KR101068426B1 - Inter-working function for a communication system - Google Patents

Abstract

Interoperability (IWF) for interfacing wireless local area networks (WLANs) with communication systems. The IWF may contain sufficient information to authenticate user access to the WLAN, or the IWF may need to request authentication from the communication system. In one embodiment, the IWF sends an access challenge to the WLAN for the user. The IWF may then forward a response to the challenge on the communication system for authentication. IWF allows the WLAN to use the authentication capabilities of the communication system for local authentication.

WLAN, Interoperability, Authentication

Description

Interaction function for communication system {INTER-WORKING FUNCTION FOR A COMMUNICATION SYSTEM}

background

Field

TECHNICAL FIELD The present invention relates to interoperability functions for communication systems, and more particularly, to a mechanism for common authentication and key exchange through interoperation functions for use in a wireless local area network (WLAN).

background

WLANs allow users virtually unlimited access to Internet Protocol (IP) services and data networks. The use of WLAN is not limited to laptop computers and other computing devices, and is rapidly expanding to cellular telephones, personal digital assistants (PDAs), and other small wireless devices supported by external networks or carriers. For example, a wireless device communicating over a cellular carrier may roam to a WLAN in a cyber cafe or workspace. In this situation, the wireless device has access to the cellular system but wants access to the WLAN. WLAN access requires authentication. As the wireless device has already gained access to the cellular system, it is excessive to require further authentication. Accordingly, there is a need for an interoperability function that allows common authentication for access to cellular systems and WLANs.

Brief description of the drawings

1 is a communication system including a WLAN.

2 is a communication system having an Interoperation Function (IWF) unit.

3 is an authentication process timing diagram in a communication system.

4 is an authentication process flow diagram.

5 is a timing diagram of an authentication process in a communication system.

6 is a flow chart of an authentication process at the IWF in a communication system.

7 is a flowchart of an authentication process at a mobile station.

details

The word "representative" is used herein to mean "yes, illustration, or illustration." Embodiments described herein as "representative" are not necessarily considered to be preferred or superior to other embodiments.

An HDR subscriber station, referred to herein as an access terminal (AT), may be mobile or stationary, and may communicate with one or more HDR base stations, referred to as a modem full transceiver (MPT). The access terminal sends and receives data packets via one or more modem pool transceivers to an HDR base station controller, referred to herein as a modem pool controller (MPC). The modem pool transceiver and modem pool controller are part of a network called an access network. The access network transmits data packets between the plurality of access terminals. The access network may be further connected to additional networks outside the access network, such as an intra-company intranet or the Internet, and may transmit data packets between each access terminal and these external networks. An access terminal that has established an active traffic channel connection with one or more modem pool transceivers is called an active access terminal and is said to be in a traffic state. An access terminal in the process of establishing an active traffic channel connection with one or more modem pool transceivers is said to be in a connection setup state. The access terminal may be any data device that communicates over a wireless channel or a wired channel such as an optical fiber or coaxial cable. The access terminal may be any of a variety of types of devices, including but not limited to PC card, compact flash, external or internal modem, or wireless or landline telephone. The communication link through which the access terminal sends signals to the modem pool transceiver is called a reverse link. The communication link through which a modem pool transceiver transmits signals to an access terminal is called a forward link.

A WLAN 100 having a plurality of access points (AP) 106, 108, 110 is shown in FIG. 1. The AP is a hub or bridge that provides access to the wired network, as well as star topology control on the wireless side of the WLAN 100.

Each AP 106, 108, 110 supports access to data services, such as the Internet, as well as others not shown. Workstation 102, such as a laptop computer or other digital computing device, communicates with the AP via an air interface, thus using the term wireless LAN. The AP then communicates with the authentication server (AS) or authentication center (AC). AC is a component that performs authentication services for devices requesting entry into the network. An implementation is described in the Remote Authentication Dial-In User Service (RADIUS), an Internet user authentication disclosed in RFC 2138, published in April 1997 and published by C. Rigney et al. (RADIUS) ", and other authentication, authorization, and charging (AAA) servers.

