JP2003519871A - System and method for managing network access - Google Patents

Abstract

(57) Abstract: A method and system that requires a policy server and a service gateway that send messages to each other via a user's network access application program. In one embodiment, the network access application program is an Internet web browser (2). The service gateway receives a network access request from a user and sends an authorization request message for the user to the policy server via the user's network application program (4). In one embodiment, the network access request is an Internet web site access request. The service gateway then receives an authorization message initiated by the policy server (8) from the user's network access application program for the user if the policy server has granted access. The service gateway then provides the user with access to a network such as the Internet (12). The policy server receives from the user's network access application program an authorization request message initiated by the service gateway. The policy server processes the payment information received from the user, deems it satisfactory, and provides an authorization message for the user to the service gateway via the user's network access application program. .

Description

Description: [0001] This application is related to US Provisional Application No. 60/177, filed January 13, 2000.
Claim 187 benefits. FIELD OF THE INVENTION [0002] The present invention relates to the field of network access management. More specifically,
Ming pays to provide access to networks such as the Internet
A receiving system and method. BACKGROUND [0003] The Internet and personal computers have become commonplace in modern society.
It is wide. For many years, the Internet has existed in various forms,
The Internet will be mass communication with the introduction of the World Wide Web.
It became popular as a tool of the game. The World Wide Web is
Can easily identify the remote computer, connect to the remote computer,
This is one means for referring to information stored in a computer. During the use of the Internet, various communication protocols that allow the Internet to function.
Col is hidden from the user. Various committees known as working groups
And ad hoc groups prepare and maintain the Internet. Inn
A working group under the Internet Technical Standards Committee (IETF) is
Determine the rules and protocols for the underlying functions of the
Issued as a request for comment called FC. RFC via the Internet
And are exclusively available on various web sites. [0005] Web sites are now referred to as uniform resource identifiers (URIs).
Termed a uniform resource locator (URL) encompassed by the term
Specified by text description or name. ("Uniform Reso
use Identifiers (URI): Generic Syntax "
RFC 2396, August 1998, http: // www. rfc-edit
or. org / rfc / rfc2396. txt Draft Standard
d (see draft standard)) In general, the information is stored in the user datagram
Col (UDP), Transmission Control Protocol / Internet Protocol (TCP /
IP), and Hypertext Transfer Protocol (HTTP) running on TCP
By the Internet. For more information, see Postel, "U
ser Datagram Protocol, RFC 768, August 1980
March 28, http: // www. rfc-editor. org / rfc76
8. txt, T.M. Socolofsky and C.I. Kale, "A TCP / I
P Tutorial, RFC 1180, January 1991, http: // www
w. ief. org / rfc / rfc1180. / Txt, R.I. Fielddi
ng et al., "Hypertext Transfer Protocol-HTT"
P / 1.1 "RFC 2616, June 1999 (Draft Standard)
) Http: // www. ieft. org / rfc / rfc2616. txt
Available from [0006] As the use of the World Wide Web over the Internet increases,
Demand for high-speed Internet access has also increased. Individuals and small businesses are high
You may want high-speed Internet access, many of which, for example,
High-speed Internet such as cable modem, digital subscriber line (DSL), T1 line, etc.
Are not willing to pay for the costs associated with acquiring a network connection. Multiple occupants, multiple rooms
Or the interface of a common building such as an apartment, office building, dormitory room, etc.
To provide high-speed Internet access to Internet users
Share access to a high-speed Internet connection to multiple users in one location
Make it possible. These Internet users have access to the Internet.
And willing to pay for the same access. Same high-speed access method
This is especially true if it can be shared with others who use the law. [0007] In addition, computer users can use portable computers and other personal computers.
When traveling with a computing device and carrying it,
Use your home or home office resources on network resources such as the Internet and web servers.
May wish to access from a remote location, such as a hotel. Further
In some places, such as hotels, it may be turned on as needed by the visiting user.
Network access can be provided for demanding use. this
Such users have access to network resources such as the Internet and web servers.
You may want to access this network access at that location
There are cases. These computer users have access to the Internet.
There is willingness to pay for it and that is possible. Also, at that location,
Go to the Internet as long as you can compensate or make a profit
You may be willing to access. SUMMARY OF THE INVENTION In many embodiments, the methods and systems of the present invention include multiple occupants, multiple occupants,
For the owner or manager of the room building to a network such as the Internet
To provide shared high-speed access. The method and system are
Function), and then provide users with a network such as the Internet.
Access to the network. This policy server
The authorization request message initiated by the gateway is sent to the user's network
Received from the access application program. The policy server
Process payment information received from the user and consider the payment information satisfactory
Sends an authorization message about the user to the user's network access app.
To the service gateway through the application program. (Detailed Description) A. Systems and Methods for Managing Access to the Internet In many embodiments, the methods and systems of the present invention include multiple occupants, multiple
For the owner or manager of the room building to a network such as the Internet
To provide shared high-speed access. For example, if hotel guest
High-speed connection to the Internet. In another embodiment, the apartment or
Similar access could be provided to tenants of office buildings. same
Thus, in yet another embodiment, providing dormitory students with similar access
Can also. FIG. 1 illustrates the flow of operations taken with respect to one embodiment of the systems and methods of the present invention.
