The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
It is often desirable to differentiate access to a network or resource in a network based on attributes of the user or device seeking access. For example, an engineering manager may be allowed access to a server having information related to engineering, as well as a server having personnel information. However, an engineer may not be allowed access to the personnel information. Similarly, a piece of laboratory equipment may be permitted access to other laboratory equipment, but not to servers performing business functions. Thus, it is desirable to control network traffic in order to control access to a resource, device, or network, based on one or more characteristics of a user or device. One technique for role-based access control is described by Ferraiolo and Kuhn in, “Role-Based Access Control” (Proceedings of the 15th National Security Computer Conference, 1992).
Access control lists are one way to control network traffic. Access control lists filter network traffic by controlling whether routed packets are forwarded or blocked, typically at a router interface, although other devices can filter packets. The router examines each packet to determine whether to forward or drop the packet, on the basis of the criteria specified within the access lists. An access control list criterion could be the source address of the traffic or the destination address of the traffic.
Internet Protocol (IP) addresses once served as invariable identifiers of the source device on an IP-based network. Access control lists were developed to allow differentiated access based on this IP identifier within the network. However, IP addresses are no longer tightly bound to either a device or a user. For example, at one point in time, entities were statically addressed. Moreover, laptops, PDAs, and other mobile devices did not exist. Today, with dynamic DHCP addressing and mobile devices seeking network access, the significance that can be placed on a given IP address over another for the purpose of identifying a user of device has declined significantly. As a result, ACLs in all but the broadest implementations have been far less useful.
There have been several attempts to address this problem. One technique inserts, into every frame sent on a network, a 16-bit tag defining the role associated with the traffic. However, this technique places a burden on the hardware to insert and interpret the tags. Other techniques use “tunneling,” e.g. IPSEC VPN tunneling, to identify the source of traffic as being associated with a given tunnel.
Other techniques constrain the assignment of IP addresses to follow the roles rather than the network topology. For example, one technique defines a subnet per-role and associates a VLAN per role on the access switch. When the user authenticates, the user's or device's role is determined, which results in a specific VLAN (and subsequent subnet) assignment.
Based on the foregoing, there is a clear need for an improved method for differentiating access to a resource or network, based on user or device identity.