Abstract: A method of operating a network is provided that includes identifying a plurality of client devices connected to the network, categorizing the client devices into respective client groups based on device characteristics of each of the client devices, analyzing traffic patterns among the client groups and assigning the client groups to respective network segments based on the observed traffic patterns, and generating one or more network access policy for at least one of the network segments based on the traffic patterns or baseline behavior associated with a portion of the client devices belonging to the at least one of the network segments.

Abstract: Client devices in the same device group may use the same group-specific key to perform a key exchange operation with access point(s) to obtain network access. A network access management server may provide centralized management of different device groups each being associated with a different group-specific key during the life cycles of the device groups. An access point may communicate with the network access management server to obtain the group-specific key to assist in authenticating network access of a connecting client device.

Abstract: Client devices in the same device group may use the same group-specific key to perform a key exchange operation with access point(s) to obtain network access. A network access management server may provide centralized management of different device groups each being associated with a different group-specific key during the life cycles of the device groups. An access point may communicate with the network access management server to obtain the group-specific key to assist in authenticating network access of a connecting client device.

Abstract: A method of operating a server is provided that includes providing, with the server, one or more services relating to network access control and management of a network, predicting a network configuration failure associated with the network with a failure prediction model, and generating a network configuration recommendation based on the predicted network configuration failure to avoid the predicted network configuration failure. The failure prediction model can be a machine-learning based network configuration failure prediction model that is trained on past network configuration failure events. Operated in this way, erroneous network configuration issues can be automatically identified and addressed in a timely fashion.

Abstract: A device access management server may facilitate secure access of a target device by an accessing device. The secure remote access of the target device by the accessing device may be facilitated by a public key infrastructure (PKI) certificate issued and/or validated by the device access management server.

Abstract: A method of operating a network is provided that includes identifying a plurality of client devices connected to the network, categorizing the client devices into respective client groups based on device characteristics of each of the client devices, analyzing traffic patterns among the client groups and assigning the client groups to respective network segments based on the observed traffic patterns, and generating one or more network access policy for at least one of the network segments based on the traffic patterns or baseline behavior associated with a portion of the client devices belonging to the at least one of the network segments.

Abstract: A device access management server may facilitate secure remote access of a target device by an accessing device. The secure remote access of the target device by the accessing device may be authenticated using a session token. The device access management server may maintain the session token and other session information.

Abstract: A method of operating a network is provided that includes receiving a query, using a first language model to determine an intent or purpose of the query, using a second language model to extract a named entity from the query, and obtaining search results by searching for the extracted named entity on a named entity list corresponding to a particular tenant. The method can further include generating a response based on the search results. The query can be a natural language query, and the first language model can be a natural language model. The second language model for extracting the named entity can be a network-related language model that is trained on network records associated with a plurality of tenants. The network records associated with the plurality of tenants can be stored on a multi-tenant database.

Abstract: A network management server may provide options via a user interface for configuring a network and a network policy for the network. The network management server may identify values for network attributes based on the user-selected option(s). The network management server may maintain network entity attribute information and use the network entity attribute information to populate the selectable options based on which conditions and/or actions for the network policy are defined.

Abstract: Methods and systems for providing vendor agnostic captive portal authentication in a network that includes a plurality of network access devices are provided. For instance, one method includes receiving a redirect request for a communication between a first user-terminal and a first network access device, the redirect request including at least one of a vendor-specific item of information of the first network access device and an Internet Protocol (IP) address of the first network access device. The method further includes comparing the at least one of the vendor-specific item of information of the first network access device and the IP address of the first network access device against each of a plurality of entries of a network access device database, and providing the first user-terminal access to a captive portal page in response to an appropriate match.

Abstract: Methods and systems for specifying and enforcing network policies are provided. One method for configuring a network that includes a plurality of heterogeneous network access devices includes creating a network enforcement profile based on at least one enforcement policy, and determining a network access device group of the plurality of heterogeneous network access devices that are capable of managing the enforcement profile. The method further includes providing vendor-specific configuration parameters for at least one network access device of the network access device group so as to cause the network to manage the network enforcement profile, and applying the vendor-specific configuration parameters to the at least one network access device.

