WO2013121101A1 - A method, an apparatus and a system for network access control - Google Patents

A method, an apparatus and a system for network access control Download PDF

Info

Publication number
WO2013121101A1
WO2013121101A1 PCT/FI2013/050153 FI2013050153W WO2013121101A1 WO 2013121101 A1 WO2013121101 A1 WO 2013121101A1 FI 2013050153 W FI2013050153 W FI 2013050153W WO 2013121101 A1 WO2013121101 A1 WO 2013121101A1
Authority
WO
WIPO (PCT)
Prior art keywords
mobile device
access
tasks
network
response
Prior art date
Application number
PCT/FI2013/050153
Other languages
French (fr)
Inventor
Antti Tuomas LAPPETELÄINEN
Samuli Juhani SILANTO
Jukka Olavi HONKOLA
Original Assignee
Innorange Oy
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Innorange Oy filed Critical Innorange Oy
Publication of WO2013121101A1 publication Critical patent/WO2013121101A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/107Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security

Definitions

  • the invention relates to network access control.
  • the invention re- lates to a method, an apparatus, a system and a computer program enabling improved captive portal and/or access controller functionality in context of wireless network access.
  • a typical method to acquire customer feedback is to conduct a customer survey by asking a number of customers to fill in a customer survey sheet, either on paper or on a computer after or during a visit to the respective space. This is an example of active customer feedback.
  • Drawbacks of such an approach include uncertainty of actually receiving the customer feedback, possible delay in acquiring the customer feedback, usefulness of the feedback, etc.
  • passive technologies include, for example, monitoring the queu- ing times of the customer within various locations within the space and monitoring the time customers spend within the space to be used as basis for estimating customer satisfaction levels based on the statistics prepared based on the monitored data.
  • camera and radio based identification technologies may be employed to enable passive people monitoring within a phys- ical space.
  • Such approaches may involve monitoring people flow characteristics within a physical space based on analysis of image(s) captured at a certain location and monitoring people flow characteristics based on a number of detected radio transmitters in a certain location, respectively.
  • an additional service is a network access via one or more wireless access points covering the space at least in part.
  • the network access may be provided either free of charge or at a moderate price.
  • typically the access to a network via the wireless access points controlled by the operator of the space requires acquisition of access credentials, e.g. a username and a password, in order to enable access control and authentication.
  • access credentials e.g. a username and a password
  • an apparatus comprising a device analyzer configured to receive a network access request from a mobile device, the access request comprising information indicative of an address of the mobile device, to obtain an address of an access controller, and to obtain, on basis of the address of the mobile device, auxiliary information associated with the mobile device.
  • the apparatus further comprises a device controller configured to select, based at least in part on the auxilia- ry information, one or more tasks for presentation to a user of the mobile device as one or more web pages, and to determine an authentication key enabling the mobile device to have access to the network via the access controller, wherein the extent of access is at least in part dependent on a response to said one or more tasks received from the mobile device.
  • a method comprises receiving a network access request from a mobile device, the access request comprising information indicative of an address of the mobile device, obtaining an address of an access controller, and obtaining, on basis of the address of the mobile device, auxiliary information associated with the mobile device.
  • the method further comprises selecting based at least in part on the auxiliary information, one or more tasks for presentation to a user of the mobile device as one or more web pages, and determining an authentication key enabling the mobile device to have access to the network via the access controller, wherein the extent of access is at least in part dependent on a response to said one or more tasks received from the mobile device.
  • a system comprising a device analyzer configured to receive a network access request from a mobile device, the access request comprising information indicative of an address of the mobile device, to obtain an address of an access controller, and to obtain, on basis of the address of the mobile device, auxiliary information associated with the mobile device.
  • the system further comprises a device controller configured to select, based at least in part on the auxiliary information, one or more tasks for presentation to a user of the mobile device as one or more web pages, and to determine an authentication key enabling the mobile device to have access to the network via the access controller, wherein the extent of access is at least in part dependent on a response to said one or more tasks received from the mobile device.
  • a computer program comprises one or more sequences of one or more instructions which, when executed by one or more processors, cause an apparatus to at least perform the method in accordance with the second aspect of the invention.
  • the computer program may be embodied on a volatile or a non-volatile com- puter-readable record medium, for example as a computer program product comprising at least one computer readable non-transitory medium having program code stored thereon, the program code, which when executed by an apparatus, causes the apparatus at least to perform the operations described hereinbefore for the computer program in accordance with the fourth aspect of the invention.
  • Embodiments of the invention enable improved reliability and usability of the passive customer feedback method by combining features of active method for acquiring customer feedback to the passive method via carrying out the customer feedback process between a server apparatus controlled by an operator and a wireless device of a customer as part of the network access control. Embodiments of the invention further allow linking the information obtained through active method(s) to that obtained using passive method(s).
  • Figure 1 schematically illustrates an exemplifying network arrangement.
  • Figure 2 illustrates an example of signaling e.g. in the arrangement of Figure 1 .
  • FIG. 3 schematically illustrates an apparatus according to an embodiment of the invention.
  • Figure 4 illustrates an example of signaling according to an embodiment of the invention.
  • Figure 5 illustrates a method in accordance with an embodiment of the invention.
  • Figure 6 schematically illustrates an exemplifying arrangement for detecting the presence of a mobile device at or close to the predetermined location.
  • Figure 1 schematically illustrates an exemplifying arrangement 100 involving mobile devices 1 10, 1 10' 1 10", wireless access points 130, 130', a network 140, a captive portal 150, a network server 160 and an authentication, authorization and accounting (AAA) server 170.
  • AAA authentication, authorization and accounting
  • Each of the mobile devices 1 10, 1 10', 1 10" may be for example a mobile phone, an internet tablet, a laptop computer, etc.
  • the mobile devices 1 10, 1 10', 1 10" may connect to a respective wireless access point 130, 130' for example over a wireless connection 120, 120' and 120", respectively.
  • the wireless access point 130, 130' may be for example a wireless local area network (WLAN) access point, e.g. according to an IEEE 802.1 1 standard.
  • the wireless access point 130 may employ an access controller 132 configured to allow only authorized devices to access the network 140.
  • the access controller 132 is illustrated as an entity separate from the wireless access points 130, 130', either co-located with or remote to the wireless access point 130, 130'.
  • the access controller 132 may be provided as an entity of one of the wireless access points 130, 130'.
  • the access controller 132 may be configured to carry out an authentication process involving exchange of one or more messages with the AAA server 170
  • the network 140 may be a broadband network, e.g. a packet switched network based on the Internet Protocol (IP) such as the Internet.
  • IP Internet Protocol
  • the wireless access point 130 and the mobile devices 1 10, 1 10' may be considered to be part of a first access network.
  • the first access network may comprise one or more additional wireless access points and/or one or more mobile devices.
  • the mobile device 1 10" and the wireless access point 130' may be considered to be part of a second access network, possibly including one or more other wireless access points and/or one or more mobile devices.
  • the captive portal 150 may be configured to control access to the network 140 via the wireless access point 130 and/or the access controller 132.
  • the captive portal 150 may be configured to provide a login page or a corresponding arrangement enabling user authentication in response to a message received from the mobile device 1 10. While the mobile device 1 10 may not be (yet) authorized to access the network 140, a special arrangement may be provided in order to allow the mobile device 1 10 to access the captive portal 150 via the wireless access point 130, via the access controller 132 and via the network 140. Such arrangement may involve whitelisting the device(s) or server(s) hosting the captive portal entity 150 e.g. at the access controller 132. Similar considerations apply to the mobile device 1 10' accessing the network 140 via the wireless access point 130 and the mobile device 1 10" accessing the network 140 via the wireless access point 130'.
  • the AAA server 170 may be configured, for example, to authenticate a device wishing to access the network 140, determine the device's authorization with respect to service(s) and/or device(s) it wishes to access and/or track the device's usage of the service(s) and/or network resources for network capacity control and billing purposes.
  • the AAA server 170 may be configured to carry out the authentication process with the access controller 132.
  • the AAA server 170 may be for example a RADIUS server or a Diameter server.
  • the AAA server 170 may be a RADIUS server, a Diameter server or any other AAA server within the framework of the logical architecture of the IEEE 802.1 x standard. Consequently, the authentication process involving exchange of one or more mes- sages between the AAA server 170 and the access controller 132 comprises signaling according to the RADIUS protocol or the Diameter protocol, respectively.
  • Figure 2 illustrates an example of signaling between the mobile device 1 10, the wireless access point 130, the access controller 132, the captive portal 150 and the AAA server 170 in a scenario where the mobile device 1 10 that is not (yet) authorized to access the network 140 wishes to access a web page hosted by the network server 160.
  • the wireless access point 130 and the access controller 132 are considered as a single logical entity, although illustrated as separate entities in the exemplifying arrangement 100 in Figure 1 .
  • the mobile device 1 10 tries to send a request to the network server 160 over a wireless connection 120 via the wireless access point 130 and via the network 140 to the network server 160.
  • the access controller 132 may be configured to return a redirect message to the mobile device 1 10.
  • the redirect message may cause the mobile device 1 10 to send a message, e.g. as an http message, to the captive portal 150 over a wireless connection 120 via the wireless access point 130 and via the network 140.
  • the captive portal 150 may be configured to return a page requesting the mobile device 1 10 to provide access credentials, e.g. a username and a password to enable access to the network 140.
  • the mobile device 1 10 may be configured to provide the access credentials based on input from the user of the mobile device 1 10.
  • the user may obtain the access credentials, for example the username and the password, from a service provider having an access to a database comprising access credentials to the AAA server 170.
  • a service provider may be for example, a ticket counter of a movie theater or a theme park, an information desk of a shopping mall or an airport, a bar counter or a cafe counter, etc.
  • the captive portal 150 sends a redirect message including the username and challenge of the password to the mobile device 1 10, subsequently causing the mobile device 1 10 to provide the authentication parameters, e.g. in form of a (redirect) message to the access controller 132, which in turn carries out authentication process that may involve exchanging one or more message - re- sponse pairs with the AAA server 170.
  • the access controller 132 sets the control function to allow the mobile device 1 10 to have access to the network 140.
  • the access controller 132 sends a message, e.g. a redirect message, to the mobile device 1 10 indicating the access to the network 140 being granted, resulting in the mobile device 1 10 being redirected to a landing page hosted or provided by the AAA server 170, by the server 160 or any other server connected to the network 140.
  • the mobile device 1 10 may access the network 140 to extent allowed by the authentication parameters.
  • the wireless access point 130, the access controller 132 and the captive portal 150 are described as separate entities, the functionalities provided by the wireless access point 130, the access controller 132 and the captive portal 150 may be provided by a single entity or de- vice or by two entities or devices.
  • a single entity or device may host the wireless access point 130, the access controller 132 and the captive portal 150 as logical entities, implemented for example as hardware components comprised in the device or implemented at least in part as software processes running on the device.
  • a function or component described as a function or a component of the captive portal 150 may be equally well a function or a component of the access controller 132, or vice versa, without departing from the scope of embodiments of the invention.
  • Figure 3 schematically illustrates an apparatus 300 for controlling access to a network.
  • the apparatus 300 comprises a device analysis unit 310 and a device control unit 320, operatively coupled to the device analysis unit 310.
  • the apparatus 300 may comprise further components or units, such as a processor, a memory, a user interface, a communication interface, etc.
  • the apparatus 300 may receive input from one or more external processing units and/or apparatuses and the apparatus 300 may provide output to one or more external processing units and/or apparatuses.
  • the device analysis unit 310 may also be referred to as a device analyzer, a network analysis unit or a network analyzer, and the device control unit 320 may be also referred to as a device controller.
  • the apparatus 300 may be for example a captive portal 150 or a component of the captive portal 150.
  • the apparatus 300 may be an entity separate from the captive portal 150, e.g. an entity of a device separate from a device hosting or constituting the captive portal 150, operatively cou- pled to the captive portal 150.
  • the device analysis unit 310 is configured to receive a message, for example a network access request, from a mobile device 1 10, the message comprising information indicative of an address of the mobile device 1 10.
  • the message may further comprise an address of an access controller 132 and/or the ad- dress of a wireless access point 130.
  • the message received by the device analysis unit 310 may be any message originating from the mobile device 1 10 and targeted to a server in the network 140. As a particular example, said message may be a message sent by the mobile device 1 10 in response to a redirect message from the access controller 132 as described hereinbefore.
  • the information indicative of the address of the mobile device 1 10 may comprise any information that may be used to identify the mobile device 1 10.
  • the information indicative of the address of the mobile device 1 10 may comprise a link layer address, e.g. a media access control (MAC) layer address, of the mobile device 1 10, which may considered as an address uniquely identifying the mobile device 1 10.
  • the information indicative of the address of the mobile device 1 10 may comprise a network layer address, e.g. an internet protocol (IP) address, allocated for the mobile device 1 10.
  • the device analysis unit 310 may be configured to consult an address resolution protocol (ARP) functionality in order to determine the link layer address of the mobile device 1 10 on basis of network layer address of the mobile device 1 10.
  • ARP address resolution protocol
  • An ARP functionality may be provided for example on basis of a one or more ARP databases that are either locally available within the apparatus 300 or in an device hosting the apparatus 300, or that are avail- able in one or more servers or devices within the network 140 and are hence accessible by the apparatus 300.
  • the device analysis unit 310 is further configured to obtain information indicate of an address of an access controller 132.
  • the access control unit 132 may employ a control function controlling the access to the network 140 via the wireless access point 130.
  • the device analysis unit 310 may be configured to receive the address of the access controller 132 comprised in the message received from the mobile device 1 10 comprising the information indicative of the address of the mobile device 1 10 described hereinbefore. Alternatively, the device analysis unit 310 may be configured to obtain the address in another message or based on a priori information.
  • the device analysis unit 310 may know the address of the access controller 132 based on the fact that the access control unit 132 is the default access control unit and/or the only access control unit assigned to or accessible by the device analysis unit 310 (or the apparatus 300 in general. As another example, the device analysis unit 310 (or the apparatus 300 in general) may be co-located, e.g. at the same entity or device, with the access controller 132, thereby making the address of the access controller 132 implicitly known or locally derivable for the device analysis unit 310.
  • the information indicative of an address of the access controller 132 may comprise a network layer address, e.g. a globally unique IP address or a locally unique (or private) IP address, or a service set identification (SSID) or a basic service set identification (BSSID) information according to a IEEE 802.1 1 standard.
  • the access controller 132 may be an entity separate from the wireless access point 130 or the access controller 132 may be an entity comprised in the wireless access point 130.
  • the device analysis unit 310 is configured to obtain, on basis of the address of the mobile device 1 10, the wireless access point 130, access controller 132 or any combination of the above, auxiliary information associated with the mobile device 1 10.
