As high-speed wired and wireless access to the Internet becomes more and more common, many people choose to access proprietary institutional networks using their mobile computing devices via the Internet instead of more traditional means of access and authentication, such as network-specific, pre-authenticated devices, or virtual private networks (VPNs). For example, in addition to accessing a company's private network from the office, employees may wish to access the company's private network from home, a coffee shop, an airport, a hotel room or even a vehicle. Likewise, students and professors may access a university network from school, home, or other off-campus locations. At the office or at school, the user may have direct access to the private institutional network, but from other locations, the user first accesses the Internet, and then, via the Internet connection, accesses the private network.
Typically, only authenticated users are allowed to access a proprietary network. User authentication can be accomplished using methods such as password verification, time-based token verification, etc. Moreover, the network administrators generally require that a device such as a laptop or tablet computer used to access the private network be compliant with certain network policies. For example, the device may be inspected to determine if it is free of viruses and malware, if a token or certificate exists, and whether a required version of software is installed. These precautionary measures can mitigate the risk that an unauthorized user may gain access to computing resources and proprietary information and that such information may be accidentally or intentionally disclosed, modified and/or destroyed. A system that performs user authentication and the specified compliance checks is generally called a “network-access control” (NAC) system.
Some NACs also implement firewall functionality and enforce bandwidth and quality of service (QoS) requirements. A firewall typically provides security to the network by inspecting data packets received from an authenticated user and only allowing data packets from trusted sources to be received on certain ports. The enforcement of bandwidth and QoS specifications can ensure both that the authenticated user receives the allotted bandwidth and that the user does not exceed bandwidth constraints. These features can enhance the performance and security of computer networks.
Current systems for providing network access control include “central in-band” systems, “out-of-band” systems, and “distributed in-band” systems. In a typical central in-band system, a user's computer is connected via a switch to a private network. A dedicated in-line device, such as a server typically located higher up in the private network (e.g., at the aggregation switch or core layer of the network), manages user authentication and network policy enforcement. If the user's computer fails to meet one or more policy requirements, the dedicated device may perform corrective actions, or simply deny access. For example, the device may scan the computer for viruses and/or install a specific version of software.
A central in-band NAC usually allows for “seamless” connections to a private network as the user travels among different locations (referred to as “roaming”). When roaming, the user's computer connects to a switch other than the initial switch used to connect to the private network. However, because the dedicated device is still on the private network, the device can recognize that the user has been authenticated, and that the user's computer has been certified as meeting the network policy requirements. Therefore, the dedicated device allows the user to maintain access to the private network without requiring re-authentication or re-certification of the user's computer, even though the user's computer is now connected via a different switch. Seamless connectivity, as described above, can be beneficial to a user who roams frequently while staying connected to the private network, because user authorization and computer-compliance verification need not be repeated as the user moves around the network.
In a central in-band NAC system, however, the users may experience delays in data transfer (i.e., latency) because data from all users connecting to the private network must pass through the dedicated device. As the number of users attempting to access the private network increases, the latency also increases, and hence, the central in-band system is usually not scalable, i.e., it cannot support an arbitrarily large number of users. In addition, the dedicated device is a single point of failure. If the dedicated device fails, no user may be allowed access to the private network until the device is repaired or replaced. Typically, the only solution is to add more dedicated devices, requiring significant capital expenditure and support.
One approach to solving the challenges of a central in-band device is the use of an “out-of-band” system in which a switch that is used to connect to the Internet can also perform user authentication and enforce certain network policies. Unlike a central in-band system, an out-of-band NAC system provides access-control functionality through multiple switches, and hence, the system does not have a single point of failure. Specifically, if one switch fails, only the users attempting to connect via the failed switch lose access to the private network; users connecting via other switches can still access it. Moreover, in the out-of-band system, a single switch is generally not burdened with providing the network-access functionality to all users because different users gain access to the private network via different switches, each switch providing the network-access functionality only to a limited number of users. Therefore, the out-of-band system is usually more scalable.
FIGS. 1A and 1B illustrate two connection methods of an “out of band” NAC solution. In FIG. 1A, one or more wired users (also referred to as a “client” or “clients”) 12 are connected directly to an Ethernet switch 14. In FIG. 1B, one or more users (also referred to as a “client” or “clients”) 22 wirelessly connect to an autonomous access point (AP) 26, which is connected to an Ethernet switch 24.
In FIGS. 1A and 1B, the Ethernet switch 14, 24 acts as the NAC enforcement point (i.e., it provides virtual LAN (VLAN) assignment using, for example, IEEE 802.1Q VLAN tagging). An out-of-band NAC solution includes an out of band NAC element 52 that performs user authentication and communicates with the Ethernet switch 14 over logical connection 54. An out of band NAC element 58 performs user authentication and communicates with the Ethernet switch 24 over logical connection 56. However, the out of band NAC elements 52 and 58 do not process data transmitted and received by a “client,” such as wired user 12 or wireless user 22. The enforcement point (i.e., the switch 14 and the switch 24 in this example) stores the client's session information (e.g., access control list (ACL) and virtual local area network (VLAN) assignment) after the client completes the required authentication. The ACL specifies the traffic (e.g., destinations and ports) that a client certified as meeting the authorization and policy requirements is permitted to send and receive. The VLAN identifies the parts of the private network to which the authorized client may have access. As used herein, “client” may refer to a user seeking access to a private network, and also to the user's computing device (e.g., laptop or desktop computer, mobile device, smart phone, pad computer, gaming device, etc.).
FIG. 2 is a diagram further illustrating the “out of band” connection of FIG. 1B. In FIG. 2, a wireless client 32 initially connects wirelessly to a first autonomous access point AP1, 36. A first Ethernet switch, 34, to which autonomous AP1, 36 connects, is also logically connected to an “out of band” NAC element 60 over logical connection 64. The out of band NAC element 60 is physically connected to switch 48 over connection 59. The out of band NAC element 60 authenticates the client 32 and the client's session information (e.g., ACLs and VLAN) is configured and stored in the out of band NAC element 60. The autonomous AP1, 36 typically does not maintain the client's NAC session information. After authentication, the first Ethernet switch 34 forwards the client's traffic (i.e., data received from and sent to the client 32) based on policy enforcement rules.
If the authenticated wireless client 32 roams 38 to a different location, the client 32 may attempt to connect to the Internet via a second autonomous access point AP2, 46 which is connected to a second Ethernet switch 44. The first Ethernet switch 34 and the second Ethernet switch 44 are connected to a switch 48, which can be connected to a network 49 such as the Internet.
The Ethernet switches 34 and 44 generally cannot coordinate the session information pertaining to the client 32, and hence, the second Ethernet switch 44 does not know whether the client 32 has already been authorized. Accordingly, the second Ethernet switch 44 cannot forward the client's traffic, and the client's data packets from any active TCP/UDP connections are dropped until the client 32 successfully re-authenticates via the second Ethernet switch 44. The second Ethernet switch 44 is also logically connected to the out of band NAC element 60 over connection 66. Only after the re-authentication is the client's session information available at the second Ethernet switch 44, enabling the second Ethernet switch 44 to forward the client's data packets. Consequently, the wireless client 32 is not provided with seamless mobility (e.g., maintaining active TCP/UDP sessions as the user roams).
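The behaviour described for FIGS. 1A, 1B and 2 (the switch holding the client's ACL and VLAN locally, tagging permitted frames with IEEE 802.1Q, and dropping the client's frames at a second switch until re-authentication) can be modelled in a few dozen lines. The following is an added illustration, not code from the original document or from any particular NAC product. The switch names, the client MAC address, the credential directory and the convention that the first two payload bytes carry a TCP destination port are all constructed for the example; real switches would learn the port from a full IP/TCP header.

```python
"""Toy model of an out-of-band NAC enforcement point and the roaming gap.

Constructed example: an out-of-band NAC element authenticates clients but
never touches their data frames; each Ethernet switch keeps its own session
table (VLAN + ACL) and tags permitted frames with an IEEE 802.1Q header.
Because the session table is local, a client that roams to a second switch
is dropped until it re-authenticates there.
"""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100      # IEEE 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800

CLIENT_MAC = bytes.fromhex("0200c0ffee01")   # constructed client address
GATEWAY_MAC = bytes.fromhex("0200c0ffee99")  # constructed uplink address


@dataclass(frozen=True)
class Session:
    """Per-client state an enforcement switch stores after authentication."""
    vlan: int                   # 12-bit VLAN ID (1..4094)
    allowed_ports: frozenset    # TCP destination ports the client ACL permits


class OutOfBandNacElement:
    """Authenticates clients; by design it never sees client data frames."""

    def __init__(self, directory):
        # mac -> (secret, vlan, allowed ports); a constructed stand-in for
        # whatever backend (RADIUS, LDAP, ...) a real NAC element consults.
        self._directory = directory

    def authenticate(self, mac, secret):
        rec = self._directory.get(mac)
        if rec is None or rec[0] != secret:
            return None
        return Session(vlan=rec[1], allowed_ports=frozenset(rec[2]))


class EnforcementSwitch:
    """Ethernet switch acting as the NAC enforcement point."""

    def __init__(self, name, nac):
        self.name = name
        self._nac = nac
        self._sessions = {}     # mac -> Session; local to this switch only

    def authenticate(self, mac, secret):
        session = self._nac.authenticate(mac, secret)
        if session is not None:
            self._sessions[mac] = session
        return session is not None

    def ingress(self, frame):
        """Untagged client frame in; 802.1Q-tagged frame toward the uplink
        out, or None when the frame is dropped."""
        dst, src = frame[:6], frame[6:12]
        ethertype, dport = struct.unpack("!HH", frame[12:16])
        session = self._sessions.get(src)
        if session is None:
            return None         # no session on this switch: drop
        if ethertype != ETHERTYPE_IPV4 or dport not in session.allowed_ports:
            return None         # ACL deny
        # TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits); PCP and DEI are 0.
        tci = session.vlan & 0x0FFF
        return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + frame[14:]


def parse_8021q(frame):
    """Return (pcp, dei, vid, ethertype) from a tagged frame, or None."""
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        return None
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF, ethertype


def client_frame(dport):
    """Constructed untagged frame: dst, src, ethertype, 2-byte dport, padding."""
    return GATEWAY_MAC + CLIENT_MAC + struct.pack("!HH", ETHERTYPE_IPV4, dport) + b"\x00" * 44


def roaming_demo():
    """Walk the client through FIG. 2: auth at switch 34, roam to switch 44."""
    nac = OutOfBandNacElement({CLIENT_MAC: ("hunter2", 10, {80, 443})})
    sw34 = EnforcementSwitch("switch34", nac)
    sw44 = EnforcementSwitch("switch44", nac)
    frame = client_frame(dport=443)
    results = {}
    results["before_auth"] = sw34.ingress(frame)             # dropped
    if not sw34.authenticate(CLIENT_MAC, "hunter2"):
        raise RuntimeError("authentication unexpectedly failed")
    results["after_auth"] = sw34.ingress(frame)              # tagged VID 10
    results["acl_denied"] = sw34.ingress(client_frame(dport=22))  # dropped
    results["after_roam"] = sw44.ingress(frame)              # dropped: no session here
    sw44.authenticate(CLIENT_MAC, "hunter2")                 # re-authentication
    results["after_reauth"] = sw44.ingress(frame)            # tagged VID 10 again
    return results


if __name__ == "__main__":
    for step, out in roaming_demo().items():
        print(f"{step:13s}: {'dropped' if out is None else parse_8021q(out)}")
```

The point to take from the model is that nothing the NAC element 60 knows helps switch 44 until the client repeats the exchange with it; the session table is the switch's, not the network's, which is exactly the gap the text describes.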
Nevertheless, out-of-band systems also have some disadvantages. For example, a switch is typically not configured to provide a firewall and enforce bandwidth and QoS requirements. Furthermore, when a user's computer connects to a switch in an out-of-band system, that switch performs user authentication and network-policy-compliance verification. As a user roams from one switch to another, each switch must repeat these steps, and hence, the out-of-band system cannot provide seamless connectivity to a roaming user.
Accordingly, there is a need for an improved method and apparatus for providing network-access control.