Extensible authentication and authorization of identities in an application message on a network device

US 20070289005A1
Filed: 05/26/2006
Published: 12/13/2007
Est. Priority Date: 05/26/2006
Status: Active Grant

First Claim

Patent Images

1. A data processing apparatus, comprising:

a plurality of network interfaces that are coupled to a data network for receiving one or more packets therefrom and sending one or more packets thereto;

one or more processors;

a switching system coupled to the one or more processors and packet forwarding logic, wherein the switching system and packet forwarding logic are configured to receive packets on a first network interface, determine a second network interface on which to send the packets, and to send the packets on the second network interface;

a computer-readable storage medium having stored thereon a plurality of authentication methods and a policy that associates the authentication methods with respective message types;

authentication and authorization logic comprising one or more stored sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform;

receiving one or more packets representing an application message;

determining a particular type of the application message;

identifying one or more user credential elements in the one or more packets;

selecting, based on the policy and the particular type of the application message, a particular authentication method, andvalidating the application message using the one or more user credential elements and the particular authentication method.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

User credentials are validated within a network infrastructure element such as a packet data router or switch. The network element has authentication and authorization logic for receiving one or more packets representing an input application message logically associated with OSI network model Layer 5 or above; extracting user credentials from the one or more packets; authenticating an identity associated with the user credentials; authorizing privileges to the identity; and forwarding the application message to an intended destination if the identity is successfully authenticated and/or authorized. The authentication and authorization logic in the network element can invoke extension authentication and authorization methods that may be provisioned after the network element is deployed in a networked system.

39 Citations

View as Search Results

33 Claims

1. A data processing apparatus, comprising:
- a plurality of network interfaces that are coupled to a data network for receiving one or more packets therefrom and sending one or more packets thereto;
  
  one or more processors;
  
  a switching system coupled to the one or more processors and packet forwarding logic, wherein the switching system and packet forwarding logic are configured to receive packets on a first network interface, determine a second network interface on which to send the packets, and to send the packets on the second network interface;
  
  a computer-readable storage medium having stored thereon a plurality of authentication methods and a policy that associates the authentication methods with respective message types;
  
  authentication and authorization logic comprising one or more stored sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform;
  
  receiving one or more packets representing an application message;
  
  determining a particular type of the application message;
  
  identifying one or more user credential elements in the one or more packets;
  
  selecting, based on the policy and the particular type of the application message, a particular authentication method, andvalidating the application message using the one or more user credential elements and the particular authentication method.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 31)
- - 2. The apparatus of claim 1, wherein the one or more packets comprise one or more protocol headers, and wherein a subset of the one or more user credential elements is located in the one or more protocol headers.
  - 3. The apparatus of claim 1, wherein the application message comprises an application message header, and wherein a subset of the one or more user credential elements is located in the application message header.
  - 4. The apparatus of claim 1, wherein the authentication and authorization logic further comprises sequences of instructions which, when executed by the processor, cause the processor to perform extracting an application message payload from the application message, and identifying a subset of the one or more user credential elements in the application message payload.
  - 5. The apparatus of claim 1, wherein the authentication and authorization logic further comprises sequences of instructions which, when executed by the processor, cause the processor to perform forwarding an outgoing message associated with the application message to a destination.
  - 6. The apparatus of claim 1, wherein the authentication and authorization logic further comprises sequences of instructions which, when executed by the processor, cause the processor to perform authenticating an identity associated with the one or more user credential elements.
  - 7. The apparatus of claim 6, wherein the authentication and authorization logic further comprises sequences of instructions which, when executed by the processor, cause the processor to perform executing the particular authentication method by sending the user credentials to an authentication service provider and requesting authentication of the user credentials.
  - 8. The apparatus of claim 6, wherein the authentication and authorization logic further comprises sequences of instructions which, when executed by the processor, cause the processor to perform authorizing one or more privileges associated with the identity.
  - 9. The apparatus of claim 8, wherein the computer-readable medium has stored thereon a plurality of authorization methods, wherein the policy associates the authorization methods with the respective message types, and wherein the authentication and authorization logic further comprises sequences of instructions which, when executed by the processor, cause the processor to perform selecting, based on the policy and the particular type of the application message, a particular authorization method, and executing the particular authorization method by sending the identity to an authorization service provider and requesting authorization of the one or more privileges associated with the identity.
  - 10. The apparatus of claim 1, wherein the computer-readable storage medium further comprises a plurality of user credential location definitions that specify locations of user credentials for various types of application messages, and wherein identifying one or more user credential elements includes selecting a particular user credential location definition and performing the identifying based on the particular user credential location definition.
  - 11. The apparatus of claim 1, wherein the apparatus comprises any of a packet data router and a packet data switch in a packet-switched network.
  - 31. The apparatus of claim 1, wherein the one or more stored sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform determining a particular type of the application message further comprises one or more stored sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform enabling a user to define a plurality of message types and wherein the one or more stored sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform selecting a particular authentication method further comprises one or more stored sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform enabling a user to define an association between a particular authentication method with a corresponding message type.

