Web Authentication Support for Proxy Mobile IP

US 20130139221A1
Filed: 11/29/2011
Published: 05/30/2013
Est. Priority Date: 11/29/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

storing data for a redirect rule for traffic associated with a mobile wireless device that has associated with a wireless access point in a public wireless local area network and has been given a temporary unauthenticated session access using an Internet Protocol (IP) address assigned to the mobile wireless device by equipment in a wireless wide area core network that serves as a home network for the mobile wireless device, the redirect rule for use when a request is received from the mobile wireless device for world wide web access in order to obtain authentication for the mobile wireless device before permitting world wide web access;

receiving a world wide web access request from the mobile wireless device; and

redirecting the world wide web access request to an authentication portal to allow a user of the mobile wireless device to enter user credentials for world wide web access using the IP address.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided for performing web authentication of mobile wireless devices that roam from a wireless wide area network to a wireless local area network. A redirect rule is invoked when a request is received from the mobile wireless device for world wide web access in order to obtain authentication for the mobile wireless device before permitting world wide web access. When a world wide web access request is received from the mobile wireless device, it is redirected to an authentication portal to allow a user of the mobile wireless device to enter user credentials to allow for world wide web access using the IP address.

40 Citations

26 Claims

1. A method comprising:
- storing data for a redirect rule for traffic associated with a mobile wireless device that has associated with a wireless access point in a public wireless local area network and has been given a temporary unauthenticated session access using an Internet Protocol (IP) address assigned to the mobile wireless device by equipment in a wireless wide area core network that serves as a home network for the mobile wireless device, the redirect rule for use when a request is received from the mobile wireless device for world wide web access in order to obtain authentication for the mobile wireless device before permitting world wide web access;
  
  receiving a world wide web access request from the mobile wireless device; and
  
  redirecting the world wide web access request to an authentication portal to allow a user of the mobile wireless device to enter user credentials for world wide web access using the IP address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein storing, receiving, and redirecting are performed at a gateway device in the public wireless local area network.
  - 3. The method of claim 2, and further comprising:
    - receiving at the gateway device from the mobile wireless device a message indicating that the mobile wireless device has associated with a wireless access point in the public wireless local area access network, the message including a media access control (MAC) address of the mobile wireless device; and
      
      obtaining the IP address for the mobile wireless device from equipment in the wireless wide area core network that serves as the home network for the mobile wireless device.
  - 4. The method of claim 3, wherein obtaining the IP address for the mobile wireless device from the mobile wireless wide area core network comprises creating a proxy mobile IPv6 tunnel and using the proxy mobile IPv6 tunnel to obtain the IP address for the mobile wireless client device.
  - 5. The method of claim 3, wherein obtaining the IP address for the mobile wireless device from the wireless wide area core network comprises creating a General Packet Radio Service Tunnel with the gateway device and using the General Packet Radio Service Tunneling protocol to obtain the IP address for the mobile wireless client device.
  - 6. The method of claim 1, and further comprising:
    - sending an access request message to an authentication, accounting and authorization server, the access request message including the media access control (MAC) address of the mobile wireless device;
      
      receiving from the authentication, accounting and authorization server an access accept message indicating that the mobile wireless device is unknown and to use a default profile for the mobile wireless device, wherein the default profile includes a shared identity to be used for the temporary unauthenticated session for the mobile wireless device; and
      
