Rule based extensible authentication
First Claim
1. A network device for managing a communication between a client and a server, comprising:
- a transceiver that receives packets from the client; and
- a processor programmed to perform actions including:
  - receiving from the client a request for a resource;
  - dynamically changing criteria that indicates what credential information is to be extracted from a packet flow using deep packet inspection rules and what credential information is to be evaluated to determine whether the request is authorized;
  - extracting the credential information based on the dynamically changed criteria from at least one packet in the packet flow associated with the request;
  - determining that the extracted credential information is insufficient to determine whether the request is authorized and, based on the determination, automatically sending a query to the client for additional information to be received in one or more subsequent packets from the client in response to the query;
  - when the additional information and the extracted credential information are affirmatively authenticated, requesting different credential information based on the dynamically changing criteria; and
  - selectively allowing access to the requested resource based on authorization of the different credential information.
Abstract
A system, apparatus, and method are directed to managing access to a resource using rule-based deep packet extractions of a credential. A network device, such as a traffic management device, is situated between a client device and a server device. When the client device sends a request for a resource, the request is intercepted by the network device. The network device may employ a multi-layer deep packet extraction of the credential from the request. The network device may then use the credential to determine whether the request is enabled to access the resource. Based, in part, on a variety of rules, the network device may deny access, enable access, route the request to a different server, or the like. In one embodiment, the network device may receive a rule from another device that directs the network device to request a different credential.
Claims (20)
1. A network device for managing a communication between a client and a server (independent claim 1, reproduced in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system, comprising:
- a memory storage device having stored thereon protected content; and
- one or more processors programmed to perform actions, including:
  - receiving a request from a client for at least some of the protected content;
  - dynamically changing criteria that indicates what credential information is to be extracted from a packet flow using deep packet inspection rules and what credential information is to be evaluated to determine whether the request is authorized;
  - extracting the credential information based on the dynamically changed criteria from at least one packet in the packet flow associated with the request;
  - determining that the extracted credential information is insufficient to determine whether the request is authorized and, based on the determination, automatically querying the client for additional information to be sent by the client in one or more subsequent packets in response to the query; and
  - when the additional information and the extracted credential information are affirmatively authenticated, requesting different credential information based on the dynamically changing criteria; and
  - selectively allowing access to the requested protected content based on authorization of the different credential information.
Dependent claims: 9, 10, 11, 12, 13.
14. A method, comprising:
- employing one or more servers for providing access to content; and
- employing one or more processors to perform actions, including:
  - receiving a request for at least some of the content;
  - dynamically changing criteria that indicates what credential information is to be extracted from a packet flow using deep packet inspection rules and what credential information is to be evaluated to determine whether the request is authorized;
  - extracting the credential information based on the dynamically changed criteria from at least one packet in the packet flow associated with the request;
  - determining that the extracted credential information is insufficient to determine whether the request is authorized and, based on the determination, automatically sending a query to the client for additional information to be received in one or more subsequent packets from the client in response to the query; and
  - when the additional information and the extracted credential information are affirmatively authenticated, requesting different credential information based on the dynamically changing criteria; and
  - selectively allowing access to the requested content based on authorization of the different credential information.
Dependent claims: 15, 16, 17, 18, 19, 20.
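The three independent claims describe one control loop: extract credentials from the flow according to the current rules, query the client when what was extracted is insufficient, request a different credential once the first is affirmatively authenticated, then selectively allow access. The following Python example is added here to model that loop over constructed packets; it is not the patent holder's code, and `Rule`, `AccessController`, the `ask_client` hook and all sample values (session id, OTP, header names) are assumptions.

```python
import hmac
from dataclasses import dataclass, field
from typing import Callable, Optional

Packet = dict  # constructed stand-in for one inspected packet: field name -> value

@dataclass
class Rule:
    """One criterion: which field deep packet inspection pulls from the flow, and how it is checked."""
    name: str
    header: str
    verify: Callable[[str], bool]
    def extract(self, flow: list) -> Optional[str]:
        # First packet in the flow that carries the header supplies the credential.
        return next((p[self.header] for p in flow if self.header in p), None)

@dataclass
class AccessController:
    criteria: list                                # replaced at runtime: the "dynamically changing criteria"
    step_up: list = field(default_factory=list)   # the "different credential" requested after criteria pass
    def update_criteria(self, criteria, step_up=()):
        """A rule arriving from another device changes what is extracted and evaluated."""
        self.criteria, self.step_up = list(criteria), list(step_up)
    def decide(self, flow, ask_client):
        """ask_client(name) is a hypothetical hook returning the packet the client sends in reply to a
        query. Returns (decision, names of credentials the client was queried for)."""
        queries = []
        def satisfy(rule, force_query=False):
            value = None if force_query else rule.extract(flow)
            if value is None:                     # insufficient: query, answer arrives in a later packet
                queries.append(rule.name)
                flow.append(ask_client(rule.name))
                value = rule.extract(flow)
            return value is not None and rule.verify(value)
        if not all(satisfy(r) for r in self.criteria):
            return "deny", queries
        if not all(satisfy(r, force_query=True) for r in self.step_up):  # only after first factor passed
            return "deny", queries
        return "allow", queries                   # selectively allow access to the resource

VALID_SESSIONS = {"sess-7f3a"}                    # constructed sample data
def default_controller():
    return AccessController(
        criteria=[Rule("session", "Cookie", lambda v: v in VALID_SESSIONS)],
        step_up=[Rule("otp", "X-OTP", lambda v: hmac.compare_digest(v, "482913"))])

def run(flow, answers, controller=None):
    # answers: constructed map of query name -> packet the client would send back to that query.
    ctl = controller or default_controller()
    return ctl.decide(list(flow), lambda name: answers.get(name, {}))
```

Swapping the rule set via `update_criteria` shows the dynamic part: the same flow that passed under a session-cookie rule is queried for, and denied without, a client certificate name once the criteria change.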
Specification