Virtual networking services (VNS) is a network service, provided on a managed IP network, that allows several virtual wireless LAN networks to be defined within a single physical wireless LAN network. By grouping mobile units together using a VNS and controlling their sessions centrally, specific policies can be applied to such groups of users, such as which security mechanism is applied, what grade of service is to be provided, or even what network their traffic is associated with (e.g. intranet, Internet, etc.). Existing strategies for the deployment of virtual wireless local area networks fail to provide flexible and customizable network connection services to mobile users within a wireless LAN.
One current strategy for segmenting mobile units involves the use of highly intelligent access points, which add functionality directly to the access point to increase its capability to perform higher layer policy services. Such commercially available access points have generally been designed as an extension of a single Ethernet port. That is, data that arrives on the wireless interface is forwarded out to the Ethernet LAN with no mechanism to segment user traffic. This has been done for practical reasons: in order for access points to support user traffic segmentation, every access point would have to support multiple interfaces (one for each network). This approach would be unmanageable and costly as the network grew in number of access points and networks.
Another strategy is to use an overlay controller, i.e. to insert a device in the network to act as a policy engine between the network and the mobile devices that connect to an access point. Although an overlay controller centralizes the networking and access components of a wireless LAN, it does not have direct ties to the capabilities of the access point and hence relies on higher level connections to determine the state of a mobile unit. In other words, these overlay controllers are not involved in the wireless connection process and do not have access to the decision points that occur during the connection process. This limits their ability to provide flexible segmentation functionality. Also, these controllers cannot provide segmentation to individual users at the access point level, and hence cannot offer secure traffic segmentation to different mobile units on the same access point.
Further, U.S. Patent Application No. 2001/0055283 to Beach discloses a method for creating separate virtual wireless local area networks on the same physical wireless local area network. This reference discloses a method to configure the access points with a number of different ESS identifiers, one ESS identifier for each virtual wireless LAN. Mobile units are therefore segmented on the wireless LAN based on which ESS identifier they use to access the access point of the wireless local network. This method is limited to providing user segmentation on the basis of the ESS identifier only and cannot provide meaningful discrimination amongst mobile units. Also, a specific mobile user's segmentation cannot be altered over time, and the parameters of the segmentation must be determined in advance of the mobile unit's connection to the wireless LAN.
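The contrast drawn above, between segmentation fixed by the ESS identifier alone and a VNS that assigns per-session policy centrally and can alter it later, as an added illustrative model (not code from the patent or any product); the class names, roles and sample mobile units are assumptions constructed for the example:

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class VnsPolicy:
    security: str          # security mechanism applied to the group
    grade_of_service: str  # service grade provided to the group
    network: str           # network the group's traffic is associated with

@dataclass
class Session:
    mac: str
    essid: str
    role: str
    vns: Optional[str] = None

class EssidSegmenter:
    """Prior-art model: the virtual LAN is fixed by the ESS identifier alone."""
    def __init__(self, essid_to_vns: Dict[str, str]):
        self.essid_to_vns = essid_to_vns
    def assign(self, session: Session) -> str:
        return self.essid_to_vns[session.essid]

class VnsController:
    """Central session control: the VNS is chosen per mobile unit and may change later."""
    def __init__(self, policies: Dict[str, VnsPolicy], role_to_vns: Dict[str, str], default: str):
        self.policies, self.role_to_vns, self.default = policies, role_to_vns, default
        self.sessions: Dict[str, Session] = {}
    def connect(self, session: Session) -> VnsPolicy:
        session.vns = self.role_to_vns.get(session.role, self.default)
        self.sessions[session.mac] = session
        return self.policies[session.vns]
    def reassign(self, mac: str, vns: str) -> VnsPolicy:  # alter segmentation mid-session
        self.sessions[mac].vns = vns
        return self.policies[vns]
    def policy_for(self, mac: str) -> VnsPolicy:
        return self.policies[self.sessions[mac].vns]

POLICIES = {  # constructed sample policies
    "staff": VnsPolicy("wpa2-enterprise", "gold", "intranet"),
    "guest": VnsPolicy("open-captive-portal", "best-effort", "internet"),
    "quarantine": VnsPolicy("wpa2-enterprise", "best-effort", "remediation"),
}

def demo():
    # Constructed sample: two mobile units associating to the same ESS identifier.
    a = Session("00:11:22:33:44:01", "corp", role="employee")
    b = Session("00:11:22:33:44:02", "corp", role="visitor")
    by_essid = EssidSegmenter({"corp": "staff"})
    ctl = VnsController(POLICIES, {"employee": "staff", "visitor": "guest"}, "guest")
    ctl.connect(a); ctl.connect(b)
    ctl.reassign(a.mac, "quarantine")
    return (by_essid.assign(a), by_essid.assign(b),
            ctl.policy_for(a.mac).network, ctl.policy_for(b.mac).network)
```

The ESSID-only segmenter puts both units in the same virtual LAN and cannot tell them apart, while the controller separates them by role and moves one to a different network after connection.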