802.1X access session keepalive method, device, and system

US 9,918,353 B2
Filed: 09/17/2013
Issued: 03/13/2018
Est. Priority Date: 02/19/2013
Status: Active Grant

First Claim

Patent Images

1. A method for keeping an 802.1X access session alive, comprising:

determining, by an authenticating node, a Keeplive period of the authenticating node for an 802.1X client according to one of a recommended Keeplive period carried in an Extensible Authentication Protocol over Local Area Network (EAPOL)-Start-Announcement request or an announcement request and sent by the 802.1X client, a local Keeplive period configured locally at the authenticating node, and an authorized Keeplive period carried in an access-granted message and sent by an authenticating server for the 802.1X client;

sending, by the authenticating node, according to the Keeplive period of the authenticating node EAPOL-Keeplive request to the 802.1X client while the 802.1X client is connected to a network for determining whether the 802.1X client loses connection to the network abnormally;

determining, by the authenticating node, that the 802.1X client loses connection to the network abnormally, when the authenticating node does not receive, within a predetermined period of time at the authenticating node, a Keeplive response sent by the 802.1X client in response to the EAPOL-Keeplive request sent by the authenticating node to the 802.1X client;

determining, by the authenticating node, that the 802.1X client is connected to the network, when the authenticating node receives, within the predetermined period of time at the authenticating node, the Keeplive response sent by the 802.1X client in response to the EAPOL-Keeplive request sent by the authenticating node to the 802.1X client;

before sending, by the authenticating node to the 802.1X client, or by the 802.1X client to the authenticating node, the EAPOL-Keeplive request receiving, by the authenticating node, the EAPOL-Start-Announcement request sent by the 802.1X client and sending to the 802.1X client an EAPOL-EAP-Request-Identity message;

receiving, by the authenticating node, an EAPOL-EAP-Response-Identity message sent by the 802.1X client in response to the EAPOL-EAP-Request-Identity message, packing, by the authenticating node, the EAPOL-EAP-Response-Identity message into an Access-Request, and sending, by the authenticating node, the Access-Request to the authenticating server;

determining, by the authenticating server with the 802.1X client through the authenticating node, an authentication mode according to the Access-Request, and authenticating, by the authenticating server, the 802.1X client according to the authentication mode; and

packing, by the authenticating server, an authentication-succeeds result into an access-granted message, or an authentication-fails result into an access-refused message, and sending, by the authenticating server, the access-granted or access-refused message to the authenticating node, wherein during access authentication of the 802.1X client, when the EAPOL-Start-Announcement request sent by the 802.1X client does not comprise the recommended Keeplive period, packing, by the 802.1X client, the recommended Keeplive period into the announcement request, and sending, by the 802.1X client, the announcement request to the authenticating node, such that the authenticating node determines the Keeplive period of the authenticating node.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to the field of communications. Disclosed are an 802.1X access session keepalive method, device, and system. The method comprises: during network access of a 802.1X client, an authenticating node used for access authentication sending, to the 802.1X client according to an actual keepalive period of the authenticating node, a keepalive request message used for determining whether the 802.1X client is off-net abnormally; and during a preset duration of the authenticating node, if the authenticating node does not receive a keepalive response message from the 802.1X client in response to the keepalive request message, the authenticating node determining that the 802.1X client is off-net abnormally; otherwise, determining that the 802.1X client is on-net normally. The embodiments of the present invention improve network resource utilization, reduce the security problem caused by too heavy load of the authenticating node, and lower the risk of errors in charging on time.

24 Citations

View as Search Results

16 Claims

1. A method for keeping an 802.1X access session alive, comprising:
- determining, by an authenticating node, a Keeplive period of the authenticating node for an 802.1X client according to one of a recommended Keeplive period carried in an Extensible Authentication Protocol over Local Area Network (EAPOL)-Start-Announcement request or an announcement request and sent by the 802.1X client, a local Keeplive period configured locally at the authenticating node, and an authorized Keeplive period carried in an access-granted message and sent by an authenticating server for the 802.1X client;
  
  sending, by the authenticating node, according to the Keeplive period of the authenticating node EAPOL-Keeplive request to the 802.1X client while the 802.1X client is connected to a network for determining whether the 802.1X client loses connection to the network abnormally;
  
  determining, by the authenticating node, that the 802.1X client loses connection to the network abnormally, when the authenticating node does not receive, within a predetermined period of time at the authenticating node, a Keeplive response sent by the 802.1X client in response to the EAPOL-Keeplive request sent by the authenticating node to the 802.1X client;
  
