HK1176216A

HK1176216A - Method and system of intelligently load balancing of wi-fi access point apparatus in a wlan

Info

Publication number: HK1176216A
Application number: HK13103328.2A
Authority: HK
Inventors: Yang Lit Fang
Original assignee: Medium Access Systems Private Limited
Priority date: 2011-03-08
Filing date: 2013-03-18
Publication date: 2013-07-19

Description

Intelligent load balancing method and system for WI-FI access point device in WLAN

The present application is a continuation-in-part application, co-pending U.S. patent application No. 13/043,226, entitled "Method and System for data Offloading in Mobile Communications", filed 2011, 3, 8, the entire contents of which are incorporated herein by reference.

Technical Field

The present invention relates to a method and system for load balancing in a wireless computer network.

Background

Wireless computer networks tend to suffer from quality of service (QoS) problems due to an increase in the number of users on the wireless network, and an increase in the data and bandwidth required for the large number of applications and services available to devices connected on the wireless network, such as multimedia streaming, video chat, internet browsing, email, file sharing, cloud-based internet services, and other applications.

This is especially true for enterprise Wi-Fi or wireless hotspot networks in dense user environments such as shopping centers, transportation centers such as train stations and airports, and lecture halls and meeting halls. In most wireless computer networks, users (also referred to herein as clients) connect to the wireless network through base stations, referred to herein as access points ("APs"), and service set identifiers ("SSIDs") of these APs.

A problem arises when the number of clients exceeds the number that the AP can manage or support, which can result in some clients being unable to connect. Alternatively, if the capacity of the AP is suitable for large clients, the data rate is significantly reduced because such a system with limited Wi-Fi access data rate accommodates a large number of clients. Furthermore, installing another AP with the same SSID in the vicinity of the choke point does not fully solve the problem because, in such a configuration, the Wi-Fi client is only designed to register with the AP with the strongest signal or the first detected AP. When one or more APs may be used to provide wireless network access, such a system may not determine which AP will provide the best QoS.

Certain prior attempts to address this problem have used methods of reducing radio frequency ("RF") transmission power to reduce Wi-Fi signal area or coverage. Multiple APs can then be deployed in the same volumetric region, and the system adjusts the transmitted RF power to limit client log-in. However, this does not solve the problem of distributing Wi-Fi client connections or balancing data load among several APs. What is needed is a system and method for allowing a client to connect to a particular AP when other APs in the same wireless network cannot support more clients.

Disclosure of Invention

In one aspect, the present invention is a computer network infrastructure for load balancing, comprising: one or more access points, wherein each of the one or more access points has a first service set identifier; a computing device having at least one access profile; a network connected to one or more access points; and a computing system in communication with the network, comprising at least one memory having at least one region for storing executable program code, and at least one processor for executing the program code stored in the memory. When executing the program code, it performs the following steps: receiving a request from a computing device to access a network, wherein the request includes at least one access profile, and the request is received through a second service set identifier of one of the one or more access points; determining whether to allow the computing device to access the network based on the at least one access profile; and in response to determining to allow the computing device to access the network, generating a list comprising at least one of the one or more access points capable of supporting connections with the computing device and transmitting the list to the computing device.

In another aspect, the present invention is a method for load balancing a computer network infrastructure, comprising the steps of: receiving, by a computing system from a computing device, a request to access a network, wherein the computing system comprises at least one memory having at least one region for storing executable program code and at least one processor for executing the program code stored in the memory, the computing device comprising at least one access profile, the network being connected to one or more access points, each of the one or more access points having a first service set identifier (service reliability), the request comprising the at least one access profile, the request being received via a second service set identifier of one of the one or more access points; the computing system determining whether to allow the computing device to access the network based on the at least one access profile; and in response to determining to allow the computing device to access the network, generating, by the computing system, a list comprising at least one of the one or more access points capable of supporting connections with the computing device; and sending, by the computing system, the list to the computing device.

In another aspect, the invention is a computer network infrastructure for load balancing, comprising: a beacon access point having first and second service set identifiers; one or more other access points, each access point having a first service set identifier; a computing device having at least one access profile; a network connected to one or more other access points; and a computing system comprising at least one memory having at least one area for storing executable program code, and at least one processor for executing the program code stored in the memory. When the program code is executed, it performs the following steps: receiving a request from a computing device to access a network, wherein the request includes at least one access profile, and the request is received through a second service set identifier; determining whether to allow the computing device to access the network based on the at least one access profile; determining whether each of the one or more other access points and the beacon access point is capable of supporting a connection with the computing device; generating a list comprising a beacon access point and at least one of one or more other access points capable of supporting a connection with a computing device, wherein the generating step is responsive to determining to allow the computing device to access a network; and sending the list to the computing device.

In another aspect, the present invention is a method for load balancing a computer network infrastructure, comprising the steps of: receiving, by a computing system from a computing device, a request to access a network, wherein the computing system comprises at least one memory having at least one region for storing executable program code and at least one processor for executing the program code stored in the memory, the computing device comprising at least one access profile, the network being connected with one or more other access points, each of the one or more other access points having a first service set identifier, the request comprising the at least one access profile, and receiving the request through a second service set identifier of a beacon access point; determining, by the computing system, whether to allow the computing device to access the network based on the at least one access profile; determining, by the computing system, whether each of the one or more other access points and the beacon access point is capable of supporting a connection with the computing device; generating, by a computing system, a list comprising a beacon access point and at least one of one or more other access points capable of supporting a connection with a computing device, wherein the generating step is responsive to determining to allow the computing device to access a network; and sending, by the computing system, the list to the computing device.

In another aspect, the present invention is a beacon access point in a computer network infrastructure for load balancing. The beacon access point is in communication with a computing device, a computing system, and a network connected with one or more other access points, each of the one or more other access points having a first service set identifier. The beacon access point includes at least one memory having at least one region for storing executable program code and at least one processor for executing the program code stored in the memory. The beacon access point is configured to: receiving a request from a computing device to access a network, wherein the request includes at least one access profile associated with the computing device, and receiving the request through a second service set identifier of a beacon access point; transmitting the request to the computing system; receiving, from a computing system, a list comprising at least one of a beacon access point and one or more other access points capable of supporting connections with a computing device; and transmitting the list to the computing device.

In another aspect, the present invention is a method of operating a beacon access point in a computer network infrastructure for load balancing. The beacon access point is in communication with a computing device, a computing system, and a network connected with one or more other access points, wherein each of the one or more other access points has a first service set identifier. The beacon access point includes at least one memory having at least one region for storing executable program code and at least one processor for executing the program code stored in the memory. The method comprises the following steps: receiving, by a beacon access point from a computing device, a request to access a network, wherein the request includes at least one access profile associated with the computing device, and receiving the request through a second service set identifier of the beacon access point; the beacon access point transmitting a request to the computing system; receiving, by a beacon access point from a computing system, a list comprising at least one of the beacon access point and one or more other access points capable of supporting connections with the computing device; and the beacon access point transmitting the list to the computing device.

