Method and apparatus for policy-based network access control with arbitrary network access control frameworks

US 8,245,281 B2
Filed: 12/28/2007
Issued: 08/14/2012
Est. Priority Date: 12/29/2006
Status: Active Grant

First Claim

Patent Images

1. A method of granting a client access to a communication network, the method comprising:

blocking access by the client to the communication network using an enforcer;

receiving a request to access the communication network from the client;

invoking an appropriate access protocol terminator;

receiving at least one attribute associated with client access to the communication network from the appropriate access protocol terminator;

translating the at least one attribute into a canonical form;

receiving at least one attribute of backend service type information and translating the at least one attribute of the backend service type information into the canonical form;

using the at least one attribute associated with client access in canonical form and the at least one attribute of the backend service type information in canonical form as input to policy rules;

applying the policy rules to determine a policy result;

delivering the policy result to the enforcer; and

granting access by the client to the communication network through the enforcer based on the policy result.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for integrating various network access control frameworks under the control of a single policy decision point (PDP). The apparatus supports pluggable protocol terminators to interface to any number of access protocols or backend support services. The apparatus contains Trust and Identity Mediators to mediate between the protocol terminators and a canonical policy subsystem, translating attributes between framework representations, and a canonical representation using extensible data-driven dictionaries.

23 Citations

View as Search Results

22 Claims

1. A method of granting a client access to a communication network, the method comprising:
- blocking access by the client to the communication network using an enforcer;
  
  receiving a request to access the communication network from the client;
  
  invoking an appropriate access protocol terminator;
  
  receiving at least one attribute associated with client access to the communication network from the appropriate access protocol terminator;
  
  translating the at least one attribute into a canonical form;
  
  receiving at least one attribute of backend service type information and translating the at least one attribute of the backend service type information into the canonical form;
  
  using the at least one attribute associated with client access in canonical form and the at least one attribute of the backend service type information in canonical form as input to policy rules;
  
  applying the policy rules to determine a policy result;
  
  delivering the policy result to the enforcer; and
  
  granting access by the client to the communication network through the enforcer based on the policy result.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the method is implemented with a plurality of clients, the plurality of clients each having one or more network access control frameworks.
  - 3. The method of claim 1 further comprising:
    - determining an access policy result; and
      
      delivering the access policy result to the client.
  - 4. The method of claim 1 further comprising implementing access to the network with a single policy system and associated set of rules regardless of a number of network access control frameworks utilized.
  - 5. The method of claim 1 further comprising making network access requests from an environment having a plurality of network access control frameworks.
  - 6. The method of claim 1 wherein the translating the at least one attribute into the canonical form further comprises utilizing extensible data-driven dictionaries.
  - 7. The method of claim 1 further comprising controlling an integration of various network access control frameworks with a single policy decision point.

8. A non-transitory computer readable medium having embodied thereon a program, the program being executable by a machine to perform a method to grant access to a client in a communication network, the method comprising:
- blocking access by the client to the communication network using an enforcer;
  
  receiving a request to access the communication network from the client;
  
  invoking an appropriate access protocol terminator;
  
  receiving at least one attribute associated with client access to the communication network from the appropriate access protocol terminator;
  
  translating the at least one attribute associated with client access into a canonical form;
  
  receiving at least one attribute of service type information and translating the at least one attribute of the service type information into the canonical form;
  
  using the at least one of the attribute associated with client access in the canonical form and the at least one attribute of service type information in canonical form as input to policy rules;
  
  applying the policy rules to determine a policy result;
  
  delivering the policy result to the enforcer; and
  
  granting access by the client to the communication network through the enforcer, based on the policy result.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The computer readable medium of claim 8 wherein the method is implemented with a plurality of clients, the plurality of clients each having one or more network access control frameworks.
  - 10. The computer readable medium of claim 8 wherein the method further comprises:
    - determining an access policy result; and
      
      delivering the access policy result to the client.
  - 11. The computer readable medium of claim 8 wherein the method further comprises implementing access to the network with a single policy system and associated set of rules regardless of a number of network access control frameworks utilized.
  - 12. The computer readable medium of claim 8 wherein the method further comprises making network access requests from an environment having a plurality of network access control frameworks.
  - 13. The computer readable medium of claim 8 wherein the step of translating the at least one attribute into a canonical form further comprises using extensible data-driven dictionaries.
  - 14. The computer readable medium of claim 8 wherein the method further comprises controlling an integration of various network access control frameworks with a single policy decision point.
  - 15. The computer readable medium of claim 8 wherein the method further comprises selecting pluggable protocol terminators to interface to a plurality of access protocols or backend support services.

