AU1974101A - Service sign on - Google Patents

Description

09-FEB-2001 15:05 A J PARK 64 4 4723358 64 4 4723358 P.05/34 -1I- Regulation 3.2

AUSTRALIA

PATENTS ACT, 1990 COMPLETE SPECIFICATION FOR A STANDARD PATENT

ORIGINAL

Name of Applicant: Actual Inventor: Address for service in Australia: Invention Title: NICE TALENT LIMITED Tang Pak HUNG A J PARK, Level 11, 60 Marcus Clarke Street, Canberra ACT 2601 SERVICE SIGN ON The following statement is a. full description of this invention, including the best mcthod of performing it known to n/us RECEIVED TIME 9. FEB. 13:44 RTTIE 1.FB 116 PRINT TIME 10. FEB. 11:06 09-FEB-2001 5:05 A J PARK 1 64 4 4723358 P.06/34 b 64 4 4723358 1 A The need foz Service Sigri On arise3 From the deployment of broadband I2 internetworking infrastructure.

Examcles of a broadband 12 interrtetworking infrastructure include high-speed 12 networks over cable TV infrastructure or intell.!gent building networks based on structured wiring. Both of these examples are based on a contnection-less transmission mediumL- in layer 2 of the OSI model, one over RF (radio frequency) and the other based or. IEEE 802.3. With a V connection-less data link control layer, there is no natural point in the network itself (OSI model. layer 3 or below) for performing user authentication when a user starts to use the network services. it is therefore difficult to account for when the user starts to use the network and when the user stops using the network.

It is an obJect of the invention to overcome or at leasc red'a.ce this o.robJlem.

According to the invention there is pro~tided a service sign-an (SSO) method for use by an internet service provider or a network owner in a broadband 1? RECEIVED TIME 9. FEB. 13:44 PRINT TIME 10. FEB. 11:06 09-FEB-2001 1)5:06 Al J PARK 64 4 4723358 P.07/34 64 4 4723358 2inte-rnetworking infrastructure for user auLt hert i cation to permit access of an access device to use network service(s) enabled by the said infrastructure and subsequent access records keeping, said access device being configured for DHCP and incorporating a Software supporting Java appl~et, which method comprises providing a database for storing user-related information, providing a DHCP server for answering

DRCP

packets from said access device via an existing ifltaznetwor king device in said infrastructure to establish communication of said access device via the internetworking device with a SSO web server, providing sai SS we severfor serving a sinon form to said access device to commence a pre-sign-on state for user 1 5 authentication, providing said SSO web server for serving Java applet to said access device to maintain a session representing that access to said network service and/or to automate DHC? I? address lease renewal; providing said SSO web server for controlling ass;ignment of IP address to the said access device; providing said SSO web server f or activating a per user access and service control policy on the in ternetwor king devices and providing a DNS server for answering DNS queries from said access device via the internetworking device for permitting access of said access device to said network service, and means for RECEIVED TIME 9. FEB. 13 :44 PRINT TIME 10. F EB. 11:06 09-FEB-2001 15:06 A J PARK A64 4 4723358 P.08/34 64 4 4723358 3monizoring and receiving records relating to that access for accounting purpose.

Preferably, the internetworking device is an electronic dievice or computer system that is deployed by said ISP or network owner in a communication path between said access device and the Internez or internal server system, that can be commanded by said SSQ web server, usjig IETF standards I? comm-unication protocol to activate said per user access and service policy.

More preferably, the internetworking device is provided by a router.

Further more preferably, the router is an edge router connected closest to said access device.

The router may be an edge router connected nearest to said access device. Internetworking devices may be any elec-tronicr device or computer system(s) that are deployed by said ISP or network owner in a communication path between Said access device and the 4 Internet or internal server system Cs), that can be commanded by a trusted process, such as said SSO web server, using IETF standards T2 communication protocol(s) to activate said per user access and service policy.

