Description
[001] Restricted WLAN profile for unknown wireless terminal
[002] Technical Field
[003] The present invention relates to a wireless terminal comprising an interface for a
wireless link to a local area network LAN being at least partly a wireless LAN WLAN
and an access point AP of WLAN. The wireless terminal and the AP comprise each an
interface for the wireless link and means for interacting via the interface by exchanging
data frames, the interacting means being adapted for constructing data frames for
transmission and for decoding received data frames. Furthermore, the present invention
is also related to a method for setting up a wireless link between a wireless terminal
and an AP of a WLAN.
[004] Background of the invention
[005] Many public and private sector organizations as well as companies or company
groups use since years so called local area networks LAN. Such LAN are built by
wiring different terminals like computers, printers or other kind of terminals allowing
e.g. the set up of a call (using voice over IP). The automatic management and control
of data flow through the LAN are performed by switches, a task now performed by
powerful servers. Those LANs provide access to local information to persons (users)
who connect to a network access point, e.g. a terminal equipped with a fixed or
removable LAN card. Since LAN are also interconnected with other communication
networks like Internet/IP type public data networks and/or public switched telephone
networks (PSTN), such users may be allow to access those communication networks.
[006] The networking of computers has added a great deal of functionality to the standard
desktop computer. It gives a possibility to share resources allowing people to work
together more conveniently. In order to allow computers to work together, the Institute
of Electrical and Electronics Engineers, Inc. (IEEE) has created standards to promote
commonality and interchangeability throughout various disciplines of the electronic
arts. For example, IEEE Standard 802 defines an Ethernet network. By promoting
standards, IEEE has allowed different types of devices manufactured by different
companies to successfully communicate with each other. All the terminals wired
together to form a network are referred generally as end node devices. A LAN is the
subsection of the network also known to those skilled in the art as a broadcast domain.
Hubs, bridges or switches are used in the same physical segment or segments
connecting all end node devices. End node devices can communicate with other end
node devices on the same LAN without the need for a router. A router or gateway
device is required when communications have to be setup between end node devices
on other LAN segments. Specifically, each LAN is separated from an other LAN by
such a device. As networks expand, more such devices are needed to separate users
into LANs and provide connectivity.
[007] In an attempt to overcome the physical limitations of LANs, virtual LANs (VLAN)
were developed. A VLAN can be viewed as a group of devices on different physical
LAN segments which can communicate with each other as if they were all on the same
physical LAN segment. VLANs provide a number of benefits over a LAN. Using
VLANs, it is possible to group computing devices logically into a single broadcast
domain. This allows to define broadcast traffic for these VLAN to just those devices
that need to see it, thus reducing traffic to the rest of the network. There is an increased
connection speed due to the elimination of latency from router connections. An
additional benefit of increased security is realized if access from foreign networks is
not allowed , i.e., those that originate from another subnet beyond the router. On top of
that, it allows to define specific profiles with a restricted service like access to the
Internet or to some part of the Intranet of a company or to the VoIP or part of it i.e. for
the setup of an emergency call. Such restricted profile will be identified by a logical
address corresponding to a specific WLAN.
[008] Nowadays, a new technology became popular allowing to build a networks using
wireless interfaces. Such technology allows to handle operations for accessing to a
wired LAN through an air based on the standard IEEE 802.3. The wireless LAN
WLAN technology includes various technologies defined in the standards IEEE 802.11
(a, b, g). WLANs can be used either to replace wired LANs, or as an extension of the
wired LAN infrastructure.
[009] A WLAN infrastructure is made of wireless terminal like wireless phones or
portable computers and possibly but not necessarily access points AP, wherein data
transmission between the terminals and the access points are carried out partly or
entirely in a wireless manner using radio waves or infrared technology.
[010] The structure of telecommunications networks is generally described using the OSI
model (Open System Interconnection), which defines the interfaces through which the
different devices and the related software communicate with each other. The OSI
model is based on a concept of layers, the lowest, or first, layer known as a Physical
Layer encompassing all logical, electrical and mechanical issues relating to data
transfer. The second protocol layer, i.e. the Data Link Layer, is responsible for
connection set-up, error correction and connection release. The third protocol layer, i.e.
the Network Layer, provides data transfer not dependent on the network structure. The
subsequent layers are the Transport Layer (fourth layer), Session Layer (fifth layer),
Presentation Layer (sixth layer), and Application Layer (seventh layer).
