AUTOMATED WIRELESS DEVICE PROVISIONING AND AUTHENTICATION

US 20150264051A1
Filed: 08/14/2014
Published: 09/17/2015
Est. Priority Date: 03/14/2014
Status: Active Grant

First Claim

Patent Images

1. A method for automatically provisioning a device to wirelessly connect to an access point, the method comprising:

advertising an online signup (OSU) extended service set (ESS) and a production ESS, the OSU ESS sufficient for establishing wireless signaling between the device and the access point for the purposes of completing an OSU operation and the production ESS sufficient for establishing wireless signaling between the device and the access point for the purposes of providing network access, the access point requiring an authentication for the device from an Authentication, Authorization and Accounting (AAA) server prior to granting network access; and

while the device is connected to the OSU ESS;

i) facilitating determination of a service provider (SP) associated with the device;

ii) facilitating transmission of an OSU request from the device to an OSU server associated with the service provider for the purposes of conducting the OSU operation, including facilitating delivery of a credential and a selection policy from the OSU server to the device following successful completion of the OSU operation, the AAA server requiring the credential prior to issuing the authentication to the access point and the selection policy at least partially provisioning the device to connect to the production ESS; and

iii) facilitating use of a subscription construct for the purposes of authorizing entitlements associated with the device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Automated provisioning and/or authentication of a device to a wireless access point is contemplated. The automated provisioning may be performed in a manner that enables the device to receive provisioning instructions in accordance with HotSpot 2.0, Passpoint or other Wi-Fi related protocols and standards without having to input identification or other user-specific information like a username and password combination. The authentication may be performed in a manner sufficient to enable service-level differentiation for the provisioned devices and/or other devices desiring wireless access, such as but not necessary limited to facilitating assigning different bandwidth speed/priorities according to a service agreement.

Citations

20 Claims

1. A method for automatically provisioning a device to wirelessly connect to an access point, the method comprising:
- advertising an online signup (OSU) extended service set (ESS) and a production ESS, the OSU ESS sufficient for establishing wireless signaling between the device and the access point for the purposes of completing an OSU operation and the production ESS sufficient for establishing wireless signaling between the device and the access point for the purposes of providing network access, the access point requiring an authentication for the device from an Authentication, Authorization and Accounting (AAA) server prior to granting network access; and
  
  while the device is connected to the OSU ESS;
  
  i) facilitating determination of a service provider (SP) associated with the device;
  
  ii) facilitating transmission of an OSU request from the device to an OSU server associated with the service provider for the purposes of conducting the OSU operation, including facilitating delivery of a credential and a selection policy from the OSU server to the device following successful completion of the OSU operation, the AAA server requiring the credential prior to issuing the authentication to the access point and the selection policy at least partially provisioning the device to connect to the production ESS; and
  
  iii) facilitating use of a subscription construct for the purposes of authorizing entitlements associated with the device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 further comprising generating the subscription construct to include a first access point identifier sufficient for uniquely identifying the access point to the OSU server.
  - 3. The method of claim 2 further comprising adding the first access point identifier within a supplemental data message transmitted to the OSU server as part of the OSU operation.
  - 4. The method of claim 3 further comprising adding the supplemental data message at the access point.
  - 5. The method of claim 4 further comprising transmitting the supplemental data message as one of a plurality of Transport Layer Security (TLS) messages exchanged within a TLS tunnel constructed between the device and the OSU server via the OSU ESS.
  - 6. The method of claim 2 further comprising generating the first access point identifier to identify a Media Access Control (MAC) address of the access point.
  - 7. The method of claim 2 further comprising generating the subscription construct to include a proximity value if the device is within a near field range of the access point.
  - 8. The method claim 7 further comprising generating the proximity value to be a first value if the device is within the near field range and to be a second value if the device is not within the near field range.
  - 9. The method of claim 7 further comprising determining the device to be within the near field range using near field signals exchanged between the device and the access point independently of the OSU ESS.
  - 10. The method of claim 9 further comprising transmitting the near field signals from the access point a shorter distance than OSU ESS related wireless signals transmitted from the access point.
  - 11. The method of claim 7 further comprising determining the device to be within the near field range if a corresponding user input to a human-machine interface (HMI) included on the access point is received proximate in time to the access point conducting a proximity test for the device.
  - 12. The method of claim 1 further comprising facilitating exchange of Extensible Authentication Protocol Transport Layer Security (EAP-TLS) messaging between the device and the AAA server via the production ESS, the EAP-TLS messaging transporting the credential from the device to the AAA server.
  - 13. The method of claim 12 further comprising facilitating transmission of a second identifier with EAP-TLS messaging, the second identifier sufficient for uniquely identifying the access point to the AAA server.
  - 14. The method of claim 1 further comprising facilitating installation of the subscription construct within an Internet browser of the device, the subscription construct acting as a token/cookie sufficient to enable zero sign-on (ZSO) access to online services over the Internet as at least part of the network access via the production ESS.

