Command authorization via RADIUS
First Claim
1. A method for authorizing a command from a user received at a network device separate and distinct from an Authentication, Authorization, and Accounting (AAA) server, the method including:
- establishing an access control protocol session with the user;
receiving a user profile for the user at the network device from a AAA server, the user profile containing information regarding which commands the user is authorized to execute, the information including a command set described by regular expressions;
storing the user profile in a memory accessible by the network device;
receiving the command from the user;
comparing the command to said command set contained in said user profile; and
authorizing the command if the command is contained in said command set.
2 Assignments
0 Petitions
Accused Products
Abstract
Command authorization may be accomplished using the RADIUS protocol by providing a user profile on the server for each user. This user profile may be transferred to a network device, such as a NAS, when the user initiates a NAS session. It may be stored in a local cache and accessed each time the user attempts to execute a command. The user profile may contain a command set defined by regular expressions which can then be used to determine whether or not the command should be authorized. The command may then be authorized or rejected based on the results of this determination. After the session is completed, the user profile may be purged from the cache. The present invention allows for a dramatic savings in the traffic associated with command authorization and allows command authorization to be accomplished using the RADIUS protocol, which increases flexibility and NAS security.
57 Citations
18 Claims
-
1. A method for authorizing a command from a user received at a network device separate and distinct from an Authentication, Authorization, and Accounting (AAA) server, the method including:
-
establishing an access control protocol session with the user; receiving a user profile for the user at the network device from a AAA server, the user profile containing information regarding which commands the user is authorized to execute, the information including a command set described by regular expressions; storing the user profile in a memory accessible by the network device; receiving the command from the user; comparing the command to said command set contained in said user profile; and authorizing the command if the command is contained in said command set. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. An apparatus for authorizing a command from a user received at a network device separate and distinct from an Authentication, Authorization, and Accounting (AAA) server, the apparatus including:
-
a RADIUS session initiator; a user profile receiver coupled to said RADIUS session initiator and coupled to a AAA server; a memory containing a user profile having a command set; a user profile storer coupled to said user profile receiver and said memory; a command receiver; a command set comparer coupled to said memory and to said command receiver; and a command authorizer coupled to said command set comparer. - View Dependent Claims (8, 9, 10, 11)
-
-
12. An apparatus for authorizing a command from a user received at a network device separate and distinct from an Authentication, Authorization, and Accounting (AAA) server, the method including:
-
means for establishing an access control protocol session with the user; means for receiving a user profile for the user at the network device from a AAA server, the user profile containing information regarding which commands the user is authorized to execute, the information including a command set described by regular expressions; means for storing the user profile in a memory accessible by the network device; means for receiving the command from the user; means for comparing the command to said command set contained in said user profile; and means for authorizing the command if the command is contained in said command set. - View Dependent Claims (13, 14, 15, 16, 17)
-
-
18. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform a method for authorizing a command from a user received at a network device separate and distinct from an Authentication, Authorization, and Accounting (AAA) server, the method including:
-
establishing an access control protocol session with the user; receiving a user profile for the user at the network device from a AAA server, the user profile containing information regarding which commands the user is authorized to execute, the information including a command set described by regular expressions; storing the user profile in a memory accessible by the network device; receiving the command from the user; comparing the command to said command set contained in said user profile; and authorizing the command if the command is contained in said command set.
-
Specification