Search Images Maps Play YouTube News Gmail Drive More »
Sign in
Screen reader users: click this link for accessible mode. Accessible mode has the same essential features but works better with your reader.

Patents

  1. Advanced Patent Search
Publication numberUS20060193299 A1
Publication typeApplication
Application numberUS 11/066,009
Publication dateAug 31, 2006
Filing dateFeb 25, 2005
Priority dateFeb 25, 2005
Also published asCN100490569C, CN101099134A, CN101189858A, CN101189858B, EP1851981A2, EP1851981A4, EP1851981B1, US7676216, US20060193284, WO2006091944A2, WO2006091944A3
Publication number066009, 11066009, US 2006/0193299 A1, US 2006/193299 A1, US 20060193299 A1, US 20060193299A1, US 2006193299 A1, US 2006193299A1, US-A1-20060193299, US-A1-2006193299, US2006/0193299A1, US2006/193299A1, US20060193299 A1, US20060193299A1, US2006193299 A1, US2006193299A1
InventorsNancy Winget, Mark Krischer, Timothy Olson, Sheausong Yang
Original AssigneeCicso Technology, Inc., A California Corporation
Export CitationBiBTeX, EndNote, RefMan
External Links: USPTO, USPTO Assignment, Espacenet
Location-based enhancements for wireless intrusion detection
US 20060193299 A1
Abstract
In a wireless local area network, a method for detecting the presence of an unauthorized device comprises: detecting the presence of neighboring devices from which management frames can be sent; saving a representation of each neighboring device present; receiving a management frame purporting to be from one of the detected device; determining that the received management frame was sent by an unauthorized device; and indicating the presence of the unauthorized device.
Images(6)
Previous page
Next page
Claims(20)
1. In a wireless local area network, a method for detecting the presence of an unauthorized device, the method comprising:
detecting the presence of neighboring devices from which management frames can be sent;
saving a representation of each neighboring device present;
receiving a management frame purporting to be from one of the detected device;
determining that the received management frame was sent by an unauthorized device; and
indicating the presence of the unauthorized device.
2. The method of claim 1, wherein the neighboring devices comprise access points.
3. The method of claim 1, wherein the neighboring devices comprise stations.
4. The method of claim 1, wherein detecting comprises performing radio discovery to determine individual signal strengths of the neighboring devices.
5. The method of claim 1, wherein detecting the presence of neighboring devices comprises manually configuring a device that manages the neighboring devices with location information for each neighboring device.
6. The method of claim 1, wherein a walkabout is performed to determine the locations of the neighboring devices.
7. The method of claim 1, wherein saving a representation of each neighboring device present comprises saving a representation of each neighboring device and its determined individual signal strength.
8. The method of claim 7, wherein receiving a management frame comprises receiving a management frame containing a signal strength indication and a device identifier.
9. The method of claim 8, further comprising:
matching said access point identifier from the management frame with one of the neighboring devices;
comparing the signal strength indication from the received management frame with the determined signal strength of the matched neighboring device; and
indicating the presence of an unauthorized device if the difference between the signal strength indication and determined signal strength is greater than a threshold amount.
10. The method of claim 1, wherein saving a representation of each neighboring device comprises storing information describing the physical location of each neighboring device.
11. The method of claim 1, wherein at least one of the neighboring devices detects and validates radio traffic.
12. The method of claim 11, wherein validation is performed by detecting a key within a received management frame, the key being unique to one of the neighboring devices.
13. The method of claim 11, wherein validation is performed by detecting a message integrity check within a received management frame.
14. The method of claim 11, wherein the detecting neighboring device maintains location information for its neighboring devices and performs validation by determining if a management frame could be received from the device indicated as the source of the management frame.
15. A wireless local area network managing device, comprising:
means for detecting the presence of neighboring devices from which management frames can be sent;
means for saving a representation of each neighboring device present;
means for receiving a management frame purporting to be from one of the detected device;
means for determining that the received management frame was sent by an unauthorized device; and
means for indicating the presence of the unauthorized device.
16. The wireless local area network managing device of claim 15, wherein neighboring devices comprise access points.
17. The wireless local area network managing device of claim 15, wherein neighboring devices comprise stations.
18. A device managed by a wireless local area network managing device, comprising:
means for detecting the presence of neighboring devices from which management frames can be sent;
means for saving a representation of each neighboring device present;
means for receiving a management frame purporting to be from one of the detected device;
means for determining that the received management frame was sent by an unauthorized device; and
means for indicating the presence of the unauthorized device.
19. The device of claim 18, wherein neighboring devices comprise access points.
20. The device of claim 18, wherein neighboring devices comprise stations.
Description
    FIELD OF THE INVENTION
  • [0001]
    The present invention relates broadly to configuration of wireless local area networks. Specifically, the present invention relates to configuring a wireless local area network of client devices. More specifically, the present invention relates to using management frames in a wireless transmission medium to detect unauthorized access to a wireless local area network.
  • BACKGROUND
  • [0002]
    Use of wireless networks such as wireless local area networks (WLANs) is becoming widespread. With the proliferation of WLANs, network security is also becoming more and more important. WLANs present important network security concerns.
  • [0003]
    A WLAN may be ad hoc, in that any client device (referred to herein as a client) may communicate directly with any other client, or have an infrastructure in which a client can only communicate with another client via an access point device (AP). Problems specific to WLANs arise from wireless clients requesting access to the various APs. Often in a deployment of a WLAN environment, AP cells' coverages are overlapped to achieve maximum RF coverage to reduce non-service spots. Wireless clients can move between APs, and thus change the RF environment of the WLAN depending on their location. Additionally, WLANs are often required to grow with increased demand as more and more clients require service from the WLAN. Expanding the WLAN requires reconfiguring equipment, adding APs, and placing APs in locations that do not conflict with other APs or otherwise complicate managing the WLAN.
  • [0004]
    Because wireless is an open medium, anyone can contend for access and send frames over a channel. As 802.11 management frames are sent without any protection, an attacker can easily spoof as a legitimate AP, sending directives to clients as if it were the AP serving the clients. For example, nearly all attacks begin with an attacker spoofing as an AP by sending disassociation or deauthentication requests to a client.
  • [0005]
    Thus, there is a heartfelt need for methods and equipment to efficiently protect a WLAN and provide WLAN managers with information needed to make management and access control decisions.
  • SUMMARY
  • [0006]
    The present invention addresses the problems described above and protects WLANs by verifying that management frames purporting to be from a specific AP originate from near a physical location where the specific AP is known to be located. Thus, the present invention requires attackers to be located in close proximity to the AP they wish to spoof, allowing the AP to detect the spoofed frame and alert a WLAN administrator.
  • [0007]
    In an embodiment, the WLAN administrator deploys a new WLAN as described below. After installing hardware, the APs establish trusted relationships with the campus context manager (CCM). Radio parameters are auto-configured based on AP Radio discovery measurements. If necessary, client walkabouts are performed to gather signal strength measurements, and radio parameters can be re-configured using these measurements. In an embodiment, when a network is first installed, the WLAN administrator positions APs based on heuristic guidance and applies power without any time coordination. Optionally, the WLAN administrator may perform a site survey to optimize the AP placement. Site surveys can range from a quick coverage check using a client utility to detailed signal strength measurements using a third-party tool. After placement and power-up, each AP scans a frequency band to find a usable channel. In an embodiment, the Radio Manager generates a network-wide radio configuration overriding these initial settings. The WLAN administrator initiates radio discovery, auto-configuration and client walkabout measurements at the WLAN Network Manager (WNM) interface. AP Radio discovery involves APs broadcasting beacon signals and simultaneously listening for beacon signals from neighboring APs. The resulting measurements between APs are used to generate an initial radio configuration for the WLAN. Client walkabout measurements are not accompanied by location information, but sets of measurements correspond to specific locations in the WLAN coverage area. The Radio Manager uses these measurement sets to create measurement objects that contain data representing path losses to the strongest controlled APs and received signal strengths from uncontrolled sources at specific locations. A new radio configuration can be generated for the WLAN, using the additional information from the client walkabouts.
  • [0008]
    Depending on the embodiment of the present invention, the physical location of the APs can be either manually configured or achieved during the discovery or walkabout survey. During normal operation, the locations of the APs do not change as APs in general are not expected to be mobile devices. However, in the event that mobile APs are present, resurveying or manually reconfiguring the WLAN can be performed on a periodic basis. Once an AP's location is determined by physical coordinate location and/or through its relative set of neighbors, the AP's location is not expected to change.
  • [0009]
    A signature is conveyed for each management frame the AP transmits and is used for checking that management frames that purport to be from a specific AP actually originate from the expected location. Because the signature is unique to each frame, the dynamic nature of the stored signal strength information ensures a reasonably accurate representation of AP placement within the WLAN. As each AP sends management frames that contain a signal strength indication, this signal strength indication is compared to the AP's signal strength recorded in the radio manager's database. If a significant difference between the signal strength indicator of the management frame and the signal strength recorded in the radio manager's database indicates the possibility of an unauthorized user trying to spoof as a legitimate AP. In an embodiment, the actual validation is based on checking the message integrity code (MIC) of each management frame coupled with the signal strength of the AP by the detector to assert whether both the MIC is valid and whether that detector should have been able to detect that AP.
  • [0010]
    Many other features and advantages of the present invention will be realized by one skilled in the art upon reading the following detailed description when considered with the accompanying drawings, in which:
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • [0011]
    FIGS. 1A and 1B illustrate placement of APs in a WLAN and measurements taken during radio discovery.
  • [0012]
    FIG. 2 illustrates a network configuration in which radio measurements are introduced by embodiments of the present invention.
  • [0013]
    FIG. 3 illustrates an exemplary access point device containing measurement modules used in accordance with embodiments of the present invention.
  • [0014]
    FIG. 4 illustrates an exemplary access radio manager device used in accordance with embodiments of the present invention
  • DETAILED DESCRIPTION
  • [0015]
    The WLAN administrator initiates AP radio discovery at deployment and schedules AP radio discovery during brief maintenance periods when the WLAN is not in use (e.g., 2:00 AM each morning). The result of AP radio discovery is a snapshot of the RF interference at each AP and a set of signal strength measurements indicating the strength level at which each AP receives each neighboring AP's signal. Directing attention to FIG. 1A, a WLAN configuration having AP 1, AP 2, AP 3, AP 4, AP 5 and AP 6 and radio manager 10 and wireless network manager (WNM) 14 are shown. When the APs perform radio scans in accordance with the present invention is performed, APs are determined not in terms of physical location, but mapped in terms of signal strength received from each AP's neighboring APs. In other words, each AP is described in terms of what other APs the AP can detect, in terms of signal strength. For example, in accordance with the present invention, AP 4 is defined as AP 1 (50); AP 2 (55); AP 3 (58); AP 5 (56). In this example, AP 6 is not detected by AP 4, and thus is not included in the definition of AP 4. The values defining AP 4 are stored in a database maintained by radio manager 10. Radio manager 10 uses each AP's current transmission signal strength level to compute the path loss between each AP that the APs can detect. The computed path loss is saved in a database to characterize the RF environment, such as potential coverage redundancy in a set of 802.11 stations associated with a single AP (referred to herein as BSS), and overlap on the downlink. When the neighboring AP is not controlled, radio manager 10 saves the received signal strength. Radio manager 10 sets all controlled APs to transmit at their highest power level and then steps down through subsequent levels to characterize each AP's true power steps. AP Radio discovery is accomplished in the following event sequence. Radio manager 10 commands all APs to scan passively for RF energy over a predetermined time interval and return the results. This action is performed to detect uncontrolled 802.11 WLAN stations and interferers. Radio manager 10 uses the AP scan results to choose one test frequency for all APs in a particular region. Radio manager 10 sets all APs in a particular region to transmit beacons on the selected frequency at maximum transmit power. Each AP is assigned a unique beacon interval to minimize collisions. Radio manager 10 then commands each AP to report beacons that it receives from other APs along with accompanying signal strengths. This action is repeated with APs transmitting at each successively lower power level until reaching the lowest setting.
  • [0016]
    Directing attention to FIG. 1B, campus context manager (CCM) 15 can be utilized in a similar capacity as radio manager 10, database 12 and WNM 14. In an embodiment, CCM 15 stores the database of location information for each AP. This information can be manually configured or obtained through walkabouts based on signal strengths. As shown in FIG. 1B, AP 2's detected neighbors are AP 1 and AP 3. Similarly, AP 4's detected neighbors are only AP 3 and AP 5. In this embodiment, AP 2 and AP 4 are used to detect and validate all traffic they are able to receive. So if AP 4 receives frames that are from AP 1, then it is suspected to be a spoofed frame and AP 4 can report AP 1 to CCM 15 (or radio manager 10) as a potential rogue AP.
  • [0017]
    In an embodiment, a trust relationship is established between CCM 15 and all APs. APs issue their unique key used to protect their respective management frames. The management frame is protected, for example, by using a keyed one-way hash function such as HMAC-SHA1 and its resulting value, which serves as a message integrity code (MIC) that is also sent in the management frame. Sensor APs, such as AP2 and AP4 can validate these management frames as they receive them to also ensure that its neighboring APs are not under attack. In an embodiment, if AP 4 receives frames that are from AP 1 it can also validate that received frame using AP 1's key. Since APs may be moved occasionally, or some APs can even be mobile, the combination of location tracking and validation of the MIC provides for a better determination if a rogue is encountered.
  • [0018]
    The information stored in radio manager 10's database is also useful for checking that management frames that purport to be from a specific AP actually originate from the expected location. Because radio manager 10's database is updated periodically, the dynamic nature of the stored signal strength information associated with individual APs ensures a reasonably accurate representation of AP placement within the WLAN. As each AP sends management frames that contain a signal strength indication as well as the message integrity check (MIC), this signal strength indication is compared to the AP's signal strength recorded in radio manager 10's database. If a difference between the signal strength indicator of the management frame and the signal strength recorded in radio manager 10's database is outside of a threshold amount, this difference indicates the possibility of an unauthorized user trying to spoof as a legitimate AP. In such cases, a warning can be sent to the WLAN administrator to alert the administrator to the possibility of an attack on the WLAN.
  • [0019]
    In an embodiment, radio manager 10 uses the measured signal strength to calculate path loss information from AP to AP and from client location to AP. With this calculated path loss information and the configured power and channel settings of each AP, neighboring APs suffering from black holes are identified.
  • [0020]
    After AP Radio discovery and initial radio configuration, the WLAN administrator may initiate one or more client walkabouts. In a walkabout, a person walks around a coverage area while holding a client device, so that measurements can be gathered and all detected APs reported. The gathered information is used to characterize the RF environment of the WLAN, such as potential BSS coverage redundancy and overlap on the downlink. At the WNM user interface, the administrator specifies the media access control (MAC) addresses of clients from which the controlled APs will request frequent measurements, typically at five-second intervals. The WLAN administrator may select a walkabout with APs transmitting at maximum power or at the levels used during normal operation. During the walkabout, the WLAN administrator is not required to remain in a particular location for any length of time. Client measurements are taken quickly enough to allow the WLAN administrator to continue walking throughout the desired coverage area. Radio manager 10 makes requests to the client device 20 through the AP that is currently serving client 20, instructing client 20 to make a particular measurement. Typically, client 20 is requested to measure the signal strength of all beacon signals it can detect at any given spot at one point in time, and return the recorded signal strength indicator (RSSI) values of the received beacon signals. Where client 20 loses association from all APs, the WLAN administrator records the location. As the WLAN administrator walks the coverage area, the serving AP changes as its client moves from one BSS to another. As long as client 20 remains inside the coverage area, the serving AP continuously commands client 20 to measure and report the signal strength and background RF energy it receives from neighboring APs. All measurements are passed to radio manager 10, which incorporates them into its RF environment database 12. Database 12 provides data used to compute the next radio configuration. By performing radio discovery and client walkabout as described above, radio manager 10 is able to visualize the radio environment of the WLAN.
  • [0021]
    In an embodiment, the WLAN administrator can also walk through the coverage area using an 802.11 sniffer, such as available from Kismet Wireless, Inc., to locate the APs that can be seen at signal strengths sufficient to cause black hole problems among neighboring APS. Regardless of how black holes are detected among neighboring APS, either through transmitting beacon signals at stepped intervals or using an 802.11 sniffer during the walkabout, once black holes are detected, the APs suffering this problem are adjusted by radio manager 10 instructing each AP to change its beacon signal interval so that it is staggered with respect to the neighboring AP also suffering the black hole problem. The process of black hole detection can be an iterative process, performed after each occurrence of a black hole is corrected. This ensures that whatever beacon interval an AP selects to correct the detected black hole problem does not create a new black hole with a different, neighboring AP. In the preferred embodiment, skewing the beacon signals by one or two milliseconds with respect to the neighboring AP in the black hole is sufficient to prevent any extended period of time during which a black hole can occur.
  • [0022]
    During normal operation, radio manager 10 gathers RF statistics and identifies specific signal sources. This allows radio manager 10 to monitor the RF environment, and indicate when new APs appear, and roughly locate clients. Radio manager 10 may request measurements from APs and clients to monitor the WLAN RF environment. These measurements occur less frequently than during the walkabout, typically one or more minutes apart. Radio manager 10 typically asks only the clients to measure non-serving channels, allowing APs to remain on their serving channels to better serve their respective BSSs.
  • [0023]
    Each radio configuration includes parameters of AP channel, AP transmit power, BSS data rates, and BSS power limit. In computing a new radio configuration, radio manager 10 may be given free reign to select various combinations of parameters, or it may be limited to particular range of values for some or all of these parameters on some or all APs. After computing a new radio configuration, radio manager 10 quantifies the expected system performance and then waits for direction from WNM 14, which may request another configuration using a new set of constraints or may apply the computed radio parameters to the WLAN.
  • [0024]
    After the WLAN is deployed, radio manager 10 continuously collects measurements and monitors the RF state of the WLAN. Radio manager 10 alerts WNM 14 to changes that may require radio reconfiguration, but waits for further direction from WNM 14 before computing a new radio configuration and again before applying new radio parameters to the WLAN. Every action by radio manager 10 is made in response to a command received from WNM 14. This makes WNM 14 responsible for managing the degree of reconfiguration autonomy granted to the entire system by the WLAN administrator. The WLAN administrator uses the WNM interface to specify the conditions, if any, under which radio parameters may be automatically changed. All other conditions require explicit approval at each instance.
  • [0025]
    In a preferred embodiment, nightly measurements are performed automatically to check the RF state of the WLAN. These measurements are typically scheduled in a WNM job that runs AP Radio discovery early each morning, perhaps at 2:00 AM. During this brief maintenance time, which could last about a minute, the WLAN becomes unavailable while the APs change channels and power levels. After the new measurements have been accumulated, the WLAN reverts to its previous state and resumes normal operation. Radio manager 10 consolidates the new measurements into its radio environment database and alerts the WLAN administrator of any anomalies.
  • [0026]
    Radio manager 10 alerts WNM 14 whenever it detects a new AP's beacon during normal operation. At the administrator's command, WNM instructs radio manager 10 to ask all new APs to scan the radio spectrum and report their results. Meanwhile, existing APs and clients detect the new APs' beacons. The combination of measurements from the new APs, existing APs and clients provide the information to reconfigure the WLAN to best incorporate the new APs. If desired, the WLAN administrator may perform another client walkabout in the vicinity of the new APs.
  • [0027]
    During normal operation, APs and clients measure the 802.11 traffic load at their location on the serving channel. The traffic load at the AP is best managed by dynamic load balancing. High traffic loads at client locations may indicate inter-BSS contention, which can be remedied by an improved radio configuration. If a client reports a load that is much higher than its serving AP, it may indicate contention from stations (also referred to herein as STAs) in a neighboring BSS. In response to this condition, radio manager 10 schedules measurements to capture frames from the neighboring clients and/or AP to identify the BSS and the number of clients responsible for the contention. This information is used to serve two purposes. First, radio manager 10 consolidates and sends it to WNM 14 to use for performance visualization. Second, the information may prompt WNM 14 to ask radio manager 10 to suggest a new radio configuration that incorporates the new information and achieves better overall performance, possibly by reducing the transmit power in one BSS or by reassigning channels.
  • [0028]
    During normal operation, APs and clients, referred to herein collectively as stations (STAs) measure the non-802.11 interference strength at their locations on the serving channel. In addition, clients measure received interference strength on alternative channels. When radio manager 10 receives reports that indicate non-802.11 interference, it correlates the measurements to locate the interferer, if possible, and alerts WNM 14. The response by WNM 14 depends on the number of reporting STAs, severity and duration of the interference. If a small number of clients report moderate interference, WNM 14 may simply inform the clients of their situation. If the interference is persistent, pervasive and severe, WNM 14 may ask radio manager 10 to suggest a new radio configuration to avoid the interferer.
  • [0029]
    During normal operation, each client may detect a condition where another client is hidden from it. The WLAN administrator uses the WNM interface to specify when and how to act on this information. These instructions are sent by radio manager 10 to each AP. Clients may be instructed to periodically report hidden stations so that APs may take corrective action by lowering the ready to send (RTS) thresholds of the hidden clients. As a result, the serving AP clears the channel by issuing a clear to send (CTS) notification before either of the clients transmits data, which alleviates the hidden node problem.
  • [0030]
    Radio manager 10 gains knowledge of the WLAN radio environment through measurement reports obtained from APs and clients. An embodiment of the present invention introduces five types of radio measurement reports: Beacon Reports, Frame Reports CCA Reports, received power indicator (RPI) Histograms, and Hidden Node Reports, each of which indicates a particular RF characteristic or reports a particular RF event.
  • [0031]
    Beacon and Frame Reports identify sources of 802.11 contention. CCA Reports and RPI Histogram Reports characterize the degree of contention and interference. Hidden Node Reports identify stations colliding within the same BSS.
  • [0032]
    FIG. 2 illustrates the radio measurements introduced by embodiments of the present invention. As shown, the measuring client and one other client are associated with AP 1, but neither client detects the other's signal. AP 2 is close enough to be detected by the measuring client. AP 3 is out of range, but the measuring client does detect some of its associated clients.
  • [0033]
    Measuring client 20-2 issues a Beacon Report identifying AP 2 as a source of 802.11 contention. Client 20-2 issues a Frame Report indicating contention from a client in another BSS, and identifies AP 3 as the BSS access point. Measuring client 20-2 reports significant contention due to clients in another BSS. After receiving this report, radio manager 10 may request a Frame Report, which would identify AP 3 as the destination of the contenting frames. Measuring client 20-2 issues a RPI Histogram Report indicating intermittent, non-802.11 interference and describing the statistics of its received strength. Measuring client 20-2 issues a Hidden Node Report identifying another client in its BSS that appears to be hidden from it.
  • [0034]
    CCA and RPI Histogram Reports must achieve statistical significance and are therefore utilize measurements having longer durations (e.g., 60 seconds). Beacon, Frame and Hidden Node Reports capture and summarize 802.11 frames to identify specific signal sources. Beacon Reports utilize measurements having shorter durations (e.g., 1 second or less). Frame and Hidden Node Reports typically filter out most of the STA's received traffic and report on a small subset. These reports utilize measurements having medium to longer durations.
  • [0035]
    FIG. 3 illustrates an AP in accordance with embodiments of the present invention. In the preferred embodiment, AP 1,2,3,4,5,6 includes processor 28 that executes software modules 34, 36, 38, 40, and 42 for operatively controlling transmitter 30 and receiver 32 to perform the radio measurements of the present invention. Those skilled in the art will know that these software modules can also be implemented as firmware or circuitry as desired in various embodiments.
  • [0036]
    Beacon measurement module 34 performs measurements to obtain received signal strength, identity and other information of neighbor AP beacon or probe response, and generates a message containing this information. AP 1,2,3,4,5,6 send beacon signals to identify themselves to neighboring devices. During walkabout and AP discovery, beacon measurement module 34 measures radio connectivity of APs and characterize potential BSS downlink coverage. During normal operation, beacon measurement module 34 monitors known APs, detects new APs, and roughly locates clients. Frame measurement module 36 obtains signal strength of neighboring STAs and identity of their respective BSS and generates a message containing this information. During walkabout and AP discovery, frame measurement module 36 identifies uncontrolled STAs to be avoided in the radio configuration. During normal operation, frame measurement module 36 identifies contending neighbor STAs (controlled or not). Clear channel assessment (CCA) measurement module 38 measures the fraction of time that an STA observes a channel busy with 802.11 traffic and generates a message containing this information. During walkabout and AP discovery, CCA module 38 finds channels already busy with 802.11 traffic to avoid in radio configuration. During normal operation, CCA measurement module 38 characterizes 802.11 contention at reporting STA's locations. RPI Histogram measurement module 40 measures received strength and statistics of non-802.11 energy and generates a message containing this information. During walkabout and AP discovery, RPI Histogram measurement module 40 find channels with non-802.11 RF energy to avoid in radio configuration, if possible. During normal operation, RPI Histogram measurement module 40 monitors STAs for new non-802.11 RF energy and alarm, if appropriate. Hidden Node measurement module 42 is not used in walkabouts or AP discovery, but during normal operation improves AP performance by enabling dynamic hidden station control. The messages generated by modules 34, 36, 38, 40, 42 can be transmitted by transmitter 30 to radio manager 10, stored in database 12 and passed to WNM 14.
  • [0037]
    Radio manager 10 may request a STA to measure on its serving channel or on another channel. When measuring on the serving channel, the STA continues its normal traffic processing while concurrently accumulating the measurement. When measuring on a non-serving channel, the STA must postpone normal traffic and dedicate itself to the measurement since it cannot operate on two channels simultaneously.
  • [0038]
    During AP Radio discovery, radio manager 10 typically requests APs to scan multiple channels and then assigns one channel and requests beacon reports on that channel. During client walkabout, radio manager 10 requests the walkabout clients to measure on the serving channel and on non-serving channels. During normal operation, radio manager 10 requests APs to measure on their serving channels and clients to measure on serving and non-serving channels.
  • [0039]
    Radio manager 10 may request Beacon Reports on a serving or non-serving channel. Beacon Reports ask the measuring STA to report both beacons and probe responses. The Beacon Report may be requested of any STA, and typically contains information such as received signal strength, transmitting station address, computed TSF offset between detected BSS and serving BSS, beacon interval, capability information, SSID and supported rates.
  • [0040]
    The purpose of the Beacon Report is to discover and monitor the presence of neighboring APs, regardless of whether they are controlled by radio manager 10. This helps radio manager 10 characterize the overlap of cochannel BSSs and the redundancy of other-channel BSSs on the downlink. The Beacon Report is used during AP Radio discovery, Client walkabout and normal operation. The transmitting station address identifies the neighbor AP to radio manager 10. In an embodiment, the computed TSF offset allows the serving AP to schedule brief measurements of signal strength from the particular neighbor AP. The signal strength helps radio manager 10 assess the overlap of cochannel BSSs and the coverage redundancy of other-channel BSSs. If two cochannel BSSs contain power-save clients, in an embodiment, the computed TSF offset is used to instruct each AP to schedule its multicast traffic in a manner that is less likely to collide with its neighbor's traffic.
  • [0041]
    Radio manager 10 may request Frame Reports on a serving or non-serving channel. Frame Reports may be requested of any STA. The Frame Report summarizes each 802.11 frame received from a STA in another BSS, and includes information such as received signal strength, transmitting station address, receiving station address, and frame type and length. The purpose of the Frame Report is to identify STAs that belong to another BSS but are located within radio range of the measuring STA. It also identifies the BSS to which the contending STAs belong. This report helps characterize and monitor the region of uplink RF influence of each neighboring BSS. This includes BSSs controlled by radio manager 10 and BSSs that are not under its control.
