DE60215978T2 - Method and device for access control of a mobile terminal in a communication network - Google Patents

Description

The The present invention relates to a method and an apparatus for access control of a wireless terminal to a communication network, and in particular, though not necessarily, for sending Data packets of a wireless terminal with controlled access to a wireless local area network.

State of technology

One A wireless local area network typically includes a network that includes terminals, like wireless devices or portable computers or access points, wherein the data transfer between the terminals and the access points partly or totally wirelessly using Radio waves or infrared technology is executed.

The Structure of telecommunication networks is generally in use of the OSI model (Open System Interconnection) explains that defines the interfaces, via the different devices and the associated Software communicate with each other. The OSI model is based on a shift concept founded, the lowest or first layer being known as a physical layer is that spans all logical, electrical and mechanical issues, which data transmission affect. The second protocol layer, i. the link layer, is for Connection setup, error correction and disconnection responsible. The third protocol layer, i. the network layer, does not look dependent on the network structure data transfer in front. The following layers are the transport layer (fourth layer), Session layer (fifth layer), Presentation layer (sixth layer) and application layer (seventh layer) Layer).

in the OWLAN system (Operator Wireless Local Area Network) find authentication and access control currently on the third layer of the OSI model instead of, i. the network layer or IP layer, and WLAN mapping between the terminal and the access point is running without authentication. One Access point is a physical device, such as a base station, which connects a wireless network and a wired network. In Open System Authentication, the allocation event includes no actual Authentication, however, is the Open System Authentication, the was executed before the assignment, nonexistent authentication. After the assignment is the terminal typically after the assignment event using an IP-based DHCP (Dynamic Host Configuration Protocol) with an IP address. The Authentication is then performed by running an IP-based authentication protocol carried out. Although the authentication protocol also uses protocol layers over the IP layer is used, authentication in this case as Authentication of the third protocol layer called because Access control typically on the third protocol layer is implemented. The operator wireless LAN solution includes the network Access Authentication Protocol (NAAP), which is a protocol of the third protocol layer for authenticating the wireless terminal using the GSM Subscriber Identity Module is. Another example of an authentication protocol The third protocol layer is solutions based on hypertext Transfer Protocol (http), where authentication is using a page of the World Wide Web (WWW) is used on which the user enter the credentials. Another example for a The third protocol layer authentication protocol is the Key Exchange Internet Protocol (IKE; Internet Key Exchange) when connecting to a virtual, private network is used. In all these examples the wireless device, run the third protocol layer authentication protocol before it can get access to the resources for which access control is enforced.

The Standardization provides a framework for hardware and software manufacturers made possible with it is to use products from different manufacturers side by side. The title of the WLAN standard is IEEE 802.11 and has been changed to and supplemented by a number of subordinate standards. According to the coming IEEE 802.11i standard the WLAN authentication according to a Authentication method of the second protocol layer, such as an IEEE 802.1x protocol, before transferring IP packets between the terminal and the network.

The first router in the OWLAN system, ie the edge router located between the communication network and the wireless terminal connected to the wireless local area network, serves as the other side of authentication in the OWLAN according to the third protocol layer , ie Open System Authentication, runs and maintains an access control list (ACL) of authenticated terminals. The IEEE is currently standardizing a new WLAN authentication system that performs authentication against the access point. If the access network handles only the new WLAN authentication system, then the current OWLAN system, such as Nokia Operator Wireless LAN Release 1.0, can not be used because the client is not allowed to execute the third protocol layer authentication protocol without first following IEEE To authenticate 802.1x. Since some Be Users will acquire new terminals while others have old terminals, there will be "old" terminals that can access the network using the third protocol layer authentication method, and "new" terminals using the IEEE 802.1x authentication method Standard access to the network. In addition, there will be networks that include access points that only operate in accordance with the IEEE 802.1x standard, and other access points that only work as part of an OWLAN system. A problem addressed in the standardization of current systems is the incompatibility of the current open system and the future authentication methods of the second protocol layer, ie the current terminals can not access networks according to the IEEE 802.1x standard, and the future terminals according to the IEEE 802.1x standard can not access the current open system networks.

The publication WO 01/41470 presents a method and an apparatus for enabling that a mobile station in a wireless network is network authentication in connection with mobile packet data services. at this solution is always a CHAP (Challenge Handshake Authentication Protocol) before a possible Use of authentication protocols according to Mobile-IP. With others In other words, there is a requirement that every mobile terminal used by can be authenticated to the wireless network, must support CHAP.

Summary the invention

It Now, a method and apparatus has been invented to enable that a wireless terminal either by using authentication of the third protocol layer, such as Open System Authentication, or authentication of the second protocol layer, such as in accordance with the IEEE 802.1x protocol on Network accesses. An access point of the invention allows both Open System Authentication, where the terminal is at a later stage according to the third protocol layer authenticated, as well as authentication of the second protocol layer, such as IEEE 802.1x authentication. Using the invention can certain network elements of the WLAN both the new IEEE 802.1x authentication the second layer as well as the current authentication of the third layer backward compatible support.

at the current Nokia Operator Wireless LAN solution is the access control for maintaining an access control list and performing a Authentication protocol of the third protocol layer responsible. In In the present invention, these functions are logical Access control function and an authentication agent function to run an authentication protocol of the third protocol layer divided up. The network is organized so that at least a part the packets of terminals go through the network element, which is the logical access control function contains. The authentication agent function refers to the authentication protocol implementation the third layer, like the NAAP protocol, the HTTP (Hypertext Transfer Protocol) Authentication Protocol or Key Exchange (IKE) Protocol implementation. The access control function and the Authentication agent function are not necessarily in the same physical network element implemented, but it is possible to use the Access control function instead in the access point device or a other device to implement.

If the authentication of the third protocol layer is used, then the authentication agent acts as the authenticator unit, which executes the authentication protocol of the third protocol layer, such as at the current Nokia Operator Wireless LAN solution. A successful authentication has the result that the terminal of the access control list added becomes. If the access control feature is located in a device, which is disconnected from the authentication agent, then sends the Authentication agent the information of the terminal to the Network element containing the access control function. One Authenticator is a device that provides network access authentication to the device terminal by working as a partner unit in the authentication protocol facilitated between the terminal and the authenticator. An authentication server is a unit that is an authenticator provides an authentication service. This service is determined that of the applicant, i. the terminal, provided credentials, whether the applicant is entitled to access the services, the provided by the authenticator. If authentication of the second protocol layer accomplished then, the access point will first work as specified in the IEEE standards and as an athletic unit. In addition, the access point updates after successful authentication the access control list such that the packets of the clients are on the second protocol layer have been authenticated, also forwarded. If the Access control function is located in a device that is separate from the access point is, then the access point sends the information of the terminal to the Network element containing the access control function.