  • the device analysis unit 310 may be configured to access one or more databases in order to obtain the auxiliary information.
  • the one or more databases may be located at the apparatus 300 or in a device hosting the apparatus 300, or the one or more databases may be available at another device accessible via the network 140.
  • suitable auxiliary information may be provided directly by the mobile device 1 10 or the auxiliary information may be derivable on basis of the address or other identity associated with the mobile device 1 10.
  • information of this type may be obtained from http header information inserted by a browser application at the mobile device 1 10 as part of a message or messages originating therefrom.
  • suitable auxiliary information may be readily available at the apparatus 300, for example stored in a memory accessible by the device analysis unit 310, based on past exchange of information between the apparatus 300 and the mobile device 1 10.
  • the auxiliary information may comprise information descriptive of a history of information associated with mobile device 1 10, such as information indicative of a current location of the mobile device 1 10 and/or information indicative of past location or locations of the mobile device 1 10 and the timing thereof.
  • the auxiliary information may comprise information indicative of the characteristics of the data transmitted and/or received by the mobile device 1 10 over the wireless connection 120 or over any other connections the mobile device 1 10 may have employed during a period of interest.
  • An example of another connection the mobile device 1 10 may have employed is a Bluetooth connection.
  • the auxiliary information may comprise information characterizing the mobile device 1 10 in general, e.g.
  • the auxiliary information may comprise information indicating the mobile device 1 10 being assigned as a personal device of a member of a group. Examples of the groups include habitue of a retail chain, market research panel, registered users of a certain service, etc.
  • the information indicative of the characteristics of the data transmitted and/or received by the mobile device 1 10 may comprise, for example, a history of wireless access requests originated from the mobile device 1 10, responses to forms or other queries (from the wireless access point 130 or another device of the network 14) by the mobile device and/or information indica- tive of amount of data transmitted/received by the mobile device 1 10.
  • the auxiliary information may comprise information that is indicative of reception locations of one or more control messages transmitted and/or received by the mobile device 1 10 over a period of interest.
  • the reception locations may be in- dicative of location of the mobile device 1 10 itself or indicative of location of a wireless access point, e.g. the wireless access point 130 or another access point enabling access to the network 140 or to another network, having received or transmitted the respective control message(s).
  • a location may be determined as geographic coordinates indicating or approx- imating the location, as GPS coordinates or coordinates of any other satellite- based navigation system, as a distance and a direction from a predetermined reference location, etc.
  • a location may be determined by indicating a portion of a predetermined space.
  • a location may be determined indirectly by providing information indicative of an object whose location is known or whose location may be determined e.g. by querying a database via the network 140.
  • An example of such indirect determination of a location is an identification of an access point installed in a fixed position (within a predetermined space), hence enabling indirect determination or approximation of the mobile devices accessing a network via the respective access point.
  • the control messages received and/or transmitted by the mobile device 1 10 referred to hereinbefore may comprise indication(s) on one or more probe requests according to an IEEE 802.1 1 protocol.
  • said control messages received and/or transmitted by the mobile device 1 10 may comprise indication(s) on one or more Bluetooth inquire responses.
  • said con- trol messages received and/or transmitted by the mobile device 1 10 may comprise indication(s) on one or more access requests of other kind to networks or connections different from IEEE 802.1 1 and Bluetooth.
  • mapping between a Bluetooth address and an IEEE 802.1 1 address may be needed.
  • Several methods to map a Bluetooth address with an IEEE802.1 1 address are known in the art. As an example, one may record time and spatial receptions of one or more Bluetooth inquire responses and one or more probe requests according to an IEEE 802.1 1 protocol and obtain the correct pair of Bluetooth and IEEE 802.1 1 addresses by exclusion. In other words, one may determine a pair of Bluetooth and IEEE 802.1 1 addresses as origins of respective control messages approximately at the same time at approximately the same location, thereby indicating a Bluetooth address associated with an IEEE 802.1 1 ad- dress.
  • the device analysis unit 310 may be configured to obtain auxiliary information associated with a number of other mobile devices on basis of their addresses or other pieces of information identifying the other mobile devices.
  • the device analysis unit 310 may be configured to access one or more data- bases in order to obtain the auxiliary information descriptive of a history of information associated with the number of other mobile devices with respect to their current and/or past locations and the timing thereof, as described hereinbefore for the mobile device 1 10.
  • the device analysis unit 310 may be configured to use the ob- tained information indicative of current or a recent location of the mobile device 1 10 and the current or a recent location of the number of other mobile devices to estimate a relative number of mobile devices at or in vicinity of a first location and a number of mobile devices at or in vicinity of a second location.
  • the device analysis unit 310 may be configured to determine a first number of mobile devices as the number of mobile devices that are at or in vicinity of the first location and to determine a second number of mobile devices as the number of mobile devices that are at or in vicinity of the second location.
  • the device analysis unit 310 - or the device control unit 320 - may be configured to provide a message to one or more of the mobile devices at or in vicinity of the second location inviting the (user of the) respective mobile device(s) to move close to the first location.
  • the invitation may involve an additional benefit being available at the first location, such as improved network access, additional services, etc.
  • the device control unit 320 of the apparatus 300 is configured to select, based at least in part on the auxiliary information, one or more tasks for presentation to a user of the mobile device 1 10 as one or more web pages.
  • a task provided for presentation to the user of the mobile device 1 10 may comprise one or more questions for the user of the mobile device 1 10 to respond.
  • a task is considered accomplished once the answers to the one or more questions comprised therein are provided and, in particular, the respective response or responses are received by the device control unit 320.
  • a question may be, for example, a multiple choice question to be answered by ticking a respective box on a web page to be presented for the user of the mobile device 1 10, whereas the respective response to be provided to the device control unit 320 is an indication of the choice made by the user for the respective question.
  • a question may be formulated as an open question, i.e. such that an answer, and consequently a response to the device control unit 320, therefor comprises free text.
  • the one or more tasks may be related to the current and/or a past location of the mobile device 1 10 and/or any services or facilities available at or near the current or the past location of the mobile device 1 10.
  • the device control unit 320 may be configured to provide a predetermined set of tasks for presentation to the user of the mobile device 1 10 on basis of the current and/or a past location of the mobile device 1 10.
  • the past location may be a recent location of the mobile device 1 10, for example a location at or in vicinity of which the mobile device 1 10 has been detected within a prede- termined period of time.
  • the device control unit 320 may be configured to select the one more tasks at least in part on basis of the information characterizing the mobile device 1 10 in general, e.g. with respect to aspects like the manufacturer of the mobile device 1 10, model of the mobile device 1 10, data transmission/reception capabilities of the mobile device 1 10, etc. as described hereinbefore.
  • the one or more tasks may be selected or modified in accordance with the characteristics of the mobile device 1 10.
  • the questions comprised in the one or more tasks may involve, for example, a question or questions regarding the quality of service offered at the current and/or the past location and/or a question or questions regarding the characteristics of the user of the mobile device (such as name, age, contact information, etc.).
  • the questions may ask the user to join in a group such as a habitue or a consumer panel or the question may be based on the answer to the previous question.
  • the device control unit 320 may be configured to provide the one more tasks to the mobile device 1 10 in one or more task-related messages to be sent to the mobile device 1 10, for example in response to the message originating from the mobile device 1 10, sent in response to the redirect message from the wireless access point 130, as described hereinbefore.
  • the one or more tasks may be provided to the mobile device 1 10 in the single message comprising information indicative of all of the one or more tasks or the one more tasks may be provided to the mobile device 1 10 in a number of messages, each comprising one or more of the one or more tasks.
  • a first task-related message comprising one or more tasks may be provided to the mobile device 1 10, followed by a second task-related message comprising one or more tasks only after a response or responses providing answers or replies to the tasks provided in the first task-related message has been received by the device control unit 320.
  • all of the one or more tasks may be provided to the mobile device 1 10 in a single task-related message, and the answers or replies thereto may be received by the device control unit 320 in one or more responses from the mobile device 100.
  • the one or more web pages may comprise a form or forms for presentation of said one or more tasks to the user of the mobile device 1 10. Consequently, the device control unit 320 may be configured to receive the response(s) to said one or more tasks from the mobile device 1 10 as one or more responses com- prising data indicative of the replies or answers by the user to said one or more tasks presented in said form.
  • a response received by the device control unit 320 may comprise answers to a subset of questions comprised in a task, answers to all questions comprised in a task, or answers to questions comprised in two or more of the one or more tasks.
  • a task presented to the user of the mobile device 1 10 as a form on a display of the mobile device 1 10, e.g. via a browser application, may be considered as accomplished once all questions associated with the given task in said form are answered and the respective information is provided as one or more responses to the device control unit 320.
  • the one or more responses may comprise information indicative of the form filled either partially or completely, thereby comprising replies or answers by the user of the mobile device 1 10 to the questions posed to him/her on the form he/she was willing to answer.
  • the one or more web pages may comprise executable code, such as JavaScript, Java, etc., to be executed at the mobile device 1 10. Consequently, the device control unit 320 is configured to receive the response ⁇ ) to said one or more tasks from the mobile device 1 10 as indication of the executable code having been at least partially executed at the mobile device 1 10.
  • the executable code may be configured to cause the mobile device 1 10 to pose a question or questions associated with the one or more tasks in the user interface of the mobile device 1 10 and to provide the answer(s) the user provides as one or more responses to the device control unit 320.
  • the executable code may be configured to cause the mobile device 1 10 to provide a response or responses associated with a given question and/or task to the device control unit 320 once the given question has been answered and/or the given task has been completed.
  • the device control unit 320 may be configured to consider a response received from the mobile device 1 10 to indicate progress in execution of the executable code at the mobile device 1 10, thereby indicating the extent of accomplishment of the one or more tasks by the user of the mobile device 1 10.
  • the executable code may result in a random or a pseudo-random outcome based on the probability distributions determined partly based on one or more of the current location of the mobile device, a recent location of the mobile device 1 10, other information possibly provided by the mobile device 1 10 and the estimated absolute or relative number of other mobile device in the vicinity of the mobile device 1 10.
  • the random or pseudo ran- dom process may be used to cause the mobile device 1 10 to display a message to a user of the mobile device 1 10 at a predetermined probability, which predetermined probability may increase with increasing absolute or relative number of other mobile devices in the vicinity of the mobile device 1 10.
  • the message may involve an invitation to a user of the mobile device 1 10, as de- scribed hereinbefore.
  • the device control unit 320 is configured to determine an authentication key enabling the mobile device 1 10 to have access to the network 140, wherein the extent of access is at least in part dependent on one or more responses to said one or more tasks received from the mobile device 1 10.
  • the device control unit 320 may be configured to determine an authentication key enabling the mobile device 1 10 to have access to the network 140 via the wireless access point 130 and/or via the access controller 132.
  • Determining the authentication key may comprise creating an access profile for a predetermined AAA server of the access network, such as the AAA server 170 of the network 140, and providing to the mobile device 1 10 a message, e.g. an http redirect message, that is configured to initiate the authentication process on basis of the created access profile. Determining the authentication key may further comprise providing the authentication key to the AAA server 170 to enable subsequent authentication process between the AAA server 170 and the mobile device 1 10 to involve e.g. a comparison of the authentication key provided by the device control unit 320 with the authentication key provided by the mobile device 1 10.
  • the authentication key may comprise a username and a password allocated for the mobile device 1 10.
  • the AAA server may comprise e.g. a RADIUS server or a Diame- ter server and, consequently, the authentication process comprises signaling according to the RADIUS protocol or Diameter protocol, respectively.
  • the extent of access may be at least in part dependent on a number of said one or more tasks successfully accomplished, wherein a successfully accomplished task is one for which a response or responses indicat- ing an answer or a reply to all questions comprised in the respective task has been received by the device control unit 320.
  • the extent of access may be, for example, directly proportional to the number of successfully accomplished tasks.
  • the device control unit 320 may be configured to grant a full access in response to at least a predetermined number of the one or more tasks having been successfully accomplished, whereas no access is granted in response to a smaller number of tasks successfully accomplished.
  • the device control unit 320 may be configured to grant a limited access in response to at least a first predetermined number of tasks having been successfully accomplished and to grant a full access in response to at least a second predetermined number of tasks having been successfully accomplished, wherein the first predetermined number is higher than the second predetermined number.
  • the extent of access may be determined, for example, by one or more of dura- tion of the access, available bandwidth during the access and services available during the access.
  • the available bandwidth may be determined differently for transmission and reception (i.e. uplink and downlink, respectively). Consequently, depending on the response(s) to the one or more tasks the mobile device 1 10 provides to the device control unit 320, access with e.g. different du- ration, with different uplink/downlink bandwidth and with different set of available services may be granted.
  • the set of available services may be controlled for example by authorizing the usage of only a limited set of TCP and/or UDP ports.
  • the mobile device 1 10 may be capable of communicating via two or more dif- ferent communication and/or access technologies.
  • the mobile device 1 10 may be capable of communication over a wireless local area network e.g. according to an IEEE 802.1 1 standard as described by an example hereinbefore and further capable of communication over a wireless cellular communication.
  • the cellular access may employ, for example, one or more of the GSM, UMTS, LTE, CDMA, CDMA2000 and WiMax technologies.
  • the captive portal 150 may be configured to make use of location information as the auxiliary information and select one or more tasks for presentation to the user based at least in part on the location information.
  • the location information in this regard may be location information indicative of the current location of the mobile device 1 10 and/or location in- formation indicative of the past location of the mobile device 1 10, e.g. the location of the mobile device 1 10 within a predetermined time period of interest, as described hereinbefore.
  • the selected one or more tasks are to be provided to the user e.g. as one or more questions requesting feedback on user satisfaction.
  • These questions may be open questions or multiple choice questions, depending on the characteristics of information sought from the user.
  • a question may be a multiple choice question providing a predefined set of textual description of the user satisfaction levels for the user of the mobile device 1 10 to choose from, or a question may be an open question requesting user indication of the user satisfaction level e.g. in the range from 1 to 5.
  • the captive portal 150 may be configured to, in response to at least one of user's responses to said one or more questions indicating user satisfaction level at or below a predetermined threshold level, provide for presentation to the user of the mobile device 1 10 a web page presenting the user with a choice to contact by a phone call to a customer feedback center of another person responsible over the customer feedback.
