System and method for enabling unconfigured devices to join an autonomic network in a secure manner

US 9,774,452 B2
Filed: 05/27/2015
Issued: 09/26/2017
Est. Priority Date: 05/22/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

using a processor to create an initial information package for a device attempting to join a network domain of a network environment;

communicating the initial information package to a signing authority;

sending an authorization token generated by the signing authority to the device, wherein the device validates the authorization token based on a credential in the device;

evaluating an audit history report of the device, wherein the audit history report comprises information regarding previous attempts by the device to join the network environment including, for each of the previous attempts, a date and time of the attempt, an identity of a network domain associated with the attempt, and an indication of whether the attempt was successful;

applying a policy to the device based on an evaluation of the audit history report;

generating a completed information package, wherein the completed information package includes an authorization token;

applying a second signature to the completed information package;

sending the authorization token and the completed information package to the device, the device validating the second signature on the completed information package.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method in an example embodiment includes creating an initial information package for a device attempting to join a network domain of a network environment; communicating the initial information package to a signing authority; sending an authorization token generated by the signing authority to the device, wherein the device validates the authorization token based on a credential in the device; and receiving an audit history report of the device, wherein the audit history report comprises information regarding previous attempts by the device to join the network environment. The method may also include applying a policy to the device based on the audit history report; generating a completed information package, wherein the completed information package includes an authorization token; applying a second signature to the completed information package; and sending the authorization token and the completed information package to the device, the device validating the second signature on the completed information package.

43 Citations

View as Search Results

20 Claims

1. A method, comprising:
- using a processor to create an initial information package for a device attempting to join a network domain of a network environment;
  
  communicating the initial information package to a signing authority;
  
  sending an authorization token generated by the signing authority to the device, wherein the device validates the authorization token based on a credential in the device;
  
  evaluating an audit history report of the device, wherein the audit history report comprises information regarding previous attempts by the device to join the network environment including, for each of the previous attempts, a date and time of the attempt, an identity of a network domain associated with the attempt, and an indication of whether the attempt was successful;
  
  applying a policy to the device based on an evaluation of the audit history report;
  
  generating a completed information package, wherein the completed information package includes an authorization token;
  
  applying a second signature to the completed information package;
  
  sending the authorization token and the completed information package to the device, the device validating the second signature on the completed information package.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the device validates the authorization token by:
    - verifying the authorization token was created by the signing authority; and
      
      verifying the signing authority is trusted based on the credential.
  - 3. The method of claim 1, further comprising:
    - receiving a message containing a unique device identifier (UDI) of the device.
  - 4. The method of claim 3, further comprising:
    - determining the validity of the device to connect to the domain;
      
      determining a device type of the device; and
      
      determining whether the device is authorized to connect to an interface in the domain.
  - 5. The method of claim 3, wherein the initial information package includes the unique device identifier of the device and a domain identifier of the domain.
  - 6. The method of claim 5, wherein the signing authority creates the authorization token by applying an authorization signature to the unique device identifier and the domain identifier.
  - 7. The method of claim 1, wherein the credential on the device includes a manufacturing installed certificate, and wherein the manufacturing installed certificate is a root of a signing authority certificate of the signing authority.
  - 8. The method of claim 1, wherein the signing authority determines whether the device is authorized to join the domain, and wherein the signing authority creates the authorization token if the device is authorized to join the domain.
  - 9. The method of claim 1, wherein the signing authority determines whether the device is authorized to join the domain based on a customer policy.
  - 10. The method of claim 1, wherein the credential includes a manufacturing installed certificate with an Institute of Electrical and Electronics Engineers (IEEE) 802.1AR initial device identifier (IDevID) and a root public key of a manufacturer.
  - 11. The method of claim 1, wherein the policy prevents the device from joining the domain if the audit history report indicates the device was previously registered to a different domain in the network environment.
  - 12. The method of claim 1, wherein if the device validates the authorization token, the device automatically enrolls in the domain.
  - 13. The method of claim 1, further comprising:
    - receiving a certificate request from the device after the device validates the authorization token;
      
      generating a certificate signed by a certification authority of the domain; and
      
      sending the certificate to the device, thereby enabling the device to join the domain.
  - 14. The method of claim 1, wherein the signing authority is a cloud resource.

15. Logic encoded in one or more non-transitory computer-readable media that includes code for execution and when executed by a processor is operable to perform operations comprising:
- creating an initial information package for a device attempting to join a network domain of a network environment;
  
  communicating the initial information package to a signing authority;
  
  sending an authorization token generated by the signing authority to the device, wherein the device validates the authorization token based on a credential in the device;
  
  evaluating an audit history report of the device, wherein the audit history report comprises information regarding previous attempts by the device to join the network environment including, for each of the previous attempts, a date and time of the attempt, an identity of a network domain associated with the attempt, and an indication of whether the attempt was successful;
  
  applying a policy to the device based on an evaluation of the audit history report;
  
  generating a completed information package, wherein the completed information package includes an authorization token;
  
  applying a second signature to the completed information package;
  
  sending the authorization token and the completed information package to the device, the device validating the second signature on the completed information package.

16. An apparatus, comprising:
- a memory element configured to store data;
  
  a processor operable to execute instructions associated with the data; and
  
  an information package module configured to interface with the memory element and the processor, wherein the apparatus is configured to;
  
  create an initial information package for a device attempting to join a network domain of a network environment;
  
  communicate the initial information package to a signing authority;
  
  send an authorization token generated by the signing authority to the device, wherein the device validates the authorization token based on a credential in the device;
  
  evaluate an audit history report of the device, wherein the audit history report comprises information regarding previous attempts by the device to join the network environment including, for each of the previous attempts, a date and time of the attempt, an identity of a network domain associated with the attempt, and an indication of whether the attempt was successful;
  
  apply a policy to the device based on an evaluation of the audit history report;
  
  generate a completed information package, wherein the completed information package includes an authorization token;
  
  apply a second signature to the completed information package;
  
  send the authorization token and the completed information package to the device, the device validating the second signature on the completed information package.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The apparatus of claim 16, wherein the initial information package includes a unique device identifier of the device and a domain identifier of the domain.
  - 18. The apparatus of claim 16, wherein the signing authority determines whether the device is authorized to join the domain, and wherein the signing authority creates the authorization token if the device is authorized to join the domain.
  - 19. The apparatus of claim 18, wherein the signing authority determines whether the device is authorized to join the domain by determining whether the domain identifier in the initial information package corresponds to a root certificate in a certification authority of the domain.
  - 20. The apparatus of claim 18, wherein the signing authority creates the authorization token by applying an authorization signature to the unique device identifier and the domain identifier and wherein if the device validates the authorization token, the device automatically enrolls in the domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Bjarnason, Steinthor, Behringer, Michael H., Hertoghs, Yves Francis Eugene, Pritikin, Max
Primary Examiner(s)
Rahim, Monjour

Application Number

US14/722,444
Publication Number

US 20150280916A1
Time in Patent Office

853 Days
Field of Search

726 1
US Class Current
CPC Class Codes

H04L 41/0809   Plug-and-play configuration

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/0876   based on the identity of th...

H04L 63/20   for managing network securi...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3247   involving digital signatures

System and method for enabling unconfigured devices to join an autonomic network in a secure manner

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

43 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for enabling unconfigured devices to join an autonomic network in a secure manner

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links