Method and appliance for authenticating, by an appliance, a client to access a virtual private network connection, based on an attribute of a client-side certificate

US 8,413,229 B2
Filed: 08/21/2006
Issued: 04/02/2013
Est. Priority Date: 08/21/2006
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating, by an appliance, a client to access a virtual private network connection, based on an attribute of a client-side certificate, the method comprising the steps of:

(a) requesting, by an appliance, a client authentication certificate from a client;

(b) identifying, by the appliance, a value of at least one field in the client authentication certificate received from the client, the identified value other than a public key and an identity of a user of the client; and

(c) applying, by the appliance, a policy to the identified value of the at least one field in the client authentication certificate received from the client, responsive to authenticating the client via the same client authentication certificate;

(d) assigning, by the appliance, one of a plurality of types of access to the authenticated client responsive to the application of the policy to the identified value of the at least one field, each of the plurality of access types characterized by at least one connection characteristic.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a method and appliance for authenticating, by an appliance, a client to access a virtual network connection, based on an attribute of a client-side certificate, a client authentication certificate is requested from a client. A value of at least one field in the client authentication certificate received from the client is identified. One of a plurality of types of access is assigned responsive to an application of a policy to the identified value of the at least one field, each of the plurality of access types associated with at least one connection characteristic.

95 Citations

View as Search Results

55 Claims

1. A method for authenticating, by an appliance, a client to access a virtual private network connection, based on an attribute of a client-side certificate, the method comprising the steps of:
- (a) requesting, by an appliance, a client authentication certificate from a client;
  
  (b) identifying, by the appliance, a value of at least one field in the client authentication certificate received from the client, the identified value other than a public key and an identity of a user of the client; and
  
  (c) applying, by the appliance, a policy to the identified value of the at least one field in the client authentication certificate received from the client, responsive to authenticating the client via the same client authentication certificate;
  
  (d) assigning, by the appliance, one of a plurality of types of access to the authenticated client responsive to the application of the policy to the identified value of the at least one field, each of the plurality of access types characterized by at least one connection characteristic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 2. The method of claim 1, wherein step (a) further comprises requesting, from the client, the client authentication certificate comprising a Secure Socket Layer (SSL) certificate.
  - 3. The method of claim 1, wherein step (a) further comprises denying authentication of a user of the client if the client authentication certificate is not received.
  - 4. The method of claim 1, wherein step (a) further comprises requesting the client authentication certificate from the client in response to a failed authentication attempt by a user of the client.
  - 5. The method of claim 1, wherein the at least one field comprises a second value, the second value comprising an identity of a user of the client.
  - 6. The method of claim 1, wherein step (b) further comprises identifying a value of a field, the value identifying a group of users with which a user of the client is associated.
  - 7. The method of claim 1, wherein step (b) further comprises identifying a value of a field, the value identifying a policy applicable to a user of the client.
  - 8. The method of claim 1, wherein step (b) further comprises displaying, on the client, a user interface having a user name field displaying the identified value of the at least one field.
  - 9. The method of claim 8, wherein step (b) further comprises receiving, from a user of the client, a password via a password field of the user interface.
  - 10. The method of claim 8, wherein step (b) further comprises displaying a non-modifiable field in the user interface.
  - 11. The method of claim 1, wherein step (b) further comprises identifying a second field identifying a group name in the client authentication certificate.
  - 12. The method of claim 11, wherein step (d) further comprises assigning a group authorization policy to a user of the client based on the identified second field.
  - 13. The method of claim 1, wherein step (b) further comprises receiving, from a user of the client, a first user name via a login page.
  - 14. The method of claim 13, wherein step (b) further comprises comparing a user name identified as a value in the client authentication certificate with the first user name.
  - 15. The method of claim 14, wherein step (b) further comprises determining that the user name and the first user name differ, requesting a second user name and a second password from the user via a user interface on the client, and authenticating the second user name and the second password to a second authentication service.
  - 16. The method of claim 14, wherein step (b) further comprises determining that the user name and the first user name are the same and authenticating the first user name and the password.
  - 17. The method of claim 1, wherein step (d) further comprises transmitting the identified value to a policy engine.
  - 18. The method of claim 17, wherein step (d) further comprises receiving a result of a policy application by the policy engine to the identified value.
  - 19. The method of claim 1, wherein step (d) comprises assigning, by a policy engine, one of a plurality of types of access responsive to application of a policy to the identified value.
  - 20. The method of claim 1, wherein step (d) further comprises authenticating the user to a first authentication service responsive to the identified value and to a password provided by the user of the client.
  - 21. The method of claim 20, wherein the first authentication service comprises an external authentication server.
  - 22. The method of claim 20, wherein the first authentication service comprises an authentication database of the appliance.
  - 23. The method of claim 1, wherein step (d) further comprises authenticating a user of the client to a second authentication service, responsive to a first user name and a password if identification of the first value fails.
  - 24. The method of claim 1, wherein step (d) further comprises assigning one of a plurality of types of access, each of the plurality of access types associated with at least one connection characteristic, the connection characteristic identifying an accelerated connection.
  - 25. The method of claim 1, wherein step (d) further comprises assigning one of a plurality of types of access, each of the plurality of access types associated with at least one connection characteristic, the connection characteristic identifying a load-balanced connection.
  - 26. The method of claim 1, wherein step (d) further comprises assigning one of a plurality of types of access, each of the plurality of access types associated with at least one connection characteristic, the connection characteristic identifying a traffic-managed connection.
  - 27. The method of claim 1, wherein step (d) further comprises assigning one of a plurality of types of access, each of the plurality of access types associated with at least one connection characteristic, the connection characteristic identifying a session-managed connection.

