A portion of the disclosure of this patent document contains material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by any one of the patent disclosures, as it appears in the U.S. Patent and Trademark Office patent files or records, but otherwise reserves all copyright rights whatsoever.
The present invention generally relates to the management of network systems, and more specifically to managing the access of a network system using distributed authorization that is controlled by distributed nodes.
Many network systems can be remotely accessed. Through remote access, individuals can connect to the network system to access resources and obtain information while being located at a remote site. A popular method of providing remote access to a network is through the use of a dial-in network access server (NAS) that controls access to the network. For example, network access server model AS5300, commercially available from Cisco Systems, Inc., can be used to provide dial-in access to a network system. Individuals can access the network system by dialing into the network access server from a Remote Node to establish a connection. In this document, the term Remote Node refers to any client device, such as a personal computer (PC) or router, that can be used to dial in and establish a connection with a network access server. A client/server relationship exists between the Remote Node and the network access server.
To establish a connection with a particular NAS, a user interacts with the user's client computer to cause its modem to dial into the NAS. As part of the dial-in process, the client provides identification information, typically in the form of username/password information, to the NAS as part of a login dialogue. As a result, the NAS establishes a session for the particular user. In this context, a session is a specific connection that has been established for a particular user between a Remote Node and a server and which provides access to a network system. A session is generally identified by the numeric values of a remote port, remote IP address, local port, and local IP address. Once a session is established, the user can access network resources and information.
Controlling and monitoring the number of users or groups of users who are able to login and establish a session with an NAS can be important. For example, Internet Service Providers (ISPs) are in the business of allowing customers to login and establish sessions with an NAS to obtain access to resources that are available on the Internet. Several ISPs and Online Services, such as America Online® and CompuServe®, also provide their customers with access to proprietary information (such as proprietary databases and forums) and other online services that are available through their NAS connections. The ISPs and Online Services charge their customers a connection fee that is typically on an hourly connection or monthly flat fee basis. Thus, because their revenue is dependent on fees paid by their customers, ISPs and Online Services need to monitor and control the users or group of users that login and establish sessions with their NASs.
To reduce loads and better serve customers, ISPs and Online Services typically have a large number of NASs. In addition, because their customers may not be in a particular region, many ISPs and Online Services have distributed their NASs across wide geographic regions. A benefit of such distribution is that many customers may dial in and establish a session by a local call. Customers do not need to make a long distance call, and the ISPs and Online Services do not need to provide an "800" number to reduce their customers' connection costs.
However, a drawback with maintaining multiple NASs is that it can be difficult to control the actual number of sessions that are established by a particular user or group of users. A greater number of sessions may be established for a particular user or group of users than is actually authorized ("over-subscription"). For example, a company "A" that has employees located in five (5) cities (e.g., San Diego, Los Angeles, San Jose, San Francisco and Sacramento) may require and have paid ("subscribed") for a total of one hundred (100) sessions for its employees. If an NAS is located in each of the five cities, and each NAS allows a total of 100 sessions to be established by the employees of company "A", then a total of 500 sessions may actually be established by the employees of company "A", 400 of which are unauthorized. Thus, with multiple NASs, a large number of unauthorized sessions may be established. These unauthorized sessions can potentially represent a significant amount of lost revenue for the ISP. Also, because only a limited number of connections can be made with any one NAS, allowing a large number of unauthorized sessions to be established can significantly reduce the number of authorized sessions that can be established at any one time.
One method of controlling the number of unauthorized sessions is by assigning a subset or portion of the authorized sessions to each of the NASs. For example, by dividing, between each of the NASs that are located in the different cities, the 100 sessions that are authorized to the employees of company "A", a total of 20 sessions can be established with each NAS. Thus, the employees of company "A" will be limited to at most the 100 authorized sessions between the NASs in the five different cities.
However, a drawback with this approach is that an employee who is located in a particular city may be denied a session with the local NAS even though the total number of authorized sessions has not yet been established ("under-subscription"). For example, assume that 100 sessions have been authorized for the employees of company "A", and that each NAS in one of five cities is authorized to establish a maximum of 20 sessions. Assume further that a total of 20 sessions have already been established by the employees of company "A" with the NAS located in San Jose, but only 10 sessions have been established with each of the other four NASs in the other cities. A request to establish a session with the NAS in San Jose will be denied even though the authorized session limit of 100 has not yet been reached. Thus, splitting the number of authorized sessions between different NASs can produce the unwanted side effect of denying a valid connection request.
Another approach is to identify a central NAS that is used to control the number of sessions that can be established by a user or group of users at any one time. This approach ensures that a connection request is not denied as long as the total number of authorized sessions has not yet been reached. Thus, before a NAS can establish a session, it must first communicate with the central NAS to determine whether the maximum number of authorized sessions has already been reached for the particular user or group of users. If the maximum number of sessions has already been established, then the connection request is denied. Conversely, if the central NAS indicates that the maximum number has not yet been reached, then the connection request is granted.
However, a serious drawback is associated with always having to communicate with a central NAS to determine whether a connection request should be granted to a particular user or group of users. This approach requires a significant amount of additional communication overhead to determine whether a connection request should be granted. This overhead can significantly degrade the response time for establishing sessions to a network system.
For example, assume that the central NAS is in San Jose. Whenever a connection request is received by the NAS located in San Diego, the San Diego NAS must first communicate with the San Jose NAS to determine whether an additional session may be established for the particular user or group of users. Upon receiving the message, the San Jose NAS must determine whether the total number of authorized sessions has already been established for the particular user or group of users. The San Jose NAS must then send a message to the San Diego NAS indicating whether the session should be granted. The communication overhead that is required in communicating with a central NAS each time a connection request is received can significantly increase the amount of time that is required to establish a session with a non-central NAS. In addition, in larger systems where dozens or even hundreds of NASs are used to provide access to a network system, the delay caused by using a central NAS can dramatically increase the amount of time that is required to establish a session.
Based on the foregoing, there is a clear need for a mechanism that can be used to control and manage the number of sessions that can be established with a network access server by a particular user or group of users for accessing a network system.
There is also a clear need for a mechanism that can reduce the communication overhead that is typically required in controlling the number of users or group of users that can establish a session with a set of network access servers for accessing a network system.
The foregoing needs, and other needs and objects that will become apparent from the following description, are achieved in the present invention, which comprises, in one aspect, a method for authorizing a data communication session between a client and a first server, comprising the computer-implemented steps of receiving a request to establish the session, wherein the request is associated with a particular entity that is associated with the client. The method then determines whether authorization of the session can be performed locally at a second server. If authorization of the session can be performed locally at the second server, then the first server is informed that the session may be established between the client and the first server for the particular entity. A third server that is associated with the particular entity is identified. After informing the first server, the third server is informed that the session has been authorized to be established for the particular entity.
One feature of this aspect is that the step of determining whether authorization of the session can be performed locally at the second server comprises determining a session counter value that indicates the number of sessions that are currently active for the particular entity; determining a session threshold value that indicates a threshold as to a number of sessions that may be currently active before sessions cannot be authorized locally by the second server; and comparing the session counter value with the session threshold value to determine whether authorization of the session can be performed locally at the second server.
Yet another feature comprises, if authorization of the session cannot be performed locally at the second server, requesting the third server to authorize the session between the client and the first server, and informing the first server based on a response received from the third server as to whether the session may be authorized.
According to another feature, a method for broadcasting session information to one or more servers is provided. A message is received from a first server. The message indicates that a session has been authorized for a particular entity. Whether one or more other servers have previously authorized sessions for the particular entity is determined. If one or more other servers have previously authorized sessions for the particular entity, then the one or more other servers are informed that another session has been authorized for the particular entity.
In yet another feature, the method further includes, prior to receiving the message from the first server, maintaining data that is associated with a second server. The data includes a session counter value that indicates the number of sessions that are currently active for the particular entity; and a server list that identifies the one or more other servers that have previously authorized sessions for the particular entity.
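The local-threshold authorization path and the home-server broadcast described in the preceding features, modelled together as a small in-memory simulation. This is an added illustration, not code from the patent: the class names, the per-entity threshold and limit dictionaries, and the constructed two-site scenario are assumptions, and session teardown (decrementing the counter) is omitted.

```python
from collections import defaultdict
# Added example: "HomeServer" plays the third server, "LocalServer" the second
# server; a NAS (first server) is represented only by the request() call.
class HomeServer:
    """Third server: keeps the authoritative count per entity and fans out updates."""
    def __init__(self, limits):
        self.limits = limits              # entity -> total sessions subscribed
        self.count = defaultdict(int)     # entity -> sessions authorized so far
        self.servers = defaultdict(set)   # entity -> local servers that authorized sessions

    def authorize(self, entity, local):
        """Fallback path used when a local server is at or above its threshold."""
        if self.count[entity] >= self.limits.get(entity, 0):
            return False
        self.notify(entity, local)
        return True

    def notify(self, entity, local):
        """Record a newly authorized session and broadcast the count to every peer."""
        self.count[entity] += 1
        self.servers[entity].add(local)
        for peer in self.servers[entity]:   # servers that previously authorized sessions
            peer.update(entity, self.count[entity])

class LocalServer:
    """Second server: answers the NAS itself while its counter is below threshold."""
    def __init__(self, home, thresholds):
        self.home = home
        self.thresholds = thresholds      # entity -> local-authorization threshold
        self.counter = defaultdict(int)   # entity -> last count learned from the home server

    def update(self, entity, count):
        self.counter[entity] = count

    def request(self, entity):
        """Handle a NAS connection request; returns (granted, decided_by)."""
        if self.counter[entity] < self.thresholds.get(entity, 0):
            # Fast path: grant without a round trip, then inform the home server.
            self.home.notify(entity, self)
            return True, "local"
        # Slow path: the home server decides against the subscribed limit.
        return self.home.authorize(entity, self), "home"

def scenario():
    """Constructed scenario: entity "A" subscribed for 5 sessions, two NAS sites."""
    home = HomeServer({"A": 5})
    san_jose = LocalServer(home, {"A": 3})
    san_diego = LocalServer(home, {"A": 3})
    decisions = [san_jose.request("A") for _ in range(3)]
    decisions += [san_diego.request("A"), san_diego.request("A"), san_jose.request("A")]
    return decisions, home.count["A"]
```

Raising the threshold relative to the limit trades accuracy (the risk of briefly exceeding the limit while broadcasts are in flight) for fewer round trips to the home server.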
The invention also encompasses a computer-readable medium, a computer data signal embodied in a carrier wave, and an apparatus configured to carry out the foregoing steps.
These features provide an intuitive control mechanism that allows operators to tune their systems to balance the tradeoffs between speed and accuracy. The features are applicable to many forms of resource allocation, management, and provisioning. They may also have applications in systems that include one or more values that have a definable maximum rate of change.