Deterministic user authentication service for communication network

US 6,874,090 B2
Filed: 06/21/2001
Issued: 03/29/2005
Est. Priority Date: 06/13/1997
Status: Expired due to Term

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A user authentication method for a communication network having a plurality of nodes, the method comprising:

entering on a first node first user identification information;

transmitting to an authentication agent on a second node communicating with the first node over a LAN link the first user identification information;

relaying from the authentication agent to an authentication server the first user identification information;

comparing on the authentication server the first user identification information with user identification information in a database of user identification information; and

transmitting from the authentication server to the authentication agent, if the first user identification information matches user identification information in the database of user identification information, notification information notifying the authentication agent that a user on the first node has been authenticated whereupon the authentication agent authorizes transmission on the second node of packets in data flows involving the first node, wherein the first user identification information is transmitted to the authentication agent as part of a MAC-based authentication flow between an authentication client on the first node and the authentication agent.

View all claims

11 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Reexamination

Accused Products

Abstract

A user authentication service for a communication network authenticates local users before granting them access to personalized sets of network resources. Authentication agents on intelligent edge devices present users of associated end systems with log-in challenges. Information supplied by the users is forwarded to an authentication server for verification. If successfully verified, the authentication server returns to the agents authorized connectivity information and time restrictions for the particular authenticated users. The agents use the information to establish rules for filtering and forwarding network traffic originating from or destined for particular authenticated users during authorized time periods. An enhanced authentication server may be engaged if additional security is desired. The authorized connectivity information preferably includes identifiers of one or more virtual local area networks active in the network. Log-in attempts are recorded so that the identity and whereabouts of network users may be monitored from a network management station.

120 Citations

View as Search Results

33 Claims

1. A user authentication method for a communication network having a plurality of nodes, the method comprising:
- entering on a first node first user identification information;
  
  transmitting to an authentication agent on a second node communicating with the first node over a LAN link the first user identification information;
  
  relaying from the authentication agent to an authentication server the first user identification information;
  
  comparing on the authentication server the first user identification information with user identification information in a database of user identification information; and
  
  transmitting from the authentication server to the authentication agent, if the first user identification information matches user identification information in the database of user identification information, notification information notifying the authentication agent that a user on the first node has been authenticated whereupon the authentication agent authorizes transmission on the second node of packets in data flows involving the first node, wherein the first user identification information is transmitted to the authentication agent as part of a MAC-based authentication flow between an authentication client on the first node and the authentication agent.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising relaying from the authentication agent to the authentication client as part of the MAC-based authentication flow the notification information.
  - 3. The method of claim 1, further comprising, prior to transmitting the first user identification information to the authentication agent, transmitting from the authentication client to the authentication agent as part of the MAC-based authentication flow a request to establish an authentication session.
  - 4. The method of claim 1, further comprising transmitting from the authentication client to the authentication agent as part of the MAC-based authentication flow a logoff request, whereupon the authentication agent revokes the authorization.
  - 5. The method of claim 1, further comprising transmitting from the authentication server to the authentication agent, if the first user identification information does not match user identification information in the database, second notification information notifying the authentication agent that the user on the first node has failed to become authenticated, whereupon the authentication agent fails to authorize transmission on the second node of packets in data flows involving the first node and relays to the authentication client as part of the MAC-based authentication flow the second notification information.
  - 6. The method of claim 5, wherein if the authentication agent determines that the user has made a predetermined number of failed authentication attempts, the authentication agent transmits to the authentication client as part of the MAC-based authentication flow information notifying the authentication client that further authentication attempts will be inhibited.
  - 7. The method of claim 1, wherein the packets transmitted pursuant to the authorization are neither encrypted nor decrypted by the second node.

8. A user authentication method for a communication network having a plurality of nodes, the method comprising:
- entering on a first node first user identification information;
  
  transmitting to an authentication agent on a second node communicating with the first node over a LAN link the first user identification information;
  
  relaying from the authentication agent to an authentication server the first user identification information;
  
  comparing on the authentication server the first user identification information with user identification information in a database of user identification information; and
  
  transmitting from the authentication server to the authentication agent, if the first user identification information matches user identification information in the database of user identification information, information notifying the authentication agent that a user on the first node has been authenticated whereupon the authentication agent authorizes transmission on the second node of packets in data flows involving the first node, wherein the authorization comprises authorizing an interface to the LAN link to allow packets in data flows.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the interface is on the second node.
  - 10. The method of claim 8, wherein the LAN link is an Ethernet link.
  - 11. The method of claim 8, wherein the authentication server is a RADIUS server.
  - 12. The method of claim 8, wherein the authentication server is on a third node.
  - 13. The method of claim 8, wherein prior to the authorization, the second node drops all packets received from the first node that are not part of an authentication flow.
  - 14. The method of claim 8, wherein prior to the authorization, the second node drops all packets received from the first node that are not addressed to the authentication agent.

