Patents by Inventor Jeremy Stieglitz

Jeremy Stieglitz has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7631347
    Abstract: A system and method that supports disjoint authentication server farms and disjoint policy or authorization servers for multi-session establishment. The authentication server has global knowledge of authenticators for additional sessions for a supplicant and can split authentication requests as needed to different authentication servers. The split authentication and authorization requests can be aggregated should the other authentication and authorization servers have the capability to handle multiple requests. In the case of server farms, authentication and implied authorization requests can be split to facilitate load balancing.
    Type: Grant
    Filed: November 18, 2005
    Date of Patent: December 8, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Nancy Cam-Winget, Mark Krischer, Jeremy Stieglitz
  • Patent number: 7614078
    Abstract: A method and apparatus for authorizing an access requester to access a data communication network is provided. A determination is made that a threshold access control server cannot process an access request associated with the access requester. Access requester history data, or data that describes the access history for an access requester, is analyzed to obtain a threshold access level. A threshold access level is an expression of how likely it is that a particular access requester is a legitimate access requester. A session profile is selected for the access requester based on the threshold access level. The session profile indicates one or more actions the access requester is authorized to perform in the network. The session profile may subsequently be transmitted to the access requester to allow the access requester access to the network to the extent appropriate in view of the access requester history data.
    Type: Grant
    Filed: April 2, 2003
    Date of Patent: November 3, 2009
    Assignee: Cisco Technology, Inc.
    Inventor: Jeremy Stieglitz
  • Patent number: 7587751
    Abstract: According to one embodiment of the invention, a session list identifying communication sessions relating to supplicants that access a computer network through an access device is created and stored at an authentication server. Then, an event is received from an anti-virus system announcing an updated anti-virus policy. User input is received that requests performing posture validation for all the supplicants. Next, in response to the information received, a time value for starting the posture validation for a particular supplicant identified in the session list is determined. Finally, in response to the information received, a request to perform posture validation is generated and sent to the access device, wherein the request includes supplicant identifying information, the time value, and instructions that instruct the access device to initiate the posture validation for that supplicant only after the time value has expired. The steps are repeated for all supplicants in the session list.
    Type: Grant
    Filed: August 2, 2004
    Date of Patent: September 8, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Darran Potter, Jeremy Stieglitz, Andrew Clymer
  • Patent number: 7493394
    Abstract: The invention provides techniques for dynamic timeout including the steps of receiving a request from a requestor; determining whether an interim message should be sent to the requestor; and, if the interim message should be sent to the requestor, sending to the requestor the interim message referring to the request. Techniques are also provided for dynamic timeout including steps of sending a request to a server; receiving an interim message from the server, where the interim message contains one or more response-related items; and determining whether to change a timeout value based on the one or more response-related items in the interim message.
    Type: Grant
    Filed: December 31, 2003
    Date of Patent: February 17, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Arthur Zavalkovsky, Jeremy Stieglitz
  • Patent number: 7477747
    Abstract: A method and system for performing pre-authentication across inter-subnets. A pre-authentication request is received by a first access point associated with a first subnet from a mobile node that is requesting pre-authentication with a second access point associated with a second subnet. The request is forwarded by the access point to a first authenticator that is the authenticator for the first subnet. The first authenticator obtains from a root infrastructure node the address for a second authenticator that is the authenticator for the second access point. The first authenticator then pre-authenticates the mobile node with the second authenticator by sending a message to the address for the second authenticator.
    Type: Grant
    Filed: February 4, 2005
    Date of Patent: January 13, 2009
    Inventors: Jeremy Stieglitz, Nancy Cam Winget
  • Patent number: 7421503
    Abstract: A method is disclosed for providing multiple authentication types within an authentication protocol that supports a single type of authentication for a client in communication with an authorization server over a network. One or more authentication request packets compliant with an authentication protocol are sent to the client. Each of the packets comprises a type value that specifies multiple authentication, and a data field having a value that is structured in compliance with the authentication protocol. Each of the packets is associated with one of a plurality of different authentication conversations with the client. A plurality of responses is received from the client for each of the authentication conversations. The sending and receiving steps are repeated until results are determined for the authentication conversations. The client is authenticated based on results of each of the plurality of authentication conversations.
    Type: Grant
    Filed: January 17, 2003
    Date of Patent: September 2, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Jeremy Stieglitz, John Zamick, Ilan Frenkel, Arthur Zavalkovsky, Darran Potter
  • Publication number: 20080104242
    Abstract: A method and apparatus for managing and balancing wireless access based on centralized information is provided. A request to provide service to a wireless client is received from a first access node in a plurality of access nodes. An access policy, applicable to the first access node, is selected from a plurality of stored policies. The stored policies may include a variety of rules, such as how many or which wireless clients may be serviced by an access node. A centralized manager, such as an AAA server, may perform the selection of the access policy. A determination is made as to whether to allow the first access node to provide service to the wireless client based on the selected access policy. A message that instructs the first access node whether to provide or deny service to the wireless client is transmitted to the first access node.
