System and method for optimizing authentication in a network environment

US 7,269,727 B1
Filed: 08/11/2003
Issued: 09/11/2007
Est. Priority Date: 08/11/2003
Status: Active Grant

First Claim

Patent Images

1. An apparatus for executing authentication in a network environment, comprising:

a packet gateway operable to retrieve a group profile from an authentication, authorization, and accounting (AAA) server in response to receiving a request from a first end user and to locally cache the group profile, wherein the packet gateway determines if the first end user is authenticated and if the first end user is unauthenticated, then the packet gateway searches a local cache for the group profile associated with network digits of the first end user'"'"'s mobile station identifier (MSID), whereby if the group profile is not in the local cache or has expired, then the packet gateway purges the expired group profile and requests the group profile from the AAA server, caches the group profile, and marks an expiry time that is provided within the group profile, once the group profile is in the cache, subsequent users that belong to a same group can be authorized with a realm and with authorization attributes and without involving the AAA server, the packet gateway being operable to provide a service to the first end user based on information included within the group profile and associated with the first end user, wherein the packet gateway is further operable to receive a request from a second end user and to determine if the second end user is included within the group profile such that in cases where the second end user is included in the group profile the packet gateway can locally cache the group profile in order to provide a service to the second end user without having to communicate with the AAA server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for executing authentication in a network environment is provided that includes retrieving a group profile from an authentication, authorization, and accounting (AAA) server in response to receiving a request from a first end user and locally caching the group profile. A service may be provided to the first end user based on information included within the group profile and associated with the first end user. A request may be received from a second end user. It is then determined if the second end user is included within the group profile such that in cases where the second end user is included in the group profile the group profile can be locally cached in order to provide a service to the second end user without having to communicate with the AAA server.

112 Citations

View as Search Results

22 Claims

1. An apparatus for executing authentication in a network environment, comprising:
- a packet gateway operable to retrieve a group profile from an authentication, authorization, and accounting (AAA) server in response to receiving a request from a first end user and to locally cache the group profile, wherein the packet gateway determines if the first end user is authenticated and if the first end user is unauthenticated, then the packet gateway searches a local cache for the group profile associated with network digits of the first end user'"'"'s mobile station identifier (MSID), whereby if the group profile is not in the local cache or has expired, then the packet gateway purges the expired group profile and requests the group profile from the AAA server, caches the group profile, and marks an expiry time that is provided within the group profile, once the group profile is in the cache, subsequent users that belong to a same group can be authorized with a realm and with authorization attributes and without involving the AAA server, the packet gateway being operable to provide a service to the first end user based on information included within the group profile and associated with the first end user, wherein the packet gateway is further operable to receive a request from a second end user and to determine if the second end user is included within the group profile such that in cases where the second end user is included in the group profile the packet gateway can locally cache the group profile in order to provide a service to the second end user without having to communicate with the AAA server.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1, wherein the group profile includes a plurality of end users that share a common prefix associated with their mobile station identifiers (MSIDs).
  - 3. The apparatus of claim 1, wherein if the second end user is not in the group profile associated with the first end user, then the packet gateway may initiate a request to the AAA server in order to attempt to identify a profile associated with the second end user.
  - 4. The apparatus of claim 1, wherein if the group profile associated with first end user has expired, the packet gateway may initiate a request to the AAA server for a valid profile that corresponds to the first end user.
  - 5. The apparatus of claim 1, wherein each group profile includes an expiration time such that if the group profile is identified as having expired, it may be expunged.
  - 6. The apparatus of claim 1, further comprising:
    - a centralized server operable to store a plurality of group profiles and to return requested group profiles to the packet gateway so that they can be locally cached.
  - 7. The apparatus of claim 1, wherein the packet gateway includes a table operable to store one or more group profiles that may be locally cached.

8. A method for executing authentication in a network environment, comprising:
- retrieving a group profile from an authentication, authorization, and accounting (AAA) server in response to receiving a request from a first end user;
  
  locally caching the group profile;
  
  providing a service to the first end user based on information included within the group profile and associated with the first end user, wherein the packet gateway determines if the first end user is authenticated and if the first end user is unauthenticated, then the packet gateway searches a local cache for the group profile associated with network digits of the first end user'"'"'s mobile station identifier (MSID), whereby if the group profile is not in the local cache or has expired, then the packet gateway purges the expired group profile or requests the group profile from the AAA server, caches the group profile, and marks an expiry time that is provided within the group profile, once the group profile is in the cache, subsequent users that belong to a same group can be authorized with a realm and with authorization attributes and without involving the AAA server;
  
  receiving a request from a second end user; and
  
  determining if the second end user is included within the group profile such that in cases where the second end user is included in the group profile the group profile can be locally cached in order to provide a service to the second end user without having to communicate with the AAA server.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The method of claim 8, wherein the group profile includes a plurality of end users that share a common prefix associated with their mobile station identifiers (MSIDs).
  - 10. The method of claim 8, wherein if the second end user is not in the group profile associated with the first end user, then a request is communicated to the AAA server in order to attempt to identify a profile associated with the second end user.
  - 11. The method of claim 8, wherein if the group profile associated with first end user has expired, a request may be communicated to the AAA server for a valid profile that corresponds to the first end user.
  - 12. The method of claim 8, further comprising:
    - storing a plurality of group profiles; and
      
      returning requested group profiles such that they can be locally cached.