15. A non-transitory computer-readable medium comprising a plurality of instructions operable with a processor of an online signup (OSU) server and sufficient for facilitating connection of a device to a wireless access point having a local area network (LAN) interface and a wide area network (WAN) interface, the LAN interface being configured to facilitate wireless signaling with the device and the WAN interface being configured to facilitate signal associated with providing the device network access, the wireless access point providing an online signup (OSU) extended service set (ESS) and a production ESS via the LAN interface, the OSU ESS sufficient for establishing wireless signaling between the device and OSU server for the purposes of completing an OSU operation and the production ESS sufficient for establishing wireless signaling between the device and the access point for the purposes of providing network access, the access point requiring an authentication for the device from an Authentication, Authorization and Accounting (AAA) server prior to granting network access, the non-transitory computer-readable medium comprising instructions sufficient for:
- receiving an OSU request from the device via the OSU ESS, the OSU request indicating a desire of the device to undertake the OSU operation in order to receive a credential and a selection policy from the OSU server, the AAA server requiring the credential prior to issuing the authentication to the access point, the selection policy at least partially provisioning the device to connect to the production ESS;
  
  determining an in-home status for the device while undertaking the OSU operation, the in-home status being one of a first state and a second state, the first state indicating the device to be within a near field range of the access point associated with the OSU request and the second state indicating the device to be either beyond the near field range or indicating a position of the device relative to the access point associated with the OSU request being unknown; and
  
  providing the credential and the selection policy to the device upon receipt of an identification if the second state is determined and without receipt of the identification if the first state is determined, the identification being determined from a user input to the device as part of the OSU operation.
- View Dependent Claims (16, 17)
- - 16. The non-transitory computer-readable medium of claim 15 further comprising instructions sufficient for determining the in-home status as a function of an OSU tag added by the access point as a supplemental data message to Transport Layer Security (TLS) messages exchanged between the device and the OSU server via the OSU ESS.
  - 17. The non-transitory computer-readable medium of claim 15 further comprising instructions sufficient for providing an authentication cookie to the device as part of the OSU operation, the authentication cookie being suitable for use with an Internet browser of the device to enable zero sign-on (ZSO) access to online services accessed over the Internet via the production ESS.

18. A non-transitory computer-readable medium comprising a plurality of instructions operable with a processor of an Authentication, Authorization and Accounting (AAA) server and sufficient for facilitating authentication of a device to a first access point advertising an online signup (OSU) extended service set (ESS) and a production ESS, the OSU ESS sufficient for establishing wireless signaling between the device and the first access point for the purposes of executing an OSU operation, successful execution of the OSU operation resulting in the OSU server provisioning the device with a credential and a set of instructions sufficient for connecting to the production ESS, the production ESS being sufficient for establishing wireless signaling between the device and the access point for the purposes of providing network access, the non-transitory computer-readable medium comprising instructions sufficient for:
- receiving an update request from the OSU server identifying the credential provided to the device as part of the OSU operation;
  
  associating the credential with one or more identifiers used to uniquely identify a corresponding access point;
  
  executing a security association with the device via the production ESS, the security association including the device providing the credential and the access point providing a first identifier;
  
  determining whether the first identifier matches with one or more of the identifiers previously associated with the credential;
  
  providing a first authentication to the first access point if the first identifier matches with one of the identifiers associated with the credential, the first authentication being sufficient to authenticate the device to access a first level of service; and
  
  providing a second authentication to the first access point if the first identifier fails to match with one of the identifiers associated with the credential, the second authentication being sufficient to authenticate the device to access a second level of service, the second level of service being different than the first level of service.
- View Dependent Claims (19, 20)
- - 19. The non-transitory computer-readable medium of claim 18 further comprising instructions sufficient for providing the first authentication such that the first level of service corresponds with a first bandwidth speed/priority and providing the second authentication such that the second level of service corresponds with a second bandwidth speed/priority, the second bandwidth speed/priority being less than the first bandwidth speed/priority.
  - 20. The non-transitory computer-readable medium of claim 18 further comprising instructions sufficient for recovering the first identifier from Extensible Authentication Protocol Transport Layer Security (EAP-TLS) messaging exchange with the device as part of the security association.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cable Television Laboratories Incorporated
Original Assignee
Cable Television Laboratories Incorporated
Inventors
Hoggan, Stuart

Granted Patent

US 9,800,581 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/083   using passwords cryptograph...

H04L 63/0892   by using authentication-aut...

H04W 12/065   Continuous authentication

H04W 12/069   using certificates or pre-s...

AUTOMATED WIRELESS DEVICE PROVISIONING AND AUTHENTICATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

AUTOMATED WIRELESS DEVICE PROVISIONING AND AUTHENTICATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links