GB2417856A - Wireless LAN Cellular Gateways - Google Patents

Wireless LAN Cellular Gateways Download PDF

Info

Publication number: GB2417856A
Authority: GB (United Kingdom)
Prior art keywords: mobile device, access, server, network, authentication
Legal status: Granted
Application number: GB0406351A
Other versions: GB2417856B (en), GB0406351D0 (en)
Inventor: Efstathios Ioannidis
Current Assignee: Alcyone Holding SA
Original Assignee: Alcyone Holding SA

Events:
    • Application filed by Alcyone Holding SA
    • Priority to GB0406351A (GB2417856B)
    • Publication of GB0406351D0
    • Publication of GB2417856A
    • Priority to US11/490,856 (US8824430B2)
    • Application granted
    • Publication of GB2417856B
    • Anticipated expiration
    • Ceased (current legal status)

Classifications

    • H04W12/06 Security arrangements; Authentication
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/2856 Wide area networks; Access arrangements, e.g. Internet access
    • H04L63/0428 Network security: confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0853 Network security: authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04Q7/38
    • H04L63/162 Implementing security features at a particular protocol layer: the data link layer
    • H04W12/72 Context-dependent security; Identity-dependent; Subscriber identity
    • H04W40/00 Communication routing or communication path finding
    • H04W76/10 Connection management; Connection setup
    • H04W84/042 Network topologies; Public Land Mobile systems, e.g. cellular systems
    • H04W84/12 Network topologies; WLAN [Wireless Local Area Networks]
    • H04W88/16 Devices specially adapted for wireless communication networks; Gateway arrangements

Abstract

A Gateway (200) implements a method to authenticate a wireless LAN mobile device (100) utilising the Subscriber Identity Module (SIM) information. Upon successful authentication the Gateway (200) instructs an access server (105) to provide service to the mobile device (100) according to a mobile device profile. The access server (105) performs traffic routing as instructed by the gateway (200), which may include secure tunnelling to an access network gateway (202) or direct routing to Internet networks (108).

Description

WIRELESS LAN CELLULAR GATEWAYS
1. Field of Invention
This invention pertains to the field of telecommunications and particularly wireless mobile Internet communications.
2. Related Art and Other Considerations: Wireless LAN integration in the Mobile Core Network
Mobile Cellular networks have now become widespread throughout the world. For the most part these mobile networks are constructed using one or more of the following cellular technologies: GSM, UMTS, EDGE and CDMA. These are all considered Wide Area Network (WAN) technologies since their radio coverage is "wide", meaning that they span entire areas, cities, regions or countries.
However, another wireless technology has emerged that covers a reduced local area (hotspot) and is thus named Wireless Local Area Network (WLAN). The term WLAN is typically used to identify the Institute of Electrical and Electronic Engineers' (IEEE) 802.11 wireless standard, sometimes called WiFi. Both Mobile Cellular and WLAN networks can be used to transport Internet Protocol (IP) traffic and are important in the wireless market. However, Mobile Cellular technologies and WLAN technologies have been developed separately and thus networks made with these technologies cannot be easily integrated nor managed efficiently. This makes it difficult for a mobile operator to make good use of these different types of technologies in a single network that is easy to manage, build and expand.
In order to integrate WLAN and Cellular Mobile networks it is necessary to introduce new functionality to glue them together. The mobile standardization group called the Third Generation Partnership Project (3GPP) has performed some work to specify this functionality in document TS 23.234. According to this model a WLAN UE (User Equipment) uses the IEEE 802.1x (abbreviated to 802.1x) protocol and the Extensible Authentication Protocol (EAP) methods in order to prove that it is allowed to gain access to the WLAN network. In particular the EAP-SIM and EAP-AKA authentication methods are applicable here. The authentication information used to gain access to the network is based on the well-known cellular authentication methods based on the Subscriber Information Module (SIM) card. In this case the SIM card would be accessible by the WLAN UE just as it is accessible by a normal mobile phone. With reference to Figure 1, according to the 3GPP method the WLAN UE 100 uses the EAP-SIM or EAP-AKA authentication protocol transported by IEEE 802.1x to exchange authentication information with the IEEE 802.1x capable Access Point (AP) 101. The 802.1x AP 101 includes AAA (Authentication, Authorisation and Accounting) client functionality, which typically means it acts as a RADIUS client. The AP 101 then forwards the EAP authentication information to the local visited AAA server 103. Typically this means that the AP 101 functions as a AAA client towards the visited AAA server 103. The visited AAA server 103 uses the EAP authentication information to determine the WLAN UE's Home AAA server. The visited AAA server 103 then passes the authentication information to the home AAA server 110. The EAP/AAA server and HLR proxy 107 processes the authentication information and checks it against the authentication triplets or quintuplets obtained from the HLR 109.
Based on these checks the EAP/AAA server 107 replies to AP 101 with an accept or reject message. As a consequence the AP 101 forwards the appropriate 802.1x EAP success or reject message to the WLAN UE 100. If the message indicated successful authentication then the 802.1x AP 101 allows the WLAN UE 100 to use the WLAN network to communicate towards other peers, the Internet or external networks 108. Otherwise, in case the authentication was rejected, the 802.1x AP 101 will not allow the WLAN UE to make use of the WLAN access network.
In order to perform the above, all WLAN Access Points (APs) in all WLAN Access Networks must support the 802.1x standard that allows transport of the EAP-SIM and EAP-AKA authentication methods over IEEE 802 networks (including Ethernet and WLAN) between the UE and ultimately the home AAA server. However, the majority of WLAN APs deployed today in WLAN networks do not support the 802.1x standard, such as the simple AP 102 in Figure 1. Also, support of EAP-SIM and EAP-AKA on 802.1x in WLAN UEs may be slow to be adopted and may run into difficulties.
Typically current WLAN Access Networks include a WLAN Access Server (AS), 105 in Figure 1. This is currently used to provide access control by authenticating users and allowing packet communications destined to or originated from authenticated users. When a WLAN UE connects to a WLAN Access Network 106, a standard web browser needs to be started on the WLAN UE. The WLAN AS 105 intercepts the web page request (typically the browser's "home page" at startup) being accessed and redirects it to an authentication web page where the user is to enter authentication credentials such as username and password or valid credit card information. If these credentials are entered correctly then the WLAN AS opens up access for that WLAN UE by opening the communication ports for packets coming from and destined to the WLAN UE's IP address and MAC address. When 802.1x and EAP authentication are used, as described previously, WLAN ASs no longer have a role since the authentication functionality is distributed to the APs. The idea of discarding an existing investment such as the WLAN AS 105 may not make sense to all WLAN Access Network providers, since the actual centralised access control functions can in principle be reused. Also, if a WLAN Access Network contains both 802.1x capable APs and simple APs, the interoperability between the WLAN AS and the 802.1x authentication methods poses problems.
There are also problems with the WLAN AS 105 redirecting the user to another web page at startup. This approach is not always applicable, since some WLAN UEs do not have web browsers. In addition it can be confusing for a user to have to open up the web browser and perform an authentication before starting the application that was required in the first place (e.g. an email application).
Therefore it would be desirable to provide a solution for WLAN Cellular interworking that reuses existing functionality in the WLAN Access Network and therefore works independently of the type of WLAN APs and the WLAN AS in the WLAN Access Network. It would also be desirable that such a solution is independent of the web browsing application. Such a solution should be equally applicable to any wireless technology based on the Internet Protocol, but for simplicity this invention will use WLAN technology as reference.
3. Summary
The present invention describes a method and means for integrating Wireless LAN and Mobile Cellular networks that is compatible with existing WLAN network deployments. A Wireless LAN Cellular Gateway (CellGate) Server is located inside each cooperating WLAN Access Network in order to authenticate WLAN users. The CellGate software client on the WLAN User Equipment (UE) communicates with the CellGate Server to exchange security information based on cellular 2G Subscriber Identity Module (SIM) cards or 3G Universal Subscriber Identity Module (USIM) cards. The CellGate Server authenticates the WLAN UE using AAA (Authentication, Authorization and Accounting) technology by communicating with the WLAN Gateway. Once the WLAN user's authentication is complete the CellGate server opens up the appropriate ports on the WLAN Access Server (AS). The CellGate server is also able to configure the WLAN AS to create a special tunnel interface between the WLAN AS and the WLAN Gateway in the Home Network for all traffic to and from the authenticated WLAN UE. Although this invention is described with reference to WLAN it is directly applicable to any other wireless technology that supports the Internet Protocol. One example is upcoming OFDM wireless technologies where the relative Access Points or Base Stations have IP connectivity.
4. Introduction to the Drawings
Figure 1 illustrates the portion of the conventional WLAN network architecture and 3GPP-WLAN network architecture related to authentication;
Figure 2 illustrates the new WLAN Cellular architecture in accordance with exemplary embodiments of the present invention;
Figure 3 illustrates the message exchange between the WLAN UE, Cellular Gateway server, Visited AAA server and Home AAA server in order to authenticate and authorise the WLAN UE for network access.
5. Detailed Description
The evolved WLAN Cellular network architecture is illustrated in Figure 2, where the new parts of the network in accordance with this invention are the shaded boxes. A Cellular Gateway (CellGate) Server 200 is placed in the WLAN Access Network 106. The WLAN UE 100 is subscribed to a Home Cellular Operator. The Home Cellular operator typically manages the Wireless Gateway 203, the Home Location Register (HLR) 109 and the Home Mobile Services 206 that are situated in the Home network.
The Home Cellular operator also distributes the CellGate software client 204 that runs on the WLAN UE to all its WLAN UEs. This invention is not limited to such a specific location or management of these network nodes, but this scenario is used as a means to most clearly describe the invention.
When the WLAN UE 100 connects to the WLAN Access Network 106, the CellGate client 204 accesses the SIM or USIM on the WLAN UE and communicates with the CellGate Server 200 to authenticate the WLAN UE. The communication between CellGate client 204 and server 200 is based on EAP. The CellGate Server 200 then functions as AAA client towards the local Visited AAA server 103.
The local Visited AAA server 103 identifies the WLAN UE's Home network by inspecting the authentication information and it passes the AAA message towards the appropriate Home AAA Server 110. In the Home network the EAP/AAA Server 201 is configured with the address of the Home AAA server and therefore processes AAA traffic directed to the Home AAA server. The Home AAA server examines the authentication information and determines whether it is a Cellular WLAN SIM-based authentication (e.g. EAP-SIM or EAP-AKA). If it is a SIM-based procedure the EAP/AAA Server 201 will process the request to verify the device credentials, which may or may not be directly related to the user of such device. A Challenge/Response security procedure is performed as described in section 5.1.
The EAP/AAA Server 201 will determine whether the correct credentials have been supplied by sending a request to the HLR Proxy 205 to obtain the appropriate user's security quintuplets or triplets. The HLR Proxy 205 processes this request, obtains the set of security quintuplets or triplets by requesting them from the HLR 109 and returns them to the EAP/AAA Server 201. The EAP/AAA Server 201 then checks the requested security quintuplets or triplets against the information supplied by the WLAN UE. If the security information supplied by the WLAN UE matches that returned by the HLR then the WLAN UE has been successfully authenticated, otherwise the authentication has failed. If the authentication is successful then the WLAN UE is able to utilise the WLAN Access Network to send and receive data traffic as described in section 5.5.
The authentication result is sent from the Home AAA Server 110 to the Visited AAA Server 103 and finally to the CellGate Server 200. The CellGate Server 200 will then inform the WLAN UE of the result. In the case of a successful authentication the CellGate Server 200 also communicates with the WLAN AS 105 in order to unblock communication for the WLAN UE. This is done by sending the WLAN UE's IP address and layer 2 (MAC) address from the CellGate Server to the WLAN AS, so that the WLAN AS allows traffic to and from this WLAN UE to pass through it. The CellGate Server 200 also sends the WLAN UE profile to the WLAN AS 105 so that the WLAN AS may perform special handling of the WLAN UE's traffic as described in section 5.4. Once this procedure is complete a hierarchy of keys will be established as described in section 5.3. These keys may be used by the WLAN UE to establish secure communication between itself and network elements such as the WLAN AS 105 or the WLAN Gateway 202 as described in section 5.3.
5.1 Message Exchange
The detailed message exchange for the procedure illustrated previously is shown in Figure 3. A description of these message exchanges is given below.
When the WLAN UE 100 connects to the WLAN access network (106 in Figure 2) the WLAN UE CellGate software client 204 requests access from the CellGate Server 200 in message 1.
This prompts a message from the CellGate server for the WLAN UE's identity in message 2. The identity can be the WLAN UE's Network Address Identifier (NAI) or any other identifier that can be used to uniquely identify the WLAN UE and the realm that it belongs to. Message 2 also contains information on the WLAN Access Network Provider, such as the operator's name and the capabilities or services available. The WLAN UE CellGate client 204 replies with its identity in message 3.
An Access request (including the WLAN UE's identity) is then sent from the CellGate server 200 to the local Visited AAA 103 server in message 4. The Visited AAA server 103 in turn forwards the Access Request to the home AAA server 110 in message 5.
The home AAA server 110 then authenticates the WLAN UE CellGate client 204 by sending a cryptographic challenge that requires a particular cryptographic response based on the WLAN UE's shared secret and a sequence number. The challenge is sent in message 6 to the WLAN UE's local visited AAA server 103. This challenge is then sent in Message 7 from the local visited AAA server 103 to the CellGate server 200. The CellGate server 200 forwards the challenge to the WLAN UE Cellgate client 204 in message 8.
The WLAN UE CellGate client 204 verifies whether the challenge is correct based on its knowledge of the shared secret and the sequence number. This allows the WLAN UE to authenticate the home AAA server 110 (i.e. determine whether the Home AAA server that issued the challenge is really the WLAN UE's Home server rather than a malicious entity).
The WLAN UE CellGate client 204 then replies with message 9, based on the result of its authentication procedure, which includes the response to the challenge if the Home AAA server 110 was authenticated correctly in the previous step. The WLAN UE CellGate client's response in message 9 is sent to the CellGate server 200, which forwards it to the local Visited AAA server 103 in message 10. The local Visited AAA server 103 forwards the Response to the Home AAA server 110 in message 11.
The Home AAA server 110 checks the Response to the challenge against the expected response and thus determines whether the WLAN UE has performed successful authentication or not.
Upon successful authentication the Home AAA server 110 authorises the WLAN UE 100 for network access by informing the local Visited AAA server 103 of the successful result of the authentication. This information is included in the Access Reply message 12. In the same message the Home AAA server 110 includes the WLAN UE's profile and some of the keys required for the UE to secure communication with local nodes, further described in sections 5.4 and 5.3.
The authentication result information in the Access Reply message is forwarded from the local Visited AAA server 103 to the CellGate server 200 in message 13. The CellGate server then extracts the WLAN UE's profile and keys required to communicate with the WLAN UE in a secure manner and informs the WLAN UE of the authentication result in message 14. Message 14 does not include any keys or the WLAN UE's profile since that information is kept by the CellGate server 200.
Finally, if the authentication was successful, the CellGate server 200 sends a Command message (Message 15) to the WLAN AS 105. This message commands the WLAN AS 105 to allow the WLAN UE's traffic through it and instructs the WLAN AS 105 how to handle that traffic by providing it with the WLAN UE's profile related to data traffic. If the profile requires a secure connection between the WLAN UE 100 and the WLAN AS 105 then the CellGate server also includes security information in Message 15, including the security keys and security type described in sections 5.3 and 5.4.
5.2 WLAN UE - AAA server authentication
Mutual authentication between the WLAN UE and the Home AAA server is utilised in this invention, such that the WLAN UE can determine that the Home AAA Server is not a malicious impersonating node, and vice versa for the Home AAA Server with the WLAN UE.
A successful authentication allows the device to gain access to the visited WLAN Access Network. As a result of the authentication mechanism, a hierarchy of keys is generated. This is known to the end device (WLAN UE) and the Home AAA server. Some of the keys can be used to secure communication between the WLAN UE and various application servers in the visited or home network.
In addition, a subscriber's profile is downloaded from the Home AAA server to the CellGate server in the visited WLAN Access network, through the local Visited AAA server.
A temporary identifier for the WLAN UE is generated by the Home AAA server to be used by network nodes in the Visited network when communicating with the WLAN UE, or when communicating information about such WLAN UE to other network nodes. The temporary identifier is sent from the Home AAA server to both the CellGate server and to the WLAN UE. Communication with the CellGate server is done through the local Visited AAA server. The temporary identifier is encrypted when sent to those entities. The temporary identifier and its encryption are needed to allow for user anonymity. The Home AAA server is configured with different spaces of numbers as follows:
Permanent space: This space is dedicated to permanent identifiers that are used by devices and are tied to a shared secret between the WLAN UE and the Home AAA server.
Temporary space: This space is dedicated to temporary identifiers that are used by the WLAN UE after authentication for the purpose of anonymity.
The Permanent identifier space can be further divided to indicate different categories of users. Such division need not be universal and can be done by the operator.
5.3 Key Hierarchy
Every Home AAA server stores all Permanent identifiers and the shared secret (root key) associated with each identifier. The root key is known only to the Home AAA server 110 and the WLAN UE CellGate client 204. In cellular networks the SIM card, used by the WLAN UE CellGate client 204, and the HLR 209 contain the root key. When a WLAN UE is authenticated, the root key and the device identifier, in addition to a Pseudo Random Function, are used to generate a Master key. The Master key is then used to generate several other keys that are used to secure communication between the WLAN UE and other entities within the local network (e.g. WLAN AS or CellGate server).
Keys are distributed from the Home AAA server to the local Visited AAA server. Each application that requires mutual authentication between the WLAN UE and the application server can be provided with a key in an open manner without compromising the security of the key. An example for the generation of application-specific keys is shown below:
Appkey = hash(MasterKey | Appname)
The Appkey is the application-specific key. The MasterKey is the Master key generated by the Home AAA server for the purpose of generating application-specific keys. The Appname is a text string that includes the name of the application. For example the Appname for the Session Initiation Protocol could be "SIP".
When a device attempts to communicate with an application, it can generate the Appkey using the above formula (as an example) and attempt to authenticate the message using such key. The application server can then pull the same information from the local Visited (or Home) AAA server to authenticate the message.
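The exchange of sections 5.1 to 5.3 as a runnable simulation, added here as an illustration and not code from the patent: the Home AAA server issues a challenge carrying a MAC so the CellGate client can authenticate the server before answering (messages 8 to 9), the server checks the response (message 11), and on success the CellGate server opens the WLAN AS filters and hands it only an application-specific key derived as Appkey = PRF(MasterKey, Appname) (message 15). The PRF (HMAC-SHA256), the AUTN/RES/MASTER labels, the 6-byte sequence number, the transparent Visited AAA relay and the subscriber data are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

def prf(key: bytes, *parts: bytes) -> bytes:
    """Pseudo Random Function for every derivation (assumption: HMAC-SHA256)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def app_key(master_key: bytes, app_name: str) -> bytes:
    """Section 5.3: Appkey = hash(MasterKey | Appname), instantiated with the keyed PRF."""
    return prf(master_key, app_name.encode())

@dataclass
class HomeAAA:
    """Home AAA server 110: permanent identifier -> root key, sequence number, profile."""
    subscribers: dict
    pending: dict = field(default_factory=dict)   # identity -> (sqn, expected response)

    def challenge(self, identity: str):
        """Message 6: RAND, SQN and a MAC that lets the UE authenticate the home server."""
        sub = self.subscribers[identity]
        sub["sqn"] += 1
        rand = secrets.token_bytes(16)
        sqn = sub["sqn"].to_bytes(6, "big")
        mac = prf(sub["root"], b"AUTN", rand, sqn)
        self.pending[identity] = (sqn, prf(sub["root"], b"RES", rand, sqn))
        return rand, sqn, mac

    def verify(self, identity: str, res: bytes):
        """Message 11 -> 12: check RES; on success return profile, temporary id and master key."""
        sub = self.subscribers[identity]
        sqn, xres = self.pending.pop(identity)
        if not hmac.compare_digest(res, xres):
            return None
        master = prf(sub["root"], b"MASTER", identity.encode(), sqn)
        return {"temp_id": "tmp-" + secrets.token_hex(8),   # temporary identifier space (5.2)
                "profile": sub["profile"], "master_key": master}

@dataclass
class CellGateClient:
    """CellGate client 204 on the WLAN UE; in practice the root key sits on the (U)SIM."""
    identity: str
    root: bytes
    last_sqn: int = 0
    master_key: bytes = b""

    def answer(self, rand: bytes, sqn: bytes, mac: bytes):
        """Message 8 -> 9: authenticate the home server first, only then compute RES."""
        if not hmac.compare_digest(mac, prf(self.root, b"AUTN", rand, sqn)):
            return None                                  # not issued by our home server
        if int.from_bytes(sqn, "big") <= self.last_sqn:
            return None                                  # replayed challenge
        self.last_sqn = int.from_bytes(sqn, "big")
        self.master_key = prf(self.root, b"MASTER", self.identity.encode(), sqn)
        return prf(self.root, b"RES", rand, sqn)

@dataclass
class AccessServer:
    """WLAN AS 105: a UE's ports stay closed until the CellGate server's command (message 15)."""
    allowed: dict = field(default_factory=dict)

    def command(self, ip: str, mac: str, profile: dict, security=None):
        self.allowed[(ip, mac)] = {"profile": profile, "security": security}

    def is_open(self, ip: str, mac: str) -> bool:
        return (ip, mac) in self.allowed

def cellgate_session(client, home, access_server, ip, mac):
    """CellGate server 200: relays messages 1-14 and issues message 15 on success.
    The Visited AAA server 103 is modelled as a transparent relay."""
    rand, sqn, mac_tag = home.challenge(client.identity)        # messages 4-8
    res = client.answer(rand, sqn, mac_tag)                      # message 9
    if res is None:
        return {"result": "reject", "reason": "home server not authenticated"}
    reply = home.verify(client.identity, res)                    # messages 10-13
    if reply is None:
        return {"result": "reject", "reason": "response mismatch"}
    security = None
    if reply["profile"].get("local_security"):
        # only the AS-specific key leaves the CellGate server; the master key does not
        security = {"type": reply["profile"]["local_security"],
                    "key": app_key(reply["master_key"], "WLAN-AS")}
    access_server.command(ip, mac, reply["profile"], security)   # message 15
    return {"result": "accept", "temp_id": reply["temp_id"]}     # message 14: no keys, no profile

def make_home(identity: str, root: bytes, local_security="IPsec") -> HomeAAA:
    """Constructed subscriber database for the demonstration (profile values are made up)."""
    return HomeAAA({identity: {"root": root, "sqn": 0,
                               "profile": {"service_level": "Gold",
                                           "local_security": local_security}}})
```

A challenge from a server holding a different root key, or a replayed challenge, is refused by the client before any response is produced, so the WLAN AS ports stay closed.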
5.4 User Profiles
The Home AAA server is responsible for passing the authentication results to the local Visited AAA server. In addition, it passes the subscriber's (WLAN UE's) profile. The profile includes the type of subscription, in addition to several other attributes that are used to indicate the level of service required for each subscriber and the services that a subscriber is authorised to use. Examples of the parameters included in the profile are:
Service level: This parameter indicates the service level agreement between the user and the home operator (e.g. Gold, Silver, Bronze).
IP address: This parameter includes the IP address(es) allocated to the user. This may include one or more IP addresses using IPv4 and IPv6.
Local services: This parameter indicates whether the subscriber is allowed to use local services within the visited WLAN Access network.
Global services: This parameter is an indexed array that lists the Global services that the subscriber is allowed to use (i.e. services known to the home and visited networks). Examples of such services are: Voice, Data, Video.
Time: This parameter indicates the amount of time the user is allowed access to the network. This field is useful for operators that use utilization time for billing purposes.
Data throughput or quantity: This parameter indicates the amount of data or data rate that the user is allowed to send and receive while in the visited network.
Reauth: This parameter states the frequency of reauthentication required to the Home AAA server.
Tunnel end point and Traffic type: This is an optional field that indicates whether and what type of WLAN UE traffic should be tunnelled to the home operator's network (WLAN Gateway 202) and, if so, it includes the transport IP and port addresses, tunnel type, security information and so on.
Local Security: This is an optional field that indicates whether the WLAN UE requires a secure local connection to be established between itself and the WLAN AS. It also indicates the type of security connection required, where an example
The WLAN UE user's profile is used to control the user access by the visited WLAN Access Network and to guarantee that the user will only have access to billable services (to the Home network).
5.5 Data Traffic Handling
If the WLAN UE 100 is successfully authenticated and authorised for network access, according to the procedures described previously, then the WLAN UE 100 is allowed to send and receive data traffic through the visited WLAN Access network 106. The CellGate Server 110 receives the authentication results from the Visited AAA server 103. If the authentication was successful the CellGate server 200 communicates with the WLAN AS 105 to instruct it to open up the filters for the WLAN UE by providing the WLAN AS with information identifying the WLAN UE such as IP address and lower layer (MAC) address. This allows the WLAN UE 100 to utilize the visited WLAN Access Network 106. If the generic WLAN AP 209 in the WLAN Access Network supports access filtering control then the CellGate server 200 communicates this information also to the WLAN AP 209.
The WLAN AS 105 can then handle the WLAN UE's traffic in different ways. The same traffic handling function could be performed by the WLAN AP 209. For simplicity this functionality will be described using the WLAN AS as reference, but it should be noted that this part of the invention can be applied equally to the WLAN AP. Two different routing methods are used for WLAN AS handling of WLAN UE traffic in this invention:
Direct Internet access: In this case the user's outgoing packets are forwarded between the WLAN UE and the WLAN AS (105 in Fig. 2). The WLAN AS forwards these packets towards the Internet or Corporate networks as per normal IP routing.
Tunnel traffic to the WLAN Gateway: In this case the WLAN UE's outgoing packets are tunnelled to the WLAN Gateway 202, which provides a tunnel end point for each WLAN Access Network. All or a part of the WLAN UE's traffic is tunnelled to the tunnel end point. The typical location for the WLAN Gateway 202 is the Home Operator's network.
The WLAN AS 105 receives user policy information from the CellGate Server 200 following a successful authentication. This policy information contains a routing policy that informs the WLAN AS 105 how it should route data to or from a specific WLAN UE. This policy may specify that a certain portion of the traffic, such as but not limited to the portion of traffic directed to the Home Mobile Services 206, should be routed towards the Wireless Gateway 203 in the home network through path 208 in Figure 2, while the remaining traffic, if any, should be routed directly to the Internet through path 207 in Figure 2. Alternatively the routing policy may specify that all traffic for a specific WLAN UE is to be routed to the Wireless Gateway 203 in the home network (path 208 in Figure 2) or that all traffic is to be routed directly to the Internet (path 207 in Figure 2).
The Direct Internet traffic routing case (path 207) involves either communication to the Internet or corporate networks. In the case of corporate networks the CellGate server 200 sends policies to the WLAN AS 105 that require a secure tunnel to be used for the WLAN UE's traffic between WLAN AS 105 and the corporate network in 108. This may be any type of secure IP tunnel including IPsec (IP security) and L2TP (Layer 2 Tunnelling Protocol) as described in section 5.4.
Instead, if all or a certain portion of the WLAN UE's traffic is to be tunnelled to the Wireless Gateway 203 in the home network (path 208), the Home AAA server 110 communicates the traffic description and tunnel information to the CellGate server 200, via the local visited AAA server 103, as part of the WLAN UE policy information described in section 5.4. The WLAN AS 105 configures one IP tunnel per WLAN Gateway 202 in each collaborating cellular operator's home network.
The WLAN Gateway 202 that acts as the tunnel endpoint in the home network performs filtering and packet counting functions according to the security and charging policies of the home operator.
The WLAN UE CellGate client 204 is able to obtain usage and current account status information either from the CellGate server 200, which would in turn obtain this information from the WLAN Gateway 202, or from the WLAN Gateway 202 directly.
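The routing policy described above (per-traffic tunnelling towards the home WLAN Gateway over path 208, direct Internet routing over path 207, a secure tunnel for corporate traffic, and filtering plus packet counting at the home tunnel end point) can be modelled as a small policy evaluator. The following is an added example written for this page, not code from the patent or from Alcyone Holding; the field names (`rules`, `default_route`, `home_gateway`), the placeholder endpoint names and the sample address ranges are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TunnelRule:
    """One traffic description from the profile: which destinations go through which tunnel."""
    dst_prefix: str            # destination prefix the rule matches
    dst_port: Optional[int]    # None matches any port
    endpoint: str              # tunnel end point: home WLAN Gateway or a corporate gateway
    tunnel_type: str           # "ipsec" or "l2tp", the two tunnel types named in the description


@dataclass
class RoutingPolicy:
    """Per-UE routing policy the WLAN AS receives from the CellGate server (field names assumed)."""
    rules: List[TunnelRule] = field(default_factory=list)
    default_route: str = "direct"          # "direct" = path 207, "home" = path 208
    home_gateway: Optional[str] = None     # tunnel end point in the home operator's network


Decision = Tuple[str, Optional[str], Optional[str]]   # (action, endpoint, tunnel_type)


def policy_is_consistent(policy: RoutingPolicy) -> bool:
    """A policy that sends traffic to the home network must name the home WLAN Gateway."""
    return policy.default_route != "home" or policy.home_gateway is not None


def route_packet(policy: RoutingPolicy, dst_ip: str, dst_port: int) -> Decision:
    """Decide how the WLAN AS forwards one outgoing packet from the UE.

    Returns ("direct", None, None) for normal IP routing towards the Internet, or
    ("tunnel", endpoint, tunnel_type) when the packet must go through a tunnel.
    """
    addr = ip_address(dst_ip)
    for rule in policy.rules:                      # specific traffic descriptions first
        if addr in ip_network(rule.dst_prefix) and rule.dst_port in (None, dst_port):
            return ("tunnel", rule.endpoint, rule.tunnel_type)
    if policy.default_route == "home":             # everything else to the home network
        if policy.home_gateway is None:
            raise ValueError("policy routes to the home network but names no WLAN Gateway")
        return ("tunnel", policy.home_gateway, "ipsec")
    return ("direct", None, None)                  # everything else via normal IP routing


class HomeWlanGateway:
    """Tunnel end point in the home network: filters and counts packets per UE."""

    def __init__(self, allowed_prefixes: List[str]) -> None:
        self.allowed = [ip_network(p) for p in allowed_prefixes]
        self.bytes_by_ue: Dict[str, int] = {}

    def accept(self, ue_id: str, dst_ip: str, size: int) -> bool:
        """Drop packets outside the home operator's security policy; count the rest for charging."""
        if not any(ip_address(dst_ip) in net for net in self.allowed):
            return False
        self.bytes_by_ue[ue_id] = self.bytes_by_ue.get(ue_id, 0) + size
        return True


# Constructed sample policies; all addresses are documentation or private ranges.
HOME_SERVICES = "10.20.0.0/16"          # stands in for the Home Mobile Services 206
HOME_GW = "wlan-gw.home.example"        # placeholder name for WLAN Gateway 202

SPLIT_POLICY = RoutingPolicy(            # home services tunnelled (path 208), rest direct (path 207)
    rules=[TunnelRule(HOME_SERVICES, None, HOME_GW, "ipsec")], default_route="direct")
ALL_HOME_POLICY = RoutingPolicy(default_route="home", home_gateway=HOME_GW)
ALL_DIRECT_POLICY = RoutingPolicy(default_route="direct")
CORPORATE_POLICY = RoutingPolicy(        # corporate traffic over a secure tunnel to the corporate network
    rules=[TunnelRule("192.0.2.0/24", None, "vpn.corp.example", "l2tp")], default_route="direct")
BROKEN_POLICY = RoutingPolicy(default_route="home")   # failure mode: no gateway named
```

The evaluator checks the specific traffic descriptions before the default so that a split policy tunnels only the home-service portion, and `policy_is_consistent` lets the access server reject a malformed "all traffic to home" policy at configuration time rather than failing on the first packet.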

Claims (41)

  1. A method of establishing communication between a mobile device and a network through an access network, the access network including an access point for connecting the mobile device to the access network, an access server for providing access to said network, and a gateway for authenticating the mobile device and for instructing the access server to allow data traffic between the mobile device and the network, the method comprising: transmitting an access request from the mobile device to the gateway, the access request including data for identifying the mobile device; transmitting an authentication challenge from the gateway to the mobile device; transmitting a response to the authentication challenge from the mobile device to the gateway; determining whether the mobile device is authorised and, if the mobile device is authorised: transmitting an indication of successful authentication from the gateway to the mobile device; and transmitting a mobile device profile and security information including a key from the gateway to the access server.
  2. A method according to claim 1, further comprising, at the mobile device: encrypting data using the key; and transmitting encrypted data to the access server.
  3. A method according to claim 1 or 2, further comprising, at the access server: receiving data from the network; identifying that the data is intended for said mobile device using the mobile device profile; and forwarding said data to the mobile device.
  4. A method according to any preceding claim, further comprising: transmitting a request to authenticate the mobile device from the gateway to a local authentication server in the access network, the request comprising information for identifying the mobile device and a home network; transmitting the request to authenticate the mobile device from the local authentication server to a home authentication server; transmitting a request for security information for authenticating the mobile device from the home authentication server via a home location register proxy to a home location register; receiving, at the home authentication server, security information for authenticating the mobile device; deriving, at the home authentication server, the authentication challenge from the security information; transmitting the authentication challenge from the home authentication server to the local authentication server; and transmitting the authentication challenge from the local authentication server to the gateway.
  5. A method according to any preceding claim, further comprising: transmitting the response to the authentication challenge from the gateway to a local authentication server in the access network; transmitting the response to the authentication challenge from the local authentication server to a home authentication server; comparing, at the home authentication server, the response with security information for authenticating the mobile device; determining, at the home authentication server, whether the response matches the security information; and if the response matches the security information, transmitting a success message indicating successful authentication, the security information and the mobile device profile, or, if the response does not match the security information, transmitting a failure message indicating unsuccessful authentication, from the home authentication server to the local authentication server; and transmitting the success message, the security information and the mobile device profile, or the failure message, from the local authentication server to the gateway.
  6. A method according to any preceding claim, further comprising: obtaining the response to the authentication challenge, at the mobile device, using a Subscriber Identity Module (SIM) card or 3G Universal Subscriber Identity Module (USIM) card.
  7. A method according to any preceding claim, further comprising: using Extensible Authentication Protocol for GSM Subscriber Identification Modules (EAP-SIM) and/or the Extensible Authentication Protocol for 3rd Generation Authentication and Key Agreement (EAP-AKA) to transport authentication information between the mobile device and a home authentication server.
  8. A method according to any preceding claim, further comprising: generating, at a home authentication server and at the mobile device, a master key from a root key for including in the security information for securing communication between the mobile device and the access server.
  9. A method according to claim 8, further comprising: generating an application-specific key from the master key.
  10. A method according to claim 9, further comprising: transmitting the application-specific key from the home authentication server to an application server.
  11. A method according to claim 9 or 10, wherein the application-specific key is used to establish a secure communication between the mobile device and the application server.
  12. A method according to claim 10 or 11, wherein the application server comprises a Session Initiation Protocol (SIP) server.
  13. A method according to any one of claims 8 to 12, comprising: establishing secure communication between the mobile device and the access server, wireless gateway, and/or the network using the security information.
  14. A method according to claim 13, comprising: establishing secure communication using Internet Protocol security (IPsec).
  15. A method according to any preceding claim, comprising: the access server configuring, using the mobile terminal profile, a secure IP tunnel between the access server and an access network gateway for connecting the access server to the network.
  16. A method according to claim 15, comprising: implementing the secure IP tunnel using Internet Protocol security (IPsec) and/or Layer 2 Tunnelling Protocol (L2TP).
  17. A method according to any preceding claim, further comprising: generating an application-specific security key for establishing secure communication by performing a hash function on the master key and an application name string.
  18. A method according to any preceding claim, comprising: if the mobile device is authorised: transmitting, from the gateway to the access point or access server, information for identifying the mobile device and an instruction to provide service to the mobile device.
  19. A method according to claim 18, comprising: transmitting, from the gateway to the access point or access server, security information for establishing secure communication between the mobile device and the access point or access server.
  20. A method according to any preceding claim, wherein the mobile device profile comprises service level information for indicating a service level.
  21. A method according to any preceding claim, wherein the mobile device profile comprises IP address information for the mobile device.
  22. A method according to any preceding claim, wherein the mobile device profile comprises local service information for indicating whether the mobile device is allowed to use local services within the access network.
  23. A method according to any preceding claim, wherein the mobile device profile comprises global service information for indicating services which the mobile device is allowed to use.
  24. A method according to any preceding claim, wherein the mobile device profile comprises time information for indicating the amount of time the mobile device is allowed access to the access network.
  25. A method according to any preceding claim, wherein the mobile device profile comprises data throughput or quantity information for indicating the data rate or data amount the mobile device is allowed to send and receive while in the access network.
  26. A method according to any preceding claim, wherein the mobile device profile comprises re-authorization frequency information for indicating the frequency with which the mobile device should re-authenticate with a home authentication server.
  27. A method according to any preceding claim, wherein the mobile device profile comprises tunnel end point and traffic type information for indicating, for different traffic types, whether data packets transmitted between the mobile device and the network are to be tunnelled and, if so, indicating at least IP and port addresses, tunnel type and security information.
  28. A method according to any preceding claim, wherein the mobile device profile comprises local security information for indicating whether the mobile device requires a secure local connection to be established between itself and the access server.
  29. A method according to any preceding claim, comprising: the access server blocking the mobile device from using services that it is not allowed to access and providing the mobile device with a subscribed quality of service in dependence upon the mobile device profile information.
  30. A method according to any preceding claim, comprising: the access server determining how to route traffic and whether it must establish a secure IP tunnel to an access network gateway for connecting the access server to the network in dependence upon tunnel endpoint and traffic type information contained in the mobile device profile.
  31. A method according to claim 30, comprising: the access server establishing a secure IP tunnel to each access network gateway in respective home networks.
  32. A method according to any preceding claim, comprising: identifying the mobile device using an international mobile subscriber identity (IMSI); identifying the mobile device using a mobile subscriber integrated services digital network (MSISDN) number; identifying the mobile device using a network address identifier (NAI); and/or identifying the mobile device using an IPv4 and/or IPv6 address and/or Medium Access Control (MAC) address.
  33. A method according to any preceding claim, comprising: identifying a home network of the mobile device using an international mobile subscriber identity (IMSI), a mobile subscriber integrated services digital network (MSISDN) number or a network address identifier; and identifying a network address of the home authentication server using the home network.
  34. An access network comprising: an access point for connecting a mobile device; an access server for providing access to another network; an authentication proxy for obtaining authentication information from a home authentication server; and a gateway configured to authenticate the mobile device and to instruct the access server to allow data traffic between the mobile device and the network.
  35. A method or network according to any preceding claim, wherein: the access network is a wireless network; the mobile device is a wireless user equipment; the access point is a wireless access point; and the access server is a wireless access server, and wherein the access network, the mobile device, the access point and the access server support Internet Protocol.
  36. A method or network according to claim 35, wherein: the access network is a wireless local area network (WLAN); the mobile device is a WLAN user equipment; the access point is a WLAN access point; and the access server is a WLAN access server.
  37. A method or network according to claim 35, wherein: the access network is an orthogonal frequency division multiplexing (OFDM) network; the mobile device is an OFDM user equipment; the access point is an OFDM access point; and the access server is an OFDM access server.
  38. A gateway for use in an access network including an access point, an access server and an authentication proxy, the gateway configured to exchange authentication information with a home authentication server via the local authentication proxy, to authenticate the mobile device and to instruct the access server to allow data traffic to and from the mobile device.
  39. A gateway according to claim 38, configured to transmit a challenge according to extensible authentication protocol (EAP).
  40. A gateway according to claim 38 or 39, configured to instruct the access server how to route data traffic to and from the mobile device.
  41. A method substantially as hereinbefore described with reference to Figures 2 and 3 of the accompanying drawings.
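Claims 1, 4, 5, 8 and 17 together describe one procedure: the gateway relays an identity-bearing access request, a challenge and a response between the mobile device and the home authentication server; on a match the home server releases a master key derived from the root key together with the device profile, the gateway pushes both to the access server, and application-specific keys are later hashed from the master key and an application name string. The following is an added example written for this page, not code from the patent or from Alcyone Holding. It is a simplified model: the real design uses EAP-SIM/EAP-AKA and the SIM/USIM algorithms, whereas here the SIM secret, the challenge/response and every key derivation are stood in for by HMAC-SHA256, the local authentication proxy is modelled as pass-through, and the IMSI, root key and profile values are constructed samples.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def kdf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 stand-in for the SIM/USIM algorithms and the master-key derivation (assumption)."""
    return hmac.new(key, label, hashlib.sha256).digest()


class SIM:
    """Mobile device side: holds the root key, answers challenges, derives the master key."""

    def __init__(self, root_key: bytes) -> None:
        self._root_key = root_key

    def respond(self, rand: bytes) -> bytes:
        return kdf(self._root_key, b"RES|" + rand)

    def master_key(self, rand: bytes) -> bytes:
        return kdf(self._root_key, b"MK|" + rand)          # same derivation as the home server


@dataclass
class HomeAAA:
    """Home authentication server; `subscribers` stands in for the HLR lookup via the HLR proxy."""
    subscribers: Dict[str, bytes]
    profiles: Dict[str, dict]
    pending: Dict[str, bytes] = field(default_factory=dict)

    def challenge(self, imsi: str) -> Optional[bytes]:
        if imsi not in self.subscribers:
            return None
        rand = os.urandom(16)
        self.pending[imsi] = rand
        return rand

    def verify(self, imsi: str, response: bytes) -> Tuple[str, Optional[bytes], Optional[dict]]:
        rand = self.pending.pop(imsi, None)                  # each challenge is usable once
        if rand is None:
            return ("failure", None, None)
        expected = kdf(self.subscribers[imsi], b"RES|" + rand)
        if not hmac.compare_digest(expected, response):      # constant-time comparison
            return ("failure", None, None)
        master = kdf(self.subscribers[imsi], b"MK|" + rand)  # master key from root key (claim 8)
        return ("success", master, self.profiles[imsi])


def app_key(master_key: bytes, app_name: str) -> bytes:
    """Application-specific key: keyed hash over the master key and the application name (claim 17)."""
    return hmac.new(master_key, app_name.encode(), hashlib.sha256).digest()


class AccessServer:
    """Access server: admits a UE only once the gateway has pushed its profile and key."""

    def __init__(self) -> None:
        self.admitted: Dict[str, Tuple[dict, bytes]] = {}

    def admit(self, imsi: str, profile: dict, key: bytes) -> None:
        self.admitted[imsi] = (profile, key)

    def allows_traffic(self, imsi: str) -> bool:
        return imsi in self.admitted


def gateway_access(home: HomeAAA, access_server: AccessServer, sim: SIM,
                   imsi: str) -> Tuple[str, Optional[bytes]]:
    """Gateway role in claim 1: request -> challenge -> response -> success/failure.

    Returns (result, master key as derived on the mobile device) so a caller can check that
    both sides agree on the key; the local authentication proxy is modelled as pass-through.
    """
    rand = home.challenge(imsi)                 # access request carrying the identity
    if rand is None:
        return ("failure", None)
    response = sim.respond(rand)                # challenge to the UE, response back
    result, master, profile = home.verify(imsi, response)
    if result != "success":
        return ("failure", None)                # nothing reaches the access server
    access_server.admit(imsi, profile, master)  # profile + security information to the AS
    return ("success", sim.master_key(rand))


# Constructed sample subscriber: test-network MCC/MNC 001/01, made-up root key and profile.
IMSI = "001010000000001"
ROOT_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
PROFILE = {"service_level": "gold", "local_services": True, "reauth_minutes": 60}


def make_home_aaa() -> HomeAAA:
    """Fresh home authentication server holding the one constructed subscriber."""
    return HomeAAA(subscribers={IMSI: ROOT_KEY}, profiles={IMSI: dict(PROFILE)})
```

Two properties worth noting from the model: the access server never receives a profile or key unless the home server reports a match, so an unauthenticated device has no state at the access server to abuse, and the home server discards each challenge after one verification, so a captured response cannot be replayed to obtain a second admission.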
GB0406351A 2004-01-31 2004-03-20 Wireless LAN cellular gateways Ceased GB2417856B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
GB0406351A GB2417856B (en) 2004-03-20 2004-03-20 Wireless LAN cellular gateways
US11/490,856 US8824430B2 (en) 2004-01-31 2006-07-21 Wireless mobility gateway

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB0406351A GB2417856B (en) 2004-03-20 2004-03-20 Wireless LAN cellular gateways

Publications (3)

Publication Number Publication Date
GB0406351D0 GB0406351D0 (en) 2004-04-21
GB2417856A true GB2417856A (en) 2006-03-08
GB2417856B GB2417856B (en) 2008-11-19

Family

ID=32118117

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0406351A Ceased GB2417856B (en) 2004-01-31 2004-03-20 Wireless LAN cellular gateways

Country Status (1)

Country Link
GB (1) GB2417856B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008033244A2 (en) * 2006-09-15 2008-03-20 Lucent Technologies Inc. A method and apparatus for concurrent registration of voice and data subscribers
WO2010057595A1 (en) 2008-11-18 2010-05-27 Ip.Access Limited Method and apparatus for providing access to a packet data network
GB2485388A (en) * 2010-11-12 2012-05-16 Trinity College Dublin Authorising a user device comprising a subscriber identity module to access wireless networks other than a cellular network
US10171998B2 (en) 2007-03-16 2019-01-01 Qualcomm Incorporated User profile, policy, and PMIP key distribution in a wireless communication network

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003077572A1 (en) * 2002-03-13 2003-09-18 Adjungo Networks Ltd. Accessing cellular networks from non-native local networks
WO2004034720A2 (en) * 2002-10-08 2004-04-22 Nokia Corporation Method and system for establishing a connection via an access network
WO2004095803A1 (en) * 2003-04-15 2004-11-04 Thomson Licensing S.A. Techniques for offering seamless accesses in enterprise hot spots for both guest users and local users

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003067439A1 (en) * 2002-02-04 2003-08-14 Flarion Technologies, Inc. A method for extending mobile ip and aaa to enable integrated support for local access and roaming access connectivity
ATE380424T1 (en) * 2002-05-01 2007-12-15 Ericsson Telefon Ab L M SYSTEM, APPARATUS AND METHOD FOR SIM BASED AUTHENTICATION AND ENCRYPTION WHEN ACCESSING A WIRELESS LOCAL NETWORK
US8341700B2 (en) * 2003-10-13 2012-12-25 Nokia Corporation Authentication in heterogeneous IP networks

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003077572A1 (en) * 2002-03-13 2003-09-18 Adjungo Networks Ltd. Accessing cellular networks from non-native local networks
WO2004034720A2 (en) * 2002-10-08 2004-04-22 Nokia Corporation Method and system for establishing a connection via an access network
WO2004095803A1 (en) * 2003-04-15 2004-11-04 Thomson Licensing S.A. Techniques for offering seamless accesses in enterprise hot spots for both guest users and local users

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008033244A2 (en) * 2006-09-15 2008-03-20 Lucent Technologies Inc. A method and apparatus for concurrent registration of voice and data subscribers
WO2008033244A3 (en) * 2006-09-15 2008-06-19 Lucent Technologies Inc A method and apparatus for concurrent registration of voice and data subscribers
US8306529B2 (en) 2006-09-15 2012-11-06 Alcatel Lucent Method and apparatus for concurrent registration of voice and data subscribers
US10171998B2 (en) 2007-03-16 2019-01-01 Qualcomm Incorporated User profile, policy, and PMIP key distribution in a wireless communication network
US11463874B2 (en) 2007-03-16 2022-10-04 Qualcomm Incorporated User profile, policy, and PMIP key distribution in a wireless communication network
WO2010057595A1 (en) 2008-11-18 2010-05-27 Ip.Access Limited Method and apparatus for providing access to a packet data network
GB2465402B (en) * 2008-11-18 2011-05-25 Ip Access Ltd Method and apparatus for providing access to a packet data network
US10021630B2 (en) 2008-11-18 2018-07-10 Ip.Access Limited Method and apparatus for providing access to a packet data network
GB2485388A (en) * 2010-11-12 2012-05-16 Trinity College Dublin Authorising a user device comprising a subscriber identity module to access wireless networks other than a cellular network

Also Published As

Publication number Publication date
GB2417856B (en) 2008-11-19
GB0406351D0 (en) 2004-04-21

Similar Documents

Publication Publication Date Title
EP1770940B1 (en) Method and apparatus for establishing a communication between a mobile device and a network
RU2745719C2 (en) Implementation of inter-network connection function using untrusted network
RU2304856C2 (en) Method and system, meant for setting up a connection via access network
AU2005236981B2 (en) Improved subscriber authentication for unlicensed mobile access signaling
EP1523129B1 (en) Method and apparatus for access control of a wireless terminal device in a communications network
US7936710B2 (en) System, apparatus and method for sim-based authentication and encryption in wireless local area network access
CN106105134B (en) Method and apparatus for improving end-to-end data protection
FI121560B (en) Authentication in a mobile communication system
KR102390380B1 (en) Support of emergency services over wlan access to 3gpp evolved packet core for unauthenticated users
US20080026724A1 (en) Method for wireless local area network user set-up session connection and authentication, authorization and accounting server
US20050114680A1 (en) Method and system for providing SIM-based roaming over existing WLAN public access infrastructure
US20060019635A1 (en) Enhanced use of a network access identifier in wlan
US9226153B2 (en) Integrated IP tunnel and authentication protocol based on expanded proxy mobile IP
US10461987B2 (en) Voice and text data service for mobile subscribers
US20130104207A1 (en) Method of Connecting a Mobile Station to a Communcations Network
CN110249648B (en) System and method for session establishment performed by unauthenticated user equipment
US20060046693A1 (en) Wireless local area network (WLAN) authentication method, WLAN client and WLAN service node (WSN)
US20040133806A1 (en) Integration of a Wireless Local Area Network and a Packet Data Network
WO2006013150A1 (en) Sim-based authentication
EP1624639B1 (en) Sim-based authentication
Kunz et al. New 3GPP security features in 5G phase 1
RU2292648C2 (en) System, device, and method designed for sim based authentication and for encryption with wireless local area network access
GB2417856A (en) Wireless LAN Cellular Gateways
Iyer et al. Public WLAN Hotspot Deployment and Interworking.
El-Sadek et al. Universal mobility with global identity (UMGI) architecture

Legal Events

Date Code Title Description
AT Applications terminated before publication under section 16(1)
ERR Erratum

Free format text: APPLICATION NUMBER GB0406351.7 PREVIOUSLY ANNOUNCED AS TERMINATED IN ERROR IN JOURNAL NUMBER 6085 ON 20060104 HAS NOW BEEN REINSTATED UNDER THE PROVISIONS OF R.100(2)(B).

732E Amendments to the register in respect of changes of name or changes affecting rights (sect. 32/1977)

Free format text: REGISTERED BETWEEN 20101223 AND 20101229