Reconciliation of multiple sets of network access control policies

US 7,886,335 B1
Filed: 07/12/2007
Issued: 02/08/2011
Est. Priority Date: 07/12/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a network communication with a network access control policy decision point (“

PDP”

), wherein the network communication includes a first access request from an endpoint device for access to a network;

identifying a first set of access policies based on the first access request;

causing access policies in the first set of access policies to be enforced with regard to the endpoint device;

while the first set of access policies is being enforced with regard to the endpoint device, receiving another network communication from the endpoint device with the PDP, wherein the other network communication includes a second access request from the endpoint device for access to the same network;

determining, in response to receiving the second access request, that the first set of access policies is currently enforced with regard to the endpoint device due to the network communication received by the PDP;

identifying, when the first set of access policies is currently enforced with regard to the endpoint device, a second set of access policies based on the second access request; and

causing only access policies in the second set of access policies to be enforced with regard to the endpoint device.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In general, techniques are described for managing multiple access policies in a network access control system. An endpoint device may send, to a policy decision point (“PDP”), a request to communicate on a network. When the PDP receives such an access request, the PDP typically identifies a set of access policies to be enforced with regard to the endpoint device and causes the identified access policies to be enforced with regard to the endpoint device. These access policies may specify rights to communicate on networks and/or rights to communicate with server resources and/or endpoint configuration requirements. However, because the endpoint device may issue multiple access requests, conflicting sets of access policies may potentially be enforced with regard to the endpoint device. The techniques described herein ensure that only a consistent set of access policies are enforced with regard to the endpoint device when accessing the network.

88 Citations

View as Search Results

43 Claims

1. A method comprising:
- receiving a network communication with a network access control policy decision point (“
  
  PDP”
  
  ), wherein the network communication includes a first access request from an endpoint device for access to a network;
  
  identifying a first set of access policies based on the first access request;
  
  causing access policies in the first set of access policies to be enforced with regard to the endpoint device;
  
  while the first set of access policies is being enforced with regard to the endpoint device, receiving another network communication from the endpoint device with the PDP, wherein the other network communication includes a second access request from the endpoint device for access to the same network;
  
  determining, in response to receiving the second access request, that the first set of access policies is currently enforced with regard to the endpoint device due to the network communication received by the PDP;
  
  identifying, when the first set of access policies is currently enforced with regard to the endpoint device, a second set of access policies based on the second access request; and
  
  causing only access policies in the second set of access policies to be enforced with regard to the endpoint device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1, wherein the second access request is for access to the network through a policy enforcement point (“
    - PEP”
      
      ) that enforces access policies at the network layer of the OSI model.
  - 3. The method of claim 2, wherein the first access request is for access to the network through a PEP that enforces access policies at the link layer of the OSI model.
  - 4. The policy decision device of claim 3, wherein the request reception module receives the network communication from a first PEP.
  - 5. The policy decision device of claim 4,wherein the first PEP operates at a link layer the open system interconnection (“
    - OSI”
      
      ) network model; and
      
      wherein the first PEP receives an 802.1X protocol message from the endpoint device, wherein the 802.1X protocol message specifies the request for access to communicate on a network.
  - 6. The method of claim 1, wherein access policies in the first set of access policies and access policies in the second set of access policies are selected from a group consisting of:
    - a set of access policies that specify rights to communicate on networks, a set of access policies that specify rights to communicate with server resources, and endpoint configuration requirements.
  - 7. The method of claim 1, further comprising:
    - after identifying the second set of policies, determining, with the PDP, whether one or more access policies of the first set of access policies conflict with one or more access policies of the second set of access policies;
      
      in response to the PDP determining that one or more access policies conflict, identifying a new set of access policies based on the first set of access policies and the second set of access policies with the PDP, wherein the new set of access policies reconciles the conflicting access policies; and
      
      causing only access policies in the new set of access policies to be enforced with regard to the endpoint device.
  - 8. The method of claim 1, further comprising:
    - establishing a first secure control channel from the PDP to the endpoint device in response to receiving the network communication, wherein the first set of access policies are enforced with regard to the endpoint device via the first secure control channel; and
      