16. A system to grant network access to a client in a communication network, the system comprising:
- a client protocol terminator configured to be coupled through a network access device to a remote client;
  
  an access attribute translation device coupled to the client protocol terminator and configured to translate attributes from a first framework representation into a canonical representation;
  
  a policy database coupled to the access attribute translation device and configured to store protocol attributes relating to a plurality of frameworks;
  
  a service protocol terminator configured to be coupled to one or more backend service services;
  
  a service attribute translation device coupled to the policy database and the service protocol terminator, the service attribute translation device being configured to translate attributes from a second framework representation to the canonical representation; and
  
  a policy subsystem coupled to the access attribute translation device and the policy database, configured to determine a policy result based upon an attempt by the client to connect to the communication network,wherein the network access device blocks the client from accessing the communication network prior to the policy result being determined and the network access device grants the client access to the communication network based on the policy results.
- View Dependent Claims (17, 18)
- - 17. The system of claim 16 further comprising the policy subsystem having a plurality of rules engine pipeline stages.
  - 18. The system of claim 16 further comprising a single policy decision point configured to control an integration of a plurality of network access control frameworks.

19. A system to grant network access to a client in a communication network, the system comprising:
- client protocol terminator means adapted for coupling to a remote client;
  
  an enforcer;
  
  access attribute translation means for translating attributes from a first framework representation into a canonical representation;
  
  protocol storage means for storing protocol attributes relating to a plurality of frameworks;
  
  service protocol terminator means adapted for coupling to one or more backend service devices;
  
  service attribute translation means for translating attributes from a second framework representation into the canonical representation; and
  
  policy determination means coupled to the enforcer, the access attribute translation means and the protocol storage means, for determining a policy result based upon an attempt by the client to connect to the communication network,wherein the enforcer blocks the client from accessing the communication network prior to the policy result being determined and the enforcer grants the client access to the communication network based on the policy result.
- View Dependent Claims (20, 21)
- - 20. The system of claim 19 wherein the policy determination means includes a policy subsystem coupled to the access attribute translation means and the protocol storage means, the policy subsystem having a plurality of rules engine pipeline stages.
  - 21. The system of claim 19 further comprising a single policy decision means for controlling an integration of a plurality of network access control frameworks.

22. A method of granting a client access to a communication network, the method comprising:
- blocking access by the client to the network using an enforcer;
  
  receiving a request to access the network from the client;
  
  invoking an appropriate access protocol terminator by selecting a pluggable protocol terminator to interface to a plurality of access protocols or backend support services;
  
  receiving at least one attribute about the client from the appropriate access protocol terminator;
  
  translating the at least one attribute into a canonical form utilizing extensible data-driven dictionaries and using the at least one attribute in canonical form as input to policy rules;
  
  applying the policy rules to determine a policy result;
  
  delivering the policy result to the enforcer; and
  
  granting access by the client to the communication network through the enforcer based on the policy result.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Aruba Networks Incorporated (Hewlett-Packard Enterprise Company)
Inventors
Cheeniyil, Santhosh, Prabhakar, Krishna, Fine, Michael
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
Rahman, Mahfuzur

Application Number

US11/966,837
Publication Number

US 20080163340A1
Time in Patent Office

1,691 Days
Field of Search

726/3
US Class Current

726/3
CPC Class Codes

H04L 63/102 Entity profiles

H04L 63/20 for managing network securi...

Method and apparatus for policy-based network access control with arbitrary network access control frameworks

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for policy-based network access control with arbitrary network access control frameworks

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links