Host credentials authorization protocol

US 7,512,970 B2
Filed: 07/15/2004
Issued: 03/31/2009
Est. Priority Date: 07/15/2004
Status: Active Grant

First Claim

Patent Images

1. A method for controlling access to a device, the method comprising:

receiving a request for access to the device from a host, wherein the request for access includes host credentials describing a state of the host with respect to its execution of an anti-virus application;

forwarding the request for access from said device to a first server;

initiating a posture validation session between an authentication, authorization and accounting (AAA) server and a posture validation server, said posture validation session utilizing a host credentials authorization protocol (HCAP);

the posture validation server being operated by an application vendor that provides the anti-virus application executed by the host and is utilized to enforce a network access policy requiring a virus scan of the host with the anti-virus application within a predetermined preceding period;

determining whether to allow access by said host to said device by said first server based on a result from said posture validation session, wherein the determining whether to allow access includes;

creating, from the host credentials, one or more attribute-value pairs each containing an attribute and a value of the attribute, each attribute-value pair conveying information pertaining to the state of the host with respect to its execution of the anti-virus application;

creating a posture validation request message and sending the posture validation request message to the posture validation server, the posture validation request message including a Vendor AppType frame including (i) a vendor identifier identifying the vendor, (ii) an application type field describing an anti-virus application type, and (iii) the attribute value pairs created from the host credentials;

receiving a posture validation response message from the posture validation server, the posture validation response message including a result for the posture validation request message, the result providing information pertaining to whether the host is in compliance with the network access policy; and

determining, based on the result in the posture validation response message, whether the host is in compliance with the network access policy; and

when it is determined that access is allowed, allowing access by said host to said device; and

when it is determined that access is not allowed, disabling access by said host to said device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A protocol, method, apparatus and computer program product for providing and utilizing a host credential authorization protocol (HCAP) is presented. The protocol is utilized by an AAA server and a posture validation server. The AAA server and the posture validation server are utilized to determine whether a host is allowed access to a device.

31 Citations

View as Search Results

15 Claims

1. A method for controlling access to a device, the method comprising:
- receiving a request for access to the device from a host, wherein the request for access includes host credentials describing a state of the host with respect to its execution of an anti-virus application;
  
  forwarding the request for access from said device to a first server;
  
  initiating a posture validation session between an authentication, authorization and accounting (AAA) server and a posture validation server, said posture validation session utilizing a host credentials authorization protocol (HCAP);
  
  the posture validation server being operated by an application vendor that provides the anti-virus application executed by the host and is utilized to enforce a network access policy requiring a virus scan of the host with the anti-virus application within a predetermined preceding period;
  
  determining whether to allow access by said host to said device by said first server based on a result from said posture validation session, wherein the determining whether to allow access includes;
  
  creating, from the host credentials, one or more attribute-value pairs each containing an attribute and a value of the attribute, each attribute-value pair conveying information pertaining to the state of the host with respect to its execution of the anti-virus application;
  
  creating a posture validation request message and sending the posture validation request message to the posture validation server, the posture validation request message including a Vendor AppType frame including (i) a vendor identifier identifying the vendor, (ii) an application type field describing an anti-virus application type, and (iii) the attribute value pairs created from the host credentials;
  
  receiving a posture validation response message from the posture validation server, the posture validation response message including a result for the posture validation request message, the result providing information pertaining to whether the host is in compliance with the network access policy; and
  
  determining, based on the result in the posture validation response message, whether the host is in compliance with the network access policy; and
  
  when it is determined that access is allowed, allowing access by said host to said device; and
  
  when it is determined that access is not allowed, disabling access by said host to said device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein said HCAP includes a version negotiation request message, a version negotiation response message, the posture validation request message, and the posture validation response message.
  - 3. The method of claim 2 wherein said version negotiation request message, said version negotiation response message, said posture validation request message, and said posture validation response message are in a format comprising a code field, a request ID field, a length field, a type field, a flags field, a version field and a data field.
  - 4. The method of claim 3 wherein said code field comprises an eight bit field indicating the message is one of a request message and a response message.
  - 5. The method of claim 3 wherein said request ID field comprises a sixteen bit field indicating an identification number for a request.
  - 6. The method of claim 3 wherein said length field comprises a sixteen bit field indicating a number of octets in the message.
  - 7. The method of claim 3 wherein said type field comprises an eight bit field indicating a message type.
  - 8. The method of claim 3 wherein said flag field comprises an eight bit field.
  - 9. The method of claim 3 wherein said version field comprises an eight bit field indicating the version of the HCAP.
  - 10. The method of claim 1 wherein:
    - the result in the posture validation response message includes (i) a result value indicating whether or not the posture validation server was able to successfully process the posture validation request, and (ii) a response VendorAppType frame (response VAF) if the posture validation server was able to successfully process the posture validation request, the response VAF including an application-specific posture token (APT) including the information pertaining to whether the host is in compliance with the network access policy; and
      
      determining whether the host is in compliance with the network access policy comprises processing the result to determine (iii) whether the result value indicates that the posture validation server was able to successfully process the posture validation request, and (iv) whether the response VAF includes the APT.

