Enabling dynamic authentication with different protocols on the same port for a switch

US 9,374,353 B2
Filed: 07/26/2013
Issued: 06/21/2016
Est. Priority Date: 01/26/2005
Status: Active Grant

First Claim

Patent Images

1. One or more non-transitory media comprising code for execution and when executed, causes one or more processors to:

monitor network traffic associated with a port of a network device;

determine whether the network traffic associated with the port and a client device indicates the client device is capable of using a first authentication protocol to attempt authentication via the network device;

enable the first authentication protocol on the port of the network device if the client device is determined to be capable of using the first authentication protocol to attempt authentication via the network device; and

evaluate a first policy to determine whether to grant access to a network resource associated with a first local area network, wherein the first policy is evaluated if the client device is authenticated using the first authentication protocol after the first authentication protocol is enabled on the network device, and wherein, if the client device is not capable of using the first authentication protocol and is authenticated using a second authentication protocol that is different than the first authentication protocol, then a second policy is evaluated to determine whether to grant access to the network resource.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention enables a client device that does not support IEEE 802.1X authentication to access at least some resources provided through a switch that supports 802.1X authentication by using dynamic authentication with different protocols. When the client device attempts to join a network, the switch monitors for an 802.1X authentication message from the client device. In one embodiment, if the client fails to send an 802.1X authentication message, respond to an 802.1X request from the switch, or a predefined failure condition is detected the client may be deemed incapable of supporting 802.1X authentication. In one embodiment, the client may be initially placed on a quarantine VLAN after determination that the client fails to perform an 802.1X authentication within a backoff time limit. However, the client may still gain access to resources based on various non-802.1X authentication mechanisms, including name/passwords, digital certificates, or the like.

58 Citations

View as Search Results

23 Claims

1. One or more non-transitory media comprising code for execution and when executed, causes one or more processors to:
- monitor network traffic associated with a port of a network device;
  
  determine whether the network traffic associated with the port and a client device indicates the client device is capable of using a first authentication protocol to attempt authentication via the network device;
  
  enable the first authentication protocol on the port of the network device if the client device is determined to be capable of using the first authentication protocol to attempt authentication via the network device; and
  
  evaluate a first policy to determine whether to grant access to a network resource associated with a first local area network, wherein the first policy is evaluated if the client device is authenticated using the first authentication protocol after the first authentication protocol is enabled on the network device, and wherein, if the client device is not capable of using the first authentication protocol and is authenticated using a second authentication protocol that is different than the first authentication protocol, then a second policy is evaluated to determine whether to grant access to the network resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The one or more non-transitory media of claim 1, wherein, when the client device is authenticated using the second authentication protocol, the client device is permitted to access the network resource based on the second policy.
  - 3. The one or more non-transitory media of claim 1, wherein the code for execution, when executed, causes the one or more processors to:
    - responsive to an incorrect authentication credential being provided by the client device, determine that the client device is not capable of using the first authentication protocol for authentication.
  - 4. The one or more non-transitory media of claim 1, wherein identifying an authentication request associated with the second authentication protocol serves as a basis for a determination that the client device is not capable of using the first authentication protocol to attempt authentication.
  - 5. The one or more non-transitory media of claim 1, wherein the client device is restricted to a second local area network until the client device is authenticated.
  - 6. The one or more non-transitory media of claim 1, wherein the code for execution, when executed, causes the one or more processors to:
    - disable use of the first authentication protocol based on exceeding a time limit allotted for receiving a first authentication request associated with the first authentication protocol.
  - 7. The one or more non-transitory media of claim 6, wherein the code for execution, when executed, causes the one or more processors to:
    - provision the client device on a second local area network based on exceeding the time limit.
  - 8. The one or more non-transitory media of claim 1, wherein the code for execution, when executed, causes the one or more processors to:
    - provide an interface to the client device if the client device is not capable of using the first authentication protocol, wherein the interface is configured to enable a user of the client device to initiate a second authentication protocol.
  - 9. The one or more non-transitory media of claim 1, wherein the evaluating the first policy is performed after the client device is authenticated based on the first authentication protocol.
  - 10. The one or more non-transitory media of claim 1, wherein when the first authentication protocol is enabled on the port of the network device, the network device is to drop or ignore packets received at the port if the packets are associated with the second authentication protocol.
  - 11. The one or more non-transitory media of claim 1, wherein the first authentication protocol is an 802.1X protocol and the second authentication protocol is a non-802.1X protocol.
  - 12. The one or more non-transitory media of claim 1, wherein the code for execution, when executed, causes the one or more processors to:
    - configure the port on the network device to an auto mode to enable the first authentication protocol.

