Selective persistent storage of controller information

US 8,108,904 B1
Filed: 09/29/2006
Issued: 01/31/2012
Est. Priority Date: 09/29/2006
Status: Active Grant

First Claim

Patent Images

1. A device, comprising:

a memory to store instructions; and

a processor to execute the instructions to;

receive a request from an endpoint,determine whether the endpoint is to authenticate via one of layer 2 or layer 3,download first software to the endpoint when the endpoint is to authenticate via layer 2, the first software causing authentication of the endpoint via another device and instructing the endpoint to not store information regarding the device,download second software to the endpoint when the endpoint is to authenticate via layer 3,where the second software is different from the first software, andauthenticate the endpoint based on the second software when the endpoint is to authenticate via layer 3.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A controller may receive a request from an endpoint and determine whether the endpoint connects via a first network or a second network. The controller may download first software to the endpoint when the endpoint connects via the first network, where the first software facilitates authentication of the endpoint via another device and instructs the endpoint to not store information regarding the controller. The controller may download second software to the endpoint when the endpoint connects via the second network, where the second software facilitates authentication of the endpoint by the device and instructs the endpoint to store information regarding the controller.

23 Citations

View as Search Results

28 Claims

1. A device, comprising:
- a memory to store instructions; and
  
  a processor to execute the instructions to;
  
  receive a request from an endpoint,determine whether the endpoint is to authenticate via one of layer 2 or layer 3,download first software to the endpoint when the endpoint is to authenticate via layer 2, the first software causing authentication of the endpoint via another device and instructing the endpoint to not store information regarding the device,download second software to the endpoint when the endpoint is to authenticate via layer 3,where the second software is different from the first software, andauthenticate the endpoint based on the second software when the endpoint is to authenticate via layer 3.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The device of claim 1, where, when determining whether the endpoint is to authenticate via layer 2 or layer 3, the processor is further to:
    - determine whether the endpoint is accessing the device from a particular network.
  - 3. The device of claim 2, where, when determining whether the endpoint is accessing the device from a particular network, the processor is further to:
    - determine whether an address associated with the endpoint falls within a particular range of addresses, anddetermine that the endpoint is accessing the device from the particular network when the address associated with the endpoint falls within the particular range of addresses.
  - 4. The device of claim 2, where, when determining whether the endpoint is to authenticate via layer 2 or layer 3, the processor is further to:
    - determine that the endpoint is to authenticate via layer 3 when the endpoint accesses the device from a network other than the particular network.
  - 5. The device of claim 1, where the first software includes an authentication module and a layer 2 configuration module,where the authentication module is to determine whether the endpoint complies with a security policy, andwhere the layer 2 configuration module is to instruct the endpoint to authenticate via layer 2 and to not store the information regarding the device.
  - 6. The device of claim 1, where the second software includes an authentication module and a layer 3 configuration module.
  - 7. The device of claim 6, where the authentication module is to determine whether the endpoint complies with a security policy, and the layer 3 configuration module is to instruct the endpoint to authenticate to the device and to store information regarding the device.
  - 8. The device of claim 7, where, when authenticating the endpoint, the processor is further to:
    - receive, from the authentication module, information regarding a compliance of the endpoint with the security policy,verify an identity of the endpoint or a user operating the endpoint,determine an ability of the endpoint to access a protected network, anddetermine whether to grant the endpoint access to the protected network based on at least one of the received information regarding the compliance of the endpoint with the security policy, the verified identity of the endpoint, or the determined ability of the endpoint to access the protected network.
  - 9. The device of claim 1, where, when authenticating the endpoint based on the second software, the processor is further to:
    - authenticate the endpoint further based on at least one of a verified identity of the endpoint or a user operating the endpoint, or a determined ability of the endpoint to access a protected network.
  - 10. The device of claim 1, where, when authenticating the endpoint based on the second software, the processor is further to:
    - determine whether to grant, the endpoint, access to a protected network based on an analysis performed by the second software on the endpoint.
  - 11. The device of claim 10, where the processor is further to:
    - transmit, to a network device and based on determining whether to grant the endpoint access to the protected network, a message that indicates whether the network device is to grant the endpoint access to the protected network.
  - 12. The device of claim 1, where the processor is further to:
    - establish a layer 3 control channel with the endpoint after the endpoint is authenticated via layer 2, andgrant access to network resources based on the established layer 3 control channel.

13. A device, comprising:
- a memory to store instructions; and
  
  a processor to execute the instructions to;
  
  receive a request from an endpoint,determine whether the endpoint is to authenticate via a data link layer or a network layer,download first software to the endpoint when the endpoint is to authenticate via the data link layer, the first software instructing the endpoint to not store information regarding the device and to authenticate via a network device using the data link layer,download second software to the endpoint when the endpoint is to authenticate via the network layer, where the second software includes an authentication module to determine whether the endpoint complies with a particular security policy and a configuration module to instruct the endpoint to store information regarding the device,cause, based on the first software, the endpoint to authenticate via the network device when the first software is downloaded to the endpoint, andauthenticate the endpoint when the second software is downloaded to the endpoint.
- View Dependent Claims (27)
- - 27. The device of claim 13, where the first software includes a first module and a second module,where the first module is to determine whether the endpoint complies with a security policy, andwhere the second module is to instruct the endpoint to:
    - authenticate via the network device using the data link layer, andnot store the information regarding the device.

