Centralized authentication, authorization and accounting server with support for multiple transport protocols and multiple client types
Abstract
A system and method for authenticating and authorizing user access to a computer network. An AAA server comprises a plurality of Authentication transport protocol modules that interface with one or more clients using a native authentication transport protocol. The AAA server is coupled with a DBMS system that stores user authentication, authorization and accounting information in a standard format. Authentication and authorization are performed using a five phase process comprising the phases: Augmentation; Selection; Authentication; Authorization and Confirmation. During the Augmentation phase, client requests are translated into a standard internal format. The requests are parsed into a set of attribute/value pairs according to a parse rules table. In the Selection phase, the AAA server determines the details of the access request and identifies the permit required to authorize access. A rules table is used, wherein a particular row in the rules table is selected according to the attribute/value pairs from the Augmentation phase. The rules table provides the necessary details for the AAA server to formulate a proper response to the client. In the Authentication phase, the AAA server determines if the log in information provided by the user matches information stored in the user record. In the Authorization phase, the AAA server determines if the user is authorized to access the requested service by determining if the permit retrieved in the Selection phase matches the permit stored in the user database. In the Confirmation phase, the AAA server determines if a port limit has been exceeded and checks the client request for inconsistencies.
Claims (19)
1. A system for authenticating and authorizing user access to a computer network comprising:
a database management system; and
a server comprising:
a plurality of authentication transport protocol support modules, each providing support for receiving user initiated requests from clients and sending answers to clients in a particular authentication transport protocol; and
first means coupled to said plurality of transport protocol modules and said database management system for translating a request into a standard internal format, determining a service associated with said request, determining if information provided in said request matches information stored in a user record, determining if a user initiating said request is authorized to access said service associated with said request, and preventing said user initiating said request from logging onto the computer network more than a specified number of times.
Dependent claims: 2, 3, 16, 17.

2. [preamble of claim 2 not present in the extracted text]
an augmentation module coupled with a parse rules table for parsing said request and creating a tuple vector according to said parse rules table;
a selection module coupled with a rules table for selecting a selected row in said rules table by matching one or more tuples in said tuple vector with values in said rules table and for retrieving a permit from said selected row;
an authentication module coupled with a user database for comparing one or more tuples in said tuple vector with a user record in said database, wherein said user record corresponds with said user initiating said request; and
an authorization module for authorizing said request by comparing said permit with a permit stored in said user record.

3. The system of claim 2, wherein said first means further comprises:
a confirmation module for confirming said request by determining whether said user has exceeded a predetermined port limit according to the number of current active log on sessions associated with said user and a port limit value stored in said user record.

16. The system of claim 1, wherein said server provides information and reports.

17. The system of claim 16, wherein said reports include:
a summary report of activity for a particular log-in ID;
a detail report of activity for a particular log-in ID;
a summary report of activity for all log-in IDs associated with a particular customer; and
a report showing modem/line utilization statistics.

4. A process for authenticating and authorizing a request for access to a computer network from a client comprising the steps of:
receiving, at one of a plurality of transport protocol support modules, the request, wherein the request is formatted in accordance with a particular authentication transport protocol corresponding with said one of a plurality of transport protocol support modules;
translating, at said one of a plurality of transport protocol support modules, the request from said particular authentication transport protocol into a standard format;
augmenting the request, wherein said augmenting step includes parsing said standard format to create a tuple vector in accordance with a parse rules table;
selecting a row in a rules table by matching one or more tuples in said tuple vector with one or more values in said rules table;
retrieving a permit from said selected row in said selecting step;
authenticating the request by comparing one or more tuples in said tuple vector with a user record in a database management system, wherein said user record corresponds with a particular user specified in the request;
authorizing the request by comparing said permit from said retrieving step with a permit stored in said user record;
constructing an answer to the client in accordance with results from said augmentation, selection, authentication and authorization steps; and
sending said answer to the client.
Dependent claims: 5, 6, 7, 8, 9, 18.

5. [preamble of claim 5 not present in the extracted text]
confirming the request by determining whether said particular user has exceeded a predetermined port limit according to the number of current active log on sessions associated with said particular user and a port limit value stored in said user record; and
sending an authorization response to the client if said confirming step indicates that said port limit value has not been exceeded; and
sending a reject message to the client if said confirming step indicates that said port limit value has been exceeded.

6. The process of claim 4, wherein said constructing step comprises the step of constructing a reject message if said authenticating step indicates a mismatch between said one or more tuples and said user record.

7. The process of claim 4, wherein said sending step comprises the step of sending a reject message to the client if said authorization step indicates a mismatch between said permit from said retrieving step and said permit stored in said user record.

8. The process of claim 4, wherein said sending step comprises the step of sending an appropriate authorization response to the client, if a match is found in said authenticating and said authorizing steps, said appropriate authorization response includes information from said selected row in said rules table.

9. The process of claim 4, further comprising the step of providing accounting data to the user record stored in the database, said accounting data including user access time and services accessed.

18. The process of claim 9, further comprising the step of generating reports using said accounting data.

10. A computer program product comprising a computer useable medium having computer program logic stored therein, said computer program logic for authenticating and authorizing a request for access to a computer network from a client, wherein said computer program logic comprises:
means for enabling the computer to receive, at one of a plurality of transport protocol support modules, the request, wherein the request is formatted in accordance with a particular authentication transport protocol corresponding with said one of a plurality of transport protocol support modules;
means for enabling the computer to translate, at said one of a plurality of transport protocol support modules, the request from said particular authentication transport protocol into a standard format;
means for enabling the computer to augment the request, wherein said augmenting means includes means for enabling the computer to parse said standard format and create a tuple vector in accordance with a parse rules table;
means for enabling the computer to select a row in a rules table by matching one or more tuples in said tuple vector with one or more values in said rules table;
means for enabling the computer to retrieve a permit from said selected row;
means for enabling the computer to authenticate the request by comparing one or more tuples in said tuple vector with a user record in a database management system, wherein said user record corresponds with a particular user specified in the request;
means for enabling the computer to authorize the request by comparing said permit from said retrieving means with a permit stored in said user record;
means for enabling the computer to construct an answer to the client in accordance with results from said augmentation, selection, authentication and authorization means; and
means for enabling the computer to send said answer to the client.
Dependent claims: 11, 12, 13, 14, 15, 19.

11. [preamble of claim 11 not present in the extracted text]
means for enabling the computer to confirm the request by determining whether said particular user has exceeded a predetermined port limit according to the number of current active log on sessions associated with said particular user and a port limit value stored in said user record; and
means for enabling the computer to send an authorization response to the client, if said confirming means indicates that said port limit value has not been exceeded; and
means for enabling the computer to send a reject message to the client if said confirming means indicates that said port limit value has been exceeded.

12. The computer program product of claim 10, wherein said constructing means comprises means for enabling the computer to construct a reject message if said authenticating means indicates a mismatch between said one or more tuples and said user record.

13. The computer program product of claim 10, wherein said sending means comprises means for enabling the computer to send a reject message to the client if said authorization means indicates a mismatch between said permit from said retrieving means and said permit stored in said user record.

14. The computer program product of claim 10, wherein said sending means comprises means for enabling the computer to send an appropriate authorization response to the client, if a match is found in said authenticating means and said authorizing means, said appropriate authorization response includes information from said selected row in said rules table.

15. The computer program product of claim 10, wherein said computer program logic further comprises:
means for enabling the computer to provide accounting data to the user record stored in the database, said accounting data including user access time and services accessed.

19. The computer program product of claim 15, wherein said computer program logic further comprises means for enabling the computer to provide reports using said accounting data.
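The five-phase pipeline of the abstract (Augmentation, Selection, Authentication, Authorization, Confirmation) and the steps of process claim 4, worked through in Python as an added illustration. This is not the patent's implementation and no code appears in the patent itself: the two transport modules and their RADIUS- and TACACS-like field names, the parse rules table, the rules table, the permit names, the user records and the requests are all constructed assumptions. It also goes slightly beyond the claims on two defensive points they leave open: the stored password is a salted PBKDF2 hash compared in constant time, and an unknown log-in ID is hashed against a dummy record so that "no such user" and "wrong password" cost the same and are both answered with the same reject reason.

```python
"""Toy five-phase AAA pipeline: Augmentation, Selection, Authentication,
Authorization, Confirmation.  Added illustration only; all tables, user
records and request formats below are constructed assumptions."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000

# Transport protocol support modules: each translates a client's native
# request into the standard internal format (a dict of attribute/value pairs).
def from_radius_like(raw):            # constructed RADIUS-style attribute names
    return {"user": raw["User-Name"], "password": raw["User-Password"],
            "port_type": raw.get("NAS-Port-Type", "Async"),
            "dnis": raw.get("Called-Station-Id", "")}

def from_tacacs_like(raw):            # constructed TACACS-style field names
    return {"user": raw["username"], "password": raw["passwd"],
            "port_type": raw.get("port_type", "Async"),
            "dnis": raw.get("dnis", "")}

TRANSPORTS = {"radius": from_radius_like, "tacacs": from_tacacs_like}

# Phase 1, Augmentation.  Parse rules table: (source attribute, tuple name,
# transform).  The output is the tuple vector used by the later phases.
PARSE_RULES = [
    ("user", "login", lambda v: v.split("@", 1)[0]),
    ("user", "realm", lambda v: v.split("@", 1)[1] if "@" in v else "default"),
    ("port_type", "port_type", str.lower),
    ("dnis", "dnis", str),
]

def augment(req):
    return [(name, fn(req[src])) for src, name, fn in PARSE_RULES if src in req]

# Phase 2, Selection.  Rules table rows: (match conditions, permit, answer
# details).  None is a wildcard; the first matching row is selected.
RULES_TABLE = [
    ({"realm": "corp.example", "port_type": "isdn"}, "PERMIT_ISDN", {"service": "ppp", "mtu": 1500}),
    ({"realm": "corp.example", "port_type": None}, "PERMIT_DIALUP", {"service": "ppp", "mtu": 576}),
    ({"realm": None, "port_type": None}, "PERMIT_GUEST", {"service": "shell"}),
]

def select_row(tuple_vector):
    tv = dict(tuple_vector)
    for cond, permit, details in RULES_TABLE:
        if all(v is None or tv.get(k) == v for k, v in cond.items()):
            return permit, details
    return None, {}

# User database (constructed).  Passwords are stored as salted PBKDF2 hashes;
# "sessions" is the accounting record of currently active log-ons.
def make_record(password, permits, port_limit):
    salt = os.urandom(16)
    return {"salt": salt, "permits": set(permits), "port_limit": port_limit,
            "sessions": [],
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)}

USERS = {
    ("alice", "corp.example"): make_record("correct horse", {"PERMIT_DIALUP", "PERMIT_ISDN"}, 2),
    ("carol", "corp.example"): make_record("battery staple", {"PERMIT_DIALUP"}, 1),
    ("bob", "default"): make_record("hunter2", {"PERMIT_GUEST"}, 1),
}
DUMMY = make_record("", set(), 0)   # hashed against when the log-in ID is unknown

# Phase 3, Authentication: login/realm from the tuple vector select the user
# record, and the supplied password is checked against the stored hash.
def authenticate(tuple_vector, req):
    tv = dict(tuple_vector)
    rec = USERS.get((tv.get("login"), tv.get("realm")))
    target = rec if rec is not None else DUMMY    # same cost whether or not the user exists
    h = hashlib.pbkdf2_hmac("sha256", req["password"].encode(), target["salt"], PBKDF2_ROUNDS)
    if rec is None or not hmac.compare_digest(h, rec["pw_hash"]):
        return None
    return rec

# Phase 4, Authorization: the permit from the selected row must be one the
# user record holds.
def authorize(permit, rec):
    return permit is not None and permit in rec["permits"]

# Phase 5, Confirmation: the port limit is enforced against active sessions.
def confirm(rec):
    return len(rec["sessions"]) < rec["port_limit"]

def handle_request(transport, raw, session_id):
    """Run all five phases and build the answer sent back to the client."""
    req = TRANSPORTS[transport](raw)
    tv = augment(req)
    permit, details = select_row(tv)
    rec = authenticate(tv, req)
    if rec is None:
        return {"result": "REJECT", "reason": "authentication failed"}
    if not authorize(permit, rec):
        return {"result": "REJECT", "reason": "permit not held", "permit": permit}
    if not confirm(rec):
        return {"result": "REJECT", "reason": "port limit exceeded"}
    rec["sessions"].append(session_id)   # accounting: the log-on is now active
    return {"result": "ACCEPT", "permit": permit, **details}
```

Calling handle_request("radius", {"User-Name": "alice@corp.example", "User-Password": "correct horse", "NAS-Port-Type": "ISDN"}, "s1") walks the request through all five phases and returns an ACCEPT carrying the permit and the answer details from the selected rules-table row; a third concurrent log-on for the same user is rejected by the Confirmation phase on the port limit, and a user whose record lacks the selected permit is rejected by the Authorization phase even though the password was right.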