  • the predetermined threshold level may be a fixed level, e.g. the level indicating the lowest user satisfaction among the choices or the task given to the user, or, alternatively, the threshold level may be a reference level calculated on basis of earlier answers from the same mobile device 1 10 or from the earlier answers received from other mobile devices for the same question(s).
  • the example of providing the one or more tasks as one or more questions regarding the user satisfaction generalizes into providing the one or more tasks as questions in general, where the captive portal 150 is configured to provide the web page offering the choice to contact a predetermined phone number, e.g. the customer feedback center, in response to the user selecting one of a respective predetermined subset of potential responses as an answer to one or more of said one or more questions.
  • a predetermined phone number e.g. the customer feedback center
  • the phone call choice may be provided as a 'traditional' cellular call over the cellular communication, such as a GSM call, or the phone call choice may be provided a web-call over the wireless local area network or over the cellular communication, such as a Skype call.
  • the call option may be provided to the user of the mobile device 1 10 by embedding a suitable HTML tag to the web page to be presented to the user of the mobile device 1 10.
  • the captive Portal 150 may employ http-header information to select and prioritize possible call technologies.
  • the captive portal 150 may be configured to obtain information indicative of the current location of the mobile device 1 10 connecting to the network over the wireless connection 120 via the wireless access point 130 and the access controller 132.
  • the current location in this regard may refer to the location of the mobile device 1 10 in the immediate past, e.g. within a few tens of seconds or a few minutes immediately preceding the current time.
  • the captive portal 150 may be configured to provide a predetermined list of one or more options as a task for presentation to the user of the mobile device 1 10 where one or more items associated with the current location are provided as options of said list. The options may be presented as links to be displayed for the user to the mobile device 1 10 to select from.
  • the list of options may be provided as a multiple choice question, where one or more items associated with the current location are provided as the choices of said multi- pie choice question.
  • the captive portal 1 50 may be configured to redirect the mobile device 1 10 to a predetermined web page together with a location information indicator referring to the current location of the mobile device 1 10, wherein the predetermined web page is associated with the option selected by the user of the mobile device 1 10, e.g. the choice made by the us- er of the mobile device 1 10 among the choices of a multiple choice question.
  • the captive portal 150 may use the information indicative of the current location of the mobile device 1 10 as the auxiliary information and to provide a task for presentation to the user of the mobile device 1 10, where the task comprises instructions to select one of one or more Radio-Frequency identification (RFID) tags arranged at or near the location(s) of respective items associated with the current location.
  • RFID Radio-Frequency identification
  • Such a task may be provided for presentation to the user of the mobile device 1 10 e.g. text and/or image(s) instructing the user to select one of said one or more RFID tags.
  • Selecting an RFID tag may comprise, for example, bringing a RFID reader of the mobile de- vice at close proximity to the respective RFID tag or touching the respective RFID tag with the RFID reader of the mobile device 1 10.
  • the in- formation exchanged with the RFID reader and the selected RFID task identifies the selected RFID tag and the associated item, and the information identifying the selected RFID tag and/or item is provided to the captive portal 150 as a response to the task. Consequently, the captive portal 150 may be config- ured to redirect the mobile device 1 10 to a predetermined web page together with a location information indicator referring to the current location of the mobile device 1 10 in accordance with the selected RFI D tag and/or item.
  • the current location may be a location within a department store or a shopping mall
  • the one or more items associated with the current location may be items on display and/or for sale in the vicinity of the current location
  • the mobile device 1 10 may be redirected to a web page providing further information regarding the item corresponding to the choice made by the user in response to the multiple choice question listing the one or more items on display in the vicinity of the current location.
  • the web page whereto the mobile device 1 10 is redirected to may be a web page of a web store offering the item corresponding to the choice made by the user in response to the multiple choice question listing the one or more items for sale in the vicinity of the current location.
  • Figure 6 schematically illustrates an exemplifying arrangement for detecting the mobile device 1 10 at or close to the pre- determined location.
  • Figure 6 illustrates the mobile device 1 10 connecting to the captive portal 150 over the wireless connection 120 and via the wireless access point 130, the access controller 132 and the network 140.
  • Figure 6 further illustrates a presence detector 670 arranged at or close to said predetermined location and a location information database 680.
  • the presence detec- tor 670 may be configured to connect via the network 140 to the location information database 680 and provide information that serves as indication of the mobile device 1 10 (and/or other mobile devices) being detected within the operating range of the presence detector 670 to be stored in the location information database 680.
  • the captive portal 150 may be further configured to access the location information database 680 and to initiate the above- described provision of the predetermined multiple choice question regarding one or more items associated with the current location of the mobile device for presentation to the user of the mobile device 1 10 in response to encountering an indication of the presence of the mobile device 1 10 at or close to the location of the presence detector 670.
  • the captive portal 150 may be further con- figured to return, in response to receiving a response to one or more presented tasks from the mobile device 1 10, a web page comprising a machine-readable code for presentation to the user of the mobile device 1 10.
  • a machine- readable code may be for example a bar code, which may be e.g. a conventional linear or one-dimensional bar code or a two-dimensional bar code.
  • the bar code may entitle the user of the mobile device 1 10, for example, to have access or admittance to one or more physical spaces and/or events, to one or more services, to one more discounts at given locations.
  • the bar code may be provided, optionally, with text and/or image(s) e.g.
  • the presence detector 670 may comprise for example a WiFi signal monitor configured to detect signaling between a mobile device and a wireless access point within the operating range of the presence detector 670.
  • WiFi signal monitors are known in the art.
  • the captive portal 150 may be further configured to, in response to a failure to obtain recent location information regarding the mobile device 1 10 from the location information database 680, return a web page that is arranged to invoke data traffic over the wireless connection 120 for presentation to the user of the mobile device 1 10 and to subsequently re-enquire location information indicating the mobile device 1 10 hav- ing been detected within the operating range of the presence detector 670 from the location information database 680.
  • the location of the mobile device 1 10 may be determined by the mobile device 1 10 itself e.g. by using one or more of a RFID, a bar code, a Bluetooth and/or a WLAN.
  • the mobile device 1 10 may be configured to read a RFID tag or a bar code included in the presence detector 670.
  • the employed RFID technology may comprise, for example, near field communication (NFC) as known in the art.
  • the mobile device 1 10 may be configured to read a signal transmitted by a Bluetooth transmitter included in the presence detector 670, the Bluetooth transmitter employing e.g.
  • the mobile device 1 10 may be configured to employ a pseudo-satellite technology based indoor position system, typically referred to as pseudolite, as known in the art. In such cases where the mobile device 1 10 is actively participating in the determination of its location, the mobile device 1 10 may be configured to make a http request with positioning coordinates indicative of its location.
  • SLAM simultaneous location and mapping
  • HAIP high-accuracy indoor positioning
  • the access controller 132 re- directs the request to captive portal 150, wherein the access controller 132 may add its own identity or location information to the redirected request.
  • the captive portal 150 may use the location information received therein to provide the predetermined multiple choice question as a task for presentation to the user of the mobile device 1 10 with one or more items associated with the current location provided as the choices of said multiple choice question, as described hereinbefore.
  • suitable positioning technology candidates are NFC, HAIP (high-accuracy indoor positioning) and Bluetooth Slam.
  • the procedures assigned to the device analysis unit 310 and the device con- trol unit 320 described hereinbefore may be divided between the units in a different manner, or the apparatus 300 may comprise further units that may be configured to perform some of the procedures described hereinbefore for the device analysis unit 310 and the device control unit 320.
  • the procedures the device analysis unit 310 and the device control unit 320 are configured to perform may be assigned to a single processing unit within the apparatus 300 instead.
  • the apparatus 300 may comprise means for receiving a network access request from a mobile device 1 10, the access request comprising information indicative of an address of the mobile device, means for obtaining an address of an access controller 132, means for obtain- ing, on basis of the address of the mobile device 1 10, auxiliary information associated with the mobile device 1 10, means for selecting, based at least in part on the auxiliary information, one or more tasks for presentation to a user of the mobile device 1 10 as one or more web pages, and means for determining an authentication key enabling the mobile device 1 10 to have access to the net- work, wherein the extent of access is at least in part dependent on a response to said one or more tasks received from the mobile device 1 10.
  • Figure 4 illustrates an example of signaling between the mobile device 1 10, the wireless access point 130, the access controller 132, the captive portal 150 and the AAA server 170 in a scenario where the mobile device 1 10 that is not (yet) authorized to access the network 140 wishes to access a web page host- ed by the network server 160, wherein the captive portal 150 comprises the apparatus 300 or the apparatus 300 operates as the captive portal 150.
  • the wireless access point 130 and the access controller 132 are considered as a single logical entity, although illustrated as separate entities in the exemplifying arrangement 100 in Figure 1 .
  • the mobile device 1 10 In order to access the web page the mobile device 1 10 tries to send a request to the network server 160 over a wireless connection 120 via the wireless access point 130 and via the network 140 to the network server 160.
  • the access controller 132 may be configured to return a redirect message to the mobile device 1 10.
  • the redirect message may cause the mobile device 1 10 to send a message, e.g. as an http message, to the captive portal 150 over a wireless connection 120 via the wireless access point 130 and via the network 140, wherein the message, which may be considered as a network access request from the mobile device 1 10, comprises address of the mobile device or other indicator identifying the mobile device 1 10.
  • the captive portal 150 is configured to obtain on basis of the address of the mobile device 1 10, auxiliary information associated with the mobile device 1 10, to select, based at least in part on the auxiliary in- formation, one or more tasks for presentation to a user of the mobile device 1 10 as one or more web pages, and to determine an authentication key enabling the mobile device 1 10 to have access to the network, wherein the extent of access is at least in part dependent on a response to said one or more tasks received from the mobile device 1 10, as described in more detail hereinbefore.
  • the provision of the one or more tasks to the mobile device 1 10 and reception of the respective one or more responses at the captive portal 150 may involve one or more messages or signals being exchanged between the captive portal 150 and the mobile device 1 10, e.g.
  • one or more task-related messages to be sent from the captive portal 150 to the mobile device 1 10 and the respective response(s) from the mobile device 1 10 to be received at the captive portal 150.
  • These messages are indicated in Figure 4 by the rectangle 410 depicted using a dashed line.
  • the captive portal 150 sends a message to the AAA to provide authentication parameters, e.g. a username and a password, that will subsequently enable the mobile device 1 10 to access the network 140 and hence the web page hosted by the network server 160.
  • the captive portal 150 sends a redirect message to the mobile device 1 10, subsequently causing the mobile device 1 10 to send a message, e.g. in form of a (redirect) message, to the access controller 132, which in turn carries out authentication process on behalf of the mobile device 1 10.
  • the authentication process may involve the access controller 132 exchanging one or more message - response pairs with the AAA server 170.
  • the access controller 132 sets the control function to allow the mobile device 1 10 to have access to the network 140.
  • the access controller 132 sends a message, e.g. a redirect message, to the mobile device 1 10 indicating the access to the network 140 being granted, resulting in the mobile device 1 10 being redirected to a landing page hosted or provided by the AAA server 170, by the server 160 or by another server connected to the network 140.
  • the mobile device 1 10 may access the network 140 to extent allowed by the authentication parameters.
  • the procedures assigned to the device analysis unit 310 and the device control unit 320 described hereinbefore may be divided between the units in a different manner, or the procedures assigned to the device analysis unit 310 and the device control unit 320 may be divided between more than a single apparatus. Consequently, a system or an arrangement for controlling an access to a network may be provided, the system or the arrangement comprising the device analysis unit 310 and the device control unit 320, wherein the device analysis unit 310 is configured to receive a network access request from a mobile device 1 10, the access request comprising information indicative of an address of the mobile device 1 10, to obtain an address of an access controller 132 and to obtain, on basis of the address of the mobile device 1 10, auxiliary information associated with the mobile device 1 10.
  • the device control unit 320 is configured to select, based at least in part on the auxiliary information, one or more tasks for presentation to a user of the mobile device 1 10 as one or more web pages, and to determine an authentication key enabling the mobile device 1 10 to have access to the network 140 via the access controller 132, wherein the extent of access is at least in part dependent on a response to said one or more tasks received from the mobile device 1 10.
  • FIG. 5 illustrates a method 500 in accordance with an embodiment of the invention.
  • the method 500 may be arranged to control access to a network 140 by carrying out the steps and/or procedures described hereinbefore in context of the apparatus 300.
  • the method 500 comprises receiving a network access request from a mobile device 1 10, the access request comprising information indicative of an address of the mobile device 1 10, as indicated in step 510.
  • the method 500 further comprises obtaining an address of an access controller 132, as indicated in step 520, and obtaining, on basis of the address of the mobile device 1 10, auxiliary information associated with the mobile device 1 10, as indicated in step 530.
  • the method 500 further comprises selecting, based at least in part on the auxiliary information, one or more tasks for presentation to a user of the mobile device 1 10 as one or more web pages, as indicated in step 540, and determining an authentication key enabling the mobile device 1 10 to have access to the network 140 via the access controller 132, wherein the extent of access is at least in part dependent on a response to said one or more tasks received from the mobile de- vice, as indicated in step 550.
  • the apparatus 300 may be implemented as hardware alone, for example as an electric circuit, as a programmable or non-programmable processor, as a microcontroller, etc.
  • the apparatus 300 may have certain aspects implemented as software alone or can be implemented as a combination of hardware and software.
  • the apparatus 300 may be implemented using instructions that enable hardware functionality, for example, by using executable computer program instructions in a general-purpose or special-purpose processor that may be stored on a computer readable storage medium to be executed by such a processor.
  • the apparatus may further comprise a memory as the computer readable stor- age medium the processor is configured to read from and write to.
  • the memory may store a computer program comprising computer-executable instructions that control the operation of the apparatus 300 when loaded into the processor.
  • the processor is able to load and execute the computer program by reading the computer-executable instructions from memory
  • the processor may comprise one or more processors or processing units and the memory may comprise one or more memories or memory units. Consequently, the computer program, comprising one or more sequences of one or more instructions that, when executed by the one or more processors, cause an apparatus to perform steps implementing a method in accordance with an aspect of the invention.
  • references to a processor or a processing unit should not be understood to encompass only programmable processors, but also dedicated circuits such as field-programmable gate arrays (FPGA), application specific circuits (ASIC), signal processors, etc.
  • FPGA field-programmable gate arrays
  • ASIC application specific circuits
  • Signal processors etc.
  • functions have been described with reference to certain features, those functions may be performable by other features whether described or not.
  • Alt- hough features have been described with reference to certain embodiments, those features may also be present in other embodiments whether described or not.

