Enabling dynamic authentication with different protocols on the same port for a switch

US 8,522,318 B2
Filed: 09/10/2010
Issued: 08/27/2013
Est. Priority Date: 01/26/2005
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

monitoring network traffic associated with a port of a network device;

identifying an authentication request within the network traffic, wherein the authentication request is associated with a client device; and

evaluating a first policy associated with the client device in order to determine whether to grant access to a network resource associated with a first local area network, wherein the first policy is evaluated if the client device is authenticated using 802.1x authentication, and wherein if the client device is not capable of supporting 802.1x authentication and is authenticated using non-802.1x authentication then a second policy is evaluated to determine whether to grant access to the network resource.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention enables a client device that does not support IEEE 802.1X authentication to access at least some resources provided through a switch that supports 802.1X authentication by using dynamic authentication with different protocols. When the client device attempts to join a network, the switch monitors for an 802.1X authentication message from the client device. In one embodiment, if the client fails to send an 802.1X authentication message, respond to an 802.1X request from the switch, or a predefined failure condition is detected the client may be deemed incapable of supporting 802.1X authentication. In one embodiment, the client may be initially placed on a quarantine VLAN after determination that the client fails to perform an 802.1X authentication within a backoff time limit. However, the client may still gain access to resources based on various non-802.1X authentication mechanisms, including name/passwords, digital certificates, or the like.

Citations

30 Claims

1. A method, comprising:
- monitoring network traffic associated with a port of a network device;
  
  identifying an authentication request within the network traffic, wherein the authentication request is associated with a client device; and
  
  evaluating a first policy associated with the client device in order to determine whether to grant access to a network resource associated with a first local area network, wherein the first policy is evaluated if the client device is authenticated using 802.1x authentication, and wherein if the client device is not capable of supporting 802.1x authentication and is authenticated using non-802.1x authentication then a second policy is evaluated to determine whether to grant access to the network resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein if the client device is determined to be incapable of supporting 802.1x authentication, then hypertext transfer protocol (HTTP) packets associated with the client device are permitted to propagate through the port of the network device.
  - 3. The method of claim 1, wherein the non-802.1x authentication permits the client device to access different resources based on the second policy associated with the client device.
  - 4. The method of claim 1, wherein an incorrect authentication credential being provided by the client device serves as a basis for determining that the client device is not capable of an 802.1x authentication.
  - 5. The method of claim 1, wherein if the client device is incapable of supporting an 802.1x authentication, the client device is provisioned on a second local area network for quarantining.
  - 6. The method of claim 5, wherein the client device is provisioned on the second local area network based on exceeding a time limit allotted for 802.1x authentication.
  - 7. The method of claim 5, wherein an interface is provided to the client device when it is quarantined, and wherein the interface is a webpage or a command line interface (CLI).
  - 8. The method of claim 1, further comprising:
    - provisioning an enforcer element configured to act as an authentication server for the client device.
  - 9. The method of claim 8, wherein the enforcer element is operable to configure a port on the network device to an auto mode to enable 802.1x authentication detection.
  - 10. The method of claim 1, wherein an audit is performed for the client device to ensure conformance with a security policy associated with the client device.
  - 11. The method of claim 1, wherein if the client device is incapable of supporting an 802.1x authentication, the non-802.1x authentication is accepted for access to the network resource, wherein the non-802.1x authentication is a different type of authentication than the 802.1x authentication.
  - 12. The method of claim 1, further comprising:
    - providing a simple network management protocol (SNMP) handler application for transmitting and receiving e-mail associated with the client device.
  - 13. The method of claim 1, further comprising:
    - providing a hypertext transfer protocol (HTTP) handler application for receiving and handling HTTP requests associated with the client device.
  - 14. The method of claim 1, wherein the client device is a mobile phone configured to send and receive voice communications.

