MANAGING NETWORK RESOURCE ACCESS USING SESSION CONTEXT

US 20170279856A1
Filed: 06/12/2017
Published: 09/28/2017
Est. Priority Date: 07/09/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

establishing, at a computing device, a user session in a service domain covering a service area to which the computing device provides a network service;

determining whether an authoritative user session has already been established in the service domain;

associating an access control list (ACL) to the user session;

receiving a request from a user device to access a controlled network resource; and

based on whether the ACL defines at least one permission for access to the controlled network resource, permitting or denying, to the user device, access to the controlled network resource.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing device providing a network service to a service area may receive a connection request from a user device and generate a session start request to start a user session in a service domain covering the service area. One or more policy rules may be evaluated to determine whether any rule is applicable to the user device, which includes determining that an authoritative user session has already been established in the service domain. The user session may be established in the service domain for the user device, and at least one permission for access to a controlled network resource may be associated with the user session based on the determination that the authoritative user session has already been established. A request from the user device to access the controlled network resource may be received and access to the controlled network resource may be granted.

1 Citation

20 Claims

1. A method comprising:
- establishing, at a computing device, a user session in a service domain covering a service area to which the computing device provides a network service;
  
  determining whether an authoritative user session has already been established in the service domain;
  
  associating an access control list (ACL) to the user session;
  
  receiving a request from a user device to access a controlled network resource; and
  
  based on whether the ACL defines at least one permission for access to the controlled network resource, permitting or denying, to the user device, access to the controlled network resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein:
    - if the authoritative user session has not already been established in the service domain;
      
      associating the ACL to the user session includes associating an ACL that does not define the at least one permission to the user session.
  - 3. The method of claim 2, wherein:
    - if the authoritative user session has not already been established in the service domain;
      
      permitting or denying access includes denying, to the user device, access to the controlled network resource based on the ACL.
  - 4. The method of claim 1, wherein:
    - if the authoritative user session has already been established in the service domain;
      
      associating the ACL to the user session includes associating an ACL that defines the at least one permission to the user session.
  - 5. The method of claim 4, wherein:
    - if the authoritative user session has already been established in the service domain;
      
      permitting or denying access includes permitting, to the user device, access to the controlled network resource based on the ACL.
  - 6. The method of claim 5, further comprising:
    - if the authoritative user session has already been established in the service domain;
      
      determining that an authoritative user device that established the authoritative user session has left the service area; and
      
      revoking the at least one permission to access the controlled network resource previously granted to the user session.
  - 7. The method of claim 1, further comprising:
    - receiving a connection request at the computing device from the user device; and
      
      generating a session start request to start the user session.

8. An apparatus comprising:
- one or more network parts to send/receive data packets to/from a communication network; and
  
  a processor coupled to the network ports, the processor configured to;
  
  establish, at a computing device, a user session in a service domain covering a service area to which the computing device provides a network service;
  
  determine whether an authoritative user session has already been established in the service domain;
  
  associate an access control list (ACL) to the user session;
  
  receive a request from a user device to access a controlled network resource; and
  
  based on whether the ACL defines at least one permission for access to the controlled network resource, permit or deny, to the user device, access to the controlled network resource.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, wherein the processor is further configured to:
    - if the authoritative user session has not already been established in the service domain;
      
      associate the ACL to the user session by associating an ACL that does not define the at least one permission to the user session.
  - 10. The apparatus of claim 9, wherein the processor is further configured to:
    - if the authoritative user session has not already been established in the service domain;
      
      permit or deny access by denying, to the user device, access to the controlled network resource based on the ACL.
  - 11. The apparatus of claim 8, wherein the processor is further configured to:
    - if the authoritative user session has already been established in the service domain;
      
      associate the ACL to the user session by associating an ACL that defines the at least one permission to the user session.
  - 12. The apparatus of claim 11, wherein the processor is further configured to:
    - if the authoritative user session has already been established in the service domain;
      
      permit or deny access by permitting, to the user device, access to the controlled network resource based on the ACL.
  - 13. The apparatus of claim 12, wherein the processor is configured to:
    - if the authoritative user session has already been established in the service domain;
      
      determine that an authoritative user device that established the authoritative user session has left the service area; and
      
      revoke the at least one permission to access the controlled network resource previously granted to the user session.
  - 14. The apparatus of claim 8, wherein the processor is further configured to:
    - receive a connection request at the computing device from the user device; and
      
      generate a session start request to start the user session.

15. A non-transitory computer readable storage media encoded with instructions that, when executed by a processor of a computing device, cause the processor to:
- establish, at a computing device, a user session in a service domain covering a service area to which the computing device provides a network service;
  
  determine whether an authoritative user session has already been established in the service domain;
  
  associate an access control list (ACL) to the user session;
  
  receive a request from a user device to access a controlled network resource; and
  
  based on whether the ACL defines at least one permission for access to the controlled network resource, permit or deny, to the user device, access to the controlled network resource.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer readable storage media of claim 15, wherein the instructions further cause the processor to:
    - if the authoritative user session has not already been established in the service domain;
      
      associate the ACL to the user session by associating an ACL that does not define the at least one permission to the user session.
  - 17. The non-transitory computer readable storage media of claim 16, wherein the instructions further cause the processor to:
    - if the authoritative user session has not already been established in the service domain;
      
      permit or deny access by denying, to the user device, access to the controlled network resource based on the ACL.
  - 18. The non-transitory computer readable storage media of claim 15, wherein the instructions further cause the processor to:
    - if the authoritative user session has already been established in the service domain;
      
      associate the ACL to the user session by associating an ACL that defines the at least one permission to the user session.
  - 19. The non-transitory computer readable storage media of claim 18, wherein the instructions further cause the processor to:
    - if the authoritative user session has already been established in the service domain;
      
      permit or deny access by permitting, to the user device, access to the controlled network resource based on the ACL.
  - 20. The non-transitory computer readable storage media of claim 19, wherein the instructions further cause the processor to:
    - if the authoritative user session has already been established in the service domain;
      
      determine that an authoritative user device that established the authoritative user session has left the service area; and
      
      revoke the at least one permission to access the controlled network resource previously granted to the user session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Wong, Pok Sze, Nampelly, Ramesh

Granted Patent

US 10,021,141 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 65/1066   Session management

H04L 65/1101   Session protocols

H04L 67/141   Setup of application sessio...

H04L 67/143   Termination or inactivation...

MANAGING NETWORK RESOURCE ACCESS USING SESSION CONTEXT

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

1 Citation

20 Claims

Specification

Solutions

Use Cases

Quick Links

MANAGING NETWORK RESOURCE ACCESS USING SESSION CONTEXT

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

1 Citation

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links