US20160381625A1 - Method for post-authenticating user equipment, controller and network system - Google Patents
Method for post-authenticating user equipment, controller and network system Download PDFInfo
- Publication number
- US20160381625A1 US20160381625A1 US14/979,565 US201514979565A US2016381625A1 US 20160381625 A1 US20160381625 A1 US 20160381625A1 US 201514979565 A US201514979565 A US 201514979565A US 2016381625 A1 US2016381625 A1 US 2016381625A1
- Authority
- US
- United States
- Prior art keywords
- user equipment
- gateway
- access point
- port
- controller
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 33
- 230000007246 mechanism Effects 0.000 claims abstract description 17
- 238000012545 processing Methods 0.000 claims description 6
- 230000006855 networking Effects 0.000 claims description 4
- SAZUGELZHZOXHB-UHFFFAOYSA-N acecarbromal Chemical compound CCC(Br)(CC)C(=O)NC(=O)NC(C)=O SAZUGELZHZOXHB-UHFFFAOYSA-N 0.000 claims 3
- 230000008569 process Effects 0.000 description 6
- 230000005540 biological transmission Effects 0.000 description 4
- 238000004891 communication Methods 0.000 description 3
- 238000013507 mapping Methods 0.000 description 3
- 238000012546 transfer Methods 0.000 description 3
- 238000010586 diagram Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 238000010295 mobile communication Methods 0.000 description 2
- 238000013475 authorization Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W48/00—Access restriction; Network selection; Access point selection
- H04W48/16—Discovering, processing access restriction or access information
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W48/00—Access restriction; Network selection; Access point selection
- H04W48/02—Access restriction performed under specific conditions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W60/00—Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
- H04W60/04—Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration using triggered events
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W64/00—Locating users or terminals or network equipment for network management purposes, e.g. mobility management
- H04W64/006—Locating users or terminals or network equipment for network management purposes, e.g. mobility management with additional information processing, e.g. for direction or speed determination
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W84/00—Network topologies
- H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
- H04W84/10—Small scale networks; Flat hierarchical networks
- H04W84/12—WLAN [Wireless Local Area Networks]
Definitions
- the present application relates to a method for post-authenticating at least one user equipment (UE), a controller and a network system thereof.
- UE user equipment
- High-Speed Rail is one of important transportation tools in many countries, such as TVG in France, ICE (Inter-City Express) in German, Shinkansen in Japan, and Taiwan High Speed Rail.
- ICE Inter-City Express
- Taiwan High Speed Rail With the development of the high-speed rail and the popularity of the communication equipment, the demands of the network are rapidly increasing in fast moving scenarios. In general, a highest speed of a train in the High-Speed Rail is approximate to 280 kilometers per hour. Under such a high moving speed, the variation of the signal quality within a short time would be quite large. And, influenced by the Doppler Effects, the decoding error rate at the receiving side would increase. This makes the User Equipment (UE) frequently try to resend data when the network connection is interrupted.
- UE User Equipment
- the UE Before an UE to access the Internet, the UE must accept an authentication, such as authenticated by an authentication authorization accounting (AAA) server. However, if an authentication process to authenticate the UE failed due to the network disconnection, the UE would continuously try to resend the authentication data to complete the authentication process.
- AAA authentication authorization accounting
- FIG. 1 is a block diagram illustrating a network system of a train 100 .
- the train 100 in FIG. 1 could be a train, a High-Speed Rail, or other transportation with a predictable traveling route and multi-cars.
- the rain 100 may include five cars 100 _ 1 ⁇ 100 _ 5 .
- the access points (APs) 102 _ 1 ⁇ 102 _ 5 could be disposed respectively to cars 100 _ 1 ⁇ 100 _ 5 in the train, and could respectively provide the passengers in cars 100 _ 1 ⁇ 100 _ 5 with network access capabilities.
- the access point 102 _ 1 could provide the passengers in 100 _ 1 car to access the network with mobile devices (such as mobile phones, tablet PCs, notebook computers or other similar devices), and access point 102 _ 2 could provide the passengers in car 100 _ 2 network access, and the remaining access points 102 _ 3 ⁇ 102 _ 5 likewise.
- mobile devices such as mobile phones, tablet PCs, notebook computers or other similar devices
- access point 102 _ 2 could provide the passengers in car 100 _ 2 network access, and the remaining access points 102 _ 3 ⁇ 102 _ 5 likewise.
- the train 100 disposed only a single External Gateway 104 (for example, a client device (Customer Premise Equipment, CPE) gateway) connected to the car 100 _ 3 .
- Gateway 104 could be connected to APs 102 _ 1 ⁇ 102 _ 5 , and as an intermediate access point to communicate with the network 106 between cars 102 _ 1 ⁇ 102 _ 5 .
- Network 106 could be, but not limited to long-range evolution (LTE), WiMAX (worldwide interoperability for microwave access, WiMAX), third generation mobile communication networks (3Gs), the fourth generation of mobile communication networks (4Gs) or other similar networks.
- LTE long-range evolution
- WiMAX worldwide interoperability for microwave access, WiMAX
- 3Gs third generation mobile communication networks
- 4Gs fourth generation of mobile communication networks
- network 106 may include an enhanced node B (eNB), a mobility management entity (MME), serving gateway (S-GW), and packet data network gateways (P-GW) and other network entities, but not limited thereto.
- eNB enhanced node B
- MME mobility management entity
- S-GW serving gateway
- P-GW packet data network gateways
- the train 100 has only a single External Gateway 104 , so that the channel quality between the gateways 104 and the network 106 would be changed rapidly when the train 100 was moving, and the situation of network disconnection would occur often.
- the transmission queue of the external gateway would be filled with the authentication data, and it could cause network congestion.
- the embodiments of the disclosure may provide a method for post-authenticating the at least one user equipment, a controller, and a network system thereof.
- An embodiment of the disclosure relates to a method for post-authenticating at least one user equipment, adapted to a controller connected to at least one gateway.
- the method comprises: the at least one user equipment is connected to at least an access point, determining whether an external channel quality of the at least one gateway is higher than a threshold; wherein the external channel quality is not higher than the threshold; incompletely authenticating the at least one user equipment, and controlling the at least one access point to provide the at least one user equipment with a limited network access ability, and the external channel quality is not higher than the threshold; estimating a future channel capacity of the at least one gateway; calculating a priority weight of each user equipment of the at least one user equipment according to the user equipment's an authentication waiting time, a number of authentication failures and at least one hop count between the at least one access point and the at least one gateways; and selecting at least one candidate user equipment from the at least one user equipment based on the future channel capacity and the priority weight of the at least one candidate user equipment, and arranging a corresponding authentication mechanism for completely authentic
- the controller comprises a storage unit storing multiple modules; and a processing unit connected to the storage unit, accessing and executing the multiple modules.
- the multiple modules include a determining module, a controlling module, an estimating module, a calculating module, and a selecting module.
- the determining module determines whether an external channel quality of at least one gateway is higher than a threshold, wherein at least one user equipment is connected to at least one access point through the at least one gateway.
- the controlling module incompletely authenticates the at least one user equipment, and controls the at least one access point to provide the at least one user equipment with a limited network access ability, wherein the external channel quality is not higher than the threshold.
- the estimating module estimates a future channel capacity of the at least one gateway.
- the calculating module calculates a priority weight of each user equipment of the at least one user equipment according to the user equipment's an authentication waiting time, a number of authentication failures and at least one hop count between the at least one access point and the at least one gateway.