This is shown. Users, customers, renters, etc. can work on a
Whether you're at the top or a personal computing device,
Direct computer access to the site for network access
Plug into the line that provides the
Network access application programs such as web browsers
Ram can be started. In one embodiment, as shown in block 2, the user
The user can connect to the network by pointing the web browser to a web site.
Issue an access request. Specify the web site to be displayed on the user's screen
Web pages provided by hotels, property management companies, etc.
Page, for example, up to the time of checkout, for the total time,
Or request for access to the Internet for a certain period of time, such as until the designated date and time
Instruct the user to agree to receive. More specifically, in one embodiment
Is a service game where multiple occupants reside, as shown in block 4.
Tway intercepts the website request and sends the user's web browser
User's web site so that the user sends an authorization request message to the policy server.
-Redirect the browser to the policy server. The policy server:
Request payment and usage information from the user as shown in block 5
Provide web pages to This web page, as shown in block 6
Then, when the user enters payment and usage information, the user does not
Server that will submit the payment information for the policy to the policy server
Contains a hidden reference to Remotely located on the Internet,
This policy allows you to grant or deny access to the Internet.
It is a server. The user agrees to accept the charge, as shown in block 8
After providing the requested payment and usage information, the policy server
Allow users to access the Internet. The policy server:
The user grants Internet access, as shown in block 10.
To notify the service gateway that this should be done.
Internet access by redirecting web browsers
Instruct the service gateway to grant to the user. In one embodiment,
This is when the policy server sends a message to the user's web browser.
Is achieved by This allows the user's web browser to
Provide a permission grant message to the service gateway without the knowledge of the user
I do. In this way, the customer's computer has access to the Internet,
For example, until check-out, until a specified date and time, or only a specified date and time
Granted by the service gateway only during the authorization period of. Service game
Twaye then proceeds through the web page to the user, as shown in block 12.
Confirm access to the user and, in one embodiment, the default start web page.
In another embodiment, the user's web browser can be provided.
, The user may be redirected to the originally requested web site. B. Network of systems and methods for managing access to the Internet
FIG. 2 illustrates a network architecture of one embodiment of the system and method of the present invention.
Represents Kucha. According to one embodiment of the present invention, the system and method
A plurality of user computers 40, hubs 28, policy
It includes a server 34 and a service gateway 14. In one embodiment, the
The policy server 23 and the service gateway 14 are connected to the Internet.
You. This connection may be, but is not limited to, an Integrated Services Digital Network (ISDN)
, Digital subscriber line, cable modem T1 line, T3 line, etc.
This is done by methods known to those skilled in the art, including: In another embodiment, using wireless communication
It is also possible. In an alternative embodiment, the policy server 23 and the service
Gateway 14 can be any computer that enables data communication between them.
They can be connected to each other by communication means. Dedicated line etc. for such connection
But not limited to this. In one embodiment, in particular, owned by multiple persons
If the building is large and / or owns the facility, or
The entity that rents the server owns multiple buildings or locates buildings that are geographically separated.
If so, a plurality of policy servers 34 and service gateways 1
4 may be added to the method of the invention. In addition, multiple hubs 48 or multiple hubs
Similar devices such as loudspeakers, concentrators, etc.
You may connect to the tower. In one embodiment, the method comprises a policy server 34 and a service gate.
Implemented as software stored in ways 14 and executed by them
. The policy server 34 and the service gateway 14 are software
Software programs, and communication networks such as the Internet.
It can be any server computer that can access the network. one
In an embodiment, service gateway 14 includes processor 15 and memory 1
6 inclusive. Processor 15 may be any computer processor, and may include memory 1
6 is any random access memory (RAM) or other readable
A functional and writable memory device may be used. Processor 15 utilizes memory 16 to implement software for implementing the method of the present invention.
Execute the software. Information, including software implementing the method of the invention, is stored on a disc.
Read from the disk drive 17 coupled to the controller 18 and
Is written to the disk drive 17. Disk drive 17 is a hard disk
Drive, readable and writable compact disc (CDRW) drive
Live, floppy disk drive, stick or card type
Memory devices, digital audio table (DAT) readers, etc.
Is local to the processor, as well as a network or any communication method
And any other machine-readable medium remotely connected by The processor is
Transmits an instruction to the display controller 20 and displays an image on the display device 22
Can be done. The display controller 20 is an optional display controller.
The display device 22 may be a cathode ray tube (CR)
T) display monitor or any display including thin film transistor (TFT) display screen
A monitor is fine. A system administrator or other similar person may, for example,
Optional keyboard 24, mouse 26, etc., coupled to the processor by a
Access payment system server 14 through a computer input device
Can be. The service gateway 14 also includes a network interface 30.
In this embodiment, the service gateway 14 is a network, wide area
A network or, in one embodiment, with the Internet 50
I do. The network interface 30 includes a digital subscriber line (DSL),
Information via cable TV line, T1 line, T3 line, or network
Internet 50 via other high-speed, dedicated lines capable of communicating
Modems, cable modems, and Ethernet to enable connectivity to
(Registered trademark) card or any other kind of network access device
Is good. In another environment, wireless communication may be used. Processor 1
5, memory 16, disk controller 18, display controller 2
0, the input / output controller 28, and the network interface 30
And can communicate with one another via a network 32. Bus 32
Any bus that provides communication between components within the computer and between components
Is fine. Although only one bus is shown in the figure, the service gateway 14
Can use multiple buses. In addition, other components and components
Controller (not shown) or multiple components of the diagram and the controller.
