Allocation of Local Mac Addresses to Client Devices
| Content Provider | The Lens |
|---|---|
| Abstract | At a network device configured to control access to a network, a client device authentication request is received from a client device. The request includes identity credentials and a temporary media access control (MAC) address of the client device. The client device is successfully authenticated based on the identity credentials. After authentication, a new MAC address is established in the client device. A data frame is then received at the network device. It is determined whether the client device is using the new MAC address based on the received data frame. If it is determined that the client device is using the new MAC address, the client device is permitted to access the network. |
| Related Links | https://www.lens.org/lens/patent/009-772-444-845-280/frontpage |
| Language | English |
| Publisher Date | 2019-10-22 |
| Access Restriction | Open |
| Content Type | Text |
| Resource Type | Patent |
| Jurisdiction | United States of America |
| Date Applied | 2015-11-18 |
| Agent | Edell, Shapiro & Finnan, Llc |
| Applicant | Cisco Tech Inc |
| Application No. | 201514944743 |
| Claim | 1. A method comprising: at a network device connected with a network: receiving from a client device an authentication request including identity credentials and a temporary media access control (MAC) address of the client device; and in response to successfully authenticating the client device based on the identity credentials: selecting a new MAC address of the client device from among a plurality of available MAC addresses stored in a MAC address server in the network; sending the new MAC address to the client device in an address allocation frame; receiving a data frame; determining whether the client device is using the new MAC address based on the received data frame; and if it is determined that the client device is using the new MAC address: granting the client device access to the network; and generating a record including the new MAC address, a time at which the new MAC address was selected, the identity credentials, and a time at which the client device was successfully authenticated based on the identity credentials. 2. The method of claim 1, wherein the new MAC address is a local MAC address. 3. The method of claim 1, wherein the determining includes determining whether the client device is using the new MAC address within a predetermined time period after the sending; and further comprising: if it is determined that the client device is not using the new MAC address within the predetermined time period after the sending, preventing the client device from accessing the network. 4. The method of claim 1, further comprising integrity protecting the address allocation frame based on the new MAC address to produce an integrity protected address allocation frame, and wherein: the sending includes sending the integrity protected address allocation frame; the receiving includes receiving the data frame as an integrity protected data frame having a source MAC address that matches the new MAC address; and the determining includes: integrity checking the integrity protected data frame based on the new MAC address; and if the integrity checking is successful, determining that the client device is using the new MAC address. 5. The method of claim 1, further comprising encrypting and integrity protecting the address allocation frame based on the new MAC address to produce an encrypted, integrity protected address allocation frame, and wherein: the sending further includes sending the encrypted, integrity protected address allocation frame; the receiving further includes receiving the data frame as an encrypted, integrity protected data frame; and the determining further includes: decrypting and integrity checking the encrypted, integrity protected data frame based on the new MAC address; and if the decrypting is successful and the integrity checking is successful, determining that the client device is using the new MAC address. 6. The method of claim 1, further comprising encrypting the address allocation frame based on a session key associated with the new MAC address to produce an encrypted address allocation frame, and wherein: the sending includes sending the encrypted address allocation frame; the receiving includes receiving the data frame as an encrypted data frame; and the determining includes: decrypting the encrypted data frame based on the session key; and if the decrypting is successful, determining that the client device is using the new MAC address. 7. The method of claim 6, further comprising: receiving a master key from the authenticating; and deriving the session key from the master key, wherein the session key is matched to another session key in the client device. 8. An apparatus comprising: a network interface unit configured to communicate with a client device and a network; and a processor coupled to the network interface unit, and configured to: receive from the client device an authentication request including identity credentials and a temporary media access control (MAC) address of the client device; and in response to successfully authenticating the client device based on the identity credentials: select a new MAC address of the client device from among a plurality of available MAC addresses stored in a MAC address server in the network; send the new MAC address to the client device in an address allocation frame; receive a data frame; determine whether the client device is using the new MAC address based on the received data frame; and if it is determined that the client device is using the new MAC address: grant the client device access to the network; and generate a record including the new MAC address, a time at which the new MAC address was selected, the identity credentials, and a time at which the client device was successfully authenticated based on the identity credentials. 9. The apparatus of claim 8, wherein the new MAC address is a local MAC address. 10. The apparatus of claim 8, wherein the processor is further configured to: determine whether the client device is using the new MAC address within a predetermined time period after the sending; and if it is determined that the client device is not using the new MAC address within the predetermined time period after the sending, prevent the client device from accessing the network. 