Method and apparatus for assigning network addresses to network devices

US 7,367,046 B1
Filed: 12/04/2002
Issued: 04/29/2008
Est. Priority Date: 12/04/2002
Status: Active Grant

First Claim

Patent Images

1. A method for assigning network addresses to network devices, the method comprising the computer-implemented steps of:

receiving an address allocation request from a client network device that does not have an assigned network address;

generating a network device authentication request that requests authentication of identification data that uniquely identifies the network device;

sending the authentication request to an authentication mechanism;

wherein the authentication mechanism comprises an authentication, authorization and accounting (AAA) server;

receiving an authentication response from the authentication mechanism;

if the authentication response indicates that the network device is authorized to access a first network, then assigning to the network device, a trusted network address on the first network, andif the authentication response indicates that the network device is not authorized to access a first network, then assigning to the network device, an untrusted network address on a second network;

wherein the trusted and untrusted network addresses are assigned to the network device without respect to port assignment;

wherein the generating, the sending and the receiving the authentication response all are performed in response to receiving the address allocation request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to an approach for assigning network addresses to network devices, an authentication request that requests authentication of identification data that uniquely identifies a network device is generated and sent to an authentication mechanism. An authentication response is received from the authentication mechanism that indicates whether the network device is authorized to access a first network. If the authentication response indicates that the network device is authorized to access the first network, then a first network address on a first network is assigned to the network device. If the authentication response indicates that the network device is not authorized to access the first network, then a second network address on a second network to the network device is assigned. If no authentication response is received from the authentication mechanism, then the second network address on the second network is assigned to the network device.

52 Citations

View as Search Results

47 Claims

1. A method for assigning network addresses to network devices, the method comprising the computer-implemented steps of:
- receiving an address allocation request from a client network device that does not have an assigned network address;
  
  generating a network device authentication request that requests authentication of identification data that uniquely identifies the network device;
  
  sending the authentication request to an authentication mechanism;
  
  wherein the authentication mechanism comprises an authentication, authorization and accounting (AAA) server;
  
  receiving an authentication response from the authentication mechanism;
  
  if the authentication response indicates that the network device is authorized to access a first network, then assigning to the network device, a trusted network address on the first network, andif the authentication response indicates that the network device is not authorized to access a first network, then assigning to the network device, an untrusted network address on a second network;
  
  wherein the trusted and untrusted network addresses are assigned to the network device without respect to port assignment;
  
  wherein the generating, the sending and the receiving the authentication response all are performed in response to receiving the address allocation request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 46)
- - 2. A method as recited in claim 1, wherein the step of generating an authentication request is performed in response to receiving, from the network device, a request for a network address, wherein the request includes the identification data.
  - 3. A method as recited in claim 1, wherein said network device is one or more of a personal computer, an Internet Protocol phone and a wireless device.
  - 4. A method as recited in claim 1, wherein said trusted network address is an Internet protocol address.
  - 5. A method as recited in claim 1, wherein said identification data is a media access control (MAC) address.
  - 6. A method as recited in claim 1, wherein the step of sending the authentication request to the authentication mechanism is performed via a secure connection.
  - 7. A method as recited in claim 6, wherein said secure connection conforms to Internet Protocol Security (IPsec) or Secure Sockets Layer (SSL) protocols.
  - 8. A method as recited in claim 1, wherein accessibility to the first network is more restricted relative to the second network.
  - 9. A method as recited in claim 8, wherein the first network is a private network and the second network is a public network.
  - 10. A method as recited in claim 9, wherein the private network is a corporate intranet and the public network is the Internet.
  - 46. The method of claim 1, wherein a DHCP server performs all the steps and wherein the AAA server is in another private network separate from the first network and the second network.

11. A method for assigning network addresses to network devices, the method comprising the computer-implemented steps of:
- receiving an address allocation request from a client network device that does not have an assigned network address;
  
  generating a network device authentication request that requests authentication of identification data that uniquely identifies the network device;
  
  sending the authentication request to an authentication mechanism;
  
  wherein the authentication mechanism comprises an authentication, authorization and accounting (AAA) server;
  
  determining whether an authentication response is received from the authentication mechanism;
  
  if the authentication response is received from the authentication mechanism, then determining whether the authentication response indicates the network device is authorized to access a first network;
  
  if the authentication response indicates that the network device is authorized to access the first network, then assigning, to the network device, a trusted network address on the first network;
  
  if the authentication response indicates that the network device is not authorized to access the first network, then assigning, to the network device, an untrusted network address on a second network; and
  
  if the authentication response is not received from the authentication mechanism, then assigning, to the network device, an untrusted network address on the second network;
  
  wherein the trusted and untrusted network addresses are assigned to the network device without respect to port assignment;
  
  wherein the generating, the sending and the determining all are performed in response to receiving the address allocation request.

