Enabling dynamic authentication with different protocols on the same port for a switch

US 10,110,638 B2
Filed: 06/17/2016
Issued: 10/23/2018
Est. Priority Date: 01/26/2005
Status: Active Grant

First Claim

Patent Images

1. One or more non-transitory, computer readable media, the computer readable media comprising code for execution that, when executed, causes one or more processors to:

detect a request to join a network from a client device at a network device;

initiate a backoff timer with a backoff time-limit based on the request to join the network; and

apply a first policy to grant access to a network resource associated with a local area network based on determining the client device is capable of supporting an 802.1X authentication protocol before the backoff timer expires and on the client device being authenticated according to the 802.1X authentication protocol, whereina second policy is applied based, at least in part, on a determination that the client device is incapable of supporting the 802.1X authentication protocol and on the client device being authenticated according to another authentication protocol.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention enables a client device that does not support IEEE 802.1X authentication to access at least some resources provided through a switch that supports 802.1X authentication by using dynamic authentication with different protocols. When the client device attempts to join a network, the switch monitors for an 802.1X authentication message from the client device. In one embodiment, if the client fails to send an 802.1X authentication message, respond to an 802.1X request from the switch, or a predefined failure condition is detected the client may be deemed incapable of supporting 802.1X authentication. In one embodiment, the client may be initially placed on a quarantine VLAN after determination that the client fails to perform an 802.1X authentication within a backoff time limit. However, the client may still gain access to resources based on various non-802.1X authentication mechanisms, including name/passwords, digital certificates, or the like.

Citations

22 Claims

1. One or more non-transitory, computer readable media, the computer readable media comprising code for execution that, when executed, causes one or more processors to:
- detect a request to join a network from a client device at a network device;
  
  initiate a backoff timer with a backoff time-limit based on the request to join the network; and
  
  apply a first policy to grant access to a network resource associated with a local area network based on determining the client device is capable of supporting an 802.1X authentication protocol before the backoff timer expires and on the client device being authenticated according to the 802.1X authentication protocol, whereina second policy is applied based, at least in part, on a determination that the client device is incapable of supporting the 802.1X authentication protocol and on the client device being authenticated according to another authentication protocol.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The one or more media of claim 1, wherein the code for execution, when executed, causes the one or more processors to:
    - disable the backoff timer based on determining the client device is capable of supporting the 802.1X authentication protocol before the backoff time-limit expires.
  - 3. The one or more media of claim 1, wherein the client device is determined to be capable of supporting the 802.1X authentication protocol based on receiving an 802.1X authentication request before the backoff time-limit expires.
  - 4. The one or more media of claim 1, wherein the determination that the client device is incapable of supporting the 802.1X authentication protocol is made based on the backoff time-limit expiring without the network device receiving an authentication request according to the 802.1X authentication protocol.
  - 5. The one or more media of claim 1, wherein the determination that the client device is incapable of supporting the 802.1X authentication protocol is made based on detecting one or more failure conditions.
  - 6. The one or more media of claim 5, wherein the one or more failure conditions is selected from a group of failure conditions consisting of an incorrect authentication credential, an improperly configured supplicant, and an inoperable network device.
  - 7. The one or more media of claim 1, wherein the code for execution, when executed, causes the one or more processors to:
    - based on the determination that the client device is incapable of supporting the 802.1X authentication protocol, configure the network device to allow the client device to access quarantined resources on a different local area network.
  - 8. The one or more media of claim 1, wherein the code for execution, when executed, causes the one or more processors to:
    - based on the determination that the client device is incapable of supporting the 802.1X authentication protocol, configure the network device to block the client device from accessing any resources in the network.
  - 9. The one or more media of claim 1, wherein the second policy is applied to allow the client device to access one or more different network resources in the network.
  - 10. The one or more media of claim 1, wherein the code for execution, when executed, causes the one or more processors to:
    - enable, prior to the request to join the network being detected, the network device to detect an 802.1X authentication request.
  - 11. The one or more media of claim 1, wherein the code for execution, when executed, causes the one or more processors to:
    - disable the network device from using the 802.1X authentication protocol based on the determination that the client device is incapable of supporting the 802.1X authentication protocol.
  - 12. The one or more media of claim 1, wherein the local area network is virtualized.
  - 13. The one or more media of claim 1, wherein the code for execution, when executed, causes the one or more processors to:
    - provide an interface to the client device if the client device is incapable of using the 802.1X authentication protocol, and the interface is to enable initiation of the other authentication protocol.
  - 14. The one or more media of claim 1, wherein the request to join the network is detected by an enforcer component for detecting a Link Up request generated by the network device.

