Biometric authentication of a client network connection

US 7,249,177 B1
Filed: 11/27/2002
Issued: 07/24/2007
Est. Priority Date: 11/27/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method of authenticating a connection for a client to a network access device wherein said client is coupled to a biometric sensor, said method comprising the steps of:

said client signaling a request to said network access device;

said network access device initiating a point-to-point LAN authentication protocol between said network access device and said client, wherein said point-to-point LAN authentication protocol is comprised of extensible authentication protocol (EAP);

said network access device requesting biometric data from said client via said LAN authentication protocol;

said client capturing biometric data of an attendant user of said client;

said client transmitting said captured biometric data to said network access device via said LAN authentication protocol;

said network access device encapsulating said biometric data in said LAN authentication protocol into an authentication server protocol and forwarding said encapsulated biometric data to an authentication server, wherein said authentication server protocol is comprised of remote authentication dial-in user service (RADIUS);

said authentication server comparing said biometric data to a biometric template stored in conjunction with said authentication server for making a determination whether said attendant user should be granted access to said network access device;

said authentication server sending either an access-accept message or an access-deny message in said authentication server protocol to said network access device in response to said determination; and

said network access device granting access to said client only after receiving an access-accept message.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A client is authenticated to a network resource wherein the client is coupled to a biometric sensor. The client signals a request to the network resource (e.g., by connecting to an access point). The network resource initiates a point-to-point LAN authentication protocol between the network resource and the client. The network resource requests biometric data from the client via the LAN authentication protocol (optionally either before or after authenticating with other credentials). The client captures biometric data of an attendant user of the client. The client transmits the captured biometric data to the network resource via the LAN authentication protocol. The network resource encapsulates the biometric data in the LAN authentication protocol into an authentication server protocol and forwards the encapsulated biometric data to an authentication server. The authentication server compares the biometric data to a biometric template stored in conjunction with the authentication server for making a determination whether the attendant user should be granted access to the network resource. The authentication server sends either an access-accept message or an access-deny message in the authentication server protocol to the network resource in response to the determination. The network resource grants access to the client only after receiving an access-accept message.

Citations

21 Claims

1. A method of authenticating a connection for a client to a network access device wherein said client is coupled to a biometric sensor, said method comprising the steps of:
- said client signaling a request to said network access device;
  
  said network access device initiating a point-to-point LAN authentication protocol between said network access device and said client, wherein said point-to-point LAN authentication protocol is comprised of extensible authentication protocol (EAP);
  
  said network access device requesting biometric data from said client via said LAN authentication protocol;
  
  said client capturing biometric data of an attendant user of said client;
  
  said client transmitting said captured biometric data to said network access device via said LAN authentication protocol;
  
  said network access device encapsulating said biometric data in said LAN authentication protocol into an authentication server protocol and forwarding said encapsulated biometric data to an authentication server, wherein said authentication server protocol is comprised of remote authentication dial-in user service (RADIUS);
  
  said authentication server comparing said biometric data to a biometric template stored in conjunction with said authentication server for making a determination whether said attendant user should be granted access to said network access device;
  
  said authentication server sending either an access-accept message or an access-deny message in said authentication server protocol to said network access device in response to said determination; and
  
  said network access device granting access to said client only after receiving an access-accept message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1 wherein said network access device is comprised of a port on a LAN switch.
  - 3. The method of claim 2 wherein said client and said LAN switch communicate via wireless transmissions and wherein said port is comprised of a logical port.
  - 4. The method of claim 2 wherein said client is coupled to said LAN switch via a cable and wherein said port is comprised of a physical port.
  - 5. The method of claim 1 wherein said network access device is comprised of a server application.
  - 6. The method of claim 5 wherein said point-to-point LAN authentication protocol between said client and said server application is encapsulated in HTTP.
  - 7. The method of claim 1 wherein said network access device is comprised of a firewall.
  - 8. The method of claim 7 wherein said point-to-point LAN authentication protocol between said firewall and said client is encapsulated in HTTP.
  - 9. The method of claim 1 further comprising the steps of:
    - said attendant user signifying a claimed identity; and
      
      said authentication server selecting a biometric template corresponding to said claimed identity to use in said comparison.
  - 10. The method of claim 1 wherein said biometric comparison is comprised of:
    - selecting a group of biometric templates corresponding to authorized users of said network access device;
      
