System and method for flexible authentication in a data communications network

US 8,528,071 B1
Filed: 08/24/2004
Issued: 09/03/2013
Est. Priority Date: 12/05/2003
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more client devices; and

a network access device comprising;

a memory configured to store;

an indication of a selected one of a plurality of different authentication procedures a system administrator of the network access device has selected to perform authentication, the authentication based at least in part on credential information identifying the one or more client devices and credential information identifying users of one or more client devices the plurality of different client authentication procedures comprising a combined physical address and web authentication procedure, comprising transmitting user credential information from a client device toward the network access device according to a secure protocol, and then transmitting the user credential information from the network access device toward an authentication server; and

control logic configured to, when executed;

detect that the new client device has attached to a port of the network access device;

upon detecting the new client device, perform authentication according to the selected one of a plurality of different authentication procedures each supported by the access device; and

determine whether to grant the new client device access to a data communications network based upon a result of the authentication.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for providing for a number of different authentication methods. The system and method can be used in conjunction with a data communications network, where client devices gain access to the data communications network through a network access device. The different authentication methods can allow for authentication based on a physical address for the client device, and can allow for authentication based on a web authentication procedure, and can provide for an authentication method which utilizes a combination of authentication methods which includes authentication based on both the physical address of the client device and based on user credential information.

Citations

35 Claims

1. A system comprising:
- one or more client devices; and
  
  a network access device comprising;
  
  a memory configured to store;
  
  an indication of a selected one of a plurality of different authentication procedures a system administrator of the network access device has selected to perform authentication, the authentication based at least in part on credential information identifying the one or more client devices and credential information identifying users of one or more client devices the plurality of different client authentication procedures comprising a combined physical address and web authentication procedure, comprising transmitting user credential information from a client device toward the network access device according to a secure protocol, and then transmitting the user credential information from the network access device toward an authentication server; and
  
  control logic configured to, when executed;
  
  detect that the new client device has attached to a port of the network access device;
  
  upon detecting the new client device, perform authentication according to the selected one of a plurality of different authentication procedures each supported by the access device; and
  
  determine whether to grant the new client device access to a data communications network based upon a result of the authentication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 14, 30)
- - 2. The system of claim 1, wherein the combined physical address and web authentication procedure comprises transmitting user credential information from the new client device toward the network access device according to a secure protocol, and then transmitting the user credential information from the network access device toward the authentication server in accordance with IEEE 802.1x.
  - 3. The system of claim 1 wherein the network access device comprises supplicant software so that credential information can be transmitted from the network access device toward an authentication server in accordance with IEEE 802.1x.
  - 4. The system of claim 1, wherein the plurality of different client authentication procedures comprises:
    - a physical address authentication procedure; and
      
      wherein the network access device is configured to, if the physical address authentication procedure is selected,determine a physical address for the new client device, and to use physical address information to authenticate the new client device; and
      
      make a determination as to whether to provide the new client device access to the data communications network based on the physical address of new the client device.
  - 5. The system of claim 1,wherein the network access device is configured to, if the combined physical address and web authentication procedure is selected, provide the new client device with limited access to the data communications network, to allow the new client device to communicate with a Web authentication routine, so that a user of the new client device can provide credential information to the web authentication routine.
  - 6. The system of claim 1, wherein the physical address is a MAC address for the new client device.
  - 7. The system of claim 1, wherein the plurality of different client authentication procedures comprises:
    - a physical address authentication procedure, and wherein the network access device is configured to, if the physical address authentication procedure is selected;
      
      determine a physical address for the new client device; and
      
      use physical address information to authenticate the new client device and to make a determination as to whether to provide the new client device access to the data communications network based on the physical address of the new client device; and
      
      a combined physical address and web authentication procedure, and wherein the network access device is configured to, if the combined physical address and web authentication procedure is selected, provide the new client device with limited access to the data communications network, to allow the new client device to communicate with a Web authentication routine, so that a user of the new client device can provide credential information to the web authentication routine.
  - 14. The method of claim 6, wherein the authentication server is coupled to the network access device through a data communications network.
  - 30. The system of claim 1 wherein the network access device further comprises:
    - a plurality of ports comprising one or more input ports and one or more output ports, the plurality of ports configured to communicatively interconnect the one or more client devices to each other and to the data communications network; and
      
      switching fabric configured to route one or more data units from the one or more input ports to the one or more output ports.

