Deterministic user authentication service for communication network

US 6,070,243 A
Filed: 06/13/1997
Issued: 05/30/2000
Est. Priority Date: 06/13/1997
Status: Expired due to Term

First Claim

Patent Images

1. A user authentication service for a communication network including a plurality of nodes each having a different network interface, comprising:

means for accepting and storing, as entries for particular users, user identification information;

means for accepting a log-in response entered on an end system, the system having a LAN interface;

means for comparing for a match the log-in response with the user identification information; and

means for establishing, if a match is found, communicability between the system and a selectable group of the nodes.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A user authentication service for a communication network authenticates local users before granting them access to personalized sets of network resources. Authentication agents on intelligent edge devices present users of associated end systems with log-in challenges. Information supplied by the users is forwarded to an authentication server for verification. If successfully verified, the authentication server returns to the agents authorized connectivity information and time restrictions for the particular authenticated users. The agents use the information to establish rules for filtering and forwarding network traffic originating from or destined for particular authenticated users during authorized time periods. An enhanced authentication server may be engaged if additional security is desired. The authorized connectivity information preferably includes identifiers of one or more virtual local area networks active in the network. Log-in attempts are recorded so that the identity and whereabouts of network users may be monitored from a network management station.

Citations

21 Claims

1. A user authentication service for a communication network including a plurality of nodes each having a different network interface, comprising:
- means for accepting and storing, as entries for particular users, user identification information;
  
  means for accepting a log-in response entered on an end system, the system having a LAN interface;
  
  means for comparing for a match the log-in response with the user identification information; and
  
  means for establishing, if a match is found, communicability between the system and a selectable group of the nodes.
- View Dependent Claims (2, 3)
- - 2. The user authentication service according to claim 1, wherein said LAN interface is operative for communicating with said system in a LAN media type.
  - 3. The user authentication service according to claim 2, wherein said LAN media type is Ethernet or Token Ring.

4. A user authentication service for a communication network including a plurality of nodes each having a different network interface, comprising:
- means for accepting and storing, as associated entries for particular users, user identification information and groups of the nodes;
  
  means for accepting a log-in response entered on an end system in the network;
  
  means for comparing for a match the log-in response with the user identification information; and
  
  means for establishing communicability between the system and each member of a group of the nodes associated with matching user identification information.
- View Dependent Claims (5)
- - 5. The user authentication service according to claim 4, wherein the groups of nodes are represented in the entries by virtual local area network identifiers.

6. A user authentication service for a communication network including a plurality of nodes each having a different network interface, comprising:
- means for accepting and storing, as associated entries for particular users, user identification information, time restrictions defining an access period and groups of the nodes;
  
  means for accepting a log-in response entered on an end system in the network;
  
  means for comparing for a match the log-in response with the user identification information;
  
  means for establishing communicability between the system and each member of a group of the nodes associated with matching user identification information, for the defined access period associated with the matching user identification information.
- View Dependent Claims (7)
- - 7. The user authentication service according to claim 6, wherein the groups of nodes are represented in the entries by virtual local area network identifiers.

8. A user authentication service for a communication network including a plurality of nodes each having a different network interface, comprising:
- means for accepting and storing, as associated entries for particular users, user identification information, groups of the nodes, and enhanced authentication information, the enhanced authentication information identifying an enhanced authentication server operative in the network;
  
  means for accepting a log-in response entered on an end system in the network;
  
  means for comparing for a match the log-in response with the user identification information;
  
  means for conducting an enhanced authentication session between the system and the enhanced authentication server associated with matching user identification information; and
  
  means for establishing, if the enhanced authentication is successfully completed, communicability between the system and each member of a group of the nodes associated with the matching user identification information.
- View Dependent Claims (9)
- - 9. The user authentication service according to claim 8, wherein the groups of nodes are represented in the entries by virtual local area network identifiers.

10. A method for authenticating prospective users of a communication network including a plurality of nodes each having a different network interface, comprising:
- (a) accepting and storing, as associated entries for particular users, user identification information and groups of the nodes;
  
  (b) accepting a log-in response on an end system in the network;
  
  (c) comparing for a match the log-in response with the user identification information; and
  
  (d) if a match is found, establishing communicability between the system and each member of a group of the nodes associated with the matching user identification information.