12. A computer-readable storage medium carrying one or more sequences of instructions for assigning addresses to network devices, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- receiving an address allocation request from a client network device that does not have an assigned network address;
  
  generating a network device authentication request that requests authentication of identification data that uniquely identifies the network device;
  
  sending the authentication request to an authentication mechanism;
  
  wherein the authentication mechanism comprises an authentication, authorization and accounting (AAA) server;
  
  receiving an authentication response from the authentication mechanism;
  
  if the authentication response indicates that the network device is authorized to access a first network, then assigning, to the network device, a trusted network address on the first network, andif the authentication response indicates that the network device is not authorized to access the first network, then assigning, to the network device, an untrusted network address on the second network;
  
  wherein the trusted and untrusted network addresses are assigned to the network device without respect to port assignment;
  
  wherein the generating, the sending and the receiving the authentication response all are performed in response to receiving the address allocation request.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The computer-readable storage medium as recited in claim 12, wherein the step of generating an authentication request is performed in response to receiving, from the network device, a request for a network address, wherein the request includes the identification data.
  - 14. The computer-readable storage medium as recited in claim 12, wherein said network device is one or more of a personal computer, an Internet Protocol phone and a wireless device.
  - 15. The computer-readable storage medium as recited in claim 12, wherein said trusted network address is an Internet protocol address.
  - 16. The computer-readable storage medium as recited in claim 12, wherein said identification data is a media access control (MAC) address.
  - 17. The computer-readable storage medium as recited in claim 12, wherein the step of sending the authentication request to the authentication mechanism is performed via a secure connection.
  - 18. The computer-readable storage medium as recited in claim 17, wherein said secure connection conforms to Internet Protocol Security (IPsec) or Secure Sockets Layer (SSL) protocols.
  - 19. The computer-readable storage medium as recited in claim 12, wherein accessibility to the first network is more restricted relative to the second network.
  - 20. The computer-readable storage medium as recited in claim 19, wherein the first network is a private network and the second network is a public network.
  - 21. The computer-readable storage medium as recited in claim 20, wherein the private network is a corporate intranet and the public network is the Internet.

22. A computer-readable storage medium carrying one or more sequences of instructions for assigning network addresses to devices, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- receiving an address allocation request from a client network device that does not have an assigned network address;
  
  generating a network device authentication request that requests authentication of identification data that uniquely identifies the network device;
  
  sending the authentication request to an authentication mechanism;
  
  wherein the authentication mechanism comprises an authentication, authorization and accounting (AAA) server;
  
  determining whether an authentication response is received from the authentication mechanism;
  
  if the authentication response is received from the authentication mechanism, then determining whether the authentication response indicates the network device is authorized to access a first network;
  
  if the authentication response indicates that the network device is authorized to access the first network, then assigning, to the network device, a trusted network address on the first network;
  
  if the authentication response indicates that the network device is not authorized to access the first network, then assigning, to the network device, an untrusted network address on a second network; and
  
  if the authentication response is not received from the authentication mechanism, then assigning, to the network device, a an untrusted network address on the second network;
  
  wherein the trusted and untrusted network addresses are assigned to the network device without respect to port assignment;
  
  wherein the generating, the sending and the determining all are performed in response to receiving the address allocation request.

23. An apparatus for assigning network addresses to network devices, comprising:
- means for receiving an address allocation request from a client network device that does not have an assigned network address;
  
  means for generating a network device authentication request that requests authentication of identification data that uniquely identifies the network device;
  
  means for sending the authentication request to an authentication mechanism;
  
  means for determining whether an authentication response is received from the authentication mechanism;
  
  wherein the authentication mechanism comprises an authentication, authorization and accounting (AAA) server;
  
  means for determining if the authentication response is received from the authentication mechanism and for determining whether the authentication response indicates the network device is authorized to access a first network;
  
  means for assigning, to the network device, a trusted network address on the first network if the authentication response indicates that the network device is authorized to access a first network;
  
  means for assigning, to the network device, an untrusted network address on a second network if the authentication response indicates that the network device is not authorized to access a first network;
  
  means for assigning, to the network device, an untrusted network address on the second network if the authentication response is not received from the authentication mechanism;
  
  wherein the means for assigning the trusted and untrusted network addresses to the network device is performed without respect to port assignment;
  
  wherein the means for generating, sending and determining all are performed in response to receiving the address allocation request.

24. An apparatus for assigning network addresses to network devices comprisinga memory having one or more stored sequences of instructions which, when executed by one or more processors, cause the one or more processors to:
- receive an address allocation request from a client network device that does not have an assigned network address;
  
  generate a network device authentication request that requests authentication of identification data that uniquely identifies the network device;
  
  send the authentication request to an authentication mechanism;
  
  wherein the authentication mechanism comprises an authentication, authorization and accounting (AAA) server;
  
  determine whether an authentication response is received from the authentication mechanism;
  
  if the authentication response is received from the authentication mechanism, then determine whether the authentication response indicates the network device is authorized to access a first network;
  
  if the authentication response indicates that the network device is authorized to access the first network, then assign, to the network device, a trusted network address on the first network;
  
  if the authentication response indicates that the network device is not authorized to access the first network, then assign, to the network device, an untrusted network address on a second network;
  
  if the authentication response is not received from the authentication mechanism, then assign, to the network device, an untrusted network address on the second network;
  
  wherein the trusted and untrusted network addresses are assigned to the network device without respect to port assignment;
  
  wherein the instructions to generate, send and receive an authentication response all are responsive to the instructions to receive the address allocation request.

