Multiple tiered network security system, method and apparatus using dynamic user policy assignment
First Claim
1. A network access device comprising:
a memory for storing data packets received on a plurality of input ports; and
control logic adapted to:
examine a first data packet stored in the memory, the first data packet comprising:
a first physical address identifying a user device coupled to one of the plurality of input ports; and
a second physical address identifying a destination device to which a user of the user device is requesting access, for sending one or more data packets to the destination device via the network access device;
authenticate the first physical address;
if the authentication of the first physical address indicates the first physical address is valid, request one or more user credentials from a user of the user device; and
authenticate the one or more user credentials provided by the user in a second data packet in response to the request, the second data packet comprising the first physical address and the second physical address;
if the authentication of the one or more user credentials indicates the one or more user credentials are valid, dynamically assign the user policy to the one of the plurality of input ports; and
restrict further traffic on the one of the plurality of input ports in accordance with the user policy; and
if the authentication of the first physical address indicates the first physical address is invalid, block traffic on the one of the plurality of ports except for packets related to a user authentication protocol.
Abstract
A multiple key, multiple tiered network security system, method and apparatus provides at least three levels of security. The first level of security includes physical (MAC) address authentication of a user device being attached to the network, such as a user device being attached to a port of a network access device. The second level includes authentication of the user of the user device, such as user authentication in accordance with the IEEE 802.1x standard. The third level includes dynamic assignment of a user policy to the port based on the identity of the user, wherein the user policy is used to selectively control access to the port. The user policy may identify or include an access control list (ACL) or MAC address filter. Also, the user policy is not dynamically assigned if insufficient system resources are available to do so. Failure to pass a lower security level results in a denial of access to subsequent levels of authentication.
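The flow the abstract and the independent claims describe (tier 1: authenticate the source MAC of the first packet; tier 2: request and verify user credentials, 802.1X-style; tier 3: bind a per-port user policy, but only if system resources allow; on a tier 1 failure pass nothing but authentication-protocol packets) as a runnable simulation. This is an added example, not the patent's own code or any vendor's implementation. The Packet fields, the PBKDF2 credential store, a policy-slot counter standing in for "system resources", allowing re-authentication after a failed or resource-starved attempt, and dropping frames whose source MAC differs from the one authenticated on the port are all assumptions made for this example.

```python
# Simulation of the three-tier port model: MAC auth -> user auth -> dynamic per-port policy.
# Added example, not the patent's code; packet fields, the PBKDF2 store, the policy-slot
# limit, retry behaviour and the bound-MAC check are assumptions made for this demo.
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac

EAPOL = 0x888E  # IEEE 802.1X EAP over LAN: the "user authentication protocol" packets
IPV4 = 0x0800
UNKNOWN, MAC_REJECTED, AWAITING, NO_RESOURCES, AUTHORIZED = (
    "unknown", "mac-rejected", "awaiting-credentials", "no-resources", "authorized")


@dataclass(frozen=True)
class Packet:
    src_mac: str                         # first physical address (the user device)
    dst_mac: str                         # second physical address (the requested destination)
    ethertype: int
    dst_ip: Optional[str] = None
    credentials: Optional[tuple] = None  # (username, password) carried in an EAPOL packet


@dataclass(frozen=True)
class UserPolicy:
    name: str
    acl: tuple  # ordered ("permit" | "deny", dst_ip or "any") rules; implicit deny at the end

    def permits(self, pkt: Packet) -> bool:
        for action, dst_ip in self.acl:
            if dst_ip in ("any", pkt.dst_ip):
                return action == "permit"
        return False


@dataclass
class Port:
    state: str = UNKNOWN
    bound_mac: Optional[str] = None
    policy: Optional[UserPolicy] = None


def credential_record(password: str, salt: bytes) -> tuple:
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class NetworkAccessDevice:
    def __init__(self, valid_macs, user_db, user_policies, policy_slots, port_count=4):
        self.valid_macs = {m.lower() for m in valid_macs}
        self.user_db = user_db              # username -> (salt, PBKDF2-SHA256 hash)
        self.user_policies = user_policies  # username -> UserPolicy
        self.policy_slots = policy_slots    # assumed system-resource limit on bound policies
        self.ports = {n: Port() for n in range(1, port_count + 1)}

    def _authenticate_user(self, username: str, password: str) -> bool:
        salt, expected = self.user_db.get(username, (b"\0" * 16, b"\0" * 32))  # dummy keeps timing even
        return hmac.compare_digest(credential_record(password, salt)[1], expected) and username in self.user_db

    def _assign_policy(self, port: Port, username: str) -> bool:
        in_use = sum(p.policy is not None for p in self.ports.values())
        port.policy = self.user_policies.get(username) if in_use < self.policy_slots else None
        return port.policy is not None

    def link_down(self, port_no: int) -> None:
        self.ports[port_no] = Port()  # frees the policy slot; the next packet restarts at tier 1

    def ingress(self, port_no: int, pkt: Packet) -> str:
        """Decide one received packet: 'forward', 'drop' or 'request-credentials'."""
        port = self.ports[port_no]
        if port.state == UNKNOWN:                     # tier 1: authenticate the first physical address
            port.bound_mac = pkt.src_mac.lower()
            if port.bound_mac in self.valid_macs:
                port.state = AWAITING
                return "request-credentials"
            port.state = MAC_REJECTED                 # tier 2 is never offered to this port
        if pkt.src_mac.lower() != port.bound_mac:
            return "drop"                             # a different station on the port (assumed)
        if port.state in (AWAITING, NO_RESOURCES):    # tier 2: only EAPOL passes; credentials are consumed
            if pkt.ethertype != EAPOL:
                return "drop"
            if pkt.credentials and self._authenticate_user(*pkt.credentials):
                # tier 3: bind the user's policy unless no slot is free (fail closed, retry allowed)
                port.state = AUTHORIZED if self._assign_policy(port, pkt.credentials[0]) else NO_RESOURCES
            return "drop" if pkt.credentials else "forward"
        if port.state == AUTHORIZED:
            return "forward" if pkt.ethertype == EAPOL or port.policy.permits(pkt) else "drop"
        return "forward" if pkt.ethertype == EAPOL else "drop"   # MAC_REJECTED


def demo() -> tuple:
    """Constructed scenario: two registered MACs and users, one policy slot. Returns (trace, device)."""
    salt = b"demo-salt-16byte"
    eng = UserPolicy("eng", (("permit", "10.0.0.5"), ("deny", "any")))
    dev = NetworkAccessDevice({"00:11:22:33:44:55", "00:11:22:33:44:66"},
                              {"alice": credential_record("correct horse", salt),
                               "bob": credential_record("battery staple", salt)},
                              {"alice": eng, "bob": eng}, policy_slots=1)
    alice, bob, rogue, gw = "00:11:22:33:44:55", "00:11:22:33:44:66", "de:ad:be:ef:00:01", "aa:bb:cc:dd:ee:ff"
    trace = [
        dev.ingress(1, Packet(alice, gw, IPV4, dst_ip="10.0.0.5")),                        # request-credentials
        dev.ingress(1, Packet(alice, gw, EAPOL, credentials=("alice", "wrong"))),          # drop (retry allowed)
        dev.ingress(1, Packet(alice, gw, EAPOL, credentials=("alice", "correct horse"))),  # drop (consumed)
        dev.ingress(1, Packet(alice, gw, IPV4, dst_ip="10.0.0.5")),                        # forward: ACL permit
        dev.ingress(1, Packet(alice, gw, IPV4, dst_ip="10.0.0.9")),                        # drop: ACL deny
        dev.ingress(2, Packet(rogue, gw, IPV4, dst_ip="10.0.0.5")),                        # drop: tier 1 failed
        dev.ingress(2, Packet(rogue, gw, EAPOL)),                                          # forward: auth protocol only
        dev.ingress(3, Packet(bob, gw, IPV4, dst_ip="10.0.0.5")),                          # request-credentials
        dev.ingress(3, Packet(bob, gw, EAPOL, credentials=("bob", "battery staple"))),     # drop (consumed)
        dev.ingress(3, Packet(bob, gw, IPV4, dst_ip="10.0.0.5")),                          # drop: no policy slot left
    ]
    return trace, dev
```

Running `demo()` walks three ports through the tiers: port 1 passes all three and is then filtered by its ACL, port 2 fails MAC authentication and can only ever emit 802.1X frames, and port 3 has valid credentials but no policy slot, so its data traffic stays blocked until a slot is freed (for example by `link_down(1)`) and it re-authenticates. The resource check is deliberately fail-closed: a port whose policy could not be bound is never left open with no restrictions.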
188 Citations
25 Claims
1. A network access device comprising: (text as set out under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13

14. A computer implemented method comprising:
at a network access device comprising a plurality of input ports, examining a first data packet stored in a memory of the device, the first data packet comprising:
a first physical address identifying a user device coupled to one of the plurality of input ports; and
a second physical address identifying a destination device to which a user of the user device is requesting access, for sending one or more data packets to the destination device via the network access device;
authenticating the first physical address;
if the authentication of the first physical address indicates the first physical address is valid, requesting one or more user credentials from a user of the user device; and
authenticating the one or more user credentials provided by the user in a second data packet in response to the request, the second data packet comprising the first physical address and the second physical address;
if the authentication of the one or more user credentials indicates the one or more user credentials are valid, dynamically assigning the user policy to the one of the plurality of input ports and restricting further traffic on the port in accordance with the user policy; and
if the authentication of the first physical address indicates the first physical address is invalid, blocking traffic on the one of the plurality of ports except for packets related to a user authentication protocol.
Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22, 23, 24

25. An apparatus comprising:
means for storing data packets received on a plurality of input ports;
means for examining a first data packet stored in the memory, the first data packet comprising:
a first physical address identifying a user device coupled to one of the plurality of input ports; and
a second physical address identifying a destination device to which a user of the user device is requesting access, for sending one or more data packets to the destination device via the network access device;
means for authenticating the first physical address;
means for, if the authentication of the first physical address indicates the first physical address is valid, requesting one or more user credentials from a user of the user device; and authenticating the one or more user credentials provided by the user in a second data packet in response to the request, the second data packet comprising the first physical address and the second physical address;
means for, if the authentication of the one or more user credentials indicates the one or more user credentials are valid, dynamically assigning the user policy to the one of the plurality of input ports and restricting further traffic on the port in accordance with the user policy; and
means for, if the authentication of the first physical address indicates the first physical address is invalid, blocking traffic on the one of the plurality of ports except for packets related to a user authentication protocol.
Specification