- the selecting module selects at least one candidate user equipment from the at least one user equipment based on the future channel capacity and the priority weight of the at least one candidate user equipment, and arranges a corresponding authentication mechanism for completely authenticating the at least one candidate user equipment at a time corresponding to the future channel capacity.
- the network system comprises a at least one gateway, at least one access point connected to the at least one gateway to access a network, and a controller connected to the at least one gateway and the at least one access point, wherein at least one user equipment is connected to the at least one access point through the at least one gateway.
- the controller further determines whether an external channel quality of the at least one gateway is higher than a threshold; incompletely authenticates the at least one user equipment, and controls the at least one access point to provide the at least one user equipment with a limited network access ability, wherein the external channel quality is not higher than the threshold; estimates a future channel capacity of the at least one gateway; calculates a priority weight of each user equipment of the at least one user equipment according to the user equipment's an authentication waiting time, a number of authentication failures and at least one hop count between the at least one access point and the at least one gateway; and selects at least one candidate user equipment from the at least one user equipment based on the future channel capacity and the priority weight of the at least one candidate user equipment, and arranges a corresponding authentication mechanism for completely authenticating the at least one candidate user equipment at a time corresponding to the future channel capacity.
- FIG. 1 is a block diagram illustrating a network system of a train.
- FIG. 2 is a network system, according to an exemplary embodiment of the present disclosure.
- FIG. 3 illustrates the flow chart of a method for post-authenticating at least one user equipment, according to an exemplary embodiment of the present disclosure.
- FIG. 4 is a network system, according to an embodiment of the present disclosure.
- FIG. 5 is a network system, according to another embodiment of the present disclosure.
- the disclosure provides a method for post-authenticating at least one UE.
- at least one access point may provide limited network access capabilities (such as limited bandwidth, flow and time, etc.) to the at least one UE incompletely authenticated such as an authentication process has not been finished yet.
- the method may arrange a mechanism to select at least one candidate UE having a higher priority weight to be authenticated from the at least one UE, and then allows the at least one candidate UE to complete the authentication process at a proper time. The detailed will be described in the following.
- a channel quality may be but not limited to characterized as a reference signal received power (RSRP), a carrier to interference noise ratio (CINR), a carrier noise ratio (carrier to noise ratio, CNR), a signal to noise ratio (SNR) and/or a signal to interference noise ratio (SINR), but is not limited thereto.
- RSRP reference signal received power
- CINR carrier to interference noise ratio
- CNR carrier noise ratio
- SNR signal to noise ratio
- SINR signal to interference noise ratio
- FIG. 2 is a network system, according to an exemplary embodiment of the present disclosure.
- a network system 200 includes a controller 210 , at least one gateway 220 and at least one access point 230 .
- the at least one access point 230 may also be disposed on a car of a train for serving the UEs of this car.
- the at least one gateway 220 may be electrically connected to the access point 230 , and the access point 230 may route data flow from at least one user equipment 260 _ 1 ⁇ 260 _N (N is a positive integer) to a network 240 .
- the at least one gateway 220 may facilitate the at least one access point 230 to route the authentication information to the authentication server 250 (for example, an AAA server).
- the authentication server 250 for example, an AAA server
- the network system 200 in FIG. 2 includes a controller electrically connected or wireless connection to the at least one gateway 220 and the controller 210 .
- the controller 210 may be a software-defined networking (SDN) controller, which may include a storage unit 212 , and a processing unit 214 .
- Storage unit 212 may be, but not limited to a memory, a hard disk, or any other element that may be used to store data and/or record multiple codes or modules.
- Processing unit 214 is electrically connected to the storage unit 212 .
- Processing unit 214 may be a general purpose processor, a special purpose processor, a conventional processor, a digital signal processor, a plurality of microprocessors, a microprocessor with one or more digital signal processors, controller, microcontrollers, application-specific integrated circuit (ASIC), field programmable gate array circuits (FPGAs), any other kind of integrated circuits, a state machine, based on Advanced RISC Set machine (ARM) processor and similar articles.
- ASIC application-specific integrated circuit
- FPGAs field programmable gate array circuits
- the at least one access point 230 may have SDN switch features, and may communicate with the controller 210 by a SDN-based communication protocol (for example, OpenFlow) to exchange information.
- the SDN switch may also be implemented as a separate switch on the device outside the at least one access point 230 , to facilitate the access point 230 to communicate with the controller 210 .
- data plane and control plane are separated.
- FIG. 2 also depicts a transmission path for data flow and control flow separately.
- FIG. 2 illustrates only a single gateway 220 and a single access point 230 to illustrate the concepts of the present embodiment, but this is not construed as limiting the possible embodiments disclosed. In other embodiments, these technical features are equally applicable to the present disclosed network systems with multiple gateways and multiple access points.
- the processing unit 214 may access the storage unit 212 and executes a determining module 212 _ 1 , a control module 212 _ 2 , an estimating module 212 _ 3 , a calculating module 212 _ 4 and a selecting module 212 _ 5 and execute the method for post-authenticating at least one user equipment.
- FIG. 3 illustrates a flow chart of a method for post-authenticating at least one user equipment, according to an exemplary embodiment of the present disclosure.
- the method in FIG. 3 may be executed by the controller 210 of FIG. 2 .
- the controller 210 of FIG. 2 may be executed by the controller 210 of FIG. 2 .
- the detailed of the exemplary embodiment of FIG. 3 will be explained in the following.
- the determining module 212 _ 1 may determine whether the external channel quality of the gateway 220 is higher than a threshold or not.
- the external channel quality may be a channel quality (such as SNR) between at least one gateway 220 and the network 240 , and the threshold may be an arbitrary value selected by the designer (e.g. 20 dB). This threshold may be preset, randomly selected, or transmitted via the network.
- the at least one access point 230 may send the user information (such as a media access control (MAC) address and international mobile subscriber identity (IMSI), etc.) to the controller 210 through OpenFlow, but is not limited thereto.
- user information such as a media access control (MAC) address and international mobile subscriber identity (IMSI), etc.
- the designer may also determine the threshold based on the channel quality corresponding to a channel capacity. For example, designers may find out a channel capacity for sufficiently transmitting at least one authentication data, and determine the channel quality corresponding to the channel capacity as a threshold. In this case, when the external channel quality is higher than the threshold, it represents that the channel capacity corresponding to the external channel quality is sufficient to transmit at least one authentication data. Assume that the channel capacity corresponding to the external channel quality is sufficient to transfer two authentication information, the controller 210 may arrange directly two of user equipments 260 _ 1 ⁇ 260 _N (in the case, N ⁇ 2) to authenticate with the authentication server 250 . On the other hand, when the external channel quality is not higher than the threshold, it may represent that the channel capacity corresponding to the external channel quality is insufficient to transmit any authentication information.
- step S 320 when the external channel quality is not higher than the threshold, the control module 212 _ 2 may incompletely authenticate the at least one user equipment 260 _ 1 ⁇ 260 _N, and control the at least one access point 230 to provides the at least one user equipment 260 _ 1 ⁇ 260 _N limited network access capabilities.
- the control module 212 _ 2 may allow unauthenticated or only partially authenticated user equipment 260 _ 1 ⁇ 260 _N to connect the network 240 with the limited network access abilities to the Internet via the at least one access point 230 .
