NO324810B1 - Procedure for transferring a client from a first wireless LAN to a second wireless LAN - Google Patents

Abstract

A method and arrangement for handover between WLANs is described. By opening the traffic channel (gate) while the authentication is processed in parallel, handover delays can be minimized. The traffic channel / access port will only be closed if the authentication process fails.

Description

Field of the invention

The present invention relates to handover procedures in wireless local area networks.

Background

Today, it is a trend to offer users of WLAN (Wireless LAN) mobile facilities. This means that a WLAN user can move from access point to access point without losing their established session or Internet connections; a so-called seamless handover. In existing WLAN systems, the problem is that the user device/client must reauthenticate to each new access point before the traffic channel is opened. The reauthentication process is time-consuming and presents a real obstacle, especially for real-time applications such as streaming and voice, where delays of more than 120 ms will significantly degrade functionality.

Today, the port-based security system IEEE 802. IX provides authentication and the opening of the traffic channel as sequential processes, that is, the access policy is not to allow any traffic until the authentication process is successfully completed, see Figure 1 below. There are reasons for this, mostly related to accounting and billing: All consumption of WLAN bandwidth and Internet access should be accounted for, but this is only possible if the user is first identified and authenticated. However, the problem is that the authentication delays are usually long. Authentication credentials are typically generated in a remote database/server and the authentication process typically requires multiple queries to this remote database/server. This introduces large delays that can be detrimental to fast handover for mobile users, and also break up real-time applications such as voice and streaming. This can further reduce the attractiveness of mobile users and new services, which in turn is unfavorable for the business.

A similar method is used in GSM networks where mobile stations are constantly moving around. When a mobile station detects that it has moved from one location area into another (by listening to location area information periodically broadcast by the base stations), it will inform the network by sending a

location update message. The network will authenticate the mobile station before releasing the signaling channel. This change of location range will introduce a momentary stop in the communication which may cause a degradation of the channel quality. To provide a seamless handover between location areas, US patent 5483668 to Nokia describes a method where the mobile station remains in contact with the old base station until the connection to the new base station is established. This is achieved by transmitting in two different time slots at the same time. However, this procedure will only work in GSM systems that are TDMA-based, and with a

complex infrastructure of interconnected base station controllers, switching centers for mobile services, home location registries, visitor location registries, authentication centers, etc. This makes this approach irrelevant for WLAN.

US Patent 5,898,924 to Siemens describes connection handover of wireless terminal equipment in a DECT system. However, no authentication function is described, as this is non-existent in DECT systems.

Summary of the Invention

It is an object of the present invention to provide a method and an arrangement for handover in a WLAN which avoids the problems outlined above, and provides a stable connection when roaming from one wireless zone to another.

The new idea is to introduce a compromise between security and handover latency. By opening the traffic channel (port) while the authentication is processed in parallel, handover delays can be minimized. The traffic channel/access port will only be closed if the authentication process fails. The cost of this will be on the access/network provider (Residential Gateway (RG)/Hotspot owner, etc.) who will have to provide some resources/time without payment. This "free time" should be configurable (expected to be a few seconds).

The proposed policy reflects that "everything" is allowed until something is proven wrong, as opposed to the traditional policy where "nothing" is allowed until something is proven right (that is, authentication succeeds).

The inventive solution is as defined in the attached independent patent claims 1 and 8.

The benefits of parallel processing of authentication and traffic can be significant, since it will both ensure fast handover between access points belonging to the same (intra) domain (owner) as well as inter-domains, where re-authentication represents the biggest delays. The price is that the access point must provide some free resources that cannot be accounted for. The features covered by the additional non-independent requirements will limit such "free surfing", and also counter "denial of service" type attacks where fake clients try to exploit the open port policy.

Brief description of the drawings

Fig. 1 illustrates the traditional policy of sequential port access policy,

Fig. 2 shows parallel processed access according to the present invention,

Fig. 3 illustrates a security improvement of the inventive process in Fig. 1 which involves parallel processing with timer control of ongoing states, Fig. 4 illustrates the access points and ports in a system according to the present invention, Fig. 5 shows the message sequence during a successful client connection to a WLAN access point, Fig. 6 shows the corresponding message sequence in case the connection process should fail, Fig. 7 is a schematic illustration of the main building blocks in an arrangement according to the invention, for incorporation into a WLAN access point.