14. A controller, comprising:
- a memory to store instructions; and
  
  a processor to execute the instructions to;
  
  receive a request from an endpoint,determine whether the endpoint connects via a first network or a second network that is different from the first network,download first software to the endpoint when the endpoint connects via the first network, the first software facilitating authentication of the endpoint via a first device and instructing the endpoint to not store information regarding the controller,download second software to the endpoint when the endpoint connects via the second network, the second software facilitating authentication of the endpoint by the controller and instructing the endpoint to store information regarding the controller,authenticate the endpoint based on the second software when the second software is downloaded to the endpoint, andsend a message to a second device instructing the second device to permit the endpoint to access a third network when the endpoint has been successfully authenticated based on the second software, where the third network is different from the first network and the second network.
- View Dependent Claims (28)
- - 28. The controller of claim 14, where the first device is associated with layer 2,where the first software includes a module,where the second module is to instruct the endpoint to authenticate via layer 2 and instruct the endpoint to not store the information regarding the controller.

15. A method performed by a network controller, the method comprising:
- receiving, by the network controller, a request from an endpoint to access network resources;
  
  determining, by the network controller, whether the endpoint is to authenticate via layer 2 or layer 3;
  
  downloading, by the network controller, first software to the endpoint when the endpoint is to authenticate via layer 2, the first software causing the endpoint to authenticate via a network device and instructing the endpoint to not store information regarding the network controller,where the network device authorizes the endpoint to access the network resources when the endpoint has been authenticated via the network device;
  
  downloading, by the network controller, second software to the endpoint when the endpoint is to authenticate via layer 3, the second software causing the endpoint to be authenticated by the network controller and instructing the endpoint to store information regarding the network controller;
  
  authenticating, by the network controller, the endpoint based on the second software when the endpoint is to authenticate via layer 3; and
  
  authorizing, by the network controller, the endpoint to access the network resources after the endpoint has been authenticated based on the second software.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 16. The method of claim 15, where determining whether the endpoint is to authenticate via layer 2 or layer 3 includes:
    - determining whether the endpoint is accessing the network controller via a particular network, anddetermining that the endpoint is to authenticate via layer 2 when the endpoint accesses the network controller via the particular network.
  - 17. The method of claim 16, where determining whether the endpoint is accessing the network controller via a particular network includes:
    - determining whether an address associated with the endpoint falls within a range of addresses, anddetermining that the endpoint is accessing the network controller via the particular network when the address associated with the endpoint falls within the range of addresses.
  - 18. The method of claim 16, where determining whether the endpoint is to authenticate via layer 2 or layer 3 further includes:
    - determining that the endpoint is to authenticate via layer 3 when the endpoint accesses the network controller via a network other than the particular network.
  - 19. The method of claim 15, where the first software includes an authentication module and a layer 2 configuration module,where the authentication module is to determine whether the endpoint complies with a security policy, andwhere the layer 2 configuration module is to instruct the endpoint to obtain authentication from the network device and to not store the information regarding the network controller.
  - 20. The method of claim 15, where the second software includes an authentication module and a layer 3 configuration module.
  - 21. The method of claim 20, where the authentication module is to determine whether the endpoint complies with a security policy, and the layer 3 configuration module is to instruct the endpoint to obtain authentication from the network controller and to store information regarding the network controller.
  - 22. The method of claim 21, further comprising:
    - receiving, from the authentication module, information regarding a compliance of the endpoint with the security policy;
      
      verifying an identity of the endpoint or a user operating the endpoint;
      
      determining an ability of the endpoint to access a protected network; and
      
      determining whether to grant the endpoint access to the protected network based on at least one of the received information regarding the compliance of the endpoint with the security policy, the verified identity of the endpoint or the user operating the endpoint, or the determined ability of the endpoint to access the protected network.
  - 23. The method of claim 15, further comprising:
    - authenticating the endpoint to determine whether to grant the endpoint access to a protected network based on at least one of;
      
      an analysis of the endpoint by the second software,verification of an identity of the endpoint or a user operating the endpoint, ora determination of an ability of the endpoint to access the protected network.
  - 24. The method of claim 15, further comprising:
    - determining whether to grant the endpoint access to a protected network based on an analysis, performed by the second software, on the endpoint.
  - 25. The method of claim 24, further comprising:
    - transmitting, to another network device and based on determining whether to grant the endpoint access to the protected network, a message that indicates whether the other network device is to grant the endpoint access to the protected network.
  - 26. The method of claim 15, further comprising:
    - establishing a layer 3 control channel with the endpoint after the endpoint is authenticated via layer 2; and
      
      granting access to the network resources based on the established layer 3 channel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Original Assignee
Juniper Networks Incorporated
Inventors
Chickering, Roger, Funk, Paul
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
LEE, JASON T

Application Number

US11/537,036
Time in Patent Office

1,950 Days
Field of Search

726/2, 726/3, 726/4, 709/236, 370/338
US Class Current

726/2
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/34   involving the movement of s...

Selective persistent storage of controller information

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

28 Claims

Specification

Use Cases

Quick Links

Others

Selective persistent storage of controller information

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

28 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others