- unauthenticated or only partially authenticated user equipment 260 _ 1 may connect the network 240 with limited abilities (such as limited bandwidth, limited throughput or limited time (e.g. 20 minutes), but is not limited thereto) to the Internet via access point 230 through the control module 212 _ 2 .
- the disclosed method not only satisfies the demands of the user equipment 260 _ 1 to access the Internet, but also avoids the user equipment 260 _ 1 to continuously try to send authentication information under the condition of a poor external channels quality.
- the embodiments of the present disclosure may reduce the probability of occurring network congestion on the at least one gateway 220 , and also improve the Internet time for the unauthenticated or partially authenticated users.
- the method may select at least one candidate user equipment having a higher priority weight to be authenticated from the at least one user equipment 260 _ 1 ⁇ 260 _N through steps S 330 ⁇ S 350 , and completely authenticate the at least one candidate user equipment at a proper time.
- the estimating module 212 _ 3 may estimate a future channel capacity of the at least one gateway 220 .
- the channel quality estimation model of the at least one gateway 220 may be built by the estimating module 212 _ 3 based on the at least one gateway 220 and a car individual history information.
- the car individual history information includes, for example, a traveling route of a car or a train and traveling speeds of various sections on this traveling route.
- the history information for the at least one gateway 220 includes, for example, the channel quality of the at least one gateway 220 previously measured on the traveling route of the car or the train.
- the estimating module 212 _ 3 may be used to estimate the future channel quality of the at least one gateway 220 on each section on the traveling route of the car or the train. Subsequently, estimating module 212 _ 3 may establish a mapping table of channel quality relative to section on the traveling route according to the measured results (that is, the channel quality estimation model of the at least one gateway 220 ). Because the traveling route of the car or the train and the location of the surrounding station are fixed, therefore, the mapping table is quite reliable. For other configurations of the gateway relative to the car or the train (not shown), the estimating module 212 _ 3 may establish the channel quality estimation model on the basis of the foregoing teachings.
- the estimating module 212 _ 3 may get current moving information of the train and use the current moving information to estimate the future moving information of the train.
- the current moving information may include, but not limited to the information of the current traveling section and the traveling speed of the train obtained from the satellite positioning system (global positioning system, GPS).
- the future moving information of the train may include, but not limited to the information of the future traveling section and future traveling speed of the train.
- the traveling route and the traveling speed of the train are generally predefined parameters, therefore, the estimating module 212 _ 3 may easily get the future traveling route of the train and the future traveling speed of the train after the current moving information is obtained.
- B is a frequency range of the at least one gateway 220 .
- the estimating module 211 _ 3 may calculate the quotient of C(i) divided by the authentication information size (hereinafter referred to j), to get the number of the authenticate information that the at least one gateways 220 may transmit at time i.
- j is a number of user equipments trying to complete the authentication at the time i, and which is allowed by the at least one gateway 220 .
- j is 4, it means that the at least one gateway 220 allows four of the user equipments 260 _ 1 ⁇ 260 _Ns (in the case, N ⁇ 4) to respectively transmit its own authentication information to the authentication server 250 at time i.
- the calculating module 212 _ 4 may calculate a priority weight of each user equipment of the at least one user equipment 260 _ 1 ⁇ 260 _N according to the user equipment's an authentication waiting time, a number of authentication failures and at least one hop count between the at least one access point and the at least one gateway.
- an n-th (1 ⁇ n ⁇ N) priority weight of the n-th user equipment 260 _ n may be characterized as:
- w 1 to w 3 are weight values
- WT is the authentication waiting time of the n-th user equipment
- h is the at least one hop count between the at least one access point and the at least one gateway serving for the n-th user equipment
- FT is the number of the authentication failures for the n-th user equipment.
- w 1 To w 3 may be, but not limited to any value (including zero) selected by the designers based on their demands, which may be pre-set, set randomly or transmitted via the Internet.
- WT may be, but not limited to the time for the n-th user equipment to access network 240 with limited network access abilities.
- h may be, but not limited to the number of devices having been passed while the access point 230 transmits data to the at least one gateway 220 .
- h is 1.
- FT is a number of authentication failures such as the n-th user equipment attempting to send the authentication information but failing to be authenticated completely.
- the n-th (n is an integer of between 1 ⁇ N) priority weight of the user equipment 260 _ n may be, but not limited to characterized as the demands of the designers, such as the following equations (3) to (9).
- the selecting module 212 _ 5 may select at least one candidate user equipment from the at least one user equipment 260 _ 1 ⁇ 260 _N based on the future channel capacity and the priority weight of the at least one candidate user equipment, and arranges a corresponding authentication mechanism for completely authenticating the at least one candidate user equipment at a time corresponding to the future channel capacity.
- the selecting module 212 _ 5 may sort the at least one user equipment 260 _ 1 ⁇ 260 _N in a descending order according to the priority weight of each user equipment, and calculate a specific number based on the future channel capacity (i.e., C(i)) and an authentication information size (hereinafter referred to j), wherein the specific number may be, but not limited to the future channel capacity divided by the authentication information size; C(i) Next, the selecting module 212 _ 5 may select a specific number of preceding user equipments being sorted from the at least one user equipment 260 _ 1 ⁇ 260 _N as at least one candidate user equipment.
- the selecting module 212 _ 5 may select j user equipment(s) having a higher priority from the at least one user equipment 260 _ 1 ⁇ 260 _N as the at least one candidate user equipment. Next, the selecting module 212 _ 5 may arrange an authentication mechanism for completely authenticating the at least one candidate user equipment at a time.
- the selecting module 212 _ 5 may control the at least one access point 230 to provide unlimited network capabilities to the at least one candidate user equipment.
- the user equipment after completing the authentication may access network 240 with unlimited bandwidth, unlimited throughput, and without a time limit.
- the controller 210 may temporarily allow the at least one user equipment 260 _ 1 ⁇ 260 _N to use limited network access abilities to access the network. Then, when the controller 210 estimates the future channel quality at time i will be improved, the controller 210 may arrange authentication opportunities for the at least one candidate user equipment having a higher priority weight to send the authentication information to the authentication server 250 at a proper time.
- a network system 400 may be configured to control respectively the access point to provide the user equipment with the limited or unlimited network access ability, as shown in FIGS. 4-5 .
- a network system 400 includes a controller 410 , a first access point 420 _ 1 , and a second access point 420 _ 2 connected to an authentication server 440 .
- the first access point 420 _ 1 is connected to an incompletely authenticated user equipment 430 , and provides a limited access network ability to the user equipment 430 .
- the first access point 420 _ 1 may transfer the user information of user equipment 430 to the controller 410 via OpenFlow. Then, according to the aforementioned teachings in arranging the authentication mechanism of the disclosure, the controller 410 may allow the user equipment 430 attempts to be authenticated at a time i. Also, the controller 410 may inform the user equipment 430 by using a control protocol to switch the connecting from the first access point 420 _ 1 to the second access point 420 _ 2 at the time i, so that the authentication server may completely authenticate the candidate user equipment 430 through the second port 420 _ 2 .
- the control protocol may be, but not limited to a network search and selection mechanism (access network discovery and selection function, ANDSF).
- the controller 410 may control the second access point 420 _ 2 to provide an unlimited network ability to the user equipment 430 , to allow the user equipment 430 to access the network with such as unlimited bandwidth, unlimited throughput, and without a time limit.