The stance can be included in the service gateway 14. In one embodiment,
, The service gateway 14 via the network interface 30
Communicate through the Internet, the policy server 34 and the web server (
(Not shown), and receives information from devices connected to the Internet,
To communicate information to such devices. In one embodiment, service gateway 14, policy server 34, and
And each user computer 40 can communicate via the Internet.
Includes software. In one embodiment, the software includes hyper-
Text Transfer Protocol (HTTP), User Datagram Protocol (U
DP), Transfer Control Protocol / Internet Protocol (TCP / IP),
And / or software that provides communication via other network communication protocols.
Software. Although only one service gateway 14 is shown in FIG.
The system implementing the service gateway is a local area network (
LAN), cluster, grouping, sub-network, etc. (not shown)
From a plurality of computers. Grouping, cluster
, LAN, sub-network, etc., in one embodiment
For security, the server must be accessible from the Internet and other computers
One or more firewalls and other security
Internet or other worldwide via security devices and systems
Communication network. This system has a graphic
Servers, application servers, and other specialized dedicated servers
(Not shown). Although only one policy server 34 is shown in FIG.
The system that implements is a local area network (LAN), cluster
On multiple computers in the form of groupings, sub-networks (not shown)
Can be configured. Grouping, cluster, LAN, subnetwork
In any form, the system may, in one embodiment, be serviced for security.
One or more to isolate the server from the Internet and other computers.
Through multiple firewalls or other security devices and systems
To connect to the Internet or other global communications networks.
Can be. This system includes a graphics server and an application server.
Server, and other specialized dedicated servers (not shown)
You. The user computer 40 has the same components as the service gateway 14.
And any personal computer having the functions. In addition, users
The computer 40 is capable of executing programs,
Any personal computer with network access
Device. This includes mobile phones, personal digital assistants, desktop
Personal computers, portable computers, computer tablets,
Computer headsets, laptop computers, computer
But not limited to these. To access the service gateway 14, a user computer 40
In addition to the above software that can access the Internet,
Network access apps such as web browsing software
Run the application program. One example of this software is California
Netscape Communications, Mountain View, A
Netscape Communicator X, available from the company. C. 3A and 3B illustrate a service gateway and policy server function according to one embodiment of the system and method of the present invention.
7 shows the operation flow of the service gateway and the policy server. Turn on the power
Then, the service gateway, as shown in block 52,
To the unauthorized state. This state indicates that the computer connected through the port
That the device is not authorized to access the Internet
Represent. In this way, the service gateway is connected via a port
Internet access by unauthorized computing devices
Ban access. In one embodiment, when powered on, the service gateway
Lee consults its own internal database,
Is authorized for ports that have not reached the agreed expiration date and time.
Put in state. The service gateway then proceeds to the port as shown in block 54.
Receive requests for access to websites from users via
. In one embodiment, the request is a URL that specifies a web site. web
If the port receiving the access request is in an unauthorized state, the service gate
The way sends an authorization request message (AR-MSG) as shown in block 56.
Generate and send a redirect instruction to the user to redirect the user's web browser.
And sends the AR-MSG to the policy server. In one embodiment, the
The redirection instruction of U contains a redirect of HTTP to the policy server.
RL format and also includes AR-MSG field as keyword
You. The designated policy server is responsible for configuring the service gateway, specific
Access ports, current load of various policy servers, or other factors
Can be determined by The policy server receives the AR-MSG, as shown in block 58, and
Confirm the message and request the user for payment information and usage information. In one embodiment
Policy server sends a web page for payment and usage information
To provide to the. In this embodiment, the user receives the information via this web page.
Upon submitting the information, payment and usage information is sent to the policy server.
In one embodiment, the payment and usage information is transmitted via the user's web browser.
Provided Secure Socket Layer (SSL) encryption and transport layer security
Security (TLS) protocol, the user receives a policy in encrypted form.
Sent to the server. For more information about SSL, see Mounte, California
Obtained from Netscape Communications, Inc.
And detailed information on TLS can be found at http: www. ie
tf. orglrfclrfc2818. txt, E.C. By Rescorla
Can be obtained from RFC2818 "HTTP Over TLS" in May 2000.
Can be. The policy server then proceeds to the payment information, as shown in block 59.
Information and usage information from the user, AR-MSG, payment information and usage information.
Process information for Based on this processing, the policy server then proceeds as shown in block 60
, Decide whether to grant permission to access the Internet. policy
The server may use its internal policy database to make this decision.
it can. The structure of the policy database is necessary to process AR-MSG.
Any method of storing, retrieving, and holding information may be used. In one embodiment,
The policy server can be a credit card processing company, financial institution, or similar
Communicate with the entity to ensure that payment information is accurate and not fraudulent,
And / or confirm that funds and balances are sufficient. Various fruits
In an embodiment, this includes the policy server maintaining within it and / or
Or check the blacklist accessed by communication with the third party computer
Can be included. If the policy server does not authorize the user, the policy server
The web page whose access is denied is transmitted, as shown in block 62. That
User ports are initialized as not allowing access to the Internet.
No message is sent to the service gateway. policy
• If permission is granted by the server, the policy server proceeds to block 64
As shown, an authorization grant message (AG-MSG) is generated, and in one embodiment,
Send a redirect command to the user's web browser to trigger the AG-MSG
To the service gateway. This redirect command uses A as a keyword
This is a URL format including a G-MSG field. In another embodiment, the policy
The server contains the server containing the AG-MSG via the user's web browser.
