US20050149764A1 - Systems and methods for managing network connectivity for mobile users - Google Patents
- Publication number
- US20050149764A1 (application number US11/072,039)
- Authority
- US
- United States
- Prior art keywords
- network
- verifier
- computer network
- authorizer
- recited
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE
  - H04W—WIRELESS COMMUNICATION NETWORKS
    - H04W48/00—Access restriction; Network selection; Access point selection
      - H04W48/08—Access restriction or access information delivery, e.g. discovery data delivery
      - H04W48/16—Discovering, processing access restriction or access information
      - H04W48/18—Selecting a network or a communication service
    - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
      - H04W12/06—Authentication
        - H04W12/062—Pre-authentication
    - H04W8/00—Network data management
      - H04W8/26—Network addressing or numbering for mobility support
  - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    - H04L63/00—Network architectures or network communication protocols for network security
      - H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
      - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
      - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
        - H04L63/102—Entity profiles
Definitions
- the present invention relates to accessing wireless networks.
- the invention relates to systems and methods for managing network connectivity for mobile users.
- the usage and service options of a public network generally differ from that of a private (enterprise or home) network. Consequently, the two networks are often configured differently and computers accessing the networks must accommodate the different configurations to allow users to move easily between a private network and a public network.
- Public networks are security cautious only to the extent that the individual using the network is. The host organization's focus is on establishing the identity of a previously unknown user and then giving her access to the network, its resources, and other location services. Hence, tracking who is using the network, what services are being used and how much bandwidth is being used are important. Public networks typically perform packet-level processing for both user-level authentication and privacy, and for offering different kinds of services, and keeping track of network use on a per-user basis.
- client devices have to change behavior according to the network being accessed.
- When accessing a private network, the client need not do anything; hardware encryption with a shared key is sufficient to control users' access.
- When accessing a public network, the client runs through an authentication process and starts using a specialized network access protocol, which gives it access to different types of services.
- the mobility problem can be further expressed in a few different scenarios:
- implementations for accommodating mobile connectivity between networks are described.
- implementations for accommodating mobile connectivity between private and public networks are shown.
- the public network is a wireless network.
- the private network in the described implementations may be wired or wireless.
- a public network architecture is provided, by one or more host organizations, for providing individuals with wireless access to the Internet.
- the public network architecture includes a global authentication server and at least one authorizer.
- the networks are advantageously deployed in public areas such as airports, shopping malls, libraries, etc.
- the host organization may partition this network either physically, or logically, into several smaller networks called subnets. Each subnet includes at least one verification server (“verifier”).
- the announcer broadcasts an announcer signal that identifies the network, as well as the network addresses of the authorizer and the verifier.
- a daemon process on a mobile client is configured to monitor for the announcer signal. When detected, the mobile client contacts the authorizer by way of an Access Point to obtain authorization to access the network.
- Upon authorization by the authorizer, the mobile client receives an authorization key that indicates that the mobile user has been authorized to access the network.
- the authorization key includes an expiration time, after which the authorization key is invalid.
- the mobile user communicates with the network by transmitting data packets through the verifier.
- the verifier verifies that each data packet received from a client is authorized to access the network, i.e., the verifier checks the data packet for a tag created by a valid authorization key. Data packets containing an appropriate tag are passed on to the network; data packets having an invalid tag are denied.
- a network may include more than one verifier. This feature of the described implementations provides scalability to the architecture, since a small network may have one verifier, while a larger network may have ten, twenty or more verifiers. The more verifiers utilized in a network, the higher the traffic load the network can accommodate.
- Multiple verifiers may also be used to provide load balancing and fault tolerance to a system.
- load balancing is accomplished by monitoring the traffic load on each verifier. Since new connections are directed to a verifier that is identified in the announcer signal, when a load on that verifier attains a load threshold, the announcer signal is changed to identify an alternate verifier that has a lower load. If that alternate verifier reaches the load threshold, the announcer signal may be altered again to identify yet another alternate verifier. In this manner, the traffic on the network may be spread out among all the verifiers utilized in the network.
- Utilization of multiple verifiers also provides a fault tolerance mechanism for the network. If a preferred verifier—i.e., a verifier that is identified in the announcer signal—fails, then mobile clients using the failed verifier detect that the verifier has failed, and re-direct data packets to an alternate verifier.
- the announcer signal is changed to reflect a new verifier when the server system detects a verifier failure.
- the alternate verifier may be previously identified to be a backup verifier for the preferred verifier, or the system may dynamically select an available verifier to use as the alternate verifier.
- Mobile clients that are currently communicating with the network through the preferred verifier will detect an announcer signal that contains a new address for a preferred verifier (the alternate verifier). Data packets are re-directed to the alternate verifier (the new preferred verifier).
- mobile clients that roam from one Access Point on a network to another Access Point on the same network can reconnect to the network without having to go through the authentication process again.
- a client that connects to a public network at SEATAC airport in Seattle while waiting for a flight to Chicago may disconnect from the network, catch the flight to Chicago, and reconnect to the same public network at O'Hare airport.
- the client accomplishes this by using the same authorization key that was obtained at SEATAC when the client reconnects at O'Hare.
- the authorizer in Chicago will recognize that the client has a valid authorization key and will allow the client to bypass the authentication process and go directly to a verifier associated with the O'Hare system. If an expiration time is used with the authorization key, the client will be able to bypass authentication only if the authorization key has not expired.
- a mobile client contains network settings from a private network, or some other previous network.
- the private network settings are stored when the public network is detected and accessed.
- When the mobile client disconnects from the public network, e.g., the mobile client leaves the public network coverage area, the private network settings are restored.
- the mobile client will be configured correctly.
- FIG. 1 is a high level system diagram of an exemplary system architecture in accordance with a described implementation.
- FIG. 2 is a diagram of a computer system that can be used to implement various aspects of various implementations.
- FIG. 3 is a high level diagram of a process for authorizing mobile users in a wireless network.
- FIG. 4 is a high level diagram of a process for verifying users requesting access to a network.
- FIG. 5 is a diagram of an exemplary extended announcer signal.
- FIG. 6 is a diagram of an exemplary tagged data packet.
- FIG. 7 is a diagram of an announcer signal that is configured to provide load balancing over multiple verifiers.
- FIG. 8 is a diagram of an announcer signal that is configured to provide verifier fault tolerance.
- FIG. 9 is a flow diagram that depicts a method for tolerating a verifier failure.
- FIG. 10 is a block diagram of a mobile client.
- FIG. 11 is a flow diagram depicting a method for managing network connectivity for mobile users.
- systems and methods are provided for accommodating mobile connectivity between networks, e.g. private networks and public networks.
- Mobile users are provided with the capability to automatically detect the presence of a wireless network and to automatically change settings from a previous network to connect to the wireless network.
- An announcer beacon broadcasts an announcer signal that includes a network identifier, an authorizer identifier and a verifier identifier.
- the mobile client detects the announcer signal and obtains the information contained therein.
- the mobile client contacts the authorizer at the address received from the signal to obtain authorization to access the network. If the client is authorized, the authorizer transmits an authorization key to the client.
- the client attaches a tag created with the authorization key to each data packet.
- the verifier accepts data packets having a valid tag but denies data packets that do not have a valid tag.
- FIG. 1 shows a high level system diagram of an exemplary system architecture generally at 100 that is capable of implementing various features described below.
- Architecture 100 is used in connection with a computer network an exemplary one of which is the Internet 102 .
- One or more host organization networks 104 are provided and are managed by a host organization (not shown). Examples of a host organization include individual businesses that might, for example, be located in a public area. Although there may be more than one host organization network, only one host organization network 104 is shown in the present example. Exemplary public areas include shopping malls, libraries, airports, downtown shopping areas and the like.
- the host organization 104 includes one or more wireless subnets (wireless subnet 106 and wireless subnet 108 in the present example).
- Each wireless subnet 106 , 108 may be located in a different public area.
- wireless subnet 106 might be located in a shopping mall, while wireless subnet 108 might be located in an airport.
- One or more service providers 110 can be incorporated in the architecture 100 .
- the service providers 110 control access to the Internet 102 and comprise a plurality of different Internet Service Providers (ISPs) that are communicatively linked with the host organization network 104 .
- the host organization network 104 can include one or more resources 112 . Exemplary resources can include, without limitation, scanners, tape drives, laser printers, and the like.
- Each host organization network 104 might also include a local authentication database 114 for purposes that will be described below.
- Wireless subnet 106 is shown having Access Point 116 and Access Point 118 .
- Mobile clients 120 , 122 are shown communicating with the host organization network 104 through Access Point 116 .
- Mobile clients 124 , 126 , 128 are shown communicating with the host organization network 104 through Access Point 118 .
- Wireless subnet 108 is shown having Access Point 130 and 132 .
- Mobile clients 134 , 136 , 138 are shown communicating with the host organization network 104 through Access Point 130 .
- Mobile clients 140 , 142 are shown communicating with the host organization network 104 through Access Point 132 .
- wireless subnets 106 , 108 or other subnets may provide a greater or lesser number of Access Points than shown in FIG. 1 . Also, a greater or lesser number of mobile clients than shown may be connecting with the Access Points.
- Architecture 100 can also include a global authentication database 144 that is configured to be globally accessible from anywhere in the world.
- the global authentication database 144 includes not only a repository of data or information that is used to authenticate users, but also any information regarding server computers or computing devices that are used in connection with the data repository to authenticate a user.
- the global authentication database 144 is advantageously accessible via the Internet 102 .
- the global authentication database 144 can be any suitable globally accessible database that is capable of authenticating users as described below.
- Such databases can be operated by and/or associated with particular businesses, organizations or clubs for which authentication is desired. For example, a particular organization, e.g., Gold Club Frequent Fliers, may have negotiated with authorizer 116 for Internet access for its members.
- the global authentication database 144 provides a mechanism by which this can be done, as will become apparent below.
- the global authentication database 144 can be a more generalized database that can be operated on behalf of many organizations or businesses that might want to generally authenticate users.
- An example of this type of global authentication database is MICROSOFT PASSPORT Server and database.
- the MS server and database enable a user to be individually verified against information that is maintained by the server and database. Oftentimes, this type of verification is conducted outside of the purview of other servers in an end-to-end secure fashion.
- users can access the Internet through the use of a client computer or other computing device.
- a “user” refers to a human individual and a “client” refers to a computer or computing device that the human individual uses to access the Internet.
- the client can be a mobile computer such as a lap top computer, or can be any other suitable computing device.
- the client can be provided by the host organization, or can be a mobile computing device that travels with its particular user.
- When a user wishes to access the Internet, they simply use their client computer to interface with a wireless subnet 106 , 108 .
- the wireless subnets 106 , 108 provide means for communicating with the authorizer 116 and verifier 110 .
- the authorizer 116 first authenticates the user by using one of the local or global authentication databases 114 , 144 respectively.
- the user thereafter communicates with the host organization network 104 through one or more of the verifiers 110 .
- the authorizer 116 contains sufficient information to authorize users locally, i.e., by using the local authorization database 114 . Periodic downloads of user data from the global authorization database 144 are one way to widen the scope of users that can be authorized locally. However, it may be desirable for the authorizer 116 to communicate with the global authorization database 144 to authorize users.
- limited access to the Internet can be granted by the authorizer 116 for the limited purpose of authenticating a user via the global authorization database.
- If the user does not authenticate, Internet access can be terminated. For example, an IP address might be temporarily granted to a user via a DHCP or NAT process. If the user has not authenticated themselves within a definable period of time (e.g., ten minutes), their Internet access can be terminated.
- the global authentication database 114 takes the user through a separate authentication process (e.g., entry of a user name and password) so that the user can be authenticated to the global authentication database 114 .
- This authentication process can be a protected end-to-end secure process in which all of the user's transmissions to the global authentication database 114 are encrypted from the client machine and can be only decrypted by the global authentication database 114 .
- An exemplary encryption technique is Secure Socket Layer (SSL) transmission, however, other secure techniques can be used.
- SSL: Secure Socket Layer
- the communications are secure between the authorizer 116 , the host organization network 104 and the global authorization database 144 .
- Once the user is authenticated to the global authentication database 114 , the database 114 generates a message to the host organization network 104 and informs the host organization network 104 that the particular user has been authenticated. After the authentication has occurred, all communication with and access to the Internet 102 takes place through one or more of the verifiers 110 . That is, all of the data packets that are transmitted from and received by the client are routed through the verifiers 110 .
- An advantageous feature of the above architecture is that it enables a user to freely move about from host organization to host organization, without having their Internet access inextricably tied to any one particular ISP or to a particular company such as their employer. This system permits a much more individual-centric system that promotes user mobility, as will become apparent below. Another advantage of this architecture is that once a user is authenticated, they can move freely about without having to re-authenticate themselves to the system. Another advantageous feature of the above architecture is that a mobile client may roam between networks while providing seamless operation for a user.
- FIG. 2 shows an exemplary computer system that can be used to implement various computing devices, i.e. client computers, servers and the like, in accordance with the described embodiments.
- Computer 200 includes one or more processors or processing units 202 , a system memory 204 , and a bus 206 that couples various system components including the system memory 204 to processors 202 .
- the bus 206 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures.
- the system memory 204 includes read only memory (ROM) 208 and random access memory (RAM) 210 .
- ROM: read only memory
- RAM: random access memory
- a basic input/output system (BIOS) 212 containing the basic routines that help to transfer information between elements within computer 200 , such as during start-up, is stored in ROM 208 .
- Computer 200 further includes a hard disk drive 214 for reading from and writing to a hard disk (not shown), a magnetic disk drive 216 for reading from and writing to a removable magnetic disk 218 , and an optical disk drive 220 for reading from or writing to a removable optical disk 222 such as a CD ROM or other optical media.
- the hard disk drive 214 , magnetic disk drive 216 , and optical disk drive 220 are connected to the bus 206 by an SCSI interface 224 or some other appropriate interface.
- the drives and their associated computer-readable media provide nonvolatile storage of computer-readable instructions, data structures, program modules and other data for computer 200 .
- a number of program modules may be stored on the hard disk 214 , magnetic disk 218 , optical disk 222 , ROM 208 , or RAM 210 , including an operating system 228 , one or more application programs 230 , other program modules 232 , and program data 234 .
- a user may enter commands and information into computer 200 through input devices such as a keyboard 236 and a pointing device 238 .
- Other input devices may include a microphone, joystick, game pad, satellite dish, scanner, or the like.
- These and other input devices are connected to the processing unit 202 through an interface 240 that is coupled to the bus 206 .
- a monitor 242 or other type of display device is also connected to the bus 206 via an interface, such as a video adapter 244 .
- personal computers typically include other peripheral output devices (not shown) such as speakers and printers.
- Computer 200 commonly operates in a networked environment using logical connections to one or more remote computers, such as a remote computer 246 .
- the remote computer 246 may be another personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to computer 200 , although only a memory storage device 248 has been illustrated in FIG. 2 .
- the logical connections depicted in FIG. 2 include a local area network (LAN) 250 and a wide area network (WAN) 252 .
- LAN: local area network
- WAN: wide area network
- Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets, and the Internet.
- When used in a LAN networking environment, computer 200 is connected to the local network 250 through a network interface or adapter 254 .
- When used in a WAN networking environment, computer 200 typically includes a modem 256 or other means for establishing communications over the wide area network 252 , such as the Internet.
- the modem 256 which may be internal or external, is connected to the bus 206 via a serial port interface 226 .
- program modules depicted relative to the personal computer 200 may be stored in the remote memory storage device. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers may be used.
- the data processors of computer 200 are programmed by means of instructions stored at different times in the various computer-readable storage media of the computer.
- Programs and operating systems are typically distributed, for example, on floppy disks or CD-ROMs. From there, they are installed or loaded into the secondary memory of a computer. At execution, they are loaded at least partially into the computer's primary electronic memory.
- the invention described herein includes these and other various types of computer-readable storage media when such media contain instructions or programs for implementing the steps described below in conjunction with a microprocessor or other data processor.
- the invention also includes the computer itself when programmed according to the methods and techniques described below.
- programs and other executable program components such as the operating system are illustrated herein as discrete blocks, although it is recognized that such programs and components reside at various times in different storage components of the computer, and are executed by the data processor(s) of the computer.
- FIG. 3 shows a high level diagram of a process for authorizing mobile users in a wireless network.
- An announcer beacon 300 broadcasts a basic announcer signal 302 generated by a signal generator 304 .
- the announcer signal 302 includes a network identifier 306 , an authorizer address 308 and a verifier address 310 .
- the network identifier 306 identifies a host organization network ( 104 , FIG. 1 ) that is broadcasting the announcer signal 302 .
- the authorizer address 308 is an Internet address or a host organization network address for an authorizer 312 .
- the verifier address 310 is an Internet address or a host organization network address associated with a verifier ( 110 , FIG. 1 ). (The verifier 110 is not shown in FIG. 3 because the verifier is not a part of the authorization process.)
- the authorizer address 308 is given out in the announcer signal 302 before a user has been authorized. This is so that the user can access information about the host organization network 104 and have the opportunity to download network access software if the user hasn't already done so. In this way, a user can walk into a building (or other wireless network coverage area), download the software and start using the network.
- a mobile client 314 includes a controller daemon 316 that continuously or periodically monitors for the announcer signal 302 .
- When the controller daemon 316 detects the announcer signal 302 , the controller daemon 316 can determine the network broadcasting the announcer signal 302 and the authorizer 312 to contact to access the network identified by the network identifier 306 .
- authorization to access the network is demonstrated by possessing an authorization key 318 .
- the mobile client 314 includes a key acquisition module 320 that is configured to request the authorization key 318 from the authorizer 312 . Any authorization process known in the art may be used to authorize the mobile client 314 . Once the mobile client 314 is authorized, a key transfer module 322 transmits the authorization key 318 to the key acquisition module 320 of the mobile client 314 .
- the authorization key 318 also includes an expiration time 324 that indicates a time period in which the authorization key 318 is valid.
- the expiration time 324 may be a time of expiration, a date of expiration, a time period for key validity, etc. Any known method for limiting the time during which the authorization key 318 may be used to access the network may be used.
- the verifier handles the tasks related to per-packet verification, accounting and policy enforcement on packet transmissions between the mobile users and the public network.
- the mobile client uses the verifier as a service gateway for access to the Internet.
- the verifier checks each data packet received from a mobile client for a valid tag generated by the client's authorization key.
- the verifier may keep an account of the number of data packets received from each user so that the information may be used to enforce policies such as quality-of-service level by dropping packets from a user who violates a service agreement.
- verifiers may be deployed to handle large volumes of traffic flow within a wireless subnet. Additionally, verifiers may be replicated to support roaming between different wireless subnets.
- FIG. 4 is a high level diagram of a process for verifying users requesting access to a network.
- In describing FIG. 4 , continuing reference will be made to the features and reference numerals recited in FIGS. 1 and 3 .
- the mobile client 314 is prepared to communicate with the host organization network 104 through a verifier 400 .
- a communications module 402 in the mobile client 314 is configured to use the authorization key 318 to create a tag 404 , which is appended—or integrated in some way—to a data packet 406 transmitted from the mobile client 314 to the verifier 400 .
- the verifier 400 is configured to verify that each data packet 406 received from the mobile client 314 includes a tag 404 generated by a valid authorization key 318 . If the data packet 406 includes a tag 404 generated by a key other than the authorization key 318 , the data packet 406 is dropped. Furthermore, in one implementation, if the data packet 406 includes a tag 404 that the verifier determines has expired, the verifier 400 drops the data packet 406 .
- FIG. 5 is a diagram of an exemplary extended announcer signal 500 .
- the extended announcer signal 500 is similar to the announcer signal 302 shown in FIG. 3 in that it includes a network identifier 502 , an authorizer address 504 and a verifier address 506 .
- the extended announcer signal 500 includes a subnet mask 508 that identifies the particular wireless subnet ( FIG. 1 ; 106 , 108 ) to which a user receiving the announcer signal 500 will be connected.
- the subnet mask 508 is used primarily in networks having more than one subnet.
- the extended announcer signal 500 includes a website Universal Resource Locator (URL) 510 .
- URL: Universal Resource Locator
- When a mobile client detects the extended announcer signal 500 and connects to an authorizer identified by the authorizer address 504 , the mobile client is granted limited access to the Internet (for purposes of authorization, advertisement, free services, etc.).
- a mobile client connecting to the network identified by the network identifier 502 will be directed to the website URL 510 that identifies the network to the user and directs the user through the authorization process.
- the extended announcer signal 500 may contain either the subnet mask 508 or the website URL 510 or both. Furthermore, the extended announcer signal 500 may include other features that enhance a user's experience with the network.
- FIG. 6 is a diagram of an exemplary tagged data packet 600.
- The tagged data packet 600 includes a data packet 602 and a tag 604.
- The tag 604 may be any data tag, generated by a known method, that can be used to verify that the tagged data packet 600 was sent by an authorized source.
- The tag 604 includes a version number 606, an encryption type 608, a key identifier 610 and an encrypted portion 612.
- The version number 606 identifies the version of the system software, i.e., of the tag generation process, used to create the tagged data packet 600.
- The version number 606 may be used to implement backward compatibility if the system protocol is revised: a system running a later software revision can still communicate correctly with a system running an earlier version.
- The encryption type 608 identifies the encryption algorithm used to protect the encrypted portion 612 of the tagged data packet 600 (the patent gives SSL as its example; strictly, SSL is a transport protocol that negotiates a cipher rather than a cipher itself). Carrying the type in the tag lets more than one algorithm be in use at once and lets a weak one be retired without changing the tag format.
- The key identifier 610 identifies the authorization key 318 (FIG. 3) and, as a result, identifies the client using that key. The authorization key 318 itself is never placed in the tag. A verifier must therefore keep track of the valid keys in use in the system: when a tagged data packet is received, the verifier maps the key identifier 610 to an authorized user to confirm that the user is authorized to access the network.
- The encrypted portion 612 of the tag 604 includes a token 614 and a checksum 616.
- The token 614 is a value initially provided by the server to the mobile client, so the server knows what the token 614 should be once it has been encrypted under the mobile client's authorization key 318.
- In one implementation the token 614 is a counter that identifies the position of the data packet 600 in the sequence of data packets sent from the mobile client to the verifier in a session (if the packet is the 256th sent from the client to the verifier in the session, the token is 256). A token received out of sequence tells the verifier that something is wrong: either an earlier packet has been replayed or the tag has been forged.
- The checksum 616 is included for data integrity verification. It prevents an unauthorized user from capturing a tag 604 and appending it to a data packet of their own: because the checksum is computed over the data packet 602 and travels inside the encrypted portion 612, a substituted packet no longer matches the checksum the verifier recovers, and the substitution is exposed. This argument relies on the encrypted portion being non-malleable. With a plain stream cipher and a public checksum function, an attacker who knows both the original and the substituted packet can flip bits of the encrypted checksum to match the new packet without knowing the key, so in practice the portion should be protected by an authenticated construction (a keyed MAC or an authenticated-encryption mode) rather than by confidentiality alone.
- The use of checksums is well known in the art, and any checksum method compatible with the present invention may be used.
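The tag format and the verifier's checks described for FIG. 6, as an added worked example that is not part of the patent. Field encodings, the CRC-32 checksum, the key identifier 42 and the constructed packets are assumptions of the example. In place of the encrypted portion 612 it uses an HMAC-SHA256 over the token and checksum under the authorization key, so the verifier recomputes the portion from the token it expects rather than decrypting it; this is the example's choice, made so that the portion cannot be bit-flipped to fit a substituted packet.

```python
import hashlib
import hmac
import struct
import zlib

# Field values are assumptions for this example; the patent fixes the fields, not their encoding.
VERSION = 1
ENC_TYPE_HMAC_SHA256 = 1                # "encryption type": a keyed MAC stands in for the cipher
TAG_HEADER = struct.Struct("!BBI")      # version 606, encryption type 608, key identifier 610
PORTION_LEN = hashlib.sha256().digest_size
TAG_LEN = TAG_HEADER.size + PORTION_LEN


def checksum(data: bytes) -> int:
    """Checksum 616 over the data packet 602 (CRC-32 here; any method may be used)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def keyed_portion(auth_key: bytes, token: int, csum: int) -> bytes:
    """Stand-in for the 'encrypted portion' 612: token 614 and checksum 616 bound to the key.

    An HMAC is used instead of encryption so the portion cannot be altered to fit a
    substituted packet; the verifier recomputes it instead of decrypting it.
    """
    return hmac.new(auth_key, struct.pack("!II", token, csum), hashlib.sha256).digest()


class MobileClient:
    """Tags outgoing packets with the authorization key obtained from the authorizer."""

    def __init__(self, key_id: int, auth_key: bytes) -> None:
        self.key_id = key_id
        self.auth_key = auth_key
        self.counter = 0            # token 614 as a per-session packet counter

    def tag_packet(self, data: bytes) -> bytes:
        self.counter += 1
        header = TAG_HEADER.pack(VERSION, ENC_TYPE_HMAC_SHA256, self.key_id)
        return data + header + keyed_portion(self.auth_key, self.counter, checksum(data))


class Verifier:
    """Holds the active keys (by key identifier) and the next expected token per client."""

    def __init__(self, active_keys: dict) -> None:
        self.keys = dict(active_keys)
        self.expected_token = {key_id: 1 for key_id in self.keys}

    def verify(self, tagged_packet: bytes) -> tuple:
        if len(tagged_packet) < TAG_LEN:
            return False, "packet too short to carry a tag"
        data, tag = tagged_packet[:-TAG_LEN], tagged_packet[-TAG_LEN:]
        version, enc_type, key_id = TAG_HEADER.unpack(tag[:TAG_HEADER.size])
        if version != VERSION:
            return False, f"unsupported tag version {version}"
        if enc_type != ENC_TYPE_HMAC_SHA256:
            return False, f"unsupported encryption type {enc_type}"
        auth_key = self.keys.get(key_id)
        if auth_key is None:
            return False, f"unknown key identifier {key_id}"   # not an authorized client
        token = self.expected_token[key_id]
        expected = keyed_portion(auth_key, token, checksum(data))
        # Constant-time compare. A mismatch means a forged tag, a tag spliced onto
        # another packet, a replayed packet, or an out-of-sequence token.
        if not hmac.compare_digest(expected, tag[TAG_HEADER.size:]):
            return False, f"invalid tag or out-of-sequence token for key {key_id}"
        self.expected_token[key_id] = token + 1
        return True, data


def demo() -> dict:
    """Constructed scenario: one authorized client, one verifier, one attacker."""
    auth_key = hashlib.sha256(b"constructed authorization key 318").digest()
    client = MobileClient(key_id=42, auth_key=auth_key)
    verifier = Verifier({42: auth_key})
    first = client.tag_packet(b"GET /index.html")
    results = {"genuine": verifier.verify(first)[0]}
    results["replay"] = verifier.verify(first)[0]                      # same token again
    spliced = b"GET /admin" + first[-TAG_LEN:]                        # attacker reuses the tag
    results["spliced"] = verifier.verify(spliced)[0]
    results["next_in_sequence"] = verifier.verify(client.tag_packet(b"GET /next"))[0]
    stranger = MobileClient(key_id=99, auth_key=b"not an issued key")
    results["unknown_key"] = verifier.verify(stranger.tag_packet(b"hello"))[0]
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:>17}: {'accepted' if accepted else 'rejected'}")
```

The replay and splice cases fail for the same reason a forged tag does: the verifier only ever computes the portion for the token it expects next, so a captured tag is useless after the genuine packet has been accepted, and useless on any other packet at any time.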
- FIG. 7 is a diagram of an announcer signal 700 that is configured to provide load balancing over multiple verifiers.
- The announcer signal 700 includes a network identifier 702 and an authorizer address 704.
- In this situation the announcer signal 700 also includes a preferred verifier address 706.
- Initially, the preferred verifier address 706 is the network address of a first verifier 708, which is used as described above.
- When the load on the first verifier 708 reaches, or nears, the load threshold identified for it, the preferred verifier address 706 is changed to the address of a second verifier 709. New users connecting to the network are now directed to the second verifier 709 until it in turn attains a load at or nearing its own load threshold. When this condition is detected, the preferred verifier address 706 is changed again to the address of another verifier 710, and so on until a last verifier 712 is identified by the preferred verifier address 706.
- The switching of the preferred verifier address 706 is circular: when the last verifier 712 reaches its load threshold, the announcer signal 700 is once again changed to carry a preferred verifier address 706 that identifies the first verifier 708.
- Multiple verifiers may also be used to provide fault tolerance in the event of a verifier failure.
- If a verifier fails, the clients connected to that verifier are re-directed to another verifier.
- For this to work the verifiers must be redundant, i.e., each verifier must hold the set of all active keys in the network.
- FIG. 8 is a diagram of an announcer signal 800 that is configured to provide fault tolerance in the event that a verifier fails.
- An announcer signal 800 is shown having a network identifier 802 and an authorizer address 804.
- The announcer signal 800 also includes a preferred verifier address 806 configured in a multiple-verifier scheme as outlined above with reference to load balancing. As shown, the preferred verifier address 806 is the address of a first verifier 808. Any number of verifiers may be utilized; therefore, the address of a last verifier 810 is shown as the nth verifier.
- The first verifier 808 is assigned a first backup verifier 812.
- If the first verifier 808 fails, the address of the first backup verifier 812 is made the preferred verifier address 806.
- The first backup verifier 812 may itself be one of the multiple verifiers in the rotation described above, i.e., an active verifier may serve as the backup verifier for another active verifier.
- Each of the verifiers is assigned a backup verifier, e.g., the last verifier 810 is assigned a last backup verifier 814 (designated the nB verifier). Fault tolerance is thus accommodated whichever verifier fails. Upon a verifier failure, no new clients will be directed to the failed verifier.
- If the failed verifier 808 has one or more mobile clients communicating with it at the time it fails, those mobile clients receive the new announcer signal 800 containing the address of the new preferred verifier 806 and immediately re-direct their data packet transmissions to it.
- In this implementation, fault tolerance is handled similarly to load balancing as described above with regard to FIG. 7.
- In another implementation, the mobile client itself determines if and when the preferred verifier 806 has failed. This may be accomplished with a time-out mechanism or an acknowledgement mechanism, either of which lets the mobile client detect that the preferred verifier 806 is not responding.
- When it does, the mobile client re-directs data packets to the verifier address immediately following the address of the verifier deemed to have failed.
- In this example, the mobile client sends subsequent data packets to the next available verifier (verifier 810). In this way, the mobile client can continue to operate within the network in the event that a verifier fails.
- FIG. 9 is a flow diagram that depicts a method for tolerating a verifier failure as described in the latter implementation for FIG. 8, above.
- Initially, a mobile client transmits tagged data packets to the preferred verifier as previously described.
- The preferred verifier is the verifier identified in the announcer signal.
- As long as the preferred verifier keeps responding, the mobile client continues to send data packets to it ("No" branch, block 902). If the preferred verifier fails ("Yes" branch, block 902), the mobile client changes the preferred verifier with which it communicates to a backup verifier (block 904).
- The mobile client thereafter transmits tagged data packets to the new preferred verifier (block 906).
- This fault tolerance scheme may also be used with the authorizer to protect against the authorizer failing.
- Mobile clients should be able to transition smoothly from one network to another, e.g., from a private network to a public network and vice versa.
- A user who obtains authorization to a network and then roams to another subnet of that network should not have to go through the authorization process again, provided the user still holds a valid authorization key from that network.
- FIG. 10 is a more detailed block diagram of a mobile client 1000 utilized in the implementations described herein.
- The mobile client 1000 includes a processor 1002, a display 1004, a communications module 1006 and memory 1008.
- The mobile client 1000 also includes a detector 1010 configured to detect an announcer signal similar to the announcer signal 302 shown in FIG. 3 and the announcer signal 500 shown in FIG. 5.
- The memory 1008 includes an operating system 1012, a web browser 1014 and a controller 1016 similar to the controller daemon described above (316, FIG. 3).
- The memory also stores an authorization key 1018, a tagging module 1020 and an encryption module 1022, the functions of which have been discussed above.
- Private network settings 1024 and public network settings 1026 are stored in the memory 1008.
- The private network settings 1024 are network settings for connecting to and communicating with a private network (not shown), such as a network at the user's employer.
- The public network settings 1026 are network settings for a public network, such as the host organization network 104 shown in FIG. 1.
- FIG. 11 is a flow diagram depicting a method for accommodating mobile connectivity between networks or between subnets of a network.
- In the discussion of FIG. 11, continuing reference will be made to the elements and reference numerals recited in the discussion of FIG. 10.
- The following example deals with a mobile client that roams from a private network to a public network, disconnects from the public network and then reconnects to the public network.
- First, the detector 1010 of the mobile client 1000 detects an announcer signal.
- The controller 1016 saves the private network settings 1024 (block 1102) that are used to connect to and communicate with a private network (not shown).
- The controller 1016 then loads the public network settings 1026 used by the wireless network associated with the announcer signal. Once the public network settings have been loaded, the mobile client connects with a system authorizer (block 1106) and, if authorized, communicates with the network via a verifier (block 1108).
- Later, the mobile client 1000 disconnects, either by command from the user or because the detector 1010 no longer detects the announcer signal, indicating that the mobile client 1000 has left the coverage area of the public network.
- The private network settings 1024 are then restored on the mobile client 1000.
- The mobile client 1000 is thus prepared to connect to and communicate with the private network to which it was previously connected.
- Subsequently, the detector 1010 again detects an announcer signal (block 1114).
- In this example the announcer signal is broadcast by the same public network to which the mobile client 1000 was connected previously.
- The private network settings 1024 are saved at block 1116 and the public network settings 1026 are loaded at block 1118.
- The mobile client 1000 connects with an authorizer at block 1120.
- The authorizer determines whether the mobile client 1000 possesses an authorization key 1018 that is still valid. If the validity period of the authorization key 1018 has expired ("No" branch, block 1122), the mobile client 1000 must be re-authorized at block 1128. If the authorization key 1018 is still valid ("Yes" branch, block 1122), it may continue to be used: data packets are tagged at block 1124 and the tagged data packets are sent to a verifier at block 1126. The authorizer should establish that the client actually holds the key (for example by checking a tag made with it) rather than accept the key identifier alone, since the identifier is carried outside the encrypted portion of every tag.
- The mobile client 1000 can thus roam from the private network to the public network and back with ease, since the network settings are changed automatically. Also, if the mobile client 1000 re-connects to the network before the authorization key 1018 has expired, the user is saved the time and trouble of going through the authorization process again.
- The above-described methods and systems provide a mechanism for accommodating wireless connectivity when roaming between two networks, or between two subnets of a network.
- A mobile user can seamlessly transition from a private network to a public network without having to manually configure the user's mobile client.
- The user may also disconnect and reconnect to the same network without having to go through the authorization process each time the user reconnects to the network. Implementations described herein also provide for balancing loads between multiple verifiers and providing for backup services in the event of a verifier or authorizer failure.
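The roaming procedure of FIG. 11 and the reconnect-without-re-authorization rule of block 1122, as an added worked example that is not part of the patent. The `Authorizer` issues keys with an expiration time and recognizes a still-valid key on reconnect; the `MobileClient` controller saves the private network settings when an announcer signal is detected, loads the public ones, restores the private ones on disconnect, and keeps one key per network identifier until it expires, so that a key for a different public network survives a visit elsewhere (scenario 3 in the background section). The network names, settings, lifetime and timestamps are constructed; the proof that the client holds the key is reduced to comparing the presented record with the issued one, which a real authorizer would replace with a check of a tag made with the key.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuthorizationKey:
    network_identifier: str
    key_id: int
    expires_at: float          # seconds since epoch; the patent's optional expiration time

    def valid_at(self, now: float) -> bool:
        return now < self.expires_at


class Authorizer:
    """Issues keys for one public network and recognizes still-valid ones on reconnect."""

    def __init__(self, network_identifier: str, lifetime: float) -> None:
        self.network_identifier = network_identifier
        self.lifetime = lifetime
        self.issued: dict = {}     # key_id -> AuthorizationKey; shared by all subnets' authorizers
        self._next_id = 1

    def connect(self, presented: Optional[AuthorizationKey], now: float, logon_ok: bool) -> tuple:
        # Block 1122: a presented key that we issued and that has not expired is reused.
        # (Equality with the issued record stands in for a real proof of possession.)
        if presented is not None and self.issued.get(presented.key_id) == presented \
                and presented.valid_at(now):
            return "reused", presented
        if not logon_ok:                       # the logon process (block 1128) failed
            return "denied", None
        key = AuthorizationKey(self.network_identifier, self._next_id, now + self.lifetime)
        self.issued[key.key_id] = key
        self._next_id += 1
        return "authorized", key


class MobileClient:
    """Controller 1016 behaviour: swap settings and keep keys per network (FIG. 11)."""

    def __init__(self, private_settings: dict, public_settings: dict) -> None:
        self.private_settings = private_settings      # settings 1024
        self.public_settings = public_settings        # settings 1026
        self.active_settings = dict(private_settings)
        self.saved_settings = None
        self.keys: dict = {}       # network identifier -> AuthorizationKey, kept until expiry

    def on_announcer_signal(self, network_identifier: str, authorizer: Authorizer,
                            now: float, logon_ok: bool = True) -> str:
        self.saved_settings = dict(self.active_settings)     # blocks 1102 / 1116
        self.active_settings = dict(self.public_settings)    # block 1118
        # Expired keys are dropped; keys for other networks are kept for a later return.
        self.keys = {nid: k for nid, k in self.keys.items() if k.valid_at(now)}
        outcome, key = authorizer.connect(self.keys.get(network_identifier), now, logon_ok)
        if key is not None:
            self.keys[network_identifier] = key
        return outcome

    def on_disconnect(self) -> None:
        """Announcer signal lost or user disconnects: restore the private settings."""
        if self.saved_settings is not None:
            self.active_settings = self.saved_settings
            self.saved_settings = None


def demo() -> dict:
    """Constructed itinerary: public network A, back to private, A again, network B, A twice more."""
    network_a = Authorizer("hostnet-a", lifetime=4 * 3600)
    network_b = Authorizer("hostnet-b", lifetime=4 * 3600)
    client = MobileClient(private_settings={"proxy": "proxy.corp.example", "dns": "10.1.1.1"},
                          public_settings={"proxy": None, "dns": "192.0.2.53"})
    t0 = 1_000_000.0
    trace = {}
    trace["first_connect"] = client.on_announcer_signal("hostnet-a", network_a, t0)
    trace["public_dns"] = client.active_settings["dns"]
    client.on_disconnect()
    trace["restored_dns"] = client.active_settings["dns"]
    trace["reconnect_1h"] = client.on_announcer_signal("hostnet-a", network_a, t0 + 3600)
    client.on_disconnect()
    trace["other_network_2h"] = client.on_announcer_signal("hostnet-b", network_b, t0 + 7200)
    client.on_disconnect()
    trace["back_3h"] = client.on_announcer_signal("hostnet-a", network_a, t0 + 3 * 3600)
    client.on_disconnect()
    trace["back_5h"] = client.on_announcer_signal("hostnet-a", network_a, t0 + 5 * 3600)
    client.on_disconnect()
    return trace


if __name__ == "__main__":
    for event, outcome in demo().items():
        print(f"{event:>17}: {outcome}")
```

Roaming between subnets of one network (the case the patent wants to be transparent) works here only because every subnet's authorizer consults the same `issued` records; a deployment that keeps them per subnet would force the re-authorization the patent is trying to avoid.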
Abstract
Systems and methods are described for managing network connectivity for mobile users, particularly when a mobile user roams between two networks or between two subnets of a network. An announcer signal is broadcast by a host organization. The announcer signal includes a network identifier, an authorizer address and a verifier address. A mobile client monitors for the announcer signal and, when detected, provides an option to connect to the network via the authorizer. Once authorization is obtained, the mobile client communicates with the network through the verifier. The verifier receives tagged data packets from a mobile client and only accepts the data packets if a valid tag (created with an authorization key) is included with them. Multiple verifiers may be used to provide load balancing and fault tolerance (in the event a verifier fails). If a mobile client disconnects from a network and later reconnects, the mobile client does not have to be re-authorized if the mobile client still has a valid authorization key.
Description
- This application is a divisional application of and claims priority to U.S. patent application Ser. No. 09/960,258, the disclosure of which is incorporated by reference herein.
- The present invention relates to accessing wireless networks. In particular, the invention relates to systems and methods for managing network connectivity for mobile users.
- The growth and popularity of the Internet has created an economy and society where businesses and individuals rely heavily on having connectivity to the Internet. In addition to the proliferation of private networks that can be accessed from homes and businesses, this has led to the creation of public networks that are located and accessible in public places, such as shopping malls, airports, libraries, etc. Public networks provide Internet access to mobile users in areas frequented by users but not traditionally configured to provide Internet access.
- The usage and service options of a public network generally differ from that of a private (enterprise or home) network. Consequently, the two networks are often configured differently and computers accessing the networks must accommodate the different configurations to allow users to move easily between a private network and a public network.
- Large corporations tend to be extremely security cautious, taking an enterprise-centric approach where every user is governed by a single policy. User authentication is intended to prevent unknown persons from accessing internal private networks. Such corporations generally use some sort of a pre-configured shared key mechanism with hardware encryption to secure network access.
- Public networks are security cautious only to the extent that the individual using the network is. The host organization's focus is on establishing the identity of a previously unknown user and then giving her access to the network, its resources, and other location services. Hence, tracking who is using the network, what services are being used and how much bandwidth is being used are important. Public networks typically perform packet-level processing for both user-level authentication and privacy, and for offering different kinds of services, and keeping track of network use on a per-user basis.
- Another difference is that, while corporations generally have a high level of confidence and trust in their users (employees), public network operators have to guard against network users whom they might not know well. They need tools to protect themselves from malicious users who are only interested in bringing the network down.
- Consequently, client devices have to change behavior according to the network being accessed. When accessing a private network, the client need not do anything; hardware encryption with a shared key is sufficient to control users' access. However, when accessing a public network, the client runs through an authentication process and starts using a specialized network access protocol, through which it obtains different types of services.
- The mobility problem can be further expressed in a few different scenarios:
- 1. The mobile client migrates between a private (company) network and a public network. Since the company network may not be running a system that is compatible with the public network, the mobile client must recognize when to enable/disable the public network protocol locally.
- 2. The mobile client migrates between different subnets of the same public network. In this case, it is undesirable to require the user to re-authenticate herself by repeating the logon process. Instead, the client should gain access in the new subnet by using the same key obtained from the previous subnet. The mobile client must recognize and perform any necessary changes in the routing configuration (e.g., directing traffic to a different verifier server) and resume network operation by using the same key.
- 3. The mobile client migrates between different public networks. The mobile client must distinguish this from the previous scenario and ask the user to perform the logon process in the new network. After authentication has succeeded, the client host will use a new key to communicate in the new network. However, the mobile client should save the previous key until it expires so that it could be reused upon returning to the previous network.
- There exists a need for a mobility support mechanism that allows devices to automatically determine how to establish/re-establish network connectivity as roaming users migrate across the different networks.
- Various implementations for accommodating mobile connectivity between networks are described. In particular, implementations for accommodating mobile connectivity between private and public networks are shown. In the described implementations, the public network is a wireless network. The private network in the described implementations may be wired or wireless.
- In one implementation, a public network architecture is provided, by one or more host organizations, for providing individuals with wireless access to the Internet. The public network architecture includes a global authentication server and at least one authorizer. The networks are advantageously deployed in public areas such as airports, shopping malls, libraries, etc. The host organization may partition this network either physically, or logically, into several smaller networks called subnets. Each subnet includes at least one verification server (“verifier”).
- The announcer broadcasts an announcer signal that identifies the network, as well as the network addresses of the authorizer and the verifier. A daemon process on a mobile client is configured to monitor for the announcer signal. When detected, the mobile client contacts the authorizer by way of an Access Point to obtain authorization to access the network.
- Upon authorization by the authorizer, the mobile client receives an authorization key that indicates that the mobile user has been authorized to access the network. In one implementation, the authorization key includes an expiration time, after which the authorization key is invalid. After obtaining the authorization key, the mobile user communicates with the network by transmitting data packets through the verifier. The verifier verifies that each data packet received from a client is authorized to access the network, i.e., the verifier checks the data packet for a tag created by a valid authorization key. Data packets containing an appropriate tag are passed on to the network; data packets having an invalid tag are denied.
- A network may include more than one verifier. This feature of the described implementations provides scalability to the architecture, since a small network may have one verifier, while a larger network may have ten, twenty or more verifiers. The more verifiers utilized in a network, the higher the traffic load the network can accommodate.
- Multiple verifiers may also be used to provide load balancing and fault tolerance to a system. In one implementation wherein multiple verifiers are utilized, load balancing is accomplished by monitoring the traffic load on each verifier. Since new connections are directed to a verifier that is identified in the announcer signal, when a load on that verifier attains a load threshold, the announcer signal is changed to identify an alternate verifier that has a lower load. If that alternate verifier reaches the load threshold, the announcer signal may be altered again to identify yet another alternate verifier. In this manner, the traffic on the network may be spread out among all the verifiers utilized in the network.
- Utilization of multiple verifiers also provides a fault tolerance mechanism for the network. If a preferred verifier—i.e., a verifier that is identified in the announcer signal—fails, then mobile clients using the failed verifier detect that the verifier has failed, and re-direct data packets to an alternate verifier. In another implementation, the announcer signal is changed to reflect a new verifier when the server system detects a verifier failure. The alternate verifier may be previously identified to be a backup verifier for the preferred verifier, or the system may dynamically select an available verifier to use as the alternate verifier. Mobile clients that are currently communicating with the network through the preferred verifier will detect an announcer signal that contains a new address for a preferred verifier (the alternate verifier). Data packets are re-directed to the alternate verifier (the new preferred verifier).
- In one implementation, mobile clients that roam from one Access Point on a network to another Access Point on the same network can reconnect to the network without having to go through the authentication process again. For example, a client that connects to a public network at SEATAC airport in Seattle while waiting for a flight to Chicago may disconnect from the network, catch the flight to Chicago, and reconnect to the same public network at O'Hare airport. The client accomplishes this by using the same authorization key that was obtained at SEATAC when the client reconnects at O'Hare. The authorizer in Chicago will recognize that the client has a valid authorization key and will allow the client to bypass the authentication process and go directly to a verifier associated with the O'Hare system. If an expiration time is used with the authorization key, the client will be able to bypass authentication only if the authorization key has not expired.
- In another implementation, if a mobile client contains network settings from a private network, or some other previous network, the private network settings are stored when the public network is detected and accessed. When the mobile client disconnects from the public network, e.g., the mobile client leaves the public network coverage area, then the private network settings are restored. When the private network is subsequently accessed, the mobile client will be configured correctly.
- FIG. 1 is a high level system diagram of an exemplary system architecture in accordance with a described implementation.
- FIG. 2 is a diagram of a computer system that can be used to implement various aspects of various implementations.
- FIG. 3 is a high level diagram of a process for authorizing mobile users in a wireless network.
- FIG. 4 is a high level diagram of a process for verifying users requesting access to a network.
- FIG. 5 is a diagram of an exemplary extended announcer signal.
- FIG. 6 is a diagram of an exemplary tagged data packet.
- FIG. 7 is a diagram of an announcer signal that is configured to provide load balancing over multiple verifiers.
- FIG. 8 is a diagram of an announcer signal that is configured to provide verifier fault tolerance.
- FIG. 9 is a flow diagram that depicts a method for tolerating a verifier failure.
- FIG. 10 is a block diagram of a mobile client.
- FIG. 11 is a flow diagram depicting a method for managing network connectivity for mobile users.
- Overview
- In the described embodiments, systems and methods are provided for accommodating mobile connectivity between networks, e.g. private networks and public networks. Mobile users are provided with the capability to automatically detect the presence of a wireless network and to automatically change settings from a previous network to connect to the wireless network.
- An announcer beacon broadcasts an announcer signal that includes a network identifier, an authorizer identifier and a verifier identifier. The mobile client detects the announcer signal and obtains the information contained therein. The mobile client contacts the authorizer at the address received from the signal to obtain authorization to access the network. If the client is authorized, the authorizer transmits an authorization key to the client. On subsequent data packet transmissions to the verifier, the client attaches a tag created with the authorization key to each data packet. The verifier accepts data packets having a valid tag but denies data packets that do not have a valid tag.
- The claimed invention includes other features and aspects that will be discussed in greater detail below.
- FIG. 1 shows a high level system diagram of an exemplary system architecture, generally at 100, that is capable of implementing various features described below. Architecture 100 is used in connection with a computer network, an exemplary one of which is the Internet 102. One or more host organization networks 104 are provided and are managed by a host organization (not shown). Examples of a host organization include individual businesses that might, for example, be located in a public area. Although there may be more than one host organization network, only one host organization network 104 is shown in the present example. Exemplary public areas include shopping malls, libraries, airports, downtown shopping areas and the like. The host organization network 104 includes one or more wireless subnets (wireless subnet 106 and wireless subnet 108 in the present example). Each wireless subnet may be located in a different public area; for example, wireless subnet 106 might be located in a shopping mall, while wireless subnet 108 might be located in an airport. One or more service providers 110 can be incorporated in the architecture 100. In this example, the service providers 110 control access to the Internet 102 and comprise a plurality of different Internet Service Providers (ISPs) that are communicatively linked with the host organization network 104. The host organization network 104 can include one or more resources 112. Exemplary resources can include, without limitation, scanners, tape drives, laser printers, and the like. Each host organization network 104 might also include a local authentication database 114 for purposes that will be described below.
- Wireless subnet 106 is shown having Access Point 116 and Access Point 118. Some mobile clients connect to the host organization network 104 through Access Point 116, and others connect to the host organization network 104 through Access Point 118.
- Wireless subnet 108 is shown having Access Points 130 and 132. Some mobile clients connect to the host organization network 104 through Access Point 130, and others connect to the host organization network 104 through Access Point 132.
- It is noted that wireless subnets 106 and 108 may include a greater or lesser number of Access Points than shown in FIG. 1. Also, a greater or lesser number of mobile clients than shown may be connecting with the Access Points.
- Architecture 100 can also include a global authentication database 144 that is configured to be globally accessible from anywhere in the world. In the illustrated example, the global authentication database 144 includes not only a repository of data or information that is used to authenticate users, but also any information regarding server computers or computing devices that are used in connection with the data repository to authenticate a user. The global authentication database 144 is advantageously accessible via the Internet 102. The global authentication database 144 can be any suitable globally accessible database that is capable of authenticating users as described below. Such databases can be operated by and/or associated with particular businesses, organizations or clubs for which authentication is desired. For example, a particular organization, e.g., Gold Club Frequent Fliers, may have negotiated with the authorizer 116 for Internet access for its members. When the members access the network 104 through wireless subnet 106, there needs to be a way to authenticate these Gold Club Frequent Flyer members so that they can be provided Internet access at the negotiated level. The global authentication database 144 provides a mechanism by which this can be done, as will become apparent below. Alternately, the global authentication database 144 can be a more generalized database that can be operated on behalf of many organizations or businesses that might want to generally authenticate users. An example of this type of global authentication database is the MICROSOFT PASSPORT server and database. The MS server and database enable a user to be individually verified against information that is maintained by the server and database. Oftentimes, this type of verification is conducted outside of the purview of other servers in an end-to-end secure fashion.
- In the illustrated example, users can access the Internet through the use of a client computer or other computing device. In the context of this document, a "user" refers to a human individual and a "client" refers to a computer or computing device that the human individual uses to access the Internet. The client can be a mobile computer such as a laptop computer, or can be any other suitable computing device. The client can be provided by the host organization, or can be a mobile computing device that travels with its particular user. When a user wishes to access the Internet, they simply use their client computer to interface with a wireless subnet 106 or 108. The wireless subnets are served by an authorizer 116 and one or more verifiers 110. The authorizer 116 first authenticates the user by using one of the local or global authentication databases 114, 144.
- In the described embodiment, after a user has been authorized by the authorizer 116, the user thereafter communicates with the host organization network 104 through one or more of the verifiers 110. This permits the authorizer 116 to be a dedicated server that only performs authorization. Consequently, the verifiers 110 are not required to perform authorizations, but can simply allow access to the host organization network 104 as long as data packets transmitted through the verifiers 110 carry proof that the user sending them has already been authorized to access the host organization network 104 by the authorizer 116.
- In at least one embodiment, the authorizer 116 contains sufficient information to authorize users locally, i.e., by using the local authorization database 114. Periodic downloads of user data from the global authorization database 144 are one way to widen the scope of users that can be authorized locally. However, it may be desirable for the authorizer 116 to communicate with the global authorization database 144 to authorize users.
- In one or more embodiments, limited access to the Internet can be granted by the authorizer 116 for the limited purpose of authenticating a user via the global authorization database. After a limited period of time, if the user has not been authenticated, Internet access can be terminated. For example, an IP address might be temporarily granted to a user via a DHCP or NAT process. If the user has not authenticated themselves within a definable period of time (e.g., ten minutes), their Internet access can be terminated. The global authentication database 144 takes the user through a separate authentication process (e.g., entry of a user name and password) so that the user can be authenticated to the global authentication database 144. This authentication process can be a protected end-to-end secure process in which all of the user's transmissions to the global authentication database 144 are encrypted from the client machine and can only be decrypted by the global authentication database 144. An exemplary encryption technique is Secure Socket Layer (SSL) transmission; however, other secure techniques can be used. The communications are secure between the authorizer 116, the host organization network 104 and the global authorization database 144.
- Once the user is authenticated to the global authentication database 144, the database 144 generates a message to the host organization network 104 and informs the host organization network 104 that the particular user has been authenticated. After the authentication has occurred, all communication with and access to the Internet 102 takes place through one or more of the verifiers 110. That is, all of the data packets that are transmitted from and received by the client are routed through the verifiers 110.
- An advantageous feature of the above architecture is that it enables a user to freely move about from host organization to host organization, without having their Internet access inextricably tied to any one particular ISP or to a particular company such as their employer. This system permits a much more individual-centric system that promotes user mobility, as will become apparent below. Another advantage of this architecture is that once a user is authenticated, they can move freely about without having to re-authenticate themselves to the system. Another advantageous feature of the above architecture is that a mobile client may roam between networks while providing seamless operation for a user.
- Exemplary Computer System
- FIG. 2 shows an exemplary computer system that can be used to implement various computing devices, i.e. client computers, servers and the like, in accordance with the described embodiments.
- Computer 200 includes one or more processors or processing units 202, a system memory 204, and a bus 206 that couples various system components including the system memory 204 to processors 202. The bus 206 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. The system memory 204 includes read only memory (ROM) 208 and random access memory (RAM) 210. A basic input/output system (BIOS) 212, containing the basic routines that help to transfer information between elements within computer 200, such as during start-up, is stored in ROM 208.
- Computer 200 further includes a hard disk drive 214 for reading from and writing to a hard disk (not shown), a magnetic disk drive 216 for reading from and writing to a removable magnetic disk 218, and an optical disk drive 220 for reading from or writing to a removable optical disk 222 such as a CD ROM or other optical media. The hard disk drive 214, magnetic disk drive 216, and optical disk drive 220 are connected to the bus 206 by a SCSI interface 224 or some other appropriate interface. The drives and their associated computer-readable media provide nonvolatile storage of computer-readable instructions, data structures, program modules and other data for computer 200. Although the exemplary environment described herein employs a hard disk, a removable magnetic disk 218 and a removable optical disk 222, it should be appreciated by those skilled in the art that other types of computer-readable media which can store data that is accessible by a computer, such as magnetic cassettes, flash memory cards, digital video disks, random access memories (RAMs), read only memories (ROMs), and the like, may also be used in the exemplary operating environment.
- A number of program modules may be stored on the hard disk 214, magnetic disk 218, optical disk 222, ROM 208, or RAM 210, including an operating system 228, one or more application programs 230, other program modules 232, and program data 234. A user may enter commands and information into computer 200 through input devices such as a keyboard 236 and a pointing device 238. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner, or the like. These and other input devices are connected to the processing unit 202 through an interface 240 that is coupled to the bus 206. A monitor 242 or other type of display device is also connected to the bus 206 via an interface, such as a video adapter 244. In addition to the monitor, personal computers typically include other peripheral output devices (not shown) such as speakers and printers.
- Computer 200 commonly operates in a networked environment using logical connections to one or more remote computers, such as a remote computer 246. The remote computer 246 may be another personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to computer 200, although only a memory storage device 248 has been illustrated in FIG. 2. The logical connections depicted in FIG. 2 include a local area network (LAN) 250 and a wide area network (WAN) 252. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets, and the Internet.
- When used in a LAN networking environment, computer 200 is connected to the local network 250 through a network interface or adapter 254. When used in a WAN networking environment, computer 200 typically includes a modem 256 or other means for establishing communications over the wide area network 252, such as the Internet. The modem 256, which may be internal or external, is connected to the bus 206 via a serial port interface 226. In a networked environment, program modules depicted relative to the personal computer 200, or portions thereof, may be stored in the remote memory storage device. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers may be used.
- Generally, the data processors of computer 200 are programmed by means of instructions stored at different times in the various computer-readable storage media of the computer. Programs and operating systems are typically distributed, for example, on floppy disks or CD-ROMs. From there, they are installed or loaded into the secondary memory of a computer. At execution, they are loaded at least partially into the computer's primary electronic memory. The invention described herein includes these and other various types of computer-readable storage media when such media contain instructions or programs for implementing the steps described below in conjunction with a microprocessor or other data processor. The invention also includes the computer itself when programmed according to the methods and techniques described below.
- For purposes of illustration, programs and other executable program components such as the operating system are illustrated herein as discrete blocks, although it is recognized that such programs and components reside at various times in different storage components of the computer, and are executed by the data processor(s) of the computer.
- Authorization
- FIG. 3 shows a high level diagram of a process for authorizing mobile users in a wireless network. Although the discussion that follows is in the context of a wireless network, it is to be understood that some aspects of the system architecture could, alternately, employ a wired network.
- An announcer beacon 300 broadcasts a basic announcer signal 302 generated by a signal generator 304. The announcer signal 302 includes a network identifier 306, an authorizer address 308 and a verifier address 310. The network identifier 306 identifies a host organization network (104, FIG. 1) that is broadcasting the announcer signal 302. The authorizer address 308 is an Internet address or a host organization network address for an authorizer 312. The verifier address 310 is an Internet address or a host organization network address associated with a verifier (110, FIG. 1). (The verifier 110 is not shown in FIG. 3 because the verifier is not a part of the authorization process.)
- It is noted that the authorizer address 308 is given out in the announcer signal 302 before a user has been authorized. This is so that the user can access information about the host organization network 104 and have the opportunity to download network access software if the user hasn't already done so. In this way, a user can walk into a building (or other wireless network coverage area), download the software and start using the network.
- A mobile client 314 includes a controller daemon 316 that continuously or periodically monitors for the announcer signal 302. When the controller daemon 316 detects the announcer signal 302, the controller daemon 316 can determine the network broadcasting the announcer signal 302 and the authorizer 312 to contact to access the network identified by the network identifier 306. In the present example, authorization to access the network is demonstrated by possessing an authorization key 318.
- The mobile client 314 includes a key acquisition module 320 that is configured to request the authorization key 318 from the authorizer 312. Any authorization process known in the art may be used to authorize the mobile client 314. Once the mobile client 314 is authorized, a key transfer module 322 transmits the authorization key 318 to the key acquisition module 320 of the mobile client 314.
- In the present example, the authorization key 318 also includes an expiration time 324 that indicates a time period in which the authorization key 318 is valid. The expiration time 324 may be a time of expiration, a date of expiration, a time period for key validity, etc. Any known method for limiting the time during which the authorization key 318 may be used to access the network may be used. Once the mobile client 314 has obtained a valid authorization key 318, the authorization process is complete.
- Verification
- The verifier handles the tasks related to per-packet verification, accounting and policy enforcement on packet transmissions between the mobile users and the public network. The mobile client uses the verifier as a service gateway for access to the Internet. The verifier checks each data packet received from a mobile client for a valid tag generated by the client's authorization key. In addition, the verifier may keep an account of the number of data packets received from each user so that the information may be used to enforce policies such as quality-of-service level by dropping packets from a user who violates a service agreement.
- Because the tasks of the authorizer and the verifier are separated, multiple verifiers may be deployed to handle large volumes of traffic flow within a wireless subnet. Additionally, verifiers may be replicated to support roaming between different wireless subnets.
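The per-packet verification just outlined, using the tag format of FIG. 6 below (version number, encryption type, key identifier, and a protected portion carrying the token counter and the packet checksum), as an added Python example that is not code from the patent: the verifier keeps the active keys, recomputes the protected portion for the token it expects, drops expired, replayed, out-of-sequence or payload-swapped packets, and keeps the per-key packet count used for policy. Assumptions: the protected portion is an HMAC-SHA256 standing in for the patent's unspecified encryption, the checksum is SHA-256, and all identifiers, secrets, expiry times and payloads are constructed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

TAG_VERSION = 1           # version number 606
ENC_TYPE = "hmac-sha256"  # encryption type 608 (constructed identifier)

@dataclass
class AuthorizationKey:
    key_id: str        # key identifier 610; the secret itself never goes on the wire
    secret: bytes
    expires_at: float  # expiration time 324, in seconds since epoch (constructed)

def packet_checksum(data: bytes) -> bytes:
    """Checksum 616 over the data packet 602; binds the tag to this payload."""
    return hashlib.sha256(data).digest()

def keyed_portion(secret: bytes, token: int, checksum: bytes) -> bytes:
    """Stand-in for the encrypted portion 612: a keyed one-way transform of
    (token 614, checksum 616) under the authorization key. Assumption: HMAC."""
    msg = struct.pack(">Q", token) + checksum
    return hmac.new(secret, msg, hashlib.sha256).digest()

class MobileClient:
    def __init__(self, key: AuthorizationKey, start_token: int):
        self.key = key
        self.token = start_token  # initial token value supplied by the server

    def tag_packet(self, data: bytes) -> dict:
        """Tagging module: attach tag 604 and advance the per-session counter."""
        tag = {
            "version": TAG_VERSION,
            "enc_type": ENC_TYPE,
            "key_id": self.key.key_id,
            "protected": keyed_portion(self.key.secret, self.token,
                                       packet_checksum(data)).hex(),
        }
        self.token += 1
        return {"data": data.hex(), "tag": tag}

class Verifier:
    def __init__(self, window: int = 8):
        self.keys = {}        # key_id -> AuthorizationKey (all active keys)
        self.expected = {}    # key_id -> next token the verifier expects
        self.accounting = {}  # key_id -> accepted packet count (policy input)
        self.window = window  # how far to look when classifying a bad token

    def register(self, key: AuthorizationKey, start_token: int) -> None:
        self.keys[key.key_id] = key
        self.expected[key.key_id] = start_token

    def verify(self, packet: dict, now: float) -> str:
        """Return 'accept' or 'drop:<reason>'; a dropped packet is never
        forwarded and the reason is only for logging."""
        tag = packet["tag"]
        if tag.get("version") != TAG_VERSION or tag.get("enc_type") != ENC_TYPE:
            return "drop:unsupported"
        key = self.keys.get(tag.get("key_id"))
        if key is None:
            return "drop:unknown-key"
        if now >= key.expires_at:
            return "drop:expired"
        checksum = packet_checksum(bytes.fromhex(packet["data"]))
        received = bytes.fromhex(tag["protected"])
        expected = self.expected[key.key_id]
        if hmac.compare_digest(keyed_portion(key.secret, expected, checksum), received):
            self.expected[key.key_id] = expected + 1
            self.accounting[key.key_id] = self.accounting.get(key.key_id, 0) + 1
            return "accept"
        # Mismatch: either the token is out of sequence (replayed or skipped
        # packet) or the payload was swapped under a captured tag.
        for t in range(max(0, expected - self.window), expected + self.window):
            if hmac.compare_digest(keyed_portion(key.secret, t, checksum), received):
                return "drop:replay" if t < expected else "drop:out-of-sequence"
        return "drop:bad-tag"

def run_scenario() -> list:
    # Constructed session: a valid packet, its replay, a payload swap under
    # the same tag, an out-of-order packet, and use after key expiry.
    key = AuthorizationKey("key-0001", b"constructed-secret", expires_at=1000.0)
    client, verifier = MobileClient(key, 1), Verifier()
    verifier.register(key, 1)
    results = []
    p1 = client.tag_packet(b"GET / HTTP/1.0")
    results.append(verifier.verify(p1, now=10.0))       # accept
    results.append(verifier.verify(p1, now=11.0))       # drop:replay
    p2 = client.tag_packet(b"second packet")
    swapped = {"data": b"swapped payload".hex(), "tag": p2["tag"]}
    results.append(verifier.verify(swapped, now=12.0))  # drop:bad-tag
    results.append(verifier.verify(p2, now=13.0))       # accept
    p3, p4 = client.tag_packet(b"third"), client.tag_packet(b"fourth")
    results.append(verifier.verify(p4, now=14.0))       # drop:out-of-sequence
    results.append(verifier.verify(p3, now=15.0))       # accept
    results.append(verifier.verify(p4, now=16.0))       # accept
    results.append(verifier.verify(client.tag_packet(b"late"), now=2000.0))  # drop:expired
    return results
```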
- FIG. 4 is a high level diagram of a process for verifying users requesting access to a network. In the discussion of FIG. 4, continuing reference will be made to the features and reference numerals recited in FIGS. 1 and 3.
- Once the mobile client 314 has obtained a valid authorization key 318, the mobile client 314 is prepared to communicate with the host organization network 104 through a verifier 400. A communications module 402 in the mobile client 314 is configured to use the authorization key 318 to create a tag 404, which is appended—or integrated in some way—to a data packet 406 transmitted from the mobile client 314 to the verifier 400.
- The verifier 400 is configured to verify that each data packet 406 received from the mobile client 314 includes a tag 404 generated by a valid authorization key 318. If the data packet 406 includes a tag 404 generated by a key other than the authorization key 318, the data packet 406 is dropped. Furthermore, in one implementation, if the data packet 406 includes a tag 404 that the verifier determines has expired, the verifier 400 drops the data packet 406.
- Exemplary Extended Announcer Signal
- FIG. 5 is a diagram of an exemplary extended announcer signal 500. The extended announcer signal 500 is similar to the announcer signal 302 shown in FIG. 3 in that it includes a network identifier 502, an authorizer address 504 and a verifier address 506. In addition, the extended announcer signal 500 includes a subnet mask 508 that identifies the particular wireless subnet (FIG. 1; 106, 108) to which a user receiving the announcer signal 500 will be connected. The subnet mask 508 is used primarily in networks having more than one subnet.
- The extended announcer signal 500 includes a website Universal Resource Locator (URL) 510. When a mobile client detects the extended announcer signal 500 and connects to an authorizer identified by the authorizer address 504, the mobile client is granted limited access to the Internet (for purposes of authorization, advertisement, free services, etc.). In the present example, a mobile client connecting to the network identified by the network identifier 502 will be directed to the website URL 510 that identifies the network to the user and directs the user through the authorization process.
- It is noted that the extended announcer signal 500 may contain either the subnet mask 508 or the website URL 510 or both. Furthermore, the extended announcer signal 500 may include other features that enhance a user's experience with the network.
- Exemplary Tagged Data Packet
- FIG. 6 is a diagram of an exemplary tagged data packet 600. The tagged data packet 600 includes a data packet 602 and a tag 604. It is noted that the tag 604 may comprise any data tag generated by a known method that can be used to verify that the tagged data packet 600 was sent by an authorized source. In the present example, the tag 604 includes a version number 606, an encryption type 608, a key identifier 610 and an encrypted portion 612.
- The version number 606 identifies a version of the system software, i.e., the tag generation process, used to create the tagged data packet 600. The version number 606 may be used to implement backward compatibility in the event that the system protocol is revised. In such an event, a system having a later software revision can properly communicate with a system having an earlier version.
- The encryption type 608 identifies the encryption algorithm—such as SSL—used to encrypt the encrypted portion 612 of the tagged data packet 600. This provides more robust security, since more than one encryption type can be used.
- The key identifier 610 identifies the authorization key 318 (FIG. 3) and, as a result, identifies the client using the authorization key 318. It is noted that the authorization key 318 itself is not revealed for security reasons. But a verifier must keep track of valid keys in use in the system. When a tagged data packet is received, the verifier can map the key identifier 610 to an authorized user to verify that the user is authorized to access the network.
- The encrypted portion 612 of the tag 604—in this example—includes a token 614 and a checksum 616. The token 614 is a value initially provided by the server to the mobile client. The server then knows what the token 614 should be when encrypted by the mobile client's authorization key 318. In one implementation, the token 618 is implemented as a counter that identifies a position of the data packet 600 in a sequence of data packets 600 sent from the mobile client to the verifier (e.g., if the data packet is the 256th data packet sent from the client to the verifier in a given session, the token 618 is the value 256). If the verifier receives an out-of-sequence token 618, then the verifier knows there is a security violation.
- The checksum 616 is included for data integrity verification. This prevents an unauthorized user from obtaining the tag 604 and appending the tag 604 to the unauthorized user's own data packet. Since the data packet must hash to a particular checksum value, replacing the data packet will result in a different checksum and will expose a security violation. The use of checksums is well known in the art and any checksum method compatible with the present invention may be used.
- Load Balancing
- FIG. 7 is a diagram of an announcer signal 700 that is configured to provide load balancing over multiple verifiers. The announcer signal 700, as previously discussed, includes a network identifier 702 and an authorizer address 704. However, the announcer signal 700 in this situation also includes a preferred verifier address 706. The preferred verifier address 706 is a network address of a first verifier 708 that is used as described above.
- In the event that the first verifier 708 bears a load at or nearing a load threshold identified for the first verifier 708, the preferred verifier address 706 is changed to identify an address of a second verifier 709. New users connecting to the network are now directed to use the second verifier 709 until the second verifier 709 attains a load at or nearing a load threshold identified for the second verifier 709. When this condition is detected, the preferred verifier address 706 is changed again to identify an address of another verifier 710, and so on until a last verifier 712 is identified as the preferred verifier address 706.
- The switching of the preferred verifier address 706 is circular, so that when the last verifier 712 reaches a load threshold, the announcer signal 700 is once again changed to include a preferred verifier address 706 that identifies the address of the first verifier 708. By the time the first verifier 708 is re-identified by the preferred verifier address 706, enough users will have disconnected from the network so that new users may connect to the first verifier 708 without overloading the first verifier 708.
- Fault Tolerance—Verifier Failure
- Multiple verifiers may also be used to provide fault tolerance in the event of a verifier failure. When a verifier fails, the clients connected to that verifier are re-directed to another verifier. To make this operation seamless, the verifiers must be redundant, i.e., each verifier must contain a set of all active keys in the network.
- FIG. 8 is a diagram of an announcer signal 800 that is configured to provide fault tolerance in the event that a verifier fails. An announcer signal 800 is shown having a network identifier 802 and an authorizer address 804. The announcer signal 800 also includes a preferred verifier address 806 configured in a multiple verifier scheme as outlined above with reference to load balancing. As shown, the preferred verifier address 806 is an address of a first verifier 808. Any number of verifiers may be utilized; therefore, an address of a last verifier 810 is shown as the nth verifier.
- The first verifier 808 is assigned a first backup verifier 812. In the event that the first verifier 808 fails, an address for the first backup verifier 812 is made the preferred verifier address 806. The first backup verifier 812 may be one of the multiple verifiers in the rotation described above, i.e., an active verifier may serve as the backup verifier for another active verifier.
- Each of the verifiers is assigned a backup verifier, e.g., the last verifier 810 is assigned a last backup verifier 814 (designated as the nB verifier). In this way, fault tolerance is accommodated in the event any of the verifiers fail. Upon a verifier failure, no new clients will be directed to use the failed verifier.
- If the failed verifier 808 has one or more mobile clients communicating with it at the time the verifier fails, those mobile clients will receive the new announcer signal 800 that contains the address of the new preferred verifier 806. The mobile clients will immediately re-direct data packet transmissions to the new preferred verifier 806.
- In another implementation, fault tolerance is handled similarly to the manner in which load balancing is described above with regard to FIG. 7. In this implementation, the mobile client determines if and when the preferred verifier 806 fails. This may be accomplished by the use of a time-out mechanism or an acknowledgement mechanism, wherein the mobile client can determine when the preferred verifier 806 is not responding.
- If a verifier failure is detected by the mobile client, then the mobile client re-directs data packets to the verifier address immediately following the verifier address deemed to have failed. In the present example (supposing there are only two verifiers, 808 and 810), if the mobile client detects that verifier 808 is not responding, then the mobile client sends subsequent data packets to the next available verifier (in this case, verifier 810). In this way, the mobile client can continue to operate within the network in the event that a verifier fails.
- FIG. 9 is a flow diagram that depicts a method for tolerating a verifier failure as described in the latter implementation for FIG. 8, above. At block 900, a mobile client transmits tagged data packets to the preferred verifier as previously described. The preferred verifier is the verifier identified by the verifier signal. As long as the preferred verifier is operational, the mobile client continues to send data packets to the preferred verifier (“No” branch, block 902). If the preferred verifier fails (“Yes” branch, block 902), then the mobile client changes the preferred verifier with which it communicates to a backup verifier (block 904).
- The mobile client thereafter transmits tagged data packets to the new preferred verifier at block 906.
- It is noted that this fault tolerance scheme may also be used with the authorizer to protect against the authorizer failing. In such a case, there is at least one backup authorizer that is utilized in the event a primary authorizer fails.
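The circular preferred-verifier rotation of FIG. 7, the backup-verifier switch of FIG. 8 and the client-side fallback of FIG. 9, as an added Python example that is not the patent's code. Assumptions: load is a constructed count of attached clients reported by each verifier, the thresholds, addresses and backup assignments are constructed, and a verifier is marked failed by an external report rather than by any real health check.

```python
from dataclasses import dataclass

@dataclass
class VerifierState:
    address: str      # address placed in the preferred verifier address 706/806
    threshold: int    # load at or above which new users are steered elsewhere
    backup: str       # address of the assigned backup verifier (812/814)
    load: int = 0     # current attached clients (constructed metric)
    failed: bool = False

class Announcer:
    """Builds the announcer signal and rotates the preferred verifier address."""

    def __init__(self, network_id: str, authorizer_addr: str, rotation: list):
        self.network_id = network_id
        self.authorizer_addr = authorizer_addr
        self.rotation = rotation                        # first ... last (nth) verifier
        self.by_addr = {v.address: v for v in rotation}
        self.index = 0                                  # position of the preferred verifier

    def _advance(self) -> None:
        """Circular switch to the next verifier that has not failed."""
        n = len(self.rotation)
        for step in range(1, n + 1):
            candidate = (self.index + step) % n
            if not self.rotation[candidate].failed:
                self.index = candidate
                return
        # Every verifier has failed: index stays and signal() reports no preferred verifier.

    def report_load(self, address: str, load: int) -> None:
        """Load balancing (FIG. 7): at threshold, move new users to the next verifier."""
        v = self.by_addr[address]
        v.load = load
        if self.rotation[self.index] is v and load >= v.threshold:
            self._advance()

    def report_failure(self, address: str) -> None:
        """Fault tolerance (FIG. 8): the failed verifier's backup becomes preferred."""
        v = self.by_addr[address]
        v.failed = True
        if self.rotation[self.index] is not v:
            return                      # no new clients were being sent there anyway
        backup = self.by_addr[v.backup]
        if backup.failed:
            self._advance()             # backup is gone too: fall back to the rotation
        else:
            self.index = self.rotation.index(backup)

    def signal(self) -> dict:
        preferred = self.rotation[self.index]
        return {
            "network_id": self.network_id,
            "authorizer": self.authorizer_addr,
            "preferred_verifier": None if preferred.failed else preferred.address,
        }

def client_failover(verifier_addrs: list, failed_addr: str) -> str:
    """Client-side variant (FIG. 9): after a time-out, send to the verifier
    address immediately following the one that stopped responding."""
    i = verifier_addrs.index(failed_addr)
    return verifier_addrs[(i + 1) % len(verifier_addrs)]
```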
- Roaming
- To accommodate efficiency and mobile connectivity, mobile clients should be able to smoothly transition from one network to another, e.g., from a private network to a public network and vice-versa. In addition, a user who obtains authorization to a network and roams to another subnet in the network should not have to go through the authorization process again if the user is still in possession of a valid authorization key from the network. The following discussion addresses these issues.
- FIG. 10 is a more detailed block diagram of a mobile client 1000 utilized in the implementations described herein. The mobile client 1000 includes a processor 1002, a display 1004, a communications module 1006 and memory 1008. The mobile client 1000 also includes a detector 1010 configured to detect an announcer signal similar to the announcer signal 302 shown in FIG. 3 and the announcer signal 500 shown in FIG. 5.
- The memory 1008 includes an operating system 1012, a web browser 1014 and a controller 1016 similar to the controller daemon described above (316, FIG. 3). The memory also stores an authorization key 1018, a tagging module 1020 and an encryption module 1022, the functions of which have been discussed above. Private network settings 1024 and public network settings 1026 are stored in the memory 1008. The private network settings 1024 are network settings for connecting to and communicating with a private network (not shown), such as a network at a user's employer. The public network settings 1026 are network settings for a public network, such as the host organization network 104 shown in FIG. 1.
- FIG. 11 is a flow diagram depicting a method for accommodating mobile connectivity between networks or between subnets of a network. In the discussion of FIG. 11, continuing reference will be made to the elements and reference numerals recited in the discussion of FIG. 10. For discussion purposes, the following example deals with a mobile client that roams from a private network to a public network, disconnects from the public network, then reconnects to the public network.
- At block 1100, the detector 1010 of the mobile client 1000 detects an announcer signal. The controller 1016 saves private network settings 1024 (block 1102) that are used to connect to and communicate with a private network (not shown). At block 1104, the controller 1016 loads public network settings 1026 that are used by the wireless network associated with the announcer signal. Once the public network settings have been loaded, the mobile client connects with a system authorizer (block 1106) and, if authorized, communicates with the network via a vendor (block 1108).
- At block 1110, the mobile client 1000 disconnects by command from a user or because the detector 1010 no longer detects the announcer signal, indicating that the mobile client 1000 has left the coverage area of the public network. Upon disconnection from the public network, the private network settings 1024 are restored on the mobile client 1000. The mobile client 1000 is then prepared to connect to and communicate with the private network to which the mobile client 1000 was previously connected.
- After some time, the detector 1010 again detects an announcer signal (block 1114). For discussion purposes, it is assumed that the announcer signal is broadcast from the same public network to which the mobile client 1000 was connected previously. The private network settings 1024 are saved at block 1116 and the public network settings 1026 are loaded at block 1118. The mobile client 1000 connects with an authorizer at block 1120.
- Instead of requiring the mobile client 1000 to re-authorize itself, the authorizer determines if the mobile client 1000 possesses an authorization key 1018 that is still valid. If the valid time period for using the authorization key 1018 has expired (“No” branch, block 1122), then the mobile client 1000 must be re-authorized at block 1128. If, however, the authorization key 1018 is still valid (“Yes” branch, block 1122), then the authorization key 1018 may continue to be used. Data packets are tagged at block 1124 and the tagged data packets are sent to a verifier at block 1126.
- The mobile client 1000 can thus roam from the private network to the public network and back with ease, since the network settings are changed automatically. Also, if the mobile client 1000 re-connects to the network before the authorization key 1018 has expired, the user is saved the time and trouble of going through the authorization process again.
- Conclusion
- The above-described methods and systems provide a mechanism for accommodating wireless connectivity when roaming between two networks, or between two subnets of a network. A mobile user can seamlessly transition from a private network to a public network without having to manually configure the user's mobile client. The user may also disconnect and reconnect to the same network without having to go through the authorization process each time the user reconnects to the network. Implementations described herein also provide for balancing loads between multiple verifiers and providing for backup services in the event of a verifier or authorizer failure.
- Although the invention has been described in language specific to structural features and/or methodological steps, it is to be understood that the invention defined in the appended claims is not necessarily limited to the specific features or steps described. Rather, the specific features and steps are disclosed as preferred forms of implementing the claimed invention.
Claims (18)
1. A method for accessing a computer network, comprising:
detecting an announcer signal that identifies a computer network address of an authorizer in the computer network, the authorizer being configured to authorize user access to the computer network;
accessing the authorizer;
receiving authorization from the authorizer to access the computer network; and
accessing the computer network.
2. The method as recited in claim 1, further comprising storing current network settings prior to accessing the computer network.
3. The method as recited in claim 1, further comprising:
storing current network settings prior to accessing the computer network;
terminating access to the computer network; and
restoring the saved network settings as current network settings after terminating access to the computer network.
4. The method as recited in claim 1, wherein the announcement signal further comprises a network identifier signal that identifies the computer network.
5. The method as recited in claim 1, wherein the receiving authorization further comprises receiving an authorization key from the authorizer to create a tag to attach to each of a plurality of data packets transmitted to the computer network.
6. The method as recited in claim 1, wherein the accessing the computer network further comprises attaching a tag created with an authorization key to data packets transmitted to the computer network, the tag allowing the data to be accepted by the computer network.
7. The method as recited in claim 6, wherein a session time is associated with the authorization key and the authorization key is only valid if the session time has not expired.
8. The method as recited in claim 6, further comprising encrypting the authorization key.
9. The method as recited in claim 6, further comprising encrypting at least a portion of the tag.
10. The method as recited in claim 1, wherein:
the announcer signal further identifies a computer network address of a verifier in the computer network that is configured to verify that a communication to the computer network is from a user that has been authorized to access the computer network;
the receiving authorization further comprises receiving an authorization key from the authorizer; and
the accessing the computer network further comprises transmitting key-tagged data packets to the computer network through the verifier.
11. The method as recited in claim 1, wherein the detecting further comprises continuously monitoring to detect the announcement signal.
12. A method, comprising:
detecting a first announcer signal in a first location, the first announcer signal identifying a network, an authorizer on the network and a first verifier on the network;
obtaining an authorization key from the authorizer;
transmitting data packets to the network through the first verifier, each data packet having a tag created with the authorization key included therewith;
detecting a second announcer signal in a second location, the second announcer signal identifying the network and a second verifier on the network; and
transmitting data packets to the network through the second verifier, each data packet having the tag included therewith.
13. The method as recited in claim 12, wherein:
the authorization key includes an indication of a valid time period; and
the data packets are transmitted during the valid time period.
14. The method as recited in claim 12, further comprising encrypting at least a portion of the tag.
15. A system, comprising:
a detector configured to detect and receive a broadcast signal;
a web browser configured to access and communicate with a computer network by transmitting one or more data packets to a verifier on the computer network;
a controller configured to activate the detector to monitor for a broadcast signal from a network, the broadcast signal including a network address for the verifier and a network address for an authorizer that controls access to the computer network;
a tagging module configured to attach a tag created with an authorization key to each of the one or more data packets; and
wherein upon receipt of the broadcast signal, the controller directs the web browser to contact the authorizer to acquire an authorization key that allows the web browser to access the network by transmitting tagged data packets to the verifier.
16. The system as recited in claim 15, further comprising an encryption module configured to encrypt at least a portion of the tag prior to transmitting the key-tagged data packets to the verifier.
17. The system as recited in claim 15, wherein the computer network is a first computer network, the system further comprising:
second network settings associated with a second computer network; and
a network settings module configured to store the second network settings prior to accessing the first computer network.
18. The system as recited in claim 17, wherein:
the web browser is further configured to disconnect from the first computer network; and
the network settings module is further configured to restore the second network settings when the web browser disconnects from the first computer network.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/072,039 US20050149764A1 (en) | 2001-09-21 | 2005-03-04 | Systems and methods for managing network connectivity for mobile users |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/960,258 US8041815B2 (en) | 2001-09-21 | 2001-09-21 | Systems and methods for managing network connectivity for mobile users |
US11/072,039 US20050149764A1 (en) | 2001-09-21 | 2005-03-04 | Systems and methods for managing network connectivity for mobile users |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/960,258 Division US8041815B2 (en) | 2001-09-21 | 2001-09-21 | Systems and methods for managing network connectivity for mobile users |
Publications (1)
Publication Number | Publication Date |
---|---|
US20050149764A1 true US20050149764A1 (en) | 2005-07-07 |
Family
ID=25502992
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/960,258 Active 2029-01-06 US8041815B2 (en) | 2001-09-21 | 2001-09-21 | Systems and methods for managing network connectivity for mobile users |
US11/072,039 Abandoned US20050149764A1 (en) | 2001-09-21 | 2005-03-04 | Systems and methods for managing network connectivity for mobile users |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/960,258 Active 2029-01-06 US8041815B2 (en) | 2001-09-21 | 2001-09-21 | Systems and methods for managing network connectivity for mobile users |
Country Status (1)
Country | Link |
---|---|
US (2) | US8041815B2 (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030091030A1 (en) * | 2001-11-09 | 2003-05-15 | Docomo Communications Laboratories Usa, Inc. | Secure network access method |
GB2437585A (en) * | 2006-04-27 | 2007-10-31 | Nec Technologies | Mobile radio communications device and network connectivity |
US20090157757A1 (en) * | 2005-11-30 | 2009-06-18 | International Business Machines Corporation | Failure tolerant transaction processing system |
US20090327736A1 (en) * | 2003-10-16 | 2009-12-31 | Cisco Technology, Inc. | Insider attack defense for network client validation of network management frames |
US20120047556A1 (en) * | 2004-04-19 | 2012-02-23 | Lumension Security, Inc. | On-line centralization and local authorization of executable files |
US20120218077A1 (en) * | 2002-07-09 | 2012-08-30 | Neology, Inc. | System and method for providing secure identification solutions |
US20130094408A1 (en) * | 2011-10-18 | 2013-04-18 | Mitel Networks Corporation | Seamless interworking of call control between autonomous systems |
US10872478B2 (en) | 2015-09-14 | 2020-12-22 | Neology, Inc. | Embedded on-board diagnostic (OBD) device for a vehicle |
Families Citing this family (28)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6990581B1 (en) | 2000-04-07 | 2006-01-24 | At&T Corp. | Broadband certified mail |
JP3612528B2 (en) * | 2001-10-29 | 2005-01-19 | Necインフロンティア株式会社 | Parameter setting system |
JP3983035B2 (en) * | 2001-11-19 | 2007-09-26 | 富士通株式会社 | User terminal authentication program |
KR100429800B1 (en) * | 2001-12-01 | 2004-05-03 | 삼성전자주식회사 | Data interfacing method and apparatus |
US7483984B1 (en) * | 2001-12-19 | 2009-01-27 | Boingo Wireless, Inc. | Method and apparatus for accessing networks by a mobile device |
AU2003217021A1 (en) * | 2002-03-28 | 2003-10-13 | British Telecommunications Public Limited Company | Method and apparatus for network security |
US7167912B1 (en) * | 2002-08-09 | 2007-01-23 | Cisco Technology, Inc. | Method and apparatus for detecting failures in network components |
US7325134B2 (en) | 2002-10-08 | 2008-01-29 | Koolspan, Inc. | Localized network authentication and security using tamper-resistant keys |
US7853788B2 (en) | 2002-10-08 | 2010-12-14 | Koolspan, Inc. | Localized network authentication and security using tamper-resistant keys |
US7607015B2 (en) * | 2002-10-08 | 2009-10-20 | Koolspan, Inc. | Shared network access using different access keys |
US7698550B2 (en) * | 2002-11-27 | 2010-04-13 | Microsoft Corporation | Native wi-fi architecture for 802.11 networks |
US8098637B1 (en) * | 2003-03-28 | 2012-01-17 | Regents Of The University Of Minnesota | Load balancing in wireless local area networks |
US8571222B1 (en) * | 2003-08-13 | 2013-10-29 | Verizon Corporate Services Group Inc. | System and method for wide area wireless connectivity to the internet |
US7809128B2 (en) * | 2004-10-07 | 2010-10-05 | Genband Us Llc | Methods and systems for per-session traffic rate policing in a media gateway |
US10098132B2 (en) | 2005-02-23 | 2018-10-09 | Coco Communications Corp | Secure, distributed hierarchical convergence network |
US8494458B2 (en) * | 2005-02-23 | 2013-07-23 | Coco Communications Corp. | Secure, distributed hierarchical convergence network |
US7907735B2 (en) | 2007-06-15 | 2011-03-15 | Koolspan, Inc. | System and method of creating and sending broadcast and multicast data |
WO2009147215A2 (en) * | 2008-06-04 | 2009-12-10 | Nokia Siemens Networks Oy | Device management in visited network |
US8819791B2 (en) * | 2009-03-16 | 2014-08-26 | Apple Inc. | Captive network negotiation interface and automation |
JP5182316B2 (en) * | 2010-03-30 | 2013-04-17 | ブラザー工業株式会社 | Wireless communication device |
US8521882B2 (en) * | 2010-09-15 | 2013-08-27 | International Business Machines Corporation | Client/subscriber rotation using select write calls for server resiliency |
US8799454B2 (en) | 2010-12-15 | 2014-08-05 | International Business Machines Corporation | Behavior based client selection for disparate treatment |
US8761101B1 (en) * | 2011-10-13 | 2014-06-24 | Excelfore Corporation | Network based machine-to-machine system for monitoring |
US9418669B2 (en) * | 2012-05-13 | 2016-08-16 | Harry E. Emerson, III | Discovery of music artist and title for syndicated content played by radio stations |
GB2507056A (en) | 2012-10-17 | 2014-04-23 | Ibm | A protected wireless network access point allowing limited access to an affiliated group of mobile stations |
US11055721B2 (en) * | 2013-10-30 | 2021-07-06 | Tencent Technology (Shenzhen) Company Limited | Method, device and system for information verification |
US9949127B1 (en) | 2014-04-21 | 2018-04-17 | Google Llc | Web-based wireless hotspot creation and management |
WO2018125704A1 (en) | 2016-12-27 | 2018-07-05 | Bandwidthx Inc. | Radio management based on user intervention |
Citations (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5519708A (en) * | 1991-06-21 | 1996-05-21 | U.S. Philips Corporation | System for converting synchronous time-division signals into asynchronous time-division data packets |
US5812949A (en) * | 1994-09-28 | 1998-09-22 | Nec Corporation | Method for calling a mobile terminal in a mobile communication system and a device thereof |
US5848233A (en) * | 1996-12-09 | 1998-12-08 | Sun Microsystems, Inc. | Method and apparatus for dynamic packet filter assignment |
US5884024A (en) * | 1996-12-09 | 1999-03-16 | Sun Microsystems, Inc. | Secure DHCP server |
US5922049A (en) * | 1996-12-09 | 1999-07-13 | Sun Microsystems, Inc. | Method for using DHCP and marking to override learned IP addesseses in a network |
US6073016A (en) * | 1997-01-02 | 2000-06-06 | Telxon Corporation | Mobile device ID allocation system and method |
US6163843A (en) * | 1996-10-25 | 2000-12-19 | Kabushiki Kaisha Toshiba | Packet inspection device, mobile computer and packet transfer method in mobile computing with improved mobile computer authenticity check scheme |
US6374108B1 (en) * | 1999-11-30 | 2002-04-16 | Motorola, Inc. | Assigning an IP address to a mobile station while roaming |
US6487406B1 (en) * | 1999-06-16 | 2002-11-26 | Telcordia Technologies, Inc. | PCS-to-mobile IP internetworking |
US6516191B1 (en) * | 1999-11-24 | 2003-02-04 | At&T Corp. | Hypermedia links that address traffic channels in a wireless communication system |
US6671735B1 (en) * | 2000-01-28 | 2003-12-30 | Qualcomm Incorporated | System and method for using an IP address as a wireless unit identifier |
US6731621B1 (en) * | 1998-06-04 | 2004-05-04 | Hitachi, Ltd. | Mobil communication system for providing IP packet communications and method for routing IP packets |
US6742036B1 (en) * | 1997-12-19 | 2004-05-25 | Siemens Aktiengesellschaft | Method for supporting mobility on the internet |
US6763007B1 (en) * | 1998-12-11 | 2004-07-13 | Lucent Technologies Inc. | Two phase local mobility scheme for wireless access to packet based networks |
US6834341B1 (en) * | 2000-02-22 | 2004-12-21 | Microsoft Corporation | Authentication methods and systems for accessing networks, authentication methods and systems for accessing the internet |
US6845094B1 (en) * | 1999-12-16 | 2005-01-18 | Ut Starcom, Inc. | Network address translation based internet protocol mobility |
US6864341B2 (en) * | 2001-11-02 | 2005-03-08 | Bausch & Lomb Incorporated | High refractive index aromatic-based prepolymer precursors |
US6877104B1 (en) * | 1999-03-29 | 2005-04-05 | Nec Infiontia Corporation | Wireless local area network system, fault recovery method, and recording medium stored therein a computer program executing the fault recovery process |
US7185360B1 (en) * | 2000-08-01 | 2007-02-27 | Hereuare Communications, Inc. | System for distributed network authentication and access control |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0656708A1 (en) * | 1993-12-03 | 1995-06-07 | International Business Machines Corporation | System and method for the transmission and validation of an updated encryption key between two users |
- 2001-09-21: US09/960,258 (US8041815B2) filed, status Active
- 2005-03-04: US11/072,039 (US20050149764A1) filed, status Abandoned
Patent Citations (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5519708A (en) * | 1991-06-21 | 1996-05-21 | U.S. Philips Corporation | System for converting synchronous time-division signals into asynchronous time-division data packets |
US5812949A (en) * | 1994-09-28 | 1998-09-22 | Nec Corporation | Method for calling a mobile terminal in a mobile communication system and a device thereof |
US6163843A (en) * | 1996-10-25 | 2000-12-19 | Kabushiki Kaisha Toshiba | Packet inspection device, mobile computer and packet transfer method in mobile computing with improved mobile computer authenticity check scheme |
US5848233A (en) * | 1996-12-09 | 1998-12-08 | Sun Microsystems, Inc. | Method and apparatus for dynamic packet filter assignment |
US5884024A (en) * | 1996-12-09 | 1999-03-16 | Sun Microsystems, Inc. | Secure DHCP server |
US5922049A (en) * | 1996-12-09 | 1999-07-13 | Sun Microsystems, Inc. | Method for using DHCP and marking to override learned IP addesseses in a network |
US6073016A (en) * | 1997-01-02 | 2000-06-06 | Telxon Corporation | Mobile device ID allocation system and method |
US6742036B1 (en) * | 1997-12-19 | 2004-05-25 | Siemens Aktiengesellschaft | Method for supporting mobility on the internet |
US6731621B1 (en) * | 1998-06-04 | 2004-05-04 | Hitachi, Ltd. | Mobil communication system for providing IP packet communications and method for routing IP packets |
US6763007B1 (en) * | 1998-12-11 | 2004-07-13 | Lucent Technologies Inc. | Two phase local mobility scheme for wireless access to packet based networks |
US6877104B1 (en) * | 1999-03-29 | 2005-04-05 | Nec Infiontia Corporation | Wireless local area network system, fault recovery method, and recording medium stored therein a computer program executing the fault recovery process |
US6487406B1 (en) * | 1999-06-16 | 2002-11-26 | Telcordia Technologies, Inc. | PCS-to-mobile IP internetworking |
US6516191B1 (en) * | 1999-11-24 | 2003-02-04 | At&T Corp. | Hypermedia links that address traffic channels in a wireless communication system |
US6374108B1 (en) * | 1999-11-30 | 2002-04-16 | Motorola, Inc. | Assigning an IP address to a mobile station while roaming |
US6845094B1 (en) * | 1999-12-16 | 2005-01-18 | Ut Starcom, Inc. | Network address translation based internet protocol mobility |
US6671735B1 (en) * | 2000-01-28 | 2003-12-30 | Qualcomm Incorporated | System and method for using an IP address as a wireless unit identifier |
US6834341B1 (en) * | 2000-02-22 | 2004-12-21 | Microsoft Corporation | Authentication methods and systems for accessing networks, authentication methods and systems for accessing the internet |
US7185360B1 (en) * | 2000-08-01 | 2007-02-27 | Hereuare Communications, Inc. | System for distributed network authentication and access control |
US6864341B2 (en) * | 2001-11-02 | 2005-03-08 | Bausch & Lomb Incorporated | High refractive index aromatic-based prepolymer precursors |
Cited By (35)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7286671B2 (en) * | 2001-11-09 | 2007-10-23 | Ntt Docomo Inc. | Secure network access method |
US20030091030A1 (en) * | 2001-11-09 | 2003-05-15 | Docomo Communications Laboratories Usa, Inc. | Secure network access method |
US9342719B2 (en) | 2002-04-09 | 2016-05-17 | Neology, Inc. | System and method for providing secure identification solutions |
US10694386B2 (en) | 2002-07-09 | 2020-06-23 | Neology, Inc. | System and method for providing secure identification solutions |
US10706412B2 (en) | 2002-07-09 | 2020-07-07 | Neology, Inc. | System and methods for providing secure transactional solutions |
US11188898B2 (en) | 2002-07-09 | 2021-11-30 | Neology, Inc. | System and method for providing secure identification solutions |
US9558385B2 (en) | 2002-07-09 | 2017-01-31 | Neology, Inc. | System and method for providing secure identification solutions |
US10867297B2 (en) | 2002-07-09 | 2020-12-15 | Neology, Inc. | System and method for providing secure transactional solutions |
US20120218077A1 (en) * | 2002-07-09 | 2012-08-30 | Neology, Inc. | System and method for providing secure identification solutions |
US20200356988A1 (en) * | 2002-07-09 | 2020-11-12 | Neology, Inc. | System and methods for providing secure transactional solutions |
US10762187B2 (en) | 2002-07-09 | 2020-09-01 | Neology, Inc. | System and method for providing secure transactional solutions |
US10726414B2 (en) | 2002-07-09 | 2020-07-28 | Neology, Inc. | System and methods for providing secure transactional solutions |
US10719824B2 (en) | 2002-07-09 | 2020-07-21 | Neology, Inc | System and method for providing secure transactional solutions |
US8766772B2 (en) | 2002-07-09 | 2014-07-01 | Neology, Inc. | System and method for providing secure transactional solutions |
US8847763B2 (en) | 2002-07-09 | 2014-09-30 | Neology, Inc. | System and method for providing secure identification solutions |
US8933807B2 (en) | 2002-07-09 | 2015-01-13 | Neology, Inc. | System and method for providing secure transactional solutions |
US10445719B2 (en) | 2002-07-09 | 2019-10-15 | Neology, Inc. | System and method for providing secure identification solutions |
US11663574B2 (en) | 2002-07-09 | 2023-05-30 | Neology, Inc. | System and method for providing secure identification solutions |
US10970716B2 (en) | 2002-07-09 | 2021-04-06 | Neology, Inc. | System and method for providing secure identification solutions |
US8325044B2 (en) * | 2002-07-09 | 2012-12-04 | Neology, Inc. | System and method for providing secure identification solutions |
US9922217B2 (en) | 2002-07-09 | 2018-03-20 | Neology, Inc. | System and method for providing secure identification solutions |
US10061949B2 (en) | 2002-07-09 | 2018-08-28 | Neology, Inc. | System and method for providing secure identification solutions |
US10235513B2 (en) | 2002-07-09 | 2019-03-19 | Neology, Inc. | System and method for providing secure identification solutions |
US20090327736A1 (en) * | 2003-10-16 | 2009-12-31 | Cisco Technology, Inc. | Insider attack defense for network client validation of network management frames |
US7882349B2 (en) * | 2003-10-16 | 2011-02-01 | Cisco Technology, Inc. | Insider attack defense for network client validation of network management frames |
US8474011B2 (en) * | 2004-04-19 | 2013-06-25 | Lumension Security, Inc. | On-line centralized and local authorization of executable files |
US20120047556A1 (en) * | 2004-04-19 | 2012-02-23 | Lumension Security, Inc. | On-line centralization and local authorization of executable files |
US8935224B2 (en) | 2005-11-30 | 2015-01-13 | International Business Machines Corporation | Failure tolerant transaction processing system |
TWI416901B (en) * | 2005-11-30 | 2013-11-21 | Ibm | Failure tolerant transaction processing system |
US8166007B2 (en) * | 2005-11-30 | 2012-04-24 | International Business Machines Corporation | Failure tolerant transaction processing system |
US20090157757A1 (en) * | 2005-11-30 | 2009-06-18 | International Business Machines Corporation | Failure tolerant transaction processing system |
GB2437585A (en) * | 2006-04-27 | 2007-10-31 | Nec Technologies | Mobile radio communications device and network connectivity |
US20130094408A1 (en) * | 2011-10-18 | 2013-04-18 | Mitel Networks Corporation | Seamless interworking of call control between autonomous systems |
US9674349B2 (en) * | 2011-10-18 | 2017-06-06 | Mitel Networks Corporation | Seamless interworking of call control between autonomous systems |
US10872478B2 (en) | 2015-09-14 | 2020-12-22 | Neology, Inc. | Embedded on-board diagnostic (OBD) device for a vehicle |
Also Published As
Publication number | Publication date |
---|---|
US20030061363A1 (en) | 2003-03-27 |
US8041815B2 (en) | 2011-10-18 |
Similar Documents
Publication | Title |
---|---|
US8041815B2 (en) | Systems and methods for managing network connectivity for mobile users |
US7886149B2 (en) | Method and apparatus for assigning network addresses based on connection authentication |
US8713641B1 (en) | Systems and methods for authorizing, authenticating and accounting users having transparent computer access to a network using a gateway device |
CA2421665C (en) | Wireless provisioning device |
US7606242B2 (en) | Managed roaming for WLANS |
US5944794A (en) | User identification data management scheme for networking computer systems using wide area network |
US7743158B2 (en) | Access network dynamic firewall |
US7958352B2 (en) | Method and system for verifying and updating the configuration of an access device during authentication |
US7287271B1 (en) | System and method for enabling secure access to services in a computer network |
US8484695B2 (en) | System and method for providing access control |
JP3869392B2 (en) | User authentication method in public wireless LAN service system and recording medium storing program for causing computer to execute the method |
US7257636B2 (en) | Inter-working method of wireless internet networks (gateways) |
US5822434A (en) | Scheme to allow two computers on a network to upgrade from a non-secured to a secured session |
JP5813790B2 (en) | Method and system for providing distributed wireless network services |
AU2001280975B2 (en) | Systems and methods for authenticating a user to a web server |
US7587751B2 (en) | Method and apparatus for automatically re-validating multiple clients of an authentication system |
US7568092B1 (en) | Security policy enforcing DHCP server appliance |
EP1641210A1 (en) | Configuration information distribution apparatus and configuration information reception program |
US20020042883A1 (en) | Method and system for controlling access by clients to servers over an internet protocol network |
JP2004505383A (en) | System for distributed network authentication and access control |
CA2228687A1 (en) | Secured virtual private networks |
US8751647B1 (en) | Method and apparatus for network login authorization |
US20030226037A1 (en) | Authorization negotiation in multi-domain environment |
KR20070009490A (en) | System and method for authenticating a user based on the internet protocol address |
KR100454687B1 (en) | A method for inter-working of the aaa server and separated accounting server based on diameter |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
| AS | Assignment | Owner name: MICROSOFT TECHNOLOGY LICENSING, LLC, WASHINGTON; Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MICROSOFT CORPORATION;REEL/FRAME:034766/0001; Effective date: 20141014 |