Abstract: The present invention relates to arranging data transmission for a mobile node in a telecommunications system comprising a secure network and an insecure network. A connection to a secure network for a mobile node may be arranged by a home agent if the mobile node is accessing the secure network directly or via a third network other than the insecure network, or a connection to the secure network may be arranged by a VPN node if the mobile node is accessing the secure network via the insecure network. According to a first aspect of the invention, the VPN node and the home agent are configured to allocate the same IP address as an internal IP address and as a home address.

Abstract: The invention relates to a method and system for authenticating a user of a data transfer device (such as a terminal in a wireless local area network, i.e. WLAN). The method comprises: setting up a data transfer connection from the data transfer device to a service access point. Next, identification data of the mobile subscriber (for example an MSISDN) are inputted to the service access point. This is followed by checking from the mobile communications system whether the mobile subscriber identification data contains an access right to the service access point. If a valid access right exists, a password is generated, then transmitted to a subscriber terminal (for example a GSM mobile phone) corresponding to the mobile subscriber identification data, and login from the data transfer device to the service access point takes place with the password transmitted to the subscriber terminal.

Abstract: A method for use by a telecommunication terminal (10) in checking whether a candidate RAND in an EAP/SIM RAND challenge is likely a replay, based on using a Bloom filter including a vector data structure (21) for determining (admittedly sometimes erroneously) whether the candidate RAND is in a set of previously used RAND values. The components of the vector data structure (21) are set to one or left at zero depending on whether pointers corresponding to the previously used RAND values point to them. The pointers can be hash functions or can be constructed from the previously used RAND values. To provide for smooth filter performance at points in time when the Bloom filter is full and cannot hold information for any new previously used RAND values, the vector data structure (21) is partitioned into more than one part, and only one part is reset and re-initialized at a time.

Abstract: The invention relates to applying a handover algorithm in a mobile terminal. In the method, the state of a user interface component of the terminal is checked, and the handover algorithm is applied on the basis of the current state of the user interface component. The handover algorithm is applied only if the current state of the user interface component is active.

Abstract: The invention relates to selecting connection settings in a telecommunication system. In accordance with the method, history data is maintained, in which at least one network address is defined and also one connection setting, which has been used for establishing a connection to the network address. In response to the fact that there is a need to arrange a connection to the desired network address, the history data is checked and the selection of the connection settings to be used is arranged by means of the history data.

Abstract: The invention relates to a method for arranging handover in a wireless telecommunications system. Connection settings are stored in a terminal, wherein at least one network identifier is associated with alternative connection settings, the network identifier identifying a target network reachable by a connection from the terminal. The network identifier associated with the currently applied connection settings is compared with the network identifiers associated with the other available connection settings. The connection settings associated with the same network identifier as the one associated with the currently applied connection settings are then selected. The handover may then be carried out by using the selected connection settings.

Abstract: The present invention provides an access point device arranged to receive data packets from one or more client devices and transmit them along an area network characterised wherein the access point device comprises security means arranged to configure the client data packets such that they are directed only to one or more permitted area network device(s).

Abstract: The invention relates to a method for authenticating the user of a terminal (5), in which terminal a device (15) for verifying the rights to use is applied for running an authentication protocol. The device (15) for verifying the rights to use is connected to the terminal (5). In the device (15) for verifying the rights to use, an extendable authentication protocol interface is applied, via which at least some of the authentication functions are carried out.

Abstract: A method and device for routing data packets of a wireless terminal device in a communication network. When Open system Authentication is used, the system operates similarly as the current Nokia Operator Wireless LAN system, in which the terminal device and the access controller are the parties involved in the authentication. The access controller relays information relating to the authentication between the terminal device and an authenticating server, and it is capable of updating independently the list of users it maintains. When authentication according IEEE 802.1X authentication, the access point operates according to the IEEE 802.1X standard, serving as the authenticating party and relaying information relating to the authentication between the terminal device and the authentication server. In addition, the list maintained by the access controller is updated after a successful authentication, for example by the access point or the authenticating server.

Abstract: The present invention relates to Wireless Local Area Networks and Access Points in such networks, in particular it relates to the control and use of varying beacon intervals in such networks. According to the present invention, the beacon frames in the Wireless Local Area Network are provided with an adaptive beacon interval. The interval is adapted in dependence on a current network load such that the length of the beacon interval is decreased when the network load is decreased and increased when network load is increased. The invention is applicable in existing as well as future IEEE 802.11 standards.

Abstract: The invention provides an access point device arranged to receive data packets from one or more client devices and transmit them along a public area network characterised wherein the access point device comprises security means arranged to consider the source/destination of data packets and control the forwarding/discarding of a data packet according to whether the data packet originates from a client device and is destined for a client device.

