Method and system for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute
First Claim
1. A method for authorizing a level of access of a client to a virtual private network connection, based on an attribute of a client-side computing environment, the method comprising the steps of:
(a) establishing, by an appliance, a control connection with a client upon receiving a client request to establish a virtual private network connection with a network;
(b) transmitting, by the appliance via the control connection to the client, a request for an evaluation component executing on the client to evaluate a security string transmitted in the request, the security string comprising one or more expressions including (i) an identifier of an attribute of a client-side computing environment, and (ii) a logical operation on a value of the attribute, a result of which comprises a value that determines what level of access to grant to the client;
(c) transmitting, by the client via the control connection, a response to the appliance comprising the result of evaluating the one or more expressions of the security string by the evaluation component; and
(d) assigning, by the appliance, a level of access to the client responsive to an application of a policy by a policy engine to the result of the evaluation; and
(e) establishing, by the appliance, the virtual private network connection with the client in accordance with the assigned level of access.
Abstract
An appliance and method for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute includes the step of establishing, by an appliance, a control connection with a client upon receiving a client request to establish a virtual private network connection with a network. The appliance transmits, via the control connection, a request to the client to evaluate at least one clause of a security string, the at least one clause including an expression associated with a client-side attribute. The client transmits, via the control connection, a response to the appliance comprising a result of evaluating the at least one clause by the client. The appliance assigns the client to an authorization group based on the result of evaluation of the at least one clause.
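To make steps (a) through (e) of the claim and the abstract concrete, the following is an added Python model of the exchange; it is not code from the patent or its assignee. The patent does not specify a syntax for the security string, attribute names, or a policy table, so the clause format (`attribute OP value` clauses separated by `;`), the `client.*` attribute identifiers, the three access levels and the `POLICY` table are all assumptions made for this example. The client returns only the per-clause boolean results, as the claim states, and anything it cannot evaluate (a missing attribute, a type mismatch, an unknown operator) fails closed.

```python
"""Toy model of posture-based VPN access authorization (added illustration)."""
import operator
import re
from typing import Any, Dict, List, Tuple

# Logical operations the client-side evaluation component accepts. Anything
# else is rejected during parsing rather than evaluated, so a malformed
# security string can never widen access.
OPS = {
    "==": operator.eq,
    "!=": operator.ne,
    ">=": operator.ge,
    "<=": operator.le,
    ">": operator.gt,
    "<": operator.lt,
}

# Assumed clause syntax: <attribute identifier> <operator> <value>
_CLAUSE = re.compile(r"^\s*([A-Za-z][\w.]*)\s*(==|!=|>=|<=|>|<)\s*(\S+)\s*$")


def _literal(token: str) -> Any:
    """Convert the right-hand side of a clause to bool, int or str."""
    low = token.lower()
    if low in ("true", "false"):
        return low == "true"
    try:
        return int(token)
    except ValueError:
        return token.strip('"')


def parse_security_string(security_string: str) -> List[Tuple[str, str, Any]]:
    """Step (b): split the appliance's security string into (attribute, op, value) expressions."""
    expressions = []
    for clause in filter(None, (c.strip() for c in security_string.split(";"))):
        m = _CLAUSE.match(clause)
        if not m or m.group(2) not in OPS:
            raise ValueError(f"malformed clause: {clause!r}")
        expressions.append((m.group(1), m.group(2), _literal(m.group(3))))
    return expressions


def evaluate_on_client(security_string: str, environment: Dict[str, Any]) -> Dict[str, bool]:
    """Step (c): the evaluation component evaluates each expression on the client.

    Only a boolean per clause goes back to the appliance, not raw attribute
    values. A missing attribute or a type mismatch evaluates to False.
    """
    results: Dict[str, bool] = {}
    for attr, op, expected in parse_security_string(security_string):
        actual = environment.get(attr)
        if actual is None:
            results[attr] = False
            continue
        try:
            results[attr] = bool(OPS[op](actual, expected))
        except TypeError:  # e.g. a string reported where a number was expected
            results[attr] = False
    return results


# Assumed policy table, ordered from most to least privileged: the first level
# whose required clauses all evaluated True is assigned (step (d)).
POLICY = [
    ("full", ["client.os.version", "client.av.running", "client.disk.encrypted"]),
    ("restricted", ["client.os.version", "client.av.running"]),
    ("quarantine", []),
]


def assign_access_level(results: Dict[str, bool]) -> str:
    """Step (d): the policy engine maps the client's results to an access level."""
    for level, required in POLICY:
        if all(results.get(attr, False) for attr in required):
            return level
    return "quarantine"  # explicit fail-closed default


def vpn_handshake(environment: Dict[str, Any]) -> str:
    """Steps (a)-(e) for one client: returns the access level the VPN is set up with."""
    security_string = (
        "client.os.version >= 10; client.av.running == true; client.disk.encrypted == true"
    )
    results = evaluate_on_client(security_string, environment)
    return assign_access_level(results)


# Constructed client environments used to demonstrate the three outcomes.
HEALTHY_CLIENT = {"client.os.version": 11, "client.av.running": True, "client.disk.encrypted": True}
NO_ENCRYPTION_CLIENT = {"client.os.version": 10, "client.av.running": True, "client.disk.encrypted": False}
OLD_CLIENT = {"client.os.version": 8, "client.av.running": False}

if __name__ == "__main__":
    for name, env in [("healthy", HEALTHY_CLIENT), ("no-encryption", NO_ENCRYPTION_CLIENT), ("old", OLD_CLIENT)]:
        print(f"{name}: {vpn_handshake(env)}")
```

The interesting property is in `evaluate_on_client`: the appliance never sees the client's attribute values, only whether each clause held, which is what the claim describes as the response; and the parser's whitelist of operators plus the fail-closed handling mean a corrupted or unexpected security string can only reduce the level of access, never raise it.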
42 Claims
1. (Independent method claim, reproduced in full above under First Claim. Dependent claims: 2 through 19.)
20. A system for authorizing a level of access of a client to a virtual private network connection, based on an attribute of a client-side computing environment, the system comprising:
a means for transmitting, by a client, a request to an appliance for a virtual private network connection to a network;
a request received by the client, via a control connection between the client and the appliance, for evaluation of a security string transmitted in the request, the security string comprising one or more expressions including (i) an identifier of an attribute of a client-side computing environment, and (ii) a logical operation on a value of the attribute, a result of which comprises a value that determines what level of access to grant to the client;
an evaluation component, executing on the client, for evaluating the one or more expressions;
a means for transmitting, by the client via the control connection, a response comprising the result of the evaluation by the evaluation component; and
a means for receiving, from the appliance, an assignment of a level of access to the client responsive to an application of a policy by a policy engine to the result of the evaluation, the appliance establishing the virtual private network connection with the client in accordance with the assigned level of access.
Dependent claims: 21 through 42.