1. Field of the Invention
This invention relates in general to the field of network security technology and, more particularly, to a NAC method to implement roaming, and to an authentication server and a security policy server for roaming.
2. Description of the Related Art
As network applications spread and grow, network security becomes extremely important to corporations and enterprises. NAC technology is implemented mainly by means of access devices, authentication servers, and security policy servers. When an access terminal attempts to access the network, the access device directs it to the authentication server for authentication. After the access terminal passes authentication, the authentication server delivers a quarantine access policy and instructs the access device to apply it. At this point the access terminal can reach only a restricted network, called the quarantine network. The access terminal then sends a security check request to the security policy server. If the security policy server judges that the access terminal meets the requirements, it delivers a secure access policy, which the access device then applies. After that, the access terminal is allowed to access other network resources.
When NAC is introduced into the distributed network of a large-scale enterprise, public institution, or global corporation with many branch organizations, each branch organization must be configured with its own access device, authentication server, and security policy server. Each authentication server and security policy server stores information about all local users, including their authentication information and security policies, in order to authenticate network users, perform security checks on them, and control their access to the network. Security policies comprise the quarantine and secure access policies configured for the users, the check items, and so on.
Enterprise users registered on other branch networks may enter the local branch network as their work requires, for example on a business trip or during a temporary transfer. Because the local authentication server and security policy server do not store the authentication information and security policies of users from other branch networks, NAC roaming services usually require the cooperation of the home authentication server and home security policy server. These home servers are located on the network where the user's services were registered, and that home network is where the user's authentication information and security policies are stored.
To implement NAC for roaming terminals, the local authentication server forwards the authentication request it receives from a roaming terminal to the home authentication server, and then delivers to the access device the quarantine access policy returned by the home authentication server. Similarly, the local security policy server forwards the security check request it receives from a roaming terminal to the home security policy server, and then delivers the secure access policy returned by the home security policy server to the access device. The term roaming terminal, as used throughout this document, refers either to a local terminal used by a user from an external network or to an external network terminal used by such a user. A terminal is a network device such as a portable device or a desktop PC.
Although the preceding technical proposal can implement NAC for terminals accessing a visited network, implementations of this solution have limitations. The access device is preconfigured with the detailed contents of the access policies to be applied, whereas the authentication server or security policy server is configured only with access policy IDs. The access device looks up the detailed access policy corresponding to the ID delivered by the authentication server or security policy server, and then applies that policy.
Such a roaming proposal therefore requires network-wide unified access policies with corresponding IDs, so that the access device on the visited network can recognize the ID of an access policy sent by a home network device and retrieve the corresponding policy. Otherwise, the access device on the visited network cannot identify access policies sent by the home authentication server or home security policy server, and NAC for roaming terminals fails as a result. Configuring unified access policies on all authentication servers, security policy servers, and access devices across the network is a complex and tedious job, and it also clearly reduces the flexibility of configuring access policies, which restricts the use of NAC. Therefore, a widely applicable, easy-to-implement NAC method for roaming is urgently needed.
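As an added illustration that is not part of the patent text, the following constructed Python model runs the roaming flow described above: the visited server forwards a roaming user's request to the home server, which answers with a policy ID that the visited access device must resolve from its own preconfigured table. The same roaming user is admitted when branch B shares branch A's policy IDs and is denied when branch B uses its own IDs. All user names, branch names and policy IDs are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class PolicyServer:
    """Stands in for an authentication server or a security policy server.
    users: registered user -> policy ID this server delivers for that user.
    peers: home network name -> that network's server, used for forwarding."""
    users: dict
    peers: dict = field(default_factory=dict)

    def policy_id_for(self, user, home):
        if user in self.users:                  # local user: answer directly
            return self.users[user]
        home_server = self.peers.get(home)      # roaming user: ask the home server
        return home_server.users.get(user) if home_server else None

@dataclass
class AccessDevice:
    """Holds the detailed policy contents, keyed by policy ID, preconfigured locally."""
    policies: dict

    def apply(self, policy_id):
        # Only an ID arrives from the servers; an ID unknown here cannot be applied.
        return self.policies.get(policy_id)

def admit(user, home, visited_auth, visited_sps, device):
    """Authentication stage (quarantine policy), then security check (secure policy).
    Returns the list of applied policies, or "denied" if an ID cannot be resolved."""
    applied = []
    for server in (visited_auth, visited_sps):
        policy_id = server.policy_id_for(user, home)
        policy = device.apply(policy_id) if policy_id is not None else None
        if policy is None:
            return "denied"                     # NAC for the roaming terminal fails
        applied.append(policy)
    return applied

# Constructed sample data: alice is registered on branch A and visits branch B.
HOME = "A"
home_auth = PolicyServer({"alice": "Q1"})
home_sps = PolicyServer({"alice": "S1"})
visited_auth = PolicyServer({"bob": "Q-B"}, peers={HOME: home_auth})
visited_sps = PolicyServer({"bob": "S-B"}, peers={HOME: home_sps})
# Branch B device with network-wide unified IDs versus its own local IDs.
unified_device = AccessDevice({"Q1": "quarantine-net only", "S1": "full access"})
local_device = AccessDevice({"Q-B": "quarantine-net only", "S-B": "full access"})

def demo():
    return (admit("alice", HOME, visited_auth, visited_sps, unified_device),
            admit("alice", HOME, visited_auth, visited_sps, local_device))
```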