Patents by Inventor Manish Singhvi
Manish Singhvi has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12192330
Abstract: Embodiments allow a network device whose hardware limits an Association Number (AN) to only {0, 1}, to be part of Media Access Control security (MACsec). Upon detecting a network device as being AN-limited, that device's priority value is assigned a maximum value, thereby ensuring election of the AN-limited device as the key server. The {0, 1} AN of the key server is used to generate a Secure Association Key (SAK) used for MACsec. Upon subsequent rekeying, the AN-limited key server automatically cycles to a next AN (either 0 or 1) to generate a new SAK, where that next AN is also recognized by other network devices. In this manner, the AN-limited network device can participate in the MACsec without encountering ANs (e.g., {2, 3}) that it does not recognize.
Type: Grant
Filed: March 28, 2022
Date of Patent: January 7, 2025
Assignee: ARISTA NETWORKS, INC.
Inventors: Kaustav Majumdar, Manish Singhvi
-
Patent number: 12177313
Abstract: In general, the disclosure relates to a method for redirecting a user to a captive portal. The method includes trapping an incoming frame originating from a host, where the incoming frame comprises a L2 header and a payload, wherein the payload specifies information associated with an external server, wherein the user of the host has not been authenticated by the captive portal at a time when the incoming frame is trapped, extracting the L2 header, an L3 header, and the payload from the incoming frame, forwarding the L3 header and the payload towards a redirection server executing on the network device, wherein the redirection server is configured to generate a redirection response based on the payload; encapsulating the redirection response to obtain an L3 response packet, encapsulating the L3 response packet using information from the L2 header to obtain an output frame, and transmitting the output frame towards the host.
Type: Grant
Filed: June 15, 2023
Date of Patent: December 24, 2024
Assignee: Arista Networks, Inc.
Inventors: Leandro Lisboa Penz, Arun Ajith Surendranath, Ganesan Rajagopal, Manish Singhvi
-
Patent number: 12143381
Abstract: In general, embodiments relate to a method for managing a network device, including receiving an incoming frame originating from a host, where the incoming frame includes IP address of the host and a payload specifying information associated with an external server. The method further includes determining, using the IP address of the host and an IP address to segment identifier (ID) mapping, that the host is associated with a first segment, in response to the determining, forwarding the incoming frame towards a redirection server executing on the network device, where the first segment is associated with a first policy and where the first policy specifies that the incoming frame is to be forwarded to the redirection server.
Type: Grant
Filed: May 19, 2022
Date of Patent: November 12, 2024
Assignee: ARISTA NETWORKS, INC.
Inventor: Manish Singhvi
-
Publication number: 20240259362
Abstract: Systems and methods for the tracking and use of the status of authentication servers by a network device are disclosed. Embodiments as disclosed may maintain a responsiveness status reflecting the responsiveness of each authentication server in a network at a network device utilized as an authenticator. When a request for authentication is received from a host at the network device the status of each of the plurality of the authentication servers can be checked. Only those authentication servers indicated as responsive may be utilized to attempt authentication.
Type: Application
Filed: April 27, 2023
Publication date: August 1, 2024
Inventors: Siddarth Karki, Wenyi Cheng, Manish Singhvi, Ganesan Rajogopal
-
Patent number: 12052242
Abstract: In general, the disclosure relates to a method for creating segment mapping in a network, by a network device. The method includes receiving a segment identification (ID) for a client device of the network from an authentication system. The segment ID identifies a segment of the network including the client device and the network device wherein the segment ID is associated with a media access control (MAC) address of the client device. The network device or a network management system (NMS) determines an internet protocol (IP) address of the client device and the network device creates an IP address to segment ID mapping for the client device using the IP address. The IP address to segment ID mapping is provided to the NMS for distribution to remaining network devices of the network. At least one packet of the client device is processed using the IP address to segment ID mapping.
Type: Grant
Filed: May 21, 2021
Date of Patent: July 30, 2024
Assignee: ARISTA NETWORKS, INC.
