Enhanced trust relationship in an IEEE 802.1x network

US 7,325,246 B1
Filed: 01/07/2002
Issued: 01/29/2008
Est. Priority Date: 01/07/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A system, comprising:

an authentication server disposed on a network;

a switch coupled to the network and communicatively coupled to the authentication server via the network, the switch comprises a switch table containing a list of allowed addresses; and

an access point communicatively coupled to the switch;

wherein the switch is configured to allow packets having addresses listed in the switch table and the switch is configured to block packets having addresses that are not in the switch table;

wherein the switch is configured to be the authenticator for the access point and is configured to authenticate the access point with the authentication server and establish a secure communication session with the access point;

wherein the access point is configured to be the authenticator for a wireless client having an address, the access point communicates with the authentication server using the secure communication session established with the switch;

wherein the access point is configured to send a message to the switch via the secure communication session, the message comprising data indicating the wireless client is authenticated, responsive to successfully authenticating the wireless client with the authentication server;

wherein the switch is responsive to receiving the message from the access point indicating the wireless client is authenticated to add an address for the wireless client into the switch tablewherein the access point is configured to forward all communications received from the authenticated wireless client to the switch responsive to the wireless client successfully authenticating with the authentication server; and

wherein the switch is configured to forward all communications received from the wireless client via the access point onto the network after adding the address for the wireless client into the switch table.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Architecture for providing access to an IEEE 802.1x network. A trust relationship is created between a switch of the network and an access point of the network such that the access point is authorized to communicate over the network. The trust relationship is then extended from the access point to a wireless client requesting connection to the network such that access to the network by said wireless client is authorized.

89 Citations

View as Search Results

16 Claims

1. A system, comprising:
- an authentication server disposed on a network;
  
  a switch coupled to the network and communicatively coupled to the authentication server via the network, the switch comprises a switch table containing a list of allowed addresses; and
  
  an access point communicatively coupled to the switch;
  
  wherein the switch is configured to allow packets having addresses listed in the switch table and the switch is configured to block packets having addresses that are not in the switch table;
  
  wherein the switch is configured to be the authenticator for the access point and is configured to authenticate the access point with the authentication server and establish a secure communication session with the access point;
  
  wherein the access point is configured to be the authenticator for a wireless client having an address, the access point communicates with the authentication server using the secure communication session established with the switch;
  
  wherein the access point is configured to send a message to the switch via the secure communication session, the message comprising data indicating the wireless client is authenticated, responsive to successfully authenticating the wireless client with the authentication server;
  
  wherein the switch is responsive to receiving the message from the access point indicating the wireless client is authenticated to add an address for the wireless client into the switch tablewherein the access point is configured to forward all communications received from the authenticated wireless client to the switch responsive to the wireless client successfully authenticating with the authentication server; and
  
  wherein the switch is configured to forward all communications received from the wireless client via the access point onto the network after adding the address for the wireless client into the switch table.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system according to claim 1, wherein the switch updates the switch table with a medium access control address, a quality of service parameter and an access control list.
  - 3. The system according to claim 1, wherein a session key is generated for subsequent communications between the authenticated wireless client and the access point responsive to the authenticated wireless client successfully authenticating with the authentication server.
  - 4. The system according to claim 1, further comprising the authentication server is responsive to establish a message authentication check key for the secure communication session between the switch and the access point.
  - 5. The system according to claim 4, wherein the a message authentication check key uniquely identifies the access point to the switch.
  - 6. The system according to claim 4, further comprising:
    - the access point is configured to send the data indicating the wireless client is authenticated signed with the message authentication check key; and
      
      the switch is responsive to receiving the data representative of the authenticated wireless client to verify the message authentication check key.
  - 7. A system according to claim 1, wherein the authentication server is configured to send data representative of a session key for the wireless client to the access point responsive to the wireless client successfully authenticating.

8. An apparatus, comprising:
- a wireless switch configured to be in data communication with a network having an authentication server disposed thereon and the switch is configured to be in data communication with an access point; and
  
  a switch table coupled to the switch, the switch table containing a list of authorized addresses;
  
  wherein the switch is configured to verify an address of a packet received from the access point with the switch table;
  
  wherein the switch is configured to forward packets from the access point onto the network responsive to the verifying the address of the packet is in the switch table;
  
  wherein the switch is configured to block packets from the access point from reaching the network responsive to determining the address of the packet is not in the switch table;
  
  wherein the switch is configured to authenticate the access point with the authentication server and to store the address of the access point in the switch table responsive to successfully authenticating the access point;
  
  wherein the switch is configured to allow authentication packets between the access point and the authentication server on the network for a wireless client having an address attempting to associate with the access point after the switch has added the address of the access point to the switch table;
  
  wherein the switch is configured to add the address of the wireless client to the switch table responsive to receiving a message from the access point that the wireless client is authenticated after the switch has authenticated the access point; and
  
  wherein the switch is configured to allow packets from the wireless client to pass onto the network after adding the address of the wireless client to the switch table.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The apparatus according to claim 8, wherein the switch updates the switch table with a medium access control address, a quality of service parameters and an access control list for the wireless client responsive to receiving a message from the access point that the wireless client is authenticated after the switch has authenticated the access point.
  - 10. The apparatus according to claim 8, further comprising the switch is configured to establish a message authentication check key communications between the switch and the access point.
  - 11. The apparatus according to claim 10, wherein the a message authentication check key uniquely identifies the access point to the switch.
  - 12. The apparatus according to claim 10, further comprising the switch is configured to verify the message from the access point that the wireless client is authenticated was signed with the message authentication check key.

13. A method, comprising:
- configuring a switch disposed between an access point having an address and a network with a table of allowed addresses to allow a packet having an address received from the access point onto the network responsive to the address of the packet matching an address in the table of allowed addresses;
  
  configuring the switch to block a packet having an address received from the access point responsive to the address of the packet not matching an address in the table of allowed addresses;
  
  receiving a communication from an access point having an address;
  
  authenticating the access point with an authentication server, whereupon a successful authentication, the access point is an authenticated access point;
  
  adding the address of the authenticated access point to a table of authorized users;
  
  forwarding authentication packets from the authenticated access point onto the network;
  
  adding the address of a wireless client to the table of authorized users responsive to receiving a message from the authenticated access point that the wireless client is an authenticated wireless client; and
  
  forwarding packets received from the wireless client onto the wireless network after the wireless client is added to the table of authorized users.
- View Dependent Claims (14, 15, 16)
- - 14. The method according to claim 13, wherein the adding the address of a wireless client further comprises adding a medium access control address, a quality of service parameter and an access control list for the wireless client.
  - 15. The method according to claim 13, the authenticating the access point further comprises establishing a message authentication check key for communications with the access point.
  - 16. The method according to claim 15, further comprising verifying the message from the authenticated access point was signed with the message authentication check key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Shuen, Pauline, Halasz, David E., Andrade, Merwyn B.
Primary Examiner(s)
Sheikh; Ayaz
Assistant Examiner(s)
CHEN, SHIN HON

Application Number

US10/041,005
Time in Patent Office

2,213 Days
Field of Search

713/168, 713/171, 713/181, 713/183, 726 2- 4, 726/12, 726/21, 709/219, 709/223, 709/225, 709/229, 379/88.17, 455/411, 455/414.1
US Class Current

726/2
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

H04W 88/08   Access point devices

H04W 92/045   between access point and ba...

Enhanced trust relationship in an IEEE 802.1x network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

89 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Enhanced trust relationship in an IEEE 802.1x network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

89 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links