Method and system for continuously serving authentication requests

Information

  • Patent Application 20070074049
  • Publication Number: 20070074049
  • Date Filed: September 29, 2005
  • Date Published: March 29, 2007
Abstract
A method and system for continuously serving the authentication requests of networked computers is disclosed. The authentication requests of computers are served and the services for the computers are reserved for a predefined time interval. The authentication service for a computer is reserved by an authentication server, which receives authentication requests of the computer.
Description
BACKGROUND OF THE INVENTION

1. Field of Invention


Embodiments of the invention relate in general to AAA servers. More specifically, embodiments of the invention relate to methods and systems for continuous authentication services provided by the AAA servers.


2. Description of the Background Art


Networked computers often access resources from their own networks and from other networks. Point-to-Point Protocol (PPP) can be used to connect the networked computers to other networks. An extension to PPP, known as Extensible Authentication Protocol (EAP), provides an authentication service to computers that require access to network resources. EAP supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, public key authentication and smart cards. Moreover, EAP provides layer-2 authentication functionality to networked computers. In layer-2 authentication, the networked computers have to pass through a process of authentication before connecting to other networks. The mechanism of authentication prevents unauthorized networked computers from gaining access to confidential information, and also reduces the possibility of network threats. These network threats can be in the form of worms and viruses. 802.1x is an IEEE (Institute of Electrical and Electronics Engineers) standard, which provides authentication and resource access control capability to networked computers for accessing resources or data from protected networks.


AAA servers are used for authentication, authorization, and accounting services in networks. An AAA server authenticates a computer, based on its unique identity information. This unique identity information can be in the form of a user name and a password. The AAA server grants or denies the information and services of the network to a computer, depending on the authentication, authorization, and accounting rule defined for the computer.


A typical AAA server can authenticate hundreds of computers per second. The problem arises in a situation wherein all the computers are disconnected from the network as a result of a temporary loss of network connectivity. In such cases, the computers all try to regain authentication as soon as the network connection is re-established. The AAA server may stop responding under the resulting burst of requests. This situation is commonly known as a friendly DOS attack.


According to the conventional method, static AAA servers are used to enhance the quality of the authentication service to the networked computers that are their clients. However, the quality of the authentication service can be degraded, since the static servers may stop responding as a result of DOS attacks.




BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1 shows a network environment wherein the invention can be implemented for providing continuous service to authentication requests, in accordance with various embodiments of the invention.



FIG. 2 is a block diagram illustrating an authentication server, in accordance with an exemplary embodiment of the invention.



FIG. 3 is a block diagram illustrating a network access server, in accordance with an exemplary embodiment of the invention.



FIG. 4 is a flowchart illustrating a method for providing continuous service to authentication requests for clients in the network, in accordance with an exemplary embodiment of the invention.



FIG. 5 is a flowchart illustrating a method for providing continuous service to authentication requests for clients, in accordance with another exemplary embodiment of the invention.



FIGS. 6a, 6b and 6c together form a detailed flowchart illustrating a method for providing continuous service to authentication requests, in accordance with another exemplary embodiment of the invention.




DETAILED DESCRIPTION OF EMBODIMENTS OF THE INVENTION

Various embodiments of the invention provide a method and a system for continuous authentication service to clients of authentication servers in a network. Each client in the network can attempt access to one or more network resources. This attempt to access can be accompanied by a request for authentication from the client. According to various embodiments of the invention, the authentication server that responds to the request, reserves its service for serving the authentication requests of the client. The service is reserved and authentication requests are answered continuously for a predefined time interval. Similarly, the authentication server can reserve its service for a number of clients.



FIG. 1 shows a network environment wherein the invention can be implemented to provide continuous service to authentication requests, in accordance with various embodiments of the invention. Network environment 100 includes clients 102, a network 104, a network access server 108, and authentication servers 110. Clients 102 can include a client 102a, a client 102b, and a client 102c. In an embodiment of the invention, clients 102 require resources or data access from network 104. Examples of network 104 include Local Area network (LAN), Metropolitan Area Network (MAN), Wide Area Network (WAN), Virtual Private Network (VPN), and the like. Examples of each of clients 102 include personal computers, laptops, workstations, mobile communication devices, telephony instruments, and the like. Clients 102 undergo a process of authentication to access resources from network 104. The process of authentication can be implemented with the help of application software. The application software can be located at each of clients 102, to initiate authentication requests from them in order to gain access to network resources. Examples of application software may include the ‘Cisco IOS Software’.


In an embodiment of the invention, network access server 108 receives authentication requests from clients 102. These authentication requests can be in the form of frames, which follow the 802.1x authentication protocol. Network access server 108 can receive these authentication requests in an encrypted format. Examples of network access server 108 include a router, a switch, a wireless access point, and the like. Network access server 108 can forward authentication requests of clients 102 to authentication servers 110. Authentication servers 110 can include an authentication server 110a, an authentication server 110b, and an authentication server 110c. Authentication servers 110 can include a database each, which stores the authentication information of clients 102. Authentication servers 110 compare the authentication information of the clients that send authentication requests with the authentication information stored in their databases. The result of the comparison determines the ability of a requesting client to access a required network resource. Examples of authentication servers 110 include servers that support Remote Authentication Dial In User Service (RADIUS) protocol, Terminal Access Controller Access Control System Plus (TACACS+) protocol, and the like. Authentication servers 110 return a network access policy to network access server 108. This network access policy is for each of clients 102. Network access server 108 applies the network access policy onto clients 102 and allows network access to clients 102, based on their network access policy.



FIG. 2 is a block diagram illustrating authentication server 110a, in accordance with an exemplary embodiment of the invention. Authentication servers 110a, 110b, and 110c, as shown in FIG. 1, are similar to each other. Authentication server 110a can include a transceiver module 202 and a reservation module 204. Transceiver module 202 can receive authentication requests forwarded through network access server 108. In addition, transceiver module 202 can also transmit the authentication requests to reservation module 204. Transceiver module 202 can also transmit two lists, one list to network access server 108 and the other to authentication servers 110. According to an embodiment of the invention, the list to network access server 108 can include the identification details and the number of reserved clients of each of authentication servers 110. The list sent to authentication servers 110 can include the number of network access servers. Reservation module 204 reserves authentication services for the clients for which authentication server 110a provides authentication services. Reservation module 204 can include a serving module 206 for serving authentication requests and a processing unit 208 for reserving the authentication service. According to an embodiment of the invention, serving module 206 receives authentication requests from transceiver module 202 and serves the received authentication requests. These requests are served only after verification of the requesting client. The verification can involve comparing the authentication information presented by the requesting client with the authentication information for that client stored in the database of authentication server 110a.


According to various embodiments of the invention, processing unit 208 includes a storage module 210, a checking module 212, and an updating module 214. Storage module 210 can store the authentication information corresponding to clients 102 that are served by serving module 206. In an embodiment of the invention, storage module 210 can be a secondary memory device such as a magnetic disk, magnetic tape, and equivalents thereof. Examples of magnetic disk include hard drives, floppy disks, optical disks, and equivalents thereof. Each of clients 102 for which the corresponding identification details are stored in storage module 210 becomes a ‘reserved’ client of the authentication server that serves it. For example, if the authentication request for client 102a is served by authentication server 110a, then client 102a is a reserved client of authentication server 110a. In an embodiment of the invention, checking module 212 checks the transactions taking place at storage module 210 and determines whether any reserved clients have been added to or removed from storage module 210. Checking module 212 can also check the number of authentication servers 110 and collect information relating to the number of reserved clients at each of authentication servers 110. Updating module 214 can update the stored list with the identification details of the reserved clients as determined by checking module 212. The identification details can include a specific identity given to each client that remains unique in network environment 100. Updating module 214 can transmit the recently stored list to transceiver module 202. In an embodiment of the invention, checking module 212 also checks and determines the number of network access servers present in network environment 100. Updating module 214 can update the second of the two lists with the number of network access servers as determined by checking module 212. Updating module 214 can also transmit the second list to transceiver module 202.



FIG. 3 is a block diagram illustrating network access server 108, in accordance with an exemplary embodiment of the invention. Network access server 108 can include a transceiver module 302, a storage unit 304, and a decision module 306. Transceiver module 302 can receive authentication requests from clients 102. Transceiver module 302 can also transmit authentication requests to authentication servers 110. Transceiver module 302 can also receive one or more lists from authentication servers 110. Storage unit 304 can store the lists received by transceiver module 302. Decision module 306 can check the lists stored in storage unit 304 and determine which of authentication servers 110 has the least number of reserved clients. Decision module 306 can also forward the identification details of the determined authentication server to transceiver module 302. For example, if authentication server 110b is serving the least number of reserved clients, decision module 306 forwards the identification details of authentication server 110b to transceiver module 302. Transceiver module 302 can then transmit authentication requests for the remaining clients 102 to authentication server 110b until authentication server 110b can no longer reserve its services for any more clients.



FIG. 4 is a flowchart illustrating a method for providing continuous service to authentication requests for clients 102 in network environment 100, in accordance with an exemplary embodiment of the invention. At step 402, an authentication server of authentication servers 110 receives an authentication request from a client, through network access server 108. At step 404, the authentication server reserves its service for the received authentication request and continuously serves the authentication requests for the client.



FIG. 5 is a flowchart illustrating a method for providing continuous service to authentication requests, in accordance with an exemplary embodiment of the invention. At step 502, network access server 108 forwards the authentication request of a client to one of authentication servers 110. The client can be one of clients 102. For example, network access server 108 forwards the authentication request to authentication server 110a and the forwarded authentication request is for client 102a. At step 504, authentication server 110a serves the authentication request of client 102a and reserves the authentication service for client 102a. The reservation of authentication service is for the predefined time interval. Authentication server 110a forwards one or more lists to network access server 108 after each step of serving the authentication request for client 102a. Network access server 108 receives the lists from authentication server 110a and stores the lists in storage unit 304.


At step 506, network access server 108 checks whether it has received more authentication requests to be forwarded for clients 102. If network access server 108 has received more authentication requests, step 508 is performed. At step 508, network access server 108 checks whether the authentication server that received the previous authentication request is capable of reserving service for another authentication request. If that authentication server is capable of reserving service for another authentication request, step 502 is performed.


If that authentication server is not capable of reserving service for another authentication request, step 510 is performed. At step 510, network access server 108 forwards the received authentication requests to one of authentication servers 110, based on the list received from authentication server 110a. For example, network access server 108 forwards the authentication request to authentication server 110b if authentication server 110b is serving the fewest reserved clients, and the forwarded authentication request is for client 102b. This is followed by step 504. At step 504, authentication server 110b serves the authentication request of client 102b and reserves the service for client 102b, thereby ensuring continuous service to the authentication requests for clients 102 in network environment 100 by identifying one of authentication servers 110.



FIGS. 6a, 6b and 6c together form a detailed flowchart illustrating a method for providing continuous service to authentication requests for clients 102 in network environment 100, in accordance with an exemplary embodiment of the invention. At step 602, one of clients 102 sends an authentication request to network access server 108. For example, client 102a sends the authentication request to network access server 108. At step 604, the authentication request is forwarded by network access server 108 to one of authentication servers 110. For example, the authentication request is forwarded by network access server 108 to authentication server 110a. At step 606, authentication server 110a serves the authentication request for client 102a. At step 608, authentication server 110a reserves its service for the authentication requests of client 102a for a predefined time interval. The predefined time interval can be manually defined for authentication servers 110 as the time during which the authentication requests from any client will be served. At step 610, authentication server 110a updates the list of reserved authentication requests by adding the identification details of client 102a, whose authentication request has just been served. At step 612, authentication server 110a checks authentication servers 110, which are present in network environment 100.


At step 614, authentication server 110a updates another list with the number of authentication servers 110 and the reserved clients of each of authentication servers 110. At step 616, authentication server 110a forwards the list to network access server 108. For example, authentication server 110a forwards the list to the network access servers in network environment 100. At step 618, authentication server 110a checks the number of network access servers present in network environment 100.


At step 620, authentication server 110a updates the second list with the number of network access servers. Step 620 is executed if there is more than one network access server 108 present in network environment 100. At step 622, the second list is forwarded to authentication servers 110. At step 624, network access server 108 checks if it receives more authentication requests from clients 102.


If network access server 108 receives more authentication requests from clients, step 626 is performed. For example, if network access server 108 receives more authentication requests from client 102b, step 626 is performed. At step 626, network access server 108 checks whether client 102b is a reserved client of one of authentication servers 110. If client 102b is a reserved client of one of authentication servers 110, step 604 is performed. For example, if client 102b is a reserved client of authentication server 110b, step 604 is performed. At step 604, authentication requests for the reserved client 102b are forwarded to authentication server 110b.


If, at step 626, it is determined that client 102b is not a reserved client of any of authentication servers 110, step 628 is performed. At step 628, network access server 108 checks which one of authentication servers 110 is currently serving the least number of reserved clients. At step 630, the authentication request for one of clients 102 is forwarded to the authentication server that is currently serving the least number of reserved clients. For example, the authentication request for one of clients 102 is forwarded to authentication server 110c. This is followed by step 606, where authentication server 110c serves the authentication request of one of clients 102, thereby ensuring continuous service to the authentication requests for clients 102.
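The following is an added simulation of the decision and reservation logic of FIGS. 2, 3 and 6a-6c; it is illustrative code written for this page, not an implementation from the patent or from any AAA product. It assumes a fixed per-server capacity (the page only says a server eventually cannot reserve more clients), ties between equally loaded servers broken by server name, a reservation refreshed on every served request, and a full server refusing an unreserved client; credentials and requests are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AuthenticationServer:
    """Authentication server of FIG. 2: serving module plus reservation state.

    capacity is an assumption: how many clients one server can hold
    reservations for before it 'cannot reserve its services for any more'."""
    name: str
    reserve_seconds: float                 # the predefined time interval
    capacity: int
    credentials: Dict[str, str]            # client id -> shared secret (constructed)
    reserved: Dict[str, float] = field(default_factory=dict)  # client -> expiry time

    def withdraw_expired(self, now: float) -> None:
        """Withdraw reservations whose interval lapsed without a new request (claim 3)."""
        self.reserved = {c: t for c, t in self.reserved.items() if t > now}

    def reserved_clients(self, now: float) -> Set[str]:
        self.withdraw_expired(now)
        return set(self.reserved)

    def serve(self, client: str, secret: str, now: float) -> bool:
        """Step 606: verify the client against the stored credentials.
        Step 608: reserve (or refresh) service for reserve_seconds.
        Returns True when the request was served."""
        self.withdraw_expired(now)
        if self.credentials.get(client) != secret:
            return False
        if client not in self.reserved and len(self.reserved) >= self.capacity:
            return False  # assumption: a full server refuses an unreserved client
        self.reserved[client] = now + self.reserve_seconds
        return True


def build_reservation_list(servers, now: float) -> Dict[str, Set[str]]:
    """Steps 612-616: the list sent to the NAS, naming each server's reserved clients."""
    return {s.name: s.reserved_clients(now) for s in servers}


class NetworkAccessServer:
    """Network access server of FIG. 3: storage unit 304 keeps the latest list,
    decision module 306 picks the authentication server for each request."""

    def __init__(self, servers: List[AuthenticationServer]):
        self.servers = {s.name: s for s in servers}
        self.stored_list: Dict[str, Set[str]] = {n: set() for n in self.servers}

    def select_server(self, client: str) -> str:
        # Step 626: a reserved client stays with the server that reserved it.
        for name, clients in self.stored_list.items():
            if client in clients:
                return name
        # Step 628: otherwise the server with the fewest reserved clients (ties by name).
        return min(self.stored_list, key=lambda n: (len(self.stored_list[n]), n))

    def authenticate(self, client: str, secret: str, now: float) -> Optional[str]:
        """Steps 604-616: forward the request, then store the list the server returns.
        Returns the name of the serving server, or None if the request was refused."""
        name = self.select_server(client)
        served = self.servers[name].serve(client, secret, now)
        self.stored_list = build_reservation_list(self.servers.values(), now)
        return name if served else None


# Constructed sample data: five valid clients.
CREDENTIALS = {"c1": "s1", "c2": "s2", "c3": "s3", "c4": "s4", "c5": "s5"}
# (time, client, secret): a burst of reconnects after an outage, one request that
# exceeds total capacity, one bad password, and one client returning after the
# 60-second interval has lapsed.
REQUESTS: List[Tuple[float, str, str]] = [
    (0, "c1", "s1"), (1, "c2", "s2"), (2, "c1", "s1"), (3, "c3", "s3"),
    (4, "c4", "s4"), (5, "c5", "s5"), (6, "c2", "wrong"), (70, "c1", "s1"),
]


def run_scenario():
    """Two servers with capacity 2 and a 60 s reservation interval."""
    a = AuthenticationServer("srv-a", 60.0, 2, CREDENTIALS)
    b = AuthenticationServer("srv-b", 60.0, 2, CREDENTIALS)
    nas = NetworkAccessServer([a, b])
    trace = [(t, c, nas.authenticate(c, s, t)) for t, c, s in REQUESTS]
    return trace, nas.stored_list


if __name__ == "__main__":
    for t, client, server in run_scenario()[0]:
        print(f"t={t:>3}  {client} -> {server}")
```

Running it shows the reconnect burst spread across both servers, reserved clients sticking to their server, and the reservations withdrawn once the interval has lapsed.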


Embodiments of the present invention have the advantage of assuring quality of service to the clients even when networks face the problem of DOS attacks. The reservation of service mechanism implemented in the present invention allows a dynamic allocation of authentication servers to respond to the authentication requests for the clients, thereby authenticating their reserved clients.


Although the invention has been discussed with respect to specific embodiments thereof, these embodiments are merely illustrative, and not restrictive, of the invention. For example, a ‘method for continuously serving authentication requests’ can include any type of analysis, manual or automatic, to anticipate the needs of the method.


Although specific protocols have been used to describe embodiments, other embodiments can use other transmission protocols or standards. Use of the terms ‘peer’, ‘client’, and ‘server’ can include any type of device, operation, or other process. The present invention can operate between any two processes or entities including users, devices, functional systems, or combinations of hardware and software. Peer-to-peer networks and any other networks or systems where the roles of client and server are switched, change dynamically, or are not even present, are within the scope of the invention.


Any suitable programming language can be used to implement the routines of the present invention including C, C++, Java, assembly language, etc. Different programming techniques such as procedural or object oriented can be employed. The routines can execute on a single processing device or multiple processors. Although the steps, operations, or computations may be presented in a specific order, this order may be changed in different embodiments. In some embodiments, multiple steps shown sequentially in this specification can be performed at the same time. The sequence of operations described herein can be interrupted, suspended, or otherwise controlled by another process, such as an operating system, kernel, etc. The routines can operate in an operating system environment or as stand-alone routines occupying all, or a substantial part, of the system processing.


In the description herein for embodiments of the present invention, numerous specific details are provided, such as examples of components and/or methods, to provide a thorough understanding of embodiments of the present invention. One skilled in the relevant art will recognize, however, that an embodiment of the invention can be practiced without one or more of the specific details, or with other apparatus, systems, assemblies, methods, components, materials, parts, and/or the like. In other instances, well-known structures, materials, or operations are not specifically shown or described in detail to avoid obscuring aspects of embodiments of the present invention.


Also in the description herein for embodiments of the present invention, a portion of the disclosure recited in the specification contains material, which is subject to copyright protection. Computer program source code, object code, instructions, text or other functional information that is executable by a machine may be included in an appendix, tables, figures or in other forms. The copyright owner has no objection to the facsimile reproduction of the specification as filed in the Patent and Trademark Office. Otherwise all copyright rights are reserved.


A ‘computer’ for purposes of embodiments of the present invention may include any processor-containing device, such as a mainframe computer, personal computer, laptop, notebook, microcomputer, server, personal data manager or ‘PIM’ (also referred to as a personal information manager), smart cellular or other phone, so-called smart card, set-top box, or any of the like. A ‘computer program’ may include any suitable locally or remotely executable program or sequence of coded instructions, which are to be inserted into a computer, well known to those skilled in the art. Stated more specifically, a computer program includes an organized list of instructions that, when executed, causes the computer to behave in a predetermined manner. A computer program contains a list of ingredients (called variables) and a list of directions (called statements) that tell the computer what to do with the variables. The variables may represent numeric data, text, audio or graphical images. If a computer is employed for presenting media via a suitable directly or indirectly coupled input/output (I/O) device, the computer would have suitable instructions for allowing a user to input or output (e.g., present) program code and/or data information respectively in accordance with the embodiments of the present invention.


A ‘computer readable medium’ for purposes of embodiments of the present invention may be any medium that can contain, store, communicate, propagate, or transport the computer program for use by or in connection with the instruction execution system apparatus, system or device. The computer readable medium can be, by way of example only but not by limitation, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, system, device, propagation medium, or computer memory.


Reference throughout this specification to “one embodiment”, “an embodiment”, or “a specific embodiment” means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention and not necessarily in all embodiments. Thus, respective appearances of the phrases “in one embodiment”, “in an embodiment”, or “in a specific embodiment” in various places throughout this specification are not necessarily referring to the same embodiment. Furthermore, the particular features, structures, or characteristics of any specific embodiment of the present invention may be combined in any suitable manner with one or more other embodiments. It is to be understood that other variations and modifications of the embodiments of the present invention described and illustrated herein are possible in light of the teachings herein and are to be considered as part of the spirit and scope of the present invention.


Further, at least some of the components of an embodiment of the invention may be implemented by using a programmed general-purpose digital computer, by using application specific integrated circuits, programmable logic devices, or field programmable gate arrays, or by using a network of interconnected components and circuits. Connections may be wired, wireless, by modem, and the like.


It will also be appreciated that one or more of the elements depicted in the drawings/figures can also be implemented in a more separated or integrated manner, or even removed or rendered as inoperable in certain cases, as is useful in accordance with a particular application.


Additionally, any signal arrows in the drawings/figures should be considered only as exemplary, and not limiting, unless otherwise specifically noted. Combinations of components or steps will also be considered as being noted, where the terminology is foreseen as rendering the ability to separate or combine unclear.


As used in the description herein and throughout the claims that follow, “a”, “an”, and “the” include plural references unless the context clearly dictates otherwise. Also, as used in the description herein and throughout the claims that follow, the meaning of “in” includes “in” and “on” unless the context clearly dictates otherwise.


The foregoing description of illustrated embodiments of the present invention, including what is described in the abstract, is not intended to be exhaustive or to limit the invention to the precise forms disclosed herein. While specific embodiments of, and examples for, the invention are described herein for illustrative purposes only, various equivalent modifications are possible within the spirit and scope of the present invention, as those skilled in the relevant art will recognize and appreciate. As indicated, these modifications may be made to the present invention in light of the foregoing description of illustrated embodiments of the present invention and are to be included within the spirit and scope of the present invention.


Thus, while the present invention has been described herein with reference to particular embodiments thereof, a latitude of modification, various changes and substitutions are intended in the foregoing disclosures, and it will be appreciated that in some instances some features of embodiments of the invention will be employed without a corresponding use of other features without departing from the scope and spirit of the invention as set forth. Therefore, many modifications may be made to adapt a particular situation or material to the essential scope and spirit of the present invention. It is intended that the invention not be limited to the particular terms used in following claims and/or to the particular embodiment disclosed as the best mode contemplated for carrying out this invention, but that the invention will include any and all embodiments and equivalents falling within the scope of the appended claims.

Claims
  • 1. A method for continuously serving one or more authentication requests for a plurality of clients in a network, the method comprising receiving an authentication request for authenticating a client, the client being one of the plurality of clients; and reserving a service for the received authentication request, the reservation ensuring continuous service of the authentication request.
  • 2. The method of claim 1, wherein the reserving the service comprises serving the authentication request for a predefined time interval, the predefined time interval being a time interval during which the service for the authentication request is reserved for the client, the client being a reserved client, wherein the reserved client sends one or more authentication requests during the entire predefined time interval.
  • 3. The method of claim 2 further comprising withdrawing the service for the authentication request that is reserved for the reserved client if the reserved client does not send the one or more authentication requests continuously during the entire predefined time interval.
  • 4. The method of claim 1 further comprising forwarding a list, the list comprising one or more reserved clients being served at each of a plurality of authentication servers, the one or more reserved clients being the clients for which the service for the authentication requests is reserved, the list being forwarded to a plurality of network access servers.
  • 5. The method of claim 4, wherein the list further comprises the number of the plurality of authentication servers.
  • 6. The method of claim 1 further comprising forwarding a list to a plurality of authentication servers, the list containing the number of a plurality of network access servers.
  • 7. A method for continuously serving one or more authentication requests for a plurality of clients in a network, the method comprising forwarding an authentication request for a client, the client being one of the plurality of clients, the authentication request being forwarded to an authentication server, the authentication server being one of a plurality of authentication servers in the network, the authentication server reserving a first service for the authentication request; receiving a list from the authentication server in response to the authentication request, the list comprising information relating to the plurality of authentication servers, the information including a number of services reserved by the plurality of authentication servers; and forwarding one or more authentication requests for remaining clients to one of the plurality of authentication servers, the remaining clients being the plurality of clients excluding the client, the forwarding being performed according to the list.
  • 8. The method of claim 7, wherein the forwarding the one or more authentication requests comprises forwarding the one or more authentication requests for the remaining clients to the authentication server if the authentication server is capable of reserving a second service; and forwarding the one or more authentication requests for the remaining clients to one of a plurality of remaining authentication servers if the authentication server is not capable of reserving a second service, the plurality of remaining authentication servers being the plurality of authentication servers excluding the authentication server, the one of the plurality of remaining authentication servers serving the minimum number of authentication requests according to the list.
  • 9. A system for continuously serving one or more authentication requests for a plurality of clients in a network, the system comprising a means for receiving an authentication request; and a means for reserving a service for the received authentication request.
  • 10. A system for continuously serving one or more authentication requests for a plurality of clients in a network, the system comprising a transceiver module for receiving an authentication request; and a reservation module for reserving a service for the received authentication request.
  • 11. The system of claim 10, wherein the reservation module comprises a serving module for serving the authentication request for a predefined time interval; and a processing module for forwarding one or more lists, the lists being forwarded to a plurality of network access servers and to a plurality of authentication servers.
  • 12. The system of claim 11, wherein the processing module comprises a storage module for storing the one or more lists; a checking module for checking one or more authentication servers and one or more network access servers in the network; an updating module for updating stored lists; and a transmitting module for transmitting the updated lists.
  • 13. A system for continuously serving one or more authentication requests for a plurality of clients in a network, the system comprising a transceiver module for forwarding the one or more authentication requests, the transceiver module also receiving a list in response to the forwarded one or more authentication requests; a storage module for storing the received list; and a decision module for deciding which client is a reserved client of an authentication server, the decision module also deciding which authentication server is serving the least number of authentication requests.
  • 14. A machine-readable medium including instructions executable by the processor comprising one or more instructions for receiving an authentication request for authenticating a client, the client being one of the plurality of clients; and one or more instructions for reserving a service for the received authentication request, the reservation ensuring continuous service of the authentication request.
  • 15. An apparatus for allocating a resource in a digital network, the apparatus comprising a processor for executing instructions; and a machine readable medium including instructions executable by the processor comprising one or more instructions for receiving an authentication request for authenticating a client, the client being one of the plurality of clients; and one or more instructions for reserving a service for the received authentication request, the reservation ensuring continuous service of the authentication request.