System and method of controlling access by a wireless client to a network that utilizes a challenge/handshake authentication protocol

US 7,082,535 B1
Filed: 04/17/2002
Issued: 07/25/2006
Est. Priority Date: 04/17/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method of controlling access by a Light Extensible Authentication Protocol (LEAP)-compatible wireless client to a network that utilizes a Challenge Handshake Authentication Protocol (CHAP)-compatible protocol, comprising the steps of:

accessing a proxy service on the network in response to receiving access information from the client;

processing the access information with the proxy service into CHAP-compatible access information; and

forwarding the CHAP-compatible access information to a CHAP-based access control server disposed on the network that determines whether to grant network access to the client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Architecture for controlling access by a Light Extensible Authentication Protocol (LEAP)-compatible wireless client to a network that utilizes a challenge/handshake authentication protocol (CHAP). A proxy service is hosted on a network server disposed on the network, and accessed in response to receiving access information from the client. The access information is processed with the proxy service into CHAP-compatible access information, and forwarded to a CHAP-based access control server disposed on the network to determine whether to grant network access to the client.

98 Citations

View as Search Results

42 Claims

1. A method of controlling access by a Light Extensible Authentication Protocol (LEAP)-compatible wireless client to a network that utilizes a Challenge Handshake Authentication Protocol (CHAP)-compatible protocol, comprising the steps of:
- accessing a proxy service on the network in response to receiving access information from the client;
  
  processing the access information with the proxy service into CHAP-compatible access information; and
  
  forwarding the CHAP-compatible access information to a CHAP-based access control server disposed on the network that determines whether to grant network access to the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The method of claim 1, wherein the proxy service in the step of accessing is hosted on an access point that is disposed on the network such that the access information is processed into the CHAP-compatible access information on the access point, in the step of processing.
  - 3. The method of claim 2, wherein the access point forwards the CHAP-compatible access information in the step of forwarding to a Remote Authentication Dial-In User Service (RADIUS)-compatible server disposed on the network, in the form of a dial-up request.
  - 4. The method of claim 1, wherein the CHAP-based access control server in the step of forwarding is a Remote Authentication Dial-In User Service (RADIUS)-compatible server.
  - 5. The method of claim 4, wherein the RADIUS-compatible server accesses a database to determine whether the client is granted access to the network, which RADIUS-compatible server sends an Extensible Authentication Protocol (EAP)-compatible failure message to the client when access to the network is denied and sends an EAP-compatible success message to the client when access to the network is granted.
  - 6. The method of claim 5, wherein the EAP-compatible success message includes a key attribute that is decrypted to provide a hashed password.
  - 7. The method of claim 1, wherein the challenge handshake authentication protocol is a MICROSOFT CHAP (MS-CHAP)-based protocol.
  - 8. The method of claim 1, further comprising the step of sending a LEAP-compatible challenge message from the client to the network in response to the grant of network access to the client in the step of forwarding.
  - 9. The method of claim 8, wherein an access point receives the LEAP-compatible challenge message and processes the LEAP-compatible challenge message into the CHAP-compatible access information in the step of processing utilizing the proxy service.
  - 10. The method of claim 1, wherein the proxy service in the step of accessing is LEAP-compatible, and the access information is LEAP-compatible access information.
  - 11. The method of claim 1, wherein the proxy service in the step of accessing responds to receiving the access information from the client by transmitting a LEAP-compatible Challenge message to the client.
  - 12. The method of claim 1, wherein the proxy service in the step of accessing transmits a LEAP-compatible Challenge of an access point and a LEAP-compatible challenge Response of the client to the access control server in the form of CHAP-compatible messages.
  - 13. The method of claim 1, wherein the proxy service in the step of accessing responds to receiving the access information from the client by transmitting a LEAP-compatible Challenge message to the client.
  - 14. The method of claim 1, wherein if the client is granted network access, the client authenticates the network by sending a LEAP-compatible Challenge message to the proxy service.
  - 15. The method of claim 1, wherein the proxy service in the step of accessing is hosted on a Remote Authentication Dial-In User Service (RADIUS)-compatible server disposed on the network, which proxy RADIUS-compatible server receives the access information via an access point disposed on the network and processes the access information into the CHAP-compatible access information in the step of processing.
  - 16. The method of claim 15, wherein access information is an Extensible Authentication Protocol (EAP)-compatible identity response in an EAP-compatible attribute received from the client, in response to which the proxy RADIUS-compatible server utilizes the proxy service to create a LEAP-compatible challenge in an EAP-compatible attribute for transmission to the client via the access point.
  - 17. The method of claim 15, wherein the proxy RADIUS-compatible server is a LEAP-compatible server that forwards the CHAP-compatible access information in the step of forwarding to the CHAP-based access control server that is a second RADIUS-compatible server.
  - 18. The method of claim 17, wherein the CHAP-compatible access information is a MICROSOFT CHAP (MS-CHAP)-compatible request in the form of a dial-up message.
  - 19. The method of claim 18, wherein the MS-CHAP-compatible request includes a MS-CHAP-compatible challenge and a MS-CHAP-compatible response attributes.
  - 20. The method of claim 17, wherein the second RADIUS-compatible server determines whether to grant the network access to the client, which second RADIUS-compatible server sends an Extensible Authentication Protocol (EAP)-compatible failure attribute in a RADIUS-compatible deny message to the access point when the network access is denied to the client and sends an EAP-compatible success attribute in a RADIUS-compatible challenge message to the access point when the network access is granted to the client.
  - 21. The method of claim 20, wherein the client transmits a LEAP-compatible challenge to the access point in response to receiving the EAP-compatible success attribute in the RADIUS-compatible challenge message from the access point.
  - 22. The method of claim 21, wherein the RADIUS-compatible server utilizes the proxy service to format a LEAP-compatible response as an EAP-compatible attribute after receiving the LEAP-compatible challenge, and sends a key to the access point.
  - 23. The method of claim 22, wherein the key is contained within a session key attribute of a RADIUS-compatible accept message that is sent to the access point.
  - 24. The method of claim 15, wherein the proxy RADIUS-compatible server forwards a LEAP-compatible challenge message and a LEAP-compatible challenge response message to a second RADIUS-compatible server as a dial-up message with a vendor attribute CHAP-compatible challenge and CHAP-compatible challenge response.

