US20010044893A1 - Distributed subscriber management system - Google Patents

Distributed subscriber management system

Info

Publication number: US20010044893A1
Authority: US (United States)
Prior art keywords: user, authentication, access, network, subscriber management
Legal status: Abandoned
Application number: US09/755,037
Inventor: Terry Skemer
Current Assignee: Tropic Networks Inc
Original Assignee: Tropic Networks Inc
Priority claimed from CA 2293989 (CA2293989A1)
Application filed by Tropic Networks Inc
Assigned to SEDONA NETWORKS CORPORATION (assignment of assignors' interest). Assignors: SKEMER, TERRY
Assigned to TROPIC NETWORKS INC. (assignment of assignors' interest). Assignors: ERNST & YOUNG, INC., IN ITS CAPACITY AS TRUSTEE IN BANKRUPTCY OF SEDONA NETWORKS CORP.
Assigned to SILICON VALLEY BANK, DBA: SILICON VALLEY EAST, GATX/MM VENTURE PARTNERS, TRANSAMERICA COMMERCIAL FINANCE CORPORATION, CANADA (security agreement). Assignors: TROPIC NETWORKS INC.
Publication of US20010044893A1
Assigned to TROPIC NETWORKS INC. (release). Assignors: SILICON VALLEY BANK
Priority to US11/514,852 (US7512784B2)
Priority to US12/132,583 (US7921457B2)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/2854 Wide area networks, e.g. public data networks
    • H04L12/2856 Access arrangements, e.g. Internet access
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/2854 Wide area networks, e.g. public data networks
    • H04L12/2856 Access arrangements, e.g. Internet access
    • H04L12/2869 Operational details of access network equipments
    • H04L12/287 Remote access server, e.g. BRAS
    • H04L12/2874 Processing of data for distribution to the subscribers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords

Definitions

  • This invention relates to the management of user access rights on networks, and is particularly concerned with the distribution of resources used to authenticate and authorize users while allowing for accounting activities on user access to provided facilities.
  • a user is challenged to provide access control information, such as user identification and password, by a system residing at the gateway between the two networks.
  • all of that user's packets can be discarded, or the user can be re-challenged to provide access control information.
  • This scheme is common in the art. Although this authorization scheme does succeed in preventing unauthorised access, it allows unauthorized traffic to fully traverse the first network before it is discarded. This generates unnecessary traffic which is transmitted over the first network, consuming precious bandwidth.
  • RADIUS Remote Authentication Dial-In User Service
  • RADIUS is a fully open protocol, distributed as source code, known in the art, which is a client/server system designed to prevent unauthorized access to networks.
  • RADIUS clients run on network devices and send authentication requests to a central RADIUS server that contains both user authentication information and network access rights.
  • RADIUS can be modified to work with any common security system.
  • Common implementations for RADIUS include networks with multiple vendor access servers such as an Internet Protocol (IP) based network, where dial-in users can be authenticated through a RADIUS server customized to work with the KERBEROS security system, a common security system on UNIX®-like computer networks.
  • IP Internet Protocol
  • PPP Point-to-Point Protocol
  • FTP File Transfer Protocol
  • RADIUS follows a client-server operational model.
  • a Network Access Server (NAS), Remote Access Server (RAS), or the like operates as a client of RADIUS.
  • the client is responsible for passing user information to designated RADIUS servers, and then acting on the response that is returned.
  • RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user.
  • a RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.
  • RADIUS is carried in UDP (Port number 1812 decimal) and IP data units. At times, the source IP address field in client requests is zero since the client may not yet have an address, in which case the RADIUS system will allocate an address to the user from a pool of unused network addresses.
  • REJECT The user is not authenticated and is prompted to re-enter the username and password, or access is denied
  • CHALLENGE A challenge is issued by the RADIUS server to collect additional data from the user
  • CHANGE PASSWORD A request is issued by the RADIUS server, asking the user to select a new password
  • RADIUS authentication must be performed before RADIUS authorization.
  • the ACCEPT or REJECT response contains additional data that is used for EXEC or network authorization.
  • the additional data included with the ACCEPT or REJECT packets consists of services that the user can access, including Telnet, rlogin, PPP, FTP, EXEC services, or connection parameters, including the host or client IP address, access list, and user timeouts.
  • User IP addresses can be statically provisioned or dynamically assigned using RADIUS or the like.
  • In RADIUS, the ACCEPT or REJECT response contains the host or client IP address, access list, and user timeouts. Upon a user timeout, the user may be disconnected and, if dynamically assigned, the IP address is returned to a pool of available addresses.
  • BootP, DHCP, and TACACS+ can also be used to dynamically assign IP addresses to users but these protocols are less common than RADIUS.
  • a pool or group of addresses are pre-assigned by a network administrator and given out by the RADIUS server as users sign-on to the service provider.
  • a pool allows many clients to share a small number of IP addresses based on usage and contention patterns.
  • the Boot Protocol is a UDP-serviced protocol that can be IP-routed to a BootP address server. Through the BootP protocol, the server can do many functions including IP address assignment, bootstrapping, operating system loading, desktop configuration, and hardware/interface configuration. BootP does not completely replace RADIUS as a subscriber management protocol. Dynamic Host Configuration Protocol (DHCP) is a newer alternative to BootP and possesses all the capabilities of BootP. As a rule, any BootP relay Agent (e.g., in a router or gateway) will work with DHCP. As with BootP, DHCP does not completely replace RADIUS as a subscriber management protocol.
  • DHCP Dynamic Host Configuration Protocol
  • FIG. 1 An example of a known authentication scheme is depicted in FIG. 1.
  • different User Networks 5 are connected to an Access Network 4 , which in turn has a RADIUS client 3 at its egress edge.
  • This RADIUS client 3 serves to ensure that only data with the correct authorization is allowed to go to the various ISP hosted networks 2 a - 2 c. If a packet is not authorized it is discarded at the RADIUS client 3 .
  • the RADIUS client 3 forms a connection to the RADIUS server 1 attached to the target ISP network which the packet is trying to enter. After forming this connection to the RADIUS server 1 , the RADIUS client 3 can determine whether the user who initiated the packet transmission has authorization to transmit packets onto the target network.
  • the RADIUS client only controls access to the ISP hosted networks 2 a - 2 c, while not controlling access to the Access Network 4 , or between the User Networks 5 .
  • it is left to the administrators of the various User Networks 5 to ensure their own security and prevent admission of users from other User Networks 5 to systems to which those users should not have access.
  • AAA acts to verify the authorization of a packet to enter an external network prior to entry of the packet into the access network.
  • AAA also seeks to distribute the subscriber management features of the RADIUS client.
  • DSM Distributed subscriber management
  • DSM provides a more fault tolerant implementation than a single RADIUS client does.
  • an AAA client can only be attached to one User Network, since when multiple User Networks are connected to the same AAA client, one User Network, without challenge by the AAA system, could gain access to another User Network connected to the same AAA system.
  • An example of an implementation known in the art and using AAA is found in FIG. 2.
  • RADIUS Servers 1 are attached to ISP networks 2 a - 2 c, a multitude of such networks are, in turn, connected to an Access Network 4 .
  • the Access Network 4 connects to a multitude of User Networks 5 a - 5 c through AAA routed systems 6 .
  • Each User Network 5 a - 5 c has its own AAA routed system 6 thus preventing one User Network 5 a, 5 b, or 5 c from gaining access to another ISP User Network 5 a, 5 b, or 5 c.
  • the AAA system 6 is used to verify the authorization of the packets with the RADIUS Server 1 , and will discard any user packets that do not have the correct authorization. Unfortunately this requires a different AAA system 6 for each ISP User Network 5 a - 5 c that is connected to the Access Network 4 , which can greatly add to the cost of a network.
  • TACACS Terminal Access Controller Access Control System
  • Extended TACACS is an extension to the older TACACS protocol that provides information about protocol translator and router information that can be used in UNIX like systems for auditing trails and accounting files. Extended TACACS is also now considered to be obsolete.
  • TACACS+ is a recent protocol that provides detailed accounting information and flexible administrative control over authentication and authorization processes.
  • TACACS+ is facilitated through Authentication, Authorization and Accounting (AAA) and can be enabled only through AAA commands.
  • AAA Authentication, Authorization and Accounting
  • a full description of the implementation of TACACS+ can be found in a draft Request For Comment (RFC) 1492.
  • RFC Request For Comment
  • PPP is used to carry IP over dial configurations and supports both Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) as methods of password transfer.
  • PPP has been modified to support numerous always-on access technologies including PPP over ATM (PPPoA), PPP over Frame Relay (PPPoF), and PPP over Ethernet (PPPoE).
  • the present invention provides a DSM system and method that obviates or mitigates at least one disadvantage of previous systems and methods.
  • the present invention provides a DSM system and method that controls access to a network to prevent unauthorized traffic through the access network and provides centralized access control between user networks.
  • Other features of the invention can include providing a DSM system which allows set-up, maintenance, and tear-down of the user connection, allows users to choose their destination as opposed to tying a user to a single destination, and provides for the administration of the assignment and release of network addresses.
  • the DSM system of the invention preferably allows for at least one of several technologies including facilities for the enforcement of service levels as defined in Service Level Agreements, facilities for resource management and facilities for billing by a service provider through the collection of statistics and accounting data. Moreover, the system of the invention preferably alerts service providers of system problems through the use of alarm reporting.
  • the present invention provides a distributed subscriber management method.
  • This method allows a user network to perform user authentication for an external network at an access control node, such as an integrated access device, the external network being connected to the access control node by means of an access network.
  • the method includes a first step of receiving a data unit at an access control node that is connected to a plurality of user networks.
  • the second step is to determine whether the data unit requires authentication.
  • the third step is to authenticate the determined data unit.
  • the fourth step is to determine that the authenticated data unit is eligible for transmission.
  • the step of authenticating may include any combination of interrogating the user for access information, transmitting the access information to an authentication server on an external network, and transmitting an authentication message from the authentication server to the access control node.
  • Both the transmitting of the access information to an authentication server and the transmitting of an authentication message may be preceded by a step of encrypting the message, and then decrypting it after transmission.
  • the authentication server of the external network may optionally employ one of the following protocols: remote authentication dial-in user service (RADIUS), password authentication protocol (PAP), challenge handshake authentication protocol (CHAP), and terminal access controller access control system (TACACS).
  • the distributed subscriber management method of the first aspect of the present invention may also include the step of packet labelling the data units at the access control node.
  • the steps of examining the contents of the authentication message at the access control node; dropping the data unit if the contents indicate rejection; examining the authentication message for authenticity; and collecting statistical usage information at the access node may also be performed.
  • an integrated access device for placement between a user network and an external network, the external network having an access rights authentication server.
  • the integrated access device is comprised of a user network interface for operatively connecting to a plurality of user networks to receive data units from the plurality of user networks, an authentication agent, operatively connected to the user network interface for authenticating, authorising and forwarding data units received from the plurality of user networks and an external network interface, operatively connected to the authentication agent, for forwarding data units authorised by the authentication agent to an external network.
  • the user network interface includes a plurality of ingress cards and the external network interface includes an egress card.
  • the authentication agent may include a combination of a local authorisation table for authorising data units, network address assignment and release means, service level enforcing means, network resource management means, statistical usage collection means, and alarm monitoring means.
  • the authentication client includes a combination of a PAP client, a CHAP client, a TACACS client or a RADIUS client.
  • FIG. 1 is a schematic diagram of an authentication scheme known in the art
  • FIG. 2 is a schematic diagram of another authentication scheme known in the art
  • FIG. 3 is a schematic illustration of the presently preferred authorization system in accordance with the invention.
  • FIG. 4 is a schematic illustration of an application of the preferred DSM system of the invention in a mixed voice/data environment
  • FIG. 5 is an overview of a DSM method of the present invention
  • FIG. 6 is an overview of an authorization method used in conjunction with the present invention.
  • a Distributed Subscriber Management system and method which control access to a network, preventing unauthorized traffic through an access network and provide centralized access control between user networks.
  • the system in accordance with the invention provides controlled access through the use of one of several technologies including user authentication, using PAP, CHAP, RADIUS, TACACS, or other standard authentication means.
  • the preferred system allows set-up, maintenance, and tear-down of the user connection and allows users to choose their destination as opposed to tying a user to a single destination.
  • the system also preferably provides for the administration of the assignment and release of network addresses.
  • the invention also provides a Distributed Subscriber Management (DSM) method for performing user authentication for an external network at an access control node, the external network being connected to the access control node by means of an Access Network, while the access control node is connected to a plurality of User Networks.
  • the method can include the steps of receiving a connection request from a user located on one of the User Networks; interrogating the user for access control information such as user identification and password; optionally encrypting the userid and password information; transmitting the optionally encrypted information, via the Access network, to an authentication server attached to an external network; decrypting the information, if necessary, at the authentication server; and transmitting an authentication message from the authentication server of the external network to the access control node via the Access Network.
  • the preferred method includes the additional step of challenging all data leaving the access control node.
  • the authentication server of the external network normally employs one of Radius, PAP, CHAP, and TACACS. A more detailed description of the method of the present invention is provided later in a description of FIG. 5.
  • the location of the functionality is of importance so that traffic can be reduced by eliminating data units without sufficient permission before they travel to the external network gateway. It is a concept of the DSM method of the invention that the subscriber management functionality is located at an access control node at the user network edge of the access network. In the preferred embodiment, this functionality is provided by the Integrated Access Device (IAD).
  • IAD Integrated Access Device
  • the DSM method of the invention preferably takes the subscriber management functionality and distributes it across many IADs instead of centralizing it at the Service Provider.
  • DSM is a method of verifying that the user is authorized to use network resources or to access certain applications.
  • a user on a user network initiates a connection to a system on an external network, the user is challenged to provide access control information (name or user identification and password).
  • the authentication challenge can be one-time at session start-up, issued periodically, issued on a per data unit basis, or can be issued after session-timeout or interruption, at the discretion of the network administrators.
  • FIG. 3 depicts an exemplary network using the current invention.
  • a RADIUS Server 1 is connected through an ISP 2 a - 2 c to an Access Network 4 .
  • Internal to the IAD 7 is a RADIUS client 3 .
  • the IAD 7 is placed between the Access Network 4 and a plurality of User Networks 5 .
  • This allows the RADIUS Client 3 in the IAD 7 to authorize all packets leaving the User Networks 5 before they traverse the Access Network 4 .
  • all traffic leaving the IAD 7 is challenged for authorization, thus different User Networks 5 cannot inadvertently gain access to each other.
  • FIG. 4 depicts an exemplary embodiment of the invention being used in a mixed data/voice environment, where each of the different ISP networks require their own set of authorizations.
  • both Voice Networks 8 and ISP data networks 2 are connected to a Services Interworking Platform (SIP) 9 .
  • the ISP networks 2 transmit and receive data signals, while the voice networks 8 transmit and receive voice messages.
  • Each ISP network 2 has its own RADIUS Server 1 internal to the network.
  • the SIP 9 is connected to both the Voice Networks 8 and the ISP networks 2 and provides them access to the Access Network 4 .
  • the Access Network is connected to the IAD 7 , which has a plurality of RADIUS clients 3 internal to it.
  • the IAD 7 allows the Access Network 4 to communicate with the telephony networks 11 and the User Devices 10 .
  • the IAD's plurality of RADIUS Clients 3 each establish a client/server relationship with one of the RADIUS Servers 1 so that they may perform AAA services on the packets that arise from both the telephony networks 11 and the User Devices 10 . It should be noted for clarity that there need not be a direct relationship between the number of RADIUS clients 3 and the number of RADIUS servers 1 they connect to.
  • the RADIUS clients 3 need not be dedicated to a particular RADIUS server 1 unless so desired by a system architect or a network administrator.
  • the IAD 7 can be represented by three basic elements, a user network interface, an authentication agent, and an external network interface.
  • the user network interface is designed so that the IAD 7 can connect to the user networks 5 .
  • the external network interface connects to the external networks 2 a - 2 c through the access network 4 .
  • the authentication agent is responsible for the authorisation, authentication and forwarding of packets, and communicates with authentication servers.
  • Authentication servers authorise and authenticate access rights and user identity, and are typically represented by RADIUS servers.
  • the source Media Access Control (MAC) and/or IP address is verified in the IAD Forward Table against a list of authorized users. If authorized, the user data unit is marked by a data unit labelling system, sent across the access network to the egress edge and then forwarded to the destination provider. Session/interface states and statistics on session duration, number of packets/bytes sent/received and so on, can be collected by the IAD 7 and forwarded to the operator upon Command Line Interface (CLI) or Simple Network Management Protocol (SNMP) request.
  • CLI Command Line Interface
  • SNMP Simple Network Management Protocol
  • the IAD 7 challenges the user based on information received from the provider's RADIUS server 1 .
  • the user provides access control information to the IAD 7 , which is forwarded to the RADIUS server 1 .
  • the RADIUS server 1 will respond with an authentication message.
  • the user data is allowed to flow through the access network 4 and SIP 9 to the destination service provider 2 a - 2 c.
  • the flow between the IAD 7 and the service provider network 2 a - 2 c consists of pure data units, marked by a data unit labelling system, without any of the additional tunnel overhead incurred when using Point to Point Protocol over Ethernet (PPPoE) or Layer 2 Tunnelling Protocol (L2TP).
  • PPPoE Point to Point Protocol over Ethernet
  • L2TP Layer 2 Tunnelling Protocol
  • the IAD DSM module 7 is responsible for authentication, authorization and accounting as well as interacting with the user across the user dialogue protocol (e.g., PPPoE, L2TP, etc.). It processes access control information and builds a table of authorized user-to-Domain mappings which is consulted for each incoming packet.
  • the table can be at least partly constructed with information from the provider's RADIUS server 1 .
  • An efficient method of transport allows the reduction of data carried over the network starting at the user device 10 , flowing towards the IAD 7 and then on to the external network 2 a - 2 c through the access network 4 .
  • Methods known in the art include the numerous encapsulation choices for transporting user data including: IP over PPP over dial-up; IP over PPP over ISDN; IP over PPP over Ethernet (PPPoE); IP over PPP over Frame Relay (PPPoF); IP over PPP over ATM (PPPoA); IP over PPP over UDP/IP (L2TP); IP over PPP over IP (L2F); IP over PPP over IPSec (VPN); as well as any number of proprietary encapsulation techniques.
  • PPPoF IP over PPP over Frame Relay
  • PPPoA IP over PPP over ATM
  • L2TP IP over PPP over UDP/IP
  • L2F IP over PPP over IP
  • VPN IP over PPP over IPSec
  • public, or non-proprietary, methods share the use of PPP to carry subscriber management information. Traditionally these methods have been used to transport the user PPP session across the access network. This contributes significantly to the protocol overhead in the process and increases traffic across the Access Network.
  • the IAD 7 is charged with performing user authentication and communicates with the RADIUS server 1 , becoming in effect a RADIUS client 3 . If the IAD 7 supports multiple destination networks (i.e., multiple Virtual Private Networks), then multiple RADIUS clients 3 can be supported. The communication of authentication information across the access network 4 can be secured to avoid the discovery of user names and passwords through the use of snooping techniques. Thus, to provide a secure dialogue, security transactions between the IAD RADIUS client 3 and RADIUS server 1 are authenticated through the use of a shared secret code, which is never sent over the network. Access control information can be encrypted using industry standard encryption technologies, such as MD5, when sent between the client 3 and RADIUS server 1 , to eliminate the possibility of password compromise.
  • MD5 industry standard encryption technology
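The shared-secret mechanism described above is the one RADIUS (RFC 2865) actually uses: the User-Password attribute is hidden by XORing it with MD5(secret + Request Authenticator) in chained 16-byte blocks, and every reply carries a Response Authenticator, MD5 over the reply and the secret, that the client must recompute before trusting an ACCEPT or REJECT. The following is an added worked example, not code from the patent or from Tropic Networks; the shared secret and Request Authenticator values are constructed for the demonstration. It shows both directions of the password hiding and the client-side reply check a RADIUS client such as the IAD's would perform. Note that this hiding is keyed obfuscation with MD5, not an authenticated cipher, which is why the secret itself must never cross the access network and why the Response Authenticator check matters.

```python
import hashlib
import hmac
import struct

# Constructed values for the demonstration (not from the patent page).
SHARED_SECRET = b"constructed-shared-secret"   # configured on both ends, never transmitted
REQUEST_AUTHENTICATOR = bytes(range(16))        # would be 16 random bytes per request

ACCESS_ACCEPT = 2   # RADIUS packet codes from RFC 2865
ACCESS_REJECT = 3


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad the password to a multiple
    of 16 bytes, then XOR each block with MD5(secret + previous block), where the
    'previous block' for the first block is the Request Authenticator."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block          # chaining: the next mask depends on this hidden block
    return bytes(hidden)


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side reversal of hide_password(); trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return bytes(plain).rstrip(b"\x00")


def build_response(code: int, identifier: int, request_auth: bytes,
                   attributes: bytes, secret: bytes) -> bytes:
    """Build a RADIUS reply. The Response Authenticator (RFC 2865 section 3) is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    resp_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check before acting on a reply: recompute the Response
    Authenticator with the shared secret and compare in constant time. A reply
    forged or altered in transit by a party without the secret fails here."""
    if len(packet) < 20:
        return False
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    hidden = hide_password(b"s3cret", SHARED_SECRET, REQUEST_AUTHENTICATOR)
    print("hidden User-Password:", hidden.hex())
    print("recovered:", unhide_password(hidden, SHARED_SECRET, REQUEST_AUTHENTICATOR))
    reply = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTHENTICATOR, b"", SHARED_SECRET)
    print("reply verifies:", verify_response(reply, REQUEST_AUTHENTICATOR, SHARED_SECRET))
```

The `identifier` and Request Authenticator must be kept by the client per outstanding request, since the reply is verified against the authenticator of the request it answers; a client that accepts any well-formed reply without this check would act on forged responses.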
  • a data security system is preferably implemented so as to prevent these errant data units from being decoded.
  • Numerous techniques of data unit labelling can be applied to solve this so that data units that are not intended for a given network are never read by it.
  • a data unit labelling scheme that can render a data unit illegible to foreign devices while in transit across the access network, while at the same time introducing no overhead is presently preferred for use with this invention.
  • This data unit marking process must be undone at the egress edge of the access network 4 so that data units can be restored for delivery to the ISP or corporate router.
  • the method of the present invention is illustrated, in exemplary form, in FIG. 5.
  • the process starts in step 100 when an access node, such as the IAD, receives a data unit from a user network.
  • the access node examines the destination of the data unit and determines whether the access rights to the destination network need to be authenticated in step 102 . If no authentication is required, the data unit may be transmitted in step 108 . If authentication of access rights to the destination network is required, authentication of the access rights is obtained in step 104 . A detailed example of the authentication of access rights is provided in FIG. 6, and will be described later.
  • a determination of the authenticated access rights is made at step 106 . If the authentication failed then the data unit may be dropped in step 110 . If the authentication was successful the data unit is transmitted in step 108 , and the method returns to step 100 .
  • FIG. 6 illustrates an exemplary method of authentication that can be used in step 104 .
  • access control information is obtained in step 112 .
  • the access node checks a local cache or table of authenticated information in step 114 to see if the authentication can be provided locally. If the authentication can be provided locally then the locally provided authentication is forwarded to step 106 in step 116 .
  • the access node reduces latency times for data unit transit, and also reduces the amount of data that is transmitted over an access network to a remote authentication server.
  • access control information is transmitted to a remote authentication server in step 118 .
  • the remote authentication server transmits an authorization message to the access control node in step 120 .
  • the communications between the access control node and the remote authorization server can optionally be encrypted for security.
  • the information from either step 116 or step 120 is then provided to step 106 .
  • the locally stored information accessed in step 116 can be added to upon each communication with the remote authentication server.
  • the contents of this local resource can serve as a cache for the remote network.
  • the local information can optionally be given a timestamp or other information so that the remote server can have the access control node remove information when predetermined conditions are met. This allows the information in the access control node to expire after a period of inactivity for example.
  • the access control information obtained in step 112 can include user identification and password information, and can further include network address values. After an initial connection requiring user identification and password information for authorization, the access control node can assume that further data units from that network address are from the same user so long as the contents of the locally stored authentication information has not expired.
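The FIG. 5 and FIG. 6 flow above (receive a data unit, decide whether its destination needs authentication, try the local table first, otherwise query the remote server, then forward or drop) is shown below as an added worked example in Python. It is not code from the patent or from Tropic Networks; the remote server is a constructed in-memory stand-in, the protected destination names and user records are constructed, and the time-stamp expiry models the "expire after a period of inactivity" option. The example also shows the consequence of the address-based assumption in the last paragraph: once an address has been authenticated, further data units from it are forwarded without credentials until the entry expires.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed stand-ins (not from the patent): the provider's authentication
# server records and the destination networks that require access rights.
REMOTE_USER_DB = {"alice": "s3cret", "bob": "hunter2"}
PROTECTED_DESTINATIONS = {"isp-a", "isp-b"}


@dataclass
class DataUnit:
    src_addr: str                                  # user network address (MAC or IP)
    dst_network: str                               # destination network name
    credentials: Optional[Tuple[str, str]] = None  # (user id, password) if supplied


@dataclass
class AccessControlNode:
    """Access control node (e.g. an IAD) implementing the FIG. 5 / FIG. 6 flow."""
    cache_ttl: float = 300.0            # seconds of inactivity before an entry expires
    remote_queries: int = 0             # how often the remote server was consulted
    # local authorisation table: src_addr -> (user id, last-seen time)
    table: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def requires_authentication(self, unit: DataUnit) -> bool:
        # step 102: only destinations that demand access rights are challenged
        return unit.dst_network in PROTECTED_DESTINATIONS

    def local_lookup(self, unit: DataUnit, now: float) -> Optional[str]:
        # steps 114/116: an unexpired entry for this address authorises locally
        entry = self.table.get(unit.src_addr)
        if entry is None:
            return None
        user, last_seen = entry
        if now - last_seen > self.cache_ttl:
            del self.table[unit.src_addr]          # expired after inactivity
            return None
        self.table[unit.src_addr] = (user, now)    # refresh last-seen time
        return user

    def remote_authenticate(self, credentials: Tuple[str, str]) -> Optional[str]:
        # steps 118/120: consult the remote server (constructed stand-in)
        self.remote_queries += 1
        user, password = credentials
        expected = REMOTE_USER_DB.get(user)
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            return user
        return None

    def process(self, unit: DataUnit, now: float) -> str:
        """Return 'FORWARD' (step 108) or 'DROP' (step 110) for one data unit."""
        if not self.requires_authentication(unit):
            return "FORWARD"
        user = self.local_lookup(unit, now)
        if user is None:
            if unit.credentials is None:
                return "DROP"              # user must be challenged for credentials
            user = self.remote_authenticate(unit.credentials)
            if user is None:
                return "DROP"              # remote REJECT (step 106 -> 110)
            self.table[unit.src_addr] = (user, now)   # cache the remote ACCEPT
        return "FORWARD"


if __name__ == "__main__":
    node = AccessControlNode(cache_ttl=10.0)
    print(node.process(DataUnit("10.0.0.5", "isp-a"), 0.0))                          # DROP
    print(node.process(DataUnit("10.0.0.5", "isp-a", ("alice", "s3cret")), 1.0))     # FORWARD
    print(node.process(DataUnit("10.0.0.5", "isp-a"), 5.0), node.remote_queries)    # FORWARD 1
    print(node.process(DataUnit("10.0.0.5", "isp-a"), 30.0))                         # DROP (expired)
```

The expiry window is the security lever here: while an entry is live, any data unit carrying the cached source address is forwarded as that user, so the TTL bounds how long a reused or spoofed address rides on an earlier authentication, and a shorter window trades remote queries for a smaller exposure.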
  • the presently preferred embodiment of the invention as described so far can be considered both scalable and concentrated.
  • the IAD is connected to a number of user networks, and is thus able to serve a large number of individual users from a central location; this gives it concentration.
  • because the IAD serves a number of networks, it is possible to introduce a second IAD to a location and simply shift some of the networks from the first IAD to the second; this allows an IAD to be used until it is near capacity and then provides a simple scaling path to support more users.
  • a high concentration of users is considered important for the service provider to make a viable business case.
  • in today's world of cut-rate Internet access, service providers must groom many hundreds or thousands of subscribers onto one high-speed data stream.
  • the ISP or corporate router should not be troubled with managing these many user sessions while trying to route incoming data units at, say, DS3 (45 Mbps) or OC3 (155 Mbps) wire rate.
  • Scalability is a potential problem for products that perform subscriber management in a box located at the ISP end of the access network. This has been addressed with the present invention, where subscriber management is preferably distributed across multiple IADs 7 , each IAD 7 only having to manage at most one or two dozen subscribers. This means that if a given subscriber increases their load and requires more resources at the IAD 7 , it is possible to add or upgrade a single unit that affects a small part of the user base, as opposed to upgrading a centralized unit and inconveniencing all users of the system during the upgrade process. Conventional systems lack either the scalability or the concentration of the IAD. AAA systems need not be scaled in the same manner because they serve a single network, and are thus not concentrated.
  • subnet and mask information are tied to a Domain which appears as a logical RAS module. IP host numbers can then be dynamically assigned to users as they connect. Typically each user network connected to the IAD will have a different subnet address, so that requests that stay on the network are easily identified, and that requests destined for other networks are easily routed.
  • the subnet mask is a bit pattern, written in the same form as a network address, that when bitwise ANDed with a host's network address yields the subnet address.
  • the DSM system in accordance with the invention allows providers to sell services based on guaranteed bit rates by allocating discrete bandwidth levels to individual users and enforcing the bandwidth through bandwidth management techniques. These bandwidth management techniques can be used to enforce service level agreements that access providers have with the user networks.
  • the user network interface of the IAD is designed to offer different levels of bandwidth availability to the different networks. For example, an IAD connecting three networks may guarantee the first network two megabits per second of bandwidth, but allow up to three megabits per second if capacity allows; the second network may be guaranteed a bandwidth of one megabit per second, with a maximum permitted bandwidth of four megabits per second; and the third network may be allocated a minimum of one and a half megabits per second with no defined maximum capacity. Enforcing such a level of service, with the discrete bandwidth limits, can be carried out through methods known in, and common to, the art.
  • RADIUS accounting is independent of RADIUS authentication or authorization. RADIUS accounting allows reports to be sent at the start and end of services, indicating the amount of resources (e.g. session duration, data transferred, etc.) used during the session. It is possible for an ISP to use Simple Network Management Protocol (SNMP)-based statistics collected by the IAD for the above purposes. An SNMP management station periodically ‘polls’ the IAD SNMP agent to upload the accumulated statistics. Neither of these technologies is incompatible with the implementation described.
  • the present invention can provide the ability of a client network to select from a number of ISPs. Multiple ISP selection has not traditionally been regarded as an ability of networks but is now seen as a necessary feature for products providing access network services.
  • the user has the capability of switching between destination ISPs or corporations via the DSM service. This service is possible through the IAD because the IAD is designed to connect to numerous network services, whereas in the prior art systems access devices were designed for communication with specific networks.
  • the IAD is able to interface with and act as an authentication agent for numerous networks, thus allowing the user network to connect to any of the supported networks.
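
The guaranteed and maximum bandwidth levels in the three-network example above are exactly what a two-rate token-bucket policer (the two-rate three-colour marker of RFC 2698) enforces per network at the user network interface. The following is an added illustration, not code from the patent or from Tropic Networks; the 100 ms burst allowance, the 1500-byte (12000-bit) frame size and the offered traffic are assumptions chosen for the example.

```python
"""Two-rate token-bucket policer (RFC 2698 trTCM, colour-blind mode) for per-network
bandwidth levels. Added example; rates, burst and traffic are assumptions for illustration."""
from dataclasses import dataclass

GREEN, YELLOW, RED = "green", "yellow", "red"   # within guarantee / excess / above maximum


@dataclass
class Bucket:
    rate: float    # bits per second credited to the bucket
    depth: float   # maximum tokens (bits): bounds how large a burst is admitted
    tokens: float
    last: float    # time (s) of the last refill

    def refill(self, now: float) -> None:
        if now < self.last:
            raise ValueError("time went backwards")
        self.tokens = min(self.depth, self.tokens + (now - self.last) * self.rate)
        self.last = now


class NetworkPolicer:
    """One policer per user network: a CIR bucket for the guaranteed rate and, if the
    network has a defined maximum, a PIR bucket for the peak rate."""

    def __init__(self, cir_bps: float, pir_bps=None, burst_ms: int = 100, now: float = 0.0):
        if pir_bps is not None and pir_bps < cir_bps:
            raise ValueError("maximum rate must be at least the guaranteed rate")
        cbs = cir_bps * burst_ms / 1000           # bits admitted in one burst at the guarantee
        self.cir = Bucket(cir_bps, cbs, cbs, now)
        self.pir = None
        if pir_bps is not None:
            pbs = pir_bps * burst_ms / 1000
            self.pir = Bucket(pir_bps, pbs, pbs, now)

    def classify(self, bits: int, now: float) -> str:
        """RFC 2698 order: peak bucket first, then the committed bucket."""
        self.cir.refill(now)
        if self.pir is not None:
            self.pir.refill(now)
            if bits > self.pir.tokens:
                return RED                    # above the maximum: drop regardless of spare capacity
        if bits > self.cir.tokens:
            if self.pir is not None:
                self.pir.tokens -= bits
            return YELLOW                     # above the guarantee: forward only if the link has room
        self.cir.tokens -= bits
        if self.pir is not None:
            self.pir.tokens -= bits
        return GREEN                          # within the guarantee: must be forwarded


def count_colours(policer: NetworkPolicer, packets) -> dict:
    """packets: iterable of (bits, arrival_time) in arrival order."""
    counts = {GREEN: 0, YELLOW: 0, RED: 0}
    for bits, t in packets:
        counts[policer.classify(bits, t)] += 1
    return counts


def demo() -> dict:
    """The three networks from the text (2M/3M, 1M/4M, 1.5M/no maximum). Each offers a
    burst of 100 frames of 12000 bits at t=0 and again at t=1.0 s, after the buckets refill."""
    burst = [(12000, 0.0)] * 100 + [(12000, 1.0)] * 100
    nets = {
        "net1": NetworkPolicer(2e6, 3e6),
        "net2": NetworkPolicer(1e6, 4e6),
        "net3": NetworkPolicer(1.5e6, None),
    }
    return {name: count_colours(p, burst) for name, p in nets.items()}


if __name__ == "__main__":
    for name, counts in demo().items():
        print(name, counts)
```

Green frames are the guarantee and must be forwarded; yellow frames are the "if capacity allows" portion, which the egress scheduler admits only when the access link has spare capacity; red frames exceed the defined maximum and are dropped at the IAD before they reach the access network. The third network never produces red frames because it has no maximum, so its excess is bounded only by what the scheduler can fit.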

Abstract

A distributed subscriber management system and method that controls access to a network preventing unauthorized traffic through the access network and providing centralized access control between user networks. The system and method provide controlled access through the use of one of several technologies including user authentication, using PAP, CHAP, RADIUS, TACACS+, or other standard authentication means. The method includes the steps of receiving a connection request from a user located on one of the User Networks; interrogating the user for userid and password information; encrypting the userid and password information; transmitting the encrypted information, via the access network, to an authentication server attached to one of a plurality of external networks; decrypting the information at the authentication server; and transmitting an authentication message from the authentication server of the external network to the access control node via the access network. The preferred method includes the additional step of challenging all data leaving the access control node.

Description

    FIELD OF THE INVENTION
  • This invention relates to the management of user access rights on networks, and is particularly concerned with the distribution of resources used to authenticate and authorize users while allowing for accounting activities on user access to provided facilities. [0001]
  • BACKGROUND OF THE INVENTION
  • Typically, in the interoperation of various networks, a user is challenged to provide access control information, such as user identification and password, by a system residing at the gateway between the two networks. In the event that a user is denied access to the next portion of the network, all of that user's packets can be discarded, or the user can be re-challenged to provide access control information. This scheme is common in the art. Although this authorization scheme does succeed in preventing unauthorised access it allows unauthorized traffic to fully traverse the first network before it is discarded. This generates unnecessary traffic which is transmitted over the first network consuming precious bandwidth. [0002]
  • Authorization for such schemes is provided through the use of systems like the Remote Authentication Dial-In User Service (RADIUS) protocol. RADIUS is a fully open protocol, distributed as source code, known in the art, which is a client/server system designed to prevent unauthorized access to networks. RADIUS clients run on network devices and send authentication requests to a central RADIUS server that contains both user authentication information and network access rights. RADIUS can be modified to work with any common security system. Common implementations for RADIUS include networks with multiple vendor access servers such as an Internet Protocol (IP) based network, where dial-in users can be authenticated through a RADIUS server customized to work with the KERBEROS security system, a common security system on UNIX®-like computer networks. Other common implementations include networks in which a user is permitted access to a particular service. In this type of implementation a user could be restricted to a single utility, such as telnet, or a single server, or even a single protocol. This would permit RADIUS to identify a certain user as having access only to Point-to-Point-Protocol (PPP) using an IP address in a given range using only one service such as telnet or File Transfer Protocol (FTP). [0003]
  • RADIUS follows a client-server operational model. A Network Access Server (NAS), Remote Access Server (RAS), or the like, operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the response that is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user. A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers. [0004]
  • RADIUS is carried in UDP (Port number 1812 decimal) and IP data units. At times, the source IP address field in client requests is zero since the client may not yet have an address, in which case the RADIUS system will allocate an address to the user from a pool of unused network addresses. [0005]
  • When a user attempts to login, the following steps occur to authenticate the user with RADIUS: [0006]
  • 1. The user is prompted for and enters a username and password. [0007]
  • 2. The username and the password, hidden with the shared secret (RADIUS does not send the password in clear, but its User-Password hiding is an MD5-keyed XOR rather than true encryption), are sent over the network to the RADIUS server. [0008]
  • 3. The user receives one of the following responses from the RADIUS server: [0009]
  • ACCEPT (The user is authenticated) [0010]
  • REJECT (The user is not authenticated and is prompted to re-enter the username and password, or access is denied) [0011]
  • CHALLENGE (A challenge is issued by the RADIUS server to collect additional data from the user) [0012]
  • CHANGE PASSWORD (A request is issued by the RADIUS server, asking the user to select a new password) [0013]
  • RADIUS authentication must be performed before RADIUS authorization. The ACCEPT or REJECT response contains additional data that is used for EXEC or network authorization. The additional data included with the ACCEPT or REJECT packets consists of services that the user can access, including Telnet, rlogin, PPP, FTP, EXEC services, or connection parameters, including the host or client IP address, access list, and user timeouts. [0014]
  • User IP addresses can be statically provisioned or dynamically assigned using RADIUS or the like. In RADIUS, the ACCEPT or REJECT response contains the host or client IP address, access list, and user timeouts. Upon a user timeout, the user may be disconnected and if dynamically assigned, the IP address is returned to a pool of available addresses. BootP, DHCP, and TACACS+ can also be used to dynamically assign IP addresses to users but these protocols are less common than RADIUS. [0015]
  • Normally, a pool or group of addresses are pre-assigned by a network administrator and given out by the RADIUS server as users sign-on to the service provider. Typically used to oversubscribe IP addresses, a pool allows many clients to share a small number of IP addresses based on usage and contention patterns. [0016]
  • The Boot Protocol (BootP) is a UDP-serviced protocol that can be IP-routed to a BootP address server. Through the BootP protocol, the server can do many functions including IP address assignment, bootstrapping, operating system loading, desktop configuration, and hardware/interface configuration. BootP does not completely replace RADIUS as a subscriber management protocol. Dynamic Host Configuration Protocol (DHCP) is a newer alternative to BootP and possesses all the capabilities of BootP. As a rule, any BootP relay Agent (e.g., in a router or gateway) will work with DHCP. As with BootP, DHCP does not completely replace RADIUS as a subscriber management protocol. [0017]
  • An example of a known authentication scheme is depicted in FIG. 1. Here different User Networks 5 are connected to an Access Network 4, which in turn has a RADIUS client 3 at its egress edge. This RADIUS client 3 serves to ensure that only data with the correct authorization is allowed to go to the various ISP hosted networks 2 a-2 c. If a packet is not authorized it is discarded at the RADIUS client 3. To obtain the authorization, the RADIUS client 3 forms a connection to the RADIUS server 1 attached to the target ISP network which the packet is trying to enter. After forming this connection to the RADIUS server 1, the RADIUS client 3 can determine whether the user who initiated the packet transmission has authorization to transmit packets onto the target network. In such an implementation, the RADIUS client only controls access to the ISP hosted networks 2 a-2 c, while not controlling access to the Access Network 4, or between the User Networks 5. Thus, it is left to the administrators of the various User Networks 5 to ensure their own security and prevent admission of users from other User Networks 5 to systems to which those users should not have access. [0018]
  • Because data fully traverses the Access Network 4 before authorization is obtained, bandwidth on the Access Network 4 is needlessly consumed by transmissions that fail authentication. The unnecessary unauthorized traffic traversing the Access Network 4 can be problematic if there are restrictions on the available bandwidth, or if traffic is heavy. It would be desirable to stop this traffic as it enters the access network 4, so as to reduce loading problems. Moreover, the lack of centralized access control between the User Networks 5 is also undesirable. [0019]
  • One system addressing the problem of unnecessary traffic has been offered by CISCO Systems in the form of their Authentication, Authorization and Accounting (AAA) software. AAA acts to verify the authorization of a packet to enter an external network prior to entry of the packet into the access network. AAA also seeks to distribute the subscriber management features of the RADIUS client. Distributed subscriber management (DSM) provides a more fault tolerant implementation than a single RADIUS client does. However, in order to offer this service, an AAA client can only be attached to one User Network, since when multiple User Networks are connected to the same AAA client, one User Network could, without challenge by the AAA system, gain access to another User Network connected to the same AAA system. An example of an implementation known in the art and using AAA is found in FIG. 2. In that implementation, RADIUS Servers 1 are attached to ISP networks 2 a-2 c; a multitude of such networks are, in turn, connected to an Access Network 4. The Access Network 4 connects to a multitude of User Networks 5 a-5 c through AAA routed systems 6. Each User Network 5 a-5 c has its own AAA routed system 6, thus preventing one User Network 5 a, 5 b, or 5 c from gaining access to another User Network 5 a, 5 b, or 5 c. The AAA system 6 is used to verify the authorization of the packets with the RADIUS Server 1, and will discard any user packets that do not have the correct authorization. Unfortunately this requires a different AAA system 6 for each User Network 5 a-5 c that is connected to the Access Network 4, which can greatly add to the cost of a network. [0020]
  • Alternatives to RADIUS do exist, providing DSM systems with the option of implementing another type of security system. One of the alternatives to RADIUS is Terminal Access Controller Access Control System (TACACS). Three distinct versions of TACACS exist. The first is TACACS, which was the original product that provided password checking and authentication, as well as notification of user actions for security and accounting purposes. This original system is now considered obsolete. The second version is Extended TACACS, which is an extension to the older TACACS protocol that provides information about protocol translator and router information that can be used in UNIX like systems for auditing trails and accounting files. Extended TACACS is also now considered to be obsolete. TACACS+ is a recent protocol that provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through Authentication, Authorization and Accounting (AAA) and can be enabled only through AAA commands. The original TACACS protocol is documented in RFC 1492; TACACS+ itself was specified in an IETF Internet-Draft (draft-grant-tacacs) rather than in an RFC. For the purposes of simplicity all three TACACS implementations will be referred to as TACACS in this document, and it should be understood that any derivative of such a system can be substituted for TACACS. PPP is used to carry IP over dial configurations and supports both Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) as methods of password transfer. PPP has been modified to support numerous always-on access technologies including PPP over ATM (PPPoA), PPP over Frame Relay (PPPoF), and PPP over Ethernet (PPPoE). [0021]
  • With the creation of Competitive Local Exchange Carriers (CLECs) it is common to find a company which is delivering telephony over packet based networks and supplying clients with data based services. In addition, if there are two clients in close physical proximity to each other it would be advantageous to connect them to a common access network so that there is a single connection to the CLEC. However, this single connection to the CLEC is only feasible if a stronger user authorization scheme is implemented. Thus, a need exists in the art for an improved user authentication and authorization system. [0022]
  • SUMMARY OF THE INVENTION
  • It is an object of this invention to provide a DSM system and method that obviates or mitigates at least one disadvantage of previous systems and methods. In particular, the present invention provides a DSM system and method that controls access to a network to prevent unauthorized traffic through the access network and provides centralized access control between user networks. Other features of the invention can include providing a DSM system which allows set-up, maintenance, and tear-down of the user connection, allows users to choose their destination as opposed to tying a user to a single destination, and provides for the administration of the assignment and release of network addresses. [0023]
  • The DSM system of the invention preferably allows for at least one of several technologies including facilities for the enforcement of service levels as defined in Service Level Agreements, facilities for resource management and facilities for billing by a service provider through the collection of statistics and accounting data. Moreover, the system of the invention preferably alerts service providers of system problems through the use of alarm reporting. [0024]
  • In a first aspect, the present invention provides a distributed subscriber management method. This method allows a user network to perform user authentication for an external network at an access control node, such as an integrated access device, the external network being connected to the access control node by means of an access network. The method includes a first step of receiving a data unit at an access control node that is connected to a plurality of user networks. The second step is to determine whether the data unit requires authentication. The third step is to authenticate the determined data unit. The fourth step is to determine that the authenticated data unit is eligible for transmission. The step of authenticating may include any combination of interrogating the user for access information, transmitting the access information to an authentication server on an external network, and transmitting an authentication message from the authentication server to the access control node. Both the transmitting of the access information to an authentication server and the transmitting of an authentication message may be preceded by a step of encrypting the message, and then decrypting it after transmission. The authentication server of the external network may optionally employ one of the following protocols: Remote Authentication Dial-In User Service (RADIUS), Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Terminal Access Controller Access Control System (TACACS). The distributed subscriber management method of the first aspect of the present invention may also include the step of packet labelling the data units at the access control node. Optionally, after the step of determining that the authenticated data unit is eligible for transmission, the steps of examining the contents of the authentication message at the access control node; dropping the data unit if the contents indicate rejection; verifying the authenticity of the authentication message; and collecting statistical usage information at the access node may be performed. [0025]
  • In accordance with a second aspect of the present invention there is provided an integrated access device, for placement between a user network and an external network, the external network having an access rights authentication server. The integrated access device is comprised of a user network interface for operatively connecting to a plurality of user networks to receive data units from the plurality of user networks, an authentication agent, operatively connected to the user network interface, for authenticating, authorising and forwarding data units received from the plurality of user networks, and an external network interface, operatively connected to the authentication agent, for forwarding data units authorised by the authentication agent to an external network. In one embodiment of the second aspect of the present invention the user network interface includes a plurality of ingress cards and the external network interface includes an egress card. In other embodiments the authentication agent may include a combination of a local authorisation table for authorising data units, network address assignment and release means, service level enforcing means, network resource management means, statistical usage collection means, and alarm monitoring means. In further embodiments of the second aspect of the present invention the authentication agent includes a combination of a PAP client, a CHAP client, a TACACS client or a RADIUS client. [0026]
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • The invention will now be described in more detail by way of example only and with reference to the attached drawings, wherein [0027]
  • FIG. 1 is a schematic diagram of an authentication scheme known in the art; [0028]
  • FIG. 2 is a schematic diagram of another authentication scheme known in the art; [0029]
  • FIG. 3 is a schematic illustration of the presently preferred authorization system in accordance with the invention; [0030]
  • FIG. 4 is a schematic illustration of an application of the preferred DSM system of the invention in a mixed voice/data environment; [0031]
  • FIG. 5 is an overview of a DSM method of the present invention; [0032]
  • FIG. 6 is an overview of an authorization method used in conjunction with the present invention.[0033]
  • DETAILED DESCRIPTION OF THE INVENTION
  • A Distributed Subscriber Management system and method are disclosed which control access to a network, preventing unauthorized traffic through an access network, and provide centralized access control between user networks. The system, in accordance with the invention, provides controlled access through the use of one of several technologies including user authentication, using PAP, CHAP, RADIUS, TACACS, or other standard authentication means. The preferred system allows set-up, maintenance, and tear-down of the user connection and allows users to choose their destination as opposed to tying a user to a single destination. The system also preferably provides for the administration of the assignment and release of network addresses. The invention also provides a Distributed Subscriber Management (DSM) method for performing user authentication for an external network at an access control node, the external network being connected to the access control node by means of an Access Network, while the access control node is connected to a plurality of User Networks. The method can include the steps of receiving a connection request from a user located on one of the User Networks; interrogating the user for access control information such as user identification and password; optionally encrypting the userid and password information; transmitting the optionally encrypted information, via the Access Network, to an authentication server attached to an external network; decrypting the information, if necessary, at the authentication server; and transmitting an authentication message from the authentication server of the external network to the access control node via the Access Network. The preferred method includes the additional step of challenging all data leaving the access control node. The authentication server of the external network normally employs one of RADIUS, PAP, CHAP, and TACACS. A more detailed description of the method of the present invention is provided later in a description of FIG. 5. [0034]
  • The following terms and acronyms are used in the following description: [0035]
    DSM Distributed Subscriber Management
    RADIUS Remote Authentication Dial-In User Service
    IP Internet Protocol
    PPP Point-to-Point Protocol
    FTP File Transfer Protocol
    TACACS Terminal Access Controller Access Control System
    AAA Authentication, Authorization, Accounting
    PAP Password Authentication Protocol
    CHAP Challenge Handshake Authentication Protocol
    PPPoA PPP over ATM
    ATM Asynchronous Transfer Mode
    PPPoE PPP over Ethernet
    PPPoF PPP over Frame Relay
    CLEC Competitive Local Exchange Carrier
    ISP Internet Service Provider
    IAD Integrated Access Device
    QoS Quality of Service
    VPN Virtual Private Network
    ISDN Integrated Services Digital Network
    UDP/IP User Datagram Protocol/Internet Protocol
    L2TP Layer 2 Tunnelling Protocol, e.g. IP over PPP over UDP/IP
    L2F Layer 2 Forwarding, e.g. IP over PPP over IP
    IPSec IP Security (Internet Protocol Security)
    VPN IP over PPP over IPSec
    BootP Boot Protocol
    DHCP Dynamic Host Configuration Protocol
    SNMP Simple Network Management Protocol
    CLI Command Line Interface
    MAC Media Access Control
    SIP Service Interworking Platform
  • In order to provide secure Distributed Subscriber Management (DSM) in an efficient manner so as to allow multiple end user networks to co-exist with a single connection to the central network, while providing security to those users, it is necessary to consider various aspects of DSM, including: location of functionality; user authentication; efficient method of transport; secure dialogue; concentration and scalability; customer ease-of-use; IP address assignment; bandwidth management; accounting/billing; multiple ISP selection; and VPN capability. [0036]
  • The location of the functionality is of importance so that traffic can be reduced by eliminating data units without sufficient permission before they travel to the external network gateway. It is a concept of the DSM method of the invention that the subscriber management functionality is located at an access control node at the user network edge of the access network. In the preferred embodiment, this functionality is provided by the Integrated Access Device (IAD). The DSM method of the invention preferably takes the subscriber management functionality and distributes it across many IADs instead of centralizing it at the Service Provider. [0037]
  • A function of the DSM method is user authentication. DSM is a method of verifying that the user is authorized to use network resources or to access certain applications. At session start-up, a user on a user network initiates a connection to a system on an external network, the user is challenged to provide access control information (name or user identification and password). The authentication challenge can be one-time at session start-up, issued periodically, issued on a per data unit basis, or can be issued after session-timeout or interruption, at the discretion of the network administrators. [0038]
  • The operation of the presently preferred embodiment of the invention is illustrated in FIGS. 3 and 4. FIG. 3 depicts an exemplary network using the current invention. Here a [0039] RADIUS Server 1 is connected through an ISP 2 a-2 c to an Access Network 4. At the user network edge of the Access Network 4 is an Integrated Access Device (IAD) 7. Internal to the IAD 7 is a RADIUS client 3. The IAD 7 is placed between the Access Network 4 and a plurality of User Networks 5. This allows the RADIUS Client 3 in the IAD 7 to authorize all packets leaving the User Networks 5 before they traverse the Access Network 4. In addition, due to the manner in which the IAD is designed, all traffic leaving the IAD 7 is challenged for authorization, thus different User Networks 5 cannot inadvertently gain access to each other.
  • FIG. 4 depicts an exemplary embodiment of the invention being used in a mixed data/voice environment, where each of the different ISP networks require their own set of authorizations. Here both [0040] Voice Networks 8 and ISP data networks 2 are connected to a Services Interworking Platform (SIP) 9. The ISP networks 2 transmit and receive data signals, while the voice networks 8 transmit and receive voice messages. Each ISP network 2 has its own RADIUS Server 1 internal to the network. The SIP 9 is connected to both the Voice Networks 8 and the ISP networks 2 and provides them access to the Access Network 4. The Access Network is connected to the IAD 7, which has a plurality of RADIUS clients 3 internal to it. The IAD 7 allows the Access Network 4 to communicate with the telephony networks 11 and the User Devices 10. The IAD's plurality of RADIUS Clients 3 each establish a client/server relationship with one of the RADIUS Servers 1 so that they may perform AAA services on the packets that arises from both the telephony networks 11 and the User Devices 10. It should be noted for clarity that there need not be a direct relationship between the number of RADIUS clients 3 and the number of RADIUS servers 1 they connect to. The RADIUS clients 3 need not be dedicated to a particular RADIUS server 1 unless so desired by a system architect or a network administrator.
  • The [0041] IAD 7 can be represented by three basic elements, a user network interface, an authentication agent, and an external network interface. The user network interface is designed so that the IAD 7 can connect to the user networks 5. The external network interface connects to the external networks 2 a-2 c through the access network 4. The authentication agent is responsible for the authorisation, authentication and forwarding of packets, and communicates with authentication servers. Authentication servers authorise and authenticate access rights and user identity, and are typically represented by RADIUS servers.
  • Upon receiving a data unit from a user, the source Media Access Control (MAC) and/or IP address is verified in the LAD Forward Table against a list of authorized users. If authorized, the user data unit is marked by a data unit labelling system, sent across the access network to the egress edge and then forwarded to the destination provider. Session/interface states and statistics on session duration, number of packets/bytes sent/received and so on, can be collected by the [0042] IAD 7 and forwarded to the operator upon Command Line Interface (CLI) or Simple Network Management Protocol (SNMP) request.
  • [0043] If a particular user is not authorized to use a provider's domain, the IAD 7 challenges the user based on information received from the provider's RADIUS server 1. The user provides access control information to the IAD 7, which is forwarded to the RADIUS server 1. The RADIUS server 1 will respond with an authentication message. Once authenticated, the user data is allowed to flow through the access network 4 and SIP 9 to the destination service provider 2 a-2 c. The flow between the IAD 7 and the service provider network 2 a-2 c consists of pure data units, marked by a data unit labelling system, without any of the additional tunnel overhead incurred when using Point to Point Protocol over Ethernet (PPPoE) or Layer 2 Tunnelling Protocol (L2TP).
  • [0044] The IAD DSM module 7 is responsible for authentication, authorization and accounting, as well as for interacting with the user across the user dialogue protocol (e.g., PPPoE, L2TP, etc.). It processes access control information and builds a table of authorized user-to-Domain mappings, which is consulted for each incoming packet. The table can be at least partly constructed with information from the provider's RADIUS server 1.
  • [0045] An efficient method of transport allows the reduction of data carried over the network starting at the user device 10, flowing towards the IAD 7 and then on to the external network 2 a-2 c through the access network 4. There are many methods of carrying user sessions from the user device to the IAD 7. Methods known in the art include the numerous encapsulation choices for transporting user data, including: IP over PPP over dial-up; IP over PPP over ISDN; IP over PPP over Ethernet (PPPoE); IP over PPP over Frame Relay (PPPoF); IP over PPP over ATM (PPPoA); IP over PPP over UDP/IP (L2TP); IP over PPP over IP (L2F); IP over PPP over IPSec (VPN); as well as any number of proprietary encapsulation techniques. As is apparent, public, or non-proprietary, methods share the use of PPP to carry subscriber management information. Traditionally these methods have been used to transport the user PPP session across the access network. This contributes significantly to the protocol overhead in the process and increases traffic across the Access Network. In the presently preferred embodiment, this invention uses the PPPoE or L2TP protocols between the IAD 7 and user device 10. These protocols do not extend over the access network 4, thus reducing the overhead that these techniques apply to the data units.
  • [0046] The IAD 7 is charged with performing user authentication and communicates with the RADIUS server 1, becoming in effect a RADIUS client 3. If the IAD 7 supports multiple destination networks (i.e., multiple Virtual Private Networks), then multiple RADIUS clients 3 can be supported. The communication of authentication information across the access network 4 can be secured to avoid the discovery of user names and passwords through the use of snooping techniques. Thus, to provide a secure dialogue, transactions between the IAD RADIUS client 3 and RADIUS server 1 are authenticated through the use of a shared secret code, which is never sent over the network. Access control information can be encrypted using industry standard encryption technologies, such as MD5, when sent between the client 3 and RADIUS server 1, to eliminate the possibility of password compromise.
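The shared secret and MD5 mechanism referred to above is the standard RADIUS exchange of RFC 2865. The following is an added example, not code from the patent: it builds an Access-Request with the User-Password attribute hidden as RFC 2865 section 5.2 specifies and checks the server's Response Authenticator on the reply; the shared secret, user name and NAS address are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed values for this example; none of them come from the patent.
SHARED_SECRET = b"example-shared-secret"   # provisioned on IAD client and RADIUS server, never transmitted
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 octets,
    then XOR each block with MD5(secret + previous block); the 16-octet Request
    Authenticator keys the first block, so the same password hides differently per request."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden, prev = hidden + block, block
    return hidden


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same chain; trailing NUL padding is stripped
    (so a password ending in NUL is not representable, as in the RFC)."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear, prev = clear + bytes(c ^ k for c, k in zip(block, keystream)), block
    return clear.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, request_auth: bytes, username: bytes,
                         password: bytes, nas_ip: str, secret: bytes = SHARED_SECRET) -> bytes:
    """IAD RADIUS client -> server. Only the hidden password leaves the client."""
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def build_response(code: int, identifier: int, request_auth: bytes, attrs: bytes = b"",
                   secret: bytes = SHARED_SECRET) -> bytes:
    """Server -> client. Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attrs | Secret),
    which binds the reply to the request and to the shared secret."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes = SHARED_SECRET) -> bool:
    """Client-side check before an Access-Accept is allowed to populate the forward table."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```

The secret appears in neither packet, which is the property the paragraph above relies on; it is also the only thing authenticating the reply, so the client must verify the Response Authenticator rather than accept any reply carrying the right Identifier, and current deployments additionally carry RADIUS over TLS (RFC 6614).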
  • [0047] To secure data units that are accidentally released to the wrong network, a data security system is preferably implemented so as to prevent these errant data units from being decoded. Numerous techniques of data unit labelling can be applied to solve this, so that data units that are not intended for a given network are never read by it. A data unit labelling scheme that can render a data unit illegible to foreign devices while in transit across the access network, while at the same time introducing no overhead, is presently preferred for use with this invention. This data unit marking process must be undone at the egress edge of the access network 4 so that data units can be restored for delivery to the ISP or corporate router.
  • [0048] The method of the present invention is illustrated, in exemplary form, in FIG. 5. The process starts in step 100 when an access node, such as the IAD, receives a data unit from a user network. The access node examines the destination of the data unit and determines whether the access rights to the destination network need to be authenticated in step 102. If no authentication is required, the data unit may be transmitted in step 108. If authentication of access rights to the destination network is required, authentication of the access rights is obtained in step 104. A detailed example of the authentication of access rights is provided in FIG. 6, and will be described later. A determination of the authenticated access rights is made at step 106. If the authentication failed then the data unit may be dropped in step 110. If the authentication was successful the data unit is transmitted in step 108, and the method returns to step 100.
  • [0049] FIG. 6 illustrates an exemplary method of authentication that can be used in step 104. Upon beginning the authentication process, access control information is obtained in step 112. The access node checks a local cache or table of authenticated information in step 114 to see if the authentication can be provided locally. If the authentication can be provided locally then the locally provided authentication is forwarded to step 106 in step 116. By providing locally stored authentication in this manner, the access node reduces latency times for data unit transit, and also reduces the amount of data that is transmitted over an access network to a remote authentication server. If authentication information is not stored locally, access control information is transmitted to a remote authentication server in step 118. The remote authentication server transmits an authorization message to the access control node in step 120. The communications between the access control node and the remote authorization server can optionally be encrypted for security. The information from either step 116 or step 120 is then provided to step 106.
  • [0050] The locally stored information accessed in step 116 can be added to upon each communication with the remote authentication server. Thus the contents of this local resource can serve as a cache for the remote network. The local information can optionally be given a timestamp or other information so that the remote server can have the access control node remove information when predetermined conditions are met. This allows the information in the access control node to expire after a period of inactivity, for example.
  • [0051] The access control information obtained in step 112 can include user identification and password information, and can further include network address values. After an initial connection requiring user identification and password information for authorization, the access control node can assume that further data units from that network address are from the same user so long as the locally stored authentication information has not expired.
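The flow of FIG. 5 and FIG. 6 (steps 100 to 120) together with the inactivity expiry of paragraphs [0050] and [0051], as an added example that is not the patent's own code: the remote authentication server is stood in for by a callback, the forward table is keyed by the user's source MAC and IP address per destination domain, and all names and sample values are constructed.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed for illustration; the constants and names are not the patent's.
TRANSMIT, DROP = "transmit", "drop"
OPEN_DOMAINS = {"local-lan"}   # destinations for which step 102 answers "no authentication required"


@dataclass
class ForwardEntry:
    """One authorised user-to-domain mapping in the access node's forward table,
    with the per-session counters of paragraph [0042]."""
    user: str
    domain: str
    last_seen: float
    packets: int = 0
    octets: int = 0


class AccessNode:
    """Authentication agent of an access node such as the IAD: consult the local table
    first (step 114), query the remote server on a miss (steps 118-120), and expire
    cached authorisations after a period of inactivity ([0050])."""

    def __init__(self, remote_auth: Callable[[str, str, str], bool],
                 idle_timeout: float = 300.0, clock: Callable[[], float] = time.monotonic):
        self.remote_auth = remote_auth      # (user, password, domain) -> accepted?; stands in for RADIUS
        self.idle_timeout = idle_timeout
        self.clock = clock
        # key: (source MAC, source IP, destination domain). Per [0051], later data units from
        # the same address are taken to be the same user until the entry expires.
        self.table: Dict[Tuple[str, str, str], ForwardEntry] = {}
        self.remote_queries = 0

    def _lookup(self, key: Tuple[str, str, str], now: float) -> Optional[ForwardEntry]:
        entry = self.table.get(key)
        if entry is None:
            return None
        if now - entry.last_seen > self.idle_timeout:   # expired: remove and treat as a miss
            del self.table[key]
            return None
        return entry

    def handle_data_unit(self, src_mac: str, src_ip: str, domain: str, size: int,
                         credentials: Optional[Tuple[str, str]] = None) -> str:
        """Steps 100-110 of FIG. 5 for one data unit. `credentials` is the (user, password)
        pair the user supplies when challenged; it is only needed on a table miss."""
        now = self.clock()
        if domain in OPEN_DOMAINS:                              # step 102 -> step 108
            return TRANSMIT
        key = (src_mac, src_ip, domain)
        entry = self._lookup(key, now)                          # step 114
        if entry is None:
            if credentials is None:                             # nothing to authenticate with yet
                return DROP
            user, password = credentials
            self.remote_queries += 1
            if not self.remote_auth(user, password, domain):    # steps 118-120, server rejects
                return DROP                                     # step 110
            entry = self.table[key] = ForwardEntry(user, domain, now)
        entry.last_seen = now                                   # activity refreshes the entry
        entry.packets += 1
        entry.octets += size
        return TRANSMIT                                         # step 108
```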
  • [0052] The presently preferred embodiment of the invention as described so far can be considered both scalable and concentrated. The IAD is connected to a number of user networks, and is thus able to serve a large number of individual users from a central location; this gives it concentration. Additionally, since the IAD serves a number of networks, it is possible to introduce a second IAD to a location and simply shift some of the networks from the first IAD to the second; this allows an IAD to be used until it is near capacity and then provides a simple scaling path to support more users. A high concentration of users is considered important for the service provider to make a viable business case. In today's world of cut-rate Internet access, service providers must groom many hundreds or thousands of subscribers onto one high-speed data stream. The ISP or corporate router should not be troubled with managing these many user sessions while trying to route incoming data units at, say, DS3 (45 Mbps) or OC3 (155 Mbps) wire rate.
  • [0053] Scalability is a potential problem for products that perform subscriber management in a box located at the ISP end of the access network. This has been addressed with the present invention, where subscriber management is preferably distributed across multiple IADs 7, each IAD 7 only having to manage at most one or two dozen subscribers. This means that if a given subscriber increases their load and requires more resources at the IAD 7, it is possible to add or upgrade a single unit that affects a small part of the user base, as opposed to upgrading a centralized unit and inconveniencing all users of the system during the upgrade process. Conventional systems lack either the scalability or the concentration of the IAD. AAA systems need not be scaled in the same manner because they serve a single network, and are thus not concentrated. Conventional RADIUS clients, though concentrated, are difficult to scale because each user attempting to access the external network accesses the RADIUS client as a gateway. Simply adding a second gateway will not allow for proper load balancing or load sharing, as users must change the previously specified gateway if they want to access the second RADIUS client. Expensive load balancing systems can be applied to solve this problem, but typically they are difficult to design and maintain.
  • [0054] With the preferred embodiment of this invention, subnet and mask information are tied to a Domain, which appears as a logical RAS module. IP host numbers can then be dynamically assigned to users as they connect. Typically each user network connected to the IAD will have a different subnet address, so that requests that stay on the network are easily identified, and requests destined for other networks are easily routed. The subnet mask, as would be known to a person skilled in the art, is a code resembling a network address that, when bitwise logically AND'ed with a network address, results in the subnet address.
  • [0055] The DSM system in accordance with the invention allows providers to sell services based on guaranteed bit rates by allocating discrete bandwidth levels to individual users and enforcing the bandwidth through bandwidth management techniques. These bandwidth management techniques can be used to enforce service level agreements that access providers have with the user networks. Typically, the user network interface of the IAD is designed to offer different levels of bandwidth availability to the different networks. For example, an IAD connecting three networks may guarantee the first network two megabits per second of bandwidth, but allow up to three megabits per second if capacity allows; the second network may be guaranteed a bandwidth of one megabit per second, with a maximum permitted bandwidth of four megabits per second; and the third network may be allocated a minimum of one and a half megabits per second with no defined maximum capacity. Enforcing such a level of service, with the discrete bandwidth limits, can be carried out through methods known in, and common to, the art.
  • [0056] Service providers require resource accounting to bill users or to prove that service levels have been met by the network/system. A service provider is likely to use RADIUS access control and accounting software defined by RFC 2139 to meet these special needs. RADIUS accounting is independent of RADIUS authentication or authorization. RADIUS accounting allows reports to be sent at the start and end of services, indicating the amount of resources (e.g. session duration, data transferred, etc.) used during the session. It is possible for an ISP to use Simple Network Management Protocol (SNMP)-based statistics collected by the IAD for the above purposes. An SNMP management station periodically 'polls' the IAD SNMP agent to upload the accumulated statistics. Neither of these technologies is incompatible with the implementation described.
  • [0057] The present invention can provide the ability of a client network to select from a number of ISPs. Multiple ISP selection has not traditionally been regarded as an ability of networks but is now seen as a necessary feature for products providing access network services. The user has the capability of switching between destination ISPs or corporations via the DSM service. This service is possible through the IAD because the IAD is designed to connect to numerous network services, whereas in the prior art systems access devices were designed for communication with specific networks. The IAD is able to interface with and act as an authentication agent for numerous networks, thus allowing the user network to connect to any of the supported networks.
  • [0058] Through the implementation of both this invention and a secure data unit labelling system it is possible to enable Virtual Private Networking, as will be apparent to those of skill in the art. Once authenticated by DSM and marked by the data unit labelling, data units are secure until they reach the egress interface of the network.
  • [0059] The above-described embodiments of the present invention are intended to be examples only. Alterations, modifications and variations may be effected to the particular embodiments by those of skill in the art without departing from the scope of the invention, which is defined solely by the claims appended hereto.

Claims (26)

What is claimed is:
1. A distributed subscriber management method for a user network for performing user authentication for an external network at an access control node, the external network being connected to the access control node by means of an access network; comprising:
(a) receiving, at an access control node operatively connected to a plurality of user networks, a data unit from a user located on one of the plurality of user networks;
(b) determining that the data unit requires authentication;
(c) authenticating the determined data unit; and
(d) determining that the authenticated data unit is eligible for transmission.
2. The distributed subscriber management method as claimed in claim 1, wherein authenticating includes interrogating the user for access information.
3. The distributed subscriber management method as claimed in claim 2, wherein authenticating includes transmitting the access information to an authentication server of an external network.
4. The distributed subscriber management method as claimed in claim 3, wherein authenticating includes transmitting an authentication message from the authentication server to the access control node to permit the user to access the external network.
5. The distributed subscriber management method as claimed in claim 4, further including encrypting the access information at the access control node prior to transmitting the access information; and decrypting the access information at the authentication server.
6. The distributed subscriber management method as claimed in claim 3, wherein the authentication server of the external network employs remote authentication dial-in user service protocol.
7. The distributed subscriber management method as claimed in claim 3, wherein the authentication server of the external network employs password authentication protocol.
8. The distributed subscriber management method as claimed in claim 3, wherein the authentication server of the external network employs challenge handshake authentication protocol.
9. The distributed subscriber management method as claimed in claim 3, wherein the authentication server of the external network employs terminal access controller access control system.
10. The distributed subscriber management method as claimed in claim 1, further including packet-labelling the data unit.
11. The distributed subscriber management method as claimed in claim 4, further including determining the contents of the authentication message at the access control node.
12. The distributed subscriber management method as claimed in claim 11, further including dropping the data unit if the contents indicate rejection.
13. The distributed subscriber management method as claimed in claim 11, further including examining the authentication message for authenticity.
14. The distributed subscriber management method as claimed in claim 1, further including collecting statistical usage information at the access node.
15. An integrated access device, for placement between a user network and an external network, the external network having an access rights authentication server, comprising:
a user network interface for operatively connecting to a plurality of user networks to receive data units from the plurality of user networks;
an authentication agent, operatively connected to the user network interface for authenticating, authorising and forwarding data units received from the plurality of user networks;
an external network interface, operatively connected to the authentication agent, for forwarding data units authorised by the authentication agent to an external network.
16. An integrated access device as claimed in claim 15, wherein the user network interface includes a plurality of ingress cards and the external network interface includes an egress card.
17. An integrated access device as claimed in claim 15, wherein the authentication agent includes a local authorisation table for authorising data units.
18. An integrated access device as claimed in claim 15, wherein the authentication agent includes network address assignment and release means.
19. An integrated access device as claimed in claim 15, further including service level enforcing means.
19. An integrated access device as claimed in claim 15, further including network resource management means.
20. An integrated access device as claimed in claim 19, further including means for statistical usage collection means.
21. An integrated access device as claimed in claim 20, further including alarm monitoring means.
21. An integrated access device as claimed in claim 15, wherein the authorization client includes a password authentication protocol client.
22. An integrated access device as claimed in claim 15, wherein the authorization client includes a challenge handshake authentication protocol client.
23. An integrated access device as claimed in claim 15, wherein the authorization client includes a terminal access controller access control system client.
24. An integrated access device as claimed in claim 15, wherein the authorization client includes a remote authentication dial-in user service protocol client.
US09/755,037 2000-01-07 2001-01-08 Distributed subscriber management system Abandoned US20010044893A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US11/514,852 US7512784B2 (en) 2000-01-07 2006-09-05 Distributed subscriber management system
US12/132,583 US7921457B2 (en) 2000-01-07 2008-06-03 Distributed subscriber management system

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CA 2293989 CA2293989A1 (en) 2000-01-07 2000-01-07 Distributed subscriber management
CA2,293,989 2000-01-07
CA002296213A CA2296213C (en) 2000-01-07 2000-01-14 Distributed subscriber management

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US11/514,852 Continuation US7512784B2 (en) 2000-01-07 2006-09-05 Distributed subscriber management system

Publications (1)

Publication Number Publication Date
US20010044893A1 true US20010044893A1 (en) 2001-11-22

Family

ID=25681453

Family Applications (3)

Application Number Title Priority Date Filing Date
US09/755,037 Abandoned US20010044893A1 (en) 2000-01-07 2001-01-08 Distributed subscriber management system
US11/514,852 Expired - Fee Related US7512784B2 (en) 2000-01-07 2006-09-05 Distributed subscriber management system
US12/132,583 Expired - Fee Related US7921457B2 (en) 2000-01-07 2008-06-03 Distributed subscriber management system

Country Status (2)

Country Link
US (3) US20010044893A1 (en)
CA (1) CA2296213C (en)

US6298383B1 (en) * 1999-01-04 2001-10-02 Cisco Technology, Inc. Integration of authentication authorization and accounting service and proxy service
US6311218B1 (en) * 1996-10-17 2001-10-30 3Com Corporation Method and apparatus for providing security in a star network connection using public key cryptography
US6311275B1 (en) * 1998-08-03 2001-10-30 Cisco Technology, Inc. Method for providing single step log-on access to a differentiated computer network
US6377955B1 (en) * 1999-03-30 2002-04-23 Cisco Technology, Inc. Method and apparatus for generating user-specified reports from radius information
US6463474B1 (en) * 1999-07-02 2002-10-08 Cisco Technology, Inc. Local authentication of a client at a network device
US6466977B1 (en) * 1999-05-06 2002-10-15 Cisco Technology, Inc. Proxy on demand
US6470453B1 (en) * 1998-09-17 2002-10-22 Cisco Technology, Inc. Validating connections to a network system
US6510454B1 (en) * 1998-04-21 2003-01-21 Intel Corporation Network device monitoring with E-mail reporting
US6584505B1 (en) * 1999-07-08 2003-06-24 Microsoft Corporation Authenticating access to a network server without communicating login information through the network server
US6606663B1 (en) * 1998-09-29 2003-08-12 Openwave Systems Inc. Method and apparatus for caching credentials in proxy servers for wireless user agents
US6636894B1 (en) * 1998-12-08 2003-10-21 Nomadix, Inc. Systems and methods for redirecting users having transparent computer access to a network using a gateway device having redirection capability
US6707795B1 (en) * 1999-04-26 2004-03-16 Nortel Networks Limited Alarm correlation method and system
US6965939B2 (en) * 2001-01-05 2005-11-15 International Business Machines Corporation Method and apparatus for processing requests in a network data processing system based on a trust association between servers

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6067623A (en) * 1997-11-21 2000-05-23 International Business Machines Corp. System and method for secure web server gateway access using credential transform
US6459682B1 (en) * 1998-04-07 2002-10-01 International Business Machines Corporation Architecture for supporting service level agreements in an IP network
DE69833929T2 (en) * 1998-04-10 2007-03-15 Sun Microsystems, Inc., Mountain View Network access authentication system
US6219790B1 (en) * 1998-06-19 2001-04-17 Lucent Technologies Inc. Centralized authentication, authorization and accounting server with support for multiple transport protocols and multiple client types
US6584122B1 (en) * 1998-12-18 2003-06-24 Integral Access, Inc. Method and system for providing voice and data service
US6405251B1 (en) * 1999-03-25 2002-06-11 Nortel Networks Limited Enhancement of network accounting records

Cited By (136)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020016855A1 (en) * 2000-03-20 2002-02-07 Garrett John W. Managed access point for service selection in a shared access network
US20020019875A1 (en) * 2000-03-20 2002-02-14 Garrett John W. Service selection in a shared access network
US20020023171A1 (en) * 2000-03-20 2002-02-21 Garrett John W. Service selection in a shared access network using policy routing
US20020023174A1 (en) * 2000-03-20 2002-02-21 Garrett John W. Service selection in a shared access network using dynamic host configuration protocol
US20020023160A1 (en) * 2000-03-20 2002-02-21 Garrett John W. Service selection in a shared access network providing access control
US20020038419A1 (en) * 2000-03-20 2002-03-28 Garrett John W. Service selection in a shared access network using tunneling
US7065578B2 (en) 2000-03-20 2006-06-20 At&T Corp. Service selection in a shared access network using policy routing
US6947404B1 (en) * 2000-11-06 2005-09-20 Nokia Corporation Automatic WAP login
US20020095497A1 (en) * 2001-01-17 2002-07-18 Satagopan Murli D. Caching user network access information within a network
US7085833B2 (en) * 2001-01-17 2006-08-01 Microsoft Corporation Caching user network access information within a network
US7587493B1 (en) 2001-01-19 2009-09-08 Cisco Technology, Inc. Local network address management
US6988148B1 (en) 2001-01-19 2006-01-17 Cisco Technology, Inc. IP pool management utilizing an IP pool MIB
US8321567B1 (en) 2001-01-19 2012-11-27 Cisco Technology, Inc. IP pool management utilizing an IP pool MIB
US7921290B2 (en) * 2001-04-18 2011-04-05 Ipass Inc. Method and system for securely authenticating network access credentials for users
US20030056096A1 (en) * 2001-04-18 2003-03-20 Albert Roy David Method and system for securely authenticating network access credentials for users
US20030056092A1 (en) * 2001-04-18 2003-03-20 Edgett Jeff Steven Method and system for associating a plurality of transaction data records generated in a service access system
US7469341B2 (en) 2001-04-18 2008-12-23 Ipass Inc. Method and system for associating a plurality of transaction data records generated in a service access system
US7788345B1 (en) * 2001-06-04 2010-08-31 Cisco Technology, Inc. Resource allocation and reclamation for on-demand address pools
US7197549B1 (en) 2001-06-04 2007-03-27 Cisco Technology, Inc. On-demand address pools
US7469298B2 (en) * 2001-08-15 2008-12-23 Fujitsu Limited Method and system for enabling layer 2 transmission of IP data frame between user terminal and service provider
US20030037163A1 (en) * 2001-08-15 2003-02-20 Atsushi Kitada Method and system for enabling layer 2 transmission of IP data frame between user terminal and service provider
US7487535B1 (en) * 2002-02-01 2009-02-03 Novell, Inc. Authentication on demand in a distributed network environment
US7707416B2 (en) 2002-02-01 2010-04-27 Novell, Inc. Authentication cache and authentication on demand in a distributed network environment
US20080133914A1 (en) * 2002-02-01 2008-06-05 Novell, Inc. Authentication cache and authentication on demand in a distributed network environment
US20100107226A1 (en) * 2002-04-10 2010-04-29 3Com Corporation System and Methods for Providing Presence Services In IP Network
US7702726B1 (en) * 2002-04-10 2010-04-20 3Com Corporation System and methods for providing presence services in IP network
US20030233572A1 (en) * 2002-06-04 2003-12-18 Alcatel Method, a network access server, an authentication-authorization-and-accounting server, and a computer software product for proxying user authentication-authorization-and-accounting messages via a network access server
EP1370040A1 (en) * 2002-06-04 2003-12-10 Alcatel A method, a network access server, an authentication-authorization-and-accounting server, and a computer software product for proxying user authentication-authorization-and-accounting messages via a network access server
US7624429B2 (en) 2002-06-04 2009-11-24 Alcatel Method, a network access server, an authentication-authorization-and-accounting server, and a computer software product for proxying user authentication-authorization-and-accounting messages via a network access server
EP1550050A1 (en) * 2002-09-25 2005-07-06 Telemac Corporation Method and system for managing local control of wlan access
WO2004029823A1 (en) 2002-09-25 2004-04-08 Telemac Corporation Method and system for managing local control of wlan access
EP1550050A4 (en) * 2002-09-25 2010-06-02 Telemac Corp Method and system for managing local control of wlan access
US20040073651A1 (en) * 2002-10-10 2004-04-15 International Business Machines Corporation Secure system and method for providing a robust radius accounting server
EP1557978A4 (en) * 2002-11-01 2007-03-07 Huawei Tech Co Ltd A security management method for an integrated access device of network
EP1557978A1 (en) * 2002-11-01 2005-07-27 Huawei Technologies Co., Ltd. A security management method for an integrated access device of network
US20040088411A1 (en) * 2002-11-04 2004-05-06 Jakubowski Deborah W. Method and system for vendor management
US8396075B2 (en) 2002-12-02 2013-03-12 Redknee Inc. Method for implementing an open charging (OC) middleware platform and gateway system
US20090080437A1 (en) * 2002-12-31 2009-03-26 Nguyen Han Q Service selection in a shared access network using virtual networks
US8040896B2 (en) 2002-12-31 2011-10-18 At&T Intellectual Property Ii, L.P. Service selection in a shared access network using virtual networks
US20100067537A1 (en) * 2003-01-23 2010-03-18 Redknee Inc. Method for implementing an internet protocol (ip) charging and rating middleware platform and gateway system
US8244859B2 (en) 2003-01-23 2012-08-14 Redknee, Inc. Method for implementing an internet protocol (IP) charging and rating middleware platform and gateway system
US8606885B2 (en) 2003-06-05 2013-12-10 Ipass Inc. Method and system of providing access point data associated with a network access point
US7299492B2 (en) 2003-06-12 2007-11-20 International Business Machines Corporation Multi-level multi-user web services security system and method
US20050015591A1 (en) * 2003-06-12 2005-01-20 International Business Machines Corporation Multi-level multi-user web services security system and method
US7353260B1 (en) * 2003-06-13 2008-04-01 Cisco Technology, Inc. System and method for access control on a storage router
US8542676B2 (en) 2003-06-16 2013-09-24 Redknee Inc. Method and system for multimedia messaging service (MMS) rating and billing
US7505472B1 (en) * 2003-06-20 2009-03-17 Redback Networks Inc. Method and apparatus for agnostic PPP switching
US7698384B2 (en) * 2003-06-26 2010-04-13 International Business Machines Corporation Information collecting system for providing connection information to an application in an IP network
US20050021746A1 (en) * 2003-06-26 2005-01-27 International Business Machines Corporation Information collecting system for providing connection information to an application in an IP network
CN1319337C (en) * 2003-07-02 2007-05-30 华为技术有限公司 Authentication method based on Ethernet authentication system
US20050086492A1 (en) * 2003-08-15 2005-04-21 Fiberlink Communications Corporation System, method, apparatus and computer program product for facilitating digital communications
EP1654827A4 (en) * 2003-08-15 2009-08-05 Fiberlink Comm Corp System, method, apparatus and computer program product for facilitating digital communications
EP1654827A2 (en) * 2003-08-15 2006-05-10 Fiberlink Communications Corporation System, method, apparatus and computer program product for facilitating digital communications
US20050091333A1 (en) * 2003-10-23 2005-04-28 Ikuko Kobayashi Computer system that a plurality of computers share a storage device
US7219151B2 (en) 2003-10-23 2007-05-15 Hitachi, Ltd. Computer system that enables a plurality of computers to share a storage device
US7606916B1 (en) * 2003-11-10 2009-10-20 Cisco Technology, Inc. Method and apparatus for load balancing within a computer system
US20050114697A1 (en) * 2003-11-21 2005-05-26 Finisar Corporation Secure point to point network pairs
US20080222416A1 (en) * 2003-12-01 2008-09-11 Gary Kiwimagi Secure Network Connection
US20050120223A1 (en) * 2003-12-01 2005-06-02 Gary Kiwimagi Secure authenticated network connections
WO2005094463A3 (en) * 2004-03-23 2008-08-14 Pctel Inc Service level assurance system and method for wired and wireless broadband networks
WO2005094463A2 (en) * 2004-03-23 2005-10-13 Pctel Inc. Service level assurance system and method for wired and wireless broadband networks
US7958352B2 (en) 2004-04-08 2011-06-07 Ipass Inc. Method and system for verifying and updating the configuration of an access device during authentication
US7539862B2 (en) 2004-04-08 2009-05-26 Ipass Inc. Method and system for verifying and updating the configuration of an access device during authentication
US20060047823A1 (en) * 2004-06-22 2006-03-02 Taiwan Semiconductor Manufacturing Company, Ltd. Method and apparatus for detecting an unauthorized client in a network of computer systems
US7467405B2 (en) * 2004-06-22 2008-12-16 Taiwan Semiconductor Manufacturing Company, Ltd. Method and apparatus for detecting an unauthorized client in a network of computer systems
US20080222696A1 (en) * 2004-08-16 2008-09-11 Fiberlink Communications Corporation System, Method, Apparatus, and Computer Program Product for Facilitating Digital Communications
US7725589B2 (en) 2004-08-16 2010-05-25 Fiberlink Communications Corporation System, method, apparatus, and computer program product for facilitating digital communications
US8767549B2 (en) 2005-04-27 2014-07-01 Extreme Networks, Inc. Integrated methods of performing network switch functions
US20110149736A1 (en) * 2005-04-27 2011-06-23 Extreme Networks, Inc. Integrated methods of performing network switch functions
US20070053334A1 (en) * 2005-09-02 2007-03-08 Noriyuki Sueyoshi Packet forwarding apparatus for connecting mobile terminal to ISP network
US7616615B2 (en) * 2005-09-02 2009-11-10 Hitachi Communication Technologies, Ltd. Packet forwarding apparatus for connecting mobile terminal to ISP network
US8255996B2 (en) 2005-12-30 2012-08-28 Extreme Networks, Inc. Network threat detection and mitigation
US8615785B2 (en) 2005-12-30 2013-12-24 Extreme Network, Inc. Network threat detection and mitigation
US20070157306A1 (en) * 2005-12-30 2007-07-05 Elrod Craig T Network threat detection and mitigation
US8213433B2 (en) * 2006-03-21 2012-07-03 Huawei Technologies Co., Ltd. Method and system for ensuring QoS and SLA server
US20090010264A1 (en) * 2006-03-21 2009-01-08 Huawei Technologies Co., Ltd. Method and System for Ensuring QoS and SLA Server
US8181010B1 (en) * 2006-04-17 2012-05-15 Oracle America, Inc. Distributed authentication user interface system
US20080077809A1 (en) * 2006-09-22 2008-03-27 Bea Systems, Inc. Credential Vault Encryption
WO2008036947A2 (en) * 2006-09-22 2008-03-27 Bea Systems, Inc. Reverse proxy system
US20080077983A1 (en) * 2006-09-22 2008-03-27 Bea Systems, Inc. Non-invasive insertion of pagelets
US20080313728A1 (en) * 2006-09-22 2008-12-18 Bea Systems, Inc. Interstitial pages
US20080077981A1 (en) * 2006-09-22 2008-03-27 Bea Systems, Inc. Pagelets in adaptive tags in non-portal reverse proxy
US20080077982A1 (en) * 2006-09-22 2008-03-27 Bea Systems, Inc. Credential vault encryption
US8136150B2 (en) 2006-09-22 2012-03-13 Oracle International Corporation User role mapping in web applications
US20080250388A1 (en) * 2006-09-22 2008-10-09 Bea Systems, Inc. Pagelets in adaptive tags
US7861290B2 (en) 2006-09-22 2010-12-28 Oracle International Corporation Non-invasive insertion of pagelets
US7861289B2 (en) 2006-09-22 2010-12-28 Oracle International Corporation Pagelets in adaptive tags in non-portal reverse proxy
US7865943B2 (en) * 2006-09-22 2011-01-04 Oracle International Corporation Credential vault encryption
US7886352B2 (en) 2006-09-22 2011-02-08 Oracle International Corporation Interstitial pages
WO2008036947A3 (en) * 2006-09-22 2008-10-02 Bea Systems Inc Reverse proxy system
US20110047611A1 (en) * 2006-09-22 2011-02-24 Bea Systems, Inc. User Role Mapping in Web Applications
US7904953B2 (en) 2006-09-22 2011-03-08 Bea Systems, Inc. Pagelets
US20080077980A1 (en) * 2006-09-22 2008-03-27 Bea Systems, Inc. Pagelets
US8397283B2 (en) 2006-09-22 2013-03-12 Oracle International Corporation User role mapping in web applications
US8031594B2 (en) * 2006-09-29 2011-10-04 At&T Intellectual Property I, L.P. System and method of providing communications services
US20080080368A1 (en) * 2006-09-29 2008-04-03 Sbc Knowledge Ventures, Lp System and method of providing communications services
US20080228919A1 (en) * 2007-03-14 2008-09-18 Cisco Technology, Inc. Unified User Interface for Network Management Systems
US8650297B2 (en) * 2007-03-14 2014-02-11 Cisco Technology, Inc. Unified user interface for network management systems
US20080240128A1 (en) * 2007-03-30 2008-10-02 Elrod Craig T VoIP Security
US8295188B2 (en) * 2007-03-30 2012-10-23 Extreme Networks, Inc. VoIP security
US20080288776A1 (en) * 2007-05-17 2008-11-20 Estsoft Corp. Security method using virtual keyboard
US20150087227A1 (en) * 2007-07-20 2015-03-26 Broadcom Corporation Method and system for managing information among personalized and shared resources with a personalized portable device
US8990908B1 (en) * 2007-11-20 2015-03-24 West Corporation Multi-domain login and messaging
US8079066B1 (en) * 2007-11-20 2011-12-13 West Corporation Multi-domain login and messaging
US8615791B1 (en) * 2007-11-20 2013-12-24 West Corporation Multi-domain login and messaging
US20090165121A1 (en) * 2007-12-21 2009-06-25 Nvidia Corporation Touch Pad based Authentication of Users
US20090193503A1 (en) * 2008-01-28 2009-07-30 Gbs Laboratories Llc Network access control
WO2009097313A1 (en) * 2008-01-28 2009-08-06 Gbs Laboratories Llc Network access control
EP2237498A1 (en) * 2008-02-04 2010-10-06 Huawei Technologies Co., Ltd. A method, system, gateway device and authentication server for allocating multiservice resources
US20100299674A1 (en) * 2008-02-04 2010-11-25 Huawei Technologies Co., Ltd. Method, system, gateway device and authentication server for allocating multi-service resources
EP2237498A4 (en) * 2008-02-04 2011-02-23 Huawei Tech Co Ltd A method, system, gateway device and authentication server for allocating multiservice resources
US20090210935A1 (en) * 2008-02-20 2009-08-20 Jamie Alan Miley Scanning Apparatus and System for Tracking Computer Hardware
US20090325489A1 (en) * 2008-06-30 2009-12-31 Canon Kabushiki Kaisha Wireless communication apparatus, control method therefor, and storage medium storing control program therefor
US20100017525A1 (en) * 2008-07-16 2010-01-21 Ipass Inc. Electronic supply chain management
US8984150B2 (en) * 2008-07-16 2015-03-17 Ipass Inc. Electronic supply chain management
US20110167255A1 (en) * 2008-09-15 2011-07-07 Ben Matzkel System, apparatus and method for encryption and decryption of data transmitted over a network
US20110167121A1 (en) * 2008-09-15 2011-07-07 Ben Matzkel System, apparatus and method for encryption and decryption of data transmitted over a network
US20110167102A1 (en) * 2008-09-15 2011-07-07 Ben Matzkel System, apparatus and method for encryption and decryption of data transmitted over a network
US9002976B2 (en) 2008-09-15 2015-04-07 Vaultive Ltd System, apparatus and method for encryption and decryption of data transmitted over a network
US20110167107A1 (en) * 2008-09-15 2011-07-07 Ben Matzkel System, apparatus and method for encryption and decryption of data transmitted over a network
US8738683B2 (en) 2008-09-15 2014-05-27 Vaultive Ltd. System, apparatus and method for encryption and decryption of data transmitted over a network
US9444793B2 (en) 2008-09-15 2016-09-13 Vaultive Ltd. System, apparatus and method for encryption and decryption of data transmitted over a network
US9338139B2 (en) 2008-09-15 2016-05-10 Vaultive Ltd. System, apparatus and method for encryption and decryption of data transmitted over a network
US20110167129A1 (en) * 2008-09-15 2011-07-07 Ben Matzkel System, apparatus and method for encryption and decryption of data transmitted over a network
EP2184895A1 (en) * 2008-11-06 2010-05-12 Alcatel, Lucent Secure distributed network resource management
US20120066324A1 (en) * 2009-05-04 2012-03-15 Marcel Mampaey Method for Verifying a User Association, Intercepting Module and Network Node Element
US10958751B2 (en) * 2009-05-04 2021-03-23 Alcatel Lucent Method for verifying a user association, intercepting module and network node element
EP2491673A4 (en) * 2009-10-23 2016-09-14 Microsoft Technology Licensing Llc Authentication using cloud authentication
US20110137980A1 (en) * 2009-12-08 2011-06-09 Samsung Electronics Co., Ltd. Method and apparatus for using service of plurality of internet service providers
WO2011145096A1 (en) 2010-05-21 2011-11-24 Vaultive Ltd. System and method for controlling and monitoring access to data processing applications
US10313371B2 (en) 2010-05-21 2019-06-04 Cyberark Software Ltd. System and method for controlling and monitoring access to data processing applications
US11206600B2 (en) * 2012-05-25 2021-12-21 Comcast Cable Communications, Llc Wireless gateway supporting public and private networks
US11751122B2 (en) 2012-05-25 2023-09-05 Comcast Cable Communications, Llc Wireless gateway supporting public and private networks
US20220138290A1 (en) * 2019-03-18 2022-05-05 Qrypted Technology Pte Ltd Method and system for a secure transaction
US11354403B1 (en) * 2020-12-17 2022-06-07 PayJoy Inc. Method and system for remote management of access to appliances
CN112751735A (en) * 2021-01-04 2021-05-04 烽火通信科技股份有限公司 Method and device for realizing PPPoA function in broadband access equipment

Also Published As

Publication number Publication date
CA2296213A1 (en) 2001-07-07
US7921457B2 (en) 2011-04-05
CA2296213C (en) 2009-04-14
US20070005954A1 (en) 2007-01-04
US20090319777A1 (en) 2009-12-24
US7512784B2 (en) 2009-03-31

Similar Documents

Publication Publication Date Title
US7512784B2 (en) Distributed subscriber management system
US7649890B2 (en) Packet forwarding apparatus and communication bandwidth control method
US7389534B1 (en) Method and apparatus for establishing virtual private network tunnels in a wireless network
US8885539B2 (en) Configurable quality-of-service support per virtual access point (VAP) in a wireless LAN (WLAN) access device
US8484695B2 (en) System and method for providing access control
US6539431B1 (en) Support IP pool-based configuration
US7558863B1 (en) Support IP pool-based configuration
US8199760B2 (en) Peer to peer SVC-based DSL service
US8195950B2 (en) Secure and seamless wireless public domain wide area network and method of using the same
EP1878171B1 (en) Method for managing service bindings over an access domain and nodes therefor
US20020013844A1 (en) Service selection in a shared access network supporting quality of service
US20040177247A1 (en) Policy enforcement in dynamic networks
US7701953B2 (en) Client server SVC-based DSL service
US20060182123A1 (en) Method for aggregating data traffic over an access domain and nodes therefor
US20050041808A1 (en) Method and apparatus for facilitating roaming between wireless domains
US20040153556A1 (en) Connections on demand between subscribers and service providers
WO2004014045A1 (en) Service class dependant asignment of ip addresses for cotrolling access to an d delivery of e-sevices
CA2293989A1 (en) Distributed subscriber management
JP4776582B2 (en) Network system and aggregation device
AU2002233902B2 (en) A method and apparatus for transferring data packets in communication networks
Bernstein et al. Understanding PPPoE and DHCP
Balmer et al. Virtual Private Network and Quality of Service Management Implementation
AU2002233902A1 (en) A method and apparatus for transferring data packets in communication networks

Legal Events

Date Code Title Description
AS Assignment
Owner name: SEDONA NETWORKS CORPORATION, CANADA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SKEMER. TERRY;REEL/FRAME:011430/0950
Effective date: 20000203

AS Assignment
Owner name: TROPIC NETWORKS INC., CANADA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ERNST & YOUNG, INC., IN ITS CAPACITY AS TRUSTEE IN BANKRUPTCY OF SEDONA NETWORKS CORP.;REEL/FRAME:011927/0441
Effective date: 20010605

AS Assignment
Owner name: GATX/MM VENTURE PARTNERS, CANADA
Free format text: SECURITY AGREMENT;ASSIGNOR:TROPIC NETWORKS INC.;REEL/FRAME:012072/0617
Effective date: 20010712
Owner name: SILICON VALLEY BANK, DBA: SILICON VALLEY EAST, CAL
Free format text: SECURITY AGREMENT;ASSIGNOR:TROPIC NETWORKS INC.;REEL/FRAME:012072/0617
Effective date: 20010712
Owner name: TRANSAMERICA COMMERCIAL FINANCE CORPORATION, CANAD
Free format text: SECURITY AGREMENT;ASSIGNOR:TROPIC NETWORKS INC.;REEL/FRAME:012072/0617
Effective date: 20010712

AS Assignment
Owner name: TROPIC NETWORKS INC., CANADA
Free format text: RELEASE;ASSIGNOR:SILICON VALLEY BANK;REEL/FRAME:013803/0248
Effective date: 20030226

STCB Information on status: application discontinuation
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION