A. Field of the Invention
The present invention is directed to systems and methods for wireless network communications, and specifically to preventing or limiting the number of simultaneous wireless local area network sessions.
B. Background
3rd Generation Partnership Project (3GPP) wireless local area network (WLAN) interworking specifies several different interworking scenarios. Scenario 2 specifies, among other things, network access authentication based on the Extensible Authentication Protocol (EAP). In the radio interface, the IEEE 802.11i protocol is used. The WLAN access network communicates with the backend authentication server using an Authentication, Authorization and Accounting (AAA) protocol. The current working assumption is Diameter. As a result of the authentication, a Pairwise Master Key (PMK) is shared by the terminal and a WLAN Access Point (AP).
In the 3GPP architecture, the EAP is executed by the terminal and an AAA server in the home operator's network. The home operator can have several AAA servers, for example, for load balancing reasons. The AAA server also registers all WLAN sessions with the centralized Home Subscription Server (HSS).
IEEE 802.11i specifies the concepts of Pairwise Master Key caching and pre-authentication. In pre-authentication, the terminal can authenticate with several APs (AP2, AP3, ...) while associated with a single AP (AP1). The AP1 with which the terminal is associated relays authentication information to the other APs (AP2, AP3, ...); in other words, the terminal is not in radio communication with AP2, AP3, ....
The purpose of pre-authentication is to enable the terminal and other APs to establish Pairwise Master Keys in advance, so that handovers can later be performed quickly. PMK caching refers to the procedure where the terminal maintains copies of PMKs shared with several APs, and is able to quickly handover back to previously visited APs.
According to one embodiment of the invention, the inventors have determined that it would be advantageous to limit the number of scenario 2 sessions to at most one session per subscriber in order to eliminate certain fraud scenarios. For example, a malicious user might buy a subscription, share the subscription with a large number of users and later refuse to pay the incurred bills. Another example is that a malicious user buys a flat-rate subscription and charges other users for the connectivity provided to them. Current WLAN implementations do not try to prevent simultaneous sessions with the same user credentials.
The Diameter protocol supports server-initiated disconnect operation whereby the AAA server can disconnect a session. The 3GPP technical standard (TS 23.234) also describes a procedure by which the HSS can indicate the current AAA server to disconnect the WLAN scenario 2 session. When simultaneous sessions are to be prevented, it would be advantageous to disconnect the old sessions when a new session is established, rather than to block new session attempts when there is an ongoing session. Blocking new session attempts would be problematic because it may be difficult to close all WLAN sessions in a timely manner. The valid user might have left the radio coverage of some previous WLAN network without explicitly closing the session, so an old WLAN session might still be dangling. Such dangling sessions should not prevent the user from creating new sessions.
However, the main problem in closing the old sessions upon establishment of new sessions is the fact that due to pre-authentication and PMK caching, WLAN authentication exchanges do not have a one-to-one correspondence to WLAN sessions. When the user pre-authenticates with an AP, the AAA server should not close the connection with the original AP. Hence it is unclear when the old WLAN sessions can be closed without disturbing the operation of pre-authentication.
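The following added example (constructed for this page, not code from the patent or from any 3GPP implementation) models the home AAA server's session registry under the policy described above: at most one scenario 2 session per subscriber, enforced by a server-initiated disconnect of the old session when a new one is established rather than by rejecting the new attempt. It then replays the pre-authentication case: the terminal, still associated with AP1, pre-authenticates with AP2 and AP3 through AP1. A server that treats every successful EAP exchange as a new session tears down the AP1 session the terminal is actually using, which is the failure mode the text describes. The `preauth` indicator, the `Session` and `AAAServer` names and the scenario function are assumptions of the example; the page itself only states that the server must not close the original AP's connection, not how it would know.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    subscriber: str
    ap: str
    session_id: int


@dataclass
class AAAServer:
    """Constructed model of the home AAA server's scenario 2 session registry.

    Holds at most one session per subscriber.  When a new session is
    established, the old one is disconnected (Diameter server-initiated
    disconnect) instead of the new attempt being blocked, so a dangling
    session left behind after the user walked out of coverage never locks
    the user out.
    """
    sessions: Dict[str, Session] = field(default_factory=dict)          # subscriber -> active session
    disconnects: List[Tuple[str, str, int]] = field(default_factory=list)  # (subscriber, ap, session_id) torn down
    pmks: List[Tuple[str, str]] = field(default_factory=list)           # (subscriber, ap) PMKs established
    _next_id: int = 1

    def on_eap_success(self, subscriber: str, ap: str, preauth: bool = False) -> Optional[Session]:
        """Handle a successful EAP exchange for `subscriber` relayed by `ap`.

        Every successful exchange yields a PMK shared with `ap`.  Only a
        genuine new session should trigger single-session enforcement.
        `preauth` is an ASSUMED indicator for this example: the text gives the
        server no such signal, which is exactly the stated problem.
        """
        self.pmks.append((subscriber, ap))
        if preauth:
            # Pre-authentication: a PMK now exists with `ap`, but the terminal
            # is still associated with its original AP, so nothing is closed.
            return None
        old = self.sessions.get(subscriber)
        if old is not None:
            # New session wins; the old one (possibly dangling) is disconnected.
            self.disconnects.append((subscriber, old.ap, old.session_id))
        new = Session(subscriber, ap, self._next_id)
        self._next_id += 1
        self.sessions[subscriber] = new
        return new

    def active_ap(self, subscriber: str) -> Optional[str]:
        s = self.sessions.get(subscriber)
        return s.ap if s is not None else None


def run_preauth_scenario(server_can_detect_preauth: bool) -> dict:
    """Terminal associates with AP1, then pre-authenticates with AP2 and AP3 via AP1.

    Returns what the server believes the active AP is, which sessions it
    disconnected, and which PMKs were established.
    """
    srv = AAAServer()
    srv.on_eap_success("sub-1", "AP1")  # genuine session over the radio link to AP1
    for ap in ("AP2", "AP3"):           # relayed by AP1; no radio link to AP2/AP3
        srv.on_eap_success("sub-1", ap, preauth=server_can_detect_preauth)
    return {
        "active_ap": srv.active_ap("sub-1"),
        "disconnected_aps": [ap for _, ap, _ in srv.disconnects],
        "pmks": [ap for _, ap in srv.pmks],
    }


def run_shared_credential_scenario() -> dict:
    """Two terminals use the same credentials: the second session displaces the first."""
    srv = AAAServer()
    srv.on_eap_success("sub-1", "AP1")   # first terminal
    srv.on_eap_success("sub-1", "AP9")   # second terminal sharing the subscription
    return {
        "active_ap": srv.active_ap("sub-1"),
        "disconnected_aps": [ap for _, ap, _ in srv.disconnects],
    }


if __name__ == "__main__":
    print("naive server (pre-auth looks like a new session):", run_preauth_scenario(False))
    print("server that can tell pre-auth apart:             ", run_preauth_scenario(True))
    print("shared credentials:                             ", run_shared_credential_scenario())
```

With the naive treatment the server ends up believing the subscriber is on AP3 and has disconnected the AP1 session, although the terminal never left AP1; with the assumed indicator the AP1 session survives and three PMKs exist, which is what pre-authentication is meant to achieve. The shared-credential run shows the enforcement working as intended: the second terminal's session displaces the first rather than being refused.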