Systems and methods for user access authentication based on network access point

US 8,782,751 B2
Filed: 03/19/2012
Issued: 07/15/2014
Est. Priority Date: 05/16/2006
Status: Active Grant

First Claim

Patent Images

1. A method of user access authentication, the method comprising:

receiving by a first network access point a first authentication request from a second network access point based on a user device access request for accessing a secure data network;

sending a second authentication request based on the first authentication request to an identity server wherein the second authentication request is associated with the second network access point;

obtaining from the user device access request a first network access point identity of the first network access point and a second network access point identity of the second network access point;

determining at the identity server whether to grant a user device access to the secure data network by comparing a user identity and the first and second access point identities to a stored plurality of user identities and corresponding validated pairs of network access point identities; and

granting access to the secure data network when the user identity and the access point identities obtained match with one of the stored plurality of user identities and its corresponding validated pair of network point identities.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods of authenticating user access based on an access point to a secure data network include a secure data network having a plurality of a network access points serving as entry points for a user to access the secure data network using a user device. The user is associated with a user identity, each network access point with a network access point identity. The user uses a user device to send an access request, requesting access to the secure data network, to the network access point, which then sends an authentication request to an identity server. The identity server processes the authentication request, by validating the combination of the user identity and the network access point identity, and responds with an authentication response, granting or denying access, as communicated to the user device via an access response.

84 Citations

View as Search Results

32 Claims

1. A method of user access authentication, the method comprising:
- receiving by a first network access point a first authentication request from a second network access point based on a user device access request for accessing a secure data network;
  
  sending a second authentication request based on the first authentication request to an identity server wherein the second authentication request is associated with the second network access point;
  
  obtaining from the user device access request a first network access point identity of the first network access point and a second network access point identity of the second network access point;
  
  determining at the identity server whether to grant a user device access to the secure data network by comparing a user identity and the first and second access point identities to a stored plurality of user identities and corresponding validated pairs of network access point identities; and
  
  granting access to the secure data network when the user identity and the access point identities obtained match with one of the stored plurality of user identities and its corresponding validated pair of network point identities.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising maintaining a log of communication paths which tracks at least one of the first and second network access point identities.
  - 3. The method of claim 2 wherein the second authentication request logs at least a portion of the communication paths.
  - 4. The method of claim 2 comprising logging the first network access point identity and the second network access point identity.
  - 5. The method of claim 1 wherein the secure data network comprises an application level secure data network.
  - 6. The method of claim 5 wherein the access request seeks access to a network application, and the access request comprises a Transport Control Protocol (TCP) access request.
  - 7. The method of claim 6 further comprising determining that access to the network application is sought, wherein the first network access point determines that access to the network application is sought.
  - 8. The method of claim 6 wherein the network application comprises one or more of an enterprise application, an employee benefit application, a human resources application, an inventory information application, a library system, a conference workshop application, a live concert webcast, a hotel television over IP application, or a web application.

9. A system for user access authentication, the system comprising:
- a secure data network comprising at least a first network access point and a second network access point, the first network access point that receives a first authentication request from the second network access point based on a user device access request for accessing the secure data network; and
  
  an identity server in communication with the secure data network via one of the network access points, wherein the identity server receives a second authentication request associated with the second network access point;
  
  whereinthe identity server obtains from the user device access request a first network access point identity of the first network access point and a second network access point identity of the second network access point;
  
  determines whether to grant a user device access to the secure data network by comparing a user identity and the first and second access point identities to a stored plurality of user identities and corresponding validated pairs of network access point identities; and
  
  grants access to the secure data network when the user identity and the access point identities obtained match with one of the stored plurality of user identities and its corresponding validated pair of network point identities.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9 further comprising a log of communication paths which tracks at least one of the first and second network access point identities.
  - 11. The system of claim 10 wherein the second authentication request logs at least a portion of the communication paths.
  - 12. The system of claim 10 wherein the log comprises at least the first network access point identity and second network access point identity.
  - 13. The system of claim 9 wherein the secure data network comprises an application level secure data network.
  - 14. The system of claim 13 wherein the access request comprises a Transport Control Protocol (TCP) and seeks access to a network application.
  - 15. The system of claim 14 wherein the first network access point determines that access to the network application is being sought.
  - 16. The system of claim 14 wherein the network application comprises one or more of an enterprise application, an employee benefit application, a human resources application, an inventory information application, a library system, a conference workshop application, a live concert web cast, a hotel television over IP application, and a web application.

17. A method of user access authentication, the method comprising:
- receiving at a first network access point an access request to a secure data network from a user device;
  
  generating an authentication request in response to receiving the access request wherein the authentication request comprises a log of a communication path;
  
  sending the authentication request from the first network access point via a second network access point to an identity server for processing;
  
  obtaining from the user device access request a first network access point identity of the first network access point and a second network access point identity of the second network access point;
  
  determining at the identity server whether to grant a user device access to the secure data network by comparing a user identity and the first and second access point identities to a stored plurality of user identities and corresponding validated pairs of network access point identities; and
  