12. A machine-implemented method, comprising:
- receiving one or more packets representing an application message;
  
  determining a particular type of the application message;
  
  identifying one or more user credential elements in the one or more packets;
  
  selecting, based on a policy and the particular type of the application message, a particular authentication method, wherein the policy associates a plurality of authentication methods with respective message types; and
  
  validating the application message using the one or more user credential elements and the particular authentication method.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 32)
- - 13. The method of claim 12, wherein the one or more packets comprise one or more protocol headers, and wherein a subset of the one or more user credential elements is located in the one or more protocol headers.
  - 14. The method of claim 12, wherein the application message comprises an application message header, and wherein a subset of the one or more user credential elements is located in the application message header.
  - 15. The method of claim 12, further comprising the steps of extracting an application message payload from the application message, and identifying a subset of the one or more user credential elements in the application message payload.
  - 16. The method of claim 12, further comprising the step of forwarding an outgoing message associated with the application message to a destination.
  - 17. The method of claim 12, further comprising the step of authenticating an identity associated with the one or more user credential elements.
  - 18. The method of claim 17, further comprising the step of executing the particular authentication method by sending the user credentials to an authentication service provider and requesting authentication of the user credentials.
  - 19. The method of claim 17, further comprising the step of authorizing one or more privileges associated with the identity.
  - 20. The method of claim 19, further comprising the steps of selecting, based on the policy and the particular type of the application message, a particular authorization method, and executing the particular authorization method by sending the identity to an authorization service provider and requesting authorization of the one or more privileges associated with the identity.
  - 21. The method of claim 12, wherein the step of identifying one or more user credential elements includes selecting a particular user credential location definition and performing the identifying based on the particular user credential location definition.
  - 32. The method of claim 12, wherein the step of determining a particular type of the application message further comprises enabling a user to define a plurality of message types and wherein the step of selecting a particular authentication method further comprises enabling a user to define an association between a particular authentication method with a corresponding message type.

22. A computer-readable medium carrying one or more sequences of instructions, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- receiving one or more packets representing an application message;
  
  determining a particular type of the application message;
  
  identifying one or more user credential elements in the one or more packets;
  
  selecting, based on the policy and the particular type of the application message, a particular authentication method, andvalidating the application message using the one or more user credential elements and the particular authentication method.

23. A data processing apparatus, comprising:
- a plurality of network interfaces that are coupled to a data network for receiving one or more packets therefrom and sending one or more packets thereto;
  
  one or more processors;
  
  a switching system coupled to the one or more processors and packet forwarding logic, wherein the switching system and packet forwarding logic are configured to receive packets on a first network interface, determine a second network interface on which to send the packets, and to send the packets on the second network interface;
  
  a computer-readable storage medium having stored thereon a plurality of authentication methods and a policy that associates the authentication methods with respective message types;
  
  means for receiving one or more packets representing an application message;
  
  means for determining a particular type of the application message;
  
  means for identifying one or more user credential elements in the one or more packets;
  
  means for selecting, based on the policy and the particular type of the application message, a particular authentication method, andmeans for validating the application message using the one or more user credential elements and the particular authentication method.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 33)
- - 24. The apparatus of claim 23, wherein the one or more packets comprise one or more protocol headers, and wherein a subset of the one or more user credential elements is located in the one or more protocol headers.
  - 25. The apparatus of claim 23, wherein the application message comprises an application message header, and wherein a subset of the one or more user credential elements is located in the application message header.
  - 26. The apparatus of claim 23, further comprising means for extracting an application message payload from the application message, and identifying a subset of the one or more user credential elements in the application message payload.
  - 27. The apparatus of claim 23, further comprising means for forwarding an outgoing message associated with the application message to a destination.
  - 28. The apparatus of claim 23, further comprising means for authenticating an identity associated with the one or more user credential elements.
  - 29. The apparatus of claim 28, further comprising means for authorizing one or more privileges associated with the identity.
  - 30. The apparatus of claim 23, wherein the means for identifying one or more user credential elements includes means for selecting a particular user credential location definition and performing the identifying based on the particular user credential location definition.
  - 33. The method of claim 23, wherein the means for determining a particular type of the application message further comprises means for enabling a user to define a plurality of message types and wherein the means for selecting a particular authentication method further comprises means for enabling a user to define an association between a particular authentication method with a corresponding message type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Kumar, Sandeep, Jiang, Yuquan, Dashora, Vinod K., Iyer, Subramanian N.

Granted Patent

US 8,613,056 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/10
CPC Class Codes

H04L 63/08 for authentication of entit...

H04L 63/104 Grouping of entities

Extensible authentication and authorization of identities in an application message on a network device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

39 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Extensible authentication and authorization of identities in an application message on a network device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links