Method and apparatus for securely disseminating security server contact information in a network

US 8,037,514 B2
Filed: 03/01/2005
Issued: 10/11/2011
Est. Priority Date: 03/01/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a server list as part of a first security exchange, whereinthe server list is received by a first network device,the first network device acts as a supplicant in the first security exchange,the server list comprises network addresses of two or more security servers, including a first network address of a first security server and a second network address of a second security server, andthe server list identifies the first security server as having a higher priority than the second security server; and

communicating with the first security server of the two or more security servers as part of a second security exchange, using information in the server list, whereinthe first network device acts as an authenticator to a second network device in the second security exchange,the communicating comprises sending a packet to the first network address of the first security server, andthe communicating is performed by the first network device; and

sending the server list during the second security exchange, wherein the first network device performs the sending to the second network device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various systems and method are disclosed for disseminating security server contact information in a network. For example, one method (e.g., performed by a security server) involves determining that a network device is a secure network device, in response to participating in a security exchange with the network device; and then sending a server list to the network device. The server list includes the network address of at least one security server. Another method (e.g., performed by a network device) involves initiating an authentication exchange; receiving a server list, which includes the network address of a security server, as part of the authentication exchange; and communicating with the security server by sending a packet to the network address included in the server list.

10 Citations

View as Search Results

25 Claims

1. A method comprising:
- receiving a server list as part of a first security exchange, whereinthe server list is received by a first network device,the first network device acts as a supplicant in the first security exchange,the server list comprises network addresses of two or more security servers, including a first network address of a first security server and a second network address of a second security server, andthe server list identifies the first security server as having a higher priority than the second security server; and
  
  communicating with the first security server of the two or more security servers as part of a second security exchange, using information in the server list, whereinthe first network device acts as an authenticator to a second network device in the second security exchange,the communicating comprises sending a packet to the first network address of the first security server, andthe communicating is performed by the first network device; and
  
  sending the server list during the second security exchange, wherein the first network device performs the sending to the second network device.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1,wherein the first security sever is an authorization server.
  - 3. The method of claim 2, further comprising:
    - in response to detecting an inability to communicate with the authorization server, communicating with the second security server by sending a second packet to the second network address, wherein the second security sever is a second authorization server.
  - 4. The method of claim 1, further comprising:
    - providing the server list to an additional network device.
  - 5. The method of claim 1, further comprising:
    - verifying the server list, whereinthe verifying is dependent upon a public key infrastructure.

6. A method comprising:
- determining that a first network device is a secure network device as part of asecurity exchange, whereinthe determining is performed in response to the first network device providing proper credentials to a first security server, andthe first security server performs the determining while participating in the security exchange;
  
  sending a server list to the first network device during the security exchange, in response to the determining, whereinthe security server performs the sending,the server list comprises network addresses of two or more security servers, including a first network address of the first security server and a second network address of a second security server, andthe server list identifies the first security server as having a higher priority than the second security server; and
  
  participating in a subsequent security exchange with a second network device, whereinthe first security server performs the participating, andthe first network device contacts the first security server during the subsequent security exchange using the first network address of the first security server in the server list.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method of claim 6, whereinthe security exchange is an authentication exchange.
  - 8. The method of claim 6, whereinthe security exchange is an authorization exchange.
  - 9. The method of claim 6, whereinthe server list comprises expiration information.
  - 10. The method of claim 6, further comprising:
    - resending the server list to the first network device in response to detecting that the server list has been modified.

11. A system comprising:
- a network device comprising a security module and a memory device coupled to the security module, whereinthe security module is configured to participate as a supplicant in a security exchange,the security module is configured to receive a server list during the security exchange,the server list comprises network addresses of two or more security servers, including a first network address of a first security server and a second network address of a second security server,the server list identifies the first security server as having a higher priority than the second security server, andthe security module is configured to store the server list in the memory device, andthe security module is configured to use the first network address of the first security server of the two or more security servers to contact the first security server during a subsequent security exchange, whereinthe security module is configured to act as an authenticator to a second network device in the subsequent security exchange, andthe security module is configured to send the server list to the second network device during the subsequent security exchange.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system of claim 11, whereinthe security module comprises an authentication module, andthe authentication module is configured to receive the server list from one of the two or more security servers during an authentication exchange.
  - 13. The system of claim 12, whereinhe security module comprises an authorization module,the authorization module is configured to participate in an authorization exchange with an authorization server,the authorization module is configured to receive a second server list from the authorization server as part of the authorization exchange,the authorization module is configured to store the second server list in the memory device, andthe second server list comprises a plurality of network addresses, each network address corresponding to a respective one of a plurality of security servers.
  - 14. The system of claim 13, whereinthe security module is configured to select a third network address of a third security server in response to the second server list identifying the third security server as having a highest priority of the security servers.
  - 15. The system of claim 11, whereinthe security module is configured to verify that the server list is not expired by accessing expiration information, prior to using the network address to initiate the security exchange, andthe server list comprises the expiration information.

