Managing Network Resource Access Using Session Context
    12.
    Invention application
    Managing Network Resource Access Using Session Context (in force)

    Publication number: US20170013016A1

    Publication date: 2017-01-12

    Application number: US14795264

    Application date: 2015-07-09

    CPC classification number: H04L63/20 H04L63/10 H04L65/1003

    Abstract: A computing device providing a network service to a service area may receive a connection request from a user device and generate a session start request to start a user session in a service domain covering the service area. One or more policy rules may be evaluated to determine whether any rule is applicable to the user device, which includes determining that an authoritative user session has already been established in the service domain. The user session may be established in the service domain for the user device, and at least one permission for access to a controlled network resource may be associated with the user session based on the determination that the authoritative user session has already been established. A request from the user device to access the controlled network resource may be received and access to the controlled network resource may be granted.

    Network access with dynamic authorization

    Publication number: US10171504B2

    Publication date: 2019-01-01

    Application number: US14817401

    Application date: 2015-08-04

    Abstract: In one embodiment, a method includes receiving at an enforcement node, a request to access a network from an endpoint, transmitting at the enforcement node, the access request to a policy server, receiving at the enforcement node from the policy server, a dynamic authorization comprising a plurality of ranks, each of the ranks comprising a policy for access to the network by the endpoint, assigning the endpoint to one of the ranks and applying the policy associated with the rank to traffic received from the endpoint at the enforcement node during a communication session between the endpoint and the network, assigning the endpoint to a different rank, and applying the policy associated with the rank to traffic received from the endpoint during the communication session. An apparatus and logic are also disclosed herein.

    Managing network resource access using session context

    Publication number: US10021141B2

    Publication date: 2018-07-10

    Application number: US15620033

    Application date: 2017-06-12

    Abstract: A computing device providing a network service to a service area may receive a connection request from a user device and generate a session start request to start a user session in a service domain covering the service area. One or more policy rules may be evaluated to determine whether any rule is applicable to the user device, which includes determining that an authoritative user session has already been established in the service domain. The user session may be established in the service domain for the user device, and at least one permission for access to a controlled network resource may be associated with the user session based on the determination that the authoritative user session has already been established. A request from the user device to access the controlled network resource may be received and access to the controlled network resource may be granted.

    MANAGING NETWORK RESOURCE ACCESS USING SESSION CONTEXT

    Publication number: US20170279856A1

    Publication date: 2017-09-28

    Application number: US15620033

    Application date: 2017-06-12

    CPC classification number: H04L63/20 H04L63/10 H04L65/1003

    Abstract: A computing device providing a network service to a service area may receive a connection request from a user device and generate a session start request to start a user session in a service domain covering the service area. One or more policy rules may be evaluated to determine whether any rule is applicable to the user device, which includes determining that an authoritative user session has already been established in the service domain. The user session may be established in the service domain for the user device, and at least one permission for access to a controlled network resource may be associated with the user session based on the determination that the authoritative user session has already been established. A request from the user device to access the controlled network resource may be received and access to the controlled network resource may be granted.

    Dynamic Control of Endpoint Profiling
    16.
    Invention application
    Dynamic Control of Endpoint Profiling (in force)

    Publication number: US20160366040A1

    Publication date: 2016-12-15

    Application number: US14734511

    Application date: 2015-06-09

    Abstract: A server is in communication with a network device that has network connectivity to an endpoint device. The server receives from the network device a packet that includes a Media Access Control (MAC) address of the endpoint device. A determination is made as to whether at least a portion of the MAC address matches stored information for MAC addresses of known endpoint devices. One or more attributes that carry further descriptive information of the endpoint device are extracted from the packet. It is determined whether the endpoint device can be classified at a level of granularity according to a policy rule. If the endpoint device cannot be classified at the level of granularity, a probe function is dynamically selected based on the one or more attributes extracted from the packet and the MAC address to collect additional data about the endpoint device.

    User notifications during computing network access
    17.
    Granted invention patent
    User notifications during computing network access (in force)

    Publication number: US08910250B2

    Publication date: 2014-12-09

    Application number: US13748893

    Application date: 2013-01-24

    CPC classification number: H04L63/105 H04L63/02 H04L63/08 H04L63/10

    Abstract: A notification is received that a network device in a computing network has blocked a service request directed towards a network resource of the computing network. A determination is made, based on authentication information associated with one or more of a network endpoint that transmitted the service request and a user at the network endpoint, as to whether the user should be notified of a reason that the network device blocked the service request. If it is determined that the user should be notified, a notification summarizing the reason that the network device blocked the service request is transmitted to the network endpoint.

    Authentication server with link state monitor and credential cache
    18.
    Granted invention patent
    Authentication server with link state monitor and credential cache (in force)

    Publication number: US08898757B2

    Publication date: 2014-11-25

    Application number: US13706963

    Application date: 2012-12-06

    CPC classification number: H04L63/0892 H04L9/32 H04L63/08 H04W12/06 H04W84/12

    Abstract: An example embodiment of the present invention provides processes relating to the authentication, by an authentication server, of a supplicant/user for access to a network. In one particular implementation, an authentication server receives a request for access from a supplicant, which request is forwarded to the authentication server by an authenticator that controls a port to the network. The authentication server scores various authentication methods, based on configured preferences, currently cached credentials, and the availability of a networked credential store as measured by a link-state monitor. The authentication server then negotiates an agreed authentication method with the supplicant, using a preferred order resulting from the scores. The authentication server receives forwarded credentials for the agreed authentication method from the supplicant and instructs the authenticator to give the supplicant access to the port, if the authentication server can verify the credentials against a credential store or a credential cache.
