CA2296213C - Distributed subscriber management - Google Patents
Publication number: CA2296213C
Authority: CA (Canada)
Prior art keywords: user, network, networks, authentication, access
Legal status: Expired - Fee Related (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications:
- H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L12/2856: Access arrangements, e.g. Internet access (wide area networks, e.g. public data networks)
- H04L12/2874: Processing of data for distribution to the subscribers (remote access server, e.g. BRAS)
- H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
Abstract
A Distributed Subscriber Management system is disclosed which controls access to a network, preventing unauthorized traffic through the access network and providing centralized access control between User Networks. The system in accordance with the invention provides controlled access through the use of one of several technologies including user authentication, using PAP, CHAP, RADIUS, TACACS+, or other standard authentication means. The preferred system allows setup, maintenance, and tear-down of the user connection and allows users to choose their destination as opposed to tying a user to a single destination. The system also preferably provides for the administration of the assignment and release of network addresses. The invention also provides a Distributed Subscriber Management (DSM) method for performing user authentication for an external network at an access control node, which external network is connected to the access control node by means of an Access Network while the access control node is connected to a plurality of User Networks. The method includes the steps of receiving a connection request from a user located on one of the User Networks; interrogating the user for userid and password information; encrypting the userid and password information; transmitting the encrypted information, via the Access network, to an authentication server attached to one of a plurality of external networks; decrypting the information at the authentication server; and transmitting an authentication message from the authentication server of the external network to the access control node via the Access Network. The preferred method includes the additional step of challenging all data leaving the access control node. The authentication server of the external network normally employs one of Radius, PAP, CHAP, and TACACS or TACACS+.
Description
DISTRIBUTED SUBSCRIBER MANAGEMENT
Field of the Invention
This invention relates to the management of user access rights on networks, and is particularly concerned with the distribution of resources used to authenticate and authorize users while allowing for accounting activities on user access to provided facilities.
Background of the Invention
Distributed Subscriber Management (DSM) is a technology that performs several tasks, but is primarily used to verify the authorization of a user to move from a first network to another. Typically a user is challenged to provide this authorization, in the form of a userid and password, by a system residing at the gateway between the two networks. In the event that a user is denied access to the next portion of the network, all of that user's packets can be discarded. This scheme is common in the art. Although this authorization scheme does succeed in preventing unauthorized access, it allows unauthorized traffic to fully traverse the first network before it is discarded. This generates unnecessary traffic which is transmitted over the first network, consuming precious bandwidth.
Authorization for such schemes is provided through the use of systems like the Remote Authentication Dial-In User Service (RADIUS) protocol. RADIUS is a fully open protocol, distributed as source code, known in the art, which is a client/server system designed to prevent unauthorized access to networks. RADIUS clients run on network devices and send authentication requests to a central RADIUS server that contains both user authentication information and network access rights. RADIUS can be modified to work with any common security system. Common implementations for RADIUS include networks with multiple vendor access servers such as an Internet Protocol (IP) based network, where dial-in users can be authenticated through a RADIUS server customized to work with the KERBEROS security system, a common security system on UNIX-like computer networks. Other common implementations include networks in which a user is permitted access to a particular service. In this type of implementation a user could be restricted to a single utility, such as telnet, or a single server, or even a single protocol. This would permit RADIUS to identify a certain user as having access only to Point-to-Point-Protocol (PPP) using an IP address in a given range using only one service such as telnet or File Transfer Protocol (FTP).
An example of a known authentication scheme is depicted in Figure 1. Here different User Networks 5 are connected to an Access Network 4, which in turn has a RADIUS client at the other end. This RADIUS client 3 serves to ensure that only data with the correct authorization is allowed to go to the various ISP hosted networks 2a-2c. If a packet is not authorized it is discarded at the RADIUS client 3. To obtain the authorization, the RADIUS client 3 forms a connection to the RADIUS server 1 attached to the target ISP network which the packet is trying to enter. After forming this connection to the RADIUS server 1, the RADIUS client 3 can determine whether the user who initiated the packet transmission has authorization to transmit packets onto the target network. In such an implementation, the RADIUS client only controls access to the ISP hosted networks 2, while not controlling access to the Access Network 4, or between the User Networks 5. Thus, it is left to the administrators of the various User Networks 5 to ensure their own security and prevent admission of other User Networks 5 to systems to which they should not have access.
The unnecessary unauthorized traffic penetrating the Access Network 4 is problematic if there are restrictions on the available bandwidth, or if traffic is heavy. It would be desirable to stop this traffic as it enters the originating network, so as to eliminate loading problems. Moreover, the lack of centralized access control between the User Networks 5 is also undesirable.
One system addressing the problem of unnecessary traffic has been offered by Cisco Systems in the form of their Authentication, Authorization and Accounting (AAA) software. AAA acts to verify the authorization of a packet to enter an external network prior to entry of the packet into the access network. However, in order to offer this service, an AAA client can only be attached to one User Network, since when multiple User Networks are connected to the same AAA client, one User Network could, without challenge by the AAA system, gain access to another User Network connected to the same AAA system. An example of an implementation known in the art and using AAA is found in Figure 2. In that implementation, RADIUS Servers 1 are attached to ISP networks 2a-2c; a multitude of such networks are, in turn, connected to an Access Network 4. The Access Network 4 connects to a multitude of ISP User Networks 5a-5c through AAA routed systems 6. Each ISP User Network 5a-5c has its own AAA routed system 6, thus preventing one ISP User Network 5a, 5b, or 5c from gaining access to another ISP User Network 5a, 5b, or 5c. The AAA system 6 is used to verify the authorization of the packets with the RADIUS Server 1, and will discard any user packets that do not have the correct authorization. Unfortunately this requires a different AAA system 6 for each ISP User Network 5a-5c that is connected to the Access Network 4, which can greatly add to the cost of a network.
Alternatives to RADIUS do exist, providing DSM systems with the option of implementing another type of security system. One of the alternatives to RADIUS is Terminal Access Controller Access Control System (TACACS). Three distinct versions of TACACS exist. The first is TACACS, which was the original product that provided password checking and authentication, as well as notification of user actions for security and accounting purposes. This original system is now considered obsolete. The second version is Extended TACACS, which is an extension to the older TACACS protocol that provides protocol translator and router information that can be used in UNIX-like systems for audit trails and accounting files. Extended TACACS is also now considered to be obsolete. TACACS+ is a recent protocol that provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through Authentication, Authorization and Accounting (AAA) and can be enabled only through AAA commands. A full description of the implementation of TACACS+ can be found in a draft Request For Comment (RFC) 1492. PPP is used to carry IP over dial configurations and supports both Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) as methods of password transfer. PPP has been modified to support numerous always-on access technologies including PPP over ATM (PPPoA), PPP over Frame Relay (PPPoF), and PPP over Ethernet (PPPoE).
With the creation of Competitive Local Exchange Carriers (CLECs) it is common to find a company which is delivering telephony over packet based networks and supplying clients with data based services. In addition, if there are two clients in close physical proximity to each other, it would be advantageous to connect them to a common access network so that there is a single connection to the ISP. However, this single connection to the ISP is only feasible if a stronger user authorization scheme is implemented. Thus, a need exists in the art for an improved user authentication and authorization system.
Summary of the Invention
It is an object of this invention to provide a Distributed Subscriber Management system which controls access to a network, preventing unauthorized traffic through the access network and providing centralized access control between User Networks. The system in accordance with the invention provides controlled access through the use of one of several technologies including user authentication, using PAP, CHAP, RADIUS, TACACS+, or other standard authentication means.
It is yet another object to provide a DSM system which allows setup maintenance, and tear-down of the user connection.
It is a further object of the invention to provide a DSM system allowing users to choose their destination as opposed to tying a user to a single destination.
In still another object of the invention, the DSM system of the invention provides for the administration of the assignment and release of network addresses.
The DSM system of the invention preferably allows for at least one of several technologies including facilities for the enforcement of service levels as defined in Service Level Agreements, facilities for resource management and facilities for billing by a service provider through the collection of statistics and accounting data.
Moreover, the system of the invention preferably alerts service providers of system problems through the use of alarm reporting.
Accordingly, the invention provides a Distributed Subscriber Management (DSM) method for performing user authentication for an external network at an access control node, the external network being connected to the access control node by means of an Access Network and the access control node being connected to a plurality of User Networks, the method comprising the steps of:
a. receiving a connection request from a user located on one of the User Networks;
b. interrogating the user for userid and password information;
c. encrypting the userid and password information;
d. transmitting the encrypted information, via the Access network, to an authentication server attached to one of a plurality of external networks;
e. decrypting the information at the authentication server; and
f. transmitting an authentication message from the authentication server of the external network to the access control node via the Access Network.
In a preferred embodiment, the DSM method includes the additional step of:
g. challenging all data leaving the access control node.
In another preferred embodiment, the authentication server of the external network employs one of Radius, PAP, CHAP, and TACACS or TACACS+.
In yet a further preferred embodiment, the DSM method of the invention includes the following additional steps:
h. if the message is ACCEPT, the packets generated by the requesting user for transmission to the external network are allowed into the Access Network for transmittal to the external network;
i. if the message is REJECT, the requesting user either has his/her packets for transmission to the external network rejected, or is reinterrogated for userid and password information so that the process in claim 1 can be restarted at step c;
j. if the message is CHALLENGE, the requesting user is requested to provide more information to prove access rights to the external network; and
k. if the message is CHANGE PASSWORD, the requesting user is requested to select a new password.
The preferred embodiment of the Integrated Access Device in accordance with the invention provides all necessary AAA functions allowing service providers to eliminate an extra box in their network.
AAA is performed at the ingress edge of the access network rather than the egress edge.
Thus, injection of packets by malicious users into the access network is substantially prevented. This provides increased denial-of-service protection of the entire access network as well as ISP Intranets. This reduces unauthorized traffic on the access network and allows service providers to offer guaranteed bandwidth through enforcement.
The invention further provides an Integrated Access Device including a plurality of authorization clients;
a) a plurality of connection set up devices;
b) a plurality of connection maintenance devices;
c) a plurality of connection teardown devices;
d) means for the administration of network address assignment and release for a plurality of user networks;
e) means for enforcing service levels.
In a preferred embodiment of the IAD the following elements may also be included:
f) means for managing resources;
g) means for collecting usage statistics; and
h) means for alarm monitoring.
With the Integrated Access Device in accordance with the invention, subscribers can `roam' throughout the access network with the authentication being performed the same way each time from any access point. The Integrated Access Device of the invention is scalable with substantially no practical limit to the number of subscribers. The RADIUS server implementation will impose restrictions on the number of users before DSM.
The IAD preferably does not change the complexion or fan-out capabilities of the Service Internetworking Platform (SIP) and preferably allows the SIP to concentrate on the efficient movement of voice and data.
Use of the DSM method and IAD aspects of the invention lowers protocol overhead across the access network (no additional PPPoE or L2TP protocol overhead) and does not impact Voice QoS or Traffic Management.
The IAD of the invention fits substantially seamlessly and painlessly into existing ISP/CLEC AAA paradigms, obviating the need for the service providers to change their operational model.
Brief Description of the Drawings
The invention will now be described in more detail by way of example only and with reference to the attached drawings, wherein
Figure 1 is a schematic diagram of an authentication scheme known in the art;
Figure 2 is a schematic diagram of another authentication scheme known in the art;
Figure 3 is a schematic illustration of the preferred authorization system in accordance with the invention; and
Figure 4 is a schematic illustration of an application of the preferred DSM system of the invention in a mixed voice/data environment.
Detailed Description of the Invention
Glossary of Terms
DSM Distributed Subscriber Management
RADIUS Remote Authentication Dial-In User Service
IP Internet Protocol
PPP Point-to-Point Protocol
FTP File Transfer Protocol
TACACS Terminal Access Controller Access Control System
AAA Authentication, Authorization, Accounting
PAP Password Authentication Protocol
CHAP Challenge Handshake Authentication Protocol
PPPoA PPP over ATM
ATM Asynchronous Transfer Mode
PPPoE PPP over Ethernet
PPPoF PPP over Frame Relay
CLEC Competitive Local Exchange Carrier
ISP Internet Service Provider
IAD Integrated Access Device
QoS Quality of Service
VPN Virtual Private Network
ISDN Integrated Services Digital Network
UDP/IP User Datagram Protocol/Internet Protocol
L2TP IP over PPP over UDP/IP
L2F IP over PPP over IP
IPSec Secure Internet Protocol
VPN IP over PPP over IPSec
BootP Boot Protocol
DHCP Dynamic Host Configuration Protocol
SNMP Simple Network Management Protocol
CLI Command Line Interface
MAC Media Access Control
SIP Service Interworking Platform
In order to provide secure Distributed Subscriber Management (DSM) in an efficient manner so as to allow multiple end user networks to co-exist with a single connection to the central network, while providing security to those users, it is necessary to consider various aspects of DSM, including:
- location of functionality
- user authentication
- efficient method of transport
- secure dialogue
- concentration and scalability
- customer ease-of-use
- IP address assignment
- bandwidth management
- accounting/billing
- multiple ISP selection
- VPN capability
The location of the functionality is of importance so that traffic can be reduced by eliminating packets without sufficient permission before they travel to the service provider. It is the major concept of the DSM method of the invention that the subscriber management functionality is located at an access control node at the customer premise end of the access network. In the preferred embodiment, this functionality is provided by the Integrated Access Device (IAD). The DSM method of the invention preferably takes the subscriber functionality and distributes it across many IADs instead of centralizing it at the Service Provider.
The primary function of the DSM method is user authentication. DSM is a method of verifying that the user is authorized to use network resources or to access certain applications. At session start-up, the user is challenged to provide a user identifier (name or userid) and password. The authentication challenge can be one-time at session start-up, can be issued periodically, or can be issued upon session-timeout or interruption, at the discretion of the network administrators.
The operation of the preferred embodiment of the invention is apparent from Figures 3 and 4. Figure 3 depicts an exemplary network using the current invention. Here a RADIUS Server 1 is connected through an ISP 2 to an Access Network 4. At the opposite end of the Access Network 4 is an Integrated Access Device 7.
Internal to the Integrated Access Device (IAD) 7 is a RADIUS client 3. The IAD 7 is placed between the Access Network 7 and a plurality of User Networks 5. This allows the RADIUS Client 3 in the IAD 7 to authorize all packets leaving the User Networks 5 before they traverse the Access Network 4. In addition, due to the manner in which the IAD is designed, all traffic leaving the IAD is challenged for authorization, thus different User Networks 5 cannot inadvertently gain access to each other.
Figure 4 depicts an exemplary embodiment of the invention being used in a mixed data/voice environment, where each of the different ISP networks requires its own set of authorizations. Here both Voice Networks 8 and ISP data networks 2 are connected to an SIP 9. The ISP networks 2 transmit and receive data signals, while the voice networks 8 transmit and receive voice messages. Each ISP network 2 has its own RADIUS Server 1 internal to the network. The SIP 9 is connected to both the Voice networks 8 and the ISP networks 2 and provides them access to the Access Network 4. The Access Network is connected to the IAD 7, which has a plurality of RADIUS clients 3 internal to it. The IAD 7 allows the Access Network 4 to communicate with the telephony networks 11 and the User Devices 10. The IAD's plurality of RADIUS Clients 3 each establish a client/server relationship with one of the RADIUS Servers 1 so that they may perform AAA services on the packets that arise from both the telephony networks 11 and the User Devices 10.
Upon receiving a packet from a user, the source Media Access Control (MAC) and/or IP address is verified in the IAD Forward Table against a list of authorized users. If authorized, the user packet is marked by a packet labelling system, sent across the access network to the egress edge and then forwarded to the destination provider.
Session/interface states and statistics on session duration, number of packets/bytes sent/received and so on, are collected by the IAD and forwarded to the operator upon Command Line Interface (CLI) or Simple Network Management Protocol (SNMP) request.
If a particular user is not authorized to use a provider's domain, the IAD challenges the user based on information received from the provider's RADIUS server. The user enters their User ID and password, which is forwarded to the RADIUS server by the IAD. The server will respond with an IP address (if not already statically assigned).
Once authenticated, the user data is allowed to flow through the access network and SIP to the destination provider. The flow between the IAD and the service provider consists of pure IP datagrams, marked by a packet labelling system, without any of the additional tunnel overhead incurred when using PPPoE or L2TP.
The IAD DSM module is responsible for authentication, authorization and accounting as well as interacting with the user across the user dialogue protocol (e.g., PPPoE, L2TP, etc.). It processes user IDs/passwords and builds a table of authorized user-to-Domain mappings which is consulted for each incoming packet. The table is partly constructed with information from the provider's RADIUS server.
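The Forward Table lookup, the per-session statistics and the "all traffic leaving the IAD is challenged" behaviour described in the paragraphs above are modelled in the following Python example. It is an added illustration, not code from the patent or from any IAD product: entries are keyed on source MAC and IP, each holds the one provider domain the user was accepted for plus packet/octet counters, and `decide()` is the per-packet check at the ingress edge. Unknown sources are held for an authentication challenge, sources bound to a different domain are dropped before they reach the access network, and everything else is marked with a label for the egress edge. Class and method names, the domain names, the MAC/IP values and the packet trace are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    src_mac: str
    src_ip: str
    dst_domain: str   # destination provider (ISP or another User Network); hypothetical naming
    length: int       # octets, feeds the per-session byte counter


@dataclass
class Session:
    user: str
    domain: str       # the single domain this user was ACCEPTed for
    packets: int = 0
    octets: int = 0


class ForwardTable:
    """Authorized user-to-domain mappings kept by the IAD, keyed on source MAC and IP."""

    def __init__(self):
        self._entries = {}  # (src_mac, src_ip) -> Session

    def authorize(self, src_mac, src_ip, user, domain):
        # Populated from the provider's RADIUS server answer (step h: ACCEPT).
        self._entries[(src_mac, src_ip)] = Session(user, domain)

    def release(self, src_mac, src_ip):
        # Connection tear-down: the binding is removed, so a later user of the same
        # address has to authenticate again. Returns True if an entry existed.
        return self._entries.pop((src_mac, src_ip), None) is not None

    def decide(self, pkt):
        """Per-packet check at the ingress edge. Returns (action, label)."""
        sess = self._entries.get((pkt.src_mac, pkt.src_ip))
        if sess is None:
            # Unknown source: nothing enters the access network; the user is challenged.
            return ("challenge", None)
        if sess.domain != pkt.dst_domain:
            # Authorized, but for a different domain: dropped here, so one User Network
            # cannot reach another through the IAD without its own authorization.
            return ("drop", None)
        sess.packets += 1
        sess.octets += pkt.length
        return ("forward", f"label:{sess.domain}")  # marking is undone at the egress edge

    def stats(self):
        """What the IAD would report on CLI/SNMP request: counters per live session."""
        return {s.user: (s.packets, s.octets) for s in self._entries.values()}


def run_trace():
    """Constructed trace: two User Networks behind one IAD, each accepted for a different ISP."""
    table = ForwardTable()
    table.authorize("00:11:22:33:44:01", "10.0.1.10", "alice", "isp-a.example")
    table.authorize("00:11:22:33:44:02", "10.0.2.10", "bob", "isp-b.example")
    trace = [
        Packet("00:11:22:33:44:01", "10.0.1.10", "isp-a.example", 1500),  # alice -> her ISP
        Packet("00:11:22:33:44:01", "10.0.1.10", "isp-b.example", 64),    # alice -> bob's ISP
        Packet("00:11:22:33:44:99", "10.0.3.10", "isp-a.example", 64),    # never authenticated
        Packet("00:11:22:33:44:02", "10.0.2.10", "isp-b.example", 500),   # bob -> his ISP
        Packet("00:11:22:33:44:02", "10.0.1.10", "isp-a.example", 64),    # bob's MAC with alice's IP
    ]
    decisions = [table.decide(p)[0] for p in trace]
    table.release("00:11:22:33:44:02", "10.0.2.10")   # bob's connection torn down
    after_release = table.decide(trace[3])[0]          # same packet as before: challenged again
    return decisions, after_release, table.stats()
```

Because the key is the source MAC/IP pair, a binding is only as trustworthy as the interface it was learned on: in a real IAD the entry would also record the physical port or user dialogue session it belongs to, and be released at tear-down exactly as `release()` does, so the same addresses appearing elsewhere do not inherit an accepted session.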
An efficient method of transport allows the reduction of data carried over the network starting at the user device, flowing towards the IAD and then on to the destination network. There are many methods of carrying user sessions from user device to the IAD.
Methods known in the art include the numerous encapsulation choices for transporting user data including: IP over PPP over dial-up; IP over PPP over ISDN; IP over PPP over ethernet (PPPoE); IP over PPP over Frame Relay (PPPoF); IP over PPP over ATM (PPPoA); IP over PPP over UDP/IP (L2TP); IP over PPP over IP (L2F); IP over PPP over IPSec (VPN); as well as any number of proprietary encapsulation techniques. As is apparent, what the public, or non-proprietary, methods share is the use of PPP to carry subscriber management information. Traditionally these methods have been used to transport the user PPP session across the access network. This contributes significantly to the protocol overhead in the process and increases traffic across the Access Network. In the preferred embodiment, this invention uses the PPPoE or L2TP protocols between the IAD and user device. These protocols do not extend over the access network, thus reducing the overhead that these techniques apply to the packets.
The IAD is charged with performing user authentication and communicates with the RADIUS server becoming in effect a RADIUS client. If the IAD supports multiple destination networks (i.e., multiple Virtual Private Networks), then multiple RADIUS
clients must be supported: one for each network. The communication of authentication information across the access network 4 must be secured to avoid the discovery of user names and passwords through the use of simple snooping techniques. Thus to provide secure dialogue security transactions between the IAD RADIUS client and RADIUS
server are authenticated through the use of a shared secret, which is never sent over the network. All user passwords are encrypted using industry standard encryption technologies, such as MD5, when sent between the client and RADIUS server, to eliminate the possibility of password compromise.
In the event that data packets are accidentally released to the wrong network it is essential that a data security system is preferably implemented so as to prevent these errant packets from being decoded. Numerous techniques of packet labelling can be applied to solve this so that packets that are not intended for a given network are never read by it. A
packet labelling scheme that can render a packet illegible to foreign IP
devices while in transit across the access network, while at the same time introducing no overhead is preferred for use with this invention. This packet marking process must be undone at the egress edge of the access network so that IP packets can be restored for delivery to the ISP or corporate router.
The preferred embodiment of the invention as described so far can be considered both scalable and concentrated. A high concentration of users is considered important for the service provider to make a viable business case. In today's world of cut-rate Internet access, service providers must groom many hundreds or thousands of subscribers onto one high-speed IP stream. The ISP or corporate router cannot be troubled with managing these many user sessions while trying to route incoming IP packets at say, DS3 (45Mbps) or 0C3 (155 Mbps) wire rate.
Scalability is a potential problem for products that perform subscriber management in a box located at the ISP end of the access network. This has been addressed with the present invention, where subscriber management is preferably distributed across multiple IADs, each IAD only having to manage at most, 1 or 2 dozen subscribers. This means that if a given subscriber increases their load, and requires more resources at the IAD it is possible to upgrade a single unit that effects a small part of the user base as opposed to upgrading a centralized unit and inconveniencing all users of the system during the upgrade process.
With DSM, the user has a procedure whose simplicity is comparable to the one used for dial-up access. RADIUS follows a client-server operational model. A Network Access Server (NAS), Remote Access Server (RAS), or the like, operates as a client of RADIUS.
The client is responsible for passing user information to designated RADIUS
servers, and then acting on the response that is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user. A
RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.
RADIUS is carried in UDP (Port number 1812 decimal) and IP. At times, the source IP
address field in client requests is zeroes since the client may not yet have an address.
When a user attempts to login, the following steps occur to authenticate the user with RADIUS:
1. The user is prompted for and enters a username and password.
2. The username and encrypted password are sent over the network to the RADIUS
server.
3. The user receives one of the following responses from the RADIUS server:
ACCEPT (The user is authenticated) REJECT (The user is not authenticated and is prompted to reenter the username and password, or access is denied) CHALLENGE (A challenge is issued by the RADIUS server to collect additional data from the user) CHANGE PASSWORD (A request is issued by the RADIUS server, asking the user to select a new password) RADIUS authentication must be performed before RADIUS authorization. The ACCEPT
or REJECT response contains additional data that is used for EXEC or network authorization. The additional data included with the ACCEPT or REJECT packets consists of services that the user can access, including Telnet, rlogin, PPP, FTP, EXEC
services, or connection parameters, including the host or client IP address, access list, and user timeouts.
User IP addresses can be statically provisioned or dynamically assigned using RADIUS
or the like. In RADIUS, the ACCEPT or REJECT response contains the host or client IP
address, access list, and user timeouts. Upon a user timeout, the user may be disconnected and if dynamically assigned, the IP address is returned to a pool of available addresses.
BootP, DHCP, and TACACS+ can also be used to dynamically assign IP addresses to users but these protocols are less common than RADIUS.
Normally, a pool or group of addresses are pre-assigned by a network administrator and given out by the RADIUS server as users sign-on to the service provider.
Typically used to oversubscribe IP addresses, a pool allows many clients to share a small number of IP
addresses based on usage and contention patterns.
The Boot Protocol (BootP) is a UDP-serviced protocol that can be IP-routed to a BootP
address server. Through the BootP protocol, the server can do many functions including IP address assignment, bootstrapping, operating system loading, desktop configuration, and hardware/interface configuration. BootP cannot completely replace RADIUS
as a subscriber management protocol. Dynamic Host Configuration Protocol (DHCP) is a newer alternative to BootP and possesses all the capabilities of BootP. As a rule, any BootP relay Agent (e.g., in a router or gateway) will work with DHCP. As with BootP, DHCP cannot completely replace RADIUS as a subscriber management protocol.
With the preferred embodiment of this invention, subnet and mask information are tied to a Domain which appears as a logical RAS module. IP host numbers can then be dynamically assigned to users as they connect.
The DSM system in accordance with the invention allows providers to sell services based on guaranteed bit rates by allocating discrete bandwidth levels to individual users and enforcing the bandwidth through bandwidth management techniques.
Service providers require resource accounting to bill users or to prove service levels have been met by the network/system. A service provider is likely to use RADIUS
access control and accounting software defined by RFC 2139 to meet these special needs.
RADIUS accounting is independent of RADIUS authentication or authorization.
RADIUS accounting allows reports to be sent at the start and end of services, indicating the amount of resources (e.g. session duration, data transferred, etc.) used during the session. It is possible for an ISP to use Simple Network Management Protocol (SNMP)-based statistics collected by the IAD for the above purposes. An SNMP
management station periodically `polls' the IAD SNMP agent to upload the accumulated statistics.
Neither of these technologies is incompatible with the implementation described.
The present invention provides for the ability of a client network to select from a number of ISPs. Multiple ISP selection has not traditionally been regarded as an ability of networks but is now seen as a necessary feature for products providing access network services. The user has the capability of switching between destination ISPs or corporations via the DSM service.
Through the implementation of both this invention and a secure packet labelling system it is possibile to enable Virtual Private Networking. Once authenticated by DSM
and marked by the packet labelling, packets are secure until they reach the egress interface of the network.
The preceeding discussion of the application of the invention should be seen as exemplary in nature and should not be considered to limit the scope of the invention to the particular embodiments described.
over Frame Relay (PPPoF), and PPP over Ethernet (PPPoE).
With the creation of Competitive Local Exchange Carriers (CLECs) it is common to find a company which is delivering telephony over packet-based networks and supplying clients with data-based services. In addition, if there are two clients in close physical proximity to each other, it would be advantageous to connect them to a common access network so that there is a single connection to the ISP. However, this single connection to the ISP is only feasible if a stronger user authorization scheme is implemented. Thus, a need exists in the art for an improved user authentication and authorization system.
Summary of the Invention
It is an object of this invention to provide a Distributed Subscriber Management system which controls access to a network, preventing unauthorized traffic through the access network and providing centralized access control between User Networks. The system in accordance with the invention provides controlled access through the use of one of several technologies including user authentication, using PAP, CHAP, RADIUS, TACACS+, or other standard authentication means.
It is yet another object to provide a DSM system which allows setup, maintenance, and tear-down of the user connection.
It is a further object of the invention to provide a DSM system allowing users to choose their destination as opposed to tying a user to a single destination.
In still another object of the invention, the DSM system of the invention provides for the administration of the assignment and release of network addresses.
The DSM system of the invention preferably allows for at least one of several technologies including facilities for the enforcement of service levels as defined in Service Level Agreements, facilities for resource management and facilities for billing by a service provider through the collection of statistics and accounting data.
Moreover, the system of the invention preferably alerts service providers of system problems through the use of alarm reporting.
Accordingly, the invention provides a Distributed Subscriber Management (DSM) method for performing user authentication for an external network at an access control node, the external network being connected to the access control node by means of an Access Network and the access control node being connected to a plurality of User Networks, the method comprising the steps of:
a. receiving a connection request from a user located on one of the User Networks;
b. interrogating the user for userid and password information;
c. encrypting the userid and password information;
d. transmitting the encrypted information, via the Access Network, to an authentication server attached to one of a plurality of external networks;
e. decrypting the information at the authentication server; and
f. transmitting an authentication message from the authentication server of the external network to the access control node via the Access Network.
In a preferred embodiment, the DSM method includes the additional step of g) challenging all data leaving the access control node.
In another preferred embodiment, the authentication server of the external network employs one of RADIUS, PAP, CHAP, and TACACS or TACACS+.
In yet a further preferred embodiment, the DSM method of the invention includes the following additional steps:
h. if the message is ACCEPT the packets generated by the requesting user, for transmission to the external network, are allowed into the Access Network for transmittal to the external network;
i. if the message is REJECT the requesting user either has his/her packets, for transmission to the external network, rejected or is reinterrogated for userid and password information so that the process in claim 1 can be restarted at step c;
j. if the message is CHALLENGE the requesting user is requested to provide more information to prove access rights to the external network; and
k. if the message is CHANGE PASSWORD the requesting user is requested to select a new password.
The preferred embodiment of the Integrated Access Device in accordance with the invention provides all necessary AAA functions allowing service providers to eliminate an extra box in their network.
AAA is performed at the ingress edge of the access network rather than the egress edge.
Thus, injection of packets by malicious users into the access network is substantially prevented. This provides increased denial-of-service protection of the entire access network as well as ISP Intranets. This reduces unauthorized traffic on the access network and allows service providers to offer guaranteed bandwidth through enforcement.
The invention further provides an Integrated Access Device including a plurality of authorization clients;
a) a plurality of connection set up devices;
b) a plurality of connection maintenance devices;
c) a plurality of connection teardown devices;
d) means for the administration of network address assignment and release for a plurality of user networks;
e) means for enforcing service levels;
In a preferred embodiment of the IAD the following elements may also be included:
f) means for managing resources;
g) means for collecting usage statistics; and
h) means for alarm monitoring.
With the Integrated Access Device in accordance with the invention, subscribers can 'roam' throughout the access network with the authentication being performed the same way each time from any access point. The Integrated Access Device of the invention is scalable, with substantially no practical limit to the number of subscribers. The RADIUS server implementation will impose restrictions on the number of users before DSM does.
The IAD preferably does not change the complexion or fan-out capabilities of the Service Internetworking Platform (SIP) and preferably allows the SIP to concentrate on the efficient movement of voice and data.
Use of the DSM method and IAD aspects of the invention lowers protocol overhead across the access network (no additional PPPoE or L2TP protocol overhead) and does not impact Voice QoS or Traffic Management.
The IAD of the invention fits substantially seamlessly and painlessly into existing ISP/CLEC AAA paradigms, obviating the need for the service providers to change their operational model.
Brief Description of the Drawings
The invention will now be described in more detail by way of example only and with reference to the attached drawings, wherein
Figure 1 is a schematic diagram of an authentication scheme known in the art;
Figure 2 is a schematic diagram of another authentication scheme known in the art;
Figure 3 is a schematic illustration of the preferred authorization system in accordance with the invention; and
Figure 4 is a schematic illustration of an application of the preferred DSM system of the invention in a mixed voice/data environment.
Detailed Description of the Invention
Glossary of Terms
DSM Distributed Subscriber Management
RADIUS Remote Authentication Dial-In User Service
IP Internet Protocol
PPP Point-to-Point Protocol
FTP File Transfer Protocol
TACACS Terminal Access Controller Access Control System
AAA Authentication, Authorization, Accounting
PAP Password Authentication Protocol
CHAP Challenge Handshake Authentication Protocol
PPPoA PPP over ATM
ATM Asynchronous Transfer Mode
PPPoE PPP over Ethernet
PPPoF PPP over Frame Relay
CLEC Competitive Local Exchange Carrier
ISP Internet Service Provider
IAD Integrated Access Device
QoS Quality of Service
VPN Virtual Private Network
ISDN Integrated Services Digital Network
UDP/IP User Datagram Protocol/Internet Protocol
L2TP IP over PPP over UDP/IP
L2F IP over PPP over IP
IPSec Secure Internet Protocol
VPN IP over PPP over IPSec
BootP Boot Protocol
DHCP Dynamic Host Configuration Protocol
SNMP Simple Network Management Protocol
CLI Command Line Interface
MAC Media Access Control
SIP Service Interworking Platform
In order to provide secure Distributed Subscriber Management (DSM) in an efficient manner so as to allow multiple end user networks to co-exist with a single connection to the central network, while providing security to those users, it is necessary to consider various aspects of DSM, including:
location of functionality
user authentication
efficient method of transport
secure dialogue
concentration and scalability
customer ease-of-use
IP address assignment
bandwidth management
accounting/billing
multiple ISP selection
VPN capability
The location of the functionality is of importance so that traffic can be reduced by eliminating packets without sufficient permission before they travel to the service provider. It is the major concept of the DSM method of the invention that the subscriber management functionality is located at an access control node at the customer premises end of the access network. In the preferred embodiment, this functionality is provided by the Integrated Access Device (IAD). The DSM method of the invention preferably takes the subscriber functionality and distributes it across many IADs instead of centralizing it at the Service Provider.
The primary function of the DSM method is user authentication. DSM is a method of verifying that the user is authorized to use network resources or to access certain applications. At session start-up, the user is challenged to provide a user identifier (name or userid) and password. The authentication challenge can be one-time at session start-up, can be issued periodically, or can be issued upon session-timeout or interruption, at the discretion of the network administrators.
The operation of the preferred embodiment of the invention is apparent from Figures 3 and 4. Figure 3 depicts an exemplary network using the current invention. Here a RADIUS Server 1 is connected through an ISP 2 to an Access Network 4. At the opposite end of the Access Network 4 is an Integrated Access Device 7.
Internal to the Integrated Access Device (IAD) 7 is a RADIUS client 3. The IAD 7 is placed between the Access Network 4 and a plurality of User Networks 5. This allows the RADIUS Client 3 in the IAD 7 to authorize all packets leaving the User Networks 5 before they traverse the Access Network 4. In addition, due to the manner in which the IAD is designed, all traffic leaving the IAD is challenged for authorization; thus different User Networks 5 cannot inadvertently gain access to each other.
Figure 4 depicts an exemplary embodiment of the invention being used in a mixed data/voice environment, where each of the different ISP networks requires its own set of authorizations. Here both Voice Networks 8 and ISP data networks 2 are connected to an SIP 9. The ISP networks 2 transmit and receive data signals, while the voice networks 8 transmit and receive voice messages. Each ISP network 2 has its own RADIUS Server 1 internal to the network. The SIP 9 is connected to both the Voice networks 8 and the ISP networks 2 and provides them access to the Access Network 4. The Access Network is connected to the IAD 7, which has a plurality of RADIUS clients 3 internal to it. The IAD 7 allows the Access Network 4 to communicate with the telephony networks 11 and the User Devices 10. The IAD's plurality of RADIUS Clients 3 each establish a client/server relationship with one of the RADIUS Servers 1 so that they may perform AAA services on the packets that arise from both the telephony networks 11 and the User Devices 10.
Upon receiving a packet from a user, the source Media Access Control (MAC) and/or IP address is verified in the IAD Forward Table against a list of authorized users. If authorized, the user packet is marked by a packet labelling system, sent across the access network to the egress edge and then forwarded to the destination provider.
Session/interface states and statistics on session duration, number of packets/bytes sent/received and so on, are collected by the IAD and forwarded to the operator upon Command Line Interface (CLI) or Simple Network Management Protocol (SNMP) request.
If a particular user is not authorized to use a provider's domain, the IAD challenges the user based on information received from the provider's RADIUS server. The user enters their User ID and password, which is forwarded to the RADIUS server by the IAD. The server will respond with an IP address (if not already statically assigned).
Once authenticated, the user data is allowed to flow through the access network and SIP to the destination provider. The flow between the IAD and the service provider consists of pure IP datagrams, marked by a packet labelling system, without any of the additional tunnel overhead incurred when using PPPoE or L2TP.
The IAD DSM module is responsible for authentication, authorization and accounting as well as interacting with the user across the user dialogue protocol (e.g., PPPoE, L2TP, etc.). It processes user IDs/passwords and builds a table of authorized user-to-Domain mappings which is consulted for each incoming packet. The table is partly constructed with information from the provider's RADIUS server.
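The per-packet check described in the paragraphs above (source MAC/IP looked up in the forward table, the authorized user-to-Domain mapping, per-session counters reported on CLI or SNMP request, and the rule that one User Network must never reach another Domain), carried through as an added Python example. This is not the patent's code nor any product's; the table layout, the three decisions (forward, challenge, drop), the session TTL, and the sample MAC addresses, IP addresses and Domain names are all constructed for illustration. The packet labelling step is left abstract because the page does not specify a labelling scheme.

```python
import time
from dataclasses import dataclass


@dataclass
class Session:
    """One authorized user-to-Domain mapping held in the IAD forward table (constructed layout)."""
    mac: str
    ip: str
    domain: str       # destination network (ISP or corporate) the user authenticated to
    expires: float    # clock value after which the user must be challenged again
    packets: int = 0  # per-session counters, reported on CLI/SNMP request
    octets: int = 0


class ForwardTable:
    """Per-packet admission check at the ingress edge, keyed on source MAC and IP."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}  # (mac, ip) -> Session

    def admit(self, mac, ip, domain, ttl):
        """Record the mapping once the Domain's RADIUS server has answered ACCEPT."""
        self._sessions[(mac.lower(), ip)] = Session(mac.lower(), ip, domain, self._clock() + ttl)

    def _purge_expired(self):
        now = self._clock()
        for key in [k for k, s in self._sessions.items() if s.expires <= now]:
            del self._sessions[key]

    def check(self, pkt):
        """Decide one packet: 'forward' to its Domain, 'challenge' an unknown or expired
        source (re-authenticate it), or 'drop' a packet aimed at a Domain this user
        was not admitted to. Both MAC and IP must match the same session."""
        self._purge_expired()
        session = self._sessions.get((pkt["src_mac"].lower(), pkt["src_ip"]))
        if session is None:
            return "challenge"
        if session.domain != pkt["dst_domain"]:
            return "drop"
        session.packets += 1
        session.octets += pkt["length"]
        return "forward"

    def stats(self):
        """Snapshot of the per-session counters, as an SNMP poll of the IAD agent would collect."""
        return {(s.mac, s.ip): (s.domain, s.packets, s.octets) for s in self._sessions.values()}


def run_forward_table_sample():
    """Drive the table with constructed traffic; returns (decisions, stats)."""
    now = [0.0]
    table = ForwardTable(clock=lambda: now[0])
    table.admit("00:11:22:33:44:55", "10.1.0.2", "isp-a.example", ttl=600)
    table.admit("00:11:22:33:44:66", "10.2.0.2", "corp-b.example", ttl=60)
    samples = [  # (time, constructed packet summary)
        # authorized user, correct Domain -> forward
        (1.0, {"src_mac": "00:11:22:33:44:55", "src_ip": "10.1.0.2", "dst_domain": "isp-a.example", "length": 1200}),
        # same user aimed at another User Network's Domain -> drop
        (2.0, {"src_mac": "00:11:22:33:44:55", "src_ip": "10.1.0.2", "dst_domain": "corp-b.example", "length": 64}),
        # source never authenticated -> challenge
        (3.0, {"src_mac": "00:11:22:33:44:77", "src_ip": "10.1.0.9", "dst_domain": "isp-a.example", "length": 64}),
        # known MAC but another subscriber's IP -> no matching session -> challenge
        (4.0, {"src_mac": "00:11:22:33:44:55", "src_ip": "10.2.0.2", "dst_domain": "isp-a.example", "length": 64}),
        # second user's session timed out at t=60 -> challenge
        (61.0, {"src_mac": "00:11:22:33:44:66", "src_ip": "10.2.0.2", "dst_domain": "corp-b.example", "length": 500}),
    ]
    decisions = []
    for t, pkt in samples:
        now[0] = t
        decisions.append(table.check(pkt))
    return decisions, table.stats()
```

Keying on the pair (MAC, IP) rather than either alone means a host that has learned only a neighbour's IP address, or only its MAC, finds no session and is sent back to authentication instead of being forwarded.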
An efficient method of transport allows the reduction of data carried over the network starting at the user device, flowing towards the IAD and then on to the destination network. There are many methods of carrying user sessions from user device to the IAD.
Methods known in the art include the numerous encapsulation choices for transporting user data including: IP over PPP over dial-up; IP over PPP over ISDN; IP over PPP over ethernet (PPPoE); IP over PPP over Frame Relay (PPPoF); IP over PPP over ATM (PPPoA); IP over PPP over UDP/IP (L2TP); IP over PPP over IP (L2F); IP over PPP over IPSec (VPN); as well as any number of proprietary encapsulation techniques. As is apparent, what the public, or non-proprietary, methods share is the use of PPP to carry subscriber management information. Traditionally these methods have been used to transport the user PPP session across the access network. This contributes significantly to the protocol overhead in the process and increases traffic across the Access Network. In the preferred embodiment, this invention uses the PPPoE or L2TP protocols between the IAD and user device. These protocols do not extend over the access network, thus reducing the overhead that these techniques apply to the packets.
The IAD is charged with performing user authentication and communicates with the RADIUS server, becoming in effect a RADIUS client. If the IAD supports multiple destination networks (i.e., multiple Virtual Private Networks), then multiple RADIUS clients must be supported: one for each network. The communication of authentication information across the access network 4 must be secured to avoid the discovery of user names and passwords through the use of simple snooping techniques. Thus, to provide a secure dialogue, transactions between the IAD RADIUS client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. All user passwords are encrypted using industry standard encryption technologies, such as MD5, when sent between the client and RADIUS server, to eliminate the possibility of password compromise.
In the event that data packets are accidentally released to the wrong network, it is preferable that a data security system be implemented so as to prevent these errant packets from being decoded. Numerous techniques of packet labelling can be applied to solve this so that packets that are not intended for a given network are never read by it. A packet labelling scheme that can render a packet illegible to foreign IP devices while in transit across the access network, while at the same time introducing no overhead, is preferred for use with this invention. This packet marking process must be undone at the egress edge of the access network so that IP packets can be restored for delivery to the ISP or corporate router.
The preferred embodiment of the invention as described so far can be considered both scalable and concentrated. A high concentration of users is considered important for the service provider to make a viable business case. In today's world of cut-rate Internet access, service providers must groom many hundreds or thousands of subscribers onto one high-speed IP stream. The ISP or corporate router cannot be troubled with managing these many user sessions while trying to route incoming IP packets at, say, DS3 (45 Mbps) or OC3 (155 Mbps) wire rate.
Scalability is a potential problem for products that perform subscriber management in a box located at the ISP end of the access network. This has been addressed with the present invention, where subscriber management is preferably distributed across multiple IADs, each IAD only having to manage at most one or two dozen subscribers. This means that if a given subscriber increases their load and requires more resources at the IAD, it is possible to upgrade a single unit that affects a small part of the user base, as opposed to upgrading a centralized unit and inconveniencing all users of the system during the upgrade process.
With DSM, the user has a procedure whose simplicity is comparable to the one used for dial-up access. RADIUS follows a client-server operational model. A Network Access Server (NAS), Remote Access Server (RAS), or the like, operates as a client of RADIUS.
The client is responsible for passing user information to designated RADIUS servers, and then acting on the response that is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user. A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.
RADIUS is carried in UDP (port number 1812 decimal) and IP. At times, the source IP address field in client requests is zero, since the client may not yet have an address.
When a user attempts to log in, the following steps occur to authenticate the user with RADIUS:
1. The user is prompted for and enters a username and password.
2. The username and encrypted password are sent over the network to the RADIUS server.
3. The user receives one of the following responses from the RADIUS server:
ACCEPT (The user is authenticated)
REJECT (The user is not authenticated and is prompted to reenter the username and password, or access is denied)
CHALLENGE (A challenge is issued by the RADIUS server to collect additional data from the user)
CHANGE PASSWORD (A request is issued by the RADIUS server, asking the user to select a new password)
RADIUS authentication must be performed before RADIUS authorization. The ACCEPT or REJECT response contains additional data that is used for EXEC or network authorization. The additional data included with the ACCEPT or REJECT packets consists of services that the user can access, including Telnet, rlogin, PPP, FTP, EXEC services, or connection parameters, including the host or client IP address, access list, and user timeouts.
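The client/server exchange of steps 1 to 3, carried through as an added Python example; this is not code from the patent, and not any RADIUS implementation's own code. The IAD side builds an Access-Request with a fresh random Request Authenticator and hides the User-Password with the MD5/shared-secret scheme of RFC 2865 section 5.2 (the "MD5" the description refers to); the server side reveals the password, checks it, and answers ACCEPT (carrying a Framed-IP-Address, the dynamically assigned address mentioned earlier) or REJECT; the client then verifies the Response Authenticator before acting on the reply. The shared secret, the user record and the addresses are constructed values, and the CHALLENGE and CHANGE PASSWORD outcomes are omitted.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed shared secret for the illustration; a deployment provisions its own out of band.
SHARED_SECRET = b"example-shared-secret"
# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 2, 4, 8


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-octet blocks, then c_i = p_i XOR MD5(secret + c_{i-1}),
    with c_0 = Request Authenticator. The only key material is the shared secret."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    prev, out = request_auth, b""
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side: same chain, XORed back. Trailing NULs are padding, so a password may not end in NUL."""
    prev, out = request_auth, b""
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(prev, mask))
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Type-Length-Value attribute list; Length counts the 2-octet header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code, ident, authenticator, body):
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    """Header plus attributes, with the length checks a client or server must do before trusting anything."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:20], attrs


def response_authenticator(code, ident, body, request_auth, secret):
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret): binds the reply to the request and to the secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def client_access_request(ident, username, password, secret, nas_ip=b"\xc0\x00\x02\x01"):
    """IAD (RADIUS client) side. nas_ip is a constructed 192.0.2.1."""
    request_auth = secrets.token_bytes(16)  # fresh per request; the password chain is seeded from it
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, hide_password(password, secret, request_auth)),
                         (NAS_IP_ADDRESS, nas_ip)])
    return build_packet(ACCESS_REQUEST, ident, request_auth, body), request_auth


def server_handle(pkt, secret, users):
    """RADIUS server side: users maps name -> (password, framed IP as 4 octets). Answers ACCEPT or REJECT."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    d = dict(attrs)
    password = reveal_password(d.get(USER_PASSWORD, b""), secret, request_auth)
    record = users.get(d.get(USER_NAME, b""))
    if record is not None and hmac.compare_digest(record[0], password):
        reply, body = ACCESS_ACCEPT, encode_attrs([(FRAMED_IP_ADDRESS, record[1])])
    else:
        reply, body = ACCESS_REJECT, b""
    return build_packet(reply, ident, response_authenticator(reply, ident, body, request_auth, secret), body)


def client_check_response(resp, request_auth, secret, expected_ident):
    """Client verifies identifier and Response Authenticator before acting; None means the reply is not trusted."""
    code, ident, auth, attrs = parse_packet(resp)
    if ident != expected_ident:
        return None
    expected = response_authenticator(code, ident, encode_attrs(attrs), request_auth, secret)
    if not hmac.compare_digest(auth, expected):
        return None
    return code, attrs


def demo():
    """One ACCEPT, one REJECT, and one reply produced without the secret; returns the outcomes."""
    users = {b"alice": (b"correct horse", b"\x0a\x01\x00\x02")}  # constructed record, Framed-IP-Address 10.1.0.2
    req, ra = client_access_request(7, b"alice", b"correct horse", SHARED_SECRET)
    accepted = client_check_response(server_handle(req, SHARED_SECRET, users), ra, SHARED_SECRET, 7)
    req2, ra2 = client_access_request(8, b"alice", b"wrong", SHARED_SECRET)
    rejected = client_check_response(server_handle(req2, SHARED_SECRET, users), ra2, SHARED_SECRET, 8)
    forged = client_check_response(server_handle(req, b"not-the-secret", users), ra, SHARED_SECRET, 7)
    return {"accept_code": accepted[0], "framed_ip": dict(accepted[1])[FRAMED_IP_ADDRESS],
            "reject_code": rejected[0], "forged": forged}
```

Two points the example makes visible. The password hiding is keyed only by the shared secret, so the protection of user passwords on the access network rests entirely on that secret being long, random and unique per client. Also, in RFC 2865 the Access-Request itself carries no integrity check of its own; the Response Authenticator protects the reply, and the usual hardening for the request is the Message-Authenticator attribute of RFC 2869 or transport-level protection.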
User IP addresses can be statically provisioned or dynamically assigned using RADIUS or the like. In RADIUS, the ACCEPT or REJECT response contains the host or client IP address, access list, and user timeouts. Upon a user timeout, the user may be disconnected and, if dynamically assigned, the IP address is returned to a pool of available addresses.
BootP, DHCP, and TACACS+ can also be used to dynamically assign IP addresses to users but these protocols are less common than RADIUS.
Normally, a pool or group of addresses is pre-assigned by a network administrator and given out by the RADIUS server as users sign on to the service provider. Typically used to oversubscribe IP addresses, a pool allows many clients to share a small number of IP addresses based on usage and contention patterns.
The Boot Protocol (BootP) is a UDP-serviced protocol that can be IP-routed to a BootP address server. Through the BootP protocol, the server can perform many functions including IP address assignment, bootstrapping, operating system loading, desktop configuration, and hardware/interface configuration. BootP cannot completely replace RADIUS as a subscriber management protocol. Dynamic Host Configuration Protocol (DHCP) is a newer alternative to BootP and possesses all the capabilities of BootP. As a rule, any BootP relay agent (e.g., in a router or gateway) will work with DHCP. As with BootP, DHCP cannot completely replace RADIUS as a subscriber management protocol.
With the preferred embodiment of this invention, subnet and mask information are tied to a Domain which appears as a logical RAS module. IP host numbers can then be dynamically assigned to users as they connect.
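A Domain-tied address pool with lease timeouts, as an added Python example of the assignment and release described in the preceding paragraphs (a pool pre-assigned by the administrator, a host number handed out on sign-on, the address returned on user timeout, the pool oversubscribed relative to the user base). It is not the patent's code; the subnet, Domain name, user names and lease length are constructed, and reserving the first host address for the Domain's logical RAS interface is an assumption of this example.

```python
import ipaddress
import time


class DomainAddressPool:
    """Dynamic host-number assignment from the subnet tied to one Domain.
    Leases expire with the user's timeout and return to the free list."""

    def __init__(self, domain, subnet, lease_seconds, clock=time.monotonic):
        self.domain = domain
        self.network = ipaddress.ip_network(subnet, strict=True)  # subnet and mask of the Domain
        self._lease_seconds = lease_seconds
        self._clock = clock
        hosts = list(self.network.hosts())      # excludes network and broadcast addresses
        self.gateway = hosts[0]                  # assumption: the logical RAS interface takes the first host
        self._free = hosts[1:]                   # addresses available to users, in order
        self._leases = {}                        # ip -> (user, expiry)

    def _reclaim_expired(self):
        """Return timed-out leases to the pool (the 'user timeout' case)."""
        now = self._clock()
        for ip, (_user, expiry) in list(self._leases.items()):
            if expiry <= now:
                del self._leases[ip]
                self._free.append(ip)

    def assign(self, user):
        """Return the user's address (renewing a live lease) or None when the pool is exhausted."""
        self._reclaim_expired()
        for ip, (holder, _expiry) in self._leases.items():
            if holder == user:
                self._leases[ip] = (user, self._clock() + self._lease_seconds)
                return ip
        if not self._free:
            return None
        ip = self._free.pop(0)
        self._leases[ip] = (user, self._clock() + self._lease_seconds)
        return ip

    def release(self, ip):
        """Explicit release on session teardown."""
        if ip in self._leases:
            del self._leases[ip]
            self._free.append(ip)

    def in_use(self):
        return {str(ip): user for ip, (user, _expiry) in self._leases.items()}


def run_pool_sample():
    """Constructed scenario: a /29 Domain pool oversubscribed by six users; returns the observed assignments."""
    now = [0.0]
    pool = DomainAddressPool("corp-b.example", "192.0.2.0/29", lease_seconds=300, clock=lambda: now[0])
    first = [str(pool.assign(u)) for u in ("alice", "bob", "carol", "dave", "erin")]  # fills the five usable hosts
    exhausted = pool.assign("frank")           # sixth user: no address left
    renewed = str(pool.assign("alice"))        # same user, same address, lease renewed
    now[0] = 301.0                              # every lease has timed out
    reused = str(pool.assign("frank"))          # reclaimed address handed to the waiting user
    return first, exhausted, renewed, reused
```

The example reclaims lazily, on the next assignment, which keeps the pool consistent even if the timeout event itself is missed; a separate explicit `release()` covers orderly session teardown.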
The DSM system in accordance with the invention allows providers to sell services based on guaranteed bit rates by allocating discrete bandwidth levels to individual users and enforcing the bandwidth through bandwidth management techniques.
Service providers require resource accounting to bill users or to prove service levels have been met by the network/system. A service provider is likely to use RADIUS access control and accounting software defined by RFC 2139 to meet these special needs.
RADIUS accounting is independent of RADIUS authentication or authorization.
RADIUS accounting allows reports to be sent at the start and end of services, indicating the amount of resources (e.g. session duration, data transferred, etc.) used during the session. It is possible for an ISP to use Simple Network Management Protocol (SNMP)-based statistics collected by the IAD for the above purposes. An SNMP management station periodically 'polls' the IAD SNMP agent to upload the accumulated statistics.
Neither of these technologies is incompatible with the implementation described.
The present invention provides for the ability of a client network to select from a number of ISPs. Multiple ISP selection has not traditionally been regarded as an ability of networks but is now seen as a necessary feature for products providing access network services. The user has the capability of switching between destination ISPs or corporations via the DSM service.
Through the implementation of both this invention and a secure packet labelling system it is possible to enable Virtual Private Networking. Once authenticated by DSM and marked by the packet labelling, packets are secure until they reach the egress interface of the network.
The preceding discussion of the application of the invention should be seen as exemplary in nature and should not be considered to limit the scope of the invention to the particular embodiments described.
Claims (11)
1. A distributed subscriber management system comprising:
a plurality of user networks, each user network connecting a respective group of users;
an integrated access device interposed between said plurality of user networks and an access network, said integrated access device comprising means for controlling admission to each of said user networks of users while connected to each other user network of said plurality of user networks; and
a plurality of external networks connected to said access network, each said external network having an authentication server;
wherein said integrated access device comprises a set of at least two authentication clients shared by said plurality of user networks and operable to authenticate and authorize data units received from users belonging to any of said user networks and destined to any of said external networks.
2. The distributed subscriber management system of claim 1 further including means for centralized access control between said user networks.
3. The distributed subscriber management system of claim 1 further comprising a secure data-unit labeling system associated with said integrated access device for marking data units received from said user networks to produce marked data units so that each said marked data unit destined to a specific external network from among said plurality of external networks becomes illegible to any other of said external networks.
4. The distributed subscriber management system of claim 1 wherein said set of at least two authentication clients uses a Remote Authentication, Dial-in User Service (RADIUS) protocol.
5. The distributed subscriber management system of claim 1 further including, in said integrated access device, means for:
receiving a data unit from a user located on one of said plurality of user networks;
interrogating said user for access information;
encrypting said access information prior to transmitting the access information to an authentication server; and wherein the encrypted access information is decrypted at the authentication server.
6. The distributed subscriber management system of claim 1 wherein said plurality of user networks includes a first number of user networks, said set of at least two authentication clients includes a second number of authentication clients, and said first number is unequal to said second number.
7. An integrated access device comprising:
a user-network interface connecting to a plurality of user networks to receive data units from said plurality of user networks;
at least two authentication clients operatively connected to said user network interface for authenticating and authorizing data units received from said plurality of user networks;
an external-network interface operatively connected to said at least two authentication clients and to an access network, said external-network interface operable to forward a data unit authorized by any of said at least two authentication clients to an external network from among a plurality of external networks connected to said access network; and means for controlling admission to each of said user networks of users while connected to each other user network of said plurality of user networks.
8. The integrated access device of claim 7 further comprising means for allocating discrete bandwidth levels to at least one of said user networks.
9. The integrated access device of claim 7 further comprising:
means for service-level enforcing;
means for network-resource management;
means for collecting usage statistical usage; and means for alarm monitoring.
10. The integrated access device of claim 7, further comprising at least one of the following:
a password authentication protocol client;
a challenge handshake authentication protocol client;
a terminal-access controller-access control system client; and a remote authentication dial-in user service protocol client.
11. The integrated access device of claim 7 wherein the user network interface includes a plurality of ingress cards and the external network interface includes an egress card.
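The architecture set out in the claims above, as an added Python model that is not code from the patent or its assignee: an integrated access device in front of several user networks, a pool of at least two authentication clients shared by all of them (claim 1), and the claim 5 flow of receiving a data unit, interrogating the user for access information and encrypting it before it crosses the access network to the destination external network's authentication server. The encryption step is modelled with the RFC 2865 User-Password hiding of the RADIUS protocol named in claim 4; that is one way the step can be realized, not a statement of how the patent does it. The topology, user names, passwords and shared secrets (user-net-1, isp-a, corp-b, alice, bob, secret-a, secret-b) are constructed sample values, and the round-robin choice of client from the pool is an assumption.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: NUL-pad to 16-octet blocks and XOR
    each block with MD5(secret + previous block); the first block is keyed by the
    16-octet Request Authenticator, which travels in the clear with the request."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse, run by the server that holds the same shared secret; strips NUL padding."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


@dataclass
class AuthServer:
    """Authentication server of one external network (an ISP or a corporation)."""
    network: str
    shared_secret: bytes
    users: Dict[str, bytes]  # constructed sample credential store

    def access_request(self, username: str, hidden: bytes, authenticator: bytes) -> bool:
        # Decrypt the hidden credential; True is Access-Accept, False is Access-Reject.
        return self.users.get(username) == reveal_password(hidden, self.shared_secret, authenticator)


@dataclass
class AuthClient:
    """One client of the IAD's shared pool; holds a shared secret per external network."""
    client_id: int
    secrets: Dict[str, bytes]

    def authenticate(self, server: AuthServer, username: str, password: bytes) -> bool:
        authenticator = os.urandom(16)  # fresh Request Authenticator for every request
        hidden = hide_password(password, self.secrets[server.network], authenticator)
        return server.access_request(username, hidden, authenticator)


@dataclass
class DataUnit:
    user_network: str
    username: str
    destination: str  # external network the unit is addressed to
    payload: bytes


class IntegratedAccessDevice:
    """IAD with at least two authentication clients shared by all user networks. Sessions
    are keyed on (user network, user, destination), so an Access-Accept from one
    external network never authorizes traffic to another."""

    def __init__(self, user_networks: List[str], servers: Dict[str, AuthServer],
                 clients: List[AuthClient]):
        if len(clients) < 2:
            raise ValueError("the shared pool needs at least two authentication clients")
        self.user_networks, self.servers, self.clients = set(user_networks), servers, clients
        self._next = 0  # round-robin cursor over the shared pool (an assumption)
        self.sessions: Dict[Tuple[str, str, str], int] = {}
        self.forwarded: List[Tuple[str, bytes]] = []

    def receive(self, unit: DataUnit, interrogate: Callable[[str], bytes]) -> str:
        """Claim 5 flow: receive a data unit, interrogate the user for access information,
        hide it before it crosses the access network, forward only on Access-Accept."""
        if unit.user_network not in self.user_networks:
            return "DROP: unknown user network"
        if unit.destination not in self.servers:
            return "DROP: unknown external network"
        key = (unit.user_network, unit.username, unit.destination)
        if key not in self.sessions:
            client = self.clients[self._next % len(self.clients)]
            self._next += 1
            if not client.authenticate(self.servers[unit.destination], unit.username,
                                       interrogate(unit.username)):
                return "REJECT: authentication failed"
            self.sessions[key] = client.client_id
        self.forwarded.append((unit.destination, unit.payload))
        return "FORWARD"


def build_demo() -> IntegratedAccessDevice:
    """Constructed topology: two user networks, two external networks, two shared clients."""
    secrets = {"isp-a": b"secret-a", "corp-b": b"secret-b"}
    servers = {"isp-a": AuthServer("isp-a", secrets["isp-a"], {"alice": b"alice-pw"}),
               "corp-b": AuthServer("corp-b", secrets["corp-b"], {"bob": b"bob-pw"})}
    return IntegratedAccessDevice(["user-net-1", "user-net-2"], servers,
                                  [AuthClient(0, secrets), AuthClient(1, secrets)])
```

Feed `build_demo()` data units through `receive` with a callback that returns the interrogated user's password: a user accepted by isp-a is forwarded there, a later unit from the same user to corp-b triggers a fresh authentication against corp-b's server and is rejected when that server does not know the user, and both user networks draw clients from the same two-member pool. Two caveats for anyone mapping this onto a deployment: the RFC 2865 hiding is keyed obfuscation with MD5 rather than strong encryption, so the access-network path between the device and each authentication server still needs its own protection, and the `interrogate` callback stands in for a real PAP or CHAP exchange with the user (claim 10), which is where the cleartext credential would otherwise be exposed.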
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CA002296213A CA2296213C (en) | 2000-01-07 | 2000-01-14 | Distributed subscriber management |
US09/755,037 US20010044893A1 (en) | 2000-01-07 | 2001-01-08 | Distributed subscriber management system |
US11/514,852 US7512784B2 (en) | 2000-01-07 | 2006-09-05 | Distributed subscriber management system |
US12/132,583 US7921457B2 (en) | 2000-01-07 | 2008-06-03 | Distributed subscriber management system |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CA 2293989 CA2293989A1 (en) | 2000-01-07 | 2000-01-07 | Distributed subscriber management |
CA2,293,989 | 2000-01-07 | ||
CA002296213A CA2296213C (en) | 2000-01-07 | 2000-01-14 | Distributed subscriber management |
Publications (2)
Publication Number | Publication Date |
---|---|
CA2296213A1 CA2296213A1 (en) | 2001-07-07 |
CA2296213C true CA2296213C (en) | 2009-04-14 |
Family
ID=25681453
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA002296213A Expired - Fee Related CA2296213C (en) | 2000-01-07 | 2000-01-14 | Distributed subscriber management |
Country Status (2)
Country | Link |
---|---|
US (3) | US20010044893A1 (en) |
CA (1) | CA2296213C (en) |
Families Citing this family (86)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7065578B2 (en) * | 2000-03-20 | 2006-06-20 | At&T Corp. | Service selection in a shared access network using policy routing |
US6947404B1 (en) * | 2000-11-06 | 2005-09-20 | Nokia Corporation | Automatic WAP login |
US7085833B2 (en) * | 2001-01-17 | 2006-08-01 | Microsoft Corporation | Caching user network access information within a network |
US6988148B1 (en) | 2001-01-19 | 2006-01-17 | Cisco Technology, Inc. | IP pool management utilizing an IP pool MIB |
US7921290B2 (en) * | 2001-04-18 | 2011-04-05 | Ipass Inc. | Method and system for securely authenticating network access credentials for users |
US7469341B2 (en) * | 2001-04-18 | 2008-12-23 | Ipass Inc. | Method and system for associating a plurality of transaction data records generated in a service access system |
US7788345B1 (en) * | 2001-06-04 | 2010-08-31 | Cisco Technology, Inc. | Resource allocation and reclamation for on-demand address pools |
US7197549B1 (en) | 2001-06-04 | 2007-03-27 | Cisco Technology, Inc. | On-demand address pools |
JP4236398B2 (en) * | 2001-08-15 | 2009-03-11 | 富士通株式会社 | Communication method, communication system, and communication connection program |
US20030119536A1 (en) * | 2001-12-21 | 2003-06-26 | Hutchison James A. | Arbitrated audio communication with reduced latency |
US7707416B2 (en) * | 2002-02-01 | 2010-04-27 | Novell, Inc. | Authentication cache and authentication on demand in a distributed network environment |
US7487535B1 (en) * | 2002-02-01 | 2009-02-03 | Novell, Inc. | Authentication on demand in a distributed network environment |
US7702726B1 (en) * | 2002-04-10 | 2010-04-20 | 3Com Corporation | System and methods for providing presence services in IP network |
US20030233580A1 (en) * | 2002-05-29 | 2003-12-18 | Keeler James D. | Authorization and authentication of user access to a distributed network communication system with roaming features |
US7577154B1 (en) * | 2002-06-03 | 2009-08-18 | Equinix, Inc. | System and method for traffic accounting and route customization of network services |
EP1370040B1 (en) * | 2002-06-04 | 2005-03-02 | Alcatel | A method, a network access server, an authentication-authorization-and-accounting server, and a computer software product for proxying user authentication-authorization-and-accounting messages via a network access server |
DE50301376D1 (en) * | 2002-06-11 | 2006-02-23 | Siemens Ag | PROCESS AND ACCESS MULTIPLEXERS FOR QUICK ACCESS TO DATA NETWORKS |
BR0314692A (en) | 2002-09-25 | 2005-08-02 | Telemac Corp | System for administering local access control to a computer network |
CN1489332A (en) * | 2002-10-10 | 2004-04-14 | �Ҵ���˾ | Safety system and method for providing service device of identifying long-distance callin user's service-charge |
WO2004040845A1 (en) * | 2002-11-01 | 2004-05-13 | Huawei Technologies Co., Ltd | A security management method for an integrated access device of network |
US20040088411A1 (en) * | 2002-11-04 | 2004-05-06 | Jakubowski Deborah W. | Method and system for vendor management |
US7801171B2 (en) | 2002-12-02 | 2010-09-21 | Redknee Inc. | Method for implementing an Open Charging (OC) middleware platform and gateway system |
US7467227B1 (en) * | 2002-12-31 | 2008-12-16 | At&T Corp. | System using policy filter decision to map data traffic to virtual networks for forwarding the traffic in a regional access network |
US7457865B2 (en) * | 2003-01-23 | 2008-11-25 | Redknee Inc. | Method for implementing an internet protocol (IP) charging and rating middleware platform and gateway system |
US8606885B2 (en) | 2003-06-05 | 2013-12-10 | Ipass Inc. | Method and system of providing access point data associated with a network access point |
US7299492B2 (en) * | 2003-06-12 | 2007-11-20 | International Business Machines Corporation | Multi-level multi-user web services security system and method |
US7353260B1 (en) * | 2003-06-13 | 2008-04-01 | Cisco Technology, Inc. | System and method for access control on a storage router |
US7440441B2 (en) | 2003-06-16 | 2008-10-21 | Redknee Inc. | Method and system for Multimedia Messaging Service (MMS) rating and billing |
US7505472B1 (en) * | 2003-06-20 | 2009-03-17 | Redback Networks Inc. | Method and apparatus for agnostic PPP switching |
US7698384B2 (en) * | 2003-06-26 | 2010-04-13 | International Business Machines Corporation | Information collecting system for providing connection information to an application in an IP network |
CN1319337C (en) * | 2003-07-02 | 2007-05-30 | 华为技术有限公司 | Authentication method based on Ethernet authentication system |
US7395341B2 (en) * | 2003-08-15 | 2008-07-01 | Fiberlink Communications Corporation | System, method, apparatus and computer program product for facilitating digital communications |
JP4311636B2 (en) * | 2003-10-23 | 2009-08-12 | 株式会社日立製作所 | A computer system that shares a storage device among multiple computers |
US7606916B1 (en) * | 2003-11-10 | 2009-10-20 | Cisco Technology, Inc. | Method and apparatus for load balancing within a computer system |
US20050114710A1 (en) * | 2003-11-21 | 2005-05-26 | Finisar Corporation | Host bus adapter for secure network devices |
US20050120204A1 (en) * | 2003-12-01 | 2005-06-02 | Gary Kiwimagi | Secure network connection |
US20050120223A1 (en) * | 2003-12-01 | 2005-06-02 | Gary Kiwimagi | Secure authenticated network connections |
US20060041931A1 (en) * | 2004-03-23 | 2006-02-23 | Pctel, Inc. | Service level assurance system and method for wired and wireless broadband networks |
US7539862B2 (en) | 2004-04-08 | 2009-05-26 | Ipass Inc. | Method and system for verifying and updating the configuration of an access device during authentication |
US7467405B2 (en) * | 2004-06-22 | 2008-12-16 | Taiwan Semiconductor Manufacturing Company, Ltd. | Method and apparatus for detecting an unauthorized client in a network of computer systems |
US7725589B2 (en) * | 2004-08-16 | 2010-05-25 | Fiberlink Communications Corporation | System, method, apparatus, and computer program product for facilitating digital communications |
KR100670791B1 (en) * | 2004-12-07 | 2007-01-17 | 한국전자통신연구원 | Method for verifying authorization with extensibility in AAA server |
US7860006B1 (en) * | 2005-04-27 | 2010-12-28 | Extreme Networks, Inc. | Integrated methods of performing network switch functions |
US8140665B2 (en) * | 2005-08-19 | 2012-03-20 | Opnet Technologies, Inc. | Managing captured network traffic data |
JP4616732B2 (en) * | 2005-09-02 | 2011-01-19 | 株式会社日立製作所 | Packet transfer device |
KR100819036B1 (en) * | 2005-12-08 | 2008-04-02 | 한국전자통신연구원 | Traffic Authentication Equipment using Packet Header Information and Method thereof |
US8255996B2 (en) * | 2005-12-30 | 2012-08-28 | Extreme Networks, Inc. | Network threat detection and mitigation |
CN100518191C (en) * | 2006-03-21 | 2009-07-22 | 华为技术有限公司 | Method and system for securing service quality in communication network |
US8181010B1 (en) * | 2006-04-17 | 2012-05-15 | Oracle America, Inc. | Distributed authentication user interface system |
US7904953B2 (en) * | 2006-09-22 | 2011-03-08 | Bea Systems, Inc. | Pagelets |
US8031594B2 (en) * | 2006-09-29 | 2011-10-04 | At&T Intellectual Property I, L.P. | System and method of providing communications services |
US8650297B2 (en) * | 2007-03-14 | 2014-02-11 | Cisco Technology, Inc. | Unified user interface for network management systems |
EP2135359A4 (en) * | 2007-03-16 | 2011-07-27 | Lg Electronics Inc | Performing contactless applications in battery off mode |
US8295188B2 (en) * | 2007-03-30 | 2012-10-23 | Extreme Networks, Inc. | VoIP security |
KR20080101333A (en) * | 2007-05-17 | 2008-11-21 | (주)이스트소프트 | Secutiry method using virtual keyboard |
US8331294B2 (en) * | 2007-07-20 | 2012-12-11 | Broadcom Corporation | Method and system for managing information among personalized and shared resources with a personalized portable device |
ATE512539T1 (en) * | 2007-08-21 | 2011-06-15 | Nokia Siemens Networks Oy | METHOD, APPARATUS, SYSTEM AND CORRESPONDING COMPUTER PROGRAM FOR ACCESSING A USER DEVICE |
US8645568B2 (en) * | 2007-11-16 | 2014-02-04 | Equinix, Inc. | Various methods and apparatuses for a route server |
US8079066B1 (en) * | 2007-11-20 | 2011-12-13 | West Corporation | Multi-domain login and messaging |
US20090165121A1 (en) * | 2007-12-21 | 2009-06-25 | Nvidia Corporation | Touch Pad based Authentication of Users |
US20090193503A1 (en) * | 2008-01-28 | 2009-07-30 | Gbs Laboratories Llc | Network access control |
CN101227415A (en) * | 2008-02-04 | 2008-07-23 | 华为技术有限公司 | Multi business resource allocation method, system, gateway equipment and authentication server |
US20090210935A1 (en) * | 2008-02-20 | 2009-08-20 | Jamie Alan Miley | Scanning Apparatus and System for Tracking Computer Hardware |
JP5541648B2 (en) * | 2008-06-30 | 2014-07-09 | キヤノン株式会社 | Wireless communication apparatus, control method, and program |
US8984150B2 (en) * | 2008-07-16 | 2015-03-17 | Ipass Inc. | Electronic supply chain management |
US9338139B2 (en) * | 2008-09-15 | 2016-05-10 | Vaultive Ltd. | System, apparatus and method for encryption and decryption of data transmitted over a network |
ATE502466T1 (en) * | 2008-11-06 | 2011-04-15 | Alcatel Lucent | SECURE DISTRIBUTED NETWORK RESOURCE MANAGEMENT |
JP4737283B2 (en) * | 2008-12-19 | 2011-07-27 | 富士ゼロックス株式会社 | Program, information processing apparatus and information processing system |
EP2249540B1 (en) * | 2009-05-04 | 2020-03-18 | Alcatel Lucent | Method for verifying a user association, intercepting module and network node element |
JP5381329B2 (en) * | 2009-05-26 | 2014-01-08 | 株式会社リコー | Image forming apparatus, authentication system, authentication control method, and authentication control program |
CN101990183B (en) * | 2009-07-31 | 2013-10-02 | 国际商业机器公司 | Method, device and system for protecting user information |
US8584221B2 (en) * | 2009-10-23 | 2013-11-12 | Microsoft Corporation | Authenticating using cloud authentication |
US20110137980A1 (en) * | 2009-12-08 | 2011-06-09 | Samsung Electronics Co., Ltd. | Method and apparatus for using service of plurality of internet service providers |
US8650805B1 (en) | 2010-05-17 | 2014-02-18 | Equinix, Inc. | Systems and methods for DMARC in a cage mesh design |
EP2572493A1 (en) | 2010-05-21 | 2013-03-27 | Vaultive Ltd. | System and method for controlling and monitoring access to data processing applications |
CN103764783B (en) * | 2011-08-24 | 2016-11-02 | Dic株式会社 | Bonding agent resin combination containing plate like inorganic compound and bonding agent |
US9043878B2 (en) * | 2012-03-06 | 2015-05-26 | International Business Machines Corporation | Method and system for multi-tiered distributed security authentication and filtering |
US10129751B2 (en) | 2012-05-25 | 2018-11-13 | Comcast Cable Communications, Llc | Wireless gateway supporting public and private networks |
CN105981422B (en) * | 2013-12-13 | 2020-06-30 | 艾姆巴奇公司 | Method and system for secure connection linking hybrid cellular and non-cellular networks |
US9602493B2 (en) * | 2015-05-19 | 2017-03-21 | Cisco Technology, Inc. | Implicit challenge authentication process |
WO2017056201A1 (en) * | 2015-09-29 | 2017-04-06 | 株式会社ソラコム | Control apparatus for gateway in mobile communication system |
CN105656747A (en) * | 2015-11-11 | 2016-06-08 | 乐卡汽车智能科技(北京)有限公司 | Multi-link data transmission method and apparatus |
SG10201902395SA (en) * | 2019-03-18 | 2019-11-28 | Qrypted Tech Pte Ltd | Method and system for a secure transaction |
US11411920B2 (en) * | 2019-05-16 | 2022-08-09 | Circadence Corporation | Method and system for creating a secure public cloud-based cyber range |
MX2020013932A (en) * | 2020-12-17 | 2022-06-20 | Payjoy Inc | Method and system for remote control of access to appliances. |
CN112751735B (en) * | 2021-01-04 | 2022-03-25 | 烽火通信科技股份有限公司 | Method and device for realizing PPPoA function in broadband access equipment |
Family Cites Families (32)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5235642A (en) * | 1992-07-21 | 1993-08-10 | Digital Equipment Corporation | Access control subsystem and method for distributed computer system using locally cached authentication credentials |
SE515422C2 (en) * | 1993-03-10 | 2001-07-30 | Ericsson Telefon Ab L M | Label management in parcel networks |
US5491752A (en) * | 1993-03-18 | 1996-02-13 | Digital Equipment Corporation, Patent Law Group | System for increasing the difficulty of password guessing attacks in a distributed authentication scheme employing authentication tokens |
US5689638A (en) * | 1994-12-13 | 1997-11-18 | Microsoft Corporation | Method for providing access to independent network resources by establishing connection using an application programming interface function call without prompting the user for authentication data |
JP3361661B2 (en) * | 1995-09-08 | 2003-01-07 | 株式会社キャディックス | Authentication method on the network |
US6311218B1 (en) * | 1996-10-17 | 2001-10-30 | 3Com Corporation | Method and apparatus for providing security in a star network connection using public key cryptography |
US5889958A (en) * | 1996-12-20 | 1999-03-30 | Livingston Enterprises, Inc. | Network access control system and process |
US6105027A (en) * | 1997-03-10 | 2000-08-15 | Internet Dynamics, Inc. | Techniques for eliminating redundant access checking by access filters |
US6167438A (en) * | 1997-05-22 | 2000-12-26 | Trustees Of Boston University | Method and system for distributed caching, prefetching and replication |
CA2206616A1 (en) * | 1997-05-30 | 1998-11-30 | Robert Hugh Holt | Centralized call control in a data access transport service |
US5991810A (en) * | 1997-08-01 | 1999-11-23 | Novell, Inc. | User name authentication for gateway clients accessing a proxy cache server |
US5903564A (en) * | 1997-08-28 | 1999-05-11 | Ascend Communications, Inc. | Efficient multicast mapping in a network switch |
US6067623A (en) * | 1997-11-21 | 2000-05-23 | International Business Machines Corp. | System and method for secure web server gateway access using credential transform |
US6459682B1 (en) * | 1998-04-07 | 2002-10-01 | International Business Machines Corporation | Architecture for supporting service level agreements in an IP network |
EP0949788B1 (en) * | 1998-04-10 | 2006-03-22 | Sun Microsystems, Inc. | Network access authentication system |
US6510454B1 (en) * | 1998-04-21 | 2003-01-21 | Intel Corporation | Network device monitoring with E-mail reporting |
US6219790B1 (en) * | 1998-06-19 | 2001-04-17 | Lucent Technologies Inc. | Centralized authentication, authorization and accounting server with support for multiple transport protocols and multiple client types |
US6311275B1 (en) * | 1998-08-03 | 2001-10-30 | Cisco Technology, Inc. | Method for providing single step log-on access to a differentiated computer network |
US6470453B1 (en) * | 1998-09-17 | 2002-10-22 | Cisco Technology, Inc. | Validating connections to a network system |
US6606663B1 (en) * | 1998-09-29 | 2003-08-12 | Openwave Systems Inc. | Method and apparatus for caching credentials in proxy servers for wireless user agents |
US6212561B1 (en) * | 1998-10-08 | 2001-04-03 | Cisco Technology, Inc. | Forced sequential access to specified domains in a computer network |
US6263369B1 (en) * | 1998-10-30 | 2001-07-17 | Cisco Technology, Inc. | Distributed architecture allowing local user authentication and authorization |
US6636894B1 (en) * | 1998-12-08 | 2003-10-21 | Nomadix, Inc. | Systems and methods for redirecting users having transparent computer access to a network using a gateway device having redirection capability |
US6584122B1 (en) * | 1998-12-18 | 2003-06-24 | Integral Access, Inc. | Method and system for providing voice and data service |
US6298383B1 (en) * | 1999-01-04 | 2001-10-02 | Cisco Technology, Inc. | Integration of authentication authorization and accounting service and proxy service |
US6405251B1 (en) * | 1999-03-25 | 2002-06-11 | Nortel Networks Limited | Enhancement of network accounting records |
US6377955B1 (en) * | 1999-03-30 | 2002-04-23 | Cisco Technology, Inc. | Method and apparatus for generating user-specified reports from radius information |
US6707795B1 (en) * | 1999-04-26 | 2004-03-16 | Nortel Networks Limited | Alarm correlation method and system |
US6466977B1 (en) * | 1999-05-06 | 2002-10-15 | Cisco Technology, Inc. | Proxy on demand |
US6463474B1 (en) * | 1999-07-02 | 2002-10-08 | Cisco Technology, Inc. | Local authentication of a client at a network device |
US6584505B1 (en) * | 1999-07-08 | 2003-06-24 | Microsoft Corporation | Authenticating access to a network server without communicating login information through the network server |
US6965939B2 (en) * | 2001-01-05 | 2005-11-15 | International Business Machines Corporation | Method and apparatus for processing requests in a network data processing system based on a trust association between servers |
- 2000
  - 2000-01-14 CA CA002296213A patent/CA2296213C/en not_active Expired - Fee Related
- 2001
  - 2001-01-08 US US09/755,037 patent/US20010044893A1/en not_active Abandoned
- 2006
  - 2006-09-05 US US11/514,852 patent/US7512784B2/en not_active Expired - Fee Related
- 2008
  - 2008-06-03 US US12/132,583 patent/US7921457B2/en not_active Expired - Fee Related
Also Published As
Publication number | Publication date |
---|---|
US20010044893A1 (en) | 2001-11-22 |
US20070005954A1 (en) | 2007-01-04 |
CA2296213A1 (en) | 2001-07-07 |
US20090319777A1 (en) | 2009-12-24 |
US7512784B2 (en) | 2009-03-31 |
US7921457B2 (en) | 2011-04-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CA2296213C (en) | Distributed subscriber management | |
US7389534B1 (en) | Method and apparatus for establishing virtual private network tunnels in a wireless network | |
US7649890B2 (en) | Packet forwarding apparatus and communication bandwidth control method | |
US8484695B2 (en) | System and method for providing access control | |
US8094663B2 (en) | System and method for authentication of SP ethernet aggregation networks | |
EP1370040B1 (en) | A method, a network access server, an authentication-authorization-and-accounting server, and a computer software product for proxying user authentication-authorization-and-accounting messages via a network access server | |
US20040177247A1 (en) | Policy enforcement in dynamic networks | |
US6928463B1 (en) | Broadband content delivery via personal content tunnel | |
US7653932B2 (en) | Method and system for layer-3 subscriber login in a cable data network | |
US20050041808A1 (en) | Method and apparatus for facilitating roaming between wireless domains | |
US20080155678A1 (en) | Computer system for controlling communication to/from terminal | |
US9596240B2 (en) | Method and system for layer-3 subscriber login in a cable data network | |
Mitton et al. | Network access server requirements next generation (nasreqng) nas model | |
US20040153556A1 (en) | Connections on demand between subscribers and service providers | |
US20030204744A1 (en) | Network access control | |
WO2004014045A1 (en) | Service class dependant asignment of ip addresses for cotrolling access to an d delivery of e-sevices | |
Cisco | Overview | |
Cisco | Chapter 1 - Overview | |
Cisco | Chapter 1 - Overview | |
Cisco | Release Notes for Cisco 7000 Family for Cisco IOS Release 12.2 B | |
Cisco | Configuring Accounting | |
CA2293989A1 (en) | Distributed subscriber management | |
JP4776582B2 (en) | Network system and aggregation device | |
AU2002233902B2 (en) | A method and apparatus for transferring data packets in communication networks | |
Bernstein et al. | Understanding PPPoE and DHCP |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
EEER | Examination request | ||
MKLA | Lapsed | Effective date: 20130114 |