CN100428710C - Network mutual access controlling method - Google Patents

Network mutual access controlling method

Info

Publication number: CN100428710C
Authority: CN (China)
Prior art keywords: user, mutual access, network
Legal status: Expired - Lifetime
Application number: CNB031071945A
Other languages: Chinese (zh)
Other versions: CN1531257A (en)
Inventors: 侯超, 管红光, 王军
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd; priority to CNB031071945A; published as CN1531257A; granted and published as CN100428710C; legal status Expired - Lifetime.

Abstract

The present invention discloses a control method for network mutual access. In the method, the network mutual access authority of users is divided into different grades, the corresponding relationships of user account numbers and the mutual access grades are set, and access control relationships among users with different mutual access authorities are set so that when the network mutual access of the users is controlled, the network mutual access authority grades of the users are obtained according to the user account numbers, and the network mutual access of the users is controlled by the access control relationships among the users according to the grades. The present invention is used for controlling the network mutual access of the users, and has high control precision and flexibility so that the present invention can meet the control requirement of multi-layer network mutual access.

Description

Network mutual-access control method
Technical field
The present invention relates to a method for controlling mutual network access between users.
Background technology
In the Broadband Access Server (BAS) of a present-day broadband network, control over users' network access is unavoidable, and so is control over mutual access between users. Taking mutual access as an example: because users need to share resources and communicate with one another, users connected to the same network must be able to access each other. In practice there are often requirements such as the following: users of the same company who are geographically dispersed but connected to the same network on the Internet must be able to access each other; within one company, users of a first department and a second department may access each other, users of the first department may also access a third department, while users of the third department may not access the first department, and so on. However, because users of different kinds form network groups with different business scopes and rights, and different groups have specific requirements on users' mutual-access rights, isolating users of different groups from one another requires that mutual-access control be enforced on network equipment such as the BAS.
Two control methods are mainly used at present to realize mutual-access control for network users. The first is based on authentication: it uses whether the user has passed network authentication as the criterion and divides users into two classes. All authenticated users have the same mutual-access rights and can usually access each other almost without restriction, while unauthenticated users are not allowed any mutual access. Obviously the control precision of this approach is too low: it cannot express the requirement that different users have different mutual-access rights, and the control has no flexibility.
As an alternative to the above method, the second method is based on the user's port number and IP address: it divides users' mutual-access rights by port number and IP address in order to gain flexibility. In this approach the user's port number is normally fixed, but in practice several users may be attached under one port, so the control precision of this method can at best reach the port level. On the other hand, when the user is a dynamic-IP user, during network access the user applies for an IP address through DHCP (Dynamic Host Configuration Protocol) and then uses that address for network access and for mutual access with other users. Because the IP address a user obtains through DHCP is normally different each time the user goes online, controlling the user's network mutual access becomes complex and difficult.
Summary of the invention
The object of the present invention is to provide a network mutual-access control method with higher control precision, based on the user account, which makes the control of users' network mutual access more flexible.
To achieve the above object, the account-based network mutual-access control method provided by the invention comprises:
dividing users' network mutual-access rights into different permission levels, setting the correspondence between user accounts and network mutual-access permission levels, and setting the mutual-access control relationship between users of different permission levels;
when controlling a user's network mutual access, obtaining the user's permission level according to the user account, and then controlling the user's network mutual access according to that permission level and the above mutual-access control relationship.
Dividing the user's network mutual-access rights into different permission levels comprises:
dividing the user's network mutual-access rights into different grades or into different user mutual-access groups.
Before controlling the user's network mutual access, the method further comprises:
setting the user mutual-access group corresponding to the user's network mutual-access rights, and the access-control relationship between different user mutual-access groups; or
setting the grade corresponding to the user's network mutual-access rights, and the access-control relationship between users of different grades.
Obtaining the user's permission level according to the user account and controlling the user's network mutual access according to that level and the mutual-access control relationship specifically comprises:
determining the user mutual-access group to which the user belongs according to the user account, then judging whether mutual access between the users is allowed according to the access-control relationship between user mutual-access groups, and forwarding the mutual-access packet between the users if it is allowed, otherwise discarding it; or
determining the user's grade according to the user account, then judging whether mutual access between the users is allowed according to the access-control relationship between grades, and forwarding the mutual-access packet between the users if it is allowed, otherwise discarding it.
The method further comprises: providing, in the network access equipment, a user connection information (UCIB) table that describes the network connection record established for each online user, and a mutual-access control table that describes the access-control relationship between mutual-access groups.
The user connection information table comprises IP address and mutual-access group fields and is used to establish one network connection record for each online user.
The method further comprises: after the user's network access authentication succeeds, the authentication end assigns the user to the corresponding mutual-access group according to the user account and notifies the network access equipment, which writes the user's mutual-access group information into the corresponding record of the UCIB table.
In judging whether mutual access between users is allowed according to the access-control relationship between mutual-access groups, the network access equipment looks up the UCIB table by the source IP address of the user's mutual-access packet to obtain the mutual-access group number of the source user, then looks up the UCIB table by the destination IP address of the packet to obtain the mutual-access group number of the destination user, and then looks up the mutual-access control table with the source user's and destination user's group numbers to judge whether the user is allowed to access the destination user specified in the packet; if it is allowed the packet is forwarded, otherwise it is discarded.
Because the present invention divides users' network mutual-access rights into different grades or mutual-access groups, sets the mutual-access control relationship between grades or groups, and sets the correspondence between user accounts and grades or groups, a user's permission level or group number can be obtained from the user account when the user accesses the network, and the user's mutual access can be controlled accordingly. This method clearly controls at the user level: the basis of the control is the user account, which is unique, so no matter which IP address the user obtains or which port the user is attached to, mutual-access control can be enforced for the specific user. The invention therefore has high control precision and flexibility, and can satisfy multi-layered requirements for the control of users' network mutual access.
Description of drawings
Fig. 1 is a schematic diagram of a typical user network login process;
Fig. 2 shows the control principle of the method of the invention;
Fig. 3 is the first part of the control procedure of the method of the invention, namely the flow chart for forming the control information of the UCIB table;
Fig. 4 is the second part of the control procedure of the method of the invention, namely the flow chart for controlling a user's concrete network mutual access.
Embodiment
According to the above analysis of existing user network access control methods, the simplest criterion for controlling a user's network mutual access is whether the user has passed authentication, but the control precision of this criterion is too low to satisfy practical requirements. In fact, when controlling users' mutual access, whether local authentication or a remote authentication server is used, the authentication end stores the information used to authenticate and manage the user. Therefore, once the user passes network authentication, the network obtains the user's detailed subscription information, such as the user account (meaning the information that uniquely identifies the user, such as user name or password). It follows that if the user's network mutual-access rights are also stored at the authentication end as part of the user's subscription information, then after the user authenticates the network access equipment (such as the BAS) can use these rights to control the user's network mutual access. Among this information the user account is the unique information that identifies the user, so combining it with the user's network mutual-access rights satisfies the requirement for high-precision, multi-level control of users' network mutual access.
Accordingly, when implementing the invention, the network first divides users' network mutual-access rights into different grades, with different grades corresponding to different users. When each user opens an account or changes subscription information, the user's network mutual-access rights are set at the authentication end together with other information, so that after authentication this information can be used to control the user's network mutual access. To realize this control requirement, the rights of different grades may be divided into different grades or into different user mutual-access groups (InterGroup); by managing the mutual-access groups or grades, a whole population of users with the same network mutual-access rights can be managed together. Thus, when user information is configured at the authentication end, the user's registered network mutual-access rights are recorded as a permission level or mutual-access group number, registered together with the user's account and other user-related information in the authorized user information held at the authentication end. At the same time, a user connection information table (UCIB table) and a user mutual-access control table are set up in the network access equipment, i.e. in the BAS. The UCIB table defines the correspondence between the user of a certain account and a mutual-access group; the mutual-access control table defines the access-control relationship between different mutual-access groups, where access-control relationship means whether mutual access or one-way access between mutual-access groups is allowed. The two control tables established in the network access equipment realize the requirement of account-based network access control.
The UCIB table is filled in by the network access equipment after the user passes authentication, as notified by the authentication end, i.e. it is filled in according to the authorization information of the authentication end; the mutual-access control table is configured in advance in the network access equipment according to the control requirements.
The structure of the two tables is illustrated below:
Table 1 (UCIB table):

  Port number | VLAN number | IP address | MAC address | Mutual-access group | UCL group
  ……          | ……          | ……         | ……          | ……                  | ……
  ……          | ……          | ……         | ……          | ……                  | ……
  ……          | ……          | ……         | ……          | ……                  | ……

Table 2 (mutual-access control table; rows are source groups, columns are destination groups):

  source \ destination   0   1   2   3   4
  0                      √   ×   ×   ×   ×
  1                      ×   √   √   √   ×
  2                      [two cells ×, three cells √; cell positions not preserved in the extracted page]
  3                      [three cells ×, two cells √; cell positions not preserved in the extracted page]
  4                      ×   ×   ×   ×   ×
In Table 1 above, the control information relevant to the present invention is the "IP address" and "mutual-access group" fields; the remaining fields are other control information. In Table 2, "√" indicates that the source mutual-access group of that row is allowed to access the destination mutual-access group of that column, and "×" indicates that it is not.
The present invention is described in further detail below with reference to the accompanying drawings.
Suppose the user's network mutual access is controlled by means of mutual-access groups. In Table 1, when the user passes authentication, the concrete contents of the table are filled in from the user's authorization information held at the authentication end. For example, in the user online process shown in Fig. 1, suppose the network access equipment is a BAS, the server that assigns IP addresses to users is a DHCP server, and the authentication end is a remote RADIUS server (it could equally be a local authentication module). In the online process, after the user obtains its own IP address from the DHCP server through steps 1 to 3, the BAS allocates a record for the user in the UCIB table at position A and records some simple information, such as the default mutual-access group number the user has before authentication (assumed to be 255) and the IP address the user obtained (assumed to be 1.1.1.1). After step 4 notifies the user of the obtained IP address, the user begins authentication in steps 5 and 6; until position B the user's mutual-access rights are the default rights of a user that has not yet gone online, unrelated to the account and the same for all users. After the user passes authentication, at position B, the user has authenticated with a certain account, and the RADIUS server sends the rights of that account to the BAS, the mutual-access group among them being assumed to be group number 100. The BAS records these rights in the corresponding record of the UCIB table, so the user's IP address (1.1.1.1) is now associated with that record, and the mutual-access group number and the user's other rights in that record were assigned according to the user account. Different user accounts have different mutual-access groups, so the IP address is thereby associated with the mutual-access group number, but this association holds only for this access session; that is, at this moment IP address 1.1.1.1 corresponds to mutual-access group 100. When the user goes offline, the BAS releases this correspondence.
After some time the user goes online a second time (logs into the network), goes through the same flow shown in Fig. 1, and is assigned an IP address 1.1.1.2 that differs from the previous one. Although the IP address obtained this time is different, the user authenticates with the same account and obtains the same authorization (the mutual-access group number is still 100), so this connection again has a record in the UCIB table recording the correspondence between IP address and group number, namely the correspondence between IP address 1.1.1.2 and mutual-access group 100; the access rights are unchanged.
As can be seen, the IP address changed between the user's two sessions, but the corresponding mutual-access group did not, so the user's access rights did not change either. This is because the mutual-access group (equivalent to the mutual-access rights) does not change with the IP address but remains relatively stable based on the account. With the mutual-access correspondence between mutual-access groups recorded in Table 2, account-based control of users' network mutual access is realized.
Taking the control of Table 2 above as an example, users of mutual-access group 0 in the first row can access each other but may not access mutual-access groups with other group numbers, i.e. groups 1, 2, 3, ...; mutual-access group 1 in the second row is allowed to access groups 1, 2 and 3; and so on.
The concrete control principle is shown in Figs. 2a and 2b. Referring to Fig. 2b, when a user's network mutual-access packet passes through the network access equipment, the packet is first classified by its source IP address, and the UCIB table is looked up to obtain the user information and further the mutual-access group number to which this user belongs. The packet is then classified by its destination IP address, and the mutual-access group number to which the destination address belongs is obtained from the UCIB table. The combination of source and destination mutual-access group numbers is used to look up the mutual-access control table generated in advance by configuration, which determines in the network access equipment whether the user of the source mutual-access group is allowed to access the user of the destination mutual-access group.
The concrete control procedure according to the above principle comprises two parts, described in Figs. 3 and 4 respectively, assuming that user mutual-access groups are used as the user's network mutual-access rights; in practice the user's network access rights could of course also be described by network mutual-access priorities. The first part, Fig. 3, forms the control information of the UCIB table. According to Fig. 3, in step 11 the user first obtains an IP address and authenticates online with its own account; in step 12 the authentication end judges whether this user's authentication passes; if not, this user's network access operation ends; otherwise, in step 13 the user's mutual-access group is determined according to the user account, and the user's authorization information (including the user's mutual-access group number and IP address) is notified to the network access equipment, which establishes the record relating to this user in the UCIB table.
Fig. 4 is the flow chart for controlling a user's concrete network mutual access according to the invention. According to Fig. 4, after a user's network mutual-access packet is received in step 21, the user's source IP address and destination IP address are obtained from the packet. In step 22 the packet is classified by its source IP address, the UCIB table is looked up, and the user information and the source mutual-access group number to which this user belongs are obtained from the UCIB table; the packet is then classified by its destination IP address, the UCIB table is looked up, and the mutual-access group number to which the destination address belongs is obtained. In step 23 the source and destination mutual-access group numbers are combined and used to look up the mutual-access control table generated in advance by configuration, which yields whether the user is allowed to access the user defined by the packet's destination IP address. Finally, in step 24 the user's network mutual access is controlled according to this information: if the user is allowed to access the user at the destination address, the packet is forwarded normally; otherwise the network mutual-access packet is discarded.
It should be noted that in the concrete control procedure a pre-connection user (one that has not passed authentication and has only obtained an IP address through DHCP) has no account, so control over it can be coarser: all pre-connection users are given a default mutual-access group number in advance, such as group 255, and all pre-connection users then uniformly use the rights configured for group 255 for mutual access; in practice these mutual-access rights are of course usually small.
In summary, the account-based user mutual-access control method can effectively impose the required control on users' network mutual access; the control precision reaches the user level, and control can be applied as needed to different users. For example, in the internal network of a company, the present invention can clearly distinguish external staff from internal staff who work side by side, give them different mutual-access rights, and thereby achieve cooperation and isolation at the same time.
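To make the data path concrete, the following Python model (an added example, not Huawei's code or anything on the patent page) implements the UCIB table, the group-to-group control table and the BAS forwarding decision of Fig. 4, including the default group 255 for pre-connection users and the release of the IP-to-group binding at logoff. The subscriber accounts, the 10.0.x.x addresses, and the control-table rows for groups 2, 3, 100 and 255 are constructed assumptions; only rows 0, 1 and 4 follow the patent's Table 2.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

DEFAULT_GROUP = 255   # pre-connection group: has an IP address but has not authenticated


@dataclass
class UcibRecord:
    """One row of Table 1, keeping only the fields the control decision uses."""
    ip: str
    group: int = DEFAULT_GROUP
    account: Optional[str] = None


class AuthenticationEnd:
    """Stand-in for the RADIUS server or local authentication module:
    maps an account to (password, mutual-access group). Data is constructed."""
    def __init__(self, subscribers: Dict[str, Tuple[str, int]]):
        self._subscribers = subscribers

    def authorize(self, account: str, password: str) -> Optional[int]:
        entry = self._subscribers.get(account)
        if entry is None or entry[0] != password:
            return None
        return entry[1]


class Bas:
    """Broadband access server holding the UCIB table and the control table."""
    def __init__(self, auth: AuthenticationEnd, allowed: Set[Tuple[int, int]]):
        self.auth = auth
        self.allowed = allowed      # Table 2 as the set of allowed (source, destination) groups
        self.ucib: Dict[str, UcibRecord] = {}

    def dhcp_assign(self, ip: str) -> UcibRecord:
        """Position A in Fig. 1: the user has an address; rights are still the default."""
        self.ucib[ip] = UcibRecord(ip=ip)
        return self.ucib[ip]

    def authenticate(self, ip: str, account: str, password: str) -> bool:
        """Position B: the authentication end returns the account's group and the BAS
        binds it to the UCIB record of this IP address for the current session only."""
        record = self.ucib.get(ip)
        if record is None:
            return False
        group = self.auth.authorize(account, password)
        if group is None:
            return False            # authentication failed: record keeps the default group
        record.group, record.account = group, account
        return True

    def logoff(self, ip: str) -> None:
        """User offline: the BAS releases the IP-to-group correspondence."""
        self.ucib.pop(ip, None)

    def forward(self, src_ip: str, dst_ip: str) -> bool:
        """Fig. 4: look up both group numbers by IP address, then consult Table 2.
        A host with no UCIB record is denied (assumption: the patent defines the
        decision only for two users that both appear in the table)."""
        src, dst = self.ucib.get(src_ip), self.ucib.get(dst_ip)
        if src is None or dst is None:
            return False
        return (src.group, dst.group) in self.allowed


# Table 2 as recoverable from the patent text (rows 0, 1 and 4) plus constructed
# entries for rows 2 and 3 and for the groups used in the walkthrough (100 and 255).
CONTROL_TABLE: Set[Tuple[int, int]] = {
    (0, 0),                      # group 0 may reach only itself
    (1, 1), (1, 2), (1, 3),      # group 1 may reach groups 1, 2 and 3
    (2, 1), (2, 2), (2, 3),      # constructed
    (3, 2), (3, 3),              # constructed
    (100, 100),                  # constructed: the walkthrough's authenticated group
    (255, 255),                  # constructed: pre-connection users reach only each other
}

AUTH_END = AuthenticationEnd({   # constructed subscriber data
    "alice": ("alice-pw", 100), "dept0": ("dept0-pw", 0),
    "dept1": ("dept1-pw", 1), "dept4": ("dept4-pw", 4),
})


def two_sessions() -> Tuple[int, int, int]:
    """The walkthrough from the description: one account, two different IP addresses."""
    bas = Bas(AUTH_END, CONTROL_TABLE)
    before = bas.dhcp_assign("1.1.1.1").group       # 255 before authentication
    bas.authenticate("1.1.1.1", "alice", "alice-pw")
    first = bas.ucib["1.1.1.1"].group                # 100 once authenticated
    bas.logoff("1.1.1.1")
    bas.dhcp_assign("1.1.1.2")
    bas.authenticate("1.1.1.2", "alice", "alice-pw")
    second = bas.ucib["1.1.1.2"].group               # still 100: rights follow the account
    return before, first, second


def populated_bas() -> Bas:
    """A BAS with online users from several groups plus one unauthenticated user."""
    bas = Bas(AUTH_END, CONTROL_TABLE)
    for ip, account in [("10.0.0.1", "dept0"), ("10.0.0.2", "dept0"), ("10.0.1.1", "dept1"),
                        ("10.0.4.1", "dept4"), ("10.0.9.1", "alice")]:
        bas.dhcp_assign(ip)
        bas.authenticate(ip, account, account + "-pw")
    bas.dhcp_assign("10.0.99.1")        # pre-connection user: stays in group 255
    return bas
```

`two_sessions()` reproduces the 1.1.1.1 / 1.1.1.2 example: the address changes, the group bound to the account does not; `populated_bas().forward(src, dst)` is the per-packet decision.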

Claims (8)

1. A network mutual-access control method, characterized in that it comprises:
dividing users' network mutual-access rights into different permission levels, setting the correspondence between user accounts and network mutual-access permission levels, and setting the mutual-access control relationship between users of different network mutual-access permission levels;
when controlling a user's network mutual access, obtaining the user's network mutual-access permission level according to the user account, and then controlling the user's network mutual access according to that permission level and the above mutual-access control relationship.
2. The network mutual-access control method according to claim 1, characterized in that dividing the user's network mutual-access rights into different permission levels comprises:
dividing the user's network mutual-access rights into different grades or into different user mutual-access groups.
3. The network mutual-access control method according to claim 2, characterized in that, before controlling the user's network mutual access, the method further comprises:
setting the user mutual-access group corresponding to the user's network mutual-access rights, and the access-control relationship between different user mutual-access groups; or
setting the grade corresponding to the user's network mutual-access rights, and the access-control relationship between users of different grades.
4. The network mutual-access control method according to claim 3, characterized in that obtaining the user's network mutual-access permission level according to the user account and controlling the user's network mutual access according to that permission level and the mutual-access control relationship specifically comprises:
determining the user mutual-access group to which the user belongs according to the user account, then judging whether mutual access between the users is allowed according to the access-control relationship between user mutual-access groups, and forwarding the mutual-access packet between the users if it is allowed, otherwise discarding it; or
determining the user's grade according to the user account, then judging whether mutual access between the users is allowed according to the access-control relationship between grades, and forwarding the mutual-access packet between the users if it is allowed, otherwise discarding it.
5. The network mutual-access control method according to claim 4, characterized in that the method further comprises: providing, in the network access equipment, a user connection information (UCIB) table that describes the network connection record established for each online user, and a mutual-access control table that describes the access-control relationship between mutual-access groups.
6. The network mutual-access control method according to claim 5, characterized in that the user connection information table comprises IP address and mutual-access group fields and is used to establish one network connection record for each online user.
7. The network mutual-access control method according to claim 5, characterized in that the method further comprises: after the user's network access authentication succeeds, the authentication end assigns the user to the corresponding mutual-access group according to the user account and notifies the network access equipment, which writes the user's mutual-access group information into the corresponding record of the UCIB table.
8. The network mutual-access control method according to claim 5, characterized in that, in judging whether mutual access between users is allowed according to the access-control relationship between mutual-access groups, the network access equipment looks up the UCIB table by the source IP address of the user's network mutual-access packet to obtain the mutual-access group number of the source user, then looks up the UCIB table by the destination IP address of the packet to obtain the mutual-access group number of the destination user, and then looks up the mutual-access control table with the source user's and destination user's mutual-access group numbers to judge whether the user is allowed to access the destination user specified in the packet; if it is allowed the packet is forwarded, otherwise it is discarded.
Application CNB031071945A, priority date 2003-03-13, filing date 2003-03-13, "Network mutual access controlling method", granted as CN100428710C (en), status Expired - Lifetime.


Publications (2)

Publication Number Publication Date
CN1531257A CN1531257A (en) 2004-09-22
CN100428710C true CN100428710C (en) 2008-10-22


Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101056178B (en) * 2007-05-28 2010-07-07 中兴通讯股份有限公司 A method and system for controlling the user network access right

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1998045982A2 (en) * 1997-04-08 1998-10-15 Telefonaktiebolaget Lm Ericsson Arrangement for improving security in a communication system supporting user mobility
US6105132A (en) * 1997-02-20 2000-08-15 Novell, Inc. Computer network graded authentication system and method



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term (granted publication date: 20081022)