The invention provides a solution that enables both a wireless local area network system, such as the Nokia Operator Wireless LAN the second protocol layer authentication standard, ie layer 2, such as an IEEE 802.1x authentication standard, as well as the current authentication standard based on the third protocol layer, ie layer 3.

If Open System Authentication is used, the system works much like the current Nokia Operator Wireless LAN system in which the terminal and the Authentication agent involved in authentication Pages are. The authentication agent forwards information regarding the Authentication between the terminal and the authentication server and is for updating the list of authenticated users regardless of which network element the list maintains.

If Authentication according to the second protocol layer accomplished which is how the IEEE 802.1x authentication works the access point according to the IEEE 802.1x standard, where it serves as the authenticating site and Information regarding authentication between the terminal and the authentication server forwards. In addition, the access control list will after a successful Authentication updated, for example by the access point or the authentication server to make it the network element that the Contains access control function, to allow, too Packages of terminals forward according to the second Protocol layer are authenticated.

Regarding terminals that use the authentication of the second protocol layer, In the implementation according to the invention, the interface is the between the terminal and the network, in full compliance with the standard. The invention also makes no new demands to terminals, which use the authentication of the third protocol layer.

To belongs to the advantages of the invention the compatibility with the current open system where authentication is on the third protocol layer is executed, and with a system where authentication is performed on the second protocol layer, for example, according to the IEEE 802.1x standard. Regardless of the authentication method, the network element is which contains the access control function, is capable of and execute billing routines, the the transfer of data packets. Furthermore, the devices are able to comply with the new standard, in a network according to the current open system standard to work.

According to a first aspect of the invention, there is provided a method for access control of a wireless terminal in a communication network, the communication network comprising an access point for establishing a communication connection with the wireless terminal, an authentication server for providing an authentication service for the wireless terminal for authentication for the communication network Authentication agents for relaying authentication information between the wireless terminal and the authentication server and an access controller for forwarding data packets from authenticated wireless terminals and blocking data packets from unauthenticated wireless terminals, an access control function comprising an access control list comprising a list of authenticated wireless terminals , wherein the wireless terminal is configured to perform any of the following authentication A first authentication method in which the access point forwards authentication information between the wireless terminal and the authentication server, a second authentication method in which the authentication agent forwards authentication information between the wireless terminal and the authentication server, wherein the A method characterized in that it comprises the steps of: identifying at the access point whether the wireless terminal is using the first authentication method or the second authentication method, performing the following steps when the wireless terminal authenticates using the first authentication method: forwarding authentication information between the wireless Terminal and the authentication server through the access point, sending identification data of the d in response to successful authentication to the access control list by the access point and adding the wireless terminal to the access control list and forwarding data packets of the wireless terminal included in the access control list by the access controller, and performing the following steps when using the wireless terminal the authentication method of the second authentication method: forwarding authentication information between the wireless terminal and the authentication agent by the access point, forwarding authentication information between the wireless terminal and the authentication server by the authentication agent, transmitting the authentication data of the wireless terminal in response to successful authentication to the access control list by the authentication agent and adding the identification data of the wireless terminal to the access control list and forwarding data packets of the recorded in the access control list, wireless terminal through the access control.

According to one second aspect of the invention is an access point for building the Establishing a communication connection with a wireless terminal in one Communication network provided, the communication network comprising: an authentication server for providing an authentication service for the wireless terminal for Authentication for the communication network, an authentication agent for forwarding Authentication information between the wireless terminal and the Authentication server and access control for forwarding Data packets from authenticated wireless terminals and Block data packets from unauthenticated wireless Data packets, wherein an access control function is an access control list which is a list of authenticated wireless terminals, the access point being characterized by having thereto is configured to accept that the wireless terminal of a The following authentication method is used to sign up for the communication network to authenticate: a first authentication method the access point for forwarding authentication information between the wireless device and the authentication server is configured, a second authentication method, where the authentication agent is to forward authentication information between the wireless terminal and an authentication agent, wherein the Access point comprises: identifying means for identifying, whether the wireless terminal the first authentication method or the second authentication method uses first forwarding means for forwarding authentication information between the wireless device and the authentication server in response to a situation in which it has been identified that the wireless terminal is the first one Authentication method has used first transmission means for sending identification data of the wireless terminal in response to a successful Authentication of the wireless terminal according to the first authentication method to the access control list, second forwarding means for forwarding of authentication information between the wireless terminal and the Authentication agent in response to a situation in which it has been identified that the wireless terminal is the second authentication method and second transmitting means for transmitting identification data of the wireless terminal in response to successful authentication of the wireless terminal according to the second Authentication procedure to the access control list.

According to a third aspect of the invention, there is provided a system for controlling access of a wireless terminal in a communication network, the communication network comprising: an access point for establishing a communication connection with the wireless terminal, an authentication server for providing an authentication service for the wireless terminal for authentication for the communication network, an authentication agent for relaying authentication information between the wireless terminal and the authentication server and an access controller for forwarding data packets from authenticated wireless terminals and blocking data packets from unauthenticated wireless data packets, wherein an access control function comprises an access control list comprising a list of authenticated wireless ones Terminal devices, wherein the wireless terminal is configured to be one of the following A first authentication method in which the access point forwards authentication information between the wireless terminal and the authentication server, a second authentication method in which the authentication agent forwards authentication information between the wireless terminal and the authentication server, wherein the A system characterized in that it comprises: identification means for identifying at the access point whether the wireless terminal is using the first authentication method or the second authentication method, first forwarding means for forwarding at the access point authentication information of the first authentication method between the wireless terminal and the authentication server, second routing means for forwarding at the access point of authentication information of the second authentication method between the wireless terminal and the authentication agent, third forwarding means at the authentication agent for relaying authentication information of the second authentication method between the access point and the authentication server, first transmission means for transmitting the access point of identification data of the wireless terminal in response to successful authentication of the wireless terminal according to first authentication method to the access control list, second transmission means for sending by the authentication agent the identification data of the wireless terminal in response to a successful authentication of the wireless terminal according to the second authentication method to the access control list and forwarding means to the access control function for forwarding data packets of the wireless terminal included in the access control list.

in the The invention will now be described with reference to the accompanying drawings Drawings described in more detail.

