Secure authentication advertisement protocol

摘要

A network device for distributing authentication information between authorized nodes for purposes of concurrently “pre-authenticating” a mobile user at a plurality of points throughout a LAN is disclosed. When a client attempts to access the network through the network device, the network device attempts to authenticate the client based on the credentials presented by the user. If authenticated, the client is admitted into the network at the network device and the client's pre-authentication information transmitted to one or more network nodes associated with an authentication group. Upon receipt of the pre-authentication information, the one or more network nodes are authorized to admit the client into the network at those nodes in addition to the network device at which the client was initially authenticated, thereby concurrently pre-authorizing the client at multiple points across the network.

主权项

1. A security authentication system in a data communications network comprising a plurality of nodes associated with an authentication group preventing unauthorized access to the data communications network, comprising:
a client seeking access to the data communications network, wherein the client is associated with an client identifier and security credentials, wherein the client comprises a processor and a memory; a first node configured as a point of client access to the data communications network, the first node configured to receive an access request including the security credentials and to authenticate the client based on the security credentials; and a second node configured as a point of client access to the data communications network; wherein the client is provided access to the data communications network at the first node and at the second node responsive to a determination that the client is authenticated at the first node, wherein the client is provided access to the data communications network at the second node by automatically transmitting client information from the first node toward the second node for enabling the second node to provide the client access to the data communications network, wherein automatically transmitting the client information from the first node toward the second node comprises:
identifying the second node based on authentication group information available at the first node for the authentication group;generating, at the first node based on the authentication group information available at the first node for the authentication group, a pre-authentication grant message for pre-authentication of the client at the second node, the pre-authentication grant message comprising the client information; andtransmitting the pre-authentication grant message from the first node toward the second node.