KR100687837B1 - Systems and methods for providing dynamic network authorization, authentication and accounting - Google Patents

Abstract

A system and method for selectively controlling and customizing a source's access to a network, the source being associated with the source computer, the source computer having a transparent access to the network via a gateway device and configured to access the network. Systems and methods are disclosed in which software does not need to be installed on a source computer. The user is allowed to access other sites that the method and system deem accessible, while access from certain destinations or sites is prevented based on the user's approval. The method and system can identify a source without knowledge of the source, and can access customizable access rights corresponding to that source in the source profile database. The source profile database may be a remote authentication dial-in user service (RADIUS) or lightweight directory access protocol (LDAP) database. The method and system use the source profile in the source profile database to dynamically authorize the source to access the destination over and over the network.

Network, service, source, access, dynamic, control, customize, source computer, gateway device, transparent, configuration, software, user, identification, authentication, authorization, billing, destination, site, source profile, database, protocol

Description

Systems and methods for providing dynamic network authorization, certification, and billing {SYSTEMS AND METHODS FOR PROVIDING DYNAMIC NETWORK AUTHORIZATION, AUTHENTICATION AND ACCOUNTING}

The present invention relates generally to systems and methods for controlling network access, and more particularly to systems and methods for establishing dynamic user network access.

The present application, filed December 8, 1999, is entitled United States entitled "System and Method for Orienting Users With Transparent Computer Access to a Network Using a Gateway Device with Directional Capability." Partial serial application of patent application 09 / 458,569. The present application is also filed on December 8, 1999 and entitled US Systems Applicant, entitled “Systems and Methods for Authorizing, Authorizing, and Billing Users with Transparent Computer Access to a Network Using Gateway Devices.” 09 / 458,602, filed Oct. 22, 1999 and entitled "System and Method for Dynamic Bandwidth Management on a Per-Subscriber Base in Computer Networks" US Provisional Patent Application No. 60 / 161,182, 10, 1999 The invention is filed on May 22 and filed as U.S. Provisional Patent Application No. 60 / 160,890, filed October 22, 1999, entitled "System and Method for Generating a Subscriber Tunnel by a Gateway Device in a Computer Network." Provisional Patent Application No. 60 / 161,139, entitled "Information and Control Console for Use in Network Gateway Interfaces," filed October 22, 1999 Invented and filed in US Provisional Patent Application No. 60 / 161,189, filed Oct. 22, 1999, entitled "System and Method for Transparent Computer Access and Communication with a Service Provider Network Using a Network Gateway Apparatus". Of U.S. Provisional Patent Application No. 60 / 160,973, filed Oct. 22, 1999, entitled "System and Method for Allowing a Network Gateway Device to Communicate with a Management System to Conveniently Manage Subscribers". US Provisional Patent Application No. 60 / 161,181, entitled "Gateway Device with an XML Interface," and October 22, 1999, entitled "Identification and Approval Based on Location for Use with Gateway Devices" Priority is claimed from U.S. Provisional Patent Application 60 / 161,093. The above applications are all part of this specification by citing the entire contents herein.

User access to the computer network is based on a two-step authentication process that provides full network access to conventional users or denies any access of the user. In the first step of the process, the user establishes a communication link with the network via a telephone line, a dedicated network connection line (eg, broadband, digital signal line (DSL)), or the like. In the second step of the authentication process, the user must enter identification information to gain access to the network. Typically, the identification information entered includes a user name and a password. Using this information, the network or service provider determines that the user matches the network by determining whether the identification information matches subscriber information contained in a subscriber table (or database) that stores identification information for all users authorized to access the network. Verify that you have access to access. If the user input information matches the subscriber data in the subscriber table, the user is authorized to access any and all services on the network. On the other hand, if the user input identification information does not match the subscriber data in the table, the user is denied access to the network. Thus, once the identity of the user is compared with the data stored in the subscriber table, the user is entitled to network access or is denied all access. Moreover, when a user is authorized to access the network, the user is typically authorized to access any destination accessible through the network. Thus, conventional authentication of a user is based on an all-or-nothing approach to network access.

In many conventional network applications, such as in conventional Internet access applications, the subscriber database (or table) not only stores data corresponding to the identity of subscribers authorized to access the network, but also information that may vary based on a particular subscriber. Save it. By way of example, the subscriber database may include a subscriber profile that indicates the type of access the subscriber should receive and other related information such as the fee the subscriber will pay for network access. Although the information in the subscriber database can vary from user to user, the only information about the database is generally used for billing or network maintenance purposes. By way of example, conventional subscriber databases typically include data such as the cost paid by a subscriber for network access and the amount of time the subscriber has accessed the network. Thus, if a subscriber to an Internet Service Provider (ISP) has purchased Internet access, the source profile database allows the user to be authenticated and also maintains a log of the user's time on the network. It may contain information that tracks a user's access for accounting purposes.

