247 results about "Rogue access point" patented technology

A device for and method of detecting intrusion into a wireless network that includes a configuration file, a rules files, a main processor, a set packet processor, an initialize preprocessor, a parse rules file, an interface thread unit, a process packet unit, a decoder, a preprocess unit connected to the process packet unit; at least one preprocessor consisting of a rogue access point and transmit channel preprocessor, a NETSTUMBLER preprocessor, a MAC spoofing preprocessor, a DEAUTH flood preprocessor, an AUTH flood preprocessor, a rogue client preprocessor, a bridged network preprocessor, a rogue client valid access point preprocessor, valid client rogue access point preprocessor, an ad-hoc network preprocessor, a wrong channel preprocessor, a cloaking policy violation preprocessor, an encryption policy violation preprocessor, and a null SSID association policy violation preprocessor; and a detector.

Methods, apparatuses and systems facilitating automated detection of rogue wireless access points in a wireless network environment. The present invention, in one embodiment, integrates automated detection of rogue access points into wireless network systems. As discussed more fully below, the present invention can be applied to a variety of wireless network system architectures.

A communication system in which multiple protocols and proxy services are executed by an access point. In one embodiment of the invention, GVRP and GMRP registrations are combined in a single packet when a wireless device roams to a different VLAN. In addition, outbound GVRP and GMRP multicast messages are handled by an access point (also referred to as a GVRP and GMRP “gateway”) such that the wireless device is not burdened with the associated computational overhead. In a further embodiment, a wireless device may dynamically switch between a VLAN-aware state and a VLAN-unaware state depending on the nature of a detected access point. For example, if a relevant access point supports GVRP, the wireless device may operate as a VLAN terminal. If a wireless device is not attached to an access point with a matching VLAN ID, the wireless device sends and receives VLAN tagged frames. If a wireless device configured with a VLAN ID is attached to an access point with a matching VLAN ID, or if the wireless device is attached to a non-VLAN access point, then the wireless device may send and receive raw/untagged frames. In addition to the gateways described below, the ability of a wireless device to detect when it can send untagged frames is considered novel. In another embodiment of the invention, a special ID that is different than the native VLAN ID for a switch port is used for VLAN-unaware devices. This allows such devices that do not issue tagged frames to belong to a single VLAN ID.

Methods and apparatus are disclosed for locating and disabling the switch port of a rogue wireless access point. In one embodiment, a network management device is configured to detect the presence of a rogue access point on a managed wireless network. Once detected, the management device may then instruct a special client, such as a scanning AP, to associate with the rogue access point and send a discovery packet through the rogue access point to network management device. The network management device upon receiving the discovery packet may thereby determine that the rogue access point is connected to a network managed by said network device. The network device may then utilize information contained in the discovery packet to locate the switch port to which the rogue access point is connected, and ultimately disable the switch port to which the rogue access point is connected.

A method of detecting a rogue access point is disclosed. A message is directed from a supplicant to a network through an access point. A network response message is received by the supplicant from the access point. A step of determining whether the access point is one of a valid network access point and a rogue access point is performed based on whether the received network response message is respectively in conformity or nonconformity with predetermined expectations. If the access point is determined to be a rogue access point, it is reported to the network. If the access point is determined to be a valid network access point, the supplicant is authenticated to the network.

A method of roaming between access points on the same or different wireless networks using a single wireless network interface adaptor. A device will establish a connection with a second wireless network access point while still connected with a first wireless network access point such that the device can concurrently communicate with both wireless access points. During and after connection with the second wireless network access point real-time IP data transfer is maintained with another network device by switching between the first and second access points for concurrently sending and receiving data packets via both access points using a switching strategy based at least in part on a number of the data packets to be send to each network access point. The method also determines when to roam, scans for candidate wireless network access points to connect to and selects the best access point for roaming based on selection criteria.

Methods to detect rogue access points (APs) and prevent unauthorized wireless access to services provided by a communication network are provided. A mobile station (MS) reports to a serving AP the received signal strength (RSS) for all APs in the area it travels. The serving AP detect a rogue AP based on inconsistencies perceived in the RSS reports, assessed during the handover phase or whilst the communication is active.

Disclosed is a method for authenticating a mobile node in a wireless local area network including at least two access points and an authentication server. When the mobile node associates with a first access point and performs initial authentication, the mobile node receives a first session key for secure communication from the authentication server by using a first private key generated with a secret previously shared with the authentication server, and the first access point receives the first session key from the authentication server by using a second private key previously shared with the authentication server. When the mobile node is handed over from the first access point to a second access point and performs re-authentication, the mobile node receives a second session key for secure communication from the authentication server by using a third private key generated with authentication information generated during previous authentication and shared with the authentication server and the second access point receives the second session key from the authentication server by using the second private key previously shared with the authentication server.

A wireless network permits wireless devices to determine their own location and receive location-based services. The network includes a communication server coupled to a plurality of access points and at least one mobile wireless device that wirelessly communicates through the access points. Each wireless device includes a location table through which the wireless device can determine its physical location. The location table includes the physical location of the various access points indexed by their network addresses. When the wireless device communicates with an access point, the access point provides the wireless device its address. The wireless device uses the address of the access point as an index into the location table to determine its own location based on the location of the access point. Once the wireless device has determined its own physical location, it requests location-based services from or through the communication server.

There is disclosed a method of helping mobile stations such as voice over IP devices to roam between wireless access points, by each access point transmitting the MAC address of a spanning tree algorithm root switch of the local network domain. This MAC address is used by mobile stations to detect if two access points are in a common network domain.

