A physical local area network (LAN) may include numerous network access devices (e.g., routers, switches, wireless access points, etc.) that communicate with one another (either directly or indirectly) to provide computing device(s) (e.g., laptop, smartphone, etc.) access to a wide area network (WAN). Thus, a network access device (NAD) is a piece of networking equipment, including hardware and software, which communicatively interconnects other equipment on the LAN (e.g., other network elements, computing devices). The WAN can include, for example, the Internet, where communication with the WAN is through an interface such as T1, T3, cable, Digital Subscriber Line (DSL), wireless (e.g., mobile cell tower), or the like.
The one or more network access devices within the LAN that are directly coupled to the WAN, or directly coupled to an interface device (e.g., a DSL modem), act as a gateway node for the LAN (a gateway to the WAN) on behalf of the other network access devices and network computing devices in the LAN. Network access devices that rely on (communicate with) one or more other network access devices to reach the WAN act as intermediate nodes of the LAN.
Generally, the access control rules must either be configured manually on each network access device (e.g., individual access points or switches), or, if a controller-based system is used, the rules are configured on the controller. Configuring access control rules manually on each network access device is cumbersome, time-consuming and error-prone. Using a controller-based system simplifies this somewhat, but controllers are expensive and each can support only a limited number of network access devices, after which additional controllers must be deployed and the access control rules synchronized between them. Also, if many network access devices are located in geographically disparate locations, synchronizing the access control rules can be confusing.
Some network equipment manufacturers allow assignment of access policy based only on dynamic host configuration protocol (DHCP) fingerprinting of the networked computing device. Essentially, one can set rules so that a device that uses a particular set of DHCP options will be automatically assigned to a specific “role” (access policy). This configuration must be done manually using the command-line interface on the network access device controller. Such a configuration is complex and error-prone. In order to set a policy assignment rule, the user must know the “magic” DHCP fingerprint string for the device type they wish to assign policies for. They must then log into the controller via the command-line interface and type commands to manually configure each rule. Policy assignment is based entirely upon the DHCP fingerprint. This is not an entirely reliable way of determining device type, as a number of different types of devices may use the same combination of DHCP options. Policy assignment is fixed on low-level details rather than on a high-level description that can be implemented differently over time. For instance, if Apple devices started using different DHCP options, it would be necessary to manually reconfigure the existing solutions.
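As an added illustration of the fingerprint-based assignment just described (example code, not part of the patent or any vendor's implementation), the following parses the option area of a DHCP message, derives the fingerprint from the Parameter Request List (option 55), and looks it up in a rule table. The rule table, role names and sample packets are constructed; two rules deliberately share one fingerprint so the lookup shows why an ambiguous match should fall back to a restricted role rather than guess.

```python
# Added example (not the patent's code): fingerprint a DHCP client from its
# Parameter Request List (option 55) and map it to a role; rules are constructed.
DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"

def parse_dhcp_options(options: bytes) -> dict:
    """TLV option area after the magic cookie: 0 = pad, 255 = end, else code,len,value."""
    if options[:4] != DHCP_MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    result, i = {}, 4
    while i < len(options):
        code = options[i]
        if code == 0:            # pad byte
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 2 > len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        result[code] = result.get(code, b"") + value  # repeated options concatenate (RFC 3396)
        i += 2 + length
    return result

def dhcp_fingerprint(options: bytes) -> str:
    # Fingerprint is the ordered list of requested option codes, e.g. "1,3,6,15".
    return ",".join(str(b) for b in parse_dhcp_options(options).get(55, b""))

# Constructed rules: (fingerprint, device label, role). The first two share one
# fingerprint, the collision the text warns about, so the lookup cannot trust it.
RULES = [
    ("1,3,6,15,119,252", "phone-type-A", "mobile-guest"),
    ("1,3,6,15,119,252", "laptop-type-B", "corporate"),
    ("1,3,6,15,31,33,43", "desktop-type-C", "corporate"),
]

def assign_role(options: bytes, default_role: str = "restricted") -> str:
    """Assign a role only when exactly one role matches; otherwise least privilege."""
    fp = dhcp_fingerprint(options)
    roles = {role for rule_fp, _, role in RULES if rule_fp == fp}
    return roles.pop() if len(roles) == 1 else default_role

def build_options(prl: bytes) -> bytes:
    """Constructed DHCPDISCOVER option area: message type (53) + option 55 + end."""
    return DHCP_MAGIC_COOKIE + b"\x35\x01\x01" + bytes([55, len(prl)]) + prl + b"\xff"

SAMPLE_DESKTOP = build_options(bytes([1, 3, 6, 15, 31, 33, 43]))      # -> "corporate"
SAMPLE_AMBIGUOUS = build_options(bytes([1, 3, 6, 15, 119, 252]))     # -> "restricted"
```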