Wireless communications have enjoyed tremendous growth and permit both voice and data communications on a global scale. Indeed, WLAN access networks are currently deployed in many public places, such as airports, hotels, shopping malls, and coffee shops. The WLAN market is currently undergoing a rapid expansion and is being offered as a complementary service for mobile operators. PLMN core network operators, such as GPRS and UMTS network operators, traditionally provide access to mobile packet data services via a wide area GPRS or UMTS network. More recently, those mobile operators have also offered that mobile packet data service directly through a high capacity WLAN access network. Ideally, the mobile operators can provide the packet data service seamlessly between PLMN and WLAN.
There are several important requirements for a mobile operator's complementary WLAN service. First, the WLAN must interwork PLMN, e.g., GPRS and UMTS, established standards. GPRS and/or UMTS are used as non-limiting examples of a PLMN. Specifically, it must be possible to reuse existing GPRS/UMTS authentication and authorization mechanisms for WLAN access without degrading the security of the GPRS/UMTS network. Second, roaming must be permitted and specified between wide area cellular radio access and WLAN access networks. Significantly, roaming between different mobile operator WLANs must be supported. A WLAN access network may have a direct or an indirect relationship with one or more service networks.
FIG. 1 illustrates an access configuration where a mobile terminal (MT) 10 initially requests access via a local access network 12. Local access network 12 typically provides “hotspot” wireless connectivity for WLAN clients like the mobile terminal 10 present in its local access coverage area. The local access network 12 is connected to a home service network 14, which provides the ultimate communication service and maintains the direct relationship to the mobile terminal 10. The local access network 12 includes one or more access points 16 (e.g., radio base stations) that provide access to the communication services over the radio or wireless interface. An access router 18 is the data gateway to the Internet and/or an Intranet 13 and to the home service network 14, and it routes data between the mobile terminal 10 and the home service network 14 (although the data path between the access router 18 and the home service network 14 is not shown). The authentication, authorization, and accounting (AAA) server 20 is involved in performing authentication and authorization of the mobile terminal 10 before access to services are permitted. The AAA server 20 is also involved in accounting functions once access is permitted. The home AAA server 24 is coupled to a home subscriber server (HSS) 22, which accesses a home subscriber server data base (not shown). The home AAA server 24 authenticates and authorizes the mobile terminal using authentication and authorization procedures which are often performed using the well-known RADIUS or Diameter protocols.
FIG. 2 illustrates how the local access may have an indirect (i.e., via an intermediary) relationship with a home service network. The local access network has an association with intermediary service networks 30, 34, and 38, and each intermediary service network has its own AAA server 32, 36, and 40, respectively. But only two intermediary service networks 30 and 34 have roaming agreements with the home service network 14. Although not illustrated, there may also be a network (or even multiple networks) between the local access network and the intermediary service networks 30, 34, and 38 in the form of a “roaming consortium.”
When a UMTS/WLAN subscriber accesses a WLAN access network, the subscriber's terminal sends a network access identifier (NAI) of the subscriber to the network. An NAI is an identifier with format “name@operator-realm,” as described in “The Network Access Identifier,” RFC 2486, January 1999. The NAI is sent using Extensible Authentication Protocol (EAP) over LAN (EAPOL). The transfer of the NAI precedes either an EAP Authentication and Key Agreement (AKA) procedure, as described in “EAP AKA Authentication,” J. Arkko et al., Internet-Draft draft-arkko-ppext-eap-aka-10.txt, or an EAP Subscriber Identity Module (SIM) procedure, as described in “EAP SIM Authentication,” H. Haverinen et al., Internet-Draft draft-haverinen-pppext-eap-sim-11.txt. The AAA client located in the WLAN AP 16 or the access router 18 (most commonly in the AP) forwards the NAI via an AAA protocol to a service network AAA server, (e.g., RADIUS, as described C. Rigney et al., “Remote Authentication Dial In User Service (RADIUS),” RFC 2865, or Diameter, as described in Pat R. Calhoun et al., “Diameter Base Protocol” RFC 3588, Pat R. Calhoun et al., “Diameter Network Access Server Application,” Internet-Draft draft-ietf-AAA-diameter-nasreq-12.txt, and Ed P. Eronen, “Diameter Extensible Authentication Protocol (EAP) Application” draft-ietf-AAA-eap-02.txt. This is normally a default AAA server, which may be either the AAA server of the UMTS/WLAN operator or an AAA server of the WLAN network operator (if these operators are not one and the same). In the latter case, the AAA server in the WLAN network forwards the NAI to the AAA server in the subscriber's home UMTS/WLAN network via RADIUS or Diameter. The home AAA server processes the received message and performs an authentication procedure towards the mobile terminal. Subsequent AAA messages (e.g., for accounting during the session) follow the same path between the AAA client and the home AAA server, possibly via an AAA server in the WLAN network.
