Resolution of attribute overlap on authentication, authorization, and accounting servers

US 20080022392A1
Filed: 07/05/2006
Published: 01/24/2008
Est. Priority Date: 07/05/2006
Status: Abandoned Application

First Claim

Patent Images

1. A computer-implemented method for establishing communications between a remote client and a private network using a gateway, comprising the steps of:

providing a conflict resolution policy to said gateway; and

in said gateway, performing the steps of;

receiving a request from said remote client to instantiate a connection with said private network via a public communications network;

verifying rights of said remote client to access said private network by obtaining first attributes of said remote client from a first server and obtaining second attributes of said remote client from a second server;

identifying an inconsistency between said first attributes and said second attributes; and

applying said conflict resolution policy to said first attributes and said second attributes to determine resolved attributes automatically, without intervention of a human operator;

using said resolved attributes to determine said rights; and

responsively thereto, establishing said communications between said remote client and said private network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In the establishment of a VPN tunnel, a VPN gateway is responsible for resolving user and group attribute overlaps and conflicts when more than one AAA server is accessed during authentication and authorization. An IPSec Aggregator is provided with a governing policy that anticipates such conflicts and sets out precedence rules and alternative values of attributes.

80 Citations

View as Search Results

25 Claims

1. A computer-implemented method for establishing communications between a remote client and a private network using a gateway, comprising the steps of:
- providing a conflict resolution policy to said gateway; and
  
  in said gateway, performing the steps of;
  
  receiving a request from said remote client to instantiate a connection with said private network via a public communications network;
  
  verifying rights of said remote client to access said private network by obtaining first attributes of said remote client from a first server and obtaining second attributes of said remote client from a second server;
  
  identifying an inconsistency between said first attributes and said second attributes; and
  
  applying said conflict resolution policy to said first attributes and said second attributes to determine resolved attributes automatically, without intervention of a human operator;
  
  using said resolved attributes to determine said rights; and
  
  responsively thereto, establishing said communications between said remote client and said private network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1, wherein said first server is accessed by said gateway to identify said remote client and said second server is accessed by said gateway to authorize said remote client to access said private network.
  - 3. The method according to claim 1, wherein said first server is configured as a proxy for accesses to said second server and said second attributes are obtained from said second server via said first server.
  - 4. The method according to claim 1, wherein said first attributes and said second attributes each comprise group attributes and user attributes, applying said conflict resolution policy comprises enforcing a precedence between corresponding group attributes and user attributes.
  - 5. The method according to claim 1, wherein when one of said first attributes differs from a corresponding one of said second attributes, applying said conflict resolution policy comprises setting a predetermined value to be used for said one attribute.
  - 6. The method according to claim 1, further comprising the step of storing third attributes of said remote client on said gateway, wherein applying said conflict resolution policy comprises enforcing a precedence between corresponding ones of said first attributes, said second attributes, and said third attributes.
  - 7. The method according to claim 1, wherein applying said conflict resolution policy comprises editing at least one of said first attributes on said first server and said second attributes on said second server.

8. A computer software product for establishing communications between a remote client and a private network using a gateway, including a tangible computer-readable medium in which computer program instructions are stored, which instructions, when read by a processor in said gateway, cause the gateway to:
- receive a request from said remote client to instantiate a connection with said private network via a public communications network;
  
  verify rights of said remote client to access said private network, by obtaining first attributes of said remote client from a first server and obtaining second attributes of said remote client from a second server;
  
  identify an inconsistency between said first attributes and said second attributes; and
  
  apply a conflict resolution policy to said first attributes and said second attributes to determine resolved attributes automatically, without intervention of a human operator; and
  
  use said resolved attributes to determine said rights; and
  
  responsively thereto, establish said communications between said remote client and said private network.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The computer software product according to claim 8, wherein said first server is accessed by said gateway to identify said remote client and said second server is accessed by said gateway to authorize said remote client to access said private network.
  - 10. The computer software product according to claim 8, wherein said first attributes and said second attributes each comprise group attributes and user attributes, applying said conflict resolution policy comprises enforcing a precedence between corresponding group attributes and user attributes.
  - 11. The computer software product according to claim 8, wherein when one of said first attributes differs from a corresponding one of said second attributes, applying said conflict resolution policy comprises setting a predetermined value to be used for said one attribute.
  - 12. The computer software product according to claim 8, wherein third attributes of said remote client are accessible to said gateway, wherein applying said conflict resolution policy comprises enforcing a precedence between corresponding ones of said first attributes, said second attributes, and said third attributes.

13. A computer-implemented method for establishing communications between a remote client and a remote site using a VPN (Virtual Private Network) gateway having a VPN aggregator, comprising the steps of:
- providing a conflict resolution policy to said VPN aggregator; and
  
  in said VPN aggregator, performing the steps of;
  
  receiving a request from said remote client to instantiate a connection with said remote site via a communications network;
  
  authenticating said remote client and authorizing said remote client to access said remote site, wherein at least one of said steps of authorizing and authenticating comprises obtaining first attributes of said remote client from a first AAA (Authentication, Authorization, and Accounting) server and obtaining second attributes of said remote client from a second AAA server;
  
  identifying an inconsistency between said first attributes and said second attributes; and
  
  automatically applying said conflict resolution policy to said first attributes and said second attributes to determine resolved attributes;
  
  using said resolved attributes in said at least one of said steps of authenticating and authorizing; and
  
  thereafter establishing a VPN tunnel between said remote client and said remote site.
- View Dependent Claims (14)
- - 14. The method according to claim 13, wherein said first AAA server is accessed by said VPN aggregator in said step of authenticating and said second AAA server is accessed by said VPN aggregator in said step of authorizing.