      in response to determining that the first set of access policies is currently enforced with regard to the endpoint device, establishing a second secure control channel from the PDP to the endpoint device in response to receiving the other network communication,wherein causing only access policies in the second set of access policies to be enforced with regard to the endpoint device comprises;
      
      causing the second set of access policies to be enforced with regard to the endpoint device via the second secure control channel; and
      
      causing the second set of access policies to be enforced with regard to the endpoint device via the first secure control channel.
  - 9. The method of claim 1, wherein the second set of access policies includes one or more access policies that require one or more policy enforcement points (“
    - PEPs”
      
      ) that enforce access policies with regard to the endpoint device to permit the endpoint device to communicate on the network, wherein the network is protected by the one or more PEPs.
  - 10. The method of claim 1, wherein the second set of access policies includes one or more access policies that require one or more policy enforcement points (“
    - PEPs”
      
      ) that enforce access policies with regard to the endpoint device to permit the endpoint device to communicate with a set of server resources protected by the one or more PEPs.
  - 11. The method of claim 1, wherein the second set of access policies includes one or more access policies that require the endpoint device to comply with a coherent set of endpoint configuration requirements.
  - 12. The method of claim 1,wherein the method further comprises receiving information that indicates a health status of the endpoint device;
    - andwherein identifying the second set of access policies comprises identifying the second set of access policies based, at least in part, on the health status of the endpoint device.
  - 13. The method of claim 12,wherein receiving information that indicates a health status of the endpoint device comprises receiving a trusted platform module (“
    - TPM”
      
      ) register value generated by a TPM chip on the endpoint device; and
      
      wherein identifying the second set of access policies based on the health status of the endpoint device comprises identifying access policies associated with the TPM register value.
  - 14. The method of claim 1,wherein the method further comprises receiving, from the endpoint device, identity information of a user of the endpoint device;
    - andwherein identifying the second set of access policies comprises identifying the second set of access policies based, at least in part, on the received identity information.
  - 15. The method of claim 1,wherein determining whether a first set of access policies is enforced with regard to the endpoint device comprises:
    - receiving a client identifier from the endpoint device, wherein the client identifier is unique among endpoint devices that request access from the PDP; and
      
      determining that the first set of access policies is currently enforced with regard to the endpoint device when the client identifier is associated with a set of access policies that is currently enforced with regard to the endpoint device.
  - 16. The method of claim 1, wherein determining whether a first set of access policies is enforced with regard to the endpoint device comprises receiving, from the endpoint device, an indicator that indicates that the endpoint device has determined that the first set of access policies is enforced with regard to the endpoint device.
  - 17. The method of claim 16, wherein the method further comprises:
    - sending, in response to receiving the second access request, a server identifier to the endpoint device,wherein the server identifier is unique among policy decision points with which the endpoint device communicates; and
      
      wherein the endpoint device uses the server identifier to determine whether the first set of access policies is enforced with regard to the endpoint device.
  - 18. The method of claim 1, wherein the second access request is for access to the network through a first PEP that enforces access policies at the link layer of the OSI model.
  - 19. The method of claim 18, wherein receiving the network communication with the PDP comprises receiving the network communication from the first PEP.
  - 20. The method of claim 19, wherein the method further comprises receiving, with the first PEP, one or more 802.1X protocol messages from the endpoint device, wherein the 802.1X protocol messages specify the access request for access to communicate on a network.
  - 21. The method of claim 18, wherein the first access request was for access to the network through a PEP that enforces access policies at the network layer of the OSI model.

