
TECHNIQUES TO EFFECTIVELY MANAGE AUTHORIZATION PROCESSES IN A NETWORK ACCESS CONTROLLER

IP.com Disclosure Number: IPCOM000212150D
Publication Date: 2011-Nov-02
Document File: 6 page(s) / 138K

Publishing Venue

The IP.com Prior Art Database

Related People

Aravindan Ramalingam: AUTHOR [+3]

Abstract

Techniques are provided to distinguish authentication and authorization processes associated with a user or machine authentication with a network. When a user or machine authenticates with the Authentication, Authorization and Accounting (AAA) server, the AAA server is typically not informed about the authorization policies applied to a port or virtual local area network (VLAN) of an endpoint associated with the user (e.g., the endpoint device through which the user has authenticated). The techniques described herein enable the AAA server to obtain the authorization policies by distinguishing the authentication and authorization processes logically, implementing authorization as an independent part of message processing, reporting the authorization policies applied on the port or VLAN to the AAA server at the end of authentication or authorization, and providing command-line interface (CLI) commands to configure mandatory and optional attributes associated with access-accept messages sent from the AAA server.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 37% of the total text.



AUTHORS: Aravindan Ramalingam, Rajasekhar Manam, Sudarshana Kandachar Sridhara Rao

CISCO SYSTEMS, INC.


             DETAILED DESCRIPTION
Network access control features are widely deployed in network security environments. Service providers typically deploy these features for user- and machine-based authentication and authorization using an Authentication, Authorization and Accounting (AAA) server. After a user or machine is authenticated with the AAA server, a set of authorization attributes and policies is supplied from the AAA server to a network access device (NAD) to be applied on a port or virtual local area network (VLAN) associated with the endpoint device to which the user or machine is connected. For example, FIG. 1 shows a network environment comprising an endpoint device in communication with an authentication server.

Copyright 2011 Cisco Systems, Inc.

    The Remote Authentication Dial-In User Service (RADIUS) protocol is used between a network access server (NAS) (e.g., a terminal server) and an access control server (ACS) (e.g., the AAA server). RADIUS does not separate authorization from authentication; instead, a single authentication request-response transaction (Access-Request and Access-Accept) performs both, and the set of authorization attributes is carried in the Access-Accept message from the AAA server. The techniques described herein provide a mechanism to efficiently detect which authorization policies the NAS has actually granted to a user who has successfully authenticated (via, e.g., an endpoint device) with the AAA server.

    The decision to grant access to the user is usually based solely on the NAS software applying whatever it is able to apply on the port or VLAN. Thus, in traditional environments, the NAS software silently discards the remaining attributes sent from the AAA server. This results in the AAA server not being informed or updated a...
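To make the authorization step described above concrete, here is an added example (not code from the disclosure or from Cisco) in Python: it parses the attribute TLVs of a RADIUS Access-Accept, runs an authorization pass that is independent of authentication, applies only what the port can support, enforces a mandatory/optional attribute configuration in the spirit of the CLI the abstract mentions, and builds the report of applied and discarded policies that the NAD would hand back to the AAA server. The attribute codes are the standard RADIUS/RFC 3580 ones; the `NAD_POLICY` and `PORT` structures, the `authorize` and `report_to_aaa` helpers and the two Access-Accept payloads are constructed for this example.

```python
"""Added example: NAD-side authorization pass over RADIUS Access-Accept attributes.
Not the disclosure's own code; policy/port structures are assumptions."""
import struct

# RADIUS attribute type codes (RFC 2865, RFC 2868)
FILTER_ID, CLASS, SESSION_TIMEOUT = 11, 25, 27
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6      # RFC 3580 VLAN assignment values

def parse_attributes(payload):
    """Walk RADIUS attribute TLVs (Type, Length, Value); Length counts the 2 header bytes."""
    attrs, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad length %d for attribute %d" % (alen, atype))
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs

def encode_attribute(atype, value):
    """Build one TLV; used only to construct the sample Access-Accept payloads below."""
    return bytes([atype, len(value) + 2]) + value

def tagged_int(value):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte big-endian value."""
    return int.from_bytes(value[1:4], "big")

def tagged_string(value):
    """RFC 2868 tagged string: the tag byte is present only when the first byte is <= 0x1F."""
    if value and value[0] <= 0x1F:
        value = value[1:]
    return value.decode("ascii")

# Hypothetical NAD configuration standing in for the CLI the text describes (assumption):
# mandatory attributes must be applied for access to be granted; optional ones are best effort.
NAD_POLICY = {"mandatory": {TUNNEL_PRIVATE_GROUP_ID},
              "optional": {FILTER_ID, SESSION_TIMEOUT}}
APPLIED_KEY = {TUNNEL_PRIVATE_GROUP_ID: "vlan", FILTER_ID: "acl", SESSION_TIMEOUT: "session_timeout"}

def authorize(attrs, policy, port):
    """Authorization pass run after authentication has already succeeded.
    port = {"vlans": set of ints, "acls": set of names} is what the port can apply (constructed)."""
    applied, discarded = {}, []
    seen = {t: v for t, v in attrs}                     # last occurrence wins; fine here
    vlan_ok = (TUNNEL_TYPE in seen and tagged_int(seen[TUNNEL_TYPE]) == TUNNEL_TYPE_VLAN
               and TUNNEL_MEDIUM_TYPE in seen
               and tagged_int(seen[TUNNEL_MEDIUM_TYPE]) == TUNNEL_MEDIUM_802)
    for atype, value in attrs:
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            vlan = int(tagged_string(value))
            if vlan_ok and vlan in port["vlans"]:
                applied["vlan"] = vlan
            else:
                discarded.append(("Tunnel-Private-Group-ID", "VLAN %d not applicable" % vlan))
        elif atype == FILTER_ID:
            acl = value.decode("ascii")
            if acl in port["acls"]:
                applied["acl"] = acl
            else:
                discarded.append(("Filter-Id", "ACL %s not present on NAD" % acl))
        elif atype == SESSION_TIMEOUT:
            applied["session_timeout"] = struct.unpack("!I", value)[0]
        elif atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            pass                                        # consumed by the VLAN check above
        else:
            discarded.append((str(atype), "not a port/VLAN policy attribute"))
    unmet = [APPLIED_KEY[t] for t in policy["mandatory"] if APPLIED_KEY[t] not in applied]
    granted = not unmet
    # A failed mandatory attribute means nothing is applied on the port; keep the record anyway.
    return {"granted": granted, "applied": applied if granted else {},
            "discarded": discarded, "unmet_mandatory": unmet}

def report_to_aaa(decision):
    """Summary the NAD reports back so the AAA server learns what actually took effect."""
    return {"result": "granted" if decision["granted"] else "denied",
            "applied": sorted(decision["applied"].items()),
            "discarded": decision["discarded"],
            "unmet_mandatory": decision["unmet_mandatory"]}

# Constructed Access-Accept attribute payloads (no real traffic was captured).
ACCEPT_OK = b"".join([
    encode_attribute(TUNNEL_TYPE, b"\x01" + (13).to_bytes(3, "big")),
    encode_attribute(TUNNEL_MEDIUM_TYPE, b"\x01" + (6).to_bytes(3, "big")),
    encode_attribute(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"20"),
    encode_attribute(FILTER_ID, b"employee-acl"),
    encode_attribute(SESSION_TIMEOUT, struct.pack("!I", 3600)),
    encode_attribute(CLASS, b"opaque-class-blob"),
])
ACCEPT_BAD_VLAN = b"".join([
    encode_attribute(TUNNEL_TYPE, b"\x01" + (13).to_bytes(3, "big")),
    encode_attribute(TUNNEL_MEDIUM_TYPE, b"\x01" + (6).to_bytes(3, "big")),
    encode_attribute(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"99"),
    encode_attribute(FILTER_ID, b"no-such-acl"),
])
PORT = {"vlans": {10, 20, 30}, "acls": {"guest-acl", "employee-acl"}}

def run():
    """Authorize both sample Access-Accepts against the port and return the AAA reports."""
    return [report_to_aaa(authorize(parse_attributes(p), NAD_POLICY, PORT))
            for p in (ACCEPT_OK, ACCEPT_BAD_VLAN)]

if __name__ == "__main__":
    for report in run():
        print(report)
```

The point of the separate pass is in the two reports: the first shows the Class attribute being recorded as discarded rather than silently dropped, and the second shows a VLAN the port cannot host turning a mandatory attribute into a denial, with the unmet attribute named so the AAA server can see why the session did not get the policy it sent.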