US Pat. No. 9,313,821

PREDICTIVE AND NOMADIC ROAMING OF WIRELESS CLIENTS ACROSS DIFFERENT NETWORK SUBNETS

Aerohive Networks, Inc., ...

1. A system comprising:
a home agent in a current network subnet configured to:
detect a neighboring wireless network access point in a first network subnet different than the current network subnet;
receive tunneling information from the neighboring wireless network access point, wherein the tunneling information establishes
a tunnel network connection between a first network device in the first network subnet and a second network device in the
current network subnet;

receive predictive roaming information identifying wireless clients connected with the neighboring wireless network access
point in the first subnet;

store the predictive roaming information;
the second network device in the current network subnet configured to:
connect with a first wireless client;
receive identifying information from the first wireless client;
compare the identifying information of the first wireless client with the stored predictive roaming information;
establish a first network connection, including a tunnel network connection, from the first wireless client to the first network
device in the first network subnet via the second network device in the current network subnet, wherein all network traffic
associated with the first wireless client passes through the tunnel network connection, wherein the tunnel network connection
enables the first wireless client to retain a network address associated with the current network subnet while connected with
the first network subnet, if it is determined that the identifying information matches at least a portion of the stored predictive
roaming information;

send a query message identifying a home network subnet associated with the first wireless client, if it is determined that
the identifying information does not match at least a portion of the stored predictive roaming information;

receive a response to the query message including additional tunneling information, wherein the additional tunneling information
establishes a network connection between a third network device in the home network subnet and the second network device in
the current network subnet;

establish a second network connection from the first wireless client to the third network device in the home network subnet
via the second network device in the current network subnet, wherein all network traffic associated with the first wireless
client passes through the third network device in the home network subnet via the second network connection.

US Pat. No. 9,143,466

INTELLIGENT SORTING FOR N-WAY SECURE SPLIT TUNNEL

Aerohive Networks, Inc., ...

1. A system for managing computer network traffic from a remote network location to at least three destinations, said destinations
including a central network location, a scanning service website, and websites with approved Internet protocol addresses,
wherein said computer network traffic travels to said destinations along a split virtual private network tunnel originating
at said remote network location, said system comprising:
means for sorting outgoing datagrams into one of at least three categories using a computer processor at said remote network
location, wherein a first category is datagrams addressed to said central network location, a second category is datagrams
addressed to any of said approved Internet protocol addresses, and a third category is datagrams addressed to any other Internet
protocol addresses;

means for sending datagrams in said first category directly to said central network location along said split virtual private
network tunnel, using said computer processor;

means for sending datagrams in said second category directly to said approved Internet protocol addresses along said split
virtual private network tunnel, using said computer processor;

means for sending datagrams in said third category to said scanning service website along said split virtual private network
tunnel, using said computer processor, the scanning service website configured to provide a first scrubbing service for HTTP
datagrams and a second scrubbing service for at least one of SMTP, POP, and IMAP datagrams.
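The three-way sort claimed above (and the white-list wording of the same idea in US Pat. No. 9,762,541 further down this page) reduces to a destination classifier whose default branch is the scanning service. The following Python is an added example written for this page, not code from the patents or from Aerohive; the prefixes, the concentrator and scanner addresses and the port-to-scrubber mapping are constructed for illustration.

```python
"""Three-way split-tunnel sorter: central site, approved destinations, everything else scanned."""
import ipaddress

# Constructed policy for this example (not from the patent).
CENTRAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]            # first category: HQ
APPROVED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),        # second category: white list
                     ipaddress.ip_network("198.51.100.16/28")]
VPN_CONCENTRATOR = "10.0.0.1"                                       # tunnel endpoint at HQ
SCANNING_SERVICE = "192.0.2.10"                                     # third category: scrubbing service
SCRUB_SERVICE_BY_PORT = {80: "http", 25: "mail", 110: "mail", 143: "mail"}  # HTTP and SMTP/POP/IMAP scrubbers


def categorize(dst_ip: str) -> str:
    """Return 'central', 'approved' or 'other'. The central check runs first so an overly broad
    white-list entry can never capture HQ traffic, and anything unmatched falls through to
    'other', i.e. the sorter fails closed onto the scanning service."""
    ip = ipaddress.ip_address(dst_ip)
    if any(ip in net for net in CENTRAL_NETWORKS):
        return "central"
    if any(ip in net for net in APPROVED_NETWORKS):
        return "approved"
    return "other"


def route(dst_ip: str, dst_port: int) -> dict:
    """Pick the tunnel leg and, for scanned traffic, the scrubbing service for one datagram."""
    category = categorize(dst_ip)
    if category == "central":
        return {"category": category, "next_hop": VPN_CONCENTRATOR, "scrub": None}
    if category == "approved":
        # Direct leg with no inspection: keep APPROVED_NETWORKS narrow and reviewed.
        return {"category": category, "next_hop": dst_ip, "scrub": None}
    return {"category": category, "next_hop": SCANNING_SERVICE,
            "scrub": SCRUB_SERVICE_BY_PORT.get(dst_port, "unspecified")}


def sort_batch(datagrams):
    """Sort (dst_ip, dst_port) pairs into the three legs; handy for auditing a policy offline."""
    legs = {"central": [], "approved": [], "other": []}
    for dst_ip, dst_port in datagrams:
        legs[categorize(dst_ip)].append((dst_ip, dst_port))
    return legs


if __name__ == "__main__":
    # Constructed sample traffic from the branch.
    sample = [("10.20.30.40", 445), ("203.0.113.7", 443), ("93.184.216.34", 80), ("2001:db8::1", 25)]
    for dst_ip, dst_port in sample:
        print(dst_ip, dst_port, route(dst_ip, dst_port))
```

The order of the checks is the security-relevant part: the white-list leg bypasses inspection, so it is consulted only after the central-site match and never as the default. The claim lists scrubbers for HTTP and for SMTP/POP/IMAP only; what the scanning service does with other ports is not specified on this page, so the example reports "unspecified" rather than assuming a behaviour.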

US Pat. No. 9,143,498

INTERNETWORK AUTHENTICATION

Aerohive Networks, Inc., ...

1. A method comprising:
receiving a request for a policy-based identity routing service for a first network;
providing a local authoritative user datastore interface (LAUDI) to a network device of the first network;
obtaining a set of rules for identity routing to the first network;
establishing a secure persistent connection between the LAUDI on the network device of the first network and an online authentication
proxy;

wherein a successful authentication result, from the LAUDI for a station associated with a second network, is indicative of
the station being allowed access to services on the second network;

receiving an authentication request from the second network for the station;
routing the authentication request based on a rule of the set of rules to the LAUDI;
receiving an authentication result from the LAUDI; and
sending the authentication result to the second network;
wherein the successful authentication result is indicative of the station being allowed access to services on the second network.

US Pat. No. 9,572,135

AIRTIME-BASED PACKET SCHEDULING FOR WIRELESS NETWORKS

Aerohive Networks, Inc., ...

1. A system comprising:
a processor;
memory storing instructions used by the processor to:
assign a first network packet to a quality of service category, the first network packet being directed to a network client;
determine a first cost value including a first numerical value based on an estimated time consumed to communicate the first
network packet to the network client over a wireless network interface;

determine an airtime allocation balance value assigned to the quality of service category, the airtime allocation balance
value representing an amount of a portion of unused network bandwidth assigned to the quality of service category for communicating
one or a plurality of packets assigned to the quality of service category over the wireless network interface;

monitor the communication of the first network packet to the network client to determine a second cost value including a second
numerical value based on an actual airtime consumed to communicate the first network packet to the network client over the
wireless network interface;

modify the airtime allocation balance value based on a difference between the first and second cost values;
in response to the first cost value being less than or equal to the airtime allocation balance value, forward the first network
packet to the network client via at least the wireless network interface and decrease the airtime allocation balance value
by the first cost value, thereby resulting in a modified airtime allocation balance value;

in response to the first cost value being greater than the airtime allocation balance value, queue the first network packet
until the airtime allocation balance value is increased such that the first cost value is less than or equal to the increased
airtime allocation balance value; and

in response to the first cost value being less than or equal to the increased airtime allocation balance value, forward the
first network packet to the network client via at least the wireless network interface.

US Pat. No. 9,282,018

CLIENT-INDEPENDENT NETWORK SUPERVISION APPLICATION

Aerohive Networks, Inc., ...

1. A method, comprising:
receiving a monitoring request, from a first network device associated with a first network user, to monitor the first network
device and a group of additional network devices, the first network device and the group of additional network devices being
associated with one or more network clients for network activity related to a network;

polling a plurality of wireless access points configured to provide access to the network in order to identify a first wireless
access point of the plurality of wireless access points, the first wireless access point being configured to monitor activity
of the group of additional network devices associated with the first network device;

configuring the first wireless access point to monitor the network activity of the group;
collecting network activity information for at least a first portion of the group of additional network devices, the network
activity information relating to network activity of the first portion of the group of additional network devices through
the first wireless access point;

providing instructions to the first wireless access point to provide the network activity information to the first network
device;

receiving, using the first wireless access point, a first network resource address from the first network device;
intercepting, using the first wireless access point, a second network resource request from at least one network device in
the group of additional network devices;

identifying a location of the at least one network device;
associating the at least one network device with the group of additional network devices in response to identifying the location
of the at least one network device;

in response to identifying the at least one network device as being associated with the group of additional network devices,
redirecting the at least one network device to the second network resource address by providing a location-specific redirection
response message including the second network resource address to the at least one network device, the location-specific redirection
response message being based, at least in part, on the location of the at least one network device.

US Pat. No. 9,578,144

LAYER 7 APPLICATION CLASSIFICATION

Aerohive Networks, Inc., ...

1. A method comprising:
receiving, at a first network device, one or more packets associated with a layer 7 application session of a client device;
storing at least a portion of each of the one or more packets received at the first network device in a layer 7 application
buffer;

sending at least a subportion of the portion of at least one of the one or more packets stored in the layer 7 application
buffer to a second network device;

determining application information for the layer 7 application from the at least a subportion of the portion of at least
one of the one or more packets;

classifying the layer 7 application using the application information to maintain layer 7 state when the client device roams
from the first network device to the second network device.
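The claim above buffers the first bytes of a session, derives application information from that subportion, and carries the result along when the client roams. The following Python is an added example written for this page, not Aerohive code: it parses the SNI of a TLS ClientHello and the Host header of an HTTP request from a bounded per-session buffer, classifies by domain suffix, and hands the buffer and label to the next AP. The host-to-application map, the `L7Tracker` class and the sample ClientHello builder are constructed for the example.

```python
"""Layer 7 classification from the first bytes of a session, with state handoff on roam."""
import struct

# Constructed host-to-application map (not from the patent).
APP_BY_HOST = {"zoom.us": "zoom", "teams.microsoft.com": "teams", "example.com": "web-browsing"}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying an SNI extension; sample input only."""
    host = server_name.encode()
    entry = b"\x00" + struct.pack("!H", len(host)) + host               # name_type 0 = host_name
    name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0, len(name_list)) + name_list          # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"                            # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                         # one cipher suite
            + b"\x01\x00"                                                # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(buf: bytes):
    """Return the SNI host name from a buffered ClientHello, or None if the buffer is not (yet)
    a complete enough ClientHello. Every offset is bounds-checked: this runs on attacker-controlled bytes."""
    if len(buf) < 5 or buf[0] != 0x16:
        return None
    hs = buf[5:5 + struct.unpack("!H", buf[3:5])[0]]
    if len(hs) < 39 or hs[0] != 0x01:
        return None
    p = 38 + 1 + hs[38]                                   # past header, version, random, session id
    if len(hs) < p + 2:
        return None
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]          # cipher suites
    if len(hs) < p + 1:
        return None
    p += 1 + hs[p]                                        # compression methods
    if len(hs) < p + 2:
        return None
    ext_end = min(len(hs), p + 2 + struct.unpack("!H", hs[p:p + 2])[0])
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0 and p + elen <= ext_end:
            q = p + 2                                     # skip server_name_list length
            while q + 3 <= p + elen:
                ntype, nlen = hs[q], struct.unpack("!H", hs[q + 1:q + 3])[0]
                q += 3
                if ntype == 0 and q + nlen <= p + elen:
                    return hs[q:q + nlen].decode("ascii", "replace")
                q += nlen
        p += elen
    return None


def parse_http_host(buf: bytes):
    """Return the Host header of a buffered HTTP/1.x request, or None."""
    lines = buf.partition(b"\r\n\r\n")[0].split(b"\r\n")
    if len(lines[0].split(b" ")) != 3 or not lines[0].endswith((b"HTTP/1.0", b"HTTP/1.1")):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0]
    return None


def classify(buf: bytes):
    """Application label, or None while the buffered subportion is still inconclusive."""
    host = parse_sni(buf) or parse_http_host(buf)
    if host is None:
        return None
    host = host.lower()
    for suffix, app in APP_BY_HOST.items():               # suffix match, so 'notzoom.us' does not match
        if host == suffix or host.endswith("." + suffix):
            return app
    return "unknown:" + host


class L7Tracker:
    """Per-AP layer 7 buffer: keep the first bytes of each client session until classified."""

    def __init__(self, name: str, buffer_limit: int = 2048):
        self.name, self.buffer_limit, self.sessions = name, buffer_limit, {}

    def ingest(self, client: str, flow: tuple, payload: bytes):
        s = self.sessions.setdefault((client, flow), {"buf": b"", "app": None})
        if s["app"] is None and len(s["buf"]) < self.buffer_limit:
            s["buf"] += payload[:self.buffer_limit - len(s["buf"])]
            s["app"] = classify(s["buf"])
        return s["app"]

    def handoff(self, client: str, target: "L7Tracker") -> int:
        """On roam, move the client's buffered bytes and labels to the next AP, which otherwise
        would never see the start of a session already in progress."""
        moved = {k: v for k, v in self.sessions.items() if k[0] == client}
        for k in moved:
            del self.sessions[k]
        target.sessions.update(moved)
        return len(moved)
```

Two caveats a practitioner should keep in mind: the buffer is capped so a client cannot make the AP hold unbounded unclassified bytes, and the domain match is a suffix match on label boundaries rather than a substring search, since "notzoom.us" must not classify as the same application as "zoom.us". SNI and Host are client-supplied metadata, so a label derived from them is a hint for policy, not proof of what the session carries.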

US Pat. No. 9,473,484

INTERNETWORK AUTHENTICATION

Aerohive Networks, Inc., ...

1. A method comprising:
receiving a request for a policy-based identity routing service for a first network;
providing a local authoritative user datastore interface (LAUDI) to a network device of the first network;
obtaining a set of rules for identity routing to the first network;
establishing a connection with the LAUDI on the network device of the first network;
filtering authentication requests received from at least one other network, including a second network, to resolve the authentication
requests with either on-network or off-network authentication;

wherein a successful authentication result, from the LAUDI, for a station associated with the second network, is indicative
of the station being allowed access to services on the second network including services provided by the first network and
the set of rules for identity routing to the first network are used, at least in part, in providing the services on the second
network.
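The two INTERNETWORK AUTHENTICATION claims on this page (US Pat. Nos. 9,143,498 and 9,473,484) describe the same routing pattern: an online proxy holds a set of identity routing rules, keeps a connection to each network's local authoritative user datastore interface (LAUDI), and filters each incoming authentication request into on-network or off-network resolution. The following Python is an added example written for this page, not Aerohive code; the realm-based rule format, the in-memory user stores and the network names are constructed for illustration.

```python
"""Identity routing through an online authentication proxy to a home network's LAUDI."""
from dataclasses import dataclass, field


@dataclass
class LAUDI:
    """Local authoritative user datastore interface living on a network device of its home network.
    The user store never leaves that device; the proxy only ever sees accept or reject."""
    network: str
    users: dict  # username -> secret (constructed; a real store is LDAP/AD or salted hashes)

    def authenticate(self, username: str, secret: str) -> bool:
        return self.users.get(username) == secret


@dataclass
class Rule:
    realm: str                                       # the part after '@' in the identity
    home: str                                        # network whose LAUDI is authoritative for the realm
    allowed_from: set = field(default_factory=set)   # empty = any requesting network may ask


class AuthProxy:
    def __init__(self):
        self.laudis = {}  # network -> LAUDI reachable over its persistent connection
        self.rules = {}   # realm -> Rule

    def register(self, laudi: LAUDI):
        self.laudis[laudi.network] = laudi

    def add_rule(self, realm: str, home: str, allowed_from=()):
        self.rules[realm.lower()] = Rule(realm.lower(), home, set(allowed_from))

    def route(self, requesting_network: str, identity: str, secret: str) -> dict:
        """Filter one authentication request into on-network or off-network resolution."""
        if "@" not in identity:
            return {"result": "reject", "reason": "identity carries no realm"}
        username, realm = identity.rsplit("@", 1)
        rule = self.rules.get(realm.lower())
        if rule is None:
            return {"result": "reject", "reason": "no identity routing rule for realm"}
        if rule.home == requesting_network:
            # The requesting network is the home network: resolve locally, nothing to route.
            return {"result": "on-network", "home": rule.home}
        if rule.allowed_from and requesting_network not in rule.allowed_from:
            return {"result": "reject", "reason": "policy forbids routing from this network"}
        laudi = self.laudis.get(rule.home)
        if laudi is None:
            # Persistent connection down: fail closed rather than guess.
            return {"result": "reject", "reason": "home LAUDI unreachable"}
        accepted = laudi.authenticate(username, secret)
        return {"result": "accept" if accepted else "reject", "resolved": "off-network", "home": rule.home}


def build_demo_proxy() -> AuthProxy:
    """Constructed two-network setup: corp-a hosts alice, corp-b hosts bob."""
    proxy = AuthProxy()
    proxy.register(LAUDI("corp-a", {"alice": "correct horse"}))
    proxy.register(LAUDI("corp-b", {"bob": "battery staple"}))
    proxy.add_rule("corp-a.example", "corp-a")
    proxy.add_rule("corp-b.example", "corp-b", allowed_from={"corp-a"})  # only corp-a may ask corp-b
    return proxy


if __name__ == "__main__":
    proxy = build_demo_proxy()
    print(proxy.route("corp-b", "alice@corp-a.example", "correct horse"))   # alice visiting corp-b
    print(proxy.route("corp-b", "alice@corp-a.example", "wrong"))
    print(proxy.route("guest-net", "bob@corp-b.example", "battery staple"))  # blocked by policy
```

The example passes the secret through the proxy for brevity; a deployment would relay an EAP or RADIUS exchange end to end so the proxy never holds the credential, and the routing decision would be made on the outer identity only. The two fail-closed branches (unknown realm, LAUDI unreachable) are the ones worth keeping when adapting this.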

US Pat. No. 9,338,816

PREDICTIVE AND NOMADIC ROAMING OF WIRELESS CLIENTS ACROSS DIFFERENT NETWORK SUBNETS

Aerohive Networks, Inc., ...

1. A system comprising:
a home agent in a current network subnet configured to:
detect a neighboring wireless network access point in a first network subnet different than the current network subnet;
receive tunneling information from the neighboring wireless network access point, wherein the tunneling information establishes
a tunnel network connection between a first network device in the first network subnet and a second network device in the
current network subnet;

receive predictive roaming information identifying wireless clients connected with the neighboring wireless network access
point in the first subnet;

store the predictive roaming information;
the second network device in the current network subnet configured to:
connect with a first wireless client;
receive identifying information from the first wireless client;
compare the identifying information of the first wireless client with the stored predictive roaming information;
establish a first network connection, including a tunnel network connection, from the first wireless client to the first network
device in the first network subnet via the second network device in the current network subnet, wherein all network traffic
associated with the first wireless client passes through the tunnel network connection, wherein the tunnel network connection
enables the first wireless client to retain a network address associated with the current network subnet while connected with
the first network subnet, if it is determined that the identifying information matches at least a portion of the stored predictive
roaming information;

send a query message identifying a home network subnet associated with the first wireless client, if it is determined that
the identifying information does not match at least a portion of the stored predictive roaming information;

receive a response to the query message including additional tunneling information, wherein the additional tunneling information
establishes a network connection between a third network device in the home network subnet and the second network device in
the current network subnet;

establish a second network connection from the first wireless client to the third network device in the home network subnet
via the second network device in the current network subnet, wherein all network traffic associated with the first wireless
client passes through the third network device in the home network subnet via the second network connection.

US Pat. No. 9,867,167

AIRTIME-BASED PACKET SCHEDULING FOR WIRELESS NETWORKS

Aerohive Networks, Inc., ...

1. A method comprising:
receiving a data packet as part of network traffic of a network destined for a wireless device accessing the network through
a wireless connection;

identifying airtimes to transmit previously sent data packets;
applying airtimes to transmit the previously sent data packets to corresponding data sizes of the previously sent data packets
to determine an average airtime consumed per data unit of data packet size;

determining an estimated airtime for transmitting the data packet to the wireless device through the wireless connection by
applying the average time consumed per data unit to a data size of the data packet;

identifying a token cost of transmitting the data packet, the token cost based on a size of the data packet and the estimated
airtime;

selecting a quality of service profile associated with the data packet;
determining a token balance of the quality of service profile associated with the data packet, the token balance being an
amount of network bandwidth of the network allocated to the quality of service profile;

comparing the token cost of transmitting the data packet with the token balance of the quality of service profile to determine
if the token cost is less than the token balance;

if it is determined that the token cost is less than the token balance, forwarding the data packet to the wireless device;
if it is determined that the token cost is greater than the token balance, refraining from forwarding the data packet to the
wireless device by queuing the data packet into a queue.
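The two AIRTIME-BASED PACKET SCHEDULING claims on this page (US Pat. Nos. 9,572,135 and 9,867,167) share one mechanism: estimate a packet's airtime from the average airtime per byte of recently sent packets, compare that cost with the balance of the packet's QoS class, forward and deduct when it fits, queue otherwise, and true the balance up once the driver reports the actual airtime. The following Python is an added example written for this page, not Aerohive code; the refill rates, balance caps and the simulated per-packet airtimes are constructed.

```python
"""Airtime-based scheduling: charge each QoS class in microseconds of airtime, not bytes."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Packet:
    qos: str
    size_bytes: int
    actual_airtime_us: int = 0   # what the driver reports after transmission (simulated here)


@dataclass
class QosProfile:
    name: str
    refill_us_per_tick: int      # airtime granted per scheduler tick
    max_balance_us: int          # cap so an idle class cannot bank unbounded credit
    balance_us: int = 0
    queue: deque = field(default_factory=deque)


class AirtimeScheduler:
    def __init__(self, profiles, history=16, default_us_per_byte=0.2):
        self.profiles = {p.name: p for p in profiles}
        self.history = deque(maxlen=history)   # (actual airtime, size) of recently sent packets
        self.default_us_per_byte = default_us_per_byte
        self.sent = []

    def us_per_byte(self) -> float:
        """Average airtime per byte over recent transmissions; slow or retrying clients push it up."""
        if not self.history:
            return self.default_us_per_byte
        return sum(a for a, _ in self.history) / sum(s for _, s in self.history)

    def estimate_cost(self, pkt: Packet) -> int:
        return int(round(self.us_per_byte() * pkt.size_bytes))

    def submit(self, pkt: Packet) -> str:
        """Forward if the estimated cost fits the class balance, otherwise queue behind earlier packets."""
        prof = self.profiles[pkt.qos]
        cost = self.estimate_cost(pkt)
        if not prof.queue and cost <= prof.balance_us:
            self._transmit(prof, pkt, cost)
            return "sent"
        prof.queue.append(pkt)
        return "queued"

    def _transmit(self, prof: QosProfile, pkt: Packet, estimate: int):
        prof.balance_us -= estimate                      # charge the estimate up front
        actual = pkt.actual_airtime_us or estimate       # driver feedback
        prof.balance_us += estimate - actual             # true up: refund over-estimate, charge under-estimate
        self.history.append((actual, pkt.size_bytes))
        self.sent.append((prof.name, pkt.size_bytes, estimate, actual))

    def tick(self):
        """Refill every class, then drain its queue while the head packet's cost fits."""
        for prof in self.profiles.values():
            prof.balance_us = min(prof.max_balance_us, prof.balance_us + prof.refill_us_per_tick)
            while prof.queue:
                cost = self.estimate_cost(prof.queue[0])
                if cost > prof.balance_us:
                    break
                self._transmit(prof, prof.queue.popleft(), cost)


def demo():
    """Constructed scenario: a slow bulk client (600 us per 1500-byte frame) shares the air with voice."""
    sched = AirtimeScheduler([QosProfile("voice", 2000, 4000), QosProfile("bulk", 3000, 6000)])
    sched.tick()
    results = [sched.submit(Packet("bulk", 1500, actual_airtime_us=600)) for _ in range(6)]
    results.append(sched.submit(Packet("voice", 200, actual_airtime_us=120)))
    sched.tick()
    return results, len(sched.profiles["bulk"].queue), sched.profiles["bulk"].balance_us


if __name__ == "__main__":
    print(demo())   # bulk gets throttled after five frames while voice still flows
```

Charging airtime rather than bytes is what keeps a slow client from starving the others: a 1500-byte frame to a client that retries or associates at a low rate costs more credit, so the class it belongs to is held back sooner. The true-up step matters for the same reason; without it a persistently under-estimated cost would let a class overspend indefinitely.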

US Pat. No. 9,413,772

MANAGING ROGUE DEVICES THROUGH A NETWORK BACKHAUL

Aerohive Networks, Inc., ...

1. A method comprising:
detecting a rogue device in a network;
sending a rogue device message that includes an identification of the rogue device to a plurality of switches in a backhaul
of the network;

adding the identification of the rogue device into a rogue monitor table including a learned status field indicating whether
the rogue device is In-Net or Out-Of-Net;

determining whether the rogue device is In-Net or Out-Of-Net using forwarding tables of the plurality of switches in the backhaul
of the network and the rogue monitor table by removing entries in the forwarding tables that include a MAC address of the
rogue device and determining whether a new learned MAC address in the forwarding tables is the MAC address of the rogue device;

when it is determined that the rogue device is In-Net, performing mitigation of the rogue device using a nearest switch to
the rogue device of the plurality of switches in the backhaul of the network;

updating the rogue monitor table to indicate an identification of the nearest switch to the rogue device and updating the
learned status field to indicate that the rogue device is In-Net.
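The claim above turns the switches' own MAC learning into the sensor: flush the rogue's entries everywhere, then watch which switch re-learns the MAC and on what kind of port. The following Python is an added example written for this page, not Aerohive code; the three-switch tree, the port numbers and the rogue MAC addresses are constructed, and mitigation is modelled as a drop rule on the access port rather than any specific switch feature.

```python
"""Rogue device handling through the wired backhaul: flush, watch for re-learning, mitigate at the edge."""
from dataclasses import dataclass, field


@dataclass
class Switch:
    name: str
    fdb: dict = field(default_factory=dict)           # forwarding table: MAC -> port
    uplink_ports: set = field(default_factory=set)    # ports facing other backhaul switches
    drop_rules: set = field(default_factory=set)      # (MAC, port) pairs blocked by mitigation

    def learn(self, mac: str, port: int) -> bool:
        if (mac, port) in self.drop_rules:
            return False
        self.fdb[mac] = port
        return True

    def flush(self, mac: str) -> bool:
        return self.fdb.pop(mac, None) is not None


class Backhaul:
    """Constructed tree of switches; inject_frame floods a frame so every switch learns the source MAC."""

    def __init__(self, switches, links):
        self.switches = {s.name: s for s in switches}
        self.adj = {name: [] for name in self.switches}
        for (a, pa), (b, pb) in links.items():
            self.adj[a].append((b, pb))
            self.adj[b].append((a, pa))
            self.switches[a].uplink_ports.add(pa)
            self.switches[b].uplink_ports.add(pb)

    def inject_frame(self, mac: str, switch: str, port: int) -> bool:
        if not self.switches[switch].learn(mac, port):
            return False                          # blocked at the edge by a mitigation rule
        visited, stack = {switch}, [switch]
        while stack:
            cur = stack.pop()
            for nb, nb_port in self.adj[cur]:
                if nb not in visited:
                    visited.add(nb)
                    self.switches[nb].learn(mac, nb_port)   # learned on the port facing `cur`
                    stack.append(nb)
        return True


class RogueMonitor:
    def __init__(self, backhaul: Backhaul):
        self.net = backhaul
        self.table = {}   # rogue monitor table: MAC -> {"status", "switch"}

    def report_rogue(self, mac: str):
        """Add the rogue to the monitor table and send the rogue message to all backhaul switches,
        each of which drops any forwarding entry for that MAC."""
        self.table[mac] = {"status": "Unknown", "switch": None}
        for sw in self.net.switches.values():
            sw.flush(mac)

    def check_learned(self, mac: str) -> str:
        """If the MAC re-appears in any forwarding table after the flush it entered over the wire
        (In-Net). The switch that learned it on a non-uplink port is the nearest one; a switch
        that only saw it on an uplink merely relayed it."""
        nearest, seen = None, False
        for sw in self.net.switches.values():
            port = sw.fdb.get(mac)
            if port is None:
                continue
            seen = True
            if port not in sw.uplink_ports:
                nearest = sw.name
        entry = self.table[mac]
        if not seen:
            entry["status"] = "Out-Of-Net"           # wireless-only rogue: handle over the air instead
            return entry["status"]
        entry["status"], entry["switch"] = "In-Net", nearest
        if nearest is not None:
            self.mitigate(mac, nearest)
        return entry["status"]

    def mitigate(self, mac: str, switch_name: str):
        """Block the rogue on the access port of the nearest switch and clear stale entries elsewhere."""
        sw = self.net.switches[switch_name]
        sw.drop_rules.add((mac, sw.fdb[mac]))
        for other in self.net.switches.values():
            other.flush(mac)
```

In practice `check_learned` runs after a learning window, not immediately after the flush, and a rogue that changes its MAC will simply be reported and flushed again; the "nearest switch" result is only as trustworthy as the uplink-port inventory, so an unmanaged switch hanging off an access port makes the nearest managed port the best available mitigation point.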

US Pat. No. 9,450,987

USER-BASED NETWORK ONBOARDING

Aerohive Networks, Inc., ...

1. A system comprising:
a first-level security profile engine;
a second-level security profile engine coupled to the first-level security profile engine;
a device selection engine coupled to the second-level security profile engine;
a device network configuration engine coupled to the device selection engine;
wherein, in operation:
the first-level security profile engine assigns a first-level security profile to a user of a first user device and a second
user device, the first user device and the second user device requesting access to a network;

the second-level security profile engine assigns a first second-level security profile to the first user device, the first
second-level security profile providing first network configuration information for the first user device;

the device selection engine identifies, through a web portal, an association of the second user device with the user;
the second-level security profile engine assigns a second second-level security profile to the second user device associated
with the first-level security profile, the second second-level security profile providing second network configuration information
for the second user device;

the device network configuration engine configures the first user device to access the network based on the first network
configuration information.

US Pat. No. 9,152,782

SYSTEMS AND METHODS FOR USER-BASED NETWORK ONBOARDING

Aerohive Networks, Inc., ...

1. A system comprising:
a first-level security profile engine;
a second-level security profile engine coupled to the first-level security profile engine;
a device selection engine coupled to the second-level security profile engine;
a device network configuration engine coupled to the device selection engine;
wherein, in operation:
the first-level security profile engine assigns a first-level security profile to a user of a first user device and a second
user device, the first user device and the second user device requesting access to a network;

the second-level security profile engine assigns a first second-level security profile to the first user device, the first
second-level security profile providing first network configuration information for the first user device;

the device selection engine receives a selection of the second user device associated with the first-level security profile,
the selection being based at least in part on a listing of one or more user devices, including at least the second user device,
entered into a web portal associated with network access management, the listing of one or more user devices being associated
with the first-level security profile of the user;

the second-level security profile engine assigns a second second-level security profile to the second user device, the second
second-level security profile providing second network configuration information for the second user device;

the device network configuration engine configures the first user device to access the network based on the first network
configuration information.

US Pat. No. 9,787,500

PREDICTIVE AND NOMADIC ROAMING OF WIRELESS CLIENTS ACROSS DIFFERENT NETWORK SUBNETS

Aerohive Networks, Inc., ...

1. A method comprising:
receiving home agent information at a first wireless network access point in a first network subnet from a second wireless
network access point in a second network subnet different from the first network subnet;

forwarding the home agent information to a first home agent in the first network subnet;
receiving predictive roaming information for a wireless client indicating that a home network subnet for the wireless client
is the second network subnet;

detecting that the wireless client is wirelessly connected at the first wireless network access point;
determining, using the predictive roaming information, that the home network subnet of the wireless client is the second network
subnet;

determining, using the home agent information, an identification of a second home agent that is a home agent of the second
network subnet;

establishing a network tunnel between the first wireless network access point and the second home agent for managing wireless
network access of the wireless client through the first wireless network access point.

US Pat. No. 9,503,354

VIRTUALIZATION OF NETWORKING SERVICES

Aerohive Networks, Inc., ...

1. A method of configuring a virtual network comprising:
running a user-interactive business requirements wizard from a server, said wizard collecting business requirements from a
user by querying the user with progressive questions in a language of the business requirements, said business requirements
used in configuring said virtual network;

translating said business requirements into technical requirements for said virtual network using said server, said virtual
network including a plurality of virtualized appliances;

automatically discovering local network characteristics using a physical network device, the physical network device including
a processor;

providing said local network characteristics to said server;
selecting a virtual network configuration for the plurality of virtualized appliances from a network configuration database
using said server, said selecting utilizing said technical requirements and the local network characteristics provided to
said server;

testing behavior of said virtual network configuration, using a processor of said server, by simulating said virtual network;
monitoring said testing and generating from said testing new facts regarding performance of said virtual network configuration,
using said processor of said server;

feeding back said new facts to said server for use by said server in said selecting;
repeating said selecting, testing, monitoring and generating, and feeding back, until said server determines a criterion for
virtual network stability has been reached;

managing the plurality of virtual appliances using virtualized network management.

US Pat. No. 9,473,489

PRIVATE SIMULTANEOUS AUTHENTICATION OF EQUALS

Aerohive Networks, Inc., ...

1. A method comprising:
assigning a passphrase to an end user device as part of a private simultaneous authentication of equals (SAE) scheme;
storing the passphrase in association with an identifier of the end user device;
determining the end user device is attempting to authenticate at a wireless network device;
receiving identifying information from the end user device over a wireless medium;
using the identifying information to obtain the passphrase;
generating a shared secret using the passphrase;
determining whether the end user device has generated the shared secret without transmitting the passphrase over the wireless
medium;

authenticating the end user device at a wireless network associated with the wireless network device if it is determined the
end user device has generated the shared secret;

generating first commitment data according to a commitment scheme during a commitment phase of the private SAE scheme;
sending the first commitment data to the end user device over the wireless medium;
receiving second commitment data from the end user device according to the commitment scheme, the second commitment data used
to generate the shared secret;

generating first confirmation data according to a confirmation scheme during a confirmation phase of the private SAE scheme;
receiving over the wireless medium second confirmation data from the end user device according to the confirmation scheme;
comparing the first confirmation data with the second confirmation data to determine if the end user device generated the
shared secret.
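The claim above differs from ordinary SAE in one step: the passphrase is selected per device, using the identifying information the device sends, before the commit and confirm phases run. The following Python is an added example written for this page, not Aerohive code and not an implementation of IEEE 802.11 SAE: it performs a Dragonfly-style commit/confirm over a finite-field group of toy size so that the structure (passphrase lookup by identity, password element, commitment, shared secret, confirmation, comparison) can be read end to end. The device table, the MAC addresses, the group size, the hash-to-group construction and the key labels are all constructed for the example.

```python
"""Private SAE style exchange: per-device passphrase selected by device identity, then a
Dragonfly-like commit/confirm over a finite-field group. Toy parameters, not IEEE 802.11 SAE."""
import hashlib
import hmac
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)   # deterministic Miller-Rabin below 3.3e24


def _is_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime(bits: int) -> int:
    """First safe prime p = 2q + 1 of `bits` bits above 2**(bits-1); deterministic so the demo repeats."""
    q = (1 << (bits - 2)) | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


P = _safe_prime(80)            # toy group size; real SAE uses NIST P-256 or 2048-bit MODP groups
Q = (P - 1) // 2               # order of the subgroup every protocol element must live in
L = (P.bit_length() + 7) // 8  # byte length for serialising group values

# Constructed per-device private passphrases keyed by the device's identifier (MAC).
DEVICE_PASSPHRASES = {
    "02:00:00:00:00:aa": b"lamp-violet-ember-42",
    "02:00:00:00:00:bb": b"hollow-granite-lantern-7",
}


def password_element(passphrase: bytes, salt: bytes) -> int:
    """Map the passphrase into the order-Q subgroup (squaring does that), rejecting the identity.
    Real SAE uses a hunting-and-pecking loop here; a plain hash is enough for the toy group."""
    counter = 0
    while True:
        h = int.from_bytes(hashlib.sha256(salt + passphrase + bytes([counter])).digest(), "big") % P
        pe = pow(h, 2, P)
        if pe > 1:
            return pe
        counter += 1


def commit(pe: int):
    """Commitment phase: pick rand and mask, publish scalar = rand + mask and element = pe^-mask."""
    while True:
        rand = secrets.randbelow(Q - 2) + 2
        mask = secrets.randbelow(Q - 2) + 2
        scalar = (rand + mask) % Q
        if 1 < scalar < Q:
            return rand, (scalar, pow(pe, Q - mask, P))


def valid_commit(peer, own) -> bool:
    """Reject out-of-range scalars, elements outside the subgroup, and a reflected copy of our own commit."""
    scalar, element = peer
    return 1 < scalar < Q and 1 < element < P and pow(element, Q, P) == 1 and peer != own


def shared_secret(pe: int, rand: int, peer) -> int:
    peer_scalar, peer_element = peer
    return pow(pow(pe, peer_scalar, P) * peer_element % P, rand, P)   # = pe^(rand_a * rand_b)


def confirm(k: int, own, peer) -> bytes:
    """Confirmation phase: MAC over both commits with a key derived from the shared secret."""
    kck = hashlib.sha256(b"SAE-KCK" + k.to_bytes(L, "big")).digest()
    return hmac.new(kck, b"".join(v.to_bytes(L, "big") for v in (*own, *peer)), hashlib.sha256).digest()


def run_exchange(ap_mac: str, sta_mac: str, sta_passphrase: bytes, table=DEVICE_PASSPHRASES):
    """Both sides of the exchange. Returns (authenticated, pmk_hex). The passphrase itself is
    never sent: only the commits and confirms would cross the air."""
    ap_passphrase = table.get(sta_mac)              # identifying information selects the passphrase
    if ap_passphrase is None:
        return False, None
    salt = b"".join(bytes.fromhex(m.replace(":", "")) for m in sorted((ap_mac, sta_mac)))
    pe_ap, pe_sta = password_element(ap_passphrase, salt), password_element(sta_passphrase, salt)
    r_ap, c_ap = commit(pe_ap)
    r_sta, c_sta = commit(pe_sta)
    if not (valid_commit(c_sta, c_ap) and valid_commit(c_ap, c_sta)):
        return False, None
    k_ap, k_sta = shared_secret(pe_ap, r_ap, c_sta), shared_secret(pe_sta, r_sta, c_ap)
    conf_ap, conf_sta = confirm(k_ap, c_ap, c_sta), confirm(k_sta, c_sta, c_ap)
    ap_accepts = hmac.compare_digest(confirm(k_ap, c_sta, c_ap), conf_sta)
    sta_accepts = hmac.compare_digest(confirm(k_sta, c_ap, c_sta), conf_ap)
    if not (ap_accepts and sta_accepts):
        return False, None
    return True, hashlib.sha256(b"SAE-PMK" + k_ap.to_bytes(L, "big")).hexdigest()
```

The checks in `valid_commit` are the part most often dropped in toy implementations and the part that matters: a scalar of 0 or 1, an element outside the prime-order subgroup, or a reflected copy of the responder's own commit each let an attacker learn something about the password element or force a predictable key. A wrong passphrase on either side produces different password elements, different shared secrets and therefore mismatched confirmations, and the only thing the exchange reveals is that one confirmation failed.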

US Pat. No. 9,590,822

PREDICTIVE ROAMING BETWEEN SUBNETS

Aerohive Networks, Inc., ...

1. A method comprising:
selecting a first home agent in a first subnet including a first wireless access point associated with a wireless client;
detecting, by the first wireless access point, a second wireless access point;
determining if the second wireless access point is in a second subnet different from the first subnet;
if it is determined that the second wireless access point is in the second subnet:
sending home agent information to the second wireless access point in the second subnet different from the first subnet associated
with the wireless client, the home agent information including an address of the first home agent;

using predictive roaming information, the predictive roaming information including a first address suitable to uniquely identify
the wireless client within a network comprising the first subnet and the second subnet and a second address suitable to uniquely
identify the wireless client within the first subnet and to associate the wireless client with the first subnet, and the home
agent information to establish a tunnel network connection between the first subnet and the second subnet when the wireless
client roams from the first wireless access point in the first subnet to the second wireless access point in the second subnet.
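The four roaming claims on this page (US Pat. Nos. 9,313,821, 9,338,816, 9,787,500 and the one just above, 9,590,822) describe one mechanism from different angles: neighboring APs in different subnets exchange home agent information and the list of clients each serves, an AP that later sees one of those clients matches it against that stored predictive information and tunnels its traffic to the client's home agent so the client keeps its address, and an AP that has no match queries for the client's home subnet instead. The following Python is an added example written for this page, not Aerohive code; the subnets, agent addresses, AP names, the in-memory address allocator and the query modelled as a lookup across home agents are all constructed for illustration.

```python
"""Predictive roaming across subnets: pre-staged client info first, query to the home agent otherwise."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class HomeAgent:
    subnet: str                                   # e.g. "10.1.0.0/24"
    address: str                                  # advertised to neighboring APs as home agent information
    bindings: dict = field(default_factory=dict)  # client MAC -> IP anchored in this subnet
    _hosts: object = field(default=None, repr=False)

    def allocate(self, mac: str) -> str:
        """Hand out the next host address; .1 is left for the gateway in this example."""
        if self._hosts is None:
            self._hosts = ipaddress.ip_network(self.subnet).hosts()
            next(self._hosts)
        ip = str(next(self._hosts))
        self.bindings[mac] = ip
        return ip


@dataclass
class AccessPoint:
    name: str
    agent: HomeAgent                                      # home agent of the AP's own subnet
    clients: dict = field(default_factory=dict)          # MAC -> IP of associated clients
    neighbor_agents: dict = field(default_factory=dict)  # subnet -> home agent address learned from neighbors
    predictive: dict = field(default_factory=dict)       # MAC -> (IP, home subnet) pushed by neighbor APs
    tunnels: dict = field(default_factory=dict)          # MAC -> home agent address carrying the client's traffic


class RoamingDomain:
    def __init__(self):
        self.agents, self.aps = {}, {}

    def add_subnet(self, subnet: str, agent_address: str):
        self.agents[subnet] = HomeAgent(subnet, agent_address)

    def add_ap(self, name: str, subnet: str):
        self.aps[name] = AccessPoint(name, self.agents[subnet])

    def home_subnet_of(self, mac: str):
        """The query message: which home agent holds a binding for this MAC?"""
        return next((s for s, a in self.agents.items() if mac in a.bindings), None)

    def neighbor_exchange(self, a_name: str, b_name: str) -> bool:
        """APs that hear each other across a subnet boundary swap home agent information and the
        list of clients each currently serves (the predictive roaming information)."""
        a, b = self.aps[a_name], self.aps[b_name]
        if a.agent.subnet == b.agent.subnet:
            return False                                  # same subnet: an ordinary L2 roam
        for src, dst in ((a, b), (b, a)):
            dst.neighbor_agents[src.agent.subnet] = src.agent.address
            dst.neighbor_agents.update(src.neighbor_agents)   # relay agents src learned from its neighbors
            for mac, ip in src.clients.items():
                dst.predictive[mac] = (ip, self.home_subnet_of(mac))
        return True

    def associate(self, mac: str, ap_name: str) -> dict:
        """Client connects at an AP: match against stored predictive info, else query, else anchor here."""
        ap = self.aps[ap_name]
        for other in self.aps.values():                      # leave the previous AP
            other.clients.pop(mac, None)
            other.tunnels.pop(mac, None)
        local = ap.agent.subnet
        if mac in ap.predictive:
            ip, home = ap.predictive.pop(mac)
            path, agent_address = "predictive", ap.neighbor_agents.get(home)
        else:
            home = self.home_subnet_of(mac)
            if home is None:                                 # first association anywhere
                return self._anchor(ap, mac)
            ip, path, agent_address = self.agents[home].bindings[mac], "query", self.agents[home].address
        ap.clients[mac] = ip
        if home != local:
            # All of the client's traffic rides the tunnel to its home agent, so it keeps its home IP.
            ap.tunnels[mac] = agent_address or self.agents[home].address
        return {"ip": ip, "home": home, "path": path, "tunnel": ap.tunnels.get(mac)}

    def _anchor(self, ap: AccessPoint, mac: str) -> dict:
        ip = ap.agent.allocate(mac)
        ap.clients[mac] = ip
        return {"ip": ip, "home": ap.agent.subnet, "path": "new", "tunnel": None}
```

Two points for anyone deploying this pattern: because every packet of a roamed client is hairpinned to its home agent, the home subnet's policy (VLAN, ACLs, captive portal state) keeps applying after the roam, which is the security benefit; and because tunnel endpoints and client bindings are learned from neighbor announcements, those announcements need to be authenticated between APs, otherwise a rogue AP could advertise itself as the home agent for a subnet and receive the tunnelled traffic.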

US Pat. No. 9,479,540

USER-BASED NETWORK ONBOARDING

Aerohive Networks, Inc., ...

1. A system comprising:
a first-level security profile engine;
a second-level security profile engine coupled to the first-level security profile engine;
a device selection engine coupled to the second-level security profile engine;
a device network configuration engine coupled to the device selection engine;
wherein, in operation:
the first-level security profile engine assigns a first-level security profile to a user of a first user device and a second
user device, the first user device and the second user device requesting access to a network;

the second-level security profile engine assigns a first second-level security profile to the first user device, the first
second-level security profile providing first network configuration information for the first user device;

the device selection engine identifies, through a web portal, an association of the second user device with the user;
the second-level security profile engine assigns a second second-level security profile to the second user device associated
with the first-level security profile, the second second-level security profile providing second network configuration information
for the second user device;

the device network configuration engine configures the first user device to access the network based on the first network
configuration information.

US Pat. No. 9,762,442

VIRTUALIZATION OF NETWORKING SERVICES

Aerohive Networks, Inc., ...

1. A method comprising:
querying a user of business requirements to achieve desired network solutions of a network of the user by asking the user
questions in the language of the business requirements to achieve the desired network solutions of the network;

translating the business requirements into technical requirements in the language of network terminology for configuring the
network using answers by the user to the questions in the language of the business requirements;

selecting a network configuration to achieve the desired network solutions of the network according to the network terminology
generated based on the answers by the user to the questions in the language of the business requirements;

configuring the network to operate according to the network configuration determined using the network terminology generated
based on the answers by the user to the questions in the language of the business requirements;

selecting another network configuration to achieve the desired network solutions of the network according to the network terminology
generated based on the answers by the user to the questions in the language of the business requirements;

configuring the network to operate according to the another network configuration and the network configuration in parallel,
both the network configuration and the another network configuration determined using the network terminology generated based
on the answers by the user to the questions in the language of the business requirements;

monitoring operation of the network in operating in parallel according to the another network configuration and the network
configuration;

modifying the another network configuration and the network configuration based on the operation of the network in operating
in parallel according to the another network configuration until a proven configuration is identified;

configuring the network to operate according to the proven configuration in response to identification of the proven configuration;
discovering characteristics of the network; and
selecting the network configuration based on both the characteristics of the network and the network terminology generated
based on the answers by the user to the questions in the language of the business requirements.

US Pat. No. 9,812,791

SINGLE BAND DUAL CONCURRENT NETWORK DEVICE

Aerohive Networks, Inc., ...

1. A network device comprising:
a first single band dual concurrent radio module configured to transmit and receive first radio signals in a first frequency
band;

a first antenna array comprised of a first plurality of polarized antennas and configured to transmit and receive the first
radio signals for the first radio module in the first frequency band;

a second single band dual concurrent radio module configured to transmit and receive second radio signals in the first frequency
band concurrently with the first single band dual concurrent radio module;

a second antenna array comprised of a second plurality of polarized antennas and configured to transmit and receive the second
radio signals for the second radio module in the first frequency band;

a main printed circuit board, wherein the first plurality of polarized antennas are vertically polarized with respect to the
network device and are positioned at positions 30 mm out from edges of the main printed circuit board along a plane that extends
out from the edges of the main printed circuit board;

wherein, in operation, the first single band dual concurrent radio module and the second single band dual concurrent radio
module function concurrently using the first frequency band while at least 40 dB of antenna isolation is maintained between
the first antenna array and the second antenna array.

US Pat. No. 9,729,463

MULTICAST TO UNICAST CONVERSION TECHNIQUE

Aerohive Networks, Inc., ...

1. A method comprising:
receiving, through a network, downlink traffic of a multicast packet stream with a plurality of stations addressed as recipients
of the multicast packet stream;

allocating to stations of the plurality of stations a share of network resources for use by the plurality of stations in accessing
network services of the network;

enqueuing a multicast packet in the multicast packet stream into a backpressure-controlled multicast queue;
converting the multicast packet into a plurality of unicast packets for transmission to the stations of the plurality of stations;
selectively dropping at least one unicast packet of the plurality of unicast packets according to an amount of the share of
network resources consumed by the stations of the plurality of stations to maintain buffer fairness.

US Pat. No. 9,565,125

MULTICAST TO UNICAST CONVERSION TECHNIQUE

Aerohive Networks, Inc., ...

1. A method comprising:
identifying a subplurality of traffic identifier (TID) queues associated with a multicast packet;
converting the multicast packet into a multicast-to-unicast converted unicast packet for the subplurality of TID queues;
enqueueing the multicast-to-unicast converted unicast packet in available TID queues of the subplurality of TID queues, wherein
availability of the subplurality of TID queues is based on an amount of unused space in each TID queue of the subplurality
of TID queues;

dequeueing the multicast-to-unicast converted unicast packet from a TID queue of the available TID queues according to a token
bucket checking cycle applied to the subplurality of TID queues;

transmitting the multicast-to-unicast converted unicast packet to a destination.

US Pat. No. 9,762,541

INTELLIGENT SORTING FOR N-WAY SECURE SPLIT TUNNEL

Aerohive Networks, Inc., ...

1. A method comprising:
sorting outgoing datagrams into one of at least three categories, wherein the three categories include a first category of
datagrams addressed to a central network location, a second category of datagrams addressed to destinations on a white list,
and a third category of datagrams addressed to other destinations absent from the white list;

sending datagrams in the first category to the central network location along an N-way split virtual private network tunnel,
wherein N is a multiple of three;

sending datagrams in the second category to the destinations on the white list along the N-way split virtual private network
tunnel;

sending datagrams in the third category to a scanning service website along the N-way split virtual private network tunnel,
the scanning service website configured to provide a first scrubbing service for HTTP datagrams and a second scrubbing service
for SMTP, POP, and IMAP datagrams.

US Pat. No. 9,814,055

DISTRIBUTED CHANNEL SELECTION FOR WIRELESS NETWORKS

Aerohive Networks, Inc., ...

1. A method comprising:
identifying, by a wireless networking device, channel data of available wireless network channels;
identifying, by the wireless networking device, neighboring wireless networking devices;
determining neighborhood qualities of the neighboring wireless networking devices;
determining cost values for the available wireless network channels based on a cost function of at least one attribute of
the available wireless network channels from the channel data;

selecting a candidate wireless network channel of the available wireless network channels based on the cost values for the
available wireless network channels;

determining, by the wireless networking device, if at least one of the neighboring wireless networking devices is acting as
an arbiter network device;

if it is determined that at least one of the neighboring wireless networking devices is acting as the arbiter networking device:
sending a channel request to use the candidate wireless network channel to the arbiter networking device;
using the candidate wireless network channel to transmit data if channel approval is received from the arbiter networking
device,

if it is determined that all of the neighboring wireless networking devices are failing to act as the arbiter networking device,
determining whether to use the candidate wireless network channel based on the determined neighborhood qualities of the neighboring
wireless networking devices.

US Pat. No. 9,686,319

USER-BASED NETWORK ONBOARDING

Aerohive Networks, Inc., ...

1. A system comprising:
a device access notification engine configured to receive a request related to an access to a network by a first user device,
the first user device being included in a plurality of user devices associated with a first first-level security profile assigned
to a user;

an extension engine configured to access, in response to the request related to the access, an application extension to an
application executing on the first user device;

a network file connectivity transfer engine configured to provide a network connectivity file to the application extension,
the network connectivity file including network configuration information for the first user device, the network configuration
information being associated with a first second-level security profile assigned to the first user device and included in
a plurality of second-level security profiles, each one of the plurality of user devices associated with at least one of the
plurality of second-level security profiles;

a device network configuration engine configured to provide instructions to configure the plurality of user devices to access
the network using the plurality of second-level security profiles and the first user device to access the network based at
least in part on the network configuration information in the network connectivity file.

US Pat. No. 9,794,169

APPLICATION BASED DATA TRAFFIC ROUTING USING NETWORK TUNNELING

Aerohive Networks, Inc., ...

1. A method comprising:
receiving, at a first network gateway device configured to provide wireless access to network services, first data traffic
from a client device as part of providing wireless access to the network services;

analyzing, at the first network gateway device, the first data traffic to identify an application or an application type associated
with the first data traffic;

identifying, at the first network gateway device, a set of tunnels established between the first network gateway device and
a second network device that is a cloud-based virtual gateway (CVG);

selecting, at the first network gateway device, from the set of tunnels one or more select tunnels for the first data traffic
based on the application or the application type associated with the first data traffic according to a data traffic routing
policy residing locally at the first network gateway device;

tagging, at the first network gateway device using multiprotocol label switching tagging, the first data traffic with a network
flow tag associated with the application or the application type and used by the second network device to route return data
traffic in response to the first data traffic through the one or more select tunnels back to the first network gateway device;

generating application information associated with the first data traffic including the network flow tag and data traffic-to-tunnel
information including an n-tuple of network flow information;

sending the application information and the data traffic-to-tunnel information from the first network gateway device to the
second network device, wherein sending the application information to the second network device comprises sending application-to-tunnel
binding information to the second network device;

routing the first data traffic from the first network gateway device to the second network device using the one or more select
tunnels.

US Pat. No. 9,705,207

SINGLE BAND DUAL CONCURRENT NETWORK DEVICE

Aerohive Networks, Inc., ...

1. A network device comprising:
a first radio module configured to transmit and receive first radio signals in a first frequency band;
a first antenna array comprised of a first plurality of polarized antennas and configured to transmit and receive the first
radio signals for the first radio module in the first frequency band, the first plurality of polarized antennas including
a polarized antenna comprising:

a first conductive plate including a first antenna blade, a second antenna blade, and a third antenna blade;
a second conductive plate including a fourth antenna blade, a fifth antenna blade, and a sixth antenna blade;
the first conductive plate and the second conductive plate overlaying each other and coupled together at a central joint;
a second radio module configured to transmit and receive second radio signals in the first frequency band;
a second antenna array comprised of a second plurality of polarized antennas and configured to transmit and receive the second
radio signals for the second radio module in the first frequency band;

wherein, in operation, the first radio module and the second radio module function concurrently using the first frequency
band while at least 40 dB of antenna isolation is maintained between the first antenna array and the second antenna array.

US Pat. No. 9,674,892

EXCLUSIVE PRESHARED KEY AUTHENTICATION

Aerohive Networks, Inc., ...

1. A non-transitory computer-readable medium including instructions adapted to direct a computer to perform an operation,
the operation comprising:
receiving at an access point (AP) a parameter including a secret shared by the AP and a server, and derived by the server
from user credentials;

generating at the AP a set of cryptographic keys such that at least one cryptographic key in the set is generated as a function
of the secret, the set of cryptographic keys comprises preshared keys including a preshared key provided to a client device,
the preshared key uniquely associated with a specific plurality of client devices including the client device by being uniquely
associated with client device identifiers of the specific plurality of client devices to prevent the preshared key from being
used with arbitrary client devices;

initiating at the AP a secure network connection with the client device, wherein the client device includes a network configuration
based on a client cryptographic key;

receiving at the AP a first message from the client device, wherein the first message includes a client cryptographic checksum
based on at least the client cryptographic key and data included in the first message;

selecting at the AP a candidate cryptographic key from the set of cryptographic keys;
determining a validation cryptographic checksum based on at least the candidate cryptographic key and data included in the
first message received from the client device;

determining if the candidate cryptographic key matches the client cryptographic key by comparing the validation cryptographic
checksum with the client cryptographic checksum and indicating that the candidate cryptographic key matches the client cryptographic
key if the validation cryptographic checksum matches the client cryptographic checksum;

in response to the determination that the candidate cryptographic key matches the client cryptographic key, establishing the
secure network connection with the client device using the selected candidate cryptographic key; and

in response to the determination that the candidate cryptographic key matches the client cryptographic key, associating a
client device identifier with the candidate cryptographic key in a roaming cache that is accessible to the AP and at least
one other access point not connected with the client device.

US Pat. No. 9,762,579

INTERNETWORK AUTHENTICATION

Aerohive Networks, Inc., ...

1. A method comprising:
providing an internetwork authentication service between a first network and a second network by establishing a connection
between a first network device of the first network and a second network device of the second network through a first local
authoritative user datastore interface at the first network device and an internetwork authentication proxy and a second local
authoritative user datastore interface at the second network device and the internetwork authentication proxy, the first and
second local authoritative user datastore interfaces associated with identity routing rules for routing to the first network;

receiving at the second network device, an authentication request for a station to access the first network;
determining if the authentication request matches a filtering rule of the identity routing rules specifying to remove identities
from authentication requests;

filtering the authentication request to remove an identity from the authentication request;
routing the authentication request according to the identity routing rules to the first network device through the first and
second local authoritative user datastore interfaces;

receiving at the second local authoritative user datastore interface from the first local authoritative user datastore interface
an authentication result indicating the station is authenticated to access the first network;

providing the station access to network services provided through the second network according to the authentication result.

US Pat. No. 9,774,593

PRIVATE SIMULTANEOUS AUTHENTICATION OF EQUALS

Aerohive Networks, Inc., ...

1. A method comprising:
assigning a passphrase to an end user device for authenticating the end user device to access network services of a network
through a private Simultaneous Authentication of Equals (SAE) scheme;

storing the passphrase at a network device on the network in association with an identifier of the end user device;
generating, at the network device, a shared secret as part of a commitment scheme during the private SAE scheme using the
passphrase;

creating, at the network device, a first confirmation value using the shared secret as part of a confirmation scheme during
the private SAE scheme by:

generating a confirmation key, as part of the confirmation scheme, using the shared secret and at least one of a first scalar
included as part of first commitment data generated at the network device, a first element included as part of the first commitment
data generated at the network device, a second scalar included as part of second commitment data generated at and received
from the end user device, and a second element included as part of the second commitment data generated at and received from
the end user device;

generating the first confirmation value, as part of the confirmation scheme, using the confirmation key and at least one of
the first scalar included as part of the first commitment data generated at the network device, the first element included
as part of the first commitment data generated at the network device, the second scalar included as part of the second commitment
data generated at and received from the end user device, and the second element included as part of the second commitment
data generated at and received from the end user device;

receiving, at the network device, a second confirmation value from the end user device;
comparing the first confirmation value with the second confirmation value to determine if the end user device possesses the
shared secret; and

if it is determined that the end user device possesses the shared secret, authenticating the end user device to access the
network services through the private SAE scheme.

US Pat. No. 9,762,679

PROVIDING STATELESS NETWORK SERVICES

Aerohive Networks, Inc., ...

1. A system comprising:
one or more processors;
memory configured to instruct the one or more processors to implement:
a network service request receiving engine, at a local network access device, configured to receive from a user device a request
for a network service;

a network service query formulation engine coupled to the network service request receiving engine and configured to formulate
a query for the network service, the formulating being in response to the request for the network service;

a network service query transfer engine coupled to the network service query formulation engine and configured to provide
an instruction to a remote network access device to interrogate remote network service provider devices coupled to the remote
network access device for capabilities in providing the network service;

a network service query response engine, at the local network access device, coupled to the network service query transfer
engine and configured to receive from at least one of the remote network service provider devices capable of providing the
network service, access parameters related to the network service in response to the interrogation, the access parameters
capable of being used to configure the user device to access the network service;

a user device configuration engine coupled to the network service query response engine and configured to configure the user
device to access the network service from the at least one of the remote network service provider devices capable of providing
the network service based on the access parameters without maintaining, at the local network access device, a state of the
user device in accessing the network service as the user device accesses the network service and a state of the at least one
of the remote network service provider devices in providing the network service to the user device.

US Pat. No. 9,826,479

HYBRID LOW POWER NETWORK DEVICE

Aerohive Networks, Inc., ...

1. A hybrid low power network device comprising:
a wave 1 radio configured to provide client devices wireless access to a network using single-user multi-input multi-output (SU-MIMO);

a wave 2 radio configured to provide the client devices wireless access to the network using multi-user multi-input multi-output (MU-MIMO);

a radio management system configured to assign the client devices to either the wave 1 radio or the wave 2 radio for communicating over wireless communication channels in accessing the network and steer MU-MIMO capable client devices
of the client devices to the wave 2 radio;

first and second Ethernet ports, wherein at least one of the first and second Ethernet ports are configured to provide power
to the hybrid low power network device and allow at least one of the wave 1 radio and the wave 2 radio to communicate with the network;

wherein in operation the hybrid low power network device is configured to operate at a power consumption level under 17 watts
(W) in providing the client devices wireless access to the network.

US Pat. No. 9,820,316

PREVENTING ASYMMETRIC ROUTING USING NETWORK TUNNELING

Aerohive Networks, Inc., ...

1. A method comprising:
receiving at a central gateway data traffic-to-tunnel information from a remote gateway device, wherein the remote gateway
device is configured to provide wireless access to services provided by an enterprise network to at least one client device
and the data traffic-to-tunnel information includes application-to-tunnel binding information including specific tunnels bound
to specific applications used in providing the services to the at least one client device through the remote gateway device,
the data traffic-to-tunnel information sent from the remote gateway device to the central gateway before data traffic from
the at least one client device is sent from the remote gateway device over the specific tunnels to the central gateway;

incorporating the data traffic-to-tunnel information in a data traffic-to-tunnel mapping of the specific tunnels bound to
the specific applications used in providing the services, wherein the specific tunnels are established between the remote
gateway device and a cloud virtual gateway (CVG) using one of a group consisting of Control and Provisioning of Wireless Access
Points (CAPWAP), Lightweight Access Point Protocol (LWAPP), Oplet Runtime Environment (ORE), Generic Routing Encapsulation
(GRE), and Secure Shell (SSH);

receiving first data traffic associated with a specific application of the specific applications from a server of the enterprise
network;

performing deep packet inspection on at least one of the first data traffic to identify the specific application;
identifying a specific tunnel of the specific tunnels associated with the specific application according to the data traffic-to-tunnel
mapping;

forwarding the first data traffic to the remote gateway device through the specific tunnel to reduce asymmetry of routing
to and from the remote gateway device.

US Pat. No. 9,813,862

PROXIMITY BEACON MANAGEMENT USING A NETWORK DEVICE

Aerohive Networks, Inc., ...

1. A method comprising:
generating operational characteristics for a proximity beacon transmitter coupled to a network device through a proximity
beacon transceiver hub physically connected to the network device through a wired connection, wherein the operational characteristics
include a signal power at which the proximity beacon transmitter transmits signals, wherein the proximity beacon transceiver
hub couples the proximity beacon transmitter to the network device to make the proximity beacon transmitter a network device-coupled
proximity beacon transmitter, wherein the network device is configured to provide stations wireless access to network services
of a network, and wherein the stations include proximity beacon receivers;

configuring the proximity beacon transmitter through the network device according to the operational characteristics;
determining if the proximity beacon transmitter is operating according to the operational characteristics in transmitting
proximity beacon signals to the proximity beacon receivers;

reconfiguring the proximity beacon transmitter according to the operational characteristics through the network device, if
it is determined the proximity beacon transmitter is operating in nonconformity with the operational characteristics.

US Pat. No. 9,769,056

GATEWAY USING MULTICAST TO UNICAST CONVERSION

Aerohive Networks, Inc., ...

1. A system comprising:
a multicast frame receiving engine configured to receive a multicast frame directed to a multicast group;
a destination unicast engine coupled to the multicast frame receiving engine and configured to identify a unicast address
of an intended recipient device and a unicast address of an unintended recipient device, wherein the intended recipient device
and the unintended recipient device are members of the multicast group;

a multicast frame expansion engine coupled to the destination unicast engine and configured to convert the multicast frame
into a first unicast frame directed to the intended recipient device by inserting a payload of the multicast frame into a
payload of the first unicast frame and the unicast address of the intended recipient device into a header of the first unicast
frame and convert the multicast frame into a second unicast frame directed to the unintended recipient by inserting the payload
of the multicast frame into a payload of the second unicast frame and the unicast address of the unintended recipient device
into a header of the second unicast frame;

an unintended recipient device frame removal engine coupled to the multicast frame expansion engine and to the intended recipient
device frame providing engine, the unintended recipient device frame removal engine configured to prevent the second unicast
frame from being transmitted to the unintended recipient device by dropping the second unicast frame;

an intended recipient device frame providing engine coupled to the multicast frame expansion engine and configured to provide
the first unicast frame to the intended recipient device.

US Pat. No. 9,948,626

SPLIT AUTHENTICATION NETWORK SYSTEMS AND METHODS

Aerohive Networks, Inc., ...

1. A system comprising:
an authentication datastore;
a device presence engine coupled to the authentication datastore;
a traffic monitor engine coupled to the device presence engine;
an authentication presence monitor engine coupled to the traffic monitor engine;
an authentication server selection engine coupled to the authentication presence monitor engine, the authentication server selection engine being implemented by a processor embodied at least partially in hardware;
a traffic routing engine coupled to the authentication server selection engine;
wherein, in operation:
the device presence engine is configured to detect presence of a user device on a trusted network, network access to the trusted network being managed at least in part by a wireless access point;
the traffic monitor engine is configured to monitor, in response to the detection, traffic on the trusted network from the user device;
the authentication presence monitor engine is configured to extract device identifier information and onboarding information of the user device in response to the monitoring;
the authentication server selection engine is configured to:
evaluate the extracted device identifier information and the extracted onboarding information to determine at least two of an authentication protocol type associated with the user device, a device type of the user device, a type of request made by the user device, and a stage of authentication of the user device as part of onboarding characteristics of the user device;
match a specific configured authentication server of a plurality of configured authentication servers to the user device based on the onboarding characteristics of the user device including at least two of the authentication protocol type associated with the user device, the device type of the user device, the type of request made by the user device, the stage of authentication of the user device, and an onboarding scenario specifically dedicated to the specific configured authentication server by a network administrator, the onboarding scenario part of a plurality of different onboard scenarios each specifically dedicated to at least one of a plurality of configured authentication servers including the specific configured authentication server by the network administrator;
automatically select the specific authentication server to dynamically authenticate the user device to the trusted network, the automatically selecting being based on matching of the specific authentication server to the user device based on the onboarding characteristics and the onboarding scenario specifically dedicated to the specific configured authentication server by the network administrator;
the traffic routing engine is configured to route traffic from the user device to the specific configured authentication server.

US Pat. No. 9,690,676

ASSIGNING NETWORK DEVICE SUBNETS TO PERFORM NETWORK ACTIVITIES USING NETWORK DEVICE INFORMATION

Aerohive Networks, Inc., ...

1. A method for performing a network activity within a network, the method comprising:
determining network activities that need to be performed;
receiving network device information about network devices in one or more network device subnets;
assigning, by a network device subnet assignment engine, the one or more network device subnets that contain the network devices
to perform the network activities as one or more assigned subnets, each of the one or more assigned subnets physically located
within an assigned geographic region and assigned based on activity types of the network activities and the assigned geographic
region as indicated by the network device information;

assigning, by a primary network device assignment engine, a first network device in the one or more assigned subnets as a
primary network device, the first network device being within the assigned geographic region;

assigning, by a backup network device assignment engine, a second network device in the one or more assigned subnets as a
backup network device, the backup network device being within the assigned geographic region;

determining, by a network device activity engine, whether the primary network device is not capable of performing the network
activities;

configuring, by a network device configuration engine, the backup network device to perform the network activities if the
primary network device is not capable of performing the network activities.

US Pat. No. 9,853,967

PRIVATE SIMULTANEOUS AUTHENTICATION OF EQUALS

Aerohive Networks, Inc., ...

18. A system comprising:
at least one processor;
memory storing instructions configured to cause the at least one processor to perform:
assigning a passphrase to an end user device for onboarding the end user device to access network services of a network through
a private simultaneous authentication of equals (SAE) scheme;

storing the passphrase at a network side from the end user device in association with an identifier of the end user device;
generating, at the network side, a shared secret as part of a commitment scheme during the private SAE scheme using the passphrase;
determining an identification of the end user device;
associating the passphrase with the identification of the end user device;
updating a private SAE passphrase map to indicate an association between the passphrase and the identification of the end
user device;

creating, at the network side, a first confirmation value using the shared secret as part of a confirmation scheme during
the private SAE scheme;

receiving, at the network side, a second confirmation value from the end user device;
comparing the first confirmation value with the second confirmation value to determine if the end user device possesses the
shared secret;

authenticating, using the private SAE passphrase map, the end user device to access the network services of the network through
the private SAE scheme, if it is determined that the end user device possesses the shared secret.

US Pat. No. 9,699,055

CLIENT-INDEPENDENT NETWORK SUPERVISION APPLICATION

Aerohive Networks, Inc., ...

1. A method comprising:
receiving, from an administrator of a future gathering of attendees, a monitoring request for the gathering indicating to
monitor the attendees at the gathering in accessing a wireless network;

determining identifications of the attendees at the gathering and corresponding client devices;
selecting a wireless access point providing access to the wireless network to the attendees through the client devices based
on the identifications of the client devices;

collecting, through the wireless access point, network activity information indicating network activities performed by the
attendees in accessing the wireless network;

providing the network activity information to the administrator for use in monitoring the network activities performed by
the attendees in accessing the wireless network;

wherein the client devices are assigned to the attendees based on the gathering attended by the attendees.

US Pat. No. 10,033,112

ANTENNA PATTERN MATCHING AND MOUNTING

Aerohive Networks, Inc., ...

1. A device comprising:
an antenna mounting structure having a center around which a circle is defined on a first plane;
a plurality of antenna devices mounted on the antenna mounting structure with a clearance from each other in interleaved subpluralities around the center of the antenna mounting structure, including:
a first subplurality of antenna devices having a first polarization and not having polarizations orthogonal to the first polarization, including:
a first antenna device with a first point defined thereon, wherein a first line perpendicular to the first plane intersects the first point and the circle;
a second antenna device with a second point defined thereon, wherein a second line perpendicular to the first plane intersects the second point and the circle;
wherein the second point is at a distance from the first point in a clockwise direction along the circle or a projection of the circle into a second plane parallel to the first plane, and a third point defined on a third antenna device is at a distance from the second point in the clockwise direction along the circle or the projection of the circle into the second plane;
a second subplurality of antenna devices having a second polarization different from the first polarization and not having polarizations orthogonal to the second polarization, including:
a fourth antenna device with a fourth point defined thereon, wherein a third line perpendicular to the first plane intersects the fourth point and the circle;
a fifth antenna device with a fifth point defined thereon, wherein a fourth line perpendicular to the first plane intersects the fifth point and the circle;
wherein the fifth point is a distance from the fourth point in a clockwise direction along the circle or a projection of the circle into the second plane, and a sixth point defined on a sixth antenna device is a distance from the fifth point in the clockwise direction along the circle or the projection of the circle into the second plane;
a board mounting device configured to attach the antenna mounting structure to a board.

US Pat. No. 9,628,467

WIRELESS DEVICE AUTHENTICATION AND SERVICE ACCESS

Aerohive Networks, Inc., ...

1. A method comprising:
authenticating a client device for a network;
receiving a service request from the client device at an authenticator network device;
receiving user credentials including a user ID, a user key, and a nonce for a user who initiated the service request;
generating a token using the user credentials;
modifying the service request to include the token and a user ID parameter that is the user ID to generate a modified service
request;

decoding the token included in the modified service request;
determining the user key from the user ID parameter included in the modified service request;
decrypting the token using the user key to extract a body in plain text;
determining the user ID and the nonce from the body in plain text;
determining a reference nonce from the user ID;
determining whether the reference nonce matches the nonce determined from the body in plain text extracted from the token;
if it is determined that the reference nonce matches the nonce determined from the body in plain text extracted from the token,
then determining that the user ID determined from the body in plain text extracted from the token is valid;

if it is determined that the user ID determined from the body in plain text extracted from the token is valid, using the user
ID determined from the body in plain text to provide single sign-on access to a service that is a subject of the service request.
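The token flow claimed above, as an added worked example (this is illustrative code written for this page, not Aerohive's implementation): the authenticator mints a token whose body carries the user ID and a nonce, encrypted under the user's key; the verifier looks the key up from the user ID parameter, checks the tag before decrypting, and compares the nonce in the body against the reference nonce on file. The user key store, the reference-nonce store and the sample request are constructed for the example. The cipher is a toy encrypt-then-MAC built from HMAC-SHA256 so the block runs on the standard library alone; a real deployment would use AES-GCM or ChaCha20-Poly1305. Two checks go beyond the claim's wording and are marked as such in the code: the reference nonce is consumed on first use so a captured token cannot be replayed, and the user ID inside the token must equal the outer user ID parameter.

```python
"""Added example (not Aerohive code): nonce-bound SSO token mint and verify."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Assumed authenticator-side state (constructed for the example).
USER_KEYS = {"alice": hashlib.sha256(b"alice-enrollment-secret").digest()}
ISSUED_NONCES = {}   # user ID -> reference nonce for the pending service request


def issue_nonce(user_id: str) -> str:
    """Reference nonce handed out when the user starts the service request."""
    nonce = secrets.token_hex(16)
    ISSUED_NONCES[user_id] = nonce
    return nonce


def _subkey(user_key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys derived from the user key."""
    return hmac.new(user_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode (illustration only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_token(user_key: bytes, body: dict) -> str:
    """Encrypt-then-MAC: base64url(iv || ciphertext || tag)."""
    plaintext = json.dumps(body, sort_keys=True).encode()
    iv = secrets.token_bytes(16)
    stream = _keystream(_subkey(user_key, b"enc"), iv, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(user_key, b"mac"), iv + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(iv + ciphertext + tag).decode()


def decrypt_token(user_key: bytes, token: str) -> dict:
    """Verify the tag before touching the ciphertext; raise ValueError on any failure."""
    raw = base64.urlsafe_b64decode(token.encode())
    if len(raw) < 48:
        raise ValueError("token too short")
    iv, ciphertext, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(_subkey(user_key, b"mac"), iv + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag")
    stream = _keystream(_subkey(user_key, b"enc"), iv, len(ciphertext))
    return json.loads(bytes(a ^ b for a, b in zip(ciphertext, stream)))


def build_modified_request(service_request: dict, user_id: str, user_key: bytes, nonce: str) -> dict:
    """Modified service request: original fields plus the token and the user ID parameter."""
    token = encrypt_token(user_key, {"user_id": user_id, "nonce": nonce})
    return {**service_request, "user_id": user_id, "token": token}


def verify_modified_request(request: dict) -> Optional[str]:
    """Return the validated user ID to use for single sign-on, or None to reject."""
    user_id_param = request.get("user_id")
    user_key = USER_KEYS.get(user_id_param)        # user key determined from the user ID parameter
    if user_key is None:
        return None
    try:
        body = decrypt_token(user_key, request["token"])
    except (KeyError, ValueError):
        return None
    reference = ISSUED_NONCES.pop(user_id_param, None)   # consumed on use: replay defense (addition)
    if reference is None or not hmac.compare_digest(reference, str(body.get("nonce"))):
        return None
    if body.get("user_id") != user_id_param:       # bind inner and outer user ID (addition)
        return None
    return body["user_id"]


if __name__ == "__main__":
    n = issue_nonce("alice")
    req = build_modified_request({"service": "mail"}, "alice", USER_KEYS["alice"], n)
    print(verify_modified_request(req))   # first use succeeds
    print(verify_modified_request(req))   # replay is rejected
```

Note the ordering inside decrypt_token: the tag is checked over iv and ciphertext before any decryption, so a forged or bit-flipped token never reaches the nonce comparison, and a failed tag check leaves the reference nonce in place for the legitimate request.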

US Pat. No. 9,992,619

NETWORK DEVICE BASED PROXIMITY BEACON LOCATING

Aerohive Networks, Inc., ...

1. A method comprising:
receiving a proximity beacon signal from a network device-coupled proximity beacon transmitter located on a floor of a building at a proximity beacon transmitter hub coupled through a wired connection to a first network device configured to transmit data to and from a backhaul of a network for a client device in providing the client device access to network services, wherein the proximity beacon signal is transmitted in accordance with an applicable lower power short range wireless communication unsuitable for use in transmitting data from the backhaul of the network to the network device-coupled proximity beacon transmitter;
upon receiving the proximity beacon signal, generating and sending proximity beacon signal data from the proximity beacon transmitter hub, the proximity beacon signal data including a received signal strength indication (RSSI) value of the proximity beacon signal, an identification of the network device-coupled proximity beacon transmitter, and an identification of the proximity beacon transmitter hub;
maintaining, separate from the network device-coupled proximity beacon transmitter, proximity beacon transmitter operational parameters of the network device-coupled proximity beacon transmitter including a transmit power at which the network device-coupled proximity beacon transmitter is configured to transmit proximity beacon signals;
receiving the proximity beacon signal data at the first network device, and upon receiving the proximity beacon signal data, generating at and sending from the first network device a first RSSI reporting message including the RSSI value of the proximity beacon signal received from the network device-coupled proximity beacon transmitter over the applicable lower power short range wireless communication based on the proximity beacon signal data;
determining a position of the network device-coupled proximity beacon transmitter on the floor of the building with respect to the proximity beacon transmitter hub using the first RSSI reporting message by comparing the transmit power at which the network device-coupled proximity beacon transmitter is configured to transmit proximity beacon signals with the RSSI value of the proximity beacon signal received from the network device-coupled proximity beacon transmitter over the applicable lower power short range wireless communication, and using dimensions and characteristics of interior walls on the floor of the building;
determining a location of the proximity beacon transmitter hub using the first RSSI reporting message and network device map data for one or more floors of the building;
mapping a location, on the floor of the building, of the network device-coupled proximity beacon transmitter based on the position of the network device-coupled proximity beacon transmitter with respect to the proximity beacon transmitter hub and the location of the proximity beacon transmitter hub on the floor of the building indicated by the network device map data.

US Pat. No. 9,923,843

LAYER 7 APPLICATION CLASSIFICATION

Aerohive Networks, Inc., ...

1. A method comprising:
storing in a layer 7 application buffer at a first network device one or more packets received at the first network device
and associated with a layer 7 application session for executing a layer 7 application at a client device coupled to the first
network device as part of the client device accessing network services of a network through the first network device;

receiving at the first network device from a second network device one or more additional packets received at the second network
device and associated with the layer 7 application session for continued execution of the layer 7 application at the client
device as it roams and is coupled to the second network device as part of the client device accessing the network services
of the network through the second network device;

determining, at the first network device, application information associated with the layer 7 application from the one or
more packets received at the first network device and the one or more additional packets received at the second network device;

classifying the layer 7 application into a layer 7 application classification based on the application information associated
with the layer 7 application, the layer 7 application classification used by the second network device to maintain layer 7
state when the client device roams from the first network device to the second network device and accesses the network services
of the network through the second network device.

US Pat. No. 10,117,085

DEPLOYMENT OF PROXIMITY BEACON DEVICES

Aerohive Networks, Inc., ...

1. A system comprising:
a network device, coupled to a network of an enterprise via a first communication interface, including a second communication interface and configured to provide wireless access to the network of the enterprise for wireless local area network (WLAN) stations;
a network device-coupled proximity beacon transmitter (PBT) device physically connected to the network device via the second communication interface, including a PBT configuration datastore storing PBT parameters, a beacon content datastore storing proximity beacon content, and a PBT;
wherein, in operation, the PBT transmits proximity beacons comprising proximity beacon content, including at least one value associated with a context defined by the enterprise or an entity acting on behalf of the enterprise, from the beacon content datastore in accordance with the PBT parameters from the PBT configuration datastore to form a personal area network (PAN) of the enterprise detectable by a proximity beacon receiver (PBR) device with a proximity beacon interpretation engine configured to interpret the proximity beacon content and the at least one value to indicate actual proximity to the network device in the context defined by the enterprise or the entity acting on behalf of the enterprise, and the network device establishes a direct wireless connection with the PBR device that received the proximity beacons from the PBT, and provides additional content associated with the proximity beacons to the PBR device through the direct wireless connection.

US Pat. No. 10,003,615

USER-BASED NETWORK ONBOARDING

Aerohive Networks, Inc., ...

1. A method comprising:
receiving user information of a user requesting access to a network with a first user device of the user;
assigning a first-level security profile to the user based on the user information of the user;
assigning a first second-level security profile including first network configuration information to the first user device of the user;
configuring the first user device to access the network using the first network configuration information included in the first second-level security profile assigned to the first user device;
requesting a listing of user devices associated with the first-level security profile, the listing including a second user device of the user associated with the first-level security profile assigned to the user as part of user-based device onboarding;
presenting the listing of the user devices associated with the first-level security profile to the user;
selecting the second user device from the listing of the user devices based on input received from the user in response to presenting the listing of the user devices to the user;
assigning a second second-level security profile including second network configuration information to the second user device;
configuring the second user device to access the network using the second network configuration information included in the second second-level security profile assigned to the second user device.

US Pat. No. 9,965,366

ASSIGNING NETWORK DEVICE SUBNETS TO PERFORM NETWORK ACTIVITIES USING NETWORK DEVICE INFORMATION

Aerohive Networks, Inc., ...

1. A method comprising:
determining network activities to be performed for a client device accessing network services through a network;
assigning, by a network device subnet assignment engine, one or more network device subnets to perform the network activities for the client device accessing the network services through the network based on the network activities to be performed;
receiving network device information of network devices in the one or more network device subnets including resource information of the network devices in providing network service access through the network;
assigning a first network device of the network devices in the one or more network device subnets to function as a primary network device in performing the network activities for the client device accessing the network services through the network based on the network device information including the resource information of the network devices in providing network service access through the network, the assigning of the first network device being based on the network device information indicating a region in which the first network device is located;
assigning a second network device of the network devices in the one or more network device subnets to function as a backup network device in performing the network activities for the client device accessing the network services through the network based on the network device information including the resource information of the network devices in providing network service access through the network, the assigning of the second network device being based on the network device information indicating the second network device is located in the region;
providing identification information of the second network device to the first network device, the identification information capable of being used by the first network device to route an execution log of the first network device in performing the network activities to the second network device for use by the second network device in resuming performance of the network activities at the second network device.

US Pat. No. 10,064,105

PREDICTIVE ROAMING BETWEEN SUBNETS

Aerohive Networks, Inc., ...

1. A method comprising:
receiving at a first wireless access point predictive roaming information indicating a home subnet uniquely associated with a first wireless client from the home subnet, when the first wireless client is connected with a second wireless access point of the home subnet;
detecting at the first wireless access point a new wireless client attempting to access network services through the first wireless access point;
determining if the new wireless client is the first wireless client using the predictive roaming information;
if it is determined the new wireless client is the first wireless client using the predictive roaming information:
determining if the first wireless access point is in the home subnet using the predictive roaming information;
if it is determined the first wireless access point is out of the home subnet:
establishing a tunnel from the first wireless access point to a home agent in the home subnet;
using the tunnel to the home agent in the home subnet to provide the first wireless client access to the network services through the first wireless access point.

US Pat. No. 9,979,727

INTERNETWORK AUTHENTICATION

Aerohive Networks, Inc., ...

1. A method comprising:
providing an internetwork authentication service between a first network and a second network by establishing a connection between a first network device of the first network and a second network device of the second network through a first local authoritative user datastore interface at the first network device and an internetwork authentication proxy and a second local authoritative user datastore interface at the second network device and the internetwork authentication proxy, the first and second local authoritative user datastore interfaces associated with identity routing rules for routing to the first network;
receiving at the second network device an authentication request for a station to access the first network;
determining whether the authentication request meets authentication proxy rules of the first network;
routing the authentication request according to the identity routing rules to the first network device through the first and second local authoritative user datastore interfaces, if it is determined that the authentication request meets the authentication proxy rules;
receiving at the second local authoritative user datastore interface from the first local authoritative user datastore interface an authentication result indicating the station is authenticated to access the first network;
providing the station access to network services provided through the second network according to the authentication result.

US Pat. No. 9,900,251

BANDWIDTH SENTINEL

AEROHIVE NETWORKS, INC., ...

1. A method for configuring a network connection, the method comprising:
identifying a wireless network connection of a network between a wireless network device and a client network device, the
wireless network connection having network congestion;

determining a quality score for the wireless network connection, the quality score based on at least two of receiving bit
rate usage, transmission bit rate usage, transmission retries, receiving retries, received signal strength indication, and
wireless network interface type of the wireless network connection;

analyzing the wireless network connection, based on the quality score, to determine the wireless network connection is a source
of the network congestion;

determining another quality score for an additional wireless network connection between the wireless network device and another
client network device based on at least two of receiving bit rate usage, transmission bit rate usage, transmission retries,
receiving retries, received signal strength indication, and wireless network interface type of the additional wireless network connection;

determining the additional wireless network connection is a high quality network connection based on the another quality score
for the additional wireless network connection;

allocating additional bandwidth and airtime to the additional wireless network connection based on the determination that
the additional wireless network connection is the high quality network connection in order to mitigate impact of the network
congestion at the wireless network connection on other network connections of the network;

using cooperative load balancing to allow other network devices to provide the client network device wireless access to the
network in order to mitigate impact of the network congestion at the wireless network connection on the client network device
accessing the network.

US Pat. No. 10,091,065

ZERO CONFIGURATION NETWORKING ON A SUBNETTED NETWORK

Aerohive Networks, Inc., ...

1. A method for managing service advertisement across a plurality of subnets comprising:
collecting, by each of a plurality of designated network devices, service advertisements on a local network level from a corresponding subnet to which said designated network device belongs;
filtering, by each of the plurality of designated network devices, the service advertisements according to filtering rules of the plurality of subnets to generate one or more filtered listings of services;
obtaining, by a designated master network device, the one or more filtered listings of services generated by the plurality of designated network devices;
creating a table of filtered services for said plurality of subnets at said designated master network device using the obtained one or more filtered listings of services;
sending said table of filtered services for said plurality of subnets from said designated master network device to the plurality of designated network devices in the plurality of subnets;
creating, by each of the plurality of designated network devices that received the table of filtered services, a service discovery proxy table listing filtered service advertisements on the plurality of subnets other than the corresponding subnet connecting to said designated network device, based on the table of filtered services; and
transmitting, by each of the plurality of designated network devices that created the service discovery proxy table, the filtered service advertisements listed in said corresponding service discovery proxy table.

US Pat. No. 10,014,915

ANTENNA PATTERN MATCHING AND MOUNTING

Aerohive Networks, Inc., ...

1. A method comprising:
grouping discrete antenna patterns into station antenna pattern profiles, wherein a station type is associated with a station antenna pattern profile of the station antenna pattern profiles, the station type being defined by at least one of a degree of multiple-input multiple-output (MIMO) capability, a spatial stream characteristic, and one or more antenna polarization values;
determining a station is of the station type;
selecting an antenna pattern group corresponding to the station type;
conducting an optimal antenna pattern search for the station using the antenna pattern group corresponding to the station type.

US Pat. No. 10,003,134

SINGLE BAND DUAL CONCURRENT NETWORK DEVICE

Aerohive Networks, Inc., ...

1. A network device comprising:
a first radio module configured to transmit and receive first radio signals in a first frequency band;
a first antenna array comprised of a first plurality of polarized antennas and configured to transmit and receive the first radio signals for the first radio module in the first frequency band;
a second radio module configured to transmit and receive second radio signals in the first frequency band;
a second antenna array comprised of a second plurality of polarized antennas and configured to transmit and receive the second radio signals for the second radio module in the first frequency band;
a housing configured to contain the first radio module, the first antenna array, the second radio module, and the second antenna array;
wherein, in operation, the first radio module and the second radio module function concurrently within the housing using the first frequency band while at least 40 dB of antenna isolation is maintained between the first antenna array and the second antenna array, and at least one of the first radio module and the second radio module is wirelessly coupled through a Wi-Fi connection to an end user device acting as a station in accessing network services of a network over, at least in part, the Wi-Fi connection.

US Pat. No. 10,108,755

RF FLOOR PLAN BUILDING

Aerohive Networks, Inc., ...

1. A method comprising:
receiving map data for a plurality of map images of an aerial or satellite view, each of the plurality of map images corresponding to a different zoom level of a specific location of the aerial or satellite view, the map data including the plurality of map images at the corresponding different zoom levels, the plurality of map images being dynamically generated as a user zooms in on the specific location of the aerial or satellite view;
providing a user with functionalities for generating a respective trace outline in each of the plurality of map images;
receiving a respective trace outline of a floor of a building in the plurality of map images, the respective trace outlines of the floor of the building in the plurality of map images generated by the user;
determining floor dimensions of the floor of the building from the respective trace outlines of the floor of the building in the plurality of map images and the corresponding different zoom levels of the plurality of map images, and by using a nesting function, the nesting function specifying one or more multi-dimensional nested shapes included in a multi-dimensional outer shape formed by at least one of the respective trace outlines, an area of the one or more multi-dimensional nested shapes being subtracted from an area of the multi-dimensional outer shape in determining the floor dimensions;
generating a blank floor plan using the floor dimensions based on the plurality of map images of the aerial or satellite view, wherein the blank floor plan is used in planning positioning of access points in the building;
generating a floor plan from the blank floor plan;
providing the user with functionalities for positioning access points within the floor plan;
providing the user with functionalities for selecting an access point type of access points positioned;
receiving access point position data from the user;
receiving access point type data from the user;
generating an RF floor plan based on the floor plan, the access point position data, and the access point type data;
determining client density data with respect to a specific access point of the access points in the building;
receiving client device data of client devices coupled to the specific access point;
receiving access point operational parameter data of the specific access point;
determining an average data rate for the specific access point based on the client density data and the client device data;
determining, as part of the RF floor plan, ideal operational parameters of the specific access point according to the average data rate and an amount of interference with the other of the access points in the RF floor plan;
operating the specific access point according to the determined ideal operational parameters.

US Pat. No. 10,027,703

MANAGING ROGUE DEVICES THROUGH A NETWORK BACKHAUL

Aerohive Networks, Inc., ...

1. A method comprising:
receiving, by a network backhaul rogue device management system in a network backhaul from an originator switch, a rogue learned media access control (MAC) message including new learned device data, the new learned device data including a MAC address of a rogue device newly learned in a forwarding table of at least one switch by determining whether a learned MAC address in the forwarding table matches the MAC address of the rogue device in a rogue monitor table maintained at the originator switch;
determining, by the network backhaul rogue device management system, whether an entry in a rogue learning table maintained in the network backhaul rogue device management system matches the new learned device data;
when it is determined that the new learned device data is absent from the rogue learning table:
adding, by the network backhaul rogue device management system, the new learned device data into a new entry in the rogue learning table;
determining, by the network backhaul rogue device management system, an identification of a rogue access point (AP) associated with the new learned device data;
causing, by the network backhaul rogue device management system, a switch coupled to the rogue AP to perform mitigation of the rogue AP to prevent transfer of data to and from the rogue device,
wherein performing the mitigation includes:
sending a block port mitigation message to a nearest switch to the rogue device;
learning neighboring devices corresponding to ports of the nearest switch;
determining whether a neighboring device of the neighboring devices corresponding to a port of the ports of the nearest switch is the rogue device;
when it is determined that the neighboring device corresponding to the port is the rogue device:
determining whether the port is supplying power;
when it is determined that the port is supplying power, blocking traffic on the port.
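The rogue-learned-MAC workflow of the claim above, run over a constructed switch topology as an added example (illustrative code written for this page, not Aerohive's implementation). The rogue monitor tables, forwarding tables and per-port neighbour data are sample data made up for the example. An originator switch emits a message for every forwarding-table entry that matches its rogue monitor table; the backhaul management system deduplicates against its rogue learning table, records which rogue AP the MAC belongs to, and sends block-port mitigation to the nearest switch, which blocks the port facing the rogue device only when that port is supplying power. The unpowered-port outcome is reported rather than blocked, following the claim's condition; the comment at that branch is the editor's caveat, not part of the claim.

```python
"""Added example (not Aerohive code): rogue MAC learning and block-port mitigation."""

# Constructed: rogue monitor table per switch, rogue MAC -> rogue AP identification.
ROGUE_MONITOR_TABLE = {
    "sw-edge-1": {"aa:bb:cc:00:00:01": "rogue-ap-7"},
    "sw-edge-2": {"aa:bb:cc:00:00:02": "rogue-ap-9"},
}

# Constructed: forwarding tables, switch -> [(learned MAC, port)].
FORWARDING_TABLES = {
    "sw-edge-1": [("00:11:22:33:44:55", 3), ("aa:bb:cc:00:00:01", 7)],
    "sw-edge-2": [("aa:bb:cc:00:00:02", 12), ("00:11:22:33:44:66", 2)],
}

# Constructed: neighbour learned on each port and whether the port supplies PoE.
PORT_NEIGHBORS = {
    ("sw-edge-1", 7): {"mac": "aa:bb:cc:00:00:01", "poe": True},
    ("sw-edge-1", 3): {"mac": "00:11:22:33:44:55", "poe": False},
    ("sw-edge-2", 12): {"mac": "aa:bb:cc:00:00:02", "poe": False},
    ("sw-edge-2", 2): {"mac": "00:11:22:33:44:66", "poe": True},
}

rogue_learning_table = {}   # rogue MAC -> {"switch", "port", "rogue_ap"}


def originator_scan(switch: str):
    """Originator switch: one rogue-learned-MAC message per forwarding-table hit."""
    monitor = ROGUE_MONITOR_TABLE.get(switch, {})
    for mac, port in FORWARDING_TABLES.get(switch, []):
        if mac in monitor:
            yield {"originator": switch, "mac": mac, "port": port, "rogue_ap": monitor[mac]}


def mitigate(originator: str, rogue_mac: str):
    """Block-port mitigation at the nearest switch (the one that learned the MAC)."""
    ports = sorted(port for (switch, port) in PORT_NEIGHBORS if switch == originator)
    for port in ports:                               # learn neighbours port by port
        neighbor = PORT_NEIGHBORS[(originator, port)]
        if neighbor["mac"] != rogue_mac:
            continue
        if neighbor["poe"]:
            return ("block_port", originator, port)   # port supplies power: block traffic
        # Claim blocks only powered ports; a rogue on an unpowered port is reported
        # here for follow-up rather than silently ignored (editor's caveat).
        return ("report_unpowered_port", originator, port)
    return ("rogue_not_adjacent", originator, None)


def handle_rogue_learned(message: dict):
    """Backhaul rogue device management: dedupe, identify the rogue AP, mitigate."""
    mac = message["mac"]
    if mac in rogue_learning_table:                  # entry already present: nothing new
        return None
    rogue_learning_table[mac] = {
        "switch": message["originator"],
        "port": message["port"],
        "rogue_ap": message["rogue_ap"],
    }
    return mitigate(message["originator"], mac)


def run_scan():
    """Drive every originator switch once; return the mitigation actions taken."""
    actions = []
    for switch in FORWARDING_TABLES:
        for message in originator_scan(switch):
            action = handle_rogue_learned(message)
            if action is not None:
                actions.append(action)
    return actions


if __name__ == "__main__":
    for action in run_scan():
        print(action)
```

Running the scan twice shows the learning table doing its job: the second pass yields no actions because every rogue MAC already has an entry, which keeps a noisy switch from re-triggering mitigation on every forwarding-table refresh.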

US Pat. No. 10,148,770

PROVIDING STATELESS NETWORK SERVICES

Aerohive Networks, Inc., ...

1. A system comprising:
one or more processors;
memory configured to instruct the one or more processors to implement:
a network service request receiving engine, at a local network access device, configured to receive from a user device a request for a network service;
a network service query formulation engine coupled to the network service request receiving engine and configured to formulate a query for the network service, the formulating being in response to the request for the network service;
a network service query transfer engine coupled to the network service query formulation engine and configured to provide an instruction to a remote network access device to interrogate remote network service provider devices coupled to the remote network access device for capabilities in providing the network service;
a network service query response engine, at the local network access device, coupled to the network service query transfer engine and configured to receive from at least one of the remote network service provider devices capable of providing the network service, access parameters related to the network service in response to the interrogation, the access parameters capable of being used to configure the user device to access the network service;
a user device configuration engine coupled to the network service query response engine and configured to configure the user device to access the network service from the at least one of the remote network service provider devices capable of providing the network service based on the access parameters without maintaining, at the local network access device, a state of the at least one of the remote network service provider devices in providing the network service to the user device;
a user device tagging engine coupled to the network service request receiving engine and to the network service query formulation engine, the user device tagging engine configured to tag the request with a network location of the user device, the network location of the user device comprising any of a level-2 address of the user device and a level-3 address of the user device, the tag facilitating the formulation of the query for the network service by the network service query formulation engine.

US Pat. No. 10,154,027

PRIVATE SIMULTANEOUS AUTHENTICATION OF EQUALS

Aerohive Networks, Inc., ...

1. A method comprising:
receiving, at a user side, first commitment data, from a network device for authentication of an end user device based on a private simultaneous authentication of equals (SAE) scheme;
generating, at the user side, second commitment data based on a passphrase assigned to the end user device;
sending the generated second commitment data from the end user device to the network device;
generating, at the user side, a shared secret based on the passphrase and the first commitment data;
creating, at the user side, a second confirmation value based on the shared secret; sending the second confirmation value from the end user device to the network device,
such that the network device determines whether the end user device has the same shared secret based on comparison of a first confirmation value generated at a network side based on the second commitment data and the passphrase with the second confirmation value;
if it is determined that the end user device has the same shared secret, accessing network services of the network using a master key generated based on the shared secret, the master key being used to exchange data between the end user device and the network device for the network services, wherein the first commitment data includes a second scalar and a second element, and the shared secret is generated based on the second scalar and the second element of the first commitment data.
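The commit/confirm exchange of the claim above, as an added toy implementation written for this page (not Aerohive's code and not a conformant IEEE 802.11 SAE). Both sides run in one process so the messages can be followed: the network side looks up the passphrase assigned to the station's MAC (the "private" part), each side derives the password element by hunting-and-pecking, exchanges a scalar and an element, computes the shared secret, derives a KCK and PMK, and checks the peer's confirmation value. The group is the 1024-bit MODP safe prime of RFC 2409 group 2, so the password element lives in the subgroup of prime order q = (p-1)/2; the station and AP MAC addresses and the per-device passphrase table are constructed for the example, and the KDF labels and confirm layout are simplified. The check in valid_commit, which rejects elements outside the order-q subgroup, is the one a practitioner should not skip: without it a peer can send a low-order element and learn about the password from the response.

```python
"""Added example (not Aerohive code): toy SAE commit/confirm over a MODP group."""
import hashlib
import hmac
import secrets

# RFC 2409 group 2 prime (safe prime); q = (p-1)/2 is prime.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
PLEN = (P.bit_length() + 7) // 8

# Constructed: passphrase assigned to each end user device, keyed by station MAC.
DEVICE_PASSPHRASES = {b"\x02\x00\x00\x00\x00\x01": b"per-device-passphrase-1"}
AP_MAC = b"\x02\x00\x00\x00\x00\xaa"


def _kdf(seed: bytes, label: bytes, nbytes: int) -> bytes:
    """Counter-mode HMAC-SHA256 expansion (simplified SAE KDF)."""
    out, i = b"", 1
    while len(out) < nbytes:
        out += hmac.new(seed, i.to_bytes(2, "big") + label, hashlib.sha256).digest()
        i += 1
    return out[:nbytes]


def password_element(passphrase: bytes, mac_a: bytes, mac_b: bytes) -> int:
    """Hunting-and-pecking: hash (passphrase, counter) into the order-q subgroup."""
    addrs = max(mac_a, mac_b) + min(mac_a, mac_b)
    for counter in range(1, 256):
        seed = hmac.new(addrs, passphrase + bytes([counter]), hashlib.sha256).digest()
        value = int.from_bytes(_kdf(seed, b"SAE Hunting and Pecking", PLEN), "big")
        if value >= P:
            continue
        pe = pow(value, 2, P)          # exponent (p-1)/q == 2 maps into the subgroup
        if pe > 1:
            return pe
    raise RuntimeError("no password element found")


def commit(pe: int):
    """Commit data: scalar = rand + mask mod q, element = pe^(-mask)."""
    while True:
        rand = secrets.randbelow(Q - 2) + 2
        mask = secrets.randbelow(Q - 2) + 2
        scalar = (rand + mask) % Q
        if scalar > 1:
            return rand, scalar, pow(pe, Q - mask, P)   # pe has order q, so pe^(q-mask) = pe^(-mask)


def valid_commit(scalar: int, element: int) -> bool:
    """Reject out-of-range scalars and elements outside the order-q subgroup."""
    return 1 < scalar < Q and 1 < element < P and pow(element, Q, P) == 1


def keys(pe: int, rand: int, scalar: int, peer_scalar: int, peer_element: int):
    """Shared secret K = (pe^peer_scalar * peer_element)^rand; derive KCK and PMK."""
    k = pow(pow(pe, peer_scalar, P) * peer_element % P, rand, P)
    keyseed = hashlib.sha256(k.to_bytes(PLEN, "big")).digest()
    context = ((scalar + peer_scalar) % Q).to_bytes(PLEN, "big")
    kck_pmk = _kdf(keyseed, b"SAE KCK and PMK" + context, 64)
    return kck_pmk[:32], kck_pmk[32:]


def confirm(kck: bytes, send_confirm: int, scalar: int, element: int,
            peer_scalar: int, peer_element: int) -> bytes:
    """Confirmation value: HMAC over the counter and both commits."""
    msg = send_confirm.to_bytes(2, "big") + b"".join(
        x.to_bytes(PLEN, "big") for x in (scalar, element, peer_scalar, peer_element))
    return hmac.new(kck, msg, hashlib.sha256).digest()


def run_exchange(sta_mac: bytes, sta_passphrase: bytes):
    """Both sides of the exchange; returns (authenticated, pmk_station, pmk_network)."""
    ap_passphrase = DEVICE_PASSPHRASES.get(sta_mac, b"")      # private SAE: per-device lookup
    pe_sta = password_element(sta_passphrase, sta_mac, AP_MAC)
    pe_ap = password_element(ap_passphrase, sta_mac, AP_MAC)
    r_ap, s_ap, e_ap = commit(pe_ap)          # first commitment data (network -> station)
    r_sta, s_sta, e_sta = commit(pe_sta)      # second commitment data (station -> network)
    if not (valid_commit(s_ap, e_ap) and valid_commit(s_sta, e_sta)):
        return False, None, None
    kck_sta, pmk_sta = keys(pe_sta, r_sta, s_sta, s_ap, e_ap)
    kck_ap, pmk_ap = keys(pe_ap, r_ap, s_ap, s_sta, e_sta)
    sta_conf = confirm(kck_sta, 1, s_sta, e_sta, s_ap, e_ap)   # second confirmation value
    ap_conf = confirm(kck_ap, 1, s_ap, e_ap, s_sta, e_sta)     # first confirmation value
    ap_accepts = hmac.compare_digest(sta_conf, confirm(kck_ap, 1, s_sta, e_sta, s_ap, e_ap))
    sta_accepts = hmac.compare_digest(ap_conf, confirm(kck_sta, 1, s_ap, e_ap, s_sta, e_sta))
    return ap_accepts and sta_accepts, pmk_sta, pmk_ap


if __name__ == "__main__":
    ok, pmk_sta, pmk_ap = run_exchange(b"\x02\x00\x00\x00\x00\x01", b"per-device-passphrase-1")
    print(ok, pmk_sta == pmk_ap)
```

With matching passphrases both sides arrive at the same K, hence the same KCK and PMK, and each confirmation value verifies; with a wrong passphrase the password elements differ, the confirms do not match and no PMK is released. Nothing in the commit messages reveals the password element itself, which is what lets the exchange resist offline dictionary attack in a way PSK-based WPA2 does not.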

US Pat. No. 10,390,353

DISTRIBUTED CHANNEL SELECTION FOR WIRELESS NETWORKS

Aerohive Networks, Inc., ...

1. A method comprising:
identifying, by a wireless networking device of neighboring wireless networking devices, channel data of available wireless network channels;
determining cost values for the available wireless network channels based on a cost function of at least one attribute of the available wireless network channels from the channel data, the at least one attribute of the available wireless network channels including one or a combination of whether the available wireless network channels overlap with another wireless network channel in use, whether the available wireless network channels use dynamic frequency selection, and whether the available wireless network channels are being used indoors or outdoors;
selecting a candidate wireless network channel of the available wireless network channels based on the cost values for the available wireless network channels;
determining, by the wireless networking device, if at least one of the neighboring wireless networking devices is acting as an arbiter network device;
if it is determined that at least one of the neighboring wireless networking devices is acting as the arbiter networking device:
sending a channel request to use the candidate wireless network channel to the arbiter networking device;
using the candidate wireless network channel to transmit data if channel approval is received from the arbiter networking device.

US Pat. No. 10,181,962

PREDICTIVE AND NOMADIC ROAMING OF WIRELESS CLIENTS ACROSS DIFFERENT NETWORK SUBNETS

Aerohive Networks, Inc., ...

1. A method comprising:
receiving home agent information at a first wireless network access point in a first network subnet from a second wireless network access point in a second network subnet different from a current network subnet;
forwarding the home agent information to a first home agent in the first network subnet;
receiving predictive roaming information for a wireless client indicating that a home network subnet of the wireless client is the second network subnet;
detecting that the wireless client is wirelessly connected at the first wireless network access point;
determining, using the predictive roaming information, that the home network subnet of the wireless client is the second network subnet;
determining, using the home agent information, an identification of a second home agent that is a home agent of the second network subnet;
establishing a network tunnel between the first wireless network access point and the second home agent for managing wireless network access of the wireless client through the first wireless network access point.

US Pat. No. 10,123,168

NETWORK DEVICE BASED PROXIMITY BEACON LOCATING

Aerohive Networks, Inc., ...

1. A method comprising:
receiving a proximity beacon signal from a network device-coupled proximity beacon transmitter located on a floor of a building;
generating, at a first network device configured to transmit data to and from a backhaul of a network for a client device in providing the client device access to network services, a first received signal strength indication (RSSI) reporting message based on the proximity beacon signal;
determining a position of the network device-coupled proximity beacon transmitter with respect to the first network device using dimensions and characteristics of interior walls on the floor of the building and the first RSSI reporting message;
determining a location of the first network device using the first RSSI reporting message and network device map data for one or more floors of the building;
determining a location of the network device-coupled proximity beacon transmitter based on the position of the network device-coupled proximity beacon transmitter with respect to the first network device and the location of the first network device.

US Pat. No. 10,116,624

INTELLIGENT SORTING FOR N-WAY SECURE SPLIT TUNNEL

Aerohive Networks, Inc., ...

1. A method comprising:
sorting outgoing datagrams into one of at least three categories, wherein the at least three categories include a first category of datagrams addressed to a central network location, a second category of datagrams addressed to destinations on a white list, and a third category of datagrams addressed to other destinations absent from the white list;
sending datagrams in the first category to the central network location along an N-way split virtual private network tunnel, wherein N is an integer greater than or equal to three;
sending datagrams in the second category to the destinations on the white list along the N-way split virtual private network tunnel;
sending datagrams in the third category to a scanning service website along the N-way split virtual private network tunnel, the scanning service website configured to provide a first scrubbing service for HTTP datagrams and a second scrubbing service for SMTP, POP, and IMAP datagrams.
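The three-way sort above is a small but security-relevant piece of logic, so here is an added Python example of it (my own code, not Aerohive's). The prefixes, the port-to-scrubber mapping and the "tunnel leg" names are constructed assumptions; the claim itself only fixes the three categories and the two scrubbing services. Note the ordering: central destinations are matched before the white list, so an over-broad white-list entry cannot pull corporate-bound traffic off the central leg.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Tuple


class Category(Enum):
    CENTRAL = 1    # addressed to the central network location
    WHITELIST = 2  # destination on the white list, sent direct
    SCRUB = 3      # everything else goes through a scanning service


@dataclass(frozen=True)
class Datagram:
    dst_ip: str
    dst_port: int


# Assumed mapping of well-known ports to the two scrubbing services.
HTTP_PORTS = {80, 8080}
MAIL_PORTS = {25, 587, 110, 995, 143, 993}  # SMTP, POP, IMAP (+ TLS variants)


class SplitTunnelSorter:
    def __init__(self, central_prefixes: Iterable[str], white_list: Iterable[str]) -> None:
        self.central = [ipaddress.ip_network(p, strict=False) for p in central_prefixes]
        self.white = [ipaddress.ip_network(p, strict=False) for p in white_list]

    def classify(self, dg: Datagram) -> Category:
        ip = ipaddress.ip_address(dg.dst_ip)
        if any(ip in net for net in self.central):
            return Category.CENTRAL
        if any(ip in net for net in self.white):
            return Category.WHITELIST
        return Category.SCRUB

    @staticmethod
    def scrubber_for(dg: Datagram) -> str:
        """Pick the scrubbing service for a third-category datagram (assumed port-based)."""
        if dg.dst_port in HTTP_PORTS:
            return "http-scrubber"
        if dg.dst_port in MAIL_PORTS:
            return "mail-scrubber"
        return "http-scrubber"  # assumption: unknown ports default to the web scrubber

    def route(self, dg: Datagram) -> Tuple[Category, str]:
        """Return (category, tunnel leg) for one datagram on an N-way split VPN."""
        cat = self.classify(dg)
        if cat is Category.CENTRAL:
            return cat, "leg-central"
        if cat is Category.WHITELIST:
            return cat, "leg-direct"
        return cat, "leg-" + self.scrubber_for(dg)


def sort_batch(sorter: SplitTunnelSorter, dgs: Iterable[Datagram]) -> List[Tuple[str, str]]:
    return [(dg.dst_ip, sorter.route(dg)[1]) for dg in dgs]


if __name__ == "__main__":
    # Constructed sample: central site 10.0.0.0/8, one white-listed SaaS prefix.
    s = SplitTunnelSorter(["10.0.0.0/8"], ["203.0.113.0/24"])
    sample = [Datagram("10.1.2.3", 443), Datagram("203.0.113.7", 443),
              Datagram("198.51.100.9", 80), Datagram("198.51.100.9", 25)]
    for ip, leg in sort_batch(s, sample):
        print(ip, "->", leg)
```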

US Pat. No. 10,219,254

AIRTIME-BASED PACKET SCHEDULING FOR WIRELESS NETWORKS

Aerohive Networks, Inc., ...

1. A method comprising:
receiving first and second data packets as part of network traffic of a network destined for one or more wireless devices accessing the network through a wireless connection;
determining a first quality of service profile associated with the first data packet and a second quality of service profile associated with the second data packet;
determining a first token cost of transmitting the first data packet and a second token cost of transmitting the second data packet based on estimated airtime for transmitting the first and second data packets, respectively;
determining a first token balance of the first quality of service profile and a second token balance of the second quality of service profile, the first and second token balances being an amount of network bandwidth of the network allocated to the first and second quality of service profiles, respectively;
determining whether the first and second token costs exceed the first and second token balances, respectively;
upon determining that the first token cost does not exceed the first token balance, deducting the first token cost from the first token balance and forwarding the first data packet to a wireless device;
upon determining that the second token cost does not exceed the second token balance, deducting the second token cost from the second token balance and forwarding the second data packet to a wireless device;
periodically performing increase of the first and second token balances, respectively, an increase rate of the first token balance being greater than an increase rate of the second token balance;
receiving a third data packet as part of network traffic of the network destined for a wireless device accessing the network through a wireless connection;
determining a third quality of service profile associated with the third data packet;
determining a third token cost of transmitting the third data packet based on estimated airtime for transmitting the third data packet;
deducting the third token cost from a third token balance of the third quality of service profile and forwarding the third data packet to a wireless device, irrespective of whether or not the third token cost exceeds the third token balance.

US Pat. No. 10,205,604

MULTICAST TO UNICAST CONVERSION TECHNIQUE

Aerohive Networks, Inc., ...

1. A method comprising:
enqueuing a multicast packet of a multicast packet stream into a backpressure-controlled multicast queue;
converting the multicast packet into a plurality of unicast packets for transmission to stations of a plurality of stations;
enqueuing the plurality of unicast packets into a plurality of TID queues;
identifying a TID queue of the plurality of TID queues having a greatest token weight in a token bucket uniquely associated with the TID queue of a plurality of token buckets uniquely associated with and corresponding to each TID queue of the plurality of TID queues;
dequeuing one or more unicast packets from the TID queue for transmission to one or more clients;
deducting from a token weight of the token bucket uniquely associated with the TID queue an estimated amount based on an estimated packet transmission cost associated with transmitting the one or more unicast packets dequeued from the TID queue to the one or more clients.
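Both the airtime-based scheduling claim (US 10,219,254) and the multicast-to-unicast claim (US 10,205,604) are token-bucket schedulers keyed on estimated airtime, so one added Python example serves both. This is my own illustration, not Aerohive's implementation: the airtime estimate (bits divided by PHY rate plus a fixed per-frame overhead), the bucket sizes, the refill rates and the "forward regardless" flag standing in for the claimed third profile are all assumptions. Selecting among non-empty TID queues only is likewise my reading of "greatest token weight".

```python
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple


class TokenBucket:
    """Balance measured in microseconds of airtime (assumption)."""

    def __init__(self, capacity: float, refill_per_tick: float) -> None:
        self.capacity = capacity
        self.refill = refill_per_tick
        self.balance = capacity

    def tick(self) -> None:
        self.balance = min(self.capacity, self.balance + self.refill)

    def can_afford(self, cost: float) -> bool:
        return cost <= self.balance

    def deduct(self, cost: float) -> None:
        self.balance -= cost  # may go negative for a non-strict profile


def airtime_us(length_bytes: int, phy_rate_mbps: float, overhead_us: float = 50.0) -> float:
    """Estimated airtime: payload bits at the PHY rate plus fixed overhead (assumed model)."""
    return length_bytes * 8 / phy_rate_mbps + overhead_us


class AirtimeScheduler:
    """Per-QoS-profile buckets; strict profiles drop when they cannot pay, the
    non-strict one (the claim's third profile) is forwarded irrespective of balance."""

    def __init__(self, profiles: Dict[str, Tuple[TokenBucket, bool]]) -> None:
        self.profiles = profiles  # name -> (bucket, strict)

    def submit(self, profile: str, length_bytes: int, phy_rate_mbps: float) -> bool:
        bucket, strict = self.profiles[profile]
        cost = airtime_us(length_bytes, phy_rate_mbps)
        if strict and not bucket.can_afford(cost):
            return False  # held back; caller retries after a refill tick
        bucket.deduct(cost)
        return True  # forwarded

    def tick(self) -> None:
        for bucket, _ in self.profiles.values():
            bucket.tick()


class McastToUcast:
    """Backpressure-controlled multicast queue fanned out into per-TID unicast queues."""

    def __init__(self, stations: Dict[str, Tuple[int, float]], mcast_depth: int,
                 tid_buckets: Dict[int, TokenBucket]) -> None:
        self.stations = stations  # mac -> (tid, phy_rate_mbps)
        self.mcast_depth = mcast_depth
        self.mcast_q: Deque[Tuple[str, int]] = deque()
        self.tid_q: Dict[int, Deque[Tuple[str, str, float]]] = {t: deque() for t in tid_buckets}
        self.tid_buckets = tid_buckets

    def enqueue_multicast(self, pkt_id: str, length_bytes: int) -> bool:
        if len(self.mcast_q) >= self.mcast_depth:
            return False  # backpressure: refuse rather than grow unbounded
        self.mcast_q.append((pkt_id, length_bytes))
        return True

    def convert_next(self) -> int:
        """Convert one multicast packet into one unicast copy per station; returns copies made."""
        pkt_id, length = self.mcast_q.popleft()
        for mac, (tid, rate) in self.stations.items():
            self.tid_q[tid].append((mac, pkt_id, airtime_us(length, rate)))
        return len(self.stations)

    def dequeue_best(self, max_pkts: int = 1) -> Optional[Tuple[int, List[Tuple[str, str]]]]:
        """Serve the non-empty TID queue whose bucket has the greatest token weight."""
        ready = [t for t, q in self.tid_q.items() if q]
        if not ready:
            return None
        tid = max(ready, key=lambda t: self.tid_buckets[t].balance)
        sent: List[Tuple[str, str]] = []
        while self.tid_q[tid] and len(sent) < max_pkts:
            mac, pkt_id, cost = self.tid_q[tid].popleft()
            self.tid_buckets[tid].deduct(cost)  # estimated transmission cost
            sent.append((mac, pkt_id))
        return tid, sent
```

The scheduler charges airtime rather than bytes, which is the point of the claim: a 1500-byte frame to a distant client at a low PHY rate costs several times what the same frame costs at a high rate, so a slow client cannot starve the cell by consuming a byte-based share.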

US Pat. No. 10,193,239

SINGLE BAND DUAL CONCURRENT NETWORK DEVICE

Aerohive Networks, Inc., ...

1. A network device comprising:
a first single band dual concurrent radio module configured to transmit and receive first radio signals in a first frequency band;
a first antenna array comprised of a first plurality of polarized antennas and configured to transmit and receive the first radio signals for the first radio module in the first frequency band;
a second single band dual concurrent radio module configured to transmit and receive second radio signals in the first frequency band concurrently with the first single band dual concurrent radio module;
a second antenna array comprised of a second plurality of polarized antennas and configured to transmit and receive the second radio signals for the second radio module in the first frequency band;
an antenna plate, wherein the first plurality of polarized antennas and the second plurality of polarized antennas are mounted to the antenna plate at positions at least 5 mm away from edges of the antenna plate;
wherein, in operation, the first single band dual concurrent radio module and the second single band dual concurrent radio module function concurrently using the first frequency band while at least 40 dB of antenna isolation is maintained between the first antenna array and the second antenna array.

US Pat. No. 10,243,956

INTERNETWORK AUTHENTICATION

Aerohive Networks, Inc., ...

1. An internetwork authentication method comprising:
receiving, by an internetwork authentication proxy, an authentication request for a station in a first network to access a second network from a first local authoritative user datastore interface in the first network;
determining, by the internetwork authentication proxy, a second local authoritative user datastore interface in the second network as a destination of the authentication request, based on the authentication request and an authentication proxy rule;
upon determining the second local authoritative user datastore interface as the destination, routing, by the internetwork authentication proxy, the authentication request to the second local authoritative user datastore interface in the second network, such that internetwork authentication for the station in the first network is carried out in the second network;
receiving, by the internetwork authentication proxy, an authentication result of the internetwork authentication from the second local authoritative user datastore interface in the second network;
sending, by the internetwork authentication proxy, the authentication result of the internetwork authentication to the first local authoritative user datastore interface in the first network, such that the station in the first network gets access to the second network.

US Pat. No. 10,164,900

BUILDING AND MAINTAINING A NETWORK

Aerohive Networks, Inc., ...

1. A method for building and maintaining a network, the method comprising:
operationally connecting an access point in a region that is connectable to one or more client devices in the region to an interregional redirector engine associated with a plurality of regions including the region;
receiving at the interregional redirector engine network device information of the access point, the network device information including geography information of the region and enterprise network information of the access point;
determining, by the interregional redirector engine, based on the network device information, a load balancer system uniquely associated with the region selectively from a plurality of load balancer systems that are uniquely associated with different regions and coupled to the interregional redirector engine associated with the plurality of regions;
assigning, by the interregional redirector engine, the access point to the load balancer system;
assigning, by the load balancer system, the access point to a regional network device management engine associated with the region based on the network device information, the regional network device management engine being determined selectively from a plurality of regional network device management engines that are associated with the region and coupled to different sets of one or more access points;
managing, by the load balancer system, a failure of the regional network device management engine in communication with the access point based on network device management engine failure information provided from the access point to the load balancer system without passing through the failed regional network device management engine;
managing, by the regional network device management engine, the access point in providing access to an enterprise network.

US Pat. No. 10,326,707

BUILDING AND MAINTAINING A NETWORK

Aerohive Networks, Inc., ...

1. A method for building and maintaining a network, the method comprising:
operationally connecting an access point in a region that is connectable to one or more client devices in the region to an interregional redirector engine associated with a plurality of regions including the region;
receiving at the interregional redirector engine network device information of the access point, the network device information including geography information of the region and enterprise network information of the access point;
determining, by the interregional redirector engine, based on the network device information, a load balancer system uniquely associated with the region selectively from a plurality of load balancer systems that are uniquely associated with different regions and coupled to the interregional redirector engine associated with the plurality of regions;
assigning, by the interregional redirector engine, the access point to the load balancer system;
assigning, by the load balancer system, the access point to a regional network device management engine associated with the region based on the network device information, the regional network device management engine being determined selectively from a plurality of regional network device management engines that are associated with the region and coupled to different sets of one or more access points;
managing, by the load balancer system, a failure of the regional network device management engine in communication with the access point based on network device management engine failure information provided from the access point to the load balancer system without passing through the failed regional network device management engine;
managing, by the regional network device management engine, the access point in providing access to an enterprise network.

US Pat. No. 10,298,296

ANTENNA PATTERN MATCHING AND MOUNTING

Aerohive Networks, Inc., ...

1. A method comprising:
grouping discrete antenna patterns, into groups of discrete antenna patterns, using a power set of one or more discrete polarized values;
receiving an antenna pattern predisposition indicator of a station;
determining an antenna pattern profile of the station based on the antenna pattern predisposition indicator;
searching for an optimal antenna pattern, matching an antenna configuration profile of the station from the groups of discrete antenna patterns;
communicating with the station using one or more antennas having the optimal antenna pattern.

US Pat. No. 10,237,129

INTELLIGENT NETWORK ACCESS MODE CONFIGURATION BASED ON USAGE CONDITIONS

Aerohive Networks, Inc., ...

1. A method performed by a wireless access device, the method comprising:
gathering identifiers of one or more digital devices coupled to the wireless access device;
gathering an identifier of a wireless network usage condition of a first digital device of the one or more digital devices, the wireless network usage condition providing an indicator of data to be accessed by the first digital device over the wireless access device;
gathering an identifier of a power mode for the first digital device, the power mode being associated with the wireless network usage condition of the first digital device;
selecting a first wireless operating mode of a plurality of wireless operating modes, the plurality of wireless operating modes being related to a plurality of antenna configurations and a plurality of wireless radio frequencies, the selecting of the first wireless operating mode being based on the identified power mode of the first digital device, the first wireless operating mode being associated with a first antenna configuration of the plurality of antenna configurations, and a first wireless radio frequency of the plurality of wireless radio frequencies for the data to be accessed by the first digital device over the wireless access device;
providing instructions to configure the wireless access device to allow the first digital device to access the data in accordance with the first wireless operating mode;
wherein the plurality of wireless radio frequencies comprises a 5.0 Gigahertz (GHz) frequency and a 2.4 Gigahertz (GHz) frequency; and
wherein the plurality of wireless operating modes comprises: an Institute of Electrical and Electronics Engineers (IEEE) 802.11n wireless operating mode, and an IEEE 802.11ac wireless operating mode.

US Pat. No. 10,231,180

HYBRID LOW POWER NETWORK DEVICE

Aerohive Networks, Inc., ...

1. A hybrid low power network device comprising:
a wave 1 radio configured to provide client devices wireless access to a network using single-user multi-input multi-output (SU-MIMO);
a wave 2 radio configured to provide the client devices wireless access to the network using multi-user multi-input multi-output (MU-MIMO);
a radio management system configured to assign the client devices to the wave 1 radio or the wave 2 radio for communicating over wireless communication channels in accessing the network;
first and second network ports, wherein at least one of the first and second network ports are configured to provide power to the hybrid low power network device and allow at least one of the wave 1 radio and the wave 2 radio to communicate with the network;
a power consumption determination engine configured to determine a power consumption level of the hybrid low power network device;
a power control engine configured to disable at least one component of the hybrid low power network device based on the power consumption level of the hybrid low power network device.

US Pat. No. 10,230,802

PROVIDING STATELESS NETWORK SERVICES

Aerohive Networks, Inc., ...

1. A system comprising:
one or more processors;
memory configured to instruct the one or more processors to implement:
a network service request receiving engine, at a local network access device, configured to receive from a user device a request for a network service;
a network service query formulation engine coupled to the network service request receiving engine and configured to formulate a query for the network service, the formulating being in response to the request for the network service;
a network service query transfer engine coupled to the network service query formulation engine and configured to provide an instruction to a remote network access device to interrogate remote network service provider devices coupled to the remote network access device for capabilities in providing the network service;
a network service query response engine, at the local network access device, coupled to the network service query transfer engine and configured to receive from at least one of the remote network service provider devices capable of providing the network service, access parameters related to the network service in response to the interrogation, the access parameters capable of being used to configure the user device to access the network service;
a user device configuration engine coupled to the network service query response engine and configured to configure the user device to access the network service from the at least one of the remote network service provider devices capable of providing the network service based on the access parameters without maintaining, at the local network access device, a state of the at least one of the remote network service provider devices in providing the network service to the user device;
a user device tagging engine coupled to the network service request receiving engine and to the network service query formulation engine, the user device tagging engine configured to tag the request with a network location of the user device, the network location of the user device comprising any of a level-2 address of the user device and a level-3 address of the user device, the tag facilitating the formulation of the query for the network service by the network service query formulation engine.

US Pat. No. 10,219,151

CHROMEBOOK CREDENTIAL MANAGEMENT

Aerohive Networks, Inc., ...

1. A method comprising:
installing a unique pre-shared key plug-in on a Chromebook client device;
receiving, from the unique pre-shared key plug-in through a Chromebook client management system API, identification data associated with the Chromebook client device;
assigning a unique pre-shared key to the Chromebook client device using the identification data;
sending the unique pre-shared key to the Chromebook client device;
configuring, using the unique pre-shared key plug-in, the Chromebook client device to seamlessly authenticate for a wireless network using the unique pre-shared key;
detecting a user's presence in interacting with the Chromebook client device;
generating authentication data using the unique pre-shared key at the Chromebook client device in response to detection of the user's presence;
receiving the authentication data from the Chromebook client device;
authenticating the Chromebook client device to access the wireless network if it is determined that the authentication data was generated using the unique pre-shared key assigned to the Chromebook client device.

US Pat. No. 10,341,320

BYOD CREDENTIAL MANAGEMENT

Aerohive Networks, Inc., ...

1. A method comprising:
providing an identity platform system configured to authenticate a company-assigned device for accessing a first network using a first unique pre-shared key associated with the company-assigned device, a first media access control (MAC) address of the company-assigned device being bound to the first unique pre-shared key to associate the first unique pre-shared key with the company-assigned device, the first network comprising an enterprise network, the company-assigned device being assigned to a user by the company and being owned by the company;
providing a personal bring your own device (BYOD) credential management system configured to authenticate a personal BYOD for accessing a second network using a second unique pre-shared key associated with the personal BYOD, a second MAC address of the personal BYOD being bound to the second unique pre-shared key to associate the second unique pre-shared key with the personal BYOD, the second network comprising a guest network, the personal BYOD being owned by the user;
providing a network administrator interface configured to provide access to the identity platform system for a network administrator;
including a personal BYOD credential management system application program interface (API) as part of the identity platform system and configured to provide the identity platform system access to the personal BYOD credential management system as if the personal BYOD credential management system is embedded in the identity platform system;
allowing the network administrator to access the identity platform system through the network administrator interface and manage the personal BYOD credential management system through the personal BYOD credential management system API by accessing the identity platform system.

US Pat. No. 10,321,306

NETWORK DEVICE SELECTIVE SYNCHRONIZATION

Aerohive Networks, Inc., ...

1. A method comprising:
assigning a unique private pre-shared key to a wireless device, a media access control (MAC) address of the wireless device being bound to the unique private pre-shared key;
determining network personas of a user of the wireless device;
mapping the user to a network group according to the network personas of the user;
maintaining synchronization policies for selectively synchronizing a plurality of network devices to authenticate wireless devices to access a network;
determining a network device of the plurality of network devices to which to send key data associated with the unique private pre-shared key in accordance with the synchronization policies and the network group and as part of selective synchronization of the plurality of network devices, the key data including the MAC address of the wireless device bound to the unique private pre-shared key;
sending the key data to the network device for storage in local storage of the network device for purposes of locally authenticating the wireless device to access the network.
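The selective-synchronization claim above and the Chromebook credential claim (US 10,219,151) share one mechanism: a per-device pre-shared key bound to the device's MAC address, pushed only to the access points that need it, and checked locally. The Python below is an added example of that flow and is not Aerohive's code. The persona-to-group rule, the synchronization policy table and the HMAC-over-nonce check are assumptions; in a real WPA2/WPA3-Personal deployment the proof of key possession is the 4-way handshake, which the HMAC here merely stands in for.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Set


def normalize_mac(mac: str) -> str:
    return mac.strip().lower().replace("-", ":")


def client_auth_data(psk: str, mac: str, nonce: bytes) -> bytes:
    """What the client plug-in would produce from its key (stand-in for the 4-way handshake)."""
    msg = normalize_mac(mac).encode() + b"|" + nonce
    return hmac.new(psk.encode(), msg, hashlib.sha256).digest()


class AccessPoint:
    """Holds only the key data that was synchronized to it."""

    def __init__(self, name: str, groups: Set[str]) -> None:
        self.name = name
        self.groups = groups
        self.local_keys: Dict[str, str] = {}  # mac -> psk

    def store_key_data(self, mac: str, psk: str) -> None:
        self.local_keys[normalize_mac(mac)] = psk

    def authenticate(self, mac: str, nonce: bytes, auth_data: bytes) -> bool:
        """Local check: the key is looked up by MAC, so a key used from another MAC fails."""
        psk = self.local_keys.get(normalize_mac(mac))
        if psk is None:
            return False  # never synchronized here: not in this AP's groups, or unknown device
        expected = client_auth_data(psk, mac, nonce)
        return hmac.compare_digest(expected, auth_data)


def network_group_for(personas: Set[str]) -> str:
    """Assumed persona-to-group rule; the claim leaves the mapping open."""
    if "engineer" in personas:
        return "engineering"
    if "contractor" in personas:
        return "contractor"
    return "staff"


class IdentityPlatform:
    def __init__(self) -> None:
        self.devices: Dict[str, Dict[str, str]] = {}  # mac -> {psk, user, group}
        self.aps: Dict[str, AccessPoint] = {}

    def register_ap(self, ap: AccessPoint) -> None:
        self.aps[ap.name] = ap

    def assign_ppsk(self, mac: str, user: str, personas: Set[str]) -> str:
        psk = secrets.token_urlsafe(24)  # unique per device, never shared
        self.devices[normalize_mac(mac)] = {
            "psk": psk, "user": user, "group": network_group_for(personas)}
        return psk

    def synchronize(self, mac: str) -> Set[str]:
        """Push key data only to APs whose policy includes the device's group."""
        rec = self.devices[normalize_mac(mac)]
        targets = {name for name, ap in self.aps.items() if rec["group"] in ap.groups}
        for name in targets:
            self.aps[name].store_key_data(mac, rec["psk"])
        return targets


if __name__ == "__main__":
    # Constructed scenario: one engineering AP, one guest AP, one engineer's laptop.
    idp = IdentityPlatform()
    idp.register_ap(AccessPoint("ap-eng", {"engineering", "staff"}))
    idp.register_ap(AccessPoint("ap-guest", {"contractor"}))
    psk = idp.assign_ppsk("AA:BB:CC:DD:EE:01", "alice", {"employee", "engineer"})
    print(idp.synchronize("AA:BB:CC:DD:EE:01"))  # {'ap-eng'}
    nonce = secrets.token_bytes(16)
    tag = client_auth_data(psk, "AA:BB:CC:DD:EE:01", nonce)
    print(idp.aps["ap-eng"].authenticate("AA:BB:CC:DD:EE:01", nonce, tag))  # True
```

Two practical caveats the claims do not state: a MAC address is trivially spoofed, so the binding limits blast radius and simplifies revocation rather than providing a second factor; and because keys are only synchronized to a subset of devices, a roaming client will fail authentication at any AP outside its group's policy, which is the intended effect but shows up in logs as an ordinary auth failure.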

US Pat. No. 10,536,803

PROXIMITY BEACON MANAGEMENT USING A NETWORK DEVICE

Aerohive Networks, Inc., ...

1. A method comprising:
generating operational characteristics for a proximity beacon transmitter coupled to a network device through a proximity beacon transceiver hub physically connected to the network device, wherein the operational characteristics include a universally unique identifier uniquely associated with the proximity beacon transmitter, wherein the proximity beacon transceiver hub couples the proximity beacon transmitter to the network device to make the proximity beacon transmitter a network device-coupled proximity beacon transmitter, wherein the network device is configured to provide stations wireless access to network services of a network, and wherein the stations include proximity beacon receivers;
configuring the proximity beacon transmitter through the network device according to the operational characteristics;
determining if the proximity beacon transmitter is operating according to the operational characteristics in transmitting proximity beacon signals to the proximity beacon receivers;
reconfiguring the proximity beacon transmitter according to the operational characteristics through the network device, if it is determined the proximity beacon transmitter is operating in nonconformity with the operational characteristics.

US Pat. No. 10,348,372

ANTENNA PATTERN MATCHING AND MOUNTING

Aerohive Networks, Inc., ...

1. An antenna apparatus, comprising:
an antenna mounting structure;
a plurality of antenna devices circularly arranged on the antenna mounting structure with a clearance from each other, the plurality of antenna devices including a first subplurality of antenna devices and a second subplurality of antenna devices arranged in an interleaved manner,
the first subplurality of antenna devices having a first polarization and not having polarizations orthogonal to the first polarization, and the second subplurality of antenna devices having a second polarization different from the first polarization and not having polarizations orthogonal to the second polarization;
wherein the plurality of antenna devices further includes a third subplurality of antenna devices and a fourth subplurality of antenna devices, the first, second, third and fourth subpluralities of antenna devices being cyclically arranged,
the third subplurality of antenna devices having a third polarization different from the first and second polarizations and not having polarizations orthogonal to the third polarization,
the fourth subplurality of antenna devices having a fourth polarization different from the first and second polarizations and not having polarizations orthogonal to the fourth polarization,
wherein the first polarization is orthogonal to the second polarization, and the third polarization is orthogonal to the fourth polarization.

US Pat. No. 10,320,847

USER-BASED NETWORK ONBOARDING

Aerohive Networks, Inc., ...

1. A method comprising:
receiving user information of a user requesting access to a network with a first user device of the user;
assigning a first-level security profile to the user based on the user information of the user;
assigning a second-level security profile including first network configuration information to the first user device of the user;
providing a browser extension to the first user device and causing the first user device to install the provided browser extension in a web browser of the first user device;
after assigning the second-level security profile to the first user device, providing a network connectivity file containing the first network configuration information to the first user device and causing the first user device to load the network connectivity file into the browser extension installed in the web browser of the first user device;
enabling the first user device to access the network through the web browser using the first network configuration information included in the network connectivity file loaded into the browser extension.

US Pat. No. 10,277,571

BYOD CREDENTIAL MANAGEMENT

Aerohive Networks, Inc., ...

1. A method comprising:
providing an identity platform system configured to authenticate a company-assigned device for accessing a first network using a first unique pre-shared key associated with the company-assigned device, a first media access control (MAC) address of the company-assigned device being bound to the first unique pre-shared key to associate the first unique pre-shared key with the company-assigned device, the first network comprising an enterprise network, the company-assigned device being assigned to a user by the company and being owned by the company;
providing a personal bring your own device (BYOD) credential management system configured to authenticate a personal BYOD for accessing a second network using a second unique pre-shared key associated with the personal BYOD, a second MAC address of the personal BYOD being bound to the second unique pre-shared key to associate the second unique pre-shared key with the personal BYOD, the second network comprising a guest network, the personal BYOD being owned by the user;
providing a network administrator interface configured to provide access to the identity platform system for a network administrator;
including a personal BYOD credential management system application program interface (API) as part of the identity platform system and configured to provide the identity platform system access to the personal BYOD credential management system as if the personal BYOD credential management system is embedded in the identity platform system;
allowing the network administrator to access the identity platform system through the network administrator interface and manage the personal BYOD credential management system through the personal BYOD credential management system API by accessing the identity platform system.

US Pat. No. 10,389,650

BUILDING AND MAINTAINING A NETWORK

Aerohive Networks, Inc., ...

1. A method for building and maintaining a network, the method comprising:
operationally connecting an access point in a region that is connectable to one or more client devices in the region to an interregional redirector engine associated with a plurality of regions including the region;
receiving at the interregional redirector engine network device information of the access point, the network device information including geography information of the region and enterprise network information of the access point;
determining, by the interregional redirector engine, based on the network device information, a load balancer system uniquely associated with the region selectively from a plurality of load balancer systems that are uniquely associated with different regions and coupled to the interregional redirector engine associated with the plurality of regions;
assigning, by the interregional redirector engine, the access point to the load balancer system;
assigning, by the load balancer system, the access point to a regional network device management engine associated with the region based on the network device information, the regional network device management engine being determined selectively from a plurality of regional network device management engines that are associated with the region and coupled to different sets of one or more access points;
managing, by the load balancer system, a failure of the regional network device management engine in communication with the access point based on network device management engine failure information provided from the access point to the load balancer system without passing through the failed regional network device management engine;
managing, by the regional network device management engine, the access point in providing access to an enterprise network.

US Pat. No. 10,412,006

BANDWITH SENTINEL

Aerohive Networks, Inc., ...

1. A method for configuring a network connection, the method comprising:
determining a first wireless network connection between a wireless network device and a client network device, as a congested wireless network connection;
determining a first quality score for the first wireless network connection based on one or more wireless network connection attributes of the first wireless network connection;
classifying the first wireless network connection as a first quality connection based on comparison of the first quality score with a first benchmark quality score;
determining a second quality score for a second wireless network connection between the wireless network device and another client network device based on one or more wireless network connection attributes of the second wireless network connection;
classifying the second wireless network connection as a second quality connection better than the first quality connection based on comparison of the second quality score with a second benchmark quality score that is different from the first benchmark quality score;
upon classification of the first wireless network connection as the first quality connection and the second wireless network connection as the second quality connection, allocating additional bandwidth to the second wireless network connection, and causing another wireless network device to provide a wireless network connection to the client network device.

US Pat. No. 10,397,211

SPLIT AUTHENTICATION NETWORK SYSTEMS AND METHODS

Aerohive Networks, Inc., ...

1. A method comprising:
receiving one or more packets wirelessly transmitted from a user device through a wireless access point to access a trusted network;
determining a type of an extensible authorization protocol (EAP) associated with the user device based on the one or more packets;
upon determining that the type of EAP associated with the user device is a first EAP, routing the one or more packets to a first authentication server provided in the trusted network and associated with the first EAP, for authentication of the user device according to the first EAP;
upon determining that the type of EAP associated with the user device is a second EAP different from the first EAP, routing the one or more packets to a second authentication server provided in the trusted network and associated with the second EAP, for authentication of the user device according to the second EAP;
wherein the first EAP involves a server certificate and does not involve a self-signed user certificate for authentication, and the second EAP involves a server certificate and a self-signed user certificate for authentication.

US Pat. No. 10,542,035

MANAGING ROGUE DEVICES THROUGH A NETWORK BACKHAUL

Aerohive Networks, Inc., ...

1. The method performed by a switch in a network backhaul comprising:
receiving from a network backhaul rogue device management system in the network backhaul, a rogue device message including a media access control (MAC) address of a rogue device;
providing the rogue device message to a plurality of switches in the network backhaul;
in response to the rogue device message, flushing entries of a forwarding table of a switch of the plurality of switches, the entries of the forwarding table associated with MAC addresses of devices in a network, respectively, for routing traffic;
in response to the rogue device message, adding an entry associated with the MAC address to a rogue monitor table, entries of the rogue monitor table associated with MAC addresses of devices in the network, respectively, for monitoring rogue devices;
monitoring the forwarding table and the rogue monitor table to determine whether a MAC address of an entry included in the rogue monitor table is aged out and whether a new MAC address newly included in an entry of the forwarding table is included in the rogue monitor table;
upon determining that a MAC address included in an entry of the forwarding table is aged out, sending a rogue aged MAC message including aged device data that contains the aged MAC address to the network backhaul rogue device management system, so as to cause the network backhaul rogue device management system to update a status of an access point (AP) associated with the aged device data as out-of-net;
upon determining that the new MAC address is included in the rogue monitor table, sending a rogue learned MAC message including new learned device data that contains the new MAC address to the network backhaul rogue device management system, so as to cause the network backhaul rogue device management system to update a status of an AP associated with the new learned device data as in-net;
performing mitigation of the rogue device using a nearest switch in the backhaul network to the rogue device;
further comprising:
receiving from the network backhaul rogue device management system, a rogue update message including a MAC address of a rogue device that has been determined to be valid;
in response to the rogue update message, removing an entry associated with the MAC address of the valid rogue device from the rogue monitor table.

US Pat. No. 10,355,977

GATEWAY USING MULTICAST TO UNICAST CONVERSION

Aerohive Networks, Inc., ...

1. A system comprising:
a multicast frame receiving engine configured to receive a multicast frame directed to a multicast group;
a destination unicast engine coupled to the multicast frame receiving engine and configured to identify a unicast address of an intended recipient device and a unicast address of an unintended recipient device, wherein the intended recipient device and the unintended recipient device are members of the multicast group;
a multicast frame expansion engine coupled to the destination unicast engine and configured to convert the multicast frame into a set of unicast frames including a first unicast frame and a second unicast frame, the first unicast frame being directed to the intended recipient device using the unicast address of the intended recipient device, the second unicast frame being directed to the unintended recipient device using the unicast address of the unintended recipient device;
an unintended recipient device frame removal engine coupled to the multicast frame expansion engine, the unintended recipient device frame removal engine configured to prevent any of the multicast frame or the second unicast frame from being sent to the unintended recipient device by removing the second unicast frame from the set of unicast frames;
an intended recipient device frame providing engine coupled to the multicast frame expansion engine and the unintended recipient device frame removal engine and configured to provide the first unicast frame to the intended recipient device.

US Pat. No. 10,666,512

CURRENT CONFIGURATION STATE SPECIFIC DEVICE CONFIGURATION

Aerohive Networks, Inc., ...

1. A method, comprising:
receiving, at a local state aware device manager, a data stream from a device in a network;
determining, at the local state aware device manager, a current configuration state of the device based on the data stream;
remotely identifying, at a state aware mediator, a desired configuration state of the device;
receiving, at the state aware mediator, current configuration state data indicating the current configuration state of the device;
generating, at the state aware mediator, desired configuration instructions for use in configuring the device to operate at the desired configuration state based on the current configuration state of the device indicated by the current configuration state data and the desired configuration state of the device;
providing the desired configuration instructions from the state aware mediator to the local state aware device manager; and
locally arranging the device to operate at the desired configuration state using the desired configuration instructions based on a control and provisioning of wireless access points.

US Pat. No. 10,666,653

INTERNETWORK AUTHENTICATION

Aerohive Networks, Inc., ...

1. A method comprising:
receiving a request for a policy-based identity routing service for a first network;
providing a first local authoritative user datastore interface (LAUDI) to a first network device of the first network;
obtaining a set of rules for identity routing to the first network;
establishing a connection between the first LAUDI and an authentication proxy;
receiving, at the first LAUDI, an authentication request for a station;
determining, based on the set of rules, whether to analyze the authentication request at the first LAUDI or to route the authentication request to a second LAUDI of a second network device of a second network;
in response to determining that the authentication request matches a characteristic defined by the set of rules, analyzing the authentication request at the first LAUDI; and
in response to determining that the authentication request does not match the characteristic defined by the set of rules, routing the authentication request to the second LAUDI, wherein an authentication result from the second LAUDI indicates whether the station is approved to access services on the second network.

US Pat. No. 9,826,479

HYBRID LOW POWER NETWORK DEVICE

Aerohive Networks, Inc., ...

1. A hybrid low power network device comprising:
a wave 1 radio configured to provide client devices wireless access to a network using single-user multi-input multi-output (SU-MIMO);
a wave 2 radio configured to provide the client devices wireless access to the network using multi-user multi-input multi-output (MU-MIMO);
a radio management system configured to assign the client devices to either the wave 1 radio or the wave 2 radio for communicating over wireless communication channels in accessing the network and steer MU-MIMO capable client devices of the client devices to the wave 2 radio;
first and second Ethernet ports, wherein at least one of the first and second Ethernet ports are configured to provide power to the hybrid low power network device and allow at least one of the wave 1 radio and the wave 2 radio to communicate with the network;
wherein in operation the hybrid low power network device is configured to operate at a power consumption level under 17 watts (W) in providing the client devices wireless access to the network.

US Pat. No. 9,473,489

PRIVATE SIMULTANEOUS AUTHENTICATION OF EQUALS

Aerohive Networks, Inc., ...

1. A method comprising:
assigning a passphrase to an end user device as part of a private simultaneous authentication of equals (SAE) scheme;
storing the passphrase in association with an identifier of the end user device;
determining the end user device is attempting to authenticate at a wireless network device;
receiving identifying information from the end user device over a wireless medium;
using the identifying information to obtain the passphrase;
generating a shared secret using the passphrase;
determining whether the end user device has generated the shared secret without transmitting the passphrase over the wireless medium;
authenticating the end user device at a wireless network associated with the wireless network device if it is determined the end user device has generated the shared secret;
generating first commitment data according to a commitment scheme during a commitment phase of the private SAE scheme;
sending the first commitment data to the end user device over the wireless medium;
receiving second commitment data from the end user device according to the commitment scheme, the second commitment data used to generate the shared secret;
generating first confirmation data according to a confirmation scheme during a confirmation phase of the private SAE scheme;
receiving over the wireless medium second confirmation data from the end user device according to the confirmation scheme;
comparing the first confirmation data with the second confirmation data to determine if the end user device generated the shared secret.