22. A policy decision device comprising:
- a request reception module that receives a network communication, wherein the network communication includes a first access request from an endpoint device for access to a network;
  
  a primary policy module that identifies a first set of access policies based on the first access request;
  
  a policy communication module that causes access policies in the first set of access policies to be enforced with regard to the endpoint device, wherein the request reception module receives another network communication from the endpoint device while the first set of access policies is enforced with regard to the endpoint device, and wherein the other network communication includes a second access request from the endpoint device for access to the same network;
  
  an enforcement detection module that determines, in response to receiving the second access request, that the first set of access policies is currently enforced with regard to the endpoint device due to the access request received by the request reception module;
  
  a policy reconciliation module that identifies, when the first set of access policies is currently enforced with regard to the endpoint device, a second set of access policies based on the second access request; and
  
  a policy communication module that causes, when the first set of access policies is currently enforced with regard to the endpoint device, only access policies in the second set of access policies to be enforced with regard to the endpoint device.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 23. The policy decision device of claim 22, wherein access policies in the first set of access policies and access policies in the second set of access policies are selected from a group consisting of:
    - a set of access policies that specify rights to communicate on networks, a set of access policies that specify rights to communicate with server resources, and endpoint configuration requirements.
  - 24. The policy decision device of claim 22,wherein the policy reconciliation module determines whether one or more access policies of the first set of access policies conflict with one or more access policies of the second set of access policies, and, in response to determining that one or more access policies conflict, identifies a new set of access policies based on the first set of access policies and the second set of access policies, wherein the new set of access policies reconciles the conflicting access policies, andwherein the policy communication module causes only access policies in the new set of access policies to be enforce with regard to the endpoint device.
  - 25. The policy decision device of claim 22, further comprising:
    - a control channel module that establishes a first secure control channel from the PDP to the endpoint device in response to the request reception module receiving the network communication, and establishes a second secure control channel from the PDP to the endpoint device in response to the request reception module receiving the other network communication,wherein the policy communication module causes the first set of access policies to be enforced with regard to the endpoint device via the first secure control channel, and wherein the policy communication module causes, when the first set of access policies is currently enforced with regard to the endpoint device, only access policies in the second set of access policies to be enforce with regard to the endpoint device via the first secure control channel and the second secure control channel.
  - 26. The policy decision device of claim 22, wherein the second set of access policies includes one or more access policies that require one or more policy enforcement points (“
    - PEPs”
      
      ) that enforce access policies with regard to the endpoint device to permit the endpoint device to communicate on the network, wherein the network is protected by the one or more PEPs.
  - 27. The policy decision device of claim 22, wherein the second set of access policies includes one or more access policies that require one or more enforcement points (“
    - PEPs”
      
      ) that enforce access policies with regard to the endpoint device to permit the endpoint device to communicate with a set of server resources protected by the one or more PEPs.
  - 28. The policy decision device of claim 22, wherein the second set of access policies includes one or more access policies that require the endpoint device to comply with a coherent set of endpoint configuration requirements.
  - 29. The policy decision device of claim 22,wherein the policy decision device further comprises a health module that receives information that indicates a health status of the endpoint device;
    - andwherein the policy reconciliation module identifies the second set of access policies based, at least in part, on the health status of the endpoint device.
  - 30. The policy decision device of claim 29,wherein the information that indicates a health status of the endpoint includes a trusted platform module (“
    - TPM”
      
      ) register value generated by a TPM chip on the endpoint device; and
      
      wherein the policy reconciliation module identifies the second set of access policies at least in part by identifying access policies associated with the TPM register value.
  - 31. The policy decision device of claim 22,wherein the policy decision device further comprises an authentication module that receives, from the endpoint device, identity information of a user of the endpoint device;
    - andwherein the policy reconciliation module identifies the second set of access policies based, at least in part, on the received identity information.
  - 32. The policy decision device of claim 22,wherein the enforcement detection module determines whether the first set of access policies is enforced with regard to the endpoint device by receiving a client identifier from the endpoint device and by determining that the first set of access policies is currently enforced with regard to the endpoint device when the client identifier is associated with a set of access policies that is currently enforced with regard to the endpoint device,wherein the client identifier is unique among endpoint devices that request access from the PDP.
  - 33. The policy decision device of claim 22, wherein the enforcement detection module determines that the first set of access policies is enforced with regard to the endpoint device by receiving, from the endpoint device, an indicator that indicates that the endpoint device has determined that the first set of access policies is enforced with regard to the endpoint device.
  - 34. The policy decision device of claim 33,wherein the enforcement detection module sends a server identifier to the endpoint device,wherein the server identifier is unique among policy decision devices with which the endpoint device communicates;
    - andwherein the endpoint device uses the server identifier to determine whether the first set of access policies is enforced with regard to the endpoint device.
  - 35. The policy decision device of claim 22, wherein the second access request is for access to the network through a first PEP that enforces access policies at the link layer of the OSI model.
  - 36. The policy decision device of claim 35, wherein the first access request was for access to the network through a PEP that enforces access policies at the network layer of the OSI model.
  - 37. The policy decision device of claim 22, wherein the second access request is for access to the network through a PEP that enforces access policies at the network layer of the OSI model.
  - 38. The policy decision device of claim 37, wherein the first access request was for access to the network through a PEP that enforces access policies at the link layer of the OSI model.

