Method and apparatus for re-authentication of a computing device using cached state

US 7,716,721 B2
Filed: 10/18/2005
Issued: 05/11/2010
Est. Priority Date: 10/18/2005
Status: Active Grant

First Claim

Patent Images

1. A method of re-authenticating a computing device seeking access to a resource, the method comprising the computer-implemented steps of:

receiving a first request from the computing device for authentication by a server comprising one or more processors;

forwarding the first request received from the computing device to an authentication device to enable said authentication device to authenticate said computing device using a full-authentication mechanism for a first session, wherein state information related to authenticating said computing device for the first session is created;

wherein the state information comprises one or more of;

transport layer security (TLS) session ID;

protected access credentials;

cryptographic information;

session expiration information;

transport layer security (TLS) master secret;

access control policies that indicate what type of access the computing device should have to protected resources;

receiving said state information from said authentication device;

the server storing said state information on a state cache accessible by the server;

subsequent to termination of the first session;

receiving a second request from the computing device for authentication by the server;

re-authenticating said computing device for a second session, in response to said second request, using said stored state information without again contacting said authentication device;

receiving, at an authenticator device, a third request for authentication from said computing device;

determining that said authenticator device does not have valid state information for said computing device stored thereon; and

responsive to the determination that said authenticator device does not have said valid state information, forwarding said third request for authentication from said authenticator device to said authentication device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Automatically re-authenticating a computing device seeking access to a network or a resource. A method comprises forwarding a request received from the computing device to an authentication device to enable the authentication device to authenticate the computing device using a full-authentication mechanism. State information related to authenticating the computing device is created from authenticating the computing device. The state information is received and stored. For example, an authenticator device that forwarded the initial authentication request from the computing device to the authentication device receives and stores the state information. The computing device is re-authenticated using the stored state information without again contacting the authentication device.

28 Citations

View as Search Results

25 Claims

1. A method of re-authenticating a computing device seeking access to a resource, the method comprising the computer-implemented steps of:
- receiving a first request from the computing device for authentication by a server comprising one or more processors;
  
  forwarding the first request received from the computing device to an authentication device to enable said authentication device to authenticate said computing device using a full-authentication mechanism for a first session, wherein state information related to authenticating said computing device for the first session is created;
  
  wherein the state information comprises one or more of;
  
  transport layer security (TLS) session ID;
  
  protected access credentials;
  
  cryptographic information;
  
  session expiration information;
  
  transport layer security (TLS) master secret;
  
  access control policies that indicate what type of access the computing device should have to protected resources;
  
  receiving said state information from said authentication device;
  
  the server storing said state information on a state cache accessible by the server;
  
  subsequent to termination of the first session;
  
  receiving a second request from the computing device for authentication by the server;
  
  re-authenticating said computing device for a second session, in response to said second request, using said stored state information without again contacting said authentication device;
  
  receiving, at an authenticator device, a third request for authentication from said computing device;
  
  determining that said authenticator device does not have valid state information for said computing device stored thereon; and
  
  responsive to the determination that said authenticator device does not have said valid state information, forwarding said third request for authentication from said authenticator device to said authentication device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. A method as recited in claim 1, wherein said authentication device is substantially compliant with an authentication server in an 802.1x architecture.
  - 3. A method as recited in claim 1, wherein said re-authenticating is performed at an authenticator device that is substantially compliant with an authenticator in an 802.1x architecture.
  - 4. A method as recited in claim 1, wherein said re-authenticating is performed at a network access point.
  - 5. A method as recited in claim 1, wherein said re-authenticating said computing device comprises:
    - determining that said state information for said computing device is stored and that said state information is valid.
  - 6. A method as recited in claim 1, further comprising:
    - receiving, at an authenticator device, a fourth request from said computing device for authentication;
      
      determining if said authenticator device has policies associated with authenticating said computing device;
      
      in response to determining that said authenticator device has said policies, initiating said re-authenticating said computing device at said authenticator device; and
      
