Method and apparatus for providing authentication, authorization and accounting to roaming nodes
Abstract
This invention proposes an integrated process for AAA (Authentication, Authorisation, and Accounting) with the usual order reversed, so that L2 authorisation follows L3 authorisation. The L3 process treats the wireless link as any normal IP access link; the L3 authorisation performs the L3 processing but also carries the L2 terminal authentication identifiers, so that the L2 security parameters can be returned in the same exchange. This means that neither the wireless link nor the IP layer is secured until the L3 authorisation has completed, and therefore the first IP messages that trigger authorisation are sent insecurely. This invention also provides methods to prevent these insecure messages from presenting any opportunity to an attacker. Finally, the invention includes methods to enable L3 before L2 authorisation when a user is roaming in a foreign network.
50 Claims
1. A communications method for use in a communications network including a mobile node, a first security device and a second security device, said mobile node being identified in a home region of said communications network by a first identifier, said second security device being in a foreign region of said communications network, the method comprising:
operating the second security device to:
transmit a signal including said first identifier to the first security device, said first identifier including a first realm associated only with said home region;
receive a first secret in response to said transmitted signal including said first identifier;
generate a second identifier to identify said mobile node in said foreign region, said second identifier including a second realm associated only with said foreign region, wherein the second identifier further includes a username of the first identifier, and further includes the first realm; and
associate said second identifier with said first secret.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 36.
24. A communications network for use with a mobile node, the communications network comprising:
a home region including a first security system, said mobile node being associated with said home region and being identified in said home region by a first identifier including a first realm associated only with said home region, said first security system storing said first identifier and a first secret known to both said mobile node and said first security system; and
a foreign region including a second security system, said mobile node being located in said foreign region for a period of time, the second security system being coupled to said first security system, said second security system including:
said first identifier,
a second secret generated from said first secret by said first security system and supplied to said second security system, and
a second identifier, generated by said second security system, to identify said mobile node to said second security system, the second identifier including a second realm associated only with said foreign region, wherein the second identifier further includes a username of the first identifier, and further includes the first realm.
Dependent claims: 25, 26, 27, 28, 29, 30.
31. A non-transitory computer readable medium including machine executable instructions for controlling a second security device to implement a communications method in a communications network including a mobile node, a first security device and said second security device, said mobile node being identified in a home region of said communications network by a first identifier, said second security device being in a foreign region of said communications network, the computer readable medium comprising:
instructions for causing the second security device to transmit a signal including said first identifier to the first security device, said first identifier including a first realm associated only with said home region;
instructions for causing the second security device to receive a first secret in response to said transmitted signal including said first identifier;
instructions for causing the second security device to generate a second identifier to identify said mobile node in said foreign region, said second identifier including a second realm associated only with said foreign region, wherein the second identifier further includes a username of the first identifier, and further includes the first realm; and
instructions for causing the second security device to associate said second identifier with said first secret.
Dependent claims: 32, 33, 34, 35.
37. A second security device including a processor configured to control said second security device to implement a communications method in a communications network including a mobile node, a first security device and said second security device, said mobile node being identified in a home region of said communications network by a first identifier, said second security device being in a foreign region of said communications network, the processor being configured to:
transmit a signal including said first identifier to the first security device, said first identifier including a first realm associated only with said home region;
receive a first secret in response to said transmitted signal including said first identifier;
generate a second identifier to identify said mobile node in said foreign region, said second identifier including a second realm associated only with said foreign region, wherein the second identifier further includes a username of the first identifier, and further includes the first realm; and
associate said second identifier with said first secret.
Dependent claims: 38, 39, 40, 41, 42.
43. A second security device for use in a communications network including a mobile node, a first security device and said second security device, said mobile node being identified in a home region of said communications network by a first identifier, said second security device being in a foreign region of said communications network, the second security device comprising:
means for transmitting a signal including said first identifier to the first security device, said first identifier including a first realm associated only with said home region;
means for receiving a first secret in response to said transmitted signal including said first identifier;
means for generating a second identifier to identify said mobile node in said foreign region, said second identifier including a second realm associated only with said foreign region, wherein the second identifier further includes a username of the first identifier, and further includes the first realm; and
means for associating said second identifier with said first secret.
Dependent claims: 44, 45, 46, 47.
48. A second security device for use in a communications network including a mobile node, a first security device and said second security device, said mobile node being identified in a home region of said communications network by a first identifier, said second security device being in a foreign region of said communications network, the second security device comprising:
a transmitter module for transmitting a signal including said first identifier to the first security device, said first identifier including a first realm associated only with said home region;
an interface module for receiving a first secret in response to said transmitted signal including said first identifier;
a processor module for generating a second identifier to identify said mobile node in said foreign region, said second identifier including a second realm associated only with said foreign region, wherein the second identifier further includes a username of the first identifier, and further includes the first realm; and
an authentication module for associating said second identifier with said first secret.
Dependent claims: 49, 50.
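The following is an added Python sketch of the exchange in claim 1 (foreign device sends the first identifier home, receives a secret, generates a second identifier and associates it with the secret) together with the derived second secret of claim 24; it is not the patent's own code. The identifier formats (`user@home-realm` and `home-realm!user@foreign-realm`), the HMAC-SHA256 derivation and the challenge-response check are assumptions made here, since the claims fix none of them.

```python
import hashlib
import hmac
# Assumed formats (the patent fixes none): first identifier = user@home-realm; second
# identifier = home-realm!user@foreign-realm, so it carries username, first realm and
# second realm as claim 1 requires. Secret derivation (HMAC-SHA256) is also assumed.

SUBSCRIBERS = {"alice": b"alice-first-secret"}  # constructed sample subscriber table

def derive_region_secret(first_secret: bytes, first_identifier: str, foreign_realm: str) -> bytes:
    """Second secret (claim 24): bound to the foreign realm so the home secret never leaves."""
    return hmac.new(first_secret, f"{first_identifier}|{foreign_realm}".encode(), hashlib.sha256).digest()

class HomeSecurityDevice:
    """First security device: owns the subscriber table of the home realm."""
    def __init__(self, realm: str, subscribers: dict[str, bytes]):
        self.realm = realm
        self._subscribers = subscribers  # username -> first secret shared with the node

    def handle_request(self, first_identifier: str, foreign_realm: str) -> bytes:
        user, _, realm = first_identifier.partition("@")
        if realm != self.realm:
            raise ValueError(f"{first_identifier!r} is not in home realm {self.realm!r}")
        if user not in self._subscribers:
            raise KeyError(f"unknown subscriber {user!r}")
        return derive_region_secret(self._subscribers[user], first_identifier, foreign_realm)

class ForeignSecurityDevice:
    """Second security device: associates second identifiers with region secrets."""
    def __init__(self, realm: str, home: HomeSecurityDevice):
        self.realm, self._home, self._table = realm, home, {}

    def admit(self, first_identifier: str) -> str:
        """Claim 1: send first identifier home, receive secret, generate and associate."""
        user, _, home_realm = first_identifier.partition("@")
        region_secret = self._home.handle_request(first_identifier, self.realm)
        second_identifier = f"{home_realm}!{user}@{self.realm}"
        self._table[second_identifier] = region_secret
        return second_identifier

    def verify(self, second_identifier: str, challenge: bytes, response: bytes) -> bool:
        """Later local authentication uses the stored secret; no home round trip needed."""
        secret = self._table.get(second_identifier)
        if secret is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def mobile_node_response(first_secret: bytes, first_identifier: str, foreign_realm: str, challenge: bytes) -> bytes:
    """The mobile node derives the same region secret from its own first secret."""
    return hmac.new(derive_region_secret(first_secret, first_identifier, foreign_realm), challenge, hashlib.sha256).digest()
```

Because the derived secret is bound to the foreign realm, a secret obtained by one visited region is useless in another, and an unknown or mismatched second identifier is rejected locally without contacting the home region.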