15. A system, comprising:
- a network device to route network traffic from a client device; and
  
  an enforcer element comprising instructions executable by at least one processor todetect a request to join a network from a client device;
  
  initiate a backoff timer with a backoff time-limit based on the request to join the network; and
  
  apply a first policy to grant access to a network resource associated with a local area network based on determining the client device is capable of supporting an 802.1X authentication protocol before the backoff timer expires and on the client device being authenticated according to the 802.1X authentication protocol, whereina second policy is applied based, at least in part, on a determination that the client device is incapable of supporting the 802.1X authentication protocol and on the client device being authenticated according to another authentication protocol.
- View Dependent Claims (16, 17, 18)
- - 16. The system of claim 15, wherein the instructions of the enforcer element are executable by the at least one processor to:
    - enable, prior to the request to join the network being detected, the network device to detect an 802.1X authentication request.
  - 17. The system of claim 15, wherein the instructions of the enforcer element are executable by the at least one processor to:
    - direct the network device to route network traffic from the client device to the enforcer element.
  - 18. The system of claim 15, wherein, if the client device is determined to be incapable of supporting authentication according to the 802.1X authentication protocol, then hypertext transfer protocol (HTTP) packets associated with the client device are permitted to propagate through the network device.

19. An apparatus, comprising:
- a memory element for storing code; and
  
  at least one processor configured to execute instructions associated with the code to;
  
  detect a request to join a network from a client device to a network device associated with the network;
  
  initiate a backoff timer with a backoff time-limit based on the request to join the network; and
  
  apply a first policy to grant access to a network resource associated with a local area network based on determining the client device is capable of supporting a an 802.1X authentication protocol before the backoff timer expires and on the client device being authenticated according to the 802.1X authentication protocol, whereina second policy is applied based, at least in part, on a determination that the client device is incapable of supporting the 802.1X authentication protocol and on the client device being authenticated according to another authentication protocol.
- View Dependent Claims (20)
- - 20. The apparatus of claim 19, wherein the backoff time-limit is set to a value based on at least one of characteristics of the network or characteristics of the network device.

21. A method, comprising:
- detecting a request to join a network from a client device at a network device;
  
  initiating a backoff timer with a backoff time-limit based on the request to join the network; and
  
  applying a first policy to grant access to a network resource associated with a local area network based on determining the client device is capable of supporting an 802.1X authentication protocol before the backoff timer expires and on the client device being authenticated according to the 802.1X authentication protocol, whereina second policy is applied based, at least in part, on a determination that the client device is incapable of supporting the 802.1X authentication protocol and on the client device being authenticated according to another authentication protocol.
- View Dependent Claims (22)
- - 22. The method of claim 21, further comprising:
    - disabling 802.1X processing on a switch port, on the client device not successfully authenticating using the 802.1X authentication protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Vank, Alexandru Z., Shen, Xin, Cobb, Matt B., Robel-Forrest, Brad, Phoenix, Evan M.
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US15/186,084
Publication Number

US 20170019427A1
Time in Patent Office

858 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/162   at the data link layer

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

Enabling dynamic authentication with different protocols on the same port for a switch

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Enabling dynamic authentication with different protocols on the same port for a switch

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links