Method for providing single step log-on access to a differentiated computer network

US 6,966,004 B1
Filed: 08/14/2003
Issued: 11/15/2005
Est. Priority Date: 08/03/1998
Status: Expired due to Term

First Claim

Patent Images

1. An apparatus for providing a single step log-on access for a subscriber of a computer network having a first area and a second area, said computer network including at least one Network Access Server (NAS) and at least one Authentication Authorization and Accounting (AAA) Server, said NAS providing access for the subscriber to said first area, said apparatus comprising:

a Service Selection Gateway (SSG) Server providing access for the subscriber to the second area, said SSG Server connected between the NAS and the AAA Server, said SSG Server configured to;

(1) receive an access-request packet from the NAS when the subscriber connects the NAS, (2) forward said access-request packet to the AAA Server, (3) receive an access-reply packet from the AAA Server in response to said access-request packet, (4) forward said access-reply packet to the NAS, and (5) process information in said access-reply packet for enabling said SSG Server to automatically log the subscriber onto said SSG Server when the subscriber logs onto the NAS.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for providing single step log-on access for a subscriber to a computer network. The computer network is differentiated into public and private areas. Secure access to the private areas is provided by a Service Selection Gateway (SSG) Server, introduced between a conventional Network Access Server (NAS) and an Authentication Authorization and Accounting (AAA) Server. The SSG Server intercepts and manipulates packets of data exchanged between the NAS and the AAA Server to obtain all the information it needs to automatically log the user on when the user logs on to the NAS. An authorized user is thus spared the task of having to re-enter username and password data or launch a separate application in order to gain secure access to private areas of the network.

62 Citations

View as Search Results

15 Claims

1. An apparatus for providing a single step log-on access for a subscriber of a computer network having a first area and a second area, said computer network including at least one Network Access Server (NAS) and at least one Authentication Authorization and Accounting (AAA) Server, said NAS providing access for the subscriber to said first area, said apparatus comprising:
- a Service Selection Gateway (SSG) Server providing access for the subscriber to the second area, said SSG Server connected between the NAS and the AAA Server, said SSG Server configured to;
  
  (1) receive an access-request packet from the NAS when the subscriber connects the NAS, (2) forward said access-request packet to the AAA Server, (3) receive an access-reply packet from the AAA Server in response to said access-request packet, (4) forward said access-reply packet to the NAS, and (5) process information in said access-reply packet for enabling said SSG Server to automatically log the subscriber onto said SSG Server when the subscriber logs onto the NAS.
- View Dependent Claims (2, 3)
- - 2. The apparatus of claim 1, wherein the access-request packet includes user-name and password information for the subscriber.
  - 3. The apparatus of claim 2, wherein the SSG Server is further configured to utilize the user-name and password information for the subscriber to initiate log-on for the subscriber to the second area.

4. An apparatus for providing a subscriber with single step log-on access to computer network having a first area and a second area, the apparatus comprising:
- a Service Selection Gateway (SSG) Server configured to;
  
  (1) intercept a log-on request packet from a Network Access Server (NAS), said log-on-request packet initiated by a user seeking to gain access to the first area, access to which is controlled by the NAS, and to the second area, access to which is controlled by the SSG Server, (2) send an authorization request packet derived from said log-on request packet to an Authentication, Authorization and Accounting (AAA) Server, (3) receive an authorization packet from the AAA Server and responsive to the authorization request packet, and (4) process said log-on request packet and said authorization packet to enable said SSG Server to automatically log the subscriber on to the SSG Server for access to the second area when the subscriber logs on to the NAS.
- View Dependent Claims (5, 6)
- - 5. The apparatus of claim 4, wherein the log-on request is sent from the NAS.
  - 6. The apparatus of claim 4, wherein said SSG Server is further configured to utilize information contained in the log-on request to initiate log-on for the subscriber to the second area.

7. An apparatus for providing a subscriber with single step log-on access to a computer network having a first area and a second area, the apparatus comprising:
- a Service Selection Gateway (SSG) Server configured to;
  
  (1) intercept a log-on request initiated by the subscriber, (2) route the log-on request to an Authentication, Authorization and Accounting (AAA) Server to initiate log-on for the subscriber to the first area, (3) process an access-reply received from the AAA Server, (4) provide log-on access for the subscriber to the second area based on the access-reply, and (5) route the access-reply to a Network Access Server (NAS) to complete log-on for the subscriber to the first area.
- View Dependent Claims (8, 9)
- - 8. The apparatus of claim 7, wherein the log-on request is sent from the NAS.
  - 9. The apparatus of claim 7, wherein said SSG Server is further configured to utilize information contained in the log-on request to initiate log-on for the subscriber to the second area.

10. An apparatus for providing a subscriber with single step log-on to a computer network differentiated into a plurality of areas, the apparatus comprising:
- a Service Selection Gateway (SSG) Server configured to;
  
  (1) receive an access-reply from an Authentication, Authorization and Accounting (AAA) server, (2) check the access-reply to determine if it contains a network address assigned by the AAA server to the subscriber, (3) log the subscriber on to the SSG with the assigned network address if the access-reply contains authorization to do so from the AAA server and if it contains a network address assigned by the AAA server to the subscriber, and (4) forward the access-reply to a Network Access Server (NAS) so that the subscriber may log-on to the NAS with the assigned network address if the access-reply contains authorization to do so from the AAA server and if it contains a network address assigned by the AAA server to the subscriber.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The apparatus of claim 10, wherein said SSG Server is further configured to:
    - if the access-reply does not contain an assigned IP address, (5) log the subscriber on to the SSG with a temporary IP address if the access-reply contains authorization to do so from the AAA server, (6) assign a user identification to the subscriber, (7) forward the access-reply and the user identification to the NAS so that the subscriber may log-on to the NAS with a NAS-assigned network address if the access-reply contains authorization to do so from the AAA server, (8) receive from the NAS an accounting-start request identifying the NAS-assigned network address and the user identification, (9) replace the temporary IP address with the NAS-assigned IP address, and (10) forward the accounting-start request to the AAA server.
  - 12. The apparatus of claim 11, wherein the user identification is written into the access-reply packet as a Remote Authentication Dial-In User Service (RADIUS) attribute.
  - 13. The apparatus of claim 12, wherein the RADIUS attribute is a RADIUS class attribute.
  - 14. The apparatus of claim 10, wherein said SSG Server is further configured to:
    - (5) receive an access-request from the NAS, and (6) forward the access-request to the AAA server.
  - 15. The apparatus of claim 10, wherein the user identification is the temporary network address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Xu, Xi, Chu, Jie, Lou, Shuxian, Dos Santos, Maria Alice, Zhang, Shujin, Jin, Jane Jiaying
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US10/642,534
Time in Patent Office

824 Days
Field of Search

709223-225, 709/227, 709/228, 709/238, 713200-202
US Class Current

726/5
CPC Class Codes

H04L 63/0815 providing single-sign-on or...

H04L 63/083 using passwords cryptograph...

Method for providing single step log-on access to a differentiated computer network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

62 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method for providing single step log-on access to a differentiated computer network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links