UTILITY PATENT APPLICATION TRANSMITTAL
(Only for new nonprovisional applications under 37 CFR 1.53(b))

Attorney Docket No. 42253/205
First Inventor or Application Identifier: Short et al.
Title of Invention: SYSTEMS AND METHODS FOR PROVIDING DYNAMIC NETWORK AUTHORIZATION, AUTHENTICATION AND ACCOUNTING
Express Mail Label No. EL149284597US

ADDRESS TO: ASSISTANT COMMISSIONER FOR PATENTS, BOX PATENT APPLICATION, WASHINGTON, DC 20231

Transmitted herewith for filing in the United States Patent Office is a patent application for:

Inventors:
  Joel E. Short
  Florence C.I. Pagan
  Josh J. Goldstein

1. The Filing Fee has been calculated as shown below:

2. Applicant claims Small Entity Status. See 37 CFR 1.27.

                    No. Filed   No. Extra*   Small Entity Rate   Fee     Large Entity Rate   Fee
   BASIC FEE                                                     $355                        $
   TOTAL CLAIMS:    32 - 20 =   12           x $9 =              $108    x $18 =             $
   INDEP CLAIMS:    4 - 3 =     1            x $40 =             $40     x $80 =             $
   [ ] MULTIPLE DEPENDENT CLAIMS PRESENTED                +$135 = $              +$270 =     $
   TOTAL                                                         $503                        $

   *If the difference in Column 1 is less than zero, enter "0" in Column 2.

   [x] The Commissioner is hereby authorized to credit overpayments or charge the following fees to Deposit Acct. No. 16-0605.
       [x] a. Fees required under 37 CFR 1.16 (National filing fees).
       [x] b. Fees required under 37 CFR 1.17 (National application processing fees).
   [ ] A check in the amount of $ ____ for the filing fee is enclosed.
   [ ] The above filing fee will be paid along with Applicant(s) Response to the Notice to File Missing Parts.

3. [x] Specification; Total Pages 27

4. [x] ___ Sheets of Formal Drawing(s) (35 USC 113)

5. [ ] Declaration and Power of Attorney; [Total Pages __]
   [ ] a. Newly executed (original or copy)
   [ ] b. Copy from a prior application (37 CFR 1.63(d)) (for continuation/divisional with Box 17 completed)
       [ ] i. DELETION OF INVENTOR(S) Signed statement attached deleting inventor(s) named in the prior application, see 37 CFR 1.63(d)(2) & 1.33(b).

6. [ ] Application Data Sheet. See 37 CFR 1.76

7. [ ] CD-ROM or CD-R in duplicate, large table or Computer Program (Appendix)

8. [ ] Nucleotide and/or Amino Acid Sequence Submission (if applicable, all necessary)
   [ ] a. Computer Readable Copy (CRF)
   [ ] b. Specification Sequence Listing on:
       [ ] i. CD-ROM or CD-R (2 copies); or
       [ ] ii. Paper
   [ ] c. Statement verifying identity of above copies

ACCOMPANYING APPLICATION PARTS

9.  [ ] Assignment Papers (cover sheet & document(s)) (including a check for the $40.00 fee)
10. [ ] 37 CFR 3.73(b) Statement (when there is an assignee); [ ] Power of Attorney
11. [ ] English Translation Document (if applicable)
12. [ ] Information Disclosure Statement (IDS)/PTO-1449; __ Copies of IDS Citations
13. [ ] Preliminary Amendment
14. [x] Return Receipt Postcard (MPEP 503) (Should be specifically itemized)
15. [ ] Certified Copy of Priority Document(s) (if foreign priority is claimed)
16. [ ] Foreign Priority is
17. [ ] Other:

    If a CONTINUING APPLICATION, check appropriate box and supply the requisite information below and in a preliminary amendment, or in an Application Data Sheet under 37 CFR 1.76:
    [ ] Continuation   [ ] Divisional   [x] Continuation in Part (CIP)
    of prior Application Nos:
      09/458,569; Filed December 8, 1999
      09/458,602; Filed December 8, 1999
      60/161,182; Filed October 22, 1999
      60/160,890; Filed October 22, 1999
      60/161,139; Filed October 22, 1999
      60/161,189; Filed October 22, 1999
      60/160,973; Filed October 22, 1999
      60/161,181; Filed October 22, 1999
      60/161,093; Filed October 22, 1999
    Prior Application Information: Examiner ________  Group/Art Unit: ________

    For CONTINUATION or DIVISIONAL APPS only: The entire disclosure of the prior application, from which an oath or declaration is supplied under Box 5b, is considered a part of the disclosure of the accompanying continuation or divisional application and is hereby incorporated by reference. The incorporation can only be relied upon when a portion has been inadvertently omitted from the submitted application parts.

18. CORRESPONDENCE ADDRESS
    Customer Number or Bar Code Label 000826
    Attention Of: William R. Silverio

Signature: [signed]
Attorney/Agent of Record: William R. Silverio
Attorney/Agent Registration No. 45,3433
Tel Atlanta Office (404) 881-7000
Fax Atlanta Office (404) 881-7777

ALSTON & BIRD LLP
P.O. Drawer 34009
Charlotte NC 28234-4009

"Express Mail" mailing label number EL149284597US
Date of Deposit October 20, 2000

I hereby certify that this paper or fee is being deposited with the United States Postal Service "Express Mail Post Office to Addressee" service under 37 CFR 1.10 on the date indicated above and is addressed to Box: Patent Application, Assistant Commissioner For Patents, Washington, D.C. 20231.

ATL01/10843797v1
(Utility Patent Application Transmittal)

GUEST TEK EXHIBIT 1003
Guest Tek v. Nomadix, IPR2019-01191
Page 1 of 35
[FIG. 1 (drawing sheet; only the labels survive extraction): block diagram of a computer system including Computers (14), an Access Controller, a Router, a Gateway Device, a DHCP Server, a AAA Server, Online Services, and Networks; reference numerals 10, 20, 22 and 24 also appear in the figure.]

[FIG. 2 (drawing sheet; flowchart box labels recovered from extraction):
200: Receives a Request from a source computer
210: Authenticates Source Based on Attribute Associated with the Source
220: Determines Authorization of Source Based on Attribute Associated with the Source, Destination or Content
240: Permit Access and Log Into Accounting
250: Route to Login Screen and Collect Additional Information (reached from the "Pending" branch), followed by the decision "Is Information Sufficient?" (YES / NO)
260: Deny Access]

Attorney Docket No. 42253/205301

SYSTEMS AND METHODS FOR PROVIDING DYNAMIC NETWORK AUTHORIZATION, AUTHENTICATION AND ACCOUNTING

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation-in-part of copending U.S. Patent Application Serial No. 09/458,569, filed on December 8, 1999, titled "Systems And Methods For Redirecting Users Having Transparent Computer Access To A Network Using A Gateway Device Having Redirection Capability". This application also claims priority from U.S. Application Serial No. 09/458,602, filed December 8, 1999, titled "Systems and Methods For Authorizing, Authenticating and Accounting Users Having Transparent Computer Access To A Network Using A Gateway Device," U.S. Provisional Application Serial No. 60/161,182, filed October 22, 1999, titled "Systems and Methods for Dynamic Bandwidth Management on a Per Subscriber Basis in a Computer Network," U.S. Provisional Application Serial No. 60/160,890, filed October 22, 1999, titled "Systems and Methods for Creating Subscriber Tunnels by a Gateway Device in a Computer Network," U.S. Provisional Application Serial No. 60/161,139, filed October 22, 1999, titled "Information And Control Console For Use With A Network Gateway Interface," U.S. Provisional Application Serial No. 60/161,189, filed October 22, 1999, titled "Systems and Methods for Transparent Computer Access and Communication with a Service Provider Network Using a Network Gateway Device," U.S. Provisional Application Serial No. 60/160,973, filed October 22, 1999, titled "Systems and Methods for Enabling Network Gateway Devices to Communicate with Management Systems to Facilitate Subscriber Management," U.S. Provisional Application Serial No. 60/161,181, filed October 22, 1999, titled "Gateway Device Having an XML Interface and Associated Method," and U.S. Provisional Application Serial No. 60/161,093, filed October 22, 1999, titled "Location-Based Identification and Authorization for use With a Gateway Device." All of the above applications are incorporated by reference in their entirety.

ATL01/10823107v2
-1-

FIELD OF THE INVENTION

The present invention relates generally to systems and methods for controlling network access, and more particularly, to systems and methods for establishing dynamic user network access.

BACKGROUND OF THE INVENTION

User access to computer networks has traditionally been based upon a two step authentication process that either provides a user total network access, or refuses the user any access whatsoever. In the first step of the process, a user establishes a communication link with a network via a telephone line, dedicated network connection (e.g., Broadband, Digital Signal Line (DSL)), or the like. In the second step of the authentication process, the user must input identification information to gain access to the network. Typically, the input identification information includes a user name and password. Using this information, the network or service provider verifies that the user is entitled to access the network by determining whether the identification information matches subscriber information contained in a subscriber table (or database) that stores identification information for all users authorized to access the network. Where user input information matches subscriber data in the subscriber table, the user is authorized to access any and all services on the network. On the other hand, if the user input identification information fails to match subscriber data in the table, the user will be denied access to the network. Thus, once a user's identity is compared to data stored within a subscription table, the user is either entitled network access, or denied access altogether. Furthermore, where the user is authorized access to the network, the user is typically authorized to access any destination accessible via the network. Therefore, conventional authentication of users is based on an all-or-nothing approach to network access.

In many conventional network access applications, such as in conventional Internet access applications, the subscriber database (or table) not only stores data corresponding to the identity of subscribers authorized to access the network, but also stores information that can vary based upon the particular subscriber. For instance, the subscriber database can include subscriber profiles that indicate the type of access a subscriber should receive, and other related information, such as the fees due by the subscriber for network access. Although information in the subscriber database may vary from user to user, information unique to the database is generally used for billing or network maintenance purposes. For instance, conventional subscriber databases typically include data such as the cost the subscriber is paying for network access, and the amount of time the subscriber has accessed the network. Thus, where a subscriber to an Internet Service Provider (ISP) has purchased Internet access, a source profile database may contain information that enables a user to be authenticated and tracks the user's access for accounting purposes, such as maintaining a log of the user's time on the network.

Additionally, in conventional network access systems, in order for a user to connect to on-line services (e.g., the Internet), the user must install client side software onto the user's computer. Client side software is typically provided by a network administrator or network access provider, such as an ISP with whom the user has subscribed for Internet access, and enables the client to configure his or her computer to communicate with that network access provider. Continuing with the illustrative example of a user accessing the Internet via an ISP, the user must install ISP software on the client computer, and thereafter establish an account with the ISP for Internet access. Typically, a user subscribes to an ISP, such as America Online™, Earthlink™, Compuserve™ or the like, by contracting directly with the ISP for Internet access. Usually, the user pays for such Internet access on a monthly fixed fee basis. Regardless of the user's location, the user may dial up an access number provided by the ISP and obtain Internet access. The connection is often achieved via a conventional telephone modem, cable modem, DSL connection, or the like.

Because users accessing networks through conventional methods, such as through ISPs, are either allowed or denied access to a network in an all or nothing approach, users cannot be dynamically authorized access to a network such that the user's access and authorization to particular networks or sites is customizable. What is needed is a method and system that allows users dynamic and customizable access that may vary based upon any number of variables associated with a user, such as a user location, user name or password, user computer, or other attributes. For example, it would be advantageous for some users to be authorized access to all Internet sites, while others may be denied access to particular sites. In addition to authorizing user access to a network, it would be advantageous for a network, such as an ISP or enterprise network, to selectively permit users a range of authorization, such that the user's access is not based upon an all or nothing approach.

SUMMARY OF THE INVENTION

The present invention includes a method and system for selectively implementing and enforcing Authentication, Authorization and Accounting (AAA) of users accessing a network via a gateway device. According to the present invention, a user may first be authenticated to determine the identity of the user. The authentication capability of the system and method of the present invention can be based upon a user ID, computer, location, or one or more additional attributes identifying a source (e.g., a particular user, computer or location) requesting network access. Once authenticated, an authorization capability of the system and method of the present invention is customized based upon the identity of the source, such that sources have different access rights based upon their identity, and the content and/or destination requested. For instance, access rights permit a first source to access a particular Internet destination address, while refusing a second source access to that same address. In addition, the authorization capability of the system and method of the present invention can be based upon the other information contained in the data transmission, such as a destination port, Internet address, TCP port, network, or similar destination address. Moreover, the AAA of the present invention can be based upon the content type or protocol being transmitted. By authenticating users in this manner, each packet can be filtered through the selective AAA process, so that a user can be identified and authorized access to a particular destination. Thus, each time the user attempts to access a different destination, the user is subject to the AAA, so that the user may be prevented access from a particular site the AAA system and method deem inaccessible to the user based upon the user's authorization while permitting access to other sites that the AAA method and system deem accessible. Additionally, according to one embodiment of the invention, source access to the network may be tracked and logged by the present invention for accounting and historical purposes.

According to one embodiment of the invention, there is disclosed a method for selectably controlling and customizing source access to a network, wherein the source is associated with a source computer, and wherein the source computer has transparent access to the network via a gateway device and no configuration software need be installed on the source computer to access the network. The method includes receiving at the gateway device a request from the source computer for access to the network, identifying an attribute associated with the source based upon a packet transmitted from the source computer and received by the gateway device, and accessing a source profile corresponding to the source and stored in a source profile database, wherein the source profile is accessed based upon the attribute, and wherein the source profile database is located external to the gateway device and in communication with the gateway device. The method also includes determining the access rights of the source based upon the source profile, wherein access rights define the rights of the source to access the network.

According to one aspect of the invention, determining the access rights of the source based upon the source profile includes determining the access rights of the source based upon the source profile, wherein the access rights define the rights of the source to access a requested network destination. According to another aspect of the invention, the method includes assigning a location identifier to the location from which requests for access to the network are transmitted, and the location identifier is the attribute associated with the source. Furthermore, according to the invention, accessing a source profile corresponding to the source can include accessing a source profile stored in a source profile database, where the source profile database includes a remote authentication dial-in user service (RADIUS), or a lightweight directory access protocol (LDAP) database.

According to yet another aspect of the invention, the method includes updating the source profile database when a new source accesses the network. Additionally, the method can include maintaining in the source profile database a historical log of the source's access to the network. Moreover, the attribute associated with the source can be based upon a MAC address, User ID or VLAN ID associated with the source computer from which the request for access to the network was transmitted. According to yet another aspect of the invention, receiving at the gateway device a request from a source for access can include the step of receiving a destination address from the source.

According to another embodiment of the invention, there is disclosed a system for selectably controlling and customizing access, to a network, by a source, where the source is associated with a source computer, and wherein the source computer has transparent access to the network via a gateway device and no configuration software need be installed on the source computer to access the network. The system includes a gateway device for receiving a request from the source for access to the network, and a source profile database in communication with the gateway device and located external to the gateway device, wherein the source profile database stores access information identifiable by an attribute associated with the source, and wherein the attribute is identified based upon a data packet transmitted from the source computer and received by the gateway device. The system also includes a AAA server in communication with the gateway device and source profile database, wherein the AAA server determines if the source is entitled to access the network based upon the access information stored within the source profile database, and wherein the AAA server determines the access rights of the source with the access rights defining the rights of the source to access destination sites via the network.

According to one aspect of the invention, the packet received by the gateway device includes at least one of a VLAN ID, a circuit ID, and a MAC address. Additionally, according to another aspect of the invention, the source profile database includes a remote authentication dial-in user service (RADIUS) or a lightweight directory access protocol (LDAP) database. Furthermore, the source profile database can include a plurality of source profiles, wherein each respective source profile of the plurality of source profiles contains access information. According to the invention, each respective source profile can also contain historical data relating to the duration of network access for use in determining the charges due for the network access. According to yet another aspect of the invention, the source profile database can be located within the AAA server.

According to another embodiment of the present invention, there is disclosed a method for redirecting a source attempting to access a destination through a gateway device, wherein the source is associated with a source computer, and wherein the gateway device enables the source to communicate with a network without requiring the source computer to include network software configured for the network. The method includes receiving at the gateway device a request from the source to access the network, identifying the source based upon an attribute associated with the source, and accessing a source profile database located external to the gateway device, where the source profile database stores access rights of the source. The method further includes determining the access rights of the source based upon the identification of the source, wherein the access rights define the rights of the source to access destination sites via the network.

According to one aspect of the invention, accessing a source profile database includes accessing a source profile database that includes a remote authentication dial-in user service (RADIUS), or a lightweight directory access protocol (LDAP) database. According to another aspect of the invention, the method can include assigning a location identifier to the location from which requests for access to the network are transmitted, wherein the location identifier is the attribute associated with the source. The method can also include updating the source profile database when a new source accesses the network, and maintaining in an accounting database a historical log of the source's access to the network, wherein the accounting database is in communication with the source profile database.

According to yet another aspect of the invention, receiving at the gateway device a request from a source for access can include the step of receiving a destination address from the source. Moreover, determining if the source computer is entitled to access the destination address can further include denying the source computer access where the source profile indicates that the source computer is denied access. Determining if the source is entitled to access the network can also further include directing the source to a login page when the source profile is not located within the source profile database.
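The per-request flow these embodiments describe (FIG. 2 steps 200 to 260: authenticate by an attribute read from the packet, look the profile up in a database external to the gateway, authorize against the requested destination, redirect to a login page when no profile exists, and log the result for accounting), as an added Python simulation. This is example code written for this page, not the patent's or the applicant's own implementation; the class names, the in-memory dict standing in for the RADIUS/LDAP source profile database, and the sample MAC addresses, credentials and destinations are all constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Decision(Enum):
    PERMIT = "permit"          # FIG. 2 step 240: permit access and log into accounting
    LOGIN_REDIRECT = "login"   # FIG. 2 step 250: route to login screen, collect information
    DENY = "deny"              # FIG. 2 step 260: deny access


@dataclass(frozen=True)
class Packet:
    """Attributes the gateway can read from a packet sent by the source computer."""
    mac: str
    vlan_id: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


@dataclass
class SourceProfile:
    """Access rights of one source; '*' in a rule set means any value is allowed."""
    user_id: str
    allowed_dst_ips: frozenset
    allowed_dst_ports: frozenset
    allowed_protocols: frozenset
    history: list = field(default_factory=list)   # historical log kept in the profile


class AAAServer:
    """Authenticates by packet attribute, authorizes per destination, keeps accounting.
    `db` is a dict keyed by (attribute name, value): a stand-in (assumption) for the
    external RADIUS/LDAP source profile database described in the summary."""

    def __init__(self, db: dict, credentials: dict) -> None:
        self.db = db
        # user_id -> (password, rule sets); consulted when the login screen is shown
        self.credentials = credentials
        self.accounting_log: list = []

    def authenticate(self, packet: Packet) -> Optional[SourceProfile]:
        """Step 210: look the profile up by MAC address first, then by VLAN ID (location)."""
        for attribute in (("mac", packet.mac), ("vlan", packet.vlan_id)):
            if attribute in self.db:
                return self.db[attribute]
        return None

    @staticmethod
    def authorize(profile: SourceProfile, packet: Packet) -> bool:
        """Step 220: rights are checked against destination address, port and protocol."""
        def allowed(rule: frozenset, value) -> bool:
            return "*" in rule or value in rule
        return (allowed(profile.allowed_dst_ips, packet.dst_ip)
                and allowed(profile.allowed_dst_ports, packet.dst_port)
                and allowed(profile.allowed_protocols, packet.protocol))

    def account(self, profile: SourceProfile, packet: Packet, decision: Decision) -> None:
        """Accounting: record the decision in the server log and in the source's history."""
        entry = (profile.user_id, packet.mac, packet.dst_ip, packet.dst_port, decision.value)
        profile.history.append(entry)
        self.accounting_log.append(entry)


def gateway_handle(server: AAAServer, packet: Packet, login: Optional[dict] = None) -> Decision:
    """Step 200 onward: process one request from a source computer, packet by packet."""
    profile = server.authenticate(packet)
    if profile is None:
        # Authentication pending: no profile for these attributes, so route to the login screen.
        if login is None:
            return Decision.LOGIN_REDIRECT
        # "Is information sufficient?": the collected user ID and password must match.
        cred = server.credentials.get(login.get("user_id"))
        if cred is None or cred[0] != login.get("password"):
            return Decision.DENY
        profile = SourceProfile(login["user_id"], *cred[1])
        # New source: update the profile database so later packets authenticate by MAC.
        server.db[("mac", packet.mac)] = profile
    decision = Decision.PERMIT if server.authorize(profile, packet) else Decision.DENY
    server.account(profile, packet, decision)
    return decision


def demo() -> dict:
    """Constructed sample run over two source computers; returns the decisions for checking."""
    db = {("mac", "00:11:22:33:44:55"):
          SourceProfile("alice", frozenset({"*"}), frozenset({80, 443}), frozenset({"tcp"}))}
    creds = {"bob": ("s3cret", (frozenset({"198.51.100.10"}), frozenset({"*"}), frozenset({"*"})))}
    server = AAAServer(db, creds)
    web = Packet("00:11:22:33:44:55", 10, "203.0.113.5", 443)
    ssh = Packet("00:11:22:33:44:55", 10, "203.0.113.5", 22)
    new = Packet("66:77:88:99:aa:bb", 20, "198.51.100.10", 8080)
    return {
        "known_web": gateway_handle(server, web),
        "known_ssh": gateway_handle(server, ssh),
        "unknown_no_login": gateway_handle(server, new),
        "unknown_bad_login": gateway_handle(server, new, {"user_id": "bob", "password": "x"}),
        "unknown_good_login": gateway_handle(server, new, {"user_id": "bob", "password": "s3cret"}),
        "now_known": gateway_handle(server, new),
        "log_entries": len(server.accounting_log),
    }
```

Note that identifying a source by a link-layer attribute such as a MAC address is only as trustworthy as that attribute; the login path is where the summary places the credential check for sources that have no profile yet.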

According to yet another embodiment of the invention, there is disclosed a system for enabling transparent communication between a computer and a service provider network. The system includes a computer, and a network gateway device in communication with the computer for connecting the computer to a computer network, where the network gateway device receives source data that represents a user attempting to access said computer network. The system also includes a service provider network in communication with the network gateway device, where the service provider network includes an authentication server located external to the network gateway device and in communication with the network gateway device. The authentication server has therein a source profile database comprising source profiles that represent users authorized to access said computer network, and compares the source data to said source profiles to determine if the user attempting to access the computer network can access the computer network.

According to one aspect of the invention, the system can include an accounting system for maintaining historical data concerning use of the service provider network. According to another aspect of the invention, the authentication server includes a remote authentication dial-in user service (RADIUS), or a lightweight directory access protocol (LDAP) database. Furthermore, the source profile database can include a plurality of source profiles, where each respective source profile of the plurality of source profiles contains access information. According to yet another aspect of the invention, the source data includes an attribute associated with the computer and transmitted from the computer to the gateway device. According to another aspect of the invention, the source data includes login information associated with a respective user.

The Authentication, Authorization and Accounting method and system according to the present invention enable users transparent access to a computer network employing a gateway device. Therefore, each user may have differing rights to access services, sites or destinations via the network. Thus, the present invention differs from conventional AAA methods and systems by offering dynamic AAA services which authenticate users and offer those users varying degrees of authorization to utilize the accessed network. Furthermore, the source profile database of the present invention can be located external to the gateway device, and on a network non-local to the network from which access is requested. An external source profile database is desirable because each gateway device allows a finite number of users to access the network, so that multiple gateway devices may be required. Additionally, administering and maintaining one consolidated database of authentication data is easier than multiple smaller databases. Moreover, locating the database external to the local network allows an ISP or third party provider to maintain the confidentiality of the information stored within the database and maintain and control the database in any manner the third party provider so desires.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a computer system that includes a AAA server for authenticating, authorizing and accounting sources accessing networks and/or online services, according to one embodiment o