Local authentication of a client at a network device

US 6,609,154 B1
Filed: 10/03/2002
Issued: 08/19/2003
Est. Priority Date: 07/02/1999
Status: Expired due to Term

First Claim

Patent Images

1. A computer-readable medium carrying one or more sequences of one or more instructions for controlling access of a client to a network resource using a network firewall routing device, the one or more sequences of one or more instructions including instructions which, when executed by one or more processors, cause the one or more processors to perform the steps of:

creating and storing client authorization information at the network firewall routing device that is logically interposed between the client and the network resource, wherein the client authorization information comprises information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client has with respect to the network resource;

receiving a request from the client to communicate with the network resource;

determining, at the network firewall routing device, whether the client is authorized to communicate with the network resource based on the authorization information; and

reconfiguring the network firewall routing device to permit the client to communicate with the network resource only when the client is authorized to communicate with the network resource based on the authorization information.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus that provide network access control are disclosed. In one embodiment, a network device is configured to intercept network traffic initiated from a client and directed toward a network resource, and to locally authenticate the client. Authentication is carried out by comparing information identifying the client to authentication information stored in the network device. In one embodiment, an authentication cache in the network device stores the authentication information. If the client identifying information is authenticated successfully against the stored authentication information, the network device is dynamically re-configured to allow network traffic initiated by the client to reach the network resource. If local authentication fails, new stored authentication is created for the client, and the network device attempts to authenticate the client using a remote authentication server. If remote authentication is successful, the local authentication information is updated so that subsequent requests can authenticate locally. As a result, a client may be authenticated locally at a router or similar device, reducing network traffic to the authentication server.

153 Citations

29 Claims

1. A computer-readable medium carrying one or more sequences of one or more instructions for controlling access of a client to a network resource using a network firewall routing device, the one or more sequences of one or more instructions including instructions which, when executed by one or more processors, cause the one or more processors to perform the steps of:
- creating and storing client authorization information at the network firewall routing device that is logically interposed between the client and the network resource, wherein the client authorization information comprises information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client has with respect to the network resource;
  
  receiving a request from the client to communicate with the network resource;
  
  determining, at the network firewall routing device, whether the client is authorized to communicate with the network resource based on the authorization information; and
  
  reconfiguring the network firewall routing device to permit the client to communicate with the network resource only when the client is authorized to communicate with the network resource based on the authorization information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A computer-readable medium as recited in claim 1, wherein creating and storing client authorization information comprises the steps of creating and storing in a cache in the network routing device a set of authorization information for each client that communicates with the network routing device.
  - 3. A computer-readable medium as recited in claim 1, wherein creating and storing client authorization information comprises the steps of creating and storing in the network routing device an authentication cache for each client that communicates with the network routing device.
  - 4. A computer-readable medium as recited in claim 1, wherein creating and storing client authorization information comprises the steps of creating and storing in the network routing device a plurality of authentication caches, each authentication cache uniquely associated with one of a plurality of clients that communicate with the network routing device, each authentication cache comprising information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client is authorized to have with respect to the network resource.
  - 5. A computer-readable medium as recited in claim 1, wherein determining whether the client is authorized to communicate with the network resource comprises the step of determining whether information in the request identifying the client matches information in a filtering mechanism of the network routing device and the authorization information stored in the network routing device.
  - 6. A computer-readable medium as recited in claim 1, wherein determining whether the client is authorized to communicate with the network resource comprises the steps of:
7. A computer-readable medium as recited in claim 1, wherein determining whether the client is authorized to communicate with the network resource comprises the steps of:
- determining whether a source IP address of the client in a data packet of the request matches information in an a filtering mechanism of the network routing device;
  
  if a match is found using the filtering mechanism, determining whether the source IP address matches the authorization information stored in the network routing device; and
  
  when the source IP address fails to match the authorization information stored in the network routing device, determining if user identifying information received from the client matches a profile associated with the user that is stored in an authentication server that is coupled to the network routing device.
8. A computer-readable medium as recited in claim 1, wherein determining whether the client is authorized to communicate with the network resource comprises the steps of:
- determining whether client identifying information in the request matches information in a filtering mechanism of the network routing device;
  
  if a match is found using the filtering mechanism, determining whether the client identifying information matches the authorization information stored in the network routing device; and
  
  only when the client identifying information fails to match the authorization information stored in the network routing device, then;
  
  creating and storing new authorization information in the network device that is uniquely associated with the client;
  
  requesting login information from the client;
  
  authenticating the login information by communicating with an authentication server that is coupled to the network routing device; and
  
  updating the new authorization information based on information received from the authentication server.
9. A computer-readable medium as recited in claim 8, wherein:
- requesting login information from the client comprises sending a Hypertext Markup Language login form from the network routing device to the client to solicit a username and a user password; and
  
