Integration of authentication authorization and accounting service and proxy service

US RE41,811 E1
Filed: 10/02/2003
Issued: 10/05/2010
Est. Priority Date: 01/04/1999
Status: Expired due to Term

First Claim

Patent Images

1. A method executing on a hardware computer for managing network access to a data communications network, said method comprising:

maintaining a central database;

maintaining at least one authentication, authorization and accounting (AAA) service at a point of presence (PoP) of the data communications network; and

configuring a database associated with the AAA service from the central database, wherein said configuring includes publishing information from said central database on an information bus as at least one event, said AAA service subscribing to said event so as to receive said published information so as to thereby update its associated database;

further comprising;

receiving at a protocol gateway in the PoP a network access request from a user through a network access server (NAS);

parsing the network access request for an identification of the user'"'"'s domain;

routing the network access request to the AAA service at the PoP if the user'"'"'s domain corresponds to that of the PoP;

looking up a domain identification entry corresponding to the user'"'"'s domain in the AAA service'"'"'s database if the user'"'"'s domain does not correspond to that of the PoP;

proxying the network access request to an AAA service in the user'"'"'s domain at an address and port as specified in the domain identification entry of the database if the user'"'"'s domain does not correspond to that of the PoP.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A single database maintained centrally hosts both proxy service data and authentication, authorization and accounting (AAA) data. Data is then copied to storage used locally by each system when both systems are instantiated. Therefore the ISP/Telco need not maintain two different data bases. A protocol gateway (PGW) is used to determine if the incoming user is a wholesale or retail user. The PGW filters the domain portion of the access request to locate a remote AAA service. If one such service is found, the PGW routes the communication via the proxy service to proxy it to the remote AAA service. The returned packet from the remote AAA service is then searched for an IP address to be assigned to the incoming user. If one is not found the PGW obtains a dynamically allocated IP address from a DHCP server (using an IP-Pool-ID if supplied in the returned packet from the remote AAA service). The same mechanism is used to forward accounting event packets from the NAS to the remote AAA server. The PGW may monitor more than one proxy and/or AAA service and load balance among them.

50 Citations

View as Search Results

71 Claims

1. A method executing on a hardware computer for managing network access to a data communications network, said method comprising:
- maintaining a central database;
  
  maintaining at least one authentication, authorization and accounting (AAA) service at a point of presence (PoP) of the data communications network; and
  
  configuring a database associated with the AAA service from the central database, wherein said configuring includes publishing information from said central database on an information bus as at least one event, said AAA service subscribing to said event so as to receive said published information so as to thereby update its associated database;
  
  further comprising;
  
  receiving at a protocol gateway in the PoP a network access request from a user through a network access server (NAS);
  
  parsing the network access request for an identification of the user'"'"'s domain;
  
  routing the network access request to the AAA service at the PoP if the user'"'"'s domain corresponds to that of the PoP;
  
  looking up a domain identification entry corresponding to the user'"'"'s domain in the AAA service'"'"'s database if the user'"'"'s domain does not correspond to that of the PoP;
  
  proxying the network access request to an AAA service in the user'"'"'s domain at an address and port as specified in the domain identification entry of the database if the user'"'"'s domain does not correspond to that of the PoP.
- View Dependent Claims (2, 3, 4, 5)
- - 2. A method in accordance with claim 1, further comprising:
    - receiving at a protocol gateway in the PoP a network access request from a user through a network access server (NAS);
      
      parsing the network access request for an identification of the user'"'"'s domain;
      
      routing the network access request to the AAA service at the PoP if the user'"'"'s domain corresponds to that of the PoP;
      
      looking up a domain identification entry corresponding to the user'"'"'s domain in the AAA service'"'"'s database if the user'"'"'s domain does not correspond to that of the PoP;
      
      proxying the network access request to an AAA service in the user'"'"'s domain at an address and port as specified in the domain identification entry of the database if the user'"'"'s domain does not correspond to that of the PoP.
  - 3. A The method executing on the hardware computer in accordance with claim 2 1, further comprising:
    - obtaining an IP address for the user from the AAA service in the user'"'"'s domain if the user'"'"'s domain does not correspond to that of the PoP.
  - 4. A The method executing on the hardware computer in accordance with claim 2 1, further comprising:
    - assigning an IP address to the user from a local DHCP pool of IP address addresses if the user'"'"'s domain does not correspond to that of the PoP.
  - 5. A The method executing on the hardware computer in accordance with claim 2 1, further comprising:
    - assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user'"'"'s domain'"'"'s AAA service if the user'"'"'s domain does not correspond to that of the PoP.

6. A method executing on a hardware computer for managing network access to a data communications network, said method comprising:
- maintaining a central database;
  
  maintaining a plurality of authentication, authorization and accounting (AAA) services at a point of presence (PoP) of the data communication network; and
  
  configuring databases associated with the AAA services from the central database, wherein said configuring includes publishing information from said central database on an information bus as at least one event, said AAA services subscribing to said event so as to receive said published information so as to thereby update their associated databases;
  
  further comprising;
  
  receiving at a protocol gateway in the PoP a network access request from a user through a network access server (NAS);
  
  parsing the network access request for an identification of the user'"'"'s domain;
  
  routing the network access request to one of said plurality of AAA services at the PoP if the user'"'"'s domain corresponds to that of the PoP while load balancing among said plurality of AAA services;
  
  looking up a domain identification entry corresponding to the user'"'"'s domain in one of said plurality of AAA service'"'"'s databases if the user'"'"'s domain does not correspond to that of the PoP;
  
  proxying the network access request to an AAA service in the user'"'"'s domain at an address and port as specified in the domain identification entry of the database if the user'"'"'s domain does not correspond to that of the PoP.
- View Dependent Claims (7, 8, 9, 10)
- - 7. A method in accordance with claim 6, further comprising:
    - receiving at a protocol gateway in the PoP a network access request from a user through a network access server (NAS);
      
      parsing the network access request for an identification of the user'"'"'s domain;
      
      routing the network access request to one of said plurality of AAA services at the PoP if the user'"'"'s domain corresponds to that of the PoP while load balancing among said plurality of AAA services;
      
      looking up a domain identification entry corresponding to the user'"'"'s domain in one of said plurality of AAA service'"'"'s databases if the user'"'"'s domain does not correspond to that of the PoP;
      
      proxying the network access request to an AAA service in the user'"'"'s domain at an address and port as specified in the domain identification entry of the database if the user'"'"'s domain does not correspond to that of the PoP.
  - 8. A The method executing on the hardware computer in accordance with claim 7 6, further comprising:
    - obtaining an IP address for the user from the AAA service in the user'"'"'s domain if the user'"'"'s domain does not correspond to that of the PoP.
  - 9. A The method executing on the hardware computer in accordance with claim 7 6, further comprising:
    - assigning an IP address to the user from a local DHCP pool of IP address addresses if the user'"'"'s domain does not correspond to that of the PoP.
  - 10. A The method executing on the hardware computer in accordance with claim 7 6, further comprising:
    - assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user'"'"'s domain'"'"'s AAA service if the user'"'"'s domain does not correspond to that of the PoP.

11. A method executing on a hardware computer for managing network access to a data communications network, said method comprising:
- maintaining a central database, said central database containing access information for authentication, authorization and accounting services associated with domains of the data communications network;
  
  maintaining at a point of presence (PoP) of the data communications network at least one AAA service and at least one proxy service and at least one protocol gateway in communication with a network access server (NAS);
  
  periodically publishing information contained in said central database;
  
  subscribing at said AAA and said proxy service to information published from said central database;
  
  receiving at a protocol gateway in the PoP a network access request from a user through a network access server (NAS);
  
  parsing the network access request at the protocol gateway for an identification of the user'"'"'s domain;
  
  routing the network access request to an AAA service at the PoP if the user'"'"'s domain corresponds to that of the PoP;
  
  looking up access information within a domain identification entry corresponding to the user'"'"'s domain in a database associated with the proxy server if the user'"'"'s domain does not correspond to that of the PoP; and
  
  proxying the network access request to an AAA service in the user'"'"'s domain at an address and port as specified in the access information if the user'"'"'s domain does not correspond to that of the PoP.
- View Dependent Claims (12, 13, 14)
- - 12. A The method executing on the hardware computer in accordance with claim 11, further comprising:
    - obtaining an IP address for the user from an AAA service in the user'"'"'s domain if the user'"'"'s domain does not correspond to that of the PoP.
  - 13. A The method executing on the hardware computer in accordance with claim 11, further comprising:
    - assigning an IP address to the user from a local DHCP pool of IP address addresses if the user'"'"'s domain does not correspond to that of the PoP.
  - 14. A The method executing on the hardware computer in accordance with claim 11, further comprising:
    - assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user'"'"'s domain'"'"'s AAA service if the user'"'"'s domain does not correspond to that of the PoP.

15. A method executing on a hardware computer of managing network access requests to a data communications network, said method comprising:
- receiving at a protocol gateway in a point of presence (PoP) of the data communications network a network access request from a user through a network access server (NAS);
  
  parsing the network access request for an identification of the user'"'"'s domain;
  
  routing the network access request to one of the plurality of authentication, authorization and accounting (AAA) services associated with the PoP if the user'"'"'s domain corresponds to that of the PoP while load balancing among the plurality of AAA services;
  
  looking up a domain identification entry corresponding to the user'"'"'s domain in a database if the user'"'"'s domain does not correspond to that of the PoP;
  
  proxying the network access request via one of a plurality of proxy services to an AAA service in the user'"'"'s domain at an address and port as specified in the domain identification entry of the database if the user'"'"'s domain does not correspond to that of the PoP while load balancing among the plurality of proxy services.
- View Dependent Claims (16, 17, 18)
- - 16. A The method executing on the hardware computer in accordance with claim 15, further comprising:
    - obtaining an IP address for the user from the AAA service in the user'"'"'s domain if the user'"'"'s domain does not correspond to that of the PoP.
  - 17. A The method executing on the hardware computer in accordance with claim 15, further comprising:
    - assigning an IP address to the user from a local DHCP pool of IP address addresses if the user'"'"'s domain does not correspond to that of the PoP.
  - 18. A The method executing on the hardware computer in accordance with claim 15, further comprising:
    - assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user'"'"'s domain'"'"'s AAA service if the user'"'"'s domain does not correspond to that of the PoP.