25. An apparatus for assigning network addresses to network devices, comprising:
- means for receiving an address allocation request from a client network device that does not have an assigned network address;
  
  means for generating a network device authentication request that requests authentication of identification data that uniquely identifies a network device;
  
  means for sending the authentication request to an authentication mechanism;
  
  means for receiving an authentication response from the authentication mechanism;
  
  means for assigning, to the network device, a trusted network address on the first network if the authentication response indicates that the network device is authorized to access the first network, andmeans for assigning, to the network device, an untrusted network address on a second network if the authentication response indicates that the network device is not authorized to access the first network;
  
  wherein the means for assigning the trusted and untrusted network addresses to the network device by is performed by a network address allocator;
  
  wherein the means for generating, sending and receiving the authentication response all are responsive to the means for receiving the address allocation request.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 26. An apparatus as recited in claim 25, wherein the means for generating an authentication request is configured to generate the authentication request in response to receiving, from the network device, a request for a network address, wherein the request includes the identification data.
  - 27. An apparatus as recited in claim 25, wherein said network device is one or more of a personal computer, an Internet Protocol phone and a wireless device.
  - 28. An apparatus as recited in claim 25, wherein said trusted network address is an Internet protocol address.
  - 29. An apparatus as recited in claim 25, wherein said identification data is a media access control (MAC) address.
  - 30. An apparatus as recited in claim 25, wherein the means for sending the authentication request to the authentication mechanism is configured to send the authentication request to the authentication mechanism via a secure connection.
  - 31. An apparatus as recited in claim 30, wherein said secure connection conforms to Internet Protocol Security (IPsec) or Secure Sockets Layer (SSL) protocols.
  - 32. An apparatus as recited in claim 25, wherein accessibility to the first network is more restricted relative to the second network.
  - 33. An apparatus as recited in claim 32, wherein the first network is a private network and the second network is a public network.
  - 34. An apparatus as recited in claim 33, wherein the private network is a corporate intranet and the public network is the Internet.
  - 35. The apparatus of claim 25, wherein the apparatus comprises a DHCP server and wherein the AAA server is in another private network separate from the first network and the second network.

36. An apparatus for assigning network addresses to network devices comprising:
- a memory having one or more stored sequences of instructions which, when executed by one or more processors, cause the one or more processors to;
  
  receive an address allocation request from a client network device that does not have an assigned network address;
  
  generate a network device authentication request that requests authentication of identification data that uniquely identifies the network device;
  
  send the authentication request to an authentication mechanism;
  
  wherein the authentication mechanism comprises an authentication, authorization and accounting (AAA) server;
  
  receive an authentication response from the authentication mechanism;
  
  if the authentication response indicates that the network device is authorized to access a first network, then assign, to the network device, a trusted network address on the first network, andif the authentication response indicates that the network device is not authorized to access the first network, then assign, to the network device, an untrusted network address on the second network;
  
  wherein the trusted and untrusted network addresses are assigned to the network device without respect to port assignment;
  
  wherein the instructions to generate, send and receive an authentication response all are performed in response to the instructions to receive the address allocation request.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43, 44, 45, 47)
- - 37. An apparatus as recited in claim 36, wherein the generating an authentication request is performed in response to receiving, from the network device, a request for a network address, wherein the request includes the identification data.
  - 38. An apparatus as recited in claim 36, wherein said network device is one or more of a personal computer, an Internet Protocol phone and a wireless device.
  - 39. An apparatus as recited in claim 36, wherein said trusted network address is an Internet protocol address.
  - 40. An apparatus as recited in claim 36, wherein said identification data is a media access control (MAC) address.
  - 41. An apparatus as recited in claim 36, wherein the sending the authentication request to the authentication mechanism is performed via a secure connection.
  - 42. An apparatus as recited in claim 41, wherein said secure connection conforms to Internet Protocol Security (IPsec) or Secure Sockets Layer (SSL) protocols.
  - 43. An apparatus as recited in claim 36, wherein accessibility to the first network is more restricted relative to the second network.
  - 44. An apparatus as recited in claim 43, wherein the first network is a private network and the second network is a public network.
  - 45. An apparatus as recited in claim 44, wherein the private network is a corporate intranet and the public network is the Internet.
  - 47. The apparatus of claim 36, wherein the apparatus comprises a DHCP server and wherein the AAA server is in another private network separate from the first network and the second network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Melohn, William C., Aggarwal, Gautam, Jayasenan, Siva S., Sukiman, Indrajanti
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Tran; Tongoc

Application Number

US10/310,372
Time in Patent Office

1,973 Days
Field of Search

713/155, 709/219, 709/245, 726 2- 4
US Class Current

726/2
CPC Class Codes

G06F 2221/2129   Authenticate client device ...

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

Method and apparatus for assigning network addresses to network devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

52 Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for assigning network addresses to network devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links