In another aspect, the present invention is a computing system for load balancing. The computing system is in communication with one or more access points, computing devices, and a network. The computing system includes at least one memory having at least one area for storing executable program code, and at least one processor for executing the program code stored in the memory. When executing the program code, it performs the following steps: receiving a request from a computing device to access a network, wherein the request includes at least one profile associated with the computing device, and the request is received through a second service set identifier associated with one of the one or more access points; determining whether to allow the computing device to access the network based on the at least one access profile; and generating a list comprising at least one of the one or more access points capable of supporting a connection with the computing device, wherein the generating step is responsive to determining to allow the computing device to access the network; and sending the list to the computing device.

In another aspect, the invention is a method of operating a computing system for load balancing, where the computing system is in communication with one or more access points, computing devices, and a network. The computing system includes at least one memory having at least one area for storing executable program code, and at least one processor for executing the program code stored in the memory. The method comprises the following steps: the computing system receiving a request from the computing device to access the network, wherein the request includes at least one access profile associated with the computing device and the request is received through a second service set identifier associated with one of the one or more access points; determining, by the computing system, whether to allow the computing device to access the network based on the at least one access profile; and generating, by the computing system, a list comprising at least one of the one or more access points capable of supporting connections with the computing device, wherein the generating step is responsive to determining to allow the computing device to access the network; and sending, by the computing system, the list to the computing device.

Drawings

Exemplary embodiments according to the present invention will now be described, by way of example only, with reference to the accompanying drawings, in which:

FIG. 1 depicts a schematic diagram of load balancing in a wireless network communication infrastructure, in accordance with an aspect of the present invention;

FIG. 2 depicts a schematic diagram of another aspect of the present invention for load balancing in a wireless network communication infrastructure;

FIGS. 3A and 3B depict a flow diagram of a method of load balancing in a wireless network communication infrastructure in accordance with an aspect of the present invention;

FIG. 4 depicts a data flow in a load balancing protocol sequential process, in accordance with an aspect of the present invention;

the drawings are exemplary, and not limiting. In the drawings, the same reference numerals are used throughout the several figures to designate the same items.

Detailed Description

SUMMARY

Embodiments of the present invention will be described in more detail below with reference to the accompanying drawings.

Referring to FIG. 1, a system 100 illustrates an embodiment of the load balancing system of the present invention. The network infrastructure 101 includes a Wireless Local Area Network (WLAN) accessible through one or more wireless APs 105a, 105b, 105c, 106, 107a, 107b, and 107c and connected to the system core 103 and the internet 102. In a preferred embodiment, the AP is a Wi-Fi access point that operates according to an IEEE 802.11-based standard and connects to the network infrastructure 101 through a wireless or wired connection.

As shown in fig. 1, customer premises equipment ("CPE") 104 is located within the wireless signal coverage (also referred to herein as "zone") of APs 105a, 105b, and 105c, wherein the wireless signal coverage substantially overlaps. The wireless signal coverage of AP 106 does not intersect the wireless signal coverage of any other AP. A portion of the wireless signal coverage of AP 107a overlaps a portion of the wireless signal coverage of AP 107b, while another portion of the wireless signal coverage of AP 107b overlaps a portion of the wireless signal coverage of AP 107 c. The APs 105a, 105b, 105c, 106, 107a, 107b, and 107c operate the beacon SSIDs 108, respectively. Each AP shown in fig. 1 also operates a unique SSID according to the following table:

AP	SSID
		105a	105a_SSID
105b	105b_SSID
		105c	105c_SSID
106	106_SSID
		107a	107a_SSID
107b	107b_SSID
		107c	107c_SSID

table 1: access point and unique SSID of fig. 1

CPE104 may be a cellular phone, smart phone, tablet, portable computer, desktop computer, laptop computer, game console, personal media player, handheld computing device, portable gaming device, or similar device, and is not limited to CPU-based devices. An access controller 109 is installed on the CPE104 and communicates with the system core 103 via the beacon SSID108, any AP (e.g., APs 107a, 107b, 107c), and the network infrastructure 101, allowing the CPE104 to access the internet 102 or any wired or wireless network associated with, connected to, or accessible by the network infrastructure 101. The access controller 109 may be a service, a daemon, or a driver. The physical locations of CPEs 104 shown in fig. 1 are exemplary, and CPEs 104 may be located anywhere on the system, and not even in the wireless signal coverage of any AP. In addition, the system 100 has sufficient capacity to operate more than one CPE104 in a dense customer environment. In one aspect, system 100 operates multiple CPEs. Each CPE104 may have a unique token, profile, certificate, or other authentication information, referred to herein as a CPE TPC, used in the system 100 to authenticate each CPE 104.

As shown, network infrastructure 101 may access or connect to a data network, such as the Internet 102. In another aspect, network infrastructure 101 facilitates connection to any other private or public data network, server, database, whether through the Internet or through a direct connection. Further, the network infrastructure 101 may have direct communication links or indirect communication links with the Internet 102 or any other intermediate communication network. The network infrastructure 101 may include one or more computer servers, one or more network systems or devices, or one or more mobile telecommunications systems or devices.

System 100 is configured to provide improved QoS to CPEs of a network, such as CPE 104. For example, system core 103 directs the CPE to log on to a particular AP by communicating with access controller 109, as will be described in more detail below. The system core 103 holds information about the AP load, e.g., the number of CPEs connected to each AP. System core 103 also determines whether the AP has sufficient capacity to accept or support the new CPE connection or, in other words, sufficient capacity does not cause a customer load imbalance for system 100 nor overload the AP-such an AP is referred to herein as an "available AP". In this case, system core 103 can perform load balancing of the AP and system 100 by directing the CPE to the AP with available bandwidth and customer capacity.

Core of system

Fig. 2 shows another configuration of the system 100. Referring to fig. 2, the system core 103 includes 3 main elements or modules for performing its main functions. The system core 103 includes a policy server 201, a resource server 202, and an authentication, authorization, and accounting server ("AAA server") 203. The servers 201, 202, and 203 of the system core 103 may be located on one or more computer systems or configurable hardware devices. Such a computer system or configurable hardware may include one or more processors, memory, operating systems, and network interfaces. In one aspect, all of the servers 201, 202, and 203 of the system core 103 are disposed on one computer system having at least one processor and at least one memory. Alternatively, servers 201, 202, and 203 may be one or more programmable or encodable applications that perform server functions. The server functions may be implemented or configured in a variety of ways to provide communication and data transfer between servers. Each server will be described in more detail below.

