Controlling access to a network using redirection

US 20070113269A1
Filed: 07/29/2004
Published: 05/17/2007
Est. Priority Date: 07/29/2003
Status: Abandoned Application

First Claim

Patent Images

1. A method for controlling access to a network, said method comprising:

receiving, by an access point (AP) of said network, a request to access said network, said request transmitted by a client;

re-directing, by said AP, said access request to a local server;

associating unique data with an identifier of said client and storing a mapping of said association in said AP;

generating a Web page by said local server requesting that said client select an authentication server (AS) and including said unique data and forwarding said generated Web page to said client;

transmitting an authentication request to said selected authentication server; and

receiving a response to said authentication request from said selected authentication server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mechanism to improve the security and access control over a network, such as a wireless local area network (“WLAN”), that takes advantage of web browser interactions without requiring explicit separate communication session between a hot spot network and a service provider network. The method comprises receiving a request to access the WLAN from a mobile terminal (MT)/client disposed within a coverage area of the WLAN. The access point (AP) of the network associates a session ID and randomized number with an identifier associated with the MT and stores data mapping the session ID to the identifier of the MT and randomized number. The local server transmits an authentication request in the form of a web page, which includes the session ID and randomized number, to the MT. The AP receives from the MT a digitally signed authentication message, a parameter list containing user credential information, session ID, and randomized number concerning the MT, the authentication message being digitally signed using the session ID and randomized number together with the parameter list. The AP correlates the session ID and parameter list received from the MT and, using the stored mapping data, generates a local digital signature for comparison with the received digitally signed authentication message for controlling access of the MT to the WLAN.

Citations

57 Claims

1. A method for controlling access to a network, said method comprising:
- receiving, by an access point (AP) of said network, a request to access said network, said request transmitted by a client;
  
  re-directing, by said AP, said access request to a local server;
  
  associating unique data with an identifier of said client and storing a mapping of said association in said AP;
  
  generating a Web page by said local server requesting that said client select an authentication server (AS) and including said unique data and forwarding said generated Web page to said client;
  
  transmitting an authentication request to said selected authentication server; and
  
  receiving a response to said authentication request from said selected authentication server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 34, 36, 41, 52)
- - 2. The method according to claim 1, wherein said network is a wireless Local Area network (WLAN).
  - 3. The method according to claim 1, further comprising:
    - forwarding said identifier of said client from said local server; and
      
      generating said unique data for said client by said local server.
  - 4. The method according to claim 1, further comprising:
    - retrieving, by said client, a re-directed URL having embedded data including a first digital signature, authentication parameters and said unique data and forwarding said re-directed URL to said AP;
      
      creating, by said AP, a second digital signature using said authentication parameters, said unique data and said identifier;
      
      comparing, by said AP, said first digital signature with said second digital signature;
      
      determining, by said AP, if there is a match between said first digital signature and said second digital signature; and
      
      performing, by said AP, one of granting network access and denying network access based on said match determination.
  - 5. The method according to claim 1, wherein said unique data includes a session ID and a randomized number.
  - 6. The method according to claim 1, wherein said identifier is an address of said client.
  - 7. The method according to claim 1, wherein the act of authenticating further comprises:
    - processing, by said AS, said authentication request, wherein said authentication request includes a session ID embedded in said authentication request;
      
      responding to said authentication request by forwarding to said client by said AS an authentication input page, said authentication input page including a request for authentication information; and
      
      receiving, by said AS, authentication credentials from said client, wherein said response to said authentication request forwarded to said client includes a re-direct header and a success code and associated information relevant to access of said network by said client.
  - 8. The method according to claim 7, wherein the act of forwarding further comprises generating, by said AS, said success code and said associated information includes a first digital signature and authentication parameters.
  - 9. The method according to claim 5, wherein said randomized number is one of a random number and a pseudo-random number.
  - 10. The method according to claim 1, wherein said identifier is one of a physical (PHY) address of said client, a MAC address of said client and an IP address of said client.
  - 11. The method according to claim 1, wherein said AP and said local server are co-located.
  - 12. The method according to claim 4, wherein said first and said second digital signatures are generated using one of a private key of said AS and a shared key between said AS and said local server.
  - 13. The method according to claim 4, wherein said second digital signature is locally generated at said AP.
  - 34. The method of claim 1, further comprising:
    - at the authentication server, authenticating the client using the unique data, and forwarding said response to the client using a re-direct header, and including a digitally signed authentication message and authentication parameters corresponding to the unique data; and
      
      the access point receiving from the client according to the re-direct header the digitally signed authentication message and authentication parameters and correlating the authentication parameters with the mapped association data for determining access to the network.
  - 36. The method of claim 1, wherein said unique data comprises a session ID and a randomized number and further comprising:
    - receiving, by said AP, a re-directed request from the client and including a digitally signed authentication message, an authentication parameter list, and said session ID, the digitally signed authentication message being generated using the randomized number, said session ID and said authentication parameter list, by said selected authentication server associated with the client; and
      
      correlating the received digitally signed authentication message with the re-directed request for access using the stored mapping data for controlling access by the client to the network.
  - 41. The method according to claim 36, wherein said AP and said LS are co-located.
  - 52. The system according to claim 51, wherein said unique data comprises a session identifier and a random number.

