WO2009022052A1 - Network access for a visiting user - Google Patents

Info

Publication number
WO2009022052A1
Authority
WO
WIPO (PCT)
Prior art keywords
visitor
identifier
captive portal
address
network
Prior art date
Legal status
Ceased
Application number
PCT/FI2008/050442
Other languages
French (fr)
Inventor
Jarkko JÄRVINEN
Veli PIRTTILÄ
Panu Lehti
Current Assignee
Elisa Oyj
Original Assignee
Elisa Oyj
Priority date
Filing date
Publication date
Application filed by Elisa Oyj
Priority to EP08787715.5A (published as EP2179561B1)
Publication of WO2009022052A1
Anticipated expiration
Current legal status: Ceased

Classifications

    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication
        • H04L 12/00 Data switching networks > H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L 12/2854 Wide area networks, e.g. public data networks > H04L 12/2856 Access arrangements, e.g. Internet access
        • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources > H04L 63/105 Multiple levels of security
        • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L 63/0272 Virtual private networks
    • H Electricity > H04 Electric communication technique > H04W Wireless communication networks
        • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/08 Access security
        • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/08 Access security > H04W 12/086 Access security using security domains
        • H04W 84/00 Network topologies > H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop] > H04W 84/10 Small scale networks; Flat hierarchical networks
        • H04W 84/00 Network topologies > H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop] > H04W 84/10 Small scale networks; Flat hierarchical networks > H04W 84/12 WLAN [Wireless Local Area Networks]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method for a visitor (202) in a wireless short-range network to be allowed to access the Internet (50) in a system where the Internet traffic of a holder of a base station (30) of the wireless short-range network is separated from the visitor's traffic. The method comprises intercepting a packet sent by the visiting terminal (202) at a captive portal (42). The packet identifies the sender's address. The method comprises selecting or generating an identifier that pertains or is assigned to said address. Furthermore, the method comprises generating a website on which an identifier is shown to the visitor (202), receiving the identifier from the visitor via a mobile communication network (80) and opening access to the Internet (50) for the address associated with the identifier from the captive portal (42). Furthermore, the invention relates to a captive portal device, system and computer program including corresponding elements.

Description

NETWORK ACCESS FOR A VISITING USER
Generally, the present invention relates to solutions enabling a visiting user to access the Internet on his or her terminal.
For years, Internet access has been possible not only on fixed terminals but also on wireless terminals. Different Internet operators currently provide several different access mechanisms enabling a user to access the Internet.
Figure 1 shows an example. In the figure, wireless terminals (e.g., laptop computers) 101 and 102 of an Internet user are connected to a base station 30 through a wireless local area network (e.g., WLAN). The base station may be in a modem device (e.g., an ADSL modem) that has a connection 35 to the Internet 50.
Wireless local area networks may typically be configured so that registration either requires or does not require some kind of a password. In the latter case, the network is usually called open.
The present invention discloses a novel solution enabling a visiting user to gain access to the Internet through a wireless short-range network.
According to a first aspect of the invention, a method is implemented for a visitor in a wireless short-range network to be allowed to access the Internet in a system where the traffic of a holder of a base station of the wireless short-range network has been separated from the visitor's traffic, comprising: intercepting a packet sent by a visiting terminal at a captive portal, the packet identifying the sender's address; selecting or generating an identifier that pertains or is assigned to said address; generating a website on which the identifier is shown to the visitor; receiving the identifier from the visitor via a mobile communication network; and opening access to the Internet for the address associated with the identifier. Visitors' traffic may be routed in its own network separated in a data secure manner from the device owner's traffic.
In an embodiment of the invention, instructions on where or to which number to send the identifier are also shown in connection with showing the identifier. The visitor may send the identifier to the mobile communication network in a suitable message, e.g., a short message service message (or, more specifically, a text message).
In an embodiment of the invention, a network address translation (NAT) function is performed on the visitor's traffic, whereby a gray IP address (i.e., a private address that is not routable on the public Internet) of the visiting device is translated into a public IP address.
In an embodiment of the invention, the visitor's traffic is tunneled between said base station of a wireless short-range network and the captive portal, wherein the tunneling may be implemented with, for example, a virtual private network (VPN) connection operating in a NAT traversal operating mode. For example, the IPSec protocol or another suitable tunneling protocol can be used as the tunneling protocol. Other tunneling protocols, such as PPTP or L2TP (both of which carry PPP frames), may also be used, for example.
In an embodiment of the invention, the wireless short-range network is a Wippies WLAN network.
In a method in accordance with an embodiment of the invention, a visiting user may open access to the Internet with a text message (e.g., through a WLAN network). In one such embodiment, an identifier for a "captive portal" is generated for the visitor. The visitor is automatically allowed to communicate with the Internet by sending the identifier to the correct number in a text message. In this case, the user needs no user name or password besides the text message, whereby the authentication process becomes significantly easier for the user. The user identification method, as such, is independent of the network, i.e., in principle, the user may be on any mobile telephone operator's network when sending the text message.
In accordance with a second aspect of the invention, a captive portal is implemented for a visitor in a wireless short-range network to be allowed to access the Internet in a system where the traffic of a holder of a base station of the wireless short-range network is separated from the visitor's traffic, comprising: means for intercepting a packet sent by a visiting terminal, the packet identifying the sender's address; means for selecting or generating an identifier and assigning the identifier to said address; means for generating a website on which the identifier is shown to the visitor; means for receiving the identifier from the visitor via a mobile communication network; and means for opening Internet access for the address associated with the identifier.
Herein, a "captive portal" refers to a device or server implementing captive portal functionality.
In accordance with a third aspect of the invention, a system according to claim 19 is implemented.
In accordance with a fourth aspect of the invention, a computer program is implemented, comprising a computer-executable program code that, when executed, controls a computerized apparatus to implement captive portal functionality performing a method in accordance with the first aspect.
The computer program in accordance with the fourth aspect may comprise a program code that is executable by any one of the following, for example: a general-purpose processor, a microprocessor, an application-specific integrated circuit, and a digital signal processor. The program code may be executable by a Linux computer, for example.
Some embodiments of the invention have only been or will only be described in connection with some aspects of the invention. However, as a rule, the corresponding embodiments are also applicable to other aspects as well.
The invention will be described in the following by way of example with reference to the appended drawings, wherein:
Figure 1 shows a prior art system;
Figure 2 shows a system in accordance with an embodiment of the invention;
Figure 3 shows a method and a system for identifying visitors and opening access to the Internet in accordance with an embodiment of the invention; and
Figure 4 is a block diagram of a device comprising captive portal functionality in accordance with an embodiment of the invention.
The same reference numbers are used in the figures to refer to the same subjects or elements. Figure 1 was discussed above in connection with prior art.
Figure 2 shows a system in accordance with an embodiment of the invention. As in Figure 1, wireless terminals (e.g., laptop computers 101 and 102) are connected to a base station 30 through a wireless short-range network (e.g., WLAN) 10. The base station 30 has a permanent connection (e.g., an ADSL connection) 35 to the Internet 50. The base station 30 is located in specific premises, such as the base station owner's home. The base station 30 may provide a plurality of subnetworks. A subnetwork 10 is the base station owner's private subnetwork through which the traffic of the terminals 101 and 102 is routed. In turn, a subnetwork 20 is an open network separate from the subnetwork 10 (different SSID identifiers are used in the subnetworks), enabling other terminals 201 and 202 visiting the area of the base station to have contact with the base station 30. Thus visitors' traffic is routed on their own network, separated in a data secure manner from the actual device owner's traffic.
As an example of a service using a system as described above we mention Wippies, where the owner of base station of a wireless local area network (WLAN) may use his or her Internet connection on a number of computers or on any suitable WLAN device. At the same time, it is possible to share part of the Internet connection with other Wippies users potentially visiting the vicinity.
Wippies provides a data secure way of sharing part of one's own connection with other Wippies users. Wippies is designed so that if the owner needs bandwidth himself or herself, visitors will not prevent the owner from using the connection he or she needs. Visiting Wippies users use their own wireless Wippies LAN (the subnetwork 20) separated from the owner's private network (the subnetwork 10).
In the example shown in Figure 2, the base station owner's (or holder's) terminals 101 and 102 use the connection 35 to communicate with the Internet 50. In contrast, the traffic of visitors connected to the open network 20 is routed from the base station 30 over a virtual connection into a tunnel 34 (e.g., an IPSec VPN tunnel), whose one end point is the base station 30 and the other end point is a server 40 in the network, connected to the Internet 50. However, the tunneled traffic over the virtual connection typically uses the same physical connection as the owner's traffic, albeit separated from the owner's traffic. Server equipment comprises a captive portal 42, which may also be called a traffic capture portal and whose operation will be described below. The server equipment also typically comprises a virtual connection hub, in the VPN case shown in Figure 2, for example, a VPN hub 41 acting as a collector of different VPN connections and as one end point of the virtual connection tunnel. The captive portal 42 and the VPN hub 41 may be implemented in the same or different devices.
Figure 3 shows a method and system for identifying visitors and opening access to the Internet in accordance with an embodiment of the invention. A terminal 202 visiting a subnetwork 20 and a Wippies service are used as a non-limiting example.
When a customer (visitor) and his or her terminal (e.g., a laptop computer, a mobile station, or another WLAN device) enter the area of a Wippies visitor network 20, communication between devices becomes possible. The visitor network is an open network, so typically it is always possible for the terminal 202 to contact it. During contact, the terminal 202 requests a network address (e.g., an IP address) using a suitable protocol (e.g., the DHCP protocol). A base station 30 issues an IP address to the terminal. The IP address may be one of the gray IP addresses distributed by a captive portal 42 to the base station 30 in advance, representing a unique address within the network controlled by the captive portal 42 (the network from the captive portal 42 towards the terminal 202).
When the terminal 202 attempts to communicate with the Internet, the base station opens a VPN tunnel 34 automatically from the user's point of view, whereby all of the visitor's traffic is automatically routed through a VPN hub 41 to the captive portal 42. Thus when the terminal 202 attempts to communicate with the Internet 50 (e.g., tries to open a connection to some WWW service), the captive portal 42 intercepts all transmitted packets and redirects the connection to a login page (the captive portal 42 opens a login page on the terminal 202) and does not allow the customer's traffic to propagate further before login.
Login is carried out using a message sent to a mobile communication network, e.g., a text message or another short message service message (in the following, a text message is used as an example). An identifier is shown to the visitor on the page generated by the captive portal. In addition, brief instructions may be provided on the page, indicating to which number the identifier may be sent, e.g., in a text message. Depending on the implementation, the captive portal 42 may use identifiers in various ways. For example, the captive portal 42 may have a certain number of identifiers in an "identifier pool", from which the captive portal 42 may select the identifier for the login page. Alternatively, the captive portal 42 may generate an identifier as necessary. The identifier may be generated, for example, from the visitor's IP address, on the basis of it, or in some other way. A certain identifier may previously have been linked to correspond to a specific gray IP address in the network controlled by the captive portal. Alternatively, the linking may be performed dynamically when selecting/generating the identifier. Further alternatively, the identifier may be shown to the visitor indirectly. In this case, the actual identifier is not shown in writing to the visitor; rather, only a hint is shown, on the basis of which the visitor will recognize the identifier and know how to send it in a message to a mobile communication network. Upon receiving the identifier, the visitor sends the identifier in a text message (e.g., on his or her terminal 202 or another terminal (e.g., a cellular telephone/device 302)) to a predetermined number or a number shown on the login page. The text message is passed to a cellular telephone network 80. The cellular telephone network has a connection 84 to a system comprising the captive portal 42. 
The text message (or, depending on the implementation, only its contents or only information that a correct identifier has been sent to the mobile communication network 80 (even in such cases, the identifier may be considered to be passed to the captive portal 42)) is passed through the connection 84 to the captive portal 42, which will deduce the IP address with which the identifier is associated (this correspondence has previously been stored on the portal 42). Subsequently, the captive portal 42 opens access to the Internet 50 for the IP address in question. The visitor's traffic is routed through the VPN tunnel 34 and a server 40 to the Internet 50. When access to the Internet 50 has been opened, the customer can use the Internet normally on his or her terminal 202. The captive portal 42 typically performs an NAT function for outgoing and incoming packets from/to the terminal 202. In packets moving towards the Internet, the visitor's gray IP address is typically replaced by a public IP address of the captive portal 42. In packets moving in the opposite direction, the public IP address is replaced by the gray IP address. If the virtual connection tunnel has to traverse some other NAT (e.g., an ADSL modem or another firewall device) in the network controlled by the captive portal 42, a NAT Traversal operating method or similar is used for tunneling in accordance with an embodiment.
After a certain period has passed, the captive portal 42 may close the access to the Internet 50 and show a new identifier on the login page; sending that identifier opens access again.
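The identifier flow described above, as an added Python model that is not code from the patent or from Elisa: an identifier pool, the stored identifier-to-gray-IP correspondence (database 404), opening of access when the identifier arrives over the mobile network connection 84, and timed closing after which a new identifier is shown. The pool contents, the number shown on the page and the access period are constructed values.

```python
import secrets


class CaptivePortal:
    """Identifier handling of the captive portal (the part of device 40 that
    uses database 404). Identifiers in the pool are assumed to be upper case."""

    def __init__(self, identifier_pool, sms_number, access_seconds):
        self.pool = list(identifier_pool)   # unused identifiers (the "identifier pool")
        self.pending = {}                   # gray IP -> identifier shown to that visitor
        self.bindings = {}                  # identifier -> gray IP (stored correspondence)
        self.open_until = {}                # gray IP -> time at which access closes
        self.sms_number = sms_number        # constructed: number printed on the login page
        self.access_seconds = access_seconds

    def intercept(self, gray_ip, now):
        """Called for a packet from gray_ip. Returns None when the IP already
        has open access; otherwise the data for the generated login page."""
        if self.is_open(gray_ip, now):
            return None
        ident = self.pending.get(gray_ip)
        if ident is None:                    # draw a fresh identifier unpredictably
            if not self.pool:
                raise RuntimeError("identifier pool exhausted")
            ident = self.pool.pop(secrets.randbelow(len(self.pool)))
            self.pending[gray_ip] = ident
            self.bindings[ident] = gray_ip
        return {"identifier": ident, "send_to": self.sms_number}

    def receive_sms(self, body, now):
        """Identifier received over the mobile network. Returns the gray IP
        whose access was opened, or None when no stored binding matches."""
        ident = body.strip().upper()
        gray_ip = self.bindings.pop(ident, None)   # each binding is used once
        if gray_ip is None:
            return None
        del self.pending[gray_ip]
        self.pool.append(ident)                    # identifier may be reissued later
        self.open_until[gray_ip] = now + self.access_seconds
        return gray_ip

    def is_open(self, gray_ip, now):
        """True while the IP may reach the Internet; once the period has
        elapsed, access is closed and the next packet gets a new login page."""
        until = self.open_until.get(gray_ip)
        if until is None:
            return False
        if now >= until:
            del self.open_until[gray_ip]
            return False
        return True
```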
Figure 4 shows a block diagram of a captive portal device or a server comprising captive portal functionality. A device 40 comprises a processor 401 for controlling the operation of the device and a memory 402 comprising a computer program/software 403. The computer software 403 may comprise instructions for the processor to control the device 40, such as an operating system and various applications. In addition, the computer software 403 comprises a program code providing captive portal functionality. Depending on the implementation, the memory 402 comprises a database or a comparable data warehouse 404 for storing identifiers used in certain embodiments and IP addresses corresponding to them.
Furthermore, the device 40 comprises an input/output unit 405 that provides an interface for communication with a cellular mobile communication network. Through it the device receives, for example, an identifier that a visitor has sent to the mobile communication network 80. The interface may be a wired connection, for example. The device may also comprise a VPN hub 41 enabling communication in a tunneling manner with a base station 30 in a wireless short-range network.
The description given above provides non-limiting examples of some embodiments of the invention. It is apparent to persons skilled in the art that the invention is not confined to the details presented above, but that the invention may also be implemented in other equivalent ways. For example, it is to be appreciated that, in the above methods, the order of the individual steps of the method may be changed and some steps may be repeated several times or omitted altogether. The protocols presented in the description are also provided as examples. It is also to be appreciated that the terms 'comprise' and 'include' as used in this document are open-ended expressions and not intended to be limiting.
In addition, some features of the embodiments presented may be utilized without employing other features. The above description must be regarded as an explanation describing the principles of the invention and not as limiting the invention. The scope of the invention is only limited by the appended claims.

Claims
1. A method for a visitor in a wireless short-range network to be allowed to access the Internet in a system where the traffic of a holder of a base station of the wireless short-range network is separated from the visitor's traffic, comprising: intercepting a packet sent by a visiting terminal at a captive portal, the packet identifying the sender's address; selecting or generating an identifier that pertains or is assigned to said address; generating a website on which the identifier is shown to the visitor; receiving the identifier from the visitor via a mobile communication network; and opening access to the Internet for the address associated with the identifier.
2. A method as claimed in claim 1, wherein instructions on where or to which number to send the identifier are also shown in connection with showing the identifier.
3. A method as claimed in claim 1 or 2, wherein the identifier sent by the visitor is passed to the mobile communication network in a short message service message.
4. A method as claimed in any preceding claim, wherein said visitor's address is a gray IP address of a visiting device.
5. A method as claimed in claim 4, wherein a network address translation (NAT) function is performed on the visitor's traffic, whereby the gray IP address of the visiting device is translated into a public IP address.
6. A method as claimed in any preceding claim, wherein the visitor's traffic is tunneled between said base station of the wireless short-range network and the captive portal.
7. A method as claimed in claim 6, wherein the tunneling is implemented over a VPN connection operating in a NAT traversal operating mode.
8. A method as claimed in claim 6 or 7, wherein the tunneling is implemented with a VPN IPSec tunnel.
9. A method as claimed in any preceding claim, wherein the wireless short-range network is a Wippies WLAN network.
10. A captive portal for a visitor in a wireless short-range network to be allowed to access the Internet in a system where the traffic of a holder of a base station of the wireless short-range network is separated from the visitor's traffic, comprising: means for intercepting a packet sent by a visiting terminal, the packet identifying the sender's address; means for selecting or generating an identifier and assigning the identifier to said address; means for generating a website on which the identifier is shown to the visitor; means for receiving the identifier from the visitor via a mobile communication network; and means for opening Internet access for the address associated with the identifier.
11. A captive portal as claimed in claim 10, wherein the captive portal is also configured to show instructions on where or to which number to send the identifier in connection with showing the identifier.
12. A captive portal as claimed in claim 10 or 11, wherein the identifier sent by the visitor is passed to the mobile communication network in a short message service message.
13. A captive portal as claimed in any one of claims 10 to 12, wherein said visitor's address is a gray IP address of a visiting device.
14. A captive portal as claimed in claim 13, wherein the captive portal is also configured to execute a network address translation (NAT) function on the visitor's traffic, whereby the gray IP address of the visiting device is translated into a public IP address.
15. A captive portal as claimed in any one of claims 10 to 14, wherein the captive portal is also configured to tunnel the visitor's traffic between said base station of the short-range network and the captive portal.
16. A captive portal as claimed in claim 15, wherein the tunneling is implemented over a VPN connection operating in a NAT traversal operating mode.
17. A captive portal as claimed in claim 15 or 16, wherein the tunneling is implemented with a VPN IPSec tunnel.
18. A captive portal as claimed in any one of claims 10 to 17, wherein the wireless short-range network is a Wippies WLAN network.
19. A system comprising a base station of a wireless short-range network and a captive portal in accordance with any one of claims 10 to 18.
20. A computer program comprising a computer-executable program code that, when executed, controls a computerized apparatus to carry out captive portal functionality performing a method in accordance with any one of claims 1 to 9.
PCT/FI2008/050442 2007-08-15 2008-07-22 Network access for a visiting user Ceased WO2009022052A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP08787715.5A EP2179561B1 (en) 2007-08-15 2008-07-22 Network access for a visiting user

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FI20075571 2007-08-15
FI20075571A FI121617B (en) 2007-08-15 2007-08-15 A visiting user's access to a network

Publications (1)

Publication Number Publication Date
WO2009022052A1 true WO2009022052A1 (en) 2009-02-19

Family

ID=38468737

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2008/050442 Ceased WO2009022052A1 (en) 2007-08-15 2008-07-22 Network access for a visiting user

Country Status (3)

Country Link
EP (1) EP2179561B1 (en)
FI (1) FI121617B (en)
WO (1) WO2009022052A1 (en)

Also Published As

Publication number Publication date
FI121617B (en) 2011-01-31
EP2179561A4 (en) 2013-11-06
EP2179561B1 (en) 2018-09-05
FI20075571A0 (en) 2007-08-15
FI20075571L (en) 2009-02-16
EP2179561A1 (en) 2010-04-28

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 08787715; Country of ref document: EP; Kind code of ref document: A1)
DPE1 Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101)
WWE Wipo information: entry into national phase (Ref document number: 2008787715; Country of ref document: EP)
NENP Non-entry into the national phase (Ref country code: DE)