BE1025148B1 - METHOD FOR CONNECTING TO AN ACCESS POINT EQUIPPED WITH A PUBLIC AND PRIVATE WIRELESS NETWORK CONNECTION - Google Patents

Abstract

Method implementable on a wireless access point (AP) (100) for establishing a wireless network connection with a client device (200), the AP (100) being a public AP (100a) and private AP (100b) ), which includes the step of receiving a polling request (314) for the public wireless network connection (100a) from the client device (200). The method (300) determines whether the client device (200) is blacklisted (317); if so, the level request (314) is ignored for a duration of a first timer while the client device (200) that is blacklisted connects (328, 330) to the private wireless network connection of the private AP (100b).

Description

(30) Priority data:

(73) Holder (s):

TELENET private limited liability company 2800, MECHELEN

Belgium (72) Inventor (s):

CELLARIUS Quentin 1050 IXELLES

Belgium

VAN DRIESSCHE Tom 9220 HAMME

Belgium (54) METHOD FOR CONNECTING AN ACCESS POINT PROVIDING A PUBLIC AND A PRIVATE WIRELESS NETWORK CONNECTION (57) Method implementable on a wireless access point (AP) (100) to establish a wireless network connection with a client device (200), the AP (100) comprising a public AP (100a) and private AP (100b), comprising the step of receiving a polling request (314) for the public wireless from the client device (200) network connection (100a). The method (300) determines whether the client device (200) is blacklisted (317); if so, the level request (314) is ignored for the duration of a first timer while the blacklisted client device (200) connects (328, 330) to the private wireless network connection of the private AP (100b).

HG. 1

BELGIAN INVENTION PATENT

FPS Economy, K.M.O., Self-employed & Energy

Publication number: 1025148

Filing number: BE2017 / 5648

Intellectual Property Office

International Classification: H04W 12/08 H04L 29/06

Date of grant: 20/11/2018

The Minister of Economy,

Having regard to the Paris Convention of 20 March 1883 for the Protection of Industrial Property;

Having regard to the Law of March 28, 1984 on inventive patents, Article 22, for patent applications filed before September 22, 2014;

Having regard to Title 1 Invention Patents of Book XI of the Economic Law Code, Article XI.24, for patent applications filed from September 22, 2014;

Having regard to the Royal Decree of 2 December 1986 on the filing, granting and maintenance of inventive patents, Article 28;

Having regard to the application for an invention patent received by the Intellectual Property Office on 12/09/2017.

Whereas for patent applications that fall within the scope of Title 1, Book XI, of the Code of Economic Law (hereinafter WER), in accordance with Article XI.19, § 4, second paragraph, of the WER, the granted patent will be limited. to the patent claims for which the novelty search report was prepared, when the patent application is the subject of a novelty search report indicating a lack of unity of invention as referred to in paragraph 1, and when the applicant does not limit his filing and does not file a divisional application in accordance with the search report.

Decision:

Article 1

TELENET private limited liability company, Liersesteenweg 4, 2800 MECHELEN Belgium;

represented by

LESTHAEGHE David, Ed. Gevaertdreef 10a, 9830, ST MARTENS LATEM;

DE CLERCQ Ann, Ed. Gevaertdreef 10a, 9830, ST MARTENS LATEM;

GOESAERT Hans, Ed. Gevaertdreef 10a, 9830, ST MARTENS LATEM;

VANHALST Koen Victor Rachel, Ed. Gevaertdreef 10a, 9830, ST MARTENS LATEM;

a Belgian invention patent with a term of 20 years, subject to payment of the annual fees as referred to in Article XI.48, § 1 of the Code of Economic Law, for: METHOD FOR CONNECTING AN ACCESS POINT PROVIDED WITH A PUBLIC AND A PRIVATE WIRELESS NETWORK CONNECTION.

INVENTOR (S):

CELLARIUS Quentin, Henninstraat 89, 1050, IXELLES;

VAN DRIESSCHETom, Neerstraat 117, 9220, HAMME;

PRIORITY :

BREAKDOWN:

Split from basic application:

Filing date of the basic application:

Article 2. - This patent is granted without prior investigation into the patentability of the invention, without warranty of the merit of the invention, nor of the accuracy of its description and at the risk of the applicant (s).

Brussels, 20/11/2018,

With special authorization:

BE2017 / 5648

Method for connecting to an access point comprising a public and a private wireless network connection

Field of the invention

The present invention is in the field of wireless access points (AP) with a public wireless network and a private wireless network, in particular, methods implemented on wireless APs to block access to the public part for client devices or prioritizing a private AP over a public AP.

Background for the invention

A wireless access point (AP), with a public wireless network and a private wireless network, is generally installed in a home situation, allowing a first client device with permission to access the faster and unrestricted private wireless network, and allows a second client device without permission to join the private wireless network to access the restricted public wireless network. The public wireless network generally uses a stronger encryption type (WPA2-Enterprise) than the private wireless network (WPA2-PSK) and is a default choice for the first client device.

