WO2021023376A1 - Passing restricted network access credentials for visibly present user devices - Google Patents


Info

Publication number
WO2021023376A1
Authority
WO
WIPO (PCT)
Application number
PCT/EP2019/071110
Other languages
French (fr)
Inventor
Itamar OFEK
Igor SHAFRAN
Original Assignee
Huawei Technologies Co., Ltd.
Priority application
CN201980096991.9A (published as CN113906776B)
Application filed by
Huawei Technologies Co., Ltd.

Links

Classifications

    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H04W 12/08 Access security
    • H04W 12/50 Secure pairing of devices
    • H04W 12/61 Context-dependent security; time-dependent
    • H04W 12/71 Identity-dependent security; hardware identity
    • H04W 12/77 Identity-dependent security; graphical identity
    • H04W 4/80 Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
    • H04W 84/12 WLAN [Wireless Local Area Networks]


Abstract

An access point for onboarding client devices in a wireless network, comprising a processing circuit executing a code for: receiving from a target device a connection request to the wireless network, the connection request based on a Pre-Shared Key (PSK); accessing a database storing at least one access record, each access record binding between a respective PSK and an access policy; identifying among the at least one access record an access record corresponding to the PSK on which the connection request is based; providing the target device with a network entity identifier for use with the wireless network; and exposing to the target device at least one network service according to the access policy associated with the PSK in the identified corresponding access record.

Description

PASSING RESTRICTED NETWORK ACCESS CREDENTIALS FOR VISIBLY PRESENT USER DEVICES
TECHNICAL FIELD
The present disclosure, in some embodiments thereof, relates to wireless communications access setup and, more specifically, but not exclusively, to onboarding client devices in a wireless network.
BACKGROUND
Wireless communication is constantly evolving and provides a vast variety of network services to users who access these services with wireless enabled devices. The scenarios in which wireless communication is deployed span a wide range of applications.
Networked services provided through wireless communication are constantly evolving for a plurality of applications, services and platforms ranging over practically every aspect of modern life. These networked services therefore present multiple, ever increasing challenges for the underlying networks, which become ever more complex. The different deployment schemes of the wireless applications raise a slew of requirements and limitations in the setup of the wireless access.
These challenging requirements include, amongst others, the need for easy provisioning of guest device access to the wireless network, an improved security level compared to the original WiFi Protected Access-Pre-Shared Key (WPA-PSK) security protocol, flexibility in applying policy constraints that limit access to different services of the network, and the need to limit the network view exposed to the connecting clients.
These challenges may further increase and become more apparent with the rapid deployment of mobile devices, which serve as an essential communication tool used by different users running different applications in different and versatile networks. One of the major challenges such wireless networks face is the need to address the above requirements, as these requirements impose technical constraints that may conflict with each other.
In today's common solutions to the above challenge, a tradeoff between the requirements is practiced. The tradeoff is essentially between ease of network configuration, which lacks policy constraints, and a complex, non user friendly setup with out-of-band device binding. Current implementations do not allow combining in-band device onboarding with easy policy settings. In an example of a common application using the WPA-PSK protocol, the password is shared among different users, so no personalization can be achieved. The wireless access credentials can be handed over from a connected device to a nearby device via Near Field Communication (NFC) or Quick Response (QR) code scanning. In such an application the network access gives the connected devices a view of the whole network topology and all services, so restriction can only be done by deploying a firewall at the Media Access Control (MAC) level. Such a deployment is complex to configure and hard to maintain. In another example of a common application, a WPA-PSK-Enterprise protocol is used. In such an application, an Authentication-Authorization-Accounting (AAA) infrastructure is required and credentials cannot be handed over easily from one device to another. This protocol does allow flexible policy definition and enforcement, but it requires previous knowledge of the client device MAC address. Policy group enforcement via the AAA user database is enabled.
It is therefore highly desirable to provide a method and system that enable easy, non-complex provisioning of guest device access to a wireless network while facilitating a high level of security and allowing policy-constrained access for connecting devices.
SUMMARY
An objective of the embodiments of the disclosure is to provide a solution which mitigates or solves the drawbacks and problems of conventional solutions.
The above and further objectives are solved by the subject matter of the independent claims. Further advantageous embodiments can be found in the dependent claims. The disclosure aims at providing a solution for onboarding a client device in a wireless network that allows easy provisioning of the client device's access to the wireless network, with an improved security level compared to the WPA-PSK security protocol, while applying policy constraints that limit the access to different services of the network and with the ability to limit the network view exposed to the connecting client.
According to a first aspect of the present invention, there is provided an access point for onboarding client devices in a wireless network, comprising a processing circuit executing a code for:
- Receiving from a target device a connection request to the wireless network, the connection request based on a Pre-Shared Key (PSK).
- Accessing a database storing one or more access records, each of the access records binding between a respective PSK and an access policy.
- Identifying among the access records an access record corresponding to the PSK on which the connection request is based.
- Providing the target device with a network entity identifier for use with the wireless network.
- Exposing to the target device one or more network services according to the access policy associated with the PSK in the identified corresponding access record.
According to a second aspect of the present invention, there is provided an administrator device for onboarding client devices in a wireless network, comprising a processing circuit executing a code for:
- Generating a request for providing access to the wireless network for a target device, defining an allocated Pre-Shared Key (PSK) and an assigned access policy for the wireless network.
- Sending the request to an authentication entity of the wireless network to be stored in a database as an access record.
- Creating a proximity enabled transfer scheme encoding the PSK.
- Generating instructions to facilitate an exposure of the proximity enabled transfer scheme, to enable capturing the proximity enabled transfer scheme by the target device, when in proximity to the administrator device, for connecting to the wireless network using the PSK extracted from the proximity enabled transfer scheme.
According to a third aspect of the present invention, there is provided an administrator device for onboarding client devices in a wireless network, comprising a processing circuit executing a code for:
- Generating and storing in a database an access record for providing access to a wireless network for a target device, the access record defining a client identity and a password, and including a link to one of a plurality of access policy groups for the wireless network.
- Creating a proximity enabled transfer scheme encoding the client identity and the password.
- Generating instructions to facilitate an exposure of the proximity enabled transfer scheme, to enable capturing the proximity enabled transfer scheme by the target device for connecting to the wireless network using the client identity and password extracted from the proximity enabled transfer scheme, for authentication.
According to a fourth aspect of the present invention, there is provided a method for onboarding client devices in a wireless network, comprising:
- Receiving from a target device a connection request to the wireless network, the connection request based on a Pre-Shared Key (PSK).
- Accessing a database storing one or more access records, each of the access records binding between a respective PSK and an access policy.
- Identifying among the access records an access record corresponding to the PSK on which the connection request is based.
- Providing the target device with an assigned Internet Protocol (IP) address and an assigned Domain Name System (DNS) identity for use with the wireless network.
- Exposing to the target device one or more network services according to the access policy associated with the PSK in the identified corresponding access record.
According to a fifth aspect of the present invention, there is provided a method for onboarding client devices in a wireless network, comprising:
- Generating a request for providing access to the wireless network for a target device, defining an allocated Pre-Shared Key (PSK) and an assigned access policy for the wireless network.
- Sending the request to an authentication entity of the wireless network to be stored in a database as an access record.
- Creating a proximity enabled transfer scheme encoding the PSK.
- Generating instructions to facilitate an exposure of the proximity enabled transfer scheme, to enable capturing the proximity enabled transfer scheme by the target device, when in proximity to the administrator device, for connecting to the wireless network using the PSK extracted from the proximity enabled transfer scheme.
According to a sixth aspect of the present invention, there is provided a method for onboarding client devices in a wireless network, comprising:
- Generating and storing in a database an access record for providing access to the wireless network for a target device, the access record defining a client identity and a password, and including a link to one of a plurality of access policy groups for the wireless network.
- Creating a proximity enabled transfer scheme encoding the client identity and the password.
- Generating instructions to facilitate an exposure of the proximity enabled transfer scheme, to enable capturing the proximity enabled transfer scheme by the target device for connecting to the wireless network using the client identity and password extracted from the proximity enabled transfer scheme, for authentication.
According to a seventh aspect of the present invention, there is provided a computer program product including computer program code, which, when executed by a processor, causes the method according to any of the fourth, fifth or sixth aspect to be performed.
According to an eighth aspect of the present invention, there is provided a non-transitory computer-readable recording medium that stores therein a computer program product which, when executed by a processor, causes the method according to any of the fourth, fifth or sixth aspect to be performed.
Onboarding guest device access via instantly created secure credentials allows easy, personalized wireless access and further facilitates imposing access policies, as the policy is linked to the credentials at the time the credentials are created. Furthermore, providing the client device with credentials that are associated with an access policy allows an unmodified client software/firmware of a mobile device to easily onboard a network with secure service access without a preinstalled Public Key Infrastructure (PKI) certificate. This allows access provisioning via another device, for example a friend's or an administrator's device. Moreover, the provisioned access is, according to the policy, only to the allowed network services and activities.
In a further implementation form of the first aspect, the PSK is transferred from an administrator device to the target device using a proximity enabled transfer scheme. The transfer of the PSK from the administrator device to the target device is facilitated by the proximity transfer scheme, allowing an easy, simple and quick process of onboarding the target device whose user is requesting access to the wireless network administrated by the administrator device.
In a further implementation form of the first and/or second and/or third aspects, the proximity enabled transfer scheme is a Quick Response (QR) code optically scanned from a screen of the administrator device by the target device. A QR optical code is a ubiquitous scheme to transfer data from one device to the other by presenting the optical code on a screen of one device and scanning the code by the other device, using a camera that captures the image from the presenting device. Use of the QR code eases the onboarding process by a simple and quick step of transferring the network entity identifier to the client device requesting to onboard the network.
In a further implementation form of the first aspect, the processing circuit further executes code for allowing different target devices to share a same Service Set Identifier (SSID), based on a personalized password derivative included in each of a plurality of connection requests received from each of a plurality of target devices. The personalized requests transmitted by the different target devices make it possible to distinguish between the target devices, although they share services under the same SSID. The distinction is made by using different passwords, which allows provisioning a different set of services to each device.
In a further implementation form of the first aspect, the processing circuit further executes code for limiting access to the wireless network by the target device according to a time limit defined in the access record. Limiting the access of an onboarding device to a pre-defined time limit provides additional control over the network, by controlling the duration for which a device that has been allowed to access the network is permitted to continue receiving services from the network.
In a further implementation form of the first aspect, the processing circuit further executes code for limiting access to the wireless network, based on the identified access record, to a single target device. Further control of the network utilization and load is achieved by limiting the access to a single target device, preventing multiple devices from accessing the network using the same access record.
In a further implementation form of the first aspect, limiting the access to the wireless network to a single target device is done by identifying the first MAC address associated device, out of a plurality of target devices requesting connection based on the same PSK, and limiting the access to that identified device. In controlling the client devices accessing the network, the access records may define that only a single client device is allowed to access the network using a specific PSK. When multiple client devices request access using the same PSK, the access point limits the access to the first device that requested it. The first device is identified by its MAC address. This limitation provides enhanced control over the connected devices and over the load on the network.
In a further implementation form of the first aspect, the network entity identifier comprises an assigned Internet Protocol (IP) address and an assigned Domain Name System (DNS) identity.
In a further implementation form of the second aspect, the assigned access policy is defined by providing a link or a unique identifier to one of a plurality of different access policy groups. Defining different policy groups and linking them to the access records provides flexibility in controlling the set of services, and the conditions for provisioning those services, for different client devices. As different client devices may use different PSKs, the different access records with different access policies linked to them make it possible to distinguish between the client devices and expose them to different sets of services, based on the policies allocated to them.
In a further implementation form of the second aspect, the processing circuit further executes code for encoding a personalized password in the proximity enabled transfer scheme, allowing different target devices to share a same Service Set Identifier (SSID). The personalized requests transmitted by the different target devices make it possible to distinguish between the target devices, although they share services under the same SSID. The distinction is made by using different passwords, which may be embedded in the proximity transfer scheme, allowing provisioning a different set of services to each device.
In a further implementation form of the second aspect, the processing circuit further executes code for generating a request for modifying access records in the database. An administrator device with the capacity to modify the access records may allow the administrator to change definitions in the access records and modify the parameters of the records, for example changing the access policy associated with certain PSKs. This flexibility provides enhanced control over the client devices that will onboard the network.
In a further implementation form of the second aspect, the processing circuit further executes code for including in the request a link or a unique identifier to one of a plurality of different access policy groups. The administrator device can thereby define, in the request to provide access to target devices, different policy groups. This allows the administrator device flexibility in controlling the set of services, and the conditions for provisioning those services, for different client devices. As different client devices may use different PSKs, the different access records with different access policies linked to them make it possible to distinguish between the client devices and expose them to different sets of services, based on the policies allocated to them.
In a further implementation form of the second aspect, the processing circuit further executes code for generating a request for scheduling a lifetime of the access record. The administrator device's control over the network is enhanced by allowing it to request that an access record be valid for a certain pre-defined time frame only. By giving the administrator device the ability to control the expiration time of an access record, closer and tighter monitoring and control of the client devices is achieved.
In a further implementation form of the second and/or third aspects, the proximity enabled transfer scheme is a visibly present transfer scheme, and the generated instructions to facilitate the exposure of the proximity enabled transfer scheme are instructions to display the visibly present transfer scheme on a screen of the administrator device for optical scanning by the target device. A visibly present transfer scheme is a ubiquitous scheme for transferring data from one device to another by presenting a visible code on the screen of one device and scanning the code with the other device, using a camera that captures the image from the presenting device. Use of the visibly present transfer scheme eases the onboarding process by a simple and quick step of transferring the PSK, as an example, to the client device requesting to connect to the network.
Unless otherwise defined, all technical and/or scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which the invention pertains. Although methods and materials similar or equivalent to those described herein can be used in the practice or testing of embodiments of the invention, exemplary methods and/or materials are described below. In case of conflict, the patent specification, including definitions, will control. In addition, the materials, methods, and examples are illustrative only and are not intended to be necessarily limiting.
BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS
Some embodiments of the invention are herein described, by way of example only, with reference to the accompanying drawings. With specific reference now to the drawings in detail, it is stressed that the particulars shown are by way of example and for purposes of illustrative discussion of embodiments of the invention. In this regard, the description taken with the drawings makes apparent to those skilled in the art how embodiments of the invention may be practiced.
In the drawings:
FIG. 1 presents a flow chart of an exemplary process of onboarding client devices in a wireless network using access records binding between PSKs and access policies, according to some embodiments of the present invention;
FIG. 2 presents a flow chart of a second exemplary process of onboarding client devices in a wireless network using access records binding between PSKs and access policies, according to some embodiments of the present invention;
FIG. 3 presents a flow chart of a third exemplary process of onboarding client devices in a wireless network using access records binding between client identity and password, and access policies, according to some embodiments of the present invention;
FIG. 4 is a schematic illustration of an exemplary prior art system for setting up wireless access to guest devices using WPA-PSK protocol;
FIG. 5 is a schematic illustration of a second exemplary prior art system for setting up wireless access to guest devices using WPA-PSK Enterprise protocol;
FIG. 6 is a schematic illustration of an exemplary wireless network system for onboarding client devices in a wireless network using access records, according to some embodiments of the present invention;
FIG. 7 is a schematic illustration of a second exemplary wireless network system for onboarding client devices in a wireless network using access records, according to some embodiments of the present invention;
FIG. 8 is a schematic illustration of a third exemplary wireless network system for onboarding client devices in a wireless network using access records, according to some embodiments of the present invention.
DETAILED DESCRIPTION
The present invention, in some embodiments thereof, relates to wireless communications access setup and, more specifically, but not exclusively, to onboarding client devices in a wireless network.
The present invention presents devices, systems and methods for setting up access of client devices to a wireless network, in particular onboarding client devices in a wireless network using access records.
The wireless communication network may be a network deployed in different types of environment, for example, home network, commercial environment, public environment, enterprise and business environment and the like. Client devices may be any computing device that has the capability of communicating wirelessly, for example mobile devices, cellular phones, tablet computing devices, notebooks, desktop devices or any other mobile or stationary computing devices.
When a client device enters an environment which is covered by a wireless communication network, the client device may request to be connected to the wireless network in order to receive services from the wireless network, such as communication with other devices connected to the network, access to different applications, storage devices, servers and other devices and services managed on the network.
As used herein, the term “onboarding” means allowing a client device to connect to a wireless network and receive services from and through the network. An admin device may be any stationary or mobile computing device that is defined and has privileges in the wireless network as an administrator device. Such device may be a laptop, a cellular or other mobile phone, a desktop, tablet or the like. The admin device may generate a request to an authenticating entity of the network to provide access to an onboarding client device. Such request may define an allocated Pre-Shared Key (PSK) and an assigned access policy which defines the setup of the services the client device may be exposed to. The request from the admin device may be stored by the authentication entity as an access record. In an alternative implementation, the access record is generated and stored by the admin device. The access record may be used for onboarding client device that may request to connect to the network, as described above. In an alternative implementation the access record may define a client identity and a password for the client and may also include a link to one of a plurality of access policy groups. Each of the policy groups may define a different set of services and restrictions that can be provided and/or imposed on devices connecting to the network.
A user of the client device may approach the admin device in order to get connected to the network. The admin device may generate a proximity enabled transfer scheme that may encode the PSK, or in an alternative implementation, the client identity and password. A proximity enabled transfer scheme is a mean to transfer the encoded information to another device when in proximity to the admin device. The proximity enabled transfer scheme may be implemented as a Near Field Communication (NFC) scheme, a Quick Response (QR) code or the like. In an example implementation using a QR code, the admin device may display on a screen of the admin device a visual code, the QR code, and the user of the client device may approach the admin device, operate the client device to capture the image displayed on the screen of the admin device, using the camera of the client device. The client device, then, may extract the PSK, or alternatively the client identity and password, from the code and connect to the network.
Following the extraction of the PSK from the code, the client device may transmit a request to connect to the wireless network, based on the extracted PSK. An access point that receives the request may access the database in which the access records are stored and identify, among the access records stored thereon, an access record corresponding to the PSK provided in the request received from the client device. The access point may then provide the client device with a network entity identifier to be used with the wireless network. For example, the access point may provide an assigned Internet Protocol (IP) address and an assigned Domain Name System (DNS).
The access point may expose to the client device onboarding the network a set of network services according to the access policy associated with the access record identified for the client device. As described above, personalized wireless access, seamless onboarding and secure access to a preconfigured set of services are achieved by the described implementations. This allows multiple users with different pre-shared keys to share the same Service Set Identifier (SSID). The above implementations allow the provisioning of service access to be restricted based on a specific policy.
The access infrastructure may limit the use of a set of credentials to a single physical device only: it may identify the first associated device by its MAC address and allow only this device to communicate over the network. Further use of the device’s MAC address may allow additional policy based restrictions to be imposed. The user credentials may be time limited, being valid only for a predefined time interval.
The admin device may be installed with an Administration Application Programming Interface (API), which provides the admin device with a variety of functionalities, for example creating, editing or deleting access records, attaching predefined user policies to the access records, scheduling the lifetime of user records and the like. Managing user records, as for example described above, requires an API to the Authentication-Authorization-Accounting (AAA) platform.
The above described implementations may relieve client devices of the need to manage PKI certificates, and the connection scheme described above may work seamlessly with legacy devices.
In an exemplary embodiment, provisioning of client device onboarding to a wireless network is a dynamic identity based PSK provisioning. The admin device may allocate a new pre-shared key (PSKnew). The admin device may initiate an update request and may store the PSKnew at the AAA backend database as the access record, where it may be linked to an access policy group. The access record is not yet associated with any client and may have a limited lifespan. When a client device approaches the admin device (location proximity), the admin device lets the client read a QR code using a native camera application that may be installed on or connected to the client device. Following extraction of the information from the QR code, the client device may interpret it as a valid Wi-Fi network configuration and configure itself accordingly. The client device and an access point (AP) may start the WPA handshake while the AP has not yet learned the correct PSKnew. The AP may validate the client’s packet and determine that the client is using a PSK other than the one the AP currently holds. The AP may then access the AAA in a lookup operation to look for the correct PSKnew at the AAA server. The AAA server may find a match between the PSKnew provided by the client device and the client signature from the WPA handshake response. The AAA server may link the client MAC address with the found PSKnew. Upon the match, the AAA server may return the PSKnew securely to the AP. The AP may then override the default PSK with the new PSK provided in the RADIUS-Accept packet from the AAA. At this point, the AP may trigger a full WPA handshake with the client device using the PSKnew, which may be followed by authorization granted to the client device to connect to the network.
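The AAA lookup described in this embodiment, in which the server finds the provisioned PSKnew that reproduces the client's handshake signature, can be illustrated with the following added example. It is not code from the patent or from Huawei; it implements the standard WPA2-Personal key derivation (PBKDF2 PMK, PRF-384 PTK, HMAC-SHA1 MIC over EAPOL-Key message 2, key descriptor version 2) and applies it to a hypothetical record store. The SSID, MAC addresses, nonces, frame bytes and record layout are all constructed for the illustration.

```python
# Added example (not code from the patent): the AAA-side lookup that finds
# which provisioned PSKnew a client used by re-computing the MIC of WPA2
# 4-way handshake message 2 over each still-unassigned access record.
# Record layout, SSID, addresses, nonces and frame bytes are constructed.
import hashlib
import hmac

SSID = "guest-net"  # constructed SSID shared by all provisioned PSKs


def pmk_from_psk(psk: str, ssid: str) -> bytes:
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n on HMAC-SHA1: concatenate HMAC(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def kck_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Derive the 48-byte CCMP PTK and return its first 16 bytes, the KCK that keys the MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)[:16]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """HMAC-SHA1 MIC (truncated to 16 bytes) over the EAPOL-Key frame with its MIC field zeroed."""
    zeroed = frame[:81] + bytes(16) + frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes) -> bytes:
    """Constructed WPA2 EAPOL-Key message 2 with a zero MIC field (SNonce at 17..49, MIC at 81..97)."""
    key_data = b"\x30\x14" + bytes(20)            # placeholder RSN IE
    body = (b"\x02"                                # descriptor type: RSN
            + b"\x01\x0a"                          # key info: version 2, pairwise, MIC present
            + b"\x00\x10"                          # key length 16 (CCMP)
            + (1).to_bytes(8, "big")               # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16)   # nonce, IV, RSC, ID, MIC
            + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # EAPOL version 1, type Key


def client_msg2(psk: str, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """What the client sends: message 2 with the MIC computed under the PSK it read from the QR code."""
    frame = build_msg2(snonce)
    mic = eapol_mic(kck_from_pmk(pmk_from_psk(psk, SSID), aa, spa, anonce, snonce), frame)
    return frame[:81] + mic + frame[97:]


def aaa_match_psk(records: dict, aa: bytes, spa: bytes, anonce: bytes, msg2: bytes):
    """AAA lookup: return (psk, policy) of the unassigned record whose PSK reproduces the MIC, else None.

    records maps PSKnew -> {"policy": ..., "mac": None}. On a match the client MAC (SPA)
    is bound to the record, so a second device presenting the same PSK is refused.
    """
    snonce, received = msg2[17:49], msg2[81:97]
    for psk, rec in records.items():
        if rec["mac"] is not None:
            continue                                # already claimed by its first device
        kck = kck_from_pmk(pmk_from_psk(psk, SSID), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, msg2), received):
            rec["mac"] = spa
            return psk, rec["policy"]
    return None
```

Because PBKDF2 costs 4096 HMAC iterations per candidate record, an AAA server implementing this would store the PMK (computed once per SSID when the admin device creates the record) rather than deriving it on every lookup; only the cheap PTK and MIC steps then run per handshake.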
In an alternative embodiment, a modified QR code scheme may be deployed, which may not require special support at the Access Point (AP). The modified QR code scheme may be adapted to instantly configure secure Wi-Fi access. Client device support may require only a change in the interpretation of the QR code scheme. The modified QR code scheme enables configuring WPA-Enterprise with a protocol that hides the user identity, for example EAP-PEAP or EAP-TTLS. The QR code may encode the SSID, user@domain and password parameters needed to properly configure authentication. The access policy may be implicitly encoded in the client’s identity/password pair, which the server uses as a token. The service policy may be mapped into a time-limited authentication token.
Before explaining at least one embodiment of the invention in detail, it is to be understood that the invention is not necessarily limited in its application to the details of construction and the arrangement of the components and/or methods set forth in the following description and/or illustrated in the drawings and/or the Examples. The invention is capable of other embodiments or of being practiced or carried out in various ways.
The present invention may be a system, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.
The computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing.
Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network.
The computer readable program instructions may execute entirely on the user's computer, partly on the user's computer such as the user equipment (UE), as a stand-alone software package, partly on the user's computer and partly on a remote computer such as the network apparatus or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider). In some embodiments, electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present invention.
Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer readable program instructions.
The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts or carry out combinations of special purpose hardware and computer instructions.
Reference is now made to FIG. 1, which presents a flow chart of an exemplary process of onboarding client devices in a wireless network using access records binding between PSKs and access policies, according to some embodiments of the present invention.
Exemplary process 100 may be executed in order to onboard a client device in a wireless network. A client device, which is also referred to as a target device, may be a processor based device which has the capability to communicate with other devices over a wireless network. The target device may be a cellular phone, mobile device, laptop, tablet or any other personal assisting device, or a stationary device, for example a desktop computer, and the like. Process 100 may be executed when a target device enters a geographic area which is covered by one or more wireless networks. A user of the target device may want to use the target device and connect to the wireless network in order to access other devices connected to the wireless network, such as printers, storage devices and the like. The user may want to receive other services, provided by and through the wireless network, using the target device. The wireless network may be a private network, a publicly available network, e.g. in a commercial, tourism or enterprise environment, or another network deployed in a different type of establishment or facility. The wireless network may be able to provide different types of services which may be common or standard services, such as printing services, storage services or the like, and may be able to provide specific types of services that may be particular to the specific facility or establishment in which the network is operating. The wireless network may be able to provide services that may be restricted for some of the users. Therefore, different access policies may need to be imposed on different user client devices, so that different privileges may be allocated to different client devices or different users, possibly exposing different services or a different topology of the network.
In order to allow easy and simple onboarding of a new target device entering the operational area of a wireless network while allocating the services according to a required access policy fitted to the specific user and/or device, exemplary process 100 may be executed.
Exemplary process 100 may be executed by an Access Point device.
At step 102 a connection request to connect to a wireless network is received from a target device. The connection request may be sent from the target device when the target device enters the range of the wireless network and wireless communication is enabled within the target device. The connection request may be based on a Pre-Shared Key (PSK). The PSK may have been transferred to the target device from an administrator device before the connection request is sent. The administrator device may deploy a proximity enabled transfer scheme to transfer the PSK. The proximity enabled transfer scheme may use the Near Field Communication (NFC) wireless protocol, visual schemes such as a Quick Response (QR) code, or the like. For example, when using a QR code as the proximity enabled transfer scheme, the admin device may encode the information including the PSK into a visual image. The administrator device may present the QR code on the screen of the administrator device. The user of the target device may approach the administrator device and, using for example a native camera application which may be installed in the target device, capture the image of the QR code presented on the screen of the administrator device. The target device may then extract the information from the encoded code.
An example of a possible QR code scheme may be:
WIFI:S:ssid;I:Identity;P:password;E:PEAP;PH:MS-CHAPv2;;
The above is a string that is to be turned into a QR code. The scheme requires substituting each section with the relevant Wi-Fi information. The fields are as follows:
S - SSID
I - Identity
P - Password
E - EAP method (PEAP/TTLS)
PH - phase 2 authentication protocol (MS-CHAPv2/CHAP (Challenge-Handshake Authentication Protocol)).
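The following added example, which is not code from the patent, shows the two ends of this QR scheme: the admin device building the string from the five fields listed above (also the SSID, identity and password parameters of the WPA-Enterprise embodiment described earlier), and the client device parsing a scanned string. The field letters and the allowed E/PH values are taken from the text; the backslash-escaping of the characters `\ ; , : "` inside values is an assumption, borrowed from the common ZXing WIFI convention, since the patent does not specify one. The client-side parser treats the scanned code as untrusted input and rejects anything that is not exactly the expected fields.

```python
# Added example (not code from the patent): building and strictly parsing the
# "WIFI:" scheme string. Field letters S, I, P, E, PH and the allowed E/PH
# values come from the text; backslash-escaping of \ ; , : " in values is an
# assumption modelled on the common ZXing WIFI convention.
FIELDS = ("S", "I", "P", "E", "PH")
EAP_METHODS = ("PEAP", "TTLS")
PHASE2_METHODS = ("MS-CHAPv2", "CHAP")
SPECIAL = '\\;,:"'


def _escape(value: str) -> str:
    """Prefix every special character with a backslash so it cannot end or split a field."""
    return "".join("\\" + c if c in SPECIAL else c for c in value)


def build_wifi_scheme(ssid: str, identity: str, password: str,
                      eap: str = "PEAP", phase2: str = "MS-CHAPv2") -> str:
    """Admin-device side: produce the string that is then rendered as a QR code."""
    if eap not in EAP_METHODS:
        raise ValueError(f"unsupported EAP method {eap!r}")
    if phase2 not in PHASE2_METHODS:
        raise ValueError(f"unsupported phase 2 method {phase2!r}")
    parts = [f"S:{_escape(ssid)}", f"I:{_escape(identity)}",
             f"P:{_escape(password)}", f"E:{eap}", f"PH:{phase2}"]
    return "WIFI:" + ";".join(parts) + ";;"   # ';;' closes the last field and the scheme


def parse_wifi_scheme(text: str) -> dict:
    """Client-device side: decode a scanned string, treating it as untrusted input.

    Accepts exactly the five expected fields with allow-listed E/PH values, so a
    malformed or tampered code is rejected before anything reaches the supplicant.
    """
    if not text.startswith("WIFI:") or not text.endswith(";;"):
        raise ValueError("not a WIFI: scheme string")
    body = text[len("WIFI:"):-1]              # keep the last field's own ';' terminator
    fields, key, buf, i = {}, None, [], 0
    while i < len(body):
        c = body[i]
        if key is None:                       # reading the field letter(s) up to ':'
            if c == ":":
                key, buf = "".join(buf), []
            else:
                buf.append(c)
        elif c == "\\" and i + 1 < len(body):  # escaped character inside a value
            i += 1
            buf.append(body[i])
        elif c == ";":                        # an unescaped ';' ends the value
            if key in fields:
                raise ValueError(f"duplicate field {key}")
            fields[key], key, buf = "".join(buf), None, []
        else:
            buf.append(c)
        i += 1
    if key is not None or buf:
        raise ValueError("unterminated field")
    if set(fields) != set(FIELDS):
        raise ValueError(f"expected fields {FIELDS}, got {tuple(fields)}")
    if fields["E"] not in EAP_METHODS or fields["PH"] not in PHASE2_METHODS:
        raise ValueError("EAP or phase 2 method not on the allow-list")
    return fields
```

Round-tripping a password that contains `;` and `:` through `build_wifi_scheme` and `parse_wifi_scheme` is the check worth running: without escaping, such a password would terminate the P field early and leak its tail into a bogus field.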
At step 104, a database which stores access records may be accessed. The database may be accessed by an AP that executes process 100 when a connection request is received from a target device requesting to connect to the wireless network. The database may be implemented within an Authentication-Authorization-Accounting (AAA) infrastructure or server, in a storage device accessible by an AAA infrastructure or server, or the like. Each one of the access records may bind a certain PSK to an access policy. The access policy may define privileges and restrictions for a device which connects to the wireless network and is subject to the access policy. The access policy may define what services the affected target device may be provided with, as some of the services the network is capable of providing may be restricted from being offered to one target device but allowed for another target device, as defined in a different access record. The access policy may also define what network topology may be exposed to the target device connecting under the access policy.
At step 106, a certain access record may be identified in the database storing the access records, for example by the Access Point executing process 100. The certain access record may be identified by comparing the PSK on which the connection request is based with the PSK included in each of the access records. An access record whose PSK matches the PSK on which the request is based is identified in this step. According to the identified access record, an access policy assigned to the target device may be identified.
At step 108 the target device may be provided with an assigned Internet Protocol (IP) address and an assigned Domain Name System (DNS) identity. For example, the AP executing exemplary process 100 may provide the IP address and DNS to the target device. The target device may use the IP address and DNS identity when connecting to the wireless network.
At step 110, a set of one or more services that the network is capable of providing may be exposed to the target device while it utilizes the wireless connection. The set of services may be defined by the access policy associated with the certain access record identified in step 106. The services exposed to the target device may be a certain network topology mapped with the devices the target device is allowed to access under the certain access policy; the services may also include access to applications that would otherwise be restricted, or other services.
Different target devices may request to connect to the wireless network. In such situation, the AP that may execute process 100 may allow different target devices to share a same Service Set Identifier (SSID), based on a personalized password derivative included in each of the connection requests received from the different target devices.
An entity which executes process 100, for example an AP, will limit access to the wireless network to a single target device when a plurality of target devices request to connect to the network using the same PSK. This limitation may be based on the identified access record. In such a case, the single target device may be identified as the first device requesting the connection, identified by the MAC address associated with the first device.
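As an added illustration of steps 104 to 110 together with the single-device limitation just described and the time limit on credentials mentioned earlier, the following is an in-memory model of the access record database and of the AP-side checks. It is not the patent's code: the policy contents, PSKs, MAC addresses, address pool, DNS address and timestamps are constructed, and the class and method names are hypothetical. Keying the records by an identity/password pair, as in process 300 below, works the same way with the PSK field replaced by the identity.

```python
# Added example (not code from the patent): an in-memory model of the access
# record database consulted by the AP in steps 104-110, with the first-MAC
# single-device rule and the credential time limit. All policies, PSKs, MACs,
# addresses and timestamps are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    services: frozenset      # services exposed to devices under this policy
    topology: frozenset      # hosts/subnets the device is allowed to see


@dataclass
class AccessRecord:
    psk: str
    policy: AccessPolicy
    expires_at: int                   # epoch seconds after which the PSK is no longer valid
    bound_mac: Optional[str] = None   # set to the first device that used this PSK


class AccessRecordDB:
    """The AAA-side store: one record per allocated PSK, each bound to an access policy."""

    def __init__(self) -> None:
        self._by_psk = {}

    def add(self, rec: AccessRecord) -> None:
        if rec.psk in self._by_psk:
            raise ValueError("PSK already allocated")
        self._by_psk[rec.psk] = rec

    def authorize(self, psk: str, mac: str, now: int):
        """Step 106: find the record for this PSK and apply its restrictions.

        Returns (policy, "ok") or (None, reason). The first MAC seen with a PSK
        claims the record; later MACs presenting the same PSK are refused.
        """
        rec = self._by_psk.get(psk)
        if rec is None:
            return None, "no matching access record"
        if now >= rec.expires_at:
            return None, "credential expired"
        if rec.bound_mac is None:
            rec.bound_mac = mac
        elif rec.bound_mac != mac:
            return None, "PSK already bound to another device"
        return rec.policy, "ok"


class AccessPoint:
    """AP side of process 100: one SSID shared by every PSK, services chosen per policy."""

    def __init__(self, db: AccessRecordDB, ssid: str,
                 pool: str = "10.10.0.0/24", dns: str = "10.10.1.53") -> None:
        self.db, self.ssid, self.dns = db, ssid, dns
        self._hosts = ipaddress.ip_network(pool).hosts()
        self._leases = {}             # MAC -> assigned IP address (step 108)

    def onboard(self, psk: str, mac: str, now: int) -> dict:
        """Steps 104-110 for one connection request; the dict is what the client would be told."""
        policy, status = self.db.authorize(psk, mac, now)
        if policy is None:
            return {"ssid": self.ssid, "status": status}
        if mac not in self._leases:   # a reconnecting device keeps its address
            self._leases[mac] = str(next(self._hosts))
        return {"ssid": self.ssid, "status": "ok", "ip": self._leases[mac], "dns": self.dns,
                "policy": policy.name, "services": policy.services, "topology": policy.topology}
```

The refusal reasons returned by `authorize` are the events a defender would log and alert on: a second MAC presenting an already-bound PSK, or a PSK used after its interval, are the signals that a transfer scheme was captured by more than the intended device.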
Reference is now made to FIG. 2, which presents a flow chart of a second exemplary process of onboarding client devices in a wireless network using access records binding between PSKs and access policies, according to some embodiments of the present invention.
Exemplary process 200 may be executed in order to onboard a client device in a wireless network. A client device, which is also referred to as a target device, may be a processor based device which has the capability to communicate with other devices over a wireless network. The target device may be a cellular phone, mobile device, laptop, tablet or any other personal assisting device, or a stationary device, for example a desktop computer, and the like.
Exemplary process 200 may be executed by an administrator device, also referred to herein as an admin device. An admin device may be any stationary or mobile computing device that is defined in the wireless network as an administrator device and has administrator privileges. Such a device may be a laptop, a cellular or other mobile phone, a desktop, a tablet or the like. Exemplary process 200 may be used to facilitate easy and quick onboarding of a target device that is requesting to connect to a wireless network. At step 202, a request for providing access to the wireless network for a target device is generated, for example by the administrator device. The request may be forwarded to an AAA infrastructure server. The request may define an allocated PSK and an assigned access policy for the wireless network. This step may be repeated for multiple PSKs such that a different access policy may be assigned to each PSK. This gives the advantage of setting different sets of services for potential target devices that may request to connect to the network. By assigning different PSKs to different access policies, the admin device may facilitate the provisioning of different services to different target devices, where each PSK is associated with a different access policy.
In step 204, the entity executing exemplary process 200, which may be the administrator device, may send the request to an authentication entity of the wireless network, for example an AAA server or infrastructure. The AAA server or authentication entity may store the request in a database as an access record. The database may store multiple access records, where each record may include a different PSK and an access policy associated with the specific PSK.
In step 206, a proximity enabled transfer scheme is created. The proximity enabled transfer scheme may encode the PSK or, in an alternative implementation, the client identity and password. A proximity enabled transfer scheme is a means of transferring the encoded information to another device when that device is in proximity to the admin device. The proximity enabled transfer scheme may be implemented as a Near Field Communication (NFC) scheme, a Quick Response (QR) code or the like.
In step 208, an instruction to facilitate exposure of the proximity enabled transfer scheme may be generated, for example by the admin device. The exposure enables the target device to capture the proximity enabled transfer scheme when in proximity to the administrator device.
In an example implementation using a QR code as the proximity enabled transfer scheme, the admin device may display on a screen of the admin device a visual code, the QR code, and the user of the client device may approach the admin device, operate the client device to capture the image displayed on the screen of the admin device, using the camera of the client device. The client device, then, may extract the PSK or in an alternative implementation, the client identity and password, and use the PSK, or the client identity and password, to connect to the network.
Reference is now made to FIG. 3, which presents a flow chart of a third exemplary process of onboarding client devices in a wireless network using access records binding between client identity and password, and access policies, according to some embodiments of the present invention.
Exemplary process 300 may be executed in order to onboard a client device in a wireless network. A client device, which is also referred to as a target device, may be a processor based device which has the capability to communicate with other devices over a wireless network. The target device may be a cellular phone, mobile device, laptop, tablet or any other personal assisting device, or a stationary device, for example a desktop computer, and the like.
Exemplary process 300 may be executed by an administrator device, also referred herein as an admin device. An admin device may be any stationary or mobile computing device that is defined and has privileges in the wireless network as an administrator device. Such device may be a laptop, a cellular or other mobile phone, a desktop, tablet or the like. Exemplary process 300 may be used to facilitate easy and quick onboarding of a target device that is requesting to connect to a wireless network.
At step 302, an access record for providing access to a wireless network for a target device may be generated and stored in a database. The access record may define a client identity and a password, and may include a link to one of a plurality of access policy groups for the wireless network. The database may store multiple access records, each of which may define a different pair of client identity and password and may include a link to a different access policy group. In this way, each access record may be used to configure a different set of services and a different exposure to the network for different target devices, according to their different pairs of client identity and password. The database may be implemented in an AAA infrastructure or server.
In step 304, a proximity enabled transfer scheme is created. The proximity enabled transfer scheme may encode the client identity and password. A proximity enabled transfer scheme is a means of transferring the encoded information to another device when that device is in proximity to the admin device. The proximity enabled transfer scheme may be implemented as a Near Field Communication (NFC) scheme, a Quick Response (QR) code or the like.
In step 306, an instruction to facilitate exposure of the proximity enabled transfer scheme may be generated, for example by the admin device. The exposure enables the target device to capture the proximity enabled transfer scheme when in proximity to the administrator device.
In an example implementation using a QR code as the proximity enabled transfer scheme, the admin device may display on a screen of the admin device a visual code, the QR code, and the user of the client device may approach the admin device, operate the client device to capture the image displayed on the screen of the admin device, using the camera of the client device. The client device, then, may extract the client identity and password, and use the client identity and password for authentication process in connecting to the wireless network.
Reference is now made to FIG. 4, which is a schematic illustration of an exemplary prior art system for setting up wireless access to guest devices using WPA-PSK protocol.
System 400 describes an environment which has an available wireless network that wireless communication capable devices can connect to. A connected device 404 is a device already connected to the network. Access by the devices is conducted through the deployment of an Access Point (AP) 406. Administration personnel 408 may be responsible for managing and administering restrictions, procedures and processes for onboarding devices, etc. A guest device 402 may be used by a user who may want to get services and utilize the wireless network. In the example of system 400, a common application using the WPA-PSK protocol is utilized. The password is shared among different users, so no personalization can be achieved. The wireless access credentials can be handed over from a connected device 404 to a nearby guest device 402 via Near Field Communication (NFC) or Quick Response (QR) code scanning 410. The guest device 402 is configured to access the network at 412 and communicates with the AP 406 by probing the network using a client MAC address 414. An out of band operation takes place to attach the MAC address to a defined policy group 418. A full WPA handshake using the PSK is conducted, followed by authorization of the guest device 416. In such an application the network provides the connected devices with a view of the entire network topology and all services, so restriction can only be achieved by deploying a firewall at the Media Access Control (MAC) level. Such a deployment is complex to configure and hard to maintain.
Reference is now made to FIG. 5, which is a schematic illustration of a second exemplary prior art system for setting up wireless access to guest devices using WPA-PSK Enterprise protocol.
System 500 describes an enterprise environment of a wireless network managed using the WPA-PSK Enterprise protocol. System 500 requires deployment of an AAA infrastructure 508. Onboarding of a guest device 502 cannot be handed over from a connected device to the guest device 502. An out of band operation needs to be conducted, for example under the supervision of administration personnel 504. The out of band operation may require providing the administrator 504 with the MAC address 510 of the guest device 502. The administrator will store the MAC address and PSK as a record with a link to a policy group 512 at the AAA infrastructure 508. The guest device 502 has to be manually configured to access the network 514. The guest device 502 probes the network by communicating with an Access Point (AP) 516, which accesses the AAA infrastructure to look up the correct PSK 518. The AP retrieves the encrypted PSK 520 from the AAA 508 and overrides the existing PSK 522. At this stage a full WPA handshake operation can be initiated with the retrieved PSK, followed by authorization 524. This process allows flexible policy definition and enforcement, but requires prior knowledge of the client device MAC address to enable policy group enforcement via the AAA user database.
Reference is now made to FIG. 6, which is a schematic illustration of an exemplary wireless network system for onboarding client devices in a wireless network using access records, according to some embodiments of the present invention.
System 600 may be a wireless communication network operating as a private network, a public network, an enterprise network and the like. A guest device 602 may enter the area which is covered by the wireless network and may request to connect to the network in order to obtain services provided by the network, for example access to devices connected to the network such as printers, scanners, storage devices, servers and the like, and access to applications the network may offer. The guest device 602 may be a mobile device, for example a cellular phone, smart-phone, Personal Digital Assistant (PDA) device, laptop, tablet or the like. The guest device may have the capability of communicating through wireless communication. The guest device may embed a camera and a native application to operate the camera, or may be connected to a camera.
An admin device 604, alternatively referred to as an administrator device, may be a mobile device or a stationary device with privileges to conduct administration operations within the wireless network. The admin device may operate to facilitate personalized wireless access, seamless onboarding and secure access to a preconfigured set of services. The system may include an authorization and access infrastructure 606, for example a server, and storage device(s) which may be used for storing a database 608. The admin device 604 may generate a user and an assigned access policy for the user. The admin device may request 610 the creation of a user record from the authorization and access infrastructure 606. The user record, also referred to as an access record, may define a set of network services that may be allowed to be provided to the assigned user when connecting to the network. The authorization and access infrastructure may create and store the user record and its associated allowed services set in a database 612, which may be implemented as a storage device accessible to the authorization and access infrastructure, optionally through the wireless network.
The admin device 604 may be installed with an Administration Application Programming Interface (API), which may provide the admin device 604 with a variety of functionalities, for example creating, editing or deleting access records, attaching predefined user policies to the access records, scheduling the lifetime of user records and the like. Managing user records, as for example described above, may require an API to the Authentication-Authorization-Accounting (AAA) platform.
The admin device 604 may create a proximity enabled transfer scheme. The proximity enabled transfer scheme may encode the credentials, for example a client identity and password. A proximity enabled transfer scheme is a means of transferring the encoded information to another device when that device is in proximity to the admin device. The proximity enabled transfer scheme may be implemented as a Near Field Communication (NFC) scheme, a Quick Response (QR) code or the like.
In 614, the guest device may approach the admin device 604 to within a proximity that allows the proximity enabled transfer scheme to operate. The admin device 604 may facilitate the exposure of the proximity enabled transfer scheme to the guest device. For example, an image of the QR code may be presented on the display of the admin device 604. The exposure enables the guest device to capture the proximity enabled transfer scheme. In an example implementation using a QR code as the proximity enabled transfer scheme, the user of the guest device 602 may operate the client device to capture the image displayed on the screen of the admin device, using the camera of the client device. The client device 602 may then extract the credentials and use them to access the wireless network 616. The authorization and access infrastructure 606 may receive the connection request from the guest device, including the credentials extracted from the QR code 616, and may conduct a lookup in the database 618 to identify a match between the credentials provided by the guest device and a user record stored in the database 608. Upon identifying the matching record, the access policy associated with the matching access record is looked up. According to the access policy identified by the authorization and access infrastructure based on the matching access record, the authorization and access infrastructure may configure the service access that may be provided to the guest device 620. At 622, the authorization and access infrastructure may authenticate the guest device 602 and provide the guest device with an assigned Internet Protocol (IP) address and a Domain Name System (DNS) to allow the guest device to connect to the network and receive the services configured for it.
The admin device may define that user credentials are limited in time. Using different access records for different guest devices 602 may allow multiple users with different pre-shared keys to share the same SSID. The admin device may define that the authorization and access infrastructure will limit the use of a set of credentials to a single physical device 602. By identifying the MAC address of the first guest device using the credentials, the authorization and access infrastructure may allow traffic from the MAC address of the first associated device only.
Reference is now made to FIG. 7, which is a schematic illustration of a second exemplary wireless network system for onboarding client devices in a wireless network using access records, according to some embodiments of the present invention.
System 700 may be a wireless communication network operating as a private network, a public network, an enterprise network or the like, and may be based on dynamic identity based PSK provisioning. A guest device 702 may enter the area covered by the wireless network and may request to connect to the network in order to obtain services provided by the network, for example access to devices connected to the network such as printers, scanners, storage devices, servers and the like, and access to applications the network may offer. The guest device 702 may be a mobile device, for example a cellular phone, smart-phone, Personal Digital Assistant (PDA) device, laptop, tablet or the like. The guest device may have the capability of communicating through wireless communication. The guest device may embed a camera and a native application to operate the camera, or may be connected to a camera.
An admin device 704, alternatively referred to as an administrator device, may be a mobile device or a stationary device with privileges to conduct administration operations within the wireless network. The admin device may operate to facilitate personalized, seamless onboarding to wireless access and secure access to a preconfigured set of services. The admin device may use a processing circuit or circuits that execute code stored in a program store embedded in the admin device. The system may include an Access Point (AP) device 706 that may use a processing circuit or circuits that execute code stored in a program store embedded in the AP.
In 710, the admin device 704 may generate a new PSK (PSKnew) and send a request to an Authentication-Authorization-Accounting (AAA) infrastructure 708, for example a server, to create and store an access record with a link to a policy group.
The access record may define a set of network services that may be provided to a user when connecting to the network. The AAA 708 may create and store access records and the associated allowed services defined by policy groups in a database, which may be implemented as a storage device accessible to the AAA infrastructure. The access record, also referred to as a client unassociated record, may have a limited lifespan.
The admin device 704 may be installed with an Administration Application Programming Interface (API), which may provide the admin device 704 with a variety of functionalities, for example creating, editing or deleting access records, attaching predefined user policies to the access records, scheduling the lifetime of user records and the like. Managing user records, for example as described above, may require an API with the AAA platform. The admin device 704 may create a proximity enabled transfer scheme encoding the PSKnew. In 712, the guest device 702 may approach the admin device 704 to within a distance at which the proximity enabled transfer scheme can operate. The admin device 704 may facilitate the exposure of the proximity enabled transfer scheme to the guest device; for example, an image of the QR code may be presented on the display of the admin device 704. The exposure enables the guest device 702 to capture the proximity enabled transfer scheme. In an example implementation using a QR code as the proximity enabled transfer scheme, the user of the guest device 702 may operate the client device to capture the image displayed on the screen of the admin device 704, using the camera of the client device. The client device 702 may then extract the PSKnew from the QR code, interpret the QR code as a valid Wi-Fi network configuration, and, at 714, configure the guest device accordingly.
At 716, the client device 702 and the AP 706 may start the WPA handshake process. At this point, the AP has not yet learned the correct PSKnew. The AP 706 may attempt to validate the client device's packet using, for example, a default PSK, and may conclude that the client device 702 is using a wrong PSK.
At 718, the Access Point 706 may conduct a lookup operation at the AAA server 708 to identify the correct PSKnew among the access records stored by the AAA.
At 720, the AAA server 708 may find a match between the PSKnew of an access record and the client signature from the WPA handshake process of step 716. The AAA server may link the MAC address of the guest device to the PSKnew and, at 722, return the PSKnew securely to the AP, for example encrypted, for example in a RADIUS Access-Accept packet.
At 724, the AP 706 may replace the PSK it used in the partial handshake of 716 with the new PSK, PSKnew.
At 726, the AP may trigger a 4-way handshake with the guest device 702 using the PSKnew, followed by authorization.
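An added example (not the patent's code) of what the AAA server does at 718-722. The patent only says that the AAA matches a stored PSKnew against the client signature from the handshake; the example assumes that signature is the MIC of EAPOL-Key message 2, which the supplicant computes with the KCK derived from its PSK, the SSID, both MAC addresses and both nonces (WPA2-Personal, key descriptor version 2). The record list, SSID, addresses and nonces are constructed test data, and the `supplicant_msg2` function stands in for the guest device so that the example runs offline.

```python
"""AAA-side identification of PSKnew from the WPA2 4-way handshake (FIG. 7, 716-722).

Constructed example, not the patent's code. Assumes the "client signature" is
the MIC in EAPOL-Key message 2 (HMAC-SHA1-128, key descriptor version 2).
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional

EAPOL_HDR = 4                 # version, type, length
SNONCE_OFF = EAPOL_HDR + 13   # after descriptor type, key info, key length, replay counter
MIC_OFF = EAPOL_HDR + 77      # ... + nonce(32) + IV(16) + RSC(8) + ID(8)


@dataclass
class AccessRecord:
    psk: str            # PSKnew generated by the admin device at 710
    policy_group: str   # link to a policy group


def pmk_from_psk(psk: str, ssid: str) -> bytes:
    # WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)


def derive_kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # IEEE 802.11 PRF for the PTK; the KCK is the first 16 bytes, so only the
    # first HMAC block of the PRF is needed.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    block0 = hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + b"\x00", hashlib.sha1).digest()
    return block0[:16]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    # Key descriptor version 2: HMAC-SHA1 over the frame with the MIC field zeroed, truncated to 16
    zeroed = frame[:MIC_OFF] + b"\x00" * 16 + frame[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    # Minimal EAPOL-Key message 2: RSN descriptor, key info = Pairwise | MIC | version 2, no key data
    body = (struct.pack(">BHH", 2, 0x010A, 16) + b"\x00" * 8 + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + mic + struct.pack(">H", 0))
    return struct.pack(">BBH", 2, 3, len(body)) + body


def supplicant_msg2(psk: str, ssid: str, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # What the guest device sends at 716, computed from the PSK it read off the QR code
    kck = derive_kck(pmk_from_psk(psk, ssid), aa, spa, anonce, snonce)
    return build_msg2(snonce, eapol_mic(kck, build_msg2(snonce)))


def resolve_psk(records: List[AccessRecord], ssid: str, aa: bytes, spa: bytes,
                anonce: bytes, msg2: bytes) -> Optional[AccessRecord]:
    """Steps 718-720: try each stored PSKnew until one reproduces the supplicant's MIC."""
    snonce = msg2[SNONCE_OFF:SNONCE_OFF + 32]
    presented = msg2[MIC_OFF:MIC_OFF + 16]
    for rec in records:
        kck = derive_kck(pmk_from_psk(rec.psk, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, msg2), presented):
            return rec
    return None


if __name__ == "__main__":
    # Constructed test data: one stale record and the record the guest was given.
    ssid, aa, spa = "guest-net", bytes.fromhex("0011223344aa"), bytes.fromhex("66778899bbcc")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    records = [AccessRecord("stale-psk-0001", "printers"), AccessRecord("xk7Q-PSKnew-9f2", "conference")]
    msg2 = supplicant_msg2("xk7Q-PSKnew-9f2", ssid, aa, spa, anonce, snonce)
    print(resolve_psk(records, ssid, aa, spa, anonce, msg2))
```

Two operational points follow from the code. PBKDF2 with 4096 iterations runs once per candidate, so a production AAA should store the PMK with each record when it is created (the SSID is fixed) and redo only the cheap PRF and HMAC per lookup. And the same search is available to anyone who captures message 2 off the air, so PSKnew must be long and random rather than memorable; the QR transfer removes the usual reason for short passphrases. With WPA3-SAE the AP needs the password during the exchange and the PMK is not a function of the passphrase alone, so this after-the-fact lookup does not carry over unchanged.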
Reference is now made to FIG. 8, which is a schematic illustration of a third exemplary wireless network system for onboarding client devices in a wireless network using access records, according to some embodiments of the present invention. System 800 may be a wireless communication network operating as a private network, a public network, an enterprise network or the like, and may be based on a modified QR code scheme that does not require special support at the Access Point. A guest device 802, alternatively referred to as a client device or target device, may enter the area covered by the wireless network and may request to connect to the network in order to obtain services provided by the network, for example access to devices connected to the network such as printers, scanners, storage devices, servers and the like, and access to applications the network may offer. The guest device 802 may be a mobile device, for example a cellular phone, smart-phone, Personal Digital Assistant (PDA) device, laptop, tablet or the like. The guest device may have the capability of communicating through wireless communication. The guest device may embed a camera and a native application to operate the camera, or may be connected to a camera.
An admin device 804, alternatively referred to as an administrator device, may be a mobile device or a stationary device with privileges to conduct administration operations within the wireless network. The admin device may operate to facilitate personalized, seamless onboarding to wireless access and secure access to a preconfigured set of services. The admin device may use a processing circuit or circuits that execute code stored in a program store embedded in the admin device. The system may include an Access Point (AP) device 806 that may use a processing circuit or circuits that execute code stored in a program store embedded in the Access Point.
In 810, the admin device 804 may generate an access record which may define a user name (user identity (ID)) and password and may include a link to a policy group. The policy group may be one of a plurality of policy groups, where each policy group defines a set of services that may be a subset of all services the wireless network offers to connecting users. Each policy group may define a different or partially different set of services. The policy groups may allow a different visible network topology and a different set of services to be provided to different users. The admin device may store the access record in a database, which may be implemented as a storage device accessible to the AAA infrastructure 808.
The admin device 804 may be installed with an Administration Application Programming Interface (API), which may provide the admin device 804 with a variety of functionalities, for example creating, editing or deleting access records, attaching predefined user policies to the access records, scheduling the lifetime of user records and the like. Managing user records, for example as described above, may require an API with the AAA platform.
The admin device 804 may create a proximity enabled transfer scheme encoding the user ID and password. The proximity enabled transfer scheme may encode the SSID, user@domain and password.
In 812, the guest device 802 may approach the admin device 804 to within a distance at which the proximity enabled transfer scheme can operate. The admin device 804 may facilitate the exposure of the proximity enabled transfer scheme to the guest device. For example, as described for system 800, the proximity enabled transfer scheme may be implemented as a QR code, and an image of the QR code may be presented on the display of the admin device 804. The exposure enables the guest device 802 to capture the proximity enabled transfer scheme. In the example implementation using a QR code as the proximity enabled transfer scheme, as depicted in system 800, the user of the guest device 802 may operate the client device to capture the image displayed on the screen of the admin device 804, using the camera of the client device. The client device 802 may then read and extract the user identity and password, or the SSID, user@domain and password, from the QR code at 812, and at 814 may configure the network access accordingly for proper authentication using the user identity and password.
At 816, the client device 802 may initiate a WPA-Enterprise handshake with the Access Point. At 818, the AP may initiate a WPA-Enterprise handshake with the AAA infrastructure 808. The handshake process may be followed by authorization.
System 800 may define a modified QR code scheme that instantly configures secure Wi-Fi access for guest devices 802. The modified QR code scheme may enable configuring WPA-Enterprise with a protocol that hides the user identity (EAP-PEAP/EAP-TTLS). The access policy may be implicitly encoded in a client's identity/password pair, which the AAA server 808 uses as a token. The access record may be limited in lifetime by mapping the service policy into a time limited authentication token.
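An added example (not the patent's code) of the payload the admin device 804 would put in the QR code at 810-812 and of the guest-side parsing at 814; it serves the PSK form of system 700 (step 714, "interpret the QR code as a valid Wi-Fi network configuration") as well. It uses the `WIFI:` text format that ZXing-based scanners and Android understand, with the `E` (EAP method), `A` (anonymous outer identity), `I` (inner identity) and `PH2` (phase-2 method) fields that ZXing's Wi-Fi result parser recognises. That the guest device's native scanner accepts these enterprise fields is an assumption (iOS's built-in scanner, for instance, handles only the PSK form), and the SSID, identities and passwords are constructed test values.

```python
"""WIFI: QR payload for Wi-Fi onboarding (FIG. 8, steps 810-814; FIG. 7, step 714).

Constructed example, not the patent's code. Assumes the WIFI: text format used
by ZXing-based scanners, including its enterprise fields E, A, I and PH2.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

_SPECIAL = '\\;,":'                      # characters that must be backslash-escaped in a field value
_FIELD = re.compile(r'([A-Z0-9]+):((?:\\.|[^\\;])*);')


@dataclass
class WifiConfig:
    ssid: str
    security: str                        # "WPA" for PSK networks, "WPA2-EAP" for enterprise
    password: str
    identity: Optional[str] = None       # inner identity, the user@domain from the access record
    anonymous: Optional[str] = None      # outer identity sent in clear during EAP phase 1
    eap: Optional[str] = None            # "PEAP" or "TTLS"
    phase2: Optional[str] = None         # inner method, e.g. "MSCHAPV2"


def _escape(value: str) -> str:
    return "".join("\\" + ch if ch in _SPECIAL else ch for ch in value)


def encode(cfg: WifiConfig) -> str:
    """Admin side: build the text the QR code will carry."""
    fields = [("T", cfg.security), ("S", cfg.ssid)]
    if cfg.eap:
        if not cfg.identity:
            raise ValueError("enterprise config needs an inner identity")
        # Default the outer identity to an anonymous one in the user's realm, so the
        # user@domain from the access record never goes over the air in clear.
        realm = cfg.identity.split("@")[-1]
        fields += [("E", cfg.eap),
                   ("A", cfg.anonymous or "anonymous@" + realm),
                   ("I", cfg.identity),
                   ("PH2", cfg.phase2 or "MSCHAPV2")]
    fields.append(("P", cfg.password))
    return "WIFI:" + "".join(f"{k}:{_escape(v)};" for k, v in fields) + ";"


def decode(payload: str) -> WifiConfig:
    """Guest side: parse the scanned text back into a configuration, rejecting malformed input."""
    if not payload.startswith("WIFI:") or not payload.endswith(";;"):
        raise ValueError("not a WIFI: payload")
    body = payload[len("WIFI:"):-1]      # keep one ';' per field, drop the terminator
    raw: Dict[str, str] = {}
    pos = 0
    while pos < len(body):
        m = _FIELD.match(body, pos)
        if not m:
            raise ValueError(f"malformed field at offset {pos}")
        raw[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))   # undo the escaping
        pos = m.end()
    if "S" not in raw:
        raise ValueError("payload has no SSID")
    return WifiConfig(ssid=raw["S"], security=raw.get("T", "nopass"), password=raw.get("P", ""),
                      identity=raw.get("I"), anonymous=raw.get("A"),
                      eap=raw.get("E"), phase2=raw.get("PH2"))


if __name__ == "__main__":
    cfg = WifiConfig("guest;net", "WPA2-EAP", 'p;a:s\\s,"w', identity="alice@example.com", eap="PEAP")
    print(encode(cfg))
    print(decode(encode(cfg)))
```

The anonymous outer identity is what makes the "hides user identity" property of EAP-PEAP/EAP-TTLS real: the phase-1 identity goes over the air in clear, so it must not be the user@domain from the access record. The payload does nothing to make the guest device validate the RADIUS server's certificate; without that, a rogue AP advertising the same SSID can complete phase 1 and collect the inner MSCHAPv2 challenge/response for the QR-delivered password, so the onboarding app should pin the server certificate or its CA alongside these fields.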
The descriptions of the various embodiments of the present invention have been presented for purposes of illustration, but are not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein was chosen to best explain the principles of the embodiments, the practical application or technical improvement over technologies found in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.
It is expected that during the life of a patent maturing from this application many relevant technologies will be developed, and the scope of the terms virtual networking, virtual node and virtual switch is intended to include all such new technologies a priori.
As used herein the term “about” refers to ± 10 %. The terms “comprises”, “comprising”, “includes”, “including”, “having” and their conjugates mean “including but not limited to”. This term encompasses the terms “consisting of” and “consisting essentially of”.
The phrase “consisting essentially of” means that the composition or method may include additional ingredients and/or steps, but only if the additional ingredients and/or steps do not materially alter the basic and novel characteristics of the claimed composition or method.
As used herein, the singular form “a”, “an” and “the” include plural references unless the context clearly dictates otherwise. For example, the term “a compound” or “at least one compound” may include a plurality of compounds, including mixtures thereof. The word “exemplary” is used herein to mean “serving as an example, instance or illustration”. Any embodiment described as “exemplary” is not necessarily to be construed as preferred or advantageous over other embodiments and/or to exclude the incorporation of features from other embodiments.
The word “optionally” is used herein to mean “is provided in some embodiments and not provided in other embodiments”. Any particular embodiment of the invention may include a plurality of “optional” features unless such features conflict.
Throughout this application, various embodiments of this invention may be presented in a range format. It should be understood that the description in range format is merely for convenience and brevity and should not be construed as an inflexible limitation on the scope of the invention. Accordingly, the description of a range should be considered to have specifically disclosed all the possible subranges as well as individual numerical values within that range. For example, description of a range such as from 1 to 6 should be considered to have specifically disclosed subranges such as from 1 to 3, from 1 to 4, from 1 to 5, from 2 to 4, from 2 to 6, from 3 to 6 etc., as well as individual numbers within that range, for example, 1, 2, 3, 4, 5, and 6. This applies regardless of the breadth of the range.
Whenever a numerical range is indicated herein, it is meant to include any cited numeral (fractional or integral) within the indicated range. The phrases “ranging/ranges between” a first indicated number and a second indicated number and “ranging/ranges from” a first indicated number “to” a second indicated number are used herein interchangeably and are meant to include the first and second indicated numbers and all the fractional and integral numerals there between.
It is appreciated that certain features of the invention, which are, for clarity, described in the context of separate embodiments, may also be provided in combination in a single embodiment. Conversely, various features of the invention, which are, for brevity, described in the context of a single embodiment, may also be provided separately or in any suitable subcombination or as suitable in any other described embodiment of the invention. Certain features described in the context of various embodiments are not to be considered essential features of those embodiments, unless the embodiment is inoperative without those elements.
All publications, patents and patent applications mentioned in this specification are herein incorporated in their entirety by reference into the specification, to the same extent as if each individual publication, patent or patent application was specifically and individually indicated to be incorporated herein by reference. In addition, citation or identification of any reference in this application shall not be construed as an admission that such reference is available as prior art to the present invention. To the extent that section headings are used, they should not be construed as necessarily limiting. In addition, any priority document(s) of this application is/are hereby incorporated herein by reference in its/their entirety.

Claims

1. An access point for onboarding client devices in a wireless network, comprising: a processing circuit executing a code for: receiving from a target device, a connection request to said wireless network, said connection request based on a Pre-Shared Key, PSK; accessing a database storing at least one access record, wherein each of said at least one access record binds a respective PSK to an access policy; identifying among said at least one access record, an access record corresponding to the PSK on which the connection request is based; providing said target device with a network entity identifier for use with said wireless network; and exposing to said target device at least one network service according to said access policy associated with the PSK in the identified corresponding access record.
2. The access point of claim 1, wherein said PSK is transferred from an administrator device to the target device using a proximity enabled transfer scheme.
3. The access point of claim 2, wherein said proximity enabled transfer scheme is a Quick Response, QR, code optically scanned from a screen of said administrator device by said target device.
4. The access point of any of claims 1 to 3, wherein said processing circuit is further executing code for allowing different target devices to share a same Service Set Identifier, SSID, based on a personalized password derivative included in each of a plurality of connection requests received from a respective each of a plurality of target devices.
5. The access point of any of claims 1 to 4, wherein said processing circuit is further executing code for limiting an access to said wireless network by said target device, according to a time limit defined in said access record.
6. The access point of any of claims 1 to 5, wherein said processing circuit is further executing code for limiting an access to the wireless network, based on said identified access record, to a single target device.
7. The access point of claim 6, wherein said limiting said access to the wireless network to a single target device is by identifying a first Media Access Control, MAC, address associated device, out of a plurality of target devices requesting connection based on a same PSK, and limiting said access to the identified first MAC address associated device.
8. The access point of any of claims 1 to 7, wherein the network entity identifier comprises: an assigned Internet Protocol, IP, address and an assigned Domain Name System, DNS, identity.
9. An administrator device for onboarding client devices in a wireless network, comprising: a processing circuit executing a code for: generating a request for providing access to said wireless network for a target device, defining an allocated Pre-Shared Key, PSK, and assigned access policy to said wireless network; sending said request to an authentication entity of said wireless network to be stored in a database as an access record; creating a proximity enabled transfer scheme encoding said PSK; and generating instruction to facilitate an exposure of said proximity enabled transfer scheme, to enable capturing said proximity enabled transfer scheme by said target device, when in proximity to said administrator device, for connecting to said wireless network using said PSK extracted from said proximity enabled transfer scheme.
10. The administrator device of claim 9, wherein said defining assigned access policy is by providing a link or a unique identifier to one of a plurality of different access policies groups.
11. The administrator device of claim 9 or 10, wherein said proximity enabled transfer scheme is a Quick Response, QR, code.
12. The administrator device of any of claims 9 to 11, wherein said processing circuit further executing a code for encoding a personalized password in said proximity enabled transfer scheme for allowing different target devices to share a same Service Set Identifier, SSID.
13. The administrator device of any of claims 9 to 12, wherein said processing circuit is further executing code for generating request for modifying access records in said database.
14. The administrator device of any of claims 9 to 13, wherein said processing circuit is further executing code for including a link or a unique identifier to one of a plurality of different access policies groups in said request.
15. The administrator device of one of claims 9 to 14, wherein said processing circuit is further executing code for generating request for scheduling a lifetime of said access record.
16. The administrator device of one of claims 9 to 15, wherein said proximity enabled transfer scheme is a visibly present transfer scheme, and wherein said generated instructions to facilitate said exposure of said proximity enabled transfer scheme are instructions to display said visibly present transfer scheme on a screen of said administrator device for optical scanning by said target device.
17. An administrator device for onboarding client devices in a wireless network, comprising: a processing circuit executing a code for: generating and storing in a database an access record for providing access to a wireless network for a target device, the access record defining a client identity and a password, and including a link to one of a plurality of access policy groups for said wireless network; creating a proximity enabled transfer scheme encoding said client identity and said password; and generating instructions to facilitate an exposure of said proximity enabled transfer scheme, to enable capturing said proximity enabled transfer scheme by said target device for connecting to said wireless network using said client identity and password extracted from said proximity enabled transfer scheme, for authentication.
18. The administrator device of claim 17, wherein said proximity enabled transfer scheme is a Quick Response, QR, code.
19. The administrator device of claim 17 or 18, wherein said proximity enabled transfer scheme is a visibly present transfer scheme, and wherein said generated instructions to facilitate said exposure of said proximity enabled transfer scheme are instructions to display said visibly present transfer scheme on a screen of said administrator device for optical scanning by said target device.
20. A method for onboarding client devices in a wireless network, comprising: receiving from a target device, a connection request to said wireless network, said connection request based on a Pre-Shared Key, PSK; accessing a database storing at least one access record, wherein each of said at least one access record binds a respective PSK to an access policy; identifying among said at least one access record, an access record corresponding to the PSK on which the connection request is based; providing said target device with an assigned Internet Protocol, IP, address and an assigned Domain Name System, DNS, identity for use with said wireless network; and exposing to said target device at least one network service according to said access policy associated with the PSK in the identified corresponding access record.
21. A method for onboarding client devices in a wireless network, comprising: generating a request for providing access to said wireless network for a target device, defining an allocated Pre-Shared Key, PSK, and assigned access policy to said wireless network; sending said request to an authentication entity of said wireless network to be stored in a database as an access record; creating a proximity enabled transfer scheme encoding said PSK; and generating instruction to facilitate an exposure of said proximity enabled transfer scheme, to enable capturing said proximity enabled transfer scheme by said target device, when in proximity to said administrator device, for connecting to said wireless network using said PSK extracted from said proximity enabled transfer scheme.
22. A method for onboarding client devices in a wireless network, comprising: generating and storing in a database an access record for providing access to said wireless network for a target device, the access record defining a client identity and a password, and including a link to one of a plurality of access policy groups for said wireless network; creating a proximity enabled transfer scheme encoding said client identity and said password; and generating instructions to facilitate an exposure of said proximity enabled transfer scheme, to enable capturing said proximity enabled transfer scheme by said target device for connecting to said wireless network using said client identity and password extracted from said proximity enabled transfer scheme, for authentication.
23. A computer program product including computer program code, which, when executed by a processor, causes the method according to any of claims 20 to 22 to be performed.
24. A non-transitory computer-readable recording medium that stores therein a computer program product which, when executed by a processor, causes the method according to any of claims 20 to 22 to be performed.
PCT/EP2019/071110 2019-08-06 2019-08-06 Passing restricted network access credentials for visibly present user devices WO2021023376A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201980096991.9A CN113906776B (en) 2019-08-06 2019-08-06 Access point and administrator device for loading client devices in a wireless network and method therefor
PCT/EP2019/071110 WO2021023376A1 (en) 2019-08-06 2019-08-06 Passing restricted network access credentials for visibly present user devices

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2019/071110 WO2021023376A1 (en) 2019-08-06 2019-08-06 Passing restricted network access credentials for visibly present user devices

Publications (1)

Publication Number Publication Date
WO2021023376A1 true WO2021023376A1 (en) 2021-02-11

Family

ID=67659829

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2019/071110 WO2021023376A1 (en) 2019-08-06 2019-08-06 Passing restricted network access credentials for visibly present user devices

Country Status (2)

Country Link
CN (1) CN113906776B (en)
WO (1) WO2021023376A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070171884A1 (en) * 2006-01-25 2007-07-26 Nec Corporation Wireless communication system, wireless LAN access point and settings confirmation/change method used therefor
US20140068727A1 (en) * 2012-09-05 2014-03-06 Apple Inc. Wi-fi credential sharing using images
US20150139210A1 (en) * 2012-06-29 2015-05-21 Nokia Corporation Method and apparatus for access parameter sharing
US20170230824A1 (en) * 2008-11-04 2017-08-10 Aerohive Networks, Inc. Exclusive preshared key authentication

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB0305977D0 (en) * 2003-03-15 2003-04-23 Koninkl Philips Electronics Nv Control of a conditional access mechanism
US7627123B2 (en) * 2005-02-07 2009-12-01 Juniper Networks, Inc. Wireless network having multiple security interfaces
DE102014105247B4 (en) * 2013-12-05 2023-11-02 Deutsche Post Ag Selection of access control devices on an access authorization device based on information about a shipment
US9525664B2 (en) * 2014-02-28 2016-12-20 Symantec Corporation Systems and methods for providing secure access to local network devices


Also Published As

Publication number Publication date
CN113906776A (en) 2022-01-07
CN113906776B (en) 2023-10-27


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19753299; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19753299; Country of ref document: EP; Kind code of ref document: A1)