Methods for authenticating and authorizing a mobile device using tunneled extensible authentication protocol

US 20090119742A1
Filed: 11/01/2007
Published: 05/07/2009
Est. Priority Date: 11/01/2007
Status: Active Grant

First Claim

Patent Images

1. In a communications network using an Extensible Authentication Protocol (EAP), a method for a routing a client access request to a home Authentication, Authorization, and Accounting (AAA) server for inner user authentication, comprising:

(a) establishing a transport layer security (TLS) tunnel between a visited AAA server in a foreign network and the client;

(b) receiving an access request from the client at the visited AAA server within the TLS tunnel;

(c) evaluating attributes received in the access request at the TLS AAA server against a local policy; and

(d) routing said access request to a home authentication server based at least in part on the evaluation of attributes received in said access request against said local policy.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods for authenticating and authorizing a mobile device using tunneled extensible authentication protocol are provided. The methods include evaluating an inner user identifier against a policy engine to determine a home AAA server to route an access request for inner user authentication. Instead of having a static route configured based on an outer identifier/roaming identity, the policy engine can have multiple rules and actions for routing the request. The evaluation can be based on the conditions of the inner user identifier and or other AAA attributes received in the request. The request is transmitted within a secure communication tunnel. There are several embodiments of evaluating an inner user identifier against a policy engine.

64 Citations

View as Search Results

14 Claims

1. In a communications network using an Extensible Authentication Protocol (EAP), a method for a routing a client access request to a home Authentication, Authorization, and Accounting (AAA) server for inner user authentication, comprising:
- (a) establishing a transport layer security (TLS) tunnel between a visited AAA server in a foreign network and the client;
  
  (b) receiving an access request from the client at the visited AAA server within the TLS tunnel;
  
  (c) evaluating attributes received in the access request at the TLS AAA server against a local policy; and
  
  (d) routing said access request to a home authentication server based at least in part on the evaluation of attributes received in said access request against said local policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 13)
- - 2. The method of claim 1, wherein attributes received in said access request include an inner user identifier and wherein evaluating attributes received in said access request includes evaluating the inner user identifier against said local policy.
  - 3. The method of claim 1, wherein a client comprises a cellular telephone, a smart phone, a laptop computer, or a personal data assistant.
  - 4. The method of claim 2, wherein evaluating the inner user identifier against said local policy comprises performing at least one of the following determinations on the inner user identifier:
    - (a) determining if the inner user identifier equals a known character string;
      
      (b) determining if a prefix portion of the inner user identifier equals a known character string;
      
      (c) determining if a suffix portion of the inner user identifier equals a known character string; and
      
      (d) determining if the inner user identifier contains a characters in a defined set of characters.
  - 5. The method of claim 1, wherein establishing a transport layer security (TLS) tunnel between a visited AAA server in a foreign network and the client includes establishing the TLS tunnel according to one of EAP-TTLS or PEAP protocols.
  - 6. The method of claim 1, wherein evaluating attributes received in the access request at the TLS AAA server against a local policy includes evaluating a EAP-Identity in the access request.
  - 7. The method of claim 6, wherein evaluating a EAP-Identity includes performing at least one of the following determinations on the inner user identifier:
    - (a) determining if the EAP-Identity equals a known character string;
      
      (b) determining if a prefix portion of the EAP-Identity equals a known character string;
      
      (c) determining if a suffix portion of the EAP-Identity equals a known character string; and
      
      (d) determining if the EAP-Identity contains a characters in a defined set of characters.
  - 8. The method of claim 1, wherein evaluating attributes received in the access request at the TLS AAA server against a local policy includes evaluating a User-Name attributes in the access request, wherein User-Name attribute is defined by any one of PAP, CHAP, MSCHAPv1, or MSCHAPv2 protocols.
  - 9. The method of claim 8, wherein evaluating a User-Name includes performing at least one of the following determinations on the inner user identifier:
    - (a) determining if the User-Name equals a known character string;
      
      (b) determining if a prefix portion of the User-Name equals a known character string;
      
      (c) determining if a suffix portion of the User-Name equals a known character string; and
      
      (d) determining if the User-Name contains a characters in a defined set of characters.
  - 13. The method of claim 8, wherein a client comprises a cellular telephone, a smart phone, a laptop computer, or a personal data assistant.

10. In a communications network using an authentication protocol, a method for a routing a client access request to a home authentication server for inner user authentication, comprising:
- (a) establishing a secure communication tunnel between a visited server and the client;
  
  (b) receiving an access request from the client at the visited server within said secure communication tunnel;
  
  (c) evaluating attributes received in said access request at said visited server against a local policy; and
  
  (d) routing said access request to a home authentication server based at least in part on the evaluation of attributes received in said access request against said local policy.
- View Dependent Claims (11, 12)
- - 11. The method of claim 10, wherein attributes received in said access request include an inner user identifier and wherein evaluating attributes received in said access request includes evaluating the inner user identifier against said local policy.
  - 12. The method of claim 10, wherein evaluating the inner user identifier against said local policy comprises performing at least one of the following determinations on the inner user identifier:
    - (a) determining if the inner user identifier equals a known character string;
      
      (b) determining if a prefix portion of the inner user identifier equals a known character string;
      
      (c) determining if a suffix portion of the inner user identifier equals a known character string; and
      
      (d) determining if the inner user identifier contains a characters in a defined set of characters.

14. In a communications network using an authentication protocol, a method for a routing a client access request to a home authentication server for inner user authentication, comprising:
- (a) establishing a secure communication tunnel between a visited server and the client using a roaming identifier for the client;
  
  (b) receiving an access request from the client at the visited server within said secure communication tunnel;
  
  (c) routing the access request to a first home authentication server based on said roaming identifier;
  
  (d) receiving the access request said first home authentication server;
  
  (c) evaluating attributes received in said access request, including an inner user identifier, at said first home authentication server against a local policy; and
  
  (d) routing said access request to a second home authentication server based at least in part on the evaluation of attributes received in said access request against said local policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amdocs Canadian Managed Services Inc. (Amdocs Ltd.), Amdocs Development Limited (Amdocs Ltd.)
Original Assignee
Bridgewater Systems Corp. (Amdocs Ltd.)
Inventors
Graziani, Giulio, Li, Yong

Granted Patent

US 8,341,702 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/0892   by using authentication-aut...

H04L 63/166   at the transport layer

H04W 12/062   Pre-authentication

H04W 12/069   using certificates or pre-s...

Methods for authenticating and authorizing a mobile device using tunneled extensible authentication protocol

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

64 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Methods for authenticating and authorizing a mobile device using tunneled extensible authentication protocol

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

64 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links