USE OF AUTHENTICATION INFORMATION TO MAKE ROUTING DECISIONS

US 20080028445A1
Filed: 07/07/2007
Published: 01/31/2008
Est. Priority Date: 07/31/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

providing an augmented authentication database including routing information for each of a plurality of users, the routing information intended to be used to facilitate routing of traffic flows associated with the plurality of users to appropriate virtual networks of a plurality of virtual networks associated with a network accessible by the plurality of users;

receiving at an authentication interface of the network a request on behalf of a user of the plurality of users for access to a service provided by a first virtual network of the plurality of virtual networks;

responsive to the request, the authentication interface causing login credentials of the user to be authenticated against the augmented authentication database;

responsive to successful authentication of the login credentials,the authentication interface receiving from the augmented authentication database routing information associated with the user; and

the authentication interface causing the user to be granted access to the service by causing traffic flow associated with the user to be routed to the first virtual network based on the routing information associated with the user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for utilizing authentication attributes to determine how to direct traffic flows are provided. In one embodiment, an augmented authentication database is provided, which includes routing information for multiple users. The routing information is intended to be used to facilitate routing of traffic flows to appropriate virtual networks of a network. A request on behalf of one of the users is received at an authentication interface of the network for access to a service provided by a first virtual network. Responsive to the request, login credentials of the user are authenticated against the augmented authentication database. Responsive to successful authentication, the authentication interface receives from the augmented authentication database routing information associated with the user and causes the user to be granted access to the service by causing traffic flow associated with the user to be routed to the first virtual network based on the routing information returned.

Citations

29 Claims

1. A method comprising:
- providing an augmented authentication database including routing information for each of a plurality of users, the routing information intended to be used to facilitate routing of traffic flows associated with the plurality of users to appropriate virtual networks of a plurality of virtual networks associated with a network accessible by the plurality of users;
  
  receiving at an authentication interface of the network a request on behalf of a user of the plurality of users for access to a service provided by a first virtual network of the plurality of virtual networks;
  
  responsive to the request, the authentication interface causing login credentials of the user to be authenticated against the augmented authentication database;
  
  responsive to successful authentication of the login credentials,the authentication interface receiving from the augmented authentication database routing information associated with the user; and
  
  the authentication interface causing the user to be granted access to the service by causing traffic flow associated with the user to be routed to the first virtual network based on the routing information associated with the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the authentication interface comprises a network gateway fronting the network and wherein said causing traffic flow associated with the user to be routed to the first virtual network based on the routing information comprises creating a routing entry within a routing table of the network gateway.
  - 3. The method of claim 2, wherein said causing login credentials of the user to be authenticated against the augmented authentication database comprises requesting authentication of the login credentials by an authentication server with which the augmented authentication database is associated.
  - 4. The method of claim 3, wherein the authentication server comprises a Remote Authentication Dial-in User Service Protocol (RADIUS) server.
  - 5. The method of claim 4, wherein said receiving at an authentication interface of the network a request on behalf of a user of the plurality of users for access to a service comprises intercepting a connection request at the network gateway that is directed to the RADIUS server.
  - 6. The method of claim 3, wherein the plurality of virtual networks comprise virtual local area networks (VLANs).
  - 7. The method of claim 3, wherein said requesting authentication of the login credentials by an authentication server comprises the network gateway issuing an authentication request via a Terminal Access Controller Access Control System (TACACS) authentication protocol.
  - 8. The method of claim 3, wherein said requesting authentication of the login credentials by an authentication server comprises the network gateway issuing an authentication request via a directory access protocol-based authentication protocol.
  - 9. The method of claim 3, further comprising the authentication interface receiving an authentication response from the authentication server, the authentication response containing one or more attributes carrying the routing information associated with the user.
  - 10. The method of claim 3, wherein the network comprises a public network.
  - 11. The method of claim 3, wherein the network comprises a private network.

12. A method comprising:
- receiving, by a network device associated with a service provider, a connection request from an end user of one of a plurality of customers for which the service provider delivers services;
  
  the network device causing the end user to be prompted for login credentials;
  
  responsive to receiving the login credentials, the network device requesting authentication of the login credentials by an authentication server;
  
  responsive to receiving an indication of successful authentication of the login credentials from the authentication server, the network device establishing a service session for the end user and maintaining customer separation among the plurality of customers by creating a routing entry corresponding to an address associated with the connection request based on one or more authentication attributes associated with the indication and routing subsequent packets associated with the service session in accordance with the routing entry.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 13. The method of claim 12, wherein said receiving, by a network device associated with a service provider, a connection request comprises intercepting a connection request directed to a server for which the network device is fronting.
  - 14. The method of claim 12, wherein said authentication server comprises a Remote Authentication Dial-in User Service Protocol (RADIUS) server.
  - 15. The method of claim 14, further comprising providing an augmented authentication database including information intended to be used to facilitate routing of traffic flows to appropriate virtual local area networks (VLANs) with which the plurality of customers are associated.
  - 16. The method of claim 15, wherein the information comprises a VLAN name.
  - 17. The method of claim 16, wherein the indication comprises a RADIUS Access-Accept packet including an attribute field and wherein the RADIUS Access-Accept packet contains the VLAN name within a VLAN attribute of the attribute field.
  - 18. The method of claim 14, further comprising providing an augmented authentication database including information intended to be used to facilitate routing of traffic flows to appropriate virtual domains (VDOMs) with which the plurality of customers are associated.
  - 19. The method of claim 14, further comprising providing an augmented authentication database including information intended to be used to facilitate routing of traffic flows to appropriate interfaces of the network device with which the plurality of customers are associated.
  - 20. The method of claim 19, wherein the information comprises an interface name.
  - 21. The method of claim 20, wherein the indication comprises a RADIUS Access-Accept packet including an attribute field and wherein the RADIUS Access-Accept packet contains the interface name within an interface name attribute of the attribute field.
  - 22. The method of claim 12, wherein said requesting authentication of the login credentials by an authentication server comprises the network device issuing an authentication request via a Terminal Access Controller Access Control System (TACACS) authentication protocol.
  - 23. The method of claim 12, wherein said requesting authentication of the login credentials by an authentication server comprises the network device issuing an authentication request via a directory access protocol-based authentication protocol.
  - 24. The method of claim 12, wherein the network device comprises a network gateway.
  - 25. The method of claim 12, wherein the network device comprises a firewall.
  - 26. The method of claim 12, where said creating a routing entry comprises:
    - determining a physical interface of the network device to which the subsequent packets are to be forwarded based on the one or more attributes;
      
      creating a routing entry that associates a source Internet Protocol (IP) address of the end user with the physical interface.
  - 27. The method of claim 12, wherein the services are delivered to the plurality of customers from a co-location network fronted by the network device.
  - 28. The method of claim 12, wherein the services comprise network security management including one or more of virus blocking, spam blocking, intrusion detection, firewalls, and virtual private network (VPN) management.
  - 29. The method of claim 12, wherein a protocol of the connection request comprises HyperText Transport Protocol (HTTP), HyperText Transfer Protocol, Secure (HTTPS), Telnet or File Transfer Protocol (FTP).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Rozhavsky, Michael, Lee, Randy, Dubuc, Yannick

Application Number

US11/774,575
Publication Number

US 20080028445A1
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/0892   by using authentication-aut...

USE OF AUTHENTICATION INFORMATION TO MAKE ROUTING DECISIONS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

USE OF AUTHENTICATION INFORMATION TO MAKE ROUTING DECISIONS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links