8. A method comprising:
- receiving, at a port of a network access device, a request from one of one or more client devices to access a data communications network;
  
  storing an indication of a selected one of a plurality of different authentication procedures a system administrator of the network access device has selected to perform authentication, the authentication based at least in part on credential information identifying the one or more client devices and credential information identifying users of the one or more client devices, the plurality of different client authentication procedures comprising a combined physical address and web authentication procedure, comprising transmitting user credential information from a client device toward the network access device according to a secure protocol, and then transmitting the user credential information from the network access device toward an authentication server;
  
  detecting that the new client device has attached to a port of the network access device;
  
  upon detecting the new client device, performing authentication according to the selected one of a plurality of different authentication procedures each supported by the access device; and
  
  determining whether to grant or deny the request in accordance with the selected one of a plurality of authentication procedures.
- View Dependent Claims (9, 10, 11, 12, 13, 16, 20, 31)
- - 9. The method of claim 8, further comprisingtransmitting the credential information from the network access device toward the authentication server in accordance with IEEE 802.1x.
  - 10. The method of claim 8, wherein the plurality of authentication procedures comprises a physical address authentication procedure, and wherein if the physical address authentication procedure is selected, using a physical address of the new client device to make a determination as to whether to provide the new client device access to the data communications network through the network access device.
  - 11. The method of claim 8, wherein the plurality of authentication procedures comprises a combined physical address and web authentication procedure, and wherein if the a combined physical address and web authentication procedure is selected,providing the new client device with limited access to the data communications network, to allow the new client device to communicate with a web authentication routine, andtransmitting user credential information from the new client device toward the web authentication routine.
  - 12. The method of claim 8, wherein the physical address is a MAC address for the new client device.
  - 13. The method of claim 8, wherein the plurality of different client authentication procedures comprises:
    - a physical address authentication procedure, and wherein if the physical address authentication procedure is selected, using a physical address of the new client device to authenticate the new client device and to make a determination as to whether to provide the new client device access to the data communications network based on the physical address of the new client device; and
      
      wherein if the combined physical address and web authentication procedure is selected, providing the new client device with limited access to the data communications network, to allow the new client device to communicate with a Web authentication routine, so that a user of the new client device can provide credential information to the web authentication routine.
  - 16. The network access device of claim 11, wherein control logic is further configured to, if executing the combined physical address and web authentication procedure, transmit user credential information from the new client device to the network access device according to a secure protocol, and then transmit the user credential information from the network access device toward an authentication server coupled to the data communications network, the transmitting in accordance with IEEE 802.1x.
  - 20. The network access device of claim 11, wherein the physical address is a MAC address for the new client device.
  - 31. The method of claim 8, further comprising:
    - routing one or more data units from one or more input ports of the network device toward one or more output ports of the network device.

15. A network access device comprising:
- a memory configured to store;
  
  an indication of a selected one of a plurality of different authentication procedures a system administrator of the network access device has selected to perform authentication, the authentication based at least in part on credential information identifying one or more client devices and credential information identifying users of the one or more client devices, the plurality of different client authentication procedures comprising a combined physical address and web authentication procedure, comprising transmitting user credential information from a client device toward the network access device according to a secure protocol, and then transmitting the user credential information from the network access device toward an authentication server; and
  
  control logic stored in the memory and configured to;
  
  detect that a new client device has attached to a port of the network access device;
  
  upon detecting the new client device, perform authentication according to the selected one of the plurality of different authentication procedures each supported by the access device; and
  
