Network access authentication system

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate


Details

C713S152000, C713S152000, C713S183000, C713S184000, C713S182000

Reexamination Certificate

active

06539482

ABSTRACT:

Priority is hereby claimed to EP Patent Application No. 98410038.8 entitled “Network Access Authentication System”, filed Apr. 10, 1998.
FIELD OF THE INVENTION
The present invention relates to an authentication system for users which may access a network locally or remotely.
DISCUSSION OF THE RELATED ART
FIG. 1 illustrates an exemplary network. The network includes a network server 10 having a mass storage device 10-1 and several local clients 12 connected to each other and to server 10 through a network line 14, such as an Ethernet link.
The network may also include a Network Access Server (NAS) 16 connected to link 14, that allows remote clients 18 to connect to the network, for example through a modem and a telephone line. In this manner, users may access their business network from home.
In order to have access to a network, a user must first be authenticated, i.e. he must provide a user identifier and a password which must match authentication data previously created for the user by the network administrator. Such data is usually stored in a user data file on the network server 10.
Usual network transport protocols, such as TCP/IP, are not specifically intended for authentication. Therefore, specific protocols are used on top of the transport protocols, some of which are dedicated to authentication and some others, although not dedicated, may be used for authentication. The non-dedicated protocols (such as NIS), which may convey passwords as clear text, are often used on small local area networks (LAN) where strong security is not an issue. If more security is needed, dedicated authentication protocols, such as RADIUS (Remote Authentication Dial In User Service) or TACACS, are used.
With the RADIUS protocol, a NAS operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the response which is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user.
A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.
Transactions between the client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server, to eliminate the possibility that someone snooping on an unsecure network could determine a user's password.
The RADIUS server can support a variety of methods to authenticate a user. When it is provided with the user name and original password given by the user, it can support PPP PAP or CHAP, UNIX login, and other authentication mechanisms.
All transactions are comprised of variable length Attribute-Length-Value 3-tuples. New attribute values can be added without disturbing existing implementations of the protocol.
TACACS is an industry standard specification that forwards user name and password information to a centralized server. The centralized server can either be a TACACS database or a database like the UNIX password file with TACACS protocol support. For example, the UNIX server with TACACS passes requests to the UNIX database and sends accept or reject messages back to the access server. XTACACS is an extension of the TACACS protocol that authorizes connections with SLIP, enable, PPP (IP or IPX), ARA, EXEC, and Telnet.
The protocols mentioned in the present application and others are well documented in RFC (Request For Comments) papers available on Internet at:
www.nexor.com/public/rfc/index/rfc.html.
In particular, the RADIUS and TACACS protocols are documented in RFC papers 1492, 2058 and 2138 which are incorporated herein by reference.
All these protocols require different user data files. As a consequence, in a large network where many protocols coexist, a user may have data stored in several different files scattered on the network. This makes the network administration complex, since the administrator will have to update several files each time he creates a user or modifies the data of an existing user. There may even be several administrators in charge of different services. Unless these administrators attempt to synchronize with each other, the user ends up with several user identifiers and passwords which will be difficult to remember.
For improving the security of a network providing remote access, it is usually recommended to use at least two different passwords, one for remote access and the other for local access.
SUMMARY OF THE INVENTION
An object of the invention is to provide an authentication procedure which allows a centralized administration of user data without creating security breaches in networks providing remote access.
This object and others are achieved by an authentication system including a directory service containing a remote access password and a standard access password for each user of the network, using an authentication protocol that provides information on whether a user is accessing the network locally or remotely, and including a front-end between the directory service and the authentication protocol. The front-end receives a user identifier and a user password entered by a user through the authentication protocol, and retrieves from the directory service the remote access password and the standard access password corresponding to the user identifier. If the authentication protocol indicates a remote access, the front-end compares the user password to the remote access password, else it compares the user password to the standard access password. Access to the network is granted if the comparison is successful.
The directory service may additionally contain a remote access password enable flag for each user of the network. In this case, if the authentication protocol indicates a remote access corresponding to the remote access enable flag and the remote access enable flag has an active state, the front-end compares the user password to the remote access password, else it compares the user password to the standard access password. Access to the network is granted if the comparison is successful.
According to an embodiment of the invention, the front-end behaves as a client for a protocol used by the directory service and as a server for the authentication protocol, and exchanges information between the authentication protocol and the directory service protocol using a protocol attribute translation table.
According to an embodiment of the invention, several authentication protocols are used on the network and one front-end is provided for each authentication protocol.
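The front-end's decision rule from the summary (standard password, remote access password, remote access enable flag, and a protocol attribute translation table that maps each authentication protocol's notion of "remote" onto the directory's single flag), as an added example that is not the patent's own code. The directory entries are constructed, passwords are assumed to be stored hashed, and which RADIUS or TACACS attribute conveys the access type is an assumption (the patent does not say).

```python
# Added example (not from the patent): the front-end's password selection.
# Directory entries are constructed; hashing and the attribute choices are assumptions.
import hashlib
import hmac

def _h(pw: str) -> str:
    # Stand-in for the directory's stored password form (assumed hashed).
    return hashlib.sha256(pw.encode()).hexdigest()

# Constructed directory service records: standard password, remote access
# password and the remote access enable flag, one record per user.
DIRECTORY = {
    "alice": {"standard": _h("alice-lan"), "remote": _h("alice-dialin"), "remote_enabled": True},
    "bob":   {"standard": _h("bob-lan"),   "remote": _h("bob-dialin"),   "remote_enabled": False},
}

# Protocol attribute translation table: each authentication protocol's way of
# signalling "remote" is mapped onto the one flag the directory side uses.
# RADIUS NAS-Port-Type values follow RFC 2138 (0 Async .. 4 ISDN Async V.110
# are dial-in types, 15 is Ethernet); the TACACS "access" key is an assumption.
REMOTE_PORT_TYPES = {0, 1, 2, 3, 4}

def is_remote_access(protocol: str, attrs: dict) -> bool:
    if protocol == "radius":
        return attrs.get("NAS-Port-Type") in REMOTE_PORT_TYPES
    if protocol == "tacacs":
        return attrs.get("access") == "remote"
    raise ValueError(f"no translation entry for protocol {protocol!r}")

_DUMMY = _h("")  # compared against for unknown users so timing stays uniform

def authenticate(protocol: str, attrs: dict, user: str, password: str) -> bool:
    """Return True if access is granted under the patent's decision rule."""
    entry = DIRECTORY.get(user)
    if entry is None:
        hmac.compare_digest(_DUMMY, _h(password))
        return False
    # Remote access with the flag active selects the remote access password;
    # every other case (local access, or flag inactive) selects the standard one.
    if is_remote_access(protocol, attrs) and entry["remote_enabled"]:
        expected = entry["remote"]
    else:
        expected = entry["standard"]
    return hmac.compare_digest(expected, _h(password))
```

Note that with the flag inactive (bob), a dial-in request is checked against the standard password, exactly as the summary states; the flag is what lets an administrator require the separate remote password per user.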


