Split authentication network systems and methods

US 10,397,211 B2
Filed: 03/15/2018
Issued: 08/27/2019
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving one or more packets wirelessly transmitted from a user device through a wireless access point to access a trusted network;

determining a type of an extensible authorization protocol (EAP) associated with the user device based on the one or more packets;

upon determining that the type of EAP associated with the user device is a first EAP, routing the one or more packets to a first authentication server provided in the trusted network and associated with the first EAP, for authentication of the user device according to the first EAP;

upon determining that the type of EAP associated with the user device is a second EAP different from the first EAP, routing the one or more packets to a second authentication server provided in the trusted network and associated with the second EAP, for authentication of the user device according to the second EAP;

wherein the first EAP involves a server certificate and does not involve a self-signed user certificate for authentication, and the second EAP involves a server certificate and a self-signed user certificate for authentication.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a system comprising: an authentication datastore; a device presence engine; a traffic monitor engine; an authentication presence monitor engine; an authentication server selection engine; and a traffic routing engine. In operation: the device presence engine is configured to detect presence of a user device on a trusted network; the traffic monitor engine is configured to monitor, in response to the detection, traffic on the trusted network from the device; the authentication presence monitor engine is configured to evaluate onboarding characteristics of the user device in response to the monitoring; the authentication server selection engine is configured to select one of a plurality of authentication servers to authenticate the user device to the trusted network, the selecting based on the onboarding characteristics; and the traffic routing engine is configured to route traffic from the user device to the selected authentication server.

90 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving one or more packets wirelessly transmitted from a user device through a wireless access point to access a trusted network;
  
  determining a type of an extensible authorization protocol (EAP) associated with the user device based on the one or more packets;
  
  upon determining that the type of EAP associated with the user device is a first EAP, routing the one or more packets to a first authentication server provided in the trusted network and associated with the first EAP, for authentication of the user device according to the first EAP;
  
  upon determining that the type of EAP associated with the user device is a second EAP different from the first EAP, routing the one or more packets to a second authentication server provided in the trusted network and associated with the second EAP, for authentication of the user device according to the second EAP;
  
  wherein the first EAP involves a server certificate and does not involve a self-signed user certificate for authentication, and the second EAP involves a server certificate and a self-signed user certificate for authentication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the first authentication server is incorporated in a dedicated authentication server for the trusted network provided in the trusted network separately from the wireless access point, and the second authentication server is incorporated in the wireless access point, andthe first EAP involves a server certificate and does not involve a self-signed user certificate for authentication, and the second EAP involves a server certificate and a self-signed user certificate for authentication.
  - 3. The method of claim 1, wherein the one or more packets are received by the wireless access point, the EAP associated with the user device is determined by the wireless access point, and the one or more packets are routed by the wireless access point.
  - 4. The method of claim 1, wherein the one or more packets are received by the wireless access point, the EAP associated with the user device is determined by the wireless access point, and the one or more packets are routed by the wireless access point, andthe first authentication server is incorporated in a dedicated authentication server for the trusted network provided in the trusted network separately from the wireless access point, and the second authentication server is incorporated in the wireless access point.
  - 5. The method of claim 1, wherein the one or more packets are received by a dedicated authentication server for the trusted network provided in the trusted network separately from the wireless access point, the EAP associated with the user device is determined by the dedicated authentication server, and the one or more packets are routed by the dedicated authentication server.
  - 6. The method of claim 1, wherein the one or more packets are received by a dedicated authentication server for the trusted network provided in the trusted network separately from the wireless access point, the EAP associated with the user device is determined by the dedicated authentication server, and the one or more packets are routed by the dedicated authentication server, andthe first authentication server is incorporated in a dedicated authentication server, and the second authentication server is incorporated in the wireless access point.
  - 7. The method of claim 1, wherein the one or more packets include a media access control (MAC) address of the user device, and the EAP associated with the user device is determined based on the MAC address of the user device.
  - 8. The method of claim 1, wherein the one or more packets include information on an operating system of the user device, and the EAP associated with the user device is determined based on the information on the operating system of the user device.
  - 9. The method of claim 1, further comprising obtaining, from a directory, a listing of authentication servers indicating one or more EAPs supported by the authentication servers, wherein the routing the one or more packets to the first and second authentication server is performed based on the listing.

