TWI223941B - System and method for managing network access - Google Patents


Info

Publication number
TWI223941B
Authority
TW
Taiwan
Prior art keywords
user
message
item
network
application
Application number
TW90100748A
Other languages
Chinese (zh)
Inventor
Dory E Leifer
Allan C Rubens
David J Carson
Richard L M Herrell
Todd A Bachmann
Original Assignee
Tut Systems Inc

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/102 Entity profiles
    • H04L 63/12 Applying verification of the received information
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/33 User authentication using certificates
    • G06F 21/335 User authentication using certificates for accessing specific resources, e.g. using Kerberos tickets


Abstract

A system and method for managing network access. The method and system involve a policy server and a service gateway which send messages to one another via a user's network access application program. In one embodiment, the network access application program is an Internet web browser. The service gateway receives a network access request from a user and sends an authorization request message regarding the user to a policy server via the user's network application program. In one embodiment, the network access request is an Internet web site access request. The service gateway will then, if the policy server grants access, receive from the user's network access application program an authorization granted message regarding the user that was initiated by the policy server. The service gateway will then provide the user access to a network such as the Internet. The policy server receives an authorization request message from a user's network access application program that was initiated by the service gateway. The policy server processes payment information received from the user and, assuming that the payment information is sufficient, provides an authorization granted message regarding the user to the service gateway via the user's network access application program.

Description

V. Description of the Invention (1)

Related applications
This application is related to US application 60/177,187, filed January 13, 2000.

Field of the invention
The present invention relates to the field of managing network access. More specifically, it relates to systems and methods for receiving payment in return for providing access to a network such as the Internet.

Background of the invention
The Internet and personal computers are now pervasive in society. Although the Internet has existed in various forms for many years, it has become a popular mass-communication medium with the use of the World Wide Web. From a user's perspective, the World Wide Web is an easy way to identify a remote computer, connect to it, and view the information stored on it.

Hidden behind the user of the Internet are the various communication protocols that make Internet functions possible. Various committees and ad hoc groups of known working groups coordinate and control the Internet. Under the Internet Engineering Task Force (IETF), working groups determine the rules and protocols for the basic functions of the Internet and publish them as Requests for Comments, commonly called RFCs, which are freely available over the Internet on various web sites. Web sites are designated by a textual description or name called a Uniform Resource Locator (URL), now covered by the term Uniform Resource Identifier (URI). (See RFC 2396, "Uniform Resource Identifiers (URI): Generic Syntax", Draft Standard, August 1998, available at http://www.rfc-editor.org/rfc/rfc2396.txt.) In general, information is communicated over the Internet via the User Datagram Protocol (UDP), the Transmission Control Protocol/Internet Protocol (TCP/IP), and the Hypertext Transfer Protocol (HTTP), which operates over TCP. For more information see: RFC 768, "User Datagram Protocol", J. Postel, 28 August 1980, http://www.rfc-editor.org/rfc/rfc768.txt; RFC 1180, "A TCP/IP Tutorial", T. Socolofsky and C. Kale, January 1991, http://www.ietf.org/rfc/rfc1180.txt; and RFC 2616, "Hypertext Transfer Protocol -- HTTP/1.1", R. Fielding et al., June 1999 (Draft Standard), http://www.ietf.org/rfc/rfc2616.txt. As use of the World Wide Web over the Internet has increased, so has the demand for high-speed Internet access.

Although individuals and small businesses may want higher-speed Internet access, many are unwilling to pay the costs of obtaining a high-speed Internet connection such as a cable modem, digital subscriber line (DSL), T1 line and the like. One way to provide high-speed Internet access to users in multi-tenant, multi-room or public buildings such as apartments, office buildings and dormitories is to allow multiple users at one location to share access to a single high-speed Internet connection. These Internet users are willing and able to pay for Internet access, particularly if the cost can be shared with other users of the same high-speed access method.

Furthermore, as computer users travel with portable computers and other personal computing devices, they may want to access network resources, such as Internet web servers, from locations remote from their homes or offices, such as hotels. Such locations can offer a visiting user temporary network access on demand, so that the user can reach network resources such as web servers. These computer users are willing and able to pay for such network access, and the locations are equally willing to provide it as long as they can recover their costs or make a profit.

In various embodiments, the method and system of the present invention allow the owner or operator of a multi-tenant, multi-room building to provide shared high-speed access to a network such as the Internet. The method and system include a policy server and a service gateway, which send messages to one another via a user's network access application program. In one embodiment, the network access application program is an Internet web browser. The service gateway receives a network access request from a user and sends an authorization request message regarding the user to a policy server via the user's network access application program. In one embodiment, the network access request is an Internet web site access request. If the policy server grants access, the service gateway then receives, from the user's network access application program, an authorization granted message regarding the user that was initiated by the policy server. The service gateway then provides the user access to a network such as the Internet. The policy server receives, from a user's network access application program, an authorization request message that was initiated by the service gateway.

The policy server processes payment information received from the user and, assuming the payment information is sufficient, provides an authorization granted message regarding the user to the service gateway via the user's network access application program.

Brief description of the drawings
Figure 1 depicts the flow followed by one embodiment of the system and method of the present invention.
Figure 2 depicts the network structure of one embodiment of the system and method of the present invention.
Figures 3A and 3B depict the flow of actions of a service gateway and a policy server in one embodiment of the system and method of the present invention.

Detailed description of the invention

A. A system and method for managing Internet access
In various embodiments, the method and system of the present invention allow the owner or operator of a multi-tenant, multi-room building to provide shared high-speed access to a network such as the Internet. For example, a guest in a hotel room can be provided a high-speed connection to the Internet. In another example, a tenant in an apartment or office building can be provided similar access. Similarly, in yet another example, a student in a dormitory room can be provided similar access.

Figure 1 depicts the flow followed by one embodiment of the system and method of the present invention. A user, such as a guest or tenant, plugs a computer, laptop, desktop, personal computing device or the like into a line that provides direct network access, starts the computer, and launches a network access application program such as an Internet web browser to reach a web site. In one embodiment, instead of the requested web site, a web page supplied by the hotel, property management company or the like appears, through which the user may agree to pay for Internet access for a certain period, for example until a given date and time. More specifically, in one embodiment the service gateway at the user's location intercepts the web site request and, as shown in block 4, redirects the user's web browser to a policy server, so that the user's web browser transmits an authorization request message to the policy server. The policy server provides a web page requesting payment information and usage information; this page may contain a hidden reference to the policy server so that, when the user enters payment information and usage information, the information is supplied to the policy server, which may be located remotely on the Internet. The policy server then permits or denies the user access to the Internet. If the user agrees to the charges and provides the requested payment and usage information, the policy server, as shown in block 10, instructs the service gateway, by redirecting the user's web browser, to allow the guest access to the Internet through the service gateway for the authorized period, for example until checkout, until a specified date and time, or for a specified number of days or hours. The service gateway may then confirm the access to the user with a web page; in one embodiment a default start page is provided, and in another embodiment, as shown in block 12, the user's web browser is redirected to the web site the user originally requested.

B. Network structure of a system and method for managing Internet access
Figure 2 depicts the network structure of one embodiment of the system and method of the present invention. According to one embodiment, the system and method include a plurality of user computers 40 (only three are shown), a hub 48, a policy server 34 and a service gateway 14. In one embodiment, policy server 34 and service gateway 14 are connected to the Internet 50. This connection may be made by any method known in the art, including but not limited to connections over an Integrated Services Digital Network (ISDN), digital subscriber line (DSL), cable modem, T1 line, T3 line and the like. In another environment, wireless communication may also be used. In another embodiment, policy server 34 and service gateway 14 may be connected to each other by computer communication that allows data to be exchanged between them, including but not limited to leased lines. In one embodiment, multiple policy servers 34 and service gateways 14 may take part in the method of the invention, particularly when the multi-tenant building is large and/or when the entity that owns or leases the premises owns multiple buildings or geographically distant buildings. In addition, multiple hubs 48 or similar devices such as multiplexers, concentrators and the like may be connected to one or more service gateways 14.


In one embodiment, the method is implemented in software stored and executed by policy server 34 and service gateway 14. Policy server 34 and service gateway 14 may be any computer able to execute software programs and to access a network such as the Internet. In one embodiment, service gateway 14 includes a processor 15 and a memory 16. Processor 15 may be any computer processor, and memory 16 may be any random access memory (RAM) or other readable and writable memory device. Processor 15 executes software that implements the method of the invention using memory 16. The software implementing the invention may be read from and written to a disk drive 17, which is coupled to processor 15 through a disk controller 18. Disk drive 17 may be a hard disk drive, a readable and writable optical disc drive, a floppy disk drive, a memory stick or card device, a digital audio tape (DAT) drive, any other machine-readable medium, or storage connected over a network or by any other means of communication. Processor 15 communicates instructions to a display controller 20 to present images on a display device 22. Display controller 20 may be any display controller, and display device 22 may be any display monitor, including but not limited to a cathode ray tube (CRT) monitor or a thin film transistor (TFT) display screen. A system administrator or similar person may access service gateway 14 through any computer input device, for example a keyboard 24 and mouse 26 connected to the processor through an input/output controller 28.

Service gateway 14 also includes a network interface 30 through which it communicates with a network, in this embodiment the Internet 50, or with a wide area network. Network interface 30 may be a digital data modem, a cable modem, an Ethernet card, or any other type of access device that allows connection to the Internet 50 over a digital subscriber line (DSL), cable television line, T1 line, T3 line, or any other high-speed dedicated line capable of carrying information over a network. In another environment, wireless communication may also be used. Processor 15, memory 16, disk controller 18, display controller 20, input/output controller 28 and network interface 30 are coupled to and communicate with one another over a bus 32, which may be any bus that provides communication between the components of a computer. Although only one bus is described, multiple buses may be used in service gateway 14. In addition, other components and controllers (not shown), or multiple instances of those described, may be included in service gateway 14. In one embodiment, service gateway 14 communicates over the Internet through network interface 30 and receives information from devices connected to the network, such as policy server 34 and web servers (not shown).

In one embodiment, service gateway 14, policy server 34 and user computers 40 each include software capable of communicating over the Internet 50. In one embodiment, this includes software providing communication via the Hypertext Transfer Protocol (HTTP), the User Datagram Protocol (UDP), the Transmission Control Protocol/Internet Protocol (TCP/IP) and other network communication protocols.

Although only one service gateway 14 is described, a system implementing the service gateway of the invention may comprise multiple computers configured as a local area network (LAN), cluster, group, subnet or the like (not shown). In one embodiment, such a system may be connected to the Internet or other global communications network through one or more firewalls or other security devices and systems, so that the servers are separated from the Internet and other computers for security purposes. The system may include graphics servers, application servers and other specialized servers (not shown).

Similarly, although only one policy server 34 is described, a system implementing the policy server of the invention may comprise multiple computers of any kind, configured as a local area network (LAN), cluster, group, subnet or the like (not shown). In one embodiment, such a system may be connected to the Internet or other global communications network through one or more firewalls or other security devices and systems, so that for security purposes the servers are separated from the Internet and other computers. The system may include graphics servers, application servers and other specialized servers (not shown).

User computers 40 may be personal computers having components and features similar to those of service gateway 14. In addition, user computers 40 may be any personal computing device able to execute programs and access a network such as the Internet, including but not limited to cellular telephones, personal digital assistants, desktop computers, portable computers, computer tablets, computer headsets, laptop computers and computer workstations. To access service gateway 14 and, as described above, the Internet, user computers 40 run a network access application program such as Internet web browsing software; one example is the Netscape Communicator® software available from Netscape Communications of Mountain View, California.

C. Functions of a service gateway and a policy server

Figures 3A and 3B depict the flow of actions of a service gateway and a policy server in one embodiment of the system and method of the present invention. Upon power-up, a service gateway sets all of its ports to an unauthorized state, as shown in block 52. This state indicates that a computing device connected through the port has not been authorized to access the Internet; accordingly, the service gateway blocks Internet access by computing devices connected through ports in the unauthorized state. In one embodiment, upon power-up the service gateway may also consult its own internal database and place in the authorized state those ports that still have remaining time or whose agreed expiry date and time has not yet been reached. Then, as shown in block 54, the service gateway receives a web site access request from a user on a port. In one embodiment, this request specifies the URL of a web site. If the port on which the web site access request is received is in the unauthorized state, the service gateway generates an authorization request message (AR-MSG) and sends a redirect instruction to the user, which redirects the user's web browser so that it transmits the AR-MSG to a policy server, as shown in block 56. In one embodiment, the redirect instruction takes the form of a URL that contains the address of the policy server to which the browser is redirected and includes the AR-MSG field as a keyword. The policy server designated may be determined by the configuration of the service gateway, the particular access port, the current load on the various policy servers, or other factors. The policy server receives the AR-MSG, as shown in block 58, and requests payment information and usage information from the user. In one embodiment, the policy server provides the user a web page requesting payment information and usage information. In this embodiment, when the user supplies this information through the web page, the payment information and usage information are transmitted to the policy server. In one embodiment, the payment and usage information is transmitted from the user to the policy server in encrypted form, for example using the Secure Sockets Layer (SSL) encryption and Transport Layer Security (TLS) provided by the user's web browser. More information on SSL is available from Netscape Communications of Mountain View, California, and additional information on TLS can be found in RFC 2818, "HTTP Over TLS", E. Rescorla, May 2000, http://www.ietf.org/rfc/rfc2818.txt. The policy server then receives the payment information and usage information from the user and processes the AR-MSG, payment information and usage information, as shown in block 59.

Based on this processing, the policy server then decides, as shown in block 60, whether authorization to access the Internet should be granted. The policy server may use an internal policy database to make this decision. The policy database may be structured in any manner that stores, retrieves and maintains the information needed to process the AR-MSG. In one embodiment, the policy server may communicate with a credit card processing company, a financial institution or a similar entity to confirm that the payment information is correct, not stolen, and/or backed by sufficient funds or credit. In various embodiments, this may include consulting access lists maintained internally by the policy server and/or by third-party computers. If the policy server does not authorize the user, it may send an access denied web page to the user, as shown in block 62. Because the user's port was initialized to the unauthorized state, no message needs to be sent to the service gateway when the user is not authorized to access the Internet. If the policy server grants authorization, the policy

server generates an authorization granted message (AG-MSG) and, in one embodiment, sends a redirect instruction to the user's web browser so that the AG-MSG is transmitted to the service gateway, as shown in block 64. This redirect instruction may again take the form of a URL that includes the AG-MSG field as a keyword. In another embodiment, the policy server provides, through the user's web browser, a web page containing an HTML link that points to the service gateway and carries the AG-MSG; for example, the user may be presented a web page reading "Click Here To Access the Internet". When the user clicks or otherwise activates the link, the user's browser transmits the AG-MSG to the service gateway. In any of these embodiments, the series of events and actions takes place without deliberate action by the user. As shown in block 66, the service gateway then receives the AG-MSG from the user (without the user's knowledge), validates the message, and transitions the user's port to the authorized state.

As shown in block 68, after receiving the AG-MSG the service gateway may provide a welcome web page and, after displaying it briefly, may also provide the web page the user originally requested. As shown in block 70, the service gateway then provides Internet access to the user. In one embodiment, the service gateway also acts as a firewall to prevent unwanted access to the user's computer. As shown in block 72, the service gateway periodically checks whether the user's authorization has expired. If the authorization has not expired, the service gateway continues to provide the user's Internet access, as shown in block 70. If the user's authorization has expired, for example when the user checks out of a hotel room, when the number of hours of use specified by the user has elapsed, or when an end date and time specified by the user is reached, the service gateway sends an access expired web page to the user and sets the user's port to the unauthorized state, so that further Internet access by the user is refused by the service gateway, as shown in block 74.

In one embodiment, the system and method operate entirely through the exchange of HTTP messages. Although the AR-MSG is initiated by the service gateway and received by the policy server, and the AG-MSG is initiated by the policy server and received by the service gateway, no direct communication between the policy server and the service gateway is described; as discussed above, these messages are transmitted through the web browser on the user's computer.

Since all communication can be transmitted through the client's browser, every message can be seen and modified by the user. For example, a user may attempt to gain network access by passing a fraudulent authorization grant message to the service gateway without involving the policy server at all. To protect against this type of attack, in one embodiment every message generated and communicated by the policy server and the service gateway can include a Message Digest 5 (MD5) digital signature that incorporates a shared secret. A message is validated by checking the signature when the message is received. Additional information on MD5 is available at http://www.ietf.org/rfc/rfc1321.txt, R. Rivest, "The MD5 Message-Digest Algorithm", RFC 1321, April 1992. The shared secret is known only to the policy server and the gateway server; the user has no need to know it and so cannot produce fraudulent messages. Similarly, to prevent a misbehaving user from repeating or copying a valid message that was previously accepted, each message can include an arbitrary sequence number. A repeated sequence number causes the message to be ignored by the service gateway, so checking the sequence number is part of message validation.

In one embodiment, each port on the service gateway is assigned one of two states, authorized or unauthorized. In the unauthorized state, a computer connected through the port is allowed only restricted network access; in the authorized state, a computer connected through the port is allowed unrestricted Internet access. In one embodiment, each logical port can be initialized to the unauthorized state. Once a valid grant message is received from the policy server, the port enters the authorized state. When the authorization expires, when the user disconnects from the service gateway, when a system operator intervenes, or whenever the gateway is reinitialized, the logical port returns to the unauthorized state.

In one embodiment, either or both of the policy server and the service gateway can implement the Remote Authentication Dial-In User Service (RADIUS) protocol. RADIUS can be used by the service gateway to confirm and maintain management information for each of the ports through which users are permitted Internet access. The service gateway can maintain information about each logical port, including state information, expiry information such as the remaining time or the expiry date and time, user identification information, and so on. RADIUS can be used by the policy server to manage information about the users who are permitted access and to whom the service gateway provides Internet access. In addition, the policy server can use RADIUS to obtain, process, and maintain payment information and usage information. Information on RADIUS is available at http://www.ietf.org/rfc/rfc2865.txt, C. Rigney et al., "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.
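The port life cycle described above, as an added worked example that is not code from the patent or from Tut Systems: every logical port starts unauthorized, a validated grant moves it to authorized, and the periodic check of block 72 (or a disconnect, an operator, or reinitialization) moves it back, after which the forwarding decision for that port flips. The expiry is derived from the grant's time keyword in the two formats the page gives later for the grant message, a count of minutes ("60") or a 12-digit MMDDYYYYHHMM end date and time ("020220001400"); deciding between the two forms purely by digit count, and the port and user names, are this example's assumptions.

```python
from datetime import datetime, timedelta

UNAUTHORIZED, AUTHORIZED = "unauthorized", "authorized"


def expiry_from_time(value, now):
    """Expiry for the grant's time keyword: "60" is 60 minutes from now, a
    12-digit value such as "020220001400" is an absolute MMDDYYYYHHMM end time.
    Assumption: the digit count alone tells the two forms apart."""
    digits = value.strip()
    if not digits.isdigit():
        raise ValueError(f"time must be ASCII decimal, got {value!r}")
    if len(digits) == 12:
        return datetime.strptime(digits, "%m%d%Y%H%M")
    return now + timedelta(minutes=int(digits))


class Port:
    def __init__(self, name):
        self.name = name
        self.state = UNAUTHORIZED   # every logical port is initialized here
        self.expires = None
        self.user_id = None


class PortTable:
    """Per-port state kept by the service gateway (state, expiry, user id)."""

    def __init__(self):
        self.ports = {}

    def port(self, name):
        return self.ports.setdefault(name, Port(name))

    def grant(self, name, time_value, user_id, now):
        """A validated AG-MSG for this port: enter the authorized state."""
        p = self.port(name)
        p.state, p.expires, p.user_id = AUTHORIZED, expiry_from_time(time_value, now), user_id
        return p.state

    def reset(self, name):
        """Expiry (block 74), user disconnect, operator intervention or reinitialization."""
        p = self.port(name)
        p.state, p.expires, p.user_id = UNAUTHORIZED, None, None

    def allows_internet(self, name, now):
        """Forwarding decision for traffic on a port; an unauthorized port only
        gets the restricted access needed to reach the policy server."""
        p = self.port(name)
        return p.state == AUTHORIZED and p.expires is not None and now < p.expires

    def sweep(self, now):
        """Block 72: the periodic check; returns the ports that just expired."""
        expired = [p.name for p in self.ports.values()
                   if p.state == AUTHORIZED and p.expires is not None and now >= p.expires]
        for name in expired:
            self.reset(name)
        return expired


def run_lifecycle():
    """Constructed walk-through: one relative grant and one absolute grant."""
    t0 = datetime(2000, 2, 2, 13, 0)
    table = PortTable()
    table.grant("switch3_port5", "60", "joe_smith", t0)      # expires 14:00
    table.grant("switch3_port6", "020220001400", "5", t0)    # expires 2000-02-02 14:00
    out = {}
    out["before"] = [table.allows_internet(p, t0 + timedelta(minutes=59))
                     for p in ("switch3_port5", "switch3_port6", "switch3_port7")]
    out["expired"] = table.sweep(t0 + timedelta(minutes=60))
    out["after"] = table.port("switch3_port5").state
    table.grant("switch3_port5", "30", "joe_smith", t0 + timedelta(minutes=61))
    table.reset("switch3_port5")                              # guest checks out
    out["reset"] = table.allows_internet("switch3_port5", t0 + timedelta(minutes=62))
    return out
```

The forwarding decision re-checks the expiry rather than trusting the state flag alone, so a port whose sweep is late still stops passing traffic at the granted time.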

D. Request message

An AR-MSG can be generated by the service gateway on behalf of a user requesting Internet access. In one embodiment, the AR-MSG, and the URL string that constitutes it, can include some or all of the following fields/keywords: a port identifier ("port"), a host identifier ("host"), a MAC address ("mac"), an original URL indication ("origurl"), a sequence number ("seq"), a digital signature ("sig"), and a version number ("ver").

In one embodiment, an AR-MSG in the form of a URL string includes the port through which the user is connected to a service gateway, described as an alphanumeric field in American Standard Code for Information Interchange (ASCII) format. The value of this field identifies the physical or logical access port through which the user is connected to the service gateway. The port identifier can be specified in any form, as long as it is unique for the particular port connected to the service gateway. For example, if a service gateway has logical or physical connections to several access concentrators and a user is connected to port 5 of the third concentrator, the port can be encoded as "port=switch3_port5". In another embodiment, if the port value is unknown it can be omitted from the message entirely.

In one embodiment, a host can be described by a textual name or an IP address, composed of ASCII characters in the URL string containing the AR-MSG. The host name or IP address specified is the name or address of the service gateway. If the service gateway is multi-homed, meaning that it has more than one IP address, the IP address supplied in the host value must be an address reachable by the user. An example of a textual host identifier is "host=sg3-mainstreet.hotel.isp.net"; as an IP address it is "host=192.23.12.3".

In one embodiment, the "mac" field of the URL string containing an AR-MSG can refer to the Institute of Electrical and Electronics Engineers (IEEE) 802 Media Access Control ("MAC") hardware address of the user's network connection node. IEEE 802 is commonly referred to as the Ethernet standard. In other embodiments, other physical node addresses can be used. In another embodiment, if the "mac" address is unknown it can be omitted from the message. In one embodiment, the original URL specified by the user before the redirect is placed in a field composed of ASCII characters, which can be named "origurl", for example "origurl=http://www.uspto.gov/". In one embodiment, the service gateway can supply a 64-bit non-repeating sequence number as a field of the URL string making up an AR-MSG. Whenever the system is initialized, the sequence number is set to an arbitrary value so that values from earlier initializations and use are not repeated. In one embodiment, the sequence number can be provided in a field designated "seq" and encoded as a 16-byte ASCII hexadecimal value, that is, 8 binary bytes expressed in hexadecimal, for example "seq=002d41e4650000219d4e".

In one embodiment, the URL string containing an AR-MSG can include an MD5 digital signature, computed over the AR-MSG URL string starting at the first keyword, omitting the signature parameter (that is, in one embodiment, the keyword "sig" and its value), with the shared secret appended. That is, sig = MD5(message + shared secret), where "+" denotes concatenation. In one embodiment, the service gateway can provide a protocol version value in the URL. In one embodiment, the version can be specified by "ver" followed by a numeric value in ASCII decimal, for example "ver=0". A summary of the AR-MSG keywords in one embodiment, with description, encoding, and size, is given in Table 1.

Table 1. AR-MSG keywords

Keyword     Description                                            Encoding            Size (bytes)
"port"      Logical access port address                            ASCII               variable
"ver"       Protocol version                                       ASCII decimal       variable
"host"      Domain name of the message originator                  ASCII               variable
"mac"       Client "MAC" address                                   ASCII hexadecimal   12
"origurl"   URL specified by the user before the redirect to the   ASCII               variable
            policy server
"seq"       Sequence number for this request                       ASCII hexadecimal   16
"sig"       MD5 signature                                          ASCII hexadecimal   16

In one embodiment, the AR-MSG prepared by the service gateway and directed to the policy server can be in the form of a URL query, formatted as follows:

http://hostname?keyword1=value1&keyword2=value2&keyword3=value3...keywordN=valueN

E. Authorization grant message

An AG-MSG can be generated by the policy server to grant a user Internet access, and is transmitted to the service gateway to which the user is connected. Upon receiving an AG-MSG, the service gateway can transition the port state specified in the message to the authorized state. In one embodiment, the policy server can transmit an AG-MSG to the service gateway by way of the user's web browser. In doing so, the policy server communicates a URL string to the user, and that URL string contains the information making up an AG-MSG. In this URL string, the destination service gateway is taken to be the originator of the corresponding AR-MSG.

In one embodiment, the AG-MSG, and the URL string by which the AG-MSG is conveyed, can include some or all of the following keywords/fields: a host identifier ("host"), a sequence number ("seq"), a digital signature ("sig"), a version number ("ver"), a time value ("time"), a user identifier ("id"), a maximum data rate parameter, also referred to as bandwidth ("bandwidth"), and a destination URL ("url").

In one embodiment, the service gateway can receive from a user an AG-MSG in the form of a URL string that was initiated by a policy server. The service gateway can validate the value of the signature ("sig") field of the URL string containing the AG-MSG; in one embodiment it computes an MD5 hash over the received message starting at the first keyword, with the shared secret appropriate to the host name specified in the host field ("host") appended. That is, MD5(message + shared secret), where "+" denotes concatenation. In addition to validating the signature, the service gateway can also check the sequence number ("seq") in the URL string containing the AG-MSG to ensure that it matches the sequence number of an AR-MSG transmitted earlier.

If the sequence numbers match, the service gateway can set the port parameters as described by the fields specified in the AG-MSG, and set the logical port through which the user is connected to the service gateway to the authorized state. In one embodiment, AG-MSG fields that the service gateway does not understand can be ignored. If a destination "url" is specified in the AG-MSG, the service gateway can direct the user to that destination URL. In this way the service gateway can present an opening screen, for example the web site of the hotel or property management company that manages the property where the user is located.

In one embodiment, a host can be specified in an AG-MSG as a textual name or an IP address composed of ASCII characters. In one embodiment, the policy server includes its own host name or IP address. The format is the same as that of the "host" field in the AR-MSG. In one embodiment, the policy server echoes the 64-bit non-repeating sequence number ("seq") provided in the AR-MSG.

In one embodiment, the AG-MSG can include an MD5 signature field ("sig"), computed in the same way as for the AR-MSG. In one embodiment, it can include a protocol version value ("ver") in ASCII decimal format.

In one embodiment, the AG-MSG can include a time parameter ("time"). In one embodiment, the time parameter specifies the total number of hours and minutes for which Internet access is authorized. In other embodiments, the time parameter specifies the date and time at which the authorized Internet access expires, for example 2:00 pm on February 2, 2000. In one embodiment, the format of the time parameter is a sequence of digits in ASCII decimal format. For example, "time=60" corresponds to 60 minutes or 1 hour, and "time=020220001400" corresponds to 2:00 pm on February 2, 2000. In these examples, the user's Internet access through the specified port expires after 60 minutes or at the specified date and time.

In one embodiment, the AG-MSG can include a user identifier ("id"). In one embodiment, the user identifier identifies a logical port. In other embodiments, the identifier can be a session identifier, a user name, the IP number of the user's connection, the user's account number, a room number, and so on. The user identifier can be stored by the service gateway and used in management messages or other processing within the service gateway, in other communications with the policy server, for accounting functions, and for any other use. Examples of user identifiers include "id=joe_smith", "id=5", and "id=1234567". In addition, in other embodiments multiple user identifiers can be used to carry similar information, for example "id1" for a room number, "id2" for a user name, "id3" for an account number, and so on. In various embodiments these identifiers can be ASCII or ASCII decimal.

In one embodiment, the AG-MSG can include a parameter specifying the maximum data rate, or bandwidth, for communications transmitted to and received from the user. The value can be specified in kilobits per second (Kbps) or megabits per second (Mbps), and can be an ASCII decimal value. An example of the maximum data rate field is "bandwidth=32". In this example, the user's connection is described as having a maximum transmit and receive speed of 32 Kbps. In one embodiment, the bandwidth keyword can be an ASCII string identifying a routing shaping profile present on the service gateway. In this embodiment, the shaping profile includes, for example, transmit and/or receive queue depth, processing rate, drop rate, and other computer communication parameters and information.

In one embodiment, the AG-MSG can include a destination URL indication in a "url" field. The destination URL can be any domain name that offers a web site, for example the web site of the hotel or property management company entity that manages the property where the user is located. In other embodiments, any other web page can be specified. An example of a "url" field is "url=http://www.somehotel.com". A summary of the AG-MSG keywords in one embodiment, with description, encoding, and size, is given in Table 2.

Table 2. AG-MSG keywords

Keyword       Description                                      Encoding            Size (bytes)
"ver"         Protocol version                                 ASCII decimal       variable
"host"        Domain name of the message originator            ASCII               variable
"mac"         Client "MAC" address                             ASCII hexadecimal   12
"seq"         Sequence number of the corresponding request     ASCII hexadecimal   16
"sig"         MD5 signature                                    ASCII hexadecimal   16
"bandwidth"   Maximum bandwidth allowed                        ASCII               variable
"time"        Duration of the authorization                    ASCII decimal       variable
"id"          Name assigned to the logical port                ASCII               variable
"url"         Destination web site once authorized             ASCII               variable

In one embodiment, the AG-MSG prepared by the policy server and directed to the service gateway can be in the form of a URL query, formatted as follows:

http://hostname?keyword1=value1&keyword2=value2&keyword3=value3...keywordN=valueN

F. Example

The system and method of the invention can be better understood by reviewing the following example. In this example, a user in a multi-tenant building plugs a computer into a wall socket, which is connected to an access concentrator. The concentrator is connected to a service gateway with IP address 35.42.42.42 whose host name is somehotel.com. The service gateway is associated with a policy server with IP address 192.168.254.249 and host name hotelpolicyserver.com. After the user opens a web browser and specifies a web page such as http://www.tutsys.com, the service gateway intercepts the page request. If the port making the request is not in the authorized state, the user is refused access to the Internet. Instead, the service gateway prepares an AR-MSG and sends it to the user as an HTTP redirect message, for example:

http://hotelpolicyserver.com/pp/welcome.php3?port=192.168.254.211-02007&host=somehotel.com&mac=00a00c1147f1&origurl=www%2etutsys%2ecom%2f&seq=1828d81492b2c044461fd709f0a5637b&sig=6d39e8d81bfbfcad490e908ec60d6d7a

The user's browser follows this URL. In response, the policy server provides a web page carrying welcome information and requesting payment information and usage information. In one embodiment, the payment information can be an agreement to have a specific charge billed to the user's hotel room, a prompt for the user to enter credit card information, and so on. This can be achieved with user interface techniques such as graphics, text, text entry fields, drop-down menus, buttons, scroll bars, and the like. In one embodiment, Common Gateway Interface (CGI) scripts, JAVA® applets, and other web technologies can be combined. After providing the payment information and usage information, the user must then accept the terms of use and confirm the payment information and usage information. This can be done by clicking a button on the web page or through another user interface technique. Once the information is confirmed, a link or web site reference associated with the page directs the user's web browser to transmit the payment information to the policy server.

The policy server then processes the payment information and usage information, and decides whether to allow or deny the user's Internet access. If access is denied, the policy server communicates a connection-denied web page to the user. If access is allowed, the policy server generates an AG-MSG in the form of a URL containing an HTTP query and communicates that URL to the user's browser so as to redirect the user to the service gateway:

http://servicegw.somehotel.com/PublicPort/PP-Authenticate?id=1+seq=1828d81492b2c044461fd7090a5637b+url=http%3a%2f%2fwww%2etutsys%2ecom%2f+sig=7863e5a6d77e0e9b5ab472ea7e71e053

When the user receives this URL, the user's web browser is directed to the service gateway. In response to receiving the AG-MSG from the user, the service gateway changes the state of the user's logical port to authorized, provides the designated "authok.html" web page, and provides the user with Internet access. In one embodiment, the service gateway can also retrieve the original URL the user specified when first attempting to access the Internet, by looking it up in a database using the sequence number, port number, or other unique identifier.
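The exchange laid out in sections D and E and walked through in the example above, as an added worked example that is not code from the patent or from Tut Systems: a service gateway builds and signs an AR-MSG, a policy server validates it and answers with a signed AG-MSG that echoes the sequence number, and the gateway validates the grant and turns away a grant edited in the browser, a replayed grant, and a grant minted without the shared secret. The secret value, the use of the example's /PublicPort/PP-Authenticate path as the gateway's fixed grant endpoint, the `payment_ok` flag standing in for the payment check, and the "&" separator from the URL query format (the example above uses "+") are assumptions of this code. One caveat for anyone reusing the scheme: the page calls sig a digital signature, but as specified it is a keyed hash, MD5 over the message with the secret appended, so either peer can mint messages, and MD5 collisions have been practical for years; a new deployment should put HMAC-SHA256 in the same position. The block keeps the page's construction so the verification logic matches the text.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

GATEWAY_PATH = "/PublicPort/PP-Authenticate"   # grant endpoint; path taken from the page's example


def sign(body, secret):
    """sig = MD5(message + shared secret) as the page specifies, hex encoded.
    body is the query string from the first keyword up to, not including, the
    sig parameter.  A keyed hash, not a public-key signature; use HMAC-SHA256
    here in a new deployment."""
    return hashlib.md5(body.encode() + secret).hexdigest()


def build_message(base_url, fields, secret):
    """Serialise (keyword, value) pairs in the given order, then append sig."""
    body = urlencode(fields)
    return f"{base_url}?{body}&sig={sign(body, secret)}"


def verify_message(url, keys_by_host):
    """Parsed fields if sig checks out under the secret for host=, else None.
    host= lies inside the signed body, so naming the wrong peer fails too."""
    body, sep, sig = urlsplit(url).query.rpartition("&sig=")
    if not sep:
        return None
    fields = dict(parse_qsl(body))
    secret = keys_by_host.get(fields.get("host"))
    if secret is None or not hmac.compare_digest(sign(body, secret).encode(), sig.encode()):
        return None
    return fields


class ServiceGateway:
    def __init__(self, host, keys_by_host):
        self.host, self.keys = host, keys_by_host   # one secret per policy server
        self.pending = {}     # seq -> {"port", "origurl"} awaiting a grant
        self.used = set()     # seqs already consumed: a second copy is a replay
        self.authorized = {}  # port -> fields of the accepted AG-MSG
        self.counter = secrets.randbits(64)         # arbitrary start on (re)initialisation

    def next_seq(self):
        self.counter = (self.counter + 1) % (1 << 64)
        return f"{self.counter:016x}"   # 8 bytes as 16 ASCII hex digits

    def request(self, policy_url, port, mac, orig_url):
        """AR-MSG: the redirect handed to the user's browser (block 64)."""
        seq = self.next_seq()
        self.pending[seq] = {"port": port, "origurl": orig_url}
        fields = [("port", port), ("host", self.host), ("mac", mac),
                  ("origurl", orig_url), ("seq", seq), ("ver", "0")]
        return build_message(policy_url, fields, self.keys[urlsplit(policy_url).hostname])

    def grant(self, ag_url):
        """AG-MSG arriving from the browser (block 66): (status, redirect target)."""
        fields = verify_message(ag_url, self.keys)
        if fields is None:
            return ("bad-signature", None)
        seq = fields.get("seq")
        if seq in self.used:
            return ("replay", None)
        req = self.pending.pop(seq, None)
        if req is None:
            return ("unknown-seq", None)
        self.used.add(seq)
        self.authorized[req["port"]] = fields
        return ("authorized", fields.get("url") or req["origurl"])   # grant's url, else the page first asked for


class PolicyServer:
    def __init__(self, host, keys_by_host):
        self.host, self.keys = host, keys_by_host   # one secret per gateway

    def handle(self, ar_url, payment_ok, user_id, minutes, url):
        """Validate the AR-MSG and, once payment is accepted (payment_ok stands in
        for that step), answer with an AG-MSG addressed to the gateway named in
        host=, the AR-MSG originator."""
        req = verify_message(ar_url, self.keys)
        if req is None or not payment_ok:
            return None   # no grant: the port stays unauthorised and the user gets a denial page
        fields = [("host", self.host), ("seq", req["seq"]), ("ver", "0"), ("time", str(minutes)),
                  ("id", user_id), ("bandwidth", "32"), ("url", url)]
        return build_message(f"http://{req['host']}{GATEWAY_PATH}", fields, self.keys[req["host"]])


def run_exchange():
    """The page's example end to end; the secret, the user and the outcomes are constructed."""
    secret = b"constructed-secret-known-only-to-gateway-and-policy-server"
    gw = ServiceGateway("servicegw.somehotel.com", {"hotelpolicyserver.com": secret})
    ps = PolicyServer("hotelpolicyserver.com", {"servicegw.somehotel.com": secret})
    ar = gw.request("http://hotelpolicyserver.com/pp/welcome.php3", port="192.168.254.211-02007",
                    mac="00a00c1147f1", orig_url="http://www.tutsys.com/")
    ag = ps.handle(ar, payment_ok=True, user_id="1", minutes=60, url="http://www.somehotel.com")
    out = {"grant": gw.grant(ag), "replay": gw.grant(ag)}
    out["tampered"] = gw.grant(ag.replace("time=60", "time=6000"))   # edited in the browser
    body = "host=hotelpolicyserver.com&seq=0000000000000001&ver=0&time=60&id=1"
    forged = f"http://servicegw.somehotel.com{GATEWAY_PATH}?{body}&sig=" + hashlib.md5(body.encode()).hexdigest()
    out["forged"] = gw.grant(forged)   # minted without the secret
    out["declined"] = ps.handle(ar, payment_ok=False, user_id="1", minutes=60, url="")
    return out
```

The gateway checks the signature before it looks at the sequence number, so an attacker learns nothing about which sequence numbers are outstanding from the rejection; the `used` set is what makes a second delivery of a genuine grant fail, which the signature alone cannot do.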

In the foregoing specification, the invention has been described with reference to specific embodiments. It will, however, be evident that various modifications and changes can be made without departing from the spirit and scope of the invention as set forth in the appended claims. The specification and drawings are accordingly to be regarded as illustrative rather than restrictive.


Claims (1)

1223941  Application No. 90100748  Amendment  VI. Claims

1. A method for managing network access, comprising:
receiving a network access request from a user;
transmitting an authorization request message relating to the user to a policy server via a network access application of the user;
receiving from the network access application an authorization grant message relating to the user, initiated by the policy server; and
providing the network access application with access to a network in response to receiving the authorization grant message.

2. The method of claim 1, wherein the network access application comprises an Internet web browser and the network comprises the Internet.

3. The method of claim 1, wherein the network access request comprises an Internet web site access request.

4. The method of claim 1, wherein the transmitting comprises: redirecting the network access application to the policy server.

5. The method of claim 4, wherein the redirecting comprises: communicating a redirect in the form of a Hypertext Transfer Protocol (HTTP) Uniform Resource Identifier (URI) to an Internet web browser of the user.

6. The method of claim 1, wherein the transmitting comprises: computing a digital signature of the authorization request message.

7. The method of claim 1, wherein the authorization request message comprises: a port identifier; a host identifier; a media access control (MAC) address; an original uniform resource locator (URL) indication; a sequence number; a digital signature based on a shared secret; and a version number.

8. The method of claim 1, wherein the authorization grant message comprises: a host identifier; a sequence number; a digital signature based on a shared secret; a version number; a time value; a user identifier; a maximum data rate parameter; and a destination uniform resource locator (URL).

9. The method of claim 1, further comprising: checking whether a sequence number of the authorization grant message is correct.

10. The method of claim 1, further comprising: checking whether a digital signature of the authorization grant message is correct.

11. A method for managing network access, comprising:
receiving an authorization request message from a network access application of a user, the message having been initiated by a service gateway;
processing payment information received from the user; and
providing an authorization grant message relating to the user to the service gateway via the network access application.

12. The method of claim 11, wherein the network access application comprises an Internet web browser.

13. The method of claim 11, further comprising: requesting payment information from the user; and receiving the payment information from the user.

14. The method of claim 13, wherein the requesting comprises: providing a web page to an Internet web browser.

15. The method of claim 11, further comprising: processing usage information received from the user.

16. The method of claim 15, further comprising: requesting the usage information from the user; and receiving the usage information from the user.

17. The method of claim 16, wherein the requesting comprises: providing a web page to an Internet web browser.

18. The method of claim 11, further comprising: checking whether a digital signature of the authorization request message is correct.

19. The method of claim 11, wherein the providing comprises: computing a digital signature of the authorization grant message.

20. The method of claim 11, wherein the providing comprises: redirecting the network access application to the service gateway.

21. The method of claim 20, wherein the redirecting comprises: communicating a redirect in the form of a Hypertext Transfer Protocol (HTTP) Uniform Resource Identifier (URI) to an Internet web browser.

22. The method of claim 11, wherein the processing comprises: verifying that the payment information is not fraudulent and is not insufficient; and, if the payment information is insufficient or fraudulent, transmitting an access-denied message to the user.

23. The method of claim 22, wherein the transmitting comprises: providing a web page to an Internet web browser of the user.

24. A machine-readable medium storing instructions which, when executed by a processor, cause a machine to perform operations comprising:
receiving a network access request from a user;
transmitting an authorization request message relating to the user to a policy server via a network access application of the user;
receiving from the network access application an authorization grant message relating to the user, initiated by the policy server; and
providing the network access application with access to the Internet in response to the receiving.

25. The machine-readable medium of claim 24, wherein the transmitting comprises: redirecting the network access application to the policy server.

26. The machine-readable medium of claim 25, wherein the redirecting comprises: communicating a redirect in the form of a Hypertext Transfer Protocol (HTTP) Uniform Resource Identifier (URI) to a web browser of the user.
The method according to item 22 of the scope of patent application, wherein the web site provides an Internet site to the user. 2 4. A method for executing the operation of a machine through a processor to store the instructions. Machine-readable media including: receiving a network access request from a user; transmitting an authorization request message about the user to a policy server by using the access application; accessing the application from the network Receiving a message authorization message about the policy server user; and providing the network-type access to the Internet in response to the reception. 25. If the machine-readable medium in the 24th scope of the patent application includes: redirecting the network access application to the strategy 22.6. If the machine-readable medium in the 25th scope of the patent application, guides Contains: a web browser that redirects the user in the form of communication-hypertext transfer protocol (HTTP) which can be consistent with a URI. Source Identifier ► Management Contains: Enough; and A Reject Message is sent Contains: Browser. The server is initialized by a network device that is capable of accessing the application. Where the re-source identifier O:\68\68698-930506.ptc 第35頁 1223941 S3. 案號 90100748 修正 t、申請專利範圍 2 7 .如申 令可使機 檢查 2 8 .如申 令可使機 檢查 請專利範圍 器執行操作 該授權允許 請專利範圍 器執行操作 該授權允許 29. —種當透過一處 儲存該等指令 從一使用 其 程式 30. 令可 31 . 令可 32. 包含 33. 包含 是透 處理 將有 而提 如申 使機 處理 如申 使機 檢查 如申 計算 如申 過一 從使 關使 供給 請專 器執 從使 請專 器執 該授 請專 的機器 者的網 服務閘 用者接 用者的 服務閘 利範圍 行操作 用者接 利範圍 行操作 權要求 利範圍 第2 4項之機器可讀媒體,其中該等指 ,其進一步包含: 訊息的一序號是否正確。 第2 4項之機器可讀媒體,其中該等指 ,其進一步包含: 訊息的一數位簽字是否正確。 理器的執行使機器執行操作時具有可 可讀媒體,包含: 路接達應用程式接收一授權要求訊息 道器而開始; 收的一付款資訊;及 一授權允許訊息經由該網路接達應用 道器。 第2 9項之機器可讀媒體,其中該等指 ,其進一步包含: 收的一使用資訊。 第2 9項之機器可讀媒體,其中該等指 ,其進一步包含: 訊息的 第29項 一數位簽字是否正確。 之機器可讀媒體,其中該提供 該授權允許 請專利範圍 訊息的一數位簽字。 第2 9項之機器可讀媒體,其中該提供O: \ 68 \ 68698-930506.ptc Page 35 1223941 S3. Case No. 90100748 Amendment t. Application for patent scope 2 7. 
If an order is made to inspect the machine 2 8. If an order is made to inspect the machine, please use the patent scope Operation of this authorization allows the patent scope to perform the operation. This authorization allows 29. — a kind of use of the program from a store to store these instructions from 30. Order can 31. Order can 32. Contains 33. Including is transparent processing will have The requester handles the request, checks the requester, calculates the requester, supplies the requester, and instructs the requester to perform the request. The user of the service area shall apply for the machine-readable medium of item 24 of the scope of operation right, where these refers to, which further includes: whether the serial number of the message is correct. The machine-readable medium of item 24, where these refer to, further comprising: whether the digital signature of the message is correct. The execution of the processor enables the machine to have a readable medium when performing the operation, including: the road access application program starts receiving an authorization request message channel; a payment information is received; and an authorization permission message accesses the application channel through the network Device. The machine-readable medium of item 29, wherein these refer to, further comprising: a usage information received. Item 29. The machine-readable medium, which refers to, further includes: Item 29 of the message. Is the digital signature correct? A machine-readable medium in which the authorization is provided to allow a digital digit signature of the patent scope message. The machine-readable medium of item 29, wherein the providing O:\68\68698-930506.ptc 第36頁 1223941 5, or :案號 901Q0748 年 月 修正 六、申請專利範圍 將該網路接達應用程式重新導向該服務閘道器。 3 4.如申請專利範圍第3 3項之機器可讀媒體,其中該重新 導向包含: 通訊一超文字傳輸協定(HT TP )能一致性資源識別符 (U R I )形式而重新導向使用者的一網際網路網站瀏覽器。 3 5 .如申請專利範圍第2 9項之機器可讀媒體,其中該處理 包含: « 查證該付款資訊不是欺詐,而且並非是不足夠;及 如果該付款資訊是不足夠或欺詐,將一接達拒絕訊息 傳送給使用者。 3 6 . 
—種用以管理網路接達之系統,包含: 一策略伺服器;及 一服務閘道器,以便從網路接達應用程式接收一網路 接達要求,將有關一使用者的授權要求訊息經由該網路接 達應用程式而傳送給該策略伺服器,並且從該網路接達應 用程式接收有關透過該策略伺服器所初始化使用者的授權 允許訊息; 其中該服務閘道器是響應接收該授權允許訊息而提供 使用者可接達一網路。 3 7.如申請專利範圍第3 6項之系統,其中該網路是網際網 路。 3 8 .如申請專利範圍第3 6項之系統,其中該網路接達應用 程式是一網際網路網站瀏覽器。O: \ 68 \ 68698-930506.ptc Page 36 1223941 5, or: Case No. 901Q0748 Month Amendment VI. Patent Application Scope Redirect the network access application to the service gateway. 3 4. The machine-readable medium according to item 33 of the patent application scope, wherein the redirection includes: a communication-hypertext transfer protocol (HT TP) that can be consistent with the resource identifier (URI) form and redirect the user Internet website browser. 35. If the machine-readable medium of item 29 of the patent application scope, the processing includes: «verifying that the payment information is not fraudulent and not insufficient; and if the payment information is insufficient or fraudulent, A rejection message was sent to the user. 3 6. — A system for managing network access, including: a policy server; and a service gateway to receive a network access request from a network access application and send a related user Of the authorization request message is transmitted to the policy server through the network access application, and receives an authorization permission message from the network access application about the user initialized through the policy server; wherein the service gateway The device is responsive to receiving the authorization permission message and provides the user with access to a network. 37 7. The system according to item 36 of the patent application scope, wherein the network is the Internet. 38. The system according to item 36 of the scope of patent application, wherein the network access application is an Internet website browser. O:\68\68698-930506.ptc 第37頁O: \ 68 \ 68698-930506.ptc Page 37
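The claims above list the fields of the authorization request and authorization permission messages and call for three checks: that the request and permission signatures are correct (claims 10, 18, 28, 31), that the permission's sequence number is correct (claims 9, 27), and that the browser is redirected with an HTTP URI (claims 20, 21, 25, 26). The following Python is an added worked example, not code from the patent or from Tut Systems: it models those messages and checks in one place. Everything beyond the claim text is an assumption: the "digital signature based on a shared secret" is realised as an HMAC-SHA256 tag, fields are serialised with a length prefix, a sequence number counts as correct when it matches an outstanding request and has not already been honoured, and the class and function names (`ServiceGateway`, `policy_server_issue`, `sign`), URLs and sample values are all constructed for the example.

```python
"""Authorization request / permission exchange with a shared-secret signature.

Added worked example (not the patent's or Tut Systems' code). Assumptions:
HMAC-SHA256 stands in for the "digital signature based on a shared secret",
serialisation is length-prefixed, and a sequence number is "correct" when it
matches an outstanding request and was not already consumed. All names and
sample values are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, fields, replace
from urllib.parse import urlencode


@dataclass(frozen=True)
class AuthorizationRequest:
    """Fields listed for the authorization request message (claim 7)."""
    connection_id: str
    host_id: str
    mac_address: str
    original_url: str
    sequence_number: int
    version: int


@dataclass(frozen=True)
class AuthorizationPermission:
    """Fields listed for the authorization permission message (claim 8); the signature travels beside it."""
    host_id: str
    sequence_number: int
    version: int
    time_value: int
    user_id: str
    max_data_rate_kbps: int
    destination_url: str


def _canonical(message) -> bytes:
    """Length-prefix every field so two different field lists never serialise alike."""
    out = bytearray()
    for f in fields(message):
        value = str(getattr(message, f.name)).encode("utf-8")
        out += len(value).to_bytes(4, "big") + value
    return bytes(out)


def sign(message, shared_secret: bytes) -> str:
    """Signature over the message using the shared secret (HMAC-SHA256 is an assumption)."""
    return hmac.new(shared_secret, _canonical(message), hashlib.sha256).hexdigest()


def policy_server_issue(req, req_signature, shared_secret, user_id, destination_url, now, max_rate_kbps):
    """Policy-server side: check the request signature (claim 18), then sign a permission (claim 19).
    Payment and usage handling (claims 13-17, 22) is outside this example. Returns None on a bad signature."""
    if not hmac.compare_digest(sign(req, shared_secret), req_signature):
        return None
    perm = AuthorizationPermission(req.host_id, req.sequence_number, req.version,
                                   now, user_id, max_rate_kbps, destination_url)
    return perm, sign(perm, shared_secret)


class ServiceGateway:
    """Service-gateway side: issues requests, builds the redirect, verifies permissions."""

    def __init__(self, shared_secret: bytes, redirect_base: str):
        self._secret = shared_secret
        self._redirect_base = redirect_base   # constructed policy-server login URL
        self._next_seq = 1
        self._outstanding = {}   # host_id -> sequence number awaiting a permission
        self._consumed = set()   # sequence numbers already honoured (replay check)

    def build_request(self, connection_id, host_id, mac_address, original_url):
        req = AuthorizationRequest(connection_id, host_id, mac_address, original_url, self._next_seq, 1)
        self._outstanding[host_id] = req.sequence_number
        self._next_seq += 1
        return req, sign(req, self._secret)

    def redirect_uri(self, req: AuthorizationRequest) -> str:
        """HTTP redirect target for the user's browser, carrying the original URL (claims 20-21)."""
        return self._redirect_base + "?" + urlencode({"orig": req.original_url, "seq": req.sequence_number})

    def check_permission(self, perm: AuthorizationPermission, signature: str):
        """Claims 9/10: signature first (constant-time compare), then the sequence number."""
        if not hmac.compare_digest(sign(perm, self._secret), signature):
            return False, "bad signature"
        if perm.sequence_number in self._consumed:
            return False, "sequence number already used"
        if self._outstanding.get(perm.host_id) != perm.sequence_number:
            return False, "sequence number does not match an outstanding request"
        self._consumed.add(perm.sequence_number)
        del self._outstanding[perm.host_id]
        return True, "access granted"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    gw = ServiceGateway(secret, "https://policy.example/login")
    req, rsig = gw.build_request("conn-1", "host-1", "00:11:22:33:44:55", "http://example.com/")
    print("redirect:", gw.redirect_uri(req))
    perm, psig = policy_server_issue(req, rsig, secret, "alice", "http://example.com/", now=1000, max_rate_kbps=512)
    print("first permission:", gw.check_permission(perm, psig))
    print("replayed permission:", gw.check_permission(perm, psig))
    print("tampered rate:", gw.check_permission(replace(perm, max_data_rate_kbps=100000), psig))
```

The claims say only that the signature and sequence number are "checked"; the example makes the two failure modes a gateway must distinguish explicit: a forged or altered permission (signature mismatch, rejected before any state is touched) and a replayed or out-of-order one (sequence number already consumed or not matching an outstanding request). Signature verification comes first so that state such as the consumed-sequence set is only updated for authenticated messages.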
TW90100748A 2000-01-13 2001-02-20 System and method for managing network access TWI223941B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US17718700P 2000-01-13 2000-01-13
US71449700A 2000-11-15 2000-11-15

Publications (1)

Publication Number Publication Date
TWI223941B true TWI223941B (en) 2004-11-11

Family

ID=26873017

Family Applications (1)

Application Number Title Priority Date Filing Date
TW90100748A TWI223941B (en) 2000-01-13 2001-02-20 System and method for managing network access

Country Status (5)

Country Link
EP (1) EP1250650A1 (en)
JP (1) JP2003519871A (en)
AU (1) AU2001226383A1 (en)
TW (1) TWI223941B (en)
WO (1) WO2001052071A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7826842B2 (en) 2005-07-01 2010-11-02 Research In Motion Limited System and method for managing forbidden network lists on a wireless user equipment (UE) device
TWI452870B (en) * 2006-12-21 2014-09-11 Hewlett Packard Co Network traffic redirection in bi-planar networks

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2413863A (en) * 2004-05-08 2005-11-09 Ibm Method and system for distribution of information
CN100372303C (en) * 2004-12-13 2008-02-27 华为技术有限公司 Method for realizing pre-payment user internet policy dynamic change
DE102006051652B4 (en) * 2006-11-02 2013-02-28 Deutsche Telekom Ag Method and arrangement for changing and / or activating parameters during connection of a subscriber to the Internet
CN101150853A (en) * 2007-10-29 2008-03-26 华为技术有限公司 A network system, policy management control server and policy management control method
EP2166701A1 (en) * 2008-09-18 2010-03-24 Thomson Telecom Belgium Device and method for retrieving information from a device
US9112830B2 (en) * 2011-02-23 2015-08-18 Mcafee, Inc. System and method for interlocking a host and a gateway
CN108512808B (en) * 2017-02-24 2019-05-31 北京数安鑫云信息技术有限公司 A kind of malicious requests hold-up interception method and system improving access response speed

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH0981519A (en) * 1995-09-08 1997-03-28 Kiyadeitsukusu:Kk Authentication method on network
US5802518A (en) * 1996-06-04 1998-09-01 Multex Systems, Inc. Information delivery system and method
US5864871A (en) * 1996-06-04 1999-01-26 Multex Systems Information delivery system and method including on-line entitlements
US5819271A (en) * 1996-06-04 1998-10-06 Multex Systems, Inc. Corporate information communication and delivery system and method including entitlable hypertext links
US5926624A (en) * 1996-09-12 1999-07-20 Audible, Inc. Digital information library and delivery system with logic for generating files targeted to the playback device
US5961590A (en) * 1997-04-11 1999-10-05 Roampage, Inc. System and method for synchronizing electronic mail between a client site and a central site

Also Published As

Publication number Publication date
WO2001052071A1 (en) 2001-07-19
AU2001226383A1 (en) 2001-07-24
EP1250650A1 (en) 2002-10-23
WO2001052071A9 (en) 2002-12-19
JP2003519871A (en) 2003-06-24

Similar Documents

Publication Publication Date Title
US8578465B2 (en) Token-based control of permitted sub-sessions for online collaborative computing sessions
US7661129B2 (en) Secure traversal of network components
TW532024B (en) System for distributed network authentication and access control
EP1998506B1 (en) Method for controlling the connection of a virtual network
JP3762882B2 (en) Internet server access management and monitoring system
US7886343B2 (en) Authentication service for facilitating access to services
US7818576B2 (en) User controlled anonymity when evaluating into a role
CN101350717B (en) Method and system for logging on third party server through instant communication software
US20090077649A1 (en) Secure messaging system and method
US7512973B1 (en) Wireless-access-provider intermediation to facilliate digital rights management for third party hosted content
US10116628B2 (en) Server-paid internet access service
US9124606B2 (en) Methods, apparatuses and systems facilitating seamless, virtual integration of online membership models and services
KR20040069339A (en) Method and system for secure handling of electronic business transactions on the internet
JP2002523973A (en) System and method for enabling secure access to services in a computer network
JP2003527672A (en) Method and apparatus for providing secure authentication of a portable device via an internet host server
EP2786607A1 (en) Mutually authenticated communication
US20060265506A1 (en) Systems and methods for establishing and validating secure network sessions
TWI223941B (en) System and method for managing network access
US20020035686A1 (en) Systems and methods for secured electronic transactions
US20020165783A1 (en) Accounting in peer-to-peer data communication networks
TWI261446B (en) Client service architecture using HTTPS communication protocol and method thereof
TW202326492A (en) Device, method and system of handling access control
Bradner Source Directed Access Control on the Internet
Chen Advanced BizTalk Messaging Features
CA2601654A1 (en) Secure messaging system and method