Fast roaming in a wireless network using per-STA pairwise master keys shared across participating access points

US 20060256763A1
Filed: 05/09/2006
Published: 11/16/2006
Est. Priority Date: 05/10/2005
Status: Active Grant

First Claim

Patent Images

1. In a wireless network having a set of access points (APs) each having a predetermined service area, a station (STA) that receives a communication service by associating with APs in the set, an authentication server (AS) that authenticates the STA, and a controller that maintains a data structure identifying prospective APs to which the STA may roam, a method, comprising:

associating the STA to the first AP by obtaining a security key from the AS;

after the first AP reports to the controller that the STA has associated to the first AP using the security key obtained from the AS, forwarding the security key to the controller;

while the STA is associated with the first AP, forwarding the security key from the controller to at least a second AP in the set as identified by the data structure; and

re-associating the STA at the second AP using the security key and without requiring the STA to authenticate back to the AS; and

after re-associating, updating the data structure by notifying the controller that the first AP is a neighbor of the second AP.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A fast roaming (handoff) service is provided for a WLAN infrastructure. A given mobile station (STA) obtains a pairwise master key (PMK) when it associates with an access point (AP) in the infrastructure. A neighbor graph identifies prospective APs to which the STA may then roam. At initialization, preferably the neighbor graph is fully-connected (i.e., each AP is assumed to be connected to every other AP). The PMK (obtained by the STA initially) is shared proactively with the neighbor APs as indicated in the neighbor graph. Thus, when the STA roams to a neighbor AP, because the PMK is already available, there is no requirement that the STA initiate a real-time request to an authentication server to re-associate to the new AP. Further, the new AP causes an update to the neighbor graph information implicitly by simply issuing a notification that it is now handling the STA that arrived from the prior AP; in this manner, the prior AP is confirmed as a neighbor, but there is no requirement for any inter-AP dialog before a given neighbor graph is updated. As roaming occurs the neighbor graph is pruned down (to reflect the actual neighbor AP connections) using the implicit notification data.

Citations

20 Claims

1. In a wireless network having a set of access points (APs) each having a predetermined service area, a station (STA) that receives a communication service by associating with APs in the set, an authentication server (AS) that authenticates the STA, and a controller that maintains a data structure identifying prospective APs to which the STA may roam, a method, comprising:
- associating the STA to the first AP by obtaining a security key from the AS;
  
  after the first AP reports to the controller that the STA has associated to the first AP using the security key obtained from the AS, forwarding the security key to the controller;
  
  while the STA is associated with the first AP, forwarding the security key from the controller to at least a second AP in the set as identified by the data structure; and
  
  re-associating the STA at the second AP using the security key and without requiring the STA to authenticate back to the AS; and
  
  after re-associating, updating the data structure by notifying the controller that the first AP is a neighbor of the second AP.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as described in claim 1 wherein the security key is forwarded over a secure link using a given message protocol.
  - 3. The method as described in claim 2 wherein the secure link is TLS and the given message protocol is IAPP.
  - 4. The method as described in claim 1 wherein at a given time the data structure is fully-connected.
  - 5. The method as described in claim 4 wherein the step of updating the data structure optionally removes at least one connection from the fully-connected data structure.
  - 6. The method as described in claim 1 wherein the security key is forwarded from the controller to every AP in the set as identified by the data structure.
  - 7. The method as described in claim 1 wherein the controller is notified that the first AP is a neighbor of the second AP without having the first AP and the second AP communicate with one another directly.
  - 8. The method as described in claim 1 further including the step of providing to any new AP that is added to the set of APs all of the security keys associated with the stations in the wireless network.

9. A controller for use in a wireless network, the network having a set of access points (APs) each having a predetermined service area, wherein mobile stations (STA) receive a communication service by associating with APs in the set, and wherein an an authentication server (AS) is used to authenticate the mobile stations, comprising:
- a data store in which a data structure is stored, the data structure comprising a connection graph describing how each AP in the set of access points is connected to other APs in the set;
  
  code, executable by a processor, responsive to receipt of an association message that the station has associated to a first AP using a security key obtained from the AS, for receiving the security key from the first AP and forwarding the security key to a set of one or more other APs in the set as identified in the connection graph, and code, executable by the processor, responsive to receipt of a re-association message from a second AP that indicates that the station has associated with the second AP, for updating the connection graph to indicate that the second AP is connected to the first AP.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The controller as described in claim 9 wherein the connection graph is fully connected at a given time, thereby indicating that each AP in the set of APs is connected to every other AP in the set of APs.
  - 11. The controller as described in claim 10 wherein the code responsive to receipt of the re-association message updates the connection graph as required to indicate that the second AP is connected to the first AP by removing at least one connection from the connection graph.
  - 12. The controller as described in claim 10 wherein the code responsive to receipt of the message from the station also receives a MAC address of the STA.
  - 13. The controller as described in claim 9 further including code, executable by the processor, for establishing and maintaining a secure link between the controller and a given AP, whereby the association message and the re-association message are communicated over the secure link.

14. A system, comprising:
- a set of access points, each access point having a predetermined service area; and
  
  a controller, comprising;
  
  a data store in which a data structure is stored, the data structure comprising a connection graph describing how each AP in the set of access points is connected to other APs in the set;
  
  code, executable by a processor, responsive to receipt of a first message that the station has associated to a first AP using a security key, for receiving the security key from the first AP and forwarding the security key to a set of one or more other APs in the set as identified in the connection graph, and code, executable by the processor, responsive to receipt of a second message from a second AP that indicates that the station has associated with the second AP, for updating the connection graph to indicate that the second AP is connected to the first AP;
  
  wherein the second AP comprises code, executable by a processor, for receiving from the station a third message and responding to the third message with a fourth message so that the station is not required to obtain a new security key, and for thereafter issuing the second message to the controller, wherein the second message includes a data field indicating that the station last visited the first AP.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The system as described in claim 14 wherein the connection graph in the data store of the controller is fully connected at a given time, thereby indicating that each AP in the set of APs is connected to every other AP in the set of APs
  - 16. The system as described in claim 15 wherein the code responsive to receipt of the second message updates the connection graph as required to indicate that the second AP is connected to the first AP by removing at least one connection from the connection graph.
  - 17. The system as described in claim 14 further including an authentication server for issuing the security key.
  - 18. The system as described in claim 17 wherein the authentication server is RADIUS-compliant.
  - 19. The system as described in claim 14 wherein each access point communicates with the controller over a secure link using a given message protocol.
  - 20. The system as described in claim 19 wherein the secure link is TLS and the given message protocol is IAPP.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Colubris Networks, Inc. (HP Inc.)
Inventors
Gupta, Anil, Nguyen, Hien, Sands, Roger D., Stefanski, Thomas S., Trudeau, Pierre

Granted Patent

US 7,873,352 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/338
CPC Class Codes

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/166   at the transport layer

H04W 12/041   Key generation or derivation

H04W 12/0431   Key distribution or pre-dis...

H04W 12/062   Pre-authentication

H04W 36/0011   for data sessions of end-to...

H04W 36/0016   Hand-off preparation specia...

H04W 84/12   WLAN [Wireless Local Area N...

H04W 88/08   Access point devices

Fast roaming in a wireless network using per-STA pairwise master keys shared across participating access points

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Fast roaming in a wireless network using per-STA pairwise master keys shared across participating access points

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links