Patents by Inventor Bart A. Brinckman

Bart A. Brinckman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11438824
    Abstract: Presented herein are techniques to facilitate wireless authorization based on in-line assurance and tariffing information. In one example, a method may include obtaining, by a home network, a request to authorize access of a roaming subscriber for a visited network; determining whether the request includes visited network charging information and visited network metric information; based on determining that the request includes the visited network charging information and the visited network metric information, determining whether one or more visited network metrics satisfy one or more threshold metrics for the roaming subscriber; and based on determining that the one or more visited network metrics satisfy the one or more threshold metrics for the roaming subscriber, authorizing access of the roaming subscriber for the visited network.
    Type: Grant
    Filed: September 16, 2020
    Date of Patent: September 6, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Mark Grayson, Jerome Henry, Bart A. Brinckman, Matthew Stephen MacPherson
  • Patent number: 11411958
    Abstract: In one embodiment, a gateway to a zero trust network applies an access control policy to an endpoint device attempting to access a cloud-based application hosted by the zero trust network. The gateway acts as a reverse proxy between the endpoint device and the cloud-based application, based on the access control policy applied to the endpoint device. The gateway captures telemetry data regarding application traffic reverse proxied by the gateway between the endpoint device and the cloud-based application. The gateway detects an anomalous behavior of the application traffic by comparing the captured telemetry data to a machine learning-based behavioral model for the application. The gateway initiates a mitigation action for the detected anomalous behavior of the application traffic.
    Type: Grant
    Filed: January 18, 2019
    Date of Patent: August 9, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Gangadharan Byju Pularikkal, Santosh Ramrao Patil, Bart Brinckman, Madhusudan Nanjanagud
  • Publication number: 20220248302
    Abstract: Presented herein are techniques to facilitate wireless authorization based on in-line assurance and tariffing information. In one example, a method may include obtaining, by a home network, a request to authorize access of a roaming subscriber for a visited network; determining whether the request includes visited network charging information and visited network metric information; based on determining that the request includes the visited network charging information and the visited network metric information, determining whether one or more visited network metrics satisfy one or more threshold metrics for the roaming subscriber; and based on determining that the one or more visited network metrics satisfy the one or more threshold metrics for the roaming subscriber, authorizing access of the roaming subscriber for the visited network.
    Type: Application
    Filed: April 14, 2022
    Publication date: August 4, 2022
    Inventors: Mark Grayson, Jerome Henry, Bart A. Brinckman, Matthew Stephen MacPherson
  • Publication number: 20220231988
    Abstract: A method includes linking, at an access node, a first media access control (MAC) address of a device to an identifier of the device to establish a communication session between the access node and the device and, during the communication session, receiving, at the access node, an indication of a change of the first MAC address to a second MAC address. The method also includes linking, at the access node, the second MAC address to the first MAC address and the identifier and receiving, at the access node, a communication from the device using the second MAC address while maintaining the communication session.
    Type: Application
    Filed: January 21, 2021
    Publication date: July 21, 2022
    Inventors: Jerome HENRY, Robert E. BARTON, Mark GRAYSON, Bart A. BRINCKMAN
  • Publication number: 20220232375
    Abstract: A method includes receiving, at an access node, a connection request from a device and in response to the connection request, establishing a connection with an identity provider. The device, the access node, the local network, and the identity provider are members of an identity federation. The method also includes, after the device is authenticated with the identity provider, sending or receiving, to or from the identity provider and by the access node, data linking the device to an item and an owner of the device.
