Patents Assigned to Aerohive Networks
  • Publication number: 20160359751
    Abstract: Airtime usage may be used as a factor in controlling network traffic flow to and from client devices via a wireless network interface. Received packets or other data are assigned to a quality of service profile. Additionally, a cost value for communicating the received data is determined at least in part based on an actual or estimated airtime usage for the received packet. The cost value is used to allocate wireless network airtime to data. The allocation of wireless network airtime may be varied dynamically based on operating conditions. The cost value may be based on factors including the airtime used to communicate data; whether the data is a retransmission; and wireless network overhead. The cost value of data may also be different depending on whether the data is being sent from a client device or to a client device.
    Type: Application
    Filed: August 22, 2016
    Publication date: December 8, 2016
    Applicant: Aerohive Networks, Inc.
    Inventors: Peter Wu, Sreekanth Reddy, Jianlin Zeng, Changming Liu
  • Patent number: 9503354
    Abstract: A method of configuring a virtual network comprises: running a user-interactive business requirements wizard from a server, the wizard collecting business requirements from a user; translating the business requirements into technical requirements for a network configuration using the server; selecting a network configuration from a network configuration database using the server, the selecting utilizing the technical requirements; testing the network configuration using a processor; monitoring the testing and generating new facts regarding performance of the network configuration, using the processor; feeding back the new facts to the server for use by the server in the selecting; and repeating the selecting, testing, monitoring and generating, and feeding back, until the server determines a criterion for network stability has been reached.
    Type: Grant
    Filed: January 21, 2009
    Date of Patent: November 22, 2016
    Assignee: Aerohive Networks, Inc.
    Inventors: Carl Steven Mower, Matthew Alan Palmer
  • Patent number: 9479540
    Abstract: A network security system including a first-level security profile engine and a second-level security profile engine is disclosed. The first-level security profile engine may assign a first-level security profile for a first user device, the first user device requesting access to a network; the second-level security profile engine assigns a first second-level security profile to the first user device, the first second-level security profile providing first network configuration information for the first user device; a device selection engine receives a selection of a second user device associated with the first-level security profile; and the second-level security profile engine assigns a second second-level security profile to the second user device, the second second-level security profile providing second network configuration information for the second user device.
    Type: Grant
    Filed: September 28, 2015
    Date of Patent: October 25, 2016
    Assignee: Aerohive Networks, Inc.
    Inventors: Mu Lin, Xu Zou, John Hanay
  • Patent number: 9473484
    Abstract: A technique for network authentication interoperability involves initiating an authentication procedure on a first network, authenticating on a second network, and allowing access at the first network. The technique can include filtering access to a network, thereby restricting access to users with acceptable credentials. Offering a service that incorporates these techniques can enable incorporation of the techniques into an existing system with minimal impact to network configuration.
    Type: Grant
    Filed: August 6, 2015
    Date of Patent: October 18, 2016
    Assignee: Aerohive Networks, Inc.
    Inventors: Kenshin Sakura, Matthew Stuart Gast, Long Fu
  • Patent number: 9473489
    Abstract: A passphrase is assigned to an end user device for use in authenticating the end user device for a network using SAE. An identification of the end user device is determined during an authentication process. The passphrase assigned to the end user device is determined at a network side using the identification of the end user device. A shared secret is generated using the passphrase. Whether the end user device has generated the shared secret is determined. The end user device is authenticated for the network, if it is determined that the end user device has generated the shared secret.
    Type: Grant
    Filed: December 31, 2014
    Date of Patent: October 18, 2016
    Assignee: Aerohive Networks, Inc.
    Inventor: Matthew Stuart Gast
  • Publication number: 20160294880
    Abstract: A request related to an access to a network by a first user device may be received. The user device may be included in a plurality of user devices associated with a first first-level security profile assigned to the user. An application extension to an application executing on the first user device may be accessed in response to the request related to the access. A network connectivity file may be provided to the application extension. The network connectivity file may include network configuration information for the first user device. The network configuration information may be associated with a first second-level security profile assigned to the first user device. Instructions to configure the first user device to access the network based at least in part on the network configuration information in the network connectivity file may be provided.
    Type: Application
    Filed: June 15, 2016
    Publication date: October 6, 2016
    Applicant: Aerohive Networks, Inc.
    Inventors: Mu Lin, Xu Zou, John William Hanay
  • Publication number: 20160294864
    Abstract: Managing rogue devices in a network through a network backhaul. A rogue device is detected in a network and a rogue device message that includes the rogue device is sent to a plurality of switches in a backhaul of the network. The rogue device is added into a rogue monitor table. Whether the rogue device is In-Net or Out-Of-Net is determined using forwarding tables of the plurality of switches in the backhaul of the network and the rogue monitor table. Mitigation is performed using a nearest switch to the rogue device of the plurality of switches in the backhaul of the network if it is determined that the rogue device is In-Net.
    Type: Application
    Filed: June 7, 2016
    Publication date: October 6, 2016
    Applicant: Aerohive Networks, Inc.
