Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-12-02
2001-06-26
Heckler, Thomas M. (Department: 2182)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
Reexamination Certificate
active
06253327
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to a method and apparatus for providing simplified access to subscribers of a differentiated computer network. More particularly, the present invention relates to a method and apparatus for single step network logon based on a point to point communication link between the host computer and a server capable of providing both public domain connections and private service domain connections.
2. The Background
In order for a user to access a computer network, such as the Internet or a private Intranet, the user must generally first dial in or otherwise connect to a Network Access Server, or NAS. In most instances, NASs are maintained by Internet Service Providers (ISPs) or Telephone Companies (TelCos) and are located at Network Access Points (NAPs). The NAS serves as the gate between the network and the user. As a threshold matter, the NAS must authenticate the identity of the user/subscriber in order to ascertain the nature and scope of the services that it will provide to the subscriber. This authentication process is of heightened importance when the network is differentiated into public areas, such as the Internet, that are generally accessible to all subscribers and private areas, such as a business's Intranet, that are accessible only to authorized subscribers.
The authentication procedure generally involves another server, herein referred to as an Authentication, Authorization and Accounting Server, or AAA Server. The NAS is a client of the AAA Server and, accordingly, the AAA server has the capability to serve numerous client NASs simultaneously. The NAS and AAA server communicate with one another according to a standard Internet protocol, such as the Remote Authentication Dial-In User Service (RADIUS) protocol. The RADIUS Protocol is well known by those of ordinary skill in the art.
FIG. 1 is a schematic diagram of the computer network environment 10 involved in a standard subscriber logon process. In most instances, the subscriber 12 begins a session on the network by first launching a dial-in application on a personal computer or host 14. The dial-in application prompts the subscriber 12 to enter some form of user identification, commonly a user-name and a private password. Such information may also be stored in the host's memory and automatically provided by the host 14. Once the necessary information is provided, the dial-in application contacts a NAS 16, typically via modem 18 and telephone line 20, and provides NAS 16 with the identification information supplied by the subscriber 12 or host 14. The private password data is customarily encrypted using methods well-known by those of ordinary skill in the art. The NAS 16 then prepares and sends an “access request” packet to AAA server 22. The access request packet contains the data supplied by the host 14, as well as additional data identifying the particular NAS 16 client from which the packet was sent.
The AAA server 22 contains a large database 24 of stored information pertaining to the accounts of each subscriber, including user-names, encrypted passwords and configuration information related to the types of services that are authorized to be provided to the subscriber. When AAA server 22 receives an access request packet from an authorized NAS 16 client, it consults the corresponding database 24 of user profiles to locate the account entry for the subscriber 12 identified by the information contained in the access request packet. The account entry will often specify certain requirements that must be met in order for the subscriber 12 to gain access to the network 10, including information on the clients and ports throughout the network that the subscriber 12 is allowed to access. A paramount requirement is that the password entered by the user match the password specified in the account entry on the AAA database 24. If the passwords match, and all other requirements are met, then AAA server 22 sends NAS 16 an “access accept” packet in response. The access accept packet contains configuration data that enables NAS 16 to provide the desired service to the subscriber 12. Once access is granted to the subscriber 12, a connection to the network, in this instance the Internet 26, can be established.
If any requirement is not met, for example, if the passwords do not match, then AAA server 22 responds with an “access-reject” packet indicating that the user request is invalid. The access-reject packet may also contain text messages that may be delivered to the subscriber 12 via NAS 16. As an alternate option, even if all requirements are met, AAA server 22 may still deny immediate access to the user and instead issue an “access-challenge” packet that will effectively prompt the user for new or additional information before access is granted.
A complication of the scheme detailed in FIG. 1 arises when the network environment contains private areas whose access is regulated by an additional server or gateway device, herein referred to as a Service Selection Gateway, or SSG server.
FIG. 2 is a schematic diagram of the computer network environment 30 that includes a SSG server 32. Among many features of the SSG server 32, it serves to create multiple secure channels to private areas of the network for those subscribers authorized to use such private networks. In order to access the private domains, an authorized subscriber 34 must logon to the SSG server 32, as well as the corresponding NAS 36. The ability to access both the public domains and the private domains currently involves two separate logon procedures.
The dual logon procedure is initiated by the subscriber 34 launching on a host 38 the same dial-in application detailed in the discussion of FIG. 1. The subscriber 34 or host 38 will provide the necessary authorization and identification information. Once this information is provided, the dial-in application will contact NAS 36 and the information will be forwarded from the host 38 to NAS 36. The NAS 36 then communicates with AAA server 44 to authenticate and authorize public access to the subscriber 34. Once this process is completed, the user must launch a separate and largely redundant “dashboard” application on the host 38 in order to gain access to the private domains gated by the SSG server 32. The subscriber 34 is again prompted by the dashboard application to input identification information. Once the necessary information is provided, the dashboard application contacts the SSG server 32 and provides the SSG server 32 with the subscriber supplied identification information. In much the same fashion as NAS 36 does, the SSG server 32 prepares and sends an “access request” packet to AAA server 44. In this illustration AAA server 44 and the corresponding database 46 are the same AAA server 44 and database with which NAS 36 communicated. It is also possible to have individual AAA servers and/or databases in communication with NAS 36 and SSG server 32. Once AAA server 44 receives the access request packet from SSG server 32, it consults the corresponding database 46 to locate the service entry for the subscriber 34 identified by the information contained in the access request packet. If the passwords match, and all other requirements are met, then AAA server 44 sends SSG server 32 an “access accept” packet in response. Once access is granted to the subscriber 12, the subscriber is permitted to make connections with both public domains 48 and private domains 50.
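The single-step NAS logon of FIG. 1 and the dual NAS/SSG logon of FIG. 2 modelled in Python, as an added example that is not part of the patent and not code from Cisco or any RADIUS implementation. The "well-known" password encryption the text refers to is taken here to be the User-Password hiding of RFC 2865 section 5.2 (an assumption; the page itself does not name the method), and the AAA server is a toy that answers each access request with accept, reject or challenge. Client ids, shared secrets, account names and passwords are constructed sample values; the client ids echo the reference numerals in the figure.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding for PAP passwords.

    The password is NUL-padded to a multiple of 16 octets (at least one block).
    Each block is XORed with MD5(secret + previous ciphertext block); the first
    "previous block" is the 16-octet Request Authenticator. This is obfuscation
    keyed by the client/server shared secret, not authenticated encryption.
    """
    if len(password) > 128 or len(authenticator) != 16:
        raise ValueError("password must be <= 128 octets, authenticator exactly 16")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password. Trailing NUL padding is stripped,
    so a password that itself ends in NUL octets cannot be recovered."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


@dataclass(frozen=True)
class Account:
    password: bytes                  # a real AAA database keeps this encrypted at rest
    services: FrozenSet[str]         # domains the subscriber is authorized to use
    challenge_answer: Optional[bytes] = None   # set when extra proof is demanded


@dataclass(frozen=True)
class AccessRequest:
    client_id: str                   # identifies the NAS or SSG client that sent it
    authenticator: bytes             # 16 random octets chosen by that client
    username: str
    hidden_password: bytes
    service: str                     # "public" or "private" in this model
    challenge_response: Optional[bytes] = None


class AAAServer:
    """One AAA server serving several clients, each known by id and shared secret."""

    def __init__(self, clients: Dict[str, bytes], accounts: Dict[str, Account]):
        self.clients, self.accounts = clients, accounts

    def handle(self, req: AccessRequest) -> Tuple[str, str]:
        secret = self.clients.get(req.client_id)
        if secret is None:
            return "Discard", "unknown client"   # RFC 2865: silently discarded
        account = self.accounts.get(req.username)
        password = reveal_password(req.hidden_password, secret, req.authenticator)
        # One uniform reason for unknown user and wrong password, so the reply
        # text delivered to the subscriber does not reveal which accounts exist.
        if account is None or not hmac.compare_digest(password, account.password):
            return "Access-Reject", "invalid credentials"
        if req.service not in account.services:
            return "Access-Reject", "service not authorized for this account"
        if account.challenge_answer is not None:
            if req.challenge_response is None:
                return "Access-Challenge", "additional information required"
            if not hmac.compare_digest(req.challenge_response, account.challenge_answer):
                return "Access-Reject", "invalid credentials"
        return "Access-Accept", "configure %s service" % req.service


def build_request(client: Tuple[str, bytes], username: str, password: bytes,
                  service: str, challenge_response: Optional[bytes] = None) -> AccessRequest:
    """What a NAS or SSG client does with the host-supplied identification data."""
    client_id, secret = client
    authenticator = os.urandom(16)
    return AccessRequest(client_id, authenticator, username,
                         hide_password(password, secret, authenticator),
                         service, challenge_response)


def dual_logon(aaa: AAAServer, nas: Tuple[str, bytes], ssg: Tuple[str, bytes],
               username: str, password: bytes) -> List[str]:
    """FIG. 2 sequence: the NAS authenticates public access first, and only
    then does the dashboard step resubmit the credentials through the SSG."""
    codes = [aaa.handle(build_request(nas, username, password, "public"))[0]]
    if codes[0] == "Access-Accept":
        codes.append(aaa.handle(build_request(ssg, username, password, "private"))[0])
    return codes


# Constructed sample data (not from the patent).
NAS, SSG = ("nas-36", b"nas-shared-secret"), ("ssg-32", b"ssg-shared-secret")
AAA = AAAServer(
    clients=dict([NAS, SSG]),
    accounts={
        "alice": Account(b"correct horse", frozenset({"public", "private"})),
        "bob": Account(b"battery staple", frozenset({"public"})),
        "carol": Account(b"s3cret", frozenset({"public", "private"}), b"493817"),
    },
)

if __name__ == "__main__":
    for user, pw in [("alice", b"correct horse"), ("bob", b"battery staple"),
                     ("alice", b"wrong"), ("carol", b"s3cret")]:
        print(user, dual_logon(AAA, NAS, SSG, user, pw))
```

Running the block shows alice accepted by both the NAS and the SSG, bob accepted for public access but rejected for the private domain, a wrong password stopping at the first step, and carol receiving an access-challenge until the additional credential is supplied. The password hiding illustrates why the NAS-to-AAA shared secret matters: anyone holding it can invert the obfuscation, which is why real deployments protect that secret and keep the AAA database encrypted as the text describes.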
The need for this two-step logon process is dictated by how the IP address is assigned. It would not be sufficient to simply pass the identification information from NAS 36 to SSG server 32 because SSG server 32 is incapable of sending information from the private domains without access to the dynamically assigned IP address of the subscriber. From the subscriber's perspective this
Lou Shuxian
Zhang Shujin
Cisco Technology Inc.
Heckler Thomas M.
Thelen Reid & Priest LLP