It demonstrate:

1 a flowchart illustrating a method according to an embodiment of the invention;

2 a device according to an embodiment of the invention;

3 the current Nokia Operator WLAN system;

4 a system according to the IEEE 802.1x protocol;

5 a system according to an embodiment of the invention;

6 a flowchart of a method according to an alternative embodiment of the invention;

7 an access point according to an alternative embodiment of the invention; and

8th a system according to an alternative embodiment of the invention.

1 shows a flowchart of a method according to an embodiment of the invention. At step 101 An access point and a terminal, such as a wireless communication device, establish a connection and associate with each other. Upon initiation of the access point, the routine then checks to see if authentication according to the second protocol layer (step 102 ) or Open System Authentication (step 103 ) is affected. This check is performed on the access point based on authentication and allocation messages, as explained below. In a WLAN system according to the IEEE 802.11 standard, when using Open System Authentication, the terminal sends an authentication request message to the access point indicating Open System Authentication. The access point responds with an authentication response message. The exchange of these initial authentication messages actually does not authenticate the terminal, but their function is void; hence the name Open System Authentication. Such Open System Authentication is also possible in WLAN systems according to the IEEE 802.11i standard. In a WLAN system according to the IEEE 802.11i standard, when the terminal uses the 802.1x authentication method, there are no initial authentication request and response messages, but the terminal first assigns the access point to the access point by sending an association request message. The request includes a request for authentication using the authentication method according to the IEEE 802.1x standard. Thus, the access point identifies the authentication method that the terminal uses based on the authentication and allocation messages. When the terminal uses the Open System Authentication method, the terminal receives an IP address from, for example, a DHCP server located at the access point, authentication agent or elsewhere in the network ( 104 ), according to which an IP-based authentication protocol according to the third protocol layer is executed ( 105 ). IP layer authentication is performed between the terminal and the authentication agent. After a successful IP layer authentication, the authenticated terminal is included in an access control list maintained in the network element containing the access control function (step 106 and 107 ). This allows the access control to forward data packets of the terminal. If the access control function is located in the authentication agent, then the authentication agent is able to update the access control list independently by internally transmitting the terminal's identification data to the access control function. If the access control function is located in another network element, then the authentication agent can update the access control list by sending a message to the network element containing the access control function. For example, this message can be sent over the IP protocol using the User Datagram Protocol (UDP). The message contains at least the authentication data of the authenticated terminal, such as an IP address of the terminal, which must be updated in the access control list.

If the terminal is authenticated according to the second protocol layer, IEEE 802.1x protocol authentication (step 102 ) is first executed between the terminal and the access point (step 108 ). After a successful authentication according to the IEEE 802.1x protocol, the terminal receives an IP address, for example from the DHCP server, which may be located, for example, at the access point or at the authentication agent or elsewhere in the network (step 109 ), and the access point transmits information about the event to the access controller function ( 106 ). If the access point contains the access control function, then the access point independently updates the access control list by internally transmitting the information of the terminal to the access control function. If the access control function is located in another network element, then the access point updates the access control list by sending a message to the network element containing the access control function. For example, this message can be sent over the IP protocol using the User Datagram Protocol (UDP). The message contains at least the identification data of the authenticated terminal, such as an IP address or a MAC address of the terminal, which must be updated in the access control list. The access control function then adds the information, such as the IP address or MAC address of the authenticated terminal, to the list it maintains (step 107 ). This allows the access control function to forward data packets of the terminal (step 110 ).

Also if the access control function of the authenticator unit, such as the access point or the authentication agent, is separate, the authenticator unit of the access control does not necessarily have to express Send information for a successful authentication when the Access control is able to reason otherwise, for example follows. In conjunction with authentication, the authenticator unit communicates typically with the authentication server that continues located within the network. The communication usually takes place Use of a so-called AAA protocol (Authentication, Authorization, Accounting), such as the RADIUS (Remote Authentication Dial In User Service) or the DIAMETER protocol. If the access control function as RADIUS proxy server works and AAA log messages between the authenticator unit and the authentication server receives the access control function already by examining the RADIUS news information about one successful authentication. A problem here in the case of IEEE 802.1x authentication arises is that access control the IP address of the terminal, the at the time the authentication is done, not yet is known for the list she maintains needed. However, if the access control function is the DHCP server, IP addresses distributed after 802.1x authentication, the List this by combining at the access control function of information about the successful authentication, the resulting MAC address of the terminal and the successful execution of the DHCP protocol, resulting in an IP address which corresponds to the MAC address.

2 shows an access point 200 an embodiment of the invention. The access point 200 includes a processor 201 and a memory 202 to execute the relevant operations and at least one application 203 for performing eg identifying an authentication method. The access point 200 further comprises an interface for connecting to the router, to servers such as an access control or an authentication server. The access point further comprises identification means 207 for identifying whether the terminal is using the first or second authentication method. Preferably, the access point identifies the authentication method by receiving a message from the terminal, the message indicating the authentication method the terminal is using. When the terminal employs the open system authentication method, the message is preferably an authentication request message according to the IEEE 802.11 standard, the authentication request message indicating Open System Authentication. When the terminal employs the IEEE 802.1x authentication method, the message is an association request message, preferably in accordance with the IEEE 802.11i standard. The association request message includes an authentication suite element that displays IEEE 802.1x authentication. The access point further comprises transmitting means for transmitting the authentication data of the authenticated terminal to the access control list when the terminal uses the authentication method in which the access point forwards authentication information between the terminal and the authentication server. The access point further comprises forwarding means 206 for forwarding authentication information between the terminal and one of the following: the authentication server when the terminal uses the first authentication method and the authentication agent when the terminal uses the second authentication method. If the logical access control function is included in the access point, the access point further comprises access control means 208 for forwarding data packets from authenticated terminals and blocking data packets from unauthenticated terminals.