    Type: Application
    Filed: December 31, 2007
    Publication date: May 1, 2008
    Inventors: Arthur Zavalkovsky, Jeremy Stieglitz, Ami Schieber
  • Patent number: 7336960
    Abstract: A method and apparatus for managing and balancing wireless access based on centralized information is provided. A request to provide service to a wireless client is received from a first access node in a plurality of access nodes. An access policy, applicable to the first access node, is selected from a plurality of stored policies. The stored policies may include a variety of rules, such as how many or which wireless clients may be serviced by an access node. A centralized manager, such as an AAA server, may perform the selection of the access policy. A determination is made as to whether to allow the first access node to provide service to the wireless client based on the selected access policy. A message that instructs the first access node whether to provide or deny service to the wireless client is transmitted to the first access node.
    Type: Grant
    Filed: October 26, 2004
    Date of Patent: February 26, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Arthur Zavalkovsky, Jeremy Stieglitz, Ami Schieber
  • Publication number: 20080034207
    Abstract: In one embodiment, a method for facilitating authentication and easing the configuration of authentication includes receiving a credential type selection and selecting one or more authentication types based on the credential type selection and one or more policies set by the administrators. The policies can be preconfigured or dynamically pushed or fetched and updated to the client.
    Type: Application
    Filed: August 1, 2006
    Publication date: February 7, 2008
    Applicant: Cisco Technology, Inc.
    Inventors: Nancy Cam-Winget, Hao Zhou, Robert B. O'Hara, Patrice R. Calhoun, Jeremy Stieglitz
  • Publication number: 20070256122
    Abstract: A method and system is disclosed for creating and tracking network sessions. A request to access a network is received from an entity. The entity is authenticated after the request is received. Authenticated identity information associated with the entity, network address information associated with the entity, and network location information associated with the entity are collected. An information set is created. The information set comprises and binds together the authenticated identity information, the network address information, and the network location information. The information set indicates a present association among the authenticated identity information, the network address information, and the network location information. The information set is stored in a session record in a centralized database. The session record represents a session in which the entity accesses the network. The session record is one of a plurality of session records that are stored in the centralized database.
    Type: Application
    Filed: April 28, 2006
    Publication date: November 1, 2007
    Inventors: Ian Foo, Jeremy Stieglitz, Arthur Zavalkovsky, Jeevan Patil, Partha Bhattacharya, Jason Frazier, Ellis Dobbins
  • Publication number: 20070195742
    Abstract: A system and method for selectively controlling traffic in a network to improve network performance. The system includes a network controller that includes a first control-traffic prioritizer. An Access Point (AP) includes a second control-traffic prioritizer and communicates with the network controller. One or more clients communicate with the AP. The communications behavior of the client is affected by operations of the first control-traffic prioritizer and the second control-traffic prioritizer.
    Type: Application
    Filed: February 21, 2006
    Publication date: August 23, 2007
    Applicant: Cisco Technology, Inc.
    Inventors: William Erdman, Jeremy Stieglitz, Patrick Gilbreath, Ian Foo
  • Publication number: 20070118883
    Abstract: A method is disclosed for determining the authentication capabilities of a supplicant before initiating an authentication conversation with a client, for example, using Extensible Authentication Protocol (EAP). In one aspect, the method provides for sending, to a supplicant that is requesting access to a computer network subject to authentication of a user of the supplicant, a list of first authentication methods that are supported by an authentication server; receiving, from the supplicant, a counter-list of second authentication methods that are supported by the supplicant; determining how many second authentication methods in the counter-list match the first authentication methods; and performing an authentication policy action based on how many of the second authentication methods match the first authentication methods. Policy actions can include blocking access, re-directing to sources of acceptable authentication methods, granting one of several levels of network access, etc.
    Type: Application
    Filed: January 18, 2007
    Publication date: May 24, 2007
    Inventors: Darran Potter, Jeremy Stieglitz, Andrew Clymer
  • Publication number: 20070112930
    Abstract: A method, a system, a machine-readable medium, and an apparatus for managing storage on a shared storage space, for example, on an email server, are provided. A plurality of emails is compared. If the content of each of the plurality of emails is the same, then a single copy is stored on the email server. Further, each recipient of the plurality of emails is enabled access to the stored email via a link to the single copy. Additionally, one or more attachments of the plurality of emails are compared. If an attachment is the same in each of the plurality of emails, then it is stored as a single copy. Further, a link is inserted in each of the plurality of emails, enabling access to the attachment from the single copy.
    Type: Application
    Filed: November 15, 2005
    Publication date: May 17, 2007
    Applicant: Cisco Technology, Inc.
    Inventors: Ian Foo, Jeremy Stieglitz, Frederick Baker
  • Publication number: 20070082656
    Abstract: A system and method to manage the pre-authentication service by providing a network-centric, managed list of neighboring/logical access points from which a wireless station should pre-authenticate. An access point is provided with a pre-authentication table. When a wireless station associates with the access point, the access point transmits the pre-authentication table to the client. The client responsive to receiving the table only pre-authenticates with neighboring access points on the table.
