MULTIPLE TIERED NETWORK SECURITY SYSTEM, METHOD AND APPARATUS USING DYNAMIC USER POLICY ASSIGNMENT
First Claim
1. A network access device comprising:
- a memory for storing data packets received on a plurality of input ports; and
- control logic adapted to:
  - examine a first data packet stored in the memory, the first data packet comprising a physical address of a user device;
  - authenticate the physical address;
  - if the authentication of the physical address indicates the physical address is valid, authenticate one or more user credentials in a second data packet stored in the memory after the physical address is authenticated;
  - if the authentication of the one or more user credentials indicates the one or more user credentials are valid, dynamically assign the user policy to the one of the plurality of input ports; and
  - restrict further traffic on the one of the plurality of input ports in accordance with the user policy; and
  - if the authentication of the physical address indicates the physical address is invalid, block traffic on the one of the plurality of ports except for packets related to a user authentication protocol.
Abstract
A multiple key, multiple tiered network security system, method and apparatus provides at least three levels of security. The first level of security includes physical (MAC) address authentication of a user device being attached to the network, such as a user device being attached to a port of a network access device. The second level includes authentication of the user of the user device, such as user authentication in accordance with the IEEE 802.1x standard. The third level includes dynamic assignment of a user policy to the port based on the identity of the user, wherein the user policy is used to selectively control access to the port. The user policy may identify or include an access control list (ACL) or MAC address filter. Also, the user policy is not dynamically assigned if insufficient system resources are available to do so. Failure to pass a lower security level results in a denial of access to subsequent levels of authentication.
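The three tiers described in the abstract and claims can be modelled as a per-port state machine: a port passes nothing but authentication-protocol (EAPOL) packets until the device MAC and then the user credentials are accepted, after which the user's policy is bound to the port and every later packet is checked against it. The following is an added illustration, not code from the patent; the MAC allow-list, user database, ACL contents, the `policy_slots` resource counter and the behaviour when no resources remain are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional
EAPOL_ETHERTYPE = 0x888E  # IEEE 802.1X authentication frames (EAPOL)
@dataclass
class Frame:
    src_mac: str
    ethertype: int
    credentials: Optional[tuple] = None  # (user, password); present only on the 802.1X credential frame
@dataclass
class PortState:
    mac_ok: bool = False            # tier 1 (physical address) passed
    user: Optional[str] = None      # tier 2 (user credentials) passed
    policy: Optional[set] = None    # tier 3: permitted ethertypes (the user's ACL) bound to the port
class AccessDevice:
    def __init__(self, known_macs, users, policies, policy_slots):
        self.known_macs = set(known_macs)  # tier 1 allow-list of device MACs (constructed)
        self.users = users                 # tier 2: user -> password (constructed)
        self.policies = policies           # tier 3: user -> set of permitted ethertypes
        self.policy_slots = policy_slots   # system resources left for dynamic policy assignment
        self.ports: dict = {}
    def handle(self, port: int, frame: Frame) -> str:
        st = self.ports.setdefault(port, PortState())
        # until both lower tiers pass, the port carries only authentication-protocol packets
        deny = "AUTH_ONLY" if frame.ethertype == EAPOL_ETHERTYPE else "BLOCKED"
        if not st.mac_ok:  # tier 1: the first packet is examined for the device's physical address
            if frame.src_mac not in self.known_macs:
                return deny
            st.mac_ok = True
            return "MAC_AUTHENTICATED"
        if st.user is None:  # tier 2: reached only after tier 1 succeeded
            if frame.ethertype != EAPOL_ETHERTYPE or frame.credentials is None:
                return deny
            user, password = frame.credentials
            if self.users.get(user) != password:
                return "CREDENTIALS_REJECTED"
            if self.policy_slots <= 0:  # insufficient resources: no policy is assigned and the
                return "NO_POLICY_RESOURCES"  # port stays at tier 2 (assumption; the patent is silent)
            self.policy_slots -= 1
            st.user, st.policy = user, self.policies[user]
            return "POLICY_ASSIGNED"
        # tier 3: further traffic on the port is restricted by the dynamically assigned user policy
        return "FORWARDED" if frame.ethertype in st.policy else "DROPPED_BY_POLICY"
def demo() -> list:
    """Constructed walk-through: known device and valid user on port 1, unknown device on port 2."""
    dev = AccessDevice({"00:11:22:33:44:55"}, {"alice": "s3cret"}, {"alice": {0x0800}}, policy_slots=1)
    good, bad = "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    frames = [(1, Frame(good, EAPOL_ETHERTYPE)), (1, Frame(good, EAPOL_ETHERTYPE, ("alice", "s3cret"))),
              (1, Frame(good, 0x0800)), (1, Frame(good, 0x86DD)), (2, Frame(bad, 0x0800)),
              (2, Frame(bad, EAPOL_ETHERTYPE))]
    return [dev.handle(p, f) for p, f in frames]
```

`demo()` shows IPv4 being forwarded and IPv6 dropped on the policy-bound port, while the unknown device's port only ever passes EAPOL.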
115 Citations
26 Claims
1. A network access device comprising:
- a memory for storing data packets received on a plurality of input ports; and control logic adapted to: examine a first data packet stored in the memory, the first data packet comprising a physical address of a user device; authenticate the physical address; if the authentication of the physical address indicates the physical address is valid, authenticate one or more user credentials in a second data packet stored in the memory after the physical address is authenticated; if the authentication of the one or more user credentials indicates the one or more user credentials are valid, dynamically assign the user policy to the one of the plurality of input ports; and restrict further traffic on the one of the plurality of input ports in accordance with the user policy; and if the authentication of the physical address indicates the physical address is invalid, block traffic on the one of the plurality of ports except for packets related to a user authentication protocol.
- Dependent claims: 2 to 13.

14. A computer implemented method comprising:
- at a network access device comprising a plurality of input ports, examining a first data packet stored in a memory of the device, the first data packet comprising a physical address of a user device; authenticating the physical address; if the authentication of the physical address indicates the physical address is valid, authenticating one or more user credentials in a second data packet stored in the memory after the physical address is authenticated; if the authentication of the one or more user credentials indicates the one or more user credentials are valid, dynamically assigning the user policy to the one of the plurality of input ports and restricting further traffic on the port in accordance with the user policy; and if the authentication of the physical address indicates the physical address is invalid, blocking traffic on the one of the plurality of ports except for packets related to a user authentication protocol.
- Dependent claims: 15 to 24.

25. An apparatus comprising:
- a memory for storing data packets received on a plurality of input ports; means for examining a first data packet stored in the memory, the first data packet comprising a physical address of a user device; means for authenticating the physical address; means for, if the authentication of the physical address indicates the physical address is valid, authenticating one or more user credentials in a second data packet stored in the memory after the physical address is authenticated; means for, if the authentication of the one or more user credentials indicates the one or more user credentials are valid, dynamically assigning the user policy to the one of the plurality of input ports and restricting further traffic on the port in accordance with the user policy; and means for, if the authentication of the physical address indicates the physical address is invalid, blocking traffic on the one of the plurality of ports except for packets related to a user authentication protocol.

26. A program storage device readable by a machine, embodying a program of instructions executable by the machine to perform a method, the method comprising:
- at a network access device comprising a plurality of input ports, examining a first data packet stored in a memory of the device, the first data packet comprising a physical address of a user device; authenticating the physical address; if the authentication of the physical address indicates the physical address is valid, authenticating one or more user credentials in a second data packet stored in the memory after the physical address is authenticated; if the authentication of the one or more user credentials indicates the one or more user credentials are valid, dynamically assigning the user policy to the one of the plurality of input ports and restricting further traffic on the port in accordance with the user policy; and if the authentication of the physical address indicates the physical address is invalid, blocking traffic on the one of the plurality of ports except for packets related to a user authentication protocol.
Specification