It is an object of the present invention to provide methods that can be implemented in the AP where a home user connects his device to the private network instead of the public network.

Summary of the invention

Herein is provided a method implementable on a wireless access point (AP) (100) for establishing a wireless network connection to a client device (200), wherein the AP (100) is a public AP (100a) and includes a private AP (100b), the method comprising the following steps:

• receiving (316) a polling request (314) or an authentication request (362) from the client device (200) by the public AP (100a), • ignoring (320 ') the public AP (100a) of the level request (314) or responding negatively to the authentication request (366) for a duration of a first timer if the client device (200) is blacklisted (317) from

BE2017 / 5648 client establishments (200) previously associated with the private

AP (100b), and either:

° responding (328) to a targeted sounding request (324) by the private AP (100b) for the duration of the first timer or responding (372) to the authentication request (370) by the private AP (100b) , and subsequently associating with and starting a data transfer session with the private AP (328, 330, 370, 372), or »responding, after the duration of the first timer, by the public AP (100a) ( 336) to the polling request (302) or, by the public AP (100a), responding (376) to the authentication request (376), for a duration of a second timer, and starting a data transfer session with the public AP (336) , 338, 374, 376).

The method may further comprise the steps of, prior to receiving a targeted level request (302) from the client device (200) by the public AP (100a),

- by both the public (308) and the private (310) APs, responding to a sent probe request sent (302) by the client device (200), the response including encryption type information about the network.

The method may further comprise the steps of, prior to receiving a targeted level request (302) from the client device (200) by the public AP (100a),

- broadcast beacon frames by both the public (308) and private (310) APs, the beacon response including encryption type information about the network.

The negative response to the authentication request can be configurable, and can optionally be an association response rejection, and optionally be a status code 17.

The wireless network connection provided by the public AP (100a) may use a stronger data encryption than that of the private AP (100b).

BE2017 / 5648

The method may further include a step of adding a feature of the client device (200) to the blacklist (317) after the client device (200) has associated itself with the private AP (100b).

One or more of a data transfer rate, a data volume limit, and a session time may be inferior to the public AP (100a) compared to the private AP (100b).

The duration of the first timer may be less than that of the second timer.

The method blacklist (317) cannot be cleared at the end of the data transfer session.

Also, a wireless access point (AP) (100) is provided to provide a wireless network connection to a client device (200), the AP (100) having a public AP (100a) having a public wireless network connection and a private AP (100b) that provides a private wireless network connection, wherein the AP is configured to perform the method described herein.

Also provided herein is a computer program or computer program product with instructions that, when performed by a wireless access point (AP) (100), to provide a wireless network connection to a client device (200), wherein the AP ( 100) has a public AP (100a) that provides a public wireless network connection and has a private AP (100b) that provides a private wireless network connection, performing the method as described here.

Also provided is a computer-readable medium with a computer program or product stored thereon according to what is described herein.

Also provided is a data stream representative of a computer program or product as described herein.

Legend of figures

FIG. 1 is an illustration of the method described herein in which a client device establishes a wireless network connection with a wireless

BE2017 / 5648 access point (AP) with a public wireless network and a private wireless network.

FIG. 2 is a flowchart depicting a standard protocol according to IEEE

802.11.

FIG. 3 is a flowchart of a method described herein, in which the client device actively scans for networks, and ignores the public AP level requests from the blacklisted client devices.

FIG. 4 is a flowchart of a method described herein, in which the client device passively scans for Wi-Fi beacon frames, the public AP sends an authentication response that is a rejection of association to the blacklisted client devices.

FIG. 5 illustrates steps of adding an indication of a client device to the blacklist.

Detailed description of the invention

Before describing the method of the invention, it is to be understood that this invention is not limited to certain described methods, devices, computer programs or combinations thereof, since such methods, devices, computer programs or combinations thereof may of course vary.

It is also to be understood that the terminology used herein is not intended to be limiting since the scope of the present invention is limited only by the appended claims.

As used here, the singular forms of "a", and "the" include both singular and plural references unless the context clearly indicates otherwise.

The terms "include", "include", and "include" as used herein are synonymous with "include", "include" or "contain", "include" and include or include open-ended and exclude any additional , unlisted parts, elements, or method taps. It is understood that the terms "include", "include", and "include" as used herein include the terms "consisting of", "consisting", and "consisting of".

BE2017 / 5648

Numeric ranges through endpoints include all numbers and fractions that fall under the respective ranges, as well as the named endpoints themselves.

The term "approximately" or "approximate" as used herein when referring to a measurable value such as a parameter, an amount, a duration, and so on, is intended to mean variations of +/- 10% or less, at preferably +/- 5% or less, more preferably +/- 1% or less, and even more preferably to include +/- 0.1% or less from and from the specified value, to the extent that such variations are suitable to perform in the disclosed invention. It is to be understood that the value to which the term "approximately" or "approximate" refers is itself particularly, and preferably, disclosed.

