A portion of the disclosure of this patent document contains material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by any one of the patent disclosures, as it appears in the U.S. Patent and Trademark Office patent files or records, but otherwise reserves all copyright rights whatsoever.
The present invention generally relates to the management of network systems, and more specifically to managing the access of a network system using distributed authorization that is controlled by distributed nodes.
Many network systems can be remotely accessed. Through remote access, individuals can connect to the network system to access resources and obtain information while being located at a remote site. A popular method of providing remote access to a network is through the use of a dial-in network access server (NAS) that controls access to the network. For example, network access server model AS5300, commercially available from Cisco Systems, Inc., can be used to provide dial-in access to a network system. Individuals can access the network system by dialing into the network access server from a Remote Node to establish a connection. In this document, the term Remote Node refers to any client device, such as a personal computer (PC) or router, that can be used to dial in and establish a connection with a network access server. A client/server relationship exists between the Remote Node and the network access server.
To establish a connection with a particular NAS, a user interacts with the user""s client computer to cause its modem to dial into the NAS. As part of the dial-in process, the client provides identification information, typically in the form of username/password information, to the NAS as part of a login dialogue. As a result, the NAS establishes a session for the particular user. In this context, a session is a specific connection that has been established for a particular user between a Remote Node and a server and which provides access to a network system. A session is generally identified by the numeric values of a remote port, remote IP address, local port, and local IP address. Once a session is established, the user can access network resources and information.
Controlling and monitoring the number of users or groups of users who are able to login and establish a session with an NAS can be important. For example, Internet Service Providers (ISPs) are in the business of allowing customers to login and establish sessions with an NAS to obtain access to resources that are available on the Internet. Several ISPs and Online Services, such as America Online(copyright) and CompuServe(copyright), also provide their customers with access to proprietary information (such as proprietary databases and forums) and other online services that are available through their NAS connections. The ISPs and Online Services charge their customers a connection fee that is typically on an hourly connection or monthly flat fee basis. Thus, because their revenue is dependent on fees paid by their customers, ISPs and Online Services need to monitor and control the users or group of users that login and establish sessions with their NASs.
To reduce loads and better serve customers, ISPs and Online Services typically have a large number of NASs. In addition, because their customers may not be in a particular region, many ISPs and Online Services have distributed their NASs across wide geographic regions. A benefit of such distribution is that many customers may dial in and establish a session by a local call. Customers do not need to make a long distance call, and the ISPs and Online Services do not need to provide an xe2x80x9c800xe2x80x9d number to reduce their customer""s connection costs.
However, a drawback with maintaining multiple NASs is that it can be difficult to control the actual number of sessions that are established by a particular user or group of users. A greater number of sessions may be established for a particular user or group of users than is actually authorized (xe2x80x9cover-subscriptionxe2x80x9d). For example, a company xe2x80x9cAxe2x80x9d, who has employees located in five (5) cities (e.g., San Diego, Los Angeles, San Jose, San Francisco and Sacramento) may require and have paid (xe2x80x9csubscribedxe2x80x9d) for a total of one hundred (100) sessions for its employees. If an NAS is located in each of the five cities, and each NAS allows a total of 100 sessions to be established by the employees of company xe2x80x9cAxe2x80x9d, then a total of 500 sessions may actually be established by the employees of company xe2x80x9cAxe2x80x9d, 400 of which are unauthorized. Thus, with multiple NASs, a large number of unauthorized sessions may be established. These unauthorized sessions can potentially represent a significant amount of lost revenue for the ISP. Also, because only a limited number of connections can be made with any one NAS, allowing a large number of unauthorized sessions to be established can significantly reduce the number of authorized sessions that can be established at particular one time.
One method of controlling the number of unauthorized sessions is by assigning a subset or portion of the authorized sessions to each of the NASs. For example, by dividing, between each of the NASs that are located in the different cities, the 100 sessions that are authorized to the employees of company xe2x80x9cAxe2x80x9d, a total of 20 sessions can be established with each NAS. Thus, the employees of company xe2x80x9cAxe2x80x9d will be limited to at most the 100 authorized sessions between the NASs in the five different cities.
However, a drawback with this approach is that an employee who is located in a particular city may be denied a session with a the local NAS even though the total number of authorized sessions has not yet been established (xe2x80x9cunder-subscriptionxe2x80x9d). For example, assume that 100 sessions have been authorized for the employees of company xe2x80x9cAxe2x80x9d, and that each NAS in one of five cities is authorized to establish a maximum of 20 sessions. Assume further that a total of 20 sessions have already been established by the employees of company xe2x80x9cAxe2x80x9d with the NAS located in San Jose, but only 10 sessions have been established with each of the other four NASs in the other cities. A request to establish a session with the NAS in San Jose will be denied even though the authorized session limit of 100 has not yet been reached. Thus, splitting the number of authorized sessions between different NASs can produce the unwanted side effect of denying a valid connection request.
