Computers and other devices are connected to a network in order to communicate with destinations available to that network. Destinations available to a network may include peripheral devices, such as storage, printers, fax communication devices and the like, an internal Intranet, and destinations on the Internet such as web sites and FTP sites and the like. Each of these destinations may be made available to the network via a computer system attached to the network, via a direct connection to the network, or via another network.
If a computer system or other device is connected to a conventional network, the computer system or device can be configured to easily access destinations available to users of the network. For example, a technician can configure a workstation that is being attached to an Ethernet network to allow a user of the workstation to easily access destinations such as printers and file servers to which that user is supposed to have access. Destinations may be configured by a network administrator to grant or deny access to that computer system. Although such configuration is a time-consuming and error-prone task, because the configuration of the computer system and destinations is set up and then often not changed for many months or years, this time-consuming and error-prone method of configuration is tolerated in order to maintain the security of the network.
In many networks, configuration is accomplished by assigning a workgroup to the computer system, installing drivers that operate certain peripheral devices, and then assigning names to the locations of those devices for ease of use. This makes it cumbersome to allow guest access (e.g. temporary access to a user who does not have a username for the network) to a network. Because the guest could compromise the security of the network, the lack of easy network access by a guest was viewed as a feature of the network, not a problem. A party who wired a computer into a network could be an intruder, and so the configuration process served as a barrier to such intruders. The fact that the relatively few guests who had a legitimate need to access the network required significant configuration resources to do so was seen as a minor problem compared with the problems that could be unleashed by a malevolent party with access to the network. Because such a party could learn the proper workgroup identifier and other configuration information from studying another computer system already configured for network access, the technique of using the configuration process as a form of security is not truly secure. Instead, the process acts as a sort of inexpensive door lock: its only protection is the nuisance it causes. However, because a guest would have required physical access to a facility and would have to physically connect the computer system to the network, the relatively low level of network security was seen as adequate for the circumstances because of the physical access requirement.
Recently, facilities have started providing more public-type access to a network at various locations via access points such as network hubs or switches. For example, jacks coupled to a network hub may be available in a conference room, allowing users to connect to the network a portable, mobile or other type of computer system. A properly configured computer system can remain configured no matter which jack is used to connect to the network, so that if a user disconnects a laptop from a jack in his or her office and plugs it into a conference room jack, the computer will perform just as it did when the computer was in the office.
Access to a computer network need not be via a jack. A network may provide wireless access to computer systems wishing to connect to the network. Wireless access allows a computer having the proper transceiver to access the network via wireless communication with a wireless access point, which is a transceiver that is in communication with the network. The computer and access point communicate via a wireless protocol such as the conventional IEEE 802.11 protocol. A user can bring his or her laptop into a conference room and the laptop will be connected to the network via the wireless access point serving the conference room without any physical connection.
However, there are several problems associated with providing public access to a network. First, organizations may not want to provide guests (e.g. users who do not have a user identifier identifying the user to the network) access to network destinations limited only by the configuration ability of the guest. Otherwise, a guest could connect to a network and then use facilities of that network such as printers or access sensitive material stored on network servers or other computers on the network. Another reason it is undesirable to allow a guest to connect to a network is the fact that many networks such as Ethernet broadcast their communications to all devices, and those devices must discard communications not intended for that device. A guest could connect a computer system to the network, and have access to all communications flowing over the network. If the guest recorded all such communications, the security of sensitive information could be compromised.
There are other problems for even legitimate users and authorized guests. First, access to the same destinations the user has at one location may not meet the user's needs at another location. For example, a user in a conference room on the other side of a corporate campus may wish to use a printer closer to the access point than the printer near his or her office that the user's computer is configured to easily use. Second, if guests wish to connect to a network a computer system or other device that is not properly configured, that computer system or device will be denied access to the entire network, and cannot use destinations such as printers or the Internet that the operator of the network would otherwise readily grant the guest, but for the time-consuming process of configuration. As a result, either such configuration is perceived to be not worth the effort, given the relatively short time the user will be using the network, and the configuration does not occur; or a network administrator's resources are used inefficiently to configure the network and a service technician's resources are used inefficiently to configure the guest's computer system, all to allow the guest to use certain capabilities of the network for a short period of time.
Another problem exists if the network access points use the 802.11 protocol. The 802.11 protocol does not provide transparent handoff from one access point to another if the access points are on different subnetworks. As a user moves from one access point to another access point, certain information transmitted to the user may never be received by the user.
Some network systems involved with providing access to a network utilize network address translation, or NAT. When a user sends a message to such a network system, the network system intercepts the message, substitutes its own address and an assigned port number in place of the user's IP address and port number, and then forwards the message to the intended recipient. The network system maintains a table to allow it to match responses addressed to its own IP address and the assigned port number with the original message sender's IP address and port number. When the response arrives, the network system performs the NAT process in reverse, and forwards the response to the IP source address specified in the original message. While this approach may be transparent to many users, it can interfere with the operation of certain software or mobile devices, for example, during certain sessions such as Telnet, virtual private networking (VPN) or IPSec sessions.
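The following added example (not part of the patent text) models the NAT behaviour just described: a translation table keyed on the inside address and port, outbound rewriting to the translator's own address and an assigned port, and reverse translation of the response. It also shows one reason such translation interferes with IPsec-style sessions: an integrity tag that covers the address fields no longer verifies after rewriting. All addresses, ports, and the shared key are constructed for the example.

```python
import hmac
import hashlib

NAT_PUBLIC_IP = "203.0.113.1"  # constructed translator address (documentation range)


class Nat:
    """Minimal port-based NAT: rewrite the source and remember the mapping."""

    def __init__(self, public_ip=NAT_PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_table = {}  # (inside_ip, inside_port) -> assigned public port
        self.in_table = {}   # assigned public port -> (inside_ip, inside_port)

    def outbound(self, pkt):
        key = (pkt["src"], pkt["sport"])
        if key not in self.out_table:          # first packet of a flow: assign a port
            port, self.next_port = self.next_port, self.next_port + 1
            self.out_table[key] = port
            self.in_table[port] = key
        new = dict(pkt)
        new["src"], new["sport"] = self.public_ip, self.out_table[key]
        return new

    def inbound(self, pkt):
        key = self.in_table.get(pkt["dport"])
        if key is None:
            return None  # no mapping exists: unsolicited inbound traffic is dropped
        new = dict(pkt)
        new["dst"], new["dport"] = key        # reverse translation to the original sender
        return new


def integrity_tag(pkt, key):
    """Tag over addresses, ports and payload, as an AH-style header check would cover."""
    msg = f'{pkt["src"]}:{pkt["sport"]}>{pkt["dst"]}:{pkt["dport"]}|{pkt["payload"]}'
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def round_trip(nat, key=b"constructed-shared-key"):
    """Send one request through the NAT and return (on-wire packet, delivered reply, tag_ok)."""
    request = {"src": "10.0.0.5", "sport": 51000, "dst": "198.51.100.7", "dport": 80, "payload": "GET /"}
    tag = integrity_tag(request, key)                     # computed by the sender before NAT
    on_wire = nat.outbound(request)                       # source fields rewritten here
    tag_ok = hmac.compare_digest(integrity_tag(on_wire, key), tag)  # receiver's check
    reply = {"src": "198.51.100.7", "sport": 80, "dst": on_wire["src"],
             "dport": on_wire["sport"], "payload": "200 OK"}
    return on_wire, nat.inbound(reply), tag_ok
```

The receiver's check returns False because the tag was bound to the pre-translation source address, which is the same failure mode that makes address-covering integrity protection incompatible with NAT.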
What is needed is a system and method that controls access to a network, allows guest access with only a limited amount of configuration, does not provide access to all communications being made over a network, allows simple access to location-related destinations such as nearby printers, allows a user to move between any set of access points without significant loss of communications, and can avoid network address translation interference.