RECEIVED TIME 9. FEB. 13:44PRN TIE i.FB 1Q PRINT TIME 10, F E B, 11:06 09-FEB-2001. j5:6 A J PAlRK A 64 4 4723358 P.09/34 64 4 4723358 -4 A Service Sign on method according to the invention w-il noew be described by way of example with reference to the accompanying schematic drawings in which S Figure 1 is a normal user workstation start up; Figure 2 is stage 3. of a Service Sign On; Figure 3 is stage 2 of a Service Sign On; 0 Figure 4 is a Sign Off 5tage; and Figure 5 is a Time-out stage.

The Service Sign On method is a mechanism that is designed to resolve the difficialties of the prior art :by making it possible for internet service providers (ISPs) or network owners to: 20 1) Control user access to a broad~band I? network even if connection-less transmission medium is used; b) Account for usage duration and other usage related paramneters; C) TIplement access and service policy on how the user usea the network resources; and d) Acquire information about_ the access device used RECEIVED TIME 9. FEB. 13:44 PRINT TIME 10. FEB. 11:06 09-FEB-2001 15:07 A J PARK 64 4 4723358 P.10e/34 64 4 4723358 by the user.

The whole mechanism is based orl open 1:ETF-based standard IP comu-nnication Drotoc;oIs and can be implemented on commercially available hardware and software. Some of the open protocols that are used in the mechanism include D~qCP, DNS, H-TTP, SNMP, and TELNET.

Tt is assumed that user informati-or is, captured by a separate registration process. This liser registration process will capture at a minimumn the following information in a centralized data st-ore: a) Username and password b) Access policy such as restricted access from a specific cable modem or physical ports c) Service policy such as class of service and types of service subscribed Use Process 1) User needs to ensure that an access device is conf~igured for DHCP and have a software, such as a browser, installed that support Java applet.

2) User plugs the access device to a service connection point, such as an Ethernet port of a cable modem or a RJ-45 connector that connects to RECEIVED TIME 9. FEB. 13:44PR TTIE 1.FB 1:0 PRINT TIME 10. FEB. 11 0 6 09-FEB-2001 15:07 A~ J PARK 64 4 4723358 64 4 4723358 P.11/34 6an Ethernet hub or switch.

3) User starts up the access device (say boot:s a PC).

4) User opens the browser and connects to a Service Sign On web site.

User can only access the Service Sign On (SSQ) Web Server before sign on- All other traffic will be blocked by the router.

User prompted for userniame and password- User asked to wait for service sign on to complete.

8) Service sign on completed.

9) User starts to use the network services that he is authorized.

During the sign on period, a Java applet. sh-ould be kept active.

a. S. S The SSO mechanism makes use Of fEive, different system components that can be installed in different computers or in the same Computer. The five components are: L) DHCP server 2) User informiation data store 3) SSO web server 4) DNS server Accounting record data store The DHCP server answers DHCP packets from the access RECEIVED TIME 9. FEB. 13:44PRN TIE 1,FB 1 6 PRINT TIME 10. FEB. I I 0 6 09-FEB-2001 15:07 A5 PARK 64 4 4723358 64 4 4723358 P. 12/34 -7 device in both a Dre-s ign-on and post-sign-on state.

The u~ser infonimation data store contains all the user related informnation such as usernaine, password, access poli.:y and service policy for the user.

The SSO web server executes the serviet and serves the Java applet(s) to the access devices. The serviet authenticates the user, checks the user authorizations, activates access and/or service policy in the roumer and/or other internetworking devices.

The DNS server answers DNS queries fromn the access device during the pre-sign-o- arnd post-sign-on state.

is The accounting record data store receives all connection related records '&or a particular user session as generazed by the serviet or a daemon.

S

Pre-sign-on means that the access device is yet to trigger the SSO mechanism.

Post-sigjn-on means that. the servJlet has completed the verification and policy enforcement process.