Abstract

An arrangement for controlling access to a network is provided. The arrange- ment comprises receiving a network access request from a mobile device, the access request comprising information indicative of an address of the mobile device, obtaining an address of an access controller, and obtaining, on basis of the address of the mobile device, auxiliary information associated with the mobile device. The arrangement further comprises selecting based at least in part on the auxiliary information, one or more tasks for presentation to a user of the mobile device as one or more web pages, and determining an authenti- cation key enabling the mobile device to have access to the network via the access controller, wherein the extent of access is at least in part dependent on a response to said one or more tasks received from the mobile device.

Description

A METHOD, AN APPARATUS AND A SYSTEM FOR NETWORK ACCESS CONTROL
FIELD OF THE INVENTION
The invention relates to network access control. In particular, the invention re- lates to a method, an apparatus, a system and a computer program enabling improved captive portal and/or access controller functionality in context of wireless network access.
BACKGROUND OF THE INVENTION
Many operators of physical spaces - such as theme parks, shopping malls, universities, airports, etc. - pay increasing focus on customer feedback. A typical method to acquire customer feedback is to conduct a customer survey by asking a number of customers to fill in a customer survey sheet, either on paper or on a computer after or during a visit to the respective space. This is an example of active customer feedback. Drawbacks of such an approach include uncertainty of actually receiving the customer feedback, possible delay in acquiring the customer feedback, usefulness of the feedback, etc.
Lately, some operators have started to deploy and utilize passive technologies to obtain information of the customer behavior within the physical space it operates. Such passive technologies include, for example, monitoring the queu- ing times of the customer within various locations within the space and monitoring the time customers spend within the space to be used as basis for estimating customer satisfaction levels based on the statistics prepared based on the monitored data. For example camera and radio based identification technologies may be employed to enable passive people monitoring within a phys- ical space. Such approaches may involve monitoring people flow characteristics within a physical space based on analysis of image(s) captured at a certain location and monitoring people flow characteristics based on a number of detected radio transmitters in a certain location, respectively. However, the amount of information that can be acquired using passive methods and the re- liability thereof may be limited, thereby limiting the applicability of the customer feedback received using passive technologies in providing real benefit to the operator. In parallel, some operators of physical spaces provide additional services for the customers within the space. An example of such an additional service is a network access via one or more wireless access points covering the space at least in part. The network access may be provided either free of charge or at a moderate price. However, typically the access to a network via the wireless access points controlled by the operator of the space requires acquisition of access credentials, e.g. a username and a password, in order to enable access control and authentication. In the operator's point of view the main benefit of provision of network access is to provide an additional service, which is typi- cally independent of the main function of the physical space, that may help prolonging the time a customer spends within the space.
SUMMARY OF THE INVENTION
It is an object of the invention to provide a method, an apparatus and a system for acquiring client-specific information as part of network access control and/or authentication
The objects of the invention are reached by an apparatus, a method, a system and a computer program as defined by the respective independent claims.
According to a first aspect of the invention, an apparatus is provided. The apparatus comprises a device analyzer configured to receive a network access request from a mobile device, the access request comprising information indicative of an address of the mobile device, to obtain an address of an access controller, and to obtain, on basis of the address of the mobile device, auxiliary information associated with the mobile device. The apparatus further comprises a device controller configured to select, based at least in part on the auxilia- ry information, one or more tasks for presentation to a user of the mobile device as one or more web pages, and to determine an authentication key enabling the mobile device to have access to the network via the access controller, wherein the extent of access is at least in part dependent on a response to said one or more tasks received from the mobile device. According to a second aspect of the invention, a method is provided. The method comprises receiving a network access request from a mobile device, the access request comprising information indicative of an address of the mobile device, obtaining an address of an access controller, and obtaining, on basis of the address of the mobile device, auxiliary information associated with the mobile device. The method further comprises selecting based at least in part on the auxiliary information, one or more tasks for presentation to a user of the mobile device as one or more web pages, and determining an authentication key enabling the mobile device to have access to the network via the access controller, wherein the extent of access is at least in part dependent on a response to said one or more tasks received from the mobile device.
According to a third aspect of the invention, a system is provided. The system comprises a device analyzer configured to receive a network access request from a mobile device, the access request comprising information indicative of an address of the mobile device, to obtain an address of an access controller, and to obtain, on basis of the address of the mobile device, auxiliary information associated with the mobile device. The system further comprises a device controller configured to select, based at least in part on the auxiliary information, one or more tasks for presentation to a user of the mobile device as one or more web pages, and to determine an authentication key enabling the mobile device to have access to the network via the access controller, wherein the extent of access is at least in part dependent on a response to said one or more tasks received from the mobile device.
According to a fourth aspect of the invention, a computer program is provided. The computer program comprises one or more sequences of one or more instructions which, when executed by one or more processors, cause an apparatus to at least perform the method in accordance with the second aspect of the invention.
The computer program may be embodied on a volatile or a non-volatile com- puter-readable record medium, for example as a computer program product comprising at least one computer readable non-transitory medium having program code stored thereon, the program code, which when executed by an apparatus, causes the apparatus at least to perform the operations described hereinbefore for the computer program in accordance with the fourth aspect of the invention.
Embodiments of the invention enable improved reliability and usability of the passive customer feedback method by combining features of active method for acquiring customer feedback to the passive method via carrying out the customer feedback process between a server apparatus controlled by an operator and a wireless device of a customer as part of the network access control. Embodiments of the invention further allow linking the information obtained through active method(s) to that obtained using passive method(s).
The exemplifying embodiments of the invention presented in this patent appli- cation are not to be interpreted to pose limitations to the applicability of the appended claims. The verb "to comprise" and its derivatives are used in this patent application as an open limitation that does not exclude the existence of also unrecited features. The features described hereinafter are mutually freely combinable unless explicitly stated otherwise. The novel features which are considered as characteristic of the invention are set forth in particular in the appended claims. The invention itself, however, both as to its construction and its method of operation, together with additional objects and advantages thereof, will be best understood from the following detailed description of specific embodiments when read in connection with the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 schematically illustrates an exemplifying network arrangement.
Figure 2 illustrates an example of signaling e.g. in the arrangement of Figure 1 .
Figure 3 schematically illustrates an apparatus according to an embodiment of the invention.
Figure 4 illustrates an example of signaling according to an embodiment of the invention.
Figure 5 illustrates a method in accordance with an embodiment of the invention. Figure 6 schematically illustrates an exemplifying arrangement for detecting the presence of a mobile device at or close to the predetermined location.
DETAILED DESCRIPTION
Figure 1 schematically illustrates an exemplifying arrangement 100 involving mobile devices 1 10, 1 10' 1 10", wireless access points 130, 130', a network 140, a captive portal 150, a network server 160 and an authentication, authorization and accounting (AAA) server 170.
Each of the mobile devices 1 10, 1 10', 1 10" may be for example a mobile phone, an internet tablet, a laptop computer, etc. The mobile devices 1 10, 1 10', 1 10" may connect to a respective wireless access point 130, 130' for example over a wireless connection 120, 120' and 120", respectively.
The wireless access point 130, 130' may be for example a wireless local area network (WLAN) access point, e.g. according to an IEEE 802.1 1 standard. The wireless access point 130 may employ an access controller 132 configured to allow only authorized devices to access the network 140. In the exemplifying arrangement 100 the access controller 132 is illustrated as an entity separate from the wireless access points 130, 130', either co-located with or remote to the wireless access point 130, 130'. However, the access controller 132 may be provided as an entity of one of the wireless access points 130, 130'. The access controller 132 may be configured to carry out an authentication process involving exchange of one or more messages with the AAA server 170
The network 140 may be a broadband network, e.g. a packet switched network based on the Internet Protocol (IP) such as the Internet. The wireless access point 130 and the mobile devices 1 10, 1 10' may be considered to be part of a first access network. The first access network may comprise one or more additional wireless access points and/or one or more mobile devices. In a similar manner, the mobile device 1 10" and the wireless access point 130' may be considered to be part of a second access network, possibly including one or more other wireless access points and/or one or more mobile devices. The captive portal 150 may be configured to control access to the network 140 via the wireless access point 130 and/or the access controller 132. In particular, the captive portal 150 may be configured to provide a login page or a corresponding arrangement enabling user authentication in response to a message received from the mobile device 1 10. While the mobile device 1 10 may not be (yet) authorized to access the network 140, a special arrangement may be provided in order to allow the mobile device 1 10 to access the captive portal 150 via the wireless access point 130, via the access controller 132 and via the network 140. Such arrangement may involve whitelisting the device(s) or server(s) hosting the captive portal entity 150 e.g. at the access controller 132. Similar considerations apply to the mobile device 1 10' accessing the network 140 via the wireless access point 130 and the mobile device 1 10" accessing the network 140 via the wireless access point 130'.
The AAA server 170 may be configured, for example, to authenticate a device wishing to access the network 140, determine the device's authorization with respect to service(s) and/or device(s) it wishes to access and/or track the device's usage of the service(s) and/or network resources for network capacity control and billing purposes. The AAA server 170 may be configured to carry out the authentication process with the access controller 132. The AAA server 170 may be for example a RADIUS server or a Diameter server. In particular, in case of an IEEE 802.1 1 compliant wireless access point the AAA server 170 may be a RADIUS server, a Diameter server or any other AAA server within the framework of the logical architecture of the IEEE 802.1 x standard. Consequently, the authentication process involving exchange of one or more mes- sages between the AAA server 170 and the access controller 132 comprises signaling according to the RADIUS protocol or the Diameter protocol, respectively.
In the following, various aspects of the invention are discussed with a reference to the mobile device 1 10 and the wireless access point 130. However, the same description equally applies to any device, mobile or other, accessing the network 140 via a wireless access point, e.g. the mobile device 1 10' accessing the network 140 via the wireless access point 130 or the mobile device 1 10" accessing the network 140 via the wireless access point 130'.
Figure 2 illustrates an example of signaling between the mobile device 1 10, the wireless access point 130, the access controller 132, the captive portal 150 and the AAA server 170 in a scenario where the mobile device 1 10 that is not (yet) authorized to access the network 140 wishes to access a web page hosted by the network server 160. Note that in Figure 2 the wireless access point 130 and the access controller 132 are considered as a single logical entity, although illustrated as separate entities in the exemplifying arrangement 100 in Figure 1 . In order to access the web page the mobile device 1 10 tries to send a request to the network server 160 over a wireless connection 120 via the wireless access point 130 and via the network 140 to the network server 160. In case a control function employed by the access controller 132 does not recognize the mobile device 1 10 as an authorized device, the access controller 132 may be configured to return a redirect message to the mobile device 1 10. The redirect message, in turn, may cause the mobile device 1 10 to send a message, e.g. as an http message, to the captive portal 150 over a wireless connection 120 via the wireless access point 130 and via the network 140. In response to the message sent by the mobile device 1 10, the captive portal 150 may be configured to return a page requesting the mobile device 1 10 to provide access credentials, e.g. a username and a password to enable access to the network 140. The mobile device 1 10 may be configured to provide the access credentials based on input from the user of the mobile device 1 10. The user may obtain the access credentials, for example the username and the password, from a service provider having an access to a database comprising access credentials to the AAA server 170. Such a service provider may be for example, a ticket counter of a movie theater or a theme park, an information desk of a shopping mall or an airport, a bar counter or a cafe counter, etc. The captive portal 150 sends a redirect message including the username and challenge of the password to the mobile device 1 10, subsequently causing the mobile device 1 10 to provide the authentication parameters, e.g. in form of a (redirect) message to the access controller 132, which in turn carries out authentication process that may involve exchanging one or more message - re- sponse pairs with the AAA server 170. In case the authentication messaging results in the access being granted, i.e. the AAA server 170 considers the authentication parameters provided by the mobile device 1 10 to match those provided to the captive portal 150 earlier, the access controller 132 sets the control function to allow the mobile device 1 10 to have access to the network 140. The access controller 132 sends a message, e.g. a redirect message, to the mobile device 1 10 indicating the access to the network 140 being granted, resulting in the mobile device 1 10 being redirected to a landing page hosted or provided by the AAA server 170, by the server 160 or any other server connected to the network 140. Subsequently, the mobile device 1 10 may access the network 140 to extent allowed by the authentication parameters.