Detailed description of the invention

The available port access authentication standard used today (802.IX) performs the authentication functions before the access port is opened to normal traffic. This means that information must be exchanged between the user client and the RG/Hotspot access point. In some cases, i.e. when the user belongs to another domain, the RG must even contact the user's Internet Service Provider (ISP) to obtain authentication data. This introduces even more time delay to end the process. Re-authentication is considered the most time-consuming in handover situations.

Figure 1 shows the sequence of authentication and traffic management in today's WLAN systems. The access point will complete the authentication task before any user traffic is allowed through its port(s). If the authentication is successful, traffic is allowed and account management is started, if it fails the port is closed for this user.

The present invention provides a new method for organizing the process of port authentication for access networks with port-based access control, such as WLAN and WMAN in connection with traffic management, in that the two processes are carried out in parallel instead of in sequence.

Figure 2 shows the new idea. Here, the access point allows user traffic in parallel with the ongoing authentication process. When the authentication result is ready, two things can happen: If the authentication is successful, account management is started for this user, who continues his Internet traffic with the already established session. If it fails, the port will be closed and the user's traffic rejected (that is, according to standard procedures).

The access point (AP) will open the traffic channel to any unauthenticated user while the authentication function is processed for the associated link address for the client (eg WLAN MAC address). If the authentication is successful, the accounting function is enabled (through, for example, RADIUS accounting), if the authentication fails, the traffic is stopped for this client. In parallel, the terminal will open the traffic channel for any unauthenticated access point, while the associated link address for the access point is processed. If the authentication fails, the traffic is stopped. For a WLAN terminal, a disassociation message can be sent to the access point.

The new method can be used in any access network with port-based access control that controls access to an external network. This applies, for example, to any wireless local area network (WLAN) using the 802. lx protocol, such as WiFi (Wireless Fidelity (IEEE 802.11b wireless networking) protected access (WPA), WPA2 and 802.1 li-based WLANs, as well as any Wireless Metropolitan Area Network (WMAN) that uses port-based access control, such as 802.16e.

For protection purposes, the inventive method can be enhanced with additional functionality. At the same time as the authentication function is started, a timer will be set. This timer is configurable. The timer can be configured off (disabled), on, and the duration of the timer can be set. If the authentication fails, or is not successful within the configurable time frame, the traffic will be rejected for this node (either the terminal or the access point, or both the terminal and the access point). If the authentication of the terminal is successful, the accounting function will be injected into the access point.

Figure 3 illustrates the sequencing in this security-enhanced method. Compared to Figure 2 (the base model), a timer is added to control the latency of a possible delayed authentication process. If no response is received from the authentication process in Figure 2, the port may remain open. To avoid never-ending ongoing states, the timer will eventually stop the traffic by closing the port. If there is a response from the authentication process before the timer expires, the timer is canceled and the result of the authentication process defines whether the port should remain open or close (as in the basic model).

When a port is closed, communication on the relevant link address (e.g. WLAN MAC address) is prevented.

Note that this functionality alone does not prevent the attempting client from repeating its access attempt.

To reduce false "free surfing" where the client exploits the time window where unauthenticated access is allowed, the method illustrated in Figure 3 can be even further improved.

If a client with the specified (for example, MAC) ID is rejected a configurable number of times, i.e. having experienced that the traffic has been blocked by the access port, further access attempts shall not be handled by the access server, and this client shall not have further access to the traffic channel and the policy of parallel processing according to this inventive method.

To implement this functionality, the access server should include:

A switch that closes the port to any communication for a rejected client MAC address.

A caching function that stores the rejected MAC address.

A counter for the number of access attempts that have either been rejected attempts or

timed attempts. Each cached rejected MAC address stores the associated counter.

A configurable max-retry value. If it is exceeded, the access point

no longer handle access attempts for this id.

A trust function to remove this MAC address from the cache after a

configurable time (and thus reopen his opportunity to retry connection).

Control function to set the maximum number of access attempts. Control function to set the interval that resets the cache for a blocked MAC ID.

Parameters: Hours: Minutes.

In addition to limiting the maximum number of failed access attempts for a specific MAC-id, the possibility of obtaining false access by deliberately changing the client's MAC-id is also foreseen. This will prevent the functions in the procedure described above from checking false use of resources, and possibly result in accesses and resource consumption that cannot be accounted for.

A countermeasure for this type of attack is to measure the ratio between accounted and non-accounted traffic over a period of time. If the ratio exceeds a certain limit, the policy of parallel processing can be exchanged with the traditional policy illustrated in Figure 1. Assuming that the access point is able to switch between the two policies, a state machine is proposed that operates between two states: State 1: The valid/effective policy is the scenario with parallel processing as in fig. 2, and with the improvements described above.

