Location-based access control in a data network

US 8,972,589 B2
Filed: 02/28/2003
Issued: 03/03/2015
Est. Priority Date: 03/01/2002
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

establishing a network connection with a network infrastructure by a client device;

identifying location sensitive data which requires at least one access parameter to access the location sensitive data, wherein the location sensitive data is located on the client device, and wherein the at least one access parameter is based on a physical location and defines a region of allowed use;

receiving location information of the client device from a source providing the location information, wherein the source providing the location information is separate from the client device;

determining that a level of trustworthiness of the source providing the location information is below a predefined threshold;

determining, at least in part by one or more packet relaying devices, a first physical location of the client device without trusting the location information provided by the source based upon, at least in part, determining that the level of trustworthiness of the source is below a threshold, and wherein the first physical location is within the region of allowed use;

generating, by a network infrastructure device, a first set of access parameters based, at least in part, on the first physical location determined without trusting the location information provided by the source;

transmitting the first set of access parameters to the client device, wherein the client device is at the determined first physical location;

enabling the client device to access the location sensitive data by utilizing, at least in part, the first set of access parameters;

receiving, at subsequent intervals of time, the location information of the client device from the source providing the location information;

determining, at least in part by one or more packet relaying devices, one or more subsequent physical locations of the client device without trusting the location information provided by the source based upon, at least in part, determining that the level of trustworthiness of the source is below the threshold, and wherein the one or more subsequent physical locations are within the region of allowed use;

generating, by a network infrastructure device, a second set of access parameters based, at least in part, on the one or more subsequent physical locations determined without trusting the location information provided by the source;

transmitting the second set of access parameters to the client device, wherein the client device is at the one or more determined subsequent physical locations;

enabling the client device to maintain access to the location sensitive data by utilizing, at least in part, the second set of access parameters;

determining, at least in part by one or more packet relaying devices, whether the client device is outside the region of allowed use; and

denying access to the location sensitive data on the client device, if the client device is determined to be outside the region of allowed use.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A request for network access is received from a client device at a network entry device of a network infrastructure. The network infrastructure determines a physical location of the client device and determines authorization of the client device based on the physical location. The approach can include providing the physical location along with other user credentials to an authorizing device. The method can also include determining a level of service based on the physical location. Communication for the approach can make use of the IEEE 802.1X protocol.

235 Citations

20 Claims

1. A method comprising:
- establishing a network connection with a network infrastructure by a client device;
  
  identifying location sensitive data which requires at least one access parameter to access the location sensitive data, wherein the location sensitive data is located on the client device, and wherein the at least one access parameter is based on a physical location and defines a region of allowed use;
  
  receiving location information of the client device from a source providing the location information, wherein the source providing the location information is separate from the client device;
  
  determining that a level of trustworthiness of the source providing the location information is below a predefined threshold;
  
  determining, at least in part by one or more packet relaying devices, a first physical location of the client device without trusting the location information provided by the source based upon, at least in part, determining that the level of trustworthiness of the source is below a threshold, and wherein the first physical location is within the region of allowed use;
  
  generating, by a network infrastructure device, a first set of access parameters based, at least in part, on the first physical location determined without trusting the location information provided by the source;
  
  transmitting the first set of access parameters to the client device, wherein the client device is at the determined first physical location;
  
  enabling the client device to access the location sensitive data by utilizing, at least in part, the first set of access parameters;
  
  receiving, at subsequent intervals of time, the location information of the client device from the source providing the location information;
  
  determining, at least in part by one or more packet relaying devices, one or more subsequent physical locations of the client device without trusting the location information provided by the source based upon, at least in part, determining that the level of trustworthiness of the source is below the threshold, and wherein the one or more subsequent physical locations are within the region of allowed use;
  
  generating, by a network infrastructure device, a second set of access parameters based, at least in part, on the one or more subsequent physical locations determined without trusting the location information provided by the source;
  
