Patents by Inventor Bruce A. McMurdo

Bruce A. McMurdo has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7729314
    Abstract: Methods and apparatus for preventing an IP address from being assigned to a client implementing a protocol such as DHCP are disclosed. This is particularly useful in an environment such as a Mobile IP environment in which a network device (e.g., Access Point) performs proxy registration on behalf of the client. When the client transmits a detection packet to detect whether its IP address is still valid (e.g., whether it is on the same sub-network on which the IP address was allocated), a response is transmitted to the client that indicates that the client is still on its home network. This response is transmitted regardless of whether the client is still on its home network. Since the client believes it is still on its home network, a new IP address will not be assigned to the client. As a result, an existing Mobile IP session will not be interrupted.
    Type: Grant
    Filed: October 24, 2005
    Date of Patent: June 1, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Waseem Siddiqi, Bruce A. McMurdo, Kent K. Leung
  • Patent number: 7624431
    Abstract: The present invention provides a technique for securely implementing port-based authentication on a shared media port in an intermediate node, such as a router. To that end, the invention provides enhanced port-based network access control that includes client-based control at the shared media port. Unlike previous implementations, the port does not permit multiple client nodes to access a trusted subnetwork as soon as a user at any one of those nodes is authenticated by the subnetwork. Instead, port-based authentication is performed for every client node that attempts to access the trusted subnetwork through the shared media port. As such, access to the trusted subnetwork is not compromised by unauthenticated client nodes that “piggy-back” over the shared media port after a user at another client node has been authenticated by the trusted subnetwork.
    Type: Grant
    Filed: December 4, 2003
    Date of Patent: November 24, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Brian Francis Cox, Bruce McMurdo, Venkateswara Rao Yarlagadda
  • Patent number: 7567805
    Abstract: In a wireless LAN (WLAN), a method and system for dynamically assigning a configuration identity to a device being connected to the WLAN is provided. An access point (AP) or other device is plugged into a switch port of an Ethernet switch, and discovers its location and the location of a WLAN management module. The device can then request its configuration identity from the WLAN management module by providing its switch and/or port location. When a device in the WLAN needs to be replaced, the method and system enable dynamic assignment of configuration identity for the new device, to ensure that the configuration and identity of the new device matches that of the device it is replacing.
    Type: Grant
    Filed: August 1, 2005
    Date of Patent: July 28, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Brian Cox, Bruce McMurdo, Anuradha Gade
  • Publication number: 20080250500
    Abstract: Detection of a man-in-the-middle attack. In particular implementations, a method includes detecting a first event comprising notification of an invalid wireless management frame operable to cause a termination of a connection between a wireless client and a wireless access point, wherein the notification is based on a failed verification of a management integrity code (MIC) appended to the wireless management frame. The method also includes detecting a second event involving notification of either an authentication failure associated with the wireless client or a connection between the wireless client and a rogue access point. The method also includes performing one or more actions upon detection of the first event and the second event within a threshold period of time of each other.
    Type: Application
    Filed: April 5, 2007
    Publication date: October 9, 2008
    Applicant: Cisco Technology, Inc.
    Inventors: Timothy S. Olson, Arun Khanna, Bruce McMurdo, Nancy Cam-Winget, Liwen Wu
  • Publication number: 20070091842
    Abstract: Methods and apparatus for preventing an IP address from being assigned to a client implementing a protocol such as DHCP are disclosed. This is particularly useful in an environment such as a Mobile IP environment in which a network device (e.g., Access Point) performs proxy registration on behalf of the client. When the client transmits a detection packet to detect whether its IP address is still valid (e.g., whether it is on the same sub-network on which the IP address was allocated), a response is transmitted to the client that indicates that the client is still on its home network. This response is transmitted regardless of whether the client is still on its home network. Since the client believes it is still on its home network, a new IP address will not be assigned to the client. As a result, an existing Mobile IP session will not be interrupted.
    Type: Application
    Filed: October 24, 2005
    Publication date: April 26, 2007
    Inventors: Waseem Siddiqi, Bruce McMurdo, Kent Leung
  • Publication number: 20070025306
    Abstract: In a wireless LAN (WLAN), a method and system for dynamically assigning a configuration identity to a device being connected to the WLAN is provided. An access point (AP) or other device is plugged into a switch port of an Ethernet switch, and discovers its location and the location of a WLAN management module. The device can then request its configuration identity from the WLAN management module by providing its switch and/or port location. When a device in the WLAN needs to be replaced, the method and system enable dynamic assignment of configuration identity for the new device, to ensure that the configuration and identity of the new device matches that of the device it is replacing.
    Type: Application
    Filed: August 1, 2005
    Publication date: February 1, 2007
    Applicant: Cisco Technology, Inc.
    Inventors: Brian Cox, Bruce McMurdo, Anuradha Gade
  • Publication number: 20070002736
    Abstract: A system for improving network resource utilization. The system includes a prioritizer that prioritizes received data by assigning one or more priority values thereto. A network resource monitor provides network resource information. A transmitter selectively transmits the data based on the network resource information and the one or more priority values. In a specific embodiment, the data includes network messages, and the prioritizer includes a prioritization mechanism that assigns a priority value to each of the network messages. A threshold-comparison mechanism compares each of the priority values to a threshold and provides comparison results in response thereto. The transmitter selectively transmits each of the network messages based on the comparison results. In an illustrative embodiment, the network messages include network alerts generated by an Intrusion Detection System (IDS).
    Type: Application
    Filed: June 16, 2005
    Publication date: January 4, 2007
    Applicant: Cisco Technology, Inc.
    Inventors: Anuradha Gade, Bruce McMurdo, Jeremy Stieglitz
  • Publication number: 20050125692
    Abstract: The present invention provides a technique for securely implementing port-based authentication on a shared media port in an intermediate node, such as a router. To that end, the invention provides enhanced port-based network access control that includes client-based control at the shared media port. Unlike previous implementations, the port does not permit multiple client nodes to access a trusted subnetwork as soon as a user at any one of those nodes is authenticated by the subnetwork. Instead, port-based authentication is performed for every client node that attempts to access the trusted subnetwork through the shared media port. As such, access to the trusted subnetwork is not compromised by unauthenticated client nodes that “piggy-back” over the shared media port after a user at another client node has been authenticated by the trusted subnetwork.
    Type: Application
    Filed: December 4, 2003
    Publication date: June 9, 2005
    Inventors: Brian Cox, Bruce McMurdo, Venkateswara Yarlagadda