Although in the arrangement 100 the wireless access point 130, the access controller 132 and the captive portal 150 are described as separate entities, the functionalities provided by the wireless access point 130, the access controller 132 and the captive portal 150 may be provided by a single entity or de- vice or by two entities or devices. As a particular example, a single entity or device may host the wireless access point 130, the access controller 132 and the captive portal 150 as logical entities, implemented for example as hardware components comprised in the device or implemented at least in part as software processes running on the device. Hence, a function or component described as a function or a component of the captive portal 150 may be equally well a function or a component of the access controller 132, or vice versa, without departing from the scope of embodiments of the invention. However, in the following most of the components and/of functions of an exemplifying apparatus are described in context of the captive portal 150 only for clarity and brevity of description. Figure 3 schematically illustrates an apparatus 300 for controlling access to a network. The apparatus 300 comprises a device analysis unit 310 and a device control unit 320, operatively coupled to the device analysis unit 310. The apparatus 300 may comprise further components or units, such as a processor, a memory, a user interface, a communication interface, etc. In particular, the apparatus 300 may receive input from one or more external processing units and/or apparatuses and the apparatus 300 may provide output to one or more external processing units and/or apparatuses.
The device analysis unit 310 may also be referred to as a device analyzer, a network analysis unit or a network analyzer, and the device control unit 320 may be also referred to as a device controller.
The apparatus 300 may be for example a captive portal 150 or a component of the captive portal 150. As a further example, the apparatus 300 may be an entity separate from the captive portal 150, e.g. an entity of a device separate from a device hosting or constituting the captive portal 150, operatively cou- pled to the captive portal 150.
The device analysis unit 310 is configured to receive a message, for example a network access request, from a mobile device 1 10, the message comprising information indicative of an address of the mobile device 1 10. The message may further comprise an address of an access controller 132 and/or the ad- dress of a wireless access point 130. The message received by the device analysis unit 310 may be any message originating from the mobile device 1 10 and targeted to a server in the network 140. As a particular example, said message may be a message sent by the mobile device 1 10 in response to a redirect message from the access controller 132 as described hereinbefore. The information indicative of the address of the mobile device 1 10 may comprise any information that may be used to identify the mobile device 1 10. As an example, the information indicative of the address of the mobile device 1 10 may comprise a link layer address, e.g. a media access control (MAC) layer address, of the mobile device 1 10, which may considered as an address uniquely identifying the mobile device 1 10. Alternatively or additionally, the information indicative of the address of the mobile device 1 10 may comprise a network layer address, e.g. an internet protocol (IP) address, allocated for the mobile device 1 10. The device analysis unit 310 may be configured to consult an address resolution protocol (ARP) functionality in order to determine the link layer address of the mobile device 1 10 on basis of network layer address of the mobile device 1 10. An ARP functionality may be provided for example on basis of a one or more ARP databases that are either locally available within the apparatus 300 or in an device hosting the apparatus 300, or that are avail- able in one or more servers or devices within the network 140 and are hence accessible by the apparatus 300.
The device analysis unit 310 is further configured to obtain information indicate of an address of an access controller 132. The access control unit 132 may employ a control function controlling the access to the network 140 via the wireless access point 130. The device analysis unit 310 may be configured to receive the address of the access controller 132 comprised in the message received from the mobile device 1 10 comprising the information indicative of the address of the mobile device 1 10 described hereinbefore. Alternatively, the device analysis unit 310 may be configured to obtain the address in another message or based on a priori information. As an example of a priori information, the device analysis unit 310 may know the address of the access controller 132 based on the fact that the access control unit 132 is the default access control unit and/or the only access control unit assigned to or accessible by the device analysis unit 310 (or the apparatus 300 in general. As another example, the device analysis unit 310 (or the apparatus 300 in general) may be co-located, e.g. at the same entity or device, with the access controller 132, thereby making the address of the access controller 132 implicitly known or locally derivable for the device analysis unit 310.
The information indicative of an address of the access controller 132 may comprise a network layer address, e.g. a globally unique IP address or a locally unique (or private) IP address, or a service set identification (SSID) or a basic service set identification (BSSID) information according to a IEEE 802.1 1 standard. As described hereinbefore, the access controller 132 may be an entity separate from the wireless access point 130 or the access controller 132 may be an entity comprised in the wireless access point 130. The device analysis unit 310 is configured to obtain, on basis of the address of the mobile device 1 10, the wireless access point 130, access controller 132 or any combination of the above, auxiliary information associated with the mobile device 1 10. The device analysis unit 310 may be configured to access one or more databases in order to obtain the auxiliary information. The one or more databases may be located at the apparatus 300 or in a device hosting the apparatus 300, or the one or more databases may be available at another device accessible via the network 140.
As further examples, suitable auxiliary information may be provided directly by the mobile device 1 10 or the auxiliary information may be derivable on basis of the address or other identity associated with the mobile device 1 10. In particular, information of this type may be obtained from http header information inserted by a browser application at the mobile device 1 10 as part of a message or messages originating therefrom. As a yet further example, suitable auxiliary information may be readily available at the apparatus 300, for example stored in a memory accessible by the device analysis unit 310, based on past exchange of information between the apparatus 300 and the mobile device 1 10.
The auxiliary information may comprise information descriptive of a history of information associated with mobile device 1 10, such as information indicative of a current location of the mobile device 1 10 and/or information indicative of past location or locations of the mobile device 1 10 and the timing thereof. As a further example, the auxiliary information may comprise information indicative of the characteristics of the data transmitted and/or received by the mobile device 1 10 over the wireless connection 120 or over any other connections the mobile device 1 10 may have employed during a period of interest. An example of another connection the mobile device 1 10 may have employed is a Bluetooth connection. As a yet further example, the auxiliary information may comprise information characterizing the mobile device 1 10 in general, e.g. with respect to aspects like the manufacturer of the mobile device 1 10, model of the mobile device 1 10, data transmission/reception capabilities of the mobile de- vice 1 10, etc. As a yet further example, the auxiliary information may comprise information indicating the mobile device 1 10 being assigned as a personal device of a member of a group. Examples of the groups include habitue of a retail chain, market research panel, registered users of a certain service, etc. In particular, the information indicative of the characteristics of the data transmitted and/or received by the mobile device 1 10 may comprise, for example, a history of wireless access requests originated from the mobile device 1 10, responses to forms or other queries (from the wireless access point 130 or another device of the network 14) by the mobile device and/or information indica- tive of amount of data transmitted/received by the mobile device 1 10.
The auxiliary information, obtained e.g. from one or more databases as described hereinbefore, may comprise information that is indicative of reception locations of one or more control messages transmitted and/or received by the mobile device 1 10 over a period of interest. The reception locations may be in- dicative of location of the mobile device 1 10 itself or indicative of location of a wireless access point, e.g. the wireless access point 130 or another access point enabling access to the network 140 or to another network, having received or transmitted the respective control message(s).
A location may be determined as geographic coordinates indicating or approx- imating the location, as GPS coordinates or coordinates of any other satellite- based navigation system, as a distance and a direction from a predetermined reference location, etc. As further examples, a location may be determined by indicating a portion of a predetermined space. A location may be determined indirectly by providing information indicative of an object whose location is known or whose location may be determined e.g. by querying a database via the network 140. An example of such indirect determination of a location is an identification of an access point installed in a fixed position (within a predetermined space), hence enabling indirect determination or approximation of the mobile devices accessing a network via the respective access point. The control messages received and/or transmitted by the mobile device 1 10 referred to hereinbefore may comprise indication(s) on one or more probe requests according to an IEEE 802.1 1 protocol. As another example, said control messages received and/or transmitted by the mobile device 1 10 may comprise indication(s) on one or more Bluetooth inquire responses. Moreover, said con- trol messages received and/or transmitted by the mobile device 1 10 may comprise indication(s) on one or more access requests of other kind to networks or connections different from IEEE 802.1 1 and Bluetooth.
In order to provide associate a Bluetooth inquire response with a mobile device wishing to access the network 140 via the wireless access point 130, mapping between a Bluetooth address and an IEEE 802.1 1 address may be needed. Several methods to map a Bluetooth address with an IEEE802.1 1 address are known in the art. As an example, one may record time and spatial receptions of one or more Bluetooth inquire responses and one or more probe requests according to an IEEE 802.1 1 protocol and obtain the correct pair of Bluetooth and IEEE 802.1 1 addresses by exclusion. In other words, one may determine a pair of Bluetooth and IEEE 802.1 1 addresses as origins of respective control messages approximately at the same time at approximately the same location, thereby indicating a Bluetooth address associated with an IEEE 802.1 1 ad- dress.
The device analysis unit 310 may be configured to obtain auxiliary information associated with a number of other mobile devices on basis of their addresses or other pieces of information identifying the other mobile devices. In particular, the device analysis unit 310 may be configured to access one or more data- bases in order to obtain the auxiliary information descriptive of a history of information associated with the number of other mobile devices with respect to their current and/or past locations and the timing thereof, as described hereinbefore for the mobile device 1 10.
Consequently, the device analysis unit 310 may be configured to use the ob- tained information indicative of current or a recent location of the mobile device 1 10 and the current or a recent location of the number of other mobile devices to estimate a relative number of mobile devices at or in vicinity of a first location and a number of mobile devices at or in vicinity of a second location. As an example, the device analysis unit 310 may be configured to determine a first number of mobile devices as the number of mobile devices that are at or in vicinity of the first location and to determine a second number of mobile devices as the number of mobile devices that are at or in vicinity of the second location. In response to the first number of mobile devices not exceeding a first predetermined threshold and the second number of mobile devices exceeding a second predetermined threshold, the second predetermined threshold being higher than the first predetermined threshold, the device analysis unit 310 - or the device control unit 320 - may be configured to provide a message to one or more of the mobile devices at or in vicinity of the second location inviting the (user of the) respective mobile device(s) to move close to the first location. The invitation may involve an additional benefit being available at the first location, such as improved network access, additional services, etc.
The device control unit 320 of the apparatus 300 is configured to select, based at least in part on the auxiliary information, one or more tasks for presentation to a user of the mobile device 1 10 as one or more web pages.
A task provided for presentation to the user of the mobile device 1 10 may comprise one or more questions for the user of the mobile device 1 10 to respond. A task is considered accomplished once the answers to the one or more questions comprised therein are provided and, in particular, the respective response or responses are received by the device control unit 320. A question may be, for example, a multiple choice question to be answered by ticking a respective box on a web page to be presented for the user of the mobile device 1 10, whereas the respective response to be provided to the device control unit 320 is an indication of the choice made by the user for the respective question. As another example, a question may be formulated as an open question, i.e. such that an answer, and consequently a response to the device control unit 320, therefor comprises free text.
As an example, the one or more tasks may be related to the current and/or a past location of the mobile device 1 10 and/or any services or facilities available at or near the current or the past location of the mobile device 1 10. In particu- lar, the device control unit 320 may be configured to provide a predetermined set of tasks for presentation to the user of the mobile device 1 10 on basis of the current and/or a past location of the mobile device 1 10. The past location may be a recent location of the mobile device 1 10, for example a location at or in vicinity of which the mobile device 1 10 has been detected within a prede- termined period of time.