      wherein storing is performed based on the access accept message indicating that the mobile wireless device is unknown.
  - 7. The method of claim 6, wherein the shared identity included in the default profile comprises a sequence of bits that otherwise are invalid but are used by and known to equipment in the wireless local area network and wireless wide area network as being allocated for use in temporary unauthenticated sessions for mobile wireless devices, and further comprising creating the temporary unauthenticated session using the shared identity.
  - 8. The method of claim 7, wherein creating the temporary unauthenticated session is performed at a router device in the wireless wide area core network that serves as the anchor router device in the home network for the mobile wireless device.
  - 9. The method of claim 8, and further comprising creating a proxy mobile IP tunnel with a gateway device in the public wireless local area network and using the proxy mobile IPv6 protocol to assign the IP address for the mobile wireless client device at the router device in the wireless wide area core network.
  - 10. The method of claim 8, and further comprising creating a General Packet Radio Service Tunnel with a gateway device in the public wireless local area network and using the General Packet Radio Service Tunneling protocol to assign the IP address for the mobile wireless device.
  - 11. The method of claim 8, and further comprising forwarding the shared identity from the router device in the wireless wide area core network to a policy server to enable the policy server to recognize the shared identity and signal the router device in the wireless wide area core network to install the redirect rule for the mobile wireless device.
  - 12. The method of claim 6, and further comprising deleting the redirect rule for the mobile wireless device when a message is received indicating that the mobile wireless device has been authenticated by the authentication portal.
  - 13. The method of claim 6, and further comprising:
    - sending a message from the authentication portal to an authentication, accounting and authorization (AAA) server indicating that the IP address associated with the shared identity has since been authenticated, together with an authentic identity to be used in the public wireless local area network; and
      
      sending from the AAA server to a router device in the mobile wireless wide area core network a message containing the authentic identity associated with the IP address to be subsequently used in communications of policy and charging messages, and indicating that the redirect rule should be disabled.
  - 14. The method of claim 1, and further comprising receiving an attach trigger message sent by the mobile wireless device, the attach trigger message containing a service set identifier that identifies the home network for the mobile wireless device in the wireless wide area network.
  - 15. The method of claim 1, and further comprising:
    - sending an access request message to a policy server, the access request message including the media access control (MAC) address of the mobile wireless device;
      
      receiving from the policy server an access accept message indicating that the mobile wireless device is unknown and to use a default profile for the mobile wireless device, wherein the default profile includes a shared identity to be used for the temporary unauthenticated session for the mobile wireless device; and
      
      wherein storing is performed based on the access accept message indicating that the mobile wireless device is unknown.
  - 16. The method of claim 15, wherein the shared identity included in the default profile comprises a sequence of bits that otherwise are invalid but are used by and known to equipment in the wireless local area network and wireless wide area network as being allocated for use in temporary unauthenticated sessions for mobile wireless devices, and further comprising creating the temporary unauthenticated session using the shared identity.

17. An apparatus comprising:
- one or more network ports to receive messages from or transmit to over a network;
  
  a packet forwarding unit configured to process and forward messages over the network;
  
  a memory; and
  
  a processor coupled to the memory and to the packet forwarding unit, such that the apparatus is configured to;
  
  store data for a redirect rule for traffic associated with a mobile wireless device that has associated with a wireless access point in a public wireless local area network and has been given a temporary unauthenticated session access using an Internet Protocol (IP) address assigned to the mobile wireless device by equipment in a wireless wide area core network that serves as a home network for the mobile wireless device, the redirect rule for use when a request is received from the mobile wireless device for world wide web access in order to obtain authentication for the mobile wireless device before permitting world wide web access;
  
  receive a world wide web access request from the mobile wireless device; and
  
  redirect the world wide web access request to an authentication portal to allow a user of the mobile wireless device to enter user credentials for world wide web access using the IP address.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The apparatus of claim 17, wherein the apparatus is further configured to:
    - receive a message indicating that the mobile wireless device has associated with a wireless access point in the public wireless local area access network, the message including a media access control (MAC) address of the mobile wireless device; and
      
      obtain the IP address for the mobile wireless device from equipment in the wireless wide area core network that serves as the home network for the mobile wireless device.
  - 19. The apparatus of claim 17, wherein the apparatus is further configured to:
    - send an access request message to an authentication, accounting and authorization server, the access request message including the media access control (MAC) address of the mobile wireless device;
      
