Access control servers, as broadly used herein, provide the ability to block illegitimate access requests for computer network resources, while providing legitimate requesters the appropriate access to network resources. Access control servers may respond to access requests from users, devices (such as routers, firewalls, access points, and dial gateways) and processes that request access to network resources. As broadly used herein, the term ‘access requester’ shall be used to describe any entity that issues an access request that may be serviced by an access control server. As broadly used herein, the term ‘access request’ shall be used to describe any request for a network resource, including a user transit session or a request to perform administration changes to a device. An access request may span several discrete network connections, devices, and software servers, each of which, in general, must be available and operational for the access request to succeed. A commercial example of an access server is Cisco Secure Access Control Server 3.0, available from Cisco Systems, Inc. of San Jose, Calif.
Access control servers perform authentication, authorization, and accounting for access requesters. Initially, in processing an access request, an access control server authenticates the access request. Authentication is the validation of credentials presented by the access requester. Next, the access control server typically authorizes the access requester. Authorization is the determination of what actions the access requester is permitted to perform. After an access requester has been authorized, an access control server may transmit information, called a session profile, which provisions various network session attributes and indicates the set of allowable actions that the access requester may perform. Examples of session profile attributes include rate limiting and quota restrictions, MPLS and VRF tunneling, VLAN and SSID segmentations, security and dynamic Access Control Lists (ACLs), security settings for IPSec or SSL tunnel establishment, and QOS parameters. Thereafter, the access control server performs accounting functionality for the access requester. Accounting is the creating and storing of records that describe what actions the access requester has performed.
In authenticating access requesters, access control servers may use a variety of different types of credentials. As used herein, a credential is any evidence that may be used by an access control server to accurately determine the identity or status of the access requester associated with the credential. A credential may be, although it need not be, a set of information stored electronically. A credential may include, e.g., a username and password combination, a single-use token password that is uniquely generated every minute, public and private keys as used in public key encryption, etc. An access control server may also perform authentication using a biometric credential, which is evidence that identifies a set of personally unique physical characteristics for a person, such as a fingerprint, a voice pattern, or a retinal scan.
In performing authentication, the access control server may either validate the requester's credentials locally, or the access control server may consult one or more external entities (“an external validation server”) to assist in the authentication of the access requester's credentials. For example, a particular access control server may consult with an external validation server to validate a person's username and password combination. An LDAP directory server or similar repository is an example of an external validation server.
Additionally, even if the access control server performs authentication locally, in the authentication step the access control server may consult one or more external validation servers in the performance of additional access or security functionality, e.g., to perform a determination that the access request from the access requester does not contain any computer viruses. In this fashion, even if the access requester's credentials are authenticated locally to the access control server, the access control server may still need to reach one or more external validation servers to authenticate the access requester.
Occasionally, however, the external validation server may become inaccessible to the access control server. The external validation server may become inaccessible for a variety of reasons, e.g., problems with the external validation server or the network connection between the external validation server and the access control server. When the external validation server becomes inaccessible, the access control server is unable to authenticate any credentials normally handled by the inaccessible external validation server. As the access control server is unable to authenticate the access requester's credentials, the access control server must deny access to the access requester. This is undesirable and can be a source of user frustration and unnecessary network downtime.
Similarly, occasionally the access control server itself may become inaccessible to a client of the access control server. The access control server may become inaccessible for a variety of reasons, e.g., problems with the access control server or the network connection between the access control server and the client. As the access control server is unable to authenticate the access requester's credentials, the access requester associated with the client is unable to gain access to the desired network resources because the access control server was unable to provide the required session profile to the client.
If an access requester's request is denied, the access requester is typically completely denied access; in other words, since the access control server may respond to an access request only by either completely granting the desired access or completely denying the access request, any problem the access control server encounters that prevents the granting of the access request results in complete denial of the access request.
Some access control servers, however, may issue “guest status” to certain access requesters, instead of completely denying their access request when problems reaching an external validation server arise, by providing the access requester with a default session profile that allows the access requester to access a scope of network resources commensurate with a “guest.” However, this is far from a satisfactory solution, because the scope of the access to network resources afforded to guests is traditionally relatively small and restricted to non-essential network resources, since otherwise the security of the network may be compromised. Restricting the scope of access afforded to guests is necessary to maintain control over who is accessing network resources. As a result, if a legitimate access requester is denied access and merely granted guest status, the access requester is typically prohibited from performing the tasks on the network that the legitimate access requester would like to perform.
To avoid the undesirable implications of denying access to legitimate access requesters, some access control servers may use a form of caching. When either the access control server or a required external validation server is inaccessible, a session profile that is stored in a cache at the client of the access control server (when the access control server is inaccessible) or stored in the cache at the access control server (when a required external validation server is inaccessible) may be used.
This approach of using a simple cache to supply the session profile is problematic because caches, by their very nature, are not as secure as a centralized access control server, which may be deployed securely within the network. Additionally, the distribution of valid session profiles to a variety of locations increases the security risk to the network because control over the session profiles is decreased. Any latency between the removal of user account access provided by the access control server and the removal of access in each of the distributed caches raises an additional security risk that illegitimate access can be obtained. Moreover, blind reliance on the existence of a session profile in a cache may introduce unacceptable risk to the security of the network.
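The following Python model is an added illustration, not code from the patent or from any Cisco product. It implements the flow described above (authentication against an external validation server, a provisioned session profile, an accounting record per decision) and the three behaviours the text contrasts when the external validation server is unreachable: outright denial, a default “guest” profile, and a locally cached profile. All class names, the account data and the profile attribute values are constructed for the example. The cache variant stores a salted password digest beside the profile so that a cached entry still requires the correct credential, and the `revocation_window_demo` function shows the latency risk the text raises: an account revoked at the validation server while it is down keeps receiving its cached profile until the cache entry expires.

```python
"""Toy access control server with an external validator and fallback modes.
Added illustration; all names, accounts and profile values are hypothetical."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    GRANT = "grant"
    GUEST = "guest"
    DENY = "deny"


@dataclass(frozen=True)
class SessionProfile:
    # A few of the provisioning attributes the text lists (constructed values)
    vlan: int
    acl: str
    rate_limit_kbps: int


GUEST_PROFILE = SessionProfile(vlan=999, acl="guest-only", rate_limit_kbps=256)


class ValidatorUnreachable(Exception):
    """Raised when the external validation server cannot be contacted."""


class ExternalValidator:
    """Stand-in for an LDAP directory: holds accounts and may go offline."""

    def __init__(self, accounts):
        # accounts: {username: (password, SessionProfile)} -- constructed data
        self.accounts = dict(accounts)
        self.reachable = True

    def validate(self, username, password):
        if not self.reachable:
            raise ValidatorUnreachable(username)
        entry = self.accounts.get(username)
        if entry is None or not hmac.compare_digest(entry[0], password):
            return None  # unknown account or wrong password
        return entry[1]  # the session profile to provision

    def revoke(self, username):
        self.accounts.pop(username, None)


class AccessControlServer:
    def __init__(self, validator, fallback="deny", cache_ttl_s=3600):
        assert fallback in ("deny", "guest", "cache")
        self.validator = validator
        self.fallback = fallback
        self.cache_ttl_s = cache_ttl_s
        self.salt = os.urandom(16)
        self.cache = {}       # username -> (password digest, profile, expiry)
        self.accounting = []  # one record per decision (the accounting step)

    def _digest(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 10_000)

    def _record(self, username, decision, profile, reason, now):
        self.accounting.append((now, username, decision.value, reason))
        return decision, profile

    def handle(self, username, password, now):
        """Authenticate, then authorize by returning a session profile."""
        try:
            profile = self.validator.validate(username, password)
        except ValidatorUnreachable:
            return self._fallback(username, password, now)
        if profile is None:
            self.cache.pop(username, None)  # a refused login must not linger
            return self._record(username, Decision.DENY, None, "bad credentials", now)
        self.cache[username] = (self._digest(password), profile, now + self.cache_ttl_s)
        return self._record(username, Decision.GRANT, profile, "validated", now)

    def _fallback(self, username, password, now):
        if self.fallback == "guest":
            return self._record(username, Decision.GUEST, GUEST_PROFILE, "validator down", now)
        if self.fallback == "cache":
            entry = self.cache.get(username)
            if entry is not None:
                digest, profile, expiry = entry
                if now < expiry and hmac.compare_digest(digest, self._digest(password)):
                    return self._record(username, Decision.GRANT, profile, "cached profile", now)
        return self._record(username, Decision.DENY, None, "validator down", now)


def revocation_window_demo():
    """Latency risk: a profile cached before the validator went down keeps
    granting access after the account has been revoked at the validator."""
    validator = ExternalValidator({"alice": ("s3cret", SessionProfile(10, "eng-acl", 10_000))})
    acs = AccessControlServer(validator, fallback="cache", cache_ttl_s=600)
    first, _ = acs.handle("alice", "s3cret", now=0)      # validator online: validated
    validator.reachable = False
    validator.revoke("alice")                            # revoked while unreachable
    stale, _ = acs.handle("alice", "s3cret", now=100)    # inside TTL: still granted
    wrong_pw, _ = acs.handle("alice", "guess", now=100)  # cache still checks the password
    expired, _ = acs.handle("alice", "s3cret", now=700)  # TTL elapsed: denied
    validator.reachable = True
    after, _ = acs.handle("alice", "s3cret", now=800)    # validator answers: revoked
    return [d.value for d in (first, stale, wrong_pw, expired, after)]
```

The TTL bounds the revocation window but does not close it: any cached grant between `revoke` and expiry is exactly the “latency between the removal of user account access ... and the removal of access in each of the distributed caches” that the text identifies. Shortening the TTL narrows the window at the cost of more denials during an outage, which is the trade-off the guest and deny modes resolve differently.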
Since denying access to legitimate access requesters is clearly an undesirable result, it is desirable to improve the ability of an access control server to grant access to legitimate access requesters in balance with the concern of preventing illegitimate access requesters entry to the network and access to network resources. Currently, however, there is no effective mechanism for doing so.
The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.