Provisioning layer two network access for mobile devices

US 8,990,891 B1
Filed: 06/22/2011
Issued: 03/24/2015
Est. Priority Date: 04/19/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

establishing, with a network device positioned in a public network, a session with a mobile device via a first interface of the mobile device;

requesting, with the network device, security state data identifying a security state of the mobile device via the established session;

receiving, with the network device, a mobile device identifier and the security state data from the mobile device via the session, wherein the mobile device identifier identifies a second interface of the mobile device that is used for communicating with a private network;

publishing the security state information to a database such that the security state information is associated with the mobile device identifier;

prior to establishing a layer three session with the private network, receiving, with an authentication device, an authentication request from a wireless access point in an attempt by the wireless access point to authenticate the mobile device to locally access a layer two of the private network wirelessly;

based on the authentication request, determining the mobile device identifier that identifies the mobile device with the authentication device;

retrieving the security state data associated with the determined mobile device identifier from the database;

determining, with the authentication device, a level of access to the layer two of the private network permitted to the mobile device based on the retrieved security state data; and

prior to establishing the layer three session with the private network, transmitting the level of access to the wireless access point so that the wireless access point enforces, with respect to communications sent to and received from the mobile device, the level of access determined by the authentication device.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In general, techniques are described for provisioning layer two access in computer networks. A network device located in a public network comprising an interface and a control unit may implement the techniques. The interface establishes a session with a mobile device. The control unit requests security state data identifying a security state of the mobile device via the established session. The interface receives a mobile device identifier and the security state data from the mobile device via the session. The mobile device identifier identifies the mobile device. The control unit publishes the security state information to a database such that the security state information is associated with the mobile device identifier.

83 Citations

View as Search Results

55 Claims

1. A method comprising:
- establishing, with a network device positioned in a public network, a session with a mobile device via a first interface of the mobile device;
  
  requesting, with the network device, security state data identifying a security state of the mobile device via the established session;
  
  receiving, with the network device, a mobile device identifier and the security state data from the mobile device via the session, wherein the mobile device identifier identifies a second interface of the mobile device that is used for communicating with a private network;
  
  publishing the security state information to a database such that the security state information is associated with the mobile device identifier;
  
  prior to establishing a layer three session with the private network, receiving, with an authentication device, an authentication request from a wireless access point in an attempt by the wireless access point to authenticate the mobile device to locally access a layer two of the private network wirelessly;
  
  based on the authentication request, determining the mobile device identifier that identifies the mobile device with the authentication device;
  
  retrieving the security state data associated with the determined mobile device identifier from the database;
  
  determining, with the authentication device, a level of access to the layer two of the private network permitted to the mobile device based on the retrieved security state data; and
  
  prior to establishing the layer three session with the private network, transmitting the level of access to the wireless access point so that the wireless access point enforces, with respect to communications sent to and received from the mobile device, the level of access determined by the authentication device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, further comprising:
    - determining configuration data to configure one or more security modules executing on the mobile device, wherein the configuration data specifies whether one or more security features provided by the one or more security modules executing on the mobile device are enabled, and wherein the security features include one or more of anti-virus, anti-malware, anti-spam, firewall, theft protection, and monitor and control security features; and
      
      transmitting the configuration data to the mobile device via the session to configure the one or more security modules executing on the mobile device to enable those of the security features identified by the configuration data.
  - 3. The method of claim 2, wherein determining the configuration data comprises:
    - identifying an enterprise security policy associated with the mobile device identifier; and
      
      determining the configuration data based on the identified enterprise security policy associated with the mobile device identifier.
  - 4. The method of claim 2, further comprising publishing the configuration data to the database such that the configuration data is associated with the mobile device identifier.
  - 5. The method of claim 1, further comprising:
    - determining whether the mobile device has previously registered with the network device;
      
      in response to determining that the mobile device has not previously registered with the network device, creating a profile for the mobile device identified by the mobile device identifier;
      
      determining configuration data to configure one or more security modules executing on the mobile device, wherein the configuration data specifies whether one or more security features provided by the one or more security modules executing on the mobile device are enabled;
      
      transmitting the configuration data to the mobile device via the session to configure the one or more security modules executing on the mobile device to enable those of the security features identified by the configuration data;
      
      storing the configuration data to the profile;
      
