CN101741726B - Access control method for supporting multiple controlled ports and system thereof - Google Patents

Info

Publication number
CN101741726B
Authority
CN
China
Prior art keywords
terminal
controlled ports
controlled
ports
end points
Prior art date
Legal status
Active
Application number
CN2009102195732A
Other languages
Chinese (zh)
Other versions
CN101741726A (en)
Inventor
肖跃雷
曹军
黄振海
铁满霞
葛莉
Current Assignee
China Iwncomm Co Ltd
Original Assignee
China Iwncomm Co Ltd
Priority date 2009-12-18
Filing date 2009-12-18
Publication date 2012-11-14
Application filed by China Iwncomm Co Ltd
Priority to CN2009102195732A
Priority to PCT/CN2010/073252 (WO2011072512A1)
Publication of CN101741726A
Application granted
Publication of CN101741726B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL

Abstract

The invention provides an access control method for supporting multiple controlled ports, characterized by comprising the following steps: 1) a PAE of an end point A, a PAE of an end point B and an end point S exchange authentication data; and 2) after the authentication process is finished, the end point A controls the authorized or unauthorized state of each controlled port in the end point A according to the authentication result of the end point S, wherein a controlled port in the unauthorized state cannot use the service provided by the end point B; and the end point B controls the authorized or unauthorized state of each controlled port in the end point B according to the authentication result of the end point S, wherein a controlled port in the unauthorized state cannot provide the service to the end point A. The invention thereby provides an access control method for supporting multiple controlled ports, and a system thereof, with good expansibility, applicability and forward compatibility.

Description

Access control method supporting multiple controlled ports, and system thereof
Technical field
The invention belongs to the field of network security and relates to an access control method and system supporting multiple controlled ports.
Background art
The IEEE 802.1x protocol is an access control protocol based on the client/server model; it can restrict unauthorized users or devices from accessing a wired LAN or WLAN through an access port. Before authentication succeeds, the IEEE 802.1x protocol allows only Extensible Authentication Protocol (EAP) data to pass through the uncontrolled ports of the client system and the authenticator system; after authentication succeeds, service data can pass through the controlled ports of the client system and the authenticator system. The client, authenticator and authentication server systems of the IEEE 802.1x protocol are shown in Fig. 1, where PAE (Port Access Entity) denotes a port access entity. The IEEE 802.1x protocol can be used by one system to authenticate any other system connected to a controlled port of that system, and the system may be a router, terminal device, switch, WAP, wireless base station, gateway, application program, etc.
Because IEEE 802.1x fits only the client/server authentication framework, it is not suitable for a tri-party authentication framework such as the tri-element authentication framework of the Chinese WLAN standard. Therefore an access control method suited to the tri-party authentication framework, the Access Control method based on Tri-element Peer Authentication (TePA-AC), has been proposed. Before authentication succeeds, TePA-AC allows only Tri-element Authentication Extensible Protocol (TAEP) data to pass through the uncontrolled ports of the requester system and the authentication access controller system; after authentication succeeds, service data can pass through the controlled ports of the requester system and the authentication access controller system. The requester, authentication access controller and authentication server systems of TePA-AC are shown in Fig. 2. TePA-AC can be used by one system to authenticate any other system connected to a controlled port of that system, and the system may be a router, terminal device, switch, WAP, wireless base station, gateway, application program, etc.
Each physical port of a system can be divided into two logical ports, a controlled port and an uncontrolled port, and every frame received on the physical port is delivered to both the controlled port and the uncontrolled port. The uncontrolled port can pass authentication process data. Access through the controlled port is subject to the authorization state of the controlled port. The PAE of the authenticator or of the authentication access controller controls the authorized or unauthorized state of the controlled port according to the result of the authentication process at the authentication server. A controlled port in the unauthorized state cannot pass service data, whereas a controlled port in the authorized state allows service data to pass.
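The port structure just described, as an added example that is not code from the patent or from the IEEE 802.1x standard: one physical port is modelled as an uncontrolled logical port that passes only authentication-protocol frames and a controlled logical port that passes service frames only while the PAE has put it in the authorized state. The EAPOL EtherType 0x888E is the real value IEEE 802.1X uses for EAP over LAN; the frame payloads and the `PhysicalPort`, `PAE` and `trace_session` names are constructed for this example.

```python
# Added example (not code from the patent): background-art port model with one
# uncontrolled logical port (authentication data only) and one controlled
# logical port (service data, only while authorized).
from dataclasses import dataclass
from enum import Enum

# Real EtherType used by IEEE 802.1X for EAP-over-LAN (EAPOL) frames.
EAPOL_ETHERTYPE = 0x888E
# Real IPv4 EtherType, used here to stand for service (data-plane) traffic.
IPV4_ETHERTYPE = 0x0800


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"


@dataclass(frozen=True)
class Frame:
    ethertype: int
    payload: bytes


class PhysicalPort:
    """One physical port with its two logical ports (hypothetical model)."""

    def __init__(self):
        # The controlled port starts unauthorized: no service data passes
        # before the authentication process has completed.
        self.controlled_state = PortState.UNAUTHORIZED

    def uncontrolled_port(self, frame):
        # Always open, but only to authentication-protocol data. Everything
        # else is ignored here; it is the controlled port's business.
        return frame.ethertype == EAPOL_ETHERTYPE

    def controlled_port(self, frame):
        # Passes service data only in the authorized state. Authentication
        # frames are not service data, so they are not counted as passed here.
        return (self.controlled_state is PortState.AUTHORIZED
                and frame.ethertype != EAPOL_ETHERTYPE)

    def receive(self, frame):
        """Offer a received frame to both logical ports and return the set of
        receivers that got it: 'pae' via the uncontrolled port, 'service' via
        the controlled port. An empty set means the frame was dropped."""
        passed = set()
        if self.uncontrolled_port(frame):
            passed.add("pae")
        if self.controlled_port(frame):
            passed.add("service")
        return frozenset(passed)


class PAE:
    """Port Access Entity: applies the authentication server's verdict to the
    controlled port (hypothetical, simplified PAE)."""

    def __init__(self, port):
        self.port = port

    def apply_result(self, authenticated):
        self.port.controlled_state = (PortState.AUTHORIZED if authenticated
                                      else PortState.UNAUTHORIZED)
        return self.port.controlled_state


def trace_session(authenticated):
    """One constructed session: a service frame before authentication, an
    EAPOL frame during it, the server verdict, then a service frame after."""
    port = PhysicalPort()
    pae = PAE(port)
    service = Frame(IPV4_ETHERTYPE, b"constructed service payload")
    eapol = Frame(EAPOL_ETHERTYPE, b"\x02\x00\x00\x04constructed EAP")
    before = port.receive(service)   # dropped: controlled port unauthorized
    during = port.receive(eapol)     # reaches the PAE via the uncontrolled port
    pae.apply_result(authenticated)
    after = port.receive(service)    # passes only if the verdict was success
    return before, during, after


if __name__ == "__main__":
    for verdict in (True, False):
        print("authenticated =", verdict, "->", trace_session(verdict))
```

Note that the verdict only ever changes what the controlled port does; the uncontrolled port's behaviour is the same before and after, which is what lets the authentication protocol itself run on a port that is otherwise closed.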
The above service data may need to be controlled further, e.g. controlling different kinds of service data separately. The Trusted Network Connect (TNC) standard, a network connection standard formulated by the international Trusted Computing Group (TCG) on the basis of trusted computing technology, requires that application service data and isolation service data be controlled in a trusted network connection. However, such further control of service data cannot be achieved with the IEEE 802.1x protocol or with TePA-AC.
Summary of the invention
To solve the above technical problem in the background art, the invention provides an access control method supporting multiple controlled ports, and a system thereof, with good expandability, applicability and forward compatibility.
The technical solution of the invention is as follows. The invention provides an access control method supporting multiple controlled ports, characterized in that the method comprises the following steps:
1) the PAE of terminal A, the PAE of terminal B and end point S exchange authentication data;
2) after the authentication process is completed, terminal A controls the authorized or unauthorized state of each controlled port in terminal A according to the authentication result of end point S, and a controlled port in the unauthorized state cannot use the service provided by terminal B; terminal B controls the authorized or unauthorized state of each controlled port in terminal B according to the authentication result of end point S, and a controlled port in the unauthorized state cannot provide service to terminal A.
In step 2) above, terminal A puts only one controlled port in terminal A into the authorized state according to the authentication result of end point S.
In step 2) above, terminal B puts only one controlled port in terminal B into the authorized state according to the authentication result of end point S.
An access control system supporting multiple controlled ports, characterized in that the system comprises terminal A, terminal B and end point S. Terminal A comprises two or more controlled ports, each of which uses one service of terminal B; the PAE of terminal A controls the authorized or unauthorized state of each controlled port according to the result of the authentication process at end point S; a controlled port in the unauthorized state cannot use the service of terminal B, and the controlled ports of terminal A are mutually exclusive. Terminal B comprises two or more controlled ports, each of which provides one service to terminal A; the PAE of terminal B controls the authorized or unauthorized state of each controlled port according to the result of the authentication process at end point S; a controlled port in the unauthorized state cannot provide service to terminal A, and the controlled ports of terminal B are mutually exclusive.
The advantages of the invention are:
1. Good expandability and applicability. The system provided by the invention defines multiple controlled ports, and they are mutually exclusive, so that service data can be controlled further; this gives good expandability and applicability.
2. Good forward compatibility. The control function of the invention is the same for every controlled port, so forward compatibility with the IEEE 802.1x protocol and TePA-AC can be achieved.
Description of drawings
Fig. 1 is a schematic diagram of the client, authenticator and authentication server systems of the IEEE 802.1x protocol in the prior art;
Fig. 2 is a schematic diagram of the requester, authentication access controller and authentication server systems of TePA-AC in the prior art;
Fig. 3 is a schematic diagram of the port control system provided by the invention.
Embodiment
Referring to Fig. 3, the invention provides an access control system supporting multiple controlled ports. The system comprises terminal A, which defines two or more controlled ports, each of which uses one service of terminal B; the PAE of terminal A controls the authorized or unauthorized state of each controlled port according to the result of the authentication process at end point S, and a controlled port in the unauthorized state cannot use the service of terminal B. The controlled ports of terminal A are mutually exclusive, i.e. at most one controlled port is allowed to be in the authorized state.
Besides terminal A, the system also comprises terminal B, which defines two or more controlled ports, each of which provides one service to terminal A; the PAE of terminal B controls the authorized or unauthorized state of each controlled port according to the result of the authentication process at end point S, and a controlled port in the unauthorized state cannot provide service to terminal A. The controlled ports of terminal B are mutually exclusive, i.e. at most one controlled port is allowed to be in the authorized state.
When the invention is implemented on the basis of the IEEE 802.1x protocol, terminal A, terminal B and end point S in Fig. 3 correspond respectively to the client, the authenticator and the authentication server of the IEEE 802.1x protocol, and the concrete steps are as follows:
1) the PAE of the client, the PAE of the authenticator and the authentication server exchange EAP data; the authenticator only needs to transparently forward the EAP data sent by the PAE of the client and the PAE of the authenticator, so that unidirectional authentication of the client by the authentication server, or mutual authentication between the authentication server and the client, is achieved.
2) after the authentication process is completed, the client controls the authorized or unauthorized state of each controlled port in the client according to the authentication result of the authentication server: a controlled port in the unauthorized state cannot use the service provided by the authenticator, i.e. cannot pass service data, while a controlled port in the authorized state can use the service provided by the authenticator, i.e. can pass service data; the authenticator controls the authorized or unauthorized state of each controlled port in the authenticator according to the authentication result of the authentication server: a controlled port in the unauthorized state cannot provide service to the client, i.e. cannot pass service data, while a controlled port in the authorized state can provide service to the client, i.e. can pass service data.
In step 2), the client can put only one controlled port in the client into the authorized state. In step 2), the authenticator can put only one controlled port in the authenticator into the authorized state.
When the invention is implemented on the basis of TePA-AC, terminal A, terminal B and end point S in Fig. 3 correspond respectively to the requester, the authentication access controller and the authentication server in the IEEE 802.1x protocol, and the concrete steps are as follows:
1) the PAE of the requester, the PAE of the authentication access controller and the authentication server exchange TAEP data; the authentication access controller needs to take part in the authentication process, i.e. it needs to parse and process the TAEP data sent by the PAE of the requester and the PAE of the authentication access controller, so that mutual authentication between the requester and the authentication access controller is achieved.
2) after the authentication process is completed, the requester controls the authorized or unauthorized state of each controlled port in the requester according to the authentication result of the authentication server: a controlled port in the unauthorized state cannot use the service provided by the authentication access controller, i.e. cannot pass service data, while a controlled port in the authorized state can use the service provided by the authentication access controller, i.e. can pass service data; the authentication access controller controls the authorized or unauthorized state of each controlled port in the authentication access controller according to the authentication result of the authentication server: a controlled port in the unauthorized state cannot provide service to the requester, i.e. cannot pass service data, while a controlled port in the authorized state can provide service to the requester, i.e. can pass service data.
In step 2), the requester can put only one controlled port in the requester into the authorized state. In step 2), the authentication access controller can put only one controlled port in the authentication access controller into the authorized state.
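The step 2) behaviour described in the Summary and in both embodiments (IEEE 802.1x and TePA-AC), as an added example that is not code from the patent: terminal A and terminal B each hold one controlled port per service, and each PAE, on receiving end point S's result, puts at most one port into the authorized state and every other port into the unauthorized state, so that service data of a given kind flows only when both sides' ports for that service are authorized. The example generalizes the patent's "two or more" to any number of services. The shape of the result from end point S (a success flag plus the name of the granted service), the TNC-style service names "isolation" and "application", and the `MultiPortTerminal`, `AuthResult` and `run_authentication` names are assumptions of this example, not of the patent.

```python
# Added example (not code from the patent): a terminal with several mutually
# exclusive controlled ports, one per service, driven by the authentication
# server's result. The result format below is an assumption of this example.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"


@dataclass(frozen=True)
class AuthResult:
    """Verdict from end point S (assumed format, not from the patent)."""
    success: bool
    granted_service: Optional[str] = None


class MultiPortTerminal:
    """Terminal A or terminal B: one controlled port per service."""

    def __init__(self, name, services):
        self.name = name
        # Every controlled port starts unauthorized; nothing passes before
        # the authentication process has completed.
        self.ports: Dict[str, PortState] = {
            s: PortState.UNAUTHORIZED for s in services}

    def pae_apply(self, result):
        """The PAE sets exactly one port authorized on success (all others
        unauthorized) and every port unauthorized on failure or on an
        unknown service name. Returns the service whose port is now open."""
        for service in self.ports:
            self.ports[service] = PortState.UNAUTHORIZED
        if result.success and result.granted_service in self.ports:
            self.ports[result.granted_service] = PortState.AUTHORIZED
        # Mutual exclusion invariant from the patent: at most one authorized.
        assert self.authorized_count() <= 1, "controlled ports must be exclusive"
        return self.authorized_port()

    def authorized_count(self):
        return sum(1 for s in self.ports.values() if s is PortState.AUTHORIZED)

    def authorized_port(self):
        for service, state in self.ports.items():
            if state is PortState.AUTHORIZED:
                return service
        return None

    def port_open(self, service):
        return self.ports.get(service) is PortState.AUTHORIZED


def service_data_passes(terminal_a, terminal_b, service):
    """Service data of one kind flows only if A's controlled port for that
    service may use it and B's controlled port for that service may provide it."""
    return terminal_a.port_open(service) and terminal_b.port_open(service)


def run_authentication(terminal_a, terminal_b, result):
    """Step 2): after the exchange with end point S, both PAEs apply S's
    result. Returns, per service of terminal B, whether data now passes."""
    terminal_a.pae_apply(result)
    terminal_b.pae_apply(result)
    return {s: service_data_passes(terminal_a, terminal_b, s)
            for s in terminal_b.ports}


# Constructed service names in the spirit of TNC's isolation/application split.
SERVICES = ("isolation", "application")

if __name__ == "__main__":
    a = MultiPortTerminal("A", SERVICES)
    b = MultiPortTerminal("B", SERVICES)
    print(run_authentication(a, b, AuthResult(True, "isolation")))
    print(run_authentication(a, b, AuthResult(True, "application")))
    print(run_authentication(a, b, AuthResult(False)))
```

Forward compatibility falls out of the same code: a terminal constructed with a single service has one controlled port, and the PAE then behaves exactly like the single-port model of IEEE 802.1x or TePA-AC.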

Claims (2)

1. An access control method supporting multiple controlled ports, characterized in that the method comprises the following steps:
1) the PAE of terminal A, the PAE of terminal B and end point S perform mutual authentication, wherein said terminal A and terminal B each define two or more controlled ports, and said controlled ports define only an authorized state and an unauthorized state;
2) after the authentication process is completed, terminal A controls the authorized or unauthorized state of each controlled port in terminal A according to the authentication result of end point S; a controlled port in the unauthorized state cannot use the service provided by terminal B, and said terminal A is allowed to put only one controlled port in terminal A into the authorized state according to the authentication result of end point S; terminal B controls the authorized or unauthorized state of each controlled port in terminal B according to the authentication result of end point S; a controlled port in the unauthorized state cannot provide service to terminal A, and said terminal B is allowed to put only one controlled port in terminal B into the authorized state according to the authentication result of end point S.
2. An access control system supporting multiple controlled ports, characterized in that the system comprises terminal A, terminal B and end point S; said terminal A and terminal B each comprise two or more controlled ports, and said controlled ports define only an authorized state and an unauthorized state;
each controlled port of said terminal A uses one service of terminal B; the PAE of said terminal A controls the authorized or unauthorized state of each controlled port according to the result of the authentication process at end point S; a controlled port in the unauthorized state cannot use the service of terminal B; the controlled ports of said terminal A are mutually exclusive, and said terminal A puts only one controlled port in terminal A into the authorized state according to the authentication result of end point S; said terminal B comprises two or more controlled ports, each of which provides one service to terminal A; the PAE of said terminal B controls the authorized or unauthorized state of each controlled port according to the result of the authentication process at end point S; a controlled port in the unauthorized state cannot provide service to terminal A, the controlled ports of said terminal B are mutually exclusive, and said terminal B puts only one controlled port in terminal B into the authorized state according to the authentication result of end point S.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN2009102195732A CN101741726B (en) 2009-12-18 2009-12-18 Access control method for supporting multiple controlled ports and system thereof
PCT/CN2010/073252 WO2011072512A1 (en) 2009-12-18 2010-05-26 Access control method supporting multiple controlled ports and system thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009102195732A CN101741726B (en) 2009-12-18 2009-12-18 Access control method for supporting multiple controlled ports and system thereof

Publications (2)

Publication Number Publication Date
CN101741726A CN101741726A (en) 2010-06-16
CN101741726B true CN101741726B (en) 2012-11-14

Family

ID=42464635

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009102195732A Active CN101741726B (en) 2009-12-18 2009-12-18 Access control method for supporting multiple controlled ports and system thereof

Country Status (2)

Country Link
CN (1) CN101741726B (en)
WO (1) WO2011072512A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102223636B (en) * 2011-07-20 2013-10-23 广州杰赛科技股份有限公司 Realization method and system for security access protocol of wireless metropolitan area network

Citations (1)

Publication number Priority date Publication date Assignee Title
CN101572704A (en) * 2009-06-08 2009-11-04 西安西电捷通无线网络通信有限公司 Access control method suitable for tri-element peer authentication trusted network connect architecture

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
US7447177B2 (en) * 2003-08-26 2008-11-04 Intel Corporation Method and apparatus of secure roaming
EP1635528A1 (en) * 2004-09-13 2006-03-15 Alcatel A method to grant access to a data communication network and related devices
US8607058B2 (en) * 2006-09-29 2013-12-10 Intel Corporation Port access control in a shared link environment
CN101022340B (en) * 2007-03-30 2010-11-24 武汉烽火网络有限责任公司 Intelligent control method for realizing city Ethernet exchanger switch-in security

Also Published As

Publication number Publication date
CN101741726A (en) 2010-06-16
WO2011072512A1 (en) 2011-06-23

Similar Documents

Publication Publication Date Title
CA2784664C (en) Establishing connectivity between an enterprise security perimeter of a device and an enterprise
CN103139872B (en) The cut-in method to wireless network based on shared communication and wireless terminal device
EP2814273A1 (en) Method of connecting an appliance to a WIFI network
US8601103B2 (en) Method, apparatus and system for distributing and enforcing authenticated network connection policy
EP2846586B1 (en) A method of accessing a network securely from a personal device, a corporate server and an access point
JP2005025739A5 (en)
CN101841815A (en) Cluster controlling method based on wireless router and network system
JP2005348397A (en) Portable computing device and operating method for radio communication
RU2010143265A (en) INITIALIZING WIRELESS CONNECTIVITY FOR DEVICES USING CLUB
WO2014026438A1 (en) Mobile terminal for transmitting wifi hotspot key or certificate by using nfc
CN106453376B (en) A kind of stateless scanning filter method based on TCP packet feature
EP2234438B1 (en) Wireless personal area network accessing method
CN101854732A (en) Method for accessing wired Ethernet through WiFi wireless network
EP2442516A1 (en) Access control method for tri-element peer authentication credible network connection structure
US9961546B2 (en) System and method for rapid authentication in wireless communications
US20120054359A1 (en) Network Relay Device and Frame Relaying Control Method
US20170339566A1 (en) Wireless terminal
CN104488302A (en) Wireless connection authentication method and server
US20180014355A1 (en) Method and apparatus for data exchange between gateways
CN110461024A (en) Method, router and the smart machine that smart machine is connect automatically with router
WO2014151591A2 (en) A device, a system and a related method for dynamic traffic mirroring and policy, and the determination of applications running on a network
CN106533894B (en) A kind of instant messaging system of completely new safety
CN101860551A (en) Multi-user authentication method and system under single access port
CN103081520A (en) Network access
CN101741726B (en) Access control method for supporting multiple controlled ports and system thereof

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant