US 12,069,051 B2
Authentication and enforcement of differentiated policies for a bridge mode virtual machine behind a wireless host in a MAC-based authentication network
Roberto Mitsuo Kobo, Pleasanton, CA (US); Zheng Li, Santa Clara, CA (US); Gopala Krishna Andagunda, Karnataka (IN); Einar Nilsen-Nygaard, East Ayrshire (GB); Shree Murthy, San Jose, CA (US); and Parthiv Shah, Fremont, CA (US)
Assigned to Cisco Technology, Inc., San Jose, CA (US)
Filed by Cisco Technology, Inc., San Jose, CA (US)
Filed on May 13, 2022, as Appl. No. 17/743,758.
Prior Publication US 2023/0370453 A1, Nov. 16, 2023
Int. Cl. H04L 29/06 (2006.01); G06F 9/455 (2018.01); H04L 9/40 (2022.01); H04L 61/5014 (2022.01)
CPC H04L 63/0876 (2013.01) [G06F 9/45558 (2013.01); H04L 61/5014 (2022.05); H04L 63/101 (2013.01); H04L 63/20 (2013.01); G06F 2009/45587 (2013.01); G06F 2009/45595 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A system comprising:
one or more processors; and
one or more non-transitory computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising:
authorizing a wireless host device to join a fabric enabled wireless network;
causing a virtual machine (VM) to execute in bridge mode on the wireless host device;
determining, at a fabric edge device, a source media access control (MAC) address of the VM;
creating, by the fabric edge device, a session between the VM and an authentication server;
authenticating, by the authentication server, the VM;
determining, at least partly by the authentication server, a policy for the VM;
assigning a source Internet Protocol (IP) address to the VM to create a MAC address-IP address (MAC-IP) binding for the VM;
programming a data-plane device in the fabric enabled wireless network to apply the policy to data-plane traffic communicated with the VM; and
applying, by the data-plane device, the policy for the VM based at least in part on the MAC-IP binding.
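The claim above describes a control-plane flow rather than an implementation. The following Python simulation, added here as an editorial example and not Cisco's code or anything disclosed in the patent, walks those steps end to end: a fabric edge opens a separate MAC Authentication Bypass (MAB) session for each new source MAC seen behind an authorized wireless host, an authentication server returns a per-endpoint policy, DHCP snooping yields the MAC-IP binding, and the data plane enforces the policy per binding. The MAC addresses, IP addresses, allowed ports, the default quarantine policy and the use of DHCP snooping as the binding source are all assumptions of the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional


class Action(Enum):
    PERMIT = "permit"
    DENY = "deny"


@dataclass(frozen=True)
class Policy:
    """Per-endpoint policy returned by the authentication server."""
    name: str
    vlan: int
    allowed_dst_ports: FrozenSet[int]  # empty set means deny all traffic


# Constructed MAB database for the simulation (hypothetical MACs, not from the patent).
AUTH_DB: Dict[str, Policy] = {
    "00:11:22:33:44:55": Policy("corp-host", 10, frozenset({443, 53})),
    "52:54:00:ab:cd:ef": Policy("lab-vm", 20, frozenset({22, 53})),
}
QUARANTINE = Policy("quarantine", 999, frozenset())  # assumed default for unknown MACs


@dataclass
class Session:
    mac: str
    policy: Policy
    ip: Optional[str] = None  # filled when DHCP produces the MAC-IP binding


class AuthenticationServer:
    """Stands in for the RADIUS server: MAB is a lookup keyed on source MAC."""

    def authenticate_mac(self, mac: str) -> Policy:
        return AUTH_DB.get(mac.lower(), QUARANTINE)


class FabricEdge:
    """Fabric edge: one MAB session per source MAC, plus the data-plane binding state."""

    def __init__(self, auth: AuthenticationServer) -> None:
        self.auth = auth
        self.sessions: Dict[str, Session] = {}
        self.ip_to_mac: Dict[str, str] = {}

    def on_frame(self, src_mac: str) -> Session:
        """A new source MAC on an already-authorized wireless port gets its own session,
        so a bridge-mode VM is authenticated and policed separately from its host."""
        mac = src_mac.lower()
        if mac not in self.sessions:
            self.sessions[mac] = Session(mac, self.auth.authenticate_mac(mac))
        return self.sessions[mac]

    def on_dhcp_ack(self, mac: str, ip: str) -> bool:
        """DHCP snooping creates the MAC-IP binding; an IP already bound to another MAC
        is rejected so an endpoint cannot take over a neighbour's binding."""
        mac = mac.lower()
        if mac not in self.sessions:
            return False
        owner = self.ip_to_mac.get(ip)
        if owner is not None and owner != mac:
            return False
        self.sessions[mac].ip = ip
        self.ip_to_mac[ip] = mac
        return True

    def enforce(self, src_mac: str, src_ip: str, dst_port: int) -> Action:
        """Data-plane check: policy is applied per MAC-IP binding, so a spoofed source IP
        (bound to a different MAC) or an endpoint with no binding is dropped."""
        mac = src_mac.lower()
        sess = self.sessions.get(mac)
        if sess is None or sess.ip != src_ip or self.ip_to_mac.get(src_ip) != mac:
            return Action.DENY
        return Action.PERMIT if dst_port in sess.policy.allowed_dst_ports else Action.DENY


def demo() -> Dict[str, Action]:
    """Walk the claim's steps for a host, its bridged VM and an unknown bridged VM."""
    edge = FabricEdge(AuthenticationServer())
    host, vm, rogue = "00:11:22:33:44:55", "52:54:00:AB:CD:EF", "de:ad:be:ef:00:01"
    for mac in (host, vm, rogue):
        edge.on_frame(mac)  # one MAB session per source MAC behind the wireless host
    edge.on_dhcp_ack(host, "10.0.10.5")
    edge.on_dhcp_ack(vm, "10.0.20.7")
    edge.on_dhcp_ack(rogue, "10.0.20.8")
    return {
        "host_https": edge.enforce(host, "10.0.10.5", 443),
        "vm_https": edge.enforce(vm, "10.0.20.7", 443),  # VM policy differs from host's
        "vm_ssh": edge.enforce(vm, "10.0.20.7", 22),
        "vm_spoofs_host_ip": edge.enforce(vm, "10.0.10.5", 443),  # binding mismatch
        "rogue_dns": edge.enforce(rogue, "10.0.20.8", 53),  # quarantine denies everything
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:20s} {action.value}")
```

The point the simulation makes is the one the claim turns on: with MAB the wireless port is already authorized for the host, so without a per-MAC session the VM would inherit the host's policy. Keying sessions on source MAC and enforcing on the MAC-IP pair, rather than on IP alone, means the VM cannot borrow the host's policy by reusing the host's IP.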