The present invention relates to digital networks, and more particularly, to the problem of associating a user to the proper VLAN in a network.
Digital networks have rapidly become the backbone of many enterprises, small and large. As these networks become more vital to enterprise operation, their security and integrity also become more vital. A central issue involves just which network resources a user of the network should be allowed to access. One way of addressing access issues is to segregate network devices using virtual local area networks (VLANs). Different VLANs on the same physical network may offer different levels of access to resources. For example, one VLAN may be for guests, with filtered access to the Internet and no access to enterprise resources. Different enterprise VLANs may offer access to different groupings of enterprise resources.
The issue becomes, then, one of assigning network users to the proper VLAN. When a user device is connected to the network, it must be assigned to a VLAN and given an address through a DHCP server associated with that VLAN.
In wired networks, one approach is to associate all unused wired ports with a limited-access VLAN such as a guest VLAN. When a client device connects to a port on a network device, the network device tries to recognize the client by its MAC address. If the client is recognized, it is connected to the VLAN associated with that MAC address, and further processing for DHCP, authentication, and the like takes place on that VLAN. If the client is not recognized, it stays on the limited-access VLAN, which may restrict connections to, for example, a captive portal.
The network device snoops traffic on the port for this limited access VLAN looking for 802.1x authentication traffic. If 802.1x authentication packets are detected, they are forwarded by the device to the proper 802.1x authentication server. The network device also snoops return packets from the 802.1x authentication server. If the authentication succeeds, the network device picks out the new VLAN for the client.
The client device must now be transferred to the new VLAN and a new address assigned to it. This is commonly done using the artifice known as port flapping, where the port to which the client is connected is disabled or turned off, and then re-enabled or turned on.
This port flapping should cause a well-behaved client to disconnect and attempt to reconnect, restarting address acquisition through DHCP. The network device will now recognize the client's MAC address, assign it to the VLAN specified in the 802.1x authentication, and further processing including DHCP will proceed on the new VLAN.
Unfortunately, port flapping does not always work, or is not available. As an example, port flapping is not available over wireless LANs. Port flapping is not appropriate when multiple supplicants are involved. Some clients are not well behaved; for example, they may begin the 802.1x authentication process before an address has been resolved through DHCP, or may not respond to port flapping in a predictable manner.
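The following is an added model of the port-based assignment and port-flapping procedure described above; it is illustrative code written for this page, not the patent's own implementation. The VLAN numbers, MAC addresses, credential strings, address format and the `AuthServer` class are all constructed for the example; a real network device would relay EAP over 802.1x to a separate authentication server rather than call a local policy table. The model covers both outcomes the text describes: a well-behaved client that restarts DHCP after the flap ends up with an address on its new VLAN, while a client that ignores the flap keeps its guest-VLAN address on a port that is now in a different VLAN.

```python
from dataclasses import dataclass
from typing import Dict, Optional

GUEST_VLAN = 100  # constructed: the limited-access VLAN every unused port starts in


@dataclass
class Client:
    mac: str
    credential: str
    reconnects_on_flap: bool = True   # a "well-behaved" client restarts DHCP after a flap
    vlan: Optional[int] = None        # VLAN on which the client last obtained an address
    address: Optional[str] = None


@dataclass
class Port:
    vlan: int = GUEST_VLAN
    client: Optional[Client] = None
    enabled: bool = True


class AuthServer:
    """Stand-in (constructed) for the 802.1x authentication server: credential -> VLAN."""

    def __init__(self, policy: Dict[str, int]):
        self.policy = policy

    def authenticate(self, credential: str) -> Optional[int]:
        # The VLAN for an accepted credential, None for a rejection.
        return self.policy.get(credential)


class NetworkDevice:
    def __init__(self, auth_server: AuthServer):
        self.auth_server = auth_server
        self.mac_table: Dict[str, int] = {}   # MAC -> VLAN learned from a prior authentication
        self.ports: Dict[int, Port] = {}
        self._next_host = 10

    def _dhcp(self, client: Client, vlan: int) -> None:
        # constructed: each VLAN has its own DHCP server handing out 10.<vlan>.0.x
        self._next_host += 1
        client.vlan = vlan
        client.address = f"10.{vlan}.0.{self._next_host}"

    def connect(self, port_id: int, client: Client) -> int:
        """Client plugs in: a recognised MAC goes to its VLAN, an unknown one stays on guest."""
        port = self.ports.setdefault(port_id, Port())
        port.client = client
        port.vlan = self.mac_table.get(client.mac, GUEST_VLAN)
        self._dhcp(client, port.vlan)        # DHCP runs on whichever VLAN the port is in
        return port.vlan

    def snoop_8021x(self, port_id: int) -> int:
        """Relay the snooped 802.1x exchange; on success, move the client to the returned VLAN."""
        port = self.ports[port_id]
        client = port.client
        new_vlan = self.auth_server.authenticate(client.credential)
        if new_vlan is None:
            return port.vlan                 # rejected: client stays on the limited-access VLAN
        self.mac_table[client.mac] = new_vlan
        self._flap(port_id)
        return port.vlan

    def _flap(self, port_id: int) -> None:
        """Disable and re-enable the port so the client re-acquires an address."""
        port = self.ports[port_id]
        client = port.client
        port.enabled = False
        port.enabled = True
        # On re-enable the device recognises the MAC and places the port in its new VLAN.
        port.vlan = self.mac_table.get(client.mac, GUEST_VLAN)
        if client.reconnects_on_flap:
            self._dhcp(client, port.vlan)    # well-behaved: DHCP restarts on the new VLAN
        # otherwise the client keeps the lease it obtained on the guest VLAN

    def address_matches_port(self, port_id: int) -> bool:
        """True when the client's address was obtained on the VLAN its port is now in."""
        port = self.ports[port_id]
        return port.client is not None and port.client.vlan == port.vlan


def demo() -> dict:
    server = AuthServer({"alice-cert": 200, "bob-cert": 300})  # constructed policy
    dev = NetworkDevice(server)
    good = Client("00:11:22:33:44:55", "alice-cert")
    stuck = Client("66:77:88:99:aa:bb", "bob-cert", reconnects_on_flap=False)
    outsider = Client("cc:dd:ee:ff:00:11", "no-such-cert")
    for pid, c in ((1, good), (2, stuck), (3, outsider)):
        dev.connect(pid, c)
        dev.snoop_8021x(pid)
    return {
        "good": (dev.ports[1].vlan, good.vlan, dev.address_matches_port(1)),
        "stuck": (dev.ports[2].vlan, stuck.vlan, dev.address_matches_port(2)),
        "outsider": (dev.ports[3].vlan, outsider.vlan, dev.address_matches_port(3)),
        "recognised_next_time": dev.connect(4, Client(good.mac, "alice-cert")),
    }


if __name__ == "__main__":
    print(demo())
```

The `address_matches_port` check is the detail to watch: for the client that does not reconnect, the port has moved to VLAN 300 while the client still holds a VLAN 100 address, which is the stranded state that motivates looking for a reassignment method that does not rely on the client's reaction to a flap.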
What is needed is a way of reassigning clients to VLANs.