Patents by Inventor Darran Potter
Darran Potter has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20150074777
Abstract: Techniques are disclosed for dynamically mitigating a noncompliant password. The method comprises obtaining a password; generating one or more quality scores for the password using a password policy for an authentication and authorization service; determining whether the password has sufficient score quality; in response to determining that the password does not have sufficient score quality, granting to the user a different level of access to the service than if the password meets the quality criteria; wherein the method is performed by one or more computing devices.
Type: Application
Filed: November 13, 2014
Publication date: March 12, 2015
Inventors: JEREMY STIEGLITZ, DARRAN POTTER
-
Patent number: 8909936
Abstract: Techniques are disclosed for dynamically mitigating a noncompliant password. The method comprises obtaining a password; generating one or more quality scores for the password using a password policy for an authentication and authorization service; determining whether the password has sufficient score quality; in response to determining that the password does not have sufficient score quality, granting to the user a different level of access to the service than if the password meets the quality criteria; wherein the method is performed by one or more computing devices.
Type: Grant
Filed: February 25, 2011
Date of Patent: December 9, 2014
Assignee: Cisco Technology, Inc.
Inventors: Jeremy Stieglitz, Darran Potter
-
Patent number: 8555340
Abstract: A method is disclosed for determining the authentication capabilities of a supplicant before initiating an authentication conversation with a client, for example, using Extensible Authentication Protocol (EAP). In one aspect, the method provides for sending, to a supplicant that is requesting access to a computer network subject to authentication of a user of the supplicant, a list of first authentication methods that are supported by an authentication server; receiving, from the supplicant, a counter-list of second authentication methods that are supported by the supplicant; determining how many second authentication methods in the counter-list match the first authentication methods; and performing an authentication policy action based on how many of the second authentication methods match the first authentication methods. Policy actions can include blocking access, re-directing to sources of acceptable authentication methods, granting one of several levels of network access, etc.
Type: Grant
Filed: January 18, 2007
Date of Patent: October 8, 2013
Assignee: Cisco Technology, Inc.
Inventors: Darran Potter, Jeremy Stieglitz, Andrew Clymer
-
Publication number: 20110154048
Abstract: Techniques are disclosed for dynamically mitigating a noncompliant password. The method comprises obtaining a password; generating one or more quality scores for the password using a password policy for an authentication and authorization service; determining whether the password has sufficient score quality; in response to determining that the password does not have sufficient score quality, granting to the user a different level of access to the service than if the password meets the quality criteria; wherein the method is performed by one or more computing devices.
Type: Application
Filed: February 25, 2011
Publication date: June 23, 2011
Inventors: Jeremy Stieglitz, Darran Potter
-
Patent number: 7949751
Abstract: The invention relates to a method for requesting access to services across a computer network, preferably although not exclusively to a network in which access is controlled by a AAA server. Instead of defining on the AAA server all possible network devices that may require or provide access, along with the respective services they may need, in the present invention the network devices submit access request messages which include information both identifying the device and also specifying explicitly which services are needed. On receipt of such requests, the AAA server uses its internal policies to confirm or deny access, to select appropriate services from those requested, and to instruct the provisioning of those services. The invention provides additional granularity in authentication/authorization, and also significantly reduces the amount of work required to set up and maintain the AAA server.
Type: Grant
Filed: October 22, 2003
Date of Patent: May 24, 2011
Assignee: Cisco Technology, Inc.
Inventors: Darran Potter, John Zamick, Andrew Clymer
-
Patent number: 7934101
Abstract: Techniques are disclosed for dynamically mitigating a noncompliant password. The techniques include obtaining a password from a user when the user attempts to access a service; determining whether the password meets quality criteria; and if the password does not meet the quality criteria, performing one or more responsive actions that relate to accessing the service.
Type: Grant
Filed: April 16, 2004
Date of Patent: April 26, 2011
Assignee: Cisco Technology, Inc.
Inventors: Jeremy Stieglitz, Darran Potter
-
Patent number: 7606916
Abstract: A method and apparatus for load balancing within a computer system makes use of client MAC addresses, reduced modulo N, to direct client requests to a particular server within a server farm. The method is particularly applicable to load balancing applied to AAA servers. In the preferred embodiments, the method can handle failovers and fail-back with few or no aborted authentications.
Type: Grant
Filed: November 10, 2003
Date of Patent: October 20, 2009
Assignee: Cisco Technology, Inc.
Inventors: Darran Potter, Andrew Clymer
-
Patent number: 7587751
Abstract: According to one embodiment of the invention, a session list identifying communication sessions relating to supplicants that access a computer network through an access device is created and stored at an authentication server. Then, an event is received from an anti-virus system announcing an updated anti-virus policy. User input is received that requests performing posture validation for all the supplicants. Next, in response to the information received, a time value for starting the posture validation for a particular supplicant identified in the session list. Finally, in response to the information received, a request to perform posture validation is generated and sent to the access device, wherein the request includes supplicant identifying information, the time value, and instructions that instructs the access device to initiate the posture validation for that supplicant only after the time value has expired. The steps are repeated for all supplicants in the session list.
Type: Grant
Filed: August 2, 2004
Date of Patent: September 8, 2009
Assignee: Cisco Technology, Inc.
Inventors: Darran Potter, Jeremy Stieglitz, Andrew Clymer
-
Patent number: 7546632
Abstract: A system supplies configuration information, via an EAP protocol, to a remote device trying to access the network. An authentication server performs an authentication exchange by receiving, from a remote device, a connection attempt to access the network. The authentication server performs an authentication exchange with the remote device to allow the remote device access to the network. During the authentication exchange, a configuration selection characteristic associated with the remote device is identified. A device configuration to be applied to the remote device, based on the configuration selection characteristic, is determined. The authentication server provides the determined device configuration to the remote device, via an EAP protocol, to allow the remote device to install the determined device configuration prior to being allowed access to the network.
Type: Grant
Filed: February 17, 2005
Date of Patent: June 9, 2009
Assignee: Cisco Technology, Inc.
Inventors: Jeremy E. Stieglitz, Darran Potter, Mark C. Wilgus
-
Patent number: 7433959
Abstract: Creating and storing troubleshooting information for providing access control information to a network device involves receiving a provisioning of control lists, and associations of the ACLs to users of the device. During authenticating a user login, a name of a first ACL is provided to the device, selected from among the ACLs based on the associations. A request is received from the device for a first ACL that is associated with a user of the device. The request includes the name of the ACL. The first ACL is sent to the network device in response to the request. Embodiments may use RADIUS for communicating ACLs from an authentication server to a firewall. A de-fragmentation approach enables downloading ACLs that exceed the maximum RADIUS packet size. Using an ACL renaming approach the firewall updates its cache when a user subsequently logs in and the corresponding ACL has changed.
Type: Grant
Filed: May 10, 2007
Date of Patent: October 7, 2008
Assignee: Cisco Technology, Inc.
Inventors: Andrew M. Clymer, Darran Potter
-
Patent number: 7421503
Abstract: A method is disclosed for providing multiple authentication types within an authentication protocol that supports a single type of authentication for a client in communication with an authorization server over a network. One or more authentication request packets compliant with an authentication protocol are sent to the client. Each of the packets comprises a type value that specifies multiple authentication, and a data field having a value that is structured in compliance with the authentication protocol. Each of the packets is associated with one of a plurality of different authentication conversations with the client. A plurality of responses is received from the client for each of the authentication conversations. The sending and receiving steps are repeated until results are determined for the authentication conversations. The client is authenticated based on results of each of the plurality of authentication conversations.
Type: Grant
Filed: January 17, 2003
Date of Patent: September 2, 2008
Assignee: Cisco Technology, Inc.
Inventors: Jeremy Stieglitz, John Zamick, Ilan Frenkel, Arthur Zavalkovsky, Darran Potter
-
Publication number: 20070214499
Abstract: Creating and storing troubleshooting information for providing access control information to a network device involves receiving a provisioning of control lists, and associations of the ACLs to users of the device. During authenticating a user login, a name of a first ACL is provided to the device, selected from among the ACLs based on the associations. A request is received from the device for a first ACL that is associated with a user of the device. The request includes the name of the ACL. The first ACL is sent to the network device in response to the request. Embodiments may use RADIUS for communicating ACLs from an authentication server to a firewall. A de-fragmentation approach enables downloading ACLs that exceed the maximum RADIUS packet size. Using an ACL renaming approach the firewall updates its cache when a user subsequently logs in and the corresponding ACL has changed.
Type: Application
Filed: May 10, 2007
Publication date: September 13, 2007
Inventors: Andrew Clymer, Darran Potter
-
Patent number: 7225263
Abstract: A method is disclosed for creating and storing troubleshooting information for providing access control information to a network device. A provisioning of one or more access control lists, and one or more associations of the access control lists to users of the network device, are received. As part of authenticating a user login request, a name of a first access control list is provided to the network device, selected from among the one or more access control lists that based on the associations. A request is received from the network device for a first access control list that is associated with a user of the network device. The request includes the name of the access control list. The first access control list is sent to the network device in response to the request. Embodiments may use RADIUS packets for communicating ACLs from an authentication server to a firewall, and a de-fragmentation approach is disclosed for downloading ACLs that exceed the maximum RADIUS packet size.
