Internetwork authentication

US 10,243,956 B2
Filed: 04/25/2018
Issued: 03/26/2019
Est. Priority Date: 08/30/2012
Status: Active Grant

First Claim

Patent Images

1. A internetwork authentication method comprising:

receiving, by an internetwork authentication proxy, an authentication request for a station in a first network to access a second network from a first local authoritative user datastore interface in the first network;

determining, by the internetwork authentication proxy, a second local authoritative user datastore interface in the second network as a destination of the authentication request, based on the authentication request and an authentication proxy rule;

upon determining the second local authoritative user datastore interface as the destination, routing, by the internetwork authentication proxy, the authentication request to the second local authoritative user datastore interface in the second network, such that internetwork authentication for the station in the first network is carried out in the second network;

receiving, by the internetwork authentication proxy, an authentication result of the internetwork authentication from the second local authoritative user datastore interface in the second network;

sending, by the internetwork authentication proxy, the authentication result of the internetwork authentication to the first local authoritative user datastore interface in the first network, such that the station in the first network gets access to the second network.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for network authentication interoperability involves initiating an authentication procedure on a first network, authenticating on a second network, and allowing access at the first network. The technique can include filtering access to a network, thereby restricting access to users with acceptable credentials. Offering a service that incorporates these techniques can enable incorporation of the techniques into an existing system with minimal impact to network configuration.

Citations

20 Claims

1. A internetwork authentication method comprising:
- receiving, by an internetwork authentication proxy, an authentication request for a station in a first network to access a second network from a first local authoritative user datastore interface in the first network;
  
  determining, by the internetwork authentication proxy, a second local authoritative user datastore interface in the second network as a destination of the authentication request, based on the authentication request and an authentication proxy rule;
  
  upon determining the second local authoritative user datastore interface as the destination, routing, by the internetwork authentication proxy, the authentication request to the second local authoritative user datastore interface in the second network, such that internetwork authentication for the station in the first network is carried out in the second network;
  
  receiving, by the internetwork authentication proxy, an authentication result of the internetwork authentication from the second local authoritative user datastore interface in the second network;
  
  sending, by the internetwork authentication proxy, the authentication result of the internetwork authentication to the first local authoritative user datastore interface in the first network, such that the station in the first network gets access to the second network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising establishing an encrypted tunnel between the internetwork authentication proxy and the first local authoritative user datastore interface, wherein the authentication request is received by the internetwork authentication proxy from the first local authoritative user datastore interface through the encrypted tunnel.
  - 3. The method of claim 1, further comprising establishing an encrypted tunnel between the internetwork authentication proxy and the first local authoritative user datastore interface, wherein the authentication result is sent by the internetwork authentication proxy to the first local authoritative user datastore interface through the encrypted tunnel.
  - 4. The method of claim 1, further comprising establishing an encrypted tunnel between the internetwork authentication proxy and the second local authoritative user datastore interface, wherein the authentication request is routed by the internetwork authentication proxy to the second local authoritative user datastore interface through the encrypted tunnel.
  - 5. The method of claim 1, further comprising establishing an encrypted tunnel between the internetwork authentication proxy and the second local authoritative user datastore interface, wherein the authentication result is received by the internetwork authentication proxy from the second local authoritative user datastore interface through the encrypted tunnel.
  - 6. The method of claim 1, further comprising:
    - establishing a first encrypted tunnel between the internetwork authentication proxy and the first local authoritative user datastore interface for communication therebetween using a first pre-shared key (PSK);
      
      establishing a second encrypted tunnel between the internetwork authentication proxy and the second local authoritative user datastore interface for communication therebetween using a second PSK.
  - 7. The method of claim 1, further comprising determining, by the internetwork authentication proxy, whether the authentication request is allowed to be routed to the destination, based on the authentication request and a filtering rule, wherein the authentication request is routed to the second local authoritative user datastore interface upon determining that the authentication request is allowed to be routed to the destination.
  - 8. The method of claim 1, further comprising determining, by the internetwork authentication proxy, whether the authentication request is allowed to be routed to the destination, based on the authentication request and a filtering rule, wherein authentication request routing is terminated upon determining that the authentication request is not allowed to be routed to the destination.
  - 9. The method of claim 1, further comprising:
    - receiving, by the internetwork authentication proxy, a second authentication request for a second station in the second network to access the first network from the second local authoritative user datastore interface in the second network;
      
      determining, by the internetwork authentication proxy, the first local authoritative user datastore interface in the first network as a second destination of the second authentication request, based on the second authentication request and the authentication proxy rule;
      
      upon determining the first local authoritative user datastore interface as the second destination, routing, by the internetwork authentication proxy, the second authentication request to the first local authoritative user datastore interface in the first network, such that second internetwork authentication for the second station in the second network is carried out in the first network;
      
      receiving, by the internetwork authentication proxy, a second authentication result of the second internetwork authentication from the first local authoritative user datastore interface in the first network;
      
      sending, by the internetwork authentication proxy, the second authentication result of the second internetwork authentication to the second local authoritative user datastore interface in the second network, such that the second station in the second network gets access to the first network.
  - 10. The method of claim 1, wherein the internetwork authentication proxy is provided outside the first network and the second network.

