METHOD AND APPARATUS FOR POLICY-BASED NETWORK ACCESS CONTROL WITH ARBITRARY NETWORK ACCESS CONTROL FRAMEWORKS

US 20080163340A1
Filed: 12/28/2007
Published: 07/03/2008
Est. Priority Date: 12/29/2006
Status: Active Grant

First Claim

Patent Images

1. A method of assessing network access to a client in a communication network, the method comprising:

receiving a request to access the network from the client;

invoking an appropriate access protocol terminator;

receiving at least one attribute about the client from the appropriate access protocol terminator;

translating the at least one attribute into a canonical form; and

using the at least one attribute in canonical form to determine a service type.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for integrating various network access control frameworks under the control of a single policy decision point (PDP). The apparatus supports pluggable protocol terminators to interface to any number of access protocols or backend support services. The apparatus contains Trust and Identity Mediators to mediate between the protocol terminators and a canonical policy subsystem, translating attributes between framework representations, and a canonical representation using extensible data-driven dictionaries.

Citations

26 Claims

1. A method of assessing network access to a client in a communication network, the method comprising:
- receiving a request to access the network from the client;
  
  invoking an appropriate access protocol terminator;
  
  receiving at least one attribute about the client from the appropriate access protocol terminator;
  
  translating the at least one attribute into a canonical form; and
  
  using the at least one attribute in canonical form to determine a service type.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the method is implemented with a plurality of clients, the plurality of clients each having one or more network access control frameworks.
  - 3. The method of claim 1 further comprising:
    - translating any requests for information for implementing service type rules into a framework specific form understood by the client;
      
      receiving any service type information from the client; and
      
      translating the any service type information from the client into the canonical form.
  - 4. The method of claim 1 further comprising:
    - determining an access policy result; and
      
      delivering the access policy result to the client.
  - 5. The method of claim 1 further comprising implementing access to the network with a single policy system and associated set of rules regardless of a number of network access control frameworks utilized.
  - 6. The method of claim 1 further comprising making network access requests from an environment having a plurality of network access control frameworks.
  - 7. The method of claim 1 wherein the step of translating the at least one attribute into a canonical form further comprises utilizing extensible data-driven dictionaries.
  - 8. The method of claim 1 further comprising controlling an integration of various network access control frameworks with a single policy decision point.
  - 9. The method of claim 1 further comprising selecting pluggable protocol terminators to interface to a plurality of access protocols or backend support services.

10. A computer readable medium having embodied thereon a program, the program being executable by a machine to perform a method to grant access to a client in a communication network, the method comprising:
- receiving a request to access the network from the client;
  
  invoking an appropriate access protocol terminator;
  
  receiving at least one attribute about the client from the appropriate access protocol terminator;
  
  translating the at least one attribute into a canonical form; and
  
  using the at least one attribute in canonical form to determine a service type.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer readable medium of claim 10 wherein the method is implemented with a plurality of clients, the plurality of clients each having one or more network access control frameworks.
  - 12. The computer readable medium of claim 10 wherein the method further comprises:
    - translating any requests for information for implementing service type rules into a framework specific form understood by the client;
      
      receiving any service type information from the client; and
      
      translating the any service type information from the client into the canonical form.
  - 13. The computer readable medium of claim 10 wherein the method further comprises:
    - determining an access policy result; and
      
      delivering the access policy result to the client.
  - 14. The computer readable medium of claim 10 wherein the method further comprises implementing access to the network with a single policy system and associated set of rules regardless of a number of network access control frameworks utilized.
  - 15. The computer readable medium of claim 10 wherein the method further comprises making network access requests from an environment having a plurality of network access control frameworks.
  - 16. The computer readable medium of claim 10 wherein the step of translating the at least one attribute into a canonical form further comprises using extensible data-driven dictionaries.
  - 17. The computer readable medium of claim 10 wherein the method further comprises controlling an integration of various network access control frameworks with a single policy decision point.
  - 18. The computer readable medium of claim 10 wherein the method further comprises selecting pluggable protocol terminators to interface to a plurality of access protocols or backend support services.

19. A system to grant network access to a client in a communication network, the system comprising:
- a client protocol terminator configured to be coupled through a network access device to a remote client;
  
  an access attribute translation device coupled to the client protocol terminator and configured to translate attributes from a first framework representation into a canonical representation; and
  
  a policy database coupled to the access attribute translation device and configured to store protocol attributes relating to a plurality of frameworks.
- View Dependent Claims (20, 21, 22)
- - 20. The system of claim 19 further comprising a policy subsystem coupled to the access attribute translation device and the policy database, the policy subsystem having a plurality of rules engine pipeline stages.
  - 21. The system of claim 19 further comprising:
    - a service protocol terminator configured to be coupled to one or more backend service devices; and
      
      a service attribute translation device coupled to the policy database and the service protocol terminator, the service attribute translation device being configured to translate attributes from a second framework representation to the canonical representation.
  - 22. The system of claim 19 further comprising a single policy decision point configured to control an integration of a plurality of network access control frameworks.

23. A system to grant network access to a client in a communication network, the system comprising:
- a client protocol terminator means for coupling to a remote client;
  
  an access attribute translation means for translating attributes from a first framework representation into a canonical representation; and
  
  a protocol storage means for storing protocol attributes relating to a plurality of frameworks.
- View Dependent Claims (24, 25, 26)
- - 24. The system of claim 23 further comprising a policy subsystem coupled to the access attribute translation means and the protocol storage means, the policy subsystem having a plurality of rules engine pipeline stages.
  - 25. The system of claim 23 further comprising:
    - a service protocol terminator means for coupling to one or more backend service devices; and
      
      a service attribute translation means for translating attributes from a second framework representation into the canonical representation.
  - 26. The system of claim 23 further comprising a single policy decision means for controlling an integration of a plurality of network access control frameworks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Avenda Systems Incorporated (Hewlett-Packard Enterprise Company)
Inventors
Fine, Michael, Prabhakar, Krishna, Cheeniyil, Santhosh

Granted Patent

US 8,245,281 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

H04L 63/102 Entity profiles

H04L 63/20 for managing network securi...

METHOD AND APPARATUS FOR POLICY-BASED NETWORK ACCESS CONTROL WITH ARBITRARY NETWORK ACCESS CONTROL FRAMEWORKS

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR POLICY-BASED NETWORK ACCESS CONTROL WITH ARBITRARY NETWORK ACCESS CONTROL FRAMEWORKS

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links