Policy server

Policy server 201 includes information about each CPE and an access profile associated with each CPE, where the profile determines whether the CPE is eligible or allowed to access the network. The access profile may be configured according to a data service scheme of the CPE, wherein the data service scheme includes whether the CPE is a prepaid subscriber or a postpaid subscriber. The access profile may further include information relating to the bandwidth of the CPE service arrangement. The access profile may also include information unique to the CPE, customer, or subscriber. The access profile may also include information associated with or included in the CPE TPC. The access profile may be stored in policy database 205 of policy server 201 or in policy database 205 accessible to policy server 201. Policy database 205 may be a storage system maintained and updated by a wireless network service operator (e.g., an operator of system 100). Such operators include internet service providers, wireless hotspot managers (e.g., shopping centers, bookstores, coffee shops), wireless connectivity managers (e.g., hotels, universities, colleges, apartment buildings), and similar providers of wireless network or internet access. In addition, the wireless network operator may dynamically change CPE access policies and profiles to control the access capabilities of a particular CPE or group of CPEs. For example, access priority may be assigned to a pre-paid user as compared to a post-paid user, and vice versa, or based on a subscription package.

The capacity or traffic on each AP is tracked by resource server 202 and provided to policy server 201 in the form of resource status information. Finally, policy server 201 is configured to assign one or more APs to the CPE to provide the best QoS. The allocation may be determined based on load factors for each AP held by the resource server 202. In addition, policy server 201 communicates with AAA server 203 to determine whether the CPE has sufficient credit to continuously access internet 102. Fig. 3A and 3B depict one aspect of the present invention for determining, by system 100, a grant to access a CPE. Fig. 3A and 3B will be described in more detail below.

Resource server

Resource server 202 is configured to track the status of APs in system 100. For example, the resource server 202 may be configured to determine the number of CPEs connected to each AP, the maximum number of CPEs that each AP can support, traffic conditions or quantity or capacity information, and individual and overall status of the APs (collectively referred to as "capacity or status information"). In one aspect, the tracking performed by the resource server 202 is real-time. The AP status information may include whether the AP is deactivated, removed, unable to access the internet, unresponsive for a certain period of time, or otherwise inoperable. In another aspect, when there is a problem with the AP, the resource server 202 can alert the wireless network service operator to correct the problem.

In another aspect, the resource server 202 may also store location information, connection range, or wireless signal coverage information for each AP in the resource database 208 of the resource server 202, or in a resource database 208 accessible to the resource server 202. This information may be used to determine which AP is a usable AP. The resource database 208 may be stored in a storage system.

AAA server

The AAA server 203 handles authorization of the CPE to access the data network, the network infrastructure 101 or the internet 102. The AAA server 203 may store accounting information for CPE usage data. In one aspect, the data usage information is stored by the AP during the data session and sent to the AAA server 203 periodically at the end of the data session or when the connection is lost. The AAA server 203 may also update the resource server 202 with information relating to CPE connection with the AP.

In another aspect, the AAA server 203 maintains credit information and deductive usage for CPEs on a pay-before-payment service plan. The AAA server 203 may also communicate with the billing system for CPE on post-pay service plans.

On the other hand, the transmission information generated or stored by the AAA server 203 is stored in the AAA database 210 of the AAA server 203 or in the AAA database 210 accessible to the AAA server 203. AAA database 210 may be stored in a storage system.

Beacon SSID

The AP may transmit a beacon SSID108 operating in accordance with the IEEE 802.11 standard. The AP may also transmit a unique SSID to the CPE for access to the network infrastructure 101 and internet 102. In the system 100, as shown in fig. 1 and 2, the beacon SSID is the same in all APs that transmit or operate the beacon SSID. On the other hand, not shown in the figure, APs in the same network may use different beacon SSIDs.

On the other hand, the beacon SSID108 operates on a communication port that authenticates and communicates with the policy server 201. For example, the communication port for the beacon SSID108 may be port 1812 (also referred to as an "authentication port"). The beacon SSID108 provides an administrative path between the access controller 109 and the policy server 201, e.g., requesting connection to the internet 102 through an AP, improving credit, or detecting usage information.

In another aspect, the communication port for the beacon SSID108 may not be used for internet connectivity. Here, access to port 80(http), port 8080 (alternatively http), port 21(ftp), and other communication ports may be blocked or restricted.

Access point

The APs (e.g., APs 105a, 105b, 105c, 106, 107a, 107b, and 107c) provide wireless access to the network infrastructure 101. The AP may include one or more processors, memory, an operating system, a wireless broadcast device, a transceiver, an antenna, and a network interface. The AP may use the existing ISP network infrastructure to connect the CPE to the internet. The AP may be configured to provide accounting information regarding CPE data usage to the AAA server 203. In one aspect, a large amount of traffic or user data may instead be routed directly to an ISP or wireless network service operator.

As shown in fig. 1, each AP 105a, 105b, 105c, 106, 107a, 107b, and 107c has a unique SSID, which may be hidden or searchable as described above with reference to table 1.

The AP may or may not broadcast the beacon SSID 108. Whether or not the beacon SSID108 is broadcast by a particular AP depends on the type of AP configuration deployed. For example, an AP may be deployed without any other AP within its Wi-Fi coverage (fig. 1, configuration 130), in an overlapping AP configuration of Wi-Fi coverage (configuration 140), or in multiple AP configurations that substantially cover the same geographic area (configuration 120). The type of configuration may depend on the coverage scheme or the user's demographics. In configuration 140, each AP may broadcast its own beacon SSID, as shown in fig. 1. For example, configuration 120 may be deployed in lecture halls and conference halls with hundreds of CPEs. In such a scenario, there may be multiple APs that substantially cover the same geographic area, but only one or two APs may broadcast the beacon SSID 108.

Where the AP broadcasts the beacon SSID108, the beacon SSID108 and its unique SSID may be broadcast simultaneously. For example, in fig. 1, the AP 107a shown broadcasts a beacon SSID108 and an SSID107a _ SSID.

Access controller/daemon

As previously described, each CPE in the system 100 has an access controller 109. In one aspect, the access controller 109 may be a daemon or service running in the background of the CPE software system with little or no interaction with the user. In another aspect, the access controller 109 may be an application. In another aspect, the access controller 109 may be a user activated system service, wherein the access controller 109 activates a Wi-Fi radio and begins scanning for a beacon SSID. On the other hand, when the Wi-Fi radio is active or the hardware Wi-Fi switch is in the "on" position, the access controller 109 runs on the CPE boot and scans for the beacon SSID. In yet another aspect, the access controller 109 may be in a dormant state until an application or service on the CPE requests a network connection.

