Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-06-19
2001-04-17
Iqbal, Nadeem (Department: 2184)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
Reexamination Certificate
active
06219790
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates generally to authentication, authorization and accounting systems, and more particularly to a centralized general purpose authentication, authorization and accounting server with support for multiple authentication transport protocols and multiple client types.
2. Related Art
Security is a major and continuing concern for managers and administrators of computer networks. For financial and security reasons, it is vitally important that only authorized users have access to the network. Additionally, access must be controlled so that users can only connect to systems and services in which they are entitled. For tracking and billing purposes, it is important to document the time users are logged onto the network and the services that are used. Finally, there is often a need to limit the number of times a user can simultaneously log onto the network.
Conventionally, each type of client provides a unique form of security for guarding against unauthorized break-ins and for controlling user access. For example, UNIX-type operating systems generally provide a user identification (UserID) and password scheme for authenticating pre-authorized users. Such systems also provide the ability to assign specific access rights for each user that is authorized to access the system Generally, data associated with pre-authorized users and their corresponding access rights are stored in a database on each client.
Other types of clients provide similar types of security measures using some form of a User ID and/or Password for authentication purposes. Sometimes encryption schemes are used to increase the level of security. Each client also provides an authorization mechanism to control user access to specific systems and services. Generally, each client maintains a separate database to store the user authentication and authorization information.
Generally, modem computer networks employ a variety of client types and have multiple points of access. For these networks it can be very difficult to manage, maintain and update user authentication and authorization information because such information is distributed among separate databases in a variety of clients. In addition, valuable storage resources are wasted because user data must be duplicated among the different client databases. This problem is multiplied when large networks with many points of access are implemented.
One solution to this problem is the use of distributed security servers. An example of a distributed security server is the Remote Authentication Dial-In User Service (RADIUS), provided by Livingston Enterprises, Inc. of Pleasonton California. Distributed security servers create a single centralized location for user authentication and authorization data. In this fashion, all user data is stored in a single location to facilitate the task of maintaining and updating user data. Further, by having all the data in one location, storage space is preserved because there is no need to duplicate user data on multiple machines.
Conventional distributed security servers are problematic in that they are designed to work with particular types of hardware and particular types of operating systems (i.e. client types). In addition, conventional security servers generally support a specific authentication transport protocol. Examples of authentication transport protocols in use today are: RADIUS transport protocol, provided by Livingston Enterprises, Inc.; Network Information Service (NIS), provided by SUN Microsystems Inc.; Kerberos, provided by the Massachusetts Institute of Technology; Microsoft Domain System (MDS), provided by Microsoft, Inc.; and AppleTalk by Apple Computer, Inc.
For many large computer networks, a variety of authentication transport protocols may be in use. For these networks, conventional security servers are inadequate to handle the different types of authentication transport protocols being used by clients on the network. Thus, multiple security servers must be used, or client software must be altered to support the authentication transport protocol being supported by the particular security server being used. The latter solution may not be possible for some client types. For example, it may not be possible to support Kerberos on a Macintosh computer system.
Additionally, conventional security systems typically only support specific types of operating systems. Examples of different operating systems include UNIX operating systems, Microsoft operating systems (Windows 95, Windows N/T and DOS) and Macintosh operating systems. For these networks, conventional security servers are inadequate to handle the variety of operating systems being used.
Still further, conventional security servers typically support authentication and authorization functions, but not accounting functions. Generally, user data used by conventional security servers is stored in a propriety format. For these systems, separate accounting databases and accounting systems are typically maintained. This is a waste of resources because much of the same data is used by both accounting and security systems. Therefore, it would be desirable to maintain a single database for both the accounting information and the user authentication and authorization information.
Accordingly, what is needed is a distributed security system capable of supporting a variety of authentication transport protocols used by a variety of client types and is capable of supporting accounting functionality from the same database used to store user authentication and authorization information.
SUMMARY OF THE INVENTION
Accordingly, the present invention is directed toward an Authentication, Authorization and Accounting server (AAA server), that is capable of supporting a variety of authentication transport protocols from a variety of client types. The AAA server of the present invention includes a standard database management system (DBMS) that stores user authentication and authorization data in a standard format. Accounting information and reports are stored and derived from the same DBMS used for authenticating and authorizing user access.
The AAA server of the present invention comprises a plurality of authentication transport protocol modules (“support modules”). Support for specific authentication transport protocols is contained within each support module. Each support module is coupled to one or more clients that request access to the network using a particular authentication transport protocol corresponding with the associated support module. In this fashion, support for the AAA server of the present invention is transparent to the clients requesting access to the network.
Each support module is coupled with an Accounting and Authorization module (AA module). The AA module is coupled with the DBMS and performs authentication and authorization functions on behalf of the clients using a novel five phase process. The five phase process comprises the following phases: Augmentation; Selection; Authentication; Authorization and Confirmation.
During the Augmentation phase, client requests are translated into a standard internal format used by the AA module. The requests are parsed into a set of attribute/value pairs according to a parse rules table. An attribute/value pair is referred to as a tuple. A complete set of tuples associated with a particular client request is referred to as a tuple vector.
In the Selection phase, the AA module determines the details of the access request. In addition, a specific permit is extracted from a rules table. The permit is used later during the Authorization phase to be sure the particular user making the request is authorized to access the requested service. A rules table is used, wherein a particular row in the rules table is selected according to the attribute/value pairs from the Augmentation phase. The rules table provides the necessary details for the AA module to formulate a proper response to the client.
In the Authentication phase, the AA module determines if the
Lloyd Brian
McGregor Glenn
Iqbal Nadeem
Lucent Technologies - Inc.
LandOfFree
Centralized authentication, authorization and accounting... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Centralized authentication, authorization and accounting..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Centralized authentication, authorization and accounting... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2485748