11. The apparatus of claim 8, wherein the processor is further configured to integrity protect the address allocation frame based on the new MAC address to produce an integrity protected address allocation frame, and wherein: the processor is configured to send by sending the integrity protected address allocation frame; the processor is configured to receive by receiving the data frame as an integrity protected data frame having a source MAC address that matches the new MAC address; and the processor is configured to determine by: integrity checking the integrity protected data frame based on the new MAC address; and if the integrity checking is successful, determining that the client device is using the new MAC address. 12. The apparatus of claim 8, wherein the processor is further configured to encrypt the address allocation frame based on a session key associated with the new MAC address to produce an encrypted address allocation frame, and wherein: the processor is configured to send by sending the encrypted address allocation frame; the processor is configured to receive by receiving the data frame as an encrypted data frame; and the processor is configured to determine by: decrypting the encrypted data frame based on the session key; and if the decrypting is successful, determining that the client device is using the new MAC address. 13. A tangible processor readable medium storing instructions that, when executed by a processor, cause the processor to: receive from a client device an authentication request including identity credentials and a temporary media access control (MAC) address of the client device; and in response to successfully authenticating the client device based on the identity credentials: select a new MAC address of the client device from among a plurality of available MAC addresses stored in a MAC address server in a network; send the new MAC address to the client device in an address allocation frame; receive a data frame; determine whether the client device is using the new MAC address based on the received data frame; and if it is determined that the client device is using the new MAC address: grant the client device access to the network; and generate a record including the new MAC address, a time at which the new MAC address was selected, the identity credentials, and a time at which the client device was successfully authenticated based on the identity credentials. 14. The processor readable medium of claim 13, further comprising instructions to cause the processor to integrity protect the address allocation frame based on the new MAC address to produce an integrity protected address allocation frame, and wherein: the instructions to cause the processor to send include instructions to cause the processor to send the integrity protected address allocation frame; the instructions to cause the processor to receive include instructions to cause the processor to receive the data frame as an integrity protected data frame having a source MAC address that matches the new MAC address; and the instructions to cause the processor to determine include instructions to cause the processor to determine by: integrity checking the integrity protected data frame based on the new MAC address; and if the integrity checking is successful, determining that the client device is using the new MAC address. 15. The processor readable medium of claim 13, further comprising instructions to cause the processor to encrypt the address allocation frame based on a session key associated with the new MAC address to produce an encrypted address allocation frame, and wherein: the instructions to cause the processor to send include instructions to cause the processor to send the encrypted address allocation frame; the instructions to cause the processor to receive include instructions to cause the processor to receive the data frame as an encrypted data frame; and the instructions to cause the processor to determine include instructions to cause the processor to determine by: decrypting the encrypted data frame based on the session key; and if the decrypting is successful, determining that the client device is using the new MAC address. 16. The processor readable medium of claim 15, further comprising instructions to cause the processor to: receive a master key from the authenticating; and derive the session key from the master key, wherein the session key is matched to another session key in the client device. 17. The processor readable medium of claim 13, wherein the new MAC address is a local MAC address. 18. The processor readable medium of claim 13, wherein the instructions to cause the processor to determine include instructions to cause the processor to determine whether the client device is using the new MAC address within a predetermined time period after sending the new MAC address to the client device, and further comprising instructions to cause the processor to: if it is determined that the client device is not using the new MAC address within the predetermined time period after sending the new MAC address to the client device, prevent the client device from accessing the network. 19. The method of claim 1, wherein the record further includes the temporary MAC address and a time at which the temporary MAC address was received. 20. The method of claim 1, wherein the record further includes a time at which the new MAC address becomes available for re-selection from among the plurality of available MAC addresses. 21. The method of claim 1, wherein the record further includes an indication of whether the client device is using the new MAC address, and a time at which the indication was made. |
| CPC Classification | TRANSMISSION OF DIGITAL INFORMATION; e.g. TELEGRAPHIC COMMUNICATION |
| Examiner | Dustin Nguyen |
| Extended Family | 069-099-560-792-349 009-772-444-845-280 086-543-780-946-279 001-680-436-012-845 |
| Patent ID | 10454887 |
| Inventor/Author | Weis, Brian Eliot; Jones, Peter Geoffrey |
| IPC | G06F15/173 H04L29/06 H04L29/12 |
| Status | Active |
| Owner | Cisco Technology Inc |
| Simple Family | 069-099-560-792-349 009-772-444-845-280 086-543-780-946-279 001-680-436-012-845 |
| CPC (with Group) | H04L63/061 H04L61/5038 H04L63/0428 H04L63/08 H04L63/123 H04L63/162 H04L2101/622 |
| Issuing Authority | United States Patent and Trademark Office (USPTO) |
| Kind | Patent/New European patent specification (amended specification after opposition procedure) |