Title of invention: Location-based access control in a data network
Abstract: A request for network access is received from a client device at a network entry device of a network infrastructure. The network infrastructure determines a physical location of the client device and determines authorization of the client device based on the physical location. The approach can include providing the physical location along with other user credentials to an authorizing device. The method can also include determining a level of service based on the physical location. Communication for the approach can make use of the IEEE 802.1X protocol.
Publication number: US8972589(B2)  Publication date: 2015.03.03
Application number: US200310377012  Filing date: 2003.02.28
Applicant: Enterasys Networks, Inc.  Inventors: Roese John J.; Graham Richard W.; Frattura David; Harrington David
Classification: G06F15/16;G06F15/173;G06F7/04;H04W24/00;H04L29/08;G01S5/02;H04L29/06;H04L12/24;H04W4/00;H04W4/02;H04W4/04;H04W4/20;H04L29/12;H04W8/26;H04W64/00  Main classification: G06F15/16
Agency: Holland & Knight LLP  Agents: Holland & Knight LLP; Colandreo, Esq. Brian J.; Placker, Esq. Jeffrey T.
Main claim: 1. A method comprising:
establishing a network connection with a network infrastructure by a client device;
identifying location sensitive data which requires at least one access parameter to access the location sensitive data, wherein the location sensitive data is located on the client device, and wherein the at least one access parameter is based on a physical location and defines a region of allowed use;
receiving location information of the client device from a source providing the location information, wherein the source providing the location information is separate from the client device;
determining that a level of trustworthiness of the source providing the location information is below a predefined threshold;
determining, at least in part by one or more packet relaying devices, a first physical location of the client device without trusting the location information provided by the source based upon, at least in part, determining that the level of trustworthiness of the source is below a threshold, and wherein the first physical location is within the region of allowed use;
generating, by a network infrastructure device, a first set of access parameters based, at least in part, on the first physical location determined without trusting the location information provided by the source;
transmitting the first set of access parameters to the client device, wherein the client device is at the determined first physical location;
enabling the client device to access the location sensitive data by utilizing, at least in part, the first set of access parameters;
receiving, at subsequent intervals of time, the location information of the client device from the source providing the location information;
determining, at least in part by one or more packet relaying devices, one or more subsequent physical locations of the client device without trusting the location information provided by the source based upon, at least in part, determining that the level of trustworthiness of the source is below the threshold, and wherein the one or more subsequent physical locations are within the region of allowed use;
generating, by a network infrastructure device, a second set of access parameters based, at least in part, on the one or more subsequent physical locations determined without trusting the location information provided by the source;
transmitting the second set of access parameters to the client device, wherein the client device is at the one or more determined subsequent physical locations;
enabling the client device to maintain access to the location sensitive data by utilizing, at least in part, the second set of access parameters;
determining, at least in part by one or more packet relaying devices, whether the client device is outside the region of allowed use; and
denying access to the location sensitive data on the client device, if the client device is determined to be outside the region of allowed use.
Address: Andover MA US