Wireless multi-factor authentication with captive portals

US10966088B1 · US · B1

Patent metadata

  Field                 Value
  Publication number    US-10966088-B1
  Application number    US-201916383111-A
  Country               US
  Kind code             B1
  Filing date           Apr 12, 2019
  Priority date         Aug 13, 2012
  Publication date      Mar 30, 2021
  Grant date            Mar 30, 2021

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Systems and methods for device-agnostic, multi-factor network authentication are disclosed. In some embodiments, a wireless network connection can authenticate a device over secure authentication means with a certificate that confirms a device identity. After authenticating the device, a user can be prompted to provide credentials in a captive portal. The captive portal can be inaccessible to devices that have not already authenticated using a certificate. After providing approved credentials to the captive portal, the user can access the network. This embodiment and additional embodiments are readily integrated into private wireless networks and others.

Claims

Full claim text for this publication.

What is claimed is:

  1. A method of network access control, comprising: requesting a device credential in response to detecting an attempt by a device to access a wireless network; receiving the device credential from the device in response to the request; evaluating the device credential to determine whether the device is authenticated, wherein network traffic unrelated to the device credential is ignored until the device credential is received; triggering presentation of a captive portal on a display of the device after a determination that the device is authenticated, wherein the captive portal requests input of user credentials and employs a subnetwork to restrict network traffic unrelated to the user credentials; receiving the user credentials by way of the captive portal; evaluating the user credentials to determine whether a user is authenticated; and granting access to the network based on a determination that the device and user are authenticated.

  2. The method of claim 1, further comprising denying access to the network based on a determination that the device and user are not authenticated.

  3. The method of claim 1, further comprising granting access to the network based on the determination that the user is authenticated within a threshold number of attempts.

  4. The method of claim 3, further comprising granting access to the network based on the determination that the user is authenticated within the threshold number of attempts that varies based on one or more contextual factors.

  5. The method of claim 1, further comprising triggering presentation of the captive portal within a web browser of the device.

  6. The method of claim 1, further comprising requiring successful completion of one or more additional authentication challenges prior to granting access to the network.

  7. The method of claim 1, further comprising storing device and user credentials for a limited period of time and employing the device and user credentials to automatically reconnect after disconnection.

  8. A system of network access control, comprising: a processor coupled to memory that includes instructions that, when executed by the processor, cause the processor to: request a device credential in response to detecting an attempt by a device to access a wireless network; receive the device credential from the device in response to the request; determine whether the device is authenticated based on the device credential, wherein network traffic unrelated to the device credential is ignored until the device credential is received; trigger presentation of a captive portal on a display of the device after a determination that the device is authenticated, wherein the captive portal requests user credentials and communicates by way of a subnetwork that restricts network traffic unrelated to request and receipt of the user credentials; receive the user credentials by way of the captive portal; determine whether a user is authenticated based on the user credentials; and grant access to the network based on a determination that the device and user are authenticated.

  9. The system of claim 8, the instructions further cause the processor to deny access to the network based on a determination that the device and user are not authenticated.

  10. The system of claim 8, the instructions further cause the processor to grant access to the network based on the determination that the user is authenticated within a threshold number of attempts.

  11. The system of claim 10, the instructions further cause the processor to grant access to the network based on the determination that the user is authenticated within the threshold number of attempts that varies based on one or more contextual factors.

  12. The system of claim 8, the instructions further cause the processor to trigger presentation of the captive portal within a web browser.

  13. The system of claim 8, wherein communication over the subnetwork associated with the captive portal is encrypted.

  14. The system of claim 8, the instructions further cause the processor to present and require successful completion of one or more additional authentication challenges prior to granting access to the network.

  15. A method of network access control, comprising: attempting to connect to a wireless network; receiving a request for a device credential that identifies the device from an access controller; transmitting the device credential to the access controller; presenting a captive portal on the device in response to a transmission of an authenticated device credential, wherein the captive portal enables input of user credentials and communicates by way of a subnetwork that restricts network traffic unrelated to the user credentials; transmitting the user credentials identifying a user to the access controller; receiving a number of additional authentication challenges, wherein the number is based on at least one of the device or the user; transmitting a response to the number of additional authentication challenges; and receiving access to the wireless network in response to a determination that the user is authenticated based on the user credentials and successful completion of the number of additional authentication challenges.

  16. The method of claim 15, further comprising presenting the captive portal in a web browser.

  17. The method of claim 15, further comprising receiving a failure notification based on a determination that the user is unauthenticated.
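The sequence the claims describe (device credential first, with all other traffic ignored; then a captive portal reachable only on its own subnetwork; user credentials accepted within a context-dependent number of attempts; optional additional challenges; and a time-limited credential cache for automatic reconnection, per claims 1, 4, 7 and 15) can be modelled as a small access-controller state machine. The code below is an added illustration written for this page, not the patent's or the assignee's implementation. The pinned certificate-fingerprint allowlist (standing in for full chain validation), the portal address 10.255.0.1, the sample user, the one-time-code scheme and the state names are all constructed assumptions.

```python
"""Model of the two-stage (device certificate, then captive-portal user login) access
controller described in the claims. Added illustration, not the patent's own code; the
certificate allowlist, portal subnet, user store and one-time-code scheme are constructed."""
import hashlib
import hmac
import ipaddress
import time

PORTAL_ADDR = ipaddress.ip_address("10.255.0.1")  # constructed: only host reachable on portal subnet


def cert_fingerprint(cert_der: bytes) -> str:
    """Stand-in for chain validation: the controller trusts a pinned set of fingerprints."""
    return hashlib.sha256(cert_der).hexdigest()


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessController:
    def __init__(self, trusted_fingerprints, users, otp_key: bytes, session_ttl=3600):
        self.trusted = set(trusted_fingerprints)
        self.users = users            # username -> (salt, pbkdf2 hash)
        self.otp_key = otp_key
        self.session_ttl = session_ttl
        self.state = {}               # device_id -> need_device_cred | portal | challenge | granted | denied
        self.attempts = {}            # device_id -> failed portal logins this session
        self.seen = set()             # devices that completed a full login before (a contextual factor)
        self.sessions = {}            # device_id -> (username, expiry); claim 7 reconnect cache
        self.pending = {}             # device_id -> username awaiting an extra challenge

    def on_connect(self, device_id, now=None):
        now = time.time() if now is None else now
        sess = self.sessions.get(device_id)
        if sess and sess[1] > now:    # cached device+user credentials: reconnect without re-prompting
            self.state[device_id] = "granted"
            return "granted"
        self.state[device_id] = "need_device_cred"
        return "request_device_credential"

    def allow_traffic(self, device_id, dst_ip) -> bool:
        """Filter policy: nothing until the device credential arrives, portal-only afterwards."""
        st = self.state.get(device_id, "need_device_cred")
        if st == "granted":
            return True
        if st in ("portal", "challenge"):
            return ipaddress.ip_address(dst_ip) == PORTAL_ADDR
        return False

    def present_device_credential(self, device_id, cert_der: bytes, not_after, now=None):
        now = time.time() if now is None else now
        if self.state.get(device_id) != "need_device_cred":
            return "ignored"
        if not_after <= now or cert_fingerprint(cert_der) not in self.trusted:
            self.state[device_id] = "denied"
            return "denied"
        self.state[device_id] = "portal"   # the captive portal becomes reachable only now
        self.attempts[device_id] = 0
        return "captive_portal"

    def attempt_threshold(self, device_id) -> int:
        """Claim 4: the threshold varies with context; a previously seen device gets more tries."""
        return 5 if device_id in self.seen else 3

    def extra_challenges(self, device_id) -> int:
        """Claim 15: the number of additional challenges depends on the device (one for new devices)."""
        return 0 if device_id in self.seen else 1

    def _otp(self, device_id, username) -> str:
        # constructed stand-in for a one-time code delivered out of band
        return hmac.new(self.otp_key, f"{device_id}:{username}".encode(), "sha256").hexdigest()[:6]

    def present_user_credentials(self, device_id, username, password, now=None):
        if self.state.get(device_id) != "portal":
            return "ignored"
        self.attempts[device_id] += 1
        rec = self.users.get(username)
        salt, stored = rec if rec else (b"\x00" * 16, b"\x00" * 32)  # dummy work for unknown users
        digest = hash_password(password, salt)
        if rec is None or not hmac.compare_digest(digest, stored):
            if self.attempts[device_id] >= self.attempt_threshold(device_id):
                self.state[device_id] = "denied"
                return "denied"
            return "retry"
        if self.extra_challenges(device_id):
            self.state[device_id] = "challenge"
            self.pending[device_id] = username
            return "challenge"
        return self._grant(device_id, username, now)

    def answer_challenge(self, device_id, code, now=None):
        if self.state.get(device_id) != "challenge":
            return "ignored"
        username = self.pending.pop(device_id)
        if not hmac.compare_digest(code, self._otp(device_id, username)):
            self.state[device_id] = "denied"
            return "denied"
        return self._grant(device_id, username, now)

    def _grant(self, device_id, username, now):
        now = time.time() if now is None else now
        self.state[device_id] = "granted"
        self.seen.add(device_id)
        self.sessions[device_id] = (username, now + self.session_ttl)
        return "granted"


def build_demo():
    """Constructed sample data: one trusted device certificate and one user."""
    cert = b"constructed-device-cert-der"
    salt = b"constructed-salt"
    users = {"alice": (salt, hash_password("correct horse", salt))}
    return AccessController([cert_fingerprint(cert)], users, otp_key=b"constructed-key"), cert
```

The design point worth noticing is that `allow_traffic` is the only place network reachability is decided, and it keys purely off the per-device state: a device that has not yet presented a certificate sees nothing, a device on the portal stage can reach only the portal host, and full access exists only in the `granted` state. Lockout, the extra challenge and the reconnect cache all work by moving the device between those states rather than by adding exceptions to the filter.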

Assignees

  • Wells Fargo Bank Na
Inventors

Classifications

  • using certificates or pre-shared keys · CPC title

  • Pre-authentication · CPC title

  • H04W12/08 (primary)

    Access security · CPC title

  • including means for verifying the identity or authority of a user of the system {or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials} · CPC title

  • User profiles · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10966088B1 cover?
Systems and methods for device-agnostic, multi-factor network authentication are disclosed. In some embodiments, a wireless network connection can authenticate a device over secure authentication means with a certificate that confirms a device identity. After authenticating the device, a user can be prompted to provide credentials in a captive portal. The captive portal can be inaccessible to d…
Who is the assignee on this patent?
Wells Fargo Bank Na
What technology area does this patent fall under?
Primary CPC classification H04W12/08. Mapped technology areas include Electricity.
When was this patent published?
Publication date Mar 30, 2021 (B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).