Abstract: In an example embodiment, an apparatus such as an RFID tag, is configured to operate in a first mode that allows the tag to associate with the network and receive configuration data and to operate in a second mode wherein the apparatus is not associated with the network. The apparatus sends announcement packets while in the second mode in accordance with the configuration data received while in the first mode of operation.

Abstract: In one embodiment, a method includes receiving security context information relevant to a connection between a wireless network infrastructure component and a wireless client, wherein the security context information comprises at least, an identification of the wireless client, and wherein the security context information identifies any security protocols associated with the connection; validating the connection based on the security context information; and transmitting the security context information to one or more detector wireless access points.

Abstract: A method for encrypted communications between a first transceiver and a second transceiver is provided. The method includes sending from a first transceiver to a second transceiver a request to initiate derivation of a new encryption key. The request to initiate a new encryption key derivation includes an exchange threshold indicative of when the new encryption key is to be used to encrypt communication packets.

Abstract: A method for multicast load balancing in a wireless network having a plurality of access points. The method includes setting a maximum Internet protocol multicast bandwidth for the access points, receiving an admissions control request from a client at one of the access points, and determining whether the admissions control request from the client is for an admitted or unadmitted multicast stream at the access point. The access point is responsive to the admissions control request for the admitted multicast stream by servicing the admitted multicast stream and to the admissions control request for the unadmitted multicast stream by servicing the unadmitted multicast stream where the bandwidth required for the unadmitted multicast stream, plus that portion of the access point bandwidth currently used for all existing downlink multicast streams, does not exceed the maximum internet protocol multicast bandwidth for the access point.

Abstract: A mesh access point that includes an access point profile storing one ore more parameters in non-volatile memory, and a method of using the mesh access point having the access point profile to select and carry out mutual authentication on a wireless mesh network to establish itself to the mesh network using information in the access point profile, and further to provide services to wireless clients according to information in the access point profile. Access point profiles can be pre-configured/configured/updated suitably in order to adapt the mesh access point in a mesh network according to its capabilities and requirements.

Abstract: A method for multicast load balancing in a wireless network having a plurality of access points. The method includes setting a maximum Internet protocol multicast bandwidth for the access points, receiving an admissions control request from a client at one of the access points, and determining whether the admissions control request from the client is for an admitted or unadmitted multicast stream at the access point. The access point is responsive to the admissions control request for the admitted multicast stream by servicing the admitted multicast stream and to the admissions control request for the unadmitted multicast stream by servicing the unadmitted multicast stream where the bandwidth required for the unadmitted multicast stream, plus that portion of the access point bandwidth currently used for all existing downlink multicast streams, does not exceed the maximum internet protocol multicast bandwidth for the access point.

Abstract: A method and system for handling roaming mobile nodes in a wireless network. The system uses a Subnet Context Manager to store current Network session keys, security policy and duration of the session (e.g. session timeout) for mobile nodes, which is established when the mobile node is initially authenticated. Pairwise transit keys are derived from the network session key. The Subnet Context Manager handles subsequent reassociation requests. When a mobile node roams to a new access point, the access point obtains the network session key from the Subnet Context Manager and validates the mobile node by computing a new pairwise transient key from the network session key.

Abstract: A method is disclosed for enabling stateless server-based pre-shared secrets. Based on a local key that is not known to a client, a server encrypts the client's state information. The client's state information may include, for example, the client's authentication credentials, the client's authorization characteristics, and a shared secret key that the client uses to derive session keys. By any of a variety of mechanisms, the encrypted client state information is provided to the client. The server may free memory that stored the client's state information. When the server needs the client's state information, the client sends, to the server, the encrypted state information that the client stored. The server decrypts the client state information using the local key. Because each client stores that client's own state information in encrypted form, the server does not need to store any client's state information permanently.

Abstract: In one embodiment, a method for facilitating authentication and ease the configuration of authentication includes receiving a credential type selection and selecting one or more authentication types based on the credential type selection and one or more policies set by the administrators. The policies can be preconfigured or dynamically pushed or fetched and updated to the client.

Abstract: A method is disclosed for enabling stateless server-based pre-shared secrets. Based on a local key that is not known to a client, a server encrypts the client's state information. The client's state information may include, for example, the client's authentication credentials, the client's authorization characteristics, and a shared secret key that the client uses to derive session keys. By any of a variety of mechanisms, the encrypted client state information is provided to the client. The server may free memory that stored the client's state information. When the server needs the client's state information, the client sends, to the server, the encrypted state information that the client stored. The server decrypts the client state information using the local key. Because each client stores that client's own state information in encrypted form, the server does not need to store any client's state information permanently.