A session means the period between a session-start RECEIVED TIME 9. FEB. 13:44PR TTIE i.FB i6 PRINT TIME 10. FEB. I I 0 6 09-FEB-2001 1.5:08 A J PRRK A64 4 4723:358 P.13/34 64 4 4723358 record and a session-end record that the servlem generates for the accounting record data store.

Ther,-- are five processes in the whole 550 method: 1) Initial access device activation process 2) Browser to SSO web server process 31, ServIet sign-on verification process 4) Post-sign-on access device activation process 5) Logout or timeout process An initial Access Device Activation Process (Process 1) is as follows:- 1) Access device starts up and iJssues a DHCP DISCOVER packet that contains a MAC addzess of the access device.

2) DHCP server checks its internal database to verify if the MAC address is registered. In the presign-on state, the MAC address is not registered with the DHC? server.

3) DIHCP server builds a DHCP OFFER to offer the access device a temporary IP address and the IP address of the DNS server- 4) Access device issues a DH-C? R.EQUJEST to request for the temporary IP address.

RECEIVED TIME 9. FEB. 13:44 PRINT TIME 10. F EB. I110 6 09-FEB-2001 15:09 A J PARK A 64 4 4723358 P.14/34 64 4 4723358 DH{CP server pexforms step 2 and 3 again and builds a DF-CP ACK packet.

Browser to SSO Web Server Process (Process 2)js as follows:- 1) User starts the web browser and opens the SSO web site.

The access device attempts to resolve the host name by sending a DNS QUERY packet to the DNS server.

The DNS server resolves the host name to the IP address of the SSO web server- 4) The HTTP request goes to the SSO web server.

5) SSO web server returns a sign-on form to the user browser.

Ser*e Sino.eiiainPocs Po 53 sa 3)rvIf k eet SinreVrf tine arcess (nrocer3)iea RECEIVED TIME 9. FEB. 13:44PR TTIE i.FB 1:6 PRINT TIME 10. FEB. I I 0 6 09-FEB-2001 1-3:08 A~ J PARK A 64 4 4723358 P.15/34 64 4 4723358 policy for the particular user.

4) Serviet determines the IP address of the access device from HTTP meta-variables.

checks the DHCP servez for ithe 1AAC address of the access device.

6) ServIet verifies conformance of the access policy by sending out SN'T queries and/or TELNET connection to relevant internetworkinq devices.

Serviet issues a command to the DHCP server- to i0 registex the access MAC address with an appropriate policy rule set.

8) Servlet creates a random session identifier and makes an entry to a temporary data store 9) Servlet sets the session iden-tifier into the browser in the form of cookie.

I0)Servlet downloads a lease-renewal Java applet to the user browser.

RE E V D T ME 9 E 13 44P I T I E 1.FE 1 09-FEB-2001 15:09 A J PARK A 64 4 4723358 P.16/34 64 4 4723358 Post-sign-on Access Device Activation Process (Process 4)i4s as follows:- 1) The lease-renewal Java applet initiates a D8CP lease release and renew. The exact action may be platform dependent.

2' Access device issues a DHCP DISCOVER packet containing a MAC address.

31 DHCP server looks up the MAC address and should find the MAC address registered.

4) DHCP server builds a DHCP OFFER with a valid 1P address according to appropriate policy rule set.

S) Access device issues a DHC? REQUEST for a lease on the T? address offered.

1 DH-C? server performs steps 3 and 4 again and builds the DHCP ACK packet.

7) Java applet issues a special session-start HTTP request to S.SO serviet.

8) Serviet retrieves the session record based on, the session identifier in the rneta-variable.

9) Serviet implements the access and service policy onto the router and other internetworking devices using SNMP, TELNET or some other open protocols.

Serviet sends out the service sign on complete page to the user browser.

11) A new browser window is automatically started RECEIVED TIME 9. FEB. 13:44PRN TIE @.FB 11 PRINT TIME 1O.FEB, 11:05 09-FEB-2001 15:09 Al J PARK 164 4 4723358 P.17/34 64 4 4723358 with a keep-alive Java appJle-t enbedded.

