公开(公告)号：US06892309B2

公开(公告)日：2005-05-10

申请号：US10071873

申请日：2002-02-08

申请人： James Richmond ,  Paula Jane Dunigan ,  David L. Kjendal ,  Steven A. Pettit

发明人： James Richmond ,  Paula Jane Dunigan ,  David L. Kjendal ,  Steven A. Pettit

IPC分类号： H04L12/46 ,  H04L29/06 ,  H04L9/00 ,  G06F15/16

CPC分类号： H04L63/0218 ,  H04L12/4641 ,  H04L63/0227 ,  H04L63/08 ,  H04L63/0815 ,  H04L63/102

摘要： A user's usage of network resources is controlled, after the user has been authenticated, without using any network resources beyond the user's entry point to the network. Packet rules may be provisioned to the user's entry point to the network, and the packet rules may be applied to each packet received from the user before any network resources beyond the entry point are used. These packet rules may be associated with an identity of the user and then provisioned to the user's entry point in response to the user being authenticated. Usage of network resources of a communications network by a user beyond a network device of the communications network that serves as the user's entry point to the communications network is controlled. The port module of the network device is configured with one or more packet rules corresponding to an identity of the user. A packet is received from a device used by the user at the port module, and, before using any of the network resources beyond the network device, the one or more packet rules are applied to the received packet. Another embodiment is provided for controlling usage of network resources of a communications network by a user. The user has an assigned role with respect to the communications network, and the assigned role is associated with one or more packet rules, each packet rule including a condition and action to be taken if a packet received at a device satisfies the condition. A packet including identification information of the user is received from a device of the user at a port module of a network device. The assigned role of the user is determined based on the identification information, and the port module is configured with the one or more packet rules associated with the assigned role of the user.

摘要翻译： 在用户被认证之后，用户对网络资源的使用情况进行控制，而不使用超出用户进入网络的任何网络资源。 可以将分组规则提供给用户对网络的入口点，并且可以在使用超出入口点的任何网络资源之前将分组规则应用于从用户接收的每个分组。 这些分组规则可以与用户的身份相关联，然后响应于用户被认证而被提供给用户的入口点。 控制通过用户进入通信网络的通信网络的网络设备之外的用户使用通信网络的网络资源。 网络设备的端口模块配置有与用户身份相对应的一个或多个分组规则。 从用户在端口模块使用的设备接收到分组，并且在使用网络设备之外的任何网络资源之前，将一个或多个分组规则应用于所接收的分组。 提供了另一个实施例，用于控制用户对通信网络的网络资源的使用。 用户相对于通信网络具有分配的角色，并且所分配的角色与一个或多个分组规则相关联，每个分组规则包括如果在设备处接收的分组满足条件，则要采取的条件和动作。 在网络设备的端口模块处从用户的设备接收到包括用户的标识信息的分组。 基于识别信息确定用户的分配角色，并且将端口模块配置为与用户的分配角色相关联的一个或多个分组规则。

公开(公告)号：US06990592B2

公开(公告)日：2006-01-24

申请号：US10251140

申请日：2002-09-20

申请人： James Richmond ,  David L. Kjendal

发明人： James Richmond ,  David L. Kjendal

IPC分类号： H04L9/00 ,  G06F15/16

CPC分类号： H04L63/0218 ,  H04L12/4641 ,  H04L63/0227 ,  H04L63/0263 ,  H04L63/08 ,  H04L63/0815 ,  H04L63/102

摘要： Controlling a user's usage of network resources, after the user has been authenticated, without using any network resources beyond the user's entry point to the network. A plurality of users may be connected to an entry point of a network of a network device by a shared transmission medium. Each users' usage of network resources is controlled, after such user has been authenticated, without using any network resources beyond such user's entry point to the network. For each one or more users, packet rules may be provisioned to the user's entry point to the network, where such entry point may be shared with other users. The packet rules may be applied to each packet received from the user before any network resources beyond the entry point are used. These packet rules may be associated with an identity of the user and then provisioned to the user's entry point in response to the user being authenticated. If a plurality of users are connected to an entry point by a shared transmission medium, packet rules associated with the users may be provisioned to the entry point and applied to packets received from the users before any network resources beyond the entry point are used. Such packet rules may be provisioned to a number of network entry devices and may serve as a distributed firewall for users of a network, as opposed to a centralized firewall. An entry port module of a network entry device may be configured based on an identity of one or more users as a result of the authentication of the one or more users, respectively, and each packet received from each user may be examined to control usage of network resources by the user.