
ARUBA NETWORKS, INC.

ARUBA NETWORKS, INC. Patent applications
Application number: 20120020344
Title: WIRELESS MACRO CELL OVERLAY
Published: 01-26-2012
Abstract: Overlaying a Wireless Macro Cell architecture on a Micro Cell network. WLAN MAC Address Translation (WMAT) is used to translate BSSIDs between the BSSID used to initialize a radio in an access node and identify communications between the radio in the access node and a controller, and the BSSID used over the air for Macro Cell operation. WMAT is used for transmit operations, translating the BSSID of outgoing packets to the Macro Cell BSSID prior to wireless transmission. On the receive side, packets undergo WMAT and transmission to the controller if the STN MAC address of the sender is in an ACK table associated with the radio, or the packet is one of a predetermined type. The ACK table is managed by transmit operations, and by control commands from the controller.

Application number: 20110029771
Title: Enrollment Agent for Automated Certificate Enrollment
Published: 02-03-2011
Abstract: Automated generation of certificates from a Certificate Authority through the use of an Enrollment Agent. Devices needing certificates generate the necessary keys and package public key information with other identifying information about the device and send this information to an Enrollment Agent. The Enrollment Agent takes this information and submits it on behalf of the device to a Certificate Authority, managing the interaction with the Certificate Authority on behalf of the device. The Certificate Authority signs the request, returning a certificate to the Enrollment Agent. The Enrollment Agent packages the certificate along with the other certificates needed to establish a chain of trust and returns these to the device. Certificates may be stored in the device in flash memory. The process is secure as long as the communications path between the devices and the Enrollment Agent is secure; a secure VPN or HTTPS connection allows the devices and the Enrollment Agent to be in separate locations.

Application number: 20100313262
Title: PROVISIONING REMOTE ACCESS POINTS
Published: 12-09-2010
Abstract: Provisioning remote access points for use in a telecommunication network. A remote access point contains identity information established during manufacturing; this identity information may be in the nature of a digital certificate. The identity information is stored in the remote access point, and may be stored in a Trusted Platform Module if present. When the remote access node is powered up in an unprovisioned state, outside the manufacturing environment, it attempts to establish an internet connection via a first wired interface, and queries a user for information representing the TCP/IP address of its controller via a second wired interface. Once an internet connection is present, and a TCP/IP address has been provided, the remote access point attempts to connect to the controller at that address. The controller may filter connection requests through a whitelist of approved remote access points. Once a connection is established, controller and access point exchange and verify each other's identities. This may be done through the exchange and verification of digital certificates. Provisioning information is downloaded from controller to remote access point and installed. This may be done via a tunnel such as an encrypted tunnel. Software updates may be applied. The provisioned remote access point is placed in operation.

Application number: 20100281180
Title: Initiating Peer-to-Peer Tunnels
Published: 11-04-2010
Abstract: Initiating peer-to-peer tunnels between clients in a mobility domain. Client traffic in a mobility domain normally passes from the initiating client to an access node, from the access node through a tunnel to a controller, and then through another tunnel from the controller to the destination access node and the destination client. When initiated by the controller, the access nodes establish a peer-to-peer tunnel for suitable client traffic, bypassing the "slow" tunnels through the controller with a "fast" peer-to-peer tunnel. Traffic through this "fast" tunnel may be initiated once the tunnel is established, or traffic for the "fast" tunnel may be queued up until traffic has completed passing through the "slow" tunnel. This queue and release process may be bidirectional or unidirectional depending on the traffic. Completion of slow tunnel traffic may be sensed in a number of ways. Slow tunnel traffic may be timed out, and queued traffic released after a preset time since the last packet was sent through the slow tunnel. The identity of the last packet sent through the slow tunnel may be retained, and queued traffic released when an acknowledgement for that packet is received. A special packet may be sent through the slow tunnel and queued traffic released when an acknowledgement for that packet is received.

