Allocation of local MAC addresses to client devices

US 10,454,887 B2
Filed: 11/18/2015
Issued: 10/22/2019
Est. Priority Date: 11/18/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at a network device connected with a network;

receiving from a client device an authentication request including identity credentials and a temporary media access control (MAC) address of the client device; and

in response to successfully authenticating the client device based on the identity credentials;

selecting a new MAC address of the client device from among a plurality of available MAC addresses stored in a MAC address server in the network;

sending the new MAC address to the client device in an address allocation frame;

receiving a data frame;

determining whether the client device is using the new MAC address based on the received data frame; and

if it is determined that the client device is using the new MAC address;

granting the client device access to the network; and

generating a record including the new MAC address, a time at which the new MAC address was selected, the identity credentials, and a time at which the client device was successfully authenticated based on the identity credentials.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

At a network device configured to control access to a network, a client device authentication request is received from a client device. The request includes identity credentials and a temporary media access control (MAC) address of the client device. The client device is successfully authenticated based on the identity credentials. After authentication, a new MAC address is established in the client device. A data frame is received from at the network device. It is determined whether the client device is using the new MAC address based on the received data frame. If it is determined that the client device is using the new MAC address, the client device is permitted access the network.

Citations

21 Claims

1. A method comprising:
- at a network device connected with a network;
  
  receiving from a client device an authentication request including identity credentials and a temporary media access control (MAC) address of the client device; and
  
  in response to successfully authenticating the client device based on the identity credentials;
  
  selecting a new MAC address of the client device from among a plurality of available MAC addresses stored in a MAC address server in the network;
  
  sending the new MAC address to the client device in an address allocation frame;
  
  receiving a data frame;
  
  determining whether the client device is using the new MAC address based on the received data frame; and
  
  if it is determined that the client device is using the new MAC address;
  
  granting the client device access to the network; and
  
  generating a record including the new MAC address, a time at which the new MAC address was selected, the identity credentials, and a time at which the client device was successfully authenticated based on the identity credentials.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 19, 20, 21)
- - 2. The method of claim 1, wherein the new MAC address is a local MAC address.
  - 3. The method of claim 1, wherein the determining includes determining whether the client device is using the new MAC address within a predetermined time period after the sending;
    - and further comprising;
      
      if it is determined that the client device is not using the new MAC address within the predetermined time period after the sending, preventing the client device from accessing the network.
  - 4. The method of claim 1, further comprising integrity protecting the address allocation frame based on the new MAC address to produce an integrity protected address allocation frame, and wherein:
    - the sending includes sending the integrity protected address allocated frame;
      
      the receiving includes receiving the data frame as an integrity protected data frame having a source MAC address that matches the new MAC address; and
      
      the determining includes;
      
      integrity checking the integrity protected data frame based on the new MAC address; and
      
      if the integrity checking is successful, determining that the client device is using the new MAC address.
  - 5. The method of claim 1, further comprising encrypting and integrity protecting the address allocation frame based on the new MAC address to produce an encrypted, integrity protected address allocation frame, and wherein:
    - the sending further includes sending the encrypted, integrity protected address allocation frame;
      
      the receiving further includes receiving the data frame as an encrypted, integrity protected data frame; and
      
      the determining further includes;
      
      decrypting and integrity checking the encrypted, integrity protected data frame based on the new MAC address; and
      
      if the decrypting is successful and the integrity checking is successful, determining that the client device is using the new MAC address.
  - 6. The method of claim 1, further comprising encrypting the address allocation frame based on a session key associated with the new MAC address to produce an encrypted address allocation frame, and wherein:
    - the sending includes sending the encrypted address allocation frame;
      
      the receiving includes receiving the data frame as an encrypted data frame; and
      
      the determining includes;
      
      decrypting the encrypted data frame based on the session key; and
      
      if the decrypting is successful, determining the client device is using the new MAC address.
  - 7. The method of claim 6, further comprising:
    - receiving a master key from the authenticating; and
      
      deriving the session key from the master key, wherein the session key is matched to another session key in the client device.
  - 19. The method of claim 1, wherein the record further includes the temporary MAC address and a time at which the temporary MAC address was received.
  - 20. The method of claim 1, wherein the record further includes a time at which the new MAC address becomes available for re-selection from among the plurality of available MAC addresses.
  - 21. The method of claim 1, wherein the record further includes an indication of whether the client device is using the new MAC address, and a time at which the indication was made.

