Method and apparatus providing distributed authorization management of communication sessions

US 7,028,073 B1
Filed: 01/16/2002
Issued: 04/11/2006
Est. Priority Date: 01/14/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-readable medium carrying one or more sequences of instructions for authorizing a data communication session between a client and a first server, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:

receiving a request to establish the session, wherein the request is associated with a particular entity that is associated with the client;

determining whether authorization of the session can be performed locally at a second server;

if authorization of the session can be performed locally at the second server, theninforming the first server that the session may be established between the client and the first server for the particular entity;

and after informing the first server, informing a third server that is associated with the particular entity that the session has been authorized to be established for the particular entity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mechanism for authorizing a data communication session between a client and a first server is disclosed. When a request is received to establish a session with a particular entity that is associated with the client, it is determined whether authorization of the session can be performed locally at a second server. If it is determined that authorization of the session can be performed locally at the second server then, the first server is informed that the session may be established between the client and the first server for the particular entity. A third server that is associated with the particular entity is identified and once the first server is informed that the session may be established, the third server is informed that the session has been authorized to be established for the particular entity. However, if authorization of the session cannot be performed locally at the second server then, the third server is requested to authorize the session between the client and the first server. Thereafter, based on the response that is received from the third server, the first server is informed as to whether the session may be authorized.

Citations

46 Claims

1. A computer-readable medium carrying one or more sequences of instructions for authorizing a data communication session between a client and a first server, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
- receiving a request to establish the session, wherein the request is associated with a particular entity that is associated with the client;
  
  determining whether authorization of the session can be performed locally at a second server;
  
  if authorization of the session can be performed locally at the second server, theninforming the first server that the session may be established between the client and the first server for the particular entity;
  
  and after informing the first server, informing a third server that is associated with the particular entity that the session has been authorized to be established for the particular entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The computer-readable medium of claim 1 wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
    - if authorization of the session cannot be performed locally at the second server, then,requesting the third server to authorize the session between the client and the first server; and
      
      informing the first server, based on a response received from the third server, whether the session may be authorized.
  - 3. The computer-readable medium of claim 1 wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the step of determining whether authorization of the session can be performed locally at the second server by performing the steps of:
    - determining a session counter value, wherein the session counter value indicates the number of sessions that are currently active for the particular entity;
      
      determining a session threshold value, wherein the session threshold value indicates a threshold as to a number of sessions that may be currently active before sessions cannot be authorized locally by the second server; and
      
      comparing the session counter value with the session threshold value to determine whether authorization of the session can be performed locally at the second server.
  - 4. The computer-readable medium of claim 1 wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the step of determining whether authorization of the session can be performed locally at the second server by performing the step of:
    - determining whether the second server has received a prior request for the particular entity.
  - 5. The computer-readable medium of claim 1 wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the step of:
    - prior to receiving the request, maintaining data that is associated with the second server, wherein the data includes,a session counter value, wherein the session counter value indicates the number of sessions that are currently active for the particular entity; and
      
      a session threshold value, wherein the session threshold value indicates a particular number of sessions that may be currently active before sessions cannot be authorized locally by the second server.
  - 6. The computer-readable medium of claim 5 wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the step of maintaining data that is associated with the second server by performing the step of:
    - maintaining a server identifier, wherein the server identifier identifies a particular server that is assigned to the particular entity.
  - 7. The computer-readable medium of claim 1 wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the step of receiving the request to establish the session by performing the step of:
    - receiving a connection request, wherein the connection request requests authorization to establish a Point-to-Point Protocol connection between the client and the first server.
  - 8. The computer-readable medium of claim 1 wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the step of:
    - identifying the third server by retrieving global data, wherein the global data maps a particular server to each of one or more entities.
  - 9. The computer-readable medium of claim 1 wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the step of:
    - identifying the third server by retrieving a server identifier, wherein the server identifier identifies a particular server that is assigned to the particular entity.
  - 10. The computer-readable medium of claim 1 wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the step of informing the third server by performing the steps of:
    - determining, at the third server, whether other servers have previously authorized sessions for the particular entity; and
      
      if other servers have previously authorized sessions for the particular entity, theninforming the other servers that the session has been authorized for the particular entity.
  - 11. The computer-readable medium of claim 10 wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
    - prior to informing the other servers,maintaining session counter values at each of the other servers, wherein the session counter values indicate the number of sessions that are currently active for the particular entity; and
      
      after being informed that the session has been authorized for the particular entity,updating the session counter values at each of the other servers to reflect that the session has been authorized for the particular entity.
  - 12. The computer-readable medium of claim 1, wherein the request to establish a session is encrypted to maintain a secure communication, and wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of receiving the request based on the encrypted request.
  - 13. The computer-readable medium of claim 1, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the step of informing the first server by informing with an encrypted communication.
  - 14. The computer-readable medium of claim 1, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the step of informing the third server by informing with an encrypted communication.
  - 15. The computer-readable medium of claim 1, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the step of:
    - receiving at the second server a connection termination message indicating that a session that was authorized locally at the second server has terminated.
  - 16. The computer-readable medium of claim 15, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
    - identifying an authoritative server assigned to the particular entity; and
      
      if the second server is identified as the authoritative server for the particular entity, thenupdating global session information of the second server to reflect termination of the terminated session.

