Integration of authentication authorization and accounting service and proxy service
A single database maintained centrally hosts both proxy service data and authentication, authorization and accounting (AAA) data. Data is then copied to storage used locally by each system when both systems are instantiated. Therefore the ISP/Telco need not maintain two different databases. A protocol gateway (PGW) is used to determine if the incoming user is a wholesale or retail user. The PGW filters the domain portion of the access request to locate a remote AAA service. If one such service is found, the PGW routes the communication via the proxy service to proxy it to the remote AAA service. The returned packet from the remote AAA service is then searched for an IP address to be assigned to the incoming user. If one is not found the PGW obtains a dynamically allocated IP address from a DHCP server (using an IP-Pool-ID if supplied in the returned packet from the remote AAA service). The same mechanism is used to forward accounting event packets from the NAS to the remote AAA server. The PGW may monitor more than one proxy and/or AAA service and load balance among them.
1. Field of the Invention
The present invention relates to the field of data communications networks. More particularly, this invention relates to a method and apparatus for unifying the operation of authentication, authorization and accounting services and proxy services in a data communications network.
2. The Background
ISPs (Internet Service Providers) and Telcos (telephone companies) typically offer wholesale internet access and retail internet access to their subscribers. Wholesale access is typically offered to subsidiary and specialized service providers, CLECs (Competitive Local Exchange Carriers), corporations, and Community of Interest (COI) providers. Naturally, the processing afforded customers of the wholesale variety differs from the processing afforded customers of the retail variety. Subscriber information for individual wholesale users is usually stored by those who lease data communications network access from the ISP or Telco. Hence, corporations, CLECs and COI providers do not normally share their user information with the wholesale providers. The ISP or Telco, however, typically also has its own retail subscribers whose user information is stored in its databases. Hence, the ISP or Telco must identify an incoming user as a wholesale user or a retail user and initiate different actions for an incoming user based upon this status.
See, for example,
Traditional wholesale ISPs and Roaming Service Providers offer network access through a technique called “Authentication proxying.” Proxying involves the transfer of the Authentication responsibility to the “owner” of the subscriber. Thus, if a corporation were to outsource its corporate intranet to an ISP, what it gives up is the maintenance of its dial-up servers (i.e., the NASes). It does not, however, normally want to give up the control or information of its employees. Hence, when a corporate user dials in to such an ISP's network access servers, the user essentially perceives that the user is dialing into a corporate facility when the user is actually dialing into the ISP's domain and then somehow gaining admittance to the corporation's intranet.
What really happens in that scenario is that the ISP determines that the user belongs to Corporation A (CorpA) by parsing either the fully qualified domain name (FQDN) supplied by the user, a DNIS ID, or some other mechanism. Having determined that the user trying to gain access belongs to CorpA, the ISP cannot really authenticate the user. As noted earlier, the user's record is still with the corporation. Hence, the ISP will “proxy” out the authentication transaction to the corporation. An AAA service within the corporation then identifies the user, verifies the password, and provisions the user. Then the AAA service notifies the ISP's proxy server that the user is acceptable and passes along provisioning details associated with the user (such as an IP address to use or a pool identification of an IP address pool from which an IP address needs to be allocated). The ISP then grants the user access to the network based upon the reply it gets back from the corporation. This technique is called “proxying.” This is shown in FIG. 2.
To be able to do this, the ISP maintains minimal information on its proxy server 14 at its PoP. Information such as supported domain names, the IP address to which the transaction is to be sent, the port number to which the transaction is to be addressed, etc. are stored (see FIG. 3).
For example, turning now to
When the subscriber is granted access, or leaves the network, the accounting transactions will now have to be shared with the wholesale customers of the ISP/Telco. That is, the ISP/Telco will keep a record with which to bill or otherwise account to CorpA for services rendered and the record will also need to be sent to CorpA's AAA. Typically, the wholesale provider (e.g., the ISP) will use a roaming service product such as the Global Roaming Server™ (GRS), a product of Cisco Systems, Inc. of San Jose, Calif., to achieve this objective. In the retail case, the ISP/Telco will use a product like Cisco Secure™, a product of Cisco Systems, Inc., to act as an authentication, authorization and accounting (AAA) service to authenticate and authorize the user. This approach, however, poses some problems for the ISP/Telco.
The ISP/Telco needs to maintain two different sets of NASes as diagrammed in
Accordingly, it would be desirable to provide a capability for allowing ISPs and Telcos to seamlessly offer wholesale and retail data communications network access, unify the disparate systems that specialize in these access control segments and scale both systems to simultaneously reside on a plurality of PoPs while behaving in a distributed manner within the data communications network.
SUMMARY OF THE INVENTION
A single database maintained centrally hosts both proxy service data and authentication, authorization and accounting (AAA) data. Data is then copied to storage used locally by each system when both systems are instantiated. Therefore the ISP/Telco need not maintain two different databases. A protocol gateway (PGW) is used to determine if the incoming user is a wholesale or retail user. The PGW filters the domain portion of the access request to locate a remote AAA service. If one such service is found, the PGW routes the communication via the GRS to proxy it to the remote AAA service. The returned packet from the remote AAA service is then searched for an IP address to be assigned to the incoming user. If one is not found the PGW obtains a dynamically allocated IP address from a DHCP server (using an IP-Pool-ID if supplied in the returned packet from the remote AAA service). The same mechanism is used to forward accounting event packets from the NAS to the remote AAA service. The PGW may monitor more than one proxy service and/or AAA service and load balance among them.
Those of ordinary skill in the art will realize that the following description of the present invention is illustrative only and not in any way limiting. Other embodiments of the invention will readily suggest themselves to such skilled persons after a perusal of the within disclosure.
In accordance with a presently preferred embodiment of the present invention, the components, processes and/or data structures are implemented using a gateway device and other services implemented using C++ programs running on an Enterprise 2000™ server running Sun Solaris™ as its operating system. The Enterprise 2000™ server and Sun Solaris™ operating system are products available from Sun Microsystems, Inc. of Mountain View, Calif. Different implementations may be used and may include other types of operating systems, computing platforms, computer programs, firmware and/or general purpose machines. In addition, those of ordinary skill in the art will readily recognize that devices of a less general purpose nature, such as hardwired devices, devices relying on FPGA (field programmable gate array) or ASIC (Application Specific Integrated Circuit) technology, or the like, may also be used without departing from the scope and spirit of the inventive concepts disclosed herein.
The protocol gateway (PGW or gateway) is a device which couples the user via a network access server (NAS) to the data communications network. The term gateway is not meant to be limited to a single type of device, as any device, hardware or software, that may act as a bridge between the user and the network may be considered a gateway for the purposes of this application. In accordance with a presently preferred embodiment of the present invention, the PGW is a software service operating on a general purpose computer running the User Control Point (UCP) software package available from Cisco Systems, Inc. of San Jose, Calif.
The authentication, authorization and accounting (AAA) service performs user authentication, user authorization and user accounting functions. It may be a Cisco ACS™ product such as Cisco Secure™, available from Cisco Systems, Inc. of San Jose, Calif., or an equivalent product. In accordance with a presently preferred embodiment of the present invention, the Remote Authentication Dial-In User Service (RADIUS) protocol is used as the communication protocol between the gateway and the AAA and GRS proxy services. RADIUS is an Internet standard track protocol for carrying authentication, authorization, accounting and configuration information between devices that desire to authenticate their links and a shared AAA or GRS service. Those of ordinary skill in the art will now realize that systems, methods and apparatuses may employ other Internet protocols, such as TACACS+, as acceptable authentication communications links between the various communications devices that make up the data communications network and still be within the inventive concepts disclosed herein. The global roaming service (GRS) is also an AAA service which is capable of proxying transactions to remote AAA services. It also preferably uses the RADIUS protocol or an equivalent.
One way in which the present invention may come into use involves the concept of roaming users. A roaming user is, for example, a traveling person with a laptop. If the person wants to reach a corporate intranet or local ISP, he or she can (1) dial the number of the home PoP (point of presence) and incur potentially large telephone bills; (2) dial a “toll free” number such as an 800 number which can also be expensive—to the provider; or (3) use a global roaming server model. In the global roaming server model, ISPs with PoPs in different locations make cross-agreements with one another so as to provide local telephone access numbers to ISPs without any other (or a sufficient) presence in a location. To the user, it appears that his ISP has PoPs everywhere that there is a roaming agreement in place with a cooperating ISP.
A global roaming service (“GRS”) at a PoP can parse the fully qualified domain name (“FQDN”) of the user (e.g., joe@ISPA.NET) and determine that Joe belongs to ISPA.NET. The GRS can then send an authentication request to ISPA.NET's AAA server to authenticate and authorize Joe in a conventional manner. Accounting event information, e.g., accounting start packets associated with log-in and accounting stop packets associated with log-out, is sent both to the GRS at the local PoP and to ISPA.NET's AAA server to enable the local PoP to account for use by Joe at the local PoP and so bill ISPA.NET, if desired, and to allow ISPA.NET to bill Joe, if desired. It also provides a mechanism for tracking this type of usage which can serve a number of purposes.
GRSes have their own associated databases which keep lists of remote AAAs, their IP addresses, their port numbers and their associated domain names.
To render the roaming model more tenable to the myriad ISPs and Telcos which might see fit to enter into these cross-agreements and thus make roaming easier for the end users, the process must be simplified and made scalable. Under the prior model, as shown in
The database 18 and access database adapter 20 can run on the same host 14 as the NCC 12, as depicted in
The information bus 22 that serves as the transportation medium for the presently preferred embodiment of the present invention can be Common Object Request Broker Architecture (CORBA)-based. The CORBA-based information bus is capable of handling the communication of events to and from objects in a distributed, multi-platform environment. The concept of a CORBA-based information bus is well known by those of ordinary skill in the art. Other acceptable communication languages can be used as are also known by those of ordinary skill in the art.
CORBA provides a standard way of executing program modules in a distributed environment. A broker 24, therefore, may be incorporated into an Object Request Broker (ORB) within a CORBA compliant network. To make a request of an ORB, a client may use a dynamic invocation interface (which is a standard interface which is independent of the target object's interface) or an Object Management Group Interface Definition Language (OMG IDL) stub (the specific stub depending on the interface of the target object). For some functions, the client may also directly interact with the ORB. The object is then invoked. When an invocation occurs, the ORB core arranges so a call is made to the appropriate method of the implementation. A parameter to that method specifies the object being invoked, which the method can use to locate the data for the object. When the method is complete, it returns, causing output parameters or exception results to be transmitted back to the client.
In accordance with a presently preferred embodiment of the present invention an Enterprise Application Integration (EAI) system is used to broker the flow of information between the various services and adapters comprising the data network management system of the present invention. An example of an EAI system that can be incorporated in the presently preferred invention is the ActiveWorks Integration System, available from Active Software of Santa Clara, Calif. As shown in
Referring back to
By way of example, the node 34 of
The protocol gateway service 30a is used to couple the network user to the data communication network. The protocol gateway service 30a functions as an interface to the NASes that allows access requests received from a user to be serviced using components that may communicate using different protocols. A typical protocol gateway service 30a may be able to support different user access methodologies, such as dial-up, frame relay, leased lines, ATM (Asynchronous Transfer Mode), ADSL (Asymmetric Digital Subscriber Line) and the like. Used in conjunction with the protocol gateway service 30a, the AAA service 30c performs user authentication, authorization and accounting functions. The AAA service 30c stores user profile information and tracks user usage. The profile information stored in the AAA service 30c is proxied to the protocol gateway service 30a when a network user desires network access.
The DNS service 30e is used to return Internet protocol (IP) addresses in response to domain names received, for example, from a protocol gateway service 30a. For example, if the DNS service 30e receives a domain name query from the protocol gateway service 30a, it has the capability to locate the associated numerical IP address from within the memory of the DNS service (or another DNS service) and return this numerical IP address to the protocol gateway service 30a.
The DHCP service 30d is used as a dynamic way of assigning IP addresses to the network users as well known to those of ordinary skill in the art.
Each of these services 30a, 30b, 30c, 30d, 30e is in communication with a corresponding service adapter 28a, 28b, 28c, 28d, 28e. The service adapter subscribes to and publishes various events on the information bus 22. The service adapter is configured so that it subscribes to events published by the access database adapter 20 of the NCC 12. The service adapter also publishes events to the access database adapter 20 of the NCC 12.
The following is an exemplary listing and definition of some of the events published by and subscribed to by the access database adapter and the service adapters which are pertinent to this invention. This listing is by way of example and is not intended to be exhaustive or limiting in any way. Other events are possible and can be used in this invention without departing from the inventive concepts herein disclosed.
The NCC 12 publishes “configure” events to the service adapters 28a, 28b, 28c, 28d, 28e. Configure events are published to configure the service adapters upon initial start up of the service adapters or to modify a preexisting configuration. A configure event can be delivered to a service adapter directly from the access database adapter 20 at the NCC 12. The service adapters update their corresponding configuration files upon receiving a configure event. An example of the information contained within a configure event includes the GUID (global unique identifier) of the publisher, the GUID of the subscriber, listening port configuration, sink port configuration, protocol handler information, engine data and facility data.
The NCC 12 publishes “start” events that are subscribed to by a control adapter such as control adapter 29 associated with a host computer at a node to cause the control adapter to start up one or more specific services. Since the control adapter is always responsible for starting a service, the start events are always subscribed to by the control adapters as opposed to the service adapters. An example of the information contained within a start event includes the GUID of the publisher, the GUID of the subscribing control adapter, the GUID of the service to be started, the service name and the absolute path where the service binary resides. The access database adapter 20 of the NCC 12 also publishes “stop” events that are subscribed to by the control adapter to cause the control adapter to shut down a specific service or multiple services. Since the control adapter is always responsible for stopping a service, the stop events are always subscribed to by the control adapter as opposed to the service adapters. Once the control adapter receives the stop event, it publishes a stop event to the service adapter of the corresponding service. The control adapter allows the service sufficient time to shut down. If the service does not respond to the stop event and continues running, the control adapter can explicitly kill the service based on the process ID found in the configuration file. An example of information contained within a stop event includes the GUID of the publisher, the GUID of the subscribing control adapter, the GUID of the service to be stopped and the name of the service to be stopped.
Other events may be published and subscribed to.
The configure event is used to publish the current contents of a master database relevant to GRS and AAA services at the various nodes of the data communications network. Thus the master database may be maintained and serviced at the NOC or some other convenient facility and the AAA services and GRS services updated with information automatically without the need to manually update their separate databases.
The PGW is used as a protocol gateway between the NASes and the AAA and GRS services. The PGW parses the FQDN of incoming users and sends access requests from local users to the local AAA and access requests for roaming users to the GRS. The GRS, in turn, forwards the access requests to the remote AAA belonging to the user's provider in accordance with the conventional proxy model.
The PGW has the ability to load balance by monitoring the condition and response times of its respective GRS services and AAA services. Thus, if one such service is particularly loaded, incoming calls may be directed to other services. If one such server has crashed or becomes non-responsive, it may be bypassed. In the present configurations where NASes are directly connected to a GRS and/or an AAA service, a dead service can result in the NASes connected to the dead service becoming non-responsive. This condition is avoided by using the PGW as a front end to the GRS and AAA service.
In accordance with the present invention IP addresses may be assigned to incoming users in a number of ways. For users having permanently or otherwise allocated IP addresses reflected in their user service profiles in their respective AAA services, they will receive that address. This is done by returning the IP address in the access-accept packet ultimately returned to the NAS via the PGW.
For users of the local ISP who do not have pre-allocated IP addresses, a DHCP (Dynamic Host Configuration Protocol) service such as one running in a host at the PoP will provide a DHCP IP address from a pool of such addresses assigned to the ISP.
For wholesale users, an IP address may be returned from a DHCP service running remotely at their provider, it may be assigned by the ISP as if the user were a retail user of the ISP, or a separate pool of IP addresses maintained locally at the ISP on behalf of the provider can be identified by the access-accept packet and an address selected therefrom by the local DHCP service.
Turning now to
At reference numeral 128 the protocol gateway load balances by distributing network access requests among the relevant services in a manner designed to more or less equally share the load. Any convenient mechanism may be used, such as a round-robin schedule or another conventional scheduling algorithm.
At reference numeral 130 the protocol gateway detects non-responsive services and bypasses them. An error condition event may also be published to allow other components of the data communications network to become aware of the failure.
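The following Python model is an added illustration of the PGW decision flow described above, not code from the patent or from any Cisco product: it parses the user's realm from the FQDN, round-robins across the local AAA or GRS proxy services while skipping ones marked non-responsive, looks up the remote AAA's address and port in the domain table, and derives the user's IP address from the returned packet with the DHCP/IP-Pool-ID fallback. Service names, addresses and the dictionary shape of the packets are constructed assumptions; Framed-IP-Address is the standard RADIUS attribute for a returned address, and IP-Pool-ID is the name used on this page.

```python
"""Added example: protocol gateway (PGW) decision logic, constructed for illustration."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Service:
    """A local AAA service or a GRS proxy service that the PGW fronts."""
    name: str
    host: str
    port: int
    healthy: bool = True  # set to False when the PGW detects no response


@dataclass
class Decision:
    target: str                               # "local-aaa" or "proxy"
    service: Service                          # service chosen by load balancing
    remote: Optional[Tuple[str, int]] = None  # remote AAA (host, port) when proxying


class ProtocolGateway:
    def __init__(self, local_domain, aaa_services, proxy_services, domain_table):
        self.local_domain = local_domain.lower()
        self.aaa_services = list(aaa_services)
        self.proxy_services = list(proxy_services)
        # domain -> (host, port) of the subscriber owner's AAA (the proxy database)
        self.domain_table = {d.lower(): v for d, v in domain_table.items()}
        self._aaa_next = 0
        self._proxy_next = 0

    @staticmethod
    def parse_domain(user_name: str) -> Optional[str]:
        """'joe@ISPA.NET' -> 'ispa.net'; a name with no realm is treated as local."""
        if "@" not in user_name:
            return None
        _, _, domain = user_name.rpartition("@")
        return domain.lower() or None

    @staticmethod
    def _pick(services, start):
        """Round-robin from `start`, bypassing services marked non-responsive."""
        n = len(services)
        for i in range(n):
            idx = (start + i) % n
            if services[idx].healthy:
                return services[idx], (idx + 1) % n
        raise RuntimeError("no responsive service available")

    def route(self, access_request: dict) -> Optional[Decision]:
        """Return where the Access-Request goes, or None when the domain is not in
        the table (the request is rejected rather than proxied to an unknown host)."""
        domain = self.parse_domain(access_request["User-Name"])
        if domain is None or domain == self.local_domain:
            svc, self._aaa_next = self._pick(self.aaa_services, self._aaa_next)
            return Decision("local-aaa", svc)
        entry = self.domain_table.get(domain)
        if entry is None:
            return None
        svc, self._proxy_next = self._pick(self.proxy_services, self._proxy_next)
        return Decision("proxy", svc, remote=entry)


class DhcpPools:
    """Stand-in for the local DHCP service: named pools of free addresses."""
    def __init__(self, pools):
        self.pools = {name: list(addrs) for name, addrs in pools.items()}

    def lease(self, pool_id: str) -> Optional[str]:
        free = self.pools.get(pool_id)
        return free.pop(0) if free else None


def assign_ip(access_accept: dict, dhcp: DhcpPools):
    """Search the returned packet for an address; otherwise lease one from DHCP,
    using the IP-Pool-ID if the remote AAA supplied one. Returns (addr, source);
    addr is None when the pool is exhausted, so the caller must reject access."""
    addr = access_accept.get("Framed-IP-Address")  # standard RADIUS attribute
    if addr:
        return addr, "aaa-assigned"
    pool = access_accept.get("IP-Pool-ID", "default")
    addr = dhcp.lease(pool)
    if addr is None:
        return None, "pool-exhausted:" + pool
    return addr, "dhcp:" + pool


if __name__ == "__main__":  # constructed demo using documentation address ranges
    pgw = ProtocolGateway("isp.net",
                          [Service("aaa1", "192.0.2.1", 1812), Service("aaa2", "192.0.2.2", 1812)],
                          [Service("grs1", "192.0.2.3", 1812)],
                          {"corpa.com": ("198.51.100.10", 1812)})
    for name in ("alice@isp.net", "bob", "carol@CorpA.com", "mallory@nowhere.example"):
        print(name, "->", pgw.route({"User-Name": name}))
```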
Turning finally to
Alternative Embodiments
While embodiments and applications of the invention have been shown and described, it would be apparent to those of ordinary skill in the art, after a perusal of the within disclosure, that many more modifications than mentioned above are possible without departing from the inventive concepts herein. The invention, therefore, is not to be restricted except in the spirit of the appended claims.
Claims
1. A method executing on a hardware computer for managing network access to a data communications network, said method comprising:
- maintaining a central database;
- maintaining at least one authentication, authorization and accounting (AAA) service at a point of presence (PoP) of the data communications network; and
- configuring a database associated with the AAA service from the central database, wherein said configuring includes publishing information from said central database on an information bus as at least one event, said AAA service subscribing to said event so as to receive said published information so as to thereby update its associated database;
- further comprising:
- receiving at a protocol gateway in the PoP a network access request from a user through a network access server (NAS);
- parsing the network access request for an identification of the user's domain;
- routing the network access request to the AAA service at the PoP if the user's domain corresponds to that of the PoP;
- looking up a domain identification entry corresponding to the user's domain in the AAA service's database if the user's domain does not correspond to that of the PoP;
- proxying the network access request to an AAA service in the user's domain at an address and port as specified in the domain identification entry of the database if the user's domain does not correspond to that of the PoP.
2. A method in accordance with claim 1, further comprising:
- receiving at a protocol gateway in the PoP a network access request from a user through a network access server (NAS);
- parsing the network access request for an identification of the user's domain;
- routing the network access request to the AAA service at the PoP if the user's domain corresponds to that of the PoP;
- looking up a domain identification entry corresponding to the user's domain in the AAA service's database if the user's domain does not correspond to that of the PoP;
- proxying the network access request to an AAA service in the user's domain at an address and port as specified in the domain identification entry of the database if the user's domain does not correspond to that of the PoP.
3. The method executing on the hardware computer in accordance with claim 1, further comprising:
- obtaining an IP address for the user from the AAA service in the user's domain if the user's domain does not correspond to that of the PoP.
4. The method executing on the hardware computer in accordance with claim 1, further comprising:
- assigning an IP address to the user from a local DHCP pool of IP addresses if the user's domain does not correspond to that of the PoP.
5. The method executing on the hardware computer in accordance with claim 1, further comprising:
- assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user's domain's AAA service if the user's domain does not correspond to that of the PoP.
6. A method executing on a hardware computer for managing network access to a data communications network, said method comprising:
- maintaining a central database;
- maintaining a plurality of authentication, authorization and accounting (AAA) services at a point of presence (PoP) of the data communication network; and
- configuring databases associated with the AAA services from the central database, wherein said configuring includes publishing information from said central database on an information bus as at least one event, said AAA services subscribing to said event so as to receive said published information so as to thereby update their associated databases;
- further comprising:
- receiving at a protocol gateway in the PoP a network access request from a user through a network access server (NAS);
- parsing the network access request for an identification of the user's domain;
- routing the network access request to one of said plurality of AAA services at the PoP if the user's domain corresponds to that of the PoP while load balancing among said plurality of AAA services;
- looking up a domain identification entry corresponding to the user's domain in one of said plurality of AAA service's databases if the user's domain does not correspond to that of the PoP;
- proxying the network access request to an AAA service in the user's domain at an address and port as specified in the domain identification entry of the database if the user's domain does not correspond to that of the PoP.
7. A method in accordance with claim 6, further comprising:
- receiving at a protocol gateway in the PoP a network access request from a user through a network access server (NAS);
- parsing the network access request for an identification of the user's domain;
- routing the network access request to one of said plurality of AAA services at the PoP if the user's domain corresponds to that of the PoP while load balancing among said plurality of AAA services;
- looking up a domain identification entry corresponding to the user's domain in one of said plurality of AAA service's databases if the user's domain does not correspond to that of the PoP;
- proxying the network access request to an AAA service in the user's domain at an address and port as specified in the domain identification entry of the database if the user's domain does not correspond to that of the PoP.
8. The method executing on the hardware computer in accordance with claim 6, further comprising:
- obtaining an IP address for the user from the AAA service in the user's domain if the user's domain does not correspond to that of the PoP.
9. The method executing on the hardware computer in accordance with claim 6, further comprising:
- assigning an IP address to the user from a local DHCP pool of IP addresses if the user's domain does not correspond to that of the PoP.
10. The method executing on the hardware computer in accordance with claim 6, further comprising:
- assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user's domain's AAA service if the user's domain does not correspond to that of the PoP.
11. A method executing on a hardware computer for managing network access to a data communications network, said method comprising:
- maintaining a central database, said central database containing access information for authentication, authorization and accounting services associated with domains of the data communications network;
- maintaining at a point of presence (PoP) of the data communications network at least one AAA service and at least one proxy service and at least one protocol gateway in communication with a network access server (NAS);
- periodically publishing information contained in said central database;
- subscribing at said AAA and said proxy service to information published from said central database;
- receiving at a protocol gateway in the PoP a network access request from a user through a network access server (NAS);
- parsing the network access request at the protocol gateway for an identification of the user's domain;
- routing the network access request to an AAA service at the PoP if the user's domain corresponds to that of the PoP;
- looking up access information within a domain identification entry corresponding to the user's domain in a database associated with the proxy server if the user's domain does not correspond to that of the PoP; and
- proxying the network access request to an AAA service in the user's domain at an address and port as specified in the access information if the user's domain does not correspond to that of the PoP.
12. The method executing on the hardware computer in accordance with claim 11, further comprising:
- obtaining an IP address for the user from an AAA service in the user's domain if the user's domain does not correspond to that of the PoP.
13. The method executing on the hardware computer in accordance with claim 11, further comprising:
- assigning an IP address to the user from a local DHCP pool of IP addresses if the user's domain does not correspond to that of the PoP.
14. The method executing on the hardware computer in accordance with claim 11, further comprising:
- assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user's domain's AAA service if the user's domain does not correspond to that of the PoP.
15. A method executing on a hardware computer of managing network access requests to a data communications network, said method comprising:
- receiving at a protocol gateway in a point of presence (PoP) of the data communications network a network access request from a user through a network access server (NAS);
- parsing the network access request for an identification of the user's domain;
- routing the network access request to one of the plurality of authentication, authorization and accounting (AAA) services associated with the PoP if the user's domain corresponds to that of the PoP while load balancing among the plurality of AAA services;
- looking up a domain identification entry corresponding to the user's domain in a database if the user's domain does not correspond to that of the PoP;
- proxying the network access request via one of a plurality of proxy services to an AAA service in the user's domain at an address and port as specified in the domain identification entry of the database if the user's domain does not correspond to that of the PoP while load balancing among the plurality of proxy services.
16. The method executing on the hardware computer in accordance with claim 15, further comprising:
- obtaining an IP address for the user from the AAA service in the user's domain if the user's domain does not correspond to that of the PoP.
17. The method executing on the hardware computer in accordance with claim 15, further comprising:
- assigning an IP address to the user from a local DHCP pool of IP addresses if the user's domain does not correspond to that of the PoP.
18. The method executing on the hardware computer in accordance with claim 15, further comprising:
- assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user's domain's AAA service if the user's domain does not correspond to that of the PoP.
19. A method executing on a hardware computer for managing network access to a data communications network, said method comprising:
- maintaining a central database, said central database containing access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
- maintaining at a point of presence (PoP) of the data communications network a plurality of AAA services, at least one proxy service and at least one protocol gateway in communication with a network access server (NAS);
- periodically publishing information contained in said central database;
- subscribing at said AAA and said proxy service to information published from said central database;
- receiving at a protocol gateway in the PoP a network access request from a user through a network access server (NAS);
- parsing the network access request at the protocol gateway for an identification of the user's domain;
- routing the network access request to one of said plurality of AAA services at the PoP if the user's domain corresponds to that of the PoP while load balancing among said plurality of AAA services;
- looking up access information within a domain identification entry corresponding to the user's domain in a database associated with one of said plurality of proxy services if the user's domain does not correspond to that of the PoP while load balancing among said plurality of proxy services; and
- proxying the network access request to an AAA service in the user's domain at an address and port as specified in the access information if the user's domain does not correspond to that of the PoP.
20. The method executing on the hardware computer in accordance with claim 19, further comprising:
- obtaining an IP address for the user from an AAA service in the user's domain if the user's domain does not correspond to that of the PoP.
21. The method executing on the hardware computer in accordance with claim 19, further comprising:
- assigning an IP address to the user from a local DHCP pool of IP addresses if the user's domain does not correspond to that of the PoP.
22. The method executing on the hardware computer in accordance with claim 19, further comprising:
- assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user's domain's AAA service if the user's domain does not correspond to that of the PoP.
23. A method executing on a hardware computer of managing network access requests to a data communications network, said method comprising:
- receiving at a protocol gateway in a point of presence (PoP) of the data communications network a network access request from a user through a network access server (NAS);
- parsing the network access request for an identification of the user's domain;
- routing the network access request to an authentication, authorization and accounting (AAA) service associated with the PoP if the user's domain corresponds to that of the PoP;
- looking up a domain identification entry corresponding to the user's domain in a database if the user's domain does not correspond to that of the PoP;
- proxying the network access request to an AAA service in the user's domain at an address and port as specified in the domain identification entry of the database if the user's domain does not correspond to that of the PoP.
24. The method executing on the hardware computer in accordance with claim 23, further comprising:
- obtaining an IP address for the user from the AAA service in the user's domain if the user's domain does not correspond to that of the PoP.
25. The method executing on the hardware computer in accordance with claim 23, further comprising:
- assigning an IP address to the user from a local DHCP pool of IP addresses if the user's domain does not correspond to that of the PoP.
26. The method executing on the hardware computer in accordance with claim 23, further comprising:
- assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user's domain's AAA service if the user's domain does not correspond to that of the PoP.
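The routing and IP-assignment steps recited in claims 15 through 26 (parse the realm from the request, route realm-local requests to a PoP-local AAA service while load balancing, proxy foreign realms to the remote AAA service at the address and port held in the domain identification entry, then take the user's IP address from the access-accept, from the pool named by its IP-Pool-ID, or from the local DHCP pool), written out as a small runnable simulation. This is an added example and not the patent's implementation: the class and function names, the realm `isp.example`, the table rows, the pool names and the choice to reject a realm with no table entry are all assumptions made here. The abstract describes the same domain decision being applied to accounting packets from the NAS, so the `route` method generalises to those as well.

```python
"""Added example (not code from the patent): a simulation of the
protocol-gateway decision described in claims 15-26.  The PGW parses the
realm out of the user name, routes realm-local requests to a PoP-local AAA
service (round-robin over several), and proxies foreign realms through a
proxy service to the remote AAA at the address/port held in the replicated
domain table.  The access-accept that comes back then decides where the
user's IP address comes from.  All hosts, pool names and users below are
constructed sample data."""

from dataclasses import dataclass
from itertools import cycle
from typing import Optional

LOCAL_DOMAIN = "isp.example"  # the PoP's own (retail) realm; constructed

# Domain identification entries copied from the central database to the
# proxy service at instantiation.  Constructed sample rows, not real hosts.
DOMAIN_TABLE = {
    "corp.example": {"host": "203.0.113.10", "port": 1812},
    "clec.example": {"host": "198.51.100.7", "port": 1812},
}


@dataclass
class AccessAccept:
    """The fields of a returned accept packet that matter for IP assignment."""
    framed_ip: Optional[str] = None  # address carried in the packet itself
    pool_id: Optional[str] = None    # IP-Pool-ID attribute, if supplied


def parse_domain(username: str) -> str:
    """Realm part of user@realm, lower-cased; a bare name is the PoP's realm."""
    if "@" not in username:
        return LOCAL_DOMAIN
    return username.rsplit("@", 1)[1].lower()


class ProtocolGateway:
    """Routes access requests arriving from the NAS (claims 15 and 23)."""

    def __init__(self, local_aaa, proxies):
        self._aaa = cycle(local_aaa)      # load balance among local AAA services
        self._proxies = cycle(proxies)    # ... and among proxy services

    def route(self, username: str) -> dict:
        domain = parse_domain(username)
        if domain == LOCAL_DOMAIN:
            return {"kind": "local", "service": next(self._aaa), "domain": domain}
        entry = DOMAIN_TABLE.get(domain)
        if entry is None:
            # Assumption for this example: a realm with no table entry is
            # rejected rather than silently handled as a retail user.
            return {"kind": "reject", "reason": "unknown domain", "domain": domain}
        return {
            "kind": "proxy",
            "service": next(self._proxies),
            "target": (entry["host"], entry["port"]),
            "domain": domain,
        }


def assign_ip(accept: AccessAccept, dhcp_pools: dict) -> str:
    """Precedence from the abstract: an address in the accept packet wins;
    otherwise allocate from DHCP, using the IP-Pool-ID pool when one is
    named and the PoP's default pool when not.  dhcp_pools maps pool name
    to a list of free addresses and is mutated by allocation."""
    if accept.framed_ip:
        return accept.framed_ip
    pool_name = accept.pool_id if accept.pool_id in dhcp_pools else "default"
    free = dhcp_pools[pool_name]
    if not free:
        raise RuntimeError(f"DHCP pool {pool_name!r} exhausted")
    return free.pop(0)


if __name__ == "__main__":
    pgw = ProtocolGateway(["aaa-1", "aaa-2"], ["proxy-1", "proxy-2"])
    pools = {"default": ["10.0.0.5", "10.0.0.6"], "clec-pool": ["10.9.0.1"]}
    for user in ["alice", "bob@corp.example", "carol@clec.example", "dan@nowhere.example"]:
        print(user, "->", pgw.route(user))
    print(assign_ip(AccessAccept(pool_id="clec-pool"), pools))
```

Two points worth noting for anyone building this: the realm is taken from the last `@` so that a user name containing `@` cannot smuggle a different realm in front of it, and an IP-Pool-ID naming a pool the PoP does not know falls back to the default pool instead of failing the whole request.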
27. A hardware system for data communications network access management, comprising:
- a central database containing information identifying access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
- a publisher, said publisher publishing information from said central database to subscribers over an information bus;
- a point of presence (PoP) on the data communications network, said PoP including a protocol gateway in communication with at least one network access server (NAS);
- an AAA service associated with said PoP and in communication with said protocol gateway, said AAA service subscribing to information published by said publisher; and
- a proxy service associated with the PoP and in communication with said protocol gateway, said proxy service subscribing to information published by said publisher,
- said protocol gateway receiving network access requests from users over the NAS, parsing the requests for domain identification and routing the requests for domains other than those associated with the PoP to the proxy service,
- said proxy service routing network access requests to AAA services in remote domains in accordance with said access information.
28. The hardware system in accordance with claim 27, further comprising:
- an AAA database associated with said AAA service; and
- a proxy database associated with said proxy service,
- said AAA database populated at instantiation of said AAA service by receiving information published by said publisher from said central database,
- said proxy database populated at instantiation of said proxy service by receiving information published by said publisher from said central database.
29. A hardware system for data communications network access management, comprising:
- a central database containing information identifying access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
- a publisher, said publisher publishing information from said central database to subscribers over an information bus;
- a point of presence (PoP) on the data communications network, said PoP including a protocol gateway in communication with at least one network access server (NAS);
- a plurality of AAA services associated with said PoP and in communication with said protocol gateway, said AAA services subscribing to information published by said publisher; and
- a plurality of proxy services associated with said PoP and in communication with said protocol gateway, said proxy services subscribing to information published by said publisher,
- said protocol gateway receiving network access requests from users over the NAS, parsing the requests for domain identification and routing the requests for domains other than those associated with the PoP to one of said plurality of proxy services while load balancing among them,
- said proxy service routing network access requests to AAA services in remote domains in accordance with said access information.
30. The hardware system in accordance with claim 29, further comprising:
- a plurality of AAA databases associated with said respective AAA services; and
- a plurality of proxy databases associated with said respective proxy services,
- said AAA databases populated at instantiation of said respective AAA services by receiving information published by said publisher from said central database,
- said proxy databases populated at instantiation of said respective proxy services by receiving information published by said publisher from said central database.
31. A method executing on a hardware computer for managing network access to a data communications network, said method comprising:
- maintaining a central database coupled to the data communications network;
- maintaining at least a first authentication, authorization and accounting (AAA) service at a first point of presence (PoP) of the data communications network and a second AAA service at a second PoP of the data communications network;
- configuring a database associated with the first AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the first AAA service; and
- configuring a database associated with the second AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the second AAA service;
- further comprising:
- receiving at a protocol gateway in the first PoP a network access request from a user through a network access server (NAS);
- parsing the network access request for an identification of the user's domain;
- routing the network access request to the first AAA service at the first PoP if the user's domain corresponds to that of the first PoP;
- looking up a domain identification entry corresponding to the user's domain in the first AAA service's database if the user's domain does not correspond to that of the first PoP;
- proxying the network access request to an AAA service in the user's domain at an address and port as specified in the domain identification entry of the database if the user's domain does not correspond to that of the first PoP.
32. The method executing on the hardware computer of claim 31 further comprising:
- periodically updating the database associated with the first AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the first AAA service.
33. The method executing on the hardware computer of claim 32 further comprising:
- periodically updating the database associated with the second AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the second AAA service.
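The replication scheme that claims 19, 27 through 30 and 31 through 33 recite (one central database, local AAA and proxy databases populated from it at instantiation, then periodically updated), as a runnable model. This is an added example, not the patent's code; the class names, the version counter, the change log with compaction and the resync-on-gap rule are assumptions introduced here to make the "periodically updating" step concrete. The rows are constructed sample data.

```python
"""Added example (not the patent's code): the publish/subscribe replication
of claims 27-33 in miniature.  A central database is the single place the
domain table is maintained; each AAA or proxy service is instantiated from a
full snapshot and afterwards pulls periodic updates.  A version number on
every change lets a subscriber notice that it has missed updates (for
example because the central change log was compacted) and fall back to a
fresh snapshot instead of serving a stale or partial table.  Names and rows
are constructed for this example."""

from dataclasses import dataclass, field


@dataclass
class CentralDatabase:
    """Authoritative domain -> (host, port) table with a monotonic version."""
    rows: dict = field(default_factory=dict)
    version: int = 0
    log: list = field(default_factory=list)  # (version, op, domain, value)

    def upsert(self, domain: str, host: str, port: int) -> None:
        self.version += 1
        self.rows[domain] = (host, port)
        self.log.append((self.version, "upsert", domain, (host, port)))

    def delete(self, domain: str) -> None:
        self.version += 1
        self.rows.pop(domain, None)
        self.log.append((self.version, "delete", domain, None))

    def snapshot(self):
        """What a subscriber receives at instantiation (claims 28 and 30)."""
        return self.version, dict(self.rows)

    def changes_since(self, version: int) -> list:
        """What a subscriber receives on a periodic update (claims 32 and 33)."""
        return [c for c in self.log if c[0] > version]

    def compact(self, keep_after: int) -> None:
        """Drop log entries at or below keep_after (a bounded log, simulated)."""
        self.log = [c for c in self.log if c[0] > keep_after]


class LocalServiceDatabase:
    """The copy held by one AAA or proxy service at a PoP."""

    def __init__(self, name: str):
        self.name = name
        self.version = 0
        self.rows: dict = {}

    def instantiate(self, central: CentralDatabase) -> None:
        self.version, self.rows = central.snapshot()

    def periodic_update(self, central: CentralDatabase) -> str:
        """Apply changes in order; resync from a snapshot on any gap."""
        for ver, op, domain, value in central.changes_since(self.version):
            if ver != self.version + 1:
                self.instantiate(central)
                return "resync"
            if op == "upsert":
                self.rows[domain] = value
            else:
                self.rows.pop(domain, None)
            self.version = ver
        return "ok"

    def consistent_with(self, central: CentralDatabase) -> bool:
        """Operational check: does this copy match the central table?"""
        return self.version == central.version and self.rows == central.rows


if __name__ == "__main__":
    central = CentralDatabase()
    central.upsert("corp.example", "203.0.113.10", 1812)
    proxy_db = LocalServiceDatabase("proxy-1")
    proxy_db.instantiate(central)
    central.upsert("clec.example", "198.51.100.7", 1812)
    print(proxy_db.periodic_update(central), proxy_db.consistent_with(central))
```

The `consistent_with` check is the thing to alert on in operation: a proxy service whose copy of the domain table lags the central database will send access requests to a stale remote AAA address and port, which is both an availability problem and, if the old address has been reassigned, a credential-exposure one.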
34. The method executing on the hardware computer of claim 31 further comprising:
- obtaining an IP address for the user from the AAA service in the user's domain if the user's domain does not correspond to that of the first PoP.
35. The method executing on the hardware computer of claim 31 further comprising:
- assigning an IP address to the user from a local DHCP pool of IP addresses if the user's domain does not correspond to that of the first PoP.
36. The method executing on the hardware computer of claim 31, further comprising:
- assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user's domain's AAA service if the user's domain does not correspond to that of the first PoP.
37. A method executing on a hardware computer for managing network access to a data communications network, said method comprising:
- maintaining a central database coupled to the data communications network;
- maintaining a plurality of first authentication, authorization and accounting (AAA) services at a first point of presence (PoP) of the data communications network and a second AAA service at a second PoP of the data communications network;
- configuring one or more databases associated with the first AAA services from the central database by transporting information from the central database over the data communications network to the database(s) associated with the first AAA services; and
- configuring a database associated with the second AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the second AAA service;
- further comprising:
- receiving at a protocol gateway in the first PoP a network access request from a user through a network access server (NAS);
- parsing the network access request for an identification of the user's domain;
- routing the network access request to one of said plurality of first AAA services at the first PoP if the user's domain corresponds to that of the first PoP while load balancing among said plurality of first AAA services;
- looking up a domain identification entry corresponding to the user's domain in one of said plurality of first AAA service's database(s) if the user's domain does not correspond to that of the first PoP;
- proxying the network access request to an AAA service in the user's domain at an address and port as specified in the domain identification entry of the database if the user's domain does not correspond to that of the first PoP.
38. The method executing on the hardware computer of claim 37 further comprising:
- obtaining an IP address for the user from the AAA service in the user's domain if the user's domain does not correspond to that of the first PoP.
39. The method executing on the hardware computer of claim 37, further comprising:
- assigning an IP address to the user from a local DHCP pool of IP addresses if the user's domain does not correspond to that of the first PoP.
40. The method executing on the hardware computer of claim 37 further comprising:
- assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user's domain's AAA service if the user's domain does not correspond to that of the first PoP.
41. A method executing on a hardware computer for managing network access to a data communications network, said method comprising:
- maintaining a central database coupled to the data communications network;
- said central database containing access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
- maintaining at a first point of presence (PoP) of the data communications network at least one first AAA service and at least one first proxy service and at least one first protocol gateway in communication with a network access server (NAS);
- periodically transporting information contained in the central database from the central database, over the data communications network, to the first AAA service(s), the first proxy service(s) and the first protocol gateway(s);
- receiving at a protocol gateway in the first PoP a network access request from a user through a network access server (NAS);
- parsing the network access request at the first protocol gateway for an identification of the user's domain;
- routing the network access request to an AAA service at the first PoP if the user's domain corresponds to that of the first PoP;
- looking up access information within a domain identification entry corresponding to the user's domain in a database associated with the first proxy service if the user's domain does not correspond to that of the first PoP; and
- proxying the network access request to an AAA service in the user's domain at an address and port as specified in the access information if the user's domain does not correspond to that of the first PoP.
42. The method executing on the hardware computer of claim 41, further comprising:
- obtaining an IP address for the user from an AAA service in the user's domain if the user's domain does not correspond to that of the first PoP.
43. The method executing on the hardware computer of claim 41, further comprising:
- assigning an IP address to the user from a local DHCP pool of IP addresses if the user's domain does not correspond to that of the first PoP.
44. The method executing on the hardware computer of claim 41, further comprising:
- assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user's domain's AAA service if the user's domain does not correspond to that of the first PoP.
45. A method executing on a hardware computer for managing network access requests to a data communications network, said method comprising:
- receiving at a protocol gateway in a first point of presence (PoP) of the data communications network a network access request from a user received through a network access server (NAS);
- parsing the network access request for an identification of the user's domain;
- routing the network access request to one of the plurality of authentication, authorization and accounting (AAA) services associated with the first PoP if the user's domain corresponds to that of the first PoP while load balancing among the plurality of AAA services;
- looking up a domain identification entry corresponding to the user's domain in a database associated with the one AAA service if the user's domain does not correspond to that of the first PoP;
- proxying the network access request via one of a plurality of proxy services to an AAA service in the user's domain at an address and port as specified in the domain identification entry of the database if the user's domain does not correspond to that of the first PoP while load balancing among the plurality of proxy services.
46. The method executing on the hardware computer of claim 45, further comprising:
- obtaining an IP address for the user from the AAA service in the user's domain if the user's domain does not correspond to that of the first PoP.
47. The method executing on the hardware computer of claim 45, further comprising:
- assigning an IP address to the user from a local DHCP pool of IP addresses if the user's domain does not correspond to that of the first PoP.
48. The method executing on the hardware computer of claim 45, further comprising:
- assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user's domain's AAA service if the user's domain does not correspond to that of the first PoP.
49. A method executing on a hardware computer for managing network access to a data communications network, said method comprising:
- maintaining a central database, said central database containing access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
- maintaining at a first point of presence (PoP) of the data communications network a plurality of AAA services, at least one proxy service and at least one protocol gateway in communication with a network access server (NAS);
- periodically transmitting information contained in said central database over the data communications network to said AAA services and said proxy service;
- receiving at a protocol gateway in the PoP a network access request from a user through a network access server (NAS);
- parsing the network access request at the protocol gateway for an identification of the user's domain;
- routing the network access request to one of said plurality of AAA services at the first PoP if the user's domain corresponds to that of the first PoP while load balancing among said plurality of AAA services;
- looking up access information within a domain identification entry corresponding to the user's domain in a database associated with one of said plurality of proxy services if the user's domain does not correspond to that of the first PoP while load balancing among said plurality of proxy services; and
- proxying the network access request to an AAA service in the user's domain at an address and port as specified in the access information if the user's domain does not correspond to that of the first PoP.
50. The method executing on the hardware computer of claim 49, further comprising:
- obtaining an IP address for the user from an AAA service in the user's domain if the user's domain does not correspond to that of the first PoP.
51. The method executing on the hardware computer of claim 49, further comprising:
- assigning an IP address to the user from a local DHCP pool of IP addresses if the user's domain does not correspond to that of the first PoP.
52. The method executing on the hardware computer of claim 49, further comprising:
- assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user's domain's AAA service if the user's domain does not correspond to that of the first PoP.
53. A method executing on a hardware computer for managing network access requests to a data communications network, said method comprising:
- periodically transmitting updating information contained in a central database over the data communications network to an authentication, authorization and accounting (AAA) service associated with a first point of presence (PoP) of the data communications network;
- receiving at a protocol gateway in the first point of presence (PoP) of the data communications network a network access request from a user received through a network access server (NAS);
- parsing the network access request for an identification of the user's domain;
- routing the network access request to the AAA service associated with the first PoP if the user's domain corresponds to that of the first PoP;
- looking up a domain identification entry corresponding to the user's domain in a database if the user's domain does not correspond to that of the first PoP;
- proxying the network access request to an AAA service in the user's domain at an address and port as specified in the domain identification entry of the database if the user's domain does not correspond to that of the first PoP.
54. The method executing on the hardware computer of claim 53, further comprising:
- obtaining an IP address for the user from the AAA service in the user's domain if the user's domain does not correspond to that of the first PoP.
55. The method executing on the hardware computer of claim 53, further comprising:
- assigning an IP address to the user from a local DHCP pool of IP addresses if the user's domain does not correspond to that of the first PoP.
56. The method executing on the hardware computer of claim 53, further comprising:
- assigning an IP address to the user from an IP address pool identified in an access-accept packet received from the user's domain's AAA service if the user's domain does not correspond to that of the first PoP.
57. A hardware system for data communications network access management, comprising:
- a central database containing information identifying access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
- a first point of presence (PoP) on the data communications network, said first PoP including a protocol gateway in communication with at least one network access server (NAS);
- an AAA service associated with said first PoP and in communication with said protocol gateway and the data communications network;
- a proxy service associated with the first PoP and in communication with said protocol gateway and the data communications network;
- a transmitter, said transmitter transmitting information from said central database to said AAA service at said first PoP and said proxy service at said first PoP over the data communications network;
- said protocol gateway receiving network access requests from users over the NAS, parsing the requests for domain identification and routing the requests for domains other than those associated with the first PoP to the proxy service,
- said proxy service routing network access requests to AAA services in remote domains in accordance with said access information.
58. The hardware system of claim 57, further comprising:
- an AAA database associated with said AAA service at said first PoP;
- a proxy database associated with said proxy service at said first PoP;
- said AAA database populated at instantiation of said AAA service by receiving information transmitted by said transmitter from said central database;
- said proxy database populated at instantiation of said proxy service by receiving information transmitted by said transmitter from said central database.
59. A hardware system for data communications network access management, comprising:
- a central database containing information identifying access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
- a first point of presence (PoP) on the data communications network, said first PoP including a protocol gateway in communication with at least one network access server (NAS);
- a plurality of AAA services associated with said first PoP and in communication with said protocol gateway, said AAA services subscribing to information published by said publisher;
- a plurality of proxy services associated with said first PoP and in communication with said protocol gateway, said proxy services subscribing to information published by said publisher; and
- a transmitter, said transmitter transmitting information from said central database over the data communications network to said plurality of AAA services associated with said first PoP and to said plurality of proxy services associated with said first PoP;
- said protocol gateway receiving network access requests from users over the NAS, parsing the requests for domain identification and routing the requests for domains other than those associated with the first PoP to one of said plurality of proxy services while load balancing among them;
- said proxy service routing network access requests to AAA services in remote domains in accordance with said access information.
60. The hardware system of claim 59, further comprising:
- a plurality of AAA databases associated with said respective AAA services at said first PoP; and
- a plurality of proxy databases associated with said respective proxy services at said first PoP;
- said AAA databases populated at instantiation of said respective AAA services by receiving information transmitted by said transmitter from said central database;
- said proxy databases populated at instantiation of said respective proxy services by receiving information transmitted by said transmitter from said central database.
61. A hardware system for managing access to a data communications network, said system comprising:
- means for communicating with a central database via the data communications network, the central database containing information identifying access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
- means for communicating with a local AAA service associated with a local Point of Presence (PoP);
- means for communicating with a remote AAA service via a local proxy service;
- means for instantiating the local AAA service from the central database;
- means for receiving a network access request from a user through a local network access server (NAS);
- means for checking the network access request to determine an identification of the user's domain;
- means for routing the network access request to the local AAA service if the user's domain corresponds to that of the local PoP;
- means for looking up a domain identification entry corresponding to the user's domain in the local AAA service's database if the user's domain does not correspond to that of the local PoP; and
- means for proxying the network access request to a remote AAA service in the user's domain at an address and port as specified in the domain identification entry of the database if the user's domain does not correspond to that of the local PoP.
62. A hardware system for managing access to a data communications network, said system comprising:
- means for communicating with a central database via the data communications network, the central database containing information identifying access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
- means for communicating with a plurality of local AAA services associated with a local Point of Presence (PoP);
- means for communicating with a plurality of local proxy services associated with the local PoP;
- means for communicating with a remote AAA service via a local proxy service;
- means for instantiating the local AAA services from the central database;
- means for instantiating the local proxy services from the central database;
- means for receiving a network access request from a user through a local network access server (NAS);
- means for checking the network access request to determine an identification of the user's domain;
- means for routing the network access request to the local AAA service if the user's domain corresponds to that of the local PoP;
- means for looking up a domain identification entry corresponding to the user's domain with the local AAA services if the user's domain does not correspond to that of the local PoP;
- means for proxying the network access request to a remote AAA service in the user's domain at an address and port as specified in the domain identification entry of the local AAA services' database if the user's domain does not correspond to that of the local PoP; and
- means for receiving network access requests from users over a network access server (NAS), parsing the requests for domain identification and routing the requests for domains other than those associated with the first PoP to one of said plurality of proxy services while load balancing among them;
- said proxy service routing network access requests to the remote AAA service in accordance with said access information.
63. A method executing on a hardware computer for accounting for use of a data communications network, said method comprising:
- means for communicating with a central database via the data communications network, the central database containing information identifying access information for authentication, authorization and accounting (AAA) services associated with domains of the data communications network;
- means for communicating with at least one local AAA service associated with a local Point of Presence (PoP);
- means for communicating with a remote AAA service;
- means for instantiating the local AAA services from the central database;
- means for receiving a network access request from a user through a local network access server (NAS);
- means for checking the network access request to determine an identification of the user's domain;
- means for routing accounting information associated with the user to the local AAA service if the user's domain corresponds to that of the local PoP;
- means for looking up a domain identification entry corresponding to the user's domain with the local AAA services if the user's domain does not correspond to that of the local PoP;
- means for routing the accounting information to a remote AAA service in the user's domain at an address and port as specified in the domain identification entry of the local AAA services' database if the user's domain does not correspond to that of the local PoP.
64. A method executing on a hardware computer for managing network access accounting in a data communications network, said method comprising:
- maintaining a central database coupled to the data communications network;
- maintaining at least a local authentication, authorization and accounting (AAA) service at a local point of presence (PoP) of the data communications network;
- configuring a database associated with the local AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the local AAA service;
- receiving accounting information from a network access server (NAS) responsive to utilization of the data communications network by a user coupled to the data communications network through the NAS;
- forwarding said accounting information to the local AAA service if the user's domain corresponds to that of the local PoP; and
- forwarding said accounting information to a remote AAA service in the user's domain at an address and port as specified in the domain identification entry of the local AAA service's database if the user's domain does not correspond to that of the local PoP.
65. A hardware apparatus for managing network access accounting in a data communications network, said apparatus comprising:
- means for maintaining a central database coupled to the data communications network;
- means for maintaining at least a local authentication, authorization and accounting (AAA) service at a local point of presence (PoP) of the data communications network;
- means for configuring a database associated with the local AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the local AAA service;
- means for receiving accounting information from a network access server (NAS) responsive to utilization of the data communications network by a user coupled to the data communications network through the NAS;
- means for forwarding said accounting information to the local AAA service if the user's domain corresponds to that of the local PoP; and
- means for forwarding said accounting information to a remote AAA service in the user's domain at an address and port as specified in the domain identification entry of the local AAA service's database if the user's domain does not correspond to that of the local PoP.
66. A hardware system for managing network access to a data communications network, said method comprising:
- a central database coupled to the data network;
- at least a first authentication, authorization and accounting (AAA) service at a first point of presence (PoP) of the data communications network and a second AAA service at a second PoP of the data communications network; and
- a database configurer configuring a database associated with the first AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the first AAA service and configuring a database associated with the second AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the second AAA service;
- a protocol gateway receiving network access requests from users over the NAS, parsing the requests for domain identification and routing the requests for domains other than those associated with the first PoP to the proxy service,
- said proxy service routing network access requests to AAA services in remote domains in accordance with said access information.
67. A hardware apparatus for managing network access to a data communications network, said method comprising:
- means for maintaining a central database coupled to the data communications network;
- means for maintaining at least a first authentication, authorization and accounting (AAA) service at a first point of presence (PoP) of the data communications network and a second AAA service at a second PoP of the data communications network;
- means for configuring a database associated with the first AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the first AAA service; and
- means for configuring a database associated with the second AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the second AAA service;
- means for receiving accounting information from a network access server (NAS) responsive to utilization of the data communications network by a user coupled to the data communications network through the NAS;
- means for forwarding said accounting information to a local AAA service if the user's domain corresponds to that of the local PoP; and
- means for forwarding said accounting information to a remote AAA service in the user's domain at an address and port as specified in the domain identification entry of the local AAA service's database if the user's domain does not correspond to that of the local PoP.
68. A hardware system for managing network access to a data communications network, said method comprising:
- a central database coupled to the data communications network;
- a plurality of first authentication, authorization and accounting (AAA) services disposed at a first point of presence (PoP) of the data communications network and a second AAA service disposed at a second PoP of the data communications network;
- a first database configurer configuring one or more databases associated with the first AAA services from the central database by transporting information from the central database over the data communications network to the database(s) associated with the first AAA services; and
- a second database configurer configuring a database associated with the second AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the second AAA service;
- a protocol gateway receiving network access requests from users over the NAS, parsing the requests for domain identification and routing the requests for domains other than those associated with the first PoP to the proxy service,
- said proxy service routing network access requests to AAA services in remote domains in accordance with said access information.
69. A hardware apparatus for managing network access to a data communications network, said method comprising:
- means for maintaining a central database coupled to the data communications network;
- means for maintaining a plurality of first authentication, authorization and accounting (AAA) service at a first point of presence (PoP) of the data communications network and a second AAA service at a second PoP of the data communications network; and
- means for configuring one or more databases associated with the first AAA services from the central database by transporting information from the central database over the data communications network to the database(s) associated with the first AAA services; and
- means for configuring a database associated with the second AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the second AAA service;
- means for receiving accounting information from a network access server (NAS) responsive to utilization of the data communications network by a user coupled to the data communications network through the NAS;
- means for forwarding said accounting information to a local AAA service if the user's domain corresponds to that of the local PoP; and
- means for forwarding said accounting information to a remote AAA service in the user's domain at an address and port as specified in the domain identification entry of the local AAA service's database if the user's domain does not correspond to that of the local PoP.
70. A hardware system for managing network access to a data communications network, said method comprising:
- a central database coupled to the data communications network;
- a plurality of first authentication, authorization and accounting (AAA) services disposed at a first point of presence (PoP) of the data communications network and a second AAA service disposed at a second PoP of the data communications network; and
- a database configurer configuring one or more databases associated with the first AAA services from the central database by transporting information from the central database over the data communications network to the database(s) associated with the first AAA services and configuring a database associated with the second AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the second AAA service;
- a protocol gateway receiving network access requests from users over the NAS, parsing the requests for domain identification and routing the requests for domains other than those associated with the first PoP to the proxy service,
- said proxy service routing network access requests to AAA services in remote domains in accordance with said access information.
71. A hardware apparatus for managing network access to a data communications network, said method comprising:
- means for maintaining a central database coupled to the data communications network;
- means for maintaining a plurality of first authentication, authorization and accounting (AAA) services at a first point of presence (PoP) of the data communications network and a second AAA service at a second PoP of the data communications network; and
- means for configuring one or more databases associated with the first AAA services from the central database by transporting information from the central database over the data communications network to database(s) associated with the first AAA services and for configuring a database associated with the second AAA service from the central database by transporting information from the central database over the data communications network to the database associated with the second AAA service;
- means for receiving accounting information from a network access server (NAS) responsive to utilization of the data communications network by a user coupled to the data communications network through the NAS;
- means for forwarding said accounting information to a local AAA service if the user's domain corresponds to that of the local PoP; and
- means for forwarding said accounting information to a remote AAA service in the user's domain at an address and port as specified in the domain identification entry of the local AAA service's database if the user's domain does not correspond to that of the local PoP.
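The routing decision that claims 63 through 71 describe, as an added example in Python that is not code from the patent or from Cisco: a local AAA database is instantiated by copying the central database, the protocol gateway parses the realm of the incoming identifier, keeps retail users on the local AAA service, and forwards wholesale users through one of several proxy services (round-robin) to the remote AAA address and port found in the domain entry. The domain names, addresses, ports and proxy names are constructed for the example.

```python
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DomainEntry:
    """Address and port of the AAA service responsible for a domain."""
    aaa_host: str
    aaa_port: int


@dataclass(frozen=True)
class RouteDecision:
    target: str              # "local", "remote" or "reject"
    proxy: Optional[str]     # proxy service chosen when target is "remote"
    aaa_host: Optional[str]
    aaa_port: Optional[int]


# Constructed sample of the centrally maintained database (hypothetical domains).
CENTRAL_DB: Dict[str, DomainEntry] = {
    "isp.example": DomainEntry("10.0.0.5", 1813),       # the local PoP's own AAA
    "corp.example": DomainEntry("198.51.100.7", 1813),  # wholesale customer's AAA
    "clec.example": DomainEntry("203.0.113.9", 1646),   # legacy accounting port
}


def instantiate_local_db(central: Dict[str, DomainEntry]) -> Dict[str, DomainEntry]:
    """Copy central data into the storage the local AAA service uses at start-up."""
    return dict(central)


def parse_domain(username: str) -> Optional[str]:
    """Return the realm of a user@domain identifier, or None when there is none."""
    if "@" not in username:
        return None
    domain = username.rsplit("@", 1)[1].strip().lower()
    return domain or None


class ProtocolGateway:
    def __init__(self, local_domain: str, local_db: Dict[str, DomainEntry], proxies: List[str]):
        self.local_domain = local_domain.lower()
        self.local_db = local_db
        self._proxies = cycle(proxies)  # load balance requests among the proxy services

    def route(self, username: str) -> RouteDecision:
        domain = parse_domain(username)
        # Retail users (no realm, or the local PoP's realm) stay on the local AAA service.
        if domain is None or domain == self.local_domain:
            local = self.local_db[self.local_domain]
            return RouteDecision("local", None, local.aaa_host, local.aaa_port)
        entry = self.local_db.get(domain)
        if entry is None:
            # No domain identification entry: nothing to proxy to, so do not forward.
            return RouteDecision("reject", None, None, None)
        return RouteDecision("remote", next(self._proxies), entry.aaa_host, entry.aaa_port)
```

The same decision applies to accounting packets from the NAS, which follow the access request to the same local or remote AAA service.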
Type: Grant
Filed: Oct 2, 2003
Date of Patent: Oct 5, 2010
Assignee: Cisco Technology, Inc. (San Jose, CA)
Inventors: Andrew Mark Gutman (Foothill Ranch, CA), Aravind Sitaraman (Santa Clara, CA), Sampath Kumar Sthothra Bhasham (Santa Clara, CA), Kalpathi S. Suryanarayanan (Cupertino, CA)
Primary Examiner: Robert B Harrell
Attorney: BainwoodHuang
Application Number: 10/679,203
International Classification: G06F 13/00 (20060101);