FAST RE-AUTHENTICATION WITH DYNAMIC CREDENTIALS

US 20080301790A1
Filed: 08/12/2008
Published: 12/04/2008
Est. Priority Date: 02/26/2003
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a proxy authentication server configured to be in communication with a network access server and an authentication server;

wherein the proxy authentication server is configured to intercept a first authentication request from the network access server for a supplicant;

wherein the proxy authentication server is configured to forward the first authentication request to the authentication server responsive to determining the proxy authentication server does not have authentication data for the supplicant;

wherein the proxy authentication server is configured to intercept a response to the first authentication request from the authentication server, the response comprising authentication data for the client; and

wherein the proxy authentication server is configured to store the authentication data for the supplicant and to forward the authentication data for the supplicant to the network access server

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A proxy server that is inserted between a plurality of network access servers, typically an access points, and an authentication server. When an original authentication request is received by a network access server, the network access server forwards the request to the proxy server which forwards the request to an authentication server. The authentication server then sends the session information to the proxy server which stores the keying material as a dynamic credentials. When the client re-authenticates with one of the plurality of access servers, the re-authentication request is handled by the proxy server using the dynamic credentials. The proxy server may re-authenticate the client using a different method than the method that was originally used. For example, the original authentication may be by Extensible Authentication Protocol—Transport Layer Security (EAP-TLS) and subsequent re-authentications may use Wi-Fi Protected Access (WPA).

Citations

20 Claims

1. An apparatus, comprising:
- a proxy authentication server configured to be in communication with a network access server and an authentication server;
  
  wherein the proxy authentication server is configured to intercept a first authentication request from the network access server for a supplicant;
  
  wherein the proxy authentication server is configured to forward the first authentication request to the authentication server responsive to determining the proxy authentication server does not have authentication data for the supplicant;
  
  wherein the proxy authentication server is configured to intercept a response to the first authentication request from the authentication server, the response comprising authentication data for the client; and
  
  wherein the proxy authentication server is configured to store the authentication data for the supplicant and to forward the authentication data for the supplicant to the network access server
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The apparatus set forth in claim 1, wherein the proxy authentication server is configured to intercept a second authentication request for the supplicant from a second network access server;
    - andwherein the proxy authentication server is configured to authenticate the second authentication request with the stored authentication data and reply to the second network access server responsive to determining the proxy authentication server has the authentication data for the supplicant.
  - 3. The apparatus set forth in claim 2, wherein the first authentication request employs a first authentication protocol and the second authentication request employs a second authentication protocol.
  - 4. The apparatus set forth in claim 3, wherein the first authentication protocol is an Extensible Authentication Protocol—
    - Transport Layer Security (EAP-TLS) compatible protocol.
  - 5. The apparatus set forth in claim 4, wherein the second authentication protocol is a Lightweight Extensible Authentication Protocol (LEAP) compatible protocol.
  - 6. The apparatus set forth in claim 4, wherein the second authentication protocol is a WiFi Protected Access (WPA) compatible protocol.
  - 7. The apparatus of claim 1, wherein the proxy authentication server is configured to intercept a third authentication request for the supplicant from a third network access server;
    - andwherein the proxy authentication server is configured to authenticate the third authentication request with the stored authentication data and reply to the third network access server responsive to determining the proxy authentication server has the authentication data for the supplicant.
  - 8. The apparatus set forth in claim 1, wherein the first and second network access servers are wireless access points and the supplicant is a wireless device.
  - 9. The apparatus set forth in claim 1, wherein the authentication data for the client comprises keying material.