15. A computer software product for establishing communications between a remote client and a remote site using a VPN (Virtual Private Network) gateway having a VPN aggregator, including a tangible computer-readable medium in which computer program instructions are stored, which instructions, when read by a processor in said VPN aggregator, cause said VPN aggregator to:
- receive a request from said remote client to instantiate a connection with said remote site via a communications network;
  
  authenticate said remote client and authorize said remote client to access said remote site, wherein at least one of an authentication and an authorization of said remote client comprises an evaluation of first attributes of said remote client from a first AAA (Authentication, Authorization, and Accounting) server and an evaluation of second attributes of said remote client from a second AAA server;
  
  identify an inconsistency between said first attributes and said second attributes; and
  
  apply a conflict resolution policy to said first attributes and said second attributes to determine resolved attributes;
  
  use said resolved attributes to complete at least one of said authentication and said authorization; and
  
  thereafter establish a VPN tunnel between said remote client and said remote site.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer software product according to claim 15, wherein said first attributes and said second attributes each comprise group attributes and user attributes, and an application of said conflict resolution policy comprises an enforcement of a precedence between corresponding group attributes and user attributes.
  - 17. The computer software product according to claim 15, wherein when one of said first attributes differs from a corresponding one of said second attributes, an application of said conflict resolution policy comprises an assignment of a predetermined value for said one attribute.
  - 18. The computer software product according to claim 15, wherein third attributes of said remote client are stored on said VPN aggregator, wherein an application of said conflict resolution policy comprises an enforcement of a precedence between corresponding ones of said first attributes, said second attributes, and said third attributes.
  - 19. The computer software product according to claim 15, wherein an application of said conflict resolution policy comprises an edit of at least one of said first attributes on said first AAA server and said second attributes on said second AAA server.

20. A communications apparatus for providing communications via a communications network, comprising:
- a network interface, linked to a plurality of clients including a remote client and a remote site; and
  
  a VPN aggregator, which is coupled to said network interface, said VPN aggregator operative to;
  
  receive a request from said remote client to instantiate a connection with said remote site via said communications network;
  
  authenticate said remote client and authorize said remote client to access said remote site, wherein at least one of an authentication and an authorization comprises an evaluation of first attributes of said remote client from a first AAA (Authentication, Authorization, and Accounting) server and an evaluation of second attributes of said remote client from a second AAA server;
  
  identify an inconsistency between said first attributes and said second attributes; and
  
  apply a conflict resolution policy to said first attributes and said second attributes to determine resolved attributes;
  
  use said resolved attributes to complete at least one of said authentication and said authorization; and
  
  thereafter establish a VPN tunnel between said remote client and said remote site.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The communications apparatus according to claim 20, wherein said first AAA server is accessed by said VPN aggregator in said authentication and said second AAA server is accessed by said VPN aggregator in said authorization.
  - 22. The communications apparatus according to claim 20, wherein said first AAA server is configured as a proxy for accesses to said second AAA server and said second attributes are obtained from said second AAA server via said first AAA server in said at least one of said authentication and said authorization.
  - 23. The communications apparatus according to claim 20, wherein said first attributes and said second attributes each comprise group attributes and user attributes, and an application of said conflict resolution policy comprises an enforcement of a precedence between corresponding group attributes and user attributes.
  - 24. The communications apparatus according to claim 20, wherein third attributes of said remote client are stored on said VPN aggregator, wherein an application of said conflict resolution policy comprises an enforcement of a precedence between corresponding ones of said first attributes, said second attributes, and said third attributes.

25. A communications apparatus for providing communications via a communications network, comprising:
- a network interface, linked to a plurality of clients including a remote client and a remote site; and
  
  a VPN aggregator, which is coupled to said network interface, said VPN aggregator comprising;
  
  means for receiving a request from said remote client to instantiate a connection with said remote site via said communications network;
  
  means for authenticating said remote client and authorize said remote client to access said remote site, wherein at least one of an authentication and an authorization of said remote client comprises an evaluation of first attributes of said remote client from a first AAA (Authentication, Authorization, and Accounting) server and an evaluation of second attributes of said remote client from a second AAA server;
  
  means for identifying an inconsistency between said first attributes and said second attributes; and
  
  means for applying a conflict resolution policy to said first attributes and said second attributes to determine resolved attributes and using said resolved attributes to complete at least one of said authentication and said authorization; and
  
  means for establishing a VPN tunnel between said remote client and said remote site responsively to said authentication and said authorization.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Zilberman, Alon, Karpati, Dan, Halevi, Ido, Amos, Eitan Ben

Application Number

US11/481,858
Publication Number

US 20080022392A1
Time in Patent Office

Days
Field of Search
US Class Current

726/15
CPC Class Codes

H04L 63/0272 Virtual private networks

H04L 63/20 for managing network securi...

Resolution of attribute overlap on authentication, authorization, and accounting servers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

80 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Resolution of attribute overlap on authentication, authorization, and accounting servers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

80 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links