A detection-based defense to a wireless network. Elements of the infrastructure, e.g., access points or scanning-only access points, detect intruders by detecting spoofed frames, such as from rogue access points. Access points include a signature, such as a message integrity check, with their management frames in a manner that enables neighboring access points to be able to validate the management frames, and to detect spoofed frames. When a neighboring access point receives a management frame, obtains a key for the access point sending the frame, and validates the management frame using the key.

The invention discloses a method for selecting access points (APs), comprising the following steps: an access controller (AC) is made to receive the information on the same client side, which is reported by all access points (APs), and the AC is made to select the APs of the client side according to the information on the client side, which is reported by all the APs; the AC is made to dynamically allot the special media access control (MAC) which is used to communicate with the client side to the selected APs, send the special MAC to the APs and communicate with the client side by the APs according to the special MAC. In the invention, the selection of the APs by the user can be controlled by the client side, and the work load of the client side can be reduced.

Methods, devices and system for access point facilitated fast handoff are provided. Each access point (AP) in a wireless local area network is provided with a primary interface and a secondary interface wherein the primary interface performs normal communication with user terminals and broadcasts standard beacon frames on its working channel, and the secondary interface broadcasts extended beacon frames on working channels of neighbor APs sequentially. The extended beacon frame includes at least information of BSSID, SSID, working channel and the like of the primary interface of the corresponding AP. The user terminal may receive the standard beacons from the serving AP it is communicating with and the extended beacons from the neighbor APs, and according to the two kinds of beacons, the terminal may calculate the signal quality with the primary interface of the serving AP and the signal qualities with the neighbor APs at the current position. By an algorithm of comparing the signal qualities of the best neighbor AP and the serving AP, the terminal may accurately and quickly determine whether to perform handoff with minimized cost.

A wireless local area network (WLAN) includes mobile devices that are allowed to transfer wireless connections between WLAN subnets or channels having different access points. The access points connect to a central controller or roaming server that supports seamless hand-offs of mobile devices from one access point to another access point. The roaming server supports the reassignment of session data parameters from one access point to another (e.g., access point address spoofing) so that the mobile device can use the same parameters for communicating to a new access point. The roaming server also supports the seamless handoff of a mobile device from one access point to another by using a master-slave switch technique across two piconets. The roaming server also facilitates the control of access points by establishing a host controller interface and wireless protocol stack in the roaming server and another, complementary wireless protocol stack in the access point. The roaming server then encapsulates host controller commands in a packet based network protocol used for communication between the roaming server and the access points.

A wireless network client is described which obtains access to the resources of a backbone network provided by a wireless access point. The client is adapted to receive a reassociation request from an access point which is able to detect a degraded condition on the backbone network and inform clients of the degraded condition. Upon detecting the degraded condition, the access point transmits or broadcasts a reassociation request to one or more clients associated with the access point. Information can also be sent identifying the degraded performance of the backbone network and can include other information useful to clients. Once a client has received the reassociation request and/or the informed identifying the degraded performance, the clients seek access to the backbone network through other access points which are not experiencing degraded performance. The seek preferably omits the access point identified as experiencing degraded backbone performance.

The invention relates to a rapid switching method for a wireless local area network, wherein, in a beacon frame being sent, an access point contains a channel used by an adjacent access point, SSID (service set identifier) and BSSID (basic service set identifier) information; a mobile station receives and stores the information of a target access point in the beacon frame, and when switching condition is satisfied, the information is used as a reference for selecting the target access point in switching. The mobile station preferentially searches the beacon frame or sends a polling request frame on a channel appointed by the information, and selects a next access point needing to be switched according to the RSSI (received signal quality indication) of the beacon frame or a polling response frame. Through the rapid switching algorithm of the invention, the mobile station does not need to scan all channels in the wireless local area network, thus greatly reducing switching delay.

The invention provides an access point authorizing method, device and system. The access point authorizing method comprises the following steps of: receiving an authorization request message sent by a communication service platform, wherein the authorization request message comprises an SSID (Service Set Identifier) and an MAC (Media Access Control) address of an access point (AP) to be accessed of a user terminal; determining whether the MAC address of the AP is a legal MAC address resource corresponding to the SSID; if yes, returning an authorization passing response message to the communication service platform to ensure that the communication service platform sends the authorization passing response message to the user terminal. According to the invention, the user terminal authorizes an authorization request of legality of the AP to be accessed, which is initiated by the communication service platform, and an authorization passing result is returned to the user terminal through the communication service platform, therefore the guarantee is provided for accessing the safety AP to the user terminal.

According to one embodiment of the invention, a method comprises an exchange of messages between an access point and a wireless network switch. One message, a PROXY IGMP JOIN message, is transmitted to the access point for propagation to a multicast router. This is performed so that multicast data associated with the multicast group identified by the PROXY IGMP JOIN message is routed to the access point without any unnecessary involvement by the wireless network switch.

There are provided measures for trustworthiness decision making for access authentication, for example relating to the trustworthiness of non-3GPP access networks within a 3GPP-compliant packet data system, exemplary comprising receiving an indication about a provisional trustworthiness of an access network, which provides packet data access for a roaming user, with respect to a visited network of said user from a network element of said visited network, determining the applicability of local breakout or home routing for each subscribed access point name of said user, and deciding about a final trustworthiness of said access network based upon the received provisional trustworthiness indication and the determined routing applicability for each subscribed access point name of said user.