      comparing said biometric data to individual templates in said group;
      
      if a match is found then ceasing further comparisons and making a determination that said attendant user should be granted access; and
      
      if no match is found after comparing to all said templates in said group then making a determination that said attendant user should not be granted access.
  - 11. The method of claim 1 wherein said biometric data is comprised of video image data.
  - 12. The method of claim 1 wherein said authentication server is comprised of a local proxy RADIUS server and a remote RADIUS authentication server, and wherein said local proxy RADIUS server collects said biometric data and forwards it to said remote RADIUS authentication server for said comparison.
  - 13. The method of claim 12 wherein said remote RADIUS authentication server forwards a biometric template to said local proxy RADIUS server for storing in a cache, and wherein said local proxy RADIUS server checks said cache for a corresponding biometric template prior to forwarding biometric data to said remote RADIUS authentication server.
  - 14. The method of claim 1 wherein said authentication further includes a non-biometric authentication credential, and said method further comprises the steps of:
    - said client collecting credential data from said attendant user;
      
      said client transmitting said credential data to said authentication server via said network access device;
      
      said authentication server comparing said credential data to user data from a user database; and
      
      generating said access-accept message only if both said biometric data and said credential data indicate that said attendant user should be granted access to said network access device.
  - 15. The method of claim 14 wherein said non-biometric authentication credential is comprised of a user ID and password.
  - 16. The method of claim 14 wherein said non-biometric authentication credential is comprised of a digital certificate.
  - 17. The method of claim 14 wherein said credential data is collected during a single sign-on during initialization of said client.

18. A network architecture for authenticating a client using biometrics, comprising:
- an authenticator located in a local area network (LAN) at an access point interfacing said client to desired network resources, said authenticator exchanging authentication messages with said client via a LAN authentication protocol, wherein an EAP protocol is used to transmit authentication messages between said client and said authenticator, said authentication messages including biometric data of an attendant user of said client, wherein network communication between said authenticator and said client is limited to said authentication messages until said authenticator receives an access-accept message;
  
  an authentication server located remotely from said LAN for processing authentication messages;
  
  a local proxy server located in said LAN for relaying authentication messages between said authenticator and said authentication server;
  
  a biometric verification server coupled to said authentication server for comparing said biometric data with biometric templates in a biometric template database of authorized users to determine whether said attendant user should be granted access to said desired network resources;
  
  wherein said authentication server sends said access-accept message to said authenticator if said biometric verification server determines that said attendant user should be granted access; and
  
  wherein a RADIUS protocol is used to relay authentication messages between said authenticator, said local proxy server, and said authentication server.
- View Dependent Claims (19, 20, 21)
- - 19. The network architecture of claim 18 further comprising:
    - a certificate server coupled to said authentication server for comparing a digital certificate provided by said client via said authentication messages with a certificate database of authorized users to determine whether said attendant user should be granted access to said desired network resources;
      
      wherein said authentication server sends said access-accept message to said authenticator only if both said biometric verification server and said certificate server determine that said attendant user should be granted access.
  - 20. The network architecture of claim 18 further comprising:
    - a password server coupled to said authentication server for comparing a username and password provided by said client via said authentication messages with a password database of authorized users to determine whether said attendant user should be granted access to said desired network resources;
      
      wherein said authentication server sends said access-accept message to said authenticator only if both said biometric verification server and said password server determine that said attendant user should be granted access.
  - 21. The network architecture of claim 19 further comprising:
    - a password server coupled to said authentication server for comparing a username and password provided by said client via said authentication messages with a password database of authorized users to determine whether said attendant user should be granted access to said desired network resources;
      
      wherein said authentication server sends said access-accept message to said authenticator only if all three of said biometric verification server, said certificate server, and said password server determine that said attendant user should be granted access.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sprint Communications Company LP (Deutsche Telekom AG)
Original Assignee
Sprint Communications Company LP (Deutsche Telekom AG)
Inventors
Miller, Eric E.
Primary Examiner(s)
WON, MICHAEL YOUNG

Application Number

US10/306,582
Time in Patent Office

1,700 Days
Field of Search

709/217, 709/225, 709/229, 713/186, 725/3, 725/12, 725/21, 725/28
US Class Current

709/225
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 2221/2115   Third party

H04L 63/0861   using biometrical features,...

Biometric authentication of a client network connection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Biometric authentication of a client network connection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links