19. A method executing on a hardware computer for managing network access to a data communications network, said method comprising:
- maintaining a central database, said central database containing access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
  
  maintaining at a point of presence (PoP) of the data communications network a plurality of AAA services at least one AAA service and at least one proxy service and at least one protocol gateway in communication with a network access server (NAS);
  
  periodically publishing information contained in said central database;
  
  subscribing at said AAA and said proxy service to information published from said central database;
  
  receiving at a protocol gateway in the PoP a network access request from a user through a network access server (NAS);
  
  parsing the network access request at the protocol gateway for an identification of the user'"'"'s domain;
  
  routing the network access request to one of said plurality of AAA services at the PoP if the user'"'"'s domain corresponds to that of the PoP while load balancing among said plurality of AAA services;
  
  looking up access information within a domain identification entry corresponding to the user'"'"'s domain in a database associated with one of said plurality of proxy services if the user'"'"'s domain does not correspond to that of the PoP while load balancing among said plurality of proxy services; and
  
  proxying the network access request to an AAA service in the user'"'"'s domain at an address and port as specified in the access information if the user'"'"'s domain does not correspond to that of the PoP.
- View Dependent Claims (20, 21, 22)
- - 20. A The method executing on the hardware computer in accordance with claim 19, further comprising:
    - obtaining an IP address for the user from an AAA service in the user'"'"'s domain if the user'"'"'s domain does not correspond to that of the PoP.
  - 21. A The method executing on the hardware computer in accordance with claim 19, further comprising:
    - assigning an IP address to the user from a local DHCP pool of IP address addresses if the user'"'"'s domain does not correspond to that of the PoP.
  - 22. A The method executing on the hardware computer in accordance with claim 19, further comprising:
    - assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user'"'"'s domain'"'"'s AAA service if the user'"'"'s domain does not correspond to that of the PoP.

23. A method executing on a hardware computer of managing network access requests to a data communications network, said method comprising:
- receiving at a protocol gateway in a point of presence (PoP) of the data communications network a network access request from a user through a network access server (NAS);
  
  parsing the network access request for an identification of the user'"'"'s domain;
  
  routing the network access request to an authentication, authorization and accounting (AAA) service associated with the PoP if the user'"'"'s domain corresponds to that of the PoP;
  
  looking up a domain identification entry corresponding to the user'"'"'s domain in a database if the user'"'"'s domain does not correspond to that of the PoP;
  
  proxying the network access request to an AAA service in the user'"'"'s domain at an address and port as specified in the domain identification entry of the database if the user'"'"'s domain does not correspond to that of the PoP.
- View Dependent Claims (24, 25, 26)
- - 24. A The method executing on the hardware computer in accordance with claim 23, further comprising:
    - obtaining an IP address for the user from the AAA service in the user'"'"'s domain if the user'"'"'s domain does not correspond to that of the PoP.
  - 25. A The method executing on the hardware computer in accordance with claim 23, further comprising:
    - assigning an IP address to the user from a local DHCP pool of IP address addresses if the user'"'"'s domain does not correspond to that of the PoP.
  - 26. A The method executing on the hardware computer in accordance with claim 23, further comprising:
    - assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user'"'"'s domain'"'"'s AAA service if the user'"'"'s domain does not correspond to that of the PoP.

27. A hardware system for data communications network access management, comprising:
- a central database containing information identifying access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
  
  a publisher, said publisher publishing information from said central database to subscribers over an information bus;
  
  a point of presence (PoP) on the data communications network, said PoP including a protocol gateway in communication with at least one network access server (NAS);
  
  an AAA service associated with said PoP and in communication with said protocol gateway, said AAA service subscribing to information published by said publisher; and
  
  a proxy service associated with the PoP and in communication with said protocol gateway, said proxy service subscribing to information published by said publisher, said protocol gateway receiving network access requests from users over the NAS, parsing the requests for domain identification and routing the requests for domains other than those associated with the PoP to the proxy service, said proxy service routing network access requests to AAA services in remote domains in accordance with said access information.
- View Dependent Claims (28)
- - 28. A The hardware system in accordance with claim 27, further comprising:
    - an AAA database associated with said AAA service; and
      
      a proxy database associated with said proxy service,said AAA database populated at instantiation of said AAA service by receiving information published by said publisher from said central database, said proxy database populated at instantiation of said proxy service by receiving information published by said publisher from said central database.