    Type: Application
    Filed: January 21, 2021
    Publication date: July 21, 2022
    Inventors: Marcelo YANNUZZI, Herve MUYAL, Benjamin W. RYDER, Marco TRINELLI, Bart A. BRINCKMAN
  • Patent number: 11350279
    Abstract: In one embodiment, a method for providing access to wireless networks may include receiving, by a wireless network access provider from a user device, a request to access a wireless network. The method may include obtaining data representing a policy applicable to the access request, sending the access request, augmented with the policy, to an identity provider associated with the user and having no pre-existing relationship with the access provider, and receiving, from the identity provider, an access request response indicating whether or not the policy is met. The method may include communicating, to the wireless device, an indication that the access request has been accepted, if the policy is met, or an indication that the access request has been rejected, if the policy is not met. The access provider and identity provider may be members of an identity and access federation that communicate over a dynamically established secure connection.
    Type: Grant
    Filed: May 4, 2020
    Date of Patent: May 31, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Mark Grayson, Desmond Joseph O'Connor, Malcolm Muir Smith, Bart Brinckman
  • Publication number: 20220167160
    Abstract: A method is provided that includes obtaining an access request for a device to access a visited access network, the access request including an authentication identifier for the device including an identity for the device and a realm comprising a network identifying portion; determining a re-write rule for the realm by querying a database based on an identity type of the device and the network identifying portion of the realm, the database including a plurality of re-write rules for a plurality of networks and a plurality of identity types; re-writing the realm based on the re-write rule using the identity for the device to generate a re-written realm; obtaining, based on the re-written realm, an address for an authentication server of an identity provider associated with the device; and performing an authentication with the authentication server using the authentication identifier to authenticate the device for the visited access network.
    Type: Application
    Filed: October 1, 2021
    Publication date: May 26, 2022
    Inventors: Mark Grayson, Bart A. Brinckman, Srinath Gundavelli
  • Patent number: 11330546
    Abstract: Embodiments herein register Asset Owners (AOs) and AO applications to a location, aggregation, and insight (LAI) service that are part of the same identity federation. When registering the AO with the LAI service, the AO selects which of a plurality of Identity Providers (IDPs) it has a relationship with, and the LAI service can then bind those IDPs to the AO application. This binding associates respective realms (e.g., domains) corresponding to the selected IDPs to the AO application. Later, when a device owned by the AO roams to a visited network (VN), the LAI service can then use a realm identified from a device ID provided by the device to identify the ID of the AO application. The LAI service then enables the VN to transmit a location of the device to the AO application. In one embodiment, the VN obtains consent from the AO before sharing location data.
    Type: Grant
    Filed: December 11, 2020
    Date of Patent: May 10, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Marcelo Yannuzzi, Herve Muyal, Bart A. Brinckman, Vikas S. Murthy
  • Patent number: 11330600
    Abstract: A system and method for optimizing access points (APs) within a network comprises receiving, at a first AP, parameters corresponding to a second AP, and determining that the first AP and the second AP are part of a first and a second wireless local area network (WLAN), respectively. The first and second WLANs support client credential sharing, allowing seamless transitioning of a client device between the first and second WLANs using common credentials. Further, co-channel interference between the first AP and the second AP is detected based on the parameters corresponding to the second AP and parameters of the first AP, and at least one of a channel and transmission power of one or more of the first AP and the second AP is changed in response to the detection of the interference.
    Type: Grant
    Filed: January 24, 2020
    Date of Patent: May 10, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Vishal S. Desai, Robert E. Barton, Bart A. Brinckman, Jerome Henry
  • Publication number: 20220141665
    Abstract: The presently claimed disclosure is directed to methods that may be implemented at a computer. Methods and systems consistent with the present disclosure may include extending protocols associated with authenticating client (i.e. supplicant) devices and with authorizing those supplicant devices to access a wireless network. These methods may include sending data relating to the failure of an authentication and/or an authorization process to a supplicant device attempting to access a wireless network. Methods discussed within may include securely sending failure codes or reasons to a supplicant device that identify why an authentication or authorization process failed. These methods may include sending messages between a supplicant device, an authenticator device, and an authentication and authorization server. After a first failure, the supplicant device may be able to access the wireless network after a reason or code of that failure has been reported to the supplicant device.
