In recent years, Wi-Fi (IEEE 802.11) networks have been increasingly deployed in urban areas, office buildings, and college campuses, as well as in public venues such as airports, stadiums, and coffee shops. In response to this growth, broadband service providers have sought to give their mobile subscribers access to Wi-Fi networks in a manner that is easy, quick, and seamless, so that subscribers have convenient Internet access from virtually any Wi-Fi-enabled device in a wide range of mobile environments.
In a typical scenario, a mobile subscriber with a Wi-Fi-enabled device (e.g., a smartphone, tablet computer, or laptop computer) enters the communication range of a wireless access point within a Wi-Fi network. For example, such a wireless access point may include a Wi-Fi controller configured to support Hotspot 2.0, the Wi-Fi Alliance technology certified as Passpoint™, which builds on the Institute of Electrical and Electronics Engineers (IEEE) 802.11u standard for pre-association network discovery and on the IEEE 802.11i and 802.1X standards (WPA2-Enterprise) for link security and port-based access control. Having entered the communication range of the wireless access point, the Wi-Fi-enabled device can receive, from the wireless access point, beacon frames whose Interworking and Hotspot 2.0 Indication elements indicate that the wireless access point supports Hotspot 2.0. If the Wi-Fi-enabled device also supports Hotspot 2.0, then it can send, before associating, an Access Network Query Protocol (ANQP) query defined in the IEEE 802.11u standard to the wireless access point to determine which realms and which Extensible Authentication Protocol (EAP) methods are accepted within the Wi-Fi network. The wireless access point can answer from its own ANQP configuration or forward the ANQP query to an ANQP server configured to provide ANQP service for the Wi-Fi network.
In response to the ANQP query, the ANQP server can provide, in an ANQP response, an NAI Realm list that pairs each supported realm with the EAP methods (and their authentication parameters, such as the required credential type) accepted for that realm; the wireless access point forwards this list to the Wi-Fi-enabled device. For example, the EAP methods accepted within the Wi-Fi network may include EAP-Transport Layer Security (EAP-TLS), EAP-Tunneled Transport Layer Security (EAP-TTLS), EAP for GSM Subscriber Identity Module (EAP-SIM), the EAP Method for Universal Mobile Telecommunications System (UMTS) Authentication and Key Agreement (EAP-AKA), and/or any other suitable EAP method. The ANQP server can also provide a list of the domain names (and Roaming Consortium organization identifiers) of the service providers with which the Wi-Fi network has roaming agreements, which the wireless access point likewise forwards to the device. Such a list can include the domain name of the mobile subscriber's broadband service provider. Because ANQP runs before association and is neither authenticated nor encrypted, the device can rely on these answers only to choose a network and an EAP method; whether the network is genuine is established later, by the EAP method's mutual authentication (for example, validation of the server certificate in EAP-TLS and EAP-TTLS, or of the AUTN value in EAP-AKA).
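The realm and EAP-method advertisement just described, as an added example that is not part of the original text: the Python below encodes and decodes an ANQP NAI Realm list in the IEEE 802.11u layout (realm count; per realm: data-field length, encoding, realm, EAP method tuples with authentication parameters) and lets a device pick the EAP method its credential supports. The realms, the sample payload, the credential names and the function names are constructed for illustration.

```python
"""Encode/decode an ANQP NAI Realm list and choose an EAP method for a credential.
Added example, not from the page: the realms and payload are constructed by hand
following the IEEE 802.11u NAI Realm element layout; names are this example's own."""
import struct

EAP_TLS, EAP_SIM, EAP_TTLS, EAP_AKA = 13, 18, 21, 23
EAP_NAMES = {13: "EAP-TLS", 18: "EAP-SIM", 21: "EAP-TTLS", 23: "EAP-AKA"}
# Authentication parameter IDs carried inside an EAP method tuple.
P_INNER_NON_EAP, P_INNER_EAP, P_CREDENTIAL = 2, 3, 5
# Credential type values: SIM=1, USIM=2, certificate=6, username/password=7.
CRED_SIM, CRED_USIM, CRED_CERT, CRED_PASSWORD = 1, 2, 6, 7
MSCHAPV2 = 4  # non-EAP inner authentication type value


def encode_realm(realm, methods):
    """One NAI Realm Data field. methods: [(eap_type, [(param_id, value_byte), ...]), ...]."""
    body = bytes([0, len(realm)]) + realm.encode("ascii") + bytes([len(methods)])
    for eap_type, params in methods:
        t = bytes([eap_type, len(params)]) + b"".join(bytes([pid, 1, val]) for pid, val in params)
        body += bytes([len(t)]) + t
    return struct.pack("<H", len(body)) + body  # 802.11 multi-byte fields are little-endian


def encode_nai_realm_list(realms):
    return struct.pack("<H", len(realms)) + b"".join(encode_realm(r, m) for r, m in realms)


def _parse(payload):
    (count,) = struct.unpack_from("<H", payload, 0)
    off, realms = 2, {}
    for _ in range(count):
        (dlen,) = struct.unpack_from("<H", payload, off)
        field = payload[off + 2:off + 2 + dlen]
        if len(field) != dlen or dlen < 3:
            raise ValueError("truncated NAI Realm Data field")
        off += 2 + dlen
        enc, rlen = field[0], field[1]
        realm = field[2:2 + rlen].decode("utf-8" if enc & 1 else "ascii")
        p = 2 + rlen
        n_methods, p = field[p], p + 1
        methods = []
        for _ in range(n_methods):
            tlen, p = field[p], p + 1
            t = field[p:p + tlen]
            if len(t) != tlen or tlen < 2:
                raise ValueError("truncated EAP method tuple")
            p += tlen
            params, q = {}, 2
            for _ in range(t[1]):
                pid, plen = t[q], t[q + 1]
                params[pid] = t[q + 2:q + 2 + plen]
                q += 2 + plen
            methods.append((t[0], params))
        realms[realm.lower()] = methods  # realms compare case-insensitively
    return realms


def parse_nai_realm_list(payload):
    """Return {realm: [(eap_type, {param_id: value_bytes}), ...]}; ValueError if malformed."""
    try:
        return _parse(payload)
    except (IndexError, struct.error) as err:
        raise ValueError("malformed NAI Realm list") from err


def select_method(realms, home_realm, credential):
    """Pick (realm, EAP method name) usable with the given credential type, or None.
    Exact realm match only; matching via Roaming Consortium OIs is not shown."""
    wanted = {CRED_SIM: EAP_SIM, CRED_USIM: EAP_AKA, CRED_CERT: EAP_TLS, CRED_PASSWORD: EAP_TTLS}
    for eap_type, params in realms.get(home_realm.lower(), []):
        if eap_type != wanted[credential]:
            continue
        if params.get(P_CREDENTIAL, bytes([credential]))[0] != credential:
            continue  # an absent credential-type parameter means no restriction
        if eap_type == EAP_TTLS and params.get(P_INNER_NON_EAP) != bytes([MSCHAPV2]):
            continue  # this device only holds an MSCHAPv2-capable password credential
        return home_realm, EAP_NAMES[eap_type]
    return None


# Constructed advertisement: a carrier realm for (U)SIM subscribers and a venue realm
# accepting certificates or username/password over EAP-TTLS/MSCHAPv2.
SAMPLE = encode_nai_realm_list([
    ("carrier.example", [(EAP_AKA, [(P_CREDENTIAL, CRED_USIM)]), (EAP_SIM, [(P_CREDENTIAL, CRED_SIM)])]),
    ("cafe.example", [(EAP_TLS, [(P_CREDENTIAL, CRED_CERT)]),
                      (EAP_TTLS, [(P_INNER_NON_EAP, MSCHAPV2), (P_CREDENTIAL, CRED_PASSWORD)])]),
])
```

The parser rejects a truncated data field or method tuple rather than reading past it, which matters because the payload arrives unauthenticated from whatever access point answered the query.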
In the event the mobile subscriber's broadband service provider is pre-provisioned in the Wi-Fi-enabled device (for example, as a Passpoint credential for that provider's realm), the Wi-Fi-enabled device can associate with the wireless access point within the Wi-Fi network and be authenticated by an authentication server within the broadband service provider's network without user interaction. Once the Wi-Fi-enabled device is associated with the wireless access point, it can initiate authentication by sending an EAPOL-Start frame (an IEEE 802.1X frame, often loosely called EAP-Start) to the wireless access point. In response, the wireless access point, acting as the 802.1X authenticator, requests the Wi-Fi-enabled device to identify itself by sending an EAP-Request/Identity message. For example, the Wi-Fi-enabled device may identify itself by sending an EAP-Response/Identity message containing an anonymous outer identity (for example, anonymous@ followed by the provider's realm, or a pseudonym in EAP-SIM and EAP-AKA); the subscriber's real identity is disclosed only inside the EAP method's protected exchange. The wireless access point receives the EAP-Response/Identity message, encapsulates the EAP packet in an Access-Request message, and forwards the Access-Request message, usually through one or more RADIUS proxies, to the authentication server within the broadband service provider's network. Such an Access-Request message conforms to the Remote Authentication Dial-In User Service (RADIUS) protocol and includes a Calling-Station-Id attribute carrying the MAC address of the Wi-Fi-enabled device, a User-Name attribute carrying the outer identity taken from the EAP-Response/Identity message, one or more EAP-Message attributes carrying the EAP packet itself, and a Message-Authenticator attribute, which RFC 3579 requires on every RADIUS packet that carries EAP. Accordingly, the authentication server within the broadband service provider's network may be a RADIUS-based authentication server.
Having received the Access-Request message from the wireless access point, the authentication server within the broadband service provider's network engages in an authentication session with the Wi-Fi-enabled device via the wireless access point. During such a session the authentication server answers each Access-Request with one of three RADIUS messages: an Access-Reject message, an Access-Challenge message, or an Access-Accept message. For example, in response to an Access-Request message, the authentication server may send (1) an Access-Reject message to deny the Wi-Fi-enabled device access to the Wi-Fi network, (2) one or more Access-Challenge messages, each carrying the next EAP-Request of the selected method (for example, EAP-Request/TTLS) together with a State attribute that the wireless access point must echo in its next Access-Request, so as to obtain further information from the Wi-Fi-enabled device before deciding whether to deny or grant access, or (3) an Access-Accept message to grant the Wi-Fi-enabled device access to the Wi-Fi network. The wireless access point does not interpret these messages beyond extracting their EAP-Message attributes: it relays the contained EAP-Failure, EAP-Request, or EAP-Success packet to the Wi-Fi-enabled device over EAPOL, as appropriate. The sending of a challenge message (Access-Challenge message, EAP-Request message) from the authentication server to the Wi-Fi-enabled device via the wireless access point leads to a further exchange of messages between the authentication server and the Wi-Fi-enabled device, through which the EAP method mutually authenticates the two sides and derives a Master Session Key (MSK). The authentication server delivers the MSK to the wireless access point in the Access-Accept message (in the MS-MPPE-Recv-Key and MS-MPPE-Send-Key attributes, encrypted under the RADIUS shared secret), after which the Wi-Fi-enabled device and the wireless access point run the IEEE 802.11i four-way handshake to derive the pairwise session key and to distribute the group (broadcast) key that protect subsequent traffic. Hotspot 2.0 networks require WPA2-Enterprise, so legacy Wired Equivalent Privacy (WEP) keys play no part in this exchange.
The typical scenario described herein for accessing a Wi-Fi network using a Wi-Fi-enabled device has drawbacks, however, in that it can frequently be difficult to troubleshoot an authentication session that fails in an unexpected manner. For example, an authentication session might fail because of packet loss or latency within the Wi-Fi network, the broadband service provider's network, or the Internet; RADIUS runs over UDP, and a lost or late reply causes the wireless access point to retransmit or the EAP method to time out. Determining what went wrong requires correlating the many messages (e.g., Access-Request, Access-Reject, Access-Challenge, and Access-Accept messages) that can be exchanged between an authentication server and the Wi-Fi-enabled device via a wireless access point so as to identify the authentication session to which each message belongs, and this can be difficult if not impossible. The identifiers present in these messages are only local in scope: the 8-bit RADIUS Identifier ties a single reply to a single request and is soon reused by the wireless access point; the State attribute links an Access-Challenge only to the next Access-Request and is opaque to everyone but the server that issued it; the User-Name is an anonymous outer identity shared by many subscribers; and the Calling-Station-Id (the device's MAC address) is common to every attempt by that device. Retried and overlapping attempts from the same device therefore cannot be told apart across the logs kept by the wireless access point, any intermediate RADIUS proxies, and the authentication server. The inability to easily troubleshoot an unexpected authentication failure within a Wi-Fi network can hinder a broadband service provider's overall goal of providing optimal network service to its mobile subscribers.
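The RADIUS/EAP exchange of the preceding paragraphs, and the correlation problem described in this one, as an added example that is not part of the original text: the Python below builds the Access-Request, Access-Challenge, Access-Accept and Access-Reject messages of two interleaved subscriber logins, verifies their Message-Authenticator and Response Authenticator values, and groups the packets into sessions using only what the protocol itself offers (Calling-Station-Id, the echoed State attribute and the RADIUS Identifier). The shared secret, MAC addresses, identities, State value and the exchange itself are constructed, and SessionTracker, run_exchange and the other names are this example's own.

```python
"""RADIUS/EAP session correlation for a Passpoint login. Added example, not from
the page: the interleaved exchanges, shared secret and MAC addresses are
constructed; packets follow RFC 2865 (authenticators) and RFC 3579 (EAP over RADIUS)."""
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, STATE, CALLING_STATION_ID, EAP_MESSAGE, MSG_AUTH = 1, 24, 31, 79, 80
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE, EAP_IDENTITY, EAP_TTLS = 1, 2, 3, 4, 1, 21
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}


def eap(code, eid, eap_type=None, data=b""):
    """EAP packet: Code, Identifier, Length, then Type and data (none for Success/Failure)."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, eid, 4 + len(body)) + body


def _assemble(code, ident, auth, attrs):
    """Header, authenticator and TLV attributes, ending in a zeroed Message-Authenticator."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    body += struct.pack("!BB", MSG_AUTH, 18) + bytes(16)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def build_request(ident, attrs, secret):
    pkt = _assemble(ACCESS_REQUEST, ident, os.urandom(16), attrs)  # random Request Authenticator
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()  # fill in Message-Authenticator


def build_response(code, request, attrs, secret):
    req_auth = request[4:20]  # both integrity values are computed over the *request* authenticator
    pkt = _assemble(code, request[1], req_auth, attrs)
    pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    resp_auth = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()  # Response Authenticator
    return pkt[:4] + resp_auth + pkt[20:]


def parse(pkt):
    code, ident, length = struct.unpack_from("!BBH", pkt, 0)
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, off = [], 20
    while off < length:
        ln = pkt[off + 1] if off + 2 <= length else 0
        if ln < 2 or off + ln > length:
            raise ValueError("bad attribute length")
        attrs.append((pkt[off], pkt[off + 2:off + ln]))
        off += ln
    return code, ident, pkt[4:20], attrs


def verify(pkt, secret, request=None):
    """Check Message-Authenticator and, for a response, the Response Authenticator too."""
    code, ident, auth, attrs = parse(pkt)
    req_auth = auth if request is None else request[4:20]
    zeroed = b"".join(struct.pack("!BB", t, 2 + len(v)) + (bytes(16) if t == MSG_AUTH else v)
                      for t, v in attrs)
    expect = hmac.new(secret, pkt[:4] + req_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(dict(attrs).get(MSG_AUTH, b""), expect):
        return False
    if request is None:
        return True
    return hmac.compare_digest(auth, hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest())


class SessionTracker:
    """An Access-Request without State opens a session (keyed by Calling-Station-Id); a request
    echoing a State joins the session whose Access-Challenge issued it; each reply is tied to its
    request by Identifier. A real collector must key that on (NAS address, Identifier)."""

    def __init__(self):
        self.sessions, self.outcome, self._by_state, self._pending = {}, {}, {}, {}

    def observe(self, pkt):
        code, ident, _, attrs = parse(pkt)
        a = dict(attrs)
        eap_pkt = b"".join(v for t, v in attrs if t == EAP_MESSAGE)  # fragments concatenate
        step = (CODE_NAMES[code], eap_pkt[0] if eap_pkt else None,
                eap_pkt[4] if len(eap_pkt) > 4 else None)  # (RADIUS code, EAP code, EAP type)
        if code == ACCESS_REQUEST:
            sid = self._by_state.get(a.get(STATE))
            if sid is None:  # no usable State: this request starts a new session
                sid = (a[CALLING_STATION_ID].decode(), len(self.sessions))
                self.sessions[sid] = []
            self._pending[ident] = sid
        else:
            sid = self._pending.pop(ident)  # KeyError here means a reply with no request
            if code == ACCESS_CHALLENGE and STATE in a:
                self._by_state[a[STATE]] = sid
            else:
                self.outcome[sid] = CODE_NAMES[code]
        self.sessions[sid].append(step)
        return sid


def run_exchange(secret=b"constructed-shared-secret"):
    """Two subscribers interleaved: A completes an EAP-TTLS exchange, B is rejected at identity."""
    mac_a, mac_b = b"00-11-22-33-44-55", b"66-77-88-99-AA-BB"  # constructed MAC addresses
    id_a, id_b = b"anonymous@carrier.example", b"anonymous@other.example"  # anonymous outer IDs
    state = b"\x00\x01\xa4\x5c"  # constructed opaque State issued by the server
    r1 = build_request(7, [(USER_NAME, id_a), (CALLING_STATION_ID, mac_a),
                           (EAP_MESSAGE, eap(EAP_RESPONSE, 1, EAP_IDENTITY, id_a))], secret)
    r2 = build_request(9, [(USER_NAME, id_b), (CALLING_STATION_ID, mac_b),
                           (EAP_MESSAGE, eap(EAP_RESPONSE, 1, EAP_IDENTITY, id_b))], secret)
    c1 = build_response(ACCESS_CHALLENGE, r1, [(STATE, state),
                        (EAP_MESSAGE, eap(EAP_REQUEST, 2, EAP_TTLS, b"\x20"))], secret)  # TTLS Start
    j2 = build_response(ACCESS_REJECT, r2, [(EAP_MESSAGE, eap(EAP_FAILURE, 1))], secret)
    r3 = build_request(8, [(USER_NAME, id_a), (CALLING_STATION_ID, mac_a), (STATE, state),
                           (EAP_MESSAGE, eap(EAP_RESPONSE, 2, EAP_TTLS, b"\x00"))], secret)
    ok = build_response(ACCESS_ACCEPT, r3, [(EAP_MESSAGE, eap(EAP_SUCCESS, 2))], secret)
    verified = all([verify(r1, secret), verify(r2, secret), verify(r3, secret),
                    verify(c1, secret, r1), verify(j2, secret, r2), verify(ok, secret, r3)])
    tracker = SessionTracker()
    for pkt in (r1, r2, c1, j2, r3, ok):  # arrival order as a passive collector would see it
        tracker.observe(pkt)
    return tracker, verified
```

The tracker uses only the hooks the protocol provides, and its limits are the point: the pending table keyed on an 8-bit Identifier overflows after 256 outstanding requests per access point, the State map only survives as long as the server keeps issuing States, and a device that gives up and retries from EAPOL-Start looks like a second session with the same Calling-Station-Id. Any collector that reconstructs sessions across access point, proxy and server logs needs an identifier that is carried end to end.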
It would therefore be desirable to have systems and methods of tracking authentication sessions performed between Wi-Fi-enabled devices and authentication servers via wireless access points within Wi-Fi networks that can overcome at least some of the drawbacks of existing authentication systems and methods.