As another example, instead of or in addition to using location information in selection of the one or more tasks, the device control unit 320 may be configured to select the one more tasks at least in part on basis of the information characterizing the mobile device 1 10 in general, e.g. with respect to aspects like the manufacturer of the mobile device 1 10, model of the mobile device 1 10, data transmission/reception capabilities of the mobile device 1 10, etc. as described hereinbefore. In other words, the one or more tasks may be selected or modified in accordance with the characteristics of the mobile device 1 10. The questions comprised in the one or more tasks may involve, for example, a question or questions regarding the quality of service offered at the current and/or the past location and/or a question or questions regarding the characteristics of the user of the mobile device (such as name, age, contact information, etc.). As yet further examples, the questions may ask the user to join in a group such as a habitue or a consumer panel or the question may be based on the answer to the previous question.
The device control unit 320 may be configured to provide the one more tasks to the mobile device 1 10 in one or more task-related messages to be sent to the mobile device 1 10, for example in response to the message originating from the mobile device 1 10, sent in response to the redirect message from the wireless access point 130, as described hereinbefore. Depending on the intended format of presenting the tasks to a user of the mobile device 1 10, the one or more tasks may be provided to the mobile device 1 10 in the single message comprising information indicative of all of the one or more tasks or the one more tasks may be provided to the mobile device 1 10 in a number of messages, each comprising one or more of the one or more tasks.
As an example, a first task-related message comprising one or more tasks may be provided to the mobile device 1 10, followed by a second task-related message comprising one or more tasks only after a response or responses providing answers or replies to the tasks provided in the first task-related message has been received by the device control unit 320. As another example, all of the one or more tasks may be provided to the mobile device 1 10 in a single task-related message, and the answers or replies thereto may be received by the device control unit 320 in one or more responses from the mobile device 100.
The one or more web pages may comprise a form or forms for presentation of said one or more tasks to the user of the mobile device 1 10. Consequently, the device control unit 320 may be configured to receive the response(s) to said one or more tasks from the mobile device 1 10 as one or more responses com- prising data indicative of the replies or answers by the user to said one or more tasks presented in said form. A response received by the device control unit 320 may comprise answers to a subset of questions comprised in a task, answers to all questions comprised in a task, or answers to questions comprised in two or more of the one or more tasks.
As an example, a task presented to the user of the mobile device 1 10 as a form on a display of the mobile device 1 10, e.g. via a browser application, may be considered as accomplished once all questions associated with the given task in said form are answered and the respective information is provided as one or more responses to the device control unit 320. The one or more responses may comprise information indicative of the form filled either partially or completely, thereby comprising replies or answers by the user of the mobile device 1 10 to the questions posed to him/her on the form he/she was willing to answer. Alternatively or additionally, the one or more web pages may comprise executable code, such as JavaScript, Java, etc., to be executed at the mobile device 1 10. Consequently, the device control unit 320 is configured to receive the response^) to said one or more tasks from the mobile device 1 10 as indication of the executable code having been at least partially executed at the mobile device 1 10.
The executable code may be configured to cause the mobile device 1 10 to pose a question or questions associated with the one or more tasks in the user interface of the mobile device 1 10 and to provide the answer(s) the user provides as one or more responses to the device control unit 320. The executable code may be configured to cause the mobile device 1 10 to provide a response or responses associated with a given question and/or task to the device control unit 320 once the given question has been answered and/or the given task has been completed. Hence, the device control unit 320 may be configured to consider a response received from the mobile device 1 10 to indicate progress in execution of the executable code at the mobile device 1 10, thereby indicating the extent of accomplishment of the one or more tasks by the user of the mobile device 1 10.
As a further example, the executable code may result in a random or a pseudo-random outcome based on the probability distributions determined partly based on one or more of the current location of the mobile device, a recent location of the mobile device 1 10, other information possibly provided by the mobile device 1 10 and the estimated absolute or relative number of other mobile device in the vicinity of the mobile device 1 10. The random or pseudo ran- dom process may be used to cause the mobile device 1 10 to display a message to a user of the mobile device 1 10 at a predetermined probability, which predetermined probability may increase with increasing absolute or relative number of other mobile devices in the vicinity of the mobile device 1 10. The message may involve an invitation to a user of the mobile device 1 10, as de- scribed hereinbefore.
The device control unit 320 is configured to determine an authentication key enabling the mobile device 1 10 to have access to the network 140, wherein the extent of access is at least in part dependent on one or more responses to said one or more tasks received from the mobile device 1 10. In particular, the device control unit 320 may be configured to determine an authentication key enabling the mobile device 1 10 to have access to the network 140 via the wireless access point 130 and/or via the access controller 132.
Determining the authentication key may comprise creating an access profile for a predetermined AAA server of the access network, such as the AAA server 170 of the network 140, and providing to the mobile device 1 10 a message, e.g. an http redirect message, that is configured to initiate the authentication process on basis of the created access profile. Determining the authentication key may further comprise providing the authentication key to the AAA server 170 to enable subsequent authentication process between the AAA server 170 and the mobile device 1 10 to involve e.g. a comparison of the authentication key provided by the device control unit 320 with the authentication key provided by the mobile device 1 10. The authentication key may comprise a username and a password allocated for the mobile device 1 10. As discussed hereinbefore, the AAA server may comprise e.g. a RADIUS server or a Diame- ter server and, consequently, the authentication process comprises signaling according to the RADIUS protocol or Diameter protocol, respectively.
As an example, the extent of access may be at least in part dependent on a number of said one or more tasks successfully accomplished, wherein a successfully accomplished task is one for which a response or responses indicat- ing an answer or a reply to all questions comprised in the respective task has been received by the device control unit 320.
The extent of access may be, for example, directly proportional to the number of successfully accomplished tasks. As another example, the device control unit 320 may be configured to grant a full access in response to at least a predetermined number of the one or more tasks having been successfully accomplished, whereas no access is granted in response to a smaller number of tasks successfully accomplished. As a yet another example, the device control unit 320 may be configured to grant a limited access in response to at least a first predetermined number of tasks having been successfully accomplished and to grant a full access in response to at least a second predetermined number of tasks having been successfully accomplished, wherein the first predetermined number is higher than the second predetermined number.
The extent of access may be determined, for example, by one or more of dura- tion of the access, available bandwidth during the access and services available during the access. The available bandwidth may be determined differently for transmission and reception (i.e. uplink and downlink, respectively). Consequently, depending on the response(s) to the one or more tasks the mobile device 1 10 provides to the device control unit 320, access with e.g. different du- ration, with different uplink/downlink bandwidth and with different set of available services may be granted. The set of available services may be controlled for example by authorizing the usage of only a limited set of TCP and/or UDP ports.
The mobile device 1 10 may be capable of communicating via two or more dif- ferent communication and/or access technologies. As an example, the mobile device 1 10 may be capable of communication over a wireless local area network e.g. according to an IEEE 802.1 1 standard as described by an example hereinbefore and further capable of communication over a wireless cellular communication. The cellular access may employ, for example, one or more of the GSM, UMTS, LTE, CDMA, CDMA2000 and WiMax technologies. In an exemplifying scenario in this regard, the captive portal 150 may be configured to make use of location information as the auxiliary information and select one or more tasks for presentation to the user based at least in part on the location information. The location information in this regard may be location information indicative of the current location of the mobile device 1 10 and/or location in- formation indicative of the past location of the mobile device 1 10, e.g. the location of the mobile device 1 10 within a predetermined time period of interest, as described hereinbefore.
The selected one or more tasks are to be provided to the user e.g. as one or more questions requesting feedback on user satisfaction. These questions may be open questions or multiple choice questions, depending on the characteristics of information sought from the user. As examples in this regard, a question may be a multiple choice question providing a predefined set of textual description of the user satisfaction levels for the user of the mobile device 1 10 to choose from, or a question may be an open question requesting user indication of the user satisfaction level e.g. in the range from 1 to 5. Consequently, the captive portal 150 may be configured to, in response to at least one of user's responses to said one or more questions indicating user satisfaction level at or below a predetermined threshold level, provide for presentation to the user of the mobile device 1 10 a web page presenting the user with a choice to contact by a phone call to a customer feedback center of another person responsible over the customer feedback. The predetermined threshold level may be a fixed level, e.g. the level indicating the lowest user satisfaction among the choices or the task given to the user, or, alternatively, the threshold level may be a reference level calculated on basis of earlier answers from the same mobile device 1 10 or from the earlier answers received from other mobile devices for the same question(s). The example of providing the one or more tasks as one or more questions regarding the user satisfaction generalizes into providing the one or more tasks as questions in general, where the captive portal 150 is configured to provide the web page offering the choice to contact a predetermined phone number, e.g. the customer feedback center, in response to the user selecting one of a respective predetermined subset of potential responses as an answer to one or more of said one or more questions.
The phone call choice may be provided as a 'traditional' cellular call over the cellular communication, such as a GSM call, or the phone call choice may be provided a web-call over the wireless local area network or over the cellular communication, such as a Skype call. The call option may be provided to the user of the mobile device 1 10 by embedding a suitable HTML tag to the web page to be presented to the user of the mobile device 1 10. As examples in this regard, a cellular call may be provided by a HTML tag of the format "<a href='te\ 358-50-12234567'>Call our quality manager to sort your prob- lem</a>", whereas a web-call may be provided by a HTML tag of the format "<a href="skype:QualityManager?caH"> Call our quality manager to sort your problem </a>". The captive Portal 150 may employ http-header information to select and prioritize possible call technologies. The captive portal 150 may be configured to obtain information indicative of the current location of the mobile device 1 10 connecting to the network over the wireless connection 120 via the wireless access point 130 and the access controller 132. Instead of employing strictly the immediate current location, the current location in this regard may refer to the location of the mobile device 1 10 in the immediate past, e.g. within a few tens of seconds or a few minutes immediately preceding the current time. Using this information indicative of the current location of the mobile device 1 10 as the auxiliary information, the captive portal 150 may be configured to provide a predetermined list of one or more options as a task for presentation to the user of the mobile device 1 10 where one or more items associated with the current location are provided as options of said list. The options may be presented as links to be displayed for the user to the mobile device 1 10 to select from. As an example, the list of options may be provided as a multiple choice question, where one or more items associated with the current location are provided as the choices of said multi- pie choice question. Moreover, the captive portal 1 50 may be configured to redirect the mobile device 1 10 to a predetermined web page together with a location information indicator referring to the current location of the mobile device 1 10, wherein the predetermined web page is associated with the option selected by the user of the mobile device 1 10, e.g. the choice made by the us- er of the mobile device 1 10 among the choices of a multiple choice question.
As another example, the captive portal 150 may use the information indicative of the current location of the mobile device 1 10 as the auxiliary information and to provide a task for presentation to the user of the mobile device 1 10, where the task comprises instructions to select one of one or more Radio-Frequency identification (RFID) tags arranged at or near the location(s) of respective items associated with the current location. Such a task may be provided for presentation to the user of the mobile device 1 10 e.g. text and/or image(s) instructing the user to select one of said one or more RFID tags. Selecting an RFID tag may comprise, for example, bringing a RFID reader of the mobile de- vice at close proximity to the respective RFID tag or touching the respective RFID tag with the RFID reader of the mobile device 1 10. Consequently, the in- formation exchanged with the RFID reader and the selected RFID task identifies the selected RFID tag and the associated item, and the information identifying the selected RFID tag and/or item is provided to the captive portal 150 as a response to the task. Consequently, the captive portal 150 may be config- ured to redirect the mobile device 1 10 to a predetermined web page together with a location information indicator referring to the current location of the mobile device 1 10 in accordance with the selected RFI D tag and/or item.
As an example in this regard, the current location may be a location within a department store or a shopping mall, the one or more items associated with the current location may be items on display and/or for sale in the vicinity of the current location, and the mobile device 1 10 may be redirected to a web page providing further information regarding the item corresponding to the choice made by the user in response to the multiple choice question listing the one or more items on display in the vicinity of the current location. Along similar lines, the web page whereto the mobile device 1 10 is redirected to may be a web page of a web store offering the item corresponding to the choice made by the user in response to the multiple choice question listing the one or more items for sale in the vicinity of the current location.
