Method and apparatus for policy-based network access control with arbitrary network access control frameworks

US 8,713,639 B2
Filed: 07/13/2012
Issued: 04/29/2014
Est. Priority Date: 12/29/2006
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

at least one device including a hardware processor;

the system being configured to perform operations comprising;

receiving a first request;

determining a first set of one or more attributes in a first framework-specific representation based on the first request;

translating the first set of attributes from the first framework-specific representation to a canonical representation;

applying policy rules to the first set of attributes in the canonical representation to determine whether to grant the first request;

receiving a second request;

determining a second set of one or more attributes in a second framework-specific representation based on the second request, the second framework-specific representation being different than the first framework-specific representation;

wherein at least one of the second set of one or more attributes is associated with a backend service and/or a backend server;

translating the second set of attributes from the second framework-specific representation to the canonical representation;

applying policy rules to the second set of attributes in the canonical representation to determine whether to grant the second request.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for integrating various network access control frameworks under the control of a single policy decision point (PDP). The apparatus supports pluggable protocol terminators to interface to any number of access protocols or backend support services. The apparatus contains Trust and Identity Mediators to mediate between the protocol terminators and a canonical policy subsystem, translating attributes between framework representations, and a canonical representation using extensible data-driven dictionaries.

36 Citations

View as Search Results

10 Claims

1. A system comprising:
- at least one device including a hardware processor;
  
  the system being configured to perform operations comprising;
  
  receiving a first request;
  
  determining a first set of one or more attributes in a first framework-specific representation based on the first request;
  
  translating the first set of attributes from the first framework-specific representation to a canonical representation;
  
  applying policy rules to the first set of attributes in the canonical representation to determine whether to grant the first request;
  
  receiving a second request;
  
  determining a second set of one or more attributes in a second framework-specific representation based on the second request, the second framework-specific representation being different than the first framework-specific representation;
  
  wherein at least one of the second set of one or more attributes is associated with a backend service and/or a backend server;
  
  translating the second set of attributes from the second framework-specific representation to the canonical representation;
  
  applying policy rules to the second set of attributes in the canonical representation to determine whether to grant the second request.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, further comprising:
    - based on the first set of attributes in the canonical representation, gathering a first information using a first framework-specific representation;
      
      translating the first information into the canonical representation;
      
      based on the first set of attributes in the canonical representation, gathering a second information using a second framework-specific representation;
      
      translating the second information into the canonical representation.
  - 3. The system of claim 1, wherein the first framework-specific representation is a RADIUS protocol and wherein the second framework-specific representation is a TACACS+protocol.
  - 4. The system of claim 1, wherein the translating of the first set of attributes and translating of the second set of attributes is performed using a single database comprising a plurality of conversion dictionaries.
  - 5. The system of claim 1, wherein the translating the first set of attributes and the second set of attributes is performed by a single translation device.

6. A non-transitory computer readable medium comprising instructions which when executed by one or more processors causes performance of:
- receiving a first request;
  
  determining a first set of one or more attributes in a first framework-specific representation based on the first request;
  
  translating the first set of attributes from the first framework-specific representation to a canonical representation;
  
  applying policy rules to the first set of attributes in the canonical representation to determine whether to grant the first request;
  
  receiving a second request;
  
  determining a second set of one or more attributes in a second framework-specific representation based on the second request, the second framework-specific representation being different than the first framework-specific representation;
  
  wherein at least one of the second set of one or more attributes is associated with a backend service and/or a backend server;
  
  translating the second set of attributes from the second framework-specific representation to the canonical representation;
  
  applying policy rules to the second set of attributes in the canonical representation to determine whether to grant the second request.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer readable medium of claim 6, further comprising:
    - based on the first set of attributes in the canonical representation, gathering a first information using a first framework-specific representation;
      
      translating the first information into the canonical representation;
      
      based on the first set of attributes in the canonical representation, gathering a second information using a second framework-specific representation;
      
      translating the second information into the canonical representation.
  - 8. The computer readable medium of claim 6, wherein the first framework-specific representation is a RADIUS protocol and wherein the second framework-specific representation is a TACACS+protocol.
  - 9. The computer readable medium of claim 6, wherein the translating of the first set of attributes and translating of the second set of attributes is performed using a single database comprising a plurality of conversion dictionaries.
  - 10. The computer readable medium of claim 6, wherein the translating the first set of attributes and the second set of attributes is performed by a single translation device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Aruba Networks Incorporated (Hewlett-Packard Enterprise Company)
Inventors
Cheeniyil, Santhosh, Prabhakar, Krishna, Fine, Michael
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US13/549,244
Publication Number

US 20130042002A1
Time in Patent Office

655 Days
Field of Search

726/3
US Class Current

726/3
CPC Class Codes

H04L 63/102 Entity profiles

H04L 63/20 for managing network securi...

Method and apparatus for policy-based network access control with arbitrary network access control frameworks

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for policy-based network access control with arbitrary network access control frameworks

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links