Method and system for managing data traffic in wireless networks

US 7,042,988 B2
Filed: 09/27/2002
Issued: 05/09/2006
Est. Priority Date: 09/28/2001
Status: Active Grant

First Claim

Patent Images

1. A method for managing access control and security with a gateway server interposed between a wireless local area network and a protected network, the method comprising the steps of:

(a) receiving, by a first gateway server from a user of a mobile device that is in communication with the gateway server via a wireless access point, an indication of a request to access another server on the protected network;

(b) passively monitoring, at the gateway server, an authentication process between the user and the another server in which the user makes a request to authenticate to the another server and the another server authenticates the user;

(c) assigning a role to the authenticated user based on the another server with which the user authenticated; and

(d) providing access to the protected network based on the assigned role.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention can be used to facilitate the integration of wireless capability provided by wireless access points into an enterprise computer network. A gateway server is interposed between wireless access points and protected networks to provide security and integration functions, for example, authentication, access control, link privacy, link integrity, and bandwidth metering in various embodiments. Use of such a gateway server allows substantial control to be gained over network access even with the use of relatively simple access points. In general, such a gateway server receives a request to access the protected network. An authentication subsystem of the gateway server authenticates the user, preferably by accessing an external authentication server and returns a role to the authenticated user. An access controller in the gateway server provides differential access to the protected network based on the user'"'"'s assigned role. A multiple gateway servers can be connected together to form a mesh network architecture.

Citations

52 Claims

1. A method for managing access control and security with a gateway server interposed between a wireless local area network and a protected network, the method comprising the steps of:
- (a) receiving, by a first gateway server from a user of a mobile device that is in communication with the gateway server via a wireless access point, an indication of a request to access another server on the protected network;
  
  (b) passively monitoring, at the gateway server, an authentication process between the user and the another server in which the user makes a request to authenticate to the another server and the another server authenticates the user;
  
  (c) assigning a role to the authenticated user based on the another server with which the user authenticated; and
  
  (d) providing access to the protected network based on the assigned role.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 21, 22)
- - 2. The method of claim 1 further comprising providing a second gateway server interposed between the wireless network and the protected network for a fail-over configuration, and wherein step (a) further comprises receiving the request by the second gateway server if the first gateway server fails.
  - 3. The method of claim 1, wherein the request to access the protected network received in step (a) comprises an identifier and authentication information.
  - 4. The method of claim 3, wherein the identifier comprises at least one of a username, an email address, and an unique name.
  - 5. The method of claim 3, wherein the authentication information comprises at least one of a PIN, password, digital certificate, encryption key, and digital code.
  - 6. The method of claim 1, wherein the request to access the protected network received in step (a) comprises a request to access network resources.
  - 7. The method of claim 6, wherein the authenticating step (b) comprises authenticating a previously authenticated user without requiring communication of authentication information.
  - 8. The method of claim 1, wherein the external authentication server comprises a RADIUS server.
  - 9. The method of claim 1, wherein the external authentication server comprises a LDAP server.
  - 10. The method of claim 1, wherein the external authentication server comprises a NTLM server.
  - 11. The method of claim 10, wherein the use of the external authentication server is transparent to the user.
  - 12. The method of claim 11, wherein the server is a Windows 2000 or NT server.
  - 13. The method of claim 1, wherein the authenticating step (b) is performed substantially according to one of the Point-to-Point Tunneling Protocol (PPTP) or the IPSec protocol.
  - 14. The method of claim 1 further comprising, prior to step (a), the step of defining the role for the user.
  - 15. The method of claim 14, wherein the step of defining a role further comprises:
    - (i) specifying network resources available;
      
      (ii) specifying a degree of access to the protected network; and
      
      (iii) specifying an available connection bandwidth.
  - 16. The method of claim 15, wherein the defining step further comprises:
    - (iv) specifying a tunneling protocol.
  - 17. The method of claim 15, wherein the defining step further comprises:
    - (v) specifying an inherited role.
  - 18. The method of claim 1 further comprising replicating a plurality of second gateway servers interposed between the wireless network and the protected network from the first gateway server.
  - 19. The method of claim 1 further comprising protecting from illicit monitoring using a secure web browser page.
  - 21. The method of claim 1 wherein the assigned role comprises one or more policies.
  - 22. The method of claim 21 wherein the policies describe one or more services requested by the user.

20. The method of clam 1 further comprising detecting unauthorized access points by monitoring network traffic.

23. A gateway server for interposition between a wireless local area network and a protected network, the server comprising:
- (a) a receiver for receiving, from a user of a mobile device via a wireless access point, an indication of a request to access another server on the protected network;
  
  (b) an authentication subsystem for passively monitoring an authentication process in which the user makes a request to authenticate to the another server and the another server authenticates the user;
  
  (c) a role assignor in communication with the receiver and the authentication subsystem for assigning a role to the authenticated user based on the another server with which the user authenticated; and
  