In addition, in a conventional network access system, in order for a user to connect to an online service (eg, the Internet), the user must install client-side software on the user's computer. Client-side software is typically provided by a network administrator or network access provider, such as an ISP, to which the user has subscribed for Internet access, and allows the client to configure the client's computer to communicate with that network access provider. Continuing with the illustrative example of a user accessing the Internet via an ISP, the user must install the ISP software on the client computer and then set up an account with the ISP for Internet access. Typically, a user subscribes to an ISP by directly contracting with an ISP such as America Online ^™ , Earthlink ^™ , Compuserve ^™ for Internet access. Typically, a user pays for such internet access on a monthly flat rate basis. Regardless of the user's location, the user dials the access number provided by the ISP and accesses the Internet. The connection is often accomplished via conventional telephone modems, cable modems, DSL connections, and the like.

Users who access the network through conventional means, such as through an ISP, are allowed or denied access to the network in an all-or-nothing way, so that the user's access and authentication to a particular network or site is customizable. The user cannot be dynamically granted access to the network. What is needed is a method and system that allows a user to have dynamic and customizable access that can vary based on any number of variables associated with the user, such as user location, user name or password, user computer or other attributes. As an example, it may be beneficial for some users to be granted access to all Internet sites when other users may be denied access to a particular site. In addition to authorizing the user's access to the network, it would be advantageous to selectively allow a range of authorizations for the user by the network, such as an ISP or corporate network, so that the user's access is not based on all-or-nothing methods.

The present invention includes methods and systems for selectively enforcing and enhancing authentication, authorization, and accounting (AAA) for user access to a network via a gateway device. In accordance with the present invention, the user may be authenticated to determine the identity of the user. The authentication capability of the systems and methods of the present invention may be based on a user ID, computer, location or one or more additional attributes identifying a source (eg, a particular user, computer or location) requesting network access. Once authenticated, the authentication capabilities of the systems and methods of the present invention are customized based on the identity of the source, so that the sources have different access rights based on their identity, requested content, and / or destination. By way of example, access rights cause the first source to access a particular Internet destination address, and the second source refuses to access the same address. In addition, the authentication capability of the systems and methods of the present invention may be based on other information included in the data transmission, such as destination port, Internet address, TCP port, network or similar destination address. Moreover, the AAA of the present invention may be based on the type or protocol of content to be transmitted. By authenticating the user in this manner, each packet can be filtered through an optional AAA process so that the user can be identified and authorized to access a particular destination. Thus, whenever a user wants to access a different destination, the user receives an AAA, while the user can be prevented from accessing a particular site where the AAA system and method is inaccessible to the user based on the user's approval. To allow access to other sites that the AAA system and method consider accessible. In addition, according to one embodiment of the present invention, the source's access to the network can be tracked and recorded by the present invention for billing and historical recording purposes.

According to one embodiment of the invention, a method for selectively controlling and customizing access of a source to a network, wherein the source is associated with the source computer, the source computer has transparent access to the network via a gateway device and is connected to the network. A method has been described in which configuration software does not need to be installed on the source computer to access it. The method comprises receiving at the gateway device a request from a source computer for access to the network, identifying an attribute related to the source based on a packet transmitted from the source computer and received by the gateway device, Accessing a source profile corresponding to the source and stored in a source profile database, the source profile being accessed based on the attribute, the source profile database being located outside of the gateway device and communicating with the gateway device Steps. The method also includes determining an access right of the source based on the source profile, the access right defining the right of the source to access the network.

According to one aspect of the invention, determining an access right of a source based on the source profile comprises determining an access right of a source based on the source profile, the access right being requested to a requested network destination. Restrict the permissions that the source has access to. According to another aspect of the invention, the method further comprises assigning a location identifier to a location that transmits a request for access to the network, wherein the location identifier is an attribute associated with a source. Also in accordance with the present invention, accessing the source profile corresponding to the source includes accessing a source profile stored in a source profile database, the source profile database comprising a remote authentication dial-in user service (RADIUS), Or a Lightweight Directory Access Protocol (LDAP) database.

According to another feature of the invention, the method further comprises updating a source profile database when a new source accesses the network. The method further comprises a history of access of the source to the network in the source profile database. Maintaining a record. Moreover, the attribute associated with the source is based on one of the MAC address, user ID, or VLAN ID associated with the source computer that sent the request for access to the network. According to another feature of the invention, receiving a request from a source for access at the gateway device includes receiving a destination address from the source.

According to another embodiment of the invention, a system for selectively controlling and customizing a source's access to a network, the source being associated with the source computer, the source computer having transparent access to the network via a gateway device and having access to the network. A system has been described in which configuration software does not need to be installed on the source computer to access it. The system is a gateway device that receives a request from a source computer for access to the network, a source profile database in communication with and located external to the gateway device, the source profile database being identifiable by an attribute associated with the source. Stores access information, the attribute comprising a source profile database, identified from the data packet transmitted from the source computer and received by the gateway device. The system is also an AAA server in communication with the gateway device and a source profile database, the AAA server determining whether the source has access to a network based on access information stored in the source profile database, And determine the access rights of the AAA server, wherein the access rights define an access right for the source to access the destination site over the network.