      in response to determining that said authenticator device does not have said policies, forwarding said third request for authentication from said authenticator device to said authentication device.
  - 7. A method as recited in claim 1, wherein said state information comprises the TLS session ID.
  - 8. A method as recited in claim 1, wherein said state information comprises the cryptographic information.
  - 9. A method as recited in claim 1, wherein said state information comprises expiration information for the first session associated with said authenticating said computing device to said authentication device.
  - 10. A method as recited in claim 1, wherein said state information comprises access control policies.
  - 11. A method as recited in claim 1, wherein said receiving said state information comprises receiving said state information in a message used in authentication handshaking.
  - 12. A method as recited in claim 1, wherein said receiving said state information comprises receiving a RADIUS change of authorization request message.
  - 13. A method as recited in claim 1, wherein said receiving said state information is in response to a request from an authenticator device for said state information.
  - 14. A method as recited in claim 1, further comprising invalidating said stored state information responsive to a directive from said authentication device.
  - 15. A method as recited in claim 1, further comprising receiving a policy change from said authentication device.
  - 16. A method as recited in claim 1, further comprising an authenticator device invalidating said stored state information responsive to a session timeout.
  - 17. A method as recited in claim 1, wherein said authentication device does not store said state information for the duration of the first session associated with said authenticating said computing device.
  - 18. A method as recited in claim 8, wherein said cryptographic information comprises the Transport Layer Security (TLS) master secret.
  - 19. A method as recited in claim 11, wherein said message is an access-accept message in a Transport Layer Security (TLS) protocol.

20. An apparatus for authenticating a computing device over a network, said apparatus comprising:
- a network interface that is coupled to the network for receiving one or more packet flows therefrom;
  
  a processor; and
  
  a computer readable medium having stored thereon one or more sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  receiving a first request from the computing device for authentication;
  
  forwarding the first request received from the computing device to an authentication device to enable said authentication device to authenticate said computing device using a full-authentication mechanism for a first session, wherein state information related to authenticating said computing device for the first session is created;
  
  wherein the state information comprises one or more of;
  
  TLS session ID;
  
  protected access credentials;
  
  cryptographic information;
  
  session expiration information;
  
  transport layer security (TLS) master secret;
  
  access control policies that indicate what type of access the computing device should have to protected resources;
  
  receiving said state information from said authentication device;
  
  storing said state information by the apparatus on a state cache;
  
  subsequent to termination of the first session;
  
  receiving a second request from the computing device for authentication;
  
  re-authenticating said computing device for a second session, in response to said second request, using said stored state information without again contacting said authentication device;
  
  receiving, at an authenticator device, a third request for authentication from said computing device;
  
  determining that said authenticator device does not have valid state information for said computing device stored thereon; and
  
  responsive to the determination that said authenticator device does not have said valid state information, forwarding said third request for authentication from said authenticator device to said authentication device.
- View Dependent Claims (21)
- - 21. An apparatus as recited in claim 20, wherein said instructions, when executed by the processor, cause the processor to carry out the further steps of:
    - receiving a third request for authentication from said computing device;
      
      responsive to receiving said second request, determining if said state information is stored in said computer readable medium;
      
      responsive to a determination that said state information is not stored in said computer readable medium, forwarding said third request for authentication to the authentication device; and
      
      responsive to a determination that said state information is stored in said computer readable medium, re-authenticating said computing device using said stored state information.

22. A computer readable medium, comprising volatile or non-volatile media, having stored thereon one or more sequences of instructions which, when executed by a processor, cause the processor to carry out the steps of:
- receiving a first request for authentication from a computing device;
  
  forwarding the first request received from the computing device to an authentication device to enable said authentication device to authenticate said computing device using a full-authentication mechanism for a first session, wherein state information related to authenticating said computing device for the first session is created;
  
  wherein the state information comprises one or more of;
  
  TLS session ID;
  
  protected access credentials;
  
  cryptographic information;
  
  session expiration information;
  
  transport layer security (TLS) master secret;
  
  access control policies that indicate what type of access the computing device should have to protected resources;
  
  receiving said state information from said authentication device;
  
  storing said state information by a server on a state cache;
  
  subsequent to termination of the first session;
  
  receiving a second request for authentication from said computing device;
  
  responsive to receiving said second request, re-authenticating said computing device, for a second session, using said stored state information without contacting said authentication device;
  
  receiving, at an authenticator device, a third request for authentication from said computing device;
  
  determining that said authenticator device does not have valid state information for said computing device stored thereon; and
  
  responsive to the determination that said authenticator device does not have said valid state information, forwarding said third request for authentication from said authenticator device to said authentication device.

