WO2014177106A1 - Network access control method and system - Google Patents

Network access control method and system

Info

Publication number: WO2014177106A1
Authority: WO (WIPO, PCT)
Application number: PCT/CN2014/079248
Other languages: French (fr), Chinese (zh)
Prior art keywords: identification information, unique identification, terminal device, network, network management
Inventors: 卢安文, 李锐, 高为静
Original assignee: 中兴通讯股份有限公司 (ZTE Corporation)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/40 Arrangements for maintenance, administration or management of data switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
    • H04L47/00 Traffic control in data switching networks
    • H04L47/70 Admission control; Resource allocation
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys

Definitions

  • The present invention relates to network access control technologies, and in particular to a network access control method and system.
  • As wired and wireless networks converge further, wireless base stations in the LTE (Long Term Evolution) era will be deployed as large numbers of small base stations (Small Cells) to improve coverage. The backhaul network that carries a Small Cell to the core network is mostly deployed in enterprises and users' homes; it no longer traverses the operator's own bearer network but uses a public transport network to reach the operator's core network. The operator therefore has very high access-security requirements for Small Cells, and unauthorized base stations must not be allowed to access its core network.
  • For device security authentication, the 3rd Generation Partnership Project (3GPP) recommends IPSec (IP Security) to protect communication between the base station and the core network, while identity authentication between the base station and the security gateway (SeGW) is generally based on digital certificates.
  • Although IPSec satisfies the need for mutual authentication and encryption, it cannot handle the case where a digital certificate is stolen and then used to masquerade as a legitimate user: anyone holding the stolen certificate can pass the security gateway and reach the core network for unauthorized access or attacks.
  • The main purpose of the embodiments of the present invention is therefore to provide a network access control method and system that improves the security and legitimacy of terminal access to the network and is compatible with more key-exchange protocols.
  • An embodiment of the present invention provides a network access control method, the method comprising: a security authentication device receives the unique identification information of a terminal device; the security authentication device performs digital certificate authentication of the terminal device; after the digital certificate authentication passes, the unique identification information of the terminal device is authenticated and the access rights of the terminal are determined.
  • the method further includes: the network management device storing the unique identification information of each legal terminal device in batches, and establishing a unique identification information database.
  • the security authentication device receives the unique identification information of the terminal device, and includes: obtaining the unique identification information of the terminal device from the IKE message from the terminal device.
  • Authenticating the unique identification information of the terminal device and determining the access rights of the terminal comprises:
  • the security authentication device parses the received IKE packet, obtains the unique identification information of the terminal device from it, and sends the obtained unique identification information to the network management device; the network management device matches the received unique identification information against the unique identification information of each legal terminal device that it has pre-stored, and after a successful match confirms that the terminal device is allowed to access the network.
  • the unique identification information is a device unique identifier (Device ID) and/or a source IP address.
  • the embodiment of the present invention further provides a network access control system, where the system includes: a terminal device, a security authentication device, and a network management device;
  • the terminal device is configured to send its unique identification information to the security authentication device;
  • the security authentication device is configured to perform digital certificate authentication on the terminal device;
  • the network management device is configured to authenticate the unique identification information of the terminal device and determine the access rights of the terminal device.
  • the security authentication device is further configured to receive and parse the unique identification information of the terminal device, and to send the parsed unique identification information to the network management device after the digital certificate authentication has passed.
  • the network management device is further configured to store the unique identification information of each legal terminal device in batches and establish a unique identification information database.
  • the network management device is further configured to search the unique identification information database according to the received unique identification information and match it against the stored unique identification information; if the match succeeds, it determines that the terminal device is allowed to access the network; otherwise, it determines that the terminal device is denied access to the network.
  • Embodiments of the present invention also provide a computer storage medium in which computer executable instructions are stored, the computer executable instructions being used to perform the above method.
  • In the method and system provided, the terminal device sends its own unique identification information to the security authentication device, and the security authentication device performs digital certificate authentication of the terminal device; after the digital certificate authentication passes, the unique identification information of the terminal device is authenticated and the access rights of the terminal are determined.
  • This ensures that a terminal accessing the network has a valid identity, thereby improving the security and legitimacy of terminal access to the network.
  • The IKE technology involved in the embodiments of the present invention is compatible with both Internet Key Exchange version 2 (IKEv2) and Internet Key Exchange version 1 (IKEv1).
  • FIG. 1 is a schematic flowchart of the basic implementation of a network access control method according to an embodiment of the present invention.
  • FIG. 2 is a schematic flowchart of a network access control method according to one embodiment of the present invention.
  • FIG. 4 is a schematic structural diagram of a network access control system according to an embodiment of the present invention.
  • In the embodiments of the present invention, the terminal device sends its own unique identification information to the security authentication device; the security authentication device performs digital certificate authentication of the terminal device; after the digital certificate authentication passes, the unique identification information of the terminal device is authenticated and the access rights of the terminal device are determined.
  • Specifically, the terminal device may place its own unique identification information in an Internet Key Exchange (IKE) packet sent to the security authentication device.
  • The IKE packet may be an IKEv2 packet.
  • Authenticating the unique identification information of the terminal device and determining the access rights of the terminal device comprises: the security authentication device parses the received IKE packet, obtains the unique identification information of the terminal device from it, and sends the obtained unique identification information to the network management device; the network management device matches that unique identification information against the unique identification information of each legal terminal device that it has pre-stored, and after a successful match confirms that the terminal device is allowed to access the network.
  • The terminal device may be a small cell (Small Cell); the unique identification information may be a device unique identifier (Device ID) and/or the source IP address of the terminal device; the security authentication device may be a security gateway or a high-end router; the network management device may be a server or a computer with a network management function.
  • The network access control method includes:
  • Step 101: The terminal device sends its own unique identification information to the security authentication device.
  • The unique identification information may be of one or more kinds, namely a Device ID and/or a source IP address.
  • Specifically, the terminal device places its unique identification information in an IKE packet and sends the packet to the security authentication device.
  • In practice the IKE packet may be either an IKEv2 packet or an IKEv1 packet.
  • The method further includes: the network management device stores the unique identification information of each legal terminal device in batches and establishes a unique identification information database, so that the unique identification information of terminal devices that subsequently request access can be securely authenticated.
  • The security authentication device may be a security gateway or a high-end router.
  • The network management device may be a server or a computer with a network management function.
  • The terminal device may be a Small Cell.
  • Step 102: The security authentication device performs digital certificate authentication of the terminal device; after the digital certificate authentication passes, the unique identification information of the terminal device is authenticated and the access rights of the terminal device are determined.
  • The digital certificate authentication is performed as follows: the security authentication device carries out IKE negotiation with the terminal device and first authenticates the terminal device's digital certificate.
  • Authenticating the unique identification information of the terminal device and determining its access rights is: the security authentication device parses the received IKE packet, obtains the unique identification information of the terminal device from it, and sends the obtained unique identification information to the network management device; the network management device matches that unique identification information against the unique identification information of each legal terminal device that it has pre-stored, and after a successful match allows the terminal device to access the network.
  • the unique identifier information is a Device ID
  • the terminal device is a Small Cell
  • the security authentication device is a security gateway
  • Step 201: The network management device stores the Device ID of each legal Small Cell in batches and establishes a unique identification information database.
  • The network management device may be a server or a computer with a network management function. This step is pre-processing and may be performed at any time before the terminal device accesses the network.
  • Step 202: When the Small Cell needs to access the network, it fills its Device ID into an IKE packet and sends the packet to the security gateway.
  • The Device ID is carried in the IKE packet.
  • Step 203: The security gateway performs IKE negotiation with the Small Cell, first authenticates the Small Cell's digital certificate, and determines whether the authentication passes. If it passes, step 204 is performed; otherwise, step 208 is performed to end the current processing flow.
  • Step 204: The security gateway parses the Device ID from the IKE packet and sends the parsed Device ID to the network management device.
  • Steps 205 to 207: The network management device searches the unique identification information database and matches the received Device ID against the stored unique identification information to determine whether the match succeeds. If it succeeds, the access right of the Small Cell is determined as allowing it to access the core network; otherwise, the access right of the Small Cell is determined as denying it access to the core network, and step 208 is performed to end the current processing flow.
  • FIG. 3 is a schematic flowchart of a network access control method according to another embodiment of the present invention.
  • In this embodiment, the unique identification information is a Device ID and a source IP address;
  • the terminal device is a Small Cell;
  • the security authentication device is a security gateway;
  • the network access control method includes:
  • Step 301: The network management device stores the Device ID and source IP address of each legal Small Cell in batches and establishes a unique identification information database.
  • The network management device may be a server or a computer with a network management function. This step is pre-processing and may be performed at any time before the terminal device accesses the network.
  • Step 302: When the Small Cell needs to access the network, it fills its Device ID and source IP address into an IKE packet and sends the packet to the security gateway.
  • The Device ID is filled into the ID payload field of the IKE packet in the format recommended by 3GPP; the source IP address is placed in the source IP address field of the IKE packet, likewise in the format recommended by 3GPP.
  • The IKE packet may be an IKEv2 packet.
  • Step 303: The security gateway performs IKE negotiation with the Small Cell, first authenticates the Small Cell's digital certificate, and determines whether the authentication passes. If it passes, step 304 is performed; otherwise, step 308 is performed to end the current processing flow.
  • Step 304: The security gateway parses the Device ID and the source IP address from the IKE packet and sends them to the network management device.
  • Steps 305 to 307: The network management device searches the unique identification information database and matches the received Device ID and source IP address against the stored unique identification information to determine whether the match succeeds. If it succeeds, the access right of the Small Cell is determined as allowing it to access the core network; otherwise, the access right of the Small Cell is determined as denying it access to the core network, and step 308 is performed to end the current processing flow.
  • The embodiments of the present invention can be applied to, but are not limited to, various Small Cell communication scenarios, and apply equally to the Asymmetric Digital Subscriber Line (ADSL) broadband access scenario.
  • The network access control system includes a terminal device 40, a security authentication device 41 and a network management device 42;
  • the terminal device 40 is configured to send its own unique identification information to the security authentication device 41.
  • The sending is: filling its own unique identification information into an IKE packet;
  • the security authentication device 41 is configured to perform digital certificate authentication of the terminal device 40;
  • the network management device 42 is configured to authenticate the unique identification information of the terminal device 40 and determine the access rights of the terminal device 40.
  • The security authentication device 41 is further configured to receive and parse the unique identification information of the terminal device 40, and to send the parsed unique identification information to the network management device 42 after confirming that the digital certificate authentication has passed;
  • the security authentication device 41 is further configured to perform IKE negotiation with the terminal device 40.
  • The network management device 42 is further configured to store the unique identification information of each legal terminal device in batches and establish a unique identification information database.
  • The network management device 42 is further configured to search the unique identification information database according to the received unique identification information and match it against the stored unique identification information; if the match succeeds, it determines that the terminal device is allowed to access the network; otherwise, it determines that the terminal device is denied access to the network.
  • The unique identification information may be a Device ID and/or a source IP address; the security authentication device may be a security gateway or a high-end router; the network management device may be a server or a computer with a network management function; the terminal device may be a Small Cell.
  • the embodiment of the present invention further provides a computer storage medium, wherein computer executable instructions are stored, and the computer executable instructions are used to execute the method described in the foregoing embodiments.
  • Each of the above units may be implemented by a central processing unit (CPU), a digital signal processor (DSP) or a Field-Programmable Gate Array (FPGA) in the electronic device.
  • embodiments of the present invention can be provided as a method, system, or computer program product. Accordingly, the present invention can take the form of a hardware embodiment, a software embodiment, or a combination of software and hardware aspects. Moreover, the invention can take the form of a computer program product embodied on one or more computer usable storage media (including but not limited to disk storage and optical storage, etc.) in which computer usable program code is embodied.
  • the present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (system), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or FIG.
  • These computer program instructions can be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing device to produce a machine for the execution of instructions for execution by a processor of a computer or other programmable data processing device.
  • the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising the instruction device.
  • the apparatus implements the functions specified in one or more blocks of a flow or a flow and/or block diagram of the flowchart.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on a computer or other programmable device to produce computer-implemented processing for execution on a computer or other programmable device.
  • the instructions provide steps for implementing the functions specified in one or more of the flow or in a block or blocks of a flow diagram.
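The admission decision of steps 301 to 307 (digital certificate authentication at the security gateway first, then matching of the Device ID and source IP address against the whitelist held by the network management device), as an added example in Python that is not part of the patent or of ZTE's code. Certificate validation is simulated by a fingerprint trust list, an assumption standing in for X.509 path validation during IKE_AUTH; the class names, Device IDs and addresses are constructed for the illustration. The scenarios include the case the background section is concerned with: a valid certificate presented by a device whose identification is not registered is denied.

```python
"""Two-stage admission check from the patent's FIG. 3 flow (steps 301 to 307):
the security gateway (SeGW) authenticates the Small Cell's digital certificate
first, and only then forwards the Device ID and source IP taken from the IKE
exchange to the network management device (NMS), which matches both against a
pre-provisioned whitelist. Constructed illustration, not ZTE's implementation."""
from dataclasses import dataclass
from ipaddress import ip_address
import hashlib


@dataclass(frozen=True)
class LegalTerminal:
    device_id: str
    source_ip: str


class NetworkManagementDevice:
    """NMS role: stores legal terminals in batches (step 301), matches on request (steps 305-307)."""

    def __init__(self):
        self._db = set()  # the 'unique identification information database'

    def store_batch(self, terminals):
        for t in terminals:
            # normalise so that letter case or address formatting cannot cause a false mismatch
            self._db.add((t.device_id.lower(), str(ip_address(t.source_ip))))

    def authorize(self, device_id, source_ip):
        """Both fields must match one stored record; anything else, including a malformed address, is a deny."""
        try:
            key = (device_id.lower(), str(ip_address(source_ip)))
        except ValueError:
            return False
        return key in self._db


class SecurityGateway:
    """SeGW role: certificate authentication (step 303), then identity check via the NMS (step 304)."""

    def __init__(self, nms, trusted_fingerprints):
        self.nms = nms
        self.trusted = set(trusted_fingerprints)

    def _certificate_ok(self, cert_der):
        # Stand-in (assumption) for X.509 path validation during IKE_AUTH:
        # accept only certificates whose SHA-256 fingerprint is in the trust list.
        return hashlib.sha256(cert_der).hexdigest() in self.trusted

    def admit(self, cert_der, device_id, source_ip):
        if not self._certificate_ok(cert_der):
            return "deny: certificate authentication failed"      # step 303 fails -> step 308
        if self.nms.authorize(device_id, source_ip):
            return "allow"                                        # step 306
        return "deny: unique identification not registered"      # step 307


def run_scenarios():
    """Constructed scenarios; the stolen-certificate case is the one the patent targets."""
    legit_cert = b"constructed DER certificate of smallcell-0001"
    nms = NetworkManagementDevice()
    nms.store_batch([LegalTerminal("SMALLCELL-0001", "10.0.0.5"),
                     LegalTerminal("SMALLCELL-0002", "10.0.0.6")])
    segw = SecurityGateway(nms, [hashlib.sha256(legit_cert).hexdigest()])
    return {
        "registered cell": segw.admit(legit_cert, "smallcell-0001", "10.0.0.5"),
        "stolen certificate, unregistered device": segw.admit(legit_cert, "rogue-cell", "10.0.0.5"),
        "registered device, wrong source address": segw.admit(legit_cert, "smallcell-0001", "192.0.2.9"),
        "untrusted certificate": segw.admit(b"forged cert", "smallcell-0001", "10.0.0.5"),
    }


if __name__ == "__main__":
    for case, verdict in run_scenarios().items():
        print(f"{case}: {verdict}")
```

The ordering matters for the security property the patent claims: the whitelist lookup only ever runs for a peer that has already proven possession of a trusted certificate, so the NMS database cannot be probed by unauthenticated traffic, while a certificate alone is no longer sufficient because the registered Device ID and source address must also agree.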

Abstract

The present invention embodiment provides a network access control method, comprising: a security authentication device receives terminal device unique identification information and the security authentication device engages in digital certificate authentication in regard to the terminal device; following the digital certificate authentication, the terminal device unique identification information is authenticated and terminal device access permissions are determined. The present invention additionally provides a network access control system, comprising: a terminal device, configured for sending its own unique identification information to a security authentication device; a security authentication device, configured for engaging in digital certificate authentication in regard to the terminal device; a network management device, configured for authenticating the terminal device unique identification information and for determining terminal device access permissions.

Description

Network access control method and system

Technical field

The present invention relates to network access control technology, and in particular to a network access control method and system.

Background

As wired and wireless networks converge further, wireless base stations, especially in the era of fourth-generation (4G) Long Term Evolution (LTE), will be deployed as large numbers of small base stations (Small Cells) to improve coverage. The backhaul network that carries a Small Cell to the core network is mostly deployed in enterprises and users' homes; it no longer traverses the operator's own bearer network but uses a public transport network to reach the operator's core network. The operator therefore has very high access-security requirements for Small Cells, and unauthorized base stations must not be allowed to access its core network.

For device security authentication, the 3rd Generation Partnership Project (3GPP) recommends IPSec (IP Security) to protect communication between the base station and the core network, while identity authentication between the base station and the security gateway (SeGW) is generally based on digital certificates. Although IPSec satisfies the need for mutual authentication and encryption, it cannot handle the case where a digital certificate is stolen and then used to masquerade as a legitimate user: anyone holding the stolen certificate can pass the security gateway and reach the core network for unauthorized access or attacks.

Summary of the invention

In view of this, the main purpose of the embodiments of the present invention is to provide a network access control method and system that improves the security and legitimacy of terminal access to the network and is compatible with more key-exchange protocols.
To achieve the above objective, the technical solution of the embodiments of the present invention is implemented as follows:

An embodiment of the present invention provides a network access control method, the method comprising: a security authentication device receives the unique identification information of a terminal device; the security authentication device performs digital certificate authentication of the terminal device; after the digital certificate authentication passes, the unique identification information of the terminal device is authenticated and the access rights of the terminal are determined.

Preferably, the method further comprises: the network management device stores the unique identification information of each legal terminal device in batches and establishes a unique identification information database.

Preferably, the security authentication device receiving the unique identification information of the terminal device comprises: obtaining the unique identification information of the terminal device from an IKE packet sent by the terminal device.

Preferably, authenticating the unique identification information of the terminal device and determining the access rights of the terminal comprises:

the security authentication device parses the received IKE packet, obtains the unique identification information of the terminal device from it, and sends the obtained unique identification information to the network management device; the network management device matches the received unique identification information against the unique identification information of each legal terminal device that it has pre-stored, and after a successful match confirms that the terminal device is allowed to access the network.

Preferably, the unique identification information is a device unique identifier (Device ID) and/or a source IP address.
An embodiment of the present invention further provides a network access control system, the system comprising a terminal device, a security authentication device and a network management device, wherein:

the terminal device is configured to send its own unique identification information to the security authentication device; the security authentication device is configured to perform digital certificate authentication of the terminal device;

the network management device is configured to authenticate the unique identification information of the terminal device and determine the access rights of the terminal device.

Preferably, the security authentication device is further configured to receive and parse the unique identification information of the terminal device, and to send the parsed unique identification information to the network management device after confirming that the digital certificate authentication has passed.

Preferably, the network management device is further configured to store the unique identification information of each legal terminal device in batches and establish a unique identification information database.

Preferably, the network management device is further configured to search the unique identification information database according to the received unique identification information and match the received unique identification information against the unique identification information stored in the database; if the match succeeds, it determines that the terminal device is allowed to access the network; otherwise, it determines that the terminal device is denied access to the network.

An embodiment of the present invention further provides a computer storage medium storing computer-executable instructions, the computer-executable instructions being used to perform the above method.
本发明实施例所提供的网络接入控制方法和系统, 终端设备将自身的 唯一标识信息发送给安全认证设备, 安全认证设备对终端设备进行数字证 书的认证; 数字证书认证通过后, 对终端设备的唯一标识信息进行认证, 确定所述终端的接入权限。 如此, 能保证接入网络的终端有有效身份, 从 而提高终端接入网络的安全性和合法性; 并且,本发明实施例所涉及的 IKE 技术, 既可以兼容网际密钥交换协议版本 2 ( IKEv2, Internet key exchange version 2 ), 又可以兼容网际密钥交换协议版本 1 ( IKEvl , Internet key exchange version 1 )。 附图说明  The network access control method and system provided by the embodiment of the present invention, the terminal device sends its own unique identification information to the security authentication device, and the security authentication device performs digital certificate authentication on the terminal device; after the digital certificate authentication is passed, the terminal device The unique identification information is authenticated, and the access authority of the terminal is determined. In this way, the terminal accessing the network has a valid identity, thereby improving the security and legality of the terminal accessing the network. Moreover, the IKE technology involved in the embodiment of the present invention can be compatible with the Internet Key Exchange Protocol version 2 (IKEv2). , Internet key exchange version 2 ), and compatible with Internet Key Exchange Protocol version 1 ( IKEvl , Internet key exchange version 1 ). DRAWINGS
FIG. 1 is a schematic flowchart of the basic implementation of a network access control method according to an embodiment of the present invention;
FIG. 2 is a schematic flowchart of the implementation of a network access control method according to one embodiment of the present invention;
FIG. 3 is a schematic flowchart of the implementation of a network access control method according to another embodiment of the present invention;
FIG. 4 is a schematic diagram of the composition of a network access control system according to an embodiment of the present invention.

DETAILED DESCRIPTION
In the embodiments of the present invention: the terminal device sends its own unique identification information to the security authentication device; the security authentication device performs digital certificate authentication on the terminal device; after the digital certificate authentication has passed, the unique identification information of the terminal device is authenticated and the access permission of the terminal device is determined.
Specifically, the terminal device may place its own unique identification information in an Internet Key Exchange (IKE) message and send it to the security authentication device, where the IKE message may be an IKEv2 message;
Authenticating the unique identification information of the terminal device and determining the access permission of the terminal device includes: the security authentication device parses the received IKE message, obtains the unique identification information of the terminal device from the IKE message, and sends the obtained unique identification information to the network management device; the network management device matches this unique identification information against the unique identification information of each legitimate terminal device that it has stored in advance and, once the match succeeds, confirms that the terminal device is allowed to access the network.
The terminal device may be a wireless communication small base station (Small Cell); the unique identification information may be the device unique identifier (Device ID) and/or the source IP address of the terminal device; the security authentication device may be a security gateway or a high-end router; the network management device may be a server or a computer with network management functions.
The present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
FIG. 1 is a flowchart of the basic implementation of a network access control method according to an embodiment of the present invention. As shown in FIG. 1, the network access control method includes:
Step 101: the terminal device sends its own unique identification information to the security authentication device; here, the unique identification information may include one or more kinds, and may be the Device ID and/or the source IP address;
Here, the terminal device sending its own unique identification information to the security authentication device specifically means: the terminal device places its own unique identification information in an IKE message and sends it to the security authentication device, where in practice the IKE message may be either an IKEv2 message or an IKEv1 message;
Before the terminal device sends its own unique identification information to the security authentication device, the method further includes: the network management device stores the unique identification information of each legitimate terminal device in bulk and establishes a unique identification information database, so that security authentication of the unique identification information of terminal devices requesting access can subsequently be performed.
Here, the security authentication device may be a security gateway or a high-end router; the network management device may be a server or a computer with network management functions; the terminal device may be a Small Cell.
Step 102: the security authentication device performs digital certificate authentication on the terminal device; after the digital certificate authentication has passed, the unique identification information of the terminal device is authenticated and the access permission of the terminal device is determined;
Here, the security authentication device performing digital certificate authentication on the terminal device means: the security authentication device performs IKE negotiation with the terminal device and first authenticates the digital certificate of the terminal device.
Authenticating the unique identification information of the terminal device and determining the access permission of the terminal device specifically means: the security authentication device parses the received IKE message, obtains the unique identification information of the terminal device from the IKE message, and sends the obtained unique identification information to the network management device; the network management device matches this unique identification information against the unique identification information of each legitimate terminal device that it has stored in advance and, once the match succeeds, confirms that the terminal device is allowed to access the network.
FIG. 2 is a flowchart of the implementation of a network access control method according to one embodiment of the present invention. In this embodiment, the unique identification information is the Device ID, the terminal device is a Small Cell, and the security authentication device is a security gateway; as shown in FIG. 2, the network access control method of this embodiment includes:
Step 201: the network management device stores the Device ID of each legitimate Small Cell in bulk and establishes a unique identification information database;
Here, the network management device may be a server or a computer with network management functions; this step is preparatory processing and may be performed at any time before the terminal device accesses the network.
Step 202: when the Small Cell needs to access the network, it writes its own Device ID into an IKE message and sends the message to the security gateway;
Here, writing the Device ID into the IKE message means: writing the Device ID into the ID payload field of the IKE message in the format recommended by 3GPP, where the IKE message may be an IKEv2 message.
Step 203: the security gateway performs IKE negotiation with the Small Cell, first authenticates the digital certificate of the Small Cell and determines whether the authentication has passed; if the authentication passes, step 204 is performed; otherwise, step 208 is performed and the current processing flow ends.
Step 204: the security gateway parses the Device ID out of the IKE message and sends the parsed Device ID to the network management device;
Steps 205 to 207: the network management device searches the unique identification information database, matches the received Device ID against the unique identification information stored in the database and determines whether the match succeeds; if the match succeeds, the access permission of the Small Cell is determined as allowing the Small Cell to access the core network; otherwise, the access permission of the Small Cell is determined as denying the Small Cell access to the core network, and step 208 is performed to end the current processing flow.
FIG. 3 is a schematic flowchart of the implementation of a network access control method according to another embodiment of the present invention. In this embodiment, the unique identification information is the Device ID together with the source IP address, the terminal device is a Small Cell, and the security authentication device is a security gateway; as shown in FIG. 3, the flow of this network access control method includes:
Step 301: the network management device stores the Device ID and the source IP address of each legitimate Small Cell in bulk and establishes a unique identification information database;
Here, the network management device may be a server or a computer with network management functions; this step is preparatory processing and may be performed at any time before the terminal device accesses the network.

Step 302: when the Small Cell needs to access the network, it writes its own Device ID and source IP address into an IKE message and sends the message to the security gateway;
Here, writing the Device ID into the IKE message means: writing the Device ID into the ID payload field of the IKE message in the format recommended by 3GPP; writing the source IP address into the IKE message means: writing the source IP address into the source IP address field of the IKE message in the format recommended by 3GPP, where the IKE message may be an IKEv2 message.
Step 303: the security gateway performs IKE negotiation with the Small Cell, first authenticates the digital certificate of the Small Cell and determines whether the authentication has passed; if the authentication passes, step 304 is performed; otherwise, step 308 is performed and the current processing flow ends.
Step 304: the security gateway parses the Device ID and the source IP address out of the IKE message and sends the parsed Device ID and source IP address to the network management device.
Steps 305 to 307: the network management device searches the unique identification information database, matches the received Device ID and source IP address against the unique identification information stored in the database and determines whether the match succeeds; if the match succeeds, the access permission of the Small Cell is determined as allowing the Small Cell to access the core network; otherwise, the access permission of the Small Cell is determined as denying the Small Cell access to the core network, and step 308 is performed to end the current processing flow.
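An added worked model (not the patent's own code) of the admission flow in steps 301 to 307, which also covers the Device-ID-only case of steps 201 to 207: the gateway authenticates the certificate first and only then parses the IKEv2 ID payload and consults the network management database. Assumptions: the ID payload layout is that of RFC 7296; the "format recommended by 3GPP" is taken to be an FQDN-type identity; certificate authentication is reduced to a pinned SHA-256 fingerprint check; every device identifier, address and certificate value below is constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# IKEv2 Identification payload ID types (RFC 7296, section 3.5).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_KEY_ID = 11


def build_id_payload(id_type: int, ident: bytes) -> bytes:
    """Body of an IKEv2 ID payload after the generic payload header:
    1 byte ID Type, 3 RESERVED bytes (zero), then Identification Data."""
    return bytes([id_type]) + b"\x00\x00\x00" + ident


def parse_id_payload(data: bytes) -> Tuple[int, bytes]:
    """Inverse of build_id_payload; rejects truncated or non-conforming bodies."""
    if len(data) < 5:
        raise ValueError("ID payload too short")
    if data[1:4] != b"\x00\x00\x00":
        raise ValueError("RESERVED bytes must be zero")
    return data[0], data[4:]


def device_id_from_payload(data: bytes) -> str:
    """Step 304: extract the Device ID string from the IDi payload.
    Assumption: the Device ID travels as ID_FQDN; ID_KEY_ID is accepted as hex."""
    id_type, ident = parse_id_payload(data)
    if id_type == ID_FQDN:
        text = ident.decode("ascii")  # UnicodeDecodeError is a ValueError
        if not text.isprintable() or " " in text:
            raise ValueError("Device ID contains unexpected characters")
        return text
    if id_type == ID_KEY_ID:
        return ident.hex()
    raise ValueError("unsupported ID type %d" % id_type)


@dataclass(frozen=True)
class DeviceRecord:
    device_id: str
    source_ip: Optional[str] = None  # None: only the Device ID is registered (FIG. 2 case)


class NetworkManagement:
    """Network management device: bulk-loads the unique-identifier database
    (step 201/301) and matches requests against it (steps 205-207 / 305-307)."""

    def __init__(self, records: Iterable[DeviceRecord]):
        self._db: Dict[str, DeviceRecord] = {r.device_id: r for r in records}

    def admit(self, device_id: str, source_ip: Optional[str]) -> bool:
        rec = self._db.get(device_id)
        if rec is None:
            return False                   # unknown device: deny
        if rec.source_ip is None:
            return True                    # registered by Device ID alone
        return source_ip == rec.source_ip  # both identifiers must match


class SecurityGateway:
    """Security gateway: certificate authentication first, identity check second."""

    def __init__(self, nms: NetworkManagement, trusted_fingerprints: Set[str]):
        self.nms = nms
        self.trusted = trusted_fingerprints

    def certificate_authenticated(self, cert_der: bytes) -> bool:
        """Step 203/303, simplified to a pinned-fingerprint check; a real gateway
        validates the chain and the IKE_AUTH signature over the exchange."""
        return hashlib.sha256(cert_der).hexdigest() in self.trusted

    def handle_ike_auth(self, cert_der: bytes, idi_payload: bytes, source_ip: str) -> str:
        if not self.certificate_authenticated(cert_der):
            return "DENY:certificate"
        # Only an authenticated peer's IDi reaches the parser and the NMS (step 304),
        # so the database is never queried for an unauthenticated identity.
        try:
            device_id = device_id_from_payload(idi_payload)
        except ValueError as exc:
            return "DENY:malformed-id (%s)" % exc
        return "ALLOW" if self.nms.admit(device_id, source_ip) else "DENY:not-registered"


def demo() -> Dict[str, str]:
    """Run the flow on constructed data: two registered Small Cells, one pinned cert."""
    cert_ok = b"constructed DER certificate of smallcell-0001"  # constructed, not a real cert
    cert_bad = b"constructed DER certificate of an unknown device"
    nms = NetworkManagement([
        DeviceRecord("smallcell-0001.constructed.example", "10.1.2.3"),  # FIG. 3: ID + IP
        DeviceRecord("smallcell-0002.constructed.example"),              # FIG. 2: ID only
    ])
    gw = SecurityGateway(nms, {hashlib.sha256(cert_ok).hexdigest()})
    idi_1 = build_id_payload(ID_FQDN, b"smallcell-0001.constructed.example")
    idi_2 = build_id_payload(ID_FQDN, b"smallcell-0002.constructed.example")
    idi_x = build_id_payload(ID_KEY_ID, bytes.fromhex("deadbeef"))
    idi_bad = b"\x02\x00\x00\x01abc"  # RESERVED bytes not zero
    return {
        "id_and_ip_match": gw.handle_ike_auth(cert_ok, idi_1, "10.1.2.3"),
        "ip_mismatch": gw.handle_ike_auth(cert_ok, idi_1, "10.9.9.9"),
        "id_only_record": gw.handle_ike_auth(cert_ok, idi_2, "192.0.2.7"),
        "untrusted_cert": gw.handle_ike_auth(cert_bad, idi_1, "10.1.2.3"),
        "unregistered_key_id": gw.handle_ike_auth(cert_ok, idi_x, "10.1.2.3"),
        "malformed_payload": gw.handle_ike_auth(cert_ok, idi_bad, "10.1.2.3"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-20s %s" % (case, verdict))
```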
It should be noted that the embodiments of the present invention may be applied to, but are not limited to, various Small Cell communication scenarios; they apply equally to scenarios such as Asymmetric Digital Subscriber Line (ADSL) broadband access.
FIG. 4 is a schematic diagram of the composition of a network access control system according to an embodiment of the present invention. As shown in FIG. 4, the network access control system includes a terminal device 40, a security authentication device 41 and a network management device 42, where:
the terminal device 40 is configured to send its own unique identification information to the security authentication device 41; here, the sending means writing its own unique identification information into an IKE message and sending that message;
the security authentication device 41 is configured to perform digital certificate authentication on the terminal device 40;
the network management device 42 is configured to authenticate the unique identification information of the terminal device 40 and determine the access permission of the terminal device 40.
Further, the security authentication device 41 is further configured to receive and parse the unique identification information of the terminal device 40 and, after confirming that the digital certificate authentication has passed, to send the parsed unique identification information to the network management device 42;
the security authentication device 41 is further configured to perform IKE negotiation with the terminal device 40.
The network management device 42 is further configured to store the unique identification information of each legitimate terminal device in bulk and to establish a unique identification information database.
The network management device 42 is further configured to search the unique identification information database according to the received unique identification information and to match the received unique identification information against the unique identification information stored in the database; if the match succeeds, it determines that the terminal device is allowed to access the network; otherwise, it determines that the terminal device is denied access to the network;
where the unique identification information may be the Device ID and/or the source IP address; the security authentication device may be a security gateway or a high-end router; the network management device may be a server or a computer with network management functions; the terminal device may be a Small Cell.
An embodiment of the present invention further provides a computer storage medium storing computer-executable instructions, the computer-executable instructions being used to perform the method described in the above embodiments.
Each of the above units may be implemented by a central processing unit (CPU), a digital signal processor (DSP) or a field-programmable gate array (FPGA) in an electronic device.
Those skilled in the art will understand that the embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.

The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus, which implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
The above is only a preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention.

Claims

1. A network access control method, wherein the method includes:
a security authentication device receiving unique identification information of a terminal device;
the security authentication device performing digital certificate authentication on the terminal device;
after the digital certificate authentication has passed, authenticating the unique identification information of the terminal device and determining the access permission of the terminal.
2. The method according to claim 1, wherein the method further includes: the network management device storing the unique identification information of each legitimate terminal device in bulk and establishing a unique identification information database.
3. The method according to claim 1, wherein the security authentication device receiving the unique identification information of the terminal device includes:
obtaining the unique identification information of the terminal device from an IKE message from the terminal device.
4. The method according to claim 3, wherein authenticating the unique identification information of the terminal device and determining the access permission of the terminal includes:
the security authentication device parsing the received IKE message, obtaining the unique identification information of the terminal device from the IKE message and sending the obtained unique identification information to a network management device; the network management device matching the received unique identification information against the unique identification information of each legitimate terminal device that it has stored in advance and, once the match succeeds, confirming that the terminal device is allowed to access the network.
5. The method according to any one of claims 1 to 4, wherein the unique identification information is a device unique identifier (Device ID) and/or a source IP address.
6. A network access control system, wherein the system includes a terminal device, a security authentication device and a network management device, where:
the terminal device is configured to send its own unique identification information to the security authentication device; the security authentication device is configured to perform digital certificate authentication on the terminal device;
the network management device is configured to authenticate the unique identification information of the terminal device and determine the access permission of the terminal device.
7. The system according to claim 6, wherein the security authentication device is further configured to receive and parse the unique identification information of the terminal device and, after confirming that the digital certificate authentication has passed, to send the parsed unique identification information to the network management device.
8. The system according to claim 6, wherein the network management device is further configured to store the unique identification information of each legitimate terminal device in bulk and to establish a unique identification information database.
9. The system according to claim 8, wherein the network management device is further configured to search the unique identification information database according to the received unique identification information and to match the received unique identification information against the unique identification information stored in the database; if the match succeeds, it determines that the terminal device is allowed to access the network; otherwise, it determines that the terminal device is denied access to the network.
10. The system according to any one of claims 6 to 9, wherein the unique identification information is a Device ID and/or a source IP address.
11. A computer storage medium storing computer-executable instructions, the computer-executable instructions being used to perform the method according to any one of claims 1 to 5.
PCT/CN2014/079248 2013-09-26 2014-06-05 Network access control method and system WO2014177106A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310461292.4 2013-09-26
CN201310461292.4A CN104518874A (en) 2013-09-26 2013-09-26 Network access control method and system

Publications (1)

Publication Number Publication Date
WO2014177106A1 true WO2014177106A1 (en) 2014-11-06

Family

ID=51843180

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/079248 WO2014177106A1 (en) 2013-09-26 2014-06-05 Network access control method and system

Country Status (2)

Country Link
CN (1) CN104518874A (en)
WO (1) WO2014177106A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105847234A (en) * 2016-03-11 2016-08-10 中国联合网络通信集团有限公司 Suspicious terminal access pre-warning method, gateway management platform and gateway device
CN115086085A (en) * 2022-08-19 2022-09-20 南京华盾电力信息安全测评有限公司 New energy platform terminal security access authentication method and system

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106454836B (en) * 2015-08-06 2021-12-31 中兴通讯股份有限公司 Method and device for enhancing use safety of equipment certificate
CN106603461A (en) * 2015-10-14 2017-04-26 阿里巴巴集团控股有限公司 Business authentication method, apparatus and system
CN109379354A (en) * 2018-10-10 2019-02-22 小雅智能平台(深圳)有限公司 A kind of methods, devices and systems for binding smart machine

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1863048A (en) * 2005-05-11 2006-11-15 中兴通讯股份有限公司 Method of internet key exchange consultation between user and cut-in apparatus
CN101064611A (en) * 2006-04-24 2007-10-31 维豪信息技术有限公司 Application integration method based on register and call control
WO2013109417A2 (en) * 2012-01-18 2013-07-25 Zte Corporation Notarized ike-client identity and info via ike configuration payload support

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN200941622Y (en) * 2006-06-19 2007-08-29 福建星网锐捷网络有限公司 Network authentication authorization system and used exchanger thereof
CN101656738B (en) * 2009-09-22 2012-10-03 中兴通讯股份有限公司 Method and device for verifying terminal accessed to network
CN102984173B (en) * 2012-12-13 2017-02-22 迈普通信技术股份有限公司 Network access control method and system

Also Published As

Publication number Publication date
CN104518874A (en) 2015-04-15

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14791892

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14791892

Country of ref document: EP

Kind code of ref document: A1