Systems and methods for administering mobile applications using pre-loaded tokens
US-2016092869-A1 · Mar 31, 2016 · US
US2018332016A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2018332016-A1 |
| Application number | US-201715591382-A |
| Country | US |
| Kind code | A1 |
| Filing date | May 10, 2017 |
| Priority date | May 10, 2017 |
| Publication date | Nov 15, 2018 |
| Grant date | — |
Abstract
A network device receives credentials of a user of a client device, and receives an enrollment request from the client device, wherein the enrollment request includes a network address of the client device. The network device generates a token comprising the network address and an identifier of the user, encrypts the token, and sends the encrypted token to the client device. The network device receives, when the client device attempts to access a protected resource or a network service, the encrypted token from the client device for authenticating the client device without further requiring the credentials of the user.
Claims (preview)
What is claimed is:

1. A method, comprising: receiving credentials of a user of a client device; receiving an enrollment request from the client device, wherein the enrollment request includes a network address of the client device; generating a token comprising the network address and an identifier of the user; encrypting the token; sending the encrypted token to the client device; and receiving, when the client device attempts to access a protected resource or a network service, the encrypted token from the client device for authenticating the client device without further requiring the credentials of the user.

2. The method of claim 1, further comprising: generating a timestamp that indicates a time at which the token is being generated, wherein the token further comprises the generated timestamp.

3. The method of claim 2, further comprising: appending the timestamp, the identifier of the user, and the network address to one another to generate the token.

4. The method of claim 1, wherein the token further comprises a refresh timestamp that indicates a time at which the token expires.

5. The method of claim 4, further comprising: appending the refresh timestamp, the identifier of the user, and the network address to one another to generate the token.

6. The method of claim 1, further comprising: receiving a request to access the protected resource or the network service, wherein the request includes a current network address of the client device and the encrypted token.

7. The method of claim 6, further comprising: decrypting the encrypted token to produce a decrypted token; extracting the network address from the decrypted token; comparing the extracted network address with the current network address; and authenticating the client device based on the comparison without requiring the credentials of the user.

8. The method of claim 7, further comprising: extracting the identifier of the user from the decrypted token; and using, if the comparison indicates that the current network address and the extracted network address do not match, the identifier of the user to perform a database lookup to determine if the current network address belongs to the user.

9. The method of claim 8, further comprising: granting, if the comparison indicates that the current network address and the extracted network match, the client device access to the protected resource or network service.

10. A network device, comprising: a communication interface connected to a network that: receives credentials of a user of a client device, and receives an enrollment request from the client device, wherein the enrollment request includes a network address of the client device; a processing unit that: generates a token comprising the network address and an identifier of the user, and encrypts the token, wherein the communication interface further: sends the encrypted token to the client device, and receives, when the client device attempts to access a protected resource or a network service, the encrypted token from the client device for authenticating the client device without further requiring the credentials of the user.

11. The network device of claim 10, wherein the processing unit further: generates a timestamp that indicates a time at which the token is being generated, and appends the timestamp, the identifier of the user, and the network address to one another to generate the token.

12. The network device of claim 10, wherein the token further comprises a refresh timestamp that indicates a time at which the token expires, and wherein the processing unit further: appends the refresh timestamp, the identifier of the user, and the network address to one another to generate the token.

13. The network device of claim 10, wherein the communication interface further: receives a request to access the protected resource or the network service, wherein the request includes a current network address of the client device and the encrypted token.

14. The network device of claim 13, wherein the processing unit further: decrypts the encrypted token to produce a decrypted token; extracts the network address from the decrypted token; compares the extracted network address with the current network address; and authenticates the client device based on the comparison without requiring the credentials of the user.

15. The network device of claim 14, wherein the processing unit further: extracts the identifier of the user from the decrypted token, using, if the comparison indicates that the current network address and the extracted network address do not match, the identifier of the user to perform a database lookup to determine if the current network address belongs to the user, and granting, if the comparison indicates that the current network address and the extracted network match, the client device access to the protected resource or network service.

16. A non-transitory storage medium storing instructions executable by a computational device, wherein the instructions comprise instructions to cause the computational device to: receive credentials of a user of a client device; receive an enrollment request from the client device, wherein the enrollment request includes a network address of the client device; generate a token comprising the network address and an identifier of the user; encrypt the token; send the encrypted token to the client device; and receive, when the client device attempts to access a protected resource or a network service, the encrypted token from the client device for authenticating the client device without further requiring the credentials of the user.

17. The non-transitory storage medium of claim 16, wherein the instructions further comprise instructions to cause the computational device to: generate a timestamp that indicates a time at which the token is being generated, and append the timestamp, the identifier of the user, and the network address to one another to generate the token.

18. The non-transitory storage medium of claim 16, wherein the token further comprises a refresh timestamp that indicates a time at which the token expires, and wherein the instructions further comprise instructions to cause the computational device to: appends the refresh timestamp, the identifier of the user, and the network address to one another to generate the token.

19. The non-transitory storage medium of claim 16, wherein the instructions further comprise instructions to cause the computational device to: receive a request to access the protected resource or the network service, wherein the request includes a current network address of the client device and the encrypted token; decrypt the encrypted token to produce a decrypted token; extract the network address from the decrypted token; compare the extracted network address with the current network address; and authenticate the client device based on the comparison without requiring the credentials of the user.

20. The non-transitory storage medium of claim 19, wherein the instructions further comprise instructions to cause the computational device to: extract the identifier of the user from the decrypted token, use, if the comparison indicates that the current network address and the extracted network address do not match, the identifier of the user to perform a database lookup to determine if the current network ad
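The flow in claims 1 through 9 (enroll, bind user id plus network address plus timestamps into an encrypted token, then authenticate later requests by comparing the bound address with the address the request arrives from, falling back to a per-user address database on a mismatch) is easier to reason about as running code. The block below is an added example written for this page, not code from the patent or its assignee. It assumes: the user's credentials were already verified before `enroll` is called; the token fields are JSON-encoded rather than byte-appended; the server keys `KEY_ENC`/`KEY_MAC`, the lifetime `TOKEN_LIFETIME_S` and the `USER_ADDRESSES` table are all constructed stand-ins; and, because the claims only say "encrypt", an HMAC tag is added on top (encrypt-then-MAC), since an unauthenticated ciphertext would let the client flip bits in the bound address or the expiry. The HMAC-in-counter-mode cipher is there only to keep the example dependency-free; production code would use a real AEAD such as AES-GCM.

```python
# Added worked example (not code from the patent): the enrollment / token
# authentication flow of claims 1-9, Python 3 standard library only.
import hashlib
import hmac
import json
import os
import struct
from typing import Optional, Tuple

# Assumption: server-side secrets; in practice these live in a KMS/HSM.
KEY_ENC = b"\x11" * 32
KEY_MAC = b"\x22" * 32
NONCE_LEN, TAG_LEN = 16, 32
TOKEN_LIFETIME_S = 3600  # assumption: refresh timestamp = issue time + 1 h

# Constructed table standing in for the database of claim 8: which
# network addresses are known to belong to which user.
USER_ADDRESSES = {
    "alice": {"203.0.113.10", "198.51.100.7"},
    "bob": {"192.0.2.44"},
}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (illustration only;
    a real deployment would use AES-GCM or another vetted AEAD)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_token(plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(KEY_ENC, nonce, len(plaintext))))
    tag = hmac.new(KEY_MAC, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_token(blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the blob is malformed or its tag fails."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(KEY_MAC, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time tag check
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(KEY_ENC, nonce, len(ct))))


def enroll(user_id: str, network_address: str, now: int) -> bytes:
    """Claims 1-5: after credentials were verified (out of scope here), bind the
    user id, the enrollment address, the issue timestamp and the refresh
    (expiry) timestamp into one encrypted token."""
    token = {
        "user": user_id,
        "addr": network_address,
        "issued": now,
        "refresh": now + TOKEN_LIFETIME_S,
    }
    return encrypt_token(json.dumps(token, sort_keys=True).encode())


def authenticate(blob: bytes, current_address: str, now: int) -> Tuple[bool, str]:
    """Claims 6-9: decrypt, compare the bound address with the address the request
    arrived from, and on a mismatch consult the per-user address database.
    Returns (granted, reason)."""
    raw = decrypt_token(blob)
    if raw is None:
        return False, "token rejected: malformed or tampered"
    try:
        token = json.loads(raw)
    except ValueError:
        return False, "token rejected: bad payload"
    # Enforce the refresh timestamp on the server; the client's clock is untrusted.
    if now >= token["refresh"]:
        return False, "token expired"
    if token["addr"] == current_address:
        return True, "address matches enrollment"
    if current_address in USER_ADDRESSES.get(token["user"], set()):
        return True, "address changed but is registered to user"
    return False, "address mismatch and not registered to user"
```

Two caveats a practitioner would want: the address comparison on its own is a weak device binding for mobile clients (carrier NAT and roaming change the source address without any change of device), which is presumably why the claims add the database lookup on a mismatch; and that lookup only establishes that the current address belongs to the user, so a stolen token replayed from any of that user's registered addresses still succeeds until the refresh timestamp passes. A short lifetime and an authenticated ciphertext are what keep the scheme honest.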
CPC classification titles:
- wherein the security policies are location-dependent, e.g. entities' privileges depend on current location or allowing specific operations only from locally connected terminals
- Recurrent verification
- when the policy decisions are valid for a limited amount of time
- wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- Location-sensitive, e.g. geographical location, GPS