State 2: The valid/effective policy is the traditional sequential processing of authentication and traffic as in figure 1.1 state 2, non-accounted traffic is not possible.

The change of state is performed automatically after the following events.

State 1 -> State 2: When statistics based on the ratio non-accounted/accounted resource consumption reach a configurable reaction point.

State 2 -> State 1: When a configurable timer expires (controllable period).

When the state is changed/set to state 1, the statistics counter is reset.

It must also be possible to set the policy permanently in state 1 or state 2.

The access server should include the following management functions:

• Function to set state permanently to state 1 or state 2

• Function to set state machine active (default state 1)

• Function to set the max stat ratio to trigger transition to state 2 • Function to set the timer that controls the transition to state 1 from state 2.

Parameters: Hours: Minutes

Figure 4 shows a system description for two important ports. The left port (A) is under the client's control; the client can control this port depending on its own policy.

The right port (B) of the access network (normal access point), and is under his control. For the client to reach the external network, both ports must be open for traffic. So far, the description has focused on the right port B: Depending on the authentication of the client, B will control his traffic. Similar methods can be used for port A, where the client requires authentication by the access network/access point server before opening the port, for example to receive traffic. Authentication of both client and access point/server is called "mutual authentication".

The traffic gate to be opened can be more advanced than an all-or-nothing gate. In fact, the port on the access point may be open only for voice and/or video traffic, while web reading may be closed until authentication is successful.

Example of a practical implementation of the solution in the context of WLAN using the WPA security framework for WLAN.

We describe the signaling flow in the case of a terminal associating for the first time to the WLAN network, for the case of a successful authentication process (figure 5) and for the case of a failed authentication (figure 6).

Case 1 - Successful case

The policy in the access point (AP) is such that the port is opened for a given time window which is sized so that it covers twice the average time for an authentication process. If the authentication is successful, the port will remain open after the time window has expired. Otherwise, the gate is closed and the event is recorded.

Figure 5 shows the message sequence for successful client connection to the WLAN AP. The different steps are indicated in dashed boxes and lines. The procedure includes the following individual steps:

1. The terminal associates with an access point using standard 802.11 mechanisms. 2. The WLAN AP sends an access request to the radius server, providing the MAC address of the terminal, and the ordered service, such as WLAN access. This is part of the radius specification. 3. The radius server responds positively to the request. This response includes the IP address that should be allocated to the terminal that initiated the access process. This is part of the radius specification. 4. The association response is sent back. Information in the association response indicates that the port may be opened before authentication is successful. The terminal knows at this point that it can receive and send traffic even if the authentication is not complete. An alternative solution is to include this information in the sample response (before association).

A new information element can easily be included in the association message.

This is the key difference with WPA where the traffic port should always be closed until the user is authenticated and the session keys are generated. 5. The terminal can then establish its IP connection using mechanisms such as DHCP. IDHCP includes the MAC address of the terminal and the DHCP server in the AP can allocate the IP address assigned by the AAA/Radius server (see message 3 in Figure 5). 6. At this point, it is the terminal's responsibility to start the EAP process by sending EAP start, as specified by WPA. The WLAN AP associates this EAP sequence with

the radius sequence that was previously established.

7. The AP starts the authentication process by requesting the identity of the terminal, as specified by WPA. 8. The EAP authentication methods run, as specified by the authentication methods used sequentially, as specified by WPA. 9. A successful message is sent to the terminal when authentication is successful, as specified by WPA.

10. The master key is sent to the AP, as specified by WPA.

11. This key material is used to generate the session keys, as specified by WPA. At this point, the traffic is secured and the account information is reliable and can be used to debit the user.

Case 2 - failed case

Figure 6 above shows the message sequence for a failed client connection to the WLAN AP. The different steps are indicated by dashed boxes and lines, and each step includes the following actions:

1. The terminal associates with an access point using standard IEEE 802.11 mechanisms. 2. The WLAN AP sends an access request to the radius server, which provides the MAC address of the terminal and the requested service, for example WLAN access. This is part of the radius specification. 3. The radius server responds positively to the request. This response includes the IP address that should be allocated to the terminal that initiated the access process. This is part of the radius specification. 4. The association response is sent back. Information in the association response indicates that the port may be opened before authentication is successful. The terminal knows at this point that it can receive and send traffic even if the authentication is not complete. An alternative solution is to include this information in the probe response (before association).

A new information element can easily be included in the association message.

