Abstract: A network security system including a first-level security profile engine and a second-level security profile engine is disclosed. In an example of operation, the first-level security profile engine assigns a first-level security profile for a first user device, the first user device requesting access to a network; the second-level security profile engine assigns a first second-level security profile to the first user device, the first second-level security profile providing first network configuration information for the first user device; a device selection engine receives a selection of a second user device associated with the first-level security profile; and the second-level security profile engine assigns a second second-level security profile to the second user device, the second second-level security profile providing second network configuration information for the second user device.

Abstract: Various implementations include systems and methods for generating a radio frequency floor plan. The systems and methods include receiving map data for a map image. A user is provided with functionalities for generating a trace outline in the map image. Floor dimensions are determined from the trace outline in the map image. A blank floor plan is generated using the floor dimensions and the map image. Access point position data can be received that signifies the position of placed access points. Access point type data can be received that signifies the type of access points that are positioned. The access point position data, the access point type data, and the floor plan or blank floor plan can be used to generate a RF floor plan.

Abstract: A network device of a subnet determines predictive roaming information for a wireless client. Predictive roaming information can identify the wireless client and a home network subnet of the wireless client. The network device provides predictive roaming information associated with a wireless client to neighboring subnets. Neighboring subnets store received predictive roaming information, and use the predictive roaming information if the wireless client roams to them.

Abstract: Wireless access points detect neighboring wireless access points in different subnets. Upon connecting with a wireless client, a wireless access point determines predictive roaming information for the wireless client. Predictive roaming information identifies the wireless client; its home network subnet; and includes connection information associated with the wireless client. The wireless access point forwards the predictive roaming information associated with a wireless client to neighboring wireless access points while the wireless client is still connected with the wireless access point. Neighboring wireless access points store received predictive roaming information. Upon connecting with a wireless client, a neighboring wireless access point determines if the wireless client matches the stored predictive roaming information.

Abstract: A technique allows stations to utilize an equal share of resources (e.g., airtime or throughput). This prevents slow stations from consuming too many resources (e.g., using up too much air time). Fairness is ensured by selective dropping after a multicast packet is converted to unicast. This prevents slow stations from using more than their share of buffer resources. Multicast conversion aware back-pressure into the network layer can be used to prevent unnecessary dropping of packets after multicast to unicast (1:n) conversion by considering duplicated transmit buffers. This technique helps achieve airtime/resource fairness among stations.

Abstract: Wireless networking devices scan for available channels and gather data about the channels and the RF environment. Using this information, each wireless networking device determines a cost value for each available channel and a quality value for its overall RF neighborhood. Each wireless networking device select the channel with the best cost value as a candidate channel for use. The wireless networking devices may submit channel requests to the arbiter for approval. If two or more wireless networking devices are requesting the same channel, the arbiter assigns the channel to the wireless networking device with the worst RF neighborhood quality. The arbiter informs the wireless networking devices if their channel requests are approved. If a wireless networking device's channel request is not approved, the wireless networking device will rescan the remaining available channels to select a different candidate channel to be approved.

Abstract: A method and system for selecting a route in a wireless network for the transmission of a data packet between wireless nodes in said network using a modified link-state routing algorithm wherein only a limited number of broadcast messages are generated to synchronize the link-state database throughout the wireless network. A subset of nodes called portal nodes within the network are elected to do the broadcasting for the entire network. Each portal node broadcasts an announcement of its identity to all of the wireless nodes. Each wireless node responds to these broadcasts to select one of the portal nodes as its root portal node. It then identifies a unicast route back to its root portal node, and sends a link-state register message to this portal node. These link-state register messages received by each portal node are aggregated by them and are broadcast to each of the wireless nodes for storage.

Abstract: An embodiment of the invention includes a circuit to determine the power lost between a network device and a network power supply. Using this determination, an embodiment of the network device may increase its power consumption by an amount equal to the difference between the actual cable power loss and the worst-case cable power loss. This allows the network device to draw more power than allowed by network power standards without triggering the power-limiting circuitry of the network power source or overloading the network power device. The network device can determine an operating configuration that utilizes this additional power consumption to improve performance. The network device may also determine the existence of network power device or cable fault conditions, and adjust its operating configuration as necessary. Operating configurations can include enabling additional or more powerful wired or wireless network interfaces.

Abstract: A method of configuring a networking device comprises: collecting data regarding the networking device; conveying the data to a remote server; selecting configuration slice instances based on the data using the server, wherein templates for the slice instances are stored on the server; compiling the configuration slice instances using the server; and delivering the compiled configuration slice instances to the networking device; wherein the slice instances are coherent sub-sections of configuration settings for the networking device.

Abstract: Disclosed is a system comprising: an authentication datastore; a device presence engine; a traffic monitor engine; an authentication presence monitor engine; an authentication server selection engine; and a traffic routing engine. In operation: the device presence engine is configured to detect presence of a user device on a trusted network; the traffic monitor engine is configured to monitor, in response to the detection, traffic on the trusted network from the device; the authentication presence monitor engine is configured to evaluate onboarding characteristics of the user device in response to the monitoring; the authentication server selection engine is configured to select one of a plurality of authentication servers to authenticate the user device to the trusted network, the selecting based on the onboarding characteristics; and the traffic routing engine is configured to route traffic from the user device to the selected authentication server.