      storing the security state data to the profile; and
      
      publishing the profile to the database.
  - 6. The method of claim 5, further comprising transmitting 802.1X configuration settings to the mobile device via the session to configure an 802.1X supplicant module on the mobile device,wherein the profile published to the database includes information describing the 802.1X configuration settings, andwherein the information describing the 802.1X configuration settings comprises one or more of an identifier of an X.509 certificate and a username.
  - 7. The method of claim 1,wherein the first interface comprises a wireless network interface,wherein the second interface comprises a cellular interface, andwherein the mobile device identifier comprises a layer 2 address associated with the wireless network interface of the mobile device that is different from the cellular interface of the mobile device used to communicate via with the public network.
  - 8. The method of claim 1, wherein the mobile device identifier comprises one or more of a Media Access Control (MAC) address, an identifier of an X.509 certificate, credentials to be used for 802.1X authentication, and a username.
  - 9. The method of claim 1, wherein the database comprises an Interface for Metadata Access Point (IF-MAP) server.
  - 10. The method of claim 1, further comprising:
    - receiving registration information from the mobile device via the public network, wherein the registration information registers the mobile device with the network device; and
      
      registering the mobile device with the network device based on the registration information,wherein requesting security state data comprises, after successfully registering the mobile device with the network device, requesting the security state data identifying the security state of the mobile device.
  - 11. The method of claim 1, wherein the security state data includes one or more of an 802.1X configuration to be applied to the native 802.1X supplicant on the mobile device, information about one or more of active viruses and malware present on the mobile device, information about a hardware platform of the mobile device and a state of one or more of an operating system executed by the mobile device, anti-virus software executed by the mobile device, anti-spam software executed by the mobile device, anti-malware software executed by the mobile device and firewall software executed by the mobile device.
  - 12. The method of claim 1,wherein the database is accessed using interface for metadata access point (IF-MAP), andwherein retrieving security state data comprises:
    - generating an IF-MAP query formulated in accordance with the IF-MAP specification that requests any security state data associated with the determined MAC address;
      
      transmitting the IF-MAP query to the IF-MAP database; and
      
      receiving an IF-MAP message in response to the IF-MAP query providing the security state data associated with the determined MAC address.
  - 13. The method of claim 1, further comprising publishing, with the authentication device, a request-for-information to the database so as to provoke the network device to obtain and publish updated security state data.
  - 14. The method of claim 12, further comprising:
    - subscribing, with the authentication device, to the database for changes to the updated security state data;
      
      in response to changes to the updated security state data, determining, with the authentication device, a new level of access; and
      
      transmitting the new level of access to the wireless access point so that the wireless access point enforces, with respect to communications sent to and received from the mobile device, the new level of access determined by the authentication device.
  - 15. The method of claim 1, further comprising:
    - retrieving, with the authentication device, a profile created by the network device from the database that associates the mobile device identifier with the security state data and configuration data used to configure one or more security modules executing on the mobile device, wherein the configuration data specifies whether one or more security features provided by the one or more security modules executing on the mobile device are enabled; and
      
      determining, with the authentication device, the level of layer two access to the layer two private network permitted to the mobile device based on the retrieved profile.
  - 16. The method of claim 1, wherein the authentication device comprises a remote authentication dial-in user service (RADIUS) server.
  - 17. The method of claim 1, wherein the authentication device performs one or more of MAC authentication of the mobile device and 802.1X authentication of the mobile device.

18. A network device located in a public network, the network device comprising:
- at least one interface that establishes a session with a mobile device via a first interface of the mobile device; and
  
