Method and apparatus for authentication in a wireless telecommunications system

US 8,045,530 B2
Filed: 01/21/2003
Issued: 10/25/2011
Est. Priority Date: 01/18/2002
Status: Active Grant

First Claim

Patent Images

1. A method comprising;

establishing a communication connection between a wireless terminal device and an access point,identifying at the access point a parameter relating to an authentication method of the wireless terminal device, said authentication method being identified by receiving an association request message from the wireless terminal device,classifying the wireless terminal device on the basis of the identified parameter in the communication network, anddirecting data packets of the wireless terminal device to a logical channel selected on the basis of the classification of the wireless terminal device, different classifications being related to separate logical channels,the wireless terminal device being configured to use one of the following authentication methods in order to authenticate itself to a communication network;

an 802.1x protocol authentication method wherein the access point relays authentication information directly between the terminal device and an authentication server, and an open system authentication method wherein the access point relays authentication information between the terminal device and the authentication server via an access controller, wherein the access point is configured to use both the 802.1x protocol authentication method and the open system authentication method.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and device for routing data packets of a wireless terminal device in a communication network. When Open system Authentication is used, the system operates similarly as the current Nokia Operator Wireless LAN system, in which the terminal device and the access controller are the parties involved in the authentication. The access controller relays information relating to the authentication between the terminal device and an authenticating server, and it is capable of updating independently the list of users it maintains. When authentication according IEEE 802.1X authentication, the access point operates according to the IEEE 802.1X standard, serving as the authenticating party and relaying information relating to the authentication between the terminal device and the authentication server. In addition, the list maintained by the access controller is updated after a successful authentication, for example by the access point or the authenticating server.

46 Citations

View as Search Results

37 Claims

1. A method comprising;
- establishing a communication connection between a wireless terminal device and an access point,identifying at the access point a parameter relating to an authentication method of the wireless terminal device, said authentication method being identified by receiving an association request message from the wireless terminal device,classifying the wireless terminal device on the basis of the identified parameter in the communication network, anddirecting data packets of the wireless terminal device to a logical channel selected on the basis of the classification of the wireless terminal device, different classifications being related to separate logical channels,the wireless terminal device being configured to use one of the following authentication methods in order to authenticate itself to a communication network;
  
  an 802.1x protocol authentication method wherein the access point relays authentication information directly between the terminal device and an authentication server, and an open system authentication method wherein the access point relays authentication information between the terminal device and the authentication server via an access controller, wherein the access point is configured to use both the 802.1x protocol authentication method and the open system authentication method.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method according to claim 1, wherein the identified parameter is one of the following:
    - Network Access Identifier, part of the Network Access Identifier used by the terminal device, frequency band, data rate, used radio technology of the terminal device.
  - 3. A method according to claim 1, wherein the logical channel is one of the following:
    - a Virtual LAN, an IP sub network, and an IP address range.
  - 4. A method according to claim 3, wherein the access point ensures that the terminal device is assigned an IP address from the correct IP sub network or IP address range.
  - 5. A method according to claim 1, wherein the logical channel comprises a tunnel.
  - 6. A method according to claim 1, further comprising:
    - verifying by the access point that the logical channel used for data packets matches the identified terminal device class.
  - 7. A method according to claim 6, further comprising:
    - relaying by the access point only data packets for which said verifying is successful and discarding data packets for which said verifying is unsuccessful.
  - 8. A method according to claim 1, wherein the access point is configured to apply different security processing to data packets of different terminal device classes.

9. An access point comprising:
- establishing means configured to establish a communication connection between a wireless terminal device and an access point, wherein the access point is configured to accept from the wireless terminal device a request to use one of the following authentication methods in order to authenticate itself to a network;
  
  an 802.1x protocol authentication method wherein the access point is configured to relay authentication information directly between the wireless terminal device and an authentication server, an open system authentication method wherein the access point is configured to relay authentication information between the wireless terminal device and an authentication agent via the access controller, wherein the access point further comprisesidentifying means configured to identify a parameter relating to the authentication method of the wireless terminal device, said authentication method being identified by receiving an association request message from the wireless terminal device,classifying means configured to classify the wireless terminal device on the basis of the identified parameter in the communication network, anddirecting means configured to detect data packets of the wireless terminal device to a logical channel selected on the basis of the classification of the wireless terminal device, different classifications being related to separate logical channels, wherein the access point is configured to authenticate using both the 802.1x protocol authentication method and the open system authentication method.
- View Dependent Claims (10, 11, 12, 13)
- - 10. An access point according to claim 9, wherein said identifying means are arranged to identify the parameter in response to detecting one of the following:
    - authentication method used by the terminal device, Network Access Identifier or part of the Network Access Identifier used by the terminal device, frequency band, data rate and used radio technology of the terminal device.
  - 11. An access point according to claim 9, wherein said directing means are arranged to use one of the following as said logical channel:
    - Virtual LANs, IP sub networks and IP address ranges.
  - 12. An access point according to claim 9, further comprising verifying means configured to verify data packets that the logical channel used that match the identified terminal device class.
  - 13. An access point according to claim 9, wherein the access point is arranged to only relay data packets for which said verification is successful and discards data packets for which said verification is unsuccessful.

