Client device ticket

US 10,541,990 B2
Filed: 07/31/2017
Issued: 01/21/2020
Est. Priority Date: 07/31/2017
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a network device including an interface to provide access to a network, the network device being communicatively coupled to a client device, the network device to;

determine that the client device has been authenticated to the network via a captive portal page;

create a ticket comprising information identifying the client device and a timestamp value, encrypt the ticket using a secret key, and insert an identifier for the secret key in the encrypted ticket, the secret key being stored on a second network device;

transmit the encrypted ticket to the client device for storage on the client device;

receive a request from the client device to reconnect to the network, wherein the client device provides the encrypted ticket;

identify the secret key based on the identifier in the ticket, determine that the secret key is stored on the second network device, and retrieve the secret key from the second network device;

decrypt the ticket using the retrieved secret key; and

upon determining that the decrypted ticket corresponds to an authenticated session to the network by the client device, reauthenticate the client device to the network without direction of the client device to the captive portal page.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system may include a client device to connect to a network and a network device communicatively coupled to the client device. The network device may determine that the client device has been authenticated to the network via a captive portal page. The network device may further create a ticket corresponding to the client device. Possession of the ticket by the client device may indicate authentication of the client device to the network. The network device may then transmit the ticket to the client device for storage on the client device. The stored ticket may enable the client device to remain authenticated to the network after a period of inactivity.

Citations

15 Claims

1. A system, comprising:
- a network device including an interface to provide access to a network, the network device being communicatively coupled to a client device, the network device to;
  
  determine that the client device has been authenticated to the network via a captive portal page;
  
  create a ticket comprising information identifying the client device and a timestamp value, encrypt the ticket using a secret key, and insert an identifier for the secret key in the encrypted ticket, the secret key being stored on a second network device;
  
  transmit the encrypted ticket to the client device for storage on the client device;
  
  receive a request from the client device to reconnect to the network, wherein the client device provides the encrypted ticket;
  
  identify the secret key based on the identifier in the ticket, determine that the secret key is stored on the second network device, and retrieve the secret key from the second network device;
  
  decrypt the ticket using the retrieved secret key; and
  
  upon determining that the decrypted ticket corresponds to an authenticated session to the network by the client device, reauthenticate the client device to the network without direction of the client device to the captive portal page.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, further comprising the network device to:
    - receive, from the client device, information corresponding to the client device, wherein the information includes;
      
      a Media Access Control (MAC) address of the client device;
      
      an Internet Protocol (IP) address of the client device; and
      
      a user agent of the client device; and
      
      create the ticket corresponding to the client device in response to receipt of the information corresponding to the client device, wherein the ticket includes at least the MAC address of the client device, the IP address of the client device, and the user agent of the client device.
  - 3. The system of claim 1, wherein, in response to a determination that the decrypted ticket does not correspond to an authenticated session to the network by the client device, the network device to:
    - deny the request to reconnect to the network;
      
      redirect the client device to the captive portal page; and
      
      create a second ticket upon authentication of the client device at the captive portal page.
  - 4. The system of claim 1, wherein determining that the decrypted ticket corresponds to an authenticated session to the network by the client device includes the network device to determine if a data path for a session entry includes the information identifying the client device from the decrypted ticket.
  - 5. The system of claim 1, wherein the network device is further to perform a message authenticity check to authenticate an origin of the ticket.
  - 6. The system of claim 1, wherein the second network device is designated as a storage for a plurality of secret keys.

7. An access point, comprising:
- a processing resource and a memory resource;
  
  a transmitter and receiver; and
  
  an interface with a network, wherein the access point is to;
  
  receive a request from a client device to connect to the network and direct the client device to a captive portal page for authentication;
  
  upon authentication of the client device, create a ticket comprising information identifying the client device and a timestamp value, encrypt the ticket using a secret key, and insert an identifier for the secret key in the encrypted ticket, the secret key being stored on a network device connected with the network;
  
  transmit the encrypted ticket to the client device for storage on the client device;
  
  receive a request from the client device to reconnect to the network, wherein the client device provides the encrypted ticket;
  
  identify the secret key based on the identifier in the ticket, determine that the secret key is stored on the network device, and retrieve the secret key from the network device;
  
  decrypt the ticket using the retrieved secret key; and
  
  upon determining that the decrypted ticket corresponds to an authenticated session to the network by the client device, reauthenticate the client device to the network without direction of the client device to the captive portal page.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The access point of claim 7, wherein, in response to a determination that the decrypted ticket does not correspond to an authenticated session to the network by the client device, the access point to:
    - deny the request to reconnect to the network;
      
      redirect the client device to the captive portal page; and
      
      create a second ticket upon authentication of the client device at the captive portal page.
  - 9. The access point of claim 8, wherein determining that the decrypted ticket does not correspond to an authenticated session to the network by the client device includes the access point to:
    - determine that the timestamp of the decrypted ticket is expired.
  - 10. The access point of claim 7, wherein determining that the decrypted ticket corresponds to an authenticated session to the network by the client device includes the access point to:
    - determine that information included in the decrypted ticket matches information of the client device.
  - 11. The access point of claim 7, wherein a user context for the client device is deleted from the access point upon the client device being disconnected from the network.

12. A method, comprising:
- creating at a first network device a ticket corresponding to a client device authenticated to a network via a captive portal page, the ticket comprising information identifying the client device and a timestamp value;
  
  encrypting the ticket using a secret key and inserting an identifier for the secret key in the encrypted ticket, the secret key being stored on a second network device;
  
  transmitting the encrypted ticket to the client device for storage on the client device;
  
  receiving, at the first network device, a request from the client device to reconnect to the network, wherein the client device provides the encrypted ticket;
  
  identifying the secret key based on the identifier in the ticket, determining that the secret key is stored on the second network device, and retrieving the secret key from the second network device;
  
  decrypting the ticket using the retrieved secret key; and
  
  upon determining that the decrypted ticket corresponds to an authenticated session to the network by the client device, reauthenticate the client device to the network without direction of the client device to the captive portal page.
- View Dependent Claims (13, 14, 15)
- - 13. The method of claim 12, upon determining that the decrypted ticket does not correspond to an authenticated session to the network by the client, further comprising:
    - denying the client device access to the network,redirecting the client device to the captive portal page; and
      
      creating a second ticket upon authentication of the client device at the captive portal page.
  - 14. The method of claim 12, wherein the encrypted includes information received at the first network device, wherein the information corresponds to the client device and a determined time at which the client device connected to the network.
  - 15. The method of claim 12, wherein determining that the decrypted ticket corresponds to an authenticated session to the network by the client includes:
    - determining that a Media Access Control (MAC) address included in the decrypted ticket matches a MAC address of the client device;
      
      determining that an Internet Protocol (IP) address included in the decrypted ticket matches an IP address of the client device; and
      
      determining that a user agent information included in the decrypted ticket matches a user agent information of the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Aruba Networks Incorporated (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Roy, Sudeepto Kumar, Kumar, Vaibhav, Bandlamudi, Vamsi Krishna
Primary Examiner(s)
Bayou, Yonas A

Application Number

US15/665,267
Publication Number

US 20190036905A1
Time in Patent Office

904 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/062   applying encryption of the ...

H04L 2463/121   Timestamp

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/062   for key distribution, e.g. ...

H04L 63/068   using time-dependent keys, ...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/0876   based on the identity of th...

H04L 63/12   Applying verification of th...

H04L 67/02   based on web technology, e....

H04L 67/30   Profiles

H04L 9/3213   using tickets or tokens, e....

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

Client device ticket

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Client device ticket

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links