If a UMTS/WLAN subscriber roams into a WLAN network that has no association with the home network of the subscriber, then the subscriber is granted access only if the visited WLAN network has an association with a UMTS network that has a roaming agreement with the roaming subscriber's home UMTS network. This association may be a direct association or an indirect association via an AAA broker or proxy.
The case where the AAA communication between the visited WLAN access network and the home network of the subscriber must go through a visited UMTS network, (i.e., the UMTS network with which the home UMTS network of the subscriber has a roaming agreement), is illustrated in FIG. 2. More specifically, AAA messages sent from the AAA client to the AAA server of the visited WLAN network are then routed via the AAA server of an intermediary visited UMTS network (30 or 34) to the AAA server 24 of the subscriber's home UMTS network 14. AAA messages in the other direction follow the same path in the opposite direction.
A problem with this arrangement is that the AAA server 20 of the visited WLAN network 12 may have associations with multiple UMTS networks. Thus, the WLAN AAA server 20 does not know which of its associated UMTS networks has a roaming agreement with the home UMTS network 14 of the roaming subscriber. Even if the AAA server 20 of the visited WLAN network 12 did have this knowledge, the home UMTS network 14 of the subscriber may well have roaming agreements with more than one of the UMTS networks associated with the visited WLAN network 12. Because the choice of intermediary visited UMTS network is either impossible or arbitrary for the AAA server 20 of the visited WLAN network 12, the home service network 14 and/or the subscriber should be able to make the choice so that the most appropriate intermediary visited service network is selected. For example, in FIG. 2, intermediary service network 1 may be selected as the intermediary visited network, but intermediary service network 2 may be a better choice or simply the intermediary service network the subscriber prefers. In any event, intermediary service network 3 would not be chosen because the home service network 14 does not have a roaming agreement with it.
There are several approaches to this problem. For two approaches, the WLAN network provides the mobile terminal with information about the service networks associated with the WLAN network. The mobile terminal then selects one of the associated service networks as its intermediary visited service network and indicates the selected network through information incorporated in an “extended NAI” or a “decorated NAI.” The format of the decorated NAI could be, for example, home-realm/name@intermediary-visited-network-realm or home-realm!name@intermediary-visited-network-realm. The AAA server of the intermediary visited service network would interpret the decorated NAI, delete the intermediary-visited-network-realm part and move the home-realm part to its normal position after the @ character and delete the slash character or exclamation mark (thus turning the decorated NAI into a regular NAI) before forwarding the AAA message (in which the decorated NAI was included) to the AAA server of the subscriber's home network. Alternatively, the AAA server of the visited WLAN network could perform this operation before sending the AAA message to the AAA server of the intermediary visited service network.
The difference between these two approaches is how the information about associated networks is conveyed to the terminal, and to a certain extent, how the decorated NAI is transferred to the AAA server of the visited WLAN network. In the first approach, the Service Set Identifier (SSID) normally broadcast or “advertised” by the WLAN APs could be modified to contain information about associated UMTS network(s). The mobile terminal could then choose to access the WLAN access network or not, and if it chooses to access the WLAN access network, the mobile terminal can supply network selection information in the decorated NAI in the EAP-Identity Response message (responding to the initial EAP-Identity Request message from the WLAN network) during the authentication procedure.
But because the size of the SSID is limited, (no more than 30 octets of data), this approach relies on the concept of virtual APs to be implemented. With the virtual AP concept, a single physical AP can implement multiple virtual APs so that several WLAN hotspot providers can share the same infrastructure. In the context of network advertising, each associated UMTS network would be represented by its own virtual AP. Each virtual AP would send its own beacon frames advertising a unique SSID that identifies the corresponding UMTS network.