28. An appliance for authenticating a client to access a virtual private network connection, based on an attribute of a client-side certificate, the appliance comprising:
- a means for requesting a client authentication certificate from a client;
  
  a means for identifying a value of at least one field in the client authentication certificate received from the client, the identified value other than a public key and an identity of a user of the client;
  
  a means for applying a policy to the identified value of the at least one field in the client authentication certificate received from the client, responsive to authenticating the client via the same client authentication certificate; and
  
  a means for assigning one of a plurality of types of access to the authenticated client responsive to the application of the policy to the identified value of the at least one field, each of the plurality of access types characterized by at least one connection characteristic.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55)
- - 29. The appliance of claim 28, wherein the means for requesting further comprises a means for requesting, from the client, the client authentication certificate comprising a Secure Socket Layer (SSL) certificate.
  - 30. The appliance of claim 28, wherein the means for requesting further comprises a means for denying authentication of a user of the client if the client authentication certificate is not received.
  - 31. The appliance of claim 28, wherein the means for requesting further comprises a means for requesting the client authentication certificate from the client in response to a failed authentication attempt by a user of the client.
  - 32. The appliance of claim 28, wherein the at least one field comprises a second value, the second value comprising an identity of a user of the client.
  - 33. The appliance of claim 28, wherein the means for requesting further comprises a means for identifying a value of a field, the value identifying a group of users with which a user of the client is associated.
  - 34. The appliance of claim 28, wherein the means for requesting further comprises a means for identifying a value of a field, the value identifying a policy applicable to a user of the client.
  - 35. The appliance of claim 28, wherein the means for requesting further comprises a means for displaying on the client, a user interface having a user name field displaying the identified value of the at least one field.
  - 36. The appliance of claim 35, the means for requesting further comprises a means for receiving, from a user of the client, a password via a password field of the user interface.
  - 37. The appliance of claim 35, wherein the means for requesting further comprises a means for displaying a non-modifiable field in the user interface.
  - 38. The appliance of claim 28, wherein the means for identifying further comprises a means for identifying from the client authentication certificate a second field identifying a group name.
  - 39. The appliance of claim 38, the means for assigning further comprises a means for assigning a group authorization policy to a user of the client based on the extracted second field.
  - 40. The appliance of claim 28, wherein the means for identifying further comprises a means for receiving from the user a first user name via a login page.
  - 41. The appliance of claim 40, wherein the means for identifying further comprises a means for comparing a user name identified as a value in the client authentication certificate with the first user name.
  - 42. The appliance of claim 41, wherein the means for identifying further comprises a means for determining that the user name and the first user name differ, a means for requesting a second user name and a second password from the user via a user interface on the client, and a means for authenticating the second user name and the second password to a second authentication service.
  - 43. The appliance of claim 41, wherein the means for identifying further comprises a means for determining that the user name and the first user name are the same and authenticating the first user name and the password to a second authentication service.
  - 44. The appliance of claim 28, wherein the means for assigning further comprises a means for applying a policy to the identified value.
  - 45. The appliance of claim 28, wherein the means for assigning further comprises a means for transmitting the identified value to a policy engine.
  - 46. The appliance of claim 45, wherein the means for assigning further comprises a means for receiving a result of a policy application by the policy engine to the identified value.
  - 47. The appliance of claim 28, wherein the means for assigning comprises a means for assigning, by a policy engine, one of a plurality of types of access responsive to application of a policy to the identified value.
  - 48. The appliance of claim 28, wherein the means for assigning further comprises a means for authenticating the user to a first authentication service responsive to the identified value and to a password provided by the user of the client.
  - 49. The appliance of claim 48, wherein the first authentication service comprises an external authentication server.
  - 50. The appliance of claim 48, wherein the first authentication service comprises an authentication database of the appliance.
  - 51. The appliance of claim 28, wherein the means for assigning further comprises a means for authenticating a user of the client to a second authentication service, responsive to a first user name and a password if identification of the first value fails.
  - 52. The appliance of claim 28, wherein the means for assigning further comprises a means for assigning one of a plurality of types of access, each of the plurality of access types associated with at least one connection characteristic, the connection characteristic identifying an accelerated connection.
  - 53. The appliance of claim 28, wherein the means for assigning further comprises a means for assigning one of a plurality of types of access, each of the plurality of access types associated with at least one connection characteristic, the connection characteristic identifying a load-balanced connection.
  - 54. The appliance of claim 28, wherein the means for assigning further comprises a means for assigning one of a plurality of types of access, each of the plurality of access types associated with at least one connection characteristic, the connection characteristic identifying a traffic-managed connection.
  - 55. The appliance of claim 28, wherein the means for assigning further comprises a means for assigning one of a plurality of types of access, each of the plurality of access types associated with at least one connection characteristic, the connection characteristic identifying a session-managed connection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Mullick, Amarnath, Nanjundaswamy, Shashi, Soni, Ajay
Primary Examiner(s)
Chea, Philip
Assistant Examiner(s)
SHEHNI, GHAZAL B

Application Number

US11/465,894
Publication Number

US 20080072311A1
Time in Patent Office

2,416 Days
Field of Search

726 2- 21, 713168-181, 713183-185
US Class Current

726/15
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 67/1001   for accessing one among a p...

H04L 67/1008   based on parameters of serv...

H04L 67/1012   based on compliance of requ...

H04L 67/1029   using data related to the s...

Method and appliance for authenticating, by an appliance, a client to access a virtual private network connection, based on an attribute of a client-side certificate

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

95 Citations

55 Claims

Specification

Solutions

Use Cases

Quick Links

Method and appliance for authenticating, by an appliance, a client to access a virtual private network connection, based on an attribute of a client-side certificate

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

95 Citations

55 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links