DISTRIBUTED AUTHENTICATION, AUTHORIZATION AND ACCOUNTING

US 20110055900A1
Filed: 12/12/2007
Published: 03/03/2011
Est. Priority Date: 12/13/2006
Status: Active Grant

First Claim

Patent Images

1. A first computer system, residing on a first computer network of a plurality of computer networks, for controlling access to the plurality of computer networks, the first computer system configured to:

store authentication routing data comprising;

address information related to at least two authentication databases against which credentials related to connecting devices may be authenticated, wherein at least one of the at least two authentication databases is contained on a second computer system residing on a second computer network; and

a criterion for selecting which of the at least two authentication databases a given credential is authenticated against;

receive a first credential from a network access controller on the first computer network, the first credential being relatable to a first connecting device requesting access to the plurality of computer networks at the network access controller;

determine the criterion;

based on the determined criterion, select a first authentication database of the at least two authentication databases against which the first credential is to be authenticated;

communicate the first credential to the first authentication database using the address information;

receive an authentication response from the first authentication database; and

communicate the authentication response to the network access controller.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some embodiments, computer systems, storage mediums, and methods are provided for controlling a connecting device'"'"'s access to a plurality of computer networks. In other embodiments, the provided computer systems, storage mediums, and methods may provide for authentication, authorization, and accounting of connecting devices connecting to a plurality of computer networks. In other embodiments, the provided computer systems, storage mediums, and methods may provide for the distribution of authentication routing data and authorization policies among a plurality of computer networks. In yet other embodiments, the provided computer systems, storage mediums, and methods may provide for the distribution of accounting among a plurality of computer networks.

Citations

24 Claims

1. A first computer system, residing on a first computer network of a plurality of computer networks, for controlling access to the plurality of computer networks, the first computer system configured to:
- store authentication routing data comprising;
  
  address information related to at least two authentication databases against which credentials related to connecting devices may be authenticated, wherein at least one of the at least two authentication databases is contained on a second computer system residing on a second computer network; and
  
  a criterion for selecting which of the at least two authentication databases a given credential is authenticated against;
  
  receive a first credential from a network access controller on the first computer network, the first credential being relatable to a first connecting device requesting access to the plurality of computer networks at the network access controller;
  
  determine the criterion;
  
  based on the determined criterion, select a first authentication database of the at least two authentication databases against which the first credential is to be authenticated;
  
  communicate the first credential to the first authentication database using the address information;
  
  receive an authentication response from the first authentication database; and
  
  communicate the authentication response to the network access controller.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 14, 15, 16)
- - 2. The first computer system of claim 1 further configured to cache a copy of the first credential.
  - 3. The first computer system of claim 2 further configured to receive a second credential and authenticate the second credential against the cached copy of the first credential.
  - 4. The first computer system of claim 1 wherein the criterion is used to select which of the at least two authentication databases the first credential is to be authenticated against based on attributes of the network access controller through which the first connecting device is requesting access to the plurality of computer networks.
  - 5. The first computer system of claim 1 wherein the criterion is used to select which of the at least two authentication databases the first credential is to be authenticated against based on attributes of the first connecting device.
  - 6. The first computer system of claim 5 wherein the attributes of the first connecting device include the first connecting device'"'"'s realm.
  - 7. The first computer system of claim 1 further configured to receive at least a portion of the authentication routing data from a third computer system residing on a computer network different than the first computer network.
  - 8. The first computer system of claim 1 further configured to:
    - store an authorization policy comprising one or more rules for controlling a connecting device'"'"'s access to the plurality of computer networks;
      
      receive first authorization information related to the first connecting device;
      
      compare the first authorization information to the authorization policy; and
      
      control the first connecting device'"'"'s access to the plurality of computer networks based on a result of the comparison.
  - 9. The first computer system of claim 8 further configured to receive at least a portion of the first authorization information from the first authentication database.
  - 10. The first computer system of claim 8 further configured to receive at least a portion of the authorization policy from a third computer system residing on a computer network different than the first computer network.
  - 11. The first computer system of claim 8 wherein the authorization policy includes a rule for controlling access to the plurality of computer networks based on at least one of attributes of a network access controller through which a connecting device requests access to the plurality of computer networks, a time of day at which a connecting device requests access to the plurality of computer networks and attributes of one or more groups of which a user of a connecting device is a member, and the authorization information includes at least one of attributes of the network access controller through which the first connecting device is requesting access to the plurality of computer networks, the time of day at which the first connecting device is requesting access to the plurality of computer networks and attributes of one or more groups of which a first user of the first connecting device is a member.
  - 14. The first computer system of claim 8 wherein controlling the first connecting device'"'"'s access to the plurality of computer networks includes instructing the network access controller to permit the first connecting device access to a first network resource residing on the plurality of computer networks and deny the first connecting device access to a second network resource residing on the plurality of computer networks.
  - 15. The first computer system of claim 1 further comprising an accounting computer system configured to:
    - monitor the first connecting device'"'"'s use of the plurality of computer networks;
      
      store one or more records of events involving the first connecting device'"'"'s use of the plurality of computer networks; and
      
      transmit at least one of the one or more records to a third computer system residing on a computer network different from the first computer network.
  - 16. The first computer system of claim 1 further configured to receive network service parameters allocating at least one logical address for a first type of network resource from a fourth computer system residing on a computer network different from the first computer network, store the network service parameters, and to provide a first network resource of the first type, executing on a third computer system residing on the first computer network, with an address containing the logical address.

12-13. -13. (canceled)

17. (canceled)

18. A first computer system, residing on a first computer network of a plurality of computer networks, for controlling access to the plurality of computer networks, the first computer system configured to:
- receive, from a second computer system, residing on a computer network different than the first computer network, at least a portion of an authorization policy comprising one or more rules for controlling a connecting device'"'"'s access to the plurality of computer networks;
  
  store an authorization policy including the at least a portion of an authorization policy;
  
  receive first authorization information related to a first connecting device requesting access to the plurality of computer networks at a network access controller residing on the first network;
  
  compare the first authorization information to the authorization policy; and
  
  control the first connecting device'"'"'s access to the plurality of computer networks based at least in part on the result of the comparison.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The first computer system of claim 18 wherein the authorization policy includes a rule for controlling access to the plurality of computer networks based on attributes of a network access controller through which a connecting device requests access to the plurality of computer networks, and the authorization information includes attributes of the network access controller through which the first connecting device is requesting access to the plurality of computer networks.
  - 20. The first computer system of claim 18 wherein the authorization policy includes a rule for controlling access to the plurality of computer networks based on a time of day at which a connecting device requests access to the plurality of computer networks, and the authorization information includes the time of day which the first connecting device is requesting access to the plurality of computer networks.
  - 21. The first computer system of claim 18 wherein the authorization policy includes a rule for controlling access to the plurality of computer networks based on attributes of one or more groups of which a first user of a connecting device is a member, and the authorization information includes attributes of one or more groups of which a first user of the connecting device is a member.
  - 22. The first computer system of claim 18 wherein controlling the first connecting device'"'"'s access to the plurality of computer networks includes instructing the network access controller to permit the first connecting device access to a first network resource residing on the plurality of computer networks and deny the first connecting device access to a second network resource residing on the plurality of computer networks.

23. A storage medium, readable by a first processor of a first computer system residing on a first computer network of a plurality of computer networks, having embodied therein a program of commands executable by the first processor, the program being adapted to be executed to:
- store authentication routing data comprising;
  
  address information related to at least two authentication databases against which credentials related to connecting devices may be authenticated, wherein at least one of the authentication databases is contained on a second computer system residing on a second computer network; and
  
  a criterion for selecting which of the at least two authentication databases a given credential is authenticated against;
  
  receive a first credential from a network access device on the first computer network, the first credential being relatable to a first connecting device requesting access to the plurality of computer networks at the network access device;
  
  determine the criterion;
  
  based on the determined criterion, select a first authentication database of the at least two authentication databases against which the first credential is to be authenticated;
  
  communicate the first credential to the first authentication database using the address information;
  
  receive an authentication response from the first authentication database;
  
  communicate the authentication response to the network access device;
  
  receive at least a portion of an authorization policy comprising one or more rules for controlling a connecting device'"'"'s access to the plurality of computer networks from a third computer system residing on a computer network different than the first computer network;
  
  store the authorization policy;
  
  receive first authorization information related to the first connecting device;
  
  compare the first authorization information to the authorization policy; and
  
  control the first connecting device'"'"'s access to the plurality of computer networks based on a result of the comparison.

24-66. -66. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Clearinghouse LLC (RPX Corporation)
Original Assignee
Nortel Networks Limited (Nortel Networks Corporation)
Inventors
Thusoo, Ashish, Pearce, Andrew Keith, Convery, Sean Joseph, Chua, Roy Liang

Granted Patent

US 8,763,088 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/0892   by using authentication-aut...

H04L 63/104   Grouping of entities

H04L 63/20   for managing network securi...

DISTRIBUTED AUTHENTICATION, AUTHORIZATION AND ACCOUNTING

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

DISTRIBUTED AUTHENTICATION, AUTHORIZATION AND ACCOUNTING

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links