In the second approach, the information about associated UMTS networks could be included in an EAP-Identity Request message, (the EAP Identity Request message format is described in L. Blunk, et al., “PPP Extensible Authentication Protocol (EAP),” RFC 2284), from the WLAN network to the terminal. Specifically, the intermediary network information could be included after a NULL character in the Type-Data field in the EAP-Identity Request message. The EAP-Identity Request message may originate from the WLAN AP (in case it is the initial EAP-Identity Request message) or the AAA server of the visited WLAN network (in case it is a subsequent EAP-Identity Request message). In the former case, the AP includes this information in the initial EAP-Identity Request message provided that the AP, and not the access router, is the EAP authenticator. In the latter case, the AAA server of the visited WLAN network sends the information about associated UMTS networks to the terminal in a second EAP-Identity Request message only if the NAI received from the user/terminal in the response to the initial EAP-Identity Request message is not enough to route the AAA request to the home AAA server of the user. The mobile terminal could also explicitly request the AAA server of the visited WLAN network to send the network information in a second EAP-Identity Request message by providing a NAI with a dedicated request string (e.g., “Network-Info-Requested”) in the name portion of the NAI in the first EAP-Identity Response message.
These approaches are terminal-based network selection methods in that the selection of the intermediary visited service network is based on criteria available in the terminal and/or manually input from the user. Available data that can be used for this purpose (besides manual user input) include, e.g., the following USIM files: User controlled PLMN selector with Access Technology (USIM file: EFPLMNwAcT), which is a user defined PLMN priority list, Operator controlled PLMN selector with Access Technology (USIM file: EFOPLMNwACT), which is an operator defined PLMN priority list, and the Forbidden PLMNs (USIM file: EFFPLMN), which is a list of forbidden PLMNs in which roaming is not allowed (see 3 GPP TS 31.102 v6.2.0, “3rd Generation Partnership Project; Technical Specification Group Terminals; Characteristics of the USIM application (Release 6)”.
A problem with the first approach, as identified earlier, is the limited space in the SSID field, which makes it necessary to use the virtual AP concept. Using the virtual AP concept for this purpose is problematic for several reasons. The fact that each virtual AP sends its own beacon frame increases signaling overhead (in terms of resources consumed by beacons) and has substantial scaling problems. Even a few virtual APs produce beacons that consume on the order of 10% of the total AP capacity. If numerous UMTS networks, e.g., UMTS networks associated with the WLAN network via a roaming consortium, were advertised, the beacons would consume the entire AP capacity. In addition, most deployed APs do not implement the virtual AP concept, and its presence in future APs is still uncertain. Thus, numerous installed APs would have to be upgraded. Another problem is that many deployed WLAN access networks may not be in a position to change their SSID.
The second approach is also problematic. In the variant where the network information is sent in the first EAP-Identity Request message, the behavior of the APs must be modified (which is particularly undesirable considering the number of deployed APs). In the other variant, a roundtrip delay between the terminal and the AAA server in the visited WLAN network is added to the overall access delay. In addition, since some EAP implementations already use the space beyond a NULL character in the Type-Data field of the EAP-Identity Request to convey various options, there is a potential risk for interference between intermediary UMTS network information transfer and existing use of the data space.
A general problem with all of these approaches is that they require the WLAN network to be knowledgeable about all the potential intermediary UMTS networks. This may not always be the case or even possible, e.g., when there is a roaming consortium between the WLAN network and one or several of the potential intermediary UMTS networks. Thus, schemes relying on network information advertised by the WLAN network may fail in some situations. An additional problem with these approaches is that they require EAPOL to be supported in the WLAN access network, which excludes, e.g., WLAN access networks that use web-based log-in procedures.
Terminal-assisted network selection may also be constrained by limited and possibly outdated input data. For instance, as roaming agreements are established, changed, and even cancelled, an operator-defined PLMN priority list stored in a USIM file may become outdated. Likewise, the mobile terminal or the user may not have the latest information on charging rates and available services for the available PLMNs, which may be prime criteria for PLMN prioritization. If the network selection could instead be based on fresh data from the home network, a better choice of intermediary UMTS network could be made.
Ultimately, if the local access WLAN is not associated with any intermediary UMTS networks included in an operator-defined or a user-defined priority list, the mobile terminal either must assume that roaming is not possible or must select an intermediary UMTS network at random. If the mobile terminal assumes that roaming is not possible, this may be an unnecessary relinquishment of service, because intermediary UMTS networks not listed in the priority lists in the USIM files that have roaming agreements with the home network may still be available. On the other hand, if the user or mobile terminal selects an intermediary network at random, and access through the randomly selected intermediary network is rejected, the user/terminal has to select another intermediary network until access is successful or there are no more intermediary networks to select.
