Integration of network admission control functions in network access devices

US 9,071,611 B2
Filed: 02/23/2011
Issued: 06/30/2015
Est. Priority Date: 02/23/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a communication from an endpoint device at a network access device located within a data path between the endpoint device and a network;

identifying a network admission control policy for the endpoint device, wherein identifying said network admission control policy comprises receiving policy information from a network admission control manager in communication with the network;

enforcing at the network access device, said network admission control policy for traffic received from the endpoint device, wherein enforcing said network admission control policy at the network access device comprises utilizing a service template downloaded from the network admission control manager and locally configured at the network access device, the network admission control manager selecting the service template for the endpoint device and instructing the network access device to apply said service template to the endpoint device;

performing continuous profiling operations at the network access device to identify the endpoint device, wherein said network admission control policy is based on identification of the endpoint device; and

forwarding at the network access device, traffic from the endpoint device to the network, in accordance with said network admission control policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a method includes receiving a communication from an endpoint device at a network access device located within a data path between the endpoint device and a network, identifying a network admission control policy for the endpoint device, enforcing at the network access device, the network admission control policy for traffic received from the endpoint device, and forwarding at the network access device, traffic from the endpoint device to the network in accordance with the network admission control policy. An apparatus is also disclosed.

36 Citations

View as Search Results

19 Claims

1. A method comprising:
- receiving a communication from an endpoint device at a network access device located within a data path between the endpoint device and a network;
  
  identifying a network admission control policy for the endpoint device, wherein identifying said network admission control policy comprises receiving policy information from a network admission control manager in communication with the network;
  
  enforcing at the network access device, said network admission control policy for traffic received from the endpoint device, wherein enforcing said network admission control policy at the network access device comprises utilizing a service template downloaded from the network admission control manager and locally configured at the network access device, the network admission control manager selecting the service template for the endpoint device and instructing the network access device to apply said service template to the endpoint device;
  
  performing continuous profiling operations at the network access device to identify the endpoint device, wherein said network admission control policy is based on identification of the endpoint device; and
  
  forwarding at the network access device, traffic from the endpoint device to the network, in accordance with said network admission control policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein identifying said network admission control policy further comprises attempting to authenticate the endpoint device.
  - 3. The method of claim 1 wherein identifying said network admission control policy further comprises assessing a status of the endpoint device.
  - 4. The method of claim 1 wherein enforcing said network admission control policy is performed in hardware at the network access device.
  - 5. The method of claim 1 wherein the network access device is an access layer switch.
  - 6. The method of claim 1 wherein said network admission control policy is applied in a data path between the endpoint device and the network, at a point at which traffic enters the network.
  - 7. The method of claim 1 wherein said profiling is dynamically performed.
  - 8. The method of claim 1 wherein profiling comprises identifying the endpoint device based on a device type, a user role, and a location, and classifying the endpoint device based on rules receives from the network admission control manager.

9. An apparatus comprising:
- a forwarding engine for receiving traffic from an endpoint device and forwarding the traffic to a network; and
  
  a network admission control server for identifying a network admission control policy for the endpoint device and enforcing said network admission control policy for traffic received from the endpoint device;
  
  a profiler for performing continuous profiling operations at the network access device to identify the endpoint device, wherein said network admission control policy is based on identification of the endpoint device; and
  
  memory for storing said network admission control policy;
  
  wherein the apparatus is configured for operation within a data path between the endpoint device and the network, wherein identifying said network admission control policy comprises receiving policy information from a network admission control manager in communication with the network, and wherein enforcing said network admission control policy at the network access device comprises utilizing a service template downloaded from the network admission control manager and locally configured at the network access device, the network admission control manager selecting the service template for the endpoint device and instructing the network access device to apply said service template to the endpoint device.
- View Dependent Claims (10, 11, 12)
- - 10. The apparatus of claim 9 wherein enforcing said network admission control policy is performed in hardware.
  - 11. The apparatus of claim 9 wherein the network admission control server is operable to communicate with a network admission control manager for authentication of the endpoint device.
  - 12. The apparatus of claim 9 wherein the network admission control server is operable to communicate with an agent installed at the endpoint device to assess a status of the endpoint device.

13. An apparatus comprising:
- a forwarding engine for receiving traffic from an endpoint device and forwarding the traffic to a network;
  
  a profiler for identifying an endpoint device in communication with the apparatus and providing identification information for each of the endpoint devices in communication with the apparatus to a manager;
  
  a network admission control server for enforcing a network admission control policy for each of the endpoint devices in communication with the apparatus, said network admission control policy based on said identification information, wherein enforcing said network admission control policy at the network access device comprises utilizing a service template downloaded from the network admission control manager and locally configured at the network access device, the network admission control manager selecting the service template for the endpoint device and instructing the network access device to apply said service template to the endpoint device; and
  
  memory for storing said identification information;
  
  wherein the apparatus is configured for operation within a data path between the endpoint device and the network.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The apparatus of claim 13 wherein identification of the endpoint device is performed in hardware.
  - 15. The apparatus of claim 13 further comprising a network admission control server for enforcing a network admission control policy for each of the endpoint devices in communication with the apparatus, said network admission control policy based on said identification information.
  - 16. The apparatus of claim 13 wherein the profiler is operable to update said identification information based on data received from the endpoint device.
  - 17. The apparatus of claim 13 wherein the apparatus is configured to perform deep packet inspection for use in identifying a type of endpoint device.
  - 18. The apparatus of claim 13 wherein the profiler is operable to continuously review traffic transmitted to the network access device from the endpoint device.
  - 19. The apparatus of claim 13 wherein the profiler is configured to inspect all traffic transmitted from the endpoint device to the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Yadav, Navindra, Mahamuni, Atul, Ozakil, Azim, Akyol, Bora A., Feng, Peirong, Enderwick, Thomas J., Joseph, Aji, Kumar, Shashi, Valliappan, Sambasivam
Primary Examiner(s)
PEARSON, DAVID J

Application Number

US12/932,456
Publication Number

US 20120216239A1
Time in Patent Office

1,588 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0892   by using authentication-aut...

H04L 63/102   Entity profiles

Integration of network admission control functions in network access devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

36 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Integration of network admission control functions in network access devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others