WO2014181028A1 - Method and apparatus for access control - Google Patents

Method and apparatus for access control

Publication number
WO2014181028A1
Authority
WO
WIPO (PCT)
Prior art keywords
access point
authentication request
authentication
indication
load
Prior art date
Application number
PCT/FI2013/050496
Other languages
French (fr)
Inventor
Sami Johannes Kekki
Original Assignee
Nokia Corporation
Priority date
Filing date
Publication date
Application filed by Nokia Corporation
Priority to PCT/FI2013/050496
Publication of WO2014181028A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W48/00 Access restriction; Network selection; Access point selection
    • H04W48/02 Access restriction performed under specific conditions
    • H04W48/06 Access restriction performed under specific conditions based on traffic conditions
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys

Definitions

  • the present application relates generally to managing a load in an access system, or controlling access of a device into an access system.
  • Wireless communication systems may comprise cellular systems, such as global system for mobile communication, GSM, wideband code division multiple access, WCDMA, or long term evolution, LTE, systems.
  • Wireless communication systems may also comprise non-cellular systems, such as wireless local area network, WLAN, or worldwide interoperability for microwave access, WiMAX, systems.
  • a wireless terminal such as for example a smartphone, may be furnished with capability to attach to more than one type of system, for example a wireless terminal may attach to GSM and WLAN systems. When both types of system are available, the wireless terminal may decide based on various rules, which type of system to use for communication.
  • Rules for system selection may be pre-provisioned in a wireless terminal.
  • the wireless terminal may receive access selection rules from a network, for example from an access network discovery and selection function, ANDSF.
  • a wireless terminal may follow such rules, or a user or application on the wireless terminal may override the rules in selecting an access system.
  • a network operator running a multi-system network comprising cellular and non-cellular parts may offer wide-area coverage to subscribers using the cellular part, and more concentrated hotspot coverage using the non-cellular part.
  • Individual non-cellular cells may be located inside cellular cells, such that a wireless terminal in the area of the non-cellular cell may also be in an area of a cellular cell.
  • Wireless terminals may be furnished with identity modules, such as subscriber identity modules, SIMs, that are configured to interact with a wireless communication system to authenticate the wireless terminals to thereby enable charging and communication secrecy.
  • an identity module may interact with an authentication server comprised in the communication system to verify the identity of the subscriber operating the wireless terminal.
  • the authentication server may challenge the wireless terminal with a nonce, and the wireless terminal may, using the identity module, provide the authentication server with a correct response to the nonce.
  • an apparatus comprising a receiver configured to obtain a load indication of an access point, at least one processing core configured to compile an authentication request comprising the load indication, and a transmitter configured to cause the authentication request to be transmitted toward an authentication server.
  • a method comprising obtaining, in an apparatus, a load indication of an access point, compiling an authentication request comprising the load indication, and causing the authentication request to be transmitted toward an authentication server.
  • an apparatus comprising at least one processor, at least one memory including computer program code, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to at least receive an authentication request requesting a mobile terminal to be authenticated for attaching to an access point, decide, based at least in part on a load indication relating to the access point, whether to grant the authentication request, and cause an indication of the decision to be transmitted.
  • a method comprising receiving an authentication request requesting a mobile terminal to be authenticated for attaching to an access point, deciding, based at least in part on a load indication relating to the access point, whether to grant the authentication request, and causing an indication of the decision to be transmitted.
  • an apparatus comprising at least one processor, at least one memory including computer program code, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to at least receive an authentication request requesting a mobile terminal to be authenticated for attaching to an access point, decide at least in part based on a load indication relating to the access point, whether to deny the authentication request, and wherein when the decision is to deny the authentication request, apparatus is caused to at least one of inform the access point of denial of the authentication request, to not forward the authentication request to an authentication server and to forward the authentication request to an authentication server together with an indication that the authentication request has been denied.
  • FIGURE 1 illustrates an example system capable of supporting at least some embodiments of the invention
  • FIGURE 2 illustrates a block diagram of an apparatus in accordance with an example embodiment of the invention
  • FIGURE 3 is a first signaling diagram showing operations of an example embodiment of the invention.
  • FIGURE 4 is a second signaling diagram showing operations of an example embodiment of the invention.
  • FIGURE 5 is a first flowgraph of a method in accordance with an example embodiment of the invention.
  • FIGURE 6 is a second flowgraph of a method in accordance with an example embodiment of the invention.
  • FIGURE 7 is a third flowgraph of a method in accordance with an example embodiment of the invention.
  • FIGURE 8 is a fourth flowgraph of a method in accordance with an example embodiment of the invention.
  • FIGURE 1 illustrates an example communication system capable of supporting at least some embodiments of the invention. Illustrated is mobile 110, which may comprise, for example, a user equipment, cellular telephone, laptop computer, tablet computer, personal digital assistant, PDA, or other mobile device with connectivity functions. An example of structure of mobile 110 is presented in FIG. 2.
  • FIG. 1 illustrates a system comprising cellular and non-cellular parts. Base station 140 and base station 130 are comprised in a cellular part of the system, and access point 120 is comprised in a non-cellular part of the system.
  • the cellular part may be configured to operate in accordance with a cellular standard such as, for example, WCDMA, LTE or IS-95.
  • the non-cellular part may be configured to operate in accordance with a non-cellular standard, such as WLAN.
  • the non-cellular part may comprise first access points operating in accordance with a first non-cellular standard and second access points operating in accordance with a second non-cellular standard.
  • Base station 140 controls a cell in which mobile 150 is disposed.
  • Mobile 150 is communicatively coupled to base station 140 via wireless link 151.
  • Wireless link 151 may comprise an uplink for conveying information from mobile 150 to base station 140.
  • Wireless link 151 may comprise a downlink for conveying information from base station 140 to mobile 150.
  • Wireless link 151 may operate in accordance with the same cellular standard as the cellular part of the communication system to achieve
  • Base station 140 is in
  • Core network node 160 may comprise, for example, a switch or mobility management entity comprised in a core network of the cellular part of the communication system.
  • Connection 141 may traverse further nodes, which are not illustrated in FIG. 1, between base station 140 and core network node 160.
  • Such further nodes may comprise, for example, base station controllers or radio network controllers, depending on network architecture.
  • Base station 130 controls a cell in which mobile 110 is disposed.
  • the cell coverage area of the cell controlled by base station 130 comprises access point 120, as well as most of the coverage area of a cell controlled by access point 120.
  • The part of the coverage area of the non-cellular cell controlled by access point 120 that lies inside the coverage area of the cell controlled by base station 130 is a coverage overlap area between a cellular cell and a non-cellular cell.
  • Mobile 110 is disposed in the coverage overlap area, wherein mobile 110 is in that aspect capable of communicating with either of base station 130 and access point 120 since it is in range of both.
  • a wireless link 111 is illustrated as connecting mobile 110 to base station 130, and a wireless link 112 is illustrated as connecting mobile 110 to access point 120.
  • Mobile 110 may be capable of simultaneous communication over wireless link 111 and wireless link 112, or alternatively mobile 110 may be capable of communication over only one of them at a time.
  • Wireless links 111 and 112 may comprise uplinks and/or downlinks as described above in connection with wireless link 151.
  • Base station 130 is connected to core network node 160 via connection 131, which may be similar to connection 141.
  • Access point 120, which may operate in accordance with a non-cellular communication standard as discussed above, may be connected to core network node 160 via connection 121, which may be similar to connections 141 and 131.
  • access point 120 may be connected to a different core network node in the core network, wherein such different core network node may comprise, for example, a gateway node configured to interface the cellular core network with the non-cellular part of the communication system.
  • Authentication server 170 may be configured to process authentication requests from mobile terminals seeking access to the communication system, either via the cellular part or via the non-cellular part.
  • mobile 150 accesses the communication system via the cellular part using base station 140.
  • Mobile 110 may choose to access the communication system either via the cellular part using base station 130, or via the non-cellular part using access point 120.
  • mobile 110 may transmit an authentication request such that the authentication request is transmitted from mobile 110 to authentication server 170 via wireless link 111, base station 130, connection 131 and core network node 160.
  • mobile 110 may transmit an authentication request such that the authentication request is transmitted from mobile 110 to authentication server 170 via wireless link 112, access point 120, connection 121 and core network node 160.
  • the authentication request is routed from access point 120 to authentication server 170 via another route, such as via a gateway node interfacing the non-cellular part to the core network.
  • the operator of the communication system may prefer to offload a part of traffic of the cellular cell to the cell controlled by access point 120. This may entail, for example, that a part of mobiles using the cellular cell from the coverage overlap region attach to access point 120 instead of base station 130.
  • the services offered to the mobiles in the non-cellular cell of access point 120 may be similar to those offered in the cellular cell of base station 130; in fact, users of the mobiles may not even notice any difference between them.
  • When the non-cellular cell of access point 120 is highly loaded, a part of the traffic of the non-cellular cell may be offloaded to the cellular cell of base station 130.
  • When the non-cellular cell of access point 120 is highly loaded, a mobile in the coverage area of this non-cellular cell may nonetheless seek to access the non-cellular cell to obtain services. This may be due to preference rules of the mobile, wherein the preference rules may indicate that for certain types of applications or services, a non-cellular access is preferable to a cellular cell.
  • internet browsing or file sharing may be configured as preferably conducted over a non-cellular hotspot, since such hotspots may offer a high data rate and fast response times. If too many users seek to use a non-cellular cell, the quality of service offered to all users of the non-cellular cell may deteriorate.
  • an operator of the communication system comprising the cellular and non-cellular parts may prefer to deny access to a mobile to the non-cellular cell.
  • Access point 120 may be configured to transmit, for example to broadcast, a load indication describing how loaded the non-cellular cell of access point 120 is.
  • a load indication is a "BSS Load Element" according to standards defined by the Institute of Electrical and Electronics Engineers, IEEE.
  • a mobile may use the load indication in deciding whether to use the cellular or non-cellular part of the communication system.
  • An ANDSF of the communication system may configure in mobiles rules defining that a non-cellular cell is to be used only when the load, for example as defined in a load indication from the non-cellular cell, is below a threshold level, the threshold being set in the rules configured in the mobiles by the ANDSF. From the point of view of the operator, this is useful as overloading the non-cellular cell becomes less likely.
  • users of mobiles may override rules configured by ANDSF and attach to highly loaded non-cellular cells regardless of the load.
  • a way for the operator to maintain control of attachment to loaded non-cellular cells is to require mobiles seeking authentication for attachment to non-cellular cells to report a load indication to the cellular core network.
  • a mobile may receive the load indication from access point 120 and include it, or load information derived from it, in an authentication request it sends to authentication server 170.
  • the authentication request may be sent toward authentication server 170 via access point 120 or base station 130, for example.
  • authentication server 170 may perform normal authentication with the mobile, and check whether the load status of the non-cellular cell is low enough to allow the mobile into the non-cellular cell.
  • the authentication server may indicate accepted authentication.
  • authentication server 170 may indicate denied authentication. Indicating denied authentication may comprise transmitting an authentication denial message, which may comprise a cause for the denial, which cause may comprise high load level. Since authentication server 170 is controlled by the operator, the operator is thus enabled to deny access to a highly loaded non-cellular cell via such an authentication procedure.
  • authentication server 170 may decline the authentication request. In this case, authentication server 170 may return a reject message with an indication of cause. The indication of cause may indicate that the load indication was absent in the authentication request as a cause for declining the authentication request.
  • Authentication server 170 may receive a load indication of the non-cellular cell in the authentication request, or alternatively where the authentication request comprises an identity of the non-cellular cell or of access point 120, authentication server 170 may obtain the load status of the non-cellular cell using the received identity. For example, authentication server 170 may query the load status from access point 120, or where access point 120 is configured to update its load status to a database accessible to authentication server 170, authentication server 170 may query the load status from the database. Such a database may be stored in authentication server 170, in a network node in the cellular core network, or elsewhere.
  • a node in the non-cellular part such as, for example, access point 120
  • access point 120 may compare a current load status to a threshold responsive to receiving from authentication server 170 an indication that authentication has been granted to the mobile to access access point 120.
  • the authentication server may provide a load indication of access point 120 to access point 120, wherein the authentication server may have obtained the load indication from an authentication request from the requesting mobile, and the requesting mobile may have obtained the load indication from a radio transmission from access point 120.
  • a node in the non-cellular part such as for example a gateway node for interfacing the non-cellular part with further networks, may be configured to decide whether to allow the requesting mobile access based at least in part on a load status of access point 120.
  • the node may receive an indication of load of access point 120 comprised in an authentication request originating from mobile 110, for example. Based on the indication, the node may decide whether to deny the authentication request. When the decision is to not deny the authentication request in the node, the node may forward the authentication request toward authentication server 170. When the decision is to deny the authentication request, the node may inform access point 120 of the denial, optionally with an indication as to a reason for denial, such as load status.
  • the node may discard the authentication request rather than forward it toward authentication server 170.
  • the node may forward the authentication request toward authentication server 170, wherein the node also informs the authentication server of the denial.
  • An indication of the denial may be added to the authentication request or to a message comprising the authentication request, or the node may inform authentication server 170 of the denial in a separate message.
  • authentication and admission control may be separated.
  • authentication server 170 may perform authentication, and responsive to a decision in authentication server 170 to grant authentication to a mobile requesting to attach to access point 120, the authentication server may be configured to provide an indication of the positive authentication decision together with a load indication to a node comprised in the non-cellular part, which node is then enabled to decide separately, based on the load indication, whether to admit the requesting mobile to access point 120.
  • This node comprised in the non-cellular part may be the access point itself, or another node in the non-cellular part.
  • a first apparatus such as for example mobile
  • the first apparatus may comprise a receiver configured to obtain a load indication of an access point. Where the first apparatus comprises mobile 110, the receiver may comprise a radio receiver of mobile 110. Where the first apparatus comprises a control apparatus, such as for example a processor or chipset, the receiver may comprise an input port of the control device, enabled to receive information from electrical leads internal to mobile 110 when the control device is implanted in mobile 110.
  • a load indication may comprise a BSS Load Element, for example.
  • the first apparatus comprises at least one processing core configured to compile an authentication request comprising the load indication.
  • the authentication request may comply with an authentication protocol such as extensible authentication protocol method for authentication and key agreement, EAP-AKA, or extensible authentication protocol method for subscriber identity module, EAP-SIM, for example.
  • the first apparatus may further comprise a transmitter configured to cause the authentication request to be transmitted toward an authentication server.
  • the transmitter may comprise an output port of the control device, which is enabled to, when the control apparatus is implanted in a mobile 110, cause a radio transmitter of mobile 110 to transmit the authentication request by signaling from the output port to the radio transmitter via electrical leads internal to mobile 110.
  • the access point is a non-cellular access point, such as for example a WLAN or WiMAX access point.
  • a WLAN access point may function according to a version of IEEE 802.11 standards, for example.
  • the load indication is obtained from the access point by receiving a wireless transmission from the access point.
  • the wireless transmission may be a broadcast transmission.
  • a broadcast transmission may comprise a transmission that is not addressed to any receiver or group of receivers in particular.
  • receiving a broadcast transmission does not require a connected state to the access point.
  • the authentication request comprises a request for the first apparatus to be authenticated for attaching to the access point for internet protocol, IP, connectivity.
  • the first apparatus may need IP connectivity for web browsing, for example.
  • the authentication request may be transmitted toward the authentication server via the access point or via a cellular base station.
  • the cellular base station may be a base station with respect to which the apparatus is in a connected or idle mode.
  • a second apparatus such as for example an authentication server.
  • the authentication server may be configured to be connected, directly or indirectly, to a cellular core network.
  • the second apparatus comprises software and hardware that are configured to cause it to receive an authentication request requesting a mobile terminal to be authenticated for attaching to an access point.
  • the authentication request may comply with an authentication protocol such as an EAP protocol, for example.
  • the authentication request may be received via the access point, or via a cellular network.
  • the second apparatus is further caused to decide, based at least in part on a load indication relating to the access point, whether to grant the authentication request; and to cause an indication of the decision to be transmitted.
  • the load indication may be received from the access point comprised in the authentication request, responsive to a query from the second apparatus, or via a database.
  • the second apparatus is configured to compile historical information on a load situation of an access point from load indications.
  • the second apparatus may be configured to dynamically adjust, using the historical information, a load status threshold it uses in deciding whether to grant authentication requests concerning the access point.
  • the load indications used in compiling the historical information may be obtained in connection with previously received authentication requests.
  • a third apparatus such as for example an intermediate node comprised or suitable for inclusion in a non-cellular part of a
  • An example of an intermediate node is a gateway, such as a trusted WLAN gateway.
  • the third apparatus is caused, by a processor and computer program code stored in a memory of the third apparatus, to receive an authentication request requesting a mobile terminal to be authenticated for attaching to an access point.
  • the authentication request may be received from mobile 110, for example, via access point 120, for example.
  • the third apparatus may be caused to decide, based at least in part on a load indication relating to access point 120, whether to deny the authentication request.
  • the load indication may be obtained in the third apparatus from the authentication request or from a database node, for example.
  • FIGURE 3 is a first signaling diagram showing operations of an example embodiment of the invention. Along the vertical axes are illustrated, from left to right, mobile 110, access point 120, core network node 160 and authentication server 170. The presence of core network node 160 is optional. Time advances from top to bottom.
  • mobile 110 receives a load indication, such as a load element, for example by receiving a broadcast radio message from access point 120.
  • mobile 110 requests authentication to access access point 120, for example for IP connectivity.
  • Mobile 110 requests authentication by transmitting to authentication server 170 an authentication request, the authentication request comprising the load indication, received in phase 310, or at least information derived from the received load indication, the information being indicative of load of access point 120.
  • authentication server 170 takes a decision on the authentication request sent in phase 320. The decision may be based at least in part on the information indicative of load of access point 120 that authentication server 170 received in the authentication request of phase 320.
  • phase 340 is performed when the decision is positive, mobile 110 successfully authenticates and the load level in access point 120 is low enough to admit a new mobile.
  • an indication is sent from authentication server informing access point 120 and/or mobile 110 of acceptance of authentication.
  • phase 350 is performed when the decision of phase 330 is negative due to excessive load in access point 120.
  • authentication server informs access point 120 and/or mobile 110 of refusal of authentication with a cause element indicating excessive load.
  • Phase 360 is performed when the decision of phase 330 is negative due to missing information in the authentication request of phase 320. For example, where the authentication request lacks the load indication or other information indicative of load of access point 120, authentication server may refuse the authentication request.
  • phase 360 authentication server informs access point 120 and/or mobile 110 of refusal of
  • FIGURE 4 is a second signaling diagram showing operations of an example embodiment of the invention.
  • the vertical axes correspond to, from left to right, to mobile
  • Node 160 may comprise core network node 160, or node 160 may comprise a node in a non-cellular part such as a trusted WLAN access gateway, for example.
  • node 160 of FIG. 4 is a node comprised in the non-cellular part and not a core network node of the cellular core network.
  • Phase 410 may substantially correspond to phase 310 of FIG. 3 and phase 420 may substantially correspond to phase 320 of FIG. 3.
  • authentication server 170 performs authentication of mobile 110 for access to access point 120, for example for IP connectivity access to access point 120.
  • authentication server 170 indicates an accepted
  • node 160 may perform a load-based admittance decision concerning mobile 110, wherein it may be decided whether to allow mobile 110 to attach to a cell controlled by access point 120.
  • the load-based admittance decision may be based at least in part on the load indication received from authentication server 170.
  • node 160 may inform at least one of access point 120 and mobile 110 of a result of the load-based admittance decision.
  • node 160 may in phase 450 also inform at least one of access point 120 and mobile 110 of a cause for the negative admittance decision, wherein the cause may comprise excessive load or missing load indication, for example. If authentication server 170 indicates in phase 430 failed authentication, node 160 may be configured to convey this indication to access point 120.
  • FIGURE 5 is a first flowgraph of a method in accordance with an example embodiment of the invention.
  • the method of FIG. 5 may be performed in mobile 110, or a control device for use in mobile 110, for example.
  • Phase 510 comprises obtaining, in an apparatus, a load indication of an access point.
  • Phase 520 comprises compiling an authentication request comprising the load indication, and finally phase 530 comprises causing the authentication request to be transmitted toward an authentication server.
  • the apparatus may comprise the mobile 110 or control device, for example.
  • the obtaining of phase 510 may comprise obtaining by receiving from a broadcast radio transmission from the access point, for example.
  • FIGURE 6 is a second flowgraph of a method in accordance with an example embodiment of the invention.
  • the method of FIG. 6 may be performed in authentication server 170, for example.
  • Phase 610 comprises receiving an authentication request requesting a mobile terminal to be authenticated for attaching to an access point.
  • Phase 620 comprises deciding, based at least in part on a load indication, whether to grant the authentication request, and phase 630 comprises causing an indication of the decision to be transmitted.
  • the load indication may be received from the access point, from the authentication request or from a database, for example.
  • the indication of phase 630 may be caused to be transmitted to at least one of the access point and the mobile terminal, for example.
  • FIGURE 7 is a third flowgraph of a method in accordance with an example embodiment of the invention.
  • the method of FIG. 7 may be performed in node 160 of FIG. 4, or in an access point 120, for example.
  • Phase 710 comprises receiving from an authentication server an indication of a decision to grant authentication to a mobile terminal to access an apparatus for internet protocol connectivity.
  • Phase 720 comprises receiving from an authentication server a load indication. The receivings of phases 710 and 720 may be accomplished by receiving a single message comprising the indication of the decision and the load indication, or these indications may be received in distinct messages.
  • phase 730 comprises deciding whether to grant the mobile terminal access to the apparatus based at least in part on the load information.
  • FIGURE 8 is a fourth flowgraph of a method in accordance with an example embodiment of the invention.
  • Phases 810 and 820 may substantially correspond to phases 310 and 320 of FIG. 3, except that the message of phase 820 is received in non-cellular node TWAN instead of authentication server 170, as in FIG. 1.
  • Non-cellular node TWAN is configured to, in phase 840, decide whether to deny the authentication request it received in phase 820. The decision whether to deny may be based at least in part on a load indication relating to access point 120.
  • Non-cellular node TWAN may receive the load indication comprised in the authentication request of phase 820 or from a database node, for example.
  • Phase 830 which is illustrated as 830-A and 830-B comprises non-cellular node TWAN forwarding the authentication request to authentication server 170. Such forwarding may take place before or after phase 840.
  • non-cellular node TWAN is configured to indicate in phase 860 to at least one of access point 120 and mobile 110 that the authentication request is denied regardless of what authentication server indicates to non-cellular node TWAN in phase 850.
  • non-cellular node TWAN is configured to indicate to authentication server that the authentication request is denied. Such an indication may be comprised in the authentication request, a message comprising the authentication request or separate message.
  • In case non-cellular node TWAN indicates the authentication request is denied to authentication server 170, non-cellular node TWAN is configured to indicate in phase 860 to at least one of access point 120 and mobile 110 that the authentication request is denied regardless of what authentication server indicates to non-cellular node TWAN in phase 850. In case the decision of phase 840 is to not deny the authentication request, non-cellular node TWAN may indicate in phase 860 that the authentication request is allowed or denied according to a decision received from authentication server in phase 850; in other words, in this case the decision is left to authentication server 170.
  • FIGURE 2 illustrates a block diagram of an apparatus 10 such as, for example, a mobile terminal, in accordance with an example embodiment of the invention. While several features of the apparatus are illustrated and will be hereinafter described for purposes of example, other types of electronic devices, such as mobile telephones, mobile computers, portable digital assistants, PDAs, pagers, laptop computers, desktop computers, gaming devices, televisions, routers, home gateways, and other types of electronic systems, may employ various embodiments of the invention.
  • the mobile terminal 10 may include at least one antenna 12 in communication with a transmitter 14 and a receiver 16. Alternatively transmit and receive antennas may be separate.
  • the mobile terminal 10 may also include a processor 20 configured to provide signals to and receive signals from the transmitter and receiver, respectively, and to control the functioning of the apparatus.
  • Processor 20 may be configured to control the functioning of the transmitter and receiver by effecting control signaling via electrical leads to the transmitter and receiver.
  • processor 20 may be configured to control other elements of apparatus 10 by effecting control signaling via electrical leads connecting processor 20 to the other elements, such as for example a display or a memory.
  • the processor 20 may, for example, be embodied as various means including circuitry, at least one processing core, one or more microprocessors with accompanying digital signal processor(s), one or more processor(s) without an
  • processors one or more coprocessors, one or more multi-core processors, one or more controllers, processing circuitry, one or more computers, various other processing elements including integrated circuits such as, for example, an application specific integrated circuit, ASIC, or field programmable gate array, FPGA, or some combination thereof. Accordingly, although illustrated in FIG. 2 as a single processor, in some embodiments the processor 20 comprises a plurality of processors or processing cores.
  • Signals sent and received by the processor 20 may include signaling information in accordance with an air interface standard of an applicable cellular system, and/or any number of different wireline or wireless networking techniques, comprising but not limited to Wi-Fi, wireless local access network, WLAN, techniques such as Institute of Electrical and Electronics Engineers, IEEE, 802.11, 802.16, and/or the like.
  • these signals may include speech data, user generated data, user requested data, and/or the like.
  • the apparatus may be capable of operating with one or more air interface standards, communication protocols, modulation types, access types, and/or the like.
  • the apparatus may be capable of operating in accordance with various first generation, 1G, second generation, 2G, 2.5G, third-generation, 3G, communication protocols, fourth-generation, 4G, communication protocols, Internet Protocol Multimedia Subsystem, IMS, communication protocols, for example, session initiation protocol, SIP, and/or the like.
  • the apparatus may be capable of operating in accordance with 2G wireless communication protocols IS-136, Time Division Multiple Access, TDMA, Global System for Mobile communications, GSM, IS-95, Code Division Multiple Access, CDMA, and/or the like.
  • the mobile terminal may be capable of operating in accordance with 2.5G wireless communication protocols General Packet Radio Service, GPRS, Enhanced Data GSM Environment, EDGE, and/or the like.
  • the apparatus may be capable of operating in accordance with 3G wireless communication protocols such as Universal Mobile Telecommunications System, UMTS, Code Division Multiple Access 2000, CDMA2000, Wideband Code Division Multiple Access, WCDMA, Time Division-Synchronous Code Division Multiple Access, TD-SCDMA, and/or the like.
  • the apparatus may be additionally capable of operating in accordance with 3.9G wireless communication protocols such as Long Term Evolution, LTE, or Evolved Universal Terrestrial Radio Access Network, E-UTRAN, and/or the like.
  • the apparatus may be capable of operating in accordance with fourth-generation, 4G, wireless communication protocols such as LTE Advanced and/or the like as well as similar wireless communication protocols that may be developed in the future.
  • the apparatus may be additionally capable of
  • NAMPS Narrow-band Advanced Mobile Phone System
  • Total Access Communication System TACS
  • mobile terminal apparatuses may also benefit from embodiments of this invention, as should dual or higher mode phone apparatuses, for example, digital/analogue or TDMA/CDMA/analogue phones.
  • apparatus 10 may be capable of operating according to Wi-Fi or Worldwide Interoperability for Microwave Access, WiMAX, protocols.
  • the processor 20 may comprise circuitry for implementing audio/video and logic functions of apparatus 10.
  • the processor 20 may comprise a digital signal processor device, a microprocessor device, an analogue-to-digital converter, a digital-to-analogue converter, and/or the like. Control and signal processing functions of the mobile terminal may be allocated between these devices according to their respective capabilities.
  • the processor may additionally comprise an internal voice coder, VC, 20a, an internal data modem, DM, 20b, and/or the like.
  • the processor may comprise functionality to operate one or more software programs, which may be stored in memory. In general, processor 20 and stored software instructions may be configured to cause apparatus 10 to perform actions.
  • processor 20 may be capable of operating a connectivity program, such as a web browser.
  • the connectivity program may allow the mobile terminal 10 to transmit and receive web content, such as location-based content, according to a protocol, such as wireless application protocol, WAP, hypertext transfer protocol, HTTP, and/or the like.
  • Apparatus 10 may also comprise a user interface including, for example, an earphone or speaker 24, a ringer 22, a microphone 26, a display 28, a user input interface, and/or the like, which may be operationally coupled to the processor 20.
  • the processor 20 may comprise user interface circuitry configured to control at least some functions of one or more elements of the user interface, such as, for example, the speaker 24, the ringer 22, the microphone 26, the display 28, and/or the like.
  • the processor 20 and/or user interface circuitry comprising the processor 20 may be configured to control one or more functions of one or more elements of the user interface through computer program instructions, for example, software and/or firmware, stored on a memory accessible to the processor 20, for example, volatile memory 40, non-volatile memory 42, and/or the like.
  • the apparatus may comprise a battery for powering various circuits related to the mobile terminal, for example, a circuit to provide mechanical vibration as a detectable output.
  • the user input interface may comprise devices allowing the apparatus to receive data, such as a keypad 30, a touch display, which is not shown, a joystick, which is not shown, and/or at least one other input device.
  • apparatus 10 may also include one or more means for sharing and/or obtaining data.
  • the apparatus may comprise a short-range radio frequency, RF, transceiver and/or interrogator 64 so data may be shared with and/or obtained from electronic devices in accordance with RF techniques.
  • the apparatus may comprise other short-range transceivers, such as, for example, an infrared, IR, transceiver 66, a Bluetooth™, BT, transceiver 68 operating using Bluetooth™ brand wireless technology developed by the Bluetooth™ Special Interest Group, a wireless universal serial bus, USB, transceiver 70 and/or the like.
  • the Bluetooth™ transceiver 68 may be capable of operating according to low power or ultra-low power Bluetooth™ technology, for example, Wibree™, radio standards.
  • the apparatus 10 and, in particular, the short-range transceiver may be capable of transmitting data to and/or receiving data from electronic devices within a proximity of the apparatus, such as within 10 meters, for example.
  • the apparatus may be capable of transmitting and/or receiving data from electronic devices according to various wireless networking techniques, including 6LoWpan, Wi-Fi, Wi-Fi low power, WLAN techniques such as IEEE 802.11 techniques, IEEE 802.15 techniques, IEEE 802.16 techniques, and/or the like.
  • the apparatus 10 may comprise memory, such as a subscriber identity module, SIM, 38, a removable user identity module, R-UIM, and/or the like, which may store information elements related to a mobile subscriber.
  • the apparatus may comprise other removable and/or fixed memory.
  • the apparatus 10 may include volatile memory 40 and/or non-volatile memory 42.
  • volatile memory 40 may include Random Access Memory, RAM, including dynamic and/or static RAM, on-chip or off-chip cache memory, and/or the like.
  • Non-volatile memory 42 which may be embedded and/or removable, may include, for example, read-only memory, flash memory, magnetic storage devices, for example, hard disks, floppy disk drives, magnetic tape, etc., optical disc drives and/or media, non-volatile random access memory, NVRAM, and/or the like. Like volatile memory 40, non-volatile memory 42 may include a cache area for temporary storage of data. At least part of the volatile and/or non-volatile memory may be embedded in processor 20. The memories may store one or more software programs, instructions, pieces of information, data, and/or the like which may be used by the apparatus for performing functions of the mobile terminal.
  • the memories may comprise an identifier, such as an international mobile equipment identification, IMEI, code, capable of uniquely identifying apparatus 10.
  • Another technical effect of one or more of the example embodiments disclosed herein is that an operator is enabled to control access to non-cellular cells in heterogeneous networks.
  • Embodiments of the present invention may be implemented in software, hardware, application logic or a combination of software, hardware and application logic.
  • the software, application logic and/or hardware may reside on memory 40, the control apparatus 20 or electronic components, for example.
  • the application logic, software or an instruction set is maintained on any one of various conventional computer-readable media.
  • a "computer-readable medium" may be any media or means that can contain, store, communicate, propagate or transport the instructions for use by or in connection with an instruction execution system, apparatus, or device, such as a computer, with one example of a computer described and depicted in FIGURE 2.
  • a computer-readable medium may comprise a computer-readable non-transitory storage medium that may be any media or means that can contain or store the instructions for use by or in connection with an instruction execution system, apparatus, or device, such as a computer.
  • the scope of the invention comprises computer programs configured to cause methods according to embodiments of the invention to be performed.
  • the different functions discussed herein may be performed in a different order and/or concurrently with each other. Furthermore, if desired, one or more of the above-described functions may be optional or may be combined.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

In accordance with an example embodiment of the present invention, there is provided an apparatus, comprising a receiver configured to obtain a load indication of an access point, at least one processing core configured to compile an authentication request comprising the load indication, and a transmitter configured to cause the authentication request to be transmitted toward an authentication server. Nodes comprised in the network may be enabled to decide on the authentication request at least in part based on the load indication, or information derived from it.

Description

METHOD AND APPARATUS FOR ACCESS CONTROL
TECHNICAL FIELD
[0001] The present application relates generally to managing a load in an access system, or controlling access of a device into an access system.
BACKGROUND
[0002] Wireless communication systems may comprise cellular systems, such as global system for mobile communication, GSM, wideband code division multiple access, WCDMA, or long term evolution, LTE, systems. Wireless communication systems may also comprise non-cellular systems, such as wireless local area network, WLAN, or worldwide interoperability for microwave access, WiMAX, systems.
[0003] A wireless terminal, such as for example a smartphone, may be furnished with capability to attach to more than one type of system, for example a wireless terminal may attach to GSM and WLAN systems. When both types of system are available, the wireless terminal may decide based on various rules, which type of system to use for communication.
[0004] Rules for system selection, which may be known as access selection rules, may be pre-provisioned in a wireless terminal. Alternatively, the wireless terminal may receive access selection rules from a network, for example from an access network discovery and selection function, ANDSF. A wireless terminal may follow such rules, or a user or application on the wireless terminal may override the rules in selecting an access system.
[0005] A network operator running a multi-system network comprising cellular and non-cellular parts may offer wide-area coverage to subscribers using the cellular part, and more concentrated hotspot coverage using the non-cellular part. Individual non-cellular cells may be located inside cellular cells, such that a wireless terminal in the area of the non-cellular cell may also be in an area of a cellular cell.
[0006] Wireless terminals may be furnished with identity modules, such as subscriber identity modules, SIMs, that are configured to interact with a wireless communication system to authenticate the wireless terminals to thereby enable charging and communication secrecy. To attach to a communication system, an identity module may interact with an authentication server comprised in the communication system to verify the identity of the subscriber operating the wireless terminal. For example, the authentication server may challenge the wireless terminal with a nonce, and the wireless terminal may, using the identity module, provide the authentication server with a correct response to the nonce.
SUMMARY
[0007] Various aspects of examples of the invention are set out in the claims.
[0008] According to a first aspect of the present invention, there is provided an apparatus, comprising a receiver configured to obtain a load indication of an access point, at least one processing core configured to compile an authentication request comprising the load indication, and a transmitter configured to cause the authentication request to be transmitted toward an authentication server.
[0009] According to a second aspect of the present invention, there is provided a method, comprising obtaining, in an apparatus, a load indication of an access point, compiling an authentication request comprising the load indication, and causing the authentication request to be transmitted toward an authentication server.
[0010] According to a third aspect of the present invention, there is provided an apparatus, comprising at least one processor, at least one memory including computer program code, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to at least receive an authentication request requesting a mobile terminal to be authenticated for attaching to an access point, decide, based at least in part on a load indication relating to the access point, whether to grant the authentication request, and cause an indication of the decision to be transmitted.
[0011] According to a fourth aspect of the present invention, there is provided a method, comprising receiving an authentication request requesting a mobile terminal to be authenticated for attaching to an access point, deciding, based at least in part on a load indication relating to the access point, whether to grant the authentication request, and causing an indication of the decision to be transmitted.
[0012] According to a fifth aspect of the present invention, there is provided an apparatus, comprising at least one processor, at least one memory including computer program code, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to at least receive an authentication request requesting a mobile terminal to be authenticated for attaching to an access point, decide at least in part based on a load indication relating to the access point, whether to deny the authentication request, and wherein when the decision is to deny the authentication request, the apparatus is caused to at least one of inform the access point of denial of the authentication request, to not forward the authentication request to an authentication server and to forward the authentication request to an authentication server together with an indication that the authentication request has been denied.
[0013] According to a further aspect of the present invention there is provided a method of performing the actions the computer program of the fifth aspect causes the apparatus of that aspect to perform.
BRIEF DESCRIPTION OF THE DRAWINGS
[0014] For a more complete understanding of example embodiments of the present invention, reference is now made to the following descriptions taken in connection with the accompanying drawings in which:
[0015] FIGURE 1 illustrates an example system capable of supporting at least some embodiments of the invention;
[0016] FIGURE 2 illustrates a block diagram of an apparatus in accordance with an example embodiment of the invention;
[0017] FIGURE 3 is a first signaling diagram showing operations of an example embodiment of the invention;
[0018] FIGURE 4 is a second signaling diagram showing operations of an example embodiment of the invention;
[0019] FIGURE 5 is a first flowgraph of a method in accordance with an example embodiment of the invention;
[0020] FIGURE 6 is a second flowgraph of a method in accordance with an example embodiment of the invention;
[0021] FIGURE 7 is a third flowgraph of a method in accordance with an example embodiment of the invention, and
[0022] FIGURE 8 is a fourth flowgraph of a method in accordance with an example embodiment of the invention.
DETAILED DESCRIPTION OF THE DRAWINGS
[0023] An example embodiment of the present invention and its potential advantages are understood by referring to FIGURES 1 through 8 of the drawings.
[0024] FIGURE 1 illustrates an example communication system capable of supporting at least some embodiments of the invention. Illustrated is mobile 110, which may comprise, for example, a user equipment, cellular telephone, laptop computer, tablet computer, personal digital assistant, PDA, or other mobile device with connectivity functions. An example of structure of mobile 110 is presented in FIG. 2. FIG. 1 illustrates a system comprising cellular and non-cellular parts. Base station 140 and base station 130 are comprised in a cellular part of the system, and access point 120 is comprised in a non-cellular part of the system. The cellular part may be configured to operate in accordance with a cellular standard such as, for example, WCDMA, LTE or IS-95. The non-cellular part may be configured to operate in accordance with a non-cellular standard, such as WLAN. The non-cellular part may comprise first access points operating in accordance with a first non-cellular standard and second access points operating in accordance with a second non-cellular standard.
[0025] Base station 140 controls a cell in which mobile 150 is disposed. Mobile 150 is communicatively coupled to base station 140 via wireless link 151. Wireless link 151 may comprise an uplink for conveying information from mobile 150 to base station 140. Wireless link 151 may comprise a downlink for conveying information from base station 140 to mobile 150. Wireless link 151 may operate in accordance with the same cellular standard as the cellular part of the communication system to achieve interoperability between the cellular part and mobile 150. Base station 140 is in communication with core network node 160 via connection 141, which may be wire-line or at least in part wireless. Core network node 160 may comprise, for example, a switch or mobility management entity comprised in a core network of the cellular part of the communication system. Connection 141 may traverse further nodes, which are not illustrated in FIG. 1, between base station 140 and core network node 160. Such further nodes may comprise, for example, base station controllers or radio network controllers, depending on network architecture.
[0026] Base station 130 controls a cell in which mobile 110 is disposed. The cell coverage area of the cell controlled by base station 130 comprises access point 120, as well as most of the coverage area of a cell controlled by access point 120. In other words, inside a cell coverage area of the cell controlled by base station 130 is a coverage overlap area between a cellular cell and a non-cellular cell controlled by access point 120. Mobile 110 is disposed in the coverage overlap area, wherein mobile 110 is in that aspect capable of communicating with either of base station 130 and access point 120 since it is in range of both. A wireless link 111 is illustrated as connecting mobile 110 to base station 130, and a wireless link 112 is illustrated as connecting mobile 110 to access point 120. Mobile 110 may be capable of simultaneous communication over wireless link 111 and wireless link 112, or alternatively mobile 110 may be capable of communication over only one of them at a time. Wireless links 111 and 112 may comprise uplinks and/or downlinks as described above in connection with wireless link 151. Base station 130 is connected to core network node 160 via connection 131, which may be similar to connection 141.
[0027] Access point 120, which may operate in accordance with a non-cellular communication standard as discussed above, may be connected to core network node 160 via connection 121, which may be similar to connections 141 and 131. Alternatively, access point 120 may be connected to a different core network node in the core network, wherein such different core network node may comprise, for example, a gateway node configured to interface the cellular core network with the non-cellular part of the communication system.
[0028] Comprised in the core network, or at least communicatively coupled to the core network, is authentication server 170. Authentication server 170 may be configured to process authentication requests from mobile terminals seeking access to the communication system, either via the cellular part or via the non-cellular part. In FIG. 1, mobile 150 accesses the communication system via the cellular part using base station 140. Mobile 110 may choose to access the communication system either via the cellular part using base station 130, or via the non-cellular part using access point 120. When choosing to access the communication system via the cellular part using base station 130, mobile 110 may transmit an authentication request such that the authentication request is transmitted from mobile 110 to authentication server 170 via wireless link 111, base station 130, connection 131 and core network node 160. When choosing to access the communication system via the non-cellular part using access point 120, mobile 110 may transmit an authentication request such that the authentication request is transmitted from mobile 110 to authentication server 170 via wireless link 112, access point 120, connection 121 and core network node 160. In embodiments where access point 120 is not connected to core network node 160, the authentication request is routed from access point 120 to authentication server 170 via another route, such as via a gateway node interfacing the non-cellular part to the core network.
[0029] When the cell controlled by base station 130 becomes highly loaded, for example due to a large number of mobiles attaching to it and using its services, the operator of the communication system may prefer to offload a part of traffic of the cellular cell to the cell controlled by access point 120. This may entail, for example, that a part of mobiles using the cellular cell from the coverage overlap region attach to access point 120 instead of base station 130. The services offered to the mobiles in the non-cellular cell of access point 120 may be similar to those offered in the cellular cell of base station 130; in fact, users of the mobiles may not even notice any difference between them. Likewise, if the non-cellular cell of access point 120 is highly loaded, a part of traffic of the non-cellular cell may be offloaded to the cellular cell of base station 130.
[0030] Where the non-cellular cell of access point 120 is highly loaded, a mobile in the coverage area of this non-cellular cell may nonetheless seek to access the non-cellular cell to obtain services. This may be due to preference rules of the mobile, wherein the preference rules may indicate that for certain types of applications or services, a non-cellular access is preferable to a cellular cell. For example, internet browsing or file sharing may be configured as preferably conducted over a non-cellular hotspot since such hotspots may offer a high datarate and fast response times. If too many users seek to use a non-cellular cell, the quality of service offered to all users of the non-cellular cell may deteriorate. To safeguard the quality of service, an operator of the communication system comprising the cellular and non-cellular parts may prefer to deny access to a mobile to the non-cellular cell.
[0031] Access point 120 may be configured to transmit, for example to broadcast, a load indication describing how loaded the non-cellular cell of access point 120 is. An example of such a load indication is a "BSS Load Element" according to standards defined by the Institute of Electrical and Electronics Engineers, IEEE. A mobile may use the load indication in deciding whether to use the cellular or non-cellular part of the communication system. An ANDSF of the communication system may configure in mobiles rules defining that a non-cellular cell is to be used only when the load, for example as defined in a load indication from the non-cellular cell, is below a threshold level, the threshold being set in the rules configured in the mobiles by the ANDSF. From the point of view of the operator, this is useful as overloading the non-cellular cell becomes less likely. However, users of mobiles may override rules configured by ANDSF and attach to highly loaded non-cellular cells regardless of the load.
[0032] A way for the operator to maintain control of attachment to loaded non-cellular cells is to require mobiles seeking authentication for attachment to non-cellular cells to report a load indication to the cellular core network. For example, a mobile may receive the load indication from access point 120 and include it, or load information derived from it, in an authentication request it sends to authentication server 170. The authentication request may be sent toward authentication server 170 via access point 120 or base station 130, for example. Upon receipt of the authentication request, authentication server 170 may perform normal authentication with the mobile, and check whether the load status of the non-cellular cell is low enough to allow the mobile into the non-cellular cell. When authentication server 170 determines that the load is less than a threshold load level configured in authentication server 170, the authentication server may indicate accepted authentication. Where authentication server 170 determines that the load is above a threshold load level configured in authentication server 170, the authentication server may indicate denied authentication. Indicating denied authentication may comprise transmitting an authentication denial message, which may comprise a cause for the denial, which cause may comprise high load level. Since authentication server 170 is controlled by the operator, the operator is thus enabled to deny access to a highly loaded non-cellular cell via such an authentication procedure.
[0033] In case a mobile 110 seeking authentication to access access point 120 fails to provide the load indication in the authentication request, authentication server 170 may decline the authentication request. In this case, authentication server 170 may return a reject message with an indication of cause. The indication of cause may indicate that the load indication was absent in the authentication request as a cause for declining the authentication request.
[0034] Authentication server 170 may receive a load indication of the non-cellular cell in the authentication request, or alternatively where the authentication request comprises an identity of the non-cellular cell or of access point 120, authentication server 170 may obtain the load status of the non-cellular cell using the received identity. For example, authentication server 170 may query the load status from access point 120, or where access point 120 is configured to update its load status to a database accessible to authentication server 170, authentication server 170 may query the load status from the database. Such a database may be stored in authentication server 170, in a network node in the cellular core network, or elsewhere.
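The authentication-server decision of paragraphs [0032] to [0034], as an added Python example that is not part of the patent text: it validates a BSS Load element carried in the request, falls back to a load database keyed by access point identity, and returns a decision with a cause. The AuthRequest container, the Cause names, the use of the channel utilisation field as the load measure, the threshold of 192 and the choice to deny at exactly the threshold are assumptions made for illustration.

```python
import struct
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple

BSS_LOAD_ELEMENT_ID = 11  # IEEE 802.11 element ID of the BSS Load element
BSS_LOAD_BODY_LEN = 5     # station count (2) + channel utilisation (1) + admission capacity (2)
LOAD_THRESHOLD = 192      # assumed operator setting: about 75% of the 0..255 utilisation scale


class Cause(Enum):        # hypothetical cause values for the reply message
    NONE = "none"
    AUTH_FAILED = "authentication-failed"
    LOAD_ABSENT = "load-indication-absent"
    HIGH_LOAD = "high-load"


@dataclass
class BssLoad:
    station_count: int
    channel_utilisation: int  # 0..255, share of time the medium was sensed busy
    admission_capacity: int


@dataclass
class AuthRequest:            # hypothetical container, not a real EAP or RADIUS message
    subscriber: str
    credentials_ok: bool      # outcome of the normal (e.g. SIM-based) authentication
    ap_id: Optional[str] = None
    load_element: Optional[bytes] = None


def build_bss_load(stations: int, utilisation: int, capacity: int) -> bytes:
    """Encode a BSS Load element (ID, length, little-endian body) for sample data."""
    body = struct.pack("<HBH", stations, utilisation, capacity)
    return bytes([BSS_LOAD_ELEMENT_ID, BSS_LOAD_BODY_LEN]) + body


def parse_bss_load(raw: Optional[bytes]) -> Optional[BssLoad]:
    """Parse the element; a missing or malformed element is reported as None.

    The bytes arrive from the mobile, so they are handled as untrusted input:
    exact total length, element ID and declared length are all checked.
    """
    if raw is None or len(raw) != 2 + BSS_LOAD_BODY_LEN:
        return None
    if raw[0] != BSS_LOAD_ELEMENT_ID or raw[1] != BSS_LOAD_BODY_LEN:
        return None
    stations, utilisation, capacity = struct.unpack("<HBH", raw[2:])
    return BssLoad(stations, utilisation, capacity)


def decide(req: AuthRequest, threshold: int = LOAD_THRESHOLD,
           load_db: Optional[Dict[str, int]] = None) -> Tuple[bool, Cause]:
    """Return (granted, cause) for one authentication request."""
    if not req.credentials_ok:
        return False, Cause.AUTH_FAILED
    load = parse_bss_load(req.load_element)
    utilisation = load.channel_utilisation if load else None
    # [0034]: with no usable element, look the load up by access point identity.
    if utilisation is None and load_db is not None and req.ap_id is not None:
        utilisation = load_db.get(req.ap_id)
    # [0033]: no load information at all, so decline and say why.
    if utilisation is None:
        return False, Cause.LOAD_ABSENT
    # [0032]: grant below the threshold; equality is denied here (assumption).
    if utilisation >= threshold:
        return False, Cause.HIGH_LOAD
    return True, Cause.NONE


if __name__ == "__main__":
    # Constructed sample requests; identifiers are placeholders.
    samples = [
        AuthRequest("sub-1", True, "ap-120", build_bss_load(12, 64, 1000)),
        AuthRequest("sub-2", True, "ap-120", build_bss_load(48, 230, 0)),
        AuthRequest("sub-3", True, "ap-120", None),
        AuthRequest("sub-4", True, None, b"\x0b\x05\x0c"),  # truncated element
    ]
    for request in samples:
        print(request.subscriber, decide(request, load_db={"ap-120": 40}))
```

A truncated or mislabelled element is treated the same as a missing one, so a request cannot pass the load check by carrying bytes the server cannot interpret.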
[0035] Alternatively to authentication server 170 deciding whether the non-cellular cell is too highly loaded, a node in the non-cellular part such as, for example, access point 120, may be configured to decide whether to allow the requesting mobile access based at least in part on a load status of access point 120. For example, access point 120 may compare a current load status to a threshold responsive to receiving from authentication server 170 an indication that authentication has been granted to the mobile to access access point 120. The authentication server may provide a load indication of access point 120 to access point 120, wherein the authentication server may have obtained the load indication from an authentication request from the requesting mobile, and the requesting mobile may have obtained the load indication from a radio transmission from access point 120.
[0036] A node in the non-cellular part, such as for example a gateway node for interfacing the non-cellular part with further networks, may be configured to decide whether to allow the requesting mobile access based at least in part on a load status of access point 120. The node may receive an indication of load of access point 120 comprised in an authentication request originating from mobile 110, for example. Based on the indication, the node may decide whether to deny the authentication request. When the decision is to not deny the authentication request in the node, the node may forward the authentication request toward authentication server 170. When the decision is to deny the authentication request, the node may inform access point 120 of the denial, optionally with an indication as to a reason for denial, such as load status. Additionally or alternatively, the node may discard the authentication request rather than forward it toward authentication server 170. In some embodiments, the node may forward the authentication request toward authentication server 170, wherein the node also informs the authentication server of the denial. An indication of the denial may be added to the authentication request or to a message comprising the authentication request, or the node may inform authentication server 170 of the denial in a separate message.
[0037] In some systems, authentication and admission control may be separated. For example, authentication server 170 may perform authentication, and responsive to a decision in authentication server 170 to grant authentication to a mobile requesting to attach to access point 120, the authentication server may be configured to provide an indication of the positive authentication decision together with a load indication to a node comprised in the non-cellular part, which node is then enabled to decide separately and based on the load indication, whether to admit the requesting mobile to access point 120. This node comprised in the non-cellular part may be the access point itself, or another node in the non-cellular part.
[0038] In general there is provided a first apparatus, such as for example mobile 110 or a control device for controlling the functions of mobile 110. The first apparatus may comprise a receiver configured to obtain a load indication of an access point. Where the first apparatus comprises mobile 110, the receiver may comprise a radio receiver of mobile 110. Where the first apparatus comprises a control apparatus, such as for example a processor or chipset, the receiver may comprise an input port of the control device, enabled to receive information from electrical leads internal to mobile 110 when the control device is implanted in mobile 110. A load indication may comprise a BSS Load Element, for example. The first apparatus comprises at least one processing core configured to compile an authentication request comprising the load indication. The authentication request may comply with an authentication protocol such as extensible authentication protocol method for authentication and key agreement, EAP-AKA, or extensible authentication protocol method for subscriber identity module, EAP-SIM, for example. The first apparatus may further comprise a transmitter configured to cause the authentication request to be transmitted toward an authentication server. Where the first apparatus is a control apparatus, the transmitter may comprise an output port of the control device, which is enabled to, when the control apparatus is implanted in a mobile 110, cause a radio transmitter of mobile 110 to transmit the authentication request by signaling from the output port to the radio transmitter via electrical leads internal to mobile 110.
[0039] In some embodiments, the access point is a non-cellular access point, such as for example a WLAN or WiMAX access point. A WLAN access point may function according to a version of IEEE 802.11 standards, for example.
[0040] In some embodiments, the load indication is obtained from the access point by receiving a wireless transmission from the access point. The wireless transmission may be a broadcast transmission. A broadcast transmission may comprise a transmission that is not addressed to any receiver or group of receivers in particular. In some embodiments, receiving a broadcast transmission does not require a connected state to the access point.
[0041] In some embodiments, the authentication request comprises a request for the first apparatus to be authenticated for attaching to the access point for internet protocol, IP, connectivity. The first apparatus may need IP connectivity for web browsing, for example. The authentication request may be transmitted toward the authentication server via the access point or via a cellular base station. The cellular base station may be a base station with respect to which the apparatus is in a connected or idle mode.
[0042] In general there is provided a second apparatus, such as for example an authentication server. The authentication server may be configured to be connected, directly or indirectly, to a cellular core network. The second apparatus comprises software and hardware that are configured to cause it to receive an authentication request requesting a mobile terminal to be authenticated for attaching to an access point. The authentication request may comply with an authentication protocol such as an EAP protocol, for example. The authentication request may be received via the access point, or via a cellular network. The second apparatus is further caused to decide, based at least in part on a load indication relating to the access point, whether to grant the authentication request; and to cause an indication of the decision to be transmitted. The load indication may be received from the access point comprised in the authentication request, responsive to a query from the second apparatus, or via a database.
[0043] In some embodiments, the second apparatus is configured to compile historical information on a load situation of an access point from load indications. In these embodiments, the second apparatus may be configured to dynamically adjust, using the historical information, a load status threshold it uses in deciding whether to grant authentication requests concerning the access point. The load indications used in compiling the historical information may be obtained in connection with previously received authentication requests.
[0044] In general there is provided a third apparatus, such as for example an intermediate node comprised or suitable for inclusion in a non-cellular part of a communication system. An example of an intermediate node is a gateway, such as a trusted WLAN gateway. The third apparatus is caused, by a processor and computer program code stored in a memory of the third apparatus, to receive an authentication request requesting a mobile terminal to be authenticated for attaching to an access point. The authentication request may be received from mobile 110, for example, via access point 120, for example. The third apparatus may be caused to decide, based at least in part on a load indication relating to access point 120, whether to deny the authentication request. The load indication may be obtained in the third apparatus from the authentication request or from a database node, for example. When the decision is to deny the authentication request, the third apparatus is caused to at least one of inform the access point of denial of the authentication request, to not forward the authentication request to an authentication server and to forward the authentication request to an authentication server together with an indication that the authentication request has been denied. When the decision is to not deny the authentication request in the third apparatus, the third apparatus may allow the authentication server to decide whether to allow or deny the authentication request.
[0045] FIGURE 3 is a first signaling diagram showing operations of an example embodiment of the invention. Along the vertical axes are illustrated, from left to right, mobile 110, access point 120, core network node 160 and authentication server 170. The presence of core network node 160 is optional. Time advances from top to bottom. In phase 310, mobile 110 receives a load indication, such as a load element, for example by receiving a broadcast radio message from access point 120. In phase 320, mobile 110 requests authentication to access access point 120, for example for IP connectivity. Mobile 110 requests authentication by transmitting to authentication server 170 an authentication request, the authentication request comprising the load indication, received in phase 310, or at least information derived from the received load indication, the information being indicative of load of access point 120. In phase 330, authentication server 170 takes a decision on the authentication request sent in phase 320. The decision may be based at least in part on the information indicative of load of access point 120 that authentication server 170 received in the authentication request of phase 320.
[0046] After the decision of phase 330, one phase from among phases 340, 350 and 360 is performed in dependence of the decision. Phase 340 is performed when the decision is positive, mobile 110 successfully authenticates and the load level in access point 120 is low enough to admit a new mobile. In phase 340, an indication is sent from authentication server informing access point 120 and/or mobile 110 of acceptance of authentication. In case the decision of phase 330 is negative, either phase 350 or phase 360 is performed. Phase 350 is performed when the decision of phase 330 is negative due to excessive load in access point 120. In phase 350, authentication server informs access point 120 and/or mobile 110 of refusal of authentication with a cause element indicating excessive load. Phase 360 is performed when the decision of phase 330 is negative due to missing information in the authentication request of phase 320. For example, where the authentication request lacks the load indication or other information indicative of load of access point 120, authentication server may refuse the authentication request. In phase 360, authentication server informs access point 120 and/or mobile 110 of refusal of authentication with a cause element indicating that the authentication request lacked information.
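The decision of phase 330 and its three outcomes can be sketched as follows. This is an added example, not code from the application: it assumes the load indication is an IEEE 802.11 BSS Load element, that channel utilization is the load measure compared against the threshold, and that a malformed element counts as missing information; the class names, cause strings, the database mapping and the sample elements are hypothetical.

```python
import struct
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional

BSS_LOAD_ELEMENT_ID = 11  # IEEE 802.11 BSS Load element
BSS_LOAD_BODY_LEN = 5     # station count (2) + channel utilization (1) + capacity (2)


class Cause(Enum):  # cause names are assumptions; the page only describes the causes
    NONE = "none"
    AUTH_FAILED = "authentication-failed"
    HIGH_LOAD = "high-load"
    LOAD_INFO_MISSING = "load-indication-missing"


@dataclass(frozen=True)
class BssLoad:
    station_count: int
    channel_utilization: int           # 0..255, scaled so that 255 means 100 %
    available_admission_capacity: int  # units of 32 microseconds per second

    @property
    def utilization_pct(self) -> float:
        return self.channel_utilization * 100.0 / 255.0


def parse_bss_load(element: bytes) -> BssLoad:
    """Parse a 7-octet BSS Load element: ID, length, then a little-endian body."""
    if len(element) != 2 + BSS_LOAD_BODY_LEN:
        raise ValueError("BSS Load element must be exactly 7 octets")
    if element[0] != BSS_LOAD_ELEMENT_ID or element[1] != BSS_LOAD_BODY_LEN:
        raise ValueError("not a BSS Load element")
    stations, utilization, capacity = struct.unpack("<HBH", element[2:])
    return BssLoad(stations, utilization, capacity)


@dataclass(frozen=True)
class AuthRequest:  # hypothetical container, not an EAP message layout
    mobile_id: str
    ap_id: Optional[str] = None           # identity of the access point, if sent
    load_element: Optional[bytes] = None  # load indication copied from the broadcast


@dataclass(frozen=True)
class Decision:
    granted: bool
    cause: Cause
    phase: Optional[int]  # FIG. 3 phase that carries the answer, if any


def resolve_load(req: AuthRequest, load_db: Dict[str, BssLoad]) -> Optional[BssLoad]:
    """Use the load indication in the request, else look it up by access point identity."""
    if req.load_element is not None:
        try:
            return parse_bss_load(req.load_element)
        except ValueError:
            return None  # assumption: a malformed element is treated as missing
    if req.ap_id is not None:
        return load_db.get(req.ap_id)
    return None


def decide(req: AuthRequest, authenticated: bool, threshold_pct: float,
           load_db: Optional[Dict[str, BssLoad]] = None) -> Decision:
    """Phase 330: `authenticated` stands in for the result of normal authentication."""
    if not authenticated:
        return Decision(False, Cause.AUTH_FAILED, None)
    load = resolve_load(req, load_db or {})
    if load is None:
        return Decision(False, Cause.LOAD_INFO_MISSING, 360)
    if load.utilization_pct >= threshold_pct:  # assumption: equal counts as too loaded
        return Decision(False, Cause.HIGH_LOAD, 350)
    return Decision(True, Cause.NONE, 340)


# Constructed sample elements (not captured traffic).
LIGHT = bytes([11, 5, 12, 0, 64, 0xE8, 0x03])  # 12 stations, about 25 % utilization
BUSY = bytes([11, 5, 40, 0, 230, 0x10, 0x00])  # 40 stations, about 90 % utilization

if __name__ == "__main__":
    for name, element in (("light", LIGHT), ("busy", BUSY), ("absent", None)):
        print(name, decide(AuthRequest("mobile-110", load_element=element), True, 70.0))
```
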
[0047] FIGURE 4 is a second signaling diagram showing operations of an example embodiment of the invention. The vertical axes correspond, from left to right, to mobile 110, access point 120, node 160 and authentication server 170. Node 160 may comprise core network node 160, or node 160 may comprise a node in a non-cellular part such as a trusted WLAN access gateway, for example. In some embodiments, node 160 of FIG. 4 is a node comprised in the non-cellular part and not a core network node of the cellular core network. Time advances from top to bottom. Phase 410 may substantially correspond to phase 310 of FIG. 3 and phase 420 may substantially correspond to phase 320 of FIG. 3. Responsive to the message of phase 420, authentication server 170 performs authentication of mobile 110 for access to access point 120, for example for IP connectivity access to access point 120. In phase 430, authentication server 170 indicates an accepted authentication of mobile 110 to access access point 120 to node 160, and provides to node 160 a load indication of access point 120. The load indication may be received in authorization server 170 from the authentication request of phase 420, or from a database, for example. In phase 440, node 160 may perform a load-based admittance decision concerning mobile 110, wherein it may be decided whether to allow mobile 110 to attach to a cell controlled by access point 120. The load-based admittance decision may be based at least in part on the load indication received from authentication server 170. In phase 450, node 160 may inform at least one of access point 120 and mobile 110 of a result of the load-based admittance decision. Where the decision is negative, node 160 may in phase 450 also inform at least one of access point 120 and mobile 110 of a cause for the negative admittance decision, wherein the cause may comprise excessive load or missing load indication, for example. If authentication server 170 indicates in phase 430 failed authentication, node 160 may be configured to convey this indication to access point 120.
[0048] FIGURE 5 is a first flowgraph of a method in accordance with an example embodiment of the invention. The method of FIG. 5 may be performed in mobile 110, or a control device for use in mobile 110, for example. Phase 510 comprises obtaining, in an apparatus, a load indication of an access point. Phase 520 comprises compiling an authentication request comprising the load indication, and finally phase 530 comprises causing the authentication request to be transmitted toward an authentication server. The apparatus may comprise the mobile 110 or control device, for example. The obtaining of phase 510 may comprise obtaining by receiving from a broadcast radio transmission from the access point, for example.
[0049] FIGURE 6 is a second flowgraph of a method in accordance with an example embodiment of the invention. The method of FIG. 6 may be performed in authentication server 170, for example. Phase 610 comprises receiving an authentication request requesting a mobile terminal to be authenticated for attaching to an access point. Phase 620 comprises deciding, based at least in part on a load indication, whether to grant the authentication request, and phase 630 comprises causing an indication of the decision to be transmitted. The load indication may be received from the access point, from the authentication request or from a database, for example. The indication of phase 630 may be caused to be transmitted to at least one of the access point and the mobile terminal, for example.
[0050] FIGURE 7 is a third flowgraph of a method in accordance with an example embodiment of the invention. The method of FIG. 7 may be performed in node 160 of FIG. 4, or in an access point 120, for example. Phase 710 comprises receiving from an authentication server an indication of a decision to grant authentication to a mobile terminal to access an apparatus for internet protocol connectivity. Phase 720 comprises receiving from an authentication server a load indication. The receivings of phases 710 and 720 may be accomplished by receiving a single message comprising the indication of the decision and the load indication, or these indications may be received in distinct messages. Finally phase 730 comprises deciding whether to grant the mobile terminal access to the apparatus based at least in part on the load information.
[0051] FIGURE 8 is a fourth flowgraph of a method in accordance with an example embodiment of the invention. Along the vertical axes are illustrated, from left to right, mobile 110, access point 120, non-cellular node TWAN and authentication server 170. Time advances from top to bottom. Phases 810 and 820 may substantially correspond to phases 310 and 320 of FIG. 3, except that the message of phase 820 is received in non-cellular node TWAN instead of authentication server 170, as in FIG. 1. Non-cellular node TWAN is configured to, in phase 840, decide whether to deny the authentication request it received in phase 820. The decision whether to deny may be based at least in part on a load indication relating to access point 120. Non-cellular node TWAN may receive the load indication comprised in the authentication request of phase 820 or from a database node, for example. Phase 830, which is illustrated as 830-A and 830-B, comprises non-cellular node TWAN forwarding the authentication request to authentication server 170. Such forwarding may take place before or after phase 840.
[0052] When the forwarding takes place before phase 840 and the decision of phase 840 is to deny the authentication request, non-cellular node TWAN is configured to indicate in phase 860 to at least one of access point 120 and mobile 110 that the authentication request is denied regardless of what authentication server indicates to non-cellular node TWAN in phase 850. When the forwarding takes place after phase 840 and the decision of phase 840 is to deny the authentication request, non-cellular node TWAN is configured to indicate to authentication server that the authentication request is denied. Such an indication may be comprised in the authentication request, a message comprising the authentication request or a separate message. In case non-cellular node TWAN indicates the authentication request is denied to authentication server 170, non-cellular node TWAN is configured to indicate in phase 860 to at least one of access point 120 and mobile 110 that the authentication request is denied regardless of what authentication server indicates to non-cellular node TWAN in phase 850. In case the decision of phase 840 is to not deny the authentication request, non-cellular node TWAN may indicate in phase 860 that the authentication request is allowed or denied according to a decision received from authentication server in phase 850, in other words in this case the decision is left to authentication server 170.
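The two forwarding orders of FIG. 8, together with the discard option of paragraph [0036], can be traced with a small model of the gateway. This is an added example, not code from the application: the message labels, the percentage load value, the threshold comparison and the boolean standing in for the answer of phase 850 are assumptions made for illustration.

```python
from enum import Enum
from typing import List, Tuple

Message = Tuple[str, str, str, str]  # (phase, sender, receiver, content)


class Forwarding(Enum):
    BEFORE_DECISION = "830-A"  # request forwarded before phase 840
    AFTER_DECISION = "830-B"   # request forwarded after phase 840


def gateway_flow(load_pct: float, threshold_pct: float, forwarding: Forwarding,
                 server_grants: bool,
                 discard_on_deny: bool = False) -> Tuple[List[Message], str]:
    """Return the message trace and the indication sent in phase 860.

    `server_grants` is what the authentication server would answer in phase 850.
    `discard_on_deny` models the option of not forwarding a denied request;
    it only has an effect when forwarding happens after the decision.
    """
    trace: List[Message] = []
    # Assumption: a load equal to the threshold counts as too loaded.
    deny = load_pct >= threshold_pct
    decision: Message = ("840", "TWAN", "TWAN", "deny" if deny else "not-deny")

    if forwarding is Forwarding.BEFORE_DECISION:
        # The server already has the request before the gateway decides.
        trace.append(("830-A", "TWAN", "AS", "auth-request"))
        trace.append(decision)
        forwarded = True
    else:
        trace.append(decision)
        if deny and discard_on_deny:
            forwarded = False  # request dropped, server never sees it
        else:
            content = "auth-request+denied-indication" if deny else "auth-request"
            trace.append(("830-B", "TWAN", "AS", content))
            forwarded = True

    if forwarded:
        trace.append(("850", "AS", "TWAN", "accept" if server_grants else "reject"))

    # A gateway denial stands regardless of the answer of phase 850;
    # otherwise the decision is left to the authentication server.
    final = "denied" if deny or not server_grants else "allowed"
    trace.append(("860", "TWAN", "AP/mobile", final))
    return trace, final


if __name__ == "__main__":
    for order in Forwarding:
        trace, final = gateway_flow(90.0, 70.0, order, server_grants=True)
        print(order.value, final)
        for message in trace:
            print("   ", message)
```
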
[0053] FIGURE 2 illustrates a block diagram of an apparatus 10 such as, for example, a mobile terminal, in accordance with an example embodiment of the invention. While several features of the apparatus are illustrated and will be hereinafter described for purposes of example, other types of electronic devices, such as mobile telephones, mobile computers, portable digital assistants, PDAs, pagers, laptop computers, desktop computers, gaming devices, televisions, routers, home gateways, and other types of electronic systems, may employ various embodiments of the invention.
[0054] As shown, the mobile terminal 10 may include at least one antenna 12 in communication with a transmitter 14 and a receiver 16. Alternatively transmit and receive antennas may be separate. The mobile terminal 10 may also include a processor 20 configured to provide signals to and receive signals from the transmitter and receiver, respectively, and to control the functioning of the apparatus. Processor 20 may be configured to control the functioning of the transmitter and receiver by effecting control signaling via electrical leads to the transmitter and receiver. Likewise processor 20 may be configured to control other elements of apparatus 10 by effecting control signaling via electrical leads connecting processor 20 to the other elements, such as for example a display or a memory. The processor 20 may, for example, be embodied as various means including circuitry, at least one processing core, one or more microprocessors with accompanying digital signal processor(s), one or more processor(s) without an accompanying digital signal processor, one or more coprocessors, one or more multi-core processors, one or more controllers, processing circuitry, one or more computers, various other processing elements including integrated circuits such as, for example, an application specific integrated circuit, ASIC, or field programmable gate array, FPGA, or some combination thereof. Accordingly, although illustrated in FIG. 2 as a single processor, in some embodiments the processor 20 comprises a plurality of processors or processing cores. Signals sent and received by the processor 20 may include signaling information in accordance with an air interface standard of an applicable cellular system, and/or any number of different wireline or wireless networking techniques, comprising but not limited to Wi-Fi, wireless local access network, WLAN, techniques such as Institute of Electrical and Electronics Engineers, IEEE, 802.11, 802.16, and/or the like. In addition, these signals may include speech data, user generated data, user requested data, and/or the like. In this regard, the apparatus may be capable of operating with one or more air interface standards, communication protocols, modulation types, access types, and/or the like. More particularly, the apparatus may be capable of operating in accordance with various first generation, 1G, second generation, 2G, 2.5G, third-generation, 3G, communication protocols, fourth-generation, 4G, communication protocols, Internet Protocol Multimedia Subsystem, IMS, communication protocols, for example, session initiation protocol, SIP, and/or the like. For example, the apparatus may be capable of operating in accordance with 2G wireless communication protocols IS-136, Time Division Multiple Access, TDMA, Global System for Mobile communications, GSM, IS-95, Code Division Multiple Access, CDMA, and/or the like. Also, for example, the mobile terminal may be capable of operating in accordance with 2.5G wireless communication protocols General Packet Radio Service, GPRS, Enhanced Data GSM Environment, EDGE, and/or the like. Further, for example, the apparatus may be capable of operating in accordance with 3G wireless communication protocols such as Universal Mobile Telecommunications System, UMTS, Code Division Multiple Access 2000, CDMA2000, Wideband Code Division Multiple Access, WCDMA, Time Division-Synchronous Code Division Multiple Access, TD-SCDMA, and/or the like. The apparatus may be additionally capable of operating in accordance with 3.9G wireless communication protocols such as Long Term Evolution, LTE, or Evolved Universal Terrestrial Radio Access Network, E-UTRAN, and/or the like. Additionally, for example, the apparatus may be capable of operating in accordance with fourth-generation, 4G, wireless communication protocols such as LTE Advanced and/or the like as well as similar wireless communication protocols that may be developed in the future.
[0055] Some Narrow-band Advanced Mobile Phone System, NAMPS, as well as Total Access Communication System, TACS, mobile terminal apparatuses may also benefit from embodiments of this invention, as should dual or higher mode phone apparatuses, for example, digital/analogue or TDMA/CDMA/analogue phones. Additionally, apparatus 10 may be capable of operating according to Wi-Fi or Worldwide Interoperability for Microwave Access, WiMAX, protocols.
[0056] It is understood that the processor 20 may comprise circuitry for implementing audio/video and logic functions of apparatus 10. For example, the processor 20 may comprise a digital signal processor device, a microprocessor device, an analogue-to-digital converter, a digital-to-analogue converter, and/or the like. Control and signal processing functions of the mobile terminal may be allocated between these devices according to their respective capabilities. The processor may additionally comprise an internal voice coder, VC, 20a, an internal data modem, DM, 20b, and/or the like. Further, the processor may comprise functionality to operate one or more software programs, which may be stored in memory. In general, processor 20 and stored software instructions may be configured to cause apparatus 10 to perform actions. For example, processor 20 may be capable of operating a connectivity program, such as a web browser. The connectivity program may allow the mobile terminal 10 to transmit and receive web content, such as location-based content, according to a protocol, such as wireless application protocol, WAP, hypertext transfer protocol, HTTP, and/or the like.
[0057] Apparatus 10 may also comprise a user interface including, for example, an earphone or speaker 24, a ringer 22, a microphone 26, a display 28, a user input interface, and/or the like, which may be operationally coupled to the processor 20. In this regard, the processor 20 may comprise user interface circuitry configured to control at least some functions of one or more elements of the user interface, such as, for example, the speaker 24, the ringer 22, the microphone 26, the display 28, and/or the like. The processor 20 and/or user interface circuitry comprising the processor 20 may be configured to control one or more functions of one or more elements of the user interface through computer program instructions, for example, software and/or firmware, stored on a memory accessible to the processor 20, for example, volatile memory 40, non-volatile memory 42, and/or the like. Although not shown, the apparatus may comprise a battery for powering various circuits related to the mobile terminal, for example, a circuit to provide mechanical vibration as a detectable output. The user input interface may comprise devices allowing the apparatus to receive data, such as a keypad 30, a touch display, which is not shown, a joystick, which is not shown, and/or at least one other input device. In embodiments including a keypad, the keypad may comprise numeric 0-9 and related keys, and/or other keys for operating the apparatus.
[0058] As shown in FIG. 2, apparatus 10 may also include one or more means for sharing and/or obtaining data. For example, the apparatus may comprise a short-range radio frequency, RF, transceiver and/or interrogator 64 so data may be shared with and/or obtained from electronic devices in accordance with RF techniques. The apparatus may comprise other short-range transceivers, such as, for example, an infrared, IR, transceiver 66, a Bluetooth™, BT, transceiver 68 operating using Bluetooth™ brand wireless technology developed by the Bluetooth™ Special Interest Group, a wireless universal serial bus, USB, transceiver 70 and/or the like. The Bluetooth™ transceiver 68 may be capable of operating according to low power or ultra-low power Bluetooth™ technology, for example, Wibree™, radio standards. In this regard, the apparatus 10 and, in particular, the short-range transceiver may be capable of transmitting data to and/or receiving data from electronic devices within a proximity of the apparatus, such as within 10 meters, for example. Although not shown, the apparatus may be capable of transmitting and/or receiving data from electronic devices according to various wireless networking techniques, including 6LoWpan, Wi-Fi, Wi-Fi low power, WLAN techniques such as IEEE 802.11 techniques, IEEE 802.15 techniques, IEEE 802.16 techniques, and/or the like.
[0059] The apparatus 10 may comprise memory, such as a subscriber identity module, SIM, 38, a removable user identity module, R-UIM, and/or the like, which may store information elements related to a mobile subscriber. In addition to the SIM, the apparatus may comprise other removable and/or fixed memory. The apparatus 10 may include volatile memory 40 and/or non-volatile memory 42. For example, volatile memory 40 may include Random Access Memory, RAM, including dynamic and/or static RAM, on-chip or off-chip cache memory, and/or the like. Non-volatile memory 42, which may be embedded and/or removable, may include, for example, read-only memory, flash memory, magnetic storage devices, for example, hard disks, floppy disk drives, magnetic tape, etc., optical disc drives and/or media, non-volatile random access memory, NVRAM, and/or the like. Like volatile memory 40, non-volatile memory 42 may include a cache area for temporary storage of data. At least part of the volatile and/or non-volatile memory may be embedded in processor 20. The memories may store one or more software programs, instructions, pieces of information, data, and/or the like which may be used by the apparatus for performing functions of the mobile terminal. For example, the memories may comprise an identifier, such as an international mobile equipment identification, IMEI, code, capable of uniquely identifying apparatus 10.
[0060] Without in any way limiting the scope, interpretation, or application of the claims appearing below, a technical effect of one or more of the example embodiments disclosed herein is that overload situations in non-cellular systems may be avoided. Another technical effect of one or more of the example embodiments disclosed herein is that an operator is enabled to control access to non-cellular cells in heterogeneous networks.
[0061] Embodiments of the present invention may be implemented in software, hardware, application logic or a combination of software, hardware and application logic. The software, application logic and/or hardware may reside on memory 40, the control apparatus 20 or electronic components, for example. In an example embodiment, the application logic, software or an instruction set is maintained on any one of various conventional computer-readable media. In the context of this document, a "computer-readable medium" may be any media or means that can contain, store, communicate, propagate or transport the instructions for use by or in connection with an instruction execution system, apparatus, or device, such as a computer, with one example of a computer described and depicted in FIGURE 2. A computer-readable medium may comprise a computer-readable non-transitory storage medium that may be any media or means that can contain or store the instructions for use by or in connection with an instruction execution system, apparatus, or device, such as a computer. The scope of the invention comprises computer programs configured to cause methods according to embodiments of the invention to be performed.
[0062] If desired, the different functions discussed herein may be performed in a different order and/or concurrently with each other. Furthermore, if desired, one or more of the above-described functions may be optional or may be combined.
[0063] Although various aspects of the invention are set out in the independent claims, other aspects of the invention comprise other combinations of features from the described embodiments and/or the dependent claims with the features of the independent claims, and not solely the combinations explicitly set out in the claims.
[0064] It is also noted herein that while the above describes example embodiments of the invention, these descriptions should not be viewed in a limiting sense. Rather, there are several variations and modifications which may be made without departing from the scope of the present invention as defined in the appended claims.

Claims

WHAT IS CLAIMED IS
1. An apparatus, comprising:
a receiver configured to obtain a load indication of an access point;
at least one processing core configured to compile an authentication request comprising the load indication, and
a transmitter configured to cause the authentication request to be transmitted toward an authentication server.
2. An apparatus according to claim 1, wherein the access point is a non-cellular access point.
3. An apparatus according to any preceding claim, wherein the load indication is obtained in the apparatus from the access point by receiving a wireless transmission from the access point.
4. An apparatus according to any preceding claim, wherein the authentication request comprises a request for the apparatus to be authenticated for attaching to the access point for internet protocol, IP, connectivity.
5. An apparatus according to any preceding claim, wherein the transmitter is configured to cause the authentication request to be transmitted toward the authentication server via the access point.
6. An apparatus according to any of claims 1 - 4, wherein the transmitter is configured to cause the authentication request to be transmitted toward the authentication server via a cellular base station distinct from the access point.
7. An apparatus according to any preceding claim, wherein the authentication request complies with an extensible authentication protocol.
8. An apparatus according to claim 1, wherein the apparatus comprises a mobile communication device, the apparatus further comprising an antenna coupled to the receiver and configured to provide signals to the at least one processing core.
9. A method, comprising:
obtaining, in an apparatus, a load indication of an access point;
compiling an authentication request comprising the load indication, and
causing the authentication request to be transmitted toward an authentication server.
10. A method according to claim 9, wherein the access point is a non-cellular access point.
11. A method according to claim 9 or 10, wherein the load indication is obtained in the apparatus from the access point by receiving a wireless transmission from the access point.
12. A method according to any of claims 9 - 11, wherein the authentication request comprises a request for the apparatus to be authenticated for attaching to the access point for internet protocol, IP, connectivity.
13. A method according to any of claims 9 - 12, wherein the authentication request is caused to be transmitted toward the authentication server via the access point.
14. A method according to any of claims 9 - 12, wherein the authentication request is caused to be transmitted to the authentication server via a cellular base station distinct from the access point.
15. A method according to any of claims 9 - 14, wherein the authentication request complies with an extensible authentication protocol.
16. An apparatus, comprising:
at least one processor; and
at least one memory including computer program code
the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least the following:
receive an authentication request requesting a mobile terminal to be authenticated for attaching to an access point;
decide, based at least in part on a load indication relating to the access point, whether to grant the authentication request, and
cause an indication of the decision to be transmitted.
17. An apparatus according to claim 16, wherein the apparatus is caused to receive the authentication request from the mobile terminal via the access point.
18. An apparatus according to any of claims 16 - 17, wherein the apparatus is caused to decide whether to grant the authentication request at least in part based on load information obtained in connection with previously received authentication requests.
19. An apparatus according to any of claims 16 - 18, wherein in case the decision is to not grant the authentication request, the indication comprises an indication as to cause of the not granting, the cause comprising load status in the access point.
20. An apparatus according to any of claims 16 - 19, wherein the apparatus comprises an authentication, authorization and accounting server configured to be operative in a cellular core network.
21. A method, comprising:
receiving an authentication request requesting a mobile terminal to be authenticated for attaching to an access point;
deciding, based at least in part on a load indication relating to the access point, whether to grant the authentication request, and
causing an indication of the decision to be transmitted.
22. A method according to claim 16, comprising receiving the authentication request from the mobile terminal via the access point.
23. A method according to any of claims 16 - 17, comprising deciding whether to grant the authentication request at least in part based on load information derived from previously received authentication requests.
24. A method according to any of claims 16 - 18, wherein in case the decision is to not grant the authentication request, the indication comprises an indication as to cause of the not granting, the cause comprising load status in the access point.
25. A method according to any of claims 16 - 19, further comprising performing the method in an authentication, authorization and accounting server configured to be operative in a cellular core network.
26. An apparatus, comprising:
means for obtaining, in an apparatus, a load indication of an access point;
means for compiling an authentication request comprising the load indication, and
means for causing the authentication request to be transmitted toward an authentication server.
27. An apparatus, comprising:
means for receiving an authentication request requesting a mobile terminal to be authenticated for attaching to an access point;
means for deciding, based at least in part on a load indication relating to the access point, whether to grant the authentication request, and
means for causing an indication of the decision to be transmitted.
28. A computer program product comprising a computer-readable medium bearing computer program code embodied therein for use with a computer, the computer program code comprising:
code for obtaining, in an apparatus, a load indication of an access point;
code for compiling an authentication request comprising the load indication, and
code for causing the authentication request to be transmitted toward an authentication server.
29. A computer program product comprising a computer-readable medium bearing computer program code embodied therein for use with a computer, the computer program code comprising:
code for receiving an authentication request requesting a mobile terminal to be authenticated for attaching to an access point;
code for deciding, based at least in part on a load indication relating to the access point, whether to grant the authentication request, and
code for causing an indication of the decision to be transmitted.
30. A computer program configured to cause a method according to at least one of claims 9 - 15 or 21 - 25 to be performed.
31. An apparatus, comprising:
at least one processor; and
at least one memory including computer program code
the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least the following:
receive an authentication request requesting a mobile terminal to be authenticated for attaching to an access point;
decide whether to grant the authentication request;
transmit, responsive to a decision that the authentication request is to be granted, an indication of the decision toward the access point, and
transmit, responsive to a decision that the authentication request is to be granted, a load indication comprised in the authentication request toward the access point.
32. An apparatus, comprising:
at least one processor; and
at least one memory including computer program code
the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least the following:
receive from an authentication server an indication of a decision to grant authentication to a mobile terminal to access the apparatus for internet protocol connectivity;
receive from an authentication server a load indication relating to the apparatus, and
decide whether to grant the mobile terminal access to the apparatus based at least in part on the load information.
33. An apparatus, comprising:
at least one processor; and
at least one memory including computer program code
the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least the following:
receive an authentication request requesting a mobile terminal to be authenticated for attaching to an access point;
decide at least in part based on a load indication relating to the access point, whether to deny the authentication request, and
wherein when the decision is to deny the authentication request, apparatus is caused to at least one of inform the access point of denial of the authentication request, to not forward the authentication request to an authentication server and to forward the authentication request to an authentication server together with an indication that the authentication request has been denied.
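
The server-side decision recited in claims 16 to 19, sketched as an added example that is not part of the application: the server grants or refuses an authentication request using the load indication carried in it, falls back to load reported in earlier requests, and returns a cause when it refuses because of load. The field names, the 0-100 load scale, the threshold, the report lifetime and the cause strings are assumptions, and `credentials_ok` stands in for the outcome of the EAP exchange.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthRequest:
    terminal_id: str
    ap_id: str
    credentials_ok: bool          # stand-in for the outcome of the EAP exchange
    load: Optional[int] = None    # load indication relayed by the terminal (assumed 0-100)


@dataclass
class Decision:
    granted: bool
    cause: Optional[str] = None   # set only when the request is not granted


class LoadAwareAuthServer:
    def __init__(self, threshold: int = 80, max_age: float = 30.0):
        self.threshold = threshold    # assumed: refuse at or above this load
        self.max_age = max_age        # assumed: seconds an earlier report stays usable
        self._reports = {}            # ap_id -> (load, time received)

    def _load_for(self, req: AuthRequest, now: float) -> Optional[int]:
        # A well-formed indication in this request is used and remembered.
        if req.load is not None and 0 <= req.load <= 100:
            self._reports[req.ap_id] = (req.load, now)
            return req.load
        # Otherwise fall back to a recent report from a previous request (claim 18).
        report = self._reports.get(req.ap_id)
        if report is not None and now - report[1] <= self.max_age:
            return report[0]
        return None

    def decide(self, req: AuthRequest, now: float) -> Decision:
        # Credentials are checked first, so a request that fails authentication
        # never updates the stored load for the access point.
        if not req.credentials_ok:
            return Decision(False, "authentication-failed")
        load = self._load_for(req, now)
        if load is not None and load >= self.threshold:
            return Decision(False, "access-point-load")   # cause per claim 19
        return Decision(True)
```

Because the load value arrives from the terminal, the sketch range-checks it and ignores a malformed value instead of storing it.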
PCT/FI2013/050496 2013-05-06 2013-05-06 Method and apparatus for access control WO2014181028A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/FI2013/050496 WO2014181028A1 (en) 2013-05-06 2013-05-06 Method and apparatus for access control

Publications (1)

Publication Number Publication Date
WO2014181028A1 true WO2014181028A1 (en) 2014-11-13

Family

ID=51866846

Country Status (1)

Country Link
WO (1) WO2014181028A1 (en)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13884091

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13884091

Country of ref document: EP

Kind code of ref document: A1