Enterprises and other organizations implement network access control in order to control the ability of endpoint devices to communicate on a computer network. For example, an enterprise may implement a computer network that includes an email server. In order to prevent unauthorized users from communicating with this email server, the enterprise may implement a network access control system that prevents unauthorized users from sending network communications on the computer network unless the users provide a correct username and password. In another example, an enterprise may wish to prevent devices that are infected with computer viruses from communicating with devices on a network of the enterprise. In this example, the enterprise may implement a network access control system that prevents devices that do not have current anti-virus software from communicating on the network.
Enterprises may use the 802.1X protocol to implement network access control. Three separate types of devices are typically present in networks that implement network access control using the 802.1X protocol. These devices typically include supplicant devices, policy decision points, and policy enforcement points. Supplicant devices are devices that are attempting to connect to the network and may be referred to as endpoint devices. Policy decision points evaluate information from the supplicant devices in order to decide whether to grant the supplicant devices access to a network. An example of a policy decision point may include an authentication server. These policy decision points may also be referred to as network access control devices in the sense that these devices control or make the decisions regarding network access to the network by supplicant devices. Policy enforcement points enforce the decisions made by the policy decision points with regard to individual supplicant devices. One example of a policy enforcement point is a layer two (L2) switch or access point.
An endpoint device may send a connection request in the 802.1X protocol to the L2 switch. This connection request may consist of a series of 802.1X messages that the L2 switch may forward to the authentication server. The authentication server may send responses back to the L2 switch, and the L2 switch may forward these responses back to the endpoint device. These 802.1X messages may include security credentials (e.g., a username and password) and information about the “health” of the endpoint device. This health information may, for example, include information indicating whether the most current operating system patch is installed on the supplicant device, whether the most current version of anti-virus software has been installed on the supplicant device, and other information.
Enterprises may also use other strategies to implement network access control, such as inserting firewalls between endpoint devices and server resources or other network resources. In order to access the protected server resources, an endpoint device provides identity information and health information to an authentication server. If the identity information and health information conform to the authentication server's authentication policies, the authentication server may provision access to server resources for the endpoint device through the firewalls (which may represent policy enforcement points in this strategy).
Often, in this network access control strategy, the firewalls or other policy enforcement points may detect malware or other malicious or spurious traffic originating from an authenticated endpoint device. In response to detecting this malicious traffic, the firewall may inform the authentication server that the endpoint device originating this malicious traffic is in violation of current authentication policies. The authentication server, which again may represent one example of a network access control device, may then quarantine the infected endpoint device that is originating the malicious traffic, often by moving this endpoint device to a quarantine virtual local area network (VLAN) that has limited or no access to any network resources. Yet, the process of informing the authentication server of the infected endpoint device and moving the infected endpoint device to the quarantine VLAN may not occur in sufficient time to prevent the infected endpoint device from infecting other endpoint devices, thereby resulting in the spread of the malware throughout the entire enterprise network.
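The following is an added example, not part of the patent text and not any vendor's implementation, that models the two flows described above in a small simulation: the 802.1X-style admission decision in which the policy decision point (authentication server) checks credentials and health information before the policy enforcement point (switch or firewall) assigns a VLAN, and the later violation report in which the enforcement point sees malicious traffic from an already-authenticated endpoint and the decision point moves it to a quarantine VLAN. All names, VLAN numbers, the credential store, the policy thresholds and the health-report fields are constructed for the example.

```python
"""Toy network access control: a policy decision point (PDP) plus a policy
enforcement point (PEP).  Constructed example; not a real NAC product."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# VLAN assignments used by the enforcement point (constructed values).
PRODUCTION_VLAN = 100
QUARANTINE_VLAN = 999      # limited or no access to network resources
NO_ACCESS = None           # port left unauthorized: credentials rejected

# Health policy the decision point enforces (constructed thresholds).
REQUIRED_OS_PATCH_LEVEL = 42
REQUIRED_AV_VERSION = (5, 2, 0)


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the store never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed credential store: username -> (salt, pbkdf2 hash).
_EXAMPLE_SALT = b"example-salt-for-this-toy-only"
CREDENTIALS = {"alice": (_EXAMPLE_SALT, _hash_password("correct horse", _EXAMPLE_SALT))}


@dataclass
class HealthReport:
    """Health claims carried in the supplicant's 802.1X messages."""
    os_patch_level: int
    av_version: tuple


@dataclass
class Decision:
    granted: bool
    vlan: Optional[int]
    reason: str


class PolicyDecisionPoint:
    """Authentication server: evaluates identity + health, records sessions."""

    def __init__(self) -> None:
        self.sessions: dict[str, Decision] = {}   # endpoint MAC -> latest decision

    def authenticate(self, mac: str, username: str, password: str,
                     health: HealthReport) -> Decision:
        entry = CREDENTIALS.get(username)
        # Constant-time compare against a computed hash; unknown users still fail.
        if entry is None or not hmac.compare_digest(entry[1], _hash_password(password, entry[0])):
            decision = Decision(False, NO_ACCESS, "bad credentials")
        elif health.os_patch_level < REQUIRED_OS_PATCH_LEVEL:
            decision = Decision(False, QUARANTINE_VLAN, "operating system patch out of date")
        elif health.av_version < REQUIRED_AV_VERSION:
            decision = Decision(False, QUARANTINE_VLAN, "anti-virus out of date")
        else:
            decision = Decision(True, PRODUCTION_VLAN, "identity and health conform to policy")
        self.sessions[mac] = decision
        return decision

    def report_violation(self, mac: str, detail: str) -> Decision:
        """Called by a PEP that saw malicious traffic from an authenticated endpoint."""
        decision = Decision(False, QUARANTINE_VLAN, f"policy violation: {detail}")
        self.sessions[mac] = decision
        return decision


class PolicyEnforcementPoint:
    """L2 switch or firewall: applies the PDP's decisions to its port/VLAN table."""

    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self.pdp = pdp
        self.port_vlan: dict[str, Optional[int]] = {}

    def connect(self, mac: str, username: str, password: str,
                health: HealthReport) -> Decision:
        # Forward the supplicant's credentials and health to the PDP, enforce the answer.
        decision = self.pdp.authenticate(mac, username, password, health)
        self.port_vlan[mac] = decision.vlan
        return decision

    def observe_traffic(self, mac: str, is_malicious: bool) -> Optional[Decision]:
        """Report malicious traffic from a production endpoint; move it to quarantine."""
        if is_malicious and self.port_vlan.get(mac) == PRODUCTION_VLAN:
            decision = self.pdp.report_violation(mac, "malicious traffic observed")
            self.port_vlan[mac] = decision.vlan
            return decision
        return None   # not on the production VLAN, nothing to escalate


if __name__ == "__main__":
    pep = PolicyEnforcementPoint(PolicyDecisionPoint())
    healthy = HealthReport(os_patch_level=42, av_version=(5, 2, 0))
    print(pep.connect("aa:bb:cc:00:00:01", "alice", "correct horse", healthy))
    print(pep.observe_traffic("aa:bb:cc:00:00:01", is_malicious=True))
```

Everything between `observe_traffic` seeing the traffic and `port_vlan` being rewritten is the window the paragraph above describes: in a real deployment that span covers the firewall's detection, the report to the authentication server and the switch reconfiguring the port, during which the endpoint is still on the production VLAN.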