Off-site user access control

US 9,917,840 B2
Filed: 09/09/2016
Issued: 03/13/2018
Est. Priority Date: 10/16/2012
Status: Active Grant

First Claim

Patent Images

1. A method for off-site access control in a communications system, the method comprising:

receiving, by a router, a communication request from a user device for communications over an external network;

wherein the user device is communicatively coupled with a site-based communications network, and the router controls access between the site-based communications network and the external network;

determining, by the router, whether the user device is one of a plurality of authorized devices included on an access control list;

when the user device is one of the authorized devices included on the access control list, automatically routing, by the router, outgoing network traffic originating from the user device to the external network; and

when the user device is not one of the authorized devices included on the access control list;

forwarding one or more packets forming the communication request from the user device to an off-site authentication system over the external network without modifying the one or more packets;

after forwarding the one or more packets forming the communication request to the off-site authentication system, receiving an authentication response from the off-site authentication system, the authentication response directing the router to add the user device to the access control list;

adding the user device to the access control list in response to the authentication response; and

after adding the user device to the access control list, automatically routing, by the router, outgoing network traffic originating from the user device to the external network.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described for off-site user access control to communications services via a site-based communications network. Embodiments operate in context of sites, each having one or more site-based networks in communication with external networks via one or more on-site routers. User devices are provided with controlled access to those external networks via wired or wireless connections between those user devices and the site based networks. In some embodiments, on-site routers maintain route maps that indicate which user devices are authorized. Standard routing functions are used so that traffic from authorized devices is routed normally, while traffic from unauthorized devices is automatically forwarded to an off-site (e.g., cloud-based) authentication system. As devices become remotely authenticated, the off-site authentication system can remotely update route maps of the on-site routers to add those devices.

50 Citations

View as Search Results

20 Claims

1. A method for off-site access control in a communications system, the method comprising:
- receiving, by a router, a communication request from a user device for communications over an external network;
  
  wherein the user device is communicatively coupled with a site-based communications network, and the router controls access between the site-based communications network and the external network;
  
  determining, by the router, whether the user device is one of a plurality of authorized devices included on an access control list;
  
  when the user device is one of the authorized devices included on the access control list, automatically routing, by the router, outgoing network traffic originating from the user device to the external network; and
  
  when the user device is not one of the authorized devices included on the access control list;
  
  forwarding one or more packets forming the communication request from the user device to an off-site authentication system over the external network without modifying the one or more packets;
  
  after forwarding the one or more packets forming the communication request to the off-site authentication system, receiving an authentication response from the off-site authentication system, the authentication response directing the router to add the user device to the access control list;
  
  adding the user device to the access control list in response to the authentication response; and
  
  after adding the user device to the access control list, automatically routing, by the router, outgoing network traffic originating from the user device to the external network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein forwarding the one or more packets forming the communication request from the user device to the off-site authentication system over the external network without modifying the one or more packets comprises acting as a transparent proxy between the user device and the off-site authentication system.
  - 3. The method of claim 1, wherein forwarding the one or more packets forming the communication request from the user device to the off-site authentication system over the external network without modifying the one or more packets comprises encapsulating the one or more packets of the communication request within data of a logical tunnel between the router and the off-site authentication system.
  - 4. The method of claim 1, further comprising continuing to forward packets from the user device to the off-site authentication system during a period of time between forwarding the one or more packets forming the communication request and receiving the authentication response.
  - 5. The method of claim 1, further comprising removing the user device from the access control list after an authorization has expired for the user device.
  - 6. The method of claim 1, wherein, after forwarding the one or more packets forming the communication request to the off-site authentication system but before receiving the authentication response from the off-site authentication system, the method further comprises:
    - receiving a captive authentication portal from the off-site authentication system for the user device to become authorized to communicate as requested over the external network;
      
      communicating the captive authentication portal from the router to the user device;
      
      receiving an authentication request from the user device according to the captive authentication portal;
      
      forwarding the authentication request to the off-site authentication system.
  - 7. The method of claim 6, wherein:
    - the captive authentication portal comprises an authentication prompt; and
      
      receiving the authentication request from the user device according to the captive authentication portal comprises;
      
      communicating the captive authentication portal from the router to the user device in such a way as to display the authentication prompt via a user interface of the user device; and
      
      receiving the authentication request from the user device in response to the authentication prompt via the user interface.
  - 8. The method of claim 7, wherein:
    - the user interface is a browser interface; and
      
      the captive authentication portal comprises content page data of a captive portal webpage that includes the authentication prompt and is configured for display via the browser interface of the user device.
  - 9. The method of claim 7, wherein the authentication request comprises user credentials submitted by a user via the user interface.
  - 10. The method of claim 6, wherein:
    - the user device is running a local authentication application having a set of stored credentials;
      
      the captive authentication portal comprises an authentication prompt configured to request the set of stored credentials from the local authentication application; and
      
      receiving the authentication request from the user device according to the captive authentication portal comprises receiving the set of stored credentials from the local authentication application authentication in response to the authentication prompt.

11. A router disposed in a site-based communications network for controlling access between the site-based communication network and an external network, the router comprising:
- a storage device storing therein a route map indicating a plurality of authorized user devices, the route map operable to designate traffic originating from any of the plurality of authorized devices for routing to the external network, and operable to designate traffic originating from any user device that is not one of the plurality of authorized devices for forwarding to an off-site authentication system; and
  
  a communications subsystem operable to;
  
  receive a communication request from a user device communicatively coupled with the site-based communications network, the communication request being for communications to the external network;
  
  route outgoing network traffic originating from the user device to the external network when the communication request is designated as originating from one of the plurality of authorized devices according to the route map; and
  
  when the communication request is designated as originating from other than one of the plurality of authorized devices according to the route map;
  
  forward one or more packets forming the communication request to the off-site authentication system over the external network without modifying the one or more packets;
  
  after forwarding the one or more packets forming the communication request to the off-site authentication system, receive an authentication response from the off-site authentication system, the authentication response directing the router to add the user device to the plurality of authorized devices;
  
  update the route map to include the user device as one of the plurality of authorized user devices in response to the authentication response; and
  
  route outgoing network traffic originating from the user device to the external network after updating the route map according to the authentication response.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The router of claim 11, wherein the communications subsystem is further operable to forward the one or more packets forming the communication request to the off-site authentication system by acting as a transparent proxy between the user device and the off-site authentication system.
  - 13. The router of claim 11, wherein the communications subsystem is further operable to forward the one or more packets forming the communication request to the off-site authentication system by encapsulating the one or more packets of the communication request within data of a logical tunnel between the router and the off-site authentication system.
  - 14. The router of claim 11, wherein the communications subsystem is further operable to continue to forward packets from the user device to the off-site authentication system during a period of time between forwarding the one or more packets forming the communication request and receiving the authentication response.
  - 15. The router of claim 11, wherein the communications subsystem is further operable to update the route map to delete the user device from the plurality of authorized user devices after an authorization has expired for the user device.
  - 16. The router of claim 11, wherein, after forwarding the one or more packets forming the communication request to the off-site authentication system but before receiving the authentication response from the off-site authentication system, the communications subsystem is further operable to:
    - receive a captive authentication portal from the off-site authentication system for the user device to become authorized to communicate as requested over the external network;
      
      communicate the captive authentication portal to the user device;
      
      receive an authentication request from the user device according to the captive authentication portal;
      
      forward the authentication request to the off-site authentication system.
  - 17. The router of claim 16, wherein the communications subsystem is further operable to:
    - communicate the captive authentication portal to the user device in such a way as to display an authentication prompt via a user interface of the user device; and
      
      receive the authentication request from the user device in response to the authentication prompt via the user interface.
  - 18. The router of claim 16, wherein the communications subsystem is further operable to communicate the captive authentication portal from the router to the user device with a source address corresponding to a destination address originally requested in the communication request regardless of said destination address.
  - 19. The router of claim 16, wherein the communications subsystem is further operable to communicate the captive authentication portal from the router to the user device with a source address being different than a destination address originally requested in the communication request.
  - 20. The router of claim 11, wherein the route map is an access control list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Guest-tek Interactive Entertainment Ltd.
Original Assignee
Guest-tek Interactive Entertainment Ltd.
Inventors
Hulse, David Andrew, Bryars, Mark Howard
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
Stoica, Adrian

Application Number

US15/260,706
Publication Number

US 20160381029A1
Time in Patent Office

550 Days
Field of Search
US Class Current
CPC Class Codes

H04L 45/00   Routing or path finding of ...

H04L 45/02   Topology update or discovery

H04L 45/14   Routing performance; Theore...

H04L 63/08   for authentication of entit...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04W 12/068   using credential vaults, e....

Off-site user access control

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

50 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Off-site user access control

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links