Abstract: A method (and corresponding equipment) for use in reauthentication—after a first, full authentication by a first authentication server (23a)—of a communication session involving the exchange of information between a terminal (21) and a server (24), the method including: a step (11) in which the first authentication server (23a) and other authentication servers (23b) are each assigned a respective unique realm name; and a step (13) in which during authentication between the terminal and the first authentication server (23a), the first authentication server (23a) transmits to the terminal (21) a reauthentication identity including the unique realm name assigned to the first authentication server. Then, later, during reauthentication, to make possible that the reauthentication is performed by the same authentication server (23a) as performed the full authentication—i.e. by the first authentication server (23a)—the reauthentication identity is included in a request for reauthentication.

Abstract: A method and device for ensuring address information of a wireless terminal device in a wireless local area network, the network comprising; an access point for setting up a communication connection to the terminal device, the method comprising establishing a communication connection between the terminal device and the access point (101), and relaying data packets from the terminal device to the network and from the network to the terminal device (105). The method further comprising the steps at the access point: detecting an IP address of the terminal device in response to the established communication connection (103), associating the detected IP address of the terminal device to the MAC address of the terminal device (104), and comparing that the address information of the terminal device on the relayed data packets are corresponding to the associated address information (111, 112).

Abstract: Method of authenticating a client comprising the steps of sending a subscriber identity to an authentication server; obtaining at least one challenge and at least one first secret to the authentication server based on a client's secret specific to the client; forming first credentials; forming a first authentication key using the at least one first secret; encrypting the first credentials using the first authentication key; sending the at least one challenge and the encrypted first credentials to the client; forming an own version of the first authentication key at the client; decrypting the encrypted first credentials using the own version of the first authentication key. In the method, the encrypted credentials are sent together with the at least one challenge to the client so that the client can proceed authentication only if it can derive the first secret from the at least one challenge.

Abstract: This is a method and system to efficiently do handovers for mobile IP. The mobile node registers itself with several foreign agents using a new registration type. Only one of the foreign agents is selected to forward the data packets of a data message to the mobile node. The selection algorithm may be one based on randomness, dynamic learning, message traffic congestion, or statistical information collected at the mobile node.

Abstract: A method for user equipment (UE) resident in a wireless access network (WLAN) to obtain access to at least one other network is disclosed. The method includes storing the identification (SSID) of the at least one other network (visited PLMNs 1-3 and home PLMNs 4 and 5) in the user equipment; transmitting from the user equipment a request for connection to one of the at least one other network, which includes an identification of at least one of the at least one other network, to the wireless access network; and in response to the wireless access network receiving the identification, the user equipment is connected to the identified at least one other network through the wireless access network.

Abstract: A method in a system for transferring accounting information, a system for transferring accounting information, a method in a terminal, a terminal, a method in an Extensible Authentication Protocol (EAP) service authorization server, an EAP service authorization server, a computer program, an Extensible Authentication Protocol response (EAP-response) packet, wherein the method:

Abstract: A method in a system, a system, a method in a terminal and a terminal for service selection in a data network. The method sends, from a Wireless Local Area Network (WLAN) terminal, a Network Access Identifier (NAI) including a service selection indicator via a WLAN access point; receives, at an authentication server, the NAI including a service selection indicator, and provides the WLAN terminal with a connection to the service indicated by said selection indicator. The system comprises at least one WLAN access point and terminal comprising means for including a service selection indicator in a NAI and means for sending said NAI including said service selection indicator via the WLAN access point, at least one authentication server comprising means for receiving said NAI, means for extracting said service selection indicator from said NAI and means for initiating connection to a service indicated by said service selection indicator.

Abstract: The invention relates to a terminal (A), which comprises at least one network interface card (NIC1, NIC2, NIC3) for setting up a data transmission connection to a communication network (NW1, NW2, NW3, MNW) for packet switched data transmission, and means (PD) for forming packets of the information to be transmitted and for unpacking information from the received packets. The terminal (A) is allocated at least one first address identifying the terminal (A), and at least one data network-specific second address.

Abstract: The invention relates to a method of transferring required messages for acquiring a temporary MAC address in a wireless local area network. In a first device in the local area network, a first identifier is determined to identify the first device. A message comprising the first identifier is transmitted from the first device to a second device to arrange a temporary MAC address. A response message relating to the acquisition of the MAC address and comprising the first identifier is transmitted from the second device to the first device. The first device identifies on the basis of the first identifier that the response message is intended for it.