In one embodiment, access controller 109 detects beacon SSID108 and sends a message to policy server 201 by requesting access to beacon SSID108 of network infrastructure 101 or internet 102. In an aspect, the access controller 109 may also perform authentication with the system core 103 based on the CPE TPC of the CPE 104. The CPE TPC may be provided by or obtained from a USB device (e.g., a USB authentication device), SD card, micro SD card, SIM card, integrated circuit fixed to the CPE104 or embedded in the CPE104, or similar device attached to the CPE104 or accessible to the CPE 104. The CPE TPC may consist of an ID number ("IDN") that identifies the subscriber or CPE and may be write-once/read-many. Each CPE TPC may also include a unique Ki. The same Ki is also stored in the policy server 201, and in one aspect, Ki may be part of the access profile. The CPE TPC may also store a list of beacon SSIDs. The CPETPC may use an encryption algorithm for signing and using Ki. The use and explanation of Ki and authentication will be described below.

Access controller 109 may receive information from policy server 201 concerning available AP access network infrastructure 101 or internet 102. Such information may include the SSID of each AP.

In another aspect, each CPE maintains a list of beacon SSIDs 108, where such a list may be different from a known list or history of SSIDs. Alternatively, such a list may be stored on the CPETPC. The access controller 109 may connect with any of the available beacon SSIDs included on the list.

In another aspect, connecting with a particular beacon SSID may be based on a priority basis. This can be illustrated by way of example: the enterprise company EntCo operates the network with the beacon SSID "ENT _ a" and EntCo is also a subscriber to IntServ's internet service, which provides additional coverage for employees outside the entro's office. IntServ operates its network with the beacon SSID "ISP _ X". The employee's CPE stores information relating to ENT _ A and ISP _ X, with ENT _ A having the highest priority. Thus, if the employee is in an area where ENT _ a and ISP _ X are accessible, access controller 109 will connect ENT _ a. In this example, EntCo may preferably provide employees with low-cost internet access when access is available and only allow the use of IntServ services that cover the outside of ENT _ a availability. Here, EntCo may have a service agreement with IntServ to provide Wi-Fi roaming for EntCo employees in the IntServ coverage area.

In another example of providing priority to a particular beacon SSID, a user may subscribe to IntServ's internet service and IntRoam's roaming internet service, where the roaming internet service provides internet service to users in different areas. In this example, IntServ operates the beacon SSID "ISP _ Y", and IntRoam operates the beacon SSID "ISP _ Roam". Here, ISP _ Y may be given a higher priority than ISP _ Roam, and thus when the user has access to, or is within range of, ISP _ Y and ISP _ Roam, access controller 109 may preferentially handle ISP _ Y. In this example, IntServ and IntDiff may each have their own policy server or system core, and the bridging protocol between IntServ and IntDiff may allow the two policy servers or system cores to communicate with each other (e.g., over the internet) confirming the validity of CPE identity and usage. Accounting may also be managed by one or more AAA servers.

System operation

Referring to fig. 2 and 4, the general system operation is described by way of example.

Subscribers or users in the system 100 attempting to access the internet 102 have access controllers 109 running on their CPEs 104. In the system configuration of fig. 2, the CPE104 and/or access controller 109 scans for available beacon SSIDs. Here, the CPE104 and/or access controller 109 detects the beacon SSID108 of the APs 207a and 207 b. In this embodiment, the access controller 109 connects to the beacon SSID108 through the AP 207a and transmits a request to the policy server 201 through the beacon SSID108 to access the internet 102. The request may include information relating to the CPE104 and authentication information, such as the CPE TPC described above. The requests are depicted in fig. 4 as data 1 and data 2.

Policy server 201 receives requests from CPE 104. If the CPE104 is in a pre-pay scheme, the policy server 201 queries the AAA database 210 to determine if the CPE104 is authenticated to access the Internet 102. Such a determination may be based on the CPE TPC of the CPE104 and/or an access profile associated with the CPE 104. Policy server 201 may apply the query directly to AAA database 210 or may apply the query through AAA server 203. If the CPE104 has been authenticated, the policy server 201 sends a request for available APs (also referred to as a "resource status request") to the resource server 202 (FIG. 4, data 3). The request may include information relating to the physical location of the AP 207a and/or the relative location of the CPE104 to the AP 207 a.

Upon receiving data 3, resource server 202 generates a list of one or more APs in the wireless signal coverage area of AP 207a, where the APs are available APs, e.g., the APs are able to accept or support the new CPE connection. In generating the list of available APs, the resource server 202 may obtain capacity or status information from the resource database 208. The list may further include the SSID of the APs on the list, or capability or status information. For example, the APs within range may be APs 207a and 207b, but resource server 202 shows that AP 207a has no capacity to allow access by another CPE. Thus, the list of available APs may only include AP 207 b. This list is then sent to policy server 201 (fig. 4, data 4, also referred to as a "resource status response").

When receiving data 4, policy server 201 notifies AAA server 203: the CPE104 attempts to access the internet 102 (fig. 4, data 5). If the service plan of the CPE104 is prepaid, the AAA server 203 determines if the CPE104 has sufficient credit to access the Internet 102. The AAA server 203 also notifies the policy server 201 if the CPE104 subscribes to a pre-paid service plan with sufficient credit, or subscribes to a post-paid service technology (fig. 4, data 6). Alternatively, if the CPE104 does not have sufficient credit for subscription to the prepaid service arrangement, the AAA server 203 also notifies the policy server 201 (not shown in fig. 4). In one aspect, policy server 201 communicates with access controller 109: CPEs 104 do not have sufficient credit for the CPE104 (also not shown in fig. 4).

Upon receiving data 6, policy server 201 generates a token, one-time password, or one-time certificate (collectively "TOTPC"). Policy server 201 then sends data 4 (or its contents, e.g., a list of available APs with the AP SSID) and tpc to access controller 109 (fig. 4, data 7). Data 7 may further include information needed by CPE104 to access internet 102 via one of the available APs. Policy server 201 may also send the TOTPC generated by policy server 201 for later authentication or validation purposes to AAA server 202 or AAA database 210.

When receiving data 7, the access controller 109 connects with the internet 102 using the list of available APs and the tpc. If the list of available APs is ordered according to signal strength, the access controller 109 may first initiate a connection with the available AP having the greatest signal strength. In one aspect, such a connection may be made through an SSID other than the beaconing SSID 108. In this embodiment, the access controller 109 will attempt to log onto AP 207b (the only AP in the list) via 207b SSID using the TOTPC (fig. 4, data 8).