A web page with an HTML link pointing to the service gateway
Present to the user. For example, a user may be asked, "To access the Internet.
Please click here. "
You. The user clicks a link associated with the web page,
Or launch it in some other way, the user's browser will service the AG-MSG
・ Send to the gateway. In all of these embodiments, the user is done
You do not know the sequence of events and actions. The service gateway then
Receive the AG-MSG from the user as shown in block 66 (this is the user
Acknowledges the message and moves the user's port to the authorized state. Upon receiving the AG-MSG, the service gateway indicates at block 68
As such, a welcome web page can be provided and a welcome web page
After the web page has been displayed for a short time, the first web page requested by the user
Can be provided. The service gateway then indicates at block 70
Provide the user with access to the Internet. In one embodiment,
The service gateway acts as a firewall, allowing the user
Unwanted access to the computer can also be prevented. Shown in block 72
As such, the service gateway performs periodic checks and grants the user
To determine if has expired. If the permission has not expired
If so, the service gateway continues to connect to the Internet, as shown in block 70.
Provide user access to the Internet. For example, a user checks a hotel room
・ When the user goes out, when the number of hours specified by the user has elapsed, or when the user
The user's permission has expired, such as when the scheduled end date and time have been reached.
If so, the service gateway expires the access, as shown in block 74.
Send the reached web page to the user and set the user's port to unauthorized
After that, the user's access to the Internet is
Can be rejected by Tway. [0025] In one embodiment, the system and method provide for transmitting an HTTP message.
It works perfectly. AR-MSG is initiated by the service gateway
, Received by the policy server, and the AG-MSG is
Started and received by the service gateway, but
There is no direct addressing between the gateways. above
As such, both of these messages are sent to a web browser on the user's computer.
Sent through the All communication can be bridged by the client browser
And all messages are visible to the user and potentially change
be able to. For example, a user may send a fraudulent message to grant permission.
Network gateway without involving the policy server.
Network access. To prevent this type of attack,
In one embodiment, generated by the policy server and service gateway
Each message that is sent and communicated is in message digest 5 (MD5).
Digital signatures, and can also incorporate shared secrets. Me
Confirmation of the message is performed by confirming the signature when receiving the message. M
Other information regarding D5 can be found at http: / llwww. ief. orglr
fcrlfccl321. txt. R. of April 1992. By Rivest
RFC 1321 "The MD5 Message-Digest Algor
itm ". The shared secret is shared between the policy server and the
Only known to the gateway server and hidden from the user. With this method, you
Users cannot compose fraudulent messages. Similarly, malicious users
Does not repeat or duplicate valid messages received in the past in the proper way.
To prevent this, each message contains a random sequence number that, when repeated,
The message is ignored by the service gateway. To check the sequence number,
Part of message confirmation. In one embodiment, at the service gateway, each port has an authorized state
It is designated as one of two states, the unauthorized state. Unauthorized in unauthorized state
Computers connected through ports that are in a state
Access is only allowed. If in the authorized state, the port in the authorized state
Internet access is allowed for computers connected via
. In one embodiment, each logical port is initialized to be in an unauthorized state. Poe
Enters the authorized state upon receiving a valid grant message from the policy server
. The logical port is activated when the user disconnects from the service gateway.
It returns to the unauthorized state when the system operator intervenes and when re-initialization occurs. In one embodiment, either the policy server or the service gateway
, Or both, are Remote Authentication Dial
Implementing the In User Service (RADIUS) protocol
It is possible. RADIUS allows the service gateway to provide users with Internet access.
To authenticate and maintain management information for each port that grants packet access
Can be used for The service gateway communicates status information,
Or logical information including time limit information such as the date and time of the
It can hold information about ports. RADIUS provides policy support
Server, which user has granted access, and which service gateway
Used to manage information about whether they provide Internet access to users
can do. In addition, the policy server enters payment and usage information.
RADIUS can be used to handle, process, and manage. Radii
Information about the US can be found at http: www. ief. orglrfclrfc2
865. txt. C. of June 2000. RFC 286 by Regney et al.
5 "Remote Authentication Dial In User
Service (RADIUS) ". D. Authorization request message AR-MSG is used by the service on behalf of the user requesting Internet access.
Generated by the service gateway. In one embodiment, AR-MSG and
The URL string that constitutes the AR-MSG is one of the following fields / keywords.
Part or all: port identifier ("port"), host identity
Besshi ("host"), mac address ("mac"), first URL destination ("
origurl "), sequence number (" seq "), digital signature (" sig "
"), And the version number (" ver "). In one embodiment, an AR-MSG in the form of a URL string is
The user specifies the service as specified by an alphanumeric field in standard code (ASCII) format.
It can include the port to connect to the service gateway. Which value
User services through physical or logical access ports
-Can be set to indicate whether to connect to the gateway. Port identifier
Is unique for the particular port connected to the service gateway,
It may be represented in any form. For example, how many service gateways
Have a logical or physical connection to the access concentrator
When connected to port 5, “port = switch3_port5”
Is encoded, indicating that it is the fifth port of the third concentrator
. In another embodiment, if the value of the port is not known, it can be completed from the message.
