one-time-password.
  - 28. A method according to claim 26, wherein the second phase comprises the steps of:
    - redirecting the login request to the login page of the access server;
      
      setting a timer, checking the validity/authenticity of the user credentials, e.g. password, user name, in authentication server, and if valid, removing/disabling the temporary account at expiry of the set timer.
  - 29. A method according to claim 26, further comprising:
    - using the same user name in the second phase as in the first phase, using the OTP as password.
  - 30. A method according to claim 26, further comprising, in the second phase:
    - using a dynamic user name, using the OTP of the first phase as password.
  - 31. A method according to claim 26, further comprising, in the second step:
    - using a static user name common for all users, using the OTP of the first phase or a random number as password.
  - 32. A method according to claim 26, further comprising, in the second step:
    - using a dynamic user name, using a random value as password.
  - 33. A method according to claim 26, wherein the access network comprises a WLAN, an Ethernet or similar, and in that the authentication server comprises e.g. a Radius server or a Diameter server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Norefors, Arne, Schuberth, Ulf

Granted Patent

US 8,108,903 B2
Time in Patent Office

Days
Field of Search
US Class Current

455/411
CPC Class Codes

G06F 21/35   communicating wirelessly

G06F 21/43   wireless channels

H04L 63/0838   using one-time-passwords

H04L 63/108   when the policy decisions a...

H04L 63/18   using different networks or...

H04W 12/068   using credential vaults, e....

H04W 80/00   Wireless network protocols ...

Arrangement and a method relating to IP network access

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Arrangement and a method relating to IP network access

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links