Methods and apparatus for user authentication and interactive unit authentication

US 7,624,437 B1
Filed: 05/01/2002
Issued: 11/24/2009
Est. Priority Date: 04/02/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method, comprising:

establishing a connection between a virtual private network (VPN) hardware client and an internet;

establishing a connection between a client computer and the internet, where the connection passes through the VPN hardware client;

establishing a tunnel between the client computer and a remote network upon successfully authenticating the virtual private network (VPN) hardware client to the remote network, where the VPN hardware client is operably connected to and remote to the client computer, and where the VPN hardware client is a hardware device,where authenticating the VPN hardware client comprises;

receiving an initial data request from a client computing device;

sending a web page containing a first query for authentication information to said client computing device in response to said initial data request;

receiving first authentication information in response to said first query; and

verifying said first authentication information, and wherein the step of providing the client computing device authentication mechanism comprises;

returning, in response to verifying the first authentication information, a web page containing a query for client authentication information to said client computing device, the web page including information about the status of the secure data connection;

receiving client authentication information from said client computing device; and

verifying said client authentication information;

controlling the VPN hardware client to provide two different levels of access to a user of the client computer, where a first level of access provides access to the internet to an unauthenticated user of the client computer, and where a second level of access provides access to both the internet and to the remote network to a user of the client computer that has been authenticated to the remote network through the tunnel;

examining all data requests received by the VPN hardware client both before the VPN hardware client has been authenticated to the remote network and after the VPN hardware client has been authenticated to the remote network; and

selectively allowing data requests seeking access to the tunnel, where data requests seeking access to the tunnel will be granted access to the tunnel when the data requests are either data requests that do not require that they originate from an authenticated user of the client computer or are data requests from an authenticated user of the client computer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a hardware client for remote logon to a network, a two layer authentication protocol enables authorized users to log on while discouraging unauthorized users. The hardware client prevents logging on to the network if the hardware client is stolen. The hardware client itself is authenticated in the first authentication layer in order to establish a link to the network. Then a client computer authenticates in a second layer and further establishes a secure connection to the network. If the power of the hardware client goes off (as it would if or example it were unplugged for transport), then the authentication is not saved and therefore is lost. The hardware client must be reauthenticated before it can be used again.

39 Citations

View as Search Results

17 Claims

1. A method, comprising:
- establishing a connection between a virtual private network (VPN) hardware client and an internet;
  
  establishing a connection between a client computer and the internet, where the connection passes through the VPN hardware client;
  
  establishing a tunnel between the client computer and a remote network upon successfully authenticating the virtual private network (VPN) hardware client to the remote network, where the VPN hardware client is operably connected to and remote to the client computer, and where the VPN hardware client is a hardware device,where authenticating the VPN hardware client comprises;
  
  receiving an initial data request from a client computing device;
  
  sending a web page containing a first query for authentication information to said client computing device in response to said initial data request;
  
  receiving first authentication information in response to said first query; and
  
  verifying said first authentication information, and wherein the step of providing the client computing device authentication mechanism comprises;
  
  returning, in response to verifying the first authentication information, a web page containing a query for client authentication information to said client computing device, the web page including information about the status of the secure data connection;
  
  receiving client authentication information from said client computing device; and
  
  verifying said client authentication information;
  
  controlling the VPN hardware client to provide two different levels of access to a user of the client computer, where a first level of access provides access to the internet to an unauthenticated user of the client computer, and where a second level of access provides access to both the internet and to the remote network to a user of the client computer that has been authenticated to the remote network through the tunnel;
  
  examining all data requests received by the VPN hardware client both before the VPN hardware client has been authenticated to the remote network and after the VPN hardware client has been authenticated to the remote network; and
  
  selectively allowing data requests seeking access to the tunnel, where data requests seeking access to the tunnel will be granted access to the tunnel when the data requests are either data requests that do not require that they originate from an authenticated user of the client computer or are data requests from an authenticated user of the client computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 16)
- - 2. The method of claim 1, comprising storing an identifier for an authenticated client computer in an authentication table.
  - 3. The method of claim 1, comprising:
    - monitoring tunnel idle time; and
      
      breaking down the tunnel when the monitored tunnel idle time exceeds a network connection idle time threshold.
  - 4. The method of claim 1, where an Internet data type is to be allowed access to the tunnel without being associated with an authenticated user of the client computer.
  - 5. The method of claim 1, where a voice-over-Internet-Protocol type is to be allowed access to the tunnel without being associated with an authenticated user of the client computer.
  - 6. The method of claim 1, comprising:
    - monitoring client computer idle time; and
      
      deauthenticating the client computer when the monitored client computer idle time exceeds a client computer idle time threshold.
  - 7. The method of claim 1, where client authentication information is accessible in a smart card and where authenticating the client computer comprises reading the client authentication information from the smart card.
  - 16. The method of claim 1 comprising:
    - detecting that the established connection is down;
      
      re-authenticating the hardware client to the network; and
      
      establishing a new secure data connection over a public network, the new secure data connection including a tunnel between the hardware client and the network, in response to re-authenticating the hardware client.