Wireless networking is emerging as an important aspect of internetworking. It represents a set of inherent problems based on the fact that the only limitation of wireless networks is wireless signal strength. There is no wiring to define membership in the network. There is no physical way to limit a system within wireless range to be a member of a wireless network. Beyond any other networking technology, wireless networking requires authentication and access control mechanisms. Several groups are currently developing standard authentication mechanisms. Currently accepted standard is IEEE 802.11.

A characteristic of RF-based networks is that they are open to packet interception by any radio within the scope of the transmitter. Interception can occur far outside the user's 'working' range by using a high gain antenna. With readily available tools, the eavesdropper is not limited to collecting packets for later analysis, but can actually view interactive sessions such as web pages viewed by valid wireless users. The eavesdropper can also learn weak authentication exchanges, such as website logins. The eavesdropper can later access the copy by logging on.

Once an intruder gains knowledge of how WLANs control access, they can either enter the network themselves or steal valid user access. If an attacker can mimic a valid user's MAC (MAC) address or use that assigned IP address, stealing the user's access is straightforward. The attacker would wait for a valid system to stop using the network and then take its place on the network. This will always appear as a valid user of the compromised network to allow the intruder direct access to all devices in the network, or to use the network to access the wider Internet. Thus, authentication and encryption are major concerns in the implementation of WLAN.

Authentication is the process of providing the identity of a person or communication system application. This identification allows the service provider to check the entity as a valid user, and also to check the user for the particular service requested. Authentication and authorization, although the two names are often used interchangeably, actually have a very specific meaning and are not actually clearly distinguished.

Authentication is the process by which a user establishes the right to identity, essentially the right to use a name. Many techniques can be used to authenticate a user, such as passwords, biometric technologies, smart cards, and certificates.

The name or identity has an attribute associated with it. Attributes may be tightly coupled to a name (eg, in a certificate payload), but may be stored under a key corresponding to that name in a directory or other database. Attributes may change over time.

Authorization is the process of determining which actions (such as access to a resource) are allowed to perform an identity (in addition to the set of attributes associated with that identity). Permission to perform an action does not guarantee that the action can be performed. Authentication and authorization decisions may be made by other entities at different times.

In a cellular network, the authentication feature is a network capability that allows the cellular network to verify the identity of the wireless device, thereby reducing the unauthorized use of the cellular network. This process is transparent to the subscribers. Customers are not required to do anything to authenticate the identity of their phone when they call.

In general, authentication involves encryption techniques, and service providers and users have some shared and private information. In general, shared information is referred to as a "shared secret."

A-key

The authentication key (A-key) is a secret unique to each individual cellular telephone. It is registered with a cellular service provider and stored in a telephone and an authentication center (AC). The A-key is programmed into the phone by the manufacturer. In addition, the user can manually input from a wireless device menu or by a special terminal at the time of sale.

The radio and the AC must have the same A-key to produce the same calculation. The primary function of the A-key is to be used as a parameter to calculate the shared secret data (SSD).

Shared Secret Data (SSD)

SSDs are used as inputs for authentication calculations in wireless devices and ACs and are stored in both locations. Unlike the A-key, the SSD may be modified via the network. AC and wireless devices are the three elements involved in the calculation of the SSD: 1) electronic serial number (ESN); 2) authentication key (A-key); And 3) share a shared secret data calculation random number (RANDSSD).

ESN and RANDSSD are transmitted over network and air interface. The SSD is updated when the device first performs system access and then periodically. Once the SSD is calculated, the result is two separate values, SSD-A and SSD-B. SSD-A is used for authentication. SSD-B is used for encryption and voice privacy.

