WO2013041880A1 - System and method for monitoring network connections - Google Patents
System and method for monitoring network connections
- Publication number
- WO2013041880A1 (PCT/GB2012/052346)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- client device
- authenticated
- connection
- wireless client
- network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
All within H (Electricity), H04 (Electric communication technique); H04L covers transmission of digital information, H04W wireless communication networks.
- H04L63/102 — Entity profiles (under H04L63/10, network architectures or protocols for network security for controlling access to devices or network resources)
- H04L63/10 — Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/0892 — Authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols (under H04L63/08, authentication of entities)
- H04W12/06 — Authentication (under H04W12/00, security arrangements; authentication; protecting privacy or anonymity)
- H04W12/08 — Access security (under H04W12/00)
- H04W48/02 — Access restriction performed under specific conditions (under H04W48/00, access restriction; network selection; access point selection)
Definitions
- This invention relates to a network access system, and more particularly to a system to enable improved monitoring of network connections within a publicly accessible wireless network.
- Publicly accessible network access systems are generally known, in which wireless networking devices registered with the system can connect to a protected service or resource, such as access to the Internet, via wireless access points in the system, commonly referred to as hotspots.
- hotspots: wireless access points in the system
- network activity by the connected devices through the core network of the system is typically monitored for tracking, management, accounting and billing purposes.
- a captive portal may be provided to intercept all network data packets from a client device connecting to the network until the device and user are authenticated and authorized.
- the captive portal stores a login web page that is displayed by a browser on the client device to force authentication before the device is permitted access to a requested protected service or resource.
- the level of authentication may differ depending on the service provider and may involve one or more of device and user authentication, transfer and confirmation of payment, and output and acceptance of usage policies.
- RADIUS: Remote Authentication Dial In User Service
- AAA: Authentication, Authorization and Accounting
- an apparatus for controlling access to a network service or resource by a wireless client device, the apparatus comprising means for intercepting data packets transmitted from the wireless client device; means for determining that the wireless client device is a non-authenticated device; means for processing the intercepted data packets to determine whether the non-authenticated client device is allowed access to the network service or resource, wherein the non-authenticated client device is allowed access when it is determined that the data packets match a connection profile defining at least one network characteristic for the data packets; and means for monitoring the intercepted data packets for the non-authenticated device.
- a system for controlling access to a protected service or resource by authenticated and authorized devices, the system comprising a connection tracker in a network router, the connection tracker adapted to provide access to the protected service or resource to a non-authenticated and non-authorized device based on an associated connection profile.
- the present invention provides a method for controlling access to a protected service or resource by authenticated and authorized devices, by providing access to the protected service or resource to a non-authenticated and non-authorized device based on an associated connection profile.
- Figure 1 is a block diagram showing the main components of a network access system according to an embodiment of the invention.
- Figure 2 is a flow diagram illustrating the main processing steps performed by the system of Figure 1 according to an embodiment.
- Figure 3, which comprises Figures 3a and 3b, is a flow diagram illustrating in more detail the main processing steps performed by the connection tracker and network access controller components of the system of Figure 1 according to an embodiment.
- Figure 4, which comprises Figures 4a and 4b, is an illustration of exemplary profile and connection profile tables of the profile definition data used by the system to control access according to an embodiment.
- Figure 5 is a state diagram illustrating the main states of a network connection according to an exemplary embodiment.
- a network access system 1 comprises a client device 3 connected to a node of a core communication network 5, illustrated in this embodiment as a wireless access point 7.
- the client device 3 may be any form of electronic device such as a computer terminal, laptop, mobile telephone or other computing device, with a wireless network interface for Local Area Network (LAN) communications.
- LAN: Local Area Network
- the core communication network 5 may include both wireless and wired data links through a plurality of communication networks.
- a captive portal 9 intercepts network data packets from the client device 3 connected to the core network 5, to provide for authentication, authorization and accounting of the network connections.
- the captive portal 9 includes a central network router 11 for intercepting and tracking network connections to requested application services.
- the captive portal 9 also includes a central web server 15 for facilitating communication of network data and messages between components of the captive portal 9.
- An application cluster 17 in the captive portal 9 includes a network access controller (NAC) 19 in communication with the router 11 via the web server 15, for provisioning and maintaining sessions in the core network 5.
- the NAC 19 stores and maintains session data 20 in a central database or data store 35.
- although the web server 15 is illustrated as a separate central component of the captive portal 9 in Figure 1, those skilled in the art will appreciate that the application cluster 17, AAA module 21, DHCP server 39 and database 35 may form part of the web server 15 of the captive portal 9.
- the NAC 19 is also in communication with an Authentication, Authorization and Accounting (AAA) module 21 for handling the authentication of the client device 3 before granting access to the core network, the authorization of the client device 3 for particular protected services and resources including external application services, and the accounting of usage by the client device 3 of those services and resources.
- the AAA module 21 may include one or more AAA sub-modules for respective specific forms of authentication, authorization and accounting.
- a voucher AAA sub-module 23 may be included for providing temporary access to the protected services and resources by way of time-based vouchers.
- One or more vendor AAA sub-modules 25 may be included for controlling and restricting access based on a specific vendor associated with the client device 3.
- a client device 3 may be pre-registered with a particular mobile telephone service provider that allows access to protected services and resources via the communication network 5.
- the device 3 is an authenticated device and the respective vendor AAA sub-module 25 will be identified and used to perform authentication, authorization and accounting for the client device 3.
- the AAA module 17 may be a hosted AAA server farm (not shown) based on the well-known RADIUS (Remote Authentication Dial In User Service) protocol, and in this embodiment includes a Roampoint Radius proxy 25 for secure communication with an external RADIUS server and for logging all RADIUS accounting records (starts, interims and stops) used and mediated, which form the basis for generation of Charging Data Records (CDR).
- the proxy 25 can log the accounting records in an accounting table 22 in the database 35.
- the AAA module 21 can receive requests from the NAC 19 to create and maintain Radius sessions in the system 1, for example requests to start new Radius sessions, start accounting for created Radius sessions and stop existing Radius sessions.
- AAA module 21 may instead be implemented for the AAA module 21.
- a billing system (not shown) coupled to the AAA module 21 may be provided for performing administrative and billing functions for the services and resources, based on the information of accounting usage by the client devices logged by the AAA module 21.
- the network router 11 identifies and stores connection information 26 about the current or last known state of each network connection passing through the network, for example using tables stored at the operating system kernel level; "iptables", for example, is a known application program for accessing connection tables in an IP-based communications network.
- a connection tracker 27 in the router 11 is an administration tool for netfilter connection tracking and is used to search, list, inspect and maintain the current connections information 26.
- the connection tracker 27 is a daemon process running in the operating system kernel of the router 11.
- the connection tracker 27 may track the network connections within an in-memory hash table based on calculated packet and byte counters.
- the connection tracker 27 may also determine connection state changes and communicate the state changes as events to the NAC 19.
- the kernel tracks and stores a list of connections in memory, which are obtained by the connection tracker 27 for example by connecting to an associated API or by calling a system command with a predefined set of arguments.
- the connection tracker 27 is configured to determine if an active connection is associated with an authenticated client device 3, that is a client device 3 which is registered with the service provider and therefore suitable for AAA processing according to the protocol of the network access system 1.
- the connection tracker 27 is configured to also track Accounting Non-Authenticated Session (ANAS) connections, that is connections from client devices 3 that are not registered with the system 1 and therefore not suitable for authentication and authorization by an AAA module, but must also be tracked for accounting purposes.
- the connection tracker 27 tracks ANAS connections based on profile definition data 31 stored for example as tables in a database 35, as will be described in more detail below.
- the connection tracker 27 communicates with a remote service in the NAC 19 to access and retrieve an up-to-date copy of the profile definition data 31 from the database 35, and to store the retrieved profile definition data as cached profile definition data 33 in a profile cache 37 for improved database performance.
- Updated profile definition data may be retrieved from the database 35 at predefined time intervals, for example hourly or daily, or in response to an update event notification.
- the profile cache 37 may be configured with eviction policies to ensure that the cached profile definition data 33 stored in the profile cache 37 is always up-to-date. For example, each profile may be associated with a start and end date, and the NAC 19 may determine if a particular profile is still valid.
- the captive portal 9 also includes a DHCP server 39 for automatically configuring the client device 3 with an assigned network parameter in response to a DHCP request packet received from the client device 3 via the router 11, as is well known in the art.
- the DHCP server 39 assigns the client device 3 with an IP address and a lease time for the allocated IP address.
- the DHCP server 39 may also assign the client device 3 with other IP configuration parameters.
- the DHCP server 39 may be configured to automatically allocate IP addresses from a predefined range of IP addresses assigned to the captive portal 9 or to perform allocation based on a table defining IP address and client device Media Access Control (MAC) address pairs.
- the DHCP server 39 manages the pool of IP address and information about client device configuration as DHCP configuration data 41 in the data storage 35.
- the application cluster 17 also includes a Secure Access Portal 43 (SAP) for providing secure access by allowed devices to protected services and resources external to the system 1 and the core network 5, a redirect application 45 for forwarding data packets from allowed devices on to intended destinations external to the system 1 and the core network 5, and an extranet 47 for providing the presentation layer that may be used by the NAC 19 to provision new profile definitions 31 in the database 35.
- SAP: Secure Access Portal 43
- the web server 15 may include a plurality of servers forming a web server farm and all HTTP/HTTPS traffic between the connection tracker 27 and the NAC 19 would go via the web server farm to be load balanced.
- the web server 15, network router 11, application services module 13, AAA module 21, DHCP server 39 and application cluster 17 of the captive portal 9 may be arranged as components in a wired network.
- the process begins at step S2-1 where the client device 3 identifies a wireless access point 7 of the core network 5 of the system 1.
- the client device 3 transmits a join request message to the wireless access point 7.
- the router 11 in the captive portal 9 intercepts the join request and processes the join request at step S2-7 to establish an active connection for the client device 3, for example using the DHCP server 39 to assign the client device 3 with an IP address and a lease time for the allocated IP address for automatically configuring the client device 3 as is known in the art.
- the connection tracker 27 in the router 11 determines if the client device 3 is registered with the system 1 and eligible for an authenticated session.
- at step S2-11 the connection tracker 27 in the router 11 determines if the connection is eligible for a non-authenticated session based on stored connection profile definition data, as will be described in more detail below. If the connection is not eligible as an ANAS, then processing proceeds to step S2-13 where the client device 3 informs the user that registration is required before the client device 3 is allowed access to the requested protected service or resource via a MAC authenticated session. This may be in the form of a web page prompting the user to sign up and register the client device 3 with the system 1.
- the NAC 19 provisions a new ANAS for the active connection and sends an accounting start to the AAA module 21.
- the AAA module 21 logs the accounting record for the new session in the accounting table 22 of the database 35.
- the NAC 19 transmits confirmation of the new session to the connection tracker 27 of the router 11 at step S2-19, and confirmation of the new session is passed on by the connection tracker 27 to the client device 3 at step S2-21 to indicate to the client device 3 that tracked and accounted access to the requested protected service or resource has been granted for the non-authenticated session.
- the client device 3 commences transmission of network data over the active connection.
- the network data is intercepted by the router 11 and the connection tracker 27 continues to track the connection and transmit session update events to the NAC 19 at step S2-25.
- the NAC 19 maintains the session at step S2-27 and updates packet counters within the active session records responsive to receiving session update requests from the connection tracker 27.
- the NAC 19 also transmits accounting interim packets to the AAA module 21 to update the accounting record in the accounting table 22, at step S2-29.
- the processing of steps S2-23 to S2-29 is then repeated until the connection tracker 27 determines that the connection is closed or no longer active and informs the NAC 19 accordingly.
- the NAC 19 updates the packet counters in the session record one final time, closes the tracked session and transmits a session stop instruction to the AAA module 21 at step S2-27.
- the AAA module 21 removes the active session record from the accounting table 22 at step S2-29.
- the AAA module 21 may be configured to generate or update a separate accounting record for all connections that match the profile associated with this connection. In this way, accounting may be carried out to track all network usage in the system from non-authenticated client devices that match a particular profile, for example for all ANAS associated with a Session Initiation Protocol (SIP) session where the profile is defined by the known destination IP address.
- SIP: Session Initiation Protocol
- step S2-31 the NAC 19 transmits a request for MAC authentication of the client device 3 to the AAA module 21 in accordance with the AAA protocol implemented by the system for handling authenticated sessions.
- the AAA module 21 carries out MAC authentication and user authorization as required and informs the NAC 19 on successful authentication and authorization.
- step S2-35 the NAC 19 receives confirmation of authentication and authorization by the AAA module 21, creates a new session record for the authenticated session and sends an accounting start instruction back to the AAA module 21.
- step S2-17 the AAA module 21 logs the accounting record for the new session in a similar way to handling of an ANAS, except that the accounting record is associated with an authenticated client device that is registered with the system 1 and the account record may therefore include additional information about the particular client device 3.
- Figure 3, which comprises Figures 3a and 3b, is a flow diagram illustrating in more detail exemplary steps of an embodiment for tracking current connections by the connection tracker 27 in the router 11 and transmitting connection events to the NAC 19.
- this process begins at step S3-1 where the connection tracker 27 instructs the NAC 19 to initialise the network access provisioning services. Responsive to the received instruction, the NAC 19 retrieves the profile data 31 and connection profile 33 from the database 35 and communicates the retrieved profile definition data to the connection tracker 27.
- the connection tracker 27 receives the profile definition data from the NAC 27 at step S3-3 and stores the received profile definition data in the profile cache 37 at step S3-5.
- the connection tracker 27 obtains a list of the active connections passing through the network 5 from the current connections information 26 maintained by the router 11 at kernel level. As discussed above, the connection tracker 27 tracks the connections and can communicate information about the connections to the NAC 27 in batches or periodically. The connection tracker 27 can track connections that are buffered for a period of time, where duplicate connections are merged and packet and byte counters are summed before the connections information is sent over to the NAC 27.
- the connection tracker 27 identifies an active connection from the list of active connections to be processed, this being a first active connection from the list when the process is carried out for the first time.
- the identified active connection is processed to determine if the connection is associated with an authenticated session.
- an active connection from a client device 3 may be associated with an authenticated session because the client device 3 is pre-registered with a particular mobile telephone service provider that allows access to protected services and resources via the communication network 5.
- the client device 3 is an authenticated device and the connection tracker 27 can determine that an active network session is an authenticated session based on the accounting records stored in the accounting table 22 in the database 35.
- connection tracker 27 determines, at step S3-11, that the present active connection is associated with an authenticated session, then subsequent processing of the active connection proceeds in accordance with a known protocol for handling authenticated sessions.
- the active connection may be processed using a respective vendor AAA sub-module 25 to perform authentication, authorization and accounting for the client device 3 before allowing access to the requested protected service or resource.
- connection tracker 27 determines that the active connection is not associated with an authenticated session, then the active connection is considered to be from a client device 3 that is requesting access to protected services or resources through an Accounting Non-Authenticated Session (ANAS).
- ANAS: Accounting Non-Authenticated Session
- the connection tracker 27 processes the ANAS by determining if the active connection matches a predefined profile. Accordingly, at step S3-13, the connection tracker 27 determines if the active connection matches a connection profile 33 in the profile cache 37.
- at step S3-15 the connection tracker 27 determines if the active connection is a new connection, that is a connection from a client device 3 that is being processed for the first time and therefore does not have an associated session record in the session data 20 of the database 35. As this is the first active connection being processed, the processing proceeds to step S3-17 where the connection tracker 27 transmits information about the tracked connections, including the new active connection, to the NAC 27.
- the NAC 27 determines if the new active connection is eligible to be transformed into a session. For example, the connection tracker 27 can determine if a connection is eligible by firstly performing a lookup to determine if a user is in a valid venue and secondly, based on the IP address, performing a lookup of the DHCP lease information that is used to create the session record. If it is determined that the connection is not eligible as a session, then the current connection is not considered further and processing proceeds to step S3-29 described below.
- the NAC 19 receives the session start request from the connection tracker 27 and creates a new active session record for the ANAS session and stores the created session record as session data 20 in the database 35.
- the NAC 19 then sends an accounting start instruction to the AAA module 21 at step S3-23.
- the accounting start instruction includes information associated with the matching connection profile, such as a particular destination IP address, so that the AAA module 21 can create a Charging Data Record to track that ANAS session, that is network traffic addressed to that particular destination IP address that matches the same connection profile.
- the AAA module 21 also stores a log of all accounting records in the accounting table 22 in the database 35.
- the NAC 19 receives confirmation from the AAA module 21 that accounting has been initiated for the ANAS session, and the NAC 19 informs the connection tracker 27 that an active ANAS record has been created.
- the connection tracker 27 receives at step S3-27 confirmation from the NAC 19 that the active session record has been created, and the processing proceeds to step S3-29 where the connection tracker 27 determines if it is necessary to perform an update of the profile definition data in the profile cache 37.
- the cached profile definition data may be updated in regular time-based intervals or may be based on other determining factors such as responsive to an update instruction or to an empty cache if all of the profiles have expired. If at step S3-29 it is determined that the cached profile data requires updating, then processing returns to step S3-3 where the connection tracker 27 obtains a latest copy of the profile definition data 31 from the database 35 via the NAC 19 as described above.
- step S3-29 determines if there is another active connection in the obtained list of active connections to be processed.
- at step S3-9 the connection tracker 27 determines if there is another active connection in the obtained list of active connections to be processed. The above-described steps are repeated for the next active connection in the obtained list.
- step S3-15 it is determined that the next active connection is not a new connection, that is a session record has already been created and is present in the session data 20 of the database 35, then processing proceeds to step S3-31 where the connection tracker 27 determines and updates if necessary the state of the active connection in the current connection information 26.
- step S3-33 the connection tracker 27 sends any change of state for the tracked connection to the NAC 19, for subsequent updating of the tracking and accounting information according to the implemented accounting protocols. Processing then returns to step S3-29 as described above.
- the system 1 provides a connection tracker 27 in the router 11 that advantageously controls, tracks and enables accounting of network access to protected services or resources via both authenticated sessions and Accounting Non-Authenticated Sessions through the communications network 5, established between client devices 3 and the captive portal 9 via one or more wireless access points 7, using profiles which effectively define a whitelist of criteria, such as particular destination IP addresses, ports and bandwidth, for which active network connections matching the whitelisted criteria can be established and tracked without requiring authentication and authorization of the requesting client devices.
- connection tracker 27 tracks ANAS connections based on profile definition data 31 stored as tables in the database 35.
- Figure 4, which comprises Figures 4a and 4b, is a schematic diagram of an exemplary data structure for storing the profile definition data 31 for use by the connection tracker 27 to control access according to the embodiment.
- the profile definition data 31 is configured using a profile table 31a for example as illustrated in Figure 4a, and a connection_profile table 31b for example as illustrated in Figure 4b.
- CDR: Charging Data Records
- the profile table 31a in this exemplary embodiment includes the following fields for each profile or row in the table:
- a valid_from and valid_to value which may define a time-based window of validity for the profile, whereby only profiles that are currently valid will be considered
- an interval_time value which may define a number of seconds between interim update for packets in an active session
- an idle_timeout value which may define a number of seconds that a session can be active with no connections before the session is idled out
- a hard_timeout value which may define a maximum time that a session will be tracked for, to stop stale sessions that can occur during a system failover
- a username value which may be the actual name of a user which can be used in the generated CDR records.
- connection_profile table 31b in this exemplary embodiment includes the following fields for each profile or row in the table:
- protocol value which may define the type of connection to track, such as TCP or UDP
- dst_range value which may define a destination IP address or range to be monitored
- dst_port_start and dst_port_end values which may be used to define which particular destination ports or range of ports to monitor
- a profile_id value, which may define a 1-N foreign key association to the profile table
- pkt_threshold_in and pkt_threshold_out value which may define a number of packets that must be transferred per second for this connection to be considered 'active'
- byte_threshold_in and byte_threshold_out value which may define a number of bytes that must be transferred per second for this connection to be considered 'active'
- an idle_timeout value which may define a number of seconds that a connection can remain in an IDLE state before the connection is considered closed. This means that a connection may still be in the kernel table but would be considered idled out. If traffic starts up again, then this can trigger an entirely new session.
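The following Python is an added illustration, not the patent's own code: it models the profile table 31a and connection_profile table 31b with the fields listed above, performs the whitelist lookup the connection tracker 27 makes for a non-authenticated connection (protocol, destination address range, destination port range, and a profile that is inside its valid_from/valid_to window), and applies a profile row's hard_timeout and idle_timeout to a tracked session. The table rows, the `Connection` record layout and the helper names (`match_connection`, `session_expired`) are constructed assumptions.

```python
"""Added example (not the patent's own code): the whitelist lookup performed
against the profile and connection_profile tables of Figure 4.  Table rows,
the Connection record and all helper names are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple


@dataclass
class Profile:
    """One row of the profile table 31a (Figure 4a)."""
    profile_id: int
    valid_from: datetime
    valid_to: datetime
    interval_time: int      # seconds between interim accounting updates
    idle_timeout: int       # seconds a session may have no connections
    hard_timeout: int       # maximum seconds a session is tracked at all
    username: str           # name written into the generated CDR


@dataclass
class ConnectionProfile:
    """One row of the connection_profile table 31b (Figure 4b)."""
    protocol: str           # "TCP" or "UDP"
    dst_range: str          # single address or CIDR block
    dst_port_start: int
    dst_port_end: int
    profile_id: int         # foreign key into the profile table
    pkt_threshold_in: int
    pkt_threshold_out: int
    byte_threshold_in: int
    byte_threshold_out: int
    idle_timeout: int


@dataclass
class Connection:
    """The part of a kernel connection entry the lookup needs (constructed)."""
    protocol: str
    dst_ip: str
    dst_port: int


# Constructed sample tables: one profile inside its validity window, one expired.
PROFILES = {
    1: Profile(1, datetime(2024, 1, 1), datetime(2030, 1, 1), 60, 300, 3600, "sip-whitelist"),
    2: Profile(2, datetime(2020, 1, 1), datetime(2021, 1, 1), 60, 300, 3600, "expired"),
}
CONNECTION_PROFILES = [
    ConnectionProfile("UDP", "203.0.113.0/24", 5060, 5061, 1, 1, 1, 100, 100, 120),
    ConnectionProfile("TCP", "198.51.100.7", 443, 443, 2, 1, 1, 100, 100, 120),
]


def match_connection(conn: Connection, now: datetime,
                     rules=CONNECTION_PROFILES, profiles=PROFILES
                     ) -> Optional[Tuple[ConnectionProfile, Profile]]:
    """Return the (rule, profile) pair a non-authenticated connection is
    allowed under, or None.  A rule only counts if its profile is currently
    inside its valid_from/valid_to window, so an expired whitelist entry
    stops admitting traffic without any rule having to be deleted."""
    dst = ipaddress.ip_address(conn.dst_ip)
    for rule in rules:
        if rule.protocol != conn.protocol.upper():
            continue
        if dst not in ipaddress.ip_network(rule.dst_range, strict=False):
            continue
        if not rule.dst_port_start <= conn.dst_port <= rule.dst_port_end:
            continue
        profile = profiles.get(rule.profile_id)
        if profile is None or not profile.valid_from <= now <= profile.valid_to:
            continue
        return rule, profile
    return None


def session_expired(profile: Profile, started: datetime,
                    last_seen: datetime, now: datetime) -> bool:
    """Apply the profile's hard_timeout and idle_timeout to a tracked session:
    the hard limit stops stale sessions left over from a failover, the idle
    limit ends sessions that have had no connections for too long."""
    return (now - started > timedelta(seconds=profile.hard_timeout)
            or now - last_seen > timedelta(seconds=profile.idle_timeout))
```

The point to note from a defender's side is that the validity window is checked on every lookup, so whitelist rows can be retired by their valid_to date alone; a cached copy of these tables (profile cache 37) must therefore be refreshed often enough that an expired or withdrawn row does not keep admitting unauthenticated traffic.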
- connection tracker 27 is configured to obtain an updated copy of the changed data so that the cached profile definition data 35 is not out of sync with the updated profile definition data 31 for a period that exceeds the iteration time period of the connection tracker's execution.
- connection tracker 27 determines and updates if necessary the state of an existing connection that matches a profile and is currently being tracked, that is a connection having a session record in the session data 20 of the database 35.
- Figure 5 is a state diagram illustrating the main states of a network connection according to an exemplary embodiment.
- connections that are active but are not yet being tracked have a NEW state 101. If the packet or byte count is above a predefined threshold, then the connection is added to the tracked connections as NEW to be tracked. A NEW event with current traffic statistics is sent to NAC 19. If the packet or byte count is below the predefined threshold, then the connection is not added to the tracked connections.
- Connections that are active and are already in tracked connections have an ACTIVE state 102. If the packet or byte count is above a predefined threshold, then the connection remains in the ACTIVE state 102 and the connection tracker 27 updates the traffic counts for that connection and records the timestamp of the last measurement. An UPDATE event is sent to the NAC 19 with the traffic update statistics. If the packet or byte count is below the predefined threshold, then the connection has become PASSIVE 103.
- Connections that are active and are already tracked as NEW 101 are processed in a similar manner to a connection with an ACTIVE state 102. If the packet or byte count is above a predefined threshold, then the connection is updated with an ACTIVE state 102 and the connection tracker 27 updates the traffic counts for that connection. The timestamp of the last measurement is also recorded. An UPDATE event is sent to the NAC 19 with the traffic update statistics. If the packet or byte count is below the predefined threshold, then the connection is updated with a PASSIVE state 103.
- the connection tracker 27 also determines if a connection has been in the PASSIVE state 103 for an amount of time exceeding a predefined timeout limit, and if so, the connection is DELETED 104 and removed from the tracked connections. A DELETE or STOP event is sent to the NAC 19 with an indication that the cause for termination is an Idle Timeout.
- connections that are ACTIVE and tracked, but which the connection tracker 27 identifies as having been closed and therefore as having no network activity, are also DELETED 104 and removed from the tracked connections.
- a DELETE or STOP event is sent to the NAC 19 with an indication that the cause for termination is user based.
- the connection tracker 27 may determine that a connection has been closed for example if it is no longer in an ESTABLISHED TCP state, or if a timestamp for a last measurement of updated traffic statistics does not match the most recent update.
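The profile fields listed above and the NEW / ACTIVE / PASSIVE / DELETED transitions of Figure 5, as an added Python example; this is not code from the patent or from any implementation of it. The field types, the per-second measurement samples, the event tuples sent to the NAC and the run in demo() are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, int]   # (src_ip, dst_ip, dst_port) identifies one connection

@dataclass
class Profile:                 # subset of the profile definition fields listed above; types assumed
    profile_id: int
    dst_range: str             # CIDR block of monitored destinations
    dst_port_start: int
    dst_port_end: int
    pkt_threshold_in: int      # packets/s that must flow to count as 'active'
    pkt_threshold_out: int
    byte_threshold_in: int     # bytes/s that must flow to count as 'active'
    byte_threshold_out: int
    idle_timeout: int          # seconds in PASSIVE before the session is considered closed

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        return (ip_address(dst_ip) in ip_network(self.dst_range)
                and self.dst_port_start <= dst_port <= self.dst_port_end)

    def above_threshold(self, s: "Sample") -> bool:
        # "packet or byte count above the threshold", checked in both directions
        return (s.pkts_in > self.pkt_threshold_in or s.pkts_out > self.pkt_threshold_out
                or s.bytes_in > self.byte_threshold_in or s.bytes_out > self.byte_threshold_out)

@dataclass
class Sample:                  # one per-second measurement of a kernel-table connection (constructed)
    key: Key
    pkts_in: int
    pkts_out: int
    bytes_in: int
    bytes_out: int
    established: bool          # False once the TCP state is no longer ESTABLISHED

@dataclass
class Session:                 # stands in for one row of the session data
    profile: Profile
    state: str                 # NEW, ACTIVE or PASSIVE
    pkt_total: int = 0
    byte_total: int = 0
    last_seen: int = 0         # timestamp of the last measurement
    passive_since: Optional[int] = None

class ConnectionTracker:
    def __init__(self, profiles: List[Profile]):
        self.profiles = profiles
        self.sessions: Dict[Key, Session] = {}

    def iterate(self, samples: List[Sample], now: int) -> List[tuple]:
        """One tracker pass; returns the events that would be sent to the NAC."""
        events: List[tuple] = []
        for s in samples:
            sess = self.sessions.get(s.key)
            total_p, total_b = s.pkts_in + s.pkts_out, s.bytes_in + s.bytes_out
            if sess is None:
                prof = next((p for p in self.profiles if p.matches(s.key[1], s.key[2])), None)
                if prof is None or not prof.above_threshold(s):
                    continue       # no profile match, or too quiet to start tracking
                self.sessions[s.key] = Session(prof, "NEW", total_p, total_b, now)
                events.append(("NEW", s.key, total_p, total_b))
            elif not s.established:
                del self.sessions[s.key]          # closed by the user: DELETED
                events.append(("STOP", s.key, "user"))
            elif sess.profile.above_threshold(s):
                sess.state, sess.passive_since = "ACTIVE", None
                sess.pkt_total, sess.byte_total, sess.last_seen = sess.pkt_total + total_p, sess.byte_total + total_b, now
                events.append(("UPDATE", s.key, sess.pkt_total, sess.byte_total))
            else:
                if sess.state != "PASSIVE":       # first quiet interval starts the idle clock
                    sess.state, sess.passive_since = "PASSIVE", now
                sess.last_seen = now
        # Second pass: idle timeouts, then tracked connections missing from this update
        for key, sess in list(self.sessions.items()):
            if sess.state == "PASSIVE" and now - sess.passive_since > sess.profile.idle_timeout:
                del self.sessions[key]
                events.append(("STOP", key, "idle_timeout"))
            elif sess.last_seen != now:
                del self.sessions[key]            # vanished from the kernel table
                events.append(("STOP", key, "user"))
        return events

def demo() -> List[List[tuple]]:
    # Constructed run: a matching flow that idles out, a non-matching flow, and a flow that closes
    tr = ConnectionTracker([Profile(1, "10.0.0.0/8", 80, 443, 5, 5, 1000, 1000, idle_timeout=30)])
    a = ("192.168.1.10", "10.1.2.3", 443)   # matches the profile
    b = ("192.168.1.11", "172.16.0.5", 80)  # destination outside dst_range, never tracked
    c = ("192.168.1.12", "10.1.2.4", 80)    # matches, then is closed by the client
    busy = dict(pkts_in=50, pkts_out=40, bytes_in=60000, bytes_out=8000, established=True)
    quiet = dict(pkts_in=1, pkts_out=1, bytes_in=100, bytes_out=100, established=True)
    return [
        tr.iterate([Sample(a, **busy), Sample(b, **busy), Sample(c, **busy)], now=0),
        tr.iterate([Sample(a, **busy), Sample(c, **busy)], now=10),
        tr.iterate([Sample(a, **quiet), Sample(c, **dict(busy, established=False))], now=20),
        tr.iterate([Sample(a, **quiet)], now=40),
        tr.iterate([Sample(a, **quiet)], now=60),
    ]
```

The second pass is what makes the idle_timeout field meaningful: a quiet connection stays in the kernel table and keeps producing below-threshold samples, but once it has been PASSIVE longer than the profile's idle_timeout the tracker emits a STOP with cause idle_timeout, so that a later burst on the same 5-tuple starts an entirely new session rather than extending the old accounting record.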
- the system includes a captive portal for processing active connections based on stored profile definitions, and allowing and tracking non-authenticated sessions for connections matching a profile.
- the components of the captive portal communicate therebetween via a web server and network communication links of a secured LAN.
- the captive portal may be implemented as a distributed system and the components of the captive portal in communication therebetween using any combination of network communication paths.
- the components of the captive portal such as the connection tracker and network access controller, may be adapted for direct communication therebetween.
- the network access system is illustrated with a single captive portal having a single network router.
- the network access system may include a plurality of captive portals and/or network routers, and a respective connection tracker may be provided on each instance of a network router.
- the captive portal comprises a plurality of separate components, including servers, routers and application modules.
- the components of the captive portal may be implemented as any combination of hardware and/or software, and the system may store a plurality of computer programs or software in memory, which when executed enable the system components to implement embodiments of the present invention as discussed herein.
- the software may be stored on a non-transitory computer program medium or product, and loaded into the system using any known instrument, such as removable storage disk or drive, hard disk drive, or communication interface, to provide some examples.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Mobile Radio Communication Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention relates to a system and method for controlling access to a network service or resource by a wireless client device. The system intercepts data packets transmitted by the wireless client device, determines that the wireless client device is a non-authenticated device, processes the intercepted data packets to determine that the non-authenticated client device is authorised to access the network service or resource when the data packets match a connection profile defining network characteristics for the data packets, and enables monitoring and accounting of the intercepted data packets for the non-authenticated device.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GB1116324.3 | 2011-09-21 | ||
| GB1116324.3A GB2494892A (en) | 2011-09-21 | 2011-09-21 | System and Method for Monitoring Network Connections |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2013041880A1 true WO2013041880A1 (fr) | 2013-03-28 |
Family
ID=44937637
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/GB2012/052346 Ceased WO2013041880A1 (fr) | 2011-09-21 | 2012-09-21 | System and method for monitoring network connections |
Country Status (2)
| Country | Link |
|---|---|
| GB (1) | GB2494892A (fr) |
| WO (1) | WO2013041880A1 (fr) |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP3419391B2 (ja) * | 2000-10-05 | 2003-06-23 | 日本電気株式会社 | LAN permitting access under specific conditions to terminals refused authentication |
| US7539186B2 (en) * | 2003-03-31 | 2009-05-26 | Motorola, Inc. | Packet filtering for emergency service access in a packet data network communication system |
| US20080250478A1 (en) * | 2007-04-05 | 2008-10-09 | Miller Steven M | Wireless Public Network Access |
- 2011-09-21 GB GB1116324.3A patent/GB2494892A/en not_active Withdrawn
- 2012-09-21 WO PCT/GB2012/052346 patent/WO2013041880A1/fr not_active Ceased
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7269727B1 (en) * | 2003-08-11 | 2007-09-11 | Cisco Technology, Inc. | System and method for optimizing authentication in a network environment |
| US20070237093A1 (en) * | 2006-03-31 | 2007-10-11 | Bala Rajagopalan | Methods and apparatus for providing an access profile system associated with a broadband wireless access network |
Non-Patent Citations (1)
| Title |
|---|
| KOK-KIONG YAP ET AL: "Separating Authentication, Access and Accounting: A Case Study with OpenWiFi", OPENFLOW-TR-2011-1, 15 September 2011 (2011-09-15), pages 1 - 7, XP055051802, Retrieved from the Internet <URL:https://www.opennetworking.org/images/stories/downloads/technical-reports/openflow-tr-2011-1-openwifi.pdf> [retrieved on 20130130] * |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2018172818A1 (fr) * | 2017-03-23 | 2018-09-27 | Pismo Labs Technology Ltd. | Method and system for restricting transmission of data traffic for devices with networking capabilities |
| GB2566765A (en) * | 2017-03-23 | 2019-03-27 | Pismo Labs Technology Ltd | Method and system for restricting transmission of data traffic for devices with networking capabilities |
| CN109804610A (zh) * | 2017-03-23 | 2019-05-24 | 柏思科技有限公司 | Method and system for restricting data traffic transmission for devices with networking capabilities |
| US10931636B2 (en) | 2017-03-23 | 2021-02-23 | Pismo Labs Technology Limited | Method and system for restricting transmission of data traffic for devices with networking capabilities |
| CN109804610B (zh) * | 2017-03-23 | 2022-05-13 | 柏思科技有限公司 | Method and system for restricting data traffic transmission for devices with networking capabilities |
| GB2566765B (en) * | 2017-03-23 | 2022-09-14 | Pismo Labs Technology Ltd | Method and system for restricting transmission of data traffic for devices with networking capabilities |
| US11722458B2 (en) | 2017-03-23 | 2023-08-08 | Pismo Labs Technology Limited | Method and system for restricting transmission of data traffic for devices with networking capabilities |
Also Published As
| Publication number | Publication date |
|---|---|
| GB2494892A (en) | 2013-03-27 |
| GB201116324D0 (en) | 2011-11-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US7894359B2 (en) | | System and method for distributing information in a network environment |
| Cheng et al. | | Automating cross-layer diagnosis of enterprise wireless networks |
| US8041812B2 (en) | | System and method for supplicant based accounting and access |
| US7062253B2 (en) | | Method and system for real-time tiered rating of communication services |
| US11297047B2 (en) | | Network communications |
| US8006282B2 (en) | | Method and system for tracking a user in a network |
| CA2570783C (fr) | | Systems, methods and computer-readable media for controlling remote access to a data network |
| US12166798B2 (en) | | Systems and methods for application security utilizing centralized security management |
| EP1054529A2 (fr) | | Method and apparatus for associating network usage with particular users |
| US20020026503A1 (en) | | Methods and system for providing network services using at least one processor interfacing a base network |
| US20040177247A1 (en) | | Policy enforcement in dynamic networks |
| CN103229560A (zh) | | Automatic remote access to IEEE 802.11 networks |
| Li et al. | | Transparent AAA security design for low-latency MEC-integrated cellular networks |
| US11968238B2 (en) | | Policy management system to provide authorization information via distributed data store |
| US20110191223A1 (en) | | Internet Control Management and Accounting in a Utility Computing Environment |
| US20160105787A1 (en) | | Method and System for Discovering User Equipment in a Network |
| JP2019537176A (ja) | | Portal aggregation service that maps subscriber device identifiers to the portal addresses to which connection requests and authentication requests are redirected, and facilitates bulk subscriber device configuration |
| US7424538B2 (en) | | Service control network system |
| CN111565165B (zh) | | Cloud phone authentication, maintenance and state change system and method |
| EP1705869A1 (fr) | | Method and device for locating users of mobile terminals in a wireless network. |
| US7966653B2 (en) | | Method and data processing system for determining user specific usage of a network |
| WO2013041880A1 (fr) | | System and method for monitoring network connections |
| US20200287868A1 (en) | | Systems and methods for in-band remote management |
| Zaghloul et al. | | Relating the AAA and the radio access rates in 3G cellular networks |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 12790938 Country of ref document: EP Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 12790938 Country of ref document: EP Kind code of ref document: A1 |