39. A computer-readable medium comprising instructions, wherein the instructions cause a programmable processor of a network access control policy decision point (“
- PDP”
  
  ) to;
  
  configure the PDP to receive a network communication, wherein the network communication includes a first access request from an endpoint device for access to a network;
  
  identify a first set of access policies based on the first access request;
  
  cause access policies in the first set of access policies to be enforced with regard to the endpoint device;
  
  while the first set of access policies is being enforced with regard to the endpoint device, configure the PDP to receive another network communication from the endpoint device with the PDP, wherein the other network communication includes a second access request from the endpoint device for access to the same network;
  
  determine, in response to receiving the second access request, that the whether a first set of access policies is currently enforced with regard to the endpoint device due to an earlier network communication received by the PDP;
  
  identify, when the first set of access policies is currently enforced with regard to the endpoint device, a second set of access policies based on the second access request; and
  
  cause only access policies in the second set of access policies to be enforced with regard to the endpoint device.
- View Dependent Claims (40, 41, 42, 43)
- - 40. The computer-readable medium of claim 39, wherein the second set of access policies includes one or more access policies that require one or more policy enforcement points (“
    - PEPs”
      
      ) that enforce access policies with regard to the endpoint device to permit the endpoint device to communicate on the network, wherein the network is protected by the one or more PEPs.
  - 41. The computer-readable medium of claim 39,wherein the instructions further cause the programmable processor to receive information that indicates a health status of the endpoint device;
    - andwherein the instructions cause the programmable processor to identify the second set of access policies at least in part by causing the programmable processor to identify the second set of access policies based, at least in part, on the health status of the endpoint device.
  - 42. The computer-readable medium of claim 39,wherein the instructions further cause the programmable processor to receive, from the endpoint device, identity information of a user of the endpoint device;
    - andwherein the instructions cause the programmable processor to identify the second set of access policies at least in part by causing the programmable processor to identify the second set of access policies based, at least in part, on the received identity information.
  - 43. The computer-readable medium of claim 39,wherein the instructions cause the programmable processor to determine whether a first set of access policies is enforced with regard to the endpoint device in part by causing the programmable processor to:
    - receive a client identifier from the endpoint device, wherein the client identifier is unique among endpoint devices that request access from the PDP; and
      
      determine that the first set of access policies is currently enforced with regard to the endpoint device when the client identifier is associated with a set of access policies that is currently enforced.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Original Assignee
Juniper Networks Incorporated
Inventors
Funk, Paul, Chickering, Roger A., Kirner, Paul J.
Primary Examiner(s)
JUNG, DAVID YIUK

Application Number

US11/827,598
Time in Patent Office

1,307 Days
Field of Search

726/1, 726/2, 726/3
US Class Current

726/1
CPC Class Codes

H04L 43/0817   by checking functioning

H04L 47/781   Centralised allocation of r...

H04L 47/808   User-type aware

H04L 63/0263   Rule management

H04L 63/20   for managing network securi...

Reconciliation of multiple sets of network access control policies

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

88 Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

Reconciliation of multiple sets of network access control policies

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

88 Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links