A terminal using the open-system authentication method receives an IP address for use by the DHCP server, which may be located at the authentication agent or alternatively at the access point or elsewhere in the network. The access point 200 forwards authentication messages between the terminal and the authentication agent acting as the authenticator unit and using the terminal the IP-based authentication method of the third protocol layer authenticated. The authentication agent typically uses the authentication service provided by the authentication server by further forwarding the authentication information between the terminal and the authentication server that verifies the authentication information. After authentication, the authentication agent sends information about a successful authentication and the terminal's identification data, such as the terminal's IP address or MAC address, to the access controller, which issues it to the access control list 204 adds and begins to forward the data packets of the terminal.

When a terminal uses the IEEE 802.1x protocol for authentication, the access point operates as an authenticator unit and authenticates the terminal using the IEEE 802.1x protocol of the second protocol layer. The authentication agent typically uses the authentication service provided by the authentication server by forwarding the authentication information between the terminal and the authentication server that verifies the authentication information. The authentication agent sends information about a successful authentication and the terminal's identification data, such as the IP address or MAC address of the terminal, to the access controller, which will give it the access control list 204 adds and begins to forward the data packets of the terminal.

3 shows the current Nokia Operator WLAN system. The system includes a wireless terminal 303 such as a WLAN terminal configured to use Open System Authentication for its authentication to the network, an access point 301 for providing a wireless connection from the communication device 303 to the network, an access control 302 for forwarding authentication information between the terminal 303 and an authentication server 307 for maintaining an access control list 309 of authenticated terminals (eg terminal 303 ) and for forwarding data packets of the authenticated terminals that are in the list 309 are included. The system further includes the authentication server 307 for providing an authentication service for an authenticator, such as the access point 301 by determining whether the terminal is authorized to access the services provided by the access point. The system may further include servers, such as a DHCP server 305 , to provide the terminal with an IP address when Open System Authentication is used, an accounting server 306 for billing the amount of data transmitted to and from the terminal and a router 308 for routing data packets of the terminal.

When authentication of the wireless terminal according to the third protocol layer is performed, such as Open System Authentication. itself the terminal 303 the access point 301 to. At this point no authentication takes place. For example, an IP address is obtained using the DHCP server for the terminal 303 created. Then follows the actual authentication of the third protocol layer. In one embodiment of the OWLAN system, the communication device sends 303 For example, a paging message for calling an authentication server 307 where the message is from the authentication server 307 is answered. Based on the answer message, the terminal experiences 303 in that the network in question has IP-based authentication of the third protocol layer between the terminal 303 and access control 302 requires. The access control 302 exchanges authentication messages with the authentication server 307 out. For example, in SIM authentication, the International Mobile Subscriber Identification (IMSI) is sent to the authentication server 307 transfer. The access control 302 communicates with the authentication server 307 using an AAA (Authentication, Authorization, Accounting) protocol, such as the Remote Authentication Dial In User Service (RADIUS) protocol or the DIAMETER protocol.

The authentication server 307 receives GSM challenges (GSM challenge is a parameter, ie a 128-bit random number used in GSM authentication) and sends the challenges to the access controller using the AAA protocol 302 They also use the authentication protocol NAAP of the third protocol layer to the terminal 303 forwards. The terminal 303 then calculates a response value corresponding to the issued challenge using a secret key stored in the SIM card. The response value is a 32-bit number, and the terminal sends the response with the authentication protocol of the third protocol layer to the access controller 302 , The access control 302 Forwards the information to the authentication server using the AAA protocol 307 further. The authentication server 307 verifies the answer by checking whether the terminal has calculated a correct answer value or not. If the received response is correct, the authentication server sends 307 with the AAA protocol an indication of successful authentication to the access control 302 indicating the authentication protocol of the third protocol layer to the terminal 303 forwards. After authentication, the identification data of the terminal 303 through the access control 302 in the Access control list 309 added. The access control 302 transmits only data packets of the communication device, its identification data, such as an IP or MAC address, in the list 309 can be found.

4 shows a system according to the IEEE 802.1x protocol. The system includes a wireless terminal 404 such as a WLAN terminal configured to use the authentication method according to the IEEE 802.1x protocol for its authentication for the network, an access point 401 for establishing a communication connection to the terminal 404 and for forwarding authentication information between the terminal 404 and an authentication server 402 , The system further includes the authentication server 402 for providing an authentication service for an authenticator, such as the access point 401 by determining if the terminal 404 authorized to access the services provided by the access point and an accounting server 405 for billing the amount of data transmitted to and from the terminal. The system further includes one or more routers 403 for routing data packets of the terminal 404 ,

The authenticator unit, such as the access point 401 typically communicates with the authentication server using an AAA protocol (Authentication, Authorization, Accounting) 402 , similar to the one above 3 described Nokia operator wireless LAN solution. When the terminal is successfully authenticated, the access point routes data packets between the terminal 404 and the router 403 further.

5 shows a system according to an embodiment of the invention. In the following, the invention is exemplified in an environment comprising a wireless terminal 303 such as a WLAN terminal that can authenticate using the authentication method of the third protocol layer, such as Open System Authentication, and a WLAN terminal 404 which can authenticate using the authentication method according to the IEEE 802.11i standard, such as a wireless WLAN terminal using the IEEE 802.11i standard. The terminals are capable of establishing a connection to a communications network having an access point 501 for providing a wireless connection from the communication device 303 . 404 to the network and to forward authentication information between the terminal 404 and an authentication server 505 includes. The access point includes a logical access control function 502 for forwarding data packets of the authenticated terminal and blocking data packets from unauthenticated terminals, and a list 503 authenticated terminals. The access control function 502 and the list 503 Alternatively, for example, in an authentication agent 504 , Router 508 or elsewhere in the network. The system further includes an authentication agent 504 for forwarding authentication information between the terminal 303 and the authentication server 505 , The system further includes servers, such as a DHCP server 506 for providing an IP address for the terminal 303 , an accounting server 507 for billing the amount of data transmitted to and from the terminal and an authentication server 505 for providing an authentication service for an authenticator. The authenticator is one of the following: the access point 501 and the authentication agent 504 , The authentication server 505 determines whether the terminal is authorized to access the services provided by the authenticator. The system also includes one or more routers 506 for routing data packets of the terminals 303 . 404 ,

