CN113785606A - Network device and method for policy-based wireless network access - Google Patents
- Publication number
- CN113785606A
- Authority
- CN
- China
- Prior art keywords
- wireless network
- network
- network device
- service
- client
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
- H04W12/086—Access security using security domains
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The present invention relates to the field of wireless computer networks, and in particular, to a network device and corresponding method for policy-based wireless network access. Accordingly, the present invention provides a network device (100) for policy-based wireless network (101) access, wherein the network device (100) is configured to: obtain a unique identifier (102) of a wireless network client (103); determine at least one authorization service (104) based on the unique identifier (102) and a policy (105); create a virtual subnet (106) that can access the at least one authorization service (104); and assign the wireless network client (103) to the virtual subnet (106).
Description
Technical Field
The present invention relates to the field of wireless computer networks, and in particular, to a network device and corresponding method for policy-based wireless network access. In other words, the present invention relates to policy-based wireless access to a restricted service set.
Background
In conventional wireless computer networks, a Service Set Identifier (SSID) is a name associated with a wireless computer network (e.g., a Wireless Local Area Network (WLAN)). When a traditional wireless network client intends to join a wireless computer network, it does so using the SSID associated with that network. Once the client has joined, the entire network topology of the wireless computer network is exposed to it. In particular, all services provided in the wireless computer network are visible to connected legacy wireless network clients. Traditional service access restrictions may be implemented, for example, by using a dedicated portal with service links, or by using dual or complex (e.g., token-based) authentication. Using a security portal may require several steps, and access restrictions are based on network filtering rules (e.g., firewalls). Furthermore, in conventional wireless computer networks, different legacy network devices (e.g., Access Points (APs)) named by the same SSID are mapped to different subnets, which is why a legacy wireless network client is provided with different sets of services according to the AP to which it is connected. This is shown, for example, in Fig. 5.
Conventional solutions lack the dynamic services provided at the device local subnet. Policy enforcement is implemented by a firewall that restricts the network view of a traditional wireless network client through a set of rules. Conventional wireless network clients can still observe the presence of a service, but are prevented from connecting to it by the firewall. It is desirable, however, that only allowed services be visible and accessible.
The conventional scheme also does not support roaming of conventional wireless network clients. Currently, service separation is achieved in two ways:
1. A WPA pre-shared password based security scheme is configured on a wireless network. One service set is configured on site A and a different service set is configured on site B. Devices roaming from one site to another will access different sets of services. On the same site, this separation is not feasible for non-identity based authentication (e.g., pre-shared passwords).
2. A WPA enterprise-based security scheme is configured on a wireless network. A conventional wireless network client will access the service set according to the domain group to which it belongs, without being associated with a specific station. This separation is achieved by providing traditional wireless network clients to specific VLAN groups, where the policy is enforced by the firewall.
Thus, there is a lack of a scheme that can isolate wireless network clients connected to a wireless network while using a single SSID in an efficient and effective manner.
Disclosure of Invention
In view of the above problems and disadvantages, the present invention is directed to improving conventional network devices. The present invention is specifically able to determine which authorized service a wireless network client may access based on the unique identifier of the wireless network client and a policy. This may be done for several wireless network clients accessing a wireless network provided by a single SSID.
To do so, wireless network clients attempting to connect to the wireless network must be policy authenticated. This may be accomplished, for example, through Public Key Infrastructure (PKI) certificates. After successful authorization on the network device, authorization and policy enforcement will be triggered and a subnet assigned to the wireless network client is created.
The topology of the wireless network provided by the network device is thereby hidden. Furthermore, no modifications to the wireless network client are required. The applications running on the wireless network client are independent of the solution, so no application modifications are required. The scheme also enables flat service discovery, that is, only the services allowed for the wireless network client exist in the subnet allocated to it. Furthermore, the present invention allows policy-based security enforcement, such as at the Domain Name System (DNS) request level, or when connecting to a service.
The object of the invention is achieved by the solution presented in the appended independent claims. Advantageous implementations of the invention are further defined in the dependent claims.
A first aspect of the present invention provides a network device for policy-based wireless network access, wherein the network device is configured to: acquiring a unique identifier of a wireless network client; determining at least one authorized service based on the unique identifier and a policy; creating a virtual subnet that can access the at least one authorized service; assigning the wireless network client to the virtual subnet.
This is advantageous because each wireless network client may be provisioned and tuned with a policy to a set of authorized services accessible to the network device, where the entire wireless network may be provisioned in a common manner (e.g., over only one SSID).
In particular, the authorization service may include any network service that is not affected by NAT traversal.
In particular, the authorization service is a service that the wireless network client is authorized to use. In particular, the network client is authorized according to a policy.
In one implementation of the first aspect, the virtual subnet has exclusive access to the at least one authorized service.
This may ensure that the virtual subnet restricts access to authorized services in a secure manner. An accessible authorized service may be selected based on the policy and the unique identifier; for example, other services may be excluded from the accessible services.
In another implementation of the first aspect, the unique identifier comprises a passphrase in combination with at least one of: a device unique ID or username; or a certificate.
In particular, the certificate is a Public Key Infrastructure (PKI) certificate.
In another implementation form of the first aspect, the network device is configured to provision the wireless network based on a network identifier to enable the wireless network client to access the virtual subnet.
Specifically, the network identifier may be a Service Set Identifier (SSID).
In another implementation manner of the first aspect, the network device is configured to create a different virtual subnet for each wireless network client accessing the wireless network according to the policy.
In other words, a different virtual subnet for each wireless network client is created according to the policy.
In another implementation of the first aspect, each of the different virtual subnets is created according to the unique identifier of the respective wireless network client and the policy.
In another implementation of the first aspect, the policy is predefined indicating that the at least one authorized service corresponds to the unique identifier.
In another implementation of the first aspect, the network identifier of the wireless network is the same for all wireless network clients accessing the wireless network.
In another implementation form of the first aspect, the virtual subnets are virtual subnets in an isolated network.
Specifically, the isolated network is an independent L2 broadcast domain. In particular, the subnet or virtual subnet is an L3 domain (i.e., a network layer domain).
This is advantageous because the same subnet address range can be used within multiple independent networks. It is an advantage that this scheme supports address overlap between different virtual subnets assigned to different wireless network clients.
In another implementation form of the first aspect, only the wireless network clients assigned to the virtual subnets of the isolated independent network may access the virtual subnets.
In particular, no other client (e.g., other wireless network clients) can access the independent isolated network. An independent isolated network may also be referred to as an independent virtual subnet. However, at least one authorization service provided to the wireless network client may access the independent isolated network to communicate with the wireless network client.
In another implementation form of the first aspect, the network device is further configured to provide a service discovery function to the wireless network client.
This ensures that the wireless network client can identify at least one authorized service in the virtual subnet that is provided to the wireless network client.
In another implementation form of the first aspect, the service discovery function provides a service identifier of the at least one authorized service to the wireless network client.
In particular, the service identifier may include an address (e.g., an IPv4 or IPv6 address), a port, or a protocol of at least one authorized service.
In another implementation form of the first aspect, the service identifier provided to the wireless network client is associated with the virtual subnet assigned to the wireless network client.
In particular, the service identifier is associated with a domain of the virtual subnet (e.g., an address range of the virtual subnet).
In another implementation of the first aspect, the at least one authorization service operates in a network different from the virtual subnet assigned to the wireless network client.
This ensures that the authorization service can operate in a different network or subnet than the virtual subnet, while the wireless network client can still access the authorization service.
In another implementation form of the first aspect, the network device further comprises a communication module that can communicate with the at least one authorized service provided in a network different from the virtual subnet through the service identifier associated with the virtual subnet.
In particular, the communication module includes address routing or address remapping.
In another implementation manner of the first aspect, the network device is an Access Point (AP).
A second aspect of the present invention provides a method for policy-based wireless network access, wherein the method comprises the steps of: the network device acquiring a unique identifier of a wireless network client; the network device determining at least one authorized service based on the unique identifier and a policy; the network device creating a virtual subnet that can access the at least one authorized service; and the network device assigning the wireless network client to the virtual subnet.
In particular, the authorization service may include any network service that is not affected by NAT traversal.
In particular, the authorization service is a service that the wireless network client is authorized to use. In particular, the network client is authorized according to a policy.
In one implementation of the second aspect, the virtual subnet has exclusive access to the at least one authorized service.
In another implementation of the second aspect, the unique identifier comprises a passphrase in combination with at least one of: a device unique ID or username; or a certificate.
In particular, the certificate is a Public Key Infrastructure (PKI) certificate.
In another implementation of the second aspect, the method further includes the network device providing the wireless network according to a network identifier to enable the wireless network client to access the virtual subnet.
Specifically, the network identifier may be a Service Set Identifier (SSID).
In another implementation of the second aspect, the method further includes: the network device creating a different virtual subnet for each wireless network client accessing the wireless network according to the policy.
In other words, a different virtual subnet for each wireless network client is created according to the policy.
In another implementation of the second aspect, each of the different virtual subnets is created according to the unique identifier of the respective wireless network client and the policy.
In another implementation of the second aspect, the policy is predefined indicating that the at least one authorized service corresponds to the unique identifier.
In another implementation of the second aspect, the network identifier of the wireless network is the same for all wireless network clients accessing the wireless network.
In another implementation form of the second aspect, the virtual subnets are virtual subnets in an isolated network.
Specifically, the isolated network is an independent L2 broadcast domain. In particular, the subnet or virtual subnet is an L3 domain (i.e., a network layer domain).
In another implementation of the second aspect, only the wireless network clients assigned to the virtual subnets of the isolated independent network may access the virtual subnets.
In particular, no other client (e.g., other wireless network clients) can access the independent isolated network. An independent isolated network may also be referred to as an independent virtual subnet. However, at least one authorization service provided to the wireless network client may access the independent isolated network to communicate with the wireless network client.
In another implementation manner of the second aspect, the method further includes: the network device provides a service discovery function to the wireless network client.
In another implementation of the second aspect, the service discovery function provides the wireless network client with a service identifier of the at least one authorized service.
In particular, the service identifier may include an address (e.g., an IPv4 or IPv6 address), a port, or a protocol of at least one authorized service.
In another implementation of the second aspect, the service identifier provided to the wireless network client is associated with the virtual subnet assigned to the wireless network client.
In particular, the service identifier is associated with a domain of the virtual subnet (e.g., an address range of the virtual subnet).
In another implementation of the second aspect, the at least one authorization service operates in a network different from the virtual subnet assigned to the wireless network client.
In another implementation of the second aspect, the method further includes the communication module of the network device communicating with the at least one authorized service provided in a network different from the virtual subnet through a service identifier associated with the virtual subnet.
In particular, the communication module includes address routing or address remapping.
In another implementation manner of the second aspect, the network device is an Access Point (AP).
The second aspect and its implementations comprise the same advantages as the first aspect and its respective implementations.
It should be noted that all devices, elements, units and modules described in the present application may be implemented in software or hardware elements or any type of combination thereof. All steps performed by the various entities described in the present application, as well as the functions described to be performed by the various entities, are intended to indicate that the respective entities are adapted or used to perform the respective steps and functions. Although in the following description of specific embodiments specific functions or steps performed by an external entity are not reflected in the description of specific elements of the entity performing the specific steps or functions, it should be clear to a skilled person that these methods and functions may be implemented in corresponding hardware elements or software elements or any type of combination thereof.
Drawings
The following description of specific embodiments, taken in conjunction with the accompanying drawings, sets forth the above-described aspects of the invention and the manner of attaining them.
Fig. 1 is a schematic diagram of a network device provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram illustrating an operation manner of a network device according to an embodiment of the present invention;
Fig. 3 is another schematic diagram illustrating an operation manner of a network device according to an embodiment of the present invention;
Fig. 4 shows a schematic diagram of a method provided by an embodiment of the invention;
Fig. 5 illustrates the operating principle of a network device provided by the prior art.
Detailed Description
Fig. 1 illustrates a network device 100 for policy-based wireless network 101 access. Network device 100 may be, for example, an AP, or a router including an AP. Wireless network 101 may be, for example, a WLAN. The network device 100 is configured to: acquiring a unique identifier 102 of a wireless network client 103; determining at least one authorization service 104 based on the unique identifier 102 and based on the policy 105; creating a virtual subnet 106 that can access at least one authorization service 104; the wireless network client 103 is assigned to a virtual subnet 106. The policies 105 may be pre-stored in the network device and may indicate which services 104 are provided to which wireless network clients 103.
Fig. 2 shows a schematic diagram of the manner in which network device 100 operates. As shown in fig. 2, network device 100 may implement a flattened view of services enabled in wireless network 101.
As shown in Fig. 2, a wireless network client 103 wirelessly connects to a network device 100 (e.g., an AP) associated with an SSID by submitting a unique identifier 102 (e.g., credentials or certificates). The network device 100 provides an independent, uniquely identified subnet 106 to the authenticated wireless network client 103. No other client can access the subnet 106 unless the subnet is explicitly exposed to the other clients. The subnet 106 cannot be routed directly from the network device 100. The Classless Inter-Domain Routing (CIDR) address ranges of such subnets may overlap.
Specifically, the network device 100 may provide the IP address of the subnet 106 and/or the wireless network client 103 by using a Dynamic Host Configuration Protocol (DHCP). Using DHCP, network device 100 may also provide a local DNS address and/or a local domain for service discovery. This allows the host name to be resolved to the local subnet address. This may also limit the network view of the wireless network client 103 to authorized services only. Service discovery is based on a "white list", specifically based on the unique identifier 102 of the wireless network client 103.
To map a service (accessible to network device 100) to subnet 106, where the service is accessible only by authorized wireless network clients 103, the following service forwarding rules apply:
The wireless network client 103 connects to the authorization service 104 using the local standalone IP address of the authorization service 104 (from subnet 106).
To implement forwarding of egress packets, network device 100 converts the destination IP of the packet to a routable service IP. The source IP address may be tracked using a Network Address Translation (NAT) connection. To implement forwarding of ingress packets, the reverse translation is applied.
Fig. 3 shows another schematic diagram of the manner in which network device 100 operates. Specifically, the following steps are performed in the operational manner shown in fig. 3:
1. The wireless network client 103 (i.e., the client device in Fig. 3) connects to the network device 100 (i.e., the access point in Fig. 3) using predefined connection settings.
2. The network device 100 authenticates the wireless network client 103, for example, by delegating the authentication session to an external AAA server and/or by using an internally implemented WPA enterprise backend.
3. In accordance with policies 105, network device 100 obtains a list of allowed services from the enterprise service domain, provides a separate subnet 106 for wireless client 103, adds service discovery endpoints to the subnet, and populates information about all allowed services. In addition, the network device 100 adds a local logical port for each allowed service 104 on that subnet 106. All logical ports may be Software Defined Network (SDN) ports, and network traffic to and from the logical ports may be intercepted and modified by SDN controlled switches. The logical ports create the illusion of a limited and well-defined network topology from the perspective of the wireless network client 103.
4. Network device 100 returns the service discovery domain (SSDP/DNS-SD), subnet 106, and its local IP address to wireless network client 103.
5. The wireless network client 103 issues a service discovery request to the local discovery service 201. The wireless network client obtains a response with locally mapped service information (address, port and protocol).
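The admission steps and the forwarding rules described above can be modelled in a few lines. This is an added example, not code from the patent: the policy entries, service endpoints, the 192.168.50.0/28 range, the class names and the source NAT to an uplink address are all assumptions chosen for illustration.

```python
"""Toy model of per-client virtual subnets with allow-listed discovery and NAT."""
import ipaddress
from dataclasses import dataclass, field

# Constructed policy (105): unique identifier (102) -> authorized service names (104).
POLICY = {
    "cert:alice-laptop": ["printer", "wiki"],
    "cert:bob-phone": ["wiki"],
}
# Constructed routable service endpoints living outside the virtual subnets.
SERVICES = {
    "printer": ("10.20.0.15", 631, "tcp"),
    "wiki": ("10.30.0.8", 443, "tcp"),
    "payroll": ("10.40.0.2", 443, "tcp"),
}
# Assumption: every client gets the same CIDR. Each subnet is its own isolated
# L2 domain, so overlapping address ranges do not collide.
CLIENT_CIDR = ipaddress.ip_network("192.168.50.0/28")
UPLINK_IP = "10.0.0.1"  # assumption: the device's own routable address


@dataclass
class VirtualSubnet:
    client_id: str
    discovery_ip: str   # local discovery/DNS endpoint handed out via DHCP
    client_ip: str
    services: dict = field(default_factory=dict)  # name -> (local_ip, port, proto)
    dnat: dict = field(default_factory=dict)      # (local_ip, port, proto) -> (real_ip, port)

    def discover(self):
        """Discovery answer: only allow-listed services, at subnet-local addresses."""
        return dict(self.services)


class NetworkDevice:
    def __init__(self):
        self.subnets = {}
        self.conntrack = {}      # NAT port -> tracked flow
        self._next_port = 40000

    def admit(self, client_id):
        """Policy lookup, subnet creation and one logical port per allowed service."""
        allowed = POLICY.get(client_id)
        if allowed is None:
            raise PermissionError(f"no policy entry for {client_id}")
        hosts = iter(CLIENT_CIDR.hosts())
        subnet = VirtualSubnet(client_id, str(next(hosts)), str(next(hosts)))
        for name in allowed:
            real_ip, port, proto = SERVICES[name]
            local_ip = str(next(hosts))
            subnet.services[name] = (local_ip, port, proto)
            subnet.dnat[(local_ip, port, proto)] = (real_ip, port)
        self.subnets[client_id] = subnet
        return subnet

    def egress(self, client_id, src_port, dst_ip, dst_port, proto):
        """Rewrite a client packet: local service address -> routable service address."""
        subnet = self.subnets[client_id]
        real = subnet.dnat.get((dst_ip, dst_port, proto))
        if real is None:
            return None  # no logical port in this subnet: nothing to reach
        nat_port = self._next_port  # toy allocator: one NAT port per call
        self._next_port += 1
        self.conntrack[nat_port] = (client_id, src_port, dst_ip, dst_port,
                                    real[0], real[1], proto)
        return (UPLINK_IP, nat_port, real[0], real[1], proto)

    def ingress(self, src_ip, src_port, dst_port, proto):
        """Reverse translation for a reply; untracked or mismatched flows are dropped."""
        flow = self.conntrack.get(dst_port)
        if flow is None or flow[4:] != (src_ip, src_port, proto):
            return None
        client_id, client_port, local_ip, local_port = flow[:4]
        client_ip = self.subnets[client_id].client_ip
        return (client_id, (local_ip, local_port, client_ip, client_port, proto))


if __name__ == "__main__":
    dev = NetworkDevice()
    alice = dev.admit("cert:alice-laptop")
    bob = dev.admit("cert:bob-phone")
    print("alice sees:", alice.discover())
    print("bob sees:  ", bob.discover())
    print("egress:", dev.egress("cert:alice-laptop", 51000, "192.168.50.3", 631, "tcp"))
    print("ingress:", dev.ingress("10.20.0.15", 631, 40000, "tcp"))
```

Both clients receive the same client address, and the same local address 192.168.50.3 resolves to a different backend in each subnet, which is why a request to a service outside the client's policy has no destination to match rather than a firewall rule to hit.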
Fig. 4 shows a schematic diagram of a method 400 provided by an embodiment of the invention. The method comprises the step of the network device 100 obtaining 401 a unique identifier 102 of a wireless network client 103. The method comprises the step of the network device 100 determining 402 at least one authorization service 104 based on the unique identifier 102 and the policy 105. The method comprises the step of the network device 100 creating 403 a virtual subnet 106 that can access at least one authorization service 104. The method includes the step of the network device 100 assigning 404 the wireless network client 103 to the virtual subnet 106.
The invention has been described in connection with various embodiments and implementations as examples. However, other variations will become apparent to those skilled in the art and may be made in practicing the claimed invention, from a study of the drawings, the disclosure, and the appended claims. In the claims as well as in the description, the word "comprising" does not exclude other elements or steps, and "a" or "an" does not exclude a plurality. A single element or other unit may fulfill the functions of several entities or items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
Claims (17)
1. A network device (100) for policy-based wireless network (101) access, the network device (100) being configured to:
- obtaining a unique identifier (102) of a wireless network client (103);
- determining at least one authorization service (104) from the unique identifier (102) and a policy (105);
- creating a virtual subnet (106) that can access the at least one authorization service (104);
- assigning the wireless network client (103) to the virtual subnet (106).
2. The network device (100) of claim 1, wherein the virtual subnet (106) has exclusive access to the at least one authorized service (104).
3. The network device (100) according to claim 1 or 2, wherein the unique identifier comprises a passphrase combined with at least one of: a device unique ID or username; or a certificate.
4. The network device (100) of any of the preceding claims, wherein the network device (100) is configured to provision the wireless network (101) according to a network identifier to enable the wireless network client (103) to access the virtual subnet (106).
5. The network device (100) of any of the preceding claims, wherein the network device (100) is configured to create a different virtual subnet (106) for each wireless network client (103) accessing the wireless network (101) according to the policy (105).
6. The network device (100) of any of the preceding claims, wherein each of the different virtual subnets (106) is created according to the policy (105) and the unique identifier (102) of the respective wireless network client (103).
7. The network device (100) of any of the preceding claims, wherein the policy is predefined indicating that the at least one authorized service corresponds to the unique identifier.
8. Network device (100) according to any of the preceding claims, wherein the network identifier of the wireless network (101) is the same for all wireless network clients (103) accessing the wireless network (101).
9. The network device (100) according to any of the preceding claims, wherein the virtual subnet (106) is a virtual subnet (106) in an independent isolated network.
10. The network device (100) of claim 9, wherein only the wireless network clients (103) assigned to the virtual subnets in the isolated independent network have access to the virtual subnets.
11. The network device (100) of any of the preceding claims, further configured to provide a service discovery function (201) to the wireless network client (103).
12. Network device (100) according to any of the preceding claims, wherein the service discovery function (201) provides the wireless network client (103) with a service identifier of the at least one authorization service (104).
13. Network device (100) according to any of the preceding claims, wherein the service identifier provided to the wireless network client (103) is related to the virtual subnet (106) allocated for the wireless network client (103).
14. Network device (100) according to any of the preceding claims, wherein said at least one authorization service (104) operates in a network different from said virtual subnet (106) assigned to said wireless network client (103).
15. The network device (100) according to any of the preceding claims, wherein the network device (100) further comprises a communication module that can communicate with the at least one authorized service (104) provided in a network different from the virtual subnet (106) by means of the service identifier associated with the virtual subnet (106).
16. Network device (100) according to any of the preceding claims, wherein the network device (100) is an Access Point (AP).
17. A method (400) for providing policy-based access to a wireless network (101), the method (400) comprising the steps of:
- the network device (100) obtaining (401) a unique identifier (102) of the wireless network client (103);
- the network device (100) determining (402) at least one authorization service (104) from the unique identifier (102) and a policy (105);
- the network device (100) creating (403) a virtual subnet (106) having access to the at least one authorization service (104);
- the network device (100) assigning (404) the wireless network client (103) to the virtual subnet (106).
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/EP2019/061216 WO2020221454A1 (en) | 2019-05-02 | 2019-05-02 | Network device and method for policy based access to a wireless network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113785606A (en) | 2021-12-10 |
CN113785606B (en) | 2023-10-27 |
Family
ID=66448529
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201980095727.3A Active CN113785606B (en) | 2019-05-02 | 2019-05-02 | Network device and method for policy-based wireless network access |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN113785606B (en) |
WO (1) | WO2020221454A1 (en) |
2019
- 2019-05-02 WO PCT/EP2019/061216 patent/WO2020221454A1/en active Application Filing
- 2019-05-02 CN CN201980095727.3A patent/CN113785606B/en active Active
Also Published As
Publication number | Publication date |
---|---|
WO2020221454A1 (en) | 2020-11-05 |
CN113785606B (en) | 2023-10-27 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110087236B (en) | Protocol for establishing a secure communication session with an anonymous host over a wireless network | |
KR100826736B1 (en) | A method of dynamically connecting a client node to a serving network, a method of connecting a client node to multiple internet service providers, and a method of connecting a client node to a serving network | |
US8681695B1 (en) | Single address prefix allocation within computer networks | |
CA3021367C (en) | Using wlan connectivity of a wireless device | |
US7444415B1 (en) | Method and apparatus providing virtual private network access | |
EP2347560B1 (en) | Secure access in a communication network | |
US20090129386A1 (en) | Operator Shop Selection | |
US20140075505A1 (en) | System and method for routing selected network traffic to a remote network security device in a network environment | |
US20130182651A1 (en) | Virtual Private Network Client Internet Protocol Conflict Detection | |
JP2011501623A (en) | Various methods and apparatus for a central station for assigning virtual IP addresses | |
JP2004536500A (en) | Computer network | |
JP2004357292A (en) | System for converting data transferred on ip switched network from ipv4 base into ipv6 base | |
CN114556868B (en) | Private subnetworks for virtual private network VPN clients | |
JP3994412B2 (en) | Network system, network identifier setting method, network connection point, network identifier setting program, and recording medium | |
JP4253520B2 (en) | Network authentication device and network authentication system | |
CN113785606B (en) | Network device and method for policy-based wireless network access | |
EP3264710B1 (en) | Securely transferring the authorization of connected objects | |
Stenberg et al. | Home networking control protocol | |
Aura et al. | Securing network location awareness with authenticated DHCP | |
WO2006075823A1 (en) | Internet protocol address management system co-operated with authentication server | |
Bjarnason | RFC 8994: An Autonomic Control Plane (ACP) | |
JP5461465B2 (en) | Computer network | |
Stenberg et al. | RFC 7788: Home Networking Control Protocol |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
TA01 | Transfer of patent application right | Effective date of registration: 20220222; Address after: 550025 Huawei cloud data center, jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guiyang City, Guizhou Province; Applicant after: Huawei Cloud Computing Technologies Co.,Ltd.; Address before: 518129 Huawei headquarters office building, Bantian, Longgang District, Shenzhen City, Guangdong Province; Applicant before: HUAWEI TECHNOLOGIES Co.,Ltd. |
GR01 | Patent grant | ||