METHOD FOR AUTOMATICALLY APPLYING ACCESS CONTROL POLICIES BASED ON DEVICE TYPES OF NETWORKED COMPUTING DEVICES

US 20140068030A1
Filed: 08/27/2013
Published: 03/06/2014
Est. Priority Date: 08/31/2012
Status: Active Grant

First Claim

Patent Images

1. A system for managing access control policies, comprising:

a management server, residing on server hardware communicatively coupled to a plurality of network access devices over a wide area network (WAN), the management server including;

a Web interface to allow an administrator to login and configure access control policies based on device types of network client devices,an access control policy (ACP) database to store ACPs received from the Web interface,an access control rule (ACR) database to store ACRs mapping device types to one or more ACPs stored in the ACP database, anda first access control module (ACM) to transmit over the Internet the ACPs and the ACRs to the plurality of network access devices to allow the network access devices to apply the ACPs based on the ACRs of their respective network client devices, to receive update information of a first network client device from a first of the network access devices, and to broadcast the update information to a remainder of the network access devices; and

the plurality of network access devices, each including;

a second access control module to download the ACRs and the ACPs from the management server over the Internet, anda device type detector, in response to a request from a network client device to enter a network, to detect a device type of the network client device using one or more device type detection methods, wherein the second access control module is to determine an ACP identifier based on an ACR of the network client device and to apply an ACP selected from the ACPs based on the ACP identifier, and wherein the second access control module is to report at least the selected ACP to the management server to allow the management server to distribute the same to other network access devices.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for managing access control policies are described herein. According to one embodiment, access control policies (ACPs) and access control rules (ACRs) are downloaded from a management server to a network access device (NAD) over the Internet, where the network access device is one of a plurality of network access devices managed by the management server over the Internet. In response to a request from a network client device for entering a network, a device type of the network client device is detected and an ACP identifier is determined based on the device type using the ACRs An ACP is selected from the ACPs based on the ACP identifier and enforced against the network client device. At least the selected ACP is reported to the management server to distribute the selected ACP to other network access devices.

Citations

18 Claims

1. A system for managing access control policies, comprising:
- a management server, residing on server hardware communicatively coupled to a plurality of network access devices over a wide area network (WAN), the management server including;
  
  a Web interface to allow an administrator to login and configure access control policies based on device types of network client devices,an access control policy (ACP) database to store ACPs received from the Web interface,an access control rule (ACR) database to store ACRs mapping device types to one or more ACPs stored in the ACP database, anda first access control module (ACM) to transmit over the Internet the ACPs and the ACRs to the plurality of network access devices to allow the network access devices to apply the ACPs based on the ACRs of their respective network client devices, to receive update information of a first network client device from a first of the network access devices, and to broadcast the update information to a remainder of the network access devices; and
  
  the plurality of network access devices, each including;
  
  a second access control module to download the ACRs and the ACPs from the management server over the Internet, anda device type detector, in response to a request from a network client device to enter a network, to detect a device type of the network client device using one or more device type detection methods, wherein the second access control module is to determine an ACP identifier based on an ACR of the network client device and to apply an ACP selected from the ACPs based on the ACP identifier, and wherein the second access control module is to report at least the selected ACP to the management server to allow the management server to distribute the same to other network access devices.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, wherein the device type detector of each network access device is to detect a device type of a network client device based on a prefix portion of a media access control (MAC) address of the network client device.
  - 3. The system of claim 1, wherein the device type detector of each network access device is to detect a device type of a network access device based on a combination of one or more DHCP options obtained from a DHCP request which is broadcast by the network client device when the network client device attempts to enter the network.
  - 4. The system of claim 1, wherein the device type detector of each network access device is to detect a device type of a network access device based on one or more user agent string patterns obtained from a request originated from a browser running within the network client device, when a user of the network client device attempts to access the Internet using the browser.
  - 5. The system of claim 1, wherein each of the network access devices is to periodically download updates of the ACPs and the ACRs from the management server over the Internet.

