Method and apparatus for assigning network addresses based on connection authentication

US 7,502,929 B1
Filed: 10/16/2001
Issued: 03/10/2009
Est. Priority Date: 10/16/2001
Status: Expired due to Term

First Claim

Patent Images

1. A method of assigning a network address to a host based on authentication for a physical connection between the host and an intermediate device, the method comprising the computer-implemented steps of:

receiving, at a router hosting an authenticator process for the host, from a first server that provides authentication and authorization, in response to a request for authentication for the physical connection, first data indicating at least some of authentication and authorization information;

receiving, at a DHCP relay agent process of the router, from the host, a DHCP discovery message for discovering a logical network address for the host;

generating at the DHCP relay agent process a second message that comprises the DHCP discovery message and the first data; and

sending the second message from the DHCP relay agent process to a DHCP server that provides the logical network address for the host;

wherein generating the second message further comprises sending a third message, from the authenticator process to the relay agent process, that contains at least some of the authentication and authorization information based on the first data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for assigning a network address to a host are based on authentication for a connection between the host and an intermediate device. One approach involves receiving first data at the intermediate device from an authentication and authorization server in response to a request for authentication for the connection. The first data indicates at least some of authentication and authorization information. A configuration request message from the host is also received at the intermediate device. A second message is generated based on the configuration request message and the first data and is sent to a configuration server that provides the logical network address for the host. The configuration server provides the logical network address based on authorization and authentication information. The logical network address is thus based on the user, e.g., to limit access by the user to the Internet and other services.

Citations

27 Claims

1. A method of assigning a network address to a host based on authentication for a physical connection between the host and an intermediate device, the method comprising the computer-implemented steps of:
- receiving, at a router hosting an authenticator process for the host, from a first server that provides authentication and authorization, in response to a request for authentication for the physical connection, first data indicating at least some of authentication and authorization information;
  
  receiving, at a DHCP relay agent process of the router, from the host, a DHCP discovery message for discovering a logical network address for the host;
  
  generating at the DHCP relay agent process a second message that comprises the DHCP discovery message and the first data; and
  
  sending the second message from the DHCP relay agent process to a DHCP server that provides the logical network address for the host;
  
  wherein generating the second message further comprises sending a third message, from the authenticator process to the relay agent process, that contains at least some of the authentication and authorization information based on the first data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method as recited in claim 1, wherein:
    - the step of generating the second message further comprises the steps of;
      
      storing second data based on the first data by the authenticator process; and
      
      retrieving the second data by the relay agent process in response to said step of receiving the first message.
  - 3. A method as recited in claim 1, wherein the first server is an authentication, authorization and accounting server.
  - 4. A method as recited in claim 3, wherein the first server is a RADIUS protocol server.
  - 5. A method as recited in claim 1, wherein the physical connection comprises an Ethernet interface card on the router.
  - 6. A method as recited in claim 1, wherein the physical connection comprises a wireless Ethernet encryption key and time slot.
  - 7. A method as recited in claim 1, wherein the request for authentication is based on an Institute of Electrical and Electronics Engineers (IEEE) 802.1x standard.
  - 8. A method as recited in claim 1, wherein:
    - the first data includes user class data indicating a particular group of one or more authorized users of the host; and
      
      said step of generating the second message is further based on the user class data.
  - 9. A method as recited in claim 1, wherein:
    - the first data includes credential data indicating authentication is performed by the first server; and
      
      said step of generating the second message is further based on the credential data.

10. An apparatus for assigning a network address to a host based on authentication for a physical connection between the host and an intermediate device, comprising:
- means for receiving, at a router hosting an authenticator process for the host, from a first server that provides authentication and authorization, in response to a request for authentication for the physical connection, first data indicating at least some of authentication and authorization information;
  
  means for receiving, at a DHCP relay agent process of the router, from the host, a DHCP discovery message for discovering a logical network address for the host;
  
  means for generating at the DHCP relay agent process a second message that comprises the DHCP discovery message and the first data; and
  
  means for sending the second message from the DHCP relay agent process to a DHCP server that provides the logical network address for the host;
  
  wherein generating the second message further comprises sending a third message, from the authenticator process to the relay agent process, that contains at least some of the authentication and authorization information based on the first data.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. An apparatus as recited in claim 10, wherein the means for generating the second message further comprises means for storing second data based on the first data by the authenticator process, and means for retrieving the second data by the relay agent process in response to said step of receiving the first message.
  - 12. An apparatus as recited in claim 10, wherein the physical connection comprises any one of an Ethernet interface card, and a wireless Ethernet encryption key and time slot.
  - 13. An apparatus as recited in claim 10, wherein the request for authentication is based on an Institute of Electrical and Electronics Engineers (IEEE) 802.1x standard.
  - 14. An apparatus as recited in claim 10, wherein the first data includes user class data indicating a particular group of one or more authorized users of the host;
    - and wherein the means for generating the second message comprises means for generating the second message based on the user class data.
  - 15. An apparatus as recited in claim 10, wherein the first data includes credential data indicating authentication is performed by the first server;
    - and wherein the means for generating the second message further comprises means for generating the second message based on the credential data.

