Fast re-authentication with dynamic credentials

US 7,434,044 B2
Filed: 02/26/2003
Issued: 10/07/2008
Est. Priority Date: 02/26/2003
Status: Expired due to Fees

First Claim

Patent Images

1. An apparatus, comprising:

a table for storing authentication data;

a proxy authentication server configured to be coupled to a network, the proxy authentication server is in data communication with the table;

wherein the proxy authentication server is configured to intercept an authentication request for a client from a first access point;

wherein the proxy authentication server is responsive to intercepting the authentication request for the client to determine whether authentication data for the client is stored in the table;

wherein the proxy authentication server is responsive to determining authentication data for the table is not stored in the table to forward the authentication request to an authentication server;

wherein the proxy authentication server is configured to intercept a response to the forwarded authentication request from the authentication server, the response comprising authentication data for the client;

wherein the proxy authentication server is configured to store the authentication data for the client from the response in the table;

wherein the proxy authentication server is configured to send data derived from the authentication data to the first access point to enable the first access point to establish a communication session with the client;

wherein the proxy authentication server is configured to intercept an authentication request for the client from a second access point;

wherein the proxy authentication server is responsive to intercepting the authentication request for the client from the second access point to determine whether authentication data for the client is stored in the table; and

wherein the proxy authentication server is configured to send data derived from the authentication data to the second access point to enable the second access point to establish a communication session with the client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A proxy server that is inserted between a plurality of network access servers, typically an access points, and an authentication server. When an original authentication request is received by an network access server, the network access server forwards the request to the proxy server which forwards the request to an authentication server. The authentication server then sends the session information to the proxy server which stores the keying material as a dynamic credentials. When the client re-authenticates with one of the plurality of access servers, the re-authentication request is handled by the proxy server using the dynamic credentials. The proxy server may re-authenticate the client using a different method than the method that was originally used. For example, the original authentication may be by Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) and subsequent reauthentications may use Wi-Fi Protected Access (WPA).

12 Citations

View as Search Results

13 Claims

1. An apparatus, comprising:
- a table for storing authentication data;
  
  a proxy authentication server configured to be coupled to a network, the proxy authentication server is in data communication with the table;
  
  wherein the proxy authentication server is configured to intercept an authentication request for a client from a first access point;
  
  wherein the proxy authentication server is responsive to intercepting the authentication request for the client to determine whether authentication data for the client is stored in the table;
  
  wherein the proxy authentication server is responsive to determining authentication data for the table is not stored in the table to forward the authentication request to an authentication server;
  
  wherein the proxy authentication server is configured to intercept a response to the forwarded authentication request from the authentication server, the response comprising authentication data for the client;
  
  wherein the proxy authentication server is configured to store the authentication data for the client from the response in the table;
  
  wherein the proxy authentication server is configured to send data derived from the authentication data to the first access point to enable the first access point to establish a communication session with the client;
  
  wherein the proxy authentication server is configured to intercept an authentication request for the client from a second access point;
  
  wherein the proxy authentication server is responsive to intercepting the authentication request for the client from the second access point to determine whether authentication data for the client is stored in the table; and
  
  wherein the proxy authentication server is configured to send data derived from the authentication data to the second access point to enable the second access point to establish a communication session with the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The apparatus of claim 1, wherein the authentication data for the client comprises a session key.
  - 3. The apparatus of claim 1, wherein the authentication server is a Remote Authentication Dial-In User Service (RADIUS) compatible server.
  - 4. The apparatus of claim 1, wherein the client is a wireless client, the first access point is a wireless access point and the second access point is a wireless access point.
  - 5. The apparatus of claim 1, wherein the authentication data for the client comprises keying material;
    - wherein the data sent to the first access point is authentication data for authenticating the client with a first authentication protocol; and
      
      wherein the data sent to the second access point is authentication data for authenticating the client with a second authentication protocol.
  - 6. The apparatus of claim 5, wherein the first authentication protocol is an Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) compatible protocol.
  - 7. The apparatus of claim 6, wherein the second authentication protocol is a Lightweight Extensible Authentication Protocol (LEAP) compatible protocol.
  - 8. The apparatus of claim 6, wherein the second authentication protocol is a WiFi Protected Access (WPA) compatible protocol.
  - 9. The apparatus of claim 1, wherein the proxy authentication server is configured to intercept an authentication request for the client from a third access point;
    - wherein the proxy authentication server is responsive to intercepting the authentication request for the client from the third access point to determine whether authentication data for the client is stored in the table; and
      
      wherein the proxy authentication server is configured to send data to the third access point to enable the third access point to establish a communication session with the client.
  - 10. The apparatus of claim 1, wherein the proxy authentication server is configured to intercept a subsequent authentication request for the client from the first access point;
    - wherein the proxy authentication server is responsive to intercepting the subsequent authentication request for the client from the first access point to determine whether authentication data for the client is stored in the table; and
      
      wherein the proxy authentication server is configured to send data to the first access point to enable the second access point to establish a communication session with the client.

11. An apparatus, comprising:
- means for storing authentication data;
  
  means for intercepting a first request to authenticate a client from a first access point to an authentication server;
  
  means for determining whether authentication data for the client is stored by the means for storing authentication data responsive to the means for intercepting a request to authenticate a client from a first access point;
  
  means for forwarding the first authentication request to an authentication server responsive to the means for determining ascertaining the means for storing authentication data does not have authentication data for the client;
  
  means for receiving authentication data for the client from the authentication server and storing the authentication with the means for storing authentication data;
  
  means for sending data derived from the authentication data to the first access point enabling the first access point to establish a communication session with the client;
  
  means for intercepting a second request to authenticate the client from a second access point to an authentication server;
  
  means for acquiring authentication data for the client is stored by the means for storing authentication data responsive to the means for intercepting a request to authenticate the client from a second access point; and
  
  means for sending data derived from the authentication data to the second access point enabling the second access point to establish a communication session with the client.
- View Dependent Claims (12, 13)
- - 12. The apparatus of claim 11, wherein the mean for sending data to the first access point sends keying material for the first access point to communicate with the client.
  - 13. The apparatus of claim 11, wherein the mean for sending data to the second access point sends keying material for the second access point to communicate with the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Halasz, David E., Zorn, Glen W.
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Okoronkwo; Chinwendu C

Application Number

US10/373,128
Publication Number

US 20040168054A1
Time in Patent Office

2,050 Days
Field of Search

380277-286, 726 2- 7, 726/21, 713/150
US Class Current

713/155
CPC Class Codes

H04L 12/2856   Access arrangements, e.g. I...

H04L 63/08   for authentication of entit...

H04L 63/0892   by using authentication-aut...

H04L 63/162   at the data link layer

H04L 69/18   Multiprotocol handlers, e.g...

H04W 12/062   Pre-authentication

H04W 36/0038   of security context informa...

H04W 84/12   WLAN [Wireless Local Area N...

H04W 88/182   Network node acting on beha...

Fast re-authentication with dynamic credentials

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

12 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Fast re-authentication with dynamic credentials

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links