Command authorization via RADIUS

US 7,047,563 B1
Filed: 12/07/2000
Issued: 05/16/2006
Est. Priority Date: 12/07/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method for authorizing a command from a user received at a network device separate and distinct from an Authentication, Authorization, and Accounting (AAA) server, the method including:

establishing an access control protocol session with the user;

receiving a user profile for the user at the network device from a AAA server, the user profile containing information regarding which commands the user is authorized to execute, the information including a command set described by regular expressions;

storing the user profile in a memory accessible by the network device;

receiving the command from the user;

comparing the command to said command set contained in said user profile; and

authorizing the command if the command is contained in said command set.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Command authorization may be accomplished using the RADIUS protocol by providing a user profile on the server for each user. This user profile may be transferred to a network device, such as a NAS, when the user initiates a NAS session. It may be stored in a local cache and accessed each time the user attempts to execute a command. The user profile may contain a command set defined by regular expressions which can then be used to determine whether or not the command should be authorized. The command may then be authorized or rejected based on the results of this determination. After the session is completed, the user profile may be purged from the cache. The present invention allows for a dramatic savings in the traffic associated with command authorization and allows command authorization to be accomplished using the RADIUS protocol, which increases flexibility and NAS security.

57 Citations

View as Search Results

18 Claims

1. A method for authorizing a command from a user received at a network device separate and distinct from an Authentication, Authorization, and Accounting (AAA) server, the method including:
- establishing an access control protocol session with the user;
  
  receiving a user profile for the user at the network device from a AAA server, the user profile containing information regarding which commands the user is authorized to execute, the information including a command set described by regular expressions;
  
  storing the user profile in a memory accessible by the network device;
  
  receiving the command from the user;
  
  comparing the command to said command set contained in said user profile; and
  
  authorizing the command if the command is contained in said command set.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the network device is a Network Access Server (NAS).
  - 3. The method of claim 1, further including purging said user profile from said memory when said access control protocol session is terminated.
  - 4. The method of claim 1, wherein said access control protocol session is a RADIUS session.
  - 5. The method of claim 1, wherein said command set is a list of previously authorized commands.
  - 6. The method of claim 1, wherein said command set is described by regular expressions.

7. An apparatus for authorizing a command from a user received at a network device separate and distinct from an Authentication, Authorization, and Accounting (AAA) server, the apparatus including:
- a RADIUS session initiator;
  
  a user profile receiver coupled to said RADIUS session initiator and coupled to a AAA server;
  
  a memory containing a user profile having a command set;
  
  a user profile storer coupled to said user profile receiver and said memory;
  
  a command receiver;
  
  a command set comparer coupled to said memory and to said command receiver; and
  
  a command authorizer coupled to said command set comparer.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The apparatus of claim 7, wherein the network device is a Network Access Server (NAS).
  - 9. The apparatus of claim 7, further including a user profile purger coupled to said memory.
  - 10. The apparatus of claim 7, wherein said command set is a list of previously authorized commands.
  - 11. The apparatus of claim 7, wherein said command set is described by regular expressions.

12. An apparatus for authorizing a command from a user received at a network device separate and distinct from an Authentication, Authorization, and Accounting (AAA) server, the method including:
- means for establishing an access control protocol session with the user;
  
  means for receiving a user profile for the user at the network device from a AAA server, the user profile containing information regarding which commands the user is authorized to execute, the information including a command set described by regular expressions;
  
  means for storing the user profile in a memory accessible by the network device;
  
  means for receiving the command from the user;
  
  means for comparing the command to said command set contained in said user profile; and
  
  means for authorizing the command if the command is contained in said command set.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The apparatus of claim 12, wherein the network device is a Network Access Server (NAS).
  - 14. The apparatus of claim 12, further including means for purging said user profile from said memory when said access control protocol session is terminated.
  - 15. The apparatus of claim 12, wherein said access control protocol session is a RADIUS session.
  - 16. The apparatus of claim 12, wherein said command set is a list of authorized commands.
  - 17. The apparatus of claim 12, wherein said command set is described by regular expressions.

18. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform a method for authorizing a command from a user received at a network device separate and distinct from an Authentication, Authorization, and Accounting (AAA) server, the method including:
- establishing an access control protocol session with the user;
  
  receiving a user profile for the user at the network device from a AAA server, the user profile containing information regarding which commands the user is authorized to execute, the information including a command set described by regular expressions;
  
  storing the user profile in a memory accessible by the network device;
  
  receiving the command from the user;
  
  comparing the command to said command set contained in said user profile; and
  
  authorizing the command if the command is contained in said command set.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Weber, Gregory, Grant, Laurence
Primary Examiner(s)
Sheikh, Ayza
Assistant Examiner(s)
Sherkat, Arezoo

Application Number

US09/733,617
Time in Patent Office

1,986 Days
Field of Search

713/201, 713/200, 709/225, 709/227, 709/229, 704/228, 370/230, 455/418, 716/17, 726/12
US Class Current

726/17
CPC Class Codes

H04L 63/0892 by using authentication-aut...

H04L 63/102 Entity profiles

Command authorization via RADIUS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

57 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Command authorization via RADIUS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links