    Type: Application
    Filed: July 29, 2021
    Publication date: May 5, 2022
    Inventors: Jerome Henry, Bart Brinckman, Mark Grayson
  • Publication number: 20220141714
    Abstract: Embodiments herein describe techniques for dynamically negotiating an SLA between a roaming device and a VN in an identity federation. Instead of an IDP having to individually negotiate with a VN to decide on an SLA before a user device roams to the VN, the parties can dynamically negotiate the SLA after the user device has detected the VN (but before the device is permitted to connect or associate with the VN). In one embodiment, when a roaming user device comes within wireless range of a VN, the roaming device receives an advertisement from the VN that indicates the current SLA (or SLAs) offered by the VN. The roaming device can compare this offered SLA to a stored SLA in an identity profile the device received from the IDP to determine whether to accept the offer. In another embodiment, the SLA is instead negotiated between VN and the IDP.
    Type: Application
    Filed: January 13, 2021
    Publication date: May 5, 2022
    Inventors: Malcolm M. SMITH, Jerome HENRY, Mark GRAYSON, Robert E. BARTON, Bart A. BRINCKMAN
  • Publication number: 20220131853
    Abstract: The disclosed technology relates to a process of evaluating any number of different identity providers (IDPs) and their respective set of credentials that are used to authenticate corresponding users to assist with the onboarding of the different IDPs in connection with Wi-Fi identity federations. In particular, the process allows a person's electronic identity and attributes (stored across one or more IDPs) to be determined once using a standard. Once trust has been established for the user, that trust can then be utilized across a number of different systems (e.g., single sign-on). The same trust determination can be used without the need for the authenticity of the user identity to be re-evaluated with each new access request.
    Type: Application
    Filed: January 7, 2022
    Publication date: April 28, 2022
    Inventors: Malcolm Muir Smith, Bart Brinckman, Mark Grayson, Jerome Henry, Matthew Stephen MacPherson
  • Patent number: 11283758
    Abstract: Presented herein are techniques to facilitate OpenRoaming integration into a Wireless Roaming Intermediary Exchange (WRIX) data-clearing and financial-settlement architecture. In one example, a method is provided that may include querying, by an application endpoint, a Domain Name System (DNS) server to determine support for a service for a domain; and obtaining, by the application endpoint from the DNS server, an explicit indication that one of: the service is not supported for the domain; or the service is proprietary and is supported for the domain.
    Type: Grant
    Filed: August 10, 2020
    Date of Patent: March 22, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Mark Grayson, Bart A. Brinckman
  • Patent number: 11258779
    Abstract: The disclosed technology relates to a process of evaluating any number of different identity providers (IDPs) and their respective set of credentials that are used to authenticate corresponding users to assist with the onboarding of the different IDPs in connection with Wi-Fi identity federations. In particular, the process allows a person's electronic identity and attributes (stored across one or more IDPs) to be determined once using a standard. Once trust has been established for the user, that trust can then be utilized across a number of different systems (e.g., single sign-on). The same trust determination can be used without the need for the authenticity of the user identity to be re-evaluated with each new access request.
    Type: Grant
    Filed: January 14, 2020
    Date of Patent: February 22, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Malcolm Muir Smith, Bart Brinckman, Mark Grayson, Jerome Henry, Matthew Stephen MacPherson
  • Patent number: 11228485
    Abstract: The present technology provides a system and method for automating on-boarding and management of IoT devices on a data network. The disclosed technology further provides an interactive representation of various performance attributes with automatically generated actionable alerts based on operator-defined rules and performance-specific threshold values. Furthermore, the disclosed technology provides for single-click activation of suggested actions at scale directed at once to all device units within one or more device groups reported in critical state. In this way the proposed technology enables rapid restoration of a network state. Offending device(s) may then be easily identified, from device units within the device category isolated in a resolution space, and managed according to one or more device-specific actionable alerts automatically generated on the offending device.
