Rogue AP detection
Abstract
A method of detecting a rogue access point is disclosed. A message is directed from a supplicant to a network through an access point. A network response message is received by the supplicant from the access point. A step of determining whether the access point is one of a valid network access point and a rogue access point is performed based on whether the received network response message is respectively in conformity or nonconformity with predetermined expectations. If the access point is determined to be a rogue access point, it is reported to the network. If the access point is determined to be a valid network access point, the supplicant is authenticated to the network.
19 Claims
1. A method of detecting a rogue access point by a client comprising the steps of:
  directing a message from the client node to a network through a first access point, the first access point configured to exchange wireless signals with the client node to communicatively couple the client node to the network, to an authentication server, disposed on the network, the message containing identity credentials;
  receiving a network response packet by the client node from the first access point responsive to directing a message from the client to a network through a first access point;
  determining that the first access point is a rogue access point by the client node based on the network response packet received from the access point in being in nonconformity with predetermined expectations;
  sending a start message from the client node to a second access point, the second access point configured to exchange wireless signals with the client node to communicatively couple the client node to the network;
  sending an identity request message from the second access point to the client node responsive to the sending a start message;
  forwarding the identity response message from the second access point to the authentication server;
  validating the identity credentials by the authentication server;
  forwarding a send key from the authentication server to the client node through the second access point, the send key comprising key length and key index to specify encryption parameters for a session key;
  reporting the first access point as a rogue access point by the client node to the network through the valid access point;
  wherein the message reporting the first access point as a rogue access point is encrypted with the session key.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 12.

10. A client node configured as a supplicant for detecting a rogue access point comprising:
  means for directing a message from the supplicant to a network through a first access point, the first access point configured to exchange wireless signals with the client node to communicatively couple the client node to the network, to an authentication server disposed on the network, the message containing identity credentials;
  means for receiving a network response packet by the supplicant from the first access point responsive to the means for directing a message from the supplicant to a network through a first access point;
  means for determining the first access point is a rogue access point based on the network response packet received from the access point being in nonconformity with predetermined expectations;
  means for sending a start message from the supplicant to a second access point, the first access point configured to exchange wireless signals with the client node to communicatively couple the client node to the network;
  means for sending an identity request message from the second access point to the supplicant responsive to the means for sending a start message;
  means for sending an identity response message containing the identity credentials from the supplicant to the second access point in response to the identity request message;
  means for forwarding the identity response message from the second access point to the authentication server;
  means for validating the identity credentials of the supplicant using the authentication server;
  means for forwarding a send key from the authentication server to the supplicant through the second access point, the means for forwarding a send key comprises means for supplying key length and key index to specify encryption parameters for a session key;
  means for independently deriving a session key from the send key and the identity credentials by the supplicant and the authentication server;
  means for encrypting data packets between the supplicant and the authentication server using the derived session key;
  means adapted for reporting the first access point as a rogue access point through the second access point that the client is able to authenticate via the means for directing, the means for receiving and the means for determining.
Dependent claims: 11, 13, 14, 15, 16, 17, 18.

19. A wireless client node, comprising:
  a supplicant, the supplicant is configured for authenticating with a first access point, the first access point configured to exchange wireless signals with the client node to communicatively couple the client node to a network, and upon successful authentication with the first access point, the supplicant is configured to issue a counter-challenge to the first access point;
  the supplicant is responsive to receiving a response to the counter-challenge from the first access point to determine the response to the counter-challenge is invalid;
  the supplicant responsive to determining the response to the counter-challenge is invalid to authenticate with a second access point configured to exchange wireless signals with the client node to communicatively couple the client node to the network, the supplicant sending an identity response message responsive to an identity request message received from the second access point;
  the supplicant responsive to receiving keying material from the second access point, the keying material comprising a key length and key index to specify encryption parameters for a session key to derive the session key;
  the supplicant responsive to deriving the session key to issue a counter-challenge and validate a corresponding session key derived by the access point;
  the supplicant responsive to validating the corresponding session key derived by the access point to encrypt packets using the derived session key; and
  the supplicant is responsive to validating the corresponding session key to send a message through the second access point reporting the first access point as a rogue access point encrypted using the derived session key.

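The abstract and the claims above describe the exchange in prose; the claim vocabulary (start message, identity request and response, a send key carrying key length and key index, a counter-challenge on the derived session key) follows the 802.1X/EAP authentication flow. The Python simulation below is an added example, not code from the patent or its assignee. It models both rogue behaviours the claims distinguish: an access point whose reply to the start message fails the predetermined expectation (here, anything other than EAP-Request/Identity), and an access point that mimics a conforming reply but cannot answer the counter-challenge because it never obtained the session key the server derived from the credentials. The credential proof, the session-key derivation, the link cipher (an HMAC-based encrypt-then-MAC construction), the sample users and all class and function names are this example's own assumptions, not anything the patent specifies.

```python
import hashlib
import hmac
import os

EAP_REQUEST, EAP_SUCCESS, EAP_TYPE_IDENTITY = 1, 3, 1   # EAP code/type values (RFC 3748)
CONFORMING_REPLY = (EAP_REQUEST, EAP_TYPE_IDENTITY)      # what a real authenticator sends after EAPOL-Start

def credential_proof(password, identity):
    # Assumed stand-in for the EAP method: prove the credential without sending the password.
    return hmac.new(password, b"proof" + identity, hashlib.sha256).digest()

def derive_session_key(password, key_length, key_index, key_material):
    # Assumed derivation: supplicant and server compute it independently; an AP gets it from the server.
    info = b"session-key" + bytes([key_index]) + key_material
    return hmac.new(password, info, hashlib.sha256).digest()[:key_length]

def _xor_stream(key, nonce, data):
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(d ^ s for d, s in zip(data, stream))

def seal(key, plaintext):
    # Illustrative encrypt-then-MAC (HMAC keystream in counter mode plus HMAC tag), not an 802.11 cipher.
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def open_sealed(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: report was not produced under this session key")
    return _xor_stream(key, nonce, ct)

class AuthServer:  # RADIUS-like server holding the credential store (constructed sample users)
    def __init__(self, users):
        self.users, self.sessions, self.reports = users, {}, []
    def authenticate(self, identity, proof):
        password = self.users.get(identity)
        if password is None or not hmac.compare_digest(proof, credential_proof(password, identity)):
            return None
        send_key = (16, 0, os.urandom(8))        # (key_length, key_index, key_material)
        self.sessions[identity] = derive_session_key(password, *send_key)
        return send_key

class ValidAP:  # authenticator that relays to the real server and receives the session key from it
    def __init__(self, name, server):
        self.name, self.server, self.session_key = name, server, None
    def eapol_start(self):
        return CONFORMING_REPLY
    def identity_response(self, identity, proof):
        send_key = self.server.authenticate(identity, proof)
        self.session_key = self.server.sessions.get(identity) if send_key else None
        return send_key
    def counter_challenge(self, challenge):
        return hmac.new(self.session_key, challenge, hashlib.sha256).digest()
    def forward_report(self, identity, blob):
        self.server.reports.append(open_sealed(self.server.sessions[identity], blob).decode())

class RogueAP:
    # Evil twin without the credential store: it answers EAPOL-Start with EAP-Success instead of
    # EAP-Request/Identity, or (mimic=True) sends the conforming reply but still cannot derive the session key.
    def __init__(self, name, mimic=False):
        self.name, self.mimic = name, mimic
    def eapol_start(self):
        return CONFORMING_REPLY if self.mimic else (EAP_SUCCESS, None)
    def identity_response(self, identity, proof):
        return (16, 0, os.urandom(8))            # fabricated send key; it cannot validate the proof
    def counter_challenge(self, challenge):
        return os.urandom(32)                    # a guess; it does not hold the session key

class Supplicant:
    def __init__(self, identity, password):
        self.identity, self.password = identity, password
    def probe(self, ap):
        # Returns (verdict, reason, session_key); the key is returned only when the AP proved itself.
        if ap.eapol_start() != CONFORMING_REPLY:
            return "rogue", "reply to EAPOL-Start is not EAP-Request/Identity", None
        send_key = ap.identity_response(self.identity, credential_proof(self.password, self.identity))
        if send_key is None:
            return "refused", "authentication server rejected the credentials", None
        key = derive_session_key(self.password, *send_key)
        challenge = os.urandom(16)
        if not hmac.compare_digest(ap.counter_challenge(challenge), hmac.new(key, challenge, hashlib.sha256).digest()):
            return "rogue", "counter-challenge failed: AP does not hold the session key", None
        return "valid", "AP proved possession of the session key", key

def detect_and_report(supplicant, aps):
    # Probe APs in order; report every rogue through the first validated AP, encrypted under its session key.
    rogues, trusted, trusted_key = [], None, None
    for ap in aps:
        verdict, _, key = supplicant.probe(ap)
        if verdict == "rogue":
            rogues.append(ap.name)
        elif verdict == "valid" and trusted is None:
            trusted, trusted_key = ap, key
    for name in (rogues if trusted else []):
        trusted.forward_report(supplicant.identity, seal(trusted_key, f"rogue AP: {name}".encode()))
    return rogues, trusted
```

The mimicking rogue is the reason the conformity check on the first reply is not sufficient on its own: an attacker can copy the bytes a real authenticator sends, but cannot produce a valid answer to the counter-challenge without the session key, which only the authentication server can derive from the credentials. The report is sealed under that same key, so the network can tell a report relayed by a validated access point from one injected by an attacker.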
Specification