US2014304769A1PendingUtilityA1

Distributed authentication, authorization and accounting

51
Assignee: ROCKSTAR CONSORTIUM US LPPriority: Dec 13, 2006Filed: Jun 23, 2014Published: Oct 9, 2014
Est. expiryDec 13, 2026(~0.4 yrs left)· nominal 20-yr term from priority
H04L 63/08H04L 63/20H04L 63/0823H04L 63/083H04L 63/0892H04L 63/104
51
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

In some embodiments, computer systems, storage mediums, and methods are provided for controlling a connecting device's access to a plurality of computer networks. In other embodiments, the provided computer systems, storage mediums, and methods may provide for authentication, authorization, and accounting of connecting devices connecting to a plurality of computer networks. In other embodiments, the provided computer systems, storage mediums, and methods may provide for the distribution of authentication routing data and authorization policies among a plurality of computer networks. In yet other embodiments, the provided computer systems, storage mediums, and methods may provide for the distribution of accounting among a plurality of computer networks.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method of controlling access to a plurality of computer networks at a first computer network of the plurality of computer networks, the method comprising, at the first computer network:
 receiving a first credential from a network access controller on the first computer network, the first credential being associated with a first connecting device requesting access to the plurality of computer networks at the network access controller;   selecting, using a criterion, at least one authentication routing policy from a plurality of authentication routing policies, each authentication routing policy of the plurality of authentication routing policies comprising address information associated with at least two authentication databases against which the first credential associated with the first connecting device is to be authenticated;   selecting a first authentication database of the at least two authentication databases against which the the first credential is to be authenticated;   communicating the first credential to the first authentication database using the address information;   receiving an authentication response from the first authentication database; and   communicating the authentication response to the network access controller.   
     
     
         2 . The method of  claim 1 , further comprising caching a copy of the first credential at the first computer network. 
     
     
         3 . The method of  claim 2 , further comprising:
 receiving a second credential; and   authenticating the second credential against the copy of the first credential.   
     
     
         4 . The method of  claim 1 , wherein the criterion is used to select which of the at least two authentication databases the first credential is to be authenticated against based on attributes of the network access controller through which the first connecting device is requesting access to the plurality of computer networks. 
     
     
         5 . The method of  claim 1 , wherein the criterion is used to select which of the at least two authentication databases the first credential is to be authenticated against based on attributes of the first connecting device. 
     
     
         6 . The method of  claim 5 , wherein the attributes of the first connecting device identify a realm of the first connecting device. 
     
     
         7 . The method of  claim 1 , further comprising receiving at least a portion of authentication routing data from a computer network of the plurality of computer networks other than the first computer network. 
     
     
         8 . The method of  claim 1 , further comprising:
 storing an authorization policy comprising one or more rules for controlling a connecting device's access to the plurality of computer networks;   receiving first authorization information related to the first connecting device;   comparing the first authorization information to the authorization policy; and   controlling access of the first connecting device to the plurality of computer networks based on a result of the comparison.   
     
     
         9 . The method of  claim 8 , further comprising receiving at least a portion of the first authorization information from the first authentication database. 
     
     
         10 . The method of  claim 8 , further comprising receiving at least a portion of the authorization policy from a computer network of the plurality of computer networks other than the first computer network. 
     
     
         11 . The method of  claim 8 , wherein the authorization policy includes a rule for controlling access to the plurality of computer networks based on at least one of a group comprising:
 attributes of a network access controller through which a connecting device requests access to the plurality of computer networks; and   a time of day at which the connecting device requests access to the plurality of computer networks and attributes of one or more groups of which a user of a connecting device is a member; and   wherein the authorization information includes at least one of a group comprising:
 attributes of the network access controller through which the first connecting device is requesting access to the plurality of computer networks; 
 the time of day at which the first connecting device is requesting access to the plurality of computer networks; and 
 attributes of one or more groups of which a first user of the first connecting device is a member. 
   
     
     
         12 . The method of  claim 8 , wherein controlling access of the first connecting device to the plurality of computer networks comprises instructing the network access controller to permit the first connecting device access to a first network resource residing on the plurality of computer networks and to deny the first connecting device access to a second network resource residing on the plurality of computer networks. 
     
     
         13 . The method of  claim 1 , further comprising:
 monitoring use by the first connecting device of the plurality of computer networks;   storing one or more records of events involving use by the first connecting device of the plurality of computer networks; and   transmitting at least one of the one or more records to a computer network of the plurality of computer networks other than the first computer network.   
     
     
         14 . The method of  claim 1 , further comprising:
 receiving network service parameters allocating at least one logical address for a first type of network resource from a computer network of the plurality of computer networks other than the first computer network; and   providing a first network resource of the first type on a computer system residing on the first computer network with an address containing the logical address.   
     
     
         15 . The method of  claim 1 , further comprising:
 receiving, from a computer network of the plurality of computer networks different from the first computer network, at least a portion of an authorization policy comprising one or more rules for controlling access by a connecting device to the plurality of computer networks;   storing an authorization policy comprising the at least the portion of the authorization policy;   receiving first authorization information related to the first connecting device requesting access to the plurality of computer networks at a network access controller residing on the first computer network;   comparing the first authorization information to the authorization policy; and   controlling the first connecting device's access to the plurality of computer networks based at least in part on a result of the comparison.   
     
     
         16 . The method of  claim 15 , wherein:
 the authorization policy comprises a rule for controlling access to the plurality of computer networks based on attributes of a network access controller through which a connecting device requests access to the plurality of computer networks; and   the authorization information comprises attributes of the network access controller through which the first connecting device is requesting access to the plurality of computer networks.   
     
     
         17 . The method of  claim 15 , wherein:
 the authorization policy comprises a rule for controlling access to the plurality of computer networks based on a time of day at which a connecting device requests access to the plurality of computer networks; and   the authorization information comprises a time of day at which the first connecting device is requesting access to the plurality of computer networks.   
     
     
         18 . The method of  claim 15 , wherein:
 the authorization policy comprises a rule for controlling access to the plurality of computer networks based on attributes of one or more groups of which a first user of a connecting device is a member; and   the authorization information includes attributes of one or more groups of which a first user of the connecting device is a member.   
     
     
         19 . The method of  claim 15 , wherein controlling access by the first connecting device to the plurality of computer networks comprises instructing the network access controller:
 to permit the first connecting device access to a first network resource residing on the plurality of computer networks; and   to deny the first connecting device access to a second network resource residing on the plurality of computer networks.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.