Managing network resource access using session context

US 9,723,026 B2
Filed: 07/09/2015
Issued: 08/01/2017
Est. Priority Date: 07/09/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a connection request at a computing device from a user device, the computing device providing a network service to a service area;

generating a session start request to start a user session in a service domain covering the service area;

evaluating one or more policy rules to determine whether any rule is applicable to the user device, including determining whether an authoritative user session has already been established in the service domain;

establishing the user session in the service domain for the user device;

if the authoritative user session has already been established in the service domain;

associating a first access control list (ACL) defining at least one permission to the user session based on the determination that the authoritative user session has already been established, the at least one permission being for access to a controlled network resource; and

if a request from the user device to access the controlled network resource is received, granting access to the controlled network resource to the user device based on the first ACL; and

if the authoritative user session has not already been established in the service domain;

associating a second ACL that does not define the at least one permission to the user session; and

if the request from the user device to access the controlled network resource is received, denying access to the controlled network resource to the user device based on the second ACL.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing device providing a network service to a service area may receive a connection request from a user device and generate a session start request to start a user session in a service domain covering the service area. One or more policy rules may be evaluated to determine whether any rule is applicable to the user device, which includes determining that an authoritative user session has already been established in the service domain. The user session may be established in the service domain for the user device, and at least one permission for access to a controlled network resource may be associated with the user session based on the determination that the authoritative user session has already been established. A request from the user device to access the controlled network resource may be received and access to the controlled network resource may be granted.

15 Citations

20 Claims

1. A method comprising:
- receiving a connection request at a computing device from a user device, the computing device providing a network service to a service area;
  
  generating a session start request to start a user session in a service domain covering the service area;
  
  evaluating one or more policy rules to determine whether any rule is applicable to the user device, including determining whether an authoritative user session has already been established in the service domain;
  
  establishing the user session in the service domain for the user device;
  
  if the authoritative user session has already been established in the service domain;
  
  associating a first access control list (ACL) defining at least one permission to the user session based on the determination that the authoritative user session has already been established, the at least one permission being for access to a controlled network resource; and
  
  if a request from the user device to access the controlled network resource is received, granting access to the controlled network resource to the user device based on the first ACL; and
  
  if the authoritative user session has not already been established in the service domain;
  
  associating a second ACL that does not define the at least one permission to the user session; and
  
  if the request from the user device to access the controlled network resource is received, denying access to the controlled network resource to the user device based on the second ACL.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - if the authoritative user session has already been established in the service domain;
      
      monitoring connected user devices in the service domain;
      
      generating a session stop event when any user device leaves the service area; and
      
      re-evaluating the one or more policy rules affected by the session stop event.
  - 3. The method of claim 2, further comprising:
    - if the authoritative user session has already been established in the service domain;
      
      determining that an authoritative user device that established the authoritative user session has left the service area; and
      
      revoking, based on the second ACL, the at least one permission to access the controlled network resource previously granted to the user session.
  - 4. The method of claim 3, further comprising:
    - if the authoritative user session has already been established in the service domain;
      
      receiving another request from the user device to access the controlled network resource; and
      
      denying access to the controlled network resource to the user device based on the second ACL.
  - 5. The method of claim 1, wherein access to the controlled network resource is controlled by a firewall that contains or has access to the first and/or second ACLs.
  - 6. The method of claim 1, wherein the service area is a home and the authoritative user device belongs to a person with authority at the home.
  - 7. The method of claim 1, wherein the service area is a business premise and the authoritative user device belongs to a manager.
  - 8. The method of claim 1, wherein the session start request is a Remote Authentication Dial In User Service (RADIUS) access request message, a port up, or a RADIUS accounting start message.

