802.1X authentication technique for shared media
First Claim
1. A method for implementing port-based network access control at a shared media port in an intermediate node, the shared media port being a physical interface coupled to a plurality of client nodes, the method comprising:
partitioning the shared media port into a plurality of logical subinterfaces, wherein a logical subinterface is a logical division of a physical interface, each logical subinterface dedicated to providing access to a different network or subnetwork accessible through the intermediate node;
receiving a data packet at the shared media port from a first client node;
associating the received data packet with a first logical subinterface in the plurality of logical subinterfaces;
determining whether the first client node is authenticated to communicate over the first logical subinterface's dedicated network or subnetwork;
if the first client node is determined to be authenticated to communicate over the first logical subinterface's dedicated network or subnetwork, forwarding the received data packet over the first logical subinterface's dedicated network or subnetwork;
receiving a second data packet at the shared media port from a second client node;
associating the second received data packet with the first logical subinterface;
determining whether the second client node is authenticated to communicate over the first logical subinterface's dedicated network or subnetwork; and
if the second client node is determined to not be authenticated to communicate over the first logical subinterface's dedicated network or subnetwork, preventing the second received data packet from being forwarded over the first logical subinterface's dedicated network or subnetwork, while still allowing data packets from the first client node to be forwarded if the first client node is determined to be authenticated.
Abstract
The present invention provides a technique for securely implementing port-based authentication on a shared media port in an intermediate node, such as a router. To that end, the invention provides enhanced port-based network access control that includes client-based control at the shared media port. Unlike previous implementations, the port does not permit multiple client nodes to access a trusted subnetwork as soon as a user at any one of those nodes is authenticated by the subnetwork. Instead, port-based authentication is performed for every client node that attempts to access the trusted subnetwork through the shared media port. As such, access to the trusted subnetwork is not compromised by unauthenticated client nodes that “piggy-back” over the shared media port after a user at another client node has been authenticated by the trusted subnetwork.
32 Claims
1. Independent method claim, quoted in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13.
14. An intermediate node for implementing port-based network access control in a network containing a plurality of client nodes, the intermediate node comprising:
a processor;
a shared media port that is a physical interface for receiving a data packet from a first client node, and a second data packet from a second client node, in the plurality of client nodes; and
a memory adapted to store instructions for execution by the processor, at least a portion of the instructions defining a network operating system configured to perform the steps of:
partitioning the shared media port into a plurality of logical subinterfaces, wherein a logical subinterface is a logical division of a physical interface, each logical subinterface dedicated to providing access to a different network or subnetwork accessible through the intermediate node;
associating the data packet received from the first client node with a first logical subinterface in the plurality of logical subinterfaces;
determining whether the first client node is authenticated to communicate over the network or subnetwork to which the first logical subinterface provides dedicated access;
forwarding the received data packet over the first logical subinterface's dedicated network or subnetwork only if the first client node is determined to be authenticated to communicate over that network or subnetwork;
associating the second received data packet with the first logical subinterface;
determining whether the second client node is authenticated to communicate over the first logical subinterface; and
preventing the second received data packet from being forwarded over the first logical subinterface's dedicated network or subnetwork if the second client node is determined to not be authenticated to communicate over that network or subnetwork, while still allowing data packets from the first client node to be forwarded over that network or subnetwork if the first client node is determined to be authenticated.
Dependent claims: 15, 16, 17.
18. An apparatus that implements port-based network access control at a shared media port, the shared media port being a physical interface coupled to a plurality of client nodes, the apparatus comprising:
means for partitioning the shared media port into a plurality of logical subinterfaces, wherein a logical subinterface is a logical division of a physical interface, each logical subinterface dedicated to providing access to a different network or subnetwork accessible through the intermediate node;
means for receiving a data packet at the shared media port from a first client node;
means for associating the received data packet with a first logical subinterface in the plurality of logical subinterfaces;
means for determining whether the first client node is authenticated to communicate over the first logical subinterface's dedicated network or subnetwork;
means for forwarding the received data packet over the first logical subinterface's dedicated network or subnetwork;
means for receiving a second data packet at the shared media port from a second client node;
means for associating the second received data packet with the first logical subinterface;
means for determining whether the second client node is authenticated to communicate over the first logical subinterface's dedicated network or subnetwork; and
means for preventing the second received data packet from being forwarded over the first logical subinterface's dedicated network or subnetwork, while still allowing data packets from the first client node to be forwarded.
Dependent claims: 19, 20, 21, 22, 23.
24. A computer-readable media including instructions for execution by a processor, the instructions for a method of implementing port-based network access control at a shared media port in an intermediate node, the shared media port being a physical interface coupled to a plurality of client nodes, the method comprising the steps:
partitioning the shared media port into a plurality of logical subinterfaces, wherein a logical subinterface is a logical division of a physical interface, each logical subinterface dedicated to providing access to a different network or subnetwork accessible through the intermediate node;
receiving a data packet at the shared media port from a first client node;
associating the received data packet with a first logical subinterface in the plurality of logical subinterfaces;
determining whether the first client node is authenticated to communicate over the first logical subinterface's dedicated network or subnetwork;
if the first client node is determined to be authenticated to communicate over the first logical subinterface's dedicated network or subnetwork, forwarding the received data packet over the first logical subinterface's dedicated network or subnetwork;
receiving a second data packet at the shared media port from a second client node;
associating the second received data packet with the first logical subinterface;
determining whether the second client node is authenticated to communicate over the first logical subinterface's dedicated network or subnetwork; and
if the second client node is determined to not be authenticated to communicate over the first logical subinterface's dedicated network or subnetwork, preventing the second received data packet from being forwarded over the first logical subinterface's dedicated network or subnetwork, while still allowing data packets from the first client node to be forwarded if the first client node is determined to be authenticated.
25. An apparatus comprising:
a shared media port that is a physical interface and has a trusted subinterface configured to provide access to a trusted network or subnetwork and an untrusted subinterface configured to provide access to an untrusted network or subnetwork, wherein a subinterface is a logical division of a physical interface;
an authenticator configured to receive authentication requests from a plurality of client nodes and, in response to the authentication requests, to independently assign to each of the plurality of client nodes an authentication state; and
a media access control (MAC) filter configured to maintain an entry for each client node indicating the authentication state of the client node and a MAC address of the client node, and in response to receipt of a data packet from a particular client node directed to the trusted subinterface, to index to an entry in the MAC filter based on a source MAC address of the data packet, to identify the authentication state of the particular client node stored in the indexed MAC-filter entry, and to determine whether the particular client node is authenticated to communicate over the trusted subinterface, and, if so, to permit the particular client node to access the trusted subinterface, wherein the media access control (MAC) filter grants client nodes access on a client-by-client basis.
Dependent claims: 26, 27, 28.
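The forwarding decision that claims 1 and 25 describe, as an added example that is not the patent's own code: a shared media port split into a trusted and an untrusted logical subinterface, a MAC filter holding one authentication state per client, and a lookup keyed on the source MAC of each packet. A second, port-level variant is included to show the behaviour the abstract contrasts against, where one authenticated user opens the port for every client on the shared medium. All class and function names, and the MAC addresses in the scenario, are assumptions constructed for this illustration.

```python
# Added illustration of per-client port-based access control on a shared
# media port (claims 1 and 25). Not the patent's code; names are assumed.
from enum import Enum


class AuthState(Enum):
    UNAUTHENTICATED = "unauthenticated"
    AUTHENTICATED = "authenticated"


class Packet:
    """A frame arriving at the shared media port (constructed sample type)."""

    def __init__(self, src_mac: str, subinterface: str) -> None:
        self.src_mac = src_mac.lower()       # normalise so lookups are stable
        self.subinterface = subinterface     # "trusted" or "untrusted"


class ClientBasedPort:
    """Shared media port with a MAC filter that grants access client-by-client."""

    def __init__(self) -> None:
        # Logical subinterfaces: name -> whether 802.1X authentication is required.
        self.subinterfaces = {"trusted": True, "untrusted": False}
        # MAC filter: one entry per client node, keyed on the client's MAC address.
        self.mac_filter: dict[str, AuthState] = {}

    def authenticate(self, src_mac: str, credential_ok: bool) -> None:
        """Authenticator assigns an authentication state independently per client."""
        state = AuthState.AUTHENTICATED if credential_ok else AuthState.UNAUTHENTICATED
        self.mac_filter[src_mac.lower()] = state

    def receive(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded over its subinterface, else False."""
        if pkt.subinterface not in self.subinterfaces:
            return False                      # not associated with any subinterface
        if not self.subinterfaces[pkt.subinterface]:
            return True                       # untrusted subinterface: no gate
        # Trusted subinterface: index the MAC filter on the source MAC. A client
        # with no entry has never authenticated and is treated as unauthenticated.
        state = self.mac_filter.get(pkt.src_mac, AuthState.UNAUTHENTICATED)
        return state is AuthState.AUTHENTICATED


class PortLevelPort:
    """The weaker design the abstract contrasts against: one flag for the whole port."""

    def __init__(self) -> None:
        self.port_authorized = False

    def authenticate(self, src_mac: str, credential_ok: bool) -> None:
        if credential_ok:
            self.port_authorized = True       # any one success opens the port

    def receive(self, pkt: Packet) -> bool:
        return pkt.subinterface == "untrusted" or self.port_authorized


CLIENT_A = "00:11:22:33:44:01"   # constructed sample MAC addresses
CLIENT_B = "00:11:22:33:44:02"


def client_based_scenario() -> tuple:
    """Client A authenticates; client B tries to piggy-back on the same port."""
    port = ClientBasedPort()
    port.authenticate(CLIENT_A, credential_ok=True)
    a_trusted = port.receive(Packet(CLIENT_A, "trusted"))      # forwarded
    b_trusted = port.receive(Packet(CLIENT_B, "trusted"))      # no entry: dropped
    b_untrusted = port.receive(Packet(CLIENT_B, "untrusted"))  # untrusted side is open
    port.authenticate(CLIENT_B, credential_ok=False)
    b_failed = port.receive(Packet(CLIENT_B, "trusted"))       # failed auth: dropped
    a_still = port.receive(Packet(CLIENT_A, "trusted"))        # A unaffected by B
    return (a_trusted, b_trusted, b_untrusted, b_failed, a_still)


def port_level_scenario() -> tuple:
    """Same traffic against the port-level design: B rides on A's authentication."""
    port = PortLevelPort()
    port.authenticate(CLIENT_A, credential_ok=True)
    return (port.receive(Packet(CLIENT_A, "trusted")),
            port.receive(Packet(CLIENT_B, "trusted")))


if __name__ == "__main__":
    print("client-based:", client_based_scenario())   # (True, False, True, False, True)
    print("port-level:  ", port_level_scenario())     # (True, True)
```

The two scenarios run the same frames through both designs. The client-based port drops client B's trusted-side traffic whether B has never authenticated or has failed authentication, and A's access is unaffected either way; the port-level design forwards B's traffic as soon as A has authenticated, which is the piggy-back exposure the abstract describes.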
29. A method for implementing port-based network access control at a shared media port in an intermediate node, the shared media port being a physical interface coupled to a plurality of client nodes, the method comprising:
partitioning the shared media port into a plurality of logical subinterfaces by logically dividing the shared media port into subinterfaces, each logical subinterface dedicated to providing access to a different network or subnetwork accessible through the intermediate node;
receiving a data packet at the shared media port from a first client node;
associating the received data packet with a first logical subinterface in the plurality of logical subinterfaces;
determining whether the first client node is authenticated to communicate over the first logical subinterface's dedicated network or subnetwork; and
if the first client node is determined to be authenticated to communicate over the first logical subinterface's dedicated network or subnetwork, forwarding the received data packet over the first logical subinterface's dedicated network or subnetwork.
Dependent claims: 30, 31, 32.