According to one aspect of the invention, a packet received by the gateway device comprises at least one of a VLAN ID, a circuit ID, and a MAC address. Further, according to another aspect of the invention, the source profile database is remotely authenticated. It includes a dial-in user service (RADIUS) or lightweight directory access protocol (LDAP) database. Moreover, the source profile database includes a plurality of source profiles, each of the plurality of source profiles including access information. In accordance with the present invention, each source profile also includes historical data regarding the duration of network access for use in determining a fee to be paid for network access. According to another feature of the invention, the source profile database is located on the AAA server.

According to yet another embodiment of the present invention, a method for directing a source to access a destination through a gateway device, wherein the source is associated with a source computer, the gateway device causes the source computer to be configured with network software configured for a network. A method has been described that allows a source to communicate with a network without requiring that it be included. The method comprises receiving at the gateway device a request to access a network from the source, identifying a source based on an attribute associated with the source, located outside of the gateway device, and storing access rights of the source. Accessing the source profile database. The method includes determining an access right of the source based on the identification of the source, wherein the access right further includes defining a right for the source to access the destination over a network.

In accordance with an aspect of the present invention, accessing the source profile database comprises a source profile database comprising a remote authentication dial-in user service (RADIUS) or lightweight directory access protocol (LDAP) database. According to another aspect of the invention, the method may comprise assigning a location identifier to a location sending a request for access to the network, the location identifier being an attribute associated with a source. The method further includes updating a source profile database when a new source accesses the network, and maintaining a history record in the charging database of the source accessing the network, wherein the charging database includes the source profile. Communicate with the database.

According to another feature of the invention, receiving a request from a source for access at the gateway device includes receiving a destination address from the source. Moreover, determining whether the source computer has access to access the destination address further includes denying access to the source computer if the source profile indicates that the source computer is denied access. Determining whether the source has access to access the network also includes directing the source to the login page when the source profile is not located in the source profile database.

In accordance with yet another embodiment of the present invention, a system has been described that enables transparent communication between a computer and a service provider network. The system includes a computer, a network gateway device in communication with the computer for connecting the computer to the computer network, and receiving source data indicative of a user wishing to access the computer network. The system also includes a service provider network in communication with the network gateway device, wherein the service provider network is located outside of the network gateway device and includes an authentication server in communication with the network gateway device. The authentication server has a source profile database therein that includes a source profile representing a user authorized to access the computer network, and compares the source data with the source profile to see if a user who wants to access the computer network can access the computer network. Judge.

According to one aspect of the invention, the system may comprise a charging system for maintaining historical data relating to the use of said service provider network. According to another feature of the invention, the authentication server comprises a Remote Authentication Dial-in User Service (RADIUS) or Lightweight Directory Access Protocol (LDAP) database. Moreover, the source profile database includes a plurality of source profiles, each of the plurality of source profiles including access information. According to another feature of the invention, the source data includes attributes associated with the computer and transmitted from the computer to the gateway device. According to another feature of the invention, the source data includes login information associated with each user.

The authentication, authorization, and charging method and system according to the present invention enable transparent access of a user to a computer network using a gateway device. Thus, each user may have different rights to access a service, site or destination across a network. Accordingly, the present invention differs from conventional AAA methods and systems by providing a dynamic AAA service that authenticates a user and provides the users with a different degree of authorization to use an accessed network. Moreover, the source profile database of the present invention can be located outside the gateway device on a network that is not local to the network requesting access. The external source profile database is advantageous because each gateway device allows a finite number of users to access the network, so that a plurality of gateway devices may be required. In addition, managing and maintaining one merged database of authentication data is easier than multiple small databases. Moreover, positioning the database outside of the local network allows the ISP or third party provider to maintain the reliability of the information stored within the database and to maintain and control the database in the manner desired by the third party provider.

The invention will now be described in more detail below with reference to the accompanying drawings, in which preferred embodiments of the invention are shown. However, the present invention may be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are intended to those skilled in the art to which this disclosure is complete and are familiar with the art. It is provided to fully convey the scope of the invention. Like reference numerals refer to like elements here.

1 is a block diagram of a computer system including an AAA server that authenticates, authorizes, and charges a source to access a network and / or online service in accordance with one embodiment of the present invention.

2 is a flow chart of a method in which an AAA server performs authentication, authorization and charging in accordance with an aspect of the present invention.

Referring to FIG. 1, computer system 10 is shown in a block diagram. The computer system 10 may communicate with one or more online services 22 or networks via a gateway device 12 that provides an interface between the computer 14 and various networks 20 or online services 22. A plurality of computers 14 are included. One embodiment of such a gateway device is described in US patent application Ser. No. 08 / 816,174, referred to herein as a gateway device application, the contents of which are hereby incorporated by reference herein. In short, the gateway device 12 facilitates transparent access of the computer 14 to the online service 22 or the network 22, such that the computer 14 is independent of their network configuration. Any network can be accessed via device 12. In addition, the gateway device 12 may be a computer that wants to access the network 20, a location of a computer that wants to access the network, or an identity of a user who wants to access the network, as described below for the dynamic AAA method and system of the present invention. , And the ability to recognize additional attributes.