10. A method, comprising:
- intercepting a first request to authenticate a supplicant from a first network access server;
  
  determining whether authentication credentials are available for the supplicant;
  
  forwarding the first request to authenticate a supplicant from to an authentication server responsive to determining authentication credentials are not available for the supplicant;
  
  intercepting a response to the first request to authenticate from the authentication server, the response comprising authentication data;
  
  storing the authentication data; and
  
  forwarding the response to the first request to the first network access server.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method according to claim 10, further comprising:
    - intercepting a second request to authenticate the supplicant from a second network access server;
      
      determining whether authentication credentials are available for the supplicant; and
      
      authenticating the second request to authenticate and sending a reply to the second network access server responsive to determining that authentication credentials are available for the supplicant.
  - 12. The method according to claim 11, wherein the first authentication request employs a first authentication protocol and the second authentication request employs a second authentication protocol.
  - 13. The method according to claim 12, wherein the first authentication protocol is an Extensible Authentication Protocol—
    - Transport Layer Security (EAP-TLS) compatible protocol.
  - 14. The method according to claim 13, wherein the second authentication protocol is selected from a group consisting of a Lightweight Extensible Authentication Protocol (LEAP) compatible protocol and a WiFi Protected Access (WPA) compatible protocol.
  - 15. The method according to claim 14, further comprising:
    - intercepting a third request to authenticate the supplicant from a third network access server; and
      
      authenticating the third request to authenticate and sending a reply to the third network access server responsive to determining that that authentication credentials are available for the supplicant.

16. An apparatus, comprising:
- a proxy authentication server configured to be in communication with a network access server and an authentication server;
  
  wherein the proxy authentication server is configured to receive a first authentication request from the network access server for a supplicant;
  
  wherein the proxy authentication server is configured to forward the first authentication request to the authentication server responsive to determining the proxy authentication server does not have authentication data for the supplicant;
  
  wherein the proxy authentication server is configured to receive a response to the first authentication request from the authentication server, the response comprising authentication data for the client; and
  
  wherein the proxy authentication server is configured to store the authentication data for the supplicant and to forward the authentication data for the supplicant to the network access server
- View Dependent Claims (17)
- - 17. The apparatus set forth in claim 16, wherein the proxy authentication server is configured to receive a second authentication request from a second network access server for the supplicant;
    - andwherein the proxy authentication server is configured to authenticate the second authentication request with the stored authentication data and reply to the second network access server responsive to determining the proxy authentication server has the authentication data for the supplicant.

18. A method, comprising:
- receiving a first request to authenticate a supplicant from a first network access server;
  
  determining whether authentication credentials are available for the supplicant;
  
  forwarding the first request to authenticate a supplicant from to an authentication server responsive to determining authentication credentials are not available for the supplicant;
  
  receiving a response to the first request to authenticate from the authentication server, the response comprising authentication data;
  
  storing the authentication data; and
  
  forwarding the response to the first request to the first network access server.
- View Dependent Claims (19, 20)
- - 19. The method according to claim 18, further comprising:
    - receiving a second request to authenticate the supplicant from a second network access server;
      
      determining whether authentication credentials are available for the supplicant; and
      
      authenticating the second request to authenticate with the stored authentication credentials and sending a reply to the second network access server responsive to determining that authentication credentials are available for the supplicant.
  - 20. The method according to claim 19, wherein the first authentication request employs a first authentication protocol and the second authentication request employs a second authentication protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
David E. Halasz, Glen W. Zorn
Original Assignee
David E. Halasz, Glen W. Zorn
Inventors
Halasz, David E., Zorn, Glen W.

Granted Patent

US 7,802,091 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

H04L 12/2856   Access arrangements, e.g. I...

H04L 63/08   for authentication of entit...

H04L 63/0892   by using authentication-aut...

H04L 63/162   at the data link layer

H04L 69/18   Multiprotocol handlers, e.g...

H04W 12/062   Pre-authentication

H04W 36/0038   of security context informa...

H04W 84/12   WLAN [Wireless Local Area N...

H04W 88/182   Network node acting on beha...

FAST RE-AUTHENTICATION WITH DYNAMIC CREDENTIALS

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

FAST RE-AUTHENTICATION WITH DYNAMIC CREDENTIALS

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links