  determining, by the authenticating node, that the 802.1X client is connected to the network, when the authenticating node receives, within the predetermined period of time at the authenticating node, the Keeplive response sent by the 802.1X client in response to the EAPOL-Keeplive request sent by the authenticating node to the 802.1X client;
  
  before sending, by the authenticating node to the 802.1X client, or by the 802.1X client to the authenticating node, the EAPOL-Keeplive request receiving, by the authenticating node, the EAPOL-Start-Announcement request sent by the 802.1X client and sending to the 802.1X client an EAPOL-EAP-Request-Identity message;
  
  receiving, by the authenticating node, an EAPOL-EAP-Response-Identity message sent by the 802.1X client in response to the EAPOL-EAP-Request-Identity message, packing, by the authenticating node, the EAPOL-EAP-Response-Identity message into an Access-Request, and sending, by the authenticating node, the Access-Request to the authenticating server;
  
  determining, by the authenticating server with the 802.1X client through the authenticating node, an authentication mode according to the Access-Request, and authenticating, by the authenticating server, the 802.1X client according to the authentication mode; and
  
  packing, by the authenticating server, an authentication-succeeds result into an access-granted message, or an authentication-fails result into an access-refused message, and sending, by the authenticating server, the access-granted or access-refused message to the authenticating node, wherein during access authentication of the 802.1X client, when the EAPOL-Start-Announcement request sent by the 802.1X client does not comprise the recommended Keeplive period, packing, by the 802.1X client, the recommended Keeplive period into the announcement request, and sending, by the 802.1X client, the announcement request to the authenticating node, such that the authenticating node determines the Keeplive period of the authenticating node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1, further comprising:
    - while the 802.1X client is connected to the network, sending, by the 802.1X client according to a Keeplive period of the 802.1X client, to the authenticating node, an EAPOL-Keeplive request for determining whether the authenticating node is in an abnormal state;
      
      when the 802.1X client receives, within a predetermined period of time at the 802.1X client, no Keeplive response sent by the authenticating node in response to the EAPOL-Keeplive request sent by the 802.1X client to the authenticating node, determining, by the 802.1X client, that the authenticating node is in an abnormal state;
      
      otherwise when the 802.1X client receives, within the predetermined period of time at the 802.1X client, a Keeplive response sent by the authenticating node in response to the EAPOL-Keeplive request sent by the 802.1X client to the authenticating node, determining that the authenticating node is in a normal state.
  - 3. The method according to claim 2, further comprising:
    - before sending, by the authenticating node to the 802.1X client, or by the 802.1X client to the authenticating node, the EAPOL-Keeplive request, receiving, by the authenticating node, an EAPOL-Start-Announcement request sent by the 802.1X client, and sending to the 802.1X client an EAPOL-EAP-Request-Identity message;
      
      receiving, by the authenticating node, an EAPOL-EAP-Response-Identity message sent by the 802.1X client in response to the EAPOL-EAP-Request-Identity message, packing, by the authenticating node, the EAPOL-EAP-Response-Identity message into an Access-Request, and sending, by the authenticating node, the Access-Request to the authenticating server;
      
      determining, by the authenticating server with the 802.1X client through the authenticating node, an authentication mode according to the Access-Request, and authenticating, by the authenticating server, the 802.1X client according to the authentication mode; and
      
      packing, by the authenticating server, an authentication-succeeds result into an access-granted message, or an authentication-fails result into an access-refused message, and sending, by the authenticating server, the access-granted or access-refused message to the authenticating node.
  - 4. The method according to claim 3, wherein during access authentication of the 802.1X client, when the EAPOL-Start-Announcement request sent by the 802.1X client does not comprise the recommended Keeplive period, packing, by the 802.1X client, the recommended Keeplive period into an announcement request, and sending, by the 802.1X client, the announcement request to the authenticating node, such that the authenticating node determines the Keeplive period of the authenticating node.
  - 5. The method according to claim 1, further comprising:
    - acquiring, by the authenticating node, an authorization attribute for activating a Keeplive option in the received access-granted message by resolving the received access-granted message, and activating, by the authenticating node, according to the authorization attribute for activating the Keeplive option, a Keeplive option of an 802.1X client corresponding to a specified identity or service manage domain identifier, such that an 802.1X access session is kept alive.
  - 6. The method according to claim 5, further comprising:
    - before determining, by the authenticating node, the Keeplive period of the authenticating node for the 802.1X client,resolving, by the authenticating node, the received EAPOL-Start-Announcement request or the received announcement request, and acquiring the recommended Keeplive period in the resolved message; and
      
      resolving, by the authenticating node, the received access-granted message, and acquiring the authorized Keeplive period in the resolved access-granted message.
  - 7. The method according to claim 5, wherein the Keeplive period of the 802.1X client is a default Keeplive period local to the 802.1X client.
  - 8. The method according to claim 7, further comprising:
    - acquiring, by the 802.1X client by resolving the Keeplive response received by the 802.1X client, a forced Keeplive period in the Keeplive response received by the 802.1X client, and adjusting, by the 802.1X client, the Keeplive period of the 802.1X client according to the forced Keeplive period.

9. A system for keeping an 802.1X access session alive, comprising:
- an 802.1X client;
  
  an authenticating node for access authentication; and
  
  an authenticating server, wherein the authenticating node is configured for;
  
  determining a Keeplive period of the authenticating node for the 802.1X client according to one of a recommended Keeplive period carried in an Extensible authentication Protocol over Local Area Network (EAPOL)-Start-Announcement request or an announcement request and sent by the 802.1X client, a local Keeplive period configured locally at the authenticating node, and an authorized Keeplive period carried in an access-granted message and sent by an authenticating server for the 802.1X client;
  
  sending, according to the Keeplive period of the authenticating node EAPOL-Keeplive request to the 802.1X client while the 802.1X client is connected to a network for determining whether the 802.1X client loses connection to the network abnormally;
  
  determining that the 802.1X client loses connection to the network abnormally, when the authenticating node does not receive, within a predetermined period of time at the authenticating node, a Keeplive response sent by the 802.1X client in response to the EAPOL-Keeplive request sent by the authenticating node to the 802.1X client; and
  
  determining that the 802.1X client is connected to the network, when the authenticating node receives, within the predetermined period of time at the authenticating node, the Keeplive response sent by the 802.1X client in response to the EAPOL-Keeplive request sent by the authenticating node to the 802.1X client;
  
  before the authenticating node sends to the 802.1X client or the 802.1X client sends to the authenticating node, the EAPOL-Keeplive request receiving the EAPOL-Start-Announcement request sent by the 802.1X client and sending to the 802.1X client an EAPOL-EAP-Request-Identity message;
  
  receiving an EAPOL-EAP-Response-Identity message sent by the 802.1X client in response to the EAPOL-EAP-Request-Identity message, packing the EAPOL-EAP-Response-Identity message into an Access-Request and sending the Access-Request to the authenticating server;
  
  wherein the authenticating server is configured for;
  
  determining an authentication mode with the 802.1X client through the authenticating node according to the Access-Request, and authenticating the 802.1X client according to the authentication mode; and
  
  packing an authentication-succeeds result into an access-granted message, or an authentication-fails result into an access-refused message, and sending the access-granted or access-refused message to the authenticating node; and
  
  wherein the 802.1X client is further configured for;
  
  during access authentication of the 802.1X client when the EAPOL-Start-Announcement request sent by the 802.1X client does not comprise the recommended Keeplive period, packing the recommended Keeplive period into the announcement request and sending the announcement request to the authenticating node, such that the authenticating node determines the Keeplive period of the authenticating node.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The system according to claim 9, wherein the 802.1X client is configured for:
    - while the 802.1X client is connected to the network, sending, according to a Keeplive period of the 802.1X client, to the authenticating node, an EAPOL-Keeplive request for determining whether the authenticating node is in an abnormal state;
      
      when the 802.1X client receives, within a predetermined period of time at the 802.1X client, no Keeplive response sent by the authenticating node in response to the EAPOL-Keeplive request sent by the 802.1X client to the authenticating node, determining that the authenticating node is in an abnormal state;
      
      otherwise when the 802.1X client receives, within the predetermined period of time at the 802.1X client, a Keeplive response sent by the authenticating node in response to the EAPOL-Keeplive request sent by the 802.1X client to the authenticating node, determining that the authenticating node is in a normal state.
  - 11. The system according to claim 9, wherein the authenticating node is further configured for:
    - acquiring an authorization attribute for activating a Keeplive option in the received access-granted message by resolving the received access-granted message, and activating, according to the authorization attribute for activating the Keeplive option, a Keeplive option of an 802.1X client corresponding to a specified identity or service manage domain identifier, such that an 802.1X access session is kept alive.
  - 12. The system according to claim 11, wherein the authenticating node is further configured for:
    - resolving the received EAPOL-Start-Announcement request or the received announcement request, and acquiring the recommended Keeplive period in the resolved message; and
      
      resolving the received access-granted message, and acquiring the authorized Keeplive period in the resolved access-granted message.
  - 13. The system according to claim 11, wherein the Keeplive period of the 802.1X client is a default Keeplive period local to the 802.1X client.
  - 14. The system according to claim 13, wherein the 802.1X client is further configured for:
    - acquiring, by resolving the Keeplive response received by the 802.1X client, a forced Keeplive period in the Keeplive response received by the 802.1X client, and adjusting the Keeplive period of the 802.1X client according to the forced Keeplive period.

