Method and apparatus for controlling wireless network access privileges based on wireless client location

US 7,551,574 B1
Filed: 03/31/2005
Issued: 06/23/2009
Est. Priority Date: 03/31/2005
Status: Active Grant

First Claim

Patent Images

1. A method for controlling access privileges in a wireless network having a plurality of access points based on the location of a wireless client that is connected to the network via radio-frequency signals sent between the wireless client and one of the plurality of access points wherein the one access point interacts with a RADIUS server to obtain access to the network, the method comprising:

(a) computing, using a location system that is associated with the network and does not involve the wireless client, the location of the wireless client with an RF fingerprinting method from measured properties of radio frequency signals generated by the wireless client and received at a plurality of sensors connected to the network;

(b) receiving information that identifies the wireless client;

(c) generating a set of access privileges based on the location and the identifying information of the wireless client; and

(d) sending the access privileges to the RADIUS server and using the RADIUS server to cause the one access point to apply the access privileges to the wireless client before the wireless client accesses the network via the one access point.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An access point through which a wireless device attaches to a wireless network determines the access privileges that will be accorded to the device based on a criteria set, such as the ID and physical location of the device requesting network access, the access point through which the device is connected to the network and user credentials. The location of the device is determined by a location determination system using the signal strength of the device signal. The location information and ID information is provided to an access server that uses the criteria set to retrieve access privileges from a privilege database. The retrieved access privileges are then applied to the wireless device by means of the access point and other devices in the wireless network.

137 Citations

30 Claims

1. A method for controlling access privileges in a wireless network having a plurality of access points based on the location of a wireless client that is connected to the network via radio-frequency signals sent between the wireless client and one of the plurality of access points wherein the one access point interacts with a RADIUS server to obtain access to the network, the method comprising:
- (a) computing, using a location system that is associated with the network and does not involve the wireless client, the location of the wireless client with an RF fingerprinting method from measured properties of radio frequency signals generated by the wireless client and received at a plurality of sensors connected to the network;
  
  (b) receiving information that identifies the wireless client;
  
  (c) generating a set of access privileges based on the location and the identifying information of the wireless client; and
  
  (d) sending the access privileges to the RADIUS server and using the RADIUS server to cause the one access point to apply the access privileges to the wireless client before the wireless client accesses the network via the one access point.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 wherein step (b) comprises receiving from the access point a device ID of the wireless client.
  - 3. The method of claim 2 wherein the device ID is a device MAC address.
  - 4. The method of claim 2 wherein step (b) comprises receiving from the access point an access point ID of the access point.
  - 5. The method of claim 1 wherein step (c) comprises retrieving the set of access privileges from a privilege database using the location and the identifying information of the wireless client.
  - 6. The method of claim 1 wherein step (d) comprises assigning the wireless client to a virtual LAN, identifying each data packet sent from the wireless client with a tag specifying that the data packet is part of the virtual LAN and using devices that respond to the tag to apply the access privileges.
  - 7. The method of claim 6 wherein step (d) further comprises changing the access privileges assigned to the wireless client by changing the virtual LAN to which the wireless client is assigned.
  - 8. The method of claim 6 wherein step (d) further comprises changing the access privileges assigned to the wireless client by changing devices that respond to the tag to apply different access privileges to the wireless client.
  - 9. The method of claim 1 wherein step (d) comprises using stateful packet filtering to apply the privileges.
  - 10. The method of claim 1 wherein step (c) is performed by an access server connected to the wireless network and wherein the access point recurrently polls the access server to cause step (c) to be recurrently performed.
  - 11. The method of claim 1 wherein step (c) is recurrently performed and the set of access privileges is recurrently sent to the access point.
  - 12. The method of claim 1 wherein step (d) comprises applying the access privileges to the wireless client for a predetermined period of time.
  - 13. The method of claim 12 wherein step (d) comprises performing an additional action after the predetermined period of time has expired.
  - 14. The method of claim 1 wherein step (d) comprises applying the access privileges to the wireless client based on the time of day.

15. Apparatus for controlling access privileges in a wireless network having a plurality of access points based on the location of a wireless client that is connected to the network via radio-frequency signals sent between the wireless client and one of the plurality of access points wherein the one access point interacts with a RADIUS server to obtain access to the network, the apparatus comprising:
- a location system that is associated with the network and does not involve the wireless client and computes the location of the wireless client with an RF fingerprinting method from measured properties of radio frequency signals generated by the wireless client and received at a plurality of sensors connected to the network;
  
  an access server that receives information that identifies the wireless client;
  
  a policy server that generates a set of access privileges based on the location and the identifying information of the wireless client; and
  
