GB2502781A - Session Authentication via a Network Policy Controller - Google Patents


Info

Publication number
GB2502781A
Authority
GB
United Kingdom
Prior art keywords
network access
client device
authentication
data item
access control
Prior art date
Legal status
Granted
Application number
GB1209931.3A
Other versions
GB2502781B (en)
GB201209931D0 (en)
GB2502781B8 (en)
Inventor
Christopher Spencer
Current Assignee
GLOBAL REACH CORP Ltd
Original Assignee
GLOBAL REACH CORP Ltd
Priority date
Filing date
Publication date
Application filed by GLOBAL REACH CORP Ltd
Priority to GB1209931.3A
Publication of GB201209931D0
Publication of GB2502781A
Publication of GB2502781B
Application granted
Publication of GB2502781B8
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/102 Entity profiles
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Hardware Design
  • General Engineering & Computer Science
  • Signal Processing
  • Computer Networks & Wireless Communication
  • Computing Systems
  • Theoretical Computer Science
  • Power Engineering
  • Software Systems
  • Physics & Mathematics
  • General Physics & Mathematics
  • Storage Device Security
  • Information Transfer Between Computers

Abstract

A Network Policy Controller (NPC, 2) authenticates a communication session between a client (10) and an external network (e.g. an HTML webpage provider 8) by appending a session identifier (SID) and the client's media access control (MAC) address to the intercepted data packet (9) and forwarding it to a remote authentication server (4), which provides the client with a user ID and password login webpage (fig. 3). Upon successfully validating the predetermined password data, the authentication server delivers the required webpage resource, named after the SID, to the client via the NPC; the NPC detects the SID-named resource in that traffic and grants the client network access.

Description

Improvements in and Relating to Authentication
The invention relates to authentication of users requesting access to a network of computers, such as the Internet. In particular, though not exclusively, the invention relates to controlling access to resources on or via the World Wide Web.
Controlling the access of a user to a network, such as the Internet or a private intranet, is an essential element of modern network usage. It is common that network access may be controlled by a device known as a Network Policy Controller (NPC), or the like, which remotely maintains and administers the network access rights assigned to the machines (client computers) of individual users and/or rules which must be enforced if network access is to be granted to users. The NPC may also implement such access restrictions on the basis of those access rights and rules.
For example, a user of a client computer may wish to gain access to the Internet (or a particular website), or may wish to gain access to a secure or restricted-access intranet or private network. An NPC assigned to control access to/from the network in question would typically be arranged to be the route via which the client device may access the network subject to restrictions. The NPC may receive a network access request and may grant or prevent access to the requested network according to the access rights assigned to that client in respect of the requested network or website.
However, this can require the NPC to not only administer but also implement the rules and rights in question in respect of potentially very many users (clients) and very many networks or websites.
This can become burdensome and difficult to administer.
The invention aims to address these difficulties.
At its most general, the invention is the delegation of at least some of the implementation of network access rules from a network access control device (e.g. an NPC) to an authentication device (e.g. a server device), and the communication of the result of that implementation back to the network access control device using a webpage resource destined for the authenticated client device. This double-purpose use of the webpage resource helps reduce traffic to, and the processing burden upon, the network access control device.
In a first aspect, the invention provides a computer implemented method for authenticating the access rights of a client device to a computer network, comprising receiving (e.g. intercepting) by a network access control device a network access request message from the client device requesting network access, and directing the network access request message from the network access control device to an authentication device together with an associated identity data item generated by the network access control device identifying the network access request message. The method includes delivering to the client device a webpage from the authentication device comprising a user input interface for receiving a predetermined user authentication input at the client device, and monitoring by the network access control device the data delivered to the client device from the authentication device to detect said identity data item therein, and authenticating the network access rights of the client device if a said detection occurs. The method further includes delivering to the client device a webpage resource from the authentication device in response to said user authentication input wherein the webpage resource is delivered together with said identity data item thereby to cause said authentication.
The network access control device is preferably remote from the client device. The authentication device is preferably remote from the network access control device and from the client device. The network access control device may be arranged to direct the network access request message to the authentication device together with an address of the client. The authentication device may use this address to address the webpage and the subsequent webpage resource (i.e. provide those communications with a destination address) destined for the client device.
In this way, the network access control device (e.g. an NPC device) may delegate to a remote authentication device the implementation of network access rules which, in turn, notifies the network access control device of successful implementation using a simple and efficient notification technique.
The method may include, at the authentication device, assigning to the webpage resource an identity which matches said identity data item for use by the client device in identifying the webpage resource, and delivering the webpage resource to the client device (via the network access control device) with said identity. The naming of the webpage resource by the authentication device may be such that the name in question matches the identity data item previously received by the authentication device from the network access control device. The authentication device may deliver the webpage resource to the client device via the network access control device, as a resource item bearing this name. The webpage resource may be a component amongst other webpage resources for rendering concurrently at the client device (e.g. part of the webpage, or a new webpage) and/or data items and/or files generated by the authentication device to be delivered to the client device via the network access control device.
The webpage resource preferably includes a data file and the method may include using the identity data item as a file name of the webpage resource by the authentication device.
The webpage resource may comprise an image data file conveying image data for display by the client device. The image data file may convey an image for discernible display on the webpage rendered at the client device. It may represent a number of pixels (e.g. as few as one) for display at the client device which, optionally, is/are identical to existing pixels rendered via the webpage such that the webpage remains unchanged when the webpage resource is delivered and implemented (e.g. rendered) at the client device.
The method may include the network access control device inserting into the network access request message a message header containing the identity data item and directing the network access request message bearing said message header to the authentication device. The network access request may simply comprise a datagram, packet or other communications item bearing a destination address (e.g. an IP address) of a destination which resides in a network subject to access restrictions. The network access control device may be arranged to monitor communications traffic output from the client device and, upon detection of a communications item of that traffic bearing a destination address located within a restricted network, may determine that particular communications item to be a network access request.
The message header may include an address of the client device such as a media access control (MAC) address. The authentication device may be arranged to read the appropriate part of the header to obtain the address of the client device and to employ that address to subsequently address the communications (e.g. datagrams, packets etc.) associated with the webpage and the webpage resource for subsequent delivery to the client device via the network access control device. The message header may include a header field dedicated to containing the address of the client device (e.g. MAC address), and may comprise a separate header field dedicated to containing the identity data item. The identity data item may be a session ID ("SID") generated by the network access control device in respect of the network access request.
The header preferably contains an address of the client device. The method may include the authentication device reading the header thereby to determine the destination for delivery to the client of said webpage and said webpage resource.
Thus, the authentication device is provided with the information required to communicate with the client device when implementing authentication rules and in conveying the result of authentication to both the client device and the network access control device.
The method may include the authentication device reading the identity data item from the header and naming the webpage resource with a name which includes the identity data item.
Preferably, the identity data item uniquely identifies the webpage resource from amongst the other data delivered from the authentication device to the client device.
The monitoring by the network access control device preferably includes comparing the identity data item to the identities of data items delivered from the authentication device to client device via the network access control device, in search of a match. The network access control device may be arranged to compare the names of webpage resources destined for the client from the authentication device with the identity data item previously generated by the network access control device. This identity data item (or a copy of it) is most preferably stored by the network access control device upon its generation, for later use for this purpose.
The monitoring preferably occurs only in respect of data delivered from the authentication device to the client device after said directing by the network access control device and until said subsequent identification of the identity data item in said webpage resource from the authentication device. This reduces the monitoring time to those times when it is needed.
In a second aspect, the invention may provide apparatus for authenticating the access rights of a client device to a computer network, comprising a network access control device arranged for controlling access to the network by the client device, and an authentication device arranged to communicate with the network access control device. The network access control device is arranged to receive (e.g. intercept) a network access request message from the client device requesting network access, to generate an identity data item identifying the network access request message, and to direct the network access request message to the authentication device in association with the identity data item. The authentication device is arranged to deliver to the client device a webpage comprising a user input interface arranged for receiving a predetermined user authentication input at the client device, and to deliver to the client device a webpage resource in response to said user authentication input wherein the webpage resource is delivered together with said identity data item.
The network access control device is arranged to monitor the data delivered to the client device from the authentication device to detect said identity data item therein, and to authenticate the network access rights of the client device if a said detection occurs.
The authentication device is preferably arranged to assign to the webpage resource an identity which matches said identity data item for use by the client device in identifying the webpage resource, and to deliver the webpage resource to the client device with said identity.
The webpage resource preferably includes a data file. The authentication device is preferably arranged to use the identity data item as a file name of the webpage resource.
The webpage resource may comprise an image data file conveying image data for display by the client device.
The network access control device is preferably arranged to insert into the network access request message a message header containing the identity data item and to direct the network access request message bearing said message header to the authentication device.
The header may contain an address of the client device. The authentication device may be arranged to read the header thereby to determine the destination for delivery to the client of said webpage and said webpage resource.
The authentication device is preferably arranged to read the identity data item from the header and to name the webpage resource with a name which includes the identity data item.
Preferably, the identity data item uniquely identifies the webpage resource from amongst the other data delivered from the authentication device to the client device.
The network access control device may be arranged to perform said monitoring by comparing the identity data item to the identities of data items delivered from the authentication device to client device via the network access control device.
The network access control device may be arranged to perform said monitoring only in respect of data delivered from the authentication device to the client device after said directing by the network access control device and until said subsequent identification of the identity data item in said webpage resource from the authentication device.
In a further aspect, the invention may provide apparatus for authenticating the access rights of a client device to a computer network, comprising a network access control device arranged for controlling access to the network by the client device, and arranged to communicate with an authentication device, wherein the network access control device is arranged to receive (e.g. intercept) a network access request message from the client device requesting network access, to generate an identity data item identifying the network access request message, and to direct the network access request message to the authentication device in association with the identity data item. The network access control device is arranged to deliver to the client device a webpage from the authentication device comprising a user input interface arranged for receiving a predetermined user authentication input at the client device, and to deliver to the client device a webpage resource from the authentication device in response to said user authentication input wherein the webpage resource is delivered together with said identity data item. The network access control device is arranged to monitor the data delivered to the client device from the authentication device to detect said identity data item therein, and to authenticate the network access rights of the client device if a said detection occurs.
The network access control device is preferably arranged to insert into the network access request message a message header containing the identity data item and to direct the network access request message bearing said message header to the authentication device.
The header preferably contains an address of the client device. The authentication device is preferably arranged to read the header thereby to determine the destination for delivery to the client of said webpage and said webpage resource.
The network access control device is preferably arranged to perform said monitoring by comparing the identity data item to the identities of data items delivered from the authentication device to client device via the network access control device. Preferably, the network access control device is arranged to perform said monitoring only in respect of data delivered from the authentication device to the client device after said directing by the network access control device and until said subsequent identification of the identity data item in said webpage resource from the authentication device.
A non-limiting example of a preferred embodiment of the invention will now be described with reference to the accompanying drawings of which: Figure 1 shows schematically a client device connected in communication with an authentication server device via a network policy controller (NPC) device for controlling communication with the Internet; Figure 2 schematically illustrates the sequence and flow of communications between the client device, NPC device, authentication device and Internet of Figure 1; Figure 3A schematically illustrates a webpage initially delivered to the client device seeking access to the internet, the webpage including a user input interface; Figure 3B schematically illustrates the webpage of Figure 3A further including a webpage resource delivered to the client device in response to successful input to the user input interface of Figure 3A; Figure 4 shows a flow diagram of the steps implemented by the apparatus of Figure 1 and Figure 2 which lead to the delivery of the webpage of Figure 3B; Figure 5 schematically illustrates elements of the apparatus of Figures 1 and 2.
In the drawings, like items are assigned like reference symbols for consistency.
Figure 1 illustrates apparatus for authenticating the access rights of a client device (7) to the Internet (8). The apparatus includes a network access control device (2) in the form of a network policy controller (NPC) arranged for controlling access to the Internet by the client device, and an authentication server device (4) arranged to communicate with the NPC and also with the client device via the NPC.
The NPC device is arranged to intercept outgoing communications traffic (item (1); e.g. datagrams) from the client device and to determine whether the intended destination of the communications is a destination within the Internet, or optionally a destination within the Internet other than a destination corresponding to one of a predetermined one or more web sites or web domains known to the NPC device as being those for which the client device has access rights.
For this purpose, the NPC is arranged to determine the destination address of outgoing communications from the client device and to determine if that address is a public IP address of the Internet. The destination address may, alternatively, be a private IP address associated with a destination node within a private network of which the client device forms a part (e.g. an intranet). If the client device has no current access rights to the Internet, then the NPC is arranged to divert (3) the outgoing communications to the authentication server. This diverted outgoing communication from the client device is considered to be a network access request from the client device.
Alternatively, the NPC may be arranged to compare the destination IP address with IP addresses of permitted destination Internet nodes, sites or domains stored in the NPC in association with the client device and in association with respective access rights or rules for granting the client device access to the permitted destinations. If the destination address does not correspond to a permitted destination node, site or domain, such that the client device has no current access rights to the desired destination within the Internet, then the NPC is arranged to divert (3) the outgoing communications to the authentication server. This diverted outgoing communication from the client device is also considered to be a network access request from the client device.
In such circumstances, the NPC is arranged to generate an identity data item identifying the network access request message, and to direct the network access request message to the authentication server together with the identity data item. In particular, the NPC is arranged to insert into the intercepted datagram of the network access request an HTTP header (9) comprising the following information:
(1) the MAC (media access control) address associated with the client device, within a dedicated header field; and
(2) a unique SID (session ID) generated by the network access control device, within a dedicated header field.
The MAC address enables the authentication server to identify the client device. The SID is the identity data item which allows the NPC to subsequently identify from communication from the authentication server to the client device, which pass via the NPC, whether authentication of the client device has been established/granted by the authentication device as described below. This extended network access request is then forwarded (3) by the NPC to the authentication server.
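As an added illustration (not code from the patent or from Global Reach), the following Python sketches the two NPC-side decisions just described: deciding that an outgoing datagram is a network access request, and building the extended request by inserting the client MAC and a freshly generated SID as dedicated HTTP header fields. The header names X-Client-MAC and X-Session-ID, the walled-garden set, the session-table layout and the sample request are all assumptions; the patent does not name the fields. The example also discards any header of the same names that the client itself supplied, so that the authentication server only ever sees values the NPC inserted, and it draws the SID from a CSPRNG so that a client cannot predict it.

```python
from __future__ import annotations

import ipaddress
import secrets
import time

# Assumed header names: the description only says "dedicated header fields".
MAC_HEADER = "X-Client-MAC"
SID_HEADER = "X-Session-ID"
INJECTED = {MAC_HEADER.lower(), SID_HEADER.lower()}


def is_network_access_request(dst_ip: str, walled_garden: set[str]) -> bool:
    """Decide whether an outgoing datagram must be diverted to the authentication
    server: public destinations are restricted unless they belong to the
    walled garden the NPC already permits; intranet destinations are not gated."""
    addr = ipaddress.ip_address(dst_ip)
    if not addr.is_global:
        return False
    return dst_ip not in walled_garden


def extend_request(raw_request: bytes, client_mac: str, sessions: dict) -> tuple[bytes, str]:
    """Insert the MAC and a fresh SID into an intercepted HTTP request and record
    (MAC, SID) so the NPC can later recognise the SID-named webpage resource."""
    head, _sep, body = raw_request.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    request_line, headers = lines[0], lines[1:]
    # The NPC must be the only source of these two fields: drop any copy the
    # client put in the request itself before adding the NPC's own values.
    headers = [h for h in headers if h.split(":", 1)[0].strip().lower() not in INJECTED]
    sid = secrets.token_hex(16)  # 128 random bits: unique and unguessable
    headers += [f"{MAC_HEADER}: {client_mac}", f"{SID_HEADER}: {sid}"]
    sessions[client_mac] = {"sid": sid, "state": "pending", "since": time.time()}
    extended = "\r\n".join([request_line, *headers]).encode("iso-8859-1") + b"\r\n\r\n" + body
    return extended, sid


if __name__ == "__main__":
    # Constructed sample: a client request to a public host that also tries to
    # smuggle in its own X-Session-ID header.
    sample = b"GET / HTTP/1.1\r\nHost: example.com\r\nX-Session-ID: forged\r\n\r\n"
    table: dict = {}
    if is_network_access_request("93.184.216.34", walled_garden=set()):
        ext, sid = extend_request(sample, "aa:bb:cc:dd:ee:ff", table)
        print(ext.decode("iso-8859-1"))
        print("stored:", table)
```

The session table is what the NPC later consults when it watches traffic from the authentication server; the `since` timestamp is there so that a pending entry that never produces a match can be expired rather than kept forever.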
Upon receipt of the extended network access request, the authentication device is arranged to deliver (5) a webpage to the client device via the NPC using the MAC address of the client device obtained from the header of the extended network access request. The MAC address is used by the authentication server, and the NPC, to identify the destination address (i.e. the client device) of the webpage data to be delivered. The webpage (Figure 3A) comprises a user input interface arranged for receiving a predetermined user authentication input at the client device. The delivered webpage may be arranged to present a request for a user name and password for input by the user of the client device via the user input interface presented to him/her by the delivered webpage rendered at a display device of the client device, for return to the authentication server.
The authentication server is arranged to receive the user authentication input and to determine if the input is valid. This may simply involve the authentication server comparing the received user name with a stored one or more user names and if a match is found, subsequently comparing the received password with a stored password associated with the stored username in question. If the two matches are validly completed by the authentication server, then the server is arranged subsequently to deliver to the client device a webpage resource in response to the valid user authentication input.
The webpage resource may be an image file arranged to be displayed as part of the webpage previously delivered to the client device via which the user authentication was input by the user. The image may display the result "Access Granted", for example (Figure 3B), in order to convey a successful authentication result to the user of the client device. Any other webpage resource may be delivered instead (or as well). Examples include application files ("apps"), widgets, program files for execution via the webpage, or even an image file representing as few as a single pixel indistinguishable from an existing pixel of the webpage it is arranged to replace (leaving the webpage visibly unchanged).
Furthermore, the authentication server is arranged to name or identify the webpage resource (e.g. image file) with a file name or identity which matches the identity data item (SID) previously inserted into the extended network access request by the NPC. The authentication server is arranged to control the naming of other webpage resources or communications delivered to the client device such that those other names do not also match the identity data item (SID). For example, the webpage delivered to the client device by the authentication device in response to initially receiving the extended network access request from the NPC is generated by the authentication server such that no resource within it bears a name matching the identity data item (SID). Thus, the uniqueness of the deliberately-named webpage resource is maintained when it is delivered by the authentication server to the client device via the NPC.
The NPC device is arranged to identify the traffic/data from the authentication server which is destined or addressed to the client device, by comparing the destination address of that traffic to the MAC address of the client device stored by the NPC device. This MAC address is stored by the NPC device in association with a stored SID, namely those previously inserted into the headers of the extended network access request. The NPC device is further arranged to then compare the stored SID associated with the stored MAC address against the names assigned to webpage resource files contained within the traffic from the authentication server destined for the client device, in order to detect the presence therein of a web resource file bearing a name/identity matching the SID. The NPC is arranged to authenticate the network access rights of the client device if such a detection occurs.
Authentication may simply be changing the network access rights of the client device according to network access rules stored by the NPC in association with that client device, or conveyed to the NPC device from the authentication device (e.g. in conjunction with delivery of the SID-named webpage resource). This might include rules limiting network access to a limited period of time.
Communications (6) between the client and the Internet may then commence, via the network access control device.
Figures 2 and 4 illustrate the steps undertaken by the user, client device, NPC device and authentication device according to an embodiment of the invention.
The method for authenticating the access rights of the client device to the Internet comprises:
Step 1: attempted access to the Internet by a user of the client device;
Step 2: intercepting, by a network access control device, a network access request message from the client device requesting Internet access;
Step 3: directing the network access request message from the network access control device to an authentication device together with an associated SID identity data item generated by the network access control device identifying the network access request message. Preferably all of the user's traffic goes via the NPC (Network Policy Controller). Preferably no outside access is granted other than, optionally, a walled garden. The NPC injects headers containing the client MAC, a unique session ID (SID) and, optionally, a VLAN, IP address and any extra custom headers;
Step 4: delivering to the client device a webpage from the authentication server comprising a user input interface for receiving a predetermined user authentication input at the client device. The NPC forces the client device to display the webpage;
Step 5: inputting of user authentication data at the client device by the user, and transmission to the authentication server;
Step 6: delivering to the client device a webpage resource (named according to the SID) from the authentication server in response to the user authentication input;
Step 7: monitoring by the NPC device of the data delivered to the client device from the authentication server to detect the SID therein, and authenticating the network access rights of the client device if a detection occurs. The data flowing between the client device and the authentication server is monitored by the NPC, waiting for that data stream to contain a resource, or a request for a resource, matching the session ID (SID). Once the NPC detects this resource in the data flow it knows the user has been authenticated and can grant access based on the requirements of the network administrator; and
Step 8: the user accesses the Internet via the client device and the NPC device.
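To make the eight steps, and the NPC's matching logic described with Figure 1, concrete, here is an added, self-contained Python simulation of the exchange (not code from the patent or from Global Reach) with all three parties in one process: the client's requests enter the NPC; the NPC diverts them to the authentication server with the injected MAC and SID fields; the server returns a login form, then, on valid credentials, a page whose only SID-named resource is a one-pixel image; and the NPC grants access when it sees that image delivered. The host name, header field names, credential store, the ".gif" naming, the session-table layout and the sample pixel file are assumptions. Of the two triggers Step 7 allows (a delivered resource or a request for one), the example deliberately counts only a resource actually delivered by the authentication server with a 200 status, so that a request for a guessed name cannot by itself unlock a session.

```python
import secrets

AUTH_SERVER = "auth.example"                             # assumed authentication-server host
MAC_HEADER, SID_HEADER = "X-Client-MAC", "X-Session-ID"  # assumed header field names
# Constructed 1x1 transparent GIF: the "single pixel" resource of the description.
PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
             b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


def reply(src, dst, path, status, ctype, body):
    """A response as the NPC sees it on the wire: sender, addressed client, resource name."""
    return {"src": src, "dst": dst, "path": path, "status": status, "type": ctype, "body": body}


class AuthServer:
    """Implements the delegated login rule and names the success resource after the SID."""

    def __init__(self, users):
        self.users = users          # constructed credential store: user -> password
        self.issued = {}            # MAC -> SID for which a login succeeded

    def handle(self, headers, path, form=None):
        mac, sid = headers[MAC_HEADER], headers[SID_HEADER]   # read from the extended request
        if path.startswith("/res/"):
            # The SID-named pixel is served only to a client whose login succeeded.
            if path == f"/res/{self.issued.get(mac)}.gif":
                return reply(AUTH_SERVER, mac, path, 200, "image/gif", PIXEL_GIF)
            return reply(AUTH_SERVER, mac, path, 404, "text/plain", b"not found")
        if form and self.users.get(form.get("user")) == form.get("password"):
            self.issued[mac] = sid
            # Step 6: the only resource on this page named after the SID is the pixel.
            body = f'<p>Access Granted</p><img src="/res/{sid}.gif" width="1" height="1">'
        else:
            # Step 4: login page; nothing in it is named after the SID.
            body = '<form method="post"><input name="user"><input name="password" type="password"></form>'
        return reply(AUTH_SERVER, mac, path, 200, "text/html", body.encode())


class NPC:
    """Network policy controller: diverts, tags, monitors, and finally grants access."""

    def __init__(self, auth):
        self.auth = auth
        self.sessions = {}          # MAC -> {"sid": ..., "granted": bool}

    def send(self, mac, host, path, form=None):
        """Entry point for all client traffic; returns what the client receives."""
        s = self.sessions.get(mac)
        if s and s["granted"]:
            # Step 8: authenticated traffic passes through to the requested host.
            return reply(host, mac, path, 200, "text/html", b"<p>internet content</p>")
        if s is None:
            # Steps 2-3: the first restricted request becomes the network access request.
            s = self.sessions[mac] = {"sid": secrets.token_hex(16), "granted": False}
        headers = {MAC_HEADER: mac, SID_HEADER: s["sid"]}   # the extended request (9)
        resp = self.auth.handle(headers, path, form)        # diverted to the auth server
        self.observe(resp)                                   # Step 7
        return resp

    def observe(self, resp):
        """Compare names of resources delivered by the auth server with the stored SID."""
        s = self.sessions.get(resp["dst"])
        # Monitor only pending sessions, and only data that really comes from the auth server.
        if not s or s["granted"] or resp["src"] != AUTH_SERVER or resp["status"] != 200:
            return
        delivered_name = resp["path"].rsplit("/", 1)[-1]
        if resp["type"] != "text/html" and delivered_name == f'{s["sid"]}.gif':
            s["granted"] = True     # detection: the user has been authenticated

    def is_granted(self, mac):
        return bool(self.sessions.get(mac, {}).get("granted"))


if __name__ == "__main__":
    npc = NPC(AuthServer({"alice": "s3cret"}))
    mac = "aa:bb:cc:dd:ee:ff"
    npc.send(mac, "www.example.com", "/")                                    # diverted: login page
    npc.send(mac, AUTH_SERVER, "/login", {"user": "alice", "password": "s3cret"})
    npc.send(mac, AUTH_SERVER, f"/res/{npc.sessions[mac]['sid']}.gif")       # browser fetches pixel
    print("granted:", npc.is_granted(mac))
```

Note that the page carrying the `<img>` tag does not by itself grant access in this example; it only causes the browser to fetch the SID-named file, and it is the delivery of that file from the authentication server that the NPC counts. The monitoring window closes as soon as a session is marked granted, matching the description's point that monitoring is needed only between diversion and detection.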
Figure 5 illustrates the elements and functional units of the client device, NPC device and authentication device according to an embodiment of the invention.
The client device (7) comprises a control unit (12) operably connected to a display unit (10) and an input/output (I/O) interface (13) arranged for providing a communications interface between the client device and the NPC device (2). The control unit is arranged to generate communications signals (e.g. datagrams) for transmission to the NPC device via the I/O interface and to process communications signals received from the NPC device via the I/O interface. This includes network access requests, webpages and webpage resources. The control unit is arranged to control the display unit to render webpages and webpage resources.
The NPC device includes first, second and third input/output (I/O) interfaces (14, 15, 16) for receiving and transmitting communications signals (e.g. datagrams) from/to the client device, the internet (8) and the authentication server (4) respectively.
The NPC device further includes a monitoring unit (20) arranged for monitoring the destination address of communications signals received from the client device via the first I/O interface of the NPC device. The monitoring unit is arranged to pass to an inserter unit (17) of the NPC device those communications signals found to have a destination address located within a network subject to access restrictions, and deemed to be a network access request. The inserter unit is arranged to generate (and store a copy of): (1) an SID uniquely associated with the network access request; and (2) a MAC address for the client device.
The inserter unit is arranged to generate a header comprising a MAC header field containing the MAC address and a SID header field containing the SID, and to insert the header into the network access request thereby to generate an extended network access request. The inserter unit is arranged to forward the resulting extended network access request (item 9, Fig.1) to the third I/O interface for transmission to the authentication server (4).
The authentication server includes a control unit (19) arranged for receiving the extended network access request from the NPC device and for reading the MAC address and SID data from the header fields of the received request. The authentication server includes a webpage resource generator unit (18) controlled by the control unit (19) to generate a webpage (Figure 3A) containing a user input interface for the input of authentication data by a user of the client device (7), and to generate a subsequent webpage resource (conditional upon user authentication) named using the SID as its name. The control unit is arranged to transmit the webpage, and subsequently the webpage resource, to the client device via the NPC device using as the destination address the MAC address read from the header of the extended network access request.
The authentication server stores in a memory thereof (not shown) a plurality of user IDs and associated passwords for pre-determined users of the network in respect of which the network access request is made. These user names and passwords are provided via a previous registration procedure, concerning user registration for network use/access, such as would be readily apparent to the skilled person and shall not be described in detail here. In implementing the network access rules applicable to the user of the client device and the network access request, the control unit (19) of the authentication server is arranged to compare the password input at the user interface of the webpage (Figure 3A) rendered at the client device to the pre-stored password associated with the pre-stored user ID matching the currently input user ID (if such a match exists). If the pre-stored password matches the currently input password then authentication is deemed by the authentication server to be achieved.
The controller is arranged to respond to the authentication to control the webpage resource generator unit (18) to generate a webpage resource for rendering at the client device and to name the resource with a name exactly matching the SID obtained from the header of the extended network access request. The control unit then controls the authentication server to transmit the webpage resource to the client device via the NPC device.
The NPC device is arranged to receive the webpage resource file from the authentication server via the third I/O interface unit thereof, and to pass the received resource file to the monitoring unit. The monitoring unit is arranged to determine the destination address (MAC address) of the webpage resource file (e.g. obtained from an appropriate header field) and to determine the name/identity of the resource file. The webpage resource file is then forwarded on to the destination client device. The monitoring unit is arranged to subsequently compare the name of the webpage resource file to the stored value of the SID previously generated by the NPC device in association with the client device (associated with the MAC address). If a match is found between the stored SID value and the name of the webpage resource file, then the NPC is arranged to update the network access rights of the client device to permit communications (6) between the client device and the internet (8), via the NPC device (2).
A preferred embodiment is further described below.
The Captive Portal methodology is a means to control access to the internet by requiring some form of authentication. In the present embodiment, once a client device has received an IP address and attempts to load a page on the internet, the Network Policy Controller (NPC) intercepts this request and re-directs it to a chosen portal, thus controlling what a user can access before they have authenticated for full internet access. The chosen portal includes the authentication server described above. The NPC may store a list of walled-garden domains or IP addresses that the user can have open access to without the need for further authentication.
Part of the redirection to the chosen portal preferably involves intercepting port 80 from the client device and redirecting the traffic through a proxy within the NPC daemon. This allows the injection of extra HTTP headers into the flow that can be read by a simple webserver application.
These extra NPC HTTP headers may contain, for example:
vid=1001;state=0;mac=3c07541b046&;sid=658f3bf0-a2be-6a2b-83e8-4088028135ab
The "vid" header is a VLAN ID, which the NPC interprets as being the intended destination of traffic bearing that header (i.e. whatever is passed to the NPC bearing the vid header, the NPC will pass to the destination defined by the vid header).
The "state" header may be employed to indicate the validation state of a user. For example: 0 = not authenticated, 1 = authenticated. A "state" can be any access profile, for example:
state 0 - not authenticated, e.g. a brand new user never seen before.
state 1 - authenticated and allowed to access the internet.
state 2, 3, 4, ... - user is authenticated but has certain restrictions depending on the state, e.g. the user has 1 hour of Internet time.
The "mac" header is the MAC address of the calling station (client device's MAC). This is not normally visible to a webserver (such as the authentication server) over the internet but with the injection of the MAC address into the headers, the authentication webserver can now choose how to handle that user.
The "sid" header is a unique session identifier generated by the NPC daemon.
Using these headers the invention in a preferred embodiment may allow the remote web portal (authentication server) to display the correct site portal and information for each client uniquely.
A full example of an injected header is:
vid=1101;state=1;mac=28cfdaed408e;sid=658f3bf0-a2be-6a2b-83e8-4088028135ab
The invention may provide a method of proving that a user has seen and responded to a certain webpage or content within it (e.g. the webpage of Figure 3A) before they are granted full authentication.
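The following is an added example (not code from the patent or from Global Reach) of how the authentication webserver side can parse and validate a header in the layout shown above before deciding which portal page to show for the client. The field layout (vid, state, mac, sid) is the one given on this page; the page names returned by choose_portal_page and the MAC value used in the usage are assumptions and constructed samples.

```python
"""Parse and validate the NPC-injected header on the authentication webserver.

Added example, not code from the patent or from Global Reach. It assumes the
'vid=...;state=...;mac=...;sid=...' layout shown above.
"""
import re
import uuid
from dataclasses import dataclass

MAC_RE = re.compile(r"^[0-9a-f]{12}$")   # 12 bare hex digits, as in the page's example
REQUIRED = ("vid", "state", "mac", "sid")


@dataclass(frozen=True)
class NpcHeader:
    vid: int     # VLAN the NPC routes this client's traffic to
    state: int   # 0 = not authenticated, 1 = authenticated, >=2 = restricted profile
    mac: str     # client MAC, lowercase hex without separators
    sid: str     # unique session id issued by the NPC daemon, canonical UUID form

    def state_name(self) -> str:
        if self.state == 0:
            return "not authenticated"
        if self.state == 1:
            return "authenticated"
        return "authenticated with restrictions (profile %d)" % self.state


def parse_npc_header(value: str) -> NpcHeader:
    """Raise ValueError on anything that does not match the documented layout."""
    fields = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed field %r" % part)
        key, val = part.split("=", 1)
        key = key.strip().lower()
        if key in fields:
            raise ValueError("duplicate field %r" % key)   # ambiguous: reject, do not pick one
        fields[key] = val.strip()
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError("missing fields %s" % missing)
    vid = int(fields["vid"])        # ValueError if not an integer
    state = int(fields["state"])
    if vid < 0 or state < 0:
        raise ValueError("vid and state must be non-negative")
    mac = fields["mac"].lower()
    if not MAC_RE.match(mac):
        raise ValueError("bad mac %r" % mac)
    sid = str(uuid.UUID(fields["sid"]))   # ValueError if not a well-formed UUID
    return NpcHeader(vid, state, mac, sid)


def is_valid_npc_header(value: str) -> bool:
    try:
        parse_npc_header(value)
    except ValueError:
        return False
    return True


def choose_portal_page(value: str) -> str:
    """Pick the portal page for this client from its header (page names assumed)."""
    hdr = parse_npc_header(value)
    if hdr.state == 0:
        return "login"                   # the Figure 3A login form
    if hdr.state == 1:
        return "already_authenticated"
    return "restricted"                  # profile-specific page, e.g. time remaining


if __name__ == "__main__":
    # Constructed sample in the page's layout (MAC is a sample value).
    sample = "vid=1101;state=1;mac=28cfdaed408e;sid=658f3bf0-a2be-6a2b-83e8-4088028135ab"
    print(parse_npc_header(sample), choose_portal_page(sample))
```

Rejecting malformed or duplicated fields outright, rather than guessing, keeps the webserver from acting on a header it cannot attribute to exactly one client and session.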
Using the unique "sid" generated by the NPC and sent to the authentication webserver in the injected headers (item 9, Fig. 1), the authentication webserver can render a specially formatted webpage (e.g. Figure 3A) behind whatever method of authentication desired. For example it might be a regular login via username and password based on a local database on the authentication webserver.
A webpage that ultimately allows access (Figure 3B; state change) simply uses the "sid" it received in the injected headers as a resource on the webpage, for example a pixel loaded from a webserver called the same as the unique "sid". It need not be an image, and could be any resource contained in the structure of a standard HTML web page.
Using the example above, an image (e.g. a .png image file conveying an image containing the words "Access Granted", Figure 3B) can be embedded within the HTML source delivered to the client device:
<img src='658f3bf0-a2be-6a2b-83e8-4088028135ab.png'>
which uses as its name a name exactly matching the "sid". The NPC would see that this is the case and would cause the user to be granted full internet access by the NPC. The NPC may merely (e.g. only) inject the header into the web domain of the authentication server (portal); it is not required to be injected into pages where the functionality is not required. That web domain is the only domain the end user can get to; if the user tries to go elsewhere the NPC will always return the user to that web domain until the user has completed the action that is required to gain access to the Internet. When any webpage is requested from that domain the X headers are sent to the webserver, and a small application on the webserver can embed the "sid"-named webpage resource on any page (e.g. Figure 3A) that controls the user's access.
The NPC monitors the HTTP stream (resource requests to and from the authentication server portal), so the NPC knows that the user has seen the authentication webpage (Figure 3A), that it has been rendered on the client device and that it has been successfully responded to, thus guaranteeing that the user has downloaded the HTML of the authentication page. The NPC then changes the state of that client, allowing (or even blocking) access.
A standard HTTP header is defined and can be seen at: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
A preferred embodiment may be implemented by following the steps below:
1) The NPC device injects the aforementioned headers, monitors the TCP stream and grants authorisation on seeing the "sid"-named webpage resource destined for the requesting client device;
2) The authentication webserver receives the injected headers and uses the "sid" within the injected header to name a webpage resource delivered to a client on request, following redirection to that webpage.
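Steps 1 to 8 above and the two implementation steps just listed, carried through as an added in-memory simulation (not code from the patent or from Global Reach): the NPC issues a SID for an intercepted client, injects it in a header, the portal names its "Access Granted" image after that SID, and the NPC grants access only when a portal response to the same MAC carries a resource with that name. The header name X-NPC, the portal host portal.example, the sample MAC and the sample account are assumptions; real HTTP is replaced by direct Python calls between the three parties.

```python
"""In-memory simulation of the SID-based captive-portal grant (added example,
not the patent's or Global Reach's code; header name, portal host, MAC and
account are constructed assumptions)."""
import hmac
import re
import uuid

PORTAL_HOST = "portal.example"   # assumed walled-garden portal domain
HEADER_NAME = "X-NPC"            # assumed name of the injected header
STATE_UNAUTHENTICATED = 0        # "state" values as listed on this page
STATE_AUTHENTICATED = 1

# src attribute of every <img> tag in the served HTML
IMG_SRC_RE = re.compile(r"""<img\b[^>]*\bsrc=['"]([^'"]+)['"]""", re.IGNORECASE)


def normalize_mac(mac):
    """'28:CF:DA:ED:40:8E' -> '28cfdaed408e' (the header carries bare hex)."""
    return mac.lower().replace(":", "").replace("-", "")


def parse_header(value):
    """'vid=1001;state=0;mac=...;sid=...' -> dict of field -> value."""
    return dict(part.split("=", 1) for part in value.split(";") if "=" in part)


class NetworkPolicyController:
    """Models the NPC daemon: redirects unauthenticated clients to the portal,
    injects the header, and watches portal responses for a SID-named resource."""

    def __init__(self, vid=1001):
        self.vid = vid
        self.pending = {}   # mac -> SID issued for that client's pending request
        self.state = {}     # mac -> access state

    def intercept(self, mac, host):
        """Client -> NPC. Returns (host the NPC forwards to, headers it injects)."""
        mac = normalize_mac(mac)
        state = self.state.setdefault(mac, STATE_UNAUTHENTICATED)
        if state == STATE_AUTHENTICATED:
            return host, {}                      # Step 8: straight to the Internet
        sid = self.pending.get(mac)
        if sid is None:                          # one SID per pending session (design choice)
            sid = str(uuid.uuid4())
            self.pending[mac] = sid
        header = "vid=%d;state=%d;mac=%s;sid=%s" % (self.vid, state, mac, sid)
        return PORTAL_HOST, {HEADER_NAME: header}   # Step 3: redirect with header

    def observe_response(self, mac, src_host, body):
        """Portal -> NPC -> client. Step 7: grant if the body carries a resource
        named after the SID bound to this client's MAC. Returns the new state."""
        mac = normalize_mac(mac)
        sid = self.pending.get(mac)
        if src_host != PORTAL_HOST or sid is None:
            return self.state.get(mac, STATE_UNAUTHENTICATED)   # not monitored
        for src in IMG_SRC_RE.findall(body):
            name = src.rsplit("/", 1)[-1].rsplit(".", 1)[0]   # drop path and extension
            if hmac.compare_digest(name.lower().encode(), sid.encode()):
                self.state[mac] = STATE_AUTHENTICATED
                del self.pending[mac]                          # SID is single-use
                break
        return self.state[mac]


class AuthServer:
    """Models the portal webserver: reads the injected header and, after a
    successful login, embeds an image named after the SID it was given."""

    def __init__(self, users):
        self.users = users   # username -> password; constructed sample accounts

    def login_page(self, headers):
        """Step 4: the Figure 3A login form, with no SID-named resource yet."""
        hdr = parse_header(headers[HEADER_NAME])
        return ("<form method='post'><input name='user'><input name='pass'></form>"
                "<!-- client %s, state %s -->" % (hdr["mac"], hdr["state"]))

    def login(self, headers, username, password):
        """Steps 5-6: check credentials; on success name the image after the SID."""
        hdr = parse_header(headers[HEADER_NAME])
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return "<p>Login failed</p>"          # no SID-named resource: no grant
        return "<p>Access Granted</p><img src='%s.png'>" % hdr["sid"]


def captive_portal_login(npc, portal, mac, username, password):
    """Run Steps 1-7 for one client and return its resulting access state."""
    host, headers = npc.intercept(mac, "www.example.org")        # Steps 1-3
    if host != PORTAL_HOST:
        return npc.state[normalize_mac(mac)]                       # already authenticated
    npc.observe_response(mac, host, portal.login_page(headers))    # Step 4: nothing to match
    host, headers = npc.intercept(mac, PORTAL_HOST)                # login POST also via NPC
    body = portal.login(headers, username, password)               # Steps 5-6
    return npc.observe_response(mac, host, body)                   # Step 7


if __name__ == "__main__":
    npc = NetworkPolicyController()
    portal = AuthServer({"alice": "correct horse battery"})
    mac = "28:cf:da:ed:40:8e"   # constructed sample client
    print(captive_portal_login(npc, portal, mac, "alice", "wrong"))                   # 0
    print(captive_portal_login(npc, portal, mac, "alice", "correct horse battery"))   # 1
    print(npc.intercept(mac, "www.example.org"))   # ('www.example.org', {}) once granted
```

The grant check is bound to the MAC the SID was issued to, the comparison is constant-time, the SID is discarded once consumed, and only responses from the portal host are inspected, so a resource name observed for a different client, from another host, or after the session has been granted changes nothing.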
The NPC can be arranged optionally to read the required permissions and access profiles (in respect of a user requesting network access) from any database, radius, diameter or LDAP or similar data store.

Claims (27)

  1. A computer implemented method for authenticating the access rights of a client device to a computer network, comprising: receiving (e.g. intercepting) by a network access control device a network access request message from the client device requesting network access; directing the network access request message from the network access control device to an authentication device together with an associated identity data item generated by the network access control device identifying the network access request message; delivering to the client device a webpage from the authentication device comprising a user input interface for receiving a predetermined user authentication input at the client device; monitoring by the network access control device the data delivered to the client device from the authentication device to detect said identity data item therein, and authenticating the network access rights of the client device if a said detection occurs; and delivering to the client device a webpage resource from the authentication device in response to said user authentication input, wherein the webpage resource is delivered together with said identity data item thereby to cause said authentication.
  2. The computer implemented method of any preceding claim including, at the authentication device, assigning to the webpage resource an identity which matches said identity data item for use by the client device in identifying the webpage resource, and delivering the webpage resource to the client device with said identity.
  3. The computer implemented method of any preceding claim in which the webpage resource includes a data file, the method including using the identity data item as a file name of the webpage resource by the authentication device.
  4. The computer implemented method of any preceding claim in which the webpage resource comprises an image data file conveying image data for display by the client device.
  5. The computer implemented method of any preceding claim including inserting, by the network access control device, into the network access request message a message header containing the identity data item and directing the network access request message bearing said message header to the authentication device.
  6. The computer implemented method of claim 5 in which the header contains an address of the client device, the method including the reading of the header by the authentication device thereby to determine the destination for delivery to the client of said webpage and said webpage resource.
  7. The computer implemented method of claim 5 or claim 6 including reading, by the authentication device, the identity data item from the header and naming the webpage resource with a name which includes the identity data item.
  8. The computer implemented method according to any preceding claim in which the identity data item uniquely identifies the webpage resource from amongst the other data delivered from the authentication device to the client device.
  9. The computer implemented method according to any preceding claim in which the monitoring by the network access control device includes comparing the identity data item to the identities of data items delivered from the authentication device to the client device via the network access control device.
  10. The computer implemented method according to any preceding claim in which the monitoring occurs only in respect of data delivered from the authentication device to the client device after said directing by the network access control device and until said subsequent identification of the identity data item in said webpage resource from the authentication device.
  11. Apparatus for authenticating the access rights of a client device to a computer network, comprising: a network access control device arranged for controlling access to the network by the client device; and an authentication device arranged to communicate with the network access control device; wherein the network access control device is arranged to receive (e.g. intercept) a network access request message from the client device requesting network access, to generate an identity data item identifying the network access request message, and to direct the network access request message to the authentication device in association with the identity data item; and the authentication device is arranged to deliver to the client device a webpage comprising a user input interface arranged for receiving a predetermined user authentication input at the client device, and to deliver to the client device a webpage resource in response to said user authentication input, wherein the webpage resource is delivered together with said identity data item; wherein the network access control device is arranged to monitor the data delivered to the client device from the authentication device to detect said identity data item therein, and to authenticate the network access rights of the client device if a said detection occurs.
  12. The apparatus of claim 11 in which the authentication device is arranged to assign to the webpage resource an identity which matches said identity data item for use by the client device in identifying the webpage resource, and to deliver the webpage resource to the client device with said identity.
  13. The apparatus of claim 11 or 12 in which the webpage resource includes a data file and the authentication device is arranged to use the identity data item as a file name of the webpage resource.
  14. The apparatus of any of claims 11 to 13 in which the webpage resource comprises an image data file conveying image data for display by the client device.
  15. The apparatus of any of claims 11 to 14 wherein the network access control device is arranged to insert into the network access request message a message header containing the identity data item and to direct the network access request message bearing said message header to the authentication device.
  16. The apparatus of claim 15 in which the header contains an address of the client device, the authentication device being arranged to read the header thereby to determine the destination for delivery to the client of said webpage and said webpage resource.
  17. The apparatus of claim 15 or claim 16 in which the authentication device is arranged to read the identity data item from the header and to name the webpage resource with a name which includes the identity data item.
  18. The apparatus according to any of claims 11 to 17 in which the identity data item uniquely identifies the webpage resource from amongst the other data delivered from the authentication device to the client device.
  19. The apparatus according to any of claims 11 to 18 in which the network access control device is arranged to perform said monitoring by comparing the identity data item to the identities of data items delivered from the authentication device to the client device via the network access control device.
  20. The apparatus according to any of claims 11 to 19 in which the network access control device is arranged to perform said monitoring only in respect of data delivered from the authentication device to the client device after said directing by the network access control device and until said subsequent identification of the identity data item in said webpage resource from the authentication device.
  21. Apparatus for authenticating the access rights of a client device to a computer network, comprising: a network access control device arranged for controlling access to the network by the client device, and arranged to communicate with an authentication device; wherein the network access control device is arranged to receive (e.g. intercept) a network access request message from the client device requesting network access, to generate an identity data item identifying the network access request message, and to direct the network access request message to the authentication device in association with the identity data item; and the network access control device is arranged to deliver to the client device a webpage from the authentication device comprising a user input interface arranged for receiving a predetermined user authentication input at the client device, and to deliver to the client device a webpage resource from the authentication device in response to said user authentication input, wherein the webpage resource is delivered together with said identity data item; wherein the network access control device is arranged to monitor the data delivered to the client device from the authentication device to detect said identity data item therein, and to authenticate the network access rights of the client device if a said detection occurs.
  22. The apparatus of claim 21 wherein the network access control device is arranged to insert into the network access request message a message header containing the identity data item and to direct the network access request message bearing said message header to the authentication device.
  23. The apparatus of claim 22 in which the header contains an address of the client device for use by the authentication device to determine the destination for delivery to the client of said webpage and said webpage resource.
  24. The apparatus according to any of claims 21 to 23 in which the network access control device is arranged to perform said monitoring by comparing the identity data item to the identities of data items delivered from the authentication device to the client device via the network access control device.
  25. The apparatus according to any of claims 21 to 23 in which the network access control device is arranged to perform said monitoring only in respect of data delivered from the authentication device to the client device after said directing by the network access control device and until said subsequent identification of the identity data item in said webpage resource from the authentication device.
  26. Apparatus substantially as disclosed in any one embodiment hereinbefore with reference to the accompanying drawings.
  27. A method substantially as described hereinbefore with reference to the accompanying drawings.
GB1209931.3A 2012-06-05 2012-06-05 Improvements in and relating to authentication Active GB2502781B8 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB1209931.3A GB2502781B8 (en) 2012-06-05 2012-06-05 Improvements in and relating to authentication

Publications (4)

Publication Number Publication Date
GB201209931D0 GB201209931D0 (en) 2012-07-18
GB2502781A true GB2502781A (en) 2013-12-11
GB2502781B GB2502781B (en) 2016-08-03
GB2502781B8 GB2502781B8 (en) 2016-09-07

Family

ID=46582318

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1209931.3A Active GB2502781B8 (en) 2012-06-05 2012-06-05 Improvements in and relating to authentication

Country Status (1)

Country Link
GB (1) GB2502781B8 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109561431A (en) * 2019-01-17 2019-04-02 西安电子科技大学 The WLAN access control system and method identified based on more password identity

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1998032066A1 (en) * 1997-01-20 1998-07-23 British Telecommunications Public Limited Company Data access control
US20030191964A1 (en) * 2002-04-03 2003-10-09 Ramakrishna Satyavolu Method for verifying the identity of a user for session authentication purposes during web navigation
US20040003287A1 (en) * 2002-06-28 2004-01-01 Zissimopoulos Vasileios Bill Method for authenticating kerberos users from common web browsers
GB2463758A (en) * 2008-09-30 2010-03-31 Avaya Inc Client authentication in a Session Initiation Protocol

Legal Events

Date Code Title Description
732E Amendments to the register in respect of changes of name or changes affecting rights (sect. 32/1977)

Free format text: REGISTERED BETWEEN 20180531 AND 20180606