Method and Apparatus for Network Access Control (NAC) in Roaming Services

US 20090276827A1
Filed: 04/16/2009
Published: 11/05/2009
Est. Priority Date: 04/30/2008
Status: Active Grant

First Claim

Patent Images

1. A network access control (NAC) method for roaming services applicable to a local network comprising at least a local authentication server, a local security policy server, and a local access device, the method comprising:

authenticating a roaming terminal by the local authentication server, the local authentication server instructing the local access device to apply a roaming quarantine access policy to the roaming terminal after the roaming terminal is authenticated;

the local access device applying the roaming quarantine access policy according to the instruction;

executing a security check on the roaming terminal carried out by the local security policy server, the local security policy server instructing the local access device to apply a roaming secure access policy to the roaming terminal after the roaming terminals passes the security check;

the local access device applying the roaming secure access policy according to the instruction.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention discloses a method and apparatus for network access control (NAC) in roaming services. In embodiments of the present invention, roaming quarantine access policies and roaming secure access policies are defined on access devices to control access of roaming terminals, instead of defining unified access policies on network-wide access devices. Embodiments of the present invention allow each branch network to enforce and update access policies as needed without restrictions of network identification and adaptation, making it easier to implement NAC on a distributed network, and improving NAC development. Embodiments of the present invention provide widely applicable, easy-to-implement NAC solutions for roaming.

Citations

27 Claims

1. A network access control (NAC) method for roaming services applicable to a local network comprising at least a local authentication server, a local security policy server, and a local access device, the method comprising:
- authenticating a roaming terminal by the local authentication server, the local authentication server instructing the local access device to apply a roaming quarantine access policy to the roaming terminal after the roaming terminal is authenticated;
  
  the local access device applying the roaming quarantine access policy according to the instruction;
  
  executing a security check on the roaming terminal carried out by the local security policy server, the local security policy server instructing the local access device to apply a roaming secure access policy to the roaming terminal after the roaming terminals passes the security check;
  
  the local access device applying the roaming secure access policy according to the instruction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein authenticating the roaming terminal comprises:
    - the local authentication server receiving an authentication request from an access terminal, determining that the access terminal is a roaming terminal, and forwarding the authentication request to a separate home authentication server for processing; and
      
      after an “
      
      authentication passed”
      
      message is returned from the separate home authentication server, instructing the local access device to apply the roaming quarantine access policy to the roaming terminal.
  - 3. The method of claim 2, wherein instructing the local access device to apply the roaming quarantine access policy comprises:
    - the local authentication server replacing a home quarantine access policy ID carried in the “
      
      authentication passed”
      
      message sent by the home authentication server with a local quarantine access policy ID before sending the message to the local access device.
  - 4. The method of claim 3, further comprising:
    - the local authentication server replacing an address of a separate home security policy server carried in the received “
      
      authentication passed”
      
      message with an address of the local security policy server, and the roaming terminal using the resulting message to send a security check request to the local security policy server.
  - 5. The method of claim 2, wherein the local authentication server determining that the access terminal is a roaming terminal and forwarding the authentication request to the separate home authentication server comprises:
    - the local authentication server resolving the domain name carried in the authentication request received from the access terminal;
      
      determining that the access terminal is a roaming terminal if the resolved domain name is not the same as the domain name of the local network;
      
      obtaining a network address of the home authentication server from stored mappings between domain names and authentication server addresses; and
      
      sending the authentication request to the home authentication server.
  - 6. The method of claim 2, wherein a home network ID is carried in the authentication request sent by the access terminal;
    - wherein the local authentication server determining that the access terminal is a roaming terminal and forwarding the authentication request to the separate home authentication server comprises;
      
      the local authentication server resolving a home network ID carried in the received authentication request;
      
      determining that the current access terminal is a roaming terminal if the home network ID does not indicate the local network;
      
      obtaining an address of the home authentication server from stored mappings between home network IDs and authentication server addresses; and
      
      sending the authentication request to the home authentication server for processing.
  - 7. The method of claim 6, wherein the home network ID is a prefix or suffix of a user name included in the authentication request.
  - 8. The method of claim 1, wherein executing a security check on the roaming terminal comprises:
    - the local security policy server receiving a security check request from an access terminal, determining that the access terminal is a roaming terminal, forwarding the security check request to a separate home security policy server for processing, and, after receiving a “
      
      check passed”
      
      message returned from the home security policy server, instructing the local access device to apply the roaming secure access policy to the roaming terminal.
  - 9. The method of claim 8, wherein instructing the local access device to apply the roaming secure access policy comprises:
    - the local security policy server replacing an ID of a home secure access policy contained in the “
      
      check passed”
      
      message sent by the home security policy server with an ID of the roaming secure access policy, and sending the resulting “
      
      check passed”
      
      message to the local access device.
  - 10. The method of claim 1, wherein executing a security check on a roaming terminal comprises:
    - the local security policy server receiving a security check request sent by an access terminal that passed authentication, determining that the access terminal is a roaming terminal, carrying out a security check on the roaming terminal based on the preconfigured roaming security check policy, and, after the roaming terminal passes security check, instructing the access device to apply the roaming secure access policy to the roaming terminal.
  - 11. The method of claim 1, wherein applying the roaming quarantine policy comprises applying a roaming quarantine Access Control List (ACL), and applying the roaming secure access policy comprises applying a roaming secure ACL.
  - 12. The method of claim 1, wherein applying the roaming quarantine policy comprises adding the roaming terminal to a roaming quarantine Virtual Local Area Network (VLAN, and applying the roaming secure access policy is adding the roaming terminal to the roaming secure VLAN.
  - 13. The method of claim 1,wherein the authentication server is an Authentication, Authorization, and Accounting (AAA) server;
    - andwherein authenticating the roaming terminal comprises authenticating the roaming terminal through a Remote Authentication Dial In User Service (RADIUS) protocol.