Upon receiving data 8, AP 207b forwards the attempt by access controller 109 to login to AP 207b to AAA server 203 (fig. 4, data 9). The AAA server 203 then authenticates and authorizes the attempt of the access controller 109 by comparing the tpc sent by the access controller 109 with the tpc stored in the AAA database 210. If the TOTPC sent by the access controller 109 matches one or more TOTPCs in the AAA database 210, the AAA server 203 communicates with the AP 207b to allow the CPE104 to access the Internet 102 and to communicate with the resource server 202: another CPE has logged onto AP 207b (data 10 and data 11 in fig. 4, respectively). The resource server 202 may update the capacity information stored in the resource database 208. In another aspect, the AAA server 203 may also begin accounting for data usage by the CPE 104. In yet another aspect, the AAA server 203 may represent the TOTPC as "used" or "discarded" to prevent further use of the TOTPC.

Upon receiving data 10, AP 207b forwards the authorization information to access controller 109 (fig. 4, data 12). Upon receiving the data 12, the access controller 109 completes the connection and authentication with the AP 207 b. In one aspect, the connection and authentication may use an IEEE 802.11 based protocol. Once the connection is established, the CPE104 may access the internet 102 (fig. 4, data connection 13) either directly or through an access controller 109.

In one aspect, the AP 207b updates the AAA server 203 with data application information periodically or at the end of the session for the CPE104 (fig. 4, data 14). In another aspect, the data application information for the CPE104 may be collected by the AP 207b, as opposed to routing all traffic to the AAA server 203.

In one embodiment, the steps and processes for load balancing in the Wi-Fi environment described above require minimal, if any, user interaction.

In another embodiment, rather than generating a list of available APs, resource server 202 may generate a list of SSIDs associated with the available APs. Here, those skilled in the art are able to modify the policy server 201, AAA server 203, CPE104, access controller 109, network infrastructure 101, and APs 207a, 207b, and 207c to facilitate proper operation of the access control protocols described above.

In another embodiment, if the CPE104 is disconnected from the AP 207b, all of the steps described above are performed and communications and data transmissions are re-sent in sequence to facilitate the CPE104 re-accessing the internet 102.

In another embodiment, the CPE104 may attempt to access the network infrastructure 101 in substantially the same manner as described for accessing the internet 102 in other embodiments of the invention.

In another embodiment, data 1 and data 2 sent to policy server 201 may include a list of all SSIDs detected by CPE104, where the list may be sorted by signal strength. In this embodiment, policy server 201 forwards the list to resource server 202, resource server 202 determines which of the detected APs belongs to system 100, and returns a list of APs belonging to system 100 with sufficient bandwidth or load capacity for CPE104 connection to policy server 201. In this regard, the other steps taken in accessing the Internet 102 operate in substantially the same manner as described above.

In another embodiment, the CPE104 may replenish (top-up) credits on a pay-ahead service plan without connecting to the Internet 102. In this embodiment, CPE104 may use access controller 109 and beacon SSID108 to communicate with policy server 201 and AAA server 203. In this type of complement, the access controller 109 provides the policy server 201 with the CPE104 credit credentials and informs the AAA server 203 of the new credit. In one aspect, the replenishment process may request user interaction to provide a replenishment number and PIN, similar to providing replenishment credit for a prepaid mobile service arrangement. In another embodiment, subscribers and users may supplement their prepayment schemes through the Internet.

In another embodiment, the present invention may coexist with a captive portal. In this embodiment, the captive portal may operate on AP 207a, but may also operate on an SSID other than the beaconing SSID108 or the non-207 a _ SSID. Such a captive portal may force the CPE to look for internet access to view the authentication web page first before using the internet 102. The authentication web page may require the CPE to authenticate or make a payment before accessing the internet 102. The invention may also be implemented on an RF power control AP.

Fig. 3A and 3B depict a process 300 according to another aspect of the present invention. Specifically, the process 300 illustrates a determination flow by the system core 103 to allow the CPE104 to access the internet 102 or to supplement a prepaid service plan. The process begins at step 305, where the CPE104 attempts to establish a connection at an AP in the network ("beaconing AP") via the beaconing SSID 108. The policy server 201 receives information relating to the CPE104 including authentication information of the CPE 104. Next, at step 310, the policy server 201 determines whether the authentication information of the CPE104 allows the CPE104 to access the internet 102. If the policy server 201 determines that the authentication information of the CPE104 does not allow the CPE104 to access the Internet, the process 300 proceeds to step 375, where the process ends. If the authentication information of the CPE104 allows the CPE104 to access the Internet 102, the process 300 proceeds from step 310 to step 315.

At step 315, policy server 201 determines whether CPE104 requests a connection to internet 102 or supplements a prepaid service plan. If the CPE104 requests supplemental, the process 300 proceeds to step 320, where the measurement server 201 sends the supplemental information to the AAA server 203. Process 300 then proceeds to step 325 where AAA 203 determines whether the supplemental credit may be approved. If the supplemental credit is not approved, the process 300 proceeds to step 375, where the process 300 ends. Alternatively, if the supplemental credit is approved, process 300 proceeds from step 325 to step 330.

Alternatively, at step 315, if the CPE104 requests a connection to the internet 102, the process 300 proceeds to step 330. At step 330, the policy server 201 determines whether the CPE104 subscribes to a prepaid service plan. If the CPE104 subscribes to the pay-per-view service arrangement, the process 300 proceeds to step 335 where the policy server determines whether the CPE104 has sufficient credit to access the Internet 102. If the CPE104 does not have sufficient credit to access the Internet 102, the process 300 proceeds to step 340, where the policy server sends an indication to the CPE104 or the access controller 109 that the CPE104 does not have sufficient credit. When such an indication is sent, process 300 proceeds to step 375, where the process ends.

However, if the CPE104 has sufficient credit for the prepaid service plan at step 335, the process 300 proceeds from step 335 to step 345. Also, at step 330, if the CPE104 is not on a postpaid service plan, i.e., it is on a postpaid service plan, the process 300 proceeds from step 330 to step 345.

At step 345, policy server 201 determines whether CPE104 sends the list of APs detected by CPE 104. If a list of detected APs has been sent, process 300 proceeds from step 345 to step 350, where policy server 201 communicates with resource server 202 to receive traffic information or capacity or status information about the APs on the list. Alternatively, if the list is not transmitted, process 300 proceeds from step 345 to step 355 where policy server 201 communicates with resource server 202 to receive a list of APs at or near the beacon AP and capability or status information for those APs. Alternatively, policy server 201 may receive from resource server 202 a list of APs having substantially the same wireless coverage as the beacon AP, and capability or status information about those APs, at step 355. The list may be ordered according to signal strength and distance from the beacon AP.

In steps 350 and 355, policy server 201 may also send other information to resource server 202, such as authentication information associated with CPE 104.

Step 350 and step 355 both proceed to step 360 where the policy server processes the list of APs from step 350 or step 355, determines if any AP cannot provide a connection to another CPE-e.g., the traffic or CPE capacity may have reached the maximum value of the AP-as the case may be-and generates a list of available APs. Similar to the techniques mentioned above, determining which APs are available may also be performed. In one aspect, policy server 201 processes the list and capacity information in order from best to worst AP to generate an ordered list of APs. Policy server 201 may also alternatively rank the APs according to the distance, or signal strength, between the CPE and the AP.

