Internetwork authentication

US 9,143,498 B2
Filed: 08/29/2013
Issued: 09/22/2015
Est. Priority Date: 08/30/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a request for a policy-based identity routing service for a first network;

providing a local authoritative user datastore interface (LAUDI) to a network device of the first network;

obtaining a set of rules for identity routing to the first network;

establishing a secure persistent connection between the LAUDI on the network device of the first network and an online authentication proxy;

wherein a successful authentication result, from the LAUDI for a station associated with a second network, is indicative of the station being allowed access to services on the second network;

receiving an authentication request from the second network for the station;

routing the authentication request based on a rule of the set of rules to the LAUDI;

receiving an authentication result from the LAUDI; and

sending the authentication result to the second network;

wherein the successful authentication result is indicative of the station being allowed access to services on the second network.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for network authentication interoperability involves initiating an authentication procedure on a first network, authenticating on a second network, and allowing access at the first network. The technique can include filtering access to a network, thereby restricting access to users with acceptable credentials. Offering a service that incorporates these techniques can enable incorporation of the techniques into an existing system with minimal impact to network configuration.

Citations

17 Claims

1. A method comprising:
- receiving a request for a policy-based identity routing service for a first network;
  
  providing a local authoritative user datastore interface (LAUDI) to a network device of the first network;
  
  obtaining a set of rules for identity routing to the first network;
  
  establishing a secure persistent connection between the LAUDI on the network device of the first network and an online authentication proxy;
  
  wherein a successful authentication result, from the LAUDI for a station associated with a second network, is indicative of the station being allowed access to services on the second network;
  
  receiving an authentication request from the second network for the station;
  
  routing the authentication request based on a rule of the set of rules to the LAUDI;
  
  receiving an authentication result from the LAUDI; and
  
  sending the authentication result to the second network;
  
  wherein the successful authentication result is indicative of the station being allowed access to services on the second network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising providing internetwork authentication service on computing resources delivered as a service via a third network.
  - 3. The method of claim 1, further comprising providing the LAUDI via a software download.
  - 4. The method of claim 1, further comprising:
    - installing the LAUDI on the network device;
      
      shipping the network device to a recipient associated with the first network;
      
      wherein the network device is implemented in association with the first network after receipt by the recipient.
  - 5. The method of claim 1, further comprising implementing the network device as a wireless access point (WAP) or controller.
  - 6. The method of claim 1, further comprising coupling the LAUDI to a user datastore at the first network.
  - 7. The method of claim 1, further comprising obtaining the set of rules via an administrative interface.
  - 8. The method of claim 1, further comprising obtaining a set of rules for filtering and identity routing to the first network, wherein the successful authentication result is indicative of station credentials sufficient to avoid filtering an authentication request associated with the station in accordance with the filtering rules and sufficient to permit routing the authentication request to the first network in accordance with the identity routing rules.
  - 9. The method of claim 1, wherein the connection is persistent.
  - 10. The method of claim 1, wherein account data from a local authoritative user datastore at the first network is shared with the second network.
  - 11. The method of claim 1, wherein the station is a first station, further comprising:
    - storing user data associated with a second station at the second network;
      
      authenticating the second station at the second network.

12. A system comprising:
- a means for receiving a request for a policy-based identity routing service for a first network;
  
  a means for providing a local authoritative user datastore interface (LAUDI) to a network device of the first network;
  
  a means for obtaining a set of rules for identity routing to the first network;
  
  a means for establishing a secure persistent connection between the LAUDI on the network device of the first network and an online authentication proxy;
  
  wherein a successful authentication result, from the LAUDI for a station associated with a second network, is indicative of the station being allowed access to services on the second network;
  
  a means for receiving an authentication request from the second network for the station;
  
  a means for routing the authentication request based on a rule of the set of rules to the LAUDI;
  
  a means for receiving an authentication result from the LAUDI; and
  
  a means for sending the authentication result to the second network;
  
  wherein the successful authentication result is indicative of the station being allowed access to services on the second network.
- View Dependent Claims (13, 14)
- - 13. The system of claim 12, further comprising a means for obtaining a set of rules for filtering and identity routing to the first network, wherein the successful authentication result is indicative of station credentials sufficient to avoid filtering an authentication request associated with the station in accordance with the filtering rules and sufficient to permit routing the authentication request to the first network in accordance with the identity routing rules.
  - 14. The system of claim 12, wherein the connection is persistent, further comprising a means for establishing the persistent connection.

15. A method comprising:
- receiving at a network access point associated with a first network a first authentication request for a first station associated with a second network;
  
  making a local determination that the first authentication request is suitable for off-network authentication;
  
  sending the first authentication request off-network;
  
  receiving from off-network an off-network authentication result responsive to the first authentication request;
  
  providing services to the first station consistent with the off-network authentication result;
  
  establishing a persistent connection with an internetwork authentication service provider, wherein the first authentication request is sent to the internetwork authentication service provider and the off-network authentication result is received from the internetwork authentication service provider;
  
  receiving at the network access point a second authentication request for a second station;
  
  making a determination that the second authentication request is suitable for on-network authentication;
  
  initiating on-network authentication of the second station;
  
  obtaining an on-network authentication result responsive to the second authentication request; and
  
  providing services to the second station consistent with the on-network authentication result.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15, further comprising:
    - determining an identity associated with the first authentication request;
      
      wherein the sending the first authentication request off-network is performed in accordance with the determination.
  - 17. The method of claim 15, wherein the persistent connection is an outbound encrypted tunnel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
Aerohive Networks Incorporated (Extreme Networks, Inc.)
Inventors
Sakura, Kenshin, Gast, Matthew Stuart, Fu, Long
Primary Examiner(s)
CHANG, KENNETH W

Application Number

US14/014,247
Publication Number

US 20140068707A1
Time in Patent Office

754 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0884   by delegation of authentica...

H04L 63/0892   by using authentication-aut...

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04W 12/069   using certificates or pre-s...

Internetwork authentication

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Internetwork authentication

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links