6. A method performed by a network access device, comprising:
- downloading access control policies (ACPs) and access control rules (ACRs) from a management server over the Internet, wherein the network access device is one of a plurality of network access devices managed by the management server over the Internet;
  
  in response to a request from a network client device for entering a network, detecting a device type of the network client device;
  
  determining an ACP identifier based on the device type in view of the ACRs;
  
  selecting an ACP from the ACPs based on the ACP identifier;
  
  enforcing the selected ACP against the network client device; and
  
  reporting the selected ACP and the device type and a media access control (MAC) address of the network client device to the management server, wherein the management server is to distribute the selected ACP and the device type of the network client device to other network access devices.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method of claim 6, wherein the device type of the network client device is performed based on a prefix portion of a media access control (MAC) address of the network client device.
  - 8. The method of claim 6, wherein the device type of the network client device is performed based on a combination of one or more DHCP options obtained from a DHCP request which is broadcast by the network client device when the network client device attempts to enter the network.
  - 9. The method of claim 6, wherein the device type of the network client device is performed based on one or more user agent string patterns obtained from a request originated from a browser running within the network client device, when a user of the network client device attempts to access the Internet using the browser.
  - 10. The method of claim 6, further comprising periodically downloading updates of the ACPs and the ACRs from the management server over the Internet.

11. A method performed by a network access device, comprising:
- receiving, at the network access device, a request from a client device for entering a network;
  
  redirecting the request from the network access device to a remote device type detection server to allow the remote device type detection server to detect a device type of the client device;
  
  receiving the device type of the network client device from the remote device type detection server;
  
  transmitting the device type to a management server over the Internet, wherein the network access device is one of a plurality of network access devices managed by the management server;
  
  receiving an access control policy (ACP) from the management server, wherein the ACP is generated by the management server based on the device type; and
  
  enforcing within the network access device the received access control policy against the network client device.
- View Dependent Claims (12, 13, 14)
- - 12. The method of claim 11, wherein the device type of the network client device is performed based on a prefix portion of a media access control (MAC) address of the network client device.
  - 13. The method of claim 11, wherein the device type of the network client device is performed based on a combination of one or more DHCP options obtained from a DHCP request which is broadcast by the network client device when the network client device attempts to enter the network.
  - 14. The method of claim 11, wherein the device type of the network client device is performed based on one or more user agent string patterns obtained from a request originated from a browser running within the network client device, when a user of the network client device attempts to access the Internet using the browser.

15. A method performed by a network access device, comprising:
- receiving, at the network access device, a request from a client device for entering a local area network (LAN) associated with the network access device;
  
  redirecting the request from the network access device to a remote device type detection server to allow the remote device type detection server to detect a device type of the client device, wherein the remote device type detection server is to detect the device type of the network client device and to transmit the device type of the network client device to a management server, wherein the network access device is one of a plurality of network access devices managed by the management server;
  
  receiving at the network access device an access control policy (ACP) from the management server without receiving the device type of the network client device, wherein the management server generates the ACP for the network client device based on the device type of the network client device received from the remote device type detection server; and
  
  enforcing at the network access device the received access control policy against the network client device.
- View Dependent Claims (16, 17, 18)
- - 16. The method of claim 15, wherein the device type of the network client device is performed based on a prefix portion of a media access control (MAC) address of the network client device.
  - 17. The method of claim 15, wherein the device type of the network client device is performed based on a combination of one or more DHCP options obtained from a DHCP request which is broadcast by the network client device when the network client device attempts to enter the network.
  - 18. The method of claim 15, wherein the device type of the network client device is performed based on one or more user agent string patterns obtained from a request originated from a browser running within the network client device, when a user of the network client device attempts to access the Internet using the browser.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Chambers, Benjamin A., Bicket, John

Granted Patent

US 9,197,498 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/220
CPC Class Codes

H04L 41/0803   Configuration setting

H04L 41/0809   Plug-and-play configuration

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/28   Restricting access to netwo...

H04L 63/0876   based on the identity of th...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

METHOD FOR AUTOMATICALLY APPLYING ACCESS CONTROL POLICIES BASED ON DEVICE TYPES OF NETWORKED COMPUTING DEVICES

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD FOR AUTOMATICALLY APPLYING ACCESS CONTROL POLICIES BASED ON DEVICE TYPES OF NETWORKED COMPUTING DEVICES

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links