Next, at step 365, the policy server 201 generates a TOTPC for the CPE104 that is adapted to establish a connection with the internet 102. Policy server 201 may also send the TOTPC to AAA server 203 (not shown). Next, in step 370, policy server 201 sends the list of available APs and the TOTPC to CPE 104. After step 370, process 300 proceeds to step 375, where it ends.

After step 375, not shown, CPE104 may use the list of available APs and the tpc to connect to the available APs to access internet 102, as described above.

In an aspect, communications to or from CPE104 in any of the steps of method 300 may be transmitted or processed through a beacon AP and/or a beacon SSID.

In another aspect of process 300, generating the list of available APs may be performed by resource server 202 instead of policy server 201. Here, steps 350, 355, and 360, policy server 201, resource server 202, and/or system core 103 may be modified accordingly by one skilled in the art to facilitate proper operation of process 300 as described above.

Token authentication (CPE TPC) procedure

One aspect of CPE104 authentication using CPE TPC is described below. This aspect may be used in any of the embodiments described above, including step 310 of process 300.

When the access controller 109 running on the CPE104 attempts to access the network infrastructure 101 or the internet 102, the access controller 109 begins by obtaining a list of beacon SSIDs stored in the CPE TPC of the CPE104 and searching for a beacon SSID that matches the list of beacon SSIDs. The access controller 109 further obtains the IDN from the CPE TPC and passes the IDN (e.g., via a beacon SSID) to the policy server 201. In one aspect, a PIN may be requested to obtain the IDN.

Policy server 201 would then query policy database 205 for Ki with IDN. The policy server 201 then generates a random number ("RAND") and signs the RAND with a Ki associated with the IDN, which in turn generates a signed response 1 ("SRES 1").

The policy server 201 then sends the RAND to the access controller 109 and the access controller 109 signs the RAND with Ki stored on the CPE TPC, producing a signed response 2 ("SRES 2"). Access controller 109 communicates SRES2 to policy server 201, where the policy server compares SRES2 with SRES 1. If SRES2 and SRES1 match, the CPE TPC is authenticated and the CPE104 is allowed to access the beacon SSID108 and begin negotiation with available APs that are accessible.

The foregoing description of the embodiments has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the invention. Individual elements or features of a particular embodiment are generally not limited to that particular embodiment, but rather, are interchangeable as applicable and can be applied in a selected embodiment, even if not specifically illustrated or described. The same content may be transformed in a variety of ways. Such variations are not to be regarded as a departure from the invention, and all such modifications are intended to be included within the scope of the invention.

Claims

1. A computer network infrastructure for load balancing, comprising:

one or more access points, wherein each of the one or more access points has a first service set identifier;

a computing device having at least one access profile;

a network connected to one or more access points; and

a computing system in communication with the network having at least one memory having at least one area for storing executable program code and at least one processor for executing the program code stored in the memory, wherein when the program code is executed:

(a) receiving a request from a computing device to access a network, wherein the request includes at least one access profile, and the request is received through a second service set identifier of one of the one or more access points;

(b) determining whether to allow the computing device to access the network based on the at least one access profile;

(c) generating a list comprising at least one of one or more access points capable of supporting connections with the computing device, wherein the generating is responsive to a determination to allow the computing device to access the network; and

(d) transmitting the list to the computing device, wherein the transmitting is in response to a determination to allow the computing device to access the network.

2. The computer network infrastructure of claim 1, wherein the list comprises a first service set identifier for each of at least one of the one or more access points.

3. The computer network infrastructure of claim 1, wherein the second service set identifier provides a communication medium for providing authentication for the computing device to access the network.

4. The computer network infrastructure of claim 1, wherein the second service set identifier is restricted to providing authentication for access to the network by the computing device.

5. The computer network infrastructure of claim 1, wherein the computing device further comprises a daemon and a software application, and wherein information is sent and received between the computing device and the computing system by the daemon and software application.

6. The computer network infrastructure of claim 5, wherein the daemon and software application detect the first and second service set identifiers.

7. The computer network infrastructure of claim 1, wherein the generating of the list further comprises determining whether each of the one or more access points is capable of supporting a connection with the computing device based on a capacity to support computing devices associated with the respective access point.

8. The computer network infrastructure of claim 1, wherein the computing system further comprises resource status information associated with each of the one or more access points, and wherein the generating of the list further comprises determining whether each of the one or more access points is capable of supporting a connection with the computing device based on the resource status information associated with the respective access point.

9. The computer network infrastructure of claim 1, wherein:

when the program code executes:

generating a token, a one-time password or a one-time certificate, and

sending the token, the one-time password, or the one-time certificate to the computing device; and

the computing device is configured to access the network through one of the at least one of the one or more access points on the list using the token, the one-time password, or the one-time certificate.

10. The computer network infrastructure of claim 1, wherein at least one access profile is stored on a USB device, SD card, micro SD card, SIM card, or integrated circuit.

11. The computer network infrastructure of claim 1, wherein the first service set identifier for each of the one or more access points is hidden or not broadcast.

12. The computer network infrastructure of claim 1, wherein at least one of the one or more access points is further configured to collect data utilization information for at least one computing device.

13. The computer network infrastructure of claim 1, wherein:

when the program code executes:

receiving a request from a computing device to add credit for a service offering associated with the computing device, wherein the request includes an amount of credit; and

credits are added to a service plan associated with a computing device.

14. The computer network infrastructure of claim 1, wherein the list is ordered according to a signal strength of the first service set identifier associated with the computing device or according to a signal strength of the first service set identifier detected by the computing device.

15. The computer network infrastructure of claim 1, wherein the list is ordered according to a distance between each access point and a location of the computing device.

16. The computer network infrastructure of claim 1, wherein the network is connected to or includes the internet.

17. A method for load balancing a computer network infrastructure, the method comprising:

(a) receiving, by a computing system from a computing device, a request to access a network, wherein the computing system comprises at least one memory having at least one region for storing executable program code, and at least one processor for executing the program code stored in the memory, the computing device comprising at least one access profile, the network being connected with one or more access points, each of the one or more access points having a first service set identifier, the request comprising the at least one access profile, and receiving the request through a second service set identifier of one of the one or more access points;

(b) the computing system determining whether to allow the computing device to access the network based on the at least one access profile;

(c) generating, by a computing system, a list comprising at least one of one or more access points capable of supporting a connection with a computing device, wherein the generating is responsive to a determination to allow the computing device to access a network; and

(d) transmitting, by the computing system, the list to the computing device, wherein the transmitting is in response to a determination to allow the computing device to access the network.