Application number: 20100277368
Title: Multi-Pattern Wireless Frame Transmission
Published: 11-04-2010
Abstract: Multi-pattern transmission of wireless frames. A digital device contains a transmitter feeding an electronically steerable antenna system in which the radiation pattern produced by the antenna system may be selected. Different antenna radiation patterns are used in transmitting a first portion of a wireless frame and a second portion of a wireless frame in a wireless digital network. In one embodiment, a first portion of a wireless frame is transmitted using a wide radiation pattern while the second portion of the frame is transmitted using a second radiation pattern. Switching among radiation patterns in the electronically steerable antenna system may be accomplished by switching between antenna types, such as an omnidirectional antenna for the wide pattern, and beam-steered or sectorized antennas for the second radiation pattern. Beam-forming and/or phasing approaches may also be used. The first and second portions of the frame may be transmitted at different power levels. For high throughput (HT) frames such as IEEE 802.11n frames, the non-HT preamble and L-SIG are taken as the first portion of the frame, with the HT-SIG, HT-training and HT-data portions of the frame taken as the second portion of the frame, transmitted using a narrower radiation pattern.

Application number: 20100275017
Title: Peer-to-Peer Forwarding for Packet-Switched Traffic
Published: 10-28-2010
Abstract: Establishing peer-to-peer tunnels between clients in a mobility domain. In normal operation, clients attached to a network having access nodes connected to a central controller transfer all traffic through the central controller. This traffic is passed using tunnels between the access node and the central controller. Tunnels may be encrypted, and GRE tunnels may be used. A mobility manager operating in the controller tracks access nodes connected to the controller, and clients connected to those access nodes. When the mobility controller recognizes traffic passing between clients in its mobility domain that is eligible for peer-to-peer forwarding, it instructs the access nodes supporting the clients to establish a peer-to-peer tunnel between the nodes, and to direct the client traffic through this peer-to-peer tunnel. The peer-to-peer tunnel may be session based, or may be aged. Eligibility of traffic for peer-to-peer tunnels may be controlled by rules, such as limiting peer-to-peer tunnels by source or destination, by port or protocol, and the like.

Application number: 20100272103
Title: Synchronization of Mobile Client Multicast Membership
Published: 10-28-2010
Abstract: Synchronization of mobile multicast membership in a wireless network. A controller supports one or more wireless access points, each of which supports wireless clients. A Mobility Manager (MM) in the controller monitors wireless client activity. The controller establishes an IGMP proxy which intercepts IGMP messages from wireless clients and handles the IGMP messages on the clients' behalf. When a wireless client wishes to join a multicast, the client's IGMP join message is intercepted by the controller IGMP proxy, and the controller IGMP proxy joins the multicast for the client. The Mobility Manager observes the actions of the IGMP proxy. If a client moves from its home agent (HA) controller to a different foreign agent (FA) controller, the Mobility Manager in the FA controller locates the Mobility Manager in the HA controller and receives information on the client, including information on any multicast streams the client is receiving. The Mobility Manager in the FA controller uses this information to have its own IGMP proxy join the required multicast and send the multicast stream to the client.

Application number: 20100199343
Title: CLASSIFICATION OF WIRED TRAFFIC BASED ON VLAN
Published: 08-05-2010
Abstract: Controlling access and capabilities on wired digital networks. According to the invention, rather than using port-centric controls, multiple virtual local area networks (VLANs) are supported by a wired controller, and these VLANs may be terminated on multiple physical ports. Capabilities are then assigned on a VLAN basis, with default capabilities assigned to the port when no VLAN is used. Capabilities defined on a VLAN basis may be, for example, no access, trusted access, or untrusted access. Trusted access VLANs are not subject to authentication or firewalling. Untrusted VLANs are subject to authentication and firewalling, which may be configured as required for the VLAN and its authorized users.

Application number: 20100026558
Title: DISTANCE ESTIMATION
Published: 02-04-2010
Abstract: Improved distance estimation of a selected transmitter. An improved distance estimate from a target transmitter to a receiver is produced by assessing the target transmitter to determine its transmit power, and combining this information with a propagation model, received signal strength, and reference signal strength indications. Target transmit power may be assessed through knowledge of the target device or device class, and/or transmit power reporting features of target wireless networks. The assessment may be made by looking up reported target device characteristics in a database, making inferences based on target device characteristics, or through standards-based diagnostic and/or reporting mechanisms.

Application number: 20100023749
Title: Harvesting Entropy from Trusted Cryptographic Sources
Published: 01-28-2010
Abstract: Extending entropy in a random number generation utility. Where a device has access to trusted sources of encrypted data, such as encrypted network traffic, such encrypted network traffic may be sampled and the bits fed into the entropy seeding routines of the random number generation utility.

Application number: 20090274129
Title: DISTRIBUTED LOAD BALANCING IN WIRELESS NETWORKS
Published: 11-05-2009
Abstract: Distributed load balancing in wireless digital networks. In a network having a plurality of access nodes, with at least one wireless client connected to a first access node, the client is encouraged to move to a different access node by reducing the apparent signal strength of transmissions from the access node to the client. Apparent signal strength can be reduced by reducing transmit power, by using beam forming, by antenna switching, or by a combination of these. Other access nodes may send unsolicited frames, such as probe response frames, to the client, encouraging the client to move.

Application number: 20090268915
Title: Secure Creation and Management of Device Ownership Keys
Published: 10-29-2009
Abstract: Secure creation and management of device ownership keys. TPM ownership keys are generated by cryptographically combining manufacturer information with device-specific information. Ownership keys are established in the TPM-containing device. The manufacturer retains the information necessary to reconstruct the ownership key if needed.

Application number: 20090258668
Title: ENTERPRISE LOCATION DISCOVERY IN DUAL-MODE PHONES
Published: 10-15-2009
Abstract: Enterprise location discovery in dual-mode phones. As dual-mode phones move within the enterprise Wi-Fi network, they track which cell tower they are associated with, reporting this information to an enterprise mobility controller. The enterprise mobility controller builds a list of cell tower identifiers which are associated with enterprise Wi-Fi coverage, and makes this list available to subscribing dual-mode phones. Subscribing dual-mode phones can use this list to scan for Wi-Fi availability only when they are associated with a cell tower which is on the list.

Application number: 20090252097
Title: BAND STEERING FOR MULTI-BAND WIRELESS CLIENTS
Published: 10-08-2009
Abstract: Band steering for multi-band wireless clients. In a wireless digital network having at least one central controller and a plurality of access nodes connected to the central controller, where some of the access nodes support a preferred wireless band and at least one non-preferred wireless band, the central controller identifies wireless client devices capable of multi-band operation and encourages them to connect to the preferred wireless band. Client devices may be identified as multi-band capable by tracking probe requests. The central controller keeps a list of multi-band capable clients, for example in a database. This information is provided to other central controllers, and to access nodes attached to the central controller. Multi-band capable clients are encouraged to connect on the preferred wireless band, for example by having the access nodes not respond to probe requests on the non-preferred wireless bands. Connections made on the non-preferred wireless bands may be moved to the preferred wireless band.

Application number: 20090163232
Title: ENTERPRISE SEAMLESS MOBILITY
Published: 06-25-2009
Abstract: Extending dual-mode phones using SMS messages. When operating in cellular mode, SMS messages originated by a mobility controller in the enterprise command features such as indicators on the dual-mode phone. SMS messages are received by an agent in the dual-mode phone. A mobility controller connected to the enterprise SIP PBX and voicemail system receives messages, for example indicating voicemail status, and sends specially formatted SMS messages to the cellular phone to operate indicators. Similarly, the dual-mode phone issues SMS messages to the enterprise mobility controller to request that the enterprise PBX perform features such as call conferencing, call pickup, and call pull.

Application number: 20090163229
Title: Indicators for Dual-Mode Phones
Published: 06-25-2009
Abstract: Indicator control for dual-mode phones. While under control of an enterprise Wi-Fi network, indicators on a dual-mode phone can be controlled using SIP messages. When operating in cellular mode, indicators on the dual-mode phone are controlled by SMS messages which are intercepted on arrival. A software agent connected to the enterprise SIP PBX and voicemail system receives messages, for example indicating voicemail status, which cause the software agent to send specially formatted SMS messages to the cellular phone and operate indicators.