15. A user authentication method for a communication network having a plurality of nodes, the method comprising:
- entering on a first node first user identification information;
  
  transmitting to an authentication agent on a second node communicating with the first node over a LAN link the first user identification information;
  
  relaying from the authentication agent to an authentication server the first user identification information;
  
  comparing on the authentication server the first user identification information with user identification information in a database of user identification information; and
  
  transmitting from the authentication server to the authentication agent, if the first user identification information matches user identification information in the database of user identification information, notification information notifying the authentication agent that a user on the first node has been authenticated whereupon the authentication agent authorizes transmission on the second node of packets in data flows involving the first node and one or more nodes reachable by the first node via the second node and relays to the first node the notification information.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23)
- - 16. The method of claim 15, wherein prior to the authorization, the second node inhibits transmission to any nodes reachable by the first node via the second node of all packets received from the first node that are not part of an authentication flow.
  - 17. The method of claim 15, wherein prior to the authorization, the second node inhibits transmission to any nodes reachable by the first node via the second node of all packets received from the first node that are not addressed to the authentication agent.
  - 18. The method of claim 15, further comprising, prior to transmitting the first user identification information to the authentication agent, transmitting from the first node to the authentication agent a request to establish an authentication session.
  - 19. The method of claim 15, further comprising transmitting from the first node to the authentication agent a logoff request, whereupon the authentication agent revokes the authorization.
  - 20. The method of claim 15, further comprising transmitting from the authentication serve to the authentication agent, if the first user identification information does not match user identification information in the database, second notification information notifying the authentication agent that the user on the first node has failed to become authenticated, whereupon the authentication agent fails to authorize transmission on the second node of packets in data flows involving the first node and any nodes reachable by the first node via the second node and relays to the first node the second notification information.
  - 21. The method of claim 20, wherein upon receipt of the second notification information, the authentication agent determines the number of failed authentication attempts made by the user.
  - 22. The user authentication method of claim 21, wherein if the authentication agent determines that the user has made a predetermined number of failed authentication attempts, the authentication agent inhibits further authentication attempts.
  - 23. The user authentication method of claim 21, wherein if the authentication agent determines that the user has made a predetermined number of failed authentication attempts, the authentication agent transmits to the first node information notifying the first node that further authentication attempts will be inhibited.

24. A user authentication method for a communication network having a plurality of nodes, the method comprising:
- entering on a first node first user identification information;
  
  transmitting to an authentication agent on a second node communicating with the first node over a LAN link the first user identification information;
  
  relaying from the authentication agent to an authentication server the first user identification information;
  
  comparing on the authentication server the first user identification information with user identification information in a database of user identification information; and
  
  transmitting from the authentication server to the authentication agent, if the first user identification information matches user identification information in the database of user identification information, information notifying the authentication agent that a user on the first node has been authenticated whereupon the authentication agent authorizes transmission on the second node of packets in data flows involving the first node, wherein the packets that are transmitted pursuant to the authorization bypass the authentication agent.

25. A user authentication method for a communication network having a plurality of nodes, the method comprising:
- entering on a first node first user identification information;
  
  transmitting to an authentication agent on a second node communicating with the first node over a LAN link the first user identification information;
  
  relaying from the authentication agent to an authentication server the first user identification information;
  
  comparing on the authentication server the first user identification information with user identification information in a database of user identification information; and
  
  transmitting from the authentication server to the authentication agent, if the first user identification information matches user identification information in the database of user identification information, information notifying the authentication agent that a user on the first node has been authenticated and information identifying a VLAN for which the user has been authenticated whereupon the authentication agent authorizes transmission on the second node of packets in data flows that involve the first node and are within the VLAN.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33)
- - 26. The method of claim 25, wherein the information notifying the authentication agent that the user on the first node has been authenticated and the information identifying the VLAN for which the user has been authenticated are transmitted from the authentication server to the authentication agent in a single packet.
  - 27. The method of claim 25, wherein one or more of the packets that are transmitted pursuant to the authorization are appended on the second node and transmitted from the second node to a backbone network with an identifier of the VLAN.
  - 28. The method of claim 25, further comprising dropping on the second node of packets in data flows involving the first node and other nodes that are not within the VLAN.
  - 29. The method of claim 25, further comprising, before the authorization, dropping on the second node of packets in data flows involving the first node.
  - 30. The method of claim 25, further comprising, after the authorization, forwarding on the second node of packets in data flows involving the first node and other nodes that are within the VLAN.
  - 31. The method of claim 25, wherein the first user identification information is transmitted front the first node to the authentication agent as part of a MAC-based authentication flow between an authentication client on the first node and the authentication agent.
  - 32. The method of claim 25, wherein the authorization comprises authorizing an interface to the LAN link to allow packets in data flows.
  - 33. The method of claim 25, wherein the packets that are transmitted pursuant to the authorization bypass the authentication agent.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Alcatel-Lucent SA (Nokia Corporation), Alcatel SA (Nokia Corporation)
Original Assignee
Alcatel SA (Nokia Corporation)
Inventors
Pikover, Yuri, See, Michael E., Panza, Charles L., Bailey, John W., Stone, Geoffrey C.
Primary Examiner(s)
Wu, Kim
Assistant Examiner(s)
Wu, Allen S.

Application Number

US09/886,930
Publication Number

US 20020040441A1
Time in Patent Office

1,377 Days
Field of Search

713/200, 713/201, 713/151, 713/155, 713/168, 713/202
US Class Current

726/13
CPC Class Codes

G06F 21/31   User authentication

G06F 21/445   by mutual authentication, e...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

Deterministic user authentication service for communication network

First Claim

11 Assignments

Litigations

0 Petitions

Reexamination

Accused Products

Abstract

120 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Deterministic user authentication service for communication network

First Claim

11 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Reexamination

Accused Products

Subscription Required

Abstract

120 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links