[011] Standardization provides a framework for hardware and software manufacturers to
enable products of different manufacturers to be used side by side. The title of the
WLAN standard is IEEE 802.11 and it has gradually been supplemented by a number
of sub-standards. According to the forthcoming IEEE 802.1 li standard, WLAN authentication
will be carried out according to a second protocol layer authentication
method, such as an IEEE 802.1x protocol before transmission of IP packets between
terminal device and the network. An Access Point enables authentication of the second
protocol layer, such as IEEE 802. Ix authentication.
[012] The basic topology of a WLAN infrastructure is usually called a basic service set
BSS consisting of two or more wireless nodes or stations (the wireless terminals),
which have recognized each other and have established communications. In the most
basic form, stations communicate directly with each other on a peer-to-peer level
sharing a given cell coverage area. Such type of infrastructure is often formed on a
temporary basis, and is commonly referred to as an adhoc network or independent
basic service set IBSS.
[013] In most instances, the BSS contains at least an access point AP. The main functions
of an AP is to form a bridge between wireless and wired LANs. The AP is analogous
to a base station to be used in cellular phone networks. When an AP is present, stations
do not communicate on a peer-to-peer basis. All communications between stations or
between a station and a wired network client go through the AP. AP's are not mobile
and form part of the wired network infrastructure.
[014] In wired LANs, an address is equivalent to a physical location. This is explicitly
assumed in the design of wired LANs. In IEEE 802.11, the addressable unit is a station
(STA). The STA is a message destination, but not (in general) a fixed location i.e. a
wireless terminal. The logical addressing in this standard is defined such that the
wireless media, distribution system, and wired LAN infrastructure can all use different
address spaces usually medium access control MAC address. The standard IEEE
802.11 only specifies addressing for over the wireless medium, though it was intended
specifically to facilitate integration with IEEE 802.3 wired Ethernet LANs. IEEE 802
48-bit addressing scheme was therefore adopted for 802.11, thereby maintaining
address compatibility with the entire family of IEEE 802 standards. But in the vast
majority of installations, the distribution system is a IEEE 802 wired LAN and all three
logical addressing spaces are identical.
[015] For WLAN, the security is rather a hot topic. Indeed, a restriction to an access is not
physically given as for wired LAN through the physical wiring of the different
terminals. Therefore, specific limitations were developed for WLAN. In the standard
IEEE 802.11 was defined two methods for securing the communication between
different entities of a WLAN, namely authentication and encryption. Authentication is
the means by which one station is verified to have authorization to communicate with a
second station in a given coverage area. In the infrastructure mode, authentication is
established between an AP and each station (wireless terminal). Authentication can be
either Open System or Shared Key. In an Open System, any station may request authentication.
Open System authentication is the simplest of the available authentication
algorithm where any station that requests authentication may become authenticated.
But in real world, it has come that such authentication is simply of no use due to the
lack of control which wireless terminals may get an access to the WLAN. And may be
more than 90% of the implemented WLANs use a login procedure based on the
medium access control MAC address of the different stations or wireless terminals.
This procedure is based on the administration usually by some system manager of a list
of the different MAC-addresses of the wireless terminals allowed to build a wireless
link to the WLAN. Such user-defined list is a restrictive list of all the MAC addresses
of the known and allowed stations which are granted an access to the WLAN. The
system manager may administer the list from some desktop connected to the LAN.
Each new entry or correction of a MAC address can be transmitted from the desktop to
a switch of the LAN using simple network management protocol SNMP. To such
switch may be connected a different server dealing with the authentication. Such a
user-list as well as any updates has to be forward to each AP of the WLAN, the AP
being connected to the LAN.
