NAC MAC spoofing detection

By comparing MAC address profiles in real time within the network management system, MAC spoofing attempts can be identified and processed, solving the problem of MAC spoofing detection in existing technologies and improving network security.

CN122394827APending Publication Date: 2026-07-14JUNIPER NETWORKS INC

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
JUNIPER NETWORKS INC
Filing Date
2026-01-12
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing technologies struggle to effectively detect anomalies in MAC address profiles associated with devices, particularly in identifying MAC spoofing, leading to increased cybersecurity risks.

Method used

By using a cloud-based Network Management System (NMS) and Network Access Control (NAC) system, and employing fingerprinting and anomaly detection modules, the system compares the MAC address profiles of client devices with historical and concurrent profiles in real time, detects anomalies, generates notifications, and identifies MAC spoofing attempts.

Benefits of technology

It enables real-time identification and processing of MAC spoofing, improving network security and reducing the risk of malicious device access.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394827A_ABST
    Figure CN122394827A_ABST
Patent Text Reader

Abstract

The present disclosure relates to NAC MAC spoofing detection. Disclosed are techniques for a computing system that compares media access control (MAC) address profiles associated with MAC addresses of devices to detect anomalies between the MAC address profiles. In one example, the computing system obtains a current profile of a MAC address associated with a device requesting access to a network at a location. The computing system compares one or more of the following to the current profile of the MAC address: a historical profile of the MAC address over time, and concurrent profiles of the MAC address at other locations. The computing system detects an anomaly between at least one of the historical profile and the concurrent profiles of the MAC address and the current profile of the MAC address. The computing system generates a notification identifying the anomaly.
Need to check novelty before this filing date? Find Prior Art

Description

[0001] Cross-references to related applications

[0002] This application claims the benefit of U.S. Patent Application No. 19 / 410,903, filed December 5, 2025, and U.S. Provisional Patent Application No. 63 / 744,568, filed January 13, 2025, the entire contents of which are incorporated herein by reference. Technical Field

[0003] This disclosure relates generally to computer networks, and more specifically to the management of access to computer networks. Background Technology

[0004] Commercial locations or sites (such as offices, hospitals, airports, stadiums, or retail stores) typically install complex wireless network systems (including networks of wireless access points (APs)) throughout the premises to provide wireless network services to one or more client devices (or simply "clients"). An AP is a physical electronic device that enables other devices to wirelessly connect to a wired network using various wireless network protocols and technologies, such as one or more wireless LAN protocols compliant with the IEEE 802.11 standard (i.e., "WiFi"), Bluetooth / Bluetooth Low Energy (BLE), mesh networking protocols such as ZigBee, or other wireless network technologies.

[0005] Many different types of client devices—such as laptops, smartphones, tablets, wearables, appliances, and Internet of Things (IoT) devices—combine wireless communication technologies and can be configured to connect to a wireless access point when the device is within range of a compatible access point (AP). To access the wireless network, client devices may first need to authenticate with the AP. Authentication can occur via a handshake exchange between the client device, the AP, and the Authentication, Authorization, and Accounting (AAA) server used to control access at the AP. In enterprise networks, client devices can authenticate network access via Network Admission Control (PNAC) or Media Access Control Authentication Bypass (MAB) based on IEEE 802.1X ports. Summary of the Invention

[0006] Typically, this disclosure describes one or more techniques for detecting anomalies between the current profile of a Media Access Control (MAC) address associated with a device and a known profile of the MAC address, and determining whether the anomaly indicates MAC spoofing. Cloud-based Network Management Systems (NMS) and / or cloud-based Network Admission Control (NAC) systems can authenticate and authorize client devices to access networks, such as branch or campus enterprise networks. NAC systems can identify client devices and provide appropriate authorization or access policies to them based on their identity, for example, by assigning the client device to a Virtual Local Area Network (VLAN), applying certain Access Control Lists (ACLs), or directing the client device to certain registration portals. As part of the authentication and authorization process, the NMS compares the current MAC address profile with historical and / or concurrent MAC address profiles to detect anomalies that could indicate MAC spoofing.

[0007] The techniques disclosed herein provide one or more technical advantages and practical applications. For example, these techniques can provide anomaly detection between a current MAC address profile associated with a MAC address and a known MAC address profile of the same MAC address. Furthermore, these techniques can determine whether anomalies between MAC address profiles indicate MAC spoofing or a legitimate change to the MAC address profile. Using multiple data sources to fingerprint or profile client devices enables the system to identify MAC spoofing attempts that would be difficult to detect without diverse data sources. In some examples, the system can obtain fingerprint information from multiple data sources in real time, thereby enabling real-time identification of MAC spoofing attempts.

[0008] In the example, a system includes a memory and processing circuitry, the processing circuitry communicating with the memory and configured to: obtain a current profile of a Media Access Control (MAC) address associated with a device requesting access to a network at a location; compare one or more of the following with the current profile of the MAC address: a historical profile of the MAC address over time, and concurrent profiles of the MAC address at other locations; detect an anomaly between at least one of the historical and concurrent profiles of the MAC address and the current profile of the MAC address; and generate a notification identifying the anomaly.

[0009] In another example, a method includes: obtaining, by a computing system, a current profile of a Media Access Control (MAC) address associated with a device requesting access to a network at a location; comparing, by the computing system, one or more of the following with the current profile of the MAC address: a historical profile of the MAC address over time, and concurrent profiles of the MAC address at other locations; detecting, by the computing system, an anomaly between at least one of the historical and concurrent profiles of the MAC address and the current profile of the MAC address; and generating, by the computing system, a notification identifying the anomaly.

[0010] In yet another example, the non-transitory computer-readable medium includes instructions that, when executed, cause processing circuitry to perform the following operations: obtain a current profile of a media access control (MAC) address associated with a device requesting access to a network at a location; compare one or more of the following with the current profile of the MAC address: a historical profile of the MAC address over time, and concurrent profiles of the MAC address at other locations; detect an anomaly between at least one of the historical and concurrent profiles of the MAC address and the current profile of the MAC address; and generate a notification identifying the anomaly.

[0011] Details of one or more examples of the technology disclosed herein are illustrated in the following figures and description. Other features, objects, and advantages of these technologies will be apparent from the specification, figures, and claims. Attached Figure Description

[0012] Figure 1A This is a block diagram of an example network system including a network management system and a network access control system according to one or more technologies of this disclosure.

[0013] Figure 1B It is shown Figure 1A A block diagram showing further details of another example of a network system.

[0014] Figure 2 This is a block diagram of an example network access control system based on one or more technologies of this disclosure.

[0015] Figure 3 This is a block diagram of an example network management system based on one or more technologies disclosed herein.

[0016] Figure 4 This is a block diagram of an example access point device based on one or more technologies according to this disclosure.

[0017] Figure 5 This is a block diagram of an example edge device based on one or more technologies according to this disclosure.

[0018] Figure 6 This is a conceptual diagram illustrating example operations of fingerprint recognition and anomaly detection according to the technology disclosed herein.

[0019] Figure 7 This is a flowchart illustrating example operations for detecting anomalies according to one or more techniques of this disclosure. Detailed Implementation

[0020] Figure 1A This is a block diagram of an example network system 100 including a Network Admission Control (NAC) system 180A-180K and a Network Management System (NMS) 130, based on one or more technologies disclosed herein. The example network system 100 includes multiple sites 102A-102N, at which a network service provider manages one or more wireless networks 106A-106N, respectively. Although in Figure 1A In this document, each site 102A-102N is shown as comprising a single wireless network 106A-106N, but in some examples, each site 102A-102N may include multiple wireless networks, and this disclosure is not limited in this respect.

[0021] Each site 102A-102N includes multiple Network Access Server (NAS) devices 108A-108N, such as Access Points (APs) 142, switches 146, and routers 147. NAS devices can include any network infrastructure devices capable of authenticating and authorizing client devices to access the enterprise network. For example, site 102A includes NAS devices 108A, such as multiple APs 142A-1 to 142A-M, switches 146A, and routers 147A. Similarly, site 102N includes NAS devices 108N, such as multiple APs 142N-1 to 142N-M, switches 146N, and routers 147N. Each AP 142 can be any type of wireless access point, including but not limited to commercial or enterprise APs, routers, or any other device connected to a wired network and capable of providing wireless network access to client devices within the site. In some examples, each of APs 142A-1 through 142A-M at site 102A may be connected to one or both of switch 146A and router 147A. Similarly, each of APs 142N-1 through 142N-M at site 102N may be connected to one or both of switch 146N and router 147N.

[0022] Each site 102A to 102N also includes multiple client devices (also known as User Equipment (UE)) representing various wired and / or wireless-enabled devices within each site, typically referred to as UE or client device 148. For example, multiple UEs 148A-1 to 148A-N are currently located at site 102A. Similarly, multiple UEs 148N-1 to 148N-M are currently located at site 102N. Each UE 148 can be any type of wireless client device, including but not limited to mobile devices such as smartphones, tablets or laptops, personal digital assistants (PDAs), wireless terminals, smartwatches, smart rings, or other wearable devices. UE 148 may also include wired client-side devices, such as Internet of Things (IoT) devices, such as printers, projectors, security devices, environmental sensors, or any other device connected to a wired network and configured to communicate over one or more wireless networks 106.

[0023] To provide wireless network services to UE 148 and / or communicate via wireless network 106, AP 142 and other wired client-side devices at site 102 are directly or indirectly connected to one or more network devices (e.g., switches, routers, gateways, etc.) via physical cables (e.g., Ethernet cables). Although in Figure 1A The illustration appears to show each site 102 comprising a single switch and a single router; however, in other examples, each site 102 may include more or fewer switches and / or routers. Furthermore, two or more switches at a site may be interconnected with each other and / or connected to two or more routers, for example, via a mesh or partial mesh topology in a center-radial architecture. In some examples, interconnected switches 146 and routers 147 comprise a wired local area network (LAN) hosting wireless network 106 at site 102.

[0024] Example network system 100 also includes various network components for providing network services within a wired network. As an example, these network components include an NAC system 180 that includes or provides access to an authentication, authorization, and accounting (AAA) server for authenticating users and / or UE 148; a Dynamic Host Configuration Protocol (DHCP) server 116 for dynamically assigning network addresses (e.g., IP addresses) to UE 148 during authentication; a Domain Name System (DNS) server 122 for resolving domain names to network addresses; multiple servers 128A-128X (collectively referred to as "Server 128") (e.g., web server, database server, file server, etc.); and an NMS 130. Figure 1A As shown, various devices and systems of network 100 are coupled together via one or more networks 134 (e.g., the Internet and / or corporate intranets).

[0025] exist Figure 1A In the example, NMS 130 is a cloud-based computing platform for managing wireless networks 106A-106N at one or more sites 102A-102N. As further described herein, NMS 130 provides management tools and implements an integrated suite of various technologies disclosed herein. Typically, NMS 130 can provide a cloud-based platform for wireless network data acquisition, monitoring, activity logging, reporting, predictive analytics, network anomaly identification, and alarm generation. In some examples, NMS 130 outputs notifications (such as alarms, warnings, graphical indicators on dashboards, log messages, text / SMS messages, email messages, etc.) and / or suggestions regarding wireless network issues to site or network administrators (“administrators”) who interact with and / or operate administrator device 111. Furthermore, in some examples, NMS 130 operates in response to configuration input received from administrators who interact with and / or operate administrator device 111.

[0026] The administrator and administrator device 111 may include IT personnel and administrator computing devices associated with one or more sites 102. The administrator device 111 may be implemented as any suitable device for presenting output and / or accepting user input. For example, the administrator device 111 may include a display. The administrator device 111 may be a computing system, such as a mobile or non-mobile computing device operated by a user and / or an administrator. The administrator device 111 may, for example, represent a workstation, laptop or notebook computer, desktop computer, tablet computer, or any other computing device that can be operated by a user and / or present a user interface according to one or more aspects of this disclosure. The administrator device 111 may be physically separate from and / or located at a different location from the NMS 130, such that the administrator device 111 can communicate with the NMS 130 via network 134 or other communication methods.

[0027] In some examples, one or more NAS devices (e.g., AP 142, switch 146, or router) may be connected to edge devices 150A-150N via physical cables (e.g., Ethernet cables). Edge device 150 includes a cloud-managed wireless local area network (LAN) controller. Each edge device 150 may include a locally deployed device at site 102 that communicates with NMS 130 to extend certain microservices from NMS 130 to the locally deployed NAS device, while using NMS 130 and its distributed software architecture for scalable and resilient operation, management, troubleshooting, and analysis.

[0028] Each network device in network system 100 (e.g., NAC system 180, servers 116, 122 and / or 128, AP 142, switch 146, router 147, UE 148, edge device 150, and any other server or device attached to or forming part of network system 100) may include a system log or error log module, wherein each of these network devices records the status of the network device, including normal operation status and error status. Throughout this disclosure, one or more network devices in network system 100 (e.g., servers 116, 122 and / or 128, AP 142, switch 146, router 147, and UE 148) may be considered “third-party” network devices when owned and / or associated with an entity different from NMS 130, such that NMS 130 does not directly receive, collect, or otherwise access the status and other data recorded by the third-party network devices. In some examples, edge device 150 can provide a proxy through which the status and other data recorded by third-party network devices can be reported to NMS 130.

[0029] exist Figure 1A In the example, each NAC system 180 includes a cloud-based network access control service at multiple geographically distributed points of presence. Typically, network access control functionality is provided by locally deployed devices limited by processing power, memory, and maintenance and upgrade issues. Providing a cloud-based network access control service avoids these limitations and improves network management. However, centralized cloud-based deployments of network access control introduce latency- and fault-related problems that can prevent client devices from accessing the network.

[0030] According to the disclosed technology, NAC system 180 provides multiple points of presence or NAC clouds across several geographic regions. NMS 130 is configured to manage NAC configurations, including access policies for the enterprise network, and push appropriate NAC configuration data or files to the corresponding NAC systems 180A-180K. In this way, NAC system 180 provides the same benefits as centralized cloud-based network access control services, while offering lower latency and higher availability.

[0031] NAC system 180 provides a method for authenticating client devices 148 to access wireless network 106 (such as a branch or campus enterprise network). NAC system 180 may each include or provide access to authentication, authorization, and accounting (AAA) servers (e.g., RADIUS servers) to authenticate client devices 148 before providing access to the enterprise network via NAS device 108. In some examples, NAC system 180 may enable certificate-based authentication for client devices or enable interaction with a cloud directory service to authenticate client devices.

