Enabling dynamic authentication with different protocols on the same port for a switch
Abstract
The invention enables a client device that does not support IEEE 802.1X authentication to access at least some resources provided through a switch that supports 802.1X authentication, by using dynamic authentication with different protocols. When the client device attempts to join a network, the switch monitors for an 802.1X authentication message from the client device. In one embodiment, if the client fails to send an 802.1X authentication message or to respond to an 802.1X request from the switch, or if a predefined failure condition is detected, the client may be deemed incapable of supporting 802.1X authentication. In one embodiment, the client may initially be placed on a quarantine VLAN after it is determined that the client has failed to perform an 802.1X authentication within a backoff time limit. However, the client may still gain access to resources based on various non-802.1X authentication mechanisms, including names/passwords, digital certificates, or the like.
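The per-port decision the abstract describes can be modelled as a small state machine: watch the port for EAPOL (802.1X) frames during a backoff window, enable 802.1X and evaluate the first policy if the client proves capable, and otherwise leave the client on the quarantine VLAN where only the second, non-802.1X mechanism and its narrower policy apply. The following is an added illustration, not the patent's or any switch vendor's code; the 30-second backoff, the VLAN names, the resource sets, the MAC addresses and the stub authenticators are all constructed assumptions. It also covers two edge cases the text implies: an EAPOL frame that arrives after the backoff window does not count as capability, and a client that is 802.1X-capable but fails authentication does not get the fallback path.

```python
"""Model of dynamic per-port authentication with two protocols (added example).

Constructed for illustration only: VLAN names, backoff, resource sets and the
stub authentication back ends are assumptions, not the patent's own values.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable

EAPOL_ETHERTYPE = 0x888E        # EtherType carried by IEEE 802.1X EAPOL frames
IPV4_ETHERTYPE = 0x0800
BACKOFF_SECONDS = 30.0          # assumed backoff limit for an 802.1X attempt
QUARANTINE_VLAN = "quarantine"  # assumed name of the default-deny VLAN


class AuthProto(Enum):
    NONE = "none"
    DOT1X = "802.1X"               # first authentication protocol
    CREDENTIALS = "name/password"  # second, non-802.1X protocol


@dataclass(frozen=True)
class Frame:
    src_mac: str
    ethertype: int
    seconds_since_linkup: float


@dataclass
class PortState:
    vlan: str = QUARANTINE_VLAN
    dot1x_enabled: bool = False
    proto: AuthProto = AuthProto.NONE
    allowed: frozenset = frozenset()  # resources granted by whichever policy applied


def client_supports_dot1x(frames: Iterable[Frame], client_mac: str,
                          backoff: float = BACKOFF_SECONDS) -> bool:
    """Capability check: did the client send any EAPOL frame inside the backoff window?"""
    return any(f.src_mac == client_mac and f.ethertype == EAPOL_ETHERTYPE
               and f.seconds_since_linkup <= backoff for f in frames)


def first_policy(client_mac: str) -> frozenset:
    """Policy evaluated after a successful 802.1X authentication (assumed resource set)."""
    return frozenset({"file-server", "printers", "internet"})


def second_policy(client_mac: str) -> frozenset:
    """Policy evaluated after a successful non-802.1X authentication; narrower on purpose."""
    return frozenset({"printers", "internet"})


def authorize_port(frames: Iterable[Frame], client_mac: str,
                   dot1x_auth: Callable[[str], bool],
                   fallback_auth: Callable[[str], bool]) -> PortState:
    """Decide VLAN and resources for one client on one port.

    Every client starts on the quarantine VLAN with nothing allowed. The
    fallback protocol is offered only to clients deemed *incapable* of 802.1X;
    a capable client that fails 802.1X simply stays quarantined.
    """
    state = PortState()
    if client_supports_dot1x(frames, client_mac):
        state.dot1x_enabled = True          # enable the first protocol on the port
        if dot1x_auth(client_mac):
            state.proto = AuthProto.DOT1X
            state.vlan = "corp"             # assumed production VLAN name
            state.allowed = first_policy(client_mac)
        return state
    if fallback_auth(client_mac):           # second protocol, second policy
        state.proto = AuthProto.CREDENTIALS
        state.vlan = "restricted"           # assumed limited-access VLAN name
        state.allowed = second_policy(client_mac)
    return state


# Constructed sample traffic seen on one port: a laptop that speaks EAPOL, a
# printer that only ever sends IPv4, and a device whose EAPOL arrives too late.
SAMPLE_FRAMES = [
    Frame("aa:aa:aa:00:00:01", EAPOL_ETHERTYPE, 1.5),   # laptop: EAPOL-Start
    Frame("bb:bb:bb:00:00:02", IPV4_ETHERTYPE, 2.0),    # printer: plain IPv4
    Frame("bb:bb:bb:00:00:02", IPV4_ETHERTYPE, 12.0),
    Frame("cc:cc:cc:00:00:03", EAPOL_ETHERTYPE, 45.0),  # EAPOL after the backoff window
]

# Stub back ends standing in for the 802.1X and credential authenticators (assumed).
KNOWN_DOT1X = {"aa:aa:aa:00:00:01"}
KNOWN_CREDENTIALS = {"bb:bb:bb:00:00:02"}


def stub_dot1x_auth(mac: str) -> bool:
    return mac in KNOWN_DOT1X


def stub_fallback_auth(mac: str) -> bool:
    return mac in KNOWN_CREDENTIALS


def demo() -> dict:
    """Run the decision for each sample client and return the resulting port states."""
    return {mac: authorize_port(SAMPLE_FRAMES, mac, stub_dot1x_auth, stub_fallback_auth)
            for mac in ("aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03")}


if __name__ == "__main__":
    for mac, st in demo().items():
        print(mac, st.proto.value, st.vlan, sorted(st.allowed))
```

The important property for a reviewer is that both policy paths start from the quarantine VLAN: neither the absence of EAPOL nor a failed 802.1X exchange ever widens access, and the second policy is reachable only through the fallback authenticator.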
58 Citations
23 Claims

1. One or more non-transitory media comprising code for execution and when executed, causes one or more processors to:
- monitor network traffic associated with a port of a network device;
- determine whether the network traffic associated with the port and a client device indicates the client device is capable of using a first authentication protocol to attempt authentication via the network device;
- enable the first authentication protocol on the port of the network device if the client device is determined to be capable of using the first authentication protocol to attempt authentication via the network device; and
- evaluate a first policy to determine whether to grant access to a network resource associated with a first local area network, wherein the first policy is evaluated if the client device is authenticated using the first authentication protocol after the first authentication protocol is enabled on the network device, and wherein, if the client device is not capable of using the first authentication protocol and is authenticated using a second authentication protocol that is different than the first authentication protocol, then a second policy is evaluated to determine whether to grant access to the network resource.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.

13. A method, comprising:
- monitoring network traffic associated with a port of a network device;
- determining whether the network traffic associated with the port and a client device indicates the client device is capable of using a first authentication protocol to attempt authentication via the network device;
- enabling the first authentication protocol on the port of the network device if the client device is determined to be capable of using the first authentication protocol to attempt authentication via the network device; and
- evaluating a first policy to determine whether to grant access to a network resource associated with a first local area network, wherein the first policy is evaluated if the client device is authenticated using the first authentication protocol after the first authentication protocol is enabled on the network device, and wherein, if the client device is not capable of using the first authentication protocol and is authenticated using a second authentication protocol that is different than the first authentication protocol, then a second policy is evaluated to determine whether to grant access to the network resource.
Dependent claims: 14, 15, 16, 17.

18. An apparatus, comprising:
- at least one memory element configured to store code;
- at least one processor operable to execute instructions associated with the code; and
- an enforcer element configured to interface with the at least one memory element and the at least one processor such that the apparatus can:
  - monitor network traffic associated with a port of a network device;
  - determine whether the network traffic associated with the port and a client device indicates the client device is capable of using a first authentication protocol to attempt authentication via the network device;
  - enable the first authentication protocol on the port of the network device if the client device is determined to be capable of using the first authentication protocol to attempt authentication via the network device; and
  - evaluate a first policy to determine whether to grant access to a network resource associated with a first local area network, wherein the first policy is evaluated if the client device is authenticated using the first authentication protocol after the first authentication protocol is enabled on the network device, and wherein, if the client device is not capable of using the first authentication protocol and is authenticated using a second authentication protocol that is different than the first authentication protocol, then a second policy is evaluated to determine whether to grant access to the network resource.
Dependent claims: 19, 20, 21, 22, 23.
Specification