The invention may best be understood by referring to the following description and accompanying drawings that are used to illustrate embodiments of the invention.
Embodiments of the invention relate to the field of communication security, and in particular, to a system, apparatus, and method for providing local client authentication, such as wireless authentication. Local authentication means local with respect to a switch for the client as opposed to, for example, in a backend server.
A. First Authentication Scheme
Referring to
Authentication server 125 terminates the PEAP MSCHAPv2 signals and performs client authentication as, for example, is described below. Clients 100 and 105 are examples of clients to be authenticated. Signals following the protocols described herein are in the form of packets although the principles could apply to other signaling formats. There may be additional devices on the network (for example, printers and other laptop or desktop computers), and it is not required that both clients 100 and 105 be on the network.
Switch 120 is also coupled through a link 130 to a backend server computer 140. A “link” is generally defined as any communication medium that enables information to be transferred to/from a destination device. Examples of link 130 include any wired communication medium (e.g., wire, cable, fiber optic, etc.), or any wireless communication medium such as radio frequency, light pulses, magnetic-based transmissions, and the like. At least some signals between switch 120 and server computer 140 follow an NTLMv1 authentication protocol. As an illustrative example, server computer 140 includes a MICROSOFT® Active Directory (MSFT AD) server 150 that receives signals under the NTLMv1 authentication protocol. Note that server computer 140 is a physical computer and MSFT AD server 150 is a software construct that is executed on server computer 140. MSFT AD server 150 terminates signals following the NTLMv1 authentication protocol and performs authentication under the NTLMv1 authentication protocol.
The following discussion provides examples of how authentication server 125 provides client authentication and bridges the PEAP-MSCHAPv2 to NTLMv1 authentication. Authentication server 125 handles PEAP-MSCHAPv2 authentication without the need of a backend RADIUS server such as in server computer 140. In some embodiments, the AD (active directory) of MSFT AD server 150 does not have to be configured for authentication of new clients.
The MSCHAPv2 authentication protocol is an authentication method that uses the NT PasswordHash (described below) as a basic component of the authentication process (see Request for Comment 2759). In general, the NT PasswordHash is placed in a message in accordance with the NTLMv1 authentication protocol, which is an authentication protocol that is substantially different from that of MSCHAPv2, but is adapted in the present invention to use NT PasswordHash for client authentication. Hence, the two seemingly unrelated algorithms can be used in conjunction to authenticate a client using PEAP-MSCHAPv2 while server 150 uses the NTLMv1 authentication protocol. This may be an attractive combination because PEAP-MSCHAPv2 is the default client authentication standard with the Windows XP operating system whereas NTLMv1 is also standard and enabled by default on a Win2K3 (2003) server without configuration. Further details are described in connection with the following processes in connection with blocks 200-240 in an exemplary flowchart illustrated in
With respect to
Although not shown, it is contemplated that the NT PasswordHash is padded with additional information (e.g., “0” values) and separated into three (3) 7-byte value. These values are used to perform cryptographic operations (e.g., DES operations) on the Server Challenge in order to produce resultant 8-bytes values. These values are appended together to produce a Client Response. Of course, it is contemplated that the Client Response may be produced by other techniques, provided such techniques can be replicated at backend server 150.
According to this embodiment of the invention, Client Response is a 24-byte value, and is transferred from client 100 or 105 to authentication server 125 in accordance with the MSCHAPv2 authentication protocol (see block 220 of
As can be seen from the message exchange described above, client authentication is performed by authentication server 125, but a portion of the complete authentication process is performed in MSFT AD server 150.
As further illustrated, network processor 310 is adapted to execute authentication server instructions 320 which may be stored in a memory such as internal memory 330. Instructions 320 may be stored in software or firmware, or hardwired.
Still referring to
Having server 125 of
Credentials for these clients are cached in cache 340. In prior art systems, when the link between the backend server and the switch goes down, the clients of the switch are no longer authenticated and hence cannot use the local network. Alternatively, conventional systems use a local redundant client authentication server while still keeping the remote RADIUS server. By contrast, in the network system of
B. Second Authentication Scheme
Referring to
Switch 420 is also coupled through a link 430 to a backend server computer 440. At least some signals between switch 420 and server computer 440 follow a LDAP authentication protocol. Server computer 440 operates as a LDAP server 450 that terminates signals under the LDAP authentication protocol. LDAP server 450 performs authentication for the LDAP authentication protocol.
The following discussion provides examples of how authentication server 425 provides client authentication and bridges the PEAP GTC to LDAP authentication. Authentication server 425 handles PEAP GTC authentication without the need of a backend RADIUS Server such as in server computer 440. In some embodiments, LDAP server 450 does not have to be configured for authentication of new clients.
Not needing a RADIUS backend server is attractive because many different backend servers do not include RADIUS servers. The GTC authentication allows for the passing of the user/password pair to the backend LDAP server 450. Further details are described in connection with the following operations and in connection with blocks 500-550 in the flowchart of
(1) Authentication server 425 terminates the TLS portion of PEAP (see block 500 of
(2) Client 400 or 405 starts the GTC handshake (see block 510 of
(3) Client 400 or 405 server 450 passes a user password for the GTC handshake to authentication server 520 (see block 520 of
(4) Authentication server 425 receives the user password and repackages these packets in accordance with the LDAP protocol for transmission to LDAP server 450 (see block 530 of
(5) LDAP server 450 determines whether the client passes or fails (see block 540 of
(6) Switch 420 (authentication server 425) responds to LDAP server 450 decision regarding pass/fail by authenticating or not authenticating the client (see block 550 of
The above described process is different than the prior art systems in that the prior art system handle PEAP GTC to RADIUS and then to LDAP. The above described process skips the RADIUS translation operations completely.
Although this embodiment describes an authentication scheme using LDPA server 450, it is contemplated that other types of servers may utilize this inventive authentication scheme, namely any type of server that processes a user name and password (or token). Examples include, but are not limited or restricted to NTLMv2 based sever, Kerberos-based server, RSA SecurID® server, RADIUS® and the like.
C. Third Authentication Scheme
In
The above described system in connection with
Wireless communications described herein may be in accordance with a wireless communication standard such as High Performance Radio LAN (HiperLan) or IEEE 802.11. Examples of different types of IEEE 802.11 standards include, but are not limited or restricted to (i) an IEEE 802.11b standard entitled “Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications: Higher-Speed Physical Layer Extension in the 2.4 GHz Band” (IEEE 802.11b, 1999), (ii) an IEEE 802.11a standard entitled “Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications: High-Speed Physical Layer in the 5 GHz Band” (IEEE 802.11a, 1999), (iii) a revised IEEE 802.11 standard “Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications” (IEEE 802.11, 2003), or the like.
In some embodiments, instructions to perform the functions described herein are hardwired into the circuits. In other embodiments, at least some of the functions may be initiated through firmware and/software. Such firmware or software can be provided to the switch and access point over the Internet or through a storage medium such as a CD ROM, DVD, flash memory, or other memory.
While the invention has been described in terms of several embodiments, the invention should not limited to only those embodiments described, but can be practiced with modification and alteration within the spirit and scope of the appended claims. The description is thus to be regarded as illustrative instead of limiting.