Inventors: John French, Manish Singhvi
-
Publication number: 20240121087
Abstract: Systems and methods are disclosed for acknowledgement-based retirement of expired secure association keys (SAK). A new SAK is generated by a key server. The new SAK is transmitted to members of a connectivity association (CA). The new SAK for key server ingress traffic is installed. An ingress SAK installation acknowledgement is received from the members of the CA. The new SAK for key server egress traffic is installed at the key server, based on receiving the ingress SAK installation acknowledgement from the members of the CA. A key server egress SAK installation notification is transmitted to the members of the CA. A prior secure association key is retired after a configurable SAK retirement buffer delay in response to an earlier occurrence of either: receipt of an egress SAK installation acknowledgement from the members of the CA and expiration of a SAK retirement buffer delay, or expiration of a SAK retirement timeout.
Type: Application
Filed: October 7, 2022
Publication date: April 11, 2024
Inventors: Sourav BASU, Tarun Jaswanth, Kaustav MAJUMDAR, Manish SINGHVI
-
Publication number: 20230412702
Abstract: In general, the disclosure relates to a method for redirecting a user to a captive portal. The method includes trapping an incoming frame originating from a host, where the incoming frame comprises a L2 header and a payload, wherein the payload specifies information associated with an external server, wherein the user of the host has not been authenticated by the captive portal at a time when the incoming frame is trapped, extracting the L2 header, an L3 header, and the payload from the incoming frame, forwarding the L3 header and the payload towards a redirection server executing on the network device, wherein the redirection server is configured to generate a redirection response based on the payload; encapsulating the redirection response to obtain an L3 response packet, encapsulating the L3 response packet using information from the L2 header to obtain an output frame, and transmitting the output frame towards the host.
Type: Application
Filed: June 15, 2023
Publication date: December 21, 2023
Inventors: Leandro Lisboa Penz, Arun Ajith Surendranath, Ganesan Rajagopal, Manish Singhvi
-
Publication number: 20230403303
Abstract: A method for managing a group of secured network devices. The method includes detecting, by a switchover agent operating in a secured network device of the group of secured network devices, a switchover between two supervisors operating in the secured network device, based on the detecting: generating a modified heartbeat packet, wherein the modified heartbeat packet comprises a suspension time that is significantly larger than a heartbeat interval, and sending the modified heartbeat packet to a second secured network device of the group of secured network devices.
Type: Application
Filed: June 8, 2022
Publication date: December 14, 2023
Inventors: Sourav Basu, Tarun Jain, Kaustav Majumdar, Manish Singhvi
-
Publication number: 20230379328
Abstract: In general, embodiments relate to a method for managing a network device, including receiving an incoming frame originating from a host, where the incoming frame includes IP address of the host and a payload specifying information associated with an external server. The method further includes determining, using the IP address of the host and an IP address to segment identifier (ID) mapping, that the host is associated with a first segment, in response to the determining, forwarding the incoming frame towards a redirection server executing on the network device, where the first segment is associated with a first policy and where the first policy specifies that the incoming frame is to be forwarded to the redirection server.
Type: Application
Filed: May 19, 2022
Publication date: November 23, 2023
Inventor: Manish Singhvi
-
Publication number: 20230308262
Abstract: Embodiments allow a network device whose hardware limits an Association Number (AN) to only {0, 1}, to be part of Media Access Control security (MACsec). Upon detecting a network device as being AN-limited, that device’s priority value is assigned a maximum value, thereby ensuring election of the AN-limited device as the key server. The {0, 1} AN of the key server is used to generate a Secure Association Key (SAK) used for MACsec. Upon subsequent rekeying, the AN-limited key server automatically cycles to a next AN (either 0 or 1) to generate a new SAK, where that next AN is also recognized by other network devices. In this manner, the AN-limited network device can participate in the MACsec without encountering ANs (e.g., {2, 3}) that it does not recognize.
Type: Application
Filed: March 28, 2022
Publication date: September 28, 2023
Inventors: Kaustav Majumdar, Manish Singhvi
-
Patent number: 11722578
Abstract: In general, the disclosure relates to a method for redirecting a user to a captive portal. The method includes trapping an incoming frame originating from a host, where the incoming frame comprises a L2 header and a payload, wherein the payload specifies information associated with an external server, wherein the user of the host has not been authenticated by the captive portal at a time when the incoming frame is trapped, extracting the L2 header, an L3 header, and the payload from the incoming frame, forwarding the L3 header and the payload towards a redirection server executing on the network device, wherein the redirection server is configured to generate a redirection response based on the payload; encapsulating the redirection response to obtain an L3 response packet, encapsulating the L3 response packet using information from the L2 header to obtain an output frame, and transmitting the output frame towards the host.