11. A method for authenticating prospective users of a communication network including a plurality of nodes each having a different network interface, comprising:
- (a) accepting and storing, as associated entries for particular users, user identification information, time restrictions and groups of the nodes, the time restrictions defining authorized times;
  
  (b) accepting a log-in response on an end system in the network during a log-in attempt;
  
  (c) comparing for a user match the log-in response with the user identification information;
  
  (d) upon finding a user match, comparing for a time match the authorized times associated with the matching user identification information with the time of the log-in attempt;
  
  (e) upon finding a time match, establishing communicability between said system and each member of a group of the nodes associated with the matching user identification information for the authorized time associated with the matching user identification information.

12. A method for authenticating prospective users of a communication network including a plurality of nodes each having a different network interface, comprising:
- (a) accepting and storing, as associated entries for particular users, user identification information, groups of the nodes and enhanced authentication information, the enhanced authentication information identifying an enhanced authentication server operative in the network;
  
  (b) accepting a log-in response on an end system in the network;
  
  (c) comparing for a match the log-in response with the user identification information;
  
  (d) if a match is found, conducting an enhanced authentication method between the system and the identified enhanced authentication server associated with the matching user identification information; and
  
  (e) if the enhanced authentication method is successfully completed, establishing communicability between the system and each member of a group of the nodes associated with the matching user identification information.

13. An authentication agent for a user authentication service for a communication network, comprising:
- means for receiving a log-in response from an end system;
  
  means for communicating the log-in response to an authentication server;
  
  means for receiving authorized subnetwork information from the authentication server in response to the log-in response; and
  
  means for communicating the authorized subnetwork information to a processing means, the processing means applying the authorized subnetwork information to establish rules for communicability between the system and members of different groups of nodes in the network, wherein each node has a different network interface.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The authentication agent according to claim 13, further comprising:
    - means for receiving user status information from said authentication server in response to said log-in response; and
      
      means for communicating said user status information to said system.
  - 15. The authentication agent according to claim 13, further comprising means for establishing a secure connection for communicating with said authentication server.
  - 16. The authentication agent according to claim 15, wherein said secure connection is established through the exchange of authentication keys.
  - 17. The authentication agent according to claim 13, further comprising means for terminating connectivity with said system after a configurable number of failed log-in attempts.
  - 18. The authentication agent according to claim 13, wherein said authorized subnetwork information includes time restrictions defining an access period, and wherein said processing means is operative for abolishing the established rules when said access period expires.
  - 19. The authentication agent according to claim 13, wherein said processing means is operative for abolishing the established rules if said system becomes disconnected from the network.
  - 20. The authentication agent according to claim 13, wherein said processing means is operative for abolishing the established rules if said agent receives from said server a deactivation instruction for said system.
  - 21. The authentication agent according to claim 13, wherein said processing means is operative for abolishing the established rules when said system fails to transmit packets for a predetermined length of time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel USA Sourcing Incorporated (Nokia Corporation)
Original Assignee
Xylan Corp. (Nokia Corporation)
Inventors
Stone, Geoffrey C., Pikover, Yuri, See, Michael E., Panza, Charles L., Bailey, John W.
Primary Examiner(s)
Beausoliel, Jr., Robert W.
Assistant Examiner(s)
Iqbal, Nadeem

Application Number

US08/874,754
Time in Patent Office

1,082 Days
Field of Search

395/187.01, 395/180, 395/182.02, 395/186, 395/188, 395/413, 395/200.1, 395/200.11-200.2, 380/374, 380/25, 380/23, 380/42-95, 380/49, 380/50, 380/3, 380/4, 364/222.2, 364/222.4, 364/222.5, 371/67.1, 371/68.2, 379/88, 379/188, 379/197, 370/60, 370/94.1, 713/201, 713/200, 713/202
US Class Current

726/2
CPC Class Codes

G06F 21/31   User authentication

G06F 21/445   by mutual authentication, e...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

Deterministic user authentication service for communication network

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Deterministic user authentication service for communication network

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links