Internetwork authentication

US 9,473,484 B2
Filed: 08/06/2015
Issued: 10/18/2016
Est. Priority Date: 08/30/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a request for a policy-based identity routing service for a first network;

providing a local authoritative user datastore interface (LAUDI) to a network device of the first network;

obtaining a set of rules for identity routing to the first network;

establishing a connection with the LAUDI on the network device of the first network;

filtering authentication requests received from at least one other network, including a second network, to resolve the authentication requests with either on-network or off-network authentication;

wherein a successful authentication result, from the LAUDI, for a station associated with the second network, is indicative of the station being allowed access to services on the second network including services provided by the first network and the set of rules for identity routing to the first network are used, at least in part, in providing the services on the second network.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for network authentication interoperability involves initiating an authentication procedure on a first network, authenticating on a second network, and allowing access at the first network. The technique can include filtering access to a network, thereby restricting access to users with acceptable credentials. Offering a service that incorporates these techniques can enable incorporation of the techniques into an existing system with minimal impact to network configuration.

41 Citations

18 Claims

1. A method comprising:
- receiving a request for a policy-based identity routing service for a first network;
  
  providing a local authoritative user datastore interface (LAUDI) to a network device of the first network;
  
  obtaining a set of rules for identity routing to the first network;
  
  establishing a connection with the LAUDI on the network device of the first network;
  
  filtering authentication requests received from at least one other network, including a second network, to resolve the authentication requests with either on-network or off-network authentication;
  
  wherein a successful authentication result, from the LAUDI, for a station associated with the second network, is indicative of the station being allowed access to services on the second network including services provided by the first network and the set of rules for identity routing to the first network are used, at least in part, in providing the services on the second network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the LAUDI is provided to the network device of the first network through download.
  - 3. The method of claim 1, wherein the LAUDI is preinstalled on the network device of the first network.
  - 4. The method of claim 1, wherein the set of rules for identity routing to the first network are provided by an agent of the first network.
  - 5. The method of claim 1, wherein the rules for identity routing to the first network include filter rules used in filtering the authentication requests received from the at least one other network, including the second network.
  - 6. The method of claim 1, further comprising:
    - receiving an authentication request from the second network for the station;
      
      routing the authentication request based on a rule of the set of rules to the LAUDI;
      
      receiving an authentication result from the LAUDI;
      
      sending the authentication result to the second network;
      
      wherein if the authentication result is the successful authentication result, then the station being allowed access to the services on the second network.
  - 7. The method of claim 1, wherein the connection between the LAUDI and the network device is a persistent connection.
  - 8. The method of claim 1, wherein the connection between the LAUDI and the network device is established using transport layer security.
  - 9. The method of claim 1, further comprising obtaining a set of rules for filtering and identity routing to the first network, wherein the successful authentication result is indicative of station credentials sufficient to avoid filtering an authentication request associated with the station in accordance with the filtering rules and sufficient to permit routing the authentication request to the first network in accordance with the identity routing rules.

10. A system comprising:
- a local authoritative user datastore interface (LAUDI) provided to a network device of a first network;
  
  an online authentication proxy comprising a processor and memory storing instructions configured to;
  
  receive a request for a policy-based identity routing service for the first network;
  
  obtain a set of rules for identity routing to the first network;
  
  establish a connection with the LAUDI on the network device of the first network;
  
  filter authentication requests received from at least one other network, including a second network, to resolve the authentication requests with either on-network or off-network authentication;
  
  wherein a successful authentication result, from the LAUDI, for a station associated with the second network, is indicative of the station being allowed access to services on the second network including services provided by the first network and the set of rules for identity routing to the first network are used, at least in part, in providing the services on the second network.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the LAUDI is provided to the network device of the first network through download.
  - 12. The system of claim 10, wherein the LAUDI is preinstalled on the network device of the first network.
  - 13. The system of claim 10, wherein the set of rules for identity routing to the first network are provided by an agent of the first network.
  - 14. The system of claim 10, wherein the rules for identity routing to the first network include filter rules used in filtering the authentication requests received from the at least one other network, including the second network.
  - 15. The system of claim 10, wherein the online authentication proxy is further configured to:
    - receive an authentication request from the second network for the station;
      
      route the authentication request based on a rule of the set of rules to the LAUDI;
      
      receive an authentication result from the LAUDI;
      
      send the authentication result to the second network;
      
      wherein if the authentication result is the successful authentication result, then the station being allowed access to the services on the second network.
  - 16. The system of claim 10, wherein the connection between the LAUDI and the network device is a persistent connection.
  - 17. The system of claim 10, wherein the connection between the LAUDI and the network device is established using transport layer security.
  - 18. The system of claim 10, wherein the online authentication proxy is further configured to obtain a set of rules for filtering and identity routing to the first network, wherein the successful authentication result is indicative of station credentials sufficient to avoid filtering an authentication request associated with the station in accordance with the filtering rules and sufficient to permit routing the authentication request to the first network in accordance with the identity routing rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
Aerohive Networks Incorporated (Extreme Networks, Inc.)
Inventors
Sakura, Kenshin, Gast, Matthew Stuart, Fu, Long
Primary Examiner(s)
CHANG, KENNETH W

Application Number

US14/820,251
Publication Number

US 20150350183A1
Time in Patent Office

439 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0884   by delegation of authentica...

H04L 63/0892   by using authentication-aut...

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04W 12/069   using certificates or pre-s...

Internetwork authentication

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

41 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Internetwork authentication

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links