14. A network comprising:
- an authentication agent configured to relay authentication information between a wireless terminal device and an authentication server via an access point,a logical access controller functionality configured to relay data packets of authenticated terminal devices included on a list and to block data packets of unauthenticated terminal devices,the authentication server configured to provide an authenticating service for the wireless terminal device to authenticate to the network, wherein the access point is configured to accept the wireless terminal device to use one of the following authentication methods in order to authenticate itself to the network;
  
  an 802.1x protocol authentication method wherein the access point is configured to relay authentication information directly between the terminal device and the authentication server, and an open system authentication method wherein the access point is configured to relay authentication information between the terminal device and an authentication server via the authentication agent, the authentication server configured to utilize both the 802.1x protocol authentication method and the open system authentication method, in the network, the access point configured to set up a communication connection to the wireless terminal device, the access point comprisingidentifying means configured to identify whether the terminal device is using the 802.1x or the open system authentication method and selecting the authentication method before starting the authentication, said authentication method being identified by receiving an association request message from the wireless terminal device,first relaying means configured to relay authentication information between the terminal device and the authentication server if the terminal device was identified to be using the 802.1x authentication method,first sending means configured to send identifier data of the terminal device, in response to successful authentication of the terminal device according to only the 802.1x authentication method, to the list of the access controller functionality,second relaying means configured to relay authentication information between the terminal device and the authentication server via the authentication agent if the terminal device was identified to be using the open system authentication method andsecond sending means configured to send identifier data of the terminal device, in response to successful authentication of the terminal device according to only the open system authentication method, to the list of the access controller functionality.
- View Dependent Claims (15, 16, 17)
- - 15. A network according to claim 14, wherein the identifying means are arranged to detect an authentication suite element from the association request message, said authentication suite element comprising the information of the authentication method the device is using.
  - 16. A network according to claim 14 wherein the detecting means are arranged to detect successful authentication of the terminal device using said first authentication method by receiving a message from the authentication server.
  - 17. A network according to claim 14, wherein the detecting means are arranged to detect successful authentication of the terminal device using said open system authentication method by receiving a message from one of the following:
    - the authentication agent or the authentication server.

18. A network comprising:
- an access point configured to set up a communication connection to a wireless terminal device,an authentication agent configured to relay authentication information between the wireless terminal device and an authentication server,a logical access controller functionality configured to relay data packets of the authenticated wireless terminal device and to block data packets of unauthenticated terminal devices, the logical access controller functionality further comprising a list of authenticated terminal devices,an authenticating server configured to provide an authenticating service for the wireless terminal device to authenticate to a communication network,the wireless terminal device being configured to use one of the following authentication methods in order to authenticate itself to the network;
  
  an 802.1x protocol authentication method wherein the access point relays authentication information directly between the wireless terminal device and the authentication server, an open system authentication method wherein the access point relays authentication information between the wireless terminal device and the authentication server via the authentication agent, in the communication network, a system for access control of the wireless terminal device, the authentication server configured to utilize both the 802.1x protocol authentication method and the open system authentication method, the network comprising;
  
  identifying means configured to identify at the access point whether the wireless terminal device is using the 802.1x or the open system authentication method, said authentication method being identified by receiving an association request message from the wireless terminal device,first relaying means configured to relay at the access point the authentication information of the 802.1x authentication method between the wireless terminal device and the authentication server,second relaying means at the access point configured to relay information between the wireless terminal device and the authentication agent,third relaying means at the authentication agent configured to relay authentication information of the open system authentication method between the access point and the authentication server,first sending means configured to send from the access point identifier data of the terminal device, in response to successful authentication of the wireless terminal device according to only the 802.1x authentication method, to the list of the access controller functionality,second sending means configured to send from the authentication agent the identifier data of the wireless terminal device, in response to successful authentication of the terminal device according to only the open system authentication method, to the list of the access controller functionality andrelaying means at the access controller functionality configured to relay data packets of the wireless terminal device included on the list.

19. A method comprising:
- establishing a communication connection between a wireless terminal and an access point,identifying at the access point a parameter from an authentication request of the wireless terminal which authentication method from two possible authentication methods the wireless terminal supports before starting the authentication, wherein the two possible authentication methods comprise a layer 2 authentication method and a layer 3 authentication method, said layer 2 or layer 3 authentication method being identified by receiving an association request message from the wireless terminal, andauthenticating the wireless terminal utilizing the identified authentication method,wherein in the layer 2 authentication method the access point relays authentication information directly to the wireless terminal, andin the layer 3 authentication method the access point relays authentication information to the wireless terminal via an access controller.
- View Dependent Claims (20, 21)
- - 20. The method according to claim 19, wherein the layer 2 authentication method utilizes IEEE 802.1x protocol.
  - 21. The method according to claim 20, wherein the layer 3 authentication method utilizes an open system authentication method.

