The present disclosure relates generally to the deployment and administration of authenticated computer networks. A software access controller is typically used in networks to authenticate clients trying to get access to the network. These individual clients are typically paid subscribers wanting to access the Internet. The controller acts as a conduit to authenticate their credentials with a central server before granting that access.
A typical controller has three major network interfaces: a downlink interface for accepting connections from clients, a RADIUS interface (which may be a link to an authentication, authorization, and accounting (AAA) server) for authenticating clients, and an uplink interface for forwarding traffic to other networks (e.g., the Internet).
Authentication of clients is often performed by an external RADIUS server, wherein information about a client may be stored in either an authenticated or an unauthenticated state. If unauthenticated, web requests from the client are redirected to an authentication web server commonly known as a captive portal, whereby “captive” clients may obtain authentication by submitting user or device credentials that, once authenticated, permit access to the web or other network.
In a typical application, unauthenticated clients are forwarded to a web server (i.e., the captive portal) and prompted for a username and password. The web server forwards these user credentials to the access controller by means of web browser redirects. From the access controller, authentication requests are forwarded to the RADIUS server. If authentication is successful, the state of the client is changed to authenticated, and the client is granted access to the network outside the captive portal by the access controller.
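The control flow just described, as an added example that is not part of the original disclosure: a minimal access-controller model with a per-client state table, redirection of unauthenticated web requests to the captive portal, and a state change only after the RADIUS check succeeds. The credential table standing in for the RADIUS server, the `session_ttl` expiry and the client identifiers are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import quote

class State(Enum):
    UNAUTHENTICATED = "unauthenticated"
    AUTHENTICATED = "authenticated"

# Constructed stand-in for the external RADIUS/AAA server: a fixed credential
# table. A real controller sends an Access-Request and waits for Access-Accept.
RADIUS_USERS = {"alice": "correct-horse"}

def radius_authenticate(username: str, password: str) -> bool:
    return RADIUS_USERS.get(username) == password

@dataclass
class AccessController:
    portal_url: str
    session_ttl: float = 3600.0                   # assumption: authenticated state expires
    sessions: dict = field(default_factory=dict)  # client id (e.g. MAC) -> expiry time

    def state_of(self, client: str, now: float) -> State:
        expiry = self.sessions.get(client)
        if expiry is not None and now < expiry:
            return State.AUTHENTICATED
        self.sessions.pop(client, None)  # expired entries fall back to unauthenticated
        return State.UNAUTHENTICATED

    def handle_downlink(self, client: str, url: str, now: float):
        """Web request arriving on the downlink interface. Authenticated clients
        are forwarded to the uplink; all others are redirected to the captive
        portal, carrying the originally requested URL."""
        if self.state_of(client, now) is State.AUTHENTICATED:
            return ("uplink", url)
        return ("redirect", f"{self.portal_url}?orig={quote(url, safe='')}")

    def handle_portal_credentials(self, client: str, username: str,
                                  password: str, now: float) -> bool:
        """Credentials relayed by the portal (via browser redirect) are checked
        against RADIUS; only on success does the client's state change."""
        if radius_authenticate(username, password):
            self.sessions[client] = now + self.session_ttl
            return True
        return False
```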
In these computer systems, the network path through which access control is performed (i.e., the “control path”) and the network path through which network traffic (e.g., website data) is transferred (i.e., the “data path”) are the same. This means that the access controller controls the flow of both the control path and the data path, and it is thus a single point of failure in the network. For this reason, the access controller needs to function as a router (or be part of a router) in the data path and must sustain high computing loads. Hardware requirements for the access controller are therefore high since it must handle multiple paths of traffic simultaneously. These requirements are burdensome to network operators by increasing costs and reducing options when an access controller malfunctions. Furthermore, client devices must be authenticated by the access controller every time information is exchanged through the access controller in such network configurations, so network performance is slowed to the detriment of the user experience.
When clients in the network are divided into sub-networks, each sub-network must be linked to a router by a dedicated access controller directing the control and data paths. It may be prohibitively expensive to provide a robust access controller at each of these sub-networks as the size of the overall network grows. Also, as the number of sub-networks grows, routers must handle ever-increasing loads imposed by the sub-networks' access controllers. Thus, the conventional model limits the total scalability of the system.
As these networks proliferate, customers and network providers have felt an increasing need for lower-cost and better-scaling solutions.