Enterprises and other organizations implement network access control in order to control the ability of endpoint devices to communicate on a computer network. For example, an enterprise may implement a computer network that includes an email server. In order to prevent unauthorized users from communicating with this email server, the enterprise may implement a network access control system that prevents unauthorized users from sending network communications on the computer network unless the users provide a correct username and password. In another example, an enterprise may wish to prevent devices that are infected with computer viruses from communicating with devices on a network of the enterprise. In this example, the enterprise may implement a network access control system that prevents devices that do not have current anti-virus software from communicating on the network.
Enterprises may, in some examples, use the 802.1X protocol to implement network access control. Three separate types of devices are typically present in networks that implement network access control using the 802.1X protocol: supplicant devices, policy decision points, and policy enforcement points. Supplicant devices are devices that are attempting to connect to the network and may be referred to as endpoint devices. Policy decision points evaluate information from the supplicant devices in order to decide whether to grant the supplicant devices access to a network. An example of a policy decision point is an authentication server. Policy enforcement points enforce the decisions made by the policy decision points with regard to individual supplicant devices. One example of a policy enforcement point is a layer two (L2) switch or access point.
To gain access to protected network resources, a client executing on an endpoint device may establish a network access session with a network access control server executing on a network access control device. To establish the network access session, the client may issue a request to establish a network session to the network access control server and/or issue a request for one or more protected network resources on the network. The network access control server may authenticate the identity of users (e.g., based on one or more security credentials, such as a username/password combination) and grant access to authenticated users that satisfy the security policy implemented by the network access control server. In some cases, the security policy may grant access to all authenticated users. In other cases, the security policy may grant access only to authenticated users that meet other security requirements, such as user role requirements and/or endpoint device security requirements (e.g., health requirements). The endpoint device security requirements may, for example, include information indicating whether the most current operating system patch is installed on the supplicant device, whether the most current version of anti-virus software has been installed on the supplicant device, and other information.
After the user has been authenticated and any other security policy criteria are satisfied, the network access control server may establish a network access session with the user. For example, the network access control server may issue one or more policies to one or more enforcement devices that allow the authenticated user to access one or more sets of protected resources on the network. After the network access session has been established with the user, the user may be able to request access to other protected network resources without providing further authentication credentials to the network access control server (although the user may still provide credentials to the network resources if requested by the resources).
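The flow described above (supplicant presents credentials and endpoint health, the policy decision point authenticates and applies role and posture policy, allow rules are pushed to an enforcement point, and later resource requests are decided from the existing session without a second credential prompt) can be sketched in a few dozen lines. The following is an added example written for this page, not code from any product or standard; the user record, the minimum patch level and anti-virus version, the resource names and the role-to-resource policy are all constructed values, and the `EnforcementPoint` class is a stand-in for an L2 switch that merely records the policies it receives.

```python
"""Added example: a minimal 802.1X-style policy decision point (PDP).

Roles from the text: a supplicant presents credentials plus posture, the PDP
authenticates and evaluates policy (user role, endpoint health), and allow
rules are pushed to a policy enforcement point (PEP). Once a session exists,
later resource requests are authorised by session id alone.
All records, thresholds and resource names below are constructed.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Constructed policy: minimum OS patch level and anti-virus version required.
REQUIRED_OS_PATCH = 20240101
REQUIRED_AV_VERSION = (5, 2)

# Constructed resource policy: which roles may reach which protected resources.
RESOURCE_POLICY = {
    "mail-server": {"staff", "admin"},
    "switch-mgmt": {"admin"},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so stored credentials are not reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    role: str


@dataclass
class Posture:
    os_patch: int
    av_version: tuple


@dataclass
class Session:
    user: str
    role: str
    allowed: frozenset


class EnforcementPoint:
    """Stand-in for an L2 switch: records the allow policies the PDP pushes."""

    def __init__(self):
        self.allow_rules = {}  # session id -> frozenset of permitted resources

    def install_policy(self, session_id: str, resources: frozenset) -> None:
        self.allow_rules[session_id] = resources


class PolicyDecisionPoint:
    def __init__(self, pep: EnforcementPoint):
        self.users = {}
        self.sessions = {}
        self.pep = pep

    def add_user(self, name: str, password: str, role: str) -> None:
        salt = os.urandom(16)
        self.users[name] = UserRecord(salt, _hash_password(password, salt), role)

    def authenticate(self, name: str, password: str):
        rec = self.users.get(name)
        if rec is None:
            _hash_password(password, os.urandom(16))  # keep timing similar for unknown users
            return None
        if hmac.compare_digest(_hash_password(password, rec.salt), rec.pw_hash):
            return rec
        return None

    def posture_ok(self, posture: Posture) -> bool:
        # Endpoint health check: patch level and AV version must meet the policy minimums.
        return (posture.os_patch >= REQUIRED_OS_PATCH
                and posture.av_version >= REQUIRED_AV_VERSION)

    def open_session(self, name: str, password: str, posture: Posture):
        """Authenticate, apply policy, push allow rules to the PEP; return a session id or None."""
        rec = self.authenticate(name, password)
        if rec is None or not self.posture_ok(posture):
            return None
        allowed = frozenset(r for r, roles in RESOURCE_POLICY.items() if rec.role in roles)
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(name, rec.role, allowed)
        self.pep.install_policy(sid, allowed)
        return sid

    def request_resource(self, session_id: str, resource: str) -> bool:
        """Later request: decided from the established session, credentials are not re-checked."""
        sess = self.sessions.get(session_id)
        return sess is not None and resource in sess.allowed


def demo() -> dict:
    """Walk through a failed login, a failed health check, then a successful session."""
    pep = EnforcementPoint()
    pdp = PolicyDecisionPoint(pep)
    pdp.add_user("alice", "correct horse", "staff")  # constructed user
    healthy = Posture(os_patch=20240315, av_version=(5, 3))
    stale = Posture(os_patch=20230101, av_version=(5, 3))  # old OS patch level
    out = {
        "bad_pw": pdp.open_session("alice", "wrong", healthy),
        "stale_patch": pdp.open_session("alice", "correct horse", stale),
    }
    sid = pdp.open_session("alice", "correct horse", healthy)
    out["sid"] = sid
    out["mail"] = pdp.request_resource(sid, "mail-server")
    out["mgmt"] = pdp.request_resource(sid, "switch-mgmt")
    out["pep_rules"] = pep.allow_rules.get(sid)
    return out


if __name__ == "__main__":
    print(demo())
```

Two points worth noting in the design: the decision and the enforcement are separate objects, mirroring the PDP/PEP split, so a denied session never reaches the switch's rule table; and `request_resource` consults only the session, which is exactly what lets the user reach further resources without re-entering credentials.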
To expand the range of software services provided by an enterprise network, an enterprise may use web-based resources (e.g., web-based applications) that are provided by third-party-managed servers that are external to the enterprise network. For example, an enterprise may use a web-based email and calendar program to provide email and calendar services for an organization. Such web-based resources typically require minimal overhead, if any, in terms of additional hardware, software and/or administration, thereby providing time and cost savings to the enterprise in comparison to installing and maintaining such resources on a network server or on individual network devices.
To access such web-based resources, in some cases, a user may be required to submit authentication credentials to the web-based resource or to a third party that provides identity services for the web-based resource, even if the user has already submitted authentication credentials to establish the network access session with the network access control server. Requiring the user to re-authenticate in such cases may increase the amount of time it takes for a user to access resources in the network, cause password fatigue for users, and/or increase information technology (IT) infrastructure costs in order to manage multiple authentication sessions or multiple authentication credentials.