System and method for authentication of SP Ethernet aggregation networks

US 20060268856A1
Filed: 05/31/2005
Published: 11/30/2006
Est. Priority Date: 05/31/2005
Status: Active Grant

First Claim

Patent Images

1. A processor-implemented method of operation for a user-facing provider edge (u-PE) device of an Ethernet access network, the method comprising:

receiving a message from a subscriber-premises device, the message being compatible with an authentication protocol and being transported from the subscriber-premises device to the u-PE device in compliance with an IEEE 802.1x compatible protocol; and

allowing or denying access to the Ethernet access network based on a logical identifier contained in the message.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A Service Provider (SP) authentication method includes receiving a message from a subscriber-premises device, the message being compatible with an authentication protocol and being transported from the subscriber-premises device to a u-PE device operating in compliance with an IEEE 802.1x compatible protocol. Access to the SP network is either allowed or denied access based on a logical identifier contained in the message. It is emphasized that this abstract is provided to comply with the rules requiring an abstract that will allow a searcher or other reader to quickly ascertain the subject matter of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims. 37 CFR 1.72(b).

121 Citations

View as Search Results

27 Claims

1. A processor-implemented method of operation for a user-facing provider edge (u-PE) device of an Ethernet access network, the method comprising:
- receiving a message from a subscriber-premises device, the message being compatible with an authentication protocol and being transported from the subscriber-premises device to the u-PE device in compliance with an IEEE 802.1x compatible protocol; and
  
  allowing or denying access to the Ethernet access network based on a logical identifier contained in the message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The processor-implemented method of claim 1 wherein the subscriber-premises device comprises a residential gateway (RG) device.
  - 3. The processor-implemented method of claim 1 wherein the Ethernet access network comprises an Ethernet Digital Subscriber Line Access Multiplexer (DSLAM) aggregation network.
  - 4. The processor-implemented method of claim 1 wherein the message comprises an Extensible Authentication Protocol (EAP) message.
  - 5. The processor-implemented method of claim 1 wherein the logical identifier comprises a Media Access Control (MAC) address.
  - 6. The processor-implemented method of claim 1 further comprising validating user credentials provided by the subscriber-premises device at an authentication, authorization, and accounting (AAA) server.
  - 7. The processor-implemented method of claim 3 further comprising:
    - opening a port of a Broadband Remote Access Server (BRAS) device to traffic that includes frames that contain information other than the EAP messages.
  - 8. The processor-implemented method of claim 4 further comprising:
    - executing a Dynamic Host Configuration Protocol (DHCP) process to provide the subscriber-premises device with an Internet protocol (IP) address.

9. A processor-implemented method of operation for a user-facing provider edge (u-PE) device of a Service Provider (SP) subscriber Ethernet aggregation network, the method comprising:
- receiving a message from a subscriber-premises device, the message being compatible with a first protocol and being transported from the subscriber-premises device to the u-PE device in compliance with an IEEE 802.1x compatible protocol;
  
  sending a network access request to a server in accordance with a second protocol, the network access request including subscriber identity information;
  
  receiving a validation message from the server;
  
  authorizing traffic associated with a particular application layer service between the subscriber-premises device and the SP subscriber Ethernet aggregation network based on a first logical identifier.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The processor-implemented method of claim 9 wherein the first logical identifier comprises a Media Access Control (MAC) address.
  - 11. The processor-implemented method of claim 9 wherein the particular application layer service includes a voice over Internet protocol service.
  - 12. The processor-implemented method of claim 9 wherein the particular application layer service includes a data service.
  - 13. The processor-implemented method of claim 9 wherein the particular application layer service includes a video service.
  - 14. The processor-implemented method of claim 9 further comprising:
    - authorizing traffic associated with a different service between the subscriber-premises device and the SP subscriber Ethernet aggregation network based on a second logical identifier.
  - 15. The processor-implemented method of claim 9 wherein the server comprises a Broadband Remote Access Server (BRAS) device and the message comprises an Extensible Authentication Protocol (EAP) message.
  - 16. The processor-implemented method of claim 15 further comprising:
    - opening a port of the BRAS device to traffic that includes frames that contain information other than EAP messages.
  - 17. The processor-implemented method of claim 9 further comprising:
    - executing a Dynamic Host Configuration Protocol (DHCP) process to provide the subscriber-premises device with an Internet protocol (IP) address.

18. A user-facing provider edge (u-PE) device for association with an Ethernet access network, the u-PE device comprising:
- a port;
  
  an authenticator compatible with an IEEE 802.1x compatible protocol, the authenticator being configured to communicate with a supplicant device of a residential gateway (RG) device over the IEEE 802.1x compatible protocol, and with a network server that stores credential information of the supplicant device via a different authentication protocol, the authenticator opening the port to traffic between the RG device and the Ethernet access network on a per application layer service basis.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The u-PE device of claim 18 wherein the different authentication protocol comprises the Remote Authentication Dial-In User Service (RADIUS) protocol.
  - 20. The u-PE device of claim 18 wherein a particular application layer service is identified by a Media Access Control (MAC) address.
  - 21. The u-PE device of claim 18 wherein a particular application layer service is identified by an Ethertype.
  - 22. The u-PE device of claim 21 wherein the particular application layer service comprises a data service.
  - 23. The u-PE device of claim 20 wherein the particular application layer service comprises a video service.

24. A user-facing provider edge (u-PE) device for association with an Ethernet access network, the u-PE device comprising:
- a port;
  
  means for communicating with a subscriber-premises device via Extensible Authentication Protocol (EAP) messages carried over an IEEE 802.1x compatible protocol, and for communicating with an authentication, authorization, and accounting (AAA) server that stores user credential information, the means opening the port to traffic between the subscriber-premises device and the Ethernet access network on a per application layer service basis upon validation of credential information provided by the subscriber-premises device.

25. A Service Provider (SP) subscriber Ethernet access network, comprising:
- a Layer 1 (L1) transport device that connects with a subscriber-premises device;
  
  an authentication, authorization, and accounting (AAA) server that stores user credential information;
  
  a user-facing provider edge (u-PE) device coupled to the AAA server and to the subscriber-premises device through the L1 transport device, the u-PE having a physical port and including means for communicating with a subscriber-premises device via Extensible Authentication Protocol (EAP) messages carried over an IEEE 802.1x compatible protocol, and for communicating with the AAA server via a different protocol, the means opening the physical port to traffic between the subscriber-premises device and the SP subscriber Ethernet access network on a per application layer service basis upon validation of credential information provided by the subscriber-premises device, with individual application layer services being identified by a Media Access Control (MAC) address.
- View Dependent Claims (27)
- - 27. The computer program product of claim 25 wherein the individual application layer services are identified by a Media Access Control (MAC) address.

26. A computer program product comprising a computer useable medium and computer readable code embodied on the computer useable medium, execution of the computer readable code causing the computer program product to configure a user-facing provider edge (u-PE) device to:
- communicate with a subscriber-premises device via Extensible Authentication Protocol (EAP) messages carried over an IEEE 802.1x compatible protocol; and
  
  communicate with the AAA server via a different protocol;
  
  open a physical port to traffic between the subscriber-premises device and an Ethernet access network on a per application layer service basis upon validation of credential information provided by the subscriber-premises device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Foo, Ian, Roiger, Wayne, Voit, Eric

Granted Patent

US 8,094,663 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/389
CPC Class Codes

H04L 63/0838   using one-time-passwords

H04L 63/0892   by using authentication-aut...

H04L 63/162   at the data link layer

System and method for authentication of SP Ethernet aggregation networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

121 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for authentication of SP Ethernet aggregation networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

121 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links