Extensible authentication and authorization of identities in an application message on a network device
Abstract
User credentials are validated within a network infrastructure element such as a packet data router or switch. The network element has authentication and authorization logic for receiving one or more packets representing an input application message logically associated with OSI network model Layer 5 or above; extracting user credentials from the one or more packets; authenticating an identity associated with the user credentials; authorizing privileges to the identity; and forwarding the application message to an intended destination if the identity is successfully authenticated and/or authorized. The authentication and authorization logic in the network element can invoke extension authentication and authorization methods that may be provisioned after the network element is deployed in a networked system.
30 Claims
1. A data processing apparatus, comprising:
- a plurality of network interfaces that are coupled to a data network for receiving one or more packets therefrom and sending one or more packets thereto;
- one or more processors;
- a switching system coupled to the one or more processors and packet forwarding logic, wherein the switching system and packet forwarding logic are configured to receive packets on a first network interface, determine a second network interface on which to send the packets, and to send the packets on the second network interface;
- a non-transitory computer-readable storage medium having stored thereon a plurality of authentication methods and a policy that associates the authentication methods with respective message types, and a plurality of user credential location definitions that specify locations of user credentials for various types of application messages;
- authentication and authorization logic comprising one or more stored sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform:
  - receiving, by the data processing apparatus, one or more packets containing an application message of OSI layer 5 or above, wherein the application message comprises one or more user credential elements and wherein the one or more packets containing the application message are addressed to an endpoint device other than the data processing apparatus;
  - determining a particular type of the application message;
  - identifying one or more user credential elements in the application message;
  - selecting, based on the policy and the particular type of the application message, a particular authentication method, and validating the application message using the one or more user credential elements and the particular authentication method;
- wherein identifying the one or more user credential elements includes selecting a particular user credential location definition and performing the identifying based on the particular user credential location definition;
- wherein the data processing apparatus is a router forwarding data packets below OSI layer 5.

Dependent claims 2 through 11 depend on claim 1.

12. A machine-implemented method, comprising:
- receiving, by a data processing apparatus, one or more packets containing an application message of OSI layer 5 or above, wherein the application message comprises one or more user credential elements and wherein the one or more packets are addressed to an endpoint device other than the data processing apparatus;
- determining a particular type of the application message;
- identifying one or more user credential elements in the application message;
- selecting, based on a policy and the particular type of the application message, a particular authentication method, wherein the policy associates a plurality of authentication methods with respective message types; and
- validating the application message using the one or more user credential elements and the particular authentication method;
- wherein identifying the one or more user credential elements includes selecting a particular user credential location definition and performing the identifying based on the particular user credential location definition, and wherein the particular user credential location definition specifies locations of user credentials for various types of application messages;
- wherein the data processing apparatus is a router forwarding data packets below OSI layer 5;
- wherein the machine-implemented method is performed by one or more computing devices comprising at least one processor.

Dependent claims 13 through 21 depend on claim 12.

22. A computer-readable storage device carrying one or more sequences of instructions, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- receiving, by a data processing apparatus, one or more packets containing an application message of OSI layer 5 or above, wherein the application message comprises one or more user credential elements and wherein the one or more packets are addressed to an endpoint device other than the data processing apparatus;
- determining a particular type of the application message;
- identifying one or more user credential elements in the application message;
- selecting, based on the policy and the particular type of the application message, a particular authentication method; and
- validating the application message using the one or more user credential elements and the particular authentication method;
- wherein identifying the one or more user credential elements includes selecting a particular user credential location definition and performing the identifying based on the particular user credential location definition, and wherein the particular user credential location definition specifies locations of user credentials for various types of application messages;
- wherein the data processing apparatus is a router forwarding data packets below OSI layer 5.

23. A data processing apparatus, comprising:
- a plurality of network interfaces that are coupled to a data network for receiving one or more packets therefrom and sending one or more packets thereto;
- one or more processors;
- a switching system coupled to the one or more processors and packet forwarding logic, wherein the switching system and packet forwarding logic are configured to receive packets on a first network interface, determine a second network interface on which to send the packets, and to send the packets on the second network interface;
- a non-transitory computer-readable storage medium having stored thereon a plurality of authentication methods and a policy that associates the authentication methods with respective message types, and a plurality of user credential location definitions that specify locations of user credentials for various types of application messages;
- means for receiving, by the data processing apparatus, one or more packets containing an application message of OSI layer 5 or above, wherein the application message comprises one or more user credential elements and wherein the one or more packets containing the application message are addressed to an endpoint device other than the data processing apparatus;
- means for determining a particular type of the application message;
- means for identifying one or more user credential elements in the application message;
- means for selecting, based on the policy and the particular type of the application message, a particular authentication method; and
- means for validating the application message using the one or more user credential elements and the particular authentication method;
- wherein the means for identifying the one or more user credential elements includes selecting a particular user credential location definition and performing the identifying based on the particular user credential location definition;
- wherein the data processing apparatus is a router forwarding data packets below OSI layer 5.

Dependent claims 24 through 30 depend on claim 23.
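The pipeline the independent claims describe (classify the transit application message, pick the credential location definition for that type, pick the authentication method the policy maps to that type, validate, then forward or drop) as an added Python illustration. This is not code from the patent or its assignee; the message types, credential locations, user store and policy table are constructed for the example.

```python
import base64, hashlib, hmac, json

# Constructed user store: username -> salted SHA-256 of the password.
SALT = b"constructed-salt"
USERS = {"alice": hashlib.sha256(SALT + b"s3cret").hexdigest()}

def _password_ok(user, password):
    digest = hashlib.sha256(SALT + password.encode()).hexdigest()
    return hmac.compare_digest(USERS.get(user, ""), digest)  # constant time

def http_basic(cred):  # authentication method for HTTP Basic credentials
    try:
        user, _, pw = base64.b64decode(cred).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return _password_ok(user, pw)

def json_userpass(cred):  # authentication method for JSON user/password fields
    return _password_ok(cred.get("user", ""), cred.get("password", ""))

def http_location(msg):  # location definition: the Authorization header
    for line in msg.split("\r\n")[1:]:
        name, _, value = line.partition(": ")
        if name.lower() == "authorization" and value.startswith("Basic "):
            return value[6:]
    return None

def json_location(msg):  # location definition: the top-level 'auth' object
    try:
        auth = json.loads(msg).get("auth")
    except (ValueError, AttributeError):
        return None
    return auth if isinstance(auth, dict) else None

# Policy (type -> method) and location definitions (type -> locator). Adding a
# POLICY entry is the extension method the abstract says can be provisioned later.
POLICY = {"http": http_basic, "json": json_userpass}
LOCATIONS = {"http": http_location, "json": json_location}

def classify(msg):  # determine the application-message type from leading bytes
    if msg.startswith(("GET ", "POST ")):
        return "http"
    return "json" if msg.lstrip().startswith("{") else None

def inspect(msg):  # decide whether the router forwards a transit message
    kind = classify(msg)
    if kind not in POLICY or kind not in LOCATIONS:
        return "drop"                       # no policy for this message type
    cred = LOCATIONS[kind](msg)             # identify the credential elements
    return "forward" if cred is not None and POLICY[kind](cred) else "drop"
```

A message whose type has no policy entry, whose credential is missing, or whose credential fails its method is dropped before it reaches the endpoint; only a message that passes is forwarded.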