(12) Patent Application Publication    (10) Pub. No.: US 2006/0094403 A1
Norefors et al.                        (43) Pub. Date: May 4, 2006

(54) ARRANGEMENT AND A METHOD RELATING TO IP NETWORK ACCESS

(75) Inventors: Arne Norefors, Stockholm (SE); Ulf Schuberth, Stockholm (SE)

Correspondence Address:
NIXON & VANDERHYE, PC
901 NORTH GLEBE ROAD, 11TH FLOOR
ARLINGTON, VA 22203 (US)

(73) Assignee: Telefonaktiebolaget LM Ericsson (publ), Stockholm (SE)

(21) Appl. No.: 11/298,568

(22) Filed: Dec. 12, 2005

Related U.S. Application Data

(63) Continuation of application No. PCT/SE03/01053, filed on Jun. 18, 2003.

Publication Classification

(51) Int. Cl. H04M 1/66 (2006.01)
(52) U.S. Cl. 455/411
`
`(57)
`
`ABSTRACT
`
`invention relates to an arrangement and a
`The present
`method respectively for providing an end user with access to
`an IP network (login). It comprises a user station, an access
`server of an access network, a web server and an authenti-
`cation server. The end user station comprises first means for
`communication with the access server and second means for
`
`communication over a moile telecommunication system
`with the authentication server. The access/login procedure
`comprises a first and a second phase, the authentication
`server controls the first phase comprising a one-time-pass-
`word (OTP) login sequence, and, if the one time password
`(OTP) is valid, the second login phase is performed in order
`to login the end user at the access server, by creating a
`temporary account for which user credentials are defined.
`
[Representative drawing and FIG. 1 (Sheet 1 of 3): schematic block diagram of the arrangement. Legible labels: MOBILE TELEPHONY SYSTEM, WEB SERVER, ACCESS SERVER, AUTHENTICATION SERVER, TERMINAL; the numbered elements are described in paragraph [0048].]
`
[FIG. 2 (Sheet 2 of 3): flow diagram of the inventive concept. Steps legible in the drawing:]

Phase I
100  End user requests login page from access server
101  Access server AS responds with login page
102  End user clicks link/button on AS server login page to reach operator web server
103  Web server requests end user identity
104  End user enters identity in web server page
105  Authentication server checks user identity (dashed box: optional step)
106  Mobile telecom system sends OTP by an SMS/voice message to end user
107  Web server requests OTP from end user
108  End user enters OTP
109  Authentication server checks OTP
110  Valid OTP entered? No: return error message to end user (110A). Yes: continue.

Phase II
111  Temporary account added/modified in authentication server
112  Web server redirects login to access server login page
113  Timer T1 started
114  User credentials OK? No: return error message to end user (114A). Yes: continue.
115  Timer T1 expired: remove/disable temp. user account
`
`
`
[FIG. 3 (Sheet 3 of 3): signalling diagram of one implementation, messages 1-20 as described in paragraphs [0056]-[0058]; the rotated labels are not legible in the scan.]
`
`ARRANGEMENT AND A METHOD RELATING TO
`IP NETWORK ACCESS
`
`FIELD OF THE INVENTION
`
`[0001] The present invention relates to an arrangement
`and a method for providing an end user with access to an IP
`network,
`i.e. here for end user login. The invention also
`relates to an access server of an access network over which
`
`access is provided, i.e. over which the end user can log in at
`the IP network.
`
`STATE OF THE ART
`
`[0002] To get access to some kind of a service in general,
`entering of password and username is needed. However, in
`the society of today the number of passwords etc. that one
`single user needs to remember, keep stored safely etc. is
`high, and might increase still further. There might e.g. be a
`particular password for WLAN access, for Internet services
`etc.
`
`[0003] WISPs (Wireless Internet Service Providers) offer
`IP network access based on a web dialogue with the user for
`login and Radius communication with a Radius server. The
`typical procedure is to use a username and a static password.
`There are described preferred practises for how this could be
`done e.g. from Wi-Fi Alliance industry forum in the WISPr
`best practice document. The involved protocols are HTTP
`and Radius as defined by IETF (www.ietf.org). However, a
`static username is normally used at login. A static user name
`can easily be copied and hence be used by several persons.
`One attempt
`to solve this problem consists in using a
`one-time password (OTP), which only can be used during a
`limited time period, thereafter it is blocked. To get access or
`login to Internet at e.g. public places, such as airports,
`railway stations, hotels etc. generally a WLAN may be used
`as access network. Generally the coverage is not so large and
`depends on construction etc. of the building, and moreover
`there are not so many frequencies available. The building
`and integration of radio networks is complicated and expen-
`sive. Access issues are thus complicated for serveral reasons,
`both for operators, users and network owners.
`
`SUMMARY OF THE INVENTION
`
[0004] What is needed is therefore an arrangement through which access to an IP network, login, can be provided for in an easy manner, both from the point of view of the end user and from the point of view of the operator. An arrangement is also needed through which login can be provided with a minimum risk of abuse, e.g. through copying of usernames, finding usernames written down somewhere or similar. Further yet an arrangement is needed through which access/login can be provided without substantial impact on access servers, and through which existing access servers can be used without requiring access server upgrading. This is an important aspect since the organisation running the access server can be different from the operator that controls the web and authentication nodes, and has the commercial relation with the user. Reuse of the existing access network is especially advantageous when a radio based access is used, as an additional radio network might cause interference with the already installed one. Still further a method is needed through which one or more of the above mentioned objects can be achieved. Further yet an access server is needed through which one or more of the objects referred to can be achieved, and which can be used to provide login.
`
`[0005] An arrangement is also needed through which a
`unifomi login interface is achieved, even if the end user is
`served by different WISP:s, independent of each other.
`
`[0006] Therefore an arrangement as initially referred to is
`provided which comprises a user station, an access network
`access server, a web server and an authentication server
`having the characterizing features of claim 1. Thus, the user
`station may here be seen as comprising two means, a first
`means, e.g. a PC, and a second means, e.g. a mobile
`telephone, the main thing however being that a one-time-
`password or similar that is used during the first phase is
`provided or transferred to the user over a mobile telecom-
`munications network and that the login procedure is per-
`formed in two steps, or phases. A method for providing end
`users with access (logging in) to an IP network is also
`providcd which has thc charactcrizing fcaturcs of claim 26.
`
`[0007] Therefore also an access server for an access
`network is provided which communicates with an end user
`station for providing said end user station with access to an
`IP network, and with a web server and an authentication
`server. The access server has the characterizing features of
`claim 24.
`
`[0008] Preferred or advantageous implementations are
`given by the appended subclaims.
`
`[0009] According to the invention is thus an arrangement,
`for providing an end user station, an access server of an
`access network, a web server and an authentication server
`suggested. It comprises an end user station with first means
`for communication with an access server, second means for
`communication with an authentication server over a mobile
`
`telecommunications system and the access/login procedure
`comprises a first and a second phase. The authentication
`server controls the first phase, said first phase comprising a
`one-time password (OTP) login sequence, and the second
`login phase is performed by creating/modifying a temporary
`account for which user credentials are defined in order to log
`in the end user at the access server. Particularly the second
`login phase only is performed if the OTP is valid. For the
`second phase a user account
`is created/modified in the
`authentication server, which particularly is temporary, i.e.
`that it allows login only for a limited time period. The access
`server (AS) is particularly run by an Internet Service Pro-
`vider or a WISP. The one-time-password (OTP) used in the
`first phase is in one implementation reused in the second
`phase. Particularly thc onc-timc-password (OTP) is crcatcd
`by, and transfered from, the authentication server to the
`second means of the end user station over the mobile
`
`telecommunication system. The first means of the user
`station may comprise a PC, and the second means may
`comprise a mobile telephone. Other alternatives are also
`possible.
`
`[0010] The OTP is most particularly transfered by an alfa
`numeric text message, e.g. a SMS or a voice message to the
`second means (e.g. mobile telephone) of the user station.
`When transferred to the user station (mobile telephone), the
`OTP is to be entered on the first means of the user station
`(PC) and provided to the authentication server for authen-
`tication/validation. If the OTP is valid, the OTP from the first
`
`5
`
`
`
`US 2006/0094403 A1
`
`May 4, 2006
`
`phase may be reused in the second phase. If the OTP is valid,
`a user name and a password of the created/modified account
`are particularly defined, which are uniquely tied to the OTP
`sequence. The second phase can be performed on dififerent
`ways, and user name and password can be used in dififerent
`ways.
`
[0011] In one embodiment, in the second phase, the same user name is used as in the first phase and the OTP is used as password. In another embodiment a dynamic user name is used and the OTP (of the first phase) is used as password. Still further a static user name (common for all users) may be used and the OTP (of the first phase) may be used as password. In still another embodiment a static user name (common for all users) is used and a random number is used as password. Still further a dynamic user name may be used and a random value can be used as password. Other alternatives are also possible.
`
`[0012] Advantageously the web server redirects the login
`message to the access server login page when an account has
`been created/modified in the authentication server and a
`
`to a given time period during which user
`timer is set
`credentials are checked, and if they are not valid, an error
`message is returned to the user. Particularly, if the user
`credentials comprise user name and password, and if they
`are verified/authenticated within the given time period, the
`user is given access and the added/modified temporary user
`account
`is removed/disabled. In one implementation the
`authentication server comprises a Radius server, in another
`a Diameter server. However, any appropriate authentication
`server can be used. In some embodiments one or more proxy
`servers are provided between the access server (AS) and the
`authentication (Radius, Diameter etc.) server. The access
`network particularly comprises a WLAN, an Ethernet or
`similar.
`
`[0013] Advantageously login syntax is stored in the access
`server, and the login syntax is transferred to the web server
`to subsequently form part of a redirect message. Alterna-
`tively login syntax is stored with the operator, which how-
`ever is more difficult to administrate since the operator needs
`detailed knowledge about the different access servers of the
`(W)ISP:s. (For an operator normally access servers of sev-
`eral manufacturers are to be used.)
`[0014] The invention also discloses an access server in an
`access network communicating with an end user station, for
`providing said end user station with an end user station, for
`providing said end user station with access to an IP network,
`with a web server and with an authentication server. The
`
`access server allows any user to perform an access attempt
`to the web server, e.g. by using a white list function, a login
`link to the operator, and supports authentication server
`roaming. The access server supports a second phase of a
`login procedure following on a first phase during which a
`one-time-password is given. For said second phase a tem-
`porary user account is created/modified, the password and
`user name of which are defined and uniquely associated with
`the one-time-password given by the authentication server
`and provided to the user station over a mobile communica-
`tion system e.g. as an SMS, voice message or similar in the
`first phase. It may e.g. be an access server of a WLAN, an
`Ethernet or similar, run by an Internet Service Provider, e.g.
`a wireless ISP.
`
`[0015] The invention also suggests a method for providing
`an end user with access to an IP network over an access
`
`network comprising an access server. For the login proce-
`dure, the method comprises the steps of:
`
`performing a first phase of a login procedure
`[0016]
`whereby a one-time-password (OTP) is provided by an
`authentication server and transferred to the end user
`
`over a mobile communication system, e.g. by a SMS or
`voice message,
`
`checking the validity/authenticity of the one-
`[0017]
`time-password, (and if valid),
`
`in the
`adding/modifying a temporary account
`[0018]
`authentication server, for a second phase of the login
`procedure,
`
`defining a user name and a password uniquely
`[0019]
`tied to the one-time-password of the first phase,
`
`checking the validity of the user name and the
`[0020]
`password in the authentication server, and if valid,
`
`[0021]
`
`allowing the user login request,
`
`removing/disabling the temporary user account
`[0022]
`after lapse of a predetermined time period.
`
`[0023] Particularly the steps of performing the first phase
`of the login comprises the steps of:
`
`sending a login request to an access server froin
`[0024]
`the user station,
`
`receiving a response from the access server if the
`[0025]
`user station enabling activation of a link to the operator
`web (login) server,
`
`[0026]
`
`accessing the web server,
`
`[0027]
`
`entering end user station identity in web server,
`
`providing a one-time-password (OTP) to the
`[0028]
`user station from the authentication server and trans-
`ferring it to the user station over the mobile commu-
`nications system, e.g. by SMS or a voice message;
`
`[0029]
`server,
`
`requesting the one-time-password by web
`
`verifying validity/authenticity of the one-time-
`[0030]
`password, whereas the second phase advantageously
`comprises the steps of:
`
`redirecting the login request to the login page of
`[0031]
`the access server;
`
`[0032]
`
`setting a timer,
`
`checking the validity/authenticity of the user
`[0033]
`credentials, e.g. password, user name, in authentication
`server, and if valid,
`
`removing/disabling the temporary account at
`[0034]
`expiry of the set timer.
`
`[0035] Particularly the same user name may be used in the
`second phase as in the first phase, and the OTP may be used
`as password. In one embodiment the method comprises the
`steps of; in the second phase:
`
`[0036]
`
`using a dynamic user name,
`
`[0037]
`
`using the OTP of the first phase as password.
`
`6
`
`
`
`US 2006/0094403 A1
`
`May 4, 2006
`
`[0038] Alternatively it comprises the steps of:
`
`[0039]
`
`using a static user name common for all users,
`
`using the OTP of the first phase or random
`[0040]
`number as password.
`
`[0041] Further still it may comprise the steps of, in the
`second step:
`
`[0042]
`
`using a dynamic user name,
`
`[0043]
`
`using a random value as password.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
[0044] The invention will in the following be further described, in a non-limiting manner, and with reference to the accompanying drawings, in which:
`
`[0045] FIG. 1 is a very schematical block diagram illus-
`trating an arrangement according to the invention,
`
`[0046] FIG. 2 is a schematical flow diagram describing
`the inventive concept,
`
`[0047] FIG. 3 is a signalling diagram describing one
`implementation of the invention concept.
`
`DETAILED DESCRIPTION OF THE
`INVENTION
`
`[0048] FIG. 1 shows a user 1 with a user station 2
`comprising a first means, a terminal, e.g. PC 2A and a
`second means, a mobile telephone 2B. The terminal 2A
`communicates with access server AS 3 which is run by an
`ISP (Internet Service Provider) or a WISP (Wireless ISP).
`The access server 3 is an AS of an access network, e.g. a
`WLAN (Wireless Local Access Network) or an Ethernet,
`communicating with a web server 4 and an authentication
`server 5. Through the implementation of the inventive
`concept substantially any access server can be used in
`principle without modification, it only needs some recon-
`figuration. Only limited, slight requirements are put on the
`access server, such as addition of a login link to the operator,
`support of authentication server roaming and the provision-
`ing of a white list or similar, i.e. the user can reach the web
`server prior to successful authentication. The authentication
`server 5 may e.g. be a Radius (Remote Access Dial-in
`server) server or a Diameter server or similar. Radius is
`described in Radius, IEEE RFC (Request for Comments)
`2865 which herewith is incorporated herein by reference.
`There may also be more than one authentication server. For
`example there can be two authentication servers, each sup-
`porting one phase in the login procedure.
`
`[0049] The mobile telecommunications system 6 with
`SMS-C (Short Message Service Center) 7 is here used to
`provide the user with an OTP as will be further described
`below.
`
`[0050] To initiate the procedure the terminal, e.g. a PC 2A
`establishes communication with the access server 3 run by
`an (W)ISP, which enables user contact with the web server
`4, through which an OTP can be requested from authenti-
`cation server 5. Authentication server then provides an OTP
`and transfers it to the user station (second means, mobile
`telephone 2B) over mobile telephony system 6 by means of
`SMS-C7. The login procedure is handled in a first and a
`second phase, of which the first is an OTP sequence con-
`
`trolled by the authentication server 5. If this first phase is
`successful, i.e. when an OTP is delivered and verified, the
`second login phase follows that logs in the user at the access
`server 3. The OTP obtained and used in the first phase may
`be reused in the second phase. Other alternatives are how-
`ever also possible as will be further described below.
`
`[0051] According to the invention operators owmng net-
`works and having a large amount of customers are enabled
`to offer branded services based on OTP to their customers
`
`based on partnership agreements with access network pro-
`viders having access servers, without there being any con-
`siderable requirements on the access servers. Login to
`different types/brands of access servers can easily be man-
`aged since the login syntax is handled by a (W)ISP. Accord-
`ing to the invention a temporary account allowing access
`during a limited time period is provided and used during the
`second login phase.
`
[0052] In the flow diagram of FIG. 2 a general implementation of the inventive concept is illustrated. Thus it is supposed that communication is established between the end user station (i.e. the first means of the end user station, e.g. a PC) and the access server by the user requesting a login page, 100. The access server responds to the request by furnishing the end user with a login page, 101. The user then clicks an operator link/button on the access server login page to reach the web server, 102. The web server then requests a user identity from the end user, 103. The end user identity is then entered by the user in the web server page, 104. Subsequently an authentication server may check the user identity. This, however, is an optional step; the box of step 105 is therefore indicated within dashed lines in the figure. Unless a valid user identity was given, the procedure is interrupted, and the user receives an error message.
`
`[0053] The authentication server is in an advantageous
`implementation a Radius server. In another embodiment it
`comprises a Diameter server. It may however be any authen-
`tication server.
`
[0054] The authentication server subsequently sends an OTP via a mobile telephony system, e.g. by SMS or as a voice message, to the end user, 106. (Also here the procedure is interrupted, e.g. an error message is sent to the receiver, unless a valid user identity was given within a predetermined time period.) Subsequently the web server requests the OTP from the end user, 107, who enters the OTP received by e.g. SMS, 108. Thereupon the authentication server checks the OTP, 109. If a valid OTP was entered, 110, the procedure proceeds with the second phase of the login procedure as will be described below. (Thus, the first phase of the login procedure comprises steps 100-110.) If no valid OTP was entered, an error message is returned to the user, 110A, and the procedure is interrupted.
`
[0055] In the second phase of the login procedure (supposing a valid OTP was entered by the user), a temporary account is added/modified by the authentication server, 111. User credentials (e.g. user name and password) are given for the temporary account. The web server then redirects the login request message to the access server login page, 112. Then also a timer T1 is started, 113. An authentication request is then sent from the access server to the authentication server, which checks the user credentials, 114, to verify if they are valid. If not, an error message is returned to the end user, 114A. If yes, e.g. at expiry of the timer T1 (or earlier), the temporary user account is removed or disabled, 115.
`
`[0056] One implementation will now somewhat more
`thoroughly be described with reference to the signalling
`diagram of FIG. 3. First a HTTP request is sent from the
`user station (first means) to the access server, 1 . The request
`goes to the login page of the access server. The access server
`returns a response with the login page to the user, 2. The
`login page contains a button or similar, the activation of
`which results in a link to the login server of the operator. The
`user is subsequently supposed to click the link and then
`reaches the web server of the operator, since the access to
`this web server is open in the access server by configuration,
`3. Particularly the syntax of the login message to be used in
`the second phase of the login procedure may be transferred
`in this message. Then the web server request
`the user
`identity, 4, and in response thereto the user enters his
`identity, e.g. MSISDN 5. This is forwarded to the authen-
`tication server, 6, which provides an OTP and forwards it to
`SMS-C of a mobile communications system, which transfers
`the OTP to the user e.g. by an SMS, 7. Information thereon
`is provided to the authentication server and the web server,
`8, and the user is requested to enter the OTP by the
`authentication server, 9, over the web server, 10. The user
`then enters the OTP given by e.g. SMS or a voice message
`on the first means of the user station (e. g. a PC), and the OTP
`is via the web server provided to the authentication server,
`11, 12. The authentication server then verifies the OTP to see
`if it is valid. If yes, a message with information to that fact
`is sent to the web server, 13. (In one implementation a
`dynamic account could be created before a correct OTP has
`been returned, e.g. for reasons of performance.) At this stage
`of the login procedure the first phase is terminated and it is
`proceeded with the second login phase.
`
[0057] Then, in this implementation, a temporary user account is created or modified to an account with a user id and with the OTP as password, 14. A redirect message is then sent to the user station with the login URL, e.g. http://<access server IP address>/login?user name=<username>&password=<OTP>, where anything between < > is replaced with current values, 15. The login message is then sent to the access server run by the (W)ISP, 16. An authentication request is subsequently sent to the authentication server, possibly relayed by one or more proxy servers, 17. In this particular embodiment the authentication server comprises a Radius server, as referred to earlier in the application. The Radius server (in this case) responds with an access accept message to the access server and the access server opens the communication, after verifying that the user credentials are correct, 18. The user receives the response when/if the authentication is successful, 19. It may contain a forced web portal and a session window branded by the operator.
`
`[0058] Finally the credentials stored for the second login
`phase are removed or blocked after a delay corresponding to
`a given time period to prevent multiple logins, unless
`immediately followed by the OTP login sequence, 20. I11 one
`implementation a timer is used for this purpose. Other ways
`are also possible.
`
`[0059] The second phase of the login procedure can be
`performed in different manners. The credentials (e.g. user
`
`name and password) of the temporary account can be
`defined in different manners according to different embodi-
`ments. They may have static or dynamic values. The com-
`bination of user name and password must be uniquely tied
`to the earlier OTP sequence (of the first login phase). In one
`implementation the same user name as for the first phase
`(OTP part) is used, and the OTP is used as password. In
`another implementation a dynamic user name is used and the
`OTP is used as password.
`
[0060] Still further a dynamic user name may be used, whereas a random value is used as password. According to still another embodiment a static user name that is common for all users is used. Then e.g. the OTP may be used as password, or alternatively a random value may be used as password. A number of other alternatives are also possible. Also in other aspects the invention is not limited to the specifically illustrated embodiments, but it can be varied in a number of ways within the scope of the appended claims.
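The two-phase login of paragraphs [0052]-[0060] (an OTP sent over the mobile network, then a temporary account whose credentials are tied to that OTP, checked by the access server and removed when timer T1 expires), as an added Python simulation that is not part of the patent or of any Ericsson product. The subscriber identities, the login-syntax template, the 8-character OTP, the 300 s OTP window, the 60 s timer T1 and the variant names are assumptions, and the SMS-C is replaced by an in-memory outbox.

```python
import hmac
import secrets
import string
import urllib.parse
from dataclasses import dataclass

OTP_ALPHABET = string.ascii_uppercase + string.digits
# Login syntax handed from access server to web server ([0013]); assumed template after [0057].
LOGIN_SYNTAX = "http://{as_ip}/login?username={username}&password={password}"


def build_redirect_url(syntax, as_ip, username, password):
    """Message 15: fill the login syntax; values percent-encoded so an MSISDN like +46... survives."""
    quote = lambda s: urllib.parse.quote(s, safe="")
    return syntax.format(as_ip=as_ip, username=quote(username), password=quote(password))


@dataclass
class TempAccount:
    username: str
    password: str
    created_at: float   # when step 111 / message 14 created it
    used: bool = False  # set after the first Access-Accept


class AuthServer:
    """Controls phase I (OTP) and phase II (temporary account); time is passed in explicitly, in seconds."""

    def __init__(self, subscribers, otp_ttl=300.0, t1=60.0, variant="same_user_otp"):
        self.subscribers = set(subscribers)  # identities known to the operator (step 105)
        self.otp_ttl = otp_ttl               # assumed window in which the OTP may be entered
        self.t1 = t1                         # timer T1 of steps 113 / 115
        self.variant = variant               # credential embodiment of [0011]
        self.pending = {}                    # msisdn -> (otp, issued_at)
        self.accounts = []                   # temporary accounts (step 111 / message 14)
        self.sms_outbox = []                 # stands in for the SMS-C (step 106 / message 7)

    def request_otp(self, msisdn, now):
        """Steps 103-106: OTP generated and sent over the mobile network; None = identity rejected."""
        if msisdn not in self.subscribers:
            return None
        otp = "".join(secrets.choice(OTP_ALPHABET) for _ in range(8))
        self.pending[msisdn] = (otp, now)
        self.sms_outbox.append((msisdn, otp))
        return otp

    def verify_otp(self, msisdn, otp, now):
        """Steps 108-110: constant-time check; an OTP is accepted once, within otp_ttl."""
        expected, issued_at = self.pending.get(msisdn, (None, 0.0))
        if expected is None or now - issued_at > self.otp_ttl:
            self.pending.pop(msisdn, None)  # nothing pending, or the OTP has expired
            return False
        if not hmac.compare_digest(expected, otp):
            return False
        del self.pending[msisdn]  # consumed: the same OTP cannot start a second login
        return True

    def create_temp_account(self, msisdn, otp, now):
        """Step 111 / message 14: credentials uniquely tied to the OTP sequence."""
        dynamic_user = "tmp-" + secrets.token_hex(4)
        if self.variant == "same_user_otp":
            user, pwd = msisdn, otp
        elif self.variant == "dynamic_user_otp":
            user, pwd = dynamic_user, otp
        elif self.variant == "static_user_otp":
            user, pwd = "otp-guest", otp  # assumed static name common for all users
        elif self.variant == "dynamic_user_random":
            user, pwd = dynamic_user, secrets.token_urlsafe(12)
        else:
            raise ValueError("unknown credential variant: " + self.variant)
        self.accounts.append(TempAccount(user, pwd, now))
        return user, pwd

    def expire_accounts(self, now):
        """Step 115: timer T1 expired, remove the temporary account."""
        self.accounts = [a for a in self.accounts if now - a.created_at < self.t1]

    def access_request(self, username, password, now):
        """Step 114 / messages 17-18: Radius-style request from the access server; account is single-use ([0058])."""
        self.expire_accounts(now)
        for acct in self.accounts:
            if (hmac.compare_digest(acct.username, username)
                    and hmac.compare_digest(acct.password, password)
                    and not acct.used):
                acct.used = True
                return "Access-Accept"
        return "Access-Reject"


def two_phase_login(server, msisdn, as_ip, now):
    """Both phases of FIG. 2 for one user (OTP read from the SMS outbox); returns redirect URL and AS verdict."""
    if server.request_otp(msisdn, now) is None:
        return None, "Access-Reject"
    otp_from_sms = server.sms_outbox[-1][1]
    if not server.verify_otp(msisdn, otp_from_sms, now + 5):
        return None, "Access-Reject"
    user, pwd = server.create_temp_account(msisdn, otp_from_sms, now + 5)
    url = build_redirect_url(LOGIN_SYNTAX, as_ip, user, pwd)
    return url, server.access_request(user, pwd, now + 6)
```

Because the redirect of message 15 carries the password in a URL query string, the single-use flag and timer T1 are what limit the exposure of a logged or replayed URL.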
`
1. An arrangement, for providing an end user with access to an IP network, comprising

a user station,

an access server of an access network,

a web server and an authentication server,

an end user station with first means for communication with an access server and a web server, second means for communication with an authentication server over a mobile telecommunications system,

an access/login procedure comprising a first and a second phase, wherein the authentication server controls the first phase, said first phase comprising a one-time password (OTP) login sequence, and wherein the second login phase is performed by creating/modifying a temporary account for which user credentials are defined in order to log in the end user at the access server.
`
2. An arrangement according to claim 1, wherein for the second phase a user account is created/modified in the authentication server.

3. An arrangement according to claim 2, wherein said created/modified account is temporary for allowing login only for a limited time period.

4. An arrangement according to claim 1, wherein the access server (AS) is run by an Internet Service Provider.

5. An arrangement according to claim 4, wherein the Internet Service Provider offers a wireless service (i.e. is a WISP).

6. An arrangement according to claim 1, wherein the one-time-password (OTP) used in the first phase is reused in the second phase.

7. An arrangement according to claim 1, wherein the first means of the user station comprises a PC, and in that the second means comprises a mobile telephone.
`
`8
`
`
`
`US 2006/0094403 A1
`
`May 4, 2006
`
8. An arrangement according to claim 1, wherein the one-time-password (OTP) is created by, and transferred from, the authentication server to the second means of the end user station over the mobile telecommunication system.

9. An arrangement according to claim 8, wherein the OTP is transferred by an alphanumeric text message, e.g. an SMS or a voice message, to the second means of the user station.

10. An arrangement according to claim 7, wherein the OTP is entered on the first means of the user station and provided to the authentication server for authentication/validation.

11. An arrangement according to claim 10, wherein if the OTP is valid, the OTP from the first phase is reused in the second phase.

12. An arrangement at least according to claim 2, wherein, if the OTP is valid, the user name and a password of the created/modified account are defined, which are uniquely tied to the OTP sequence.

13. An arrangement according to claim 12, wherein in the second phase the same user name is used as in the first phase and in that the OTP is used as password.

14. An arrangement according to claim 12, wherein for the second phase a dynamic user name is used and in that the OTP (of the first phase) is used as password.

15. An arrangement according to claim 12, wherein for the second phase a static user name (common for all users) is used and in that the OTP (of the first phase) is used as password.

16. An arrangement according to claim 12, wherein for the second phase a static user name (common for all users) is used and in that a random number is used as password.

17. An arrangement according to claim 12, wherein for the second phase a dynamic user name is used and in that a random value is used as password.
18. An arrangement according to claim 1, wherein the web server redirects the login message to the access server login page when an account has been created/modified in the authentication server and in that a timer is set to a given time period during which user credentials are checked, and if they are not valid, an error message is returned to the user.

19. An arrangement according to claim 18, wherein, if the user credentials comprise user name and password, and if they are verified/authenticated within the given time period, the added/modified temporary user account is removed/disabled.

20. An arrangement according to claim 1, wherein the authentication server comprises a Radius server or a Diameter server.

21. An arrangement according to claim 20, wherein one or more proxy servers are provided between the access server (AS) and the authentication (Radius, Diameter etc.) server.

22. An arrangement according to claim 21, wherein the access network comprises a WLAN, an Ethernet or similar.

23. An arrangement according to claim 1, wherein login syntax is stored in the access server and in that the login syntax is transferred to the web server to subsequently form part of a redirect message.
24. An access server in an access network communicating with an end user station for providing said end user station with access to an IP network, with a web server and with an authentication server, wherein the access server allows any user to perform an access attempt to the web server, e.g. by using a white list function, a login link to the operator, and supports authentication server roaming, and in that the access server supports a second phase of a login procedure following on a first phase during which a one-time-password is given, and in that for said second phase a temporary user account is created/modified, the password and user name of which are defined and uniquely associated with the one-time-password given by the authentication server and provided to the user station over a mobile communication system e.g. as an SMS, voice message or similar in the first phase.

25. An access server according to claim 24, wherein the access server is of a WLAN, an Ethernet and is run by an Internet Service Provider or a wireless ISP.

26. A method for providing an end user with access to an IP network over an access network