  (d) an access controller in communication with the assignor for providing access to the protected network based on the assigned role.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 34, 35, 36, 37, 38, 39, 40, 41, 43, 44)
- - 24. The gateway server of claim 23 further comprising a second gateway server for interposition between the wireless network and the protected network to provide a fail-over configuration, and wherein the second gateway server receives the request if the first gateway server fails.
  - 25. The gateway server of claim 23, wherein the request to access the protected network received by the receiver comprises an identifier and authentication information.
  - 26. The gateway server of claim 25, wherein the identifier comprises at least one of a username, an email address, and an unique name.
  - 27. The gateway server of claim 25, wherein the authentication information comprises at least one of a PIN, password, digital certificate, encryption key, and digital code.
  - 28. The gateway server of claim 23, wherein the request to access the protected network received by the receiver comprises a request to access network resources.
  - 29. The gateway server of claim 28, wherein the external authentication server authenticates the user as a user that previously authenticated without requiring communication of authentication information.
  - 30. The gateway server of claim 23, wherein the external authentication server used comprises a RADIUS server.
  - 31. The gateway server of claim 23, wherein the external authentication server used comprises a LDAP server.
  - 34. The gateway server of claim 23, wherein user authentication with a Windows 2000 or NT server.
  - 35. The gateway server of claim 23, wherein the communication between the mobile device and the gateway server substantially is according to one of the Point-to-Point Protocol (PPTP) or the IPSec protocol.
  - 36. The gateway server of claim 23 further comprising a role definer for defining the role for the user.
  - 37. The gateway server of claim 36, wherein the role definer further comprises:
    - (i) specifying network resources available;
      
      (ii) specifying a degree of access to the protected network; and
      
      (iii) specifying an available connection bandwidth.
  - 38. The gateway server of claim 37, wherein the role definer further comprises:
    - (iv) specifying a tunneling protocol.
  - 39. The gateway server of claim 37, wherein the role definer further comprises:
    - (v) specifying an inherited role.
  - 40. The gateway server of claim 23 further comprising a replicator for replicating a plurality of second gateway servers for interposition between the wireless network and the protected network from the gateway server.
  - 41. The gateway server of claim 23 further comprising a secure web browser page.
  - 43. The gateway server of claim 23 wherein the assigned role comprises one or more policies.
  - 44. The gateway server of claim 43 wherein the policies describe one or more services requested by the user.

32. The gateway server of claim 32, wherein the external authentication server used comprises a NTLM server.
- View Dependent Claims (33)
- - 33. The gateway server of claim 32, wherein the use of the external authentication server is transparent to the user.

42. The gateway server of clam 23 further comprising a detector for detecting unauthorized access points by monitoring network traffic and signals.

45. A gateway server for interposition between a wireless network and a protected network, the server comprising:
- (a) means for receiving, from a user of a mobile device via a wireless access point, an indication of a request to access another server on the protected network;
  
  (b) means for passively monitoring an authentication process between the user and the another server in which the user makes a request to authenticate to another server and the another server authenticates the user;
  
  (c) means for assigning a role to the authenticated user based on the another server with which the user authenticated without authenticating the user to the gateway server; and
  
  (d) means for providing access to the protected network based on the assigned role.

46. A mesh network of gateway servers comprising:
- a plurality of gateway servers each in communication with a wireless local area network and a protected network, each of the plurality of gateway servers in communication with each other to facilitate hand-off of a mobile device from one of the plurality of gateway servers to another of the plurality of gateway servers, and, wherein each of the plurality of gateway servers comprises;
  
  (i) a receiver for receiving, from a user of a mobile device via a wireless access point, an indication of a request to access another server on the protected network;
  
  (ii) an authentication subsystem for passively monitoring an authentication process in which the user makes a request to authenticate to the another server and the another server authenticates the user;
  
  (iii) a role assignor in communication with the receiver and the authentication subsystem for assigning a role to the authenticated user based on the another server with which the user authenticated; and
  
  (iv) an access controller in communication with the assignor for providing access to the protected network based on the assigned role.
- View Dependent Claims (47, 48, 49, 50, 51, 52)
- - 47. The network of claim 46, wherein each of the plurality of gateway servers provides a fail-over configuration and configuration replication.
  - 48. The network of claim 46, wherein at least two of the plurality of gateway are in communication with substantially different types networks.
  - 49. The network of claim 48, wherein at least one of the plurality of gateway servers supports a cellular network.
  - 50. The network of claim 48, wherein at least one of the plurality of gateway servers are in communication with radio-frequency based network.
  - 51. The network of claim 46 wherein the assigned role comprises one or more policies.
  - 52. The network of claim 51 wherein the policies describe one or more services requested by the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bluesocket Incorporated (ADTRAN Holdings, Inc.)
Original Assignee
Bluesocket Incorporated (ADTRAN Holdings, Inc.)
Inventors
Crawshaw, Geoffrey, Crosbie, David, Christoffel, Thomas, Bates, Philip, Juitt, David
Primary Examiner(s)
Hoosain, Allan
Assistant Examiner(s)
Gauthier, Gerald

Application Number

US10/259,248
Publication Number

US 20030087629A1
Time in Patent Office

1,320 Days
Field of Search

455/412, 455/414.1, 455/413, 455/415
US Class Current

379/88.17
CPC Class Codes

H04L 1/22   using redundant apparatus t...

H04L 63/0209   Architectural arrangements,...

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/168   above the transport layer

H04W 12/068   using credential vaults, e....

H04W 12/069   using certificates or pre-s...

H04W 12/088   using filters or firewalls

H04W 74/00   Wireless channel access

H04W 84/12   WLAN [Wireless Local Area N...

H04W 84/18   Self-organising networks, e...

H04W 88/16   Gateway arrangements

H04W 92/02   Inter-networking arrangements

Method and system for managing data traffic in wireless networks

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

52 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for managing data traffic in wireless networks

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

52 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links