Depending on the capabilities of the serving system, the SSD may or may not be shared between the AC and the serving Mobile Switching Center (MSC). If the secret data is shared, the AC will send it to the serving MSC, which means that the serving MSC must be able to execute CAVE. If not shared, the AC will retain the data and perform authentication.

The type of sharing affects how authentication challenges are performed. The authentication challenge is a message sent to challenge the identity of the wireless device. Basically, an authentication challenge sends some information, typically random data, for the user to process. The user then processes the information and sends a response. This response is analyzed for user verification. With shared secret data, the challenge is handled at the MSC in service. With non-shared secret data, the challenge is handled by the AC. By sharing secret data, the system can minimize the amount of traffic sent and allows for challenges to occur more quickly on the serving switch.

Certification process

In a given system, the home location register (HLR) controls the authentication process by operating as an intermediate between the MSC and AC. The MSC in service is set up to support authentication with the HLR of the mobile and vice versa.

The device may initiate this process by setting the authorization field in the overhead message train and by notifying the serving MSC if it can authenticate. In response, the serving MSC initiates the registration / authentication process with an authentication request.

By sending an authentication request, the serving MSC informs the HLR / AC whether it can perform the CAVE calculation. The AC controls not only the device capabilities but also which MAC of the MSCs in service is available among the available. If the serving MSC does not have CAVE capability, the SSD cannot be shared between the AC and the MSC, so all authentication procedures are performed at the AC.

The purpose of an authentication request (AUTHREQ) is to authenticate the phone and request an SSD. AUTHREQ contains two parameters for authentication, AUTHR and RAND parameters. When AC acquires AUTHREQ, it uses RAND and last known SSD to calculate AUTHR. If it matches the AUTHR sent in AUTHREQ, authentication is successful. The return result for AUTHREQ will include the SSD if it can be shared.

challenge

The authentication process consists of a challenge and a response conversation. If the SSD is shared, the conversation takes place between the MSC and the device. If the SSD is not shared, the conversation takes place between the HLR / AC and the device. Depending on the switch type, the MSC may do a unique challenge, a global challenge, or both. Some MSCs do not currently have global challenges. A unique challenge is a challenge that occurs only during call attempts because it uses a voice channel. The unique challenge provides authentication to a single device during call origination and call forwarding. Global challenges are challenges that occur during registration, call origination, and call delivery. Global challenges provide authentication challenges to all MSs using a particular radio control channel. It is called a global challenge because it is broadcast over a radio control channel, and the challenge is used by all phones that access the control channel.

During the challenge, the device responds to a random number provided by the MSC or AC. The device uses random numbers and shared secret data stored on the device to calculate the response to the MSC. The MSC also uses random numbers and shared secret data to calculate what the response from the device is. These calculations are performed through the CAVE algorithm. If the responses are not the same, the service is denied. The challenge process does not increase the amount of time it takes to connect the call. Indeed, in some cases, if authentication fails, the call can proceed only to block.

WLANs have gained tremendous popularity as a means of providing users with unlimited access to IP data networks. In addition, third generation (3G) wireless networks are designed to provide high speed data access; In general, even if the data rates they support are smaller than those of the WLAN, 3G networks provide data coverage over a wider area. Although they are like competitors, WLANs and 3G networks may be complementary, while WLANs provide high capacity “hot spot” coverage in public areas such as airport lounges and hotel lobbies, while 3G networks provide users with almost no mobility on the go. It can provide ubiquitous data services. Thus, the same carrier may provide both 3G and WLAN services under a single user subscription. This means that the MS uses the same authentication method and secret for both types of access authentication.

In 3G access authentication, the authentication center (AC) authenticates the MS. AC and MS have a shared secret. On the network side, the shared secret is securely stored in AC and not distributed to any other network entities. On the MS side, shared secrets are safely stored in secure memory and are not distributed out of it. AC and MS use Cellular Authentication Voice Encryption (CAVE) or Authentication Key Agreement (AKA) as an authentication algorithm. Authentication parameters are passed between the MS and AC via 3G over-the-air signaling message and network signaling message (eg, IS-41).