18. The method of claim 17, wherein the list comprises a first service set identifier for each of at least one of the one or more access points.

19. The method of claim 17, wherein the second service set identifier provides a communication medium for providing authentication of access to the network by the computing device.

20. The method of claim 17, wherein the second service set identifier is restricted to providing authentication of access to the network by the computing device.

21. The method of claim 17, wherein the computing device further comprises a daemon and a software application, and wherein information is sent and received between the computing device and the computing system by the daemon and software application.

22. The method of claim 21, wherein the daemon and software application detect the first and second service set identifiers.

23. The method of claim 17, wherein generating the list further comprises determining whether each of the one or more access points is capable of supporting a connection with the computing device based on a capacity required to support the computing device associated with the respective access point.

24. The method of claim 17, wherein the computing system further comprises resource state information associated with each of the one or more access points, and wherein generating the list further comprises determining whether each of the one or more access points is capable of supporting a connection with the computing device based on the resource state information associated with the respective access point.

25. The method of claim 17, wherein:

the method further comprises the following steps:

generating a token, a one-time password or a one-time certificate, and

the computing device is configured to access the network through one of the at least one of the one or more access points using the token, the one-time password, or the one-time certificate.

26. The method of claim 17, wherein at least one access profile is stored on a USB device, SD card, micro SD card, SIM card, or integrated circuit.

27. The method of claim 17, wherein the first service set identifier for each of the one or more access points is hidden or not broadcast.

28. The method of claim 17, wherein at least one of the one or more access points is further configured to collect data utilization information for the at least one computing device.

29. The method of claim 17, further comprising:

receiving a request from a computing device to add credit to a service offering associated with the computing device, wherein the request includes an amount of credit; and

a credit amount for a service offering associated with the computing device is increased.

30. The method of claim 17, wherein the list is ordered according to a signal strength of the first service set identifier associated with the computing device or according to a signal strength of the first service set identifier detected by the computing device.

31. The method of claim 17, wherein the list is ordered according to a distance between each access point and a location of the computing device.

32. The method of claim 17, wherein the network is connected to or includes the internet.

33. A computer network infrastructure for load balancing, comprising:

a beacon access point having first and second service set identifiers;

one or more other access points, each access point having a first service set identifier;

a computing device having at least one access profile;

a network connected to one or more other access points; and

a computing system having at least one memory having at least one area for storing executable program code and at least one processor for executing the program code stored in the memory, wherein when the program code is executed:

(a) receiving a request from a computing device to access a network, wherein the request includes at least one access profile, and receiving the request through a second service set identifier;

(c) determining whether each of the beacon access point and the one or more other access points are capable of supporting a connection with the computing device;

(d) generating a list comprising at least one of a beacon access point and one or more access points capable of supporting a connection with a computing device, wherein the generating is in response to a determination to allow the computing device to access a network; and

(e) transmitting the list to the computing device, wherein the transmitting is in response to a determination to allow the computing device to access the network.

34. A computer network infrastructure as in claim 33, where the list does not include beacon access points.

35. A computer network infrastructure according to claim 33 wherein:

determining whether each of the beacon access point and the one or more other access points are capable of supporting a connection with the computing device includes determining whether each of the one or more other access points has a location that is substantially the same as a location of the beacon access point; and

the list includes only at least one of the one or more other access points that are capable of supporting a connection with the computing device and are located substantially the same as the beacon access point location.

36. A computer network infrastructure according to claim 33 wherein:

the beacon access point is associated with a beacon wireless coverage area, wherein the beacon wireless coverage area comprises a coverage area of the second service set identifier;

the one or more other access points are respectively associated with other wireless coverage areas, wherein the other wireless coverage areas include coverage areas for the first service set identifiers associated with respective ones of the one or more other access points;

determining whether each of the beacon access point and the one or more other access points are capable of supporting a connection with the computing device includes determining whether each of the other wireless coverage areas of the one or more other access points overlap with the beacon wireless coverage area; and

the other wireless coverage of each of the one or more other access points on the list overlaps with the beacon wireless coverage.

37. A computer network infrastructure according to claim 33 wherein:

each of the one or more other access points is associated with other wireless coverage, wherein the other wireless coverage includes a coverage area for a first service set identifier associated with a respective access point of the one or more other access points;

determining whether each of the beacon access point and the one or more other access points can support a connection with the computing device includes determining whether any portion of each of the other wireless signal coverage of the one or more other access points overlaps with any portion of the beacon wireless coverage; and

any portion of the other wireless coverage of each of the one or more other access points on the list overlaps with any portion of the beacon wireless coverage.

38. A method for load balancing a computer network infrastructure, the method comprising:

(a) receiving, by a computing system from a computing device, a request to access a network, wherein the computing system comprises at least one memory having at least one region for storing executable program code and at least one processor for executing the program code stored in the memory, the computing device comprises at least one access profile, the network is connected with one or more other access points, each of the one or more other access points has a first service set identifier, the request comprises the at least one access profile, and the request is received through a second service set identifier of a beacon access point;

(b) determining, by the computing system, whether to allow the computing device to access the network based on the at least one access profile;

(c) determining, by the computing system, whether each of the beacon access point and the one or more other access points are capable of supporting a connection with the computing device;

(d) generating, by the computing system, a list comprising at least one of a beacon access point and one or more other access points capable of supporting a connection with the computing device, wherein the generating is responsive to a determination to allow the computing device to access the network; and

(e) transmitting, by the computing system, the list to the computing device, wherein the transmitting is in response to a determination to allow the computing device to access the network.

39. The method of claim 38, wherein the list does not include beacon access points.

40. The method of claim 38, wherein:

determining whether each of the beacon access point and the one or more other access points are capable of supporting a connection with the computing device includes determining whether each of the one or more other access points is at substantially the same location as the location of the beacon access point; and

the list includes only at least one of the one or more other access points that are capable of supporting a connection with the computing device and that are in substantially the same location as the beacon access point.

41. The method of claim 38, wherein:

the one or more other access points are each associated with other wireless coverage, wherein the other wireless coverage includes a coverage area for the first service set identifier associated with a respective access point of the one or more other access points;

42. The method of claim 38, wherein:

the one or more other access points are each associated with other wireless coverage areas, wherein the other wireless coverage areas include coverage areas for the first service set identifiers associated with respective ones of the one or more other access points;

43. A beacon access point in a computer network infrastructure for load balancing in communication with a computing device, a computing system, and a network, wherein the network is connected to one or more other access points, each access point having a first service set identifier, wherein:

the beacon access point includes at least one memory having at least one region for storing executable program code, and at least one processor for executing the program code stored in the memory and configured to:

(a) receiving a request from a computing device to access a network, wherein the request includes at least one access profile associated with the computing device, and the request is received through a second service set identifier of a beacon access point;

(b) transmitting the request to the computing system;

(c) receiving a list from the computing system, the list including at least one of a beacon access point and one or more other access points capable of supporting connections with the computing device; and

(d) the list is transmitted to the computing device.