29. A hardware system for data communications network access management, comprising:
- a central database containing information identifying access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
  
  a publisher, said publisher publishing information from said central database to subscribers over an information bus;
  
  a point of presence (PoP) on the data communications network, said PoP including a protocol gateway in communication with at least one network access server (NAS);
  
  a plurality of AAA services associated with said PoP and in communication with said protocol gateway, said AAA services subscribing to information published by said publisher; and
  
  a plurality of proxy services associated with said PoP and in communication with said protocol gateway, said proxy services subscribing to information published by said publisher, said protocol gateway receiving network access requests from users over the NAS, parsing the requests for domain identification and routing the requests for domains other than those associated with the PoP to one of said plurality of proxy services while load balancing among them, said proxy service routing network access requests to AAA services in remote domains in accordance with said access information.
- View Dependent Claims (30)
- - 30. A The hardware system in accordance with claim 29, further comprising:
    - a plurality of AAA databases associated with said respective AAA services; and
      
      a plurality of proxy databases associated with said respective proxy services, said AAA databases populated at instantiation of said respective AAA services by receiving information published by said publisher from said central database, said proxy databases populated at instantiation of said respective proxy services by receiving information published by said publisher from said central database.

31. A method executing on a hardware computer for managing network access to a data communications network said method comprising:
- maintaining a central database coupled to the data communications network;
  
  maintaining at least a first authentication, authorization and accounting (AAA) service at a first point of presence (PoP) of the data communications network and second AAA service at a second PoP of the data communications network;
  
  configuring a database associated with the first AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the first AAA service; and
  
  configuring a database associated with the second AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the second AAA service;
  
  further comprising;
  
  receiving at a protocol gateway in the first PoP a network access request from a user through network access server (NAS);
  
  parsing the network access request for an identification of the user'"'"'s domain;
  
  routing the network access request to the first AAA service at the first PoP if the user'"'"'s domain corresponds to that of the first PoP;
  
  looking up a domain identification entry corresponding to the user'"'"'s domain in the first AAA service'"'"'s database if the user'"'"'s domain does not correspond to that of the first PoP;
  
  proxying the network access request to an AAA service in the user'"'"'s domain at an address and port as specified in the domain identification entry of the database if the user'"'"'s domain does not correspond to that of the first PoP.
- View Dependent Claims (32, 33, 34, 35, 36)
- - 32. The method executing on the hardware computer of claim 31 further comprising:
    - periodically updating the database associated with the first AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the first AAA service.
  - 33. The method executing on the hardware computer of claim 32 further comprising:
    - periodically updating the database associated with the second AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the second AAA service.
  - 34. The method executing on the hardware computer of claim 31 further comprising:
    - obtaining an IP address for the user from the AAA service in the user'"'"'s domain if the user'"'"'s domain does not correspond to that of the first PoP.
  - 35. The method executing on the hardware computer of claim 31 further comprising:
    - assigning an IP address to the user from a local DHCP pool of IP addresses if the user'"'"'s domain does not correspond to that of the first PoP.
  - 36. The method executing on the hardware computer of claim 31, further comprising:
    - assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user'"'"'s domain'"'"'s AAA service if the user'"'"'s domain does not correspond to that of the first PoP.

37. A method executing on a hardware computer for managing network access to a data communications network, said method comprising:
- maintaining a central database coupled to the data communications network;
  
  maintaining a plurality of first authentication, authorization and accounting (AAA) services at a first point of presence (PoP) of the data communications network and a second AAA service at a second PoP of the data communications network;
  
  configuring one or more databases associated with the first AAA services from the central database by transporting information from the central database over the data communications network to the database(s) associated with the first AAA services; and
  
  configuring a database associated with the second AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the second AAA service;
  
  further comprising;
  
  receiving at a protocol gateway in the first PoP a network access request from a user through a network access server (NAS);
  
  parsing the network access request for an identification of the user'"'"'s domain;
  
  routing the network access request to one of said plurality of first AAA services at the first PoP if the user'"'"'s domain corresponds to that of the first PoP while load balancing among said plurality of first AAA services;
  
  looking up a domain identification entry corresponding to the user'"'"'s domain in one of said plurality of first AAA service'"'"'s database(s) if the user'"'"'s domain does not correspond to that of the first PoP;
  
  proxying the network access request to an AAA service in the user'"'"'s domain at an address and port as specified in the domain identification entry of the database if the user'"'"'s domain does not correspond to that of the first PoP.
- View Dependent Claims (38, 39, 40)
- - 38. The method executing on the hardware computer of claim 37 further comprising:
    - obtaining an IP address for the user from the AAA service in the user'"'"'s domain if the user'"'"'s domain does not correspond to that of the first PoP.
  - 39. The method executing on the hardware computer of claim 37, further comprising:
    - assigning an IP address to the user from a local DHCP pool of IP addresses if the user'"'"'s domain does not correspond to that of the first PoP.
  - 40. The method executing on the hardware computer of claim 37 further comprising:
    - assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user'"'"'s domain'"'"'s AAA service if the user'"'"'s domain does not correspond to that of the first PoP.