In WLAN access authentication, the MS is preferably authenticated by the same AC using the same shared secret and authentication algorithm (AKA or CAVE). However, different mechanisms are used to convey authentication parameters in the WLAN. Specifically, authentication parameters are conveyed via Extended Authentication Protocol (EAP) and AAA protocol (RADIUS or Diameter). This challenge interoperates the transfer mechanism between 3G and WLAN such that authentication parameters can be passed between the MS and AC for WLAN access authentication.

As mentioned above, the CAVE algorithm is widely used for cellular communication and is therefore well used and distributed. In addition, alternative algorithms for authentication are used. Specifically, many algorithms exist in data communications with varying complexity and applications. To coordinate these mechanisms, EAP has been developed as a general-purpose protocol framework that supports multiple authentication and key distribution mechanisms. EAP is disclosed in the "PPP Extended Authentication Protocol (EAP)," RFC 2284, published by L. Blunk et al. In March 1998.

This mechanism supported by EAP, as defined in "EAP AKA Authentication" by J. Arkko et al., Published as an Internet draft in February 2002, is an AKA algorithm. Therefore, it is necessary to extend the EAP to include the cellular algorithm CAVE. This is desirable to provide compatibility for new systems and networks.

EAP

EAP is a generic protocol for authentication that supports multiple authentication mechanisms. EAP does not select a particular authentication mechanism during link establishment and control, rather than deferring authentication until the authentication procedure is initiated. This allows the authenticator to request more information before selecting a specific authentication mechanism. The authenticator is defined as the terminal of the link that requires authentication. The authenticator specifies the authentication protocol used during link establishment.

Interaction Function (IWF)

According to one embodiment, a new network entity is implemented and referred to as an Interaction Function (IWF) or more specifically AAA / IS-41 Interaction Function (IWF). The IWF interoperates the delivery mechanism of authentication parameters (eg, CAVE, AKA) between wireless networks such as 3G and WLAN networks. IWF 204 is shown in FIG. 2 as part of communication system 200. System 200 includes WLAN 202, IWF 204, and AC 206. As shown, workstation 208 is currently within communication range of WLAN 202. IWF 204 provides an interface between AC 206 and WLAN 202 while allowing the use of common authentication to allow MS 208 to gain access to the network. The MS 208 may be a wireless workstation, remote user, or other wireless device capable of communicating over a network other than the WLAN 202, which in this case is part of the AC 200.

IWF 204 is a one-way interaction function, that is, an authentication request is sent from WLAN 202. In the current embodiment and the figures, AAA is a delivery mechanism for transferring authentication parameters between WLAN 202 and IWF 204. IS-41 is also a transfer mechanism for transferring authentication parameters between IWF 204 and AC 206. Specifically in this example, RADIUS will be used as the AAA protocol.

Authentication processing is shown in FIG. 3. Initially, IWF 204 receives a RADUIS access request message that includes the identity of MS 208 (or wireless workstation) that wishes to perform authentication for access to WLAN 202. The IWF 204 is comprised of a database 210 that stores authentication capabilities associated with the MS 208 as well as other MSs 208 currently registered via the AC 206. Database 210 is indexed by each MS 208 identity. Thus, the IWF 204 may determine the MS 208 authentication capability (eg, AKA and / or CAVE).

If the MS 208 only supports CAVE, then the IWF 204 performs the following procedure consistent with FIG. The IWF sends a RADIUS Access Challenge message that includes an EAP Request message that includes a CAVE challenge. As mentioned above, this challenge includes a random number used by the MS 208 to calculate the authentication response. IWF 204 receives a RADIUS access request message including an EAP response message (including a CAVE challenge message). The CAVE response includes the MS 208 authentication response, that is, the result of the calculation using random numbers and other parameters specific to the MS 208.

