There is an increasing demand for flexible security features for controlling access to data communications networks. This is due, in large part, to an increase in the use of a wide variety of portable computing and communication devices such as laptop computers and Voice over Internet Protocol (VoIP) telephones. These devices, which often use different protocols for access and security, can be easily moved from one network access point to another, or from one network to another network. While such mobility and ease of access may be desirable from an end-user perspective, it creates significant concerns from the perspective of network access and security.
For wired networks, recent security solutions from network vendors have involved pushing authentication and access functions out to the layer 2 port, such as to a layer 2 switch. Typical solutions involve user authentication at the layer 2 switch in accordance with protocols defined by, for example, the IEEE 802.1X standard. However, at present, only a small percentage of portable computing devices provide 802.1X support (i.e., have embedded 802.1X client software). When a user device does not support the user authentication protocol, conventional layer 2 switches drop the offending device and deny access to the network. In other words, conventional switches employ a binary protocol as a first step, wherein access depends on whether the user device supports a particular user authentication protocol, such as a user authentication protocol in accordance with the IEEE 802.1X standard.
This conventional method of authentication and access limits the flexibility of conventional layer 2 switches. For example, in a common enterprise scenario, a visitor to an organization attends a meeting in a conference room that is fully wired for access to the organization's local area network (LAN). A sophisticated user authentication protocol, such as a user authentication protocol in accordance with the IEEE 802.1X standard, allows authorized users access to one or more virtual local area networks (VLANs). However, if the visitor's laptop computer does not support the user authentication protocol, then conventional layer 2 switches will deny all access to the organization's LAN. As a result, the visitor would not be able to perform such basic functions as checking e-mail on the Internet, placing or receiving a VoIP telephone call, or availing herself of other online functions that would not otherwise compromise organizational security.
What is needed, then, is an access solution that improves upon and addresses the shortcomings of known access and authentication solutions.