- the authentication server 440 may have a different scheme to authenticate the user equipment 430 according to the type of the user equipment 430 .
- the authentication server 440 may base on the subscriber identification module (SIM) extensible authentication Agreement (EAP) (i.e., EAP-SIM) to authenticate the user equipment 430 .
- SIM subscriber identification module
- EAP-SIM extensible authentication Agreement
- the authentication server 440 may base on the security authentication and key distribution (Authentication and Key Agreement for, AKA) of EAP (i.e., EAP-AKA) to authenticate the user equipment 430 .
- AKA security authentication and key distribution
- a network system 500 includes a controller 510 and an authentication server 540 connected to a specific access point 520 .
- the specific access point 520 may further include a first port and a second port (not shown).
- the first port may be a default port that may provide a limited network ability to an incompletely authenticated user equipment 530 .
- the specific access point 520 may transfers the user information of user equipment 530 to the controller 510 via the OpenFlow.
- the controller 510 may allow the user equipment 530 attempts to be authenticated at a time i. Also, the controller 510 may inform the user equipment 530 via OpenFlow to switch the connecting from the first port to the second port at the time i, so that the authentication server 540 may completely authenticate the candidate user equipment 530 through the second port. After the authentication server 540 completely authenticates the user equipment 530 , the controller 510 may control the specific access point 520 to provide an unlimited network ability to the user equipment 530 , to allow the user equipment 530 to access the network with such as unlimited bandwidth, unlimited throughput, and without a time limit.
- the first port may be characterized as a service set identifier (SSID) without password
- the second port may be characterized as a service set identifier (SSID) with password.
- the unauthenticated user equipment 530 will connect to a SSID corresponding to the first port.
- the specific access point 520 informs the user equipment 530 to switch the connecting to the second port
- the specific access point 520 may also informs the user equipment 530 of the password of the second port, to allow the user equipment 530 to switch the connecting to the SSID of the second port.
- the second port may be implemented as a hidden SSID with password. That is, the unauthenticated user equipment 530 fails to find the information of the second port from a list of SSID of the first port, but the disclosed embodiments are not limited thereto.
- the present disclosure provides a method for post-authenticating at least one user equipment, a controller and a network systems thereof.
- the controller may temporarily allow the at least one unauthenticated or partially authenticated user equipment to use limited network access abilities to access the network. Then, when the controller estimates the future channel quality will be improved at a time, the controller may arrange authentication opportunities for the at least one candidate user equipment having a higher priority to send the authentication information to the authentication server at the time. Therefore, the embodiments of the present disclosure reduce the probability of occurring network congestion on the at least one gateway, and also improve the Internet time for the unauthenticated or partially authenticated users.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Mobile Radio Communication Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
- This application claims the priority benefits of Taiwan application serial no. 104120333, filed on Jun. 24, 2015. The entirety of the above-mentioned patent application is hereby incorporated by reference herein and made a part of this specification.
- The present application relates to a method for post-authenticating at least one user equipment (UE), a controller and a network system thereof.
- High-Speed Rail is one of important transportation tools in many countries, such as TVG in France, ICE (Inter-City Express) in German, Shinkansen in Japan, and Taiwan High Speed Rail. With the development of the high-speed rail and the popularity of the communication equipment, the demands of the network are rapidly increasing in fast moving scenarios. In general, a highest speed of a train in the High-Speed Rail is approximate to 280 kilometers per hour. Under such a high moving speed, the variation of the signal quality within a short time would be quite large. And, influenced by the Doppler Effects, the decoding error rate at the receiving side would increase. This makes the User Equipment (UE) frequently try to resend data when the network connection is interrupted. Generally, before an UE to access the Internet, the UE must accept an authentication, such as authenticated by an authentication authorization accounting (AAA) server. However, if an authentication process to authenticate the UE failed due to the network disconnection, the UE would continuously try to resend the authentication data to complete the authentication process.
-
FIG. 1 is a block diagram illustrating a network system of a train 100. The train 100 inFIG. 1 could be a train, a High-Speed Rail, or other transportation with a predictable traveling route and multi-cars. The rain 100 may include five cars 100_1˜100_5. In this embodiment, the access points (APs) 102_1˜102_5 could be disposed respectively to cars 100_1˜100_5 in the train, and could respectively provide the passengers in cars 100_1˜100_5 with network access capabilities. For example, the access point 102_1 could provide the passengers in 100_1 car to access the network with mobile devices (such as mobile phones, tablet PCs, notebook computers or other similar devices), and access point 102_2 could provide the passengers in car 100_2 network access, and the remaining access points 102_3˜102_5 likewise. - As shown in
FIG. 1 , the train 100 disposed only a single External Gateway 104 (for example, a client device (Customer Premise Equipment, CPE) gateway) connected to the car 100_3.Gateway 104 could be connected to APs 102_1˜102_5, and as an intermediate access point to communicate with thenetwork 106 between cars 102_1˜102_5. Network 106 could be, but not limited to long-range evolution (LTE), WiMAX (worldwide interoperability for microwave access, WiMAX), third generation mobile communication networks (3Gs), the fourth generation of mobile communication networks (4Gs) or other similar networks. AlthoughFIG. 1 is not explicitly depicted the configuration ofnetwork 106, but it is substantially based on communication standards and could be configured to include corresponding network entities. For example, if using the LTE network to communicate 106 and thegateway 104,network 106 may include an enhanced node B (eNB), a mobility management entity (MME), serving gateway (S-GW), and packet data network gateways (P-GW) and other network entities, but not limited thereto. - Since the train 100 has only a single
External Gateway 104, so that the channel quality between thegateways 104 and thenetwork 106 would be changed rapidly when the train 100 was moving, and the situation of network disconnection would occur often. When the authentication process of UE failed, the transmission queue of the external gateway would be filled with the authentication data, and it could cause network congestion. - In addition, even if an additional redundant Gateway was built in car 100_3 like
gateway 104 to shunt the traffic ofgateway 104, the overall transmission efficiency still could not reach the channel diverse effect because the channel quality of the redundant gateway is similar to that of thegateway 104. - In the network topology built by the well-known train, there is only one single configuration of an external (outbound) gateway. As previously mentioned, when the authentication process of an UE failed, the transmission queue of the external gateway will would be filled with the authentication data, and the phenomenon of network congestion could occurs.
- The embodiments of the disclosure may provide a method for post-authenticating the at least one user equipment, a controller, and a network system thereof.
- An embodiment of the disclosure relates to a method for post-authenticating at least one user equipment, adapted to a controller connected to at least one gateway. The method comprises: the at least one user equipment is connected to at least an access point, determining whether an external channel quality of the at least one gateway is higher than a threshold; wherein the external channel quality is not higher than the threshold; incompletely authenticating the at least one user equipment, and controlling the at least one access point to provide the at least one user equipment with a limited network access ability, and the external channel quality is not higher than the threshold; estimating a future channel capacity of the at least one gateway; calculating a priority weight of each user equipment of the at least one user equipment according to the user equipment's an authentication waiting time, a number of authentication failures and at least one hop count between the at least one access point and the at least one gateways; and selecting at least one candidate user equipment from the at least one user equipment based on the future channel capacity and the priority weight of the at least one candidate user equipment, and arranging a corresponding authentication mechanism for completely authenticating the at least one candidate user equipment at a time corresponding to the future channel capacity.