41. A method executing on a hardware computer for managing network access to a data communications network, said method comprising:
- maintaining a central database coupled to the data communications network;
  
  said central database containing access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
  
  maintaining at a first point of presence (PoP) of the data communications network at least one first AAA service and at least one first proxy service and at least one first protocol gateway in communication with a network access server (NAS);
  
  periodically transporting information contained in the central database from the central database, over the data communications network, to the first AAA service(s), the first proxy service(s) and the first protocol gateway(s);
  
  receiving at a protocol gateway in the first PoP a network access request from a user through a network access server (NAS);
  
  parsing the network access request at the first protocol gateway for an identification of the user'"'"'s domain;
  
  routing the network access request to an AAA service at the first PoP if the user'"'"'s domain corresponds to that of the first PoP;
  
  looking up access information within a domain identification entry corresponding to the user'"'"'s domain in a database associated with the first proxy server if the user'"'"'s domain does not correspond to that of the first PoP; and
  
  proxying the network access request to an AAA service in the user'"'"'s domain at an address and port as specified in the access information if the user'"'"'s domain does not correspond to that of the first PoP.
- View Dependent Claims (42, 43, 44)
- - 42. The method executing on the hardware computer of claim 41, further comprising:
    - obtaining an IP address for the user from an AAA service in the user'"'"'s domain if the user'"'"'s domain does not correspond to that of the first PoP.
  - 43. The method executing on the hardware computer of claim 41, further comprising:
    - assigning an IP address to the user from a local DHCP pool of IP addresses if the user'"'"'s domain does not correspond to that of the first PoP.
  - 44. The method executing on the hardware computer of claim 41, further comprising:
    - assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user'"'"'s domain'"'"'s AAA service if the user'"'"'s domain does not correspond to that of the first PoP.

45. A method executing on a hardware computer for managing network access requests to a data communications network, said method comprising:
- receiving at a protocol gateway in a first point of presence (PoP) of the data communications network a network access request from a user received through a network access server (NAS);
  
  parsing the network access request for an identification of the user'"'"'s domain;
  
  routing the network access request to one of the plurality of authentication, authorization and accounting (AAA) services associated with the first PoP if the user'"'"'s domain corresponds to that of the first PoP while load balancing among the plurality of AAA services;
  
  looking up a domain identification entry corresponding to the user'"'"'s domain in a database associated with the one AAA if the user'"'"'s domain does not correspond to that of the first PoP;
  
  proxying the network access request via one of a plurality of proxy services to an AAA service in the user'"'"'s domain at an address and port as specified in the domain identification entry of the database if the user'"'"'s domain does not correspond to that of the first PoP while load balancing among the plurality of proxy services.
- View Dependent Claims (46, 47, 48)
- - 46. The method executing on the hardware computer of claim 45, further comprising:
    - obtaining an IP address for the user from the AAA service in the user'"'"'s domain if the user'"'"'s domain does not correspond to that of the first PoP.
  - 47. The method executing on the hardware computer of claim 45, further comprisingassigning an IP address to the user from a local DHCP pool of IP addresses if the user'"'"'s domain does not correspond to that of the first PoP.
  - 48. The method executing on the hardware computer of claim 45, further comprising:
    - assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user'"'"'s domain'"'"'s AAA service if the user'"'"'s domain does not correspond to that of the first PoP.

49. A method executing on a hardware computer for managing network access to a data communications network, said method comprising:
- maintaining a central database, said central database containing access information for authentication, authorization and accounting services associated with domains of the data communications network;
  
  maintaining at a first point of presence (PoP) of the data communications network a plurality of AAA services at least one AAA service and at least one proxy service and at least one protocol gateway in communication with a network access server (NAS);
  
  periodically transmitting information contained in said central database over the data communications network to said AAA and said proxy service;
  
  receiving at a protocol gateway in the PoP a network access request from a user through a network access server (NAS) parsing the network access request at the protocol gateway for an identification of the user'"'"'s domain;
  
  routing the network access request to one of said plurality of AAA services at the first PoP if the user'"'"'s domain corresponds to that of the first PoP while load balancing among said plurality of AAA services;
  
  looking up access information within a domain identification entry corresponding to the user'"'"'s domain in a database associated with one of said plurality of proxy services if the user'"'"'s domain does not correspond to that of the first PoP while load balancing among said plurality of proxy services; and
  
  proxying the network access request to an AAA service in the user'"'"'s domain at an address arid port as specified in the access information if the user'"'"'s domain does not correspond to that of the first PoP.
- View Dependent Claims (50, 51, 52)
- - 50. The method executing on the hardware computer of claim 49, further comprising:
    - obtaining an IP address for the user from an AAA service in the user'"'"'s domain if the user'"'"'s domain does not correspond to that of the first PoP.
  - 51. The method executing on the hardware computer of claim 49, further comprising:
    - assigning an IP address to the user from a local DHCP pool of IP addresses if the user'"'"'s domain does not correspond to that of the first PoP.
  - 52. The method executing on the hardware computer of claim 49, further comprising:
    - assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user'"'"'s domain'"'"'s AAA service if the user'"'"'s domain does not correspond to that of the first PoP.