8. A method of making a secure connection between a virtual private network (VPN) hardware client and a network, comprising the steps of:
- A. receiving, at the hardware client, an initial data request from a client computing device;
  
  B. sending a first query for authentication information from the hardware client to said client computing device in response to said initial data request;
  
  C. receiving, at the hardware client, first authentication information in response to said first query;
  
  D. verifying said first authentication information;
  
  E. establishing a secure data connection from the hardware client, over a public network, to the network in response to verifying said first authentication information, wherein the secure data connection includes a tunnel between the hardware client and the network;
  
  F. receiving a second data request from said client computing device;
  
  G. determining whether said second data request is a data type to be transmitted without authentication of said client computing device;
  
  a) if yes, directing said second data request to a destination outside said network;
  
  b) if no, determining whether said client computing device is authenticated;
  
  i) if yes, forwarding the packet across said secure data connection to said network, wherein the packet travels over the tunnel;
  
  ii) if no, sending a second query for authentication information to said client computing device;
  
  (1) receiving second authentication information from said client computing device, wherein said second authentication information is transmitted over the network;
  
  (2) verifying said second authentication information;
  
  (3) storing an identifier of said client computing device such that said client is authenticated for subsequent data requests;
  
  wherein the method further comprises;
  
  examining each data request received by the hardware client prior to authenticating the hardware client to the network and examining each data request received by the hardware client post authenticating the hardware client to the network.
- View Dependent Claims (9, 10, 11, 12, 13, 15, 17)
- - 9. The method of claim 8 wherein the step of determining further comprises an authentication table lookup.
  - 10. The method of claim 8 wherein said step of storing an identifier further comprises storing said identifier in an authentication table.
  - 11. The method of claim 8 wherein said stored identifier is a MAC address of said client computing device.
  - 12. The method of claim 8 wherein said stored identifier is a MAC address and an IP address of said client computing device.
  - 13. The method of claim 8 wherein said data type to be transmitted without authentication is an Internet data request type.
  - 15. The method of claim 8, where the step of sending a first query comprises sending a web page containing a first query for authentication information from the hardware client to said client computing device in response to said initial data request, and wherein the step of sending a second query for authentication information comprises sending a web page containing a second query for authentication information to said client computing device, wherein the web page containing a second query for authentication information includes information about the status of the secure data connection.
  - 17. The method of claim 8 comprising:
    - detecting that the secure data connection is down;
      
      sending a first query for authentication information from the hardware client to said client computing device in response to the detection;
      
      receiving, at the hardware client, first authentication information in response to said first query;
      
      verifying said first authentication information; and
      
      re-establishing a secure data connection from the hardware client, over a public network, to the network in response to verifying said first authentication information, wherein the secure data connection includes a tunnel between the hardware client and the network.

14. A circuit, comprising:
- a data communications port;
  
  a memory;
  
  an authentication table; and
  
  a controller coupled to said data communications port, said memory and said authentication table, said controller being configured to;
  
  authenticate to a network;
  
  establish a secure data connection over a public network, the secure data connection including a tunnel between a virtual private network (VPN) hardware client and the network, in response to authenticating;
  
  provide a client computing device authentication mechanism for authenticating at least one client computing device connecting to the network via the tunnel through the hardware client, wherein the client computing device authentication mechanism comprises;
  
  sending a query for client authentication information to said client computing device;
  
  receiving client authentication information from said client computing device, wherein said client computing device transmits said client authentication information over the network;
  
  verifying said client authentication information; and
  
  storing an identifier of said client computing device such that said client is authenticated;
  
  examine each data request received at said data communications port prior to authenticating the hardware client to the network and examining each data request received by the hardware client post authenticating the hardware client to the network;
  
  determine whether said data request originated from a client computing device having an identifier stored in said authentication table; and
  
  transmitting across said secure data connection only data requests belong to one of the following types;
  
  1) a data request of a data type to be transmitted without authentication of an originating client computing device,
  
  2) a data request from an authenticated client computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Rodwin, Andrew, Fagundo, Arturo, Davis, Peter, Bazzinotti, John
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
PATEL, NIRAV B

Application Number

US10/136,480
Time in Patent Office

2,764 Days
Field of Search

713/182, 713150-155, 713/168, 713/153, 726 2- 5, 726/9, 726 11- 15, 709/229, 709/225, 709217-219, 370/229, 370/230, 370/401, 370/398, 455/411, 455/410, 380/255
US Class Current

726/15
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 61/25   of the same type

H04L 63/0272   Virtual private networks

H04L 67/14   Session management for real...

H04L 67/303   Terminal profiles

Methods and apparatus for user authentication and interactive unit authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

39 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for user authentication and interactive unit authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links