- Another embodiment of the disclosure relates to a controller. The controller comprises a storage unit storing multiple modules; and a processing unit connected to the storage unit, accessing and executing the multiple modules. The multiple modules include a determining module, a controlling module, an estimating module, a calculating module, and a selecting module. The determining module determines whether an external channel quality of at least one gateway is higher than a threshold, wherein at least one user equipment is connected to at least one access point through the at least one gateway. The controlling module incompletely authenticates the at least one user equipment, and controls the at least one access point to provide the at least one user equipment with a limited network access ability, wherein the external channel quality is not higher than the threshold. The estimating module estimates a future channel capacity of the at least one gateway. The calculating module calculates a priority weight of each user equipment of the at least one user equipment according to the user equipment's an authentication waiting time, a number of authentication failures and at least one hop count between the at least one access point and the at least one gateway. The selecting module selects at least one candidate user equipment from the at least one user equipment based on the future channel capacity and the priority weight of the at least one candidate user equipment, and arranges a corresponding authentication mechanism for completely authenticating the at least one candidate user equipment at a time corresponding to the future channel capacity.
- Yet another embodiment of the disclosure relates to a network system. The network system comprises a at least one gateway, at least one access point connected to the at least one gateway to access a network, and a controller connected to the at least one gateway and the at least one access point, wherein at least one user equipment is connected to the at least one access point through the at least one gateway. The controller further determines whether an external channel quality of the at least one gateway is higher than a threshold; incompletely authenticates the at least one user equipment, and controls the at least one access point to provide the at least one user equipment with a limited network access ability, wherein the external channel quality is not higher than the threshold; estimates a future channel capacity of the at least one gateway; calculates a priority weight of each user equipment of the at least one user equipment according to the user equipment's an authentication waiting time, a number of authentication failures and at least one hop count between the at least one access point and the at least one gateway; and selects at least one candidate user equipment from the at least one user equipment based on the future channel capacity and the priority weight of the at least one candidate user equipment, and arranges a corresponding authentication mechanism for completely authenticating the at least one candidate user equipment at a time corresponding to the future channel capacity.
- The foregoing will become better understood from a careful reading of a detailed description provided herein below with appropriate reference to the accompanying drawings.
-
FIG. 1 is a block diagram illustrating a network system of a train. -
FIG. 2 is a network system, according to an exemplary embodiment of the present disclosure. -
FIG. 3 illustrates the flow chart of a method for post-authenticating at least one user equipment, according to an exemplary embodiment of the present disclosure. -
FIG. 4 is a network system, according to an embodiment of the present disclosure. -
FIG. 5 is a network system, according to another embodiment of the present disclosure. - Below, exemplary embodiments will be described in detail so as to be easily realized by a person having ordinary knowledge in the art. The inventive concept may be embodied in various forms without being limited to the exemplary embodiments set forth herein. Descriptions of well-known parts are omitted for clarity, and like reference numerals refer to like elements throughout.
- According to an embodiment, the disclosure provides a method for post-authenticating at least one UE. In the embodiment, while the channel quality of the at least one gateway is poor, at least one access point may provide limited network access capabilities (such as limited bandwidth, flow and time, etc.) to the at least one UE incompletely authenticated such as an authentication process has not been finished yet. Further, the method may arrange a mechanism to select at least one candidate UE having a higher priority weight to be authenticated from the at least one UE, and then allows the at least one candidate UE to complete the authentication process at a proper time. The detailed will be described in the following. In an exemplary embodiment, a channel quality may be but not limited to characterized as a reference signal received power (RSRP), a carrier to interference noise ratio (CINR), a carrier noise ratio (carrier to noise ratio, CNR), a signal to noise ratio (SNR) and/or a signal to interference noise ratio (SINR), but is not limited thereto.
-
FIG. 2 is a network system, according to an exemplary embodiment of the present disclosure. In this embodiment, anetwork system 200 includes acontroller 210, at least onegateway 220 and at least oneaccess point 230. The at least oneaccess point 230 may also be disposed on a car of a train for serving the UEs of this car. The at least onegateway 220 may be electrically connected to theaccess point 230, and theaccess point 230 may route data flow from at least one user equipment 260_1˜260_N (N is a positive integer) to anetwork 240. In one embodiment, when the data from the user equipment is authentication information, the at least onegateway 220 may facilitate the at least oneaccess point 230 to route the authentication information to the authentication server 250 (for example, an AAA server). - Unlike the well-known art as shown in
FIG. 1 , thenetwork system 200 inFIG. 2 includes a controller electrically connected or wireless connection to the at least onegateway 220 and thecontroller 210. In an embodiment, thecontroller 210 may be a software-defined networking (SDN) controller, which may include astorage unit 212, and aprocessing unit 214.Storage unit 212 may be, but not limited to a memory, a hard disk, or any other element that may be used to store data and/or record multiple codes or modules.Processing unit 214 is electrically connected to thestorage unit 212.Processing unit 214 may be a general purpose processor, a special purpose processor, a conventional processor, a digital signal processor, a plurality of microprocessors, a microprocessor with one or more digital signal processors, controller, microcontrollers, application-specific integrated circuit (ASIC), field programmable gate array circuits (FPGAs), any other kind of integrated circuits, a state machine, based on Advanced RISC Set machine (ARM) processor and similar articles. - In an embodiment, the at least one
access point 230 may have SDN switch features, and may communicate with thecontroller 210 by a SDN-based communication protocol (for example, OpenFlow) to exchange information. In other embodiments, the SDN switch may also be implemented as a separate switch on the device outside the at least oneaccess point 230, to facilitate theaccess point 230 to communicate with thecontroller 210. In SDN, data plane and control plane are separated.FIG. 2 also depicts a transmission path for data flow and control flow separately. - In addition, although
FIG. 2 illustrates only asingle gateway 220 and asingle access point 230 to illustrate the concepts of the present embodiment, but this is not construed as limiting the possible embodiments disclosed. In other embodiments, these technical features are equally applicable to the present disclosed network systems with multiple gateways and multiple access points. - In this embodiment, the
processing unit 214 may access thestorage unit 212 and executes a determining module 212_1, a control module 212_2, an estimating module 212_3, a calculating module 212_4 and a selecting module 212_5 and execute the method for post-authenticating at least one user equipment. -
FIG. 3 illustrates a flow chart of a method for post-authenticating at least one user equipment, according to an exemplary embodiment of the present disclosure. The method inFIG. 3 may be executed by thecontroller 210 ofFIG. 2 . Combined with the elements shown inFIG. 2 , the detailed of the exemplary embodiment ofFIG. 3 will be explained in the following. - First, in step S310, when the at least one user equipment 260_1˜260_N connects to the at least one the
access point 230 routed by the at least onegateway 220, the determining module 212_1 may determine whether the external channel quality of thegateway 220 is higher than a threshold or not. The external channel quality, for example, may be a channel quality (such as SNR) between at least onegateway 220 and thenetwork 240, and the threshold may be an arbitrary value selected by the designer (e.g. 20 dB). This threshold may be preset, randomly selected, or transmitted via the network. In an embodiment, when the at least one user equipment 260_1˜260_N connects to the at least oneaccess point 230, the at least oneaccess point 230 may send the user information (such as a media access control (MAC) address and international mobile subscriber identity (IMSI), etc.) to thecontroller 210 through OpenFlow, but is not limited thereto. - In an embodiment, the designer may also determine the threshold based on the channel quality corresponding to a channel capacity. For example, designers may find out a channel capacity for sufficiently transmitting at least one authentication data, and determine the channel quality corresponding to the channel capacity as a threshold. In this case, when the external channel quality is higher than the threshold, it represents that the channel capacity corresponding to the external channel quality is sufficient to transmit at least one authentication data. Assume that the channel capacity corresponding to the external channel quality is sufficient to transfer two authentication information, the
controller 210 may arrange directly two of user equipments 260_1˜260_N (in the case, N≧2) to authenticate with theauthentication server 250. On the other hand, when the external channel quality is not higher than the threshold, it may represent that the channel capacity corresponding to the external channel quality is insufficient to transmit any authentication information. - Thus, in step S320, when the external channel quality is not higher than the threshold, the control module 212_2 may incompletely authenticate the at least one user equipment 260_1˜260_N, and control the at least one
access point 230 to provides the at least one user equipment 260_1˜260_N limited network access capabilities. In other words, the control module 212_2 may allow unauthenticated or only partially authenticated user equipment 260_1˜260_N to connect thenetwork 240 with the limited network access abilities to the Internet via the at least oneaccess point 230. Take user equipment 260_1 as an exemplar, unauthenticated or only partially authenticated user equipment 260_1 may connect thenetwork 240 with limited abilities (such as limited bandwidth, limited throughput or limited time (e.g. 20 minutes), but is not limited thereto) to the Internet viaaccess point 230 through the control module 212_2. Thus, the disclosed method not only satisfies the demands of the user equipment 260_1 to access the Internet, but also avoids the user equipment 260_1 to continuously try to send authentication information under the condition of a poor external channels quality. In other words, the embodiments of the present disclosure may reduce the probability of occurring network congestion on the at least onegateway 220, and also improve the Internet time for the unauthenticated or partially authenticated users. - Next, the method may select at least one candidate user equipment having a higher priority weight to be authenticated from the at least one user equipment 260_1˜260_N through steps S330˜S350, and completely authenticate the at least one candidate user equipment at a proper time.