The access point 501 sends messages, such as IEEE 802.11i or IEEE 802.11 beacon messages, to the environment of the access point. The beacon message may comprise an authentication suite element further comprising information about the authentication method that the access point can handle, eg the authentication method according to the IEEE 802.11i standard. A wireless device 404 that implements the IEEE 802.11i standard, will recognize that the access point supports the IEEE 802.1x authentication protocol. A wireless device 303 that does not implement the IEEE 802.11i standard does not process the authentication suite item, but interprets the beacon message in accordance with the IEEE 802.11 standard, thereby recognizing that the access point supports Open System mappings. The terminal 303 . 404 receives the from the access point 501 sent beacon message. The terminal 303 . 4040 can receive multiple beacon messages from multiple access points that are within range of the end device. As an alternative to beacon messages, the terminal can 303 . 404 also locate local access points by sending messages, such as an IEEE 802.11i standard or IEEE 802.11 standard sample request message, to all access points within the range of the terminal. If the access point 501 receives the probe request message, sends the terminal 303 . 404 in response to the probe request, a message such as a probe response message according to the IEEE 802.11i or IEEE 802.11 standard. The probe response message to the terminal 404 is according to the IEEE 802 .1i standard and includes the authentication suite element comprising information of the authentication method. The probe response message to the terminal 303 can be sent in accordance with the IEEE 802.11 standard and therefore does not need to contain the authentication suite element. The terminal 303 . 404 receives the probe response message from the access point 501 , The terminal 303 . 404 can receive multiple probe response messages from multiple access points that are within range of the end device.

After discovering suitable local access points based on beacon messages or probe messages, the terminal selects 303 . 404 the access point that supports the authentication method that the terminal uses. The terminal 404 , which supports the IEEE 802.11i standard and wishes to use the IEEE 802.1x authentication method, adds the authentication suite element to the message, such as an IEEE 802.11i assignment request message. The terminal 303 who wishes to use Open System Authentication, begins the Open Authentication by sending an authentication request message to which the access point 501 respond with an authentication response message indicating success. The Open Authentication follows the assignment. The terminal 303 does not include an authentication suite element in the assignment messages it sends. Then the terminal sends 303 . 404 the association request message to the access point. Based on the authentication or assignment request message, the access point identifies 501 the authentication method that the terminal 303 . 404 used.

When authentication of the wireless communication device according to the third protocol layer is performed, the communication device is arranged 303 the access point 501 to, at which point no authentication is performed yet. An IP address becomes, for example, using the DHCP protocol for the communication device 303 created. Then follows the actual authentication of the third protocol layer. For example, in one embodiment of the OWLAN system, the terminal transmits 303 a paging message to call an authentication agent 504 where the message is answered by the authentication agent. Based on the answer message, the terminal experiences 303 in that the network in question has IP-based authentication of the third protocol layer between the communication device 303 and the authentication agent 504 requires. The authentication agent 504 exchanges authentication messages with the authentication server using an AAA protocol 505 out. The authentication procedure is similar to the one in 3 described Nokia Operator Wireless LAN system. The authentication agent 504 receives a message of successful authentication from the authentication server 507 using the AAA protocol. After authentication, the authentication agent sends the identification data, such as an IP address, of the terminal 303 to the access control function 502 , In this embodiment, the access control function is 502 in the access point device 501 implemented. The authentication agent 504 sends a message to the access point 501 , For example, the message can be formed using the User Datagram Protocol (UDP) over the Internet Protocol (IP). The message contains at least the identification data of the terminal 303 , After receiving the message takes the access control function 502 in the access point 501 the identification data in the access control list 503 on. The access control function 502 only forwards data packets of the terminal whose identification data, such as an IP or MAC address, in the list 503 can be found. The authentication typically has to be repeated by the communication device after a certain period of time, for example when the terminal is switched off (due to low battery level), leaving the network (shadow area) or automatically terminating the use of a service. The access control 502 preserves a record of the connection time of the communication device 303 and the number of transmitted / received data packets. The access control 502 For example, send the information to the authentication server 505 or the accounting server 507 as a basis for user billing. Alternatively, the authentication according to the third protocol layer may be performed such that when the user opens a WWW browser, the authentication agent 504 the browser of the terminal 303 sends a page that queries the user identification and password, thereby identifying the user and in the access control list 503 is recorded. As a further alternative, authentication according to the third protocol layer may be performed using Virtual Private Network (VPN) software, where user authentication is typically performed as part of the Internet Key Change (IKC) protocol.

In the authentication of the second protocol layer come the communication device 404 and the access point 501 Already during the mapping, they will use WLAN authentication (not Open System Authentication as with the third protocol layer authentication). WLAN authentication is performed as specified in the IEEE 802.1x protocol. After a successful authentication becomes the access control function 502 about the event in and takes the terminal authenticated according to the second protocol layer 404 in the access list 503 and begins to forward the packets of the authenticated terminal. As the access control function 502 in the access point device 501 is implemented is the access point 501 capable of locally identifying the terminal's identification data to the access control function 502 to send. The access control list 503 includes identification data of terminals that are authenticated according to the third and the second protocol layer. After authenticating the second protocol layer, the authentication agent must 504 the terminal no longer subject to authentication of the third protocol layer, as the identification data of the terminal 404 already in the list 503 are included.

In an alternative embodiment of this invention, service differentiation is provided for different terminal classes. 6 shows a flowchart of a method according to the alternative embodiment of the invention. At step 601 An access point and a terminal, such as a wireless communication device, establish a connection and associate with each other. Upon initiation of the access point, the routine then checks 602 whether authentication according to the second protocol layer or Open System Authentication is affected. The terminal establishes communications with the access point by sending an authentication or assignment request to the access point. The request includes a request for authentication by using the authentication method using the terminal. At step 603 The WLAN access point divides WLAN clients into different classes, preferably based on the authentication method used by the client or other parameters exchanged during the mapping and authentication phase. At step 604 The access point routes data packets based on the classification. The client class is taken into account when forwarding data packets between the wireless network and the wired network (distribution network, DS). For example, the authentication method selected after the mapping can be used to classify users so that open system clients are directed to a different Virtual LAN (VLAN) than IEEE 802.1x / 802.11i clients. In the case of 802.1x, the access point may further differentiate clients based on the Network Access Identifier (NAI) portion of the name. The territory name identifies the RADIUS server that authenticates the user. For example, a corporate WLAN access point may direct clients authenticated by the corporate RADIUS server to a different VLAN than clients authenticated by other RADIUS servers. For simplicity, the authentication method (Open System or IEEE 802.1x) is used here as an example of the parameter according to which the access point divides wireless terminals into different classes. It will be apparent to those skilled in the art that the invention is not limited to terminal classification by authentication methods, and that there are other parameters by which the access point may divide terminals into separate classes. The access point can use any parameter that it experiences after the communication setup as a classification basis. The parameter may relate to radio technology, authentication or association, or other communication building areas, such as the radio frequency band, data rate used by the terminal, the Network Access Identifier or any part thereof, or the Extensible Authentication Protocol (EAP) used in IEEE 802.1x authentication becomes.