53. A method executing on a hardware computer for managing network access requests to a data communications network, said method comprising:
- periodically transmitting updating information contained in a central database over the data communications network to an authentication, authorization and accounting (AAA) service associated with a first point of presence (PoP) of the data communications network;
  
  receiving at a protocol gateway in the first point of presence (PoP) of the data communications network a network access request from a user received through a network access server (NAS);
  
  parsing the network access request for an identification of the user'"'"'s domain;
  
  routing the network access request to the AAA service associated with the first PoP if the user'"'"'s domain corresponds to that of the first PoP;
  
  looking up a domain identification entry corresponding to the user'"'"'s domain in a database if the user'"'"'s domain does not correspond to that of the first PoP;
  
  proxying the network access request to an AAA service in the user'"'"'s domain at an address and port as specified in the domain identification entry of the database if the user'"'"'s domain does not correspond to that of the first PoP.
- View Dependent Claims (54, 55, 56)
- - 54. The method executing on the hardware computer of claim 53, further comprising:
    - obtaining an IP address for the user from the AAA service in the user'"'"'s domain if the user'"'"'s domain does not correspond to that of the first PoP.
  - 55. The method executing on the hardware computer of claim 53, further comprising:
    - assigning an IP address to the user from a local DHCP pool of IP addresses if the user'"'"'s domain does not correspond to that of the first PoP.
  - 56. The method executing on the hardware computer of claim 53, further comprising:
    - assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user'"'"'s domain'"'"'s AAA service if the user'"'"'s domain does not correspond to that of the first PoP.

57. A hardware system for data communications network access management, comprising:
- a central database containing information identifying access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
  
  a first point of presence (PoP) on the data communications network, said first PoP including a protocol gateway in communication with at least one network access server (NAS);
  
  an AAA service associated with said first PoP and in communication with said protocol gateway and the data communications network;
  
  proxy service associated with the first PoP and in communication with said protocol gateway and the data communications network;
  
  a transmitter, said transmitter transmitting information from said central database to said AAA service at said first PoP and said proxy service at said first PoP over the data communications network;
  
  said protocol gateway receiving network access requests from users over the NAS, parsing the requests for domain identification and routing the requests for domains other than those associated with the first PoP to the proxy service, said proxy service routing network access requests to AAA services in remote domains in accordance with said access information.
- View Dependent Claims (58)
- - 58. The hardware system of claim 57, further comprising:
    - an AAA database associated with said AAA service at said first PoP;
      
      a proxy database associated with said proxy service at said first PoP;
      
      said AAA database populated at instantiation of said AAA service by receiving information transmitted said transmitter from said central database;
      
      said proxy database populated at instantiation of said proxy service by receiving information transmitted by said transmitter from said database.

59. A hardware system for data communications network access management, comprising:
- a central database containing information identifying access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
  
  a first point of presence (PoP) on the data communications network, said first PoP including a protocol gateway in communication with at least one network access server (NAS);
  
  a plurality of AAA services associated with said first PoP and in communication with said protocol gateway, said AAA services subscribing to information published by said publisher;
  
  a plurality of proxy services associated with said first PoP and in communication with said protocol gateway, said proxy services subscribing to information published by said publisher; and
  
  a transmitter, said transmitter transmitting information from said central database over the data communications network to said plurality of AAA services associated with said first PoP and to said plurality of proxy services associated with said first PoP;
  
  said protocol gateway receiving network access requests from users over the NAS, parsing the requests for domain identification and routing the requests for domains other than those associated with the first PoP to one of said plurality of proxy services while load balancing among them;
  
  said proxy service routing network access requests to AAA services in remote domains in accordance with said access information.
- View Dependent Claims (60)
- - 60. The hardware system of claim 59, further comprisinga plurality of AAA databases associated with said respective AAA services at said first PoP;
    - and a plurality of proxy databases associated with said respective proxy services at said first PoP;
      
      said AAA databases populated at instantiation of said respective AAA services by receiving information transmitted by said transmitter from said central database;
      
      said proxy databases populated at instantiation of said respective proxy services by receiving information transmitted by said transmitter from said central database.

61. A hardware system for managing access to a data communications network, said system comprising;
- means for communicating with a central database via the data communications network, the central database containing information identifying access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
  
  means for communicating with a local AAA service associated with a local Point of Presence (PoP);
  
  means for communicating with a remote AAA service via a local proxy service;
  
  means for instantiating the local AAA service from the central database;
  
  means for reaching a network access request from a user through a local network access server (NAS);
  
  means for checking the network access request to determine an identification of the user'"'"'s domain;
  
  means for routing the network access request to the local AAA service if the users domain corresponds to that of the local PoP;
  
  means for looking up a domain identification entry corresponding to the user'"'"'s domain in the local AAA service'"'"'s database if the user'"'"'s domain does not correspond to that of the local PoP; and
  
  means for proxying the network access request to a remote AAA service in the user'"'"'s domain at an address and port as specified in the domain identification entry of the database if the user'"'"'s domain does not correspond to that of the local PoP.

