Identity Propagation
Abstract
In one implementation, identity based security features and policies are applied to endpoint devices behind an intermediary device, such as a network address translation device. The access network switch authenticates an endpoint based on a user identity and a credential. A hypertext transfer protocol (HTTP) packet is generated or modified to include the user identity in an inline header. The HTTP packet including the user identity is sent to a policy enforcement device to look up one or more policies for the endpoint. The access switch receives traffic from the policy enforcement device that is filtered according to the user identity. Subsequent TCP connections may also include identity information within the TCP USER_HINT option in a synchronization packet, thus allowing identity propagation for other applications and protocols.
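The following is an added simulation of the mechanism the abstract and claims 16 and 19 describe; it is not code from the patent or from any product that implements it. The access switch authenticates an endpoint, keeps a session table (session id and source IP mapped to user identity), inserts the identity as an inline HTTP header, and emits a TCP option TLV that carries the session id for later connections; the policy enforcement device resolves the identity from either and filters by a per-user policy. The header name X-User-Identity, the option kind 253, the TLV layout and the credential and policy tables are assumptions, since the page specifies none of them. Two checks a practitioner would want are included: the switch strips any identity header the client sent itself before inserting its own (otherwise an endpoint could name any identity), and the session-id lookup is bound to the packet's source IP as claim 16 states, so a session id replayed from another host resolves to nothing.

```python
import struct
from dataclasses import dataclass

# Assumed names: the page gives neither the inline header name nor the option kind.
IDENTITY_HEADER = b"X-User-Identity"
TCP_OPT_USER_HINT = 253  # experimental option kind (RFC 4727), a placeholder only


@dataclass
class Session:
    session_id: int
    user_identity: str
    src_ip: str


class AccessSwitch:
    """Access switch side: authenticate, remember identity per IP and session, tag traffic."""
    def __init__(self, credentials):
        self.credentials = credentials  # constructed user -> secret table
        self.by_ip = {}                 # source IP -> Session
        self.by_session = {}            # session id -> Session (the memory of claim 19)
        self._next_id = 1

    def authenticate(self, src_ip, user_identity, credential):
        if self.credentials.get(user_identity) != credential:
            return None
        sess = Session(self._next_id, user_identity, src_ip)
        self._next_id += 1
        self.by_ip[src_ip] = sess
        self.by_session[sess.session_id] = sess
        return sess

    def tag_http_request(self, src_ip, request):
        """Insert the identity as an inline header. Any client-supplied copy of the
        header is stripped first; otherwise the endpoint could claim any identity."""
        head, sep, body = request.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        kept = [lines[0]] + [h for h in lines[1:]
                             if not h.lower().startswith(IDENTITY_HEADER.lower() + b":")]
        sess = self.by_ip.get(src_ip)
        if sess is not None:
            kept.append(IDENTITY_HEADER + b": " + sess.user_identity.encode())
        return b"\r\n".join(kept) + sep + body

    def user_hint_option(self, src_ip):
        """TCP option TLV (kind, length, session id) carried in the SYN of later connections."""
        value = struct.pack("!I", self.by_ip[src_ip].session_id)
        return struct.pack("!BB", TCP_OPT_USER_HINT, 2 + len(value)) + value


def parse_user_hint(options):
    """Walk the TCP options field; return the session id from USER_HINT, else None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # end of option list
            return None
        if kind == 1:                      # no-op padding
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None                    # malformed: never act on a partial hint
        if kind == TCP_OPT_USER_HINT and length == 6:
            return struct.unpack("!I", options[i + 2:i + 6])[0]
        i += length
    return None


class PolicyEnforcementDevice:
    """Policy enforcement/decision side: resolve the identity, then allow or drop."""
    def __init__(self, switch, policy):
        self.switch = switch  # its session table stands in for the identity database of claim 16
        self.policy = policy  # constructed: user identity -> set of permitted destination hosts

    def identity_from_session(self, session_id, src_ip):
        """Look up by session id, bound to the packet's source IP (claim 16), so a
        session id replayed from another host resolves to nothing."""
        sess = self.switch.by_session.get(session_id)
        if sess is None or sess.src_ip != src_ip:
            return None
        return sess.user_identity

    def identity_from_http(self, request):
        head = request.split(b"\r\n\r\n", 1)[0]
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == IDENTITY_HEADER.lower():
                return value.strip().decode()
        return None

    def allow(self, user_identity, dst_host):
        return user_identity is not None and dst_host in self.policy.get(user_identity, set())

    def filter_http(self, request, dst_host):
        return self.allow(self.identity_from_http(request), dst_host)

    def filter_syn(self, options, src_ip, dst_host):
        return self.allow(self.identity_from_session(parse_user_hint(options), src_ip), dst_host)
```

In a real deployment the inline header is only trustworthy on the path between the switch and the policy enforcement device; any other ingress into that device must drop or reject the header, and the same applies to the TCP option, which is why the lookup above refuses a session id that does not match the source IP it was issued to.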
20 Claims
1. A method comprising:
authenticating an endpoint based on a user identity and a credential;
generating a hypertext transfer protocol (HTTP) packet including the user identity;
sending the HTTP packet including the user identity to a policy enforcement device; and
receiving traffic from the policy enforcement device, wherein the traffic is filtered according to the user identity.
(Dependent claims 2 to 8)

9. An apparatus comprising:
a communication interface configured to receive a transmission control protocol (TCP) packet from a host device; and
a controller configured to access a user identity based on the TCP packet from the host device and insert the user identity into the TCP packet for a policy enforcement device, wherein the user identity is defined by a preceding hypertext transfer protocol packet received from the host device, and wherein traffic is filtered according to the user identity by the policy enforcement device.
(Dependent claims 10 to 15)

16. A method comprising:
receiving a packet including a session identification value;
extracting the session identification value from the packet;
querying an identity database using the session identification value to access user identity information for a source of the packet according to an internet protocol (IP) address of the source of the packet;
generating a web security packet comprising a header including the user identity information; and
forwarding the web security packet to a policy decision point.
(Dependent claims 17 and 18)

19. An apparatus comprising:
a memory configured to store session identification values in association with user identities;
a processor configured to extract a user identity from a hypertext transfer protocol (HTTP) packet and generate a web security packet comprising a header including the user identity; and
a communication device configured to forward the web security packet to a policy decision point.
(Dependent claim 20)