12) Serviet writes a session-start record to the local data store.

Logout or Timeout Process (Process 5)is as follows:- 1) The keep-alive Java appl~et periodically sends out special session keep-alive HTTP request to the SSO servlet.

2) SSO servIet updates the session record showing the last active tirnestamp.

3) If u~seL clicks -a LOGOUT button on the Java appDlet: a. Java applet sends a special session end HTTP 0 0 15 request to the SSO servlat.

b. Serviet writes sessioni-end record to the accounting record data store.

c. Servlet performs a clean up chores including removing the session record from the local data store, removing the MAC address from the DHCP server and removing any access and service policy from the router and other internetworking devices.

4) If user de-activates the access device or closes the Java applet: a. A background daemocn in the SSO web server RECEIVED TIME 9. FEB. 13:44PR TTIE i.FB iD PR I NT T I ME 10. FEB. I I 0 09-FEB-2001 15:09 Al J PARK 64 4 4723358 P.18/34 64 4 4723358 -13 periodically scans the local data store for session records.

b. For session records that have expired, daemon performs the clean up Chores including write session-end record to accounting record data store, remove session record from local data store, remove the MC address from the DH-CP server and remove any access and service policy from the router and other internetworking devices.

To illustrate the method reference is now made to the Figures. In Figure 1 the u-ser workstation is being set up to use DRCP for I? configuration. In a normal boot 15 sequence, it raises a DHCP request. The D!HCP server responses and allocates a temporary IP address which is OS0 ~ee.barred by the Rout.er from going out to Internet.

.*s 'In Figure 2, the user brings up the web browser for service sign-on. It sets tJRL to the Service Sign-On Server which triggers a DNS look up. DNS protocol is allowed to go through the Router. The DNS server replies with the IP address of the internal service Sign-On Server. Web browser opens HTTP connection with the Service Sign-On Server. User is required to supply user ID and password.

RECEIVED TIME 9. FEB. 13:44PRN TIE i.FB 11C PR I NT T I ME 10, FEB. I I 0 09-FEB-2001 15:10 A J PARK A 64 4 472335e P.19/34 64 44723358 -14 If authentication is successful, a CGI program or serviet will check if this access is authorized based on pre-defined rules and restzictions. In case of successful user authentication anid author izat ion, a CGI program or serviet will be activated to configure the DHCP server such that a piiblic IP address will be assigned to this pazticular user workstation the next time D)HCP request is received from it. Repl~y is sent back to the browser with status update and Java applet for follow-up actions.

cnfiguretio, a Java applet in the responding HTML g pTeroial soC serve resones werihte updatnSrer wil conftigsratonfiguJrao intaet. in t rfpingt HequeL agetsaedto nfigr the Servic assignOn Server pdeodinlyto thate lsric Sign-eonerr llth ne fro th aest roulte atChrograf or Inervet willsbe In Figure 4, the Uiser has decided to terminate his access and clicks on a "Disconnect" button on the web RECEIVED TIME 9. FEB. 13:44PRN TIE i.EB 1D PR I NT TIME 10. FEB. I I 0 09-FEB-2001 15:10 A~ J PARK A64 4 472358 P.20/34 64 44723358 page. Service Sign-on Server revokes the DHC? configura-tion. for this workstation. Entry in the access li4st of the Router for this workstation is removed.

Service Sign-On Server sends completing H1TML. message to the workstation. Service Sign-on Server updates accounting record.

In Figure 5, the Java applet in the web browser of the user workstation stops notifying the Service Sign-On Server of its 'oresence quit browser, workstation .0::Ooshutdown, etc.), the Service Sign-on Server will revoke 00000the DH-CP configuration for this workstation. Entry in o o th;e access list of the Router for this workstation is removed. Thus, no -further access from this workstation 0 15 to the Internet is allowed. Service Sign-On Server updates accounting record.