62. A hardware system for managing access to a data communications network, said system comprising:
- means for communicating with a central database via the data communications network, the central database containing information identifying access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
  
  means for communicating with a plurality of local AAA services associated with a local Point of Presence (PoP);
  
  means for communicating with a plurality of local proxy services associated with the local PoP;
  
  means for communicating with a remote AAA service via a local proxy service;
  
  means for instantiating the local AAA services from the central database;
  
  means for instantiating the local proxy services from the central database;
  
  means for receiving a network access request from a user through local network access server (NAS);
  
  means for checking the network access request to determine an identification of the user'"'"'s domain;
  
  means for routing the network access request to the local AAA service if the user'"'"'s domain corresponds to that of the local PoP;
  
  means for looking up a domain identification entry corresponding to the user'"'"'s domain with the local AAA services if the user'"'"'s domain does not correspond to that of the local PoP;
  
  means for proxying the network access request to a remote AAA service in the user'"'"'s domain at an address and port as specified in the domain identification entry of the local AAA services'"'"' database if the user'"'"'s domain does not correspond to that of the local PoP; and
  
  means for receiving network access requests from users over a network access server (NAS), parsing the requests for domain identification and routing the requests for domains other than those associated with the first PoP to one of said plurality of proxy services while load balancing among them;
  
  said proxy service routing network access requests to the remote AAA service in accordance with said access information.

63. A method executing on a hardware computer for accounting for use of a data communications network, said method comprising:
- means for communicating with a central database via the data communications network, the central database containing information identifying access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
  
  means for communicating with at least one local AAA service associated with a local Point of Presence (PoP);
  
  means for communicating with a remote AAA service;
  
  means for instantiating the local AAA services from the central database;
  
  means for receiving a network access request from a user through a local network access server (NAS);
  
  means for checking the network access request to determine an identification of the user'"'"'s domain;
  
  means for routing accounting information associated with the user to the local AAA service if the user'"'"'s domain corresponds to that of the local PoP;
  
  means for looking up a domain identification entry corresponding to the user'"'"'s domain with the local AAA services if the user'"'"'s domain does not correspond to that of the local PoP;
  
  means for routing the accounting information to a remote AAA service in the user'"'"'s domain at an address and port as specified in the domain identification entry of the local AAA services'"'"' database if the user'"'"'s domain does not correspond to that of the local PoP.

64. A method executing on a hardware computer for managing network access accounting in a data communications network, said method comprising:
- maintaining a central database coupled to the data communications network;
  
  maintaining at least a local authentication, authorization and accounting (AAA) service at a local point of presence (PoP) of the data communications network;
  
  configuring a database associated with the local AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the local AAA service;
  
  receiving accounting information from a network access server (NAS) responsive to utilization of the data communications network by a user coupled to the data communications network through the NAS;
  
  forwarding said accounting information to the local AAA service if the user'"'"'s domain corresponds to that of the local PoP; and
  
  forwarding said accounting information to a remote AAA service in the user'"'"'s domain at an address and port as specified in the domain identification entry of the local AAA service'"'"'s database if the user'"'"'s domain does not correspond to that of the local PoP.

65. A hardware apparatus for managing network access accounting in a data communications network, said apparatus comprising:
- means for maintaining a central database coupled to the data communications network;
  
  means for maintaining at least a local authentication, authorization and accounting (AAA) service at a local point of presence (PoP) of the data communications network;
  
  means for configuring a database associated with the local AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the local AAA service;
  
  means for receiving accounting information from a network access server (NAS) responsive to utilization of the data communications network by a user coupled to the data communications network through the NAS;
  
  means for forwarding said accounting information to the local AAA service if the user'"'"'s domain corresponds to that of the local PoP; and
  
  means for forwarding said accounting information to a remote AAA service in the user'"'"'s domain at an address and port as specified in the domain identification entry of the local AAA service'"'"'s database if the user'"'"'s domain does not correspond to that of the local PoP.

66. A hardware system for managing network access to a data communications network, said method comprising:
- a central database coupled to the data network;
  
  at least a first authentication, authorization and accounting (AAA) service at a first point of presence (PoP) of the data communications network and a second AAA service at a second PoP of the data communications network; and
  
  a database configurer configuring a database associated with the first AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the first AAA service and configuring a database associated with the second AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the second AAA service a protocol gateway receiving network access requests from users over the NAS, parsing the requests for domain identification and routing the requests for domains other than those associated with the first PoP to the proxy service, said proxy service routing network access requests to AAA services in remote domains in accordance with said access information.

