EP-4742629-A2 - NETWORK ACCESS CONTROL INTENT-BASED POLICY CONFIGURATION

Abstract

Techniques are described for configuration and application of intent-based network access control (NAC) policies for authentication and authorization of multi-tenant, network access server (NAS) devices to access enterprise networks of organizations. A network management system configures intent-based NAC policies for an organization. A cloud-based NAC system may apply an appropriate intent-based NAC policy in response to an authentication request from a NAS device. The NAC system identifies a vendor of the NAS device, matches incoming attributes in the authentication request to a set of normalized match rules of the intent-based NAC policy, and translates a set of abstracted policy results corresponding to the set of normalized match rules into a vendor-specific set of return attributes based on the vendor of the NAS device. The NAC system sends the vendor-specific set of return attributes to the NAS device to enable the NAS device to access the enterprise network of the organization.

Inventors

  • DEMENTYEV, VIACHESLAV
  • MANNAR, KESAVAN KAZHIYUR
  • CHEETHIRALA, MADHAVA RAO
  • MANTHIRAMOORTHY, NATARAJAN
  • TADIMETI, RAJA RAO

Assignees

  • Juniper Networks, Inc.

Dates

Publication Date
2026-05-13
Application Date
2022-12-08

Claims (13)

  1. A system comprising: memory; and one or more processors in communication with the memory and configured to: obtain one or more network access control (NAC) policies of an organization, wherein the one or more NAC policies are vendor-agnostic; receive, from a network access server (NAS) device, an authentication request for a network of the organization; determine a match between one or more incoming attributes included in the authentication request from the NAS device and one or more rules of the one or more NAC policies of the organization; produce one or more vendor-specific return attributes corresponding to a vendor of the NAS device based on one or more policy results corresponding to the one or more rules determined to match the one or more incoming attributes; and send the one or more vendor-specific return attributes to enable the NAS device to access the network of the organization.
  2. The system of claim 1, wherein the one or more rules of the one or more NAC policies comprise both authentication rules normalized to be vendor-agnostic and authorization rules normalized to be vendor-agnostic.
  3. The system of claim 1 or claim 2, wherein the one or more processors are configured to: identify a type of the NAS device based on the one or more incoming attributes included in the authentication request; and produce the one or more vendor-specific return attributes corresponding to the vendor of the NAS device and the type of the NAS device.
  4. The system of any preceding claim, wherein to determine the match between the one or more incoming attributes and the one or more rules of the one or more NAC policies, the one or more processors are configured to: produce one or more vendor-specific incoming attributes corresponding to the vendor of the NAS device based on the one or more rules of the one or more NAC policies of the organization; and determine the match between the one or more incoming attributes included in the authentication request from the NAS device and the one or more vendor-specific incoming attributes produced from the one or more rules of the one or more NAC policies.
  5. The system of any preceding claim, wherein the vendor of the NAS device comprises a first vendor, and wherein the one or more processors are configured to: receive, from a second NAS device of a second vendor, a second authentication request for the network of the organization; determine a match between one or more second incoming attributes included in the second authentication request from the second NAS device and the one or more rules of the one or more NAC policies of the organization; produce one or more second vendor-specific return attributes corresponding to the second vendor of the second NAS device based on the one or more policy results corresponding to the one or more rules determined to match the one or more second incoming attributes; and send the one or more second vendor-specific return attributes to enable the second NAS device to access the network of the organization.
  6. The system of any preceding claim, wherein the one or more processors are configured to identify the vendor of the NAS device based on the authentication request.
  7. The system of claim 6, wherein, to identify the vendor of the NAS device based on the authentication request, the one or more processors are configured to determine a match between one or more features of the authentication request received from the NAS device to a vendor signature of the vendor of the NAS device included in a vendor signature database, wherein the one or more features of the authentication request at least include the one or more incoming attributes included in the authentication request.
  8. The system of claim 7, wherein the one or more processors are configured to periodically obtain updated vendor signatures and store the updated vendor signatures in the vendor signature database.
  9. The system of any preceding claim, wherein the system comprises a NAC system in communication with a network management system (NMS) configured to manage a plurality of NAS devices, and wherein the plurality of NAS devices includes NAS devices of at least two different vendors.
  10. The system of claim 9, wherein to obtain the one or more NAC policies of the organization, the one or more processors are configured to obtain configuration information for the organization from the NMS in response to receipt of the authentication request for the network of the organization from the NAS device, wherein the configuration information for the organization includes the one or more NAC policies of the organization.
  11. The system of claim 9 or claim 10, wherein the one or more processors are configured to periodically obtain updates to the one or more NAC policies of the organization from the NMS.
  12. The system of any of claims 9 to 11, wherein the NMS is configured to: generate data representative of a user interface for display on a computing device of a network administrator of the network of the organization; and configure, based on data received from the computing device via the user interface, the one or more NAC policies of the organization.
  13. The system of claim 12, wherein to configure the one or more NAC policies of the organization, the NMS is further configured to: receive, from the computing device via the user interface, data indicative of selection of one or more labels representative of authentication rules of the organization, the authentication rules including authentication types and identity providers; receive, from the computing device via the user interface, data indicative of selection of one or more labels representative of authorization rules of the organization, the authorization rules including group names, virtual local area networks (VLANs), and roles; configure the one or more rules of the one or more NAC policies of the organization based on the selected one or more labels representative of the authentication rules of the organization and the group names from the authorization rules of the organization; and configure the one or more policy results of the one or more NAC policies of the organization based on the selected one or more labels representative of the VLANs and roles from the authorization rules of the organization.

Description

This application claims the benefit of U.S. Patent Application No. 17/937,208, filed 30 September 2022, which claims the benefit of U.S. Provisional Patent Application No. 63/366,382, filed 14 June 2022, the entire contents of which are incorporated herein by reference.

TECHNICAL FIELD

The disclosure relates generally to computer networks and, more specifically, to managing access to computer networks.

BACKGROUND

Commercial premises or sites, such as offices, hospitals, airports, stadiums, or retail outlets, often install complex wireless network systems, including a network of wireless access points (APs), throughout the premises to provide wireless network services to one or more wireless client devices (or simply, "clients"). APs are physical, electronic devices that enable other devices to wirelessly connect to a wired network using various wireless networking protocols and technologies, such as wireless local area networking protocols conforming to one or more of the IEEE 802.11 standards (i.e., "WiFi"), Bluetooth / Bluetooth Low Energy (BLE), mesh networking protocols such as ZigBee, or other wireless networking technologies. Many different types of wireless client devices, such as laptop computers, smartphones, tablets, wearable devices, appliances, and Internet of Things (IoT) devices, incorporate wireless communication technology and can be configured to connect to wireless access points when the device is in range of a compatible AP. In order to gain access to a wireless network, a wireless client device may first need to authenticate to the AP. Authentication may occur via a handshake exchange between the wireless client device, the AP, and an Authentication, Authorization, and Accounting (AAA) server controlling access at the AP.

SUMMARY

Particular embodiments are set out in the independent claims. Various optional examples are set out in the dependent claims.
In general, this disclosure describes one or more techniques for configuration and application of intent-based network access control (NAC) policies for authentication and authorization of multi-tenant, network access server (NAS) devices to access enterprise networks of organizations. In accordance with the disclosed techniques, a network management system (NMS), which provides a management plane for one or more cloud-based NAC systems and a plurality of NAS devices associated with one or more organizations, configures intent-based NAC policies for an organization based on user input indicative of network administrator intent. The NAC system providing NAC services for the organization may apply an appropriate intent-based NAC policy of the one or more intent-based NAC policies in response to receipt of an authentication request to access an enterprise network of the organization from a NAS device. The NAC system automatically identifies a vendor of the NAS device based on the authentication request, matches incoming attributes in the authentication request to a set of normalized match rules of the intent-based NAC policy, and translates a set of abstracted policy results corresponding to the set of normalized match rules in the intent-based NAC policy into a vendor-specific set of return attributes based on the vendor of the NAS device. The NAC system then sends the vendor-specific set of return attributes to the NAS device to enable the NAS device to access the enterprise network of the organization.

Traditionally, NAC authentication and authorization policy configuration is a very complex process that requires in-depth knowledge of a particular NAC product by a network administrator for the organization, as well as in-depth understanding of particular AAA protocols, e.g., RADIUS.
This complexity exponentially grows with every additional NAS vendor added to the enterprise network, as the network administrator needs to know exactly what type of attributes are used by the particular NAS vendor and device type. This complexity generally results in the network administrator creating unique policy rules and sets of return attributes for each and every NAS vendor and device type, making overall policy management operationally challenging. The techniques of this disclosure provide one or more technical advantages and practical applications. For example, the disclosed techniques enable creation of NAC policies based on network administrator intent (e.g., who can authenticate to the network, what kind of policies will be applied based on user or device identity and their state, etc.). An intent-based NAC policy comprises a set of normalized match rules with a corresponding set of abstracted policy results that are vendor-agnostic. In some examples, the set of normalized match rules of the intent-based NAC policy includes both authentication rules and authorization rules normalized to be vendor-agnostic. In this way, the disclosed techniques may merge or collapse multiple configuration phases, i.e., authentication policy configuration and authoriza
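The flow the summary and claims 6 to 8 and 13 describe (identify the NAS vendor from features of the request, match the incoming attributes against normalized authentication/authorization rules, translate the abstracted result into the return attributes that vendor's device understands) is sketched below as an added example. It is not Juniper's code and is not taken from the patent. The vendor signature table, the policy, the role-to-attribute mapping and the sample requests are all constructed for illustration; the IANA enterprise numbers and the RFC 3580 VLAN attributes are real, the Aruba-User-Role VSA is real, and the use of Filter-Id as a role carrier for the other two vendors is an assumption made for the example.

```python
"""Intent-based NAC evaluation: vendor-agnostic rules in, vendor-specific
RADIUS return attributes out. Added example, not the patent's or Juniper's code.
All signatures, policy rules, role mappings and requests are constructed."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed signature database (claims 7-8): key on the Vendor-Id of any
# Vendor-Specific Attribute (26) the NAS included in the Access-Request.
# The IANA enterprise numbers are real (Cisco 9, Juniper 2636, Aruba 14823);
# a product would also key on NAS-Identifier patterns and refresh the table.
VENDOR_SIGNATURES = {"cisco": {9}, "juniper": {2636}, "aruba": {14823}}


@dataclass(frozen=True)
class Rule:
    """One normalized match rule plus its abstracted result (claim 13):
    auth types, identity providers and group names are match criteria;
    VLAN and role are the vendor-agnostic policy result."""
    name: str
    auth_types: frozenset = frozenset()  # e.g. {"eap-tls"}; empty = any
    idps: frozenset = frozenset()        # identity providers; empty = any
    groups: frozenset = frozenset()      # group names; empty = any
    vlan: str | None = None
    role: str | None = None


def identify_vendor(request: dict) -> str | None:
    """Return the vendor whose signature matches the request, else None."""
    seen = set(request.get("vsa_vendor_ids", ()))
    for vendor, vendor_ids in VENDOR_SIGNATURES.items():
        if seen & vendor_ids:
            return vendor
    return None


def match_rule(policy: list, incoming: dict) -> Rule | None:
    """First rule whose non-empty criteria are all satisfied by the already
    normalized incoming attributes; None means nothing matched."""
    for rule in policy:
        if rule.auth_types and incoming.get("auth_type") not in rule.auth_types:
            continue
        if rule.idps and incoming.get("idp") not in rule.idps:
            continue
        if rule.groups and not (rule.groups & set(incoming.get("groups", ()))):
            continue
        return rule
    return None


def translate(rule: Rule, vendor: str) -> list:
    """Abstract result -> vendor-specific return attributes as (name, value)."""
    attrs = []
    if rule.vlan is not None:
        # VLAN assignment is standardized (RFC 3580) and needs no vendor branch.
        attrs += [("Tunnel-Type", "VLAN"), ("Tunnel-Medium-Type", "IEEE-802"),
                  ("Tunnel-Private-Group-Id", rule.vlan)]
    if rule.role is not None:
        # Roles have no standard carrier. Constructed mapping for the example:
        # Aruba has a dedicated VSA; the others are assumed to take a named
        # filter/ACL via the standard Filter-Id attribute.
        if vendor == "aruba":
            attrs.append(("Aruba-User-Role", rule.role))
        elif vendor in ("cisco", "juniper"):
            attrs.append(("Filter-Id", rule.role))
        else:
            raise ValueError(f"no role mapping for vendor {vendor!r}")
    return attrs


def evaluate(policy: list, request: dict) -> tuple:
    """Whole pipeline. Fails closed: an unknown vendor or an unmatched request
    yields Access-Reject rather than attributes the NAS would silently ignore."""
    vendor = identify_vendor(request)
    if vendor is None:
        return ("Access-Reject", [])
    rule = match_rule(policy, request["normalized"])
    if rule is None:
        return ("Access-Reject", [])
    try:
        return ("Access-Accept", translate(rule, vendor))
    except ValueError:
        return ("Access-Reject", [])


# Constructed policy: the intent is written once and applied to every vendor.
POLICY = [
    Rule("corp-eng", auth_types=frozenset({"eap-tls"}), idps=frozenset({"corp-idp"}),
         groups=frozenset({"engineering"}), vlan="200", role="engineer"),
    Rule("corp-guest", auth_types=frozenset({"peap"}), groups=frozenset({"guests"}),
         vlan="900", role="guest"),
]

# Constructed requests: the same normalized user context arriving through
# different vendors' NAS devices, plus two cases that must be rejected.
ENG = {"auth_type": "eap-tls", "idp": "corp-idp", "groups": ["engineering"]}
REQ_ARUBA = {"vsa_vendor_ids": [14823], "normalized": ENG}
REQ_CISCO = {"vsa_vendor_ids": [9], "normalized": ENG}
REQ_UNKNOWN = {"vsa_vendor_ids": [99999], "normalized": ENG}
REQ_NOMATCH = {"vsa_vendor_ids": [2636], "normalized":
               {"auth_type": "eap-tls", "idp": "corp-idp", "groups": ["sales"]}}

if __name__ == "__main__":
    for label, req in [("aruba", REQ_ARUBA), ("cisco", REQ_CISCO),
                       ("unknown", REQ_UNKNOWN), ("nomatch", REQ_NOMATCH)]:
        print(label, evaluate(POLICY, req))
```

Two points matter operationally. The NAS has already authenticated to the RADIUS server with the shared secret, so the attributes used for vendor identification come from a trusted peer, but a wrong or missing vendor mapping still produces return attributes the device ignores; the example therefore rejects rather than accepting with an incomplete attribute set. And because the VLAN result is carried in standard RFC 3580 attributes while the role needs a vendor branch, the per-vendor knowledge the description says administrators had to hold in their heads is confined to the translate step.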