      receive an access accept message indicating that the mobile wireless device is unknown and to use a default profile for the mobile wireless device, wherein the default profile includes a shared identity to be used for the temporary unauthenticated session for the mobile wireless device; and
      
      wherein the processor is configured to store the data for the redirect rule based on the access accept message indicating that the mobile wireless device is unknown.
  - 20. The apparatus of claim 19, wherein the shared identity included in the default profile comprises a sequence of bits that otherwise are invalid but are used by and known to equipment in the wireless local area network and wireless wide area network as being allocated for use in temporary unauthenticated sessions for mobile wireless devices, and wherein the apparatus is further configured to create the temporary unauthenticated session using the shared identity.
  - 21. A system comprising the apparatus of claim 19, and further comprising the authentication portal and the authentication, accounting and authorization (AAA) server, wherein the authentication portal is configured to send a message to the AAA server indicating that the IP address associated with the shared identity has since been authenticated, together with an authentic identity to be used in the public wireless local area network, and the AAA server is configured to send to a router device in the wireless wide area core network a message containing the authentic identity associated with the IP address to be subsequently used in communications of policy and charging messages.
  - 22. The apparatus of claim 17, wherein the apparatus is further configured to receive an attach trigger message sent by the mobile wireless device, the attach trigger message containing a service set identifier that identifies the home network for the mobile wireless device in the wireless wide area network.

23. One or more non-transitory computer readable storage media encoded with software comprising computer executable instructions operable to:
- store data for a redirect rule for traffic associated with a mobile wireless device that has associated with a wireless access point in a public wireless local area network and has been given a temporary unauthenticated session access using an Internet Protocol (IP) address assigned to the mobile wireless device by equipment in a wireless wide area core network that serves as a home network for the mobile wireless device, the redirect rule for use when a request is received from the mobile wireless device for world wide web access in order to obtain authentication for the mobile wireless device before permitting world wide web access;
  
  receive a world wide web access request from the mobile wireless device; and
  
  redirect the world wide web access request to an authentication portal to allow a user of the mobile wireless device to enter user credentials for world wide web access using the IP address.
- View Dependent Claims (24, 25, 26)
- - 24. The computer readable storage media of claim 23, and further comprising instructions operable to:
    - receive a message indicating that the mobile wireless device has associated with a wireless access point in the public wireless local area access network, the message including a media access control (MAC) address of the mobile wireless device; and
      
      obtain the IP address for the mobile wireless device from equipment in the mobile wireless wide area core network that serves as the home network for the mobile wireless device.
  - 25. The computer readable storage media of claim 23, and further comprising instructions operable to:
    - send an access request message to an authentication, accounting and authorization server, the access request message including the media access control (MAC) address of the mobile wireless device;
      
      receive an access accept message indicating that the mobile wireless device is unknown and to use a default profile for the mobile wireless device, wherein the default profile includes a shared identity to be used for the temporary unauthenticated session for the mobile wireless device; and
      
      wherein the instructions operable to store the data for the redirect rule are based on receipt of the access accept message indicating that the mobile wireless device is unknown.
  - 26. The computer readable storage media of claim 25, wherein the shared identity included in the default profile comprises a sequence of bits that otherwise are invalid but are used by and known to equipment in the wireless local area network and wireless wide area network as being allocated for use in temporary unauthenticated sessions for mobile wireless devices, and further comprising instructions operable to create the temporary unauthenticated session using the shared identity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Gundavelli, Srinath, Alex, Arun C., Pazhyannur, Rajesh S., Grayson, Mark, Koodli, Rajeev, Feige, Gaetan, Velandy, Rajesh P., Wood, Steven W.

Granted Patent

US 8,769,626 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H04W 12/068 using credential vaults, e....

H04W 28/02 Traffic management, e.g. fl...

Web Authentication Support for Proxy Mobile IP

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

40 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Web Authentication Support for Proxy Mobile IP

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links