Secure cloud storage distribution and aggregation
US-2015363611-A1 · Dec 17, 2015 · US
US9350703B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9350703-B2 |
| Application number | US-201414270501-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 6, 2014 |
| Priority date | May 6, 2014 |
| Publication date | May 24, 2016 |
| Grant date | May 24, 2016 |
Official abstract text for this publication.
A method implemented in an edge router, the method comprising receiving an authentication request from a device, forwarding the authentication request to an authentication and policy server, receiving an authentication response and an indication of a device tag from the authentication and policy server, wherein the device tag is based on a characteristic of the device, a location, a destination, or a user of the device, forwarding the authentication response to the device, receiving a policy associated with the device tag from the authentication and policy server, receiving a packet from the device, embedding the device tag in the packet to form a tagged packet, and executing the policy.
Opening claim text (preview).
What is claimed is:

1. A method implemented in an edge router, the method comprising: receiving an authentication request from an application implemented on a device, wherein the request comprises context information including a device characteristic of the device or of a user of the device and an application characteristic of the application; forwarding the authentication request to an authentication and policy server; receiving an authentication response from the authentication and policy server, wherein the authentication response comprises an indication of a device tag selected based on the device characteristic and an indication of an application tag selected based on the application characteristic; forwarding the authentication response to the device; receiving a policy associated with the device tag or the application tag from the authentication and policy server; receiving a packet from the device; embedding the device tag and the application tag in the packet to form a tagged packet such that the tagged packet comprises the device tag and the application tag, wherein the application tag comprises the context information; executing the policy; and forwarding the tagged packet according to the policy associated with the device tag and the application tag.
2. The method of claim 1, further comprising: receiving a second packet from an adjacent router in a network, wherein the second packet comprises a second device tag; and applying a second policy to the second packet according to the second device tag.
3. The method of claim 1, further comprising: receiving a second packet from an adjacent router in a network, wherein the second packet comprises a second application tag; determining the second application tag by inspecting a field in the second packet; and determining access to a second application based on the second application tag.
4. The method of claim 1, wherein the device characteristic comprises at least one of an Internet Protocol (IP) address, a Media Access Control (MAC) address, a port of the edge router that receives the packet, a type of access of the device, a location of the device, and a type of the device.
5. The method of claim 1, further comprising: receiving a second packet from an adjacent router in a network, wherein the second packet comprises a second device tag; removing the second device tag from the second packet to generate a new packet; and forwarding the new packet to a different network.
6. A method implemented in an authentication and policy server configured to couple to a plurality of edge routers in a same domain, the method comprising: receiving a request for authentication from an application implemented on a device via an edge router in the plurality of edge routers, wherein the request comprises context information including a device characteristic of the device or of a user associated with the device and an application characteristic of the application; performing an authentication of the request, wherein the authentication comprises determining an identity of the user associated with the device; sending a message to the edge router, wherein the message indicates a device tag and an application tag to embed in packets received from the device, wherein the device tag is selected based on the device characteristic, and wherein the application tag is selected based on the application characteristic; determining a policy to be applied to the packets comprising the device tag or the application tag; and communicating the policy to each of the edge routers in response to the determining.
7. The method of claim 6, wherein the authentication and policy server manages a label space from which the device tag was selected.
8. The method of claim 7, wherein the device characteristic comprises at least one of an Internet Protocol (IP) address, a Media Access Control (MAC) address, a port of the edge router that receives the packets, a type of access of the device, a location of the device, and a type of the device.
9. The method of claim 6, wherein the policy is associated with the device tag or the application tag, and wherein the policy indicates a level of access to a network resource.
10. An apparatus comprising: a memory; at least one transceiver configured to: receive an authentication request from an application implemented on a device, wherein the authentication request comprises context information including a device characteristic of the device or of a user of the device and an application characteristic of the application; forward the authentication request to an authentication and policy server; receive an authentication response from the authentication and policy server, wherein the authentication response comprises an indication of a device tag selected based on the device characteristic and an indication of an application tag selected based on the application characteristic; forward the authentication response to the device; receive a packet from the device; and receive a policy associated with the device tag or the application tag from the authentication and policy server; and a processor coupled to the memory, wherein the memory contains instructions that when executed by the processor cause the apparatus to: embed the device tag and the application tag in the packet to form a tagged packet such that the tagged packet comprises the device tag and the application tag, wherein the application tag comprises the context information; and execute the policy, wherein the at least one transceiver is further configured to forward the tagged packet according to the policy.
11. The apparatus of claim 10, wherein the device tag comprises a first defined constant number of bits in the tagged packet, and wherein the application tag comprises a second defined constant number of bits in the tagged packet.
12. The apparatus of claim 11, wherein the application tag is embedded following a packet inspection to determine a corresponding application.
13. The apparatus of claim 10, wherein the at least one transceiver is further configured to receive a second packet from an adjacent router in a network, wherein the second packet comprises a second device tag, and wherein the processor is further configured to apply a second policy to the second packet according to the second device tag.
14. The apparatus of claim 10, wherein the at least one transceiver is further configured to receive a packet from an adjacent router in a network, wherein the packet comprises a second application tag, and wherein the processor is further configured to determine the second application tag by inspecting a field in the packet; and determine access to a second application based on the second application tag.
15. The apparatus of claim 10, wherein the device characteristic comprises at least one of an Internet Protocol (IP) address, a Media Access Control (MAC) address, a port of the apparatus that receives the packet, a type of access of the device, a location of the device, and a type of the device, wherein the device tag may be further based on a destination of the packet.
16. The apparatus of claim 11, wherein the first defined constant number of bits and the second defined constant number of bits are equal.
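The exchange the claims describe, modelled as an added example (not code from the patent or its assignee): the policy server authenticates and selects a device tag and an application tag, the edge router embeds both as fixed-width bit fields (claims 11 and 16), looks up the per-tag policy for packets from the device or from an adjacent router (claims 2, 3 and 9), and strips the tags before forwarding into a different network (claim 5). The 8-bit tag width, user store, label values and policy table are constructed assumptions, and an unknown tag pair falls through to deny.

```python
# Toy model of the tagging exchange claimed above; tag width, user store,
# labels and policies are constructed assumptions, not the patent's own values.
TAG_BITS = 8                          # both tags equal width (claim 16)
TAG_MASK = (1 << TAG_BITS) - 1
HDR_LEN = (2 * TAG_BITS + 7) // 8     # bytes holding device tag + app tag
USERS = {"alice", "bob"}                                   # constructed identity store
DEVICE_LABELS = {"corp-laptop": 0x11, "byod-phone": 0x22}  # label space (claim 7)
APP_LABELS = {"payroll": 0x01, "chat": 0x02}
POLICIES = {(0x11, 0x01): "full", (0x22, 0x01): "read-only", (0x22, 0x02): "full"}

def server_authenticate(user, device_char, app_char):
    """Claim 6: verify identity, then select a device tag and an application tag."""
    if user not in USERS:
        return None
    return DEVICE_LABELS[device_char], APP_LABELS[app_char]

class EdgeRouter:
    def __init__(self):
        self.sessions = {}                # device id -> (device_tag, app_tag)
        self.policies = {}                # pushed by the server after auth

    def handle_auth(self, device_id, user, device_char, app_char):
        """Claim 1: relay the request, learn the tags, then receive the policy."""
        tags = server_authenticate(user, device_char, app_char)
        if tags is None:
            return False
        self.sessions[device_id] = tags
        self.policies = dict(POLICIES)
        return True

    def tag_packet(self, device_id, payload):
        """Embed both tags as one fixed-width header, device tag in the high bits."""
        if device_id not in self.sessions:    # unauthenticated device: drop
            return None
        dev, app = self.sessions[device_id]
        hdr = ((dev & TAG_MASK) << TAG_BITS) | (app & TAG_MASK)
        return hdr.to_bytes(HDR_LEN, "big") + payload

    def parse_tags(self, packet):
        """Claim 3: read the tag field of a packet from an adjacent router."""
        hdr = int.from_bytes(packet[:HDR_LEN], "big")
        return hdr >> TAG_BITS, hdr & TAG_MASK

    def apply_policy(self, packet):
        """Claims 2 and 9: access level granted to the tag pair, default deny."""
        return self.policies.get(self.parse_tags(packet), "deny")

    def strip_tags(self, packet):
        """Claim 5: drop the tags before forwarding to a different network."""
        return packet[HDR_LEN:]
```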
for separating internal from external traffic, e.g. firewalls · CPC title
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
Parsing or analysis of headers · CPC title
by using authentication-authorization-accounting [AAA] servers or protocols · CPC title
Filtering policies (mail message filtering H04L51/212) · CPC title