67. A hardware apparatus for managing network access to a data communications network, said method comprising:
- means for maintaining a central database coupled to the data communications network;
  
  means for maintaining at least a first authentication, authorization and accounting (AAA) service at a first point of presence (PoP) of the data communications network and a second AAA service at a second PoP of the data communications network;
  
  means for configuring a database associated with the first AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the first AAA service; and
  
  means for configuring a database associated with the second AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the second AAA service means for receiving accounting information from a network access server (NAS) responsive to utilization of the data communications network by a user coupled to the data communications network through the NAS;
  
  means for forwarding said accounting information to a local AAA service if the user'"'"'s domain corresponds to that of the local PoP; and
  
  means for forwarding said accounting information to a remote AAA service in the user'"'"'s domain at an address and port as specified in the domain identification entry of the local AAA service'"'"'s database if the user'"'"'s domain does not correspond to that of the local PoP.

68. A hardware system for managing network access to a data communications network, said method comprising:
- a central database coupled to the data communications network;
  
  a plurality of first authentication, authorization and accounting (AAA) services disposed at a first point of presence (PoP) of the data communications network and a second AAA service disposed at a second PoP of the data communications network;
  
  a first database configurer configuring one or more databases associated with the first AAA services from the central database by transporting information from the central database over the data communications network to the database(s) associated with the first AAA services; and
  
  a second database configurer configuring a database associated with the second AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the second AAA service a protocol gateway receiving network access requests from users over the NAS, parsing the requests for domain identification and routing the requests for domains other than those associated with the first PoP to the proxy service, said proxy service routing network access requests to AAA services in remote domains in accordance with said access information.

69. A hardware apparatus for managing network access to a data communications network, said method comprising:
- means for maintaining a central database coupled to the data communications network;
  
  means for maintaining a plurality of first authentication, authorization and accounting (AAA) service at a first point of presence (PoP) of the data communications network and a second AAA service at a second PoP of the data communications network; and
  
  means for configuring one or more databases associated with the first AAA services from the central database by transporting information from the central database over the data communications network to the database(s) associated with the first AAA services; and
  
  means for configuring a database associated with the second AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the second AAA service means for receiving accounting information from a network access server (NAS) responsive to utilization of the data communications network by a user coupled to the data communications network through the NAS;
  
  means for forwarding said accounting information to a local AAA service if the user'"'"'s domain corresponds to that of the local PoP; and
  
  means for forwarding said accounting information to a remote AAA service in the user'"'"'s domain at an address and port as specified in the domain identification entry of the local AAA service'"'"'s database if the user'"'"'s domain does not correspond to that of the local PoP.

70. A hardware system for managing network access to a data communications network, said method comprising:
- a central database coupled to the data communications network;
  
  a plurality of first authentication, authorization and accounting (AAA) services disposed at a first point of presence (PoP) of the data communications network and a second AAA service disposed at a second PoP of the data communications network; and
  
  a database configurer configuring one or more databases associated with the first AAA services from the central database by transporting information from the central database over the data communications network to the database(s) associated with the first AAA services and configuring a database associated with the second AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the second AAA service a protocol gateway receiving network access requests from users over the NAS, parsing the requests for domain identification and routing the requests for domains other than those associated with the first PoP to the proxy service, said proxy service routing network access requests to AAA services in remote domains in accordance with said access information.

71. A hardware apparatus for managing network access to a data communications network, said method comprising:
- means for maintaining a central database coupled to the data communications network;
  
  means for maintaining plurality of first authentication, authorization and accounting (AAA) service at a first point of presence (PoP) of the data communications network and a second AAA service at a second PoP of the data communications network; and
  
  means for configuring one or more databases associated with the first AAA services from the central database by transporting information from the central database over the data communications network to database(s) associated with the first AAA services and for configuring a database associated with the second AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the second AAA service means for receiving accounting information from a network access server (NAS) responsive to utilization of the data communications network by a user coupled to the data communications network through the NAS;
  
  means for forwarding said accounting information to a local AAA service if the user'"'"'s domain corresponds to that of the local PoP; and
  
  means for forwarding said accounting information to a remote AAA service in the user'"'"'s domain at an address and port as specified in the domain identification entry of the local AAA service'"'"'s database if the user'"'"'s domain does not correspond to that of the local PoP.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Sthothra Bhasham, Sampath Kumar, Suryanarayanan, Kalpathi S., Gutman, Andrew Mark, Sitaraman, Aravind
Primary Examiner(s)
Harrell; Robert B

Application Number

US10/679,203
Time in Patent Office

2,560 Days
Field of Search

709/200, 709/202, 709/203, 709/223, 709/224, 709/227, 709/229
US Class Current

709/229
CPC Class Codes

H04L 63/0281 Proxies

H04L 63/0892 by using authentication-aut...

Integration of authentication authorization and accounting service and proxy service

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

50 Citations

71 Claims

Specification

Solutions

Use Cases

Quick Links

Integration of authentication authorization and accounting service and proxy service

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

71 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links