System and method for providing access control

US 8,117,639 B2
Filed: 10/10/2003
Issued: 02/14/2012
Est. Priority Date: 10/10/2002
Status: Active Grant

First Claim

Patent Images

1. A method for network access control, comprising:

at a control device, receiving a packet originating from a user device in a first network, wherein the first network is connected to a second network via the control device, and wherein the user device is associated with a user;

processing the packet according to a plurality of stages, including a client discrimination stage and a user specific rule stage;

at the client discrimination stage, extracting information associated with the user device from a header of the packet and associating the packet with user specific traffic control rules and user specific firewall rules; and

at the user specific rule stage, accessing the user specific traffic control rules and user specific firewall rules based on the extracted information associated with the user device and applying the user specific traffic control rules and the user specific firewall rules to the packet as governed by at least one user specific class of service rule associated with the user on the user device in the first network.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments disclosed herein provide systems and methods for provisioning network access for a user in order to provide access control to one or more networks with regard to the user. More particularly, a user may be authenticated and, based on a user profile associated with the authenticated user, provisioning rules may be established for the user such that the user'"'"'s network access to one or more networks may be controlled based upon the user profile associated with the user. In a network utilized by multiple users, the use of access control based on user profiles associated with the users may prevent any one user or users from accessing one or more networks to the exclusion or detriment of other users because each user may be limited to the network resources provisioned to that user based on the user profile associated with the user.

271 Citations

27 Claims

1. A method for network access control, comprising:
- at a control device, receiving a packet originating from a user device in a first network, wherein the first network is connected to a second network via the control device, and wherein the user device is associated with a user;
  
  processing the packet according to a plurality of stages, including a client discrimination stage and a user specific rule stage;
  
  at the client discrimination stage, extracting information associated with the user device from a header of the packet and associating the packet with user specific traffic control rules and user specific firewall rules; and
  
  at the user specific rule stage, accessing the user specific traffic control rules and user specific firewall rules based on the extracted information associated with the user device and applying the user specific traffic control rules and the user specific firewall rules to the packet as governed by at least one user specific class of service rule associated with the user on the user device in the first network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, wherein the plurality of stages further comprises an interface specific stage, further comprising:
    - at the interface specific stage, applying interface specific rules to the packet based on a type of a network interface over which the packet is received.
  - 3. The method according to claim 2, wherein the plurality of stages further comprises a global stage, further comprising:
    - at the global stage, applying global firewall rules to the packet.
  - 4. The method according to claim 1, wherein the packet is processed utilizing a provisioning module running on the control device, wherein the provisioning module comprises a first table for interface specific rules, a second table for global rules, and a third table for user specific rules.
  - 5. The method according to claim 1, wherein the user device is assigned with an Internet Protocol (IP) address in the first network and wherein the at least one user specific rule is associated with the IP address.
  - 6. The method according to claim 5, wherein the user device is associated with a media access control (MAC) address and wherein the at least one user specific rule is further associated with the MAC address.
  - 7. The method according to claim 1, wherein the user specific traffic control rules and the user specific firewall rules are established for the user based on a user profile that includes parameters that determine an extent of the user'"'"'s access to the second network, services available to the user, or a combination thereof.
  - 8. A method according to claim 1, further comprising determining whether the user has authenticated.
  - 9. A method according to claim 8, wherein the user has not authenticated, further comprising:
    - redirecting the user to a login web page that requests user credentials; and
      
      using the user credentials received from the user to authenticate the user.

10. A computer program product comprising at least one non-transitory computer-readable storage medium storing computer instructions translatable by a processor of a control device to perform:
- receiving a packet originating from a user device in a first network, wherein the first network is connected to a second network via the control device, and wherein the user device is associated with a user;
  
  processing the packet according to a plurality of stages, including a client discrimination stage and a user specific rule stage;
  
  at the client discrimination stage, extracting information associated with the user device from a header of the packet and associating the packet with user specific traffic control rules and user specific firewall rules; and
  
  at the user specific rule stage, accessing the user specific traffic control rules and user specific firewall rules based on the extracted information associated with the user device and applying the user specific traffic control rules and the user specific firewall rules to the packet as governed by at least one user specific class of service rule associated with the user on the user device in the first network.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The computer program product of claim 10, wherein the plurality of stages further comprises an interface specific stage and wherein the computer instructions are further translatable by the processor to perform:
    - at the interface specific stage, applying interface specific rules to the packet based on a type of a network interface over which the packet is received.
  - 12. The computer program product of claim 10, wherein the plurality of stages further comprises a global stage and wherein the computer instructions are further translatable by the processor to perform:
    - at the global stage, applying global firewall rules to the packet.
  - 13. The computer program product of claim 10, wherein the computer instructions are further translatable by the processor to implement a control program on the control device, wherein the control program comprises a provisioning module, wherein the provisioning module comprises a traffic conditioning module for user specific allocation of bandwidth.
  - 14. The computer program product of claim 10, wherein the computer instructions are further translatable by the processor to establish the user specific traffic control rules and the user specific firewall rules for the user based on a user profile that includes parameters that determine an extent of the user'"'"'s access to the second network, services available to the user, or a combination thereof.
  - 15. The computer program product of claim 10, wherein the computer instructions are further translatable by the processor to determine whether the user has authenticated.
  - 16. The computer program product of claim 15, wherein the user has not authenticated and wherein the computer instructions are further translatable by the processor to perform:
    - redirecting the user to a login web page that requests user credentials; and
      
      using the user credentials received from the user to authenticate the user.

