Abstract: The invention relates to a method for authenticating the user of a terminal (5), in which terminal a device (15) for verifying the rights to use is applied for running an authentication protocol. The device (15) for verifying the rights to use is connected to the terminal (5). In the device (15) for verifying the rights to use, an extensible authentication protocol interface is applied, via which at least some of the authentication functions are carried out.

Abstract: A method for user equipment (UE) resident in a wireless access network (WLAN) to obtain access to at least one other network is disclosed. The method includes storing the identification (SSID) of the at least one other network (visited PLMNs 1-3 and home PLMNs 4 and 5) in the user equipment; transmitting from the user equipment a request for connection to one of the at least one other network, which includes an identification of at least one of the at least one other network, to the wireless access network; and in response to the wireless access network receiving the identification, the user equipment is connected to the identified at least one other network through the wireless access network.

Abstract: The invention relates to a method for arranging handover in a wireless telecommunications system. Connection settings are stored in a terminal, wherein at least one network identifier is associated with alternative connection settings, the network identifier identifying a target network reachable by a connection from the terminal. The network identifier associated with the currently applied connection settings is compared with the network identifiers associated with the other available connection settings. The connection settings associated with the same network identifier as the one associated with the currently applied connection settings are then selected. The handover may then be carried out by using the selected connection settings.

Abstract: A method in a system, a system, a method in a terminal and a terminal for service selection in a data network. The method sends, from a Wireless Local Area Network (WLAN) terminal, a Network Access Identifier (NAI) including a service selection indicator via a WLAN access point; receives, at an authentication server, the NAI including a service selection indicator, and provides the WLAN terminal with a connection to the service indicated by said selection indicator. The system comprises at least one WLAN access point and terminal comprising means for including a service selection indicator in a NAI and means for sending said NAI including said service selection indicator via the WLAN access point, at least one authentication server comprising means for receiving said NAI, means for extracting said service selection indicator from said NAI and means for initiating connection to a service indicated by said service selection indicator.

Abstract: The invention proposes a method and a network device comprising an operation entity (3) for handling network connection and at least one access client entity (1, 2) providing connection handling to a specific network access device, wherein the operation entity is adapted to identify a need for a network connection and to inform the access client entity, and the at least one access client entity is adapted to perform an authentication. Hence, an authentication procedure is delegated to a separate entity so that depending on the specification of a specific network connection, a suitable access entity for performing the authentication can be selected.

Abstract: The invention proposes a method for handling authentication requests in a network, wherein the authentication requests may have different types, the method comprising the steps of determining (S1, S3, S4) types of the authentication requests, and applying (S5-S7) a policy for handling the received authentication requests based on the determined types of authentication requests. The invention also proposes a corresponding network control element and a computer program product.

Abstract: For supporting an access to a destination network by a mobile device via a wireless access network, the mobile device generates a predetermined request, which is addressed to a connectivity test server in the destination network. The predetermined request is transmitted to the wireless access network. In case the predetermined request reaches the connectivity test server, it generates a predetermined response and transmits it to the mobile device via the wireless access network. The mobile device determines whether a response to the predetermined request is received from the wireless access network and whether a received response corresponds to the predetermined response.

Abstract: Method of authenticating a client comprising the steps of sending a subscriber identity to an authentication server; obtaining at least one challenge and at least one first secret to the authentication server based on a client's secret specific to the client; forming first credentials; forming a first authentication key using the at least one first secret; encrypting the first credentials using the first authentication key; sending the at least one challenge and the encrypted first credentials to the client; forming an own version of the first authentication key at the client; decrypting the encrypted first credentials using the own version of the first authentication key. In the method, the encrypted credentials are sent together with the at least one challenge to the client so that the client can proceed authentication only if it can derive the first secret from the at least one challenge.

Abstract: The invention allows utilizing Generic Authentication Architecture for Mobile Internet Protocol key distribution. A Generic Authentication Architecture bootstrapping is performed between a mobile terminal device and a Bootstrapping Server Function. In an embodiment a resulting Bootstrapping Transaction Identifier is sent to a Home Agent which uses it to obtain a Home Agent specific key to be used in authenticating a Mobile Internet Protocol Registration Request.

Abstract: Authentication method for authenticating a mobile node to a packet data network, in which a shared secret for both the mobile node and the packet data network is arranged by using a shared secret of the mobile node and a telecommunications network authentication centre. In the method, the mobile node sends its subscriber identity to the packet data network together with a replay attack protector. The packet data network obtains authentication triplets, forms a session key using them, and sends back to the mobile node challenges and a cryptographic authenticator made by using the session key. The mobile node can then form the rest of the authentication triplets using the challenges and then form the session key. With the session key, the mobile node can check the validity of the cryptographic authenticator. If the authenticator is correct, the mobile node sends a cryptographic response formed using the session key to the packet data network for authenticating itself to the packet data network.

Abstract: A method and device for ensuring address information of a wireless terminal device in a wireless local area network, the network comprising; an access point for setting up a communication connection to the terminal device, the method comprising establishing a communication connection between the terminal device and the access point (101), and relaying data packets from the terminal device to the network and from the network to the terminal device (105). The method further comprising the steps at the access point: detecting an IP address of the terminal device in response to the established communication connection (103), associating the detected IP address of the terminal device to the MAC address of the terminal device (104), and comparing that the address information of the terminal device on the relayed data packets are corresponding to the associated address information (111, 112).

