Distributed authentication, authorization and accounting

US 8,763,088 B2
Filed: 12/12/2007
Issued: 06/24/2014
Est. Priority Date: 12/13/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A first computer system, residing on a first computer network of a plurality of computer networks, for controlling access to the plurality of computer networks, the first computer system configured to:

receive a first credential from a network access controller on the first computer network, the first credential being associated with a first connecting device requesting access to the plurality of computer networks at the network access controller;

select, using a criterion, at least one authentication routing policy from a plurality of authentication routing policies, each authentication routing policy of the plurality of authentication routing policies comprising;

address information associated with at least two authentication databases against which the first credential associated with the first connecting device may be authenticated, wherein at least one of the at least two authentication databases is contained on a second computer system residing on a second computer network;

select a first authentication database of the at least two authentication databases of the selected at least one authentication routing policy against which the first credential is to be authenticated;

communicate the first credential to the first authentication database using the address information;

receive an authentication response from the first authentication database; and

communicate the authentication response to the network access controller.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some embodiments, computer systems, storage mediums, and methods are provided for controlling a connecting device'"'"'s access to a plurality of computer networks. In other embodiments, the provided computer systems, storage mediums, and methods may provide for authentication, authorization, and accounting of connecting devices connecting to a plurality of computer networks. In other embodiments, the provided computer systems, storage mediums, and methods may provide for the distribution of authentication routing data and authorization policies among a plurality of computer networks. In yet other embodiments, the provided computer systems, storage mediums, and methods may provide for the distribution of accounting among a plurality of computer networks.

32 Citations

View as Search Results

20 Claims

1. A first computer system, residing on a first computer network of a plurality of computer networks, for controlling access to the plurality of computer networks, the first computer system configured to:
- receive a first credential from a network access controller on the first computer network, the first credential being associated with a first connecting device requesting access to the plurality of computer networks at the network access controller;
  
  select, using a criterion, at least one authentication routing policy from a plurality of authentication routing policies, each authentication routing policy of the plurality of authentication routing policies comprising;
  
  address information associated with at least two authentication databases against which the first credential associated with the first connecting device may be authenticated, wherein at least one of the at least two authentication databases is contained on a second computer system residing on a second computer network;
  
  select a first authentication database of the at least two authentication databases of the selected at least one authentication routing policy against which the first credential is to be authenticated;
  
  communicate the first credential to the first authentication database using the address information;
  
  receive an authentication response from the first authentication database; and
  
  communicate the authentication response to the network access controller.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The first computer system of claim 1 further configured to cache a copy of the first credential.
  - 3. The first computer system of claim 1 further configured to receive a second credential and authenticate the second credential against the cached copy of the first credential.
  - 4. The first computer system of claim 1 wherein the criterion is used to select which of the at least two authentication databases the first credential is to be authenticated against based on attributes of the network access controller through which the first connecting device is requesting access to the plurality of computer networks.
  - 5. The first computer system of claim 1 wherein the criterion is used to select which of the at least two authentication databases the first credential is to be authenticated against based on attributes of the first connecting device.
  - 6. The first computer system of claim 5 wherein the attributes of the first connecting device include the first connecting device'"'"'s realm.
  - 7. The first computer system of claim 1 further configured to receive at least a portion of authentication routing data from a third computer system residing on a computer network different than the first computer network.
  - 8. The first computer system of claim 1 further configured to:
    - store an authorization policy comprising one or more rules for controlling a connecting device'"'"'s access to the plurality of computer networks;
      
      receive first authorization information related to the first connecting device;
      
      compare the first authorization information to the authorization policy; and
      
      control the first connecting device'"'"'s access to the plurality of computer networks based on a result of the comparison.
  - 9. The first computer system of claim 8 further configured to receive at least a portion of the first authorization information from the first authentication database.
  - 10. The first computer system of claim 8 further configured to receive at least a portion of the authorization policy from a third computer system residing on a computer network different than the first computer network.
  - 11. The first computer system of claim 8 wherein the authorization policy includes a rule for controlling access to the plurality of computer networks based on at least one of a group comprising attributes of a network access controller through which a connecting device requests access to the plurality of computer networks, a time of day at which the connecting device requests access to the plurality of computer networks, and attributes of one or more groups of which a user of a connecting device is a member;
    - and wherein the first authorization information includes at least one of a group comprising attributes of the network access controller through which the first connecting device is requesting access to the plurality of computer networks, the time of day at which the first connecting device is requesting access to the plurality of computer networks, and attributes of one or more groups of which a first user of the first connecting device is a member.
  - 12. The first computer system of claim 8 wherein controlling the first connecting device'"'"'s access to the plurality of computer networks includes instructing the network access controller to permit the first connecting device access to a first network resource residing on the plurality of computer networks and deny the first connecting device access to a second network resource residing on the plurality of computer networks.
  - 13. The first computer system of claim 1 further comprising an accounting computer system configured to:
    - monitor the first connecting device'"'"'s use of the plurality of computer networks;
      