17. A computer-readable medium carrying one or more sequences of instructions for broadcasting session information to one or more servers, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
- receiving a message from a first server, wherein the message indicates that a session has been authorized for a particular entity;
  
  determining whether one or more other servers have previously authorized sessions for the particular entity; and
  
  if one or more other servers have previously authorized sessions for the particular entity, theninforming the one or more other servers that another session has been authorized for the particular entity.
- View Dependent Claims (18)
- - 18. The computer-readable medium of claim 17 wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the step of:
    - prior to receiving the message from the first server,maintaining data that is associated with a second server, wherein the data includesa session counter value, wherein the session counter value indicates the number of sessions that are currently active for the particular entity; and
      
      a server list, wherein the server list identifies the one or more other servers that have previously authorized sessions for the particular entity.

19. A computer-readable medium carrying one or more sequences of instructions for authorizing a data communication session between a client and a server in a network, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
- receiving a connection request at a distributed session counter for authorization to establish a session between the client and the server, wherein the connection request is associated with a particular entity;
  
  determining whether authorization of the session can be performed locally at the distributed session counter;
  
  if authorization of the session can be performed locally at the distributed session counter, thensending an authorization granted message to the server to indicate that the session may be established between the client and the server for the particular entity;
  
  identifying an authoritative distributed session counter that is associated with the particular entity; and
  
  after sending the authorization granted message to the server, sending an authorization update message to the authoritative distributed session counter, wherein the authorization update message notifies the authoritative distribution counter that the session has been authorized to be established for the particular entity.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 20. The computer-readable medium of claim 19 wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
    - if authorization of the session cannot be performed locally at the distributed session counter, thensending an authorization request message to the authoritative distributed session to request authorization to authorize the session between the client and the server; and
      
      sending a response to the server based on a response message that is received from the authoritative distributed session, wherein the response message indicates whether the session should be authorized.
  - 21. The computer-readable medium of claim 19, wherein global session threshold values are assigned to indicate thresholds as to a number of sessions that may be concurrently active for each of a plurality of entities, and wherein a particular user is associated with two or more entities of the plurality of entities, and wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the step of:
    - for the particular user, determining whether authorization of the session can be performed, by,for each of the two or more entities, comparing the global threshold value with the number of active sessions for the corresponding entity; and
      
      if the number of active sessions for any of the entities is greater or equal to the corresponding global threshold value, then denying authorization of the session.
  - 22. The computer-readable medium of claim 19 wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the step of determining whether authorization of the session can be performed locally at the distributed session counter by performing the steps of:
    - determining a local session counter value, wherein the local session counter value indicates the number of sessions that are currently active for the particular entity;
      
      determining a local session threshold value, wherein the local session threshold value indicates a threshold as to a number of sessions that may be currently active before sessions cannot be authorized locally by the distributed session counter; and
      
      comparing the local session counter value with the local session threshold value to determine whether authorization of the session can be performed locally at the distributed session counter.
  - 23. The computer-readable medium of claim 19, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the step of:
    - maintaining distributed session information, wherein the distributed session information includes over-subscription information that identifies for the distributed session counter the number of times that the number of sessions established for a particular user or group of users was greater than the number authorized.
  - 24. The computer-readable medium of claim 19 wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the step of determining whether authorization of the session can be performed locally at the distributed session counter by performing the step of:
    - determining whether the distributed session counter has received a prior connection request for the particular entity.
  - 25. The computer-readable medium of claim 19 wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the step of:
    - prior to receiving the connection request,maintaining a connection data storage area, wherein the connection data storage area includesa local session counter value, wherein the local session counter value indicates the number of sessions that are currently active for the particular entity; and
      