Exclude all. In one embodiment, the host uses the A in the URL string that constitutes the AR-MSG.
Can be specified as text name or IP address consisting of SCII characters
You. The specified host name or IP address is the name of the service gateway
Or an address. The service gateway is multi-homed, that is
Has multiple IP addresses, the IP address supplied to the host value is:
The address must be reachable from the user. By text
An example of the host identifier is “'host' = sg3-mainstreet.hot”
el. isp. "host" = 192 in the form of an IP address.
. 23.12.3 ". In one embodiment, the “mac” field of the URL string making up the AR-MSG
Field is the media connected to the user's network-connected node by IEEE 802.
-Refers to the access control ("MAC") hardware address. Generally, IEEE
E802 is called the Ethernet Networking Standard. In other embodiments
Can use other physical node addresses. In another embodiment, "
If you do not know the "mac" address, you can exclude it from the message.
Wear. In one embodiment, the original "url" specified by the user before being redirected
"Is a file consisting of ASCII characters that can be named" orgurl ".
Field, for example, “origurl = http: //www.uspto
. gov ". In one embodiment, the service gateway has a URL that configures the AR-MSG
Provide a 64-bit non-repeating sequence number as a field in the string.
Can be offered. This sequence number was used during previous initialization and use.
Is set to a random value during system initialization to prevent repeated sequences.
You. In one embodiment, this sequence number is in a field denoted as "seq".
And, for example, "seq = 002d41e46500002"
19d4e ”, 16 octet A that represents an 8 octet binary value in hexadecimal
Can be encoded as a SCII hexadecimal value. In one embodiment, the URL strings that make up the AR-MSG are in accordance with MD5.
Can include a digital signature, which starts with the first keyword
, Signature parameters (ie, in one embodiment, the keyword “sig” and its parameters)
Meter), followed by the AR-MSG string followed by the shared secret
Is calculated. That is, “sig” = MD5 (message + shared secret),
“+” Represents concatenation. In one embodiment, the service gateway uses the protocol version in the URL.
Option values can be provided. In one embodiment, the version is "ver"
Followed by a sequence of numbers in ASCII decimal, for example "ve
r = 0 ". In one embodiment, the AR-MSG key, including description, encoding, and size,
A summary of the keywords is shown in Table 1. [Table 1] In one embodiment, the service gateway creates and directs the policy to the policy server.
The AR-MSG message that is sent can be in the form of a URL query,
It can be of the form http: // hostname? keyword1 = value1 & keyword2 = value2 & keyword3 = value3 ... keywor
dN = valueN Authorization Grant Message In one embodiment, the AG-
The MSG is generated by the policy server and connects the user to the service gateway
Sent to the user to pass up. The service gateway is AG-MSG
, The state of the port specified in the message is changed to the allowed state
. In one embodiment, the policy server communicates with A via the user's web browser.
Send G-MSG to the service gateway. When doing this, the policy
-The server sends a URL string containing information constituting the AG-MSG to the user.
I believe. In this URL string, the destination as the source of the corresponding AR-MSG
A service gateway is identified. In one embodiment, the AG-MSG and a URL list that accomplishes the transmission of the AG-MSG
The ring consists of a host identifier ("host"), a sequence number ("seq"),
Digital signature ("sig"), version number ("ver"), time value ("ti
me "), user identifier (" id "), maximum data rate, also called bandwidth
Parameter and destination URL ("url") keyword / field
May include some or all of In one embodiment, the service gateway is initiated by a policy server
The received AG-MSG is received as a URL string from the user. service·
The gateway receives the MD5 hash from the first keyword in one embodiment and
To the host specified in the host field ("host").
By adding the appropriate shared secret for the strike name, the URL string A
The value of the signature ("sig") field containing the R-MSG can be verified.
That is, MD5 (message + shared secret), and “+” indicates concatenation
To indicate In addition to verifying the validity of the signature, the service gateway also
Also, the sequence number ("seq") in the URL string including AG-MSG is
Verify that it matches the AR-MSG sequence number previously sent
You can also. If the sequence numbers match, the service gateway will
, The logical port parameter as described in the field specified in AG-MSG.
The logic used to configure the meter and connect the user to the service gateway
Set the port to the authorized state. In one embodiment, the unrecognized AR-MSG file
The field is silently ignored by the service gateway. Destination ("ur
l)) is specified in the AG-MSG, the service gateway shall
The user can be directed to this destination. In this way, the service gateway
A is the entity that manages the building where the user is located
A start screen such as a personal property management company web site can be provided. In one embodiment, the host has a text name or IP address consisting of ASCII characters.
The dress can be specified in the AG-MSG. In one embodiment, the policy
The server can include its own hostname or IP address. H
The format is the same as the “host” field in the AR-MSG. One practice
In an embodiment, the policy server uses a 64-bit non-recovery provided in the AR-MSG.
The reverse sequence number ("seq") can be echoed back. In one embodiment, AG-MSG is computed as in AR-MSG.
A D5 signature field ([sig]) may be included. In one embodiment, AG
-MSG is the protocol version value in ASCII decimal format ("
ver "). In one embodiment, the AG-MSG includes a time parameter (“time”).
Can be. In one embodiment, the time parameter is the Internet access
The maximum amount of time and / or minutes that permission is granted can be specified. other
In an embodiment of the present invention, the time parameter may be set to
, You can specify the date and time when Internet access will expire.
