GB2416651A - Controlling access to a network using a central AAA platform and local AAA platforms synchronised with the central AAA platform. - Google Patents


Info

Publication number
GB2416651A
Authority
GB
United Kingdom
Prior art keywords
network
controlling access
access
user
cap
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB0514944A
Other versions
GB0514944D0 (en)
Inventor
Ken Wolstencroft
Clive Mayhew-Begg
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
              • H04L63/0272 Virtual private networks
            • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
              • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
              • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
            • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
              • H04L63/102 Entity profiles
            • H04L63/16 Implementing security features at a particular protocol layer
              • H04L63/166 Implementing security features at a particular protocol layer at the transport layer
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W12/06 Authentication
              • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
              • H04W12/069 Authentication using certificates or pre-shared keys
            • H04W12/08 Access security
              • H04W12/084 Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol

Abstract

A network contains a number of sub-networks, each provided with a network access gateway (NAG) and a local authentication authorisation and accounting platform (AAA). A user can communicate with at least a selected number of the sub-networks, preferably using a wireless communication method. The network also contains a central AAA platform (CAP). The CAP is connected to the local AAA platforms (LAP) (preferably by the internet) to allow the central AAA and the local AAAs to synchronize authentication information. A user can obtain authorisation to access a sub-network from that sub-network's local AAA. In one embodiment the user may select between using a local AAA or the central AAA. The central AAA is preferably provided at a "secure internet location".

Description

ACCESSING NETWORKS
The present invention relates mainly to providing secure network access and most particularly to providing secure access to a network by account holding users or user devices from a plurality of locations.
Many organizations maintain networks of computers and related equipment, allowing authorised users to share access to files and equipment.
Currently user access control methods concentrate on controlling access to computer equipment such as workstations, servers and network equipment.
Very little emphasis is placed on managing user level access to the network itself. With the introduction of wireless local area networks (WLAN), network level user access control is essential for preventing unauthorised access and usage of the network infrastructure. WLAN technology is particularly vulnerable as users can access wireless networks from remote locations (e.g. the street, cars, other buildings).
A number of user level access control methods exist today that can be implemented to protect networks. These include restricting access based on a user's particular network interface card Media Access Control address (MAC address); IEEE 802.1x port based authentication; and virtual private networks.
These methods are primarily designed to work with a centralised user access control system. To use them across multiple geographic locations, the authentication infrastructure must be installed in a central location. This often requires the installation of expensive network infrastructure to connect each site to the central location. Even with this level of investment, organizations can only control the user network access policy for their own internal network.
They have very little control over users connecting the organization's equipment (e.g. laptops and Personal Digital Assistants) to public networks (e.g. the Internet or public WLAN hotspots). Public networks do not offer the same high levels of security, especially when users connect using WLAN technology. This leaves organizations vulnerable even when they require users to operate virtual private network technologies when connected to public networks. The organization's equipment is still exposed to the underlying network (i.e. the public network). It is therefore feasible for the organization's equipment to be compromised in some way (e.g. interception of information being transmitted through the network, or unauthorised access being gained to the organization's equipment).
It is therefore an object of the present invention to provide a method of access to a network that overcomes or alleviates some or all of the above problems.
According to a first aspect of the present invention there is provided a method of controlling access to a network by users or user devices having network accounts comprising the steps of: authenticating a user account or user device account when an attempt is made to access said network; and subsequently authorising authenticated account holding users or user devices to access the network wherein authorization and authentication is carried out by connecting the user or user device to an authentication, authorization and accounting (AAA) platform which may be either a central AAA platform (CAP) at a remote location or a local AAA platform (LAP) connected to and synchronized with said CAP.
In this manner it is ensured that a common user access policy or user device access policy is maintained across the whole network thereby permitting secure access to the network from any location.
Preferably, said CAP is provided at a secure internet location.
Preferably, said LAP or LAPs synchronise with said CAP via an internet connection.
Preferably, no upper level data is transferred between the network and the user or user device until the user or user device is authenticated and authorised by said CAP or an LAP. Most preferably once authentication and authorization have taken place and the network is accessed data is transferred between the user/user device and the network in encrypted form only. In this way the security of the network is maintained.
Preferably said network including said CAP and said LAP or LAPs operates using an IEEE 802.1x (PEAP or TTLS) identification protocol.
Preferably all user devices having network accounts have an IEEE 802.1x PEAP or TTLS supplicant client installed. One advantage of operation with an IEEE 802.1x authentication protocol is that no upper level data may be transferred until authentication has occurred and any data that is subsequently transferred is encrypted at layer 2.
In one preferred embodiment, the network is a dispersed network comprising one or more sub-networks. Preferably, each sub-network has a dedicated LAP synchronized with the CAP as described above. In some embodiments, it is however possible for sub-networks without a dedicated LAP or for individual user devices to be authenticated and authorised by said CAP directly. In such embodiments preferably said sub-networks or said individual user devices are able to connect to the CAP via an internet connection.
Preferably, if the user or user device is attempting to connect to the network via a public sub-network, authorization is only forthcoming if the public sub-network provides matching access control provisions to the network. In this way the problem of exposure of devices to a public network via an insecure network or internet protocol connection operating under a virtual private network can be avoided.
Preferably, in embodiments wherein there are a plurality of sub networks having LAPs, one LAP is designated a master LAP and any other LAPs are designated slave LAPs. The master LAP may be operative to manage user/user device accounts and to subsequently synchronise any changes with said CAP, said CAP then synchronizes said changes across all other LAPs. Preferably such synchronization takes place via an internet connection.
Preferably, said CAP is provided with an AAA synchronization server operative to synchronize said CAP with said LAPs. Additionally and preferably, each said LAP is provided with an AAA synchronization client operative to synchronise said LAP with said CAP.
Management of user/user device accounts may include creation, deletion and any other modification of user/user device accounts. The account management may be carried out by a user management interface (UMI) which may be an intranet website utility or a software application.
Preferably each said sub-network comprises one or more user devices connected to a network access gateway (NAG). Preferably said NAG is provided with IEEE 802.1x authenticator features. Typical user devices include but are not limited to computer workstations, personal computers, laptops, notebooks, printers, scanners, servers or similar, personal digital assistants (PDA) or similar, fixed line or cellular telephones, fax machines or similar.
Preferably each said sub-network operates with an IEEE 802.1x authentication protocol. Said sub-networks may be wireless local area networks (WLAN). The authentication may be username/password authentication via a TLS tunnel and rotating WEP keys. Additionally or alternatively, the network may be adapted to use the RADIUS AAA protocol or any other suitable protocol.
In one preferred embodiment of such a dispersed network, the dispersed network is a company wide network and each sub-network is an individual office network. Preferably, the master LAP is provided in a head office network and the slave LAPs are provided in branch office networks.
Most preferably, account holding users such as employees of said company are able to access the network from their home networks or from individual user devices at their home via direct authorization obtained by connection to said CAP via an internet connection. Similarly account holding users or user devices may connect to and be authorised to access said network after connecting to said CAP via a public network such as those provided in airports, hotels, cafes or similar.
Although preferred, home and public networks may not operate with an IEEE 802.1x authentication protocol. In an alternative embodiment Centralised Protocol Interception and Redirection (CPIR) may be used as part of the present invention. When using CPIR, the network access gateway (NAG) connects to the secure internet location where the CAP is situated via a virtual private network (VPN) tunnel. CPIR may be configured to monitor any protocol of data traffic passing through the VPN tunnel. If a particular protocol is detected, the traffic will be intercepted and then redirected to an appropriate authentication gateway. No access to the network will be allowed until authentication and authorization have been successful. An example of this process in action, with CPIR configured to detect the Hypertext Transfer Protocol (HTTP), is that when unauthenticated users attempt to access the network they are prevented from doing so, and if they subsequently request web pages, CPIR intercepts these requests and redirects them to an appropriate web page where they can be authenticated using the CAP. Once authenticated, the users are able to access the network.
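The CPIR behaviour described above, modelled as an added example (this is not code from the patent; the NAG, the CAP stand-in and the `auth.cap.example` login host are assumptions chosen for illustration). A NAG running CPIR drops everything from an unauthenticated client except the watched protocol, HTTP here; an HTTP request is parsed, answered with a 302 to the CAP's login page carrying the original URL, and the login page host itself is the only destination let through. Once the CAP has authenticated the client, the gateway forwards its traffic. Two practical caveats that the patent text does not spell out: an HTTPS request cannot be transparently redirected this way without a certificate warning, and a session keyed on a client address (MAC or IP) can be taken over by spoofing that address, which is why the text prefers IEEE 802.1x, where the authenticated state is bound to the port or association at layer 2.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
from urllib.parse import quote

AUTH_HOST = "auth.cap.example"            # hypothetical host of the CAP's authentication web page
AUTH_URL = f"https://{AUTH_HOST}/login"


@dataclass(frozen=True)
class Packet:
    src: str                # client address as seen by the NAG (MAC or IP)
    proto: str              # application protocol the NAG classified the traffic as
    payload: bytes = b""


class CentralAAA:
    """Stand-in for the CAP: username -> (password, enabled). A real CAP is an AAA server
    (e.g. RADIUS) holding password verifiers, not a dictionary of clear-text passwords."""

    def __init__(self, accounts: Dict[str, Tuple[str, bool]]) -> None:
        self.accounts = accounts

    def authenticate(self, username: str, password: str) -> bool:
        pw, enabled = self.accounts.get(username, ("", False))
        return enabled and hmac.compare_digest(pw, password)


def parse_http_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Minimal HTTP/1.x request parser: (method, target, headers), or None if malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/1."):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            return None
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


class CPIRGateway:
    """NAG running CPIR. Unauthenticated clients get nothing through except HTTP, which is
    intercepted and answered with a redirect to the CAP's login page; once the CAP has
    authenticated the client, its traffic is forwarded normally."""

    def __init__(self, cap: CentralAAA, watched: Tuple[str, ...] = ("http",)) -> None:
        self.cap, self.watched = cap, set(watched)
        self.sessions: Set[str] = set()        # client addresses the CAP has authenticated

    def handle(self, pkt: Packet) -> Tuple[str, Optional[bytes]]:
        """Returns (verdict, response): verdict is "forward", "drop" or "redirect"."""
        if pkt.src in self.sessions:
            return "forward", None
        if pkt.proto not in self.watched:
            return "drop", None                # no upper-level data before authentication
        req = parse_http_request(pkt.payload)
        if req is None:
            return "drop", None
        method, target, headers = req
        if headers.get("host") == AUTH_HOST:
            return "forward", None             # the login page itself must stay reachable
        original = "http://" + headers.get("host", "") + target
        location = f"{AUTH_URL}?url={quote(original, safe='')}"
        response = (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n"
                    "Cache-Control: no-store\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
        return "redirect", response.encode()

    def login(self, src: str, username: str, password: str) -> bool:
        """Outcome of the CAP authenticating the client on the login page it was redirected to."""
        ok = self.cap.authenticate(username, password)
        if ok:
            self.sessions.add(src)
        return ok

    def logout(self, src: str) -> None:
        self.sessions.discard(src)


def demo() -> dict:
    cap = CentralAAA({"alice": ("correct horse", True), "mallory": ("x", False)})   # constructed accounts
    nag = CPIRGateway(cap)
    laptop = "00:11:22:33:44:55"
    page = b"GET /reports/q3 HTTP/1.1\r\nHost: intranet.example\r\n\r\n"           # constructed request
    login = b"GET /login HTTP/1.1\r\nHost: auth.cap.example\r\n\r\n"
    return {
        "dns_before": nag.handle(Packet(laptop, "dns", b"\x12\x34")),
        "http_before": nag.handle(Packet(laptop, "http", page)),
        "login_page": nag.handle(Packet(laptop, "http", login)),
        "garbage": nag.handle(Packet(laptop, "http", b"\xff\xfe not http")),
        "disabled_account": nag.login(laptop, "mallory", "x"),
        "good_login": nag.login(laptop, "alice", "correct horse"),
        "http_after": nag.handle(Packet(laptop, "http", page)),
        "dns_after": nag.handle(Packet(laptop, "dns", b"\x12\x34")),
    }
```

`demo()` walks one laptop through the sequence: DNS is dropped and an intranet request is redirected while unauthenticated, a malformed HTTP payload is dropped rather than forwarded, a disabled account is refused by the CAP, and after a successful login the same packets are forwarded.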
Preferably, different network access policies can be applied to different users. In addition to normal differences between individual user accounts, such as the particular data they may access or the permission to edit rather than view data or settings, additional access policies may be implemented limiting the particular authentication locations from which a user may access the network. In one example a first user (or group of users) may only connect from particular office sub-networks, a second user (or group of users) may connect from any of a number of office sub-networks, a third user (or group of users) may connect from any of a number of office sub-networks and a specific home sub-network, and a fourth user (or group of users) may connect from any location or sub-network including public networks such as public WLANs.
According to a second aspect of the present invention there is provided a dispersed network operating according to the method of the first aspect of the present invention comprising: a central authentication, authorization and accounting platform (CAP) provided in a secure internet location, said CAP operative to authenticate and authorise users or user devices to access said network; one or more sub-networks, each sub-network comprising a network access gateway (NAG) having one or more user devices connected thereto and a local authentication, authorization and accounting platform (LAP) operative to authenticate and authorise users or user devices to access said network, wherein each said LAP is synchronized with said CAP via an internet connection, thus ensuring that a common user access policy or user device access policy is maintained across the network.
The dispersed network may incorporate any or all of the features described in relation to the first aspect of the invention as appropriate.
In order that the invention is more clearly understood, it will now be described further herein, by way of example only and with reference to the accompanying drawing, the only figure of which shows a dispersed network according to the present invention.
Referring now to figure 1, a network 100 comprising a number of sub-networks 110, 120, 130, 140 is shown. Each of the sub-networks 110, 120, 130, 140 comprises one or more user devices 111, 121, 131, 141 connected via a network access gateway (NAG) 112, 122, 132, 142 to a server 113, 123, 133, 143. In the example shown in figure 1, the network 100 links a company's head office sub-network 110, a branch office sub-network 120, an employee's home sub-network 130 and a public sub-network 140 to one another and also thereby links users or user devices 111, 121, 131, 141 connected to each sub-network 110, 120, 130, 140 to one another. When connected to the network 100, each user device 111, 121, 131, 141 may connect to and exchange data with any other device connected to the network via NAGs 112, 122, 132, 142 and servers 113, 123, 133, 143.
In the example shown, each of the sub-networks 110, 120, 130, 140 is a wireless sub-network. It is however possible that fixed line networks or network technologies may alternatively be adapted to implement the invention. In the example shown, the user devices 111, 121 connected to sub-networks 110, 120 are laptop computers and fixed computer workstations, the user devices 131 connected to the home sub-network 130 are a laptop computer and a personal computer, and the user devices 141 connected to the public sub-network are laptop computers and personal digital assistants (PDAs). These examples are of course illustrative and any suitable device may be connected to any of the sub-networks 110, 120, 130, 140, including but not limited to computer workstations, personal computers, laptops, notebooks, printers, scanners, servers or similar, personal digital assistants (PDA) or similar, fixed line or cellular telephones, fax machines or similar.
Users and user devices 111, 121, 131, 141 are provided with an account to allow them to access the network 100. When a user or a user device attempts to connect to the network 100, they are authenticated and, if successfully authenticated, they are then authorised to connect to the network 100. If either authentication or authorization fails, the user or user device 111, 121, 131, 141 is barred from the network 100.
The authorization and authentication is carried out by an authentication, authorization and accounting (AAA) platform. The authentication and authorization may be carried out either locally by a local AAA platform (LAP) 114, 124 in those sub-networks 110, 120 so provided, or alternatively by a central AAA platform (CAP) 154 provided at a secure internet location 150. In the example shown in figure 1, the CAP 154 is comprised of two AAA platforms, which provides backup in the event of failure of one of the AAA platforms.
The network 100 typically uses standard protocols for the authentication and authorization process. This maximises the range of equipment and software that will operate with the network. One particular protocol used is IEEE 802.1x, which offers username/password authentication via a TLS tunnel and rotating WEP keys. An alternative protocol that may be used is Centralised Protocol Interception and Redirection (CPIR) as proposed as part of this invention, which allows a wider range of access control possibilities to be implemented.
To maintain the security of the network 100, the same access policy is maintained across the whole network 100. In order to achieve this, each LAP 114, 124 is synchronised with the CAP 154, thereby ensuring that the user/user device account data stored by each AAA platform 154, 114, 124 is identical, the synchronization taking place via a secure internet connection.
The present invention thus allows account holding users/user devices to access the network 100 conveniently via a local NAG 112, 122, 132, 142 when in their offices 110, 120 or if desired from their home 130 or from a public location 140 without any loss of security.
The synchronization between the CAP 154 and each LAP 114, 124 takes place via a secure internet connection established via the respective local servers 113, 123 for each LAP 114, 124 and a central server 153 connected to and provided for said CAP 154. The central server 153 is provided at the same secure internet location 150 as the CAP 154 and is set up to act as an AAA synchronization server. The local servers 113, 123 are set up to act as AAA synchronization clients.
If the secure internet connection fails between either LAP 114, 124 and the CAP 154, authentication and authorization can still take place for user devices 111 and 121. User device 111 will still be able to authenticate using LAP 114 and user device 121 will still be able to authenticate using LAP 124.
Any new user/user device accounts or modifications made to existing user/user device accounts will be placed in a queue by the master LAP 114 or by the CAP 154, depending on which connection has failed. Once the secure internet connection has been restored, synchronization will resume.
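The master/slave LAP arrangement described in the first aspect above and the queue-and-resume behaviour just described, modelled as an added example (not code from the patent; the class names, the sequence-numbered change records and the per-link queues are this example's own design). The master LAP is the only platform that accepts UMI changes; it applies each change locally, forwards it to the CAP, and the CAP fans it out to every slave LAP. Whichever side of a failed link holds a change keeps it in a queue and replays it in order when the link returns, and because every platform applies the same numbered changes in the same order, all account tables end up identical. The scenario also shows the failure mode a practitioner should plan for: while the branch's link is down, an account the head office has just disabled (a stolen device, say) is still accepted at the branch, so the outage window should be monitored and bounded.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AccountChange:
    seq: int                                # assigned by the master LAP; fixes the apply order on every platform
    action: str                             # "create", "enable" or "disable"
    username: str
    data: Tuple[Tuple[str, str], ...] = ()  # account fields, e.g. (("locations", "office,home"),)


class AAAStore:
    """Account table held by every AAA platform; applying the same changes in seq order keeps every copy identical."""

    def __init__(self) -> None:
        self.accounts: Dict[str, dict] = {}
        self.applied_seq = 0

    def apply(self, ch: AccountChange) -> None:
        if ch.seq <= self.applied_seq:      # already applied: a duplicate delivery after a link flap is harmless
            return
        if ch.action == "create":
            self.accounts[ch.username] = dict(ch.data, enabled=True)
        elif ch.action in ("enable", "disable"):
            self.accounts[ch.username]["enabled"] = ch.action == "enable"
        else:
            raise ValueError(f"unknown action {ch.action}")
        self.applied_seq = ch.seq

    def may_authenticate(self, username: str) -> bool:
        acct = self.accounts.get(username)  # would this platform accept a correct credential right now?
        return bool(acct and acct["enabled"])


class CentralPlatform:
    """CAP with its AAA synchronisation server: fans changes out to slave LAPs, queueing per slave while its link is down."""

    def __init__(self) -> None:
        self.store, self.slaves, self.pending = AAAStore(), {}, {}

    def receive(self, ch: AccountChange) -> None:
        self.store.apply(ch)
        for lap in self.slaves.values():
            if lap.link_up:
                lap.store.apply(ch)
            else:
                self.pending.setdefault(lap.name, []).append(ch)

    def link_restored(self, name: str) -> None:
        self.slaves[name].link_up = True
        for ch in self.pending.pop(name, []):   # replay in order; apply() ignores anything already seen
            self.slaves[name].store.apply(ch)


class LocalPlatform:
    """LAP with its AAA synchronisation client; only the master LAP accepts changes from the UMI."""

    def __init__(self, name: str, cap: CentralPlatform, master: bool = False) -> None:
        self.name, self.cap, self.master, self.link_up = name, cap, master, True
        self.store, self.outbox, self.next_seq = AAAStore(), [], 0   # outbox: queued while our link is down
        if not master:
            cap.slaves[name] = self

    def umi_change(self, action: str, username: str, **data: str) -> AccountChange:
        if not self.master:
            raise PermissionError("only the master LAP accepts UMI changes")
        self.next_seq += 1
        ch = AccountChange(self.next_seq, action, username, tuple(sorted(data.items())))
        self.store.apply(ch)                # takes effect locally at once, link or no link
        if self.link_up:
            self.cap.receive(ch)
        else:
            self.outbox.append(ch)
        return ch

    def link_restored(self) -> None:
        self.link_up = True
        while self.outbox:
            self.cap.receive(self.outbox.pop(0))


def run_scenario() -> dict:
    """Figure 1 topology: head office LAP 114 (master), branch LAP 124 (slave), CAP 154."""
    cap = CentralPlatform()
    master, slave = LocalPlatform("LAP114", cap, master=True), LocalPlatform("LAP124", cap)
    master.umi_change("create", "alice", locations="office,home")
    slave.link_up = False                                    # branch loses its internet link
    master.umi_change("create", "bob", locations="office")
    master.umi_change("disable", "alice")                    # e.g. alice's laptop reported stolen
    stale = (slave.store.may_authenticate("alice"), slave.store.may_authenticate("bob"), len(cap.pending["LAP124"]))
    cap.link_restored("LAP124")
    healed = (slave.store.may_authenticate("alice"), master.store.accounts == cap.store.accounts == slave.store.accounts)
    master.link_up = False                                   # now the head office link fails
    master.umi_change("create", "carol", locations="office")
    queued = (len(master.outbox), "carol" in cap.store.accounts, master.store.may_authenticate("carol"))
    master.link_restored()
    return {"during_slave_outage": stale, "after_restore": healed, "during_master_outage": queued,
            "final_identical": master.store.accounts == cap.store.accounts == slave.store.accounts}
```

`run_scenario()` returns, in order: during the branch outage the branch still accepts alice and does not know bob while two changes wait at the CAP; after the link returns alice is refused and all three tables match; during the head office outage one change waits in the master's outbox, the CAP has not seen carol, yet the head office already authenticates her; and once both links are up every copy is identical again.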
Once authentication and authorization has taken place, upper level data may be transferred between the user device 111, 121, 131, 141 and the network 100. All data exchanged between a user device 111, 121, 131, 141 and the network 100 after authentication and authorization is encrypted to further ensure the security of the network 100. These two requirements may be met by operating the LAPs 114, 124 and the CAP 154 with an IEEE 802.1x (PEAP or TTLS) identification protocol and by ensuring all user devices 111, 121, 131, 141 have an IEEE 802.1x PEAP or TTLS supplicant client installed.
Of course, it is possible to operate the network 100 using alternative identification protocols if desired and without encryption, although this may be less secure.
As a further security feature, the network 100 is adapted such that the CAP 154 will not authorise access to the network 100 from any sub-networks 110, 120, 130, 140 which do not provide matching access control provisions to the rest of the network 100. For example, the home network 130 and the public network 140 in figure 1 may only be used to connect to the main network 100 if they operate under an identification protocol that is the same as that operated by the main network 100. In this way the problem of user devices 111, 121, 131, 141 being vulnerable when connected to the network 100 from a public network, due to their exposure to an insecure public network even when running virtual private network technologies, can be avoided.
In order that user accounts can be created and if desired modified, a User Manager Interface (UMI) 115 is provided. The UMI 115 can be an intranet website utility or a software application. In the example shown in figure 1, the UMI 115 is provided in the head office sub-network 110; however it is possible for it to be provided in any particular sub-network or at the same or a different secure internet location as the CAP 154 if desired. In order to ensure synchronization occurs between each LAP 114, 124 and the CAP 154 when the UMI 115 is provided in an office sub-network (such as 110), the LAP 114 in the said office sub-network 110 is designated a master LAP and any other LAPs 124 are designated slave LAPs.
The UMI 115 is operative to create, delete, enable, disable and modify user or user device accounts. For example, modifications to a user account may allow the user to access the network from home 130 or any other remote location 140, or may change the data or applications that are accessible by the user either from a particular location or from any location. It is of course possible for similar modifications to be made to a user device account in addition to or as an alternative to the modifications to a user account. Such modifications could prevent a lost or stolen user device such as a Personal Digital Assistant (PDA) or laptop being used to access the network by a third party, once the loss or theft has been communicated to a network administrator.
User/user device accounts created or modified by the UMI 115 can allow access to the entire network 100 or merely to particular sub-networks or to particular data files or applications on the whole network or particular sub-networks. The accounts may additionally restrict access to viewing data or applications but not to modifying said data or applications. The accounts may additionally have variable restrictions depending on how or from where the network 100 is accessed. For instance a first user may only connect from a particular office location 110; a second user can connect from any office location 110, 120; a third user can connect from any office location 110, 120 and from a particular home location 130, but not from public locations 140; and a fourth user may be able to connect from any location. Similar location dependent conditions may be applied to particular user devices 111, 121, 131, 141 if desired.
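The location-dependent access policies described here and in the first aspect above, together with the "matching access control provisions" rule applied to home and public sub-networks, as an added example (not code from the patent; the attribute names, the protocol labels and the sample users and locations are constructed for illustration, with the figure-1 numerals reused as labels). The authorisation decision is deny-by-default and runs its checks in the order a practitioner would want: a disabled account is refused before anything else, a sub-network that does not match the main network's provisions is refused regardless of who is asking, then the account's allowed locations and finally its view/edit permission on the requested resource are checked. The reason string returned with each decision is what belongs in the accounting record.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Access control provisions the main network itself operates; a sub-network a user connects
# through must match these before any account is authorised from it.
NETWORK_PROVISIONS = {"protocols": frozenset({"802.1x-peap", "802.1x-ttls"}), "encrypted": True}


@dataclass(frozen=True)
class SubNetwork:
    name: str         # figure-1 reference numerals reused as labels
    kind: str         # "office", "home" or "public"
    protocol: str     # identification protocol its NAG enforces
    encrypted: bool   # whether post-authentication traffic is encrypted


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    allowed_from: FrozenSet[str]              # sub-network names, "<kind>:*" wildcards, or "*"
    permissions: Tuple[Tuple[str, str], ...]  # (resource, "view" | "edit")


def provisions_match(sub: SubNetwork) -> bool:
    return sub.protocol in NETWORK_PROVISIONS["protocols"] and (sub.encrypted or not NETWORK_PROVISIONS["encrypted"])


def location_allowed(acct: Account, sub: SubNetwork) -> bool:
    return bool({"*", sub.name, f"{sub.kind}:*"} & acct.allowed_from)


def authorize(acct: Account, sub: SubNetwork, resource: str, op: str) -> Tuple[bool, str]:
    """Decision taken after authentication succeeded; deny by default."""
    if not acct.enabled:
        return False, "account disabled"
    if not provisions_match(sub):
        return False, f"sub-network {sub.name} lacks matching access control provisions"
    if not location_allowed(acct, sub):
        return False, f"{acct.username} may not connect from {sub.name}"
    granted = dict(acct.permissions).get(resource)
    if granted is None or (op == "edit" and granted != "edit"):
        return False, f"no {op} permission on {resource}"
    return True, "ok"


# Constructed sample data mirroring the four users and four locations in the text.
HEAD_OFFICE = SubNetwork("110", "office", "802.1x-peap", True)
BRANCH = SubNetwork("120", "office", "802.1x-ttls", True)
HOME = SubNetwork("130", "home", "802.1x-peap", True)
HOTSPOT_OPEN = SubNetwork("140", "public", "open", False)          # ordinary cafe hotspot
HOTSPOT_8021X = SubNetwork("140x", "public", "802.1x-peap", True)  # a hotspot that does match
PERMS = (("sales.xls", "edit"), ("handbook.pdf", "view"))
USERS = {
    "first": Account("first", True, frozenset({"110"}), PERMS),
    "second": Account("second", True, frozenset({"office:*"}), PERMS),
    "third": Account("third", True, frozenset({"office:*", "130"}), PERMS),
    "fourth": Account("fourth", True, frozenset({"*"}), PERMS),
    "stolen-pda": Account("stolen-pda", False, frozenset({"*"}), PERMS),   # disabled via the UMI
}


def decision_table(resource: str = "sales.xls", op: str = "view") -> Dict[Tuple[str, str], bool]:
    """Who may reach `resource` from where: (username, sub-network) -> allowed."""
    subs = (HEAD_OFFICE, BRANCH, HOME, HOTSPOT_OPEN, HOTSPOT_8021X)
    return {(u, s.name): authorize(a, s, resource, op)[0] for u, a in USERS.items() for s in subs}
```

Note that even the fourth user, who may connect from anywhere, is refused from the open hotspot 140 because that sub-network fails the provisions check, while the same user is admitted from a hotspot that runs 802.1x; the location wildcard never overrides the provisions rule.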
Information relating to the creation, deletion, enablement, disablement or modification of accounts undertaken by UMI 115 is transferred to the master LAP, in this example LAP 114. The master LAP 114 then connects to and synchronizes with CAP 154 via local server 113, central server 153 and a secure internet connection therebetween. The CAP 154 then synchronises with the or each slave LAP 124 via central server 153, local server 123 and a secure internet connection therebetween. In this manner a common access policy for the entire network 100 is maintained.
A conventional synchronized company network synchronizes directly between branch offices and thus the authentication services on those networks are normally inaccessible from public locations (e.g. the Internet, public network 140) or home networks 130. This therefore prevents them from implementing the company's access control policies for employees connecting to the network 100 from a public location or home network 130. In the present invention however, the network 100 is provided with one or more LAPs 114, 124 synchronized with the CAP 154, allowing companies to implement a secure access control policy for employees connecting to the network from a public location 140 or home network 130. A further advantage of the present invention is that users/user devices connecting to the network 100 from public locations 140 or home networks 130 can use the same authentication token (e.g. username/password) as they use in the office, due to the automatic synchronization between the CAP 154 and each LAP 114, 124.
It is of course to be understood that the invention is not to be limited to the details of the above embodiment which is described by way of example only.

Claims (39)

  1. A method of controlling access to a network by users or user devices having network accounts comprising the steps of: authenticating a user account or user device account when an attempt is made to access said network; and subsequently authorising authenticated account holding users or user devices to access the network wherein authorization and authentication is carried out by connecting the user or user device to an authentication, authorization and accounting (AAA) platform which may be either a central AAA platform (CAP) at a remote location or a local AAA platform (LAP) connected to and synchronized with said CAP.
  2. A method of controlling access to a network as claimed in claim 1 wherein said CAP is provided at a secure internet location.
  3. A method of controlling access to a network as claimed in claim 1 or claim 2 wherein said LAP or LAPs synchronise with said CAP via an internet connection.
  4. A method of controlling access to a network as claimed in any preceding claim wherein no upper level data is transferred between the network and the user or user device until the user or user device is authenticated and authorised by said CAP or an LAP.
  5. A method of controlling access to a network as claimed in any preceding claim wherein once authentication and authorization have taken place and the network is accessed data is transferred between the user/user device and the network in encrypted form only.
  6. A method of controlling access to a network as claimed in any preceding claim wherein said network including said CAP and said LAP or LAPs operates using an IEEE 802.1x (PEAP or TTLS) identification protocol.
  7. A method of controlling access to a network as claimed in any preceding claim wherein all user devices having network accounts have an IEEE 802.1x PEAP or TTLS supplicant client installed.
  8. A method of controlling access to a network as claimed in any preceding claim wherein the network is a dispersed network comprising one or more sub-networks.
  9. A method of controlling access to a network as claimed in claim 8 wherein each sub-network has a dedicated LAP synchronized with the CAP.
  10. A method of controlling access to a network as claimed in claim 8 wherein sub-networks without a dedicated LAP or individual user devices are authenticated and authorised by said CAP directly.
  11. A method of controlling access to a network as claimed in any one of claims 8 to 10 wherein said sub-networks or said individual user devices are able to connect to the CAP via an internet connection.
  12. A method of controlling access to a network as claimed in claim 11 wherein if the user or user device is attempting to connect to the network via a public sub-network, authorization is only forthcoming if the public sub-network provides matching access control provisions to the network.
  13. A method of controlling access to a network as claimed in any one of claims 8 to 12 wherein in embodiments wherein there are a plurality of sub-networks having LAPs, one LAP is designated a master LAP and any other LAPs are designated slave LAPs.
  14. A method of controlling access to a network as claimed in claim 13 wherein the master LAP is operative to manage user/user device accounts and to subsequently synchronise any changes with said CAP and said CAP then synchronizes said changes across all other LAPs.
  15. A method of controlling access to a network as claimed in claim 14 wherein synchronization takes place via an internet connection.
  16. A method of controlling access to a network as claimed in claim 15 wherein said CAP is provided with an AAA synchronization server operative to synchronize said CAP with said LAPs.
  17. A method of controlling access to a network as claimed in claim 16 wherein each said LAP is provided with an AAA synchronization client operative to synchronize said LAP with said CAP.
  18. A method of controlling access to a network as claimed in any preceding claim wherein management of user/user device accounts includes creation, deletion and any other modification of user/user device accounts.
  19. A method of controlling access to a network as claimed in claim 18 wherein account management is carried out by a user management interface (UMI).
  20. A method of controlling access to a network as claimed in claim 19 wherein the UMI is an intranet website utility.
  21. A method of controlling access to a network as claimed in claim 19 wherein the UMI is a software application.
  22. A method of controlling access to a network as claimed in any one of claims 8 to 21 wherein each said sub-network comprises one or more user devices connected to a network access gateway (NAG).
  23. A method of controlling access to a network as claimed in claim 22 wherein said NAG is provided with IEEE 802.1x authenticator features.
  24. A method of controlling access to a network as claimed in any preceding claim wherein typical user devices include but are not limited to computer workstations, personal computers, laptops, notebooks, printers, scanners, servers, personal digital assistants (PDA), fixed line or cellular telephones, fax machines.
  25. A method of controlling access to a network as claimed in any one of claims 8 to 24 wherein each said sub-network operates with an IEEE 802.1x authentication protocol.
  26. A method of controlling access to a network as claimed in any one of claims 8 to 25 wherein said sub-networks are wireless local area networks (WLAN).
  27. A method of controlling access to a network as claimed in any preceding claim wherein the authentication is username/password authentication via a TLS tunnel and rotating WEP keys.
  28. A method of controlling access to a network as claimed in any preceding claim wherein the network may be adapted to use the RADIUS AAA protocol or any other suitable protocol.
  29. 29. A method of controlling access to a network as claimed in any one of claims 8 to 28 wherein the dispersed network is a company wide network and each sub-network is an individual office network.
  30. 30. A method of controlling access to a network as claimed in claim 29 wherein the master LAP is provided in a head office network and the slave LAPs are provided in branch office networks.
  31. 31. A method of controlling access to a network as claimed in any preceding claim wherein account holding users are able to access the network from their home networks or from individual user devices at their home via direct authorization obtained by connection to said CAP via an internet connection.
  32. 32. A method of controlling access to a network as claimed in any preceding claim wherein account holding users or user devices may connect to and be authorised to access said network after connecting to said CAP via a public network.
  33. 33. A method of controlling access to a network as claimed in any preceding claim wherein home and public networks operate with Centralised Protocol Interception and Redirection (CPIR).
  34. 34. A method of controlling access to a network as claimed in claim 33 wherein the network access gateway (NAG) connects to the secure intemet location where the CAP is situated via a virtual private network tunnel (VPN).
  35. 35. A method of controlling access to a network as claimed in claim 33 or claim 34 wherein the CPIR is configured to monitor the protocol of data traffic passing through the VPN tunnel.
  36. 36. A method of controlling access to a network as claimed in claim 35 wherein if the particular protocol is detected, the traffic will be intercepted and then redirected to an appropriate authentication gateway.
  37. 37. A method of controlling access to a network as claimed in any preceding claim wherein different network access policies can be applied to different users.
  38. 38. A dispersed network operating comprising: a central authentication, authorization and accounting platform (CAP) provided in a secure intemet location, said CAP operative to authenticate and authorise users or user devices to access said network; one or more sub networks, each subnetwork comprising a network access gateway (NAG) having one or more user devices connected thereto and a local authentication, authorization and accounting platform (LAP) operative to authenticate and authorise users or user devices to access said network wherein each said LAP is synchronized with said CAP via an intemet connection thus ensuring that a common user access policy or user device access policy is maintained across the network.
  39. 39. A dispersed network as claimed in claim 38 operating in accordance with any one of claims 1 to 37.
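The synchronisation scheme of claims 13 to 17 (master LAP edits accounts, pushes the change to the CAP, and the CAP fans it out to every slave LAP) and the local/central authentication split of claims 9, 10 and 12 can be modelled in a few classes. The following Python is an added illustration written for this page; it is not code from the patent or from the applicants. It assumes in-process method calls in place of the internet connection and RADIUS exchange the claims describe, a per-user policy string for the "different access policies" of claim 37, salted PBKDF2 hashes for stored credentials, and a boolean flag standing in for whether a public sub-network "provides matching access control provisions" (claim 12); all class and function names are hypothetical.

```python
"""Toy model of CAP/LAP account synchronisation and authentication.

Assumed design (not from the patent): changes are dicts, revisions are
plain counters, and the AAA sync server/client are method calls.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _hash_pw(password: str, salt: bytes) -> bytes:
    # Credentials are stored as salted PBKDF2 hashes, never as plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    policy: str          # per-user network access policy (claim 37)
    enabled: bool = True

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash_pw(password, self.salt))


class AAAStore:
    """Account table plus a revision counter; base for both CAP and LAP."""
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.revision = 0

    def apply(self, change: dict) -> None:
        # change = {"op": "upsert", "account": Account} or {"op": "delete", "username": str}
        if change["op"] == "upsert":
            self.accounts[change["account"].username] = change["account"]
        elif change["op"] == "delete":
            self.accounts.pop(change["username"], None)
        self.revision += 1

    def authenticate(self, username: str, password: str):
        """Return the user's policy on success, None on any failure."""
        acct = self.accounts.get(username)
        if acct is None or not acct.enabled or not acct.verify(password):
            return None
        return acct.policy


class CAP(AAAStore):
    """Central platform running the AAA synchronisation server (claim 16)."""
    def __init__(self) -> None:
        super().__init__()
        self.laps: list["LAP"] = []

    def register(self, lap: "LAP") -> None:
        self.laps.append(lap)
        for acct in self.accounts.values():      # initial sync of a new LAP
            lap.receive({"op": "upsert", "account": acct})

    def sync_from_master(self, change: dict, origin: "LAP") -> None:
        self.apply(change)                        # claim 14: master -> CAP
        for lap in self.laps:                     # claim 14: CAP -> other LAPs
            if lap is not origin:
                lap.receive(change)


class LAP(AAAStore):
    """Local platform running the AAA synchronisation client (claim 17)."""
    def __init__(self, name: str, cap: CAP, master: bool = False) -> None:
        super().__init__()
        self.name, self.cap, self.master = name, cap, master
        cap.register(self)

    def receive(self, change: dict) -> None:
        self.apply(change)

    def manage(self, change: dict) -> None:
        # Only the master LAP (claim 13) may originate account changes.
        if not self.master:
            raise PermissionError(f"{self.name} is a slave LAP; use the master LAP")
        self.apply(change)
        self.cap.sync_from_master(change, origin=self)


def authorise(cap: CAP, lap, username: str, password: str,
              public: bool = False, public_matches: bool = False):
    """Claims 9/10/12: use the sub-network's LAP if it has one, else the CAP;
    over a public sub-network only if that sub-network matches the policy."""
    if public and not public_matches:
        return None
    return (lap if lap is not None else cap).authenticate(username, password)


def new_account(username: str, password: str, policy: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, _hash_pw(password, salt), policy)


def demo() -> dict:
    cap = CAP()
    head_office = LAP("head-office", cap, master=True)   # claim 30
    branch = LAP("branch", cap)
    head_office.manage({"op": "upsert", "account": new_account("alice", "correct horse", "staff")})
    results = {
        "branch_auth": branch.authenticate("alice", "correct horse"),
        "cap_auth": cap.authenticate("alice", "correct horse"),
        "wrong_pw": branch.authenticate("alice", "wrong"),
        "revisions": (cap.revision, head_office.revision, branch.revision),
        "no_lap_direct_cap": authorise(cap, None, "alice", "correct horse"),
        "public_unmatched": authorise(cap, None, "alice", "correct horse", public=True),
    }
    try:
        branch.manage({"op": "delete", "username": "alice"})
        results["slave_blocked"] = False
    except PermissionError:
        results["slave_blocked"] = True
    head_office.manage({"op": "delete", "username": "alice"})
    results["after_delete"] = branch.authenticate("alice", "correct horse")
    return results
```

The revision counters make the point of the claims visible: after one change from the master LAP, CAP, master and slave all sit at the same revision, so a user authenticates identically at the branch LAP or directly at the CAP, and a deletion at the master is honoured everywhere on the next fan-out.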
GB0514944A 2004-07-24 2005-07-21 Controlling access to a network using a central AAA platform and local AAA platforms synchronised with the central AAA platform. Withdrawn GB2416651A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GBGB0416563.5A GB0416563D0 (en) 2004-07-24 2004-07-24 Accessing networks

Publications (2)

Publication Number Publication Date
GB0514944D0 GB0514944D0 (en) 2005-08-24
GB2416651A true GB2416651A (en) 2006-02-01

Family

ID=32922758

Family Applications (2)

Application Number Title Priority Date Filing Date
GBGB0416563.5A Ceased GB0416563D0 (en) 2004-07-24 2004-07-24 Accessing networks
GB0514944A Withdrawn GB2416651A (en) 2004-07-24 2005-07-21 Controlling access to a network using a central AAA platform and local AAA platforms synchronised with the central AAA platform.

Family Applications Before (1)

Application Number Title Priority Date Filing Date
GBGB0416563.5A Ceased GB0416563D0 (en) 2004-07-24 2004-07-24 Accessing networks

Country Status (1)

Country Link
GB (2) GB0416563D0 (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6263369B1 (en) * 1998-10-30 2001-07-17 Cisco Technology, Inc. Distributed architecture allowing local user authentication and authorization
WO2003029940A2 (en) * 2001-10-02 2003-04-10 Networks Associates Technology, Inc. Master security policy server
US20030093690A1 (en) * 2001-11-15 2003-05-15 Stefan Kemper Computer security with local and remote authentication
US20030147537A1 (en) * 2002-02-07 2003-08-07 Dongfeng Jing Secure key distribution protocol in AAA for mobile IP
US6668283B1 (en) * 1999-05-21 2003-12-23 Cisco Technology, Inc. ISDN B-channel count limitation
US20040085942A1 (en) * 2002-11-01 2004-05-06 Yanqun Le Session updating procedure for authentication, authorization and accounting
EP1589777A1 (en) * 2003-01-30 2005-10-26 Matsushita Electric Industrial Co., Ltd. Unitary management authentication device

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9438604B1 (en) * 2015-07-02 2016-09-06 International Business Machines Corporation Managing user authentication in association with application access
US9635035B2 (en) 2015-07-02 2017-04-25 International Business Machines Corporation Managing user authentication in association with application access
US9635036B2 (en) 2015-07-02 2017-04-25 International Business Machines Corporation Managing user authentication in association with application access
US9736169B2 (en) 2015-07-02 2017-08-15 International Business Machines Corporation Managing user authentication in association with application access

Also Published As

Publication number Publication date
GB0416563D0 (en) 2004-08-25
GB0514944D0 (en) 2005-08-24

Similar Documents

Publication Publication Date Title
US7437752B2 (en) Client architecture for portable device with security policies
US7665125B2 (en) System and method for distribution of security policies for mobile devices
US7665118B2 (en) Server, computer memory, and method to support security policy maintenance and distribution
US8973122B2 (en) Token based two factor authentication and virtual private networking system for network management and security and online third party multiple network management method
US9769655B2 (en) Sharing security keys with headless devices
EP2328319B1 (en) Method, system and server for realizing the secure access control
US20060190984A1 (en) Gatekeeper architecture/features to support security policy maintenance and distribution
US20120317625A1 (en) Dynamic Authentication in Secured Wireless Networks
EP1547303A1 (en) Server, computer memory, and method to support security policy maintenance and distribution
CN101714918A (en) Safety system for logging in VPN and safety method for logging in VPN
JPH10269184A (en) Security management method for network system
BRPI0520139B1 (en) Method and apparatus for secure anonymous wireless lan (wlan) access
EP1943769A1 (en) Method of providing secure access to computer resources
US20130024948A1 (en) System for enterprise digital rights management
Kravets et al. Mobile security solution for enterprise network
KR20060044494A (en) Network management system and network management server of co-operating with authentication server
CN101621503A (en) Identity identification system and method being applied under virtual private network framework
CN112334898A (en) System and method for managing multi-domain access credentials for users having access to multiple domains
GB2416651A (en) Controlling access to a network using a central AAA platform and local AAA platforms synchronised with the central AAA platform.
KR20110128371A (en) Mobile authentication system and central control system, and the method of operating them for mobile clients
Cisco Deploying Cisco Secure ACS
Cisco Understanding the Cisco VPN Client
Jensen Identity management lifecycle-exemplifying the need for holistic identity assurance frameworks
Forsberg Secure distributed AAA with domain and user reputation
Garbis et al. Network Access Control

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)