HK1159935B - System and method for providing wireless local area networks as a service - Google Patents
Publication number: HK1159935B
Authority: HK (Hong Kong)
Abstract
A wireless local area network (WLAN) system is provided. The system comprises a WLAN network controller and a plurality of access points. The WLAN network controller is in communication with each of the plurality of access points via a transport data network. The WLAN network controller is configured to perform one or more network control functions for the benefit of the plurality of access points. The network control functions may be selected from management and operation, client authentication, mobility, and per-user administration. The WLAN network controller is remotely located and operated with respect to the plurality of access points.
Description
Technical Field
The present invention relates to wireless local area networks. More particularly, the present invention relates to a system for providing the use of a wireless local area network as a service to a venue owner in need of the network.
Background
For more than a decade, Wireless Local Area Networks (WLANs) have been deployed successfully, initially at enterprise sites and subsequently at residential and outdoor public sites. Enterprise WLAN systems have evolved from a) a single Access Point (AP), to b) multiple autonomous APs interconnected to conventional switches/routers, typically via Ethernet, and, more recently, to c) APs connected first to a purpose-built on-site WLAN controller and then to a router.
These on-site controllers are typically deployed by Information Technology (IT) administrators within the wiring closet of the enterprise. The controller separates non-secure WLAN traffic from the secure wired network by authenticating each wireless device before it accesses any core wired network services. Controllers improve physical security by moving sensitive information "off the ceiling" (i.e., away from where the AP is located) and into the equipment room. They often provide a central, secure power source for the APs. They provide mobility between APs. Most importantly, they allow centralized management of all WLAN operational aspects, such as security, privileges, upgrades, resource allocation, and performance monitoring.
Recently, with the trend toward outsourcing many IT functions to service providers and toward providing network-based (web-based) services and applications, on-site network controllers have become an obstacle for such service providers. There is therefore a need for a system and method that provides WLAN capability and functionality as a remotely operated service.
Disclosure of Invention
In one aspect, the present invention provides a Wireless Local Area Network (WLAN) system. The system includes a WLAN network controller and a plurality of access points. The WLAN network controller communicates with each of the plurality of access points via a transport data network. The WLAN network controller is in communication with at least one additional server, which is co-located with one of the plurality of access points. The at least one additional server is configured to enable each of the plurality of access points to access the enterprise directory database. The enterprise directory database includes information related to authorized users of the WLAN system. The WLAN network controller communicates with at least one additional server computer via a secure data link.
Each of the plurality of access points may be configured to automatically establish a connection with the WLAN network controller. Each of the plurality of access points may autonomously select a communication channel that enables the respective access point to communicate with at least one client device. Autonomous selection of a communication channel requires selection of a channel with an acceptable amount of self-network interference and an acceptable amount of external network interference.
Each of the plurality of access points may be assigned a respective unique identifier. The WLAN network controller is further arranged to authenticate the corresponding access point using the respective unique identifier. The respective unique identifier may comprise at least one of a MAC address associated with the corresponding access point and a serial number associated with the corresponding access point, or other similar identification.
Each of the plurality of access points is further configured to download network parameters from the WLAN network controller. The downloaded network parameters may include at least one power level and at least one beacon setting. The downloaded network parameters may be predetermined to enable operation of the WLAN system. Each of the plurality of access points is capable of communicating with the transport data network via either a wired connection or a wireless mesh connection.
The WLAN network controller may be further configured to provide secure private access and non-secure public access to the WLAN system. The WLAN network controller may be further configured to provide non-secure public access by instructing at least one predetermined access point to transmit a visitor beacon and using a virtual local area network or traffic tunnel to separate traffic of a visitor terminal associated with the transmitted visitor beacon from the rest of the WLAN.
The WLAN network controller may be further configured to enable a site administrator to perform administrator portal functions, wherein the administrator portal functions comprise at least one predetermined per-user administrative task. The at least one predetermined per-user administrative task may include at least one of activating a new user and providing guest access.
The WLAN network controller may be further configured to perform at least one additional server function. The WLAN system may further include a local processor. The local processor is coupled to each of the plurality of access points and communicates with the WLAN network controller via the transport data network. The local processor may be arranged to perform at least one predetermined processing function.
In another aspect, the present invention provides a method of providing Wireless Local Area Network (WLAN) capabilities as a service. The method comprises the following steps: identifying a plurality of access points belonging to a WLAN; communicating with each of the plurality of access points from a remotely located WLAN network controller via a transport data network; remotely operating the WLAN by performing at least one network control function that is beneficial to the plurality of access points; and connecting to at least one additional server computer co-located with one of the plurality of access points and configured to enable each of the plurality of access points to access the enterprise directory database. The enterprise directory database includes information related to authorized users of the WLAN. The WLAN network controller communicates with at least one additional server computer via a secure data link.
The method further includes the step of automatically downloading management and operational parameters to each of the plurality of access points. The management and operational parameters include at least one radio frequency transmit power level and at least one beacon setting. The management and operational parameters are configurable in the WLAN network controller.
The method further includes the step of automatically downloading at least one software image to at least one selected access point. The at least one selected access point is capable of storing the at least one software image in a first memory bank while continuing to run on the WLAN from a second memory bank. The WLAN network controller is capable of controlling the first and second memory banks.
The method may further include the step of receiving, from each of the plurality of access points, information corresponding to the selected local operating parameters, including at least one of: receiving an operational alert associated with a fault condition; receiving information related to traffic throughput and load; receiving information related to self-network interference or external network interference; and receiving information relating to radio coverage. The method may further comprise the step of applying a threshold to the incoming operational alert. The method may further comprise the step of recording a parameter corresponding to the received information.
The method may further comprise the step of authenticating the client device to the WLAN network by transmitting a message to the at least one access point, the message comprising information relating to the authentication. The authenticating step further includes tunneling the client device MAC address through the transport data network using a predetermined tunneling protocol. The client MAC address may be determined using a Dynamic Host Configuration Protocol (DHCP) snooping operation performed in at least one access point.
The method may further comprise the steps of assigning a respective unique identifier to each of the plurality of access points, and authenticating the corresponding access point using the respective unique identifier. The respective unique identifier may comprise a MAC address or a serial number associated with the corresponding access point, or any other similar identification.
The method may further comprise the step of providing secure private access and non-secure public access to the WLAN system. The step of providing non-secure public access to the WLAN system further comprises instructing at least one predetermined access point to transmit a visitor beacon and separating the traffic of a visitor terminal associated with the transmitted visitor beacon from the rest of the WLAN using a virtual local area network or traffic tunnel. The method may further comprise the step of enabling a user of a predetermined one of the plurality of access points to perform administrator portal functions, thereby enabling that user to manage the at least one network control function.
Drawings
FIG. 1 is a block diagram of a Wireless Local Area Network (WLAN) using a remote network controller in accordance with a preferred embodiment of the present invention;
FIG. 2 is a block diagram of communications within the WLAN of FIG. 1 using a conditional access control switch controlled by an authentication message sent to an access point in accordance with a preferred embodiment of the present invention;
FIG. 3 is a block diagram of communications within the WLAN of FIG. 1 utilizing a tunneling protocol for authenticating traffic in accordance with a preferred embodiment of the present invention;
FIG. 4 is a block diagram of communications within the WLAN of FIG. 1 utilizing a tunneling protocol for data traffic in accordance with a preferred embodiment of the present invention;
FIG. 5 is a block diagram of communications within the WLAN of FIG. 1 using a directory database securely maintained behind an enterprise firewall in accordance with a preferred embodiment of the present invention.
Detailed Description
Recently, with the trend toward outsourcing many IT functions to service providers and providing Web-based services and applications, the present inventors have recognized an opportunity to "externalize" WLAN controller functions. This trend is also in line with the recent movement toward "cloud computing", in which many IT-related capabilities are provided "as services" from the internet without the customer needing to know, specialize in, or control the technical infrastructure supporting those capabilities. Historically, this evolution resembles that of the enterprise voice telephone system, which initially used an on-premise Private Automatic Branch Exchange (PABX) or an Electronic Key Telephone System (EKTS). Subsequently, telephone companies also began to deliver feature-rich services from within the network, using virtual private branch exchange software together with feature phones.
In Wireless Local Area Networks (WLANs), service providers, wired or wireless, have the opportunity to own the WLAN equipment, deploy it within the enterprise, and operate and maintain it remotely, all for a monthly charge. Generally, a fixed fee is paid monthly based on the area covered, the performance offered, etc., which makes differentiated bronze/silver/gold tariff plans possible. This approach eliminates upfront capital costs for the enterprise. A further benefit is that it frees Information Technology (IT) managers from the complex task of deploying and operating wireless systems and eliminates the risks and operating costs associated with equipment failure, performance deficiencies, and ongoing upgrades. The service provider performs continuous network monitoring, troubleshooting, and repair or replacement of Access Points (APs) seven days per week and 24 hours per day, as required for WLAN operation and performance. Service providers add or upgrade equipment to meet the coverage and capacity specifications agreed in customer service agreements.
This new "hosted" WLAN service provides service providers with the opportunity to participate in enterprise data traffic, resulting in a new value-added revenue stream. By operating centrally on multiple customers, service providers are often able to offer services at a very cost competitive price compared to the cost of direct purchase.
In a system according to a preferred embodiment of the invention, the architecture also allows an additional layer of indirection where a third party, such as a device vendor or a system integrator, provides a service provider with a network controller and application software hosted on its own computing platform. The service provider, in turn, conducts transactions directly with the venue owner.
These WLAN networks enable secure private access by groups of users within the enterprise and ready access to the enterprise by roaming visitors, in accordance with a preferred embodiment of the present invention. In the latter case, the network appears to the visitor to be a common "hotspot" consistent with hotspots provided by service providers in a wide variety of other common areas. This common access provides additional revenue streams for the service provider deploying the management network.
Functions
Controller
In a preferred embodiment of the present invention, and with reference to FIG. 1, a Wireless Local Area Network (WLAN) 100 includes an Access Point (AP) 115 and an off-site WLAN network controller 105 connected to the AP 115 via a transport data network 120. The WLAN controller 105 is centrally located in the service provider network 100. The network controller 105 performs all of the functions normally performed by an on-premise WLAN controller in a conventional WLAN, and the network controller 105 may also perform additional functions. The "hosted" network controller 105 may be owned and operated by a service provider; alternatively, the controller 105 may even be outsourced to a third party that provides the controller 105 and/or management application software, which in turn is operated by a service provider.
The client device 125 connects to the WLAN 100 via one or more APs 115. The network 100 is also connected to the internet 130 via the network controller 150, or directly to the internet 130 via the transport data network 120.
The network controller 105 is preferably implemented using one or more general purpose computers, such as a Dell PowerEdge server or an HP ProLiant DL server. The client device 125 is typically a personal computer, such as a laptop, or a palmtop/Personal Digital Assistant (PDA) device. Each of the network controller 105, the AP 115, and the client device 125 may include a microprocessor. The microprocessor may be any type of processor, such as a general purpose microprocessor or microcontroller, a Digital Signal Processor (DSP), an Application-Specific Integrated Circuit (ASIC), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), etc. Each of the network controller 105, the AP 115, and the client device 125 may also include computer memory, such as Random-Access Memory (RAM) or Electrically-Erasable Programmable Read-Only Memory (EEPROM)/flash memory. The computer memory of the network controller 105 may, however, be any type of computer memory or any other type of electronic storage medium located inside or outside the network controller 105, such as Read-Only Memory (ROM), Compact Disc Read-Only Memory (CD-ROM), electro-optical memory, magneto-optical memory, EEPROM, etc.
According to an exemplary embodiment, the respective RAM or EEPROM may contain, for example, the operating programs for any of the network controller 105, the AP 115, and the client device 125. It will be appreciated from the following description that the RAM may be programmed using conventional techniques known to those of ordinary skill in the art of computer programming. The actual source code or object code used to perform the steps of, for example, a computer program may be stored in RAM. Each of the network controller 105, the AP 115, and the client device 125 may also include a database. The database may be any type of computer database used to store, maintain, and allow access to the electronic information stored therein.
The network controller 105 functionality is divided into four main parts. The first part includes the management and operation of physical network resources, typically performed by a service provider. The second part includes providing a client authentication function to restrict network access to authorized users. The third part includes providing cross-location (also commonly referred to as "cross-subnetwork") mobility. A fourth set of functions includes managing all remaining "per-user" functions, which are typically performed by on-site IT personnel.
Management and operation
The network controller 105 performs various configuration, fault monitoring, and performance monitoring functions, including the following:
● automatically download all required configuration information to the AP 115 upon power up/restart (power cycle), including, for example:
o power level
o beacon (service set identifier, or SSID) settings
● upgrade the AP 115 to the latest software load without on-site human intervention
● remotely debug all APs 115
● continuously monitor network operation in real time:
o periodically contact all APs 115 to ensure that they are working properly
o monitor all alarms from the APs 115 in real time
o raise an alarm when a parameter reaches a threshold value
o record events
● remotely diagnose all APs 115
● continuously monitor network performance in real time, including, for example:
o throughput and load
o interference from own and external networks and devices
o coverage
o all thresholdable alarm signals
o maintain a record of all selected parameters
Client authentication
The network controller 105 provides centralized conditional access for client devices to support user authentication, thereby simplifying operation and enabling scaling to large networks with thousands of users. The authentication may be used to provide private access to the network, as well as public access where desired.
Mobility
When an AP 115 or group of APs 115 are located in different buildings, different APs 115 within the same WLAN may be connected to the transport network 120 via different routers and different IP subnets. In order to allow Layer-2 (e.g., Wi-Fi) devices to move between subnets, Layer-2 MAC address information must be passed to the central network controller 105.
Per-user administrator access
In a preferred embodiment of the present invention, an administrator portal may be included to allow on-site personnel to perform any required per-user administrative tasks. Such tasks may include activating a new WLAN user and providing guest access to the WLAN. The administrator portal is preferably implemented as a Web-based application running on the network controller 105, which a site administrator accesses via a conventional Web browser.
Using the administrator portal 110, the site administrator may configure enterprise-specific accounts and settings, including the following information:
● site name and address
● network beacons (e.g., SSIDs), broadcast or hidden
● registered user list
● other configuration files
Additional functions
Additional functions that may be performed by the network controller 105 include the following:
● per-user bandwidth rate limiting
● traffic priority
● content filtering
● client-to-client isolation
● intrusion monitoring and protection
● AP load balancing
The network controller 105 is typically connected to additional network servers, such as:
● Web server 150 for authentication overlay pages, advertisements, etc.
● Remote Authentication Dial In User Service (RADIUS) server 135 for Authentication, Authorization, and Accounting (AAA)
● Dynamic Host Configuration Protocol (DHCP) server 145 for automatic client Internet Protocol (IP) address assignment
● Domain Name Service (DNS) server 140 for Internet name resolution
● billing server
● Customer Relationship Management (CRM) server that tracks account and trouble ticket information
● database for off-line data processing (e.g., Structured Query Language (SQL)) and an interactive interface (e.g., Comma Separated Values (CSV) files)
Any or all of these servers may be integrated into the network controller 105 to miniaturize the deployment, thereby simplifying and reducing the cost of such deployments.
To allow installation by non-IT personnel, such as an electrician, only power needs to be supplied to the on-site AP 115. In this case, the APs 115 are interconnected using wireless mesh connections to form a path back to the wired connection point and then to the network 100.
In the preferred embodiment of the present invention, the AP 115 allows each of the following:
● wired or wireless connections from the APs 115 back to the wired connection point and on to the network 100. If a wired connection is present it may be selected automatically, and if the AP 115 is able to use a wireless mesh connection, the wireless mesh connection between the APs 115 is used
● fully automatic configuration of operating parameters, including channel selection to minimize self and adjacent network interference
● automatic discovery of the network controller 105
● each AP 115 has a unique identifier assigned by the service provider (e.g., a serial number or MAC address stored in a Media Access Control (MAC) address server 155 as shown in FIG. 2) that is used to authenticate the AP 115 to the network controller 105 at power-on
● automatic download of all operational configuration parameters, including power level, beacon (SSID) settings, etc.
● the AP 115 may have dual memory banks, allowing one memory bank to receive download data from the controller while the AP continues to operate from the other memory bank
● the AP 115 may then be upgraded in a predetermined maintenance window by simply switching the active memory bank
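The autonomous channel selection listed above (and in the Disclosure of Invention) is illustrated by the following added example, which is not part of the patent. It scores each candidate 2.4 GHz channel by self-network interference (APs of our own WLAN) and external interference (foreign networks) and chooses a channel on which both stay within an acceptable limit; the overlap model, the dBm limits, the scan results and all names are constructed assumptions.

```python
# Added example (not from the patent): autonomous 2.4 GHz channel selection
# based on self-network and external-network interference, as the AP feature
# list above describes. Scan data, limits and the overlap model are constructed.
import math
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class Neighbor:
    bssid: str
    channel: int
    rssi_dbm: float    # strength of the neighbor as heard by the scanning AP
    same_wlan: bool    # True for APs that belong to our own (managed) WLAN


@dataclass
class ChannelChoice:
    channel: int
    self_dbm: float        # aggregate interference from our own WLAN
    external_dbm: float    # aggregate interference from foreign networks
    acceptable: bool       # both figures within their limits


def overlap_weight(c1: int, c2: int) -> float:
    """Fraction of a neighbor's power that lands on our channel.

    2.4 GHz channels are 5 MHz apart and roughly 20 MHz wide, so channels
    fewer than 5 numbers apart overlap: co-channel is 1.0, 5+ apart is 0."""
    return max(0.0, 1.0 - abs(c1 - c2) / 5.0)


def mw_to_dbm(mw: float) -> float:
    """Linear milliwatts to dBm; zero power maps to -infinity."""
    return 10.0 * math.log10(mw) if mw > 0 else -math.inf


def interference_dbm(channel: int, neighbors: Iterable[Neighbor], own: bool) -> float:
    """Sum, in linear power, the overlapping neighbors of one class (own or
    external) as seen on the given channel, and return the total in dBm."""
    total_mw = sum(overlap_weight(channel, n.channel) * 10 ** (n.rssi_dbm / 10.0)
                   for n in neighbors if n.same_wlan == own)
    return mw_to_dbm(total_mw)


def select_channel(neighbors: List[Neighbor],
                   candidates: Iterable[int] = range(1, 12),
                   self_limit_dbm: float = -80.0,
                   external_limit_dbm: float = -75.0) -> ChannelChoice:
    """Pick the quietest channel that meets both limits.

    Acceptable channels always rank ahead of unacceptable ones; within a
    class the lower combined interference wins. If no channel is acceptable
    the quietest one is still returned, flagged acceptable=False, so the
    controller can log the condition instead of leaving the AP silent."""
    best: Optional[ChannelChoice] = None
    best_key = None
    for ch in candidates:
        s = interference_dbm(ch, neighbors, own=True)
        e = interference_dbm(ch, neighbors, own=False)
        ok = s <= self_limit_dbm and e <= external_limit_dbm
        combined_mw = 10 ** (s / 10.0) + 10 ** (e / 10.0)   # 10 ** -inf == 0.0
        key = (not ok, combined_mw)
        if best_key is None or key < best_key:
            best_key, best = key, ChannelChoice(ch, s, e, ok)
    return best


if __name__ == "__main__":
    # Constructed scan: one of our own APs on channel 1, two foreign networks.
    scan = [Neighbor("00:11:22:33:44:01", 1, -60.0, True),
            Neighbor("66:77:88:99:aa:06", 6, -70.0, False),
            Neighbor("66:77:88:99:aa:0b", 11, -85.0, False)]
    print(select_channel(scan))
```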
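The dual memory banks described in the last two items (and in the Disclosure of Invention) are modelled by the following added example, which is not code from the patent. The controller pushes a new software image into the inactive bank while the AP keeps running from the active one, and the switch happens only inside a maintenance window; the SHA-256 integrity check on the downloaded image, the rollback step, and all names are assumptions added here.

```python
# Added example (not from the patent): an AP with two software banks. A new
# image is downloaded into the inactive bank while the active bank keeps
# serving; activation is gated on a digest check (assumed here) and on being
# inside the maintenance window. Images, digests and windows are constructed.
import hashlib
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class Bank:
    image: bytes = b""
    version: str = ""
    verified: bool = False   # digest matched what the controller announced


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image; the controller would send this alongside it."""
    return hashlib.sha256(data).hexdigest()


def _clock(hhmm: str) -> time:
    return datetime.strptime(hhmm, "%H:%M").time()


class DualBankAP:
    """Two software banks; exactly one is active (running) at any time."""

    def __init__(self, running_image: bytes, running_version: str) -> None:
        self.banks = [Bank(running_image, running_version, True), Bank()]
        self.active = 0

    @property
    def inactive(self) -> int:
        return 1 - self.active

    def running_version(self) -> str:
        return self.banks[self.active].version

    def download(self, image: bytes, version: str, expected_sha256: str) -> bool:
        """Store a controller-pushed image in the inactive bank.

        The active bank is untouched, so the AP keeps serving clients during
        the download. Returns True only if the digest matches; a bank holding
        a mismatched image can never be activated."""
        bank = self.banks[self.inactive]
        bank.image, bank.version = image, version
        bank.verified = sha256_hex(image) == expected_sha256.lower()
        return bank.verified

    @staticmethod
    def in_window(now_hhmm: str, start_hhmm: str, end_hhmm: str) -> bool:
        """True if now falls in [start, end); the window may cross midnight."""
        now, start, end = (_clock(s) for s in (now_hhmm, start_hhmm, end_hhmm))
        if start <= end:
            return start <= now < end
        return now >= start or now < end

    def switch_active(self, now_hhmm: str, start_hhmm: str, end_hhmm: str) -> bool:
        """Activate the inactive bank, only if its image verified and the
        current time is inside the maintenance window."""
        if not self.banks[self.inactive].verified:
            return False
        if not self.in_window(now_hhmm, start_hhmm, end_hhmm):
            return False
        self.active = self.inactive
        return True

    def rollback(self) -> bool:
        """Return to the other bank if it still holds a verified image."""
        if not self.banks[self.inactive].verified:
            return False
        self.active = self.inactive
        return True


if __name__ == "__main__":
    ap = DualBankAP(b"constructed-image-1.0", "1.0")
    new_image = b"constructed-image-1.1"
    ap.download(new_image, "1.1", sha256_hex(new_image))
    print("switched:", ap.switch_active("03:00", "02:00", "04:00"),
          "running:", ap.running_version())
```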
Architecture
Referring to FIG. 1, in accordance with a preferred embodiment of the present invention, APs 115 are connected to the transport data network 120 either directly (e.g., via a Digital Subscriber Line (DSL) or cable modem) or, when multiple APs 115 are present at a location, via an on-premise switch (not shown). In general, data traffic may be routed directly to its destination via the transport data network 120 and then the internet 130, although for some applications data traffic may be "stretched" through the network controller 105 for mobility reasons, as described further below.
Each AP 115 performs a conditional access function so that user traffic cannot be transmitted onto the network 100 until the user's client device has been authenticated. The conditional access function is similar to that performed by an IEEE 802.1X authenticator. In the preferred embodiment of the present invention, the conditional access function is performed regardless of the type of authentication used. Several different authentication schemes can be used, including MAC address "white list" authentication, web page redirection authentication, and IEEE 802.1X (username/password) authentication.
Referring to FIG. 2, in a preferred embodiment of the present invention, the AP 115 performs the conditional access function by ignoring all packets from a client (also referred to as a "supplicant") until the network controller 105 signals that the user's authentication was successful, at which point the AP 115 transmits the client's data traffic onto the network 100. Where MAC authentication is employed, the MAC address is forwarded from the server 155 to the network controller 105 for verification, as described further below. For web redirection and 802.1X authentication, regardless of which authentication method the network controller 105 uses, messages of the Extensible Authentication Protocol (EAP) or custom hypertext markup language messages may be used to communicate between the AP 115 and the network controller 105. The 802.1X RADIUS server 160 and the Web server 150 are connected centrally through the network controller 105. The same method can also be extended to various other authentication schemes. Several schemes are needed to meet the requirements of both private and public network access control.
Referring to FIG. 3, the client MAC address information required for MAC authentication may be communicated to the centralized network controller 105 in several ways, including DHCP snooping, which allows received MAC addresses to be inspected, or tunneling. Either of these mechanisms may be used to pass the MAC address information back through the network 100 to the network controller 105. Tunneling may be performed using any of a variety of protocols, including the Layer 2 Tunneling Protocol (L2TP), Generic Routing Encapsulation (GRE), or similar techniques. For example, when L2TP is used, the AP 115 performs the L2TP Access Concentrator (LAC) function and the network controller 105 performs the L2TP Network Server (LNS) function. In general, tunneling protocols provide an additional benefit: an encrypted link between the AP 115 and the network controller 105 (L2TP and GRE carry no encryption of their own, so in practice the tunnel is protected by a security protocol such as IPsec).
Referring to FIG. 4, where clients are required to move between APs 115 or network locations, a tunneling protocol may further be employed to forward all client MAC addresses from the AP 115 between Tunnel End Points (TEPs). In this configuration, preferably all traffic is tunneled to the network controller 105. The network controller 105 uses standard MAC-address-based forwarding techniques, such as the Rapid Spanning Tree Protocol (RSTP), to ensure that packets are forwarded to the appropriate switch port for transmission to the appropriate location and AP 115. Regardless of the IP routing configuration used to interconnect each of these locations with the transport data network 120, the client device's IP address need not change as the client moves from one AP 115 or network location to another. However, scaling large Layer-2 forwarding networks requires appropriate consideration of several aspects, including the size of the MAC address table, bridging configuration and awareness, broadcast filtering, and other related factors.
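The conditional-access and DHCP-snooping MAC authentication flow of FIG. 2 and FIG. 3 (also claimed in the Disclosure of Invention) is modelled by the following added example, which is not code from the patent. The AP extracts the client hardware address from a snooped DHCP request, sends it to the remote controller for "white list" checking, and forwards the client's frames only after the controller replies that authentication succeeded; the packet bytes, the white list and all class and function names are constructed.

```python
# Added example (not from the patent): AP-side conditional access driven by a
# controller-side MAC white list, with the client MAC learned by DHCP snooping.
# The DHCP payloads are constructed here so the example runs offline.
import struct
from typing import Dict, List, Optional, Set, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie that starts the options
BOOTP_FIXED_LEN = 236              # fixed BOOTP header preceding the options


def dhcp_client_mac(payload: bytes) -> Optional[str]:
    """Return the client hardware address (chaddr) from a raw BOOTP/DHCP payload.

    Only BOOTREQUEST messages with a 6-byte Ethernet address are accepted;
    truncated, non-DHCP or server-originated payloads yield None."""
    if len(payload) < BOOTP_FIXED_LEN + 4:
        return None
    if payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != DHCP_MAGIC:
        return None
    op, htype, hlen = struct.unpack_from("!BBB", payload, 0)
    if op != 1 or htype != 1 or hlen != 6:
        return None
    chaddr = payload[28:28 + hlen]
    return ":".join(f"{b:02x}" for b in chaddr)


def build_dhcp_discover(mac: str) -> bytes:
    """Construct a minimal DHCPDISCOVER payload for the given client MAC."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    header = struct.pack("!BBBBIHH4s4s4s4s",
                         1, 1, 6, 0,             # op=BOOTREQUEST, Ethernet, hlen=6, hops
                         0x3903F326, 0, 0x8000,  # xid, secs, flags (broadcast bit)
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)   # ci/yi/si/giaddr
    body = chaddr + b"\0" * 64 + b"\0" * 128      # chaddr, sname, file
    options = bytes([53, 1, 1, 255])              # option 53 = DHCPDISCOVER, then END
    return header + body + DHCP_MAGIC + options


class NetworkController:
    """Remote controller holding the MAC white list and an audit trail."""

    def __init__(self, whitelist: List[str]) -> None:
        self.whitelist: Set[str] = {m.lower() for m in whitelist}
        self.audit: List[Tuple[str, str, str]] = []

    def authenticate_mac(self, ap_id: str, mac: str) -> Dict[str, object]:
        ok = mac.lower() in self.whitelist
        self.audit.append((ap_id, mac, "AUTH_OK" if ok else "AUTH_FAIL"))
        # This reply is the message "comprising information relating to the
        # authentication" that the controller returns to the AP.
        return {"ap": ap_id, "client": mac, "authenticated": ok}


class AccessPoint:
    """AP-side conditional access: ignore a client until the controller says yes."""

    def __init__(self, ap_id: str, controller: NetworkController) -> None:
        self.ap_id = ap_id
        self.controller = controller
        self.authorized: Set[str] = set()

    def handle_client_frame(self, src_mac: str, payload: bytes, is_dhcp: bool) -> str:
        """Return "FORWARD" or "DROP" for one frame received from a client."""
        src_mac = src_mac.lower()
        if src_mac in self.authorized:
            return "FORWARD"
        if is_dhcp:
            snooped = dhcp_client_mac(payload)
            # The snooped chaddr must match the frame's source address; a
            # mismatch is treated as malformed and dropped without asking the
            # controller, so the white list is only consulted for consistent requests.
            if snooped is not None and snooped == src_mac:
                reply = self.controller.authenticate_mac(self.ap_id, snooped)
                if reply["authenticated"]:
                    self.authorized.add(snooped)
                    return "FORWARD"
        return "DROP"   # unauthenticated: nothing reaches the network
```

MAC white-list authentication binds access to an observed address only, which is why the description above pairs it with web redirection and 802.1X for private-network control.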
In the preferred embodiment of the present invention, the computer hardware used as the network controller 105 is generally selected from a variety of industry standard computing platforms that can provide hardware acceleration for tunnel endpoints in large networks. The key attributes include:
● rack-mounted network computing device
● optional hardware acceleration, e.g., for tunnel endpoint encryption functions
● high speed core network interface, e.g., 10 Gigabit Ethernet
● local 10/100/1000BaseT Ethernet and other industry standard computing interfaces, such as Peripheral Component Interconnect (PCI) and Universal Serial Bus (USB)
● industry standard operating system software, e.g., Windows, Linux, and Solaris
For situations where the size of the network 100 does not merit investment in a fully centralized network controller 105, such as a small vendor, a highly localized deployment, or an enterprise with insufficient network connectivity, all of the same functionality may be provided by a local, on-site version of the network controller 105. Such local network controllers 105 may still be remotely accessed and operated by the service provider.
In a very large network 100, the network controller 105 functions may be distributed: low-level functions, such as data acquisition, may be performed by on-site devices, while top-level coordination and analysis across the per-site devices may be centralized at the remote network controller 105. A specific example is performing the DHCP client IP address assignment function locally inside the AP 115, for example to reduce the number of unique addresses that must traverse the entire network. In this example, a Network Address Translation (NAT) function is also performed within the AP to isolate the local addresses.
Referring to FIG. 5, another example of distributing network controller functionality is shown in a block diagram illustrating the use of one or more enterprise directory databases 180 by the network controller to maintain information about authorized users of the wireless network. In many enterprises, servers such as Lightweight Directory Access Protocol (LDAP) and Active Directory (AD) servers are kept behind the enterprise firewall 170 and maintain the list of authorized users of the existing networks. The network controller is treated as a trusted partner of the enterprise and is granted remote access to the enterprise directory, for example using Active Directory Federation Services. With these services, the network controller 105 may remotely access the enterprise directory database 180 over a secure data link without copying the directory to the service provider's central location. The directory database 180 may be located at any one of a plurality of branch office locations or at a centralized headquarters location, and is used by the network controller 105 to authorize access at all locations.
While the foregoing has described a particularly preferred embodiment of the invention, it is to be understood that the foregoing description is illustrative of the disclosed invention and is not to be construed as limiting thereof. While the invention has been shown and described with respect to the preferred embodiments thereof, it will be obvious to those skilled in the art that such embodiments are provided by way of example only. Numerous variations, changes, and substitutions will now occur to those skilled in the art without departing from the invention.
Claims (36)
1. A wireless local area network, WLAN, control system, comprising:
a WLAN network controller; and
a plurality of access points;
the WLAN network controller is in communication with each of the plurality of access points via a transport data network;
the WLAN network controller is arranged to perform substantially all WLAN network control functions beneficial to at least one of the plurality of access points, the substantially all WLAN network control functions including at least: (i) management and operation of physical network resources, (ii) providing client authentication functions to restrict network access to authorized users, (iii) providing cross-subnetwork mobility, and (iv) management of per-user functions;
wherein the WLAN network controller is located at a service provider device that is remote from the WLAN and the plurality of access points that are not disposed at the service provider device, and wherein the substantially all WLAN network control functions are performed outside of the WLAN;
wherein at least one of the plurality of access points is arranged to determine a client media access control, MAC, address using a dynamic host configuration protocol, DHCP, snoop operation and pass the client MAC address to the WLAN network controller for MAC authentication; and
wherein the WLAN network controller is arranged to authenticate the client to the WLAN by transmitting a message to at least one access point, the message comprising information relating to the authentication.
2. The WLAN system of claim 1, wherein the substantially all WLAN network control functions performed by the WLAN network controller include automatically downloading all required configuration information for the plurality of access points in the WLAN.
3. The WLAN system of claim 1, wherein each of the plurality of access points is configured to automatically establish a connection with a WLAN network controller.
4. The WLAN system of claim 1, wherein each of the plurality of access points is capable of autonomously selecting a communication channel that enables the respective access point to communicate with at least one client device.
5. The WLAN system of claim 1, wherein each of the plurality of access points is assigned a respective unique identifier, wherein the WLAN network controller is further configured to authenticate the corresponding access point using the respective unique identifier, and wherein the respective unique identifier comprises at least one of: a media access control MAC address associated with the corresponding access point, a serial number associated with the corresponding access point.
6. The WLAN system of claim 1, wherein each of the plurality of access points is further configured to download network parameters from a WLAN network controller, wherein the downloaded network parameters include at least one power level and at least one beacon setting, and wherein the downloaded network parameters are predetermined to enable operation of the WLAN system.
7. The WLAN system of claim 1, wherein each of the plurality of access points is capable of communicating with a transport data network via a wired connection or a wireless mesh connection.
8. The WLAN system of claim 1, wherein the WLAN network controller is further configured to provide secure private access and non-secure public access to the WLAN system.
9. The WLAN system of claim 8, wherein the WLAN network controller is further configured to provide non-secure public access to the WLAN system by: instructing at least one predetermined access point to transmit a visitor beacon and separating traffic of the visitor terminal associated with the transmitted visitor beacon from the rest of the WLAN using a virtual local area network or traffic tunnel.
10. The WLAN system of claim 1, wherein the WLAN network controller is further configured to enable a presence administrator to perform administrative portal functions including at least one predetermined per-user administrative task comprising at least one of: activate new user, provide guest access.
11. The WLAN system of claim 1, wherein the WLAN network controller is coupled to at least one additional server configured to enable each of the plurality of access points to use at least one additional server function, wherein the at least one additional server function comprises at least one of: an internet portal function, an authentication, authorization and charging management function, an automatic client Internet Protocol (IP) address allocation function, a Domain Name System (DNS) internet name resolution function, a charging function, an account tracking function, a fault list tracking function and a database management function.
12. The WLAN system of claim 11, wherein the WLAN network controller is further configured to perform at least one additional server function.
13. The WLAN system of claim 1, further comprising a local processor local to the plurality of access points and remote from the network controller, the local processor coupled to each of the plurality of access points and in communication with the WLAN network controller via the transmission data network, the local processor configured to perform at least one predetermined processing function.
14. The WLAN system of claim 1 wherein the WLAN network controller is configured to perform network control functions including automatic upgrades to access point software.
15. A method for providing WLAN control capability as a service, the method comprising the steps of:
identifying a plurality of access points belonging to a WLAN;
communicating with each of the plurality of access points via a transport data network from a WLAN network controller disposed at a service provider location, the service provider being located remotely from the plurality of access points, the WLAN and the access points not being disposed at the service provider;
operating the WLAN by performing substantially all WLAN network control functions at the service provider location that are beneficial to the plurality of access points, the substantially all WLAN network control functions including at least: (i) management and operation of physical network resources, (ii) providing client authentication functions to restrict network access to authorized users, (iii) providing cross-subnetwork mobility, and (iv) management of per-user functions, and wherein substantially all WLAN network control functions are performed outside of the WLAN;
at least one of the plurality of access points utilizes a dynamic host configuration protocol, DHCP, snoop operation to determine a client media access control, MAC, address and to pass the client MAC address to the WLAN network controller for MAC authentication; and
the WLAN network controller authenticates the client to the WLAN by transmitting a message to at least one access point, the message including information related to the authentication.
16. The method of claim 15, wherein the substantially all WLAN network control functions performed by the WLAN network controller include automatically downloading all required configuration information for the plurality of access points in the WLAN.
17. The method of claim 16, further comprising the step of providing secure private access and non-secure public access to the WLAN at the WLAN network controller.
18. The method of claim 17, wherein the step of providing non-secure public access to the WLAN system further comprises: instructing, at the WLAN network controller, at least one predetermined access point to transmit a visitor beacon and separating traffic of a visitor terminal associated with the transmitted visitor beacon from the rest of the WLAN using a virtual local area network or a traffic tunnel.
19. The method of claim 16, further comprising the step of causing, at the WLAN network controller, a user of a predetermined one of the plurality of access points to perform an administration portal function, thereby enabling the user of the predetermined access point to manage the at least one network control function.
20. The method of claim 15, further comprising the steps of:
automatically downloading management and operational parameters from the WLAN network controller to each of the plurality of access points, the management and operational parameters including at least one radio frequency transmit power level and at least one beacon setting, wherein the management and operational parameters are configurable in the WLAN network controller.
21. The method of claim 15, further comprising the step of automatically downloading at least one software image from the WLAN network controller to at least one selected access point, the at least one selected access point capable of storing the at least one software image in a first library of operations and operating on the WLAN through a second library of operations, and the WLAN network controller capable of controlling the first and second libraries of operations.
22. The method of claim 15, further comprising the step of receiving, at the WLAN network controller, information corresponding to the selected local operating parameters from each of the plurality of access points, the step comprising at least one of: receiving an operational alert associated with a fault condition; receiving information related to traffic throughput and load; receiving information related to self-network interference or external network interference; receiving information relating to radio coverage.
23. The method of claim 22, further comprising the step of applying a threshold to incoming operational alerts at the WLAN network controller.
24. The method of claim 22, further comprising the step of recording parameters corresponding to the received information at the WLAN network controller.
25. The method of claim 15, wherein the authenticating step further comprises tunneling a client device MAC address over a transport data network using a predetermined tunneling protocol at the WLAN network controller.
26. The method of claim 15, further comprising the step of connecting to at least one additional server computer at the WLAN network controller, the at least one additional server computer configured to enable each of the plurality of access points to use at least one additional server function.
27. The method of claim 26, wherein the at least one additional server function comprises at least one of: an internet portal function, an authentication, authorization and charging management function, an automatic client IP address allocation function, a DNS internet name resolution function, a charging function, an account tracking function, a fault list tracking function and a database management function.
28. The method of claim 15, further comprising the steps of:
assigning, at the WLAN network controller, a respective unique identifier to each of the plurality of access points; and
authenticating, at the WLAN network controller, the corresponding access points using the respective unique identifiers;
wherein the respective unique identifier is selected from the group consisting of a MAC address associated with the corresponding access point and a serial number associated with the corresponding access point.
29. The method of claim 15, wherein the step of operating the WLAN by performing at least one network control function at the service provider location comprises the step of automatically upgrading access point software.
30. A method for providing WLAN control capability as a service, the method comprising the steps of:
providing a WLAN having a plurality of access points on site at the WLAN;
providing a WLAN network controller at a service provider, the service provider being remote from and not on the site of the WLAN, the plurality of WLAN access points not being located at the service provider;
remotely managing the plurality of access points located on a WLAN site with the WLAN network controller not located on the WLAN site, the WLAN network controller performing substantially all WLAN network control functions located remotely from the WLAN, the substantially all WLAN network control functions including at least: (i) management and operation of physical network resources, (ii) providing client authentication functions to restrict network access to authorized users, (iii) providing cross-subnetwork mobility, and (iv) management of per-user functions, and wherein substantially all WLAN network control functions are performed outside of the WLAN;
at least one of the plurality of access points utilizes a dynamic host configuration protocol, DHCP, snoop operation to determine a client media access control, MAC, address and to pass the client MAC address to the WLAN network controller for MAC authentication, and
the WLAN network controller authenticates the client to the WLAN by transmitting a message to at least one access point, the message including information related to the authentication.
31. The method of claim 30, wherein the substantially all WLAN network control functions performed by the WLAN network controller comprise automatically downloading all required configuration information for the plurality of access points in the WLAN.
32. The method of claim 31, wherein the service provider causes the network controller to perform substantially all WLAN network control functions.
33. The method of claim 31, wherein the network controller is disposed at a center of the service provider network.
34. The method of claim 31, wherein the network controller is owned and operated by the service provider.
35. The method of claim 31, wherein the network controller performs user authentication for a user of the WLAN access point.
36. The method of claim 30, wherein the step of remotely managing the plurality of access points located on a WLAN site with the network controller off-site from the WLAN site comprises the step of automatically upgrading access point software.
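The client-admission flow recited in claims 1, 15 and 30 (an access point snoops DHCP to learn the client MAC address, forwards it over the transport network to the remote controller for MAC authentication, and the controller answers with an authentication message), as an added Python example that is not part of the patent or of any product it describes. The BOOTP/DHCP field layout follows RFC 2131; the `RemoteController` class, its reply format, the AP identifier and the allowlist are assumptions, and every packet is constructed rather than captured.

```python
import struct

# Fixed BOOTP/DHCP header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr (28 bytes), then chaddr (16), sname (64),
# file (128) and the magic cookie at offset 236. All packets here are constructed.
DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, HTYPE_ETHERNET = 1, 1


def snoop_client_mac(payload: bytes) -> str:
    """AP-side DHCP snoop: read the client hardware address (chaddr) from a
    client-originated DHCP message carried in a UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen = struct.unpack_from("!BBB", payload, 0)
    if op != BOOTREQUEST or htype != HTYPE_ETHERNET or hlen != 6:
        raise ValueError("expected a client request over Ethernet")
    return ":".join(f"{b:02x}" for b in payload[28:28 + hlen])


def build_dhcp_discover(mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Constructed DHCPDISCOVER payload (sample input, not captured traffic)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s", BOOTREQUEST, HTYPE_ETHERNET, 6, 0,
                        xid, 0, 0x8000, b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    chaddr = mac.ljust(16, b"\0")
    options = b"\x35\x01\x01\xff"  # option 53 = DHCPDISCOVER, then END
    return fixed + chaddr + b"\0" * 64 + b"\0" * 128 + DHCP_MAGIC + options


class RemoteController:
    """Hypothetical stand-in for the service-provider-side controller 105,
    holding a venue's MAC allowlist (constructed). In the patent's fig. 5
    arrangement this lookup would be backed by the enterprise directory."""

    def __init__(self, allowlist):
        self._allowed = {m.lower() for m in allowlist}

    def mac_authenticate(self, ap_id: str, client_mac: str) -> dict:
        # The reply is the "message comprising information relating to the
        # authentication" that the AP enforces (claim 1); its format is assumed.
        verdict = "ACCEPT" if client_mac.lower() in self._allowed else "REJECT"
        return {"ap": ap_id, "client_mac": client_mac, "result": verdict}


def admit_client(ap_id: str, dhcp_payload: bytes, controller: RemoteController) -> dict:
    """Whole flow: the AP snoops the MAC, forwards it, the controller decides,
    and the AP applies the verdict. A MAC is a self-reported identifier, so this
    gates access at the device level only; the claims pair it with the client
    authentication functions (user-level) that the controller also provides."""
    mac = snoop_client_mac(dhcp_payload)
    return controller.mac_authenticate(ap_id, mac)


if __name__ == "__main__":
    ctrl = RemoteController(["00:11:22:33:44:55"])  # constructed allowlist
    pkt = build_dhcp_discover(bytes.fromhex("001122334455"))
    print(admit_client("ap-115", pkt, ctrl))  # result: ACCEPT
```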
Applications Claiming Priority (5)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US12/358,049 US8428036B2 (en) | 2009-01-22 | 2009-01-22 | System and method for providing wireless local area networks as a service |
| US12/358,049 | 2009-01-22 | | |
| US12/433,491 | 2009-04-30 | | |
| US12/433,491 US8467355B2 (en) | 2009-01-22 | 2009-04-30 | System and method for providing wireless local area networks as a service |
| PCT/CA2010/000049 WO2010083585A1 (en) | 2009-01-22 | 2010-01-18 | System and method for providing wireless local area networks as a service |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| HK1159935A1 (en) | 2012-08-03 |
| HK1159935B (en) | 2015-11-20 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8467355B2 (en) | System and method for providing wireless local area networks as a service | |
| US8428036B2 (en) | System and method for providing wireless local area networks as a service | |
| US8472920B2 (en) | System and method for providing wireless networks as a service | |
| US9119225B2 (en) | Centralized access control system and methods for distributed broadband access points | |
| RU2517684C2 (en) | Access point, server and system for distributing unlimited number of virtual ieee 802,11 wireless networks through heterogeneous infrastructure | |
| US9015855B2 (en) | Secure tunneling platform system and method | |
| EP2643996B1 (en) | Automatic remote access to ieee 802.11 networks | |
| JP2016526319A (en) | Control and management of virtual enterprise access points | |
| JP5293445B2 (en) | Wireless communication method, wireless communication system, and computer-readable medium | |
| EP2606663A1 (en) | A system and method for wi-fi roaming | |
| WO2011041058A2 (en) | Methods and systems for enhancing wireless coverage | |
| CN113765874A (en) | Private network and dual-mode networking method based on 5G mobile communication technology | |
| US9258309B2 (en) | Method and system for operating a wireless access point for providing access to a network | |
| JP3601434B2 (en) | Pseudo public wireless access service | |
| Battiti et al. | Global growth of open access networks: from warchalking and connection sharing to sustainable business | |
| JP2010074481A (en) | Lan system, terminal device, utilization application device, and user account acquiring method | |
| HK1159935B (en) | System and method for providing wireless local area networks as a service | |
| US10470054B2 (en) | Mobile communications transmission system for providing a multiplicity of mobile communications cells in a building or campus | |
| JP2005341456A (en) | Public wireless LAN shared access point providing system | |
| EP1307004A1 (en) | Wireless communication network | |
| HK1187759A (en) | Automatic remote access to ieee 802.11 networks |