Extensible authentication and authorization of identities in an application message on a network device
First Claim
1. A data processing apparatus, comprising:
a plurality of network interfaces that are coupled to a data network for receiving one or more packets therefrom and sending one or more packets thereto;
one or more processors;
a switching system coupled to the one or more processors and packet forwarding logic, wherein the switching system and packet forwarding logic are configured to receive packets on a first network interface, determine a second network interface on which to send the packets, and to send the packets on the second network interface;
a computer-readable storage medium having stored thereon a plurality of authentication methods and a policy that associates the authentication methods with respective message types;
authentication and authorization logic comprising one or more stored sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform:
receiving one or more packets representing an application message;
determining a particular type of the application message;
identifying one or more user credential elements in the one or more packets;
selecting, based on the policy and the particular type of the application message, a particular authentication method; and
validating the application message using the one or more user credential elements and the particular authentication method.
Abstract
User credentials are validated within a network infrastructure element such as a packet data router or switch. The network element has authentication and authorization logic for receiving one or more packets representing an input application message logically associated with OSI network model Layer 5 or above; extracting user credentials from the one or more packets; authenticating an identity associated with the user credentials; authorizing privileges to the identity; and forwarding the application message to an intended destination if the identity is successfully authenticated and/or authorized. The authentication and authorization logic in the network element can invoke extension authentication and authorization methods that may be provisioned after the network element is deployed in a networked system.
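The validation flow the abstract describes (reassemble the application message, determine its type, extract the credential elements, select an authentication method from a policy keyed on message type, authenticate, authorize, then forward) as an added Python example. This is illustrative code written for this page, not code from the patent or its assignee. It assumes a constructed toy wire format (a request line, header lines, a blank line, a body), a constructed password store and shared HMAC key, and two hypothetical methods: `basic_auth`, present at deployment, and `hmac_token_auth`, registered afterwards through `register_method` to stand in for an extension method provisioned after the element is deployed. Message types with no policy entry are dropped rather than forwarded.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed sample state for this example; none of it comes from the patent text.
USER_DB = {"alice": "s3cret", "bob": "hunter2"}                     # password store for basic_auth
HMAC_KEY = b"demo-shared-key"                                       # shared key for the token extension method
AUTHZ = {"alice": {"ORDER", "QUERY", "REPORT"}, "bob": {"QUERY"}}   # identity -> message types it may send


@dataclass
class AppMessage:
    msg_type: str
    headers: Dict[str, str]
    body: bytes
    dest: str


def parse_message(raw: bytes) -> AppMessage:
    """Reassemble the application message and determine its type.

    Toy wire format (constructed): 'TYPE DEST\\r\\n', 'Key: Value' header lines,
    a blank line, then the body. Any deviation raises ValueError.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header terminator")
    lines = head.decode("ascii").split("\r\n")        # UnicodeDecodeError is a ValueError subclass
    msg_type, _, dest = lines[0].partition(" ")
    if not msg_type or not dest:
        raise ValueError("bad request line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("bad header line")
        headers[key.strip().lower()] = value.strip()
    return AppMessage(msg_type, headers, body, dest)


def extract_credentials(msg: AppMessage) -> Optional[Dict[str, str]]:
    """Identify the user credential elements carried in the message; None if absent or malformed."""
    scheme, _, value = msg.headers.get("authorization", "").partition(" ")
    if scheme == "Basic":
        try:
            user, sep, password = base64.b64decode(value, validate=True).decode("ascii").partition(":")
        except ValueError:                              # covers binascii.Error and UnicodeDecodeError
            return None
        return {"user": user, "password": password} if sep else None
    if scheme == "Token":
        return {"token": value}
    return None


AuthMethod = Callable[[Dict[str, str], AppMessage], Optional[str]]   # returns the authenticated identity or None


def basic_auth(creds: Dict[str, str], msg: AppMessage) -> Optional[str]:
    """Built-in method: username/password checked with a constant-time comparison."""
    expected = USER_DB.get(creds.get("user", ""))
    if expected is None:
        hmac.compare_digest(b"dummy-padding", creds.get("password", "").encode())  # keep timing similar for unknown users
        return None
    return creds["user"] if hmac.compare_digest(expected.encode(), creds["password"].encode()) else None


def hmac_token_auth(creds: Dict[str, str], msg: AppMessage) -> Optional[str]:
    """Extension method: token is 'user:hex(HMAC-SHA256(key, user || body))', so it also binds the body."""
    user, sep, tag = creds.get("token", "").partition(":")
    if not sep:
        return None
    expected = hmac.new(HMAC_KEY, user.encode() + msg.body, hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(expected.encode(), tag.encode()) else None


METHODS: Dict[str, AuthMethod] = {"basic": basic_auth}             # methods stored on the element at deployment
POLICY: Dict[str, str] = {"ORDER": "basic", "QUERY": "basic"}      # message type -> authentication method name


def register_method(name: str, method: AuthMethod) -> None:
    """Extension point: provision an additional authentication method after deployment."""
    METHODS[name] = method


def set_policy(msg_type: str, method_name: str) -> None:
    if method_name not in METHODS:
        raise KeyError(f"unknown authentication method {method_name!r}")
    POLICY[msg_type] = method_name


def process(raw: bytes) -> Tuple[str, str]:
    """Validate one application message at the forwarding element.

    Returns ('forward', destination) or ('drop', reason). A message type with no
    policy entry fails closed instead of being forwarded unauthenticated.
    """
    try:
        msg = parse_message(raw)
    except ValueError:
        return ("drop", "malformed message")
    method_name = POLICY.get(msg.msg_type)
    if method_name is None or method_name not in METHODS:
        return ("drop", f"no authentication policy for {msg.msg_type}")
    creds = extract_credentials(msg)
    if creds is None:
        return ("drop", "no usable credential elements")
    identity = METHODS[method_name](creds, msg)
    if identity is None:
        return ("drop", "authentication failed")
    if msg.msg_type not in AUTHZ.get(identity, set()):
        return ("drop", f"{identity} not authorized for {msg.msg_type}")
    return ("forward", msg.dest)


def _basic_msg(msg_type: str, user: str, password: str, body: bytes = b"") -> bytes:
    """Constructed sample message carrying Basic credentials."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"{msg_type} 10.0.0.5:8080\r\nAuthorization: Basic {cred}\r\n\r\n".encode() + body


def _token_msg(msg_type: str, user: str, body: bytes) -> bytes:
    """Constructed sample message carrying an HMAC token over user and body."""
    tag = hmac.new(HMAC_KEY, user.encode() + body, hashlib.sha256).hexdigest()
    return f"{msg_type} 10.0.0.9:9000\r\nAuthorization: Token {user}:{tag}\r\n\r\n".encode() + body


def demo() -> list:
    """Built-in method, the failure paths, then a method provisioned after deployment."""
    results = [
        process(_basic_msg("ORDER", "alice", "s3cret", b'{"sku": 1}')),   # forward
        process(_basic_msg("ORDER", "alice", "wrong")),                   # authentication failed
        process(_basic_msg("ORDER", "bob", "hunter2")),                   # authenticated but not authorized
    ]
    report = _token_msg("REPORT", "alice", b"q=sales")
    results.append(process(report))                                       # no policy for REPORT yet: drop
    register_method("hmac_token", hmac_token_auth)                        # extension method provisioned later
    set_policy("REPORT", "hmac_token")
    results.append(process(report))                                       # forward
    results.append(process(report[:-1] + b"X"))                           # body tampered in flight: drop
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Two choices in this sketch are the ones a practitioner should carry over to a real forwarding element: the dispatch fails closed, so a message type that was never given a policy entry, or whose policy names a method that is not installed, is dropped instead of passing through unauthenticated; and the extension method binds the identity to the message body, so a credential lifted from one message does not validate a modified one. Because validation happens on the reassembled Layer 5 message, the element must buffer all packets of a message before it can forward any of them, which is the cost of doing this on the network device rather than at the application.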
33 Claims
1. A data processing apparatus, comprising: the apparatus recited in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 31.
12. A machine-implemented method, comprising:
receiving one or more packets representing an application message;
determining a particular type of the application message;
identifying one or more user credential elements in the one or more packets;
selecting, based on a policy and the particular type of the application message, a particular authentication method, wherein the policy associates a plurality of authentication methods with respective message types; and
validating the application message using the one or more user credential elements and the particular authentication method.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 32.
22. A computer-readable medium carrying one or more sequences of instructions, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
receiving one or more packets representing an application message;
determining a particular type of the application message;
identifying one or more user credential elements in the one or more packets;
selecting, based on the policy and the particular type of the application message, a particular authentication method; and
validating the application message using the one or more user credential elements and the particular authentication method.
23. A data processing apparatus, comprising:
a plurality of network interfaces that are coupled to a data network for receiving one or more packets therefrom and sending one or more packets thereto;
one or more processors;
a switching system coupled to the one or more processors and packet forwarding logic, wherein the switching system and packet forwarding logic are configured to receive packets on a first network interface, determine a second network interface on which to send the packets, and to send the packets on the second network interface;
a computer-readable storage medium having stored thereon a plurality of authentication methods and a policy that associates the authentication methods with respective message types;
means for receiving one or more packets representing an application message;
means for determining a particular type of the application message;
means for identifying one or more user credential elements in the one or more packets;
means for selecting, based on the policy and the particular type of the application message, a particular authentication method; and
means for validating the application message using the one or more user credential elements and the particular authentication method.
Dependent claims: 24, 25, 26, 27, 28, 29, 30, 33.
Specification