Systems and methods for authorizing, authenticating and accounting users having transparent computer access to a network using a gateway device

US 8,713,641 B1
Filed: 12/08/1999
Issued: 04/29/2014
Est. Priority Date: 12/08/1998
Status: Expired due to Fees

First Claim

Patent Images

1. A method of managing access to network resources, the method being performed by a network management system in communication with a portable communication device, the method comprising:

receiving, at a communications port of a wireless access point of the network management system from a portable communication device, a connection request for an external server, the connection request comprising one or more network packets;

transmitting the connection request from the wireless access point to a controller of the network management system;

determining, using the controller, whether to provide the portable communication device with access to the external server, the determination being based at least in part on comparing an attribute included in the connection request to a user profile database; and

upon determining that the portable communication device is not at that time permitted with access to the external server, redirecting the portable communication device to an authentication system, the redirection including;

sending transmission control protocol handshake completion data from the communications port of the wireless access point to the portable communication device in response to the connection request, said transmission control protocol handshake completion data configured to indicate that it was sent by the external server;

receiving at the controller via the wireless access point a request from the portable communication device for a network resource of the external server;

receiving, at the wireless access point from the controller, the redirection data comprising resource identification data that identifies the authentication system, the redirection data configured to cause the portable communication device to be redirected to the authentication system; and

sending, from the communications port of the wireless access point to the portable communication device, a browser redirect message based upon the redirection data;

whereby the portable communication device provides authentication-related information wherein the portable communication system can be provided access to the network resource, wherein the network management system need not communicate with the external server to redirect the portable communication device.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for authorizing, authenticating and accounting users having transparent access to a destination network, wherein the users otherwise have access to a home network through home network settings resident on the user'"'"'s computers, and wherein the users can access the destination network without altering the home network settings and without installing software on the user'"'"'s computer. The system includes a gateway device for receiving a request from a user for access to the destination network, and means for identifying an attribute associated with the user based upon a packet received by the gateway device, wherein the packet is transmitted from the user'"'"'s computer, and wherein the user'"'"'s computer is configured for accessing the home network.

922 Citations

88 Claims

1. A method of managing access to network resources, the method being performed by a network management system in communication with a portable communication device, the method comprising:
- receiving, at a communications port of a wireless access point of the network management system from a portable communication device, a connection request for an external server, the connection request comprising one or more network packets;
  
  transmitting the connection request from the wireless access point to a controller of the network management system;
  
  determining, using the controller, whether to provide the portable communication device with access to the external server, the determination being based at least in part on comparing an attribute included in the connection request to a user profile database; and
  
  upon determining that the portable communication device is not at that time permitted with access to the external server, redirecting the portable communication device to an authentication system, the redirection including;
  
  sending transmission control protocol handshake completion data from the communications port of the wireless access point to the portable communication device in response to the connection request, said transmission control protocol handshake completion data configured to indicate that it was sent by the external server;
  
  receiving at the controller via the wireless access point a request from the portable communication device for a network resource of the external server;
  
  receiving, at the wireless access point from the controller, the redirection data comprising resource identification data that identifies the authentication system, the redirection data configured to cause the portable communication device to be redirected to the authentication system; and
  
  sending, from the communications port of the wireless access point to the portable communication device, a browser redirect message based upon the redirection data;
  
  whereby the portable communication device provides authentication-related information wherein the portable communication system can be provided access to the network resource, wherein the network management system need not communicate with the external server to redirect the portable communication device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, further comprising updating the user profile database upon determining that the portable communication device is to be provided with access to the network resource.
  - 3. The method of claim 1, further comprising maintaining in the user profile database a historical log of the portable communication device'"'"'s access to the network resource.
  - 4. The method of claim 1, wherein the connection request comprises a TCP packet.
  - 5. The method of claim 1, wherein determining whether to provide the portable communication device with access to the network resource further comprises denying the portable communication device access where the user profile database indicates that the portable communication device may not access the network resource.
  - 6. The method of claim 1, wherein the determination of whether to provide the portable communication device with access to the requested network is based at least in part on one of a port, circuit ID, VLAN ID or MAC address.
  - 7. The method of claim 1, further comprising:
    - receiving, from the portable communication device, a second request to access a second network resource; and
      
