Device authentication is one tool used for network security purposes, typically intended to prevent unauthorized users/devices from accessing a network. One authentication method, for example, is specified in the Institute of Electrical & Electronics Engineers (IEEE) 802.1x standard. Traditionally, the concept of device authentication is based on storing and presenting device "credentials" to obtain access to a network. Obtaining access to a network may include receiving an Internet protocol (IP) address, receiving an access channel assignment, etc. Credentials have typically been based on an account/password combination, or are based on a digital authentication certificate, for example, one specified in the International Telecommunication Union (ITU) X.509 Recommendation.
Assuming valid credentials are presented, authorization for accessing a network is traditionally granted. One problem associated with traditional authentication of credentials is that the mere fact that a system/device can present an identity and/or valid credentials does not necessarily mean the system/device is properly configured or is free of malware. Policy compliance provides a mechanism to evaluate the security of a system, even if the system presents valid credentials and/or the system has been authenticated. Enforcement of compliance with a policy, especially in the form of access restriction, may reduce the risk that a system carrying malware will be granted access that could result in an attack on part or all of a network.
Additionally, access restriction is traditionally handled at an authenticating node, such as with Cisco Systems' Network Admission Control, where a specially configured server complying with the Remote Authentication Dial-In User Service (RADIUS) standard (the de facto industry standard created by Lucent and proposed as a standard by the Internet Engineering Task Force (IETF)), together with dynamic access control lists, is used to enforce policy-based access restrictions. Such policy-based restrictions have typically been limited to enforcement at the router. One problem with traditional systems and methods is that all the work and complexity of enforcement sits on the network infrastructure. Additionally, in an environment such as a subnet or a local area network (LAN), enforcement of access restriction at the router does not isolate a device that violates the policy and does not prevent it from accessing other devices within the same subnet.
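The two points above, that valid credentials alone do not establish compliance and that a router-enforced ACL never sees traffic between two hosts on the same subnet, as an added example that is not part of the patent text. The credential table, posture attributes, patch-level threshold and remediation-server address are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Posture:
    """Constructed posture attributes reported by the endpoint agent."""
    av_running: bool
    patch_level: int
    malware_detected: bool

# Constructed credential store (assumption: simple shared-secret table, not a real RADIUS backend)
CREDENTIALS = {"host-a": "s3cret", "host-b": "hunter2"}
MIN_PATCH_LEVEL = 42                      # hypothetical policy threshold
REMEDIATION_SERVER = "10.0.0.5"           # hypothetical remediation host

def authenticate(device_id: str, secret: str) -> bool:
    """Stage 1: traditional credential check only."""
    return CREDENTIALS.get(device_id) == secret

def posture_compliant(p: Posture) -> bool:
    """Stage 2: policy compliance, evaluated independently of identity."""
    return p.av_running and not p.malware_detected and p.patch_level >= MIN_PATCH_LEVEL

def admission_decision(device_id: str, secret: str, posture: Posture):
    """Return (access level, dynamic ACL lines the enforcement point should apply).
    A device with valid credentials but a failing posture gets a restricted ACL
    that only reaches the remediation server, instead of full access."""
    if not authenticate(device_id, secret):
        return "reject", []
    if posture_compliant(posture):
        return "full", ["permit ip any any"]
    return "restricted", [f"permit ip any host {REMEDIATION_SERVER}", "deny ip any any"]

def router_acl_applies(src: str, dst: str, subnet: str) -> bool:
    """A router-applied ACL only evaluates packets that cross the router.
    Two hosts in the same subnet exchange frames through the switch directly,
    so the ACL never sees that traffic and cannot isolate a non-compliant host."""
    net = ip_network(subnet)
    return not (ip_address(src) in net and ip_address(dst) in net)
```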