While the terms “one or more” or “at least one”, such as one or more or at least one part of a group of parts, are clear in themselves, by way of further examples, the term inter alia includes a reference to any of the parts, or to any two or more of the parts, such as, for example, some> 3,> 4,> 5,> 6,> 7, etc. of the parts, and up to and including all of the parts.

All references mentioned in the present specification are hereby incorporated in their entirety by reference. In particular, the teachings of all references particularly referred to herein are incorporated by reference.

Unless otherwise defined, all terms used in the present invention, including technical and scientific terms, have the meaning as generally understood by one skilled in the art to which this invention belongs. Through further guidance, term definitions are included to better understand the teaching of the present invention.

In the following passages, various aspects of the invention are defined in more detail. Any aspect defined as such may be combined with any other aspect or aspects unless the opposite is clearly indicated. In particular, any feature identified as being preferred or advantageous may be combined with any other feature or features identified as being preferred or beneficial.

BE2017 / 5648

Reference in this specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, occurrences of the phrases “in one embodiment” or “in an embodiment” at different locations in this specification do not necessarily all refer to the same embodiment, but possibly. In addition, the particular features, structures or characteristics may be combined in any suitable manner, as would be apparent to a person skilled in the art of this invention, in one or more embodiments. Furthermore, while some embodiments described herein include some but not other features included in other embodiments, combinations of features of different embodiments are intended to be within the scope of the invention, and to form different embodiments, as would be understood by people in the field. For example, in the appended claims, any of the claimed embodiments can be used in any combination.

In the present description, reference is made to the accompanying drawings, which form part thereof, and in which, by way of illustration, only certain embodiments are presented in which the invention can be carried out. Reference numerals in parentheses or in bold and next to respective elements are only used to illustrate the elements by examples, which are not intended to limit the respective elements. It will be understood that other embodiments can be used and that structural or logical changes can be made without departing from the scope of the present invention. The subsequent detailed description is therefore not to be understood in a limiting manner, and the scope of the present invention is defined by the appended claims.

Here, a method is provided for setting up a wireless network connection by means of a wireless access point, which in this text is also referred to as an access point (AP). Referring to FIG. 1, the AP (100) has a public AP (100a) that provides a public wireless network connection and a private AP (100b) that provides a private wireless

BE2017 / 5648 network connection provided. The AP is connected to the Internet (150) or an intranet. The method (300) can be implemented on the AP (100). The method (300) includes a step of receiving, from a client device (200), a poll request (314) for the public wireless network connection (100a). The method (300) determines whether the client device (200) is blacklisted (317); if yes then the level request (314) is ignored for a duration of a first timer or period (for example 10-20 seconds). During the first time period, the blacklisted client device (200) would connect (328, 330) to the private wireless network connection of the private AP (100b). At the end of the first time period (if not already associated with the private AP (100b)), the client device (200) is blacklisted to associate (authenticate and associate, 336, 338) with the public wireless network (100a) for a duration of a second timer. Data transfer takes place after successful association. After the second time period expires, the blacklisted client device (200) is prohibited from re-associating with the public wireless network for the first time period, and the process of establishing a wireless network connection to the AP becomes restarted. While the method (300) can be implemented in response to a targeted level request (314) from the client device (200), it may as well be implemented in response to an authentication request (360) from the client device (200), during a first time period the blacklisted client device (200) would connect (370, 372) to the private wireless network connection of the private AP (100b).

Accordingly, and referring to FIG. 3 and 4 hereby provide a method implementable on a wireless access point (AP) (100) for establishing a wireless network connection to a client device (200), wherein the AP (100) is a public AP ( 100a) and includes a private AP (100b), the method comprising the following steps:

• receiving (316) a directed level request (314) or an authentication request (362) from the client device (200) by the public AP (100a); • ignoring (320) the public AP (100a) from the client device (200); targeted polling request (314) or sending (366) a negative authentication response (366) (e.g. association rejection, status code 17) for a duration of a first timer as the client device (200) blacklists (317) client devices (200) previously associated with the private

BE2017 / 5648

AP (100b), and either:

° for the duration of the first timer, responding (328) to a targeted sounding request (324) by the private AP (100b) or responding to the authentication request (370) by the private AP (100b), and subsequently associating with and starting a data transfer session with the private AP (328, 330, 370, 372), or after the duration of the first timer, responding (336) by the public AP (100a) for a duration of a second timer on the targeted watering request (336) or authentication request (376).

