Client forwarding policies for zero trust access for applications
US-2021336959-A1 · Oct 28, 2021 · US
US12407677B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12407677-B2 |
| Application number | US-202217977343-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 31, 2022 |
| Priority date | Oct 31, 2022 |
| Publication date | Sep 2, 2025 |
| Grant date | Sep 2, 2025 |
Abstract
Techniques for dynamically establishing, pausing, and/or terminating secure communication sessions. The techniques may include, detecting an occurrence of an authentication trigger event on a computing device and causing a user of the computing device to be authenticated for access to a resource that is to be accessed via a secure communication session. Based at least in part on authenticating the user for access to the resource, a token may be stored in a location that is accessible to a headend appliance associated with the secure communication session. The token may indicate that the user of the computing device is authenticated for access to the resource. In this way, at least partially responsive to detecting an occurrence of a networking trigger event, the secure communication session may be established between the computing device and the headend appliance to provide the computing device with access to the resource.
Claims (preview)
What is claimed is:
1. A method comprising: based at least in part on detecting an occurrence of an authentication trigger event on a computing device, causing a user of the computing device to be authenticated for access to a resource, the resource to be accessed via a secure communication session; based at least in part on authenticating the user for access to the resource, storing, in a location that is accessible to a headend appliance associated with the secure communication session, a token indicating that the user of the computing device is authenticated for access to the resource; based at least in part on detecting an occurrence of a networking trigger event, establishing, based at least in part on the token, the secure communication session between the computing device and the headend appliance to provide access to the resource; and based at least in part on determining a lapse in a flow of traffic over the secure communication session between the computing device and the resource, causing the secure communication session to enter a standby state such that the headend appliance is less constrained for a computing resource.
2. The method of claim 1, wherein the authentication trigger event is associated with the computing device being at least one of powered on or logged into.
3. The method of claim 1, wherein the authentication trigger event is associated with the computing device joining a specific network.
4. The method of claim 1, wherein the resource is an enterprise private resource and the authentication trigger event is associated with an attempt, by the computing device, to access the enterprise private resource or another enterprise private resource.
5. The method of claim 1, wherein the secure communication session is at least one of a tunneled communication session or a proxied communication session.
6. The method of claim 1, wherein the secure communication session is a tunneled communication session associated with at least one of a virtual private network (VPN) session or a zero-trust network access (ZTNA) session.
7. The method of claim 1, wherein the resource is an enterprise private resource and the networking trigger event is associated with a domain name system (DNS) query for the enterprise private resource.
8. The method of claim 1, wherein the resource is an enterprise private resource and the networking trigger event is associated with the computing device attempting to establish an internet protocol (IP) session with the enterprise private resource.
9. The method of claim 1, further comprising: while the secure communication session is in the standby state, detecting another occurrence of the networking trigger event; and based at least in part on detecting the other occurrence of a networking trigger event, causing a transition of the secure communication session from the standby state to a connected state to allow traffic to flow over the secure communication session.
10. A system comprising: one or more processors; and one or more non-transitory computer-readable media storing instructions that, when executed, cause the one or more processors to perform operations comprising: storing, in a location that is accessible to a headend appliance associated with a secure communication session established between a computing device and a resource, a token indicating that a user of the computing device has been authenticated to access to the resource; based at least in part on determining a lapse in a flow of traffic over the secure communication session, causing the secure communication session to enter a standby state such that the headend appliance is less constrained for a computing resource; while the secure communication session is in the standby state, determining an occurrence of a networking trigger event; and causing a transition of the secure communication session from the standby state to a connected state to allow traffic to flow over the secure communication session between the computing device and the resource.
11. The system of claim 10, the operations further comprising causing the user of the computing device to be authenticated for access to the resource based at least in part on detecting an occurrence of an authentication trigger event on the computing device, wherein storing the token is based at least in part on the user being authenticated.
12. The system of claim 11, wherein the authentication trigger event is associated with at least one of: the computing device being powered on; the user logging into the computing device; the computing device joining a specific network; or an attempt, by the computing device, to access the resource, wherein the resource is an enterprise private resource.
13. The system of claim 10, wherein the secure communication session is at least one of a proxied communication session or a tunneled communication session, the tunneled communication session comprising at least one of a virtual private network (VPN) session or a zero-trust network access (ZTNA) session.
14. The system of claim 10, wherein the resource is an enterprise private resource and the networking trigger event is associated with at least one of: a domain name system (DNS) query for the enterprise private resource; or the computing device attempting to establish an internet protocol (IP) session with the enterprise private resource.
15. One or more non-transitory computer readable media storing instructions that, when executed, cause one or more processors to perform operations comprising: detecting an occurrence of an authentication trigger event on a computing device; based at least in part on detecting the occurrence of the authentication trigger event, causing a user of the computing device to be authenticated for access to a resource, the resource to be accessed via a secure communication session; storing, in a location that is accessible to a headend appliance associated with the secure communication session, a token indicating that the user of the computing device has been authenticated for access to the resource; based at least in part on detecting an occurrence of a networking trigger event, establishing, based at least in part on the token, the secure communication session between the computing device and the headend appliance to provide access to the resource; determining a lapse in a flow of traffic over the secure communication session between the computing device and the resource; and based at least in part on determining the lapse in the flow of traffic, causing the secure communication session to enter a standby state such that the headend appliance is less constrained for a computing resource.
16. The one or more non-transitory computer-readable media of claim 15, wherein the secure communication session is at least one of a proxied communication session or a tunneled communication session, the tunneled communication session comprising at least one of a virtual private network (VPN) session or a zero-trust network access (ZTNA) session.
17. The one or more non-transitory computer-readable media of claim 15, wherein the authentication trigger event is associated with at least one of: the computing device being powered on; the user logging into the computing device; the computing device joining a specific network; or an attempt, by the computing device, to access the resource, wherein the resource is an enterprise private resource.
18. The one or more non-transitory computer-readable media of claim 15, wherein the resource is an enterprise private resource and the n
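The abstract and claims above describe one lifecycle: an authentication trigger (power-on, login, joining a network, an access attempt) causes the user to be authenticated and a token to be stored where the headend can read it; a networking trigger (a DNS query or IP session attempt for an enterprise private resource) then brings the session up on the strength of that token; a lapse in traffic moves it to standby; a further networking trigger brings it back to connected. The following client-side controller is an added illustration of that state machine, not code from the patent or any vendor product; the resource names, trigger names, token TTL and idle timeout are constructed assumptions, and `authenticate` stands in for whatever identity check the deployment actually uses. It also covers the failure paths the claims imply: a networking trigger with no valid token yields a request for authentication rather than a session, and traffic to non-enterprise destinations is left alone.

```python
from dataclasses import dataclass, field

# Constructed sample values; the patent names no specific resources, events or timeouts.
ENTERPRISE_RESOURCES = {"intranet.example.internal", "git.example.internal"}
AUTH_TRIGGERS = {"power_on", "login", "join_network", "access_attempt"}
NET_TRIGGERS = {"dns_query", "ip_session"}

@dataclass
class TokenStore:
    """Location readable by the headend: user -> (resource, expiry time)."""
    entries: dict = field(default_factory=dict)

    def put(self, user, resource, now, ttl=3600):
        self.entries[user] = (resource, now + ttl)

    def valid(self, user, resource, now):
        entry = self.entries.get(user)
        return entry is not None and entry[0] == resource and now < entry[1]

@dataclass
class SessionController:
    user: str
    store: TokenStore
    authenticate: object          # callable(user) -> bool; hypothetical IdP check
    idle_timeout: float = 300.0
    state: str = "disconnected"   # disconnected | connected | standby
    last_traffic: float = 0.0

    def on_auth_trigger(self, event, resource, now):
        """Authentication trigger: authenticate the user, then publish the token."""
        if event not in AUTH_TRIGGERS or not self.authenticate(self.user):
            return "not_authenticated"
        self.store.put(self.user, resource, now)
        return "token_stored"

    def on_networking_trigger(self, event, target, now):
        """Networking trigger: bring the session up (or out of standby) on the token."""
        if event not in NET_TRIGGERS or target not in ENTERPRISE_RESOURCES:
            return "bypass"          # not an enterprise private resource
        if not self.store.valid(self.user, target, now):
            return "auth_required"   # headend finds no usable token for this user
        self.state, self.last_traffic = "connected", now
        return "connected"

    def on_traffic(self, now):
        self.last_traffic = now

    def on_idle_check(self, now):
        """Lapse in traffic: park the session so the headend holds fewer resources."""
        if self.state == "connected" and now - self.last_traffic >= self.idle_timeout:
            self.state = "standby"
        return self.state
```

Timestamps are plain numbers so the sequence can be driven deterministically; a real agent would use a monotonic clock and a headend-side token lookup rather than an in-process dict.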
CPC classifications:
- Virtual private networks
- Using tickets, e.g. Kerberos (cryptographic mechanisms or cryptographic arrangements for entity authentication using tickets or tokens, H04L9/3213)
- Providing single-sign-on or federations
- Using passwords (cryptographic mechanisms or cryptographic arrangements for entity authentication using a predetermined code, H04L9/3226)