22. An apparatus comprising:
- a processor and a memory configured to;
  
  establish a connection to a wireless terminal device;
  
  identify a parameter from an authentication request of the wireless terminal, which parameter determines which authentication method of the two possible authentication methods the wireless terminal supports before starting the authentication, wherein the two possible authentication methods comprise a layer 2 authentication method where the apparatus relays authentication information directly to the wireless terminal and a layer 3 authentication method where the apparatus relays authentication information to the wireless terminal via an access controller, said layer 2 or layer 3 authentication method being identified by receiving an association request message from the wireless terminal device; and
  
  convey authentication information directly or indirectly to the wireless terminal using the authentication method determined by the parameter.
- View Dependent Claims (23, 24, 25)
- - 23. The apparatus according to claim 22, wherein the layer 2 authentication method is IEEE 802.1x protocol.
  - 24. The apparatus according to claim 23, wherein the layer 3 authentication method is an open system authentication method.
  - 25. The apparatus according to claim 24, wherein the apparatus is an access point of a wireless radio network.

26. An access point comprising:
- a processor; and
  
  a memory, wherein the access point, in conjunction with the processor and the memory, is configured to set up a communication connection to a wireless terminal device in the communication network, the access point is configured to communicate with an authentication agent configured to relay authentication information of the wireless terminal device received from the access point to an authentication server, and a logical access controller functionality is configured to relay data packets of the authenticated terminal device and to block data packets of unauthenticated terminal devices, the logical access controller functionality further comprising a list of authenticated terminal devices, the authenticating server is configured to provide an authenticating service for the terminal device to authenticate to the network,the access point is configured to use either of the following authentication methods in order to authenticate the terminal device;
  
  an 802.1x protocol authentication method wherein the access point relays authentication information directly between the terminal device and the authentication server, and an open system authentication method wherein the access point relays authentication information between the wireless terminal device and the authentication server via the authentication agent, in the communication network, said 802.1x protocol or open system authentication method being identified by receiving an association request message from the wireless terminal device.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 27. The access point as in claim 26, the access point configured to identify which of the 802.1x protocol and open system authentication methods the wireless terminal device is using,wherein if the wireless terminal device is identified to authenticate by using the 802.1x protocol authentication method but not the open system authentication method, the access point is configured to perform the following:
    - relaying authentication information directly between the wireless terminal device and the authentication server, andsending the identifier data of the wireless terminal device, in response to successful authentication, to the list of the access controller functionality,wherein the access controller functionality is configured to add the identifier data of the authenticated wireless terminal device to the list and relay data packets of the wireless terminal device included on the list.
  - 28. The access point as in claim 26, the access point configured to identify which of the 802.1x protocol and open system authentication methods the wireless terminal device is using,wherein if the wireless terminal device is identified to authenticate by using the open system authentication method, the access point is configured to perform the following:
    - relaying authentication information between the wireless terminal device and the authenticating agent, andrelaying authentication information between the access point and the authentication server,wherein the authentication agent is configured to send the identifier data of the wireless terminal device, in response to successful authentication, to the list of the access controller functionality, wherein the access controller functionality is configured to add the identifier data of the authenticated terminal device to the list and relaying data packets of the terminal device included on the list.
  - 29. The access point as in claim 26, wherein the access controller functionality is implemented as part of an access point device.
  - 30. The access point as in claim 26, wherein the access controller functionality is implemented as part of an authentication agent device.
  - 31. The access point as in claim 26, wherein the access controller functionality is implemented in a device separate from the access point and the authentication agent.
  - 32. The access point of claim 31, wherein the authentication agent is configured to update an access control list by sending a message to the device separate from the access point and the authentication agent.
  - 33. The access point of claim 27, wherein the identifier data comprises at least one of the following:
    - the IP address and the MAC address of the terminal device.
  - 34. The access point of claim 28, wherein the identifier data comprises at least one of the following:
    - the IP address and the MAC address of the terminal device.
  - 35. The access point of claim 28, wherein the open system authentication method is performed according to one of the following:
    - the internet key exchange protocol and the hypertext transfer protocol.
  - 36. The access point of claim 26, the association request message comprising an authentication suite element, said authentication suite element further comprising the information of the authentication method the device is using.
  - 37. The access point of claim 26, the access point further configured to renew the authentication after a time period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Corporation
Inventors
Tuomi, Jukka, Smith, Mike P., Bush, Anton, Takamäki, Timo, Haverinen, Henry, Rinnemaa, Jyri, Tuominen, Hannu
Primary Examiner(s)
Yao; Kwang B
Assistant Examiner(s)
Kao; Jutai

Application Number

US10/347,947
Publication Number

US 20040208151A1
Time in Patent Office

3,199 Days
Field of Search

None
US Class Current

370/338
CPC Class Codes

H04L 61/00   Network arrangements, proto...

H04L 61/10   of different types

H04L 61/50   Address allocation

H04L 63/0236   Filtering by address, proto...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/205   involving negotiation or de...

H04W 12/069   using certificates or pre-s...

H04W 84/12   WLAN [Wireless Local Area N...

H04W 88/08   Access point devices

Method and apparatus for authentication in a wireless telecommunications system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

46 Citations

37 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for authentication in a wireless telecommunications system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

37 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others