[016] Therefore, for most of the existing WLAN and particularly in the infrastructure
mode i.e. a WLAN comprising one or more AP, the access to such WLAN is simply
restricted to the stations or wireless terminals known by the WLAN. Any other
wireless terminals comprising a wireless interface but unknown to the WLAN will
simply not have any access to it. In fact, a communication or link between such
wireless terminal and a AP of the WLAN will simply not be possible to setup due to
the unknown addressing (MAC) of such wireless terminal.
[017] In EP 1 398 939 is described a processing server allocating user terminals resources
of a LAN being a WLAN. The server is connected to at least one AP to the WLAN and
includes control means. Latter is adapted to classify the wireless terminals in a first
group or a second group according to whether or not they are adapted to establish with
the WLAN communications encrypted in accordance with at least one format. The
control means are also adapted to allocate resources of the WLAN to the wireless
terminals attempting to establish communication therewith as a function of whether
they are classified in said first group or said second group. The control means
determine the MAC address of each wireless terminal attempting to establish communication
with the WLAN. And the server allocates an IP address to the wireless
terminal having the MAC address determined in this way using the dynamic host configuration
protocol DHCP. The use of such a server as disclosed in EP 1 398 939 shall
give a possibility to set up a connection of a restricted kind to the WLAN in the case
the MAC address of the wireless terminal does not correspond to one of these two
groups. The invention as disclosed in this prior art despite being quite attractive cannot
be used in existing and to be built WLAN since not compliant with the applied
standard. Indeed, in existing WLAN an AP is not able even to start any communication
or set up a wireless link with an unknown wireless terminal. Therefore, it is simply not
possible to let access to the WLAN in the case the corresponding MAC address of the
wireless terminal was not identified and known.
[018] Summ ary of the invention
[019] In view of the above, it is an object of the present invention to provide a wireless
terminal and an access point AP of a wireless local area network WLAN able to
exchange data for the setup of a communication while the wireless terminal being
unknown to the AP. It is also an object of the present invention to provide a method for
the setup of such an access to a local area network LAN between an AP of the WLAN
being part of the LAN and a wireless terminal unknown to the AP, such an access
being possibly adapted for a telecommunication like an emergency call.
[020] This object is achieved in accordance with the invention by providing a wireless
terminal and at least an access point AP of a WLAN, the wireless terminal and the AP
comprising an interface for a wireless connection between each other and means for interacting
via the interface by exchanging data frames. The interacting means are
adapted for constructing generated data frames for transmission and for decoding
received data frames. The wireless terminal and the AP are able to perform a restricted
association while the wireless terminal being unknown to the AP. Such restricted association
is identified by a specific data from an exchanged data frame. And the
restricted association corresponds to a restricted access within the LAN being at least
partly the WLAN, the restricted access being defined by a dedicated virtual LAN
VLAN.
[021] In an alternative of the embodiment according to the invention, the specific data is
being sent from the wireless terminal to be received by the AP. Such action can be advantageously
activated by an user of the wireless terminal when the user wishes the
restricted access to the WLAN. This may be of great importance when an emergency
call is required.
[022] In another alternative according to the invention, it is the AP which transmits the
specific data into a broadcast data frame to be received by the wireless terminal. It may
be possible to implement the invention such that the AP transmits such broadcast data
frame periodically. In a further embodiment of the present invention, the information
relative to the dedicated VLAN identifying the restricted access within the LAN corresponding
to the restricted association is provided by a switch of the LAN to the AP.
In that way, the AP is able in an independent manner (without the need to negotiate
with a switch for each restricted association) to let the wireless terminal having a
restricted access to the WLAN.
[023] In accordance with another aspect of the invention, its object is achieved by a
method for setting up a wireless connection between a wireless terminal and an AP of
a WLAN. The method comprises the step of starting a restricted association by
exchanging a specific data between the wireless terminal and the AP while the wireless
terminal being unknown to the AP. Such specific data identifies the restricted association
corresponding to a restricted access within a LAN being at least partly the
WLAN. And the restricted access is defined by a dedicated VLAN. The restricted
access corresponds in an embodiment of the invention to a profile within the LAN for
the user of the wireless terminal. Such profile can define a restricted access to e.g. an
Intranet i.e. restricted access to a private network or to the Internet or to part or
complete VLAN affected for voice communications.
