CN117240490A - Network access control system, network access control method, and storage medium - Google Patents

Info

Publication number: CN117240490A
Authority: CN (China)
Prior art keywords: network, nac, configuration information, tenant, access control
Legal status: Pending
Application number: CN202211731491.8A
Other languages: Chinese (zh)
Inventors: 玛达瓦·拉奥·切希拉拉; 帕万·库马尔·文卡塔·萨蒂什·巴拉塔普迪; 纳塔拉詹·曼蒂拉莫尔蒂; 帕万·巴基蒂; 拉贾·拉奥·塔迪梅蒂; 维亚切斯拉夫·杰缅季耶夫
Current Assignee: Juniper Networks Inc
Original Assignee: Juniper Networks Inc
Priority claimed from US 17/934,124 (published as US20230403272A1)
Application filed by Juniper Networks Inc
Publication of CN117240490A

Abstract

The application discloses a network access control system, a network access control method and a storage medium. A multi-tenant, cloud-hosted Network Access Control (NAC) system may receive an indicator from a Network Access Server (NAS) device to identify a tenant associated with the NAS device. The NAS device may place the identifier in a Transport Layer Security (TLS)/Secure Sockets Layer (SSL) extended Server Name Indication (SNI) field. The NAC system may use the identifier to obtain tenant-specific configuration information for establishing a secure tunnel with the NAS device.

Description

Network access control system, network access control method, and storage medium
Cross Reference to Related Applications
The present application claims priority from U.S. patent application Ser. No. 17/934,124, filed September 21, 2022, and U.S. provisional patent application Ser. No. 63/366,379, filed June 14, 2022, the disclosures of both of which are incorporated herein by reference.
Technical Field
The present disclosure relates generally to computer networks, and more particularly, to managing access to computer networks.
Background
A business or site, such as an office, hospital, airport, stadium, or retail store, typically installs a complex wireless network system throughout the site, including a network of wireless Access Points (APs), to provide wireless network services to one or more wireless client devices (or simply "clients"). An AP is a physical electronic device that enables other devices to wirelessly connect to a wired network using various wireless network protocols and technologies, such as wireless local area network protocols conforming to one or more IEEE 802.11 standards (i.e., "WiFi"), Bluetooth/Bluetooth Low Energy (BLE), mesh network protocols such as ZigBee, or other wireless network technologies.
Many different types of wireless client devices (e.g., notebook, smart phone, tablet, wearable device, appliance, and internet of things (IoT) device) integrate wireless communication technology and may be configured to connect to a wireless access point when the device is within range of a compatible AP. To access the wireless network, the wireless client device may first need to authenticate to the AP. Authentication may occur via a handshake exchange between the wireless client device, the AP, and an authentication, authorization, and accounting (AAA) server that controls access at the AP.
Disclosure of Invention
In general, this disclosure describes one or more techniques for identifying and verifying a tenant or organization to which a device (e.g., a Network Access Server (NAS) device, such as an access point, switch, router, or other network infrastructure device capable of authenticating and authorizing client devices to access an enterprise network) belongs in the context of a multi-tenant, cloud-hosted Network Access Control (NAC) service. The NAC service may be hosted on one or more NAC systems in communication with a centralized, cloud-based Network Management System (NMS) configured to manage a plurality of NAS devices associated with one or more tenants or organizations.
In accordance with the disclosed technology, the NAC system uses an indicator contained in a request received from the NAS device to establish a secure tunnel. The indicator identifies the tenant or organization to which the NAS device is associated or belongs. In one example, the disclosed technology may utilize Transport Layer Security (TLS)/Secure Sockets Layer (SSL) extended Server Name Indication (SNI) to identify a tenant or organization. In this example, the request received from the NAS device may include a "client hello" message that includes an SNI value identifying the tenant or organization of the NAS device.
The NAC system may then use the indicator to look up in a local cache to obtain configuration information for the tenant or organization. The configuration information may include server credentials associated with the tenant or organization identified by the indicator. If the tenant's configuration information is not included in the NAC system's local cache, the NAC system may request the tenant's or organization's configuration information from the cloud-based NMS in a process known as "lazy download".
Once the correct server certificate for the tenant or organization is obtained, the NAC system may provide the server certificate to the NAS device. For example, as part of a TLS handshake, the NAC system may send a "server hello" message to the NAS device. In response to receiving the client certificate from the NAS device, the NAC system may verify the client certificate using a certificate authority associated with the tenant or organization. The certificate authority location may be included in the configuration information of the tenant or organization identified by the indicator.
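The ClientHello-to-tenant lookup described above (reading the SNI, consulting the local cache, lazily downloading the tenant's configuration from the NMS on a miss, and selecting the tenant's server certificate and client CA) as an added Python example; it is not code from the patent or from Juniper. The SNI naming scheme `<tenant-id>.nac.example.net`, the placeholder PEM strings and the in-memory NMS stand-in are assumptions, and a malformed or unknown SNI resolves to "refuse the handshake":

```python
"""Tenant selection from the TLS ClientHello SNI in a multi-tenant NAC front end.
Added example, not code from the patent or Juniper; SNI scheme and NMS store are assumed."""
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TENANT_SUFFIX = ".nac.example.net"  # assumed SNI scheme: <tenant-id>.nac.example.net


@dataclass
class TenantConfig:
    tenant_id: str
    server_cert_pem: str  # certificate the NAC system presents in the handshake
    client_ca_pem: str    # CA that validates the NAS device's client certificate


def build_client_hello(sni_host: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with one SNI extension (test input)."""
    host = sni_host.encode("ascii")
    # ServerNameList: list_len, name_type (0 = host_name), name_len, name
    sni_list = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext type 0 = server_name
    body = (
        b"\x03\x03"                # client_version: TLS 1.2
        + b"\x00" * 32             # random (zeroed for the test vector)
        + b"\x00"                  # session_id: empty
        + b"\x00\x02\x13\x01"      # cipher_suites: one suite
        + b"\x01\x00"              # compression_methods: null only
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return host_name from the server_name extension, or None for any malformed input."""
    try:
        if record[0] != 0x16:                 # not a handshake record
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                     # not a ClientHello
            return None
        pos = 4 + 2 + 32                      # handshake header, version, random
        pos += 1 + hs[pos]                    # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hs[pos]                    # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0x0000:
                ntype, nlen = struct.unpack("!BH", hs[pos + 2:pos + 5])
                name = hs[pos + 5:pos + 5 + nlen]
                if ntype != 0 or 5 + nlen > elen or len(name) != nlen:
                    return None               # only a well-formed host_name entry counts
                return name.decode("ascii")
            pos += elen
        return None                           # no server_name extension present
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def tenant_from_sni(sni: str) -> Optional[str]:
    """Map an SNI host name to a tenant id; accept only a single clean DNS label."""
    name = sni.lower().rstrip(".")
    if not name.endswith(TENANT_SUFFIX):
        return None
    tenant = name[:-len(TENANT_SUFFIX)]
    if not tenant or "." in tenant or not tenant.replace("-", "").isalnum():
        return None
    return tenant


class TenantConfigCache:
    """Local cache of tenant configuration; on a miss, lazily download from the NMS."""
    def __init__(self, download: Callable[[str], Optional[TenantConfig]]) -> None:
        self._cache: Dict[str, TenantConfig] = {}
        self._download = download
        self.downloads = 0  # NMS round trips, for observability

    def get(self, tenant_id: str) -> Optional[TenantConfig]:
        cfg = self._cache.get(tenant_id)
        if cfg is None:
            self.downloads += 1
            cfg = self._download(tenant_id)  # None when the NMS knows no such tenant
            if cfg is not None:
                self._cache[tenant_id] = cfg
        return cfg


def select_tenant_config(record: bytes, cache: TenantConfigCache) -> Optional[TenantConfig]:
    """ClientHello -> SNI -> tenant -> configuration; None means refuse the handshake."""
    sni = extract_sni(record)
    tenant = tenant_from_sni(sni) if sni else None
    return cache.get(tenant) if tenant else None


# Constructed stand-in for the NMS tenant store; PEM bodies are placeholders.
NMS_RECORDS = {
    "acme": TenantConfig("acme", "<acme server cert PEM>", "<acme device CA PEM>"),
    "globex": TenantConfig("globex", "<globex server cert PEM>", "<globex device CA PEM>"),
}


def nms_download(tenant_id: str) -> Optional[TenantConfig]:
    return NMS_RECORDS.get(tenant_id)
```

The second lookup for the same tenant is served from the cache without another NMS round trip, which is the "lazy download" behaviour the text describes.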
In one example, the present disclosure relates to a system comprising a cloud-based NMS configured to manage a plurality of NAS devices associated with one or more network tenants, and one or more cloud-based NAC systems in communication with the NMS. At least one NAC system of the one or more NAC systems is configured to: receive, from a NAS device of the plurality of NAS devices associated with a network tenant of the one or more network tenants, a request to establish a secure tunnel, the request including an indicator identifying the network tenant to which the NAS device belongs; obtain configuration information of the network tenant based on the indicator, the configuration information including a server certificate associated with the network tenant; provide the server certificate to the NAS device in response to the request; in response to receiving a client certificate from the NAS device, validate the client certificate using the configuration information of the network tenant; establish the secure tunnel with the NAS device; and provide NAC services to the NAS device using the secure tunnel.
In another example, the present disclosure is directed to a method comprising: receiving, at a cloud-based NAC system in communication with a cloud-based NMS, from a NAS device of a plurality of NAS devices associated with one or more network tenants, a request to establish a secure tunnel, the request including an indicator identifying a network tenant of the one or more network tenants to which the NAS device belongs; obtaining, by the NAC system, configuration information of the network tenant based on the indicator, the configuration information including a server certificate associated with the network tenant; providing, by the NAC system, the server certificate to the NAS device in response to the request; responsive to receiving a client certificate from the NAS device, validating, by the NAC system, the client certificate using the configuration information of the network tenant; establishing, by the NAC system, the secure tunnel with the NAS device; and providing, by the NAC system, NAC services to the NAS device using the secure tunnel.
In another example, the present disclosure relates to a computer-readable storage medium comprising instructions that, when executed, cause one or more processors of a cloud-based NAC system in communication with a cloud-based NMS to: receive, from a NAS device of a plurality of NAS devices associated with one or more network tenants, a request to establish a secure tunnel, the request including an indicator identifying a network tenant of the one or more network tenants to which the NAS device belongs; obtain configuration information of the network tenant based on the indicator, the configuration information including a server certificate associated with the network tenant; provide the server certificate to the NAS device in response to the request; in response to receiving a client certificate from the NAS device, validate the client certificate using the configuration information of the network tenant; establish the secure tunnel with the NAS device; and provide NAC services to the NAS device using the secure tunnel.
The details of one or more examples of the technology of the present disclosure are set forth in the accompanying drawings and the description below. Other features, objects, and advantages of the techniques will be apparent from the description and drawings, and from the claims.
Drawings
Fig. 1A is a block diagram of an example network system including a network management system and a network access control system in accordance with one or more techniques of this disclosure.
Fig. 1B is a block diagram illustrating further example details of the network system of fig. 1A.
Fig. 1C is a conceptual diagram illustrating further example details of the network system of fig. 1A.
Fig. 2 is a block diagram of an example network access control system in accordance with one or more techniques of this disclosure.
Fig. 3 is a block diagram of an example network management system in accordance with one or more techniques of the present disclosure.
Fig. 4 is a block diagram of an example access point device in accordance with one or more techniques of this disclosure.
Fig. 5 is a block diagram of an example edge device in accordance with one or more techniques of this disclosure.
Fig. 6 is a conceptual diagram illustrating an example communication flow.
Fig. 7 is a flowchart illustrating example operations of identifying and verifying a tenant or organization to which a network access server device belongs in the context of a multi-tenant, cloud-hosted network access control system, in accordance with one or more techniques of the present disclosure.
Detailed Description
Fig. 1A is a block diagram of an example network system 100 including Network Access Control (NAC) systems 180A-180K and a Network Management System (NMS) 130 in accordance with one or more techniques of the present disclosure. The example network system 100 includes a plurality of sites 102A-102N at which a network service provider manages one or more wireless networks 106A-106N, respectively. Although in fig. 1A each site 102A-102N is shown to include a single wireless network 106A-106N, respectively, in some examples each site 102A-102N may include multiple wireless networks, and the disclosure is not limited in this respect.
Each site 102A-102N includes a plurality of Network Access Server (NAS) devices 108A-108N, such as an Access Point (AP) 142, a switch 146, and a router 147. NAS devices may include any network infrastructure device capable of authenticating and authorizing client devices to access an enterprise network. For example, site 102A includes a plurality of APs 142A-1 through 142A-M, a switch 146A, and a router 147A. Similarly, site 102N includes a plurality of APs 142N-1 through 142N-M, a switch 146N, and a router 147N. Each AP 142 may be any type of wireless access point including, but not limited to, a business or enterprise AP, a router, or any other device connected to a wired network and capable of providing wireless network access to client devices within a site. In some examples, each of the APs 142A-1 through 142A-M at site 102A may be connected to one or both of switch 146A and router 147A. Similarly, each of the APs 142N-1 through 142N-M at site 102N may be connected to one or both of switch 146N and router 147N.
Each site 102A-102N also includes a plurality of client devices, also referred to as User Equipment (UE), commonly referred to as UE or client device 148, representing the various wireless-enabled devices within each site. For example, a plurality of UEs 148A-1 through 148A-K are currently located at site 102A. Similarly, a plurality of UEs 148N-1 through 148N-K are currently located at site 102N. Each UE 148 may be any type of wireless client device including, but not limited to, a mobile device such as a smart phone, tablet or laptop computer, Personal Digital Assistant (PDA), wireless terminal, smart watch, smart ring, or other wearable device. UE 148 may also include a wired client device, e.g., an Internet of Things (IoT) device such as a printer, security device, environmental sensor, or any other device connected to a wired network and configured to communicate over one or more wireless networks 106.
To provide wireless network services to UEs 148 and/or communicate over wireless network 106, AP 142 and other wired client devices at site 102 are directly or indirectly connected to one or more network devices (e.g., switches, routers, gateways, etc.) via physical cables (e.g., Ethernet cables). Although fig. 1A shows each site 102 as including a single switch and a single router, in other examples each site 102 may include more or fewer switches and/or routers. Furthermore, two or more switches of a site may be connected to each other and/or to two or more routers, e.g., via a mesh or partial mesh topology in a hub-and-spoke architecture. In some examples, the interconnected switches 146 and routers 147 form a wired Local Area Network (LAN) located at the site 102 hosting the wireless network 106.
Example network system 100 also includes various network components for providing network services within a wired network, including, for example, NAC system 180, which includes or provides access to authentication, authorization, and accounting (AAA) servers for authenticating users and/or UEs 148; Dynamic Host Configuration Protocol (DHCP) server 116 for dynamically assigning network addresses (e.g., IP addresses) to UEs 148 upon authentication; Domain Name System (DNS) server 122 for resolving domain names to network addresses; a plurality of servers 128A-128X (collectively, "servers 128") (e.g., web servers, database servers, file servers, etc.); and NMS 130. As shown in fig. 1A, the various devices and systems of network system 100 are coupled together via one or more networks 134 (e.g., the internet and/or an intranet).
In the example of fig. 1A, NMS 130 is a cloud-based computing platform that manages wireless networks 106A-106N at one or more sites 102A-102N. As further described herein, NMS 130 provides an integrated set of management tools and implements the various techniques of this disclosure. In general, NMS 130 may provide a cloud-based platform for wireless network data acquisition, monitoring, activity logging, reporting, predictive analysis, network anomaly identification, and alarm generation. In some examples, NMS 130 outputs notifications, e.g., alarms, warnings, graphical indicators on a dashboard, log messages, text/SMS messages, email messages, etc., and/or suggestions regarding wireless network problems, to a site or network administrator ("administrator") interacting with and/or operating administrator device 111. Further, in some examples, NMS 130 operates in response to configuration inputs received from an administrator interacting with and/or operating administrator device 111.
The administrator device 111 may include IT personnel and administrator computing devices associated with one or more sites 102. The administrator device 111 may be implemented as any suitable device for presenting output and/or accepting user input. For example, the administrator device 111 may include a display. The administrator device 111 may be a computing system, e.g., a mobile or non-mobile computing device operated by a user and/or administrator. In accordance with one or more aspects of the present disclosure, administrator device 111 may represent, for example, a workstation, a laptop or notebook computer, a desktop computer, a tablet computer, or any other computing device operable by a user and/or presenting a user interface. The administrator device 111 may be physically separate from and/or located in a different location than the NMS 130, such that the administrator device 111 communicates with the NMS 130 via the network 134 or other communication means.
In some examples, one or more NAS devices 108 (e.g., AP 142, switch 146, and router 147) may be connected to edge devices 150A-150N via physical cables (e.g., Ethernet cables). Edge device 150 includes a cloud-managed wireless Local Area Network (LAN) controller. Each edge device 150 may comprise a local device at site 102 that communicates with NMS 130 to extend some microservices from NMS 130 to local (on-premises) NAS devices 108 while using NMS 130 and its distributed software architecture for scalable and resilient operation, management, troubleshooting, and analysis.
Each network device of network system 100 (e.g., NAC system 180, servers 116, 122 and/or 128, AP 142, switch 146, router 147, UE 148, edge device 150, and any other server or device attached to or forming part of network system 100) may include a system log or error log module in which the network device records its status, including normal operating status and error conditions. Throughout this disclosure, one or more network devices of network system 100 (e.g., servers 116, 122 and/or 128, AP 142, switch 146, router 147, and UE 148) may be considered "third party" network devices when owned by and/or associated with an entity other than NMS 130, such that NMS 130 does not directly receive, collect, or otherwise access the logged status and other data of the third party network devices. In some examples, edge device 150 may provide a proxy through which logged status and other data of third party network devices may be reported to NMS 130.
In the example of fig. 1A, each NAC system 180 includes a cloud-based network access control service at a plurality of geographically distributed points of presence. Typically, network access control functionality is provided by local devices, which are limited by processing power and memory, as well as maintenance and upgrade issues. Providing cloud-based network access control services avoids these limitations and improves network management. However, centralized, cloud-based deployment of network access control introduces latency and failure issues that may prevent client devices from accessing the network.
In accordance with the disclosed technology, the NAC system 180 provides multiple points of presence or NAC clouds in several geographic areas. NMS 130 is configured to manage NAC configurations, including access policies of the enterprise network, and push appropriate NAC configuration data or files to the corresponding NAC systems (clouds) 180A-180K. In this way, NAC system 180 provides the same benefits as a centralized, cloud-based network access control service, with lower latency and high availability.
NAC system 180 provides a way to authenticate client devices 148 to access wireless network 106, such as a branch or campus enterprise network. NAC systems 180 can each include or provide access to an authentication, authorization, and accounting (AAA) server (e.g., a RADIUS server) to authenticate client device 148 before providing access to an enterprise network via NAS device 108. In some examples, NAC system 180 may enable certificate-based authentication of a client device, or enable interaction with a cloud directory service to authenticate a client device.
NAC system 180 can identify client device 148 and provide appropriate authorization or access policies to client device 148 based on its identity, e.g., by assigning the client device to certain Virtual Local Area Networks (VLANs), applying certain Access Control Lists (ACLs), directing the client device to certain registration portals, etc. NAC system 180 can identify client device 148 by analyzing the network behavior of the client device (referred to as fingerprinting). In some examples, the identification of the client device may be performed based on a Media Access Control (MAC) address, a DHCP option for requesting an IP address, a Link Layer Discovery Protocol (LLDP) packet, user agent information, and/or device type and operating system information.
Client device 148 may include a number of different classes of devices for a given enterprise, such as trusted enterprise devices, bring-your-own-device (BYOD) devices, IoT devices, and guest devices. NAC system 180 may be configured to subject each different class of device to different types of tracking, different types of authorization, and different levels of access rights. In some examples, after a client device gains access to the enterprise network, NAC system 180 may monitor the activity of the client device to identify security issues and, in response, reassign the client device to a quarantine VLAN or another lower-privileged VLAN to restrict access by the client device.
NMS 130 is configured to operate in accordance with an artificial intelligence/machine learning-based computing platform that provides comprehensive automation, insight, and assurance (WiFi assurance, wired assurance, and WAN assurance) extending from "clients" (e.g., client devices 148 connected to wireless network 106 and the wired Local Area Network (LAN) at site 102) to "clouds" (e.g., cloud-based application services that may be hosted by computing resources within a data center).
As described herein, NMS 130 provides an integrated set of management tools and implements the various techniques of this disclosure. In general, NMS 130 may provide a cloud-based platform for wireless network data acquisition, monitoring, activity logging, reporting, predictive analysis, network anomaly identification, and alarm generation. For example, NMS 130 may be configured to actively monitor and adaptively configure network system 100 to provide self-driving capabilities.
In some examples, AI-driven NMS 130 also provides configuration management, monitoring, and automatic administration of a software-defined wide area network (SD-WAN) that operates as an intermediary network communicatively coupling wireless network 106 and the wired LAN at site 102 to data centers and application services. Typically, the SD-WAN provides a seamless, secure, traffic-engineered connection between a "hub" router (e.g., router 147) of a wired LAN hosting a wireless network 106 (e.g., a branch or campus enterprise network) and a "hub" router in the cloud stack further up toward cloud-based application services. SD-WANs typically operate and manage an overlay network over an underlying physical Wide Area Network (WAN) that provides connectivity to geographically separated customer networks. In other words, the SD-WAN extends Software Defined Networking (SDN) capabilities to the WAN and allows the network to separate the underlying physical network infrastructure from the virtualized network infrastructure and applications, so that the network can be configured and managed in a flexible and extensible manner.
In some examples, AI-driven NMS 130 may enable intent-based configuration and management of network system 100, including enabling construction, presentation, and execution of intent-driven workflows for configuring and managing devices associated with wireless network 106, the wired LAN, and/or the SD-WAN. For example, declarative requirements express the desired configuration of network components without specifying the exact local device configuration and control flow. By utilizing declarative requirements, it is possible to specify what should be done, not how. Declarative requirements may be contrasted with imperative instructions describing the exact device configuration syntax and control flow that implements the configuration. By utilizing declarative requirements rather than imperative instructions, the burden on the user and/or user system to determine the exact device configuration needed to achieve the desired results is reduced. For example, when utilizing a variety of different types of devices from different vendors, it is often difficult and burdensome to specify and manage precise imperative instructions to configure each device of a network. The type and kind of network devices may change dynamically as new devices are added and device failures occur. Managing a variety of different types of devices from different vendors with different configuration protocols, syntaxes, and software versions to configure an aggregated network of devices is often difficult to achieve. Thus, by requiring only that the user/system specify declarative requirements that describe desired results applicable to a variety of different types of devices, management and configuration of network devices becomes more efficient. Further example details and techniques of intent-based network management systems are described in U.S. patent No. 10,756,983 entitled "Intent-based analysis" and U.S. patent No. 10,992,543 entitled "Automatically generating an Intent-based network model of an existing computer network," both of which are incorporated herein by reference.
Although the techniques of this disclosure are described in this example as being performed by NAC system 180 and/or NMS 130, the techniques described herein may be performed by any other computing device, system, and/or server, and the disclosure is not limited in this respect. For example, one or more computing devices configured to perform the functions of the techniques of this disclosure may reside in a dedicated server or be included in any other server in addition to NAC system 180 or NMS 130, or may be distributed throughout network system 100, and may or may not form part of NAC system 180 or NMS 130.
Fig. 1B is a block diagram illustrating further example details of the network system of fig. 1A. In this example, fig. 1B shows logical connections 178A-178N, 182A-182N, and 184A-184K between NAS device 108, NAC system 180, and NMS 130 at site 102. Further, fig. 1B shows NMS 130 configured to operate in accordance with an AI-based computing platform to provide configuration and management of one or more NAC systems 180 and NAS devices 108 at site 102 via the logical connections.
In operation, NMS 130 observes, collects, and/or receives network data 137, which may take the form of data extracted from messages, counters, and statistics, for example, from one or more of AP 142, switch 146, router 147, edge device 150, NAC system 180, and/or other nodes within network 134. NMS 130 provides a management plane for network system 100, including management of one or more NAS devices 108 at site 102 and enterprise-specific configuration information 139 of NAC system 180. Each of the one or more NAS devices 108 and each of the NAC systems 180 may have a secure connection with the NMS 130, for example, a RADSEC (RADIUS over Transport Layer Security (TLS)) tunnel or another encrypted tunnel. Each of NAS device 108 and NAC system 180 may download the appropriate enterprise-specific configuration information 139 from NMS 130 and implement the configuration. In some cases, one or more NAS devices 108 may be third party devices or may not support establishing secure connections directly with NMS 130. In these cases, the edge device 150 may act as a proxy through which the NAS device 108 connects to the NMS 130.
According to one embodiment, the computing device is part of NMS 130. According to other implementations, NMS 130 may include one or more computing devices, dedicated servers, virtual machines, containers, services, or other forms of environments for performing the techniques described herein. Similarly, the computing resources and components implementing VNA 133 may be part of NMS 130, may execute on other servers or execution environments, or may be distributed to nodes (e.g., routers, switches, controllers, gateways, etc.) within network 134.
In some examples, NMS 130 monitors network data 137, e.g., one or more service level desire (SLE) metrics, received from each site 102A-102N and manages network resources, e.g., one or more of AP 142, switch 146, router 147, and edge device 150 at each site to deliver high quality wireless experiences to end users, ioT devices, and clients of the site. In other examples, NMS 130 monitors network data 137 received from NAC system 180 and manages enterprise-specific configuration information 139 of NAC system 180 to enable unrestricted network access control services to client devices 148 at site 102 with low latency and high availability.
As shown in fig. 1B, NMS 130 may include a Virtual Network Assistant (VNA) 133 that implements an event processing platform for providing real-time insight and simplified fault diagnosis for IT operations, and automatically takes corrective action or provides advice to proactively solve network problems. For example, VNA133 may include an event processing platform configured to process hundreds or thousands of concurrent network data flows 137 from sensors and/or agents associated with AP 142, switch 146, router 147, edge device 150, NAC system 180, and/or other nodes within network 134. For example, VNA133 of NMS 130 may include an underlying analysis and network error recognition engine and an alarm system according to various examples described herein. The underlying analysis engine of the VNA133 may apply historical data and models to the inbound event stream to calculate assertions, e.g., identified anomalies or predicted occurrences of events that constitute a network error condition. In addition, VNA133 may provide real-time alarms and reports to notify a site or network administrator of any predicted events, anomalies, trends via administrator device 111, and may perform root cause analysis and automatic or assisted error remediation. In some examples, VNA133 of NMS 130 may apply machine learning techniques to identify the root cause of the error condition detected or predicted from network data stream 137. If the root cause can be automatically resolved, the VNA133 can invoke one or more corrective actions to correct the root cause of the error condition, thereby automatically improving the underlying SLE metrics and also automatically improving the user experience.
Further exemplary details of the operations implemented by the VNA 133 of the NMS 130 are described in U.S. patent No. 9,832,082 entitled "Monitoring Wireless Access Point Events" issued 11/28 in 2017, U.S. patent No. 2021/0306201 entitled "Network System Fault Resolution Using a Machine Learning Model" issued 9/30 in 2021, U.S. patent No. 10,985,969 entitled "Systems and Methods for a Virtual Network Assistant" issued 20 in 2021, U.S. patent No. 10,958,585 entitled "Methods and Apparatus for Facilitating Fault Detection and/or Predictive Fault Detection" issued 3/23 in 2021, U.S. patent No. 10,958,537 entitled "Method for Spatio-Temporal Modeling" issued 3/23 in 2021, and U.S. patent No. 10,862,742 entitled "Method for Conveying AP Error Codes Over BLE Advertisements" issued 8 in 2020 12, all of which are incorporated herein by reference in their entirety.
Further, as shown in fig. 1B, NMS 130 may include a NAC controller 138 that implements a NAC configuration platform that provides a user interface to create and assign access policies for client devices 148 of enterprise network 106, and to provide appropriate enterprise-specific configuration information 139 to respective NAC systems (clouds) 180A-180K. NMS 130 may have secure connections 184A-184K with each NAC system 180A-180K, respectively, such as a RADSEC tunnel or another encrypted tunnel. Through secure connection 184, NAC controller 138 may receive network data 137, e.g., NAC event data, from each NAC system 180, and each NAC system 180 may download appropriate configuration information 139 from NMS 130. In some examples, NAC controller 138 may record or map which enterprise networks are served by which NAC systems 180. In addition, NAC controller 138 can monitor NAC systems 180 to identify failure of a primary NAC system and manage failover to a backup NAC system.
The NAC system 180 provides network access control services in a control plane for one or more NAS devices 108 at the site 102. In operation, NAC system 180 authenticates client devices 148 accessing enterprise wireless network 106 and can perform fingerprinting to identify client devices 148 and apply authorization or access policies to client devices 148 based on identity. NAC system 180 includes a plurality of geographically distributed points of presence. For example, NAC system 180A may include a first cloud-based system located within a first geographic area (e.g., eastern United states), NAC system 180B (not shown) may include a second cloud-based system located within a second geographic area (e.g., western United states), and NAC system 180K may include a kth cloud-based system located within a kth geographic area (e.g., australia).
Deploying multiple NAC clouds in several geographic regions enables network access control services to be provided to nearby NAS devices with lower latency and high availability while avoiding the processing limitations and maintenance issues experienced by on-premises NAC appliances. For example, NAS device 108A within site 102A of the enterprise network may connect to the physically closest NAC system, namely NAC system 180A, to experience lower latency for network access control services. In some examples, the physically closest one of NAC systems 180 may serve as the primary NAC system, and the NAS device may also connect to the next closest NAC system 180 as a backup NAC system in the event of failure of the primary NAC system. For example, NAS device 108A within site 102A of the enterprise network may connect to NAC system 180A and NAC system 180B (not shown) to obtain high availability of network access control services.
In the example shown in FIG. 1B, each NAS device 108 has a secure connection with at least one NAC system 180, either directly or indirectly. For example, each AP 142A within site 102A has a direct secure connection 182A to NAC system 180A, such as a RADSEC tunnel or another encrypted tunnel. Each of switch 146A and router 147A within site 102A is indirectly connected to NAC system 180A via edge device 150A. In this example, switch 146A and router 147A may not support establishing a secure connection directly with NAC system 180A, but edge device 150A may provide a proxy through which switch 146A and router 147A may connect to NAC system 180A. For example, each of switch 146A and router 147A has a direct connection 178A, e.g., a RADIUS connection, to edge device 150A, and edge device 150A has a direct secure connection 182A to NAC system 180A. Similarly, for site 102N, each NAS device 108N has an indirect connection to NAC system 180K via edge device 150N. In this example, AP 142N, switch 146N, and router 147N may not support establishing secure connections directly with NAC system 180K, but edge device 150N may provide a proxy through which NAS devices 108N may connect to NAC system 180K. For example, each of AP 142N, switch 146N, and router 147N has a direct connection 178N, e.g., a RADIUS connection, to edge device 150N, and edge device 150N has a direct secure connection 182N to NAC system 180K.
Through secure connection 182, NAC system 180 can receive network access requests from client devices 148 through NAS devices 108 (and in some cases edge devices 150) at nearby enterprise sites 102. In response to a network access request, NAC system 180 authenticates the requesting client device using an AAA server. NAC system 180 can perform fingerprinting to identify the authenticated client device. NAC system 180 then enforces the appropriate access policy for the identity of the authenticated client device based on enterprise-specific configuration information 139 downloaded from NMS 130. In one embodiment, a computing device is part of each NAC system 180. In other implementations, each of NAC systems 180A-180K can include one or more computing devices, dedicated servers, virtual machines, containers, services, or other forms of execution environment for performing the techniques described herein.
In accordance with one or more techniques of the present disclosure, NAC system 180 may identify and verify the tenant or organization to which a NAS device 108 belongs. Each NAC system 180 may be a multi-tenant system serving multiple organizations or tenants. In order to provide the NAC services associated with a particular organization or tenant, NAC system 180 needs to be able to identify the organization or tenant to which a particular NAS device 108 belongs.
NAC system 180 may receive an identifier from NAS device 108 that allows NAC system 180 to identify the organization or tenant associated with NAS device 108. NAC system 180 can map the identifier to the configuration information specific to that organization or tenant.
The Transport Layer Security (TLS)/Secure Sockets Layer (SSL) Server Name Indication (SNI) extension may carry the identifier that identifies the organization associated with the NAS device. The identifier, i.e., the SNI value, is sent from the NAS device to the NAC system in the "client hello" message. This extends the use of SNI, which is conventionally used to select the intended virtual host on a web server that hosts multiple web sites.
The "client hello" is the first message of the TLS handshake that occurs at the beginning of a communication session using TLS encryption. During the TLS handshake, the communicating parties exchange messages to authenticate the server (and, when the server requests a client certificate, the client as well), negotiate the cipher suite they will use, and agree on session keys.
In a cloud-based architecture in which NMS 130 provides the management plane and one or more NAC systems 180 provide configuration enforcement, NAS device 108 may open a RADSEC (RADIUS over TLS) tunnel, e.g., tunnel 182, directly to NAC system 180 for NAC services. Accurate identification of the tenant or organization of NAS device 108 by NAC system 180 enables the correct organization server certificate to be used during the TLS handshake and, when needed, the correct organization configuration information to be retrieved from NMS 130 into the NAC cloud.
RADSEC itself carries no NAS device identity that the NAC system could read before the TLS tunnel is established: RADIUS attributes such as NAS-Identifier only arrive inside the encrypted session, and the TLS handshake does not allow custom payloads or data. However, the TLS client hello of a RADSEC connection can carry the SNI extension. Because the SNI value is sent in the clear and is merely a claim by the client, it is suitable for selecting the tenant's server certificate and trust anchor, while the identity of the NAS device is then established by the client certificate check described below.
The disclosed technology uses the SNI field to carry the identity of the tenant or organization. NAC system 180 may map the SNI value of an organization to the configuration information of that organization. In response to receiving the "client hello" message from a NAS device 108, for example, NAC system 180A can use the SNI value to look up locally the appropriate server certificate for the organization identified by that value. If the appropriate server certificate is stored locally, NAC system 180A can present the server certificate to the NAS device in the "server hello" exchange, and the TLS handshake can continue.
If NAC system 180A does not have the appropriate server certificate, NAC system 180A may request the configuration information for the organization from NMS 130. NMS 130 may check, based on policy, whether it is appropriate to download the configuration information to NAC system 180A. For example, NMS 130 may limit the downloading of configuration information based on the physical location of NAC system 180A. In this way, an organization may restrict the storage of its configuration information to particular countries.
Fig. 1C is a conceptual diagram illustrating further example details of the network system of fig. 1A. In this example, NAS devices 108A, 108C, and 108D are associated with organization A. NAS device 108B is associated with organization B. NAS device 108E is associated with organization C. NAC system 180A is physically located in the eastern United States, while NAC system 180K is physically located in Australia.
Assume that NAS device 108D attempts to access organization A's enterprise network through NAC system 180K, that NAC system 180K is physically located in Australia, and that organization A's configuration information is not stored locally at NAC system 180K. NAC system 180K will then attempt to download or retrieve organization A's configuration information from NMS 130.
NMS 130 may examine the corporate policy of organization A to determine whether it should provide the configuration information to NAC system 180K, which is physically located in Australia. In this example, the policy does not allow organization A's configuration to be stored in NAC system 180K in Australia, so the request is rejected and NAC system 180K is prevented from establishing a secure connection with NAS device 108D.
In contrast, assume that NAS device 108A attempts to access organization A's enterprise network through NAC system 180A, that NAC system 180A is physically located in the eastern United States, and that organization A's configuration information is not stored locally at NAC system 180A. NAC system 180A will then attempt to download or retrieve organization A's configuration information from NMS 130.
NMS 130 may examine the corporate policy of organization A to determine whether it should provide the configuration information to NAC system 180A, located in the eastern United States. In this example, the policy does allow organization A's configuration to be stored in NAC system 180A, so the request is allowed and the configuration information is provided to NAC system 180A, allowing it to establish a secure connection with NAS device 108A.
The configuration information for organization A may be maintained in the configuration information cache of NAC system 180A so that, when NAS device 108C later attempts to connect to NAC system 180A, organization A's configuration information is already stored locally at NAC system 180A and need not be retrieved from NMS 130. In this way, configuration information for a particular organization or tenant is distributed from NMS 130 only to those NAC systems 180 that receive access requests from NAS devices belonging to that organization or tenant, which is referred to as "lazy download." Not all configuration information for every organization need be sent to and stored in every NAC system 180. NAC system 180 may purge the configuration information of a tenant from its local cache if the configuration information has not been used for a predetermined period of time. For example, if the configuration information of a particular tenant has not been used to authenticate a client device within the past 10-15 days, that tenant's configuration information may be purged from the configuration information cache so that only current configuration information remains cached.
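The SNI-to-tenant lookup, the policy-gated lazy download, the idle purge of the configuration cache, and the NMS's record of which NAC systems hold which tenant's configuration, as described above and in the organization A walk-through, are shown together in the following added example. It is not code from the patent or from Juniper. The `nac.example.net` host-name suffix (tenant id as the leftmost label), the region names, the `Nms` interface and the `TenantConfig` fields are assumptions made for the example; the certificate and CA fields hold placeholder strings rather than real PEM data.

```python
"""Tenant lookup from TLS SNI with lazy, policy-gated configuration download (example)."""
import re
import ssl
from dataclasses import dataclass, field

NAC_DOMAIN = "nac.example.net"  # assumed suffix; the leftmost label names the tenant
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")  # one DNS label


@dataclass(frozen=True)
class TenantConfig:
    server_cert: str            # PEM presented in the server hello (placeholder here)
    ca_bundle: str              # PEM of the CA that checks NAS client certificates
    allowed_regions: frozenset  # where the tenant permits its config to be stored


@dataclass
class Nms:
    """Management plane: holds every tenant's config and the per-tenant storage policy."""
    configs: dict
    distributed: dict = field(default_factory=dict)  # tenant -> NAC regions holding it

    def download(self, tenant, nac_region):
        cfg = self.configs.get(tenant)
        if cfg is None:
            raise KeyError(f"unknown tenant {tenant!r}")
        if nac_region not in cfg.allowed_regions:
            raise PermissionError(f"policy forbids storing {tenant!r} config in {nac_region}")
        self.distributed.setdefault(tenant, set()).add(nac_region)
        return cfg

    def update_targets(self, tenant):
        """NAC regions that must receive a configuration update for this tenant."""
        return frozenset(self.distributed.get(tenant, ()))


def tenant_from_sni(server_name):
    """Return the tenant id named by an SNI host name, or None if it is not a tenant name."""
    if not server_name:
        return None
    name = server_name.lower().rstrip(".")
    if not name.endswith("." + NAC_DOMAIN):
        return None
    label = name[: -len(NAC_DOMAIN) - 1]
    return label if LABEL_RE.match(label) else None


class NacTenantCache:
    """One NAC point of presence: download a tenant's config on first use, purge when idle."""

    def __init__(self, nms, region, idle_ttl, clock):
        self.nms, self.region, self.idle_ttl, self.clock = nms, region, idle_ttl, clock
        self._cache = {}  # tenant -> [config, last_used]

    def purge_idle(self):
        now = self.clock()
        stale = [t for t, (_, used) in self._cache.items() if now - used > self.idle_ttl]
        for tenant in stale:
            del self._cache[tenant]

    def resolve(self, server_name):
        self.purge_idle()
        tenant = tenant_from_sni(server_name)
        if tenant is None:
            raise ValueError(f"SNI {server_name!r} does not name a tenant")
        entry = self._cache.get(tenant)
        if entry is None:  # lazy download, subject to the NMS storage policy
            entry = self._cache[tenant] = [self.nms.download(tenant, self.region), 0.0]
        entry[1] = self.clock()
        return entry[0]


def make_sni_callback(cache, context_for_config):
    """Wire the lookup into ssl.SSLContext.sni_callback. context_for_config builds the
    tenant-specific SSLContext (server cert plus verify CA). On any failure the handshake
    is aborted with an unrecognized_name alert rather than presenting a default certificate."""
    def on_sni(sslobj, server_name, _default_ctx):
        try:
            cfg = cache.resolve(server_name)
        except (ValueError, KeyError, PermissionError):
            return ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME
        sslobj.context = context_for_config(cfg)
        return None
    return on_sni
```

In a real listener the callback is installed with `server_context.sni_callback = make_sni_callback(cache, build_ctx)` before `wrap_socket`; the default context then never serves a handshake on its own, because every unknown or policy-blocked SNI is turned into a fatal alert. Purging is driven by the caller's clock so the 10-15 day idle window can be tested without waiting.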
NMS 130 may provide configuration information updates to NAC systems 180. A NAC system 180 may use the configuration information updates to update its configuration information cache. Configuration information updates may be directed only to organizations whose information is stored in the configuration information cache of the receiving NAC system 180. A configuration information update may indicate the current configuration of the organization. NMS 130 may send configuration updates periodically, for example, once a day. NMS 130 may track which configuration information has previously been sent to each NAC system 180 in order to determine to which NAC systems 180 a configuration information update should be sent.
Once NAC system 180A obtains the correct server certificate for the organization, NAC system 180A may present the server certificate to NAS device 108 in the "server hello" exchange, and the TLS handshake continues. As the TLS handshake continues, NAC system 180A may request that the NAS device provide a "client certificate." This client certificate may be checked by NAC system 180 against a Certificate Authority (CA). Which CA to check against may depend on the organization identified by the SNI. The CA may be an organization-specific private CA. In a private CA, certificates are signed with the private key of the organization's root certificate. The private CA may issue certificates for the internal network of the organization. Unlike a public CA, whose trust anchors are generally well known, the location of a private CA must be determined or found.
NAC system 180A can use the identifier in the SNI field to determine the CA of the organization by retrieving the configuration information corresponding to the SNI value. The CA may be managed by, and located at, NMS 130 or another location. If the client certificate passes the check against the organization's CA, NAC system 180A can continue establishing the secure tunnel between NAC system 180A and NAS device 108. If the client certificate does not pass the check, NAC system 180A can deny the tunnel to NAS device 108.
NMS 130 may provide NAS device 108 with both the identifier to be inserted in the SNI field and the client certificate of NAS device 108. Alternatively, NAS device 108 may be provisioned with the SNI identifier and the client certificate independently.
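The per-organization client-certificate check described above, with the additional step of binding the cleartext SNI claim to the identity actually proven by the NAS client certificate, as an added example that is not code from the patent or from Juniper. It assumes the tenant id has already been resolved from the SNI, that the NAS client certificate carries the tenant id in its organizationName (O=) attribute, and that the tenant's CA bundle is available as a PEM string from the tenant configuration; file names and the constructed `getpeercert()` dictionary in the usage are placeholders.

```python
"""Per-tenant mTLS context and SNI-to-client-certificate binding for a RADSEC server (example)."""
import ssl


def make_tenant_server_context(cert_file, key_file, tenant_ca_pem):
    """Context for one tenant: presents that tenant's server certificate and accepts only
    client certificates that chain to that tenant's CA, never a shared trust store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_file, key_file)        # hypothetical per-tenant file paths
    ctx.verify_mode = ssl.CERT_REQUIRED              # makes the server send a certificate request
    ctx.load_verify_locations(cadata=tenant_ca_pem)  # hypothetical PEM from the tenant config
    return ctx


def subject_values(peer_cert, attr):
    """All values of one subject attribute in an ssl.SSLSocket.getpeercert() dictionary."""
    return [v for rdn in peer_cert.get("subject", ()) for k, v in rdn if k == attr]


def admit_nas(peer_cert, sni_tenant):
    """Post-handshake decision: the SNI only selected the tenant context; the certificate
    validated by that context must also name the same tenant, otherwise a NAS holding a
    valid certificate for one tenant could reach another tenant's RADIUS service."""
    if not peer_cert:  # getpeercert() returns {} when no validated certificate was presented
        return False, "no validated client certificate"
    orgs = subject_values(peer_cert, "organizationName")
    if sni_tenant not in orgs:
        return False, f"certificate O={orgs} does not match SNI tenant {sni_tenant!r}"
    return True, "ok"


def gate_radsec_connection(tls_sock, sni_tenant):
    """Apply admit_nas to an accepted ssl.SSLSocket and drop the tunnel on mismatch."""
    ok, reason = admit_nas(tls_sock.getpeercert(), sni_tenant)
    if not ok:
        tls_sock.close()
    return ok, reason


# Constructed sample of what getpeercert() returns for a NAS of organization A.
SAMPLE_PEER_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "org-a"),),
        (("commonName", "nas-1"),),
    ),
    "subjectAltName": (("DNS", "nas-1.org-a.nac.example.net"),),
}
```

The `admit_nas` check matters most when the CA is operated centrally, for example at the NMS, and signs certificates for several tenants: the chain check alone then proves only "some NAS of some tenant," and the O= comparison restores the per-tenant boundary the SNI selection was meant to establish.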
The disclosed technology provides one or more technical advantages and practical applications. For example, the techniques allow an organization associated with a NAS device to be identified when a standard TLS-based protocol is used that does not provide the ability to add custom interactions and/or payloads. The technique relies only on a standard extension of the TLS handshake and can be used with various TLS-based protocols. Furthermore, the techniques of this disclosure allow a NAC system to avoid storing all configuration information for every organization, and allow configuration information to be kept out of certain NAC system locations as a result of policy.
Fig. 2 is a block diagram of an example Network Access Control (NAC) system 200 in accordance with one or more techniques of the present disclosure. NAC system 200 can be used to implement, for example, any of NAC systems 180 in fig. 1A, 1B, and 1C. In such examples, NAC system 200 is responsible for authenticating and authorizing one or more client devices 148 to access enterprise wireless network 106 at a subset of nearby enterprise sites 102A-102N.
NAC system 200 includes a communication interface 230, one or more processors 206, a user interface 210, memory 212, and database 218. The various elements are coupled together via a bus 214 through which they may exchange data and information. In some examples, NAC system 200 receives network access requests from one or more client devices 148 through NAS devices 108 (and in some cases edge devices 150) at a subset of nearby enterprise sites 102 from fig. 1A, 1B. In response to the network access request, NAC system 200 authenticates the requesting client device. In some examples, NAC system 200 enforces appropriate access policies to authenticated client devices according to enterprise-specific configuration information 217 downloaded from NMS 130 of fig. 1A, 1B. In some examples, NAC system 200 may be part of another server shown in fig. 1A, 1B, or part of any other server.
Processor 206 executes software instructions stored in a computer-readable storage medium (e.g., memory 212), such as software instructions defining software or a computer program, such as a non-transitory computer-readable medium including a storage device (e.g., a magnetic disk drive or optical disk drive) or memory (e.g., flash memory or RAM) or any other type of volatile or non-volatile memory, that stores instructions to cause the one or more processors 206 to perform the techniques described herein.
Communication interface 230 may include, for example, an ethernet interface. Communication interface 230 couples NAC system 200 to a network and/or the Internet, such as any of networks 134 and/or any of the local area networks shown in FIG. 1A. Communication interface 230 includes a receiver 232 and a transmitter 234, and nac system 200 receives data and information from AP 142, switch 146, router 147, edge device 150, NMS 130, or servers 116, 122, 128, and/or any other network node, device, or system forming part of network system 100 via receiver 232 and transmits data and information to AP 142, switch 146, router 147, edge device 150, NMS 130, or servers 116, 122, 128, and/or any other network node, device, or system forming part of network system 100 via transmitter 234, as shown in fig. 1A, 1B.
The data and information received by NAC system 200 may include, for example, configuration information 217 associated with one or more enterprise sites 102 downloaded from NMS 130. Configuration information 217 may include enterprise-specific NAC configuration information, including access policies and associated policy assignment criteria. For example, configuration information 217 may define a particular Virtual Local Area Network (VLAN), Access Control List (ACL), registration portal, etc. associated with a particular class of client devices. Configuration information 217 may also define different types of tracking, different types of authorization, and/or different levels of access rights for each class of client device. In addition, the data and information received by NAC system 200 can include identification information from client devices 148 relayed by NAS devices 108, which NAC system 200 uses to perform end user device fingerprinting in order to enforce the access policies defined in configuration information 217. NAC system 200 may also send data and information, including, for example, NAC event data, to NMS 130 via communication interface 230, which NMS 130 may use to remotely monitor the performance of NAC system 200.
Memory 212 includes one or more devices configured to store programming modules and/or data associated with the operation of NAC system 200. For example, the memory 212 may include a computer-readable storage medium, such as a non-transitory computer-readable medium including a storage device (e.g., a disk drive or optical drive) or memory (e.g., flash memory or RAM) or any other type of volatile or non-volatile memory, that stores instructions to cause the one or more processors 206 to perform the techniques described herein.
In this example, memory 212 includes an API 220, an authentication manager 240, a fingerprinting module 242, a policy manager 244, and an NMS connector 250. NAC system 200 may also include any other programming modules, software engines, and/or interfaces configured for authentication and authorization of client devices 148.
The authentication manager 240 causes authentication of the client device 148 to be performed at the NAS device 108 to access a wireless network 106, such as a branch or campus enterprise network, at a subset of the enterprise sites 102 in communication with the NAC system 200. Authentication manager 240 may perform the functions of an AAA server (e.g., RADIUS server) or provide access to an AAA server to authenticate client device 148 before providing access to enterprise network 106 via NAS device 108. In some examples, authentication manager 240 may participate in a handshake exchange between the client device, the NAS device, and NAC system 200 controlling access at the NAS device. In other examples, authentication manager 240 may enable certificate-based authentication of a client device or enable interaction with a cloud directory service to authenticate a client device.
Fingerprinting module 242 enables identification of client device 148 so that the appropriate authorization or access policy can be applied to the client device based on its identity or classification. Fingerprinting module 242 may identify client device 148 by analyzing the network behavior of the client device. Fingerprinting module 242 may receive network behavior data of client devices from NAS devices 108 and/or edge devices 150 in communication with NAC system 200. For example, fingerprinting module 242 may fingerprint client device 148 based on one or more of a MAC address, the DHCP options used to request an IP address, LLDP packets, user agent information, and/or device type and operating system information.
Policy manager 244 can enforce authorization or access policies based on the identity or class of the authenticated client device. For example, policy manager 244 may assign authenticated client devices to particular VLANs, apply particular ACLs, direct client devices to particular registration portals, etc., each associated with different types of tracking, different types of authorization, and/or different levels of access rights, based on configuration information 217 of the corresponding enterprise of the client device. In some examples, after a client device accesses an enterprise network, policy manager 244 may monitor the activity of the client device to identify security issues and, in response, reassign the client device to a quarantined VLAN or another lower-privileged VLAN to restrict access by the client device.
NMS connector 250 manages data and information exchanged between NAC system 200 and NMS 130, for example, via a RADSEC tunnel or another encrypted tunnel 184, as shown in fig. 1B. NMS connector 250 may maintain a log or map of which enterprise networks are served by NAC system 200 and the corresponding configuration information 217 for those enterprises. NMS connector 250 may also manage any updates or modifications to configuration information 217 received from NMS 130.
In accordance with one or more techniques of the present disclosure, authentication manager 240 of NAC system 200 may establish a RADSEC tunnel or another encrypted tunnel 182, as shown in fig. 1B, with one or more NAS devices 108 that are associated with one or more tenants or organizations. Authentication manager 240 may determine the organization to which a NAS device belongs from an identifier included in the NAS device's request to establish the secure tunnel, e.g., the SNI field of the "client hello" message. Authentication manager 240 may present the server certificate indicated by the identifier to NAS device 108, for example, in the "server hello" exchange. Authentication manager 240 may request a client certificate from NAS device 108 and check the client certificate against the CA of the organization associated with NAS device 108 as indicated by the identifier (e.g., the SNI value). Authentication manager 240 may consult configuration information 217 to find the configuration information of the organization indicated by the identifier. The organization-based configuration information may include an indication of the server certificate and of the CA against which the client certificate provided by NAS device 108 is checked. Authentication manager 240 may include configuration information caching logic that stores and uses organization-based configuration information within configuration information 217.
Fig. 3 is a block diagram of an example Network Management System (NMS) 300 in accordance with one or more techniques of the present disclosure. NMS 300 may be used to implement NMS 130 in fig. 1A, 1B, 1C, for example. In such an example, the NMS 300 is responsible for monitoring and managing one or more wireless networks 106A-106N at the sites 102A-102N, respectively.
NMS 300 includes a communication interface 330, one or more processors 306, a user interface 310, memory 312, and database 318. The various elements are coupled together via a bus 314, through which the various elements may exchange data and information. In some examples, NMS 300 receives data from one or more of client device 148, AP 142, switch 146, router 147, edge device 150, NAC system 180, and other network nodes (e.g., routers and gateway devices) within network 134, which can be used to calculate one or more SLE metrics and/or update network data 316 in database 318. The NMS 300 analyzes the data for cloud-based management of the wireless networks 106A-106N. In some examples, NMS 300 may be part of another server as shown in fig. 1A, or part of any other server.
The processor 306 executes software instructions stored in a computer-readable storage medium (e.g., memory 312), such as software instructions for defining software or a computer program, such as a non-transitory computer-readable medium including a storage device (e.g., a magnetic disk drive or optical disk drive) or memory (e.g., flash memory or RAM) or any other type of volatile or non-volatile memory, that stores instructions to cause the one or more processors 306 to perform the techniques described herein.
Communication interface 330 may comprise, for example, an Ethernet interface. Communication interface 330 couples NMS 300 to a network and/or the Internet, such as any of networks 134 shown in fig. 1A, and/or any local area network. Communication interface 330 includes a receiver 332 and a transmitter 334. Via receiver 332, NMS 300 receives data and information from any of client devices 148, APs 142, switches 146, routers 147, edge devices 150, NAC systems 180, servers 116, 122, 128, and/or any other network node, device, or system forming part of network system 100 as shown in fig. 1A; via transmitter 334, NMS 300 transmits data and information to those same devices. In some scenarios described herein, network system 100 includes "third party" network devices owned by and/or associated with an entity other than the operator of NMS 300, and NMS 300 does not directly receive, collect, or access network data from those third-party network devices. In some examples, an edge device (e.g., edge device 150 of fig. 1A, 1B) may provide a proxy through which network data of a third-party network device may be reported to NMS 300.
The data and information received by NMS 300 may include, for example, telemetry data, SLE-related data, or event data received from one or more of client devices 148, AP142, switch 146, router 147, edge devices 150, NAC system 180, or other network nodes (e.g., routers and gateway devices) for use by NMS 300 to remotely monitor the performance of wireless networks 106A-106N and application sessions from client devices to cloud-based application servers. NMS 300 may also send data to any network device (e.g., client device 148, AP142, switch 146, router 147, edge device 150, NAC system 180, or other network node within network 134) via communication interface 330 to remotely manage wireless networks 106A-106N and portions of the wired network.
Memory 312 includes one or more devices configured to store programming modules and/or data associated with the operation of NMS 300. For example, memory 312 may include a computer-readable storage medium, such as a non-transitory computer-readable medium including a storage device (e.g., a disk drive or optical drive) or memory (e.g., flash memory or RAM) or any other type of volatile or non-volatile memory, that stores instructions to cause one or more processors 306 to perform the techniques described herein.
In this example, memory 312 includes an API 320, an SLE module 322, a Virtual Network Assistant (VNA)/AI engine 350, a Radio Resource Management (RRM) engine 360, and a NAC controller 370. NMS 300 may also include any other programming modules, software engines, and/or interfaces configured for remote monitoring and management of wireless networks 106A-106N and portions of the wired network, including remote monitoring and management of any of AP 142, switch 146, router 147, edge device 150, NAC system 180, or other network devices (e.g., routers and gateway devices).
SLE module 322 enables the setting and tracking of thresholds for SLE metrics for each network 106A-106N. SLE module 322 further analyzes SLE-related data collected by, for example, an AP (e.g., any AP 142) from UEs in each wireless network 106A-106N. For example, APs 142A-1 through 142A-N collect SLE-related data from UEs 148A-1 through 148A-N currently connected to wireless network 106A. This data is sent to NMS 300, where SLE module 322 processes it to determine one or more SLE metrics for each UE 148A-1 through 148A-N currently connected to wireless network 106A. This data, together with any other network data collected by one or more of APs 142A-1 through 142A-N in wireless network 106A, is transmitted to NMS 300 and stored in database 318 as, for example, network data 316.
RRM engine 360 monitors one or more metrics for each site 102A-102N to learn and optimize the RF environment for each site. For example, RRM engine 360 can monitor coverage and capacity SLE metrics for wireless network 106 at sites 102 to identify potential problems with SLE coverage and/or capacity in wireless network 106 and adjust radio settings for access points at each site to address the identified problems. For example, the RRM engine may determine the channel and transmit power distribution across all APs 142 in each network 106A-106N. For example, RRM engine 360 may monitor events, power, channels, bandwidth, and the number of clients connected to each AP. RRM engine 360 may further automatically change or update the configuration of one or more APs 142 at station 102 in order to improve coverage and capacity SLE metrics, thereby providing an improved wireless experience for the user.
VNA/AI engine 350 analyzes data received from the network devices and its own data to identify when an undesirable or abnormal condition is encountered at one of the network devices. For example, VNA/AI engine 350 can identify the root cause of any undesirable or abnormal state, e.g., any poor SLE metric indicative of a connectivity problem at one or more network devices. In addition, VNA/AI engine 350 can automatically invoke one or more corrective actions aimed at resolving the identified root cause of the one or more poor SLE metrics. In some examples, ML model 380 may include a supervised ML model trained using training data comprising pre-collected, labeled network data received from network devices. The supervised ML model may include one of logistic regression, naive Bayes, Support Vector Machines (SVMs), etc. In other examples, ML model 380 may include an unsupervised ML model. Although not shown in fig. 3, in some examples database 318 may store the training data, and VNA/AI engine 350 or a dedicated training module may be configured to train ML model 380 based on the training data to determine appropriate weights for one or more features of the training data.
Examples of corrective actions that may be automatically invoked by VNA/AI engine 350 may include, but are not limited to, invoking RRM 360 to restart one or more APs, adjusting/modifying transmit power of a particular radio in a particular AP, adding an SSID configuration to a particular AP, changing channels on an AP or a set of APs, and the like. Corrective actions may also include restarting the switch and/or router, invoking new software downloads to the AP, switch or router, etc. These corrective measures are given for illustrative purposes only and the disclosure is not limited in this respect. If automatic corrective measures are not available or are insufficient to address the root cause, the VNA/AI engine 350 can proactively provide notifications that include recommended corrective measures to be taken by IT personnel (e.g., a site using the administrator device 111 or a network administrator) to address the network error.
NAC controller 370 implements a NAC configuration platform that provides a user interface 310 for display to an enterprise network administrator, e.g., via administrator device 111 of FIG. 1A, through which access policy information for the enterprise network is received. NAC controller 370 creates enterprise-specific configuration information 317 stored in database 318 based on input received via user interface 310. Configuration information 317 may include NAC configuration information for one or more enterprise networks managed by NMS 300. Configuration information 317 may include, for each enterprise, access policies and associated policy allocation criteria. For example, the configuration information 317 may define a particular VLAN, ACL, registration portal, etc. associated with a particular class of client device, and may also define different types of tracking, different types of authorization, and/or different levels of access rights for each different class of client device. Configuration information 317 may be substantially similar to configuration information 139 of fig. 1B.
NAC controller 370 manages data and information exchanged between NMS 300 and NAC system 180, for example, via a RADSEC tunnel or another encryption tunnel 184, as shown in fig. 1B. NAC controller 370 may maintain a log or map of which enterprise networks are served by which NAC systems 180 and corresponding configuration information 317 for those enterprises. NAC controller 370 may also manage any updates or modifications to be pushed down to NAC system 180 regarding configuration information 317. In addition, NAC controller 370 can monitor NAC system 180 to identify failures of the primary NAC system and manage failover to the backup NAC system.
In accordance with one or more techniques of this disclosure, NAC controller 370 can provide a NAC system (e.g., one of NAC systems 180 of FIGS. 1A-1C or NAC system 200 of FIG. 2) with organization-based configuration information to allow the NAC system to establish a secure tunnel, e.g., a RADSEC or other encrypted tunnel, with one or more NAS devices. The organization-based configuration information may include the server certificate of the NAC system and an indication of the organization's CA. NAC controller 370 may provide periodic configuration updates to the NAC system. NAC controller 370 may use policies to determine whether to provide the NAC system with the organization-based configuration information. Configuration information 317 may include the organization-based configuration information and the policies.
The NAS provisioning unit 272 may provision the NAS device (e.g., the NAS device 108 in fig. 1A-1C) with the indicator to be inserted in the SNI field and with the "client certificate" of the NAS device.
Although the techniques of this disclosure are described in this example as being performed by NMS 130, the techniques described herein may be performed by any other computing device, system, and/or server, and the disclosure is not limited in this respect. For example, one or more computing devices configured to perform the functions of the techniques of this disclosure may reside in a dedicated server or be contained in any other server, either in addition to or separate from NMS 130, or may be distributed throughout network system 100, and may or may not form part of NMS 130.
Fig. 4 is a block diagram of an example Access Point (AP) device 400 in accordance with one or more techniques of this disclosure. The example access point 400 shown in fig. 4 may be used to implement any AP 142 as shown and described herein with reference to fig. 1A. The access point 400 may include, for example, a Wi-Fi, Bluetooth, and/or Bluetooth Low Energy (BLE) base station, or any other type of wireless access point.
In the example of fig. 4, access point 400 includes a wired interface 430, wireless interfaces 420A-420B, one or more processors 406, memory 412, and input/output 410 coupled together via bus 414, through which the various elements may exchange data and information. The wired interface 430 represents a physical network interface and includes a receiver 432 and a transmitter 434 for sending and receiving network communications (e.g., packets). The wired interface 430 couples the access point 400 directly or indirectly to a wired network device, such as one of the switches 146 or routers 147 in the wired network of fig. 1A, 1B, via a cable (e.g., an ethernet cable).
First wireless interface 420A and second wireless interface 420B represent wireless network interfaces and include receivers 422A and 422B, respectively, each of which includes a receive antenna via which access point 400 may receive wireless signals from a wireless communication device (e.g., UE 148 of fig. 1A, 1B). The first wireless interface 420A and the second wireless interface 420B also include transmitters 424A and 424B, respectively, each including a transmit antenna via which the access point 400 may transmit wireless signals to wireless communication devices (e.g., the UE 148 of fig. 1A, 1B). In some examples, the first wireless interface 420A may include a Wi-Fi 802.11 interface (e.g., 2.4 GHz and/or 5 GHz), and the second wireless interface 420B may include a Bluetooth interface and/or a Bluetooth Low Energy (BLE) interface. As described above, AP 400 may request network access for one or more UEs 148 from a nearby NAC system (e.g., NAC system 200 of fig. 2 or one of NAC systems 180 of fig. 1A, 1B).
The processor 406 is a programmable hardware-based processor configured to execute software instructions, such as instructions that define a software program or computer program, stored in a computer-readable storage medium (e.g., the memory 412). The computer-readable storage medium may be a non-transitory computer-readable medium that includes a storage device (e.g., a magnetic disk drive or optical disk drive) or memory (e.g., flash memory or RAM) or any other type of volatile or non-volatile memory, and that stores instructions to cause the one or more processors 406 to perform the techniques described herein.
Memory 412 includes one or more devices configured to store programming modules and/or data associated with the operation of access point 400. For example, memory 412 may include computer-readable storage media, such as non-transitory computer-readable media, including a storage device (e.g., a magnetic disk drive or optical disk drive) or memory (e.g., flash memory or RAM) or any other type of volatile or non-volatile memory that stores instructions to cause one or more processors 406 to perform the techniques described herein.
In this example, memory 412 stores executable software and includes an Application Programming Interface (API) 440, a communication manager 442, configuration settings 450, a device status log 452, a data store 454, and a log controller 455. The device status log 452 includes a list of events specific to the access point 400. The events may include a log of normal events and error events, such as memory status, reboot or restart events, crash events, cloud disconnect with self-recovery events, low link speed or link speed fluctuation events, Ethernet port status, Ethernet interface packet errors, upgrade failure events, firmware upgrade events, configuration changes, etc., together with a time and date stamp for each event. The log controller 455 determines the logging level of the device based on instructions from the NMS 130. Data store 454 may store any data used and/or generated by access point 400, including data collected from UE 148, e.g., data used to calculate one or more SLE metrics, which is transmitted by access point 400 for cloud-based management of wireless network 106A by NMS 130/300.
Input/output (I/O) 410 represents physical hardware components capable of interacting with a user, such as buttons, displays, and the like. Although not shown, memory 412 typically stores executable software for controlling a user interface with respect to inputs received via I/O 410. Communication manager 442 includes program code that, when executed by processor 406, allows access point 400 to communicate with UE 148 and/or network 134 via any of interfaces 430 and/or 420A-420C. Configuration settings 450 include any device settings of access point 400, such as radio settings of each wireless interface 420A-420C. These settings may be manually configured or may be remotely monitored and managed by NMS 130 to optimize wireless network performance on a periodic basis (e.g., hourly or daily).
As described herein, AP device 400 may measure network data from status log 452 and report it to NMS 130. Network data can include event data, telemetry data, and/or other SLE related data. The network data may include various parameters that indicate the performance and/or status of the wireless network. These parameters may be measured and/or determined by one or more UE devices and/or one or more APs in the wireless network. NMS 130/300 may determine one or more SLE metrics based on SLE related data received from APs in the wireless network and store the SLE metrics as network data 137 (fig. 1B).
In accordance with one or more techniques of this disclosure, NAC connector 460 is operable to request and (if authenticated) establish a secure tunnel, such as a RADSEC tunnel or another encrypted tunnel, with at least one NAC system (e.g., one of NAC systems 180 of fig. 1A-1C or NAC system 200 of fig. 2). NAC connector 460 may send an identifier from access point 400 to the NAC system indicating the organization of access point 400, e.g., as the SNI value in a "client hello" message. NAC connector 460 may also evaluate the server certificate received back from the NAC system and send the client certificate to the NAC system to complete an authentication handshake, e.g., a TLS handshake.
Fig. 5 is a block diagram of an example edge device 500 in accordance with one or more techniques of this disclosure. The edge device 500 includes a cloud-managed wireless Local Area Network (LAN) controller. Edge device 500 may implement any of edge devices 150 of fig. 1A, 1B, for example. In such examples, edge device 500 comprises a local device at site 102 that communicates with NMS 130 and one or more local NAS devices 108, e.g., one or more APs 142, switches 146, or routers 147 in fig. 1A, 1B. The edge device 500 is connected to the NMS 130 and is operable to extend some microservices from the NMS 130 to the local NAS devices 108 while using the NMS 130 and its distributed software architecture for scalable and resilient operation, management, troubleshooting, and analysis.
In this example, the edge device 500 includes a wired interface 502, such as an Ethernet interface, a processor 506, input/output 508 (e.g., display, buttons, keyboard, keypad, touch screen, mouse, etc.), and memory 512, coupled together via a bus 514 through which the various elements may exchange data and information. The wired interface 502 couples the edge device 500 to a network, such as the network 134 shown in fig. 1A and/or any local area network. The wired interface 502 includes a receiver 520 and a transmitter 522; the edge device 500 receives data and information from any of the NAS devices 108, NMS 130 and/or NAC system 180 via the receiver 520, and transmits data and information to any of the NAS devices 108, NMS 130 and/or NAC system 180 via the transmitter 522. Although only one interface is shown as an example, the edge device 500 may have multiple communication interfaces and/or multiple communication interface ports.
Memory 512 stores executable software applications 532, operating system 540, and data/information 530. The data 530 may include a system log and/or an error log storing event data (including behavior data) of the edge device 500. Tunnel service 544 provides local tunnel termination for APs and other NAS devices. Tunnel service 544 also provides secure tunnel proxies to NMS 130 and/or NAC system 180. In one case, one or more NAS devices 108 (e.g., switch 146A from fig. 1B) may not support establishing RADSEC tunnels directly with NMS 130 and/or NAC system 180. In this case, the tunnel service 544 of the edge device 500 provides a RADSEC proxy to enable RADIUS packets received from the switch 146A via the RADIUS tunnel 178A to be tunneled to the NAC system 180A using the RADSEC tunnel 182A, as shown in fig. 1B.
In accordance with one or more techniques of this disclosure, tunnel service 544 can be used to establish a secure tunnel, e.g., a RADSEC tunnel or another encrypted tunnel, to a NAC system (e.g., one of NAC systems 180 of fig. 1A-1C or NAC system 200 of fig. 2). Tunnel service 544 may send an identifier, e.g., the SNI value in a "client hello" message, from edge device 500 to the NAC system indicating the organization of edge device 500. Tunnel service 544 may also evaluate the server certificate received back from the NAC system and send the client certificate to the NAC system to complete an authentication handshake, e.g., a TLS handshake.
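Both the AP's NAC connector 460 and the edge device's tunnel service 544 above place the organization identifier in the SNI field of the TLS "client hello", and the NAC system has to read that value out of the very first record it receives, before any certificate has been exchanged. The Python below is an added example, not code from the patent or from Juniper Networks: it builds a minimal ClientHello on the NAS side and parses the SNI extension on the NAC side with bounds checks, returning None for anything that is not a well-formed ClientHello carrying a host_name entry. The single cipher suite, the zeroed random field, the `tenant_indicator` helper and the `<tenant>.<nac_domain>` naming convention are assumptions of the example, not details given on the page.

```python
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16      # record-layer content type for handshake messages
HS_CLIENT_HELLO = 0x01    # handshake message type for ClientHello
EXT_SERVER_NAME = 0x0000  # Server Name Indication extension type (RFC 6066)
HOST_NAME = 0x00          # the only defined NameType inside the SNI extension


class _Cursor:
    """Bounds-checked reader over bytes; raises ValueError instead of reading past the end."""

    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated TLS message")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack("!H", self.take(2))[0]

    def u24(self) -> int:
        return int.from_bytes(self.take(3), "big")

    def exhausted(self) -> bool:
        return self.pos >= len(self.data)


def build_client_hello(server_name: Optional[str], random_bytes: bytes = bytes(32)) -> bytes:
    """NAS side: minimal ClientHello record carrying server_name as the SNI value.

    server_name=None omits the extensions block entirely. The zeroed random field and the
    single cipher suite are constructed for the example; a real client uses a CSPRNG.
    """
    if len(random_bytes) != 32:
        raise ValueError("ClientHello random must be 32 bytes")
    body = (b"\x03\x03" + random_bytes              # client_version, random
            + b"\x00"                                # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00")                           # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """NAC side: return the host_name from the SNI extension of a ClientHello record.

    None means "no usable indicator": not a ClientHello, no SNI, or a malformed message.
    The caller should then refuse the tunnel rather than guess a tenant.
    """
    try:
        rec = _Cursor(record)
        if rec.u8() != TLS_HANDSHAKE:
            return None
        rec.take(2)                                   # record-layer protocol version
        hs = _Cursor(rec.take(rec.u16()))
        if hs.u8() != HS_CLIENT_HELLO:
            return None
        body = _Cursor(hs.take(hs.u24()))
        body.take(2 + 32)                             # client_version + random
        body.take(body.u8())                          # legacy_session_id
        body.take(body.u16())                         # cipher_suites
        body.take(body.u8())                          # compression_methods
        if body.exhausted():
            return None                               # no extensions block at all
        exts = _Cursor(body.take(body.u16()))
        while not exts.exhausted():
            ext_type = exts.u16()
            ext_data = _Cursor(exts.take(exts.u16()))
            if ext_type != EXT_SERVER_NAME:
                continue
            names = _Cursor(ext_data.take(ext_data.u16()))
            while not names.exhausted():
                name_type = names.u8()
                name = names.take(names.u16())
                if name_type == HOST_NAME:
                    return name.decode("ascii")
        return None
    except (ValueError, UnicodeDecodeError):
        return None


def tenant_indicator(sni: str, nac_domain: str) -> Optional[str]:
    """Assumed provisioning convention: the NAS is given '<tenant>.<nac_domain>' as its SNI
    value, so the tenant indicator is the single label in front of the NAC domain."""
    suffix = "." + nac_domain
    if not sni.endswith(suffix):
        return None
    label = sni[:-len(suffix)]
    return label if label and "." not in label else None
```

The parser deliberately treats every length field as untrusted: a truncated record, a record of another content type, or a ClientHello without an extensions block all yield None, and `tenant_indicator` rejects values with extra labels so that an SNI such as `evil.acme.nac.example` cannot be mistaken for tenant `acme`. In a deployment the SNI is the tenant lookup key only; the client certificate check that follows is what actually authenticates the NAS.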
Fig. 6 is a conceptual diagram illustrating an example communication flow. The communication flow of fig. 6 is described with respect to NAS device 108, NAC system 180, and NMS 130 in fig. 1A-1C. The NMS 130 provides the NAS device 108 with an organization indicator and a client certificate. When the NAS device 108 attempts to establish a tunnel, the NAS device 108 can send a client hello with the organization indicator in the SNI field to the NAC system 180. NAC system 180 can map the indicator to the organization-specific configuration information. When the organization's configuration information is stored locally at NAC system 180, NAC system 180 can send a server hello including the server certificate from the configuration information.
When the organization's configuration information is not stored locally in NAC system 180, NAC system 180 uses the SNI indicator to request the configuration information from NMS 130. NMS 130 may map the indicator to the organization-specific configuration information. NMS 130 may check the policy of the organization identified by the SNI to determine whether NAC system 180 is allowed to store the configuration information, e.g., based on the physical geographic location of NAC system 180. NMS 130 provides the configuration information to NAC system 180 when the organization policy allows the configuration information to be stored at NAC system 180. NAC system 180 can then send a server hello back to NAS device 108, including the server certificate from the organization's configuration information. NAC system 180 may request a client certificate from NAS device 108, and NAS device 108 may respond with its client certificate. NAC system 180 can then verify the client certificate against the organization's certificate authority, as indicated by the organization's configuration information identified by the SNI. NAC system 180 and NAS device 108 may then establish the secure tunnel.
As described above, NAC system 180 can use the identifier to identify the organization with which NAS device 108A is associated. NAC system 180 and NMS 130 may store the organization-specific configuration information keyed by the identifier. Each NAC system 180 need only store configuration information for the organizations it is currently serving. NAC system 180 need not permanently store configuration information for every organization; NAC system 180 may use the identifier to request and download an organization's configuration from NMS 130 as needed (referred to as "lazy download"). In this way, the configuration information for all organizations need not reside in every NAC system 180. Instead, each NAC system 180 may store only the organization-specific configuration information for those organizations to which that NAC system 180 provides NAC services. Based on inactivity, the organization configuration information may become stale and be discarded from the cloud memory of NAC system 180.
Fig. 7 is a flowchart illustrating example operations of identifying and verifying a tenant or organization to which NAS device 108 belongs in the context of a multi-tenant, cloud-hosted NAC system 180, in accordance with one or more techniques of the present disclosure. The example operations of fig. 7 are described herein with respect to NMS 130 and NAC system 180 of fig. 1A-1C. In other examples, the operations of fig. 7 may be performed by other computing systems or devices.
The NAC system 180A receives a request to establish a secure tunnel from a NAS device 108A of a plurality of NAS devices 108 associated with a network tenant of the one or more network tenants, the request including an indicator identifying the network tenant to which the NAS device 108A belongs (702). NAS device 108 may include any network infrastructure device that authenticates and authorizes client devices to access an enterprise network, such as access points, switches, and routers. Network tenants may correspond to different organizations or communities. The secure tunnel may be a TLS (transport layer security) tunnel. The NAC system may provide RADIUS (remote authentication dial-in user service) services to the NAS device and the TLS tunnel may be a RADSEC (RADIUS over TLS) tunnel. The request may be a "client hello" message. The indicator may be a Server Name Indication (SNI) field of a "client hello" message.
NAC system 180A obtains configuration information for the network tenant based on the indicator, the configuration information including a server certificate associated with the network tenant (704). To obtain the configuration information of the network tenant, NAC system 180A may use the indicator to perform a lookup in a local cache of configuration information to identify the network tenant. Based on a successful lookup operation, the configuration information of the network tenant may be obtained from the local cache. Based on an unsuccessful lookup operation, the network tenant's configuration information may be obtained from NMS 130 using the indicator that identifies the network tenant.
NAC system 180A can clear the configuration information of the network tenant from the local cache if the configuration information is not used for a predetermined period of time. NMS 130 may provide configuration information updates to NAC system 180A. NAC system 180A can update the local cache with configuration information updates.
NMS 130 may determine whether to provide configuration information of the network tenant to the NAC system using policies associated with the network tenant. The policy may include restrictions on providing configuration information to the NAC system based on the physical location of the NAC system.
NAC system 180A provides server certificates to NAS device 108A in response to the request (706). NAC system 180A can include the server certificate in the server hello message. NAC system 180A can request client credentials from NAS device 108A. The request may be part of a TLS handshake extension. NAC system 180A can receive client credentials from NAS device 108A. NMS 130 may provide an indicator and client credentials to NAS device 108A before NAC system 180A receives an initial request for a secure tunnel.
In response to receiving the client certificate from NAS device 108A, NAC system 180A verifies the client certificate using the network tenant's configuration information (708). The configuration information may indicate a certificate authority (CA) associated with the network tenant. NAC system 180A can use the CA associated with the network tenant to verify the client certificate received from NAS device 108A. The NMS 130 may maintain the CA associated with the network tenant, or the CA associated with the network tenant may be in another location.
NAC system 180A establishes a secure tunnel with the NAS device (710). The secure tunnel may be a TLS tunnel, for example, a RADSEC (RADIUS over TLS) tunnel. NAC system 180 provides NAC services to NAS device 108A using the secure tunnels (712). The NAC service may include providing access to authentication, authorization, and accounting (AAA) services for authenticating the user.
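The communication flow of fig. 6 and operations 702 through 712 above describe a single procedure: map the SNI indicator to a tenant, look the tenant's configuration up in a local cache, lazily download it from the NMS on a miss (subject to the tenant's placement policy, e.g., the NAC system's physical location), present the tenant's server certificate, verify the client certificate under the tenant's CA, and evict configuration that has gone unused for a predetermined period. The Python below is an added example that models that procedure end to end; it is not code from the patent or from Juniper Networks. The `NMS`, `NACSystem` and `CertAuthority` classes, the region-based policy, the `nac.example` server names and the HMAC tag standing in for an X.509 signature are all constructed for the example, as is the convention that the tenant indicator is the leftmost SNI label.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: subject, issuing CA name, and an
    HMAC tag that plays the role of the CA signature so the example runs offline."""
    subject: str
    issuer: str
    tag: bytes


class CertAuthority:
    """Constructed per-tenant CA; a real deployment validates X.509 chains instead."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name, self._key = name, key

    def _tag(self, subject: str) -> bytes:
        return hmac.new(self._key, subject.encode(), hashlib.sha256).digest()

    def issue(self, subject: str) -> Cert:
        return Cert(subject, self.name, self._tag(subject))

    def verify(self, cert: Cert) -> bool:
        return cert.issuer == self.name and hmac.compare_digest(cert.tag, self._tag(cert.subject))


@dataclass(frozen=True)
class TenantConfig:
    tenant: str
    server_cert: Cert                # presented to the NAS in the server hello
    ca: CertAuthority                # tenant CA that NAS client certificates must verify under
    allowed_regions: FrozenSet[str]  # placement policy: NAC locations allowed to hold this config


class NMS:
    """Cloud NMS: source of truth for tenant configs, enforcing the placement policy on download."""

    def __init__(self) -> None:
        self._tenants: Dict[str, TenantConfig] = {}

    def register_tenant(self, tenant: str, ca_key: bytes, allowed_regions: Iterable[str]) -> CertAuthority:
        ca = CertAuthority(f"{tenant}-ca", ca_key)
        server_cert = ca.issue(f"{tenant}.nac.example")   # constructed server name
        self._tenants[tenant] = TenantConfig(tenant, server_cert, ca, frozenset(allowed_regions))
        return ca

    def fetch_config(self, indicator: str, nac_region: str) -> Optional[TenantConfig]:
        cfg = self._tenants.get(indicator)
        if cfg is None or nac_region not in cfg.allowed_regions:
            return None   # unknown tenant, or policy forbids storing its config at this NAC location
        return cfg


class NACSystem:
    """One multi-tenant NAC instance with a lazily filled, inactivity-evicted config cache."""

    def __init__(self, nms: NMS, region: str, ttl: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._nms, self.region, self._ttl, self._clock = nms, region, ttl, clock
        self._cache: Dict[str, Tuple[TenantConfig, float]] = {}   # indicator -> (config, last use)

    def config_for(self, indicator: str) -> Optional[TenantConfig]:
        hit = self._cache.get(indicator)
        cfg = hit[0] if hit else self._nms.fetch_config(indicator, self.region)  # lazy download on miss
        if cfg is None:
            return None
        self._cache[indicator] = (cfg, self._clock())   # record use for inactivity eviction
        return cfg

    def apply_update(self, cfg: TenantConfig) -> None:
        """NMS-pushed update: refresh only tenants this NAC currently holds in its cache."""
        if cfg.tenant in self._cache:
            self._cache[cfg.tenant] = (cfg, self._cache[cfg.tenant][1])

    def purge_stale(self) -> int:
        now = self._clock()
        stale = [k for k, (_, used) in self._cache.items() if now - used >= self._ttl]
        for k in stale:
            del self._cache[k]
        return len(stale)

    def cached_tenants(self) -> set:
        return set(self._cache)

    def handle_tunnel_request(self, sni: str, client_cert: Cert) -> Tuple[bool, str]:
        """Operations 702-710: SNI -> tenant, obtain config, present server cert, verify the
        client cert under the tenant CA, and only then report the tunnel as established."""
        indicator = sni.split(".", 1)[0]   # assumption: tenant label is the leftmost SNI label
        cfg = self.config_for(indicator)
        if cfg is None:
            return False, f"no configuration available for tenant indicator {indicator!r}"
        if not cfg.ca.verify(client_cert):
            return False, f"client certificate {client_cert.subject!r} does not verify under {cfg.ca.name}"
        return True, f"tunnel established for {cfg.tenant} using server cert {cfg.server_cert.subject}"
```

Two properties worth noting for a reviewer of such a system: the policy check sits in `NMS.fetch_config`, so a NAC instance in a disallowed region never receives the tenant's server certificate or CA at all, and the cache records the time of last use rather than time of download, which is what makes inactivity-based eviction (claim 5) distinct from a plain expiry. Whether a client certificate "verifies under the tenant CA" is modelled with an HMAC here; a deployment substitutes X.509 chain validation against the CA indicated in the tenant's configuration.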
The techniques described herein may be implemented in hardware, software, firmware, or any combination thereof. The various features described as modules, units, or components may be implemented together in an integrated logic device or separately as discrete but interoperable logic devices or other hardware devices. In some cases, various features of the electronic circuit may be implemented as one or more integrated circuit devices, e.g., an integrated circuit chip or chipset.
If implemented in hardware, the present disclosure may relate to a device, e.g., a processor or an integrated circuit device, e.g., an integrated circuit chip or chipset. Alternatively or additionally, if implemented in software or firmware, the techniques may be realized at least in part by a computer-readable data storage medium comprising instructions that, when executed, cause a processor to perform one or more of the methods described above. For example, a computer-readable data storage medium may store such instructions for execution by a processor.
The computer-readable medium may form part of a computer program product, which may include packaging material. The computer-readable medium may include computer data storage media such as Random Access Memory (RAM), Read-Only Memory (ROM), Non-Volatile Random Access Memory (NVRAM), Electrically Erasable Programmable Read-Only Memory (EEPROM), flash memory, magnetic or optical data storage media, and the like. In some examples, an article of manufacture may comprise one or more computer-readable storage media.
In some examples, the computer-readable storage medium may include a non-transitory medium. The term "non-transitory" may mean that the storage medium is not embodied in a carrier wave or propagated signal. In some examples, a non-transitory storage medium may store data (e.g., in RAM or cache) that may change over time.
The code or instructions may be software and/or firmware executed by processing circuitry comprising one or more processors, such as one or more Digital Signal Processors (DSPs), general-purpose microprocessors, Application-Specific Integrated Circuits (ASICs), Field-Programmable Gate Arrays (FPGAs), or other equivalent integrated or discrete logic circuitry. Thus, the term "processor" as used herein may refer to any of the foregoing structures or any other structure suitable for implementation of the techniques described herein. Furthermore, in some aspects, the functionality described in this disclosure may be provided in software modules or hardware modules.

Claims (20)

1. A network access control system, comprising:
a cloud-based network management system, NMS, configured to manage a plurality of network access server, NAS, devices associated with one or more network tenants; and
one or more cloud-based network access control, NAC, systems in communication with the NMS, at least one of the one or more NAC systems configured to:
receiving a request to establish a secure tunnel from a NAS device of the plurality of NAS devices associated with a network tenant of the one or more network tenants, the request including an indicator identifying the network tenant to which the NAS device belongs;
obtaining configuration information of the network tenant based on the indicator, the configuration information including a server certificate associated with the network tenant;
providing the server certificate to the NAS device in response to the request;
in response to receiving a client certificate from the NAS device, validating the client certificate using the configuration information of the network tenant;
establishing the secure tunnel with the NAS device; and
providing NAC services to the NAS device using the secure tunnel.
2. The network access control system of claim 1, wherein the secure tunnel comprises a transport layer security, TLS, tunnel, wherein the request to establish the secure tunnel comprises a "client hello" message, and wherein the indicator comprises a server name indication, SNI, field of the "client hello" message.
3. The network access control system of claim 2, wherein the NAC system is configured to provide remote authentication dial-in user service, RADIUS, services to the NAS device, and wherein the TLS tunnel is a RADIUS over TLS, RADSEC, tunnel.
4. The network access control system of claim 1, wherein to obtain the configuration information of the network tenant, the NAC system is configured to:
performing a lookup in a local cache of the configuration information using the indicator to identify the network tenant; and
obtaining the configuration information of the network tenant from the local cache based on a successful lookup operation.
5. The network access control system of claim 4, wherein the NAC system is configured to purge the configuration information of the network tenant from the local cache if the configuration information is not used for a predetermined period of time.
6. The network access control system of claim 4, wherein the NMS is configured to provide configuration information updates to the NAC system, and wherein the NAC system is configured to update the local cache using the configuration information updates.
7. The network access control system of claim 1, wherein to obtain the configuration information of the network tenant, the NAC system is configured to:
performing a lookup in a local cache of the configuration information using the indicator to identify the network tenant; and
based on an unsuccessful lookup operation, obtaining the configuration information of the network tenant from the NMS based on the indicator identifying the network tenant.
8. The network access control system of claim 7, wherein the NMS is configured to use policies associated with the network tenant to determine whether to provide the configuration information of the network tenant to the NAC system.
9. The network access control system of claim 8, wherein the policy includes a restriction to provide the configuration information to the NAC system based on a physical location of the NAC system.
10. The network access control system of any of claims 1-9, wherein the NMS is configured to provide the indicator and the client certificate to the NAS device before the NAC system receives the request for the secure tunnel.
11. The network access control system of any of claims 1-9, wherein the configuration information includes an indication of a certificate authority, CA, associated with the network tenant, and wherein the NAC system is configured to verify the client certificate received from the NAS device using the CA associated with the network tenant.
12. The network access control system of claim 11, wherein the NMS is configured to maintain the CA associated with the network tenant.
13. A network access control method, comprising:
at a cloud-based network access control, NAC, system in communication with a cloud-based network management system, NMS, receiving a request from a NAS device of a plurality of network access server, NAS, devices associated with one or more network tenants to establish a secure tunnel, the request comprising an indicator identifying a network tenant of the one or more network tenants to which the NAS device belongs;
obtaining, by the NAC system, configuration information of the network tenant based on the indicator, the configuration information including a server certificate associated with the network tenant;
providing, by the NAC system, the server certificate to the NAS device in response to the request;
responsive to receiving a client certificate from the NAS device, validating, by the NAC system, the client certificate using the configuration information of the network tenant;
establishing, by the NAC system, the secure tunnel with the NAS device; and
providing, by the NAC system, NAC services to the NAS device using the secure tunnel.
14. The network access control method of claim 13, wherein the secure tunnel comprises a transport layer security, TLS, tunnel, wherein the request to establish the secure tunnel comprises a "client hello" message, and wherein the indicator comprises a server name indication, SNI, field of the "client hello" message.
15. The network access control method of claim 13, wherein obtaining the configuration information of the network tenant comprises:
performing a lookup in a local cache of configuration information using the indicator to identify the network tenant; and
obtaining the configuration information of the network tenant from the local cache based on a successful lookup operation.
16. The network access control method of claim 13, wherein obtaining the configuration information of the network tenant comprises:
performing a lookup in a local cache of the configuration information using the indicator to identify the network tenant; and
based on an unsuccessful lookup operation, obtaining the configuration information of the network tenant from the NMS based on the indicator identifying the network tenant.
17. The network access control method of claim 16, further comprising determining, by the NMS, whether to provide the configuration information to the NAC system using policies associated with the network tenant.
18. The network access control method of claim 17, wherein the policy includes a restriction to provide the configuration information to the NAC system based on a physical location of the NAC system.
19. The network access control method of any of claims 13-18, wherein the configuration information includes an indication of a certificate authority, CA, associated with the network tenant, and wherein verifying the client certificate includes using the CA associated with the network tenant to verify the client certificate received from the NAS device.
20. A computer-readable storage medium comprising instructions that, when executed, cause one or more processors of a cloud-based network access control, NAC, system in communication with a cloud-based network management system, NMS, to:
receiving a request to establish a secure tunnel from a NAS device of a plurality of network access server NAS devices associated with one or more network tenants, the request including an indicator identifying a network tenant of the one or more network tenants to which the NAS device belongs;
obtaining configuration information of the network tenant based on the indicator, the configuration information including a server certificate associated with the network tenant;
providing the server certificate to the NAS device in response to the request;
in response to receiving a client certificate from the NAS device, validating the client certificate using the configuration information of the network tenant;
establishing the secure tunnel with the NAS device; and
providing NAC services to the NAS device using the secure tunnel.
CN202211731491.8A 2022-06-14 2022-12-30 Network access control system, network access control method, and storage medium Pending CN117240490A (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US63/366,379 2022-06-14
US17/934,124 US20230403272A1 (en) 2022-06-14 2022-09-21 Organization identification of network access server devices into a multi-tenant cloud network access control service
US17/934,124 2022-09-21

Publications (1)

Publication Number Publication Date
CN117240490A true CN117240490A (en) 2023-12-15

Family

ID=89089937

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211731491.8A Pending CN117240490A (en) 2022-06-14 2022-12-30 Network access control system, network access control method, and storage medium

Country Status (1)

Country Link
CN (1) CN117240490A (en)


Legal Events

Date Code Title Description
PB01 Publication