Abstract: Method of authenticating a client comprising the steps of sending a subscriber identity to an authentication server; obtaining at least one challenge and at least one first secret to the authentication server based on a client's secret specific to the client; forming first credentials; forming a first authentication key using the at least one first secret; encrypting the first credentials using the first authentication key; sending the at least one challenge and the encrypted first credentials to the client; forming an own version of the first authentication key at the client; decrypting the encrypted first credentials using the own version of the first authentication key. In the method, the encrypted credentials are sent together with the at least one challenge to the client so that the client can proceed authentication only if it can derive the first secret from the at least one challenge.

Abstract: A method for use by a telecommunication terminal (10) in checking whether a candidate RAND in an EAP/SIM RAND challenge is likely a replay, based on using a Bloom filter including a vector data structure (21) for determining (admittedly sometimes erroneously) whether the candidate RAND is in a set of previously used RAND values. The components of the vector data structure (21) are set to one or left at zero depending on whether pointers corresponding to the previously used RAND values point to them. The pointers can be hash functions or can be constructed from the previously used RAND values. To provide for smooth filter performance at points in time when the Bloom filter is full and cannot hold information for any new previously used RAND values, the vector data structure (21) is partitioned into more than one part, and only one part is reset and re-initialized at a time.

Abstract: The invention relates to a method and system for authenticating a user of a data transfer device (such as a terminal in a wireless local area network, i.e. WLAN). The method comprises: setting up a data transfer connection from the data transfer device to a service access point. Next, identification data of the mobile subscriber (for example an MSISDN) are inputted to the service access point. This is followed by checking from the mobile communications system whether the mobile subscriber identification data contains an access right to the service access point. If a valid access right exists, a password is generated, then transmitted to a subscriber terminal (for example a GSM mobile phone) corresponding to the mobile subscriber identification data, and login from the data transfer device to the service access point takes place with the password transmitted to the subscriber terminal.

Abstract: A method, apparatus and computer program product for controlling an extent to which a user equipment is operable to use a service, at least partly based on an extent to which an operator of a first access network has certified application software associated with use of the service and/or one or more other characteristics of using the service.

Abstract: The invention relates to a method of transferring required messages for acquiring a temporary MAC address in a wireless local area network. In a first device in the local area network, a first identifier is determined to identify the first device. A message comprising the first identifier is transmitted from the first device to a second device to arrange a temporary MAC address. A response message relating to the acquisition of the MAC address and comprising the first identifier is transmitted from the second device to the first device. The first device identifies on the basis of the first identifier that the response message is intended for it.

Abstract: The present invention relates to Wireless Local Area Networks and Access Points in such networks, in particular it relates to the control and use of varying beacon intervals in such networks. According to the present invention, the beacon frames in the Wireless Local Area Network are provided with an adaptive beacon interval. The interval is adapted in dependence on a current network load such that the length of the beacon interval is decreased when the network load is decreased and increased when network load is increased. The invention is applicable in existing as well as future IEEE 802.11 standards.

Abstract: A method in a system for transferring accounting information, a system for transferring accounting information, a method in a terminal, a terminal, a method in an Extensible Authentication Protocol (EAP) service authorization server, an EAP service authorization server, a computer program, an Extensible Authentication Protocol response (EAP-response) packet, wherein the method: meters data related to a service used by at least one terminal, provides the metered data as accounting information to at least one Extensible Authentication Protocol (EAP) service authorization server, sends, by means of an Extensible Authentication Protocol request (EAP-request), a service authorization request from the at least one EAP service authorization server to the at least one terminal, digitally signs accounting information, in the at least one terminal, includes, at the at least one terminal, the digitally signed accounting information in an Extensible Authentication Protocol response (EAP-response), and sends the digitally

Abstract: The present invention relates to a method, terminal device, network element, authentication server, and computer-readable medium for controlling prioritized access to a wireless access network. An identifier portion in an authentication response is set to a service-specific unique default identifier portion, dedicated to a predetermined prioritized call, at a terminal device, when the predetermined prioritized call is activated. The authentication response is forwarded to a predetermined default authentication server where a predetermined default service-specific authentication method is initiated for authorizing the terminal device to access the predetermined prioritized service. Thereby, emergency calls or services are made by terminal devices without SIM or USIM, and no new authentication functionality related to prioritized calls is required due to the transparent character of the service-specific unique default identifier portion.

Abstract: The present invention relates to a method, system, client device, gateway device and computer program product for maintaining a state information in an intermediate network function, wherein the state information expires after a predetermined idle period. Detecting means are provided for detecting an idle state of a connection. In response to the detecting means, a transport protocol used for encapsulating data is changed from a first protocol with a first predetermined idle period to a second protocol with a second predetermined idle period, said second predetermined idle period being longer than said first predetermined idle period. Alternatively, a connection parameter is provided to a device for a parallel second connection in a set-up negotiation via said first connection. This connection parameter is then used for setting up a parallel second connection to the device based on the second transport protocol used for encapsulating data with the second predetermined idle period.