Enterprises and other organizations implement network access control in order to control the ability of endpoint devices to communicate on a computer network. For example, an enterprise may implement a computer network that includes an email server. In order to prevent unauthorized users from communicating with this email server, the enterprise may implement a network access control system that prevents unauthorized users from sending network communications on the computer network unless the users provide a correct username and password. In another example, an enterprise may wish to prevent devices that are infected with computer viruses from communicating with devices on a network of the enterprise. In this example, the enterprise may implement a network access control system that prevents devices that do not have current anti-virus software from communicating on the network.
Enterprises may use the 802.1X protocol to implement network access control. Three separate types of devices are typically present in networks that implement network access control using the 802.1X protocol. These devices typically include supplicant devices, policy decision points, and policy enforcement points. Supplicant devices are devices that are attempting to connect to the network and may be referred to as endpoint devices. Policy decision points evaluate information from the supplicant devices in order to decide whether to grant the supplicant devices access to a network. An example of a policy decision point may include an authentication server. Policy enforcement points enforce the decisions made by the policy decision points with regard to individual supplicant devices. One example of a policy enforcement point is a layer two (L2) switch or access point.
An endpoint device may send a connection request in the 802.1X protocol to the L2 switch. This connection request may be comprised of a series of 802.1X messages that the L2 switch may forward to the authentication server. The authentication server may send responses back to the L2 switch and the L2 switch may forward these responses back to the endpoint device. These 802.1X messages may include security credentials (e.g., a username and password) and information about the “health” of the endpoint device. This health information may, for example, include information indicating whether a most current operating system patch is installed on the supplicant device, whether a most current version of anti-virus software has been installed on the supplicant device, and other information.
Enterprises may also use other strategies to implement network access control, such as inserting firewalls between endpoint devices and servers or other network resources. In order to access the protected server resources, an endpoint device provides identity information and health information to an authentication server. If the identity information and health information conform to the authentication server's authentication policies, the authentication server may provision access to server resources for the endpoint device through the firewalls (which may represent policy enforcement points in this strategy).
Typically, the authentication server may maintain the security credentials, health information and any other information relevant to properly authenticating the endpoint device in accordance with the network access control policies according to an authorization data model (or authorization model, for short). That is, the authentication server may define various classes of data and store the information determined from the endpoint device in these classes of data. This authorization model may be proprietary or otherwise specific to the vendor of the authentication server. The firewall may likewise maintain its own authorization model, which may also be proprietary or otherwise vendor-specific. The limitations of vendor-specific authorization models may force enterprises to adopt a single vendor to provide both the authentication server and the firewall in order to facilitate the interaction and communication between the two devices described above and thereby provide a coherent network access control strategy. This single-vendor limitation may prohibit enterprises from adopting this network access control strategy and/or deter adoption of fledgling but potentially beneficial network access control technologies.
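The two enforcement strategies described above (the L2 switch forwarding 802.1X messages, and the firewall provisioning access to protected servers) share one policy decision point that checks identity and then health. The following toy model is an added example written for this page, not code from any vendor or product. The supplicant's request carries a username, a password and a health report; the enforcement point relays it to the authentication server and acts on the decision. All users, passwords, addresses, patch levels and policy thresholds are constructed for the example, and the identity check deliberately returns the same reason for an unknown user and a wrong password so the enforcement point learns nothing about which accounts exist.

```python
"""
Toy model of the network access control flow described above (added example,
not any vendor's code). A supplicant sends identity and health information;
a policy enforcement point (L2 switch in the 802.1X strategy, firewall in the
firewall strategy) relays it to the policy decision point (authentication
server) and enforces the answer. All names, credentials, addresses and policy
thresholds are constructed.
"""
from dataclasses import dataclass
import hashlib
import hmac


@dataclass
class HealthReport:
    os_patch_level: int      # constructed: installed OS patch level
    antivirus_version: str   # constructed: installed anti-virus version, e.g. "4.3"


@dataclass
class AccessRequest:
    username: str
    password: str
    health: HealthReport


@dataclass
class AccessDecision:
    granted: bool
    reason: str


def version_tuple(version: str) -> tuple:
    """'4.10' -> (4, 10), so that '4.10' compares greater than '4.9'."""
    return tuple(int(part) for part in version.split("."))


class AuthenticationServer:
    """Policy decision point: checks identity first, then health, against policy."""

    def __init__(self, users: dict, min_patch_level: int, min_av_version: str):
        # Store salted hashes rather than plaintext passwords (toy salt; constructed users).
        self._users = {name: self._digest(pw) for name, pw in users.items()}
        self.min_patch_level = min_patch_level
        self.min_av_version = min_av_version

    @staticmethod
    def _digest(password: str) -> str:
        return hashlib.sha256(b"toy-salt:" + password.encode()).hexdigest()

    def decide(self, req: AccessRequest) -> AccessDecision:
        stored = self._users.get(req.username)
        # Constant-time comparison; unknown user and wrong password yield the same reason.
        if stored is None or not hmac.compare_digest(stored, self._digest(req.password)):
            return AccessDecision(False, "identity: invalid credentials")
        if req.health.os_patch_level < self.min_patch_level:
            return AccessDecision(False, "health: OS patch level below policy minimum")
        if version_tuple(req.health.antivirus_version) < version_tuple(self.min_av_version):
            return AccessDecision(False, "health: anti-virus version below policy minimum")
        return AccessDecision(True, "identity and health conform to policy")


class L2Switch:
    """Policy enforcement point for the 802.1X strategy: authorizes a port or leaves it blocked."""

    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.authorized_ports = set()

    def connect(self, port: int, req: AccessRequest) -> AccessDecision:
        decision = self.server.decide(req)        # forward the 802.1X exchange to the server
        if decision.granted:
            self.authorized_ports.add(port)
        else:
            self.authorized_ports.discard(port)   # a failed re-authentication closes the port
        return decision

    def can_forward(self, port: int) -> bool:
        return port in self.authorized_ports


class Firewall:
    """Policy enforcement point for the firewall strategy: provisions allow rules per endpoint."""

    def __init__(self, server: AuthenticationServer, protected_servers: set):
        self.server = server
        self.protected_servers = protected_servers
        self.allow_rules = set()                  # (endpoint address, server address) pairs

    def request_access(self, endpoint: str, req: AccessRequest) -> AccessDecision:
        decision = self.server.decide(req)
        if decision.granted:
            for srv in self.protected_servers:
                self.allow_rules.add((endpoint, srv))
        else:
            # Any earlier provisioning for this endpoint is withdrawn on a failed check.
            self.allow_rules = {r for r in self.allow_rules if r[0] != endpoint}
        return decision

    def permits(self, endpoint: str, server_addr: str) -> bool:
        return (endpoint, server_addr) in self.allow_rules
```

Both enforcement points consume the same `AccessDecision`, which is the interoperability point the last paragraph raises: as long as the decision and the health classes it is based on have one agreed shape, the switch and the firewall need not come from the vendor of the authentication server.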