As shown in FIG. 1, computer system 10 also includes access located between computer 14 and gateway device 12 to multiplex signals received on a link to gateway device 12 from a plurality of computers. And a controller 16. Depending on the medium connecting the computer 14 to the access controller, the access controller 16 can be configured in a number of different ways. As an example, the access controller may be a digital subscriber line access multiplexer (DSLAM) for signals transmitted over a regular telephone line, a cable head end for a signal transmitted over a coaxial cable (Cable Modem Termination Shelf (CTMS)). ), A wireless access point (WAP), a switch, and the like, for signals transmitted over a wireless network.

Computer system 10 includes an AAA server 30 that dynamically authenticates and authorizes user access, as described in detail below, wherein the user undergoes an AAA process when attempting to access the network through gateway device 12. Finally, as shown in FIG. 1, computer system 10 typically includes one or more routers 18 and / or servers (not shown in FIG. 1), so that a plurality of computer networks 20 or other The online service 22 also controls or redirects traffic therefrom. Although computer system 10 is shown as having a single router. Computer system 10 may have a plurality of routers, switches, bridges, etc., arranged in some hierarchical manner to properly route calls to and from various networks 20 or online services 20. . In this regard, gateway device 12 typically establishes a link with one or more routers. The router then establishes a link with the servers of network 20 or online service 22 based on the user's choice. Those skilled in the art will understand that one or more of the devices shown in FIG. 1 may be combined. By way of example, although not shown, router 18 may be located entirely within gateway device 12.

Users and computers that wish to access network 20 or online service 22 via gateway device 12 are referred to hereinafter as sources. According to the AAA method and system of the present invention, a source that wants to access a network via a gateway device 12 is authenticated based on attributes associated with it. These attributes may include the identity of a particular user or computer, the location from which access was requested, the network or destination requested, and the like. As detailed in the gate device application, these attributes are identified by data packets sent to the gateway device 12 from the computers requesting access. According to one embodiment, the method and system of the present invention provide dynamic authentication, authorization and charging based on these attributes. In general, as used herein, authentication refers to the identification of a source, authorization refers to the determination of allowable source access, and charging refers to tracking the source's access to the network.

Referring now to the authentication mechanism of the systems and methods of the present invention, authenticating a source that attempts to access the network is often important for network management because network access and services are typically not disclosed to all users regardless of identity or payment. Will understand. As noted above, a source may be identified by the gateway device 12 by one or more attributes contained in a data packet sent to the device from a computer associated with a source or network that is intended to access a service, referred to herein as a source computer. . For example, if the source is a user, the source computer is the computer through which the user communicates to access the network or network destination. On the other hand, if the source is a computer through which one or more users can request to access the network, the source computer is the computer requesting access.

In accordance with an aspect of the present invention, a source computer that wishes to access a network via a gateway device 12 is referred to in US Provisional Application No. 60 / 161,093, entitled "Identification and Authorization Based on Location for Use with Gateway Device". A circuit ID, MAC address, user name, ID and / or password, or specific location (eg, communication port in a hotel room) sent to the gateway device 12 via a data packet generated by the source computer as described in. May be identified by one or more attributes, including the like. It should be understood that one or more of these attributes may be used in the present invention to identify a source that accesses the network. As an illustrative example, where the sources are several different users with dissimilar authentication and authorization rights, users may identify themselves by their respective login information (eg, username and password), so that they Despite the use of the same equipment, such as the same computer, they will be identified independently. On the other hand, where the source is a computer, the various users who use the computer will have similar authentication and authorization rights, regardless of each user's individual rights, because the rights are associated with the computer (eg, rather than associated with each user). (Identified by MAC address).

Authentication of the source via attributes associated with the source is performed by the AAA server 30 shown in FIG. The AAA server 30 stores a source profile corresponding to the source identified by it. According to one feature of the invention, the AAA server 30 is located entirely within the gateway device 12. According to another feature of the invention, the AAA server 30 may comprise a plurality of components, at least some of which are external to the gateway device 12 or, alternatively, the AAA server 30 may be a gateway. It may be located completely outside of the device 12. As an example, the location of the AAA server 30 may cause the gateway device 12 to communicate with the AAA server 30 via an Internet protocol. According to one embodiment of the present invention, AAA server 30 is maintained by an ISP identifying a source authorized to communicate with the network via an ISP. Thus, AAA server 30 may be located at any internet address and stored on any computer accessible via an internet protocol.

According to one aspect of the invention, there is a separate source profile for each source accessing the system. The source profile is maintained in a source profile database, which may be an internal component of AAA server 30, an external component of AAA server 30, or a separate component in communication with AAA server 30. Preferably, the source profile database is located outside of the gateway device and the network to relieve administrative burden on the network so that the network does not need to configure and maintain a separate authentication database on each network or gateway device. This is also because each gateway device 12 allows a finite number of users to access the network, which requires multiple gateway devices to accommodate a large number of sources. Second, managing and maintaining one integrated database of authentication data is easier than multiple small databases. Finally, placing the source profile database outside of the local network allows the ISP or third party provider to maintain the reliability of the information stored in the database and to maintain and control the database in any way desired by the third party provider.