  transmitting the second set of access parameters to the client device, wherein the client device is at the one or more determined subsequent physical locations;
  
  enabling the client device to maintain access to the location sensitive data by utilizing, at least in part, the second set of access parameters;
  
  determining, at least in part by one or more packet relaying devices, whether the client device is outside the region of allowed use; and
  
  denying access to the location sensitive data on the client device, if the client device is determined to be outside the region of allowed use.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein one or more of transmitting the first set of access parameters and transmitting the second set of access parameters further comprises determining authorization.
  - 3. The method of claim 1 wherein one or more of transmitting the first set of access parameters and transmitting the second set of access parameters further comprises providing one of the first physical location and the subsequent physical location along with other user credentials to an authorized device.
  - 4. The method of claim 1 wherein the first set of access parameters and the second set of access parameters further comprises determining a level of access based on the level of trustworthiness of the source.
  - 5. The method of claim 1 wherein one or more of transmitting the first set of access parameters and transmitting the second set of access parameters further comprises authorizing a user associated with the client device if the level of trustworthiness of the source is above the predefined threshold.
  - 6. The method of claim 1 wherein one or more of transmitting the first set of access parameters and transmitting the second set of access parameters further comprises communicating in accordance with IEEE 802.1X.
  - 7. The method of claim 1 wherein the subsequent physical location is different from the first physical location.
  - 8. The method of claim 1 wherein the subsequent physical location is the same as the first physical location.
  - 9. The method of claim 1 wherein the first set of access parameters and the second set of access parameters comprise, at least in part, an encryption key.

10. A system comprising:
- one or more packet relaying devices, each packet relaying device comprising a processor and a memory, the one or more packet relaying devices configured to;
  
  establish a network connection with a network infrastructure by a client device;
  
  identify location sensitive data which requires at least one access parameter to access the location sensitive data, wherein the location sensitive data is located on the client device, and wherein the at least one access parameter is based on a physical location and defines a region of allowed use;
  
  receive location information of the client device from a source providing the location information, wherein the source providing the location information is separate from the client device;
  
  determine that a level of trustworthiness of the source providing the location information is below a predefined threshold;
  
  determine a first physical location of the client device without trusting the location information provided by the source based upon, at least in part, determining that the level of trustworthiness of the source is below a threshold, and wherein the first physical location is within the region of allowed use;
  
  generate a first set of access parameters based, at least in part, on the first physical location determined without trusting the location information provided by the source;
  
  transmit the first set of access parameters to the client device, wherein the client device is at the determined first physical location;
  
  receive, at subsequent intervals of time, the location information of the client device from the source providing the location information;
  
  determine one or more subsequent physical locations of the client device without trusting the location information provided by the source based upon, at least in part, determining that the level of trustworthiness of the source is below the threshold, and wherein the one or more subsequent physical locations are within the region of allowed use;
  
  if the subsequent physical location of the client device necessitates a second set of access parameters;
  
  generate the second set of access parameters based, at least in part, on the one or more subsequent physical locations determined without trusting the location information provided by the source;
  
  transmit the second set of access parameters to the client device, wherein the client device is at the one or more determined subsequent physical locations;
  
  enable the client device to maintain access to location sensitive data in accordance with one of the first set of access parameters and the second set of access parameters;
  
  determine whether the client device is outside the region of allowed use;
  
  anddeny access to the location sensitive data on the client device if the client device is determined to be outside the region of allowed use.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The system of claim 10 wherein the one or more packet relaying devices are further configured to determine a level of access based on the level of trustworthiness of the source.
  - 12. The system of claim 10 wherein the one or more packet relaying devices are further configured to authorize a user associated with the client device if the level of trustworthiness of the source is above the predefined threshold.
  - 13. The system of claim 10 wherein at least one of the one or more packet relaying devices are further configured to communicate in accordance with IEEE 802.1X.
  - 14. The system of claim 10 wherein the subsequent physical location is different from the first physical location.
  - 15. The system of claim 10 wherein the subsequent physical location is the same as the first physical location.
  - 16. The system of claim 10 wherein the first set of access parameters and the second set of access parameters comprise, at least in part, an encryption key.

