System and method for authentication of SP ethernet aggregation networks
Abstract
A Service Provider (SP) authentication method includes receiving a message from a subscriber-premises device, the message being compatible with an authentication protocol and being transported from the subscriber-premises device to a u-PE device operating in compliance with an IEEE 802.1x compatible protocol. Access to the SP network is allowed or denied based on a logical identifier contained in the message. It is emphasized that this abstract is provided to comply with the rules requiring an abstract that will allow a searcher or other reader to quickly ascertain the subject matter of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims. 37 CFR 1.72(b).
20 Claims
1. A processor-implemented method of operation for a Broadband Remote Access Server (BRAS) device of an Ethernet access network, the method comprising:
receiving an Extensible Authentication Protocol (EAP) message transported from a subscriber-premises device in compliance with an IEEE 802.1x compatible protocol;
allowing or denying the subscriber-premises device access to the Ethernet access network on a per service basis based on a logical identifier contained in the EAP message, a first application layer service being allowed without passing of authentication credentials, a second application layer service being allowed only after authentication, the first and second application layer services comprising end-user Layer 2 (L2) and/or Layer 3 (L3) services, the authentication comprising:
encapsulating subscriber identity information extracted from the EAP message in a Remote Authentication Dial-In User Service (RADIUS) authentication access request; and
forwarding the RADIUS authentication access request to the RADIUS server for validation.
(Dependent claims 2 to 6 are not reproduced on this page.)

7. A processor-implemented method of operation for a Broadband Remote Access Server (BRAS) device of a Service Provider (SP) subscriber Ethernet aggregation network, the method comprising:
sending an Extensible Authentication Protocol (EAP) request message to a subscriber-premises device;
receiving an EAP response identity packet from the subscriber-premises device, the EAP response identity packet being transported from the subscriber-premises device to the BRAS device in compliance with an IEEE 802.1x compatible protocol;
extracting user identity information from the EAP response identity packet;
encapsulating the user identity information in a network access request;
forwarding the network access request to an 802.1x authentication server;
sending a request message to the subscriber-premises device;
receiving a Media Access Control (MAC) address and a request to join a multicast video program from the subscriber-premises device without end-user input based on a stored credential;
permitting the subscriber-premises device to view the multicast video program without passing credentials to the 802.1x authentication server;
sending the MAC address to the 802.1x authentication server;
receiving a validation message from the 802.1x authentication server;
authorizing traffic associated with a particular application layer service between the subscriber-premises device and the SP subscriber Ethernet aggregation network based on the MAC address, the particular application layer service comprising an end-user Layer 2 (L2) or Layer 3 (L3) service.
(Dependent claims 8 to 14 are not reproduced on this page.)

15. A Broadband Remote Access Server (BRAS) device for association with an Ethernet access network, the BRAS device comprising:
a physical port;
an authenticator compatible with an IEEE 802.1x compatible protocol, the authenticator being configured to communicate with a supplicant device of a residential gateway (RG) device over the IEEE 802.1x compatible protocol, and with a Remote Authentication Dial-In User Service (RADIUS) server that stores credential information of the supplicant device via a RADIUS protocol,
the authenticator being operable to open the physical port to first traffic between the RG device and the Ethernet access network by Ethertype, with non-Internet Protocol (IP) end-user Layer 2 (L2) and Layer 3 (L3) services enabled on a per service basis responsive to receiving a message from the supplicant device without passing of authentication credentials, the message being transported from the supplicant device to the BRAS device in compliance with the IEEE 802.1x compatible protocol,
the physical port being opened to second traffic between the RG device and the Ethernet access network only after authentication.
(Dependent claims 16 to 18 are not reproduced on this page.)

19. A computer-readable memory encoded with a computer program for configuring a Broadband Remote Access Server (BRAS) device, the computer program, when executed, being operable to:
communicate with a subscriber-premises device via Extensible Authentication Protocol (EAP) messages carried over an IEEE 802.1x compatible protocol;
communicate with a Remote Authentication Dial-In User Service (RADIUS) server via a different protocol; and
open a physical port to traffic between the subscriber-premises device and an Ethernet access network by Ethertype, with non-Internet Protocol (IP) end-user Layer 2 (L2) and Layer 3 (L3) services enabled on a per service basis, a first service being provided without passing of credential information, an additional one or more services being provided upon validation of credential information provided by the subscriber-premises device without end-user input, the additional one or more services being associated with one or more corresponding Ethernet traffic streams, each of the additional one or more services being identified by a different Media Access Control (MAC) address.
(Dependent claim 20 is not reproduced on this page.)
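The claims above describe one exchange from three angles: the BRAS receives an EAPOL-carried EAP-Response/Identity from the residential gateway, copies the identity into a RADIUS Access-Request for the authentication server, and meanwhile gates the physical port per Ethertype so that a credential-free L2 service passes as soon as a supplicant message has been seen while IP traffic waits for the server's validation. The following is an added worked model of that flow written for this page; it is not code from the patent or its assignee. It assumes a constructed supplicant frame, a made-up RADIUS shared secret, and the IEEE local-experimental Ethertype 0x88B5 standing in for the "first" non-IP service. It also goes slightly beyond the claims: the Access-Request carries a Message-Authenticator (RFC 3579 requires one on any Access-Request containing EAP-Message), computed as HMAC-MD5 over the packet with that attribute's value zeroed.

```python
"""Toy BRAS authenticator: EAPOL parse -> RADIUS Access-Request -> per-service port gate.
Added example; every frame, secret and Ethertype below is constructed, not from the patent."""
import hashlib
import hmac
import os
import struct

ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PREAUTH_SVC = 0x88B5  # assumption: local-experimental Ethertype for the credential-free L2 service
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group destination address

EAP_CODE_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_CALLING_STATION_ID = 1, 31
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80


def mac_str(mac: bytes) -> str:
    return "-".join(f"{b:02X}" for b in mac)


def make_identity_frame(src_mac: bytes, identity: str, eap_id: int = 1) -> bytes:
    """Constructed supplicant frame: Ethernet / EAPOL (EAP-Packet) / EAP-Response/Identity."""
    ident = identity.encode()
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id, 5 + len(ident), EAP_TYPE_IDENTITY) + ident
    eapol = struct.pack("!BBH", 2, 0, len(eap)) + eap  # EAPOL version 2, type 0 = EAP-Packet
    return PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def parse_identity_frame(frame: bytes) -> dict:
    """BRAS side: check the 802.1X transport and extract the identity plus the raw EAP packet."""
    if len(frame) < 18:
        raise ValueError("short frame")
    src, ethertype = frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not EAPOL")
    _version, pkt_type, body_len = struct.unpack("!BBH", frame[14:18])
    eap = frame[18:18 + body_len]  # drop any Ethernet padding after the EAPOL body
    if pkt_type != 0 or len(eap) != body_len or body_len < 5:
        raise ValueError("not a well-formed EAP-Packet")
    code, _eap_id, eap_len, eap_type = struct.unpack("!BBHB", eap[:5])
    if eap_len != body_len or code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not EAP-Response/Identity")
    return {"src_mac": src, "identity": eap[5:].decode("utf-8"), "eap": eap}


def _attr(t: int, v: bytes) -> bytes:
    if len(v) > 253:
        raise ValueError("attribute too long")
    return struct.pack("!BB", t, len(v) + 2) + v


def build_access_request(parsed: dict, secret: bytes, ident: int = 0, authenticator: bytes = b"") -> bytes:
    """Encapsulate the identity in a RADIUS Access-Request (RFC 2865) with Message-Authenticator (RFC 3579)."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, parsed["identity"].encode())
    attrs += _attr(ATTR_CALLING_STATION_ID, mac_str(parsed["src_mac"]).encode())
    eap = parsed["eap"]
    for i in range(0, len(eap), 253):  # EAP-Message is split into 253-byte attributes
        attrs += _attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zero placeholder, replaced below
    pkt = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()  # HMAC over the packet with the MA value zeroed
    return pkt[:-16] + mac


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Server side: walk the attributes and check the Message-Authenticator before anything else."""
    off = 20
    while off + 2 <= len(pkt):
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > len(pkt):
            return False
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[off + 2:off + 18])
        off += l
    return False


class PortPolicy:
    """Per-Ethertype gate on one physical port: EAPOL always passes; the pre-auth L2 service passes
    once a supplicant message has been seen from the MAC; everything else waits for Access-Accept."""

    def __init__(self, preauth_ethertypes):
        self.preauth = set(preauth_ethertypes)
        self.seen = set()        # MACs that have sent an 802.1X message (no credentials yet)
        self.authorized = set()  # MACs the RADIUS server has validated

    def on_supplicant_message(self, src_mac: bytes):
        self.seen.add(src_mac)

    def on_access_accept(self, src_mac: bytes):
        self.authorized.add(src_mac)

    def allows(self, src_mac: bytes, ethertype: int) -> bool:
        if ethertype == ETHERTYPE_EAPOL:
            return True
        if ethertype in self.preauth:
            return src_mac in self.seen
        return src_mac in self.authorized
```

Two caveats a practitioner would attach to this design. The "logical identifier" that gates the first service is a source MAC the supplicant asserts, so the credential-free service must be treated as unauthenticated traffic and isolated accordingly (rate limits, no forwarding between subscribers), and the post-validation authorization keyed by MAC is only as strong as the access network's protection against MAC spoofing on the same port. Second, the RADIUS leg relies on a shared secret and MD5-based integrity; between a BRAS and an authentication server it should run over RadSec (RFC 6614) or IPsec rather than bare UDP.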