Dynamic policy-based on-boarding of devices in enterprise environments

US 10,667,135 B2
Filed: 01/11/2018
Issued: 05/26/2020
Est. Priority Date: 01/11/2018
Status: Active Grant

First Claim

Patent Images

1. A system for providing access to wireless networks, comprising:

an access provider that is a member of an identity and access federation implemented in a wireless roaming environment, the access provider comprising;

at least one processor; and

a memory comprising program instructions that when executed by the at least one processor cause the processor to;

receive, from a wireless device on behalf of a user, a request to access a wireless network, the wireless device being communicatively coupled to the access provider;

obtain data representing a policy applicable to the access request;

send the access request, augmented with an indication of the policy, to an identity provider that is associated with the user and is a member of the identity and access federation, the identity provider having no pre-existing relationship with the access provider;

receive, from the identity provider, an access request response indicating whether the policy has been met;

communicate, to the wireless device when the access request response indicates that the policy has been met, an indication that the access request has been accepted; and

communicate, to the wireless device when the access request response indicates that the policy has not been met, an indication that the access request has been rejected.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a method for providing access to wireless networks may include receiving, by a wireless network access provider from a user device, a request to access a wireless network. The method may include obtaining data representing a policy applicable to the access request, sending the access request, augmented with the policy, to an identity provider associated with the user and having no pre-existing relationship with the access provider, and receiving, from the identity provider, an access request response indicating whether or not the policy is met. The method may include communicating, to the wireless device, an indication that the access request has been accepted, if the policy is met, or an indication that the access request has been rejected, if the policy is not met. The access provider and identity provider may be members of an identity and access federation that communicate over a dynamically established secure connection.

20 Citations

View as Search Results

20 Claims

1. A system for providing access to wireless networks, comprising:
- an access provider that is a member of an identity and access federation implemented in a wireless roaming environment, the access provider comprising;
  
  at least one processor; and
  
  a memory comprising program instructions that when executed by the at least one processor cause the processor to;
  
  receive, from a wireless device on behalf of a user, a request to access a wireless network, the wireless device being communicatively coupled to the access provider;
  
  obtain data representing a policy applicable to the access request;
  
  send the access request, augmented with an indication of the policy, to an identity provider that is associated with the user and is a member of the identity and access federation, the identity provider having no pre-existing relationship with the access provider;
  
  receive, from the identity provider, an access request response indicating whether the policy has been met;
  
  communicate, to the wireless device when the access request response indicates that the policy has been met, an indication that the access request has been accepted; and
  
  communicate, to the wireless device when the access request response indicates that the policy has not been met, an indication that the access request has been rejected.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein:
    - the identity and access federation defines a collection of common terms, conditions, or terms of service for access policies and identity policies;
      
      to obtain the data representing the policy, the program instructions, when executed by the at least one processor, cause the processor to retrieve the policy from a policy repository in a memory accessible by the access provider; and
      
      the policy repository stores one or more access policies or identity policies in compliance with the identity and access federation definition.
  - 3. The system of claim 2, wherein to obtain the data representing the policy, the program instructions, when executed by the at least one processor, cause the processor to:
    - extract, from the access request, an identifier of the wireless device; and
      
      select the policy from the policy repository based on the identifier of the wireless device.
  - 4. The system of claim 1, wherein:
    - the policy comprises an identity policy applicable to access requests received by the access provider; and
      
      the policy includes a requirement that a permanent user identity be communicated by the identity provider in the access request response.
  - 5. The system of claim 1, wherein the policy comprises one or more of:
    - an indication of an acceptable use policy for which consent is required;
      
      a pointer to a list of acceptable use policies for which consent is required;
      
      an indication of an implied disclaimed liability;
      
      ora pointer to a list of disclaimers for which consent is required.
  - 6. The system of claim 1, wherein the policy comprises a policy enforced by the identity provider specifying that the access provider is required to implement a particular service or that the access provider is required to meet a particular compliance level.
  - 7. The system of claim 1, further comprising an identity and access services engine configured to:
    - receive a request to validate the identity provider for membership in the identity and access federation;
      
      issue security credentials to the identity provider as a member of the identity and access federation in response to a successful validation of the identity provider;
      
      receive a request to validate the access provider for membership in the identity and access federation; and
      
      issue security credentials to the access provider as a member of the identity and access federation in response to a successful validation of the access provider.
  - 8. The system of claim 7, wherein to send the access request to the identity provider, the access provider is configured to:
    - establish, based on mutual membership in the identity and access federation, a secure communication channel with the identity provider; and
      
      send the access request to the identity provider over the secure communication channel.

