Distributed authentication, authorization and accounting
Abstract
In some embodiments, computer systems, storage mediums, and methods are provided for controlling a connecting device's access to a plurality of computer networks. In other embodiments, the provided computer systems, storage mediums, and methods may provide for authentication, authorization, and accounting of connecting devices connecting to a plurality of computer networks. In other embodiments, the provided computer systems, storage mediums, and methods may provide for the distribution of authentication routing data and authorization policies among a plurality of computer networks. In yet other embodiments, the provided computer systems, storage mediums, and methods may provide for the distribution of accounting among a plurality of computer networks.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method of controlling access to a plurality of computer networks at a first computer network of the plurality of computer networks, the method comprising, at the first computer network:
receiving a first credential from a network access controller on the first computer network, the first credential being associated with a first connecting device requesting access to the plurality of computer networks at the network access controller; selecting, using a criterion, at least one authentication routing policy from a plurality of authentication routing policies, each authentication routing policy of the plurality of authentication routing policies comprising address information associated with at least two authentication databases against which the first credential associated with the first connecting device is to be authenticated; selecting a first authentication database of the at least two authentication databases against which the the first credential is to be authenticated; communicating the first credential to the first authentication database using the address information; receiving an authentication response from the first authentication database; and communicating the authentication response to the network access controller.
2 . The method of claim 1 , further comprising caching a copy of the first credential at the first computer network.
3 . The method of claim 2 , further comprising:
receiving a second credential; and authenticating the second credential against the copy of the first credential.
4 . The method of claim 1 , wherein the criterion is used to select which of the at least two authentication databases the first credential is to be authenticated against based on attributes of the network access controller through which the first connecting device is requesting access to the plurality of computer networks.
5 . The method of claim 1 , wherein the criterion is used to select which of the at least two authentication databases the first credential is to be authenticated against based on attributes of the first connecting device.
6 . The method of claim 5 , wherein the attributes of the first connecting device identify a realm of the first connecting device.
7 . The method of claim 1 , further comprising receiving at least a portion of authentication routing data from a computer network of the plurality of computer networks other than the first computer network.
8 . The method of claim 1 , further comprising:
storing an authorization policy comprising one or more rules for controlling a connecting device's access to the plurality of computer networks; receiving first authorization information related to the first connecting device; comparing the first authorization information to the authorization policy; and controlling access of the first connecting device to the plurality of computer networks based on a result of the comparison.
9 . The method of claim 8 , further comprising receiving at least a portion of the first authorization information from the first authentication database.
10 . The method of claim 8 , further comprising receiving at least a portion of the authorization policy from a computer network of the plurality of computer networks other than the first computer network.
11 . The method of claim 8 , wherein the authorization policy includes a rule for controlling access to the plurality of computer networks based on at least one of a group comprising:
attributes of a network access controller through which a connecting device requests access to the plurality of computer networks; and a time of day at which the connecting device requests access to the plurality of computer networks and attributes of one or more groups of which a user of a connecting device is a member; and wherein the authorization information includes at least one of a group comprising:
attributes of the network access controller through which the first connecting device is requesting access to the plurality of computer networks;
the time of day at which the first connecting device is requesting access to the plurality of computer networks; and
attributes of one or more groups of which a first user of the first connecting device is a member.
12 . The method of claim 8 , wherein controlling access of the first connecting device to the plurality of computer networks comprises instructing the network access controller to permit the first connecting device access to a first network resource residing on the plurality of computer networks and to deny the first connecting device access to a second network resource residing on the plurality of computer networks.
13 . The method of claim 1 , further comprising:
monitoring use by the first connecting device of the plurality of computer networks; storing one or more records of events involving use by the first connecting device of the plurality of computer networks; and transmitting at least one of the one or more records to a computer network of the plurality of computer networks other than the first computer network.
14 . The method of claim 1 , further comprising:
receiving network service parameters allocating at least one logical address for a first type of network resource from a computer network of the plurality of computer networks other than the first computer network; and providing a first network resource of the first type on a computer system residing on the first computer network with an address containing the logical address.
15 . The method of claim 1 , further comprising:
receiving, from a computer network of the plurality of computer networks different from the first computer network, at least a portion of an authorization policy comprising one or more rules for controlling access by a connecting device to the plurality of computer networks; storing an authorization policy comprising the at least the portion of the authorization policy; receiving first authorization information related to the first connecting device requesting access to the plurality of computer networks at a network access controller residing on the first computer network; comparing the first authorization information to the authorization policy; and controlling the first connecting device's access to the plurality of computer networks based at least in part on a result of the comparison.
16 . The method of claim 15 , wherein:
the authorization policy comprises a rule for controlling access to the plurality of computer networks based on attributes of a network access controller through which a connecting device requests access to the plurality of computer networks; and the authorization information comprises attributes of the network access controller through which the first connecting device is requesting access to the plurality of computer networks.
17 . The method of claim 15 , wherein:
the authorization policy comprises a rule for controlling access to the plurality of computer networks based on a time of day at which a connecting device requests access to the plurality of computer networks; and the authorization information comprises a time of day at which the first connecting device is requesting access to the plurality of computer networks.
18 . The method of claim 15 , wherein:
the authorization policy comprises a rule for controlling access to the plurality of computer networks based on attributes of one or more groups of which a first user of a connecting device is a member; and the authorization information includes attributes of one or more groups of which a first user of the connecting device is a member.
19 . The method of claim 15 , wherein controlling access by the first connecting device to the plurality of computer networks comprises instructing the network access controller:
to permit the first connecting device access to a first network resource residing on the plurality of computer networks; and to deny the first connecting device access to a second network resource residing on the plurality of computer networks.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.