15. An authenticating node, comprising a processor and a memory coupled to the processor which is configured to execute one or more programmed instructions comprising and stored in the memory to:
- determine a Keeplive period of the authenticating node for an 802.1X client according to one of a recommended Keeplive period carried in an Extensible authentication Protocol over Local Area Network (EAPOL)-Start-Announcement request or an announcement request and sent by the 802.1X client, a local Keeplive period configured locally at the authenticating node, and an authorized Keeplive period carried in an access-granted message and sent by an authenticating server for the 802.1X client;
  
  send, according to the Keeplive period of the authenticating node EAPOL-Keeplive request to the 802.1X client while the 802.1X client is connected to a network for determining whether the 802.1X client loses connection to the network abnormally;
  
  determine that the 802.1X client loses connection to the network abnormally, when the authenticating node does not receive, within a predetermined period of time at the authenticating node, a Keeplive response sent by the 802.1X client in response to the EAPOL-Keeplive request sent by the authenticating node to the 802.1X client;
  
  determine that the 802.1X client is connected to the network, when the authenticating node receives, within the predetermined period of time at the authenticating node, the Keeplive response sent by the 802.1X client in response to the EAPOL-Keeplive request sent by the authenticating node to the 802.1X client;
  
  before sending to the 802.1X client the EAPOL-Keeplive request receive the EAPOL-Start-Announcement request sent by the 802.1X client and send to the 802.1X client an EAPOL-EAP-Request-Identity message;
  
  receive an EAPOL-EAP-Response-Identity message sent by the 802.1X client in response to the EAPOL-EAP-Request-Identity message, pack the EAPOL-EAP -Response-Identity message into an Access-Request and send the Access-Request to the authenticating server;
  
  receive the access-granted or access-refused message from the authentication server; and
  
  during access authentication of the 802.1X client receive the announcement request packing the recommended Keeplive period from the 802.1X client when the EAPOL-Start-Announcement request sent by the 802.1X client does not comprise the recommended Keeplive period.

16. An 802.1X client, comprising a processor and a memory coupled to the processor which is configured to execute one or more programmed instructions comprising and stored in the memory to:
- receive an Extensible Authentication Protocol over LAN (EAPOL)-Keeplive request sent by an authenticating node according to a Keeplive period of the authenticating node for the 802.1X client while the 802.1X client is connected to a network, the EAPOL-Keeplive request being for determining whether the 802.1X client loses connection to the network abnormally;
  
  send to the authenticating node, within a predetermined period of time at the authenticating node, a Keeplive response in response to the EAPOL-Keeplive request sent by the authenticating node, wherein the Keeplive period of the authenticating node for the 802.1X client is determined by the authenticating node according to one of a recommended Keeplive period carried in an Extensible Authentication Protocol over Local Area Network (EAPOL)-Start-Announcement request or an announcement request and sent by the 802.1X client, a local Keeplive period configured locally at the authenticating node, and an authorized Keeplive period carried in an access-granted message and sent by an authenticating server for the 802.1X;
  
  before sending to the authenticating node the EAPOL-Keeplive request, send the EAPOL-Start-Announcement request to the authentication node and receive an EAPOL-EAP-Request-Identity message from the authentication node;
  
  send an EAPOL-EAP-Response-Identity message to the authentication node in response to the EAPOL-EAP-Request-Identity message; and
  
  during access authentication of the 802.1X client when the EAPOL-Start-Announcement request does not comprise the recommended Keeplive period, pack the recommended Keeplive period into the announcement request and send the announcement request to the authenticating node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ZTE Corporation
Original Assignee
ZTE Corporation
Inventors
Liang, Qiandeng, Fan, Liang
Primary Examiner(s)
Lai, Andrew
Assistant Examiner(s)
Nguyen, Chuong M

Application Number

US14/766,053
Publication Number

US 20150382397A1
Time in Patent Office

1,638 Days
Field of Search
US Class Current
CPC Class Codes

H04L 67/142   Managing session states for...

H04L 69/28   Timers or timing mechanisms...

H04W 12/06   Authentication

H04W 76/19   Connection re-establishment

H04W 76/25   Maintenance of established ...

H04W 84/12   WLAN [Wireless Local Area N...

802.1X access session keepalive method, device, and system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

24 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

802.1X access session keepalive method, device, and system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links