CN1889430A - Safety identification control method based on 802.1 X terminal wideband switching-in - Google Patents


Info

Publication number
CN1889430A
Authority
CN
China
Prior art keywords
user
authentication
server
access
network
Legal status
Pending
Application number
CN 200610085545
Other languages
Chinese (zh)
Inventor
顾恺
顾杰
智勇
吴冬
宦林英
张宇斌
Current Assignee
Nanjing Lianchuang Network Science & Technology Co Ltd
Original Assignee
Nanjing Lianchuang Network Science & Technology Co Ltd
Application filed by Nanjing Lianchuang Network Science & Technology Co Ltd

Landscapes

  • Small-Scale Networks (AREA)

Abstract

This invention relates to a security authentication control method for terminal broadband access based on 802.1X. Normally each user is in an independent VLAN. For 802.1X access, the authentication server is a RADIUS server that stores the relevant user information, and the user's VLAN+MAC+IP binding is used as the logical port. The client, the authentication system and the authentication server establish the authentication flow for the user's network access: 1. before authentication succeeds, only EAPOL 802.1X authentication messages can pass through the channel; 2. when authentication succeeds, the state of the channel switches to authorized, and at this point the user's information can be delivered from the remote server. After authentication, the user's traffic is policed according to these parameters, any message can pass through the channel, and a DHCP process takes place. The client is a device that needs to access the LAN, supports the EAPOL protocol and runs 802.1X client software. The authentication system is a network device that supports the 802.1X protocol and corresponds to the ports of different users.

Description

Safety identification control method based on the terminal broadband access of 802.1X
Technical field
The present invention relates to a security authentication control method for terminal broadband access based on 802.1X.
Background technology
Broadband networks have developed rapidly in recent years and the number of users has grown very quickly. The accompanying network security risks are also very prominent: a network can spread viruses as it spreads information, and this has become an increasingly serious problem. How can the spread of network viruses be controlled effectively? It is generally believed that control is more effective the closer it is applied to the user, that is, viruses should be effectively prevented from entering the network. However, many problems remain at present:
Some vendors offer solutions for virus control. For example, Cisco has proposed the concept of the self-defending network, but adopting this defense system requires Cisco equipment at the user access end. At present Cisco equipment is used less and less at the access end, while domestic equipment is used more and more.
Microsoft has also proposed the concept of domain management. Microsoft's is a pure software solution. Although it can implement a degree of user authentication and policy, and has unified resources and partitioned privileges, it cannot isolate user terminals and can hardly achieve real control and management of network access.
Many domestic companies have also released desktop security systems, but such software systems cannot be enforced. If a user does not install the security system, or installs it but does not keep it updated afterwards, the security level drops.
Existing security technology can provide a comprehensive network security solution through a residential gateway, including user authentication, authorization, data protection and so on. The security technologies used by residential gateways include: multiple SSIDs and VLANs, 802.1X authentication, WEP and WPA, backup center, AAA, CA technology, packet filtering, address translation, VPN, encryption and Internet Key Exchange, ASPF, security management, etc.
(1) Multiple SSID and VLAN technology
A wireless home gateway can build its internal network over 802.11X, and the gateway's support for multiple SSIDs provides a virtual AP function. Different SSIDs can use different authentication modes and access rights, and can also be mapped to different VLANs, which isolates the public hotspot from the home internal network.
(2) WEP and WPA
WEP is part of the 802.11 standard and defines a link-level security mechanism. It supports shared-key authentication and MAC-layer data encryption, with a key length of 40 or 104 bits, and uses the RC4 symmetric stream cipher. WEP's security is very weak: its key is easily cracked, and attacks such as DoS and replay are easy to mount against it. WPA v1.0 uses 802.1x authentication or shared-key authentication and, for encryption, uses TKIP, which is based on the WEP algorithm. TKIP adds some new auxiliary functions on top of WEP to support MSDU encryption, fragmentation, verification of the data source, and replay protection.
(3) AAA authentication
Some high-end home gateways act as an authentication point and can authenticate, authorize and account for users who access the home internal network.
(4) packet filtering technology
The fields of the IP header of an IP packet, and of the header of the upper-layer protocol it carries (such as TCP), contain information that a router can process. Packet filtering usually uses the following attributes of an IP packet:
● the IP source address, destination address and protocol field;
● the TCP or UDP source and destination ports;
● the ICMP code and ICMP type fields;
● the TCP flags field:
● a lone SYN, which indicates a connection request;
● SYN/ACK, which indicates connection confirmation;
● the flag that indicates a session connection in use;
● FIN, which indicates connection teardown.
A time range can also be set, such as the 8:00~20:00 every Monday in the previous example, during which FTP packets are allowed in to complete the necessary service, while FTP connections are forbidden at all other times. Time periods can be absolute or periodic, continuous or discrete, and these can be combined, which gives great flexibility in use. Such time periods can also easily be made available to other functional modules, such as address translation and IPSec.
(5) VPN technology
A Virtual Private Network, abbreviated VPN, is a technology that has developed rapidly in recent years along with the Internet. VPNs are mainly divided into Access VPN and Intranet VPN. A remote user can connect to the home gateway through Access VPN for secure remote access to and control of the home network. The home gateway can connect to a company's VPN gateway through Intranet VPN to form an intranet.
(6) ASPF technology
ASPF is a form of high-level communication filtering. It inspects application-layer protocol information and monitors the state of connection-based application-layer protocols. For every connection, ASPF maintains the connection state information and uses it to decide dynamically whether a packet is allowed through the firewall or dropped. The home gateway provides access control based on packet content; that is, ASPF can detect and defend against some application-layer attacks, including detection of SMTP commands, SYN flooding and packet injection.
(7) IDS technology
An intrusion detection system (IDS) can make up for the shortcomings of a firewall. It provides real-time intrusion detection for network security and takes corresponding protective measures, such as recording evidence for tracing and recovery, disconnecting network connections, and so on. The full name of IDS is Intrusion Detection System. It collects information from a number of key points in a computer network system and analyzes it to check whether the network shows behavior that violates the security policy or signs of attack. Intrusion detection is regarded as the second security gate behind the firewall.
Summary of the invention
The purpose of the invention is to address the above problems by proposing a strategy based on a terminal security gateway (TGATE). Its basic idea is to bind 802.1x authentication to desktop security and to use a hardware device to enforce a mandatory check and control of the user's security level.
A security authentication control method for terminal broadband access based on 802.1X: normally each user is in a VLAN of its own, isolated from the others. For 802.1x access, the authentication server is a RADIUS server, which can store the relevant user information, such as the VLAN the user belongs to, CAR parameters, priority and the user's access control list. The method is characterized in that the user's VLAN+MAC+IP binding is used as the logical port, and the client (PC/network device), the authentication system and the authentication server establish the authentication flow for the user's network access:
1. Before authentication succeeds, the channel can pass only EAPOL 802.1X authentication messages.
2. When authentication succeeds, the state of the channel switches to authorized, and the user's information, such as VLAN, CAR parameters, priority and the user's access control list, can be delivered from the remote authentication server.
3. After authentication succeeds, the user's traffic is policed according to the above parameters. The channel can now pass any message, and a DHCP process takes place.
4. The client is a device that needs to access the LAN, supports the EAPOL protocol and runs 802.1X client software. The authentication system is a network device that supports the IEEE 802.1x protocol. The authentication system corresponds to the ports of different users (a physical port, or the VLAN+MAC+IP binding of the user device used as a logical port), each with two logical ports: a controlled port and an uncontrolled port. The uncontrolled port is always in a bidirectionally connected state and is mainly used to pass EAPOL protocol frames, which ensures that the client can always send or receive authentication messages. The controlled port is opened only in the authenticated state and is used to pass network resources and services. The controlled port can be configured in two modes, bidirectionally controlled or input-only controlled, to suit different application environments. If the user has not passed authentication, the controlled port is in the unauthenticated state and the user cannot access the services provided by the authentication system. After the user passes authentication, the authentication server passes the user's relevant information to the authentication system, the authentication system builds a dynamic access control list, and the user's subsequent traffic is policed according to the above parameters. The authentication server and the RADIUS server communicate over the EAP protocol.
Before accessing the network, the user initiates an authentication request with 802.1x as described above. At this point TGATE must not only authenticate the user's identity but also check the security level of the terminal:
If user identity authentication fails, network access is not allowed.
If user identity authentication succeeds but the security level does not meet the requirements, the user can access only a very limited service area, and can only go to that service area to install patches and so on in order to raise the security level.
If both the authentication and the security level check pass, the user can access the permitted resources according to the user's own privileges. The structure and flow of this scheme are shown in the accompanying drawings.
The characteristics of the present invention are: it adopts a terminal security authentication mechanism based on 802.1x, which not only solves the control of user network access but also makes terminal security an important criterion for that control. Hardware and software working together provide flexibility, security and effectiveness.
Because of the particular nature of 802.1x, TGATE can be placed at the aggregation layer of the network, so deploying this scheme does not require large-scale changes to the network. It also places no special requirements on the network's existing layer-2 equipment.
Description of drawings
Fig. 1 is a block diagram of the present invention.
Fig. 2 is the terminal security information transparent-transmission flow chart of the present invention.
Embodiment
1. The user uses the security agent client to perform identity verification and integrity checking. The user enters a user name and password in the client software to authenticate. The EAP message sent by the security agent client contains the user name and password, the client version number and the security check result.
2. The user sends the request to the access server through the network access client (the access method can be 802.1x). The transparent-transmission flow for the user's security information is shown in Fig. 1.
3. The access server sends the user's request to the authentication and authorization server using the standard RADIUS protocol.
4. The authentication and authorization server checks the user information and the security information in the user's request:
● If the user information is incorrect, it returns an authentication reject message.
● If the user information is correct but the security information check fails, it adds the restricted domain name and the patch download information to the authentication-success response.
● If the user name has a network access permission configuration, it adds the corresponding access control rules to the response.
The authentication server's flow for checking user information is shown in Fig. 2.
5. The access client is notified that network access succeeded or was rejected.
6. For a user who fails the security check, the access server uses access control to force the user to the security server and notifies the client to open the corresponding security patch download page.
7. For a user with configured access rules, the access server applies the corresponding access control rules to restrict the user's network access permissions.
8. For a normal user, normal network access is allowed.
Examples:
● Example 1: the user's client version is lower than the server requires
Terminal configuration: the security client is installed, and its version is 0x00000001.
Authentication server configuration: the minimum required user version is 0x00000002, and the client version update server is configured as http://www.lianchuang.com/policv
User authentication result: the user can pass authentication, but normal accesses network; the client is forced to open the version update page: http://www.lianchuang.com/policv
● Example 2: the user terminal fails the security check
Terminal configuration: the security client is installed on a PC that lacks patch KB000001.
Authentication server configuration: the security patch download server is configured as
http://www.lianchuang.com/ServicePack
User authentication result: the user can pass authentication, but normal accesses network; the client is forced to open the patch download page, whose URL is the patch server URL + the specific patch name:
http://www.lianchuang.com/ServicePack.asp?id=KB000001
● Example 3: the server restricts the user's access permissions
Terminal configuration: the user logs in with the user name example@internet.
BAS configuration: configure ACL rule 1: deny access to ftp://202.102.24.35
Authentication server configuration: access control rule 1 is assigned to the user example@internet.
User authentication result: the user can pass authentication, and can normally access any service except ftp://202.102.24.35
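The server-side check in step 4 and the three examples above can be written as one decision function. This is an added sketch, not code from the patent: `Policy`, `Decision`, `evaluate` and the sample password table are hypothetical names and constructed data, and treating a missing client report as a failed check is an assumption.

```python
import hmac
from dataclasses import dataclass, field
from urllib.parse import quote, urlsplit


@dataclass
class Policy:
    min_client_version: int
    update_url: str
    patch_server_url: str
    passwords: dict = field(default_factory=dict)  # constructed sample store
    user_acl: dict = field(default_factory=dict)   # user name -> ACL rule ids


@dataclass
class Decision:
    accept: bool
    restricted: bool = False
    redirect_urls: list = field(default_factory=list)
    allowed_hosts: set = field(default_factory=set)  # the "restricted domain"
    acl_rules: list = field(default_factory=list)


def evaluate(policy, username, password, client_version, missing_patches):
    """Decide on one request carrying identity, client version and check result."""
    expected = policy.passwords.get(username)
    same = hmac.compare_digest((expected or "").encode(), password.encode())
    if expected is None or not same:
        return Decision(accept=False)            # identity check failed: reject

    urls = []
    # The version and check result are reported by the client agent, so a
    # missing report is treated as a failed check (assumption: fail closed).
    if client_version is None or client_version < policy.min_client_version:
        urls.append(policy.update_url)
    if missing_patches is None:
        urls.append(policy.patch_server_url)
    else:
        for name in missing_patches:
            # Patch page = patch server URL + patch name, as in Example 2.
            # The name comes from the client, so it is percent-encoded.
            urls.append(f"{policy.patch_server_url}.asp?id={quote(name, safe='')}")

    return Decision(
        accept=True,
        restricted=bool(urls),
        redirect_urls=urls,
        allowed_hosts={urlsplit(u).hostname for u in urls},
        acl_rules=list(policy.user_acl.get(username, [])),
    )


# Constructed sample policy using the values from Examples 1 to 3.
SAMPLE_POLICY = Policy(
    min_client_version=0x00000002,
    update_url="http://www.lianchuang.com/policv",
    patch_server_url="http://www.lianchuang.com/ServicePack",
    passwords={"example@internet": "sample-pass-1", "user2@internet": "sample-pass-2"},
    user_acl={"example@internet": [1]},
)
```

A restricted decision is what the access server in step 6 turns into access control toward the security server; `allowed_hosts` is the only destination set such a user should reach.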
802.1X authentication can provide security features such as mutual authentication and dynamic key management. IEEE 802.1x is a port-based authentication method: for each port (physical port or logical port) it defines a controlled sub-port and an uncontrolled sub-port. The uncontrolled sub-port is mainly used for authentication messages. The controlled sub-port is closed before authentication succeeds and is fully opened only after authentication succeeds, so that the user can communicate normally. What 802.1x solves is the authentication mechanism between the user and the network. 802.1x also defines a dynamic key negotiation and management mechanism that supports dynamic negotiation of multicast and unicast keys on the wireless port. The concrete authentication protocol of 802.1x is determined by the EAP method, and its architecture is very flexible: EAP methods such as EAP-TTLS, EAP-SIM, EAP-AKA and PEAP support mechanisms such as mutual authentication, anonymous transmission of user account information, and dynamic key negotiation and management. Authentication modes such as EAP-MD5 support one-way authentication.
The present invention uses the 802.1x access authentication method:
(1) The client initiates an 802.1x authentication request message, which is passed transparently through the layer-2 network to the access control device (BAS).
(2) The BAS, acting as RADIUS client, initiates an authentication request to the RADIUS server.
(3) If authentication succeeds, the BAS returns an 802.1x authentication success message to the client.
(4) The client initiates a DHCP address allocation request message.
(5) The layer-2 network passes the DHCP message through to the BAS.
(6) The BAS assigns an address to the client. The allocation policy for the client's IP address is specified by the RADIUS server in the authentication-success response message; if the RADIUS server does not specify an address allocation policy for the user, the policy is determined by the domain the user belongs to. The DHCP server responds to the user's DHCP request according to the user's address allocation policy and completes the IP address assignment for the client.
(7) Using the client's VLAN number and MAC address and the IP address assigned to the user, the BAS establishes the binding among VLAN, MAC and IP, generates the software VMI entry and the hardware flow-control entry, and sends accounting information to the RADIUS server. The user comes online and the VMI binding is established.
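The port behaviour described above (EAPOL always passes, the controlled port opens per VLAN+MAC after authentication, and the IP joins the binding after DHCP) can be modelled as a frame gate on the BAS. This is an added sketch, not code from the patent: the class and function names are hypothetical, the frames are constructed samples, and checking the source address against the binding is an assumption about how the VLAN-MAC-IP entry is used.

```python
import struct
from ipaddress import IPv4Address

ETH_8021Q, ETH_EAPOL, ETH_IPV4 = 0x8100, 0x888E, 0x0800


def parse_frame(frame):
    """Return (vlan, src_mac, ethertype, payload); one 802.1Q tag is handled."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src_mac = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, offset = None, 14
    if ethertype == ETH_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return vlan, src_mac, ethertype, frame[offset:]


class LogicalPort:
    """Per-user state keyed by VLAN+MAC; the IP is bound once DHCP completes."""

    def __init__(self):
        self.authorized = False
        self.ip = None           # IPv4Address after binding
        self.denied_dst = set()  # dynamic ACL delivered on authentication


class AccessController:
    def __init__(self):
        self.ports = {}  # (vlan, mac) -> LogicalPort

    def on_auth_success(self, vlan, mac, denied_dst=()):
        port = self.ports.setdefault((vlan, mac), LogicalPort())
        port.authorized = True
        port.denied_dst = {IPv4Address(d) for d in denied_dst}

    def bind_ip(self, vlan, mac, ip):
        port = self.ports.get((vlan, mac))
        if port is None or not port.authorized:
            raise PermissionError("no IP binding before authentication")
        port.ip = IPv4Address(ip)

    def on_logoff(self, vlan, mac):
        self.ports.pop((vlan, mac), None)

    def admit(self, frame):
        try:
            vlan, mac, ethertype, payload = parse_frame(frame)
        except ValueError:
            return "drop-malformed"
        if ethertype == ETH_EAPOL:
            return "pass-eapol"          # uncontrolled port: always open
        port = self.ports.get((vlan, mac))
        if port is None or not port.authorized:
            return "drop-unauthorized"   # controlled port still closed
        if ethertype != ETH_IPV4:
            return "forward"
        if len(payload) < 20:
            return "drop-malformed"
        src, dst = IPv4Address(payload[12:16]), IPv4Address(payload[16:20])
        if port.ip is None:
            # Before binding, only a DHCP client's unspecified source is expected.
            return "forward" if src == IPv4Address("0.0.0.0") else "drop-unbound-ip"
        if src != port.ip:
            return "drop-spoofed-ip"     # VLAN+MAC matches, IP does not
        if dst in port.denied_dst:
            return "drop-acl"
        return "forward"


def build_frame(src_mac, vlan, ethertype, payload=b""):
    """Constructed sample frame (broadcast destination) for trying the gate."""
    tag = struct.pack("!HH", ETH_8021Q, vlan) if vlan is not None else b""
    return b"\xff" * 6 + src_mac + tag + struct.pack("!H", ethertype) + payload


def ipv4_header(src, dst):
    """Minimal 20-byte IPv4 header; only the address fields are meaningful."""
    return bytes([0x45]) + bytes(11) + IPv4Address(src).packed + IPv4Address(dst).packed
```

Keying the state on VLAN and MAC together means the same MAC seen on another VLAN is a different, unauthenticated logical port.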

Claims (1)

1. A security authentication control method for terminal broadband access based on 802.1X, in which normally each user is in a VLAN of its own, isolated from the others; for 802.1x access, the authentication server is a RADIUS server, which can store the relevant user information; characterized in that the user's VLAN+MAC+IP binding is used as the logical port, and the client, the authentication system and the authentication server establish the authentication flow for the user's network access: 1) before authentication succeeds, the channel can pass only EAPOL 802.1X authentication messages; 2) when authentication succeeds, the state of the channel switches to authorized, and the user's information, such as VLAN, CAR parameters, priority and the user's access control list, can be delivered from the remote authentication server; 3) after authentication succeeds, the user's traffic is policed according to the above parameters, the channel can now pass any message, and a DHCP process takes place; 4) the client is a device that needs to access the LAN, supports the EAPOL protocol and runs 802.1X client software; the authentication system is a network device that supports the IEEE 802.1x protocol; the authentication system corresponds to the ports of different users (a physical port, or the VLAN+MAC+IP binding of the user device used as a logical port), each with two logical ports: a controlled port and an uncontrolled port; the uncontrolled port is always in a bidirectionally connected state and is mainly used to pass EAPOL protocol frames, which ensures that the client can always send or receive authentication messages; the controlled port is opened only in the authenticated state and is used to pass network resources and services; the controlled port can be configured in two modes, bidirectionally controlled or input-only controlled, to suit different application environments. If the user has not passed authentication, the controlled port is in the unauthenticated state and the user cannot access the services provided by the authentication system; after the user passes authentication, the authentication server passes the user's relevant information to the authentication system, the authentication system builds a dynamic access control list, and the user's subsequent traffic is policed according to the above parameters; the authentication server and the RADIUS server communicate over the EAP protocol. Before accessing the network, the user initiates an authentication request with 802.1x as described above. At this point TGATE must not only authenticate the user's identity but also check the security level of the terminal:
If user identity authentication fails, network access is not allowed;
If user identity authentication succeeds but the security level does not meet the requirements, the user can access only a very limited service area, and can only go to that service area to install patches and so on in order to raise the security level.
CN 200610085545 2006-06-21 2006-06-21 Safety identification control method based on 802.1 X terminal wideband switching-in Pending CN1889430A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200610085545 CN1889430A (en) 2006-06-21 2006-06-21 Safety identification control method based on 802.1 X terminal wideband switching-in


Publications (1)

Publication Number Publication Date
CN1889430A true CN1889430A (en) 2007-01-03

Family

ID=37578691

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200610085545 Pending CN1889430A (en) 2006-06-21 2006-06-21 Safety identification control method based on 802.1 X terminal wideband switching-in

Country Status (1)

Country Link
CN (1) CN1889430A (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20070103