Dynamic authentication in secured wireless networks
A technology for pre-configuring wireless devices, applied in the field of information network security, that addresses the configuration difficulties described below
Active Publication Date: 2009-06-10
RUCKUS WIRELESS
Problems solved by technology
In addition, various technical complications may arise for users and network administrators, including different wireless devices and interfaces, different access requirements, and different a...
Abstract
Systems and methods for authentication using paired dynamic secrets in secured wireless networks are provided. Each authenticated user is assigned a random secret generated so as to be unique to the user. The secret is associated with a wireless interface belonging to the user, so that no other wireless interface may use the same secret to access the network. The secret may be updated either periodically or at the request of a network administrator, and reauthentication to the wireless network may be required.
Application Domain
Unauthorised/fraudulent call prevention; Eavesdropping prevention circuits; +4 more
Technology Topic
Cable network; Wireless sensor network; +4 more
Examples
- Experimental program(1)
Example Embodiment
[0016] Embodiments of the present invention include systems and methods for user-friendly low-maintenance configuration of wireless devices to access restricted wireless networks. Users of wireless devices are allowed to connect to open wireless or wired networks. After the user is authenticated, an application can be generated that will allow the wireless device to connect to a protected or restricted wireless network. After the application is transmitted to and executed on the wireless device, the application configures the wireless device so that it can access the restricted wireless network. The configuration, also called pre-provisioned configuration, can be based on user information, wireless device information, or both. In some embodiments, the application can configure the wireless device so that it can access multiple wireless networks.
[0017] FIG. 1 is a diagram of a system for pre-provisioning a wireless device to access a restricted wireless network 160 according to an exemplary embodiment of the present invention. As shown in FIG. 1, the authentication server 100 includes an authentication module 110, a provisioning configuration database 120, an application generation module 130, a processor 140, a provisioning module 150 and a policy management module 180. The authentication server 100 can be used to maintain security in the network 160. Various client devices such as wireless workstation 170a, laptop computer 170b, and mobile device 170c belong to potential users of network 160.
[0018] The modules (or applications) mentioned in the present invention should generally be understood as a collection of routines that perform various system-level functions and can be dynamically loaded and unloaded by hardware and device drivers as required. The modular software components described herein can also be combined as part of a larger software platform, or integrated as part of application-specific components.
[0019] The authentication module 110 authenticates the user (for example, the user of laptop computer 170b), verifying that the user is who he claims to be and that the user has otherwise been authorized to access the network 160. The authentication module 110 may be used to verify a user name and password provided by the user over a wired or wireless network. The verification can be performed by comparison with the user name and password stored in an authentication database, which may be separate from the authentication module 110 or incorporated into it. Once authenticated by the authentication module 110, the user can access data and perform actions according to the user's security permission level in the network 160. The user's security permission level is defined by the network administrator, may reflect the user's responsibilities in the organization, and is further regulated by the provisioning parameters and policies. The authentication module 110 can implement certain authentication strategies disclosed in U.S. Patent Application 11/788,371, "Dynamic Authentication in Secured Wireless Networks", filed April 18, 2007, the disclosure of which has been previously incorporated herein by reference.
[0020] The provisioning configuration database 120 stores information related to a collection of various parameters and policies that can be used to configure wireless devices to access the network 160. The provisioning configuration database 120 may also store certificates, shared secrets, private keys, and various other information. These parameters and policies can include information used to configure wireless devices to connect to restricted wireless networks, as well as related access policies, such as wireless network names, wireless device parameters, adapter configuration, security-related parameters, access restrictions, quality of service parameters, and so on. The provisioning configuration database 120 may also store information related to users and/or wireless devices associated with one or more provisioning configurations.
[0021] In an exemplary embodiment, an authenticated user may request access to a restricted wireless network. The provisioning configuration database 120 can be searched to find the provisioning configuration associated with the user and/or the wireless device belonging to the user. Once the provisioning configuration is found and installed on the wireless device belonging to the user, the user is allowed to use the wireless device to access the wireless network 160. In addition, the provisioning configuration restricts the user from accessing any part or subset of the network for which the user is not authorized. The provisioning configuration database 120 can operate in conjunction with other components of the authentication server 100 and provide provisioning configuration information to them, including (but not limited to) the application generation module 130, the provisioning module 150 and the optional policy management module 180.
[0022] In some embodiments, as mentioned above, the provisioning configuration database 120 may operate in conjunction with the application generation module 130. The application generating module 130 uses the pre-configured configuration provided by the pre-configured configuration database 120 to generate an application for configuring the wireless device according to the pre-configured configuration. The application may then be transmitted to the wireless device via the provisioning module 150 discussed in more detail herein. The application may be executed automatically, or the application may be manually executed by the user. Once executed, the application can check the wireless device, configure the wireless device, and/or connect the wireless device to the restricted wireless network 160. The configuration of the wireless device may include installing any or all of the parameters, policies, etc. included in the pre-configured configuration obtained from the database 120. Once configured, the wireless device can access the wireless network 160 within the scope of the pre-configured parameters and policies.
[0023] The processor 140 is configured to perform various operations. For example, using authentication information related to the user and/or the wireless device, the processor 140 may search the provisioning configuration database 120 for the provisioning configuration associated with the user and/or the wireless device. Then, by executing instructions and/or applying data sets related to or provided by the application generation module 130, the processor 140 may generate the configuration application described above. By executing instructions and/or applying data sets related to or provided by the provisioning module 150, the processor 140 may provide for transmission of the configuration application to the wireless device via the network 160.
[0024] In an exemplary embodiment of the present invention, the user submits a request for authentication and access to the restricted wireless network 160. The request may include user information (such as user name and password) and/or wireless device information. After the optional authentication operation, the processor 140 uses the information from the request to search the provisioning configuration database 120 for parameters and policies associated with the user and/or wireless device. The information related to those parameters and policies may then be provided to the application generation module 130 for use in generating a provisioning application.
[0025] The provisioning module 150 is configured to deliver (or allow the delivery or transmission of) the self-configuring application generated by the application generation module 130 to the wireless device. This transfer can be done through an open access network as part of an over-the-air download. Transmission can also be carried out via a wired network. The parameters and policies included in the provisioning configuration determine whether and to what extent a user can access a specific wireless network. For example, the user may be authorized to access only one wireless network and/or only to perform certain operations. The provisioning application delivered by the provisioning module 150 can implement certain security policies and/or access policies disclosed in U.S. Patent Application 11/788,371, filed April 18, 2007, the disclosure of which has been incorporated herein by reference.
[0026] The network 160 may be configured to transmit various electromagnetic waves, including, for example, radio signals. The network 160 may be an IEEE 802.11 (Wi-Fi or wireless LAN) network, an IEEE 802.16 (WiMAX) network, an IEEE 802.16c network, and so on. The network 160 can deliver various information to interface devices such as client interface devices 170a-c. The network 160 may be a private local area network or may be part of a larger wide area network.
[0027] Various auxiliary networks may exist within the range of the larger network 160, such as peer-to-peer networks and wireless mesh networks. Some parts of the network 160 may be "open" to allow provisioning before the device is allowed to access the "closed" part of the network 160. In some embodiments, the network 160 may include a wired network for the devices 170a-c (described below) to be authenticated and to download executable applications with pre-configured configurations. Some parts of the network 160 may be dedicated to authentication and downloading executable pre-provisioned applications, while other parts may be dedicated to conventional wireless applications.
[0028] The client wireless interface devices 170a-c represent various devices with wireless capabilities, including desktop computers, laptop computers, handheld computers, and so on. For example, a user who wants to access the wireless network 160 via the wireless device 170a can do so by copying, downloading, or otherwise transferring to the wireless device 170a a copy of the application generated by the application generation module 130 and made available by the provisioning module 150. The application configures the wireless device 170a so that it can access the wireless network 160 within the scope of the provisioning parameters. The wireless devices 170b and 170c can be configured in a similar manner.
[0029] The optional policy management module 180 may also be included as part of the authentication server 100. The policy management module 180 may be responsible for the management and enforcement of parameters and policies for device access to the network 160. These may include parameters and policies that are implemented as part of the provisioning process, as well as which users are allowed to access a specific network and to what extent (for example, specific operations, restricted access, etc.). Some wireless networks can implement policy management and enforcement through a separate server dedicated to that purpose.
[0030] FIG. 2 is a flowchart showing a method 200 for generating a configuration application according to an exemplary embodiment of the present invention. In method 200, a wireless device is allowed to connect to an open wireless network. It is then determined whether the user has been successfully authenticated. If the user has not been authenticated, the user and the wireless device are denied access to the restricted wireless network. If the user has been successfully authenticated, the provisioning configuration associated with the authenticated user and/or wireless device is found, and an application for configuring the wireless device is generated based on that provisioning configuration.
[0031] In step 210, the wireless device accesses an open wireless network. The open wireless network is unprotected so that unauthenticated users and/or wireless devices belonging to the user can form a connection. Once the wireless device is connected to the open wireless network, the user and/or wireless device may be allowed to perform various operations including authentication. In step 210, direct wired access can also be performed.
[0032] In step 220, it is determined whether the user has been successfully authenticated. The authentication module 110 may be used to authenticate the user using information from the user and/or wireless device. The initial authentication can include providing a username and password that identifies the user as a specific user. The determination of whether the user is successfully authenticated may include verifying that the authentication information from the user and/or the wireless device corresponds to the authentication information from the authentication database or the authentication module 110.
[0033] In step 230, the user is not authenticated. This may happen in the following situations: the user is not currently authorized to access the restricted wireless network, the user has entered incorrect authentication information, and so on. If the user cannot be authenticated, the user may not be allowed to access the restricted wireless network 160.
[0034] In step 240, the user has been successfully authenticated. The authentication information from the user and/or wireless device can be used to find the provisioning configuration associated with the user and/or wireless device. The provisioning configuration database 120 can be searched, and the provisioning configuration associated with the user and/or wireless device can be retrieved.
[0035] In optional step 245, a certificate, a shared secret (like the shared secret described in the U.S. co-pending application 11/788,371 named "Dynamic Authentication in Secured Wireless Networks") and/or a private key can be generated. These certificates and the like may be generated by the application generation module 130 or by combining it with another optional application dedicated to certificate generation and the like.
[0036] In step 250, the application generation module 130 generates an application including the provisioning configuration. The application may include the certificate and the like generated in optional step 245. In some embodiments, the generating operations of steps 245 and 250 may be combined into a single operation. Using the provisioning configuration found in step 240, the application generation module 130 generates an application that, when executed, configures the wireless device (or another wireless device) so that it can access the restricted wireless network 160 within the parameters and policies for the user and/or wireless device.
[0037] FIG. 3 is a flowchart showing a method 300 for enabling a wireless device to access a restricted wireless network 160 according to an exemplary embodiment of the present invention. In the method 300, a request for access to a restricted wireless network is received from a wireless device. It is then determined whether the user has been successfully authenticated. If the user cannot be successfully authenticated, the access request is rejected. If the user has been successfully authenticated, it is determined whether the wireless device has a provisioning configuration that allows access to the restricted wireless network 160. If the wireless device does not have such a configuration, the request for access to the restricted wireless network 160 is rejected. If the wireless device has a provisioning configuration that allows access, the request is granted. In addition, the specific provisioning parameters and policies are enforced for the user, the wireless device, and their operation in the restricted wireless network.
[0038] In step 310, a request for access to the restricted wireless network 160 is received from a wireless device belonging to the user. The access request can be received through an open wireless network, a wired connection, or the like.
[0039] In step 320, it is determined whether the user has been successfully authenticated. The determination may be performed in a manner similar to step 220. If the user has not been successfully authenticated, the method proceeds to step 330. If the user has been successfully authenticated, the method proceeds to step 340.
[0040] In step 330, it has been determined that the user has not been successfully authenticated, and the request for access to the restricted wireless network 160 is rejected. This may happen, for example, when the user is not currently authorized to access the restricted wireless network or has entered incorrect authentication information. Rejecting the access request may include terminating the connection, implementing various security measures (for example, recording the date and time of the attempt and flagging it as an illegal or unauthorized access attempt), and so on.
[0041] In step 340, it has been determined that the user has been successfully authenticated. It is then determined whether the wireless device is configured to access the restricted wireless network. The determination may be performed, for example, by checking the wireless device or information from the access request, or by comparing the configuration of the wireless device with the provisioning configuration in the provisioning configuration database 120. If the wireless device has been configured to access the restricted wireless network 160, the method proceeds to step 350. If it is determined that the wireless device is not configured, the method proceeds to step 330. The determination made in step 340 can utilize the techniques disclosed in U.S. Patent Application 11/788,371, filed April 18, 2007 and named "Dynamic Authentication in Secured Wireless Networks", the disclosure of which was previously incorporated herein by reference.
[0042] In step 350, the wireless device has been determined to have been configured to access the restricted wireless network 160, and the access request is granted. In some embodiments, the wireless device may automatically connect to the restricted wireless network 160. Alternatively, the connection can be made manually.
[0043] In step 360, the access of the wireless device to the restricted wireless network 160 is regulated according to the provisioning parameters and policies. The optional policy management module 180 can enforce these parameters and policies so that the user can only access the one or more networks to which the user is authorized.
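The flow of methods 200 and 300 (steps 210-250 and 310-360), as an added example that is not part of the patent or of any Ruckus code: a small server-side model in Python with an authentication database (module 110), a provisioning configuration database keyed by user and wireless interface (database 120), a per-interface secret as described in the abstract (unique to the user, bound to one interface, with rotation and expiry), and the access decision of method 300 with an audit record for each denial as in step 330. The user names, MAC addresses, SSID, rotation period and all function names are constructed assumptions.

```python
"""Server-side model of provisioning (method 200) and access control (method 300).
Added example; every name, address and period below is a constructed assumption."""
import hashlib
import hmac
import secrets
import time


def _derive(password, salt):
    """Password hashing for the authentication database (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed authentication database: user -> (salt, derived key).
_ALICE_SALT = secrets.token_bytes(16)
AUTH_DB = {"alice": (_ALICE_SALT, _derive("correct horse", _ALICE_SALT))}

# Constructed provisioning configuration database (120): one entry per
# (user, interface MAC) pair the user may provision, with its parameters and policies.
PROVISIONING_DB = {
    ("alice", "aa:bb:cc:dd:ee:01"): {
        "ssid": "corp-restricted",
        "allowed_networks": ["corp-restricted"],
        "eap": "TLS",
    },
}

SECRET_MAX_AGE = 7 * 24 * 3600   # hypothetical periodic rotation interval
ISSUED = {}                      # (user, mac) -> {"secret": str, "issued": float}
AUDIT = []                       # denied attempts: (time, user, mac, reason)


def authenticate(user, password):
    """Authentication module 110: compare against the stored derived key in constant time."""
    entry = AUTH_DB.get(user)
    if entry is None:
        _derive(password, b"\x00" * 16)   # same cost for unknown users
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, _derive(password, salt))


def _deny(user, mac, reason):
    """Step 330: reject and record date/time of the attempt for later review."""
    AUDIT.append((time.time(), user, mac, reason))
    return ("denied", reason)


def generate_profile(user, mac, now=None):
    """Steps 240-250: look up the provisioning configuration for this user/interface pair
    and build the self-configuring payload with a fresh secret bound to that interface."""
    cfg = PROVISIONING_DB.get((user, mac))
    if cfg is None:
        return None
    secret = secrets.token_hex(32)
    ISSUED[(user, mac)] = {"secret": secret, "issued": time.time() if now is None else now}
    return {"user": user, "mac": mac, "secret": secret, **cfg}


def provision(user, password, mac, now=None):
    """Method 200 over the open network: authenticate, then generate the application payload."""
    if not authenticate(user, password):
        _deny(user, mac, "not authenticated")
        return None
    profile = generate_profile(user, mac, now)
    if profile is None:
        _deny(user, mac, "no provisioning configuration")
    return profile


def rotate_secret(user, mac):
    """Administrator-requested update: the old secret stops working; the device must re-provision."""
    return ISSUED.pop((user, mac), None) is not None


def handle_access_request(user, password, mac, presented_secret, now=None):
    """Method 300: step 320 authenticates the user, step 340 checks that this interface
    holds a current secret issued to this user, steps 350/360 return the policy to enforce."""
    if not authenticate(user, password):
        return _deny(user, mac, "not authenticated")
    record = ISSUED.get((user, mac))
    if record is None or not hmac.compare_digest(record["secret"].encode(), presented_secret.encode()):
        return _deny(user, mac, "device not provisioned for this user")
    now = time.time() if now is None else now
    if now - record["issued"] > SECRET_MAX_AGE:
        return _deny(user, mac, "secret expired; reauthentication required")
    return ("granted", PROVISIONING_DB[(user, mac)]["allowed_networks"])


if __name__ == "__main__":
    p = provision("alice", "correct horse", "aa:bb:cc:dd:ee:01")
    print(handle_access_request("alice", "correct horse", "aa:bb:cc:dd:ee:01", p["secret"]))
    print(handle_access_request("alice", "correct horse", "aa:bb:cc:dd:ee:02", p["secret"]))
```

Running the file provisions one interface and shows a grant for that interface and a denial when the same secret is replayed from another MAC. The profile returned by provision() carries the secret, so the channel that delivers it in step 440 must itself be authenticated and encrypted; transport is outside this example.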
[0044] FIG. 4 is a flowchart showing a method for pre-provisioning a wireless device to access a restricted wireless network 160 according to an exemplary embodiment of the present invention. A wireless device belonging to a user is allowed to connect to an open wireless network. The user is authenticated. Information from the authentication is used to generate a configuration application, which is then transferred to the wireless device. The application installs the provisioning configuration on the wireless device. Once the wireless device has been configured, it may be allowed to access the restricted wireless network 160.
[0045] In step 410, a wireless device belonging to the user is allowed to access the open wireless network. The connection with the open wireless network may be similar to the connection in step 210. Also as in step 210, direct wired access can be provided.
[0046] In step 420, the user is authenticated by the authentication module 110. The authentication of the user and/or the wireless device may be performed by comparing various information such as the user name and password with the information in the authentication database or the authentication module 110. It is also possible to use the technology disclosed in US Patent Application No. 11/788,371 filed on April 18, 2007 and named "Dynamic Authentication in Secured Wireless Networks", the disclosure content of which has been previously incorporated herein by reference.
[0047] In step 430, the application generating module 130 generates an application including the pre-configured configuration. The application generation can be performed similarly to the application generation in step 250.
[0048] In step 440, the application is transmitted to the wireless device via the provisioning module 150. The application can be copied, downloaded, or otherwise transferred to the wireless device. In some embodiments, after the application is generated in step 430, it may be transmitted to the wireless device automatically. Alternatively, the user may copy, download, or otherwise transfer the application through the open wireless network. The application may also be provided on a computer-readable medium such as an installation disc, or via a portable flash memory card.
[0049] In step 450, the application provided by the provisioning module 150 is executed, and a provisioning configuration for allowing the wireless device to access the restricted wireless network 160 is provided. The application transmitted in step 440 may be automatically executed or executed by the user to install the pre-configured configuration including various parameters and policies associated with the user and/or the wireless device. After the pre-configured configuration is installed, the wireless device becomes able to access the restricted wireless network 160.
[0050] In step 460, the wireless device connects to the restricted wireless network 160 and accesses the restricted wireless network 160. The wireless device may be connected to the restricted wireless network 160 automatically or manually. Access to the restricted wireless network 160 is regulated by the following: pre-configured parameters and policies installed on the wireless device, and other security measures that may be implemented on the server side to maintain the security of the network 160. The parameters and policies can be implemented by the policy management module 180.
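The self-configuring application of step 450, as an added example that is not part of the patent: it takes the delivered profile and writes a wpa_supplicant network block for a restricted 802.11 network using 802.1X with EAP-TLS. The patent does not specify the 802.11 security mode, the file format or field names, so those, the certificate paths, and the hypothetical server_suffix field are assumptions. The example refuses profiles that omit the CA certificate or server name match (without them the device would trust any authentication server presenting a certificate), rejects values that would break out of the quoted config syntax, and installs the file owner-readable only because it points at the delivered private key.

```python
"""Device-side application of step 450 (added example): render the delivered profile
as a wpa_supplicant network block for WPA2-Enterprise / EAP-TLS and install it.
Field names, paths and the security mode are assumptions, not the patent's format."""
import os
import stat
import tempfile

# Fields a profile must carry before anything is installed.
REQUIRED = ("ssid", "identity", "ca_cert", "client_cert", "private_key", "server_suffix")


def validate_profile(profile):
    """Return the missing or empty required fields (empty list when the profile is complete)."""
    return [k for k in REQUIRED if not profile.get(k)]


def _quoted(value):
    """wpa_supplicant string values are double-quoted with no escape syntax, so a quote
    or newline in a provisioned value could inject further directives. Refuse them."""
    if '"' in value or "\n" in value:
        raise ValueError("unsafe character in provisioned value: %r" % value)
    return '"%s"' % value


def render_network_block(profile):
    """Render one network={...} block; raises ValueError on an incomplete or unsafe profile."""
    missing = validate_profile(profile)
    if missing:
        raise ValueError("profile missing: " + ", ".join(missing))
    lines = [
        "network={",
        "    ssid=" + _quoted(profile["ssid"]),
        "    scan_ssid=1",
        "    proto=RSN",
        "    key_mgmt=WPA-EAP",
        "    pairwise=CCMP",
        "    eap=TLS",
        "    identity=" + _quoted(profile["identity"]),
        "    ca_cert=" + _quoted(profile["ca_cert"]),
        "    client_cert=" + _quoted(profile["client_cert"]),
        "    private_key=" + _quoted(profile["private_key"]),
        # pins the authentication server's certificate name, not just the CA
        "    domain_suffix_match=" + _quoted(profile["server_suffix"]),
        "}",
    ]
    return "\n".join(lines) + "\n"


def install(profile, conf_dir):
    """Write the configuration with owner-only permissions and return its path."""
    path = os.path.join(conf_dir, "wpa_supplicant-restricted.conf")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("ctrl_interface=/var/run/wpa_supplicant\n\n")
        f.write(render_network_block(profile))
    os.chmod(path, 0o600)
    return path


def permissions_ok(path):
    """True when only the owner can read the file (on POSIX; elsewhere mode bits are not meaningful)."""
    if os.name != "posix":
        return True
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600


def install_to_tempdir(profile):
    """Convenience for trying the example: install into a fresh temporary directory."""
    return install(profile, tempfile.mkdtemp())


# Constructed profile standing in for what the application of step 440 would carry.
SAMPLE_PROFILE = {
    "ssid": "corp-restricted",
    "identity": "alice@example.test",
    "ca_cert": "/etc/wpa_supplicant/certs/corp-ca.pem",
    "client_cert": "/etc/wpa_supplicant/certs/alice.pem",
    "private_key": "/etc/wpa_supplicant/certs/alice.key",
    "server_suffix": "radius.example.test",
}

if __name__ == "__main__":
    path = install_to_tempdir(SAMPLE_PROFILE)
    print(open(path).read())
    print("permissions ok:", permissions_ok(path))
```

The rendered block is what wpa_supplicant would read under its `-c` option; the paths must point at the certificate and key material the application unpacked alongside it.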
[0051] Although the present invention has been described in connection with a series of preferred embodiments, these descriptions are not intended to limit the scope of the present invention to the specific forms set forth herein. On the contrary, the present invention is intended to cover such alternatives, modifications and equivalents as may be included within the spirit and scope of the present invention as defined by the appended claims and otherwise recognized by those skilled in the art.