The source profile includes one or more names, passwords, addresses, VLAN tags, MAC addresses, sources, and other information about charging the source, if desired. When the source attempts to access the network via the gateway device 12, the AAA server 30 compares the stored source profile in the source profile database with the attributes received from the gateway device 12 to determine the source identity. Attempt to authenticate. As an illustrative example, where a user wishes to access a network by entering a user ID and password, the user ID and password are compared with all IDs and passwords stored in the source profile database to determine the identity of the user. As noted above, the source profile database generally includes a database or data storage means in communication with the processing means located in the AAA server 30 or the gateway device 12, the AAA server 30 or the gateway device 12. The source profile database and the processor act in conjunction with each other, as is well known in the art, to compare received attributes and stored source profile information.

The source profile database may include programmable storage hardware or similar means located on a conventional personal computer, mainframe computer, or other suitable storage device known in the art. In addition, the means for comparing the received data with data in the database may include any software, such as an executable software program capable of comparing the data. By way of example, AAA server 30 may store a source profile on a hard drive of a personal computer, and the means for comparing the received source data with a source profile residing on the computer may include Microsoft Excel (Washington, Computer software, such as the trademark of Microsoft Corporation of Redmond. According to another embodiment of the present invention, the AAA server 30 or source profile database may comprise a Remote Authentication Dual-In User Service (RADIUS) or Lightweight Directory Access Protocol (LDAP) database that is well known in the art.

If the source does not correspond to the source profile in the AAA server 30 at the time of authentication, the source will not be allowed access to the network. When this happens, a user or a user associated with a non-user source may be asked to enter source profile information into the AAA server 30 so that the AAA server 30 sends the source profile to the AAA server 30, in particular the source. Can be added to the profile database. By way of example, this may occur when a user wishes to access gateway device 12 for the first time. According to another feature of the invention, if the source cannot be identified, the source may be directed to a login page to collect additional information to identify the source. By way of example, information may be entered with the help of a web page, pop-up control panel or user interface, which web page, pop-up control panel or user interface is described herein and filed December 8, 1999. US Patent Application No. 09 / 458,569 (hereinafter referred to as "Directional Application"), entitled "System and Method for Directing a User With Transparent Computer Access to a Network Using a Gateway Device with Directional Capability"; , US patent application Ser. No. 09 / 458,579, filed Dec. 8, 1999, entitled “System and Method for Orienting Users With Transparent Computer Access to a Network Using a Gateway Device with Directional Capability”. And the inventor Joel Short, the content of which is described herein and forms a part of this specification. And the homepage orientation capability described in the US patent application entitled "French Pagan" and entitled "System and Method for Orienting Users Who Want to Access a Network Site". Can be opened when connecting.

In accordance with one aspect of the present invention, AAA server 30 may identify a source that communicates with the gateway device in a transparent way to a computer user. That is, according to one aspect of the present invention, the user is not required to enter identification information, open the source computer or otherwise change the main network settings of the source computer. Moreover, no additional configuration software needs to be added to the source computer. After the packet is received by the gateway device, the attribute identified by the data packet can be compared with the data contained in the source profile database. Thus, in addition to not requiring reconfiguration of the computer accessing the network, the AAA server of the present invention has the ability to authenticate the source without requiring a dialogue step by a computer user, such as entering a user ID. As an example, AAA server 30 may automatically identify the source based on the MAC address, so that the source's approval can be easily determined. Thus, AAA server 30 can determine where a user, computer, or access is requested by retrieving attributes associated with the received data packet (such as in the header of the data packet) and data retrieved from the source profile database. As described below, access rights associated with a source are also stored in a source profile database so that the systems and methods of the present invention can dynamically grant access to a particular service or destination.

Once the source has established a network service connection through the authentication process, and the tunnel is opened to form a communication line between the source computer and the network, the gateway device 12 can assemble the source profile information or data specific to the source. In order to communicate with the AAA server (30). The source profile information assembled by the gateway device may include a MAC address, name or ID, circuit ID, billing plan related data, service level data, user profile data, remote site related data, and similar data related to the source. As above, the AAA server 30 may transmit to the gateway device 12 any necessary information related to the authorization of the source and the use of the network as described in detail below.

In addition to authenticating a user, the AAA server 30 of the present invention provides an authorization function where source access rights are determined. The present invention allows for dynamic approval of sources, so that each source can have different respective network uses or access rights. After authentication, AAA server 30 compares the attributes of the source with the access rights of the source associated with the user, computer, location or attribute. Access rights may be stored in a source profile database or in a separate subscriber database located inside or outside the gateway device 12. Thus, a separate database can be used, where one database stores identifying information about the source for authentication, and the other database stores access rights of the authenticated source. However, since all source profiles identified by attributes or combinations of attributes are stored in the source profile database, it may be advantageous to place information about access rights in the source profile database, which source profile database may It already contains information about each authentication source.

