CN103795708A - Terminal access method and system - Google Patents

Terminal access method and system

Publication number: CN103795708A
Application number: CN201310741892.6A
Authority: CN (China)
Prior art keywords: terminal, vlan, port, access, switch
Priority date: 2013-12-27
Filing date: 2013-12-27
Publication date: 2014-05-14
Legal status: Pending (as listed by Google Patents; an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 张凤羽
Current assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd.

Abstract

The invention provides a terminal access method and system. The method comprises the steps of: a) acquiring the link (wiring) state of each port of a switch, the link state being either connected or not connected; b) identifying the link state and, when the link state of a port of the switch is identified as changing from not connected to connected, granting the terminal on that port the right to access a guest VLAN; and c) performing identity authentication on the terminal accessing the guest VLAN; if the terminal passes the identity authentication, it is granted access to a specified VLAN, and if it does not pass, it retains access only to the guest VLAN. The terminal access method and system provided by the invention achieve terminal access control well, are simple to implement, and are low in cost.

Description

Terminal access method and system
Technical field
The present invention relates to a terminal access method and system.
Background art
Network admission control ensures that a user's identity is trusted before the user accesses the network, so that only trusted computers can join the network; this prevents emerging attack techniques such as viruses and worms from harming enterprise security. Through admission control, a customer can allow only legitimate, trusted terminal devices onto the network and deny all other devices.
The common admission technologies at present are the following: 802.1X admission, DHCP admission, gateway-type admission, and ARP admission.
The advantage of 802.1X access control is that, when the switch supports the 802.1X protocol, it genuinely protects the network boundary. Its disadvantage is that it is incompatible with old switches, which must be replaced with new ones; moreover, when a switch without 802.1X enabled is connected downstream of the 802.1X switch, the terminals behind it cannot be subjected to access control.
The advantage of DHCP access control is compatibility with old switches. Its disadvantage is that its control strength is weaker than that of the 802.1X protocol.
Gateway-type access control is not access control in the strict sense. It does not control a terminal's access to the network; it only controls the terminal's traffic leaving to the external network. In addition, gateway-type access control creates a bottleneck at the egress, and a failure there takes the egress down.
ARP access control is implemented by ARP spoofing. ARP spoofing behaves in effect like a covert virus and easily causes network congestion. Because more and more terminals have an ARP firewall installed, ARP access control does not work in that situation.
As described above, the admission technologies in common use today are difficult to deploy: some require customised admission software to be installed on the terminal computer and the terminal to be configured specifically, some require a particular type of switch or gateway device, and some have weak control strength or do not work at all in certain situations. In actual deployment, existing admission systems usually have a long implementation cycle and a high cost.
Summary of the invention
In view of the above problems in the prior art, the present invention proposes a terminal access method and system that achieve low-cost access control with strong control strength without requiring a particular type of switch or gateway device and without installing admission software on the terminal.
The invention provides a terminal access method comprising the following steps:
a) acquiring the link state of each port of a switch, where the link state is either connected or not connected;
b) identifying the link state and, when the link state of a port of the switch is identified as changing from not connected to connected, granting the terminal connected to that port the right to access a guest VLAN;
c) performing identity authentication on the terminal accessing the guest VLAN; if the terminal passes the authentication, granting the terminal the right to access a specified VLAN, and if the terminal does not pass the authentication, granting the terminal only the right to access the guest VLAN.
The present invention also provides a terminal access system, comprising:
a state acquisition module for acquiring the link state of each port of a switch, where the link state is either connected or not connected;
a state recognition module for identifying the link state and, when the link state of a port of the switch is identified as changing from not connected to connected, granting the terminal connected to that port the right to access a guest VLAN;
an authentication module for performing identity authentication on the terminal accessing the guest VLAN; if the terminal passes the authentication, granting it the right to access a specified VLAN, and if it does not pass, granting it only the right to access the guest VLAN.
The terminal access method and system provided by the invention have good network adaptability: no particular switch model is required, as long as the switch has ordinary network management functions and VLAN support; no admission software needs to be installed on the terminal, and the terminal needs no configuration of any kind, yet the network admission function is achieved, so deployment is simple and convenient. With the method and system provided by the invention, access control of terminals is achieved effectively, with a short implementation cycle and low cost.
Brief description of the drawings
Fig. 1 is a flow chart of the terminal access method according to the present invention;
Fig. 2 is a schematic structural diagram of the terminal access system according to the present invention;
Fig. 3 is a connection diagram of the terminal access system according to the present invention, the switch, and the terminal computers.
Embodiments
Embodiments of the present invention are described in detail below with reference to the drawings.
Fig. 1 is a flow chart of the terminal access method according to the present invention. As shown in Fig. 1, the invention provides a terminal access method comprising the following steps:
a) acquiring the link state of each port of a switch, where the link state is either connected or not connected;
b) identifying the link state and, when the link state of a port of the switch is identified as changing from not connected to connected, granting the terminal connected to that port the right to access a guest VLAN;
c) performing identity authentication on the terminal accessing the guest VLAN; if the terminal passes the authentication, granting the terminal the right to access a specified VLAN, and if the terminal does not pass the authentication, granting the terminal only the right to access the guest VLAN.
In step a), each port of the switch may be connected to a terminal. The link state of a port is either connected or not connected: the connected state means that the terminal on the port has powered up and started and is joined to the network, while the not-connected state means that the terminal on the port has not powered up and does not need to join the network. When a new terminal powers up and is to join the network, the link state of the switch port to which it is connected changes from not connected to connected; similarly, when a terminal that was joined to the network powers off and no longer needs the network, the link state of its switch port changes from connected to not connected.
In one embodiment, the link state of each port of the switch is obtained by receiving SNMP trap notifications from the switch. In another embodiment, the link state of each port of the switch is obtained from the switch over SSH, Telnet or SNMP.
In step b), the link state of the switch ports is identified. When the link state of a switch port is identified as changing from not connected to connected, this indicates that the terminal on that port has powered up and joined the network; at this point the terminal is granted the right to access the guest VLAN. Usually the resources on the guest VLAN are very limited: a terminal that only has the right to access the guest VLAN can reach only the limited resources within it and cannot reach resources in other specified VLANs.
Usually, one VLAN ID value is designated as the ID of the guest VLAN. The terminal connected to a port can then be granted the right to access the guest VLAN by configuring the VLAN ID of that port to the ID of the guest VLAN.
In step c), a terminal that has been granted the right to access the guest VLAN can log in to an authentication interface and perform identity authentication; in the authentication interface, information such as a username and password must be entered for authentication. When the terminal passes the authentication, it is granted the right to access the specified VLAN and can thus access the resources in that VLAN. When the terminal does not pass the authentication, it can only remain in the guest VLAN and cannot access other VLANs for which it is not authorised.
In one embodiment, the terminal is allowed to access the specified VLAN by configuring the VLAN ID of the switch port to which the terminal is connected to the ID of the specified VLAN.
With the terminal access method provided by the invention, no particular switch model is required, as long as the switch has ordinary network management functions and VLAN support; no admission software needs to be installed on the terminal and the terminal needs no configuration, yet the network admission function is achieved.
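The three steps above as a runnable simulation (an added example, not code from the patent): the switch, its ports and the credential store are in-memory models with constructed values, where a real controller would receive SNMP linkUp/linkDown traps or poll over SSH/Telnet/SNMP and write the port VLAN back through the same management channel. Returning a port to the guest VLAN on link-down is an assumption the text does not state.

```python
"""Simulated controller for the method's three steps (link state -> guest VLAN ->
authentication -> specified VLAN). Added example, not code from the patent: the switch
is an in-memory model where a real controller would use SNMP traps or SSH/Telnet/SNMP."""
import hashlib
import hmac
import os

GUEST_VLAN = 999       # constructed guest VLAN ID (assumption)
IF_UP, IF_DOWN = 1, 2  # IF-MIB ifOperStatus values: up(1), down(2)


class Switch:
    """Stand-in for a managed switch: per-port link state and access VLAN ID."""

    def __init__(self, ports):
        self.link = {p: IF_DOWN for p in ports}     # step a) source data
        self.pvid = {p: GUEST_VLAN for p in ports}  # every port starts in the guest VLAN

    def set_port_vlan(self, port, vlan_id):
        self.pvid[port] = vlan_id


class Authenticator:
    """Username/password store (salted PBKDF2) mapping each user to an assigned VLAN."""

    def __init__(self):
        self._users = {}  # username -> (salt, digest, assigned_vlan)

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password, assigned_vlan):
        salt = os.urandom(16)
        self._users[username] = (salt, self._digest(salt, password), assigned_vlan)

    def check(self, username, password):
        """Return the user's assigned VLAN on success, None on failure."""
        rec = self._users.get(username)
        if rec is None:
            self._digest(b"\0" * 16, password)  # unknown user costs as much as a bad password
            return None
        salt, digest, vlan = rec
        return vlan if hmac.compare_digest(digest, self._digest(salt, password)) else None


class AccessController:
    """Steps b) and c): react to link changes and move ports between VLANs."""

    def __init__(self, switch, authenticator):
        self.sw = switch
        self.auth = authenticator

    def on_link_event(self, port, oper_status):
        """Consume one link-state change (the payload of a linkUp/linkDown trap)."""
        prev, self.sw.link[port] = self.sw.link[port], oper_status
        if prev == IF_DOWN and oper_status == IF_UP:
            self.sw.set_port_vlan(port, GUEST_VLAN)  # step b): new terminal gets guest VLAN only
        elif prev == IF_UP and oper_status == IF_DOWN:
            # Beyond the text (assumption): revoke on link-down so the next device plugged
            # into this port does not inherit the previous user's specified VLAN.
            self.sw.set_port_vlan(port, GUEST_VLAN)

    def login(self, port, username, password):
        """Step c): authenticate the terminal on a port; return the VLAN the port now carries."""
        if self.sw.link[port] != IF_UP:
            return None  # nothing connected: never move an idle port out of the guest VLAN
        vlan = self.auth.check(username, password)
        if vlan is None:
            self.sw.set_port_vlan(port, GUEST_VLAN)  # failed: stays in the guest VLAN
            return GUEST_VLAN
        self.sw.set_port_vlan(port, vlan)  # passed: port moved to the specified VLAN
        return vlan


def demo():
    """Walk one terminal through the full cycle; return port 1's VLAN after each event."""
    sw, auth = Switch(ports=[1, 2]), Authenticator()
    auth.add_user("alice", "correct-horse", assigned_vlan=10)  # constructed credentials
    ctl = AccessController(sw, auth)
    history = []
    for action in (lambda: ctl.on_link_event(1, IF_UP),             # terminal powers up
                   lambda: ctl.login(1, "alice", "wrong"),          # bad password
                   lambda: ctl.login(1, "alice", "correct-horse"),  # passes authentication
                   lambda: ctl.on_link_event(1, IF_DOWN)):          # terminal powers off
        action()
        history.append(sw.pvid[1])
    return history  # [999, 999, 10, 999]
```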
The present invention also provides a terminal access system; see Figs. 2 and 3. Fig. 2 is a schematic structural diagram of the terminal access system according to the present invention, and Fig. 3 is a connection diagram of the terminal access system, the switch, and the terminal computers.
As shown in Fig. 2, the terminal access system according to the present invention comprises:
a state acquisition module for acquiring the link state of each port of a switch, where the link state is either connected or not connected;
a state recognition module for identifying the link state and, when the link state of a port of the switch is identified as changing from not connected to connected, granting the terminal connected to that port the right to access a guest VLAN;
an authentication module for performing identity authentication on the terminal accessing the guest VLAN; if the terminal passes the authentication, allowing it to access a specified VLAN, and if it does not pass, allowing it to access only the guest VLAN.
The state acquisition module acquires the link state of each port of the switch. The link state is either connected or not connected: the connected state means that the terminal on the port has powered up and started and is joined to the network, while the not-connected state means that the terminal on the port has not powered up and does not need to join the network.
In one embodiment, the state acquisition module obtains the link state of each port of the switch by receiving SNMP trap notifications from the switch. In another embodiment, the state acquisition module obtains the link state of each port of the switch over SSH, Telnet or SNMP.
The state recognition module identifies the link state. When the link state of a switch port is identified as changing from not connected to connected, this indicates that the terminal on that port has powered up and joined the network, and the terminal connected to that port is granted the right to access the guest VLAN. Usually the resources on the guest VLAN are very limited: a terminal that only has the right to access the guest VLAN can reach only the limited resources within it and cannot reach resources in other specified VLANs.
The state recognition module may grant the terminal connected to a port the right to access the guest VLAN by configuring the VLAN ID of that switch port to the ID of the guest VLAN.
The authentication module performs identity authentication on terminals accessing the guest VLAN. For example, the authentication module provides an authentication interface to a terminal that has been granted the right to access the guest VLAN; in that interface the terminal must enter information such as a username and password, and the module authenticates the terminal against that information. When a terminal passes the authentication, the authentication module grants it the right to access the specified VLAN, so that it can access the resources in that VLAN. When the terminal does not pass the authentication, the authentication module leaves it in the guest VLAN only, and it cannot access other VLANs for which it is not authorised.
In one embodiment, when the terminal passes the authentication, the authentication module configures the VLAN ID of the switch port to which the terminal is connected to the ID of the specified VLAN, allowing the terminal to access the specified VLAN.
With the terminal access system provided by the invention, no particular switch model is required and no admission software needs to be installed on the terminal, and low-cost access control with strong control strength is achieved.

Claims (10)

1. A terminal access method, comprising the following steps:
a) acquiring the link state of each port of a switch, where the link state is either connected or not connected;
b) identifying the link state and, when the link state of a port of the switch is identified as changing from not connected to connected, granting the terminal connected to that port the right to access a guest VLAN;
c) performing identity authentication on the terminal accessing the guest VLAN; if the terminal passes the authentication, granting the terminal the right to access a specified VLAN, and if the terminal does not pass the authentication, granting the terminal only the right to access the guest VLAN.
2. The terminal access method according to claim 1, wherein in step a) the link state of each port of the switch is obtained by receiving SNMP trap notifications from the switch.
3. The terminal access method according to claim 1, wherein in step a) the link state of each port of the switch is obtained over SSH, Telnet or SNMP.
4. The terminal access method according to claim 1, wherein in step b) the VLAN ID of the port is configured to the ID of the guest VLAN.
5. The terminal access method according to claim 4, wherein in step c), if the terminal passes the authentication, the VLAN ID of the port is configured to the ID of the specified VLAN so as to allow the terminal to access the specified VLAN.
6. A terminal access system, comprising:
a state acquisition module for acquiring the link state of each port of a switch, where the link state is either connected or not connected;
a state recognition module for identifying the link state and, when the link state of a port of the switch is identified as changing from not connected to connected, granting the terminal connected to that port the right to access a guest VLAN;
an authentication module for performing identity authentication on the terminal accessing the guest VLAN; if the terminal passes the authentication, granting it the right to access a specified VLAN, and if it does not pass, granting it only the right to access the guest VLAN.
7. The terminal access system according to claim 6, wherein
the state acquisition module obtains the link state of each port of the switch by receiving SNMP trap notifications from the switch.
8. The terminal access system according to claim 6, wherein
the state acquisition module obtains the link state of each port of the switch over SSH, Telnet or SNMP.
9. The terminal access system according to claim 8, wherein
the state recognition module configures the VLAN ID of the port to the ID of the guest VLAN.
10. The terminal access system according to claim 6, wherein
the authentication module, when the terminal passes the authentication, configures the VLAN ID of the port to the ID of the specified VLAN so as to allow the terminal to access the specified VLAN.

Priority Applications (1)

Application number: CN201310741892.6A (publication CN103795708A, en)
Priority date: 2013-12-27
Filing date: 2013-12-27
Title: Terminal access method and system

Applications Claiming Priority (1)

CN201310741892.6A (CN103795708A, en), priority date 2013-12-27, filing date 2013-12-27, Terminal access method and system

Publications (1)

Publication number: CN103795708A (true)
Publication date: 2014-05-14

Family

ID=50670994
Family applications (1): CN201310741892.6A, CN103795708A (en), pending, priority date 2013-12-27, filing date 2013-12-27, Terminal access method and system
Country status (1): CN, CN103795708A (en)


Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101068183A (en) * 2007-06-28 2007-11-07 杭州华三通信技术有限公司 Network invitation to enter controlling method and network invitation to enter controlling system
US20080089323A1 (en) * 2006-10-13 2008-04-17 At&T Knowledge Ventures, L.P. System and method for assigning virtual local area networks
CN101222488A (en) * 2007-01-10 2008-07-16 华为技术有限公司 Method and network authentication server for controlling client terminal access to network appliance
CN101227477A (en) * 2008-02-01 2008-07-23 中兴通讯股份有限公司 Method for implementing subscriber terminal access authentication
CN101282254A (en) * 2007-04-02 2008-10-08 华为技术有限公司 Method, system and apparatus for managing household network equipment
CN101299694A (en) * 2007-04-30 2008-11-05 华为技术有限公司 Method and system for managing caller in household network, household gateway
CN101860551A (en) * 2010-06-25 2010-10-13 神州数码网络(北京)有限公司 Multi-user authentication method and system under single access port
CN102340526A (en) * 2010-07-20 2012-02-01 中国联合网络通信集团有限公司 Method and system for issuing directed information and home gateway
CN103475667A (en) * 2013-09-24 2013-12-25 小米科技有限责任公司 Method, device and system for controlling access router


Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106254495A (en) * 2016-08-17 2016-12-21 杭州华三通信技术有限公司 A kind of reorientation method and device
CN106254495B (en) * 2016-08-17 2020-11-06 新华三技术有限公司 Redirection method and device
CN108833362A (en) * 2018-05-23 2018-11-16 邱婧 A kind of equipment access authority control method, apparatus and system
CN108833362B (en) * 2018-05-23 2021-05-07 邱婧 Equipment access authority control method, device and system
CN110611682A (en) * 2019-09-27 2019-12-24 深信服科技股份有限公司 Network access system, network access method and related equipment


Legal Events

Code and title (with details where recorded):
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent of invention or patent application
CB02 Change of applicant information. Address after: 100085 Haidian District East Road, No. three, China control building, floor, floor, 1. Applicants after: Beijing Topsec Software Co., Ltd.; Beijing Topsec Network Safety Technology Co., Ltd.; Beijing Topsec Technology Co., Ltd. Address before: same. Applicants before: Beijing Topsec Software Co., Ltd.; Beijing Topsec Network Safety Technology Co., Ltd.; Beijing Topsec Technology Co., Ltd.
C53 Correction of patent of invention or patent application
CB02 Change of applicant information. Address and applicants before and after as in the preceding entry.
CB02 Change of applicant information. Address after: 100085, room 306, north 3, building seven, 3 East Road, Haidian District, Beijing. Address before: 100085 Haidian District East Road, No. three, China control building, floor, floor, 1. Applicants unchanged: Beijing Topsec Software Co., Ltd.; Beijing Topsec Network Safety Technology Co., Ltd.; Beijing Topsec Technology Co., Ltd.
COR Change of bibliographic data
CB02 Change of applicant information. Address after: 100085 Beijing East Road, No. 1, building No. 306, building on the north side of the floor, room 3, room 3. Address before: 100085, room 306, north 3, building seven, 3 East Road, Haidian District, Beijing. Applicants unchanged.
COR Change of bibliographic data
WD01 Invention patent application deemed withdrawn after publication (application publication date: 20140514)