9. An apparatus comprising:
- one or more network ports to send/receive data packets to/from a communication network; and
  
  a microprocessor coupled to the network ports, and configured to;
  
  receive a connection request from a user device, the apparatus providing a network service to a service area;
  
  generate a session start request to start a user session in a service domain covering the service area;
  
  evaluate one or more policy rules to determine whether any rule is applicable to the user device, including determining whether an authoritative user session has already been established in the service domain;
  
  establish the user session in the service domain for the user device;
  
  if the authoritative user session has already been established in the service domain;
  
  associate a first access control list (ACL) defining at least one permission to the user session based on the determination that the authoritative user session has already been established, the at least one permission being for access to a controlled network resource; and
  
  if a request from the user device to access the controlled network resource is received, grant access to the controlled network resource to the user device based on the first ACL; and
  
  if the authoritative user session has not already been established in the service domain;
  
  associate a second ACL that does not define the at least one permission to the user session; and
  
  if the request from the user device to access the controlled network resource is received, deny access to the controlled network resource to the user device based on the second ACL.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The apparatus of claim 9, wherein the microprocessor is further configured to:
    - if the authoritative user session has already been established in the service domain;
      
      monitor connected user devices in the service domain;
      
      generate a session stop event when any user device leaves the service area;
      
      re-evaluate the one or more policy rules affected by the session stop event;
      
      determine that an authoritative user device that established the authoritative user session has left the service area;
      
      revoke, based on the second ACL, the at least one permission to access the controlled network resource previously granted to the user session;
      
      receive another request from the user device to access the controlled network resource; and
      
      deny access to the controlled network resource to the user device based on the second ACL.
  - 11. The apparatus of claim 9, wherein access to the controlled network resource is controlled by a firewall that contains or has access to the first and/or second ACLs.
  - 12. The apparatus of claim 9, wherein the service area is a home and the authoritative user device belongs to a person with authority at the home.
  - 13. The apparatus of claim 9, wherein the service area is a business premise and the authoritative user device belongs to a manager.
  - 14. The apparatus of claim 9, wherein the session start request is a Remote Authentication Dial In User Service (RADIUS) access request message, a port up, or a RADIUS accounting start message.

15. A non-transitory computer readable storage media encoded with instructions that, when executed by a processor of a computing device, cause the processor to:
- receive a connection request from a user device, the computing device providing a network service to a service area;
  
  generate a session start request to start a user session in a service domain covering the service area;
  
  evaluate one or more policy rules to determine whether any rule is applicable to the user device, including determining whether an authoritative user session has already been established in the service domain;
  
  establish the user session in the service domain for the user device;
  
  if the authoritative user session has already been established in the service domain;
  
  associate a first access control list (ACL) defining at least one permission to the user session based on the determination that the authoritative user session has already been established, the at least one permission being for access to a controlled network resource; and
  
  if a request from the user device to access the controlled network resource is received, grant access to the controlled network resource to the user device based on the first ACL; and
  
  if the authoritative user session has not already been established in the service domain;
  
  associate a second ACL that does not define the at least one permission to the user session; and
  
  if the request from the user device to access the controlled network resource is received, deny access to the controlled network resource to the user device based on the second ACL.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer readable storage media of claim 15, wherein the processor is further configured to:
    - if the authoritative user session has already been established in the service domain;
      
      monitor connected user devices in the service domain;
      
      generate a session stop event when any user device leaves the service area;
      
      re-evaluate the one or more policy rules affected by the session stop event;
      
      determine that an authoritative user device that established the authoritative user session has left the service area;
      
      revoke, based on the second ACL, the at least one permission to access the controlled network resource previously granted to the user session;
      
      receive another request from the user device to access the controlled network resource; and
      
      deny access to the controlled network resource to the user device based on the second ACL.
  - 17. The non-transitory computer readable storage media of claim 15, wherein access to the controlled network resource is controlled by a firewall that contains or has access to the first and/or second ACLs.
  - 18. The non-transitory computer readable storage media of claim 15, wherein the service area is a home and the authoritative user device belongs to a person with authority at the home.
  - 19. The non-transitory computer readable storage media of claim 15, wherein the service area is a business premise and the authoritative user device belongs to a manager.
  - 20. The non-transitory computer readable storage media of claim 15, wherein the session start request is a Remote Authentication Dial In User Service (RADIUS) access request message, a port up, or a RADIUS accounting start message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Wong, Pok Sze, Nampelly, Ramesh
Primary Examiner(s)
Paliwal, Yogesh

Application Number

US14/795,264
Publication Number

US 20170013016A1
Time in Patent Office

754 Days
Field of Search

726 1
US Class Current
CPC Class Codes

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 65/1066   Session management

H04L 65/1101   Session protocols

H04L 67/141   Setup of application sessio...

H04L 67/143   Termination or inactivation...

Managing network resource access using session context

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Managing network resource access using session context

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links