Deterministic user authentication service for communication network
Abstract
A user authentication service for a communication network authenticates local users before granting them access to personalized sets of network resources. Authentication agents on intelligent edge devices present users of associated end systems with log-in challenges. Information supplied by the users is forwarded to an authentication server for verification. If successfully verified, the authentication server returns to the agents authorized connectivity information and time restrictions for the particular authenticated users. The agents use the information to establish rules for filtering and forwarding network traffic originating from or destined for particular authenticated users during authorized time periods. An enhanced authentication server may be engaged if additional security is desired. The authorized connectivity information preferably includes identifiers of one or more virtual local area networks active in the network. Log-in attempts are recorded so that the identity and whereabouts of network users may be monitored from a network management station.
Claims (33)
1. A user authentication method for a communication network having a plurality of nodes, the method comprising:
- entering on a first node first user identification information;
- transmitting to an authentication agent on a second node communicating with the first node over a LAN link the first user identification information;
- relaying from the authentication agent to an authentication server the first user identification information;
- comparing on the authentication server the first user identification information with user identification information in a database of user identification information; and
- transmitting from the authentication server to the authentication agent, if the first user identification information matches user identification information in the database of user identification information, notification information notifying the authentication agent that a user on the first node has been authenticated whereupon the authentication agent authorizes transmission on the second node of packets in data flows involving the first node, wherein the first user identification information is transmitted to the authentication agent as part of a MAC-based authentication flow between an authentication client on the first node and the authentication agent.

Dependent claims: 2, 3, 4, 5, 6, 7.
8. A user authentication method for a communication network having a plurality of nodes, the method comprising:
- entering on a first node first user identification information;
- transmitting to an authentication agent on a second node communicating with the first node over a LAN link the first user identification information;
- relaying from the authentication agent to an authentication server the first user identification information;
- comparing on the authentication server the first user identification information with user identification information in a database of user identification information; and
- transmitting from the authentication server to the authentication agent, if the first user identification information matches user identification information in the database of user identification information, information notifying the authentication agent that a user on the first node has been authenticated whereupon the authentication agent authorizes transmission on the second node of packets in data flows involving the first node, wherein the authorization comprises authorizing an interface to the LAN link to allow packets in data flows.

Dependent claims: 9, 10, 11, 12, 13, 14.
15. A user authentication method for a communication network having a plurality of nodes, the method comprising:
- entering on a first node first user identification information;
- transmitting to an authentication agent on a second node communicating with the first node over a LAN link the first user identification information;
- relaying from the authentication agent to an authentication server the first user identification information;
- comparing on the authentication server the first user identification information with user identification information in a database of user identification information; and
- transmitting from the authentication server to the authentication agent, if the first user identification information matches user identification information in the database of user identification information, notification information notifying the authentication agent that a user on the first node has been authenticated whereupon the authentication agent authorizes transmission on the second node of packets in data flows involving the first node and one or more nodes reachable by the first node via the second node and relays to the first node the notification information.

Dependent claims: 16, 17, 18, 19, 20, 21, 22, 23.
24. A user authentication method for a communication network having a plurality of nodes, the method comprising:
- entering on a first node first user identification information;
- transmitting to an authentication agent on a second node communicating with the first node over a LAN link the first user identification information;
- relaying from the authentication agent to an authentication server the first user identification information;
- comparing on the authentication server the first user identification information with user identification information in a database of user identification information; and
- transmitting from the authentication server to the authentication agent, if the first user identification information matches user identification information in the database of user identification information, information notifying the authentication agent that a user on the first node has been authenticated whereupon the authentication agent authorizes transmission on the second node of packets in data flows involving the first node, wherein the packets that are transmitted pursuant to the authorization bypass the authentication agent.
25. A user authentication method for a communication network having a plurality of nodes, the method comprising:
- entering on a first node first user identification information;
- transmitting to an authentication agent on a second node communicating with the first node over a LAN link the first user identification information;
- relaying from the authentication agent to an authentication server the first user identification information;
- comparing on the authentication server the first user identification information with user identification information in a database of user identification information; and
- transmitting from the authentication server to the authentication agent, if the first user identification information matches user identification information in the database of user identification information, information notifying the authentication agent that a user on the first node has been authenticated and information identifying a VLAN for which the user has been authenticated whereupon the authentication agent authorizes transmission on the second node of packets in data flows that involve the first node and are within the VLAN.

Dependent claims: 26, 27, 28, 29, 30, 31, 32, 33.
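The agent/server split described in the abstract and in claims 1, 8 and 25 (edge agent relays the log-in, the server checks its database and returns VLAN and time-window information, the agent installs a per-node forwarding rule and records the attempt) is modelled below as an added Python example; it is not the patent's own code. The user database, the MAC addresses and the hashed secrets are constructed sample data, and the rule is keyed on the client MAC to mirror the MAC-based flow of claim 1.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed user database held by the authentication server:
# username -> (sha256 of the user's secret, authorized VLAN ids, (start_hour, end_hour)).
USER_DB = {
    "alice": (hashlib.sha256(b"alice-secret").hexdigest(), {10, 20}, (8, 18)),
    "bob":   (hashlib.sha256(b"bob-secret").hexdigest(), {30}, (0, 24)),
}

@dataclass
class AuthResult:
    """Notification returned by the server to the agent after the database compare."""
    authenticated: bool
    vlans: frozenset = frozenset()   # VLANs the user may use (claim 25)
    hours: tuple = (0, 0)            # authorized time window, hours of the day

class AuthServer:
    """Compares relayed identification information with the database."""
    def verify(self, user: str, secret: str) -> AuthResult:
        entry = USER_DB.get(user)
        if entry is None:
            return AuthResult(False)
        digest = hashlib.sha256(secret.encode()).hexdigest()
        if not hmac.compare_digest(digest, entry[0]):   # constant-time compare
            return AuthResult(False)
        return AuthResult(True, frozenset(entry[1]), entry[2])

@dataclass
class AuthAgent:
    """Edge-device agent: relays log-ins and filters traffic by MAC, VLAN and time."""
    server: AuthServer
    rules: dict = field(default_factory=dict)   # client MAC -> AuthResult
    log: list = field(default_factory=list)     # recorded attempts: (MAC, user, success)

    def login(self, mac: str, user: str, secret: str) -> bool:
        result = self.server.verify(user, secret)   # relay to the authentication server
        self.log.append((mac, user, result.authenticated))
        if result.authenticated:
            self.rules[mac] = result                # authorize flows involving this node
        return result.authenticated

    def allow(self, mac: str, vlan: int, hour: int) -> bool:
        """Forward a packet from/to `mac` on `vlan` at `hour` only under an installed rule."""
        rule = self.rules.get(mac)
        if rule is None or vlan not in rule.vlans:
            return False
        start, end = rule.hours
        return start <= hour < end
```

Before a successful log-in every packet from the node is dropped; afterwards only packets in the authorized VLANs and within the authorized hours are forwarded, and each attempt, failed or not, is in the agent's log for the management station.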
Specification