- In step S330, the estimating module 212_3 may estimate a future channel capacity of the at least one
gateway 220. In an embodiment, the channel quality estimation model of the at least onegateway 220 may be built by the estimating module 212_3 based on the at least onegateway 220 and a car individual history information. The car individual history information includes, for example, a traveling route of a car or a train and traveling speeds of various sections on this traveling route. The history information for the at least onegateway 220 includes, for example, the channel quality of the at least onegateway 220 previously measured on the traveling route of the car or the train. - From the aforementioned, it may be seen that the estimating module 212_3 may be used to estimate the future channel quality of the at least one
gateway 220 on each section on the traveling route of the car or the train. Subsequently, estimating module 212_3 may establish a mapping table of channel quality relative to section on the traveling route according to the measured results (that is, the channel quality estimation model of the at least one gateway 220). Because the traveling route of the car or the train and the location of the surrounding station are fixed, therefore, the mapping table is quite reliable. For other configurations of the gateway relative to the car or the train (not shown), the estimating module 212_3 may establish the channel quality estimation model on the basis of the foregoing teachings. - After the channel quality estimation model of the at least one
gateway 220 has been established, the estimating module 212_3 may get current moving information of the train and use the current moving information to estimate the future moving information of the train. The current moving information may include, but not limited to the information of the current traveling section and the traveling speed of the train obtained from the satellite positioning system (global positioning system, GPS). The future moving information of the train may include, but not limited to the information of the future traveling section and future traveling speed of the train. The traveling route and the traveling speed of the train are generally predefined parameters, therefore, the estimating module 212_3 may easily get the future traveling route of the train and the future traveling speed of the train after the current moving information is obtained. - Then, the estimating module 212_3 may estimate the future channel quality of the at least one
gateway 220 according to the future moving information and the channel quality estimation model. For example, the estimating module 212_3 may look up the mapping table according to the future traveling section and the future traveling speed, and get the channel quality (i.e., future channel quality) relative to the traveling section. Thereafter, the estimating module 212_3 may get the future channel capacity according to the future channel quality of the at least onegateway 220. In an embodiment, assumed that the signal noise ratio at a time i (i is a positive integer) is denoted as SNRi. The future channel capacity estimated by the estimating module 212_3 at the time i may be characterized as: -
C(i)=B×log2+(1+SNRi) (1) - Wherein B is a frequency range of the at least one
gateway 220. - The difference of the authentication information size under a same authentication mechanism is small. Therefore, after the future channel capacity (i.e., C(i)) at the time i is calculated, the estimating module 211_3 may calculate the quotient of C(i) divided by the authentication information size (hereinafter referred to j), to get the number of the authenticate information that the at least one
gateways 220 may transmit at time i. Namely, j is a number of user equipments trying to complete the authentication at the time i, and which is allowed by the at least onegateway 220. Assume that j is 4, it means that the at least onegateway 220 allows four of the user equipments 260_1˜260_Ns (in the case, N≧4) to respectively transmit its own authentication information to theauthentication server 250 at time i. - In step S340, the calculating module 212_4 may calculate a priority weight of each user equipment of the at least one user equipment 260_1˜260_N according to the user equipment's an authentication waiting time, a number of authentication failures and at least one hop count between the at least one access point and the at least one gateway.
- In an embodiment, an n-th (1≦n≦N) priority weight of the n-th user equipment 260_n may be characterized as:
-
P(n)=w 1×WT+(1−w 2 h)+(1−w 3 ×FT) (2) - Wherein w1 to w3 are weight values, WT is the authentication waiting time of the n-th user equipment, h is the at least one hop count between the at least one access point and the at least one gateway serving for the n-th user equipment, FT is the number of the authentication failures for the n-th user equipment. w1 To w3 may be, but not limited to any value (including zero) selected by the designers based on their demands, which may be pre-set, set randomly or transmitted via the Internet. WT may be, but not limited to the time for the n-th user equipment to access
network 240 with limited network access abilities. h may be, but not limited to the number of devices having been passed while theaccess point 230 transmits data to the at least onegateway 220. Assume that the at least oneaccess point 230 is connected directly to the at least onegateway 220, then h is 1. Assume that the at least oneaccess point 230 is connected through two devices (for example, two other access points) to the at least onegateway 220, then the h is 3. FT is a number of authentication failures such as the n-th user equipment attempting to send the authentication information but failing to be authenticated completely. - In other embodiments, the n-th (n is an integer of between 1˜N) priority weight of the user equipment 260_n may be, but not limited to characterized as the demands of the designers, such as the following equations (3) to (9).
-
P(n)=w 1×WT+w 2 ×h+(1−w 3 ×FT) (3) -
P(n)=w 1×WT (4) -
P(n)=w 2 ×h (5) -
P(n)=(1−w 3 ×FT) (6) -
P(n)=w 1×WT+w 2 ×h (7) -
P(n)=w 1×WT+(1−w 3 ×FT) (8) -
P(n)=w 2 ×h+(1−w 3 ×FT) (9) - In step S350, the selecting module 212_5 may select at least one candidate user equipment from the at least one user equipment 260_1˜260_N based on the future channel capacity and the priority weight of the at least one candidate user equipment, and arranges a corresponding authentication mechanism for completely authenticating the at least one candidate user equipment at a time corresponding to the future channel capacity.
