Currently, when a client device connects to, or is provisioned access to, an IEEE 802.1x enabled network, the client device transparently connects to the network on all subsequent authentication attempts. This transparent access may be delivered through techniques such as cached credentials or device certificates. For example, a client device that has previously been authenticated under the IEEE 802.1x protocol may present its device credentials to the authentication server without any additional user input.
However, the network infrastructure has no way to authorize the user behind the client device. Thus, network access is secured only by the local password policy that prevents other users from misusing the client device and inappropriately accessing network resources. If an unauthorized user gains access to the client device before it is locked by the local password, or if that user steals the local password to the client device, the unauthorized user obtains the same access to network resources as the owner of the client device.
To address this concern, a network administrator can configure the network policy to require that network users change their network credentials at frequent intervals. As a result, the exposure of the network infrastructure is limited to the length of the password rotation interval. However, such a network policy typically applies to all network users and creates great inconvenience and burden for legitimate network users.
Therefore, it is desirable to have additional security protection in an IEEE 802.1x enabled network that fulfills at least two purposes. First, a user who illegally gains possession of a previously authenticated client device will not be able to obtain authentication to the network resources. Second, the additional security protection adds no undue burden to the legitimate users of properly authenticated client devices.