  authenticating the login information by communicating with an authentication server that is coupled to the network routing device comprises determining, from a profile associated with a user of the client stored in the authentication server, whether the username and password are valid.
10. A computer-readable medium as recited in claim 1, wherein determining whether the client is authorized to communicate with the network resource comprises the steps of:
- determining whether a source IP address in the request matches information in a filtering mechanism of the network routing device;
  
  determining whether the source IP address matches the authorization information stored in the network routing device using an authentication cache in the network routing device; and
  
  only when the source IP address fails to match the authorization information stored in the network routing device, then;
  
  creating and storing a new entry in the authentication cache that is uniquely associated with the client;
  
  requesting login information from the client;
  
  authenticating the login information by communicating with an authentication server that is coupled to the network routing device; and
  
  updating the new entry in the authentication cache based on information received from the authentication server.
11. A computer-readable medium as recited in claim 1, wherein reconfiguring the network routing device comprises the steps of creating and storing one or more commands to the network routing device which, when executed by the network routing device, result in modifying one or more routing interfaces of the network routing device to permit communications between the client and the network resource.

12. A computer system for controlling access of a client to a network resource using a network firewall routing device, comprising:
- one or more processor;
  
  a storage medium carrying one or more sequences of one or more instructions including instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of;
  
  creating and storing client authorization information at the network firewall routing device that is logically interposed between the client and the network resource, wherein the client authorization information comprises information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client has with respect to the network resource;
  
  receiving a request from the client to communicate with the network resource;
  
  determining, at the network firewall routing device, whether the client is authorized to communicate with the network resource based on the authorization information;
  
  reconfiguring the network firewall routing device to permit the client to communicate with the network resource only when the client is authorized to communicate with the network resource based on the authorization information;
  
  wherein creating and storing client authorization information comprises the steps of creating and storing in a cache in the network routing device a set of authorization information for each client that communicates with the network routing device.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. A computer system as recited in claim 12, wherein creating and storing client authorization information comprises the steps of creating and storing in the network routing device a plurality of authentication caches, each authentication cache uniquely associated with one of a plurality of clients that communicate with the network routing device, each authentication cache comprising information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client is authorized to have with respect to the network resource.
  - 14. A computer system as recited in claim 12, wherein determining whether the client is authorized to communicate with the network resource comprises the step of determining whether information in the request identifying the client matches information in a filtering mechanism of the network routing device and the authorization information stored in the network routing device.
  - 15. A computer system as recited in claim 12, wherein determining whether the client is authorized to communicate with the network resource comprises the steps of:
16. A computer system as recited in claim 12, wherein determining whether the client is authorized to communicate with the network resource comprises the steps of:
- determining whether a source IP address of the client in a data packet of the request matches information in an a filtering mechanism of the network routing device;
  
  if a match is found using the filtering mechanism, determining whether the source IP address matches the authorization information stored in the network routing device; and
  
  when the source IP address fails to match the authorization information stored in the network routing device, determining if user identifying information received from the client matches a profile associated with the user that is stored in an authentication server that is coupled to the network routing device.
17. A computer system as recited in claim 12, wherein determining whether the client is authorized to communicate with the network resource comprises the steps of:
- determining whether client identifying information in the request matches information in a filtering mechanism of the network routing device;
  
  if a match is found using the filtering mechanism, determining whether the client identifying information matches the authorization information stored in the network routing device; and
  
  only when the client identifying information fails to match the authorization information stored in the network routing device, then;
  
  creating and storing new authorization information in the network device that is uniquely associated with the client;
  
  requesting login information from the client;
  
  authenticating the login information by communicating with an authentication server that is coupled to the network touting device; and
  
  updating the new authorization information based on information received from the authentication server.
18. A computer system as recited in claim 17, wherein:
- requesting login information from the client comprises sending a Hypertext Markup Language login form from the network routing device to the client to solicit a username and a user password; and
  
  authenticating the login information by communicating with an authentication server that is coupled to the network routing device comprises determining, from a profile associated with a user of the client stored in the authentication server, whether the username and password are valid.
19. A computer system as recited in claim 12, wherein determining whether the client is authorized to communicate with the network resource comprises the steps of:
- determining whether a source IP address in the request matches information in a filtering mechanism of the network routing device;
  
  determining whether the source IP address matches the authorization information stored in the network routing device using an authentication cache in the network routing device; and
  
  only when the source IP address fails to match the authorization information stored in the network routing device, then;
  
  creating and storing a new entry in the authentication cache that is uniquely associated with the client;
  
  requesting login information from the client;
  
  authenticating the login information by communicating with an authentication server that is coupled to the network routing device; and
  
  updating the new entry in the authentication cache based on information received from the authentication server.
20. A computer system as recited in claim 12, wherein reconfiguring the network routing device comprises the steps of creating and storing one or more commands to the network routing device which, when executed by the network routing device, result in modifying one or more routing interfaces of the network routing device to permit communications between the client and the network resource.