- In an embodiment, the selecting module 212_5 may sort the at least one user equipment 260_1˜260_N in a descending order according to the priority weight of each user equipment, and calculate a specific number based on the future channel capacity (i.e., C(i)) and an authentication information size (hereinafter referred to j), wherein the specific number may be, but not limited to the future channel capacity divided by the authentication information size; C(i) Next, the selecting module 212_5 may select a specific number of preceding user equipments being sorted from the at least one user equipment 260_1˜260_N as at least one candidate user equipment. In other words, the selecting module 212_5 may select j user equipment(s) having a higher priority from the at least one user equipment 260_1˜260_N as the at least one candidate user equipment. Next, the selecting module 212_5 may arrange an authentication mechanism for completely authenticating the at least one candidate user equipment at a time.
- When the at least one candidate user equipment completes the authentication, the selecting module 212_5 may control the at least one
access point 230 to provide unlimited network capabilities to the at least one candidate user equipment. In other words, the user equipment after completing the authentication may accessnetwork 240 with unlimited bandwidth, unlimited throughput, and without a time limit. - Briefly, when the
controller 210 determines that the external channel quality of the at least onegateway 220 is currently not good, thecontroller 210 may temporarily allow the at least one user equipment 260_1˜260_N to use limited network access abilities to access the network. Then, when thecontroller 210 estimates the future channel quality at time i will be improved, thecontroller 210 may arrange authentication opportunities for the at least one candidate user equipment having a higher priority weight to send the authentication information to theauthentication server 250 at a proper time. - In other embodiments of the disclosure, the network system may be configured to control respectively the access point to provide the user equipment with the limited or unlimited network access ability, as shown in
FIGS. 4-5 . Referring to the embodiment inFIG. 4 , anetwork system 400 includes acontroller 410, a first access point 420_1, and a second access point 420_2 connected to anauthentication server 440. For example, the first access point 420_1 is connected to an incompletely authenticateduser equipment 430, and provides a limited access network ability to theuser equipment 430. As previously mentioned, when theuser equipment 430 connects to the first access point 420_1, the first access point 420_1 may transfer the user information ofuser equipment 430 to thecontroller 410 via OpenFlow. Then, according to the aforementioned teachings in arranging the authentication mechanism of the disclosure, thecontroller 410 may allow theuser equipment 430 attempts to be authenticated at a time i. Also, thecontroller 410 may inform theuser equipment 430 by using a control protocol to switch the connecting from the first access point 420_1 to the second access point 420_2 at the time i, so that the authentication server may completely authenticate thecandidate user equipment 430 through the second port 420_2. The control protocol may be, but not limited to a network search and selection mechanism (access network discovery and selection function, ANDSF). After theauthentication server 440 completely authenticates theuser equipment 430, thecontroller 410 may control the second access point 420_2 to provide an unlimited network ability to theuser equipment 430, to allow theuser equipment 430 to access the network with such as unlimited bandwidth, unlimited throughput, and without a time limit. - In addition, the
authentication server 440 may have a different scheme to authenticate theuser equipment 430 according to the type of theuser equipment 430. For example, when theuser equipment 430 is a device running under a global system for mobiles, (GSM), theauthentication server 440 may base on the subscriber identification module (SIM) extensible authentication Agreement (EAP) (i.e., EAP-SIM) to authenticate theuser equipment 430. For another example, when theuser equipment 430 is a device running under the standard universal mobile telecommunications system (UMTS), theauthentication server 440 may base on the security authentication and key distribution (Authentication and Key Agreement for, AKA) of EAP (i.e., EAP-AKA) to authenticate theuser equipment 430. - In other embodiments of the disclosure, the network system may also be configured to control a specific access point to provide the user equipment with the limited or unlimited network access ability concurrently. Refer to the embodiment in
FIG. 5 , anetwork system 500 includes acontroller 510 and anauthentication server 540 connected to aspecific access point 520. Thespecific access point 520 may further include a first port and a second port (not shown). The first port may be a default port that may provide a limited network ability to an incompletely authenticateduser equipment 530. As previously mentioned, when theuser equipment 530 connects to the first port, thespecific access point 520 may transfers the user information ofuser equipment 530 to thecontroller 510 via the OpenFlow. Then, according to the aforementioned teachings in arranging the authentication mechanism of the disclosure, thecontroller 510 may allow theuser equipment 530 attempts to be authenticated at a time i. Also, thecontroller 510 may inform theuser equipment 530 via OpenFlow to switch the connecting from the first port to the second port at the time i, so that theauthentication server 540 may completely authenticate thecandidate user equipment 530 through the second port. After theauthentication server 540 completely authenticates theuser equipment 530, thecontroller 510 may control thespecific access point 520 to provide an unlimited network ability to theuser equipment 530, to allow theuser equipment 530 to access the network with such as unlimited bandwidth, unlimited throughput, and without a time limit. - In an embodiment, the first port may be characterized as a service set identifier (SSID) without password, and the second port may be characterized as a service set identifier (SSID) with password. In this case, the
unauthenticated user equipment 530 will connect to a SSID corresponding to the first port. When thespecific access point 520 informs theuser equipment 530 to switch the connecting to the second port, thespecific access point 520 may also informs theuser equipment 530 of the password of the second port, to allow theuser equipment 530 to switch the connecting to the SSID of the second port. In other embodiments, the second port may be implemented as a hidden SSID with password. That is, theunauthenticated user equipment 530 fails to find the information of the second port from a list of SSID of the first port, but the disclosed embodiments are not limited thereto. - In summary, the present disclosure provides a method for post-authenticating at least one user equipment, a controller and a network systems thereof. When the controller determines that the external channel quality of the at least one gateway is currently not good, the controller may temporarily allow the at least one unauthenticated or partially authenticated user equipment to use limited network access abilities to access the network. Then, when the controller estimates the future channel quality will be improved at a time, the controller may arrange authentication opportunities for the at least one candidate user equipment having a higher priority to send the authentication information to the authentication server at the time. Therefore, the embodiments of the present disclosure reduce the probability of occurring network congestion on the at least one gateway, and also improve the Internet time for the unauthenticated or partially authenticated users.
- It will be apparent to those skilled in the art that various modifications and variations can be made to the disclosed embodiments. It is intended that the specification and examples be considered as exemplary embodiments only, with a scope of the disclosure being indicated by the following claims and their equivalents.