Application number: 20090156217
Title: Delayed ACK in dual-mode call handover
Published: 06-18-2009
Abstract: Handover of a call to a dual-mode phone from cellular to Wi-Fi. When handing over a call mediated by a mobility controller to a dual-mode phone and switching the call from a cellular to a Wi-Fi call, the mobility controller initiates a Wi-Fi connection to the dual-mode phone. When the Wi-Fi connection is established, and with the cellular connection through the mobility controller still in place, the mobility controller starts a timer with a predetermined value and the dual-mode phone initiates release of the cellular connection. When the timer expires, the mobility controller switches the call from the cellular connection to the Wi-Fi connection.

Application number: 20090156175
Title: Single Voicemail For Dual-Mode Phones
Published: 06-18-2009
Abstract: Single voicemail for dual-mode phones. Functionality is added to a dual-mode phone such that the dual-mode phone, when operating in cellular mode, sends a predetermined signal when it answers an incoming call. An enterprise mobility controller, on forwarding a call to the cellular side of a dual-mode phone after failing to complete a Wi-Fi connection, starts a timer. If the mobility controller does not receive the predetermined signal before the timer expires, it assumes that the cellular call has been handed off to the cellular voicemail system, terminates the cellular call, and sends the call to the enterprise voicemail system.

Application number: 20090156164
Title: Single Number Presentation for Dual-Mode Phones
Published: 06-18-2009
Abstract: Providing a single number presentation to the party called by a dual-mode phone. The operation of the cellular side of a dual-mode phone is altered such that when the user attempts to place an outgoing call using the cellular phone, the call is redirected to a preprogrammed incoming phone number associated with the enterprise. When the enterprise PBX answers this call, the dual-mode phone transmits the desired number to the enterprise PBX. The enterprise PBX then places the call to the desired number, and in the process transmits the caller-id information assigned to the dual-mode phone.

Application number: 20090113535
Title: Securely Virtualizing Network Services
Published: 04-30-2009
Abstract: Services in a network device are added by providing virtual environments. Virtualization allows services based on other platforms or architectures to be run with minimal modification and in a secure manner. Connecting services to the host through a stateful firewall allows dynamic integration, and passes only traffic of interest to the service. Virtualization allows services written for different instruction architectures to be supported. Multiple virtualized environments, each supporting a service, may be run.

Application number: 20090113516
Title: Setting Policy Based on Access Node Location
Published: 04-30-2009
Abstract: Policy setting in an access node remotely located from a controller. A remote access node connects to a controller over a digital network such as the internet. Operating policy is established based on the location of the access node. In one embodiment, the location of the access node is determined through a GPS receiver associated with the node. In a second embodiment, the location of the access node is determined through its public IP address. Location information is used to establish policy at the access node, which may include aspects such as operating parameters, access controls, and availability of services through the controller.

Application number: 20090108964
Title: Ethernet Coupling
Published: 04-30-2009
Abstract: Improved coupler for Ethernet over twisted pair. An improved coupler has a first common mode choke for connecting an Ethernet PHY to the primary winding of a transformer. The secondary winding of the transformer connects through a second common mode choke for connection to a twisted pair line. In one embodiment, the first common mode choke, transformer, and second common mode choke are placed in the same package. In a second embodiment, a plurality of choke-transformer-choke units are placed in the same package. In a third embodiment, the plurality of choke-transformer-choke units may be integrated into a connector. Pairs of the second common mode chokes may share cores.

Application number: 20090082034
Title: WIRELESS CLIENT POSITION ESTIMATING SYSTEM AND METHOD
Published: 03-26-2009
Abstract: The present invention comprises a system and method for determining an estimated position of a wireless mobile client device operating in a communications environment covered by a wireless local area network. The received signal strength of the wireless mobile client device is measured by one or more access points serving devices in the communications environment. In a preferred embodiment, the error between the received signal strength measured by the access points and the expected received signal strength at a plurality of locations in the communications environment is calculated. The location of the device is determined from the error.