CN104618268A - Network admission control method, authentication server and terminal

Publication number: CN104618268A
Application number: CN201410844361.4A
Authority: CN (China)
Legal status: Pending (status as listed by Google Patents, which notes that it is an assumption and not a legal conclusion)
Language: Chinese (zh)
Inventor: 朱禄
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Current assignee (as listed; may be inaccurate): Beijing Qianxin Technology Co Ltd
Keywords: terminal, access device, authentication server, message, health check


Abstract

The invention provides a network admission control method, an authentication server and a terminal. In the method, once the authentication server has successfully authenticated the terminal, it performs a health check on the terminal through the access device and decides, according to the result of that health check, which admission control policy for network access to issue for the terminal. In this way the security of terminal network admission can be protected effectively.

Description

Network admission control method, authentication server and terminal
Technical field
The present invention relates to communication technology, and in particular to a network admission control method, an authentication server and a terminal.
Background art
The Trusted Computing Group (TCG) was established in 2003; its members include nearly all mainstream computer software, hardware and network equipment vendors. In May 2004 TCG set up the Trusted Network Connect Sub Group (TNC-SG), which is responsible for researching and formulating the Trusted Network Connection (TNC) framework and its related standards. The main purpose of the TNC framework is to provide a framework made up of a set of protocol specifications that realises an open, multi-vendor network standard, offering functions such as terminal identification, terminal policy authorization, access policy, and assess-isolate-remediate, and thereby to implement trusted network connection.
At present many network admission systems are designed around the TNC flow. However, the TNC flow only specifies some functional modules and some corresponding interfaces, so in a concrete application each network equipment vendor has to define proprietary protocols during implementation, and equipment from different vendors lacks compatibility. For example, network admission based on the 802.1x protocol is implemented through EAP (Extensible Authentication Protocol), which provides good extensibility and adaptability. But the 802.1x protocol performs no compliance check on the terminal that joins the network, so the user's network can be compromised. For this reason most network equipment vendors try to design their own private admission schemes in place of 802.1x, which again leaves equipment from different vendors incompatible.
How to improve the security of user network access based on the 802.1x protocol is therefore a technical problem that currently needs to be solved.
In the prior art the TNC flow only specifies some functional modules and some corresponding interfaces, and gives no concrete implementation for several key technologies (such as the network admission protocol, the transport of health-check information, and terminal control). Since each vendor can only implement these technologies with existing techniques or proprietary protocols, equipment from different vendors lacks compatibility and the cost is higher.
The health check in the embodiments of the present invention is implemented on top of the standard 802.1x protocol. It is therefore independent of any particular vendor when the network is deployed, is compatible with any network device that implements standard 802.1x, and reduces the cost of network deployment.
The 802.1x standard protocol is briefly introduced below.
The 802.1x protocol is widely used in Ethernet networks as a common access control mechanism for LAN ports, and mainly addresses authentication and security in Ethernet. 802.1x is a Port Based Network Access Control Protocol. "Port-based network access control" means that the accessing terminal is authenticated and controlled at the level of the port of the LAN access device: if the terminal connected to the port passes authentication it can access the resources in the LAN; if it does not, it cannot.
802.1x architecture:
An 802.1x system has a typical client/server structure and, as shown in Figure 1, comprises three entities: the client (supplicant), the device (authenticator) and the authentication server.
The client is the entity at one end of the LAN link; it is authenticated by the device at the other end of the link. The client is generally a user terminal, and the user can initiate 802.1x authentication by starting client software. The client must support EAPOL (Extensible Authentication Protocol over LAN).
The device is the entity at the other end of the LAN link, and it authenticates the client connected to it. The device is generally a network device that supports 802.1x; it provides the client with a port for accessing the LAN, and this port may be a physical port or a logical port.
The authentication server is the entity that provides authentication services to the device. It performs authentication, authorization and accounting for users and is generally a RADIUS (Remote Authentication Dial-In User Service) server.
802.1x authentication trigger modes:
The 802.1x authentication process can be initiated by the client or by the device. The device supports two trigger modes: client-initiated and device-initiated. An 802.1x system supports both EAP relay mode and EAP termination mode for completing authentication with the remote authentication server.
It should be noted that in any embodiment of the present invention the terminal may be the client of the 802.1x architecture above; the embodiments are described in terms of the terminal.
In the embodiments of the present invention, when the authentication server has successfully authenticated the terminal, the authentication server performs a health check on the terminal through the access device and, according to the result of the health check, decides which admission control policy for network access to issue for the terminal. This is described in detail below with reference to Figures 2 to 6.
The system architecture to which the network admission control method of the embodiments applies is shown in Figure 2. Its components include the NAC server, the terminal/client and the network device, and no change to the user's network is needed to implement the method. The network device can be any device that supports IEEE 802.1x, so the security of the user's network access can be protected easily and quickly.
In the method of this embodiment, after the authentication server has successfully authenticated the terminal and before it issues the admission control policy, a health check is carried out on the terminal, and the result of the health check determines whether, and which, admission control policy for network access is issued for the terminal. The security of user network access is thereby improved.
Fig. 3 A shows the schematic flow sheet of the network access control method that one embodiment of the invention provides, and as shown in Figure 3A, the network access control method of the present embodiment is as described below.
201, when certificate server is successful to the authentication of terminal, send a notification message to described access device, to make described access device that described notification message is forwarded described terminal, described notification message is used for notifying that described terminal carries out health examination.
In the present embodiment, access device can be switch, core switch as shown in Figure 2 etc., is mainly used in forwarding terminal and the mutual message of certificate server.
In addition, the authentication of certificate server to terminal successfully can be regarded as, and certificate server grants accessing terminal to network, and now, certificate server does not also send to access device the Admission control being used for control terminal access network.
202, receive the health examination message that described access device sends, described health examination message is that described terminal carries out health examination after the described notification message of reception, and the message comprising metric in terminal obtained.
203, according to the health examination message of described terminal, determine to send Admission control for access network to described terminal.
The network access control method of the present embodiment, after certificate server is to the authentication success of terminal, and before certificate server sends Admission control, by access device, health examination is carried out to terminal, according to the result adjustment Admission control of health examination, and then issue Admission control to access device, to realize control terminal access network, the fail safe of user network access can be improved preferably.
Fig. 3 B shows the schematic flow sheet of the network access control method that one embodiment of the invention provides, and as shown in Figure 3 B, the network access control method of the present embodiment is as described below.
301, when certificate server is successful to the authentication of terminal, certificate server sends a notification message to access device, and to make access device that notification message is forwarded described terminal, notification message is used for notification terminal and carries out health examination.
In the present embodiment, access device can be switch, core switch as shown in Figure 2 etc., is mainly used in forwarding terminal and the mutual message of certificate server.
In addition, the authentication of certificate server to terminal successfully can be regarded as, and certificate server grants accessing terminal to network, and now, certificate server does not also send to access device the Admission control being used for control terminal access network.
302, certificate server receives the handshake request that access device sends, described handshake request be described terminal according to described notification message to described certificate server send for representing that this terminal can carry out the request of health examination.
303, certificate server sends healthy inquiry request to described access device, and to make described access device that described healthy inquiry request is forwarded described terminal, described healthy inquiry request checks the metric in described terminal for asking.
304, certificate server receives the response message corresponding with healthy inquiry request that described access device sends, and described response message is the message comprising metric in this terminal that described terminal sends.
For example, if the data volume of metric is larger in terminal, send a response message cannot carry, then metric can be divided into multiple burst metric according to burst mechanism by terminal, and then send multiple sub-response message to certificate server, each sub-response message can carry at least one burst metric, and namely each sub-response message is the message comprising terminal inner indexing amount information.
That is, certificate server also can receive the multiple sub-response message corresponding with healthy inquiry request that described access device sends, and sub-response message described in each is the message comprising the part metric in this terminal that described terminal sends.
Will be understood that, if terminal transmission is sub-response message, in each sub-response message, carry the mark distinguishing every sub-response message, and whether sub-response message sends the mark all completed.
305, certificate server is according to the measure preset, and determines the metric of described response message vacuum metrics information.
Certainly, if certificate server reception is multiple sub-response messages, then certificate server according to the measure preset, can determine the metric of all metrics in all sub-response messages.
306, certificate server determines according to described metric the Admission control making this accessing terminal to network;
307, certificate server sends the Admission control of described terminal to described access device, controls according to described Admission control to make described access device to the network that described terminal accesses.
The network access control method of the present embodiment, after certificate server is to the authentication success of terminal, and before certificate server sends Admission control, by access device, health examination is carried out to terminal, according to the result adjustment Admission control of health examination, and then issue Admission control to access device, to realize control terminal access network, the fail safe of user network access can be improved preferably.
Further, the manufacturer of above-mentioned health examination process and arbitrary network equipment has nothing to do, and has good compatibility, without the need to revising the existing network environment of end side in implementation procedure, can save cost preferably.
In concrete implementation procedure, after abovementioned steps 304, the method shown in Fig. 3 also can comprise following not shown step 304a.
Described acknowledge message, to the acknowledge message of response message described in described access device transmission and reception, is sent described terminal to make described access device by 304a, certificate server.
In addition, if certificate server receives the sub-response message that access device forwards, then this certificate server can receive a sub-response message, is forwarded the acknowledge message of this sub-response message by access device to terminal, so that terminal knows that certificate server confirms to receive the sub-response message of transmission.
In addition, if certificate server needs to carry out MHC to terminal, the i.e. inspection of multinomial metric, now, method shown in Fig. 3 can before step 306, repeat the process of step 303 to step 305, and this repetition step 303 and step 305 are the metrics for obtaining another metric in terminal.
Correspondingly, abovementioned steps 306 can be specially: certificate server determines according to all metrics corresponding with this terminal the Admission control making this accessing terminal to network.
That is, in a particular application, if described certificate server needs the inspection described terminal being carried out to multinomial metric, then described certificate server is after determining described metric, repeat to send for asking the step of the healthy inquiry request checking another metric in described terminal namely to repeat above-mentioned step 303 to step 305 to described access device, to obtain multinomial metric;
Correspondingly, above-mentioned steps 306 can be the Admission control that all metrics corresponding according to described terminal determine making this accessing terminal to network.
Thus, certificate server can send the Admission control of this terminal to access device, control according to Admission control to make access device to the network that terminal accesses.
An example of the health query request (Request-Health) of step 303, in XML form, is given below:
The health query request in this example is used to query the antivirus software present on the terminal through WMI: the body is a WQL (SQL-like) statement, and AntiSpywareProduct is a WMI class that Windows WMI itself defines.
The health query request in this embodiment can be modified according to actual needs; the example is illustrative only.
The network admission control method of this embodiment allows the terminal to be health-checked flexibly and the measurement information in the terminal to be collected transparently, so the security of the terminal's network access can be protected effectively.
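The request above puts a query statement, chosen by the server, into the hands of an agent that runs it on the endpoint, so the terminal side should decide which WMI classes it is willing to answer for before executing anything. The following Python is an added illustration and is not the patent's XML or the applicant's code: the element names of the envelope, the namespace string root/SecurityCenter2, the allowlist and the stand-in WMI data are all assumptions, chosen only to show a Request-Health with a WQL body against AntiSpywareProduct being built, parsed and gated.

```python
"""Health query request (Request-Health) of step 303 carrying a WQL body against the
Windows WMI class AntiSpywareProduct, plus the terminal-side check that gates running it.
Added example: the XML element names, the namespace string and the allowlist are
assumptions, not the patent's own format, and the WMI data below is constructed."""
import re
import xml.etree.ElementTree as ET


def build_health_request(req_id, namespace, wql):
    """Server side: wrap a WQL statement in the (assumed) request envelope."""
    root = ET.Element("request", {"type": "health", "id": str(req_id)})
    wmi = ET.SubElement(root, "wmi", {"namespace": namespace})
    ET.SubElement(wmi, "body").text = wql
    return ET.tostring(root, encoding="utf-8")


# Terminal policy: the server may only read these classes, whatever it puts in the body.
# WMI names are case-insensitive, so the allowlist is kept in lower case.
ALLOWED_CLASSES = {
    ("root/securitycenter2", "antispywareproduct"),
    ("root/securitycenter2", "antivirusproduct"),
}

# Only the read-only "SELECT cols FROM class" shape is accepted: no WHERE, joins or methods.
_WQL = re.compile(r"^\s*SELECT\s+(\*|\w+(?:\s*,\s*\w+)*)\s+FROM\s+(\w+)\s*$", re.IGNORECASE)


def parse_health_request(raw):
    """Terminal side: validate the envelope and reduce the WQL to (class, columns)."""
    root = ET.fromstring(raw)  # ElementTree does not resolve external entities
    if root.tag != "request" or root.get("type") != "health":
        raise ValueError("not a health request")
    wmi = root.find("wmi")
    body = wmi.find("body") if wmi is not None else None
    if body is None or not body.text:
        raise ValueError("missing WQL body")
    m = _WQL.match(body.text)
    if not m:
        raise ValueError("WQL body is not a plain SELECT ... FROM <class>")
    cols = ["*"] if m.group(1) == "*" else [c.strip() for c in m.group(1).split(",")]
    return {
        "id": root.get("id"),
        "namespace": (wmi.get("namespace") or "").replace("\\", "/"),
        "class": m.group(2),
        "columns": cols,
    }


def run_health_request(req, wmi_backend):
    """Terminal side: enforce the allowlist, then answer from the WMI stand-in."""
    key = (req["namespace"].lower(), req["class"].lower())
    if key not in ALLOWED_CLASSES:
        raise PermissionError("query against %s/%s refused by terminal policy"
                              % (req["namespace"], req["class"]))
    rows = wmi_backend.get(key, [])
    if req["columns"] == ["*"]:
        return [dict(r) for r in rows]
    return [{c: r.get(c) for c in req["columns"]} for r in rows]


# Constructed stand-in for the WMI service, keyed like ALLOWED_CLASSES, so this runs off Windows.
FAKE_WMI = {
    ("root/securitycenter2", "antispywareproduct"): [
        {"displayName": "Windows Defender", "productState": 397568},
    ],
}
```

The allowlist is the security-relevant part: without it, anyone able to speak the server's side of this exchange could read any WMI class the agent's account can reach. If the XML may come from a hostile source, parse it with defusedxml rather than plain ElementTree.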
Figure 4 is a signalling diagram of the network admission control method provided by one embodiment of the invention. As shown in Figure 4, the method is as follows.
The authentication of the terminal by the NAC server proceeds as follows:
401. The terminal sends an EAPoL-Start message (the EAP start message) to the access device (for example a switch) to begin 802.1x authentication;
402. The access device sends an EAP-Request/Identity message (user name request) to the terminal, asking the terminal for the user name with which it accesses the network;
403. On receiving the EAP-Request/Identity message, the terminal replies to the access device with an EAP-Response/Identity message containing its user name;
404. The access device encapsulates the received EAP-Response/Identity message and sends it to the NAC server, that is, the authentication server;
405. From the encapsulated EAP-Response/Identity message the NAC server generates a Request Challenge message (access challenge) and sends it to the terminal through the access device;
406. The access device forwards the Request Challenge to the terminal so that the terminal can authenticate according to it;
407. On receiving the Request Challenge message, the terminal generates a Response Challenge (response message) containing the password proof (for challenge-based EAP methods such as EAP-MD5 this is a hash over the challenge and the password rather than the password itself) and sends it to the access device;
408. The access device forwards the Response Challenge to the NAC server, so that the NAC server can authenticate the terminal according to the terminal's user name and the password proof in the Response Challenge.
409. From the terminal's user name and password the NAC server determines whether the terminal is legitimate.
If the NAC server determines that the terminal is legitimate, authentication succeeds and step 410 is performed; otherwise authentication fails, the authentication flow ends, and the health-check process below is not carried out.
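Steps 402 to 409 are ordinary EAP (RFC 3748) traffic; the Request Challenge and Response Challenge of steps 405 to 408 are what an EAP-MD5-Challenge exchange looks like, where the terminal proves the password by returning MD5(Identifier || password || challenge) as in RFC 1994 CHAP. The Python below is an added example, not the patent's code or the applicant's, showing those packets being built and the proof being checked on the NAC server; the user database, password and fixed challenge are constructed (a real server draws each challenge from os.urandom).

```python
"""Steps 402-409 of Figure 4 as EAP packets (RFC 3748): EAP-Request/Identity,
EAP-Response/Identity, then an MD5-Challenge request and response, with the proof
computed as RFC 1994 CHAP does and verified on the NAC server.  Added example, not
the patent's code; the user table, password and fixed challenge are constructed."""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4


def eap_pack(code, identifier, eap_type=None, type_data=b""):
    """Code(1) Identifier(1) Length(2) [Type(1) Type-Data]; Success/Failure carry no Type."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def eap_unpack(pkt):
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 4:
        raise ValueError("EAP Length does not match the packet")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, identifier, None, b""
    return code, identifier, pkt[4], pkt[5:]


def md5_challenge_proof(identifier, password, challenge):
    """RFC 1994 section 4.1: MD5(Identifier || secret || Challenge); EAP-MD5 uses this exactly."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def md5_type_data(value, name=b""):
    """MD5-Challenge Type-Data: Value-Size(1) Value Name."""
    return bytes([len(value)]) + value + name


def split_md5_type_data(type_data):
    size = type_data[0]
    return type_data[1:1 + size], type_data[1 + size:]


# ---- NAC server (steps 405 and 409)
def server_challenge(identifier, challenge=None):
    challenge = challenge if challenge is not None else os.urandom(16)
    return challenge, eap_pack(EAP_REQUEST, identifier, TYPE_MD5_CHALLENGE, md5_type_data(challenge))


def server_verify(users, identity, challenge, response_pkt):
    code, identifier, eap_type, type_data = eap_unpack(response_pkt)
    if code != EAP_RESPONSE or eap_type != TYPE_MD5_CHALLENGE:
        return False
    proof, _name = split_md5_type_data(type_data)
    password = users.get(identity)
    if password is None:
        return False
    return hmac.compare_digest(proof, md5_challenge_proof(identifier, password, challenge))


# ---- terminal (steps 403 and 407)
def terminal_identity(identifier, identity):
    return eap_pack(EAP_RESPONSE, identifier, TYPE_IDENTITY, identity.encode())


def terminal_respond(request_pkt, identity, password):
    code, identifier, eap_type, type_data = eap_unpack(request_pkt)
    if code != EAP_REQUEST or eap_type != TYPE_MD5_CHALLENGE:
        raise ValueError("expected an MD5-Challenge request")
    challenge, _ = split_md5_type_data(type_data)
    proof = md5_challenge_proof(identifier, password, challenge)
    return eap_pack(EAP_RESPONSE, identifier, TYPE_MD5_CHALLENGE, md5_type_data(proof, identity.encode()))


def run_exchange(users, identity, password, challenge=b"\x11" * 16):
    """Steps 402-409 end to end; returns (authenticated, EAP-Success or EAP-Failure packet)."""
    identity_request = eap_pack(EAP_REQUEST, 1, TYPE_IDENTITY)            # 402, access device -> terminal
    _, _, _, claimed = eap_unpack(terminal_identity(1, identity))         # 403/404
    chal, req = server_challenge(2, challenge)                            # 405/406
    resp = terminal_respond(req, identity, password)                      # 407/408
    ok = server_verify(users, claimed.decode(), chal, resp)               # 409
    return ok, eap_pack(EAP_SUCCESS if ok else EAP_FAILURE, 2)
```

Two points follow from the code. The server's check is a comparison against a value it can recompute, so the password (or its equivalent) must be stored on the NAC server; and the proof is an unsalted MD5 over a short secret, so anyone capturing the exchange can run an offline dictionary attack, and EAP-MD5 authenticates only the terminal, never the server. The health check that follows inherits exactly that level of trust, which is why deployments normally carry it inside EAP-TLS or PEAP.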
After authentication has succeeded, the health check of the terminal by the NAC server proceeds as follows:
410. The NAC server sends a notification message (Result) to the access device; the notification message instructs the terminal to perform a health check;
411. The access device forwards the notification message to the terminal;
412. On receiving the notification message, the terminal sends a handshake request (Health Handshake) to the access device according to the notification message; the handshake request indicates that the terminal is ready to perform a health check;
413. The access device forwards the handshake request to the NAC server;
414. On receiving the handshake request, the NAC server sends a health query request (Request Health) to the access device; the health query request asks the terminal to check a measurement item;
For example, the measurement item may be a query for information on Xq.exe in the registry, or a query for Trojan information in a folder, and so on; this embodiment is illustrative only and does not limit the content of the measurement item.
415. The access device forwards the health query request to the terminal.
416. On receiving the health query request, the terminal collects the measurement information in the terminal according to the health query request and sends a response message (Response Health) containing the collected measurement information to the access device.
For example, if the measurement information is very large, the terminal can split the collected measurement information into several fragments according to a fragmentation mechanism, generate a sub-response message for each fragment, and send each sub-response message to the access device.
417. The access device forwards the response message to the NAC server.
418. On receiving the response message, the NAC server sends an acknowledgement of the response message to the access device, which forwards the acknowledgement to the terminal.
419. According to preset measurement rules, the NAC server determines the measurement value of the measurement information in the response message and, according to the measurement value, determines the admission control policy under which this terminal may access the network.
420. The NAC server sends the terminal's admission control policy to the access device.
421. The access device sends an authentication success message to the terminal and then controls the network accessed by the terminal according to the admission control policy.
For example, the admission control policy can include the information that has to be delivered to the access device after authentication succeeds, such as negotiated parameters and the service attributes associated with the terminal.
In the method of this embodiment, the access device receives the terminal's login message and forwards it to the NAC server; the NAC server first authenticates the terminal's login; when authentication succeeds, the NAC server issues a health-check request for the terminal, obtains the measurement information from the terminal, performs a compliance check on the terminal according to the configured health-check rules (the preset measurement rules), and issues the corresponding admission control policy to the access device according to the result of the check. The method disclosed in this embodiment improves the flexibility and convenience of health-check configuration and ensures network admission compliance and the security of users' access to the network.
It will be understood that the method of the above embodiments inserts the health-check process at the end of 802.1x user authentication and before the authentication server issues the authentication result. The NAC server can therefore store a measurement value for every health-check item of the terminal, judge the terminal's final network access request on the basis of all those measurement values, and issue the corresponding admission control policy to the access device.
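The health-check exchange is described three times on this page, as steps 301 to 307 with 304a (Figure 3B), as steps 410 to 421 (Figure 4), and again from the access device's and the terminal's point of view in Figures 5 and 6. The Python below is a single added example covering all of them, not the patent's protocol encoding: a NAC server object and a terminal object exchange dict messages through a forward() function that stands in for the access device, with the fragment size, the per-fragment acknowledgement, the multi-item loop, the preset measurement rules and the terminal's inventory all constructed for the example.

```python
"""Health-check exchange of steps 410-421 in Figure 4 (steps 301-307 with 304a in Figure
3B; the per-device views of Figures 5 and 6), simulated in one process.  Added example,
not the patent's own protocol: the message fields, the fragment size, the measurement
rules and the terminal's inventory are assumptions constructed for illustration."""
import json

MAX_FRAGMENT = 32  # characters of measurement payload per sub-response message (assumed)

# Preset measurement rules (steps 305/419): item -> (compliance predicate, points if compliant)
MEASUREMENT_RULES = {
    "antispyware": (lambda d: any(p.get("enabled") for p in d), 50),
    "registry_xq": (lambda d: d == [], 30),          # compliant when no Xq.exe registry entry
    "trojan_scan": (lambda d: d.get("hits", 1) == 0, 20),
}


def admission_policy(total):
    """Steps 306/419: map the summed measurement values to an admission control policy."""
    if total >= 100:
        return {"vlan": "100", "filter": "full-access"}
    if total >= 50:
        return {"vlan": "200", "filter": "remediation-only"}
    return {"vlan": "999", "filter": "quarantine"}


# Constructed stand-in for what WMI, the registry and a scanner would return on the terminal.
INVENTORY = {
    "antispyware": [{"displayName": "Windows Defender", "enabled": True}],
    "registry_xq": [],
    "trojan_scan": {"hits": 0},
}


class Terminal:
    def __init__(self, inventory):
        self.inventory = inventory

    def on_notify(self, msg):                          # 411 -> 412
        return {"type": "Health Handshake"}

    def on_request(self, msg):                         # 415 -> 416, fragmenting large data
        payload = json.dumps(self.inventory.get(msg["item"]))
        chunks = [payload[i:i + MAX_FRAGMENT] for i in range(0, len(payload), MAX_FRAGMENT)]
        return [{"type": "Response Health", "item": msg["item"], "seq": i,
                 "last": i == len(chunks) - 1, "data": c} for i, c in enumerate(chunks)]


class NacServer:
    def __init__(self, items):
        self.items = items           # measurement items to check (MHC: several per terminal)
        self.buffers = {}            # item -> {seq: fragment}
        self.last_seq = {}           # item -> seq that carried the "last" flag
        self.scores = {}             # item -> measurement value; an item never completed scores 0

    def on_response(self, msg):                        # 417 -> 418 (ack) and 419 (score)
        item, seq = msg["item"], msg["seq"]
        buf = self.buffers.setdefault(item, {})
        buf.setdefault(seq, msg["data"])               # duplicate fragments are ignored but still acked
        if msg["last"]:
            self.last_seq[item] = seq
        n = self.last_seq.get(item)
        if n is not None and all(i in buf for i in range(n + 1)) and item not in self.scores:
            collected = json.loads("".join(buf[i] for i in range(n + 1)))
            check, points = MEASUREMENT_RULES.get(item, (lambda d: False, 0))
            try:
                compliant = bool(check(collected))
            except Exception:                          # malformed data from the terminal fails closed
                compliant = False
            self.scores[item] = points if compliant else 0
        return {"type": "Ack", "item": item, "seq": seq}

    def decide(self):
        return admission_policy(sum(self.scores.values()))


def forward(msg):
    """Access device (steps 411/413/415/417/420): relays the message unchanged."""
    return dict(msg)


def run_health_check(server, terminal):
    """Whole exchange after successful authentication; returns (policy, message to terminal)."""
    handshake = forward(terminal.on_notify(forward({"type": "Result", "health_check": True})))
    if handshake["type"] != "Health Handshake":
        raise RuntimeError("terminal did not agree to a health check")
    for item in server.items:                          # repeat 414-418 once per measurement item
        for frag in terminal.on_request(forward({"type": "Request Health", "item": item})):
            ack = server.on_response(forward(frag))
            if ack["seq"] != frag["seq"]:
                raise RuntimeError("acknowledgement does not match fragment")
    policy = server.decide()                           # 419
    return policy, {"type": "Authentication Success", "policy": forward(policy)}  # 420-421
```

The server only scores an item once every fragment up to the one flagged last has arrived, and an item that never completes, or whose data does not fit the rule, contributes nothing, so the decision fails closed toward quarantine. Nothing in these messages authenticates the terminal's answers; they are trustworthy only to the extent the EAP conversation they ride in is.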
Figure 5 is a flow chart of the network admission control method provided by one embodiment of the invention, seen from the access device. As shown in Figure 5, the method is as follows.
501. When the authentication server has successfully authenticated the terminal, the access device receives the notification message sent by the authentication server and sends it to the terminal; the notification message instructs the terminal to perform a health check;
502. The access device receives the handshake request that the terminal sends according to the notification message, and sends the handshake request to the authentication server; the handshake request indicates that the terminal is ready to perform a health check;
503. The access device receives the health query request sent by the authentication server and sends it to the terminal; the health query request asks the terminal to check a measurement item;
504. The access device receives, from the terminal, the response message corresponding to the health query request and sends it to the authentication server; the response message contains the measurement information collected in the terminal.
Alternatively, the access device may receive from the terminal several sub-response messages corresponding to the health query request and send all of them to the authentication server, each sub-response message containing part of the measurement information of the terminal.
That is, when the measurement information in the terminal is very large, the terminal can divide the collected measurement information among the sub-response messages according to a fragmentation mechanism.
505. The access device receives the terminal's admission control policy from the authentication server and controls the network accessed by the terminal according to that policy. The admission control policy is determined by the authentication server according to the terminal's measurement value, which the authentication server obtains, according to preset measurement rules, from the measurement information in the response message.
It should be noted that the authentication server can determine the policy according to all the measurement values of this terminal.
Alternatively, after step 504 and before step 505 in Figure 5, the method may further include step 504a, which is not shown in Figure 5:
504a. The access device receives the acknowledgement that the authentication server sends for the response message, and sends the acknowledgement to the terminal;
For example, the access device receives the acknowledgement that the authentication server sends for a sub-response message, and sends that acknowledgement to the terminal.
The network admission control method of this embodiment can effectively protect the security and the compliance of the terminal's network access.
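The page does not say how the admission control policy of step 505 is encoded on the wire between the authentication server and the access device; since the authentication server is generally a RADIUS server, the natural vehicle is the attribute list of a RADIUS Access-Accept (RFC 2865), with the VLAN assignment carried in the tunnel attributes of RFC 2868 as applied to 802.1x by RFC 3580 and an ACL name in Filter-Id. The Python below is an added example showing that encoding and the check the switch performs before applying it; it is not the patent's code, the use of RADIUS attributes for this patent's policy is an assumption, and the shared secret, identifier, request authenticator and VLAN values are constructed.

```python
"""Carrying the admission control policy of step 505/420 to the access device as a RADIUS
Access-Accept (RFC 2865) with the VLAN tunnel attributes of RFC 2868/3580 and Filter-Id.
Added example; that the patent's policy travels as RADIUS attributes is an assumption,
and the secret, identifier, request authenticator and VLAN values are constructed."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_FILTER_ID, ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM, ATTR_TUNNEL_PRIV_GROUP = 11, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6


def attr(atype, value):
    """Type(1) Length(1) Value; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def tagged_int(value, tag=1):
    """RFC 2868 tagged integer: Tag(1) followed by a 3-octet value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def tagged_str(s, tag=1):
    return bytes([tag]) + s.encode()


def policy_attributes(policy):
    """policy = {"vlan": "100", "filter": "full-access"}, as the admission decision produces."""
    return (attr(ATTR_TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
            + attr(ATTR_TUNNEL_MEDIUM, tagged_int(TUNNEL_MEDIUM_802))
            + attr(ATTR_TUNNEL_PRIV_GROUP, tagged_str(policy["vlan"]))
            + attr(ATTR_FILTER_ID, policy["filter"].encode()))


def access_accept(identifier, request_auth, secret, attributes):
    """Server side.  RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(head + request_auth + attributes + secret).digest()
    return head + resp_auth + attributes


def parse_attributes(blob):
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute")
        out.append((atype, blob[i + 2:i + alen]))
        i += alen
    return out


def verify_and_extract(pkt, request_auth, secret):
    """Access-device side: check the Response Authenticator, then pull out VLAN and filter.
    Returns None when the packet is not an authentic Access-Accept for this request."""
    if len(pkt) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or code != ACCESS_ACCEPT:
        return None
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return None
    policy = {}
    for atype, val in parse_attributes(pkt[20:]):
        if atype == ATTR_TUNNEL_PRIV_GROUP:
            # RFC 2868: a first octet above 0x1F is part of the string, not a tag
            policy["vlan"] = (val[1:] if val and val[0] <= 0x1F else val).decode()
        elif atype == ATTR_FILTER_ID:
            policy["filter"] = val.decode()
    return policy
```

The Response Authenticator binds the attributes to the shared secret and to the request it answers, so a forged or altered Access-Accept is dropped rather than applied to the port. It is an MD5 construction keyed with a static secret and provides no confidentiality, so the switch-to-server leg should stay on a protected management network or use RADIUS over TLS (RFC 6614).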
Fig. 6 A shows the schematic flow sheet of the network access control method that one embodiment of the invention provides, and as shown in Figure 6A, the network access control method of the present embodiment is as described below.
S01, when certificate server is to the authentication of terminal success, described terminal receives the notification message that access device sends, described notification message is that described certificate server is sent to described access device, for notifying that described terminal carries out the message of health examination;
S02, terminal carry out health examination according to the described notification message received, and obtain the health examination message comprising metric in terminal, and described health examination message is sent described certificate server by described access device.
For example, terminal can send handshake request according to described notification message to described access device, and to make described access device that described handshake request is forwarded described certificate server, described handshake request is represent that this terminal can carry out the request of health examination;
The healthy inquiry request that the described certificate server that described terminal receives the forwarding of described access device sends according to described handshake request, described healthy inquiry request checks the metric in described terminal for asking;
Described terminal obtains the metric in this terminal according to described health-check request, and sends the response message comprising described metric to described access device, to make described access device, described response message is sent described certificate server.
Or described terminal obtains the metric in this terminal according to described health-check request, be multiple burst metrics according to burst mechanism by described metric cutting; Send the sub-response message comprising described burst metric to described access device, sub-response message described in each comprises a described burst metric, to make described access device, described response message is sent described certificate server.
The network access control method of the present embodiment can realize carrying out health examination to terminal flexibly, and can metric pellucidly in collection terminal, the fail safe of available protecting terminal network access.
Fig. 6B shows a schematic flow chart of the network admission control method provided by one embodiment of the invention. As shown in Fig. 6B, the network admission control method of this embodiment is as follows.
601. When the authentication server has authenticated the terminal successfully, the terminal receives a notification message sent by the access device; the notification message is a message that the authentication server sends to the access device for notifying the terminal to perform a health check;
602. The terminal sends a handshake request to the access device according to the notification message, so that the access device forwards the handshake request to the authentication server; the handshake request indicates that this terminal can perform a health check;
603. The terminal receives, forwarded by the access device, the health query request that the authentication server sends according to the handshake request; the health query request asks to check the measurement information on the terminal;
604. The terminal obtains the measurement information on this terminal according to the health query request and sends a response message containing the measurement information to the access device, so that the access device sends the response message to the authentication server;
605. The terminal receives the authentication success message sent by the access device; the authentication success message is sent after the access device receives the admission control policy for the terminal sent by the authentication server; the admission control policy is determined by the authentication server according to the measurement value of the terminal, and the measurement value of the terminal is the value that the authentication server obtains, according to a preset measure, from the measurement information in the response message.
The network admission control method of this embodiment can perform a health check on the terminal flexibly and collect the measurement information on the terminal transparently, effectively protecting the security of the terminal's network access.
For example, sending the response message containing the measurement information to the access device in step 604 above may specifically be:
The terminal splits the measurement information into multiple measurement-information fragments according to a fragmentation mechanism, and sends sub-response messages containing the fragments to the access device, each sub-response message containing one fragment.
In one possible implementation, before step 605 above, the method shown in Fig. 6 further comprises a step 604a (not shown):
604a. The terminal receives an acknowledgement message for the response message, sent by the access device; the acknowledgement message is sent to the access device after the authentication server receives the response message.
The method can be based on the IEEE 802.1x authentication protocol, is independent of any particular network-device vendor, has good compatibility with network equipment, and can be implemented without modifying the user's existing network environment, which saves the user considerable cost. At the same time, the security of the user's network access can be effectively protected.
Fig. 7 shows a schematic structural diagram of the authentication server provided by one embodiment of the invention. As shown in Fig. 7, the authentication server of this embodiment comprises a health check unit 71 and a determining unit 72;
The health check unit 71 is configured to perform a health check on the terminal through the access device when the terminal has been authenticated successfully;
The determining unit 72 is configured to determine, according to the result from the health check unit 71, the admission control policy for network access to be sent to the terminal.
In a specific application, the health check unit 71 may be specifically configured to send a notification message to the access device, so that the access device forwards the notification message to the terminal, the notification message notifying the terminal to perform a health check;
and to receive the health check message sent by the access device; the health check message is the message containing the measurement information on the terminal that the terminal obtains by performing a health check after receiving the notification message.
In another specific example, the health check unit 71 is specifically configured to send a notification message to the access device, so that the access device forwards the notification message to the terminal, the notification message notifying the terminal to perform a health check;
to receive the handshake request sent by the access device, the handshake request being sent by the terminal to the authentication server according to the notification message to indicate that this terminal can perform a health check;
to send a health query request to the access device, so that the access device forwards the health query request to the terminal, the health query request asking to check the measurement information on the terminal;
and to receive the response message corresponding to the health query request sent by the access device, the response message being a message sent by the terminal containing the measurement information on this terminal; or to receive multiple sub-response messages corresponding to the health query request sent by the access device, each sub-response message being a message sent by the terminal containing part of the measurement information on this terminal.
Optionally, the health check unit 71 may also be configured to send to the access device an acknowledgement message for the received response message, so that the access device sends the acknowledgement message to the terminal;
or to send to the access device an acknowledgement message for each received sub-response message, so that the access device sends the acknowledgement message to the terminal.
In one possible implementation, the determining unit 72 may be specifically configured to determine, according to a preset measure, the measurement value of the measurement information in the response message, or the measurement value of all the measurement information in all the sub-response messages, and to determine according to the measurement value the admission control policy for this terminal's network access;
and to send the admission control policy for the terminal to the access device, so that the access device controls the network accessed by the terminal according to the admission control policy.
If the authentication server needs to check multiple items of measurement information on the terminal, then after determining the measurement value the authentication server repeatedly obtains the measurement values of the terminal's further measurement information; in that case the determining unit may also be specifically configured to determine, according to all the measurement values corresponding to the terminal, the admission control policy for this terminal's network access;
and to send the admission control policy for the terminal to the access device, so that the access device controls the network accessed by the terminal according to the admission control policy.
The authentication server in this embodiment can perform the flow in the method embodiments above, which is not described again here.
The authentication server of this embodiment can effectively protect the security of the terminal's network access and the compliance of the terminal's network access.
Fig. 8 shows a schematic structural diagram of the access device provided by one embodiment of the invention. As shown in Fig. 8, the access device of this embodiment comprises a receiving unit 81 and a sending unit 82:
The receiving unit 81 is configured to receive, when the authentication server has authenticated the terminal successfully, the notification message sent by the authentication server, the notification message notifying the terminal to perform a health check;
The sending unit 82 is configured to send the notification message received by the receiving unit 81 to the terminal;
The receiving unit 81 is further configured to receive the handshake request that the terminal sends according to the notification message, the handshake request indicating that this terminal can perform a health check;
The sending unit 82 is further configured to send the handshake request to the authentication server;
The receiving unit 81 is further configured to receive the health query request sent by the authentication server, the health query request asking to check the measurement information on the terminal;
The sending unit 82 is further configured to send the health query request to the terminal;
The receiving unit 81 is further configured to receive the response message corresponding to the health query request sent by the terminal;
The sending unit 82 is further configured to send the response message to the authentication server, the response message being a message containing the measurement information on this terminal;
The receiving unit 81 is further configured to receive the admission control policy for the terminal sent by the authentication server and to control the network accessed by the terminal according to the admission control policy; the admission control policy is determined by the authentication server according to the measurement value of the terminal, and the measurement value of the terminal is the value that the authentication server obtains, according to a preset measure, from the measurement information in the response message.
Optionally, the receiving unit 81 is further configured to receive the acknowledgement message that the authentication server sends according to the response message, and to send the acknowledgement message to the terminal.
The access device in this embodiment can perform the flow in the method embodiments above, which is not described again here.
The access device of this embodiment, in combination with the authentication server, can effectively protect the security and compliance of the terminal's network access.
Fig. 9 shows a schematic structural diagram of the terminal provided by one embodiment of the invention. As shown in Fig. 9, the terminal of this embodiment comprises a receiving unit 91 and a health check unit 92;
The receiving unit 91 is configured to receive, when the authentication server has authenticated the terminal successfully, the notification message sent by the access device; the notification message is a message that the authentication server sends to the access device for notifying the terminal to perform a health check;
The health check unit 92 is configured to perform a health check according to the received notification message, obtain a health check message containing the measurement information on the terminal, and send the health check message to the authentication server through the access device.
In a specific application, the health check unit 92 is specifically configured to send a handshake request to the access device according to the notification message, so that the access device forwards the handshake request to the authentication server, the handshake request indicating that this terminal can perform a health check;
to receive, forwarded by the access device, the health query request that the authentication server sends according to the handshake request, the health query request asking to check the measurement information on the terminal;
and to obtain the measurement information on this terminal according to the health query request and send a response message containing the measurement information to the access device, so that the access device sends the response message to the authentication server.
In another specific example, the health check unit 92 may also be specifically configured to send a handshake request to the access device according to the notification message, so that the access device forwards the handshake request to the authentication server, the handshake request indicating that this terminal can perform a health check;
to receive, forwarded by the access device, the health query request that the authentication server sends according to the handshake request, the health query request asking to check the measurement information on the terminal;
and to obtain the measurement information on this terminal according to the health query request, split the measurement information into multiple fragments according to a fragmentation mechanism, and send sub-response messages containing the fragments to the access device, each sub-response message containing one fragment, so that the access device sends all the sub-response messages to the authentication server.
Optionally, the receiving unit 91 is further configured to receive the acknowledgement message for the response message sent by the access device; the acknowledgement message is sent to the access device after the authentication server receives the response message.
Alternatively, the receiving unit 91 is further configured to receive the authentication success message sent by the access device; the authentication success message is sent after the access device receives the admission control policy for the terminal sent by the authentication server; the admission control policy is determined by the authentication server according to the measurement value of the terminal, and the measurement value of the terminal is the value that the authentication server obtains, according to a preset measure, from the measurement information in the response message.
The terminal in this embodiment can perform the flow in the method embodiments above, which is not described again here.
The terminal of this embodiment has a health check performed on it by the authentication server during the authentication process, so the security and compliance of the terminal's network access can be effectively protected.
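The exchange described in steps 601 to 605 of Fig. 6B, including the fragmentation of step 604, the acknowledgement of step 604a, and the one-query-per-item loop the authentication server (Fig. 7) runs when it checks several measurement items, as an added Python simulation. This is illustrative code written for this page, not code from the patent or its assignee. The message field names, FRAGMENT_SIZE, the three measurement items, the PRESET_MEASURES functions and the allow/deny rule are all assumptions; the patent specifies no wire format.

```python
"""Three-party health-check exchange: authentication server <-> access device <-> terminal.

Constructed example. FRAGMENT_SIZE, PRESET_MEASURES, the message 'type' names
and the allow/deny rule are assumptions, not the patent's own format.
"""

FRAGMENT_SIZE = 8  # assumed size of one measurement-information fragment

# Assumed "preset measures": each turns the raw measurement information
# reported for an item into a measurement value (here a pass/fail bool).
PRESET_MEASURES = {
    "av_signature_age_days": lambda raw: int(raw) <= 7,
    "os_patch_level": lambda raw: raw >= "2014-12",
    "disk_encryption": lambda raw: raw == "enabled",
}


class Terminal:
    """The terminal side of steps 601-605."""

    def __init__(self, measurements):
        self.measurements = measurements  # raw measurement information (constructed)
        self.log = []
        self.policy = None

    def on_notification(self):
        # Step 602: answer the notification with a handshake request.
        self.log.append("notification")
        return {"type": "handshake"}

    def on_health_query(self, item):
        # Step 604 with fragmentation: split the raw value into sub-response messages.
        raw = self.measurements.get(item, "")
        chunks = [raw[i:i + FRAGMENT_SIZE] for i in range(0, len(raw), FRAGMENT_SIZE)] or [""]
        return [{"type": "sub_response", "item": item, "seq": n,
                 "total": len(chunks), "data": chunk}
                for n, chunk in enumerate(chunks)]

    def on_ack(self, item):            # step 604a
        self.log.append("ack:" + item)

    def on_auth_success(self, policy):  # step 605
        self.policy = policy
        self.log.append("auth_success:" + policy)


class AccessDevice:
    """Relays messages in both directions and enforces the issued policy."""

    def __init__(self, terminal):
        self.terminal = terminal
        self.enforced_policy = None

    def forward_to_terminal(self, msg):
        kind = msg["type"]
        if kind == "notification":
            return self.terminal.on_notification()
        if kind == "health_query":
            return self.terminal.on_health_query(msg["item"])
        if kind == "ack":
            return self.terminal.on_ack(msg["item"])
        if kind == "policy":
            self.enforced_policy = msg["policy"]  # applied to the terminal's port
            return self.terminal.on_auth_success(msg["policy"])
        raise ValueError("unknown message type: " + kind)


class AuthServer:
    """Drives the health check after 802.1x authentication has succeeded."""

    def __init__(self, items):
        self.items = list(items)
        self.values = {}  # measurement value per item

    @staticmethod
    def reassemble(item, subs):
        # Reject incomplete or duplicated fragment sets instead of judging a partial value.
        subs = sorted(subs, key=lambda m: m["seq"])
        if not subs or [m["seq"] for m in subs] != list(range(subs[0]["total"])):
            raise ValueError("incomplete fragment set for " + item)
        return "".join(m["data"] for m in subs)

    def health_check(self, access):
        handshake = access.forward_to_terminal({"type": "notification"})
        if handshake.get("type") != "handshake":
            policy = "deny"  # terminal cannot be checked
        else:
            for item in self.items:  # one health query per measurement item
                subs = access.forward_to_terminal({"type": "health_query", "item": item})
                raw = self.reassemble(item, subs)
                access.forward_to_terminal({"type": "ack", "item": item})
                self.values[item] = bool(raw) and PRESET_MEASURES[item](raw)
            policy = "allow" if all(self.values.values()) else "deny"
        access.forward_to_terminal({"type": "policy", "policy": policy})
        return policy


def run_admission(measurements, items=tuple(PRESET_MEASURES)):
    """Run the whole exchange; returns (policy, terminal log, enforced policy)."""
    terminal = Terminal(measurements)
    access = AccessDevice(terminal)
    policy = AuthServer(items).health_check(access)
    return policy, terminal.log, access.enforced_policy


if __name__ == "__main__":
    healthy = {"av_signature_age_days": "3", "os_patch_level": "2014-12-15",
               "disk_encryption": "enabled"}
    print(run_admission(healthy))
    print(run_admission(dict(healthy, disk_encryption="disabled")))
```

Two points the simulation makes concrete: the authentication server refuses to evaluate a measurement whose fragment set is incomplete (`reassemble` raises rather than judging a partial value), and the access device enforces only the policy the server issues after the last item has been checked, never something derived from the terminal's own report.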
The embodiments of the invention disclose:
A1. A network admission control method, comprising:
when the authentication server has authenticated the terminal successfully, the authentication server performs a health check on the terminal through the access device;
according to the result of the health check of the terminal, determining the admission control policy for network access to be sent to the terminal.
A2. The method according to A1, wherein the authentication server performing a health check on the terminal through the access device comprises:
the authentication server sends a notification message to the access device, so that the access device forwards the notification message to the terminal, the notification message notifying the terminal to perform a health check;
the authentication server receives the health check message sent by the access device, the health check message being the message containing the measurement information on the terminal that the terminal obtains by performing a health check after receiving the notification message.
A3. The method according to A2, wherein the authentication server receiving the health check message sent by the access device comprises:
the authentication server receives the handshake request sent by the access device, the handshake request being sent by the terminal to the authentication server according to the notification message to indicate that this terminal can perform a health check;
the authentication server sends a health query request to the access device, so that the access device forwards the health query request to the terminal, the health query request asking to check the measurement information on the terminal;
the authentication server receives the response message corresponding to the health query request sent by the access device, the response message being a message sent by the terminal containing the measurement information on this terminal.
A4. The method according to A2, wherein the authentication server receiving the health check message sent by the access device comprises:
the authentication server receives the handshake request sent by the access device, the handshake request being sent by the terminal to the authentication server according to the notification message to indicate that this terminal can perform a health check;
the authentication server sends a health query request to the access device, so that the access device forwards the health query request to the terminal, the health query request asking to check the measurement information on the terminal;
the authentication server receives multiple sub-response messages corresponding to the health query request sent by the access device, each sub-response message being a message sent by the terminal containing part of the measurement information on this terminal.
A5. The method according to A3 or A4, wherein the authentication server sends to the access device an acknowledgement message for the received response message, so that the access device sends the acknowledgement message to the terminal;
or the authentication server sends to the access device an acknowledgement message for each received sub-response message, so that the access device sends the acknowledgement message to the terminal.
A6. The method according to A3 or A4, wherein determining, according to the result of the health check of the terminal, the admission control policy for network access to be sent to the terminal comprises:
the authentication server determines, according to a preset measure, the measurement value of the measurement information in the response message, or the measurement value of all the measurement information in all the sub-response messages, and determines according to the measurement value the admission control policy for this terminal's network access;
the authentication server sends the admission control policy for the terminal to the access device, so that the access device controls the network accessed by the terminal according to the admission control policy.
A7. The method according to A6, wherein, if the authentication server needs to check multiple items of measurement information on the terminal, then after determining the measurement value the authentication server repeats the step of sending to the access device a health query request asking to check another item of measurement information on the terminal;
correspondingly, determining according to the measurement value the admission control policy for this terminal's network access comprises:
determining, according to all the measurement values corresponding to the terminal, the admission control policy for this terminal's network access.
B8. A network admission control method, comprising:
when the authentication server has authenticated the terminal successfully, the terminal receives the notification message sent by the access device, the notification message being a message that the authentication server sends to the access device for notifying the terminal to perform a health check;
the terminal performs a health check according to the received notification message, obtains a health check message containing the measurement information on the terminal, and sends the health check message to the authentication server through the access device.
B9. The method according to B8, wherein the terminal performing a health check according to the received notification message, obtaining a health check message containing the measurement information on the terminal, and sending the health check message to the authentication server through the access device comprises:
the terminal sends a handshake request to the access device according to the notification message, so that the access device forwards the handshake request to the authentication server, the handshake request indicating that this terminal can perform a health check;
the terminal receives, forwarded by the access device, the health query request that the authentication server sends according to the handshake request, the health query request asking to check the measurement information on the terminal;
the terminal obtains the measurement information on this terminal according to the health query request and sends a response message containing the measurement information to the access device, so that the access device sends the response message to the authentication server.
B10. The method according to B9, wherein sending the response message containing the measurement information to the access device comprises:
the terminal splits the measurement information into multiple fragments according to a fragmentation mechanism, and sends sub-response messages containing the fragments to the access device, each sub-response message containing one fragment.
B11. The method according to B8 or B9, further comprising:
the terminal receives the authentication success message sent by the access device; the authentication success message is sent after the access device receives the admission control policy for the terminal sent by the authentication server; the admission control policy is determined by the authentication server according to the measurement value of the terminal, and the measurement value of the terminal is the value that the authentication server obtains, according to a preset measure, from the measurement information in the response message.
B12. The method according to B11, wherein, before the terminal receives the authentication success message sent by the access device, the method further comprises:
the terminal receives the acknowledgement message for the response message sent by the access device, the acknowledgement message being sent to the access device after the authentication server receives the response message.
C13. An authentication server, comprising:
a health check unit, configured to perform a health check on the terminal through the access device when the terminal has been authenticated successfully;
a determining unit, configured to determine, according to the result from the health check unit, the admission control policy for network access to be sent to the terminal.
C14. The authentication server according to C13, wherein the health check unit is specifically configured to:
send a notification message to the access device, so that the access device forwards the notification message to the terminal, the notification message notifying the terminal to perform a health check;
receive the health check message sent by the access device, the health check message being the message containing the measurement information on the terminal that the terminal obtains by performing a health check after receiving the notification message.
C15. The authentication server according to C13, wherein the health check unit is specifically configured to:
send a notification message to the access device, so that the access device forwards the notification message to the terminal, the notification message notifying the terminal to perform a health check;
receive the handshake request sent by the access device, the handshake request being sent by the terminal to the authentication server according to the notification message to indicate that this terminal can perform a health check;
send a health query request to the access device, so that the access device forwards the health query request to the terminal, the health query request asking to check the measurement information on the terminal;
receive the response message corresponding to the health query request sent by the access device, the response message being a message sent by the terminal containing the measurement information on this terminal.
C16. The authentication server according to C13, wherein the health check unit is specifically configured to:
send a notification message to the access device, so that the access device forwards the notification message to the terminal, the notification message notifying the terminal to perform a health check;
receive the handshake request sent by the access device, the handshake request being sent by the terminal to the authentication server according to the notification message to indicate that this terminal can perform a health check;
send a health query request to the access device, so that the access device forwards the health query request to the terminal, the health query request asking to check the measurement information on the terminal;
receive multiple sub-response messages corresponding to the health query request sent by the access device, each sub-response message being a message sent by the terminal containing part of the measurement information on this terminal.
C17. The authentication server according to C15 or C16, wherein the health check unit is further configured to:
send to the access device an acknowledgement message for the received response message, so that the access device sends the acknowledgement message to the terminal;
or send to the access device an acknowledgement message for each received sub-response message, so that the access device sends the acknowledgement message to the terminal.
C18. The authentication server according to C15 or C16, wherein the determining unit is specifically configured to:
determine, according to a preset measure, the measurement value of the measurement information in the response message, or the measurement value of all the measurement information in all the sub-response messages, and determine according to the measurement value the admission control policy for this terminal's network access;
send the admission control policy for the terminal to the access device, so that the access device controls the network accessed by the terminal according to the admission control policy.
C19. The authentication server according to C18, wherein the determining unit is specifically configured to:
determine, according to all the measurement values corresponding to the terminal, the admission control policy for this terminal's network access;
send the admission control policy for the terminal to the access device, so that the access device controls the network accessed by the terminal according to the admission control policy.
D20. A terminal, comprising:
a receiving unit, configured to receive, when the authentication server has authenticated the terminal successfully, the notification message sent by the access device, the notification message being a message that the authentication server sends to the access device for notifying the terminal to perform a health check;
a health check unit, configured to perform a health check according to the received notification message, obtain a health check message containing the measurement information on the terminal, and send the health check message to the authentication server through the access device.
D21. The terminal according to D20, wherein the health check unit is specifically configured to:
send a handshake request to the access device according to the notification message, so that the access device forwards the handshake request to the authentication server, the handshake request indicating that this terminal can perform a health check;
receive, forwarded by the access device, the health query request that the authentication server sends according to the handshake request, the health query request asking to check the measurement information on the terminal;
obtain the measurement information on this terminal according to the health query request and send a response message containing the measurement information to the access device, so that the access device sends the response message to the authentication server.
D22. The terminal according to D20, wherein the health check unit is specifically configured to:
send a handshake request to the access device according to the notification message, so that the access device forwards the handshake request to the authentication server, the handshake request indicating that this terminal can perform a health check;
receive, forwarded by the access device, the health query request that the authentication server sends according to the handshake request, the health query request asking to check the measurement information on the terminal;
obtain the measurement information on this terminal according to the health query request, split the measurement information into multiple fragments according to a fragmentation mechanism, and send sub-response messages containing the fragments to the access device, each sub-response message containing one fragment, so that the access device sends all the sub-response messages to the authentication server.
D23. The terminal according to D21 or D20, wherein the receiving unit is further configured to:
receive the authentication success message sent by the access device; the authentication success message is sent after the access device receives the admission control policy for the terminal sent by the authentication server; the admission control policy is determined by the authentication server according to the measurement value of the terminal, and the measurement value of the terminal is the value that the authentication server obtains, according to a preset measure, from the measurement information in the response message.
D24. The terminal according to D23, wherein the receiving unit, before receiving the authentication success message, receives the acknowledgement message for the response message sent by the access device, the acknowledgement message being sent to the access device after the authentication server receives the response message.
Summary of the invention
For the defect of prior art, the invention provides a kind of network access control method and certificate server, terminal, solve the problem based on insecurity in the user network access flow process of 802.1x agreement in prior art.
First aspect, the invention provides a kind of network access control method, comprising:
When certificate server is successful to the authentication of terminal, described certificate server carries out health examination by access device to described terminal;
According to the result of the health examination of described terminal, determine to send Admission control for access network to described terminal.
Optionally, the authentication server performing a health check on the terminal via the access device comprises:
the authentication server sends a notification message to the access device, so that the access device forwards the notification message to the terminal, the notification message being used to notify the terminal to perform a health check;
the authentication server receives a health check message sent by the access device, the health check message being a message containing metric information of the terminal, obtained by the terminal performing the health check after receiving the notification message.
Optionally, the authentication server receiving the health check message sent by the access device comprises:
the authentication server receives a handshake request sent by the access device, the handshake request being a request sent by the terminal to the authentication server according to the notification message, indicating that the terminal is able to perform a health check;
the authentication server sends a health query request to the access device, so that the access device forwards the health query request to the terminal, the health query request being used to request a check of the metric information in the terminal;
the authentication server receives, from the access device, a response message corresponding to the health query request, the response message being a message sent by the terminal that contains the metric information of the terminal.
Optionally, the authentication server receiving the health check message sent by the access device comprises:
the authentication server receives a handshake request sent by the access device, the handshake request being a request sent by the terminal to the authentication server according to the notification message, indicating that the terminal is able to perform a health check;
the authentication server sends a health query request to the access device, so that the access device forwards the health query request to the terminal, the health query request being used to request a check of the metric information in the terminal;
the authentication server receives, from the access device, multiple sub-response messages corresponding to the health query request, each sub-response message being a message sent by the terminal that contains part of the metric information of the terminal.
Optionally, the authentication server sends to the access device an acknowledge message for the received response message, so that the access device sends the acknowledge message to the terminal;
or, the authentication server sends to the access device an acknowledge message for the received sub-response messages, so that the access device sends the acknowledge message to the terminal.
Optionally, determining, according to the result of the health check of the terminal, whether to send the terminal an admission control policy for accessing the network comprises:
the authentication server determines, according to a preset measurement method, the metric value of the metric information in the response message, or determines the metric values of all the metric information in all the sub-response messages, and determines according to the metric value(s) the admission control policy to be applied to the terminal's network access;
the authentication server sends the admission control policy of the terminal to the access device, so that the access device controls the network accessed by the terminal according to the admission control policy.
Optionally, if the authentication server needs to check multiple items of metric information of the terminal, then after determining one metric value the authentication server repeats the step of sending to the access device a health query request that requests a check of another item of metric information in the terminal;
correspondingly, determining according to the metric value the admission control policy to be applied to the terminal's network access comprises: determining the admission control policy for the terminal's network access according to all the metric values corresponding to the terminal.
In a second aspect, the invention provides a network access control method, comprising:
when the authentication server has successfully authenticated the terminal, the terminal receives a notification message sent by the access device, the notification message being a message sent by the authentication server to the access device for notifying the terminal to perform a health check;
the terminal performs a health check according to the received notification message, obtains a health check message containing metric information of the terminal, and sends the health check message to the authentication server via the access device.
Optionally, the terminal performing a health check according to the received notification message, obtaining a health check message containing metric information of the terminal, and sending the health check message to the authentication server via the access device comprises:
the terminal sends a handshake request to the access device according to the notification message, so that the access device forwards the handshake request to the authentication server, the handshake request being a request indicating that the terminal is able to perform a health check;
the terminal receives, forwarded by the access device, the health query request that the authentication server sends in response to the handshake request, the health query request being used to request a check of the metric information in the terminal;
the terminal obtains the metric information of the terminal according to the health query request and sends a response message containing the metric information to the access device, so that the access device sends the response message to the authentication server.
Optionally, sending the response message containing the metric information to the access device comprises:
the terminal splits the metric information into multiple fragments of metric information according to a fragmentation mechanism, and sends sub-response messages containing the fragments to the access device, each sub-response message containing one fragment of the metric information.
Optionally, the method further comprises:
the terminal receives an authentication success message sent by the access device, the authentication success message being sent after the access device receives the admission control policy of the terminal sent by the authentication server, the admission control policy being determined by the authentication server according to the metric value of the terminal, and the metric value of the terminal being obtained by the authentication server, according to a preset measurement method, from the metric information in the response message.
Optionally, before the terminal receives the authentication success message sent by the access device, the method further comprises: the terminal receives an acknowledge message for the response message sent by the access device, the acknowledge message being sent to the access device after the authentication server receives the response message.
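The message exchange of the first and second aspects above, simulated end to end as an added example; this is not code from the patent or its assignee. The patent names the steps but defines no wire format, metric type, fragment size or policy content, so the message type names, the `Terminal`, `AuthServer` and `AccessDevice` classes, the 16-byte fragment size, the sample metric names and the `full_access`/`quarantine` policy values are all constructed assumptions. The access device is modelled as a relay that enforces the final policy and then sends the authentication success message to the terminal, as the second aspect describes; the server loops over several metrics, reassembles fragmented sub-responses, and acknowledges each completed metric.

```python
"""Simulation of the post-authentication health check exchange (added example).
All message names, metric names, sizes and policy values are constructed."""
from dataclasses import dataclass, field

# Constructed message types; the patent names the steps but no wire format.
NOTIFY, HANDSHAKE, QUERY, SUB_RESPONSE, ACK, POLICY, AUTH_SUCCESS = (
    "notify", "handshake", "health_query", "sub_response", "ack",
    "admission_policy", "auth_success")
MAX_FRAGMENT = 16  # constructed fragment size (bytes) for the fragmentation mechanism


@dataclass
class Msg:
    kind: str
    body: dict = field(default_factory=dict)


class Terminal:
    """Terminal: answers the notification with a handshake and each health
    query with one or more sub-response messages (fragments)."""

    def __init__(self, facts: dict[str, str]):
        self.facts = facts            # constructed local state the metrics are read from
        self.received: list[Msg] = []
        self.fragments_sent = 0

    def handle(self, msg: Msg) -> list[Msg]:
        self.received.append(msg)
        if msg.kind == NOTIFY:
            return [Msg(HANDSHAKE)]   # "this terminal can perform a health check"
        if msg.kind == QUERY:
            metric = msg.body["metric"]
            value = self.facts.get(metric, "").encode()
            frags = [value[i:i + MAX_FRAGMENT]
                     for i in range(0, len(value), MAX_FRAGMENT)] or [b""]
            self.fragments_sent += len(frags)
            return [Msg(SUB_RESPONSE, {"metric": metric, "seq": i,
                                       "total": len(frags), "data": f})
                    for i, f in enumerate(frags)]
        return []                     # ACK and AUTH_SUCCESS need no reply


class AuthServer:
    """Authentication server: queries one metric at a time, reassembles the
    fragments, measures each value against a preset rule, then issues a policy."""

    def __init__(self, required: dict[str, str]):
        self.required = required      # preset measurement rule: metric -> expected value
        self.pending = list(required)
        self.buffers: dict[str, dict[int, bytes]] = {}
        self.measured: dict[str, bool] = {}

    def start(self) -> list[Msg]:
        return [Msg(NOTIFY)]

    def handle(self, msg: Msg) -> list[Msg]:
        if msg.kind == HANDSHAKE:
            return [self._next()]
        if msg.kind == SUB_RESPONSE:
            b = msg.body
            buf = self.buffers.setdefault(b["metric"], {})
            buf[b["seq"]] = b["data"]
            if len(buf) < b["total"]:
                return []             # wait for the remaining fragments
            value = b"".join(buf[i] for i in range(b["total"])).decode()
            self.measured[b["metric"]] = value == self.required[b["metric"]]
            # acknowledge the completed metric, then query the next one or decide
            return [Msg(ACK, {"metric": b["metric"]}), self._next()]
        return []

    def _next(self) -> Msg:
        if self.pending:
            return Msg(QUERY, {"metric": self.pending.pop(0)})
        failed = sorted(m for m, ok in self.measured.items() if not ok)
        return Msg(POLICY, {"policy": "quarantine" if failed else "full_access",
                            "failed": failed})


class AccessDevice:
    """Access device: forwards messages both ways; on receiving the admission
    control policy it enforces it and tells the terminal authentication succeeded."""

    def __init__(self, server: AuthServer, terminal: Terminal):
        self.server, self.terminal, self.policy = server, terminal, None

    def run(self) -> dict:
        queue = [("to_terminal", m) for m in self.server.start()]
        while queue:
            direction, msg = queue.pop(0)
            if direction == "to_terminal":
                if msg.kind == POLICY:
                    self.policy = msg.body            # enforce on this terminal's port
                    self.terminal.handle(Msg(AUTH_SUCCESS))
                    continue
                queue += [("to_server", m) for m in self.terminal.handle(msg)]
            else:
                queue += [("to_terminal", m) for m in self.server.handle(msg)]
        return self.policy


def run_check(facts: dict[str, str], required: dict[str, str]):
    """Run one full exchange; returns (policy, terminal, server) for inspection."""
    terminal, server = Terminal(facts), AuthServer(required)
    return AccessDevice(server, terminal).run(), terminal, server


# Constructed sample rule: three metrics, one value longer than MAX_FRAGMENT.
SAMPLE_REQUIRED = {"av_signature": "2014-12-30",
                   "os_patch": "KB-constructed-0001", "firewall": "on"}

if __name__ == "__main__":
    print(run_check(dict(SAMPLE_REQUIRED), SAMPLE_REQUIRED)[0])
    print(run_check({**SAMPLE_REQUIRED, "firewall": "off"}, SAMPLE_REQUIRED)[0])
```

The server never trusts a partial reassembly: a metric is measured only once all `total` fragments for it have arrived, and the terminal learns nothing about the outcome until the access device relays the final policy, which keeps the decision on the server side as the first aspect requires.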
In a third aspect, the invention provides an authentication server, comprising:
a health check unit, configured to perform a health check on the terminal via the access device when the authentication of the terminal succeeds;
a determining unit, configured to determine, according to the result of the health check unit, whether to send the terminal an admission control policy for accessing the network.
Optionally, the health check unit is specifically configured to:
send a notification message to the access device, so that the access device forwards the notification message to the terminal, the notification message being used to notify the terminal to perform a health check;
receive a health check message sent by the access device, the health check message being a message containing metric information of the terminal, obtained by the terminal performing the health check after receiving the notification message.
Optionally, the health check unit is specifically configured to:
send a notification message to the access device, so that the access device forwards the notification message to the terminal, the notification message being used to notify the terminal to perform a health check;
receive a handshake request sent by the access device, the handshake request being a request sent by the terminal to the authentication server according to the notification message, indicating that the terminal is able to perform a health check;
send a health query request to the access device, so that the access device forwards the health query request to the terminal, the health query request being used to request a check of the metric information in the terminal;
receive, from the access device, a response message corresponding to the health query request, the response message being a message sent by the terminal that contains the metric information of the terminal.
Optionally, the health check unit is specifically configured to:
send a notification message to the access device, so that the access device forwards the notification message to the terminal, the notification message being used to notify the terminal to perform a health check;
receive a handshake request sent by the access device, the handshake request being a request sent by the terminal to the authentication server according to the notification message, indicating that the terminal is able to perform a health check;
send a health query request to the access device, so that the access device forwards the health query request to the terminal, the health query request being used to request a check of the metric information in the terminal;
receive, from the access device, multiple sub-response messages corresponding to the health query request, each sub-response message being a message sent by the terminal that contains part of the metric information of the terminal.
Optionally, the health check unit is further configured to:
send to the access device an acknowledge message for the received response message, so that the access device sends the acknowledge message to the terminal;
or, send to the access device an acknowledge message for the received sub-response messages, so that the access device sends the acknowledge message to the terminal.
Optionally, the determining unit is specifically configured to:
determine, according to a preset measurement method, the metric value of the metric information in the response message, or determine the metric values of all the metric information in all the sub-response messages, and determine according to the metric value(s) the admission control policy to be applied to the terminal's network access;
send the admission control policy of the terminal to the access device, so that the access device controls the network accessed by the terminal according to the admission control policy.
Optionally, the determining unit is specifically configured to:
determine the admission control policy for the terminal's network access according to all the metric values corresponding to the terminal;
send the admission control policy of the terminal to the access device, so that the access device controls the network accessed by the terminal according to the admission control policy.
In a fourth aspect, the invention provides a terminal, comprising:
a receiving unit, configured to receive, when the authentication server has successfully authenticated the terminal, a notification message sent by the access device, the notification message being a message sent by the authentication server to the access device for notifying the terminal to perform a health check;
a health check unit, configured to perform a health check according to the received notification message, obtain a health check message containing metric information of the terminal, and send the health check message to the authentication server via the access device.
Optionally, the health check unit is specifically configured to:
send a handshake request to the access device according to the notification message, so that the access device forwards the handshake request to the authentication server, the handshake request being a request indicating that the terminal is able to perform a health check;
receive, forwarded by the access device, the health query request that the authentication server sends in response to the handshake request, the health query request being used to request a check of the metric information in the terminal;
obtain the metric information of the terminal according to the health query request, and send a response message containing the metric information to the access device, so that the access device sends the response message to the authentication server.
Optionally, the health check unit is specifically configured to:
send a handshake request to the access device according to the notification message, so that the access device forwards the handshake request to the authentication server, the handshake request being a request indicating that the terminal is able to perform a health check;
receive, forwarded by the access device, the health query request that the authentication server sends in response to the handshake request, the health query request being used to request a check of the metric information in the terminal;
obtain the metric information of the terminal according to the health query request, split the metric information into multiple fragments of metric information according to a fragmentation mechanism, and send sub-response messages containing the fragments to the access device, each sub-response message containing one fragment of the metric information, so that the access device sends all the sub-response messages to the authentication server.
Optionally, the receiving unit is further configured to:
receive an authentication success message sent by the access device, the authentication success message being sent after the access device receives the admission control policy of the terminal sent by the authentication server, the admission control policy being determined by the authentication server according to the metric value of the terminal, and the metric value of the terminal being obtained by the authentication server, according to a preset measurement method, from the metric information in the response message.
Optionally, the receiving unit, before receiving the authentication success message, receives an acknowledge message for the response message sent by the access device, the acknowledge message being sent to the access device after the authentication server receives the response message.
It can be seen from the above technical solution that, in the network access control method, authentication server and terminal provided by the invention, after the authentication server has successfully authenticated the terminal and before it sends an admission control policy, a health check is performed on the terminal, and whether to send the terminal an admission control policy for accessing the network is determined according to the result of the terminal health check, so that the security of user network access can be better improved.
Numerous specific details are set forth in the specification of the present invention. It will be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention, the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from those of that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may in addition be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described herein include some features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of a browser terminal device according to an embodiment of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the methods described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments describe rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and the like does not indicate any ordering; these words may be interpreted as names.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the various embodiments of the present invention; they shall all fall within the scope of the claims and specification of the present invention.
Description of the drawings
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings required in the description of the embodiments or of the prior art are briefly described below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art may derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the architecture of the current 802.1x protocol;
Fig. 2 is a schematic diagram of the system architecture to which the method of an embodiment of the present invention is applied;
Fig. 3A and Fig. 3B are schematic flow charts of a network access control method provided by one embodiment of the present invention;
Fig. 4 is a signaling diagram of a network access control method provided by another embodiment of the present invention;
Fig. 5 is a schematic flow chart of a network access control method provided by another embodiment of the present invention;
Fig. 6A and Fig. 6B are schematic flow charts of a network access control method provided by another embodiment of the present invention;
Fig. 7 is a schematic structural diagram of an authentication server provided by one embodiment of the present invention;
Fig. 8 is a schematic structural diagram of an access device provided by one embodiment of the present invention;
Fig. 9 is a schematic structural diagram of a terminal provided by one embodiment of the present invention.
Embodiments
The technical solutions of the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.

Claims (10)

1. A network access control method, characterized in that it comprises:
when the authentication server has successfully authenticated the terminal, the authentication server performs a health check on the terminal via the access device;
according to the result of the health check of the terminal, determining whether to send the terminal an admission control policy for accessing the network.
2. The method according to claim 1, characterized in that the authentication server performing a health check on the terminal via the access device comprises:
the authentication server sends a notification message to the access device, so that the access device forwards the notification message to the terminal, the notification message being used to notify the terminal to perform a health check;
the authentication server receives a health check message sent by the access device, the health check message being a message containing metric information of the terminal, obtained by the terminal performing the health check after receiving the notification message.
3. The method according to claim 2, characterized in that the authentication server receiving the health check message sent by the access device comprises:
the authentication server receives a handshake request sent by the access device, the handshake request being a request sent by the terminal to the authentication server according to the notification message, indicating that the terminal is able to perform a health check;
the authentication server sends a health query request to the access device, so that the access device forwards the health query request to the terminal, the health query request being used to request a check of the metric information in the terminal;
the authentication server receives, from the access device, a response message corresponding to the health query request, the response message being a message sent by the terminal that contains the metric information of the terminal.
4. The method according to claim 2, characterized in that the authentication server receiving the health check message sent by the access device comprises:
the authentication server receives a handshake request sent by the access device, the handshake request being a request sent by the terminal to the authentication server according to the notification message, indicating that the terminal is able to perform a health check;
the authentication server sends a health query request to the access device, so that the access device forwards the health query request to the terminal, the health query request being used to request a check of the metric information in the terminal;
the authentication server receives, from the access device, multiple sub-response messages corresponding to the health query request, each sub-response message being a message sent by the terminal that contains part of the metric information of the terminal.
5. The method according to claim 3 or 4, characterized in that
the authentication server sends to the access device an acknowledge message for the received response message, so that the access device sends the acknowledge message to the terminal;
or, the authentication server sends to the access device an acknowledge message for the received sub-response messages, so that the access device sends the acknowledge message to the terminal.
6. The method according to claim 3 or 4, characterized in that determining, according to the result of the health check of the terminal, whether to send the terminal an admission control policy for accessing the network comprises:
the authentication server determines, according to a preset measurement method, the metric value of the metric information in the response message, or determines the metric values of all the metric information in all the sub-response messages, and determines according to the metric value(s) the admission control policy to be applied to the terminal's network access;
the authentication server sends the admission control policy of the terminal to the access device, so that the access device controls the network accessed by the terminal according to the admission control policy.
7. The method according to claim 6, characterized in that, if the authentication server needs to check multiple items of metric information of the terminal, then after determining one metric value the authentication server repeats the step of sending to the access device a health query request that requests a check of another item of metric information in the terminal;
correspondingly, determining according to the metric value the admission control policy to be applied to the terminal's network access comprises:
determining the admission control policy for the terminal's network access according to all the metric values corresponding to the terminal.
8. A network access control method, characterized in that it comprises:
when the authentication server has successfully authenticated the terminal, the terminal receives a notification message sent by the access device, the notification message being a message sent by the authentication server to the access device for notifying the terminal to perform a health check;
the terminal performs a health check according to the received notification message, obtains a health check message containing metric information of the terminal, and sends the health check message to the authentication server via the access device.
9. An authentication server, characterized in that it comprises:
a health check unit, configured to perform a health check on the terminal via the access device when the authentication of the terminal succeeds;
a determining unit, configured to determine, according to the result of the health check unit, whether to send the terminal an admission control policy for accessing the network.
10. A terminal, characterized in that it comprises:
a receiving unit, configured to receive, when the authentication server has successfully authenticated the terminal, a notification message sent by the access device, the notification message being a message sent by the authentication server to the access device for notifying the terminal to perform a health check;
a health check unit, configured to perform a health check according to the received notification message, obtain a health check message containing metric information of the terminal, and send the health check message to the authentication server via the access device.
CN201410844361.4A 2014-12-30 2014-12-30 Network admission control method, authentication server and terminal Pending CN104618268A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410844361.4A CN104618268A (en) 2014-12-30 2014-12-30 Network admission control method, authentication server and terminal

Publications (1)

Publication Number Publication Date
CN104618268A true CN104618268A (en) 2015-05-13

Family

ID=53152553

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410844361.4A Pending CN104618268A (en) 2014-12-30 2014-12-30 Network admission control method, authentication server and terminal

Country Status (1)

Country Link
CN (1) CN104618268A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110166453A (en) * 2019-05-21 2019-08-23 广东联合电子服务股份有限公司 A kind of interface authentication method, system and storage medium based on SE chip
CN110278123A (en) * 2019-05-10 2019-09-24 新华三技术有限公司 Inspection method, device, electronic equipment and readable storage medium storing program for executing
CN114070612A (en) * 2021-11-15 2022-02-18 北京天融信网络安全技术有限公司 Network authentication processing method and device

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1744494A (en) * 2005-09-30 2006-03-08 广东省电信有限公司研究院 Access authentication system and method by verifying safety of accessing host
CN1787434A (en) * 2004-12-08 2006-06-14 杭州华为三康技术有限公司 System and method for safety identification to network customer terminal
CN101599967A (en) * 2009-06-29 2009-12-09 杭州华三通信技术有限公司 Authority control method and system based on the 802.1x Verification System
CN102271120A (en) * 2010-06-02 2011-12-07 清大安科(北京)科技有限公司 Trusted network access authentication method capable of enhancing security
CN103368905A (en) * 2012-03-29 2013-10-23 同方股份有限公司 Trustable cipher module chip-based network access authentication method
WO2014070806A1 (en) * 2012-10-30 2014-05-08 Microsoft Corporation Communicating state information to legacy clients using legacy protocols
CN104038478A (en) * 2014-05-19 2014-09-10 瑞达信息安全产业股份有限公司 Embedded platform identity authentication trusted network connection method and system

Similar Documents

Publication Publication Date Title
US10791506B2 (en) Adaptive ownership and cloud-based configuration and control of network devices
US10116644B1 (en) Network access session detection to provide single-sign on (SSO) functionality for a network access control device
CN108293053B (en) Single sign-on authentication of client applications via a browser
CN108881308B (en) User terminal and authentication method, system and medium thereof
CN107079007B (en) Method, apparatus and computer-readable medium for the certification based on certificate
EP3120591B1 (en) User identifier based device, identity and activity management system
CN101218576B (en) Method and system for managing access to a network
US20090132682A1 (en) System and Method for Secure Configuration of Network Attached Devices
CN105450582B (en) Service processing method, terminal, server and system
BR112020001139A2 (en) Session processing method, SMF session management function network element, data network network element, and session management network element
US20180198786A1 (en) Associating layer 2 and layer 3 sessions for access control
EP4224342A1 (en) System and method for secure application communication between networked processors
WO2018191854A1 (en) Method for accessing fixed network and access gateway network element
CN105262597B (en) Network access authentication method, client terminal, access device and authentication device
US9215227B2 (en) Systems and methods for network communications
WO2014021870A1 (en) Feature enablement or disablement determination based on discovery message
EP3182672B1 (en) Result reporting for authentication, authorization and accounting protocols
WO2018196587A1 (en) User authentication method and apparatus in converged network
US9893968B1 (en) Troubleshooting network paths in a distributed computing environment
CN107623665A (en) Authentication method, device and system
CN104618268A (en) Network admission control method, authentication server and terminal
JP6148458B2 (en) Authentication apparatus and method, and computer program
CN104869121A (en) 802.1x-based authentication method and device
CN103401751B (en) Internet safety protocol tunnel establishing method and device
CN104468194B (en) Compatibility method for a network device, and forwarding server

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20170209

Address after: 100015 Beijing, Chaoyang District, Jiuxianqiao Road No. 10, Building 3, Floors 15 to 17, Room 1701-26

Applicant after: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.

Address before: 100088 Beijing, Xicheng District, Xinjiekouwai Street No. 28, Block D, Room 112 (Desheng Park)

Applicant before: Beijing Qihu Technology Co., Ltd.

Applicant before: Qizhi Software (Beijing) Co., Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20150513