WO2020221454A1 - Network device and method for policy-based access to a wireless network - Google Patents
Network device and method for policy-based access to a wireless network
- Publication number: WO2020221454A1 (PCT/EP2019/061216)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- wireless network
- network device
- network
- client
- service
Classifications
- H04W12/08—Access security (H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS > H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity)
- H04W12/086—Access security using security domains (under H04W12/08—Access security, same hierarchy as above)
- H04L63/0272—Virtual private networks (H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00—Network architectures or network communication protocols for network security > H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls)
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources (under H04L63/00, same hierarchy as above)
Definitions
- the present invention relates to the field of wireless computer networks, in particular to a network device and a corresponding method for policy based access to a wireless network.
- the present invention relates to policy based wireless access to a restricted set of services.
- a service set identifier is a name which is associated with a wireless computer network (e.g. a wireless local area network (WLAN)).
- the conventional wireless network client uses the SSID associated with the wireless computer network to join the wireless computer network.
- once the conventional wireless network client has joined the wireless computer network, the entire network topology of the wireless computer network is exposed to the conventional wireless network client.
- all services which are provided in the wireless computer network are visible to the connected conventional wireless network clients.
- Conventional restriction of service access can be implemented by e.g. using a dedicated portal with service links, or by using double or complex (e.g. token based) authentication.
- Using a security portal may require several steps and access restriction is based on network filter rules (e.g. of a firewall).
- different conventional network devices, e.g. access points (APs), may belong to different subnets, which is why a different set of services is provided to the conventional wireless network client depending on the AP to which it is connected. This is e.g. illustrated in Fig. 5.
- a WPA pre-shared password based security solution is configured on the wireless network.
- a set of services is configured on one site A and a different set of services is configured on site B.
- a device that roams from one site to another will get access to a different set of services.
- On the same site such separation is not feasible with non-identity-based authentication such as a pre-shared password.
- a WPA-enterprise based security solution is configured on the wireless network.
- a conventional wireless network client will get access to a set of services according to the domain group it belongs to, not related to a specific site. Such separation is achieved by provisioning the conventional wireless network client to a specific VLAN group, wherein a policy is enforced by a firewall.
- the present invention aims to improve the conventional network device.
- the present invention in particular makes it possible to determine which authorized service can be accessed by a wireless network client, based on a unique identifier of the wireless network client and on a policy. In particular, this can be done for several wireless network clients which access a wireless network that is provided by means of a single SSID.
- the wireless network client which attempts to connect to the wireless network has to be policy certified. This is e.g. achieved with a public-key infrastructure (PKI) certificate.
- Upon successful authentication at a network device, authorization and policy enforcement are triggered and a subnet is created to which the wireless network client is assigned. Thereby, the topology of the wireless network provided by the network device is hidden. Also, no modification of the wireless network client is required.
- Applications running on the wireless network client are agnostic to the solution. No application modification is required.
- This solution also allows for flat service discovery, that is, only those services which are allowed for the wireless network client are present on the subnet to which the wireless network client is assigned. Further, the present invention allows for policy based security enforcement, e.g. at domain name system (DNS) request level, or when connecting to a service.
- a first aspect of the present invention provides a network device for policy based access to a wireless network, wherein the network device is configured to obtain a unique identifier of a wireless network client; determine at least one authorized service based on the unique identifier and based on a policy; create a virtual subnet having access to the at least one authorized service; and assign the wireless network client to the virtual subnet.
- the authorized service may include any network service that is not affected by NAT traversal.
- an authorized service is a service that the wireless network client is authorized to use.
- the network client is authorized based on the policy.
- the virtual subnet has access to the at least one authorized service exclusively.
- Authorized services that are accessible can be selected based on the policy and the unique identifier, wherein e.g. other services can be excluded from being accessible.
- the unique identifier includes a passphrase combined with at least one of: device unique id or a user name; or a certificate.
- the certificate is a public key infrastructure, PKI, certificate.
- the network device is configured to offer the wireless network based on a network identifier to allow for the wireless network client to access the virtual subnet.
- the network identifier can be a service set identifier, SSID.
- the network device is configured to create a different virtual subnet for each wireless network client accessing the wireless network, based on the policy.
- the different virtual subnets for each wireless network client are created based on the policy.
- each of the different virtual subnets is created based on the unique identifier of the respective wireless network client and based on the policy.
- the policy is pre-defined and indicates that the at least one authorized service corresponds to the unique identifier.
- the network identifier of the wireless network is the same for all wireless network clients accessing the wireless network.
- the virtual subnet is a virtual subnet in an isolated segregated network.
- a segregated network is an isolated L2 broadcast domain.
- a subnet or a virtual subnet is an L3 domain (that is, a network layer domain).
- only the wireless network client assigned to the virtual subnet in the isolated segregated network has access to the virtual subnet.
- no other clients can reach or access the isolated segregated network.
- the isolated segregated network may also be called isolated virtual subnet.
- the at least one authorized service provided to the wireless network client can access the isolated segregated network to communicate with the wireless network client.
- the network device is further configured to provide a service discovery function to the wireless network client.
- the service discovery function provides a service identifier of the at least one authorized service to the wireless network client.
- the service identifier can include an address (e.g. an IPv4 or IPv6 address), a port or a protocol of the at least one authorized service.
- the service identifier provided to the wireless network client relates to the virtual subnet to which the wireless network client is assigned.
- the service identifier correlates with the domain of the virtual subnet, e.g. an address range of the virtual subnet.
- the at least one authorized service is operated in a network different from the virtual subnet assigned to the wireless network client.
- the network device further includes communication means to allow for communication with the at least one authorized service provided in a network different from the virtual subnet by means of the service identifier relating to the virtual subnet.
- the communication means includes address routing or address remapping.
- the network device is an access point, AP.
- a second aspect of the present invention provides a method for providing policy based access to a wireless network, wherein the method comprises the steps of obtaining, by a network device, a unique identifier of a wireless network client; determining, by the network device, at least one authorized service based on the unique identifier and based on a policy; creating, by the network device, a virtual subnet having access to the at least one authorized service; and assigning, by the network device, the wireless network client to the virtual subnet.
- the authorized service may include any network service that is not affected by NAT traversal.
- an authorized service is a service that the wireless network client is authorized to use.
- the network client is authorized based on the policy.
- the virtual subnet has access to the at least one authorized service exclusively.
- the unique identifier includes a passphrase combined with at least one of: device unique id or a user name; or a certificate.
- the certificate is a public key infrastructure, PKI, certificate.
- the method further includes offering, by the network device, the wireless network based on a network identifier to allow for the wireless network client to access the virtual subnet.
- the network identifier can be a service set identifier, SSID.
- the method further includes creating, by the network device, a different virtual subnet for each wireless network client accessing the wireless network, based on the policy.
- the different virtual subnets for each wireless network client are created based on the policy.
- each of the different virtual subnets is created based on the unique identifier of the respective wireless network client and based on the policy.
- the policy is pre-defined and indicates that the at least one authorized service corresponds to the unique identifier.
- the network identifier of the wireless network is the same for all wireless network clients accessing the wireless network.
- the virtual subnet is a virtual subnet in an isolated segregated network.
- a segregated network is an isolated L2 broadcast domain.
- a subnet or a virtual subnet is an L3 domain (that is, a network layer domain).
- only the wireless network client assigned to the virtual subnet in the isolated segregated network has access to the virtual subnet.
- no other clients can reach or access the isolated segregated network.
- the isolated segregated network may also be called isolated virtual subnet.
- the at least one authorized service provided to the wireless network client can access the isolated segregated network to communicate with the wireless network client.
- the method further includes providing, by the network device, a service discovery function to the wireless network client.
- the service discovery function provides a service identifier of the at least one authorized service to the wireless network client.
- the service identifier can include an address (e.g. an IPv4 or IPv6 address), a port or a protocol of the at least one authorized service.
- the service identifier provided to the wireless network client relates to the virtual subnet to which the wireless network client is assigned.
- the service identifier correlates with the domain of the virtual subnet, e.g. an address range of the virtual subnet.
- the at least one authorized service is operated in a network different from the virtual subnet assigned to the wireless network client.
- the method further includes allowing, by communication means of the network device, for communication with the at least one authorized service provided in a network different from the virtual subnet by means of the service identifier relating to the virtual subnet.
- the communication means includes address routing or address remapping.
- the network device is an access point, AP.
- the second aspect and its implementation forms include the same advantages as the first aspect and its respective implementation forms.
- FIG. 1 shows a schematic view of a network device according to an embodiment of the present invention.
- FIG. 2 shows a schematic view of an operating manner of a network device according to an embodiment of the present invention.
- FIG. 3 shows another schematic view of an operating manner of a network device according to an embodiment of the present invention.
- FIG. 4 shows a schematic view of a method according to an embodiment of the present invention.
- FIG. 5 shows an operating principle of a network device according to the prior art.
- FIG. 1 shows a network device 100 for policy based access to a wireless network 101.
- the network device 100 can e.g. be an AP, or a router including an AP.
- the wireless network 101 can e.g. be a WLAN.
- the network device 100 is configured to obtain a unique identifier 102 of a wireless network client 103; to determine at least one authorized service 104 based on the unique identifier 102 and based on a policy 105; to create a virtual subnet 106 having access to the at least one authorized service 104; and to assign the wireless network client 103 to the virtual subnet 106.
- the policy 105 may be pre-stored in the network device and may indicate to which wireless network client 103 which service 104 is offered.
- FIG. 2 shows a schematic view of an operating manner of the network device 100. As it is illustrated in FIG. 2, the network device 100 allows for a flat view of allowed services in a wireless network 101.
- a wireless network client 103 wirelessly connects to the network device 100 (e.g. an AP) associated with an SSID by presenting the unique identifier 102 (e.g. credentials, or a certificate).
- the network device 100 provides an isolated, uniquely identified subnet 106 to the authenticated wireless network client 103. No other clients can reach this subnet 106, unless it is explicitly exposed to them.
- This subnet 106 is not directly routable from the network device 100. The same Classless Inter-Domain Routing (CIDR) range can be overlapped, i.e. reused across the isolated subnets.
- the network device 100 in particular can provide the subnet 106 and/or an IP address of the wireless network client 103 by using Dynamic Host Configuration Protocol (DHCP).
- the network device 100 also can provide a local DNS address and/or a local domain for service discovery. This allows host names to be resolved to local subnet addresses, and it limits the network view of the wireless network client 103 to the authorized services only.
- the service discovery is "white list" based, in particular according to the unique identifier 102 of the wireless network client 103.
- the service forwarding rules are applied:
- the wireless network client 103 connects to the authorized service 104 using a local isolated IP address (from the subnet 106) of the authorized service 104.
- To enable forwarding of egress packets, the network device 100 translates the destination IP of the packet to a routable service IP.
- the source IP address can be connection tracked using network address translation (NAT).
- reverse translation is applied.
- FIG. 3 shows another schematic view of an operating manner of the network device 100. In particular, the following steps are performed in the operating manner shown in FIG. 3:
- the wireless network client 103 (i.e. the Client Device in FIG. 3) connects to the network device 100 (i.e. the Access Point in FIG. 3) using predefined connection settings.
- the network device 100 authenticates the wireless network client 103, e.g. by delegating this authentication session to an external AAA server and/or by using an internally implemented WPA-enterprise backend.
- the network device 100 obtains a list of allowed services from an enterprise service domain, provisions a separate subnet 106 for the wireless network client 103, adds the service discovery endpoint to this subnet and populates it with information regarding all allowed services. Further, the network device 100 adds local logical ports for every allowed service 104 on this subnet 106. All logical ports can be software defined network (SDN) ports, and network traffic directed to and from them can be intercepted and modified by an SDN-controlled switch. From the point of view of the wireless network client 103, the logical ports produce the illusion of a limited and well-defined network topology.
- the network device 100 returns a service discovery domain (SSDP/DNS-SD), subnet 106 and its local IP address to the wireless network client 103.
- FIG. 4 shows a schematic view of a method 400 according to an embodiment of the present invention.
- the method comprises a step of obtaining 401, by a network device 100, a unique identifier 102 of a wireless network client 103.
- the method comprises a step of determining 402, by the network device 100, at least one authorized service 104 based on the unique identifier 102 and based on a policy 105.
- the method comprises a step of creating 403, by the network device 100, a virtual subnet 106 having access to the at least one authorized service 104.
- the method comprises a step of assigning 404, by the network device 100, the wireless network client 103 to the virtual subnet 106.
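The following is an added example, not code from the patent or its applicant: a small Python model of the operating manner described for network device 100 in FIG. 2 and FIG. 3 and of method 400. It covers the policy lookup by unique identifier 102 (step 402), provisioning of an isolated virtual subnet 106 per client with the same overlapping CIDR (steps 403/404), white-list service discovery returning local isolated addresses, destination translation of egress packets to the routable service IP, and reverse translation of replies on tracked connections only. The service catalogue, policy entries, certificate subjects and address ranges are constructed sample data; the per-subnet SNAT address is an assumption added so that clients sharing the same CIDR remain distinguishable in the service network (the patent only says the source IP "can be connection tracked using NAT").

```python
"""Added example (not from WO2020221454A1): policy-based access with one
isolated virtual subnet per wireless client and address remapping.
All policies, identifiers and addresses are constructed sample data."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample service catalogue: name -> (routable address, port).
SERVICES = {
    "printer":   ("10.50.0.10", 631),
    "fileshare": ("10.50.0.20", 445),
    "hr-portal": ("10.50.1.5", 443),
}

# Constructed sample policy 105: unique identifier 102 (a certificate subject)
# -> services the client is authorized to use.  The SSID is the same for all.
POLICY = {
    "CN=laptop-42,OU=engineering": ["printer", "fileshare"],
    "CN=tablet-7,OU=hr":           ["hr-portal", "printer"],
}

# Every client receives the same CIDR; because each subnet is an isolated
# domain, the overlapping ranges do not collide.
CLIENT_CIDR = ipaddress.ip_network("192.168.100.0/24")


@dataclass
class VirtualSubnet:
    client_id: str
    client_ip: str                    # DHCP-style lease, always the first host
    snat_ip: str                      # assumed per-subnet routable source address
    local_services: dict = field(default_factory=dict)  # local IP -> (name, routable IP, port)
    conntrack: dict = field(default_factory=dict)       # (routable IP, port) -> local IP


def authorized_services(unique_id):
    """Step 402: the authorized services follow from identifier and policy."""
    return POLICY.get(unique_id, [])  # an unknown identifier is granted nothing


class NetworkDevice:
    """Model of network device 100: provisions one isolated subnet per client
    and remaps addresses between that subnet and the service network."""

    def __init__(self):
        self.subnets = {}                                        # snat_ip -> subnet
        self._snat_pool = ipaddress.ip_network("10.60.0.0/24").hosts()

    def connect(self, unique_id):
        """Steps 403/404: create the virtual subnet and assign the client."""
        hosts = list(CLIENT_CIDR.hosts())
        subnet = VirtualSubnet(unique_id, str(hosts[0]), str(next(self._snat_pool)))
        # One local logical port per allowed service, from the tenth host upward.
        for i, name in enumerate(authorized_services(unique_id)):
            routable_ip, port = SERVICES[name]
            subnet.local_services[str(hosts[9 + i])] = (name, routable_ip, port)
        self.subnets[subnet.snat_ip] = subnet
        return subnet

    @staticmethod
    def discover(subnet, name):
        """White-list discovery: only allowed names resolve, and only to local IPs."""
        for local_ip, (svc, _, port) in subnet.local_services.items():
            if svc == name:
                return local_ip, port
        return None

    def egress(self, subnet, dst_ip, dst_port):
        """Client -> service: rewrite the destination to the routable service IP,
        the source to the subnet's SNAT address, and track the connection."""
        entry = subnet.local_services.get(dst_ip)
        if entry is None or entry[2] != dst_port:
            return None               # not an authorized service on this subnet: drop
        _, routable_ip, port = entry
        subnet.conntrack[(routable_ip, port)] = dst_ip
        return subnet.snat_ip, routable_ip, port

    def ingress(self, src_ip, dst_ip, src_port):
        """Service -> client: reverse translation, for tracked connections only."""
        subnet = self.subnets.get(dst_ip)
        if subnet is None:
            return None
        local_ip = subnet.conntrack.get((src_ip, src_port))
        if local_ip is None:
            return None               # unsolicited packet into the isolated subnet: drop
        return local_ip, subnet.client_ip, src_port


if __name__ == "__main__":
    dev = NetworkDevice()
    eng = dev.connect("CN=laptop-42,OU=engineering")
    print("engineering client sees:", eng.local_services)
    print("printer resolves to:", NetworkDevice.discover(eng, "printer"))
    print("hr-portal resolves to:", NetworkDevice.discover(eng, "hr-portal"))
    print("egress:", dev.egress(eng, "192.168.100.10", 631))
    print("reply:", dev.ingress("10.50.0.10", eng.snat_ip, 631))
```

Two clients with different policies both receive 192.168.100.1 in their own subnet, yet each sees only its own logical service ports; a name outside the client's policy does not resolve, and a packet to a local address or port that is not an authorized service is dropped rather than forwarded, which is the property a defender would verify on the real device.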
Abstract
The present invention relates to the field of wireless computer networks, in particular to a network device and a corresponding method for policy-based access to a wireless network. Accordingly, the present invention provides a network device (100) for policy-based access to a wireless network (101), the network device (100) being configured to obtain a unique identifier (102) of a wireless network client (103); determine at least one authorized service (104) based on the unique identifier (102) and based on a policy (105); create a virtual subnet (106) having access to the at least one authorized service (104); and assign the wireless network client (103) to the virtual subnet (106).
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201980095727.3A CN113785606B (zh) | 2019-05-02 | 2019-05-02 | Network device and method for policy-based access to a wireless network |
PCT/EP2019/061216 WO2020221454A1 (fr) | 2019-05-02 | 2019-05-02 | Network device and method for policy-based access to a wireless network |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/EP2019/061216 WO2020221454A1 (fr) | 2019-05-02 | 2019-05-02 | Network device and method for policy-based access to a wireless network |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2020221454A1 true WO2020221454A1 (fr) | 2020-11-05 |
Family
ID=66448529
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2019/061216 WO2020221454A1 (fr) | 2019-05-02 | 2019-05-02 | Network device and method for policy-based access to a wireless network |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN113785606B (fr) |
WO (1) | WO2020221454A1 (fr) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080301801A1 (en) * | 2007-05-31 | 2008-12-04 | Premkumar Jothimani | Policy based virtual private network (VPN) communications |
US8363658B1 (en) * | 2008-11-13 | 2013-01-29 | Sprint Communications Company L.P. | Dynamic firewall and dynamic host configuration protocol configuration |
US20160112452A1 (en) * | 2014-10-15 | 2016-04-21 | Adtran, Inc. | Network access control using subnet addressing |
US20160345170A1 (en) * | 2015-05-21 | 2016-11-24 | Ftac Systems, Inc. | Wireless network segmentation for internet connected devices using disposable and limited security keys and disposable proxies for management |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7627123B2 (en) * | 2005-02-07 | 2009-12-01 | Juniper Networks, Inc. | Wireless network having multiple security interfaces |
US20100074261A1 (en) * | 2008-09-24 | 2010-03-25 | At&T Intellectual Property I, L.P. | Providing access to multiple different services by way of a single network identifier |
US9197498B2 (en) * | 2012-08-31 | 2015-11-24 | Cisco Technology, Inc. | Method for automatically applying access control policies based on device types of networked computing devices |
2019
- 2019-05-02 WO PCT/EP2019/061216 patent/WO2020221454A1/fr active Application Filing
- 2019-05-02 CN CN201980095727.3A patent/CN113785606B/zh active Active
Also Published As
Publication number | Publication date |
---|---|
CN113785606B (zh) | 2023-10-27 |
CN113785606A (zh) | 2021-12-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
KR100826736B1 (ko) | Method for dynamically connecting a client node to a serving network, method for connecting a client node to a plurality of Internet service providers, and method for connecting a client node to a serving network | |
JP4988143B2 (ja) | Computer network | |
US8681695B1 (en) | Single address prefix allocation within computer networks | |
US6954790B2 (en) | Network-based mobile workgroup system | |
US7444415B1 (en) | Method and apparatus providing virtual private network access | |
US20050114490A1 (en) | Distributed virtual network access system and method | |
US7369560B2 (en) | System for converting data based upon IPv4 into data based upon IPv6 to be transmitted over an IP switched network | |
CN110140415B (zh) | WLAN connection using a wireless device | |
US20140075505A1 (en) | System and method for routing selected network traffic to a remote network security device in a network environment | |
US20020133534A1 (en) | Extranet workgroup formation across multiple mobile virtual private networks | |
JP3858884B2 (ja) | Network access gateway, method for controlling a network access gateway, and program | |
KR100714368B1 (ko) | IP address management system interworking with an authentication server | |
JP4253520B2 (ja) | Network authentication device and network authentication system | |
CN113785606B (zh) | Network device and method for policy-based access to a wireless network | |
Stenberg et al. | Home networking control protocol | |
Aura et al. | Securing network location awareness with authenticated DHCP | |
WO2006075823A1 (fr) | Internet protocol address management system operating in conjunction with an authentication server | |
JP5461465B2 (ja) | Computer network | |
Patil et al. | Traversal Using Relays around NAT (TURN) Server Auto Discovery | |
Stenberg et al. | RFC 7788: Home Networking Control Protocol | |
Patil et al. | RFC 8155: Traversal Using Relays around NAT (TURN) Server Auto Discovery | |
Garcia et al. | On Auto-configurable Network Devices. |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19722835; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 19722835; Country of ref document: EP; Kind code of ref document: A1 |