Multi-factor authorization for IEEE 802.1x-enabled networks

US 10,298,563 B2
Filed: 04/29/2015
Issued: 05/21/2019
Est. Priority Date: 04/29/2015
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable medium including instructions executable by a processor to cause the processor to:

determine a device fingerprint of a client device, wherein the instructions to determine the device fingerprint include instructions to;

receive a Dynamic Host Configuration Protocol (DHCP) message from the client device;

determine a type of the client device based on content of the DHCP message; and

determine, based on the content of the DHCP message, that the client device has previously been authenticated;

authenticate the client device to obtain access to network resources in a network in response to the determination of the device fingerprint, wherein the instructions to authenticate the client device include instructions to;

receive a device certificate from the client device, wherein the device certificate was issued to the client device upon the prior successful authentication;

authenticate the client device based on validity of the device certificate;

detect a device quarantine trigger, wherein the device quarantine trigger indicates an increased level of suspicion that a current user of the client device is a non-authenticated user; and

in response to the device quarantine trigger, place the client device from an authenticated state to a quarantined state pending completion of a particular workflow by the current user, wherein the client device has limited access to the network resources while in the quarantined state regardless of a previous successful user and/or device authentication.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure discloses a system and method for providing multi-factor authorization for IEEE 802.1x-enabled networks. Specifically, a network device authenticates a client device to obtain access to network resources in a network via a network authentication protocol. The network device then detects a device quarantine trigger indicating an increased level of suspicion that a current user of the client device is a non-authenticated user. In response to the device quarantine trigger, the network device temporarily places the client device from an authenticated state to a quarantined state pending completion of a particular workflow by the current user. The client device has limited access to the network resources while in the quarantined state regardless of a previous successful user and/or device authentication.

16 Citations

View as Search Results

18 Claims

1. A non-transitory computer readable medium including instructions executable by a processor to cause the processor to:
- determine a device fingerprint of a client device, wherein the instructions to determine the device fingerprint include instructions to;
  
  receive a Dynamic Host Configuration Protocol (DHCP) message from the client device;
  
  determine a type of the client device based on content of the DHCP message; and
  
  determine, based on the content of the DHCP message, that the client device has previously been authenticated;
  
  authenticate the client device to obtain access to network resources in a network in response to the determination of the device fingerprint, wherein the instructions to authenticate the client device include instructions to;
  
  receive a device certificate from the client device, wherein the device certificate was issued to the client device upon the prior successful authentication;
  
  authenticate the client device based on validity of the device certificate;
  
  detect a device quarantine trigger, wherein the device quarantine trigger indicates an increased level of suspicion that a current user of the client device is a non-authenticated user; and
  
  in response to the device quarantine trigger, place the client device from an authenticated state to a quarantined state pending completion of a particular workflow by the current user, wherein the client device has limited access to the network resources while in the quarantined state regardless of a previous successful user and/or device authentication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The non-transitory computer readable medium of claim 1, further comprising instructions executable by the processor to cause the processor to initiate a multi-factor authentication that requires the current user of the client device to complete the particular workflow to confirm the current user'"'"'s identity.
  - 3. The non-transitory computer readable medium of claim 1, further comprising instructions executable by the processor to cause the processor to:
    - place the client device from the quarantined state to the authenticated state in response to completion of the particular workflow; and
      
      place the client device from the quarantined state to an unauthenticated state in response to a failure to complete the particular workflow, wherein the client device has limited or no access to the network resources while in the unauthenticated state.
  - 4. The non-transitory computer readable medium of claim 1, wherein the authentication to obtain access to the network resources is compliant with IEEE 802.1 X standard.
  - 5. The non-transitory computer readable medium of claim 1, wherein the instructions to authenticate the client device include instructions to:
    - receive user credential information from the client device; and
      
      authenticate the client device based on validity of the user credential information.
  - 6. The non-transitory computer readable medium of claim 1, wherein the device quarantine trigger comprises lapse of a predefined time interval.
  - 7. The non-transitory computer readable medium of claim 1, wherein the device quarantine trigger comprises a change of the client device'"'"'s posture or geolocation.
  - 8. The non-transitory computer readable medium of claim 1, wherein the device quarantine trigger comprises a threshold number of consecutive failed password attempts.
  - 9. The non-transitory computer readable medium of claim 1, wherein:
    - the particular workflow is initiated only for a subset of authenticated client devices in the network; and
      
      a particular device quarantine trigger defined by network policies is triggered for each authenticated client device in the subset.

10. A system comprising:
- a device including a hardware processor, the system being configured to perform operations comprising;
  
  determining a device fingerprint of a client device, wherein determining the device fingerprint includes;
  
  determining a Media Access Control (MAC) address of the client device; and
  
  comparing the MAC address of the client device to a plurality of MAC addresses corresponding to a plurality of previously authenticated client devices;
  
  authenticating the client device to obtain access to network resources in a network in response to a determination that the MAC address of the client devices matches a MAC address of the plurality of MAC addresses corresponding to the plurality of previously authenticated client devices, wherein authenticating the client device comprises;
  
  receiving a device certificate from the client device, wherein the device certificate was issued to the client device upon the prior successful authentication; and
  
  authenticating the client device based on validity of the device certificate;
  
  detecting a device quarantine trigger, wherein the device quarantine trigger indicates an increased level of suspicion that a current user of the client device is a non-authenticated user; and
  
  in response to the device quarantine trigger, placing the client device from an authenticated state to a quarantined state pending completion of a particular workflow by the current user, wherein the client device has limited access to the network resources while in the quarantined state regardless of a previous successful user and/or device authentication.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, further comprising initiating a multi-factor authentication, wherein the multi-factor authorization comprises completion of the particular workflow to confirm a user identity.
  - 12. The system of claim 10, further comprising:
    - placing the client device from the quarantined state to the authenticated state in response to completion of the particular workflow; and
      
      placing the client device from the quarantined state to an unauthenticated state in response to a failure to complete the particular workflow, wherein the client device has limited access to the network resources while in the unauthenticated state.
  - 13. The system of claim 10, wherein the authentication to obtain access to the network resources is compliant with IEEE 802.1 X standard.
  - 14. The system of claim 10, wherein authenticating the client device comprises:
    - receiving user credential information from the client device; and
      
      authenticating the client device based on validity of the user credential information.
  - 15. The system of claim 10, wherein the device quarantine trigger comprises lapse of a predefined time interval.
  - 16. The system of claim 10, wherein the device quarantine trigger comprises a change of the client device'"'"'s posture or geolocation.
  - 17. The system of claim 10, wherein the device quarantine trigger comprises a threshold number of consecutive failed password attempts.
  - 18. The system of claim 10, wherein:
    - the particular workflow is initiated only for a subset of authenticated client devices in the network; and
      
      a particular device quarantine trigger defined by network policies is triggered for each authenticated client device in the subset.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Esdaile, Cameron
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Tran, Tongoc

Application Number

US14/699,420
Publication Number

US 20160323265A1
Time in Patent Office

1,483 Days
Field of Search

726 7
US Class Current
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/0876   based on the identity of th...

H04W 12/06   Authentication

H04W 12/065   Continuous authentication

H04W 12/069   using certificates or pre-s...

H04W 12/40   Security arrangements using...

Multi-factor authorization for IEEE 802.1x-enabled networks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-factor authorization for IEEE 802.1x-enabled networks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links