WO2016206227A1 - Access control method and device - Google Patents


Info

Publication number
WO2016206227A1
Authority
WO
WIPO (PCT)
Prior art keywords
mac address
access
whitelist
white list
access control
Application number
PCT/CN2015/091304
Other languages
French (fr)
Chinese (zh)
Inventor
孟苑
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司 (ZTE Corporation)
Publication of WO2016206227A1

Classifications

    • H04W 12/08 Access security (under H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04L 63/10 Network security architectures or protocols for controlling access to devices or network resources
    • H04W 48/02 Access restriction performed under specific conditions (under H04W 48/00 Access restriction; Network selection; Access point selection)
    • H04L 63/0876 Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/1458 Countermeasures against malicious traffic: Denial of Service
    • H04W 12/06 Authentication
    • H04W 12/12 Detection or prevention of fraud
    • H04L 63/0236 Filtering policies: filtering by address, protocol, port number or service, e.g. IP address or URL

Definitions

  • This document relates to the field of wireless access control, and more particularly to an access control method and apparatus.
  • Wireless Fidelity (Wi-Fi) is a network transmission standard intended to improve interoperability between wireless network products based on IEEE 802.11. By converting wired signals into high-frequency radio signals, it connects terminals such as personal computers and handheld devices (iPad, mobile phones) wirelessly. It has the advantages of high transmission speed, low transmit power and freedom from cabling constraints, and meets the needs of an information society, but it also has the disadvantages of poor transmission quality and low data security.
  • ARP: Address Resolution Protocol
  • WEP: Wired Equivalent Privacy
  • the technical problem to be solved by the present invention is to provide an access control method and apparatus to improve the usage rate of a wireless network.
  • An access control method includes: receiving an access request sent from a MAC address;
  • if the access request is received outside a fixed time zone that has been set, matching the MAC address that sent the access request against the MAC addresses in a static whitelist that has been set; when the MAC address matches a MAC address in the static whitelist, allowing the MAC address to access; when the MAC address has no matching entry in the static whitelist, blocking the access request;
  • if the access request is received within the fixed time zone that has been set, filtering out the MAC addresses without authority according to the static whitelist, placing all MAC addresses without authority in the fixed time zone into a quasi-whitelist, and setting temporary use rights for the MAC addresses in the quasi-whitelist.
  • the step of setting temporary usage rights for the MAC address in the quasi-white list includes:
  • the maximum number of allowed access times and the maximum usage duration are set for the MAC address in the quasi-white list.
  • the storage format of the MAC address information in the quasi-white list may be expressed as: identifier + access time + disconnection time + access times + cumulative network access duration.
  • the method further includes: when the access count of a MAC address reaches the maximum number of allowed accesses, or its usage duration reaches the maximum usage duration, or both, cancelling the temporary use right of that MAC address or deleting the MAC address directly.
  • the method further includes: setting a minimum usage value for the access count;
  • the number of times each MAC address in the quasi-whitelist is used is monitored, and when the access count of a MAC address within a preset time is less than the minimum usage value, the temporary use right of that MAC address is cancelled or the MAC address is deleted directly.
  • the method further includes: after the temporary use right of a MAC address is cancelled, reporting to the administrator that the temporary use right of the MAC address has been cancelled; based on the usage of that MAC address, the administrator either activates the MAC address, i.e. sets it as a legitimate user, or continues to treat it as an illegal user.
  • the step of cancelling the temporary use right of the MAC address includes changing the identifier of the MAC address from permit. to deny.
  • An access control device comprising a receiving unit, a determining unit, a whitelist matching unit, a quasi-whitelist processing unit and a rights management unit, wherein
  • the receiving unit is configured to receive an access request sent from a MAC address;
  • the determining unit is configured to determine whether the time at which the receiving unit received the access request falls within a fixed time zone that has been set; if not, it notifies the whitelist matching unit; if so, it notifies the quasi-whitelist processing unit;
  • the whitelist matching unit is configured to match the access MAC address that sent the access request against the MAC addresses in the static whitelist that has been set; when the access MAC address matches a MAC address in the static whitelist, it allows the MAC address to access; when the access MAC address has no matching entry in the static whitelist, it blocks the access request of that MAC address;
  • the quasi-whitelist processing unit is configured to filter out the MAC addresses without authority according to the static whitelist and to place all MAC addresses without authority in the fixed time zone into the quasi-whitelist;
  • the rights management unit is configured to set temporary use rights for the MAC addresses in the quasi-whitelist.
  • the rights management unit is configured to set temporary use rights for the MAC addresses in the quasi-whitelist as follows: setting a maximum number of allowed accesses and a maximum usage duration for the MAC addresses in the quasi-whitelist.
  • the rights management unit is further configured to represent the storage format of the MAC address information in the quasi-whitelist as: identifier + access time + disconnection time + access count + cumulative network access duration.
  • the rights management unit is further configured to: when the access count of a MAC address reaches the maximum number of allowed accesses, or its usage duration reaches the maximum usage duration, or both, cancel the temporary use right of that MAC address or delete the MAC address directly.
  • the rights management unit is further configured to set a minimum usage value for the access count;
  • the rights management unit monitors the number of times each MAC address in the quasi-whitelist is used, and when the access count of a MAC address within a preset time is less than the minimum usage value, cancels the temporary use right of that MAC address or deletes the MAC address directly.
  • the rights management unit is configured to cancel the temporary use right of a MAC address by changing its identifier from permit. to deny.
  • the device may further include an unauthorized alarm unit, wherein
  • the unauthorized alarm unit is configured to: after the temporary use right of a MAC address is cancelled, report to the administrator that the temporary use right of that MAC address has been cancelled.
  • a computer program comprising program instructions that, when executed by a computer, cause the computer to perform any of the above described access control methods.
  • the embodiment of the present invention opens access only to legitimate users during working hours and important periods, and grants temporary access to users other than legitimate users in other periods, so that the utilization of the network is improved.
  • FIG. 1 is an overall architectural view of an embodiment of the present invention
  • FIG. 2 is a flowchart of an access control method according to an embodiment of the present invention.
  • FIG. 3 is a flowchart of processing for a quasi-white list according to an application example of the present invention.
  • FIG. 4 is a flowchart of a process after a MAC address in a quasi-white list is canceled for temporary use according to an application example of the present invention
  • FIG. 5 is a schematic structural diagram of an access control apparatus according to an embodiment of the present invention.
  • FIG. 1 is a schematic diagram of an overall architecture of a wireless access control system according to the present invention.
  • in the embodiment of the present invention, the processing of fixed-list authority judgement, statistics and transmission of MAC address information is as follows:
  • Step 201: the wireless routing device receives an access request sent from a terminal MAC address.
  • Step 202: if the wireless routing device receives the access request outside the fixed time zone that has been set, it matches the access MAC address of the request against the MAC addresses in the static whitelist that has been set. When the access MAC address matches a MAC address in the static whitelist, the MAC address is allowed to access; its access right is recognised automatically and its usage is not recorded. When the access MAC address has no match in the static whitelist, it is identified as an illegal MAC address in the blacklist and the access request is blocked.
  • Step 203: if the wireless routing device receives the access request within the fixed time zone that has been set, it filters out the MAC addresses without authority according to the static whitelist, records and counts the access information of those MAC addresses, and places all MAC addresses without authority in the fixed time zone into the quasi-whitelist.
  • the fixed time zone that has been set generally refers to a period outside working hours or an unimportant period; conversely, the time outside the fixed time zone refers to working hours or important periods. During working hours and important periods only legitimate users are granted access, while in other periods temporary access is granted to users other than legitimate users, which improves network utilization.
  • the method further includes setting temporary use rights for the MAC addresses in the quasi-whitelist.
  • the step of setting temporary use rights for the MAC addresses in the quasi-whitelist includes setting a maximum number of allowed accesses and a maximum usage duration for them.
  • the storage format of the MAC address information in the quasi-whitelist may be expressed as: identifier + access time + disconnection time + access count + cumulative network access duration.
  • the method further includes: when the access count of a MAC address reaches the maximum number of allowed accesses, or its usage duration reaches the maximum usage duration, or both, cancelling the temporary use right of that MAC address or deleting the MAC address directly.
  • the method further includes setting a minimum usage value for the access count;
  • the number of times each MAC address in the quasi-whitelist is used is monitored, and when the access count of a MAC address within a preset time is less than the minimum usage value, the temporary use right of that MAC address is cancelled or the MAC address is deleted directly.
  • when the access count of a MAC address within a certain time range is smaller than the preset value of the permission change module, the permission change module can clear that MAC address automatically, which improves the efficiency of the database.
  • the method further includes: after the temporary use right of a MAC address is cancelled, reporting to the administrator that the temporary use right of the MAC address has been cancelled; based on the usage of that MAC address, the administrator either activates the MAC address, i.e. sets it as a legitimate user, or continues to treat it as an illegal user.
  • the step of cancelling the temporary use right of the MAC address includes changing the identifier of the MAC address from permit. to deny.
  • the third step generates a relatively dynamic whitelist, the quasi-whitelist, so that potentially legitimate users can obtain temporary access.
  • the method for processing a quasi-white list in the embodiment of the present invention is as follows:
  • Step 301: according to the maximum number of allowed accesses and the maximum duration value, the rights management unit determines whether any MAC address record in the quasi-whitelist exceeds the preset limits; the allowed access count and the maximum duration are preset data.
  • a MAC address within the limits has temporary access rights; if one or both values for a MAC address exceed the preset limits, the temporary use right of that MAC address is cancelled.
  • the access count of a MAC address and the duration of each access accumulate gradually.
  • Step 302: when a MAC address in the quasi-whitelist is first granted temporary permission (identifier permit.), the rights management unit sets its access count to 1; as the data is continuously updated, this value, like the cumulative network access duration, moves closer and closer to the critical point monitored by the rights management unit. The data the unit reads can also be stored in a format that is faster to read.
  • Step 303: when either of the two values reaches its preset value first, the rights management unit changes the identifier of the MAC address from permit. to deny., and temporarily prohibits the access requests and the use permission of that MAC address.
  • the rights management unit may also monitor how often each MAC address is used: when the access count of a MAC address within a predetermined time is less than the preset minimum access count, the temporary use right of the MAC address is cancelled or the MAC address is deleted directly.
  • an active strategy is thus used to defend against attacks from potentially illegal users.
  • weaknesses of network users and of the access control system can be found effectively, which provides an opportunity to improve technical standards.
  • the two modules created in this process are connected to each other, with a clear division of labour.
  • the privilege identification module determines and identifies the privilege of a MAC address and has the functions of data statistics and storage; the privilege change module is responsible for monitoring the data, performing the privilege change and freeze actions, and automatically clearing the MAC address information records of users who have not used the wireless service for a long time.
  • the processing method is as follows:
  • Step 401: when the rights management unit changes the authority of a MAC address from permit. to deny., the unauthorized alarm unit is notified at the same time; from the received simple reminder the unauthorized alarm unit can determine the status and location of the MAC address and extract the required MAC address information from the rights management unit.
  • the information extracted for the MAC address can be expressed as: identifier/deny.
  • Step 402: the unauthorized alarm unit further sorts the extracted information and sends it to the administrator as a short message; the format may be: freeze MAC address/freeze time + processing opinion (a reply of 1 means thaw, a reply of 0 means mask).
  • Step 403: if the administrator believes the user of the MAC address is legitimate, the activation notification unit receives a short message reply of 1; on receiving this instruction it immediately deletes the unauthorized record of the MAC address and activates its access permission. If the administrator believes the user of the MAC address is still illegal, the MAC address continues to be treated as an illegal user.
  • the above three steps implement the handling of a permission change event, providing evidence, a choice and time for deciding the legitimacy of an individual MAC address.
  • they also provide a quick way to reply by short message and settle the legitimacy of an individual MAC address with one key, which greatly simplifies actual operation and reduces the probability of misjudgement by the access control system.
  • FIG. 5 it is a schematic structural diagram of an access control apparatus according to an embodiment of the present invention.
  • the apparatus includes: a receiving unit 501, a determining unit 502, a whitelist matching unit 503, a whitelisting processing unit 504, and a rights management unit 505.
  • the receiving unit 501 is configured to: receive an access request sent by a terminal MAC address;
  • the determining unit 502 is configured to determine whether the time at which the receiving unit received the access request falls within the fixed time zone that has been set; if not, it notifies the whitelist matching unit; if so, it notifies the quasi-whitelist processing unit;
  • the whitelist matching unit 503 is configured to match the access MAC address that sent the access request against the MAC addresses in the static whitelist that has been set; when the access MAC address matches a MAC address in the static whitelist, it allows the MAC address to access; when the access MAC address has no match in the static whitelist, it determines the MAC address to be an illegal MAC address and masks its access request;
  • the quasi-whitelist processing unit 504 is configured to filter out the MAC addresses without authority according to the static whitelist, record and count the access information of those MAC addresses, and place all MAC addresses without authority in the fixed time zone into the quasi-whitelist;
  • the rights management unit 505 is configured to set temporary use rights for the MAC addresses in the quasi-whitelist.
  • the rights management unit 505 is configured to set temporary use rights for the MAC addresses in the quasi-whitelist as follows: setting a maximum number of allowed accesses and a maximum usage duration for the MAC addresses in the quasi-whitelist.
  • the rights management unit 505 is further configured to represent the storage format of the MAC address information in the quasi-whitelist as: identifier/access time/disconnection time/access count/cumulative network access duration.
  • the rights management unit 505 is further configured to: when the access count of a MAC address reaches the maximum number of allowed accesses, or its usage duration reaches the maximum usage duration, or both, cancel the temporary use right of that MAC address or delete the MAC address directly.
  • the rights management unit 505 is further configured to set a minimum usage value for the access count;
  • the rights management unit 505 monitors the number of times each MAC address in the quasi-whitelist is used, and when the access count of a MAC address within a preset time is less than the minimum usage value, cancels the temporary use right of that MAC address or deletes the MAC address directly.
  • the device may further include an unauthorized alarm unit 506.
  • after the temporary use right of a MAC address is cancelled, the unauthorized alarm unit 506 reports to the administrator that the temporary use right of the MAC address has been cancelled; based on the usage of that MAC address, the administrator either sets the MAC address as a legitimate user or continues to treat the MAC address as an illegal user.
  • the embodiment of the invention also discloses a computer program, comprising program instructions, which when executed by a computer, enable the computer to execute any of the above access control methods.
  • the embodiment of the invention also discloses a carrier carrying the computer program.
  • the embodiment of the present invention opens access only to legitimate users during working hours and important periods, and grants temporary access to users other than legitimate users in other periods, so that the utilization of the network is improved. The present invention therefore has strong industrial applicability.

Abstract

An access control method and device, the method includes: receiving an access request sent by an MAC address; if receiving the access request out of a preset fixed time area, matching the MAC address sending the access request with the MAC addresses in a preset static white list; when the MAC address matches an MAC address in the static white list, permitting the MAC address to access; when there is no matching item for the MAC address in the static white list, shielding the access request; if receiving the access request in the preset fixed time area, filtering the MAC address without authority according to the static white list, and putting all MAC addresses without authority in the fixed time area into a quasi white list, and setting temporary use authority for MAC addresses in the quasi white list. The above technical solution improves utilization of a wireless network.

Description

Access control method and device
Technical field
This document relates to the field of wireless access control, and more particularly to an access control method and apparatus.
Background
Wireless Fidelity (Wi-Fi) is a network transmission standard intended to improve interoperability between wireless network products based on IEEE 802.11. By converting wired signals into high-frequency radio signals, it connects terminals such as personal computers and handheld devices (iPad, mobile phones) wirelessly. It has the advantages of high transmission speed, low transmit power and freedom from cabling constraints, and meets the needs of an information society, but it also has the disadvantages of poor transmission quality and low data security.
Objectively speaking, because the current standard neglects the protection of wireless management frames, the security of wireless links in public places is very low. In this situation the access control system of a wireless router that shares resources is easily deceived by forged Address Resolution Protocol (ARP) traffic. ARP spoofing first modifies the Media Access Control (MAC) address, i.e. spoofs the MAC address, and then cracks the key of the Wired Equivalent Privacy (WEP) protocol; by this means an unauthorized user can bypass an access control system based on MAC address filtering, illegally obtain the independent authentication of the wireless sub-network, enter the whitelist of the access control system and freeload on the network.
Rather than single-mindedly restricting the use of the network by such illegal users, it is better to give them a certain "opportunity" to use it.
Summary of the invention
The technical problem to be solved by the present invention is to provide an access control method and apparatus that improve the utilization of a wireless network.
To solve the above technical problem, the following technical solution is adopted:
An access control method includes:
receiving an access request sent from a MAC address;
if the access request is received outside a fixed time zone that has been set, matching the MAC address that sent the access request against the MAC addresses in a static whitelist that has been set; when the MAC address matches a MAC address in the static whitelist, allowing the MAC address to access; when the MAC address has no matching entry in the static whitelist, blocking the access request;
if the access request is received within the fixed time zone that has been set, filtering out the MAC addresses without authority according to the static whitelist, placing all MAC addresses without authority in the fixed time zone into a quasi-whitelist, and setting temporary use rights for the MAC addresses in the quasi-whitelist.
Optionally, the step of setting temporary use rights for the MAC addresses in the quasi-whitelist includes:
setting a maximum number of allowed accesses and a maximum usage duration for the MAC addresses in the quasi-whitelist.
Optionally, the storage format of the MAC address information in the quasi-whitelist may be expressed as: identifier + access time + disconnection time + access count + cumulative network access duration.
Optionally, the method further includes: when the access count of a MAC address reaches the maximum number of allowed accesses, or its usage duration reaches the maximum usage duration, or its access count reaches the maximum number of allowed accesses and its usage duration reaches the maximum usage duration, cancelling the temporary use right of that MAC address or deleting the MAC address directly.
Optionally, the method further includes: setting a minimum usage value for the access count;
monitoring the number of times each MAC address in the quasi-whitelist is used, and when the access count of a MAC address within a preset time is less than the minimum usage value, cancelling the temporary use right of that MAC address or deleting the MAC address directly.
Optionally, the method further includes: after the temporary use right of a MAC address is cancelled, reporting to the administrator that the temporary use right of the MAC address has been cancelled; based on the usage of that MAC address, the administrator either activates the MAC address, i.e. sets it as a legitimate user, or continues to treat the MAC address as an illegal user.
Optionally, the step of cancelling the temporary use right of the MAC address includes:
changing the identifier of the MAC address from permit. to deny.
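The method claimed above, together with Steps 201-203, 301-303 and 401-403 of the embodiment described earlier on this page, can be modelled end to end. The following Python is an added example written for this page; it is not code from the patent or from 中兴通讯股份有限公司. The fixed time zone (18:00 to 08:00, taken as off-hours), the thresholds, the lower-cased MAC keys, the first_seen field used for the minimum-usage check and the wording of the short message are assumptions; the record fields and the permit./deny. identifiers are the page's own.

```python
# Added example for this page, not code from the patent. Window, thresholds,
# first_seen and the message wording are assumptions; see the lead-in.
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, List, Optional

PERMIT, DENY = "permit.", "deny."      # identifiers used in the description


@dataclass
class QuasiEntry:
    """Quasi-whitelist record: identifier / access time / disconnection time /
    access count / cumulative duration. first_seen is an added field (assumption)."""
    first_seen: datetime
    identifier: str = PERMIT
    access_time: Optional[datetime] = None
    disconnect_time: Optional[datetime] = None
    access_count: int = 0
    total_seconds: int = 0

    def to_line(self, mac: str) -> str:
        """Serialise in the slash-separated storage format of the FIG. 5 description."""
        def stamp(t: Optional[datetime]) -> str:
            return t.strftime("%Y-%m-%dT%H:%M") if t else "-"
        return "/".join([mac, self.identifier, stamp(self.access_time),
                         stamp(self.disconnect_time), str(self.access_count),
                         str(self.total_seconds)])


class AccessController:
    def __init__(self, static_whitelist, window_start: time, window_end: time,
                 max_count: int, max_seconds: int, min_count: int, min_period: timedelta):
        self.static = {m.lower() for m in static_whitelist}
        self.window = (window_start, window_end)   # the fixed time zone (assumed off-hours)
        self.max_count, self.max_seconds = max_count, max_seconds
        self.min_count, self.min_period = min_count, min_period
        self.quasi: Dict[str, QuasiEntry] = {}
        self.frozen: Dict[str, datetime] = {}       # MACs handed to the alarm unit, with freeze time

    def in_fixed_window(self, at: datetime) -> bool:
        start, end = self.window
        t = at.time()
        if start <= end:
            return start <= t < end
        return t >= start or t < end                # window wraps midnight, e.g. 18:00-08:00

    def request(self, mac: str, at: datetime) -> str:
        """Steps 201-203: 'allow' (static list), 'block', or 'temporary' (quasi-whitelist)."""
        mac = mac.lower()
        if mac in self.static:                      # legitimate user; usage is not tracked
            return "allow"
        if not self.in_fixed_window(at):            # outside the window only the static list counts
            return "block"
        entry = self.quasi.setdefault(mac, QuasiEntry(first_seen=at))
        if entry.identifier == DENY:
            return "block"
        entry.access_count += 1                     # Step 302: the first grant counts as 1
        entry.access_time, entry.disconnect_time = at, None
        if entry.access_count > self.max_count:     # assumption: max_count accesses are admitted
            return self._deny(mac, entry, at)
        return "temporary"

    def disconnect(self, mac: str, at: datetime) -> None:
        """Close the session, accumulate its duration and apply the duration limit (Step 303)."""
        entry = self.quasi.get(mac.lower())
        if entry and entry.access_time and entry.disconnect_time is None:
            entry.disconnect_time = at
            entry.total_seconds += int((at - entry.access_time).total_seconds())
            if entry.total_seconds >= self.max_seconds:
                self._deny(mac.lower(), entry, at)

    def _deny(self, mac: str, entry: QuasiEntry, at: datetime) -> str:
        """Step 303 / Step 401: flip permit. to deny. and notify the alarm unit."""
        entry.identifier = DENY
        self.frozen[mac] = at
        return "block"

    def freeze_message(self, mac: str) -> str:
        """Step 402: the short message sent to the administrator (wording assumed)."""
        at = self.frozen[mac.lower()]
        return f"freeze {mac.lower()}/{at:%Y-%m-%d %H:%M}+reply 1=thaw 0=mask"

    def admin_reply(self, mac: str, reply: str) -> str:
        """Step 403: '1' thaws (record deleted, MAC becomes legitimate), '0' masks."""
        mac = mac.lower()
        if mac not in self.frozen:                  # reply must name a frozen MAC
            raise KeyError(f"no pending freeze for {mac}")
        if reply.strip() == "1":
            del self.frozen[mac]
            self.quasi.pop(mac, None)
            self.static.add(mac)
            return "thawed"
        if reply.strip() == "0":
            del self.frozen[mac]                    # record stays deny.: still an illegal user
            return "masked"
        raise ValueError("reply must be 1 (thaw) or 0 (mask)")

    def prune_idle(self, now: datetime) -> List[str]:
        """Delete permit. entries used fewer than min_count times in min_period of first_seen."""
        stale = [m for m, e in self.quasi.items()
                 if e.identifier == PERMIT and e.access_count < self.min_count
                 and now - e.first_seen >= self.min_period]
        for m in stale:
            del self.quasi[m]
        return stale
```

Two points the claims leave open are decided here and worth settling explicitly in a real deployment: whether the access that reaches the maximum count is itself admitted (here max_count accesses are admitted and the next one is frozen), and how a bare reply of 1 or 0 is tied to a particular frozen MAC when several freezes are outstanding (here the reply must name the MAC, so it cannot be applied to the wrong station). The static whitelist is still keyed on a self-reported MAC address, so, as the background section itself notes, a client presenting a whitelisted address passes the filter.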
An access control device, the device including: a receiving unit, a judging unit, a whitelist matching unit, a quasi-whitelist processing unit and a rights management unit, wherein
the receiving unit is configured to receive an access request sent from a MAC address;
the judging unit is configured to judge whether the time at which the receiving unit received the access request falls within a preset fixed time period; if not, to notify the whitelist matching unit; if so, to notify the quasi-whitelist processing unit;
the whitelist matching unit is configured to match the access MAC address that sent the access request against the MAC addresses in a preset static whitelist; when the access MAC address matches a MAC address in the static whitelist, that MAC address is allowed to access; when the access MAC address has no match in the static whitelist, the access request of that MAC address is blocked;
the quasi-whitelist processing unit is configured to filter out, according to the static whitelist, the MAC addresses that hold no right, and to enter all MAC addresses without a right that appear within the fixed time period into a quasi-whitelist;
the rights management unit is configured to set a temporary use right for the MAC addresses in the quasi-whitelist.
Optionally, the rights management unit is configured to set the temporary use right for the MAC addresses in the quasi-whitelist as follows: setting a maximum allowed number of accesses and a maximum use duration for the MAC addresses in the quasi-whitelist.
Optionally, the rights management unit is further configured to represent the storage format of the MAC address information in the quasi-whitelist as: identifier + access time + disconnect time + access count + cumulative online time.
Optionally, the rights management unit is further configured to: when the access count of a MAC address reaches the maximum allowed number of accesses, or its use duration reaches the maximum use duration, or its access count reaches the maximum allowed number of accesses and its use duration reaches the maximum use duration, revoke the temporary use right of that MAC address or delete that MAC address directly.
Optionally, the rights management unit is further configured to set a minimum use value for the access count;
the rights management unit monitors how many times each MAC address in the quasi-whitelist is used, and when the access count of a MAC address within a preset time is less than the minimum use value for the access count, revokes the temporary use right of that MAC address or deletes that MAC address directly.
Optionally, the rights management unit is configured to revoke the temporary use right of the MAC address as follows:
changing the identifier of the MAC address from permit. to deny.
Optionally, the device may further include an unauthorized-access alarm unit, wherein
the unauthorized-access alarm unit is configured to report to the administrator, after a MAC address has its temporary use right revoked, that the temporary use right of that MAC address has been revoked.
A computer program, including program instructions which, when executed by a computer, enable the computer to perform any of the access control methods described above.
Embodiments of the present invention open access only to legitimate users during working hours and important time periods, and grant temporary access to users other than legitimate users during other time periods, which improves network utilization.
Brief description of the drawings
The drawings described here are provided for a further understanding of the present invention and form a part of this application; the illustrative embodiments of the present invention and their description serve to explain the present invention and do not improperly limit it. In the drawings:
FIG. 1 is an overall architecture diagram according to an embodiment of the present invention;
FIG. 2 is a flowchart of an access control method according to an embodiment of the present invention;
FIG. 3 is a flowchart of the processing of the quasi-whitelist according to an application example of the present invention;
FIG. 4 is a flowchart of the processing after a MAC address in the quasi-whitelist has its temporary use right revoked, according to an application example of the present invention;
FIG. 5 is a schematic structural diagram of an access control device according to an embodiment of the present invention.
Preferred embodiments of the invention
The following is an overview of the subject matter described in detail in this document. This overview is not intended to limit the scope of protection of the claims.
The present invention is described in further detail below with reference to the drawings.
FIG. 1 is a schematic diagram of the overall architecture of the technique of the present invention in a wireless access control system.
As shown in FIG. 2, the method of an embodiment of the present invention for judging fixed-list rights and for collecting and sending MAC address information is as follows:
Step 201: a wireless routing device receives an access request sent from a terminal MAC address;
Step 202: if the wireless routing device receives the access request outside the preset fixed time period, it matches the access MAC address that sent the access request against the MAC addresses in the preset static whitelist. When the access MAC address matches a MAC address in the static whitelist, that MAC address is allowed to access; its access right is recognized automatically and its usage record is always ignored. When the access MAC address has no match in the static whitelist, it is marked as an illegal MAC address in the blacklist and the access request is blocked;
Step 203: if the wireless routing device receives the access request within the preset fixed time period, it filters out, according to the static whitelist, the MAC addresses that hold no right, records and counts the access information of those MAC addresses, and enters all MAC addresses without a right that appear within the fixed time period into a quasi-whitelist.
Optionally, the preset fixed time period generally refers to non-working hours or unimportant time periods, and conversely the time outside the preset fixed time period refers to working hours or important time periods. During working hours and important time periods access is opened only to legitimate users, while during other time periods temporary access is granted to users other than legitimate users, which improves network utilization.
After step 203, the method further includes: setting a temporary use right for the MAC addresses in the quasi-whitelist.
Optionally, the step of setting a temporary use right for the MAC addresses in the quasi-whitelist includes: setting a maximum allowed number of accesses and a maximum use duration for the MAC addresses in the quasi-whitelist.
Optionally, the storage format of the MAC address information in the quasi-whitelist may be represented as: identifier + access time + disconnect time + access count + cumulative online time.
Optionally, the method further includes: when the access count of a MAC address reaches the maximum allowed number of accesses, or its use duration reaches the maximum use duration, or its access count reaches the maximum allowed number of accesses and its use duration reaches the maximum use duration, revoking the temporary use right of that MAC address or deleting that MAC address directly.
Optionally, the method further includes: setting a minimum use value for the access count;
monitoring how many times each MAC address in the quasi-whitelist is used, and when the access count of a MAC address within a preset time is less than the minimum use value for the access count, revoking the temporary use right of that MAC address or deleting that MAC address directly.
Some terminals, once they have connected to the wireless router, do not connect again for a long time afterwards; keeping such users stored indefinitely wastes a great deal of database storage space and increases lookup time. In an embodiment of the present invention, when the counted number of accesses of a MAC address within a given time range is below a preset value of the rights change module, the rights change module can clear that MAC address automatically, improving the efficiency of database use.
Optionally, the method further includes: after a MAC address has its temporary use right revoked, reporting to the administrator that the temporary use right of that MAC address has been revoked; the administrator, according to how that MAC address has been used, either activates it, that is, sets it as a legitimate user, or continues to treat it as an illegal user.
Optionally, the step of revoking the temporary use right of the MAC address includes:
changing the identifier of the MAC address from permit. to deny.
The above steps, according to the static whitelist and the fixed time period set in advance, automatically match and judge whether the MAC address sending an access request may be a fixed legitimate user, and at the same time identify illegal users that hold no right at all so that blocking measures can be taken against them. The third step serves to generate a relatively dynamic quasi-whitelist, which makes it convenient to grant temporary access rights to potential legitimate users.
Two specific application examples are used below to describe, in an embodiment of the present invention, the processing of the quasi-whitelist and the processing after a MAC address in the quasi-whitelist has its temporary use right revoked.
As shown in FIG. 3, the method of an embodiment of the present invention for processing the quasi-whitelist is as follows:
Step 301: according to the preset maximum allowed number of accesses and maximum duration, the rights management unit judges whether the quasi-whitelist contains MAC address information records that exceed the preset limits. A MAC address whose access count and duration are both within the preset limits holds the temporary use right; a MAC address for which one or both of these values exceed the preset limit has its temporary use right revoked.
The access count and the individual access times of a MAC address accumulate gradually.
Step 302: when a MAC address in the quasi-whitelist is first granted the temporary use right (permit.), the rights management unit sets its access count to 1. As the data is updated continuously, the value approaches the threshold monitored by the rights management unit ever more closely, and the same holds for the cumulative online time. At the same time, a faster read format can be set for the moments when this unit reads the data in question.
Step 303: when either of the two values above reaches its preset value first, the rights management unit changes the identifier of the MAC address from permit. to deny. and at the same time temporarily prohibits the access requests and the use right of that MAC address.
Step 304: the rights management unit may also monitor how many times the MAC address is used; when the access count of a MAC address within a preset time is less than the preset minimum use value for the access count, the temporary use right of that MAC address is revoked or the MAC address is deleted directly.
The above four steps, using the preset limits on the access count and cumulative duration of a MAC address, defend against attacks by potential illegal users with a proactive strategy; in practice they can effectively find freeloaders on the network and loopholes in the access control system, providing an opportunity to improve technical standards. The two units created in this process are interconnected with a clear division of labor: the rights identification module judges and marks the right of a MAC address and additionally collects and stores statistics, while the rights change module monitors the data and performs the actions of changing rights and freezing rights, and additionally clears automatically the records of lost MAC addresses that have not used the wireless service for a long time.
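Steps 201 to 203 and steps 301 to 304 can be modelled together as one small access controller. The following Python model is an added example, not code from the patent or from its assignee; the MAC addresses, the 18:00 to 08:00 off-hours window and the limits are constructed values, and reading step 304 as "not seen for a whole idle period and total access count below the minimum" is an assumption of this example, since the record format stores only the last access time.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, List, Optional, Set, Tuple

PERMIT = "permit."  # identifier of a quasi-whitelist entry that holds a temporary right
DENY = "deny."      # identifier after the temporary right has been revoked


@dataclass
class QuasiEntry:
    """One quasi-whitelist record: identifier + access time + disconnect time
    + access count + cumulative online time (the storage format in the text)."""
    identifier: str = PERMIT
    access_time: Optional[datetime] = None
    disconnect_time: Optional[datetime] = None
    access_count: int = 0
    cumulative: timedelta = timedelta(0)


class AccessController:
    """Static whitelist only outside the fixed window; quasi-whitelist inside it."""

    def __init__(self, static_whitelist: Set[str], window: Tuple[time, time],
                 max_count: int, max_duration: timedelta,
                 min_count: int, idle_period: timedelta) -> None:
        self.static = set(static_whitelist)
        self.window_start, self.window_end = window
        self.max_count, self.max_duration = max_count, max_duration
        self.min_count, self.idle_period = min_count, idle_period
        self.quasi: Dict[str, QuasiEntry] = {}
        self.alerts: List[str] = []  # messages the alarm unit would send the administrator

    def in_fixed_window(self, now: datetime) -> bool:
        """True inside the configured off-hours window; the window may wrap midnight."""
        t = now.time()
        if self.window_start <= self.window_end:
            return self.window_start <= t < self.window_end
        return t >= self.window_start or t < self.window_end

    def handle_request(self, mac: str, now: datetime) -> str:
        """Steps 201-203: returns 'allow', 'block' or 'temporary'."""
        if mac in self.static:
            return "allow"            # legitimate user: usage records are ignored
        if not self.in_fixed_window(now):
            return "block"            # working hours: static whitelist only
        entry = self.quasi.setdefault(mac, QuasiEntry())
        self._enforce_limits(mac, entry, now)  # steps 301/303: revoke before granting
        if entry.identifier == DENY:
            return "block"
        entry.access_count += 1       # step 302: the first grant counts as 1
        entry.access_time = now
        return "temporary"

    def handle_disconnect(self, mac: str, now: datetime) -> None:
        """Accumulate online time when a temporarily admitted station disconnects."""
        entry = self.quasi.get(mac)
        if entry is None or entry.access_time is None:
            return
        entry.disconnect_time = now
        entry.cumulative += now - entry.access_time

    def review(self, now: datetime) -> None:
        """Step 301: periodic scan of every record, independent of new requests."""
        for mac, entry in self.quasi.items():
            self._enforce_limits(mac, entry, now)

    def _enforce_limits(self, mac: str, entry: QuasiEntry, now: datetime) -> None:
        """Step 303: either limit reached -> permit. becomes deny. and the admin is alerted."""
        if entry.identifier == DENY:
            return
        if entry.access_count >= self.max_count or entry.cumulative >= self.max_duration:
            entry.identifier = DENY
            # Step 402 message: frozen MAC / freeze time + decision (1 = unfreeze, 0 = block)
            self.alerts.append(f"{mac}/{now.isoformat()}+reply 1 to unfreeze, 0 to block")

    def purge_inactive(self, now: datetime) -> List[str]:
        """Step 304 (interpretation assumed here): delete records not seen for a whole
        idle period whose total access count is still below the minimum use value."""
        stale = [mac for mac, e in self.quasi.items()
                 if e.access_time is not None
                 and now - e.access_time >= self.idle_period
                 and e.access_count < self.min_count]
        for mac in stale:
            del self.quasi[mac]
        return stale

    def admin_decision(self, mac: str, reply: str) -> str:
        """Step 403: reply '1' activates the MAC (static whitelist), '0' keeps it denied."""
        if reply == "1":
            self.quasi.pop(mac, None)
            self.static.add(mac)
            return "activated"
        return "still illegal"


if __name__ == "__main__":
    # Constructed sample: one legitimate station, off-hours window 18:00-08:00,
    # at most 2 temporary accesses or 3 hours online, purge below 3 accesses after 7 idle days.
    ctl = AccessController({"aa:bb:cc:dd:ee:01"}, (time(18, 0), time(8, 0)),
                           2, timedelta(hours=3), 3, timedelta(days=7))
    night = datetime(2015, 6, 25, 22, 0)
    print(ctl.handle_request("aa:bb:cc:dd:ee:02", night))        # temporary
    ctl.handle_disconnect("aa:bb:cc:dd:ee:02", night + timedelta(hours=1))
    print(ctl.handle_request("aa:bb:cc:dd:ee:02", night + timedelta(hours=2)))  # temporary
    print(ctl.handle_request("aa:bb:cc:dd:ee:02", night + timedelta(hours=3)))  # block
    print(ctl.alerts)
```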
As shown in FIG. 4, the method of an embodiment of the present invention for processing a MAC address in the quasi-whitelist after its temporary use right has been revoked is as follows:
Step 401: when the rights management unit changes the right of a MAC address from permit. to deny., it notifies the unauthorized-access alarm unit at the same time. The alarm unit can determine the status and location of the MAC address from the simple notice it receives and retrieve the information it needs about that MAC address from the rights management unit, which can be represented as identifier/deny.(temporary).
Step 402: the unauthorized-access alarm unit then collates the retrieved information and edits it into a short message sent to the administrator, whose format may be: frozen MAC address/freeze time + handling decision (replying with the digit 1 means unfreeze, the digit 0 means block).
Step 403: if the administrator considers the user of that MAC address legitimate, the activation notification unit receives a short message reply of 1; on receiving this instruction, it immediately deletes the violation record of that MAC address and activates its access right. If the administrator considers the user of that MAC address still illegal, the MAC address continues to be treated as an illegal user.
The above three steps achieve flexible handling of rights change events, providing evidence, choice and time for deciding whether an individual MAC address is legitimate. At the same time, they provide a quick route to resolving the legitimacy of an individual MAC address with a single short message reply, which greatly simplifies practical operation and reduces the probability of misjudgment by the access control system.
FIG. 5 is a schematic structural diagram of an access control device according to an embodiment of the present invention. The device includes: a receiving unit 501, a judging unit 502, a whitelist matching unit 503, a quasi-whitelist processing unit 504 and a rights management unit 505.
The receiving unit 501 is configured to receive an access request sent from a terminal MAC address;
the judging unit 502 is configured to judge whether the time at which the receiving unit received the access request falls within a preset fixed time period; if not, to notify the whitelist matching unit; if so, to notify the quasi-whitelist processing unit;
the whitelist matching unit 503 is configured to match the access MAC address that sent the access request against the MAC addresses in a preset static whitelist; when the access MAC address matches a MAC address in the static whitelist, that MAC address is allowed to access; when the access MAC address has no match in the static whitelist, that MAC address is determined to be an illegal MAC address and its access request is blocked;
the quasi-whitelist processing unit 504 is configured to filter out, according to the static whitelist, the MAC addresses that hold no right, to record and count the access information of those MAC addresses, and to enter all MAC addresses without a right that appear within the fixed time period into a quasi-whitelist;
the rights management unit 505 is configured to set a temporary use right for the MAC addresses in the quasi-whitelist.
Optionally, the rights management unit 505 is configured to set the temporary use right for the MAC addresses in the quasi-whitelist as follows: setting a maximum allowed number of accesses and a maximum use duration for the MAC addresses in the quasi-whitelist.
Optionally, the rights management unit 505 is further configured to represent the storage format of the MAC address information in the quasi-whitelist as: identifier/access time/disconnect time/access count/cumulative online time.
Optionally, the rights management unit 505 is further configured to: when the access count of a MAC address reaches the maximum allowed number of accesses, or its use duration reaches the maximum use duration, or its access count reaches the maximum allowed number of accesses and its use duration reaches the maximum use duration, revoke the temporary use right of that MAC address or delete that MAC address directly.
Optionally, the rights management unit 505 is further configured to set a minimum use value for the access count;
the rights management unit 505 monitors how many times each MAC address in the quasi-whitelist is used, and when the access count of a MAC address within a preset time is less than the minimum use value for the access count, revokes the temporary use right of that MAC address or deletes that MAC address directly.
Optionally, the device may further include an unauthorized-access alarm unit 506.
Optionally, the method further includes: after a MAC address has its temporary use right revoked, the unauthorized-access alarm unit 506 reports to the administrator that the temporary use right of that MAC address has been revoked, and the administrator, according to how that MAC address has been used, either sets it as a legitimate user or continues to treat it as an illegal user.
The above is merely a specific embodiment of the present invention, and the scope of protection of the present invention is not limited to it; any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall be covered by the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be that defined by the claims.
An embodiment of the present invention further discloses a computer program including program instructions which, when executed by a computer, enable the computer to perform any of the access control methods described above.
An embodiment of the present invention further discloses a carrier carrying the computer program.
Other aspects will become apparent upon reading and understanding the drawings and the detailed description.
Industrial applicability
Embodiments of the present invention open access only to legitimate users during working hours and important time periods, and grant temporary access to users other than legitimate users during other time periods, which improves network utilization. The present invention therefore has strong industrial applicability.

Claims (15)

  1. An access control method, including:
    receiving an access request sent from a MAC address;
    if the access request is received outside a preset fixed time period, matching the MAC address that sent the access request against the MAC addresses in a preset static whitelist; when the MAC address matches a MAC address in the static whitelist, allowing that MAC address to access; when the MAC address has no match in the static whitelist, blocking the access request;
    if the access request is received within the preset fixed time period, filtering out, according to the static whitelist, the MAC addresses that hold no right, entering all MAC addresses without a right that appear within the fixed time period into a quasi-whitelist, and setting a temporary use right for the MAC addresses in the quasi-whitelist.
  2. The access control method according to claim 1, wherein the step of setting a temporary use right for the MAC addresses in the quasi-whitelist includes:
    setting a maximum allowed number of accesses and a maximum use duration for the MAC addresses in the quasi-whitelist.
  3. The access control method according to claim 2, wherein the storage format of the MAC address information in the quasi-whitelist may be represented as: identifier + access time + disconnect time + access count + cumulative online time.
  4. The access control method according to claim 2 or 3, the method further including: when the access count of a MAC address reaches the maximum allowed number of accesses, or its use duration reaches the maximum use duration, or its access count reaches the maximum allowed number of accesses and its use duration reaches the maximum use duration, revoking the temporary use right of that MAC address or deleting that MAC address directly.
  5. The access control method according to claim 2 or 3, the method further including: setting a minimum use value for the access count;
    monitoring how many times each MAC address in the quasi-whitelist is used, and when the access count of a MAC address within a preset time is less than the minimum use value for the access count, revoking the temporary use right of that MAC address or deleting that MAC address directly.
  6. The access control method according to claim 5, the method further including: after a MAC address has its temporary use right revoked, reporting to the administrator that the temporary use right of that MAC address has been revoked; the administrator, according to how that MAC address has been used, either activates it, that is, sets it as a legitimate user, or continues to treat it as an illegal user.
  7. The access control method according to claim 6, wherein the step of revoking the temporary use right of the MAC address includes:
    changing the identifier of the MAC address from permit. to deny.
  8. An access control device, the device including: a receiving unit, a judging unit, a whitelist matching unit, a quasi-whitelist processing unit and a rights management unit, wherein
    the receiving unit is configured to receive an access request sent from a MAC address;
    the judging unit is configured to judge whether the time at which the receiving unit received the access request falls within a preset fixed time period; if not, to notify the whitelist matching unit; if so, to notify the quasi-whitelist processing unit;
    the whitelist matching unit is configured to match the access MAC address that sent the access request against the MAC addresses in a preset static whitelist; when the access MAC address matches a MAC address in the static whitelist, that MAC address is allowed to access; when the access MAC address has no match in the static whitelist, the access request of that MAC address is blocked;
    the quasi-whitelist processing unit is configured to filter out, according to the static whitelist, the MAC addresses that hold no right, and to enter all MAC addresses without a right that appear within the fixed time period into a quasi-whitelist;
    the rights management unit is configured to set a temporary use right for the MAC addresses in the quasi-whitelist.
  9. The access control device according to claim 8, wherein the rights management unit is configured to set the temporary use right for the MAC addresses in the quasi-whitelist as follows: setting a maximum allowed number of accesses and a maximum use duration for the MAC addresses in the quasi-whitelist.
  10. The access control device according to claim 9, wherein the rights management unit is further configured to represent the storage format of the MAC address information in the quasi-whitelist as: identifier + access time + disconnect time + access count + cumulative online time.
  11. The access control device according to claim 9 or 10, wherein the rights management unit is further configured to: when the access count of a MAC address reaches the maximum allowed number of accesses, or its use duration reaches the maximum use duration, or its access count reaches the maximum allowed number of accesses and its use duration reaches the maximum use duration, revoke the temporary use right of that MAC address or delete that MAC address directly.
  12. The access control device according to claim 9 or 10, wherein the rights management unit is further configured to set a minimum use value for the access count;
    the rights management unit monitors how many times each MAC address in the quasi-whitelist is used, and when the access count of a MAC address within a preset time is less than the minimum use value for the access count, revokes the temporary use right of that MAC address or deletes that MAC address directly.
  13. The access control device according to claim 12, wherein the rights management unit is configured to revoke the temporary use right of the MAC address as follows:
    changing the identifier of the MAC address from permit. to deny.
  14. The access control device according to claim 12, the device further including an unauthorized-access alarm unit, wherein
    the unauthorized-access alarm unit is configured to report to the administrator, after a MAC address has its temporary use right revoked, that the temporary use right of that MAC address has been revoked.
  15. A computer program, including program instructions which, when executed by a computer, enable the computer to perform the access control method according to any one of claims 1 to 7.
PCT/CN2015/091304 2015-06-25 2015-09-30 Access control method and device WO2016206227A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510357139.6 2015-06-25
CN201510357139.6A CN106302373A (en) 2015-06-25 2015-06-25 A kind of connection control method and terminal

Publications (1)

Publication Number Publication Date
WO2016206227A1 true WO2016206227A1 (en) 2016-12-29

Family

ID=57584476

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/091304 WO2016206227A1 (en) 2015-06-25 2015-09-30 Access control method and device

Country Status (2)

Country Link
CN (1) CN106302373A (en)
WO (1) WO2016206227A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109586928A (en) * 2018-12-21 2019-04-05 杭州全维技术股份有限公司 A kind of internet behavior blocking-up method based on the network equipment
CN112910784A (en) * 2019-12-03 2021-06-04 华为技术有限公司 Method, device and system for determining route

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107517461B (en) * 2017-08-21 2021-08-27 上海掌门科技有限公司 Method and equipment for carrying out wireless connection pre-authorization on user equipment
CN107819768B (en) * 2017-11-15 2020-07-31 厦门安胜网络科技有限公司 Method for server to actively disconnect illegal long connection, terminal equipment and storage medium
CN108076500B (en) * 2017-12-13 2021-04-02 北京小米移动软件有限公司 Method and device for managing local area network and computer readable storage medium
CN110661744A (en) * 2018-06-28 2020-01-07 石悌君 Network access control method
CN110912788B (en) * 2018-09-18 2021-07-23 珠海格力电器股份有限公司 Networking control method and device, storage medium and processor
CN110087242B (en) * 2019-04-29 2020-08-21 四川英得赛克科技有限公司 Method for rapidly judging legality of wireless access equipment in industrial control environment
CN112052432A (en) * 2020-09-01 2020-12-08 禾麦科技开发(深圳)有限公司 Terminal device authorization method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7535880B1 (en) * 2005-01-13 2009-05-19 2Wire, Inc. Method and apparatus for controlling wireless access to a network
CN103442097A (en) * 2013-08-30 2013-12-11 烽火通信科技股份有限公司 System and method for controlling WiFi terminal access authority by home gateway
CN103619018A (en) * 2013-11-21 2014-03-05 北京奇虎科技有限公司 Method and device for detecting access right of wireless network and router
CN204145542U (en) * 2014-11-12 2015-02-04 厦门掌沃软件科技有限公司 One is anti-rubs network router

Also Published As

Publication number Publication date
CN106302373A (en) 2017-01-04

Similar Documents

Publication Publication Date Title
WO2016206227A1 (en) Access control method and device
JP7223022B2 (en) Method and apparatus for terminal (UE) management and control
Mantas et al. Security for 5G communications
KR102329493B1 (en) Method and apparatus for preventing connection in wireless intrusion prevention system
CN103442097B (en) A kind of home gateway controls the system and method for WiFi terminal access authority
WO2018080976A1 (en) Detection of vulnerable devices in wireless networks
EP3780688B1 (en) Method and apparatus for restricting access of terminal device
CN106130962B (en) Message processing method and device
WO2016086763A1 (en) Wireless access node detecting method, wireless network detecting system and server
CN102035793A (en) Botnet detecting method, device and network security protective equipment
US8145131B2 (en) Wireless ad hoc network security
US11250172B2 (en) Handling wireless client devices associated with a role indicating a stolen device
US20150082429A1 (en) Protecting wireless network from rogue access points
KR20160006915A (en) The Management Method and Apparatus for the Internet of Things
WO2013185709A1 (en) Call authentication method, device, and system
CN106559399A (en) A kind of the Internet mobile terminal synthesis managing and control system
US20140150069A1 (en) Method for distinguishing and blocking off network node
CN109995769A (en) A kind of trans-regional full actual time safety management-control method of multi-tier Heterogeneous
WO2016062113A1 (en) Wireless network access security detection method and terminal
CN106685843B (en) Method for safely strengthening router
CN106411852B (en) Distributed terminal access control method and device
JP6616733B2 (en) Network system and server device
CN105812338B (en) Data access control method and network management equipment
CN101631078B (en) Message control method and access equipment in endpoint admission defense
CN105681352B (en) A kind of wireless network access safety management-control method and system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 15896120
    Country of ref document: EP
    Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 15896120
    Country of ref document: EP
    Kind code of ref document: A1