It is to be understood that a client device (200) attempts to discover an AP by two main means. Active scanning takes place where the client device (200) sends a broad broadcast request (SSID set to empty ("null")) that is received within range by and responded to by all APs (for example, public and private); if certain criteria match (for example, security or encryption strength), the client device sends a targeted sounding request to a particular AP that indicates an intention to attempt to associate (authenticate and associate). The other is passive scanning, where beacon frames are broadcast at regular intervals (for example, every 102.4 ms) by the APs, announcing the presence of the public and private APs, and containing the same security information as level responses; if certain criteria match (for example, security), the client device sends an authentication request to a particular AP, thus demonstrating an intention to attempt association. The present method can handle both discovery means.

Where the public AP (100a) receives a targeted level request (314) from the client device (200), this may be preceded by a step of responding by both the public (308) and the private (310) APs to a broadcasting polling request sent (302) by the client device (200) (i.e., during active scanning) (see FIG. 3). The response (308, 310) includes encryption type information about the network, for example, specifying WEP, WPA, WPAenterprise, WPA2, or WPA2 enterprise security protocols. From the response, the client device (200) determines the most secure network (312) - the public

BE2017 / 5648 network (100a) - and sends a direct level response (314) to the public AP (100a) and not to the private AP (100b).

Where the public AP (100a) receives an authentication request (360) (362) from the client device (200), this may be preceded by a step of broadcasting beacon frames from both the public (352) and private (354) APs. ; these beacon frames being received (356) by the client device (e.g., during passive scanning) (see FIG. 4). The beacon frames include encryption type information about the network, for example, specifying WEP, WPA, WPA enterprise, WPA2, or WPA2 enterprise security protocols. From the beacon frames, the client device (200) determines the most secure network (358) - the public network (100a) and sends an authentication request (360) to the public AP (100a) and not to the private AP (100b).

The terms “public AP”, “public part”, “public network part”, “public SSID”, and “public wireless network” used herein all refer to the part of the same AP that provides the public wireless network connection, and the terms “private AP ”,“ private part ”,“ private network part ”,“ private SSID ”, and“ private wireless network ”all refer to the part of the same AP that provides the private wireless network connection.

The AP is generally a wireless access point that contains a processor and a transceiver capable of establishing a wireless network connection using an 802.11 protocol for both a public wireless network and the private wireless network. In general, the AP is connected to an intranet or the Internet. In a common configuration, the AP includes a processor, memory, a connection to the Internet or an intranet, and a wireless network radio transceiver. The public wireless network and the private wireless network each have their own separate service set identifier (“service set identifier”, SSID) that allows identification of the public or private APs. A single transceiver can simultaneously control the public wireless network of the public AP and the private wireless network of the private AP by switching quickly.

The public AP may have a data transfer rate subordinate to that of the private AP. The public AP can have a data volume limit that

BE2017 / 5648 is secondary to that of the private AP. The public AP can provide a time-limited data transfer session; the private AP can provide a time-unlimited data transfer session. The number of devices connected simultaneously for a data transfer session may be less for the public AP than for the private AP. The access data (for example password) that provide access for the public AP and the private AP may differ.

The AP is preferably installed in a building (e.g. home) of a primary user with one or more primary client devices. Via the private wireless network, the AP provides the primary client device of full access sessions, for example, unlimited time, data transfer rate, data volume limit. Via the public wireless network, the AP may provide a secondary client device - which may not have permission to connect to the private wireless network - of limited access sessions such as limited time, limited data transfer rate, and / or limited data volume. The primary client device can also connect to the public AP. The secondary device is excluded from connecting to the private wireless network, for example due to lack of a key to access the private AP.

The AP responds to requests with status codes. An authentication request can be negatively responded to by the public AP, that is, with a status code that does not allow the protocol to proceed. The status code can be configurable in the method of the AP via a management protocol (e.g. SNMP or TR-069). A list of status codes can be found here in Table 1. In the present invention, status code 17 can be broadcast in response to an authentication request to deny association after passive scanning. The present method may be reconfigurable with other negative responses in response to an authentication request selected from Table 1.

Table 1: AP status codes Status code Name Meaning 0 SUCCESS Successful 1 REFUSED, REFUSED_REASO N_UNSPECIFIED Unnamed failure

BE2017 / 5648

Table 1: AP status codes Status code Name Meaning 2 TDLS wake-up schedule that has been rejected but alternative planning has been provided 3 TDLS wake-up schedule rejected 4 Reserved 5 Security disabled 6 Unacceptable longevity 7 Not in the same BSS 8-9 Reserved 10 REFUSED_CAPABILITIES_MI SMATCH Cannot support all requested capabilities in the Opportunities Information field 11 Re-association rejected due to inability to confirm association 12 Association rejected for reasons beyond the scope of this standard 13 Responding STA supports the specified authentication algorithm does not 14 Authentication frame received with authentication transaction sequence number outside expected range 15 Authentication declined due to research failure 16 Authentication rejected by waiting timeout for next frame in sequence 17 Association declined due to AP unable to process additional Associated STAs 18 REFUSED_BASIC_RATES_MI SMATCH Association rejected because requesting STA does not support all data rates in the BSSBasicRateSet parameter 19 Association rejected because requesting STA does not support the short preamble option 20 Association rejected because requesting STA does not support the PBCC modulation option 21 Association rejected because interrogative STA not the Channel Agility option (“Agility option”) supports 22 Association request rejected because Spectrum Management capability is required 23 Association request rejected because the information in the Power Capability element is unacceptable 24 Association request rejected because information in it

