Fast re-authentication with dynamic credentials

US 20040168054A1
Filed: 02/26/2003
Published: 08/26/2004
Est. Priority Date: 02/26/2003
Status: Active Grant

First Claim

Patent Images

1. A method for a proxy server to re-authenticate clients, the steps comprising:

receiving an authentication request for a client from a network access server;

forwarding the request to an authentication server;

receiving authentication keying material from the authentication; and

storing the authenticating keying material as dynamic credentials; and

forwarding the session key to the network access server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A proxy server that is inserted between a plurality of network access servers, typically an access points, and an authentication server. When an original authentication request is received by an network access server, the network access server forwards the request to the proxy server which forwards the request to an authentication server. The authentication server then sends the session information to the proxy server which stores the keying material as a dynamic credentials. When the client re-authenticates with one of the plurality of access servers, the re-authentication request is handled by the proxy server using the dynamic credentials. The proxy server may re-authenticate the client using a different method than the method that was originally used. For example, the original authentication may be by Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) and subsequent reauthentications may use Wi-Fi Protected Access (WPA).

Citations

21 Claims

1. A method for a proxy server to re-authenticate clients, the steps comprising:
- receiving an authentication request for a client from a network access server;
  
  forwarding the request to an authentication server;
  
  receiving authentication keying material from the authentication; and
  
  storing the authenticating keying material as dynamic credentials; and
  
  forwarding the session key to the network access server.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising receiving an authentication request for the client from a second network access server and authenticating the client using the dynamic credentials.
  - 3. The method of claim 1 further comprising receiving an authentication request for the client from a second network access server and authenticating the client using the dynamic credentials and a different authentication method than used by the authentication server.
  - 4. The method of claim 1 wherein the dynamic credentials comprise a multicast key and the session key.
  - 5. The method of claim 1 wherein the authentication server is a Remote Authentication Dial-In User Server.
  - 6. The method of claim 1 wherein the network access device is an access point.
  - 7. The method of claim 1 wherein the client is a wireless client.

8. A system for providing fast re-authentication with dynamic credentials, comprising:
- a network access server a proxy authentication server connected to the plurality of network servers; and
  
  an authentication server connected to the proxy authentication server;
  
  wherein the proxy authentication servers appears as the authentication server to the network access server and the proxy authentication server appears as a network access server to the authentication server.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8 further comprising a plurality of network access servers connected to the proxy authentication server.
  - 10. The system of claim 9 wherein the network access servers are 802.1X access points.
  - 11. The system of claim 8 wherein the authentication server is a Remote Authentication Dial-In User Server.
  - 12. The system of claim 8 wherein when an original authentication request from a client is received by a one of the plurality of network servers, the original authentication request is forwarded to the proxy authentication server, the proxy authentication server forwards the original authentication request to the authentication server for authentication, the proxy authentication server storing keying material.
  - 13. The system of claim 12 wherein when a re-authentication request is received by a one of the plurality of network access servers, the proxy authentication server authenticates the client using the keying material.
  - 14. The system of claim 12 wherein the client is a wireless client.

15. A computer-readable medium of instructions, comprising:
- means for receiving an authentication request for a client from a network access server;
  
  means for forwarding the request to an authentication server;
  
  means for receiving authentication keying material from the authentication; and
  
  means for storing the authenticating keying material as dynamic credentials; and
  
  forwarding the session key to the network access server.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer-readable medium of instructions of claim 15 further comprising means for receiving an authentication request for the client from a second network access server and means for authenticating the client using the dynamic credentials.
  - 17. The computer-readable medium of instructions of claim 15 further comprising means for receiving an authentication request for the client from a second network access server and means for authenticating the client using the dynamic credentials and a different authentication method than used by the authentication server.
  - 18. The computer-readable medium of instructions of claim 15 wherein the dynamic credentials comprise a multicast key and the session key.
  - 19. The computer-readable medium of instructions of claim 15 wherein the authentication server is a Remote Authentication Dial-In User Server.
  - 20. The computer-readable medium of instructions of claim 15 wherein the network access device is an access point.
  - 21. The computer-readable medium of instructions of claim 15 wherein the client is a wireless client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Halasz, David E., Zorn, Glen W.

Granted Patent

US 7,434,044 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/155
CPC Class Codes

H04L 12/2856   Access arrangements, e.g. I...

H04L 63/08   for authentication of entit...

H04L 63/0892   by using authentication-aut...

H04L 63/162   at the data link layer

H04L 69/18   Multiprotocol handlers, e.g...

H04W 12/062   Pre-authentication

H04W 36/0038   of security context informa...

H04W 84/12   WLAN [Wireless Local Area N...

H04W 88/182   Network node acting on beha...

Fast re-authentication with dynamic credentials

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Fast re-authentication with dynamic credentials

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links