  a control unit that requests security state data identifying a security state of the mobile device via the established session,wherein the at least one interface receives a mobile device identifier and the security state data from the mobile device via the session, wherein the mobile device identifier identifies a second interface of the mobile device that is used for communicating with a private network, andwherein the control unit publishes the security state information to a database such that the security state information is associated with the mobile device identifier and such that the security state information is accessible by an authentication device located in the private network so that the authentication device is able to, based on the security state information, authenticate the mobile device to access a layer two of the private network prior to the mobile device establishing a layer three session with the private network.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 19. The network device of claim 18,wherein the control unit further determines configuration data to configure one or more security modules executing on the mobile device, wherein the configuration data specifies whether one or more security features provided by the one or more security modules executing on the mobile device are enabled, and wherein the security features include one or more of anti-virus, anti-malware, anti-spam, firewall, theft protection, and monitor and control security features, andwherein the at least one interface transmits the configuration data to the mobile device via the session to configure the one or more security modules executing on the mobile device to enable those of the security features identified by the configuration data.
  - 20. The network device of claim 19, wherein the control unit further identifies an enterprise security policy associated with the mobile device identifier, and determines the configuration data based on the identified enterprise security policy associated with the mobile device identifier.
  - 21. The network device of claim 19, wherein the control unit publishes the configuration data to the database such that the configuration data is associated with the mobile device identifier.
  - 22. The network device of claim 18,wherein the control unit further determines whether the mobile device has previously registered with the network device, in response to determining that the mobile device has not previously registered with the network device, creates a profile for the mobile device identified by the mobile device identifier, determines configuration data to configure one or more security modules executing on the mobile device, wherein the configuration data specifies whether one or more security features provided by the one or more security modules executing on the mobile device are enabled,wherein the at least one interface transmits the configuration data to the mobile device via the session to configure the one or more security modules executing on the mobile device to enable those of the security features identified by the configuration data, andwherein the control unit further stores the configuration data to the profile, stores the security state data to the profile and publishes the profile to the database.
  - 23. The network device of claim 22, wherein the at least one interface transmits 802.1X configuration settings to the mobile device via the session to configure an 802.1X supplicant module on the mobile device,wherein the profile published to the database includes information describing the 802.1X configuration settings, andwherein the information describing the 802.1X configuration settings comprises one or more of an identifier of an X.509 certificate and a username.
  - 24. The network device of claim 18,wherein the first interface comprises a wireless network interface,wherein the second interface comprises a cellular interface, andwherein the mobile device identifier comprises a layer 2 address associated with the wireless network interface of the mobile device that is different from the cellular interface of the mobile device used to communicate with the public network.
  - 25. The network device of claim 18, wherein the mobile device identifier comprises one or more of a Media Access Control (MAC) address, an identifier of an X.509 certificate, credentials to be used for 802.1X authentication, and a username.
  - 26. The network device of claim 18, wherein the database comprises an Interface for Metadata Access Point (IF-MAP) server.
  - 27. The network device of claim 18,wherein the at least one interface receives registration information from the mobile device, wherein the registration information registers the mobile device with the network device, andwherein the control unit further registers the mobile device with the network device based on the registration information and, after successfully registering the mobile device with the network device, requests the security state data identifying the security state of the mobile device.
  - 28. The network device of claim 18, wherein the security state data includes one or more of an 802.1X configuration to be applied to the native 802.1X supplicant on the mobile device, information about one or more of active viruses and malware present on the mobile device, information about a hardware platform of the mobile device and a state of one or more of an operating system executed by the mobile device, anti-virus software executed by the mobile device, anti-spam software executed by the mobile device, anti-malware software executed by the mobile device and firewall software executed by the mobile device.

29. A network system comprising:
- a mobile device;
  
  a database;
  
  a public network that includes a network device, anda private network that includes an authentication device and a wireless access point,wherein the network device comprises;
  
  at least one interface that establishes a session with a first interface of the mobile device; and
  
  a control unit that requests security state data identifying a security state of the mobile device via the established session,wherein the at least one interface of the network device receives a mobile device identifier and the security state data from the mobile device via the session, wherein the mobile device identifier identifies a second interface of the mobile device used for communicating with the private network,wherein the control unit of the network device publishes the security state information to a database such that the security state information is associated with the mobile device identifier,wherein the authentication device comprises;
  
  at least one interface that receives an authentication request from the wireless access point in an attempt by the wireless access point to, prior to the mobile device establishing a layer three session with the wireless access point, authenticate the mobile device to locally access a layer two of the private network wirelessly; and
  
