CN101741726A - Access control method for supporting multiple controlled ports and system thereof - Google Patents


Info

Publication number: CN101741726A
Authority: CN (China)
Prior art keywords: terminal, controlled ports, ports, controlled, unauthorized state
Legal status: Granted
Application number: CN200910219573A
Other languages: Chinese (zh)
Other versions: CN101741726B (en)
Inventors: 肖跃雷, 曹军, 黄振海, 铁满霞, 葛莉
Current assignee: China Iwncomm Co Ltd
Original assignee: China Iwncomm Co Ltd
Priority date: 2009-12-18
Filing date: 2009-12-18
Publication date: 2010-06-16
Application filed by China Iwncomm Co Ltd
Priority to CN2009102195732A (CN101741726B)
Priority to PCT/CN2010/073252 (WO2011072512A1)
Publication of CN101741726A
Application granted
Publication of CN101741726B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL


Abstract

The invention provides an access control method supporting multiple controlled ports, comprising the following steps: 1) the PAE of end point A, the PAE of end point B and end point S exchange authentication data; and 2) after the authentication process is finished, end point A sets each controlled port in end point A to the authorized or unauthorized state according to the authentication result of end point S, where a controlled port in the unauthorized state cannot use the service provided by end point B; and end point B sets each controlled port in end point B to the authorized or unauthorized state according to the authentication result of end point S, where a controlled port in the unauthorized state cannot provide its service to end point A. The invention thus provides an access control method supporting multiple controlled ports, and a system for it, with good extensibility, applicability and forward compatibility.

Description

Access control method supporting multiple controlled ports, and system thereof
Technical field
The invention belongs to the field of network security and relates to an access control method, and a system, that support multiple controlled ports.
Background art
The IEEE 802.1x protocol is an access control protocol based on a client/server model; it can prevent unauthorized users or devices from accessing a wired LAN or a wireless LAN (WLAN) through an access port. Before authentication succeeds, IEEE 802.1x only allows Extensible Authentication Protocol (EAP) data to pass through the uncontrolled ports of the client system and the authenticator system; after authentication succeeds, service data can pass through the controlled ports of the client system and the authenticator system. The client, authenticator and authentication server systems of IEEE 802.1x are shown in Fig. 1, where PAE stands for Port Access Entity. IEEE 802.1x can be used by one system to authenticate any other system connected to that system's controlled port; such a system may be a router, terminal device, switch, wireless access point (WAP), wireless base station, gateway, application program, and so on.
Because IEEE 802.1x only fits a client/server authentication framework, it is not suitable for a tri-element (three-party) authentication framework such as the three-party authentication framework of the Chinese WLAN standard. Therefore an access control method suited to the tri-element authentication framework, the Access Control method based on Tri-element Peer Authentication (TePA-AC), was proposed. Before authentication succeeds, TePA-AC only allows Tri-element Authentication Extensible Protocol (TAEP) data to pass through the uncontrolled ports of the requester system and the authentication access controller system; after authentication succeeds, service data can pass through the controlled ports of the requester system and the authentication access controller system. The requester, authentication access controller and authentication server systems of TePA-AC are shown in Fig. 2. TePA-AC can likewise be used by one system to authenticate any other system connected to that system's controlled port, and such a system may be a router, terminal device, switch, wireless access point, wireless base station, gateway, application program, and so on.
Each physical port of a system can be divided into two logical ports, a controlled port and an uncontrolled port, and every frame received on the physical port is delivered to both the controlled port and the uncontrolled port. The uncontrolled port passes authentication process data. Access through the controlled port is subject to the controlled port's authorization state: the PAE of the authenticator or of the authentication access controller sets the controlled port to the authorized or unauthorized state according to the authentication server's result. A controlled port in the unauthorized state cannot pass service data; a controlled port in the authorized state allows service data to pass.
The service data above may need finer control, for example control over different kinds of service data. Trusted Network Connect (TNC), the network connection standard based on trusted computing technology formulated by the international Trusted Computing Group (TCG), needs to control application service data and isolation service data within a trusted network connection. However, this finer control of service data cannot be achieved with the IEEE 802.1x protocol or with TePA-AC.
Summary of the invention
To solve the technical problem of the background art described above, the invention provides an access control method, and a system thereof, that support multiple controlled ports and have good extensibility, applicability and forward compatibility.
The technical solution of the invention is as follows. The invention provides an access control method supporting multiple controlled ports, characterised in that it comprises the following steps:
1) the PAE of terminal A, the PAE of terminal B and end point S exchange authentication data;
2) after the authentication process is finished, terminal A sets each controlled port in terminal A to the authorized or unauthorized state according to the authentication result of end point S, and a controlled port in the unauthorized state cannot use the service provided by terminal B; terminal B sets each controlled port in terminal B to the authorized or unauthorized state according to the authentication result of end point S, and a controlled port in the unauthorized state cannot provide its service to terminal A.
In step 2) above, terminal A, according to the authentication result of end point S, puts only one controlled port in terminal A into the authorized state.
In step 2) above, terminal B, according to the authentication result of end point S, puts only one controlled port in terminal B into the authorized state.
An access control system supporting multiple controlled ports, characterised in that it comprises terminal A, terminal B and end point S. Terminal A comprises two or more controlled ports, each of which uses one service of terminal B; the PAE of terminal A sets each controlled port to the authorized or unauthorized state according to the authentication result of end point S; a controlled port in the unauthorized state cannot use the service of terminal B; and the controlled ports of terminal A are mutually exclusive. Terminal B comprises two or more controlled ports, each of which provides one service to terminal A; the PAE of terminal B sets each controlled port to the authorized or unauthorized state according to the authentication result of end point S; a controlled port in the unauthorized state cannot provide its service to terminal A; and the controlled ports of terminal B are mutually exclusive.
The advantages of the invention are:
1. Good extensibility and applicability. The system provided by the invention defines multiple controlled ports that are mutually exclusive, so that service data can be controlled at a finer granularity;
2. Good forward compatibility. The invention applies the same control function to every controlled port, so it remains forward compatible with the IEEE 802.1x protocol and with TePA-AC.
Description of drawings
Fig. 1 is a schematic diagram of the client, authenticator and authentication server systems of the IEEE 802.1x protocol in the prior art;
Fig. 2 is a schematic diagram of the requester, authentication access controller and authentication server systems of TePA-AC in the prior art;
Fig. 3 is a schematic diagram of the port control system provided by the invention.
Embodiment
Referring to Fig. 3, the invention provides an access control system supporting multiple controlled ports. The system comprises terminal A, which defines two or more controlled ports, each of which uses one service of terminal B. The PAE of terminal A sets each controlled port to the authorized or unauthorized state according to the authentication result of end point S, and a controlled port in the unauthorized state cannot use the service of terminal B. The controlled ports of terminal A are mutually exclusive, that is, at most one controlled port is allowed to be in the authorized state.
Besides terminal A, the system comprises terminal B, which defines two or more controlled ports, each of which provides one service to terminal A. The PAE of terminal B sets each controlled port to the authorized or unauthorized state according to the authentication result of end point S, and a controlled port in the unauthorized state cannot provide its service to terminal A. The controlled ports of terminal B are mutually exclusive, that is, at most one controlled port is allowed to be in the authorized state.
When the invention is implemented on the IEEE 802.1x protocol, terminal A, terminal B and end point S in Fig. 3 correspond respectively to the client, authenticator and authentication server of the IEEE 802.1x protocol, and the concrete steps are as follows:
1) the PAE of the client, the PAE of the authenticator and the authentication server exchange EAP data; the authenticator only needs to transparently forward the EAP data sent by the PAE of the client and by the PAE of the authenticator, achieving one-way authentication of the client by the authentication server or mutual authentication between the authentication server and the client.
2) after the authentication process is finished, the client sets each controlled port in the client to the authorized or unauthorized state according to the authentication result of the authentication server: a controlled port in the unauthorized state cannot use the service provided by the authenticator, that is, it cannot pass service data, while a controlled port in the authorized state can use the service provided by the authenticator, that is, it can pass service data. The authenticator sets each controlled port in the authenticator to the authorized or unauthorized state according to the authentication result of the authentication server: a controlled port in the unauthorized state cannot provide its service to the client, that is, it cannot pass service data, while a controlled port in the authorized state can provide its service to the client, that is, it can pass service data.
In step 2), the client can put only one controlled port in the client into the authorized state, and the authenticator can put only one controlled port in the authenticator into the authorized state.
When the invention is implemented on TePA-AC, terminal A, terminal B and end point S in Fig. 3 correspond respectively to the requester, authentication access controller and authentication server of the IEEE 802.1x protocol, and the concrete steps are as follows:
1) the PAE of the requester, the PAE of the authentication access controller and the authentication server exchange TAEP data; here the authentication access controller must take part in the authentication process, that is, it must parse and process the TAEP data sent by the PAE of the requester and by the PAE of the authentication access controller, achieving mutual authentication between the requester and the authentication access controller.
2) after the authentication process is finished, the requester sets each controlled port in the requester to the authorized or unauthorized state according to the authentication result of the authentication server: a controlled port in the unauthorized state cannot use the service provided by the authentication access controller, that is, it cannot pass service data, while a controlled port in the authorized state can use the service provided by the authentication access controller, that is, it can pass service data. The authentication access controller sets each controlled port in the authentication access controller to the authorized or unauthorized state according to the authentication result of the authentication server: a controlled port in the unauthorized state cannot provide its service to the requester, that is, it cannot pass service data, while a controlled port in the authorized state can provide its service to the requester, that is, it can pass service data.
In step 2), the requester can put only one controlled port in the requester into the authorized state, and the authentication access controller can put only one controlled port in the authentication access controller into the authorized state.
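The following is an added illustration, not code from the patent or from China Iwncomm, of the port model in the background section (one uncontrolled logical port that passes only authentication data, controlled logical ports that pass service data only while authorized) together with the multi-port rule of the embodiment above (one controlled port per service, at most one authorized at a time, each set by the PAE from the authentication server's result). It assumes, which the page does not specify, that end point S's result names the single service to authorize; the service names "application" and "isolation" are taken from the page's TNC example, and the result values are constructed.

```python
"""Toy model of a PAE with multiple mutually exclusive controlled ports.

Added example, not the patent's or Iwncomm's code. Assumption not stated by
the page: the authentication server's result carries the name of the one
service whose controlled port is to be authorized.
"""

from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"


# The uncontrolled port passes only authentication protocol data:
# EAP under IEEE 802.1x, TAEP under TePA-AC.
AUTH_PROTOCOLS = {"EAP", "TAEP"}


@dataclass
class Frame:
    kind: str                      # "EAP", "TAEP" or "DATA"
    service: Optional[str] = None  # for DATA frames: which service the data belongs to


class PortAccessEntity:
    """PAE of one terminal, holding one controlled port per service."""

    def __init__(self, services: List[str]) -> None:
        # Every controlled port starts unauthorized: before the
        # authentication process completes only EAP/TAEP data can pass.
        self.controlled: Dict[str, PortState] = {
            s: PortState.UNAUTHORIZED for s in services
        }

    def authorized_services(self) -> List[str]:
        return [s for s, st in self.controlled.items() if st is PortState.AUTHORIZED]

    def apply_auth_result(self, result: dict) -> None:
        """Step 2 of the method: set every controlled port from the result.
        All ports are reset to unauthorized first, then at most the one
        service named in a successful result is authorized, which is what
        makes the controlled ports mutually exclusive."""
        for s in self.controlled:
            self.controlled[s] = PortState.UNAUTHORIZED
        if result.get("success") and result.get("service") in self.controlled:
            self.controlled[result["service"]] = PortState.AUTHORIZED
        # Invariant from the page: at most one controlled port is authorized.
        assert len(self.authorized_services()) <= 1

    def passes(self, frame: Frame) -> bool:
        """A received frame is offered to the uncontrolled port and to every
        controlled port; return whether any logical port lets it through."""
        if frame.kind in AUTH_PROTOCOLS:
            return True  # uncontrolled port is always open to authentication data
        if frame.kind == "DATA":
            # Service data needs the controlled port of that service to be authorized.
            return self.controlled.get(frame.service) is PortState.AUTHORIZED
        return False


def run_scenario() -> dict:
    """Walk terminal A (service user) and terminal B (service provider) through
    one authentication with constructed results from end point S."""
    a = PortAccessEntity(["application", "isolation"])
    b = PortAccessEntity(["application", "isolation"])
    out = {}
    # Before authentication: EAP passes, service data does not.
    out["auth_before"] = a.passes(Frame("EAP"))
    out["data_before"] = a.passes(Frame("DATA", "application"))
    # Constructed result: the peer is admitted to the isolation service only.
    result = {"success": True, "service": "isolation"}
    a.apply_auth_result(result)
    b.apply_auth_result(result)
    out["a_authorized"] = a.authorized_services()
    out["b_authorized"] = b.authorized_services()
    out["isolation_after"] = a.passes(Frame("DATA", "isolation")) and b.passes(Frame("DATA", "isolation"))
    out["application_after"] = a.passes(Frame("DATA", "application"))
    # A later result moving the peer to the application service: the authorized
    # port swaps, the two never overlap.
    a.apply_auth_result({"success": True, "service": "application"})
    out["a_after_switch"] = a.authorized_services()
    # A failed result closes every controlled port again.
    a.apply_auth_result({"success": False})
    out["a_after_failure"] = a.authorized_services()
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Resetting all ports before authorizing one is the simplest way to guarantee the mutual-exclusion property the page claims; a design that toggled ports individually would have to check the invariant on every change instead.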

Claims (4)

1. An access control method supporting multiple controlled ports, characterised in that it comprises the following steps:
1) the PAE of terminal A, the PAE of terminal B and end point S exchange authentication data;
2) after the authentication process is finished, terminal A sets each controlled port in terminal A to the authorized or unauthorized state according to the authentication result of end point S, and a controlled port in the unauthorized state cannot use the service provided by terminal B; terminal B sets each controlled port in terminal B to the authorized or unauthorized state according to the authentication result of end point S, and a controlled port in the unauthorized state cannot provide its service to terminal A.
2. The access control method supporting multiple controlled ports according to claim 1, characterised in that in step 2) terminal A, according to the authentication result of end point S, puts only one controlled port in terminal A into the authorized state.
3. The access control method supporting multiple controlled ports according to claim 1, characterised in that in step 2) terminal B, according to the authentication result of end point S, puts only one controlled port in terminal B into the authorized state.
4. An access control system supporting multiple controlled ports, characterised in that it comprises terminal A, terminal B and end point S. Terminal A comprises two or more controlled ports, each of which uses one service of terminal B; the PAE of terminal A sets each controlled port to the authorized or unauthorized state according to the authentication result of end point S; a controlled port in the unauthorized state cannot use the service of terminal B; and the controlled ports of terminal A are mutually exclusive. Terminal B comprises two or more controlled ports, each of which provides one service to terminal A; the PAE of terminal B sets each controlled port to the authorized or unauthorized state according to the authentication result of end point S; a controlled port in the unauthorized state cannot provide its service to terminal A; and the controlled ports of terminal B are mutually exclusive.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN2009102195732A CN101741726B (en) 2009-12-18 2009-12-18 Access control method for supporting multiple controlled ports and system thereof
PCT/CN2010/073252 WO2011072512A1 (en) 2009-12-18 2010-05-26 Access control method supporting multiple controlled ports and system thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009102195732A CN101741726B (en) 2009-12-18 2009-12-18 Access control method for supporting multiple controlled ports and system thereof

Publications (2)

Publication Number Publication Date
CN101741726A true CN101741726A (en) 2010-06-16
CN101741726B CN101741726B (en) 2012-11-14

Family

ID=42464635

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009102195732A Active CN101741726B (en) 2009-12-18 2009-12-18 Access control method for supporting multiple controlled ports and system thereof

Country Status (2)

Country Link
CN (1) CN101741726B (en)
WO (1) WO2011072512A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102223636A (en) * 2011-07-20 2011-10-19 广州杰赛科技股份有限公司 Realization method and system for security access protocol of wireless metropolitan area network

Family Cites Families (5)

Publication number Priority date Publication date Assignee Title
US7447177B2 (en) * 2003-08-26 2008-11-04 Intel Corporation Method and apparatus of secure roaming
EP1635528A1 (en) * 2004-09-13 2006-03-15 Alcatel A method to grant access to a data communication network and related devices
US8607058B2 (en) * 2006-09-29 2013-12-10 Intel Corporation Port access control in a shared link environment
CN101022340B (en) * 2007-03-30 2010-11-24 武汉烽火网络有限责任公司 Intelligent control method for realizing city Ethernet exchanger switch-in security
CN101572704B (en) * 2009-06-08 2012-05-23 西安西电捷通无线网络通信股份有限公司 Access control method suitable for tri-element peer authentication trusted network connect architecture

Non-Patent Citations (1)

Title
黄振海等: "三元对等鉴别及访问控制方法国际提案进展", 《信息技术与标准化》 *

Cited By (2)

Publication number Priority date Publication date Assignee Title
CN102223636A (en) * 2011-07-20 2011-10-19 广州杰赛科技股份有限公司 Realization method and system for security access protocol of wireless metropolitan area network
CN102223636B (en) * 2011-07-20 2013-10-23 广州杰赛科技股份有限公司 Realization method and system for security access protocol of wireless metropolitan area network

Also Published As

Publication number Publication date
CN101741726B (en) 2012-11-14
WO2011072512A1 (en) 2011-06-23


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant