User and Location Management System for Wireless

Networks

Andrei Oliveira da Silva

, Daniel Waldman

, Paulo Henrique de Souza Schneider

Fabricio D’Avila Cabral

, Ana Cristina Benso da Silva

, and Jo

ao Batista de Oliveira

CPSE - Research Center on Embedded Software

†

Av. Ipiranga, 6681 - Building 30 - Block 4 - Room 242,

90619-900 Porto Alegre, Brazil

Abstract. This work presents a wireless user low-grain position management

system (up to 5 meters) for Wi-Fi networks. The location system is based on

access point identiﬁcation, where the user’s device is associated, through the

events generated by the access point. In this context, the access point is a sta-

tion managed with SNMP. Hence, the system receives information from other

SNMP agents that interact with the wireless user authentication system to pro-

vide information about users, at what time the client uses to get in the network,

among others. These information will be to reﬁne the management system for

users and resources.

1 INTRODUCTION

Wireless networks have been used in different enterprises and projects to provide In-

ternet access and ubiquitous computing environments [8]. Examples of such projects

are Carnegie Mellon University’s AURA project [8], Massachusetts Institute of Tecnol-

ogy’s Oxygen [7], Hewlett-Packard’s Cooltown [3] and IBM’s ContextSphere [1].

The management of pervasive computing environments is an important task because

of its dynamic nature. In this context, users handle mobile devices and services must be

offered in a plug-and-play fashion. In these environments the monitoring and manage-

ment of users and resources are vital for the network use and its security. The monitoring

of user behavior offers many possibilities at system control and service personalization

levels, which are provided by the environment. An example of such scenario is the

knowledge of the user’s movement through the network, where it is possible to predict

his future location based on this information. This kind of data can be used in many

scenarios, from security to CRM (Costumer Relationship Management) applications.

This work presents a user management system for Wi-Fi networks operating in in-

frastructure mode. The system uses an authentication system and SNMP (Simple Net-

work Management Protocol), respectively validating users in the network and gathering

†

Supported

by the Hewlett-Packard Brazil/ PUCRS (Pontif

ıcia Universidade Cat

olica do Rio

Grande do Sul).

‡

The authors are with CPSE (Centro de Pesquisa em Software Embarcado).

The authors are with Faculdade de Inform

atica, PUCRS.

Oliveira da Silva A., Waldman D., Henrique de Souza Schneider P., D’Avila Cabral F., Cristina Benso da Silva A. and Batista de Oliveira J. (2004).

An User and Location Management System for Wireless Networks.

In Proceedings of the 1st International Workshop on Ubiquitous Computing, pages 160-169

DOI: 10.5220/0002666301600169

 SciTePress

information about them, where its goal is to discover the user location using the identi-

ﬁcation of the access point which user’s device is associated. Through this system, it is

possible to discover the estimated position of a user, based in the access point coverage

area, which can be a range of 5 or 10 meter depending on the device model.

This paper is organized using the following structure: Section 2 shows the related

works; Section 3 shows the authentication system [11] that were used and extended to

support SNMP operations; Section 4 describes the location management system, the

developed MIB and SNMP agents; Section 5 shows a study case and the Section 6

presents the conclusions and future works.

2 RELATED WORKS

According to [8] location management and context awareness are challenges for the

mobility area. Amongst the related projects there is Cricket, part of MIT’s Oxygen

project [7]. This project uses devices, called beacons, that combine radio frequency

and ultra-sound signals to determine the location of devices and applications. Cricket

is focused on the user’s physical location and provides a reasonable precision inside

environments. Beacons can estimate the user’s position based on its signal strength,

identifying user’s position and movement.

Another related project is Cooltown [3], based in an web services architecture and

service location protocols, such as UPnP (Universal Plug’n’Play), which allows the user

to remotely access a service through an URL. This project also uses beacons, but they

are not used to determine the device’s location. These devices are used to divulge a ser-

vice URL. It is also a possibility the use of GPS (Global Positioning System) as a mean

to provide the precise user location in open areas. Kindberg [3] also presents a rather

different perspective from Cricket. Cooltown project describes the use of web services

to provide applications in wide environments, such as a city. This work’s described

system is being initially developed for restricted environments, such as a museum or a

smart room.

The work presented in this paper focus on extracting user’s logical position, iden-

tifying which access point the user is connected and extracting information about his

movement in the system. A log is maintained when the user enters and exit from the

network, how much time he spent online, among other information. Through this in-

formation, it is possible to determine the user’s physical location, based on the access

point’s position. The described system is being initially developed for restricted envi-

ronments, such as a museum or a smart room.

2.1 Motivation

Location sensitivity is an important feature in an ubiquitous environment. A set of ser-

vices can be created and deployed within this context, such as real time marketing and

load balance systems. This feature can be explored by two different approaches: physi-

cally, which is aided through special hardware devices, and logically, which uses access

point where the device is connected to estimate his position.

161

Physical positioning is more precise, compared to the logical approach, since it can

predict the user location with few meters, or even centimeters, of error rate. A disad-

vantage of this method is that it is necessary to build speciﬁc hardware and protocols to

manage the positioning, such as on GPS systems.

Logical position management deals with a broader range of user location, usually

predicting its position in a range of 10 meters from the access point. A few methods

can be applied for the access point triangulation, where the signal strength between the

device and the nearby access points are measured and mapped in a database.

Another approach using access points is the use of SNMP information provided by

these devices. The location prediction might not be as precise as the previous methods,

since it is based in a database mapped information and positioning relative to the access

point. On the other hand, it is not necessary to build speciﬁc hardware and it also allows

to use public standards, such as SNMP messages. Thus, the logical position manage-

ment can be more feasible, considering development and scalability. It is cheaper to

develop software, since devices do not need to have a new hardware attached, making

this system more extensible.

3 AUTHENTICATION SYSTEM

Whole system was built over an authentication system [11], and some components had

to be adapted and others created to support the user and location management. This sys-

tem protects services from unauthenticated users, in a similar fashion to NoCat [5]. All

events are transmitted through SNMP messages and a few agents and managers were

built to manage users in the network and to gather information about their behavior. The

authentication system’s components are presented in Figure 1:

DHCP

Service

Authentication

Server

Directory

Server

Firewall

Wireless

Station

Fig.2. User authentication

The device disassociation and user deauthentication will be better explained in an

upcoming section, dealing with this system integration with the management features.

163

4 USER MANAGEMENT AND LOCATION SENSITIVITY

The previously described system proposed a mechanism to allow only authorized users

to access the network and make use of its services. However, it’s possible to aggre-

gate other functionalities and information to this architecture within the authentication

process.

Therefore, the management system presented in this work is based on user access

control and user location sensitivity. Its main goals are to:

– Identify user permissions;

– Apply restriction policies;

– Service allocation policies (e.g. services which are physically closer to the user);

– Provide environment personalization;

– Allow resource allocation management.

The management of the user access control is based on the previously presented

authentication system. In order to accomplish its goals, SNMP agents [6] and propri-

etary mechanisms were employed for the information gathering process in entities and

processes related to the authentication procedure.

The location sensitivity management is accomplished through the periodic monitor-

ing of the user movement in a Wi-Fi network, conﬁgured in infrastructure mode. Access

points who have embedded SNMP agents and send association/desassociation SNMP

traps can be used to monitor device’s behavior. Therefore, if a device is associated with

an access point it is certain that he is in the access point’s range, which is usually 10

meters. This information can be used to identify the user’s estimated position, related

to the physical location of the access point.

Besides the management systems described above, the system generated events are

stored in a MIB, where they can be easily accessed and updated through SNMP re-

quests (get or set). This section will explore the implementation of a user management

system based on the access point coverage range, as well as present the base of gath-

ered information and the steps taken to integrate this management with the previous

authentication system.

4.1 User’s MIB

The authentication system provides a collection of user information, such as username,

device’s IP and MAC address, access point which the user is associated, for example.

Combining these features with traps sent by the access point’s embedded SNMP agents,

it is possible to capture the time when the user enters and leaves the network and series

of information that can help in determining the user proﬁle, such as places where he

usually goes, how long does he stay in a given place and so on. These information are

described in a MIB whose attributes are updated whenever a system event occurs. Table

1 presents how this base was modelled.

In order to implement a MIB for user management a Net-SNMP agent [4] was used,

which make it possible to create and support a new repository path. This modiﬁed agent

handles MIB requests, updating and recovering information provided by the authenti-

cation system.

164

Index Information Use Provided by

1 Device’s MAC ad-

dress

Identify the device being used in the

network

Association traps to the ac-

cess point

2 Device’s IP address Identify the IP address associated

with the device, and can be used to

detect network intrusions

DHCP

3 Username The user making use of the network Authentication server

4 Access point’s IP

address

Determine in which access point the

device is associated, making possible

to estimate the device location

Association traps to the ac-

cess point

5 Deauthentication

mode

Determine how a user was deauthen-

ticated.

DHCP or disassociation

traps for the access point

6 Device’s entry time Indicate when the device entered the

network

Association traps to the ac-

cess point

7 Device’s exit time Indicate when a device left the net-

work

DHCP or disassociation

traps for the access point

Table 1. User’s Management MIB

4.2 Authentication system integration

The extension of a Net-SNMP agent can be done through scripts referenced by the

conﬁguration ﬁles. Therefore, in order to integrate the authentication system with the

user management, a SNMP agent was devised to receive system information.

The access point was conﬁgured to send association/desassociation traps to the au-

thentication server, which will update these information to the SNMP agent. This be-

havior is executed every time a new event occurs.

Some original authentication system components had to be modiﬁed for the integra-

tion of the location sensitivity management, and a few had to be created. The following

items enumerate the required modiﬁcation:

– Modify the authentication server in order for it to act as an agent (receiving infor-

mation from other agents/managers, such as traps from access points) and to update

the MIB, as shown in Table 1;

– Event handling by the authentication server, such as dealing with association/disassociation

traps;

– Creation of a SNMP agent, with an implemented MIB 1, which stores events in a

database 2.

In the following sections, the events generated by the system integration will be

studied, exploring its purposes and motivations.

Device association When a device is associated in the access point, the access point’s

embedded SNMP agent will send a trap message, indicating this association to the

authentication server, as can be seen in Figure 3. This event is sent to the agent, which

combines this information in a database containing the previously stored events.

165

The events and messages generated by this association are the following, in chrono-

logical order:

1. When entering the access point range a trap message is sent to the authentication

server, containing the device’s MAC and IP addresses and access point’s IP address

which is associated with this device;

2. It is veriﬁed if a user is transiting between networks or if he is reassociating in

the same network, depending on disassociation events. In both cases, the transition

time between networks is calculated. If this time is higher then the deﬁned timeout,

the user must reauthenticate itself as it is the ﬁrst time it gets in the network;

3. If it’s a new user, DHCP must return a valid IP address, binding it to the device’s

MAC address, and must authenticate itself in the network;

Device disassociation When the access point’s SNMP agent detects a device which

left his access range, as seen in Figure 3, it generates a SNMP trap indicating the disas-

sociation of this device. The trap message will carry information such as MAC and IP

address of the device. When the SNMP agent receives this message, it will update the

database with this event. When the device returns to the network the timeout between

events is calculated, thus blocking the ﬁrewall for the device or not. This block is based

on the device’s MAC address, in order to avoid unwanted accesses by other devices

who might try to use the same IP address.

Wireless

access point

Wireless

station

Authentication

Server

Association/

Desassociation

trap

Temporal

Database

Log event

SNMP

agent

SNMP set

Fig.3. Device (des)association

Device turned off The action of turning off a device does not represent an disassocia-

tion for the access point’s SNMP agent. In order to avoid a scenario where another user

makes use of the same device, thus inheriting the access privileges of the previous user,

the ﬁrewall rules must be conﬁgured based on the device’s MAC address. Therefore,

when a device, which was turned off, retries to associate in the network, all its rules

will be blocked by the ﬁrewall. The same case happens when tries to enter the net-

work with a fake IP address, since the ﬁrewall rules are conﬁgured based on the MAC

address, forcing the authentication process.

166

Data storage A desirable feature in managements system is the user and network

statistics processing. To make it easier in identifying the user behavior, an event registry

was built based on the agent’s integration with a database. The updated information is

recovered in the user management MIB through database queries sent by the SNMP

agent. This process is done using scripts that handle communication with the MIB, and

store the information on a temporal database [10].

Device’s MAC

address

Device’s IP

address

Username Access Point IP

address

Deauthentication

mode

Entry

time

Exit

time

MAC1 IPDEV1 Claudia IPAP1 DHCP 15:30 15:35

MAC1 IPDEV2 Eugenio IPAP1 TRAP 15:35 15:37

MAC1 IPDEV2 Eugenio IPAP2 TRAP 15:37 NULL

Table 2. Temporal database example

The database registers the event occurrences, such as an user authentication and

the start and end time for this event. Table 2 exempliﬁes this scenario. In the ﬁrst en-

try, Claudia is deauthenticated through the DHCP lease. Afterward, Eugenio, using the

same device, associates itself in an access point I P AP 1 and, minutes later, changes it

to access point IP AP 2.

This process is executed for all information contained in the MIB, where new up-

dates are recovered every time a request is made.

5 CASE STUDY

A simple model that exemplify the use of the presented system is a university campus

or an ofﬁce building, where the scenario focuses on an user who wants to print a doc-

ument in the nearest color printer. When this user access the network, his device will

be associated with an access point and will be authenticated through the authentication

server.

The access points and printers have their physical position and descriptions mapped

in a database. Matching the user’s position with the printer’s description and location it

is possible to send a printer job to the nearest printer through a web service [9].

Moreover, the events generated by the system can determine which places are being

frequently visited by a given user, thus allowing resource allocation based on his move-

ment patterns. It is possible to imagine the implementation of this system in a mall or

super market, where the clients can receive announcements through their PDA based

on the their most visited places or favorite products.

When the user access the network, his device is associated with one access point

that sends a trap to the authentication server indicating the MAC address of the user’s

device. This event updates the user management MIB with the MAC address of the

user’s device and the access point’s IP address. Thus, the user goes to the authentication

step, where the authentication server updates the MIB with the device’s user name and

IP address.

167

A disassociation trap indicates that the user has left the access point’s range. It

indicates that the user is moving, thus when the device reassociates with another access

point a new trap is sent to the authentication server, which updates the MIB. All these

events are stored in a temporal database and they can be analyzed in the search for

movement patterns in order to place services for the user.

Authentication

Server

Printer 1

Printer 2

Access

Point 2

Access

Point 1

Wireless

station 1

Wireless

station 2

SNMP

Agent

Temporal

Database

MIB Requests

SNMP set/get

Association

trap

Association

trap

Fig.4. Case study

Figure 4 presents the events in an environment with two access points. The system

would redirect the printer job of Station 1 to the nearest printer, based in the location

information mapped in the database. If the station enters the range of the Access Point

2, a trap will be generated to the authentication server indicating that Station 1 has left

Access Point 1 and its printer jobs must be sent to Printer 2, since it is closer to (Access

Point 2).

Trough the analysis of the temporal database events, it is possible to determine the

behavior of each user on every week’s day, thus offering discounts in printer jobs and

placing more services inside the most used network printers.

6 FINAL CONSIDERATIONS

The system presented in this work allows the management of the user’s access control,

the network access and its resources and services, as well as being able to identify the

approximate position of users and devices in a wireless environment. The integration of

these proposals will allow, in the future, the creation of an integrated user management

168

environment, based on locations, in order to personalize and manage the use of services

in a ubiquitous environments.

The collected information can be used to create models that allow the prediction of

environment needs, as well as to model user proﬁles. But it depends on the speciﬁca-

tion of the access point, if it supports association/desassociation traps, what can be an

disadvantage of the proposed system.

This work must still be validated in a real environment, with more users access-

ing the network and its services. Based on these results, it will be possible to better

validate the system. However, it’s necessary, foremost, to aggregate security into the

authentication system, through the use of SNMPv3.

The future work is focused in integrating this system with sensor devices (such as

beacons) in order to obtain a precise information about the user and device location,

thus allowing to upgrade the management process.

References

1. Bisdikian, C., Christensen, J., Ebling, M. R., Hunt, G., Jerome, W., Lei, H., Maes, S., Sow,

D.: Enabling location-based applications. First international workshop on Mobile commerce,

Rome, Italy (2001)

2. Congdon, P., Aboba, B., Smith, A., Zorn, G., Roese, J.: Ieee 802.1x remote authentication

dial in user service (radius). RFC 3580. (2003)

3. Kindberg, T., Barton, J., Morgan, J., Becker, G., Caswell, D., Debaty, P., Gopal, G., Frid, M.,

Krishnan, V., Morris, H., Schettino, J., Serra, B., Spasojevic, M.: People, places, things: Web

presence for the real world. Mobile Networks and Applications, 7. (2002)

4. NET-SNMP: The NET-SNMP home project. http://www.netsnmp.com (2003)

5. NoCatNet: NoCat. http://www.nocat.net (2003)

6. Perkins, D., McGinnis, E: Understanding SNMP MIBs. 1st edition. Prentice-Hall, Upper

Saddle River, New Jersey (1997)

7. Priyantha, N. B., Chakraborty, A., Balakrishnan, H.: The cricket location-support system.

Proc. of the Sixth Annual ACM International Conference on Mobile Computing and Net-

working (MOBICOM), Boston, United States. (2000)

8. Satyanarayanan, M. (ed.): Pervasive computing: Vision and challenges.. IEEE Personal

Communications, August. (2001)

9. Silva, A. O., Meneguzzi, F. R., Schneider, P. H. S., Barcelos, R. B., Rodrigues, V. O., Wald-

man, D., Silva, A. C. B.): Providing printing web services. Fifth IEEE InternationalWorkshop

on Networked Appliances, Liverpool, England. (2002)

10. Simonetto, E. O., Ruiz, D. D. A: Temptool: A tool for temporal data modelling in: Advances

in databases and information systems. 5th East-European Conference ADBIS’2001 Profes-

sional Communications, Vilnius, Lituania (2001)

11. Waldman, D., Silva, A. O., and Silva, A. C. B.: An extensible authentication architecture for

wireless networks. VIII Simp

osio de Inform

atica, Uruguaiana, Brazil (1995)

169