METHOD AND APPARATUS FOR POLICY-BASED NETWORK ACCESS CONTROL WITH ARBITRARY NETWORK ACCESS CONTROL FRAMEWORKS

US 20140237543A1
Filed: 04/29/2014
Published: 08/21/2014
Est. Priority Date: 12/29/2006
Status: Abandoned Application

First Claim

Patent Images

1. A non-transitory computer readable medium comprising instructions which when executed by one or more processors causes performance of:

receiving a first request;

determining a first set of one or more attributes in a first protocol based on the first request;

translating the first set of attributes from the first protocol to a canonical form;

applying policy rules to the first set of attributes in the canonical form to determine whether to grant the first request;

receiving a second request;

determining a second set of one or more attributes in a second protocol based on the second request, the second protocol being different than the first protocol;

translating the second set of attributes from the second protocol to the canonical form;

applying policy rules to the second set of attributes in the canonical form to determine whether to grant the second request.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for integrating various network access control frameworks under the control of a single policy decision point (PDP). The apparatus supports pluggable protocol terminators to interface to any number of access protocols or backend support services. The apparatus contains Trust and Identity Mediators to mediate between the protocol terminators and a canonical policy subsystem, translating attributes between framework representations, and a canonical representation using extensible data-driven dictionaries.

10 Citations

View as Search Results

12 Claims

1. A non-transitory computer readable medium comprising instructions which when executed by one or more processors causes performance of:
- receiving a first request;
  
  determining a first set of one or more attributes in a first protocol based on the first request;
  
  translating the first set of attributes from the first protocol to a canonical form;
  
  applying policy rules to the first set of attributes in the canonical form to determine whether to grant the first request;
  
  receiving a second request;
  
  determining a second set of one or more attributes in a second protocol based on the second request, the second protocol being different than the first protocol;
  
  translating the second set of attributes from the second protocol to the canonical form;
  
  applying policy rules to the second set of attributes in the canonical form to determine whether to grant the second request.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer readable medium of claim 1, further comprising:
    - based on the first set of attributes in the canonical form, gathering a first information using a first protocol;
      
      translating the first information into the canonical form;
      
      based on the first set of attributes in the canonical form, gathering a second information using a second protocol;
      
      translating the second information into the canonical form.
  - 3. The computer readable medium of claim 1, wherein the first protocol is a RADIUS protocol and wherein the second protocol is a TACACS+ protocol.
  - 4. The computer readable medium of claim 1, wherein the translating of the first set of attributes and translating of the second set of attributes is performed using a single database comprising a plurality of conversion dictionaries.
  - 5. The computer readable medium of claim 1, wherein the translating the first set of attributes and the second set of attributes is performed by a single translation device.

6. A non-transitory computer readable medium comprising instructions which when executed by one or more processors causes performance of:
- receiving a first request;
  
  determining one or more attributes based on the first request;
  
  translating the one or more attributes into a canonical form;
  
  based on the one or more attributes in the canonical form, gathering information from at least two different devices;
  
  translating the information into the canonical form.
- View Dependent Claims (7, 8)
- - 7. The computer readable medium of claim 6, wherein gathering information comprises gathering a first information from a first device using a first protocol and gathering a second information from a second device using a second protocol.
  - 8. The computer readable medium of claim 6, wherein gathering information comprises a single device gathering a first information from a first device using a first protocol and gathering a second information from a second device using a second protocol.

9. A non-transitory computer readable medium comprising instructions which when executed by one or more processors causes performance of:
- receiving a first request;
  
  determining one or more attributes based on the first request;
  
  translating the one or more attributes into a canonical form;
  
  based on the one or more attributes in the canonical form, gathering a first information using a first protocol;
  
  translating the first information into the canonical form;
  
  based on the one or more attributes in the canonical form, gathering a second information using a second protocol;
  
  translating the second information into the canonical form.
- View Dependent Claims (10, 11, 12)
- - 10. The computer readable medium of claim 9, further comprising:
    - applying policy rules to the one or more attributes in the canonical form based on the first information and the second information to determine a policy result.
  - 11. The computer readable medium of claim 9, wherein the translating of the first information and translating of the second information is performed by a single translation device.
  - 12. The computer readable medium of claim 9, wherein the first protocol is an audit protocol and the second protocol is an identity protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Aruba Networks Incorporated (Hewlett-Packard Enterprise Company)
Inventors
Cheeniyil, Santhosh, Prabhakar, Krishna, Fine, Michael

Application Number

US14/265,014
Publication Number

US 20140237543A1
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/102 Entity profiles

H04L 63/20 for managing network securi...

METHOD AND APPARATUS FOR POLICY-BASED NETWORK ACCESS CONTROL WITH ARBITRARY NETWORK ACCESS CONTROL FRAMEWORKS

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

10 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR POLICY-BASED NETWORK ACCESS CONTROL WITH ARBITRARY NETWORK ACCESS CONTROL FRAMEWORKS

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links