23. An apparatus for authenticating a computing device, comprising:
- one or more processors;
  
  means for receiving a first request for authentication from a computing device;
  
  means for forwarding said first authentication request to an authentication device to enable said authentication device to authenticate said computing device using a full-authentication mechanism for a first session, wherein state information related to authenticating said computing device for the first session is created;
  
  wherein the state information comprises one or more of;
  
  TLS session ID;
  
  protected access credentials;
  
  cryptographic information;
  
  session expiration information;
  
  transport layer security (TLS) master secret;
  
  access control policies that indicate what type of access the computing device should have to protected resources;
  
  means for receiving said state information from said authentication device;
  
  means for storing said state information on a state cache accessible by the apparatus;
  
  subsequent to termination of the first session;
  
  means for receiving a second request for authentication from said computing device;
  
  means for re-authenticating said computing device for a second session, responsive to said second request, using said stored state information without contacting said authentication device;
  
  means for receiving, at an authenticator device, a third request for authentication from said computing device;
  
  means for determining that said authenticator device does not have valid state information for said computing device stored thereon; and
  
  means for, responsive to the determination that said authenticator device does not have said valid state information, forwarding said third request for authentication from said authenticator device to said authentication device.

24. A network for authenticating a computing device, the network comprising:
- an authentication device; and
  
  an authenticator device communicatively coupled to said authentication device;
  
  wherein said authentication device is operable to;
  
  authenticate said computing device using a full-authentication mechanism for a first session, wherein state information related to said authenticating said computing device is created; and
  
  wherein the state information comprises one or more of;
  
  TLS session ID;
  
  protected access credentials;
  
  cryptographic information;
  
  session expiration information;
  
  transport layer security (TLS) master secret;
  
  access control policies that indicate what type of access the computing device should have to protected resources;
  
  transfer said state information to the authenticator device; and
  
  wherein said authenticator device is operable to;
  
  store said state information on said authenticator device; and
  
  subsequent to termination of the first session;
  
  re-authenticate said computing device at said authenticator device, for a second session, using said state information stored on said authenticator device;
  
  receive a third request for authentication from said computing device;
  
  determine that said authenticator device does not have valid state information for said computing device stored thereon; and
  
  responsive to the determination that said authenticator device does not have said valid state information, forward said third request for authentication from said authenticator device to said authentication device.
- View Dependent Claims (25)
- - 25. A network as recited in claim 24, wherein said authenticator device is further operable to:
    - receive a request for authentication from said computing device;
      
      determine if state information that is usable for a re-authentication of said computing device is stored at said authenticator device;
      
      forward said authentication request to the authentication device responsive to a determination that said state information is not stored at said authenticator device; and
      
      re-authenticate said computing device at said authenticator device responsive to a determination that said state information is stored at said authenticator device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Frenkel, Ilan, Kobozev, Alexey, Zavalkovsky, Arthur, Salowey, Joseph
Primary Examiner(s)
ZIA, SYED

Application Number

US11/253,960
Publication Number

US 20070101406A1
Time in Patent Office

1,666 Days
Field of Search

713/159, 726/8, 726/10
US Class Current

726/2
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/0815   providing single-sign-on or...

H04L 63/166   at the transport layer

H04L 9/321   involving a third party or ...

H04L 9/3273   for mutual authentication n...

H04W 12/068   using credential vaults, e....

Method and apparatus for re-authentication of a computing device using cached state

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

28 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for re-authentication of a computing device using cached state

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links