Since the above-mentioned arrangement, preferably, makes use of rather ac- curate location information, possibly indicating the presence of the mobile device 1 10 within a range of a few meters only, a dedicated arrangement for detecting the presence of the mobile device 1 10 at or in proximity of a predetermined location may be employed. Figure 6 schematically illustrates an exemplifying arrangement for detecting the mobile device 1 10 at or close to the pre- determined location. Figure 6 illustrates the mobile device 1 10 connecting to the captive portal 150 over the wireless connection 120 and via the wireless access point 130, the access controller 132 and the network 140. Figure 6 further illustrates a presence detector 670 arranged at or close to said predetermined location and a location information database 680. The presence detec- tor 670 may be configured to connect via the network 140 to the location information database 680 and provide information that serves as indication of the mobile device 1 10 (and/or other mobile devices) being detected within the operating range of the presence detector 670 to be stored in the location information database 680. The captive portal 150 may be further configured to access the location information database 680 and to initiate the above- described provision of the predetermined multiple choice question regarding one or more items associated with the current location of the mobile device for presentation to the user of the mobile device 1 10 in response to encountering an indication of the presence of the mobile device 1 10 at or close to the location of the presence detector 670. The captive portal 150 may be further con- figured to return, in response to receiving a response to one or more presented tasks from the mobile device 1 10, a web page comprising a machine-readable code for presentation to the user of the mobile device 1 10. Such as a machine- readable code may be for example a bar code, which may be e.g. a conventional linear or one-dimensional bar code or a two-dimensional bar code. The bar code may entitle the user of the mobile device 1 10, for example, to have access or admittance to one or more physical spaces and/or events, to one or more services, to one more discounts at given locations. The bar code may be provided, optionally, with text and/or image(s) e.g. instructing the user where, how and/or when to present and/or apply the bar code. The presence detector 670 may comprise for example a WiFi signal monitor configured to detect signaling between a mobile device and a wireless access point within the operating range of the presence detector 670. Such WiFi signal monitors are known in the art. In a scenario where a WiFi signal monitor is employed as the presence detector 670, the captive portal 150 may be further configured to, in response to a failure to obtain recent location information regarding the mobile device 1 10 from the location information database 680, return a web page that is arranged to invoke data traffic over the wireless connection 120 for presentation to the user of the mobile device 1 10 and to subsequently re-enquire location information indicating the mobile device 1 10 hav- ing been detected within the operating range of the presence detector 670 from the location information database 680.
As another example, the location of the mobile device 1 10 may be determined by the mobile device 1 10 itself e.g. by using one or more of a RFID, a bar code, a Bluetooth and/or a WLAN. As an example in this regard, the mobile device 1 10 may be configured to read a RFID tag or a bar code included in the presence detector 670. The employed RFID technology may comprise, for example, near field communication (NFC) as known in the art. As another example, the mobile device 1 10 may be configured to read a signal transmitted by a Bluetooth transmitter included in the presence detector 670, the Bluetooth transmitter employing e.g. simultaneous location and mapping (SLAM) technology as known in the art, or a WLAN transmitter included in the presence de- tector 670, the WLAN transmitter employing e.g. high-accuracy indoor positioning (HAIP) known in the art, in order to determine and enable indicating its location at or close to the predetermined location of the presence detector 670. As a further example in this regard, the mobile device 1 10 may be configured to employ a pseudo-satellite technology based indoor position system, typically referred to as pseudolite, as known in the art. In such cases where the mobile device 1 10 is actively participating in the determination of its location, the mobile device 1 10 may be configured to make a http request with positioning coordinates indicative of its location. Consequently, the access controller 132 re- directs the request to captive portal 150, wherein the access controller 132 may add its own identity or location information to the redirected request. As the captive portal 150 receives the request, it may use the location information received therein to provide the predetermined multiple choice question as a task for presentation to the user of the mobile device 1 10 with one or more items associated with the current location provided as the choices of said multiple choice question, as described hereinbefore. Especially suitable positioning technology candidates are NFC, HAIP (high-accuracy indoor positioning) and Bluetooth Slam.
The procedures assigned to the device analysis unit 310 and the device con- trol unit 320 described hereinbefore may be divided between the units in a different manner, or the apparatus 300 may comprise further units that may be configured to perform some of the procedures described hereinbefore for the device analysis unit 310 and the device control unit 320. On the other hand, the procedures the device analysis unit 310 and the device control unit 320 are configured to perform may be assigned to a single processing unit within the apparatus 300 instead. In particular, the apparatus 300 may comprise means for receiving a network access request from a mobile device 1 10, the access request comprising information indicative of an address of the mobile device, means for obtaining an address of an access controller 132, means for obtain- ing, on basis of the address of the mobile device 1 10, auxiliary information associated with the mobile device 1 10, means for selecting, based at least in part on the auxiliary information, one or more tasks for presentation to a user of the mobile device 1 10 as one or more web pages, and means for determining an authentication key enabling the mobile device 1 10 to have access to the net- work, wherein the extent of access is at least in part dependent on a response to said one or more tasks received from the mobile device 1 10. Figure 4 illustrates an example of signaling between the mobile device 1 10, the wireless access point 130, the access controller 132, the captive portal 150 and the AAA server 170 in a scenario where the mobile device 1 10 that is not (yet) authorized to access the network 140 wishes to access a web page host- ed by the network server 160, wherein the captive portal 150 comprises the apparatus 300 or the apparatus 300 operates as the captive portal 150. Note that in Figure 4 the wireless access point 130 and the access controller 132 are considered as a single logical entity, although illustrated as separate entities in the exemplifying arrangement 100 in Figure 1 . In order to access the web page the mobile device 1 10 tries to send a request to the network server 160 over a wireless connection 120 via the wireless access point 130 and via the network 140 to the network server 160. In case the control function employed by the s access controller 132 does not recognize the mobile device 1 10 as an authorized device, the access controller 132 may be configured to return a redirect message to the mobile device 1 10. The redirect message, in turn, may cause the mobile device 1 10 to send a message, e.g. as an http message, to the captive portal 150 over a wireless connection 120 via the wireless access point 130 and via the network 140, wherein the message, which may be considered as a network access request from the mobile device 1 10, comprises address of the mobile device or other indicator identifying the mobile device 1 10.
In response to this message the captive portal 150 is configured to obtain on basis of the address of the mobile device 1 10, auxiliary information associated with the mobile device 1 10, to select, based at least in part on the auxiliary in- formation, one or more tasks for presentation to a user of the mobile device 1 10 as one or more web pages, and to determine an authentication key enabling the mobile device 1 10 to have access to the network, wherein the extent of access is at least in part dependent on a response to said one or more tasks received from the mobile device 1 10, as described in more detail hereinbefore. The provision of the one or more tasks to the mobile device 1 10 and reception of the respective one or more responses at the captive portal 150 may involve one or more messages or signals being exchanged between the captive portal 150 and the mobile device 1 10, e.g. one or more task-related messages to be sent from the captive portal 150 to the mobile device 1 10 and the respective response(s) from the mobile device 1 10 to be received at the captive portal 150. These messages are indicated in Figure 4 by the rectangle 410 depicted using a dashed line.
Once the captive portal 150 has received the one or more responses and/or an indication that the mobile device 100 - or a user thereof - has accomplished the one or more tasks to extent the user of the mobile device 1 10 is willing to, the captive portal 150 sends a message to the AAA to provide authentication parameters, e.g. a username and a password, that will subsequently enable the mobile device 1 10 to access the network 140 and hence the web page hosted by the network server 160. After receiving a response from the AAA server 170, the captive portal 150 sends a redirect message to the mobile device 1 10, subsequently causing the mobile device 1 10 to send a message, e.g. in form of a (redirect) message, to the access controller 132, which in turn carries out authentication process on behalf of the mobile device 1 10. The authentication process may involve the access controller 132 exchanging one or more message - response pairs with the AAA server 170. In case the authentication messaging results in the access being granted the access controller 132 sets the control function to allow the mobile device 1 10 to have access to the network 140. The access controller 132 sends a message, e.g. a redirect message, to the mobile device 1 10 indicating the access to the network 140 being granted, resulting in the mobile device 1 10 being redirected to a landing page hosted or provided by the AAA server 170, by the server 160 or by another server connected to the network 140. Subsequently, the mobile device 1 10 may access the network 140 to extent allowed by the authentication parameters. The procedures assigned to the device analysis unit 310 and the device control unit 320 described hereinbefore may be divided between the units in a different manner, or the procedures assigned to the device analysis unit 310 and the device control unit 320 may be divided between more than a single apparatus. Consequently, a system or an arrangement for controlling an access to a network may be provided, the system or the arrangement comprising the device analysis unit 310 and the device control unit 320, wherein the device analysis unit 310 is configured to receive a network access request from a mobile device 1 10, the access request comprising information indicative of an address of the mobile device 1 10, to obtain an address of an access controller 132 and to obtain, on basis of the address of the mobile device 1 10, auxiliary information associated with the mobile device 1 10. The device control unit 320 is configured to select, based at least in part on the auxiliary information, one or more tasks for presentation to a user of the mobile device 1 10 as one or more web pages, and to determine an authentication key enabling the mobile device 1 10 to have access to the network 140 via the access controller 132, wherein the extent of access is at least in part dependent on a response to said one or more tasks received from the mobile device 1 10.
The operations described hereinbefore in context of the apparatus 300 may also be expressed as steps of a method implementing the corresponding function. As an example, Figure 5 illustrates a method 500 in accordance with an embodiment of the invention. The method 500 may be arranged to control access to a network 140 by carrying out the steps and/or procedures described hereinbefore in context of the apparatus 300. The method 500 comprises receiving a network access request from a mobile device 1 10, the access request comprising information indicative of an address of the mobile device 1 10, as indicated in step 510. The method 500 further comprises obtaining an address of an access controller 132, as indicated in step 520, and obtaining, on basis of the address of the mobile device 1 10, auxiliary information associated with the mobile device 1 10, as indicated in step 530. The method 500 further comprises selecting, based at least in part on the auxiliary information, one or more tasks for presentation to a user of the mobile device 1 10 as one or more web pages, as indicated in step 540, and determining an authentication key enabling the mobile device 1 10 to have access to the network 140 via the access controller 132, wherein the extent of access is at least in part dependent on a response to said one or more tasks received from the mobile de- vice, as indicated in step 550.
The apparatus 300 may be implemented as hardware alone, for example as an electric circuit, as a programmable or non-programmable processor, as a microcontroller, etc. The apparatus 300 may have certain aspects implemented as software alone or can be implemented as a combination of hardware and software.
The apparatus 300 may be implemented using instructions that enable hardware functionality, for example, by using executable computer program instructions in a general-purpose or special-purpose processor that may be stored on a computer readable storage medium to be executed by such a processor. The apparatus may further comprise a memory as the computer readable stor- age medium the processor is configured to read from and write to. The memory may store a computer program comprising computer-executable instructions that control the operation of the apparatus 300 when loaded into the processor. The processor is able to load and execute the computer program by reading the computer-executable instructions from memory
While the processor and the memory are hereinbefore referred to as single components, the processor may comprise one or more processors or processing units and the memory may comprise one or more memories or memory units. Consequently, the computer program, comprising one or more sequences of one or more instructions that, when executed by the one or more processors, cause an apparatus to perform steps implementing a method in accordance with an aspect of the invention.
Reference to a processor or a processing unit should not be understood to encompass only programmable processors, but also dedicated circuits such as field-programmable gate arrays (FPGA), application specific circuits (ASIC), signal processors, etc. Features described in the preceding description may be used in combinations other than the combinations explicitly described. Although functions have been described with reference to certain features, those functions may be performable by other features whether described or not. Alt- hough features have been described with reference to certain embodiments, those features may also be present in other embodiments whether described or not.