  a control unit that, based on the authentication request, determines the mobile device identifier that identifies the mobile device with the authentication device, retrieves the security state data associated with the determined mobile device identifier from the database, determines a level of access to the layer two of the private network permitted to the mobile device based on the retrieved security state data, andwherein the at least one interface of the authentication device transmits the level of access to the wireless access point so that the wireless access point enforces, with respect to communications sent to and received from the mobile device, the level of access determined by the authentication device.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45)
- - 30. The network system of claim 29,wherein the control unit of the network device further determines configuration data to configure one or more security modules executing on the mobile device, wherein the configuration data specifies whether one or more security features provided by the one or more security modules executing on the mobile device are enabled, and wherein the security features include one or more of anti-virus, anti-malware, anti-spam, firewall, theft protection, and monitor and control security features, andwherein the at least one interface of the network device transmits the configuration data to the mobile device via the session to configure the one or more security modules executing on the mobile device to enable those of the security features identified by the configuration data.
  - 31. The network system of claim 30, wherein the control unit of the network device further identifies an enterprise security policy associated with the mobile device identifier, and determines the configuration data based on the identified enterprise security policy associated with the mobile device identifier.
  - 32. The network system of claim 30, wherein the control unit of the network device publishes the configuration data to the database such that the configuration data is associated with the mobile device identifier.
  - 33. The network system of claim 29,wherein the control unit of the network device further determines whether the mobile device has previously registered with the network device, in response to determining that the mobile device has not previously registered with the network device, creates a profile for the mobile device identified by the mobile device identifier, determines configuration data to configure one or more security modules executing on the mobile device, wherein the configuration data specifies whether one or more security features provided by the one or more security modules executing on the mobile device are enabled,wherein the at least one interface of the network device transmits the configuration data to the mobile device via the session to configure the one or more security modules executing on the mobile device to enable those of the security features identified by the configuration data, andwherein the control unit of the network device further stores the configuration data to the profile, stores the security state data to the profile and publishes the profile to the database.
  - 34. The network system of claim 33, wherein the at least one interface of the network device transmits 802.1X configuration settings to the mobile device via the session to configure an 802.1X supplicant module on the mobile device,wherein the profile published to the database includes information describing the 802.1X configuration settings, andwherein the information describing the 802.1X configuration settings comprises one or more of an identifier of an X.509 certificate and a username.
  - 35. The network system of claim 29,wherein the first interface comprises a wireless network interface,wherein the second interface comprises a cellular interface, andwherein the mobile device identifier comprises a layer 2 address associated with the wireless network interface of the mobile device that is different from the cellular interface of the mobile device used to communicate with the public network.
  - 36. The network system of claim 29, wherein the mobile device identifier comprises one or more of a Media Access Control (MAC) address, an identifier of an X.509 certificate, credentials to be used for 802.1X authentication, and a username.
  - 37. The network system of claim 29, wherein the database comprises an Interface for Metadata Access Point (IF-MAP) server.
  - 38. The network system of claim 29,wherein the at least one interface of the network device receives registration information from the mobile device, wherein the registration information registers the mobile device with the network device, andwherein the control unit of the network device further registers the mobile device with the network device based on the registration information and, after successfully registering the mobile device with the network device, requests the security state data identifying the security state of the mobile device.
  - 39. The network system of claim 29, wherein the security state data includes one or more of an 802.1X configuration to be applied to the native 802.1X supplicant on the mobile device, information about one or more of active viruses and malware present on the mobile device, the identity of a user operating the mobile device, information about a hardware platform of the mobile device and a state of one or more of an operating system executed by the mobile device, anti-virus software executed by the mobile device, anti-spam software executed by the mobile device, anti-malware software executed by the mobile device and firewall software executed by the mobile device.
  - 40. The network system of claim 29,wherein the database is accessed using interface for metadata access point (IF-MAP),wherein the control unit of the authentication device further generates an IF-MAP query formulated in accordance with the IF-MAP specification that requests any security state data associated with the determined MAC address,wherein the at least one interface of the authentication device transmits the IF-MAP query to the IF-MAP database, and receives an IF-MAP message in response to the IF-MAP query providing the security state data associated with the determined MAC address.
  - 41. The network system of claim 29, wherein the control unit of the authentication device publishes a request-for-information to the database so as to provoke the network device to obtain and publish updated security state data.
  - 42. The network system of claim 29,wherein the control unit of the authentication device further subscribes to the database for changes to the updated security state data and,in response to changes to the updated security state data, determines a new level of access, andwherein the at least one interface of the authentication device transmits the new level of access to the wireless access point so that the wireless access point enforces, with respect to communications sent to and received from the mobile device, the new level of access determined by the authentication device.
  - 43. The network system of claim 29, wherein the control unit of the authentication device retrieves a profile created by the network device from the database that associates the mobile device identifier with the security state data and configuration data used to configure one or more security modules executing on the mobile device, wherein the configuration data specifies whether one or more security features provided by the one or more security modules executing on the mobile device are enabled and determines the level of access to the private network permitted to the mobile device based on the retrieved profile.
  - 44. The network system of claim 29, wherein the authentication device comprises a remote authentication dial-in user service (RADIUS) server.
  - 45. The network system of claim 29, wherein the authentication device performs one or more of MAC authentication of the mobile device and 802.1X authentication of the mobile device.

46. A non-transitory computer-readable medium comprising instructions that, when executed, cause one or more processors to:
- establish, with a network device positioned in a public network, a session with a mobile device via a first interface of the mobile device;
  
  request, with the network device, security state data identifying a security state of the mobile device via the established session;
  
  receive, with the network device, a mobile device identifier and the security state data from the mobile device via the session, wherein the mobile device identifier identifies a second interface of the mobile device that is used to communicate with a private network; and
  
