WO2020221454A1 - Network device and method for policy based access to a wireless network - Google Patents


Info

Publication number
WO2020221454A1
Authority
WO
WIPO (PCT)
Prior art keywords
wireless network
network device
network
client
service
Prior art date
Application number
PCT/EP2019/061216
Other languages
English (en)
Inventor
Igor SHAFRAN
Itamar OFEK
Original Assignee
Huawei Technologies Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd.
Priority to CN201980095727.3A (CN113785606B, zh)
Priority to PCT/EP2019/061216 (WO2020221454A1, fr)
Publication of WO2020221454A1 (fr)

Classifications

    • H04W 12/08 Access security (H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W 12/00 Security arrangements; authentication; protecting privacy or anonymity)
    • H04W 12/086 Access security using security domains (H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W 12/00 Security arrangements; authentication; protecting privacy or anonymity > H04W 12/08 Access security)
    • H04L 63/0272 Virtual private networks (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Separating internal from external traffic, e.g. firewalls)
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 63/00 Network architectures or network communication protocols for network security)

Definitions

  • the present invention relates to the field of wireless computer networks, in particular to a network device and a corresponding method for policy based access to a wireless network.
  • the present invention relates to policy based wireless access to a restricted set of services.
  • a service set identifier is a name which is associated with a wireless computer network (e.g. a wireless local area network (WLAN)).
  • the conventional wireless network client uses the SSID associated with the wireless computer network to join the wireless computer network.
  • once the conventional wireless network client has joined the wireless computer network, the entire network topology of the wireless computer network is exposed to it.
  • all services which are provided in the wireless computer network are visible to the connected conventional wireless network clients.
  • Conventional restriction of service access can be implemented by e.g. using a dedicated portal with service links, or by using double or complex (e.g. token based) authentication.
  • Using a security portal may require several steps, and access restriction is based on network filter rules (e.g. of a firewall).
  • different conventional network devices, e.g. access points (APs), may be attached to different subnets, which is why a different set of services is provided to the conventional wireless network client depending on the AP to which it is connected. This is e.g. illustrated in Fig. 5.
  • a WPA pre-shared password based security solution is configured on the wireless network.
  • a set of services is configured on one site A and different set of services is configured on site B.
  • a device that roams from one site to another will get access to a different set of services.
  • On the same site such separation is not feasible with non-identity based authentication such as a pre-shared password.
  • a WPA-enterprise based security solution is configured on the wireless network.
  • a conventional wireless network client will get access to a set of services according to a domain group it belongs to, not related to a specific site. Such separation is achieved by provisioning of conventional wireless network client to a specific VLAN group, wherein a policy is enforced by a firewall.
  • the present invention aims to improve the conventional network device.
  • the present invention in particular enables to determine, which authorized service can be accessed by a wireless network client, based on unique identifier of the wireless network client and based on a policy. In particular, this can be done for several wireless network clients which access a wireless network that is provided by means of a single SSID.
  • the wireless network client which attempts to connect to the wireless network has to be policy certified. This is e.g. achieved with a public-key infrastructure (PKI) certificate.
  • Upon successful authentication at a network device, authorization and policy enforcement are triggered and a subnet is created to which the wireless network client is assigned. Thereby, the topology of the wireless network provided by the network device is hidden. Also, no modification of the wireless network client is required.
  • Applications running on the wireless network client are agnostic to the solution. No application modification is required.
  • This solution also allows for flat service discovery, that is, only those services which are allowed for the wireless network client are present on the subnet to which the wireless network client is assigned. Further, the present invention allows for policy based security enforcement, e.g. at domain name system (DNS) request level, or when connecting to a service.
  • a first aspect of the present invention provides a network device for policy based access to a wireless network, wherein the network device is configured to obtain a unique identifier of a wireless network client; determine at least one authorized service based on the unique identifier and based on a policy; create a virtual subnet having access to the at least one authorized service; and assign the wireless network client to the virtual subnet.
  • the authorized service may include any network service that is not affected by NAT traversal.
  • an authorized service is a service that the wireless network client is authorized to use.
  • the network client is authorized based on the policy.
  • the virtual subnet has access to the at least one authorized service exclusively.
  • Authorized services that are accessible can be selected based on the policy and the unique identifier, wherein e.g. other services can be excluded from being accessible.
  • the unique identifier includes a passphrase combined with at least one of: device unique id or a user name; or a certificate.
  • the certificate is a public key infrastructure, PKI, certificate.
  • the network device is configured to offer the wireless network based on a network identifier to allow for the wireless network client to access the virtual subnet.
  • the network identifier can be a service set identifier, SSID.
  • the network device is configured to create a different virtual subnet for each wireless network client accessing the wireless network, based on the policy.
  • the different virtual subnets for each wireless network client are created based on the policy.
  • each of the different virtual subnets is created based on the unique identifier of the respective wireless network client and based on the policy.
  • the policy is pre-defined and indicates that the at least one authorized service corresponds to the unique identifier.
  • the network identifier of the wireless network is the same for all wireless network clients accessing the wireless network.
  • the virtual subnet is a virtual subnet in an isolated segregated network.
  • a segregated network is an isolated L2 broadcast domain.
  • a subnet or a virtual subnet is an L3 domain (that is, a network layer domain).
  • only the wireless network client assigned to the virtual subnet in the isolated segregated network has access to the virtual subnet.
  • no other clients can reach or access the isolated segregated network.
  • the isolated segregated network may also be called isolated virtual subnet.
  • the at least one authorized service provided to the wireless network client can access the isolated segregated network to communicate with the wireless network client.
  • the network device is further configured to provide a service discovery function to the wireless network client.
  • the service discovery function provides a service identifier of the at least one authorized service to the wireless network client.
  • the service identifier can include an address (e.g. an IPv4 or IPv6 address), a port or a protocol of the at least one authorized service.
  • the service identifier provided to the wireless network client relates to the virtual subnet to which the wireless network client is assigned.
  • the service identifier correlates with the domain of the virtual subnet, e.g. an address range of the virtual subnet.
  • the at least one authorized service is operated in a network different from the virtual subnet assigned to the wireless network client.
  • the network device further includes communication means to allow for communication with the at least one authorized service provided in a network different from the virtual subnet by means of the service identifier relating to the virtual subnet.
  • the communication means includes address routing or address remapping.
  • the network device is an access point, AP.
  • a second aspect of the present invention provides a method for providing policy based access to a wireless network, wherein the method comprises the steps of obtaining, by a network device, a unique identifier of a wireless network client; determining, by the network device, at least one authorized service based on the unique identifier and based on a policy; creating, by the network device, a virtual subnet having access to the at least one authorized service; and assigning, by the network device, the wireless network client to the virtual subnet.
  • the authorized service may include any network service that is not affected by NAT traversal.
  • an authorized service is a service that the wireless network client is authorized to use.
  • the network client is authorized based on the policy.
  • the virtual subnet has access to the at least one authorized service exclusively.
  • the unique identifier includes a passphrase combined with at least one of: device unique id or a user name; or a certificate.
  • the certificate is a public key infrastructure, PKI, certificate.
  • the method further includes offering, by the network device, the wireless network based on a network identifier to allow for the wireless network client to access the virtual subnet.
  • the network identifier can be a service set identifier, SSID.
  • the method further includes creating, by the network device, a different virtual subnet for each wireless network client accessing the wireless network, based on the policy.
  • the different virtual subnets for each wireless network client are created based on the policy.
  • each of the different virtual subnets is created based on the unique identifier of the respective wireless network client and based on the policy.
  • the policy is pre-defined and indicates that the at least one authorized service corresponds to the unique identifier.
  • the network identifier of the wireless network is the same for all wireless network clients accessing the wireless network.
  • the virtual subnet is a virtual subnet in an isolated segregated network.
  • a segregated network is an isolated L2 broadcast domain.
  • a subnet or a virtual subnet is an L3 domain (that is, a network layer domain).
  • only the wireless network client assigned to the virtual subnet in the isolated segregated network has access to the virtual subnet.
  • no other clients can reach or access the isolated segregated network.
  • the isolated segregated network may also be called isolated virtual subnet.
  • the at least one authorized service provided to the wireless network client can access the isolated segregated network to communicate with the wireless network client.
  • the method further includes providing, by the network device, a service discovery function to the wireless network client.
  • the service discovery function provides a service identifier of the at least one authorized service to the wireless network client.
  • the service identifier can include an address (e.g. an IPv4 or IPv6 address), a port or a protocol of the at least one authorized service.
  • the service identifier provided to the wireless network client relates to the virtual subnet to which the wireless network client is assigned.
  • the service identifier correlates with the domain of the virtual subnet, e.g. an address range of the virtual subnet.
  • the at least one authorized service is operated in a network different from the virtual subnet assigned to the wireless network client.
  • the method further includes allowing, by communication means of the network device, for communication with the at least one authorized service provided in a network different from the virtual subnet by means of the service identifier relating to the virtual subnet.
  • the communication means includes address routing or address remapping.
  • the network device is an access point, AP.
  • the second aspect and its implementation forms include the same advantages as the first aspect and its respective implementation forms.
  • FIG. 1 shows a schematic view of a network device according to an embodiment of the present invention.
  • FIG. 2 shows a schematic view of an operating manner of a network device according to an embodiment of the present invention.
  • FIG. 3 shows another schematic view of an operating manner of a network device according to an embodiment of the present invention.
  • FIG. 4 shows a schematic view of a method according to an embodiment of the present invention.
  • FIG. 5 shows an operating principle of a network device according to the prior art.
  • FIG. 1 shows a network device 100 for policy based access to a wireless network 101.
  • the network device 100 can e.g. be an AP, or a router including an AP.
  • the wireless network 101 can e.g. be a WLAN.
  • the network device 100 is configured to obtain a unique identifier 102 of a wireless network client 103; to determine at least one authorized service 104 based on the unique identifier 102 and based on a policy 105; to create a virtual subnet 106 having access to the at least one authorized service 104; and to assign the wireless network client 103 to the virtual subnet 106.
  • the policy 105 may be pre-stored in the network device and may indicate to which wireless network client 103 which service 104 is offered.
  • FIG. 2 shows a schematic view of an operating manner of the network device 100. As it is illustrated in FIG. 2, the network device 100 allows for a flat view of allowed services in a wireless network 101.
  • a wireless network client 103 wirelessly connects to the network device 100 (e.g. an AP) associated with an SSID by presenting the unique identifier 102 (e.g. credentials, or a certificate).
  • the network device 100 provides an isolated, uniquely identified subnet 106 to the authenticated wireless network client 103. No other clients can reach this subnet 106, unless it is explicitly exposed to them.
  • This subnet 106 is not directly routable from the network device 100. Because the subnets are isolated from each other, the same Classless Inter-Domain Routing (CIDR) range can be overlapped between them.
  • the network device 100 in particular can provide the subnet 106 and/or an IP address of the wireless network client 103 by using Dynamic Host Configuration Protocol (DHCP).
  • the network device 100 also can provide a local DNS address and/or a local domain for service discovery. This allows host names to be resolved to local subnet addresses, and it limits the network view of the wireless network client 103 to the authorized services only.
  • the service discovery is "white list" based, in particular according to the unique identifier 102 of the wireless network client 103.
  • the service forwarding rules are applied:
  • the wireless network client 103 connects to the authorized service 104 using a local isolated IP address (from the subnet 106) of the authorized service 104.
  • To enable forwarding of egress packets, the network device 100 translates the destination IP of the packet to a routable service IP.
  • the source IP address can be connection tracked using network address translation (NAT).
  • For the return traffic, the reverse translation is applied.
  • FIG. 3 shows another schematic view of an operating manner of the network device 100. In particular, the following steps are performed in the operating manner shown in FIG. 3:
  • the wireless network client 103 (i.e. the Client Device in FIG. 3) connects to the network device 100 (i.e. the Access Point in FIG. 3) using predefined connection settings.
  • the network device 100 authenticates the wireless network client 103, e.g. by delegating this authentication session to an external AAA server and/or by using an internally implemented WPA-enterprise backend.
  • the network device 100 obtains a list of allowed services from an enterprise service domain, provisions a separate subnet 106 for the wireless client 103, adds the service discovery endpoint to this subnet and populates information regarding all allowed services. Further, the network device 100 adds local logical ports for every allowed service 104 on this subnet 106. All logical ports can be software defined network (SDN) ports, and network traffic directed to and from them can be intercepted and modified by an SDN controlled switch. From the point of view of the wireless network client 103, the logical ports produce the illusion of a limited and well-defined network topology.
  • the network device 100 returns a service discovery domain (SSDP/DNS-SD), subnet 106 and its local IP address to the wireless network client 103.
  • FIG. 4 shows a schematic view of a method 400 according to an embodiment of the present invention.
  • the method comprises a step of obtaining 401, by a network device 100, a unique identifier 102 of a wireless network client 103.
  • the method comprises a step of determining 402, by the network device 100, at least one authorized service 104 based on the unique identifier 102 and based on a policy 105.
  • the method comprises a step of creating 403, by the network device 100, a virtual subnet 106 having access to the at least one authorized service 104.
  • the method comprises a step of assigning 404, by the network device 100, the wireless network client 103 to the virtual subnet 106.
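
The following is an added example that simulates the procedure of FIGs. 2 to 4 in code; it is not code from the patent or from Huawei. It assumes a constructed policy (`POLICY`, keyed by the subject of a validated PKI certificate), a constructed table of routable enterprise services (`SERVICES`) and a class `PolicyAccessPoint` whose method names are illustrative. Each authenticated client receives its own isolated subnet drawn from the same overlapping CIDR, a logical address per authorized service, a whitelist DNS table, destination translation on egress and connection-tracked reverse translation on ingress.

```python
"""Simulation of a policy-based access point: authenticate a client by its
unique identifier, look up the authorized services in a policy, provision an
isolated per-client subnet with a logical address per service, serve whitelist
DNS, and translate addresses on egress/ingress. Added example, not patent code."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data (assumption): routable addresses of enterprise services.
SERVICES = {
    "printer.corp":   ("10.10.0.20", 9100, "tcp"),
    "files.corp":     ("10.10.0.30", 445, "tcp"),
    "hr-portal.corp": ("10.10.0.40", 443, "tcp"),
}

# Constructed policy (assumption): unique identifier (here the subject of a
# validated PKI certificate) -> set of authorized service names.
POLICY = {
    "CN=alice,OU=engineering": {"printer.corp", "files.corp"},
    "CN=bob,OU=hr":            {"printer.corp", "hr-portal.corp"},
}

# Every client's subnet is an isolated L2 domain, so the same CIDR can be
# overlapped for all of them; it is never routable from the enterprise side.
LOCAL_CIDR = ipaddress.ip_network("192.168.100.0/24")


@dataclass
class VirtualSubnet:
    client_id: str
    client_ip: str                 # DHCP-style address handed to the client
    dns: dict                      # whitelist: service name -> logical IP
    dnat: dict                     # logical IP -> (routable IP, port, proto)
    conntrack: dict = field(default_factory=dict)  # (routable IP, port) -> (logical IP, port)


class PolicyAccessPoint:
    def __init__(self, policy, services, cidr=LOCAL_CIDR):
        self.policy, self.services, self.cidr = policy, services, cidr
        self.subnets = {}

    def authenticate(self, cert_subject):
        """Step 401: obtain the unique identifier. A real AP would validate
        the certificate chain first; here the subject string stands in."""
        return cert_subject if cert_subject in self.policy else None

    def provision(self, client_id):
        """Steps 402-404: determine the authorized services, create the virtual
        subnet with one logical port per service, and assign the client."""
        allowed = self.policy[client_id]
        hosts = self.cidr.hosts()
        client_ip = str(next(hosts))
        dns, dnat = {}, {}
        for name in sorted(allowed):          # deterministic logical addresses
            logical_ip = str(next(hosts))
            dns[name] = logical_ip
            dnat[logical_ip] = self.services[name]
        subnet = VirtualSubnet(client_id, client_ip, dns, dnat)
        self.subnets[client_id] = subnet
        return subnet

    def resolve(self, client_id, hostname):
        """Whitelist-based service discovery: names outside the policy do not
        resolve, so unauthorized services are not even visible to the client."""
        return self.subnets[client_id].dns.get(hostname)

    def egress(self, client_id, dst_ip, dst_port):
        """Forwarding rule: rewrite the logical destination to the routable
        service address and record the flow for reverse translation.
        Returns None (drop) if the destination is not an authorized port."""
        subnet = self.subnets[client_id]
        target = subnet.dnat.get(dst_ip)
        if target is None or target[1] != dst_port:
            return None
        routable_ip, port, _proto = target
        subnet.conntrack[(routable_ip, port)] = (dst_ip, dst_port)
        return (routable_ip, port)

    def ingress(self, client_id, src_ip, src_port):
        """Reverse translation of return traffic via the connection-tracking
        table; flows that were never opened from inside the subnet are dropped."""
        return self.subnets[client_id].conntrack.get((src_ip, src_port))
```

Two properties worth checking when reviewing such a design are visible in the simulation: a client that is not in the policy never gets a subnet at all, and a client that somehow learns a routable service address (e.g. `10.10.0.40`) still cannot reach it, because only logical addresses from its own subnet are translated.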

Abstract

The present invention relates to the field of wireless computer networks, in particular to a network device and a corresponding method for policy based access to a wireless network. Accordingly, the present invention relates to a network device (100) for policy based access to a wireless network (101), the network device (100) being configured to obtain a unique identifier (102) of a wireless network client (103); determine at least one authorized service (104) based on the unique identifier (102) and based on a policy (105); create a virtual subnet (106) having access to the at least one authorized service (104); and assign the wireless network client (103) to the virtual subnet (106).
PCT/EP2019/061216 2019-05-02 2019-05-02 Network device and method for policy based access to a wireless network WO2020221454A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201980095727.3A CN113785606B (zh) 2019-05-02 2019-05-02 Network device and method for policy-based wireless network access
PCT/EP2019/061216 WO2020221454A1 (fr) 2019-05-02 2019-05-02 Network device and method for policy based access to a wireless network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2019/061216 WO2020221454A1 (fr) 2019-05-02 2019-05-02 Network device and method for policy based access to a wireless network

Publications (1)

Publication Number Publication Date
WO2020221454A1 true WO2020221454A1 (fr) 2020-11-05

Family

ID=66448529

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2019/061216 WO2020221454A1 (fr) 2019-05-02 2019-05-02 Network device and method for policy based access to a wireless network

Country Status (2)

Country Link
CN (1) CN113785606B (fr)
WO (1) WO2020221454A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080301801A1 (en) * 2007-05-31 2008-12-04 Premkumar Jothimani Policy based virtual private network (VPN) communications
US8363658B1 (en) * 2008-11-13 2013-01-29 Sprint Communications Company L.P. Dynamic firewall and dynamic host configuration protocol configuration
US20160112452A1 (en) * 2014-10-15 2016-04-21 Adtran, Inc. Network access control using subnet addressing
US20160345170A1 (en) * 2015-05-21 2016-11-24 Ftac Systems, Inc. Wireless network segmentation for internet connected devices using disposable and limited security keys and disposable proxies for management

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7627123B2 (en) * 2005-02-07 2009-12-01 Juniper Networks, Inc. Wireless network having multiple security interfaces
US20100074261A1 (en) * 2008-09-24 2010-03-25 At&T Intellectual Property I, L.P. Providing access to multiple different services by way of a single network identifier
US9197498B2 (en) * 2012-08-31 2015-11-24 Cisco Technology, Inc. Method for automatically applying access control policies based on device types of networked computing devices

Also Published As

Publication number Publication date
CN113785606B (zh) 2023-10-27
CN113785606A (zh) 2021-12-10

Similar Documents

Publication Publication Date Title
KR100826736B1 (ko) Method for dynamically connecting a client node to a serving network, method for connecting a client node to a plurality of Internet service providers, and method for connecting a client node to a serving network
JP4988143B2 (ja) Computer network
US8681695B1 (en) Single address prefix allocation within computer networks
US6954790B2 (en) Network-based mobile workgroup system
US7444415B1 (en) Method and apparatus providing virtual private network access
US20050114490A1 (en) Distributed virtual network access system and method
US7369560B2 (en) System for converting data based upon IPv4 into data based upon IPv6 to be transmitted over an IP switched network
CN110140415B (zh) WLAN connection using a wireless device
US20140075505A1 (en) System and method for routing selected network traffic to a remote network security device in a network environment
US20020133534A1 (en) Extranet workgroup formation across multiple mobile virtual private networks
JP3858884B2 (ja) Network access gateway, control method for a network access gateway, and program
KR100714368B1 (ko) IP address management system interworking with an authentication server
JP4253520B2 (ja) Network authentication device and network authentication system
CN113785606B (zh) Network device and method for policy-based wireless network access
Stenberg et al. Home networking control protocol
Aura et al. Securing network location awareness with authenticated DHCP
WO2006075823A1 (fr) Internet protocol address management system operating in conjunction with an authentication server
JP5461465B2 (ja) Computer network
Patil et al. Traversal Using Relays around NAT (TURN) Server Auto Discovery
Stenberg et al. RFC 7788: Home Networking Control Protocol
Patil et al. RFC 8155: Traversal Using Relays around NAT (TURN) Server Auto Discovery
Garcia et al. On Auto-configurable Network Devices.

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19722835; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19722835; Country of ref document: EP; Kind code of ref document: A1)