A wireless local area network (WLAN) comprises a Basic Service Set (BSS) in the IEEE 802.11 standard (hereinafter “802.11”). A BSS is a broadcast domain and may be connected to another BSS via a Distribution System (DS) forming an Extended Service Set (ESS) (FIG. 1). A BSS is identified by a hardware address (the BSSID) and a Service Set Identifier (the SSID). The SSID is a 32-octet string that is referenced by users of devices who wish to join the BSS.
There are two common approaches to implementing a standard 802.11 BSS. The first implements the entire 802.11 MAC-PHY protocol on a single device. This is called a local Media Access Control (MAC) and the device is called a thick Access Point (AP). The second implements the PHY layer and perhaps a portion of the MAC layer on one device, called a thin or lightweight AP, and the rest of the MAC layer on a remote device typically called a WLAN switch controller that can be reached over a routed network. This latter approach is called a split MAC. With either a local or split MAC, a wireless device issues an 802.11 Association Request containing an SSID information element (FIG. 5) field to associate with the BSS denoted by the SSID supplied in that field. An SSID may be learned through 802.11 beacons (FIG. 2 shows the data comprising a beacon frame 104 as defined under the 802.11 standard) or through a response (FIG. 4 shows the data comprising a probe response frame 103 as defined under the 802.11 standard) to an 802.11 probe request 102 (FIG. 3) initiated by a device. Whether the MAC is split or local is transparent to the device. It associates with the BSS in the same way whether or not the MAC is split.
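The SSID information element that an AP reads from an Association Request can be extracted as sketched below; this is an added example, not part of the original text or of any cited implementation. It assumes the input is the frame body that follows the 24-octet 802.11 MAC header, and the function names and sample values are constructed for illustration.

```python
import struct

SSID_ELEMENT_ID = 0    # element ID of the SSID information element
MAX_SSID_LEN = 32      # an SSID value may not exceed 32 octets
FIXED_FIELDS_LEN = 4   # Capability Information (2) + Listen Interval (2)


class FrameError(ValueError):
    """Raised when an Association Request body is malformed."""


def parse_elements(body: bytes):
    """Yield (element_id, value) pairs, checking every length octet."""
    off = 0
    while off < len(body):
        if off + 2 > len(body):
            raise FrameError("truncated element header")
        eid, length = body[off], body[off + 1]
        off += 2
        if off + length > len(body):
            raise FrameError("element %d overruns frame" % eid)
        yield eid, body[off:off + length]
        off += length


def ssid_from_assoc_request(frame_body: bytes) -> bytes:
    """Return the SSID octets; the value is untrusted, unauthenticated input."""
    if len(frame_body) < FIXED_FIELDS_LEN:
        raise FrameError("frame body shorter than fixed fields")
    for eid, value in parse_elements(frame_body[FIXED_FIELDS_LEN:]):
        if eid == SSID_ELEMENT_ID:
            if len(value) > MAX_SSID_LEN:
                raise FrameError("SSID longer than 32 octets")
            return value
    raise FrameError("no SSID element present")


def build_assoc_body(ssid: bytes) -> bytes:
    """Constructed sample: fixed fields, SSID element, Supported Rates element."""
    rates = bytes([0x82, 0x84, 0x8B, 0x96])
    return (struct.pack("<HH", 0x0431, 10)
            + bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid
            + bytes([1, len(rates)]) + rates)


if __name__ == "__main__":
    print(ssid_from_assoc_request(build_assoc_body(b"marketing")))
```

Because the frame arrives before any authentication, the parser rejects truncated and oversized elements rather than trusting the length octet.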
With the split-MAC approach, the WLAN switch controller can be located anywhere on the Internet. A wireless device can establish a secure tunnel between itself and the WLAN switch using the standard 802.11 wireless security encapsulation. Such a tunnel makes a conventional VPN client unnecessary on the device. The WLAN switch controller replaces the VPN concentrator. As long as a wireless device can communicate with a split-MAC AP, it can form a secure tunnel to the controller using standard 802.11 security. This type of tunnel has been termed a “WiFi VPN” (see Patent Pub No. US2005/0223111). For example, FIG. 8 shows wireless devices 139 and 140 connected remotely, via a split-MAC AP 135, to the marketing BSS in the domain called COMPANY1.COM, and device 132 connected remotely through the same AP to an engineering BSS in the COMPANY2.COM domain.
If a split-MAC AP is installed in a public hotspot to allow connections to remote WLAN switch controllers, then there must be a protocol that lets a wireless device specify the switch controller hosting the remote BSS it wishes to join. The split-MAC AP may need to route part of the 802.11 MAC protocol to one WLAN switch for one wireless device and to a different switch for another device. How does the split-MAC AP know to which switch it should route the 802.11 MAC protocol for a given wireless device?
One approach is for the AP to send a wireless device an EAPOL (Extensible Authentication Protocol over LANs) request identity message, to which the device responds with a cleartext field giving the name of a switch controller or a server that can identify it (e.g., see ¶ [0226] of Patent Pub No. US2005/0223111, incorporated herein by reference for all purposes). The switch-controller name has no relationship to the SSIDs that a user of a wireless device sees displayed in an 802.11 wireless connection manager. A device with only standard 802.11 EAP (Extensible Authentication Protocol) processing does not supply the cleartext field. Standard 802.11 processing must therefore be modified to convey the controller name, and a device must now manage a switch-controller name space in addition to its existing SSID name space.