17. An article of manufacture comprising a non-transitory machine-readable medium that stores executable instruction signals that cause a machine to perform operations comprising:
- establishing a network connection with a network infrastructure by a client device;
  
  identifying location sensitive data which requires at least one access parameter to access the location sensitive data, wherein the location sensitive data is located on the client device, and wherein the at least one access parameter is based on a physical location and defines a region of allowed use;
  
  receiving location information of the client device from a source providing the location information, wherein the source providing the location information is separate from the client device;
  
  determining that a level of trustworthiness of the source providing the location information is below a predefined threshold;
  
  determining a first physical location of the client device without trusting the location information provided by the client device source based upon, at least in part, determining that the level of trustworthiness of the source is below a threshold, and wherein the first physical location is within the region of allowed use;
  
  generating a first set of access parameters based, at least in part, on the first physical location determined without trusting the location information provided by the source;
  
  transmitting the first set of access parameters to the client device, wherein the client device is at the determined first physical location;
  
  receiving, at subsequent intervals of time, the location information of the client device from the source providing the location information;
  
  determining one or more subsequent physical locations of the client device without trusting the location information provided by the source based upon, at least in part, determining that the level of trustworthiness of the source is below the threshold, and wherein the one or more subsequent physical locations are within the region of allowed use;
  
  if the subsequent physical location of the client device necessitates a second set of access parameters;
  
  generating the second set of access parameters based, at least in part, on the one or more subsequent physical locations determined without trusting the location information provided by the source;
  
  transmitting the second set of access parameters to the client device, wherein the client device is at the one or more determined subsequent physical locations;
  
  enabling the client device to maintain access to location sensitive data in accordance with one of the first set of access parameters and the second set of access parameters;
  
  determining whether the client device is outside the region of allowed use;
  
  anddenying access to the location sensitive data on the client device if the client device is determined to be outside the region of allowed use.
- View Dependent Claims (18, 19, 20)
- - 18. The article of claim 17 wherein the subsequent physical location is different from the first physical location.
  - 19. The article of claim 17 wherein the subsequent physical location is the same as the first physical location.
  - 20. The article of claim 17 wherein the first set of access parameters and the second set of access parameters comprise, at least in part, an encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
Enterasys Networks Incorporated (Extreme Networks, Inc.)
Inventors
Harrington, David, Frattura, David, Graham, Richard W., Roese, John J.
Primary Examiner(s)
TODD, GREGORY G

Application Number

US10/377,012
Publication Number

US 20030217122A1
Time in Patent Office

4,386 Days
Field of Search

726/4, 726/3, 726/29, 726/30, 709/229, 709/219, 709/225, 709/220, 709/223, 4554561-4566, 701/485
US Class Current

709/229
CPC Class Codes

G01S 5/02   using radio waves using sat...

H04L 41/0213   Standardised network manage...

H04L 41/12   Discovery or management of ...

H04L 61/10   of different types

H04L 63/02   for separating internal fro...

H04L 63/0492   by using a location-limited...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/104   Grouping of entities

H04L 63/107   wherein the security polici...

H04L 63/126   the source of the received ...

H04L 67/04   specially adapted for termi...

H04L 67/51   Discovery or management the...

H04L 67/52   specially adapted for the l...

H04L 67/63   Routing a service request d...

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

H04W 4/02   Services making use of loca...

H04W 4/029   Location-based management o...

H04W 4/20   Services signaling; Auxilia...

H04W 4/50 : Service provisioning or rec...

H04W 64/00 : Locating users or terminals...

H04W 8/26 : Network addressing or numbe...

Y10S 707/99932 : Access augmentation or opti...

Y10S 707/99939 : Privileged access

View All

Location-based access control in a data network

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

235 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Location-based access control in a data network

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

235 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links