OFF-SITE USER ACCESS CONTROL

US 20140245395A1
Filed: 10/16/2013
Published: 08/28/2014
Est. Priority Date: 10/16/2012
Status: Active Grant

First Claim

Patent Images

1. A method for off-site access control in a communications system, the method comprising:

receiving, by a router, a communication request from a user device for communications over the Internet, the user device being communicatively coupled with a site-based communications network;

determining, by the router, whether the user device is authorized to communicate as requested over the Internet; and

when the user device is not authorized to communicate as requested over the Internet according to the determining step;

forwarding the communication request by the router to a off-site authentication system over the Internet;

receiving a portal response from the off-site authentication system comprising a captive authentication portal for becoming authorized to communicate as requested over the Internet;

receiving an authentication request from the user device according to the captive authentication portal; and

authenticating the user device to communicate as requested over the Internet according to the authentication request.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described for off-site user access control to communications services via a site-based communications network. Embodiments operate in context of sites, each having one or more site-based networks in communication with external networks via one or more on-site routers. User devices are provided with controlled access to those external networks via wired or wireless connections between those user devices and the site based networks. In some embodiments, on-site routers maintain route maps that indicate which user devices are authorized. Standard routing functions are used so that traffic from authorized devices is routed normally, while traffic from unauthorized devices is automatically forwarded to an off-site (e.g., cloud-based) authentication system. As devices become remotely authenticated, the off-site authentication system can remotely update route maps of the on-site routers to add those devices.

38 Citations

View as Search Results

27 Claims

1. A method for off-site access control in a communications system, the method comprising:
- receiving, by a router, a communication request from a user device for communications over the Internet, the user device being communicatively coupled with a site-based communications network;
  
  determining, by the router, whether the user device is authorized to communicate as requested over the Internet; and
  
  when the user device is not authorized to communicate as requested over the Internet according to the determining step;
  
  forwarding the communication request by the router to a off-site authentication system over the Internet;
  
  receiving a portal response from the off-site authentication system comprising a captive authentication portal for becoming authorized to communicate as requested over the Internet;
  
  receiving an authentication request from the user device according to the captive authentication portal; and
  
  authenticating the user device to communicate as requested over the Internet according to the authentication request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 11, 12)
- - 2. The method of claim 1, wherein:
    - determining whether the user device is authorized to communicate as requested over the Internet comprises determining whether the user device is one of a plurality of authorized devices according to an access control list maintained by the router; and
      
      the router is configured so that traffic originating from any of the plurality of authorized devices is automatically routed to a destination address of the traffic, and traffic originating from any user device that is not one of the plurality of authorized devices is automatically forwarded to the off-site authentication system.
  - 3. The method of claim 2, wherein authenticating the user device to communicate as requested over the Internet according to the authentication request comprises:
    - receiving an authentication response from the off-site authentication system according to the authentication request directing the router to add the user device to the access control list; and
      
      adding the user device to the access control list by the router according to the authentication response.
  - 4. The method of claim 1, wherein:
    - the captive authentication portal comprises an authentication prompt;
      
      receiving the authentication request from the user device according to the captive authentication portal comprises;
      
      communicating the captive authentication portal from the router to the user device in such a way as to display the authentication prompt via a user interface of the user device; and
      
      receiving the authentication request from the user device as a response to the authentication prompt via the user interface; and
      
      authenticating the user device to communicate as requested over the Internet according to the authentication request comprises;
      
      forwarding the authentication request to the off-site authentication system; and
      
      receiving an authentication response from the off-site authentication system directing the router to authenticate the user device to communicate as requested over the Internet according to the authentication request.
  - 5. The method of claim 4, wherein:
    - the user interface is a browser interface; and
      
      the captive authentication portal comprises content page data of a captive portal webpage that includes the authentication prompt and is configured for display via the browser interface of the user device.
  - 6. The method of claim 4, wherein the authentication response comprises user credentials submitted by a user via the user interface.
  - 7. The method of claim 1, wherein:
    - the user device is running a local authentication application having an associated set of stored credentials;
      
      the captive authentication portal comprises an authentication prompt configured to request the set of stored credentials from the local authentication application; and
      
      receiving the authentication request from the user device according to the captive authentication portal comprises;
      
      communicating the captive authentication portal from the router to the user device; and
      
      receiving the set of stored credentials from the local authentication application authentication in response to the authentication prompt; and
      
      authenticating the user device to communicate as requested over the Internet according to the authentication request comprises authenticating the user device according to the set of credentials.
  - 8. The method of claim 1, further comprising:
    - when the user device is authorized to communicate at least as requested over the Internet according to the determining step, routing the communication request to a destination address associated with the communication request.
  - 9. The method of claim 1, further comprising:
    - receiving, by the router, a second communication request from the user device for communications over the Internet;
      
      determining, by the router subsequent to the authenticating step, that the user device is authorized to communicate as second requested over the Internet; and
      
      routing the second communication request to a destination address associated with the second request according to determining that the user device is authorized to communicate as second requested over the Internet.
  - 11. The method of claim 1, wherein the authentication request from the user device comprises at least one of:
    - a credential corresponding to hardware or software of the user device;
      
      a credential corresponding to a user of the user device;
      
      information corresponding to a payment transaction for communications services over the site-based network;
      
      an indication of agreement to view promotional content;
      
      oran indication of agreement to a usage policy for communications services over the site-based network.
  - 12. The method of claim 1, wherein forwarding the communication request by the router to the off-site authentication system over the Internet comprises encapsulating traffic of the communication request according to a logical tunnel between the router and the off-site authentication system.

