Traditional mobile and fixed telephony operators are entering the WLAN market in order to provide WLAN access to their subscribers as using WLAN enabled terminals on hot spot areas. In this context, a user has a business relation with his home network operator, such as a telephony operator, which establishes roaming agreements with a number of WLAN Access Providers (hereinafter referred to as WISP's). In particular, a home network operator itself could also deploy WLAN access infrastructure and act as a WISP.
Thus, a quite common scenario is where a user gets WLAN access from different WISP's that have roaming agreements with the user's home network operator. The user's home network operator charges the user for usage of the WLAN access, and pays to corresponding WISP's for providing such WLAN access to its subscribers. Under this scenario, a user's home network carries out an authentication of the user, and receives accounting information from the WISP providing the WLAN access.
Bearing in mind the intermediary position of network operators from a charging perspective, the network operators are presently interested on having further control on those WLAN access sessions that their users might establish. The control of the WLAN access sessions is generally carried out by each WISP and varies from one scenario to another or, in other words, from one WLAN infrastructure version to another.
A typical WLAN infrastructure in a first scenario, the so-called Web-based WLAN access, includes a number of WLAN Access Points (hereinafter AP's), which provide users with WLAN connectivity over a radio interface; and a WLAN Access Server (hereinafter AS), which implements access control and other functions such as, for example, IP address allocation and authorisation enforcement. In this first scenario, each AP provides WLAN access to a user (UE) by letting the user get IP connectivity towards the AS, but the AS blocks any user traffic beyond until the user has been successfully authenticated.
Therefore, as FIG. 1 illustrates, the user equipment (UE-1) includes a Web browser wherein the AS presents (S-04) a login page to the user. The user introduces (S-05) user's credentials into said login page, and the AS sends (S-06) such credentials towards an Authentication Server (Auth-S) in the home network (HOME) for verification. Upon successful authentication, that is, upon credentials verification, the AS grants access to the user, sends (S-07) an indication of accounting start towards an Accounting Server (Acc-S) in the home network (HOME), and initiates an access session.
For the purpose of the present invention, an access session is a repository of data that an entity responsible for access control to an access network maintains in relation to a user of said access network. Typically, this access session is initiated once the user has been authenticated, and is kept alive whilst the user is accessing the access network under control of said entity. Data included in the access session typically includes a user identifier, a unique access session identifier and other parameters such as, for example, a terminal identifier and security keys.
Under this first embodiment, once the access session has been initiated for the user, information about this access session is sent to the home network. Now, provided that the user moves amongst different AP's within the infrastructure of the same WISP, said different AP's are connected to the same AS, and a re-authentication is not necessary. Moreover, the AS is able to keep the same access session that was created when accessing from the first AP.
That is, under this first scenario there is a unique access session for a user even if the user moves from a first to a second AP, both under control of an AS. Thereby, since this approach centralises the access control in the AS, the access session information handled by the AS, and sent from the AS to the home network, is enough to allow the home network to have control of the WLAN access sessions that its subscribers establish as users of the WLAN access network.
A currently developed WLAN infrastructure in a second scenario, which follows the IEEE standard 802.1x, includes a number of WLAN Access Points (AP's) that provide users with WLAN connectivity over a radio interface, as in the previous scenario, and carry out an access control in accordance with said IEEE standard 802.1x; and, optionally, a WLAN Access Server (AS), which implements functions such as, for example, IP address allocation.
Under this second scenario shown in FIG. 2, each AP (AP-1) is responsible for enforcing a user authentication (S-10) based on IETF RFC 2284 “PPP Extensible Authentication Protocol (EAP)”. This EAP method is executed end-to-end (S-11) between the user (UE-1) and an Authentication Server (Auth-S) at the user's home network (HOME), and before giving IP connectivity to the user. Once the user authentication is successfully completed, the AP (AP-1) grants access to the user by allowing establishment of the WLAN connection (S-01), sending (S-07) an indication of accounting start towards an Accounting Server (Acc-S) in the home network (HOME), and initiating an access session for the user, as the AS does in the above first scenario. Then, the AP (AP-1) in this second scenario sends access session information to the home network for the latter to have control of the WLAN access sessions that its subscribers establish as users of the WLAN access network. Given that the WLAN Access Server (AS) is optional in this second scenario, the user (UE) might get IP connectivity from the AS, provided that it exists, or from the AP otherwise.
The second scenario described above presents some advantages versus the first one. On the one hand, access control is carried out prior to the establishment of IP connectivity, what is considered more secure. On the other hand, a greater variety of authentication methods can be used within an EAP framework, as exemplary depicted for the second scenario. This variety of authentication methods to use in the second scenario, and which cannot be used in the first one, includes SIM-based authentication methods such as those respectively explained in IETF draft-haverinen-pppext-eap-sim-12 “EAP SIM Authentication”, October 2003; and in IETF draft-arkko-pppext-eap-aka-11 “EAP AKA Authentication”, October 2003.
However, the second scenario also presents some disadvantages versus the first scenario. For instance, when a user moves between a first and a second AP in the second scenario, a new authentication of the user is required again. This is due to the fact that each AP is arranged to control independent access sessions, thus allowing a user to keep alive different access sessions at a time through different AP's, and the different AP's belonging to a same WISP or to different WISP's.