If the IWF 204 cannot verify the EAP response message, or specifically the CAVE response for the CAVE challenge, the IWF 204 sends an AUTHREQ message, which is an IS-41 message, to the AC 206. In this case, the IWF 204 does not have the information needed to confirm this challenge response. The AUTHREQ message includes the IMSI assigned to the MS 208, a random number (ie, challenge), and an authentication response generated by the MS 208. The AC 206 with the shared secret knowledge specific to the MS 208 then verifies the MS 208 challenge response. AC 206 returns an AUTHREQ message, which is an IS-41 message, to the IWF. The AUTHREQ message contains the authentication result. Also, if successful, the AUTHREQ message includes a key called the Cellular Message Encryption Algorithm (CMEA) that is used to protect the MS 208 traffic at the WLAN 202. If the IWF 204 cannot receive an AUTHREQ message from the AC 206 after a predetermined number of retries, the IWF 204 sends a RADIUS Access Reject message to the WLAN 202 that includes an EAP-failure. Failure to receive an AUTHREQ message may indicate a network problem between the IWF 204 and the AC 206.

The IWF 204 can verify the challenge response from the MS 208, and if this verification is successful, the IWF 204 generates a CMEA key. If the MS 208 is successfully authenticated, the IWF 204 sends a RADIUS Access Accept message to the WLAN 202. These messages contain EAP success messages as well as CMEA keys. If the MS 208 fails authentication, the IWF 204 sends a RADIUS Access Reject message to the WLAN 202 that includes an EAP Failure message.

4 shows an authentication process 400 according to one embodiment, where the MS 208 supports the CAVE protocol. The process begins at step 402 when the MS 208 and the WLAN 202 begin identification negotiation. Also at this stage, the WLAN 202 sends a RADIUS Access Request message that includes the identity of the MS 208. As mentioned above, this identity may be provided by an IMSI or other unique identifier for the MS 202. This process includes the MS 208 seeking access to the WLAN 202 and, in response, the WLAN 202 requesting identification from the MS 208 at step 402. At this point, in step 404, IWF 204 sends a RADIUS Access Challenge message to WLAN 202 including the CAVE challenge. In response to this challenge, MS 208 calculates a response and provides this response to WLAN 208 (not shown). This response is then sent to the IWF 204 in a RADIUS Access Response message, at step 406. If the IWF 204 does not have knowledge of the shared secret for the MS 208 at the decision diamond 408, processing continues to step 410 where the IWF 204 sends an AUTHREQ message to the AC 206. do. The AUTHREQ message requests authentication of the MS 208. If an AUTHREQ message is returned at decision diamond 412, processing continues to decision diamond 414 to determine whether the AUTHREQ message is a successful authentication, that is, whether the result of the authentication is an authorization for access to the WLAN. If the AUTHREQ message is not received at decision diamond 412, processing continues to step 416 where the IWF sends a RADIUS Access Reject message.

Continuing from decision diamond 408, if IWF 204 has knowledge of the MS 208 shared secret information, IWF 204 can determine whether authentication is successful at decision diamond 418. Successful authentication proceeds to step 420 to calculate the CMEA key. Thereafter, a RADIUS access accept message is sent to step 424. Also, in step 414, successful authentication (for authentication by AC 206) proceeds to step 420. From decision diamond 418, if authentication is not successful, then at step 422 the IWF sends a RADIUS Access Denied message.

In another embodiment, the IWF 204 uses the AKA protocol to send a challenge. As shown in FIG. 5, if MS 208 supports AKA, IWF 204 implements an AKA challenge, and the order of authentication processing is changed. In this scenario, enough information to authenticate a user such as MS 208 is provided in the authentication vector (AV). The AC 206 may send the secret (SS) information shared in the AV to the IWF 204. According to this embodiment, the AV includes an SS, a challenge and an encryption key (CK). CK is used to encrypt MS traffic.

