Resolution of attribute overlap on authentication, authorization, and accounting servers
1 Assignment
0 Petitions
Abstract
In the establishment of a VPN tunnel, a VPN gateway is responsible for resolving user and group attribute overlaps and conflicts when more than one AAA server is accessed during authentication and authorization. An IPSec Aggregator is provided with a governing policy that anticipates such conflicts and sets out precedence rules and alternative values of attributes.
80 Citations

Claims (25)
1. A computer-implemented method for establishing communications between a remote client and a private network using a gateway, comprising the steps of:
providing a conflict resolution policy to said gateway; and
in said gateway, performing the steps of:
receiving a request from said remote client to instantiate a connection with said private network via a public communications network;
verifying rights of said remote client to access said private network by obtaining first attributes of said remote client from a first server and obtaining second attributes of said remote client from a second server;
identifying an inconsistency between said first attributes and said second attributes; and
applying said conflict resolution policy to said first attributes and said second attributes to determine resolved attributes automatically, without intervention of a human operator;
using said resolved attributes to determine said rights; and
responsively thereto, establishing said communications between said remote client and said private network.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A computer software product for establishing communications between a remote client and a private network using a gateway, including a tangible computer-readable medium in which computer program instructions are stored, which instructions, when read by a processor in said gateway, cause the gateway to:
receive a request from said remote client to instantiate a connection with said private network via a public communications network;
verify rights of said remote client to access said private network, by obtaining first attributes of said remote client from a first server and obtaining second attributes of said remote client from a second server;
identify an inconsistency between said first attributes and said second attributes; and
apply a conflict resolution policy to said first attributes and said second attributes to determine resolved attributes automatically, without intervention of a human operator; and
use said resolved attributes to determine said rights; and
responsively thereto, establish said communications between said remote client and said private network.
Dependent claims: 9, 10, 11, 12
13. A computer-implemented method for establishing communications between a remote client and a remote site using a VPN (Virtual Private Network) gateway having a VPN aggregator, comprising the steps of:
providing a conflict resolution policy to said VPN aggregator; and
in said VPN aggregator, performing the steps of:
receiving a request from said remote client to instantiate a connection with said remote site via a communications network;
authenticating said remote client and authorizing said remote client to access said remote site, wherein at least one of said steps of authorizing and authenticating comprises obtaining first attributes of said remote client from a first AAA (Authentication, Authorization, and Accounting) server and obtaining second attributes of said remote client from a second AAA server;
identifying an inconsistency between said first attributes and said second attributes; and
automatically applying said conflict resolution policy to said first attributes and said second attributes to determine resolved attributes;
using said resolved attributes in said at least one of said steps of authenticating and authorizing; and
thereafter establishing a VPN tunnel between said remote client and said remote site.
Dependent claims: 14
15. A computer software product for establishing communications between a remote client and a remote site using a VPN (Virtual Private Network) gateway having a VPN aggregator, including a tangible computer-readable medium in which computer program instructions are stored, which instructions, when read by a processor in said VPN aggregator, cause said VPN aggregator to:
receive a request from said remote client to instantiate a connection with said remote site via a communications network;
authenticate said remote client and authorize said remote client to access said remote site, wherein at least one of an authentication and an authorization of said remote client comprises an evaluation of first attributes of said remote client from a first AAA (Authentication, Authorization, and Accounting) server and an evaluation of second attributes of said remote client from a second AAA server;
identify an inconsistency between said first attributes and said second attributes; and
apply a conflict resolution policy to said first attributes and said second attributes to determine resolved attributes;
use said resolved attributes to complete at least one of said authentication and said authorization; and
thereafter establish a VPN tunnel between said remote client and said remote site.
Dependent claims: 16, 17, 18, 19
20. A communications apparatus for providing communications via a communications network, comprising:
a network interface, linked to a plurality of clients including a remote client and a remote site; and
a VPN aggregator, which is coupled to said network interface, said VPN aggregator operative to:
receive a request from said remote client to instantiate a connection with said remote site via said communications network;
authenticate said remote client and authorize said remote client to access said remote site, wherein at least one of an authentication and an authorization comprises an evaluation of first attributes of said remote client from a first AAA (Authentication, Authorization, and Accounting) server and an evaluation of second attributes of said remote client from a second AAA server;
identify an inconsistency between said first attributes and said second attributes; and
apply a conflict resolution policy to said first attributes and said second attributes to determine resolved attributes;
use said resolved attributes to complete at least one of said authentication and said authorization; and
thereafter establish a VPN tunnel between said remote client and said remote site.
Dependent claims: 21, 22, 23, 24
25. A communications apparatus for providing communications via a communications network, comprising:
a network interface, linked to a plurality of clients including a remote client and a remote site; and
a VPN aggregator, which is coupled to said network interface, said VPN aggregator comprising:
means for receiving a request from said remote client to instantiate a connection with said remote site via said communications network;
means for authenticating said remote client and authorizing said remote client to access said remote site, wherein at least one of an authentication and an authorization of said remote client comprises an evaluation of first attributes of said remote client from a first AAA (Authentication, Authorization, and Accounting) server and an evaluation of second attributes of said remote client from a second AAA server;
means for identifying an inconsistency between said first attributes and said second attributes; and
means for applying a conflict resolution policy to said first attributes and said second attributes to determine resolved attributes and using said resolved attributes to complete at least one of said authentication and said authorization; and
means for establishing a VPN tunnel between said remote client and said remote site responsively to said authentication and said authorization.
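The resolution step the abstract and claims describe (two AAA servers return attributes for one user, the gateway detects the overlap and applies a policy of precedence rules and alternative values before authorizing) as an added illustration; this is not code from the patent or any product, and the attribute names, policy rules and server responses are constructed for the example. It also shows the fail-closed case the claims do not spell out: a conflict the policy does not cover denies access rather than letting either server's value win by accident.

```python
"""Illustrative AAA attribute conflict resolution at a VPN gateway (added example)."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Conflict resolution policy supplied to the gateway ahead of time.

    precedence: attr -> "server1" | "server2" | "most_restrictive"
    fallback:   attr -> alternative value used when no precedence rule exists
    """
    precedence: dict
    fallback: dict = field(default_factory=dict)


def find_conflicts(attrs1, attrs2):
    """Attributes returned by both servers with differing values (the 'inconsistency')."""
    return sorted(k for k in attrs1.keys() & attrs2.keys() if attrs1[k] != attrs2[k])


def resolve(attrs1, attrs2, policy):
    """Merge both attribute sets; every conflict must be settled by the policy."""
    resolved = {**attrs1, **attrs2}  # non-conflicting attributes pass straight through
    for attr in find_conflicts(attrs1, attrs2):
        rule = policy.precedence.get(attr)
        if rule == "server1":
            resolved[attr] = attrs1[attr]
        elif rule == "server2":
            resolved[attr] = attrs2[attr]
        elif rule == "most_restrictive":
            resolved[attr] = min(attrs1[attr], attrs2[attr])  # e.g. shorter timeout
        elif attr in policy.fallback:
            resolved[attr] = policy.fallback[attr]
        else:
            # Unanticipated disagreement: refuse rather than guess, so an
            # overlap the policy never considered cannot widen access.
            raise PermissionError(f"unresolved attribute conflict: {attr!r}")
    return resolved


def authorize(resolved, group):
    """Grant the tunnel only if the resolved attributes permit this group."""
    return group in resolved.get("allowed_groups", ())


# Constructed sample responses for one user from two hypothetical AAA servers.
SERVER1 = {"session_timeout": 3600, "allowed_groups": ("eng",), "split_tunnel": False}
SERVER2 = {"session_timeout": 7200, "allowed_groups": ("eng",), "split_tunnel": True,
           "idle_timeout": 900}
POLICY = Policy(precedence={"session_timeout": "most_restrictive", "split_tunnel": "server1"})
```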