CN101582891B - Wide area network endpoint access domination (EAD) authentication method, system and terminal - Google Patents

Publication number: CN101582891B
Application number: CN2009100873755A
Authority: CN (China)
Other versions: CN101582891A
Inventor: 刘浩
Current assignee: New H3C Technologies Co Ltd
Original assignee: Hangzhou H3C Technologies Co Ltd
Legal status: Expired - Fee Related
Abstract

The invention discloses a wide area network endpoint access domination (EAD) authentication method. After the EAD security inspection determines that a terminal needs to download a specified repair file, the iMC security authentication server sends a P2P user information table to the terminal; the table contains the user names of the terminals that have already downloaded the specified repair file. The terminal then queries the EAD control gateway of its branch network for the IP addresses of the terminals whose user names in the P2P user information table belong to that branch network, and receives the local IP address table returned by the EAD control gateway. The terminal connects to the corresponding terminals according to the local IP address table, downloads the specified repair file, repairs itself, and performs EAD authentication again. The invention also discloses a wide area network EAD authentication system and a terminal. The technical scheme saves wide area network bandwidth and increases download speed.

Description

Wide area network endpoint access domination (EAD) authentication method, system and terminal
Technical field
The present invention relates to the field of network authentication technology, and in particular to a wide area network endpoint access domination (EAD) authentication method, system and terminal.
Background technology
Endpoint Access Domination (EAD) is a network admission control technology used to detect whether a terminal accessing the network is secure. It mainly addresses two problems that arise when a terminal accesses the network: authentication and security inspection.
In the EAD scheme, the network device through which terminals access the network is used as the EAD control gateway, and an extended portal protocol carries out EAD authentication and security inspection. The security inspection includes, but is not limited to, checking the state and version of the anti-virus software on the terminal, checking the software running on the terminal, and checking whether the operating system patches on the terminal meet requirements. During the security inspection phase, a terminal that does not comply with the enterprise security policy is forced to repair itself, for example by a mandatory upgrade of the virus database or of system patches. The EAD scheme can be deployed in isolation mode, reminder mode or offline mode; it is generally deployed in a "remind + offline time threshold" mode: after authentication, if the intelligent management center (iMC, Intelligent Management Center) server finds that the terminal does not meet the security policy requirements, it gives the terminal a certain period of time to repair itself, and if the terminal has still not repaired itself when that period expires, it is forced offline. The iMC server is a network device that manages the network topology, implements alarms and, in a componentized manner, implements functions such as authentication and EAD security authentication.
Depending on the enterprise network scale and networking, the EAD control gateway may be deployed at the Internet egress of the enterprise network, or at the entrance of a branch office network facing headquarters, implementing network access control of local area network (LAN) scope and of wide area network (WAN) scope respectively.
Fig. 1 is a schematic diagram of prior-art network access control networking of LAN scope. As shown in Fig. 1, the EAD control gateway is deployed at the Internet egress of the intranet and performs a security inspection on terminals that want to access the Internet; a terminal that does not meet the security policy is redirected to the local repair file server. The repair files on the repair file server include, but are not limited to, system patches and virus database files. The terminal downloads the corresponding system patches, virus database files and so on from the security policy server, repairs itself, and is authenticated again after the repair is completed; once it meets the requirements it can use the network normally. In this self-repair process all traffic, such as patch and virus database file downloads, stays within the LAN. LAN bandwidth is usually high, so there is no bandwidth bottleneck.
Group companies and large enterprises have huge networks that are often deployed across regions and divided into a headquarters network and a large number of branch office networks; the headquarters network and the branch office networks are interconnected through WAN circuits leased from an operator.
Fig. 2 is a schematic diagram of prior-art network access control networking of WAN scope. As shown in Fig. 2, the iMC security authentication server and the repair file server are deployed in the headquarters network for ease of management, and the EAD control gateway is deployed at the egress of the branch office network. When a terminal in the branch office network wants to access resources in the headquarters network, it first passes through the EAD control gateway of its local branch office network, which uploads the terminal's identity information and compliance information to headquarters; the iMC security authentication server at headquarters checks the user's information and, if it finds that the virus database, patches or the like do not meet the security policy, requires the terminal user to first connect to the headquarters repair file server, download the software and repair the terminal. The specific flow is shown in Fig. 3.
Fig. 3 is a schematic diagram of a prior-art WAN EAD authentication flow. As shown in Fig. 3, it comprises the following steps:
Step 301: before authentication, a terminal in the branch office network can access a predefined isolation zone in the headquarters network. The isolation zone refers to the logical resources in the headquarters network whose access is not restricted; it is not shown in Fig. 2.
Step 302: when the terminal accesses restricted resources at headquarters, the smart client (iNode) pre-installed on the terminal initiates an authentication request.
Step 303: after the terminal is successfully authenticated on the iMC security authentication server, the server notifies the EAD control gateway in the branch office network to which the terminal belongs that the terminal is online, issues the agent IP and port, and notifies the terminal to perform a security inspection.
Step 304: the terminal uploads its registration information through the iNode client and requests a security inspection.
Step 305: the EAD security policy component on the iMC security authentication server issues the security policy and other control information to the terminal.
Step 306: the iNode client software on the terminal links with third-party software or customized plug-ins to carry out the security policy check and other functions.
Step 307: the iNode client software on the terminal performs the security inspection on the terminal and reports the result to the iMC security authentication server.
Step 308': the EAD security policy component on the iMC security authentication server compares the security inspection result reported by the terminal with the preset security policy. If the result meets the requirements of the security policy, it issues ACL and VLAN information to the EAD control gateway in the branch office network where the terminal is located, so that the terminal can access the network normally, and the flow ends.
Step 308: the EAD security policy component on the iMC security authentication server compares the security inspection result reported by the terminal with the preset security policy. If the result does not meet the requirements of the security policy, it issues the comparison result to the terminal. The comparison result contains information on the repair files the terminal needs in order to repair itself, and the link addresses of the servers where those repair files are located.
Step 309: the terminal downloads the corresponding repair files from the repair file server according to the processing policy of the security policy indicated by the comparison result, and repairs itself. The repair file server in the headquarters network is placed in the isolation zone so that every terminal in the branch networks can connect to it directly for self-repair.
After self-repair is completed in step 309, step 302 and the subsequent steps are executed again. If the iMC security authentication server, after analysis, considers that the terminal still does not meet the security requirements and the authentication process has exceeded the predetermined time limit, it notifies the iNode client on the terminal, and the iNode client actively goes offline.
It can be seen from the above flow that a terminal in the branch office network must connect to the repair file server in the isolation zone of the headquarters network to repair itself, and can only go online normally or access restricted resources after it meets the preset security policy. Because operating system and anti-virus vendors frequently release system patches and virus signature databases, terminals in the branch networks often need to access the repair file server in the headquarters network to download the relevant system patches, virus signature databases and so on in order to repair themselves. This places a great burden on the valuable and limited WAN bandwidth, and may even occupy normal service bandwidth and affect the enterprise's normal business communication.
To solve this problem, the prior art downloads repair files in a peer-to-peer (P2P) manner. Specifically, a P2P user information table is kept on the iMC security authentication server, recording which terminals have downloaded which repair files. When a terminal in a branch office network needs to download a repair file to repair itself, the iMC security authentication server, according to the P2P user information table, sends the list of IP addresses of the terminals that have already downloaded that repair file to the terminal that needs repair; that terminal selects a peer from the terminal IP list and downloads the repair file from it; if the download fails from every peer in the terminal IP list, it notifies the iMC security authentication server and downloads from the headquarters repair file server.
However, the above scheme of downloading repair files in P2P mode still has the following shortcomings:
First, P2P is an application-layer protocol, and its criteria for selecting a peer are the peer's upstream bandwidth, round-trip delay and so on. The terminal that needs repair cannot actually judge whether each peer in the terminal IP list is inside its own branch network. Selecting peers by criteria such as upstream bandwidth and round-trip delay may therefore pick a peer that is far away in the network while a local peer is ignored, so the WAN bandwidth is still affected.
For example, in Fig. 2, terminal A-1 needs to download a system patch, and the iMC authentication server notifies terminal A-1 that terminals A-2, B-1 and B-2 have this patch. Because A-1 cannot judge location from the IP addresses, it may select B-1 or B-2 to initiate a connection, while A-2 may be ignored because of issues such as upstream bandwidth or round-trip delay. The file download then occupies WAN bandwidth.
Second, when the terminal that needs repair downloads repair files across the WAN, the WAN link bandwidth is small (2M~10M) and unstable, so downloading a large file takes a long time, which may cause the security authentication to time out and fail.
Summary of the invention
The invention provides a wide area network EAD authentication method that can save WAN bandwidth and increase the speed of downloading repair files.
The invention also provides a wide area network EAD authentication system that can save WAN bandwidth and increase the speed of downloading repair files.
The invention also provides a terminal that can save WAN bandwidth and increase the speed of downloading repair files.
To achieve the above objects, the technical scheme of the present invention is specifically implemented as follows:
The invention discloses a wide area network EAD authentication method. On the iMC security authentication server in the headquarters network, each repair file identification is recorded in correspondence with the user names of the online terminals that have downloaded that repair file. The method comprises:
the iMC security authentication server receives the security inspection result reported by a terminal in a branch office network and, on determining that the result does not comply with the preset security policy and that the terminal needs to download a specified repair file, issues a peer-to-peer (P2P) user information table to the terminal; the P2P user information table contains the user names of the online terminals that have downloaded the specified repair file;
the terminal queries the EAD control gateway of its branch network for the terminal IP addresses corresponding to the user names in the P2P user information table that belong to that branch network;
the terminal receives the local IP address table returned by the EAD control gateway, connects to the relevant terminals according to this table, downloads the specified repair file, repairs itself, and performs EAD authentication again.
The invention discloses a wide area network EAD authentication system. The system comprises an iMC security authentication server belonging to the headquarters network, and a terminal and an EAD control gateway belonging to the same branch office network; the terminal communicates with the iMC security authentication server through the EAD control gateway, and on the iMC security authentication server each repair file identification is recorded in correspondence with the user names of the online terminals that have downloaded that repair file. Wherein:
the terminal is used to report its own security inspection result to the iMC security authentication server and to receive the peer-to-peer (P2P) user information table issued by the iMC security authentication server;
the iMC security authentication server is used to issue the P2P user information table to the terminal after determining that the security inspection result reported by the terminal does not comply with the preset security policy and that the terminal needs to download a specified repair file; the P2P user information table contains the user name of each online terminal that has downloaded the specified repair file;
the terminal is used to query the EAD control gateway of its branch network for the terminal IP addresses corresponding to the user names in the P2P user information table that belong to that branch network, to receive the local IP address table returned by the EAD control gateway, and to connect to the relevant terminals according to this table, download the specified repair file, repair itself and perform EAD authentication again;
the EAD control gateway is used to send the local IP address table to the terminal in response to the terminal's query; the local IP address table contains the terminal IP addresses corresponding to the user names in the P2P user information table that belong to that branch network.
The invention also discloses a terminal belonging to a branch office network, comprising an EAD authentication module, a query module and a download module, wherein:
the EAD authentication module is used to report the terminal's security inspection result to the iMC security authentication server of the headquarters network, to receive the peer-to-peer (P2P) user information table issued by the iMC security authentication server, and to pass the P2P user information table to the query module;
the P2P user information table is issued by the iMC security authentication server after it determines that the security inspection result does not comply with the preset security policy and that the terminal needs to download a specified repair file, and contains the user name of each online terminal that has downloaded the specified repair file;
the query module is used to query the EAD control gateway of the branch network for the terminal IP addresses corresponding to the user names in the P2P user information table that belong to that branch network, to receive the local IP address table returned by the EAD control gateway, and to pass the local IP address table to the download module;
the download module is used to connect to the relevant terminals according to the local IP address table and download the specified repair file, and, after the terminal has been repaired, to notify the EAD authentication module to perform EAD authentication again.
It can be seen from the above technical scheme that, in the present invention, after the EAD security inspection determines that the terminal needs to download a specified repair file, the iMC security authentication server issues to the terminal a P2P user information table containing the user names of the terminals that have downloaded that repair file; the terminal then queries the EAD control gateway of its branch network for the terminal IP addresses corresponding to the user names in the table that belong to that branch network, receives the local IP address table returned by the gateway, connects to the relevant terminals according to it, downloads the specified repair file, repairs itself and performs EAD authentication again. As a result, any repair file is transmitted only once over the link between a branch office network and the headquarters network, which greatly saves WAN bandwidth, and the download of repair files takes place inside the branch network, which greatly increases download speed.
Description of drawings
Fig. 1 is a schematic diagram of prior-art network access control networking of LAN scope;
Fig. 2 is a schematic diagram of prior-art network access control networking of WAN scope;
Fig. 3 is a schematic diagram of a prior-art WAN EAD authentication flow;
Fig. 4 is a flow chart of a wide area network EAD authentication method according to an embodiment of the invention;
Fig. 5 is a flow chart of wide area network EAD authentication in an embodiment of the invention;
Fig. 6 is a block diagram of the composition of a wide area network EAD authentication system according to an embodiment of the invention;
Fig. 7 is a block diagram of the composition of a terminal according to an embodiment of the invention.
Embodiment
Fig. 4 is a flow chart of a wide area network EAD authentication method according to an embodiment of the invention. The method is applied while the iMC security authentication server in the headquarters network performs an EAD security inspection on a terminal in a branch office network, and on the iMC security authentication server each repair file identification is recorded in correspondence with the user names of the terminals that have downloaded that repair file. As shown in Fig. 4, the method comprises:
Step 401: the iMC security authentication server receives the security inspection result reported by a terminal in the branch office network and, on determining that the result does not comply with the preset security policy and that the terminal needs to download a specified repair file, issues a peer-to-peer (P2P) user information table to the terminal; the table contains the user names of the terminals that have downloaded the specified repair file.
Step 402: the terminal queries the EAD control gateway of its branch network for the terminal IP addresses corresponding to the user names in the P2P user information table that belong to that branch network.
In this step, because the EAD control gateway is responsible for recording the details of each authenticated user in the branch office network, including user name and IP address, it can identify which user names in the P2P user information table belong to that branch network, together with the terminal IP addresses corresponding to those user names, and it returns the corresponding local IP address table.
Step 403: the terminal receives the local IP address table returned by the EAD control gateway, connects to the relevant terminals according to this table, downloads the specified repair file, repairs itself and performs EAD authentication again.
In this step, if the local IP address table contains the IP addresses of several local terminals, the terminal may select one or more of them to connect to, according to the peer selection principles of existing P2P technology, and download the specified repair file from them.
In the scheme of Fig. 4, because the P2P traffic for downloading repair files is confined to the interior of the branch office network, bandwidth occupancy on the WAN link is greatly reduced and the download speed of repair files is increased.
It can be seen from the flow of Fig. 4 that on the iMC security authentication server each repair file identification is recorded in correspondence with the user names of the terminals that have downloaded that repair file; that is, a P2P user information table for each repair file must be maintained on the iMC security authentication server. Although this part is the same as in the prior art, it is briefly described here with reference to Fig. 2, in two stages, to make the technical scheme of the invention clearer:
First stage: referring to Fig. 2, the enterprise has deployed a new repair file A, that is, repair file A has been deployed on the repair file server and no terminal has yet downloaded and installed it. Terminal A-2 is a terminal that does not meet the enterprise requirement to install repair file A. When terminal A-2 wants to access the network, it initiates EAD authentication and an EAD security inspection with the iMC security authentication server. After EAD authentication passes, the EAD security inspection is performed: terminal A-2 inspects itself and reports the result to the iMC security authentication server; the server compares the reported result with the configured security policy and finds that terminal A-2 has not installed repair file A; the server then checks which users the P2P user information entry corresponding to repair file A records as having downloaded the file. Because terminal A-2 is the first terminal applying to download repair file A, no user name has yet been recorded in the P2P user information entry corresponding to repair file A, so the iMC security policy server redirects terminal A-2 to the headquarters repair file server so that terminal A-2 can download the file and repair itself, and at the same time records the user name of terminal A-2 in the P2P user information entry corresponding to repair file A to indicate that terminal A-2 has downloaded repair file A.
An example of a P2P user information table is shown in Table 1:
[Table 1: P2P user information table (image in the original, not reproduced here)]
As shown in Table 1, the P2P user information table may also contain a user online status column indicating whether the terminal that has downloaded the specified file is currently online. The iMC security authentication server can determine whether a terminal is online according to existing schemes, for example according to the authentication process.
Second stage: referring to Fig. 2, terminal A-1 has not installed repair file A, but at this point terminals A-2, B-1 and B-2 have installed it. When terminal A-1 wants to access the network, it initiates EAD authentication and an EAD security inspection with the iMC security authentication server. After EAD authentication passes, the EAD security inspection is performed: terminal A-1 inspects itself and reports the result to the iMC security authentication server; the server compares the reported result with the configured security policy and finds that terminal A-1 has not installed the repair file A required by the security policy; the server checks which users the P2P user information entry corresponding to repair file A records as having downloaded the file, and finds that terminals A-2, B-1 and B-2 have installed repair file A and are currently online. However, the iMC security authentication server does not know the physical location of these terminals, so it packs the P2P user information entry containing the user names of these terminals and sends it to terminal A-1. If terminal A-1 downloads the repair file successfully, it sends an acknowledgement message to the iMC security authentication server, which also records the IP address of terminal A-1 in the P2P user information entry corresponding to repair file A for later use. That is, after a terminal successfully downloads a repair file it sends an acknowledgement message to the iMC security authentication server, which then records, in correspondence, the user name of the terminal that sent the acknowledgement and the identification of the repair file it downloaded. Alternatively, in other embodiments of the invention, when a terminal passes EAD authentication the iMC security authentication server records, in correspondence, the identifications of all repair files that the security policy requires the terminal to install and the user name of that terminal. This is because a terminal that passes EAD authentication must have fully downloaded and installed all repair files required by the EAD security policy; otherwise it could not have passed.
The above two stages explain the process by which the iMC security authentication server maintains the P2P user information table. According to the scheme of the invention, in the second stage above, after terminal A-1 receives the P2P user information table packed and sent by the iMC security authentication server, it queries EAD control gateway A of its own branch office network A as to which user names in the P2P user information table correspond to terminals in the local branch office network. Because EAD control gateway A is responsible for recording the details of each authenticated user in branch office network A, including user name and IP address, it can distinguish by IP address which terminals belong to branch office network A, and sends the IP address of terminal A-2, which belongs to branch office network A, to terminal A-1 in the form of a local IP address table. Terminal A-1 can then connect to the relevant terminal A-2 according to this local IP address table and download the specified repair file. This avoids terminal A-1 downloading the file from the distant terminals B-1 and B-2 and adding to the WAN bandwidth burden. If none of the terminals corresponding to the user names in the P2P user information table is local, the EAD control gateway sends terminal A-1 the IP address of the pre-configured headquarters repair file server, and terminal A-1 downloads repair file A directly from that server. This guarantees that only one copy of repair file A is transmitted over the link between branch office network A and the headquarters network.
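The two stages and the gateway-side lookup described above, as an added Python simulation that is not the patent's code and not H3C's iMC or iNode implementation: the class names, message shapes, user names, the repair file identification and all IP addresses (including the headquarters repair file server address) are constructed for illustration. It models the P2P user information table as one set of user names per repair file with an online flag (Table 1), the EAD control gateway's mapping of those user names to the IP addresses of terminals it authenticated itself with fallback to the pre-configured headquarters repair file server, and the acknowledgement that records a terminal under the file after a successful download. The policy comparison of steps 307 to 309 is reduced to a set difference between required and installed repair files.

```python
"""Added example: simulation of the WAN EAD repair-file flow (Fig. 2 / Fig. 4).
Not the patent's or H3C's code; names, table shapes and addresses are constructed."""

HQ_REPAIR_SERVER = "10.0.0.10"  # constructed address of the headquarters repair file server


class IMCServer:
    """Headquarters iMC security authentication server (simplified)."""

    def __init__(self):
        self.p2p_tables = {}  # repair file id -> set of user names that downloaded it
        self.online = set()   # user names currently online (known from authentication)

    def set_online(self, username, is_online):
        if is_online:
            self.online.add(username)
        else:
            self.online.discard(username)

    def p2p_table_for(self, file_id):
        """Table 1 for one repair file: user name -> online status."""
        users = self.p2p_tables.get(file_id, set())
        return {u: (u in self.online) for u in sorted(users)}

    def handle_inspection(self, installed, required):
        """Steps 307/308: compare the report with the policy, one instruction per
        missing file. 'redirect' to headquarters when no online holder exists yet
        (first stage), otherwise 'p2p' with the user-name table (second stage)."""
        instructions = {}
        for file_id in sorted(required - installed):
            holders = {u: on for u, on in self.p2p_table_for(file_id).items() if on}
            if holders:
                instructions[file_id] = ("p2p", holders)
            else:
                instructions[file_id] = ("redirect", HQ_REPAIR_SERVER)
        return instructions

    def acknowledge_download(self, username, file_id):
        """A terminal confirmed a successful download: record it under the file."""
        self.p2p_tables.setdefault(file_id, set()).add(username)


class EADControlGateway:
    """Branch EAD control gateway; knows user name -> IP only for users it authenticated."""

    def __init__(self, name):
        self.name = name
        self.authenticated = {}

    def authenticate(self, username, ip):
        self.authenticated[username] = ip

    def local_ip_table(self, p2p_table):
        """Step 402: keep only user names this branch authenticated and return their
        IPs; if none is local, return the pre-configured headquarters server instead."""
        local = [self.authenticated[u] for u in p2p_table if u in self.authenticated]
        return local if local else [HQ_REPAIR_SERVER]


def repair_terminal(imc, gateway, username, file_id, installed, required):
    """Run the flow for one terminal; return the address list it downloads from."""
    instructions = imc.handle_inspection(installed, required)
    if file_id not in instructions:
        return []  # compliant: nothing to download
    kind, payload = instructions[file_id]
    sources = [payload] if kind == "redirect" else gateway.local_ip_table(payload)
    imc.acknowledge_download(username, file_id)  # step 403: download succeeded
    return sources


def scenario():
    """The two stages of Fig. 2 with constructed user names and addresses."""
    imc = IMCServer()
    gw_a, gw_b, gw_c = (EADControlGateway(n) for n in "ABC")
    terminals = [(gw_a, "A-1", "192.168.1.11"), (gw_a, "A-2", "192.168.1.12"),
                 (gw_b, "B-1", "192.168.2.11"), (gw_b, "B-2", "192.168.2.12"),
                 (gw_c, "C-1", "192.168.3.11")]
    for gw, user, ip in terminals:
        gw.authenticate(user, ip)
        imc.set_online(user, True)
    req, results = {"repair-file-A"}, {}
    # First stage: nobody holds repair file A yet -> A-2 is redirected to headquarters.
    # Branch B then fetches one copy (B-1) and B-2 gets it from B-1 locally.
    # Second stage: A-1 receives {A-2, B-1, B-2}; gateway A returns only A-2's address.
    # C-1 sits in a branch with no local holder and falls back to headquarters.
    for gw, user in [(gw_a, "A-2"), (gw_b, "B-1"), (gw_b, "B-2"), (gw_a, "A-1"), (gw_c, "C-1")]:
        results[user] = repair_terminal(imc, gw, user, "repair-file-A", set(), req)
    return results


if __name__ == "__main__":
    for user, sources in scenario().items():
        print(f"{user} downloads repair-file-A from {sources}")
```

Running the module prints one line per constructed terminal: A-2 and B-1 fetch repair file A from headquarters, once per branch, while A-1 and B-2 fetch it from the peer in their own branch and C-1 falls back to headquarters because its gateway authenticated no holder. The gateway decides locality from its own authentication records rather than from the IP addresses in a peer list, which is exactly the judgement the prior-art peer selection in the background could not make.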
To make the technical scheme of the present invention clearer, the complete EAD authentication flow performed according to the scheme of the present invention is given below, taking terminal A-3 in Fig. 2 as an example.
Fig. 5 is a flow chart of wide area network EAD authentication in an embodiment of the present invention. As shown in Fig. 5, the flow comprises the following steps:
Step 501: before authentication, terminal A-3 in branch network A can access only a predefined isolation area in the headquarters network.
Step 502: when terminal A-3 accesses restricted resources at headquarters, the SmartClient (iNode) pre-installed on terminal A-3 initiates an authentication request.
Step 503: after terminal A-3 is successfully authenticated on the iMC security authentication server, the server notifies EAD control gateway A in branch network A, to which terminal A-3 belongs, that terminal A-3 is online, issues the Agent IP address and port, and notifies terminal A-3 to carry out a security check.
Step 504: terminal A-3 uploads its registration information through its iNode client and requests a security check.
Step 505: the EAD security policy component on the iMC security authentication server issues the security policy and other control information to terminal A-3.
Step 506: the iNode client software on terminal A-3 links with third-party software or custom plug-ins and carries out the security policy check and other functions.
Step 507: the iNode client software on terminal A-3 performs a security check of terminal A-3 and reports the result to the iMC security authentication server.
Step 508': the EAD security policy component on the iMC security authentication server compares the security check result reported by terminal A-3 with the preset security policy. If the result meets the requirements of the security policy, the server issues ACL and VLAN information to EAD control gateway A in branch network A, where terminal A-3 is located, so that terminal A-3 can access the network normally, and the flow ends.
Steps 501 to 507 and 508' above are identical to steps 301 to 307 and 308' in Fig. 3.
Step 508: the EAD security policy component on the iMC security authentication server compares the security check result reported by terminal A-3 with the preset security policy. If the result does not meet the requirements of the security policy and the specified repair file needs to be downloaded and installed, the EAD security policy component queries the P2P user information table corresponding to the specified repair file and sends terminal A-3 the list of user names of the terminals that have downloaded the specified repair file and are currently online.
Step 509: according to the user name list issued by the iMC security authentication server, terminal A-3 queries EAD control gateway A to find out which of those user names correspond to terminals belonging to branch network A.
Step 510: EAD control gateway A sends terminal A-3 the terminal IP address corresponding to each user name in the list that belongs to branch network A.
Step 511: terminal A-3 connects to the terminal at the IP address returned by the EAD control gateway and downloads the specified repair file.
Step 510': if EAD control gateway A finds that none of the terminals corresponding to the user names in the list belongs to branch network A, it sends terminal A-3 the IP address of the pre-configured headquarters repair file server.
Step 511': terminal A-3 connects to the headquarters repair file server and downloads the specified repair file.
After terminal A-3 has downloaded the specified repair file in step 511 or 511' and installed it to repair itself, it executes step 502 and the subsequent steps again until the repair succeeds.
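As an added example (not code from the patent or from H3C), the following Python sketch models the two ways the iMC security authentication server populates its P2P user information table (a download acknowledgement, or a terminal passing EAD authentication) together with the gateway-side resolution of steps 509 to 511': the gateway keeps only user names whose authenticated address lies inside its own branch prefix and falls back to the pre-configured headquarters repair file server when none do. All user names, addresses and file identifiers are constructed; the `verify_repair_file` digest check is an assumption a practitioner would add before installing a file fetched from a peer, not something the patent specifies.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
import hashlib


@dataclass
class IMCServer:
    """Headquarters iMC security authentication server (constructed model).

    For each repair file identifier it keeps the user names of the terminals
    that hold that file, which is what the P2P user information table is built from.
    """
    downloaded: dict = field(default_factory=lambda: defaultdict(set))
    online: set = field(default_factory=set)

    def record_ack(self, user: str, file_id: str) -> None:
        """First recording method: a terminal acknowledges a successful download."""
        self.downloaded[file_id].add(user)

    def record_pass(self, user: str, required_files) -> None:
        """Second recording method: a terminal passed EAD authentication, so it
        must hold every repair file the security policy requires."""
        for file_id in required_files:
            self.downloaded[file_id].add(user)

    def p2p_user_table(self, file_id: str) -> list:
        """Step 508: user names that hold file_id and are currently online."""
        return sorted(u for u in self.downloaded.get(file_id, ()) if u in self.online)


@dataclass
class EADControlGateway:
    """Branch EAD control gateway (constructed model): user name -> IP address of
    every user authenticated through it, plus the pre-configured headquarters
    repair file server address."""
    branch_prefix: str
    authenticated: dict
    repair_server_ip: str

    def resolve(self, p2p_table) -> tuple:
        """Steps 509-510': ('local', [peer IPs]) when listed users are in this
        branch, otherwise ('headquarters', [repair file server IP])."""
        net = ip_network(self.branch_prefix)
        local = [
            self.authenticated[u]
            for u in p2p_table
            if u in self.authenticated and ip_address(self.authenticated[u]) in net
        ]
        if local:
            return ("local", local)
        return ("headquarters", [self.repair_server_ip])


def verify_repair_file(data: bytes, expected_sha256: str) -> bool:
    """Assumed addition, not in the patent: compare a peer-supplied file against a
    digest the terminal trusts (e.g. one issued with the security policy), so that
    a peer cannot substitute a different file for the required repair file."""
    return hashlib.sha256(data).hexdigest() == expected_sha256


def demo():
    """Walk terminal A-3 through the flow for two repair files (constructed data)."""
    imc = IMCServer()
    imc.record_ack("userA2", "fileA")                 # A-2 acknowledged a download
    imc.record_ack("userB1", "fileA")                 # B-1 did too, but sits in branch B
    imc.record_pass("userB2", ["fileA", "fileB"])     # B-2 passed EAD authentication
    imc.online.update({"userA2", "userB1", "userB2"})

    gw_a = EADControlGateway(
        branch_prefix="10.1.0.0/16",
        authenticated={"userA2": "10.1.0.12", "userA3": "10.1.0.13"},
        repair_server_ip="10.0.0.5",                  # headquarters repair file server
    )
    table_a = imc.p2p_user_table("fileA")             # A-2, B-1 and B-2 hold file A
    table_b = imc.p2p_user_table("fileB")             # only B-2 holds file B
    return table_a, gw_a.resolve(table_a), gw_a.resolve(table_b)


if __name__ == "__main__":
    print(demo())
```

In `demo()` the first lookup resolves to the local peer A-2 only, so the wide area link is not used; the second finds no local holder and resolves to the headquarters repair file server, which is the patent's single-transfer guarantee in miniature.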
As can be seen from the above embodiments, the technical scheme of the present invention guarantees that any repair file is transmitted only once over the link between a branch network and the headquarters network, reduces the wide area network bandwidth consumed by downloading repair files, preserves bandwidth for the enterprise's regular traffic, and performs file downloads within the branch network as far as possible, which largely avoids EAD authentication failures caused by download timeouts.
Based on the above embodiments, the composition of a wide area network EAD authentication system and of a terminal according to the present invention is described below by means of structural block diagrams.
Fig. 6 is a structural block diagram of a wide area network EAD authentication system according to an embodiment of the present invention. As shown in Fig. 6, the system comprises: an iMC security authentication server belonging to the headquarters network, and a terminal and an EAD control gateway belonging to the same branch network. The terminal communicates with the iMC security authentication server through the EAD control gateway, and the iMC security authentication server records, for each repair file identifier, the user names of the terminals that have downloaded the corresponding repair file.
In Fig. 6, the terminal is used to perform a security check on itself during the EAD security check stage of EAD authentication and report the result to the iMC security authentication server, and to receive the point-to-point (P2P) user information table issued by the iMC security authentication server;
The iMC security authentication server is used to compare the preset security policy with the security check result reported by the terminal and, after determining that the result does not conform to the preset security policy and that the terminal needs to download the specified repair file, to issue the P2P user information table to the terminal; the P2P user information table comprises the user name corresponding to each terminal that has downloaded the specified repair file;
The terminal is used to query the EAD control gateway of its branch network for the terminal IP addresses corresponding to the user names in the P2P user information table that belong to this branch network, to receive the local IP address table returned by the EAD control gateway, and to connect to the relevant terminal according to this local IP address table, download the specified repair file, repair itself and perform EAD authentication again;
The EAD control gateway is used to send the local IP address table to the terminal in response to the terminal's query; the local IP address table comprises the terminal IP addresses corresponding to those user names in the P2P user information table that belong to this branch network.
In Fig. 6, when the EAD control gateway finds that no user name in the P2P user information table belongs to this branch network, the EAD control gateway is used to return to the terminal the IP address of the repair file server in the headquarters network; the IP address of the repair file server is configured in the EAD control gateway in advance. The terminal is used to connect to the repair file server, download the specified repair file, repair itself and perform EAD authentication again.
In Fig. 6, the P2P user information table issued by the iMC security authentication server to the terminal contains the user name corresponding to each terminal that has downloaded the specified repair file and is currently online.
In Fig. 6, the terminal is used to send an acknowledgement message to the iMC security authentication server after successfully downloading the repair file; the iMC security authentication server is used to record the user name of the terminal that sent the acknowledgement message together with the identifier of the repair file it downloaded. Alternatively, the iMC security authentication server is used, when a terminal passes EAD authentication, to record one by one the identifiers of all repair files that the security policy requires the terminal to install, together with the user name of the terminal that passed EAD authentication.
Fig. 7 is a structural block diagram of a terminal according to an embodiment of the present invention. The terminal belongs to a branch network and, as shown in Fig. 7, comprises: an EAD authentication module 701, an enquiry module 702 and a download module 703.
In Fig. 7, EAD authentication module 701 is used to report the security check result of the terminal to the iMC security authentication server in the headquarters network, to receive the point-to-point (P2P) user information table issued by the iMC security authentication server, and to send the P2P user information table to enquiry module 702;
The P2P user information table is issued by the iMC security authentication server after it has determined that the security check result does not conform to the preset security policy and that the terminal needs to download the specified repair file; the P2P user information table comprises the user name corresponding to each terminal that has downloaded the specified repair file;
Enquiry module 702 is used to query the EAD control gateway of this branch network for the terminal IP addresses corresponding to the user names in the P2P user information table that belong to this branch network, to receive the local IP address table returned by the EAD control gateway, and to send the local IP address table to download module 703;
Download module 703 is used to connect to the relevant terminal according to the local IP address table and download the specified repair file and, after the terminal has been repaired, to notify EAD authentication module 701 to perform EAD authentication again.
In Fig. 7, enquiry module 702 is further used to receive the IP address of the repair file server in the headquarters network returned by the EAD control gateway and to send this IP address to download module 703; the EAD control gateway returns the IP address of the repair file server when it finds that no user name in the P2P user information table belongs to this branch network. Download module 703 is used to connect to the repair file server and download the specified repair file and, after the terminal has been repaired, to notify EAD authentication module 701 to perform EAD authentication again.
In summary, in the present invention, after the EAD security check determines that the terminal needs to download the specified repair file, the iMC security authentication server issues the P2P user information table to the terminal; the P2P user information table comprises the user names of the terminals that have downloaded the specified repair file. The terminal then queries the EAD control gateway of its branch network for the terminal IP addresses corresponding to the user names in the P2P user information table that belong to this branch network, receives the local IP address table returned by the EAD control gateway, connects to the relevant terminal according to this local IP address table, downloads the specified repair file, repairs itself and performs EAD authentication again. This technical scheme ensures that any repair file is transmitted only once over the link between a branch network and the headquarters network, so wide area network bandwidth is greatly saved, and because repair file downloads take place within the branch network, download speed is greatly improved.
The above are merely preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement or the like made within the spirit and principle of the present invention shall be included within the scope of protection of the present invention.

Claims (8)

1. A wide area network endpoint access domination (EAD) authentication method, characterized in that an intelligent management center (iMC) security authentication server in a headquarters network records, for each repair file identifier, the user names of the online terminals that have downloaded the corresponding repair file, and the method comprises:
the iMC security authentication server receives the security check result reported by a terminal in a branch network and, on determining that the security check result does not conform to a preset security policy and that the terminal needs to download a specified repair file, issues a point-to-point (P2P) user information table to the terminal, the P2P user information table comprising the user names of the online terminals that have downloaded the specified repair file;
the terminal queries the EAD control gateway of its branch network for the terminal IP addresses corresponding to the user names in the P2P user information table that belong to this branch network;
the terminal receives the local IP address table returned by the EAD control gateway, connects to the relevant terminal according to the local IP address table, downloads the specified repair file, repairs itself and performs EAD authentication again.
2. The method of claim 1, characterized in that, when the EAD control gateway finds that no user name in the P2P user information table belongs to this branch network, the method further comprises:
the terminal receives the IP address of a repair file server in the headquarters network returned by the EAD control gateway, the IP address of the repair file server being configured in the EAD control gateway in advance;
the terminal connects to the repair file server and downloads the specified repair file.
3. The method of claim 1 or claim 2, characterized in that
the terminal sends an acknowledgement message to the iMC security authentication server after successfully downloading the repair file, and the iMC security authentication server records the user name of the terminal that sent the acknowledgement message together with the identifier of the repair file it downloaded;
or, when a terminal passes EAD authentication, the iMC security authentication server records one by one the identifiers of all repair files that the security policy requires the terminal to install, together with the user name of the terminal that passed EAD authentication.
4. A wide area network EAD authentication system, characterized in that the system comprises: an iMC security authentication server belonging to a headquarters network, and a terminal and an EAD control gateway belonging to the same branch network, the terminal communicating with the iMC security authentication server through the EAD control gateway, and the iMC security authentication server recording, for each repair file identifier, the user names of the online terminals that have downloaded the corresponding repair file; wherein
the terminal is used to report its security check result to the iMC security authentication server and to receive the point-to-point (P2P) user information table issued by the iMC security authentication server;
the iMC security authentication server is used, on determining that the security check result reported by the terminal does not conform to the preset security policy and that the terminal needs to download the specified repair file, to issue the P2P user information table to the terminal, the P2P user information table comprising the user name of each online terminal that has downloaded the specified repair file;
the terminal is used to query the EAD control gateway of its branch network for the terminal IP addresses corresponding to the user names in the P2P user information table that belong to this branch network, to receive the local IP address table returned by the EAD control gateway, and to connect to the relevant terminal according to the local IP address table, download the specified repair file, repair itself and perform EAD authentication again;
the EAD control gateway is used to send the local IP address table to the terminal in response to the terminal's query, the local IP address table comprising the terminal IP addresses corresponding to those user names in the P2P user information table that belong to this branch network.
5. The system of claim 4, characterized in that, when the EAD control gateway finds that no user name in the P2P user information table belongs to this branch network,
the EAD control gateway is used to return to the terminal the IP address of a repair file server in the headquarters network, the IP address of the repair file server being configured in the EAD control gateway in advance;
the terminal is used to connect to the repair file server, download the specified repair file, repair itself and perform EAD authentication again.
6. The system of claim 4 or 5, characterized in that
the terminal is used to send an acknowledgement message to the iMC security authentication server after successfully downloading the repair file, and the iMC security authentication server is used to record the user name of the terminal that sent the acknowledgement message together with the identifier of the repair file it downloaded;
or, the iMC security authentication server is used, when a terminal passes EAD authentication, to record one by one the identifiers of all repair files that the security policy requires the terminal to install, together with the user name of the terminal that passed EAD authentication.
7. A terminal belonging to a branch network, characterized in that the terminal comprises: an EAD authentication module, an enquiry module and a download module, wherein
the EAD authentication module is used to report the security check result of the terminal to the iMC security authentication server in the headquarters network, to receive the point-to-point (P2P) user information table issued by the iMC security authentication server, and to send the P2P user information table to the enquiry module;
the P2P user information table is issued by the iMC security authentication server after it has determined that the security check result does not conform to the preset security policy and that the terminal needs to download the specified repair file, and the P2P user information table comprises the user name of each online terminal that has downloaded the specified repair file;
the enquiry module is used to query the EAD control gateway of this branch network for the terminal IP addresses corresponding to the user names in the P2P user information table that belong to this branch network, to receive the local IP address table returned by the EAD control gateway, and to send the local IP address table to the download module;
the download module is used to connect to the relevant terminal according to the local IP address table and download the specified repair file and, after the terminal has been repaired, to notify the EAD authentication module to perform EAD authentication again.
8. The terminal of claim 7, characterized in that
the enquiry module is further used to receive the IP address of a repair file server in the headquarters network returned by the EAD control gateway and to send this IP address to the download module, the EAD control gateway returning the IP address of the repair file server when it finds that no user name in the P2P user information table belongs to this branch network;
the download module is used to connect to the repair file server and download the specified repair file and, after the terminal has been repaired, to notify the EAD authentication module to perform EAD authentication again.
CN2009100873755A 2009-06-19 2009-06-19 Wide area network endpoint access domination (EAD) authentication method, system and terminal Expired - Fee Related CN101582891B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009100873755A CN101582891B (en) 2009-06-19 2009-06-19 Wide area network endpoint access domination (EAD) authentication method, system and terminal


Publications (2)

Publication Number Publication Date
CN101582891A CN101582891A (en) 2009-11-18
CN101582891B true CN101582891B (en) 2012-05-23

Family

ID=41364854





Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
    Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.
    Patentee after: Xinhua three Technology Co., Ltd.
    Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base
    Patentee before: Huasan Communication Technology Co., Ltd.
CF01 Termination of patent right due to non-payment of annual fee
    Granted publication date: 20120523
    Termination date: 20200619