If the IWF 204 does not have an authentication vector (AV) for authenticating the MS 208, the IWF 204 sends an AUTHREQ message to request an AV from the AC 206. The AUTHREQ message includes the identity of the MS 208, such as IMSI, and a request for AV. AC 206 responds with an AUTHREQ message containing the AV. The AV consists of a random number (RAND), an expected response (XRES), an encryption key (CK), and an authentication token (AUTN). Since the AC may provide multiple AVs in the AUTHREQ message, the IWF does not need to request subsequent authentication from the AC 206.

If the IWF 204 cannot receive an AUTHREQ message (which may be after a certain number of retries) from the AC 206, the IWF 204 may be responsible for a network problem between the IWF 204 and the AC 206. Send a RADIUS Access Denied message to the WLAN 202 including the EAP Failure message.

If the received AUTHREQ message does not include an AV, the IWF 204 sends a RADIUS Access Reject message to the WLAN 202 that includes an EAP Failure message. For example, this case may appear when the MS 202 is an expired subscriber.

If IWF 204 has an AV, IWF 204 sends a RADIUS access challenge message to WLAN 202 including an EAP request message with an AKA challenge. AKA challenges include AUTN and RAND. The AUTN passes the AC 206 proof and will be verified by the MS 208. RAND is a challenge to the MS 208 that is used to calculate the authentication response (RES). MS 208 provides RES to WLAN 202.

The IWF 204 receives a RADIUS Access Request message containing an EAP response including a CAVE challenge from the WLAN 202. The CAVE challenge includes the MS 208 Authentication Response (RES) received via the WLAN 202. IWF 204 compares RES and XRES. For matching, the MS 208 is successfully authenticated and the IWF 204 sends a RADIUS Access Accept message to the WLAN 202. Such messages include EAP Success Message and CK. CK will be used to protect MS 208 traffic in WLAN 202. If the MS 208 fails authentication, the IWF 204 sends a RADIUS Access Reject message to the WLAN 202 that includes an EAP Failure message.

6 illustrates an authentication procedure 500 using AV. At decision diamond 502, if the IWF 204 has enough AV to verify the MS 208, the process continues to step 506, otherwise processing continues to step 504. At step 506, the IWF 204 sends a RADIUS Access Challenge message to the WLAN 202 for the MS 208. This challenge is then forwarded to the MS 208 for processing, and a response is provided to the WLAN 202 (not shown). At step 510, IWF 204 receives the RADIUS Access Request message and determines if MS authentication is successful at decision diamond 512. For successful authentication, at step 514, IWF 204 sends a RADIUS Access Accept message, otherwise at step 516, IWF 204 sends a RADIUS Access Reject message.

Returning to decision diamond 502 and if IWF 204 does not have AV, then at step 504 IWF sends an AUTHREQ message to AC 206. Upon receiving the AV, the IWF 204 continues processing to step 506, otherwise processing continues to step 516.

7 illustrates an IWF 600 configured to interface between WLANs (not shown), thus performing the necessary procedures for communication, authentication, key exchange, and other secure communications with them, and AC (not shown). have. IWF 600 includes a WLAN interface unit 602 that prepares, transmits, receives, and / or interprets communication with a WLAN. Similarly, IWF 600 includes an AC interface unit 604 that prepares, transmits, receives, and / or interprets communication with AC. IWF 600 further includes a CAVE procedure unit 608, an EAP procedure unit 610, and a RADIUS procedure unit 612. IWF 600 may include some such procedural units (not shown) as required for interoperability in a given system. Procedure units such as CAVE procedure unit 608, EAP procedure unit 610, and RADIUS procedure unit 612 may be implemented in software, hardware, firmware, or a combination thereof. Several modules in IWF 600 communicate over a communication bus 614.

Those skilled in the art may represent information and signals using any of a variety of other schemes and techniques. For example, data, commands, commands, information, signals, bits, symbols, and chips that may be mentioned throughout the foregoing specification may include voltages, currents, electromagnetic waves, magnetic fields, magnetic particles, optical fields or optical particles, or It may be represented by a combination of these.