According to one aspect of the invention, the source profile database stores information defining the access rights of the source. As an example, the source profile database may include information indicating that a source with a particular MAC address has purchased pre-paid access, or that a given circuit ID has free access or unlimited access. As a specific room example of a hotel, customers in suits and penthouses can receive free unlimited internet access. Thus, access rights may be available depending on the source location (eg, room) or location status (eg, suit). In this case, no further identification is required because the location from which the source requests access is known to the gateway device and stored in the source profile database.

In addition to storing information about what each source is authorized to access, the source profile database may also include specialized access information associated with a particular source, such as the bandwidth of the source's access or the home page to which the source should be directed. have. As an example, a user accessing a network from a penthouse may receive a higher access baud rate than any person accessing the network from a particular hotel room. For example, if a user has transparent access to a gateway device from a hotel room, the hotel network administrator may enter user access information into the source profile database based on the access rights associated with the room in the hotel. This can also be done automatically by a gateway device or a local management system, such as a hotel property management system, when the user checks in to his room. In addition, the user can set the information to be included in the source profile database the first time access to the gateway device. As an example, a new user may be instructed to enter a credit card number, e-wallet account information, prepaid calling card number or similar billing information to gain access to the system. The source profile may also include historical data about the source accessing the network, including the amount of time the source has accessed the network. Specialized access or charging information included in the source profile database may be set by the system administrator or by a source that has purchased or otherwise established access to the network.

According to one aspect of the invention, the authorization capability of the AAA server 30 may be based on the type of service the source wishes to access, such as the destination address identified by the gateway device 12 based on the data received from the source computer. have. The destination may be a destination port, an internet address, a TCP port, a network, or the like. Moreover, the authorization capability of AAA server 30 may be based on the type or protocol of content being transmitted. In accordance with the systems and methods of the present invention, each packet may be filtered through an optional AAA process such that any or all sources may be authorized to access a particular destination based on the access rights associated with each source. Thus, in accordance with the present invention, whenever a source wants to access different destinations, the source is placed under AAA, so that the source is from a particular site that the AAA server 30 believes cannot access the source based on the source's approval. Access can be prevented. Alternatively, the AAA method according to the present invention allows any or all sources to directly connect to a particular site, such as a billing credit card or billing server that can collect payment or billing information, so that the source profile is updated and the source is It is later approved to access the network. In accordance with the systems and methods of the present invention, the approval of the source may also be based on objective criteria, such as a specific time, such that the session may be terminated at a specific time or according to other dynamic information determined by the network provider after the specific time has elapsed. have. Moreover, approval can be associated with a combination of attributes. As an example, a user may be authorized to access a network in which the user has entered an identification of the user and has accessed the network from a particular room. Such a requirement can also prevent unauthorized users staying in certain rooms from gaining network access. Thus, AAA may be based on origin, destination and call type.

As a further description, a flowchart of the operation of the AAA server 30 will be described with reference to FIG. 2 in accordance with an aspect of the present invention. In operation, the source computer requests access to a network, a destination, a service, and the like (block 200). Upon receiving the packet sent to AAA server 30, AAA server 30 examines the packet to determine the identity of the source (block 210). Attributes sent over the packet are temporarily stored in the source profile database so that data can be examined for use in determining the source's authorization. Attributes included in the packet may include network information, source IP address, source port, link layer information, source MAC address, VLAN tag, circuit ID, destination IP address, destination port, protocol type, packet type, and the like. After this information has been identified and stored, the access requested from the source is matched for that source's authorization (block 230).

Once the source profile is determined by accessing the authorization stored in the source profile database, three possible actions may result. Specifically, once the source's authorization is retrieved, the AAA server 30 may determine whether the source will access (222), open or in progress (224), or not (226). have. First, if the source profile database states so, then the source is considered valid (i.e. to access). If the source is determined to be valid, the call of the source may be allowed to exit the gateway device and proceed to the network or online service that the user associated with the source wants to access (block 230). Alternatively, the source may be directed to a portal page, as described in the redirection application, before access to the requested network is allowed. For example, when a user has free access associated with the user's hotel room, the user is automatically forwarded to a destination address entered by the user, for example, an internet address. As an alternative, this may occur if the user has already purchased the access or has not exhausted the available access time. Moreover, the charging message is initialized to record the amount of time the user uses the gateway device (230) so that the user or location can be charged for access.

If a second scenario occurs where the source is considered open or in progress 224, then the source may be for steps to be authenticated 240 so that the source information is recorded in the source profile database. As an example, the user may have to agree to purchase, requiring the user to enter a credit card number. If the user needs to purchase access or if the system needs additional information about the user, the user can log in from the portal page to establish a new user via home page orientation (HPR) and stack address translation (SAT). It may be directed to a location such as a page. The SAT and HPR can arbitrate to redirect the user to a web server (external or internal), where the user must log in and identify himself. This process is described in detail in the orientation application. After entering any necessary and sufficient information, the user is then allowed to access the destination address (blocks 230, 250). If the information provided is insufficient, the user will not be granted access (block 260). Finally, a third scenario can occur, where the source is considered to have no access (226) and the user is not allowed to access the destination via the network (260).

