Local authentication of a client at a network device
Abstract
A method and apparatus that provide network access control are disclosed. In one embodiment, a network device is configured to intercept network traffic initiated from a client and directed toward a network resource, and to locally authenticate the client. Authentication is carried out by comparing information identifying the client to authentication information stored in the network device. In one embodiment, an authentication cache in the network device stores the authentication information. If the client identifying information is authenticated successfully against the stored authentication information, the network device is dynamically re-configured to allow network traffic initiated by the client to reach the network resource. If local authentication fails, new stored authentication information is created for the client, and the network device attempts to authenticate the client using a remote authentication server. If remote authentication is successful, the local authentication information is updated so that subsequent requests can authenticate locally. As a result, a client may be authenticated locally at a router or similar device, reducing network traffic to the authentication server.
Claims
1. A computer-readable medium carrying one or more sequences of one or more instructions for controlling access of a client to a network resource using a network firewall routing device, the one or more sequences of one or more instructions including instructions which, when executed by one or more processors, cause the one or more processors to perform the steps of:
creating and storing client authorization information at the network firewall routing device that is logically interposed between the client and the network resource, wherein the client authorization information comprises information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client has with respect to the network resource;
receiving a request from the client to communicate with the network resource;
determining, at the network firewall routing device, whether the client is authorized to communicate with the network resource based on the authorization information; and
reconfiguring the network firewall routing device to permit the client to communicate with the network resource only when the client is authorized to communicate with the network resource based on the authorization information.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.)

determining whether a source IP address of the client in a data packet of the request matches information in a filtering mechanism of the network routing device; and
if so, determining whether the source IP address matches the authorization information stored in the network routing device.

7. A computer-readable medium as recited in claim 1, wherein determining whether the client is authorized to communicate with the network resource comprises the steps of:
determining whether a source IP address of the client in a data packet of the request matches information in a filtering mechanism of the network routing device;
if a match is found using the filtering mechanism, determining whether the source IP address matches the authorization information stored in the network routing device; and
when the source IP address fails to match the authorization information stored in the network routing device, determining if user identifying information received from the client matches a profile associated with the user that is stored in an authentication server that is coupled to the network routing device.

8. A computer-readable medium as recited in claim 1, wherein determining whether the client is authorized to communicate with the network resource comprises the steps of:
determining whether client identifying information in the request matches information in a filtering mechanism of the network routing device;
if a match is found using the filtering mechanism, determining whether the client identifying information matches the authorization information stored in the network routing device; and
only when the client identifying information fails to match the authorization information stored in the network routing device, then:
creating and storing new authorization information in the network device that is uniquely associated with the client;
requesting login information from the client;
authenticating the login information by communicating with an authentication server that is coupled to the network routing device; and
updating the new authorization information based on information received from the authentication server.

9. A computer-readable medium as recited in claim 8, wherein:
requesting login information from the client comprises sending a Hypertext Markup Language login form from the network routing device to the client to solicit a username and a user password; and
authenticating the login information by communicating with an authentication server that is coupled to the network routing device comprises determining, from a profile associated with a user of the client stored in the authentication server, whether the username and password are valid.

10. A computer-readable medium as recited in claim 1, wherein determining whether the client is authorized to communicate with the network resource comprises the steps of:
determining whether a source IP address in the request matches information in a filtering mechanism of the network routing device;
determining whether the source IP address matches the authorization information stored in the network routing device using an authentication cache in the network routing device; and
only when the source IP address fails to match the authorization information stored in the network routing device, then:
creating and storing a new entry in the authentication cache that is uniquely associated with the client;
requesting login information from the client;
authenticating the login information by communicating with an authentication server that is coupled to the network routing device; and
updating the new entry in the authentication cache based on information received from the authentication server.

11. A computer-readable medium as recited in claim 1, wherein reconfiguring the network routing device comprises the steps of creating and storing one or more commands to the network routing device which, when executed by the network routing device, result in modifying one or more routing interfaces of the network routing device to permit communications between the client and the network resource.
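The decision flow that the abstract and claims 7 through 11 describe (filter match on the source IP, lookup in the local authentication cache, a fresh cache entry plus login solicitation on a miss, remote authentication, cache update, and dynamic reconfiguration limited to the cached privileges), as an added Python model that is not part of the patent or of any product implementing it. The idle timeout on cache entries, the in-memory `AuthServer` stand-in for the remote server, and the addresses, user profile and resource names are all constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class CacheEntry:
    """One authentication-cache entry, uniquely associated with a client (keyed by source IP)."""
    authenticated: bool = False
    privileges: frozenset = frozenset()   # resources the authenticated user may reach
    last_seen: float = 0.0


class AuthServer:
    """Constructed stand-in for the remote authentication server (RADIUS/TACACS+ in practice)."""
    def __init__(self, profiles):
        self.profiles = profiles   # username -> (password, set of permitted resources)
        self.calls = 0             # counts remote round trips the cache is meant to avoid

    def check(self, username, password):
        self.calls += 1
        profile = self.profiles.get(username)
        if profile is None or profile[0] != password:
            return None
        return frozenset(profile[1])


class AuthProxyRouter:
    def __init__(self, filtered_nets, auth_server, idle_timeout=600):
        self.filtered_nets = [ipaddress.ip_network(n) for n in filtered_nets]  # the "filtering mechanism"
        self.auth_server = auth_server
        self.idle_timeout = idle_timeout   # assumption: entries expire when idle, since source IPs get reused
        self.cache = {}                    # src IP -> CacheEntry: the local authentication cache
        self.dynamic_acl = set()           # (src IP, resource) permits added by reconfiguration

    def handle_request(self, src_ip, resource, now, credentials=None):
        ip = ipaddress.ip_address(src_ip)
        # Step 1: only traffic matching the filtering mechanism is subject to the auth proxy.
        if not any(ip in net for net in self.filtered_nets):
            return "NOT_FILTERED"
        # Step 2: local authentication: compare the source IP to the cached authorization information.
        entry = self.cache.get(src_ip)
        if entry and entry.authenticated and now - entry.last_seen <= self.idle_timeout:
            entry.last_seen = now
            return self._reconfigure(src_ip, resource, entry)
        # Step 3: cache miss (or expired entry): create a fresh entry for this client, then solicit login.
        self.cache[src_ip] = CacheEntry(last_seen=now)
        if credentials is None:
            return "LOGIN_FORM"   # the router would serve the HTML login form here
        # Step 4: remote authentication, then update the new entry from the server's answer.
        privs = self.auth_server.check(*credentials)
        if privs is None:
            return "DENY"
        entry = CacheEntry(authenticated=True, privileges=privs, last_seen=now)
        self.cache[src_ip] = entry
        return self._reconfigure(src_ip, resource, entry)

    def _reconfigure(self, src_ip, resource, entry):
        # Step 5: permit only what the cached privileges allow, by adding a dynamic ACL permit.
        if resource not in entry.privileges:
            return "DENY"
        self.dynamic_acl.add((src_ip, resource))
        return "PERMIT"
```

A second request from the same source is served from the cache without a remote round trip, which is the traffic reduction the abstract claims; once the entry goes idle past the timeout the client is sent back to the login form.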

12. A computer system for controlling access of a client to a network resource using a network firewall routing device, comprising:
one or more processors;
a storage medium carrying one or more sequences of one or more instructions including instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of:
creating and storing client authorization information at the network firewall routing device that is logically interposed between the client and the network resource, wherein the client authorization information comprises information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client has with respect to the network resource;
receiving a request from the client to communicate with the network resource;
determining, at the network firewall routing device, whether the client is authorized to communicate with the network resource based on the authorization information;
reconfiguring the network firewall routing device to permit the client to communicate with the network resource only when the client is authorized to communicate with the network resource based on the authorization information;
wherein creating and storing client authorization information comprises the steps of creating and storing in a cache in the network routing device a set of authorization information for each client that communicates with the network routing device.
(Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20.)

determining whether a source IP address of the client in a data packet of the request matches information in a filtering mechanism of the network routing device; and
if so, determining whether the source IP address matches the authorization information stored in the network routing device.

16. A computer system as recited in claim 12, wherein determining whether the client is authorized to communicate with the network resource comprises the steps of:
determining whether a source IP address of the client in a data packet of the request matches information in a filtering mechanism of the network routing device;
if a match is found using the filtering mechanism, determining whether the source IP address matches the authorization information stored in the network routing device; and
when the source IP address fails to match the authorization information stored in the network routing device, determining if user identifying information received from the client matches a profile associated with the user that is stored in an authentication server that is coupled to the network routing device.

17. A computer system as recited in claim 12, wherein determining whether the client is authorized to communicate with the network resource comprises the steps of:
determining whether client identifying information in the request matches information in a filtering mechanism of the network routing device;
if a match is found using the filtering mechanism, determining whether the client identifying information matches the authorization information stored in the network routing device; and
only when the client identifying information fails to match the authorization information stored in the network routing device, then:
creating and storing new authorization information in the network device that is uniquely associated with the client;
requesting login information from the client;
authenticating the login information by communicating with an authentication server that is coupled to the network routing device; and
updating the new authorization information based on information received from the authentication server.

18. A computer system as recited in claim 17, wherein:
requesting login information from the client comprises sending a Hypertext Markup Language login form from the network routing device to the client to solicit a username and a user password; and
authenticating the login information by communicating with an authentication server that is coupled to the network routing device comprises determining, from a profile associated with a user of the client stored in the authentication server, whether the username and password are valid.

19. A computer system as recited in claim 12, wherein determining whether the client is authorized to communicate with the network resource comprises the steps of:
determining whether a source IP address in the request matches information in a filtering mechanism of the network routing device;
determining whether the source IP address matches the authorization information stored in the network routing device using an authentication cache in the network routing device; and
only when the source IP address fails to match the authorization information stored in the network routing device, then:
creating and storing a new entry in the authentication cache that is uniquely associated with the client;
requesting login information from the client;
authenticating the login information by communicating with an authentication server that is coupled to the network routing device; and
updating the new entry in the authentication cache based on information received from the authentication server.

20. A computer system as recited in claim 12, wherein reconfiguring the network routing device comprises the steps of creating and storing one or more commands to the network routing device which, when executed by the network routing device, result in modifying one or more routing interfaces of the network routing device to permit communications between the client and the network resource.
21. A data packet firewall router that is logically interposed between a client and a network resource and that controls access of the client to the network resource, comprising:
one or more processors;
a storage medium carrying one or more sequences of one or more instructions including instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of:
creating and storing client authorization information at the router, wherein the client authentication information comprises information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client has with respect to the network resource;
receiving a request from the client to communicate with the network resource;
determining, at the router, whether the client is authorized to communicate with the network resource based on the authorization information;
reconfiguring the router to permit the client to communicate with the network resource only when the client is authorized to communicate with the network resource based on the authorization information;
wherein creating and storing client authorization information comprises the steps of creating and storing in a cache in the network routing device a set of authorization information for each client that communicates with the network routing device.
(Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29.)

determining whether a source IP address of the client in a data packet of the request matches information in a filtering mechanism of the network routing device; and
if so, determining whether the source IP address matches the authorization information stored in the network routing device.

25. A data packet router as recited in claim 21, wherein determining whether the client is authorized to communicate with the network resource comprises the steps of:
determining whether a source IP address of the client in a data packet of the request matches information in a filtering mechanism of the network routing device;
if a match is found using the filtering mechanism, determining whether the source IP address matches the authorization information stored in the network routing device; and
when the source IP address fails to match the authorization information stored in the network routing device, determining if user identifying information received from the client matches a profile associated with the user that is stored in an authentication server that is coupled to the network routing device.

26. A data packet router as recited in claim 21, wherein determining whether the client is authorized to communicate with the network resource comprises the steps of:
determining whether client identifying information in the request matches information in a filtering mechanism of the network routing device;
if a match is found using the filtering mechanism, determining whether the client identifying information matches the authorization information stored in the network routing device; and
only when the client identifying information fails to match the authorization information stored in the network routing device, then:
creating and storing new authorization information in the network device that is uniquely associated with the client;
requesting login information from the client;
authenticating the login information by communicating with an authentication server that is coupled to the network routing device; and
updating the new authorization information based on information received from the authentication server.

27. A data packet router as recited in claim 26, wherein:
requesting login information from the client comprises sending a Hypertext Markup Language login form from the network routing device to the client to solicit a username and a user password; and
authenticating the login information by communicating with an authentication server that is coupled to the network routing device comprises determining, from a profile associated with a user of the client stored in the authentication server, whether the username and password are valid.

28. A data packet router as recited in claim 21, wherein determining whether the client is authorized to communicate with the network resource comprises the steps of:
determining whether a source IP address in the request matches information in a filtering mechanism of the network routing device;
determining whether the source IP address matches the authorization information stored in the network routing device using an authentication cache in the network routing device; and
only when the source IP address fails to match the authorization information stored in the network routing device, then:
creating and storing a new entry in the authentication cache that is uniquely associated with the client;
requesting login information from the client;
authenticating the login information by communicating with an authentication server that is coupled to the network routing device; and
updating the new entry in the authentication cache based on information received from the authentication server.

29. A data packet router as recited in claim 21, wherein reconfiguring the network routing device comprises the steps of creating and storing one or more commands to the network routing device which, when executed by the network routing device, result in modifying one or more routing interfaces of the network routing device to permit communications between the client and the network resource.