BE2017 / 5648

Table 1: AP status codes Status code Name Meaning Supported Channels- (“Supported Channels-”) element is unacceptable 25 Association rejected because requesting STA does not support the Short Slot Time option (“Short Slot Time option”) 26 Association rejected because requesting STA does not support the DSSS-OFDM option 27 Association rejected because the interrogative STA does not support HT attributes 28 ROKH unreachable 29 Association rejected because the requesting STA does not support the phased coexistence operation (PCO) transition time required by the AP 30 REFUSED_TEMPORARILY Association request temporarily refused; try again later 31 Violation of robust management framework policy (“Robust Management Frame Policy ”) 32 Unnamed, QoS-related failure 33 Association rejected because QoS AP does not have enough bandwidth to process another QoS STA 34 Association rejected due to excessive frame loss rates and / or poor conditions on current working channel 35 36 Reserved 37 The request was rejected 38 INVALID_PARAMETERS The request was unsuccessful as one or more parameters have invalid values 39 REJECTED_WITH_SUGGEST ED_CHANGES TS was not created because the request cannot be met; however, a proposed TSPEC has been provided so that the initiating STA can attempt to set another TS with the proposed changes in the TSPEC 40 Invalid element, that is, an element defined in this standard for which the content does not meet the specifications in Clause 8 41 Invalid group key 42 Invalid pair key 43 Invalid AKMP 44 Unsupported RSNE version

BE2017 / 5648

Table 1: AP status codes Status code Name Meaning 45 Invalid RSNE capabilities 46 Key collection rejected due to security policy 47 REJECTED_FOR_DELAY_PE RIOD The TS has not been created; however, the HC may be able to create a TS in response to a request after the time specified in the TS Delay element 48 DLS_NOT_ALLOWED Direct connection is not allowed in the BSS by policy 49 NOT PRESENT The Destination STA is not present within this BSS 50 NOT_QOS_STA The Destination STA is not a QoS STA 51 Association rejected includes the Listen Interval (“Listen Interval”) too large 52 Invalid FT Action frame count 53 Invalid pairwise master key identifier (“Pairwise Master Key Identifier ”, PMKID) 54 Invalid MDE 55 Invalid FTE 56 Requested TCLAS processing is not supported by the AP 57 The AP does not have enough TCLAS processing resources to fulfill the request 58 The TS was not created because the request cannot be met; however, the HC proposes the STA transitions to other BSSs to set the T. 59 GAS_ADVERTISEMENT_PRO TOCOL_NOT_SUPPORTED GAS Advertising Protocol (“GAS Advertisement Protocol”) not supported 60 NO_OUTSTANDING_GAS_RE QUEST No outstanding GAS request 61 GAS_RESPONSE_NOT_RECE IVED.FROM .SERVER GAS Response (“GAS Response”) not received from the Advertisement Server (“Advertisement Server”) 62 GAS.QUERY.TIMEOUT STA time expired while waiting for GAS Query Response 63 GAS.QUERY.RESPONSE.T OO_ LARGE GAS Response is greater than demand response length limit 64 REJECTED_HOME_WITH.SU GESTED.CHANGES Request denied because home network does not support request 65 SERVER.UNREACHABLE Advertisement server (“Advertisement Server”) in the network is on this

BE2017 / 5648

Table 1: AP status codes Status code Name Meaning moment not available 66 Reserved 67 REJECTED_FOR_SSP_PERMI SSION Request denied due to permissions received via SSPN interface 68 Request denied because AP does not support unauthenticated access 69-71 Reserved 72 Invalid content of RSNE 73 U-APSD Coexistence (“U-APSD Coexistence”) is not supported 74 Requested U-APSD Coexistence mode is not supported 75 Requested interbox / duration value cannot be supported with U-APSD Coexistence 76 Authentication was refused because an Anti-Clogging Token (“AntiClogging Token”) is required 77 Authentication was denied because the given Finite Cyclic Group (Finite Cyclic Group) is not supported 78 CANNOT_FIND_ALTERNATIV E_ TBTT The TBTT customization request was unsuccessful including the STA was unable to find an alternative TBTT 79 TRANSMISSION_FAILURE Broadcast failure 80 REQUESTED_TCLAS_NOT_ SUPPORTED Requested TOLAS is not supported 81 TCLAS_RESOURCES_EXHAU STED TCLAS resources exhausted 82 REJECTED_WITH_SUGGEST ED_ BSS_TRANSITION Declined with proposed BSS transition. 83 Reserved 92 REFUSED_EXTERNAL_REAS ON (Re) association was refused for an external reason 93 REFUSED_AP_OUT_OF_MEM ORY (Re) association refused due to memory limits on the AP 94 REJECTED_EMERGENCY_ SERVICES_NOT_SUPPORTE D (Re) association refused because emergency services are not supported on the AP.