  determine whether to grant the new client device access to a data communications network based upon a result of the authentication.
- View Dependent Claims (17, 18, 19, 21, 32)
- - 17. The network access device of claim 15, wherein the control logic is further configured to transmit credential information from the network access device toward an authentication server coupled to the data communications network, the transmitting in accordance with IEEE 802.1x.
  - 18. The network access device of claim 15, wherein the plurality of different client authentication procedures comprises:
    - a physical address authentication procedure; and
      
      wherein the control logic is configured to, if the physical address authentication procedure is selected,determine a physical address for the new client device, and to use physical address information to authenticate the new client device; and
      
      make a determination as to whether to provide the new client device access to the data communications network based on the physical address of the new client device.
  - 19. The network access device of claim 15, wherein the control logic is further configured to, if the combined physical address and web authentication procedure is selected, provide the new client device with limited access to the data communications network, to allow the new client device to communicate with a Web authentication routine, so that a user of the new client device can provide credential information to the web authentication routine.
  - 21. The network access device of claim 15, wherein the plurality of different client authentication procedures comprises:
    - a physical address authentication procedure, and wherein the control logic is further configured to, if the physical address authentication procedure is selected;
      
      determine a physical address for the new client device; and
      
      use physical address information to authenticate the new client device and to make a determination as to whether to provide the new client device access to the data communications network based on the physical address of the new client device; and
      
      wherein the control logic is further configured to, if the combined physical address and web authentication procedure is selected, provide the new client device with limited access to the data communications network, to allow the new client device to communicate with a Web authentication routine, so that a user of the new client device can provide credential information to the web authentication routine.
  - 32. The network access device of claim 15, further comprising:
    - a plurality of ports comprising one or more input ports and one or more output ports, the plurality of ports configured to communicatively interconnect the one or more client devices to each other and to the data communications network; and
      
      switching fabric configured to route one or more data units from the one or more input ports to the one or more output ports.

22. A method comprising:
- by a network access device,detecting that a new client device has attached to a port of the network access device;
  
  storing an indication of a selected one of a plurality of different authentication procedures by a system administrator of the network access device to perform authentication, the authentication based at least in part on credential information identifying one or more client devices attached to ports of the network access device and credential information identifying users of the one or more client devices the plurality of different client authentication procedures comprising a combined physical address and web authentication procedure, comprising transmitting user credential information from a client device toward the network access device according to a secure protocol, and then transmitting the user credential information from the network access device toward an authentication server;
  
  upon detecting the new client device, performing authentication according to the selected one of a plurality of different authentication procedures; and
  
  determining whether to grant the new client device access to a data communications network based upon a result of the authentication.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 33)
- - 23. The method of claim 22 wherein the combined physical address and web authentication procedure comprises transmitting user credential information from the new client device toward the network access device according to a SSL protocol, and then transmitting the user credential information from the network access device to an authentication server coupled to the data communications network, the transmitting in accordance with IEEE 802.1x.
  - 24. The method of claim 22, further comprising transmitting credential information from the new client device toward an authentication server coupled to the data communications network, the transmitting in accordance with IEEE 802.1x.
  - 25. The method of claim 22, wherein the plurality of different client authentication procedures comprises:
    - a physical address authentication procedure comprising;
      
      determining a physical address for the new client device, and to use physical address information to authenticate the new client device; and
      
      making a determination as to whether to provide the new client device access to the data communications network based on the physical address of the new client device.
  - 26. The method of claim 22, wherein the plurality of different client authentication procedures comprises:
    - a combined physical address and web authentication procedure comprising providing the new client device with limited access to the data communications network, to allow the new client device to communicate with a Web authentication routine, so that a user of the new client device can provide credential information to the web authentication routine.
  - 27. The method of claim 22, wherein the physical address is a MAC address for the new client device.
  - 28. The method of claim 22, wherein the plurality of different client authentication procedures comprises:
    - a physical address authentication procedure comprising;
      
      determining a physical address for the new client device; and
      
      using physical address information to authenticate the new client device and to make a determination as to whether to provide the new client device access to the data communications network based on the physical address of the new client device; and
      
      the combined physical address and web authentication procedure comprises providing the new client device with limited access to the data communications network, to allow the new client device to communicate with a Web authentication routine, so that a user of the new client device can provide credential information to the web authentication routine.
  - 33. The method of claim 22, further comprising:
    - routing one or more data units from one or more input ports of the network device to one or more output ports of the network device.