      a local session threshold value, wherein the local session threshold value indicates a particular number of sessions that may be currently active before sessions cannot be authorized locally by the distributed session counter.
  - 26. The computer-readable medium of claim 25 wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the step of maintaining the connection data storage area by performing the step of:
    - maintaining an authoritative distributed session counter identifier, wherein the authoritative distributed session counter identifier identifies a particular authoritative distributed session counter that is assigned to the particular entity.
  - 27. The computer-readable medium of claim 19 wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the step of identifying the authoritative distributed session counter by performing the step of:
    - interfacing with a global storage area, wherein the global storage area maps a particular authoritative distributed session counter to each entity.
  - 28. The computer-readable medium of claim 19 wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the step of identifying the authoritative distributed session counter by performing the step of:
    - retrieving an authoritative distributed session counter identifier, wherein the authoritative distributed session counter identifier identifies the authoritative distributed session counter that is assigned to the particular entity.
  - 29. The computer-readable medium of claim 19 wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the step of sending the authorization update message to the authoritative distributed session counter by performing the steps of:
    - determining, by the authoritative distributed session counter, whether other distributed session counters have previously authorized sessions for the particular entity; and
      
      if other distributed session counters have previously authorized sessions for the particular entity, then broadcasting an update message to the other distributed session counters to indicate that another session has been authorized for the particular entity.
  - 30. The computer-readable medium of claim 29 wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
    - prior to the other distributed session counters receiving the update message,maintaining a local session counter value at each of the other distributed session counters, wherein the local session counter value indicates the number of sessions that are currently active for the particular entity; and
      
      after receiving the update message,updating the local session counter value at each of the other distributed session counters based on the update message.
  - 31. The computer-readable medium of claim 19, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of receiving the connection request, sending an authorization granted message, and sending an authorization update message with an encrypted communication.
  - 32. The computer-readable medium of claim 19, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the step of:
    - maintaining distributed session information, wherein the distributed session information includes connection identity information that identifies for the distributed session counter the server and associated port used to establish the session.
  - 33. The computer-readable medium of claim 19, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
    - receiving at the distributed session counter a connection termination message indicating that a session that was authorized locally at the distributed session counter has terminated;
      
      if the distributed session counter was identified as the authoritative distributed session counter for the particular entity, thenupdating global session information of the distributed session counter to reflect termination of the terminated session;
      
      identifying other distributed session counters that have sent an authorization request for the particular entity; and
      
      broadcasting a session termination message to the other distributed session counters indicating that the session has terminated.
  - 34. The computer-readable medium of claim 33, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
    - if the distributed session counter was not identified as the authoritative distributed session counter for the particular entity, thensending a session termination message to the authoritative distributed session counter indicating that the session has terminated.

35. A computer-readable medium carrying one or more sequences of instructions for broadcasting session update information to distributed session counters, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
- receiving an authorization update message from a distributed session counter, wherein the authorization update message indicates that a session has been authorized for a particular entity;
  
  determining whether other distributed session counters have previously authorized sessions for the particular entity; and
  
  if other distributed session counters have previously authorized sessions for the particular entity, then broadcasting an update message to the other distributed session counters, wherein the update message notifies the other distributed session counters that another session has been authorized for the particular entity.
- View Dependent Claims (36)
- - 36. The computer-readable medium of claim 35 wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
    - prior to receiving the authorization update message,maintaining a connection data storage area, wherein the connection data storage area includesa global session counter value, wherein the global session counter value indicates a global value of the number of sessions that are currently active for the particular entity; and
      
      a local distributed session counter list, wherein the local distributed session counter list identifies the other distributed session counters that have previously authorized sessions for the particular entity.

37. A computer apparatus comprising:
- a processor; and
  
  a memory coupled to the processor, the memory containing one or more sequences of instructions for authorizing a data communication session between a client and a server in a network, wherein execution of the one or more sequences of instructions by the processor causes the processor to perform the steps of;
  
  receiving a connection request at a distributed session counter for authorization to establish a session between the client and the server, wherein the connection request is associated with a particular entity;
  
  determining whether authorization of the session can be performed locally at the distributed session counter;
  
  if authorization of the session can be performed locally at the distributed session counter, thensending an authorization granted message to the server to indicate that the session may be established between the client and the server for the particular entity;
  
  identifying an authoritative distributed session counter that is associated with the particular entity; and
  
  after sending the authorization granted message to the server, sending an authorization update message to the authoritative distributed session counter, wherein the authorization update message notifies the authoritative distribution counter that the session has been authorized to be established for the particular entity.
- View Dependent Claims (38, 39, 40, 41)
- - 38. The computer apparatus of claim 37, wherein execution of the one or more sequences of instructions by the processor causes the processor to perform the steps of:
    - if authorization of the session cannot be performed locally at the distributed session counter, thensending an authorization request message to the authoritative distributed session to request authorization to authorize the session between the client and the server; and
      
      sending a response to the server based on a response message that is received from the authoritative distributed session, wherein the response message indicates whether the session should be authorized.
  - 39. The computer apparatus of claim 37, wherein execution of the one or more sequences of instructions by the processor causes the processor to perform the steps of determining whether authorization of the session can be performed locally at the distributed session counter by performing the steps of:
    - determining a local session counter value, wherein the local session counter value indicates the number of sessions that are currently active for the particular entity;
      