BE2017 / 5648

Table 1: AP status codes Status code Name Meaning 95 QUERY_RESPONSE_ OUTSTANDING GAS demand response not yet received 96-99 Reserved 100 MCCAOP_RESERVATION_ CONFLICT Request failed due to reservation conflict 101 MAF_LIMIT_EXCEEDED Request failed due to exceeded MAF limit 102 MCCA_TRACK_LIMIT_EXCEE DED Request failed due to exceeded MCCA track limit 103- 65535 Reserved

The wireless network connection is preferably according to the 802.11 protocol. The IEEE802.11 protocol is known to pertain to three major phases, which are generally described below, and which are illustrated in FIG. 2. A first phase, active network discovery, starts with the level request (22) sent (23) by the client device (200) to discover APs in its vicinity. The polling request (22) is preferably a broadcasting polling request to search for known networks. The nearby APs receive the probe request and in response, each AP (13) sends a probe response (12) to the client device with information such as its SSID, supported data rates, data encryption types and supported IEEE 802.11 capabilities. In response to the poll responses, the client device selects appropriate APs, which are often based on data encryption types; where it is a default choice of most client devices to select the AP with the strongest data encryption.

A second stage involves an association, wherein the client device first sends (25) an open system authentication request (24) that is answered (15) with an authentication response (14) from the AP (100). Subsequently, the client device (27) will send an association request (26) that includes the selected data encryption types and other suitable IEEE 802.11 capabilities. The AP (100), if it matches the data encryption types and capabilities, sends (17) an association response (16) containing a generated Association ID and a success message giving network access to the client device.

The third and final phase involves data transfer (18, 28) after a successful association.

BE2017 / 5648

If association is successful, the status of the connection is authenticated and associated (46), after which the AP and CD begin the actual data transfer (18, 28). The status of the connection may change; successful authentication (S-Auth) changes an unauthenticated and unassociated state (42) to an authenticated and unassociated (44) state. De-authentication (DAuth) changes an authenticated and unassociated state (44) to an unauthenticated and unassociated state (42). Successful Association (S-Assoc) changes an authenticated and unassociated status (44) to authenticated and associated (46). De-association (D-Assoc) changes an authenticated and associated status (46) to authenticated and unassociated (44). De-authentication (D-Auth) changes an authenticated and associated status (46) to an unauthenticated and unassociated status (42). The protocol can be performed on one of the two communication frequency bands.

Describing poll, authentication, or association requests as being answered here means that the response allows the protocol to proceed unless otherwise specified, that is, it means a positive response. As mentioned later, an AP can exceptionally respond to an authentication request with a negative response (e.g. rejection of association, status code 17).

Obviously, the AP implements the main steps of the IEEE-802.11 protocol, the method intervening in the steps of the protocol including responding to the targeted poll or authentication request.

Both the public wireless network and the private wireless network use data encryption. The public wireless network can use stronger data encryption than the private wireless network. The private wireless network can use a WPA-PSK or WPA2-PSK (“Wi-Fi Protected Access - Preshared Key”, Wi-Fi Protected Access - Pre-shared Key) security protocol. The public network can use one or more of the WPA enterprise or WPA2enterprise security protocols. WPA-Enterprise or WPA2-Enterprise are considered to be stronger encryption types over WPA-PSK or WPA2-PSK. Generally, the client device tries to establish a connection to by default

BE2017 / 5648 the public wireless network that uses stronger data encryption. Stronger data encryption means that it is more resistant to cryptoanalytic attacks.

The client device is any wireless network capable computing device, such as a smartphone, tablet, laptop computer, desktop computer, game console, or other computing device. The client device generally includes a processor and memory operatively coupled to a radio transceiver and configured to operate according to an IEEE-802.11 protocol. The CD can be identified using a unique feature such as a media access controller (MAC) address that uniquely identifies a network interface card (NIC) in a client device. The client device can be a primary client device, in which case it has permission to connect to the private wireless network, but it can also connect to the public wireless network. The client device can be a secondary client device, in which case it does not have permission to connect to the private wireless network, but it can connect to the public wireless network.

The blacklist contains a list of client devices previously associated with the private AP. Client devices can be identified by their media access controller (MAC) address. Preferably, the blacklist focuses on a particular AP. The client device identifier (200) can be added to the blacklist (317) after the client device (200) has once associated with the private AP (100b). The blacklist is generally not cleared at the end of the session. An example flowchart for adding a client device to the blacklist is shown in FIG. 5. After the network discovery steps (402, 404) described elsewhere herein, the client device (200) sends an authentication request (406) to the private AP (100b) that responds with an authentication response (408); subsequently, an association request (410) is sent by the client device (200) to the private AP (100b) that responds with an association response (412); subsequently, the association is completed (414, 416) and the client device is added (418) to the blacklist (417).

