Multiple tiered network security system, method and apparatus using dynamic user policy assignment

US 8,239,929 B2
Filed: 04/28/2010
Issued: 08/07/2012
Est. Priority Date: 09/04/2003
Status: Active Grant

First Claim

Patent Images

1. A network access device comprising:

a memory for storing data packets received on a plurality of input ports; and

control logic adapted to;

examine a first data packet stored in the memory, the first data packet comprising;

a first physical address identifying a user device coupled to one of the plurality of input ports; and

a second physical address identifying a destination device to which a user of the user device is requesting access, for sending one or more data packets to the destination device via the network access device;

authenticate the first physical address;

if the authentication of the first physical address indicates the first physical address is valid,request one or more user credentials from a user of the user device; and

authenticate the one or more user credentials provided by the user in a second data packet in response to the request, the second data unit comprising the first physical address and the second physical address;

if the authentication of the one or more user credentials indicates the one or more user credentials are valid,dynamically assign the user policy to the one of the plurality of input ports; and

restrict further traffic on the one of the plurality of input ports in accordance with the user policy; and

if the authentication of the first physical address indicates the first physical address is invalid, block traffic on the one of the plurality of ports except for packets related to a user authentication protocol.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A multiple key, multiple tiered network security system, method and apparatus provides at least three levels of security. The first level of security includes physical (MAC) address authentication of a user device being attached to the network, such as a user device being attached to a port of a network access device. The second level includes authentication of the user of the user device, such as user authentication in accordance with the IEEE 802.1x standard. The third level includes dynamic assignment of a user policy to the port based on the identity of the user, wherein the user policy is used to selectively control access to the port. The user policy may identify or include an access control list (ACL) or MAC address filter. Also, the user policy is not dynamically assigned if insufficient system resources are available to do so. Failure to pass a lower security level results in a denial of access to subsequent levels of authentication.

188 Citations

25 Claims

1. A network access device comprising:
- a memory for storing data packets received on a plurality of input ports; and
  
  control logic adapted to;
  
  examine a first data packet stored in the memory, the first data packet comprising;
  
  a first physical address identifying a user device coupled to one of the plurality of input ports; and
  
  a second physical address identifying a destination device to which a user of the user device is requesting access, for sending one or more data packets to the destination device via the network access device;
  
  authenticate the first physical address;
  
  if the authentication of the first physical address indicates the first physical address is valid,request one or more user credentials from a user of the user device; and
  
  authenticate the one or more user credentials provided by the user in a second data packet in response to the request, the second data unit comprising the first physical address and the second physical address;
  
  if the authentication of the one or more user credentials indicates the one or more user credentials are valid,dynamically assign the user policy to the one of the plurality of input ports; and
  
  restrict further traffic on the one of the plurality of input ports in accordance with the user policy; and
  
  if the authentication of the first physical address indicates the first physical address is invalid, block traffic on the one of the plurality of ports except for packets related to a user authentication protocol.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The network access device of claim 1 wherein the first physical address comprises a Media Access Control (MAC) address.
  - 3. The network access device of claim 1 wherein the control logic is adapted to authenticate the user credentials in accordance with an IEEE 802.1×
    - protocol.
  - 4. The network access device of claim 1 wherein the user policy identifies an access control list.
  - 5. The network access device of claim 1 wherein the user policy includes an access control list.
  - 6. The network access device of claim 1 wherein the user policy identifies a Media Access Control (MAC) address filter.
  - 7. The network access device of claim 1 wherein the user policy includes a Media Access Control (MAC) address filter.
  - 8. The network access device of claim 1 wherein the control logic is adapted to send the one or more user credentials to an authentication server and to receive an accept message from the authentication server if the user credentials are valid.
  - 9. The network access device of claim 8 wherein the authentication server comprises a Remote Authentication Dial-In User Service (RADIUS) server.
  - 10. The network access device of claim 8 wherein the accept message includes the user policy.
  - 11. The network access device of claim 1 wherein the control logic is further adapted to assign the one of the plurality of input ports to a virtual local area network (VLAN) associated with the one or more user credentials if the one or more user credentials are valid.
  - 12. The network access device of claim 11 wherein the control logic is adapted to receive a message from an authentication server, wherein the message comprises a VLAN identifier (ID) associated with the one or more user credentials, and to assign the one of the plurality of input ports to a VLAN associated with the VLAN ID.
  - 13. The device of claim 1 wherein the user credentials comprise a user name and a password.