On the other hand, the support for different access sessions through different AP's, as the second scenario does, may be regarded as a further advantage that gives support for carrying out a pre-authentication. In this respect, a pre-authentication allows that a user, who has gotten access at a given first AP, may carry out an authentication procedure for a second AP, which is different from the first AP, prior to actually moving to said second AP. This way, the handover from one AP to another can be done faster, thus giving a perception of a continuous user session to the user.
An exemplary mixture of the above first and second scenario may be learnt from the international publication WO 2004/029823 wherein WLAN Access Points (AP's) are provided with access control functions in accordance with IEEE 802.1x and including an “Extensible Authentication Protocol (EAP)” application. An access control function, which is active at an AP, requests an access code from any user attempting to access the access network. The user might have obtained such access code from different sources such as the access network operator (WISP), for example. The access code includes a variety of information about usage parameters and business rules that may be used by the AP to control the access by the user. Access codes may be generated by the access control function at the AP, or by a remote Control Server in connection with the AP, and communicated to the access network operator (WISP). In accordance with this publication, the generation of access codes are based on specific business rules and usage parameters of the access network operator for which the access codes are generated.
The Control Server in this international publication is arranged for communicating with a number of AP's, and for directing a new network access operator (WISP) through the process of establishing a new account. The account is set up so that the Control Server can monitor and keep track of activities related to the corresponding AP. That is, accounts and control of activities are carried out on a per AP basis. There is no citation, or even suggestion, throughout this publication on possible impacts or interferences derived from access sessions simultaneously active for a user through different AP's and, even less, when more than one access network operator (WISP) is involved. Moreover, this publication neither considers nor suggests that the authentication of users is carried out by a home network operator holding a subscription for the users and involved as a charging intermediate entity.
However, the simultaneous existence of several access sessions for a user through different AP's, and the reasons why the several access sessions were initiated, lead to consider different situations, wherein some of them are perfectly permissible from home network operators perspective whereas others might be indicative of fraudulent activities. Indeed, each AP initiating an access session for a user might send information about this access session to the home network, but the home network cannot distinguish whether several access sessions for a user derive from a permissible flow of actions carried out by the user. In this respect, different access sessions and flow of actions may result from re-authentication, pre-authentication, handover, or simply simultaneous accesses.
Generally speaking, fraud occurs when non-authorized users are using the credentials of a legitimate user. This may occur because such credentials have been stolen or because the legitimate user commits fraud towards the home network operator by sharing the credentials with other users.
A first illustrative example deals with prepaid users that make use of a username-password authentication and have a flat rate charging. In this case, a fraud situation occurs if several users make use of the same username and password for accessing the network. For instance, as FIG. 3 shows, a first user (UE-1) performs an authentication procedure (S-09, S-10, S-11) with a first WLAN Access Point (AP-1) and gets a granted access and WLAN connectivity (S-01) through the first WLAN Access Point. Then, either the first user (UE-1) gives his user identity and password to a second user (UE-2), or the second user (UE-2) spoofs the user identity and password of the first user (UE-1), both ways can be considered a fraud. This second user (UE-2) accesses the network from a different terminal and contacts a different WLAN Access Point (AP-2). From the network point of view, both first and second users (UE-1, UE-2) are the same user. For both cases the access is granted.
A second illustrative example deals with users making use of a SIM for having a SIM-card based authentication. Fraud can occur if there is a SIM card cloning, or if several subscribers make use of the same SIM card by connecting the SIM card via a dongle, and the dongle being moved between users' terminals.
Nevertheless, the situation presented above is not always a fraud situation. An operator might be interested in allowing certain subscribers to keep more than one session in a controlled manner, for example, gold subscribers might be allowed to access the network from different terminals, so that distinguishing fraud situations from other acceptable situations is an important issue for the operators, and thus addressed by the present invention.
Currently existing techniques between an access network, such as WLAN, and a home network, such as mobile network, do not allow the detection of these fraud situations since an Accounting Server is the entity receiving accounting information in the home network, and thus receiving information about the access sessions for a user, and the Accounting Server has no means to distinguish whether several access sessions for a user derive from a permissible flow of actions carried out by the user or not. For example, a home network operator cannot take for granted that the reception of a new indication of accounting start implies a new access session for a user, since it may be rather due to a handover procedure between two different AP's.
On the other hand, the centralized solution offered by the Control Server in the above international publication is rather directed to facilitate a local access control on a per AP basis, and under each WLAN operator premises. This prior art solution does not teach any mechanism whereby the fraud situations above may be distinguished from permissible situations from a home network operator perspective.
An object of the present invention is the provision of a mechanism to allow detection of possible fraud situations when several access sessions are simultaneously active for a user through different Access Points (AP's).
Furthermore, the concept of access codes described in the above international publication, including generation and handling, is not a standard issue supported by currently existing AP's following the IEEE 802.1x in the above second scenario. Any further development over the teaching in the above international publication to include a mechanism for fraud detection when several access sessions are active for a user would imply the modification of currently existing AP's.
Thereby, it is a further object aiming the present invention that the mechanism to allow detection of possible fraud situations does not produce any impact on the existing Access Points operating in accordance with the above second scenario.