14. An authentication server for authenticating a roaming terminal in a network system implementing network access control (NAC), comprising:
- a processing unit, which, after the roaming terminal passes authentication, configured to inform an execution unit to apply to the roaming terminal a roaming quarantine access policy preconfigured for access terminals that roam to the local network; and
  
  the execution unit, which, after receiving the notification from the processing unit, configured to instruct a local access device to apply to the roaming terminal the preconfigured roaming quarantine access policy.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The authentication server of claim 14, wherein:
    - the processing unit, after receiving an authentication request sent from an access terminal, configured to forward the authentication request to a home authentication server after determining that the access terminal is a roaming terminal, and, after receiving an “
      
      authentication passed”
      
      message sent from the home authentication server, notify the execution unit of the “
      
      authentication passed”
      
      message.
  - 16. The authentication server of claim 15, wherein:
    - the execution unit is configured to replace a quarantine access policy ID in the “
      
      authentication passed”
      
      message received from the home authentication server with a roaming quarantine access policy ID, and send the resulting “
      
      authentication passed”
      
      message to the local access device to instruct the local access device to apply to the roaming terminal the preconfigured roaming quarantine access policy.
  - 17. The authentication server of claim 16, wherein:
    - the execution unit is further configured to replace an address of the home security policy server carried in the received “
      
      authentication passed”
      
      message with an address of the local security policy server, and the resulting message is used by the roaming terminal to send a security check request to the local security policy server.
  - 18. The authentication server of claim 15, wherein the processing unit comprises:
    - a confirmation unit that is configured to obtain a domain name by resolving the received authentication request, confirm that the access terminal is a roaming terminal if the resolved domain name is not the same as the domain name of the local network, and notify an acquisition unit of the result;
      
      the acquisition unit that is configured to, after receiving the notification from the confirmation unit, obtain an address of the home authentication server from stored mappings between domain names and authentication server addresses, send the received authentication request to the home authentication server for processing, and, after the roaming terminal passes authentication, instruct the execution unit to apply to the roaming terminal the preconfigured roaming quarantine access policy.
  - 19. The authentication server of claim 15, wherein the processing unit comprises:
    - a confirmation unit, which obtains a home network ID by resolving the received authentication request, determines that the access terminal is a roaming terminal if the home network ID does not indicate the local network, and notifies an acquisition unit;
      
      the acquisition unit that, after receiving the notification from the confirmation unit, is configured to obtain an address of the home authentication server from stored mappings between home network IDs and authentication server addresses, send the received authentication request to the home authentication server for processing, and, after the roaming terminal passes authentication, instruct the execution unit to apply the roaming quarantine access policy to the roaming terminal.
  - 20. The authentication server of claim 19, wherein:
    - the confirmation unit is configured to resolve a prefix or suffix of a user name carried in the authentication request to obtain the home network ID.
  - 21. The authentication server of claim 14, wherein the authentication server further comprises:
    - a remote authentication unit, which, after receiving an authentication request sent from another authentication server, is configured to carry out authentication based on the received authentication request, and send an authentication result to the another authentication server.
  - 22. The authentication server of claim 14, wherein:
    - the authentication server is an Authentication, Authorization, and Accounting (AAA) server, and the roaming terminal is authenticated through the Remote Authentication Dial In User Service (RADIUS) protocol.

23. A security policy server for executing a security check on a roaming terminal in a NAC network system, comprising;
- a control unit, which notifies an operation unit to deliver to the roaming terminal a roaming secure access policy preconfigured for access terminals that roam to the local network after the roaming terminal passes the security check;
  
  the operation unit, which, after receiving the notification from the control unit, instructs a local access device to deliver the roaming secure access policy to the roaming terminal.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The security policy server of claim 23, wherein:
    - the control unit, after receiving a security check request from an access terminal, forwards the security check request to a separate home security policy server after verifying that the access terminal is a roaming terminal, and, after receiving a “
      
      check passed”
      
      message from the home security policy server, notifies the operation unit of the “
      
      check passed”
      
      message.
  - 25. The security policy server of claim 24, wherein:
    - the operation unit replaces a secure access policy ID in the “
      
      check passed”
      
      message received from the home security policy server with a roaming secure access policy ID, and sends the resulting “
      
      check passed”
      
      message to the local access device to instruct the local access device to apply to the roaming terminal the preconfigured roaming secure access policy.
  - 26. The security policy server of claim 23, further comprising:
    - a remote check unit, which, after receiving a security check request sent from another security policy server, carries out a security check according to the received security check request, and sends a security check result to the requesting another security policy server.
  - 27. The security policy server of claim 23, wherein the control unit, after receiving a security check request from an access terminal, verifies that the access terminal is a roaming terminal, carries out a security check on the roaming terminal based on a roaming security check policy that is preconfigured on the local network for roaming terminals, and, after the roaming terminal passes the security check, notifies the operation unit to apply the roaming secure access policy to the roaming terminal.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
H3C Technologies (USA) Company Limited (Tsinghua Holdings Co., Ltd.)
Inventors
Zheng, Xiongkai

Granted Patent

US 8,161,523 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04W 8/06 Registration at serving net...

Method and Apparatus for Network Access Control (NAC) in Roaming Services

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Method and Apparatus for Network Access Control (NAC) in Roaming Services

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links