Claims

1 . A method comprising receiving (510) a network access request from a mobile device (1 10), the access request comprising information indicative of an address of the mobile device (1 10), obtaining an address of an access controller (132), obtaining (520), on basis of the address of the mobile device (1 10), auxiliary information associated with the mobile device (1 10), wherein said auxiliary information comprises information indicative of the location of the mobile device (1 10), selecting (530), based at least in part on the auxiliary information, one or more tasks for presentation to a user of the mobile device (1 10) as one or more web pages, and determining (540) an authentication key enabling the mobile device (1 10) to have access to the network (140) via the access controller (132), wherein the extent of access is at least in part dependent on a response to said one or more tasks received from the mobile device (1 10).
2. A method according to claim 1 , wherein said auxiliary information comprises information indicative of a current and/or a past location of the mobile device (1 10).
3. A method according to claim 1 or 2, wherein said auxiliary information is obtained from one or more databases indicating reception locations of one or more control messages transmitted by the mobile device (1 10).
4. A method according claim 3, wherein said one or more control messages comprise one or more probe requests according to IEEE 802.1 1 protocol.
5. A method according to claim 3 or 4, wherein said one or more control messages comprise one or more Bluetooth inquire responses.
6. A method according to any of claims 1 to 5, wherein said one or more web pages comprise a form for presentation of said one or more tasks to the user of the mobile device (1 10), and wherein the response to said one or more tasks received from the mobile device (1 10) comprises responses to said one or more tasks presented in said form.
7. A method according to any of claims 1 to 6, wherein said one or more web pages comprise executable code to be executed at the mobile device (1 10), and wherein the response to said one or more tasks received from the mobile device (1 10) comprises indication of said executable code having been at least partially executed at the mobile device (1 10).
8. A method according to any of claims 1 to 7, wherein the extent of access is at least in part dependent on a number of said one or more tasks successfully accomplished.
9. A method according to any of claims 1 to 8, wherein the extent of access is determined by one or more of duration of the access, available bandwidth during the access, services available during the access.
10. A method according any of claims 1 to 9, wherein determining the authentication key comprises creating an access profile for a predetermined AAA server of the access network and providing to the mobile device (1 10) a http redirect message configured to initiate an authentication process on basis of the created access profile.
1 1 . A method according to claim 10, wherein the AAA server comprises a RADIUS server and the authentication process comprises RADIUS authentication.
12. A method according to any of claims 1 to 1 1 , wherein said one or more tasks comprise one or more questions and wherein the method further comprises selecting an option to contact a predetermined phone number for presentation to the user of the mobile device (1 10) in a web page in response to the response from the mobile device (1 10) indicating a response within a predetermined subset of potential responses for one or more of said one or more questions.
13. A method according to any of claims 1 to 1 1 , wherein said one or more tasks comprise a list of one or more options with the one or more options representing one or more items in the vicinity of the location of the mobile device (1 10) and wherein the method further comprises redirect- ing the mobile device (1 10) to access a predetermined web page associated with the selected option indicated by the response from the mobile device (1 10) together with a location indicator referring to the location of the mobile device (1 10).
14. A computer program including one or more sequences of one or more instructions which, when executed by one or more processors, cause an apparatus (300) to at least perform the method of any of claims 1 to 13.
15. An apparatus (300) comprising a device analyzer (310) configured to receive a network access request from a mobile device (1 10), the access request comprising information indicative of an address of the mobile device (1 10), obtain an address of an access controller (132), and obtain, on basis of the address of the mobile device (1 10), auxiliary information associated with the mobile device (1 10), wherein said auxiliary information comprises information indicative of the location of the mobile device (1 10); and a device controller (320) configured to select, based at least in part on the auxiliary information, one or more tasks for presentation to a user of the mobile device (1 10) as one or more web pages, and determine an authentication key enabling the mobile device (1 10) to have access to the network (140) via the access controller (132), wherein the extent of access is at least in part dependent on a response to said one or more tasks received from the mobile device.
16. An apparatus according to claim 15, wherein said auxiliary information comprises information indicative of a current and/or a past location of the mobile device (1 10).
17. An apparatus according to claim 15 or 16, wherein the device analyzer is configured to obtain said auxiliary information from one or more databases indicating reception locations of one or more control messages transmitted by the mobile device (1 10).
18. An apparatus according claim 17, wherein said one or more control messages comprise one or more probe requests according to IEEE 802.1 1 protocol.
19. An apparatus according to claim 17 or 18, wherein said one or more control messages comprise one or more Bluetooth inquire responses.
20. An apparatus according to any of claims 15 to 19, wherein said one or more web pages comprise a form for presentation of said one or more tasks to the user of the mobile device (1 10), and wherein the response to said one or more tasks received from the mobile device comprises responses to said one or more tasks presented in said form.
21 . An apparatus according to any of claims 15 to 20, wherein said one or more web pages comprise executable code to be executed at the mo- bile device (1 10), and wherein the response to said one or more tasks received from the mobile device comprises indication of said executable code having been at least partially executed at the mobile device (1 10).
22. An apparatus according to any of claims 15 to 21 , wherein the extent of access is at least in part dependent on a number of said one or more tasks successfully accomplished.
23. An apparatus according to any of claims 15 to 22, wherein the extent of access is determined by one or more of duration of the access, available bandwidth during the access, services available during the access.
24. An apparatus according any of claims 15 to 23, wherein determining the authentication key comprises creating an access profile for a predetermined AAA server of the access network and providing to the mobile device a http redirect message configured to initiate an authentication process on basis of the created access profile.
25. An apparatus according to claim 24, wherein the AAA server comprises a RADIUS server and the authentication process comprises RADIUS authentication.
26. An apparatus according to any of claims 15 to 25, wherein said one or more tasks comprise one or more questions and wherein the method further comprises selecting an option to contact a predetermined phone number for presentation to the user of the mobile device (1 10) in a web page in response to the response from the mobile device (1 10) indicating a response within a predetermined subset of potential responses for one or more of said one or more questions.
27. An apparatus according to any of claims 15 to 25, wherein said one or more tasks comprise a list of one or more options with the one or more options representing one or more items in the vicinity of the location of the mobile device (1 10) and wherein the method further comprises redirecting the mobile device (1 10) to access a predetermined web page associated with the selected option by the response from the mobile device (1 10) together with a location indicator referring to the location of the mobile device (1 10)..
28. A system comprising a device analyzer (310) configured to receive a network access request from a mobile device (1 10), the access request comprising information indicative of an address of the mobile device (1 10), obtain an address of an access controller (132), and obtain, on basis of the address of the mobile device (1 10), auxiliary information associated with the mobile device (1 10), wherein said auxiliary information comprises information indicative of the location of the mobile device (1 10); and a device controller (320) configured to select, based at least in part on the auxiliary information, one or more tasks for presentation to a user of the mobile device (1 10) as one or more web pages, and determine an authentication key enabling the mobile device to have access to the network (140) via the access controller (132), wherein the extent of access is at least in part dependent on a response to said one or more tasks received from the mobile device.
PCT/FI2013/050153 2012-02-15 2013-02-12 A method, an apparatus and a system for network access control WO2013121101A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FI20125175 2012-02-15
FI20125175 2012-02-15

Publications (1)

Publication Number Publication Date
WO2013121101A1 true WO2013121101A1 (en) 2013-08-22

Family

ID=48045570

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2013/050153 WO2013121101A1 (en) 2012-02-15 2013-02-12 A method, an apparatus and a system for network access control

Country Status (1)

Country Link
WO (1) WO2013121101A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2519226A (en) * 2013-09-21 2015-04-15 Avaya Inc Captive portal systems, methods, and devices

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050154925A1 (en) * 2003-11-24 2005-07-14 Interdigital Technology Corporation Tokens/keys for wireless communications
US20080146193A1 (en) * 2006-12-15 2008-06-19 Avaya Technology Llc Authentication Based On Geo-Location History
WO2012010743A1 (en) * 2010-07-23 2012-01-26 Nokia Corporation Method and apparatus for authorizing a user or a user device based on location information

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050154925A1 (en) * 2003-11-24 2005-07-14 Interdigital Technology Corporation Tokens/keys for wireless communications
US20080146193A1 (en) * 2006-12-15 2008-06-19 Avaya Technology Llc Authentication Based On Geo-Location History
WO2012010743A1 (en) * 2010-07-23 2012-01-26 Nokia Corporation Method and apparatus for authorizing a user or a user device based on location information

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2519226A (en) * 2013-09-21 2015-04-15 Avaya Inc Captive portal systems, methods, and devices
US9294920B2 (en) 2013-09-21 2016-03-22 Avaya Inc. Captive portal systems, methods, and devices
US9787502B2 (en) 2013-09-21 2017-10-10 Extreme Networks, Inc. Captive portal systems, methods, and devices
GB2519226B (en) * 2013-09-21 2020-11-04 Extreme Networks Inc Captive portal systems, methods and devices

Similar Documents

Publication Publication Date Title
AU2021202615B2 (en) Systems and methods for scalable-factor authentication
US10156167B2 (en) Mobile device detection and tracking
US10638410B2 (en) Method and device for providing access point information of wireless access point
US9374799B2 (en) Mobile device locating using long term evolution signals
JP5175401B1 (en) Information providing system and information providing method
WO2016022329A1 (en) Short-range device communications for secured resource access
US9572190B2 (en) Device and method for associating with WiFi networks
RU2635389C2 (en) Network detection and connection using device address not correlated with device
JP2014507850A (en) Dynamic wireless network detection system, method and apparatus
WO2011006231A1 (en) Hotspot network access system and method
US20120226622A1 (en) Location And Profile Based System Service
WO2015106275A1 (en) Location aware captive guest portal
WO2009029157A1 (en) System and method for mapping wireless access points
US11140170B2 (en) Network-based partial and full user identification techniques
KR102527491B1 (en) System, Apparatus And Server For Providing Advertisement Using Positional Information Of Beacon
US20210029543A1 (en) Method and device for authenticating device using wireless lan service
JP6125837B2 (en) Information providing system and information providing method
WO2013121101A1 (en) A method, an apparatus and a system for network access control
US9532167B2 (en) Mobile terminal, location information related content providing server, content panel display method, and mobile terminal program
KR20110137068A (en) System and method for producing location information using wifi terminal
JP2017028588A (en) Proxy authentication method and communication device
US20140241330A1 (en) Method and system to provide relevant local service over wi-fi
JP6034185B2 (en) Information providing system and information providing method
KR101838289B1 (en) Method and Apparatus for providing location-based push URL service by using access point

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13713931

Country of ref document: EP

Kind code of ref document: A1

DPE1 Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101)
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13713931

Country of ref document: EP

Kind code of ref document: A1