[024] Advantageous developments of the invention are described in the dependent claims,
the following description and the drawings.
[025] Description of the drawings
[026] An exemplary embodiment of the invention will now be explained further with the
reference to the attached drawings in which:
[027] Fig. 1 is a schematic view of an architecture as used for the present
[028] invention;
[029] Fig. 2, 3 are two possible ways to perform an association according to the
invention;
[030] Fig. 4 is a schematic view of a typical data frame comprising the specific data
according to the invention.
[031] Detailed description of preferred embodiments
[032] On figure 1 is shown an example of a network architecture as used for implementing
the present invention. The network comprises a local area network LAN 1.
Such LAN is made of a plurality of terminals like PCs, printers or IP-like phones not
all shown on figure 1. Furthermore, the LAN 1 is made of several switches 3 interconnected
between each other. This may be a typical architecture for a campus-like
network i.e. a private network of a middle to big size. To this LAN 1 are connected
several access points APs 4 building a WLAN. The APs 4 are possibly connected to
the same switch 3 but could also be spread over the entire LAN 1. Wireless terminals
called usually stations at the standard IEEE 802.11 are depicted as wireless phones 5.
But other wireless terminals like PCs or laptops or any other kind of terminal
comprising a wireless interface may also set up a link to the APs 4 as long as an association
is possible (see below). A PC 6 connected to a switch 3 of the LAN 1 is
shown and could correspond to the one of the system manager administering the
present LAN 1. Also a authentication server 7 connected to a server 3 of the LAN 1 is
shown while such authentication server could be also part of a switch 3 or the PC from
the system manager 6. Such authentication server 7 is necessary when for example
login procedure has to be performed before a user is able to connect to this LAN 1. It
can be also used when authentication is required at the WLAN.
[033] The standard IEEE 802.11 used as a standard for the WLAN provides link-level authentication
between the different stations or wireless terminals and the APs. That
standard does not provide either end-to-end (message origin to message destination) or
user-to-user authentication. Rather authentication is used simply to bring the wireless
link up to the assumed physical standards of a wired link. Such an authentication is independent
of any authentication profiles that may be used in higher levels of a network
protocol stack. As described above most of the implemented WLAN use as authentication
procedure a restricted one based on the knowledge of the MAC-address by
the WLAN of the different wireless terminals allowed to build a link with that LAN.
Such MAC-addresses are administer usually but not exclusively by some system
manager as a MAC-address list. This MAC-address list will be possibly stored at an
authentication server like 7 of the LAN 1. The system manager has the task to update it
via its PC 6 using e.g. simple network management protocol SNMP. Each APs 4 of the
WLAN are provided by the updated MAC-address list from the corresponding switch
3. In that way, a wireless connection or link of a wireless terminal 5 and an AP 4 will
take place only if the MAC-address of the wireless terminal 5 was already entered in
that list of the MAC-address by the system manager. Otherwise, no association can
take place.
[034] When implementing the present invention, a wireless connection or link between an
AP 4 and some unknown wireless terminal i.e. with a MAC-address not stored on the
MAC-address list let available to the AP can nevertheless be set up according to the
following specific requirement. Such wireless link corresponding to a restricted association
between the AP of the WLAN and the wireless terminal when within its
reach, will take place if specific data is exchanged via the wireless link identifying
such restricted association. In such a way, after a restricted association was set up successfully
with the wireless terminal, latter will have a restricted access within the LAN
while such restricted access being identified by a dedicated virtual LAN VLAN.
[035] On figure 2 and 3 are shown two alternative ways to set up a wireless link for a
restricted association according to the present invention. On figure 2 is shown the case
where a wireless terminal or mobile station attempts to quickly locate an AP of a
WLAN possibly but not exclusively after a user request at the wireless terminal for the
restricted access. At first, a probe request frame a is transmitted by the wireless
terminal without necessarily knowing if an AP is present and reachable. Such probe
request frame contains together with the MAC-address of the wireless terminal
unknown to the AP also the specific data identifying the required restricted association.
