SYSTEM AND METHOD FOR SECURING MESH ACCESS POINTS IN A WIRELESS MESH NETWORK, INCLUDING RAPID ROAMING
First Claim
1. A method in a first mesh access point (AP) comprising:
securing a layer-2 link between the first mesh AP and a second mesh AP, the second mesh AP being part of a mesh network and having a secure tunnel to a controller, wherein the controller controls the mesh network, including controlling functions other than the authentication, authorization and accounting performed by a RADIUS server, the functions including access point capability of mesh points in the mesh network; and
undergoing a join exchange with the controller to establish a secure tunnel with the controller and to join the mesh network, wherein the securing of the layer-2 link includes:
carrying out an association exchange with the controller via the second mesh AP;
undergoing a backend authentication with the controller as authenticator, resulting in a pairwise master key available at the first mesh AP and the authenticator, such that a secure tunnel is established between the first mesh AP and the controller; and
undergoing a 4-way handshake with the first mesh AP as supplicant and the controller as authenticator, using the pairwise master key to determine a pairwise transient key to use between the first mesh AP and the second mesh AP.
Abstract
Authentication in a mesh network controlled by a central controller, including using standard IEEE 802.11i mechanisms between a potential child mesh access point (AP) as supplicant and the controller as authenticator. Each mesh AP in the mesh network has a secure tunnel to a controller using a protocol for controlling the mesh AP, including AP capabilities, and a fast roaming method for re-establishing a secure layer-2 link with a new parent mesh AP including, while the mesh AP is a child mesh AP to the first parent mesh AP and has a secure layer-2 link to the first parent mesh AP, caching key information and wireless mesh network identity information in the controller.
26 Claims
9. A method in a controller comprising:
controlling a mesh network comprising a root mesh access point (AP) and one or more other mesh APs, including controlling functions other than the authentication, authorization and accounting performed by a RADIUS server, the functions including AP capability of the APs in the mesh network;
maintaining a secure tunnel with a first mesh AP;
carrying out an association exchange with a second mesh AP via the first mesh AP;
undergoing a backend authentication as authenticator, with the second mesh AP as supplicant, the authentication resulting in a pairwise master key available at the second mesh AP and the controller;
undergoing a 4-way handshake as authenticator with the second mesh AP as supplicant, using the pairwise master key to determine a pairwise transient key to use between the second mesh AP and the first mesh AP, such that a secure layer-2 link between the second mesh AP and the first mesh AP is established for the first mesh AP to be a parent mesh AP to the second mesh AP in the mesh network; and
undergoing a join exchange with the second mesh AP to establish a secure tunnel between the second mesh AP and the controller, such that the second mesh AP joins the mesh network.
Dependent claims: 10, 11, 12, 13, 14, 15.
16. A controller comprising:
one or more processors, and a storage subsystem, wherein the storage subsystem is configured with instructions that when executed cause:
controlling a mesh network comprising a root mesh access point (AP) and one or more other mesh APs, including controlling functions other than the authentication, authorization and accounting performed by a RADIUS server, the functions including AP capability of the APs in the mesh network;
maintaining a secure tunnel with a first mesh AP;
carrying out an association exchange with a second mesh AP via the first mesh AP;
undergoing a backend authentication with the controller as authenticator, with the second mesh AP as supplicant, the authentication resulting in a pairwise master key available at the second mesh AP and the controller;
storing the pairwise master key in the storage subsystem;
the controller undergoing a 4-way handshake as authenticator with the second mesh AP as supplicant, using the pairwise master key to determine a pairwise transient key to use between the second mesh AP and the first mesh AP, such that a secure layer-2 link between the second mesh AP and the first mesh AP is established for the first mesh AP to be a parent mesh AP to the second mesh AP in the mesh network; and
undergoing a join exchange with the second mesh AP to establish a secure tunnel between the second mesh AP and the controller, such that the second mesh AP joins the mesh network.
Dependent claims: 17, 18, 19, 20.
21. A method in a first mesh point, including:
the first mesh point associating with a first parent mesh point of a wireless mesh network, the first parent mesh point being coupled to a Controller acting as an authenticator, the Controller to centrally control the mesh points of the wireless mesh network, including acting as authenticator for authentication of mesh points and including controlling control functions other than the authentication, authorization and accounting performed by a RADIUS server, said control functions including controlling access point capability of mesh points of the mesh network, the controlling using control frames conforming to a protocol for controlling access point functionality;
the first mesh point undergoing a certificate-based backend mutual authentication with the Controller as authenticator via the first parent mesh point of the mesh network, the certificate-based backend authentication resulting in a first pairwise master key;
using a hierarchy of derived keys to define how to determine derived master keys based on the first pairwise master key that is the result of the certificate-based backend authentication; and
undergoing a 4-way handshake initiated by the first mesh point as supplicant and the Controller as authenticator, using a master key derived from the certificate-based backend authentication using the hierarchy, the 4-way handshake to determine a transient key for the first mesh point to securely communicate with the first parent mesh point in the mesh network;
such that a new link between the first mesh point and a new, different parent mesh point is securable by a new transient key determined according to the key hierarchy without the first mesh point needing to re-undergo a certificate-based backend authentication.
Dependent claims: 22, 23, 24, 25, 26.
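As an added illustration (not code from the patent or from any vendor's implementation), the following Python models the key handling that the abstract and claim 21 describe: the controller, as IEEE 802.11i authenticator, caches the pairwise master key obtained from the one backend authentication and runs a 4-way handshake whose transient key is bound to the child and parent addresses, so a roam to a new parent yields a fresh PTK without a second backend authentication. The PRF and the KCK/KEK/TK layout follow 802.11i; using the parent AP's address in the authenticator-address slot of the derivation, and the message bodies, are assumptions of this example, and the MAC addresses and keys are constructed.

```python
import hashlib
import hmac
import os

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) blocks."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """PRF-384 pairwise key expansion; returns (KCK, KEK, TK), 16 bytes each (CCMP layout)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]

def key_mic(kck: bytes, body: bytes) -> bytes:
    """EAPOL-Key MIC: HMAC-SHA1 under the KCK, truncated to 16 bytes."""
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]

class MeshAP:
    """Child mesh AP acting as supplicant; holds the PMK from its one backend authentication."""
    def __init__(self, addr: bytes):
        self.addr, self.pmk, self.tk = addr, None, None

    def msg2(self, parent_addr: bytes, anonce: bytes):
        """Handshake message 2: pick SNonce, derive the PTK for this parent link, MIC the body."""
        snonce = os.urandom(32)
        kck, _, self.tk = derive_ptk(self.pmk, parent_addr, self.addr, anonce, snonce)
        return snonce, key_mic(kck, b"msg2" + snonce)

class Controller:
    """Authenticator that caches each child's PMK so a roam to a new parent skips backend auth."""
    def __init__(self):
        self.pmk_cache, self.backend_auths = {}, 0

    def secure_link(self, child: MeshAP, parent_addr: bytes) -> bytes:
        """Secure the child<->parent layer-2 link; returns the TK to hand the parent over its tunnel."""
        if child.addr not in self.pmk_cache:            # first join only
            self.backend_auths += 1                      # stand-in for the EAP/RADIUS exchange
            child.pmk = self.pmk_cache[child.addr] = os.urandom(32)
        anonce = os.urandom(32)                          # message 1: ANonce to the supplicant
        snonce, mic = child.msg2(parent_addr, anonce)
        # Assumption: the parent AP address fills the authenticator-address slot of the derivation.
        kck, _, tk = derive_ptk(self.pmk_cache[child.addr], parent_addr, child.addr, anonce, snonce)
        if not hmac.compare_digest(mic, key_mic(kck, b"msg2" + snonce)):
            raise ValueError("message 2 MIC failed: supplicant does not hold the cached PMK")
        return tk                                        # messages 3/4 would confirm and install it
```

A second `secure_link` call for the same child with a different parent address reuses the cached PMK, so `backend_auths` stays at one while the returned TK changes.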