      store one or more records of events involving the first connecting device'"'"'s use of the plurality of computer networks; and
      
      transmit at least one of the one or more records to a third computer system residing on a computer network different from the first computer network.
  - 14. The first computer system of claim 1 further configured to receive network service parameters allocating at least one logical address for a first type of network resource from a fourth computer system residing on a computer network different from the first computer network, store the network service parameters, and to provide a first network resource of the first type, executing on a third computer system residing on the first computer network, with an address containing the logical address.
  - 15. The first computer system of claim 1 further configured to:
    - receive, from a computer system residing on a computer network different than the first computer network, at least a portion of an authorization policy comprising one or more rules for controlling the first connecting device'"'"'s access to the plurality of computer networks;
      
      store the authorization policy including the at least the portion of the authorization policy;
      
      receive first authorization information related to the first connecting device requesting access to the plurality of computer networks at the network access controller residing on the first computer network;
      
      compare the first authorization information to the authorization policy; and
      
      control the first connecting device'"'"'s access to the plurality of computer networks based at least in part on a result of the comparison.
  - 16. The first computer system of claim 15 wherein the authorization policy includes a rule for controlling access to the plurality of computer networks based on attributes of the network access controller through which a connecting device requests access to the plurality of computer networks, and the first authorization information includes attributes of the network access controller through which the first connecting device is requesting access to the plurality of computer networks.
  - 17. The first computer system of claim 15 wherein the authorization policy includes a rule for controlling access to the plurality of computer networks based on a time of day at which the first connecting device requests access to the plurality of computer networks, and the authorization information includes the time of day at which the first connecting device is requesting the access to the plurality of computer networks.
  - 18. The first computer system of claim 15 wherein the authorization policy includes a rule for controlling access to the plurality of computer networks based on attributes of one or more groups of which a first user of the first connecting device is a member, and the first authorization information includes the attributes of the one or more groups of which the first user of the first connecting device is a member.
  - 19. The first computer system of claim 15 wherein controlling the first connecting device'"'"'s access to the plurality of computer networks includes instructing the network access controller to permit the first connecting device access to a first network resource residing on the plurality of computer networks and deny the first connecting device access to a second network resource residing on the plurality of computer networks.

20. A non-transitory storage medium, readable by a first processor of a first computer system residing on a first computer network of a plurality of computer networks, having embodied therein a program of commands executable by the first processor, the program being adapted to be executed to:
- receive a first credential from a network access device on the first computer network, the first credential being relatable to a first connecting device requesting access to the plurality of computer networks at the network access device;
  
  select, using a criterion, at least one authentication routing policy from a plurality of authentication routing policies, each authentication routing policy of the plurality of authentication routing policies comprising;
  
  address information associated with at least two authentication databases against which the first credential related to the first connecting device may be authenticated, wherein at least one of the at least two authentication databases is contained on a second computer system residing on a second computer network; and
  
  select a first authentication database of the at least two authentication databases of the at least one authentication routing policy against which the first credential is to be authenticated;
  
  communicate the first credential to the first authentication database using the address information;
  
  receive an authentication response from the first authentication database;
  
  communicate the authentication response to the network access device;
  
  receive at least a portion of an authorization policy comprising one or more rules for controlling a connecting device'"'"'s access to the plurality of computer networks from a third computer system residing on a computer network different than the first computer network;
  
  store the authorization policy;
  
  receive first authorization information related to the first connecting device;
  
  compare the first authorization information to the authorization policy; and
  
  control the first connecting device'"'"'s access to the plurality of computer networks based on a result of the comparison.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Clearinghouse LLC (RPX Corporation)
Original Assignee
Rockstar Consortium US LP (Rockstar Consortium Inc.)
Inventors
Chua, Roy Liang, Convery, Sean Joseph, Pearce, Andrew Keith, Thusoo, Ashish
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
Wilcox, James J

Application Number

US12/518,636
Publication Number

US 20110055900A1
Time in Patent Office

2,386 Days
Field of Search

None
US Class Current

726/4
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/0892   by using authentication-aut...

H04L 63/104   Grouping of entities

H04L 63/20   for managing network securi...

Distributed authentication, authorization and accounting

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

32 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed authentication, authorization and accounting

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links