And the coverage of the WLAN will depend on topology as well as the used wireless
interface being radio or infrared and the used frequency band with e.g. around 2.4 GHz
or 5 GHz and the data rates, such coverage reaching up to few kilometres while usually
being more of few tens of meters. In the positive case that the AP received the specific
data, then the AP will answer by a probe response b corresponding to this restricted association.
Indeed, the AP when receiving the probe request frame a from the wireless
terminal with its unknown address performs the procedure to find that address in its
address list of the wireless terminal allowed to access to the WLAN. But since that
address is not registered in the address list, the AP would lock any access from that
wireless terminal to the WLAN if not receiving the specific data identifying the
required restricted association. Therefore, despite being unknown to the AP a restricted
association take place between the wireless terminal and the AP with first the authentication
c followed by an association request d and finalized by the association
response e opening the restricted association for the wireless terminal to the WLAN.
Such restricted association corresponds to a restricted access within the LAN identified
by a dedicated VLAN. Latter correspondence is only possible if the AP receives the information
identifying such dedicated VLAN transmitted by some switch 3 of the LAN
1 using e.g. the logical link discovery protocol LLDP.
[036] On figure 3 is shown the other alternative where such restricted association is
started by the APs of the WLAN. This is the case when the AP transmits usually periodically
a beacon broadcast to allow stations i.e. wireless terminals to locate and
identify a BSS of a WLAN. In the context of the present invention, the APs of the
WLAN may transmit the usual beacon broadcast assigned for known wireless terminal
alternately with the beacon broadcast offering a restricted association to unknown
wireless terminal. It is also possible to conceive that the beacon broadcast corresponding
to the restricted access is transmitted in a parallel way by the APs or only
by some limited numbers of such APs. In the present case of a beacon broadcast corresponding
to the restricted association, the AP transmit the beacon frame a' to be
received by the station or wireless terminal. After receiving such specific beacon frame
comprising the specific data the wireless terminal proceeds with the usual authentication
c followed by the association request d answered by the AP with an association
response e opening the restricted access to the WLAN.
[037] On figure 4 is shown a typical data frame exchanged between wireless terminals
and APs within a WLAN. The broadcast probe request a of alternative shown on figure
2 as well as the beacon broadcast a' shown on alternative figure 3 are usually
constructed according to the data frame as shown on figure 4. The data frame includes
fixed fields such as times stamp, beacon interval, and capability information. The time
stamp is a 64 bit field that contains the value of the stations (alternative 2) or the AP
(alternative 3) synchronization timer at the time that a frame was transmitted. The
beacon interval is the period of beacon transmission. The capability information field
is a 16 bit field that identifies the capabilities of the station or AP. The information
elements in a beacon or probe frame are the server set identifier SSID, supported rates,
physical parameter sets (FH and DS) optional contention free CF parameter set,
optional independent basic service set IDSS parameter set, and an optional traffic
indication map TIM. The SSID will contain usually the MAC-address of the unknown
wireless terminal at alternative 2. In both alternatives, the specific data identifying the
restricted association may be inserted either within the SSID or within the IBSS. Other
possibilities for inserting the specific data may be conceivable as long as agreed in a
standard way. Indeed, any wireless terminal of different manufacturers which have
stored that specific data will be able to insert it into a data frame by their interacting
means devoted for constructing data frames for transmission and for decoding received
data frames via the wireless link. And any APs possibly of different manufacturers but
provided or updated possibly via the link by the switch e.g. using LLDP with this
specific data will be able to set up such restricted association when exchanging that
specific data within a data frame with a wireless terminal.
[038] A restricted association corresponding to a restricted access within the LAN
identified by a dedicated VLAN can be applied for different restricted profiles
depending on the requirement. Each restricted profile will be identified by a specific
dedicated VLAN, such identification being let available to the APs of the WLAN by
the switch possibly using LLDP. A restricted profile could well be dedicated for the
setup of an emergency call using the usual phone number 112 in Europe and 009 in the
US. In that case, when a user of a wireless terminal starts to dial the emergency phone
number on his wireless terminal comprising the wireless interface and interacting
means for inserting the specific data, the following procedure could take place. Even
before starting to try to set up this emergency phone call and with the requirement to
be within the coverage of a WLAN, the interacting means of the wireless terminal will
first transmits the specific data corresponding to such emergency call over the data
frame a (broadcast probe request) as shown on figure 2. And in the case, the association
with a AP was successfully performed only then the AP will let (in a
transparent way) the wireless terminal have an access (usually restricted) to the
dedicated VLAN for such emergency call.