BE2017 / 5648

The duration of the first timer allows the client device to attempt to associate with the private AP. A standard action of client devices is to search for an alternative wireless network when polling requests are ignored or authentication requests are answered with a negative response (e.g. association rejection, status code 17), after a certain timeout period. Generally, the timeout period is 10 seconds. Accordingly, the duration of the first timer can be equal to about less than 20, 15 or 10 seconds. The duration of the second timer allows the client device that is allowed to connect to the private AP to connect to the public time-limited data transfer session. The duration of the second timer can be 20 seconds.

FIG. 3 illustrates a flowchart of an example of a method for setting up a wireless network connection using an AP (100), wherein the AP (100) has a public (100a) and a private (100b) wireless network connection with a client device (200 ) provided. The client device (200) actively scans for an AP within range; it sends broadly broadcast level requests (302) received (304, 306) by public (100a) and private (100b) APs, respectively. The public (100a) and private (100b) APs each send a level response (308, 310) that contains information including data encryption information, for example, those WEP, WPA, WPA enterprise, WPA2, or WPS2 specifies surprise security protocol types received (312) by the client device (200). The client device (200) determines (312) which AP provides the most secure network. The client device (200) sends (314) a targeted polling request to the public AP (100a) with the most secure network. The public AP (100a) receives (316) the targeted watering request (316). The public AP (100a) checks (318) whether the client device (200) is blacklisted (317). The blacklist (317) consists of client devices previously associated with the private AP. If the client device (200) is blacklisted, the public AP (100a) ignores level requests (320) from the client device (200) for the duration of a first timer.

The client device (200), which does not receive a level response (322), can send a targeted level request (324) (path a) to the private AP (100b). The private AP (100b) receives (326) the targeted level request (316), and sends a level response (328). The client device (200) receives (330) the probe response, completes association and initiates a data transfer session (328, 330) with the private AP (100b). Alternatively, the client device (200), which does not receive a level response (322), if not already

BE2017 / 5648 is associated with the private AP, continuing to send (332) targeted polling requests to the public AP (100a) received by the public AP (334). At the end of the period of the ^1st timer responsive public AP (100a) on the directed probe request (336) for a duration of a second timer. The poll response is received by the client device (338), association is completed, and a data transfer session with the public AP (100a) begins (338). Thus, the method blocks sending a sound response (320) from the public AP to client devices that have previously associated itself, but, for the duration of a 2 ^nd timer starting after the 1 ^st timer, an opportunity opens for sending a targeted level response and for completing association with the client device (200), after which a data transfer session begins. Client devices are automatically associated with the private AP (100b) with the benefits of full access.

It is noted that authentication requests can be replied otherwise or additionally with an authentication response that association has been denied. It can be denied, for example, because the AP is unable to process additional associated stations (i.e. client devices); this is generally status code 17 according to IEEE-802.11. This is illustrated in the schematic of FIG. 4. The client device (200) listens (356) to beacons sent by the public (352) and private (354) APs. The beacons (352, 254) each include data encryption type information, for example, specifying WEP, WPA, WPA enterprise, WPA2, WPA2 enterprise security protocols. The client device (200) receiving the beacons determines (358) the most secure data encryption type (in this case, the public SSID) and sends an authentication request (360) to the public AP (100a). The public AP (100a) receiving the authentication request (362) checks (364) whether the client device (200) is blacklisted (317). The blacklist (317) features unique features of client devices previously associated with the private AP (100b). If the client device (200) is blacklisted, the public AP (100a) responds with a negative authentication response, for example, that association is denied because the AP is unable to process additional associated stations (i.e. client devices), which i.e. with status code 17, for the duration of a first timer (366). The client device (200) receiving the negative authentication response (368) can associate (path a) and start a session (370) with the private AP (100b, 372). Otherwise, (path b) the client device (200) may have the negative

BE2017 / 5648 authentication response (368), if not yet associated with the private AP, continues to resend an authentication request (374) to the public AP (100a). At the end of the duration of the 1 ^st timer, the public AP (100a) responds positively to the authentication request for the duration of a 2 ^nd timer with, for example, a status code 0 (success); whereby the association process can be started and eventually a data transfer session with the public AP (100a) begins (374, 376). When the second timer has expired, the client is not allowed to attempt to associate with the public AP. Thus, the method blocks client devices previously associated with the private AP from associating with the public AP, but still allows them to associate with the public AP if association is successful after the duration of the first timer. Client devices are automatically associated with the private AP (100b) with the benefits of full access.