Abstract: Authenticating a client device coupled to an authenticator network device for a network. A service request is received from the client device at the authenticator network device. User credentials, including a user ID, a user key, and a nonce for a user are received at the authenticator network device. A token is generated using the received user credentials. The service request is modified to include the token and a user ID parameter that is the user ID to generate a modified service request. The modified service request is used to provide single sign-on access to a service that is the subject of the service request.

Abstract: Techniques and systems for performing a network activity within a network. The technique includes assigning one or a plurality of network devices subnets with network devices for performing network activities. Network devices within the assigned network device subnets can be assigned to act as a primary network device and a backup network device. The primary network device can perform the network activity. The backup network devices can monitor the primary network device and continue performing the network activities if the primary network device fails or is rogue.

Abstract: Various implementations described herein relate to routing network data traffic using network tunnels. In some implementations, one or more tunnels are established between a remote gateway device and a central gateway system. The central gateway system receives data traffic-to-tunnel information from the remote gateway device, and the central gateway system incorporates the data traffic-to-tunnel information in a data traffic-to-tunnel mapping. The data traffic-to-tunnel information comprises n-tuple of network flow information, network flow tags, application-to-tunnel binding information, or the like. The central gateway system receives first data traffic from the remote gateway and forwards the first data traffic to a server. Subsequently, the central gateway system receives second data traffic and forwards the first data traffic to the remote gateway device over one or more select tunnels selected from the established tunnels.

Abstract: Networking as a Service (NaaS) delivers network services using remote appliances controlled by a hosted, multi-tenant management system. The system may include a heartbeating process for communication between a web-based server and appliances, in which the appliances periodically contact the management system on the server. The heartbeating process allows the appliances to maintain a completely up-to-date configuration. Furthermore, heartbeating allows for comprehensive monitoring of appliances and for software distribution. The system may also include means for authenticating appliances, without the need for pre-installed PSKs or certificates.

Abstract: A technique allows stations to utilize an equal share of resources (e.g., airtime or throughput). This prevents slow stations from consuming too many resources (e.g., using up too much air time). Fairness is ensured by selective dropping after a multicast packet is converted to unicast. This prevents slow stations from using more than their share of buffer resources. Multicast conversion aware back-pressure into the network layer can be used to prevent unnecessary dropping of packets after multicast to unicast (1:n) conversion by considering duplicated transmit buffers. This technique helps achieve airtime/resource fairness among stations.

Abstract: Networking as a Service (NaaS) delivers network services using remote appliances controlled by a hosted, multi-tenant management system. The system may include a heartbeating process for communication between a web-based server and appliances, in which the appliances periodically contact the management system on the server. The heartbeating process allows the appliances to maintain a completely up-to-date configuration. Furthermore, heartbeating allows for comprehensive monitoring of appliances and for software distribution. The system may also include means for authenticating appliances, without the need for pre-installed PSKs or certificates.

Abstract: Airtime usage may be used as a factor in controlling network traffic flow to and from client devices via a wireless network interface. Received packets or other data are assigned to a quality of service profile. Additionally, a cost value for communicating the received data is determined at least in part based on an actual or estimated airtime usage for the received packet. The cost value is used to allocate wireless network airtime to data. The allocation of wireless network airtime may be varied dynamically based on operating conditions. The cost value may be based on factors including the airtime used to communicate data; whether the data is a retransmission; and wireless network overhead. The cost value of data may also be different depending on whether the data is being sent from a client device or to a client device.

Abstract: A technique for improving wireless communication characteristics involving matching transmitter antenna patterns to receiver antenna patterns. In a specific implementation, the transmitter antenna pattern adapts to changing parameters, such as when a smartphone is initially held in a first orientation and is later held in a second orientation. Because the transmitter antenna pattern matches receiver antenna patterns, signal quality between stations improves. In some implementations, antennas are organized and mounted to maximize spatial diversity to cause peak gains in different directions.

Abstract: Airtime usage may be used as a factor in controlling network traffic flow to and from client devices via a wireless network interface. Received packets or other data are assigned to a quality of service profile. Additionally, a cost value for communicating the received data is determined at least in part based on an actual or estimated airtime usage for the received packet. The cost value is used to allocate wireless network airtime to data. The allocation of wireless network airtime may be varied dynamically based on operating conditions. The cost value may be based on factors including the airtime used to communicate data; whether the data is a retransmission; and wireless network overhead. The cost value of data may also be different depending on whether the data is being sent from a client device or to a client device.

Abstract: A network monitoring and control application suitable for use by teachers and other users is implemented using wireless access points and does not require specific software to be installed on client network devices. The application uses student and class information to organize network client information. Upon receiving a monitoring request, one or more classes assigned to the teacher are identified by accessing class data. Class data is accessed to identify students assigned to the class and the client network devices used by these students. One wireless access point providing wireless network connections to at least a portion of the students' devices is selected to collect network activity information from the students' devices and presents this information to the teacher. The teacher may also use the selected wireless access point to disable students' network access or to redirect students' devices to a network resource.