Managing network resource access using session context
Abstract
A computing device providing a network service to a service area may receive a connection request from a user device and generate a session start request to start a user session in a service domain covering the service area. One or more policy rules may be evaluated to determine whether any rule is applicable to the user device, which includes determining that an authoritative user session has already been established in the service domain. The user session may be established in the service domain for the user device, and at least one permission for access to a controlled network resource may be associated with the user session based on the determination that the authoritative user session has already been established. A request from the user device to access the controlled network resource may be received and access to the controlled network resource may be granted.
15 Citations
20 Claims
1. A method comprising:
    receiving a connection request at a computing device from a user device, the computing device providing a network service to a service area;
    generating a session start request to start a user session in a service domain covering the service area;
    evaluating one or more policy rules to determine whether any rule is applicable to the user device, including determining whether an authoritative user session has already been established in the service domain;
    establishing the user session in the service domain for the user device;
    if the authoritative user session has already been established in the service domain:
        associating a first access control list (ACL) defining at least one permission to the user session based on the determination that the authoritative user session has already been established, the at least one permission being for access to a controlled network resource; and
        if a request from the user device to access the controlled network resource is received, granting access to the controlled network resource to the user device based on the first ACL; and
    if the authoritative user session has not already been established in the service domain:
        associating a second ACL that does not define the at least one permission to the user session; and
        if the request from the user device to access the controlled network resource is received, denying access to the controlled network resource to the user device based on the second ACL.
    Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. An apparatus comprising:
    one or more network ports to send/receive data packets to/from a communication network; and
    a microprocessor coupled to the network ports, and configured to:
        receive a connection request from a user device, the apparatus providing a network service to a service area;
        generate a session start request to start a user session in a service domain covering the service area;
        evaluate one or more policy rules to determine whether any rule is applicable to the user device, including determining whether an authoritative user session has already been established in the service domain;
        establish the user session in the service domain for the user device;
        if the authoritative user session has already been established in the service domain:
            associate a first access control list (ACL) defining at least one permission to the user session based on the determination that the authoritative user session has already been established, the at least one permission being for access to a controlled network resource; and
            if a request from the user device to access the controlled network resource is received, grant access to the controlled network resource to the user device based on the first ACL; and
        if the authoritative user session has not already been established in the service domain:
            associate a second ACL that does not define the at least one permission to the user session; and
            if the request from the user device to access the controlled network resource is received, deny access to the controlled network resource to the user device based on the second ACL.
    Dependent claims: 10, 11, 12, 13, 14.

15. A non-transitory computer readable storage media encoded with instructions that, when executed by a processor of a computing device, cause the processor to:
    receive a connection request from a user device, the computing device providing a network service to a service area;
    generate a session start request to start a user session in a service domain covering the service area;
    evaluate one or more policy rules to determine whether any rule is applicable to the user device, including determining whether an authoritative user session has already been established in the service domain;
    establish the user session in the service domain for the user device;
    if the authoritative user session has already been established in the service domain:
        associate a first access control list (ACL) defining at least one permission to the user session based on the determination that the authoritative user session has already been established, the at least one permission being for access to a controlled network resource; and
        if a request from the user device to access the controlled network resource is received, grant access to the controlled network resource to the user device based on the first ACL; and
    if the authoritative user session has not already been established in the service domain:
        associate a second ACL that does not define the at least one permission to the user session; and
        if the request from the user device to access the controlled network resource is received, deny access to the controlled network resource to the user device based on the second ACL.
    Dependent claims: 16, 17, 18, 19, 20.
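The following is an added illustration of the session flow described in the abstract and in claims 1, 9 and 15; it is not code from the patent or its assignee. It assumes that the connection request identifies the user behind the device (the user_id field), that service areas map statically to service domains, and that sessions carry an expiry time. The ACL names, resource names and the re-check of an inherited permission against its authoritative anchor session are constructed for this example; the claims do not specify them.

```python
"""Session-context access control: a user device joining a service domain
receives the permissive first ACL only when an authoritative user session
for the same user already exists in that domain, else the restrictive
second ACL. Added illustration; names and expiry behaviour are assumptions."""
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class ACL:
    name: str
    permitted: frozenset  # controlled network resources this ACL permits


# Constructed ACLs: the first defines the permission, the second does not.
FIRST_ACL = ACL("first-acl", frozenset({"file-share"}))
SECOND_ACL = ACL("second-acl", frozenset())


@dataclass(frozen=True)
class ConnectionRequest:
    user_id: str       # assumed: the request identifies the user behind the device
    device_id: str
    service_area: str  # area served by the computing device receiving the request


@dataclass
class Session:
    session_id: int
    user_id: str
    device_id: str
    domain: str
    authoritative: bool
    acl: ACL
    expires_at: float
    anchor_id: Optional[int] = None  # authoritative session this one relies on


class SessionController:
    """Holds user sessions per service domain and applies the policy rule."""

    def __init__(self, area_to_domain: Dict[str, str], clock=time.time):
        self._area_to_domain = area_to_domain  # service area -> covering domain
        self._sessions: Dict[int, Session] = {}
        self._next_id = 1
        self._clock = clock

    def _alive(self, session: Optional[Session]) -> bool:
        return session is not None and session.expires_at > self._clock()

    def _establish(self, user_id, device_id, domain, authoritative, acl, ttl, anchor_id):
        session = Session(self._next_id, user_id, device_id, domain, authoritative,
                          acl, self._clock() + ttl, anchor_id)
        self._sessions[session.session_id] = session
        self._next_id += 1
        return session

    def authoritative_session(self, user_id: str, domain: str) -> Optional[Session]:
        """Policy check: a live authoritative session for this user in this domain?"""
        for s in self._sessions.values():
            if s.authoritative and s.user_id == user_id and s.domain == domain and self._alive(s):
                return s
        return None

    def start_authoritative_session(self, user_id, device_id, domain, ttl) -> Session:
        """Record a session the user established by authenticating directly
        (how that authentication happens is outside this example)."""
        return self._establish(user_id, device_id, domain, True, FIRST_ACL, ttl, None)

    def handle_connection_request(self, req: ConnectionRequest, ttl: float = 3600) -> Session:
        """Connection request -> session start in the covering domain -> policy
        evaluation -> session established with the first or the second ACL."""
        domain = self._area_to_domain[req.service_area]
        anchor = self.authoritative_session(req.user_id, domain)
        if anchor is not None:
            return self._establish(req.user_id, req.device_id, domain, False,
                                   FIRST_ACL, ttl, anchor.session_id)
        return self._establish(req.user_id, req.device_id, domain, False, SECOND_ACL, ttl, None)

    def request_access(self, session_id: int, resource: str) -> bool:
        """Grant or deny a controlled resource from the session's ACL. An inherited
        permission is re-checked against its anchor so it cannot outlive it
        (added safeguard, not something the claims specify)."""
        session = self._sessions.get(session_id)
        if not self._alive(session):
            return False
        if session.anchor_id is not None and not self._alive(self._sessions.get(session.anchor_id)):
            return False
        return resource in session.acl.permitted


def demo() -> Dict[str, bool]:
    """Walk both branches of claim 1 with constructed users, devices and areas."""
    now = [1000.0]  # controllable clock so expiry is deterministic
    ctl = SessionController({"area-1": "domain-A", "area-2": "domain-B"}, clock=lambda: now[0])
    before = ctl.handle_connection_request(ConnectionRequest("alice", "phone", "area-1"))
    ctl.start_authoritative_session("alice", "laptop", "domain-A", ttl=600)  # expires at 1600
    after = ctl.handle_connection_request(ConnectionRequest("alice", "tablet", "area-1"))
    elsewhere = ctl.handle_connection_request(ConnectionRequest("alice", "tablet", "area-2"))
    other_user = ctl.handle_connection_request(ConnectionRequest("bob", "phone", "area-1"))
    results = {
        "no_authoritative_session": ctl.request_access(before.session_id, "file-share"),
        "authoritative_session_exists": ctl.request_access(after.session_id, "file-share"),
        "other_domain": ctl.request_access(elsewhere.session_id, "file-share"),
        "other_user": ctl.request_access(other_user.session_id, "file-share"),
        "resource_not_in_acl": ctl.request_access(after.session_id, "printer"),
    }
    now[0] = 1700.0  # the authoritative anchor has expired; the tablet session has not
    results["after_anchor_expired"] = ctl.request_access(after.session_id, "file-share")
    return results


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

Only the tablet joining domain-A after the laptop's authoritative session exists receives the first ACL; the earlier phone, the same user in domain-B and a different user in domain-A all receive the second ACL and are denied. The anchor re-check in request_access is the practitioner's caveat: without it, a permission inherited at join time would persist after the session that justified it is gone.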