Reference is now made to the charging function of the system and method, and when the source authorizes access to the network, the AAA server 30 may register a billing start to identify that the source accesses the network. Similarly, when a source logs off or terminates a network session, a charge stop can be registered by the AAA server 30. The charging start or stop may be identified by the gateway device 12 or the AAA server 30 when the source is authorized or authorized to access the desired destination. Moreover, charging start or stop may be registered in the source profile or may be stored in a database separate from AAA server 30 and located outside of the network. Typically, charging start and stop includes a time stamp indicating the amount of time the source has accessed the network. Using this data, the time between charging start and charging stop can be recorded so that the total connection time of the source can be calculated. Such information is valuable if you are charged by an increase in time, such as an hour. As is well known in the art, the billing package can then record the total time a user accesses the network over a set period of time, such as each month, so that charges may be incurred for the source. Because networks and ISPs can charge a set rate for a specific period of time, such as a month (ie flat rate pricing), regardless of how much time was spent accessing the network, Start and stop may not be required for billing purposes. However, charging start and stop can generally be recorded by the network provider or ISP for statistical purposes.

The ISP or similar access provider will take additional advantage from being able to track the subscriber's use of the ISP to set up charges, history reports and other relevant information. Preferably, AAA server 30 communicates with one or more processors to determine the source, or any fee that the source must pay for network access or service. The AAA server 30 retrieves the historical charging data on a real time basis or after a specific time interval has elapsed. Preferably, AAA server 30 maintains such data in an easily accessible and adjustable format so that an access provider (eg, an ISP) can generate a report representing historical data in any desired form. As an example, to project the future use of an access provider, AAA server 30 generates a report that records the number of user accesses to the Internet from a particular place in a particular time period. Moreover, if an access provider provides alternative access for the user, such as charging for a faster connection (ie higher baud rate) for an additional fee, the access provider will best meet the needs of future customers. You may want to use the AAA server 30 to analyze the historical data. Such data may be related to currently ongoing network sessions, duration of such sessions, currently used bandwidth, number of bytes transmitted, and any other relevant information. The AAA server 30 can be implemented using well known programs such as the Eclipse Internet Billing System, Kennon Broadband Internet Billing Software (manufactured by Lucent Technologies) or True Radius Account.

The AAA server 30 dynamically charges access of the source in the same way that access can be customized based on each source. That is, the AAA server 30 may maintain a charging record that varies depending on the identity of the source, the location of the source, the destination requested by the source, and the like. Like access or authorization, this information can be maintained in a source profile database or similar billing database. As an example, AAA server 30 may determine that a particular source is only charged for accessing a particular site, and will register a billing site only when that particular site is accessed. Accordingly, the AAA server 30 will identify the account information stored in the subscriber's source profile to determine the charge start, charge stop, charge rate, and the like.

Many modifications and other embodiments of the invention will come to mind to one skilled in the art to which this invention pertains having the benefit of the teachings presented in the foregoing descriptions and the associated drawings. Accordingly, it is to be understood that the invention is not limited to the specific embodiments described, and that modifications and other embodiments are intended to be included within the scope of the appended claims. Although specific terms have been used, they are generic and used for explanatory purposes only and are not intended to be limiting.

The authentication, authorization, and charging method and system according to the present invention enable transparent access of a user to a computer network using a gateway device. Thus, each user may have different rights to access a service, site or destination across a network. Accordingly, the present invention differs from conventional AAA methods and systems by providing a dynamic AAA service that authenticates a user and provides the users with a different degree of authorization to use an accessed network. Moreover, the source profile database of the present invention can be located outside the gateway device on a network that is not local to the network requesting access. The external source profile database is advantageous because each gateway device allows a finite number of users to access the network, so that a plurality of gateway devices may be required. In addition, managing and maintaining one merged database of authentication data is easier than multiple small databases. Moreover, positioning the database outside of the local network allows the ISP or third party provider to maintain the reliability of the information stored within the database and to maintain and control the database in the manner desired by the third party provider.

Claims (32)

