MAC Authentication Bypass Endpoint Database Access Control
First Claim
1. An information security system, comprising:
a switch comprising a plurality of ports configured to provide network connectivity for one or more endpoint devices to a network; and
a device operably coupled to the switch, comprising:
a memory operable to store:
a device information table comprising MAC addresses of previously authenticated endpoint devices; and
an identity group information table comprising:
a set of device type categories, wherein each device type category is linked with a set of flags that provide device information; and
an access control engine implemented by a processor, configured to:
receive device information for an endpoint device connected to a port of the switch, comprising:
a MAC address for the endpoint device; and
a device type for the endpoint device;
compare the MAC address for the endpoint device to MAC addresses in the device information table;
determine the MAC address for the endpoint device is not present in the device information table based on the comparison;
identify a device type category from the set of device type categories that corresponds with the device type for the endpoint device in response to the determination that the MAC address for the endpoint device is not present in the device information table;
identify one or more flags linked with the identified device type category; and
set a port status for the port where the endpoint device is connected based on the identified one or more flags.
Abstract
An information security system includes a switch operably coupled to a device. The switch includes a plurality of ports configured to provide network connectivity for one or more endpoint devices to a network. The device is configured to receive a MAC address and a device type for an endpoint device. The device is further configured to determine that the MAC address for the endpoint device is not present in a device information table that comprises MAC addresses of previously authenticated endpoint devices, and to identify a device type category, from a set of device type categories, that corresponds with the device type for the endpoint device. The device is further configured to identify one or more flags linked with the identified device type category and to set a port status for the port where the endpoint device is connected based on the identified one or more flags.
1 Citation
20 Claims
1. An information security system, comprising: (claim text as set out under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7

8. An access control method, comprising:
receiving, by an access control engine implemented by a processor, device information for an endpoint device connected to a port of the switch, comprising:
a MAC address for the endpoint device; and
a device type for the endpoint device;
comparing, by the access control engine, the MAC address for the endpoint device to MAC addresses in a device information table, wherein the device information table comprises MAC addresses of previously authenticated endpoint devices;
determining, by the access control engine, the MAC address for the endpoint device is not present in the device information table based on the comparison;
identifying, by the access control engine, a device type category from a set of device type categories identified in an identity group information table that corresponds with the device type for the endpoint device in response to the determination that the MAC address for the endpoint device is not present in the device information table, wherein the identity group information table comprises the set of device type categories that are each linked with a set of flags that provide device information;
identifying, by the access control engine, one or more flags linked with the identified device type category; and
setting, by the access control engine, a port status for a port on a switch where the endpoint device is connected based on the identified one or more flags.
Dependent claims: 9, 10, 11, 12, 13, 14

15. An information security device, comprising:
a memory operable to store:
a device information table comprising MAC addresses of previously authenticated endpoint devices; and
an identity group information table comprising:
a set of device type categories, wherein each device type category is linked with a set of flags that provide device information; and
an access control engine implemented by a processor, configured to:
receive device information for an endpoint device connected to a port of the switch, comprising:
a MAC address for the endpoint device; and
a device type for the endpoint device;
compare the MAC address for the endpoint device to MAC addresses in the device information table;
determine the MAC address for the endpoint device is not present in the device information table based on the comparison;
identify a device type category from the set of device type categories corresponding with the device type for the endpoint device in response to the determination that the MAC address for the endpoint device is not present in the device information table;
identify one or more flags linked with the identified device type; and
set a port status for a port on a switch where the endpoint device is connected based on the identified one or more flags.
Dependent claims: 16, 17, 18, 19, 20
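The independent claims above (1, 8 and 15) describe one decision procedure: look the endpoint's MAC address up in the device information table, and only if it is absent, classify the endpoint by device type category, read the flags linked to that category, and set the port status from the flags. The following Python model is an added illustration of that procedure and is not code from the patent or its assignee. The flag names (`allow`, `restricted`, `deny`), the `PortStatus` values, the device-type-to-category mapping, the MAC normalization step, the decision log and all sample table contents are constructed assumptions; the claims say only that flags "provide device information" and that a port status is "set based on" them. The model fails closed (port shut down) when a device type maps to no category or to a category with no flags, which is the defensive default a practitioner would want for an unknown endpoint.

```python
"""Worked model of the MAC Authentication Bypass decision flow in the claims.

Added illustration, not the patent's own code. Flag names, port-status values,
the device_type_to_category mapping and the sample tables are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class PortStatus(Enum):
    # Assumed port states; the claims only say a status is "set" from the flags.
    AUTHORIZED = "authorized"
    RESTRICTED = "restricted"   # e.g. limited/guest access for the endpoint
    SHUTDOWN = "shutdown"


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC (any separator, any case) so table lookups are exact."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class AccessControlEngine:
    # Device information table: MACs of previously authenticated endpoints (claim element).
    device_info_table: set[str]
    # Identity group information table: device type category -> linked flags (claim element).
    identity_group_table: dict[str, frozenset[str]]
    # Mapping from the reported device type to a category; assumed, not specified by the claims.
    device_type_to_category: dict[str, str]
    # Decision log so each port-status change can be reviewed later; added for illustration.
    log: list[str] = field(default_factory=list)

    def set_port_status(self, port: int, mac: str, device_type: str) -> PortStatus:
        """Return the port status for an endpoint reported on `port` with `mac`/`device_type`."""
        mac = normalize_mac(mac)
        # Step 1: compare the MAC address with the device information table.
        if mac in self.device_info_table:
            self.log.append(f"port {port}: {mac} previously authenticated -> authorized")
            return PortStatus.AUTHORIZED
        # Step 2: MAC absent -> identify the device type category for the reported type.
        category = self.device_type_to_category.get(device_type)
        flags = self.identity_group_table.get(category, frozenset()) if category else frozenset()
        # Step 3: derive the port status from the linked flags; fail closed when none match.
        if "deny" in flags or not flags:
            status = PortStatus.SHUTDOWN
        elif "restricted" in flags:
            status = PortStatus.RESTRICTED
        else:
            status = PortStatus.AUTHORIZED
        self.log.append(
            f"port {port}: {mac} type={device_type!r} category={category!r} "
            f"flags={sorted(flags)} -> {status.value}"
        )
        return status


def build_sample_engine() -> AccessControlEngine:
    """Constructed sample tables (not from the patent) for a runnable demonstration."""
    return AccessControlEngine(
        device_info_table={normalize_mac("00:11:22:33:44:55")},
        identity_group_table={
            "ip_phone": frozenset({"allow"}),
            "printer": frozenset({"allow", "restricted"}),
            "unknown": frozenset({"deny"}),
        },
        device_type_to_category={
            "cisco-ip-phone": "ip_phone",
            "hp-laserjet": "printer",
        },
    )


if __name__ == "__main__":
    engine = build_sample_engine()
    engine.set_port_status(1, "00-11-22-33-44-55", "any")        # known MAC
    engine.set_port_status(2, "aa:bb:cc:dd:ee:01", "cisco-ip-phone")
    engine.set_port_status(3, "aa:bb:cc:dd:ee:02", "hp-laserjet")
    engine.set_port_status(4, "aa:bb:cc:dd:ee:03", "raspberry-pi")  # no category
    print("\n".join(engine.log))
```

Note that an endpoint authorized through its device type category is not added to the device information table here: the claims describe that table as MACs of previously authenticated devices and say nothing about populating it from this path, so the model leaves that policy decision to the operator.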
Specification