Authentication in a network using client health enforcement framework

US 9,443,084 B2
Filed: 12/18/2008
Issued: 09/13/2016
Est. Priority Date: 11/03/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, the method comprising:

requesting authentication to an out-of-band server;

in response to the request, obtaining, at a client computer, authentication information, from the out-of-band server, indicating that the client computer is authenticated to access a network;

formatting, at the client computer, a statement of health to include the authentication information; and

requesting network access to a first server, the request including the statement of health the first server differing from the out-of-band server; and

when the statement of health is not in compliance, receiving a response including at least one remediation that is needed before access to the network is granted,wherein the authentication performed in the out-of-band server does not interface with the first server that grants access to the network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network with authentication implemented using a client health enforcement framework. The framework is adapted to receive plug-ins on clients that generate health information. Corresponding plug-ins on a server validate that health information. Based on the results of validation, the server may instruct the client to remediate or may authorize an underlying access enforcement mechanism to allow access. A client plug-in that generates authentication information formatted as a statement of health may be incorporated into such a framework. Similarly, on the server, a validator to determine, based on the authentication information, whether the client should be granted network access can be incorporated into the framework. Authentication can be simply applied or modified by changing the plug-ins, while relying on the framework to interface with an enforcement mechanism. Functions of the health enforcement framework can be leveraged to provide authentication-based functionality, such as revoking authorized access after a period of user inactivity or in response to a user command.

56 Citations

View as Search Results

18 Claims

1. A computer-implemented method, the method comprising:
- requesting authentication to an out-of-band server;
  
  in response to the request, obtaining, at a client computer, authentication information, from the out-of-band server, indicating that the client computer is authenticated to access a network;
  
  formatting, at the client computer, a statement of health to include the authentication information; and
  
  requesting network access to a first server, the request including the statement of health the first server differing from the out-of-band server; and
  
  when the statement of health is not in compliance, receiving a response including at least one remediation that is needed before access to the network is granted,wherein the authentication performed in the out-of-band server does not interface with the first server that grants access to the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the remediation is associated with a protective configuration and the method further comprising:
    - remediating the protective configuration;
      
      formatting, at the client computer, a second statement of health, the second statement of health including the authentication information; and
      
      providing the second statement of health to the first server in connection with a request for network access.
  - 3. The method of claim 1, wherein the remediation is associated with the authentication information and the method further comprising:
    - obtaining a second authorization authentication information, the second authentication information indicating that the client computer is authenticated to access the network;
      
      formatting, at the client computer, a second statement of health, the second statement of health including the second authorization authentication information; and
      
      providing the second statement of health to the first server in connection with a request for network access.
  - 4. The method of claim 1, further comprising:
    - receiving a security token as the authentication information from the out-of-band server.
  - 5. The method of claim 1, wherein:
    - the method further comprisesgenerating anti-virus configuration information indicating a configuration of anti-virus software on the client computer; and
      
      formatting the statement of health further comprises formatting the statement of health to include the anti-virus configuration information.
  - 6. The method of claim 1, further comprising:
    - monitoring user interactions with the client computer; and
      
      when user interactions are not detected for a period of time exceeding a threshold, sending to the first server an indication that the statement of health of the client computer has changed.
  - 7. The method of claim 1, further comprising:
    - receiving user input indicating a network logoff; and
      
      in response to the user input, sending to the first server an indication that the statement of health of the client computer has changed.

8. A client computer comprising:
- a client health enforcement framework having a client health access agent adapted to obtain information from one or more statement of health agents through an interface and to send a statement of health to a health policy server, the health policy server configured to grant access to a network based on a validated statement of health; and
  