      determining that the portable communication device is authorized to access the second network resource, based at least upon a MAC address included in the second request.
  - 8. The method of claim 1, wherein the portable communication device is redirected to the authentication system by further storing the request to access the network resource.
  - 9. The method of claim 1, wherein the portable communication device is redirected to the authentication system by further communicating request data to a redirection server, the request data being based on the connection request.
  - 10. The method of claim 1, wherein determining whether to provide the portable communication device with access to the network resource comprises determining whether the portable communication device is authorized to access the requested network resource.
  - 11. The method of claim 1, wherein the connection request is configured with network settings that do not correspond to the network.
  - 12. The method of claim 1, further comprising storing the connection request to access a network resource.
  - 13. The method of claim 1, further comprising communicating a modified request to a redirection server, the modified request being based upon the connection request to access the network resource.
  - 14. The method of claim 1, wherein the redirection data comprises a browser redirect message.
  - 15. The method of claim 1, wherein the method is performed by single device.
  - 16. The method of claim 1, wherein the method is performed by multiple devices in communication with each other.
  - 17. The method of claim 1, wherein the network management system is a gateway device.
  - 18. The method of claim 1, wherein the request for the network resource includes header and body data, wherein request for the network resource is configured with attributes including a source address, a checksum, and a port number, wherein the checksum is calculated based at least in part on header and body data of one or more network packets, and wherein the browser redirect message comprises attributes in which at least one of a source address, a checksum, and a port number differs from those attributes of the request for the network resource.
  - 19. The method of claim 1, wherein the authentication-related information is related to an agreement to access network resources.

20. A network management system configured to manage access to a network resource, the system comprising:
- a wireless access point configured to receive, from a portable communication device, a connection request for an external server, the connection request comprising one or more network packets; and
  
  a controller configured to receive the connection request from the wireless access point and determine whether to allow the portable communication device to access the external server, the determination being based at least in part on comparing one or more attributes included in the connection request to a user profile database;
  
  the network management system further configured to redirect the portable communication device to an authentication system, upon determining not to allow the portable communication device to access the external server at that time, the redirect including;
  
  sending transmission control protocol handshake completion data from the communications port of the wireless access point to the portable communication device in response to the connection request, said transmission control protocol handshake completion data configured to indicate that it was sent by the external server;
  
  receiving at the controller via the wireless access point a request from the portable communication device for a network resource of the external server;
  
  receiving, at the wireless access point from the controller, redirection data comprising resource identification data that identifies the authentication system, the redirection data configured to cause the portable communication device to be redirected to the authentication system; and
  
  sending, from the communications port of the wireless access point to the portable communication device, a browser redirect message based upon the redirection data;
  