[0032] NAC system 180 can identify client device 148 and provide appropriate authorization or access policies to client device 148 based on the client device's identity, such as by assigning the client device to certain Virtual Local Area Networks (VLANs), applying certain Access Control Lists (ACLs), or directing the client device to certain registration portals. NAC system 180 can identify client device 148 by analyzing the client device's network behavior, a process known as fingerprinting. Identification of client devices and / or NAS devices can be performed based on Media Access Control (MAC) addresses, DHCP options used to request IP addresses, Link Layer Discovery Protocol (LLDP) packets, Hypertext Transfer Protocol (HTTP) user agent information, location information, DNS information, and / or device type and operating system information.

[0033] Client devices 148 may include multiple different categories of devices for a given enterprise, such as trusted enterprise devices, Bring Your Own Device (BYOD) devices, IoT devices, and customer devices. The NAC system 180 can be configured to subject each of these different categories of devices to different types of tracking, different types of authorization, and different levels of access privileges. In some examples, after a client device gains access to the enterprise network, the NAC system 180 can monitor the client device's activity to identify security issues and, in response, reassign the client device to an isolated VLAN or another VLAN with lower privileges to restrict the client device's access.

[0034] The NMS 130 is configured to operate based on an AI / machine learning-based computing platform that provides full automation, insight, and assurance (WiFi assurance, wired assurance, and WAN assurance) across from “clients” (e.g., client devices 148 connected to wireless networks 106 and wired local area networks (LANs) at site 102) to “cloud” (e.g., cloud-based application services that can be hosted by computing resources within a data center).

[0035] As described herein, the NMS 130 provides an integrated suite of management tools and implements various technologies disclosed herein. Typically, the NMS 130 can provide a cloud-based platform for wireless network data acquisition, monitoring, activity logging, reporting, predictive analytics, network anomaly identification, and alarm generation. For example, the NMS 130 can be configured to proactively monitor and adaptively configure network 100 to provide self-driving capabilities.

[0036] In some examples, the AI-driven NMS 130 also provides configuration management, monitoring, and automated supervision of a software-defined wide area network (SD-WAN) that operates as an intermediary network communicatively coupling wireless network 106 and wired LAN at site 102 to data centers and application services. Typically, SD-WAN provides seamless, secure, and traffic-engineered connectivity between “radiating” routers (e.g., router 147) hosting wireless network 106 (such as branch or campus enterprise networks) and a “central” router further up the cloud stack toward cloud-based application services. SD-WAN typically runs on and manages the overlay network on the underlying physical wide area network (WAN), which provides connectivity for geographically separated customer networks. In other words, SD-WAN extends software-defined networking (SDN) capabilities to the WAN and allows the network to decouple the underlying physical network infrastructure from virtualized network infrastructure and applications, enabling flexible and scalable network configuration and management.

[0037] In some examples, the AI-driven NMS 130 can enable intent-based configuration and management of network system 100, including the construction, presentation, and execution of intent-driven workflows for configuring and managing devices associated with wireless network 106, wired LAN network, and / or SD-WAN. For example, declarative requirements express the desired configuration of network components without specifying precise native device configurations and control flows. By utilizing declarative requirements, what should be done is specified, rather than how it should be done. Declarative requirements can contrast with necessary instructions that describe the exact device configuration syntax and control flow required to implement the configuration. By utilizing declarative requirements instead of imperative instructions, users and / or user systems alleviate the burden of determining the exact device configurations needed to achieve the user / system's desired results. For example, when utilizing various types of devices from different vendors, specifying and managing the exact necessary instructions for configuring each device in the network is often difficult and cumbersome. The types and kinds of devices in the network can change dynamically as new devices are added and devices fail. Managing various types of devices from different vendors with different configuration protocols, syntaxes, and software versions to configure a cohesive device network is often challenging. Thus, the management and configuration of network devices become more efficient by requiring only the user / system to specify declarative requirements (which specify the expected results applicable across various types of devices). Further examples of details and techniques of intent-based network management systems are described in the following patents: U.S. Patent No. 10,756,983 entitled "Intent-based Analytics" and U.S. Patent No. 10,992,543 entitled "Automatically generating anintent-based network model of an existing computer network," the entire contents of which are incorporated herein by reference.

[0038] NMS 130 can function as part of management network system 100 to coordinate authentication for client devices 148 and / or 149. NMS 130 can provide NAC system 180 with information about client device 148 and network access policies for its use. NAC system 180 can use this information and / or network access policies to process authentication requests and determine whether to authorize connection to one or more networks 160.

[0039] As an example, NAC system 180A may receive a request for access to networks 106, 134 (referred to herein as a "network access request" or "network admission request") from client device 148A-1 via at least one of NAS devices 108 (e.g., AP 142, switch 146A, router 147A). NAC system 180A may authenticate client device 148A-1 and initially apply a default or "full capture" authorization to provide limited network access to client device 148A-1, while NMS 130 performs fingerprinting or configuration of client device 148A-1. The generated fingerprint or profile may be stored and indexed using the MAC address associated with client device 148A-1 for later use by NMS 130 and / or NAC system 180. In another example, NAC system 180A receives a network access request from client device 149, where client device 149 has previously been connected to networks 106, 134. The NAC system 180A determines that the client device 149 is a known device based on a stored profile of the MAC address associated with the client device 149, and grants a connection to the networks 106 and 134 based on the authorization previously granted to the MAC address associated with the client device 149.

[0040] As described above, fingerprint identification information may include information specifying the network behavior and location information of the client device associated with the network access request. If client device 148A-1 is a new client device requesting access to networks 106 and 134 (e.g., the MAC address of client device 148A-1 is not recognized), then fingerprint identification module 156 may store the fingerprint identification information of client device 148A-1 mapped to the MAC address of client device 148A-1 in a database. The information stored in fingerprint information storage 158 may represent the fingerprint identification information of an authorized client device.

[0041] NMS 130 can provide fingerprint identification information from fingerprint information storage 158 to NAC system 180. NMS 130 can periodically, in response to requests from NAC system 180, and / or based on other factors, provide fingerprint identification information to one or more NAC systems 180. NMS 130 can provide or "push" fingerprint identification information from fingerprint information storage 158 to NAC system 180 for use in authenticating devices on network 106. In the example, NAC system 180A receives an authentication request from client device 149. NAC system 180A generates a request for fingerprint identification information associated with client device 149 and provides this request to NMS 130. NMS 130 receives the request and provides the fingerprint identification information associated with client device 149 to NAC system 180A. NAC system 180A uses this fingerprint identification information to determine whether to grant network connectivity to client device 149.

[0042] NAC system 180 can use fingerprint information stored by NAC system 180 to dynamically re-authenticate client devices requesting network access. NAC system 180 can use the stored fingerprint information to determine the client device's authentication policy (e.g., an authentication policy that grants relatively greater access rights / connectivity compared to the initial authentication policy). For example, after client device 149 initially authenticates using the default authentication policy, NAC system 180 can use a MAC address profile associated with the MAC address of client device 149 to determine an updated authentication policy for client device 149.

[0043] Typically, client devices in an enterprise network authenticate network access via Network Admission Control (PNAC) based on IEEE 802.1X ports. For example, an 802.1X-enabled client device can provide a certificate (e.g., username / password or digital certificate) to an authenticator (e.g., a switch or access point), which encapsulates the message and forwards it to an authentication server. However, many devices (e.g., IoT devices, headless devices, etc.) can use MAC Authentication Bypass (MAB). MAB uses port-based access control by using the client device's MAC address, and MAB can be less secure than 802.1X. For example, the use of MAB can increase the risk of malicious MAC spoofing.

[0044] According to the technology described in this disclosure, NMS 130 compares MAC address profiles associated with the MAC address of a device to detect anomalies between profiles. NMS 130 may use a fingerprinting module 156 configured to obtain a current MAC address profile associated with the MAC address of a client device and compare the current MAC address profile with known MAC address profiles associated with the MAC address of the client device. NMS 130 may compare known MAC address profiles (including historical and / or concurrent MAC address profiles) with the current MAC address profile associated with the client device to detect anomalies between MAC address profiles (e.g., MAC address profiles associated with the same MAC address). Fingerprinting module 156 may generate a notification identifying the anomaly between MAC address profiles based on the detected anomaly. By consistently fingerprinting known client devices and comparing new or current profiles with other profiles of the same MAC address associated with that known client device, the disclosed technology enables the detection of changes or anomalies in the profiles of known MAC addresses and also determines whether the detected changes or anomalies indicate MAC spoofing. In some scenarios, the disclosed techniques enable real-time identification of MAC spoofing and remediation of malicious devices (e.g., access removal and / or isolation). Although described within the context of NMS 130, NAC system 180 can provide similar anomaly detection capabilities between MAC address profiles as NMS 130. For example, NAC system 180 can generate MAC address profiles and detect anomalies between them.

[0045] The fingerprinting module 156 obtains a current profile of the MAC addresses associated with devices requesting access to networks 106 and 134 at a location. The fingerprinting module 156 may obtain a current profile of the MAC addresses associated with devices requesting access to networks 106 and 134 (referred to throughout as the "current MAC address profile"), wherein the current MAC address profile includes information about one or more attributes and / or other information associated with the MAC address and / or the device. The fingerprinting module 156 may obtain information from one or more sources, such as a DHCP server 116, the device itself, neighboring devices (e.g., network neighbors), and / or other information sources. In the example, the fingerprinting module 156 receives an indication that client device 149 has requested access to networks 106 and 134. The fingerprinting module 156 obtains a current profile of MAC addresses, including information associated with the device's MAC address and the device itself.

[0046] As part of obtaining the current MAC address profile of a device, fingerprinting module 156 can generate or construct a MAC address profile using data attributes obtained from one or more sources. Fingerprinting module 156 can obtain data attributes containing information associated with the device's MAC address, such as OS version, device type, subnet to which the device is connected, and / or other information from sources such as those described above (e.g., DHCP server 116). NAC system 180 can provide information to NMS 130 for fingerprinting module 156 to use when constructing the MAC address profile. In some examples, fingerprinting module 156 can use data attributes from multiple sources within network system 100 to construct a merged MAC address profile. Fingerprinting module 156 can aggregate data attributes associated with MAC addresses and construct the current MAC address profile. In an example, fingerprinting module 156 obtains data attributes associated with the MAC address of a client device, containing information about whether the device is a printer and the printer's OS version. Fingerprinting module 156 aggregates these data attributes and constructs a MAC address profile associated with the printer's MAC address, and this MAC address profile contains the aggregated data attributes. In some examples, one or more NAC systems 180 can build MAC address profiles independently of and / or in conjunction with NMS 130.

[0047] The fingerprint recognition module 156 can maintain historical MAC address profiles in the fingerprint information storage 158. The fingerprint recognition module 156 can store the current MAC address profile in the fingerprint information storage 158 for later use as a historical MAC address profile. In some examples, the fingerprint recognition module 156 can store the MAC address profile as a historical MAC address profile when obtaining and / or constructing the MAC address profile. For example, the fingerprint recognition module 156 can generate a MAC address profile for a device within site 102A and store the MAC address profile for later use as a historical MAC address profile. The fingerprint recognition module 156 can store the current MAC address profile as a historical MAC address profile after authenticating an associated device, after the associated device is disconnected from networks 106, 134, and / or in response to other events. In the example, the fingerprint recognition module 156 obtains the current MAC address profile associated with client device 149. The fingerprint recognition module 156 uses the current MAC address profile to authenticate client device 149 and stores the current MAC address profile in the fingerprint information storage 158 for later use as a historical MAC address profile.

[0048] The fingerprint recognition module 156 can obtain concurrent MAC address profiles of devices connected to and / or requesting access to networks 106, 134. The fingerprint recognition module 156 can obtain concurrent MAC address profiles as MAC address profiles associated with other instances of devices connected to and / or connected to networks 106, 134. In the example, the fingerprint recognition module 156 obtains the current MAC address profile of client device 149. The fingerprint recognition module 156 determines that the fingerprint storage of the NAC system 180A includes concurrent MAC address profiles associated with the same MAC address as client device 149, and retrieves the concurrent MAC address profiles. The fingerprint recognition module 156 can obtain concurrent MAC address profiles based on determining that the same device and / or devices with the same MAC address are simultaneously attempting to connect to or connect to networks 106, 134 (e.g., the same device connecting to networks 106, 134 at different sites 102, the same device connecting to different subnets within the same site, etc.). In the example, fingerprint recognition module 156 receives an authentication request from a first device located at site 102A and obtains the current MAC address profile of that first device. Fingerprint recognition module 156 determines that a second device located at site 102N, associated with the same MAC address as the first device, is also requesting authentication. Fingerprint recognition module 156 obtains a concurrent MAC address profile at site 102N to determine whether to authenticate the first device.

[0049] Anomaly module 166 can compare the current MAC address profile of the MAC address associated with the device with one or more known MAC address profiles (e.g., historical, concurrent) of the same MAC address. Anomaly module 166 can be a software component of NMS 130, configured to detect anomalies between MAC address profiles associated with the device's MAC address. Anomaly module 166 can compare at least one of historical and concurrent MAC address profiles with the current MAC address profile to identify anomalies between MAC address profiles, such as the same MAC address connected at multiple physical locations and / or using different subnets within a single location; a device associated with the MAC address previously profiled as one type of device and then profiled as a different type (e.g., a "printer" attempting to reconnect to networks 106, 134 is profiled as a "Linux workstation"); a device behaving in a manner inconsistent with its device type (e.g., a network camera sending network links); and / or other anomalies. For example, the anomaly module 166 can compare the current profile of the MAC address associated with UE 148A-1 at site 102A with the concurrent profile of the MAC address associated with UE 148A-M to identify anomalies. In some examples, the anomaly module 166 can determine that the existence of concurrent MAC address profiles is itself an anomaly (e.g., a client device should not have MAC address profiles from multiple physical locations).

[0050] As part of anomaly identification, fingerprinting module 156 can obtain MAC address profiles of devices within a device group (or alternatively, a "cluster"). Fingerprinting module 156 can obtain MAC address profiles (e.g., current profiles and / or known profiles) of devices identified as the same type and / or otherwise grouped together within a device group. Fingerprinting module 156 can associate the MAC address profiles of devices included in the device group to identify anomalies between devices within the group and determine whether the anomaly was caused by a legitimate change. For example, fingerprinting module 156 can generate a device cluster that includes devices of the same type or other categories and is associated with the MAC address profiles of devices in the cluster.

