Integration of authentication authorization and accounting service and proxy service
Abstract
A single database maintained centrally hosts both proxy service data and authentication, authorization and accounting (AAA) data. Data is then copied to storage used locally by each system when both systems are instantiated. Therefore, the ISP/Telco need not maintain two different databases. A protocol gateway (PGW) is used to determine if the incoming user is a wholesale or retail user. The PGW filters the domain portion of the access request to locate a remote AAA service. If one such service is found, the PGW routes the communication via the proxy service to proxy it to the remote AAA service. The returned packet from the remote AAA service is then searched for an IP address to be assigned to the incoming user. If one is not found, the PGW obtains a dynamically allocated IP address from a DHCP server (using an IP-Pool-ID if supplied in the returned packet from the remote AAA service). The same mechanism is used to forward accounting event packets from the NAS to the remote AAA server. The PGW may monitor more than one proxy and/or AAA service and load balance among them.
30 Claims
1. A method for managing network access to a data communications network, said method comprising:

maintaining a central database;
maintaining at least one authentication, authorization and accounting (AAA) service at a point of presence (PoP) of the data communications network; and
configuring a database associated with the AAA service from the central database, wherein said configuring includes publishing information from said central database on an information bus as at least one event, said AAA service subscribing to said event so as to receive said published information so as to thereby update its associated database.

2. A method in accordance with claim 1, further comprising:
receiving at a protocol gateway in the PoP a network access request from a user through a network access server (NAS);
parsing the network access request for an identification of the user's domain;
routing the network access request to the AAA service at the PoP if the user's domain corresponds to that of the PoP;
looking up a domain identification entry corresponding to the user's domain in the AAA service's database if the user's domain does not correspond to that of the PoP;
proxying the network access request to an AAA service in the user's domain at an address and port as specified in the domain identification entry of the database if the user's domain does not correspond to that of the PoP.

3. A method in accordance with claim 2, further comprising:
obtaining an IP address for the user from the AAA service in the user's domain if the user's domain does not correspond to that of the PoP.

4. A method in accordance with claim 2, further comprising:
assigning an IP address to the user from a local DHCP pool of IP address if the user's domain does not correspond to that of the PoP.

5. A method in accordance with claim 2, further comprising:
assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user's domain's AAA service if the user's domain does not correspond to that of the PoP.

24. A method in accordance with claim 1, further comprising:
obtaining an IP address for the user from the AAA service in the user's domain if the user's domain does not correspond to that of the PoP.

25. A method in accordance with claim 1, further comprising:
assigning an IP address to the user from a local DHCP pool of IP address if the user's domain does not correspond to that of the PoP.

26. A method in accordance with claim 1, further comprising:
assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user's domain's AAA service if the user's domain does not correspond to that of the PoP.

6. A method for managing network access to a data communications network, said method comprising:

maintaining a central database;
maintaining a plurality of authentication, authorization and accounting (AAA) services at a point of presence (PoP) of the data communication network; and
configuring databases associated with the AAA services from the central database, wherein said configuring includes publishing information from said central database on an information bus as at least one event, said AAA services subscribing to said event so as to receive said published information so as to thereby update their associated databases.

7. A method in accordance with claim 6, further comprising:
receiving at a protocol gateway in the PoP a network access request from a user through a network access server (NAS);
parsing the network access request for an identification of the user's domain;
routing the network access request to one of said plurality of AAA services at the PoP if the user's domain corresponds to that of the PoP while load balancing among said plurality of AAA services;
looking up a domain identification entry corresponding to the user's domain in one of said plurality of AAA service's databases if the user's domain does not correspond to that of the PoP;
proxying the network access request to an AAA service in the user's domain at an address and port as specified in the domain identification entry of the database if the user's domain does not correspond to that of the PoP.

8. A method in accordance with claim 7, further comprising:
obtaining an IP address for the user from the AAA service in the user's domain if the user's domain does not correspond to that of the PoP.

9. A method in accordance with claim 7, further comprising:
assigning an IP address to the user from a local DHCP pool of IP address if the user's domain does not correspond to that of the PoP.

10. A method in accordance with claim 7, further comprising:
assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user's domain's AAA service if the user's domain does not correspond to that of the PoP.

11. A method for managing network access to a data communications network, said method comprising:

maintaining a central database, said central database containing access information for authentication, authorization and accounting services associated with domains of the data communications network;
maintaining at a point of presence (PoP) of the data communications network at least one AAA service and at least one proxy service and at least one protocol gateway in communication with a network access server (NAS);
periodically publishing information contained in said central database;
subscribing at said AAA and said proxy service to information published from said central database;
receiving at a protocol gateway in the PoP a network access request from a user through a network access server (NAS);
parsing the network access request at the protocol gateway for an identification of the user's domain;
routing the network access request to an AAA service at the PoP if the user's domain corresponds to that of the PoP;
looking up access information within a domain identification entry corresponding to the user's domain in a database associated with the proxy server if the user's domain does not correspond to that of the PoP; and
proxying the network access request to an AAA service in the user's domain at an address and port as specified in the access information if the user's domain does not correspond to that of the PoP.

12. A method in accordance with claim 11, further comprising:
obtaining an IP address for the user from an AAA service in the user's domain if the user's domain does not correspond to that of the PoP.

13. A method in accordance with claim 11, further comprising:
assigning an IP address to the user from a local DHCP pool of IP address if the user's domain does not correspond to that of the PoP.

14. A method in accordance with claim 11, further comprising:
assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user's domain's AAA service if the user's domain does not correspond to that of the PoP.

15. A method of managing network access requests to a data communications network, said method comprising:

receiving at a protocol gateway in a point of presence (PoP) of the data communications network a network access request from a user through a network access server (NAS);
parsing the network access request for an identification of the user's domain;
routing the network access request to one of the plurality of authentication, authorization and accounting (AAA) services associated with the PoP if the user's domain corresponds to that of the PoP while load balancing among the plurality of AAA services;
looking up a domain identification entry corresponding to the user's domain in a database if the user's domain does not correspond to that of the PoP;
proxying the network access request via one of a plurality of proxy services to an AAA service in the user's domain at an address and port as specified in the domain identification entry of the database if the user's domain does not correspond to that of the PoP while load balancing among the plurality of proxy services.

16. A method in accordance with claim 15, further comprising:
obtaining an IP address for the user from the AAA service in the user's domain if the user's domain does not correspond to that of the PoP.

17. A method in accordance with claim 15, further comprising:
assigning an IP address to the user from a local DHCP pool of IP address if the user's domain does not correspond to that of the PoP.

18. A method in accordance with claim 15, further comprising:
assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user's domain's AAA service if the user's domain does not correspond to that of the PoP.

19. A method for managing network access to a data communications network, said method comprising:

maintaining a central database, said central database containing access information for authentication, authorization and accounting services associated with domains of the data communications network;
maintaining at a point of presence (PoP) of the data communications network a plurality of AAA services at least one AAA service and at least one proxy service and at least one protocol gateway in communication with a network access server (NAS);
periodically publishing information contained in said central database;
subscribing at said AAA and said proxy service to information published from said central database;
receiving at a protocol gateway in the PoP a network access request from a user through a network access server (NAS);
parsing the network access request at the protocol gateway for an identification of the user's domain;
routing the network access request to one of said plurality of AAA services at the PoP if the user's domain corresponds to that of the PoP while load balancing among said plurality of AAA services;
looking up access information within a domain identification entry corresponding to the user's domain in a database associated with one of said plurality of proxy services if the user's domain does not correspond to that of the PoP while load balancing among said plurality of proxy services; and
proxying the network access request to an AAA service in the user's domain at an address and port as specified in the access information if the user's domain does not correspond to that of the PoP.

20. A method in accordance with claim 19, further comprising:
obtaining an IP address for the user from an AAA service in the user's domain if the user's domain does not correspond to that of the PoP.

21. A method in accordance with claim 19, further comprising:
assigning an IP address to the user from a local DHCP pool of IP address if the user's domain does not correspond to that of the PoP.

22. A method in accordance with claim 19, further comprising:
assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user's domain's AAA service if the user's domain does not correspond to that of the PoP.

23. A method of managing network access requests to a data communications network, said method comprising:

receiving at a protocol gateway in a point of presence (PoP) of the data communications network a network access request from a user through a network access server (NAS);
parsing the network access request for an identification of the user's domain;
routing the network access request to an authentication, authorization and accounting (AAA) service associated with the PoP if the user's domain corresponds to that of the PoP;
looking up a domain identification entry corresponding to the user's domain in a database if the user's domain does not correspond to that of the PoP;
proxying the network access request to an AAA service in the user's domain at an address and port as specified in the domain identification entry of the database if the user's domain does not correspond to that of the PoP.

27. A system for data communications network access management, comprising:

a central database containing information identifying access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
a publisher, said publisher publishing information from said central database to subscribers over an information bus;
a point of presence (PoP) on the data communications network, said PoP including a protocol gateway in communication with at least one network access server (NAS);
an AAA service associated with said PoP and in communication with said protocol gateway, said AAA service subscribing to information published by said publisher; and
a proxy service associated with the PoP and in communication with said protocol gateway, said proxy service subscribing to information published by said publisher, said protocol gateway receiving network access requests from users over the NAS, parsing the requests for domain identification and routing the requests for domains other than those associated with the PoP to the proxy service, said proxy service routing network access requests to AAA services in remote domains in accordance with said access information.

28. A system in accordance with claim 27, further comprising:
said AAA database populated at instantiation of said AAA service by receiving information published by said publisher from said central database, said proxy database populated at instantiation of said proxy service by receiving information published by said publisher from said database.

29. A system for data communications network access management, comprising:

a central database containing information identifying access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
a publisher, said publisher publishing information from said central database to subscribers over an information bus;
a point of presence (PoP) on the data communications network, said PoP including a protocol gateway in communication with at least one network access server (NAS);
a plurality of AAA services associated with said PoP and in communication with said protocol gateway, said AAA services subscribing to information published by said publisher; and
a plurality of proxy services associated with said PoP and in communication with said protocol gateway, said proxy services subscribing to information published by said publisher, said protocol gateway receiving network access requests from users over the NAS, parsing the requests for domain identification and routing the requests for domains other than those associated with the PoP to one of said plurality of proxy services while load balancing among them, said proxy service routing network access requests to AAA services in remote domains in accordance with said access information.

30. A system in accordance with claim 29, further comprising:
a plurality of AAA databases associated with said respective AAA services; and
a plurality of proxy databases associated with said respective proxy services, said AAA databases populated at instantiation of said respective AAA services by receiving information published by said publisher from said central database, said proxy databases populated at instantiation of said respective proxy services by receiving information published by said publisher from said database.
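The request-routing and IP-assignment flow that the abstract and the claims describe, written out as an added Python simulation (this is not the patent's own code nor any product covered by it): a central database publishes domain entries on an information bus, the AAA and proxy services at the PoP subscribe and update their own local copies, the protocol gateway parses the domain from the access request and either routes it locally (round-robin over the AAA services, as claims 6 and 15 require) or proxies it to the address and port found in the domain entry (round-robin over the proxy services), and assign_ip applies the abstract's fallback order: an address in the returned packet, then the pool named by IP-Pool-ID, then the local DHCP pool. Every class and function name is hypothetical; the RADIUS attribute names User-Name and Framed-IP-Address are assumptions, since the page only speaks of "an IP address" in the returned packet; rejecting a request whose domain has no entry, and treating a bare username as belonging to the PoP's own domain, are also assumptions the page does not state.

```python
import itertools
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

Entry = Tuple[str, int]  # (host, port) of a remote domain's AAA service


class InformationBus:
    """Hypothetical publish/subscribe bus standing in for the patent's information bus."""

    def __init__(self) -> None:
        self._subscribers: Dict[str, List[Callable[[dict], None]]] = defaultdict(list)

    def subscribe(self, topic: str, handler: Callable[[dict], None]) -> None:
        self._subscribers[topic].append(handler)

    def publish(self, topic: str, event: dict) -> None:
        for handler in list(self._subscribers[topic]):
            handler(event)


class CentralDatabase:
    """Single source of truth: domain -> (host, port) of that domain's AAA service."""

    def __init__(self, bus: InformationBus) -> None:
        self._bus = bus
        self.entries: Dict[str, Entry] = {}

    def upsert(self, domain: str, host: str, port: int) -> None:
        domain = domain.lower()
        self.entries[domain] = (host, port)
        # Each change goes out as an event; subscribers refresh their local copies.
        self._bus.publish("domain_entry", {"domain": domain, "host": host, "port": port})


class LocalService:
    """An AAA or proxy service at the PoP holding its own locally stored copy of the entries."""

    def __init__(self, name: str, bus: InformationBus) -> None:
        self.name = name
        self.db: Dict[str, Entry] = {}
        bus.subscribe("domain_entry", self._on_entry)

    def _on_entry(self, event: dict) -> None:
        self.db[event["domain"]] = (event["host"], event["port"])


class RoundRobin:
    """Minimal load balancer over a list of services."""

    def __init__(self, members: List[LocalService]) -> None:
        self._cycle = itertools.cycle(members)

    def pick(self) -> LocalService:
        return next(self._cycle)


class ProtocolGateway:
    """Routes an access request using only the domain part of User-Name."""

    def __init__(self, pop_domain: str, aaa: List[LocalService], proxies: List[LocalService]) -> None:
        self.pop_domain = pop_domain.lower()
        self._aaa = RoundRobin(aaa)
        self._proxies = RoundRobin(proxies)

    def route(self, request: dict) -> tuple:
        user = request.get("User-Name", "")
        # Normalise case so "ISP.example" and "isp.example" are the same domain.
        # Assumption: a bare username with no '@' belongs to the PoP's own domain.
        domain = user.rsplit("@", 1)[1].lower() if "@" in user else self.pop_domain
        if domain == self.pop_domain:
            return ("local", self._aaa.pick().name)
        proxy = self._proxies.pick()
        entry = proxy.db.get(domain)
        if entry is None:
            # Assumption: no entry means nowhere to proxy to, so the request is rejected.
            return ("reject", proxy.name, domain)
        host, port = entry
        return ("proxy", proxy.name, host, port)


def assign_ip(access_accept: dict, pools: Dict[str, List[str]], default_pool: str = "default") -> Optional[str]:
    """IP selection in the abstract's order: an address carried in the returned packet,
    else the pool named by IP-Pool-ID, else the local default pool."""
    if access_accept.get("Framed-IP-Address"):  # attribute name is an assumption
        return access_accept["Framed-IP-Address"]
    pool = pools.get(access_accept.get("IP-Pool-ID", default_pool))
    if not pool:
        return None  # unknown or exhausted pool: nothing can be assigned
    return pool.pop(0)


def build_demo() -> Tuple[ProtocolGateway, Dict[str, List[str]]]:
    """Constructed topology: one central database, two AAA and two proxy services."""
    bus = InformationBus()
    central = CentralDatabase(bus)
    aaa = [LocalService("aaa-1", bus), LocalService("aaa-2", bus)]
    proxies = [LocalService("proxy-1", bus), LocalService("proxy-2", bus)]
    central.upsert("partner.example", "aaa.partner.example", 1812)  # constructed entry
    pools = {"default": ["10.0.0.10", "10.0.0.11"], "gold": ["10.1.0.10"]}  # constructed pools
    return ProtocolGateway("isp.example", aaa, proxies), pools
```

Calling build_demo() and then pgw.route({"User-Name": "carol@partner.example"}) yields a proxy decision carrying the host and port copied into the proxy service's local database by the published event, while a user of isp.example is handed to the next AAA service in rotation. Two design points worth noting from a defender's side: the domain is lower-cased before comparison so a case variant of the PoP's own domain cannot be mis-routed to the proxy path, and every routing decision is served from the local copy, so the PoP keeps answering during a central-database outage at the cost of entries being only as fresh as the last published event.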