The field relates to communications networks in which subnetworks are employed.
If the number of users of a network is very large, the performance may be degraded by broadcast traffic, such as ARP and DHCP requests. Each device on the network generates a certain amount of broadcast traffic, which every other device must receive and examine to at least some degree, whereby the burden of broadcast processing rises as the square of the number of devices on the network. The degradation due to this effect can become significant even when the network traffic is well within the capacity of the physical transmission medium.
A common solution, described by Mogul and Postel (RFC 950, which is incorporated by reference) is to divide the network into subnets. Subnets can be implemented physically by using separate local-area networks (LANs), or logically by partitioning into virtual LANs (VLANs) as in IEEE 801.1Q, or by a combination of the two techniques. Any particular user's impact is then limited to the specific subnetwork to which the user is assigned. However, in the context of administering a large network, this solution still poses problems, related to the method of assigning users to subnets.
A simple method would be to use the same technique for wireless users as has historically been used for wired users, namely, determining the subnet from the physical location or port through which the user accesses the network. A known disadvantage of this method is that a mobile user who moves across a subnet boundary will lose connectivity at the network layer (Layer 3 of the OSI model). This method may therefore not be optimal for applications that require continuous connectivity while a user moves, e.g. IP telephones. Even if the user is not in motion, location-based subnet assignment may not be optimal if the user is close to a boundary between two wireless coverage areas that use different subnets, because fluctuations in the radio signal could cause the user's equipment to alternate between the coverage areas, losing connectivity each time.
Although location-based subnet assignment can (with the above-noted disadvantages) accomplish one purpose of subnets by reducing the number of users per subnet, it thwarts another important purpose of subnets, namely the separation of traffic by access privilege.
An alternative to location-based subnet assignment is to base the subnet assignment on the user's identity. Identity-based VLAN assignment is implemented in current products from, e.g., Trapeze Networks. The user's VLAN assignment is considered to be an authorization attribute of the user, and so an administrator configures it as part of the user's AAA information in an AAA server, which is typically a Radius server. This administrative effort is justified, and identity-based authorization is especially advantageous, if there is a managerial or security motivation for placing particular users into particular subnets. However, if the number of users is so large as to motivate dividing the network into subnetworks, then the administrative burden of assigning a subnet to each user will also be proportionately large.
RFC 2904 due to Vollbrecht, et al., which is incorporated herein by reference, shows frameworks for authorization in the typical context of AAA (Authentication, Authorization, and Accounting) for a network. This authorization framework is applicable to wireless or wired users. However, in the case of wireless users, the operations described in RFC 2904 must be preceded by other operations specific to establishing a wireless connection. For instance, in 802.11 wireless networks, these preliminary operations include an 802.11 association request from the wireless client device, identifying the client device by hardware (MAC) address. Typically the user's name, password, and/or other AAA parameters are exchanged after the association request has been accepted.
The 802.11 association request also includes a Service Set ID (SSID) that names a wireless service to which the client wishes to connect. If the service equipment supports multiple subnets or VLANs, a common (although not mandatory) implementation choice is to identify an SSID with each VLAN. In that method, the user's request to associate through a given SSID implies that the subsequent authorization processing should connect the user to the VLAN corresponding to that SSID. In that case there is no explicit authorization request from the user, although again, authorization parameters can be obtained from the AAA server as a side effect of authentication.
These and other issues are addressed, resolved, and/or ameliorated using techniques described herein.