16. An apparatus for assigning a network address to a host based on authentication for a physical connection between the host and an intermediate device, comprising:
- a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
  
  a physical connection that is coupled to the host;
  
  a processor;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  receiving, at an authenticator process for the host, through the network interface from a first server that provides authentication and authorization, in response to a request for authentication for the physical connection, first data indicating at least some of authentication and authorization information;
  
  receiving, at a DHCP relay agent process, through the physical connection from the host, a DHCP discovery message for discovering a logical network address for the host;
  
  generating at the DHCP relay agent process a second message that comprises the DHCP discovery message and the first data; and
  
  sending through the network interface the second message from the DHCP relay agent process to a DHCP server that provides the logical network address for the host;
  
  wherein generating the second message further comprises sending a third message, from the authenticator process to the relay agent process, that contains at least some of the authentication and authorization information based on the first data.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. An apparatus as recited in claim 16, wherein the instructions for generating the second message further comprise instructions for storing second data based on the first data by the authenticator process, and instructions for retrieving the second data by the relay agent process in response to receiving the first message.
  - 18. An apparatus as recited in claim 16, wherein the physical connection comprises any one of an Ethernet interface card, and a wireless Ethernet encryption key and time slot.
  - 19. An apparatus as recited in claim 16, wherein the request for authentication is based on an Institute of Electrical and Electronics Engineers (IEEE) 802.1x standard.
  - 20. An apparatus as recited in claim 16, wherein the first data includes user class data indicating a particular group of one or more authorized users of the host;
    - and wherein the instructions for generating the second message comprise further instructions for generating the second message based on the user class data.
  - 21. An apparatus as recited in claim 16, wherein the first data includes credential data indicating authentication is performed by the first server;
    - and wherein the instructions for generating the second message further comprise instructions for generating the second message based on the credential data.

22. A computer-readable storage medium carrying one or more sequences of instructions for assigning a network address to a host based on authentication for a physical connection between the host and an intermediate device, wherein the computer-readable storage medium is one of a volatile medium or non-volatile medium, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- receiving, at a router hosting an authenticator process for the host, from a first server that provides authentication and authorization, in response to a request for authentication for the physical connection, first data indicating at least some of authentication and authorization information;
  
  receiving, at a DHCP relay agent process of the router, from the host, a DHCP discovery message for discovering a logical network address for the host;
  
  generating at the DHCP relay agent process a second message that comprises the DHCP discovery message and the first data; and
  
  sending the second message from the DHCP relay agent process to a DHCP server that provides the logical network address for the host;
  
  wherein generating the second message further comprises sending a third message, from the authenticator process to the relay agent process, that contains at least some of the authentication and authorization information based on the first data.
- View Dependent Claims (23, 24, 25, 26, 27)
- - 23. A computer-readable storage medium as recited in claim 22, wherein generating the second message includes storing second data based on the first data by the authenticator process and retrieving the second data by the relay agent process in response to receiving the first message.
  - 24. A computer-readable storage medium as recited in claim 22, wherein the physical connection comprises any one of an Ethernet interface card, and a wireless Ethernet encryption key and time slot.
  - 25. A computer-readable storage medium as recited in claim 22, wherein the request for authentication is based on an Institute of Electrical and Electronics Engineers (IEEE) 802.1x standard.
  - 26. A computer-readable storage medium as recited in claim 22, wherein the first data includes user class data indicating a particular group of one or more authorized users of the host;
    - and wherein generating the second message includes generating the second message based on the user class data.
  - 27. A computer-readable storage medium as recited in claim 22, wherein the first data includes credential data indicating authentication is performed by the first server;
    - and wherein generating the second message includes generating the second message based on the credential data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Droms, Ralph, Schnizlein, John M.
Primary Examiner(s)
Revak; Christopher A
Assistant Examiner(s)
Moorthy; Aravind K

Application Number

US09/981,182
Time in Patent Office

2,702 Days
Field of Search

713/168
US Class Current

713/168
CPC Class Codes

H04L 61/5014   using dynamic host configur...

H04L 63/083   using passwords cryptograph...

H04L 63/0892   by using authentication-aut...

H04L 63/101   Access control lists [ACL]

Method and apparatus for assigning network addresses based on connection authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for assigning network addresses based on connection authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links