15. Logic encoded in one or more tangible non-transitory media that includes code for execution and when executed by a processor operable to perform operations comprising:
- monitoring network traffic associated with a port of a network device;
  
  identifying an authentication request within the network traffic, wherein the authentication request is associated with a client device; and
  
  evaluating a first policy associated with the client device in order to determine whether to grant access to a network resource associated with a first local area network, wherein the first policy is evaluated if the client device is authenticated using 802.1x authentication, and wherein if the client device is not capable of supporting 802.1x authentication and is authenticated using non-802.1x authentication then a second policy is evaluated to determine whether to grant access to the network resource.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The logic of claim 15, wherein if the client device is determined to be incapable of supporting 802.1x authentication, then hypertext transfer protocol (HTTP) packets associated with the client device are permitted to propagate through the port of the network device.
  - 17. The logic of claim 15, wherein the non-802.1x authentication permits the client device to access different resources based on the second policy associated with the client device.
  - 18. The logic of claim 15, wherein the client device is provisioned on a second local area network based on exceeding a time limit allotted for 802.1x authentication.
  - 19. The logic of claim 15, wherein an interface is provided to the client device when it is quarantined, and wherein the interface is a webpage or a command line interface (CLI).
  - 20. The logic of claim 15, wherein if the client device is incapable of supporting an 802.1x authentication, the non-802.1x authentication is accepted for access to the network resource, wherein the non-802.1x authentication is a different type of authentication than the 802.1x authentication.

21. An apparatus, comprising:
- a memory element configured to store code;
  
  a processor operable to execute instructions associated with the code; and
  
  an enforcer element configured to interface with the memory element and the processor such that the apparatus can;
  
  monitor network traffic associated with a port of a network device;
  
  identify an authentication request within the network traffic, wherein the authentication request is associated with a client device; and
  
  evaluate a first policy associated with the client device in order to determine whether to grant access to a network resource associated with a first local area network, wherein the first policy is evaluated if the client device is authenticated using 802.1x authentication, and wherein if the client device is not capable of supporting 802.1x authentication and is authenticated using non-802.1x authentication then a second policy is evaluated to determine whether to grant access to the network resource.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The apparatus of claim 21, wherein if the client device is determined to be incapable of supporting 802.1x authentication, then hypertext transfer protocol (HTTP) packets associated with the client device are permitted to propagate through the port of the network device.
  - 23. The apparatus of claim 21, wherein the non-802.1x authentication permits the client device to access different resources based on a second policy associated with the client device.
  - 24. The apparatus of claim 21, wherein an incorrect authentication credential being provided by the client device serves as a basis for determining that the client device is not capable of an 802.1x authentication.
  - 25. The apparatus of claim 21, wherein if the client device is incapable of supporting an 802.1x authentication, the client device is provisioned on a second local area network for quarantining.
  - 26. The apparatus of claim 25, wherein the client device is provisioned on the second local area network based on exceeding a time limit allotted for 802.1x authentication.
  - 27. The apparatus of claim 25, wherein an interface is provided to the client device when it is quarantined, and wherein the interface is a webpage or a command line interface (CLI).
  - 28. The apparatus of claim 21, wherein the enforcer element is operable to configure a port on the network device to an auto mode to enable 802.1x authentication detection.
  - 29. The apparatus of claim 21, further comprising:
    - a simple network management protocol (SNMP) handler application for transmitting and receiving e-mail associated with the client device.
  - 30. The apparatus of claim 21, further comprising:
    - a hypertext transfer protocol (HTTP) handler application for receiving and handling HTTP requests associated with the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Vank, Alexandru Z., Shen, Xin, Cobb, Matt B., Robel-Forrest, Brad, Webb, Evan M.
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US12/879,319
Publication Number

US 20100333176A1
Time in Patent Office

1,082 Days
Field of Search

None
US Class Current

726/4
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/162   at the data link layer

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

Enabling dynamic authentication with different protocols on the same port for a switch

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Enabling dynamic authentication with different protocols on the same port for a switch

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links