[0051] Anomaly module 166 can observe changes in the behavior of a group of devices using MAC address profiles associated with an individual device or subgroup of devices. Anomaly module 166 can determine changes in the MAC address profiles exhibited by the device group, such as certain types of changes in the MAC address profiles, and the behavior of individual devices / subgroups of devices. Anomaly module 166 can observe changes in MAC address profiles over time and / or in real time to detect anomalies in the MAC address profiles of devices within the device group.

[0052] Anomaly module 166 can compare changes to the MAC address profile associated with an individual device with changes to the profile exhibited by other devices. In some examples, anomaly module 166 can compare a device subgroup with a device group or device cluster. Anomaly module 166 can compare changes to the MAC address profile to detect differences in behavior within devices indicated by changes to the MAC address profile. In an example, anomaly module 166 compares changes to the MAC address profile associated with UE 148A-1 with changes to the MAC address profile associated with devices in a device group that includes UE 148A-1. Anomaly module 166 can determine one or more differences or deviations between changes to the MAC address profile of an individual device and / or a device subgroup and changes to the MAC address profile associated with other devices in the device group.

[0053] Anomaly module 166 can identify differences in MAC address profile changes among devices within a group. Based on these differences, anomaly module 166 can determine whether an anomaly associated with a MAC address profile change is legitimate or indicates a problem, such as MAC spoofing. Anomaly module 166 can use the comparison results of MAC address profiles to filter legitimate MAC address profile changes. For example, anomaly module 166 can determine that a MAC address profile change exhibited by a given device is also exhibited by most other devices in the group that include the given device, and that the exhibited change is unlikely to indicate MAC address spoofing (e.g., the change is more likely caused by a legitimate software update performed by a device in the group).

[0054] In some examples, the anomaly module 166 compares changes to the device's MAC address profile with those of other devices in the same device group, either in real-time or near real-time. The anomaly module 166 can obtain data regarding changes to the device's MAC address profile (e.g., newly generated MAC address profiles, changes to known MAC address profiles, etc.) and compares these changes with the MAC address profiles of other devices in the same group. In one example, the anomaly module 166 determines that the MAC address profile associated with UE 148A-1 has changed. The anomaly module 166 compares the MAC address profile of UE 148A-1 with the MAC address profiles of other devices in the same device group.

[0055] Anomaly module 166 can determine whether an anomaly indicates MAC spoofing. Anomaly module 166 can determine whether an anomaly indicates MAC spoofing based on one or more factors, such as whether a given device is connected to networks 106, 134 at multiple sites in site 102; whether the device exhibits behavior different from that of a group of devices; and / or other factors. For example, anomaly module 166 can determine that an anomaly associated with a device indicates MAC spoofing rather than for any other reason than an anomaly (e.g., a legitimate software update or other change to the device). For example, anomaly module 166 can determine the number of other devices of the same type as the given device that also experienced the anomaly exhibited by the given device. Based on the fact that the number of other devices does not meet a threshold (e.g., a predetermined threshold), anomaly module 166 can determine that the anomaly indicates MAC spoofing.

[0056] Anomaly module 166 can generate notifications that identify anomalies between MAC address profiles. Anomaly module 166 can determine whether to generate a notification and / or avoid generating one based on whether the anomaly indicates MAC spoofing. For example, anomaly module 166 can determine that a given anomaly does not indicate MAC spoofing and avoid generating a notification about that anomaly. Anomaly module 166 can generate notifications containing information about the device and associated anomalies, such as the device's MAC address, other identifiers of the device, a description of the anomaly, a timestamp of when the anomaly occurred, details of the anomaly, contextual information associated with the detection of the anomaly, evidence supporting that the anomaly indicates MAC spoofing, and / or other information. NMS 130 can provide notifications to one or more recipients of site 102 (such as administrators, e.g., administrator device 111). In some examples, anomaly module 166 can cause NMS 130 to provide notifications to one or more NAC systems 180 to cause NAC systems 180 to perform actions against devices suspected of MAC spoofing (e.g., blocking network access).

[0057] NMS 130 can push updates to fingerprint information stored by NAC system 180 to enable NAC system 180 to take one or more policy actions against the device. For example, NMS 130 can push updates to the MAC address profile to policy manager 144 of NAC system 180 to take enforcement action. NAC system 180 includes policy manager 144, which may be a software component of NAC system 180, and is configured to enforce authorization policies among other functions. Policy manager 144 can enforce one or more changes to the authorization level associated with the device based on notifications or instructions received from NMS 130. In the example, NAC system 180A receives an instruction from NMS 130 that UE 148A-1 will be isolated outside the network. Policy manager 144 applies the authorization policy to the fingerprint information, revokes the current authorization for UE 148A-1, and moves UE 148A-1 to an isolation area.

[0058] Although described in the context of NMS 130, one or more components in network system 100 may implement fingerprint recognition module 156 and / or other modules. NMS 130, NAC system 180 and / or other components may implement some or all of the techniques disclosed herein. For example, one or more NAC systems 180 may execute fingerprint recognition module 156 and / or anomaly module 166.

[0059] The techniques disclosed herein can provide one or more technical and practical advantages. In examples, these techniques can achieve anomaly detection using a current MAC address profile and a known MAC address profile for the same MAC address. In another example, the use of a device's MAC address profile enables an NMS to distinguish between legitimate changes to a device and MAC spoofing attempts. In yet another example, comparing MAC address profiles between devices within a device group also allows an NMS to differentiate between legitimate changes to the MAC address profile associated with a device's MAC address (e.g., software updates) and MAC spoofing within the device group. Furthermore, the use of different data sources enables an NMS to detect MAC spoofing in real time with relatively high accuracy, allowing the NAC system to take appropriate authentication actions.

[0060] Figure 1B It is shown Figure 1A A block diagram showing further details of another example of a network system. In this example, Figure 1B The logical connections 178A-178N, 182A-182N, and 184A-184K between the NAS device 108, NAC system 180, and NMS 130 at site 102 are shown. Furthermore, Figure 1BThe NMS 130 is shown. The NMS 130 is configured to operate based on an AI-based computing platform to provide configuration and management of one or more of the NAC system 180 and NAS device 108 at site 102 via logical connections.

[0061] In operation, NMS 130 observes, collects, and / or receives network data 137, which may take the form of data extracted from messages, counters, and statistics, such as data extracted from one or more of the AP 142, switch 146, router 147, edge device 150, NAC system 180, and / or other nodes within network 134. NMS 130 provides a management plane for network 100, including enterprise-specific configuration information 139 for one or more of the NAS devices 108 at management site 102 and NAC system 180. Each of the one or more NAS devices 108 and each of the NAC system 180 may have a secure connection to NMS 130, such as a WebSocket or another secure tunnel. Each of the NAS devices 108 and NAC system 180 can download the appropriate enterprise-specific configuration information 139 from NMS 130 and enforce that configuration. In some scenarios, one or more of the NAS devices 108 may be third-party devices or otherwise not support establishing a secure connection directly with the NMS 130. In these scenarios, the edge device 150 can provide a proxy, through which the NAS devices 108 can connect to the NMS 130.

[0062] In one specific implementation, the computing device is part of NMS 130. In other implementations, NMS 130 may include one or more computing devices, dedicated servers, virtual machines, containers, services, or other forms of environments for performing the techniques described herein. Similarly, computing resources and components implementing VNA 133 may be part of NMS 130, may run on other servers or execution environments, or may be distributed across nodes within network 134 (e.g., routers, switches, controllers, gateways, etc.).

[0063] In some examples, NMS 130 monitors network data 137 received from each site 102A-102N (e.g., one or more Service Level Expectations (SLE) metrics) and manages network resources (such as one or more of AP 142, switch 146, router 147, and edge device 150 at each site) to deliver a high-quality wireless experience to end users, IoT devices, and clients at the sites. In other examples, NMS 130 monitors network data 137 received from NAC system 180 and manages enterprise-specific configuration information 139 of NAC system 180 to implement unconstrained network access control services with low latency and high availability for client devices 148 at site 102.

[0064] like Figure 1B As shown, NMS 130 may include a Virtual Network Assistant (VNA) 133, which implements an event processing platform to provide real-time insights into IT operations and simplify troubleshooting, and automatically takes corrective actions or provides recommendations to proactively resolve network problems. VNA 133 may, for example, include an event processing platform configured to handle concurrent streams of network data 137 from sensors and / or agents associated with AP 142, switch 146, router 147, edge device 150, NAC system 180, and / or other nodes within network 134. For example, VNA 133 of NMS 130 may include a low-level analytics and network error detection engine and alerting system according to various examples described herein. The low-level analytics engine of VNA 133 can apply historical data and models to inbound event streams to calculate assertions, such as the predicted occurrence of identified anomalies or events constituting network error conditions. In addition, VNA 133 can provide real-time alerts and reports to notify site or network administrators of any predicted events, anomalies, or trends via administrator device 111, and can perform root cause analysis and automatic or assisted error remediation. In some examples, the VNA 133 of NMS 130 can apply machine learning techniques to identify the root causes of error conditions detected or predicted from the flow of network data 137. If the root cause can be resolved automatically, VNA 133 can invoke one or more corrective actions to correct the root cause of the error condition, thereby automatically improving underlying SLE metrics and also automatically improving the user experience.

[0065] Further examples of the operation implemented by the VNA 133 of the NMS 130 are described in the following patents: U.S. Patent No. 9,832,082, published November 28, 2017, entitled "Monitoring Wireless AccessPoint Events"; U.S. Publication No. US 2021 / 0306201, published September 30, 2021, entitled "Network System Fault Resolution Using a Machine Learning Model"; U.S. Patent No. 10,985,969, published April 20, 2021, entitled "Systems and Methods for a Virtual Network Assistant"; and U.S. Patent No. 10,985,969, published March 23, 2021, entitled "Methods and Apparatus for Facilitating Fault Detection and / or Predictive Fault Detection". The entire contents of all of these patents are incorporated herein by reference: U.S. Patent No. 10,958,585 entitled “Fault Detection”, U.S. Patent No. 10,958,537 entitled “Method for Spatio-Temporal Modeling”, published on March 23, 2021; and U.S. Patent No. 10,862,742 entitled “Method for Conveying AP Error Codes Over BLE Advertisements”, published on December 8, 2020.

[0066] In addition, such as Figure 1BAs shown, NMS 130 may include NAC controller 138 implementing a NAC configuration platform that provides a user interface for creating and assigning access policies to client devices 148 of the enterprise network 106 and providing appropriate enterprise-specific configuration information 139 to the respective NAC systems 180A-180K. NMS 130 may have secure connections 184A-184K with each of the NAC systems 180A-180K, such as WebSocket or another secure tunnel. Through secure connection 184, NAC controller 138 can receive network data 137, such as NAC event data, from each NAC system 180, and each NAC system 180 can download appropriate configuration information 139 from NMS 130. In some examples, NAC controller 138 may log or map which enterprise networks are served by which NAC systems 180. Furthermore, NAC controller 138 may monitor NAC systems 180 to identify failures in the primary NAC system and manage failover to a backup NAC system.

[0067] NAC system 180 provides network access control services for one or more NAS devices 108 at site 102 in the control plane. In operation, NAC system 180 authenticates client devices 148 to access wireless network 106 and can perform fingerprinting to identify client devices 148 and apply authorization or access policies to client devices 148 based on their identity. NAC system 180 includes multiple geographically distributed locations. For example, NAC system 180A may include a first cloud-based system located in a first geographical region (e.g., eastern United States), NAC system 180B (not shown) may include a second cloud-based system located in a second geographical region (e.g., western United States), and NAC system 180K may include a k-th cloud-based system located in a k-th geographical region (e.g., China).

[0068] Deploying multiple NAC clouds across several geographic regions enables the provision of network access control services with lower latency and higher availability to nearby NAS devices, while avoiding the processing limitations and maintenance issues experienced by locally deployed NAC devices. For example, NAS device 108A within enterprise network site 102A can connect to the physically nearest NAC system (e.g., NAC system 180A) to experience lower latency network access control services. In some examples, the physically nearest NAC system 180 may include the primary NAC system, and in the event of a primary NAC system failure, the NAS device can also connect to the next nearest NAC system 180 as a backup NAC system. For example, NAS device 108A within enterprise network site 102A can connect to both NAC system 180A and NAC system 108B (not shown) to experience high availability network access control services.

[0069] exist Figure 1B In the example shown, each NAS device 108 has a secure connection, directly or indirectly, to at least one NAC system 180. For example, each AP 142A within site 102A has a direct secure connection 182A to NAC system 180A, such as a RadSec (RADIUS over Transport Layer Security (TLS)) tunnel or another encrypted tunnel. Each of the switches 146A and routers 147A within site 102A is indirectly connected to NAC system 180A via edge device 150A. In this example, switches 146A and routers 147A may not support establishing a direct secure connection to NAC system 180A, and edge device 150A can provide a proxy through which switches 146A and routers 147A can connect to NAC system 180A. For example, each of switch 146A and router 147A has a direct connection 178A to edge device 150A, such as WebSocket, RADIUS, or other secure tunnels, and edge device 150A has a direct secure connection 182A to NAC system 180A. Similarly, for site 102N, each NAS device 108N is indirectly connected to NAC system 180K via edge device 150N. In this example, AP 142N, switch 146N, and router 147N may not support establishing a direct secure connection to NAC system 180K, and edge device 150N can provide a proxy through which NAS device 108N can connect to NAC system 180K. For example, each of AP 142N, switch 146N, and router 147N has a direct connection 178N to edge device 150N, such as WebSocket, RADIUS, or other secure tunnels, and edge device 150N has a direct secure connection 182N to NAC system 180K.

[0070] Through a secure connection 182, NAC system 180 can receive network access requests from client device 148 via NAS device 108 (and in some cases edge device 150) at a nearby site 102. In response to the network access request, NAC system 180 uses an AAA server to authenticate the requesting client device. NAC system 180 can perform fingerprinting to identify the authenticated client device, such as one or more aspects of the techniques described in this disclosure. NAC system 180 then enforces an appropriate access policy on the identity of the authenticated client device based on enterprise-specific configuration information 139 downloaded from NMS 130. According to one specific implementation, a computing device is part of each NAC system 180. According to other implementations, each of NAC systems 180A-180K may include one or more computing devices, dedicated servers, virtual machines, containers, services, or other forms of environment for performing the techniques described herein.

