阅读说明：本技术 对多个接入点的基于云的wifi网络设置 (Cloud-based WIFI network setup for multiple access points ) 是由 M.I.塔斯金 M.帕坎 I.阿卡尔 K.卡克马克 于 2018-05-11 设计创作，主要内容包括：本文公开了用于便于一个或多个新的802.11接入点(AP)的自动化配置的方法、系统和设备。云服务器可以接收与一个或多个新AP的客户账户相关联的消息。云服务器可以基于该消息关联一个或多个新AP中的第一AP。云服务器然后可以检索与第一AP相关联的公钥，该第一AP具有对等私钥。云服务器可以向与客户账户相关联的网关(GW)发送该公钥。该GW可以使用该公钥将GW凭证(诸如密码和SSID)加密成密文，然后广播该信息。当该第一AP上电时，它可以使用私钥解密密文，并使用凭证作为该网关的网络中的节点。(Methods, systems, and devices for facilitating automated configuration of one or more new 802.11 Access Points (APs) are disclosed herein. The cloud server may receive messages associated with the customer accounts of the one or more new APs. The cloud server may associate a first AP of the one or more new APs based on the message. The cloud server may then retrieve a public key associated with the first AP, the first AP having a peer-to-peer private key. The cloud server may send the public key to a Gateway (GW) associated with the customer account. The GW may encrypt GW credentials (such as a password and SSID) into a cipher text using the public key and then broadcast the information. When the first AP powers up, it may decrypt the ciphertext using the private key and use the credential as a node in the gateway's network.)

1. A cloud server for facilitating automated configuration of one or more new 802.11 Access Points (APs), the cloud server comprising:

a processor;

a communication interface operatively connected to the processor, the communication interface and processor configured to receive a message associated with a customer account with one or more new APs, associate a first AP of the one or more new APs with the customer account based on the message, and retrieve first public key information associated with the first AP; and

the communications interface and processor are further configured to transmit the first public key information to a Gateway (GW) associated with the customer account, and instruct the GW to encrypt credentials of the GW into a first cryptogram based on the first public key information, and broadcast the first cryptogram to configure a first AP when the first AP has been powered on.

2. The server of claim 1, further comprising:

the communications interface and processor configured to associate a second AP of the one or more new APs with the customer account and retrieve second public key information associated with the second AP; and

the communications interface and processor are further configured to transmit second public key information to the GW, and to instruct the GW to encrypt credentials of the GW into a second cryptogram based on the second public key information, and to cause the GW and first AP to broadcast the second cryptogram to configure a second AP when the second AP has been powered on.

3. The server of claim 1, wherein the message further includes login information for the customer account, and the communication interface and processor are further configured to authorize access to the customer account based on the login information.

4. The server of claim 1, wherein the communications interface and processor are further configured to receive WiFi diagnostics for the one or more new APs and, based on the received WiFi diagnostics, send a first recommendation to the mobile STA to move the one or more new APs to be visually displayed on the mobile STA.

5. The server of claim 4, wherein the communication interface and processor are further configured to send a second recommendation to further move the one or more new APs for visual display on the mobile STA based on receiving a second WiFi diagnosis.

6. The server of claim 4, wherein the first public key is retrieved from a database.

7. A method performed by a cloud server for facilitating automated configuration of one or more new 802.11 Access Points (APs), the method comprising:

receiving a message associated with a customer account with one or more new APs;

associating a first AP of the one or more new APs with the customer account based on the message;

retrieving first public key information associated with the first AP;

sending the first public key information to a Gateway (GW) associated with the customer account; and

instructing the GW to encrypt a credential of the GW into a first ciphertext based on the first public key information, and broadcasting the first ciphertext to configure a first AP when the first AP has been powered on.

8. The method of claim 7, further comprising:

associating a second AP of the one or more new APs with the customer account;

retrieving second public key information associated with the second AP;

sending second public key information to the GW; and

instructing the GW to encrypt a credential of the GW into a second ciphertext based on the second public key information, and instructing the GW and the first AP to broadcast the second ciphertext to configure a second AP when the second AP has been powered on.

9. The method of claim 7, wherein receiving the message further comprises login information for the customer account, and access to the customer account is authorized based on the login information.

10. The method of claim 7, further comprising:

receiving a first WiFi diagnosis for the one or more new APs; and

based on the received first WiFi diagnosis, sending a first recommendation to move the one or more new APs for visual display on the mobile STA.

11. The method of claim 10, further comprising:

receiving a second WiFi diagnosis after the first WiFi diagnosis with respect to the one or more new APs; and

sending, based on the second received WiFi diagnostics, a second recommendation to further move the one or more new APs for visual display on the mobile STA.

12. The method of claim 10, wherein the first public key is retrieved from a database.

13. A Gateway (GW) for facilitating automated configuration of one or more new 802.11 Access Points (APs) in a network of the GW, the GW comprising:

a processor; and

a communication interface operatively connected to the processor, the communication interface and processor configured to receive a first public key associated with a first AP of the one or more new APs from a cloud server, receive instructions from a cloud server to encrypt credentials of the GW into a first cryptogram using the first public key, broadcast the first cryptogram to configure the first AP when the first AP has been powered on, and register the first AP into a network of the GW once the configuration is complete.

14. The GW of claim 13, further comprising:

the communications interface and processor are further configured to receive a second public key associated with a second AP of the one or more new APs, receive instructions from the cloud server to encrypt credentials of the GW with the second public key into a second ciphertext, and broadcast the second ciphertext through the first AP to configure the second AP when the second AP has been powered on.

15. The GW of claim 13, wherein the communication interface and processor are further configured to receive a first WiFi diagnostic from a first AP to send the first WiFi diagnostic to a cloud server.

16. The GW of claim 14, wherein the communication interface and processor are further configured to receive a second WiFi diagnostic from a second AP through a first AP and to transmit the second WiFi diagnostic to a cloud server.

17. The GW of claim 13, wherein the first ciphertext is added to an application extension attribute of a WiFi Simple Configuration (WSC) Information Element (IE).

18. The GW of claim 17, wherein the application extension attribute is encoded in binary type identifier, length, and value (TLV) format.

19. The GW of claim 13, wherein the first cryptogram is transmitted using a Generic Advertisement Service (GAS) request/response and is transmitted in an 802.11u public action frame.

Technical Field

The present disclosure relates to wireless communication networks.

Background

Business or residential customers may access the internet using DSL, cable or fiber modems/gateways provided by Broadband Service Providers (BSPs). The gateway may also have an integrated wireless Access Point (AP), or there may be a separate wireless AP connected to an ethernet port of the gateway, providing internet access for WiFi devices throughout the house/premises. In large areas, the gateway may not be able to provide full WiFi coverage for the premises. In this case, the customer may complain of insufficient WiFi coverage and request the BSP to solve the problem. The BSP may suggest to the client to use one or more additional wireless APs to improve WiFi coverage. There is a need for systems, methods, and devices to assist BSPs and clients in improving and making efficient the setup and configuration of new APs.

Disclosure of Invention

Methods, systems, and devices for facilitating automated configuration of one or more new 802.11 Access Points (APs) are disclosed herein. The cloud server may receive messages associated with the customer accounts of the one or more new APs. The cloud server may associate a first AP of the one or more new APs based on the message. The cloud server may then retrieve a public key associated with the first AP, the first AP having a peer-to-peer private key. The cloud server may send the public key to a Gateway (GW) associated with the customer account. The GW may encrypt GW credentials (such as a password and SSID) into a cipher text using the public key and then broadcast the information. When the first AP has been powered up, it may decrypt the ciphertext using the private key and use the credential as a node in the network of the gateway.

Drawings

The drawings may be understood in more detail in the following description, but are not intended to limit the scope of the embodiments, but are merely exemplary in combination with the accompanying drawings, in which like reference numerals indicate like elements, and in which:

fig. 1A illustrates an example communication system in which an access point is added to a wireless network;

fig. 1B illustrates an example process for locally adding an access point to a communication system;

fig. 2A illustrates an example communication system in which an access point is added to a wireless network;

fig. 2B illustrates an example process of adding an access point to a communication system using cloud assistance;

fig. 3A illustrates an example communication system in which one or more second access points are added to a wireless network;

fig. 3B illustrates an example process of adding one or more second access points and determining an optimal physical location in a network using cloud assistance;

fig. 4A illustrates an example communication system in which an access point is added to a wireless network; and is

Fig. 4B illustrates an example process for adding an access point to a communication system using cloud assistance in an automated manner.

Detailed Description

As discussed herein, any embodiment, example, or description may be considered in connection with one or more figures and is not intended to represent an exclusive example. Furthermore, any feature of a system, method, or apparatus described in relation to one example or embodiment may be used in another example or embodiment and is not intended to be exclusive to one example or embodiment.

In some cases, it may be desirable to simplify, automate, and/or more efficiently add a new Access Point (AP) to an 802.11 wireless communication system. In particular, in one case, an enterprise or residential customer may access the internet using a DSL, cable or fiber modem/Gateway (GW) provided by a Broadband Service Provider (BSP). The GW may also have an integrated wireless AP (e.g., GW/AP), or there may be a separate wireless AP connected to the ethernet port of the GW, providing internet access for WiFi devices throughout the house/house. For large premises, the AP may not be able to provide full WiFi coverage. In this case, the customer may complain of insufficient WiFi coverage and request the BSP to solve the problem. The BSP may then suggest to the client to use one or more additional wireless APs to improve WiFi coverage. The BSP and client must then coordinate such added logic (logistics), such as adding settings and configurations of one or more new APs. Further, the new AP may form a WiFi mesh network, or the new AP may act as a range extender for an existing network. In either case, establishing such a network may be difficult for some customers.

A client may subscribe to one or more new APs from the BSP, which may reserve the new AP(s) for the client via a globally unique serial number from the warehouse inventory database. Once the new AP arrives, the client can set up and configure the new AP with the BSP. Alternatively, the BSP may be able to remotely set up and configure the AP with the assistance of the BSP's cloud resources. Alternatively, the BSP may pre-configure the existing AP so that when the new AP arrives and is powered on, the new AP may be automatically configured to the existing GW/AP without the customer going through any configuration or setup procedures.

The AP may use public key (e.g., asymmetric) encryption techniques to securely transmit network credentials to the new WiFi device/AP so that it can join the existing network. Public key-based identification of devices may be facilitated through Out-of-band (Out-of-band) techniques (e.g., QR codes). The customer may trigger the provisioning of a new device by scanning the QR code with a mobile application, or the BSP may trigger the process for a new device ordered by the customer, so that the device may automatically join the network after the customer's premises is first powered up, without the customer going through the setup process.

Fig. 1A illustrates an example communication system in which an access point is added to a wireless network. In such an example communication system, there may be an existing GW/AP101 that broadcasts wireless signals to create network 100. As discussed herein, the GW/AP may have a processor, memory, storage, etc. The GW/AP101 may connect to the internet 103 based on a service contract between the BSP and the client. The client may operate a Station (STA) 102, such as a smartphone. As discussed herein, a STA may be any wired or wireless device, such as a smartphone, laptop, personal computer, tablet, sensor, control switch, and the like. The STAs 102 may connect to the network 100 through the GW/AP101 using wired or wireless connections.

It may be desirable (such as for the reasons described above) to add a new AP111 to the network 100. The new AP111 may be assigned a public key identification, which may be revealed (exposed) via a machine-readable code, such as a QR code tag. The BSP may assign the AP111 a public key identification with an associated QR code. For example, in the device Provisioning (Provisioning) protocol of the WiFi alliance, public key (asymmetric) encryption techniques may be used without a central authority or public key infrastructure. The AP111 may have firmware that includes software that generates a pair of keys at first boot-up after the hardware is manufactured and the firmware is installed on its flash drive. The system initialization script on the AP111 may check if a key pair exists and, if not, generate a key pair.

To ensure that the identity of the device does not change throughout its lifetime, the key pair may be stored in a Write Once Read Many (WORM) data storage device. If the hardware does not support WORM, the key pair may be stored in a separate partition and access to it may be restricted to emulate similar functionality. For example, an IOCTL (Input/Output Control) system call may be used to store and read the key pair. This approach will significantly reduce the probability of accidental erasure or corruption during a firmware upgrade.

The public key can be widely spread, but the private key must be kept secret. Only the paired private key can decrypt the message encrypted with the public key. The existing credentials of network 100 may be encrypted with the public key and broadcast by GW/AP 101.

In one case, the public key can be accessed by a human operator at the place where the AP111 is manufactured, through a console of the GW/AP101 via a specific command that reads the public key out of the WORM device or a separate partition. The public key may be unique information as well as identification information, such as a serial number and/or a MAC address, and the unique information may be converted into a two-dimensional QR code, which is then printed on a label to be attached to the device. In another case, the public key and the identification information may be stored in a database for later use (i.e., to provide a new AP).

The GW/AP101 public key may also be accessed, for example, through a network (web) server on GW/AP 101. However, GW/AP101 must have obtained the IP address already in order to be able to download the public key (or QR code text and/or image) from another computer on the local network. This feature may be helpful when QR code labels are lost or damaged, and console access is not available.

Fig. 1B illustrates an example process for locally adding an access point to a communication system such as that shown in fig. 1A. As discussed, the AP111 may be assigned unique information, such as public key based identification and an associated QR code tag that may be affixed to the AP 111. The client may use the STA102 (such as a smartphone) with a rich user interface to set up the AP 111. Home network management may be performed using a dedicated mobile application on the STA 102. The customer can configure his/her network using this application and can also log into his/her cloud server account. The application can also have the function of an embedded QR code scanner or other out-of-band functions and is used for opening new equipment.

After the customer receives the new device (e.g., AP 111), he or she simply scans the QR code on the device with the mobile application on the STA102 at 151. At 152, the application extracts the public key of the new device from the QR code and sends it to GW/AP 101.

In one case, when the STA102 connects to the WiFi network 100 of the GW/AP101 via, for example, a WiFi Protected access II (WPA 2) personal security protocol, the STA102 may send the public key contained in the body of the request message to the network server on the GW/AP101 using the HTTP POST request method. A Common Gateway Interface (CGI) script on GW/AP101 may receive the public key of new AP 111. GW/AP101 may then encrypt its network credentials (e.g., SSID, password, security protocol) with the public key of new AP 111. GW/AP101 may then add the ciphertext to the application extension attribute of the WiFi Simple Configuration (WSC) Information Element (IE) of its beacon (beacon) and probe response (probe response). This information may be encoded in a binary type identifier, length, and value (TLV) format. The particular 16 byte UUID of the application extension attribute identifies that the following data is the ciphertext of the network credential.

At 153, GW/AP101 may encrypt the credentials of network 100 using the public key and broadcast the resulting ciphertext. When the new AP111 is turned on, it may start in STA mode and scan all available channels at 154. In this STA mode, the new AP111 may perform both passive and active scanning by processing the received beacons in each channel and also sending probe requests, and then processing the received probe responses. In addition, new AP111 may look for WSC IEs and when it finds a WSC IE, it looks for an application extension attribute with a specific 16-byte UUID that identifies the credential cryptogram for the new device to open. When the new AP111 finds the data, it may try to decrypt the ciphertext with its own private key. If successful and the decrypted plaintext is in the correct format, the new AP111 can connect to GW/AP101 with these credentials.

If the new AP111 is configured as a range extender, it may enable its AP functionality and begin accepting connections from stations in the network 100. If the new AP111 is configured as a mesh node, it can now establish a Wireless Distribution System (WDS) link between itself and GW/AP 101. In either case, the new AP111 becomes another AP in the network 100 and may provide wider and improved WiFi coverage for the network 100 through the broadcast WiFi network 110. This can be seen as a local opening of configuration information by completing the new AP registration process without using resources outside the network.

Even if no cloud connection is required, the methods of fig. 1A and 1B may be integrated with centralized remote management of the customer's network 100 and may also provide another layer of security if the STAs 102 are required to log into the customer's cloud account during the addition process of the AP111, since anyone connected to the local network may send an HTTP POST request to the network server of the GW/AP101 if no STAs 102 are required to log in.

Fig. 2A illustrates an example communication system in which access points are added to a wireless network using cloud assistance. Cloud assistance may allow for a more efficient and/or improved AP addition process. There may be a GW/AP201 that creates the network 200. STA202 may connect to WiFi of network 200. There may also be an authentication service 205 and a remote management service 204 which may be accessed through the GW/AP201 over the internet connection 203. The remote management service 204 may be reachable via a Uniform Resource Locator (URL). The authentication service 205 may authenticate the customer account and store the network 200 information under the user's account. The authentication service 205 may also accept new AP addition requests from management applications on the STA202 and approve or deny these requests. In some implementations, the authentication service 205 can employ or consult another security service or database for authentication. The authentication service 205 may inform the remote management service 204 which APs are authenticated as being included in the network 200. The remote management service 204 may be responsible for communicating with APs to set their WiFi credentials, providing instructions to APs to connect to each other, collecting WiFi diagnostic data, and/or providing positioning data for AP placement.

The example shown in fig. 2A is similar to fig. 1A in that a new AP211 needs to be added to extend or add to the network 200, however, cloud assistance may be used rather than local means to facilitate the addition. As discussed herein, the remote management service (e.g., 204) may run on one or more cloud servers connected to the internet (e.g., 203). The authentication service (e.g., 205) may run on the same or a remote cloud server as the remote management service (e.g., 204). The cloud server may be one or more networked computers having one or more processors, memory, storage, and a communication interface.

Fig. 2B illustrates a more detailed example process of adding an access point to a communication system using cloud assistance. In this example, an AP (such as GW/AP201 or AP 211) may be configured with a generic and unique MAC address or serial number and a configuration PIN embedded into the AP during manufacture. Both identifiers may be displayed externally, such as by a QR code, barcode, or printed text on the AP, so that they are easily accessible. The new AP211 may factory default to turning off its WiFi services and store the URL of the remote management service 204 internally.

At 251, adding the new AP211 may begin with the user 206 providing credentials (such as a pre-arranged username/password) to a management application on the STA 202. At 252, the user login may be sent to the authentication service 205 and use the pre-arranged credentials. The management application on STA202 may also require a username/password. At 253, the authentication service 205 can generate a User Identification (UID).

At 254, the user 206 may identify a new AP211 to be added to the network 200. This may be done at 255 by the user 206 using a management application on the STA202 to scan a QR code on the AP211 that has encoded unique information of the AP211, such as the MAC address/serial number (MAC1) and personal identification number (PIN1) of the AP 211. This manner of scanning the QR code, or similar means discussed herein, ensures physical proximity with the new AP211, indicating that the user 206 is physically proximate, thereby preventing malicious or benign attempts to identify and configure other devices. After collecting the unique information, at 256, the management application on the STA202 may send the identifier of the AP211 and the PIN (UID, MAC1, PIN1) to the authentication service 205 running on the cloud server over a secure internet link.

At 257, the authentication service 205 associates the incoming AP211 identifier and PIN information in the database with the previously sent user 206 login information. It creates a random Network Identifier (NID) for network 200 under the information of user 206, associates AP211 with the NID, and stores it permanently. After this is successful, the authentication service 205 notifies the remote management service 204 at 258: the AP211 is now authenticated for accepting messages from it and further management.

At 259, when AP211 identification is complete, a success indicator is applied to management on STA 202. The user 206 is then instructed to connect the first AP211 to the GW/AP201 providing the connection to the internet 203 using a wired connection (e.g., ethernet or MOCA) and then to power up the AP 211. At 261, AP211 does not allow any WiFi client device association requests because its WiFi is not yet configured. AP211 receives the IP address from GW/AP201 and can connect without any configuration because it is connected over a wired connection because WiFi is disabled by default. At 262, the AP211 sends a message to the remote management service 204 indicating that it has started and is running and is waiting for configuration. The remote management service 204 only accepts messages from previously authenticated APs. Since the AP211 has been previously authenticated, the remote management service 204 accepts the message and sends a message to the AP211 to start sending WiFi data at 263. Upon receiving the message at 264, the AP211 begins sending WiFi diagnostic data to the remote management service 204.

At 265, the user 206 may now enter a new WiFi SSID and credentials for the new WiFi network 210 via the management application on the STA 202. Depending on the reason for adding the AP211 (e.g., extending coverage using repeater APs), these credentials may be completely new or the same as the credentials from the network 200. The user 206 enters the new credentials into the management application on the STA202, which in turn sends them to the remote management service 204 at 266. The remote management service 204 then sends the new credentials to the AP211 to take effect at 267. The AP211 acquires the new WiFi credentials and changes its configuration accordingly. At 268, AP211 begins to beacon with the new SSID and to authenticate incoming client requests with the new credentials.

In one case, at 269, the management application running on STA202 attempts to connect to the new WiFi network 210 using the new credentials. Once the new credentials are validated on AP211, STA202 can associate to AP211 with the new credentials and connect to network 210.

In an alternative procedure based on the example of fig. 2A and similar to the procedure of fig. 2B, an AP211 may be added to the network 200. However, the STA202 may scan and send the public key of the new AP211 to a cloud server (e.g., the remote management service 204) through the authentication service 205. The customer's STA202 may connect to the cloud server via the internet through a mobile phone network (not shown) or an existing WiFi network 200. The cloud server may then respond to the GW/AP201 with this public key as a parameter of a custom command (such as "AddNewNode") through its internet connection (e.g., via for TR-069 and XMPP). GW/AP201 may proceed to transmit ciphertext, which AP211 may decode and may be configured similar to the examples discussed herein in relation to fig. 1A and 1B.

Fig. 3A illustrates an example communication system in which multiple access points are added to a wireless network. As in fig. 2A, a new AP311 may be added to the network 300 of GW/AP 301 connected to the internet 303. Once the new AP311 is added, it may provide coverage to any client devices that may be associated with the new credentials through the WiFi network 310. To extend WiFi coverage, a customer may add another new AP312 to generate WiFi network 320, add another new AP313 to generate WiFi network 330, and so on until the customer's goal is achieved (e.g., full coverage of the house).

Fig. 3B illustrates an example process of adding one or more second access points and determining an optimal physical location in a network using cloud assistance. To add a second new AP312 to network 300, user 306 may first be instructed via a management application on STA302 to place AP312 in proximity to AP 311. Similar to the example of fig. 2B, user 306 may undergo an AP addition process similar to adding AP 211. At 354, user 306 may identify the additional AP (i.e., AP 312) by entering unique information about the AP at 355 (e.g., with a QR code, manually, etc.). After the input is collected, the management application on the STA302 may send unique information including the MAC address/serial number and PIN to the authentication service 305 over a secure internet link.

When the authentication service 305 receives the information of the new AP312, it may associate the information with the user 306 through a login session from the management application on the STA 302. In some cases, the session may periodically require the user to re-enter login credentials for security reasons. Once user 306 is identified, authentication service 305 determines that user 306 already has a network id (nid), indicating that there is already a network 300 for the user and that AP312 should be added to network 300, at 356. At 357, the authentication service 305 permanently stores the information for the new AP312 under the same NID. At 358, the authentication service 305 notifies the remote management service 304 to: this new AP312 is now authenticated for accepting messages and further management.

The authentication service 305 may then notify the management application on the STA302 of: the addition of the AP312 is successful. At 360, the user 306 is given a success indicator of the completion of the new AP312 identification by the management application on the STA 302. User 306 may then power up the new AP312 at 361. Once AP312 powers up, it waits for a WiFi Protected Start (WPS) transaction from another access point (i.e., AP311) to admit it to WiFi network 310. However, it does not allow any WiFi client device association request because its WiFi is not yet configured.

Meanwhile, at 362, the authentication service 305 tells the remote management service 304 to: AP312 needs to connect to the existing WiFi network 310 broadcast by AP 311. At 363, remote management service 304 may send a message to AP311 including the MAC address and PIN of AP312 indicating that AP311 should connect to AP312 using the WPS PIN method using the PIN of AP 312. Upon receiving the message, at 364, AP311 may begin a WPS PIN transaction to AP312 using the PIN of AP 312. Upon successful completion of the WPS PIN transaction, at 365, AP312 may receive the same WiFi credentials as AP311, join WiFi network 310, receive an IP address from the gateway, and be able to connect to the internet. It may also start broadcasting a new or same SSID and create a WiFi network 320 and start accepting authentication requests from any WiFi client devices. At 366, the AP312 sends an UP message to the remote management service 304 indicating that it has started and is running. Remote management service 304 only accepts messages from previously authenticated APs. Since the AP312 has been previously authenticated, the remote management service 304 accepts the message and sends a message to the AP312 to begin transmitting WiFi data at 367. Upon receiving the message, the AP begins sending WiFi diagnostic data to the remote management service at 368.

At this point, AP311 and AP312 may be in the same network, communicating, and providing internet access to any WiFi client device that may be associated using WiFi credentials set by user 306 through a management application on STA 302. The user 306 may now move the AP312 to obtain the best performance from the WiFi network. Based on the WiFi diagnostics provided by both AP311 and AP312, the remote management service may determine feedback regarding how AP312 should be repositioned relative to AP 311. At 368, the feedback is sent as a message to the management application of STA302, and the application provides visual guidance to user 306 to reposition AP 312. As the user 306 follows the instructions and relocates the AP312, the remote management service 304 continues to process the incoming WiFi diagnostic data to refine the location decision and provides continuous feedback at 369 to the management application on the STA302, which in turn provides feedback to the user 306 at 370.

The same approach described above can be used if the user wants to add more APs to the network to extend coverage. User 306 may be instructed to place new AP313 near AP311, where user 306 identifies new AP313 by entering the code of new AP313 through the management application on STA 302. The new AP313 may be authenticated by the authentication service 305 and the remote management service 304 may request the AP311 to use the WPS PIN method using the PIN of the AP313 to add the AP313 to the network. Finally, at 370, user 206 may use positioning feedback received from the management application on STA302 to reposition AP 313. Using the techniques described herein, any number of new APs may be added to the network.

In an alternative process based on the example of fig. 3A and similar to the process of fig. 3B, an AP312 may be added to the network 300. However, STA302 may scan and send the public key of new AP312 to a cloud server (e.g., remote management service 304) through authentication service 305. The customer's STA302 may connect to the cloud server via the internet through a mobile phone network (not shown) or an existing WiFi network 310. The cloud server may then respond to the GW/AP201 with this public key as a parameter of a custom command (such as "AddNewNode") through its internet connection (e.g., via for TR-069 and XMPP). GW/AP 301 may proceed to transmit the ciphertext and AP312 may decode it and may be configured similar to the examples discussed herein in relation to fig. 1A and 1B. Alternatively/additionally, AP312 may receive ciphertext from AP 311.

For the example in fig. 2A-3B, a new AP may be added as a mesh node or range extender. In either case, the customer may trigger the provisioning process by scanning the QR code on the new AP using a dedicated application on his or her mobile device. While this process is very straightforward and simplified by using the rich user experience provided by mobile devices, it can be further automated by eliminating customer involvement altogether.

Fig. 4A illustrates an example communication system in which an access point is added to a wireless network. There may be a GW/AP401 with network 400 (wired and/or wireless) and a new AP411 may be added using one or a combination of the techniques described herein. GW/AP401 may be connected to cloud server 407 through internet 403. The cloud server may be connected to a database 408 that stores public key information.

Fig. 4B illustrates an example process of adding an access point to a communication system using cloud assistance. At 451, the public key information of the AP411 may be stored in the database 408. At 452, the customer may contact the BSP and subscribe to the new WiFi AP 411. At 453, the BSP may process the order for the customer account using the cloud server. Alternatively, the BSP may process the order using a separate inventory management and order processing system. The cloud server may reserve AP411 to the customer's account and mark a serial number and/or MAC address identifying the new AP to be shipped. The cloud server may then access a database with public key information based on the information about AP411 marked in the order at 545. The database 408 may be a local database of a cloud server or a remote database.

At 455, since the cloud server knows which particular AP411 is to be shipped to the customer, it can send the public key to GW/AP401 over internet connection 403 as a parameter of the custom command "AddNewNode" based on which GW/AP401 is associated with the customer's account.

GW/AP401 may then encrypt its network credentials and place the resulting ciphertext in the application extension attribute of its WSC IE at 456. At 457, once AP411 arrives and turns on, AP411 may decrypt the ciphertext and configure, similar to other processes discussed herein. However, if a new AP411 is shipped to a customer, it may take one or more days to arrive, and unnecessarily increasing the length of beacons and probe responses during this period may waste valuable airtime (airtime). In one approach, the credential cryptogram may not be included in every beacon, but may be inserted in every nth beacon (e.g., every 10 th beacon). The period can be adjusted to strike a balance between airtime savings and setup delays introduced when a new AP arrives and powers up (due to having to wait longer for the next beacon with ciphertext and the increased probability of losing a beacon with ciphertext when scanning all available channels).

In another approach, the ciphertext may be included only in the WSC IE of the probe response and then only when GW/AP401 receives the probe request from the MAC address of new AP 411. In one embodiment, the MAC address may be transmitted with the order, or may be included as identifying information in the QR code for embodiments where the mobile STA triggers a new AP. While this approach does have benefits, in some cases, it may not always be possible to configure a customized probe request due to limitations of the wireless device driver.

As discussed herein, to simultaneously turn on multiple APs, the cryptogram for each new device may be added to the beacon WSC IE together, or up to a predetermined number of cryptograms may be added to each beacon in a round-robin manner to save airtime. Further, for probe responses, the GW/AP may respond with only one ciphertext of the application extension attribute of the WSC IE that corresponds to the public key of the new AP that sent the probe request.

The strength of a public key encryption system may depend on the computational infeasibility of determining a properly generated private key from its corresponding public key. Common public key Cryptography systems may be Rivest-Shamir-adleman (rsa) and Elliptic-Curve Cryptography (ECC). For RSA, one recommended key size may be at least 2048 bits. For ECC, a 256-bit length key may achieve a similar level of encryption strength. The resulting QR code of the ECC key may be less dense and therefore more easily read by mobile scanner applications, because the smaller key size means that less information must be encoded into the QR code.

The amount of information that may be encrypted with asymmetric encryption may be limited and may be a very small amount of information. If the size of the network credential is above this limit, it may be necessary to use symmetric encryption (e.g., AES) to encrypt the credential with a randomly generated key, then encrypt the random AES key with the new AP's public key, and include two ciphertexts in the WSC IE so that the new AP can first decrypt the random AES key with its private key and then decrypt the credential with the AES key.

Although multiple WSC IEs may be sent in a WiFi frame, in some cases there may be wireless driver limitations that do not enable this feature. In this case, it may be helpful to use the public action frame defined in 802.11u when the WiFi client and AP are in an unauthenticated and unassociated state. Frame exchange procedures generic advertisement Protocol (GAS) requests/responses and the frame format (802.11 action frames) provided by the GAS for the advertisement service may be used for transmission of the cipher text from the GW/AP to the new AP.

While a QR code is discussed in the embodiments and examples herein, this is not intended to limit the present disclosure, and this is merely one possible out-of-band method for initiating secure opening of a new AP. Other technologies such as Near Field Communication (NFC), Bluetooth Low Energy (BLE), and other technologies from WiFi alliance device provisioning protocols may be used as out-of-band methods for securely provisioning a new AP. Thus, displaying the public key by the QR code may be extended to transmitting the public key via NFC or BLE.

Although features and elements are described above in particular combinations, one of ordinary skill in the art will appreciate that each feature or element can be used alone or in any combination with other features and elements. Furthermore, the methods described herein may be implemented in a computer program, software, or firmware incorporated in a computer-readable medium for execution by a computer or processor. Examples of computer readable media include electronic signals (transmitted over a wired or wireless connection) and computer readable storage media. Examples of computer readable storage media include, but are not limited to, Read Only Memory (ROM), Random Access Memory (RAM), registers, cache memory, semiconductor memory devices, magnetic media such as internal hard disks and removable disks, magneto-optical media, and optical media such as CD-ROM disks and Digital Versatile Disks (DVDs). A processor associated with software may be used to implement a communication interface for use in a GW, STA, AP, terminal, base station, RNC, or any host computer.