Patents by Inventor Arthur Zavalkovsky

Arthur Zavalkovsky has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7493394
    Abstract: The invention provides techniques for dynamic timeout including the steps of receiving a request from a requestor; determining whether an interim message should be sent to the requestor; and, if the interim message should be sent to the requestor, sending to the requestor the interim message referring to the request. Techniques are also provided for dynamic timeout including steps of sending a request to a server; receiving an interim message from the server, where the interim message contains one or more response-related items; and determining whether to change a timeout value based on the one or more response-related items in the interim message.
    Type: Grant
    Filed: December 31, 2003
    Date of Patent: February 17, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Arthur Zavalkovsky, Jeremy Stieglitz
  • Patent number: 7421503
    Abstract: A method is disclosed for providing multiple authentication types within an authentication protocol that supports a single type of authentication for a client in communication with an authorization server over a network. One or more authentication request packets compliant with an authentication protocol are sent to the client. Each of the packets comprises a type value that specifies multiple authentication, and a data field having a value that is structured in compliance with the authentication protocol. Each of the packets is associated with one of a plurality of different authentication conversations with the client. A plurality of responses is received from the client for each of the authentication conversations. The sending and receiving steps are repeated until results are determined for the authentication conversations. The client is authenticated based on results of each of the plurality of authentication conversations.
    Type: Grant
    Filed: January 17, 2003
    Date of Patent: September 2, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Jeremy Stieglitz, John Zamick, Ilan Frenkel, Arthur Zavalkovsky, Darran Potter
  • Publication number: 20080104242
    Abstract: A method and apparatus for managing and balancing wireless access based on centralized information is provided. A request to provide service to a wireless client is received from a first access node in a plurality of access nodes. An access policy, applicable to the first access node, is selected from a plurality of stored policies. The stored policies may include a variety of rules, such as how many or which wireless clients may be serviced by an access node. A centralized manager, such as an AAA server, may perform the selection of the access policy. A determination is made as to whether to allow the first access node to provide service to the wireless client based on the selected access policy. A message that instructs the first access node whether to provide or deny service to the wireless client is transmitted to the first access node.
    Type: Application
    Filed: December 31, 2007
    Publication date: May 1, 2008
    Inventors: Arthur Zavalkovsky, Jeremy Stieglitz, Ami Schieber
  • Publication number: 20080092214
    Abstract: A method is disclosed for authenticating multiple network elements that access a network through a single network switch port. Certain authentication protocols, such as EAPoE, leave a port of a network switch indefinitely opened when one particular host is authenticated and authorized to transmit network frames through the port. In one embodiment of the invention, a network frame from a second host that is received by the open port is not automatically transmitted to the network. Instead, techniques are employed locally by the network switch to grant or deny transmission of the network frame received from the second host. An authentication server is contacted only when the network switch cannot locally employ techniques to authorize the transmission of the network frame received from the second host.
    Type: Application
    Filed: December 20, 2007
    Publication date: April 17, 2008
    Inventors: Arthur Zavalkovsky, John Zamick, Yoram Ramberg
  • Patent number: 7336960
    Abstract: A method and apparatus for managing and balancing wireless access based on centralized information is provided. A request to provide service to a wireless client is received from a first access node in a plurality of access nodes. An access policy, applicable to the first access node, is selected from a plurality of stored policies. The stored policies may include a variety of rules, such as how many or which wireless clients may be serviced by an access node. A centralized manager, such as an AAA server, may perform the selection of the access policy. A determination is made as to whether to allow the first access node to provide service to the wireless client based on the selected access policy. A message that instructs the first access node whether to provide or deny service to the wireless client is transmitted to the first access node.
    Type: Grant
    Filed: October 26, 2004
    Date of Patent: February 26, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Arthur Zavalkovsky, Jeremy Stieglitz, Ami Schieber
  • Patent number: 7313635
    Abstract: A method is disclosed for simulating a load on an application server in a network. The method intercepts data packets of a request from a sender to a receiver. The data packets to be intercepted can be selected according to specified criteria, such as communications protocol or port and address information of the sender and/or receiver. A simulation session can begin and end based on a specified period of time or after a specified number of data packets have been received. The intercepted data packets are stored in a buffer and the time of arrival of the data packets is recorded. The data packets are held in the buffer for a user specified delay time. Upon expiration of the delay time, the data packets are forwarded to the receiver. Alternately, the method can operate bi-directionally, or by intercepting and delaying data packets of a response of the receiver sent to the sender.
    Type: Grant
    Filed: March 21, 2002
    Date of Patent: December 25, 2007
    Assignee: Cisco Technology
    Inventor: Arthur Zavalkovsky
  • Publication number: 20070256122
    Abstract: A method and system is disclosed for creating and tracking network sessions. A request to access a network is received from an entity. The entity is authenticated after the request is received. Authenticated identity information associated with the entity, network address information associated with the entity, and network location information associated with the entity is collected. An information set is created. The information set comprises and binds together the authenticated identity information, the network address information, and the network location information. The information set indicates a present association among the authenticated identity information, the network address information, and the network location information. The information set is stored in a session record in a centralized database. The session record represents a session in which the entity accesses the network. The session record is one of a plurality of session records that are stored in the centralized database.
    Type: Application
    Filed: April 28, 2006
    Publication date: November 1, 2007
    Inventors: Ian Foo, Jeremy Stieglitz, Arthur Zavalkovsky, Jeevan Patil, Partha Bhattacharya, Jason Frazier, Ellis Dobbins
  • Publication number: 20070101406
    Abstract: Automatically re-authenticating a computing device seeking access to a network or a resource. A method comprises forwarding a request received from the computing device to an authentication device to enable the authentication device to authenticate the computing device using a full-authentication mechanism. State information related to authenticating the computing device is created from authenticating the computing device. The state information is received and stored. For example, an authenticator device that forwarded the initial authentication request from the computing device to the authentication device receives and stores the state information. The computing device is re-authenticated using the stored state information without again contacting the authentication device.
    Type: Application
    Filed: October 18, 2005
    Publication date: May 3, 2007
    Inventors: Arthur Zavalkovsky, Alexey Kobozev, Joseph Salowey, Ilan Frenkel
  • Publication number: 20070074049
    Abstract: A method and system for continuously serving the authentication requests of networked computers is disclosed. The authentication requests of computers are served and the services for the computers are reserved for a predefined time interval. The authentication service for a computer is reserved by an authentication server, which receives authentication requests of the computer.
    Type: Application
    Filed: September 29, 2005
    Publication date: March 29, 2007
    Applicant: Cisco Technology, Inc.
    Inventors: Ilan Frenkel, Arthur Zavalkovsky, Alexey Kobozev, Ilan Bronshtein
  • Publication number: 20060212928
    Abstract: A method and an apparatus are disclosed for securing authentication, authorization and accounting (AAA) protocol messages. An encryption key, a device identifier value, and verification data are received and stored at a network device. The verification data comprises in part a copy of the encryption key and the device identifier value, and has been encrypted using a private key of a server. A shared secret is generated by applying a computational function to the encryption key and the device identifier value. Based on the shared secret, a first message integrity check value for a message is generated. The message, the first integrity check value, and the verification data are sent to the server. The server decrypts the verification data using the private key, extracts the encryption key and the device identifier value, and generates the same shared secret by applying the same computational function to the extracted encryption key and device identifier value.
    Type: Application
    Filed: March 17, 2005
    Publication date: September 21, 2006
    Inventors: Fabio Maino, Michael Fine, Irene Kuffel, Arthur Zavalkovsky
  • Patent number: 7096260
    Abstract: A method and apparatus for performing load-based packet marking within a network is described. In one aspect, a first group of one or more packets of a data flow are marked with a first behavioral treatment value that directs devices within the network to treat the first group of one or more packets with a first quality of service treatment. The bandwidth that is currently being achieved for the flow within the network is determined based on data traffic within the network. Based on the achieved flow bandwidth within the network a second behavioral treatment value is then determined. Thereafter, a second group of one or more packets of the data flow is marked with a second behavioral treatment value that directs devices within the network to treat the second group of one or more packets with a second quality of service treatment. The process of dynamically marking the packets for a particular data flow may be performed multiple times.
    Type: Grant
    Filed: September 29, 2000
    Date of Patent: August 22, 2006
    Assignee: Cisco Technology, Inc.
    Inventors: Arthur Zavalkovsky, Itzhak Parnafes, Shai Mohaban
  • Publication number: 20060089122
    Abstract: A method and apparatus for managing and balancing wireless access based on centralized information is provided. A request to provide service to a wireless client is received from a first access node in a plurality of access nodes. An access policy, applicable to the first access node, is selected from a plurality of stored policies. The stored policies may include a variety of rules, such as how many or which wireless clients may be serviced by an access node. A centralized manager, such as an AAA server, may perform the selection of the access policy. A determination is made as to whether to allow the first access node to provide service to the wireless client based on the selected access policy. A message that instructs the first access node whether to provide or deny service to the wireless client is transmitted to the first access node.
    Type: Application
    Filed: October 26, 2004
    Publication date: April 27, 2006
    Inventors: Arthur Zavalkovsky, Jeremy Stieglitz, Ami Schieber
  • Patent number: 7027410
    Abstract: A method, apparatus, and computer-readable medium configured for maintaining consistent per-hop packet forwarding behavior among a plurality of network devices in a network within a Differentiated Services (DS) domain are disclosed. In one aspect, a method involves creating and storing a network-wide PHB definition that associates a PHB with a DS code point (DSCP) value, and with a set of parameters that define the bandwidth and buffer resources allocated to the PHBs on all interfaces of network devices within the DS domain. A mapping of each of the PHBs in the network-wide PHB definition to one or more queues of the network devices is determined. Drain size and queue size values are determined for each of the queues to which PHBs are mapped. A mapping of each of the PHBs to a threshold value associated with the queues is determined. Parameters of fragmentation and interleave mechanisms are determined.
    Type: Grant
    Filed: September 9, 2004
    Date of Patent: April 11, 2006
    Assignee: Cisco Technology, Inc.
    Inventors: Arthur Zavalkovsky, Nitsan Elfassy, Ron Cohen
  • Patent number: 6988133
    Abstract: A method is disclosed for communicating network quality of service policy information to a plurality of policy enforcement points. Active QoS configuration information is created and stored at a policy enforcement point, such as a router in a network. New configuration information is received and stored as an inactive configuration of the policy enforcement point. The policy enforcement point determines whether the inactive configuration information is properly functional in combination with the active QoS configuration information. The new configuration information is made active in place of the active QoS configuration information only in response to receiving an activation message. An inactive configuration may be signaled by a COPS protocol decision message from the policy decision point that identifies the configuration information as an inactive configuration by a specified flag bit in a message type value in a Context object that forms part of the decision message.
    Type: Grant
    Filed: October 31, 2000
    Date of Patent: January 17, 2006
    Assignee: Cisco Technology, Inc.
    Inventors: Arthur Zavalkovsky, Nitsan Elfassy
  • Patent number: 6959332
    Abstract: A method of converting an abstract quality of service policy into a new configuration for one or more network devices of a managed network, such as routers. The abstract quality of service policy is received and converted into a first set of one or more basic commands. A current configuration of one of the network devices is obtained, e.g. through device discovery. The configuration is received in the form of one or more first command line interface (CLI) commands that represent the current configuration of the network device. A second set of one or more basic commands that correspond to the current configuration of the network device is determined, based on the first CLI commands. The first and second sets of basic commands are transformed into one or more second CLI commands which, when executed by the network device, will create a new configuration for the network device that implements the abstract quality of service policy.
    Type: Grant
    Filed: July 12, 2000
    Date of Patent: October 25, 2005
    Assignee: Cisco Technology, Inc.
    Inventors: Arthur Zavalkovsky, Nira Leibman
  • Publication number: 20050198190
    Abstract: The invention provides techniques for dynamic timeout including the steps of receiving a request from a requestor; determining whether an interim message should be sent to the requestor; and, if the interim message should be sent to the requestor, sending to the requestor the interim message referring to the request. Techniques are also provided for dynamic timeout including steps of sending a request to a server; receiving an interim message from the server, where the interim message contains one or more response-related items; and determining whether to change a timeout value based on the one or more response-related items in the interim message.
    Type: Application
    Filed: December 31, 2003
    Publication date: September 8, 2005
    Inventors: Arthur Zavalkovsky, Jeremy Stieglitz
  • Publication number: 20050041599
    Abstract: A method, apparatus, and computer-readable medium configured for maintaining consistent per-hop packet forwarding behavior among a plurality of network devices in a network within a Differentiated Services (DS) domain are disclosed. In one aspect, a method involves creating and storing a network-wide PHB definition that associates a PHB with a DS code point (DSCP) value, and with a set of parameters that define the bandwidth and buffer resources allocated to the PHBs on all interfaces of network devices within the DS domain. A mapping of each of the PHBs in the network-wide PHB definition to one or more queues of the network devices is determined. Drain size and queue size values are determined for each of the queues to which PHBs are mapped. A mapping of each of the PHBs to a threshold value associated with the queues is determined. Parameters of fragmentation and interleave mechanisms are determined.
    Type: Application
    Filed: September 9, 2004
    Publication date: February 24, 2005
    Inventors: Arthur Zavalkovsky, Nitsan Elfassy, Ron Cohen
  • Patent number: 6839327
    Abstract: A method, apparatus, and computer-readable medium configured for maintaining consistent per-hop packet forwarding behavior among a plurality of network devices in a network within a Differentiated Services (DS) domain are disclosed. In one aspect, a method involves creating and storing a network-wide PHB definition that associates a PHB with a DS code point (DSCP) value, and with a set of parameters that define the bandwidth and buffer resources allocated to the PHBs on all interfaces of network devices within the DS domain. A mapping of each of the PHBs in the network-wide PHB definition to one or more queues of the network devices is determined. Drain size and queue size values are determined for each of the queues to which PHBs are mapped. A mapping of each of the PHBs to a threshold value associated with the queues is determined. Parameters of fragmentation and interleave mechanisms are determined.
    Type: Grant
    Filed: December 28, 2000
    Date of Patent: January 4, 2005
    Assignee: Cisco Technology, Inc.
    Inventors: Arthur Zavalkovsky, Nitsan Elfassy, Ron Cohen
  • Patent number: 6822940
    Abstract: A method and apparatus for adaptively enforcing Quality of Service (QoS) policies for one or more flows of packets in a packet-switched network based on network feedback information. In one aspect, packets of a first group of flows are assigned to a first service level. Then-current interface congestion information for network traffic that is mapped to the first service level and that is passing through an interface of a network device in the network is received. Based on the then-current interface congestion information one or more flows from the first group of flows are selected. Packets from the one or more flows are then assigned to a second service level.
    Type: Grant
    Filed: September 29, 2000
    Date of Patent: November 23, 2004
    Assignee: Cisco Technology, Inc.
    Inventors: Arthur Zavalkovsky, Gilad Zlotkin