Wear. In one embodiment, the format of the time parameter is alphanumeric ASCII.
It is a decimal format. For example, “time = 60” is 60 minutes, that is, 1
"Time = 0202200001400" is February 2, 2000
Equivalent to 2 pm. In these examples, the user's input through the specified port
Internet access will expire after 60 minutes or at a specified date and time. In one embodiment, the AG-MSG may include a user identifier (“id”).
Wear. In one embodiment, the user identifier can identify a logical port. other
In the embodiment, the identifier is a session identifier, a user name, and an IP number of a user connection
Number, account number for the user, room number, and the like. A user
The identifier can be stored by the service gateway and the service
Management messages or other processing within the gateway, its
For other communications, accounting functions, and any other use.
Can be. Examples of the user identifier include “id = joe_smith” and “id = joe_smith”.
5 "and" id = 12434567 ". In still other embodiments, the "id
“1” is for the room number, “id2” is for the user name, and “id3” is for the account number.
How multiple user identifiers can be used to store similar information
. These identifiers include ASCII and ASCII decimal numbers in various embodiments.
can do. In one embodiment, the AG-MSG relates to both transmitting and receiving user communications.
Can include parameters to specify the maximum data rate or bandwidth.
Wear. This value can be in kilobits per second (Kbps) or megabits per second (Mbps).
) And can be an ASCII decimal value. Maximum
An example of the data rate field is "bandwidth = 32". this
In the example, the maximum transmission / reception speed of the connection of the user is described as 32 Kbps.
In one embodiment, the bandwidth keyword may reside on the service gateway
Can be an ASCII string that identifies the traffic shaping profile
Wear. In this embodiment, the forming profile may be, for example, transmitted and / or received.
Queue depth, committed rate, drop rate, and other
It can include computer communication parameters and information. In one embodiment, the AG-MSG specifies the destination URL in the “url” field.
Can be included. The destination URL is an entity that manages the building where the user is located.
Responsible for providing websites, such as hotels and real estate management company websites
Any domain name can be used. In other embodiments, any website
Can be specified. An example of a “url” field is “url = http:
// www. somehotel. com ". The outline of the AG-MSG keyword is described in one embodiment by description, encoding, and
Table 2 includes the size. [Table 2] In one embodiment, the policy service created by the service gateway
The AG-MSG message directed to the server can take the form of a URL query,
It can be formatted as follows: http: // hostname? keyword1 = value1 & keyword2 = value2 & keyword3 = value3 ... keywo
rdN = valueN F. EXAMPLES The systems and methods of the present invention can be understood by considering the following examples.
Can be. In this example, a user in a multi-resident building
Plug into the wall socket. The socket is connected to the access concentrator
You. The concentrator has an IP address 35.42.42.42 and a host name someh
otel. com's service gateway. Service Gateway
A has an IP address of 192.168.254.249 and a host name of hotel
policyserver. com's policy server. The user
Launch the web browser and go to http: // www. tutsys. com etc.
After specifying the web page for the
Intercept the page specification. If the requested port is not authorized,
The user is denied access to the Internet. However, the service gateway
Way creates the following AR-MSG, which is an HTTP redirect message
Sent to the user. http://hotelpolicyserver.com/pp/welcome/php3?port=192.168.254.211-02007
& host = somehotel.com & mac = 00a00c1147fl & origurL = www% 2etutsys% 2ecom% 2f & seq = 1
828d81492b2c044461fd709f0a5637b & sig = 6d39e8d81bfbfcad490e908ec60d6d7a The user's browser executes this URL. In response, the policy server
Web pages provide welcome information and request payment and usage information.
Page. In one embodiment, the payment information includes a specific charge for the user's hotel.
You may also agree to bill your room
The user may be prompted to input a number. This is graphics, text
Text, text entry fields, pull-down menus, buttons, sliders, etc.
Achieve through web pages using common user interface technologies
be able to. In one embodiment, the common gateway interface (CG
I) Scripts, Java applets, and other web pages
Technology can be incorporated. After providing payment and usage information, the user
Must accept the terms of use, submit payment and usage information
. This can be done by clicking a button in a web page, or
This can be achieved by other user interface technologies. Use this information
By submitting a link, you can create a link or web site
Is activated, which sends payment information to the policy server.
To the user's web browser. The policy server then processes the payment information and usage information. Then you
Decide whether to grant or deny Internet access to users. A
To deny access, the Policy Server displays a connection denied web page to the user.
Communicate to When granting access, the policy server includes an HTTP query.
An AG-MSG is generated in the following URL format, and this URL is used as a URL.
To the user's browser. Browser directs user to service gateway
Change ahead. http://servicegw.somehotel.com/PublicPort/PP-Authenticate?id=1+seq=1828
d81492b2c044461fd7090a5637b + url = http% 3a% 2f% 2fwww% 2etutsys% 2ecom% 2f + sig = 7
863e5a6d77e0e9b5ab472ea7e71e053 When the user receives this URL, the user's web browser opens the service
To the gateway. In response to receiving the AG-MSG from the user,
The service gateway changes the state of the logical port for the user to the authorized state.
Provides the designated "authok.html" web page,
Provide users with access to the In one embodiment, the service gateway
Lee also accesses the local database to access the sequence number, port number
Or provide other unique identifiers that can be used to index information
Specified by the user when first attempting to access the Internet.
