The present invention generally relates to management of computer networks, and relates specifically to validating connections to a network system.
A network system generally includes a number of network devices, such as switches, routers, and others, connected so as to allow communication among the devices and end station devices such as desktop machines, servers, hosts, printers, fax machines, and others. Many companies have a desire to provide remote access to their computer networks. By allowing remote access, individuals can connect to the computer network to use it to work and obtain resource information while located at a remote site.
A popular method of providing remote access to a network is through the use of a dial-in network access server (NAS) that controls access to the network. For example, the server model AS5300, commercially available from Cisco Systems, Inc., can be used to provide dial-in access to a company's network. Individuals can access the network system by dialing into the network access server from a Remote Node to establish a connection. In this document, the term Remote Node refers to a client device such as a personal computer (PC) or router that can be used to dial in and establish a connection with a network access server. A client/server relationship exists between the Remote Node (client) and the network access server (server).
A drawback associated with providing remote access to a company's network system is that unauthorized individuals can sometimes gain access to the network system, thus potentially allowing the company's resources and information to be accessed, used or compromised. To prevent unauthorized network access, a remote user is generally required to enter "user identification information" to remotely connect and access the network system. Most often, the user identification information is in the form of a username and password that requires authentication before a remote connection is established.
For example, when a user attempts to remotely log into a system, the user is typically required to supply a set of "fixed" user identification information in the form of a username and password that is used by the network access server to identify the requesting user. If the user is using a "hands on" remote device having a display and input device, such as a PC, the network access server may cause a login window to be displayed on the monitor of the PC. The user is then required to enter their username and password in order to establish a connection between the network access server and the remote node. Based on the supplied username and password, the network access server can determine whether a connection should be established between the network access server and the remote node.
A drawback with using fixed user identification information is that it poses a significant security risk in allowing remote access to the network system. For example, certain client software permits a user to select a "save password" button, which causes the client to save the client access information so that the user does not have to enter the client access information every time the user dials in to the network access server. However, if the individual's client computer is stolen, an unauthorized user may potentially dial in and connect to the network access server, thus compromising the information and resources that are accessible through the network access server.
One method of reducing the security risks that are introduced by fixed user identification information is through the use of a Smart card or Token card. One type of Token card, the SecurID card commercially available from Security Dynamics, Inc., continually generates a series of one-time passwords (OTPs), each of which can be used only once to log in to a network access server. The Token card works in conjunction with a password server, such as Security Dynamics' ACE password server, and generates a response that is unique for every login. Because the password server expects a unique response for every login attempt, an OTP may only be used once to establish a session. Thus, even if monitored or stolen, the one-time password cannot be reused by an intruder to gain access to a user's account.
To use the Token card, the user typically enters the series of digits and letters displayed on the Token card in the prompt window, or inserts the card into a reader that is coupled to the Remote Node. The password server internally generates OTPs in sync with the card. The OTP is then used to verify that the user is allowed to log into the network access server through the remote device to access the network system, by comparing the card's password to the password server's password at a particular instant in time.
Token cards can provide a greater level of security because the password is only valid for a single session. For example, if a Token card is used to provide the user identification information, even if an individual's computer is stolen, an unauthorized user will not be able to log into the network access server and gain access to the network system without also obtaining the Token card.
In addition, many home office users have begun using access router devices, such as router models 1004 and 1604 commercially available from Cisco Systems Inc., to remotely connect to a company's network access server. Access routers are "hands-off" devices that have no display device and therefore cannot display a login window for the user to enter user access information. Instead, the user is required to provide the user access information through an alternative means such as a Token card; otherwise, passwords must be statically configured or stored in the router, which reintroduces the stolen-device risk described above.
However, a drawback with using OTPs is that additional connections that are made by a user that is currently connected to the network access server are treated as separate connections. Thus, to establish a second session between the remote node and the network access server, the user is required to reenter valid user identification information a second time. Because the OTP is only valid "once", the user must again use the Token card to obtain another OTP that can be used to validate the second connection.
For example, consider the situation of a small office or home office user who uses a client that communicates with a network using an Integrated Services Digital Network (ISDN) line having first and second bearer (data) channels. Normally the client connects to a network, ISP, or server using only the first data channel and using the access procedure described above. If an additional connection is made, for example, by activating the second ISDN channel to accommodate a large data transfer, the user is required to enter valid client access information to establish the second connection.
However, requiring user identification information to be entered whenever an additional connection is made can be both irritating and burdensome since the user must again use the Token card to provide another valid OTP for the additional connection. Similarly, Point-to-Point Protocol (PPP) or the Serial Line Internet Protocol (SLIP) users having multiple connections (for example, PPP Multi-link connections) may experience the same inconvenience.
Based on the foregoing, there is a clear need for a mechanism that can provide an enhanced password security system, yet allows additional connections to be established for a particular user without requiring the user to enter additional access information.
There is also a need for a mechanism that provides for the use of Token cards with hands-off devices, such as routers and other devices.
In one aspect, a method for establishing sessions between a client and a first server is disclosed. The method comprises the steps of receiving a request to establish a session between the client and the first server, wherein the request includes identification information for authenticating a requesting user; determining, based on the identification information, whether the session between the client and the first server should be established; if the session between the client and the first server should be established, caching the identification information in memory; and establishing the session between the client and the first server.
One feature of this aspect is that the identification information includes a username and a one-time password (OTP); and the step of determining whether the session between the client and the first server should be established comprises the step of the first server communicating with a second server to determine whether the OTP is currently valid.
According to another feature of this aspect, the step of communicating with a second server to determine whether the OTP is currently valid further includes the steps of the second server determining whether the username and the OTP were previously cached in memory; and if the username and the OTP were not previously cached in memory, the second server communicating with a password server to determine whether the OTP is currently valid.
According to yet another feature of this aspect, the step of communicating with a second server to determine whether the OTP is currently valid further comprises the step of the second server determining whether the username and the OTP were previously cached in memory; and if the username and the OTP were previously cached in memory, determining whether the username and the OTP are still valid.
The invention also encompasses a computer-readable medium, a computer data signal embodied in a carrier wave, and an apparatus configured to carry out the foregoing steps.