Method and apparatus for assigning network addresses based on connection authentication

US 7,886,149 B2
Filed: 01/30/2009
Issued: 02/08/2011
Est. Priority Date: 10/16/2001
Status: Expired due to Term

First Claim

Patent Images

1. A method of assigning a network address to a host based on authentication for a physical connection between the host and an intermediate device, the method comprising the computer-implemented steps of:

receiving, at a configuration server, from the intermediate device, a first message for discovering a logical network address for the host;

receiving, at the configuration server, first data that indicates at least some of authentication and authorization information associated with the host, wherein a first server that provides authentication and authorization in response to a request for authentication for the physical connection generated the first data;

selecting, based at least in part on the first data, a particular pool of one or more logical network addresses from among a plurality of pools of one or more logical network addresses; and

sending, to the host, a second message including second data indicating a particular network address from the particular pool.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for assigning a network address to a host are based on authentication for a physical connection between the host and an intermediate device. One approach involves receiving first data at the intermediate device from an authentication and authorization server in response to a request for authentication for the physical connection. The first data indicates at least some of authentication and authorization information. A configuration request message from the host is also received at the intermediate device. The configuration request message is for discovering a logical network address for the host. A second message is generated based on the configuration request message and the first data. The second message is sent to a configuration server that provides the logical network address for the host. The configuration server is then able to provide the logical network address based on authorization and authentication information.

Citations

26 Claims

1. A method of assigning a network address to a host based on authentication for a physical connection between the host and an intermediate device, the method comprising the computer-implemented steps of:
- receiving, at a configuration server, from the intermediate device, a first message for discovering a logical network address for the host;
  
  receiving, at the configuration server, first data that indicates at least some of authentication and authorization information associated with the host, wherein a first server that provides authentication and authorization in response to a request for authentication for the physical connection generated the first data;
  
  selecting, based at least in part on the first data, a particular pool of one or more logical network addresses from among a plurality of pools of one or more logical network addresses; and
  
  sending, to the host, a second message including second data indicating a particular network address from the particular pool.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A method as recited in claim 1, wherein the first message includes the first data.
  - 3. A method as recited in claim 1, wherein receiving the first data comprises receiving, at the configuration server, the first data directly from the first server.
  - 4. A method as recited in claim 3, further comprising the step of correlating the first message and the first data.
  - 5. A method as recited in claim 4, wherein:
    - the first message includes a unique identification for the host;
      
      the first data includes the unique identification for the host; and
      
      the step of correlating the first message and the first data is based, at least in part, on the unique identification for the host.
  - 6. A method as recited in claim 5, wherein the unique identification for the host is a media access control address.
  - 7. A method as recited in claim 1, wherein each pool of the plurality of pools is associated with a corresponding group of a plurality of groups of one or more authorized users of the host.
  - 8. A method as recited in claim 7, wherein the first data includes user class data indicating a particular group of the plurality of groups.
  - 9. A method as recited in claim 1, wherein the particular pool is associated with a privilege to access an Internet through a gateway process.
  - 10. A method as recited in claim 1, wherein the first server is a RADIUS protocol server and the configuration server is a DHCP server.

11. A method of assigning a network address to a host based on authentication for a physical connection between the host and an intermediate device, the method comprising the computer-implemented steps of:
- receiving, from the intermediate device, at an authorization server on a network connected to the intermediate device, a request for authenticating the host, the request including information provided from the host;
  
  determining, at the authorization server, whether the host is authentic and authorized to connect to the network based, at least in part, on the request and user profile data;
  
  in response to determining that the host is authentic and authorized to connect to the network, sending, from the authorization server, to the intermediate device, a response indicating that the host is authentic and authorized; and
  
  sending, from the authorization server, to a configuration server, first data that indicates at least some of authentication and authorization information associated with the host, wherein the configuration server provides a logical network address for the host.
- View Dependent Claims (12, 13)
- - 12. A method as recited in claim 11, wherein:
    - the response includes data indicating a particular group of one or more users authorized for a particular set of network operations;
      
      each network operation in the particular set is controlled by a logical network address of a host of a user; and
      
      the group includes the particular user.
  - 13. A method as recited in claim 11, wherein the authorization server is a RADIUS protocol server and the configuration server is a DHCP server.