  a mechanism that comprises means for sending the access privileges to the RADIUS server and means for using the RADIUS server to cause the one access point to apply the access privileges to the wireless client before the wireless client accesses the network via the access point.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The apparatus of claim 15 wherein the access server comprises means for receiving from the access point a device ID of the wireless client.
  - 17. The apparatus of claim 16 wherein the device ID is a device MAC address.
  - 18. The apparatus of claim 16 wherein the access server comprises means for receiving from the access point an access point ID of the access point.
  - 19. The apparatus of claim 15 wherein the policy server comprises means for retrieving the set of access privileges from a privilege database using the location and the identifying information of the wireless client.
  - 20. The apparatus of claim 15 wherein the mechanism that applies the access privileges to the wireless client comprises:
    - means for assigning the wireless client to a virtual LAN;
      
      means for identifying each data packet sent from the wireless client with a tag specifying that the data packet is part of the virtual LAN; and
      
      means for using devices that respond to the tag to apply the access privileges.
  - 21. The apparatus of claim 20 wherein the mechanism that applies the access privileges to the wireless client further comprises means for changing the access privileges assigned to the wireless client by changing the virtual LAN to which the wireless client is assigned.
  - 22. The apparatus of claim 20 wherein the mechanism that applies the access privileges to the wireless client further comprises means for changing the access privileges assigned to the wireless client by changing devices that respond to the tag to apply different access privileges to the wireless client.
  - 23. The apparatus of claim 15 wherein the mechanism that applies the access privileges to the wireless client comprises means for using stateful packet filtering to apply the privileges.
  - 24. The apparatus of claim 15 wherein the access point recurrently polls the access server to recurrently cause the policy server to generate a set of access privileges based on the location and the identifying information of the wireless client.
  - 25. The apparatus of claim 15 wherein the policy server recurrently generates a set of access privileges based on the location and the identifying information of the wireless client and the generated set of access privileges is recurrently sent to the access point.
  - 26. The apparatus of claim 15 wherein the mechanism that applies the access privileges to the wireless client comprises means for applying the access privileges to the wireless client for a predetermined period of time.
  - 27. The apparatus of claim 26 wherein the mechanism that applies the access privileges to the wireless client comprises means for performing an additional action after the predetermined period of time has expired.
  - 28. The apparatus of claim 15 wherein the mechanism that applies the access privileges to the wireless client comprises means for applying the access privileges based on the time of day.

29. Apparatus for controlling access privileges in a wireless network having a plurality of access points based on the location of a wireless client that is connected to the network via radio-frequency signals sent between the wireless client and one of the plurality of access points wherein the one access point interacts with a RADIUS server to obtain access to the network, the apparatus comprising:
- means associated with the network and that does not involve the wireless client for computing the location of the wireless client with an RF fingerprinting method from measured properties of radio frequency signals generated by the wireless client and received at a plurality of sensors connected to the network;
  
  means for receiving information that identifies the wireless client;
  
  means for generating a set of access privileges based on the location and the identifying information of the wireless client; and
  
  means for sending the access privileges to the RADIUS server and means for using the RADIUS server to cause the one access point to apply the access privileges to the wireless client before the wireless client accesses the network via the access point.

30. A computer program product for controlling access privileges in a wireless network having a plurality of access points based on the location of a wireless client that is connected to the network via radio-frequency signals sent between the wireless client and one of the plurality of access points wherein the one access point interacts with a RADIUS server to obtain access to the network, the computer program product comprising a computer usable tangible storage medium having computer readable program code thereon, including:
- program code operable in a location system that is associated with the network and does not involve the wireless client for computing the location of the wireless client with an RF fingerprinting method from measured properties of radio frequency signals generated by the wireless client and received at a plurality of sensors connected to the network;
  
  program code for receiving information that identifies the wireless client;
  
  program code for generating a set of access privileges based on the location and the identifying information of the wireless client; and
  
  program code for sending the access privileges to the RADIUS server and program code for using the RADIUS server to cause the one access point to apply the access privileges to the wireless client before the wireless client accesses the network via the access point.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trapeze Networks Incorporated (Juniper Networks Incorporated)
Original Assignee
Trapeze Networks Incorporated (Juniper Networks Incorporated)
Inventors
Gray, Matthew K., Parker, Coleman P., Peden, Jeffrey J. II
Primary Examiner(s)
Phan; Huy Q

Application Number

US11/094,987
Time in Patent Office

1,545 Days
Field of Search

370/310, 370/332, 370/236, 370/230, 370/328, 370/338, 370/310.2, 370/331, 370/395.42, 370/455, 370/444, 455/517, 455/456.3, 455/456.1, 455/404.2, 455/512, 455/435.3, 455/166.2
US Class Current

370/310.2
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/0254   Stateful filtering

H04L 63/0876   based on the identity of th...

H04L 63/102   Entity profiles

H04L 63/107   wherein the security polici...

H04L 63/108   when the policy decisions a...

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/79   Radio fingerprint

Method and apparatus for controlling wireless network access privileges based on wireless client location

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

137 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for controlling wireless network access privileges based on wireless client location

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

137 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links