[0071] According to the technology described in this disclosure, NMS 130 can provide anomaly detection for improved network security of wired and / or wireless devices using MAB authentication. For example, NMS 130 may include a fingerprinting module 156 and an anomaly module 166, wherein the fingerprinting module 156 is configured to obtain a MAC address profile of the device, and the anomaly module 166 is configured to detect anomalies between MAC address profiles. The anomaly module 166 can compare MAC address profiles to detect anomalies, wherein at least some anomalies may indicate MAC spoofing. NAC system 180 can use the anomaly detection of NMS 130 to manage device authentication and take appropriate action in response to the detection of MAC spoofing.

[0072] For example, when a new device (e.g., client device 148 or NAS device 108) initially requests network access, the device sends a network access request to NAC system 180A to authenticate the device. For example, client device 148A-1 may send a network access request to an access point (if client device 148A-1 is wireless) or switch 146A (if client device 148A-1 is wired to switch 146A), and then the access point or switch 146A forwards the network access request to NAC system 180A to authenticate client device 148A-1.

[0073] In response to a received network access request, NAC system 180A can determine whether the device is a new device requesting network access (e.g., the MAC address specified in the network access request does not match the MAC address stored in NAC system 180A), and can obtain the client device's fingerprint information (such as a current MAC address profile), and store the client device's MAC address profile mapped to the client device's MAC address. In some examples, as part of processing an authentication request, NAC system 180A can request fingerprint information from NMS 130. NMS 130 can then provide the fingerprint information to NAC system 108A in response to this request.

[0074] The fingerprint recognition module 156 of the NMS 130 can obtain fingerprint recognition information from the device. The fingerprint recognition module 156 can obtain fingerprint recognition information via the NAC system 180 (e.g., via an agent executed on the device) and / or directly from other devices (e.g., such as...). Figure 1A The DHCP server 116 and / or DNS server 112 shown obtain information including one or more data attributes. In some examples, the fingerprinting module 156 may obtain data for generating a MAC address profile associated with the device's MAC address in response to a request received from the NAC system 180 (e.g., requested by the NAC system 180 as part of an authorized device).

[0075] In some examples, client device 148 can implement DHCP and send DHCP packets specifying one or more DHCP options that define the network services of the client device (e.g., such as in one or more Type-Length-Value (TLV) fields of the DHCP packet). As an example, client device 148A-1 can include DHCP option information in DHCP packets sent to DHCP server 116 on a path that includes at least one NAS device 108A capable of listening for DHCP packets. In this example, in response to receiving an initial network access request from client device 148A-1 to access the network, fingerprinting module 156 of NAC system 180A can obtain the DHCP option information sent by client device 148A-1 (e.g., receive a copy of the DHCP packet). Fingerprinting module 156 can obtain DHCP option information from one of the NAS devices 108A located on the path where the DHCP request was sent by client device 148A-1. This NAS device 108A can listen for DHCP requests to collect DHCP option information. Fingerprinting module 156 can store the DHCP option information mapped to the MAC address of client device 148A-1 as a MAC address profile in fingerprint information storage 158. Additional examples of DHCP options are described in the following literature: S. Alexander, “DHCP Options and BOOTP Vendor Extensions”, Network Working Group, Request for Comment 2132, March 1997, the entire contents of which are incorporated herein by application.

[0076] In some examples, client device 148 can implement LLDP and send Link Layer Discovery Protocol (LLDP) packets specifying the client device's capabilities, identity, and other information. The information specified in the LLDP packets may include system name and description, port name and description, VLAN name and identifier, IP network management address, device capabilities, MAC address and physical layer information, power information, and / or link aggregation information. As an example, client device 148A-1 can include LLDP information in LLDP packets sent to NAS device 108. In this example, in response to receiving an initial network access request from client device 148A-1, fingerprinting module 156 can obtain the LLDP information sent by client device 148A-1 (e.g., receive a copy of the LLDP packets). For example, fingerprinting module 156 can obtain LLDP information from the NAS device that received the LLDP packets sent by client device 148A-1. Fingerprinting module 156 can store LLDP information mapped to the MAC address of client device 148A-1 in fingerprint information storage 158. Additional examples of LLDP are described in the following document: "IEEE Standard for Local Area Networks and Metropolitan Area Networks - Station and Media Access Control Connectivity Discovery", IEEE 802.1AB-2005, May 6, 2005, the entire contents of which are incorporated herein by reference.

[0077] In some examples, client device 148 can implement Cisco. TM The discovery protocol (CDP) is used to send CDP packets containing the capabilities, identity, and other information of the specified device. The information specified in the CDP packets may include the hardware platform, hardware capabilities, the client device's Layer 3 address (IP address), the interface that generated the CDP packets, port ID, device type, client device name, and other client device information. As an example, client device 148A-1 may include CDP information in CDP packets sent to NAS device 108. In this example, in response to receiving an initial network access request from client device 148A-1, fingerprinting module 156 may obtain the CDP information sent by AP device 142A-1 (e.g., receive a copy of the CDP packets). Fingerprinting module 156 may store the CDP information mapped to the MAC address of AP device 142A-1 in fingerprint information storage 158 for inclusion in the MAC address configuration file.

[0078] In some examples, client device 148 can implement HTTP and can send HTTP packets with HTTP headers (referred to as "HTTP User Agent") used to identify the client device and its capabilities. As an example, client device 148A-1 can include HTTP User Agent information in HTTP packets sent to one or more NAS devices 108. In this example, in response to receiving an initial network access request from client device 148A-1 to access the network, fingerprinting module 156 can obtain the HTTP User Agent information sent by client device 148A-1 (e.g., receive a copy of the HTTP packet) and extract the HTTP User Agent information from the HTTP packet. In some examples, fingerprinting module 156 can obtain the HTTP User Agent information from one or more NAS devices 108. Fingerprinting module 156 can store the HTTP User Agent information mapped to the MAC address of client device 148A-1 in fingerprint information storage 158. Additional examples of HTTP user agents are described in the following literature: "Hypertext Transfer Protocol (HTTP / 1.1): Semantics and Content," edited by R. Fielding, Internet Engineering Task Force (IETF), Request for Comment 7231, June 2014, the entire contents of which are incorporated herein by reference.

[0079] In some examples, the fingerprinting module 156 can obtain location information associated with a device. In some examples, the location information can differ for client devices physically connected to a switch (referred to herein as "wired client devices") and client devices wirelessly connected to an access point (referred to herein as "wireless client devices"). For example, suppose client device 148A-1 has a physical connection to switch 146A (e.g., an Ethernet cable) and is therefore a "wired client device." In this example, the fingerprinting module 156 can, in response to receiving an initial network access request from client device 148A-1 to access the network, obtain location information from switch 146A specifying the port to which client device 148A-1 is connected. In this example, the fingerprinting module 156 can store the location information (e.g., port) mapped to the MAC address of client device 148A-1 in fingerprint information storage 158 for constructing a MAC address profile associated with the MAC address of client device 148A-1.

[0080] As another example, suppose client device 148A-N has a wireless connection to one or more of APs 142A-1 to AP 142A-M, and is therefore a "wireless client device". In this example, fingerprinting module 156 may, in response to receiving an initial network access request from client device 148A-1 to access the network, obtain location information (e.g., coordinates) of a specified geographic location of client device 148A-N from one or more of APs 142A-1 to AP 142A-M. The coordinates of client device 148A-N may be determined based on triangulation of Received Signal Strength Indication (RSSI) values ​​detected by one or more of APs 142A-1 to AP 142A-M, which detect wireless signals from client device 148A-N. In some examples, fingerprinting module 156 may obtain the geographic location of client device 148A-N determined from NMS 130. The fingerprint recognition module 156 can store location information (e.g., geographic location) of the MAC address mapped to the client device 148A-N in the fingerprint information storage 158.

[0081] In some examples, the fingerprinting module 156 can proactively obtain fingerprinting information for constructing a MAC address profile. For instance, the fingerprinting module 156 can perform a network mapper (NMAP) scan to identify used and / or unused ports of a network device, thereby identifying client devices connected to the network.

[0082] As described separately below, NAC system 180 can use information pushed from fingerprint information storage 158 to authenticate client devices requesting network access. NMS 130 can push information from fingerprint information storage 158 to enable NAC system 180 to authenticate devices. For example, client device 149 of unauthorized user 151 might spoof the MAC address of client device 148A-1 or a NAS device 108A and send a network access request to gain access to the network. NAC system 180A can receive the network access request from client device 149 with the same MAC address as client device 148A-1. In this example, NMS 130 can determine that client device 149 is not a new device (e.g., has an identified MAC address) based on a comparison of the current MAC address profile with historical MAC address profiles, and in response, determine whether the MAC address profile is abnormal in a manner indicating MAC spoofing. Based on the detection of an anomaly indicating MAC spoofing, NMS 130 can push the merged MAC address profile to NAC system 180A so that policy manager 144 can enforce appropriate policy actions (e.g., revoke access to client device 149 and / or isolate client device 149).

[0083] The fingerprint recognition module 156 can perform a lookup of known MAC address profiles (e.g., concurrent and / or historical MAC address profiles) associated with the device's MAC address. The fingerprint recognition module 156 can search the fingerprint information storage 158 to find MAC address profiles associated with the device. For example, the fingerprint recognition module 156 can use a MAC address search to determine whether the fingerprint information storage includes a known MAC address profile associated with that MAC address.

[0084] The anomaly module 166 can compare a known MAC address profile with the current MAC address profile of client device 149 and determine whether an anomaly exists between the current MAC address profile of client device 149 and the known MAC address profile of client device 148A-1 stored in fingerprint information storage 158. In some examples, the anomaly module 166 can determine whether the DHCP option information of client device 149 matches the DHCP option information of client device 148A-1. Alternatively or additionally, the anomaly module 166 can determine whether the LLDP information of client device 149 matches the LLDP information of client device 148A-1. Alternatively or additionally, the anomaly module 166 can determine whether the CDP information of client device 149 matches the CDP information of client device 148A-1. Alternatively or additionally, the anomaly module 166 can determine whether the HTTP user agent information of client device 149 matches the HTTP user agent information of client device 148A-1. Alternatively or additionally, the anomaly module 166 may determine whether any anomalies exist between the location information of client device 149 and the location information of client device 148A-1. For example, if client device 148A-1 is a wired client device, the anomaly module 166 may determine whether the port identifier of client device 149 differs from the port identifier of client device 148A-1. As another example, if client device 148A-1 is a wireless client device, the anomaly module 166 may determine whether the geographic location of client device 149 differs from the geographic location of client device 148A-1, or differs from the expected geographic location of client device 148A-1 based on its mobility pattern. For example, NMS 130 may include an artificial intelligence (AI) engine to analyze the location information to identify the mobility pattern of the wireless client device. The anomaly module 166 may use the mobility pattern to determine whether the geographic location of the client device is expected.

[0085] Anomaly module 166 determines whether an anomaly exists between the current MAC address profile and a known MAC address profile. Anomaly module 166 may consider location information between MAC address profiles when determining whether an anomaly exists. Anomaly module 166 may identify one or more types of anomalies between MAC address profiles, such as information about mismatches between MAC address profiles. Additionally or alternatively, anomaly module 166 may determine that the existence of concurrent MAC address profiles associated with a device's MAC address indicates MAC spoofing (e.g., two devices with the same MAC address simultaneously connecting at two different physical locations).

[0086] The exception module 166 can detect anomalies between the current MAC address profile and concurrent MAC address profiles, wherein the concurrent MAC address profiles are associated with the same MAC address but located at a different device location than the current MAC address profile. In the example, the exception module 166 detects anomalies between the current MAC address profile of client device 149 and the concurrent MAC address profile associated with client device 148A-1, wherein client device 148A-1 is associated with the same MAC address as client device 149.

[0087] NMS 130 can provide NAC system 180 with indications of detected anomalies. For example, NMS 130 can push fingerprint information to NAC system 180, where the fingerprint information contains indications of anomalies associated with MAC addresses. Based on the detected anomalies between MAC address profiles, policy manager 144 of NAC system 180 executes an access policy specifying whether to allow or deny client device 149 access to the network. Policy manager 144 executes the access policy and denies access to client device 149. Policy manager 144 can execute an access policy to deny client device 149 access based on MAC spoofing indications determined by NMS 130 associated with the MAC address of client device 149. In some examples, an administrator can configure one or more access policies and associated policy allocation criteria. For example, an administrator can configure an access policy to deny client device 149 access to the network in response to determining that any information in DHCP option information, LLDP information, CDP information, and / or HTTP user agent information deviates from the concurrent or historical MAC address profiles of client devices stored in fingerprint information storage 158 and indicating MAC spoofing. Alternatively, administrators can configure access policies to restrict client device access by isolating them to a segregated VLAN or another VLAN with lower privileges, in response to any deviation in concurrent or historical MAC addresses determined in DHCP option information, LLDP information, CDP information, and / or HTTP user agent information that indicates MAC spoofing. The NMS 130 can avoid sending notifications based on whether the anomaly has been determined to be legitimate. For example, the NMS 130 can avoid sending notifications to the NAC system 180 or changing authentication based on whether the anomaly has been determined to be legitimate.

[0088] In some examples, policy manager 144 may generate and send a notification to an administrator based on the implemented access policy. For example, if policy manager 144 implements an access policy to deny or isolate client device access to the network (e.g., based on determining an anomaly indicating MAC spoofing associated with the client device's MAC address profile), policy manager 144 may generate and send a notification. In some examples, the notification may include an indication of the severity level of the unauthorized client device's attempt to access the network. Although discussed in the context of NMS 130, one or more NAC systems 180 may perform the techniques of this disclosure. Further example details regarding fingerprinting of client devices are described in U.S. Patent Publication No. 2024 / 0179168, published May 30, 2024, entitled "Network Access Anomaly Detection and Mitigation," the contents of which are incorporated herein by reference in their entirety.

[0089] Figure 2 This is a block diagram of an example network admission control (NAC) system 280 according to one or more technologies of this disclosure. The NAC system 280 can be used to implement, for example... Figure 1A , Figure 1B Any of the NAC systems 180. In such an example, NAC system 280 is responsible for authenticating and authorizing one or more client devices 148 to access the wireless network 106 at a subset of nearby sites 102A-102N.

