Deterministic user authentication service for communication network

US 6,339,830 B1
Filed: 03/15/2000
Issued: 01/15/2002
Est. Priority Date: 06/13/1997
Status: Expired due to Term

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A user authentication method for a communication network having a plurality of nodes, the method comprising:

entering on a first node first user identification information;

transmitting to a second node the first user identification information, the second node having second user identification information;

comparing for a match on the second node the first user identification information with the second user identification information; and

authorizing communication between the first node and a group of nodes on the communication network in response to a match, wherein the group of nodes is represented by a virtual local area network identifier.

View all claims

9 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

A user authentication service for a communication network authenticates local users before granting them access to personalized sets of network resources. Authentication agents on intelligent edge devices present users of associated end systems with log-in challenges. Information supplied by the users is forwarded to an authentication server for verification. If successfully verified, the authentication server returns to the agents authorized connectivity information and time restrictions for the particular authenticated users. The agents use the information to establish rules for filtering and forwarding network traffic originating from or destined for particular authenticated users during authorized time periods. An enhanced authentication server may be engaged if additional security is desired. The authorized connectivity information preferably includes identifiers of one or more virtual local area networks active in the network. Log-in attempts are recorded so that the identity and whereabouts of network users may be monitored from a network management station.

236 Citations

40 Claims

1. A user authentication method for a communication network having a plurality of nodes, the method comprising:
- entering on a first node first user identification information;
  
  transmitting to a second node the first user identification information, the second node having second user identification information;
  
  comparing for a match on the second node the first user identification information with the second user identification information; and
  
  authorizing communication between the first node and a group of nodes on the communication network in response to a match, wherein the group of nodes is represented by a virtual local area network identifier.

2. A user authentication method for a communication network having a plurality of nodes, the method comprising:
- entering on a first node first user identification information;
  
  transmitting to a second node the first user identification information, the second node having second user identification information;
  
  comparing for a match on the second node the first user identification information with the second user identification information; and
  
  establishing communicability between the first node and a group of nodes associated with the second user identification information in response to a match, wherein the group of nodes is represented by a virtual local area network identifier.
- View Dependent Claims (3, 4, 5)
- - 3. The method of claim 2, wherein the first, second and group of nodes include devices selected from the group consisting of computers, workstations, and servers.
  - 4. The user authentication method according to claim 2, wherein the communicability is established for an access period associated with the second user identification information.
  - 5. The user authentication method of claim 2, wherein the first node includes an authentication client and the second node includes an authentication server.

6. A user authentication method for a communication network having a plurality of nodes, the method comprising:
- associating a user of the network with a group of nodes represented by a virtual local area network based on a unique user key;
  
  verifying the unique user key in a log-in sequence; and
  
  authorizing communication between the user and the group of nodes upon verifying the unique user key.
- View Dependent Claims (7, 8, 10, 11)
- - 7. The user authentication method according to claim 6, wherein the group of nodes is represented in the association by a virtual local area network identifier.
  - 8. The user authentication method according to claim 6, wherein the unique user key comprises a password.
  - 10. The user authentication method according to claim 8, wherein the group of nodes is represented in the association by a virtual local area network identifier.
  - 11. The user authentication method according to claim 8, wherein the unique user key comprises a password.

9. A user authentication method for a communication network having a plurality of nodes, the method comprising:
- associating a user of the network with a group of nodes and an access period based on a unique user key;
  
  verifying the unique user key in a log-in sequence; and
  
  authorizing communication between the user and the group of nodes for the access period upon verifying the unique user key, wherein the group of nodes is represented by a virtual local area network.

12. A user authentication method for a communication network having a plurality of nodes, the method comprising:
- associating based on a unique user key each of a plurality of users of the network with a group of nodes represented by a virtual local area network selected for the user; and
  
  verifying in a log-in sequence for each of the plurality of users the user'"'"'s unique user key prior to establishing communicability between the user and the group of nodes selected for the user.
- View Dependent Claims (13, 14)
- - 13. The user authentication method according to claim 12, wherein each group of nodes is represented in the association by a virtual local area network identifier.
  - 14. The user authentication method according to claim 12, wherein each unique user key comprises a password.