[039] A restricted profile may have other application like the possibility to let available to
unknown wireless terminal to some specific services of a private network when within
the coverage of that WLAN. Such specific services are possibly not confidential or
st intensive like the access (restricted) to the Internet or to some part of the intranet
of that private network or to some private phone book. All these different restricted
accesses corresponding to different specific data to be exchanged will be identified by
different dedicated VLAN, well known by the APs of the WLAN being at least part of
the LAN.
[040]

Claims
[001] A wireless terminal comprising an interface for a wireless link to a Local Area
Network LAN being at least partly a Wireless LAN WLAN and means for interacting
via the interface with the WLAN by exchanging data frames, the interacting
means being adapted for constructing data frames for transmission and
for decoding received data frames and are characterised in that they are able to
perform a restricted association with an Access Point AP of the WLAN when
within its reach while the wireless terminal being unknown to the AP and the
restricted association being identified by specific data from an exchanged data
frame, the restricted association corresponding to a restricted access within the
LAN identified by a dedicated Virtual LAN VLAN.
[002] The wireless terminal according to claim 1 characterised in to send the specific
data into a data frame to be received by the AP via that wireless link when
enabled on the wireless terminal by an user requesting the restricted access.
[003] The wireless terminal according to claim 1 or 2 characterised in that the
restricted access being adapted for the setup of an emergency call.
[004] An Access Point AP of a Wireless Local Area Network WLAN, the AP
comprising an interface for wireless links with wireless terminals and means for
interacting via the interface with the wireless terminals, the interacting means
being adapted for constructing data frames for transmission and for decoding
received data frames and are characterised in that it is able to perform a
restricted association with a wireless terminal when within its reach while the
wireless terminal being unknown to the AP and the restricted association being
identified by specific data from an exchanged data frame, the restricted association
corresponding to a restricted access within a LAN being at least partly
the WLAN, the restricted access being defined by a dedicated Virtual LAN
VLAN.
[005] The AP according to claim 4 characterised in that it is provided with the identification
of the dedicated VLAN by a switch of the LAN, allowing the AP to let
the wireless terminal an access to the VLAN.
[006] The AP according to claim 4 characterised in that it broadcasts data frames with
the specific data to be received by the wireless terminal via the wireless link
providing the restricted access to an user of the wireless terminal.
[007] A method for setting up a wireless link between a wireless terminal and an
Access Point AP of a Wireless Local Area Network WLAN, the wireless
terminal and the AP comprising an interface for the wireless link and means for
interacting via the interface by exchanging data frames, the interacting means
being adapted for constructing data frames for transmission and for decoding
received data frames, the method being characterised by the step of starting a
restricted association by exchanging specific data between the wireless terminal
and the AP while the wireless terminal being unknown to the AP, the specific
data identifying the restricted association corresponding to a restricted access
within a LAN being at least partly the WLAN, the restricted access being defined
by a dedicated Virtual LAN VLAN.
[008] The method according to claim 7 characterised by providing the AP by a switch
of the LAN with the identification of the dedicated VLAN allowing the AP to let
the wireless terminal to access the VLAN.
[009] The method according to claim 7 characterised by sending the specific data into a
data frame to be received by the AP of the WLAN when enabled on the wireless
terminal by an user requesting the restricted access.
[010] The method according to claim 7 characterised by providing to an user of the
wireless terminal the restricted access when the specific data being received in a
data frame from an AP.
[Oil] The method according to one of the claim 7 to 10 characterised by applying it for
a restricted access being adapted for the setup of an emergency call.
[012] The method according to the claim 7 characterised by applying it for a restricted
access corresponding to a profile within the LAN for the user of the wireless
terminal being unknown to the WLAN.