[0090] NAC system 280 includes a communication interface 230, one or more processors 206, a user interface, memory 212, and a database 218. The components are coupled together via a bus 214, through which they can exchange data and information. In some examples, NAC system 280... Figure 1A , Figure 1B NAS devices 108 (and in some cases edge devices 150) located at a subset of nearby sites 102 receive network access requests from one or more client devices 148. In response to the network access request, NAC system 280 authenticates the requesting client device. In some examples, NAC system 280 authenticates the client device based on the data received from... Figure 1A , Figure 1B The enterprise-specific configuration information 217 downloaded by NMS 130 enforces appropriate access policies on the authenticated client devices. In some examples, NAC system 280 may be... Figure 1A , Figure 1B This refers to a portion of another server or any other server shown in the diagram.

[0091] Processor 206 executes software instructions, such as software instructions for defining software or computer programs, which are stored in a computer-readable storage medium (such as memory 212). The computer-readable storage medium is a non-transitory computer-readable medium, such as including storage devices (e.g., disk drives or optical drives) or memories (such as flash memory or RAM) or any other type of volatile or non-volatile memory, which stores instructions to cause one or more processors 206 to perform the techniques described herein.

[0092] Communication interface 230 may include, for example, an Ethernet interface. Communication interface 230 couples NAC system 280 to a network and / or the Internet, such as... Figure 1A This refers to any network 134 and / or any local area network shown. Communication interface 230 includes receiver 232 and transmitter 234. NAC system 280 receives data from AP 142, switch 146, router 147, edge device 150, NMS 130, or servers 116, 122, 128, and / or forms networks such as... Figure 1A , Figure 1B Any other network node, device, or any other entity in the network system 100 shown may receive data and information or send data and information to such entity via transmitter 234.

[0093] The data and information received by the NAC system 280 may include, for example, configuration information 217 associated with one or more sites 102 downloaded from the NMS 130. Configuration information 217 may include enterprise-specific NAC configuration information, including access policies and associated policy allocation criteria. For example, configuration information 217 may define certain Virtual Local Area Networks (VLANs), Access Control Lists (ACLs), registration portals, etc., associated with certain categories of client devices. Configuration information 217 may also define different types of tracking, different types of authorization, and / or different levels of access permissions for each of the different categories of client devices. Furthermore, the data and information received by the NAC system 280 may include identification information of client devices 148 from the NAS device 108, which is used by the NAC system 280 to perform end-user device fingerprinting to enforce the access policies defined in policy information 267. Database 218 may include DHCP options for requesting IP addresses, information specified in LLDP packets, information specified in CDP packets, HTTP user agent information, location information and / or device type, and operating system information. The NAC system 280 can also send data and information, including NAC event data, to the NMS 130 via the communication interface 230. The NMS 130 can use this data and information to remotely monitor the performance of the NAC system 280.

[0094] Database 218 includes a MAC address profile store 264, which can be a data repository containing MAC address profiles or other types of data structures. NAC 280 can store MAC address profiles received from NMS 130 and / or other devices in MAC address profile store 264 for determining authorization of client devices. In the example, NAC 280 receives a MAC address profile associated with the MAC address of a client device, generated using fingerprint information. NAC 280 stores the MAC address profile in MAC address profile store 264.

[0095] Memory 212 includes one or more devices configured to store programming modules and / or data associated with the operation of NAC system 280. For example, memory 212 may include a computer-readable storage medium, which is a non-transitory computer-readable medium such as including storage devices (e.g., disk drives or optical drives) or memory (such as flash memory or RAM) or any other type of volatile or non-volatile memory, storing instructions to cause one or more processors 206 to perform the techniques described herein.

[0096] In this example, memory 212 includes API 220, authentication manager 240, policy manager 244, and NMS connector 250. NAC system 280 may also include any other programming modules, software engines, and / or interfaces configured for authentication and authorization of client device 148.

[0097] Authentication manager 240 implements authentication of client device 148 at NAS device 108 for access to wireless network 106 at a subset of sites 102 communicating with NAC system 280, such as a branch or campus enterprise network. Authentication manager 240 may perform the functions of an AAA server (e.g., a RADIUS server) or provide access to an AAA server to authenticate client device 148 before providing access to enterprise network 106 via NAS device 108. In some examples, authentication manager 240 may participate in a handshake exchange between the client device, NAS device, and NAC system 280 for controlling access at the NAS device. In other examples, authentication manager 240 may enable certificate-based authentication of client devices or enable interaction with a cloud directory service to authenticate client devices.

[0098] Policy Manager 244 can be like this Figures 1A to 1BThe example shown is of policy manager 144 and provides similar functionality. Policy manager 244 enables the enforcement of authorization or access policies based on the identity or category of the authenticated client device. For example, policy manager 244 can assign the authenticated client device to certain VLANs, apply certain ACLs, or direct the client device to certain registration portals based on the client device's corresponding enterprise configuration information 217, each operation associated with different types of tracking, different types of authorization, and / or different levels of access permissions. Policy manager 244 can use MAC address profiles provided by the NMS to determine the authorization type of the device according to one or more policies specified in policy information 267. In some examples, after a client device gains access to the enterprise network, policy manager 244 can monitor the client device's activity to identify security issues and, in response, reassign the client device to an isolated VLAN or another VLAN with lower privileges to restrict the client device's access.

[0099] Database 218 includes policy information 267, which may be a data repository containing policy information or other types of data structures. Policy information 267 may contain information specifying policies for authorized devices of the NAC 280. For example, policy information 267 may contain policies specifying authorization levels based on fingerprint information associated with the device.

[0100] like Figure 1B As shown, the NMS connector 250 manages the data and information exchanged between the NAC system 280 and the NMS 130, for example, via WebSocket or another secure tunnel 184. The NMS connector 250 can maintain logs or mappings of which enterprise networks are served by the NAC system 280 and their corresponding configuration information 217. The NMS connector 250 can also manage any updates or modifications to the configuration information 217 received from the NMS 130.

[0101] The NMS connector 250 can receive notifications or indications of anomalies associated with the device's MAC address from the NMS 130. The NMS connector 250 can receive MAC address profiles and other fingerprinting information, and store the MAC address profiles in the MAC address profile storage 264.

[0102] In some examples, the NAC system 280 obtains the current profile of the MAC address associated with the device after granting access permissions using the default access profile. When the device first requests network access, the NAC system 280 can grant access to the site (e.g., as...) using the default access policy. Figures 1A to 1BAccess permissions for the network at one of the sites 102 shown. The NAC system 280 can obtain the MAC address profile associated with the device for which access permissions have been granted using the default policy when determining whether to grant access permissions using an access policy that is different from and more lenient than the default access policy. In the example, the NAC system 280, in response to receiving an access request from a device, uses the default access policy to authenticate the device. As part of further authenticating the device, the NAC system 280 obtains the device's MAC address profile from the NMS 130.

[0103] NAC system 280 can use information in database 218 (e.g., MAC address profile storage 264) to authenticate client devices requesting network access. For example, in response to NAC system 280 receiving a subsequent network access request from a client device (e.g., client device 149), NAC system 280 can obtain fingerprint information associated with that subsequent network access request. NAC system 280 can determine whether the client device associated with the subsequent network access request is a new client device requesting network access by determining whether the MAC address of the requesting client device is known. In response to determining that the client device is not a new client device, NAC system 280 searches for the fingerprint information of the client device associated with the subsequent network access request in database 218 by comparing it with the fingerprint information of client devices previously obtained and associated with previous network access requests. For example, NAC system 280 can perform a fingerprint information lookup of the client device to determine that the client device is not a new client device and / or is using a known MAC address (e.g., the MAC address profiles stored in MAC address profile storage 264 include MAC address profiles associated with the MAC address of the client device).

[0104] Policy Manager 244 can determine the authorization level of a device based on a MAC address profile received via NMS connector 250. Policy Manager 244 can compare the MAC address profile with one or more authorization policies specified in policy information 267 and determine the authorization level. Policy Manager 244 can determine to revoke authorization for a device based on MAC address profiles indicating MAC spoofing. In some examples, Policy Manager 244 can determine the authorization level based on instructions from the NMS indicating that the device should be reauthorized based on a different profile and / or that the device should be isolated (e.g., when MAC spoofing is detected).

[0105] Although the technology described in this example is executed by NMS 130, the technology described herein can be executed by any other computing device, system, and / or server, and this disclosure is not limited thereto. One or more computing devices configured to perform the functions of the technology of this disclosure may reside in a dedicated server or be included in any other server besides NMS 130, or may be distributed throughout network 100, and may or may not be part of NMS 130. For example, NAC system 280 may be configured to provide at least some of the functions of NMS 130.

[0106] Figure 3 This is a block diagram of an example network management system (NMS) 300 according to one or more technologies of this disclosure. The NMS 300 can be used to implement, for example... Figure 1A , Figure 1B The NMS 130 is used in this example. In such an example, the NMS 300 is responsible for monitoring and managing one or more wireless networks 106A-106N at sites 102A-102N.

[0107] The NMS 300 includes a communication interface 330, one or more processors 306, a user interface 310, a memory 312, and a database 318. The various components are coupled together via a bus 314, through which they can exchange data and information. In some examples, the NMS 300 receives data from one or more of the following: client device 148, AP 142, switch 146, router 147, edge device 150, NAC system 180, and other network nodes (e.g., routers and gateway devices) within the network 134. This data can be used to calculate one or more SLE metrics and / or update network data 316 in the database 318. The NMS 300 analyzes this data for cloud-based management of the wireless network 106A-106N. In some examples, the NMS 300 may be... Figure 1A This refers to a portion of another server or any other server.

[0108] Processor 306 executes software instructions, such as software instructions for defining software or computer programs, which are stored in a computer-readable storage medium (such as memory 312). The computer-readable storage medium is a non-transitory computer-readable medium, such as including storage devices (e.g., disk drives or optical drives) or memories (such as flash memory or RAM) or any other type of volatile or non-volatile memory. The non-transitory computer-readable medium stores instructions to cause one or more processors 306 to perform the techniques described herein.

[0109] The communication interface 330 may include, for example, an Ethernet interface. The communication interface 330 couples the NMS 300 to a network and / or the Internet, such as... Figure 1A This refers to any network 134 and / or any local area network shown. Communication interface 330 includes receiver 332 and transmitter 334. NMS 300 receives data from client devices 148, AP 142, switch 146, router 147, edge device 150, NAC system 180, servers 116, 122, 128, and / or forms networks such as... Figure 1A Any other network node, device, or entity within the network system 100 shown may receive data and information / send data and information to or via transmitter 334. In some scenarios described herein, where network system 100 includes “third-party” network devices owned and / or associated with an entity different from NMS 300, and NMS 300 does not directly receive, collect, or otherwise access network data from these third-party network devices. In some examples, edge devices (such as those from…) Figure 1A , Figure 1B The edge device 150 can provide a proxy that can report network data from third-party network devices to the NMS300.

[0110] The data and information received by the NMS 300 may include, for example, telemetry data, SLE-related data, or event data received from one or more of the following: client device 148, AP 142, switch 146, router 147, edge device 150, NAC system 180, or other network nodes (e.g., routers and gateway devices) used by the NMS 300 for remotely monitoring the performance of the wireless network 106A-106N and application sessions from client devices to cloud-based application servers. The NMS 300 can also transmit data via communication interface 330 to any network device, such as client device 148, AP 142, switch 146, router 147, edge device 150, NAC system 180, or other network nodes within the network 134, to remotely manage portions of the wireless network 106A-106N and the wired network.

[0111] Memory 312 includes one or more devices configured to store programming modules and / or data associated with the operation of NMS 300. For example, memory 312 may include a computer-readable storage medium, which is a non-transitory computer-readable medium such as including storage devices (e.g., disk drives or optical drives) or memory (such as flash memory or RAM) or any other type of volatile or non-volatile memory, storing instructions to cause one or more processors 306 to perform the techniques described herein.

[0112] In this example, memory 312 includes API 320, SLE module 322, Virtual Network Assistant (VNA) / AI engine 350, Radio Resource Management (RRM) engine 360, and NAC controller 370. NMS 300 may also include any other programming modules, software engines, and / or interfaces configured for remote monitoring and management of wireless network 106A-106N and wired network portions, including remote monitoring and management of AP 142, switch 146, router 147, edge device 150, NAC system 180, and other network devices (e.g., routers and gateway devices).

[0113] SLE module 322 enables the establishment and tracking of thresholds for SLE metrics for each wireless network 106A-106N. SLE module 322 also analyzes SLE-related data collected by, for example, APs (such as any of AP 142) from UEs in each wireless network 106A-106N. For example, APs 142A-1 to 142A-M collect SLE-related data from UEs 148A-1 to 148A-N currently connected to wireless network 106A. APs 142A-1 to 142A-M send this data to NMS 300, which is executed by SLE module 322 to determine one or more SLE metrics for each UE 148A-1 to 148A-N currently connected to wireless network 106A. In addition to any network data collected by one or more APs 142A-1 to 142A-M in the wireless network 106A, one or more APs 142A-1 to 142A-M also send this data to the NMS 300 so that the NMS 300 can store this data as, for example, network data 316 in the database 318.

[0114] The RRM 360 monitors one or more metrics at each site 102A-102N to learn and optimize the RF environment at each site. For example, the RRM 360 can monitor the coverage and capacity SLE metrics of wireless network 106 at site 102 to identify potential SLE coverage and / or capacity issues in wireless network 106 and adjust the radio settings of the access points at each site to address the identified issues. For example, the RRM 360 can determine the channel and transmit power distribution among all APs 142 in each wireless network 106A-106N. For example, the RRM 360 can monitor events, power, channels, bandwidth, and the number of clients connected to each AP. The RRM 360 can also automatically change or update the configuration of one or more APs 142 at site 102 with the aim of improving coverage and capacity SLE metrics and thus providing an improved wireless experience for users. In some examples, the RRM can determine the geographic location of wireless client devices, for example, by triangulation of the client device's location based on RSSI values ​​obtained from one or more APs 142.