7 shows an access point according to an alternative embodiment of the invention. The access point 700 includes a processor 701 and a memory 702 for performing the respective operations and at least one application 703 for performing, for example, identifying an authentication method. The access point 700 also includes an interface 705 for connecting to routers, to servers such as an access control or an authentication server. The access point further comprises identification means 707 for identifying whether the terminal is using the first or second authentication method. Preferably, the access point identifies the authentication method by receiving a message from the terminal, the message comprising the authentication method using the terminal. When the terminal employs the first authentication method, the message is preferably an association request message according to the IEEE 802 .11i standard, wherein the association request message comprises an authentication suite element indicating IEEE 802.1x authentication. When the terminal employs the second authentication method, the message is preferably an authentication request message according to the IEEE 802.11 standard, the authentication request message indicating Open System Authentication. The device further comprises classifying means 704 for splitting terminals into different classes based on the identified authentication method. The access point further comprises forwarding means 706 for forwarding data packets of the wireless terminal between the wireless network and the wired network, the routing means taking into account by routing data packets from terminals of different classes to separate logical channels. The Benut Using different Virtual LANs for different terminal classes is an example of how the terminal class is considered when forwarding data packets. After receiving a data packet from a wireless terminal, the access point preferably recognizes the terminal class of the transmitting wireless terminal based on the source MAC address field in the data packet and then forwards the data packet using the VLAN identifier associated with the terminal class wireless network so that packets from open system clients are forwarded as packets from 802.1x clients using a different VLAN identification. In addition, after receiving a unicast data packet from the wired network, the access point first identifies the terminal class of the destination wireless terminal, preferably based on the destination MAC address field in the data packet, and then verifies that the VLAN identification in the data packet is correct, ie as it should be for the recognized terminal class. The access point only forwards the data packet to the destination wireless terminal if the packet was received with the correct VLAN identification from the wired network. If the VLAN identification is not correct, the access point preferably discards the data packet. After receiving a multicast or broadcast data packet from the wired network, the access point can not recognize the terminal class of a single terminal because there may be multiple destinations. In this case, the access point may continue to process the data packets according to the terminal class specified in the VLAN identification. For example, multicast or broadcast data frames directed to open system clients may be transmitted without encryption or integrity protection, while IEEE 802.11i packet security may be applied to multicast or broadcast data frames directed to IEEE 802.1x clients ,

As an alternative to VLANs, the access point can differentiate the data packets based on IP subnet or IP address range. In this example, the access point ensures that the wireless terminal is assigned an IP address from the IP subnet or area corresponding to the terminal class identified after the communication setup. Preferably, the access point forwards the DHCP packets sent by the wireless terminal after the IP configuration phase to a suitable terminal-class based DHCP server such that the terminal is assigned an address from the correct IP subnet or IP address range. After receiving a data packet from a wireless terminal, the access point preferably recognizes the terminal class based on the source MAC address field in the data packet and then verifies that the source IP address field (or other protocol field that includes an IP address) belongs in the received data packet to the correct IP subnet or IP address range associated with the recognized terminal class. The access point only forwards the data packets to the wired network if this verification succeeds. If the verification fails, the access point discards the data packet. In addition, after receiving a unicast data packet from the wired network, the access point first recognizes the terminal class, preferably based on the destination MAC address field in the data packet, and then verifies that the destination IP address field in the data packet is the correct IP Subnetwork or IP address range associated with the recognized terminal class. The access point only forwards the data packets to the destination wireless terminal if this verification succeeds. If the verification fails, the access point discards the data packet. After receiving a multicast or broadcast data packet from the wired network, the access point is still able to detect a correct terminal class based on a protocol field that includes an IP field. Different processing, such as differential encryption or integrity protection, may be applied to multicast or broadcast data packets directed to Open System Clients or IEEE 802.1x clients. For the sake of simplicity, the use of separate VLANs for different terminal classes will be used as an example of how the access point considers the terminal class in forwarding data packets between the wireless terminals and the wired network. It will be apparent to those skilled in the art that the invention is not limited to the use of different VLANs for each class of terminal, and that there are other ways to accommodate the terminal class in forwarding data packets. As an alternative to VLANs, the access point may consider the terminal class by any method of differentiating data packets into different logical channels based on the terminal class when forwarding data packets between the wireless network and the wired network. Another example of this method is packet tunneling to various destinations based on the terminal class. After receiving a data packet from the wireless terminal, the access point preferably recognizes the terminal class based on the source MAC address field in the received packet. The access point then encapsulates the received packet in a new packet. The destination of the new data packet is chosen based on the terminal class, so that different terminal classes are tunnelled to different destinations. The encapsulation is preferably IP encapsulation, eliminating the original MAC header and the resulting IP packet is encapsulated in a new IP packet. The IP packet is then forwarded according to the new IP destination address. Accordingly, data packets received by the wired network can also be tunneled. After receiving a data packet from the wired network, the access point preferably recognizes the terminal class based on the source IP address in the outer IP header when using different tunnel origins for each terminal class. The access point then decapsulates the tunneled packet and forwards the resulting data packet to the destination wireless terminal.

