Integration of authentication authorization and accounting service and proxy service
Abstract
A single database maintained centrally hosts both proxy service data and authentication, authorization and accounting (AAA) data. Data is then copied to storage used locally by each system when both systems are instantiated. Therefore the ISP/Telco need not maintain two different databases. A protocol gateway (PGW) is used to determine if the incoming user is a wholesale or retail user. The PGW filters the domain portion of the access request to locate a remote AAA service. If one such service is found, the PGW routes the communication via the proxy service to proxy it to the remote AAA service. The returned packet from the remote AAA service is then searched for an IP address to be assigned to the incoming user. If one is not found, the PGW obtains a dynamically allocated IP address from a DHCP server (using an IP-Pool-ID if supplied in the returned packet from the remote AAA service). The same mechanism is used to forward accounting event packets from the NAS to the remote AAA server. The PGW may monitor more than one proxy and/or AAA service and load balance among them.
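The routing decision the abstract describes, as an added worked example (not code from the patent or from any product it covers): the protocol gateway parses the realm from the NAS-supplied user name, sends local-realm users to one of the local AAA services, proxies known foreign realms to the address and port recorded for that realm, rejects unknown realms, and falls back to a pool allocation when the returned packet carries no address. Host names, the proxy table, the pools and the stub back ends are all constructed for the example; the two callables stand in for the local AAA service and for the proxy service's transport to the remote AAA.

```python
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RemoteAAA:          # the claims' "domain identification entry"
    host: str
    port: int


@dataclass
class AccessRequest:
    user_name: str            # as sent by the NAS, e.g. "alice@example.net"
    accounting: bool = False  # True for an accounting event packet


@dataclass
class AccessReply:
    accepted: bool
    framed_ip: Optional[str] = None   # address assigned by the answering AAA, if any
    ip_pool_id: Optional[str] = None  # pool hint returned instead of an address


def parse_realm(user_name: str) -> Optional[str]:
    """Realm after the LAST '@', lower-cased; None when there is none.
    Splitting on the last '@' makes "bob@evil@home.net" route by "home.net";
    lower-casing stops a mixed-case spelling from missing the proxy table."""
    if "@" not in user_name:
        return None
    realm = user_name.rsplit("@", 1)[1].strip().lower()
    return realm or None


class ProtocolGateway:
    def __init__(self, local_realms, local_aaa, proxies, proxy_table, pools):
        self.local_realms = {r.lower() for r in local_realms}
        self._aaa_rr = cycle(local_aaa)      # round robin over local AAA services
        self._proxy_rr = cycle(proxies)      # round robin over proxy services
        self.proxy_table: Dict[str, RemoteAAA] = proxy_table  # realm -> remote AAA
        self.pools: Dict[str, List[str]] = pools              # stand-in for DHCP pools

    def route(self, req: AccessRequest):
        """("local", aaa) | ("proxy", (proxy, RemoteAAA)) | ("reject", None)."""
        realm = parse_realm(req.user_name)
        # Assumption for this example: a bare user name is a retail user of this PoP.
        if realm is None or realm in self.local_realms:
            return "local", next(self._aaa_rr)
        entry = self.proxy_table.get(realm)
        if entry is None:
            # Fail closed: a realm that is neither local nor a known partner
            # must not be forwarded anywhere by default.
            return "reject", None
        return "proxy", (next(self._proxy_rr), entry)

    def assign_ip(self, reply: AccessReply) -> Optional[str]:
        """Address from the returned packet, else from the pool named by
        IP-Pool-ID, else from the default pool."""
        if reply.framed_ip:
            return reply.framed_ip
        pool = self.pools.get(reply.ip_pool_id or "default")
        return pool.pop(0) if pool else None

    def handle(self, req: AccessRequest, local_respond, remote_send):
        """One packet end to end; the callables stand in for the local AAA
        service and for the proxy service's send to the remote AAA."""
        kind, target = self.route(req)
        if kind == "reject":
            return AccessReply(False), None
        reply = (local_respond(target, req) if kind == "local"
                 else remote_send(target[0], target[1], req))
        if req.accounting or not reply.accepted:
            return reply, None               # no address for accounting or rejects
        return reply, self.assign_ip(reply)


def build_demo_gateway() -> ProtocolGateway:
    """Constructed sample configuration; none of it comes from the patent."""
    return ProtocolGateway(
        local_realms=["example.net"],
        local_aaa=["aaa1.pop.example.net", "aaa2.pop.example.net"],
        proxies=["proxy1.pop.example.net", "proxy2.pop.example.net"],
        proxy_table={"partner.org": RemoteAAA("aaa.partner.org", 1812),
                     "wholesale.test": RemoteAAA("203.0.113.10", 1812)},
        pools={"default": ["198.51.100.10", "198.51.100.11"],
               "pool-b": ["198.51.100.50"]},
    )


def demo() -> dict:
    """Three requests through stub back ends: local accept, proxied accept
    carrying only a pool hint, and an unknown realm."""
    gw = build_demo_gateway()
    local_respond = lambda aaa, req: AccessReply(True)
    remote_send = lambda proxy, entry, req: AccessReply(True, ip_pool_id="pool-b")
    out = {}
    for name in ["alice@example.net", "dave@partner.org", "eve@unknown.test"]:
        reply, ip = gw.handle(AccessRequest(name), local_respond, remote_send)
        out[name] = (reply.accepted, ip)
    return out
```

Two checks are worth keeping when this is built for real: split on the last "@" and normalise case before the table lookup, and treat a realm that is neither local nor in the proxy table as a rejection rather than as a local user; otherwise the user name a NAS forwards is enough to steer a request to a server of the sender's choosing. Accounting packets follow the same route but never enter the address-assignment step.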
50 Citations
71 Claims

1. A method executing on a hardware computer for managing network access to a data communications network, said method comprising:
maintaining a central database;
maintaining at least one authentication, authorization and accounting (AAA) service at a point of presence (PoP) of the data communications network; and
configuring a database associated with the AAA service from the central database, wherein said configuring includes publishing information from said central database on an information bus as at least one event, said AAA service subscribing to said event so as to receive said published information so as to thereby update its associated database;
further comprising:
receiving at a protocol gateway in the PoP a network access request from a user through a network access server (NAS);
parsing the network access request for an identification of the user's domain;
routing the network access request to the AAA service at the PoP if the user's domain corresponds to that of the PoP;
looking up a domain identification entry corresponding to the user's domain in the AAA service's database if the user's domain does not correspond to that of the PoP;
proxying the network access request to an AAA service in the user's domain at an address and port as specified in the domain identification entry of the database if the user's domain does not correspond to that of the PoP.
Dependent claims: 2, 3, 4, 5.
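The configuring step of claim 1 (the central database published on an information bus as events, each AAA or proxy service subscribing and updating its own copy), as an added example that is not code from the patent. It uses an in-process bus and a constructed shared HMAC key; the sequence numbers, tombstone events and tag check are this example's choices for making the copy trustworthy and consistent, not features the claims describe.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed shared key for the example; a deployment would provision and
# rotate a real one, but the verification below is unchanged.
BUS_KEY = b"constructed-example-key"


@dataclass(frozen=True)
class DomainEvent:
    seq: int                  # publisher-assigned, strictly increasing
    domain: str
    host: Optional[str]       # None marks a tombstone: the domain was removed
    port: Optional[int]
    tag: str                  # HMAC over the other four fields


def event_tag(seq: int, domain: str, host: Optional[str], port: Optional[int]) -> str:
    msg = json.dumps([seq, domain, host, port]).encode()
    return hmac.new(BUS_KEY, msg, hashlib.sha256).hexdigest()


class InfoBus:
    """In-process stand-in for the information bus: fan-out to subscribers."""
    def __init__(self):
        self._subs: List[Callable[[DomainEvent], None]] = []

    def subscribe(self, cb: Callable[[DomainEvent], None]):
        self._subs.append(cb)

    def publish(self, ev: DomainEvent):
        for cb in self._subs:
            cb(ev)


class CentralDatabase:
    """Source of truth for realm -> (host, port); every change is published."""
    def __init__(self, bus: InfoBus):
        self.bus, self.rows, self.seq = bus, {}, 0

    def _emit(self, domain, host, port):
        self.seq += 1
        self.bus.publish(DomainEvent(self.seq, domain, host, port,
                                     event_tag(self.seq, domain, host, port)))

    def upsert(self, domain: str, host: str, port: int):
        domain = domain.lower()
        self.rows[domain] = (host, port)
        self._emit(domain, host, port)

    def delete(self, domain: str):
        domain = domain.lower()
        self.rows.pop(domain, None)
        self._emit(domain, None, None)


class LocalDomainTable:
    """The copy held by one AAA or proxy service at a PoP."""
    def __init__(self, bus: InfoBus, db: CentralDatabase):
        self.rejected = 0          # events dropped for a bad tag
        self.resync(db)            # initial copy when the service is instantiated
        bus.subscribe(self.on_event)

    def resync(self, db: CentralDatabase):
        self.entries: Dict[str, Tuple[str, int]] = dict(db.rows)
        self.last_seq = db.seq
        self.needs_resync = False

    def on_event(self, ev: DomainEvent):
        # 1. Authenticity: on an unauthenticated bus anyone could repoint a realm.
        if not hmac.compare_digest(ev.tag, event_tag(ev.seq, ev.domain, ev.host, ev.port)):
            self.rejected += 1
            return
        # 2. Ordering: duplicates and replays of older events are ignored.
        if ev.seq <= self.last_seq:
            return
        # 3. Gaps: the event carries the domain's full state so it is applied,
        #    but a missed update to some other domain means a resync is due.
        if ev.seq != self.last_seq + 1:
            self.needs_resync = True
        self.last_seq = ev.seq
        if ev.host is None:
            self.entries.pop(ev.domain, None)
        else:
            self.entries[ev.domain] = (ev.host, ev.port)

    def lookup(self, domain: str) -> Optional[Tuple[str, int]]:
        return self.entries.get(domain.lower())


def demo() -> dict:
    """Two services at a PoP, one brought up late; a delete, a replay and a forgery."""
    bus = InfoBus()
    db = CentralDatabase(bus)
    db.upsert("partner.org", "aaa.partner.org", 1812)
    aaa_svc = LocalDomainTable(bus, db)           # instantiated now: copies one row
    db.upsert("wholesale.test", "203.0.113.10", 1812)
    proxy_svc = LocalDomainTable(bus, db)         # instantiated later: copies two rows
    db.delete("partner.org")                      # tombstone reaches both
    replay = DomainEvent(1, "partner.org", "aaa.partner.org", 1812,
                         event_tag(1, "partner.org", "aaa.partner.org", 1812))
    forged = DomainEvent(99, "wholesale.test", "198.51.100.99", 1812, "not-a-valid-tag")
    bus.publish(replay)
    bus.publish(forged)
    return {"aaa": aaa_svc.entries, "proxy": proxy_svc.entries,
            "rejected": aaa_svc.rejected, "last_seq": aaa_svc.last_seq}
```

The point of the tag and sequence checks is that the local table is what the gateway proxies by: a forged or replayed event on the bus would otherwise redirect every access request and accounting record for a realm to an attacker's AAA server, and a service that starts late or misses an event would proxy from a stale copy until the next full publish.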

6. A method executing on a hardware computer for managing network access to a data communications network, said method comprising:
maintaining a central database;
maintaining a plurality of authentication, authorization and accounting (AAA) services at a point of presence (PoP) of the data communication network; and
configuring databases associated with the AAA services from the central database, wherein said configuring includes publishing information from said central database on an information bus as at least one event, said AAA services subscribing to said event so as to receive said published information so as to thereby update their associated databases;
further comprising:
receiving at a protocol gateway in the PoP a network access request from a user through a network access server (NAS);
parsing the network access request for an identification of the user's domain;
routing the network access request to one of said plurality of AAA services at the PoP if the user's domain corresponds to that of the PoP while load balancing among said plurality of AAA services;
looking up a domain identification entry corresponding to the user's domain in one of said plurality of AAA service's databases if the user's domain does not correspond to that of the PoP;
proxying the network access request to an AAA service in the user's domain at an address and port as specified in the domain identification entry of the database if the user's domain does not correspond to that of the PoP.
Dependent claims: 7, 8, 9, 10.

11. A method executing on a hardware computer for managing network access to a data communications network, said method comprising:
maintaining a central database, said central database containing access information for authentication, authorization and accounting services associated with domains of the data communications network;
maintaining at a point of presence (PoP) of the data communications network at least one AAA service and at least one proxy service and at least one protocol gateway in communication with a network access server (NAS);
periodically publishing information contained in said central database;
subscribing at said AAA and said proxy service to information published from said central database;
receiving at a protocol gateway in the PoP a network access request from a user through a network access server (NAS);
parsing the network access request at the protocol gateway for an identification of the user's domain;
routing the network access request to an AAA service at the PoP if the user's domain corresponds to that of the PoP;
looking up access information within a domain identification entry corresponding to the user's domain in a database associated with the proxy server if the user's domain does not correspond to that of the PoP; and
proxying the network access request to an AAA service in the user's domain at an address and port as specified in the access information if the user's domain does not correspond to that of the PoP.
Dependent claims: 12, 13, 14.

15. A method executing on a hardware computer of managing network access requests to a data communications network, said method comprising:
receiving at a protocol gateway in a point of presence (PoP) of the data communications network a network access request from a user through a network access server (NAS);
parsing the network access request for an identification of the user's domain;
routing the network access request to one of the plurality of authentication, authorization and accounting (AAA) services associated with the PoP if the user's domain corresponds to that of the PoP while load balancing among the plurality of AAA services;
looking up a domain identification entry corresponding to the user's domain in a database if the user's domain does not correspond to that of the PoP;
proxying the network access request via one of a plurality of proxy services to an AAA service in the user's domain at an address and port as specified in the domain identification entry of the database if the user's domain does not correspond to that of the PoP while load balancing among the plurality of proxy services.
Dependent claims: 16, 17, 18.

19. A method executing on a hardware computer for managing network access to a data communications network, said method comprising:
maintaining a central database, said central database containing access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
maintaining at a point of presence (PoP) of the data communications network a plurality of AAA services at least one AAA service and at least one proxy service and at least one protocol gateway in communication with a network access server (NAS);
periodically publishing information contained in said central database;
subscribing at said AAA and said proxy service to information published from said central database;
receiving at a protocol gateway in the PoP a network access request from a user through a network access server (NAS);
parsing the network access request at the protocol gateway for an identification of the user's domain;
routing the network access request to one of said plurality of AAA services at the PoP if the user's domain corresponds to that of the PoP while load balancing among said plurality of AAA services;
looking up access information within a domain identification entry corresponding to the user's domain in a database associated with one of said plurality of proxy services if the user's domain does not correspond to that of the PoP while load balancing among said plurality of proxy services; and
proxying the network access request to an AAA service in the user's domain at an address and port as specified in the access information if the user's domain does not correspond to that of the PoP.
Dependent claims: 20, 21, 22.

23. A method executing on a hardware computer of managing network access requests to a data communications network, said method comprising:
receiving at a protocol gateway in a point of presence (PoP) of the data communications network a network access request from a user through a network access server (NAS);
parsing the network access request for an identification of the user's domain;
routing the network access request to an authentication, authorization and accounting (AAA) service associated with the PoP if the user's domain corresponds to that of the PoP;
looking up a domain identification entry corresponding to the user's domain in a database if the user's domain does not correspond to that of the PoP;
proxying the network access request to an AAA service in the user's domain at an address and port as specified in the domain identification entry of the database if the user's domain does not correspond to that of the PoP.
Dependent claims: 24, 25, 26.

27. A hardware system for data communications network access management, comprising:
a central database containing information identifying access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
a publisher, said publisher publishing information from said central database to subscribers over an information bus;
a point of presence (PoP) on the data communications network, said PoP including a protocol gateway in communication with at least one network access server (NAS);
an AAA service associated with said PoP and in communication with said protocol gateway, said AAA service subscribing to information published by said publisher; and
a proxy service associated with the PoP and in communication with said protocol gateway, said proxy service subscribing to information published by said publisher, said protocol gateway receiving network access requests from users over the NAS, parsing the requests for domain identification and routing the requests for domains other than those associated with the PoP to the proxy service, said proxy service routing network access requests to AAA services in remote domains in accordance with said access information.
Dependent claims: 28.

29. A hardware system for data communications network access management, comprising:
a central database containing information identifying access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
a publisher, said publisher publishing information from said central database to subscribers over an information bus;
a point of presence (PoP) on the data communications network, said PoP including a protocol gateway in communication with at least one network access server (NAS);
a plurality of AAA services associated with said PoP and in communication with said protocol gateway, said AAA services subscribing to information published by said publisher; and
a plurality of proxy services associated with said PoP and in communication with said protocol gateway, said proxy services subscribing to information published by said publisher, said protocol gateway receiving network access requests from users over the NAS, parsing the requests for domain identification and routing the requests for domains other than those associated with the PoP to one of said plurality of proxy services while load balancing among them, said proxy service routing network access requests to AAA services in remote domains in accordance with said access information.
Dependent claims: 30.

31. A method executing on a hardware computer for managing network access to a data communications network, said method comprising:
maintaining a central database coupled to the data communications network;
maintaining at least a first authentication, authorization and accounting (AAA) service at a first point of presence (PoP) of the data communications network and a second AAA service at a second PoP of the data communications network;
configuring a database associated with the first AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the first AAA service; and
configuring a database associated with the second AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the second AAA service;
further comprising:
receiving at a protocol gateway in the first PoP a network access request from a user through a network access server (NAS);
parsing the network access request for an identification of the user's domain;
routing the network access request to the first AAA service at the first PoP if the user's domain corresponds to that of the first PoP;
looking up a domain identification entry corresponding to the user's domain in the first AAA service's database if the user's domain does not correspond to that of the first PoP;
proxying the network access request to an AAA service in the user's domain at an address and port as specified in the domain identification entry of the database if the user's domain does not correspond to that of the first PoP.
Dependent claims: 32, 33, 34, 35, 36.

37. A method executing on a hardware computer for managing network access to a data communications network, said method comprising:
maintaining a central database coupled to the data communications network;
maintaining a plurality of first authentication, authorization and accounting (AAA) services at a first point of presence (PoP) of the data communications network and a second AAA service at a second PoP of the data communications network;
configuring one or more databases associated with the first AAA services from the central database by transporting information from the central database over the data communications network to the database(s) associated with the first AAA services; and
configuring a database associated with the second AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the second AAA service;
further comprising:
receiving at a protocol gateway in the first PoP a network access request from a user through a network access server (NAS);
parsing the network access request for an identification of the user's domain;
routing the network access request to one of said plurality of first AAA services at the first PoP if the user's domain corresponds to that of the first PoP while load balancing among said plurality of first AAA services;
looking up a domain identification entry corresponding to the user's domain in one of said plurality of first AAA service's database(s) if the user's domain does not correspond to that of the first PoP;
proxying the network access request to an AAA service in the user's domain at an address and port as specified in the domain identification entry of the database if the user's domain does not correspond to that of the first PoP.
Dependent claims: 38, 39, 40.

41. A method executing on a hardware computer for managing network access to a data communications network, said method comprising:
maintaining a central database coupled to the data communications network;
said central database containing access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
maintaining at a first point of presence (PoP) of the data communications network at least one first AAA service and at least one first proxy service and at least one first protocol gateway in communication with a network access server (NAS);
periodically transporting information contained in the central database from the central database, over the data communications network, to the first AAA service(s), the first proxy service(s) and the first protocol gateway(s);
receiving at a protocol gateway in the first PoP a network access request from a user through a network access server (NAS);
parsing the network access request at the first protocol gateway for an identification of the user's domain;
routing the network access request to an AAA service at the first PoP if the user's domain corresponds to that of the first PoP;
looking up access information within a domain identification entry corresponding to the user's domain in a database associated with the first proxy server if the user's domain does not correspond to that of the first PoP; and
proxying the network access request to an AAA service in the user's domain at an address and port as specified in the access information if the user's domain does not correspond to that of the first PoP.
Dependent claims: 42, 43, 44.

45. A method executing on a hardware computer for managing network access requests to a data communications network, said method comprising:
receiving at a protocol gateway in a first point of presence (PoP) of the data communications network a network access request from a user received through a network access server (NAS);
parsing the network access request for an identification of the user's domain;
routing the network access request to one of the plurality of authentication, authorization and accounting (AAA) services associated with the first PoP if the user's domain corresponds to that of the first PoP while load balancing among the plurality of AAA services;
looking up a domain identification entry corresponding to the user's domain in a database associated with the one AAA if the user's domain does not correspond to that of the first PoP;
proxying the network access request via one of a plurality of proxy services to an AAA service in the user's domain at an address and port as specified in the domain identification entry of the database if the user's domain does not correspond to that of the first PoP while load balancing among the plurality of proxy services.
Dependent claims: 46, 47, 48.

49. A method executing on a hardware computer for managing network access to a data communications network, said method comprising:
maintaining a central database, said central database containing access information for authentication, authorization and accounting services associated with domains of the data communications network;
maintaining at a first point of presence (PoP) of the data communications network a plurality of AAA services at least one AAA service and at least one proxy service and at least one protocol gateway in communication with a network access server (NAS);
periodically transmitting information contained in said central database over the data communications network to said AAA and said proxy service;
receiving at a protocol gateway in the PoP a network access request from a user through a network access server (NAS);
parsing the network access request at the protocol gateway for an identification of the user's domain;
routing the network access request to one of said plurality of AAA services at the first PoP if the user's domain corresponds to that of the first PoP while load balancing among said plurality of AAA services;
looking up access information within a domain identification entry corresponding to the user's domain in a database associated with one of said plurality of proxy services if the user's domain does not correspond to that of the first PoP while load balancing among said plurality of proxy services; and
proxying the network access request to an AAA service in the user's domain at an address and port as specified in the access information if the user's domain does not correspond to that of the first PoP.
Dependent claims: 50, 51, 52.

53. A method executing on a hardware computer for managing network access requests to a data communications network, said method comprising:
periodically transmitting updating information contained in a central database over the data communications network to an authentication, authorization and accounting (AAA) service associated with a first point of presence (PoP) of the data communications network;
receiving at a protocol gateway in the first point of presence (PoP) of the data communications network a network access request from a user received through a network access server (NAS);
parsing the network access request for an identification of the user's domain;
routing the network access request to the AAA service associated with the first PoP if the user's domain corresponds to that of the first PoP;
looking up a domain identification entry corresponding to the user's domain in a database if the user's domain does not correspond to that of the first PoP;
proxying the network access request to an AAA service in the user's domain at an address and port as specified in the domain identification entry of the database if the user's domain does not correspond to that of the first PoP.
Dependent claims: 54, 55, 56.

57. A hardware system for data communications network access management, comprising:
a central database containing information identifying access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
a first point of presence (PoP) on the data communications network, said first PoP including a protocol gateway in communication with at least one network access server (NAS);
an AAA service associated with said first PoP and in communication with said protocol gateway and the data communications network;
a proxy service associated with the first PoP and in communication with said protocol gateway and the data communications network;
a transmitter, said transmitter transmitting information from said central database to said AAA service at said first PoP and said proxy service at said first PoP over the data communications network;
said protocol gateway receiving network access requests from users over the NAS, parsing the requests for domain identification and routing the requests for domains other than those associated with the first PoP to the proxy service, said proxy service routing network access requests to AAA services in remote domains in accordance with said access information.
Dependent claims: 58.

59. A hardware system for data communications network access management, comprising:
a central database containing information identifying access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
a first point of presence (PoP) on the data communications network, said first PoP including a protocol gateway in communication with at least one network access server (NAS);
a plurality of AAA services associated with said first PoP and in communication with said protocol gateway, said AAA services subscribing to information published by said publisher;
a plurality of proxy services associated with said first PoP and in communication with said protocol gateway, said proxy services subscribing to information published by said publisher; and
a transmitter, said transmitter transmitting information from said central database over the data communications network to said plurality of AAA services associated with said first PoP and to said plurality of proxy services associated with said first PoP;
said protocol gateway receiving network access requests from users over the NAS, parsing the requests for domain identification and routing the requests for domains other than those associated with the first PoP to one of said plurality of proxy services while load balancing among them;
said proxy service routing network access requests to AAA services in remote domains in accordance with said access information.
Dependent claims: 60.

61. A hardware system for managing access to a data communications network, said system comprising:
means for communicating with a central database via the data communications network, the central database containing information identifying access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
means for communicating with a local AAA service associated with a local Point of Presence (PoP);
means for communicating with a remote AAA service via a local proxy service;
means for instantiating the local AAA service from the central database;
means for receiving a network access request from a user through a local network access server (NAS);
means for checking the network access request to determine an identification of the user's domain;
means for routing the network access request to the local AAA service if the user's domain corresponds to that of the local PoP;
means for looking up a domain identification entry corresponding to the user's domain in the local AAA service's database if the user's domain does not correspond to that of the local PoP; and
means for proxying the network access request to a remote AAA service in the user's domain at an address and port as specified in the domain identification entry of the database if the user's domain does not correspond to that of the local PoP.

62. A hardware system for managing access to a data communications network, said system comprising:
means for communicating with a central database via the data communications network, the central database containing information identifying access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
means for communicating with a plurality of local AAA services associated with a local Point of Presence (PoP);
means for communicating with a plurality of local proxy services associated with the local PoP;
means for communicating with a remote AAA service via a local proxy service;
means for instantiating the local AAA services from the central database;
means for instantiating the local proxy services from the central database;
means for receiving a network access request from a user through a local network access server (NAS);
means for checking the network access request to determine an identification of the user's domain;
means for routing the network access request to the local AAA service if the user's domain corresponds to that of the local PoP;
means for looking up a domain identification entry corresponding to the user's domain with the local AAA services if the user's domain does not correspond to that of the local PoP;
means for proxying the network access request to a remote AAA service in the user's domain at an address and port as specified in the domain identification entry of the local AAA services' database if the user's domain does not correspond to that of the local PoP; and
means for receiving network access requests from users over a network access server (NAS), parsing the requests for domain identification and routing the requests for domains other than those associated with the first PoP to one of said plurality of proxy services while load balancing among them;
said proxy service routing network access requests to the remote AAA service in accordance with said access information.

63. A method executing on a hardware computer for accounting for use of a data communications network, said method comprising:
means for communicating with a central database via the data communications network, the central database containing information identifying access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
means for communicating with at least one local AAA service associated with a local Point of Presence (PoP);
means for communicating with a remote AAA service;
means for instantiating the local AAA services from the central database;
means for receiving a network access request from a user through a local network access server (NAS);
means for checking the network access request to determine an identification of the user's domain;
means for routing accounting information associated with the user to the local AAA service if the user's domain corresponds to that of the local PoP;
means for looking up a domain identification entry corresponding to the user's domain with the local AAA services if the user's domain does not correspond to that of the local PoP;
means for routing the accounting information to a remote AAA service in the user's domain at an address and port as specified in the domain identification entry of the local AAA services' database if the user's domain does not correspond to that of the local PoP.

64. A method executing on a hardware computer for managing network access accounting in a data communications network, said method comprising:
maintaining a central database coupled to the data communications network;
maintaining at least a local authentication, authorization and accounting (AAA) service at a local point of presence (PoP) of the data communications network;
configuring a database associated with the local AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the local AAA service;
receiving accounting information from a network access server (NAS) responsive to utilization of the data communications network by a user coupled to the data communications network through the NAS;
forwarding said accounting information to the local AAA service if the user's domain corresponds to that of the local PoP; and
forwarding said accounting information to a remote AAA service in the user's domain at an address and port as specified in the domain identification entry of the local AAA service's database if the user's domain does not correspond to that of the local PoP.
-
-
65. A hardware apparatus for managing network access accounting in a data communications network, said apparatus comprising:

means for maintaining a central database coupled to the data communications network;
means for maintaining at least a local authentication, authorization and accounting (AAA) service at a local point of presence (PoP) of the data communications network;
means for configuring a database associated with the local AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the local AAA service;
means for receiving accounting information from a network access server (NAS) responsive to utilization of the data communications network by a user coupled to the data communications network through the NAS;
means for forwarding said accounting information to the local AAA service if the user's domain corresponds to that of the local PoP; and
means for forwarding said accounting information to a remote AAA service in the user's domain at an address and port as specified in the domain identification entry of the local AAA service's database if the user's domain does not correspond to that of the local PoP.

66. A hardware system for managing network access to a data communications network, said method comprising:

a central database coupled to the data network;
at least a first authentication, authorization and accounting (AAA) service at a first point of presence (PoP) of the data communications network and a second AAA service at a second PoP of the data communications network; and
a database configurer configuring a database associated with the first AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the first AAA service and configuring a database associated with the second AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the second AAA service;
a protocol gateway receiving network access requests from users over the NAS, parsing the requests for domain identification and routing the requests for domains other than those associated with the first PoP to the proxy service, said proxy service routing network access requests to AAA services in remote domains in accordance with said access information.

67. A hardware apparatus for managing network access to a data communications network, said method comprising:

means for maintaining a central database coupled to the data communications network;
means for maintaining at least a first authentication, authorization and accounting (AAA) service at a first point of presence (PoP) of the data communications network and a second AAA service at a second PoP of the data communications network;
means for configuring a database associated with the first AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the first AAA service; and
means for configuring a database associated with the second AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the second AAA service;
means for receiving accounting information from a network access server (NAS) responsive to utilization of the data communications network by a user coupled to the data communications network through the NAS;
means for forwarding said accounting information to a local AAA service if the user's domain corresponds to that of the local PoP; and
means for forwarding said accounting information to a remote AAA service in the user's domain at an address and port as specified in the domain identification entry of the local AAA service's database if the user's domain does not correspond to that of the local PoP.

68. A hardware system for managing network access to a data communications network, said method comprising:

a central database coupled to the data communications network;
a plurality of first authentication, authorization and accounting (AAA) services disposed at a first point of presence (PoP) of the data communications network and a second AAA service disposed at a second PoP of the data communications network;
a first database configurer configuring one or more databases associated with the first AAA services from the central database by transporting information from the central database over the data communications network to the database(s) associated with the first AAA services; and
a second database configurer configuring a database associated with the second AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the second AAA service;
a protocol gateway receiving network access requests from users over the NAS, parsing the requests for domain identification and routing the requests for domains other than those associated with the first PoP to the proxy service, said proxy service routing network access requests to AAA services in remote domains in accordance with said access information.

69. A hardware apparatus for managing network access to a data communications network, said method comprising:

means for maintaining a central database coupled to the data communications network;
means for maintaining a plurality of first authentication, authorization and accounting (AAA) service at a first point of presence (PoP) of the data communications network and a second AAA service at a second PoP of the data communications network; and
means for configuring one or more databases associated with the first AAA services from the central database by transporting information from the central database over the data communications network to the database(s) associated with the first AAA services; and
means for configuring a database associated with the second AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the second AAA service;
means for receiving accounting information from a network access server (NAS) responsive to utilization of the data communications network by a user coupled to the data communications network through the NAS;
means for forwarding said accounting information to a local AAA service if the user's domain corresponds to that of the local PoP; and
means for forwarding said accounting information to a remote AAA service in the user's domain at an address and port as specified in the domain identification entry of the local AAA service's database if the user's domain does not correspond to that of the local PoP.

70. A hardware system for managing network access to a data communications network, said method comprising:

a central database coupled to the data communications network;
a plurality of first authentication, authorization and accounting (AAA) services disposed at a first point of presence (PoP) of the data communications network and a second AAA service disposed at a second PoP of the data communications network; and
a database configurer configuring one or more databases associated with the first AAA services from the central database by transporting information from the central database over the data communications network to the database(s) associated with the first AAA services and configuring a database associated with the second AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the second AAA service;
a protocol gateway receiving network access requests from users over the NAS, parsing the requests for domain identification and routing the requests for domains other than those associated with the first PoP to the proxy service, said proxy service routing network access requests to AAA services in remote domains in accordance with said access information.

71. A hardware apparatus for managing network access to a data communications network, said method comprising:

means for maintaining a central database coupled to the data communications network;
means for maintaining a plurality of first authentication, authorization and accounting (AAA) service at a first point of presence (PoP) of the data communications network and a second AAA service at a second PoP of the data communications network; and
means for configuring one or more databases associated with the first AAA services from the central database by transporting information from the central database over the data communications network to database(s) associated with the first AAA services and for configuring a database associated with the second AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the second AAA service;
means for receiving accounting information from a network access server (NAS) responsive to utilization of the data communications network by a user coupled to the data communications network through the NAS;
means for forwarding said accounting information to a local AAA service if the user's domain corresponds to that of the local PoP; and
means for forwarding said accounting information to a remote AAA service in the user's domain at an address and port as specified in the domain identification entry of the local AAA service's database if the user's domain does not correspond to that of the local PoP.
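Claims 63 through 71 all rest on one gateway decision: the PoP's AAA database is populated only from the central database, the gateway parses the user's domain out of the request, sends requests for the PoP's own domain to a local AAA service (a plurality of them in claims 68 to 71), and otherwise looks the domain up and proxies to the address and port recorded in that domain identification entry, with access requests and accounting packets handled by the same rule. The following Python model is an added illustration of that decision and is not code from the patent or its assignee. The event shape used to push entries from the central database, the `user@domain` naming convention, the round-robin choice among local AAA instances, and every address and host name in it are assumptions; a domain with no entry is rejected rather than forwarded anywhere.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DomainEntry:
    """Domain identification entry: where the AAA service for a domain listens."""
    domain: str
    address: str
    port: int


class LocalAAADatabase:
    """Database associated with one PoP's AAA service.

    It carries no configuration of its own: every entry arrives as an event
    published by the central database. The event dictionary shape below is an
    assumption made for this example.
    """

    def __init__(self) -> None:
        self._entries: Dict[str, DomainEntry] = {}

    def apply_event(self, event: dict) -> None:
        kind = event.get("type")
        domain = event["domain"].lower()
        if kind == "domain_upsert":
            self._entries[domain] = DomainEntry(domain, event["address"], int(event["port"]))
        elif kind == "domain_delete":
            self._entries.pop(domain, None)
        else:
            raise ValueError(f"unknown event type: {kind!r}")

    def lookup(self, domain: str) -> Optional[DomainEntry]:
        return self._entries.get(domain.lower())


def parse_user_domain(user_name: str, default_domain: str) -> Tuple[str, str]:
    """Split 'user@domain'. A name without a realm is treated as local (assumption)."""
    if "@" not in user_name:
        return user_name, default_domain.lower()
    user, _, domain = user_name.rpartition("@")
    if not user or not domain:
        raise ValueError("malformed user name")
    return user, domain.lower()


class ProtocolGateway:
    """Routes NAS packets to a local AAA instance or to a remote AAA service."""

    def __init__(self, local_domain: str, local_aaa: List[str], db: LocalAAADatabase) -> None:
        self.local_domain = local_domain.lower()
        self._local = list(local_aaa)
        self._next = 0
        self.db = db

    def route(self, request: dict) -> Tuple[str, object]:
        """Return ("local", instance), ("proxy", DomainEntry) or ("reject", None)."""
        if request.get("code") not in ("Access-Request", "Accounting-Request"):
            return "reject", None
        try:
            _, domain = parse_user_domain(request["User-Name"], self.local_domain)
        except (KeyError, ValueError):
            return "reject", None
        if domain == self.local_domain:
            # retail user of this PoP: spread load across the local AAA instances
            target = self._local[self._next % len(self._local)]
            self._next += 1
            return "local", target
        entry = self.db.lookup(domain)
        if entry is None:
            return "reject", None  # no remote AAA known for this domain: fail closed
        return "proxy", entry


# Constructed events, as the central database would publish them (assumption).
CONSTRUCTED_EVENTS = [
    {"type": "domain_upsert", "domain": "partner.example", "address": "192.0.2.10", "port": 1812},
    {"type": "domain_upsert", "domain": "old-partner.example", "address": "192.0.2.20", "port": 1812},
    {"type": "domain_delete", "domain": "old-partner.example"},
]


def build_demo_gateway() -> ProtocolGateway:
    """Gateway for a constructed PoP whose own domain is isp.example."""
    db = LocalAAADatabase()
    for event in CONSTRUCTED_EVENTS:
        db.apply_event(event)
    return ProtocolGateway("isp.example", ["aaa1.pop1.isp.example", "aaa2.pop1.isp.example"], db)


if __name__ == "__main__":
    gw = build_demo_gateway()
    for name in ("alice@isp.example", "bob@partner.example", "carol@old-partner.example", "dave"):
        print(name, "->", gw.route({"code": "Access-Request", "User-Name": name}))
```

Because the local database is only ever written by events from the central database, a stale or missing entry shows up as a rejection at the gateway rather than as traffic to an unexpected host, which is the behaviour an operator wants when the two copies drift.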
Specification