8. An apparatus comprising:
- a network interface unit configured to communicate with a client device and a network; and
  
  a processor coupled to the network interface unit, and configured to;
  
  receive from the client device an authentication request including identity credentials and a temporary media access control (MAC) address of the client device; and
  
  in response to successfully authenticating the client device based on the identity credentials;
  
  select a new MAC address of the client device from among a plurality of available MAC addresses stored in a MAC address server in the network;
  
  send the new MAC address to the client device in an address allocation frame;
  
  receive a data frame;
  
  determine whether the client device is using the new MAC address based on the received data frame; and
  
  if it is determined that the client device is using the new MAC address;
  
  grant the client device access to the network; and
  
  generate a record including the new MAC address, a time at which the new MAC address was selected, the identity credentials, and a time at which the client device was successfully authenticated based on the identity credentials.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The apparatus of claim 8, wherein the new MAC address is a local MAC address.
  - 10. The apparatus of claim 8, wherein the processor is further configured to:
    - determine whether the client device is using the new MAC address within a predetermined time period after the sending; and
      
      if it is determined that the client device is not using the new MAC address within the predetermined time period after the sending, prevent the client device from accessing the network.
  - 11. The apparatus of claim 8, wherein the processor is further configured to integrity protect the address allocation frame based on the new MAC address to produce an integrity protected address allocation frame, and wherein:
    - the processor is configured to send by sending the integrity protected address allocated frame;
      
      the processor is configured to receive by receiving the data frame as an integrity protected data frame having a source MAC address that matches the new MAC address; and
      
      the processor is configured to determine by;
      
      integrity checking the integrity protected data frame based on the new MAC address; and
      
      if the integrity checking is successful, determining that the client device is using the new MAC address.
  - 12. The apparatus of claim 8, wherein the processor is further configured to encrypt the address allocation frame based on a session key associated with the new MAC address to produce an encrypted address allocation frame, and wherein:
    - the processor is configured to send by sending the encrypted address allocation frame;
      
      the processor is configured to receive by receiving the data frame as an encrypted data frame; and
      
      the processor is configured to determine by;
      
      decrypting the encrypted data frame based on the session key; and
      
      if the decrypting is successful, determining the client device is using the new MAC address.

13. A tangible processor readable medium storing instructions that, when executed by a processor, cause the processor to:
- receive from a client device an authentication request including identity credentials and a temporary media access control (MAC) address of the client device; and
  
  in response to successfully authenticating the client device based on the identity credentials;
  
  select a new MAC address of the client device from among a plurality of available MAC addresses stored in a MAC address server in a network;
  
  send the new MAC address to the client device in an address allocation frame;
  
  receive a data frame;
  
  determine whether the client device is using the new MAC address based on the received data frame; and
  
  if it is determined that the client device is using the new MAC address;
  
  grant the client device access to the network; and
  
  generate a record including the new MAC address, a time at which the new MAC address was selected, the identity credentials, and a time at which the client device was successfully authenticated based on the identity credentials.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The processor readable medium of claim 13, further comprising instructions to cause the processor to integrity protect the address allocation frame based on the new MAC address to produce an integrity protected address allocation frame, and wherein:
    - the instructions to cause the processor to send include instructions to cause the processor to send the integrity protected address allocated frame;
      
      the instructions to cause the processor to receive include instructions to cause the processor to receive the data frame as an integrity protected data frame having a source MAC address that matches the new MAC address; and
      
      the instructions to cause the processor to determine include instructions to cause the processor to determine by;
      
      integrity checking the integrity protected data frame based on the new MAC address; and
      
      if the integrity checking is successful, determining that the client device is using the new MAC address.
  - 15. The processor readable medium of claim 13, further comprising instructions to cause the processor to encrypt the address allocation frame based on a session key associated with the new MAC address to produce an encrypted address allocation frame, and wherein:
    - the instructions to cause the processor to send include instructions to cause the processor to send the encrypted address allocation frame;
      
      the instructions to cause the processor to receive include instructions to cause the processor to receive the data frame as an encrypted data frame; and
      
      the instructions to cause the processor to determine include instructions to cause the processor to determine by;
      
      decrypting the encrypted data frame based on the session key; and
      
      if the decrypting is successful, determining the client device is using the new MAC address.
  - 16. The processor readable medium of claim 15, further comprising instructions to cause the processor to:
    - receive a master key from the authenticating; and
      
      derive the session key from the master key, wherein the session key is matched to another session key in the client device.
  - 17. The processor readable medium of claim 13, wherein the new MAC address is a local MAC address.
  - 18. The processor readable medium of claim 13, wherein the instructions to cause the processor to determine include instructions to cause the processor to determine whether the client device is using the new MAC address within a predetermined time period after sending the new MAC address to the client device, and further comprising instructions to cause the processor to:
    - if it is determined that the client device is not using the new MAC address within the predetermined time period after sending the new MAC address to the client device, prevent the client device from accessing the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Weis, Brian Eliot, Jones, Peter Geoffrey
Primary Examiner(s)
Nguyen, Dustin

Application Number

US14/944,743
Publication Number

US 20170142064A1
Time in Patent Office

1,434 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2101/622   Layer-2 addresses, e.g. med...

H04L 61/5038   for local use, e.g. in LAN ...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/123   received data contents, e.g...

H04L 63/162   at the data link layer

Allocation of local MAC addresses to client devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Allocation of local MAC addresses to client devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links