  whereby the portable communication device submits authentication-related information wherein the portable communication system can be allowed to access the network resource, wherein the network management system need not communicate with the external server to redirect the portable communication device.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 21. The network management system of claim 20, wherein the controller is further configured to maintain, in the user profile database, a historical log of the portable communication device'"'"'s access to the network resource.
  - 22. The network management system of claim 20, wherein the connection request comprises a TCP packet.
  - 23. The network management system of claim 20, wherein determining whether to allow the portable communication device to access the network resource further comprises denying the portable communication device access where the user profile database indicates that the portable communication device may not access the network resource.
  - 24. The network management system of claim 20, wherein the determination of whether to allow the portable communication device to access the network resource is based at least in part on one of a port, circuit ID, VLAN ID or MAC address.
  - 25. The network management system of claim 20, wherein the wireless access point is further configured to receive, from the portable communication device, a second request to access a second network resource, and wherein the controller is further configured to determine that the portable communication device is authorized to access the second network resource, based at least upon a MAC address included in the second request.
  - 26. The network management system of claim 20, wherein the user profile database further stores information relating to a time period associated with the portable communication device, and wherein the determination of whether to allow the portable communication device to access the network resource is further based on an amount of time that has elapsed in relation to the time period stored in the user profile database.
  - 27. The network management system of claim 20, wherein the attribute included in the connection request comprises a link-layer header of a network packet, and wherein the determination of whether to allow the portable communication device to access the network resource is based both on the link-layer header of the network packet and on identification information provided automatically by a browser of the portable communication device.
  - 28. The network management system of claim 20, wherein the connection request is configured with network settings that do not correspond to the network.
  - 29. The network management system of claim 20, wherein the controller is further configured to store the connection request to access the network resource.
  - 30. The network management system of claim 20, wherein the controller is further configured to communicate a modified request to a redirection server, the modified request being based upon the connection request to access the network resource.
  - 31. The network management system of claim 20, wherein the redirection data comprises a browser redirect message.
  - 32. The network management system of claim 20, wherein the controller is further configured to determine whether the portable communication device is authorized to access the network resource.
  - 33. The network management system of claim 20, wherein the network management system is a gateway device.
  - 34. The network management system of claim 20, wherein the request for the network resource is configured with attributes including a source address, a checksum, and a port number, wherein the checksum allows for verifying correct data transmission, and wherein the browser redirect message comprises attributes in which at least one of a source address, a checksum, and a port number differs from those attributes of the request for the network resource.
  - 35. The network management system of claim 20, wherein the authentication-related information is related to an agreement to access network resources.

36. A method of accessing a network resource of an external server by a portable communication device, the method performed by a network management system in communication with the portable communication device, the method comprising:
- receiving, at a communications port of a wireless access point of the network management system from a portable communication device, a connection request for an external server, the connection request comprising one or more network packets;
  
  transmitting the connection request from the wireless access point to a controller of the network management system;
  
  determining, using the controller, whether to provide the portable communication device with access to the external server, the determination being based at least in part on comparing one or more attributes included in the connection request to a user profile database;
  
  sending transmission control protocol handshake completion data from the communications port of the wireless access point to the portable communication device in response to the connection request, said transmission control protocol handshake completion data configured to indicate that it was sent by the external server;
  
  receiving, at the wireless access point from the controller, redirection data comprising resource identification data that identifies an authentication system, the redirection data configured to cause the portable communication device to be redirected to the authentication system; and
  
  sending, from the communications port of the wireless access point to the portable communication device, a browser redirect message based upon the redirection data, the browser redirect message being sent upon a determination not to provide the portable communication device with access to the external server at that time;
  
  whereby the portable communication device transmits authentication-related information wherein the portable communication system can be provided access to a network resource of the external server, wherein the network management system need not communicate with the external server to redirect the portable communication device.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61)
- - 37. The method of claim 36, further comprising updating the user profile database upon determining to provide the portable communication device with access to the network resource.
  - 38. The method of claim 36, further comprising maintaining in the user profile database a historical log of the portable communication device'"'"'s access to the network resource.
  - 39. The method of claim 36, wherein the connection request comprises a TCP packet.
  - 40. The method of claim 36, wherein determining whether to provide the portable communication device with access to the network resource further comprises denying the portable communication device access where the user profile database indicates that the portable communication device may not access the network resource.
  - 41. The method of claim 36, wherein the determination of whether to provide the portable communication device with access to the network resource is one of a port, circuit ID, VLAN ID or MAC address.
  - 42. The method of claim 36, further comprising:
    - receiving, from the portable communication device, a second request to access a second network resource; and
      
