Method for grouping 802.11 stations into authorized service sets to differentiate network access and services

US 6,950,628 B1
Filed: 08/02/2002
Issued: 09/27/2005
Est. Priority Date: 08/02/2002
Status: Expired due to Fees

First Claim

Patent Images

1. An 802.11 network, comprising:

a first basic service set comprising a first access point, and a second basic service sets, comprising a second access point;

wherein the fast access point comprises means for creating a service set at the first access point that defines a set of network access parameter values to differentiate network services having an associated service set identifier;

means for receiving a message from the wireless station to the first access point, the message comprising a service set identifier;

means verifying the first access point has a matching associated service set identifier for the service set identifier sent in the message;

means for associating the wireless station to a first VLAN based on the service set identifier; and

wherein the second access point comprises means for creating a second service set at the second access point that defines a second set of network access parameter values to differentiate network services having an associated service set identifier;

means for receiving a message from the wireless station to the second access point, the service set identifier used in the message to the first access point;

means verifying the second access point has a matching associated service set identifier for the service set identifier;

means for associating the wireless station to a second VLAN based on the service set identifier;

wherein the first VLAN is different than the second VLAN.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for associating a WSTA to a service set, wherein the service set is configurable at the AP. Each service set is an arbitrary grouping of one or more network service parameters, and is typically configured for either VLAN or proxy mobile IP host. When a wireless station desires to associate with an access point, the wireless station sends a message to the access point, the message containing a SSID. The access point then matches the SSID to a service set and associates the WSTA to either a home subnet or a VLAN based on the SSID. By locally configuring the service set, the default VLAN and home subnet for a WSTA may be different at each AP the WSTA encounters. A security server is configured with a list of allowed SSIDs for each wireless station to prevent unauthorized access to a VLAN or home subnet.

149 Citations

28 Claims

1. An 802.11 network, comprising:
- a first basic service set comprising a first access point, and a second basic service sets, comprising a second access point;
  
  wherein the fast access point comprises means for creating a service set at the first access point that defines a set of network access parameter values to differentiate network services having an associated service set identifier;
  
  means for receiving a message from the wireless station to the first access point, the message comprising a service set identifier;
  
  means verifying the first access point has a matching associated service set identifier for the service set identifier sent in the message;
  
  means for associating the wireless station to a first VLAN based on the service set identifier; and
  
  wherein the second access point comprises means for creating a second service set at the second access point that defines a second set of network access parameter values to differentiate network services having an associated service set identifier;
  
  means for receiving a message from the wireless station to the second access point, the service set identifier used in the message to the first access point;
  
  means verifying the second access point has a matching associated service set identifier for the service set identifier;
  
  means for associating the wireless station to a second VLAN based on the service set identifier;
  
  wherein the first VLAN is different than the second VLAN.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The 802.11 network of claim 1 wherein the service set identifier is an 802.11 service set identifier.
  - 24. The 802.11 network of claim 1 further comprisingmeans for accessing a security server communicatively coupled to the first access point and the second access point;
    - wherein security server verifies the wireless station is authorized to use the service set associated with the service set identifier by the means for associating the wireless station to a first VLAN and the means for associating the wireless station to a second VLAN.
  - 25. The 802.11 network of claim 24 wherein the security server is a Remote Authentication Dial-In User Server.
  - 26. The 802.11 network of claim 24, the security server further comprising means for authenticating that the wireless station is authorized to use the service set identifier as configured on at least one of the first access point and the second access point.
  - 27. The 802.11 network of claim 24, the security server further comprising means for authenticating that the wireless station is authorized to use its service set identifier via an allowed service set identifier list contained in a RADIUS record for the wireless station.
  - 28. The 802.11 network of claim 1, the first access point'"'"'s means for associating further comprising means for binding the wireless station to the first VLAN corresponding to an Ethernet VLAN, based on a service set parameter that is configured with a VLAN Identifier.

2. A method wherein Wireless stations (WSTAs) are partitioned into Service Sets, each Service Set comprising a set of network access parameter values to differentiate network services and a Service Set Identifier, comprising the steps of:
- configuring an AP with a list of at least one service set identifier that identifies the service set the AP will accept;
  
  sending a message from the WSTA to its parent AP, the message comprising an active service set identifier for the WSTA, wherein the service set identifier is selected from the group consisting explicitly identifying a service set, and a wildcard so that the WSTA'"'"'s service set is selected by a network infrastructure;
  
  verifying by the parent AP that the parent AP has a service set identifier that matches the service set identifier sent by the WSTA; and
  
  authorizing the WSTA to use its service set identifier by a security server and a security protocol;
  