14. A computer implemented method comprising:
- at a network access device comprising a plurality of input ports, examining a first data packet stored in a memory of the device, the first data packet comprising;
  
  a first physical address identifying a user device coupled to one of the plurality of input ports; and
  
  a second physical address identifying a destination device to which a user of the user device is requesting access, for sending one or more data packets to the destination device via the network access device;
  
  authenticating the first physical address;
  
  if the authentication of the first physical address indicates the first physical address is valid, requesting one or more user credentials from a user of the user device; and
  
  authenticating the one or more user credentials provided by the user in a second data packet in response to the request, the second data packet comprising the first physical address and the second physical address;
  
  if the authentication of the one or more user credentials indicates the one or more user credentials are valid, dynamically assigning the user policy to the one of the plurality of input ports and restricting further traffic on the port in accordance with the user policy; and
  
  if the authentication of the first physical address indicates the first physical address is invalid, blocking traffic on the one of the plurality of ports except for packets related to a user authentication protocol.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 15. The method of claim 14 wherein the first physical address comprises a Media Access Control (MAC) address.
  - 16. The method of claim 14 wherein the authenticating the user credentials comprises authenticating the user credentials in accordance with an IEEE 802.1x protocol.
  - 17. The method of claim 14 wherein the restricting access comprises restricting access to the one of the plurality of input ports in accordance with an access control list.
  - 18. The method of claim 14 wherein the restricting access comprises restricting access to the one of the plurality of input ports in accordance with a Media Access Control (MAC) address filter.
  - 19. The method of claim 14 wherein the authenticating the user credentials comprises:
    - sending the one or more user credentials to an authentication server; and
      
      receiving an accept message from the authentication server if the one or more user credentials are valid.
  - 20. The method of claim 19 wherein the authentication server comprises a Remote Authentication Dial-In User Service (RADIUS) server.
  - 21. The method of claim 19 wherein the receiving an accept message comprises receiving an accept message that includes the user policy.
  - 22. The method of claim 14, further comprising:
    - assigning the port to a virtual local area network (VLAN) associated with the one or more user credentials only if the one or more user credentials are valid.
  - 23. The method of claim 22, wherein the assigning the port to a VLAN comprises:
    - receiving a message from an authentication server, wherein the message comprises a VLAN identifier (ID) associated with the user credentials; and
      
      assigning the port to a VLAN associated with the VLAN ID.
  - 24. The method of claim 14 wherein the user credentials comprise a user name and a password.

25. An apparatus comprising:
- means for storing data packets received on a plurality of input ports;
  
  means for examining a first data packet stored in the memory, the first data packet comprising;
  
  a first physical address identifying a user device coupled to one of the plurality of input ports; and
  
  a second physical address identifying a destination device to which a user of the user device is requesting access, for sending one or more data packets to the destination device via the network access device;
  
  means for authenticating the first physical address;
  
  means for, if the authentication of the first physical address indicates the first physical address is valid,requesting one or more user credentials from a user of the user device; and
  
  authenticating the one or more user credentials provided by the user in a second data packet in response to the request, the second data packet comprising the first physical address and the second physical address;
  
  means for, if the authentication of the one or more user credentials indicates the one or more user credentials are valid, dynamically assigning the user policy to the one of the plurality of input ports and restricting further traffic on the port in accordance with the user policy; and
  
  means for, if the authentication of the first physical address indicates the first physical address is invalid, blocking traffic on the one of the plurality of ports except for packets related to a user authentication protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Foundry Networks LLC (Broadcom, Inc.)
Inventors
Kwan, Philip, Ho, Chi-Jui
Primary Examiner(s)
Chea, Philip
Assistant Examiner(s)
ABEDIN, SHANTO

Application Number

US12/769,626
Publication Number

US 20100223654A1
Time in Patent Office

832 Days
Field of Search

713/154, 713/168, 726 1- 4, 726 11- 14, 709/201, 709/225, 709/229, 709/232, 709/238, 455/410, 455/411
US Class Current

726/11
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0876   based on the identity of th...

H04L 63/102   Entity profiles

Multiple tiered network security system, method and apparatus using dynamic user policy assignment

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

188 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Multiple tiered network security system, method and apparatus using dynamic user policy assignment

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

188 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links