US-20260129081-A1 - ENHANCED USER AUTHENTICATION SYSTEM AND METHOD
Abstract
Systems and methods are provided to utilize information from a directory service to determine, at a layer-one network policy server, the appropriate layer-two network policy server to which an authentication request should be routed. For example, a first directory service group may be created that includes all users using a first authentication type, a second directory service group may be created that includes all users using a second authentication type, etc. The layer-one network policy server may periodically synchronize with the directory service to download information about users in the different directory service groups, update a markup language document with that information, and use the markup language document to help route incoming authentication requests to the correct layer-two network policy server for a particular authentication type. In addition, a priority may be set (and changed) by an administrator favoring one or more authentication types in a network.
Inventors
- Justin SHERRY
Assignees
- CENTURYLINK INTELLECTUAL PROPERTY LLC
Dates
- Publication Date
- 20260507
- Application Date
- 20260102
Claims (13)
- 1 . A method for authenticating a user of a computing network, comprising: receiving, at a layer-one network policy server, information from a directory service; receiving, at the layer-one network policy server, an authentication request from a client computing device associated with a user, the authentication request including identifying information; determining, by the layer-one network policy server and based on the identifying information and the information from the directory service, whether the user is a member of a first directory service group; when the user is a member of the first directory service group, routing the request to a first layer-two network policy server operating as a first type of network authenticator; when the user is not a member of the first directory service group, determining whether the user is a member of a second directory service group; when the user is a member of the second directory service group, routing the request to a second layer-two network policy server operating as a second type of network authenticator; when the user is not a member of the second directory service group, routing the request to a third layer-two network policy server operating as a third type of network authenticator; receiving an authentication response at the layer-one network policy server; and providing the authentication response to the client computing device.
- 2 . The method of claim 1 , further comprising, prior to receiving the authentication request: providing an authentication type enrollment form; receiving an authentication type selection and the identifying information; providing the authentication type selection and the identifying information to the directory service; and synchronizing a markup language document with information from the directory service.
- 3 . The method of claim 1 , further comprising, prior to receiving the authentication request: generating, by the layer-one network policy server, a first RADIUS client adapted to communicate with a first login service; generating, by the layer-one network policy server, a second RADIUS client adapted to communicate with a second login service; and generating, by the layer-one network policy server, a third RADIUS client adapted to communicate with a third login service.
- 4 . The method of claim 3 , wherein each of the first RADIUS client, the second RADIUS client, and the third RADIUS client is a remote authentication dial-in user service (RADIUS) client.
- 5 . The method of claim 3 , further comprising: providing a form adapted to receive a name, shared secret, and an electronic address for each of the first RADIUS client, the second RADIUS client, and the third RADIUS client; receiving the form; and generating the first RADIUS client, the second RADIUS client, and the third RADIUS client based on the form.
- 6 . The method of claim 1 , further comprising: receiving, at the layer-one network policy server, instructions to change priority of the layer-two network policy servers; receiving, at the layer-one network policy server, a second authentication request from the user including the identifying information; determining, by the layer-one network policy server and based on the identifying information and the information from the directory service, whether the user is a member of the second directory service group; when the user is a member of the second directory service group, routing the request to the second layer-two network policy server operating as the second type of network authenticator; when the user is not a member of the second directory service group, determining whether the user is a member of the first directory service group; when the user is a member of the first directory service group, routing the request to the first layer-two network policy server operating as the first type of network authenticator; when the user is not a member of the first directory service group, routing the request to the third layer-two network policy server operating as the third type of network authenticator; receiving a second authentication response at the layer-one network policy server; and providing the second authentication response to the client device for the user.
- 7 . A system for authenticating a user of a computing network, comprising: at least one processor; and memory, operatively connected to the at least one processor and storing instructions that, when executed by the at least one processor, cause the system to perform a method, the method comprising: receiving, at a layer-one network policy server, information from a directory service; receiving, at the layer-one network policy server, an authentication request from a client computing device associated with a user, the authentication request including identifying information; determining, by the layer-one network policy server and based on the identifying information and the information from the directory service, whether the user is a member of a first directory service group; when the user is a member of the first directory service group, routing the request to a first layer-two network policy server operating as a first type of network authenticator; when the user is not a member of the first directory service group, determining whether the user is a member of a second directory service group; when the user is a member of the second directory service group, routing the request to a second layer-two network policy server operating as a second type of network authenticator; when the user is not a member of the second directory service group, routing the request to a third layer-two network policy server operating as a third type of network authenticator; receiving an authentication response at the layer-one network policy server; and providing the authentication response to the client computing device.
- 8 . The system of claim 7 , wherein the method further comprises, prior to receiving the authentication request: providing an authentication type enrollment form; receiving an authentication type selection and the identifying information; providing the authentication type selection and the identifying information to the directory service; and synchronizing a markup language document with information from the directory service.
- 9 . The system of claim 7 , wherein the method further comprises, prior to receiving the authentication request: generating, by the layer-one network policy server, a first RADIUS client adapted to communicate with a first login service; generating, by the layer-one network policy server, a second RADIUS client adapted to communicate with a second login service; and generating, by the layer-one network policy server, a third RADIUS client adapted to communicate with a third login service.
- 10 . The system of claim 9 , wherein each of the first RADIUS client, the second RADIUS client, and the third RADIUS client is a remote authentication dial-in user service (RADIUS) client.
- 11 . The system of claim 9 , wherein the method further comprises: providing a form adapted to receive a name, shared secret, and an electronic address for each of the first RADIUS client, the second RADIUS client, and the third RADIUS client; receiving the form; and generating the first RADIUS client, the second RADIUS client, and the third RADIUS client based on the form.
- 12 . The system of claim 7 , wherein the method further comprises: receiving, at the layer-one network policy server, instructions to change priority of the layer-two network policy servers; receiving, at the layer-one network policy server, a second authentication request from the user including the identifying information; determining, by the layer-one network policy server and based on the identifying information and the information from the directory service, whether the user is a member of the second directory service group; when the user is a member of the second directory service group, routing the request to the second layer-two network policy server operating as the second type of network authenticator; when the user is not a member of the second directory service group, determining whether the user is a member of the first directory service group; when the user is a member of the first directory service group, routing the request to the first layer-two network policy server operating as the first type of network authenticator; when the user is not a member of the first directory service group, routing the request to the third layer-two network policy server operating as the third type of network authenticator; receiving a second authentication response at the layer-one network policy server; and providing the second authentication response to the client device for the user.
- 13 . A method for authenticating a user of a computing network, comprising: receiving, at a layer-one network policy server, information from a directory service; receiving, at the layer-one network policy server, an authentication request from a client computing device associated with a user, the authentication request including identifying information; determining, by the layer-one network policy server and based on the identifying information and the information from the directory service, whether the user is a member of a first directory service group; when the user is a member of the first directory service group, routing the request to a first layer-two network policy server operating as a first type of network authenticator; when the user is not a member of the first directory service group, determining whether the user is a member of a second directory service group; when the user is a member of the second directory service group, routing the request to a second layer-two network policy server operating as a second type of network authenticator; when the user is not a member of the second directory service group, routing the request to a third layer-two network policy server operating as a third type of network authenticator; receiving an authentication response at the layer-one network policy server; providing the authentication response to the client computing device; determining that the first directory service group is an empty set; based on determining that the first directory service group is an empty set, decommissioning the first layer-two network policy server.
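The routing decision that claims 1, 6 and 13 describe (check directory groups in priority order, fall back to a default layer-two authenticator, reorder the priority on instruction, and flag a group that has become empty) can be written as a small piece of code. The block below is an added example for this page, not code from the patent or its assignee. It assumes a hypothetical XML layout for the synchronised "markup language document" and replaces the actual RADIUS proxying with a lookup that returns the address of the selected layer-two server; the group names, server names and user names are constructed sample data.

```python
"""Layer-one policy server routing logic, added example (not the patent's code).

The directory service sync is modelled by parsing a constructed XML document;
a real deployment would pull group membership from the directory and forward
the RADIUS request to the chosen layer-two server with that client's shared
secret (claim 5).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample of the synchronised markup language document.
# Layout is an assumption: one <group> per authentication type, each naming
# the layer-two server that authenticates its members. "bob" is deliberately
# in two groups to show that priority order decides where he is routed.
SYNCED_GROUPS_XML = """<authGroups>
  <group name="token-type-a" server="l2-a.example.internal">
    <user>alice</user><user>bob</user>
  </group>
  <group name="token-type-b" server="l2-b.example.internal">
    <user>bob</user><user>carol</user>
  </group>
  <group name="token-type-c" server="l2-c.example.internal">
  </group>
</authGroups>"""


@dataclass
class LayerOnePolicyServer:
    # Group names in the order they are checked (claim 6 lets an admin change it).
    priority: list
    # Layer-two server used when the user is in none of the prioritised groups
    # (the "third" authenticator in claim 1).
    default_server: str
    groups: dict = field(default_factory=dict)   # group name -> set of users
    servers: dict = field(default_factory=dict)  # group name -> layer-two server

    def synchronize(self, xml_text: str) -> None:
        """Refresh the local copy of group membership from the directory export.

        Membership is only as fresh as the last sync: a user moved between
        groups in the directory keeps the old routing until this runs again.
        """
        root = ET.fromstring(xml_text)
        self.groups, self.servers = {}, {}
        for g in root.findall("group"):
            name = g.get("name")
            self.groups[name] = {u.text.strip().lower() for u in g.findall("user")}
            self.servers[name] = g.get("server")

    def route(self, username: str) -> str:
        """Return the layer-two server for an incoming request.

        The username is taken from the request and is NOT yet authenticated;
        this only picks which authenticator gets to accept or reject it.
        """
        ident = username.strip().lower()
        if not ident:
            raise ValueError("authentication request carries no identifying information")
        for group in self.priority:
            if ident in self.groups.get(group, set()):
                return self.servers[group]
        return self.default_server

    def set_priority(self, new_priority: list) -> None:
        """Admin instruction to change which authentication type is favoured."""
        unknown = [g for g in new_priority if g not in self.groups]
        if unknown:
            raise ValueError(f"unknown groups in priority list: {unknown}")
        self.priority = list(new_priority)

    def empty_groups(self) -> list:
        """Groups with no members; claim 13 decommissions their layer-two server."""
        return [name for name, members in self.groups.items() if not members]


def build_example_server() -> LayerOnePolicyServer:
    """Construct the layer-one server over the sample document."""
    server = LayerOnePolicyServer(priority=["token-type-a", "token-type-b"],
                                  default_server="l2-c.example.internal")
    server.synchronize(SYNCED_GROUPS_XML)
    return server


if __name__ == "__main__":
    s = build_example_server()
    for user in ("alice", "bob", "carol", "dave"):
        print(f"{user:6s} -> {s.route(user)}")
    s.set_priority(["token-type-b", "token-type-a"])   # claim 6: favour type B
    print(f"bob after priority change -> {s.route('bob')}")
    print("groups eligible for decommissioning:", s.empty_groups())
```

Two points the code makes explicit that the claims leave implicit: the routing key is the unverified identity in the request, so the layer-one server must not treat a successful route as any kind of authentication, and the group snapshot is a cache whose staleness window is the sync interval, which matters when a user's token type is revoked in the directory.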
Description
BACKGROUND

In a sophisticated computing network, it is possible for users to employ multiple different kinds of authentication methods. For example, an organization may require multi-factor authentication, where a user must first authenticate using a user name and password and also authenticate with a secondary authentication method. The secondary authentication method may vary. For example, some users may use a first type of authentication token, other users may use a second type of authentication token, and still other users may use a third type of authentication token in order to satisfy the secondary authentication requirement in a multi-factor authentication scheme. It is with respect to this general technical environment that aspects of the present systems and methods are directed.

SUMMARY

In exemplary embodiments, a method for authenticating a user of a computing network is provided. A layer-one network policy server may receive information from a directory service identifying groups of users by the authentication type(s) selected by the users. The layer-one network policy server may then receive an authentication request from a client computing device associated with a user, the authentication request including identifying information. The layer-one network policy server may then determine, based on the identifying information and the information from the directory service, whether the user is a member of a first directory service group. When the user is a member of the first directory service group, the layer-one network policy server may route the request to a first layer-two network policy server operating as a first type of network authenticator. When the user is not a member of the first directory service group, the layer-one network policy server may determine whether the user is a member of a second directory service group. When the user is a member of the second directory service group, the layer-one network policy server may then route the request to a second layer-two network policy server operating as a second type of network authenticator. When the user is not a member of the second directory service group, the layer-one network policy server may route the request to a third layer-two network policy server operating as a third type of network authenticator. An authentication response is then received at the layer-one network policy server and provided to the client computing device.

In further exemplary embodiments, a system for authenticating a user of a computing network is provided. In examples, the system may comprise at least one processor and memory, operatively connected to the at least one processor and storing instructions that, when executed by the at least one processor, cause the at least one processor to perform a method. In examples, the method may include a layer-one network policy server receiving information from a directory service identifying groups of users by the authentication type(s) selected by the users. The layer-one network policy server may then receive an authentication request from a client computing device associated with a user, the authentication request including identifying information. The layer-one network policy server may then determine, based on the identifying information and the information from the directory service, whether the user is a member of a first directory service group. When the user is a member of the first directory service group, the layer-one network policy server may route the request to a first layer-two network policy server operating as a first type of network authenticator. When the user is not a member of the first directory service group, the layer-one network policy server may determine whether the user is a member of a second directory service group. When the user is a member of the second directory service group, the layer-one network policy server may then route the request to a second layer-two network policy server operating as a second type of network authenticator. When the user is not a member of the second directory service group, the layer-one network policy server may route the request to a third layer-two network policy server operating as a third type of network authenticator. An authentication response is then received at the layer-one network policy server and provided to the client computing device.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts an example user registration system according to the present application.
FIG. 2 depicts an example method for registering a user with a network authentication system.
FIG. 3 depicts an example system for generating multiple RADIUS clients according to the present application.
FIG. 4 depicts an example method for generating multiple RADIUS clients according to the present application.
FIG. 5 depicts an example system for managing multiple authentication methods according to the present application.
FIG. 6A depicts an example method for updating a network policy