13. A method, comprising:
- monitoring network traffic associated with a port of a network device;
  
  determining whether the network traffic associated with the port and a client device indicates the client device is capable of using a first authentication protocol to attempt authentication via the network device;
  
  enabling the first authentication protocol on the port of the network device if the client device is determined to be capable of using the first authentication protocol to attempt authentication via the network device; and
  
  evaluating a first policy to determine whether to grant access to a network resource associated with a first local area network, wherein the first policy is evaluated if the client device is authenticated using the first authentication protocol after the first authentication protocol is enabled on the network device, and wherein, if the client device is not capable of using the first authentication protocol and is authenticated using a second authentication protocol that is different than the first authentication protocol, then a second policy is evaluated to determine whether to grant access to the network resource.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13, further comprising:
    - accepting, from the client device when the client device is not capable of using the first authentication protocol, at least one authentication credential associated with the second authentication protocol.
  - 15. The method of claim 13, further comprising:
    - responsive to an incorrect authentication credential being provided by the client device, determining that the client device is not capable of using the first authentication protocol for authentication.
  - 16. The method of claim 13, wherein identifying an authentication request associated with the second authentication protocol serves as a basis for determining that the client device is not capable of using the first authentication protocol to attempt authentication.
  - 17. The method of claim 13, further comprising:
    - providing an interface to the client device if the client device is not capable of using the first authentication protocol, wherein the interface is configured to enable a user of the client device to initiate the second authentication protocol.

18. An apparatus, comprising:
- at least one memory element configured to store code;
  
  at least one processor operable to execute instructions associated with the code; and
  
  an enforcer element configured to interface with the at least one memory element and the at least one processor such that the apparatus can;
  
  monitor network traffic associated with a port of a network device;
  
  determine whether the network traffic associated with the port and a client device indicates the client device is capable of using a first authentication protocol to attempt authentication via the network device;
  
  enable the first authentication protocol on the port of the network device if the client device is determined to be capable of using the first authentication protocol to attempt authentication via the network device; and
  
  evaluate a first policy to determine whether to grant access to a network resource associated with a first local area network, wherein the first policy is evaluated if the client device is authenticated using the first authentication protocol after the first authentication protocol is enabled on the network device, and wherein, if the client device is not capable of using the first authentication protocol and is authenticated using a second authentication protocol that is different than the first authentication protocol, then a second policy is evaluated to determine whether to grant access to the network resource.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The apparatus of claim 18, wherein the enforcer element is configured to interface with the at least one memory element and the at least one processor such that the apparatus can:
    - accept, from the client device when the client device is not capable of using the first authentication protocol, at least one authentication credential associated with the second authentication protocol.
  - 20. The apparatus of claim 18, wherein the client device is restricted to a second local area network until the client device is authenticated.
  - 21. The apparatus of claim 18, wherein the enforcer element is configured to interface with the at least one memory element and the at least one processor such that the apparatus can:
    - disable use of the first authentication protocol based on exceeding a time limit allotted for receiving a first authentication request associated with the first authentication protocol.
  - 22. The apparatus of claim 21, wherein the enforcer element is configured to interface with the at least one memory element and the at least one processor such that the apparatus can:
    - provision the client device on a second local area network based on exceeding the time limit.
  - 23. The apparatus of claim 18, wherein the enforcer element is configured to interface with the at least one memory element and the at least one processor such that the apparatus can:
    - provide an interface to the client device if the client device is not capable of using the first authentication protocol, wherein the interface is configured to enable a user of the client device to initiate the second authentication protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Vank, Alexandru Z., Shen, Xin, Cobb, Matt B., Robel-Forrest, Brad, Phoenix, Evan M.
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US13/952,245
Publication Number

US 20140123213A1
Time in Patent Office

1,061 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/162   at the data link layer

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

Enabling dynamic authentication with different protocols on the same port for a switch

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

58 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Enabling dynamic authentication with different protocols on the same port for a switch

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links