System and method for identity based authentication in a distributed virtual switch network environment

US 8,893,258 B2
Filed: 06/11/2012
Issued: 11/18/2014
Est. Priority Date: 06/11/2012
Status: Active Grant

First Claim

Patent Images

1. A method executed by a network access control (NAC) in a distributed virtual switch (DVS) network environment, comprising:

forwarding user credentials from a virtual machine (VM) in the DVS network environment to a network element located outside the DVS network environment, wherein the user credentials relate to a user attempting to access the VM, wherein a plurality of tenants subscribe to one or more VMs hosted in the DVS network and the tenants share underlying infrastructure of the DVS network, wherein each tenant controls a separate NAC and a separate network element that can assure security of user authentication relevant to the tenant;

receiving a user policy at the NAC from the network element, wherein the network element is configured with the user policy by a tenant controlling the NAC and the network element; and

facilitating enforcement of the user policy within the DVS network environment.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An example method includes forwarding user credentials from a virtual machine in a distributed virtual switch (DVS) network environment to a network element outside the DVS network environment, receiving a user policy from the AAA server, and facilitating enforcement of the user policy within the DVS network environment. The user credentials may relate to a user attempting to access the VM. In a specific embodiment, the user credentials are provided in a 802.1X packet. In a particular embodiment, a network access control (NAC) in the DVS network environment forwards the user credentials, receives the user policy, and facilitates the enforcement of the user policy. In one embodiment, the NAC is provisioned as another VM in the DVS network environment.

26 Citations

View as Search Results

20 Claims

1. A method executed by a network access control (NAC) in a distributed virtual switch (DVS) network environment, comprising:
- forwarding user credentials from a virtual machine (VM) in the DVS network environment to a network element located outside the DVS network environment, wherein the user credentials relate to a user attempting to access the VM, wherein a plurality of tenants subscribe to one or more VMs hosted in the DVS network and the tenants share underlying infrastructure of the DVS network, wherein each tenant controls a separate NAC and a separate network element that can assure security of user authentication relevant to the tenant;
  
  receiving a user policy at the NAC from the network element, wherein the network element is configured with the user policy by a tenant controlling the NAC and the network element; and
  
  facilitating enforcement of the user policy within the DVS network environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the user credentials are provided in a 802.1X packet, and wherein the network element is an Authentication, Authorization, and Accounting (AAA) server.
  - 3. The method of claim 1, wherein the user policy includes information related to access control lists (ACLs), virtual local area networks (VLANs), virtual eXtensible local area networks (VXLANs), and security groups that are authorized to be accessed by the user.
  - 4. The method of claim 1, wherein the user policy comprises network configuration information based on the user credentials, including user profiling, user workspace management, and user identity management.
  - 5. The method of claim 1, wherein the network access control (NAC) in the DVS network environment facilitates the enforcement of the user policy through a vPath module that runs virtualized services in the DVS network, wherein the vPath intercepts new flows and forwards a packet of each new flow to a virtual security gateway (VSG) that applies appropriate policies from the user policy and sends a policy decision to the vPath, wherein the vPath caches the policy decision and enforces the policy decision for subsequent packets of the flows.
  - 6. The method of claim 5, wherein the NAC is provisioned as another VM in the DVS network environment.
  - 7. The method of claim 5, wherein the network element is located at another network controlled by the tenant.
  - 8. The method of claim 1, wherein facilitating enforcement of the user policy comprises forwarding the user policy to a virtual Ethernet module (VEM) that can enforce the user policy.

9. Logic encoded in non-transitory media that includes instructions for execution and when executed by a processor, is operable to perform operations comprising:
- forwarding, by a NAC in the DVS, user credentials from a VM in a DVS network environment to a network element outside the DVS network environment, wherein the user credentials relate to a user attempting to access the VM, wherein a plurality of tenants subscribe to one or more VMs hosted in the DVS network and the tenants share underlying infrastructure of the DVS network, wherein each tenant controls a separate NAC and a separate network element that can assure security of user authentication relevant to the tenant;
  
  receiving a user policy at the NAC from the network element, wherein the network element is configured with the user policy by a tenant controlling the NAC and the network element; and
  
  facilitating enforcement of the user policy within the DVS network environment.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The logic of claim 9, wherein the user credentials are provided in a 802.1X packet, and wherein the network element is an Authentication, Authorization, and Accounting (AAA) server.
  - 11. The logic of claim 9, wherein the user policy includes information related to ACLs, VLANs, VXLANs, and security groups that are authorized to be accessed by the user.
  - 12. The logic of claim 9, wherein the NAC facilitates the enforcement of the user policy through a vPath module that runs virtualized services in the DVS network, wherein the vPath intercepts new flows and forwards a packet of each new flow to a virtual security gateway (VSG) that applies appropriate policies from the user policy and sends a policy decision to the vPath, wherein the vPath caches the policy decision and enforces the policy decision for subsequent packets of the flows.
  - 13. The logic of claim 12, wherein the NAC is provisioned as another VM in the DVS network environment.
  - 14. The logic of claim 12, wherein the network element is located at another network controlled by the tenant.

15. An apparatus, comprising:
- a memory element for storing data; and
  
  a processor that executes instructions associated with the data, wherein the processor and the memory element cooperate, such that the apparatus is configured to;
  
  forward user credentials, by a NAC in a DVS network environment to a network element outside the DVS network environment, wherein the user credentials relate to a user attempting to access a virtual machine (VM), wherein a plurality of tenants subscribe to one or more VMs hosted in the DVS network and the tenants share underlying infrastructure of the DVS network, wherein each tenant controls a separate NAC and a separate network element that can assure security of user authentication relevant to the tenant;
  
  receive a user policy at the NAC from the network element, wherein the network element is configured with the user policy by a tenant controlling the NAC and the network element; and
  
  facilitate enforcement of the user policy within the DVS network environment.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The apparatus of claim 15, wherein the user credentials are provided in a 802.1X packet, and wherein the network element is an Authentication, Authorization, and Accounting (AAA) server.
  - 17. The apparatus of claim 15, wherein the user policy includes information related to ACLs, VLANs, VXLANs, and security groups that are authorized to be accessed by the user.
  - 18. The apparatus of claim 15, wherein the NAC facilitates the enforcement of the user policy through a vPath module that runs virtualized services in the DVS network, wherein the vPath intercepts new flows and forwards a packet of each new flow to a virtual security gateway (VSG) that applies appropriate policies from the user policy and sends a policy decision to the vPath, wherein the vPath caches the policy decision and enforces the policy decision for subsequent packets of the flows.
  - 19. The apparatus of claim 18, wherein the NAC is provisioned as another VM in the DVS network environment.
  - 20. The apparatus of claim 18, wherein the network element is located at another network controlled by the tenant.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Rao, Sudarshana Kandachar Sridhara, Fernandes, Lilian Sylvia
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US13/493,642
Publication Number

US 20130332982A1
Time in Patent Office

890 Days
Field of Search

None
US Class Current

726/14
CPC Class Codes

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/08   for authentication of entit...

H04L 63/0892   by using authentication-aut...

H04L 63/20   for managing network securi...

System and method for identity based authentication in a distributed virtual switch network environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

26 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

System and method for identity based authentication in a distributed virtual switch network environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others