CN102318314B - Method and devices for handling access authorities - Google Patents


Info

Publication number: CN102318314B (application number CN201180001196.0A)
Authority: CN (China)
Legal status: Active (as listed by Google Patents; an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN102318314A
Inventor: 唐鹏合
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Prior art keywords: address, terminal, access, state check

Timeline: application filed by Huawei Technologies Co Ltd; publication of CN102318314A; application granted; publication of CN102318314B; legal status Active; anticipated expiration.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The invention relates to a method and devices for handling access rights. The method includes receiving a first access request from a terminal, which carries a first source Internet Protocol (IP) address and a first destination IP address, the former being the terminal's address. Then, based on a preset correspondence between terminal IP addresses and terminal access rights, it is decided whether to allow the terminal to access the first destination IP address. The invention aims at saving storage resources on the network access device (NAD) so that the NAD keeps control over terminal access rights.

Description

Access right control method and device
Technical field
Embodiments of the invention relate to the field of information technology, and in particular to an access right control method and device.
Background
Network Admission Control (NAC) is an "end-to-end" security architecture. The information exchange between a terminal and a network access device (NAD), for example a switch or a router, is carried in EAPoUDP messages, or over an EAPo802.1X interface (which supports port-based authentication).
In the prior art, a terminal accesses the network through the NAD. The authentication/authorization server (which may be a Remote Authentication Dial In User Service (RADIUS) server or a Terminal Access Controller Access-Control System (TACACS) server) delivers an Access Control List (ACL) for each terminal to the NAD. When the NAD receives an access request sent by a terminal, it looks up that terminal's ACL to decide whether to accept or reject the request. However, the access device has to store an ACL for every terminal, and each time a terminal comes online, goes offline or changes state the authentication/authorization server has to deliver or update that terminal's ACL on the NAD again. This can exhaust the resources the NAD has for storing ACLs, after which the NAD can no longer control terminal access.
Summary of the invention
Embodiments of the invention provide an access right control method and device, to solve the prior-art problem that the ACL storage resources on the NAD are insufficient, so that the NAD cannot control terminal access.
An embodiment of the invention provides an access right control method, comprising:
receiving a first access request sent by a terminal, the access request carrying a first source Internet Protocol (IP) address and a first destination IP address, the first source IP address being the IP address of the terminal, where the IP address of the terminal is allocated to the terminal by the network access device from different address segments according to the different access states the terminal is in;
determining, according to a predefined correspondence between terminal IP addresses and terminal access rights, whether to allow the terminal to access the first destination IP address.
An embodiment of the invention also provides a network access device, comprising:
a receiver, configured to receive a first access request sent by a terminal, the access request carrying a first source Internet Protocol (IP) address and a first destination IP address, the first source IP address being the IP address of the terminal, where the IP address of the terminal is allocated to the terminal by the network access device from different address segments according to the different access states the terminal is in;
a processor, configured to determine, according to a predefined correspondence between terminal IP addresses and terminal access rights, whether to allow the terminal to access the first destination IP address.
With the access right control method and device of the embodiments, the NAD allocates IP addresses to a terminal from different address segments according to the terminal's access state, so that when the NAD receives an access request from the terminal it can control the terminal's access rights according to the predefined correspondence between terminal IP addresses and terminal access rights. This saves storage resources on the NAD and ensures that the NAD keeps terminal access under control.
Brief description of the drawings
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Clearly, the drawings described below show some embodiments of the invention, and persons of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of an embodiment of the access right control method provided by the invention;
Fig. 2 is a structural framework diagram of network admission control in a local area network (LAN);
Fig. 3a is a flowchart of the terminal authentication performed before the terminal accesses the network, as provided by the invention;
Fig. 3b is a flowchart of the terminal state check performed during the terminal's network access process, as provided by the invention;
Fig. 3c is a flowchart of the process after the terminal has accessed the network, as provided by the invention;
Fig. 4 is a schematic structural diagram of an embodiment of the network access device provided by the invention;
Fig. 5 is a schematic structural diagram of another embodiment of the network access device provided by the invention.
Detailed description
To make the objectives, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings of the embodiments. The described embodiments are obviously some, but not all, of the embodiments of the invention. All other embodiments obtained by persons of ordinary skill in the art from the embodiments of the invention without creative effort fall within the protection scope of the invention.
Fig. 1 is a flowchart of an embodiment of the access right control method provided by the invention. As shown in Fig. 1, the method comprises:
S101. Receive a first access request sent by a terminal. The first access request carries a first source IP address and a first destination IP address; the first source IP address is the IP address of the terminal, and the IP address of the terminal is allocated to the terminal by the network access device from different address segments according to the different access states the terminal is in.
S102. Determine, according to a predefined correspondence between terminal IP addresses and terminal access rights, whether to allow the terminal to access the first destination IP address.
The steps above are executed by the network access device (NAD).
The invention applies to local area networks of various types, such as enterprise networks. Fig. 2 shows the structural framework of network admission control in a LAN. As shown in Fig. 2, the LAN may contain servers that provide various kinds of information; in the architecture of Fig. 2 the information is divided into a sensitive information zone, a core information zone and a general information zone, and each zone may contain one or more servers that provide information. A terminal accesses the network through the NAD, and the NAD controls the terminal's access to the servers that provide information.
When a terminal accesses the network it may log in to a portal server and enter a username and password there; the portal server sends the username and password entered by the terminal to the NAD via the portal protocol. Alternatively, the terminal may contact the NAD directly via the 802.1X protocol: after the NAD returns a response to the terminal, the terminal sends its username and password to the NAD.
A terminal is usually in different access states before, during and after network access. Specifically, the NAD sends the terminal's username and password to the authorization server (usually a RADIUS server), which authenticates and identifies the terminal; so before network access the terminal's access state can be divided into "before authentication and identification pass" and "after authentication and identification pass". After the terminal has passed authentication and identification, the state check server has to check whether the terminal has any violations: the state check server triggers the client agent software on the terminal to scan the terminal, for example checking whether the terminal's virus database is out of date, whether security software is missing, whether various patches are missing, and so on. When the client agent software has finished scanning the terminal, it sends the scan result to the state check server. If the terminal has no violations, the result of the state check server is "check passed" and the terminal is in the "state check passed" access state; if the terminal has violations, the terminal is in the "state check violation" access state. After the terminal's state check has passed, the state check server periodically triggers the client agent software on the terminal to scan it again. When an abnormal terminal state is detected, for example the terminal is infected with a virus, and the abnormal state threatens the network, the terminal must be isolated and forbidden from accessing the network; the terminal is then in the "state detection abnormal" access state.
A terminal in different access states usually holds different access rights. For example, when the terminal is in the "before authentication and identification pass" state, the access right it holds is the public right, and a terminal holds the public right whatever its IP address is. The public right is the right to access the servers that provide shared resources in the LAN; for example, any terminal in an enterprise network has the right to access the company's public resources. When the terminal is in the "after authentication and identification pass" and "before state check pass" states, the access right it holds is the user-group minimum authorization right. A LAN such as an enterprise network can usually be divided into several user groups; for example, the terminals of the company's research and development department form one user group and the terminals of the marketing department form another. The user-group minimum authorization right may be the public right within the user group: a terminal holding it may access the servers that provide shared resources within its user group. When the terminal is in the "state check passed" state, the access right it holds is the user-group right: besides the servers providing shared resources within the user group, the terminal may also access some servers in the group that provide specific resources, which may be important information and may be configured by each user group. When the terminal is in the "state detection abnormal" state, the access right it holds is the user-group isolation restricted right. In that state, if the terminal does not pose a harm to the network, its state can be repaired by the state remediation server; if the terminal poses a threat to the network, the terminal may hold the public right.
Because a terminal holds different access rights in different access states, the NAD can allocate the terminal an IP address from a different address segment for each access state it is in. The NAD can establish the correspondence between terminal IP addresses and terminal access rights in advance, so that when it receives an access request from a terminal it can judge from the terminal's IP address whether the terminal has the right to access the destination address.
Specifically, the NAD can locally divide an address pool (which may be all or part of the address range the NAD manages) into different address segments. Each address segment corresponds to one terminal access state and hence to one set of terminal access rights. When the terminal is in that access state, the NAD allocates it an IP address from the corresponding address segment. When the terminal accesses the network and the NAD receives the terminal's access request, the NAD can learn the terminal's access rights from the terminal's IP address and so determine, according to those rights, whether to allow the terminal to access the destination address. Alternatively, the address pool (which may be all or part of an address range stored in the authorization server's memory) can be divided into address segments on the authorization server (RADIUS server), each segment again corresponding to one access state and one set of access rights; when the terminal is in that access state the authorization server delivers an IP address from the corresponding segment to the NAD, and the NAD assigns that IP address to the terminal.
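The following is an added example, not code from the patent or from Huawei, of the NAD-side decision the two paragraphs above describe: the terminal's access right is derived from the address segment its source IP address belongs to, and the request is allowed or refused from that right alone, so no per-terminal ACL has to be stored. The segment ranges, the destination zones and the zone each right may reach are assumptions made for the illustration (the patent's Fig. 2 has sensitive, core and general zones but gives no addresses), as is the rule that the isolation right reaches only the remediation server.

```python
"""Added example (not the patent's code): NAD access decision driven by the
address segment a terminal's IP address was allocated from. All ranges and
right/zone names are illustrative assumptions."""
import ipaddress

# Address pool divided into segments, one per access state (assumed ranges).
SEGMENT_RIGHTS = {
    ipaddress.ip_network("10.0.1.0/24"): "group_min_auth",   # first segment: authentication passed
    ipaddress.ip_network("10.0.2.0/24"): "group",            # second segment: state check passed
    ipaddress.ip_network("10.0.3.0/24"): "group_isolation",  # third segment: state detection abnormal
}

# Destination zones (assumed ranges): public shared resources, the user group's
# shared resources, the user group's specific resources, and the remediation server.
ZONES = {
    "public": ipaddress.ip_network("10.100.0.0/24"),
    "group_shared": ipaddress.ip_network("10.101.0.0/24"),
    "group_specific": ipaddress.ip_network("10.102.0.0/24"),
    "remediation": ipaddress.ip_network("10.200.0.0/24"),
}

# Zones each right may reach. The isolation right reaching only the remediation
# server is an assumption; the patent only says remediation happens in that state.
RIGHT_ZONES = {
    "public": {"public"},
    "group_min_auth": {"public", "group_shared"},
    "group": {"public", "group_shared", "group_specific"},
    "group_isolation": {"remediation"},
}


def rights_for(src_ip: str) -> str:
    """Map a source IP address to an access right via its address segment.
    An address outside every segment carries only the public right."""
    ip = ipaddress.ip_address(src_ip)
    for segment, right in SEGMENT_RIGHTS.items():
        if ip in segment:
            return right
    return "public"


def zone_of(dst_ip: str):
    """Name of the destination zone, or None if the destination is in no zone."""
    ip = ipaddress.ip_address(dst_ip)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def allow(src_ip: str, dst_ip: str) -> bool:
    """Step S102: decide from the predefined address/right correspondence whether
    the terminal may reach dst_ip. Destinations in no zone are refused (default deny)."""
    zone = zone_of(dst_ip)
    return zone is not None and zone in RIGHT_ZONES[rights_for(src_ip)]


if __name__ == "__main__":
    for src, dst in [("10.0.1.7", "10.102.0.9"), ("10.0.2.7", "10.102.0.9"),
                     ("10.0.3.2", "10.200.0.1"), ("10.0.3.2", "10.100.0.1")]:
        print(src, "->", dst, "allow" if allow(src, dst) else "deny")
```

The per-request state the NAD keeps here is three network prefixes and a small table, regardless of how many terminals are online. The flip side, which the patent does not discuss, is that the decision trusts the source address: the scheme is only as strong as the NAD's binding of the allocated address to the terminal's port, since a terminal that configures an address from a more privileged segment by hand would otherwise inherit that segment's right.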
It should be noted that the present embodiment only takes the terminal access states "before authentication and identification pass", "after authentication and identification pass", "state check passed" and "state detection abnormal" as examples, and correspondingly gives the access rights for these states as the public right, the user-group minimum authorization right, the user-group right and the user-group isolation restricted right. It is understood that these are only some of the possible access states of a terminal and their corresponding rights; in practice the states a terminal passes through before, during and after network access may be subdivided further, and the various LANs have their own access-right rules for those further states. The access state types and corresponding access rights given in the embodiments of the invention therefore do not limit the invention.
With the access right control method and device of the embodiments, the NAD allocates IP addresses to a terminal from different address segments according to the terminal's access state, so that when the NAD receives an access request from the terminal it can control the terminal's access rights according to the set correspondence between terminal IP addresses and terminal access rights. This saves storage resources on the NAD and ensures that the NAD keeps terminal access under control.
Fig. 3a to Fig. 3c form the flowchart of another embodiment of the access right control method provided by the invention. As shown in Fig. 3a to Fig. 3c, this embodiment gives the complete method by which the NAD allocates IP addresses to a terminal from different address segments according to the terminal's access state, before, during and after the terminal accesses the network. The method comprises:
1. The terminal authentication flow before the terminal accesses the network, see Fig. 3a:
S201. The terminal sends an access request to the NAD via the 802.1X protocol, requesting access to the LAN.
802.1X is the terminal access method commonly used in a NAC architecture; it is understood that the terminal may also access the LAN through other protocols or interfaces, which are not enumerated one by one here.
S202. The NAD returns an access request response to the terminal.
S203. The terminal sends its username and password to the NAD.
S204. The NAD sends the terminal's username and password to the authorization server (usually a RADIUS server).
S205. The authorization server authenticates and identifies the terminal according to its username and password.
At this point the terminal is in the "before authentication and identification pass" access state, and the access right it holds is the public right.
S206. After the authorization server notifies the NAD that the terminal has passed authentication and identification, the NAD records the terminal's access state as "authentication and identification passed".
S207. The terminal sends a first IP address acquisition request to the NAD via the Dynamic Host Configuration Protocol (DHCP).
In embodiments of the invention the NAD can pre-establish the correspondence between terminal IP addresses and terminal access rights, so that it allocates the terminal an IP address from a different address segment of the address pool for each access state the terminal is in.
In this embodiment the NAD can predefine the IP addresses of a first address segment of the address pool as corresponding to the "user-group minimum authorization right", and allocate the terminal an IP address from the first segment when the terminal is in the "authentication and identification passed" state; the IP addresses of a second address segment as corresponding to the "user-group right", allocating from the second segment when the terminal is in the "state check passed" state; and the IP addresses of a third address segment as corresponding to the "user-group isolation restricted right", allocating from the third segment when the terminal is in the "state detection abnormal" state.
S208. The NAD allocates the terminal an IP address from the first address segment of the address pool, according to the terminal's "authentication and identification passed" access state.
It should be noted that the IP address the NAD allocates to the terminal once it is in the "authentication and identification passed" state is generally a temporary address.
2. The terminal state check flow during the terminal's network access, see Fig. 3b:
S209. After the terminal has obtained the temporary address, the state check server performs a state check on the terminal. If the check passes, S210 is executed; otherwise S212 is executed.
The state check server checks the terminal as follows: it triggers the client agent software on the terminal to scan the terminal, for example to determine whether software of a particular type, such as antivirus software, is installed, and whether the terminal's virus database has been updated. The NAD can define, according to the actual needs of the LAN, what makes a terminal pass or fail the state check; for example, a terminal whose virus database has not been updated may be defined as failing the check, or a terminal on which a particular type of software is not installed may be defined as failing it, and so on.
After finishing the scan of the terminal, the client agent software sends the scan result to the state check server.
S210. The state check server sends a "terminal state check passed" notification message to the NAD via a dynamic authorization change protocol (for example, a RADIUS CoA message), and the NAD changes the recorded access state of the terminal to "state check passed".
S211. The NAD allocates the terminal an IP address from the second address segment of the address pool.
The IP address the NAD allocates to the terminal in S208 is generally a temporary address, used only to interact with the state server so that the terminal's access state can be checked; its lease time can therefore usually be set to a small value (for example, 1 minute). After the terminal's state check has passed and the NAD has received the "state check passed" notification sent by the state check server in a RADIUS CoA message or in an extended RADIUS attribute, if the NAD receives a DHCP lease renewal message from the terminal, the NAD can return a DHCP Negative Acknowledgement (NAK) message to the terminal. This triggers the terminal to initiate a second IP address acquisition request, and the NAD can then allocate the terminal an IP address from the second address segment of the address pool. This IP address is generally a normal IP address.
S212. If a violation is found during the state check, the NAD may leave the terminal's IP address unchanged, and the state remediation server repairs the terminal.
Specifically, the client agent software on the terminal interacts with the state remediation server, which guides the terminal through the state remediation flow.
S213. After the terminal has been repaired, the state remediation server notifies the state check server to perform a state check on the terminal. If the state check passes, the state check server sends a "terminal state check passed" notification message to the NAD, and the NAD allocates the terminal an IP address from the second address segment of the address pool.
For the process in S213 by which the NAD allocates an IP address from the second address segment of the address pool, refer to the description of S211.
3. The flow after the terminal has accessed the network, see Fig. 3c:
S214. After the terminal has passed the state check and obtained a normal address, it can use the network resources of its user group normally. The state check server periodically performs state detection on the terminal. When the state check server finds the terminal's state abnormal, it judges whether the abnormal state threatens network security: if the abnormal state does not threaten the network, S215 is executed; if it does, S216 is executed.
The state check server can periodically interact with the client agent software on the terminal to carry out this periodic state detection.
S215. The state remediation server repairs the terminal.
S216. The state check server sends a terminal isolation notification message to the NAD via the dynamic authorization protocol (for example, a RADIUS CoA (Change of Authorization) message), and the NAD records the change of the terminal's state.
When the terminal's state is abnormal and can threaten the network, the terminal must be isolated and forbidden from accessing the network, in order to protect the other terminals.
S217 is one possible way of isolating the terminal; S218 to S219 are another.
S217. The state check server can deliver an access control list (ACL) for the terminal to the NAD, for example via the RADIUS CoA protocol, so that when the NAD receives a second access request sent by the terminal, carrying a second source IP address and a second destination IP address, the NAD can determine from the terminal's ACL whether to allow the terminal to access the second destination IP address.
S218. The NAD sends an Extensible Authentication Protocol (EAP) message to the terminal, triggering the terminal to initiate a first IP address release request and a third IP address acquisition request.
In S218 the IP address the terminal requests to release is the IP address the NAD allocated to it from the second address segment of the address pool.
S219. According to the third IP address acquisition request initiated by the terminal, the NAD allocates the terminal an IP address from the third address segment of the address pool.
Because the IP address the NAD allocates from the second address segment after the state check has passed is a normal IP address with a longer lease, once the state check server detects the terminal abnormality it can notify the NAD through an extended protocol (for example, through an extended RADIUS attribute in a RADIUS CoA message), and the NAD records the terminal's state as abnormal. The NAD can, through the extended protocol, instruct the client agent software on the terminal to send the first DHCP IP address release request and to initiate the third IP address acquisition request; the NAD then allocates the terminal an IP address from the third address segment of the address pool according to the terminal's "state detection abnormal" access state. This IP address is an isolation address.
S220. The state remediation server performs state remediation on the terminal.
Specifically, the client agent software can establish a connection with the state remediation server and complete the terminal remediation flow.
S221. After the terminal's state has been repaired, the state remediation server can send a "terminal state remediation complete" notification to the NAD by instructing the state check server to send it.
S222. The NAD allocates the terminal an IP address from the second address segment of the address pool.
After the terminal's state remediation is complete, the state check server notifies the NAD through the dynamic authorization protocol (for example, the RADIUS CoA protocol) that the terminal's state remediation is complete. The NAD can send an EAP message to the terminal, triggering it to initiate a second IP address release request and a fourth IP address acquisition request. Specifically, the NAD can extend a custom field after the NULL character (the 0 character) that follows the name in the data field of an EAP Request message, instructing the terminal's agent software to start the DHCP acquisition process again. According to the fourth IP address acquisition request initiated by the terminal, the NAD allocates the terminal an IP address from the second address segment of the address pool; this IP address is a normal IP address.
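The following is an added example, not code from the patent or from Huawei, that walks one terminal through the whole Fig. 3a to Fig. 3c flow from the NAD's point of view: the access state changes as the authorization and state check servers notify the NAD, and each DHCP acquisition is served from the segment that matches the current state. The short lease on the temporary address, the NAK on a renewal after the state has changed, and the EAP-triggered release-and-reacquire are modelled as method calls; the segment ranges, lease values, event names and the rule that no pool address is issued before authentication are assumptions made for the illustration. The ACL alternative in S217 is not modelled.

```python
"""Added example (not the patent's code): NAD-side simulation of the address
reallocation in Fig. 3a-3c. Ranges, leases and event names are assumptions."""
import ipaddress
from itertools import count

# Address pool segments, one per access state (assumed ranges).
SEGMENTS = {
    "auth_passed": ipaddress.ip_network("10.0.1.0/24"),   # first segment: temporary address
    "check_passed": ipaddress.ip_network("10.0.2.0/24"),  # second segment: normal address
    "abnormal": ipaddress.ip_network("10.0.3.0/24"),      # third segment: isolation address
}
# Lease times in seconds (assumed): 1 minute for the temporary address, long otherwise.
LEASE = {"auth_passed": 60, "check_passed": 86400, "abnormal": 86400}


class NAD:
    def __init__(self):
        self.state = {}   # terminal -> access state recorded by the NAD
        self.addr = {}    # terminal -> IP address currently allocated
        self.log = []     # messages the NAD sends, kept for inspection
        self._next = {s: count(10) for s in SEGMENTS}  # next host number per segment

    def _allocate(self, term):
        state = self.state[term]
        ip = SEGMENTS[state].network_address + next(self._next[state])
        self.addr[term] = ip
        return ip, LEASE[state]

    def auth_passed(self, term):
        """S206: authorization server reports authentication/identification passed."""
        self.state[term] = "auth_passed"

    def dhcp_request(self, term):
        """S207/S208, S219, S222: a fresh DHCP acquisition is served from the
        segment of the current state. Before S206 nothing is issued (assumption)."""
        if term not in self.state:
            return None
        ip, lease = self._allocate(term)
        self.log.append(f"DHCP ACK {term} {ip} lease={lease}")
        return ip, lease

    def dhcp_renew(self, term):
        """S211 note: a renewal of an address that no longer matches the terminal's
        state gets a NAK, which makes the terminal start a new acquisition."""
        if self.addr[term] in SEGMENTS[self.state[term]]:
            self.log.append(f"DHCP ACK {term} {self.addr[term]}")
            return "ACK"
        self.log.append(f"DHCP NAK {term}")
        return "NAK"

    def check_passed(self, term):
        """S210/S213: state check passed (CoA notification); the address is only
        replaced when the short temporary lease comes up for renewal."""
        self.state[term] = "check_passed"

    def _eap_reacquire(self, term):
        """S218/S219 and the S222 note: EAP message makes the terminal release its
        address and acquire a new one, now served from the current state's segment."""
        self.log.append(f"EAP {term} release+reacquire")
        del self.addr[term]
        return self.dhcp_request(term)[0]

    def isolate(self, term):
        """S216-S219: abnormal state that threatens the network."""
        self.state[term] = "abnormal"
        return self._eap_reacquire(term)

    def remediated(self, term):
        """S221/S222: remediation complete, back to the second segment."""
        self.state[term] = "check_passed"
        return self._eap_reacquire(term)


def walk_through():
    """Run one terminal through the flow; return the addresses it held, in order."""
    nad, t = NAD(), "term-A"
    if nad.dhcp_request(t) is not None:          # before authentication: nothing from the pool
        raise RuntimeError("address issued before authentication")
    nad.auth_passed(t)
    held = [nad.dhcp_request(t)[0]]              # temporary address, first segment
    nad.check_passed(t)
    if nad.dhcp_renew(t) != "NAK":               # renewal after the state change is refused
        raise RuntimeError("temporary address was renewed after state check passed")
    held.append(nad.dhcp_request(t)[0])          # normal address, second segment
    held.append(nad.isolate(t))                  # isolation address, third segment
    held.append(nad.remediated(t))               # normal address again, second segment
    return [str(ip) for ip in held]


if __name__ == "__main__":
    print(walk_through())
```

The point the simulation makes visible is why the temporary address needs a short lease: the NAD never pushes a new address to the terminal on a state change, it only refuses the next renewal or, for the long-lived normal address, has to use EAP to make the terminal release it. Until one of those happens, the terminal keeps using the old address and therefore the old right.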
With the access right control method of this embodiment, the NAD allocates IP addresses to a terminal from different address segments according to the terminal's access state, so that when the NAD receives an access request from the terminal it can control the terminal's access rights according to the predefined correspondence between terminal IP addresses and terminal access rights. This saves storage resources on the NAD and ensures that the NAD keeps terminal access under control. The invention does not require changing the architecture of an existing LAN, adding network equipment, or upgrading existing network equipment.
It should be noted that, for brevity, each of the foregoing method embodiments is described as a series of combined actions; persons skilled in the art will understand that the invention is not limited by the described order of actions, since according to the invention some steps can be performed in other orders or simultaneously.
In the embodiments above, each embodiment emphasizes different aspects; for a part not described in detail in one embodiment, refer to the related description in the other embodiments.
Persons of ordinary skill in the art will understand that all or part of the steps of the method embodiments above can be carried out by hardware instructed by a program. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments; the storage medium includes any medium capable of storing program code, such as ROM, RAM, a magnetic disk or an optical disc.
Fig. 4 is a schematic structural diagram of an embodiment of the network access equipment provided by the present invention. As shown in Fig. 4, this network access equipment comprises a receiver 11 and a processor 12.
The receiver 11 is configured to receive a first access request sent by a terminal. The first access request carries a first source Internet Protocol (IP) address and a first destination IP address, where the first source IP address is the IP address of the terminal, and the IP address of the terminal is allocated to the terminal by the network access equipment from different address segments according to the different access states the terminal is in.
The processor 12 is configured to determine, according to a predefined correspondence between terminal IP addresses and terminal access rights, whether to allow the terminal to access the first destination IP address.
Fig. 5 is a schematic structural diagram of another embodiment of the network access equipment, extended on the basis of Fig. 4. As shown in Fig. 5, this network access equipment comprises a receiver 11 and a processor 12.
When the processor 12 determines, according to the predefined correspondence between terminal IP addresses and terminal access rights, whether to allow the terminal to access the first destination IP address, that predefined correspondence may comprise:
if the IP address of the terminal is any address, the corresponding terminal access right is the public right;
if the IP address of the terminal lies in a first address segment of the address pool, the corresponding terminal access right is the minimum authorization right of the user group;
if the IP address of the terminal lies in a second address segment of the address pool, the corresponding terminal access right is the user group right;
if the IP address of the terminal lies in a third address segment of the address pool, the corresponding terminal access right is the isolation-restricted right of the user group.
The receiver 11 provided by this embodiment may further be configured to receive one or more of: a first obtain-IP-address request sent by the terminal, a terminal status check passed notification message sent by a status check server, a terminal quarantine notification message sent by the status check server, and a terminal status repair completed notification sent by the status check server.
Accordingly, if the receiver 11 receives the first obtain-IP-address request sent by the terminal after the terminal has passed authentication and identification, the processor 12 may further be configured to allocate an IP address to the terminal from the first address segment of the address pool. At this point, when the terminal is in the access state "authentication and identification passed", the IP address the processor 12 allocates to the terminal is generally a temporary address with a short lease period.
Alternatively, if the receiver 11 receives the terminal status check passed notification message sent by the status check server, the processor 12 allocates an IP address to the terminal from the second address segment of the address pool. When the terminal is in the access state "status check passed", the IP address the processor 12 allocates to the terminal is a normal address.
Alternatively, if the receiver 11 receives the terminal quarantine notification message sent by the status check server, the processor 12 allocates an IP address to the terminal from the third address segment of the address pool. When the terminal is in the access state "status check abnormal", the IP address the processor 12 allocates to the terminal is an isolation address.
Alternatively, if the receiver 11 receives the terminal status repair completed notification sent by the status check server, the processor 12 allocates an IP address to the terminal from the second address segment of the address pool.
The network access equipment provided by this embodiment may further comprise:
a first transmitter 13, configured to, after the receiver 11 has received the terminal status check passed notification message sent by the status check server and then receives a lease renewal message sent by the terminal, the lease renewal message requesting renewal of the temporary address, send a DHCP negative acknowledgement (DHCP NAK) message to the terminal, thereby triggering the terminal to initiate a second obtain-IP-address request. That is, the lease renewal message the receiver 11 receives from the terminal is a renewal request for the temporary address; the first transmitter 13 sends a DHCP NAK message to the terminal to refuse the terminal's renewal request for the temporary address and to trigger the terminal to initiate the second obtain-IP-address request.
Accordingly, the processor 12 may further be configured to allocate a normal address to the terminal from the second address segment of the address pool according to the second obtain-IP-address request initiated by the terminal.
The network access equipment provided by this embodiment may further comprise:
a second transmitter 14, configured to, if the receiver 11 receives the terminal quarantine notification message sent by the status check server, send an Extensible Authentication Protocol (EAP) message to the terminal, thereby triggering the terminal to initiate a first release-IP-address request and a third obtain-IP-address request, where the first release-IP-address request requests release of the normal address.
Accordingly, the processor 12 may further be configured to allocate an isolation address to the terminal from the third address segment of the address pool according to the third obtain-IP-address request initiated by the terminal.
The network access equipment provided by this embodiment may further comprise:
a third transmitter 15, configured to, if the receiver 11 receives the terminal status repair completed notification sent by the status check server, send an EAP message to the terminal, thereby triggering the terminal to initiate a second release-IP-address request and a fourth obtain-IP-address request, where the second release-IP-address request initiated by the terminal requests release of the isolation address.
Accordingly, the processor 12 may further be configured to allocate a normal address to the terminal from the second address segment of the address pool according to the fourth obtain-IP-address request initiated by the terminal.
Further, the receiver 11 may also be configured to receive an access control list (ACL) of the terminal issued by the status check server.
After the receiver 11 has received the ACL of the terminal issued by the status check server, if a second access request sent by the terminal is received, carrying a second source IP address and a second destination IP address, the processor 12 may further be configured to determine, according to the ACL of the terminal, whether to allow the terminal to access the second destination IP address.
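The following Python model is an added illustration written for this page; it is not code from the patent or from Huawei. It ties together the two halves of the embodiment described above (and restated in claims 1 to 19): the DHCP-side allocation, in which the segment an address is drawn from follows the terminal's access state, and the access decision, in which the rights level follows the segment the source address belongs to, so the NAD keeps no per-terminal rights table. Everything not in the patent is an assumption and is marked as such in the code: the three address ranges, the destination sets standing in for the four rights levels, the terminal identifier, the strings standing in for DHCP and EAP messages, and the choice to let a quarantine ACL lapse once repair completes.

```python
import ipaddress
from enum import Enum

# Constructed address pool (assumption; the patent names three segments but no ranges).
SEGMENT_TEMP = ipaddress.ip_network("10.0.1.0/24")       # first segment: temporary addresses
SEGMENT_NORMAL = ipaddress.ip_network("10.0.2.0/24")     # second segment: normal addresses
SEGMENT_ISOLATION = ipaddress.ip_network("10.0.3.0/24")  # third segment: isolation addresses

# Constructed destination sets for the four rights levels (assumption; the patent
# names the levels but not which destinations each one may reach).
PUBLIC_RIGHTS = {"198.51.100.10"}                                    # any address: e.g. DNS/portal
MIN_AUTH_RIGHTS = PUBLIC_RIGHTS | {"198.51.100.20"}                  # first segment: status-check server
GROUP_RIGHTS = MIN_AUTH_RIGHTS | {"198.51.100.30", "198.51.100.31"}  # second segment: group resources
ISOLATION_RIGHTS = PUBLIC_RIGHTS | {"198.51.100.40"}                 # third segment: remediation server


class State(Enum):
    AUTHENTICATED = "authentication and identification passed, status check pending"
    CHECK_PASSED = "status check passed"
    QUARANTINED = "status check abnormal"
    REPAIRED = "status repair completed"


class NAD:
    """Network access device: state-driven address allocation plus IP-based access decisions."""

    def __init__(self):
        self.state = {}   # terminal id -> State
        self.lease = {}   # terminal id -> (ip, is_temporary)
        self.acl = {}     # terminal id -> destinations allowed by the ACL the status-check server issued
        self._next = {SEGMENT_TEMP: 1, SEGMENT_NORMAL: 1, SEGMENT_ISOLATION: 1}

    def _allocate(self, segment):
        ip = segment.network_address + self._next[segment]
        self._next[segment] += 1
        return str(ip)

    # DHCP side: which segment serves the request depends on the terminal's access state.
    def on_obtain_ip_request(self, term):
        state = self.state.get(term)
        if state is State.AUTHENTICATED:
            self.lease[term] = (self._allocate(SEGMENT_TEMP), True)      # short-lease temporary address
        elif state in (State.CHECK_PASSED, State.REPAIRED):
            self.lease[term] = (self._allocate(SEGMENT_NORMAL), False)
        elif state is State.QUARANTINED:
            self.lease[term] = (self._allocate(SEGMENT_ISOLATION), False)
        else:
            return None                                                   # not authenticated: no address
        return self.lease[term][0]

    def on_renew_request(self, term):
        """Renewal of a temporary address after the status check passed is refused with
        DHCP NAK, which makes the terminal re-request and obtain a normal address."""
        _ip, temporary = self.lease[term]
        if temporary and self.state[term] is State.CHECK_PASSED:
            return "DHCP NAK"
        return "DHCP ACK"

    def on_release_request(self, term):
        self.lease.pop(term, None)

    # Notifications from the status-check server.
    def on_status_check_passed(self, term):
        self.state[term] = State.CHECK_PASSED

    def on_quarantine(self, term, acl=None):
        self.state[term] = State.QUARANTINED
        if acl is not None:                      # ACL issued after the quarantine notice
            self.acl[term] = set(acl)
        return "EAP: release address, then request a new one"   # trigger sent to the terminal

    def on_repair_complete(self, term):
        self.state[term] = State.REPAIRED
        self.acl.pop(term, None)                 # assumption: the quarantine ACL lapses on repair
        return "EAP: release address, then request a new one"

    # Access control: the rights level follows the segment the source address belongs to.
    @staticmethod
    def rights_for(src_ip):
        ip = ipaddress.ip_address(src_ip)
        if ip in SEGMENT_TEMP:
            return MIN_AUTH_RIGHTS
        if ip in SEGMENT_NORMAL:
            return GROUP_RIGHTS
        if ip in SEGMENT_ISOLATION:
            return ISOLATION_RIGHTS
        return PUBLIC_RIGHTS

    def allow(self, term, src_ip, dst_ip):
        if term in self.acl:                     # a terminal-specific ACL takes precedence
            return dst_ip in self.acl[term]
        return dst_ip in self.rights_for(src_ip)
```

The point the model makes visible is that every transition between rights levels is forced through a DHCP re-request (NAK for the temporary lease, EAP-triggered release and re-request for quarantine and repair), so the terminal's source address changes segment and the NAD's decision changes with it without any per-terminal rule being installed; only the optional ACL from the status-check server is terminal-specific state.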
The network access equipment provided by this embodiment corresponds to the access right control method provided by the embodiments of the present invention: the network access equipment is the executing device that implements the access right control method, and the detailed process by which it performs access right control can be found in the method embodiments provided by the present invention and is not repeated here.
In the embodiments of the present invention, the network access equipment (NAD) allocates IP addresses to a terminal from different address segments according to the terminal's access state, so that when the NAD receives an access request from the terminal it can control the terminal's access rights according to the predefined correspondence between terminal IP addresses and terminal access rights. This saves storage resources on the NAD and ensures that the access of terminals connected through the NAD remains controlled.
Finally, it should be noted that the above embodiments are merely intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions recorded in the foregoing embodiments, or replace some of the technical features with equivalents, and that such modifications or replacements do not make the essence of the corresponding technical solutions depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (19)

1. An access right control method, characterized by comprising:
receiving a first access request sent by a terminal, the access request carrying a first source Internet Protocol (IP) address and a first destination IP address, wherein the first source IP address is the IP address of the terminal, and the IP address of the terminal is allocated to the terminal by network access equipment from different address segments according to the different access states the terminal is in; and
determining, according to a predefined correspondence between terminal IP addresses and terminal access rights, whether to allow the terminal to access the first destination IP address.
2. The method according to claim 1, characterized in that the correspondence between the IP address of the terminal and the terminal access right comprises:
if the IP address of the terminal is any address, the corresponding terminal access right is the public right;
if the IP address of the terminal lies in a first address segment of an address pool, the corresponding terminal access right is the minimum authorization right of the user group;
if the IP address of the terminal lies in a second address segment of the address pool, the corresponding terminal access right is the user group right;
if the IP address of the terminal lies in a third address segment of the address pool, the corresponding terminal access right is the isolation-restricted right of the user group.
3. The method according to claim 2, characterized in that, before the receiving of the first access request sent by the terminal, the method further comprises:
if, after the terminal has passed authentication and identification and before the status check has passed, a first obtain-IP-address request sent by the terminal is received, allocating an IP address to the terminal from the first address segment of the address pool;
or, if a terminal status check passed notification message sent by a status check server is received, allocating an IP address to the terminal from the second address segment of the address pool;
or, if a terminal quarantine notification message sent by the status check server is received, allocating an IP address to the terminal from the third address segment of the address pool;
or, if a terminal status repair completed notification sent by the status check server is received, allocating an IP address to the terminal from the second address segment of the address pool.
4. The method according to claim 3, characterized in that the IP address allocated to the terminal from the first address segment is a temporary address, the IP address allocated to the terminal from the second address segment is a normal address, and the IP address allocated to the terminal from the third address segment is an isolation address.
5. The method according to claim 4, characterized in that said allocating an IP address to the terminal from the second address segment of the address pool if a terminal status check passed notification message sent by the status check server is received specifically comprises:
if, after the terminal status check passed notification message sent by the status check server is received, a lease renewal message sent by the terminal is received, the lease renewal message requesting renewal of the temporary address, sending a DHCP negative acknowledgement (DHCP NAK) message to the terminal to trigger the terminal to initiate a second obtain-IP-address request; and
allocating the normal address to the terminal from the second address segment of the address pool according to the second obtain-IP-address request initiated by the terminal.
6. The method according to claim 4, characterized in that said allocating an IP address to the terminal from the third address segment of the address pool if a terminal quarantine notification message sent by the status check server is received specifically comprises:
if the terminal quarantine notification message sent by the status check server is received, sending an Extensible Authentication Protocol (EAP) message to the terminal to trigger the terminal to initiate a first release-IP-address request and a third obtain-IP-address request, the first release-IP-address request requesting release of the normal address; and
allocating the isolation address to the terminal from the third address segment of the address pool according to the third obtain-IP-address request initiated by the terminal.
7. The method according to claim 4, characterized in that said allocating an IP address to the terminal from the second address segment of the address pool if a terminal status repair completed notification sent by the status check server is received specifically comprises:
if the terminal status repair completed notification sent by the status check server is received, sending an EAP message to the terminal to trigger the terminal to initiate a second release-IP-address request and a fourth obtain-IP-address request, the second release-IP-address request requesting release of the isolation address; and
allocating the normal address to the terminal from the second address segment of the address pool according to the fourth obtain-IP-address request initiated by the terminal.
8. The method according to any one of claims 3 to 7, characterized in that, after the receiving of the terminal quarantine notification message sent by the status check server, the method further comprises:
receiving an access control list (ACL) of the terminal issued by the status check server.
9. The method according to claim 8, characterized in that, after the receiving of the ACL of the terminal issued by the status check server, the method further comprises:
receiving a second access request sent by the terminal, the second access request carrying a second source IP address and a second destination IP address; and
determining, according to the ACL of the terminal, whether to allow the terminal to access the second destination IP address.
10. Network access equipment, characterized by comprising:
a receiver, configured to receive a first access request sent by a terminal, the access request carrying a first source Internet Protocol (IP) address and a first destination IP address, wherein the first source IP address is the IP address of the terminal, and the IP address of the terminal is allocated to the terminal by the network access equipment from different address segments according to the different access states the terminal is in; and
a processor, configured to determine, according to a predefined correspondence between terminal IP addresses and terminal access rights, whether to allow the terminal to access the first destination IP address.
11. The network access equipment according to claim 10, characterized in that the correspondence between the IP address of the terminal and the terminal access right comprises:
if the IP address of the terminal is any address, the corresponding terminal access right is the public right;
if the IP address of the terminal lies in a first address segment of an address pool, the corresponding terminal access right is the minimum authorization right of the user group;
if the IP address of the terminal lies in a second address segment of the address pool, the corresponding terminal access right is the user group right;
if the IP address of the terminal lies in a third address segment of the address pool, the corresponding terminal access right is the isolation-restricted right of the user group.
12. The network access equipment according to claim 11, characterized in that the receiver is further configured to receive a first obtain-IP-address request sent by the terminal, a terminal status check passed notification message sent by a status check server, a terminal quarantine notification message sent by the status check server, and a terminal status repair completed notification sent by the status check server.
13. The network access equipment according to claim 12, characterized in that the processor is further configured to:
if the receiver receives the first obtain-IP-address request sent by the terminal after the terminal has passed authentication and identification and before the status check has passed, allocate an IP address to the terminal from the first address segment of the address pool; or, if the receiver receives the terminal status check passed notification message sent by the status check server, allocate an IP address to the terminal from the second address segment of the address pool; or, if the receiver receives the terminal quarantine notification message sent by the status check server, allocate an IP address to the terminal from the third address segment of the address pool; or, if the receiver receives the terminal status repair completed notification sent by the status check server, allocate an IP address to the terminal from the second address segment of the address pool.
14. The network access equipment according to claim 13, characterized in that the IP address the processor allocates to the terminal from the first address segment is a temporary address, the IP address the processor allocates to the terminal from the second address segment is a normal address, and the IP address the processor allocates to the terminal from the third address segment is an isolation address.
15. The network access equipment according to claim 14, characterized by further comprising:
a first transmitter, configured to, if the receiver, after receiving the terminal status check passed notification message sent by the status check server, receives a lease renewal message sent by the terminal, the lease renewal message requesting renewal of the temporary address, send a DHCP negative acknowledgement (DHCP NAK) message to the terminal to trigger the terminal to initiate a second obtain-IP-address request;
wherein the processor is further configured to allocate the normal address to the terminal from the second address segment of the address pool according to the second obtain-IP-address request initiated by the terminal.
16. The network access equipment according to claim 14, characterized by further comprising:
a second transmitter, configured to, if the receiver receives the terminal quarantine notification message sent by the status check server, send an Extensible Authentication Protocol (EAP) message to the terminal to trigger the terminal to initiate a first release-IP-address request and a third obtain-IP-address request, the first release-IP-address request requesting release of the normal address;
wherein the processor is further configured to allocate the isolation address to the terminal from the third address segment of the address pool according to the third obtain-IP-address request initiated by the terminal.
17. The network access equipment according to claim 14, characterized by further comprising:
a third transmitter, configured to, if the receiver receives the terminal status repair completed notification sent by the status check server, send an EAP message to the terminal to trigger the terminal to initiate a second release-IP-address request and a fourth obtain-IP-address request, the second release-IP-address request requesting release of the isolation address;
wherein the processor is further configured to allocate the normal address to the terminal from the second address segment of the address pool according to the fourth obtain-IP-address request initiated by the terminal.
18. The network access equipment according to any one of claims 13 to 17, characterized in that the receiver is further configured to, after receiving the terminal quarantine notification message sent by the status check server, receive an access control list (ACL) of the terminal issued by the status check server.
19. The network access equipment according to claim 18, characterized in that the receiver is further configured to receive a second access request sent by the terminal, the second access request carrying a second source IP address and a second destination IP address; and
the processor is further configured to determine, according to the ACL of the terminal, whether to allow the terminal to access the second destination IP address.
CN201180001196.0A 2011-07-29 2011-07-29 Method and devices for handling access authorities Active CN102318314B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2011/077781 WO2012109854A1 (en) 2011-07-29 2011-07-29 Access permission control method and device

Publications (2)

Publication Number Publication Date
CN102318314A CN102318314A (en) 2012-01-11
CN102318314B true CN102318314B (en) 2013-09-11

Family

ID=45429446

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201180001196.0A Active CN102318314B (en) 2011-07-29 2011-07-29 Method and devices for handling access authorities

Country Status (2)

Country Link
CN (1) CN102318314B (en)
WO (1) WO2012109854A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105939357A (en) * 2016-06-13 2016-09-14 杭州迪普科技有限公司 Method and device for obtaining corresponding relation of user IP (Internet Protocol) address and user group information

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102685135B (en) * 2012-05-17 2014-11-26 江苏中科梦兰电子科技有限公司 Software authority verification method based on C/S (Client/Server) framework
US20140079207A1 (en) * 2012-09-12 2014-03-20 Genesys Telecommunications Laboratories, Inc. System and method for providing dynamic elasticity of contact center resources
CN103312833B (en) * 2013-05-29 2016-08-17 福建三元达网络技术有限公司 DHCP predistribution lease method and device thereof
CN104320384B (en) * 2014-10-09 2019-04-26 深圳创维数字技术有限公司 A kind of wireless routing device control method and device
CN105847287A (en) * 2016-05-17 2016-08-10 中山大学 Resource access control method based on community local area network and system based on community local area network
CN106060048A (en) * 2016-05-31 2016-10-26 杭州华三通信技术有限公司 Network resource access method and network resource access device
CN106254328B (en) * 2016-07-27 2019-10-18 杭州华为数字技术有限公司 A kind of access control method and device
CN106131847B (en) * 2016-08-30 2019-12-06 锐捷网络股份有限公司 wireless mobile terminal security access control method, device and equipment
CN108881127B (en) * 2017-05-15 2022-07-15 中兴通讯股份有限公司 Method and system for controlling remote access authority
WO2019006595A1 (en) * 2017-07-03 2019-01-10 深圳前海达闼云端智能科技有限公司 Control method and apparatus, and electronic device
WO2019061336A1 (en) * 2017-09-29 2019-04-04 深圳市大疆创新科技有限公司 Method for protecting flight control system and circuit
CN108092970B (en) * 2017-12-13 2021-01-15 腾讯科技(深圳)有限公司 Wireless network maintenance method and equipment, storage medium and terminal thereof
CN108882240B (en) * 2018-07-11 2021-08-17 奇安信科技集团股份有限公司 Method and device for realizing network access of mobile equipment
CN110519404B (en) * 2019-08-02 2022-04-26 锐捷网络股份有限公司 SDN-based policy management method and device and electronic equipment
CN113132326B (en) * 2019-12-31 2022-08-09 华为技术有限公司 Access control method, device and system
CN113573316B (en) * 2021-07-15 2024-02-20 中国人民解放军陆军工程大学 Method for temporarily changing private authority of private mobile communication network user
CN114301635B (en) * 2021-12-10 2024-02-23 中国联合网络通信集团有限公司 Access control method, device and server
CN114500395B (en) * 2021-12-29 2023-10-31 联通智网科技股份有限公司 Flow control method, device and equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1630252A (en) * 2003-12-16 2005-06-22 华为技术有限公司 Broadband IP access equipment and method for realizing user log in same equipment
CN101056178A (en) * 2007-05-28 2007-10-17 中兴通讯股份有限公司 A method and system for controlling the user network access right

Also Published As

Publication number Publication date
CN102318314A (en) 2012-01-11
WO2012109854A1 (en) 2012-08-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant