`[19]
`[11] Patent Number:
`6,151,628
`
`Xu et al.
`[45] Date of Patent:
`Nov. 21, 2000
`
`USOO6151628A
`
`[54] NETWORK ACCESS METHODS,
`INCLUDING DIRECT WIRELESS TO
`INTERNET ACCESS
`
`[75]
`
`Inventors: Yingchun X“, Buffalo GIOVC; Bennett
`S. Cardwell, Evanston, both of Ill.
`.
`_
`.
`[73] Asslgnee: 3Com Corporatlon, Santa Clara, Calif.
`
`[21] Appl. No.: 08/887,313
`[22]
`Filed:
`Jul. 3, 1997
`
`Int. Cl.7 ...................................................... G06F 13/00
`[51]
`[52] US. Cl.
`............................................. 709/225; 713/201
`[58] Field of Search ............................... 395/187.01, 182,
`395/188.01, 200.5, 200.53, 200.54, 200.55,
`20033;: 388,86037T99/33: 9137470113,5361;: :33:
`709/220, 223_225’ 227’ 229’ 250
`
`Kylaenpaeae, M., et al: “Nomadic Access to Information
`Services by a GSM Phone”, Compuers and Graphics, vol.
`20, No. 5, Sep. 1, 1996, pp. 651—658.
`Perkins, C, et al: “IMHP: A mobile host protocol for the
`Internet”, Computer Networks and ISDN Systems, vol. 27,
`No. 3, Dec. 1994’ P~ 479_491.
`Search Report for PCT/US 98/13858, Dated Nov. 23, 1998.
`International Engineering Task Force RFC 2005, “Applica-
`bility Statement for IP Mobility Support”, Oct. 1996 (J.
`Solomon).
`International Engineering Task Force RFC 2004, “Minimal
`Encapsulation Within IP”, Oct. 1996 (C. Perkins).
`International Engineering Task Force RFC 1853, «11) in IP
`Tunneling”, Oct. 1995 (W. Simpson).
`.
`.
`(L1st confirmed on next Page)
`Primary Examiner—Thomas M. Heckler
`Attorney, Agent, or Firm—McDonnell Boehnen Hulbert &
`Berghoff
`
`[56]
`
`References Cited
`
`[57]
`
`ABSTRACT
`
`......................... 379/60
`370/8513
`
`....................... 370/85.1
`
`U.S. PATENT DOCUMENTS
`aVls e a .
`.
`,
`,
`2/1991 D .
`t
`1
`4 991 169
`6/1994 Connolly et al.
`5,325,419
`8/1994 Diepstraten
`5,339,316
`5,371,738 12/1994 Moelard et al.
`5,418,842
`5/1995 Cooper .
`5,519,704
`5/1996 Farinacci et a1.
`5,528,595
`6/1996 Walsh et a1.
`.
`5,577,105
`11/1996 Baum et a1.
`.
`5,588,003
`12/1996 Ohba et al.
`............................. 370/468
`
`577617309
`6/1998 QhaShi et al'
`380/25
`
`6/1998 Slsmnlzadeh et al'
`'
`" 370/400
`537903548
`
`5,841,970
`11/1998 Tabukl
`...............
`713/201
`3/1999 Fleischer ................................. 379/220
`5,878,127
`
`.
`
`FOREIGN PATENT DOCUMENTS
`
`0762261
`WO9508900
`
`3/1997 EumPean Pat Ofl'
`3/1995 WIPO .
`
`~
`
`OTHER PUBLICATIONS
`
`Varma, V.K., et al: “Architecture for Interworking Data Over
`PCS”, Ieee Communications Magazine, vol. 34, No. 9, Sep.
`1996, pp. 124—130.
`
`Amethod is provided for connecting a source of digital data
`-
`-
`-
`-
`-
`to a computer network. The source of digital data transmits
`data. over a. ereless. transmlsslon me‘lmm to. a ereless
`serv1ce carrier, the wireless serv1ce .carrler multlpleXlng the
`dlgltal data onto a hlgh Speed dlgltal telephone hue“ The
`method comprises the steps of receiving the digital data at a
`communications chassis such as a network access server,
`extracting, from the digital data, network access authenti-
`cation data comprising at least one of the following: (a) a
`telephone number called by the source of dlgltal data, or (b)
`a telephone number associated with the source of digital
`data; transmitting the authentication data over a local area or
`.
`Wlde. area computer network conneaed to a network allthen'
`tlcatlon server for the computer network; determlnlng, 1n the
`network authentication server, from the transmitted authen-
`tication data whether the remote user is permitted to access
`the computer network; and the authentication server respon-
`sively notifying the network access server the results of the
`step of determining; and authorizing the source of data to
`access the computer network if the step of determining
`results in a positive response.
`
`18 Claims, 10 Drawing Sheets
`
`26
`
`CORPORATE ENTERPRISE NETWORK
`
`
`
`LE,
`30q
`
`[l
`T
`UNNELING SERVER
`
`25
`
`
`
`
`E
`
`a0
`
`
`
`
`
`
`
`FR
`16
` WlRELESS
`
`NETWORK
`
`
`
`
`
`
`
`
`
` 14
`
`
`
`
`
`
`
`
`
`
`an
`
`J36
`
`34
`Hill]
`TUNNELING SERVER
`
`
`IS? «2
`BACKBDNE
`
`
`
`
Petitioner Apple Inc. - Exhibit 1007, p. 1
`
`
`
`6,151,628
`Page 2
`
`OTHER PUBLICATIONS
`
`International Engineering Task Force RFC 854, “Telnet
`Protocol Specification”, May 1983 (J. Postel et al.).
`
`International Engineering Task Force RFC 2059, “Radius
`Accounting”, Jan. 1997 (C. Rigney).
`
`International Engineering Task Force RFC 1701, “Generic
`Routing Encapsulation (GRE)”, Oct. 1994 (S. Hanks et al.).
`
`International Engineering Task Force RFC 822, “Standard
`for the Format of ARPA Internet Text Message”, Aug. 1982
`(David H. Crocker).
`International Engineering Task Force RFC 2058, “Remote
`Authentication Dial in User Service (RADIUS)”, Jan. 1997
`(C. Rigney et al.).
`Draft International Engineering Task Force, “Point—to—Point
`Tunneling Protocol—PPTP”, Jun. 1996 (Kory Harnzeh et
`al.).
`
`
`
`
U.S. Patent    Nov. 21, 2000    Sheet 1 of 10    6,151,628

FIG. 1

[Drawing of the network access system 10. Labels recoverable from the sheet: CORPORATE ENTERPRISE NETWORK, TUNNELING SERVER, WIRELESS NETWORK, TELCO CO, PRI/T1/E1, ISP #1 BACKBONE, AUTH. SERVER (32A), line 42, TUNNELING SERVER, ISP #2 BACKBONE, AUTH. SERVER.]
`
`
`
U.S. Patent    Nov. 21, 2000    Sheet 2 of 10    6,151,628

[FIG. 2: simplified functional block diagram of the communications chassis 20; the rotated drawing text is not legible in this copy.]
`
`
`
`
`
`
U.S. Patent    Nov. 21, 2000    Sheet 3 of 10    6,151,628

FIG. 2A

[Block diagram. Labels recoverable from the sheet: 102 USER, 104 APPLICATION, DIAL USER 12, COMMUNICATION CHASSIS 20, ROUTER, TUNNELING SERVER.]
`
`
`
U.S. Patent    Nov. 21, 2000    Sheet 4 of 10    6,151,628

[Protocol-stack diagram. Labels recoverable from the sheet: COMMUNICATIONS CHASSIS 20, ROUTER, AUTHENTICATION SERVER 32.]
`
`
`
U.S. Patent    Nov. 21, 2000    Sheet 5 of 10    6,151,628

[Call-flow diagram, one of FIGS. 6 to 11 (message sequence between the dial user, the communications chassis, the authentication server and the tunneling server); the rotated drawing text is not legible in this copy.]
`
`
`
`
`
`
U.S. Patent    Nov. 21, 2000    Sheet 6 of 10    6,151,628

[Call-flow diagram, one of FIGS. 6 to 11; the rotated drawing text is not legible in this copy.]
`
`
`
`
U.S. Patent    Nov. 21, 2000    Sheet 7 of 10    6,151,628

[Call-flow diagram, one of FIGS. 6 to 11; the rotated drawing text is not legible in this copy.]
`
`
`
U.S. Patent    Nov. 21, 2000    Sheet 8 of 10    6,151,628

[Call-flow diagram, one of FIGS. 6 to 11; the rotated drawing text is not legible in this copy.]
`
`
`
`
`
U.S. Patent    Nov. 21, 2000    Sheet 9 of 10    6,151,628

[Call-flow diagram, one of FIGS. 6 to 11; the rotated drawing text is not legible in this copy.]
`
`
`
`
`
`
`
`
`
U.S. Patent    Nov. 21, 2000    Sheet 10 of 10    6,151,628

[Call-flow diagram, one of FIGS. 6 to 11; the rotated drawing text is not legible in this copy.]
`
`
`
`
`
`
`
`6,151,628
`
`1
`NETWORK ACCESS METHODS,
`INCLUDING DIRECT WIRELESS TO
`INTERNET ACCESS
`
`BACKGROUND OF THE INVENTION
`
A. Field of the Invention

This invention relates to the field of data communication and more particularly to a method of connecting a wireless user generating digital data (for example, a computer having a cellular telephone modem) to a computer network, such as a corporate backbone LAN or the Internet.
B. Description of Related Art

Network access servers that provide local or wide area network access for remote users dialing in over the public switched telephone network are known in the art. These devices are available from 3Com Corporation (previously from U.S. Robotics Access Corp.), the assignee of the present invention. The Total Control Network Enterprise Hub from 3Com is a representative network access server. It is described in U.S. Pat. No. 5,577,105 of Baum et al., entitled "Telephone Call Switching and Routing Techniques for Data Communications," and U.S. Pat. No. 5,528,595 of Walsh et al., entitled "Modem Input/Output Signal Processing Techniques." The Walsh et al. and Baum et al. patents are both fully incorporated by reference herein.
The network access server described in the Walsh et al. and Baum et al. patents provides an interface to a multiplexed digital telephone line, a plurality of modems for performing signal conversions for the data from the remote users, and a network interface for transmitting demodulated data from the modems onto a local or wide area network. A high speed midplane bus structure comprising a time division multiplexed bus provides a signal path between the channels of the telephone line and the modems. The high speed midplane also includes a parallel bus that couples the modems to the network interface.
`
This network access server architecture in a single chassis has proven to be very popular in a variety of applications, particularly corporate network access. The network access server is also particularly popular with Internet service providers for land-based Internet users. With a single network access server, the Internet service provider can handle a large number of simultaneous Internet access calls and provide full duplex communication between the multiple remote users and host computers on the Internet.
The technology for Internet access for wireless users is now emerging. There are two competing standards for wireless service, CDMA (Code Division Multiple Access, whose data services are described in standards document IS-99, incorporated by reference herein) and TDMA (Time Division Multiple Access, whose data services are described in standards documents IS-130 and IS-135, also incorporated by reference herein). These standards specify feature-rich sets of digital wireless communications, for both voice and data. The two standards differ in how digital data from multiple users are multiplexed on the radio interface.
`
In accordance with both wireless technologies, a wireless user transmits data to a mobile switching center. The mobile switching center provides connectivity to the public switched telephone network, certain multiplexing and control functions, and switching functions for the mobile users. Multiplexed digital data from a plurality of remote wireless users is then capable of being transmitted via high speed communication formats (such as Frame Relay) to communication elements in the public switched telephone network.
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`2
The present invention provides for network access methods and apparatus that are particularly suitable for wireless users. The present invention also provides for network access methods by which a network access server, in combination with one or more authentication servers, can provide for Internet and corporate network authentication and access. The network access server provides the functions needed for terminal equipment connected to a TDMA or CDMA mobile telephone to inter-work with terminal equipment connected to the public switched telephone network (PSTN) and the Internet. Further, the invention provides for Internet access methods for a plurality of remote users that are subscribers of more than one Internet service provider, thereby giving a particular Internet service provider more flexibility in serving diverse Internet users.

`SUMMARY OF THE INVENTION
`
A method is provided for connecting a source of digital data to a computer network, the source of digital data generating digital data and communicating over a wireless transmission medium to a wireless service carrier. The wireless service carrier multiplexes the digital data onto a high speed digital telephone line for transmission to a communications chassis or server providing network access. The method comprises the steps of receiving the digital data at the communications chassis and extracting, from the digital data, network access authentication data comprising at least one of the following: (a) a telephone number called by the source of digital data, or (b) a telephone number associated with the source of digital data. The communications chassis transmits the authentication data over a local area or wide area computer network connected to the network access server to a network authentication server for the computer network. The network authentication server determines from the transmitted authentication data whether the remote user is permitted to access the computer network. The authentication server responsively notifies the network access server of the results of the step of determining. The remote user is authorized to access the computer network if the step of determining results in a positive response.

The method may also comprise the further step of identifying a tunneling server, linked via a local area or wide area network to the communications chassis, to be used to provide access for the source of digital data to the computer network, and routing digital data from the source to the tunneling server to provide the access to the computer network. The identification of the tunneling server is determined from the authentication data from the remote user, such as the remote user's phone number or the dialed number. In this embodiment, the invention may also be practiced by determining, in the authentication server, a tunneling protocol for the source of digital data for use in tunneling digital data between the communications device and the tunneling server. This step of determining may be practiced, for example, by looking up in a software lookup table the tunneling server and required protocol associated with the remote user (identified, for example, by the remote user's telephone number). The digital data is routed via the tunneling server in accordance with the tunneling protocol. Either the PPTP or the TELNET protocol is used in accordance with a preferred embodiment of the invention.

A second phase of access authentication may optionally be provided, comprising a password authentication routine that takes place between the remote user and the authentication server or the tunneling server.
A principal object of the invention is thus to provide direct access to the Internet and other computer networks for remote users such as wireless users. This, and other objects of the invention, will be more apparent from the following detailed description.
`
BRIEF DESCRIPTION OF THE DRAWINGS

Presently preferred embodiments of the invention will be described in conjunction with the drawings, in which like reference numerals refer to like elements in the various views, and in which:

FIG. 1 is an illustration of an example of a preferred network access system for wireless users in accordance with an embodiment of the invention;
FIG. 2 is a simplified functional block diagram of a preferred form of the communications chassis of FIG. 1 that can service not only wireless users but also users dialing in over the public switched telephone network;
FIG. 2A is a simplified block diagram of a communications chassis suitable in an embodiment in which analog modem calls are not supported;
FIG. 3 is an illustration of the protocol stacks for the tunnel interface between the remote user and the tunneling server of FIG. 1;
FIG. 4 is an illustration of the protocol stacks for the authentication and accounting interface between the communications chassis and the authentication server of FIG. 1;
FIG. 5 is an illustration of the protocol stacks for a non-tunneling interface between the remote dial user and the router connecting the user with a destination terminal equipment;
FIG. 6 is a diagram of the call flow for PPTP protocol tunneling for a call acceptance scenario in accordance with a preferred embodiment of the invention;
FIG. 7 is a diagram of the call flow for TELNET protocol tunneling for a call acceptance scenario in accordance with a preferred embodiment of the invention;
FIG. 8 is a diagram of the call flow for an authentication failure scenario;
FIG. 9 is a diagram of the call flow for a tunneling server access rejection scenario;
FIG. 10 is a diagram of the call flow for an authentication failure scenario for the PPTP protocol in which a log-in password authentication procedure is performed as a second phase of a network access authentication procedure; and
FIG. 11 is a diagram of the call flow for an authentication failure scenario for the TELNET protocol in which a log-in password authentication procedure is performed as a second phase of a network access authentication procedure.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

FIG. 1 is an illustration of a preferred network access system 10 for users of wireless equipment 12, 14 that can be used to practice the invention. Remote devices such as a laptop computer 12 with a wireless modem or a wireless personal data assistant (PDA) 14 communicate via wireless modem to a wireless digital communications network 16 in accordance with the TDMA (Time Division Multiple Access) or the CDMA (Code Division Multiple Access) standards.
`
The wireless network 16 includes a Mobile Switching Center (MSC) (not shown), which is an element within the wireless telecommunications network 16 that provides public switched telephone network connectivity, control functions and switching functions for the wireless users. In the embodiment of FIG. 1, the MSC places data from the remote wireless users onto a high speed digital frame relay line FR for transmission to a communications chassis 20 in the local calling area. In a preferred embodiment, the communications chassis 20 comprises an integrated network access server such as the Total Control Network Enterprise Hub of 3Com Corporation (formerly from U.S. Robotics), modified to interface with the frame relay line FR and perform tunneling, authentication and accounting functions as described below.
`
The communications chassis 20 functions as a gateway between the CDMA/TDMA wireless network 16 and an Internet service provider (ISP) backbone network 26, the Internet 22, or other computer network such as a corporate or private LAN/WAN 24 via an Ethernet or other local area network ETH and the Internet service provider backbone network 26. The chassis 20 provides the functions needed for terminal equipment connected to a CDMA or TDMA mobile phone to intercommunicate with terminal equipment connected to the PSTN and Internet networks. In one possible and presently preferred embodiment, the communications chassis 20 is installed at the telephone company central office (TELCO CO) and managed by an Internet Service Provider (ISP). The chassis 20 receives calls from wireless users 12, 14 via the MSC in the wireless network 16 as local calls on the line FR.
`
The wireless terminals 12, 14 access the corporate/private network 24 using a tunneling protocol over LAN or WAN line 28 between the communications chassis 20 and a tunneling server 30. The tunneling server is connected to a corporate/private network 24 and is connected via a backbone network 26 to the communications chassis 20. In a preferred embodiment, the tunneling is according to the Point-to-Point Tunneling Protocol (PPTP) described in the PPTP Internet-Draft (June 1996), a publicly available document, which is incorporated by reference herein. The tunneling could of course be in accordance with other emerging and equivalent protocols, such as L2TP. Since PPTP and L2TP are not designed to carry non-PPP (Point-to-Point Protocol) asynchronous traffic, the TELNET protocol is used to tunnel non-PPP asynchronous traffic over line 28. The tunneling server is also preferably an integrated network access server such as the Total Control Enterprise Network Hub or the equivalent.
With this architecture, it is possible to divorce the location of the initial dial-up server (communications chassis 20) from the location at which the intermediate network terminates the dial-up protocol connection (PPP) and provides access to the target network 22 or 24 at the tunneling server 30. In addition to supporting the Internet 22 as the target network, this architecture also supports access to virtual private networks, allowing the remote wireless user to gain secure access to their corporate or private network such as the corporate enterprise network 24 illustrated in FIG. 1.
The architecture also allows the Internet Service Provider operating the local communications chassis 20 at the central office to provide Internet access for not only the ISP's customers, but also customers of other Internet service providers. This is achieved by use of one or more authentication servers 32A, 32B connected to the Internet service provider's backbone network 26. The authentication servers 32A, 32B perform authentication and access authorization for the first ISP's customers. A second tunneling server 34 is connected via a dedicated line 36 (or LAN or WAN) or otherwise to a second ISP's backbone network 38. In this embodiment, the authentication server 32A has a profile of its customer base for the first ISP managing the communications chassis 20 and can determine, using a variety of simple techniques (discussed below), whether the remote user dialing into the communications device 20 is allowed to access the Internet 22 via the ISP's backbone 26. If access is allowed (due to the call originating from one of the first Internet service provider's customers), the call is routed through the backbone network 26 to the Internet 22. If not, other procedures, described below, can be initiated.
The present invention takes advantage of the fact that the call from the remote user 12 contains information identifying the telephone number of the call originator and the telephone number that is dialed. This information is used as a first stage authentication mechanism. When the authentication server 32A performs the first phase authentication and determines that the remote user is not one of the first Internet service provider's customers (due to, for example, the telephone number not matching an entry in a table of customer phone numbers), but rather is a customer of a second Internet service provider, the authentication server 32A directs the authentication request to a second authentication server 40 connected to the second Internet service provider's backbone 38, and the first phase authentication can take place there. This communication is facilitated by providing a dedicated line 42 (e.g., leased line, POTS line, etc.) between the authentication server 32A and the authentication server 40 managed by the second Internet service provider.

If the authentication results in a positive response, the authentication server 40 notifies authentication server 32A of the result and the remote wireless user 12 is either given Internet 22 access over network 26 or via tunneling server 34, or an optional second phase password-type authentication may take place between the remote user 12 and the second authentication server 40.
This combination of features gives the ISP or other entity managing the communications chassis 20 and authentication server 32A the ability to significantly increase the features it provides to its customers. It also allows the ISP to provide Internet access for other Internet service providers, and in the process presumably generate revenue for such services. For the wireless users, Internet or corporate network access is a matter of a local call through the wireless network 16 to the communications device 20.
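The first-phase decision just described, including the referral to a second ISP's authentication server and the lookup of the tunneling server and protocol from the summary above, written out as a small Python model. This is an added example, not code from the patent or from 3Com: the server names, telephone numbers, customer tables and the `AuthServer`/`handle_call` functions are constructed for illustration, and the called number is screened out of the user's ATD dial command as the specification describes later for the PSTN embodiment. As in the specification, the called and calling numbers are trusted as delivered by the carrier; the optional second phase (a password or challenge/response exchange) is what ties access to something the user holds.

```python
"""First phase of the two-phase network access authentication.

Added worked example; not code from the patent or from 3Com. The network
access server (NAS, communications chassis 20) screens the called number out
of the user's ATD command, pairs it with the carrier-supplied calling number,
and asks the first ISP's authentication server (32A). That server looks the
numbers up in its customer profile table, refers unknown callers to a partner
ISP's server (40) reachable over a dedicated line, and returns the tunneling
server and protocol (PPTP, TELNET or direct Internet access) to use.
All names, numbers and table contents are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

PPTP, TELNET, DIRECT = "PPTP", "TELNET", "DIRECT"


@dataclass(frozen=True)
class AuthRequest:
    called_number: str    # number the wireless user dialed (DNIS)
    calling_number: str   # number associated with the user's device (ANI)


@dataclass(frozen=True)
class AuthResult:
    accepted: bool
    protocol: Optional[str] = None        # PPTP, TELNET or DIRECT
    tunnel_server: Optional[str] = None   # None when routed directly to the Internet
    second_phase: bool = False            # password/challenge check still required
    path: str = ""                        # which authentication servers answered


def extract_called_number(dial_command: str) -> str:
    """Screen the called number out of a Hayes-style ATD command, e.g. 'ATDT15551230100'."""
    m = re.fullmatch(r"AT\s*D[TP]?\s*([0-9#*]+)", dial_command.strip(), re.IGNORECASE)
    if m is None:
        raise ValueError(f"not an ATD dial command: {dial_command!r}")
    return m.group(1)


class AuthServer:
    """One ISP's authentication server (32A, 32B or 40 in the specification)."""

    def __init__(self, name: str, customers: Dict[str, dict],
                 peers: Optional[Dict[str, "AuthServer"]] = None):
        self.name = name
        self.customers = customers   # calling number -> access profile
        self.peers = peers or {}     # called number -> partner ISP's server (dedicated line 42)

    def authenticate(self, req: AuthRequest) -> AuthResult:
        profile = self.customers.get(req.calling_number)
        if profile is not None:
            return AuthResult(True, profile["protocol"], profile.get("tunnel_server"),
                              profile.get("second_phase", False), self.name)
        peer = self.peers.get(req.called_number)
        if peer is not None:
            # Not one of our customers, but the dialed number belongs to a partner ISP:
            # hand the same request to that ISP's authentication server.
            r = peer.authenticate(req)
            return AuthResult(r.accepted, r.protocol, r.tunnel_server, r.second_phase,
                              f"{self.name}->{r.path}")
        return AuthResult(False, path=self.name)


def handle_call(dial_command: str, calling_number: str, auth_server: AuthServer) -> str:
    """NAS side: first-phase authentication, then the routing decision for the call."""
    req = AuthRequest(extract_called_number(dial_command), calling_number)
    res = auth_server.authenticate(req)
    if not res.accepted:
        return f"reject ({res.path})"
    nxt = "second-phase login" if res.second_phase else "accept"
    if res.protocol == DIRECT:
        return f"{nxt}: route IP directly to Internet"
    return f"{nxt}: tunnel {res.protocol} to {res.tunnel_server}"


# Constructed configuration: ISP #1 runs the chassis; ISP #2's server is reached over line 42.
ISP2 = AuthServer("auth40", {
    "15559990002": {"protocol": PPTP, "tunnel_server": "tunnel34.isp2.example", "second_phase": True},
})
ISP1 = AuthServer("auth32A", {
    "15559990001": {"protocol": PPTP, "tunnel_server": "tunnel30.corp.example"},
    "15559990003": {"protocol": TELNET, "tunnel_server": "tunnel30.corp.example"},
    "15559990004": {"protocol": DIRECT},
}, peers={"15551230100": ISP2})

if __name__ == "__main__":
    for ani in ("15559990001", "15559990002", "15559990004", "15550000000"):
        print(ani, "=>", handle_call("ATDT15551230100", ani, ISP1))
```

The referral key is the called number: only a dialed number that ISP #1 has agreed to serve on behalf of a partner is forwarded, so an unknown caller dialing an unmapped number is rejected locally without consulting the partner.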
`
In a preferred form of the invention, the communications chassis 20 is a robust communications platform such as the Total Control Enterprise Network Hub incorporating an integral general purpose computing platform, i.e., the EdgeServer™ card commercially available from 3Com. This product allows the communications chassis to run a commercially available stand-alone operating system, such as WINDOWS NT™ from Microsoft Corporation, as well as other remote access software products such as RADIUS (Remote Authentication Dial In User Service). In the above-described Internet access methods, the accounting and authentication functions are preferably implemented using the RADIUS protocol, which is a widely known protocol described in Request for Comments (RFC) 2058, January 1997, which is incorporated by reference herein, or other commercially available or known accounting software programs.
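Since the specification leaves the exchange between the communications chassis and the authentication server to RADIUS (RFC 2058), here is an added example, not code from the patent or from 3Com, of what that first-phase exchange looks like on the wire: the chassis sends an Access-Request carrying the called and calling numbers in the Called-Station-Id (30) and Calling-Station-Id (31) attributes defined in RFC 2058, the server answers Access-Accept or Access-Reject, and the chassis checks the Response Authenticator (MD5 over the reply header, the request's random authenticator, the reply attributes and the shared secret) before acting on the reply. The shared secret, NAS address, telephone numbers and customer set are constructed, and the helper functions are written for this example rather than taken from a RADIUS library.

```python
"""RADIUS first-phase exchange in the RFC 2058 packet format.

Added worked example, not code from the patent or from 3Com. The network
access server (NAS) sends an Access-Request carrying the called and calling
numbers; the authentication server replies Access-Accept or Access-Reject
with a Response Authenticator that the NAS verifies before acting on it.
Secret, addresses, numbers and the customer set are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 4, 18
CALLED_STATION_ID, CALLING_STATION_ID = 30, 31      # RFC 2058 attribute types
HEADER = struct.Struct("!BBH")                      # Code, Identifier, Length


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RFC 2058 Type-Length-Value attributes."""
    out = b""
    for attr_type, value in attrs:
        if isinstance(value, str):
            value = value.encode("ascii")
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Parse TLV attributes, rejecting truncated or zero-length encodings."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!BB", data, i)
        if length < 3 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2058 section 3."""
    header = HEADER.pack(code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def access_request(ident, called_number, calling_number, nas_ip=bytes([10, 0, 0, 20])):
    """NAS side: build an Access-Request; returns (packet, request authenticator)."""
    request_auth = os.urandom(16)   # fresh random Request Authenticator per request
    attrs = encode_attrs([(NAS_IP_ADDRESS, nas_ip),
                          (CALLED_STATION_ID, called_number),
                          (CALLING_STATION_ID, calling_number)])
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs, request_auth


def server_reply(request, secret, customer_numbers):
    """Server side: decide on the calling number, reply with a valid Response Authenticator."""
    code, ident, length = HEADER.unpack_from(request, 0)
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    calling = attrs.get(CALLING_STATION_ID, b"").decode("ascii", "replace")
    if calling in customer_numbers:
        code_out, body = ACCESS_ACCEPT, encode_attrs([(REPLY_MESSAGE, "first phase ok")])
    else:
        code_out, body = ACCESS_REJECT, encode_attrs([(REPLY_MESSAGE, "unknown calling number")])
    auth = response_authenticator(code_out, ident, body, request_auth, secret)
    return HEADER.pack(code_out, ident, 20 + len(body)) + auth + body


def verify_reply(reply, request_auth, expected_ident, secret):
    """NAS side: return the reply code only if it matches our request and its authenticator checks."""
    if len(reply) < 20:
        return None
    code, ident, length = HEADER.unpack_from(reply, 0)
    if ident != expected_ident or length != len(reply):
        return None
    body = reply[20:]
    expected = response_authenticator(code, ident, body, request_auth, secret)
    if not hmac.compare_digest(reply[4:20], expected):
        return None          # forged, tampered or wrong-secret reply: do not grant access
    return code


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    customers = {"15559990001"}
    req, req_auth = access_request(7, "15551230100", "15559990001")
    code = verify_reply(server_reply(req, secret, customers), req_auth, 7, secret)
    print("accept" if code == ACCESS_ACCEPT else "reject")
```

The Response Authenticator binds the reply to the request's random authenticator and to the secret, so flipping an Access-Reject into an Access-Accept on the wire, or replaying an old Accept against a new request, fails the check. The MD5 construction is what RFC 2058 specifies, not a choice made here; it protects the integrity of the reply but does not encrypt the telephone numbers in transit.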
`
In accordance with a preferred embodiment of the invention, two phases of authentication are implemented in order to limit access to the Internet 22 or corporate/private network 24 to those wireless users that are permitted access via network 26. The first phase of authentication is based on the called number dialed by the remote user 12, 14 and the calling number of the wireless user 12, 14 (the user's phone number associated with the computer 12 or PDA 14). The second phase of the authentication is based on a user name and password authentication protocol (for PPP and TELNET tunneling) or a challenge/response protocol (for PPP tunneling only). These authentication procedures are described in further detail below.
`
Still referring to FIG. 1, the communications device 20 also preferably supports non-tunneling Internet 22 access directly from an Internet interface in the communications device. With this feature, the communications device performs both phases of authentication, termination of the PPP protocol, and routing of Internet Protocol traffic.

One other possible embodiment of the invention is a scenario in which the communications device 20 provides direct PSTN (Public Switched Telephone Network) connectivity for mobile or land originated data calls. In this scenario, the communications chassis 20, such as the Total Control Network Enterprise Hub described previously, contains the required modems and telephone line interface and processing circuitry to perform these functions. This embodiment would be particularly advantageous in the case where the Internet service provider is also the local telephone company. With the present invention, the communications device 20 will extract or screen the called number in the ATD command issued by the mobile data user during a mobile originated data call. For most called numbers, the communications device 20 processes the call as a standard PSTN modem call. However, if the called number is associated with Internet access, the communications chassis 20 will perform the first phase of authentication with an authentication server 32A associated with the called number (either on the ISP's backbone network 26 or connected via dedicated line 36, 42 or other network to the communications chassis 20). The authentication server 32A determines whether the remote user is authorized to access the Internet 22 or network 24 serviced by the authentication server 32A.
FIG. 2 is a simplified functional block diagram of a preferred form of the communications chassis or network access server 20 of FIG. 1 that can service not only wireless users but also users dialing in over the public switched telephone network. As such, the chassis contains features that are not required to practice the invention, and which perform additional functions due to a particular embodiment of the invention in which PSTN connectivity is also enabled. The network access server 20 shown in FIG. 2 is essentially the architecture and design of the current model of the Total Control Network Enterprise Hub, the commercially available product of the applicant's assignee. It will be understood that integrated access servers of other manufacturers in the industry can be modified as needed to provide the features of the present invention, and the invention should not be considered limited to the particular preferred embodiment described herein.
`
The network access server 20 includes the telephone network interface card 50 connected to time division multiplexed digital telephone lines such as T1, E1 and ISDN Primary Rate Interface (PRI) lines as well as a frame relay line. The network interface card receives digital data from the wireless remote users via the wireless service switch on the Frame Relay line FR. The interface card 50 has connectors that physically receive the telephone lines, and a CSU line interface unit to recover clock signals and data from the incoming signals and perform multiplexing and demultiplexing functions for outgoing and incoming data streams to place the calls into the time slots of the carrier. The card 50 transmits the incoming telephone signals via a NIC/NAC (network interface card/network application card) bus 54 to a T1/E1/ISDN PRI/network application card 56. The application card 56 provides framing for the recovered telephone line data to extract the Frame Relay time division multiplexed data, T1 DS0 channel data, or ISDN 2B+D channel data incorporated into the ISDN PRI signal, and then switches with a time/space switch the channel data to time slots on a time division multiplexed bus 60 that is part of an internal chassis bus midplane 52.

Where the incoming call is from the wireless service central office and arrives at the server on the Frame Relay line, the channel data does not need the signal conversion processing ordinarily performed in a modem and is routed over the TDM bus 60 to the routing and LAN/WAN interface card 62. In the Total Control Enterprise Network Hub, this card 62 is known as the