Abstract: A method and system for pre-authenticating a pre-establishing key management on a roaming device prior to re-association to facilitate fast hand-off in a wireless network is described. For enhanced mobility, both authentication and key establishment is performed prior to re-association of the roaming device between access points. When the roaming device enters in contact with one of the access points, a local authentication is performed between the access point and the roaming device prior to re-association with the access point to allow for fast hand-offs of the device between access points within the network.

Abstract: In one embodiment, a system and method for optimizing a neighbor AP list for a wireless station. The list is optimized based on the current location of the wireless station and the direction of motion. Neighbor APs that are not near the wireless station and/or not in the direction of motion are pruned for the neighbor AP list.

Abstract: A method of providing a protocol for rekeying between two stations is disclosed. The method can include providing a first set of messages for computing a new key and reserving an auxiliary storage area for the new key. The first set of messages comprises an enable exchange. The method also includes providing a second set of messages to obsolete an old key and switch to the new key. The second set of messages comprises a transition exchange. In one embodiment, the protocol includes rekeying between multiple stations, and the rekey coordinator sends the first set of messages to a plurality of rekey participants. The auxiliary storage area allows multiplexing in both the enable and transition exchanges, thereby facilitating an efficient and safe rekey operation.

Abstract: A method and logic encoded in tangible media and apparatus for securing links between a mesh point and one or more identities of one or more parent mesh points of a wireless mesh network in order to secure the links. A first association is carried out to one of the identities of one of the parent mesh points. The first mesh point undergoes a mutual authentication with an authenticator and announces the possibility of multiple links and/or multiple paths. The authentication generates a first master key from which the root master key of the key hierarchy is derived so that other master keys for different identities are derivable using a hierarchy. The mesh point undergoes a 4-way handshake to derive a first transient key. Other transient keys are obtained by a fast roaming method without having to re-undergo a backend authentication, the other transient keys being for other links and/or paths and derived using the hierarchy.

Abstract: A method and system for pre-authenticating a pre-establishing key management on a roaming device prior to reassociation to facilitate fast hand-off in a wireless network is described. For enhanced mobility, both authentication and key establishment is performed prior to reassociation of the roaming device between access points. When the roaming device enters in contact with one of the access points, a local authentication is performed between the access point and the roaming device prior to reassociation with the access point to allow for fast hand-offs of the device between access points within the network.

Abstract: Methods, apparatuses and systems directed to detecting address spoofing in wireless networks by, after receiving a wireless management frame, transmitting verification messages to determine whether a given wireless node (e.g., a wireless access point, or wireless client) has legitimately lost its connection state.

Abstract: An authentication method in a mesh AP including using standard IEEE 802.11i mechanisms between the mesh AP and an authenticator for authenticating the mesh AP to become a child mesh AP with a secure layer-2 link to a first parent mesh AP that has a secure tunnel to a Controller, including, after a layer-2 link between the child mesh AP and the first parent mesh AP is secured, undergoing a join exchange for form a secure tunnel between the child mesh AP and the Controller. Further, a fast roaming method for re-establishing a secure layer-2 link with a new parent mesh AP including, while the mesh AP is a child mesh AP to the first parent mesh AP and has a secure layer-2 link to the first parent mesh AP, caching key information and wireless mesh network identity information, and using the cached information to establish a secure layer-2 link with a new parent mesh AP without having to undergo a 4-way authentication.

Abstract: A system and method to enable an access point to dynamically provision a WLAN client with a new wireless profile once an association is established based on the infrastructure policy. A client can be directed to use a new profile without the need for pre-configuration and going through another authentication process. The new wireless profile can be provided to the client either during or after association, with or without the protection of link layer security key.

Abstract: A method of providing a protocol for rekeying between two stations is disclosed. The method can include providing a first set of messages for computing a new key and reserving an auxiliary storage area for the new key. The first set of messages comprises an enable exchange. The method also includes providing a second set of messages to obsolete an old key and switch to the new key. The second set of messages comprises a transition exchange. In one embodiment, the protocol includes rekeying between multiple stations, and the rekey coordinator sends the first set of messages to a plurality of rekey participants. The auxiliary storage area allows multiplexing in both the enable and transition exchanges, thereby facilitating an efficient and safe rekey operation.

Abstract: Methods, apparatuses, and systems directed to facilitating the application of pre-allocation policies in a wireless network environment. According to one implementation of the present invention, a central controller, or other control point in a wireless network infrastructure, applies one or more policies that limit the number of resource pre-allocations a given wireless client may establish with one or more wireless access points. In one implementation, the central controller provides a pre-allocation list to a wireless client that is requesting pre-allocation. By limiting a wireless client's ability to pre-allocate resources, the central controller optimally manages the resources of the wireless network. In alternative embodiments, the central controller can terminate pre-allocations between a wireless client and one or more wireless access points to enforce pre-allocation policy on the wireless network infrastructure.