0*0. it is quite possible to provide the Service Sign On 0 according to the invention without the steps that force an access device to change the temporary !F address to a public IP address in Process 3 Step 7, 10 and Process 4 Step 1 to 8. This can be achieved simply by allocating to the access device a default public 12 address in Process 1 Step 3. If in Process 3 Stem 3 to 4 it is determined that it is acceptable for the user to continue to use the default public 12 address, RECEIVED TIME 9, FEB, 13 44 PRINT TIME 10. FEB. 11I: 05 09-FEB-2001 15:10 A J PARK A 64 4 4723358 P.21/34 64 4 4723358 16 Process 3 Step 7, 10, Process 4 Step 1 to 8 and the clean up chore of removing the MAC address from the DHCP server can be skipped.

The described methods or mechanisms have particular applications in a public broadband IP network services environment and in a mobile office environment.

Currently, there are three major categories of service access technology for public broadband IP network services. Most service providers make use of digital subscriber loop (DSL), cable modem or structured wiring for Ethernet to provision their services. DSL mainly makes use of a connect-oriented protocol in layer 2 of the OSI model. Cable modem and structured wiring for Ethernet make use of a connection-less protocol in 15 layer 2 of the OSI model. At present, DSL service *e providers model their service provisioning method on an Internet dial access mechanism. Users will need to "dial-in" to a gateway, an additional internetworking device inserted in the communication path, for authentication and authorization before proceeding. The mechanism is based on building a tunnel between the subscriber's access device and the gateway before any network service can be provided. Some common encapsulation protocols include PPP over Ethernet (PPPoE) and Layer 2 Tunneling Protocol (L2TP).

RECEIVED TIME 9. FEB. 13:44 PRINT TIME 10. FEB. 11 0 09-FEB-2001 15:11 A J PARK A 64 4 4723358 P.22/34 64 4 4723358 -17 Extensions of tunneling models may solve signi on. issu'es for cable moderu and structured wiring for Ethernet.

However, the tunneling affects the whole or overall network communications and requires special and sophistication programming. The de-9cribed mechanisms do not model after an internet dial-up access mechanism.

Instead, the mechanisms make use of a common web site sign~ on model, and subscribers are required to sign on to a special web site, that is the SSO Server, before they are allowed access to the network services.

The described mechanisms are therefore:- More scalable to serve many more users than using 15 tunneling; -Less costly to implement than tunneling; -More friendly to multi-media traffic that is transmitted over IF zulticast; and Able to create revenues generating opportunities like pushing advertisements to subscribers from the SSO Server In some multinational companies, a so-called "mobile office" has been implemented where employees no longer have a fixed office or desk space. When employees come to work, they need to go through a check-in process RECEIVED TIME 9. FEB. 13:44 PRINT TIME 10. FEB. 11:05 09-FEB-2001 15:11 A J PARK A 64 4 4723358 P.23/34 64 4 4723358 more or less like -a hotel check-in. It is therefore possible that the same employee will be connecting into the company's intranet using different physical "rthernet Ports. The described mechanisms of service sign on can then be used to authenticate and authorize the user before allowed access into the corporate intraaet. Without the mechanism of service sign on, an administrator Will need to manually perform a numnber- of tasks on the internietworking devices to enforce proper security on the intranet.

The described mechanisms of service sign on make use of the capability in creating a point to perform authentication, authorization, network access control and policy enforcement in a broadband .P network. The point of entry into the broadband TP network is provrided by the SSO Server. The mechanisms do not need to create any new communication protocol. The mechanisms are accomplished by making sure that data f lcws during the sign-on stage can only happen in a pre-defined manner.

Normally, the described mechanisms are implemented by appropriate software, that is by means of a combination of web pages, CGI scripts and/or Java servlets, Java applets and back-end network con-figuration modules.

RECEIVED TIME 9. FEB. 13:44 RTTIE1.FB116 PR I NT T I ME 10. F E B. I I 0 09-FEB-2001 15:12 A J PARK A 64 4 4723358 P.24/34 64 4 4723358 19- Technically, it is also possible to im~plement the described SSO Server as a hardware device for better performance or possibly more if required reliability.