  • [0042]
    Radio manager 10 may request CCA Reports on a serving or non-serving channel. It is typically scheduled to run concurrently with normal traffic processing on the serving channel or in parallel with other dedicated measurements on a non-serving channel. This report may be requested of any STA. The report contains the CCA Busy Fraction. The CCA Busy Fraction measures the accumulated duration of all packets divided by the measurement interval length. This value includes successful packets and erroneous packets. The value range is 0-255, where 0 represents no traffic and 255 represents traffic occurring 100% of the time.
  • [0043]
    Radio manager 10 may request Received Power Indicator (RPI) Histogram Reports on a serving or non-serving channel. The RPI Histogram Report conveys the relative fraction of time during which RF energy from non-802.11-decodable sources falls into each of eight different received power ranges. The RPI Histogram report provides a measurement of RF energy due to a combination of background noise and background signals, including non-802.11 devices and 802.11 devices whose signals cannot be properly decoded. The histogram helps radio manager 10 assess the non-802.11-decodable RF energy contending with the WLAN at different locations. This information helps radio manager 10 to decide the best channel for each BSS in the vicinity of the measuring STA.
  • [0044]
    Radio manager 10 may request a Hidden Node Report from clients as a concurrent measurement on the serving channel. The Hidden Node Report includes the received signal strength and destination address of 802.11 frames sent by the serving AP for which the measuring client detected no acknowledgement. The purpose of the Hidden Node Report is to discover and monitor clients within the same BSS that are hidden from each other. This report helps radio manager 10 decide the best transmit power for each BSS and the appropriate RTS threshold for the hidden nodes, if it has a means of setting these thresholds at the clients.
  • [0045]
    FIG. 4 illustrates the functional components of radio manager 10. Besides database 12, described above, radio manager 10 also includes processor 50, memory 52, transmitter 54 and receiver 56. Transmitter 54 communicates the requests described above to APs and clients, as well as radio configuration information to WNM 14. Receiver 56 receives the report information described above from the APS and clients, as well as instructions from WNM 14.
  • [0046]
    While a method, computer program product, and apparatus for managing a radio environment without location information have been described and illustrated in detail, it is to be understood that many modifications can be made to various embodiments of the present invention without departing from the spirit thereof.
Patent Citations
Cited PatentFiling datePublication dateApplicantTitle
US6754488 *Mar 1, 2002Jun 22, 2004Networks Associates Technologies, Inc.System and method for detecting and locating access points in a wireless network
US6990428 *Jul 28, 2003Jan 24, 2006Cisco Technology, Inc.Radiolocation using path loss data
US7110756 *Aug 2, 2004Sep 19, 2006Cognio, Inc.Automated real-time site survey in a shared frequency band environment
US7286515 *Jan 28, 2004Oct 23, 2007Cisco Technology, Inc.Method, apparatus, and software product for detecting rogue access points in a wireless network
US7295524 *Feb 18, 2003Nov 13, 2007Airwave Wireless, IncMethods, apparatuses and systems facilitating management of airspace in wireless computer network environments
US20010032254 *May 29, 1998Oct 18, 2001Jeffrey C. HawkinsMethod and apparatus for wireless internet access
US20040023640 *Aug 2, 2002Feb 5, 2004Ballai Philip N.System and method for detection of a rogue wireless access point in a wireless communication network
US20040190718 *Mar 25, 2003Sep 30, 2004Dacosta Behram MarioApparatus and method for location based wireless client authentication
US20040218602 *Feb 6, 2004Nov 4, 2004Hrastar Scott E.Systems and methods for dynamic sensor discovery and selection
US20040266533 *Apr 15, 2004Dec 30, 2004Gentles Thomas AGaming software distribution network in a gaming system environment
US20050073979 *May 5, 2003Apr 7, 2005Instant802 Networks, Inc.Visitor gateway in a wireless network
US20050073980 *Sep 17, 2003Apr 7, 2005Trapeze Networks, Inc.Wireless LAN management
US20050128989 *Oct 15, 2004Jun 16, 2005Airtight Networks, IncMethod and system for monitoring a selected region of an airspace associated with local area networks of computing devices
