Enterprises and other organizations implement network access control in order to control the ability of endpoint devices to communicate on a computer network. For example, an enterprise may implement a computer network that includes an email server. In order to prevent unauthorized users from communicating with this email server, the enterprise may implement a network access control system that prevents unauthorized users from sending network communications on the computer network unless the users provide a correct username and password. In another example, an enterprise may wish to prevent devices that are infected with computer viruses from communicating with devices on a network of the enterprise. In this example, the enterprise may implement a network access control system that prevents devices that do not have current anti-virus software from communicating on the network.
Enterprises may use the 802.1X protocol to implement network access control. Three separate types of devices are typically present in networks that implement network access control using the 802.1X protocol. These devices typically include: supplicant devices, policy decision points, and policy enforcement points. Supplicant devices are devices that are attempting to connect to the network. Policy decision points evaluate information from the supplicant devices in order to decide whether to grant the supplicant devices access to a network. Policy enforcement points enforce the decisions made by the policy decision points with regard to individual supplicant devices.
A supplicant device may send a connection request in the 802.1X protocol to the policy enforcement point. This connection request may consist of a series of 802.1X messages that the policy enforcement point forwards to the policy decision point. The policy decision point may send responses back to the policy enforcement point, and the policy enforcement point may forward these responses back to the supplicant device. These 802.1X messages may include security credentials (e.g., a username and password) and information about the “health” of the supplicant device.
The “health” information of the supplicant device may specify information that is relevant in determining whether the supplicant device is correctly configured. For example, the “health” information may specify whether the most current operating system patch is installed on the supplicant device, whether the most current version of anti-virus software has been installed on the supplicant device, and other information. Depending on the security credentials and the “health” information from the supplicant, the policy decision point may instruct the policy enforcement point to allow the supplicant device to communicate with resources on a network. For example, the policy decision point may instruct the policy enforcement point to associate communications from the supplicant with a particular virtual local area network (VLAN) that includes various resources.
Enterprises may also use other strategies to implement network access control, such as inserting firewalls between endpoint devices and server resources. In order to access the protected server resources, an endpoint device provides identity information and health information to a policy decision point. If the identity information and health information conform to the policy decision point's policies, the policy decision point may provision access to server resources for the endpoint device through firewalls (which are the policy enforcement points in this strategy).
Enterprises may combine multiple network access control strategies.
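The following is an added example, not part of the original text: a small Python model of the decision flow described above, in which a policy decision point first checks a supplicant's credentials, then its “health” information (operating system patch level and anti-virus version), and returns a decision that two kinds of policy enforcement point apply in their own way. The switch-style enforcement point maps the decision to a VLAN (production, remediation, or no access), while the firewall-style enforcement point provisions allow rules toward protected servers only on a full “allow”. All usernames, passwords, patch levels, VLAN numbers, server names, and the posture-check policy are constructed for illustration.

```python
"""Constructed model of an 802.1X-style network access control decision.

Flow modelled: supplicant -> policy enforcement point -> policy decision
point, with the decision enforced either as a VLAN assignment or as
firewall rules. Every value below is a constructed assumption.
"""
from dataclasses import dataclass, field
import hashlib
import hmac


def _verifier(password: str, salt: bytes) -> bytes:
    """Derive a password verifier so plaintext passwords are never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


SALT = b"constructed-salt"                       # constructed
USER_STORE = {"alice": _verifier("correct horse", SALT)}  # constructed user

POLICY = {                                       # constructed policy
    "required_os_patch": 202405,    # assumed: patch levels compare as ints
    "required_av_version": (5, 2),  # assumed: (major, minor) tuples
    "production_vlan": 100,
    "remediation_vlan": 900,
    "protected_servers": ["mail.example.internal"],
}


@dataclass
class Supplicant:
    username: str
    password: str
    os_patch: int
    av_version: tuple
    mac: str


@dataclass
class Decision:
    outcome: str                    # "allow", "remediate", or "deny"
    reasons: list = field(default_factory=list)


def authenticate(s: Supplicant) -> bool:
    """Credential check: constant-time compare against the stored verifier."""
    stored = USER_STORE.get(s.username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _verifier(s.password, SALT))


def evaluate_health(s: Supplicant) -> list:
    """Return the list of posture failures; an empty list means healthy."""
    failures = []
    if s.os_patch < POLICY["required_os_patch"]:
        failures.append("os_patch_outdated")
    if s.av_version < POLICY["required_av_version"]:
        failures.append("antivirus_outdated")
    return failures


def policy_decision(s: Supplicant) -> Decision:
    """Policy decision point: credentials first, then health information."""
    if not authenticate(s):
        return Decision("deny", ["bad_credentials"])
    failures = evaluate_health(s)
    if failures:
        return Decision("remediate", failures)
    return Decision("allow")


def enforce_vlan(s: Supplicant, d: Decision) -> dict:
    """Switch-style enforcement point: map the decision to a port VLAN."""
    if d.outcome == "allow":
        return {"mac": s.mac, "vlan": POLICY["production_vlan"]}
    if d.outcome == "remediate":
        return {"mac": s.mac, "vlan": POLICY["remediation_vlan"]}
    return {"mac": s.mac, "vlan": None}         # port stays unauthorized


def enforce_firewall(s: Supplicant, d: Decision) -> list:
    """Firewall-style enforcement point: provision rules only on 'allow'."""
    if d.outcome != "allow":
        return []
    return [f"allow {s.mac} -> {srv}" for srv in POLICY["protected_servers"]]


def process(s: Supplicant) -> tuple:
    """Run one supplicant through decision and both enforcement styles."""
    d = policy_decision(s)
    return d, enforce_vlan(s, d), enforce_firewall(s, d)


if __name__ == "__main__":
    samples = [  # constructed supplicants: healthy, outdated AV, unknown user
        Supplicant("alice", "correct horse", 202405, (5, 2), "00:11:22:33:44:01"),
        Supplicant("alice", "correct horse", 202405, (5, 1), "00:11:22:33:44:02"),
        Supplicant("bob", "guess", 202405, (5, 2), "00:11:22:33:44:03"),
    ]
    for sup in samples:
        print(sup.username, *process(sup))
```

The decision order matters: credentials are checked before posture so that an unauthenticated device learns nothing about which health checks it would fail, and a device with valid credentials but stale anti-virus lands on a remediation VLAN rather than being silently admitted to production.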