To prevent unauthorized access, it is often necessary for a network to authenticate its users to ensure that each user is who he or she claims to be. Conventional user authentication methods typically involve a brief interaction between a user and a network, wherein the user provides to the network a security identifier such as a secret password, a token device, a digital certificate, a biometric key, or a combination thereof. The network then verifies the security identifier against records of authorized users.
Conventional user authentication methods only produce a binary result—pass or fail. That is, if a user provides a security identifier that cannot be verified by the network, the user will be denied access completely. If the user's security identifier can be successfully verified, the user is often granted full access to the network. In some networks, each authorized user may have predetermined access privileges also known as a “role.” In this type of network, conventional user authentication methods still produce a binary result. That is, if the user is authenticated, he or she is assigned a predetermined role in the network. If the user is not authenticated, he or she will be completely locked out.
Except for a user-provided security identifier, conventional user authentication methods typically do not take into account any other factors in its decision to grant or deny access. That is, as long as a user enters a correct set of username and password, the user will be granted full access or a predetermined access privilege. In other words, conventional user authentication methods only care about who the user is, and do not pay attention to the circumstances in which the user accesses the network. Such conventional user authentication methods may make the network vulnerable to virus infections and/or malicious attacks. For example, a client device infected with virus may easily gain access to the network and put other devices at a greater risk of infection.
In addition, it is generally assumed that a network cannot trust client devices from which end-users access the network. Therefore, once a user disconnects from the network, the user's authentication with the network expires. The next time the user attempts to access the network, the user has to be re-authenticated. Even if the user does not leave the network but simply moves from one part of the network to another, the user may also have to go through a re-authentication process. To a network user, re-authentication can be inconvenient and sometimes annoying. For example, when roaming within a network, in each new location, a user may have to close some networked applications, get re-authenticated, and then restart the networked applications. As a result, in-network mobility may be burdened even for a legitimate user of the network.
Another problem with conventional user authentication methods lies in a general requirement that a client device requesting access to a network must be compatible with the authentication scheme supported by the network. A traditional network typically supports only one particular authentication scheme, which may be based on, for example, IEEE 802.1x standard, a Media Access Control (MAC) or Internet Protocol (IP) database, or Remote Authentication Dial In User Service (RADIUS) protocol. Such a network can only authenticate a client device that is pre-configured to work with the network's chosen authentication scheme. For example, a network that only supports the IEEE 802.1x standard may not be able to authenticate a client device that employs the RADIUS protocol. Some networks go even further by requiring trusted, proprietary client software to be pre-installed in client devices. These compatibility requirements tend to block otherwise legitimate users with incompatible devices and may cause frustration or dissatisfaction in network users.
In view of the foregoing, it would be desirable to provide a technique for authenticating network users which overcomes the above-described inadequacies and shortcomings.