    Inventors: Jianlin Zeng, Mingliang Li, Peng Fan
  • Patent number: 9450987
    Abstract: A network security system including a first-level security profile engine and a second-level security profile engine is disclosed. The first-level security profile engine may assign a first-level security profile for a first user device, the first user device requesting access to a network; the second-level security profile engine assigns a first second-level security profile to the first user device, the first second-level security profile providing first network configuration information for the first user device; a device selection engine receives a selection of a second user device associated with the first-level security profile; and the second-level security profile engine assigns a second second-level security profile to the second user device, the second second-level security profile providing second network configuration information for the second user device.
    Type: Grant
    Filed: September 28, 2015
    Date of Patent: September 20, 2016
    Assignee: Aerohive Networks, Inc.
    Inventors: Mu Lin, Xu Zou, John Hanay
  • Publication number: 20160268699
    Abstract: A network device comprising a first radio module configured to transmit and receive first radio signals in a first frequency band, a first antenna array configured to transmit and receive the first radio signals for the first radio module in the first frequency band, a second radio module configured to transmit and receive second radio signals in the first frequency band, a second antenna array configured to transmit and receive the second radio signals for the second radio module in the first frequency band, wherein, in operation, the first radio module and the second radio module function concurrently using the first frequency band while at least 40 dB of antenna isolation is maintained between the first antenna array and the second antenna array.
    Type: Application
    Filed: March 10, 2016
    Publication date: September 15, 2016
    Applicant: Aerohive Networks, Inc.
    Inventors: Liangfu Zhang, George Gang Chen, Changming Liu, Zhenye Cao
  • Patent number: 9413772
    Abstract: Managing rogue devices in a network through a network backhaul. A rogue device is detected in a network and a rogue device message that includes the rogue device is sent to a plurality of switches in a backhaul of the network. The rogue device is added into a rogue monitor table. Whether the rogue device is In-Net or Out-Of-Net is determined using forwarding tables of the plurality of switches in the backhaul of the network and the rogue monitor table. Mitigation is performed using a nearest switch to the rogue device of the plurality of switches in the backhaul of the network if it is determined that the rogue device is In-Net.
    Type: Grant
    Filed: March 17, 2014
    Date of Patent: August 9, 2016
    Assignee: Aerohive Networks, Inc.
    Inventors: Jianlin Zeng, Mingliang Li, Peng Fan
  • Publication number: 20160197742
    Abstract: Wireless access points detect neighboring wireless access points in different subnets. Upon connecting with a wireless client, a wireless access point determines predictive roaming information for the wireless client. Predictive roaming information identifies the wireless client; its home network subnet; and includes connection information associated with the wireless client. The wireless access point forwards the predictive roaming information associated with a wireless client to neighboring wireless access points while the wireless client is still connected with the wireless access point. Neighboring wireless access points store received predictive roaming information. Upon connecting with a wireless client, a neighboring wireless access point determines if the wireless client matches the stored predictive roaming information.
    Type: Application
    Filed: March 14, 2016
    Publication date: July 7, 2016
    Applicant: Aerohive Networks, Inc.
    Inventors: Changming Liu, Yong Kang, Jianlin Zeng, Sreekanth Reddy
  • Publication number: 20160182335
    Abstract: A network monitoring and control application suitable for use by teachers and other users is implemented using wireless access points and does not require specific software to be installed on client network devices. The application uses student and class information to organize network client information. Upon receiving a monitoring request, one or more classes assigned to the teacher are identified by accessing class data. Class data is accessed to identify students assigned to the class and the client network devices used by these students. One wireless access point providing wireless network connections to at least a portion of the students' devices is selected to collect network activity information from the students' devices and presents this information to the teacher. The teacher may also use the selected wireless access point to disable students' network access or to redirect students' devices to a network resource.
    Type: Application
    Filed: March 2, 2016
    Publication date: June 23, 2016
    Applicant: Aerohive Networks, Inc.
    Inventors: Long Fu, Mingliang Li, Yong Kang, Adam Conway, Dean Williams
  • Patent number: 9338816
    Abstract: Wireless access points detect neighboring wireless access points in different subnets. Upon connecting with a wireless client, a wireless access point determines predictive roaming information for the wireless client. Predictive roaming information identifies the wireless client; its home network subnet; and includes connection information associated with the wireless client. The wireless access point forwards the predictive roaming information associated with a wireless client to neighboring wireless access points while the wireless client is still connected with the wireless access point. Neighboring wireless access points store received predictive roaming information. Upon connecting with a wireless client, a neighboring wireless access point determines if the wireless client matches the stored predictive roaming information.
    Type: Grant
    Filed: April 27, 2015
    Date of Patent: May 10, 2016
    Assignee: Aerohive Networks, Inc.
    Inventors: Changming Liu, Yong Kang, Jianlin Zeng, Sreekanth Reddy
  • Patent number: 9282018
    Abstract: A network monitoring and control application suitable for use by teachers and other users is implemented using wireless access points and does not require specific software to be installed on client network devices. The application uses student and class information to organize network client information. Upon receiving a monitoring request, one or more classes assigned to the teacher are identified by accessing class data. Class data is accessed to identify students assigned to the class and the client network devices used by these students. One wireless access point providing wireless network connections to at least a portion of the students' devices is selected to collect network activity information from the students' devices and presents this information to the teacher. The teacher may also use the selected wireless access point to disable students' network access or to redirect students' devices to a network resource.