US20050174961 *Feb 6, 2004Aug 11, 2005Hrastar Scott E.Systems and methods for adaptive monitoring with bandwidth constraints
US20050248452 *Aug 26, 2003Nov 10, 2005Medical Tracking Systems, Inc.Wide area multipurpose tracking system
US20060068811 *Jan 31, 2005Mar 30, 2006Microsoft CorporationCollaboratively locating disconnected clients and rogue access points in a wireless network
Referenced by
Citing PatentFiling datePublication dateApplicantTitle
US7561554 *Jul 14, 2009Hon Hai Precision Industry Co., Ltd.Method and system for detecting rogue access points and device for identifying rogue access points
US7577424 *Dec 19, 2005Aug 18, 2009Airdefense, Inc.Systems and methods for wireless vulnerability analysis
US8069483Nov 29, 2011The United States States of America as represented by the Director of the National Security AgencyDevice for and method of wireless intrusion detection
US8081615 *May 22, 2009Dec 20, 2011Mediatek Inc.Method and apparatus to allow coexistence between wireless devices
US8126476 *Jul 25, 2008Feb 28, 2012Wefi, Inc.System and method for mapping wireless access points
US8626240Mar 26, 2012Jan 7, 2014Ubiquisys LimitedLocation of basestation
US8738033Jun 29, 2012May 27, 2014Ubiquisys LimitedLocation of basestation
US8774140 *Nov 22, 2006Jul 8, 2014Intel CorporationMethod and apparatus to provide hidden node protection
US8958401 *May 3, 2010Feb 17, 2015Nokia CorporationMethod and apparatus for assisted network discovery
US9178896 *May 9, 2013Nov 3, 2015Avaya Inc.Rogue AP detection
US9357458 *Apr 30, 2014May 31, 2016Aruba Networks, Inc.Distributed method for client optimization
US20070058598 *Dec 30, 2005Mar 15, 2007Hon Hai Precision Industry Co., Ltd.Method and system for detecting rogue access points and device for identifying rogue access points
US20070081503 *Oct 7, 2005Apr 12, 2007Carl MowerSystem and method for evaluating operation of a wireless device in a wireless network
US20070142030 *Dec 19, 2005Jun 21, 2007Airdefense, Inc.Systems and methods for wireless vulnerability analysis
US20080095137 *Nov 22, 2006Apr 24, 2008Shmuel LevyMethod and apparatus to provide hidden node protection
US20080188243 *May 8, 2007Aug 7, 2008Ubiquisys LimitedLocation of basestation
US20090042557 *Jul 25, 2008Feb 12, 2009Wefi, Inc.System and Method For Mapping Wireless Access Points
US20090160696 *Dec 21, 2007Jun 25, 2009Ralink Technology CorporationConfigurable radar detection and avoidance system for wireless ofdm tranceivers
US20100091670 *May 22, 2009Apr 15, 2010Ralink Technology (Singapore) CorporationMethod and apparatus to allow coeixtence between wireless devices
US20100102926 *Mar 13, 2008Apr 29, 2010Syngenta Crop Protection, Inc.Methods and systems for ad hoc sensor network
US20100254298 *Sep 19, 2008Oct 7, 2010Lee John CWireless access system
US20110267977 *May 3, 2010Nov 3, 2011Nokia CorporationMethod and Apparatus for Assisted Network Discovery
US20120026887 *Feb 2, 2012Ramprasad VempatiDetecting Rogue Access Points
US20120249300 *Mar 30, 2011Oct 4, 2012Avital ShlomoDetermination of location using rssi and transmit power
US20130305369 *May 13, 2013Nov 14, 2013ZimperiumDetection of threats to networks, based on geographic location
US20140286319 *Jun 3, 2014Sep 25, 2014Shmuel LevyMethod and apparatus to provide hidden node protection
US20140334317 *May 9, 2013Nov 13, 2014Avaya Inc.Rogue AP Detection
US20150319657 *Apr 30, 2014Nov 5, 2015Aruba Networks, Inc.Distributed Method for Client Optimization
US20160037363 *Jul 29, 2014Feb 4, 2016Qualcomm IncorporatedInterference management in a bursty-interference environment
US20160165396 *Jul 21, 2014Jun 9, 2016Here Global B.V.Assigning Location Information to Wireless Local Area Network Access Points
US20160192281 *Mar 4, 2016Jun 30, 2016Aruba Networks, Inc.Distributed method for client optimization
Classifications
U.S. Classification370/338
International ClassificationH04W12/06, H04W84/18, H04W84/12, H04W12/12, H04W40/24
Cooperative ClassificationH04W84/12, H04L63/107, H04W84/18, H04W12/06, H04W12/12, H04L63/1408, H04W40/246, H04L63/1466, H04L63/0492
European ClassificationH04L63/10E, H04L63/04B16, H04L63/14D4, H04L63/14A, H04W12/12
Legal Events
DateCodeEventDescription
Feb 25, 2005ASAssignment
Owner name: CISCO TECHNOLOGY, INC., CALIFORNIA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:WINGET, NANCY CAM;KRISCHER, MARK;OLSON, TIMOTHY S.;AND OTHERS;REEL/FRAME:016338/0975;SIGNING DATES FROM 20050223 TO 20050225