The original URL obtained can also be retrieved. In the above description, the invention has been described with reference to specific embodiments. However, head
Departures from the broader spirit and scope of the invention as set forth in the appended claims.
It will be apparent that various modifications and changes can be made without departing from the invention. Accordingly
Accordingly, the specification and drawings are to be considered in an illustrative, rather than a restrictive, sense. BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 shows a flow of actions taken with respect to one embodiment of the systems and methods of the present invention.
FIG. FIG. 2 is a network application of one embodiment of the system and method of the present invention.
FIG. FIG. 3A is a service gate taken for one embodiment of the system and method of the present invention.
FIG. 9 is a diagram showing a flow of operations of a way and a policy server. FIG. 3B is a service gate taken for one embodiment of the systems and methods of the present invention.
FIG. 9 is a diagram showing a flow of operations of a way and a policy server.

[Procedure amendment] [Date of submission] July 19, 2002 (July 19, 2002) [Procedure amendment 1] [Document name to be amended] Description [Item name to be amended] Claims [Amendment method] Modification [Contents of amendment] [Claim 1] Receiving a network access request from a user, and transmitting a permission request message relating to the user to the network access
Sending to the policy server via the application program; receiving from the network access application program an authorization message initiated by the policy server for the user; in response to receiving the authorization message. , Providing a network access application program with access to a network. 2. The method of claim 1, wherein the network access application program comprises an Internet web browser and the network comprises the Internet. 3. The method of claim 1, wherein the network access request comprises an Internet web site access request. 4. The method of claim 1, wherein transmitting comprises redirecting a network access application program to a policy server. 5. The method of claim 4, wherein redirecting comprises transmitting a hypertext transfer protocol (HTTP) redirect to a user's Internet web browser in the form of a uniform resource identifier (URI). 6. The method of claim 1, wherein transmitting comprises calculating a digital signature for the authorization request message. 7. The authorization request message includes a port identifier, a host identifier, a medium access control (MAC) address, an original uniform resource locator (URL) designation, a sequence number, a digital signature based on a shared secret, and a portion of a version number. 2. The method according to 1. 8. The method of claim 1, wherein the authorization grant message includes a host identifier, a sequence number, a digital signature based on a shared secret, a version number, a time value, a user identifier, a maximum data rate parameter, and a portion of a destination uniform resource locator (URL). the method of. 9. The method of claim 1, further comprising: verifying that a sequence number for the grant message is correct. 10. The method of claim 1, further comprising verifying that a digital signature for the authorization message is correct. 11. Receiving an authorization request message initiated by a service gateway from a user's network access application program, processing payment information received from the user, and transmitting an authorization grant message for the user to the network. A method comprising providing to a service gateway via an access application program. 12. The method of claim 11, wherein the network access application program comprises an Internet web browser. 13. The method of claim 11, further comprising: requesting payment information from a user; and receiving payment information from the user. 14. The method of claim 13, wherein requesting comprises providing a web page to an internet web browser. 15. The method of claim 11, further comprising processing usage information received from a user. 16. The method of claim 15, further comprising requesting usage information from a user, and receiving usage information from the user. 17. The method of claim 16, wherein requesting comprises providing a web page to an internet web browser. 18. The method of claim 11, further comprising verifying that the digital signature for the authorization message is correct. 19. The method of claim 11, wherein providing comprises calculating a digital signature for the authorization grant message. 20. The method of claim 11, wherein providing comprises redirecting a network access application program to a service gateway. 21. The method of claim 20, wherein redirecting comprises transmitting a hypertext transfer protocol (HTTP) redirect to an Internet web browser in the form of a uniform resource identifier (URI). 22. Processing includes verifying that the payment information is not incorrect and not insufficient, and sending an access denied message to the user if the payment information is insufficient or incorrect. The method of claim 11, comprising: 23. The method of claim 22, wherein transmitting comprises providing a web page to a user's Internet web browser. 24. Receiving a network access request from a user, and transmitting an authorization request message for the user to the user's network access request.
Sending to the policy server via the application program; receiving, from the network access application program, an authorization message initiated by the policy server for the user; A machine-readable medium storing instructions that, when executed by a processor, cause the machine to perform operations, including providing access to the Internet for application programs. 25. The machine-readable medium of claim 24, wherein transmitting comprises redirecting a network access application program to a policy server. 26. The machine-readable medium of claim 25, wherein redirecting comprises transmitting a hypertext transfer protocol (HTTP) redirect to a user's web browser in the form of a uniform resource identifier (URI). 27. The machine-readable medium of claim 24, wherein the instructions direct the machine to perform operations that further comprise verifying that the sequence number for the authorization grant message is correct. 28. The machine-readable medium of claim 24, wherein the instructions direct the machine to perform operations further comprising verifying that the digital signature for the authorization grant message is correct. 29. Receiving an authorization request message initiated by a service gateway from a user's network access application program; processing payment information received from the user; A machine-readable medium storing instructions that, when executed by a processor, include instructions for causing a machine to perform operations, including providing to a service gateway via an access application program. 30. The machine-readable medium of claim 29, wherein the instructions direct the machine to perform operations further comprising processing usage information received from the user. 31. The machine-readable medium of claim 29, wherein the instructions direct the machine to perform operations further comprising verifying whether the digital signature for the authorization request message is correct. 32. The machine-readable medium of claim 29, wherein providing comprises calculating a digital signature for the authorization grant message. 33. The machine-readable medium of claim 29, wherein providing comprises redirecting a network access application program to a service gateway. 34. The machine-readable medium of claim 33, wherein redirecting comprises transmitting a hypertext transfer protocol (HTTP) redirect to a user's Internet web browser in the form of a uniform resource identifier (URI). Medium. 35. Processing comprises: verifying that the payment information is not incorrect or insufficient, and sending an access denied message to the user if the payment information is insufficient or incorrect. 30. The machine-readable medium of claim 29, comprising: 36. A network server comprising: a policy server and a network access application program.