10. (canceled)

13. A router disposed in a site-based communications network, the router comprising:
- a route map indicating a plurality of authorized user devices, operable to designate traffic originating from any of the plurality of authorized devices for routing to a destination address of the traffic, and operable to designate traffic originating from any user device that is not one of the plurality of authorized devices for forwarding to an off-site authentication system; and
  
  a communications subsystem operable to;
  
  receive a communication request from a user device communicatively coupled with the site-based communications network, the communication request being for communications external to the site-based network;
  
  route the communication request to a destination address of the communication request when designated as originating from one of the plurality of authorized devices according to the route map;
  
  forward the communication request to the off-site authentication system when designated as originating from other than one of the plurality of authorized devices according to the route map;
  
  receive an indication from the off-site authentication system to authorize the user device; and
  
  update the route map to include the user device as one of the plurality of authorized user devices according to the indication.
- View Dependent Claims (14, 15, 16)
- - 14. The router of claim 13, wherein the communications subsystem is operable to receive the indication from the off-site authentication system to authorize the user device by:
    - receiving a portal response from the off-site authentication system comprising a captive authentication portal for becoming authorized to communicate as requested external to the site-based network;
      
      communicating the captive authentication portal from the router to the user device in such a way as to display an authentication prompt via a user interface of the user device;
      
      receiving an authentication request from the user device in response to the authentication prompt via the user interface;
      
      forwarding the authentication request to the off-site authentication system; and
      
      receiving the indication from the off-site authentication system to authorize the user device according to the authentication request.
  - 15. The router of claim 13, wherein the communications subsystem is operable to receive the indication from the off-site authentication system to authorize the user device by:
    - receiving a portal response from the off-site authentication system comprising a captive authentication portal for becoming authorized to communicate as requested external to the site-based network;
      
      communicating the captive authentication portal from the router to the user device in such a way as to request a set of stored credentials from a local application running on the user device;
      
      receiving the set of stored credentials from the local application in response to the request;
      
      forwarding the set of stored credentials to the off-site authentication system; and
      
      receiving the indication from the off-site authentication system to authorize the user device according to the set of stored credentials.
  - 16. The router of claim 13, wherein the communications subsystem is communicatively coupled with the off-site authentication system via a logical tunnel.

17-22. -22. (canceled)

23. An off-site authentication system in communication with a plurality of on-site routers, each disposed within a site-based network, the off-site authentication system comprising:
- a router controller operable to;
  
  receive, from an on-site router, a communication request originating from a user device, the user device being communicatively coupled with a site-based communications network of the on-site router, the communication request being for communications external to the site-based network, and the on-site router being configured so that traffic originating from any of a plurality of authorized user devices is automatically routed to a destination address of the traffic, and traffic originating from any user device that is not one of the plurality of authorized devices is automatically forwarded to the off-site authentication system; and
  
  an authentication subsystem in communication with the router controller, and operable to;
  
  communicate a portal response to the on-site router comprising a captive authentication portal for becoming authorized to communicate as requested external to the site-based network;
  
  receive an authentication request from the user device via the on-site router according to the captive authentication portal; and
  
  determine that the user device is authorized to communicate as requested external to the site-based network according to the authentication request,wherein the router controller is operable to communicate an instruction to the on-site router directing the on-site router to update a route map to indicate that the user device is authorized to communicate at least as requested external to the site-based network according to the determination of the authentication subsystem.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The off-site authentication system of claim 23, wherein the authentication subsystem is operable to communicate the portal response to the on-site router as content page data of a captive portal webpage that includes an authentication prompt and is configured for display via a browser interface of the user device.
  - 25. The off-site authentication system of claim 24, wherein the authentication subsystem is operable to communicate the portal response further by communicating a redirect response to the browser interface of the user device in such a way that the browser interface displays the captive portal webpage in association with a captive portal web address.
  - 26. The off-site authentication system of claim 23, wherein the authentication subsystem is operable to communicate the portal response to the on-site router as a request for a set of stored credentials from a local application running on the user device.
  - 27. The off-site authentication system of claim 23, wherein the router controller and the authentication subsystem are implemented on a cloud-based virtual server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Guest-tek Interactive Entertainment Ltd.
Original Assignee
Guest-tek Interactive Entertainment Ltd.
Inventors
Hulse, David Andrew, Bryars, Mark Howard

Granted Patent

US 9,178,861 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H04L 45/00   Routing or path finding of ...

H04L 45/02   Topology update or discovery

H04L 45/14   Routing performance; Theore...

H04L 63/08   for authentication of entit...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04W 12/068   using credential vaults, e....

OFF-SITE USER ACCESS CONTROL

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

38 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

OFF-SITE USER ACCESS CONTROL

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links