Type: Grant
Filed: January 22, 2021
Date of Patent: August 8, 2023
Assignee: ARISTA NETWORKS, INC.
Inventors: Leandro Lisboa Penz, Arun Ajith Surendranath, Ganesan Rajagopal, Manish Singhvi
-
Patent number: 11658976
Abstract: Embodiments of a method for redirecting, by a network device, a host to a captive portal are disclosed. The method includes receiving an incoming frame originating from the host. The incoming frame has a payload specifying information associated with an external server. A user of the host has not been authenticated by the captive portal at a time when the incoming frame is received by the network device. The network device matches at least a portion of the incoming frame to a custom redirect rule of a unified access control list (ACL) implemented by the network device. In response to the matching, the network device forwards the incoming frame towards an internal redirection server executing on the network device. The network device receives a redirection frame from the internal redirection server. The payload of the redirection frame is generated by the internal redirection server using at least a portion of the incoming frame. The redirection frame is transmitted towards the host.
Type: Grant
Filed: March 12, 2021
Date of Patent: May 23, 2023
Assignee: ARISTA NETWORKS, INC.
Inventors: Manish Singhvi, Ganesan Rajagopal, Ziqian Xu, Leandro Penz
-
Publication number: 20220321560
Abstract: In general, the disclosure relates to a method for creating segment mapping in a network, by a network device. The method includes receiving a segment identification (ID) for a client device of the network from an authentication system. The segment ID identifies a segment of the network including the client device and the network device wherein the segment ID is associated with a media access control (MAC) address of the client device. The network device or a network management system (NMS) determines an internet protocol (IP) address of the client device and the network device creates an IP address to segment ID mapping for the client device using the IP address. The IP address to segment ID mapping is provided to the NMS for distribution to remaining network devices of the network. At least one packet of the client device is processed using the IP address to segment ID mapping.
Type: Application
Filed: May 21, 2021
Publication date: October 6, 2022
Inventors: John French, Manish Singhvi
-
Publication number: 20220239654
Abstract: In general, the disclosure relates to a method for redirecting, by a network device, a host to a captive portal. The method includes receiving an incoming frame originating from the host. The incoming frame has a payload specifying information associated with an external server. A user of the host has not been authenticated by the captive portal at a time when the incoming frame is received by the network device. The network device matches at least a portion of the incoming frame to a custom redirect rule of a unified access control list (ACL) implemented by the network device. In response to the matching, the network device forwards the incoming frame towards an internal redirection server executing on the network device. The network device receives a redirection frame from the internal redirection server. The payload of the redirection frame is generated by the internal redirection server using at least a portion of the incoming frame. The redirection frame is transmitted towards the host.
Type: Application
Filed: March 12, 2021
Publication date: July 28, 2022
Inventors: Manish Singhvi, Ganesan Rajagopal, Ziqian Xu, Leandro Penz
-
Publication number: 20220174129
Abstract: In general, the disclosure relates to a method for redirecting a user to a captive portal. The method includes trapping an incoming frame originating from a host, where the incoming frame comprises a L2 header and a payload, wherein the payload specifies information associated with an external server, wherein the user of the host has not been authenticated by the captive portal at a time when the incoming frame is trapped, extracting the L2 header, an L3 header, and the payload from the incoming frame, forwarding the L3 header and the payload towards a redirection server executing on the network device, wherein the redirection server is configured to generate a redirection response based on the payload; encapsulating the redirection response to obtain an L3 response packet, encapsulating the L3 response packet using information from the L2 header to obtain an output frame, and transmitting the output frame towards the host.
Type: Application
Filed: January 22, 2021
Publication date: June 2, 2022
Inventors: Leandro Lisboa Penz, Arun Ajith Surendranath, Ganesan Rajagopal, Manish Singhvi