13. A system for executing authentication in a network environment, comprising:
- means for retrieving a group profile from an authentication, authorization, and accounting (AAA) server in response to receiving a request from a first end user;
  
  means for locally caching the group profile;
  
  means for providing a service to the first end user based on information included within the group profile and associated with the first end user, wherein the packet gateway determines if the first end user is authenticated and if the first end user is unauthenticated, then the packet gateway searches a local cache for the group profile associated with network digits of the first end user'"'"'s mobile station identifier (MSID), whereby if the group profile is not in the local cache or has expired, then the packet gateway purges the expired group profile or requests the group profile from the AAA server, caches the group profile, and marks an expiry time that is provided within the group profile, once the group profile is in the cache, subsequent users that belong to a same group can be authorized with a realm and with authorization attributes and without involving the AAA server;
  
  means for receiving a request from a second end user; and
  
  means for determining if the second end user is included within the group profile such that in cases where the second end user is included in the group profile the group profile can be locally cached in order to provide a service to the second end user without having to communicate with the AAA server.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The system of claim 13, wherein the group profile includes a plurality of end users that share a common prefix associated with their mobile station identifiers (MSIDs).
  - 15. The system of claim 13, wherein if the second end user is not in the group profile associated with the first end user, then a request is communicated to the AAA server in order to attempt to identify a profile associated with the second end user.
  - 16. The system of claim 13, wherein if the group profile associated with first end user has expired, a request may be communicated to the AAA server for a valid profile that corresponds to the first end user.
  - 17. The system of claim 13, further comprising:
    - means for storing a plurality of group profiles; and
      
      means for returning requested group profiles such that they can be locally cached.

18. Software for executing authentication in a network environment, the software being embodied in a computer readable medium and comprising computer code such that when executed is operable to:
- retrieve a group profile from an authentication, authorization, and accounting (AAA) server in response to receiving a request from a first end user;
  
  locally cache the group profile;
  
  provide a service to the first end user based on information included within the group profile and associated with the first end user, wherein the packet gateway determines if the first end user is authenticated and if the first end user is unauthenticated, then the packet gateway searches a local cache for the group profile associated with network digits of the first end user'"'"'s mobile station identifier (MSID), whereby if the group profile is not in the local cache or has expired, then the packet gateway purges the expired group profile or requests the group profile from the AAA server, caches the group profile, and marks an expiry time that is provided within the group profile, once the group profile is in the cache, subsequent users that belong to a same group can be authorized with a realm and with authorization attributes and without involving the AAA server;
  
  receive a request from a second end user; and
  
  determine if the second end user is included within the group profile such that in cases where the second end user is included in the group profile the group profile can be locally cached in order to provide a service to the second end user without having to communicate with the AAA server.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The computer readable medium of claim 18, wherein the group profile includes a plurality of end users that share a common prefix associated with their mobile station identifiers (MSIDs).
  - 20. The computer readable medium of claim 18, wherein if the second end user is not in the group profile associated with the first end user, then a request is communicated to the AAA server in order to attempt to identify a profile associated with the second end user.
  - 21. The computer readable medium of claim 18, wherein if the group profile associated with first end user has expired, a request may be communicated to the AAA server for a valid profile that corresponds to the first end user.
  - 22. The computer readable medium of claim 18, wherein in the code is further operable to:
    - store a plurality of group profiles; and
      
      return requested group profiles such that they can be locally cached.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Mukherjee, Arghya T., Wang, Hancang, Wen, Renhua
Primary Examiner(s)
Moise; Emmanuel L.
Assistant Examiner(s)
NGUYEN, MINH DIEU T

Application Number

US10/639,053
Time in Patent Office

1,492 Days
Field of Search

713160-161, 713/168, 370/401, 370/420, 455/410, 455/411, 709/225, 707/100
US Class Current

713/160
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0892   by using authentication-aut...

H04L 63/102   Entity profiles

H04L 67/306   User profiles

System and method for optimizing authentication in a network environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

112 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for optimizing authentication in a network environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

112 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links