44. The beacon access point of claim 43, wherein the beacon access point is further configured to collect data utilization information for the at least one computing device.

45. The beacon access point of claim 43, wherein the list does not include beacon access points.

46. The beacon access point of claim 43, wherein the list includes only one or more of the one or more other access points that are capable of supporting connections with the computing device and are in substantially the same location as the beacon access point location.

47. The beacon access point of claim 43, wherein:

the one or more other access points are each associated with other wireless coverage, wherein the other wireless coverage includes a coverage area for the first service set identifier associated with a respective access point of the one or more other access points; and

48. The beacon access point of claim 43, wherein:

49. In a computer network infrastructure for load balancing, a method of operating a beacon access point, the beacon access point in communication with a computing device, a computing system, and a network, the network connected to one or more other access points, each access point having a first service set identifier, wherein the method comprises:

(a) receiving, by a beacon access point from a computing device, a request to access a network, wherein the beacon access point comprises at least one memory having at least one region for storing executable program code, and at least one processor for executing the program code stored in the memory, the request comprising at least one access profile associated with the computing device, and receiving the request through a second service set identifier of the beacon access point;

(b) transmitting, by the beacon access point, the request to the computing system;

(c) receiving, by a beacon access point from a computing system, a list comprising at least one of the beacon access point and one or more other access points capable of supporting a connection with a computing device; and

(d) the list is transmitted by the beacon access point to the computing device.

50. The method of claim 49, further comprising collecting, by the beacon access point, data utilization information for the at least one computing device.

51. The method of claim 49, wherein the list does not include beacon access points.

52. The method of claim 49, wherein the list includes only one or more of the one or more other access points that can support connections with the computing device and are in substantially the same location as the beacon access point location.

53. The method of claim 49, wherein:

54. The method of claim 49, wherein:

the one or more other access points are each associated with other wireless coverage areas, wherein the other wireless coverage areas include coverage areas for the first service set identifier associated with respective ones of the one or more other access points; and

55. A computing system for load balancing, the computing system in communication with one or more access points, access devices, and a network, comprising:

at least one memory having at least one area for storing executable program code, and at least one processor for executing the program code stored in the memory, wherein the program code when executed:

(a) receiving a request from a computing device to access a network, wherein the request includes at least one profile associated with the computing device, and the request is received through a second service set identifier associated with one of the one or more access points;

(c) generating a list comprising at least one of one or more access points capable of supporting a connection with a computing device, wherein the generating is responsive to a determination to allow the computing device to access a network; and

56. The computer system of claim 55, wherein the list comprises a first service set identifier for each of at least one of the one or more access points.

57. The computer system of claim 55, wherein the second service set identifier provides a communication medium for providing authentication of access to the network by the computing device.

58. The computer system of claim 55, wherein the second service set identifier is restricted to providing authentication of access to the network by the computing device.

59. The computer system of claim 55, wherein the computing device further comprises a daemon and a software application, and wherein information is sent and received between the computing device and the computing system by the daemon and software application.

60. The computer system of claim 59, wherein the daemon and software application detect the first and second service set identifiers.

61. The computer system of claim 55, wherein the generating of the list further comprises determining whether each of the one or more access points is capable of supporting a connection with the computing device based on a capacity to support computing devices associated with the respective access point.

62. The computer system of claim 55, wherein the computing system further comprises resource state information associated with each of the one or more access points, and wherein the generating of the list further comprises determining whether each of the one or more access points is capable of supporting a connection with the computing device based on the resource state information associated with the respective access point.

63. The computer system of claim 55, wherein:

when the program code executes:

generating a token, a one-time password or a one-time certificate, and

64. The computer system of claim 55, wherein at least one access profile is stored on a USB device, SD card, micro SD card, SIM card, or integrated circuit.

65. The computer system of claim 55, wherein the first service set identifier for each of the one or more access points is hidden or not broadcast.

66. The computer system of claim 55, wherein at least one of the one or more access points is further configured to collect data utilization information for the at least one computing device.

67. The computer system of claim 55, wherein:

when the program code executes:

68. The computer system of claim 55, wherein the list is ordered according to a signal strength of the first service set identifier associated with the computing device or according to a signal strength of the first service set identifier detected by the computing device.

69. The computer system of claim 55, wherein the list is ordered according to a distance between each access point and a location of the computing device.

70. The computer system of claim 55, wherein the network is connected to or includes the Internet.

71. A method of operating a computing system for load balancing, wherein the computing system is in communication with one or more access points, computing devices, and a network, comprising:

(a) receiving, by a computing system from a computing device, a request to access a network, wherein the computing system comprises at least one memory having at least one region for storing executable program code, and at least one processor for executing the program code stored in the memory, the request comprising at least one access profile associated with the computing device, and the request is received through a second service set identifier associated with one of the one or more access points;

72. The method of claim 71, wherein the list comprises a first service set identifier for each of at least one of the one or more access points.

73. The method of claim 71, wherein the second service set identifier provides a communication medium for providing authentication of access to the network by the computing device.

74. The method of claim 71, wherein the second service set identifier is restricted to providing authentication of access to the network by the computing device.

75. The method of claim 71, wherein the computing device further comprises a daemon and a software application, and wherein information is sent and received between the computing device and the computing system by the daemon and software application.

76. The method of claim 75, wherein the daemon and software application detect the first and second service set identifiers.

77. The method of claim 71, wherein generating the list further comprises determining whether each of the one or more access points is capable of supporting a connection with the computing device based on a capacity required to support the computing device associated with the respective access point.

78. The method of claim 71, wherein the computing system further comprises resource status information associated with each of the one or more access points, and wherein generating the list further comprises determining whether each of the one or more access points is capable of supporting a connection with the computing device based on the resource status information associated with the respective access point.

79. The method of claim 71, wherein:

the method further comprises the following steps:

generating a token, a one-time password or a one-time certificate, and

80. The method of claim 71, wherein at least one access profile is stored on a USB device, SD card, micro SD card, SIM card, or integrated circuit.

81. The method of claim 71, wherein the first service set identifier for each of the one or more access points is hidden or not broadcast.

82. The method of claim 71, wherein at least one of the one or more access points is further configured to collect data utilization information for the at least one computing device.

83. The method of claim 71, further comprising:

84. A method as defined in claim 71, wherein the list is ordered according to a signal strength of a first service set identifier associated with the computing device or according to a signal strength of a first service set identifier detected by the computing device.

85. The method of claim 71, wherein the list is ordered according to a distance between each access point and a location of the computing device.

86. The method of claim 71, wherein the network is connected to or includes the Internet.