Multiple tiered network security system, method and apparatus using dynamic user policy assignment
Abstract
A multiple key, multiple tiered network security system, method and apparatus provides at least three levels of security. The first level of security includes physical (MAC) address authentication of a user device being attached to the network, such as a user device being attached to a port of a network access device. The second level includes authentication of the user of the user device, such as user authentication in accordance with the IEEE 802.1x standard. The third level includes dynamic assignment of a user policy to the port based on the identity of the user, wherein the user policy is used to selectively control access to the port. The user policy may identify or include an access control list (ACL) or MAC address filter. Also, the user policy is not dynamically assigned if insufficient system resources are available to do so. Failure to pass a lower security level results in a denial of access to subsequent levels of authentication.
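As an added illustration (not code from the patent or its assignee), the following Python models the tiered decision the abstract describes: physical-address authentication first, then user credentials, then dynamic policy assignment only while system resources remain, with everything except the user authentication protocol blocked on the port until a policy is in place. The class and function names, the MAC list, the credential and policy tables and the resource cap are all constructed assumptions.

```python
"""Added example, not from the patent: a model of its three-tier port access control."""
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

AUTH_PROTOCOL = "eapol"   # frames of the user authentication protocol always pass

@dataclass
class Policy:
    vlan: int
    allowed_dst: FrozenSet[str]   # user policy expressed as a MAC address filter

@dataclass
class PortState:
    mac_ok: bool = False              # level 1 (physical address) passed
    policy: Optional[Policy] = None   # set only after level 3 succeeds

class AccessSwitch:
    def __init__(self, known_macs, credentials, policies, vlans, policy_slots):
        self.known_macs = {m.lower() for m in known_macs}
        self.credentials, self.policies = dict(credentials), dict(policies)
        self.vlans = set(vlans)
        self.policy_slots = policy_slots   # system resources left for dynamic policies
        self.ports: Dict[int, PortState] = {}

    def port(self, n: int) -> PortState:
        return self.ports.setdefault(n, PortState())

    def tier1_mac(self, n: int, src_mac: str) -> str:
        """Level 1: authenticate the physical (MAC) address seen on port n."""
        st = self.port(n)
        st.mac_ok = src_mac.lower() in self.known_macs
        return "proceed" if st.mac_ok else "drop"

    def tier2_user(self, n: int, user: str, password: str) -> str:
        """Levels 2 and 3: user credentials, then a dynamic policy if resources allow."""
        st = self.port(n)
        if not st.mac_ok:                  # lower level failed: later levels are denied
            return "drop"
        expected = self.credentials.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return "block_except_auth"
        pol = self.policies.get(user)
        if pol is None or pol.vlan not in self.vlans:   # no supported VLAN: port default VLAN
            return "block_except_auth"
        if self.policy_slots <= 0:         # insufficient system resources: no policy assigned
            return "block_except_auth"
        self.policy_slots -= 1
        st.policy = pol
        return "policy_assigned"

    def filter_frame(self, n: int, proto: str, dst_mac: str) -> str:
        """Data-plane decision for a frame arriving on port n."""
        st = self.port(n)
        if proto == AUTH_PROTOCOL:
            return "forward"
        if not st.mac_ok or st.policy is None:
            return "block"
        return "forward" if dst_mac.lower() in st.policy.allowed_dst else "block"

def build_sample_switch() -> AccessSwitch:
    """Constructed sample tables; a real device would consult a RADIUS server."""
    return AccessSwitch(known_macs=["00:11:22:33:44:55"],
                        credentials={"alice": "s3cret"},
                        policies={"alice": Policy(10, frozenset({"aa:bb:cc:dd:ee:ff"}))},
                        vlans=[10], policy_slots=1)
```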
49 Claims
1. A network access device comprising:
a plurality of input ports;
a memory for storing data packets received on the plurality of input ports;
a switching fabric configured for packet switching of the data packets to at least one output port; and
control logic adapted to:
examine a first data packet comprising a physical address of a user device coupled to one of the plurality of input ports;
authenticate the physical address;
if the authentication of the physical address indicates the physical address is valid, authenticate one or more user credentials provided in a second data packet by a user of the user device after the physical address is authenticated;
if the authentication of the one or more user credentials indicates the one or more user credentials are valid, determine if the network access device has sufficient system resources to dynamically configure a user policy;
if the determination indicates the network access device has sufficient system resources, dynamically assign the user policy to the one of the plurality of input ports; and
restrict further traffic on the one of the plurality of input ports in accordance with the user policy; and
if the authentication of the physical address indicates the physical address is invalid, or if the determination indicates insufficient system resources, block traffic on the one of the plurality of ports except for packets related to a user authentication protocol.
2. The network access device of claim 1, wherein the physical address comprises a Media Access Control (MAC) address.

3. The network access device of claim 1, wherein the control logic is adapted to authenticate the user information in accordance with an IEEE 802.1x protocol.

4. The network access device of claim 1, wherein the user policy identifies an access control list.

5. The network access device of claim 1, wherein the user policy includes an access control list.

6. The network access device of claim 1, wherein the user policy identifies a Media Access Control (MAC) address filter.

7. The network access device of claim 1, wherein the user policy includes a Media Access Control (MAC) address filter.

8. The network access device of claim 1, wherein the control logic is adapted to send the one or more user credentials to an authentication server and to receive an accept message from the authentication server if the user information is valid.

9. The network access device of claim 8, wherein the authentication server comprises a Remote Authentication Dial-In User Service (RADIUS) server.

10. The network access device of claim 8, wherein the accept message includes the user policy.

11. The network access device of claim 1, wherein the control logic is further adapted to assign the one of the plurality of input ports to a virtual local area network (VLAN) associated with the one or more user credentials if the one or more user credentials are valid.

12. The network access device of claim 11, wherein the control logic is adapted to receive a message from an authentication server, wherein the message comprises a VLAN identifier (ID) associated with the one or more user credentials, and to assign the one of the plurality of input ports to a VLAN associated with the VLAN ID.

13. The network access device of claim 2 wherein the control logic is further configured to:
if authentication of the MAC address indicates the MAC address is invalid, drop packets from the user device; or disable the port;
if authentication of user information indicates the user information is valid, determine whether the user is associated with a VLAN supported by the network access device;
if the user is not associated with the VLAN, assign the port to a port default VLAN; and block all traffic on the port except for packets related to the user authentication protocol; and
if the user is associated with the VLAN, assign the port to the VLAN associated with the user; and forward packets from the user device.

14. The device of claim 1 wherein the user information comprises a user name and a password.

15. The network access device of claim 1 wherein the control logic is further adapted to:
if the authentication of the user information indicates the user information is invalid, block all traffic on the one of the plurality of input ports except for packets related to a user authentication protocol.

16. A computer implemented method for providing network security, the method comprising:
at a network access device comprising a plurality of input ports and configured for packet switching of data packets, examining a first data packet comprising a physical address of a user device coupled to one of the plurality of input ports;
authenticating the physical address;
if the authentication of the physical address indicates the physical address is valid, authenticating one or more user credentials provided in a second data packet by a user of the user device after the physical address is authenticated;
if the authentication of the one or more user credentials indicates the one or more user credentials are valid, determining if the network access device has sufficient system resources to dynamically configure a user policy;
if the determining indicates sufficient system resources, dynamically assigning the user policy to the one of the plurality of input ports and restricting further traffic on the port in accordance with the user policy; and
if the authentication of the physical address indicates the physical address is invalid, or if the determining indicates insufficient system resources, blocking traffic on the one of the plurality of ports except for packets related to a user authentication protocol.
17. The method of claim 16, wherein the authenticating a physical address comprises authenticating a Media Access Control (MAC) address.

18. The method of claim 16, wherein the authenticating the user information comprises authenticating the user information in accordance with an IEEE 802.1x protocol.

19. The method of claim 16, wherein the restricting access comprises restricting access to the one of the plurality of input ports in accordance with an access control list.

20. The method of claim 16, wherein the restricting access comprises restricting access to the one of the plurality of input ports in accordance with a Media Access Control (MAC) address filter.

21. The method of claim 16, wherein the authenticating the user information comprises:
sending the one or more user credentials to an authentication server; and
receiving an accept message from the authentication server if the one or more user credentials are valid.

22. The method of claim 21, wherein the authentication server comprises a Remote Authentication Dial-In User Service (RADIUS) server.

23. The method of claim 21, wherein the receiving an accept message comprises receiving an accept message that includes the user policy.

24. The method of claim 16, further comprising:
assigning the port to a virtual local area network (VLAN) associated with the one or more user credentials only if the one or more user credentials are valid.

25. The method of claim 24, wherein the assigning the port to a VLAN comprises:
receiving a message from an authentication server, wherein the message comprises a VLAN identifier (ID) associated with the user information; and
assigning the port to a VLAN associated with the VLAN ID.

26. The method of claim 17, further comprising:
if the authenticating of the MAC address indicates the MAC address is invalid, dropping packets from the user device; or disabling the port;
if the authenticating user information indicates the user information is valid, determining whether the user is associated with a VLAN supported by the network access device;
if the determining indicates the user is not associated with the VLAN, assigning the port to a port default VLAN; and blocking all traffic on the port except for packets related to the user authentication protocol; and
if the determining indicates the user is associated with the VLAN, assigning the port to the VLAN associated with the user; and forwarding packets from the user device.

27. The method of claim 16 wherein the user information comprises a user name and a password.

28. The method of claim 16, further comprising:
if the authentication of the user information indicates the user information is invalid, blocking all traffic on the one of the plurality of input ports except for packets related to a user authentication protocol.
29. A network system, comprising:
a network access device comprising a plurality of input ports and configured for packet switching of data packets in a data communications network; and
a user device coupled to a port of the network access device;
wherein the network access device is adapted to:
examine a first data packet comprising a physical address of a user device coupled to one of the plurality of input ports;
authenticate the physical address;
if the authentication of the physical address indicates the physical address is valid, authenticate one or more user credentials provided in a second data packet by a user of the user device after the physical address is authenticated;
if the authentication of the one or more user credentials indicates the one or more user credentials are valid, determine if the network access device has sufficient system resources to dynamically configure a user policy;
if the determination indicates the network access device has sufficient system resources, dynamically assign the user policy to the one of the plurality of input ports; and restrict further traffic on the one of the plurality of input ports in accordance with the user policy; and
if the authentication of the physical address indicates the physical address is invalid, or if the determination indicates insufficient system resources, block traffic on the one of the plurality of ports except for packets related to a user authentication protocol.

30. The system of claim 29, wherein the physical address comprises a Media Access Control (MAC) address.

31. The system of claim 29, wherein the network access device is adapted to authenticate the user information in accordance with an IEEE 802.1x protocol.

32. The system of claim 29, wherein the user policy identifies an access control list.

33. The system of claim 29, wherein the user policy includes an access control list.

34. The system of claim 29, wherein the user policy identifies a Media Access Control (MAC) address filter.

35. The system of claim 29, wherein the user policy includes a Media Access Control (MAC) address filter.

36. The system of claim 29, further comprising:
an authentication server coupled to the data communications network;
wherein the network access device is adapted to send the one or more user credentials to an authentication server and to receive an accept message from the authentication server if the user information is valid.

37. The system of claim 36, wherein the authentication server comprises a Remote Authentication Dial-In User Service (RADIUS) server.

38. The system of claim 36, wherein the accept message includes the user policy.

39. The system of claim 29, wherein the network access device is further adapted to assign the one of the plurality of input ports to a virtual local area network (VLAN) associated with the one or more user credentials if the one or more user credentials are valid.

40. The system of claim 39, further comprising:
an authentication server coupled to the data communications network;
wherein the network access device is adapted to receive a message from the authentication server, wherein the message comprises a VLAN identifier (ID) associated with the user information, and to assign the port to a VLAN associated with the VLAN ID if the user information is valid.

41. The network system of claim 30 wherein the network access device is further adapted to:
if authentication of the MAC address indicates the MAC address is invalid, drop packets from the user device; or disable the port;
if authentication of user information indicates the user information is valid, determine whether the user is associated with a VLAN supported by the network access device;
if the user is not associated with the VLAN, assign the port to a port default VLAN; and block all traffic on the port except for packets related to the user authentication protocol; and
if the user is associated with the VLAN, assign the port to the VLAN associated with the user; and forward packets from the user device.

42. The system of claim 29 wherein the user information comprises a user name and a password.

43. The system of claim 29 wherein the network access device is further adapted to:
if the authentication of the user information indicates the user information is invalid, block all traffic on the one of the plurality of input ports except for packets related to a user authentication protocol.
44. An apparatus comprising:
a plurality of input ports;
a memory for storing data packets received on the plurality of input ports;
a switching fabric configured for packet switching of the data packets to at least one output port; and
control logic adapted to:
examine a first data packet comprising a physical address of a user device coupled to one of the plurality of input ports;
authenticate the physical address;
drop packets from the user device if the physical address is invalid;
authenticate user information provided in a second data packet by a user of the user device after the physical address is authenticated;
if the authentication of the user information indicates the user information is invalid, block all traffic on the one of the plurality of input ports except for packets related to a user authentication protocol;
if the authentication of the user information indicates the user information is valid, determine whether the user is associated with a VLAN supported by the apparatus by receiving a message from an authentication server, wherein the message comprises a VLAN identifier (ID) associated with the user information;
if the user is not associated with the VLAN, assign the one of the plurality of input ports to a port default VLAN; and block all traffic on the one of the plurality of input ports except for packets related to the user authentication protocol; and
if the user is associated with the VLAN and if the apparatus has enough system resources to dynamically configure a user policy associated with the user information, assign the one of the plurality of ports to the VLAN associated with the user; and restrict access to the one of the plurality of input ports in accordance with the user policy.

45. The apparatus of claim 44, wherein the apparatus comprises a switch.

46. A computer implemented method for providing network security, the method comprising:
at a network access device comprising a plurality of input ports and configured for packet switching of data packets, examining a first data packet comprising a physical address of a user device coupled to one of the plurality of input ports;
authenticating the physical address;
dropping packets from the user device if the physical address is invalid;
authenticating user information provided in a second data packet by a user of the user device after the physical address is authenticated;
if the authenticating of the user information indicates the user information is invalid, blocking all traffic on the port except for packets related to a user authentication protocol;
if the authenticating of the user information indicates the user information is valid, determining whether the user is associated with a VLAN supported by the network access device by receiving a message from an authentication server, wherein the message comprises a VLAN identifier (ID) associated with the user information;
if the user is not associated with the VLAN, assigning the one of the plurality of input ports to a port default VLAN; and blocking all traffic on the one of the plurality of input ports except for packets related to the user authentication protocol; and
if the user is associated with the VLAN and if the network access device has enough system resources to dynamically configure a user policy associated with the user information, assigning the one of the plurality of ports to the VLAN associated with the user; and restricting access to the one of the plurality of input ports in accordance with the user policy.

47. The method of claim 46, wherein the network access device comprises a switch.

48. A network system, comprising:
a network access device comprising a plurality of input ports and configured for packet switching of data packets in a data communications network; and
a user device coupled to a port of the network access device, wherein the network access device is adapted to:
examine a first data packet comprising a physical address of a user device coupled to one of the plurality of input ports;
authenticate the physical address;
drop packets from the user device if the physical address is invalid;
authenticate user information provided in a second data packet by a user of the user device after the physical address is authenticated;
if the authentication of the user information indicates the user information is invalid, block all traffic on the port except for packets related to a user authentication protocol;
if the authentication of the user information indicates the user information is valid, determine whether the user is associated with a VLAN supported by the network access device by receiving a message from an authentication server, wherein the message comprises a VLAN identifier (ID) associated with the user information;
if the user is not associated with the VLAN, assign the one of the plurality of input ports to a port default VLAN; and block all traffic on the one of the plurality of input ports except for packets related to the user authentication protocol; and
if the user is associated with the VLAN and if the network access device has enough system resources to dynamically configure a user policy associated with the user information, assign the one of the plurality of ports to the VLAN associated with the user; and restrict access to the one of the plurality of input ports in accordance with the user policy.

49. The network system of claim 48, wherein the network access device comprises a switch.
Specification