Type: Grant
Filed: December 4, 2002
Date of Patent: May 29, 2007
Assignee: Cisco Technology, Inc.
Inventors: Andrew M. Clymer, Darran Potter
-
Publication number: 20070118883
Abstract: A method is disclosed for determining the authentication capabilities of a supplicant before initiating an authentication conversation with a client, for example, using Extensible Authentication Protocol (EAP). In one aspect, the method provides for sending, to a supplicant that is requesting access to a computer network subject to authentication of a user of the supplicant, a list of first authentication methods that are supported by an authentication server; receiving, from the supplicant, a counter-list of second authentication methods that are supported by the supplicant; determining how many second authentication methods in the counter-list match the first authentication methods; and performing an authentication policy action based on how many of the second authentication methods match the first authentication methods. Policy actions can include blocking access, re-directing to sources of acceptable authentication methods, granting one of several levels of network access, etc.
Type: Application
Filed: January 18, 2007
Publication date: May 24, 2007
Inventors: Darran Potter, Jeremy Stieglitz, Andrew Clymer
-
Patent number: 7194763
Abstract: A method is disclosed for determining the authentication capabilities of a supplicant before initiating an authentication conversation with a client, for example, using Extensible Authentication Protocol (EAP). In one aspect, the method provides for sending, to a supplicant that is requesting access to a computer network subject to authentication of a user of the supplicant, a list of first authentication methods that are supported by an authentication server; receiving, from the supplicant, a counter-list of second authentication methods that are supported by the supplicant; determining how many second authentication methods in the counter-list match the first authentication methods; and performing an authentication policy action based on how many of the second authentication methods match the first authentication methods. Policy actions can include blocking access, re-directing to sources of acceptable authentication methods, granting one of several levels of network access, etc.
Type: Grant
Filed: August 2, 2004
Date of Patent: March 20, 2007
Assignee: Cisco Technology, Inc.
Inventors: Darran Potter, Jeremy Stieglitz, Andrew Clymer
-
Publication number: 20060185001
Abstract: A system supplies configuration information, via an EAP protocol, to a remote device trying to access the network. An authentication server performs an authentication exchange by receiving, from a remote device, a connection attempt to access the network. The authentication server performs an authentication exchange with the remote device to allow the remote device access to the network. During the authentication exchange, a configuration selection characteristic associated with the remote device is identified. A device configuration to be applied to the remote device, based on the configuration selection characteristic, is determined. The authentication server provides the determined device configuration to the remote device, via an EAP protocol, to allow the remote device to install the determined device configuration prior to being allowed access to the network.
Type: Application
Filed: February 17, 2005
Publication date: August 17, 2006
Inventors: Jeremy Stieglitz, Darran Potter, Mark Wilgus
-
Publication number: 20060026671
Abstract: A method is disclosed for determining the authentication capabilities of a supplicant before initiating an authentication conversation with a client, for example, using Extensible Authentication Protocol (EAP). In one aspect, the method provides for sending, to a supplicant that is requesting access to a computer network subject to authentication of a user of the supplicant, a list of first authentication methods that are supported by an authentication server; receiving, from the supplicant, a counter-list of second authentication methods that are supported by the supplicant; determining how many second authentication methods in the counter-list match the first authentication methods; and performing an authentication policy action based on how many of the second authentication methods match the first authentication methods. Policy actions can include blocking access, re-directing to sources of acceptable authentication methods, granting one of several levels of network access, etc.
Type: Application
Filed: August 2, 2004
Publication date: February 2, 2006
Inventors: Darran Potter, Jeremy Stieglitz, Andrew Clymer
-
Publication number: 20060026670
Abstract: A method is disclosed for performing on-demand posture validation for all of multiple clients or supplicants of an authentication system, comprising creating and storing a session list identifying communication sessions relating to supplicants that access a computer network through an access device; receiving input requesting performing posture validation for all the supplicants; determining a time value for starting the posture validation for a particular supplicant identified in the session list; generating and sending to the access device, a request to perform posture validation, wherein the request comprises supplicant identifying information and the time value and instructs the access device to initiate the posture validation for that supplicant only after the time value has expired; and repeating the steps of determining, generating and sending for all supplicants in the session list.
Type: Application
Filed: August 2, 2004
Publication date: February 2, 2006
Inventors: Darran Potter, Jeremy Stieglitz, Andrew Clymer
-
Publication number: 20050235341
Abstract: Techniques are disclosed for dynamically mitigating a noncompliant password. The techniques include obtaining a password from a user when the user attempts to access a service; determining whether the password meets quality criteria; and if the password does not meet the quality criteria, performing one or more responsive actions that relate to accessing the service.
Type: Application
Filed: April 16, 2004
Publication date: October 20, 2005
Inventors: Jeremy Stieglitz, Darran Potter