29. A program storage device readable by a machine, embodying a program of instructions executable by the machine to perform a method, the method comprising:
- by a network access device, detecting that a new client device has attached to a port of the network access device, the network access device comprising;
  
  a memory configured to store;
  
  an indication of a selected one of a plurality of different authentication procedures a system administrator of the network access device has selected to perform authentication, the authentication based at least in part on credential information identifying one or more client devices attached to ports of the network access device and credential information identifying users of the one or more client devices the plurality of different client authentication procedures comprising a combined physical address and web authentication procedure, comprising transmitting user credential information from a client device to the network access device according to a secure protocol, and then transmitting the user credential information from the network access device toward an authentication server;
  
  upon detecting the new client device, performing authentication according to the selected one of a plurality of different authentication procedures; and
  
  determining whether to grant the new client device access to a data communications network based upon a result of the authentication.

34. A method comprising:
- receiving, at a port of an apparatus, a request from one of one or more client devices to access a data communications network;
  
  routing one or more data units from the one or more input ports toward the one or more output ports;
  
  storing an indication of a selected one of a plurality of different authentication procedures a system administrator of the apparatus has selected to perform authentication, the authentication based at least in part on credential information identifying the one or more client devices and credential information identifying users of the one or more client devices, the plurality of different client authentication procedures comprising a combined physical address and web authentication procedure, comprising transmitting user credential information from a client device to the network access device according to a secure protocol, and then transmitting the user credential information from the network access device to an authentication server;
  
  detecting that a new client device has attached to a port of the apparatus;
  
  upon detecting the new client device, performing authentication according to the selected one of a plurality of different authentication procedures each supported by the apparatus; and
  
  determining whether to grant or deny the request in accordance with the selected one of a plurality of authentication procedures.

35. An apparatus comprising:
- a plurality of ports comprising one or more input ports and one or more output ports, the plurality of ports configured to communicatively interconnect the one or more client devices to each other and to a data communications network;
  
  switching fabric configured to route one or more data units from the one or more input ports to the one or more output ports;
  
  a memory configured to store an indication of a selected one of a plurality of different authentication procedures a system administrator of the apparatus has selected to perform authentication, the authentication based at least in part on credential information identifying one or more client devices and credential information identifying users of the one or more client devices, the plurality of different client authentication procedures comprising a combined physical address and web authentication procedure, comprising transmitting user credential information from a client device toward the network access device according to a secure protocol, and then transmitting the user credential information from the network access device toward an authentication server; and
  
  control logic stored in the memory and configured to;
  
  detect that a new client device has attached to a port of the apparatus;
  
  upon detecting the new client device, perform authentication according to the selected one of the plurality of different authentication procedures each supported by the apparatus; and
  
  determine whether to grant the new client device access to the data communications network based upon a result of the authentication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Foundry Networks LLC (Broadcom, Inc.)
Inventors
Kwan, Philip
Primary Examiner(s)
LOUIE, OSCAR A

Application Number

US10/925,155
Time in Patent Office

3,297 Days
Field of Search

None
US Class Current

726/14
CPC Class Codes

H04L 63/0876   based on the identity of th...

H04L 63/0892   by using authentication-aut...

H04L 63/205   involving negotiation or de...

H04W 12/06   Authentication

H04W 84/12   WLAN [Wireless Local Area N...

System and method for flexible authentication in a data communications network

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for flexible authentication in a data communications network

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links