System and method for flexible network access control policies in a network environment

US 8,874,766 B2
Filed: 03/09/2012
Issued: 10/28/2014
Est. Priority Date: 03/09/2012
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

capturing session attributes associated with a session, wherein the session is initiated by a first node in an attempt to access a second node in a network environment;

querying external attributes associated with the first node and the second node;

deriving a response attribute according to an access control policy rule based on at least one of the session attributes and at least one of the external attributes that are included in a policy attribute group for the access control policy rule, wherein the policy attribute group includes one or more classes of attributes used to define the access control policy rule; and

applying the response attribute to the session.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An example method includes capturing session attributes associated with a communication session initiated by a node in a network environment, querying external attributes associated with the node, deriving a response attribute according to an access control policy rule based on at least one of the session attributes and at least one of the external attributes, and applying the response attribute to the communication session. The session attributes can include remote authentication dial in user service RADIUS vendor specific attribute information from an unknown vendor. The method may further include auditing the communication session, enforcing the response attribute, or ignoring the access control policy. Enforcing the response attribute can include taking an access control action according to the response attribute. The access control action may include allowing the node to access a virtual local area network in the network environment, denying access to the network environment, etc.

10 Citations

View as Search Results

20 Claims

1. A method comprising:
- capturing session attributes associated with a session, wherein the session is initiated by a first node in an attempt to access a second node in a network environment;
  
  querying external attributes associated with the first node and the second node;
  
  deriving a response attribute according to an access control policy rule based on at least one of the session attributes and at least one of the external attributes that are included in a policy attribute group for the access control policy rule, wherein the policy attribute group includes one or more classes of attributes used to define the access control policy rule; and
  
  applying the response attribute to the session.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the session attributes include remote authentication dial in user service (RADIUS) vendor specific attribute (VSA) information from an unknown vendor.
  - 3. The method of claim 1, wherein the session attributes and the external attributes for a particular class of attributes comprise at least one selection from a group including:
    - a point of attachment, a health level of the first node, a user group of the first node, a device group of the first node, another device group of the second node, RADIUS attributes, and time of day.
  - 4. The method of claim 1, further comprising a selection from activities including:
    - auditing the communication session, enforcing the response attribute, and ignoring the access control policy rule.
  - 5. The method of claim 4, wherein enforcing the response attribute includes taking an access control action according to the response attribute.
  - 6. The method of claim 5, wherein the access control action is selected from a group comprising:
    - allowing the first node to access a virtual local area network (VLAN) comprising the second node, allowing the first node to access a network access zone (NAZ), allowing access to the first node according to an access control list (ACL), denying access to the second node, denying access to the network environment, setting an access port in the network environment to a default port, and placing the first node in a pre-admission group.
  - 7. The method of claim 1, further comprising registering hooks based on the policy attribute group to select the at least one session attribute and the at least one external attribute included in the policy attribute group for the access control policy rule.

8. An apparatus, comprising:
- a memory element configured to store instructions; and
  
  a processor that executes the instructions, such that the apparatus is configured for;
  
  capturing session attributes associated with a session, wherein the session is initiated by a first node in an attempt to access a second node in a network environment;
  
  querying external attributes associated with the first node and the second node;
  
  deriving a response attribute according to an access control policy rule based on at least one of the session attributes and at least one of the external attributes that are included in a policy attribute group for the access control policy rule, wherein the policy attribute group includes one or more class of attributes used to define the access control policy rule; and
  
  applying the response attribute to the session.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, wherein the session attributes include RADIUS VSA information from an unknown vendor.
  - 10. The apparatus of claim 8, wherein the session attributes and the external attributes for a particular class of attributes comprise at least one selection from a group including:
    - a point of attachment, a health level of the first node, a user group of the first node, a device group of the first node, another device group of the second node, RADIUS attributes, and time of day.
  - 11. The apparatus of claim 8, further configured for a selection from activities including:
    - auditing the communication session, enforcing the response attribute, and ignoring the access control policy.
  - 12. The apparatus of claim 11, wherein enforcing the response attribute includes taking an access control action according to the response attribute.
  - 13. The apparatus of claim 12, wherein the access control action is selected from a group comprising:
    - allowing the first node to access a VLAN comprising the second node, allowing the first node to access a NAZ, allowing access to the first node according to an ACL, denying access to the second node, denying access to the network environment, setting an access port in the network environment to a default port, and placing the first node in a pre-admission group.
  - 14. The apparatus of claim 8, further comprising registering hooks based on the policy attribute group to select the at least one session attribute and the at least one external attribute included in the policy attribute group for the access control policy rule.

15. Logic encoded in non-transitory media that includes code for execution and when executed by a processor is operable to perform operations comprising:
- capturing session attributes associated with a session, wherein the session is initiated by a first node in an attempt to access a second node in a network environment;
  
  querying external attributes associated with the first node and the second node;
  
  deriving a response attribute according to an access control policy rule based on at least one of the session attributes and at least one of the external attributes that are included in a policy attribute group for the access control policy rule, wherein the policy attribute group includes one or more classes of attributes used to define the access control policy rule; and
  
  applying the response attribute to the session.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The logic of claim 15, wherein the session attributes include RADIUS VSA information from an unknown vendor.
  - 17. The logic of claim 15, wherein the session attributes and the external attributes for a particular class of attributes comprise at least one selection from a group including:
    - a point of attachment, a health level of the first node, a user group of the first node, a device group of the first node, another device group of the second node, RADIUS attributes, and time of day.
  - 18. The logic of claim 15, the operations further comprising a selection from activities including:
    - auditing the communication session, enforcing the response attribute, and ignoring the access control policy.
  - 19. The logic of claim 18, wherein enforcing the response attribute includes taking an access control action according to the response attribute.
  - 20. The logic of claim 19, wherein the access control action is selected from a group comprising:
    - allowing the first node to access a VLAN comprising the second node, allowing the first node to access a NAZ, allowing access to the first node according to an ACL, denying access to the second node, denying access to the network environment, setting an access port in the network environment to a default port, and placing the first node in a pre-admission group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Nedbal, Manuel, Ahluwalia, Manoj, Slate, Charles
Primary Examiner(s)
SALL, EL HADJI MALICK

Application Number

US13/417,154
Publication Number

US 20130246639A1
Time in Patent Office

963 Days
Field of Search

709/203, 709/217, 709/228, 726/3
US Class Current

709/228
CPC Class Codes

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/104   Grouping of entities

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

System and method for flexible network access control policies in a network environment

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

10 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for flexible network access control policies in a network environment

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links