The Router can be regarded as an intelligent or program controlled 'switch". Routers aze well-known and widely uased in Internet and like communication networks and are used for routing digital transmissions around and throughout a network. Routers have the capability of transmitting infEortmation or not, generally in the manner of an ON-OFF switch say, and so provide access control to some addresses but not others. Known Routers also provide bandwidth control for certain applications, where for example the rate of admission of data mustr be reduced, priority control where some packets can be given higher priority, quality control such as delaying certain information, and "don't drop packet" facilities.

A feature of the present invention resides in the SSO server being able to make use of various known R.outer characteristics to respond to pre-definied access and service policy of the network owner on a per user basis.

For example, a VIP user can be given high priority.

order or quality controls to the Router can be provided RECEIVED TIME 9. FEB. 13:44 ITTME 0.F.115 PRINT TIME 10. FEB. I I 0 09-FEB-2001 15:12 A J PARK 64 4 4723358 64 4 472:3358 P.25/34 20 based on appropriate instructions automatically provided by the SSO server when the User accesses the Internet. These Instructions are based on the User 1D or other known User data or special User instructions at ini tial sign on. In the same way, the SSO server can automatically respond to known (pre-registered) User detail~s or instructions t6 cont.-ol access to certain data by content/quality or time locks, so that either only certain data is transmitted/received (where sen~sitive material may be totally barred, say) oz- only transmitted at certain times of the day. This latter could be used for restricting transmissions to certain users~ or to children for certain times of each day.

a RECEIVED TIME 9J EB. 13:44 RNTIE1.FB1:4 PRINT TIME 10. F E B. I I 0 4

Claims (1)

1. 09-FEB-2001 15:12 A J PARK A 64 4 4723358 P.26/34 64 4 4723358 -21. THE CLAIMS DEFINING THE INVENTION ARE AS FOLLOWS: 1. .A service sign-on (SSQ) method for use by an internet service provider (ISP) or network owner in a broadband IP internetworkiig infrastructure for user authentication to permit access of an access device to use network service enabled by the said infrastructure and subsequent access records keeping, said access device being configured for DILCP and incorporating a sof-:ware supporting Java applet, which method comprises providing a database for storing user-related information, providing a CH1CP server for answering DHCP nackets from said acce.-s device via an existing internetworking device in said. infrastructure to is establish communication of said access device via the internetworking device with a SSO web server, providing said SSO web server for serving a sign on form to said access device to commence a pre-sign-on state for user authentication, providing said SSQ web server fo~r serving-Java applet to said access device to maintain a session representing that access to said network service and/or to auitomate DHCP IP address lease renewal; providing said SS0 web server for controlling assignment of IP address to said access device, providing said SSO web server for activating a per user access and service control policy on the RECEIVED TIME 9. FEB. 13:44PRN TIE 1.FB 1:4 PRINT TIME 10. F E B. I I 0 4 09-FEB-2001 15:13 A J PARK £64 4 4723358 P.27/34 64 4 4723358 -22 interne twor king device and providing a DNS server for answering DNS queries from said access device via the internetworking device for permitting access of said access device to said network service, and meaans for m ronitoring and receiving records relating to that access for accounting purpose. 2. The service sign-on method as claimed in claim 1, wherein the interrietworking device is an electronic io device or computer system that- is deployed by said IS? or network owner in a communication path between said access device and the Internet or in.rternal server system, that can be commanded by said SSO web server, using IETF standards IP communication protocol to activate said per user access and service policy. 3. The service sign-on method as claimed in claim 2, wherein the internetworking device is provided by a router.- 4. The Service sign-on method as claimed in claim 3, wherein the router is an edge router connected closest to said access device. NICE TALENT LEMMITE Dated this 9th day of February 2001 By their Patent Attorneys AJPARX On behaf 01an Per:. RECEIVED TIME 9, FEB. 13:44 PRINT TIME 10. F EB. I11:04