17. A control device for network access control, comprising:
- a processor;
  
  at least one computer-readable storage medium storing computer instructions translatable by the processor to perform;
  
  receiving a packet originating from a user device in a first network, wherein the first network is connected to a second network via the control device, and wherein the user device is associated with a user;
  
  processing the packet according to a plurality of stages, including a client discrimination stage and a user specific rule stage;
  
  at the client discrimination stage, extracting information associated with the user device from a header of the packet and associating the packet with user specific traffic control rules and user specific firewall rules; and
  
  at the user specific rule stage, accessing the user specific traffic control rules and user specific firewall rules based on the extracted information associated with the user device and applying the user specific traffic control rules and the user specific firewall rules to the packet as governed by at least one user specific class of service rule associated with the user on the user device in the first network.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 18. The control device of claim 17, wherein the plurality of stages further comprises an interface specific stage and wherein the computer instructions are further translatable by the processor to perform:
    - at the interface specific stage, applying interface specific rules to the packet based on a type of a network interface over which the packet is received.
  - 19. The control device of claim 17, wherein the plurality of stages further comprises a global stage and wherein the computer instructions are further translatable by the processor to perform:
    - at the global stage, applying global firewall rules to the packet.
  - 20. The control device of claim 17, wherein the computer instructions are further translatable by the processor to implement a control program on the control device, wherein the control program comprises a provisioning module, wherein the provisioning module comprises a traffic conditioning module for user specific allocation of bandwidth.
  - 21. The control device of claim 20, wherein the traffic conditioning module further comprises an interface master queue for controlling a flow of network traffic over a particular network interface.
  - 22. The control device of claim 20, wherein the provisioning module further comprises a firewall module for associating the packet with the user specific firewall rules.
  - 23. The control device of claim 20, wherein the provisioning module further comprises an authentication module for authenticating the user.
  - 24. The control device of claim 17, wherein the computer instructions are further translatable by the processor to establish the user specific traffic control rules and the user specific firewall rules for the user based on a user profile that includes parameters that determine an extent of the user'"'"'s access to the second network, services available to the user, or a combination thereof.
  - 25. The control device of claim 17, wherein the computer instructions are further translatable by the processor to determine whether the user has authenticated.
  - 26. The control device of claim 25, wherein the user has not authenticated and wherein the computer instructions are further translatable by the processor to perform:
    - redirecting the user to a login web page that requests user credentials; and
      
      using the user credentials received from the user to authenticate the user.

27. A control device for network access control, comprising:
- a processor;
  
  at least one computer-readable storage medium storing computer instructions translatable by the processor to perform;
  
  receiving a packet originating from a user device in a first network, wherein the first network is connected to a second network via the control device, and wherein the user device is associated with a user;
  
  determining whether the user has authenticated;
  
  if the user has not authenticated;
  
  redirecting the user to a login web page that requests user credentials; and
  
  using the user credentials received from the user to authenticate the user;
  
  processing the packet according to a plurality of stages, including a client discrimination stage and a user specific rule stage;
  
  at the client discrimination stage, extracting information associated with the user device from a header of the packet and associating the packet with user specific traffic control rules and user specific firewall rules; and
  
  at the user specific rule stage, accessing the user specific traffic control rules and user specific firewall rules based on the extracted information associated with the user device and applying the user specific traffic control rules and the user specific firewall rules to the packet as governed by at least one user specific class of service rule associated with the user on the user device in the first network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Rocksteady Technologies LLC
Inventors
MacKinnon, Richard, Looney, Kelly, White, Eric
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US10/683,317
Publication Number

US 20040177276A1
Time in Patent Office

3,049 Days
Field of Search

713/150, 713/1, 713/151, 713/153, 713/155, 713/156, 713/160, 713/161, 713/162, 713/164, 713/168, 713/172, 713/182, 713/189, 726/5, 726/1, 726/2, 726/19, 726/27, 726/11, 726/12, 726/13, 705/26, 705/27
US Class Current

726/1
CPC Class Codes

H04L 51/00   User-to-user messaging in p...

H04L 63/02   for separating internal fro...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 67/306   User profiles

System and method for providing access control

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

271 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing access control

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

271 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links