Another approach is to identify a central NAS that is used to control the number of sessions that can be established by a user or group of users at any one time. This approach assures that a connection request will not be denied even when the total number of authorized sessions has not yet been reached. Thus, before a NAS can establish a session, it must first communicate with the central NAS to determine whether the maximum number of authorized sessions has already been reached for the particular user or group of users. If a maximum number of sessions have already been established, then the connection request is denied. Conversely, if central NAS indicates that the maximum number has not yet been reached, then the connection request is granted.
However, a serious drawback is associated with always having to communicate with a central NAS to determine whether a connection request should be granted to a particular user or group of users. This approach requires a significant amount of additional communication overhead to determine whether a connection request should be granted. This overhead can significantly degrade the response time for establishing sessions to a network system.
For example, assume that the central NAS is in San Jose. Whenever a connection request is received by the NAS located in San Diego, the San Diego NAS must first communicate with the San Jose NAS to determine whether an additional session may be established for the particular user or group of users. Upon receiving the message, the San Jose NAS must determine whether the total number of authorized sessions have already been established for the particular user or group of users. The San Jose NAS must then send a message to the San Diego NAS indicating whether the session should be granted. The communication overhead that is required in communicating with a central NAS each time a connection request is received can significantly increase the amount of time that is required to establish a session with a non-central NAS. In addition, in larger systems where dozens or even hundreds of NASs are used to provide access to a network system, the delay caused by using a central NAS can dramatically increase the amount of time that is required to establish a session.
Based on the foregoing, there is a clear need for a mechanism that can be used to control and manage the number of sessions that can be established with a network access server by a particular user or group of users for accessing a network system.
There is also a clear need for a mechanism that can reduce the communication overhead that is typically required in controlling the number of users or group of users that can establish a session with a set of network access servers for accessing a network system.
The foregoing needs, and other needs and objects that will become apparent from the following description, are achieved in the present invention, which comprises, in one aspect, a method for authorizing a session between a client and a first server, the method comprising the computer-implemented steps of storing, in the first server, an association of the first server to a second server that authorizes session requests for the first server; storing, in the second server, a plurality of records of resource allocation data, in which each record indicates whether a session may be established between the client and the first server; storing, at the second server, an association of an entity that includes and is associated with one or more clients, and an association of the second server to a third server that is authoritative for the second server and the associated clients; receiving a request to establish a session between the client and the first server; determining, at the second server from one of the records that is associated with the client, whether the session may be established when the client is associated with the entity; and informing the first server that the session is authorized only when the second server determines from the one of the records that the session may be established.
According to another feature, the method further comprises the steps of respectively storing, at the second server and the third server, local session authorization information and authoritative session authorization information; when the second server cannot authorize the session based on the local session authorization information, determining, at the third server and based on the authoritative session authorization information, whether the session may be established; and informing the first server that the session is authorized only when the authoritative session authorization information indicates that the session is authorized.
Yet another feature of this aspect is the step of respectively storing, at the second server and the third server, local session authorization information and authoritative session authorization information. This may involve storing, at the second server, a local session threshold value that identifies a maximum number of sessions that may be locally authorized.
In still another feature, the step of storing a plurality of records of resource allocation data comprises the steps of storing, at the second server, a local session counter that identifies a current number of sessions of the first server.
In still another feature, an authorizing apparatus for use with a client that connects to a first server in a network is described. A second server authorizes session requests of the client for the first server. A plurality of records of resource allocation data are stored in the second server, in which each record indicates whether a session may be established between the client and the first server. In the second server, information is stored that associates an entity that includes and is associated with one or more clients, and information that associates the second server to a third server that is authoritative for the second server and the associated clients. The apparatus further includes means for receiving a request to establish a session between the client and the first server; means for determining, at the second server from one of the records that is associated with the client, whether the session may be established when the client is associated with the entity; and means for informing the first server that the session is authorized only when the second server determines from the one of the records that the session may be established.
According to another feature of this aspect, the authorizing apparatus further comprises local session authorization information and authoritative session authorization information, respectively stored at the second server and the third server; means for determining, at the third server and based on the authoritative session authorization information, and when the second server cannot authorize the session based on the local session authorization information, whether the session may be established; and means for informing the first server that the session is authorized only when the authoritative session authorization information indicates that the session is authorized.
In yet another feature of this aspect, the authorizing apparatus further comprises a local session threshold value, stored at the second server, which identifies a maximum number of sessions that may be locally authorized.
In still another feature of this aspect, the authorizing apparatus further comprises a local session counter, stored at the second server, that identifies a current number of sessions of the first server.
The invention also encompasses a computer-readable medium, and a computer data signal embodied in a carrier wave, configured to carry out the foregoing steps.