Title Identity propagation
Abstract In one implementation, identity-based security features and policies are applied to endpoint devices behind an intermediary device, such as a network address translation device. The access network switch authenticates an endpoint based on a user identity and a credential. A hypertext transfer protocol (HTTP) packet is generated or modified to include the user identity in an inline header. The HTTP packet including the user identity is sent to a policy enforcement device to look up one or more policies for the endpoint. The access switch receives traffic from the policy enforcement device that is filtered according to the user identity. Subsequent TCP connections may also include identity information within the TCP USER_HINT option in a synchronization packet, thus allowing identity propagation for other applications and protocols.
Publication number US9154484(B2) Publication date 2015.10.06
Application number US201313773157 Filing date 2013.02.21
Applicant Cisco Technology, Inc. Inventors Wing Daniel G.;Chivukula Srinivas;Reddy Tirumaleswar;Patil Prashanth
Classification H04L29/06;H04L29/08;H04L29/12 Main classification H04L29/06
Agency Lempia Summerfield Katz LLC Agent Lempia Summerfield Katz LLC
Main claim 1. A method comprising: authenticating an endpoint based on a user identity and a credential; generating a hypertext transfer protocol (HTTP) packet including the user identity in an inline header; sending the HTTP packet including the user identity in the inline header to a policy enforcement device through a network address translation (NAT) device and an edge router, wherein the NAT device does not modify or remove the user identity from the inline header, and wherein the edge router reads the user identity from the inline header and incorporates the user identity into a control portion of the HTTP packet; receiving traffic from the policy enforcement device, wherein the traffic is filtered according to the user identity; and sending a subsequent connection request to the policy enforcement device, wherein the subsequent connection request includes a session identifier, wherein the session identifier is included in a user hint transmission control protocol (TCP) option in a synchronization packet as the subsequent connection request.
Address San Jose CA US