A method of selectively controlling and customizing access to the network of a source associated with a source computer accessing a network via a gateway device, the method comprising: Receiving at the gateway device 12 a request from the source computer 14 for access to the network 20, Identifying attributes related to the source based on packets transmitted from the source computer 14 and received by the gateway device 12, and Accessing a source profile corresponding to the source and stored in a source profile database, the source profile being accessed based on the attribute, wherein the source profile database is located outside of the gateway device 12 and the gateway device ( Accessing the source profile, in communication with 12). Including, The source computer 14 has transparent access to the network 20 via the gateway device 12 such that packets transmitted from the source computer 14 are not changed by the gateway device 12. A method of selectively controlling and customizing access to a source, wherein the status is maintained and no configuration software needs to be installed on the source computer to access the network. The method of claim 1, Determining an access right of the source based on the source profile, And said access rights define the authority of said source to access a requested network destination. The method of claim 1, Assigning a location identifier to a location from which a request for access to the network is sent; And wherein the location identifier is an attribute associated with the source. The method of claim 1, And said source profile database comprises a remote authentication dial-in user service (RADIUS). The method of claim 1, Wherein said source profile database comprises a Lightweight Directory Access Protocol (LDAP) database. The method of claim 1, And updating the source profile database when a new source accesses the network. The method of claim 1, Maintaining a history record of access of the source to a network in the source profile database. The method of claim 1, And wherein said attribute associated with said source is based on one of a MAC address, a user ID, or a VLAN ID associated with the source computer that sent the request for access to the network. The method of claim 1, Receiving a request from the source computer for access at the gateway device comprises receiving a destination address from the source computer. A system for selectively controlling and customizing access to the network by a source associated with a source computer and accessing the network via a gateway device, The gateway device 12 receiving a request from the source for access to the network 20, A source profile database in communication with and located external to the gateway device 12, the source profile database storing access information identifiable by an attribute associated with the source, the attribute being transmitted from a source computer 14 A source profile database, identified based on the data packet received by the gateway device 12, and An authentication, authorization and billing (AAA) server 30 in communication with the gateway device 12 and the source profile database, wherein the AAA server 30 is configured to provide network access based on access information stored in the source profile database. Determine whether the user has access rights to access (20), and also determine access rights of the source, the access rights defining access rights for the source to access a destination site via the network (20) , Authorization and billing server (30) Including, The source computer 14 has transparent access to the network 20 via the gateway device 12 such that packets transmitted from the source computer 14 are not changed by the gateway device 12. A system for selectively controlling and customizing access to a source, which is maintained in a state, wherein no configuration software needs to be installed on the source computer (14) to access the network (20). The method of claim 10, And wherein the packet received by the gateway device comprises at least one of a VLAN ID, a circuit ID, and a MAC address. The method of claim 10, And the source profile database comprises a remote authentication dial-in user service (RADIUS). The method of claim 10, And wherein said source profile database comprises a Lightweight Directory Access Protocol (LDAP) database. The method of claim 10, Wherein said source profile database comprises a plurality of source profiles, each of said plurality of source profiles comprising access information. The method of claim 14, Wherein each source profile includes historical data relating to the duration of network access for use in determining a fee to be paid for network access. The method of claim 10, And wherein said source profile database is located on said AAA server. A method of orienting a source, associated with a source computer, to access a destination through a gateway device, Receiving, at the gateway device 12, a request to access the network 20 from the source, Identifying a source based on an attribute associated with the source, Accessing a source profile database located outside of the gateway device 12 and storing access rights of the source, and Determining an access right of the source based on the identification of the source, the access right defining the right for the source to access a destination via the network 20; Including, The source computer 14 has transparent access to the network 20 via the gateway device 12 such that packets transmitted from the source computer 14 are not changed by the gateway device 12. And a configuration software does not need to be installed on the source computer (14) to access the network (20). The method of claim 17, Accessing the source profile database comprises a source profile database comprising a remote authentication dial-in user service (RADIUS). The method of claim 17, Accessing the source profile database comprises a source profile database comprising a lightweight directory access protocol protocol (LDAP) database. The method of claim 17, Assigning a location identifier to a location from which a request for access to the network is sent; And wherein the location identifier is an attribute associated with the source. The method of claim 17, Updating the source profile database when a new source accesses the network. The method of claim 17, Maintaining a history record of the source accessing the network in a charging database, And said charging database is in communication with said source profile database. The method of claim 17, Examining the destination address identified by the source request, and applying an access right based on the destination address. The method of claim 19, Determining whether the source computer has access to a destination address further comprises denying access to the source computer if the source profile indicates that access to the source computer is denied. How to orient the source. The method of claim 17, Determining whether the source has access to access the network further comprises directing the source to a login page when the source profile is not located in the source profile database. How to specify. A system for enabling communication between a computer and a service provider network, the system comprising: Source computer (14), A network gateway device 12 in communication with the source computer for connecting the source computer 14 to the computer network 20 and receiving source data indicative of a user wishing to access the computer network 20, and A service provider network in communication with the network gateway device 12 Including, The service provider network is located outside of the network gateway device 12 and internally includes a source profile database that includes a source profile representing a user authorized to access the computer network and in communication with the network gateway device 12. Includes an authentication server with The authentication server compares the source data with the source profile to determine whether a user who wants to access the computer network can access the computer network, The source computer 14 has transparent access to the network 20 via the gateway device 12 such that packets transmitted from the source computer 14 are not changed by the gateway device 12. System, characterized in that no configuration software needs to be installed on the source computer (14) to access the network (20). The method of claim 26, And a charging system for maintaining historical data relating to the use of said service provider network. The method of claim 26, The authentication server comprises a remote authentication dial-in user service (RADIUS). The method of claim 26, And the authentication server includes a Lightweight Directory Access Protocol (LDAP) database. The method of claim 26, And the source profile database comprises a plurality of source profiles, each of the plurality of source profiles comprising access information. The method of claim 26, The source data includes an attribute associated with the source computer, the attribute being transmitted from the source computer to a gateway device. The method of claim 26, And the source data includes login information associated with each user.

Images