The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not admitted to be prior art by inclusion in this section.
A computer network typically includes computer processors or “hosts” that host software applications that provide or request services, or both. The hosts may be network terminals or end stations that do not perform network traffic routing or forwarding functions but merely produce or consume data. The hosts communicate with each other through network devices, also called intermediate devices, such as switches and routers, which do perform routing and forwarding functions. Some intermediate devices are themselves hosts for some routing or forwarding applications and services. Internet Protocol (IP) is often used for sending packets of information between processes running on hosts on a network. As used hereinafter, a server refers to a server process that provides a service and a client refers to a client process that requests a service, unless otherwise indicated to refer to the host or device on which the process executes. According to the Internet Protocol (IP), different hosts have different logical addresses, called IP addresses, which are used by the intermediate devices to route and forward data packets from one host to another.
A local area network (LAN) connects hosts in a relatively small geographic area for sharing resources. Resources shared on the LAN often include data files, devices such as printers, and applications such as word processors. LAN protocols function at the level of the physical connection between devices on the LAN, and the data link between the connection and the operating system on a device. In contrast, IP functions at a higher level where client and server processes send or receive data directed to each other. Intermediate devices that forward packets on the basis of their built-in, media access control (MAC) addresses are called switches. Intermediate devices that forward packets on the basis of administratively controlled, topologically relevant, logical addresses, such as IP addresses, are called routers.
Many LAN protocols give access to all resources on the LAN to every host physically connected to the LAN. In many circumstances, LAN administrators desire to control access to resources on the LAN by limiting physical connection to the LAN to certain authorized hosts.
An emerging LAN protocol for controlling access to LAN resources is defined by the Institute of Electrical and Electronics Engineers (IEEE) standard 802.1x. IEEE 802.1x provides LAN access control based on physical ports. In this context, a physical port is a single point physical connection, such as a single interface card, to an intermediate device on the LAN. A physical port may include a wireless interface that receives electromagnetic signals. Many intermediate devices, such as switches and routers, each have multiple interface cards. A physical port is an element of one of the interface cards on such an intermediate device. IEEE 802.1x provides a mechanism for authenticating and authorizing hosts attached to a LAN physical port, and of preventing access through that physical port in cases where the authentication and authorization process fail. The standard provides user-to-network authentication.
According to IEEE 802.1x, information is sent from a supplicant process, hereinafter called the supplicant, on the newly connected host to the intermediate device at the physical port. The information sent by the supplicant might be stored persistently on the host being connected; or the information might be received from a human user of the host, such as in response to prompts for user name and password; or some combination of stored and user-supplied information may be used. The intermediate device runs an authenticator process, hereinafter called the authenticator. The authenticator sends a request to an authorization, authentication and accounting (“AAA”) system based on the information from the supplicant. An example of an AAA system is a RADIUS (Remote Access Dial-In User Service protocol) server. The AAA system returns a response indicating whether the connection should succeed or fail. If the response indicates the connection fails, the intermediate device does not forward data communicated to the physical port from the host. If the response indicates the connection succeeds, the intermediate device does forward data communicated to the physical port from the host.
In addition to obtaining access to the network through the physical port, the host also must be configured for network operations. For example, a newly added host is assigned a logical network address for itself, a network address for the intermediate device that routes or forwards its traffic, and a network address of a domain name server (DNS), among other configuration information. The DNS converts unique names in a Universal Resource Locator (URL) address to one or more numeric, topologically relevant, IP addresses. Configuring a host is a tedious process to perform manually. The Dynamic Host Configuration Protocol (DHCP) provides a mechanism through which computers using IP can obtain network addresses and other configuration information automatically. The DHCP process is initiated after the physical connection is authorized using IEEE 802.1x.
According to a next generation Internet protocol packet format, also known as IP version 6 (“IPv6”), the number of different IP addresses, and the number of bits involved in specifying an IP address, are greatly expanded. IPv6 further allows each host to determine its own address to some degree. An intermediate device to which the host is connected advertises a range of contiguous addresses, called a subnet, from which the host may select an address. The host determines the last 64 bits of the address within the advertised subnet. Because the host determines its own address, it is said to “auto-configure” its address; and the address can be called an “auto-configured address.” According to IPv6, the host does not need to request an IP address or any other configuration information from a DHCP server before determining its address. The auto-configuration that proceeds without information about the state of the network from a DHCP server is sometimes said to be “stateless auto-configuration.”
In some circumstances, the host can be required to obtain configuration information, either including or excluding its IP address, from a DHCP server. Data included in the advertisements sent from the intermediate device indicates whether the host is required to obtain configuration information from a DHCP server.
After obtaining access through the physical port and receiving a configuration, a client on the user's host may request services from servers on the network using IP. In many circumstances, user authentication is also useful in IP communications. For example, based on the user of a client process, it is sometimes desirable to determine accounting information for billing purposes, to provide a minimum quality of service (QoS) according to a contract with the user, or to limit access by the user to certain servers, or to perform some combination of these functions. Many systems track such functions based on the IP address of the client. Intermediate devices serving as conventional gateways to the Internet, for example, control access to the Internet based on access control lists. Each access control list includes one or more entries consisting of source and destination IP addresses, a protocol or service identifier, and an action to perform on matching traffic, such as “permit” or “deny”. To utilize such systems, techniques for assigning IP addresses based on the user-to-network authentication process was developed, as described in Schnizlein et al.
A problem with this process arises when the IP address is a stateless auto-configured address allowed by IPv6. The stateless auto-configured address does not depend on information received from a server, such as a DHCP server. Therefore, the configuration server cannot produce an IP address assignment that is consistent with access policies defined by predetermined IP addresses.
For example, assume a hypothetical enterprise “ABC Corporation” has several employees with devices that connect to the corporate LAN. Some employees are allowed to connect to the Internet, and others are confined to the LAN. Under processes described in Schnizlein et al., the authentication information used to activate the connection under IEEE 802.1x is used to assign an IP address associated with the Internet access allowed to each employee. One set of IP addresses on the corporate network is used to assign addresses to employees allowed access to the Internet; another set of IP addresses on the corporate network is used to assign addresses to employees who are not allowed access to the Internet. When an employee confined to the LAN connects a device to an intermediate device under IPv6, however, the employee or device can select any IP address within a subnet. The selected IP address may not be within any set of IP addresses that are associated with the correct type of Internet access.
Based on the foregoing, there is a clear need for techniques that provide network controls per user when a host is allowed to define its own network address.
One approach is to require the user to provide information for the authentication and authorization system whenever requesting a network service. This approach would also modify all the network servers to send a request to the authorization and authentication system, such as the RADIUS server, based on the information from the user. Based on the response from the authorization and authentication system, the server would provide services associated with the privileges to be afforded to the user, such as accounting, QoS (Quality of Service) access to LAN resources, and access to the Internet.
However, this approach has numerous disadvantages. One disadvantage is that the user is subjected to entering the same identification and password information multiple times in response to prompts—once for the IEEE 802.1x process and again for each service with user based privileges, also called “per-user controls.” This multiplies the burden on the user, increases many times the chances of an entry mistake that causes the service to fail, decreases the quality of the user experience, and hinders the perceived utility of the network.
Another disadvantage is that a client process on the user's host, such as a DHCP client process, would have to be modified to prompt for the needed information. However, this approach is not practical because tens of millions of clients have already been deployed over the last decade without such a modification. It would be expensive and take many years to even replace a significant fraction of the deployed clients.
Based on the foregoing, there is a clear need for techniques that register auto-configured IP addresses, by associating them with user information, based on results from an authentication process. In particular, there is a need for a DHCP server that registers an auto-configured IP address based on results from processes following the IEEE 802.1x standard.