Distributed authentication functionality

US 8,069,475 B2
Filed: 09/01/2005
Issued: 11/29/2011
Est. Priority Date: 09/01/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method, comprising:

inhibiting transmission of non-authentication messages until an identity of an entity seeking to send said non-authentication messages is authenticated;

enabling transmission of non-authentication messages in response to receiving an entity authentication confirmation to an entity authentication request; and

authenticating the identity of the entity wherein said authenticating is performed by at least one Optical Line Terminal (OLT) and an authentication server, which cooperates with the OLT wherein the OLT plays an active role in authenticating the identity of the entity;

characterized in that said inhibiting transmission of non-authentication messages is performed by an Optical Network Terminal (ONT) and said enabling transmission of non-authentication messages is performed by the ONT and the ONT and wherein the entity, at the control of a supplicant, sends an EAP-Start Message for reception by the connected ONT;

in response to the ONT receiving the EAP-Start Message, the ONT sends an EAP-Request Identity Message for reception by the entity;

in response to the entity receiving the EAP-Request Identity Message, the entity sends an EAP-Response Message;

in response to the ONT receiving the EAP-Response Message, the ONT forwards the EAP-Response Message for reception by the OLT that serves the ONT;

the OLT receives the EAP-Response Message and then forwards the EAP-Response Message for reception by the authentication server;

the authentication server receives the EAP-Response Message and determines the identity authenticity of the supplicant;

if the identity of the supplicant is determined to be authentic, the authentication server sends an Accept Message for reception by the entity via the OLT and the ONT;

if the identity of the supplicant is determined to be non-authentic, the authentication server sends a Reject Message for reception by the entity via the OLT and the ONT;

in the case of the identity of the supplicant being determined to be authentic and the authentication server sending the Accept Message for reception by the entity via the OLT and the ONT, the OLT receives the Accept Message and then forwards the Accept Message for reception by the ONT and the ONT forwards the Accept Message for reception by the entity and enables transmission of non-EAP Messages at a controlled port of the ONT and the entity receives the Accept Message while the entity sends a Log-off Message for reception by the ONT at some point after the ONT enables transmission of non-EAP Messages to the controlled port of the ONT and in response to receiving the Log-off Message, the ONT inhibits transmission of non-EAP messages; and

in the case of the identity of the supplicant being determined to be non-authentic and the authentication server sending the Reject Message for reception by the entity via the OLT and the ONT, the OLT receives the Reject Message and forwards the Reject Message for reception by the ONT and the ONT forwards the Reject Message for reception by the entity.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A Passive Optical Network (PON) includes an Optical Network Terminal (ONT) and an Optical Line Terminal (OLT). The ONT is configured for providing controlled port operations of authenticator Port Access Entity (PAE) functionality and the OLT is configured for providing entity authentication operations of the authenticator PAE functionality. The controlled port operations of authenticator PAE functionality includes inhibiting transmission of non-authentication messages from the ONT, transmitting a supplicant authentication request to the OLT and enabling transmission of non-authentication messages from the ONT in response to receiving supplicant authentication confirmation. The entity authentication operations of the authenticator PAE functionality include facilitating authentication of an identity of the supplicant and facilitating transmission of supplicant authentication confirmation for reception by the ONT in response to the identity being authenticated.

Citations

13 Claims

1. A method, comprising:
- inhibiting transmission of non-authentication messages until an identity of an entity seeking to send said non-authentication messages is authenticated;
  
  enabling transmission of non-authentication messages in response to receiving an entity authentication confirmation to an entity authentication request; and
  
  authenticating the identity of the entity wherein said authenticating is performed by at least one Optical Line Terminal (OLT) and an authentication server, which cooperates with the OLT wherein the OLT plays an active role in authenticating the identity of the entity;
  
  characterized in that said inhibiting transmission of non-authentication messages is performed by an Optical Network Terminal (ONT) and said enabling transmission of non-authentication messages is performed by the ONT and the ONT and wherein the entity, at the control of a supplicant, sends an EAP-Start Message for reception by the connected ONT;
  
  in response to the ONT receiving the EAP-Start Message, the ONT sends an EAP-Request Identity Message for reception by the entity;
  
  in response to the entity receiving the EAP-Request Identity Message, the entity sends an EAP-Response Message;
  
  in response to the ONT receiving the EAP-Response Message, the ONT forwards the EAP-Response Message for reception by the OLT that serves the ONT;
  
  the OLT receives the EAP-Response Message and then forwards the EAP-Response Message for reception by the authentication server;
  
  the authentication server receives the EAP-Response Message and determines the identity authenticity of the supplicant;
  
  if the identity of the supplicant is determined to be authentic, the authentication server sends an Accept Message for reception by the entity via the OLT and the ONT;
  
  if the identity of the supplicant is determined to be non-authentic, the authentication server sends a Reject Message for reception by the entity via the OLT and the ONT;
  