  an authentication agent for authenticating the client computer for access to the network to an out-of-band server and that provides authentication information indicating authentication status of the client computer to the client health access agent through the interface,whereby the client health access agent requests network access to the health policy server with a statement of health including the authentication information and when the statement of health does not comply with a health policy, receive a response from the health policy server, indicating at least one remediation that is needed before access to the network is granted,wherein the authentication agent does not interface with the health policy server that grants access to the network.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The client computer of claim 8, wherein the client health enforcement framework is configured to authorize access that times out, and the client health access agent is adapted to poll each of the one or more statement of health agents and the authentication agent for status information when the authorization times out.
  - 10. The client computer of claim 9, wherein, the authentication agent is adapted to re-authenticate the client computer in response to being polled by the client health access agent for status information.
  - 11. The client computer of claim 9, wherein:
    - the one or more statement of health agents is each adapted to communicate a change of health status indication through the interface;
      
      the client health access agent is adapted to communicate a health status change to the health policy server in response to a change of health status indication through the interface; and
      
      the authentication agent is adapted to communicate a change of health status indication through the interface in response to detecting user inactivity exceeding a threshold period of time.
  - 12. The client computer of claim 11, wherein the authentication agent is further adapted to communicate a change of health status indication through the interface in response to user input indicating a network logoff.
  - 13. The client computer of claim 12, wherein the one or more statement of health agents comprise an anti-virus agent adapted to indicate a configuration of anti-virus software executing on the client computer.

14. A method of operating a network, the method comprising:
- configuring a client computer to include a client health access agent being adapted to obtain health information from one or more statement of health agents executing on the client computer and to provide, based on the obtained health information, a statement of health to a health policy server;
  
  in an authentication agent on the client computer, requesting authentication from an authentication server and in response to the request, obtaining authentication information indicating whether the client computer is authorized for network access from the authentication server and providing the authentication information to the client health access agent; and
  
  in the client health access agent, generating a statement of health for the client computer including the authentication information and the health information from the one or more statement of health agents and requesting network access by sending the statement of health to the health policy server,in the client health access agent, when the health information is out of compliance, receiving a response from the health policy server indicating at least one remediation measure needed to obtain network access,wherein the health policy server and the authentication server differ,wherein the authentication agent does not interface with the health policy server that grants access to the network.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The method of claim 14, wherein:
    - the authentication agent is configured as a plug-in for the client health access agent, andthe authentication agent provides a user interface to obtain authentication parameters from a user.
  - 16. The method of claim 14, wherein:
    - when the health policy server determines that one or more portions of the statement of health is out of compliance with an access policy, the health policy server responds with an instruction to remediate a component associated with each of the one or more portions; and
      
      when the instruction to remediate is associated with the authentication information in the statement of health, the instruction to remediate includes challenge information;
      
      following remediation by the authentication agent, when the client health access agent submits a subsequent statement of health to the health validation server, the subsequent statement of health includes the challenge information signed by the authentication server.
  - 17. The method of claim 14, further comprising:
    - configuring a health policy server to provide a portion of the statement of health to each of one or more component health validators and to selectively authorize network access based on results of processing of respective portions of the statement of health by the one or more component health validators; and
      
      providing a portion of the statement of health corresponding to the authentication information to an authentication validator and selectively authorizing network access based in part on processing of the authentication information within the authentication validator.
  - 18. The method of claim 17, wherein:
    - the one or more statement of health agents comprises a statement of health agent adapted to determine a configuration of at least one protective component on the client computer;
      
      generating the statement of health comprises incorporating configuration information identifying the configuration of the at least one protective component;
      
      the method further comprises, in the health policy server, providing a second portion of the statement of health corresponding to the configuration information to a component health validator; and
      
      selectively authorizing network access further comprises authorizing network access based in part on processing of the configuration information within the component health validator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Nice, Nir, Eyal, Anat, Nukala, Chandrasekhar, Addagatla, Sreenivas, Neystadt, Eugene
Primary Examiner(s)
TRAN, ELLEN C

Application Number

US12/338,268
Publication Number

US 20100115578A1
Time in Patent Office

2,826 Days
Field of Search

726/1, 726/9, 726/3
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/33   using certificates

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2129   Authenticate client device ...

H04L 63/08   for authentication of entit...

H04L 63/1441   Countermeasures against mal...

Authentication in a network using client health enforcement framework

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

56 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication in a network using client health enforcement framework

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links