8th shows a system according to an alternative embodiment of the invention. In the following, the invention is shown by way of example in an environment which is a terminal 303 that can authenticate using the authentication method of the third protocol layer, such as Open System Authentication, and a terminal 404 which can authenticate using the authentication method according to the IEEE 802.1x standard, such as a wireless WLAN terminal using the IEEE 802.11i standard. The terminals are capable of establishing a connection to a communications network having an access point 801 for providing a wireless connection from the communication device 303 . 404 to the network and to forward authentication information between the terminal 404 and an authentication server 806 includes. The system also includes access control 802 comprising a logical access control function for forwarding data packets of the terminal authenticated by Open System Authentication and blocking data packets from unauthenticated terminals and a list 803 of authenticated open system terminals. The access control 802 routes authentication information between the terminal 303 and the authentication server 806 further. The system further includes servers, such as a DHCP server 804 for providing an IP address for the terminal 303 , an accounting server 805 for billing the amount of data transmitted to and from the terminal and an authentication server 806 for providing an authentication service for an authenticator, wherein the authenticator is one of the following: the access point 801 and the access control 802 by determining whether the terminal is authorized to access the services provided by the authenticator and one or more routers 506 to route data packets of the terminals 303 . 404 ,

This example system is arranged such that network access control for the open system terminal 303 in the access control device 802 is implemented and network access control for the IEEE 802.1x terminal 404 in the access point device 801 is implemented. The arrangement is based on data packet classification in the access point device 801 into separate logical channels based on the terminal authentication method.

If a terminal 303 using the open system authentication method, establishing connections with the access point, points the access point 801 the terminal 303 a terminal class for which the access control 802 Access control on the third protocol layer. By using Virtual LANs is the access control 802 configured to perform admission control of data packets received with a VLAN identifier associated with open system terminals. When separate IP subnets or IP address ranges are used to separate data packets into logical channels, access control is 802 for performing access control of data packets from terminals 303 configured to use an IP address from the IP subnet or IP address range of open system terminals.

If a terminal 404 Connections to the access point 801 and authenticates with the IEEE 802.1x authentication mechanism, the access point points out 801 the terminal 404 a terminal class for which the access control 802 does not use access control. With Virtual LANs it is possible to access control 802 for routing data packets with the IEEE 802.1x terminal 404 configured VLAN identification without performing any access control. Alternatively, the Virtual LAN, which is the IEEE 802.1x terminals 404 is assigned to another router device 807 that routes the data packets from IEEE 802.1x terminals so that the data packets do not go through the access control. If separate IP subnets or IP address ranges are used to separate data packets into logical channels, access control 802 for routing data packets of the terminals 404 that use an IP address from the IP subnet or IP address range of IEEE 802.1x terminals without being configured to perform access control.

The alternative embodiment of the invention according to 6 to 8th allows to use the same wireless network for multiple purposes. The same wireless network can serve legacy WLAN clients, such as OWLAN Release 1 clients using Open System Authentication, and new WLAN clients using the new IEEE standards, such as OWLAN Release 2 clients, IEEE 802.1x authentication to use. An extreme access point implementation of this invention could look like two separate access points for the wireless clients. One of the "virtual" access points would allow open system mappings and the other access point would allow 802.1x mappings - a simpler implementation would look like a single access point but support open system mapping as well as 802.1x mapping.

A another task for the alternative embodiment are protected Networks currently on Virtual Private Network (VPN) technology be built, such as corporate networks. An access point, implementing this invention would be able to open system clients route to the existing LAN using a VPN gateway from the protected network is disconnected. Open system clients therefore need a VPN connection to access the protected Build network. The access point could be IEEE 802.11i clients too Another Virtual LAN route, the direct connectivity to the protected Net has. Thus, this invention provides a managed deployment path from the current corporate WLAN solution to the new IEEE 802.11i solution.

In another example system, which is the alternative embodiment of this invention, the terminal classification in the access point device can be used for routing of data packets from terminals that Open System Authentication to an uncontrolled network, in which no access control is performed, be used. This non-controlled network can be a local intranet or another Network with limited and free resources available to everyone. In this example, data packets from terminals are IEEE 802.1x authentication to a controlled network, such as the global Internet, directed. The controlled network is such that it only terminals for disposal stands out using the IEEE 802.1x authentication mechanism authenticate.

advantages The above-described alternative embodiment is as follows single wireless network is able to both traditional and Also, to support new wireless clients, traditional and new wireless clients can have different Use IP subnets and various services in wireless stations No support is required.

The Invention is not open system authentication and authentication according to the IEEE 802.11i protocol or the IEEE.8021x protocol. The first embodiment The invention can be used in any system in which a terminal under Using an access point or authentication agent as Authenticator can access a network. The second embodiment of the Invention can be used in any system in which it is advantageous is, different terminal classes with different services, the terminal class identified based on a parameter of the connection establishment becomes.

The The above disclosure represents the implementation of the invention and their embodiments by way of examples. It is obvious to a person skilled in the art that the invention is not limited to the details of those described above embodiments limited is, and that there are others as well Implementations of the invention gives without departing from the characteristics to deviate from the invention. The above embodiments should therefore be considered illustrative and not restrictive. The Implementation and usage options Therefore, the invention is limited only by the appended claims, and therefore belong the various alternative implementations of the invention, including equivalent Implementations defined in the claims are also to the scope of the invention.

Claims (18)