21. A data packet firewall router that is logically interposed between a client and a network resource and that controls access of the client to the network resource, comprising:
- one or more processors;
  
  a storage medium carrying one or more sequences of one or more instructions including instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of;
  
  creating and storing client authorization information at the router, wherein the client authentication information comprises information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client has with respect to the network resource;
  
  receiving a request from the client to communicate with the network resource;
  
  determining, at the router, whether the client is authorized to communicate with the network resource based on the authorization information;
  
  reconfiguring the router to permit the client to communicate with the network resource only when the client is authorized to communicate with the network resource based on the authorization information;
  
  wherein creating and storing client authorization information comprises the steps of creating and storing in a cache in the network routing device a set of authorization information for each client that communicates with the network routing device.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
- - 22. A data packet router as recited in claim 21, wherein creating and storing client authorization information comprises the steps of creating and storing in the network routing device a plurality of authentication caches, each authentication cache uniquely associated with one of a plurality of clients that communicate with the network routing device, each authentication cache comprising information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client is authorized to have with respect to the network resource.
  - 23. A data packet router as recited in claim 21, wherein determining whether the client is authorized to communicate with the network resource comprises the step of determining whether information in the request identifying the client matches information in a filtering mechanism of the network routing device and the authorization information stored in the network routing device.
  - 24. A data packet router as recited in claim 21, wherein determining whether the client is authorized to communicate with the network resource comprises the steps of:
25. A data packet router as recited in claim 21, wherein determining whether the client is authorized to communicate with the network resource comprises the steps of:
- determining whether a source IP address of the client in a data packet of the request matches information in an a filtering mechanism of the network routing device;
  
  if a match is found using the filtering mechanism, determining whether the source IP address matches the authorization information stored in the network routing device; and
  
  when the source IP address fails to match the authorization information stored in the network routing device, determining if user identifying information received from the client matches a profile associated with the user that is stored in an authentication server that is coupled to the network routing device.
26. A data packet router as recited in claim 21, wherein determining whether the client is authorized to communicate with the network resource comprises the steps of:
- determining whether client identifying information in the request matches information in a filtering mechanism of the network routing device;
  
  if a match is found using the filtering mechanism, determining whether the client identifying information matches the authorization information stored in the network routing device; and
  
  only when the client identifying information fails to match the authorization information stored in the network routing device, then;
  
  creating and storing new authorization information in the network device that is uniquely associated with the client;
  
  requesting login information from the client;
  
  authenticating the login information by communicating with an authentication server that is coupled to the network routing device; and
  
  updating the new authorization information based on information received from the authentication server.
27. A data packet router as recited in claim 26, wherein:
- requesting login information from the client comprises sending a Hypertext Markup Language login form from the network routing device to the client to solicit a username and a user password; and
  
  authenticating the login information by communicating with an authentication server that is coupled to the network routing device comprises determining, from a profile associated with a user of the client stored in the authentication server, whether the username and password are valid.
28. A data packet router as recited in claim 21, wherein determining whether the client is authorized to communicate with the network resource comprises the steps of:
- determining whether a source IP address in the request matches information in a filtering mechanism of the network routing device;
  
  determining whether the source IP address matches the authorization information stored in the network routing device using an authentication cache in the network routing device; and
  
  only when the source IP address fails to match the authorization information stored in the network routing device, then;
  
  creating and storing a new entry in the authentication cache that is uniquely associated with the client;
  
  requesting login information from the client;
  
  authenticating the login information by communicating with an authentication server that is coupled to the network routing device; and
  
  updating the new entry in the authentication cache based on information received from the authentication server.
29. A data packet router as recited in claim 21, wherein reconfiguring the network routing device comprises the steps of creating and storing one or more commands to the network routing device which, when executed by the network routing device, result in modifying one or more routing interfaces of the network routing device to permit communications between the client and the network resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Fuh, Tzong-Fen, Fan, Serene H., Qu, Diheng
Primary Examiner(s)
Burgess, Glenton B.
Assistant Examiner(s)
FLYNN, KIMBERLY D

Application Number

US10/264,655
Time in Patent Office

320 Days
Field of Search

709/225, 709/229, 709/222, 709/223, 713/200, 713/201
US Class Current

709/225
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0281   Proxies

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 67/306   User profiles

Local authentication of a client at a network device

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

153 Citations

29 Claims

Specification

Use Cases

Quick Links

Others

Local authentication of a client at a network device

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

153 Citations

29 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others