Claims (33)
C(i)=B×log2(1+SNRi)
P(n)=w 1×WT+(1−w 2 h)+(1−w 3 ×FT)
C(i)=B×log2(1+SNRi)
P(n)=w 1×WT+(1−w 2 h)+(1−w 3 ×FT)
C(i)=B×log2(1+SNRi)
P(n)=w 1×WT+(1−w 2 h)+(1−w 3 ×FT)
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW104120333A | 2015-06-24 | ||
TW104120333A TWI580224B (en) | 2015-06-24 | 2015-06-24 | Method for post-authenticating user equipment, controller and network system |
TW104120333 | 2015-06-24 |
Publications (2)
Publication Number | Publication Date |
---|---|
US9532304B1 US9532304B1 (en) | 2016-12-27 |
US20160381625A1 true US20160381625A1 (en) | 2016-12-29 |
Family
ID=57589967
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/979,565 Active US9532304B1 (en) | 2015-06-24 | 2015-12-28 | Method for post-authenticating user equipment, controller and network system |
Country Status (4)
Country | Link |
---|---|
US (1) | US9532304B1 (en) |
JP (1) | JP6159788B2 (en) |
CN (1) | CN106304065B (en) |
TW (1) | TWI580224B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10631042B2 (en) | 2015-09-30 | 2020-04-21 | Sonifi Solutions, Inc. | Methods and systems for enabling communications between devices |
US10602212B2 (en) | 2016-12-22 | 2020-03-24 | Sonifi Solutions, Inc. | Methods and systems for implementing legacy remote and keystroke redirection |
WO2019127499A1 (en) * | 2017-12-29 | 2019-07-04 | 深圳市大疆创新科技有限公司 | Channel capacity prediction method and apparatus, wireless signal sending device and transmission system |
KR102063819B1 (en) * | 2018-02-01 | 2020-01-08 | 충북대학교 산학협력단 | System for controlling connectivity for wireless lan device based on software defined networks |
Family Cites Families (25)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2320162C (en) * | 1996-12-06 | 2011-08-03 | Immarsat Ltd | Communication method and apparatus |
JP2004193917A (en) * | 2002-12-11 | 2004-07-08 | Hitachi Ltd | Railroad information service system and mobile terminal used for same |
US7634252B2 (en) * | 2003-03-07 | 2009-12-15 | Computer Assocaites Think, Inc. | Mobility management in wireless networks |
WO2005008981A1 (en) * | 2003-07-03 | 2005-01-27 | Sinett Corporation | Apparatus for layer 3 switching and network address port translation |
US8677125B2 (en) * | 2005-03-31 | 2014-03-18 | Alcatel Lucent | Authenticating a user of a communication device to a wireless network to which the user is not associated with |
DE102006015033B4 (en) * | 2005-12-16 | 2016-07-07 | Siemens Aktiengesellschaft | Mobile station as a gateway for mobile terminals to an access network and method for network registration of the mobile station and the mobile terminals |
US7768952B2 (en) | 2006-08-18 | 2010-08-03 | WI-FI Rail, Inc. | System and method of wirelessly communicating with mobile devices |
US8073428B2 (en) * | 2006-09-22 | 2011-12-06 | Kineto Wireless, Inc. | Method and apparatus for securing communication between an access point and a network controller |
WO2008148191A2 (en) * | 2007-06-06 | 2008-12-11 | Boldstreet Inc. | Remote service access system and method |
CN101325801B (en) * | 2007-06-12 | 2013-05-01 | 北京三星通信技术研究有限公司 | Method and apparatus for locating business authentication and authorization examination in Winax network |
US20090028169A1 (en) * | 2007-07-27 | 2009-01-29 | Motorola, Inc. | Method and device for routing mesh network traffic |
US8050238B2 (en) | 2007-12-31 | 2011-11-01 | Motorola Mobility, Inc. | Method and apparatus for improving network access through multi-stage signaling |
US11477721B2 (en) * | 2008-02-22 | 2022-10-18 | Qualcomm Incorporated | Methods and apparatus for controlling transmission of a base station |
JP5241426B2 (en) * | 2008-10-22 | 2013-07-17 | 新日鐵住金株式会社 | Mobile body and communication method |
JP2011124781A (en) * | 2009-12-10 | 2011-06-23 | Nec Corp | Communication system and communication method |
US9526058B2 (en) * | 2010-02-10 | 2016-12-20 | Lantronix, Inc. | Smart roam system and method |
US8548465B2 (en) * | 2010-04-23 | 2013-10-01 | Apple Inc. | Methods and apparatus for providing dynamic information in a wireless information channel |
US8402530B2 (en) * | 2010-07-30 | 2013-03-19 | Microsoft Corporation | Dynamic load redistribution among distributed servers |
JP5437292B2 (en) * | 2011-02-22 | 2014-03-12 | 株式会社日立製作所 | Bandwidth control system |
US8806573B2 (en) | 2011-08-09 | 2014-08-12 | Cisco Technology, Inc. | Authentication control in low-power lossy networks |
EP2575393A2 (en) * | 2011-10-01 | 2013-04-03 | Institute for Imformation Industry | Base station and transmission path creation method thereof |
SG11201404097UA (en) | 2012-01-16 | 2014-08-28 | Agency Science Tech & Res | A wireless communication system and a method of controlling the same |
EP2663051A1 (en) * | 2012-05-07 | 2013-11-13 | Industrial Technology Research Institute | Authentication system for device-to-device communication and authentication method therefore |
MY169255A (en) * | 2012-11-16 | 2019-03-19 | Basf Se | An encapsulated particle |
US9973429B2 (en) | 2013-04-05 | 2018-05-15 | Futurewei Technologies, Inc. | Software defined networking (SDN) controller orchestration and network virtualization for data center interconnection |
-
2015
- 2015-06-24 TW TW104120333A patent/TWI580224B/en active
- 2015-09-17 CN CN201510594166.5A patent/CN106304065B/en active Active
- 2015-12-28 US US14/979,565 patent/US9532304B1/en active Active
- 2015-12-30 JP JP2015257718A patent/JP6159788B2/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN106304065A (en) | 2017-01-04 |
US9532304B1 (en) | 2016-12-27 |
JP2017011673A (en) | 2017-01-12 |
TW201701620A (en) | 2017-01-01 |
CN106304065B (en) | 2019-08-16 |
TWI580224B (en) | 2017-04-21 |
JP6159788B2 (en) | 2017-07-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20230397145A1 (en) | Mobility in Non-Public Networks | |
US9532304B1 (en) | Method for post-authenticating user equipment, controller and network system | |
EP4118926B1 (en) | Tunnel failure procedure, device and computer-readable medium | |
US20240073848A1 (en) | Network Slice in a Wireless Network | |
WO2022125747A1 (en) | State transition of wireless device | |
US20230328821A1 (en) | Modifying PDU Sessions In Underlay Networks | |
EP4315915A1 (en) | Resource allocation in non-public network | |
US20230276391A1 (en) | End-to-end latency measurement | |
US12010610B2 (en) | Support for tunneling | |
US20230309166A1 (en) | Asymmetric Channel | |
US20240114441A1 (en) | Network Access Management | |
US20220386401A1 (en) | Multiple Access | |
US20230422293A1 (en) | Network Slice Based Priority Access | |
US20240064626A1 (en) | Support For Network Service | |
US20230247548A1 (en) | Failure and Recovery of Electrical Supply Service For Wireless Communications | |
WO2024091565A1 (en) | Multiple paths | |
WO2024097304A1 (en) | Lossless path switching | |
WO2023129501A1 (en) | Channel symmetry for communication system | |
WO2024072952A2 (en) | Tracking area of mobile base station relay | |
WO2024072752A2 (en) | Mobility of mobile base station relay | |
WO2024097090A1 (en) | Media data reporting | |
CA3241934A1 (en) | Data unit processing |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: INDUSTRIAL TECHNOLOGY RESEARCH INSTITUTE, TAIWAN Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CHEN, JYH-CHENG;YANG, JEN-SHUN;LIN, YI-HAO;AND OTHERS;SIGNING DATES FROM 20151130 TO 20151201;REEL/FRAME:037380/0132 Owner name: NATIONAL CHIAO TUNG UNIVERSITY, TAIWAN Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CHEN, JYH-CHENG;YANG, JEN-SHUN;LIN, YI-HAO;AND OTHERS;SIGNING DATES FROM 20151130 TO 20151201;REEL/FRAME:037380/0132 |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 4 |