Reconciliation of multiple sets of network access control policies
First Claim
1. A method comprising:
receiving a network communication with a network access control policy decision point (“PDP”), wherein the network communication includes a first access request from an endpoint device for access to a network;
identifying a first set of access policies based on the first access request;
causing access policies in the first set of access policies to be enforced with regard to the endpoint device;
while the first set of access policies is being enforced with regard to the endpoint device, receiving another network communication from the endpoint device with the PDP, wherein the other network communication includes a second access request from the endpoint device for access to the same network;
determining, in response to receiving the second access request, that the first set of access policies is currently enforced with regard to the endpoint device due to the network communication received by the PDP;
identifying, when the first set of access policies is currently enforced with regard to the endpoint device, a second set of access policies based on the second access request; and
causing only access policies in the second set of access policies to be enforced with regard to the endpoint device.
Abstract
In general, techniques are described for managing multiple access policies in a network access control system. An endpoint device may send, to a policy decision point (“PDP”), a request to communicate on a network. When the PDP receives such an access request, the PDP typically identifies a set of access policies to be enforced with regard to the endpoint device and causes the identified access policies to be enforced with regard to the endpoint device. These access policies may specify rights to communicate on networks, rights to communicate with server resources, and/or endpoint configuration requirements. However, because the endpoint device may issue multiple access requests, conflicting sets of access policies may potentially be enforced with regard to the endpoint device. The techniques described herein ensure that only a consistent set of access policies is enforced with regard to the endpoint device when it accesses the network.
43 Claims
1. A method comprising: receiving a network communication with a network access control policy decision point (“PDP”), wherein the network communication includes a first access request from an endpoint device for access to a network; identifying a first set of access policies based on the first access request; causing access policies in the first set of access policies to be enforced with regard to the endpoint device; while the first set of access policies is being enforced with regard to the endpoint device, receiving another network communication from the endpoint device with the PDP, wherein the other network communication includes a second access request from the endpoint device for access to the same network; determining, in response to receiving the second access request, that the first set of access policies is currently enforced with regard to the endpoint device due to the network communication received by the PDP; identifying, when the first set of access policies is currently enforced with regard to the endpoint device, a second set of access policies based on the second access request; and causing only access policies in the second set of access policies to be enforced with regard to the endpoint device. (Dependent claims 2 to 21)
22. A policy decision device comprising: a request reception module that receives a network communication, wherein the network communication includes a first access request from an endpoint device for access to a network; a primary policy module that identifies a first set of access policies based on the first access request; a policy communication module that causes access policies in the first set of access policies to be enforced with regard to the endpoint device, wherein the request reception module receives another network communication from the endpoint device while the first set of access policies is enforced with regard to the endpoint device, and wherein the other network communication includes a second access request from the endpoint device for access to the same network; an enforcement detection module that determines, in response to receiving the second access request, that the first set of access policies is currently enforced with regard to the endpoint device due to the access request received by the request reception module; a policy reconciliation module that identifies, when the first set of access policies is currently enforced with regard to the endpoint device, a second set of access policies based on the second access request; and a policy communication module that causes, when the first set of access policies is currently enforced with regard to the endpoint device, only access policies in the second set of access policies to be enforced with regard to the endpoint device. (Dependent claims 23 to 38)
39. A computer-readable medium comprising instructions, wherein the instructions cause a programmable processor of a network access control policy decision point (“PDP”) to: configure the PDP to receive a network communication, wherein the network communication includes a first access request from an endpoint device for access to a network; identify a first set of access policies based on the first access request; cause access policies in the first set of access policies to be enforced with regard to the endpoint device; while the first set of access policies is being enforced with regard to the endpoint device, configure the PDP to receive another network communication from the endpoint device with the PDP, wherein the other network communication includes a second access request from the endpoint device for access to the same network; determine, in response to receiving the second access request, whether a first set of access policies is currently enforced with regard to the endpoint device due to an earlier network communication received by the PDP; identify, when the first set of access policies is currently enforced with regard to the endpoint device, a second set of access policies based on the second access request; and cause only access policies in the second set of access policies to be enforced with regard to the endpoint device. (Dependent claims 40 to 43)
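The following is an added illustration, not code from the patent or from any product it describes. It models the reconciliation the abstract and claim 1 describe: a PDP that keys enforced policy state on (endpoint, network), detects on a second access request that a first set is already enforced, and then enforces only the second set. A naive PDP that merely accumulates policy sets is shown beside it, so the conflict the abstract warns about (the same resource carrying both an allow and a deny rule) is visible. The role attribute, the policy catalogue, the endpoint identifiers and the resource names are all constructed assumptions.

```python
"""Added example: a toy NAC policy decision point (PDP) that reconciles
access policies when an endpoint issues more than one access request.
Not code from the patent; names and sample policies are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPolicy:
    """One enforceable rule: allow or deny traffic to a named resource."""
    resource: str
    action: str  # "allow" or "deny"


@dataclass
class AccessRequest:
    endpoint_id: str
    network: str
    role: str  # assumed attribute the PDP uses to select a policy set


# Constructed policy catalogue keyed by role (an assumption; a real PDP
# would evaluate identity, posture, location and more).
POLICY_CATALOGUE = {
    "employee": frozenset({
        AccessPolicy("fileserver", "allow"),
        AccessPolicy("internet", "allow"),
    }),
    "guest": frozenset({
        AccessPolicy("fileserver", "deny"),
        AccessPolicy("internet", "allow"),
    }),
}


class NaivePDP:
    """Accumulates every policy set ever identified for an endpoint.
    After two requests the endpoint carries both 'allow' and 'deny'
    for the fileserver, which is the conflict the abstract describes."""

    def __init__(self):
        self.enforced = {}  # (endpoint, network) -> set of AccessPolicy

    def handle(self, req):
        key = (req.endpoint_id, req.network)
        self.enforced.setdefault(key, set()).update(POLICY_CATALOGUE[req.role])
        return self.enforced[key]


class ReconcilingPDP:
    """Follows claim 1: when a second request for the same network arrives
    while a first set is enforced, only the second set remains enforced."""

    def __init__(self):
        self.enforced = {}  # (endpoint, network) -> frozenset of AccessPolicy
        self.audit = []  # (endpoint, network, removed, added) per reconciliation

    def handle(self, req):
        key = (req.endpoint_id, req.network)
        new_set = POLICY_CATALOGUE[req.role]
        current = self.enforced.get(key)  # enforcement detection step
        if current is not None:
            # Record what the reconciliation withdraws and what it adds,
            # so an operator can see why an earlier grant disappeared.
            self.audit.append((req.endpoint_id, req.network,
                               current - new_set, new_set - current))
        self.enforced[key] = new_set  # only the second set is enforced
        return new_set


def conflicts(policies):
    """Return resources that carry both an allow and a deny rule."""
    by_resource = {}
    for p in policies:
        by_resource.setdefault(p.resource, set()).add(p.action)
    return sorted(r for r, acts in by_resource.items() if len(acts) > 1)


def demo():
    """Same endpoint, same network, two requests with different roles."""
    first = AccessRequest("ep-1", "corp", "employee")
    second = AccessRequest("ep-1", "corp", "guest")
    naive = NaivePDP()
    naive.handle(first)
    naive_result = naive.handle(second)
    recon = ReconcilingPDP()
    recon.handle(first)
    recon_result = recon.handle(second)
    return {
        "naive_conflicts": conflicts(naive_result),
        "reconciled_conflicts": conflicts(recon_result),
        "reconciled_set": recon_result,
        "audit": recon.audit,
    }


if __name__ == "__main__":
    out = demo()
    print("naive PDP conflicts:", out["naive_conflicts"])
    print("reconciling PDP conflicts:", out["reconciled_conflicts"])
```

The audit list is the piece a defender cares about: a reconciliation silently replacing a broad policy set with a narrower one (or the reverse) is exactly the event that should be logged and alerted on, since a device re-authenticating under a different identity on the same network is a common signal worth reviewing.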
Specification