Abstract: An identity platform system configured to authenticate a company-assigned device for accessing a first network using a first unique pre-shared key associated with the company-assigned device. A personal BYOD credential management system configured to authenticate a personal BYOD for accessing a second network using a second unique pre-shared key associated with the personal BYOD. A network administrator interface configured to provide access to the identity platform for a network administrator. A personal BYOD credential management system API included as part of the identity platform system and configured to provide the identity platform system access to the personal BYOD credential management system as if the personal BYOD credential management system is embedded in the identity platform system.

Abstract: A network device comprising, a first radio module configured to transmit and receive first radio signals in a first frequency band, a first antenna array configured to transmit and receive the first radio signals for the first radio module in the first frequency band, a second radio module configured to transmit and receive second radio signals in the first frequency band, a second antenna array configured to transmit and receive the second radio signals for the second radio module in the first frequency band, wherein, in operation, the first radio module and the second radio modules function concurrently using the first frequency band while at least 40 dB of antenna isolation is maintained between the first antenna array and the second antenna array.

Abstract: A network monitoring and control application suitable for use by teachers and other users is implemented using wireless access points and does not require specific software to be installed on client network devices. The application uses student and class information to organize network client information. Upon receiving a monitoring request, one or more classes assigned to the teacher are identified by accessing class data. Class data is accessed to identify students assigned to the class and the client network devices used by these students. One wireless access point providing wireless network connections to at least a portion of the students' devices is selected to collect network activity information from the students' devices and presents this information to the teacher. The teacher may also use the selected wireless access point to disable students' network access or to redirect students' devices to a network resource.

Abstract: Techniques and systems for performing a network activity within a network. The technique includes assigning one or a plurality of network devices subnets with network devices for performing network activities. Network devices within the assigned network device subnets can be assigned to act as a primary network device and a backup network device. The primary network device can perform the network activity. The backup network devices can monitor the primary network device and continue performing the network activities if the primary network device fails or is rogue.

Abstract: Techniques and systems for performing a network activity within a network. The technique includes assigning one or a plurality of network devices subnets with network devices for performing network activities. Network devices within the assigned network device subnets can be assigned to act as a primary network device and a backup network device. The primary network device can perform the network activity. The backup network devices can monitor the primary network device and continue performing the network activities if the primary network device fails or is rogue.

Abstract: A request related to an access to a network by a first user device may be received. The user device may be included in a plurality of user devices associated with a first first-level security profile assigned to the user. An application extension to an application executing on the first user device may be accessed in response to the request related to the access. A network connectivity file may be provided to the application extension. The network connectivity file may include network configuration information for the first user device. The network configuration information may be associated with a first second-level security profile assigned to the first user device. Instructions to configure the first user device to access the network based at least in part on the network configuration information in the network connectivity file may be provided.

Abstract: Preshared keys are assigned to client devices, users, or user groups. The set of valid preshared keys or keys derived therefrom is distributed to network devices such as wireless access points. A client device attempts to establish a secure network connection with a network device using its assigned preshared key. A network device identifies the client device's preshared key by selecting a candidate key from its set of valid preshared keys. The network device determines a validation cryptographic checksum based on the selected candidate key. If the validation cryptographic checksum matches the client's cryptographic checksum, the network device establishes a secure network connection with the client device using this candidate key. If the validation cryptographic checksum does not match the cryptographic checksum provided by the client device, the network device repeats this comparison using different candidate keys selected from its set of valid preshared keys until a match is found.

Abstract: Authenticating a client device coupled to an authenticator network device for a network. A service request is received from the client device at the authenticator network device. User credentials, including a user ID, a user key, and a nonce for a user are received at the authenticator network device. A token is generated using the received user credentials. The service request is modified to include the token and a user ID parameter that is the user ID to generate a modified service request. The modified service request is used to provide single sign-on access to a service that is the subject of the service request.

Abstract: A technique allows stations to utilize an equal share of resources (e.g., airtime or throughput). This prevents slow stations from consuming too many resources (e.g., using up too much air time). Fairness is ensured by selective dropping after a multicast packet is converted to unicast. This prevents slow stations from using more than their share of buffer resources. Multicast conversion aware back-pressure into the network layer can be used to prevent unnecessary dropping of packets after multicast to unicast (1:n) conversion by considering duplicated transmit buffers. This technique helps achieve airtime/resource fairness among stations.

Abstract: Maintaining layer 7 state as a client device roams between network devices during a session. Data packets used in executing a layer 7 application are received at a first network device that a client device is coupled to during a session. Data packets received by the first network device are stored in a layer 7 application buffer that is sent to a second network device that a client device roams to during a session. A layer 7 application buffer is used to classify a layer 7 application that is the subject of a session in order to maintain layer 7 state as a client device roams to a second network device during a session.

