System and Method for Distributed Network Authentication and Access Control
Abstract
A user gains access to a private network by connecting to a network, either through a hardwired or wireless connection, and then initiates an Internet access request targeting any website. If the user is not already authorized for Internet access, then the user is sent to a first predetermined website that points the user to an authentication server accessible via the Internet. The authentication server sends the user an HTTP form pages requesting authentication information. When the user responds, a network monitoring device within the private network alters the form page to include the user's hardware address and an encoded ID based on the network's location. The authentication server forwards this data to a gate keeper server, which authenticates the new user and transmits an unblock message along with another encoded ID based on the network's location and the user's hardware address.
Claims
exact text as granted — not AI-modified1 . A computer method for controlling Internet access on a network, said method comprising:
connecting at least one access device to said network, said at least one access device originating out-going data packets, each of said at least one access device being characterized by a unique hardware address; accessing a redirection server via the Internet; monitoring out-going data packets sent from said network to the Internet via a network monitoring device and verifying if an originator access device of an out-going data packet is authorized for Internet access, forwarding unimpededly all out-going packets originated from authorized access devices to the Internet and inspecting all out-going data packets originated from unauthorized access devices for determination of their target destination Internet websites, and checking if a determined target destination Internet website matches a predetermined authentication server website and in response to said checking forwarding a corresponding out-going data packet to said predetermined authentication server for a match found, said network monitoring device responding to a match not being found by disregarding the determined destination Internet website and forwarding the out-going data packet to said redirection server; whereby all out-going data packets to the Internet gain access to the Internet irrespective of whether their respective originator access devices are authorized for Internet access.
2 . The method of claim 1 wherein said redirection server responds to a received data packet from an unauthorized originator access device by sending said originator access device a message instructing it to connect to said predetermined authentication server.
3 . The method of claim 1 wherein said authentication server responds to an unsolicited received data packet by sending an originator access device of said data packet a questionnaire form soliciting authentication information, said questionnaire form including a hidden reserved field and a first identification keyword.
4 . The method of claim 3 wherein said hidden reserved field is not accessible by said originator access device which receives said questionnaire form.
5 . The method of claim 3 wherein said first identification keyword is based on address information from said network monitoring device.
6 . The method of claim 3 wherein, after verifying that said determined target destination Internet website matches said predetermined authentication server and before forwarding the out-going data to said predetermined authentication server, said network monitoring device further scanning contents of said out-going data packet in search of said first identification keyword and upon locating said first identification keyword, generating a second identification keyword based on the unique hardware address of the originator access device, and inserting said second identification keyword in said hidden reserved field.
7 . The method of claim 6 wherein said second identification keyword is additionally based on current communication session information.
8 . The method of claim 6 wherein said second identification keyword is additionally based on location information of said network monitoring device.
9 . The method of claim 6 wherein said hidden reserved field is located within said out-going data packet a predetermined number of bytes away from said first identification keyword.
10 . The method of claim 6 wherein said hidden reserved field is immediately preceded by said first identification keyword within said out-going data packet.
11 . The method of claim 3 wherein said originator access device receiving said questionnaire form uses web browsing software to supply said solicited authentication information into said questionnaire form before transmitting the questionnaire form back to said authentication server via the Internet.
12 . The method of claim 1 wherein said authentication server responds to a solicited data packet having a hidden reserved field by extracting the contents of said hidden reserved field and extracting authentication information from said solicited data packet, the extracted information being sent to a gate keeper server.
13 . The method of claim 12 wherein said gate keeper server is accessible via the Internet.
14 . The method of claim 12 wherein said authentication server uses a CGI script to parse said extracted information from said solicited data packet.
15 . The method of claim 12 wherein said gate keeper server compares said authentication information with a predefined database to determine if said originator access device is registered, and responds to the verification of the originator access device being registered by sending an unblock message to said network monitoring device.
16 . The method of claim 15 wherein said unblock message is encrypted with an identification keyword.
17 . The method of claim 15 wherein upon verification of the originator access device being registered, said gate keeper server decodes contents of said hidden reserved field to determine the unique hardware address of said originator access device and labeling said unblock message with said hardware address.
18 . The method of claim 15 wherein said network monitoring device responds to receipt of said unblock message by updating a network access list to authorize said originator access device for Internet access.
19 . A method for remotely authenticating a user on a private network via the Internet, the method comprising:
permitting said user access to said private network via a network access device, said access device being characterized by a unique hardware; accessing an authentication server via the Internet; monitoring the destination address of all out-going messages from said private network to the Internet via a network monitoring device and scanning the content of any message whose destination is said authentication server to search for a first predetermined identification code in said message, said network monitoring device responding to the detection of said first predetermined identification code by determining the hardware address of the access device that originated the message and generating a second identification code based on said hardware address, said network monitoring device further inserting said second identification code in said message before forwarding said message to said authentication server; said authentication server responding to receipt of said forwarded message from said network monitoring device by decoding said hardware address from said second identification code; generating and transmitting a third identification code based on said hardware address along with an unblock message to said network monitoring device.
20 . The method of claim 19 wherein said network monitoring device responds to said unblock message by updating a network access list to authorize for Internet access the user whose network access device has the same hardware address as is embedded in said third identification code.
21 . The method of claim 19 wherein said second identification code is further based on the Internet protocol address of said network monitoring device.
22 . The method of claim 19 wherein said third identification code is further based on the Internet protocol address of said network monitoring device.
23 . The method of claim 19 wherein said network monitoring device responds to the absence of said first predetermined identification code in a message whose destination is said authentication server by forwarding said message to said authentication server with no modification to said message.
24 . The method of claim 19 wherein said network monitoring device is further effective for verifying if an out-going message is originated by an authorized user and permitting all out-going messages from authorized users unimpeded access to the Internet, inspecting destination addresses of all messages from unauthorized users to determined if their destination is said authentication server, and responding to a destination address other than said authentication server by ignoring the destination address and forwarding the message to a predetermined redirection server via the Internet;
whereby all out-going messages to the Internet are granted access to the Internet irrespective of whether the message is originated by an unauthorized user.
25 . The method of claim 24 wherein said redirection server responds to a received message from an unauthorized user by sending the user's network access device a message instructing it to connect to said authentication server.
26 . The method of claim 19 wherein said authentication server responds to a received message lacking said second identification code by generating said first predetermined identification code based on location information of said private network, said authentication server further sending the network access device that originated the message a questionnaire form soliciting authentication information from its respective user, said questionnaire form including a hidden reserved field and said first predetermined identification code.
27 . The method of claim 26 wherein said hidden reserved field is not accessible by the user that receives said questionnaire form.
28 . The method of claim 26 wherein said hidden reserved field is preceded by said first predetermined identification code in said questionnaire form.
29 . The method of claim 26 wherein said network monitoring device inserts said second identification code in said hidden reserved field of any messages sent by a user to said authorization server.
30 . The method of claim 26 , further comprising said authentication server being able to identify filled questionnaire forms received from unauthorized users and being effective for parsing out the user's authentication information along with said hardware address from said second identification code;
relaying said authentication information and hardware address to a gate keeper server for verification, said gate keeper server responding to the verification of an unauthorized user by generating said third identification code and transmitting said unblock message to said network monitoring device.
31 . The method of claim 30 wherein said gate keeper is accessed via a secure link from said authorization server.
32 . The method of claim 30 wherein said authorization server accesses said gate keeper server via the Internet.Join the waitlist — get patent alerts
Track US2007124802A1 — get alerts on status changes and closely related new filings.
We store only your email — no account needed. See our privacy policy.