Recognizing these various problems and drawbacks, the inventor determined that if the intermediary network selection was based on fresh data from the home network, an intermediary network not listed in the USIM files (e.g., because of a new roaming agreement) could be selected. As a result, useless access attempts through networks without roaming agreements could be avoided.
Home network-assisted selection of an intermediary service network for a roaming mobile subscriber overcomes these various problems and drawbacks. The selection is based on a list of desired intermediary service networks generated using information from the mobile's own home service network. The list is provided to a central access server which collects information regarding roaming agreements and visited PLMN priority lists from both local access operators and PLMN operators. This home service network-based information regarding intermediary service networks may be collected using real-time operations, non-real-time operations, semi-automatically, and/or manually.
To select an intermediary service network, the visited local access network sends a request for access which includes the user's identifier, e.g., an NAI. The term “request for access” or “access request” is to be broadly understood and includes a request for one or more communications services, a request to connect to the local network, a request for authentication, a request for an IP address, etc. The term “mobile terminal” encompasses mobile terminal equipment, the user or subscriber of the mobile terminal, and the identity of a personal entity such as a SIM-card. So for example, authorization or authentication of the mobile terminal includes authorization or authentication of the user identity and authorization or authentication of the mobile terminal. The term “service network” encompasses any type of entity that can serve subscribers or facilitate serving of subscribers by participating in authentication, authorization and/or accounting signaling, e.g., a network serving its subscribers, an intermediary network, or a roaming consortium, e.g., in the form of a AAA server.
The local access network sends the request for access to a central access or AAA server, which returns a list of intermediary service networks. The local access network selects one of the listed intermediary service networks to be used in an authentication procedure between the mobile terminal and the home service network. The intermediary service networks are preferably listed by priority to permit the local access network to select the highest priority intermediary service network with which it has an association.
In one, non-limiting, example implementation, the home service network is a public land mobile radio network (PLMN) that includes a PLMN access server and a memory that stores a list of intermediary PLMNs with which the home PLMN is associated. There are multiple intermediary PLMNs in the system, and at least one is included on the list. The intermediary PLMNs may be identified on the list using a domain name or a fully-qualified domain name of an authentication server of the intermediary PLMN. The term “fully-qualified domain name” (FQDN) as used herein encompasses host names, identifying individual hosts/nodes, as well as domain names of the Domain Name System (DNS) in general. A wireless local area network (WLAN) includes a WLAN access server for receiving an access request message from the mobile terminal that requires authentication with the home PLMN. In response, WLAN access server forwards the access request message to a central access server. The central access server obtains the list of intermediary service networks with which the home PLMN is associated and provides that list to the WLAN access server. The WLAN access server selects from the provided list an intermediary PLMN to be used in authenticating the mobile terminal's access to the home PLMN and forwards the access request message to the selected intermediary PLMN. The selected intermediary PLMN conveys the access request message towards the home PLMN either directly or via one or more other intermediary access servers, e.g., an AAA server.
In another, non-limiting, example implementation, the PLMNs are universal mobile telecommunications system (UMTS) networks and the authentication server, the central access server, the WLAN access server, and the home UMTS network access server are authentication, authorization, and/or accounting (AAA) servers. Although any AAA protocol may be used, in a preferred, but still example detailed implementation, the central AAA server may be a Diameter redirect agent used by the WLAN access server to route an AAA request message concerning the mobile terminal which is not routable by the WLAN AAA server. Domain names of the listed intermediary UMTS networks are included by the Diameter redirect agent in Redirect-Host attribute value pairs (AVPs) in a Diameter answer message. The AAA request message includes a name part and a realm part with the realm part, having a specific ending used by the WLAN AAA server to send the AAA request message to the redirect agent. The WLAN AAA server selects an intermediary UMTS network from the list and forwards the AAA request message to the selected intermediary UMTS network, which recognizes the realm part and forwards the AAA request message to the home UMTS network. Subsequent Diameter messages are conveyed between the mobile terminal and the home UMTS network by the WLAN AAA server and the selected UMTS network AAA server.
In another example implementation, the central access server may also be a RADIUS proxy server or relay agent. The WLAN access server may select an intermediary PLMN using the home PLMN based list in combination with another scheme for selecting an intermediary PLMN. An example of another such scheme is the commonly-assigned application entitled, “Terminal-Assisted Selection of Intermediary Network For A Roaming Mobile Terminal,” cross-referenced above.