25. A method of controlling access by a Light Extensible Authentication Protocol (LEAP)-compatible wireless client to a network that utilizes a Challenge Handshake Authentication Protocol (CHAP)-compatible protocol, comprising the steps of:
- accessing a proxy service hosted on an access point that is disposed on the network, which proxy service is accessed in response to receiving access information from the client;
  
  processing the access information with the proxy service into CHAP-compatible access information; and
  
  forwarding the CHAP-compatible access information to a CHAP-based Remote Authentication Dial-In User Service (RADIUS)-compatible access control server disposed on the network, which access control server accesses a database to determine whether to grant network access to the client.
- View Dependent Claims (26, 27, 28)
- - 26. The method of claim 25, wherein the proxy service in the step of accessing is LEAP-compatible, and the access information is LEAP-compatible access information.
  - 27. The method of claim 25, wherein the proxy service in the step of accessing retrieves a CHAP-compatible key attribute from an accept message transmitted to the access point by the access control server when the client is granted network access.
  - 28. The method of claim 27, wherein a key is decrypted to provide a hashed password that is used to establish network access in a mutual authentication regime.

29. A method of controlling access by a Light Extensible Authentication Protocol (LEAP)-compatible wireless client to a network that utilizes a Challenge Handshake Authentication Protocol (CHAP)-compatible protocol, comprising the steps of:
- accessing a proxy service hosted on a proxy Remote Authentication Dial-In User Service (RADIUS)-compatible server that is disposed on the network, which proxy RADIUS-compatible server is accessed in response to receiving access information from the client;
  
  processing the access information with the proxy service into CHAP-compatible access information; and
  
