US20200367058A1 - Providing secure access for automatically on-boarded subscribers in wi-fi networks - Google Patents

Info

Publication number
US20200367058A1
Authority
US
United States
Prior art keywords
shared key
authentication request
network
private
data indicative
Prior art date
Legal status
Granted
Application number
US16/415,442
Other versions
US10820201B1 (en)
Inventor
Suja Thangaveluchamy
Niranjan Mallapura Mallikarjunaiah
Aries Kuttiyan
Sudhir Kumar Jain
Vijay Kumar Kothamasu
Ramachandra Murthy S
Current Assignee
Cisco Technology Inc
Original Assignee
Cisco Technology Inc
Legal events
Application filed by Cisco Technology Inc
Priority to US16/415,442 (patent US10820201B1)
Assigned to CISCO TECHNOLOGY, INC. (assignment of assignors' interest; assignors: JAIN, SUDHIR KUMAR; KOTHAMASU, VIJAY KUMAR; KUTTIYAN, ARIES; MALLIKARJUNAIAH, NIRANJAN MALLAPURA; MURTHY S, RAMACHANDRA; THANGAVELUCHAMY, SUJA)
Priority to US17/028,455 (patent US11051168B2)
Application granted
Publication of US10820201B1
Publication of US20200367058A1
Legal status: Active

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04W WIRELESS COMMUNICATION NETWORKS; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/0609
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/04031
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431 Key distribution or pre-distribution; Key agreement
    • H04W12/08 Access security

Definitions

  • the present disclosure relates to Wi-Fi networks and the automatic on-boarding of subscribers to such networks.
  • Wireless subscriber bases are rapidly increasing in size and this is particularly true in Wi-Fi® wireless local area networks. While this phenomenon is good for users and service providers, it results in new challenges, especially for the Wi-Fi service providers.
  • Configuring and provisioning of the user credentials to provide users with wireless local area network access presents real challenges, as does maintaining these credentials. These provisioning and maintaining tasks become even more difficult in public deployments where subscriber presence is dynamic.
  • the usual and/or manual provisioning techniques of the related art may not scale easily and may be difficult to sustain as a subscriber base increases. In other words, in large scale Wi-Fi deployments, particularly for service providers with large subscriber bases, it may be extremely difficult to provision and manage subscribers with traditional and manual related art procedures without compromising on security.
  • FIG. 1 is an illustration of a network environment configured to implement the secure and automatic onboarding of Wi-Fi network subscriber techniques of the present disclosure, according to example embodiments.
  • FIG. 2 is a first process flow associated with a first part of the techniques of the present disclosure, according to example embodiments.
  • FIG. 3 is a second process flow associated with a second part of the techniques of the present disclosure, according to example embodiments.
  • FIG. 4 is a process flow associated with a third part of the techniques of the present disclosure, according to example embodiments.
  • FIG. 5 is a flowchart providing a process flow for implementing the secure and automatic onboarding of Wi-Fi network subscriber techniques of the present disclosure, according to example embodiments.
  • FIG. 6 is a functional block diagram of an apparatus configured to implement the techniques of the present disclosure, according to example embodiments.
  • a default pre-shared key is provided from a first device to a second device.
  • the first device is configured to control network access to a network.
  • a first authentication request is obtained at the first device from a third device.
  • the first authentication request includes data indicative of the second device.
  • a first response to the first authentication request is provided from the first device to the third device.
  • the first response includes the default pre-shared key.
  • a second authentication request containing a private pre-shared key and the data indicative of the second device is obtained at the first device from the third device.
  • Stored data at the first device is updated in response to the second authentication request with the private pre-shared key and the data indicative of the second device to provision the first device to provide network access to the network to the second device.
  • the techniques of the present disclosure provide a mechanism to provision an authentication, authorization, and accounting (AAA) server with the private pre-shared keys of authenticated clients in a secure manner and to on-board subscribers automatically in Wi-Fi and/or wireless local area network (WLAN) deployments.
  • AAA authentication, authorization, and accounting
  • the techniques provide suitable mechanisms for both public and private Wi-Fi deployments.
  • AAA servers often require administrators and end-users to configure the credentials for Wi-Fi access.
  • Wi-Fi Protected Access 2 WPA2
  • IEEE 802.1x Standard for port-based Network Access Control
  • administrators may need to manually configure credentials, including a username, a password, and a passphrase.
  • the techniques of the present disclosure provide secure access for automatically on-boarding (e.g., configuring and/or provisioning) subscribers in Wi-Fi deployments.
  • the techniques of the present disclosure provide a mechanism to provision the private pre-shared key (sometimes referenced in the figures as an “aPSK”) of authenticated clients in a secure manner and to on-board subscribers automatically in Wi-Fi deployments.
  • aPSK private pre-shared key
  • FIG. 1 depicted therein is a network environment 100 that includes client devices 105 a - e (also referred to as stations (STAs)), an access point (AP) 110 , a wireless local area network controller (WLC) 115 and an AAA server 120 which are leveraged according to the techniques of the present disclosure to provide access to Wi-Fi network 125 .
  • client devices 105 a - e also referred to as stations (STAs)
  • AP access point
  • WLC wireless local area network controller
  • a default pre-shared key 130 is provided to client device 105 a via, for example, a social login application that communicates with AAA server 120 .
  • This default pre-shared key is used in a first Media Access Control (MAC) authentication procedure 135 . While this first authentication procedure 135 may be denied, it is leveraged to provide the AAA server 120 with the MAC address of the client device 105 a .
  • Pre-shared key negotiation 140 is then performed between client device 105 a and WLC 115 to generate a unique private pre-shared key 145 .
  • a second authentication procedure 150 is performed which provisions AAA server 120 with the unique private pre-shared key 145 for client device 105 a , automatically and securely provisioning AAA server 120 to permit client device 105 a to access Wi-Fi network 125 when media requests are subsequently made by client device 105 a.
  • a WLC may be configured with the WLAN name, also referred to as the service set identifier (SSID) for the WLAN, and with a configuration that includes a pre-shared-key to be used for MAC authentication and Web Authentication.
  • SSID service set identifier
  • Access points such as AP 110 , may connect or join to WLC 115 , download the configuration and start beaconing the configured SSID.
  • FIGS. 2-4 illustrate an example embodiment of a device association flow according to the techniques of the present disclosure. First and second portions of the process flow, illustrated in FIGS. 2 and 3 , autogenerate the unique private pre-shared keys and update or automatically provision the AAA server 120 securely. In other words, example embodiments provision private pre-shared keys back to an AAA server 120 in a secured manner.
  • the AAA server 120 may be auto provisioned with user credentials for the clients 105 a - e to join Wi-Fi network 125 automatically.
  • the third part of the process flow, illustrated in FIG. 4 , shows how a client device 105 a - e accesses Wi-Fi network 125 once AAA server 120 is auto-provisioned with the MAC address and private pre-shared key for the client device 105 a - e.
  • an application used to generate a private pre-shared key is installed on client device 205 .
  • This application may be integrated with a social login application 225 , such as “WeChat.”
  • Example embodiments of client device 205 may be mobile devices, such as smart phones or tablets, laptop computer devices, or desktop computer devices.
  • the application will perform social login authentication 235 with Social Login application 225 through the AAA server 220 .
  • Upon successful authentication of the user associated with client 205 in operation 240 , AAA server 220 maintains a username associated with the user of client device 205 in its memory, in operation 245 .
  • AAA server 220 may maintain stored data, such as a database of usernames and associated pre-shared keys that are used for providing access to Wi-Fi networks. Accordingly, an example of stored data after operation 245 is illustrated in Table 1, below. As illustrated, Table 1 includes usernames for client devices for which AAA server 220 has undergone the process of FIG. 2 . The remaining values in Table 1, i.e., the “Macaddress” and “Private PSK” data associated with respective “Usernames,” will be populated through the process illustrated in FIG. 3 , below.
  • AAA server 220 may also provide client 205 with a default pre-shared key in operation 250 , which may be used in the subsequent processing illustrated in FIG. 3 .
  • This default pre-shared key may be used to automatically provision AAA server 220 with the credentials, i.e., the “Macaddress” and “Private PSK” data, via which client 205 will access a particular WLAN or Wi-Fi network.
  • the process flow of FIG. 3 may be viewed as being broken into four stages: association stage 330 , a default pre-shared key stage 340 , a web authentication stage 350 , and a private pre-shared key update stage 360 .
  • client 205 detects the WLAN or Wi-Fi network (i.e., it detects the SSID broadcast by an access point, such as access point 110 of FIG. 1 , or by WLC 315 ).
  • Client 205 initiates an association request to WLC 315 , as illustrated in operation 332 .
  • WLC 315 receives the association request 332 and sends association response 333 back to client 205 .
  • WLC 315 also sends an access request 334 to AAA server 220 .
  • Access request 334 includes the MAC address for client 205 for use in the MAC Authentication performed by AAA server 220 . As this is the first access request sent on behalf of client 205 , the MAC address for client 205 may not have been registered with AAA server 220 . Therefore, AAA server 220 sends access reject 335 back to WLC 315 . Included in access reject 335 is the default pre-shared key previously provided to client 205 , as illustrated in operation 250 of FIG. 2 .
  • WLC 315 uses the default pre-shared key received with the access reject 335 from the AAA server to perform pre-shared key negotiation 342 .
  • Client 205 is already aware of the default pre-shared key due to the pre-configuration thereof performed as illustrated in FIG. 2 .
  • client 205 learns the Internet Protocol (IP) address for WLC 315 in operation 344 , and a session key and a broadcast key are generated in operation 346 .
  • IP Internet Protocol
  • client 205 makes a web request 352 to WLC 315 .
  • this web request may be made via the application used in FIG. 2 to acquire the default pre-shared key.
  • Client 205 may attempt to browse to some default page (such as Google's default search page) via the application.
  • the web request is redirected to the IP address for WLC 315 in operation 354 .
  • client 205 may auto generate (e.g., via the application) a random private pre-shared key.
  • a web page may be provided to client 205 for entry of a username and/or password.
  • Client 205 may provide the username and generated private pre-shared key (e.g., automatically via the application) and post the web-authentication page back to WLC 315 in operation 356 .
  • the process then moves to the private pre-shared key update stage 360 .
  • WLC 315 fetches the username and private pre-shared key from operation 356 and sends these to AAA server 220 via access update request 362 .
  • access update request 362 includes the MAC address for client 205 .
  • AAA server 220 searches its stored data or database using the username (e.g., as a primary key where the stored data is embodied as a database) and provisions the stored data with the given MAC address and private pre-shared key. For example, in operation 245 of FIG. 2 , AAA server 220 updated the username for client 205 in its stored data.
  • When AAA server 220 searches its stored data in operation 363 based upon the username, the data associated with the username may be updated with the private pre-shared key and MAC address for client 205 .
  • the AAA server then sends back access accept 364 to WLC 315 . Accordingly, AAA server 220 has been automatically provisioned with the credentials (e.g., username, private pre-shared key and MAC address) for client 205 .
  • This private pre-shared key is generated and provided to each element in the network environment in a secure manner.
  • the private pre-shared key is first provisioned at client 205 , then provisioned to an access point (if present), from the access point the private pre-shared key is provisioned to WLC 315 , and finally, the private pre-shared key is provisioned to AAA server 220 . This path is completely secured.
  • the path between client 205 and an access point may be secured using the pre-shared key.
  • the path between the access point and WLC 315 may be secured using, for example, a Datagram Transport Layer Security (DTLS) connection.
  • the path between WLC 315 and AAA server 220 may be secured using, for example, an Internet Protocol Security (IPsec) connection or RADIUS over TLS (RadSec). Hence the complete path between client 205 and AAA server 220 is secured.
  • IPsec Internet Protocol Security
  • RADIUS Remote Authentication Dial-In User Service
  • Illustrated below in Table 2 is an example AAA database table, illustrating example entries after the successful private pre-shared key update stage has completed, with the username as the primary key.
  • Upon receiving access accept 364 from AAA server 220 , WLC 315 de-authenticates client 205 via de-authentication request 365 . Client 205 sends de-authentication response 366 . This de-authentication forces client 205 to re-join WLC 315 using the private pre-shared key, as illustrated with reference to FIG. 4 below.
  • FIG. 4 depicted therein is the process via which client 205 re-authenticates to WLC 315 so that client 205 may begin utilizing the Wi-Fi network or WLAN.
  • the process of FIG. 4 begins when client 205 uses the private pre-shared key generated in operation 346 of FIG. 3 to send association request 402 .
  • WLC 315 sends association response 404 back to client 205 and also sends access request 406 to AAA server 220 .
  • Access request 406 includes the MAC address for client 205 .
  • AAA server 220 searches its stored data in operation 408 based on the MAC address of client 205 and returns access accept 410 with the already provisioned private pre-shared key found against the MAC address for client 205 .
  • access is now granted to client 205 because AAA server 220 was previously provisioned with the private pre-shared key, username and MAC address of client 205 in operation 363 of FIG. 3 .
  • This grant of access may be contrasted with the access denial of operation 335 of FIG. 3 from prior to the provisioning of operation 363 , also of FIG. 3 .
  • WLC 315 and client 205 perform pre-shared key negotiation 412 based upon the private pre-shared key to generate a session key and a broadcast key. From this point onwards, traffic between client 205 and WLC 315 (or an access point, such as access point 110 of FIG. 1 ) would be encrypted using these keys.
  • once client 205 receives the appropriate IP address for messages sent via the WLAN or Wi-Fi network from, for example, a Dynamic Host Configuration Protocol (DHCP) server, client 205 and WLC 315 communicate in run state 416 . Accordingly, client 205 is now provided access to the WLAN or Wi-Fi environment that AAA server 220 controls.
  • DHCP Dynamic Host Configuration Protocol
  • FIG. 5 depicted therein is a flowchart 500 illustrating a process flow for performing an example embodiment of the techniques of the present disclosure.
  • the process flow of FIG. 5 begins in operation 505 where a default pre-shared key is provided from a first device to a second device.
  • the first device is configured to authenticate client devices to a network.
  • the first device may be embodied as an AAA server, such as AAA server 120 of FIG. 1 or AAA server 220 of FIGS. 2-4 .
  • the second device may be embodied as a client device, such as one or more of client devices 105 a - e of FIG. 1 and/or client device 205 of FIGS. 2-4 .
  • the default pre-shared key may be provided to the second device via, for example, a social login application, as illustrated in FIG. 2 .
  • a first authentication request is obtained at the first device from a third device.
  • the authentication request includes data indicative of the second device.
  • Operation 510 may be embodied as, for example, access request 334 of FIG. 3 .
  • the data indicative of the second device may be embodied as a MAC address for the second device, also as shown in access request 334 of FIG. 3 .
  • a first response to the first authentication request is provided to the third device from the first device.
  • the first response includes the default pre-shared key.
  • the first response may be embodied as access reject 335 of FIG. 3 .
  • a second authentication request is obtained at the first device from the third device.
  • This second authentication request includes a private pre-shared key and data indicative of the second device.
  • the second authentication request may be embodied as access request 362 of FIG. 3 , with the data indicative of the second device being embodied as one or more of the username or MAC address associated with client 205 of FIGS. 2-4 .
  • the private pre-shared key may be generated through a negotiation process between the second device and third device, such as pre-shared key negotiation 342 of FIG. 3 .
  • stored data at the first device is updated in response to the second authentication request.
  • the stored data is updated with the private pre-shared key and the data indicative of the second device. This updating of the stored data provisions the first device to provide network access to the network to the second device.
  • operation 525 may be embodied as operation 363 of FIG. 3 .
  • the process flow illustrated in flowchart 500 may include additional steps as illustrated in, for example, FIGS. 1-4 . Accordingly, once the first device is provisioned to provide network access to the network to the second device, authentication requests may be made to the first device via one or more of the second and third devices so that the second device can receive access to the network. In other words, additional processing steps as illustrated in FIG. 4 may be added to the processing illustrated in FIG. 5 .
  • the techniques described above with reference to FIGS. 1-5 may be utilized in a number of different deployments, which include public Wi-Fi deployments and private or enterprise Wi-Fi deployments. These techniques may be used in conjunction with key expiry processes which differ depending on whether the techniques are applied within a public, private or enterprise setting.
  • key expiry and rotation may be mandatory because of the dynamic nature of the client devices that will be accessing the WLAN or Wi-Fi environment. Otherwise, with the auto provisioning in place, the AAA server stored data (e.g., database) could grow exponentially. Accordingly, the AAA server expires the older keys and new associations from client devices would come with the default pre-shared key. Said differently, when a private pre-shared key in the stored data of the AAA server expires, the process illustrated in FIG. 3 may be re-implemented to generate a new private key for use with the client whose previous private key has expired.
  • AAA server may be running on the WLC itself, so that provisioning onto the external AAA server is not required.
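As an added example (not code from the patent or from Cisco), the following Python simulates the AAA server's stored data of Tables 1 and 2 across the exchanges of FIGS. 2-4 (social login, access reject 335 carrying the default pre-shared key, access update 362/363/364, and the later access accept 410) together with the key-expiry behaviour described above for public deployments. The class and function names, the MAC address check, the minimum key length and the key TTL are assumptions.

```python
# Constructed simulation of the AAA server's stored data and of the exchanges
# in FIGS. 2-4 of the patent, plus key expiry. Not Cisco's code; names,
# the MAC format check, the minimum key length and the TTL are assumptions.
from dataclasses import dataclass
from typing import Dict, Optional
import re
import secrets

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so one station always matches one row."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"bad MAC address: {mac!r}")
    return m


@dataclass
class Entry:
    """One row of the AAA table; the username is the primary key (Tables 1, 2)."""
    username: str
    mac: Optional[str] = None
    private_psk: Optional[str] = None
    provisioned_at: Optional[int] = None


@dataclass
class Response:
    kind: str            # "accept" (364, 410) or "reject" (335)
    psk: Optional[str]   # default PSK in a reject, private PSK in an accept


class AAAServer:
    def __init__(self, default_psk: str, key_ttl: Optional[int] = None):
        self.default_psk = default_psk
        self.key_ttl = key_ttl            # seconds; None means keys never expire
        self.table: Dict[str, Entry] = {}

    def social_login(self, username: str) -> str:
        """FIG. 2, operations 245/250: record the username, hand out the default PSK."""
        self.table.setdefault(username, Entry(username))
        return self.default_psk

    def _lookup_by_mac(self, mac: str, now: int) -> Optional[Entry]:
        for e in self.table.values():
            if e.mac == mac and e.private_psk is not None:
                if self.key_ttl is not None and now - e.provisioned_at > self.key_ttl:
                    # Expired key: clear the row so the next association restarts FIG. 3
                    e.mac = e.private_psk = e.provisioned_at = None
                    return None
                return e
        return None

    def access_request(self, mac: str, now: int) -> Response:
        """MAC authentication: 334/335 before provisioning, 406/408/410 after."""
        e = self._lookup_by_mac(normalize_mac(mac), now)
        if e is None:
            return Response("reject", self.default_psk)
        return Response("accept", e.private_psk)

    def access_update(self, username: str, mac: str, private_psk: str, now: int) -> Response:
        """Operations 362/363/364: bind MAC and private PSK to an existing username."""
        e = self.table.get(username)
        if e is None or len(private_psk) < 8:
            # Only users who completed social login may be provisioned (assumption)
            return Response("reject", None)
        e.mac, e.private_psk, e.provisioned_at = normalize_mac(mac), private_psk, now
        return Response("accept", private_psk)


def onboard(aaa: AAAServer, username: str, mac: str, now: int) -> Dict[str, object]:
    """Client and WLC side of FIGS. 2-4; returns what each stage observed."""
    default_psk = aaa.social_login(username)                  # FIG. 2
    first = aaa.access_request(mac, now)                       # 334 -> 335
    # 342: the WLC negotiates with the PSK carried in the reject; this only
    # succeeds because the client already holds the same default key (FIG. 2)
    if first.kind != "reject" or first.psk != default_psk:
        raise RuntimeError("expected a reject carrying the default PSK (operation 335)")
    private_psk = secrets.token_urlsafe(24)                   # client generates the aPSK
    upd = aaa.access_update(username, mac, private_psk, now)   # 356 -> 362/363/364
    second = aaa.access_request(mac, now)                      # FIG. 4: 406 -> 408/410
    return {"first": first.kind, "update": upd.kind, "second": second.kind,
            "psk_matches": second.psk == private_psk}
```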
  • key management may include the following aspects so that the management techniques may be tailored to different scenarios:
  • FIG. 6 depicted therein is an apparatus configured to implement the techniques of the present disclosure. Specifically, illustrated in FIG. 6 is an apparatus that may be configured to implement any of the functions described above with reference to FIGS. 1-5 .
  • FIG. 6 illustrates a computer system 601 upon which the embodiments presented may be implemented.
  • the computer system 601 may be programmed to implement a computer based device.
  • the computer system 601 includes a bus 602 or other communication mechanism for communicating information, and a processor 603 coupled with the bus 602 for processing the information. While the figure shows a single block 603 for a processor, it should be understood that the processors 603 represent a plurality of processing cores, each of which can perform separate processing.
  • the computer system 601 also includes a main memory 604 , such as a random access memory (RAM) or other dynamic storage device (e.g., dynamic RAM (DRAM), static RAM (SRAM), and synchronous DRAM (SD RAM)), coupled to the bus 602 for storing information and instructions to be executed by processor 603 .
  • main memory 604 may be used for storing temporary variables or other intermediate information during the execution of instructions by the processor 603 .
  • the computer system 601 further includes a read only memory (ROM) 605 or other static storage device (e.g., programmable ROM (PROM), erasable PROM (EPROM), and electrically erasable PROM (EEPROM)) coupled to the bus 602 for storing static information and instructions for the processor 603 .
  • ROM read only memory
  • PROM programmable ROM
  • EPROM erasable PROM
  • EEPROM electrically erasable PROM
  • the computer system 601 also includes a disk controller 606 coupled to the bus 602 to control one or more storage devices for storing information and instructions, such as a magnetic hard disk 607 or solid state drive, and a removable media drive 608 (e.g., floppy disk drive, read-only compact disc drive, read/write compact disc drive, removable magneto-optical drive and optical storage drive).
  • the storage devices may be added to the computer system 601 using an appropriate device interface (e.g., small computer system interface (SCSI), integrated device electronics (IDE), enhanced-IDE (E-IDE), direct memory access (DMA), or ultra-DMA), or any other technologies now known or hereinafter developed.
  • SCSI small computer system interface
  • IDE integrated device electronics
  • E-IDE enhanced-IDE
  • DMA direct memory access
  • the computer system 601 may also include special purpose logic devices (e.g., application specific integrated circuits (ASICs)) or configurable logic devices (e.g., simple programmable logic devices (SPLDs), complex programmable logic devices (CPLDs), and field programmable gate arrays (FPGAs)), which, in addition to microprocessors and digital signal processors, individually or collectively constitute types of processing circuitry.
  • ASICs application specific integrated circuits
  • SPLDs simple programmable logic devices
  • CPLDs complex programmable logic devices
  • FPGAs field programmable gate arrays
  • the processing circuitry may be located in one device or distributed across multiple devices.
  • the computer system 601 may also include a display controller 609 coupled to the bus 602 to control a display 610 , such as a Liquid Crystal Display (LCD), Light Emitting Diode (LED) display, or other now known or hereinafter developed display technologies, for displaying information to a computer user.
  • the computer system 601 includes input devices, such as a keyboard 611 and a pointing device 612 , for interacting with a computer user and providing information to the processor 603 .
  • the pointing device 612 for example, may be a mouse, a trackball, a pointing stick or a touch-pad, for communicating direction information and command selections to the processor 603 and for controlling cursor movement on the display 610 .
  • the display 610 may be a touch-screen display.
  • the computer system 601 performs a portion or all of the processing steps of the process in response to the processor 603 executing one or more sequences of one or more instructions contained in a memory, such as the main memory 604 .
  • Such instructions may be read into the main memory 604 from another computer readable medium, such as a hard disk or solid state drive 607 or a removable media drive 608 .
  • processors in a multi-processing arrangement may also be employed to execute the sequences of instructions contained in main memory 604 .
  • hard-wired circuitry may be used in place of or in combination with software instructions. Thus, embodiments are not limited to any specific combination of hardware circuitry and software.
  • the computer system 601 includes at least one computer readable medium or memory for holding instructions programmed according to the embodiments presented, for containing data structures, tables, records, or other data described herein.
  • Examples of computer readable media are compact discs, hard disks, floppy disks, tape, magneto-optical disks, PROMs (EPROM, EEPROM, flash EPROM), DRAM, SRAM, SD RAM, or any other magnetic medium, compact discs (e.g., CD-ROM), or any other optical medium, punch cards, paper tape, or other physical medium with patterns of holes, or any other medium from which a computer can read.
  • embodiments presented herein include software for controlling the computer system 601 , for driving a device or devices for implementing the process, and for enabling the computer system 601 to interact with a human user (e.g., print production personnel).
  • software may include, but is not limited to, device drivers, operating systems, development tools, and applications software.
  • Such computer readable storage media further includes a computer program product for performing all or a portion (if processing is distributed) of the processing presented herein.
  • the computer code devices may be any interpretable or executable code mechanism, including but not limited to scripts, interpretable programs, dynamic link libraries (DLLs), Java classes, and complete executable programs. Moreover, parts of the processing may be distributed for better performance, reliability, and/or cost.
  • the computer system 601 also includes a communication interface 613 coupled to the bus 602 .
  • the communication interface 613 provides a two-way data communication coupling to a network link 614 that is connected to, for example, a local area network (LAN) 615 , or to another communications network 616 such as the Internet.
  • LAN local area network
  • the communication interface 613 may be a wired or wireless network interface card to attach to any packet switched (wired or wireless) LAN.
  • the communication interface 613 may be an asymmetrical digital subscriber line (ADSL) card, an integrated services digital network (ISDN) card or a modem to provide a data communication connection to a corresponding type of communications line.
  • Wireless links may also be implemented.
  • the communication interface 613 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.
  • the network link 614 typically provides data communication through one or more networks to other data devices.
  • the network link 614 may provide a connection to another computer through a local area network 615 (e.g., a LAN) or through equipment operated by a service provider, which provides communication services through a communications network 616 .
  • the local network 614 and the communications network 616 use, for example, electrical, electromagnetic, or optical signals that carry digital data streams, and the associated physical layer (e.g., CAT 5 cable, coaxial cable, optical fiber, etc.).
  • the signals through the various networks and the signals on the network link 614 and through the communication interface 613 , which carry the digital data to and from the computer system 601 , may be implemented in baseband signals, or carrier wave based signals.
  • the baseband signals convey the digital data as unmodulated electrical pulses that are descriptive of a stream of digital data bits, where the term “bits” is to be construed broadly to mean symbol, where each symbol conveys at least one or more information bits.
  • the digital data may also be used to modulate a carrier wave, such as with amplitude, phase and/or frequency shift keyed signals that are propagated over a conductive media, or transmitted as electromagnetic waves through a propagation medium.
  • the digital data may be sent as unmodulated baseband data through a “wired” communication channel and/or sent within a predetermined frequency band, different than baseband, by modulating a carrier wave.
  • the computer system 601 can transmit and receive data, including program code, through the network(s) 615 and 616 , the network link 614 and the communication interface 613 .
  • the network link 614 may provide a connection through a LAN 615 to a mobile device 617 such as a personal digital assistant (PDA), laptop computer, or cellular telephone.
  • PDA personal digital assistant
  • each block in the flowchart, process flow or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s).
  • the functions noted in the blocks may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
  • the techniques of the present disclosure provide for secure access for automatically on-boarded subscribers in Wi-Fi deployments.
  • the techniques also provide for the automatic provisioning of an AAA server to provide access to a WLAN or Wi-Fi network.
  • the techniques of the present disclosure may provide one or more of the following advantages.
  • the techniques of the present application may also be easily integrated with social media and social login applications such as Wechat.
  • methods that include: providing, from a first device to a second device, a default pre-shared key, wherein the first device is configured to control network access to a network; obtaining, at the first device from a third device, a first authentication request including data indicative of the second device; providing, from the first device to the third device, a first response to the first authentication request including the default pre-shared key; obtaining, at the first device from the third device, a second authentication request containing a private pre-shared key and the data indicative of the second device; and updating stored data at the first device in response to the second authentication request with the private pre-shared key and the data indicative of the second device to provision the first device to provide network access to the network to the second device.
  • apparatuses comprising one or more memories, a network interface, and one or more processors.
  • the apparatus is configured to control network access to a network
  • the one or more processors are configured to: provide, via the network interface to a first device, a default pre-shared key; obtain, via the network interface from a second device, a first authentication request including data indicative of the first device; provide, via the network interface to the second device, a first response to the first authentication request including the default pre-shared key; obtain, via the network interface from the second device, a second authentication request containing a private pre-shared key and the data indicative of the first device; and update stored data contained in the one or more memory devices in response to the second authentication request with the private pre-shared key and the data indicative of the first device to provision the apparatus to provide network access to the network to the first device.
  • the techniques of the present application also provide for one or more tangible, non-transitory computer readable media encoded with instructions, which when executed by a processor, are operable to: provide, from a first device to a second device, a default pre-shared key, wherein the first device is configured to control network access to a network; obtain, at the first device from a third device, a first authentication request including data indicative of the second device; provide, from the first device to the third device, a first response to the first authentication request including the default pre-shared key; obtain, at the first device from the third device, a second authentication request containing a private pre-shared key and the data indicative of the second device; and update stored data at the first device in response to the second authentication request with the private pre-shared key and the data indicative of the second device to provision the first device to provide network access to the network to the second device.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A default pre-shared key is provided from a first device to a second device. The first device is configured to control network access to a network. A first authentication request is obtained at the first device from a third device. The first authentication request includes data indicative of the second device. A first response to the first authentication request is provided from the first device to the third device. The first response includes the default pre-shared key. A second authentication request containing a private pre-shared key and the data indicative of the second device is obtained at the first device from the third device. Stored data at the first device is updated in response to the second authentication request with the private pre-shared key and the data indicative of the second device to provision the first device to provide network access to the network to the second device.

Description

    TECHNICAL FIELD
  • The present disclosure relates to Wi-Fi networks and the automatic on-boarding of subscribers to such networks.
  • BACKGROUND
  • With the tremendous speed of technological evolution, wireless connectivity and mobility play significant roles in bringing greater comfort, seamless usability and improved collaboration to user experiences. Wireless subscriber bases are rapidly increasing in size and this is particularly true in Wi-Fi® wireless local area networks. While this phenomenon is good for users and service providers, it results in new challenges, especially for the Wi-Fi service providers.
  • Configuring and provisioning of the user credentials to provide users with wireless local area network access presents real challenges, as does maintaining these credentials. These provisioning and maintaining tasks become even more difficult in public deployments where subscriber presence is dynamic. The usual and/or manual provisioning techniques of the related art may not scale easily and may be difficult to sustain as a subscriber base increases. In other words, in large scale Wi-Fi deployments, particularly for service providers with large subscriber bases, it may be extremely difficult to provision and manage subscribers with traditional and manual related art procedures without compromising on security.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is an illustration of a network environment configured to implement the secure and automatic onboarding of Wi-Fi network subscriber techniques of the present disclosure, according to example embodiments.
  • FIG. 2 is a first process flow associated with a first part of the techniques of the present disclosure, according to example embodiments.
  • FIG. 3 is a second process flow associated with a second part of the techniques of the present disclosure, according to example embodiments.
  • FIG. 4 is a third process flow associated with a third part of the techniques of the present disclosure, according to example embodiments.
  • FIG. 5 is a flowchart providing a process flow for implementing the secure and automatic onboarding of Wi-Fi network subscriber techniques of the present disclosure, according to example embodiments.
  • FIG. 6 is a functional block diagram of an apparatus configured to implement the techniques of the present disclosure, according to example embodiments.
  • DESCRIPTION OF EXAMPLE EMBODIMENTS
  • Overview
  • The techniques of the present disclosure provide secure access for automatically on-boarding (e.g., configuring and/or provisioning) users in network deployments. According to these techniques, a default pre-shared key is provided from a first device to a second device. The first device is configured to control network access to a network. A first authentication request is obtained at the first device from a third device. The first authentication request includes data indicative of the second device. A first response to the first authentication request is provided from the first device to the third device. The first response includes the default pre-shared key. A second authentication request containing a private pre-shared key and the data indicative of the second device is obtained at the first device from the third device. Stored data at the first device is updated in response to the second authentication request with the private pre-shared key and the data indicative of the second device to provision the first device to provide network access to the network to the second device.
  • According to specific example embodiments, the techniques of the present disclosure provide a mechanism to provision an authentication, authorization, and accounting (AAA) server with the private pre-shared keys of authenticated clients in a secure manner and to on-board subscribers automatically in Wi-Fi and/or wireless local area network (WLAN) deployments. The techniques provide suitable mechanisms for both public and private Wi-Fi deployments.
  • Example Embodiments
  • Related art procedures to provision, for example, AAA servers often require administrators and end-users to configure the credentials for Wi-Fi access. For example, in systems implementing Wi-Fi Protected Access 2 (WPA2) used in conjunction with the Institute of Electrical and Electronics Engineers Standards Association (IEEE) 802.1X standard for port-based network access control, administrators may need to manually configure credentials, including a username, a password, and a passphrase.
  • As the size of a Wi-Fi user base increases, manual provisioning and configuring of these types of credentials may cease to be possible or feasible. The techniques of the present disclosure provide secure access for automatically on-boarding (e.g., configuring and/or provisioning) subscribers in Wi-Fi deployments. According to specific example embodiments, the techniques of the present disclosure provide a mechanism to provision the private pre-shared key (sometimes referenced in the figures as an “aPSK”) of authenticated clients in a secure manner and to on-board subscribers automatically in Wi-Fi deployments. The techniques provide suitable mechanisms for both public and private Wi-Fi deployments.
  • With reference now made to FIG. 1, depicted therein is a network environment 100 that includes client devices 105 a-e (also referred to as stations (STAs)), an access point (AP) 110, a wireless local area network controller (WLC) 115 and an AAA server 120 which are leveraged according to the techniques of the present disclosure to provide access to Wi-Fi network 125. While FIG. 1 illustrates access point 110 and WLC 115 as being separate devices, these devices may be combined or separated into fewer or more devices. Accordingly, when the present disclosure refers to operations performed by a WLC with reference to FIGS. 1-5, these operations may be implemented through an access point, a WLC and/or a combination thereof.
  • According to the example embodiment of FIG. 1, a default pre-shared key 130 is provided to client device 105 a via, for example, a social login application that communicates with AAA server 120. This default pre-shared key is used in a first Media Access Control (MAC) authentication procedure 135. While this first authentication procedure 135 may be denied, it is leveraged to provide the AAA server 120 with the MAC address of the client device 105 a. Pre-shared key negotiation 140 is then performed between client device 105 a and WLC 115 to generate a unique private pre-shared key 145. A second authentication procedure 150 is performed which provisions AAA server 120 with the unique private pre-shared key 145 for client device 105 a, automatically and securely provisioning AAA server 120 to permit client device 105 a to access Wi-Fi network 125 when media requests are subsequently made by client device 105 a.
  • More specifically, according to example embodiments of the present disclosure, during a MAC authentication failure, a WLC may be configured with the WLAN name, also referred to as the service set identifier (SSID) for the WLAN, and with a configuration that includes a pre-shared key to be used for MAC authentication and web authentication. Access points (APs), such as AP 110, may connect or join to WLC 115, download the configuration and start beaconing the configured SSID.
  • An application or “app” installed on the client devices 105 a-e may be used for social login and for auto generation of a unique private pre-shared key. This unique pre-shared key may then be used to automatically provision AAA server 120 to permit access to Wi-Fi network 125. FIGS. 2-4 illustrate an example embodiment of a device association flow according to the techniques of the present disclosure. First and second portions of the process flow, illustrated in FIGS. 2 and 3, autogenerate the unique private pre-shared keys and update or automatically provision the AAA server 120 securely. In other words, example embodiments provision private pre-shared keys back to an AAA server 120 in a secured manner. Accordingly, the AAA server 120 may be auto provisioned with user credentials for the clients 105 a-e to join Wi-Fi network 125 automatically. The third part of the process flow, illustrated in FIG. 4, illustrates how a client device 105 a-e accesses Wi-Fi network 125 once AAA server 120 is auto-provisioned with the MAC address and private pre-shared key for the client device 105 a-e.
  • Turning to FIG. 2, the process flow begins in operation 230 where an application used to generate a private pre-shared key is installed on client device 205. This application may be integrated with a social login application 225, such as “WeChat.” Example embodiments of client device 205 may be mobile devices, such as smart phones or tablets, laptop computer devices, or desktop computer devices. As illustrated in FIG. 2, prior to the association, the application will perform social login authentication 235 with Social Login application 225 through the AAA server 220. Upon successful authentication of the user associated with client 205 in operation 240, AAA server 220 maintains a username associated with the user of client device 205 in its memory, in operation 245. For example, AAA server 220 may maintain stored data, such as a database of usernames and associated pre-shared keys that are used for providing access to Wi-Fi networks. Accordingly, an example of stored data after operation 245 is illustrated in Table 1, below. As illustrated, Table 1 includes usernames for client devices for which AAA server 220 has undergone the process of FIG. 2. The remaining values in Table 1, i.e., the “Macaddress” and “Private PSK” data associated with respective “Usernames,” will be populated through the process illustrated in FIG. 3, below.
  • TABLE 1
    Macaddress | Private PSK | Username
               |             | wireless
               |             | cisco
  • Finally, AAA server 220 may also provide client 205 with a default pre-shared key in operation 250, which may be used in the subsequent processing illustrated in FIG. 3. This default pre-shared key may be used to automatically provision AAA server 220 with the credentials, i.e., the “Macaddress” and “Private PSK” data, via which client 205 will access a particular WLAN or Wi-Fi network.
  • Turning to FIG. 3, the process flow continues with operations performed between client 205, AAA server 220 and WLC 315. The process flow of FIG. 3 may be viewed as being broken into four stages: association stage 330, a default pre-shared key stage 340, a web authentication stage 350, and a private pre-shared key update stage 360.
  • In the association stage 330, client 205 detects the WLAN or Wi-Fi network (i.e., it detects the SSID broadcast by an access point, such as access point 110 of FIG. 1, or by WLC 315). Client 205 initiates an association request to WLC 315, as illustrated in operation 332. WLC 315 receives the association request 332 and sends association response 333 back to client 205. WLC 315 also sends an access request 334 to AAA server 220. Access request 334 includes the MAC address for client 205 for use in the MAC Authentication performed by AAA server 220. As this is the first access request sent on behalf of client 205, the MAC address for client 205 may not have been registered with AAA server 220. Therefore, AAA server 220 sends access reject 335 back to WLC 315. Included in access reject 335 is the default pre-shared key previously provided to client 205, as illustrated in operation 250 of FIG. 2.
  • In the default pre-shared key stage 340, WLC 315 uses the default pre-shared key received with the access reject 335 from the AAA server to perform pre-shared key negotiation 342. Client 205 is already aware of the default pre-shared key due to the pre-configuration thereof performed as illustrated in FIG. 2.
  • As a result of pre-shared key negotiation 342, client 205 learns the Internet Protocol (IP) address for WLC 315 in operation 344, and a session key and a broadcast key are generated in operation 346. With client 205 in possession of the IP address for WLC 315 and the session and broadcast keys, the process moves to the web authentication stage 350 and enters the web-authentication-required state.
  • In web authentication stage 350, client 205 makes a web request 352 to WLC 315. For example, this web request may be made via the application used in FIG. 2 to acquire the default pre-shared key. Client 205 may attempt to browse to some default page (such as Google's default search page) via the application. The web request is redirected to the IP address for WLC 315 in operation 354. Meanwhile, client 205 may auto generate (e.g., via the application) a random private pre-shared key.
  • In response to the redirection 354 to the IP address of WLC 315, a web page may be provided to client 205 for entry of a username and/or password. Client 205 may provide the username and generated private pre-shared key (e.g., automatically via the application) and post the web-authentication page back to WLC 315 in operation 356. The process then moves to the private pre-shared key update stage 360.
  • In the private pre-shared key update stage 360, WLC 315 fetches the username and private pre-shared key from operation 356 and sends these to AAA server 220 via access update request 362. In addition to the username and private pre-shared key, access update request 362 includes the MAC address for client 205. In operation 363, AAA server 220 searches its stored data or database using the username (e.g., as a primary key where the stored data is embodied as a database) and provisions the stored data with the given MAC address and private pre-shared key. For example, in operation 245 of FIG. 2, AAA server 220 updated the username for client 205 in its stored data. When AAA server 220 searches its stored data in operation 363 based upon the username, this data associated with the username may be updated with the private pre-shared key and MAC address for client 205. The AAA server then sends back access accept 364 to WLC 315. Accordingly, AAA server 220 has been automatically provisioned with the credentials (e.g., username, private pre-shared key and MAC address) for client 205. This private pre-shared key is generated and provided to each element in the network environment in a secure manner. Specifically, the private pre-shared key is first provisioned at client 205, then provisioned to an access point (if present), from the access point the private pre-shared key is provisioned to WLC 315, and finally, the private pre-shared key is provisioned to AAA server 220. This path is completely secured.
  • The path between client 205 and an access point may be secured using the pre-shared key. The path between the access point and WLC 315 may be secured using, for example, a Datagram Transport Layer Security (DTLS) connection. The path between WLC 315 and AAA server 220 may be secured using an Internet Protocol Security (IPsec) or RADIUS over TLS (RadSec) connection. Hence the complete path between client 205 and AAA server 220 is secured.
  • Illustrated below in Table 2 is an example AAA database table, illustrating example entries after the successful private pre-shared key update stage has completed with the username as the primary key.
  • TABLE 2
    Macaddress        | Private PSK | Username
    07:ae:b9:d2:f3:b2 | erjjejhjd21 | wireless
    03:ee:a9:c2:d4:a5 | jjhhkl1l145 | cisco
  • Upon receiving access accept 364 from AAA server 220, WLC 315 de-authenticates client 205 via de-authentication request 365. Client 205 sends de-authentication response 366. This de-authentication forces client 205 to re-join WLC 315 using the private pre-shared key, as illustrated with reference to FIG. 4 below.
  • Turning to FIG. 4, depicted therein is the process via which client 205 re-authenticates to WLC 315 so that client 205 may begin utilizing the Wi-Fi network or WLAN. The process of FIG. 4 begins when client 205 uses the private pre-shared key generated in operation 346 of FIG. 3 to send association request 402. WLC sends association response 404 back to client 205 and also sends access request 406 to AAA server 220. Access request 406 includes the MAC address for client 205. AAA server 220 searches its stored data in operation 408 based on the MAC address of client 205 and returns access accept 410 with the already provisioned private pre-shared key found against the MAC address for client 205. In other words, access is now granted to client 205 because AAA server 220 was previously provisioned with the private pre-shared key, username and MAC address of client 205 in operation 363 of FIG. 3. This grant of access may be contrasted with the access denial of operation 335 of FIG. 3 from prior to the provisioning of operation 363, also of FIG. 3.
  • WLC 315 and client 205 perform pre-shared key negotiation 412 based upon the private pre-shared key to generate a session key and a broadcast key. From this point onwards, traffic between client 205 and WLC 315 (or an access point, such as access point 110 of FIG. 1) would be encrypted using these keys. In operation 414, client 205 receives the appropriate IP address for messages sent via the WLAN or Wi-Fi network from, for example, a Dynamic Host Configuration Protocol (DHCP) server, and client 205 and WLC 315 then communicate in run state 416. Accordingly, client 205 is now provided access to the WLAN or Wi-Fi environment that AAA server 220 controls.
  • With reference now made to FIG. 5, depicted therein is a flowchart 500 illustrating a process flow for performing an example embodiment of the techniques of the present disclosure. The process flow of FIG. 5 begins in operation 505 where a default pre-shared key is provided from a first device to a second device. The first device is configured to authenticate client devices to a network. According to specific implementations of operation 505, the first device may be embodied as an AAA server, such as AAA server 120 of FIG. 1 or AAA server 220 of FIGS. 2-4. The second device may be embodied as a client device, such as one or more of client devices 105 a-e of FIG. 1 and/or client device 205 of FIGS. 2-4. The default pre-shared key may be provided to the second device via, for example, a social login application, as illustrated in FIG. 2.
  • In operation 510, a first authentication request is obtained at the first device from a third device. The authentication request includes data indicative of the second device. Operation 510 may be embodied as, for example, access request 334 of FIG. 3, and the data indicative of the second device may be embodied as a MAC address for the second device, also as shown in access request 334 of FIG. 3.
  • In operation 515, a first response to the first authentication request is provided to the third device from the first device. The first response includes the default pre-shared key. According to specific embodiments of operation 515, the first response may be embodied as access reject 335 of FIG. 3.
  • In operation 520, a second authentication request is obtained at the first device from the third device. This second authentication request includes a private pre-shared key and data indicative of the second device. For example, the second authentication request may be embodied as access request 362 of FIG. 3, with the data indicative of the second device being embodied as one or more of the username or MAC address associated with client 205 of FIGS. 2-4. As with the example of FIG. 3, the private pre-shared key may be generated through a negotiation process between the second device and the third device, such as pre-shared key negotiation 342 of FIG. 3.
  • In operation 525, stored data at the first device is updated in response to the second authentication request. The stored data is updated with the private pre-shared key and the data indicative of the second device. This updating of the stored data provisions the first device to provide network access to the network to the second device. For example, operation 525 may be embodied as operation 363 of FIG. 3.
  • The process flow illustrated in flowchart 500 may include additional steps as illustrated in, for example, FIGS. 1-4. Accordingly, once the first device is provisioned to provide network access to the network to the second device, authentication requests may be made to the first device via one or more of the second and third devices so that the second device can receive access to the network. In other words, additional processing steps as illustrated in FIG. 4 may be added to the processing illustrated in FIG. 5.
  • The techniques described above with reference to FIGS. 1-5 may be utilized in a number of different deployments, which include public Wi-Fi deployments and private or enterprise Wi-Fi deployments. These techniques may be used in conjunction with key expiry processes which differ depending on whether the techniques are applied within a public, private or enterprise setting.
  • In public Wi-Fi deployments, key expiry and rotation may be mandatory because of the dynamic nature of the client devices that will be accessing the WLAN or Wi-Fi environment. Otherwise, with the auto provisioning in place, the AAA server stored data (e.g., database) could grow exponentially. Accordingly, the AAA server expires the older keys and new associations from client devices would come with the default pre-shared key. Said differently, when a private pre-shared key in the stored data of the AAA server expires, the process illustrated in FIG. 3 may be re-implemented to generate a new private key for use with the client whose previous private key has expired.
  • In private or enterprise Wi-Fi deployments, key expiry and rotation may be optional. In some private deployments, the AAA server may be running on the WLC itself, so that provisioning onto the external AAA server is not required.
  • In addition to the above described key management mechanisms, key management may include the following aspects so that the management techniques may be tailored to different scenarios:
      • The generated and provisioned private pre-shared keys of the devices may be generated with a limited lifetime. Once a private pre-shared key expires, if the client device associated with the expired private pre-shared key is still present, the AAA server will push for Change of Authorization (CoA) and the client on-boarding mechanism (e.g., the processes illustrated in one or more of FIGS. 1-3 and/or 5) will be re-triggered. This will help to clean up stale client entries on AAA servers.
      • Details of excluded or blacklisted clients shall be provisioned on the AAA server by the administrator so that automatic on-boarding of those clients may be denied.
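The FIG. 2-4 exchange (social login, MAC-authentication reject carrying the default PSK, access update with the private PSK, re-join) together with the key-expiry and excluded-client rules just listed, as an added Python simulation that is not code from the patent or from Cisco. It models only the AAA server's stored data and decisions, not RADIUS framing, the DTLS/IPsec/RadSec transports or the pre-shared key negotiation; the message strings, the `Entry`/`AAAServer` names, the MAC-keyed exclusion list, the lifetime value and the default PSK are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Default pre-shared key handed out after social login (operation 250).
# Constructed value; the page does not give one.
DEFAULT_PSK = "default-psk-constructed"


@dataclass
class Entry:
    """One row of the AAA stored data (Tables 1 and 2), keyed by username."""
    username: str
    macaddress: Optional[str] = None
    private_psk: Optional[str] = None
    expires_at: Optional[float] = None  # limited lifetime from the key management section


class AAAServer:
    """AAA server 220 behaviour for operations 245/250, 334/335, 362-364 and 406-410."""

    def __init__(self, key_lifetime_s: float = 3600.0, excluded_macs=()):
        self.db: dict[str, Entry] = {}
        # Administrator-provisioned excluded/blacklisted clients (assumed to be MAC-keyed).
        self.excluded = {m.lower() for m in excluded_macs}
        self.key_lifetime_s = key_lifetime_s

    def social_login(self, username: str) -> str:
        """FIG. 2: after social login succeeds, keep the username (op 245)
        and return the default PSK (op 250)."""
        self.db.setdefault(username, Entry(username))
        return DEFAULT_PSK

    def _find_by_mac(self, mac: str) -> Optional[Entry]:
        return next((e for e in self.db.values() if e.macaddress == mac), None)

    def access_request(self, mac: str, now: Optional[float] = None):
        """MAC authentication (access request 334 / 406). Returns (result, key):
        Access-Reject with the default PSK for unknown or expired clients (op 335),
        Access-Accept with the private PSK once provisioned (op 410), and
        Access-Reject with no key at all for excluded clients."""
        now = time.time() if now is None else now
        mac = mac.lower()
        if mac in self.excluded:
            return ("Access-Reject", None)
        entry = self._find_by_mac(mac)
        if entry is None:
            return ("Access-Reject", DEFAULT_PSK)
        if entry.expires_at is not None and now >= entry.expires_at:
            # Key expiry: clear the stale credentials so the client re-on-boards
            # with the default PSK (public deployment behaviour).
            entry.macaddress = entry.private_psk = entry.expires_at = None
            return ("Access-Reject", DEFAULT_PSK)
        return ("Access-Accept", entry.private_psk)

    def access_update(self, username: str, private_psk: str, mac: str,
                      now: Optional[float] = None) -> str:
        """Access update request 362: look the row up by username (op 363) and
        provision the MAC address and private PSK with a lifetime."""
        now = time.time() if now is None else now
        mac = mac.lower()
        if mac in self.excluded or username not in self.db:
            return "Access-Reject"  # excluded, or no social-login row to attach the key to
        entry = self.db[username]
        entry.macaddress, entry.private_psk = mac, private_psk
        entry.expires_at = now + self.key_lifetime_s
        return "Access-Accept"


def generate_private_psk() -> str:
    """Client-side random private PSK (auto-generated by the app before op 356)."""
    return secrets.token_urlsafe(24)


def onboard_and_join(aaa: AAAServer, username: str, mac: str, now: float = 0.0):
    """Drive FIG. 2, FIG. 3 and FIG. 4 from the client/WLC side; return the
    AAA responses seen along the way and the key finally in use."""
    trace = []
    default_psk = aaa.social_login(username)        # FIG. 2, op 250
    result, key = aaa.access_request(mac, now)       # FIG. 3, ops 334/335
    trace.append(result)
    if result == "Access-Reject" and key == default_psk:
        # WLC and client negotiate with the default PSK (342); web-auth posts the
        # username and a fresh private PSK (356); the WLC relays them with the
        # MAC address in access update request 362.
        private_psk = generate_private_psk()
        trace.append(aaa.access_update(username, private_psk, mac, now))
        # De-authentication (365/366) forces a re-join: FIG. 4, ops 406-410.
        result, key = aaa.access_request(mac, now)
        trace.append(result)
    return trace, key
```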
  • With reference now made to FIG. 6, depicted therein is an apparatus configured to implement the techniques of the present disclosure. Specifically, illustrated in FIG. 6 is an apparatus that may be configured to implement any of the functions described above with reference to FIGS. 1-5. FIG. 6 illustrates a computer system 601 upon which the embodiments presented may be implemented. The computer system 601 may be programmed to implement a computer based device. The computer system 601 includes a bus 602 or other communication mechanism for communicating information, and a processor 603 coupled with the bus 602 for processing the information. While the figure shows a single block 603 for a processor, it should be understood that the processors 603 represent a plurality of processing cores, each of which can perform separate processing. The computer system 601 also includes a main memory 604, such as a random access memory (RAM) or other dynamic storage device (e.g., dynamic RAM (DRAM), static RAM (SRAM), and synchronous DRAM (SD RAM)), coupled to the bus 602 for storing information and instructions to be executed by processor 603. In addition, the main memory 604 may be used for storing temporary variables or other intermediate information during the execution of instructions by the processor 603.
  • The computer system 601 further includes a read only memory (ROM) 605 or other static storage device (e.g., programmable ROM (PROM), erasable PROM (EPROM), and electrically erasable PROM (EEPROM)) coupled to the bus 602 for storing static information and instructions for the processor 603.
  • The computer system 601 also includes a disk controller 606 coupled to the bus 602 to control one or more storage devices for storing information and instructions, such as a magnetic hard disk 607 or solid state drive, and a removable media drive 608 (e.g., floppy disk drive, read-only compact disc drive, read/write compact disc drive, removable magneto-optical drive and optical storage drive). The storage devices may be added to the computer system 601 using an appropriate device interface (e.g., small computer system interface (SCSI), integrated device electronics (IDE), enhanced-IDE (E-IDE), direct memory access (DMA), or ultra-DMA), or any other technologies now known or hereinafter developed.
  • The computer system 601 may also include special purpose logic devices (e.g., application specific integrated circuits (ASICs)) or configurable logic devices (e.g., simple programmable logic devices (SPLDs), complex programmable logic devices (CPLDs), and field programmable gate arrays (FPGAs)), which, in addition to microprocessors and digital signal processors, are individually or collectively types of processing circuitry. The processing circuitry may be located in one device or distributed across multiple devices.
  • The computer system 601 may also include a display controller 609 coupled to the bus 602 to control a display 610, such as a Liquid Crystal Display (LCD), Light Emitting Diode (LED) display, or other now known or hereinafter developed display technologies, for displaying information to a computer user. The computer system 601 includes input devices, such as a keyboard 611 and a pointing device 612, for interacting with a computer user and providing information to the processor 603. The pointing device 612, for example, may be a mouse, a trackball, a pointing stick or a touch-pad, for communicating direction information and command selections to the processor 603 and for controlling cursor movement on the display 610. The display 610 may be a touch-screen display.
  • The computer system 601 performs a portion or all of the processing steps of the process in response to the processor 603 executing one or more sequences of one or more instructions contained in a memory, such as the main memory 604. Such instructions may be read into the main memory 604 from another computer readable medium, such as a hard disk or solid state drive 607 or a removable media drive 608. One or more processors in a multi-processing arrangement may also be employed to execute the sequences of instructions contained in main memory 604. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions. Thus, embodiments are not limited to any specific combination of hardware circuitry and software.
  • As stated above, the computer system 601 includes at least one computer readable medium or memory for holding instructions programmed according to the embodiments presented, for containing data structures, tables, records, or other data described herein. Examples of computer readable media are compact discs, hard disks, floppy disks, tape, magneto-optical disks, PROMs (EPROM, EEPROM, flash EPROM), DRAM, SRAM, SDRAM, or any other magnetic medium, compact discs (e.g., CD-ROM), or any other optical medium, punch cards, paper tape, or other physical medium with patterns of holes, or any other medium from which a computer can read.
  • Stored on any one or on a combination of non-transitory computer readable storage media, embodiments presented herein include software for controlling the computer system 601, for driving a device or devices for implementing the process, and for enabling the computer system 601 to interact with a human user (e.g., print production personnel). Such software may include, but is not limited to, device drivers, operating systems, development tools, and applications software. Such computer readable storage media further includes a computer program product for performing all or a portion (if processing is distributed) of the processing presented herein.
  • The computer code devices may be any interpretable or executable code mechanism, including but not limited to scripts, interpretable programs, dynamic link libraries (DLLs), Java classes, and complete executable programs. Moreover, parts of the processing may be distributed for better performance, reliability, and/or cost.
  • The computer system 601 also includes a communication interface 613 coupled to the bus 602. The communication interface 613 provides a two-way data communication coupling to a network link 614 that is connected to, for example, a local area network (LAN) 615, or to another communications network 616 such as the Internet. For example, the communication interface 613 may be a wired or wireless network interface card to attach to any packet switched (wired or wireless) LAN. As another example, the communication interface 613 may be an asymmetrical digital subscriber line (ADSL) card, an integrated services digital network (ISDN) card or a modem to provide a data communication connection to a corresponding type of communications line. Wireless links may also be implemented. In any such implementation, the communication interface 613 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.
  • The network link 614 typically provides data communication through one or more networks to other data devices. For example, the network link 614 may provide a connection to another computer through a local area network 615 (e.g., a LAN) or through equipment operated by a service provider, which provides communication services through a communications network 616. The local network 614 and the communications network 616 use, for example, electrical, electromagnetic, or optical signals that carry digital data streams, and the associated physical layer (e.g., CAT 5 cable, coaxial cable, optical fiber, etc.). The signals through the various networks and the signals on the network link 614 and through the communication interface 613, which carry the digital data to and from the computer system 601, may be implemented in baseband signals or carrier wave based signals. The baseband signals convey the digital data as unmodulated electrical pulses that are descriptive of a stream of digital data bits, where the term “bits” is to be construed broadly to mean symbol, where each symbol conveys at least one or more information bits. The digital data may also be used to modulate a carrier wave, such as with amplitude, phase and/or frequency shift keyed signals that are propagated over a conductive media, or transmitted as electromagnetic waves through a propagation medium. Thus, the digital data may be sent as unmodulated baseband data through a “wired” communication channel and/or sent within a predetermined frequency band, different than baseband, by modulating a carrier wave. The computer system 601 can transmit and receive data, including program code, through the network(s) 615 and 616, the network link 614 and the communication interface 613. Moreover, the network link 614 may provide a connection through a LAN 615 to a mobile device 617 such as a personal digital assistant (PDA), laptop computer, or cellular telephone.
  • The process flows, flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments. In this regard, each block in the flowchart, process flow or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the blocks may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts or carry out combinations of special purpose hardware and computer instructions.
  • In summary, the techniques of the present disclosure provide for secure access for automatically on-boarded subscribers in Wi-Fi deployments. The techniques also provide for the automatic provisioning of an AAA server to provide access to a WLAN or Wi-Fi network.
  • Furthermore, the techniques of the present disclosure may provide one or more of the following advantages.
      • Simplified secure guest access workflows and on-boarding applications.
      • The ability to revoke a single key without affecting the rest of the network. In other words, the ability to easily revoke access, for a single device or individual, without affecting everyone else.
      • Self-registration against Active Directory for personal Bring-Your-Own-Device (BYOD) environments.
      • Time-based key validity for guest access.
      • With a username in place, accounting per user login from multiple devices is possible.
      • No configuration is required for client devices, making it ideal for BYOD and guest deployments.
      • Highly suitable for service provider Wi-Fi deployments for both public and private locations.
  • The techniques of the present application may be particularly applicable to:
      • Public deployments like malls, airports, hotels and stadiums, where the subscribers may be provisioned and onboarded automatically without compromising on security.
      • Private/enterprise deployments permitting the auto on-boarding of employees and guests to be easily managed.
  • The techniques of the present application may also be easily integrated with social media and social login applications such as Wechat.
  • Furthermore, in large scale Wi-Fi deployments, especially with service providers, it is extremely difficult to provision and manage subscribers with traditional, manual procedures without compromising on security. Traditional approaches would require administrators and end-users to configure the credentials manually. The techniques of the present disclosure may alleviate or solve some of these challenges.
  • According to the techniques of the present application, provided for herein are methods that include: providing, from a first device to a second device, a default pre-shared key, wherein the first device is configured to control network access to a network; obtaining, at the first device from a third device, a first authentication request including data indicative of the second device; providing, from the first device to the third device, a first response to the first authentication request including the default pre-shared key; obtaining, at the first device from the third device, a second authentication request containing a private pre-shared key and the data indicative of the second device; and updating stored data at the first device in response to the second authentication request with the private pre-shared key and the data indicative of the second device to provision the first device to provide network access to the network to the second device.
  • Also provided for herein are apparatuses comprising one or more memories, a network interface, and one or more processors. The apparatus is configured to control network access to a network, and the one or more processors are configured to: provide, via the network interface to a first device, a default pre-shared key; obtain, via the network interface from a second device, a first authentication request including data indicative of the first device; provide, via the network interface to the second device, a first response to the first authentication request including the default pre-shared key; obtain, via the network interface from the second device, a second authentication request containing a private pre-shared key and the data indicative of the first device; and update stored data contained in the one or more memory devices in response to the second authentication request with the private pre-shared key and the data indicative of the first device to provision the apparatus to provide network access to the network to the first device.
  • The techniques of the present application also provide for one or more tangible, non-transitory computer readable media encoded with instructions, which when executed by a processor, are operable to: provide, from a first device to a second device, a default pre-shared key, wherein the first device is configured to control network access to a network; obtain, at the first device from a third device, a first authentication request including data indicative of the second device; provide, from the first device to the third device, a first response to the first authentication request including the default pre-shared key; obtain, at the first device from the third device, a second authentication request containing a private pre-shared key and the data indicative of the second device; and update stored data at the first device in response to the second authentication request with the private pre-shared key and the data indicative of the second device to provision the first device to provide network access to the network to the second device.
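  • As an added illustration, not code from the patent or from any vendor's product, the following Python models the first-device (AAA server) side of the exchange described in the three paragraphs above: the default pre-shared key handed to the client, the first authentication request from the WLAN controller answered with an access reject carrying the default key, the second request that stores the negotiated private key against the client's identifier, the third request that returns the stored private key, and the expiry and single-key revocation mentioned among the advantages. The message shapes, the use of a MAC-style address as the "data indicative of the second device", the key lifetime, and an accept result on the second request are assumptions of this example.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed example of AAA-server state for the onboarding flow summarised
# above. Names, message shapes and the key lifetime are assumptions, not the
# patent's or any vendor's API.

DEFAULT_PSK = "constructed-default-psk"  # default pre-shared key (assumed value)


@dataclass
class AuthRequest:
    """Authentication request as sent by the third device (WLAN controller)."""
    client_id: str                      # data indicative of the client, e.g. its MAC
    private_psk: Optional[str] = None   # present only on the second request


@dataclass
class AuthResponse:
    accept: bool
    psk: str      # default PSK on the reject, private PSK once provisioned
    reason: str


@dataclass
class KeyRecord:
    private_psk: str
    expires_at: float


class AaaServer:
    """First device: controls network access and keeps per-client stored data."""

    def __init__(self, key_lifetime_s: float = 3600.0,
                 now: Callable[[], float] = time.time) -> None:
        self.records: Dict[str, KeyRecord] = {}
        self.key_lifetime_s = key_lifetime_s
        self.now = now  # injectable clock so expiry can be exercised offline

    def provide_default_psk(self) -> str:
        """Step 1: the default PSK given to the client (e.g. via social login)."""
        return DEFAULT_PSK

    def handle_auth_request(self, req: AuthRequest) -> AuthResponse:
        rec = self.records.get(req.client_id)

        # Second request: the controller reports the private PSK it negotiated
        # with the client; store it with a validity window (time-based validity).
        if req.private_psk is not None:
            self.records[req.client_id] = KeyRecord(
                private_psk=req.private_psk,
                expires_at=self.now() + self.key_lifetime_s,
            )
            # Accepting here is an assumption; the summary only says the
            # stored data is updated.
            return AuthResponse(True, req.private_psk, "private psk provisioned")

        # Third request (and later ones): known client with an unexpired key,
        # so return the private PSK for the controller to admit the client.
        if rec is not None and rec.expires_at > self.now():
            return AuthResponse(True, rec.private_psk, "private psk returned")

        # Expired key: forget it so the client goes through onboarding again.
        if rec is not None:
            del self.records[req.client_id]

        # First request (unknown or expired client): access reject that carries
        # the default PSK, as in claim 21.
        return AuthResponse(False, DEFAULT_PSK, "unknown client; default psk")

    def revoke(self, client_id: str) -> bool:
        """Revoke one client's key without touching any other client's record."""
        return self.records.pop(client_id, None) is not None


def onboard_flow(server: AaaServer, client_id: str, private_psk: str):
    """Drive the three requests in the order the summary describes."""
    first = server.handle_auth_request(AuthRequest(client_id))
    second = server.handle_auth_request(AuthRequest(client_id, private_psk))
    third = server.handle_auth_request(AuthRequest(client_id))
    return first, second, third
```

The negotiation of the private key between the client and the controller happens outside the AAA server and is therefore represented only by the value the controller reports in the second request.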
  • The above description is intended by way of example only. Although the techniques are illustrated and described herein as embodied in one or more specific examples, it is nevertheless not intended to be limited to the details shown, since various modifications and structural changes may be made within the scope and range of equivalents of the claims.

Claims (21)

1. A method comprising:
providing, from a first device to a second device, a default pre-shared key, wherein the first device is configured to control network access to a network;
obtaining, at the first device from a third device, a first authentication request including data indicative of the second device;
providing, from the first device to the third device, a first response to the first authentication request including the default pre-shared key;
obtaining, at the first device from the third device, a second authentication request containing a private pre-shared key and the data indicative of the second device; and
updating stored data at the first device in response to the second authentication request with the private pre-shared key and the data indicative of the second device to provision the first device to provide network access to the network to the second device.
2. The method of claim 1, wherein the first device comprises an authentication authorization and accounting server; wherein the second device comprises a client device, and wherein the third device comprises a wireless local area network controller.
3. The method of claim 1, further comprising:
obtaining, at the first device from the third device, a third authentication request containing the data indicative of the second device;
retrieving, from the stored data, the private pre-shared key; and
providing, to the third device from the first device, a third response including the private pre-shared key, configured to allow the third device to provide access to the network to the second device.
4. The method of claim 1, wherein obtaining the second authentication request comprises obtaining the second authentication request subsequent to a pre-shared key negotiation between the second device and the third device during which the private pre-shared key is generated by the second device and the third device.
5. The method of claim 1, wherein providing, from the first device to the second device, the default pre-shared key comprises providing the default pre-shared key to the second device via a social login application.
6. The method of claim 1, wherein the network comprises a private Wi-Fi network deployment.
7. The method of claim 1, wherein the network comprises a public Wi-Fi network deployment.
8. The method of claim 1, further comprising:
expiring the private pre-shared key; and
obtaining, at the first device from the third device in response to the expiring of the private pre-shared key, a third authentication request including the data indicative of the second device.
9. An apparatus comprising:
one or more memory devices;
a network interface; and
one or more processors,
wherein the apparatus is configured to control network access to a network, and
wherein the one or more processors are configured to:
provide, via the network interface to a first device, a default pre-shared key;
obtain, via the network interface from a second device, a first authentication request including data indicative of the first device;
provide, via the network interface to the second device, a first response to the first authentication request including the default pre-shared key;
obtain, via the network interface from the second device, a second authentication request containing a private pre-shared key and the data indicative of the first device; and
update stored data contained in the one or more memory devices in response to the second authentication request with the private pre-shared key and the data indicative of the first device to provision the apparatus to provide network access to the network to the first device.
10. The apparatus of claim 9, wherein the apparatus comprises an authentication authorization and accounting server; wherein the first device comprises a client device, and wherein the second device comprises a wireless local area network controller.
11. The apparatus of claim 9, wherein the one or more processors are further configured to:
obtain, via the network interface from the second device, a third authentication request containing the data indicative of the first device;
retrieve, from the one or more memory devices, the private pre-shared key; and
provide, via the network interface to the second device, a third response including the private pre-shared key, configured to allow the second device to provide access to the network to the first device.
12. The apparatus of claim 9, wherein the one or more processors are configured to obtain the second authentication request by obtaining the second authentication request subsequent to a pre-shared key negotiation between the first device and the second device during which the private pre-shared key is generated by the first device and the second device.
13. The apparatus of claim 9, wherein the one or more processors are configured to provide, via the network interface to the second device, the default pre-shared key by providing the default pre-shared key to the first device via a social login application.
14. The apparatus of claim 9, wherein the one or more processors are further configured to:
expire the private pre-shared key; and
obtain, via the network interface from the second device in response to expiration of the private pre-shared key, a third authentication request including the data indicative of the first device.
15. One or more tangible non-transitory computer readable media encoded with instructions, which when executed by a processor, are operable to:
provide, from a first device to a second device, a default pre-shared key, wherein the first device is configured to control network access to a network;
obtain, at the first device from a third device, a first authentication request including data indicative of the second device;
provide, from the first device to the third device, a first response to the first authentication request including the default pre-shared key;
obtain, at the first device from the third device, a second authentication request containing a private pre-shared key and the data indicative of the second device; and
update stored data at the first device in response to the second authentication request with the private pre-shared key and the data indicative of the second device to provision the first device to provide network access to the network to the second device.
16. (canceled)
17. The one or more tangible non-transitory computer readable media of claim 15, wherein the instructions are further operable to:
obtain, at the first device from the third device, a third authentication request containing the data indicative of the second device;
retrieve, from the stored data, the private pre-shared key; and
provide, to the third device from the first device, a third response including the private pre-shared key, configured to allow the third device to provide access to the network to the second device.
18. The one or more tangible non-transitory computer readable media of claim 15, wherein the instructions are further operable to obtain the second authentication request by obtaining the second authentication request subsequent to a pre-shared key negotiation between the second device and the third device during which the private pre-shared key is generated by the second device and the third device.
19. The one or more tangible non-transitory computer readable media of claim 15, wherein the instructions are further operable to provide, from the first device to the second device, the default pre-shared key by providing the default pre-shared key to the second device via a social login application.
20. The one or more tangible non-transitory computer readable media of claim 15, wherein the instructions are further operable to:
expire the private pre-shared key; and
obtain, at the first device from the third device in response to expiration of the private pre-shared key, a third authentication request including the data indicative of the second device.
21. The method of claim 1, wherein obtaining the first authentication request including the data indicative of the second device includes:
based on the second device being associated with the third device, obtaining, at the first device from the third device, the first authentication request in which the data includes an address of the second device,
wherein the first response is an access reject that includes the default pre-shared key.

Priority Applications (2)

Application Number Priority Date Filing Date Title
US16/415,442 US10820201B1 (en) 2019-05-17 2019-05-17 Providing secure access for automatically on-boarded subscribers in Wi-Fi networks
US17/028,455 US11051168B2 (en) 2019-05-17 2020-09-22 Providing secure access for automatically on-boarded subscribers in Wi-Fi networks

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US16/415,442 US10820201B1 (en) 2019-05-17 2019-05-17 Providing secure access for automatically on-boarded subscribers in Wi-Fi networks

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US17/028,455 Continuation US11051168B2 (en) 2019-05-17 2020-09-22 Providing secure access for automatically on-boarded subscribers in Wi-Fi networks

Publications (2)

Publication Number Publication Date
US10820201B1 US10820201B1 (en) 2020-10-27
US20200367058A1 true US20200367058A1 (en) 2020-11-19

Family

ID=72944729

Family Applications (2)

Application Number Title Priority Date Filing Date
US16/415,442 Active 2039-06-25 US10820201B1 (en) 2019-05-17 2019-05-17 Providing secure access for automatically on-boarded subscribers in Wi-Fi networks
US17/028,455 Active US11051168B2 (en) 2019-05-17 2020-09-22 Providing secure access for automatically on-boarded subscribers in Wi-Fi networks

Family Applications After (1)

Application Number Title Priority Date Filing Date
US17/028,455 Active US11051168B2 (en) 2019-05-17 2020-09-22 Providing secure access for automatically on-boarded subscribers in Wi-Fi networks

Country Status (1)

Country Link
US (2) US10820201B1 (en)



Also Published As

Publication number Publication date
US10820201B1 (en) 2020-10-27
US20210014684A1 (en) 2021-01-14
US11051168B2 (en) 2021-06-29


Legal Events

Date Code Title Description
AS Assignment

Owner name: CISCO TECHNOLOGY, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:THANGAVELUCHAMY, SUJA;MALLIKARJUNAIAH, NIRANJAN MALLAPURA;KUTTIYAN, ARIES;AND OTHERS;REEL/FRAME:049212/0511

Effective date: 20190510

FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4