Vendor agnostic captive portal authentication
US-2022070168-A1 · Mar 3, 2022 · US
US12401644B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12401644-B2 |
| Application number | US-202318453952-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 22, 2023 |
| Priority date | Aug 22, 2023 |
| Publication date | Aug 26, 2025 |
| Grant date | Aug 26, 2025 |
Abstract
This disclosure describes techniques for enforcing conditional access to network services. In an example method, a first computing device detects a second device operating in a per-flow authorization mode. The first device receives a first request from a second computing device to communicate with a third computing device using a first network flow and determines that the first flow is authorized (e.g., because of an active past authentication and/or the third device's authentication exemption). Data associated with the first request is transmitted to the third device. The first device then receives a second request to communicate with a fourth computing device using a second network flow and determines that the second flow is not authorized (e.g., because it is not associated with an active past authentication and/or the fourth device is not exempt from authentication). Data associated with the second request is not transmitted to the fourth device.
Claims (preview)
What is claimed is:

1. A method comprising: detecting, by a processor of a first computing device, that a second computing device is operating in a per-flow authorization mode; receiving, from the second computing device, a first request to communicate using a first network flow between the second computing device and a third computing device; determining that the first network flow is authorized, wherein determining that the first network flow is authorized comprises determining at least one of: (i) that the first network flow is associated with a past authentication that is active, or (ii) that the third computing device is exempt from an authentication requirement; based on determining that the first network flow is authorized, transmitting first data associated with the first request to the third computing device; receiving, from the second computing device, a second request to communicate using a second network flow between the second computing device and a fourth computing device; determining that the second network flow is unauthorized based on determining that the second network flow is independent of any active authentications and that the fourth computing device is subject to the authentication requirement; and based on determining that the first network flow is unauthorized, blocking transmission of second data associated with the second request to the fourth computing device.

2. The method of claim 1, wherein: determining that the second network flow is independent of any active authentications comprises determining that the second request comprises a first domain name system (DNS) query, wherein the first DNS query comprises a hostname that is associated with the fourth computing device, and blocking transmission of the second data comprises transmitting a first DNS response to the first computing device, wherein the first DNS response comprises a canonical name (CNAME) record associated with a first inauthentic hostname that is independent of the fourth computing device.

3. The method of claim 2, further comprising: receiving, from the second computing device, a second DNS query, wherein the second DNS query comprises the first inauthentic hostname; determining that the second network flow is still unauthorized; and based on determining that the second network flow is still unauthorized, transmitting a second DNS response to the second computing device, wherein the second DNS response comprises a second CNAME record associated with a second inauthentic hostname that is independent of the fourth computing device.

4. The method of claim 3, further comprising: receiving, from the second computing device, a third DNS query, wherein the third DNS query comprises the second inauthentic hostname; determining that the second network flow is still unauthorized and that a threshold time has passed since a time associated with the first DNS query; and based on determining that the second network flow is still unauthorized and that the threshold time has passed since the time associated with the first DNS query, redirecting the first computing device to a block page.

5. The method of claim 2, further comprising: receiving, from the second computing device, a second DNS query, wherein the second DNS query comprises the first inauthentic hostname; determining that the second network flow is authorized; and based on determining that the second network flow is authorized, determining that the second network flow is authorized, initiating resolution of the first DNS query.

6. The method of claim 1, wherein: determining that the second network flow is independent of any active authentications comprises determining that the second request comprises a Transmission Control Protocol (TCP) handshake request with the fourth computing device; and blocking transmission of the second data comprises: transmitting a handshake acknowledgement response to the first computing device, wherein the handshake acknowledgement response establishes a two-party TCP connection between the first computing device and the second computing device, and preventing establishment of a three-party TCP connection between the first computing device, the second computing device, and the fourth computing device.

7. The method of claim 6, wherein: receiving, from the second computing device, third data associated with the second network flow; determining that the second network flow is still unauthorized; and based on determining that the second network flow is still unauthorized, preventing transmission of the third data to the fourth computing device.

8. The method of claim 7, further comprising: receiving, from the second computing device, fourth data associated with the second network flow; determining that the second network flow is still unauthorized and that a threshold time has passed since a time associated with the TCP handshake request; and based on determining that the second network flow is still unauthorized and that the threshold time has passed since the time associated with the TCP handshake request, redirecting the first computing device to a block page.

9. The method of claim 6, further comprising: receiving, from the second computing device, third data associated with the second network flow; determining that the second network flow is authorized; and based on determining that the second network flow is authorized: establishing the three-party TCP connection, and transmitting the third data to the fourth computing device using the three-party TCP connection.

10. The method of claim 1, wherein: the second request comprises a user datagram protocol (UDP) packet; and blocking transmission of the second data comprises preventing transmission of the second data to the fourth computing device.

11. A system comprising: one or more processors; and one or more computer-readable media storing computer-executable instructions that, when executed by a processor of a first computing device, cause the processor to perform operations comprising: detecting that a second computing device is operating in a per-flow authorization mode; receiving, from the second computing device, a first request to communicate using a first network flow between the second computing device and a third computing device; determining that the first network flow is authorized, wherein determining that the first network flow is authorized comprises determining at least one of: (i) that the first network flow is associated with a past authentication that is active, or (ii) that the third computing device is exempt from an authentication requirement; based on determining that the first network flow is authorized, transmitting first data associated with the first request to the third computing device; receiving, from the second computing device, a second request to communicate using a second network flow between the second computing device and a fourth computing device; determining that the second network flow is unauthorized based on determining that the second network flow is independent of any active authentications and that the fourth computing device is subject to the authentication requirement; and based on determining that the first network flow is unauthorized, blocking transmission of second data associated with the second request to the fourth computing device.

12. The system of claim 11, wherein: determining that the second network flow is independent of any active authentications comprises determining that the second request comprises a first domain name system (DNS) query, wherein the first DNS query comprises a hostname that is associated with the f
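The following is an added simulation of the per-flow gate the claims describe, written for this page; it is not the patent's own code and no product implementing it is referenced. It models the "first computing device" as a gateway that applies the claim 1 predicate (active past authentication, or an exempt destination), holds unauthorized DNS flows with a chain of CNAME records to inauthentic hostnames (claims 2 to 5), redirects to a block page once a threshold time has elapsed (claim 4), and answers TCP handshakes locally or drops UDP while a flow is unauthorized (claims 6 to 10). The hostnames, the 30-second threshold, the block-page URL, the `Gateway` class and its method names, and the string return values are all constructed assumptions for illustration.

```python
"""Per-flow captive-portal gate, modelled on the claims above (added example)."""
from dataclasses import dataclass, field
from typing import Callable
import secrets
import time

HOLD_THRESHOLD_S = 30.0                        # assumed hold time before the block page
HOLD_DOMAIN = "hold.portal.example"            # constructed suffix for inauthentic hostnames
BLOCK_PAGE = "https://portal.example/blocked"  # constructed block-page URL


@dataclass
class Gateway:
    """The 'first computing device': decides, per flow, whether to forward."""
    now: Callable[[], float] = time.time        # injectable clock for testing
    exempt_hosts: set = field(default_factory=lambda: {"portal.example"})  # assumed exemption list
    active_auth: dict = field(default_factory=dict)    # client -> authentication expiry
    held: dict = field(default_factory=dict)           # (client, host) -> time of first DNS query
    alias_to_flow: dict = field(default_factory=dict)  # inauthentic hostname -> (client, host)

    def authenticate(self, client: str, ttl_s: float = 3600.0) -> None:
        """Record a successful portal login; the client's flows are authorized until expiry."""
        self.active_auth[client] = self.now() + ttl_s

    def is_authorized(self, client: str, dest_host: str) -> bool:
        """Claim 1 predicate: active past authentication, or the destination is exempt."""
        if dest_host in self.exempt_hosts:
            return True
        expiry = self.active_auth.get(client)
        return expiry is not None and expiry > self.now()

    def handle_dns(self, client: str, qname: str) -> dict:
        """Claims 2-5: CNAME-chain an unauthorized flow, block after the threshold,
        resolve the original name once the flow becomes authorized."""
        flow = self.alias_to_flow.get(qname)
        if flow is None or flow[0] != client:
            flow = (client, qname)               # a fresh query for the real hostname
        original = flow[1]
        if self.is_authorized(client, original):
            self._forget(flow)
            return {"action": "resolve", "name": original}
        first = self.held.setdefault(flow, self.now())
        if self.now() - first >= HOLD_THRESHOLD_S:
            self._forget(flow)
            return {"action": "block_page", "url": BLOCK_PAGE}
        # Inauthentic hostname independent of the destination; the client will re-query it.
        alias = f"{secrets.token_hex(4)}.{HOLD_DOMAIN}"
        self.alias_to_flow[alias] = flow
        return {"action": "cname", "name": qname, "cname": alias}

    def handle_transport(self, client: str, dest_host: str, proto: str, is_handshake: bool) -> str:
        """Claims 6-10: forward authorized flows; otherwise answer a TCP handshake
        locally (two-party connection only), hold later TCP data, and drop UDP."""
        if self.is_authorized(client, dest_host):
            return "forward"
        if proto == "tcp" and is_handshake:
            return "ack_locally"                 # no three-party connection is established
        if proto == "tcp":
            return "hold"
        return "drop"                            # UDP data is simply not transmitted

    def _forget(self, flow) -> None:
        """Drop the hold state and every alias that was handed out for this flow."""
        self.held.pop(flow, None)
        for alias in [a for a, f in self.alias_to_flow.items() if f == flow]:
            del self.alias_to_flow[alias]


def demo() -> list:
    """Walk one client through hold -> authenticate -> resolve using a fake clock."""
    clock = [1000.0]
    gw = Gateway(now=lambda: clock[0])
    out = [gw.handle_dns("client-a", "portal.example")["action"]]   # exempt destination
    r1 = gw.handle_dns("client-a", "news.example")                 # unauthorized: CNAME
    out.append(r1["action"])
    clock[0] += 5.0
    r2 = gw.handle_dns("client-a", r1["cname"])                    # alias re-queried: CNAME again
    out.append(r2["action"])
    out.append(gw.handle_transport("client-a", "news.example", "tcp", True))
    gw.authenticate("client-a")                                    # portal login succeeds
    out.append(gw.handle_dns("client-a", r2["cname"])["action"])   # original name now resolves
    out.append(gw.handle_transport("client-a", "news.example", "udp", False))
    return out


def demo_timeout() -> str:
    """A client that never authenticates is sent to the block page after the threshold."""
    clock = [0.0]
    gw = Gateway(now=lambda: clock[0])
    r = gw.handle_dns("client-b", "news.example")
    clock[0] += HOLD_THRESHOLD_S
    return gw.handle_dns("client-b", r["cname"])["action"]


if __name__ == "__main__":
    print(demo())
    print(demo_timeout())
```

The CNAME chain keeps the client's resolver busy without ever handing it the real address, so a login that completes mid-chain is honoured on the next query; the threshold bounds how long a non-authenticating client is held before being told explicitly why it is blocked.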
CPC classification titles:

- at the transport layer
- Filtering by information in the payload
- Filtering by address, protocol, port number or service, e.g. IP-address or URL
- using domain name system [DNS]
- using different networks or channels, e.g. using out of band channels (cryptographic mechanisms or cryptographic arrangements for key distribution involving distinctive intermediate devices or communication paths H04L9/0827; cryptographic mechanisms or cryptographic arrangements for authentication using a plurality of channels H04L9/3215)