    Type: Grant
    Filed: February 10, 2014
    Date of Patent: March 8, 2016
    Assignee: Aerohive Networks, Inc.
    Inventors: Long Fu, Mingliang Li, Yong Kang, Adam Conway, Dean Williams
  • Publication number: 20160014083
    Abstract: A method of intelligently sorting packets/datagrams for sending through appropriate branches of an N-way split VPN tunnel according to embodiments of the present invention allows for efficient movement of network traffic to and from a remote network location. Intelligent sorting may be based on a wide range of criteria in order to implement different policies. For example, datagrams may be sorted for sending through the branches of a 3-way split tunnel so that all traffic from a remote network location ultimately destined to servers at a central location may be sent via a secure VPN tunnel, all traffic that matches a “white-list” of trusted external sites may be sent directly to and from these sites to the remote network location, and all other traffic may be redirected through a Web service that scrubs and filters the traffic to/from questionable sites.
    Type: Application
    Filed: September 21, 2015
    Publication date: January 14, 2016
    Applicant: Aerohive Networks, Inc.
    Inventors: Carl Steven Mower, Matthew Alan Palmer
  • Publication number: 20150334548
    Abstract: A technique for deploying proximity beacons involves coupling proximity beacon transmitters and/or hubs to an enterprise network device. The coupling can be by way of physically connecting communication interfaces of the network device and the proximity beacon transmitter or hub. In some implementations, the communication interface can be implemented as a USB interface. In some implementations, the communication interface can be embedded within the network device, such that the communication interface can provide the physical connection in the form of an embedded or internal connection.
    Type: Application
    Filed: May 19, 2014
    Publication date: November 19, 2015
    Applicant: Aerohive Networks, Inc.
    Inventors: Changming Liu, Chris Scheers, Jingsong FU, Haofeng Kou, Arun K. Goel, Matthew Stuart Gast
  • Patent number: 9152782
    Abstract: A network security system including a first-level security profile engine and a second-level security profile engine is disclosed. In an example of operation, the first-level security profile engine assigns a first-level security profile for a first user device, the first user device requesting access to a network; the second-level security profile engine assigns a first second-level security profile to the first user device, the first second-level security profile providing first network configuration information for the first user device; a device selection engine receives a selection of a second user device associated with the first-level security profile; and the second-level security profile engine assigns a second second-level security profile to the second user device, the second second-level security profile providing second network configuration information for the second user device.
    Type: Grant
    Filed: February 13, 2014
    Date of Patent: October 6, 2015
    Assignee: Aerohive Networks, Inc.
    Inventors: Mu Lin, Xu Zou, John Hanay
  • Patent number: 9143466
    Abstract: A method of intelligently sorting packets/datagrams for sending through appropriate branches of an N-way split VPN tunnel according to embodiments of the present invention allows for efficient movement of network traffic to and from a remote network location. Intelligent sorting may be based on a wide range of criteria in order to implement different policies. For example, datagrams may be sorted for sending through the branches of a 3-way split tunnel so that all traffic from a remote network location ultimately destined to servers at a central location may be sent via a secure VPN tunnel, all traffic that matches a “white-list” of trusted external sites may be sent directly to and from these sites to the remote network location, and all other traffic may be redirected through a Web service that scrubs and filters the traffic to/from questionable sites.
    Type: Grant
    Filed: March 22, 2013
    Date of Patent: September 22, 2015
    Assignee: Aerohive Networks, Inc.
    Inventors: Carl Steven Mower, Matthew Alan Palmer
  • Patent number: 9143498
    Abstract: A technique for network authentication interoperability involves initiating an authentication procedure on a first network, authenticating on a second network, and allowing access at the first network. The technique can include filtering access to a network, thereby restricting access to users with acceptable credentials. Offering a service that incorporates these techniques can enable incorporation of the techniques into an existing system with minimal impact to network configuration.
    Type: Grant
    Filed: August 29, 2013
    Date of Patent: September 22, 2015
    Assignee: Aerohive Networks, Inc.
    Inventors: Kenshin Sakura, Matthew Stuart Gast, Long Fu
  • Publication number: 20150245410
    Abstract: Wireless access points detect neighboring wireless access points in different subnets. Upon connecting with a wireless client, a wireless access point determines predictive roaming information for the wireless client. Predictive roaming information identifies the wireless client; its home network subnet; and includes connection information associated with the wireless client. The wireless access point forwards the predictive roaming information associated with a wireless client to neighboring wireless access points while the wireless client is still connected with the wireless access point. Neighboring wireless access points store received predictive roaming information. Upon connecting with a wireless client, a neighboring wireless access point determines if the wireless client matches the stored predictive roaming information.
    Type: Application
    Filed: April 27, 2015
    Publication date: August 27, 2015
    Applicant: Aerohive Networks, Inc.
    Inventors: Changming Liu, Yong Kang, Jianlin Zeng, Sreekanth Reddy