  forwarding the CHAP-compatible access information to a second CHAP-based RADIUS-compatible access control server disposed on the network, which access control server accesses a database to determine whether to grant network access to the client.
- View Dependent Claims (30, 31, 32, 33)
- - 30. The method of claim 29, wherein the proxy service in the step of accessing is LEAP-compatible, and the access information is LEAP-compatible access information.
  - 31. The method of claim 29, wherein the proxy service in the step of accessing transmits a LEAP-compatible challenge to the client via an access point on the network, and in response to which the client transmits a LEAP-compatible response.
  - 32. The method of claim 29, wherein the proxy RADIUS-compatible server transmits both a LEAP-compatible challenge message and a LEAP-compatible response from the client to the second RADIUS-compatible server as a dial-up request with a vendor attribute CHAP-compatible challenge and CHAP-compatible response.
  - 33. The method of claim 29, wherein if network access is granted, a key is decrypted to provide a hashed password that is used to establish network access in a mutual authentication regime.

34. A network access control system for a Light Extensible Authentication Protocol (LEAP)-compatible wireless client that utilizes a Challenge Handshake Authentication Protocol (CHAP)-compatible protocol, comprising:
- a proxy service hosted on an access point that is disposed on the network, which proxy service is accessed in response to receiving access information from the client, the access information processed with the proxy service into CHAP-compatible access information; and
  
  a CHAP-based Remote Authentication Dial-In User Service (RADIUS)-compatible access control server disposed on the network to which the CHAP-compatible access information is forwarded, which RADIUS-compatible access control server accesses a database to determine whether to grant network access to the client.
- View Dependent Claims (35, 36, 37)
- - 35. The system of claim 34, wherein the proxy service is LEAP-compatible, and the access information is LEAP-compatible access information.
  - 36. The system of claim 34, wherein the proxy service retrieves a CHAP-compatible key attribute from an accept message transmitted to the access point by the access control server when the client is granted network access.
  - 37. The system of claim 34, wherein a key is decrypted to provide a hashed password that is used to establish network access in a mutual authentication regime.

38. A network access control system for a Light Extensible Authentication Protocol (LEAP)-compatible wireless client that utilizes a Challenge Handshake Authentication Protocol (CHAP) compatible protocol, comprising:
- a proxy service hosted on a proxy Remote Authentication Dial-In User Service (RADIUS)-compatible server that is disposed on the network, which proxy RADIUS-compatible server is accessed in response to receiving access information from the client, the access information processed with the proxy service into CHAP-compatible access information; and
  
  a second CHAP-based RADIUS-compatible access control server disposed on the network to which the CHAP-compatible access information is forwarded, which RADIUS-compatible access control server accesses a database to determine whether to grant network access to the client.
- View Dependent Claims (39, 40, 41, 42)
- - 39. The system of claim 38, wherein the proxy service is LEAP-compatible, and the access information is LEAP-compatible access information.
  - 40. The system of claim 38, wherein the proxy service transmits a LEAP-compatible challenge to the client via an access point on the network, and in response to which the client transmits a LEAP-compatible response.
  - 41. The system of claim 38, wherein the proxy RADIUS-compatible server transmits both a LEAP-compatible challenge message and a LEAP-compatible response from the client to the second RADIUS-compatible server as a dial-up request with a vendor attribute CHAP-compatible challenge and CHAP-compatible response.
  - 42. The system of claim 38, wherein if network access is granted, a key is decrypted to provide a hashed password that is used to establish network access in a mutual authentication regime.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Halasz, David E., Norman, Stuart
Primary Examiner(s)
NGUYEN BA, HOANG VU A

Application Number

US10/124,285
Time in Patent Office

1,560 Days
Field of Search

709/200, 709223-225, 709/229, 709/230, 709/237, 709/210, 709217-219, 709202-203, 709/239, 713/155, 713/161, 713/164, 713/166, 713168-171, 713200-202, 713/163, 713/182
US Class Current

713/163
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/162   at the data link layer

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 48/02   Access restriction performe...

H04W 84/12   WLAN [Wireless Local Area N...

System and method of controlling access by a wireless client to a network that utilizes a challenge/handshake authentication protocol

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

98 Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of controlling access by a wireless client to a network that utilizes a challenge/handshake authentication protocol

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

98 Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links