  publish the security state information to a database such that the security state information is associated with the mobile device identifier and such that the security state information is accessible by an authentication device located in the private network so that the authentication device is able to, based on the security state information, authenticate the mobile device to access the private network prior to the mobile device establish a layer three session with the private network.
- View Dependent Claims (47, 48, 49, 50, 51, 52, 53, 54, 55)
- - 47. The non-transitory computer-readable medium of claim 46, further comprising instructions that, when executed, cause the one or more processors to:
    - determine configuration data to configure one or more security modules executing on the mobile device, wherein the configuration data specifies whether one or more security features provided by the one or more security modules executing on the mobile device are enabled, and wherein the security features include one or more of anti-virus, anti-malware, anti-spam, firewall, theft protection, and monitor and control security features; and
      
      transmit the configuration data to the mobile device via the session to configure the one or more security modules executing on the mobile device to enable those of the security features identified by the configuration data.
  - 48. The non-transitory computer-readable medium of claim 47, further comprising instructions that, when executed, cause the one or more processors to:
    - identify an enterprise security policy associated with the mobile device identifier; and
      
      determine the configuration data based on the identified enterprise security policy associated with the mobile device identifier.
  - 49. The non-transitory computer-readable medium of claim 47, further comprising instructions that, when executed, cause the one or more processors to publish the configuration data to the database such that the configuration data is associated with the mobile device identifier.
  - 50. The non-transitory computer-readable medium of claim 46, further comprising instructions that, when executed, cause the one or more processors to:
    - determine whether the mobile device has previously registered with the network device;
      
      in response to determining that the mobile device has not previously registered with the network device, create a profile for the mobile device identified by the mobile device identifier;
      
      determine configuration data to configure one or more security modules executing on the mobile device, wherein the configuration data specifies whether one or more security features provided by the one or more security modules executing on the mobile device are enabled;
      
      transmit the configuration data to the mobile device via the session to configure the one or more security modules executing on the mobile device to enable those of the security features identified by the configuration data;
      
      store the configuration data to the profile;
      
      store the security state data to the profile; and
      
      publish the profile to the database.
  - 51. The non-transitory computer-readable medium of claim 50, further comprising instructions that, when executed, cause the one or more processors to transmit 802.1X configuration settings to the mobile device via the session to configure an 802.1X supplicant module on the mobile device,wherein the profile published to the database includes information describing the 802.1X configuration settings, andwherein the information describing the 802.1X configuration settings comprises one or more of an identifier of an X.509 certificate and a username.
  - 52. The non-transitory computer-readable medium of claim 46,wherein the first interface comprises a wireless network interface,wherein the second interface comprises a cellular interface, andwherein the mobile device identifier comprises a layer 2 address associated with the wireless network interface of the mobile device that is different from the cellular interface of the mobile device used to communicate via with the public network.
  - 53. The non-transitory computer-readable medium of claim 46, wherein the mobile device identifier comprises one or more of a Media Access Control (MAC) address, an identifier of an X.509 certificate, credentials to be used for 802.1X authentication, and a username.
  - 54. The non-transitory computer-readable medium of claim 46, further comprising instructions that, when executed, cause the one or more processors to:
    - receive registration information from the mobile device via the public network, wherein the registration information registers the mobile device with the network device;
      
      register the mobile device with the network device based on the registration information; and
      
      after successfully registering the mobile device with the network device, request the security state data identifying the security state of the mobile device.
  - 55. The non-transitory computer-readable medium of claim 46, wherein the security state data includes one or more of an 802.1X configuration to be applied to the native 802.1X supplicant on the mobile device, information about one or more of active viruses and malware present on the mobile device, the identity of a user operating the mobile device, information about a hardware platform of the mobile device and a state of one or more of an operating system executed by the mobile device, anti-virus software executed by the mobile device, anti-spam software executed by the mobile device, anti-malware software executed by the mobile device and firewall software executed by the mobile device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Original Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Inventors
Chickering, Roger A., Venable, Jeffrey C. Sr.
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
LEUNG, ROBERT B

Application Number

US13/166,376
Time in Patent Office

1,371 Days
Field of Search
US Class Current

726/3
CPC Class Codes

G06F 21/74   operating in dual or compar...

G06F 21/85   interconnection devices, e....

G06F 2221/2105   Dual mode as a secondary as...

H04L 63/0272   Virtual private networks

H04L 63/0876   based on the identity of th...

H04L 63/0884   by delegation of authentica...

H04L 63/0892   by using authentication-aut...

H04L 63/105   Multiple levels of security

H04L 63/162   at the data link layer

H04L 63/164   at the network layer

H04W 12/062   Pre-authentication

H04W 12/068   using credential vaults, e....

H04W 12/069   using certificates or pre-s...

Provisioning layer two network access for mobile devices

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

83 Citations

55 Claims

Specification

Solutions

Use Cases

Quick Links

Provisioning layer two network access for mobile devices

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

83 Citations

55 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links