Publication number: US12238082B2
Publication date: 2025-02-25
Application number: US17510953
Filing date: 2021-10-26
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Feng Ding , Hao Lu , Mohan Ram R. Bhadravati
Abstract: Examples relate to configuring dynamic user roles that can be managed and distributed by a cloud-based user role service. In this way, dynamic user roles may be distributed in a more scalable manner than has previously been possible. Upon associating or connecting to an access point (AP), for example, a user device can be authenticated and assigned a user role. The AP can request the user role configuration from the cloud-based user role service. The cloud-based user role service can additionally distribute the same user role configuration/details to all neighboring APs. In this way, a user device can move, roam, or otherwise associate to another AP that, post-distribution, already has the (dynamic) user role configuration, which can simply be applied to the user device.
-
Publication number: US12244695B2
Publication date: 2025-03-04
Application number: US18050083
Filing date: 2022-10-27
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Ruiyao Yang , David Wilson , Zhou Wang , Youhe Zhang , Feng Ding
Abstract: A process includes accessing a first message that is sent from an access point device. The first message includes data representing a second message that is sent by a client device. The second message is part of an exchange of messages between the client device and the access point device associated with authentication of the client device and a derivation of a first key used to encrypt and decrypt data communicated between the client device and the access point device. The second message includes a first message integrity check value. The process includes identifying, based on the second message, a pre-shared key corresponding to the client device. The identification of the pre-shared key includes determining a second message integrity check value based on a candidate pre-shared key of a plurality of candidate pre-shared keys; comparing the second message integrity check value with the first message integrity check value; and, based on a result of the comparison, selecting that candidate pre-shared key as the pre-shared key. The process includes determining a user role based on the pre-shared key. The process includes causing a third message to be sent to the access point device, where the third message includes data representing the pre-shared key and data representing the user role.
-
Publication number: US11792718B2
Publication date: 2023-10-17
Application number: US17182058
Filing date: 2021-02-22
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Hao Lu , Xiaoding Shang , Feng Ding , Qiwei Chang
Abstract: Systems and methods are provided for authentication chaining and firewall optimization in a micro branch deployment comprising a plurality of chained access points (APs) and a gateway AP. A topology of the micro branch deployment may be determined through enhanced hierarchical beaconing. Based on the determined topology, an authentication chain is developed through which a client device associated to an AP of the plurality of chained APs may be authenticated and granted access to the AP. Upon authentication of the client device, firewall optimization is performed to implement access control rules only at the AP to which the client device is associated.
-
Publication number: US20240171975A1
Publication date: 2024-05-23
Application number: US18058308
Filing date: 2022-11-23
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
IPC: H04W12/069 , H04W12/041
CPC classification number: H04W12/069 , H04W12/041
Abstract: In some examples, as part of an authentication process for an electronic device when connecting to a first access point (AP), an authentication server generates a first key of a hierarchy of keys. The authentication server receives a request from a second AP, and generates a second key based on the first key, the second key being part of the hierarchy of keys. In response to the request, the authentication server distributes the second key from the authentication server to the second AP for use in data protection for communications between the second AP and the electronic device after the electronic device has transitioned from the first AP to the second AP.
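As an added example of the two-level key hierarchy this abstract describes (illustrative code, not the patent's or HPE's): the authentication server keeps the first key for each client and hands an AP only a second-level key bound to that AP's identity, so the AP a client roams to gets its own key on request and the first key never leaves the server. The derivation function (HKDF-Expand, RFC 5869, with HMAC-SHA256), the label strings, the AP allow-list, the identifiers and the session secret are assumptions chosen for illustration, not the patent's construction.

```python
"""Two-level key hierarchy held by an authentication server.

Added example, not HPE's or the patent's code. HKDF-Expand (RFC 5869) with
HMAC-SHA256 is assumed as the derivation function; labels, identifiers and the
session secret below are constructed for illustration.
"""
import hashlib
import hmac


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(prk, T(i-1) || info || i), concatenated."""
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out += block
        i += 1
    return out[:length]


class AuthServer:
    """Holds first-level keys; releases only per-AP second-level keys."""

    def __init__(self):
        self._first_keys = {}     # client_id -> first key (never leaves the server)
        self._known_aps = set()   # assumption: APs the server will derive keys for

    def register_ap(self, ap_id: bytes) -> None:
        self._known_aps.add(ap_id)

    def on_client_authenticated(self, client_id: bytes, ap_id: bytes,
                                session_secret: bytes) -> bytes:
        """Initial association with the first AP: derive the first key from the
        session secret (a constructed stand-in for the EAP MSK) and return the
        first AP's second-level key."""
        first = hkdf_expand(session_secret, b"first-key|" + client_id)
        self._first_keys[client_id] = first
        return self.key_for_ap(client_id, ap_id)

    def key_for_ap(self, client_id: bytes, ap_id: bytes) -> bytes:
        """Second-level key for (client, AP). The AP identity is bound into the
        label, so an AP holding its own key cannot compute another AP's key."""
        if ap_id not in self._known_aps:
            raise PermissionError(f"unknown AP {ap_id!r}")
        first = self._first_keys.get(client_id)
        if first is None:
            raise KeyError(f"client {client_id!r} has not authenticated")
        return hkdf_expand(first, b"ap-key|" + ap_id + b"|" + client_id)

    def on_roam_request(self, client_id: bytes, new_ap_id: bytes) -> bytes:
        """Request from the second AP after the client has transitioned to it."""
        return self.key_for_ap(client_id, new_ap_id)


def demo():
    """Constructed run: authenticate on ap-1, then ap-2 requests its own key."""
    srv = AuthServer()
    for ap in (b"ap-1", b"ap-2"):
        srv.register_ap(ap)
    client = b"aa:bb:cc:dd:ee:ff"
    k1 = srv.on_client_authenticated(client, b"ap-1", session_secret=b"\x11" * 64)
    k2 = srv.on_roam_request(client, b"ap-2")
    return k1, k2
```

The point of the layout is compartmentalisation: a compromised AP yields only the keys derived for that AP, and a request from an AP the server does not know is refused before any derivation happens. In a real deployment the server would also need to authenticate the requesting AP and tie the request to an actual transition of the client, which this sketch does not show.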
-
Publication number: US20240146512A1
Publication date: 2024-05-02
Application number: US18050083
Filing date: 2022-10-27
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Ruiyao Yang , David Wilson , Zhou Wang , Youhe Zhang , Feng Ding
CPC classification number: H04L9/0825 , H04L9/085 , H04L9/3242
Abstract: A process includes accessing a first message that is sent from an access point device. The first message includes data representing a second message that is sent by a client device. The second message is part of an exchange of messages between the client device and the access point device associated with authentication of the client device and a derivation of a first key used to encrypt and decrypt data communicated between the client device and the access point device. The second message includes a first message integrity check value. The process includes identifying, based on the second message, a pre-shared key corresponding to the client device. The identification of the pre-shared key includes determining a second message integrity check value based on a candidate pre-shared key of a plurality of candidate pre-shared keys; comparing the second message integrity check value with the first message integrity check value; and, based on a result of the comparison, selecting that candidate pre-shared key as the pre-shared key. The process includes determining a user role based on the pre-shared key. The process includes causing a third message to be sent to the access point device, where the third message includes data representing the pre-shared key and data representing the user role.
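The PSK identification step in this abstract (and in the granted version of the same application, US12244695B2, earlier on this page) as an added worked example, not code from the patent or from HPE: the service receives message 2 of the WPA2 4-way handshake from the AP, recomputes its MIC under each candidate PSK, keeps the candidate whose MIC matches, and returns that PSK with the role mapped to it. The WPA2-Personal derivations are the standard ones (PBKDF2-HMAC-SHA1 for the PMK, IEEE 802.11i PRF-384 for the PTK, HMAC-SHA1 truncated to 16 bytes for the key descriptor version 2 MIC); the SSID, MAC addresses, nonces, candidate passphrases, role names and the EAPOL-Key frame builder are constructed here for illustration.

```python
"""Identify which of several candidate PSKs a client used by recomputing the
WPA2 4-way handshake message 2 MIC under each candidate, then map it to a role.

Added example: not code from the patent or from HPE. Derivations follow
IEEE 802.11i / WPA2-Personal; all identifiers, nonces, passphrases and the
frame layout helper are constructed for illustration.
"""
import hashlib
import hmac

SSID = b"corp-iot"                        # constructed
AP_MAC = bytes.fromhex("0011223344aa")    # constructed authenticator address (AA)
STA_MAC = bytes.fromhex("66778899bbcc")   # constructed supplicant address (SPA)
ANONCE = bytes(range(32))                 # constructed
SNONCE = bytes(range(32, 64))             # constructed

# Candidate PSKs and the role each maps to (assumption: one passphrase per role)
CANDIDATES = {
    "camera-pass-2024": "cameras",
    "printer-pass-2024": "printers",
    "guest-pass-2024": "guest",
}

MIC_OFFSET = 81  # 4-byte EAPOL header + 77 bytes of key descriptor before the MIC


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf_384(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-384: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) < 48:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:48]


def derive_kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Key Confirmation Key: first 16 bytes of the PTK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_384(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, frame_mic_zeroed: bytes) -> bytes:
    """WPA2 (key descriptor version 2) MIC: HMAC-SHA1 over the frame, truncated to 16 bytes."""
    return hmac.new(kck, frame_mic_zeroed, hashlib.sha1).digest()[:16]


def build_message2(snonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """Constructed EAPOL-Key message 2 (RSN descriptor, pairwise, MIC bit set, no key data)."""
    body = (b"\x02"                        # descriptor type: RSN
            + b"\x01\x0a"                  # key info: version 2, pairwise, MIC
            + b"\x00\x00"                  # key length
            + (1).to_bytes(8, "big")       # replay counter
            + snonce                       # key nonce = SNonce
            + bytes(16) + bytes(8) + bytes(8)  # key IV, RSC, ID
            + mic
            + b"\x00\x00")                 # key data length
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v2, type Key


def split_mic(frame: bytes):
    """Return (frame with MIC field zeroed, received MIC) for a captured message 2."""
    mic = frame[MIC_OFFSET:MIC_OFFSET + 16]
    return frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:], mic


def identify_psk(frame_mic_zeroed, received_mic, candidates, aa, spa, anonce, snonce, ssid):
    """Try each candidate PSK; return (passphrase, role) whose MIC matches, else None."""
    for passphrase, role in candidates.items():
        kck = derive_kck(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, frame_mic_zeroed), received_mic):
            return passphrase, role
    return None


def demo(true_passphrase: str = "printer-pass-2024"):
    """Constructed run: the client used true_passphrase; the service must recover it."""
    kck = derive_kck(pmk_from_passphrase(true_passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    mic = eapol_mic(kck, build_message2(SNONCE))
    captured = build_message2(SNONCE, mic)        # what the AP forwards to the service
    zeroed, received = split_mic(captured)
    return identify_psk(zeroed, received, CANDIDATES, AP_MAC, STA_MAC, ANONCE, SNONCE, SSID)
```

Two practical points follow from the code. The cost is one PBKDF2 (4096 iterations) per candidate per handshake, so a service holding many PSKs should cache the PMK per (passphrase, SSID) rather than recomputing it; the nonces and addresses change per handshake but the PMK does not. And a "no match" outcome is the rejection path: it is what the service sees both for an unknown passphrase and for a tampered message 2, so the AP should not complete the handshake without a positive result.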
-
Publication number: US20220272614A1
Publication date: 2022-08-25
Application number: US17182058
Filing date: 2021-02-22
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Hao Lu , Xiaoding Shang , Feng Ding , Qiwei Chang
Abstract: Systems and methods are provided for authentication chaining and firewall optimization in a micro branch deployment comprising a plurality of chained access points (APs) and a gateway AP. A topology of the micro branch deployment may be determined through enhanced hierarchical beaconing. Based on the determined topology, an authentication chain is developed through which a client device associated to an AP of the plurality of chained APs may be authenticated and granted access to the AP. Upon authentication of the client device, firewall optimization is performed to implement access control rules only at the AP to which the client device is associated.