      determining to provide the portable communication device with access to the second network resource, based at least upon a MAC address included in the second request.
  - 43. The method of claim 36, further comprising storing the request to access the network resource.
  - 44. The method of claim 36, wherein receiving, from a portable communication device, a connection request to access a network resource comprises receiving, from a portable communication device via a network, a request to access a network resource.
  - 45. The method of claim 36, wherein the determination of whether to provide the portable communication device with access to the network resource is based at least in part on a port.
  - 46. The method of claim 36, wherein the determination of whether to provide the portable communication device with access to the network resource is based at least in part on a circuit ID.
  - 47. The method of claim 36, wherein the determination of whether to provide the portable communication device with access to the network resource is based at least in part on a VLAN ID.
  - 48. The method of claim 36, wherein the determination of whether to provide the portable communication device with access to the network resource is based at least in part on a MAC address.
  - 49. The method of claim 36, further comprising communicating request-related data to a redirection server, the request-related data being based on the connection request.
  - 50. The method of claim 36, wherein the resource identification data is a URL.
  - 51. The method of claim 36, wherein the resource identification data is a network address.
  - 52. The method of claim 36, wherein the step of determining whether to provide the portable communication device with access to the network resource precedes the step of receiving the redirection data.
  - 53. The method of claim 36, wherein determining whether to provide the portable communication device with access to the network resource comprises determining whether the portable communication device is authorized to access the requested network resource.
  - 54. The method of claim 36, further comprising redirecting, upon determining that the portable communication device is not authorized to access the requested network resource, the portable communication device to an authentication system.
  - 55. The method of claim 36, further comprising communicating a modified request to a redirection server, the modified request being based upon the request to access the network resource.
  - 56. The method of claim 36, wherein the redirection data comprises a browser redirect message.
  - 57. The method of claim 36, wherein the method is performed by single device.
  - 58. The method of claim 36, wherein the method is performed by multiple devices in communication with each other.
  - 59. The method of claim 36, wherein the network management system is a gateway device.
  - 60. The method of claim 36, wherein the request for the network resource comprises attributes including a source address, a checksum, and a port number, wherein the checksum allows for verifying correct data transmission, and wherein the browser redirect message comprises attributes in which at least one of a source address, a checksum, and a port number differs from those attributes of the request for the network resource.
  - 61. The method of claim 36, wherein the authentication-related information is related to an agreement to access network resources.

62. A network management system configured to manage access of a portable communication device to a network resource of an external server, the system comprising:
- a wireless access point configured to receive, from a portable communication device, a connection request for an external server, the connection request comprising one or more network packets; and
  
  a controller configured to receive the connection request from the wireless access point and determine whether to allow the portable communication device to access the external server, the determination being based at least in part on comparing an attribute included in the connection request to a user profile database;
  
  the network management system further configured to redirect the portable communication device to an authentication system, by performing operations comprising;
  
  sending transmission control protocol handshake completion data from the communications port of the wireless access point to the portable communication device in response to the connection request, said transmission control protocol handshake completion data configured to indicate that it was sent by the external server;
  
  receiving, at the wireless access point from the controller, redirection data comprising resource identification data that identifies the authentication system, the redirection data configured to cause the portable communication device to be redirected to the authentication system; and
  
  sending, from the communications port of the wireless access point to the portable communication device, a browser redirect message based upon the redirection data, the browser redirect message being sent as a result of the determination not to allow the portable communication device to access the network resource;
  