14. An apparatus for assigning a network address to a host based on authentication for a physical connection between the host and an intermediate device, comprising:
- a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
  
  a physical connection that is coupled to the host;
  
  one or more processors;
  
  instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of;
  
  receiving, at a configuration server, from the intermediate device, a first message for discovering a logical network address for the host;
  
  receiving, at the configuration server, first data that indicates at least some of authentication and authorization information associated with the host, wherein a first server that provides authentication and authorization in response to a request for authentication for the physical connection generated the first data;
  
  selecting, based at least in part on the first data, a particular pool of one or more logical network addresses from among a plurality of pools of one or more logical network addresses; and
  
  sending, to the host, a second message including second data indicating a particular network address from the particular pool.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. An apparatus as recited in claim 14, wherein the first message includes the first data.
  - 16. An apparatus as recited in claim 14, wherein receiving the first data comprises receiving, at the configuration server, the first data directly from the first server.
  - 17. An apparatus as recited in claim 16, wherein the instructions include additional instructions which, when executed by the one or more processors, further cause the one or more processors to perform the step of correlating the first message and the first data.
  - 18. An apparatus as recited in claim 17, wherein:
    - the first message includes a unique identification for the host;
      
      the first data includes the unique identification for the host; and
      
      the step of correlating the first message and the first data is based, at least in part, on the unique identification for the host.
  - 19. An apparatus as recited in claim 18, wherein the unique identification for the host is a media access control address.
  - 20. An apparatus as recited in claim 14, wherein each pool of the plurality of pools is associated with a corresponding group of a plurality of groups of one or more authorized users of the host.
  - 21. An apparatus as recited in claim 20, wherein the first data includes user class data indicating a particular group of the plurality of groups.
  - 22. An apparatus as recited in claim 14, wherein the particular pool is associated with a privilege to access an Internet through a gateway process.
  - 23. An apparatus as recited in claim 14, wherein the first server is a RADIUS protocol server and the configuration server is a DHCP server.

24. An apparatus for assigning a network address to a host based on authentication for a physical connection between the host and an intermediate device, comprising:
- a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
  
  a physical connection that is coupled to the host;
  
  one or more processors;
  
  one or more instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of;
  
  receiving, from the intermediate device, at an authorization server on a network connected to the intermediate device, a request for authenticating the host, the request including information provided from the host;
  
  determining, at the authorization server, whether the host is authentic and authorized to connect to the network based, at least in part, on the request and user profile data;
  
  in response to determining that the host is authentic and authorized to connect to the network, sending, from the authorization server, to the intermediate device, a response indicating that the host is authentic and authorized; and
  
  sending, from the authorization server, to a configuration server, first data that indicates at least some of authentication and authorization information associated with the host, wherein the configuration server provides a logical network address for the host.
- View Dependent Claims (25, 26)
- - 25. An apparatus as recited in claim 24, wherein:
    - the response includes data indicating a particular group of one or more users authorized for a particular set of network operations;
      
      each network operation in the particular set is controlled by a logical network address of a host of a user; and
      
      the group includes the particular user.
  - 26. An apparatus as recited in claim 24, wherein the authorization server is a RADIUS protocol server and the configuration server is a DHCP server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Droms, Ralph, Schnizlein, John M.
Primary Examiner(s)
Moorthy; Aravind K

Application Number

US12/362,857
Publication Number

US 20090138619A1
Time in Patent Office

739 Days
Field of Search

713/168, 713/153, 713/161, 713/162, 726/12, 726/15, 709/202, 709/203, 709/220, 709/224
US Class Current

713/168
CPC Class Codes

H04L 61/5014   using dynamic host configur...

H04L 63/083   using passwords cryptograph...

H04L 63/0892   by using authentication-aut...

H04L 63/101   Access control lists [ACL]

Method and apparatus for assigning network addresses based on connection authentication

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for assigning network addresses based on connection authentication

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links