15. A user authentication method for a communication network having a plurality of nodes, the method comprising:
- entering on a first node first user identification information;
  
  transmitting to a second node the first user identification information, the second node having a database with pairs of user identification information and network resources;
  
  searching the database for paired user identification information matching the first user identification information; and
  
  authorizing communication between the first node and the network resources paired with matching user identification information, wherein the network resources are represented by a virtual local area network.

16. A user authentication method for a communication network having a plurality of nodes, the method comprising:
- entering on a first node a first user identification information;
  
  transmitting to a second node the first user identification information, the second node having second user identification information;
  
  comparing for a match on the second node the first user identification information with the second user identification information; and
  
  initiating upon a match an enhanced authentication for the user, whereby more information is solicited from the user and compared with information on a third node prior to establishing communicability between the user and a group of nodes represented by a virtual local area network identifier with which the user is authorized to communicate.

17. A user authentication method for a communication network having a plurality of nodes, the method comprising:
- entering on a first node first user identification information;
  
  transmitting to an authentication agent on a second node communicating with the first node over a LAN link the first user identification information;
  
  relaying from the authentication agent to an authentication server the first user identification information;
  
  comparing on the authentication server the first user identification information with user identification information in a database of user identification information; and
  
  transmitting from the authentication server to the authentication agent, if the first user identification information matches user identification information in the database of user identification information, information notifying the authentication agent that a user on the first node has been authenticated whereupon the authentication agent authorizes transmission on the second node of packets in data flows involving the first node.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The user authentication method according to claim 17, wherein the first node and second node are co-located in a local area network.
  - 19. The user authentication method according to claim 17, wherein the authentication server resides on the second node.
  - 20. The user authentication method according to claim 17, wherein the authentication server resides on a third node.
  - 21. The user authentication method according to claim 17, wherein the authorization includes data flows for which the first node is the source.
  - 22. The user authentication method according to claim 17, wherein the authorization includes data flows for which the first node is the destination.

23. A user authentication method for a communication network having a plurality of nodes, the method comprising:
- transmitting a log-in response from an end system being used by a user to an authentication agent;
  
  relaying the log-in response to an authentication server;
  
  reviewing the log-in response at the authentication server to determine if the user is authorized; and
  
  transmitting to the authentication agent a list of network resources for which the user is authorized, along with any time restrictions whereupon the authentication agent applies the authorized list of network resources and time restrictions to establish network connectivity rules for the user, wherein the authentication agent is located on a node having a LAN link to the end system.

24. A user authentication system for a communication network comprising:
- a first node for entering user identification information;
  
  a second node for receiving the user identification information from the first node and comparing for a match the user identification information with user identification information in a database of user identification information; and
  
  a port on the second node that is authenticated upon a match for allowing communication between the first node and a group of nodes associated with the user identification information, and is not authenticated upon a mismatch, thereby failing to establish communication between the first node and other nodes, wherein the group of nodes is associated with a virtual local area network.
- View Dependent Claims (25, 26, 27)
- - 25. The system according to claim 24, wherein the database resides on the second node.
  - 26. The system according to claim 24, wherein the database resides on a third node.
  - 27. The authentication system of claim 24, wherein the node is selected from the group consisting of a computer, a workstation, and a server.

28. A user authentication system for a communication network comprising:
- a node interconnected to an edge device over a LAN, the edge device managing the packet flow from the node to a backbone network; and
  
  the backbone network coupled to a network management station, wherein the edge device comprises;
  
  an authentication module interfacing with the node, performing LAN media translations so that the edge device supports nodes operating using disparate LAN media;
  
  a backbone module for interfacing the authentication module to the backbone network;
  
  a switching link for switching packets from the authentication module to the backbone module, thereby allowing packets from authenticated users to flow between the node and the backbone network; and
  
  a management processor module for managing the switching link.
- View Dependent Claims (29, 30, 31)
- - 29. The authentication module of claim 28, wherein the authentication module filters and forwards packets to and from the node.
  - 30. The authentication module of claim 28, wherein the authentication module interprets and modifies packets to and from the node.
  - 31. The authentication system of claim 28, wherein the network management station comprises:

32. A user authentication system for a communication network, comprising:
- a first node being used by a user; and
  
  a second node communicating with the first node over a LAN link, the second node providing the sole interface between the first node and a LAN backbone, wherein the second node denies the first node access to the LAN backbone prior to the user becoming authenticated, except for conducting a user authentication protocol exchange.
- View Dependent Claims (33, 34)
- - 33. The user authentication system according to claim 32, wherein the second node permits the first node access to the LAN backbone for other than the user authentication protocol exchange after the user becomes authenticated.
  - 34. The user authentication system according to claim 32, wherein the second node permits the first node access to the LAN backbone for data exchange after the user becomes authenticated.

35. A user authentication system for a communication network, comprising:
- a first node being used by a user; and
  
  a second node communicating with the first node over a LAN link, the second node providing an exclusive point of access for the first node to the network, wherein the network is an institutional communication network and wherein prior to the user becoming authenticated the second node permits the first node access to the network solely for conducting an authentication protocol exchange with the user.
- View Dependent Claims (36)
- - 36. The user authentication system according to claim 35, wherein after the user becomes authenticated the second node permits the first node access to the network for data exchange.

37. A user authentication method for a communication network having a plurality of nodes, the method comprising:
- entering on a first node first user identification information;
  
  transmitting to an authentication agent on a second node communicating with the first node over a LAN link the first user identification information;
  
  relaying from the authentication agent to an authentication server the first user identification information;
  
  comparing on the authentication server the first user identification information with user identification information in a database of user identification information;
  
  transmitting from the authentication server to the authentication agent, the result of the comparison;
  
  transmitting from the authentication server to the authentication agent a list of network resources for which the user is authorized if the result is a match; and
  
  associating a list of network resources with the first node if the result is a match.
- View Dependent Claims (38, 39)
- - 38. The user authentication method of claim 37 further comprising filtering and forwarding packets between the first node and the network resources of the list according to the association if the result is a match.
  - 39. The user authentication method of claim 38 further comprising dropping packets between the first node and other nodes if the result is a mismatch.

40. A user authentication method for a communication network having a plurality of nodes, the method comprising:
- entering on a first node first user identification information;
  
  transmitting to an authentication agent on a second node the first user identification information;
  
  relaying from the authentication agent to an authentication server the first user identification information;
  
  comparing on the authentication server the first user identification information with user identification information in a database of user identification information;
  
  transmitting from the authentication server to the authentication agent, the result of the comparison;
  
  transmitting from the authentication server to the authentication agent a list of network resources for which the user is authorized if the result is a match;
  
  associating a list of network resources with the first node if the result is a match;
  
  forwarding packets between the first node and a destination node if the result is a match and the nodes share a common VLAN;
  
  dropping packets between the first node and a destination node if the result is not a match; and
  
  dropping packets between the first node and a destination node if the nodes do not share a common VLAN.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Alcatel USA Sourcing Incorporated (Nokia Corporation)
Original Assignee
Alcatel Internetworking Incorporated (Nokia Corporation)
Inventors
Pikover, Yuri, See, Michael E., Panza, Charles L., Stone, Geoffrey C., Bailey, John W.
Primary Examiner(s)
Iqbal, Nadeem

Application Number

US09/525,506
Time in Patent Office

671 Days
Field of Search

713/202, 713/201, 713/200, 380/3, 380/4, 380/29, 380/30, 380/23, 380/25, 370/60, 370/94, 340/825.31, 340/825.34
US Class Current

726/15
CPC Class Codes

G06F 21/31   User authentication

G06F 21/445   by mutual authentication, e...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

Deterministic user authentication service for communication network

First Claim

9 Assignments

Litigations

0 Petitions

Accused Products

Abstract

236 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Deterministic user authentication service for communication network

First Claim

9 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

236 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links