This is the key difference with WPA where the traffic port should always be closed until the user is authenticated and the session keys are generated. 5. The terminal can then establish its IP connection using mechanisms such as DHCP. In DHCP, the MAC address of the terminal is included and the DHCP server in the AP can allocate the IP address assigned by the AAA/radius server (see message 3 in Figure 6). 6. At this point, it is the terminal that is responsible for starting the EAP process by sending EAP start, as specified by WPA. The WLAN AP relates this EAP sequence with the radius sequence previously established. 7. The AP starts the authentication process by requesting the identity of the terminal, as specified by WPA. 8. The EAP methods of authentication are run, as specified by WPA. In this case, authentication fails.

9. An EAP error message is sent to the terminal, as specified by WPA.

10. The access point informs the terminal that it has been disconnected by sending a disassociation message.

Fig. 7 shows 802. lx port 1 which can be open or closed for user traffic. Port 1 is connected to the user through a WLAN connection 2, and to the Internet through a connection 3. Port 1 is primarily controlled by a WPA (WiFi (IEEE 802.11b wireless networking) Protected Access) controller 4, and a timer 5. WPA- the function depends on communication with a RADIUS (AAA) server 7, which performs the authentication and authorization function on behalf of the WPA port controller 4. The WPA port controller 4 will operate depending on the access policy selector 8 (either closed until authentication succeeds, or open until authentication fails) . The access policy selector 8 is controlled by a statistical monitoring control function 6 which measures the quotient between recorded and unrecorded traffic. The timer 5 will close the port 1 if the WPA controller 4 remains in the ongoing state for too long (configurable time).

Claims (12)

1. Procedure for accessing an external network from a client in a wireless LAN, characterized by opening a traffic channel to the external network that transfers traffic to and from the client, simultaneously perform an authentication of the client in the external network, and if the authentication is successful to continue to transfer traffic over said traffic channel, otherwise to close said traffic channel. 2. Method according to claim 1, where the opening of the traffic channel includes establishing contact with an access point in the other LAN, as the access point opens a traffic port for the client which transfers traffic to and from the client, wherein the authentication step includes the client delivering authentication parameters to the access point and the authentication point performing an authentication process, and if the authentication process succeeds, to start accounting for the client's use of the traffic channel, otherwise to close the traffic port. 3. Method according to claim 2, wherein said method includes the further step of starting a timer when the authentication process is started, and if the timer expires and the authentication process is still in progress, to close the traffic port. 4. Method according to claim 3, in that said method includes storing an address for the client, to count access attempts for the client that have been rejected or expired, to compare the number of access attempts with a predetermined max-attempt value, and if said number exceeds said value, to deny further access attempts from the client. 5. Method according to claim 4, wherein said method includes the further step of deleting said address from storage when a predetermined time period has expired. 6. Method according to claim 5, wherein said method includes the further steps: measuring unbooked traffic in a first predetermined time period, measuring booked traffic in said first predetermined period, and if the ratio between unbooked and booked traffic exceeds a predetermined border, to close said traffic gate to all unregistered traffic. 7. Method according to claim 6, in that said method includes the further step: when said traffic gate is closed, to start a timer which opens said gate for non-booked traffic and resets the measurements of non-booked and booked traffic when a second time period has expired. 8. Arrangement in a WLAN access point for controlling access to an external network, said arrangement including a traffic port (1), a WLAN connection (2) for said traffic port (1), an Internet connection (3) for said traffic port (1 ), a protected access controller (4) to control said traffic port (1), characterized in that the protected access controller (4) is arranged to open the traffic port (1) when requested by a client through said WLAN connection, and at the same time perform an authentication of the client, and if the authentication fails to close said traffic port (1). 9. Arrangement according to claim 8, wherein said arrangement further includes an authentication server (7) connected to said protected access controller (4), wherein said authentication server (7) is arranged to perform authentication on behalf of the protected access controller (4). 10. Arrangement according to claim 8, wherein said arrangement further includes an access policy selector (8) arranged to control the protected access controller (4) to either close the traffic gate (1) until authentication succeeds, or open the traffic gate (1) until authentication fails. 11. Arrangement according to claim 10, wherein said arrangement further includes a statistical monitoring control function (6) which is arranged to control the access policy selector (8) by measuring the quotient between booked and non-booked traffic. 12. Arrangement according to claim 8, wherein said arrangement further includes a timer (5) arranged to close the traffic gate (1) if the protected access controller (4) remains in an ongoing state for too long.