TW200412158A - A multi-platform wireless broadband network system providing authorization, authentication and accounting functions - Google Patents


Info

Publication number
TW200412158A
Authority
TW
Taiwan
Prior art keywords
authentication
user
cap device
network
packet
Application number
TW91138203A
Other languages
Chinese (zh)
Other versions
TWI246334B (en)
Inventor
Ren-Guey Lee
Yao-Cong Li
Qing-Hua He
Chao-Hui Lu
Original Assignee
Cablesoft Tech Inc
Mobile Internet Telecom Co Ltd
Cypherium Systems Co
Landscapes

  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A multi-platform wireless broadband network system providing authorization, authentication and accounting functions installs, in a cable TV network, wireless network access points (abbreviated CAP devices) that provide authorization, authentication and accounting (AAA) functions. A CAP device can be installed indoors or outdoors, giving subscribers broadband network service without constraints of place or time. Each CAP device integrates an outdoor cable modem with an AAA-capable wireless network access point. Because the transmit power of a subscriber's wireless NIC is limited, its signal cannot reach an outdoor CAP device directly and must be extended through a repeater. On the subscriber side, authentication can be offered to some subscribers using the EAP standard, but EAP support in existing operating systems is incomplete. The system therefore provides an authentication method that simultaneously supports EAP-capable subscribers and ordinary subscribers without EAP support, simplifying the subscriber's operation.

Description

200412158 V. Description of the Invention (1)

"Field of the Invention" The present invention relates to a method of providing wireless broadband network services, in particular an authorization, authentication and accounting method and the ability to support subscribers on multiple operating platforms.

"Background of the Invention" The growth of the Internet has changed how most people obtain information, and the growing number of services has made reliance on the network for information a new trend. Networks have moved from narrow-band to broadband service, from wired to wireless access, and from indoor use to demand for service without constraints of time or place. Telecommunications carriers, computer network operators and broadcast service providers alike are working to deliver data, audio, video and other multimedia services.

In recent years telecommunications carriers have formed two camps in building broadband networks. One offers wired broadband services such as xDSL (Digital Subscriber Line), FTTB (Fiber to the Building) and HomePNA. The other develops wireless data transmission systems such as GPRS and 3G. Cable television operators, on the broadcast side, offer cable modem Internet access and hope to integrate audio, video and data transmission through data services. Computer network vendors have progressed from Ethernet to Gigabit Ethernet and the 802.11 family of wireless LAN protocols. All of these operators aim to offer users a convenient broadband network service.

If the Internet could provide service without constraints of time or place, it would benefit more users and make mobile office services possible. Developing wireless broadband service that covers a wide area has therefore become a new requirement. However, radio transmission suffers a large free-space loss.

Over long distances the amount of data that can be carried drops sharply, which is unfavourable for broadband service. Providers of wireless broadband service therefore generally run a wired network to a point and then attach a wireless network, that is, combinations such as ADSL with wireless LAN, or cable modem with wireless LAN.

System deployment cost and the timing of technology introduction both affect a service's market share. For Ethernet, the CSMA/CD protocol is hardly the best network protocol, but because it reached the market early and was cheap it has always held the largest market share. Accordingly, wireless networks conforming to 802.11b have entered the market before third-generation mobile networks are complete, hoping to secure a share of it. Because radio waves propagate through open space, however, it must be ensured that only legitimate transmissions obtain service through the wireless network device; the device must therefore provide authentication so that unrelated transmissions do not consume bandwidth. The 802.11b protocol currently supports the EAP (Extensible Authentication Protocol) specification, intended to keep unauthenticated signals from occupying the limited bandwidth. However, EAP requires the user equipment to encode its signals so that the access point can identify them; the client's network equipment must therefore support EAP encoding to get online through the access point. Current EAP authentication methods include MD5, TLS, TTLS and PEAP. MD5 is rarely used because it has no support for dynamic encryption; TLS must be paired with smart cards or other certificates, which is hard to roll out; and for the latter two the standards are not yet settled, so supporting equipment and clients are hard to obtain. These restrictions make it difficult for 802.11 wireless LAN adoption to grow.

Some operators currently provide wireless Internet service with EAP disabled so that every user can get online. Disabling EAP, however, means most users need only know the access point's SSID (Service Set Identifier) to connect, which creates a security hole. Proposing an authentication method that is compatible with EAP while still supporting legacy systems is therefore a worthwhile solution.

Such a method, compatible with EAP and supporting legacy systems, can be provided either with an external authentication server or with authentication embedded in the access point. An external authentication server raises equipment and deployment cost; an embedded design must take the access point's computing capacity into account.

In light of the above, this system proposes a wireless network access point with embedded authorization, authentication and accounting functions to provide broadband service, which is an important direction of development.

To make the features and industrial applicability of the invention clear to the examiners, it is described below by way of specific embodiments with reference to the accompanying drawings:

Table 1 is the channel allocation table used by the wireless communication network on which the invention is based; it lists the channel allocation for different countries and regions, including channel numbers and frequencies. The frequency bands available in a wireless environment are limited, and co-channel or adjacent-channel interference is common. Adjacent-channel interference arises because there is not enough isolation between bands, so the side bands of neighbouring channels interfere with each other. The 802.11b/b+ protocol defines each channel as 22 MHz wide, with adjacent channel centre frequencies 5 MHz apart. To reduce interference, channel use in neighbouring areas must follow channel allocation principles.

Automatic frequency hopping (Frequency Hopping) is also used to reduce co-channel and adjacent-channel interference.

Figure 1 illustrates the relationship between the distance separating two wireless LAN devices and the data transmission rate. In a wireless digital communication system, data transmission adjusts its rate according to the signal quality of the radio link and its ability to penetrate obstacles, so as to keep the bit error rate from becoming so high that transmission efficiency suffers. The 802.11b protocol defines four rates by distance: 1 Mbps, 2 Mbps, 5.5 Mbps and 11 Mbps; the rate changes automatically with the quality of the transmission channel.

Figure 2 is the system architecture of the invention. It consists of a client device (2.1), a repeater (2.2), a CAP device (2.3), a CMTS head-end device (2.4), a router (2.5), application servers (2.6), an authentication, authorization and accounting server (2.7) and a database (2.8).

Before describing in detail how the system operates, each component of Figure 2 is briefly explained as follows:

Client device (2.1): any client equipment that can be fitted with a wireless network card supporting the 802.11a/b/b+/g protocols, such as a computer, personal digital assistant (PDA) or mobile phone.

Repeater (2.2): communication equipment fitted with an antenna and supporting the 802.11a/b/b+/g wireless protocols, with radio channel conversion and data relay capability. It mainly compensates for the inability of the client's wireless network card to transmit over the long distance to the CAP device (2.3), and allows the client (2.1) and the CAP device (2.3) to use different radio bands (2.4 GHz or 5.4 GHz, for example) to avoid radio interference.

CAP device (2.3): an outdoor wireless communication device that integrates a cable television cable modem and a wireless network access point with authorization and authentication capability, together with antennas. It can be mounted on the cable television network, drawing power over the cable television line and converting it to power the CAP device, and it can be chained with a cable television amplifier or another CAP device. The CAP device contains two sets of antennas: one serving the client-side repeater (2.2) and the other providing radio transmission and reception for users beneath the CAP. The cable modem in the CAP device supports the DOCSIS 1.0/1.1 protocol and communicates with the CMTS (Cable Modem Terminal System) (2.4) at the cable television head-end. The access point within the CAP device, with its authorization and authentication capability, should be able to carry out user authentication and authorization with the authentication server (2.7) in the head-end. The CAP device mainly provides broadband data access between the client device (2.1) and the CMTS equipment (2.4) at the cable television head-end, and determines whether users are legitimately authorized and authenticated; at the same time, with radio coverage reaching 500 metres, its data transmission capacity should be at least 11 Mbps.

Cable Modem Termination System (CMTS) (2.4): the head-end device supporting the DOCSIS 1.0/1.1 protocol which pairs with the cable modem in the CAP device (2.3) to form the data service. The CMTS sits between the cable television network and the Internet router (2.5); it can receive the data signals from many cable modems at once and forwards them to the router (2.5) for data exchange.

Router (2.5): a packet switching device as defined by the network-layer protocols of the ISO Open Systems
Interconnection (OSI) architecture; it mainly interfaces communication devices to the Internet to provide data service.

Application Servers (2.6): server systems that provide services in general, such as WWW servers and e-mail servers.

Authentication, authorization and accounting server (AAA Server) (2.7): composed of a subscriber database and a server with authentication, authorization and accounting functions. It verifies and authenticates the user's identity, determines the user's access rights from the contents of the database (2.8), and provides monthly subscription, per-use and per-time billing. The AAA server (2.7) should integrate with the authentication process inside the CAP device (2.3) to provide reliable authentication and authorization services.

Database (2.8): stores users' basic data together with authentication, authorization and access-right information, and records billing-related information such as each user's login time and usage time.

Having introduced the components of Figure 2, the operation of the whole system is now described in detail. The CAP device (2.3) is placed at a suitable location where its radio coverage spans a large area (transmit power is adjustable, giving a range of roughly 500 to 1000 metres), and it receives data from client devices at 11/22/54 Mbps (corresponding to the 802.11b/b+/a protocols respectively). Because the coverage of the CAP device (2.3) exceeds the range over which the client device's wireless card can transmit, a user whose distance prevents the signal from reaching the CAP device (2.3) must install the dedicated repeater (2.2) designed in this invention so that the signal reaches the CAP device (2.3).

Because the system provides a paid service, whether a user is legitimate must be determined through an authentication and authorization procedure. Generally, to record a large volume of user data and passwords, the database (2.8) is placed at the head-end rather than at the client. If the authentication process were carried out at the head-end, however, the bandwidth between the user and the head-end would be consumed by data from illegitimate users, lowering the transmission rate of legitimate users. To avoid this, the system splits authentication into an AAA server (2.7) side and a client side: the AAA server (2.7) is placed in the head-end and the client side inside the CAP device (2.3). User packets must therefore first be inspected by the CAP device (2.3) and pass authentication before the cable modem in the CAP device (2.3) transmits them to the CMTS system (2.4) at the head-end; with this architecture the data bandwidth between the CMTS (2.4) and the cable modem is used effectively. The related authentication procedures are illustrated in Figures 4 and 5 respectively. After a user completes authentication, the AAA server (2.7) grants authorization according to the user's rights and billing records in the database (2.8), and the user can use the required services and be billed.

Figure 3 is a block diagram of the CAP device (2.3) of the invention. As shown, it comprises a wireless LAN card driver (3.1), an Ethernet NIC driver (3.2), an 802.1X extensible authentication protocol module (3.3), an 802.1Q virtual LAN module (3.4), a packet forwarder module (3.5), a routing policy engine (3.6), a CAP access management module (3.7),
an authentication, authorization and accounting module (3.8), a packet inspector module (3.9), a basic Internet services module (3.10), a lightweight World Wide Web server (3.11), a connection monitoring module (3.12), a network management protocol agent (3.13) and a point-to-point protocol / network security protocol engine (3.14). Together they provide wireless network access meeting the 802.11a/b/b+/g protocols. Of these, the packet inspector module (3.9), the connection monitoring module (3.12) and the authentication, authorization and accounting module (3.8) are the modules added by this invention to give the CAP device (2.3) authentication, authorization and accounting capability.

The function of each block is described below:

WLAN NIC Driver (3.1): drives the wireless LAN card inside the CAP device (2.3). The card supports the 802.11a/b/b+/g protocols and can receive radio signals, decode the packets and pass them to the upper layers.

Ethernet NIC Driver (3.2): the driver needed for the CAP device (2.3) to interface with its Ethernet card.

802.1X EAP Module (3.3): the Extensible Authentication Protocol (EAP) is an extension of the PPP protocol proposed by the IETF; it adds authentication mechanisms to PPP to authenticate remote logins, and for different security requirements EAP can support several authentication methods. This module is supported by the 802.11b/b+ protocol.

802.1Q VLAN Module (3.4): the 802.11a/b/b+ protocols support the IEEE 802.1Q standard defined in 1998, which provides a mechanism for grouping devices connected at different points of a LAN. This segmentation of data transmission uses the concept of a virtual LAN identifier (VLAN ID) to direct Ethernet traffic to switch ports belonging to the same VLAN, ensuring that frames tagged with a VLAN ID can be accessed only by particular users.

Packet Forwarder (3.5): responsible for forwarding packets, with flow control according to the data transmission rate.

Policy Routing Engine (3.6): provides routing management; whether a packet entering the CAP device (2.3) may be forwarded after authentication by the EAP module (3.3) and the AAA module (3.8) is decided by the routing rules in this engine.

Access Point Management Module (3.7): the core that controls and manages the whole CAP process.

AAA Client Module (3.8): the counterpart of the AAA server (2.7) in the head-end, providing user authentication and authorization so that illegitimate packets do not occupy the data path between the CMTS (2.4) and the cable modem.

Packet Inspector (3.9): the CAP device (2.3) provides a traffic accounting mechanism, so all packets passing through the CAP device (2.3) are monitored and controlled for traffic by this module.

Basic Internet services module (Basic Internet Services,
DHCP/Proxy) (3.10): provides HTTP proxy service and dynamic IP address assignment for users.

Light Weight W3 Server (3.11): the CAP device (2.3) supports first-time user login, so a login page (home page) must be built into the device; the CAP device (2.3) must therefore have built-in WWW server capability.

Watchdog & Monitoring Module (3.12): monitors the user's connection to the network and, according to whether the user continues to access it, determines whether the user is still active, in order to decide whether billing should continue.

SNMP Agent (3.13): the CAP device (2.3) provides network management capability; its MIB parameter values can be read with SNMP (Simple Network Management Protocol) commands as a basis for judging whether the device is operating normally.

PPTP / IPSec Engine (3.14): the CAP device (2.3) supports the PPTP protocol, letting nodes of a local network connect to each other across the Internet. The IPSec (Internet Protocol Security) protocol, provided by the operating system, supplies encryption for secure communication between applications; through IPSec, data confidentiality, integrity and reliability are assured, along with security services such as anti-replay (automatic correction of errors occurring during packet transmission).

Figure 4 is the AAA client flowchart of the invention, which is divided into a network layer 2 flow and a layer 3 flow. It mainly takes into account that the CAP device
(2.3) should have MAC address translation at network layer 2 and routing and forwarding at layer 3, because the CAP device (2.3) must be able to block all or some network packets of all or particular users before authentication succeeds. In addition, the CAP device (2.3) can dynamically apply, per user, the routing policy sent by the authentication server (2.7) in the routing policy engine (3.6) of the CAP device (2.3). The authorization and authentication functions should support both standard EAP authentication compatible with 802.1X and client devices without EAP capability. The authentication flow is as follows: after the CAP device (2.3) receives an 802.11 packet (4.2), it extracts the MAC address and compares it with the MAC table (4.4) of addresses already authenticated by EAP. If the address is in the MAC table (4.4), the user is a legitimate user supporting the 802.1X EAP protocol, so the 802.11 packet is decoded according to the Wired Equivalent Privacy (WEP) mechanism (4.10), tagged with a virtual LAN (VLAN) tag (4.11) such as X, and passed to network layer 3 A (4.12) for control. If the packet's MAC address is not that of a legitimate user, a frame type filter (4.6) is applied: if the packet is EAP-OW (the wireless LAN standard authentication format) (4.7), the authentication procedure is carried out according to the 802.1X EAP protocol (indicating that the user supports EAP), the user becomes a legitimate user and its MAC address is recorded in the MAC table (4.4). If the packet is not EAP-OW, it does not support EAP-OW and may be a TCP/IP packet or another format; it is first tagged with VLAN tag Y (4.9) and passed to network layer 3 B (4.13) for control.

The CAP device (2.3) should have a Layer 3 routing filtering function. The flow is as follows. Network Layer 3 A (4.12) receives two kinds of packets from Layer 2. One kind comes from legitimate standard 802.1X users; these packets go directly into the routing policy engine (4.14) for routing and forwarding decisions. The other kind is packets from non-legitimate subscribers (4.13). For a non-legitimate subscriber packet, the device first determines whether it is a DHCP request for an IP address (4.15). If so, the user does not yet hold a legitimate IP address in the IP segment configured on the CAP device (2.3), and the CAP device (2.3) provides an IP address to the user through its DHCP service or DHCP relay service (4.16), after which the flow returns to the Layer 2 control flow described in claim 3. If the user already holds a legitimate IP address of the CAP device (2.3), the packet is treated as that of an ordinary legitimate user and enters the routing policy engine (4.14) for routing and forwarding decisions. The routing policy engine (4.14) filters whether a packet may be forwarded according to the routing policy stored as described in claim 2. If the packet belongs to an IP address that does not need to be blocked, the flow tests whether the MAC address is in the MAC Table (4.17) to determine whether this is a new user or an existing customer. If it is an existing customer, the packet is sent via the Next HOP (4.19) to the cable modem and up to the CMTS (2.4) and on to the authentication server (2.7); once authentication login is completed, Internet service can be provided. If the packet belongs to a new user and is a WWW request, the CAP device (2.3) sends the URL of the system-configured authentication login page (Login Portal) (4.18) to the user's Internet access device; if the user completes authentication login and thereby becomes a legitimate user, the packet is sent via the Next HOP (4.19) to the cable modem and up to the CMTS (2.4) and on to the authentication server (2.7), and once authentication login is completed, Internet service can be provided. If the service the user requests is not the URL of the authentication login page (4.18), the flow detects whether port 80 of the WWW Internet service is open (4.20); if so, the user wants to browse the web, and the CAP device (2.3) forcibly redirects the URL to that of the authentication login page (4.22). If the service the user requests is not web access, the packet is discarded (4.21).

Please refer to the fifth figure, which is a flowchart of the AAA server (2.7) side of the present invention. As shown, after the user completes login at the CAP device (2.3) side, the system sends the authentication page to the user side (5.2), and the user can enter the user name, password and related authentication information. The server (2.7) side determines, according to the data in the database (2.8), whether the user passes verification (5.3). Once the user passes verification, the user's access permissions are checked (5.4), and the permissions determine which data the user may access. After permission confirmation is completed, the AAA server sends a confirmation command to the Network Access Manager (5.5) and at the same time loads the accounting mechanism (5.6), which completes the authentication, authorization and accounting procedures.

Brief Description of the Drawings

The first table shows the wireless frequency hopping technology used in the present invention.
The first figure shows the relationship between distance and speed of the wireless LAN in the present invention.
The second figure is the CAP system architecture diagram of the present invention.
The third figure is a block diagram of the CAP device of the present invention.
The fourth figure is the AAA client-side flowchart of the present invention.
The fifth figure is the AAA server-side flowchart of the present invention.


Claims (1)

200412158 VI. Claims

1. A wireless local area network device with built-in user authorization, authentication and accounting capability, termed the AAA function, called a CAP device. It is mainly composed of a cable modem and a wireless network access bridge with AAA functions. The CAP device is mounted on the cable TV network; it is powered over the cable TV network line, converting that supply into the power the CAP device needs, and it can be cascaded with a cable TV trunk amplifier, a line extender, or another CAP device. The CAP device is waterproof and can be installed indoors or outdoors. Each CAP device contains one or more sets of 2.4/5.2/5.7 GHz omnidirectional or directional antennas, one set serving client-side repeaters and another providing radio transmission and reception for users below the CAP or client-side repeaters. The cable modem in the CAP device communicates data with the CMTS at the cable TV head end, and each cable TV channel can reach a rate of 27 Mbps or 36 Mbps or more.

2. The CAP device as described in claim 1, having Layer 2 MAC address translation capability and Layer 3 routing and forwarding functions. The CAP device must be able to block all or specific network packets of all or some users before authentication is passed. In addition, the CAP device can dynamically apply, per user, the routing policy sent by the authentication server in the policy routing engine of the CAP device.

3. The CAP device as described in claim 1, wherein the authorization and authentication functions support both client devices with standard EAP authentication capability compatible with 802.1x and client devices without EAP capability. The authentication flow is as follows: after the CAP device receives an 802.11 packet, it extracts the MAC address and compares it with the MAC Table of stations that have passed EAP authentication. If the MAC address is in the MAC Table, the station is a legitimate user supporting the 802.1x EAP protocol, and the 802.11 packet is decoded according to WEP (Wired Equivalent Privacy), tagged with a VLAN tag such as X, and passed to network Layer 3 for control. If the packet's MAC address does not belong to a legitimate user, frame type filtering is performed: if the packet is EAP-OW (the wireless LAN standard authentication format), the authentication procedure is carried out according to the 802.1X EAP protocol (which indicates that the user supports the EAP specification), the user becomes a legitimate user, and its MAC address is recorded in the MAC Table. If the packet is not EAP-OW, the station does not support EAP-OW and the packet may be a TCP/IP packet or another format; in that case the VLAN tag is first set to Y and the packet is passed to network Layer 3 for control.

4. The authorization and authentication flow as described in claim 3, wherein the CAP device has a Layer 3 routing filtering function. The flow is as follows. Network Layer 3 receives two kinds of packets from Layer 2. One kind comes from legitimate standard 802.1X users; these packets go directly into the routing policy engine for routing and forwarding decisions. The other kind is packets from non-legitimate subscribers. For a non-legitimate subscriber packet, the device first determines whether it is a DHCP request for an IP address. If so, the user does not yet hold a legitimate IP address in the IP segment configured on the CAP device, and the CAP device provides an IP address to the user through its DHCP service or DHCP relay service, after which the flow returns to the Layer 2 control flow described in claim 3. If the user already holds a legitimate IP address of the CAP device, the packet is treated as that of an ordinary legitimate user and enters the routing policy engine for routing and forwarding decisions. The routing policy engine filters whether a packet may be forwarded according to the routing policy stored as described in claim 2. If the packet belongs to an IP address that does not need to be blocked, the flow tests whether the MAC address is in the MAC Table to determine whether this is a new user or an existing customer. If it is an existing customer, the packet is sent via the Next HOP to the cable modem and up to the CMTS and on to the authentication server; once authentication login is completed, Internet service can be provided. If the packet belongs to a new user and is a WWW request, the CAP device sends the URL of the system-configured authentication login page (Login Portal) to the user's Internet access device; if the user completes authentication login and thereby becomes a legitimate user, the packet is sent via the Next HOP to the cable modem and up to the CMTS and on to the authentication server, and once authentication login is completed, Internet service can be provided. If the service the user requests is not the URL of the authentication login page, the flow detects whether port 80 of the WWW Internet service is open; if so, the user wants to browse the web, and the CAP device forcibly redirects the URL to that of the authentication login page. If the service the user requests is not web access, the packet is discarded.

5. The CAP device-side authentication and authorization flow as described in claims 3 and 4, wherein the corresponding authentication server has permission management and accounting functions. This is explained as follows: after the CAP device completes the authentication and authorization flow described in claims 3 and 4, the data is sent via the cable modem to the CMTS and then to the authentication server; the authentication server checks the user's permissions and notifies the Network Access Manager that authentication is complete. The authentication server is connected to the subscriber database and stores Internet access records as the basis for accounting. The billing method may be a fixed monthly fee or charging by the user's online time, number of sessions, or data volume; the system supports all of these.

6. A client-side wireless network repeater device, mainly composed of a dual 802.11b+/802.11b protocol interface and a set of one directional antenna and one omnidirectional antenna. It receives the 802.11b radio signal transmitted by the client's network card through the omnidirectional antenna, forwards it as an 802.11b+ signal, and transmits it to the CAP device through the directional antenna. The transmitted signal strength must comply with the client power specified in the 802.11b protocol. For transmission to and reception from the CAP device, the repeater uses the directional antenna to increase transmit gain, and the maximum distance to the CAP device can reach 1 km.

7. A wireless broadband network system with authorization, authentication and accounting functions as described in claims 1 to 5. It is mainly composed of client devices, repeaters, CAP devices, CMTS head-end equipment, routers, application servers, and authentication, authorization and accounting servers with a database. The CAP device is placed at a suitable location on the client side; its radio coverage spans a large area and it receives data from client devices at 11/22 Mbps (corresponding to the 802.11b/b+ protocols respectively). The coverage of the CAP device is larger than the distance over which the wireless network card in a client device can transmit, so if a user is too far away to reach the CAP device, the user must install the dedicated repeater of claim 6 for the signal to reach the CAP device. The system determines whether a user is legitimate through authentication and authorization procedures. In a typical authentication procedure, in order to record a large amount of user data and passwords, the database is placed at the head end (equipment room) rather than at the client side; when the authentication flow is carried out by the head end, the bandwidth between the client side and the head end is occupied by the data of non-legitimate users, reducing the transmission rate of legitimate users. To avoid this problem, the present system divides authentication into an AAA server side and a client side, placing the AAA server in the head end and the client side in the CAP device. A user's packets must therefore first pass preliminary authentication at the CAP device before the cable modem in the CAP device transmits them to the CMTS system in the head end, so that the data bandwidth between the CMTS and the cable modem is used efficiently. After the user completes authentication, the AAA server provides authorization services according to the recorded user permissions and accounting records, and the user can then use the required services and be billed for them.
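The Layer 2 and Layer 3 control flow of the fourth figure and the AAA login of the fifth figure, as described in the description and in claims 3 to 5, as an added Python simulation that is not the patent's own code: the MAC addresses, the 10.0.0.0 lease range, the portal URL and the subscriber database are constructed placeholders, the EAP exchange itself is assumed to succeed, and a non-DHCP frame without a valid lease is dropped (an assumption the text does not state).

```python
"""Constructed simulation of the CAP device control flow of the fourth and fifth
figures: Layer 2 MAC Table / EAP-OW check and VLAN tagging, then Layer 3 DHCP,
routing policy, login portal redirect and AAA login. Not the patent's own code;
all addresses, URLs and subscriber records are constructed placeholders."""
import hmac
from dataclasses import dataclass, field

VLAN_X = "X"  # tag for frames from EAP-authenticated stations (4.11)
VLAN_Y = "Y"  # tag for all other stations (4.9)
PORTAL_URL = "http://portal.example/login"  # Login Portal (4.18), placeholder
# Subscriber database (2.8), constructed: username -> (password, permitted services)
SUBSCRIBERS = {"alice": ("alice-pw", {"web", "mail"})}


@dataclass
class Frame:
    src_mac: str
    kind: str          # "EAP-OW", "DHCP", "WWW" or "OTHER" (frame type filter, 4.6)
    src_ip: str = ""
    dst_port: int = 0
    dst_url: str = ""


@dataclass
class CapDevice:
    eap_macs: set = field(default_factory=set)      # MAC Table of EAP users (4.4)
    portal_macs: set = field(default_factory=set)   # MAC Table of portal users (4.17)
    leases: dict = field(default_factory=dict)      # mac -> IP handed out by DHCP (4.16)
    blocked_ips: set = field(default_factory=set)   # routing policy from the AAA server
    accounting: dict = field(default_factory=dict)  # mac -> services being billed (5.6)

    def layer2(self, f):
        """Known EAP user -> VLAN X; EAP-OW frame -> authenticate; anything else -> VLAN Y."""
        if f.src_mac in self.eap_macs:
            return "L3A", VLAN_X        # WEP decode (4.10), tag X, to Layer 3 A (4.12)
        if f.kind == "EAP-OW":          # 802.1x EAP exchange (4.7); assumed to succeed here
            self.eap_macs.add(f.src_mac)
            return "EAP_DONE", None
        return "L3B", VLAN_Y            # tag Y, to Layer 3 B (4.13)

    def layer3(self, f, path):
        """802.1x users go straight to policy routing; others must hold a CAP-segment IP."""
        if path == "L3A":
            return self.policy_route(f)
        if f.kind == "DHCP":            # (4.15): lease an address from the CAP segment
            ip = self.leases.setdefault(f.src_mac, f"10.0.0.{len(self.leases) + 2}")
            return "DHCP_OFFER", ip
        if self.leases.get(f.src_mac) != f.src_ip:   # assumption: no valid lease -> drop
            return "DROP", "no valid IP on the CAP segment"
        return self.policy_route(f)

    def policy_route(self, f):
        """Routing policy engine (4.14), then the new-versus-existing user check (4.17)."""
        if f.src_ip in self.blocked_ips:
            return "DROP", "blocked by routing policy"
        if f.src_mac in self.eap_macs or f.src_mac in self.portal_macs:
            return "FORWARD", "Next HOP -> Cable Modem -> CMTS"  # (4.19)
        if f.kind == "WWW" and f.dst_url == PORTAL_URL:
            return "PORTAL", PORTAL_URL                           # (4.18)
        if f.dst_port == 80:                                      # (4.20) -> (4.22)
            return "REDIRECT", PORTAL_URL
        return "DROP", "unauthenticated and not a web request"    # (4.21)

    def handle(self, f):
        """Run one frame through the Layer 2 and Layer 3 steps."""
        path, _vlan = self.layer2(f)
        if path == "EAP_DONE":
            return "EAP_DONE", None
        return self.layer3(f, path)

    def portal_login(self, mac, username, password):
        """AAA server side (5.2-5.6): verify credentials, look up permissions, start accounting."""
        entry = SUBSCRIBERS.get(username)
        if entry is None or not hmac.compare_digest(entry[0], password):  # (5.3)
            return False
        self.portal_macs.add(mac)           # Network Access Manager told of success (5.5)
        self.accounting[mac] = entry[1]     # permissions (5.4) and accounting loaded (5.6)
        return True


if __name__ == "__main__":
    cap = CapDevice()
    print(cap.handle(Frame("00:11:22:33:44:55", "DHCP")))   # ('DHCP_OFFER', '10.0.0.2')
```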
TW91138203A 2002-12-26 2002-12-26 A multi-platform wireless broadband network system providing authorization, authentication and accounting functions TWI246334B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW91138203A TWI246334B (en) 2002-12-26 2002-12-26 A multi-platform wireless broadband network system providing authorization, authentication and accounting functions

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW91138203A TWI246334B (en) 2002-12-26 2002-12-26 A multi-platform wireless broadband network system providing authorization, authentication and accounting functions

Publications (2)

Publication Number Publication Date
TW200412158A true TW200412158A (en) 2004-07-01
TWI246334B TWI246334B (en) 2005-12-21

Family

ID=37191404

Family Applications (1)

Application Number Title Priority Date Filing Date
TW91138203A TWI246334B (en) 2002-12-26 2002-12-26 A multi-platform wireless broadband network system providing authorization, authentication and accounting functions

Country Status (1)

Country Link
TW (1) TWI246334B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI487319B (en) * 2011-03-23 2015-06-01 Wistron Neweb Corp Power-over-ethernet relay system, power injector and access point

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI747645B (en) * 2020-12-07 2021-11-21 中華電信股份有限公司 Service provisioning server and service provisioning method for customer-premises equipment

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI487319B (en) * 2011-03-23 2015-06-01 Wistron Neweb Corp Power-over-ethernet relay system, power injector and access point
US9184922B2 (en) 2011-03-23 2015-11-10 Wistron Neweb Corp. Power-over-ethernet relay system, power injector and access bridge device

Also Published As

Publication number Publication date
TWI246334B (en) 2005-12-21

Similar Documents

Publication Publication Date Title
US8885571B2 (en) System and method for maintaining a communication session
US9241367B2 (en) System and method for wi-fi roaming
US8522315B2 (en) Automatic configuration of client terminal in public hot spot
US10148824B2 (en) Access point with controller for billing and generating income for access point owner
US7710933B1 (en) Method and system for classification of wireless devices in local area computer networks
EP1606904B1 (en) A flexible wlan access point architecture capable of accommodating different user devices
US20090016529A1 (en) Method and system for prevention of unauthorized communication over 802.11w and related wireless protocols
AU2002308983B2 (en) Communication Method, Carrier Apparatus and Line Lender Apparatus
CN107409307A (en) Wireless house access network automatically configures
US20090198996A1 (en) System and method for providing cellular access points
US10880279B2 (en) Virtual broadcast of unicast data stream in secured wireless local area network
CN104661213A (en) Novel unit and user equipment for providing scheduled network resources by WiFi network
US20030138029A1 (en) Intergrated, High-performance, low-cost spread spectrum data access system and method
US20080301797A1 (en) Method for providing secure access to IMS multimedia services to residential broadband subscribers
CN101499993B (en) Authentication method, equipment and system
Tan et al. The world wide Wi-Fi: technological trends and business strategies
TW200412158A (en) A multi-platform wireless broadband network system providing authorization, authentication and accounting functions
Samhat et al. Security and AAA architecture for WiFi-WiMAX mesh network
KR20030043082A (en) How to use network between providers in wireless internet service using wireless LAN network
KR20040028090A (en) Method for providing private network service and public network service by wireless lan network
Rawat et al. wireless network Security: an overview
Leschiutta et al. Project No. 026548, ADHOCSYS Deliverable D4 Specification of detailed requirements for ad-hoc network, final version
application EnginE Smart/OS
CN104661221A (en) Extended network packet transmission wireless network access equipment calculation method

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees