1. Field of the Invention
The invention relates to dynamically assigned addresses in a wired or wireless network environment, and more particularly to port based authentication in the network environment, and to administrator access to information created as a result of the protocol exchanges involved in dynamic address assignment, authentication, and connection.
2. Background Art
The 802.1X standard is designed to enhance the security of wireless local area networks (WLANs) that follow the IEEE 802.11 standard. 802.1X provides an authentication framework for wireless LANs, allowing a user to be authenticated by a central authority. The actual algorithm that is used to determine whether a user is authentic is left open by the standard and multiple algorithms are possible.
802.1X uses an existing protocol, the Extensible Authentication Protocol (EAP, RFC 2284), that works on Ethernet, Token Ring, or wireless LANs, for message exchange during the authentication process.
In a wired or wireless LAN with 802.1X, a user (known as the supplicant) requests access to an access point (known as the authenticator). The access point forces the user (more precisely, the user's client software) into an unauthorized state that allows the client to send only an EAP start message. The access point returns an EAP message requesting the user's identity. The client returns the identity, which is then forwarded by the access point to the authentication server, which uses an algorithm to authenticate the user and then returns an “accept” or “reject” message back to the access point. Assuming an “accept” was received, the access point changes the client's state to authorized and normal traffic can now take place.
The authentication server may use the Remote Authentication Dial-In User Service (RADIUS), although 802.1X does not specify the tools or applications used by the authentication server.
As described above, in current connection protocols, such as 802.1X, the supplicant's (user's) MAC address (Media Access Control address), user ID, and user's unique secret, such as password and digital certificate, are supplied to an authentication server. The authentication server validates the user and returns a message to the switch indicating if the user is or should be connected to the network. One problem is that the user supplied information is not available to the server.
The user supplied information includes:
1) Authenticator information, such as the switch or wireless access point identification;
2) Physical authenticator (i.e., switch) port number;
3) MAC address or addresses of systems attached to the port;
4) IP addresses of systems attached to the port;
5) Authentication server identification;
6) Other administrator defined information about the authenticator, such as the switch or wireless access point.
Network administrators need access to the information created and exchanged as part of the authentication process with respect to a particular user attached to a particular authentication port. This information is needed for effective network administration, as well as for trouble resolution procedures.
One problem is that current standards, such as 802.1X, do not provide a method that can be used to obtain this information from the authenticator. Moreover there is no effective way that current protocols can provide this information.
These problems arise because Protocol 802.1X is a port based authentication protocol and not a database management system or protocol. That is, 802.1X is limited to identification and authentication of a device at an authenticator, for example a switch port.
FIG. 1 illustrates a typical network of the prior art using the 802.1X protocol to authenticate a device 101 upon insertion into a network. As shown in FIG. 1, in a Local Area Network where 802.1X is enabled, the authenticator (switch) 103 challenges the client 101, step 1, for its identity. This is to validate that the user is authorized to access the network. The client 101 responds, 1, and the authenticator 103 sends the supplied supplicant's identity 2 to an authentication server 105, such as a Remote Authentication Dial-In User Service (“RADIUS”) server, for actual authentication, 3, of the client.
The authentication server 105 returns its response 3 to the authenticator 103. If the client 101 is authorized, the switch 103 puts the client's port in the “authenticated” and forwarding state. The switch 103 relays the authentication result 4 to the client 101. Once the client is authenticated and the port is in the authorized state, the client 101 can access 5 the network and network resources 107.
If, however, the authentication is not successful, the switch 103 keeps the port closed and no traffic can go through the port.
One shortcoming of the prior art system is that current standards, such as 802.1X, do not provide a method that can be used to obtain information for network management and asset management from the authenticator 103, such as authenticator information (switch or wireless access point), physical authenticator port number, MAC address, IP address, and authentication server, as well as time stamps.
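The FIG. 1 exchange modelled in Python, as an added example that is not part of the patent: the authenticator drives the port through the unauthorized and authorized states and, unlike plain 802.1X as described above, keeps a per-port session record (authenticator, port, MAC, IP, authentication server, result, time stamp) that an administrator can query. The switch, server and user names, the addresses and the user table are constructed.

```python
# Added example (not the patent's own code); names, addresses and users are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Supplicant:             # client 101: constructed MAC, IP and credentials
    mac: str
    ip: str
    identity: str
    secret: str

@dataclass
class SessionRecord:          # the items the background says administrators need
    authenticator_id: str
    port: int
    mac: str
    ip: str
    auth_server: str
    result: str
    timestamp: str

class AuthServer:             # stand-in for the RADIUS server 105
    def __init__(self, name, known_users):
        self.name, self.known_users = name, known_users
    def authenticate(self, identity, secret):   # step 3: "accept" or "reject"
        return "accept" if self.known_users.get(identity) == secret else "reject"

class Authenticator:          # switch / access point 103
    def __init__(self, switch_id, auth_server):
        self.switch_id, self.auth_server = switch_id, auth_server
        self.port_state, self.records = {}, []
    def connect(self, port, client):
        self.port_state[port] = "unauthorized"      # client forced to unauthorized
        result = self.auth_server.authenticate(client.identity, client.secret)  # steps 1-3
        if result == "accept":
            self.port_state[port] = "authorized"    # step 4: port now forwards
        self.records.append(SessionRecord(         # what 802.1X itself does not expose
            self.switch_id, port, client.mac, client.ip, self.auth_server.name,
            result, datetime.now(timezone.utc).isoformat()))
        return result
    def forward(self, port, frame):                 # step 5; a closed port drops traffic
        return frame if self.port_state.get(port) == "authorized" else None
    def sessions(self, port):                       # administrator query by physical port
        return [r for r in self.records if r.port == port]

def demo():
    switch = Authenticator("switch-a", AuthServer("radius-1", {"alice": "s3cret"}))
    ok = switch.connect(7, Supplicant("00:11:22:33:44:55", "10.0.0.5", "alice", "s3cret"))
    bad = switch.connect(8, Supplicant("66:77:88:99:aa:bb", "10.0.0.6", "mallory", "x"))
    return ok, bad, switch.forward(7, "data"), switch.forward(8, "data"), switch.sessions(7)
```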