Method and apparatus for policy-based network access control with arbitrary network access control frameworks
First Claim
1. A method of granting a client access to a communication network, the method comprising:
- blocking access by the client to the communication network using an enforcer;
- receiving a request to access the communication network from the client;
- invoking an appropriate access protocol terminator;
- receiving at least one attribute associated with client access to the communication network from the appropriate access protocol terminator;
- translating the at least one attribute into a canonical form;
- receiving at least one attribute of backend service type information and translating the at least one attribute of the backend service type information into the canonical form;
- using the at least one attribute associated with client access in canonical form and the at least one attribute of the backend service type information in canonical form as input to policy rules;
- applying the policy rules to determine a policy result;
- delivering the policy result to the enforcer; and
- granting access by the client to the communication network through the enforcer based on the policy result.
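As an added illustration (not code from the patent or from any product it covers), the claimed flow as a toy policy decision point in Python: an enforcer that denies by default, a pluggable terminator selected per access framework, data-driven translation dictionaries into a canonical attribute form, backend service attributes merged in the same canonical form, rules evaluated only over canonical attributes, and the result delivered back to the enforcer. Every framework name, attribute name, dictionary entry and sample account below is constructed for the example.

```python
from dataclasses import dataclass, field

# Data-driven dictionaries (constructed): framework attribute name -> canonical name.
# A new framework is supported by adding an entry here, not by changing the rules.
TRANSLATION_DICTS = {
    "radius-like": {"User-Name": "subject", "NAS-Port-Type": "medium"},
    "dot1x-like": {"eap-identity": "subject", "port-media": "medium"},
    "ldap-like": {"memberOf": "groups", "accountStatus": "status"},
}

def translate(framework: str, attrs: dict) -> dict:
    """Map framework attributes into canonical form; unknown attributes are dropped,
    not passed through, so the rules only ever see the canonical vocabulary."""
    mapping = TRANSLATION_DICTS[framework]
    return {mapping[k]: v for k, v in attrs.items() if k in mapping}

# Pluggable access protocol terminators (constructed stand-ins for real parsers).
ACCESS_TERMINATORS = {
    "radius-like": lambda r: {"User-Name": r["user"], "NAS-Port-Type": r["port"]},
    "dot1x-like": lambda r: {"eap-identity": r["user"], "port-media": r["port"]},
}
# Backend service terminator output keyed by subject (constructed sample data).
BACKEND_DIRECTORY = {
    "alice": {"memberOf": ["staff"], "accountStatus": "active"},
    "mallory": {"memberOf": ["staff"], "accountStatus": "disabled"},
}

def policy_rules(canon: dict) -> str:
    """Rules written only against canonical attributes; anything unmatched is denied."""
    if canon.get("status") != "active":
        return "deny"
    if "staff" in canon.get("groups", []) and canon.get("medium") == "wired":
        return "permit"
    return "deny"

@dataclass
class Enforcer:
    """Blocks every client until a policy result for it has been delivered."""
    allowed: set = field(default_factory=set)
    def allows(self, client: str) -> bool:
        return client in self.allowed
    def deliver(self, client: str, result: str) -> bool:
        (self.allowed.add if result == "permit" else self.allowed.discard)(client)
        return self.allows(client)

def decide(enforcer: Enforcer, request: dict) -> bool:
    """One pass of the claimed flow; returns whether the enforcer now grants access."""
    fw = request["framework"]
    canon = translate(fw, ACCESS_TERMINATORS[fw](request))  # access attrs -> canonical
    backend = BACKEND_DIRECTORY.get(canon.get("subject"), {"accountStatus": "unknown"})
    canon.update(translate("ldap-like", backend))  # backend attrs -> canonical
    return enforcer.deliver(request["client"], policy_rules(canon))
```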
Abstract
A method and apparatus for integrating various network access control frameworks under the control of a single policy decision point (PDP). The apparatus supports pluggable protocol terminators to interface to any number of access protocols or backend support services. The apparatus contains Trust and Identity Mediators to mediate between the protocol terminators and a canonical policy subsystem, translating attributes between framework representations and a canonical representation using extensible data-driven dictionaries.
22 Claims
8. A non-transitory computer readable medium having embodied thereon a program, the program being executable by a machine to perform a method to grant access to a client in a communication network, the method comprising:
- blocking access by the client to the communication network using an enforcer;
- receiving a request to access the communication network from the client;
- invoking an appropriate access protocol terminator;
- receiving at least one attribute associated with client access to the communication network from the appropriate access protocol terminator;
- translating the at least one attribute associated with client access into a canonical form;
- receiving at least one attribute of service type information and translating the at least one attribute of the service type information into the canonical form;
- using the at least one of the attribute associated with client access in the canonical form and the at least one attribute of service type information in canonical form as input to policy rules;
- applying the policy rules to determine a policy result;
- delivering the policy result to the enforcer; and
- granting access by the client to the communication network through the enforcer, based on the policy result.
16. A system to grant network access to a client in a communication network, the system comprising:
- a client protocol terminator configured to be coupled through a network access device to a remote client;
- an access attribute translation device coupled to the client protocol terminator and configured to translate attributes from a first framework representation into a canonical representation;
- a policy database coupled to the access attribute translation device and configured to store protocol attributes relating to a plurality of frameworks;
- a service protocol terminator configured to be coupled to one or more backend service services;
- a service attribute translation device coupled to the policy database and the service protocol terminator, the service attribute translation device being configured to translate attributes from a second framework representation to the canonical representation; and
- a policy subsystem coupled to the access attribute translation device and the policy database, configured to determine a policy result based upon an attempt by the client to connect to the communication network,
wherein the network access device blocks the client from accessing the communication network prior to the policy result being determined and the network access device grants the client access to the communication network based on the policy results.
19. A system to grant network access to a client in a communication network, the system comprising:
- client protocol terminator means adapted for coupling to a remote client;
- an enforcer;
- access attribute translation means for translating attributes from a first framework representation into a canonical representation;
- protocol storage means for storing protocol attributes relating to a plurality of frameworks;
- service protocol terminator means adapted for coupling to one or more backend service devices;
- service attribute translation means for translating attributes from a second framework representation into the canonical representation; and
- policy determination means coupled to the enforcer, the access attribute translation means and the protocol storage means, for determining a policy result based upon an attempt by the client to connect to the communication network,
wherein the enforcer blocks the client from accessing the communication network prior to the policy result being determined and the enforcer grants the client access to the communication network based on the policy result.
22. A method of granting a client access to a communication network, the method comprising:
- blocking access by the client to the network using an enforcer;
- receiving a request to access the network from the client;
- invoking an appropriate access protocol terminator by selecting a pluggable protocol terminator to interface to a plurality of access protocols or backend support services;
- receiving at least one attribute about the client from the appropriate access protocol terminator;
- translating the at least one attribute into a canonical form utilizing extensible data-driven dictionaries and using the at least one attribute in canonical form as input to policy rules;
- applying the policy rules to determine a policy result;
- delivering the policy result to the enforcer; and
- granting access by the client to the communication network through the enforcer based on the policy result.
Specification