Controlling network access

US 20070006288A1
Filed: 06/30/2005
Published: 01/04/2007
Est. Priority Date: 06/30/2005
Status: Active Grant

First Claim

Patent Images

1. A method of controlling access to a network by a computer comprising acts of:

receiving, at a network access device, identity information about the computer at a network access device;

receiving, at the network access device, a health credential from the computer that indicates a security state of the computer; and

determining whether to grant network access to the computer based on the identity information and the health credential.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the invention is directed to managing access of a host computer to a network. A first communication session with the host computer may be conducted to authenticate the host computer'"'"'s identity. A second communication session with the host computer may be conducted to determine the health status of the host computer.

306 Citations

20 Claims

1. A method of controlling access to a network by a computer comprising acts of:
- receiving, at a network access device, identity information about the computer at a network access device;
  
  receiving, at the network access device, a health credential from the computer that indicates a security state of the computer; and
  
  determining whether to grant network access to the computer based on the identity information and the health credential.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the health credential is a certificate.
  - 3. The method of claim 1, wherein the act of determining further comprises:
    - sending the identity information and health credential to an authentication, authorization, and accounting (AAA) server.
  - 4. The method of claim 3, further comprising acts of:
    - determining, at the AAA server, whether the identity information is valid; and
      
      determining, at the AAA server, whether the health credential is valid.
  - 5. The method of claim 4, wherein the act of determining whether the health credential is valid further comprises:
    - determining whether the health credential is expired.

6. At least one computer-readable medium encoded with instructions that, when executed, perform a method of controlling access to a network by a computer comprising acts of:
- receiving, at a network access device, identity information about the computer at a network access device;
  
  receiving, at the network access device, a health credential from the computer that indicates a security state of the computer; and
  
  determining whether to grant network access to the computer based on the identity information and the health credential.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The at least one computer-readable medium of claim 6, wherein the health credential is a certificate.
  - 8. The at least one computer-readable medium of claim 6, wherein the act of determining further comprises:
    - sending the identity information and health credential to an authentication, authorization, and accounting (AAA) server.
  - 9. The at least one computer-readable medium of claim 8, wherein the method further comprises acts of:
    - determining, at the AAA server, whether the identity information is valid; and
      
      determining, at the AAA server, whether the health credential is valid.
  - 10. The at least one computer-readable medium of claim 9, wherein the act of determining whether the health credential is valid further comprises:
    - determining whether the health credential is expired.

11. A method of obtaining network access comprising acts of:
- sending, from a computer, a network access request to a network access device, wherein the network access request includes identity information;
  
  receiving, at the computer, in response to the network access request, limited network access, wherein the limited network access permits access to a health credential server;
  
  conducting a communication session between the computer and the health credential server to determine a security state of the computer; and
  
  when it is determined that the computer is in a required security state, receiving a health credential from the health credential server.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, further comprising acts of:
    - sending, from the computer, a network access request to the network access device, wherein the network access request includes the identity information and the health credential; and
      
      receiving, in response to the request, additional network access.
  - 13. The method of claim 11, wherein the act of conducting the communication session between the computer and the health credential server further comprises acts of:
    - sending health information about the computer from the computer to the health credential server;
      
      verifying that the health information complies with a predefined security policy.
  - 14. The method of claim 11, wherein the limited network access includes limited layer 3 network access.
  - 15. The method of claim 11, further comprising acts of:
    - subsequently re-authenticating the computer using the identify information and the health credential.

16. At least one computer readable medium encoded with instructions that, when executed, perform a method of obtaining network access comprising acts of:
- sending, from a computer, a network access request to a network access device, wherein the network access request includes identity information;
  
  receiving, at the computer, in response to the network access request, limited network access, wherein the limited network access permits access to a health credential server;
  
  conducting a communication session between the computer and the health credential server to determine a security state of the computer; and
  
  when it is determined that the computer is in a required security state, receiving a health credential from the health credential server.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The at least one computer readable medium of claim 16, wherein the method further comprises acts of:
    - sending, from the computer, a network access request to the network access device, wherein the network access request includes the identity information and the health credential; and
      
      receiving, in response to the request, additional network access.
  - 18. The at least one computer readable medium of claim 16, wherein the act of conducting the communication session between the computer and the health credential server further comprises acts of:
    - sending health information about the computer from the computer to the health credential server;
      
      verifying that the health information complies with a predefined security policy.
  - 19. The at least one computer readable medium of claim 16, wherein the limited network access includes limited layer 3 network access.
  - 20. The at least one computer readable medium of claim 16, wherein the method further comprises an act of:
    - subsequently providing the identify information and the health credential to the network access device to re-authenticate the computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Aboba, Bernard, Mayfield, Paul

Granted Patent

US 7,636,938 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0892   by using authentication-aut...

H04L 63/1433   Vulnerability analysis

H04W 12/06   Authentication

H04W 12/128   Anti-malware arrangements, ...

Controlling network access

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

306 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling network access

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

306 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links