Receiving an access request and sending an authorization request message for the user to the policy server via the network access application program, wherein the network access application program issues an authorization grant message for the user initiated by the policy server; A service gateway receiving the authorization message, wherein the service gateway provides the user with access to the network in response to receiving the authorization grant message. 37. The system according to claim 36, wherein the network is the Internet. 38. The system according to claim 36, wherein the network access application program is an Internet web browser. [Procedure amendment 2] [Document name to be amended] Description [Item name to be amended] 0008 [Correction method] Change [Contents of amendment] (Summary of the Invention) In many embodiments, the method and system of the present invention are described. Enables multi-occupants, multi-room building owners or operators to provide shared high-speed access to networks such as the Internet. The method and system require a policy server and a service gateway that send messages to each other via the user's network access application program.
In one embodiment, the network access application program is an internet web browser. The service gateway receives a network access request from a user and sends an authorization request message for the user to the policy server via the user's network application program. In one embodiment, the network access request is an Internet web site access request. The service gateway then receives, from the user's network access application program, an authorization grant message for the user initiated from the policy server when the policy server grants access. The service gateway then provides the user with access to a network such as the Internet. The policy server receives an authorization request message initiated from the service gateway from the user's network access application program. The policy server processes the payment information received from the user, considers the payment information satisfactory, and sends an authorization message for the user to the service gateway via the user's network access application program. provide. The copy that was sent was partially missing.

────────────────────────────────────────────────── ─── Continuation of front page    (81) Designated country EP (AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE, I T, LU, MC, NL, PT, SE, TR), OA (BF , BJ, CF, CG, CI, CM, GA, GN, GW, ML, MR, NE, SN, TD, TG), AP (GH, G M, KE, LS, MW, MZ, SD, SL, SZ, TZ , UG, ZW), EA (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), AE, AG, AL, AM, AT, AU, AZ, BA, BB, BG, BR, BY, B Z, CA, CH, CN, CR, CU, CZ, DE, DK , DM, DZ, EE, ES, FI, GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, J P, KE, KG, KP, KR, KZ, LC, LK, LR , LS, LT, LU, LV, MA, MD, MG, MK, MN, MW, MX, MZ, NO, NZ, PL, PT, R O, RU, SD, SE, SG, SI, SK, SL, TJ , TM, TR, TT, TZ, UA, UG, UZ, VN, YU, ZA, ZW (72) Inventors Carson, David Jay             United States 48105 Michigan A             N Arbor Longshore 1718 (72) Inventor Harrell, Richard Elm             United States 48154 Michigan Li             Bonia Jamison 38818 (72) Inventor Bachman, Todd A             United States 48104 Michigan A             N Arbor East Kingsley             Street 816 (72) Inventor Blank, Larry Jay             United States 48176 Michigan             Elline Wildwood Trail             2829 (72) Inventor Jabons, Kimberly Shi             United States 48187 Michigan Ki             Jaantong Embassy Drive 7516 F term (reference) 5B085 AA01 AE02 AE15 AE23 BA07                       BC02 BG02 BG07                 5K030 GA15 HA08 HB08 HD09 KA04                       KA05 KX24 LB09 LC16 LE02 [Continuation of summary] The policy server provides the user with network access ・ From the application program, the service ・ Authorization request message initiated by the gateway Receive. The policy server communicates the support received from the user. Process payment information, consider it satisfactory, The permission grant message for the user is Network access application program To the service gateway.

Claims (1)

Claims 1. Receiving a network access request from a user, and transmitting an authorization request message for the user to the user's network access request.
Sending to the policy server via the application program; receiving from the network access application program an authorization message initiated by the policy server for the user; in response to receiving the authorization message. , Providing a network access application program with access to a network. 11. Receiving an authorization request message initiated by a service gateway from a user's network access application program, processing payment information received from the user, and transmitting an authorization grant message for the user to the network. A method comprising providing to a service gateway via an access application program. 24. Receiving a network access request from a user, and transmitting an authorization request message for the user to the user's network access request.
Sending to the policy server via the application program; receiving, from the network access application program, an authorization message initiated by the policy server for the user; A machine-readable medium storing instructions that, when executed by a processor, cause the machine to perform operations, including providing access to the Internet for application programs. 29. Receiving an authorization request message initiated by a service gateway from a user's network access application program; processing payment information received from the user; A machine-readable medium storing instructions that, when executed by a processor, include instructions for causing a machine to perform operations, including providing to a service gateway via an access application program. 36. A network server comprising: a policy server and a network access application program.
Receiving an access request and sending an authorization request message for the user to the policy server via the network access application program, wherein the network access application program issues an authorization grant message for the user initiated by the policy server; A service gateway receiving the authorization message, wherein the service gateway provides the user with access to the network in response to receiving the authorization grant message.