CA2293989A1 - Distributed subscriber management - Google Patents


Info

Publication number: CA2293989A1
Authority: CA (Canada)
Prior art keywords: network, user, access, iad, networks
Legal status: Abandoned
Application number: CA 2293989
Other languages: French (fr)
Inventor: Terry Skemer
Current assignee: Sedona Networks Corp
Original assignee: Sedona Networks Corp
Related applications: CA2296213C, US20010044893A1, US7512784B2, US7921457B2

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/102 Entity profiles
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/2854 Wide area networks, e.g. public data networks
    • H04L 12/2856 Access arrangements, e.g. Internet access
    • H04L 12/2869 Operational details of access network equipments
    • H04L 12/287 Remote access server, e.g. BRAS
    • H04L 12/2876 Handling of subscriber policies

Description

DISTRIBUTED SUBSCRIBER MANAGEMENT

Field of the Invention

This invention relates to the management of user access rights on networks, and is particularly concerned with the distribution of resources used to authenticate and authorize users while allowing for accounting activities on user access to provided facilities.
Background of the Invention

Distributed Subscriber Management (DSM) is a technology that performs several tasks, but is primarily used to verify the authorization of a user to move from a first network to another. Typically a user is challenged to provide this authorization, in the form of a userid and password, by a system residing at the gateway between the two networks. In the event that a user is denied access to the next portion of the network, all of that user's packets can be discarded. This scheme is common in the art. Although this authorization scheme does succeed in preventing unauthorized access, it allows unauthorized traffic to fully traverse the first network before it is discarded. This generates unnecessary traffic which is transmitted over the first network, consuming precious bandwidth.
Authorization for such schemes is provided through the use of systems like the Remote Authentication Dial-In User Service (RADIUS) protocol. RADIUS is a fully open protocol, distributed as source code, known in the art, which is a client/server system designed to prevent unauthorized access to networks. RADIUS clients run on network devices and send authentication requests to a central RADIUS server that contains both user authentication information and network access rights. RADIUS can be modified to work with any common security system. Common implementations for RADIUS include networks with multiple vendor access servers such as an Internet Protocol (IP) based network, where dial-in users can be authenticated through a RADIUS server customized to work with the KERBEROS security system, a common security system on Unix-like computer networks. Other common implementations include networks in which a user is permitted access to a particular service. In this type of implementation a user could be restricted to a single utility, such as telnet, or a single server, or even a single protocol. This would permit RADIUS to identify a certain user as having access only to Point-to-Point Protocol (PPP) using an IP address in a given range using only one service such as telnet or File Transfer Protocol (FTP).
An example of a known authentication scheme is depicted in Figure 1. Here different User Networks 5 are connected to an Access Network 4, which in turn has a RADIUS client at the other end. This RADIUS client 3 serves to ensure that only data with the correct authorization is allowed to go to the various ISP hosted networks 2. If a packet is not authorized it is discarded at the RADIUS client 3. To obtain the authorization, the RADIUS client 3 forms a connection to the RADIUS server 1 attached to the target ISP network which the packet is trying to enter. After forming this connection to the RADIUS server 1, the RADIUS client 3 can determine whether the user who initiated the packet transmission has authorization to transmit packets onto the target network. In such an implementation, the RADIUS client only controls access to the ISP hosted networks 2, while not controlling access to the Access Network 4, or between the User Networks 5. Thus, it is left to the administrators of the various User Networks 5 to ensure their own security and prevent admission of other User Networks 5 to systems to which they should not have access.
The unnecessary unauthorized traffic penetrating the Access Network 4 is problematic if there are restrictions on the available bandwidth, or if traffic is heavy. It would be desirable to stop this traffic as it enters the originating network, so as to eliminate loading problems. Moreover, the lack of centralized access control between the User Networks 5 is also undesirable.
One system addressing the problem of unnecessary traffic has been offered by Cisco Systems in the form of their TAG™ software. TAG™ acts to verify the authorization of a packet to enter an external network prior to entry of the packet into the access network. However, in order to offer this service, a TAG™ system can only be attached to one User Network, since when multiple User Networks are connected to the same TAG™ system, one User Network could gain access, without challenge by the TAG™ system, to another User Network connected to the same TAG™ system. An example of an implementation known in the art and using TAG™ is found in Figure 2. In that implementation, RADIUS Servers 1 are attached to ISP networks 2; a multitude of such networks are, in turn, connected to an Access Network 4. The Access Network 4 connects to a multitude of User Networks 5 through TAG™ systems 6. Each User Network 5 has its own TAG™ system 6, thus preventing one User Network 5 from gaining access to another User Network 5. The TAG™ system 6 is used to verify the authorization of the packets with the RADIUS Server 1, and will discard any user packets that do not have the correct authorization. Unfortunately this requires a different TAG™ system 6 for each User Network 5 that is connected to the Access Network 4, which can greatly add to the cost of a network.
Alternatives to RADIUS do exist, providing DSM systems with the option of implementing another type of security system. One of the alternatives to RADIUS is Terminal Access Controller Access Control System (TACACS). Three distinct versions of TACACS exist. The first is TACACS, which was the original product that provided password checking and authentication, as well as notification of user actions for security and accounting purposes. This original system is now considered obsolete. The second version is extended TACACS, which is an extension to the older TACACS protocol that provides information about protocol translator and router information that can be used in Unix-like systems for auditing trails and accounting files. Extended TACACS is also now considered to be obsolete. TACACS+ is a recent protocol that provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through Authentication, Authorization and Accounting (AAA) and can be enabled only through AAA commands. A full description of the implementation of TACACS+ can be found in a draft Request For Comment (RFC) 2492.
PPP is used to carry IP over dial configurations and supports both Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) as methods of password transfer. PPP has been modified to support numerous always-on access technologies including PPP over ATM (PPPoA), PPP over Frame Relay (PPPoF), and PPP over Ethernet (PPPoE). With the creation of Competitive Local Exchange Carriers (CLECs) it is common to find a company which is delivering telephony over packet based networks and supplying clients with data based services. In addition, if there are two clients in close physical proximity to each other it would be advantageous to connect them to a common access network so that there is a single connection to the ISP. However, this single connection to the ISP is only feasible if a stronger user authorization scheme is implemented. Thus, a need exists in the art for an improved user authentication and authorization system.
Summary of the Invention

It is an object of this invention to provide a Distributed Subscriber Management system which controls access to a network, preventing unauthorized traffic through the access network and providing centralized access control between User Networks. The system in accordance with the invention provides controlled access through the use of one of several technologies including user authentication, using PAP, CHAP, RADIUS, TACACS+, or other standard authentication means.
It is yet another object to provide a DSM system which allows setup, maintenance, and tear-down of the user connection.
It is a further object of the invention to provide a DSM system allowing users to choose their destination as opposed to tying a user to a single destination.
In still another object of the invention, the DSM system of the invention provides for the administration of the assignment and release of network addresses.
The DSM system of the invention preferably allows for at least one of several technologies including facilities for the enforcement of service levels as defined in Service Level Agreements, facilities for resource management and facilities for billing by a service provider through the collection of statistics and accounting data.
Moreover, the system of the invention preferably alerts service providers of system problems through the use of alarm reporting.
Accordingly, the invention provides a Distributed Subscriber Management (DSM) method for performing user authentication for an external network at an access control node, the external network being connected to the access control node by means of an Access Network and the access control node being connected to a plurality of User Networks, the method comprising the steps of:
a. receiving a connection request from a user located on one of the User Networks;
b. interrogating the user for userid and password information;
c. encrypting the userid and password information;
d. transmitting the encrypted information, via the Access Network, to an authentication server attached to one of a plurality of external networks;
e. decrypting the information at the authentication server; and
f. transmitting an authentication message from the authentication server of the external network to the access control node via the Access Network.
In a preferred embodiment, the DSM method includes the additional step of g) challenging all data leaving the access control node.
In another preferred embodiment, the authentication server of the external network employs one of RADIUS, PAP, CHAP, and TACACS or TACACS+.
In yet a further preferred embodiment, the DSM method of the invention includes the following additional steps:
h. if the message is ACCEPT, the packets generated by the requesting user, for transmission to the external network, are allowed into the Access Network for transmittal to the external network;
i. if the message is REJECT, the requesting user either has his/her packets, for transmission to the external network, rejected or is reinterrogated for userid and password information so that the process in claim 1 can be restarted at step c;
j. if the message is CHALLENGE, the requesting user is requested to provide more information to prove access rights to the external network; and
k. if the message is CHANGE PASSWORD, the requesting user is requested to select a new password.
The preferred embodiment of the Integrated Access Device in accordance with the invention provides all necessary AAA services, allowing service providers to eliminate an extra box in their network. AAA is performed at the ingress edge of the access network rather than the egress edge. Thus, injection of packets by malicious users into the access network is substantially prevented. This provides increased denial-of-service protection of the entire access network as well as ISP intranets. This reduces unauthorized traffic on the access network and allows service providers to offer guaranteed bandwidth through enforcement.
The invention further provides an Integrated Access Device including a plurality of authorization clients;
a) a plurality of connection set-up devices;
b) a plurality of connection maintenance devices;
c) a plurality of connection teardown devices;
d) means for the administration of network address assignment and release for a plurality of user networks;
e) means for enforcing service levels.
In a preferred embodiment of the IAD the following elements may also be included:
f) means for managing resources;
g) means for collecting usage statistics; and
h) means for alarm monitoring.
With the Integrated Access Device in accordance with the invention, subscribers can 'roam' throughout the access network with the authentication being performed the same way each time from any access point. The Integrated Access Device of the invention is scalable with substantially no practical limit to the number of subscribers. The RADIUS server implementation will impose restrictions on the number of users before DSM.
The IAD preferably does not change the complexion or fan-out capabilities of the Service Internetworking Platform (SIP) and preferably allows the SIP to concentrate on the efficient movement of voice and data.
Use of the DSM method and IAD aspects of the invention lowers protocol overhead across the access network (no additional PPPoE or L2TP protocol overhead) and does not impact Voice QoS or traffic management.
The IAD of the invention fits substantially seamlessly and painlessly into existing ISP/CLEC AAA paradigms, obviating the need for the service providers to change their operational model.
Brief Description of the Drawings

The invention will now be described in more detail by way of example only and with reference to the attached drawings, wherein
Figure 1 is a schematic diagram of an authentication scheme known in the art;
Figure 2 is a schematic diagram of another authentication scheme known in the art;
Figure 3 is a schematic illustration of the preferred authorization system in accordance with the invention; and
Figure 4 is a schematic illustration of an application of the preferred DSM system of the invention in a mixed voice/data environment.

Detailed Description of the Invention

Glossary of Terms

DSM Distributed Subscriber Management
RADIUS Remote Authentication Dial-In User Service
IP Internet Protocol
PPP Point-to-Point Protocol
FTP File Transfer Protocol
TACACS Terminal Access Controller Access Control System
AAA Authentication, Authorization, Accounting
PAP Password Authentication Protocol
CHAP Challenge Handshake Authentication Protocol
PPPoA PPP over ATM
ATM Asynchronous Transfer Mode
PPPoE PPP over Ethernet
PPPoF PPP over Frame Relay
CLEC Competitive Local Exchange Carrier
ISP Internet Service Provider
IAD Integrated Access Device
QoS Quality of Service
VPN Virtual Private Network
ISDN Integrated Services Digital Network
UDP/IP User Datagram Protocol/Internet Protocol
L2TP IP over PPP over UDP/IP
L2F IP over PPP over IP
IPSec Secure Internet Protocol
VPN IP over PPP over IPSec
BootP Boot Protocol
DHCP Dynamic Host Configuration Protocol
SNMP Simple Network Management Protocol
CLI Command Line Interface
MAC Media Access Control
SIP Service Interworking Platform

In order to provide secure Distributed Subscriber Management (DSM) in an efficient manner so as to allow multiple end user networks to co-exist with a single connection to the central network, while providing security to those users, it is necessary to consider various aspects of DSM, including:
    • location of functionality
    • user authentication
    • efficient method of transport
    • secure dialogue
    • concentration and scalability
    • customer ease-of-use
    • IP address assignment
    • bandwidth management
    • accounting/billing
    • multiple ISP selection
    • VPN capability
The location of the functionality is of importance so that traffic can be reduced by eliminating packets without sufficient permission before they travel to the service provider. It is the major concept of the DSM method of the invention that the subscriber management functionality is located at an access control node at the customer premise end of the access network. In the preferred embodiment, this functionality is provided by the Integrated Access Device (IAD). The DSM method of the invention preferably takes the subscriber functionality and distributes it across many IADs instead of centralizing it at the Service Provider.
The primary function of the DSM method is user authentication. DSM is a method of verifying that the user is authorized to use network resources or to access certain applications. At session start-up, the user is challenged to provide a user identifier (name or userid) and password. The authentication challenge can be one-time at session start-up; can be issued periodically, or can be issued upon session-timeout or interruption, at the discretion of the network administrators.
The operation of the preferred embodiment of the invention is apparent from Figures 3 and 4. Figure 3 depicts an exemplary network using the current invention. Here a RADIUS Server 1 is connected through an ISP 2 to an Access Network 4. At the opposite end of the Access Network 4 is an Integrated Access Device 7. Internal to the Integrated Access Device 7 is a RADIUS client 3. The IAD 7 is placed between the Access Network 4 and a plurality of User Networks 5. This allows the RADIUS client 3 in the IAD 7 to authorize all packets leaving the User Networks 5 before they traverse the Access Network 4. In addition, due to the manner in which the IAD is designed, all traffic leaving the IAD is challenged for authorization; thus different User Networks 5 cannot inadvertently gain access to each other.
Figure 4 depicts an exemplary embodiment of the invention being used in a mixed data/voice environment, where each of the different ISP networks requires its own set of authorizations. Here both Voice Networks 8 and ISP data networks 2 are connected to an SIP 9. The ISP networks 2 transmit and receive data signals, while the voice networks 8 transmit and receive voice messages. Each ISP network 2 has its own RADIUS Server 1 internal to the network. The SIP 9 is connected to both the Voice networks 8 and the ISP networks 2 and provides them access to the Access Network 4. The Access Network is connected to the IAD 7, which has a plurality of RADIUS clients 3 internal to it. The IAD 7 allows the Access Network 4 to communicate with the telephony networks 11 and the User Devices 10. The IAD's plurality of RADIUS clients 3 each establish a client/server relationship with one of the RADIUS Servers 1 so that they may perform AAA services on the packets that arise from both the telephony networks 11 and the User Devices 10.
Upon receiving a packet from a user, the source Media Access Control (MAC) and/or IP address is verified in the IAD Forward Table against a list of authorized users. If authorized, the user packet is marked by a packet labelling system, sent across the access network to the egress edge and then forwarded to the destination provider. Session/interface states and statistics on session duration, number of packets/bytes sent/received and so on, are collected by the IAD and forwarded to the operator upon Command Line Interface (CLI) or Simple Network Management Protocol (SNMP) request.

If a particular user is not authorized to use a provider's domain, the IAD challenges the user based on information received from the provider's RADIUS server. The user enters their User ID and password, which is forwarded to the RADIUS server by the IAD. The server will respond with an IP address (if not already statically assigned). Once authenticated, the user data is allowed to flow through the access network and SIP to the destination provider. The flow between the IAD and the service provider consists of pure IP datagrams, marked by a packet labelling system, without any of the additional tunnel overhead incurred when using PPPoE or L2TP. The IAD DSM module is responsible for authentication, authorization and accounting as well as interacting with the user across the user dialogue protocol (e.g., PPPoE, L2TP, etc.). It processes user IDs/passwords and builds a table of authorized user-to-Domain mappings which is consulted for each incoming packet. The table is partly constructed with information from the provider's RADIUS server.
An efficient method of transport allows the reduction of data carried over the network starting at the user device, flowing towards the IAD and then on to the destination network. There are many methods of carrying user sessions from user device to the IAD. Methods known in the art include the numerous encapsulation choices for transporting user data including: IP over PPP over dial-up; IP over PPP over ISDN; IP over PPP over Ethernet (PPPoE); IP over PPP over Frame Relay (PPPoF); IP over PPP over ATM (PPPoA); IP over PPP over UDP/IP (L2TP); IP over PPP over IP (L2F); IP over PPP over IPSec (VPN); as well as any number of proprietary encapsulation techniques.
As is apparent, what the public, or non-proprietary, methods share is the use of PPP to carry subscriber management information. Traditionally these methods have been used to transport the user PPP session across the access network. This contributes significantly to the protocol overhead in the process and increases traffic across the Access Network. In the preferred embodiment, this invention uses the PPPoE or L2TP protocols between the IAD and user device. These protocols do not extend over the access network, thus reducing the overhead that these techniques apply to the packets.
The IAD is charged with performing user authentication and communicates with the RADIUS server, becoming in effect a RADIUS client. If the IAD supports multiple destination networks (i.e., multiple Virtual Private Networks), then multiple RADIUS clients must be supported: one for each network. The communication of authentication information across the access network 4 must be secured to avoid the discovery of user names and passwords through the use of simple snooping techniques. Thus, to provide secure dialogue, security transactions between the IAD RADIUS client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. All user passwords are encrypted using industry standard encryption technologies, such as MD5, when sent between the client and RADIUS server, to eliminate the possibility of password compromise.
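As an added example that is not from the patent, the following Python shows the shared-secret password hiding this paragraph refers to, as RFC 2865 specifies it for the User-Password attribute: the password is XORed with MD5 keystream blocks derived from the shared secret and a per-request Request Authenticator, so the secret itself never goes on the wire. The function names (hide_password, reveal_password, exchange) are assumptions of this example.

```python
import hashlib
import os

BLOCK = 16  # MD5 digest size; RFC 2865 processes the password in 16-octet chunks


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Hide a User-Password the way RFC 2865 section 5.2 does (client side).

    Keystream block 1 is MD5(secret + Request Authenticator); each later block is
    MD5(secret + previous hidden block). The shared secret never leaves either host,
    and the random authenticator makes every request's keystream different.
    """
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)  # NUL padding per RFC 2865
    hidden, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        hidden += chunk
        prev = chunk
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Recover the password from the hidden attribute (server side, same secret)."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    plain, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), BLOCK):
        chunk = hidden[i:i + BLOCK]
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return bytes(plain).rstrip(b"\x00")  # strip padding; passwords do not end in NUL


def exchange(password: bytes, secret: bytes, wrong_secret: bytes):
    """One Access-Request round trip. Returns what the server recovers with the shared
    secret, what a party holding a different secret recovers, and the on-wire length."""
    authenticator = os.urandom(BLOCK)  # fresh Request Authenticator for this request
    on_wire = hide_password(password, secret, authenticator)
    return (reveal_password(on_wire, secret, authenticator),
            reveal_password(on_wire, wrong_secret, authenticator),
            len(on_wire))
```

This is keyed obfuscation rather than authenticated encryption: its strength rests entirely on the entropy of the shared secret, which is why a strong per-client secret and, in current deployments, RADIUS over TLS (RFC 6614) are the usual protections for the path across the access network.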
In the event that data packets are accidentally released to the wrong network it is essential that a data security system is preferably implemented so as to prevent these errant packets from being decoded. Numerous techniques of packet labelling can be applied to solve this so that packets that are not intended for a given network are never read by it. A packet labelling scheme that can render a packet illegible to foreign IP devices while in transit across the access network, while at the same time introducing no overhead, is preferred for use with this invention. This packet marking process must be undone at the egress edge of the access network so that IP packets can be restored for delivery to the ISP or corporate router.
The preferred embodiment of the invention as described so far can be considered both scalable and concentrated. A high concentration of users is considered important for the service provider to make a viable business case. In today's world of cut-rate Internet access, service providers must groom many hundreds or thousands of subscribers onto one high-speed IP stream. The ISP or corporate router cannot be troubled with managing these many user sessions while trying to route incoming IP packets at, say, DS3 (45 Mbps) or OC3 (155 Mbps) wire rate.
Scalability is a potential problem for products that perform subscriber management in a box located at the ISP end of the access network. This has been addressed with the present invention, where subscriber management is preferably distributed across multiple IADs, each IAD only having to manage at most 1 or 2 dozen subscribers. This means that if a given subscriber increases their load, and requires more resources at the IAD, it is possible to upgrade a single unit that affects a small part of the user base as opposed to upgrading a centralized unit and inconveniencing all users of the system during the upgrade process.
With DSM, the user has a procedure whose simplicity is comparable to the one used for dial-up access. RADIUS follows a client-server operational model. A Network Access Server (NAS), Remote Access Server (RAS), or the like, operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the response that is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user. A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.
RADIUS is carried in UDP (port number 1812 decimal) and IP. At times, the source address field in client requests is zeroed since the client may not yet have an address.
When a user attempts to log in, the following steps occur to authenticate the user with RADIUS:
1. The user is prompted for and enters a username and password.
2. The username and encrypted password are sent over the network to the RADIUS server.
3. The user receives one of the following responses from the RADIUS server:
- ACCEPT (The user is authenticated)
- REJECT (The user is not authenticated and is prompted to reenter the username and password, or access is denied)
- CHALLENGE (A challenge is issued by the RADIUS server to collect additional data from the user)
- CHANGE PASSWORD (A request is issued by the RADIUS server asking the user to select a new password)
RADIUS authentication must be performed before RADIUS authorization. The ACCEPT or REJECT response contains additional data that is used for EXEC or network authorization. The additional data included with the ACCEPT or REJECT packets consists of services that the user can access, including Telnet, rlogin, PPP, FTP, EXEC services, or connection parameters, including the host or client IP address, access list, and user timeouts. User IP addresses can be statically provisioned or dynamically assigned using RADIUS or the like. In RADIUS, the ACCEPT or REJECT response contains the host or client IP address, access list, and user timeouts. Upon a user timeout, the user may be disconnected and, if dynamically assigned, the IP address is returned to a pool of available addresses. BootP, DHCP, and TACACS+ can also be used to dynamically assign IP addresses to users but these protocols are less common than RADIUS.
Normally, a pool or group of addresses is pre-assigned by a network administrator and given out by the RADIUS server as users sign on to the service provider. Typically used to oversubscribe IP addresses, a pool allows many clients to share a small number of IP addresses based on usage and contention patterns.
The Boot Protocol (BootP) is a UDP-serviced protocol that can be IP-routed to a BootP address server. Through the BootP protocol, the server can perform many functions including IP address assignment, bootstrapping, operating system loading, desktop configuration, and hardware/interface configuration. BootP cannot completely replace RADIUS as a subscriber management protocol. Dynamic Host Configuration Protocol (DHCP) is a newer alternative to BootP and possesses all the capabilities of BootP. As a rule, any BootP Relay Agent (e.g., in a router or gateway) will work with DHCP. As with BootP, DHCP cannot completely replace RADIUS as a subscriber management protocol.
With the preferred embodiment of this invention, subnet and mask information are tied to a Domain which appears as a logical RAS module. IP host numbers can then be dynamically assigned to users as they connect.
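As an added illustration (not code from the patent), the following Python models how an access control node such as an IAD could act on the four authentication-server reply codes listed above, honour a statically provisioned address or draw one from a per-Domain pool, and return dynamically assigned addresses to the pool on user timeout. The domain names, subnet and attribute names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Reply codes the description lists for the authentication server.
ACCEPT, REJECT, CHALLENGE, CHANGE_PASSWORD = "ACCEPT", "REJECT", "CHALLENGE", "CHANGE PASSWORD"

@dataclass
class Session:
    user: str
    domain: str
    address: IPv4Address
    dynamic: bool        # drawn from the pool, so it must be returned on timeout
    expires_at: float    # absolute time computed from the user timeout attribute

class IADSessionTable:
    """One address pool per Domain (external network) plus the admitted users."""

    def __init__(self, domains):
        # domains: {name: "subnet/mask"} (constructed); every host address starts free.
        self.pools = {n: list(IPv4Network(net).hosts()) for n, net in domains.items()}
        self.active = {}  # user -> Session

    def handle_reply(self, user, domain, code, attrs, now):
        """Apply the authentication server's reply for a pending user. attrs holds
        the ACCEPT 'additional data': optional static 'ip' and 'timeout' seconds."""
        prompts = {REJECT: "reinterrogate", CHALLENGE: "collect-more-data",
                   CHANGE_PASSWORD: "select-new-password"}
        if code in prompts:                # user stays outside the Access Network
            return prompts[code], None
        if code != ACCEPT:
            raise ValueError(f"unknown reply code {code!r}")
        pool = self.pools[domain]
        if "ip" in attrs:                  # statically provisioned by the ISP
            addr, dynamic = IPv4Address(attrs["ip"]), False
            if addr in pool: pool.remove(addr)   # never hand it out twice
        elif pool:                         # dynamic assignment from the pool
            addr, dynamic = pool.pop(0), True
        else:
            return "pool-exhausted", None  # oversubscribed pool under contention
        sess = Session(user, domain, addr, dynamic, now + attrs.get("timeout", 3600))
        self.active[user] = sess
        return "admit", sess

    def expire(self, now):
        """Disconnect timed-out users; dynamic addresses go back to the pool."""
        gone = [u for u, s in self.active.items() if s.expires_at <= now]
        for u in gone:
            s = self.active.pop(u)
            if s.dynamic:
                self.pools[s.domain].append(s.address)
        return gone
```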
The DSM system in accordance with the invention allows providers to sell services based on guaranteed bit rates by allocating discrete bandwidth levels to individual users and enforcing the bandwidth through bandwidth management techniques.
Service providers require resource accounting to bill users or to prove service levels have been met by the network/system. A service provider is likely to use RADIUS access control and accounting software defined by RFC 2139 to meet these special needs.
RADIUS accounting is independent of RADIUS authentication or authorization.
RADIUS accounting allows reports to be sent at the start and end of services, indicating the amount of resources (e.g. session duration, data transferred, etc.) used during the session. It is possible for an ISP to use Simple Network Management Protocol (SNMP)-based statistics collected by the IAD for the above purposes. An SNMP management station periodically polls the IAD SNMP agent to upload the accumulated statistics.
Neither of these technologies is incompatible with the implementation described.
The present invention provides for the ability of a client network to select from a number of ISPs. Multiple ISP selection has not traditionally been regarded as an ability of networks but is now seen as a necessary feature for products providing access network services. The user has the capability of switching between destination ISPs or corporations via the DSM service.
Through the implementation of both this invention and a secure packet labelling system it is possible to enable Virtual Private Networking. Once authenticated by DSM and marked by the packet labelling, packets are secure until they reach the egress interface of the network.
The preceding discussion of the application of the invention should be seen as exemplary in nature and should not be considered to limit the scope of the invention to the particular embodiments described.

Claims (15)

I claim:
1. A Distributed Subscriber Management (DSM) method for performing user authentication for an external network at an access control node, the external network being connected to the access control node by means of an Access Network and the access control node being connected to a plurality of User Networks, the method comprising the steps of
g. receiving a connection request from a user located on one of the User Networks;
h. interrogating the user for userid and password information;
i. encrypting the userid and password information;
j. transmitting the encrypted information, via the Access network, to an authentication server attached to one of a plurality of external networks;
k. decrypting the information at the authentication server; and
l. transmitting an authentication message from the authentication server of the external network to the access control node via the Access Network.
2. A DSM method as defined in claim 1, including the additional step of h) challenging all data leaving the access control node.
3) A DSM method as defined in claim 1, wherein the authentication server of the external network employs Radius.
4) A DSM method as defined in claim 1, wherein the authentication server of the external network employs PAP.
5) A DSM method as defined in claim 1, wherein the authentication server of the external network employs CHAP.
6) A DSM method as defined in claim 1, wherein the authentication server of the external network employs either TACACS or TACACS+.
7) A DSM method as defined in claim 1, wherein the Access Network applies a packet-labelling scheme to all data units it receives from either its ingress or egress edges.
8) A DSM method as defined in claim 1, wherein upon receipt of the authentication message, the message is examined to determine its contents and the following additional steps are performed:

l. if the message is ACCEPT the packets generated by the requesting user, for transmission to the external network, are allowed into the Access Network for transmittal to the external network;

m. if the message is REJECT the requesting user either has his/her packets, for transmission to the external network, rejected or is reinterrogated for userid and password information so that the process in claim 1 can be restarted at step c;
n. if the message is CHALLENGE the requesting user is requested to provide more information to prove access rights to the external network; and
o. if the message is CHANGE PASSWORD the requesting user is requested to select a new password.
9) A DSM method as defined in claim 8, wherein a REJECT or ACCEPT message is examined for authenticity.
10) A DSM method as defined in claim 8 wherein the REJECT or ACCEPT message optionally contains specific services that are to be allowed or rejected.
11) A DSM method as defined in claim 8, wherein upon receipt of an ACCEPT message all packets from the requesting user marked for transmission to the external network are relayed to the Access Network without further authentication until conditions set by the network administrator are met.
12) A DSM method as defined in claim 10, wherein the conditions comprise user timeout and end of session.
13) A DSM method as defined in claim 1, wherein all information entering or exiting the access network at the ingress edge is monitored so as to collect statistical information on usage.
14) A DSM method as defined in claim 12, wherein all the statistical information on usage can be used for billing purposes.
15) A DSM method as defined in claim 12, wherein the statistical information is collected through the Simple Network Management Protocol functionality.

16) An Integrated Access Device (IAD) apparatus for placement at the ingress edge of an Access Network to perform a DSM method comprising:
i) a plurality of authorization clients;
j) a plurality of connections set up devices;
k) a plurality of connection maintenance devices;
l) a plurality of connection teardown devices;
m) means for the administration of network address assignment and release for a plurality of user networks;
n) means for enforcing service levels;
o) means for managing resources;
p) means for collecting usage statistics; and
q) means for alarm monitoring.

17) An IAD apparatus as defined in claim 16, further comprising j) means for enforcing service levels.

18) An IAD apparatus as defined in claim 17, further comprising k) means for managing resources.

19) An IAD apparatus as defined in claim 18, further comprising l) means for collecting usage statistics.

20) An IAD apparatus as defined in claim 19, further comprising m) means for alarm monitoring.

21) An IAD apparatus as defined in claim 16, wherein the authorization client is a PAP client.

22) An IAD apparatus as defined in claim 16, wherein the authorization client is a CHAP client.

23) An IAD apparatus as defined in claim 16, wherein the authorization client is a TACACS or TACACS+ client.

24) An IAD apparatus as defined in claim 16, wherein the authorization client is a RADIUS client.

25) An IAD apparatus as defined in claim 16, wherein the connection set up, maintenance, and teardown means support virtual circuit transport methods.

26) An IAD apparatus as defined in claim 16, wherein the means for the administration of network address assignment and release support IP addresses.

27) An IAD apparatus as defined in claim 18, wherein the means for managing resources restrict the CPU time spent per client.

28) An IAD apparatus as defined in claim 18, wherein the means for managing resources control the bandwidth available to each user network.

29) An IAD apparatus as defined in claim 19, wherein the means for collecting usage statistics collect information usable for billing purposes.

30) An IAD apparatus as defined in claim 20, wherein the means for alarm monitoring notify network administrators in the event of an alarm.

31) An IAD apparatus as defined in claim 16, connecting a plurality of User Networks to the Access Network.

32) An IAD apparatus as defined in claim 31, including means for preventing uncontrolled access of different user networks to each other.

33) An IAD apparatus as defined in claim 16, wherein the plurality of authorization clients connect to a plurality of authorization servers in different external networks each connected to the Access Networks.

Priority Applications (5)

Application Number Priority Date Filing Date Title
CA 2293989 CA2293989A1 (en) 2000-01-07 2000-01-07 Distributed subscriber management
CA002296213A CA2296213C (en) 2000-01-07 2000-01-14 Distributed subscriber management
US09/755,037 US20010044893A1 (en) 2000-01-07 2001-01-08 Distributed subscriber management system
US11/514,852 US7512784B2 (en) 2000-01-07 2006-09-05 Distributed subscriber management system
US12/132,583 US7921457B2 (en) 2000-01-07 2008-06-03 Distributed subscriber management system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CA 2293989 CA2293989A1 (en) 2000-01-07 2000-01-07 Distributed subscriber management

Publications (1)

Publication Number Publication Date
CA2293989A1 true CA2293989A1 (en) 2001-07-07

Family

ID=4165019

Family Applications (1)

Application Number Title Priority Date Filing Date
CA 2293989 Abandoned CA2293989A1 (en) 2000-01-07 2000-01-07 Distributed subscriber management

Country Status (1)

Country Link
CA (1) CA2293989A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004040845A1 (en) * 2002-11-01 2004-05-13 Huawei Technologies Co., Ltd A security management method for an integrated access device of network
WO2006081742A1 (en) * 2005-02-05 2006-08-10 Huawei Technologies Co., Ltd. A method for realizing the user information synchronization and authenticating the user end
US7725589B2 (en) 2004-08-16 2010-05-25 Fiberlink Communications Corporation System, method, apparatus, and computer program product for facilitating digital communications

Legal Events

Date Code Title Description
FZDE Dead