  in the case of the identity of the supplicant being determined to be authentic and the authentication server sending the Accept Message for reception by the entity via the OLT and the ONT, the OLT receives the Accept Message and then forwards the Accept Message for reception by the ONT and the ONT forwards the Accept Message for reception by the entity and enables transmission of non-EAP Messages at a controlled port of the ONT and the entity receives the Accept Message while the entity sends a Log-off Message for reception by the ONT at some point after the ONT enables transmission of non-EAP Messages to the controlled port of the ONT and in response to receiving the Log-off Message, the ONT inhibits transmission of non-EAP messages; and
  
  in the case of the identity of the supplicant being determined to be non-authentic and the authentication server sending the Reject Message for reception by the entity via the OLT and the ONT, the OLT receives the Reject Message and forwards the Reject Message for reception by the ONT and the ONT forwards the Reject Message for reception by the entity.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1 wherein transmitting the entity authentication request and transmitting said entity authentication confirmation each include at least one of:
    - transmitting Extensible Authentication Protocol (EAP) messages over a dedicated tunnel between the ONT and the OLT; and
      
      transmitting EAP messages in a data path including EAP messages and non-EAP messages and extracting said EAP messages from the data path.
  - 3. The method of claim 1, further comprising:
    - directing the entity authentication request to authenticator Port Access Entity (PAE) functionality at the ONT for enabling said authenticating the identity of the entity to be performed.
  - 4. The method of claim 3 wherein:
    - said authenticating the identity of the entity and said transmitting said entity authentication confirmation are performed by at least one the OLT and an authentication server; and
      
      transmitting the entity authentication request and transmitting said entity authentication confirmation each include at least one of transmitting Extensible Authentication Protocol (EAP) messages over a dedicated tunnel between the ONT and the OLT and transmitting EAP messages in a data path including EAP messages and non-EAP messages and extracting said EAP messages from the data path.

5. A Passive Optical Network (PON) comprising:
- an Optical Network Terminal (ONT) including;
  
  at least one data processing device;
  
  memory connected to said at least one data processing device of the ONT;
  
  an authentication server; and
  
  an Optical Line Terminal (OLT) including at least one data processing device and memory connected to said at least one data processing device of the OLT wherein said OLT and said authentication server are adapted to facilitate authenticating the identity of an entity in cooperation wherein the OLT plays an active role in authenticating the identity of the entity;
  
  characterized in that said at least one data processing device of the ONT is adapted to inhibit transmission of non-authentication messages from the ONT until the identity of the entity seeking to send said non-authentication messages is authenticated; and
  
  said at least one data processing device of the ONT is further adapted to enable transmission of non-authentication messages from the ONT in response to receiving an entity authentication confirmation to an entity authentication request and wherein the entity, at the control of a supplicant, sends an EAP-Start Message for reception by the connected ONT;
  
  in response to the ONT receiving the EAP-Start Message, the ONT sends an EAP-Request Identity Message for reception by the entity;
  
  in response to the entity receiving the EAP-Request Identity Message, the entity sends an EAP-Response Message;
  
  in response to the ONT receiving the EAP-Response Message, the ONT forwards the EAP-Response Message for reception by the OLT that serves the ONT;
  
  the OLT receives the EAP-Response Message and then forwards the EAP-Response Message for reception by the authentication server;
  
  the authentication server receives the EAP-Response Message and determines the identity authenticity of the supplicant;
  
  if the identity of the supplicant is determined to be authentic, the authentication server sends an Accept Message for reception by the entity via the OLT and the ONT;
  
  if the identity of the supplicant is determined to be non-authentic, the authentication server sends a Reject Message for reception by the entity via the OLT and the ONT;
  
  in the case of the identity of the supplicant being determined to be authentic and the authentication server sending the Accept Message for reception by the entity via the OLT and the ONT, the OLT receives the Accept Message and then forwards the Accept Message for reception by the ONT and the ONT forwards the Accept Message for reception by the entity and enables transmission of non-EAP Messages at a controlled port of the ONT and the entity receives the Accept Message while the entity sends a Log-off Message for reception by the ONT at some point after the ONT enables transmission of non-EAP Messages to the controlled port of the ONT and in response to receiving the Log-off Message, the ONT inhibits transmission of non-EAP messages; and
  
  in the case of the identity of the supplicant being determined to be non-authentic and the authentication server sending the Reject Message for reception by the entity via the OLT and the ONT, the OLT receives the Reject Message and forwards the Reject Message for reception by the ONT and the ONT forwards the Reject Message for reception by the entity.
- View Dependent Claims (6, 7, 8)
- - 6. The PON of claim 5 wherein transmitting the entity authentication request and transmitting said entity authentication confirmation each include at least one of:
    - transmitting Extensible Authentication Protocol (EAP) messages over a dedicated tunnel between the ONT and the OLT; and
      
      transmitting EAP messages in a data path including EAP messages and non-EAP messages and extracting said EAP messages from the data path.
  - 7. The PON of claim 5 wherein said at least one data processing device of the OLT is adapted to facilitate:
    - directing the entity authentication request to authenticator Port Access Entity (PAE) functionality at the ONT for enabling said authenticating the identity of the entity to be performed.
  - 8. The PON of claim 5 wherein:
    - transmitting the entity authentication request and transmitting said entity authentication confirmation each include at least one of transmitting Extensible Authentication Protocol (EAP) messages over a dedicated tunnel between the ONT and the OLT and transmitting EAP messages in a data path including EAP messages and non-EAP messages and extracting said EAP messages from the data path.

9. A Passive Optical Network (PON), comprising:
- an Optical Network Terminal (ONT) configured for providing controlled port operations of authenticator Port Access Entity (PAE) functionality; and
  
  an Optical Line Terminal (OLT) configured for providing entity authentication operations of said authenticator Port Access Entity (PAE) functionality, wherein the OLT is connected to the ONT for enabling interaction therebetween and to an authentication server that cooperates with the OLT for providing entity authentication operations wherein the OLT plays an active role in providing entity authentication operations and wherein an entity, at the control of a supplicant, sends an EAP-Start Message for reception by the connected ONT;
  
  in response to the ONT receiving the EAP-Start Message, the ONT sends an EAP-Request Identity Message for reception by the entity;
  
  in response to the entity receiving the EAP-Request Identity Message, the entity sends an EAP-Response Message;
  
  in response to the ONT receiving the EAP-Response Message, the ONT forwards the EAP-Response Message for reception by the OLT that serves the ONT;
  
  the OLT receives the EAP-Response Message and then forwards the EAP-Response Message for reception by the authentication server;
  
  the authentication server receives the EAP-Response Message and determines the identity authenticity of the supplicant;
  
  if the identity of the supplicant is determined to be authentic, the authentication server sends an Accept Message for reception by the entity via the OLT and the ONT;
  
  if the identity of the supplicant is determined to be non-authentic, the authentication server sends a Reject Message for reception by the entity via the OLT and the ONT;
  
  in the case of the identity of the supplicant being determined to be authentic and the authentication server sending the Accept Message for reception by the entity via the OLT and the ONT, the OLT receives the Accept Message and then forwards the Accept Message for reception by the ONT and the ONT forwards the Accept Message for reception by the entity and enables transmission of non-EAP Messages at a controlled port of the ONT and the entity receives the Accept Message while the entity sends a Log-off Message for reception by the ONT at some point after the ONT enables transmission of non-EAP Messages to the controlled port of the ONT and in response to receiving the Log-off Message, the ONT inhibits transmission of non-EAP messages; and
  
  in the case of the identity of the supplicant being determined to be non-authentic and the authentication server sending the Reject Message for reception by the entity via the OLT and the ONT, the OLT receives the Reject Message and forwards the Reject Message for reception by the ONT and the ONT forwards the Reject Message for reception by the entity.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The PON of claim 9 wherein said controlled port operations of authenticator Port Access Entity (PAE) functionality includes:
    - inhibiting transmission of non-authentication messages from the ONT until an identity of the entity seeking to send said non-authentication messages is authenticated; and
      
      enabling transmission of non-authentication messages from the ONT in response to receiving an entity authentication confirmation to the entity authentication request.
  - 11. The PON of claim 10 wherein transmitting the entity authentication request and transmitting said entity authentication confirmation each include at least one of:
    - transmitting Extensible Authentication Protocol (EAP) messages over a dedicated tunnel between the ONT and the OLT; and
      
      transmitting EAP messages in a data path including EAP messages and non-RAP messages and extracting said EAP messages from the data path.
  - 12. The PON of claim 10 wherein said entity authentication operations of said authenticator PAE functionality include:
    - directing the entity authentication request to authenticator Port Access Entity (PAE) functionality for enabling said authenticating the identity of the entity to be performed.
  - 13. The PON of claim 12 wherein transmitting the entity authentication request and facilitating transmission of said entity authentication confirmation each include at least one of:
    - transmitting Extensible Authentication Protocol (EAP) messages over a dedicated tunnel between the ONT and the OLT; and
      
      transmitting EAP messages in a data path including EAP messages and non-EAP messages and extracting said EAP messages from the data path.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
WSOU Investments, LLC (WSOU Holdings, LLC)
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Surya, Gopal, Absillis, Luc, Dharanikota, Sudheer
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
Vaughan, Michael R

Application Number

US11/217,827
Publication Number

US 20070050839A1
Time in Patent Office

2,280 Days
Field of Search

None
US Class Current

726/7
CPC Class Codes

H04L 63/08 for authentication of entit...

H04L 63/162 at the data link layer

Distributed authentication functionality

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed authentication functionality

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links