[0115] The VNA / AI engine 350 analyzes data received from network devices and its own data to identify when an unwanted or anomalous state is encountered at a network device. For example, the VNA / AI engine 350 can identify the root cause of any unwanted or anomalous state, such as any poor SLE metric indicating connectivity problems at one or more network devices. Furthermore, the VNA / AI engine 350 can automatically invoke one or more corrective actions designed to address the root cause of one or more identified poor SLE metrics. In some examples, the ML model 380 may include a supervised ML model, trained using training data including pre-collected, labeled network data received from network devices. The supervised ML model may include one of logistic regression, Naive Bayes, support vector machines (SVM), etc. In other examples, the ML model 380 may include an unsupervised ML model. Although not explicitly stated... Figure 3 As shown, in some examples, database 318 can store training data, and VNA / AI engine 350 or a dedicated training module can be configured to train ML model 380 based on the training data to determine appropriate weights for one or more features across the training data. For example, database 318 can store geolocation data of client devices to train ML model 380 based on the training data, thereby determining the client device's mobility patterns. VNA / AI engine 350 can provide an indication of whether the client device's geolocation information is within a mobility pattern.

[0116] Examples of corrective actions that can be automatically invoked by the VNA / AI Engine 350 may include, but are not limited to, invoking the RRM360 to restart one or more APs, adjusting / modifying the transmit power of a specific radio in a specific AP, adding an SSID configuration to a specific AP, changing the channel on an AP or a group of APs, etc. Corrective actions may also include restarting switches and / or routers, invoking the download of new software to APs, switches, or routers, etc. These corrective actions are given for illustrative purposes only, and this disclosure is not limited in this respect. If automatic corrective actions are unavailable or fail to adequately address the root cause, the VNA / AI Engine 350 may proactively provide notifications, including suggested corrective actions to be taken by IT personnel (e.g., a site administrator or network administrator using Administrator Device 111), to resolve the network error.

[0117] The NAC controller 370 implements the NAC configuration platform, which provides a means for configuring the NAC via... Figure 1A The administrator device 111 displays a user interface 310 to the enterprise network administrator, through which access policy information of the enterprise network is received. The NAC controller 370 creates enterprise-specific configuration information 317 stored in a database 318 based on the input received via the user interface 310. Configuration information 317 may include NAC configuration information for one or more enterprise networks managed by the NMS 300. For each enterprise, configuration information 317 may include access policies and associated policy allocation criteria. For example, configuration information 317 may define certain VLANs, ACLs, registration portals, etc., associated with certain categories of client devices, and may also define different types of tracking, different types of authorization, and / or different levels of access permissions for each of the different categories of client devices. Configuration information 317 may be substantially similar to... Figure 1B Configuration information 139.

[0118] like Figure 1B As shown, the NAC controller 370 manages the data and information exchanged between the NMS 300 and the NAC system 180, for example, via WebSocket or other secure tunnels 184. The NAC controller 370 can maintain logs or mappings of which enterprise networks are served by which NAC systems 180, and corresponding configuration information 317 for these enterprises. The NAC controller 370 can also manage any updates or modifications to the configuration information 317 pushed down to the NAC system 180. Furthermore, the NAC controller 370 can monitor the NAC system 180 to identify failures in the primary NAC system and manage failover to the backup NAC system.

[0119] NAC controller 370 can create configuration information 317, which defines one or more access policies based on fingerprint information. For example, if there is an anomaly between the fingerprint information of a client device associated with a subsequent network access request and the fingerprint information of a client device associated with a previous network access request, NAC controller 370 can receive specified access policy information via user interface 310 to deny the client device's access to the network. If there is an anomaly between the fingerprint information of a client device associated with a subsequent network access request and the fingerprint information of a client device associated with a previous network access request, the configuration information can define an isolated VLAN or another VLAN with lower privileges to restrict the client device's access. In some examples, if there is an anomaly between the geographic location information of a wireless client device associated with a subsequent network access request and the geographic location information of a wireless client device associated with a previous network access request, NAC controller 370 can receive specified access policy information via user interface 310 to allow the client device to access the network, and the geographic location information is determined to be within the mobility mode of the wireless client device associated with the previous network access request. In some examples, if there is an anomaly between the geographic location information of a wireless client device associated with a subsequent network access request and the geographic location information of a wireless client device associated with a previous network access request, and the geographic location information is determined to be outside the mobility mode of the wireless client device associated with the previous network access request, then the NAC controller 370 can receive specified access policy information via user interface 310 to deny the client device's input to access the network. The NAC controller 370 can push configuration information 317, including one or more access policies, down to the NAC system 180, which can then use this configuration information to configure the NAC system to implement one or more access policies based on fingerprint information.

[0120] In some examples, the NAC controller 370 may receive input of specified configuration information 317 via a user interface 310 to configure the NAC system 180, thereby generating a notification based on the implemented access policy and sending the notification to the administrator. For example, the configuration information 317 may include configuration information for configuring the fingerprint module 156, which generates and sends a notification if it implements an access policy for denying or isolating client devices from network access. In some examples, the notification may include an indication of the severity level of an unauthorized client device attempting to access the network.

[0121] The NMS 300 can receive signals from NAC systems (such as...) Figures 1A to 1BThe notification is generated by one or more NAC systems 180 shown. The NAC system 180 can generate a notification that identifies anomalies detected between MAC address profiles of the client device (e.g., current, historical, and concurrent MAC address profiles associated with the client device's MAC address) and provide the notification to the NMS 300. The NMS 300 can process the notification and determine one or more actions to be taken based on it.

[0122] The NMS 300 can take one or more actions based on notifications or indications received from one or more NAC systems 180. The NMS 300 takes one or more actions, such as generating an instance of the user interface 310 as a visual indication including a notification, instructing the NAC system to revoke the client device's access, and / or other actions. In the example, the NMS 300 receives a notification from the NAC system 180A including an indication that the client device is performing MAC spoofing, the client device's identifier, information supporting the determination that the client device is performing MAC spoofing, and other information. The NMS 300 determines that a notification should be sent to the administrator warning that the client device is performing MAC spoofing. The NMS 300 generates an instance of the user interface 310 containing the information included in the notification received from the NAC system 180A and outputs the user interface via a web browser.

[0123] According to the technology described in this disclosure, the NMS 300 can compare MAC address profiles associated with the device to detect anomalies. The fingerprinting module 356 of the NMS 300 can obtain the current MAC address profile. The anomaly module 366 can compare one or more of the following with the current profile: a historical profile, and / or a concurrent MAC address profile. The NMS 300 can detect one or more anomalies between the current MAC address profile and other MAC address profiles (e.g., concurrent, historical profiles) and generate a notification identifying the anomaly.

[0124] The fingerprinting module 356 can obtain a current profile of the MAC addresses associated with a device requesting network access at a location. As part of obtaining the current MAC address profile, the fingerprinting module 356 can obtain data attributes of the device associated with the MAC address from multiple sources, including a DHCP server, the device itself, an instance of the NAC system 180, and / or other sources, to be included in the current or merged MAC address profile. The fingerprinting module 356 can obtain data attributes from both sources with relatively high confidence and sources with relatively low confidence. Administrators, NMS 130, and / or another entity can assign confidence scores or tags to multiple sources. In the example, the fingerprinting module 356 receives an instruction from the NAC system to authenticate a client device. As part of constructing the client device's current MAC address profile, the fingerprinting module 356 aggregates the obtained data attributes into the client device's current MAC address profile.

[0125] The fingerprinting module 356 can aggregate data from multiple sources to construct a detailed client profile. The fingerprinting module 356 can obtain data from sources including: user agents and Organizational Unique Identifiers (OUIs), where the user agent string provides device family, model, and OS information, while the MAC OUI mapping identifies the manufacturer; DHCP options (55 / 60), which can be extracted from the request payload and provide OS and vendor details via mapping from a static database; an SDK that provides accurate and detailed device attributes directly from the client; LLDP packets, which provide additional neighbor information from managed switches and routers; a Mobile Device Management (MDM) system, which provides device-related information polled from an integrated mobile device management system; and / or other sources. As part of constructing a fingerprint and / or MAC address profile, the fingerprinting module 356 can aggregate data from one or more sources.

[0126] Fingerprint recognition module 356 can construct a merged fingerprint or MAC address profile by combining data from one or more sources. Fingerprint recognition module 356 may include: data attributes, including general categories of device type (e.g., laptop computer, printer, etc.); device model and OS attributes, including specific identifiers of the device model and / or OS version and type; manufacturer attributes based on MAC OUI and / or other identifiers; operating system and version attributes, identifying the operating system and version running on the client device; the IP address associated with the client; metadata, including the fingerprint's organization ID, site ID, and timestamps (creation, update) and / or MAC address profile and / or other types of attributes. For example, fingerprint recognition module 356 can construct a merged fingerprint including one or more attributes based on aggregated data from multiple sources.

[0127] The fingerprint recognition module 356 can obtain a current MAC address profile by acquiring data attributes associated with the MAC address (or by extending the device associated with the MAC address) from one or more sources. The fingerprint recognition module 356 can obtain data attributes associated with the MAC address from sources including DHCP servers (e.g., such as...). Figure 1A The DHCP server 116 shown), DNS server (e.g., as shown) Figure 1A The fingerprinting module 356 collects data attributes from multiple sources, including the DNS server 112, the NAC system, adjacent devices of the device (e.g., LLDP data), and / or data sources. The fingerprinting module 356 can use the collected data attributes and construct a current MAC address profile by aggregating the collected attributes. For example, the fingerprinting module 356 can construct the current MAC address profile by aggregating data attributes into a data structure or other type of record that includes the data attributes.

[0128] The fingerprint recognition module 356 can store the current MAC address profile in the fingerprint information storage 358, which can be a data repository, database, and / or other type of data storage device for storing MAC address profiles (e.g., historical and / or concurrent MAC address profiles). The fingerprint recognition module 356 can store the current MAC address profile in the fingerprint information storage 358 for use as historical MAC addresses and / or concurrent MAC addresses.

[0129] The fingerprint recognition module 356 can obtain a concurrent MAC address profile associated with the MAC address of the client device. The fingerprint recognition module 356 can obtain the current MAC address profile by performing a lookup within the fingerprint information storage 358, wherein the concurrent MAC address profile is a MAC address profile associated with the MAC address of a device located at a different site than the current MAC address profile. For example, the fingerprint recognition module 356 can obtain the concurrent MAC address profile associated with the client device's MAC address for anomaly detection (e.g., if a comparison of the current MAC address and concurrent MAC addresses indicates that the client device has connected to multiple sites within a short period of time, this could indicate MAC spoofing or other malicious activity by the device).

[0130] The Anomaly Module 366 can compare the current MAC address profile with historical MAC address profiles and / or concurrent MAC address profiles. The Anomaly Module 366 can compare MAC address profiles to identify one or more types of anomalies between them. The Anomaly Module 366 can compare MAC address profiles in one or more ways, such as directly comparing the attributes of the MAC address profiles, applying machine learning or AI models to the MAC address profiles, and / or other methods. For example, the Anomaly Module 366 can apply an ML model to the MAC address profiles to identify anomalies that might not be identifiable by direct comparison of attributes alone.

[0131] Anomaly module 366 can implement a detection mechanism around changes in tracking fingerprints (e.g., MAC address profiles) over time. Anomaly module 366 can implement a mechanism enabling the following operations: temporal analysis, including comparing fingerprints of a given MAC address at different points in time to identify significant changes; source reliability prioritization, including prioritizing high-confidence sources over relatively unreliable sources; group consistency analysis, including evaluating changes at the group level (e.g., printer group level) to identify blast radius scenarios where smaller software updates can explain anomalies across multiple devices; and / or other mechanisms. For example, the anomaly module can implement a mechanism to facilitate the detection of MAC anomalies by partially evaluating group-level changes to determine whether the changes were experienced by other devices in the same group and therefore are unlikely to indicate MAC spoofing.

[0132] In some examples, the Anomaly Module 366 serves incoming device data and outputs the merged fingerprint to a Kafka topic. By monitoring this stream, the Anomaly Module 366's detection logic can implement one or more types of functionality, including individual profiling. This involves tracking historical profiles for each MAC address and detecting sudden changes in key attributes such as device type, OS, or manufacturer. For example, the Anomaly Module 366 can detect a transition from "printer" to "Linux machine" and flag it as an anomaly. The Anomaly Module 366's detection logic can perform cross-source correlation, where it verifies profiles across multiple data sources. The Anomaly Module 366 can identify inconsistent data that raises suspicion of spoofing (e.g., DHCP indicating a printer while LLDP suggests a Linux device). The Anomaly Module 366's detection logic can perform group analysis, where it analyzes the behavior of similar devices. For example, if 100 printers are profiled, but only 5 printers show significant deviations, the Anomaly Module 366 can determine that these 5 printers may be spoofed. Conversely, the Anomaly Module 366 can determine that changes across all devices indicate legitimate updates.

[0133] The anomaly module 366 can detect anomalies between the current MAC address profile and known MAC address profiles (e.g., at least one historical MAC address profile or concurrent MAC address profile). The anomaly detection module 366 can detect one or more types of anomalies, including mismatches between data attributes, devices connecting to the network via more than one subnet (e.g., a first instance of a device connecting to a first subnet, while a second instance of a device connects to a second subnet), devices connecting to the network at more than one location (e.g., a device connecting to the network at both site 102A and site 102N), changes in device type (e.g., devices with the same MAC address being classified as different types of devices over time), devices behaving in a manner inconsistent with their device type (e.g., exhibiting behavior unrelated to their device type), and / or other types of anomalies. In the example, the anomaly module 366 compares the current MAC address profile of a laptop computer with the laptop computer's historical MAC address profiles. The anomaly module 366 determines that there is an anomaly in the DHCP information between the current MAC address profile and the historical MAC address profiles.

[0134] In some examples, the anomaly module 366 can verify the current MAC address profile based on detected anomalies. The anomaly module 366 can verify the current MAC address profile to determine whether the anomaly is consistent with MAC spoofing or is a harmless anomaly (e.g., an anomaly inconsistent with malicious activity). The anomaly module 366 can verify the current MAC address profile by comparing one or more data attributes from multiple data sources. For example, the anomaly module 366 can compare an attribute indicated by a first data source with the same attribute indicated by a second data source to determine whether the data for that attribute is inconsistent across multiple sources. The anomaly module 366 can compare attributes between data sources because inconsistent data between sources can indicate MAC spoofing of the device.

[0135] As part of using multiple sources to compare attributes, the exception module 366 can select sources based on a predetermined confidence level. The exception module 366 can select a source with relatively high confidence as a first data source and select one or more sources with relatively low confidence as a second data source. The exception module 366 can compare data attributes from a source with the same data attributes from a source with relatively low confidence. For example, the exception module 366 can select sources with relatively high confidence levels and sources with relatively low confidence levels (e.g., relatively unreliable sources) to compare attributes in the current MAC address profile.