11. An internetwork authentication proxy system comprising:
- one or more processors;
  
  memory storing instructions, when executed by the one or more processors, configured to cause the one or more processors to;
  
  receive an authentication request for a station in a first network to access a second network from a first local authoritative user datastore interface in the first network;
  
  determine a second local authoritative user datastore interface in the second network as a destination of the authentication request, based on the authentication request and an authentication proxy rule;
  
  upon determining the second local authoritative user datastore interface as the destination, route the authentication request to the second local authoritative user datastore interface in the second network, such that internetwork authentication for the station in the first network is carried out in the second network;
  
  receive an authentication result of the internetwork authentication from the second local authoritative user datastore interface in the second network;
  
  send the authentication result of the internetwork authentication to the first local authoritative user datastore interface in the first network, such that the station in the first network gets access to the second network.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11, wherein the instructions are further configured to cause the one or more processors to:
    - establish an encrypted tunnel between the internetwork authentication proxy and the first local authoritative user datastore interface;
      
      receive the authentication request from the first local authoritative user datastore interface through the encrypted tunnel.
  - 13. The system of claim 11, wherein the instructions are further configured to cause the one or more processors to:
    - establish an encrypted tunnel between the internetwork authentication proxy and the first local authoritative user datastore interface;
      
      send the authentication result to the first local authoritative user datastore interface through the encrypted tunnel.
  - 14. The system of claim 11, wherein the instructions are further configured to cause the one or more processors to:
    - establish an encrypted tunnel between the internetwork authentication proxy and the second local authoritative user datastore interface;
      
      route the authentication request to the second local authoritative user datastore interface through the encrypted tunnel.
  - 15. The system of claim 11, wherein the instructions are further configured to cause the one or more processors to:
    - establish an encrypted tunnel between the internetwork authentication proxy and the second local authoritative user datastore interface;
      
      receive the authentication result from the second local authoritative user datastore interface through the encrypted tunnel.
  - 16. The system of claim 11, wherein the instructions are further configured to cause the one or more processors to:
    - establish a first encrypted tunnel between the internetwork authentication proxy and the first local authoritative user datastore interface for communication therebetween using a first pre-shared key (PSK);
      
      establish a second encrypted tunnel between the internetwork authentication proxy and the second local authoritative user datastore interface for communication therebetween using a second PSK.
  - 17. The system of claim 11, wherein the instructions are further configured to cause the one or more processors to:
    - determine whether the authentication request is allowed to be routed to the destination, based on the authentication request and a filtering rule;
      
      route the authentication request to the second local authoritative user datastore interface upon determining that the authentication request is allowed to be routed to the destination.
  - 18. The system of claim 11, wherein the instructions are further configured to cause the one or more processors to:
    - determine whether the authentication request is allowed to be routed to the destination, based on the authentication request and a filtering rule;
      
      terminate authentication request routing upon determining that the authentication request is not allowed to be routed to the destination.
  - 19. The system of claim 11, wherein the instructions are further configured to cause the one or more processors to:
    - receive a second authentication request for a second station in the second network to access the first network from the second local authoritative user datastore interface in the second network;
      
      determine the first local authoritative user datastore interface in the first network as a second destination of the second authentication request, based on the second authentication request and the authentication proxy rule;
      
      upon determining the first local authoritative user datastore interface as the second destination, route the second authentication request to the first local authoritative user datastore interface in the first network, such that second internetwork authentication for the second station in the second network is carried out in the first network;
      
      receive a second authentication result of the second internetwork authentication from the first local authoritative user datastore interface in the first network;
      
      send the second authentication result of the second internetwork authentication to the second local authoritative user datastore interface in the second network, such that the second station in the second network gets access to the first network.

20. An internetwork authentication proxy system comprising:
- a means for receiving an authentication request for a station in a first network to access a second network from a first local authoritative user datastore interface in the first network;
  
  a means for determining a second local authoritative user datastore interface in the second network as a destination of the authentication request, based on the authentication request and an authentication proxy rule;
  
  a means for routing, upon determining the second local authoritative user datastore interface as the destination, the authentication request to the second local authoritative user datastore interface in the second network, such that internetwork authentication for the station in the first network is carried out in the second network;
  
  a means for receiving an authentication result of the internetwork authentication from the second local authoritative user datastore interface in the second network;
  
  a means for sending the authentication result of the internetwork authentication to the first local authoritative user datastore interface in the first network, such that the station in the first network gets access to the second network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
Aerohive Networks Incorporated (Extreme Networks, Inc.)
Inventors
Sakura, Kenshin, Gast, Matthew Stuart, Fu, Long
Primary Examiner(s)
Chang, Kenneth W

Application Number

US15/962,816
Publication Number

US 20180248876A1
Time in Patent Office

335 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0884   by delegation of authentica...

H04L 63/0892   by using authentication-aut...

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04W 12/069   using certificates or pre-s...

Internetwork authentication

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Internetwork authentication

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links