    Type: Application
    Filed: October 11, 2005
    Publication date: April 12, 2007
    Inventors: Jeremy Stieglitz, Timothy Olson
  • Patent number: 7194763
    Abstract: A method is disclosed for determining the authentication capabilities of a supplicant before initiating an authentication conversation with a client, for example, using Extensible Authentication Protocol (EAP). In one aspect, the method provides for sending, to a supplicant that is requesting access to a computer network subject to authentication of a user of the supplicant, a list of first authentication methods that are supported by an authentication server; receiving, from the supplicant, a counter-list of second authentication methods that are supported by the supplicant; determining how many second authentication methods in the counter-list match the first authentication methods; and performing an authentication policy action based on how many of the second authentication methods match the first authentication methods. Policy actions can include blocking access, re-directing to sources of acceptable authentication methods, granting one of several levels of network access, etc.
    Type: Grant
    Filed: August 2, 2004
    Date of Patent: March 20, 2007
    Assignee: Cisco Technology, Inc.
    Inventors: Darran Potter, Jeremy Stieglitz, Andrew Clymer
  • Publication number: 20070016684
    Abstract: A system for facilitating use of services in a network. In an illustrative embodiment, the system includes a first mechanism for enabling a user to connect to the network. A second mechanism authenticates the user and provides a signal in response thereto. A third mechanism selectively displays information pertaining to services of the network in response to the signal. In a more specific embodiment, the network is a Public Wireless Local Area Network (PWLAN), and the first mechanism includes one or more local access points. In this embodiment, the second mechanism further facilitates determining which of the services the user is permitted to access and provides permission information in response thereto. The permission information is incorporated in the signal. The third mechanism further employs the permission information to indicate to the user which of the services the user is authorized to use or access.
    Type: Application
    Filed: July 13, 2005
    Publication date: January 18, 2007
    Applicant: Cisco Technology, Inc.
    Inventors: Jeremy Stieglitz, Jeevan Patil, Pradeep Badri
  • Publication number: 20070002736
    Abstract: A system for improving network resource utilization. The system includes a prioritizer that prioritizes received data by assigning one or more priority values thereto. A network resource monitor provides network resource information. A transmitter selectively transmits the data based on the network resource information and the one or more priority values. In a specific embodiment, the data includes network messages, and the prioritizer includes a prioritization mechanism that assigns a priority value to each of the network messages. A threshold-comparison mechanism compares each of the priority values to a threshold and provides comparison results in response thereto. The transmitter selectively transmits each of the network messages based on the comparison results. In an illustrative embodiment, the network messages include network alerts generated by an Intrusion Detection System (IDS).
    Type: Application
    Filed: June 16, 2005
    Publication date: January 4, 2007
    Applicant: Cisco Technology, Inc.
    Inventors: Anuradha Gade, Bruce McMurdo, Jeremy Stieglitz
  • Publication number: 20060294246
    Abstract: A system for selectively handling client information in a network. In an illustrative embodiment, the system includes a first module adapted to determine whether a client will require roaming services or not. A second module, which communicates with the first module, maintains records of the client that are required only for roaming services only if the client will require roaming services as determined by the first module.
    Type: Application
    Filed: June 23, 2005
    Publication date: December 28, 2006
    Applicant: Cisco Technology, Inc.
    Inventors: Jeremy Stieglitz, Shripati Acharya, Ronald Seide
  • Publication number: 20060236383
    Abstract: A system and method that supports disjoint authentication server farms and disjoint policy or authorization servers for multi-session establishment. The authentication server has global knowledge of authenticators for additional sessions for a supplicant and can split authentication requests as needed to different authentication servers. The split authentication and authorization requests can be aggregated should the other authentication and authorization servers have the capability to handle multiple requests. In the case of server farms, authentication and implied authorization requests can be split to facilitate load balancing.
    Type: Application
    Filed: November 18, 2005
    Publication date: October 19, 2006
    Inventors: Nancy Cam-Winget, Mark Krischer, Jeremy Stieglitz
  • Publication number: 20060198310
    Abstract: A convergent network comprising voice over Internet protocol (VOIP) and voice over wireless local area networks (VoWLAN) telephones provides users the means for notifying a network administrator of a quality problem in real time together with an indication of the nature of the problem. Upon receipt of the notification, the system takes a snapshot of the current network parameters that are associated with the quality problem and provides network statistics for subsequent analysis and troubleshooting. Other callers participating in a call are notified of the source of the quality problem. In other embodiments, when streaming video or audio users detect a network quality problem, the problem is marked and tagged to indicate the time and the type of quality problem as it is occurring.
    Type: Application
    Filed: March 3, 2005
    Publication date: September 7, 2006
    Applicant: Cisco Technology, Inc.
    Inventors: Jeremy Stieglitz, Jonathan Leary