Method and System for Load Balancing over a Cluster of Authentication, Authorization and Accounting (AAA) Servers

US 20090265467A1
Filed: 04/17/2008
Published: 10/22/2009
Est. Priority Date: 04/17/2008
Status: Active Grant

First Claim

Patent Images

1. A method for load balancing over a cluster of authentication, authorization and accounting (AAA) servers, comprising:

receiving a AAA connection establishment request;

forwarding the AAA connection establishment request to more than one AAA server in the cluster of AAA servers;

receiving a AAA request; and

forwarding the AAA request to one of the AAA servers in the cluster of AAA servers.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for load balancing over a cluster of authentication, authorization and accounting (AAA) servers. The method performs a distribution of AAA requests among AAA servers having an active AAA connection with an AAA client. The method includes establishing TCP connections with a plurality of AAA servers, using a TCP connection request received from at least one AAA client; opening AAA connections with a plurality of AAA servers, using an AAA connection request received from at least one AAA client, and distributing AAA requests to AAA servers with an active AAA connection according to a predefined load balancing algorithm. The invention is further capable of multiplexing outbound messages and requests received from a plurality of AAA servers. The AAA protocol supported by the invention includes, but is not limited to, a Diameter protocol, a lightweight directory access protocol (LDAP), and the likes.

195 Citations

33 Claims

1. A method for load balancing over a cluster of authentication, authorization and accounting (AAA) servers, comprising:
- receiving a AAA connection establishment request;
  
  forwarding the AAA connection establishment request to more than one AAA server in the cluster of AAA servers;
  
  receiving a AAA request; and
  
  forwarding the AAA request to one of the AAA servers in the cluster of AAA servers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the connection establishment request and the AAA request are sent from an AAA client.
  - 3. The method of claim 2, further comprising:
    - sending to the AAA client a first connection establishment reply message sent from one of the AAA servers; and
      
      saving in a connection table an identifier of each AAA server that establishes a connection with the AAA client.
  - 4. The method of claim 3, wherein forwarding the AAA request further comprising:
    - forwarding the AAA request to one of the AAA servers designated in the connection table.
  - 5. The method of claim 1, wherein the AAA server is selected according to a load balancing algorithm, wherein the load balancing algorithm comprises at least one of:
    - a round robin, a weighted round robin, weighted sessions, and weighted requests.
  - 6. The method of claim 1, wherein receiving the AAA request further comprising:
    - identifying a session identifier (ID) in the AAA request;
      
      searching for the session ID in a session-tracking table;
      
      forwarding the request to an AAA server associated with the session ID in the session-tracking table; and
      
      when the session ID is not found in the session-tracking table selecting one of the AAA servers;
      
      updating the session-tracking table to include the session ID and the selected AAA server; and
      
      forwarding the request to the selected AAA server.
  - 7. The method of claim 1, wherein the AAA servers are Diameter servers and the AAA requests are Diameter requests.
  - 8. The method of claim 7, wherein the connection establishment request is at least a Diameter CER message.
  - 9. The method of claim 1, wherein the AAA servers are lightweight directory access protocol (LDAP) servers and the AAA requests are LDAP requests.
  - 10. The method of claim 9, wherein the connection establishment request is at least a LDAP BIND message.
  - 11. The method of claim 1, wherein the AAA requests are sent over at least a transport protocol, wherein the transport protocol includes at least one of:
    - a transmission control protocol (TCP) and a stream control transmission protocol (SCTP).

12. A computer program product including a computer-readable medium comprising software instructions operable to enable a computer to perform a method for load balancing over a cluster of authentication, authorization and accounting (AAA) servers, comprising:
- receiving an incoming AAA connection establishment request;
  
  forwarding the AAA connection establishment request to more than one AAA server in the cluster of AAA servers;
  
  receiving an AAA request; and
  
  forwarding the AAA request to one of the AAA servers in the cluster of AAA servers.

13. A method for multiplexing authentication, authorization and accounting (AAA) requests, comprising:
- establishing an AAA connection with a destination AAA server;
  
  receiving AAA requests from a plurality of source AAA servers to the destination AAA server; and
  
  forwarding the AAA requests received from the plurality of source AAA servers over the AAA connection to the destination AAA server.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The method of claim 13, wherein establishing the AAA connection further comprising:
    - sending to the destination AAA server a first connection establishment request message sent from one of the plurality of source AAA servers;
      
      saving in a connection table a connection establishment reply message received from the destination AAA server; and
      
      replying with the establishment reply message to each subsequent connection establishment request message sent from the plurality of source AAA servers.
  - 15. The method of claim 13, wherein forwarding the AAA requests further comprising:
    - for each AAA request, replacing a hop-by-hop identifier with a unique server-hop-by-hop identifier; and
      
      for each AAA response, replacing the server-hop-by-hop identifier with the original hop-by-hop identifier of the respective AAA request.
  - 16. The method of claim 15, further comprising:
    - sending each AAA response to the source AAA server that is identified by the server-hop-by-hop identifier.
  - 17. The method of claim 16, wherein mapping information between hop-by-hop identifiers and server-hop-by-hop identifiers is saved in a hop-by-hop table.
  - 18. The method of claim 13, wherein the method operates according an AAA protocol, wherein the AAA protocol comprises at least one of:
    - a Diameter protocol and a lightweight directory access protocol (LDAP).
  - 19. The method of claim 13, wherein the transport connection comprises at least one of:
    - a transmission control protocol (TCP) connection and a stream control transmission protocol (SCTP) connection.

20. A computer program product including a computer-readable medium comprising software instructions operable to enable a computer to perform a method for multiplexing authentication, authorization and accounting (AAA) requests, comprising:
- establishing an AAA connection with a destination AAA server;
  
  receiving AAA requests from a plurality of source AAA servers to the destination AAA server; and
  
  forwarding the AAA requests received from the plurality of source AAA servers over the AAA connection to the destination AAA server.

21. An apparatus for load balancing over a cluster of authentication, authorization and accounting (AAA) servers, comprises:
- a splitting engine for managing an AAA connection between an AAA client and AAA servers in the cluster of AAA servers, wherein the spitting engine is further capable of forwarding AAA requests over the AAA client connection to at least two AAA servers in the cluster of AAA servers; and
  
  a switching engine for sending AAA requests and messages received from the AAA client to the splitting engine.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The apparatus of claim 21, wherein the splitting engine further comprises:
    - a memory for storing at least one of a connection table, a session-tracking table, a MessageID table and a hop-by-hop table.
  - 23. The apparatus of claim 22, wherein the switching engine is configured with a virtual IP (VIP) address, wherein the VIP address is used by the AAA client to access the AAA servers.
  - 24. The apparatus of claim 23, wherein the switching engine continually monitors the health of the AAA servers and the AAA connections established with the AAA servers.
  - 25. The apparatus of claim 24, wherein the switching engine blocks invalid AAA messages.
  - 26. The apparatus of claim 21, wherein each of the AAA servers is at least one of:
    - a Diameter server and a lightweight directory access protocol (LDAP) server.

27. An apparatus for load balancing over a cluster of authentication, authorization and accounting (AAA) servers, comprises:
- an active splitting engine for managing an AAA connection between an AAA client and AAA servers in the cluster of AAA servers, wherein the spitting engine is further capable of forwarding AAA requests from the AAA client connection to at least two AAA server in the cluster of AAA servers;
  
  a backup splitting engine for backing up the active splitting engine;
  
  an active switching engine for sending AAA requests and messages received from the AAA client to the splitting engine; and
  
  a backup switching engine for backing up the active switching engine.
- View Dependent Claims (28, 29, 30, 31)
- - 28. The apparatus of claim 27, wherein the backup splitting engine takes over the functions of the active splitting engine in an event of a predefined condition.
  - 29. The apparatus of claim 28, wherein the backup switching engine takes over the functions of the active switching engine in an event of a predefined condition.
  - 30. The apparatus of claim 29, wherein the predefined condition comprises:
    - overload of at least one of the active splitting engine and the active switching engine; and
      
      a failure of at least one of the active splitting engine and active switching engine.
  - 31. The apparatus of claim 27, wherein each of the AAA servers is at least one of:
    - a Diameter server and a lightweight directory access protocol (LDAP) server.

32. An authentication, authorization and accounting (AAA) system, comprises:
- a cluster of AAA servers, wherein each AAA server is capable of performing authentication, authorization and accounting functions according to the AAA requests; and
  
  a load balancer for distributing AAA requests among a plurality of AAA servers in the cluster of AAA servers, wherein the AAA requests are received over an AAA client connection.
- View Dependent Claims (33)
- - 33. The AAA system of claim 32, wherein the AAA system is at least one of:
    - a Diameter system and a LDAP system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Radware Limited
Original Assignee
Radware Limited
Inventors
Peles, Amir

Granted Patent

US 9,749,404 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/226
CPC Class Codes

H04L 47/10   Flow control; Congestion co...

H04L 63/0892   by using authentication-aut...

H04L 67/1001   for accessing one among a p...

H04L 67/1017   based on a round robin mech...

H04L 67/1023   based on a hash applied to ...

H04L 67/1036   Load balancing of requests ...

Method and System for Load Balancing over a Cluster of Authentication, Authorization and Accounting (AAA) Servers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

195 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Method and System for Load Balancing over a Cluster of Authentication, Authorization and Accounting (AAA) Servers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

195 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links