As briefly described above, application and/or network access device level policies may be used to provide users with greater flexibility and security in network access. In the following detailed description, references are made to the accompanying drawings that form a part hereof, and in which are shown by way of illustrations specific embodiments or examples. These aspects may be combined, other aspects may be utilized, and structural changes may be made without departing from the spirit or scope of the present disclosure. The following detailed description is therefore not to be taken in a limiting sense, and the scope of the present invention is defined by the appended claims and their equivalents.
While the embodiments will be described in the general context of program modules that execute in conjunction with an application program that runs on an operating system on a personal computer, those skilled in the art will recognize that aspects may also be implemented in combination with other program modules.
Generally, program modules include routines, programs, components, data structures, and other types of structures that perform particular tasks or implement particular abstract data types. Moreover, those skilled in the art will appreciate that embodiments may be practiced with other computer system configurations, including hand-held devices, multiprocessor systems, microprocessor-based or programmable consumer electronics, minicomputers, mainframe computers, and the like. Embodiments may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.
Embodiments may be implemented as a computer process (method), a computing system, or as an article of manufacture, such as a computer program product or computer readable media. The computer program product may be a computer storage media readable by a computer system and encoding a computer program of instructions for executing a computer process. The computer program product may also be a propagated signal on a carrier readable by a computing system and encoding a computer program of instructions for executing a computer process.
In a typical operation, user 102 requests access from NAS 104, which in turn forwards the request to an AAA server such as an Internet Access Service (IAS) server 106. The servers communicate through an authentication protocol (e.g. Extensible Authentication Protocol). IAS server 106 may include policy engine 108, which determines one or more applicable policies associated with parameters of the request (user, communication type, requested resource, etc.). Policy engine 108 may retrieve the applicable policy(ies) from policy database 112 for authentication purposes. If the policy engine determines compliance with the applicable policy(ies), IAS server 106 provides an acknowledgement to NAS 104, which in turn facilitates access to the requested network resource (e.g. access to Internet 110) for user 102.
According to some embodiments, policies in policy database 112 may include isolated policies at application and/or network device level. Implementing application level policies instead of user or machine level policies enables a user to obtain access based on different policies for each application. For example, financial transaction applications, such as online banking, may be subject to a higher level of security policies. On the other hand, simpler browsing applications may be subject to lower level security policies. Similarly, the policies may be categorized or isolated based on network access device types. For example, wireless access devices may be subjected to higher level security policies because of concerns about unauthorized use. The policies may also consider a capacity of the network access device setting different rules for dial-up network access devices compared to higher speed DSL or cable type network access devices.
Because the policies may be customized for applications and/or network access devices, not only authentication but also authorization and accounting operations for the network access may be performed based on the isolated policies.
In a policy creation operation, a user or a network administrator 214 may provide the new isolated policies, modify or remove existing ones using an adaptive UI. The policy management UI may allow access to policies stored in policy database 212 based on the credentials of user or network administrator 214. For example, a user may be associated with a subset of policies applicable to a number of applications related to the user. The adaptive UI may allow access only to that subset of policies based on the user's credentials, while a network administrator may have access to modify all policies stored in policy database 212. User or network administrator 214 may perform the changes through policy engine 208. In other embodiments, the UI for making changes to policy database 212 may be managed by another module or application.
In a use scenario, user 202 submits his/her request for access to NAS 204, which initiates the authentication protocol with an AAA server including policy engine 208. The request may include access to a network or access to a specific network resource (e.g. a data store, an output device, a network application, and the like). Policy engine 208 determines the applicable policy linked to the application or network access device associated with the request, and retrieves the policy from policy database 212. Once the user's compliance with the applicable policy is confirmed, NAS 204 may provide the requested access to user 202.
The architectures discussed in
A first part of the interactions, shown above the dashed line, illustrate an example of generating new application and/or network access device level policies. User 302 initiates the process by reporting to NAS 304 that a new application or network access device is to be added with isolated policies. In response to this request, NAS 304 may submit a new policy associated with the new application or network access device to IAS server 306. In other embodiments, NAS 304 may request that a new policy be created for the new application or network access device.
According to some embodiments, the application(s) and/or network access device(s) may be indicated with an integer value assigned to a network access server type attribute. This attribute may be provided to the IAS server in a policy tag as part of a packet in network communication protocol. For example, an anywhere access gateway may be assigned “1”, a remote access virtual private network (VPN) application may be assigned “2”, a DHCP network device may be assigned “3”, a wireless access device may be assigned “4”, and the like. Of course, the indicators and their conveyance to the IAS server may be implemented in many other ways using the principles described herein.
Upon receiving the submitted policy or creating a new policy in response to the request from NAS 304, IAS server 306 may store the new policy and its association with the new application or network access device in data store 312 for subsequent retrieval.
A second portion of the interactions, shown below the dashed line, illustrates an example of the use of isolated policies in access authentication, authorization, and accounting. The process begins with a request from user 302 for access to a network resource. The request is forwarded by NAS 304 to IAS server 306 in the form of an AAA request. The AAA request includes an indication of the application or network access device associated with the user's access request. The indication may include the policy tag with the network access server type attribute described previously. IAS server 306 determines one or more applicable policies and retrieves them from data store 312. Following the retrieval of the policies, an authentication process may ensue depending on which protocol is used. Examples of authentication protocols are provided below in conjunction with
Once compliance with the policy(ies) is confirmed, IAS server 306 may provide authentication to NAS 304. A similar process may be followed for authorization. In response to receiving confirmation of the authentication (and authorization), NAS 304 may provide access to user 302 for the requested network resource. In some embodiments, IAS server 306 may also provide accounting services to NAS 304 or other designated servers. Such services may include collecting and providing information associated with user's access duration, type, and the like. The isolated policy(ies) associated with the application and/or network device may also be used for defining parameters of the accounting operations.
Referring now to the following figures, aspects and exemplary operating environments will be described.
Referring to
Network access server (NAS) 404 and IAS server 406 may also be one or more servers or programs on one or more server machines executing programs associated with network access tasks. Similarly, user database 412 may include one or more data stores, such as SQL servers, databases, non multi-dimensional data sources, file compilations, data cubes, and the like.
Network(s) 410 may include a secure network such as an enterprise network, an unsecure network such as a wireless open network, or the Internet. Network(s) 410 provide communication between the nodes described above. By way of example, and not limitation, network(s) 410 may include wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media.
To validate and provide dial-up and remote access networking, the Remote Authentication Dial-In User Service (RADIUS) industry standard was developed. A goal of the RADIUS standard is to ensure a secure authorization, identification, authentication, and accounting process for user accounts. According to a RADIUS compliant process, a client, typically a network access server used by a service provider, forwards user account information (e.g. username and password) to a RADIUS server. The RADIUS server authenticates the client request and validates the information submitted.
A specific example of a RADIUS server is the Internet Authentication Service (IAS), the RADIUS server provided with Microsoft Windows 2000®. IAS provides services for receiving individual connection requests, authenticating and authorizing the connection attempt, and then returning all the data necessary for the RADIUS client to service the end user. In an ISP network environment, a network access server (NAS) 404 usually works as a client of an IAS server 406. The NAS is responsible for passing the user information to clustered IAS servers and then forwarding the result to the end user. There is a wide variety of NAS types providing access to different systems and networks, including a dial-up endpoint providing access to client devices via dial-up connection, a VPN concentrator serving a virtual private network, a wireless base station providing network access via wireless connection, a router, and a number of other devices that provide network access.
Various authentication protocols may be supported by the IAS server. The protocol in use is determined by the settings of the NAS device. The authentication protocol has to be correctly configured to allow end user connectivity. Some example protocols are:
Password Authentication Protocol (PAP)—The PAP authentication protocol passes a password as a text string from the end user to the NAS. The NAS forwards the password to the IAS Server using the configured shared secret as an encryption key.
Shiva Password Authentication Protocol (SPAP)—This protocol is used by Shiva remote access devices. SPAP may be less secure than CHAP or MS-CHAP, but more secure than PAP.
Challenge Handshake Authentication Protocol (CHAP)—This protocol uses MD5 algorithms to encrypt the challenge and the user's password. CHAP is used by many dial-up environments.
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP®)—MS-CHAP is a version of CHAP that uses MD4 algorithms to encrypt the challenge and the user's password.
Extensible Authentication Protocol (EAP)—This protocol is an extension to Point-To-Point Protocol (PPP) that allows authentication methods to validate PPP connections. EAP is used in high-security environments. It supports user authentication through public key certificates and smart card logon.
IAS, implementing RADIUS protocol, extends the operating system's network authentication capabilities by making it possible to implement plug-in DLLs that provide enhanced session control and accounting.
In an operation, an authenticating client (“user”) connecting to NAS 404 over any connection (e.g. user 401 through dial-up, user 402 through wireless, user 403 through DSL, and the like) may use the Point-to-Point Protocol (PPP). In order to authenticate the user, the NAS contacts a remote server running IAS. The NAS 404 and the IAS server 406 may communicate using the RADIUS protocol.
A NAS operates as a client of a server or servers that support the RADIUS protocol. Servers that support the RADIUS protocol are generally referred to as the RADIUS servers (in this case IAS server 406). The RADIUS client, that is, the NAS 404, passes information about the user to designated RADIUS servers, and then acts on the response that the servers return. The request sent by the NAS to the RADIUS server in order to authenticate the user is generally called an “authentication request.”
If a RADIUS server authenticates the user successfully, the RADIUS server returns configuration information to the NAS so that it can provide network service to the user. This configuration information is composed of “authorizations.”
The RADIUS server may also collect a variety of information sent by the NAS that can be used for accounting and for reporting on network activity. The RADIUS client sends information to designated RADIUS servers when the user logs on and logs off. The RADIUS client may send additional usage information on a periodic basis while the session is in progress. The requests sent by the client to the server to record logon/logoff and usage information are generally called “accounting requests.”
While the RADIUS server is processing the authentication request, it can perform authorization functions such as verifying the user's telephone number and checking whether the user already has a session in progress. The RADIUS server can determine whether the user already has a session in progress by contacting a state server. A RADIUS server can act as a proxy client to other RADIUS servers. In these cases, the RADIUS server contacted by the NAS passes the authentication request to another RADIUS server that actually performs the authentication. In a conventional system, the authentication and authorization are limited to the user as the registered person or the machine utilized by the user. Furthermore, the system typically includes a general policy engine that authenticates and authorizes a request without providing a way to isolate a policy to an application. Thus, there is no policy isolation mechanism whereby a policy can be associated with an application or a network access device.
In a system according to embodiments, however, application and/or network access device level isolated policies may be implemented to provide the users greater freedom and flexibility as well as security to networked applications. As described above, specific applications or network access devices may be designated as an attribute value in a policy tag included in packets submitted to IAS server 406, which uses this information to retrieve application or network access device specific policies from user database 412 and perform AAA operation based on these isolated policies.
Many other configurations of computing devices, applications, data sources, data distribution and analysis systems may be employed to implement a network access management system with isolated policies.
In
User 503 is associated with application 3 (526), which is further associated with three other computing devices: server 528, computing device 530, and computing device 532. For example, application 3 may be a back-up application that coordinates data backup operations for the three listed devices. In this scenario, user database 512 may include multiple sets of policies based on application 3. For example, one policy may be based on application 3 being authenticated without any of the computing devices 528, 530, and 532. Another policy may be based on application 3 and any combination of its associated computing devices, because any one of these devices may gain access to the same resource as user 503 through application 3 (526).
The networked environments discussed in
With reference to
Policy engine 608 may work in a coordinated manner as part of a network AAA system in managing isolated policies. As described previously in more detail, policy engine 608 may determine compliance of an access request with predetermined policies at application and/or network access device level. Policy engine 608 may be an integrated part of an Internet access service or operate remotely and communicate with the IAS and with other applications running on computing device 600 or on other devices. Furthermore, policy engine 608 may be executed in an operating system other than operating system 645. This basic configuration is illustrated in
The computing device 600 may have additional features or functionality. For example, the computing device 600 may also include additional data storage devices (removable and/or non-removable) such as, for example, magnetic disks, optical disks, or tape. Such additional storage is illustrated in
The computing device 600 may also contain communication connections 656 that allow the device to communicate with other computing devices 658, such as over a network in a distributed computing environment, for example, an intranet or the Internet. Communication connection 656 may enable policy engine 608 to communicate with policy database 612, store and retrieve categorized policies at application and/or network access device level. Communication connection 656 is one example of communication media. Communication media may typically be embodied by computer readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and includes any information delivery media. The term “modulated data signal” means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. The term computer readable media as used herein includes both storage media and communication media.
The claimed subject matter also includes methods. These methods can be implemented in any number of ways, including the structures described in this document. One such way is by machine operations, of devices of the type described in this document.
Another optional way is for one or more of the individual operations of the methods to be performed in conjunction with one or more human operators performing some of them. These human operators need not be collocated with each other, but each can be with only a machine that performs a portion of the program.
Process 700 begins with operation 702, where an AAA request is received from a NAS. The request may include, in the form of a network access server type attribute, an indication of the application or network access device for which isolated policies are to be applied. Processing advances from operation 702 to operation 704.
At operation 704, one or more applicable policies are determined. As mentioned above the policies may be determined based on the attribute associated with the application and/or network access device provided in a policy tag. If no indication is provided or the attribute cannot be resolved by the policy engine, a set of default policies may be applied. Processing proceeds from operation 704 to decision operation 706.
At decision operation 706, a determination is made whether the request is valid, in other words, whether the request complies with the applicable policies. If the request is invalid, a rejection of the authentication request may be provided to the requesting NAS (e.g. a NACK message) at the following operation 708. If compliance is determined, processing moves from decision operation 706 to operation 710.
At operation 710, the requesting NAS is notified of the authentication (e.g. ACK message). The authentication response may also include authorization. Because the request and applied policies are based on a specific application(s) or network access device(s), the authentication is also specific to the same specific application(s) or network access device(s). Processing advances from operation 710 to operation 712.
At operation 712, the IAS server that includes the policy engine may provide accounting services for the authenticated user access. Information associated with the accounting operations may be provided to the requesting NAS or another server or application. After operation 712, processing moves to a calling process for further actions.
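The following is an added example, not code from the patent, that puts the policy tag of the earlier description and operations 702 through 712 of process 700 together: the NAS type is carried as a TLV attribute with an integer value, the policy engine resolves it to an isolated policy (falling back to a default policy when the tag is missing, malformed or unknown), checks compliance, and answers ACK or NACK with accounting parameters. The NAS type codes follow the illustrative mapping in the text; the attribute number, the policy contents and the request fields are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Illustrative NAS type codes from the description (1..4); others are unknown.
NAS_TYPES = {1: "anywhere_access_gateway", 2: "remote_access_vpn",
             3: "dhcp", 4: "wireless"}

# Constructed attribute number for the "network access server type" policy
# tag; the patent does not fix one, so this value is an assumption.
ATTR_NAS_TYPE = 200


def encode_nas_type(code: int) -> bytes:
    """RADIUS-style TLV: type (1 byte), length (1 byte), 4-byte integer value."""
    return struct.pack("!BBI", ATTR_NAS_TYPE, 6, code)


def decode_attributes(payload: bytes) -> dict:
    """Parse TLV attributes; a bad length stops parsing instead of over-reading."""
    attrs, i = {}, 0
    while i + 2 <= len(payload):
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            break
        attrs[attr_type] = payload[i + 2:i + length]
        i += length
    return attrs


@dataclass(frozen=True)
class Policy:
    name: str
    allowed_methods: frozenset      # authentication protocols the policy accepts
    require_certificate: bool = False
    max_session_minutes: int = 0    # accounting parameter; 0 means unlimited


# Constructed isolated policies per NAS type, plus the default set (operation 704).
DEFAULT_POLICY = Policy("default", frozenset({"MS-CHAP", "EAP"}))
POLICY_DB = {
    "anywhere_access_gateway": Policy("gateway", frozenset({"EAP"}), True, 480),
    "remote_access_vpn": Policy("vpn", frozenset({"EAP"}), True, 480),
    "dhcp": Policy("dhcp", frozenset({"CHAP", "MS-CHAP", "EAP"}), False, 0),
    "wireless": Policy("wireless", frozenset({"EAP"}), True, 120),
}


def select_policy(attrs: dict) -> Policy:
    """Operation 704: resolve the tag to an isolated policy, else the default."""
    raw = attrs.get(ATTR_NAS_TYPE)
    if raw is None or len(raw) != 4:
        return DEFAULT_POLICY
    code = struct.unpack("!I", raw)[0]
    return POLICY_DB.get(NAS_TYPES.get(code), DEFAULT_POLICY)


def evaluate_request(payload: bytes, method: str, has_certificate: bool) -> dict:
    """Operations 702-712: receive, select policy, decide, then ACK with
    accounting parameters or NACK."""
    policy = select_policy(decode_attributes(payload))
    compliant = (method in policy.allowed_methods
                 and (has_certificate or not policy.require_certificate))
    if not compliant:
        return {"result": "NACK", "policy": policy.name}
    return {"result": "ACK", "policy": policy.name,
            "accounting": {"max_session_minutes": policy.max_session_minutes}}
```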
The operations included in process 700 are for illustration purposes. Providing categorized policies at application and/or network access device level may be implemented by similar processes with fewer or additional steps, as well as in different order of operations using the principles described herein.
The above specification, examples and data provide a complete description of the manufacture and use of the composition of the embodiments. Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims and embodiments.