The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Network traffic streams in a Local Area Network (LAN) environment are typically identifiable by their associated network addresses, such as, for example, Internet Protocol (IP) addresses. In addition, some LAN environments provide mechanisms for authenticating client devices that originate such network traffic streams and/or users that may be accessing the LAN through the client devices.
For example, a LAN environment may be configured to operate over one or more protocols that conform to the Institute of Electrical and Electronics Engineers (IEEE) Standard 802.1X for port-based network access control. The latest version of the IEEE 802.1X standard, IEEE 802.1X™-2004, was published by the IEEE on 13 Dec. 2004, and its entire contents are hereby incorporated by reference for all purposes as if fully set forth herein. IEEE 802.1X is an authentication specification that allows a client device to connect to a wireless access point or to a wired edge device in a LAN, but prevents the client device from gaining access to the LAN resources until the client device and/or its user(s) provide credentials that are verified by a separate authentication server. The IEEE 802.1X specification supports a wide variety of authentication mechanisms for verifying client-supplied and/or user-supplied credentials, such as, for example, token cards, Kerberos, one-time passwords, certificates, and public key encryption. In addition, the port-based access control mechanisms provided in the IEEE 802.1X specification make use of the physical access characteristics of the LAN infrastructure in order to provide a means for authenticating and authorizing client devices attached to a LAN port through point-to-point connections, and a means for preventing access to the LAN if the authentication and authorization process fails. (A LAN port, or network access port, in this context may refer to a physical port through which an edge device, such as a switch, provides access to a network for a client device, or to a logical port, such as an association between an end station and an access point in a wireless network.)
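The port-based access control described above, as an added example that is not part of the application: a toy model of the three IEEE 802.1X roles (supplicant, authenticator owning the LAN port, and a separate authentication server holding the credentials). The port names, identities, secrets and the HMAC challenge/response standing in for a real EAP method are assumptions chosen for the demonstration.

```python
"""Toy model of IEEE 802.1X port-based access control (added example; the
credential store, port names and challenge/response method are assumptions
standing in for a real EAP method and a real authentication server)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"  # controlled port blocked: only EAPOL frames pass
    AUTHORIZED = "authorized"      # controlled port open: all traffic passes


@dataclass
class Port:
    """A LAN port: physical (switch port) or logical (wireless association)."""
    port_id: str
    state: PortState = PortState.UNAUTHORIZED
    identity: Optional[str] = None   # identity bound to the port after success
    mac: Optional[str] = None        # MAC of the attached client device


class AuthenticationServer:
    """Separate server that alone holds the credential database; the
    authenticator only relays the exchange and acts on the verdict."""

    def __init__(self, credentials: Dict[str, bytes]) -> None:
        self._credentials = dict(credentials)

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, identity: str, challenge: bytes, response: bytes) -> bool:
        secret = self._credentials.get(identity)
        if secret is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Supplicant:
    """Client device (or its user) presenting credentials over EAPOL."""

    def __init__(self, identity: str, secret: bytes, mac: str) -> None:
        self.identity = identity
        self._secret = secret
        self.mac = mac

    def respond(self, challenge: bytes) -> bytes:
        # Assumed EAP method: HMAC-SHA256 over the server's challenge.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Authenticator:
    """Edge device (switch or access point) that owns the LAN ports."""

    def __init__(self, server: AuthenticationServer, port_ids) -> None:
        self._server = server
        self.ports: Dict[str, Port] = {pid: Port(pid) for pid in port_ids}

    def forwards(self, port_id: str, frame_type: str) -> bool:
        """Before authorization only EAPOL (the authentication exchange
        itself) is allowed through the port; afterwards everything is."""
        port = self.ports[port_id]
        if port.state is PortState.AUTHORIZED:
            return True
        return frame_type == "EAPOL"

    def authenticate(self, port_id: str, supplicant: Supplicant) -> PortState:
        """Relay challenge/response between supplicant and server and set the
        port state from the verdict; failure leaves the port unauthorized
        with no identity bound to it."""
        port = self.ports[port_id]
        challenge = self._server.challenge()       # EAP-Request, relayed
        response = supplicant.respond(challenge)   # EAP-Response, relayed
        if self._server.verify(supplicant.identity, challenge, response):
            port.state, port.identity, port.mac = (
                PortState.AUTHORIZED, supplicant.identity, supplicant.mac)
        else:
            port.state, port.identity, port.mac = (
                PortState.UNAUTHORIZED, None, None)
        return port.state


def demo() -> Dict[str, object]:
    """Constructed scenario: one valid supplicant, one with a wrong secret."""
    server = AuthenticationServer({"alice": b"alice-secret"})
    switch = Authenticator(server, ["Gi1/0/7", "Gi1/0/8"])
    alice = Supplicant("alice", b"alice-secret", "00:11:22:33:44:55")
    mallory = Supplicant("alice", b"guessed-secret", "66:77:88:99:aa:bb")
    result = {
        "ip_before_auth": switch.forwards("Gi1/0/7", "IP"),
        "eapol_before_auth": switch.forwards("Gi1/0/7", "EAPOL"),
        "alice": switch.authenticate("Gi1/0/7", alice).value,
        "mallory": switch.authenticate("Gi1/0/8", mallory).value,
    }
    result["ip_after_auth"] = switch.forwards("Gi1/0/7", "IP")
    result["ip_after_failure"] = switch.forwards("Gi1/0/8", "IP")
    result["bound_identity"] = switch.ports["Gi1/0/7"].identity
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that after a successful exchange the authenticator knows the identity and MAC bound to a given port, but nothing in this exchange tells it which IP address the client will later use; that is exactly the gap between port-level authentication and address-level traffic identification that the following paragraphs describe.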
Even in LAN environments that provide for client device authentication, however, currently there are no mechanisms that allow for the resolution, in real-time, of network addresses associated with network traffic streams to the identity of the users and/or the client devices that originate these traffic streams and to the network topological locations through which such streams enter the network. As a result, client device communications transmitted to a network are effectively anonymous and untraceable in real-time, and network sessions through which authenticated client devices access network resources cannot be monitored to provide real-time network diagnostics such as, for example, network attack detection and network attack triangulation.
One past approach that partially addresses the above problems is to provide a Dynamic Host Configuration Protocol (DHCP) server with a mechanism for keeping track of which IP addresses are assigned to which authenticated client devices. This approach, however, has numerous disadvantages when it comes to providing information that can be used for effective real-time network diagnostics. For example, even though a DHCP server that implements this approach may be able to determine the IP address of a particular client device, it cannot provide any information regarding the network topological location of the edge device through which that client device is attached to the network. In addition, a DHCP server in a multi-segment LAN typically can provide network address information only for client devices and servers in its own segment, and is oblivious to network addresses that are assigned by DHCP servers in other network segments.
Based on the foregoing, there is a clear need for techniques for creating and tracking network sessions that overcome the disadvantages of the past approach described above and that provide for real-time network diagnostics.