Authentication in a network using client health enforcement framework
2 Assignments
0 Petitions
Abstract
A network with authentication implemented using a client health enforcement framework. The framework is adapted to receive plug-ins on clients that generate health information. Corresponding plug-ins on a server validate that health information. Based on the results of validation, the server may instruct the client to remediate or may authorize an underlying access enforcement mechanism to allow access. A client plug-in that generates authentication information formatted as a statement of health may be incorporated into such a framework. Similarly, on the server, a validator to determine, based on the authentication information, whether the client should be granted network access can be incorporated into the framework. Authentication can be simply applied or modified by changing the plug-ins, while relying on the framework to interface with an enforcement mechanism. Functions of the health enforcement framework can be leveraged to provide authentication-based functionality, such as revoking authorized access after a period of user inactivity or in response to a user command.
56 Citations
18 Claims
1. A computer-implemented method, the method comprising:
requesting authentication to an out-of-band server;
in response to the request, obtaining, at a client computer, authentication information from the out-of-band server indicating that the client computer is authenticated to access a network;
formatting, at the client computer, a statement of health to include the authentication information;
requesting network access to a first server, the request including the statement of health, the first server differing from the out-of-band server; and
when the statement of health is not in compliance, receiving a response including at least one remediation that is needed before access to the network is granted, wherein the authentication performed in the out-of-band server does not interface with the first server that grants access to the network.
Dependent claims: 2, 3, 4, 5, 6, 7.

8. A client computer comprising:
a client health enforcement framework having a client health access agent adapted to obtain information from one or more statement of health agents through an interface and to send a statement of health to a health policy server, the health policy server configured to grant access to a network based on a validated statement of health; and
an authentication agent for authenticating the client computer, for access to the network, to an out-of-band server, the authentication agent providing authentication information indicating the authentication status of the client computer to the client health access agent through the interface,
whereby the client health access agent requests network access from the health policy server with a statement of health including the authentication information and, when the statement of health does not comply with a health policy, receives a response from the health policy server indicating at least one remediation that is needed before access to the network is granted, wherein the authentication agent does not interface with the health policy server that grants access to the network.
Dependent claims: 9, 10, 11, 12, 13.

14. A method of operating a network, the method comprising:
configuring a client computer to include a client health access agent adapted to obtain health information from one or more statement of health agents executing on the client computer and to provide, based on the obtained health information, a statement of health to a health policy server;
in an authentication agent on the client computer, requesting authentication from an authentication server and, in response to the request, obtaining from the authentication server authentication information indicating whether the client computer is authorized for network access, and providing the authentication information to the client health access agent;
in the client health access agent, generating a statement of health for the client computer including the authentication information and the health information from the one or more statement of health agents, and requesting network access by sending the statement of health to the health policy server; and
in the client health access agent, when the health information is out of compliance, receiving a response from the health policy server indicating at least one remediation measure needed to obtain network access,
wherein the health policy server and the authentication server differ, and wherein the authentication agent does not interface with the health policy server that grants access to the network.
Dependent claims: 15, 16, 17, 18.
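The exchange described in the abstract and in claims 1, 8 and 14, as an added illustration that is not the patent's code or any vendor's implementation. The out-of-band authentication server issues authentication information; a client plug-in (statement of health agent) wraps it into the same statement of health as the ordinary health plug-ins; the health policy server runs one validator per plug-in and either grants access or returns the list of remediations. Everything concrete here is an assumption: the plug-in names, the firewall and antivirus policy thresholds, the sample credentials, and above all the HMAC key shared between the two servers, which is what lets the health policy server verify the token without ever contacting the authentication server (the "does not interface" limitation in the claims). The firewall and antivirus entries remain self-reported by the client; only the authentication entry is cryptographically checkable in this model.

```python
import hmac
import hashlib
import json
import time

# Assumed (not from the page): a key provisioned to both the out-of-band
# authentication server and the health policy server. The two never talk
# during the exchange, so the token itself has to be verifiable.
SHARED_KEY = b"constructed-demo-key-do-not-use"
TOKEN_TTL = 300  # seconds before the authentication information goes stale


def _mac(claims: dict) -> str:
    payload = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()


# Out-of-band authentication server (claim 14's "authentication server").
def auth_server_authenticate(client_id: str, password: str, now: float) -> dict:
    users = {"laptop-42": "correct horse"}  # constructed credential store
    if users.get(client_id) != password:
        return {"authenticated": False}
    claims = {"client_id": client_id, "expires": int(now) + TOKEN_TTL}
    return {"authenticated": True, "claims": claims, "mac": _mac(claims)}


# Client plug-ins: each statement of health agent returns one SoH entry.
def authentication_agent(auth_info: dict) -> dict:
    return {"plugin": "auth", "data": auth_info}


def firewall_agent(enabled: bool) -> dict:
    return {"plugin": "firewall", "data": {"enabled": enabled}}


def antivirus_agent(signature_age_days: int) -> dict:
    return {"plugin": "antivirus", "data": {"signature_age_days": signature_age_days}}


def build_statement_of_health(entries: list) -> dict:
    """Client health access agent: bundle plug-in output into one SoH."""
    return {"version": 1, "entries": entries}


# Health policy server validators, one per plug-in. Each returns None when the
# entry complies, else the remediation the client must perform.
def validate_auth(data: dict, now: float):
    if not data.get("authenticated"):
        return "authenticate to the out-of-band server"
    claims = data.get("claims", {})
    # Verify locally with a constant-time compare; no call to the auth server.
    if not hmac.compare_digest(_mac(claims), data.get("mac", "")):
        return "authentication token failed verification"
    if claims.get("expires", 0) <= now:
        return "authentication token expired; re-authenticate"
    return None


def validate_firewall(data: dict, now: float):
    return None if data.get("enabled") else "enable the host firewall"


def validate_antivirus(data: dict, now: float):
    fresh = data.get("signature_age_days", 999) <= 7
    return None if fresh else "update antivirus signatures"


VALIDATORS = {"auth": validate_auth, "firewall": validate_firewall,
              "antivirus": validate_antivirus}


def health_policy_server(soh: dict, now: float) -> dict:
    """Run every validator; grant only if no plug-in asks for remediation."""
    remediations, seen = [], set()
    for entry in soh.get("entries", []):
        name = entry.get("plugin")
        if name not in VALIDATORS:
            remediations.append(f"unknown plug-in {name!r}")
            continue
        seen.add(name)
        problem = VALIDATORS[name](entry.get("data", {}), now)
        if problem:
            remediations.append(problem)
    # An absent entry fails closed: a SoH with no auth entry is not authenticated.
    for name in VALIDATORS:
        if name not in seen:
            remediations.append(f"missing statement from plug-in {name!r}")
    if remediations:
        return {"access": "denied", "remediations": remediations}
    return {"access": "granted", "remediations": []}


def run_exchange(client_id, password, firewall_on, sig_age, now=None, delay=0):
    """Full flow: authenticate out of band, build the SoH, request access."""
    now = time.time() if now is None else now
    auth_info = auth_server_authenticate(client_id, password, now)
    soh = build_statement_of_health([authentication_agent(auth_info),
                                     firewall_agent(firewall_on),
                                     antivirus_agent(sig_age)])
    return health_policy_server(soh, now + delay)


if __name__ == "__main__":
    print(run_exchange("laptop-42", "correct horse", True, 2))
    print(run_exchange("laptop-42", "correct horse", False, 30))
```

Two design points matter for a deployment of this shape. The token must carry an identity and an expiry and be integrity-protected, otherwise any client can paste an "authenticated" entry into its statement of health and the health policy server has no way to tell; the `delay` parameter above shows the expiry path, which is also the hook the abstract describes for revoking access after inactivity (stop refreshing the token and the next health check fails). And validation must fail closed on a missing plug-in entry, since a framework that silently passes an absent authentication statement turns the authentication plug-in into a decoration.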
Specification