16. A system, comprising:
- a first security server comprising a security module and a memory device coupled to the security module, whereinthe security module is configured to participate in a security exchange with a first network device,the memory device is configured to store a server list, the server list comprising network addresses of two or more security servers, including a first network address of the first security server and a second network address of a second security server,the server list identifies the first security server as having a higher priority than the second security server, andthe security module is configured to send the server list to the first network device, in response to detecting that the first network device is a secure network device, in response to the first network device providing proper credentials to the security module while participating in the security exchange, andthe security module is configured to participate in a subsequent security exchange with a second network device, wherein the first network device is configured to contact the first security server during the subsequent security exchange using the first network address of the first security server in the server list.
- View Dependent Claims (17, 18, 19)
- - 17. The system of claim 16, wherein the first security server comprises:
    - a user interface, whereinthe user interface is configured to receive user input specifying the server list, andthe user interface is configured to store the server list in the memory device, in response to receiving the user input.
  - 18. The system of claim 17, whereinhe security module is configured to send a second server list to the first network device as part of an authorization exchange, andthe second server list comprises a plurality of network addresses, wherein each of the network addresses corresponds to a respective one of a plurality of security servers.
  - 19. The system of claim 17, whereinthe security module is configured to resend the server list to the first network device in response to detecting that the server list has been modified.

20. A system comprising:
- a first security server; and
  
  a first network device coupled to the first security server, whereinthe first security server is configured to participate in a security exchange with the first network device,the first security server is configured to provide a server list to the first network device, in response to detecting that the first network device is a secure network device, in response to the first network device presenting proper credentials to the first security server while participating in the security exchange,the server list comprises addresses of two or more security servers, including a first network address of the first security server and a second network address of a second security server,the server list identifies the first security server as having a higher priority than the second security server; and
  
  the first security server is configured to participate in a subsequent security exchange with a second network device, wherein the first network device contacts the first security server during the subsequent security exchange using the first network address of the first security server in the server list.
- View Dependent Claims (21, 22, 23)
- - 21. The system of claim 20, whereinthe first security server is configured to send the server list to the first network device, in response to the first network device presenting proper credentials to the first security server while participating in an authentication exchange.
  - 22. The system of claim 20, whereinthe first security server is configured to send the server list to the first network device, in response to the first network device presenting proper credentials to the first security server while participating in an authorization exchange.
  - 23. The system of claim 20, whereinthe server list comprises expiration information, andthe first network device is configured to inhibit use of the server list if the expiration information indicates that the server list is expired.

24. A system comprising:
- non-transitory computer readable storage means for storing a server list, wherein the server list comprises network addresses of two or more security servers, including a first network address of a first security server and a second network address of a second security server, and wherein the server list identifies the first security server as having a higher priority than the second security server; and
  
  security module means for;
  
  participating as a supplicant in a security exchange, wherein the security module means receive the server list during the security exchange, and wherein the security module means store the server list in the non-transitory computer readable storage means in response to receipt of the server list,participating as an authenticator in a subsequent security exchange, whereinthe security module means act as an authenticator to a network device,the security module means use the first network address of the first security server of the two or more security servers to contact the first security server during the subsequent security exchange andthe security module means send the server list to the network device during the subsequent security exchange.

25. A system comprising:
- non-transitory computer readable storage means for storing a server list, wherein the server list comprises network addresses of two or more security servers, including a first network address of a first security server and a second network address of a second security server, and wherein the server list identifies the first security server as having a higher priority than the second security server; and
  
  security module means for;
  
  participating in a security exchange with a first network device, wherein the participating in the security exchange comprises sending the server list to the first network device, in response to detecting that the first network device is a secure network device, in response to the first network device providing proper credentials to the security module while participating in the security exchange, andparticipating in a subsequent security exchange with a second network device, wherein the first network device contacts the first security server during the subsequent security exchange using the first network address of the first security server in the server list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Kuffel, Irene H., Lau, Jed Lin, Fine, Michael, Kok, Wilson, Maino, Fabio R.
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Traore; Fatoumata

Application Number

US11/069,857
Publication Number

US 20060200670A1
Time in Patent Office

2,415 Days
Field of Search

None
US Class Current

726/5
CPC Class Codes

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/08   for authentication of entit...

H04L 9/321   involving a third party or ...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

H04L 9/3271   using challenge-response

Method and apparatus for securely disseminating security server contact information in a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

10 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for securely disseminating security server contact information in a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links