Dynamic download and enforcement of network access role based on network login context
Abstract
Systems and methods are described that configure network devices to dynamically (1) download privilege setting definitions from an authentication server to address a currently connected set of client devices associated with these privilege setting definitions and (2) clear privilege setting definitions that are no longer in use by client devices connected to the network device. In particular, a network device may determine if a privilege setting definition associated with a successfully authenticated client device is locally available on the network device and request the privilege setting definition from the authentication server when not locally available. In some situations, the authentication server may selectively transmit update messages to network devices that may be affected by an update to a privilege setting definition such that the network devices may request this updated privilege setting definition for download.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method of managing privilege setting definitions in a network system, comprising:
detecting, by an authentication server, an update from a first version of a privilege setting definition to a second version of the privilege setting definition; identifying a network device in the network system that currently utilizes the first version of the privilege setting definition to control communications by one or more connected client devices; and transmitting an update message to the identified network device, wherein the update message indicates that the second version of the privilege setting definition is available and provides information sufficient to cause the network device to request the second version of the privilege setting definition from the authentication server in a privilege setting definition request.
2 . The method of claim 1 , further comprising:
receiving, by the network device, the requested second version of the privilege setting definition from the authentication server, wherein the second version of the privilege setting definition includes a set of parameter values for controlling communications of the one or more client devices connected to the network device; and applying, by the network device, the set of parameter values to control communications of the one or more client devices.
3 . The method of claim 2 , wherein the set of parameter values includes one or more of an access control list (AGL), virtual local area network (VLAN) information, a voice over Internet Protocol (VoIP) setting, a firewall rule, and a quality of service (QoS) setting.
4 . The method of claim 2 , wherein at least one parameter value in the set of parameter values for the second version of the privilege setting definition is different than at least one parameter value in a set of parameters for the first version of the privilege setting definition.
5 . The method of claim 1 , further comprising:
receiving, by the network device, the requested second version of the privilege setting definition from the authentication server; and determining whether any client devices currently connected to the network device are also assigned the first version of the privilege setting definition; and in response to determining that the first version of the privilege setting definition is not assigned to any other client devices currently connected to the network device, deleting the privilege setting definition from local storage within the network device.
6 . The method of claim 5 , wherein the second and first versions of the privilege setting definition includes a set of parameter values for controlling access of the client device in the network system.
7 . The method of claim 6 , wherein the set of parameter values includes one or more of an access control list (AGL), virtual local area network (VLAN) information, a voice over Internet Protocol (VoIP) setting, a firewall rule, and a quality of service (QoS) setting.
8 . The method of claim 1 , wherein the update message is a Remote Authentication Dial In User Service (RADIUS) Change of Authorization (CoA) message.
9 . The method of claim 1 , further comprising:
maintaining a list of network devices and associated privilege setting definitions utilized by each network device to control client device communications using Remote Authentication Dial In User Service (RADIUS) Accounting, wherein the list is utilized to determine the network device in the network system that currently utilizes the first version of the privilege setting definition.
10 . A non-transitory computer readable medium comprising instructions stored thereon that when executed by one or more hardware processors of a network device operating in a network system, cause the network device to managing privilege setting definitions in a network system, the instructions to cause the network device to:
detect an update from a first version of a privilege setting definition to a second version of the privilege setting definition at an authentication server; identify a network device in the network system that currently utilizes the first version of the privilege setting definition to control communications by one or more connected client devices; and transmit an update message to the identified network device, wherein the update message indicates that the second version of the privilege setting definition is available and provides information sufficient to cause the network device to request the second version of the privilege setting definition from the authentication server in a privilege setting definition request.
11 . The non-transitory computer readable medium of claim 10 , further comprising instructions to cause the network device to:
receive the requested second version of the privilege setting definition from the authentication server, wherein the second version of the privilege setting definition includes a set of parameter values for controlling communications of the one or more client devices connected to the network device; and apply the set of parameter values to control communications of the one or more client devices.
12 . The non-transitory computer readable medium of claim 13 , wherein the set of parameter values includes one or more of an access control list (AGL), virtual local area network (VLAN) information, a voice over Internet Protocol (VoIP) setting, a firewall rule, and a quality of service (QoS) setting.
13 . The non-transitory computer readable medium of claim 13 , wherein at least one parameter value in the set of parameter values for the second version of the privilege setting definition is different than at least one parameter value in a set of parameters for the first version of the privilege setting definition.
14 . The non-transitory computer readable medium of claim 11 , wherein the update message is a Remote Authentication Dial In User Service (RADIUS) Change of Authorization (CoA) message.
15 . The non-transitory computer readable medium of claim 11 , further comprising instructions to cause the network device to:
maintain a list of network devices and associated privilege setting definitions utilized by each network device to control client device communications using Remote Authentication Dial In User Service (RADIUS) Accounting, wherein the list is utilized to determine the network device in the network system that currently utilizes the first version of the privilege setting definition.
16 . A network device comprising one or more hardware processors and a memory area storing instructions that, when executed by the one or more hardware processors, cause the network device to:
obtain an indication of an update from a first version of a privilege setting definition to a second version of the privilege setting definition at an authentication server; identify a different network device in the network system that currently utilizes the first version of the privilege setting definition to control communications by one or more connected client devices; and transmit an update message to the identified different network device, wherein the update message indicates that the second version of the privilege setting definition is available and provides information sufficient to cause the network device to request the second version of the privilege setting definition from the authentication server in a privilege setting definition request.
17 . The network device of claim 16 , wherein the memory area further stores instructions to cause the network device to:
receive the requested second version of the privilege setting definition from the authentication server, wherein the second version of the privilege setting definition includes a set of parameter values for controlling communications of the one or more client devices connected to the network device; and apply the set of parameter values to control communications of the one or more client devices.
18 . The network device of claim 17 , wherein the set of parameter values includes one or more of an access control list (AGL), virtual local area network (VLAN) information, a voice over Internet Protocol (VoIP) setting, a firewall rule, and a quality of service (QoS) setting.
19 . The network device of claim 17 , wherein at least one parameter value in the set of parameter values for the second version of the privilege setting definition is different than at least one parameter value in a set of parameters for the first version of the privilege setting definition.
20 . The network device of claim 16 , wherein the update message is a Remote Authentication Dial In User Service (RADIUS) Change of Authorization (CoA) message.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.