11. A system comprising:
- a host;
  
  a device in communication with said host;
  
  an authentication, authorization and accounting (AAA) server in communication with said device; and
  
  a posture validation server (PVS) in communication with said AAA server, said PVS communicating with said AAA server using a host credentials authorization protocol (HCAP);
  
  the PVS being operated by an application vendor that provides an anti-virus application executed by the host and is utilized to enforce a network access policy requiring a virus scan of the host with the anti-virus application within a predetermined preceding period;
  
  said AAA server and said PVS determine whether said host is allowed access to said device, wherein as part of determining whether the host is allowed access to the device, the AAA server;
  
  receives from the device a request for access including host credentials describing a state of the host with respect to its execution of the anti-virus application;
  
  creates, from the host credentials, one or more attribute-value pairs each containing an attribute and a value of the attribute, each attribute-value pair conveying information pertaining to the state of the host with respect to its execution of the anti-virus application;
  
  creates a posture validation request message and sends the posture validation request message to the PVS, the posture validation request message including a Vendor AppType frame including (i) a vendor identifier identifying the vendor, (ii) an application type field describing an anti-virus application type, and (iii) the attribute-value pairs created from the host credentials;
  
  receives a posture validation response message from the PVS, the posture validation response message including a result for the posture validation request message, the result providing information pertaining to whether the host is in compliance with the network access policy; and
  
  determines, based on the result in the posture validation response message, whether the host is in compliance with the network access policy.
- View Dependent Claims (12, 13, 14)
- - 12. The system of claim 11 wherein said HCAP includes the posture validation request message, the posture validation response message, a version negotiation request message and a version negotiation response message.
  - 13. The system of claim 12 wherein said posture validation request message, said posture validation response message, said version negotiation request message and said version negotiation response message are in a format comprising a code field, a request ID field, a length field, a type field, a flags field, a version field and a data field.
  - 14. The system of claim 11, wherein:
    - the result in the posture validation response message includes (i) a result value indicating whether or not the posture validation server was able to successfully process the posture validation request, and (ii) a response VendorAppType frame (response VAF) if the posture validation server was able to successfully process the posture validation request, the response VAF including an application-specific posture token (APT) including the information pertaining to whether the host is in compliance with the network access policy; and
      
      the AAA server is operative, when determining whether the host is in compliance with the network access policy, to process the result to determine (iii) whether the result value indicates that the posture validation server was able to successfully process the posture validation request, and (iv) whether the response VAF includes the APT.

15. A system comprising:
- means for receiving a request for access to a device from a host;
  
  means for forwarding the request for access from said device to an authentication, authorization and accounting (AAA) server;
  
  means for initiating a posture validation session between said AAA server and a posture validation server, said posture validation session utilizing a host credentials authorization protocol (HCAP);
  
  the posture validation server being operated by an application vendor that provides the anti-virus application executed by the host and is utilized to enforce a network access policy requiring a virus scan of the host with the anti-virus application within a predetermined preceding period;
  
  means for determining whether to allow access by said host to said device by said AAA server based on a result from said posture validation session, wherein the determining means includes;
  
  means for receiving from the device the request for access including host credentials describing a state of the host with respect to its execution of the anti-virus application;
  
  means for creating, from the host credentials, one or more attribute-value pairs each containing an attribute and a value of the attribute, each attribute-value pair conveying information pertaining to the state of the host with respect to its execution of the anti-virus application;
  
  means for creating a posture validation request message and sending the posture validation request message to the posture validation server, the posture validation request message including a Vendor AppType frame including (i) a vendor identifier identifying the vendor, (ii) an application type field describing an anti-virus application type, and (iii) the attribute value pairs created from the host credentials;
  
  means for receiving a posture validation response message from the posture validation server, the posture validation response message including a result for the posture validation request message, the result providing information pertaining to whether the host is in compliance with the network access policy; and
  
  means for determining, based on the result in the posture validation response message, whether the host is in compliance with the network access policy;
  
  when it is determined that access is allowed, means for allowing access by said host to said device; and
  
  when it is determined that access is not allowed, means for disabling access by said host to said device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Naftali, Amir, Fux, Eitan, Thomson, Susan, Howard, Thomas Gary, Bronshtein, Ilan
Primary Examiner(s)
Moise; Emmanuel L
Assistant Examiner(s)
Khoshnoodi; Nadia

Application Number

US10/891,683
Publication Number

US 20060015724A1
Time in Patent Office

1,720 Days
Field of Search

None
US Class Current

726/4
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/162   at the data link layer

H04L 67/02   based on web technology, e....

Host credentials authorization protocol

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

31 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Host credentials authorization protocol

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links