[0136] Anomaly Module 366 can use blast radius considerations when determining whether an anomaly indicates MAC spoofing and / or other unwanted or potentially malicious activity. Anomaly Module 366 can detect spoofing by distinguishing between genuine anomalies affecting multiple devices and system changes. Anomaly Module 366 can apply one or more considerations, including: localized changes where a small subset of devices displaying profile changes increases the likelihood of spoofing; widespread changes where uniform changes across a group of devices may indicate legitimate firmware or software updates, thus reducing the likelihood of spoofing; and / or other considerations. By analyzing both individual and group-level behavior, Anomaly Module 366 can achieve a balance between sensitivity to anomalies and minimizing false positives.

[0137] Anomaly module 366 can determine whether an anomaly indicates MAC spoofing or a different event (such as a legitimate update to the device). Anomaly module 366 can use one or more techniques to determine whether an anomaly indicates MAC spoofing or another event, such as applying a machine learning model, comparing the device's behavior to known behaviors of MAC spoofing and / or other events, and / or other techniques. Anomaly module 366 can avoid generating notifications and / or taking other actions based on determining that the anomaly indicates an event other than MAC spoofing (such as a legitimate update (e.g., an update to a non-abnormal device)). In the example, anomaly module 366 determines that the anomaly indicates a legitimate update to the device. Anomaly module 366 avoids generating notifications based on determining that the anomaly indicates a legitimate update.

[0138] In some examples, the anomaly module 366 generates an event with one or more details when an anomaly is detected. The anomaly module 366 may generate an event containing details of the anomaly, including the affected MAC address, previous and current fingerprints, and attributes that triggered the detection (such as changes in device type, OS, or manufacturer), contextual information including metadata with a detection timestamp, contributing data sources (e.g., DHCP, user agent), and historical behavior of the MAC address used for verification. Alternatively or additionally, the anomaly module 366 may generate an event including supporting evidence, such as indications of cross-source inconsistencies (e.g., DHCP indicating a printer while LLDP suggests a Linux device) and group behavior insights (e.g., isolated changes versus widespread updates across similar devices).

[0139] Anomaly Module 366 can provide one or more benefits for anomaly detection, including: scalable detection, where Anomaly Module 366 runs on real-time data streams from existing infrastructure; comprehensive analysis, where Anomaly Module 366 utilizes multiple data sources for high-confidence detection; and adaptive logic, where Anomaly Module 366 distinguishes between spoofing attempts and legitimate updates, thereby reducing noise in the system. Anomaly Module 366 can use this framework to ensure robust detection of MAC spoofing scenarios, thereby enhancing the security posture of campus and branch networks while leveraging the capabilities of fingerprinting services.

[0140] In some examples, the exception module 366 may, for the wireless client device and in response to determining that there is no anomaly between the packet information of the client device associated with the subsequent network access request and packet information 261, determine whether the location information (e.g., geographic location) of the client device associated with the subsequent network access request deviates from the location information 262 in the fingerprint information storage 358. In these examples, the exception module 366 may obtain information from the NAC system or other sources indicating whether the geographic location information is not within the mobility mode of the client device. In response to determining that the geographic location information of the client device associated with the subsequent network access request is not within the mobility mode of the client device associated with the previous network access request, the exception module 366 may instruct the policy manager of the NAC system (e.g., policy manager 144) to enforce authorization or access policies to manage network access for the client device associated with the subsequent network access request.

[0141] In some examples, the exception module 366 can generate an instance of the user interface 310 as a visual indication of the exception. The exception module 366 can cause the NMS 300 to output the user interface 310 to the administrator for troubleshooting. For example, the exception module 366 causes the NMS 300 to output a user interface as a network interface that includes visual indications of an exception consistent with MAC spoofing.

[0142] Figure 4 This is a block diagram of an example access point (AP) device 400 according to one or more technologies of this disclosure. Figure 4 The example access point 400 shown can be used to implement the features described in this article. Figure 1A Any of the AP 142 shown and described. Access point 400 may include, for example, a Wi-Fi, Bluetooth and / or Bluetooth Low Energy (BLE) base station or any other type of wireless access point.

[0143] exist Figure 4 In the example, access point 400 includes a wired interface 430, wireless interfaces 420A-420B, one or more processors 406, memory 412, and input / output 410 coupled together via bus 414. The various components can exchange data and information via bus 414. Wired interface 430 represents a physical network interface and includes a receiver 432 and a transmitter 434 for sending and receiving network communications (e.g., data packets). Wired interface 430 directly or indirectly couples access point 400 to wired network devices within a wired network, such as Ethernet cables, via cables (e.g., Ethernet cables). Figure 1A , Figure 1B One of the switches 146 and router 147 in the system.

[0144] The first wireless interface 420A and the second wireless interface 420B represent wireless network interfaces and respectively include receivers 422A and 422B, each receiver including a receiving antenna. The access point 400 can receive wireless communication devices (such as wireless communication devices) via the receiving antenna. Figure 1A , Figure 1B The access point 400 (UE 148) receives wireless signals. The first wireless interface 420A and the second wireless interface 420B also include transmitters 424A and 424B, respectively. Each transmitter includes a transmitting antenna, and the access point 400 can transmit wireless signals to wireless communication devices (such as…) via the transmitting antenna. Figure 1A , Figure 1B (UE 148 in the example). In some examples, the first wireless interface 420A may include a Wi-Fi 802.11 interface (e.g., 2.4 GHz and / or 5 GHz), and the second wireless interface 420B may include a Bluetooth interface and / or a Bluetooth Low Energy (BLE) interface. As described above, the AP 400 can access nearby NAC systems (e.g., Figure 2 NAC system 280 or Figure 1A , Figure 1B A NAC system 180 requests network access from one or more UEs 148.

[0145] Processor 406 is a programmable, hardware-based processor configured to execute software instructions, such as software instructions for defining software or computer programs, which are stored in a computer-readable storage medium (such as memory 412). The computer-readable storage medium is a non-transitory computer-readable medium, such as including storage devices (e.g., disk drives or optical drives) or memories (such as flash memory or RAM) or any other type of volatile or non-volatile memory, which stores instructions to cause one or more processors 406 to perform the techniques described herein.

[0146] Memory 412 includes one or more devices configured to store programming modules and / or data associated with the operation of access point 400. For example, memory 412 may include a computer-readable storage medium, which is a non-transitory computer-readable medium such as including storage devices (e.g., disk drives or optical drives) or memory (such as flash memory or RAM) or any other type of volatile or non-volatile memory, storing instructions to cause one or more processors 406 to perform the techniques described herein.

[0147] In this example, memory 412 stores executable software, including an application programming interface (API) 440, a communication manager 442, configuration settings 450, a device status log 452, a data storage device 454, and a log controller 455. Device status log 452 includes a list of events specific to access point 400. Events can include logs of both normal and error events, such as, for example, memory status, reboot or restart events, crash events, cloud disconnection with self-recovery events, low link speed or link speed fluctuation events, Ethernet port status, Ethernet interface packet errors, upgrade failure events, firmware upgrade events, configuration changes, etc., along with the time and date stamp for each event. Log controller 455 determines the device's log level based on instructions from NMS 130. Data 454 can store any data used and / or generated by access point 400, including data collected from UE 148, such as data used to calculate one or more SLE metrics, which is sent by access point 400 for cloud-based management of wireless network 106A by NMS 130 / 300.

[0148] Input / output (I / O) 410 represents physical hardware components capable of interacting with a user, such as buttons, displays, etc. Although not shown, memory 412 typically stores executable software for controlling the user interface based on input received via I / O 410. Communication manager 442 includes program code, when executed by processor 406, that allows access point 400 to communicate with UE 148 and / or network 134 via interface 430 and / or any of 420A-420C. Configuration settings 450 include any device settings for access point 400, such as radio settings for each of the wireless interfaces 420A-420C. These settings can be configured manually or can be remotely monitored and managed by NMS 130 to periodically (e.g., hourly or daily) optimize wireless network performance.

[0149] As described herein, AP device 400 can measure network data and report it from status log 452 to NMS 130. Network data may include event data, telemetry data, and / or other SLE-related data. Network data may include various parameters indicating the performance and / or status of the wireless network. These parameters may be measured and / or determined by one or more UE devices and / or one or more APs in the wireless network. NMS 130 / 300 can determine one or more SLE metrics based on SLE-related data received from APs in the wireless network and store the SLE metrics as network data 137. Figure 1B ).

[0150] According to the technology described in this disclosure, AP device 400 can send fingerprint identification information associated with a client device to NMS 130 via NAC system 180. For example, data 454 may include fingerprint identification information collected from data packets sent by UE 148, DHCP information from DHCP data packets, LLDP information from LLDP data packets, CDP information from CDP data packets, HTTP user agent information from HTTP data packets, and / or other identification information sent by UE 148. In some examples, AP 400 may generate data 454 including copies of the various data packets sent by UE 148, the RSSI value of UE 148 that can be used to determine the geographical location of UE 148, and / or other information.

[0151] In some examples, the NAC system 180 and / or NMS 130 may send requests to the AP device 400 for data attributes of client devices connected to the AP device 400. The AP device 400 may provide copies of the data attributes and / or related information, such as DHCP packets, LLDP packets, CDP packets, HTTP packets, or any other packets containing information identifying the client device or its network behavior. The AP device 400 may send data attributes used by the NAC system or NMS 130 to construct a MAC address profile.

[0152] Figure 5 This is a block diagram illustrating an example edge device 500 according to one or more technologies of this disclosure. Edge device 500 includes a cloud-managed wireless local area network (LAN) controller. For example, edge device 500 can be used to implement... Figure 1A , Figure 1B Any edge device 150. In such an example, edge device 500 includes an NMS 130 at site 102 and one or more locally deployed NAS devices 108 (e.g., from...). Figure 1A , Figure 1B A locally deployed device that communicates with one or more APs 142, switches 146, or routers 147. An edge device 500 works in conjunction with an NMS 130, and the edge device can operate to extend certain microservices from the NMS 130 to the locally deployed NAS device 108, while using the NMS 130 and its distributed software architecture for scalable and resilient operation, management, troubleshooting, and analysis.

[0153] In this example, edge device 500 includes a wired interface 502 (e.g., an Ethernet interface), a processor 506, input / output 508 (e.g., a display, buttons, keyboard, keypad, touchscreen, mouse, etc.), and memory 512 coupled together via bus 514. The various components can exchange data and information via bus 514. The wired interface 502 couples edge device 500 to a network, such as... Figure 1A The network 134 and / or any local area network shown. Wired interface 502 includes receiver 520 and transmitter 522, through which edge device 500 receives data and information from NAS device 108 and NMS 130 and / or NAC system 180, and transmits data and information to them via transmitter 522. Although only one interface is shown as an example, edge device 500 may have multiple communication interfaces and / or multiple communication interface ports.

[0154] Memory 512 stores executable software applications 532, operating system 540, and data / information 530. Data 530 may include system logs and / or error logs of event data (including behavioral data) from storage edge device 500. Tunneling service 544 provides locally deployed tunnel termination from AP and other NAS devices. Tunneling service 544 also provides secure tunnel brokers to NMS 130 and / or NAC system 180. In one scenario, one or more NAS devices 108 (e.g., from...) Figure 1B The switch 146A may not support establishing secure tunnels (e.g., WebSocket or RadSec tunnels) directly with the NMS 130 and / or NAC system 180. In this scenario, the tunneling service 544 of the edge device 500 provides a tunneling proxy so that authentication requests received from the switch 146A via the secure tunnel 178A can be tunneled to the NAC system 180A using the RadSec tunnel 182A, as... Figure 1B As shown, and / or enable network data from switch 146A to be tunneled to NMS 130 using WebSocket.

[0155] According to the technology described in this disclosure, edge device 500 can send information including data attributes of a MAC address profile associated with a client device to NAC system 180. For example, data 530 may include data attributes derived from collected data packets sent by UE 148. For example, data 530 may include DHCP information from DHCP packets, LLDP information from LLDP packets, CDP information from CDP packets, HTTP user agent information from HTTP packets, and / or other identification information sent by UE 148. In some examples, data 530 may include copies of various data packets sent by UE 148. In some examples, data 530 may include port information (e.g., port identifiers) of UE 148 connected to one or more switches (e.g., switch 146A) coupled to edge device 500.

[0156] Edge device 500 can provide the collected information to NAC system 180. For example, NAC system 180 and / or NMS 130 can send a request to edge device 500 for fingerprint information of client devices connected to a switch coupled to edge device 500. Edge device 500 can provide fingerprint information, such as copies of DHCP packets, LLDP packets, CDP packets, HTTP packets, port information, or any other packets containing information identifying client devices or their network behavior.

[0157] Figure 6 This is a conceptual diagram illustrating example operations of fingerprint recognition and anomaly detection according to the technology disclosed herein. Figure 6 Includes network system 600, which can be connected to... Figures 1A to 1B The network system 100 shown is similar and provides similar functionality.

[0158] Network system 600 includes one or more MDM providers 686, which may be a mobile device manager configured to obtain data from and manage mobile devices 680. Network system 600 includes one or more mobile devices 680, which may include one or more types of devices, such as smartphones, tablets, laptops, desktop computers, and other types of client devices. Although described as "mobile," mobile devices 680 may include one or more fixed devices (e.g., desktop computers). MDM providers 686 may obtain one or more types of information from mobile devices 680, including device type (e.g., smartphone, tablet), device family, OS type, OS version, location, etc., and provide this information to NAC cloud 692. In the example, NAC cloud 692 generates a request for information from MDM provider 686 in response to an authentication request from a client device. MDM provider 686 receives the request and provides the information to NAC cloud 692.

[0159] Network system 600 includes a proxy SDK, which may be a data pipeline from an agent executed by one or more wireless devices 682. Wireless device 682 may include one or more devices wirelessly connected to the network in network system 600 via network access device 688 (e.g., an access point), and in some examples may overlap with mobile device 680. For example, wireless device 682 may include a desktop computer that executes an agent that reports information about a desktop computer via the proxy SDK. Wireless device 682 may execute an agent that can then provide information about wireless device 682 to network access device 688.

[0160] Network system 600 includes switch 690, which may be a network switch communicatively connected to wired device 684. Wired device 684 may include one or more devices connected to the network via wired connection, such as IoT devices, printers, cameras, etc. Wired device 684 may provide information to switch 690 for switch 690 to communicate with NAC cloud 692.

