Method and apparatus for re-authentication of a computing device using cached state
First Claim
1. A method of re-authenticating a computing device seeking access to a resource, the method comprising the computer-implemented steps of:
receiving a first request from the computing device for authentication by a server comprising one or more processors;
forwarding the first request received from the computing device to an authentication device to enable said authentication device to authenticate said computing device using a full-authentication mechanism for a first session, wherein state information related to authenticating said computing device for the first session is created;
wherein the state information comprises one or more of:
transport layer security (TLS) session ID;
protected access credentials;
cryptographic information;
session expiration information;
transport layer security (TLS) master secret;
access control policies that indicate what type of access the computing device should have to protected resources;
receiving said state information from said authentication device;
the server storing said state information on a state cache accessible by the server;
subsequent to termination of the first session;
receiving a second request from the computing device for authentication by the server;
re-authenticating said computing device for a second session, in response to said second request, using said stored state information without again contacting said authentication device;
receiving, at an authenticator device, a third request for authentication from said computing device;
determining that said authenticator device does not have valid state information for said computing device stored thereon; and
responsive to the determination that said authenticator device does not have said valid state information, forwarding said third request for authentication from said authenticator device to said authentication device.
Abstract
Automatically re-authenticating a computing device seeking access to a network or a resource. A method comprises forwarding a request received from the computing device to an authentication device to enable the authentication device to authenticate the computing device using a full-authentication mechanism. State information related to authenticating the computing device is created from authenticating the computing device. The state information is received and stored. For example, an authenticator device that forwarded the initial authentication request from the computing device to the authentication device receives and stores the state information. The computing device is re-authenticated using the stored state information without again contacting the authentication device.
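As an added illustration (not code from the patent or from any product), a Python model of the three flows the abstract describes: a first request forwarded to the authentication device for full authentication, a second request re-authenticated from the cached state without contacting that device, and a third request forwarded again once the cached state is missing or expired. The class names, the HMAC-over-nonce proof of possession and the constructed credential table are assumptions of this model; the patent does not specify how the cached secret is exercised during re-authentication.

```python
import hashlib, hmac, os, time
from dataclasses import dataclass

@dataclass
class AuthState:
    """State the authentication device returns after a full authentication."""
    session_id: bytes     # stands in for the TLS session ID
    master_secret: bytes  # stands in for the TLS master secret, also held by the device
    expires_at: float     # session expiration information (epoch seconds)
    policy: str           # access control policy for this device

class AuthenticationServer:
    """Backend doing the expensive full authentication (e.g. a RADIUS/EAP server)."""
    def __init__(self, creds, ttl=3600.0):
        self.creds, self.ttl, self.full_auths = creds, ttl, 0  # creds: constructed id -> password table
    def full_auth(self, device_id, password, now):
        self.full_auths += 1  # how often the authenticator had to contact us
        if not hmac.compare_digest(self.creds.get(device_id, ""), password):
            return None
        return AuthState(os.urandom(8), os.urandom(32), now + self.ttl, "vlan-10")

class Authenticator:
    """Access device holding the state cache; re-authenticates locally while state is valid."""
    def __init__(self, server):
        self.server, self.cache = server, {}
    def handle(self, device_id, password=None, session_id=None, prover=None, now=None):
        """Returns ("cached" | "full" | "denied", state); prover(nonce) is the device's proof
        that it still holds the master secret bound to session_id (assumed mechanism)."""
        now = time.time() if now is None else now
        state = self.cache.get(device_id)
        if state and session_id == state.session_id and now < state.expires_at and prover:
            nonce = os.urandom(16)  # fresh challenge, so a captured proof cannot be replayed
            expected = hmac.new(state.master_secret, nonce, hashlib.sha256).digest()
            if hmac.compare_digest(expected, prover(nonce)):
                return "cached", state  # second request: served without contacting the server
        self.cache.pop(device_id, None)  # missing, expired or failed proof: never reuse it
        if password is None:
            return "denied", None  # nothing to forward for a full authentication
        state = self.server.full_auth(device_id, password, now)  # first/third request: forwarded
        if state is None:
            return "denied", None
        self.cache[device_id] = state
        return "full", state

def device_prover(state):
    """The computing device's side: answer the challenge with its copy of the master secret."""
    return lambda nonce: hmac.new(state.master_secret, nonce, hashlib.sha256).digest()
```

The model drops a cache entry after expiry or a failed proof, so knowing a device's session ID alone never yields access from the cache; the next request goes back to the authentication device.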
28 Citations
25 Claims
1. A method of re-authenticating a computing device seeking access to a resource (independent claim; full text as given under First Claim above).
Dependent claims: 2-19 (not reproduced on this page).
20. An apparatus for authenticating a computing device over a network, said apparatus comprising:
a network interface that is coupled to the network for receiving one or more packet flows therefrom;
a processor; and
a computer readable medium having stored thereon one or more sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of:
receiving a first request from the computing device for authentication;
forwarding the first request received from the computing device to an authentication device to enable said authentication device to authenticate said computing device using a full-authentication mechanism for a first session, wherein state information related to authenticating said computing device for the first session is created;
wherein the state information comprises one or more of:
TLS session ID;
protected access credentials;
cryptographic information;
session expiration information;
transport layer security (TLS) master secret;
access control policies that indicate what type of access the computing device should have to protected resources;
receiving said state information from said authentication device;
storing said state information by the apparatus on a state cache;
subsequent to termination of the first session;
receiving a second request from the computing device for authentication;
re-authenticating said computing device for a second session, in response to said second request, using said stored state information without again contacting said authentication device;
receiving, at an authenticator device, a third request for authentication from said computing device;
determining that said authenticator device does not have valid state information for said computing device stored thereon; and
responsive to the determination that said authenticator device does not have said valid state information, forwarding said third request for authentication from said authenticator device to said authentication device.
Dependent claim: 21 (not reproduced on this page).
22. A computer readable medium, comprising volatile or non-volatile media, having stored thereon one or more sequences of instructions which, when executed by a processor, cause the processor to carry out the steps of:
receiving a first request for authentication from a computing device;
forwarding the first request received from the computing device to an authentication device to enable said authentication device to authenticate said computing device using a full-authentication mechanism for a first session, wherein state information related to authenticating said computing device for the first session is created;
wherein the state information comprises one or more of:
TLS session ID;
protected access credentials;
cryptographic information;
session expiration information;
transport layer security (TLS) master secret;
access control policies that indicate what type of access the computing device should have to protected resources;
receiving said state information from said authentication device;
storing said state information by a server on a state cache;
subsequent to termination of the first session;
receiving a second request for authentication from said computing device;
responsive to receiving said second request, re-authenticating said computing device, for a second session, using said stored state information without contacting said authentication device;
receiving, at an authenticator device, a third request for authentication from said computing device;
determining that said authenticator device does not have valid state information for said computing device stored thereon; and
responsive to the determination that said authenticator device does not have said valid state information, forwarding said third request for authentication from said authenticator device to said authentication device.
23. An apparatus for authenticating a computing device, comprising:
one or more processors;
means for receiving a first request for authentication from a computing device;
means for forwarding said first authentication request to an authentication device to enable said authentication device to authenticate said computing device using a full-authentication mechanism for a first session, wherein state information related to authenticating said computing device for the first session is created;
wherein the state information comprises one or more of:
TLS session ID;
protected access credentials;
cryptographic information;
session expiration information;
transport layer security (TLS) master secret;
access control policies that indicate what type of access the computing device should have to protected resources;
means for receiving said state information from said authentication device;
means for storing said state information on a state cache accessible by the apparatus;
subsequent to termination of the first session;
means for receiving a second request for authentication from said computing device;
means for re-authenticating said computing device for a second session, responsive to said second request, using said stored state information without contacting said authentication device;
means for receiving, at an authenticator device, a third request for authentication from said computing device;
means for determining that said authenticator device does not have valid state information for said computing device stored thereon; and
means for, responsive to the determination that said authenticator device does not have said valid state information, forwarding said third request for authentication from said authenticator device to said authentication device.
24. A network for authenticating a computing device, the network comprising:
an authentication device; and
an authenticator device communicatively coupled to said authentication device;
wherein said authentication device is operable to:
authenticate said computing device using a full-authentication mechanism for a first session, wherein state information related to said authenticating said computing device is created; and
wherein the state information comprises one or more of:
TLS session ID;
protected access credentials;
cryptographic information;
session expiration information;
transport layer security (TLS) master secret;
access control policies that indicate what type of access the computing device should have to protected resources;
transfer said state information to the authenticator device; and
wherein said authenticator device is operable to:
store said state information on said authenticator device; and
subsequent to termination of the first session;
re-authenticate said computing device at said authenticator device, for a second session, using said state information stored on said authenticator device;
receive a third request for authentication from said computing device;
determine that said authenticator device does not have valid state information for said computing device stored thereon; and
responsive to the determination that said authenticator device does not have said valid state information, forward said third request for authentication from said authenticator device to said authentication device.
Dependent claim: 25 (not reproduced on this page).