  wherein service set parameters that determine the WSTA'"'"'s access to network services is at least one of the group consisting of VLAN and home subnet may be configured with different values for the same service set identifier in a different AP.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 3. The method of claim 2 wherein the security server is a RADIUS server and the security protocol is RADIUS.
  - 4. The method in claim 3 further comprising a method wherein a list of allowed service set identifiers for a WSTA is sent from the RADIUS server to the parent AP in a RADIUS protocol message.
  - 5. The method in claim 3 further comprising a method where a RADIUS server explicitly assigns a WSTA to a service by including an service set identifier in a RADIUS protocol message sent to the parent AP.
  - 6. The method in claim 2 wherein a service set parameter that determines the WSTA'"'"'s home subnet contains at least one of a VLAN Identifier and an IP subnet address.
  - 7. The method in claim 6 further comprising a method where a WSTA is initially bound to a home subnet based on the service set parameter value in its parent AP, but the service set parameter is not used to bind the WSTA to a different home subnet as the WSTA roams to APs with a different service set parameter value, so that the WSTA is bound to a single home subnet as it roams.
  - 8. The method in claim 7 where either VLAN trunking or IP tunneling is dynamically selected to bind a station to a single home subnet as it roams, so that the most optimal available access method is used to forward packets between the WSTA and its home subnet.
  - 9. The method in claim 7 further comprising discarding home subnet bindings for a WSTA after the WSTA has become inactive for some period of time, so that the WSTA can bind to a different (i.e. more optimal) subnet when it again becomes active.
  - 10. The method in claim 6 further comprising a method where a WSTA is bound to a different home subnet when it roams to an AP with a different service set parameter value, so that the WSTA is bound to the “
    - optimal”
      
      home subnet.
  - 11. The method in claim 2 where a WSTA uses a “
    - wildcard”
      
      service set identifier to match a different service set identifier in the parent AP.
  - 12. The method in claim 2 where the service set parameter that determines the WSTA'"'"'s home subnet contains a Mobile IP home agent address.
  - 13. The method in claim 2 further comprising a method wherein a service set parameter is used to determine whether a WSTA should be bound to a single home subnet as it roams in a network with multiple subnets.
  - 14. The method in claim 13 wherein a service set parameter is used to determine whether Proxy Mobile IP and Mobile IP tunneling is used to bind a station to a single home subnet.
  - 15. The method in claim 13 wherein the home subnet for a WSTA is determined by examining the IP address in IP packets transmitted by the WSTA.
  - 16. The method in claim 15 further comprising a method wherein a station is not bound to a home subnet unless it is authorized to access that home subnet.
  - 17. The method in claim 16 wherein a WSTA is authorized to access a home subnet only when there is at least one AP that has a parameter value for the services set identified by the WSTAs service set identifier that contains at least one of a VLAN ID and subnet address that identifies the home subnet.
  - 18. The method in claim 17 where a central database is used to authorize a WSTA to access a home subnet, wherein the central database contains a list of service set identifiers and, for each service set identifier, a list of allowed subnets.
  - 19. The method in claim 18 where the list of subnets for each service set identifier is statically configured or automatically populated with the local service set identifier and subnet bindings for each AP.
  - 20. The method in claim 2 wherein an unauthenticated WSTA is assigned to a guest service set and where service set parameter values, configured for the guest service set at least 1 APs, are used to restrict the WSTA to at least one guest subnets.
  - 21. The method in claim 2 wherein a WSTA is authorized to use more than one service set identifier so that the WSTA can change its service set without requiring configuration changes in the security server.
  - 22. The method in claim 2 wherein the service set identifier is an 802.11 service set identifier and a wildcard service set identifier is an 802.11 broadcast service set identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Meier, Robert C., Nelakanti, Bhavannarayana, Griswold, Victor J., Yang, Sheausong, Olson, Tim
Primary Examiner(s)
Milord, Marceau

Application Number

US10/212,193
Time in Patent Office

1,152 Days
Field of Search

455/41.1, 455/41.2, 455/414.1, 455/418, 455/461, 455/456.4, 455/512, 340/7.1, 340/870.02, 342/357.1, 342/357.66, 342/357.13
US Class Current

455/41.2
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/104   Grouping of entities

H04W 12/08   Access security

H04W 28/18   Negotiating wireless commun...

H04W 4/08   User group management

H04W 72/27   between access points

H04W 80/04   Network layer protocols, e....

H04W 84/12   WLAN [Wireless Local Area N...

Method for grouping 802.11 stations into authorized service sets to differentiate network access and services

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

149 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Method for grouping 802.11 stations into authorized service sets to differentiate network access and services

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

149 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links