Method for access control of a wireless terminal ( 303 . 404 ) in a communication network, the communication network comprising an access point ( 501 ) for establishing a communication connection with the wireless terminal, an authentication server ( 505 ) for providing an authentication service for the wireless terminal for authentication for the communication network, an authentication agent ( 504 ) for forwarding authentication information between the wireless terminal and the authentication server and an access controller for forwarding data packets from authenticated wireless terminals and blocking data packets from unauthenticated wireless terminals, wherein an access control function ( 502 ) an access control list ( 503 ), which is a list of authenticated wireless terminals, wherein the wireless terminal is configured to use any of the following authentication methods to authenticate to the communication network: a first authentication method in which the access point ( 501 ) Authentication information between the wireless terminal and the authentication server ( 505 ), a second authentication method in which the authentication agent ( 504 ) Authentication information between the wireless terminal and the authentication server ( 505 ), characterized in that the method comprises the steps of: identifying ( 101 ) at the access point ( 501 ), whether the wireless terminal is using the first authentication method or the second authentication method, performing the following steps when the wireless terminal authenticates using the first authentication method (102): forwarding ( 108 ) of authentication information between the wireless terminal and the authentication server through the access point, sending ( 106 ) identification data of the wireless terminal in response to successful authentication to the access control list by the access point and adding ( 107 ) of the wireless terminal's identification data to the access control list and forwarding data packets of the wireless terminal accommodated in the access control list by the access controller and performing the following steps when the wireless terminal authenticates using the second authentication method ( 103 ): Hand off ( 105 ) authentication information between the wireless terminal and the authentication agent by the access point, relaying authentication information between the wireless terminal and the authentication server by the authentication agent, transmitting ( 106 ) the authentication data of the wireless terminal in response to successful authentication to the access control list by the authentication agent and adding ( 107 ) of the identification data of the wireless terminal to the access control list and forwarding data packets of the wireless access terminal included in the access control list by the access control. Method according to claim 1, characterized in that the access control function ( 502 . 503 ) as part of the access point ( 501 ) is implemented. Method according to claim 1, characterized in that the access control function ( 502 . 503 ) as part of the authentication agent ( 504 ) is implemented. Method according to claim 1, characterized in that the access control function ( 502 . 503 ) is implemented in a device separate from the access point and the authentication agent. Method according to claim 1, characterized in that the identification data comprise at least one of the following: an IP address and a MAC address of the wireless terminal. Method according to claim 1, characterized in that that the first authentication method according to the IEEE 802.1x protocol accomplished becomes. Method according to Claim 6, characterized that the first authentication method according to the IEEE 802.11i protocol accomplished becomes. Method according to claim 1, characterized in that that the second authentication method is performed via an internet protocol. Method according to claim 8, characterized in that that the second authentication method according to a key exchange Internet protocol or a hypertext transfer Internet protocol. Method according to one of claims 6 to 9, characterized that the access point the authentication method by receiving a Assignment request message identified by the wireless terminal. Method according to claim 10, characterized in that the association request message is an authentication suite element wherein the authentication suite element further comprises the information of the authentication method using the device. Method according to one of claims 2 to 11, characterized that the method further renewing the authentication after a period. Access point ( 501 ) for establishing a communication connection with a wireless terminal in a communication network, the communication network comprising: an authentication server ( 505 ) for providing an authentication service for the wireless terminal for authentication for the communication network, an authentication agent ( 504 for passing authentication information between the wireless terminal and the authentication server and an access controller for forwarding data packets from authenticated wireless terminals and blocking data packets from unauthenticated wireless data packets, wherein an access control function ( 502 . 503 ) an access control list ( 503 ), which is a list of authenticated wireless terminals, characterized in that the access point is configured to accept that the wireless terminal uses one of the following authentication methods to authenticate to the communication network: a first authentication method, wherein the access point is configured for forwarding authentication information between the wireless terminal and the authentication server, a second authentication method, wherein the authentication agent is configured to forward authentication information between the wireless terminal and an authentication agent, the access point comprising: identification means ( 207 ) for identifying whether the wireless terminal is using the first authentication method or the second authentication method, first forwarding means ( 201 . 205 . 206 ) for forwarding authentication information between the wireless terminal and the authentication server in response to a situation in which it has been identified that the wireless terminal has used the first authentication method, first transmission means ( 201 . 205 ) for transmitting identification data of the wireless terminal in response to a successful authentication of the wireless terminal according to the first authentication method to the access control list and second forwarding means ( 201 . 205 . 206 ) for forwarding authentication information between the wireless terminal and the authentication agent in response to a situation in which it has been identified that the wireless terminal has used the second authentication method, and second transmission means ( 201 . 205 ) for transmitting identification data of the wireless terminal in response to a successful authentication of the wireless terminal according to the second authentication method to the access control list. Access point according to claim 13, characterized in that in that the identification means for identifying the authentication method by receiving a mapping request message from the wireless terminal are arranged. Access point according to claim 14, characterized in that the identification means are for recognizing an authentication suite element from the association request message, wherein the authentication suite element Information of the authentication method that includes the wireless terminal used. Access point according to claim 13, characterized in that the access point comprises detection means arranged thereon are the successful authentication of the wireless terminal, the uses the first authentication method by receiving a Detect message from the authentication server. Access point according to claim 13, characterized in that the access point comprises detection means arranged thereon are the successful authentication of the wireless terminal, the uses the second authentication method, by receiving a message from one of the following: the authentication agent or the authentication server. System for access control of a wireless terminal ( 303 . 404 ) in a communication network, the communication network comprising: an access point ( 501 ) for establishing a communication connection with the wireless terminal, an authentication server ( 505 ) for providing an authentication service for the wireless terminal ( 303 . 404 ) for authentication for the communication network, an authentication agent ( 504 ) for forwarding authentication information between the wireless terminal ( 303 ) and the authentication server ( 505 ) and an access control ( 502 ) for forwarding data packets from authenticated wireless terminals and blocking data packets from unauthenticated wireless data packets, an access control function comprising an access control list ( 503 ), which is a list of authenticated wireless terminals, wherein the wireless terminal ( 303 . 404 ) is configured to use one of the following authentication methods to authenticate itself to the communications network: a first authentication method in which the access point ( 501 ) Authentication information between the wireless terminal ( 404 ) and the authentication server ( 505 ), a second authentication method in which the authentication agent ( 504 ) Authentication information between the wireless terminal ( 303 ) and the authentication server ( 505 ), characterized in that the system comprises: identification means ( 207 ) for identifying at the access point ( 501 ), whether the wireless terminal ( 303 . 404 ) uses the first authentication method or the second authentication method, first forwarding means for forwarding at the access point ( 501 ) of authentication information of the first authentication method between the wireless terminal ( 404 ) and the authentication server ( 505 ), second forwarding means for forwarding at the access point ( 501 ) of authentication information of the second authentication method between the wireless terminal ( 303 ) and the authentication agent ( 504 ), third forwarding means at the authentication agent ( 504 ) for forwarding authentication information of the second authentication method between the access point ( 501 ) and the authentication server ( 505 ) first transmission means for transmitting from the access point ( 501 ) of identification data of the wireless terminal ( 404 in response to a successful authentication of the wireless terminal according to the first authentication method to the access control list ( 503 ), second sending means for sending by the authentication agent ( 504 ) the identification data of the wireless terminal ( 303 ) in response to a successful authentication of the wireless terminal according to the second authentication method to the access control list ( 503 ) and forwarding means at the access control function ( 502 ) for forwarding data packets of the wireless terminal (included in the access control list) ( 303 . 404 ).