      determining a local session threshold value, wherein the local session threshold value indicates a threshold as to a number of sessions that may be currently active before sessions cannot be authorized locally by the distributed session counter; and
      
      comparing the local session counter value with the local session threshold value to determine whether authorization of the session can be performed locally at the distributed session counter.
  - 40. The computer apparatus of claim 37, wherein execution of the one or more sequences of instructions by the processor causes the processor to perform the steps of:
    - prior to receiving the connection request,maintaining a connection data storage area, wherein the connection data storage area includesa local session counter value, wherein the local session counter value indicates the number of sessions that are currently active for the particular entity; and
      
      a local session threshold value, wherein the local session threshold value indicates a particular number of sessions that may be currently active before sessions cannot be authorized locally by the distributed session counter.
  - 41. The computer apparatus of claim 37, wherein the distributed session counter is constituent to an Authentication, Authorization, and Accounting server.

42. A computer apparatus comprising:
- a processor; and
  
  a memory coupled to the processor, the memory containing one or more sequences of instructions for broadcasting session update information to distributed session counters, wherein execution of the one or more sequences of instructions by the processor causes the processor to perform the steps of;
  
  receiving an authorization update message from a distributed session counter, wherein the authorization update message indicates that a session has been authorized for a particular entity;
  
  determining whether other distributed session counters have previously authorized sessions for the particular entity; and
  
  if other distributed session counters have previously authorized sessions for the particular entity, then broadcasting an update message to the other distributed session counters, wherein the update message notifies the other distributed session counters that another session has been authorized for the particular entity.

43. An apparatus for authorizing a data communication session between a client and a first server, the apparatus comprising:
- means for receiving a request to establish the session, wherein the request is associated with a particular entity that is associated with the client;
  
  means for determining whether authorization of the session can be performed locally at a second server;
  
  if authorization of the session can be performed locally at the second server, thenmeans for informing the first server that the session may be established between the client and the first server for the particular entity; and
  
  means for informing a third server that is associated with the particular entity that the session has been authorized to be established for the particular entity after informing the first server.

44. An apparatus for broadcasting session information to one or more servers, the apparatus comprising:
- means for receiving a message from a first server, wherein the message indicates that a session has been authorized for a particular entity;
  
  means for determining whether one or more other servers have previously authorized sessions for the particular entity; and
  
  if one or more other servers have previously authorized sessions for the particular entity, then means for informing the one or more other servers that another session has been authorized for the particular entity.

45. An apparatus for authorizing a data communication session between a client and a server in a network, the apparatus comprising:
- means for receiving a connection request at a distributed session counter for authorization to establish a session between the client and the server, wherein the connection request is associated with a particular entity;
  
  means for determining whether authorization of the session can be performed locally at the distributed session counter;
  
  if authorization of the session can be performed locally at the distributed session counter, thenmeans for sending an authorization granted message to the server to indicate that the session may be established between the client and the server for the particular entity;
  
  means for identifying an authoritative distributed session counter that is associated with the particular entity; and
  
  means for sending an authorization update message to the authoritative distributed session counter, wherein the authorization update message notifies the authoritative distribution counter that the session has been authorized to be established for the particular entity after sending the authorization granted message to the server.

46. An apparatus for broadcasting session update information to distributed session counters, the apparatus comprising:
- means for receiving an authorization update message from a distributed session counter, wherein the authorization update message indicates that a session has been authorized for a particular entity;
  
  means for determining whether other distributed session counters have previously authorized sessions for the particular entity; and
  
  if other distributed session counters have previously authorized sessions for the particular entity, thenmeans for broadcasting an update message to the other distributed session counters, wherein the update message notifies the other distributed session counters that another session has been authorized for the particular entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Patil, Kavita Shekhar, Roden, Thomas Anthony, Knight, John, Bui, Sonny, Kerstetter, Terry, Cates, David, Chen, Pauline
Primary Examiner(s)
Etienne, Ario
Assistant Examiner(s)
Halim, Sahera

Application Number

US10/051,834
Time in Patent Office

1,546 Days
Field of Search

709/203, 709/227, 709/219, 709/249, 709/217, 709/228, 709/204, 709/229, 709/225, 709/230, 709/226, 709/245, 709/206
US Class Current

709/203
CPC Class Codes

H04L 63/10   for controlling access to d...

H04L 67/14   Session management for real...

H04L 67/535   Tracking the activity of th...

H04L 69/329   in the application layer [O...

Method and apparatus providing distributed authorization management of communication sessions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus providing distributed authorization management of communication sessions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links