Host credentials authorization protocol
First Claim
1. A method for controlling access to a device, the method comprising:
receiving a request for access to the device from a host, wherein the request for access includes host credentials describing a state of the host with respect to its execution of an anti-virus application;
forwarding the request for access from said device to a first server;
initiating a posture validation session between an authentication, authorization and accounting (AAA) server and a posture validation server, said posture validation session utilizing a host credentials authorization protocol (HCAP);
the posture validation server being operated by an application vendor that provides the anti-virus application executed by the host and is utilized to enforce a network access policy requiring a virus scan of the host with the anti-virus application within a predetermined preceding period;
determining whether to allow access by said host to said device by said first server based on a result from said posture validation session, wherein the determining whether to allow access includes:
creating, from the host credentials, one or more attribute-value pairs each containing an attribute and a value of the attribute, each attribute-value pair conveying information pertaining to the state of the host with respect to its execution of the anti-virus application;
creating a posture validation request message and sending the posture validation request message to the posture validation server, the posture validation request message including a Vendor AppType frame including (i) a vendor identifier identifying the vendor, (ii) an application type field describing an anti-virus application type, and (iii) the attribute value pairs created from the host credentials;
receiving a posture validation response message from the posture validation server, the posture validation response message including a result for the posture validation request message, the result providing information pertaining to whether the host is in compliance with the network access policy; and
determining, based on the result in the posture validation response message, whether the host is in compliance with the network access policy; and
when it is determined that access is allowed, allowing access by said host to said device; and
when it is determined that access is not allowed, disabling access by said host to said device.
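The exchange claim 1 describes, with both the AAA-server side and the posture-validation-server side, as an added worked example. This is not code from the patent or from any vendor's HCAP implementation: the JSON framing, the attribute names (`av-last-scan` and friends), the vendor identifier 9999, the application-type code 1 and the 24-hour scan window are all assumptions made for illustration. What the claims leave implicit, and what the example makes concrete, is the fail-closed handling: the AAA server grants access only on an explicit compliant result bound to its own session, and the PVS treats a missing, unparseable, timezone-less or future-dated scan timestamp as non-compliant rather than as compliant.

```python
"""HCAP-style posture validation exchange (illustrative example, not Cisco's wire format).

Roles as in the claims: the AAA server converts host credentials into
attribute-value pairs, wraps them in a Vendor AppType frame inside a posture
validation request, and the posture validation server (PVS), run by the AV
vendor, answers with a result that the AAA server turns into allow/deny.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

# Constructed constants for this example; real vendor IDs and app-type codes differ.
VENDOR_ID_EXAMPLE_AV = 9999          # assumed vendor identifier of the AV vendor running the PVS
APPTYPE_ANTIVIRUS = 1                # assumed application-type code for "anti-virus"
MAX_SCAN_AGE = timedelta(hours=24)   # the policy's "predetermined preceding period"
AV_ATTRIBUTES = ("av-product", "av-version", "av-last-scan", "av-realtime")  # assumed names


def credentials_to_avps(host_credentials: dict) -> dict[str, str]:
    """AAA server: keep only the AV-related attributes, as string attribute-value pairs."""
    return {k: str(host_credentials[k]) for k in AV_ATTRIBUTES if k in host_credentials}


def build_posture_request(session_id: str, host_credentials: dict, vendor_id: int) -> bytes:
    """AAA server: posture validation request carrying one Vendor AppType frame."""
    msg = {
        "msg": "posture-validation-request",
        "session": session_id,
        "vendor-apptype": {
            "vendor-id": vendor_id,
            "app-type": APPTYPE_ANTIVIRUS,
            "avps": credentials_to_avps(host_credentials),
        },
    }
    return json.dumps(msg).encode()  # JSON framing is an assumption of this example


def _response(session_id: str, result: str, reason: str) -> bytes:
    return json.dumps({"msg": "posture-validation-response", "session": session_id,
                       "result": result, "reason": reason}).encode()


def pvs_evaluate(request: bytes, now: datetime) -> bytes:
    """PVS: enforce 'scanned with our AV within MAX_SCAN_AGE'; anything unverifiable is non-compliant."""
    req = json.loads(request)
    session_id = req.get("session", "")
    frame = req.get("vendor-apptype", {})
    if frame.get("vendor-id") != VENDOR_ID_EXAMPLE_AV or frame.get("app-type") != APPTYPE_ANTIVIRUS:
        return _response(session_id, "unknown", "frame not for this vendor/app type")
    last_scan = frame.get("avps", {}).get("av-last-scan")
    if not last_scan:
        return _response(session_id, "non-compliant", "no av-last-scan attribute")
    try:
        scanned_at = datetime.fromisoformat(last_scan)
    except ValueError:
        return _response(session_id, "non-compliant", "unparseable av-last-scan")
    if scanned_at.tzinfo is None:
        return _response(session_id, "non-compliant", "av-last-scan has no timezone")
    age = now - scanned_at
    if age < timedelta(0):
        return _response(session_id, "non-compliant", "av-last-scan is in the future")
    if age > MAX_SCAN_AGE:
        return _response(session_id, "non-compliant", f"last scan {age} ago exceeds {MAX_SCAN_AGE}")
    return _response(session_id, "compliant", "scan within policy window")


def aaa_decide(response: bytes, session_id: str) -> bool:
    """AAA server: allow only on an explicit 'compliant' result bound to this session (fail closed)."""
    try:
        resp = json.loads(response)
    except ValueError:
        return False
    return (resp.get("msg") == "posture-validation-response"
            and resp.get("session") == session_id
            and resp.get("result") == "compliant")


def validate_host(host_credentials: dict, session_id: str, now: datetime) -> tuple[bool, str]:
    """Whole exchange for one host: returns (access allowed?, PVS reason)."""
    request = build_posture_request(session_id, host_credentials, VENDOR_ID_EXAMPLE_AV)
    response = pvs_evaluate(request, now)
    return aaa_decide(response, session_id), json.loads(response)["reason"]


# Constructed sample host credentials, as a device would forward them to the AAA server.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
HOST_RECENT_SCAN = {"av-product": "ExampleAV", "av-version": "7.2",
                    "av-last-scan": "2024-05-01T03:00:00+00:00", "av-realtime": True}
HOST_STALE_SCAN = {"av-product": "ExampleAV", "av-version": "7.2",
                   "av-last-scan": "2024-04-27T03:00:00+00:00", "av-realtime": True}
HOST_NO_SCAN = {"av-product": "ExampleAV", "av-version": "7.2"}

if __name__ == "__main__":
    for name, creds in (("recent", HOST_RECENT_SCAN), ("stale", HOST_STALE_SCAN), ("none", HOST_NO_SCAN)):
        allowed, reason = validate_host(creds, f"sess-{name}", NOW)
        print(f"{name:7s} allowed={allowed} ({reason})")
```

The session binding in `aaa_decide` is the check a practitioner should not skip: a response that carries a compliant result for some other session, or no session at all, must not unlock this host. In the real deployment the AAA-to-PVS channel would additionally be authenticated and encrypted, which this offline example does not model.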
Abstract
A protocol, method, apparatus and computer program product for providing and utilizing a host credential authorization protocol (HCAP) is presented. The protocol is utilized by an AAA server and a posture validation server. The AAA server and the posture validation server are utilized to determine whether a host is allowed access to a device.
31 Citations
15 Claims
1. Claim 1 is set out above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A system comprising:
a host;
a device in communication with said host;
an authentication, authorization and accounting (AAA) server in communication with said device; and
a posture validation server (PVS) in communication with said AAA server, said PVS communicating with said AAA server using a host credentials authorization protocol (HCAP);
the PVS being operated by an application vendor that provides an anti-virus application executed by the host and is utilized to enforce a network access policy requiring a virus scan of the host with the anti-virus application within a predetermined preceding period;
said AAA server and said PVS determine whether said host is allowed access to said device, wherein as part of determining whether the host is allowed access to the device, the AAA server:
receives from the device a request for access including host credentials describing a state of the host with respect to its execution of the anti-virus application;
creates, from the host credentials, one or more attribute-value pairs each containing an attribute and a value of the attribute, each attribute-value pair conveying information pertaining to the state of the host with respect to its execution of the anti-virus application;
creates a posture validation request message and sends the posture validation request message to the PVS, the posture validation request message including a Vendor AppType frame including (i) a vendor identifier identifying the vendor, (ii) an application type field describing an anti-virus application type, and (iii) the attribute-value pairs created from the host credentials;
receives a posture validation response message from the PVS, the posture validation response message including a result for the posture validation request message, the result providing information pertaining to whether the host is in compliance with the network access policy; and
determines, based on the result in the posture validation response message, whether the host is in compliance with the network access policy.
Dependent claims: 12, 13, 14.
15. A system comprising:
means for receiving a request for access to a device from a host;
means for forwarding the request for access from said device to an authentication, authorization and accounting (AAA) server;
means for initiating a posture validation session between said AAA server and a posture validation server, said posture validation session utilizing a host credentials authorization protocol (HCAP);
the posture validation server being operated by an application vendor that provides the anti-virus application executed by the host and is utilized to enforce a network access policy requiring a virus scan of the host with the anti-virus application within a predetermined preceding period;
means for determining whether to allow access by said host to said device by said AAA server based on a result from said posture validation session, wherein the determining means includes:
means for receiving from the device the request for access including host credentials describing a state of the host with respect to its execution of the anti-virus application;
means for creating, from the host credentials, one or more attribute-value pairs each containing an attribute and a value of the attribute, each attribute-value pair conveying information pertaining to the state of the host with respect to its execution of the anti-virus application;
means for creating a posture validation request message and sending the posture validation request message to the posture validation server, the posture validation request message including a Vendor AppType frame including (i) a vendor identifier identifying the vendor, (ii) an application type field describing an anti-virus application type, and (iii) the attribute value pairs created from the host credentials;
means for receiving a posture validation response message from the posture validation server, the posture validation response message including a result for the posture validation request message, the result providing information pertaining to whether the host is in compliance with the network access policy; and
means for determining, based on the result in the posture validation response message, whether the host is in compliance with the network access policy;
when it is determined that access is allowed, means for allowing access by said host to said device; and
when it is determined that access is not allowed, means for disabling access by said host to said device.
Specification