The method uses the AP to automatically bypass a default selection of many client devices to associate with the most secure wireless network, that is, the one that uses the strongest data encryption normally implemented in the public wireless network. Currently in the work field, when an AP is installed at home, the client device known to the private part will connect to the public wireless network with limited performance by default, such as reduced speed, data volume, limited number of sessions, etc. compared to the private wireless network. At this time, it requires active selection by the client device of the private wireless network. The present method is implemented by the AP, and not by the client device, making it compatible with a wide range of client devices. In testing, there is a success rate of more than 70%, that is, the client device associates with the less secure private network.

Additionally, the AP implemented method allows a client device to select from the public AP and the private AP. A client device that needs access to the public AP at some point may prefer to have access to the private AP at a relatively distant time in the future, for example after two weeks. This is facilitated by the AP ignoring poll or authentication requests for the duration of the first timer, during which period the private AP responds to the poll or authentication requests. In contrast, the same client device may wish to access it smoothly

BE2017 / 5648 public AP during a part of a given day, for example when the private network part would be unreachable for some reason. This is facilitated by the public AP responding to the direct level request or authentication request after the end of the first timer, and allowing the client device to access the public network portion. Access is granted for the duration of a second timer.

Where the polling request is ignored, the method further saves airtime since the steps of association with an unwanted public or private network part are excluded. Where passive scanning is used, the authentication request is responded with a negative response (e.g. rejection of association), which excludes further association steps.

Also, an AP is provided with a public AP that provides a public wireless network connection and has a private AP that provides a private wireless network connection, which is configured to perform the method as described herein.

Also, a computer program or computer program product is provided with instructions which, when executed by the AP, perform the method as described herein.

Also provided is a computer readable medium with a computer program or product stored thereon as described herein.

Also provided is a computer-readable medium with instructions stored thereon which, when executed by the AP, prompt the AP to perform the method as described herein.

Also provided is a data stream representative of a computer program or product as described herein.

Also provided is a data stream representative of a computer program or product with instructions that, when executed by the AP, prompt the AP to perform the method as described herein.

BE2017 / 5648

Claims (10)

Conclusions A method implementable on a wireless access point (AP) (100) for establishing a wireless network connection to a client device (200), the AP (100) being a public AP (100a) and a private AP (100b) which includes the following steps: • receiving (316) a polling request (314) or an authentication request (362) from the client device (200) by the public AP (100a), • ignoring (320 ') the public AP (100a) the poll request (314) or respond negatively to the authentication request (366) for a duration of a first timer if the client device (200) is blacklisted (317) of client devices (200) previously associated with the private AP (100b), and either: - responding (328) to a targeted level request (324) for the duration of the first timer, by the private AP (100b) or responding (372) to the authentication request (370) by the private AP (100b) , and subsequently associating with and starting a data transfer session with the private AP (328, 330, 370, 372), or - after the duration of the first timer, responding (336) to the level request (302) by the public AP (100a) or responding (376) to the authentication request (376) by the public AP (100a), a duration of a second timer, and starting a data transfer session with the public AP (336, 338, 374, 376). The method of claim 1, further comprising, preceded by the public AP (100a) receiving a targeted polling request (302) from the client device (200), comprising the steps of: - responding, by both the public (308) and the private (310) APs, to a broadcasting polling request sent (302) by the client device (200), the response including encryption type information about the network. The method of claim 1, further comprising, preceded by the public AP (100a) receiving a targeted polling request (302) from the client device (200), comprising the steps of: BE2017 / 5648 - broadcasting beacon frames by both the public (308) and private (310) APs, the beacon response including encryption type information about the network. The method of any one of claims 1 to 3, wherein the negative response to the authentication request is configurable, and optionally is a rejection-of-association response, optionally is a status code 17. 5 carries out claims 1 - 9. A computer-readable medium with a computer program or product according to claim 11 stored thereon. The method of any one of claims 1 to 4, wherein the wireless network connection provided by the public AP (100a) uses a stronger data encryption than that of the private AP (100b). The method of any one of claims 1 to 5, further comprising a step of adding an identifier of the client device (200) to the blacklist (317) after the client device (200) has associated with the private AP ( 100b). The method of any one of claims 1 to 6, wherein one or more of a data transfer rate, a data volume limit, and a session time are or are subordinate to the public AP (100a) compared to the private AP (100b). The method of any one of claims 1 to 7, wherein the duration of the first timer is less than that of the second timer. The method of any one of claims 1 to 8, wherein the blacklist (317) is not cleared at the end of the data transfer session. A wireless access point (AP) (100) for providing a wireless network connection to a client device (200), the AP (100) having a public AP (100a) providing a public wireless network connection, and has a private AP (100b) that provides a private wireless network connection and is configured to perform the method of any one of claims 1 to 9. 11. Computer program or computer program product with instructions that, when performed by a wireless access point (“access point”), BE2017 / 5648 AP) (100), for providing a wireless network connection to a client device (200), the AP (100) having a public AP (100a) providing a public wireless network connection and having a private AP (100b) having a private wireless network connection, the method of any of the 13. Data stream representative of a computer program or product according to claim 11. BE2017 / 5648