10. A system comprising:
- one or more processors;
  
  memory coupled to the one or more processors, the memory configured to store instructions to instruct the one or more processors to perform a computer-implemented method, the computer-implemented method comprising;
  
  receiving one or more packets wirelessly transmitted from a user device through a wireless access point to access a trusted network;
  
  determining a type of an extensible authorization protocol (EAP) associated with the user device based on the one or more packets;
  
  upon determining that the type of EAP associated with the user device is a first EAP, routing the one or more packets to a first authentication server provided in the trusted network and associated with the first EAP, for authentication of the user device according to the first EAP;
  
  upon determining that the type of EAP associated with the user device is a second EAP different from the first EAP, routing the one or more packets to a second authentication server provided in the trusted network and associated with the second EAP, for authentication of the user device according to the second EAP;
  
  wherein the first EAP involves a server certificate and does not involve a self-signed user certificate for authentication, and the second EAP involves a server certificate and a self-signed user certificate for authentication.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The system of claim 10, wherein the first authentication server is incorporated in a dedicated authentication server for the trusted network provided in the trusted network separately from the wireless access point, and the second authentication server is incorporated in the wireless access point, andthe first EAP involves a server certificate and does not involve a self-signed user certificate for authentication, and the second EAP involves a server certificate and a self-signed user certificate for authentication.
  - 12. The system of claim 10, wherein the system is incorporated in the wireless access point.
  - 13. The system of claim 10, wherein the system and the second authentication server are incorporated in the wireless access point, and the first authentication server is incorporated in a dedicated authentication server for the trusted network provided in the trusted network separately from the wireless access point.
  - 14. The system of claim 10, wherein the system is incorporated in a dedicated authentication server for the trusted network provided in the trusted network separately from the wireless access point.
  - 15. The system of claim 10, wherein the system and the first authentication server are incorporated in a dedicated authentication server for the trusted network provided in the trusted network separately from the wireless access point, and the second authentication server is incorporated in the wireless access point.
  - 16. The system of claim 10, wherein the one or more packets include a media access control (MAC) address of the user device, and the EAP associated with the user device is determined based on the MAC address of the user device.
  - 17. The system of claim 10, wherein the one or more packets include information on an operating system of the user device, and the EAP associated with the user device is determined based on the information on the operating system of the user device.

18. A method comprising:
- receiving one or more packets wirelessly transmitted from a user device through a wireless access point to access a trusted network;
  
  determining a type of an EAP associated with the user device based on the one or more packets;
  
  upon determining that the type of extensible authorization protocol (EAP) associated with the user device is a first EAP, routing the one or more packets to a first authentication server provided in the trusted network and associated with the first EAP, for authentication of the user device according to the first EAP;
  
  upon determining that the type of EAP associated with the user device is a second EAP different from the first EAP, routing the one or more packets to a second authentication server provided in the trusted network and associated with the second EAP, for authentication of the user device according to the second EAP;
  
  wherein the one or more packets include information on an operating system of the user device, and the EAP associated with the user device is determined based on the information on the operating system of the user device.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, wherein the one or more packets are received by the wireless access point, the EAP associated with the user device is determined by the wireless access point, and the one or more packets are routed by the wireless access point.
  - 20. The method of claim 18, wherein the one or more packets include a media access control (MAC) address of the user device, and the EAP associated with the user device is determined based on the MAC address of the user device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
Aerohive Networks Incorporated (Extreme Networks, Inc.)
Inventors
Zou, Xu, Sakura, Kenshin, Li, Mingliang
Primary Examiner(s)
Pyzocha, Michael
Assistant Examiner(s)
Callahan, Paul E

Application Number

US15/922,019
Publication Number

US 20180205717A1
Time in Patent Office

530 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0876   based on the identity of th...

H04L 63/205   involving negotiation or de...

Split authentication network systems and methods

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

90 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Split authentication network systems and methods

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links