[0161] MDM provider 686, network access device 688, and / or switch 690 may provide information to NAC cloud 692 and / or NMS cloud 698. MDM provider 686, network access device 688, and switch 690 may provide information including: user agent and MAC OUI, wherein the HTTP user agent is processed to extract device family, model, and OS, and wherein the MAC OUI points to the manufacturer. MDM provider 686, network access device 688, and switch 690 may additionally or alternatively provide the following information: including information on DHCP request options 55 / 60, wherein the parameter request list (55) and DHCP vendor (60) are mapped to the client's device type, model, and OS; information from the SDK-Agent, which provides a comprehensive fingerprint directly pulled from the device and used as tagged data from other sources; LLDP neighbor information from managed switches and routers, which is used to derive the client model, manufacturer, and OS; and / or MDM lookup information, providing comprehensive fingerprint information polled from MDM vendors integrated with NAC.

[0162] Network system 600 includes NAC cloud 692, which may include one or more NAC systems, such as Figures 1A to 1B The NAC system 180 or shown Figure 2 The NAC system 280 is located within the NAC cloud 692. The NAC cloud 692 can be a cloud-based NAC system or a locally deployed NAC system. As part of determining whether to authenticate and authorize network devices, the NAC cloud 692 can obtain information from one or more sources such as MDM provider 686, network access device 688, and / or switch 690. For example, the NAC cloud 692 can obtain information about the device type from MDM provider 686. The NAC cloud 692 can provide information to the NMS cloud 698 for the NMS cloud to fingerprint the devices.

[0163] Network system 600 includes NMS cloud 698, which can be similar to... Figures 1A to 1B The NMS 130 or shown Figure 3 The NMS 300 in the example provides similar functionality. In some examples, the NMS cloud 698 may include one or more locally deployed systems. The NMS cloud 698 can acquire data received from the NAC cloud 692 and / or other sources (e.g., MDM provider 686, agent SDK executed by wireless device 682, and / or switch 690) to generate device fingerprint information.

[0164] The NMS Cloud 698 can use the fingerprint recognition module 656 (in... Figure 6The fingerprint module 656 (represented as "Fingerprint Service 656") processes the received information to generate fingerprint identification information for the device. As part of generating the fingerprint identification information, the fingerprint module 656 can aggregate data attributes associated with the device to construct a MAC address profile. The fingerprint module 656 can construct a MAC address profile that is a merged MAC address profile and includes one or more types of information, such as: an indication of the device type containing an identifier of the device category (e.g., printer, surveillance camera, workstation, access point, etc.); an identifier of the device family and model, identifying the device family (e.g., smartphone from a specific manufacturer, printer from a specific manufacturer, access point, etc.) and model (e.g., 12Pro, 9125e, AP41-US, etc.); a manufacturer identifier: (according to the OUI) identifying the manufacturer of the device or interface card; an identifier of the operating system and OS version, identifying the operating system and version running on the client device; an identifier of the IP address associated with the client; and / or metadata, including organization ID, site ID, and other types of information such as fingerprint timestamps (creation, update).

[0165] The fingerprint recognition module 656 can provide the device's MAC address profile to the NAC cloud 692 for inclusion in the fingerprint information storage 658. Figure 6 The fingerprint information storage 658 is shown as “DDB”. Although shown as a separate component of the NAC cloud 692, the fingerprint information storage 658 can be included in the NAC cloud 692 and / or the NMS cloud 698. In some examples, the fingerprint recognition module 656 can provide the device's MAC address profile to the NAC cloud 692. The NAC cloud 692 can store the MAC address profile in the fingerprint information storage 658.

[0166] The NAC Cloud 692 can determine the device's authorization level based on the MAC address profile received from the NMS Cloud 698. The NAC Cloud 692 can apply one or more policies to the fingerprint information to determine the device's authorization level. In some examples, the NAC Cloud 692 can perform policy enforcement actions, including revoking authorization for the device.

[0167] Exception module 666 (in) Figure 6The module 666 (illustrated as "MAC spoofing detection") can process the MAC address profile constructed by the fingerprinting module 656 to detect anomalies between the current MAC address profile and known MAC address profiles associated with the MAC address. The anomaly module 666 can compare the device's current MAC address profile (e.g., the MAC address profile generated by the fingerprinting module 656) with known MAC address profiles (e.g., historical and / or concurrent MAC address profiles). Based on the detected anomaly, the anomaly module 666 determines whether the anomaly indicates MAC spoofing by the device. The anomaly module 666 can detect the anomaly and determine whether it indicates MAC spoofing through methods such as time analysis, cross-source verification, and / or group analysis.

[0168] Anomaly module 666 can output a MAC spoofing indication to one or more receivers. Although shown as a separate component, "Alarm / Event Generation 697" can be performed by anomaly module 666 and / or another component in NMS cloud 698. In some examples, anomaly module 666 can provide NAC cloud 692 with a MAC address profile indicating MAC spoofing, allowing NAC cloud 692 to take appropriate authorization actions. Anomaly module 666 can provide a MAC spoofing indication to NMS dashboard 699 for display to the administrator.

[0169] Network system 600 includes an NMS dashboard 699 (shown as "UI dashboard 699"). Although shown as a separate component, NMS dashboard 699 can be a user interface output by NMS cloud 698 to one or more receiving devices (e.g., administrator devices). NMS dashboard 699 may include one or more visual elements displaying information about network system 600. For example, NMS dashboard 699 may include information about detected anomalies consistent with MAC spoofing for output to the administrator for review.

[0170] Figure 7 This is a flowchart illustrating an example operation 700 for detecting anomalies according to one or more techniques of this disclosure. Figure 7 The example operation is about Figure 1A and Figure 1B This is described using NMS 130. In other examples, Figure 3 NMS300 in Figure 1A and Figure 1B Any NAC system 180 or Figure 2 The NAC system 280 can perform some or all of the steps in operation 700.

[0171] A computing system such as NMS 130 obtains a current profile (702) of the MAC addresses associated with a device (such as client device 149) requesting access to the network. The NAC system can receive a request from client device 149 at a location (such as site 102) to access a network (such as one of networks 134) and provide an indication of that request to NMS 130. NMS 130 obtains the MAC address profile of client device 149 by acquiring data attributes from one or more sources and constructing the current MAC address using the aggregated data attributes.

[0172] NMS 130 compares one or more of the following with the current MAC address profile: the historical profile of the MAC address over time, and the concurrent profile of the MAC address at other locations (704). NMS 130 may obtain known MAC address profiles (e.g., historical and / or concurrent profiles) from one or more sources of data storage such as MAC address profiles. NMS 130 may compare MAC address profiles by comparing one or more data attributes included in the MAC address profiles. In the example, NMS 130 obtains the concurrent MAC address profile associated with client device 149 and compares it with the current MAC address profile. NMS 130 determines that the difference between the MAC address profiles is consistent with the situation where client device 149 reports as a printer at site 102A and as a network camera at site 102N.

[0173] The NMS 130 detects anomalies (706) between at least one of the historical and concurrent MAC address profiles and the current MAC address profile. The NMS 130 may detect anomalies in one or more ways, such as comparing MAC address profiles associated with the device, applying machine learning models, and / or other methods. In some examples, the NMS 130 determines whether the anomaly is consistent with MAC spoofing or is the result of a legitimate change (e.g., a software update to the device).

[0174] NMS 130 generates a notification (708) identifying the anomaly. NMS 130 can generate a notification containing information about the anomaly, such as information supporting the anomaly indicating MAC spoofing, the identifier of the device associated with the MAC spoofing, and / or other information. NMS 130 can provide this notification to one or more recipients, such as an administrator device. For example, NMS 130 can push a MAC address profile indicating MAC spoofing to the NAC system, causing the NAC system to enforce the authorization policy of the device associated with the MAC address profile (e.g., revoking or reducing authorization based on the detection of MAC spoofing).

[0175] The techniques described herein can be implemented in hardware, software, firmware, or any combination thereof. The individual features described as modules, units, or components can be implemented together in an integrated logic device or implemented individually as discrete but interoperable logic devices or other hardware devices. In some cases, the individual features of an electronic circuit can be implemented as one or more integrated circuit devices, such as integrated circuit chips or chipsets.

[0176] If implemented in hardware, this disclosure may refer to an apparatus, such as a processor or an integrated circuit device (such as an integrated circuit chip or chipset). Alternatively or additionally, if implemented in software or firmware, these techniques may be implemented at least in part by a computer-readable data storage medium including instructions that, when executed, cause the processor to perform one or more of the methods described above. For example, the computer-readable data storage medium may store such instructions for processor execution.

[0177] Computer-readable media can form part of a computer program product, which may include packaging material. Computer-readable media may include computer data storage media, such as random access memory (RAM), read-only memory (ROM), non-volatile random access memory (NVRAM), electrically erasable programmable read-only memory (EEPROM), flash memory, magnetic or optical data storage media, etc. In some examples, the article of manufacture may include one or more computer-readable storage media.

[0178] In some examples, computer-readable storage media may include non-transitory media. The term "non-transitory" can mean that the storage medium is not embodied in a carrier wave or propagating signal. In some examples, non-transitory storage media may store data that can change over time (e.g., in RAM or cache).

[0179] The code or instructions can be software and / or firmware executed by processing circuitry including one or more processors, such as one or more digital signal processors (DSPs), general-purpose microprocessors, application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other equivalent integrated or discrete logic circuits. Therefore, the term "processor" as used herein can refer to any of the foregoing structures or any other structure suitable for implementing the techniques described herein. Additionally, in some aspects, the functionality described in this disclosure can be provided within a software module or a hardware module.

Claims

1. A computer system, comprising: Memory; as well as The processing circuit communicates with the memory, and the processing circuit is configured to: Obtain the current profile of the Media Access Control (MAC) address associated with the device requesting network access at a location; Compare one or more of the following with the current profile of the MAC address: the historical profile of the MAC address over time, and the concurrent profile of the MAC address at other locations; Detect an anomalies between at least one of the historical configuration file and the concurrent configuration file of the MAC address and the current configuration file of the MAC address; and Generate a notification that identifies the anomaly.

2. The computer system according to claim 1, wherein, The processing circuit is configured as follows: Based on the detected anomaly, the number of other devices that also experienced the anomaly is determined, wherein these other devices are of the same type as the device stated in the report; and The anomaly is determined to be MAC spoofing based on the fact that the number of other devices does not meet the threshold.

3. The computer system according to claim 1, wherein, The processing circuit is configured to: verify the current configuration file of the MAC address based on the detected anomaly, wherein, in order to verify the current configuration file, the processing circuit is further configured to: The first attribute of the current profile of the MAC address indicated by the first data source is compared with the first attribute of the current profile of the MAC address indicated by one or more second data sources; and The anomaly is determined to be MAC spoofing based on the inconsistency between the data indicated by the first attribute of the current configuration file for the MAC address in the first data source and the one or more second data sources.

4. The computer system according to claim 3, wherein, In order to compare the first attribute from the first data source with the first attribute from the one or more second data sources, the processing circuit is configured to: A source with relatively high confidence is selected as the first data source, and one or more sources with relatively low confidence are selected as the one or more second data sources.

5. The computer system according to any one of claims 1 to 4, wherein, In order to obtain the current configuration file of the MAC address, the processing circuit is configured to: The data attributes of the device are obtained from multiple sources; and Based on the aggregated data attributes from the multiple sources, the current profile of the MAC address associated with the device is constructed.

6. The computer system according to any one of claims 1 to 4, wherein, In order to generate the notification that identifies the anomaly, the processing circuit is configured to: Determine whether the anomaly indicates a MAC spoofing or a different event; and The notification is generated based on the anomaly indicating MAC spoofing.

7. The computer system according to claim 6, wherein, The different events are legitimate updates, and the processing circuit is further configured to: The notification is avoided because the anomaly indicates a legitimate update.

8. The computer system according to any one of claims 1 to 4, wherein, The notification includes one or more of the following: Details of the anomaly Contextual information associated with the detection of the anomaly, and Evidence supporting the anomaly indicating the MAC spoofing.

9. A computer network method, comprising: The computing system obtains the current profile of the Media Access Control (MAC) address associated with the device requesting network access at a location; The computing system compares one or more of the following with the current profile of the MAC address: the historical profile of the MAC address over time, and the concurrent profile of the MAC address at other locations; The computing system detects anomalies between at least one of the historical configuration file and the concurrent configuration file of the MAC address and the current configuration file of the MAC address; as well as The computing system generates a notification that identifies the anomaly.

10. The computer network method according to claim 9, further comprising: The computing system determines, based on the detected anomaly, the number of other devices that also experienced the anomaly, wherein the other devices are of the same type as the device stated in the report; and The anomaly is determined to be MAC spoofing based on the fact that the number of other devices does not meet the threshold.

11. The computer network method according to claim 9, further comprising: The computing system verifies the current configuration file of the MAC address based on the detected anomaly, wherein verifying the current configuration file further includes: The first attribute of the current profile of the MAC address indicated by the first data source is compared with the first attribute of the current profile of the MAC address indicated by one or more second data sources; and The anomaly is determined to be MAC spoofing based on the inconsistency between the data indicated by the first attribute of the current configuration file for the MAC address in the first data source and the one or more second data sources.

12. The computer network method according to claim 11, wherein, Comparing the first attribute from the first data source with the first attribute from the one or more second data sources further includes: A source with relatively high confidence is selected as the first data source, and one or more sources with relatively low confidence are selected as the one or more second data sources.

13. The computer network method according to any one of claims 9 to 12, wherein, The current configuration file for obtaining the MAC address also includes: Obtain the data attributes of the device from multiple sources; and Based on the aggregated data attributes from the multiple sources, the current profile of the MAC address associated with the device is constructed.

14. The computer network method according to any one of claims 9 to 12, wherein, The notification that identifies the anomaly also includes: Determine whether the anomaly indicates a MAC spoofing or a different event; and The notification is generated based on the anomaly indicating MAC spoofing.

15. The method according to claim 14, wherein, The different events are legitimate updates, and the method further includes: The notification is avoided because the anomaly indicates a legitimate update.

16. The computer network method according to any one of claims 9 to 12, wherein, The notification includes one or more of the following: Details of the anomaly Contextual information associated with the detection of the anomaly, and Evidence supporting the anomaly indicating the MAC spoofing.

17. A computer-readable storage medium encoded with instructions for causing one or more programmable processors to be configured as a computer system according to any one of claims 1 to 8 or to be configured to perform a computer network method according to any one of claims 9 to 16.