Abstract: A network device of a subnet determines predictive roaming information for a wireless client. Predictive roaming information can identify the wireless client and a home network subnet of the wireless client. The network device provides predictive roaming information associated with a wireless client to neighboring subnets. Neighboring subnets store received predictive roaming information, and use the predictive roaming information if the wireless client roams to them.

Abstract: Authenticating a client device coupled to an authenticator network device for a network. A service request is received from the client device at the authenticator network device. User credentials, including a user ID, a user key, and a nonce for a user are received at the authenticator network device. A token is generated using the received user credentials. The service request is modified to include the token and a user ID parameter that is the user ID to generate a modified service request. The modified service request is used to provide single sign-on access to a service that is the subject of the service request.

Abstract: A hybrid low power network device comprising: a wave 1 radio configured to provide client devices wireless access to a network using SU-MIMO, a wave 2 radio configured to provide the client devices wireless access to the network using MU-MIMO, a radio management system configured to assign client devices to either the wave 1 radio or the wave 2 radio for communicating over wireless communication channels in accessing the network, first and second Ethernet ports, wherein at least one of the first and second Ethernet ports are configured to provide power to the hybrid low power network device and allow at least one of the wave 1 radio and the wave 2 radio to communicate with the network, in operation the hybrid low power network device is configured to operate at a power consumption level between 15 and 17 W in providing the client devices wireless access to the network.

Abstract: A network device of a subnet determines predictive roaming information for a wireless client. Predictive roaming information can identify the wireless client and a home network subnet of the wireless client. The network device provides predictive roaming information associated with a wireless client to neighboring subnets. Neighboring subnets store received predictive roaming information, and use the predictive roaming information if the wireless client roams to them.

Abstract: A method of configuring a virtual network comprises: running a user-interactive business requirements wizard from a server, the wizard collecting business requirements from a user; translating the business requirements into technical requirements for a network configuration using the server; selecting a network configuration from a network configuration database using the server, the selecting utilizing the technical requirements; testing the network configuration using a processor; monitoring the testing and generating new facts regarding performance of the network configuration, using the processor; feeding back the new facts to the server for use by the server in the selecting; and repeating the selecting, testing, monitoring and generating, and feeding back, until the server determines a criterion for network stability has been reached.

Abstract: Maintaining layer 7 state as a client device roams between network devices during a session. Data packets used in executing a layer 7 application are received at a first network device that a client device is coupled to during a session. Data packets received by the first network device are stored in a layer 7 application buffer that is sent to a second network device that a client device roams to during a session. A layer 7 application buffer is used to classify a layer 7 application that is the subject of a session in order to maintain layer 7 state as a client device roams to a second network device during a session.

Abstract: Airtime usage may be used as a factor in controlling network traffic flow to and from client devices via a wireless network interface. Received packets or other data are assigned to a quality of service profile. Additionally, a cost value for communicating the received data is determined at least in part based on an actual or estimated airtime usage for the received packet. The cost value is used to allocate wireless network airtime to data. The allocation of wireless network airtime may be varied dynamically based on operating conditions. The cost value may be based on factors including the airtime used to communicate data; whether the data is a retransmission; and wireless network overhead. The cost value of data may also be different depending on whether the data is being sent from a client device or to a client device.

Abstract: A technique allows stations to utilize an equal share of resources (e.g., airtime or throughput). This prevents slow stations from consuming too many resources (e.g., using up too much air time). Fairness is ensured by selective dropping after a multicast packet is converted to unicast. This prevents slow stations from using more than their share of buffer resources. Multicast conversion aware back-pressure into the network layer can be used to prevent unnecessary dropping of packets after multicast to unicast (1:n) conversion by considering duplicated transmit buffers. This technique helps achieve airtime/resource fairness among stations.

Abstract: A passphrase is assigned to an end user device for use in authenticating the end user device for a network using SAE. An identification of the end user device is determined during an authentication process. The passphrase assigned to the end user device is determined at a network side using the identification of the end user device. A shared secret is generated using the passphrase. Whether the end user device has generated the shared secret is determined. The end user device is authenticated for the network, if it is determined that the end user device has generated the shared secret.

Abstract: Airtime usage may be used as a factor in controlling network traffic flow to and from client devices via a wireless network interface. Received packets or other data are assigned to a quality of service profile. Additionally, a cost value for communicating the received data is determined at least in part based on an actual or estimated airtime usage for the received packet. The cost value is used to allocate wireless network airtime to data. The allocation of wireless network airtime may be varied dynamically based on operating conditions. The cost value may be based on factors including the airtime used to communicate data; whether the data is a retransmission; and wireless network overhead. The cost value of data may also be different depending on whether the data is being sent from a client device or to a client device.