US20160381625A1 - Method for post-authenticating user equipment, controller and network system - Google Patents

Info

Publication number
US20160381625A1
Authority
US
United States
Prior art keywords
user equipment
gateway
access point
port
controller
Prior art date
Legal status
Granted
Application number
US14/979,565
Other versions
US9532304B1 (en)
Inventor
Jyh-Cheng Chen
Jen-Shun Yang
Yi-Hao Lin
Shang-Chun Ou
Current Assignee
Industrial Technology Research Institute ITRI
National Chiao Tung University NCTU
Original Assignee
Industrial Technology Research Institute ITRI
National Chiao Tung University NCTU
Priority date
Filing date
Publication date
Application filed by Industrial Technology Research Institute (ITRI) and National Chiao Tung University (NCTU)
Assigned to Industrial Technology Research Institute and National Chiao Tung University; assignors: Shang-Chun Ou, Jyh-Cheng Chen, Yi-Hao Lin, Jen-Shun Yang
Application granted
Publication of US9532304B1
Publication of US20160381625A1
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/08 Access security
    • H04W 48/00 Access restriction; Network selection; Access point selection
    • H04W 48/02 Access restriction performed under specific conditions
    • H04W 48/16 Discovering, processing access restriction or access information
    • H04W 60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    • H04W 60/04 Affiliation to network using triggered events
    • H04W 64/00 Locating users or terminals or network equipment for network management purposes, e.g. mobility management
    • H04W 64/006 Locating users or terminals with additional information processing, e.g. for direction or speed determination
    • H04W 84/00 Network topologies
    • H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W 84/10 Small scale networks; Flat hierarchical networks
    • H04W 84/12 WLAN [Wireless Local Area Networks]

Definitions

  • The present application relates to a method for post-authenticating at least one user equipment (UE), a controller and a network system thereof.
  • High-speed rail is an important mode of transportation in many countries, for example the TGV in France, the ICE (Inter-City Express) in Germany, the Shinkansen in Japan, and Taiwan High Speed Rail.
  • With the growth of high-speed rail and the popularity of communication equipment, demand for network access in fast-moving scenarios is increasing rapidly. The top speed of a high-speed train is approximately 280 kilometers per hour. At such speeds the signal quality varies greatly within a short time, and Doppler effects raise the decoding error rate at the receiving side, so the user equipment (UE) frequently retries its transmissions whenever the network connection is interrupted.
  • Before a UE may access the Internet, it must be authenticated, for example by an authentication, authorization and accounting (AAA) server. If the authentication process fails because of a network disconnection, the UE keeps resending its authentication data in order to complete the process.
  • FIG. 1 is a block diagram illustrating a network system of a train 100.
  • The train 100 in FIG. 1 may be a train, a high-speed rail train, or any other multi-car vehicle with a predictable traveling route.
  • The train 100 may include five cars 100_1 to 100_5.
  • Access points (APs) 102_1 to 102_5 may be installed in cars 100_1 to 100_5 respectively, each providing the passengers in its car with network access.
  • For example, access point 102_1 lets the passengers in car 100_1 reach the network with mobile devices (such as mobile phones, tablet PCs, notebook computers or similar devices), access point 102_2 serves the passengers in car 100_2, and the remaining access points 102_3 to 102_5 likewise.
  • The train 100 has only a single external gateway 104 (for example, a customer premises equipment (CPE) gateway), installed in car 100_3.
  • Gateway 104 may be connected to APs 102_1 to 102_5 and acts as the intermediate node through which cars 100_1 to 100_5 communicate with the network 106.
  • Network 106 may be, but is not limited to, Long-Term Evolution (LTE), WiMAX (Worldwide Interoperability for Microwave Access), a third-generation (3G) or fourth-generation (4G) mobile communication network, or another similar network.
  • Network 106 may include an evolved Node B (eNB), a mobility management entity (MME), a serving gateway (S-GW), a packet data network gateway (P-GW) and other network entities, but is not limited thereto.
  • Because the train 100 has only a single external gateway 104, the channel quality between gateway 104 and network 106 changes rapidly while the train 100 is moving, and network disconnection occurs often.
  • As the UEs keep resending authentication data, the transmission queue of the external gateway fills with authentication traffic, which may cause network congestion.
  • The embodiments of the disclosure may provide a method for post-authenticating at least one user equipment, a controller, and a network system thereof.
  • An embodiment of the disclosure relates to a method for post-authenticating at least one user equipment, adapted to a controller connected to at least one gateway.
  • The method comprises: when the at least one user equipment is connected to at least one access point, determining whether an external channel quality of the at least one gateway is higher than a threshold; when the external channel quality is not higher than the threshold, incompletely authenticating the at least one user equipment and controlling the at least one access point to provide the at least one user equipment with a limited network access ability; estimating a future channel capacity of the at least one gateway; calculating a priority weight of each user equipment of the at least one user equipment according to that user equipment's authentication waiting time, number of authentication failures and at least one hop count between the at least one access point and the at least one gateway; and selecting at least one candidate user equipment from the at least one user equipment based on the future channel capacity and the priority weight of the at least one candidate user equipment, and arranging a corresponding authentication mechanism for completely authenticating the at least one candidate user equipment at a time corresponding to the future channel capacity.
  • The controller comprises a storage unit storing multiple modules, and a processing unit connected to the storage unit that accesses and executes the multiple modules.
  • The multiple modules include a determining module, a controlling module, an estimating module, a calculating module, and a selecting module.
  • The determining module determines whether an external channel quality of at least one gateway is higher than a threshold, wherein at least one user equipment is connected to at least one access point through the at least one gateway.
  • The controlling module incompletely authenticates the at least one user equipment and controls the at least one access point to provide the at least one user equipment with a limited network access ability when the external channel quality is not higher than the threshold.
  • The estimating module estimates a future channel capacity of the at least one gateway.
  • The calculating module calculates a priority weight of each user equipment of the at least one user equipment according to that user equipment's authentication waiting time, number of authentication failures and at least one hop count between the at least one access point and the at least one gateway.
  • The selecting module selects at least one candidate user equipment from the at least one user equipment based on the future channel capacity and the priority weight of the at least one candidate user equipment, and arranges a corresponding authentication mechanism for completely authenticating the at least one candidate user equipment at a time corresponding to the future channel capacity.
  • The network system comprises at least one gateway, at least one access point connected to the at least one gateway to access a network, and a controller connected to the at least one gateway and the at least one access point, wherein at least one user equipment is connected to the at least one access point through the at least one gateway.
  • The controller further determines whether an external channel quality of the at least one gateway is higher than a threshold; incompletely authenticates the at least one user equipment and controls the at least one access point to provide the at least one user equipment with a limited network access ability when the external channel quality is not higher than the threshold; estimates a future channel capacity of the at least one gateway; calculates a priority weight of each user equipment of the at least one user equipment according to that user equipment's authentication waiting time, number of authentication failures and at least one hop count between the at least one access point and the at least one gateway; and selects at least one candidate user equipment from the at least one user equipment based on the future channel capacity and the priority weight of the at least one candidate user equipment, and arranges a corresponding authentication mechanism for completely authenticating the at least one candidate user equipment at a time corresponding to the future channel capacity.
  • FIG. 1 is a block diagram illustrating a network system of a train.
  • FIG. 2 is a network system, according to an exemplary embodiment of the present disclosure.
  • FIG. 3 illustrates the flow chart of a method for post-authenticating at least one user equipment, according to an exemplary embodiment of the present disclosure.
  • FIG. 4 is a network system, according to an embodiment of the present disclosure.
  • FIG. 5 is a network system, according to another embodiment of the present disclosure.
  • The disclosure provides a method for post-authenticating at least one UE.
  • At least one access point may provide limited network access capabilities (such as limited bandwidth, traffic volume and time) to a UE that is incompletely authenticated, i.e. whose authentication process has not finished yet.
  • The method may arrange a mechanism to select, from the at least one UE, at least one candidate UE having a higher priority weight, and then allow that candidate UE to complete the authentication process at a proper time. The details are described below.
  • A channel quality may be characterized as, but is not limited to, a reference signal received power (RSRP), a carrier-to-interference-plus-noise ratio (CINR), a carrier-to-noise ratio (CNR), a signal-to-noise ratio (SNR) and/or a signal-to-interference-plus-noise ratio (SINR).
  • FIG. 2 is a network system, according to an exemplary embodiment of the present disclosure.
  • A network system 200 includes a controller 210, at least one gateway 220 and at least one access point 230.
  • The at least one access point 230 may be installed in a car of a train to serve the UEs in that car.
  • The at least one gateway 220 may be electrically connected to the access point 230, and the access point 230 may route data flows from user equipments 260_1 to 260_N (N is a positive integer) to a network 240.
  • The at least one gateway 220 may help the at least one access point 230 route authentication information to the authentication server 250 (for example, an AAA server).
  • The controller 210 of the network system 200 in FIG. 2 is connected, electrically or wirelessly, to the at least one gateway 220 and the at least one access point 230.
  • The controller 210 may be a software-defined networking (SDN) controller, which may include a storage unit 212 and a processing unit 214.
  • Storage unit 212 may be, but is not limited to, a memory, a hard disk, or any other element that can store data and/or record multiple codes or modules.
  • Processing unit 214 is electrically connected to the storage unit 212.
  • Processing unit 214 may be a general-purpose processor, a special-purpose processor, a conventional processor, a digital signal processor, a plurality of microprocessors, a microprocessor with one or more digital signal processors, a controller, a microcontroller, an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), any other kind of integrated circuit, a state machine, an Advanced RISC Machine (ARM) based processor, or the like.
  • The at least one access point 230 may have SDN switch features and may communicate with the controller 210 over an SDN-based communication protocol (for example, OpenFlow) to exchange information.
  • The SDN switch may also be implemented as a separate switch device outside the at least one access point 230 that relays communication between the access point 230 and the controller 210.
  • In this architecture, the data plane and the control plane are separated.
  • FIG. 2 also depicts a transmission path for data flow and control flow separately.
  • FIG. 2 shows only a single gateway 220 and a single access point 230 to illustrate the concepts of the present embodiment, but this is not to be construed as limiting the disclosed embodiments. In other embodiments, these technical features apply equally to network systems with multiple gateways and multiple access points.
  • The processing unit 214 may access the storage unit 212 and execute a determining module 212_1, a control module 212_2, an estimating module 212_3, a calculating module 212_4 and a selecting module 212_5 to carry out the method for post-authenticating at least one user equipment.
  • FIG. 3 illustrates a flow chart of a method for post-authenticating at least one user equipment, according to an exemplary embodiment of the present disclosure.
  • The method in FIG. 3 may be executed by the controller 210 of FIG. 2.
  • The details of the exemplary embodiment of FIG. 3 are explained below.
  • First, the determining module 212_1 may determine whether the external channel quality of the gateway 220 is higher than a threshold.
  • The external channel quality may be a channel quality (such as SNR) between the at least one gateway 220 and the network 240, and the threshold may be any value selected by the designer (e.g. 20 dB). The threshold may be preset, randomly selected, or transmitted via the network.
  • The at least one access point 230 may send user information (such as a media access control (MAC) address and an international mobile subscriber identity (IMSI)) to the controller 210 through OpenFlow, but is not limited thereto.
  • The designer may also derive the threshold from the channel quality that corresponds to a given channel capacity. For example, the designer may determine the channel capacity needed to transmit at least one authentication message and take the channel quality corresponding to that capacity as the threshold. In that case, an external channel quality higher than the threshold means that the corresponding channel capacity is sufficient to carry at least one authentication message. If the channel capacity corresponding to the external channel quality is sufficient to carry two authentication messages, the controller 210 may directly arrange for two of the user equipments 260_1 to 260_N (N ≥ 2 in this case) to authenticate with the authentication server 250. Conversely, an external channel quality not higher than the threshold may mean that the corresponding channel capacity is insufficient to transmit any authentication message.
  • In step S320, when the external channel quality is not higher than the threshold, the control module 212_2 may incompletely authenticate the user equipments 260_1 to 260_N and control the at least one access point 230 to provide them with limited network access capabilities.
  • That is, the control module 212_2 may allow unauthenticated or only partially authenticated user equipments 260_1 to 260_N to reach the Internet through network 240 via the at least one access point 230, but with limited network access abilities.
  • For example, an unauthenticated or partially authenticated user equipment 260_1 may, under the control of module 212_2, connect through access point 230 to network 240 and the Internet with limited abilities such as limited bandwidth, limited throughput or a limited time (e.g. 20 minutes), but is not limited thereto.
  • The disclosed method thus not only satisfies the demand of user equipment 260_1 to access the Internet, but also stops user equipment 260_1 from continuously trying to send authentication information while the external channel quality is poor.
  • The embodiments of the present disclosure may therefore reduce the probability of network congestion at the at least one gateway 220 and increase the Internet time available to unauthenticated or partially authenticated users.
  • Through steps S330 to S350, the method may select at least one candidate user equipment having a higher priority weight from the user equipments 260_1 to 260_N, and completely authenticate the at least one candidate user equipment at a proper time.
  • The estimating module 212_3 may estimate a future channel capacity of the at least one gateway 220.
  • A channel quality estimation model of the at least one gateway 220 may be built by the estimating module 212_3 from history information of the at least one gateway 220 and of the individual car.
  • The individual car history information includes, for example, the traveling route of the car or train and the traveling speeds on the various sections of that route.
  • The history information of the at least one gateway 220 includes, for example, the channel quality of the at least one gateway 220 previously measured along the traveling route of the car or train.
  • From this history the estimating module 212_3 may estimate the future channel quality of the at least one gateway 220 on each section of the route: it builds a mapping table from route section to channel quality out of the measured results, and this table is the channel quality estimation model of the at least one gateway 220. Because the route of the car or train and the locations of the surrounding stations are fixed, the mapping table is quite reliable. For other configurations of the gateway relative to the car or train (not shown), the estimating module 212_3 may build the channel quality estimation model on the basis of the foregoing teachings.
  • The estimating module 212_3 may obtain the current moving information of the train and use it to estimate the future moving information of the train.
  • The current moving information may include, but is not limited to, the current route section and the current traveling speed of the train, obtained from a satellite positioning system such as the global positioning system (GPS).
  • The future moving information of the train may include, but is not limited to, the future route section and the future traveling speed of the train.
  • Because the traveling route and the traveling speed of the train are generally predefined parameters, the estimating module 212_3 can easily derive the future route section and the future traveling speed once the current moving information is obtained.
  • The future channel capacity of the at least one gateway 220 at a time i, denoted C(i), is computed from the estimated channel quality at time i and B, the frequency range (bandwidth) of the at least one gateway 220.
  • The estimating module 212_3 may then divide C(i) by the size of one authentication message; the quotient, hereinafter referred to as j, is the number of authentication messages that the at least one gateway 220 can transmit at time i.
  • Equivalently, j is the number of user equipments that the at least one gateway 220 allows to attempt authentication at time i.
  • For example, if j is 4, the at least one gateway 220 allows four of the user equipments 260_1 to 260_N (N ≥ 4 in this case) to transmit their authentication information to the authentication server 250 at time i.
  • The calculating module 212_4 may calculate a priority weight for each of the user equipments 260_1 to 260_N according to that user equipment's authentication waiting time, number of authentication failures and at least one hop count between the at least one access point and the at least one gateway.
  • The n-th (1 ≤ n ≤ N) priority weight, that is, the priority weight of the n-th user equipment 260_n, may be characterized in terms of the following quantities:
  • w1 to w3 are weight values;
  • WT is the authentication waiting time of the n-th user equipment;
  • h is the at least one hop count between the at least one access point and the at least one gateway serving the n-th user equipment;
  • FT is the number of authentication failures of the n-th user equipment.
  • w1 to w3 may be, but are not limited to, any values (including zero) selected by the designer according to their demands, and may be preset, set randomly or transmitted via the Internet.
  • WT may be, but is not limited to, the time for which the n-th user equipment has been accessing network 240 with limited network access abilities.
  • h may be, but is not limited to, the number of devices traversed when the access point 230 transmits data to the at least one gateway 220.
  • In the configuration of FIG. 2, for example, h is 1.
  • FT counts the authentication failures, i.e. the attempts in which the n-th user equipment sent its authentication information but was not completely authenticated.
  • The priority weight of the n-th user equipment 260_n (n an integer with 1 ≤ n ≤ N) may also be characterized differently according to the designer's demands, for example by equations (3) to (9) of the disclosure.
  • The selecting module 212_5 may select at least one candidate user equipment from the user equipments 260_1 to 260_N based on the future channel capacity and the priority weight of the at least one candidate user equipment, and arrange a corresponding authentication mechanism for completely authenticating the at least one candidate user equipment at a time corresponding to the future channel capacity.
  • Specifically, the selecting module 212_5 may sort the user equipments 260_1 to 260_N in descending order of priority weight and calculate a specific number from the future channel capacity C(i) and the authentication information size; the specific number may be, but is not limited to, the future channel capacity divided by the authentication information size, i.e. j. The selecting module 212_5 then selects the first j user equipments in the sorted order as the at least one candidate user equipment.
  • In other words, the selecting module 212_5 selects the j user equipment(s) with the highest priority among the user equipments 260_1 to 260_N as the at least one candidate user equipment, and arranges an authentication mechanism for completely authenticating them at time i.
  • Once a candidate user equipment is completely authenticated, the selecting module 212_5 may control the at least one access point 230 to provide it with unlimited network capabilities.
  • A user equipment that has completed authentication may thus access network 240 with unlimited bandwidth, unlimited throughput, and without a time limit.
  • In summary, the controller 210 may temporarily allow the user equipments 260_1 to 260_N to access the network with limited network access abilities. Then, when the controller 210 estimates that the future channel quality will improve at time i, it may arrange authentication opportunities at that time for the at least one candidate user equipment having a higher priority weight to send its authentication information to the authentication server 250.
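  • The following is an added worked example, written for this page and not code from the patent or its assignees, that puts the steps above together in Python: the controller gates full authentication on the gateway's external SNR, predicts from a route history table when the train will next be on a section whose SNR clears the threshold, computes j as the floor of C(i) divided by the authentication message size, ranks the UEs by priority weight and picks the top j as candidates. The page does not reproduce the patent's capacity formula or its priority-weight equations, so two forms are assumed here: a Shannon-style C(i) = B · log2(1 + SNR) · slot length, and a linear weight w1·WT + w2·h + w3·FT. The route table, the UE records and every numeric parameter are constructed sample values.

```python
import math
from dataclasses import dataclass


@dataclass
class UE:
    """A user equipment as the controller sees it (MAC/IMSI arrive over OpenFlow)."""
    mac: str
    waiting_time_s: float   # WT: seconds already spent on limited access
    hop_count: int          # h: devices between its access point and the gateway
    failures: int           # FT: authentication attempts that did not complete


# Constructed route history standing in for the estimating module's mapping table:
# (section name, section length in km, SNR in dB previously measured on that section).
ROUTE = [
    ("S1", 5.0, 25.0),
    ("S2", 4.0, 8.0),    # tunnel: external SNR below the 20 dB threshold
    ("S3", 6.0, 22.0),
    ("S4", 3.0, 18.0),
]


def priority_weight(ue: UE, w1: float = 1.0, w2: float = 0.5, w3: float = 30.0) -> float:
    """Assumed linear form of the priority weight; w1..w3 are designer-chosen."""
    return w1 * ue.waiting_time_s + w2 * ue.hop_count + w3 * ue.failures


def capacity_bits(snr_db: float, bandwidth_hz: float, slot_s: float) -> float:
    """Assumed Shannon-style C(i): bits the gateway can carry in one scheduling slot."""
    return bandwidth_hz * math.log2(1.0 + 10 ** (snr_db / 10.0)) * slot_s


def auth_slots(snr_db: float, bandwidth_hz: float, slot_s: float, auth_msg_bits: int) -> int:
    """j = floor(C(i) / authentication message size)."""
    return int(capacity_bits(snr_db, bandwidth_hz, slot_s) // auth_msg_bits)


def section_index_at(route, current_idx: int, offset_km: float,
                     speed_kmh: float, seconds_ahead: float) -> int:
    """Route section the train will be on `seconds_ahead` from now.

    The route and speed are fixed, which is what makes the lookup predictable;
    `offset_km` is how far into the current section the train is (e.g. from GPS).
    """
    pos = offset_km + speed_kmh * seconds_ahead / 3600.0
    idx = current_idx
    while idx < len(route) - 1 and pos >= route[idx][1]:
        pos -= route[idx][1]
        idx += 1
    return idx


def plan(ues, route, current_idx: int, offset_km: float, speed_kmh: float, *,
         threshold_db: float = 20.0, bandwidth_hz: float = 1e6, slot_s: float = 0.01,
         auth_msg_bits: int = 20_000, horizon_slots: int = 10_000) -> dict:
    """One controller decision.

    If the present external SNR clears the threshold, j UEs authenticate now.
    Otherwise every UE stays on limited access and the first future slot i whose
    predicted SNR clears the threshold is chosen; the j highest-weight UEs are the
    candidates scheduled for full authentication at that slot.
    """
    ranked = sorted(ues, key=priority_weight, reverse=True)
    now_snr = route[current_idx][2]
    if now_snr > threshold_db:
        j = auth_slots(now_snr, bandwidth_hz, slot_s, auth_msg_bits)
        return {"mode": "authenticate_now", "slot": 0, "j": j,
                "candidates": [u.mac for u in ranked[:j]]}
    for i in range(1, horizon_slots + 1):
        idx = section_index_at(route, current_idx, offset_km, speed_kmh, i * slot_s)
        snr = route[idx][2]
        if snr > threshold_db:
            j = auth_slots(snr, bandwidth_hz, slot_s, auth_msg_bits)
            return {"mode": "limited_access", "slot": i, "j": j,
                    "candidates": [u.mac for u in ranked[:j]]}
    # No recovery inside the horizon: keep everyone on limited access, schedule nobody.
    return {"mode": "limited_access", "slot": None, "j": 0, "candidates": []}


# Constructed sample UEs; the MAC addresses are placeholders, not real devices.
SAMPLE_UES = [
    UE("02:00:00:00:00:01", 600.0, 1, 0),
    UE("02:00:00:00:00:02", 300.0, 2, 3),
    UE("02:00:00:00:00:03", 1200.0, 1, 1),
    UE("02:00:00:00:00:04", 60.0, 3, 0),
    UE("02:00:00:00:00:05", 900.0, 1, 2),
]

if __name__ == "__main__":
    # Train 1 km into tunnel section S2 at 280 km/h: limited access now, and the
    # three highest-weight UEs are scheduled for the slot in which it reaches S3.
    print(plan(SAMPLE_UES, ROUTE, 1, 1.0, 280.0))
```

  • With the sample values, a UE with three failed attempts but a short wait (260_2) ranks below one that has waited twenty minutes with a single failure (260_3), which is the trade-off the weights w1 and w3 encode; the choice of slot length and message size decides how many UEs share one recovery window, so those two parameters deserve the same scrutiny as the threshold itself.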
  • A network system may also control each access point individually to provide a user equipment with limited or unlimited network access ability, as shown in FIGS. 4-5.
  • In FIG. 4, a network system 400 includes a controller 410, a first access point 420_1 and a second access point 420_2 connected to an authentication server 440.
  • The first access point 420_1 is connected to an incompletely authenticated user equipment 430 and provides it with limited network access ability.
  • The first access point 420_1 may transfer the user information of user equipment 430 to the controller 410 via OpenFlow. Then, following the teachings above on arranging the authentication mechanism, the controller 410 may allow user equipment 430 to attempt authentication at a time i. The controller 410 may also use a control protocol to instruct user equipment 430 to switch its connection from the first access point 420_1 to the second access point 420_2 at time i, so that the authentication server 440 can completely authenticate the candidate user equipment 430 through the second access point 420_2.
  • The control protocol may be, but is not limited to, the access network discovery and selection function (ANDSF).
  • After authentication completes, the controller 410 may control the second access point 420_2 to provide unlimited network ability to user equipment 430, allowing it to access the network with, for example, unlimited bandwidth, unlimited throughput and no time limit.
  • The authentication server 440 may use a different scheme to authenticate user equipment 430 depending on its type.
  • For example, the authentication server 440 may authenticate user equipment 430 with the Extensible Authentication Protocol method for the subscriber identity module (EAP-SIM).
  • Alternatively, the authentication server 440 may authenticate user equipment 430 with EAP Authentication and Key Agreement (EAP-AKA).
  • a network system 500 includes a controller 510 and an authentication server 540 connected to a specific access point 520 .
  • the specific access point 520 may further include a first port and a second port (not shown).
  • the first port may be a default port that may provide a limited network ability to an incompletely authenticated user equipment 530 .
  • the specific access point 520 may transfers the user information of user equipment 530 to the controller 510 via the OpenFlow.
  • the controller 510 may allow the user equipment 530 attempts to be authenticated at a time i. Also, the controller 510 may inform the user equipment 530 via OpenFlow to switch the connecting from the first port to the second port at the time i, so that the authentication server 540 may completely authenticate the candidate user equipment 530 through the second port. After the authentication server 540 completely authenticates the user equipment 530 , the controller 510 may control the specific access point 520 to provide an unlimited network ability to the user equipment 530 , to allow the user equipment 530 to access the network with such as unlimited bandwidth, unlimited throughput, and without a time limit.
  • the first port may be characterized as a service set identifier (SSID) without a password.
  • the second port may be characterized as an SSID with a password.
  • the unauthenticated user equipment 530 will connect to the SSID corresponding to the first port.
  • the specific access point 520 informs the user equipment 530 to switch its connection to the second port.
  • the specific access point 520 may also inform the user equipment 530 of the password of the second port, to allow the user equipment 530 to switch its connection to the SSID of the second port.
  • the second port may be implemented as a hidden SSID with a password. That is, the unauthenticated user equipment 530 cannot find the second port in the SSID list visible from the first port, but the disclosed embodiments are not limited thereto.
  • the present disclosure provides a method for post-authenticating at least one user equipment, a controller and a network system thereof.
  • the controller may temporarily allow the at least one unauthenticated or partially authenticated user equipment to access the network with limited network access abilities. Then, when the controller estimates that the channel quality will improve at a future time, the controller may arrange authentication opportunities at that time for the at least one candidate user equipment having a higher priority to send its authentication information to the authentication server. Therefore, the embodiments of the present disclosure reduce the probability of network congestion occurring at the at least one gateway, and also increase the Internet time available to unauthenticated or partially authenticated users.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method for post-authenticating user equipment (UE), a controller and a network system are disclosed. The method includes: determining whether an external channel quality of at least one gateway is higher than a threshold when a UE connects to an access point (AP) routed by the gateway; when the external channel quality is not higher than the threshold, authenticating the UE incompletely and controlling the AP to limit the network capability provided to the UE; estimating a future channel capacity of the gateway; calculating a priority weight of each UE; selecting candidate UEs from the UEs according to the future channel capacity and the priority weight of each UE; and arranging an authentication mechanism for completely authenticating the candidate UEs at a timing point corresponding to the future channel capacity.

Description

    CROSS-REFERENCE TO RELATED APPLICATION
  • This application claims the priority benefits of Taiwan application serial no. 104120333, filed on Jun. 24, 2015. The entirety of the above-mentioned patent application is hereby incorporated by reference herein and made a part of this specification.
  • TECHNICAL FIELD
  • The present application relates to a method for post-authenticating at least one user equipment (UE), a controller and a network system thereof.
  • BACKGROUND
  • High-speed rail is one of the important transportation tools in many countries, such as the TGV in France, the ICE (Inter-City Express) in Germany, the Shinkansen in Japan, and Taiwan High Speed Rail. With the development of high-speed rail and the popularity of communication equipment, the demand for network access in fast-moving scenarios is rapidly increasing. In general, the highest speed of a high-speed-rail train is approximately 280 kilometers per hour. At such a speed, the variation of the signal quality within a short time is quite large. Furthermore, influenced by the Doppler effect, the decoding error rate at the receiving side increases. This makes user equipment (UE) frequently try to resend data when the network connection is interrupted. Generally, before a UE may access the Internet, the UE must be authenticated, for example by an authentication, authorization and accounting (AAA) server. However, if the authentication process fails due to network disconnection, the UE continuously tries to resend the authentication data to complete the authentication process.
  • FIG. 1 is a block diagram illustrating a network system of a train 100. The train 100 in FIG. 1 could be a train, a high-speed-rail train, or other transportation with a predictable traveling route and multiple cars. The train 100 may include five cars 100_1˜100_5. In this embodiment, the access points (APs) 102_1˜102_5 could be disposed respectively in cars 100_1˜100_5 of the train, and could respectively provide the passengers in cars 100_1˜100_5 with network access capabilities. For example, the access point 102_1 could allow the passengers in car 100_1 to access the network with mobile devices (such as mobile phones, tablet PCs, notebook computers or other similar devices), the access point 102_2 could provide the passengers in car 100_2 with network access, and likewise for the remaining access points 102_3˜102_5.
  • As shown in FIG. 1, the train 100 has only a single external gateway 104 (for example, a customer premise equipment (CPE) gateway), located in the car 100_3. The gateway 104 could be connected to the APs 102_1˜102_5 and act as the intermediary through which the APs 102_1˜102_5 communicate with the network 106. The network 106 could be, but is not limited to, Long-Term Evolution (LTE), worldwide interoperability for microwave access (WiMAX), a third generation (3G) mobile communication network, a fourth generation (4G) mobile communication network or other similar networks. Although FIG. 1 does not explicitly depict the configuration of the network 106, it is substantially based on communication standards and could be configured to include the corresponding network entities. For example, if the network 106 communicates with the gateway 104 via LTE, the network 106 may include an enhanced node B (eNB), a mobility management entity (MME), a serving gateway (S-GW), a packet data network gateway (P-GW) and other network entities, but is not limited thereto.
  • Since the train 100 has only a single external gateway 104, the channel quality between the gateway 104 and the network 106 changes rapidly while the train 100 is moving, and network disconnection occurs often. When the authentication process of a UE fails, the transmission queue of the external gateway is filled with authentication data, which could cause network congestion.
  • In addition, even if an additional redundant gateway like the gateway 104 were installed in car 100_3 to shunt the traffic of the gateway 104, the overall transmission efficiency still could not achieve a channel diversity gain, because the channel quality of the redundant gateway is similar to that of the gateway 104.
  • In the network topology of the well-known train, there is only a single external (outbound) gateway. As previously mentioned, when the authentication process of a UE fails, the transmission queue of the external gateway would be filled with authentication data, and network congestion could occur.
  • SUMMARY
  • The embodiments of the disclosure may provide a method for post-authenticating the at least one user equipment, a controller, and a network system thereof.
  • An embodiment of the disclosure relates to a method for post-authenticating at least one user equipment, adapted to a controller connected to at least one gateway. The method comprises: when the at least one user equipment is connected to at least one access point, determining whether an external channel quality of the at least one gateway is higher than a threshold; when the external channel quality is not higher than the threshold, incompletely authenticating the at least one user equipment and controlling the at least one access point to provide the at least one user equipment with a limited network access ability; estimating a future channel capacity of the at least one gateway; calculating a priority weight of each user equipment of the at least one user equipment according to the user equipment's authentication waiting time, number of authentication failures and at least one hop count between the at least one access point and the at least one gateway; and selecting at least one candidate user equipment from the at least one user equipment based on the future channel capacity and the priority weight of the at least one candidate user equipment, and arranging a corresponding authentication mechanism for completely authenticating the at least one candidate user equipment at a time corresponding to the future channel capacity.
  • Another embodiment of the disclosure relates to a controller. The controller comprises a storage unit storing multiple modules, and a processing unit connected to the storage unit, accessing and executing the multiple modules. The multiple modules include a determining module, a controlling module, an estimating module, a calculating module, and a selecting module. The determining module determines whether an external channel quality of at least one gateway is higher than a threshold, wherein at least one user equipment is connected to at least one access point through the at least one gateway. The controlling module incompletely authenticates the at least one user equipment, and controls the at least one access point to provide the at least one user equipment with a limited network access ability, wherein the external channel quality is not higher than the threshold. The estimating module estimates a future channel capacity of the at least one gateway. The calculating module calculates a priority weight of each user equipment of the at least one user equipment according to the user equipment's authentication waiting time, number of authentication failures and at least one hop count between the at least one access point and the at least one gateway. The selecting module selects at least one candidate user equipment from the at least one user equipment based on the future channel capacity and the priority weight of the at least one candidate user equipment, and arranges a corresponding authentication mechanism for completely authenticating the at least one candidate user equipment at a time corresponding to the future channel capacity.
  • Yet another embodiment of the disclosure relates to a network system. The network system comprises at least one gateway, at least one access point connected to the at least one gateway to access a network, and a controller connected to the at least one gateway and the at least one access point, wherein at least one user equipment is connected to the at least one access point through the at least one gateway. The controller further determines whether an external channel quality of the at least one gateway is higher than a threshold; incompletely authenticates the at least one user equipment, and controls the at least one access point to provide the at least one user equipment with a limited network access ability, wherein the external channel quality is not higher than the threshold; estimates a future channel capacity of the at least one gateway; calculates a priority weight of each user equipment of the at least one user equipment according to the user equipment's authentication waiting time, number of authentication failures and at least one hop count between the at least one access point and the at least one gateway; and selects at least one candidate user equipment from the at least one user equipment based on the future channel capacity and the priority weight of the at least one candidate user equipment, and arranges a corresponding authentication mechanism for completely authenticating the at least one candidate user equipment at a time corresponding to the future channel capacity.
  • The foregoing will become better understood from a careful reading of a detailed description provided herein below with appropriate reference to the accompanying drawings.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a block diagram illustrating a network system of a train.
  • FIG. 2 is a network system, according to an exemplary embodiment of the present disclosure.
  • FIG. 3 illustrates the flow chart of a method for post-authenticating at least one user equipment, according to an exemplary embodiment of the present disclosure.
  • FIG. 4 is a network system, according to an embodiment of the present disclosure.
  • FIG. 5 is a network system, according to another embodiment of the present disclosure.
  • DETAILED DESCRIPTION OF THE EMBODIMENTS
  • Below, exemplary embodiments will be described in detail so as to be easily realized by a person having ordinary knowledge in the art. The inventive concept may be embodied in various forms without being limited to the exemplary embodiments set forth herein. Descriptions of well-known parts are omitted for clarity, and like reference numerals refer to like elements throughout.
  • According to an embodiment, the disclosure provides a method for post-authenticating at least one UE. In the embodiment, while the channel quality of the at least one gateway is poor, at least one access point may provide limited network access capabilities (such as limited bandwidth, limited flow and limited time, etc.) to the at least one UE that is incompletely authenticated, for example because its authentication process has not finished yet. Further, the method may arrange a mechanism to select, from the at least one UE, at least one candidate UE having a higher priority weight to be authenticated, and then allow the at least one candidate UE to complete the authentication process at a proper time. The details are described in the following. In an exemplary embodiment, a channel quality may be characterized as a reference signal received power (RSRP), a carrier to interference plus noise ratio (CINR), a carrier to noise ratio (CNR), a signal to noise ratio (SNR) and/or a signal to interference plus noise ratio (SINR), but is not limited thereto.
  • FIG. 2 is a network system, according to an exemplary embodiment of the present disclosure. In this embodiment, a network system 200 includes a controller 210, at least one gateway 220 and at least one access point 230. The at least one access point 230 may also be disposed on a car of a train for serving the UEs of this car. The at least one gateway 220 may be electrically connected to the access point 230, and the access point 230 may route data flow from at least one user equipment 260_1˜260_N (N is a positive integer) to a network 240. In one embodiment, when the data from the user equipment is authentication information, the at least one gateway 220 may facilitate the at least one access point 230 to route the authentication information to the authentication server 250 (for example, an AAA server).
  • Unlike the well-known art shown in FIG. 1, the network system 200 in FIG. 2 includes a controller 210 connected, electrically or wirelessly, to the at least one gateway 220 and the at least one access point 230. In an embodiment, the controller 210 may be a software-defined networking (SDN) controller, which may include a storage unit 212 and a processing unit 214. The storage unit 212 may be, but is not limited to, a memory, a hard disk, or any other element that may be used to store data and/or record multiple codes or modules. The processing unit 214 is electrically connected to the storage unit 212. The processing unit 214 may be a general purpose processor, a special purpose processor, a conventional processor, a digital signal processor, a plurality of microprocessors, a microprocessor with one or more digital signal processor cores, a controller, a microcontroller, an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA), any other kind of integrated circuit, a state machine, an Advanced RISC Machine (ARM)-based processor, or the like.
  • In an embodiment, the at least one access point 230 may have SDN switch features, and may communicate with the controller 210 through an SDN-based communication protocol (for example, OpenFlow) to exchange information. In other embodiments, the SDN switch may also be implemented as a separate device outside the at least one access point 230, to allow the access point 230 to communicate with the controller 210. In SDN, the data plane and the control plane are separated. FIG. 2 also depicts separate transmission paths for the data flow and the control flow.
  • In addition, although FIG. 2 illustrates only a single gateway 220 and a single access point 230 in order to illustrate the concepts of the present embodiment, this is not to be construed as limiting the possible embodiments disclosed. In other embodiments, these technical features are equally applicable to network systems of the present disclosure with multiple gateways and multiple access points.
  • In this embodiment, the processing unit 214 may access the storage unit 212 and execute a determining module 212_1, a control module 212_2, an estimating module 212_3, a calculating module 212_4 and a selecting module 212_5, so as to perform the method for post-authenticating at least one user equipment.
  • FIG. 3 illustrates a flow chart of a method for post-authenticating at least one user equipment, according to an exemplary embodiment of the present disclosure. The method in FIG. 3 may be executed by the controller 210 of FIG. 2. With reference to the elements shown in FIG. 2, the details of the exemplary embodiment of FIG. 3 are explained in the following.
  • First, in step S310, when the at least one user equipment 260_1˜260_N connects to the at least one access point 230 routed by the at least one gateway 220, the determining module 212_1 may determine whether the external channel quality of the gateway 220 is higher than a threshold or not. The external channel quality may be, for example, a channel quality (such as SNR) between the at least one gateway 220 and the network 240, and the threshold may be an arbitrary value selected by the designer (e.g. 20 dB). This threshold may be preset, randomly selected, or transmitted via the network. In an embodiment, when the at least one user equipment 260_1˜260_N connects to the at least one access point 230, the at least one access point 230 may send the user information (such as a media access control (MAC) address and an international mobile subscriber identity (IMSI), etc.) to the controller 210 through OpenFlow, but is not limited thereto.
  • In an embodiment, the designer may also determine the threshold based on the channel quality corresponding to a channel capacity. For example, the designer may find a channel capacity sufficient for transmitting at least one piece of authentication data, and take the channel quality corresponding to that channel capacity as the threshold. In this case, when the external channel quality is higher than the threshold, the channel capacity corresponding to the external channel quality is sufficient to transmit at least one piece of authentication data. Assume that the channel capacity corresponding to the external channel quality is sufficient to transfer two pieces of authentication information; the controller 210 may then directly arrange for two of the user equipments 260_1˜260_N (in this case, N≧2) to authenticate with the authentication server 250. On the other hand, when the external channel quality is not higher than the threshold, the channel capacity corresponding to the external channel quality is insufficient to transmit any authentication information.
  • Thus, in step S320, when the external channel quality is not higher than the threshold, the control module 212_2 may incompletely authenticate the at least one user equipment 260_1˜260_N, and control the at least one access point 230 to provide the at least one user equipment 260_1˜260_N with limited network access capabilities. In other words, the control module 212_2 may allow unauthenticated or only partially authenticated user equipments 260_1˜260_N to connect to the network 240 and the Internet via the at least one access point 230 with limited network access abilities. Taking the user equipment 260_1 as an example, the unauthenticated or only partially authenticated user equipment 260_1 may, through the control module 212_2, connect to the network 240 and the Internet via the access point 230 with limited abilities (such as limited bandwidth, limited throughput or limited time (e.g. 20 minutes), but not limited thereto). Thus, the disclosed method not only satisfies the demand of the user equipment 260_1 to access the Internet, but also prevents the user equipment 260_1 from continuously trying to send authentication information while the external channel quality is poor. In other words, the embodiments of the present disclosure may reduce the probability of network congestion occurring at the at least one gateway 220, and also increase the Internet time available to unauthenticated or partially authenticated users.
  • Next, the method may select at least one candidate user equipment having a higher priority weight to be authenticated from the at least one user equipment 260_1˜260_N through steps S330˜S350, and completely authenticate the at least one candidate user equipment at a proper time.
  • In step S330, the estimating module 212_3 may estimate a future channel capacity of the at least one gateway 220. In an embodiment, the channel quality estimation model of the at least one gateway 220 may be built by the estimating module 212_3 based on history information of the at least one gateway 220 and individual history information of the car. The individual history information of the car includes, for example, a traveling route of a car or a train and the traveling speeds on various sections of this traveling route. The history information of the at least one gateway 220 includes, for example, the channel quality of the at least one gateway 220 previously measured along the traveling route of the car or the train.
  • From the aforementioned, it may be seen that the estimating module 212_3 may be used to estimate the future channel quality of the at least one gateway 220 on each section of the traveling route of the car or the train. Subsequently, the estimating module 212_3 may establish a mapping table of channel quality against section of the traveling route according to the measured results (that is, the channel quality estimation model of the at least one gateway 220). Because the traveling route of the car or the train and the locations of the surrounding stations are fixed, the mapping table is quite reliable. For other configurations of the gateway relative to the car or the train (not shown), the estimating module 212_3 may establish the channel quality estimation model on the basis of the foregoing teachings.
  • After the channel quality estimation model of the at least one gateway 220 has been established, the estimating module 212_3 may get current moving information of the train and use the current moving information to estimate the future moving information of the train. The current moving information may include, but not limited to the information of the current traveling section and the traveling speed of the train obtained from the satellite positioning system (global positioning system, GPS). The future moving information of the train may include, but not limited to the information of the future traveling section and future traveling speed of the train. The traveling route and the traveling speed of the train are generally predefined parameters, therefore, the estimating module 212_3 may easily get the future traveling route of the train and the future traveling speed of the train after the current moving information is obtained.
  • Then, the estimating module 212_3 may estimate the future channel quality of the at least one gateway 220 according to the future moving information and the channel quality estimation model. For example, the estimating module 212_3 may look up the mapping table according to the future traveling section and the future traveling speed, and obtain the channel quality (i.e., the future channel quality) for that traveling section. Thereafter, the estimating module 212_3 may derive the future channel capacity from the future channel quality of the at least one gateway 220. In an embodiment, assume that the signal to noise ratio at a time i (i is a positive integer) is denoted as SNR_i. The future channel capacity estimated by the estimating module 212_3 at the time i may be characterized as:

  • $C(i) = B \times \log_2(1 + \mathrm{SNR}_i)$  (1)
  • wherein B is the bandwidth (frequency range) of the at least one gateway 220.
  • The difference in authentication information size under the same authentication mechanism is small. Therefore, after the future channel capacity C(i) at the time i is calculated, the estimating module 212_3 may calculate the quotient of C(i) divided by the authentication information size (hereinafter referred to as j), to obtain the number of pieces of authentication information that the at least one gateway 220 may transmit at the time i. Namely, j is the number of user equipments that the at least one gateway 220 allows to attempt to complete authentication at the time i. Assume that j is 4; this means that the at least one gateway 220 allows four of the user equipments 260_1˜260_N (in this case, N≧4) to each transmit their own authentication information to the authentication server 250 at the time i.
  • In step S340, the calculating module 212_4 may calculate a priority weight of each user equipment of the at least one user equipment 260_1˜260_N according to the user equipment's authentication waiting time, number of authentication failures and at least one hop count between the at least one access point and the at least one gateway.
  • In an embodiment, an n-th (1≦n≦N) priority weight of the n-th user equipment 260_n may be characterized as:

  • $P(n) = w_1 \times WT + (1 - w_2 \times h) + (1 - w_3 \times FT)$  (2)
  • wherein w1 to w3 are weight values, WT is the authentication waiting time of the n-th user equipment, h is the at least one hop count between the at least one access point and the at least one gateway serving the n-th user equipment, and FT is the number of authentication failures of the n-th user equipment. w1 to w3 may be, but are not limited to, any values (including zero) selected by the designer according to their demands, which may be preset, set randomly or transmitted via the Internet. WT may be, but is not limited to, the time for which the n-th user equipment has accessed the network 240 with limited network access abilities. h may be, but is not limited to, the number of devices traversed while the access point 230 transmits data to the at least one gateway 220. Assume that the at least one access point 230 is connected directly to the at least one gateway 220; then h is 1. Assume that the at least one access point 230 is connected through two devices (for example, two other access points) to the at least one gateway 220; then h is 3. FT is the number of authentication failures, i.e., the number of times the n-th user equipment attempted to send its authentication information but failed to be completely authenticated.
  • In other embodiments, the n-th (n is an integer between 1 and N) priority weight of the user equipment 260_n may be, but is not limited to be, characterized according to the demands of the designer, for example by one of the following equations (3) to (9).

  • $P(n) = w_1 \times WT + w_2 \times h + (1 - w_3 \times FT)$  (3)

  • $P(n) = w_1 \times WT$  (4)

  • $P(n) = w_2 \times h$  (5)

  • $P(n) = (1 - w_3 \times FT)$  (6)

  • $P(n) = w_1 \times WT + w_2 \times h$  (7)

  • $P(n) = w_1 \times WT + (1 - w_3 \times FT)$  (8)

  • $P(n) = w_2 \times h + (1 - w_3 \times FT)$  (9)
  • In step S350, the selecting module 212_5 may select at least one candidate user equipment from the at least one user equipment 260_1˜260_N based on the future channel capacity and the priority weight of the at least one candidate user equipment, and arranges a corresponding authentication mechanism for completely authenticating the at least one candidate user equipment at a time corresponding to the future channel capacity.
  • In an embodiment, the selecting module 212_5 may sort the at least one user equipment 260_1˜260_N in descending order according to the priority weight of each user equipment, and calculate a specific number (hereinafter referred to as j) based on the future channel capacity C(i) and the authentication information size, wherein the specific number may be, but is not limited to, the future channel capacity divided by the authentication information size. Next, the selecting module 212_5 may select the specific number of leading user equipments in the sorted order from the at least one user equipment 260_1˜260_N as the at least one candidate user equipment. In other words, the selecting module 212_5 may select the j user equipment(s) having the highest priority from the at least one user equipment 260_1˜260_N as the at least one candidate user equipment. Next, the selecting module 212_5 may arrange an authentication mechanism for completely authenticating the at least one candidate user equipment at the time i.
  • When the at least one candidate user equipment completes the authentication, the selecting module 212_5 may control the at least one access point 230 to provide unlimited network capabilities to the at least one candidate user equipment. In other words, the user equipment after completing the authentication may access network 240 with unlimited bandwidth, unlimited throughput, and without a time limit.
  • Briefly, when the controller 210 determines that the external channel quality of the at least one gateway 220 is currently not good, the controller 210 may temporarily allow the at least one user equipment 260_1˜260_N to use limited network access abilities to access the network. Then, when the controller 210 estimates the future channel quality at time i will be improved, the controller 210 may arrange authentication opportunities for the at least one candidate user equipment having a higher priority weight to send the authentication information to the authentication server 250 at a proper time.
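As an added worked example (not code from the patent), the following Python carries steps S310 to S350 through on constructed sample UE data: equation (1) for C(i), j as the quotient of C(i) and the authentication information size, equation (2) for P(n), and selection of the j highest-priority UEs. It assumes SNR values are given in dB and converted to a linear ratio before equation (1), a fixed authentication information size in bits, and a constructed mapping table of route section to SNR standing in for the channel quality estimation model.

```python
"""Controller-side post-authentication scheduling (FIG. 3, steps S310-S350).

Added illustration, not the patent's own code. Assumptions not stated by the
page: SNR is in dB and converted to a linear ratio before equation (1); the
authentication information size is a fixed number of bits; C(i) is in bits per
second, so j counts authentications the gateway can carry at time i. All UE
records and the route table are constructed sample data.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class UE:
    name: str            # identifier reported by the AP over OpenFlow (e.g. MAC address)
    wait_time_s: float   # WT: seconds spent on limited access awaiting authentication
    hop_count: int       # h: devices traversed between its AP and the gateway
    failures: int        # FT: number of failed authentication attempts so far


# Constructed mapping table (channel quality estimation model): route section -> SNR in dB.
ROUTE_SNR_DB: Dict[str, float] = {"tunnel": 8.0, "open-plain": 20.0, "station": 14.0}

# Constructed sample UEs currently on limited access (step S320).
SAMPLE_UES: List[UE] = [
    UE("ue_a", wait_time_s=300, hop_count=1, failures=0),
    UE("ue_b", wait_time_s=120, hop_count=3, failures=2),
    UE("ue_c", wait_time_s=600, hop_count=1, failures=1),
    UE("ue_d", wait_time_s=80, hop_count=1, failures=0),
    UE("ue_e", wait_time_s=450, hop_count=3, failures=0),
]
WEIGHTS: Tuple[float, float, float] = (0.01, 0.1, 0.2)   # constructed w1, w2, w3


def channel_sufficient(current_snr_db: float, threshold_db: float) -> bool:
    """Step S310: the external channel quality must be strictly higher than the threshold."""
    return current_snr_db > threshold_db


def channel_capacity(bandwidth_hz: float, snr_db: float) -> float:
    """Equation (1): C(i) = B * log2(1 + SNR_i), with SNR_i as a linear ratio."""
    snr_linear = 10.0 ** (snr_db / 10.0)
    return bandwidth_hz * math.log2(1.0 + snr_linear)


def auth_slots(capacity_bps: float, auth_size_bits: float) -> int:
    """j = floor(C(i) / authentication information size)."""
    return int(capacity_bps // auth_size_bits)


def priority_weight(ue: UE, w1: float, w2: float, w3: float) -> float:
    """Equation (2): P(n) = w1*WT + (1 - w2*h) + (1 - w3*FT).

    A long wait raises priority; many hops and repeated failures lower it, so a
    UE that keeps failing does not monopolise the scarce gateway capacity.
    """
    return w1 * ue.wait_time_s + (1.0 - w2 * ue.hop_count) + (1.0 - w3 * ue.failures)


def select_candidates(ues: Sequence[UE], snr_db: float, bandwidth_hz: float,
                      auth_size_bits: float, weights=WEIGHTS) -> List[str]:
    """Steps S330-S350: compute j from the (future) SNR, rank UEs by P(n), take the top j."""
    j = auth_slots(channel_capacity(bandwidth_hz, snr_db), auth_size_bits)
    ranked = sorted(ues, key=lambda u: priority_weight(u, *weights), reverse=True)
    return [u.name for u in ranked[:j]]


def plan(ues: Sequence[UE], current_snr_db: float, threshold_db: float,
         future_section: str, bandwidth_hz: float, auth_size_bits: float):
    """Whole flow: authenticate now if the channel is good (S310), otherwise keep the
    UEs on limited access (S320) and schedule candidates for the future section."""
    if channel_sufficient(current_snr_db, threshold_db):
        return "authenticate_now", select_candidates(ues, current_snr_db, bandwidth_hz, auth_size_bits)
    future_snr_db = ROUTE_SNR_DB[future_section]          # mapping-table lookup (S330)
    return "post_authenticate", select_candidates(ues, future_snr_db, bandwidth_hz, auth_size_bits)


if __name__ == "__main__":
    mode, names = plan(SAMPLE_UES, current_snr_db=8.0, threshold_db=20.0,
                       future_section="open-plain", bandwidth_hz=1e6, auth_size_bits=1.5e6)
    print(mode, names)
```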
  • In other embodiments of the disclosure, the network system may be configured to control access points separately so as to provide the user equipment with the limited or the unlimited network access ability, as shown in FIGS. 4-5. Referring to the embodiment in FIG. 4, a network system 400 includes a controller 410, a first access point 420_1, and a second access point 420_2 connected to an authentication server 440. For example, the first access point 420_1 is connected to an incompletely authenticated user equipment 430, and provides a limited network access ability to the user equipment 430. As previously mentioned, when the user equipment 430 connects to the first access point 420_1, the first access point 420_1 may transfer the user information of the user equipment 430 to the controller 410 via OpenFlow. Then, according to the aforementioned teachings of the disclosure on arranging the authentication mechanism, the controller 410 may allow the user equipment 430 to attempt authentication at a time i. Also, the controller 410 may inform the user equipment 430, by using a control protocol, to switch its connection from the first access point 420_1 to the second access point 420_2 at the time i, so that the authentication server 440 may completely authenticate the candidate user equipment 430 through the second access point 420_2. The control protocol may be, but is not limited to, an access network discovery and selection function (ANDSF). After the authentication server 440 completely authenticates the user equipment 430, the controller 410 may control the second access point 420_2 to provide an unlimited network ability to the user equipment 430, allowing the user equipment 430 to access the network with, for example, unlimited bandwidth, unlimited throughput, and without a time limit.
  • In addition, the authentication server 440 may use a different scheme to authenticate the user equipment 430 according to the type of the user equipment 430. For example, when the user equipment 430 is a device running under the global system for mobile communications (GSM), the authentication server 440 may authenticate the user equipment 430 with the extensible authentication protocol (EAP) method for the subscriber identity module (SIM), i.e., EAP-SIM. For another example, when the user equipment 430 is a device running under the universal mobile telecommunications system (UMTS) standard, the authentication server 440 may authenticate the user equipment 430 with the EAP method for authentication and key agreement (AKA), i.e., EAP-AKA.
  • In other embodiments of the disclosure, the network system may also be configured to control a specific access point to provide the user equipment with the limited or unlimited network access ability concurrently. Referring to the embodiment in FIG. 5, a network system 500 includes a controller 510 and an authentication server 540 connected to a specific access point 520. The specific access point 520 may further include a first port and a second port (not shown). The first port may be a default port that provides a limited network ability to an incompletely authenticated user equipment 530. As previously mentioned, when the user equipment 530 connects to the first port, the specific access point 520 may transfer the user information of the user equipment 530 to the controller 510 via OpenFlow. Then, according to the aforementioned teachings on arranging the authentication mechanism of the disclosure, the controller 510 may allow the user equipment 530 to attempt authentication at a time i. Also, the controller 510 may inform the user equipment 530 via OpenFlow to switch its connection from the first port to the second port at the time i, so that the authentication server 540 may completely authenticate the candidate user equipment 530 through the second port. After the authentication server 540 completely authenticates the user equipment 530, the controller 510 may control the specific access point 520 to provide an unlimited network ability to the user equipment 530, allowing the user equipment 530 to access the network with, for example, unlimited bandwidth, unlimited throughput, and no time limit.
  • In an embodiment, the first port may be characterized as a service set identifier (SSID) without a password, and the second port may be characterized as an SSID with a password. In this case, the unauthenticated user equipment 530 connects to the SSID corresponding to the first port. When the specific access point 520 informs the user equipment 530 to switch its connection to the second port, the specific access point 520 may also inform the user equipment 530 of the password of the second port, allowing the user equipment 530 to switch its connection to the SSID of the second port. In other embodiments, the second port may be implemented as a hidden SSID with a password. That is, the unauthenticated user equipment 530 cannot find the second port in the list of SSIDs visible from the first port, but the disclosed embodiments are not limited thereto.
  • In summary, the present disclosure provides a method for post-authenticating at least one user equipment, a controller and a network system thereof. When the controller determines that the external channel quality of the at least one gateway is currently not good, the controller may temporarily allow the at least one unauthenticated or partially authenticated user equipment to access the network with limited network access abilities. Then, when the controller estimates that the future channel quality will improve at a certain time, the controller may arrange authentication opportunities for the at least one candidate user equipment having a higher priority to send its authentication information to the authentication server at that time. Therefore, the embodiments of the present disclosure reduce the probability of network congestion occurring at the at least one gateway, and also increase the Internet access time of the unauthenticated or partially authenticated users.
  • It will be apparent to those skilled in the art that various modifications and variations can be made to the disclosed embodiments. It is intended that the specification and examples be considered as exemplary embodiments only, with a scope of the disclosure being indicated by the following claims and their equivalents.

Claims (33)

What is claimed is:
1. A method for post-authenticating at least one user equipment, adapted to a controller connected to at least one gateway, comprising:
when the at least one user equipment is connected to at least one access point, determining whether an external channel quality of the at least one gateway is higher than a threshold;
incompletely authenticating the at least one user equipment, and controlling the at least one access point to provide the at least one user equipment with a limited network access ability, wherein the external channel quality is not higher than the threshold;
estimating a future channel capacity of the at least one gateway;
calculating a priority weight of each user equipment of the at least one user equipment according to an authentication waiting time of the user equipment, a number of authentication failures and at least one hop count between the at least one access point and the at least one gateway; and
selecting at least one candidate user equipment from the at least one user equipment based on the future channel capacity and the priority weight of the at least one candidate user equipment, and arranging a corresponding authentication mechanism for completely authenticating the at least one candidate user equipment at a time corresponding to the future channel capacity.
2. The method for post-authenticating the at least one user equipment of claim 1, wherein
the controller is a software-defined networking controller, and the controller, the at least one access point and the at least one gateway are configured on a train having a plurality of cars and a predictable traveling route.
3. The method for post-authenticating the at least one user equipment of claim 1, wherein estimating the future channel capacity of the at least one gateway further includes:
establishing a channel quality estimation model based on the at least one gateway and a car individual history information;
getting a current moving information of a car and estimating a future moving information of the car based on the current moving information;
estimating a future channel quality of the at least one gateway according to the future moving information and the channel quality estimation model; and
estimating the future channel capacity of the at least one gateway according to the future channel quality.
4. The method for post-authenticating the at least one user equipment of claim 1, wherein the future channel capacity at time i is:

C(i) = B × log2(1 + SNR_i)
wherein B is a frequency range of the at least one gateway, and SNR_i is a signal to noise ratio at time i.
5. The method for post-authenticating the at least one user equipment of claim 1, wherein the priority weight of an n-th user equipment of the at least one user equipment is characterized by:

P(n) = w1 × WT + (1 − w2 × h) + (1 − w3 × FT)
wherein w1 to w3 are weight values, WT is the authentication waiting time of the n-th user equipment, h is the at least one hop count between the at least one access point and the at least one gateway serving the n-th user equipment, and FT is the number of authentication failures of the n-th user equipment.
6. The method for post-authenticating the at least one user equipment of claim 1, wherein selecting the at least one candidate user equipment from the at least one user equipment based on the future channel capacity and the priority weight of the at least one candidate user equipment further includes:
sorting the at least one user equipment in descending order according to the priority weight of each user equipment;
calculating a specific number based on the future channel capacity and an authentication information size, wherein the specific number is the future channel capacity divided by the authentication information size; and
selecting the specific number of user equipment having the highest priority weights as the at least one candidate user equipment.
7. The method for post-authenticating the at least one user equipment of claim 1, wherein the at least one access point further includes a first port connected to the at least one user equipment incompletely authenticated, and the first port provides the limited network access ability to the at least one user equipment incompletely authenticated.
8. The method for post-authenticating the at least one user equipment of claim 7, wherein the at least one access point further includes a second port connected to an authentication server, and arranging the corresponding authentication mechanism for completely authenticating the at least one candidate user equipment at the time corresponding to the future channel capacity further includes:
switching the connection from the first port to the second port at the time by a control protocol, and the authentication server completely authenticates the at least one candidate user equipment through the second port.
9. The method for post-authenticating the at least one user equipment of claim 1, wherein the at least one access point includes a specific access point having a first port, and the first port provides the limited network access ability to the at least one user equipment which is incompletely authenticated and connected to the first port.
10. The method for post-authenticating the at least one user equipment of claim 9, wherein the specific access point further includes a second port connected to an authentication server, and arranging the corresponding authentication mechanism for completely authenticating the at least one candidate user equipment at the time corresponding to the future channel capacity further includes:
switching the connection from the first port to the second port at the time, and the authentication server completely authenticates the at least one candidate user equipment through the second port.
11. The method for post-authenticating the at least one user equipment of claim 1, wherein arranging the corresponding authentication mechanism for completely authenticating the at least one candidate user equipment further includes:
after authenticating the at least one candidate user equipment is finished, the at least one access point provides an unlimited network access capability to the at least one candidate user equipment.
12. A controller, comprising:
a storage unit, storing multiple modules; and
a processing unit, connected to the storage unit, accessing and executing the multiple modules, the multiple modules include:
a determining module, determining whether an external channel quality of at least one gateway is higher than a threshold, wherein at least one user equipment is connected to at least one access point through the at least one gateway;
a controlling module, incompletely authenticating the at least one user equipment, wherein the external channel quality is not higher than the threshold, and controlling the at least one access point to provide the at least one user equipment with a limited network access ability;
an estimating module, estimating a future channel capacity of the at least one gateway;
a calculating module, calculating a priority weight of each user equipment of the at least one user equipment according to an authentication waiting time of the user equipment, a number of authentication failures and at least one hop count between the at least one access point and the at least one gateway; and
a selecting module, selecting at least one candidate user equipment from the at least one user equipment based on the future channel capacity and the priority weight of the at least one candidate user equipment, and arranging a corresponding authentication mechanism for completely authenticating the at least one candidate user equipment at a time corresponding to the future channel capacity.
13. The controller of claim 12, wherein the controller is a software-defined networking controller, and the controller, the at least one access point and the at least one gateway are configured on a train having a plurality of cars and a predictable traveling route.
14. The controller of claim 12, wherein the estimating module further includes:
to establish a channel quality estimation model based on the at least one gateway and a car individual history information;
to get current moving information of a car and estimate future moving information of the car based on the current moving information;
to estimate a future channel quality of the at least one gateway according to the future moving information and the channel quality estimation model; and
to estimate the future channel capacity of the at least one gateway according to the future channel quality.
15. The controller of claim 12, wherein the future channel capacity at time i is:

C(i) = B × log2(1 + SNR_i)
wherein B is a frequency range of the at least one gateway, and SNR_i is a signal to noise ratio at time i.
16. The controller of claim 12, wherein the priority weight of an n-th user equipment of the at least one user equipment is characterized by:

P(n) = w1 × WT + (1 − w2 × h) + (1 − w3 × FT)
wherein w1 to w3 are weight values, WT is the authentication waiting time of the n-th user equipment, h is the at least one hop count between the at least one access point and the at least one gateway serving the n-th user equipment, and FT is the number of authentication failures of the n-th user equipment.
17. The controller of claim 12, wherein the selecting module further includes:
to sort the at least one user equipment in descending order according to the priority weight of each user equipment;
to calculate a specific number based on the future channel capacity and an authentication information size, wherein the specific number is the future channel capacity divided by the authentication information size; and
to select the specific number of user equipment having the highest priority weights as the at least one candidate user equipment.
18. The controller of claim 12, wherein the at least one access point further includes a first port connected to the at least one user equipment incompletely authenticated, and the first port provides the limited network access ability to the at least one user equipment incompletely authenticated.
19. The controller of claim 18, wherein the at least one access point further includes a second port connected to an authentication server, and the selecting module is configured to:
switch the connection from the first port to the second port at the time by a control protocol, and the authentication server completely authenticates the at least one candidate user equipment through the second port.
20. The controller of claim 12, wherein the at least one access point includes a specific access point having a first port, and the first port provides the limited network access ability to the at least one user equipment incompletely authenticated and connected to the first port.
21. The controller of claim 20, wherein the specific access point further includes a second port connected to an authentication server, and the selecting module is configured to:
switch the connection from the first port to the second port at the time, and the authentication server completely authenticates the at least one candidate user equipment through the second port.
22. The controller of claim 12, wherein the selecting module is further configured to:
provide, by the at least one access point, an unlimited network access capability to the at least one candidate user equipment, wherein authenticating the at least one candidate user equipment is finished.
23. A network system, comprising:
at least one gateway;
at least one access point, connected to the at least one gateway to access a network; and
a controller, connected to the at least one gateway and the at least one access point, wherein at least one user equipment is connected to the at least one access point through the at least one gateway, and the controller is further configured:
to determine whether an external channel quality of the at least one gateway is higher than a threshold;
to incompletely authenticate the at least one user equipment, and control the at least one access point to provide the at least one user equipment with a limited network access ability, wherein the external channel quality is not higher than the threshold;
to estimate a future channel capacity of the at least one gateway;
to calculate a priority weight of each user equipment of the at least one user equipment according to an authentication waiting time of the user equipment, a number of authentication failures and at least one hop count between the at least one access point and the at least one gateway; and
to select at least one candidate user equipment from the at least one user equipment based on the future channel capacity and the priority weight of the at least one candidate user equipment, and to arrange a corresponding authentication mechanism for completely authenticating the at least one candidate user equipment at a time corresponding to the future channel capacity.
24. The network system of claim 23, wherein the controller is a software-defined networking controller, and the controller, the at least one access point and the at least one gateway are configured on a train having a plurality of cars and a predictable traveling route.
25. The network system of claim 23, wherein the controller is configured:
to establish a channel quality estimation model based on the at least one gateway and a car individual history information;
to get current moving information of a car and estimate future moving information of the car based on the current moving information;
to estimate a future channel quality of the at least one gateway according to the future moving information and the channel quality estimation model; and
to estimate the future channel capacity of the at least one gateway according to the future channel quality.
26. The network system of claim 23, wherein the future channel capacity at time i is:

C(i) = B × log2(1 + SNR_i)
wherein B is a frequency range of the at least one gateway, and SNR_i is a signal to noise ratio at time i.
27. The network system of claim 23, wherein the priority weight of an n-th user equipment of the at least one user equipment is characterized by:

P(n) = w1 × WT + (1 − w2 × h) + (1 − w3 × FT)
wherein w1 to w3 are weight values, WT is the authentication waiting time of the n-th user equipment, h is the at least one hop count between the at least one access point and the at least one gateway serving the n-th user equipment, and FT is the number of authentication failures of the n-th user equipment.
28. The network system of claim 23, wherein the controller is further configured:
to sort the at least one user equipment in descending order according to the priority weight of each user equipment;
to calculate a specific number based on the future channel capacity and an authentication information size, wherein the specific number is the future channel capacity divided by the authentication information size; and
to select the specific number of user equipment having the highest priority weights as the at least one candidate user equipment.
29. The network system of claim 23, wherein the at least one access point further includes a first port connected to the at least one user equipment incompletely authenticated, and the first port provides the limited network access ability to the at least one user equipment incompletely authenticated.
30. The network system of claim 29, wherein the at least one access point further includes a second port connected to an authentication server, and the controller is configured to:
switch the connection from the first port to the second port at the time by a control protocol, and the authentication server completely authenticates the at least one candidate user equipment through the second port.
31. The network system of claim 23, wherein the at least one access point includes a specific access point having a first port, and the first port provides the limited network access ability to the at least one user equipment incompletely authenticated and connected to the first port.
32. The network system of claim 31, wherein the specific access point further includes a second port connected to an authentication server, and the controller is configured to:
switch the connection from the first port to the second port at the time, wherein the authentication server completely authenticates the at least one candidate user equipment through the second port.
33. The network system of claim 23, wherein the controller is configured to:
provide, by the at least one access point, an unlimited network access capability to the at least one candidate user equipment, after authenticating the at least one candidate user equipment is finished.
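The scheduling steps of claims 1 and 4 to 6 (capacity estimate, priority weight, ranking and candidate count) carried through in code, as an added example that is not part of the patent. The weight values, the per-interval capacity budget, the SNR unit helper, the function names and the sample user equipment are all assumptions made here; the patent gives the formulas but not these details.

```python
"""Priority-weighted post-authentication scheduling, following claims 1 and 4-6.

Added illustration, not code from the patent. Weight values, the scheduling
interval, the dB helper and the sample user equipment below are constructed.
"""
import math
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class UserEquipment:
    name: str
    waiting_time: float  # WT: seconds spent waiting for complete authentication
    hop_count: int       # h: hops between the serving access point and the gateway
    failures: int        # FT: number of failed authentication attempts so far


def channel_capacity(bandwidth_hz: float, snr_linear: float) -> float:
    """C(i) = B x log2(1 + SNR_i) (claim 4); bit/s when SNR is a linear ratio."""
    if snr_linear < 0:
        raise ValueError("SNR must be a non-negative linear ratio")
    return bandwidth_hz * math.log2(1.0 + snr_linear)


def snr_db_to_linear(snr_db: float) -> float:
    """Assumed helper: the claims do not state which unit SNR_i is given in."""
    return 10.0 ** (snr_db / 10.0)


def priority_weight(ue: UserEquipment, w1: float, w2: float, w3: float) -> float:
    """P(n) = w1 x WT + (1 - w2 x h) + (1 - w3 x FT) (claim 5).

    A longer wait raises priority; more hops and more failed attempts lower it.
    """
    return w1 * ue.waiting_time + (1.0 - w2 * ue.hop_count) + (1.0 - w3 * ue.failures)


def select_candidates(
    ues: Sequence[UserEquipment],
    capacity_bits_per_s: float,
    interval_s: float,
    auth_info_bits: int,
    weights: Tuple[float, float, float],
) -> List[UserEquipment]:
    """Claim 6: rank by priority weight, compute the 'specific number' the
    predicted capacity can carry, and take that many from the top of the ranking.

    The claim divides the future channel capacity by the authentication
    information size; here the bit/s capacity is multiplied by a scheduling
    interval (an assumption) so both operands are in bits.
    """
    if auth_info_bits <= 0:
        raise ValueError("authentication information size must be positive")
    ranked = sorted(ues, key=lambda u: priority_weight(u, *weights), reverse=True)
    budget_bits = capacity_bits_per_s * interval_s
    # Floor division: a partially transmitted authentication exchange is useless.
    specific_number = int(budget_bits // auth_info_bits)
    return ranked[:specific_number]


def schedule(ues, current_quality, threshold, future_snr_linear,
             bandwidth_hz, interval_s, auth_info_bits, weights) -> dict:
    """Claim 1 decision. Above the threshold nothing needs deferring; below it
    the UEs keep limited access and only the chosen candidates get a slot at
    the time the capacity is predicted to be available."""
    if current_quality > threshold:
        return {"action": "authenticate_now", "candidates": list(ues)}
    cap = channel_capacity(bandwidth_hz, future_snr_linear)
    chosen = select_candidates(ues, cap, interval_s, auth_info_bits, weights)
    return {"action": "limited_access_then_authenticate", "candidates": chosen}


# Constructed sample data: three UEs behind a train gateway with weak uplink.
SAMPLE_UES = [
    UserEquipment("ue-a", waiting_time=10, hop_count=1, failures=0),
    UserEquipment("ue-b", waiting_time=30, hop_count=3, failures=2),
    UserEquipment("ue-c", waiting_time=5, hop_count=2, failures=1),
]
WEIGHTS = (0.1, 0.2, 0.3)  # w1, w2, w3: constructed values

if __name__ == "__main__":
    plan = schedule(SAMPLE_UES, current_quality=5, threshold=10,
                    future_snr_linear=3.0, bandwidth_hz=1e6, interval_s=1.0,
                    auth_info_bits=800_000, weights=WEIGHTS)
    print(plan["action"], [u.name for u in plan["candidates"]])
```

With 1 MHz of bandwidth and a predicted linear SNR of 3 the capacity is exactly 2 Mbit/s, so two 800 kbit authentication exchanges fit in a one-second slot and ue-b (longest wait despite its failures) and ue-a are scheduled while ue-c keeps limited access.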

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
TW104120333 2015-06-24
TW104120333A 2015-06-24
TW104120333A TWI580224B (en) 2015-06-24 2015-06-24 Method for post-authenticating user equipment, controller and network system

Publications (2)

Publication Number Publication Date
US9532304B1 US9532304B1 (en) 2016-12-27
US20160381625A1 true US20160381625A1 (en) 2016-12-29

Family

ID=57589967

Family Applications (1)

Application Number Title Priority Date Filing Date
US14/979,565 Active US9532304B1 (en) 2015-06-24 2015-12-28 Method for post-authenticating user equipment, controller and network system

Country Status (4)

Country Link
US (1) US9532304B1 (en)
JP (1) JP6159788B2 (en)
CN (1) CN106304065B (en)
TW (1) TWI580224B (en)

Also Published As

Publication number Publication date
TWI580224B (en) 2017-04-21
US9532304B1 (en) 2016-12-27
JP6159788B2 (en) 2017-07-05
CN106304065B (en) 2019-08-16
TW201701620A (en) 2017-01-01
CN106304065A (en) 2017-01-04
JP2017011673A (en) 2017-01-12

Legal Events

Date Code Title Description
AS Assignment

Owner name: INDUSTRIAL TECHNOLOGY RESEARCH INSTITUTE, TAIWAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CHEN, JYH-CHENG;YANG, JEN-SHUN;LIN, YI-HAO;AND OTHERS;SIGNING DATES FROM 20151130 TO 20151201;REEL/FRAME:037380/0132

Owner name: NATIONAL CHIAO TUNG UNIVERSITY, TAIWAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CHEN, JYH-CHENG;YANG, JEN-SHUN;LIN, YI-HAO;AND OTHERS;SIGNING DATES FROM 20151130 TO 20151201;REEL/FRAME:037380/0132

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4