9. A method for providing access to wireless networks, comprising:
- receiving, by a wireless network access provider that is a member of an identity and access federation implemented in a wireless roaming environment from a wireless device on behalf of a user, a request to access a wireless network;
  
  obtaining data representing a policy applicable to the access request;
  
  sending the access request, augmented with an indication of the policy, to an identity provider that is associated with the user and is a member of the identity and access federation, the identity provider having no pre-existing relationship with the access provider;
  
  receiving, from the identity provider, an access request response indicating that the policy has been met;
  
  communicating, to the wireless device, an indication that the access request has been accepted.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, wherein:
    - the identity and access federation defines a collection of common terms, conditions, or terms of service for access policies and identity policies;
      
      obtaining the data representing the policy comprises retrieving the policy from a policy repository in a memory, the policy repository storing one or more access policies or identity policies in compliance with the identity and access federation definition.
  - 11. The method of claim 10, wherein obtaining the data representing the policy comprises:
    - extracting, from the access request, an identifier of the wireless device; and
      
      selecting the policy from the policy repository based on the identifier of the wireless device.
  - 12. The method of claim 9, wherein:
    - the policy comprises an identity policy applicable to access requests received by the access provider; and
      
      the policy includes a requirement that a permanent user identity be communicated by the identity provider in the access request response.
  - 13. The method of claim 9, wherein the policy comprises a policy enforced by the identity provider specifying that the access provider is required to implement a particular service or that the access provider is required to meet a particular compliance level.
  - 14. The method of claim 9, further comprising:
    - receiving, by an identity and access services engine in the wireless roaming environment, a request to validate the identity provider for membership in the identity and access federation;
      
      issuing security credentials to the identity provider as a member of the identity and access federation in response to a successful validation of the identity provider;
      
      receiving a request to validate the access provider for membership in the identity and access federation; and
      
      issuing security credentials to the access provider as a member of the identity and access federation in response to a successful validation of the access provider.
  - 15. The method of claim 14, wherein sending the access request to the identity provider comprises:
    - establishing, based on mutual membership in the identity and access federation, a secure communication channel between the access provider and the identity provider; and
      
      sending the access request to the identity provider over the secure communication channel.
  - 16. The method of claim 9, further comprising:
    - receiving, by the access provider from another wireless device on behalf of another user, another request to access the wireless network;
      
      obtaining data representing another policy applicable to the other access request;
      
      sending the other access request, augmented with an indication of the other policy, to another identity provider that is associated with the other user and is a member of the identity and access federation, the other identity provider having no pre-existing relationship with the access provider;
      
      receiving, from the other identity provider, another access request response indicating that the other policy has not been met; and
      
      communicating, to the other wireless device, an indication that the other access request has been rejected, the indication including an identifier of the other policy that was not met.

17. An apparatus, comprising:
- a processor; and
  
  a memory comprising program instructions that when executed by the processor cause the processor to;
  
  receive, from a wireless device on behalf of a user, a request to access a wireless network, the wireless device being communicatively coupled to the access provider;
  
  obtain data representing a policy applicable to the access request;
  
  send the access request, augmented with an indication of the policy, to an identity provider that is associated with the user and is a member of the identity and access federation, the identity provider having no pre-existing relationship with the access provider;
  
  receive, from the identity provider, an access request response indicating whether the policy has been met;
  
  communicate, to the wireless device when the access request response indicates that the policy has been met, an indication that the access request has been accepted; and
  
  communicate, to the wireless device when the access request response indicates that the policy has not been met, an indication that the access request has been rejected.
- View Dependent Claims (18, 19, 20)
- - 18. The apparatus of claim 17, wherein:
    - the identity and access federation defines a collection of common terms, conditions, or terms of service for access policies and identity policies;
      
      to obtain the data representing the policy, the program instructions, when executed by the at least one processor, cause the processor to retrieve the policy from a policy repository in a memory accessible by the access provider; and
      
      the policy repository stores one or more access policies or identity policies in compliance with the identity and access federation definition.
  - 19. The apparatus of claim 18, wherein to obtain the data representing the policy, the program instructions, when executed by the at least one processor, cause the processor to:
    - extract, from the access request, an identifier of the wireless device; and
      
      select the policy from the policy repository based on the identifier of the wireless device.
  - 20. The apparatus of claim 17, wherein:
    - the policy comprises an identity policy applicable to access requests received by the access provider; and
      
      the policy includes a requirement that a permanent user identity be communicated by the identity provider in the access request response.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Grayson, Mark, O'Connor, Desmond Joseph, Smith, Malcolm Muir, Brinckman, Bart
Primary Examiner(s)
Revak, Christopher A

Application Number

US15/868,573
Publication Number

US 20190215692A1
Time in Patent Office

866 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0876   based on the identity of th...

H04L 63/0892   by using authentication-aut...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/084   using delegated authorisati...

Dynamic policy-based on-boarding of devices in enterprise environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

20 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic policy-based on-boarding of devices in enterprise environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links