Internetwork authentication

US 10,666,653 B2
Filed: 03/26/2019
Issued: 05/26/2020
Est. Priority Date: 08/30/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a request for a policy-based identity routing service for a first network;

providing a first local authoritative user datastore interface (LAUDI) to a first network device of the first network;

obtaining a set of rules for identity routing to the first network;

establishing a connection between the first LAUDI and an authentication proxy;

receiving, at the first LAUDI, an authentication request for a station;

determining, based on the set of rules, whether to analyze the authentication request at the first LAUDI or to route the authentication request to a second LAUDI of a second network device of a second network;

in response to determining that the authentication request matches a characteristic defined by the set of rules, analyzing the authentication request at the first LAUDI; and

in response to determining that the authentication request does not match the characteristic defined by the set of rules, routing the authentication request to the second LAUDI, wherein an authentication result from the second LAUDI indicates whether the station is approved to access services on the second network.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for network authentication interoperability involves initiating an authentication procedure on a first network, authenticating on a second network, and allowing access at the first network. The technique can include filtering access to a network, thereby restricting access to users with acceptable credentials. Offering a service that incorporates these techniques can enable incorporation of the techniques into an existing system with minimal impact to network configuration.

76 Citations

20 Claims

1. A method comprising:
- receiving a request for a policy-based identity routing service for a first network;
  
  providing a first local authoritative user datastore interface (LAUDI) to a first network device of the first network;
  
  obtaining a set of rules for identity routing to the first network;
  
  establishing a connection between the first LAUDI and an authentication proxy;
  
  receiving, at the first LAUDI, an authentication request for a station;
  
  determining, based on the set of rules, whether to analyze the authentication request at the first LAUDI or to route the authentication request to a second LAUDI of a second network device of a second network;
  
  in response to determining that the authentication request matches a characteristic defined by the set of rules, analyzing the authentication request at the first LAUDI; and
  
  in response to determining that the authentication request does not match the characteristic defined by the set of rules, routing the authentication request to the second LAUDI, wherein an authentication result from the second LAUDI indicates whether the station is approved to access services on the second network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein receiving the request for the policy-based identity routing service comprises receiving the request from a party having appropriate credentials.
  - 3. The method of claim 1, wherein receiving the request for the policy-based identity routing service comprises receiving the request from an agent that received a previous request from a party.
  - 4. The method of claim 1, wherein providing the first LAUDI comprises pre-installing the first LAUDI on the first network device prior to implementation of the first network device.
  - 5. The method of claim 1, wherein the first network device includes a wireless access point.
  - 6. The method of claim 1, wherein the first LAUDI is coupled to a datastore to enable the first LAUDI to carry out authentication procedures.
  - 7. The method of claim 1, wherein obtaining the set of rules comprises obtaining the set of rules from an agent via an administrative interface.
  - 8. The method of claim 1, wherein the set of rules establish conditions under which the authentication request is sent to the first network based on credentials associated with the authentication request.

9. A non-transitory, tangible computer-readable device having instructions stored thereon for a policy-based identity routing service that, when executed by at least one computing device, causes the at least one computing device to perform operations comprising:
- receiving a request for the policy-based identity routing service for a first network;
  
  providing a first local authoritative user datastore interface (LAUDI) to a first network device of the first network;
  
  obtaining a set of rules for identity routing to the first network;
  
  establishing a connection between the first LAUDI and an authentication proxy;
  
  receiving, at the first LAUDI, an authentication request for a station;
  
  determining, based on the set of rules, whether to locally analyze the authentication request or to route the authentication request to a second LAUDI of a second network device of a second network;
  
  in response to determining that the authentication request matches a characteristic defined by the set of rules, analyzing the authentication request at the first LAUDI; and
  
  in response to determining that the authentication request does not match the characteristic defined by the set of rules, routing the authentication request to the second LAUDI, wherein an authentication result from the second LAUDI indicates whether the station is approved to access services on the second network.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The non-transitory, tangible computer-readable device of claim 9, wherein receiving the request for the policy-based identity routing service comprises receiving the request from a party having appropriate credentials.
  - 11. The non-transitory, tangible computer-readable device of claim 9, wherein receiving the request for the policy-based identity routing service comprises receiving the request from an agent that received a previous request from a party.
  - 12. The non-transitory, tangible computer-readable device of claim 9, wherein providing the first LAUDI comprises pre-installing the first LAUDI on the first network device prior to implementation of the first network device.
  - 13. The non-transitory, tangible computer-readable device of claim 9, wherein the first LAUDI is coupled to a datastore to enable the first LAUDI to carry out authentication procedures.
  - 14. The non-transitory, tangible computer-readable device of claim 9, wherein the set of rules establish conditions under which the authentication request is sent to the first network based on credentials associated with the authentication request.

15. A system comprising:
- a memory for storing instructions for a policy-based identity routing service; and
  
  a processor configured to execute the instructions, the instructions causing the processor to;
  
  receive a request for the policy-based identity routing service for a first network;
  
  provide a first local authoritative user datastore interface (LAUDI) to a first network device of the first network;
  
  obtain a set of rules for identity routing to the first network;
  
  establish a connection between the first LAUDI and an authentication proxyreceive, at the first LAUDI, an authentication request for a station;
  
  determine, based on the set of rules, whether to locally analyze the authentication request or to route the authentication request to a second LAUDI of a second network device of a second network;
  
  in response to determining that the authentication request matches a characteristic defined by the set of rules, analyze the authentication request at the first LAUDI; and
  
  in response to determining that the authentication request does not match the characteristic defined by the set of rules, route the authentication request to the second LAUDI, wherein an authentication result from the second LAUDI indicates whether the station is approved to access services on the second network.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein receiving the request for the policy-based identity routing service comprises receiving the request from a party having appropriate credentials.
  - 17. The system of claim 15, wherein receiving the request for the policy-based identity routing service comprises receiving the request from an agent that received a previous request from a party.
  - 18. The system of claim 15, wherein providing the first LAUDI comprises pre-installing the first LAUDI on the first network device prior to implementation of the first network device.
  - 19. The system of claim 15, wherein the first LAUDI is coupled to a datastore to enable the first LAUDI to carry out authentication procedures.
  - 20. The system of claim 15, wherein the set of rules establish conditions under which the authentication request is sent to the first network based on credentials associated with the authentication request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
Aerohive Networks Incorporated (Extreme Networks, Inc.)
Inventors
Sakura, Kenshin, Gast, Matthew Stuart, Fu, Long
Primary Examiner(s)
Chang, Kenneth W

Application Number

US16/365,654
Publication Number

US 20190334898A1
Time in Patent Office

427 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0884   by delegation of authentica...

H04L 63/0892   by using authentication-aut...

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04W 12/069   using certificates or pre-s...

Internetwork authentication

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

76 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Internetwork authentication

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

76 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links