Abstract: Methods and systems for providing vendor agnostic captive portal authentication in a network that includes a plurality of network access devices are provided. For instance, one method includes receiving a redirect request for a communication between a first user-terminal and a first network access device, the redirect request including at least one of a vendor-specific item of information of the first network access device and an Internet Protocol (IP) address of the first network access device. The method further includes comparing the at least one of the vendor-specific item of information of the first network access device and the IP address of the first network access device against each of a plurality of entries of a network access device database, and providing the first user-terminal access to a captive portal page in response to an appropriate match.

Abstract: A process, system, and non-transient computer readable medium that provides device automation support for the dynamic activation, authentication, and accounting of network access and network access devices while enabling seamless multi-vendor support for change of authorization through multiple network protocols. The process, system, and non-transient computer readable media also provides security threat remediation that can be automated at the device, network access, traffic inspection, and/or threat protection level by taking action on a device by triggering actions in a bidirectional manner.

Abstract: Systems and methods are provided for chaining network access control authorization processes. A method includes executing a first authorization process to generate a first authorization result for a user according to first authorization data obtained from a first authorization source corresponding to the first authorization process; executing a second authorization process to generate a second authorization result for the user according to second authorization data obtained from a second authorization source corresponding to the second authorization process and the first authorization data obtained by the first authorization process; and authorizing the user to access a network resource according to the first authorization result generated by the first authorization process and the second authorization result generated by the second authorization process.

Abstract: Methods and systems for providing vendor agnostic captive portal authentication in a network that includes a plurality of network access devices are provided. For instance, one method includes receiving a redirect request for a communication between a first user-terminal and a first network access device, the redirect request including at least one of a vendor-specific item of information of the first network access device and an Internet Protocol (IP) address of the first network access device. The method further includes comparing the at least one of the vendor-specific item of information of the first network access device and the IP address of the first network access device against each of a plurality of entries of a network access device database, and providing the first user-terminal access to a captive portal page in response to an appropriate match.

Abstract: A process, system, and non-transient computer readable medium that provides device automation support for the dynamic activation, authentication, and accounting of network access and network access devices while enabling seamless multi-vendor support for change of authorization through multiple network protocols. The process, system, and non-transient computer readable media also provides security threat remediation that can be automated at the device, network access, traffic inspection, and/or threat protection level by taking action on a device by triggering actions in a bidirectional manner.

Abstract: Systems and methods are provided for chaining network access control authorization processes. A method includes executing a first authorization process to generate a first authorization result for a user according to first authorization data obtained from a first authorization source corresponding to the first authorization process; executing a second authorization process to generate a second authorization result for the user according to second authorization data obtained from a second authorization source corresponding to the second authorization process and the first authorization data obtained by the first authorization process; and authorizing the user to access a network resource according to the first authorization result generated by the first authorization process and the second authorization result generated by the second authorization process.

Abstract: Methods and systems for specifying and enforcing network policies are provided. One method for configuring a network that includes a plurality of heterogeneous network access devices includes creating a network enforcement profile based on at least one enforcement policy, and determining a network access device group of the plurality of heterogeneous network access devices that are capable of managing the enforcement profile. The method further includes providing vendor-specific configuration parameters for at least one network access device of the network access device group so as to cause the network to manage the network enforcement profile, and applying the vendor-specific configuration parameters to the at least one network access device.

Abstract: Methods and systems for providing vendor agnostic captive portal authentication in a network that includes a plurality of network access devices are provided. For instance, one method includes receiving a redirect request for a communication between a first user-terminal and a first network access device, the redirect request including at least one of a vendor-specific item of information of the first network access device and an Internet Protocol (IP) address of the first network access device. The method further includes comparing the at least one of the vendor-specific item of information of the first network access device and the IP address of the first network access device against each of a plurality of entries of a network access device database, and providing the first user-terminal access to a captive portal page in response to an appropriate match.

Abstract: An example non-transitory memory resource including instructions executable by the processing resource to monitor device information for a plurality of devices, wherein the plurality of devices comprise at least one device of an unknown device type, identify behavior attributes for the plurality of devices based on the monitored device information, cluster the plurality of devices into groups based on the behavior attributes, identify a device type for the plurality of devices based on the group of the plurality of devices; and present identifiers for each of the plurality of devices, based on the device type of the plurality of devices.