Method for providing single step log-on access to a differentiated computer network
Abstract
A method for providing single step log-on access for a subscriber to a computer network. The computer network is differentiated into public and private areas. Secure access to the private areas is provided by a Service Selection Gateway (SSG) Server, introduced between a conventional Network Access Server (NAS) and an Authentication Authorization and Accounting (AAA) Server. The SSG Server intercepts and manipulates packets of data exchanged between the NAS and the AAA Server to obtain all the information it needs to automatically log the user on when the user logs on to the NAS. An authorized user is thus spared the task of having to re-enter username and password data or launch a separate application in order to gain secure access to private areas of the network.
28 Claims
1. A method for providing single step log-on access to a subscriber of a computer network having a first area and a second area, said method comprising:
linking a Service Selection Gateway (SSG) Server to a Network Access Server (NAS), said NAS providing the subscriber with access to the first area, and said SSG Server providing the subscriber with access to the second area, wherein the subscriber supplies data packets to log-on to said NAS for said access to the first area;
linking said SSG Server to an Authentication Authorization and Accounting (AAA) Server;
intercepting and forwarding said data packets sent between said NAS and said AAA Server by said SSG Server;
processing information in said data packets for enabling said SSG Server to automatically log the subscriber on to said SSG Server when the subscriber logs on to said NAS.
2. A method for providing single step log-on access for a subscriber of a computer network having a first area and a second separate area, said method comprising:
establishing a connection between the subscriber and a Network Access Server (NAS);
routing access-request packets from said NAS to a Service Selection Gateway (SSG) Server;
utilizing information in said access-request packets to initiate log-on for the subscriber to the second area;
routing said access-request packets from said SSG Server to an Authentication Authorization and Accounting (AAA) Server to initiate log-on for the subscriber to the first area; and
routing access-reply packets responsive to said access-request packets from said AAA Server back to said NAS via said SSG Server to complete log-on for the subscriber to the first and second areas.
3. A method for providing single step log-on access to a subscriber of a computer network, said computer network differentiated into a plurality of areas, said method including:
sending an access-request packet from a Network Access Server (NAS) to a Service Selection Gateway (SSG) Server when said subscriber connects to said NAS, according to a communications protocol;
forwarding said access-request packet to an Authentication Authorization and Accounting (AAA) Server;
in reply to said access-request packet, sending an access-reply packet from said AAA Server back to said SSG Server according to said communications protocol;
checking if said access-reply packet contains an Internet Protocol (IP) address for said subscriber, said IP address assigned by said AAA Server;
if said access-reply packet contains said IP address, then:
logging said subscriber on to said SSG Server with said IP address, if said access-reply packet contains authorization from said AAA Server;
forwarding said access-reply packet to said NAS according to said communications protocol; and
logging said subscriber on to said NAS with said IP address, if said forwarded access-reply packet contains authorization from said AAA Server;
or if said access-reply packet does not contain said IP address, then:
logging said subscriber on to said SSG server with a temporary dummy IP address, if said access-reply packet contains authorization from said AAA Server;
assigning a user identification number to said subscriber;
forwarding said access-reply packet and said user identification number to said NAS, according to said communications protocol;
logging said subscriber on to said NAS with a genuine IP address, if said forwarded access-reply packet contains authorization from said AAA Server;
sending an accounting-start packet from said NAS to said SSG Server, said accounting-start packet containing said genuine IP address and said user identification number, according to said communications protocol;
reading said accounting-start packet to determine said genuine IP address of said subscriber;
replacing said temporary dummy IP address with said genuine IP address on said SSG Server; and
forwarding said accounting-start packet to said AAA Server.
writing said user identification number into said access-reply packet as a RADIUS Attribute.
6. The method of claim 5, wherein said RADIUS Attribute is a RADIUS Class Attribute.
7. The method of claim 3, wherein said user identification number is said temporary dummy IP address.
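The decision flow of claims 3 to 7, as an added simulation that is not part of the patent or of any product: RADIUS packets are modelled as a code plus a name-to-value attribute map, the AAA Server is a constructed stub, and the dummy IP pool, the attribute names and the session tables are assumptions made for illustration.

```python
from dataclasses import dataclass, field
import itertools

# Constructed stand-in for a RADIUS packet: code plus a name -> value attribute map
# (real RADIUS uses numeric codes and TLV encoding; names are used here for clarity).
@dataclass
class Packet:
    code: str                                  # "Access-Request", "Access-Accept", ...
    attrs: dict = field(default_factory=dict)

def fake_aaa(req):
    """Constructed AAA Server: alice gets an AAA-assigned IP, bob gets no IP
    (the NAS will assign one), everyone else is rejected."""
    user = req.attrs.get("User-Name")
    if user == "alice":
        return Packet("Access-Accept", {"Framed-IP-Address": "192.0.2.10"})
    if user == "bob":
        return Packet("Access-Accept")
    return Packet("Access-Reject")

class SSG:
    """SSG Server between NAS and AAA; it keys its sessions by subscriber IP."""
    def __init__(self, aaa=fake_aaa):
        self.aaa = aaa
        self.sessions = {}        # subscriber IP -> username logged on to the SSG
        self.pending = {}         # user identification number -> dummy IP awaiting rebinding
        self._next = itertools.count(1)

    def handle_access_request(self, req):
        """Forward the NAS's Access-Request to AAA and process the reply (claim 3)."""
        reply = self.aaa(req)
        if reply.code != "Access-Accept":
            return reply          # no authorization from AAA: nobody is logged on, just forward
        user = req.attrs["User-Name"]
        ip = reply.attrs.get("Framed-IP-Address")
        if ip:                    # AAA assigned the IP: log on to the SSG with it directly
            self.sessions[ip] = user
        else:                     # NAS assigns the IP later: hold the session under a dummy IP
            dummy = f"10.255.0.{next(self._next)}"   # constructed placeholder pool
            self.sessions[dummy] = user
            self.pending[dummy] = dummy   # claim 7: the dummy IP doubles as the user id
            reply.attrs["Class"] = dummy  # claims 5 and 6: carry the id as a Class attribute
        return reply              # forwarded to the NAS, which echoes Class in accounting

    def handle_accounting_start(self, acct):
        """Accounting-Start from the NAS carries the genuine IP and the echoed Class;
        rebind the pending session to it (the packet is then forwarded on to AAA)."""
        uid = acct.attrs.get("Class")
        dummy = self.pending.pop(uid, None)
        if dummy is None:
            return False          # no pending SSG session for this id: nothing to rebind
        user = self.sessions.pop(dummy)
        self.sessions[acct.attrs["Framed-IP-Address"]] = user
        return True
```

An Accounting-Start whose Class value matches no pending session is forwarded but changes no SSG state, so only the identifier the SSG itself issued can rebind a session.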
8. An apparatus for providing a single step log-on access for a subscriber of a computer network having a first area and a second area, said computer network having a Network Access Server (NAS) and an Authentication Authorization and Accounting (AAA) Server, said NAS providing access for the subscriber to said first area, said apparatus comprising:
a Service Selection Gateway (SSG) Server for providing access for the subscriber to the second area, said SSG Server connected between the NAS and the AAA Server, said SSG Server receiving an access-request packet from the NAS when the subscriber connects to the NAS, forwarding said access-request packet to the AAA Server, receiving an access-reply packet from the AAA Server when the AAA Server receives said access-request packet, and forwarding said access-reply packet to the NAS; and
a processor for processing information in said access-reply packet for enabling said SSG Server to automatically log the subscriber onto said SSG Server when the subscriber logs onto the NAS.
12. A system for providing a single step log-on access for a subscriber of a computer network having a first area and a second area, said apparatus comprising:
a Network Access Server (NAS) for providing access for the subscriber to the first area, said NAS sending an access-request packet when the subscriber connects to said NAS according to a communications protocol;
an Authentication Authorization and Accounting (AAA) Server for receiving said access-request packet and sending an access-reply packet in response;
a Service Selection Gateway (SSG) Server for providing access for the subscriber to the second area, said SSG Server connected between said NAS and said AAA Server, said SSG Server receiving said access-request packet from said NAS, forwarding said access-request packet to said AAA Server, receiving said access-reply packet from said AAA Server, and forwarding said access-reply packet to said NAS; and
a processor for processing information in said access-reply packet for enabling said SSG Server to automatically log the subscriber onto said SSG Server when the subscriber logs onto said NAS.
15. A programmable storage device readable by a machine tangibly embodying a program of instructions executable by the machine to perform method steps for providing single step log-on access to a subscriber of a computer network having a first area and a second area, said method steps comprising:
linking a Service Selection Gateway (SSG) Server to a Network Access Server (NAS), said NAS providing the subscriber with access to the first area, and said SSG Server providing the subscriber with access to the second area, wherein the subscriber supplies data packets to log-on to said NAS for said access to the first area;
linking said SSG Server to an Authentication Authorization and Accounting (AAA) Server;
intercepting and forwarding said data packets sent between said NAS and said AAA Server by said SSG Server;
processing information in said data packets for enabling said SSG Server to automatically log the subscriber on to said SSG Server when the subscriber logs on to said NAS.
16. A programmable storage device readable by a machine tangibly embodying a program of instructions executable by the machine to perform method steps for providing single step log-on access for a subscriber of a computer network having a first area and a second separate area, said method steps comprising:
establishing a connection between the subscriber and a Network Access Server (NAS);
routing access-request packets from said NAS to a Service Selection Gateway (SSG) Server;
utilizing information in said access-request packets to initiate log-on for said subscriber to the second area;
routing said access-request packets from said SSG Server to an Authentication Authorization and Accounting (AAA) Server to initiate log-on for the subscriber to the first area; and
routing access-reply packets responsive to said access-request packets from said AAA Server back to said NAS via said SSG Server to complete log-on for the subscriber to the first and second areas.
17. A programmable storage device readable by a machine tangibly embodying a program of instructions executable by the machine to perform method steps for providing single step log-on access to a subscriber of a computer network, said computer network differentiated into a plurality of areas, said method steps comprising:
sending an access-request packet from a Network Access Server (NAS) to a Service Selection Gateway (SSG) Server when said subscriber connects to said NAS, according to a communications protocol;
forwarding said access-request packet to an Authentication Authorization and Accounting (AAA) Server;
in reply to said access-request packet, sending an access-reply packet from said AAA Server back to said SSG Server according to said communications protocol;
checking if said access-reply packet contains an Internet Protocol (IP) address for said subscriber, said IP address assigned by said AAA Server;
if said access-reply packet contains said IP address, then:
logging said subscriber on to said SSG Server with said IP address, if said access-reply packet contains authorization from said AAA Server;
forwarding said access-reply packet to said NAS according to said communications protocol; and
logging said subscriber on to said NAS with said IP address, if said forwarded access-reply packet contains authorization from said AAA Server;
or if said access-reply packet does not contain said IP address, then:
logging said subscriber on to said SSG server with a temporary dummy IP address, if said access-reply packet contains authorization from said AAA Server;
assigning a user identification number to said subscriber;
forwarding said access-reply packet and said user identification number to said NAS, according to said communications protocol;
logging said subscriber on to said NAS with a genuine IP address, if said forwarded access-reply packet contains authorization from said AAA Server;
sending an accounting-start packet from said NAS to said SSG Server, said accounting-start packet containing said genuine IP address and said user identification number, according to said communications protocol;
reading said accounting-start packet to determine said genuine IP address of said subscriber;
replacing said temporary dummy IP address with said genuine IP address on said SSG Server; and
forwarding said accounting-start packet to said AAA Server.
writing said user identification number into said access-reply packet as a RADIUS Attribute.
20. The programmable storage device of claim 19, wherein said RADIUS Attribute is a RADIUS Class Attribute.
21. The programmable storage device of claim 17, wherein said user identification number is said temporary dummy IP address.
22. An apparatus for providing single step log-on access to a subscriber of a computer network having a first area and a second area, said apparatus comprising:
means for linking a Service Selection Gateway (SSG) Server to a Network Access Server (NAS), said NAS providing the subscriber with access to the first area, and said SSG Server providing the subscriber with access to the second area, wherein the subscriber supplies data packets to log-on to said NAS for said access to the first area;
means for linking said SSG Server to an Authentication Authorization and Accounting (AAA) Server;
means for intercepting and forwarding said data packets sent between said NAS and said AAA Server by said SSG Server;
means for processing information in said data packets for enabling said SSG Server to automatically log the subscriber on to said SSG Server when the subscriber logs on to said NAS.
23. An apparatus for providing single step log-on access for a subscriber of a computer network having a first area and a second separate area, said apparatus comprising:
means for establishing a connection between the subscriber and a Network Access Server (NAS);
means for routing access-request packets from said NAS to a Service Selection Gateway (SSG) Server;
means for utilizing information in said access-request packets to initiate log-on for said subscriber to the second area;
means for routing said access-request packets from said SSG Server to an Authentication Authorization and Accounting (AAA) Server to initiate log-on for the subscriber to the first area; and
means for routing access-reply packets responsive to said access-request packets from said AAA Server back to said NAS via said SSG Server to complete log-on for the subscriber to the first and second areas.
24. A method for providing single step log-on access to a subscriber of a computer network, said computer network differentiated into a plurality of areas, said method comprising:
means for sending an access-request packet from a Network Access Server (NAS) to a Service Selection Gateway (SSG) Server when said subscriber connects to said NAS, according to a communications protocol;
means for forwarding said access-request packet to an Authentication Authorization and Accounting (AAA) Server;
means for sending an access-reply packet from said AAA Server back to said SSG Server according to said communications protocol in reply to said access-request packet;
means for checking if said access-reply packet contains an Internet Protocol (IP) address for said subscriber, said IP address assigned by said AAA Server;
means for logging said subscriber on to said SSG Server with said IP address, if said access-reply packet contains authorization from said AAA Server if said access-reply packet contains said IP address;
means for forwarding said access-reply packet to said NAS according to said communications protocol; and
means for logging said subscriber on to said NAS with said IP address, if said forwarded access-reply packet contains authorization from said AAA Server;
or means for logging said subscriber on to said SSG server with a temporary dummy IP address, if said access-reply packet contains authorization from said AAA Server if said access-reply packet does not contain said IP address;
means for assigning a user identification number to said subscriber;
means for forwarding said access-reply packet and said user identification number to said NAS, according to said communications protocol;
means for logging said subscriber on to said NAS with a genuine IP address, if said forwarded access-reply packet contains authorization from said AAA Server;
means for sending an accounting-start packet from said NAS to said SSG Server, said accounting-start packet containing said genuine IP address and said user identification number, according to said communications protocol;
means for reading said accounting-start packet to determine said genuine IP address of said subscriber;
means for replacing said temporary dummy IP address with said genuine IP address on said SSG Server; and
means for forwarding said accounting-start packet to said AAA Server.
means for writing said user identification number into said access-reply packet as a RADIUS Attribute.
27. The apparatus of claim 26, wherein said RADIUS Attribute is a RADIUS Class Attribute.
28. The apparatus of claim 24, wherein said user identification number is said temporary dummy IP address.