14. (canceled)

15. (canceled)

16. (canceled)

17. (canceled)

18. (canceled)

19. (canceled)

20. (canceled)

21. (canceled)

22. (canceled)

23. (canceled)

24. (canceled)

25. A system for controlling access to a network comprising:
- a client;
  
  an access point (AP) coupled to a local server (LS) for relaying network communications to and from the client; and
  
  an authentication server for performing an authentication process in response to a request from the client;
  
  wherein the AP, in response to a re-directed request to access the network from the client, associates unique data with an identifier of the client and stores a mapping of the association;
  
  the LS transmits the unique data to the client;
  
  the authentication server, upon authenticating the client using the unique data, is operative to provide a re-direct header for access to the client including a digitally signed authentication message and authentication parameters corresponding to the unique data, the AP receiving the digitally signed retrieved re-directed URL and authentication parameters from the client and the AP further correlating the authentication parameters with the mapped association data for determining access to the network based on the results of the correlation.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33)
- - 26. The system of claim 25, wherein the network is a wireless local area network (WLAN) comprising the access point and local server.
  - 27. The system of claim 25, wherein the local server generates a web page requesting that the client select an authentication server, and embeds the unique data in the web page for transmission to the client.
  - 28. The system of claim 25, wherein the identifier of the client is one of a physical address, MAC address and an IP address, and wherein the unique data comprises a session ID and a randomized number.
  - 29. The system of claim 28, wherein the session ID and randomized number are generated by the local server.
  - 30. The system of claim 28, wherein the authentication server receives user credential information from the client and provides a digitally signed authentication message including an authentication parameters using said unique data through HTTPS to the client via said re-direct header to the client.
  - 31. The system of claim 30, wherein the AP, in response to receiving the digitally signed authentication message re-directed from the client including the authentication parameters and at least a portion of the unique data from the client, generates a local digital signature using the received portion of the unique data and the stored mapping data together with the authentication parameters, and compares the local digital signature with the digitally signed authentication message to determine network access by the client.
  - 32. The system of claim 25, wherein the re-direct header further comprises a means for re-directing a browser of the client to a URL on the network, and embedding in the URL said digitally signed authentication message, the authentication parameters and a portion of the unique data.
  - 33. The system of claim 26, wherein said AP and said LS are co-located.

35. (canceled)

37. (canceled)

38. (canceled)

39. (canceled)

40. (canceled)

42. A method for controlling network access, said method comprising:
- receiving a request for network access;
  
  re-directing said request via a message;
  
  receiving a client identifier and unique data;
  
  associating said unique data and said client identifier;
  
  receiving a re-directed universal resource locator included embedded information;
  
  generating a local digital signature using said embedded information and said association between said unique data and said client identifier;
  
  comparing said local digital signature with a digital signature received in said embedded information;
  
  granting network access if said local digital signature matches said digital signature received in said embedded information; and
  
  deny network access if said local digital signature does not match said digital signature received in said embedded information.
- View Dependent Claims (43, 44)
- - 43. The method according to claim 42, wherein said unique data comprises a session identifier and a random number.
  - 44. The method according to claim 42, wherein said embedded information further comprises a session identifier and authentication parameters.

45. A system for controlling network access, comprising:
- means for receiving a request for network access;
  
  means for re-directing said request via a message;
  
  means for receiving a client identifier and unique data;
  
  means for associating said unique data and said client identifier;
  
  means for receiving a re-directed universal resource locator included embedded information;
  
  means for generating a local digital signature using said embedded information and said association between said unique data and said client identifier;
  
  means for comparing said local digital signature with a digital signature received in said embedded information;
  
  means for granting network access if said local digital signature matches said digital signature received in said embedded information; and
  
  means for deny network access if said local digital signature does not match said digital signature received in said embedded information.
- View Dependent Claims (46, 47)
- - 46. The system according to claim 45, wherein said unique data comprises a session identifier and a random number.
  - 47. The system according to claim 45, wherein said embedded information further comprises a session identifier and authentication parameters.

48. A method for controlling network access, said method comprising:
- receiving a re-directed request for network access via a message;
  
  transmitting a client identifier and unique data; and
  
  generating a web page including embedded data.
- View Dependent Claims (49, 50)
- - 49. The method according to claim 48, wherein said unique data comprises a session identifier and a random number.
  - 50. The method according to claim 48, wherein said embedded data comprises a session identifier, a random number and authentication server selection information.

51. A system for controlling network access, comprising:
- means for receiving a re-directed request for network access via a message;
  
  means for transmitting a client identifier and unique data; and
  
  means for generating a web page including embedded data.
- View Dependent Claims (53)
- - 53. The system according to claim 51, wherein said embedded data comprises a session identifier, a random number and authentication server selection information.

54. A method for controlling network access, said method comprising:
- receiving an authentication user input message;
  
  transmitting authentication input page requesting authentication information;
  
  receiving authentication credentials; and
  
  transmitting an authentication message indicating one of success and failure of an authentication process.
- View Dependent Claims (55)
- - 55. The method according to claim 54, wherein said authentication message comprises a digital signature, a session identifier, authentication parameters and a random number.

56. A system for controlling network access, comprising:
- means for receiving an authentication user input message;
  
  means for transmitting authentication input page requesting authentication information;
  
  means for receiving authentication credentials; and
  
  means for transmitting an authentication message indicating one of success and failure of an authentication process.
- View Dependent Claims (57)
- - 57. The system according to claim 56, wherein said authentication message comprises a digital signature, a session identifier, authentication parameters and a random number.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Thomson Licensing (Vantiva SA)
Original Assignee
Thomson Licensing (Vantiva SA)
Inventors
Zhang, Junbiao

Application Number

US10/566,393
Publication Number

US 20070113269A1
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0876   based on the identity of th...

H04L 63/0892   by using authentication-aut...

H04L 63/10   for controlling access to d...

H04L 63/123   received data contents, e.g...

H04L 63/168   above the transport layer

H04W 12/069   using certificates or pre-s...

H04W 12/08   Access security

Controlling access to a network using redirection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

57 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling access to a network using redirection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

57 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links