The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Computer networks can use a combination of network access devices and authentication, access and accounting (AAA) servers to control access through the network. Such devices and servers determine whether to grant access to a particular user based in part on access control information. In many devices and servers, the access control information is implemented as one or more access control lists (ACLs). For a particular user, an access control list identifies, by network address or other identifier, which network resources the user is permitted to access. The access control lists are either defined on each device, or defined in the AAA server and downloaded to the device when the user is successfully authenticated. Often, many devices or users have the same or overlapping sets of ACLs.
In one past approach, both ACLs and Dial Plans are established on a router or other device. Each user who may use the device is assigned to a particular Dial Plan. The Dial Plan is associated with an ACL on the device. When a particular user logs in, the device determines which Dial Plan contains the user, and then applies the ACL of that Dial Plan to access requests of the user.
In another approach, where ACLs are defined on the device, each ACL is given a name. A user successfully authenticates through use of a message exchange between the device and an authentication server using an agreed-upon authentication protocol, such as Remote Access Dial-In User Service (“RADIUS”). RADIUS is described in IETF Request for Comments (RFC) 1812. A RADIUS response received by the device from the authentication server contains the name of an ACL to associate with the user. This approach provides the advantage that the device only contains one copy of the ACL, even if multiple users reference or use the same ACL. Thus, ACL definition is normalized. However, a disadvantage of this approach is that the ACL associated with the user is defined inside the authentication server, and the body and meaning of the ACL are defined in numerous devices. This presents scalability issues, because updating an ACL requires updating numerous devices.
Currently, authentication servers address this problem by using ACL management applications that deploy ACLs to numerous devices with a single request. However, network administrators perceive this solution as undesirable, because security policy is not managed in a central location, which can lead to misunderstandings and mis-configuration of the ACLs.
In another approach, the authentication server contains a full and complete copy of all ACLs, and each ACL is downloaded in full every time a user logs in. This places responsibility for ACL assignment and definition in one place, but has several disadvantages. First, the device never knows whether user A and user B share the same ACL, and thus keeps separate copies of the same ACL, or of parts of the same ACL (aggregated ACLs). In certain switch devices and in other cases, this unnecessarily consumes optimized resources that are provided for ACL management, such as content addressable memory (CAM) provided in switches for accelerated ACL management. Second, significant network bandwidth is used to download each ACL when a user logs in. Third, in RADIUS implementations, the maximum RADIUS packet size is 4 Kbytes; consequently, no ACL can exceed 4 Kbytes in size, which is an undesirable limitation.
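The following added example (not part of this application, and not an implementation of any claimed method) models the two approaches just described from the device's side: an AAA reply that carries only an ACL name, which must already be defined on the device, and an AAA reply that carries the whole ACL body, subject to the 4 Kbyte RADIUS packet limit. The ACL text format, the `Device` class, the sample ACLs and the content-hash store are all constructed for illustration; the hash-based store is one way a device could recognize that two users share the same ACL body, which the full-download approach as described does not do. ACL evaluation uses first-match semantics with an implicit deny, the usual convention for such lists.

```python
import hashlib
import ipaddress
from dataclasses import dataclass

# Maximum RADIUS packet size cited in the text (4 Kbytes); an ACL body sent in one
# reply cannot exceed it.
RADIUS_MAX_PACKET = 4096

# Constructed ACL in a simple "action prefix" line format (hypothetical, not a vendor syntax).
SAMPLE_ACL = """
# block the management subnet, allow the rest of the corporate range
deny 10.1.0.0/16
permit 10.0.0.0/8
"""


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv4Network    # destination prefix the entry matches


def parse_acl(text):
    """Parse the constructed line format into an ordered tuple of entries."""
    entries = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, prefix = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action: {action}")
        entries.append(AclEntry(action, ipaddress.ip_network(prefix, strict=False)))
    return tuple(entries)


def acl_allows(entries, dest):
    """First matching entry decides; no match means deny (implicit deny at the end)."""
    addr = ipaddress.ip_address(dest)
    for entry in entries:
        if addr in entry.network:
            return entry.action == "permit"
    return False


class Device:
    """Hypothetical network access device holding ACL bodies and per-user assignments."""

    def __init__(self, local_acls=None, dedupe=True):
        self.local_acls = dict(local_acls or {})  # name -> entries, configured on the device
        self.downloaded = {}                      # store key -> entries received from AAA
        self.user_acl = {}                        # user -> (store, key)
        self.dedupe = dedupe                      # recognize shared bodies by content hash

    def apply_named_acl(self, user, acl_name):
        """Named-ACL approach: the AAA reply carries only a name; the body must be local."""
        if acl_name not in self.local_acls:
            raise KeyError(f"ACL {acl_name!r} is not defined on this device")
        self.user_acl[user] = ("local", acl_name)

    def apply_downloaded_acl(self, user, acl_text):
        """Full-download approach: the AAA reply carries the whole ACL body."""
        body = acl_text.encode()
        if len(body) > RADIUS_MAX_PACKET:
            raise ValueError(f"ACL body of {len(body)} bytes exceeds the RADIUS packet size")
        digest = hashlib.sha256(body).hexdigest()
        # Without deduplication the device keeps one copy per user, as the text describes.
        key = digest if self.dedupe else f"{user}:{digest}"
        if key not in self.downloaded:
            self.downloaded[key] = parse_acl(acl_text)
        self.user_acl[user] = ("downloaded", key)

    def stored_acl_count(self):
        """Number of ACL bodies occupying device resources."""
        return len(self.local_acls) + len(self.downloaded)

    def check(self, user, dest):
        """Apply the user's assigned ACL to a destination address."""
        store, key = self.user_acl[user]
        entries = self.local_acls[key] if store == "local" else self.downloaded[key]
        return acl_allows(entries, dest)
```

Calling `apply_downloaded_acl` for two users with the same body leaves one stored copy when `dedupe=True` and two when it is off, which is the CAM and memory cost the text attributes to the full-download approach; a body larger than 4096 bytes is rejected before it is stored.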
Based on the foregoing, there is a clear need in this field for a better way to provide network access information to network devices.
In particular, what is needed is a solution that provides central administration of network access information, including both definition and assignment to users, to ensure scalability. There is also a need for a solution that supports network access information, such as ACLs, that are larger than 4 Kbytes.
Further, there is a need for a way to deploy network access information on demand, and uniformly across all devices. There is also a need for a solution that provides normalized definitions of network access information, to provide efficient use of device memory.