Local authentication of a client at a network device
First Claim
1. A system for controlling access of a client to a network resource, the system comprising:
a network resource that is communicatively coupled to a network;
a network firewall routing device that is communicatively coupled to the network and that is logically interposed between the client and the network resource, wherein the network firewall routing device comprises:
a firewall that protects the network resource by means for selectively blocking messages initiated by client and directed to the network resource, wherein the firewall comprises:
an external interface and an internal interface; and
an Output Access Control List at the internal interface and an Input Access Control List at the external interface;
an authentication server that is communicatively coupled to the network and to the network firewall routing device and comprising user profile information;
means for creating and storing client authorization information at the network firewall routing device, based in part on the user profile information, wherein the client authorization information comprises information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client has with respect to the network resource;
means for receiving a request from the client to communicate with the network resource;
means for determining whether the client is authorized to communicate with the network resource based on the authorization information; and
means for reconfiguring the network firewall routing device to permit the client to communicate with the network resource only when the client is authorized to communicate with the network resource based on the authorization information, wherein the means for reconfiguring the network firewall routing device opens a logical passageway for network traffic from the client, wherein the logical passageway does not automatically close when a user terminates a session, and wherein the means for reconfiguring the network firewall routing device further comprises:
means for determining a current IP address of the client;
means for creating a new user profile information, based on the user profile information, that includes the current IP address; and
means for adding the new user profile information as temporary entries to the Input Access Control List at the external interface and to the Output Access Control List at the internal interface.
Abstract
A method and apparatus that provide network access control are disclosed. In one embodiment, a network device is configured to intercept network traffic initiated from a client and directed toward a network resource, and to locally authenticate the client. Authentication is carried out by comparing information identifying the client to authentication information stored in the network device. In one embodiment, an authentication cache in the network device stores the authentication information. If the client identifying information is authenticated successfully against the stored authentication information, the network device is dynamically reconfigured to allow network traffic initiated by the client to reach the network resource. If local authentication fails, new stored authentication information is created for the client, and the network device attempts to authenticate the client using a remote authentication server. If remote authentication is successful, the local authentication information is updated so that subsequent requests can authenticate locally. As a result, a client may be authenticated locally at a router or similar device, reducing network traffic to the authentication server.
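The flow the abstract describes (local cache check, fallback to the remote authentication server, cache update, then reconfiguration of the two ACLs with temporary per-IP entries) is easier to reason about as code. The model below is an added illustration written for this page, not the patent holder's code or any vendor's implementation. It assumes a salted password hash as the "information identifying the client", an `authenticated` flag on cache entries, and an explicit `revoke()` call for removing the temporary entries; none of those details come from the page.

```python
"""Added model of local authentication at a firewall routing device.

Constructed for illustration only. The password-hash comparison, the cache
entry states and the revoke() operation are assumptions, not details from
the patent text.
"""
from dataclasses import dataclass
import hashlib
import hmac

# Constructed salt for the toy credential store; a real device would keep
# per-user salts or a keyed hash in protected storage.
_SALT = b"constructed-salt:"


def hash_password(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


@dataclass(frozen=True)
class UserProfile:
    """User profile information as held by the authentication server."""
    username: str
    password_hash: str
    privileges: frozenset  # services the user may reach, e.g. {"http", "ssh"}


class AuthenticationServer:
    """Remote authentication server; counts round trips to show caching."""

    def __init__(self, profiles):
        self._profiles = {p.username: p for p in profiles}
        self.queries = 0

    def authenticate(self, username: str, password: str):
        self.queries += 1
        profile = self._profiles.get(username)
        if profile and hmac.compare_digest(profile.password_hash, hash_password(password)):
            return profile
        return None


@dataclass
class CacheEntry:
    """Local authentication information kept in the device's cache."""
    password_hash: str
    privileges: frozenset = frozenset()
    authenticated: bool = False


@dataclass(frozen=True)
class AclEntry:
    """Temporary per-client entry carrying the client's current IP address."""
    client_ip: str
    username: str
    service: str


class FirewallRouter:
    """Network firewall routing device interposed between client and resource."""

    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.auth_cache: dict[str, CacheEntry] = {}
        self.input_acl: set[AclEntry] = set()   # external interface, inbound
        self.output_acl: set[AclEntry] = set()  # internal interface, outbound

    def request_access(self, username: str, password: str, client_ip: str) -> bool:
        """Intercept a client request: authenticate locally, else remotely."""
        presented = hash_password(password)
        entry = self.auth_cache.get(username)
        if entry and entry.authenticated and hmac.compare_digest(entry.password_hash, presented):
            self._open_passageway(username, entry.privileges, client_ip)
            return True
        # Local failure: build new stored information and consult the server.
        # Design choice (assumption): the new entry is committed only after the
        # server confirms it, so a wrong password cannot evict a valid entry.
        new_entry = CacheEntry(password_hash=presented)
        profile = self.server.authenticate(username, password)
        if profile is None:
            return False  # nothing opened, cache unchanged
        new_entry.privileges = profile.privileges
        new_entry.authenticated = True
        self.auth_cache[username] = new_entry
        self._open_passageway(username, new_entry.privileges, client_ip)
        return True

    def _open_passageway(self, username, privileges, client_ip):
        """Reconfigure: add temporary entries for the current IP to both ACLs."""
        for service in privileges:
            acl_entry = AclEntry(client_ip, username, service)
            self.input_acl.add(acl_entry)
            self.output_acl.add(acl_entry)

    def permits(self, client_ip: str, service: str) -> bool:
        """Client traffic must pass the inbound ACL and then the outbound ACL."""
        def matches(acl):
            return any(e.client_ip == client_ip and e.service == service for e in acl)
        return matches(self.input_acl) and matches(self.output_acl)

    def revoke(self, client_ip: str) -> int:
        """Remove temporary entries; they do not close by themselves at session end."""
        removed = 0
        for acl in (self.input_acl, self.output_acl):
            stale = {e for e in acl if e.client_ip == client_ip}
            acl -= stale
            removed += len(stale)
        return removed


def demo() -> dict:
    """Constructed walk-through returning the observable outcomes."""
    server = AuthenticationServer([
        UserProfile("alice", hash_password("correct horse"), frozenset({"http", "ssh"})),
    ])
    router = FirewallRouter(server)
    out = {}
    out["wrong_password"] = router.request_access("alice", "nope", "203.0.113.10")
    out["opened_after_wrong"] = router.permits("203.0.113.10", "http")
    out["first_login"] = router.request_access("alice", "correct horse", "203.0.113.10")
    out["second_login"] = router.request_access("alice", "correct horse", "203.0.113.10")
    out["remote_queries"] = server.queries  # the failed attempt and the first login only
    out["http_permitted"] = router.permits("203.0.113.10", "http")
    out["smtp_permitted"] = router.permits("203.0.113.10", "smtp")
    out["other_ip_permitted"] = router.permits("203.0.113.99", "http")
    out["entries_removed"] = router.revoke("203.0.113.10")  # 2 services x 2 ACLs
    out["after_revoke"] = router.permits("203.0.113.10", "http")
    return out


if __name__ == "__main__":
    print(demo())
```

Two points worth noticing in the walk-through: the second login never reaches the server (the query counter stays at 2), which is the traffic reduction the abstract claims; and the ACL entries are bound to the IP address observed at authentication time, so a device that caches credentials and opens per-IP holes needs the cache protected at rest and a deliberate policy (idle timeout, administrative clear, or the explicit `revoke()` modelled here) for removing entries that, by the claims' own wording, do not close when the session ends.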
78 Citations
30 Claims
1. A system for controlling access of a client to a network resource, the system comprising: (independent claim 1; full text given above under First Claim)
View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
15. A system for controlling access to a network resource, the system comprising:
a network resource that is communicatively coupled to a network;
a client capable of sending a request to communicate with the network resource;
a network firewall routing device that is logically interposed between the client and the network resource and is capable of permitting the client to communicate with the network resource, wherein the network firewall routing device comprises:
a firewall that protects the network resource by selectively blocking messages initiated by client and directed to the network resource, wherein the firewall comprises:
an external interface and an internal interface; and
an Output Access Control List at the internal interface and an Input Access Control List at the external interface;
an authentication server that is communicatively coupled to the network and to the network firewall routing device and comprising user profile information;
means for creating and storing client authorization information at the network firewall routing device, wherein the client authorization information comprises information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client has with respect to the network resource;
means for determining, at the network firewall routing device, whether the client is authorized to communicate with the network resource based on the authorization information; and
means for reconfiguring the network firewall routing device to permit the client to communicate with the network resource only when the client is authorized to communicate with the network resource based on the authorization information, wherein the means for reconfiguring the network firewall routing device opens a logical passageway for network traffic from the client, wherein the logical passageway does not automatically close when a user terminates a session, and wherein the means for reconfiguring the network firewall routing device further comprises:
means for determining a current IP address of the client;
means for creating a new user profile information, based on the user profile information, that includes the current IP address; and
means for adding the new user profile information as temporary entries to the Input Access Control List at the external interface and to the Output Access Control List at the internal interface.
View Dependent Claims (16, 17, 18, 19, 20, 21)
22. A system for authentication comprising:
a network resource connected to a network;
a client capable of sending a request to communicate with the network resource;
a network firewall routing device that is logically interposed between the client and the network resource and that is reconfigured to permit the client to communicate with the network resource only when the client is authorized to communicate with the network resource based on client authorization information stored in the network firewall routing device, wherein the network firewall routing device comprises:
a firewall that protects the network resource by means for selectively blocking messages initiated by client and directed to the network resource, wherein the firewall comprises:
an external interface and an internal interface;
an Output Access Control List at the internal interface and an Input Access Control List at the external interface;
wherein the network firewall routing device, when reconfigured, is reconfigured by the steps of:
determining a current IP address of the client;
creating a new user profile information, based on the user profile information, that includes the current IP address; and
adding the new user profile information as temporary entries to the Input Access Control List at the external interface and to the Output Access Control List at the internal interface;
wherein the network firewall routing device, when reconfigured, opens a logical passageway for network traffic from the client, wherein the logical passageway does not automatically close when a user terminates a session, and wherein the client authorization information comprises information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client has with respect to the network resource;
a database server that stores a plurality of user profiles, each user profile uniquely associated with one of a plurality of users that can use the client to send requests to communicate with the network resource;
an authentication server that is logically interposed between the network firewall routing device and the database server, and that is capable of communicating with the database server and retrieving from the database server a user profile.
View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30)
Specification