  whereby the portable communication device transmits authentication-related information wherein the portable communication system can be allowed to access a network resource of the external server, wherein the network management system need not communicate with the external server to redirect the portable communication device.
- View Dependent Claims (63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88)
- - 63. The network management system of claim 62, wherein the controller is further configured to maintain, in the user profile database, a historical log of the portable communication device'"'"'s access to the network resource.
  - 64. The network management system of claim 62, wherein the connection request comprises a TCP packet.
  - 65. The network management system of claim 62, wherein determining whether to allow the portable communication device to access the network resource further comprises denying the portable communication device access where the user profile database indicates that the portable communication device may not access the network resource.
  - 66. The network management system of claim 62, wherein the determination of whether to allow the portable communication device to access the network resource is based at least in part on one of a port, circuit ID, VLAN ID or MAC address.
  - 67. The network management system of claim 62, wherein the wireless access point is further configured to receive, from the portable communication device, a second request to access a second network resource, and wherein the controller is further configured to determine that the portable communication device is allowed to access the second network resource, based at least upon a MAC address included in the second request.
  - 68. The system of claim 62, wherein the user profile database further stores information relating to a time period associated with the portable communication device, and wherein the determination of whether the portable communication device is allowed to access the network resource is further based on an amount of time that has elapsed in relation to the time period stored in the user profile database.
  - 69. The system of claim 62, wherein the connection request comprises a link-layer header of a network packet, and wherein the determination of whether the portable communication device is allowed to access the network resource is based both on the link-layer header of the network packet and on identification information provided automatically by a browser of the portable communication device.
  - 70. The system of claim 62, wherein the controller further configured to store the connection request to access the network resource.
  - 71. The system of claim 62, wherein the portable communication device communicates with the wireless access point via a network.
  - 72. The network management system of claim 62, wherein the controller is configured to determine whether to allow the portable communication device to access the requested network resource based at least in part on a port.
  - 73. The network management system of claim 62, wherein the controller is configured to determine whether to allow the portable communication device to access the requested network resource based at least in part on a circuit ID.
  - 74. The network management system of claim 62, wherein the controller is configured to determine whether to allow the portable communication device to access the requested network resource based at least in part on a VLAN ID.
  - 75. The network management system of claim 62, wherein the controller is configured to determine whether to provide the portable communication device with access to the requested network is based at least in part on a MAC address.
  - 76. The network management system of claim 62, wherein the controller is further configured to communicate request-related to a redirection server, the request-related data being based on the connection request.
  - 77. The network management system of claim 62, wherein the resource identification data is a URL.
  - 78. The network management system of claim 62, wherein the resource identification data is a network address.
  - 79. The network management system of claim 62, wherein the controller is further configured to determine whether to provide the portable communication device with access to the network resource prior to receiving the redirection data.
  - 80. The network management system of claim 62, wherein the controller is further configured to determine whether the portable communication device is authorized to access the network resource.
  - 81. The network management system of claim 62, wherein the controller is further configured to redirect upon determining that the portable communication device is not authorized to access the requested network resource.
  - 82. The network management system of claim 62, wherein the controller is further configured to communicate a modified request to a redirection server, the modified request being based upon the request to access the network resource.
  - 83. The network management system of claim 62, wherein the redirection data comprises a browser redirect message.
  - 84. The network management system of claim 62, wherein the controller is comprised in the same housing.
  - 85. The network management system of claim 62, wherein the controller is comprised in the separate housings.
  - 86. The network management of claim 62, wherein the network management system is a gateway device.
  - 87. The network management system of claim 62, wherein the request for the network resource comprises a source address, a checksum allowing for verification of correct data transmission, a port number, and a resource locator that identifies the network resource, and wherein the browser redirect message includes at least one of a source address, a checksum, and a port number that differs from those attributes of the request for the network resource.
  - 88. The network management system of claim 62, wherein the authentication-related information is related to an agreement to access network resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nomadix, Inc. (Nippon Telegraph and Telephone Corporation)
Original Assignee
Nomadix, Inc. (Nippon Telegraph and Telephone Corporation)
Inventors
Pagan, Florence C. I., Short, Joel E.
Primary Examiner(s)
DADA, BEEMNET W

Application Number

US09/458,602
Time in Patent Office

5,256 Days
Field of Search

713/153, 713/154, 713/155, 713/168, 713/201, 713/202, 709/220, 709/225, 709/226, 709/228, 709/229, 726/4, 726/5, 726/7, 726/8, 726/15, 726/26, 726/27
US Class Current

726/4
CPC Class Codes

G06F 21/44 Program or device authentic...

Systems and methods for authorizing, authenticating and accounting users having transparent computer access to a network using a gateway device

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

922 Citations

88 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for authorizing, authenticating and accounting users having transparent computer access to a network using a gateway device

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

922 Citations

88 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others