    Type: Grant
    Filed: March 14, 2019
    Date of Patent: January 18, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Mark Stephan Shurtleff, Jerome Henry, Bart Brinckman
  • Publication number: 20210399991
    Abstract: An example method is provided in one example embodiment and may include receiving traffic associated with at least one of a mobile network and a Gi-Local Area Network (Gi-LAN), wherein the traffic comprises one or more packets; determining a classification of the traffic to a service chain, wherein the service chain comprises one or more service functions associated with at least one of one or more mobile network services and one or more Gi-LAN services; routing the traffic through the service chain; and routing the traffic to a network using one of a plurality of egress interfaces, wherein each egress interface of the plurality of egress interfaces is associated with at least one of the one or more mobile network services and the one or more Gi-LAN services.
    Type: Application
    Filed: May 28, 2021
    Publication date: December 23, 2021
    Inventors: Hendrikus G.P. BOSCH, Jeffrey NAPPER, Alessandro DUMINUCO, Humberto J. LA ROCHE, Sape Jurriën MULLENDER, Surendra M. KUMAR, Louis Gwyn SAMUEL, Bart A. BRINCKMAN, Aeneas Sean DODD-NOBLE, Luca MARTINI
  • Patent number: 11166147
    Abstract: The present technology discloses non-transitory computer-readable media, systems, and methods for receiving a notification that an identified physical object has attached to a roaming network, wherein the identified physical object is roaming when on the roaming network; translating at least one policy intent that was defined at a home network for the identified physical object into a policy suitable to be applied by the roaming network; and sending, to the roaming network, the at least one translated policy intent to be applied to the identified physical object on the roaming network.
    Type: Grant
    Filed: July 21, 2020
    Date of Patent: November 2, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Timothy P. Stammers, Carlos M. Pignataro, Marcelo Yannuzzi Sanchez, Hervé Muyal, Bart Brinckman
  • Publication number: 20210336944
    Abstract: First, a plurality of access tokens may be received from a respective plurality of identity provider services. Each of the plurality of access tokens may be associated with a user. Then, the plurality of access tokens may be stored in a profile associated with the user. Next, user policies associated with the use of the plurality of access tokens may be assigned. A device token may then be provided to a user device associated with the user. The device token may be associated with the profile. The device token and network policies may be received and then it may be determined that the user policies and the network policies are congruent. In response to determining that the user policies and the network policies are congruent, authentication to at least one of the plurality of identity provider services may be made.
    Type: Application
    Filed: April 23, 2020
    Publication date: October 28, 2021
    Applicant: Cisco Technology, Inc.
    Inventors: Bart A. Brinckman, Eyal Shiber Shalev
  • Publication number: 20210288936
    Abstract: Presented herein are techniques to facilitate OpenRoaming integration into a Wireless Roaming Intermediary Exchange (WRIX) data-clearing and financial-settlement architecture. In one example, a method is provided that may include querying, by an application endpoint, a Domain Name System (DNS) server to determine support for a service for a domain; and obtaining, by the application endpoint from the DNS server, an explicit indication that one of: the service is not supported for the domain; or the service is proprietary and is supported for the domain.
    Type: Application
    Filed: August 10, 2020
    Publication date: September 16, 2021
    Inventors: Mark Grayson, Bart A. Brinckman
  • Publication number: 20210281994
    Abstract: The present technology discloses non-transitory computer-readable media, systems, and methods for receiving a notification that an identified physical object has attached to a roaming network, wherein the identified physical object is roaming when on the roaming network; translating at least one policy intent that was defined at a home network for the identified physical object into a policy suitable to be applied by the roaming network; and sending, to the roaming network, the at least one translated policy intent to be applied to the identified physical object on the roaming network.
    Type: Application
    Filed: July 21, 2020
    Publication date: September 9, 2021
    Inventors: Timothy P. Stammers, Carlos M. Pignataro, Marcelo Yannuzzi Sanchez, Hervé Muyal, Bart Brinckman