Those skilled in the art may also implement the various logical blocks, modules, circuits, and algorithm steps described above in connection with the embodiments as electronic hardware, computer software, or a combination thereof. To clearly illustrate the interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps described have been described generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends on the specific application and design requirements that support the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but its implementation decisions should not be interpreted as causing a departure from the scope of the present invention.

Various logic blocks, modules, and circuits described in connection with the embodiments described above may be used in general purpose processors, digital signal processors (DSPs), application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), or other programmable logic devices, It may be implemented or performed in separate gate or transistor logic, separate hardware components, or a combination thereof designed to perform the functions described in the specification. A general purpose processor may be a microprocessor, but in another alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, eg, a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors associated with a DSP core, or some other such configuration.

The steps of a method or algorithm in connection with the above embodiments may be embedded in hardware, in a software module executed by a processor, or in a combination thereof. The software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, removable disk, CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor so that the processor can read the information form and write the information to the storage medium. In another alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. The ASIC may reside in a user terminal. In another alternative, the processor and the storage medium may reside as discrete components in a user terminal.

The foregoing embodiments are provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the generic principles defined in the specification may be applied to other embodiments without departing from the scope of the present invention. Therefore, the present invention is not limited to the above-described embodiments and can be interpreted in a broad sense consistent with the principles and novel features in the specification.

Claims (9)

An Inter-Working Function (IWF) device that communicates with a wireless local area network (WLAN) and a cellular communication network, which communicates with a wireless device, The IWF apparatus is configured to determine an authentication capability associated with the wireless device from a database using the received identity of the wireless device, The authentication capability includes a cellular authentication voice encryption (CAVE) algorithm or an authentication key agreement (AKA) algorithm, The IWF device, A database configured to store the authentication capability corresponding to the wireless device; WLAN interface; And Includes an access control (AC) interface, The WLAN interface is, Transmit an access challenge over the WLAN to the wireless device based on the determined authentication capability, Receive an access request from the wireless device via the WLAN, The access request comprises an access challenge response from the wireless device, the access challenge response is generated by the wireless device based on a predetermined authentication key, If the IWF apparatus does not have information to authenticate the wireless device, the IWF apparatus causes the AC interface to send an authentication request to the cellular communication network, and based on the predetermined authentication key. And receive the authentication response generated by the cellular communication network. The method of claim 1, The IWF device is configured to communicate with the WLAN via a first transport protocol comprising one of a RADIUS or DIAMETER protocol and is configured to communicate with the cellular communication network via a second transport protocol comprising an IS-41 protocol. , Interaction function device. A method of authenticating a wireless device by a cellular communications network to access a wireless local area network (WLAN), the method comprising: Determining an authentication capability associated with the wireless device from a database using the received identity of the wireless device, the authentication capability being a cellular authentication voice encryption (CAVE) algorithm or an authentication key agreement (CAVE). Determining an authentication capability, including an authentication key agreement (AKA) algorithm; Transmitting an access challenge over the WLAN to the wireless device based on the determined authentication capability; Generating an access request by the wireless device based on a predetermined authentication key, the access request comprising an access challenge response from the wireless device; Receiving the access request via the WLAN at an Inter-Working Function (IWF) device in communication with the wireless device and the cellular communication network; If the IWF apparatus does not have information to authenticate the wireless device, Sending an authentication request to the cellular communication network; And Authenticating the wireless device by the cellular communication network based on the predetermined authentication key. The method of claim 3, wherein And if the wireless device is authenticated by the cellular communication network based on the predetermined authentication key, authorizing the WLAN for wireless access by the WLAN. The method of claim 3, wherein And the access request is received at the IWF device via a first transport protocol comprising one of a RADIUS or a DIAMETER protocol. The method of claim 3, wherein And the authentication request is sent to the cellular communication network via a second transport protocol that includes an IS-41 protocol. delete delete delete

Images