Methods and devices for qualifying a client machine to access a network
First Claim
1. A method of qualifying a client machine to access a network, comprising the computer-implemented steps of:
- receiving a request for access from the client machine from an access server through which the client machine must first go to access the network, said request including user identification information;
- determining qualification procedures and standards of adequate protection for the client machine based on the user identification information;
- sending the determined qualification procedures to the access server;
- receiving from the access server results of applying the qualification procedures at the client machine;
- determining a level of allowable network access for the client machine based on the results; and
- instructing the access server to enforce the determined level of allowable network access;
wherein determining the qualification procedures and standards of adequate protection comprises:
- determining a role for the client machine based on a prioritized set of attributes including two or more of MAC address of the client machine, subnet through which access is requested, IP address of the client machine, and network traffic information;
- updating, based on at least one outside source, information used to construct a plurality of policy rule sets providing different levels of network access requirements; and
- determining qualification procedures and standards of adequate protection associated with the determined role and the plurality of policy rule sets;
wherein the method is performed by one or more computing devices.
Abstract
Methods and devices for qualifying a client machine to access a network, based on policies governing required protective measures, such as virus checking and operating system updates, are disclosed. A client machine must pass various checks to qualify for access. A client machine may be redirected to remediation resources that support efforts to bring the client machine into compliance with applicable network access requirements. A policy repository is updated regularly by vendors of protective measures. An administrator establishes user roles that are mapped to policy rule sets retrieved from the policy repository. The policy rule sets govern qualification of client machines for access to the network in accordance with the roles of the users of the machines. An access server is an intermediary between a client machine and the access manager. A client agent runs on the client machine and carries out checks, and reports the results via the access server to the access manager.
128 Citations
29 Claims
1. A method of qualifying a client machine to access a network (set out in full under First Claim above). Dependent claims: 2 to 13.
14. A system for qualifying a client machine to access a network, comprising:
- one or more processors;
- a computer-readable storage medium storing one or more sequences of instructions, which when executed cause the one or more processors to provide an access manager, said access manager storing a plurality of policy rule sets, each policy rule set containing qualification procedures and associated standards of adequate protection; and said access manager determining qualification procedures and standards of adequate protection; and to provide at least one access server through which the client machine must first go to access the network;
wherein the access manager provides one or more policy rule sets to the access server for application upon a request from a client machine to access the network;
wherein the access server applies the one or more policy rule sets to the client machine and provides results of applying the qualification procedures to the access manager; and
wherein the access manager determines allowable network access by the client machine based on the results, wherein determining qualification procedures and standards of adequate protection comprises:
- determining a role for the client machine based on a prioritized set of attributes including two or more of MAC address of the client machine, subnet through which access is requested, IP address of the client machine, and network traffic information;
- updating, based on at least one outside source, information used to construct the plurality of policy rule sets;
- determining qualification procedures and standards of adequate protection associated with the determined role,
and wherein the plurality of policy rule sets provide different levels of network access requirements.
Dependent claim: 15.
-
16. A method of qualifying a client machine to access a network, comprising the computer-implemented steps of:
- receiving a request for access from the client machine from an access server through which the client machine must first go to access the network, said request including user identification information;
- determining if the client machine is on a clean list;
- causing the user of the client machine to be authenticated;
- determining a role for the user of the client machine based on the authentication results and a prioritized set of attributes including two or more of MAC address of the client machine, subnet through which access is requested, IP address of the client machine, and network traffic information;
- determining qualification procedures and standards of adequate protection for the client machine based on the user identification information;
- if the client machine is determined to be on the clean list, allowing the client machine to access the network according to the determined role;
- sending the determined qualification procedures to the access server;
- in response to determining that the qualification procedures include procedures to be applied by a client agent on the client machine, receiving from the access server first results of applying the qualification procedures by the client agent at the client machine;
- in response to determining that the first results indicate that the client machine does not meet the determined standards of adequacy, downloading a remediation package to the client machine;
- in response to determining that the qualification procedures include procedures to be applied by the access server, receiving from the access server second results of applying the procedures to the client machine;
- in response to determining that the second results indicate that the client machine does not meet the determined standards, redirecting the client machine to remediation resources;
- determining a level of allowable network access for the client machine based on the determined role; and
- instructing the access server to enforce the determined level of allowable network access;
wherein determining the qualification procedures and standards of adequate protection comprises:
- determining a role for the client machine;
- updating, based on at least one outside source, information used to construct a plurality of policy rule sets providing different levels of network access requirements;
- determining qualification procedures and standards of adequate protection associated with the determined role and the plurality of policy rule sets;
wherein the method is performed by one or more computing devices.
17. A non-transitory computer-readable storage medium storing one or more sequences of instructions which when executed, cause one or more processors to perform:
- receiving a request for access from a client machine from an access server through which the client machine must first go to access a network, said request including user identification information;
- determining qualification procedures and standards of adequate protection for the client machine based on the user identification information;
- sending the determined qualification procedures to the access server;
- receiving from the access server results of applying the qualification procedures at the client machine;
- determining a level of allowable network access for the client machine based on the results; and
- instructing the access server to enforce the determined level of allowable network access;
wherein determining the qualification procedures and standards of adequate protection comprises:
- determining a role for the client machine based on a prioritized set of attributes including two or more of MAC address of the client machine, subnet through which access is requested, IP address of the client machine, and network traffic information;
- updating, based on at least one outside source, information used to construct a plurality of policy rule sets providing different levels of network access requirements; and
- determining qualification procedures and standards of adequate protection associated with the determined role and the plurality of policy rule sets.
Dependent claims: 18 to 29.
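The following is an added example, not code from the patent or any product implementing it. It models the access manager's decision flow that the abstract and claims 1, 14, 16 and 17 describe: a role is assigned from a prioritized set of attributes, policy rule sets are rebuilt from an outside (vendor) update, the checks for that role are sent to the access server, the client agent's reported results are compared against the standards of adequate protection, a clean-list entry bypasses the checks, and the outcome is either the role's access level or remediation-only access. The attribute priority order (MAC, then subnet, then IP, then traffic type), role names, check names, the vendor feed values and all sample requests are constructed assumptions.

```python
"""Minimal model of the access manager described in the claims (added example,
not the patent's own code). Priorities, role names, feed values, check names
and sample requests are constructed assumptions for illustration."""
import ipaddress

# Role assignment from a prioritized set of attributes. Assumed priority:
# MAC address first, then subnet, then IP address, then traffic type.
MAC_ROLES = {"00:11:22:33:44:55": "admin_workstation"}            # constructed
SUBNET_ROLES = [("10.1.0.0/16", "employee"), ("10.9.0.0/16", "guest")]
IP_ROLES = {"10.2.0.7": "contractor"}
TRAFFIC_ROLES = {"vpn": "remote_employee"}
DEFAULT_ROLE = "guest"

# Information from an outside source, e.g. a protective-measure vendor's update
# feed (constructed numbers): minimum antivirus signature date and OS patch level.
VENDOR_FEED = {"av_signature_min": 20240101, "os_patch_level_min": 42}


def determine_role(request):
    """Walk the prioritized attributes of the access request; first match wins."""
    if request.get("mac") in MAC_ROLES:
        return MAC_ROLES[request["mac"]]
    ip = request.get("ip")
    if ip:
        addr = ipaddress.ip_address(ip)
        for net, role in SUBNET_ROLES:
            if addr in ipaddress.ip_network(net):
                return role
        if ip in IP_ROLES:
            return IP_ROLES[ip]
    return TRAFFIC_ROLES.get(request.get("traffic"), DEFAULT_ROLE)


def build_policy_rule_sets(feed):
    """Rebuild the per-role policy rule sets whenever the outside source updates.

    Each rule set holds standards of adequate protection (the check names double
    as the qualification procedures to run) and the access granted on success.
    """
    strict = {"av_signature_min": feed["av_signature_min"],
              "os_patch_level_min": feed["os_patch_level_min"],
              "firewall_enabled": True}
    relaxed = {"av_signature_min": feed["av_signature_min"],
               "firewall_enabled": True}
    return {
        "admin_workstation": {"standards": strict, "access": "full"},
        "employee": {"standards": strict, "access": "full"},
        "remote_employee": {"standards": strict, "access": "internal_vpn"},
        "contractor": {"standards": relaxed, "access": "restricted"},
        "guest": {"standards": {"firewall_enabled": True}, "access": "internet_only"},
    }


def evaluate(standards, results):
    """Compare the client agent's reported results with the standards.

    Returns the names of failed checks; a check with no reported result is
    treated as failed so a silent agent cannot pass by omission.
    """
    failed = []
    for check, required in standards.items():
        observed = results.get(check)
        if observed is None:
            failed.append(check)
        elif isinstance(required, bool):
            if observed is not required:
                failed.append(check)
        elif observed < required:
            failed.append(check)
    return failed


def qualify(request, results, rule_sets, clean_list=frozenset()):
    """The access manager's decision for one request, in the form the access
    server is instructed to enforce. Clean-list machines skip the checks."""
    role = determine_role(request)
    rule_set = rule_sets[role]
    procedures = sorted(rule_set["standards"])       # what is sent to the access server
    if request.get("mac") in clean_list:
        failed = []
    else:
        failed = evaluate(rule_set["standards"], results)
    access = rule_set["access"] if not failed else "remediation_only"
    return {"role": role, "procedures": procedures, "failed": failed,
            "access": access, "remediate": bool(failed)}


if __name__ == "__main__":
    rule_sets = build_policy_rule_sets(VENDOR_FEED)
    # Constructed request relayed by the access server, with the agent's results.
    request = {"user": "alice", "mac": "aa:bb:cc:dd:ee:01", "ip": "10.1.5.9", "traffic": "lan"}
    results = {"av_signature_min": 20240115, "os_patch_level_min": 41, "firewall_enabled": True}
    print(qualify(request, results, rule_sets))
```

In the sample run the machine lands in the employee role through its subnet, passes the antivirus and firewall checks but is one patch level short of the feed's minimum, so the access server is told to confine it to remediation-only access until it is brought into compliance.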