  granting access to the secure data network when the user identity and the access point identities obtained match with one of the stored plurality of user identities and its corresponding validated pair of network point identities.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 18. The method of claim 17 wherein the log of the communication path comprises the second network access point when the authentication request passes through the second network access point.
  - 19. The method of claim 17 comprising sending an access response to the user device.
  - 20. The method of claim 17 wherein the access request comprises the user identity and the authentication request comprises the user identity.
  - 21. The method of claim 20 wherein the user identity comprises at least one of a user name, an identity of user device, a Media Access Control (MAC) address, an Internet Protocol (IP) address and port number, a device serial number, subscriber information in a subscriber identity module (SIM) card, subscriber information in a Universal Subscriber Identity Module (USIM) card, a telephone number, security information, a password, a security code, a secret answer to a security question, biometric characteristics, fingerprint data, eye retinal data, eye iris data voice pattern recognition data and signature recognition data.
  - 22. The method of claim 17 comprising the identity server determining whether to grant the access request based on the user identity, a first network access identity of the first network access point and a second network access identity of the second network access point.
  - 23. The method of claim 17 wherein the secure data network comprises an application level secure data network.
  - 24. The method of claim 23 wherein the access request seeks access to a network application, and the access request comprises a Transport Control Protocol (TCP) access request.
  - 25. The method of claim 24 further comprising determining that access to the network application is sought, wherein the first network access point determines that access to the network application is sought.
  - 26. The method of claim 24 wherein the network application comprises one or more of an enterprise application, an employee benefit application, a human resources application, an inventory information application, a library system, a conference workshop application, a live concert web cast, a hotel television over IP application, or a web application.
  - 27. The method of claim 17 wherein the secure data network comprises at least one of an Internet Protocol (IP) network, a Local Area Network (LAN), a Wide Area Network (WAN), a wireless network, a WiFi network, a General Packet Radio Service (GPRS) network, a public IP network, and a private IP network;
    - wherein the user device comprises at least one of a desktop personal computer, a laptop personal computer, a personal data assistance (PDA), a cellular phone, a smart-phone, and a device having a computing unit connectable to a network;
      
      wherein the first network access point and/or the second network access point comprises at least one of a firewall, a wireless access point, a Dynamic Host Configuration Protocol (DHCP) server, a Remote Access Server (RAS), a Broadband Remote Access Server (BRAS), a web server, a secure web server, a virtual private network (VPN) server, a termination point of an access tunnel, a termination point of a virtual private network (VPN) tunnel, a termination point of a Generic Routing Encapsulation (GRE) tunnel, and a termination point of a Layer-2 Tunnel Protocol (L2TP) tunnel; and
      
      wherein the first network access point identity and/or the second network access point identity comprises at least one of a network access point name, an IP address, a port number, security information, a password, a security code, a device name, a machine identity, a serial number, an identity of an access tunnel termination point, and an Access Point Name (APN).

28. A system for user access authentication comprising:
- a secure data network comprising at least a first network access point and a second network access point, and an identity server, wherein the first network access point receives an access request to the secure data network from a user device;
  
  wherein the system generates an authentication request in response to receiving the access request, the authentication request comprising a log of a communication path;
  
  sends the authentication request from the first network access point via the second network access point to an identity server for processings;
  
  obtains from the user device access request a first network access point identity of the first network access point and a second network access point identity of the second network access point;
  
  determines at the identity server whether to grant a user device access to the secure data network by comparing a user identity and the first and second access point identities to a stored plurality of user identities and corresponding validated pairs of network access point identities; and
  
  grants access to the secure data network when the user identity and the access point identities obtained match with one of the stored plurality of user identities and its corresponding validated pair of network point identities.
- View Dependent Claims (29, 30, 31, 32)
- - 29. The system of claim 28 wherein the log of communication path comprises the second network access point when the authentication request passes through the second network access point.
  - 30. The system of claim 28 wherein the identity server determines whether to grant the access request based on a user identity, a first network access identity of the first network access point, and a second network access identity of the second network access point.
  - 31. The system of claim 28 wherein the secure data network comprises at least one of an Internet Protocol (IP) network, a Local Area Network (LAN), a Wide Area Network (WAN), a wireless network, a WiFi network, a General Packet Radio Service (GPRS) network, a public IP network, and a private IP network;
    - wherein the user device comprises at least one of a desktop personal computer, a laptop personal computer, a personal data assistance (PDA), a cellular phone, a smart-phone, and a device having a computing unit connectable to a network;
      
      wherein the first network access point and/or the second network access point comprises at least one of a firewall, a wireless access point, a Dynamic Host Configuration Protocol (DHCP) server, a Remote Access Server (RAS), a Broadband Remote Access Server (BRAS), a web server, a secure web server, a virtual private network (VPN) server, a termination point of an access tunnel, a termination point of a virtual private network (VPN) tunnel, a termination point of a Generic Routing Encapsulation (GRE) tunnel, and a termination point of a Layer-2 Tunnel Protocol (L2TP) tunnel; and
      
      wherein the first network access point identity and/or the second network access point identity comprises at least one of a network access point name, an IP address, a port number, security information, a password, a security code, a device name, a machine identity, a serial number, an identity of an access tunnel termination point, and an Access Point Name (APN).
  - 32. The system of claim 28 wherein the access request comprises a user identity which comprises at least one of a user name, an identity of user device, a Media Access Control (MAC) address, an Internet Protocol (IP) address and port number, a device serial number, subscriber information in a subscriber identity module (SIM) card, subscriber information in a Universal Subscriber Identity Module (USIM) card, a telephone number, security information, a password, a security code, a secret answer to a security question, biometric characteristics, fingerprint data, eye retinal data, eye iris data, voice pattern recognition data and signature recognition data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Chen, Lee, Chiong, John, Yu, Yang
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
VU, PHY ANH TRAN

Application Number

US13/423,953
Publication Number

US 20120204236A1
Time in Patent Office

848 Days
Field of Search

None
US Class Current

726/4
CPC Class Codes

G11C 7/24   Memory cell safety or prote...

H04L 63/08   for authentication of entit...

H04L 63/107   wherein the security polici...

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/72   Subscriber identity

H04W 12/73   Access point logical identity

Systems and methods for user access authentication based on network access point

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

84 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for user access authentication based on network access point

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

84 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links