CN102318314A - Method and devices for handling access authorities - Google Patents

Info

Publication number: CN102318314A
Authority: CN (China)
Prior art keywords: address, terminal, access, status checkout, pool
Legal status: Granted
Application number: CN2011800011960A
Other languages: Chinese (zh)
Other versions: CN102318314B (en)
Inventor: 唐鹏合
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The invention relates to a method and devices for handling access authorities. The method includes receiving a first access request from a terminal, which carries a first source Internet Protocol (IP) address and a first destination IP address, the former being the terminal's address. Then, based on a preset correspondence between terminal IP addresses and terminal access authorities, a decision is made as to whether to allow the terminal to visit the first destination IP address. This invention aims at saving storage resources of the NAD to ensure its control over terminal access authorities.

Description

Access right control method and equipment
Technical field
The embodiments of the invention relate to the field of information technology, and in particular to an access right control method and equipment.
Background technology
Network Admission Control (NAC) is an "end-to-end" security architecture. The information exchange between a terminal and a network access device (NAD), for example a switch or a router, is carried out through EAPoUDP messages, or through an EAPo802.1X interface (which supports port-based authentication).
In the prior art, a terminal accesses the network through a NAD. An authentication/authorization server (which may be a Remote Authentication Dial In User Service (RADIUS) server or a Terminal Access Controller Access-Control System (TACACS) server) issues to the NAD an Access Control List (ACL) for each terminal. After the NAD receives an access request sent by a terminal, it looks up the ACL of that terminal and decides whether to accept or reject the request. However, the NAD must store the ACL of every terminal, and each time a terminal goes online, goes offline or changes state, the authentication/authorization server must again issue or update that terminal's ACL to the NAD. This may exhaust the resources the NAD has for storing ACLs, after which the NAD can no longer control terminal access.
Summary of the invention
The embodiments of the invention provide an access right control method and equipment, to solve the prior-art problem that the resources for storing ACLs in the NAD are insufficient, so that the NAD cannot control terminal access.
The embodiments of the invention provide an access right control method, comprising:
receiving a first access request sent by a terminal, the first access request carrying a first source Internet Protocol (IP) address and a first destination IP address, where the first source IP address is the IP address of the terminal, and the IP address of the terminal is assigned to the terminal by a network access device from different address segments according to the different access states the terminal is in;
determining, according to a predefined correspondence between terminal IP addresses and terminal access authorities, whether to allow the terminal to access the first destination IP address.
The embodiments of the invention also provide a network access device, comprising:
a receiver, configured to receive a first access request sent by a terminal, the first access request carrying a first source Internet Protocol (IP) address and a first destination IP address, where the first source IP address is the IP address of the terminal, and the IP address of the terminal is assigned to the terminal by the network access device from different address segments according to the different access states the terminal is in;
a processor, configured to determine, according to a predefined correspondence between terminal IP addresses and terminal access authorities, whether to allow the terminal to access the first destination IP address.
Through the access right control method and equipment of the embodiments, the NAD assigns IP addresses to a terminal from different address segments according to the terminal's different access states. When the NAD receives an access request from the terminal, it can control the terminal's access rights according to the predefined correspondence between terminal IP addresses and terminal access authorities. This saves the storage resources of the NAD and ensures that the NAD controls terminal access.
Description of drawings
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings required for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the invention; those of ordinary skill in the art can also obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of an embodiment of the access right control method provided by the invention;
Fig. 2 is a structural diagram of network access control in a local area network (LAN);
Fig. 3a is a flowchart of terminal authentication before the terminal accesses the network, as provided by the invention;
Fig. 3b is a flowchart of the terminal status check during the network access process, as provided by the invention;
Fig. 3c is a flowchart of the process after the terminal has accessed the network, as provided by the invention;
Fig. 4 is a schematic structural diagram of an embodiment of the network access device provided by the invention;
Fig. 5 is a schematic structural diagram of another embodiment of the network access device provided by the invention.
Embodiment
To make the purpose, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Fig. 1 is a flowchart of an embodiment of the access right control method provided by the invention. As shown in Fig. 1, the method comprises:
S101: receiving a first access request sent by a terminal, the first access request carrying a first source IP address and a first destination IP address, where the first source IP address is the IP address of the terminal, and the IP address of the terminal is assigned to the terminal by a network access device from different address segments according to the different access states the terminal is in.
S102: determining, according to a predefined correspondence between terminal IP addresses and terminal access authorities, whether to allow the terminal to access the first destination IP address.
The steps above are executed by the network access device (NAD).
The invention is applicable to various types of local area networks (LANs) such as enterprise networks. Fig. 2 is a structural diagram of network access control in a LAN. As shown in Fig. 2, the LAN may contain servers providing many kinds of information; in the network architecture of Fig. 2, the information is divided into a sensitive information zone, a core information zone and a general information zone, and each zone may contain one or more servers providing information. A terminal accesses the network through the NAD, and the NAD controls the terminal's access to the servers providing information.
When a terminal accesses the network, it can log in to a portal server and enter a username and password there; the portal server sends the username and password entered by the terminal to the NAD through the portal protocol. Alternatively, the terminal can access the NAD directly through the 802.1x protocol: after the NAD returns a response to the terminal, the terminal can send the username and password to the NAD.
Before accessing the network, during the access process and after accessing the network, the terminal is usually in different access states. Specifically, the NAD can send the terminal's username and password to the authorization server (generally a RADIUS server), which authenticates and identifies the terminal. Therefore, before network access, the access state of the terminal can be divided into "before authentication and identification pass" and "after authentication and identification pass". After the terminal passes authentication and identification, the status check server needs to check whether the terminal has violations. Specifically, the status check server triggers the client agent software on the terminal to scan the terminal, for example to check whether the terminal's virus database is out of date, whether security software is not installed, whether various patches are not installed, and so on; after the client agent software finishes scanning the terminal, it sends the scan result to the status check server. If the terminal has no violations, the check result of the status check server is "check passed" and the terminal is in the "status check passed" access state; if the terminal has violations, the terminal is in the "status check violation" access state. After the terminal status check passes, the status check server periodically triggers the client agent software of the terminal to scan the terminal. When a terminal status anomaly is detected, for example when the terminal is infected by a virus, and the abnormal state of the terminal threatens the network, the terminal needs to be isolated and forbidden from accessing the network; the terminal is then in the "status detection abnormal" access state.
When the terminal is in different access states, it usually has different access rights. For example, when the terminal is in the "before authentication and identification pass" access state, the terminal's access right is the public right, and the terminal has the public right whatever its IP address is. The public right means the terminal can access the servers providing shared resources in the LAN; for example, any terminal in an enterprise network has the right to access the company's public resources. When the terminal is in the "after authentication and identification pass" and "before status check pass" access state, the terminal's access right is the user group minimum authorization right. A LAN such as an enterprise network can usually be divided into multiple user groups; for example, the terminals of the company's research and development department can form one user group, the terminals of the marketing department another, and so on. The user group minimum authorization right can be the public right within the user group: a terminal with the user group minimum authorization right can access the servers providing shared resources within its user group. When the terminal is in the "status check passed" access state, the terminal's access right is the user group right; in addition to the servers providing shared resources within the user group, a terminal with the user group right can also access some servers within the user group that provide specific resources. These specific resources may be important information, and can also be set by each user group. When the terminal is in the "status detection abnormal" access state, the terminal's access right is the user group isolation restricted right. When the terminal is in the "status detection abnormal" state but does not harm the network, the terminal's state can be repaired through the status remediation server; if the terminal poses a threat to the network, the terminal can have the public right.
Because the terminal has different access rights in different access states, the NAD can assign the terminal an IP address from a different address segment when the terminal is in a different access state. The NAD can establish in advance the correspondence between terminal IP addresses and terminal access authorities, so that when it receives an access request from the terminal, it can judge from the terminal's IP address whether the terminal has the right to access the destination address.
Specifically, the NAD can locally divide an address pool (which may be all or part of the address range managed by the NAD) into different address segments. Each address segment can correspond to one access state of the terminal, and thus to one access right of the terminal. When the terminal is in that access state, the NAD can assign the terminal an IP address from the corresponding address segment. When the terminal accesses the network and the NAD receives the access request sent by the terminal, the NAD can learn the terminal's access right from the terminal's IP address and then decide, according to that access right, whether to allow the terminal to access the destination address. Alternatively, the address pool (which may be all or part of the address range stored in a storage unit of the authorization server) can be divided into different address segments on the authorization server (RADIUS server). Each address segment can correspond to one access state of the terminal and thus to one access right; when the terminal is in that access state, the authorization server (RADIUS server) can issue an IP address from the corresponding address segment to the NAD, and the NAD assigns that IP address to the terminal.
It should be noted that this embodiment is described using, as examples, the terminal access states "before authentication and identification pass", "after authentication and identification pass", "status check passed" and "status detection abnormal"; correspondingly, the access rights given above for these access states are respectively the public right, the user group minimum authorization right, the user group right and the user group isolation restricted right. It is understood that this embodiment only gives several possible access states of the terminal and their corresponding access rights; in fact, the states of the terminal before, during and after network access can be further subdivided into other access states, and various LANs also define corresponding access rights for the other access states of the terminal. Therefore, the types of terminal access state and their corresponding access rights given in the embodiments of the invention do not limit the invention.
Through the access right control method and equipment of the embodiments, the NAD assigns IP addresses to a terminal from different address segments according to the terminal's different access states. When the NAD receives an access request from the terminal, it can control the terminal's access rights according to the set correspondence between terminal IP addresses and terminal access authorities. This saves the storage resources of the NAD and ensures that the NAD controls terminal access.
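The following is an added example (not code from the patent or from Huawei) of the mechanism described above: the NAD keeps one table mapping address segments to access states and rights, assigns a terminal its address from the segment for its current state, and answers an access request (S101/S102) by looking up the source IP alone. The segment prefixes, destination zones and permission names are constructed for illustration.

```python
"""Added example: address-segment based access control on a NAD.

Not the patent's own code. Prefixes, zone addresses and the contents of
ALLOWED_ZONES are constructed assumptions chosen to illustrate the text.
"""
import ipaddress
from enum import Enum


class AccessState(Enum):
    PRE_AUTH = "before authentication and identification pass"
    AUTHENTICATED = "after authentication and identification pass"
    CHECK_PASSED = "status check passed"
    ABNORMAL = "status detection abnormal"


# Each segment of the local address pool corresponds to one access state and,
# through it, to one access right.  This table is the only access-control
# state the NAD stores; there is no per-terminal ACL (constructed prefixes).
POOL = {
    AccessState.AUTHENTICATED: ipaddress.ip_network("10.0.1.0/24"),  # first segment: temporary addresses
    AccessState.CHECK_PASSED: ipaddress.ip_network("10.0.2.0/24"),   # second segment: normal addresses
    AccessState.ABNORMAL: ipaddress.ip_network("10.0.3.0/24"),       # third segment: isolation addresses
}

PERMISSION_BY_STATE = {
    AccessState.PRE_AUTH: "public",
    AccessState.AUTHENTICATED: "group_minimum",
    AccessState.CHECK_PASSED: "group",
    AccessState.ABNORMAL: "group_isolation",
}

# Destination zones (constructed) and which zones each right may reach.
# Assumption: the isolation right reaches the remediation server only.
ZONES = {
    "public_share": ipaddress.ip_network("192.168.0.0/24"),
    "group_share": ipaddress.ip_network("192.168.10.0/24"),
    "group_specific": ipaddress.ip_network("192.168.20.0/24"),
    "remediation": ipaddress.ip_network("192.168.99.0/24"),
}
ALLOWED_ZONES = {
    "public": {"public_share"},
    "group_minimum": {"public_share", "group_share"},
    "group": {"public_share", "group_share", "group_specific"},
    "group_isolation": {"public_share", "remediation"},
}


class NAD:
    def __init__(self):
        # Simple sequential allocator per segment (illustration only).
        self._next_host = {state: 1 for state in POOL}

    def assign_address(self, state):
        """Hand out the next free address from the segment matching `state`."""
        net = POOL[state]
        host = self._next_host[state]
        if host >= net.num_addresses - 1:
            raise RuntimeError(f"address segment {net} exhausted")
        self._next_host[state] = host + 1
        return net.network_address + host

    @staticmethod
    def permission_for(src_ip):
        """S102: derive the access right from the source IP address alone."""
        ip = ipaddress.ip_address(src_ip)
        for state, net in POOL.items():
            if ip in net:
                return PERMISSION_BY_STATE[state]
        # Any address outside the pool carries only the public right.
        return PERMISSION_BY_STATE[AccessState.PRE_AUTH]

    @classmethod
    def allow(cls, src_ip, dst_ip):
        """S101/S102: decide an access request from (source IP, destination IP)."""
        perm = cls.permission_for(src_ip)
        dst = ipaddress.ip_address(dst_ip)
        for zone in ALLOWED_ZONES[perm]:
            if dst in ZONES[zone]:
                return True
        return False  # destination is in no zone this right may reach
```

Because the decision depends only on which segment the source address falls in, the table size is fixed by the number of states, not by the number of terminals.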
Fig. 3a to Fig. 3c are flowcharts of another embodiment of the access right control method provided by the invention. As shown in Fig. 3a to Fig. 3c, this embodiment gives the complete method by which the NAD assigns IP addresses to the terminal from different address segments according to the terminal's access state before, during and after the terminal accesses the network. The method comprises:
1. Terminal authentication flow before the terminal accesses the network, see Fig. 3a:
S201: the terminal sends an access request to the NAD through the 802.1x protocol, requesting access to the LAN.
The 802.1x protocol is a terminal access method commonly used in the NAC architecture. It is understood that the terminal can also access the LAN through other protocols or interfaces, which are not enumerated one by one in this embodiment.
S202: the NAD returns an access request response to the terminal.
S203: the terminal sends its username and password to the NAD.
S204: the NAD sends the terminal's username and password to the authorization server (which is usually a RADIUS server).
S205: the authorization server authenticates and identifies the terminal according to its username and password.
At this moment the terminal is in the "before authentication and identification pass" access state, and the terminal's access right is the public right.
S206: after the authorization server notifies that the terminal's authentication and identification have passed, the NAD records the terminal's access state as "authentication and identification passed".
S207: the terminal sends a first IP address acquisition request to the NAD through the Dynamic Host Configuration Protocol (DHCP).
In the embodiments of the invention, the NAD can predefine the correspondence between terminal IP addresses and terminal access authorities, so that when the terminal is in different access states, the NAD assigns the terminal an IP address from different address segments of the address pool.
In this embodiment, the NAD can predefine that the IP addresses of a first address segment in the address pool correspond to the "user group minimum authorization right"; when the terminal is in the "authentication and identification passed" access state, the NAD assigns the terminal an IP address from the first address segment. The NAD can predefine that the IP addresses of a second address segment in the address pool correspond to the "user group right"; when the terminal is in the "status check passed" access state, the NAD assigns the terminal an IP address from the second address segment. The NAD can predefine that the IP addresses of a third address segment in the address pool correspond to the "user group isolation restricted right"; when the terminal is in the "status detection abnormal" access state, the NAD assigns the terminal an IP address from the third address segment.
S208: the NAD assigns the terminal an IP address from the first address segment of the address pool according to the terminal's "authentication and identification passed" access state.
It should be noted that after the terminal enters the "authentication and identification passed" access state, the IP address the NAD assigns to the terminal is generally a temporary address.
2. Terminal status check flow during the network access process, see Fig. 3b:
S209: after the terminal obtains the temporary address, the status check server performs a status check on the terminal; if the status check passes, S210 is executed, otherwise S212 is executed.
The process by which the status check server checks the terminal is: the status check server triggers the client agent software on the terminal to scan the terminal, specifically checking whether software of particular types (for example antivirus software) is installed on the terminal, whether the terminal's virus database is up to date, and so on. The NAD can set, according to actual needs in the LAN, the conditions under which a terminal's status check passes or fails. For example, it can be set that the terminal status check fails if the terminal's virus database has not been updated, or that the terminal status check fails if software of a particular type is not installed on the terminal, and so on; these are not enumerated here.
After finishing the scan of the terminal, the client agent software sends the scan result to the status check server.
S210: the status check server sends a terminal status check passed notification message to the NAD through the dynamic authorization change protocol (for example a RADIUS CoA message), and the NAD changes the recorded access state of the terminal to "status check passed".
S211: the NAD assigns the terminal an IP address from the second address segment of the address pool.
The IP address assigned to the terminal by the NAD in S208 is generally a temporary address, and the temporary address is generally used only for interaction with the status server to check the terminal's access state; therefore the lease time of the temporary address can usually be set to a small value (for example 1 minute). After the terminal status check passes and the NAD has received the terminal status check passed notification message sent by the status check server (through a RADIUS CoA message, an extended RADIUS attribute or a similar message), if the NAD receives a DHCP lease renewal message from the terminal, the NAD can return a DHCP negative acknowledgement (NAK) message to the terminal, triggering the terminal to initiate a second IP address acquisition request. The NAD can then assign the terminal an IP address from the second address segment of the address pool; this IP address is generally a normal IP address.
S212: if a violation is found on the terminal during the status check, the NAD does not change the terminal's IP address, and the status remediation server repairs the terminal.
Specifically, the terminal's client agent software interacts with the status remediation server, which guides the terminal through the status repair flow.
S213: after the terminal repair is completed, the status remediation server notifies the status check server to perform a status check on the terminal; if the status check passes, the status check server sends a terminal status check passed notification message to the NAD, and the NAD assigns the terminal an IP address from the second address segment of the address pool.
For the process in S213 by which the NAD assigns the terminal an IP address from the second address segment of the address pool, see the related description in S211.
3. Flow after the terminal has accessed the network, see Fig. 3c:
S214: after the terminal passes the status check and obtains a normal address, it can normally use the network resources of its user group, and the status check server periodically performs status detection on the terminal. When the status check server finds the terminal status abnormal, it judges whether the abnormal state threatens network security; if the abnormal state does not threaten the network, S215 is executed; if it does threaten the network, S216 is executed.
The status check server can interact periodically with the terminal's client agent software to perform periodic status detection on the terminal.
S215: the terminal is repaired through the status remediation server.
S216: the status check server sends a terminal isolation notification message to the NAD through the dynamic authorization protocol (for example a RADIUS CoA (Change of Authorization) message), and the NAD records the change of the terminal status.
When the terminal status is abnormal and threatens the network, the terminal needs to be isolated and forbidden from accessing the network, so as to guarantee the security of the other terminals.
S217 is one possible implementation of isolating the terminal, and S218-S219 are another possible implementation.
S217: the status check server can issue the terminal's access control list (ACL) to the NAD through a method such as the RADIUS CoA protocol, so that when the NAD receives a second access request sent by the terminal, carrying a second source IP address and a second destination IP address, the NAD can decide according to the terminal's ACL whether to allow the terminal to access the second destination IP address.
S218: the NAD sends an extended protocol EAP message to the terminal, triggering the terminal to initiate a first IP address release request and a third IP address acquisition request.
In S218, the IP address the terminal requests to release is the IP address assigned to the terminal by the NAD from the second address segment of the address pool.
S219: the NAD assigns the terminal an IP address from the third address segment of the address pool according to the third IP address acquisition request initiated by the terminal.
Since the IP address the NAD assigns to the terminal from the second address segment of the address pool after the status check passes is a normal IP address with a longer lease, after the status check server detects the terminal anomaly it can notify the NAD device through an extended protocol (for example through an extended RADIUS attribute in a RADIUS CoA message), and the NAD records the terminal status as abnormal. The NAD can then notify the terminal's client agent software through the extended protocol to send a DHCP first IP address release request and to initiate the third IP address acquisition request, and the NAD, according to the terminal's "status detection abnormal" access state, assigns the terminal an IP address from the third address segment of the address pool; this IP address is an isolation address.
S220: the status remediation server performs status repair on the terminal.
Specifically, the client agent software can establish a connection with the status remediation server and complete the terminal repair flow.
S221: after the terminal status is repaired, the status remediation server can instruct the status check server to send a terminal status repair completed notification to the NAD.
S222: the NAD assigns the terminal an IP address from the second address segment of the address pool.
After the terminal status repair is completed, the status check server notifies the NAD device through the dynamic authorization protocol (for example the RADIUS CoA protocol) that the terminal status repair is complete. The NAD can send an EAP extended protocol message to the terminal, triggering the terminal to initiate a second IP address release request and a fourth IP address acquisition request. Specifically, the NAD can extend a self-defined field after the NULL character (character 0) that follows the name field in the data field of the EAP Request message, instructing the terminal agent software to initiate the DHCP application process again. According to the fourth IP address acquisition request initiated by the terminal, the NAD assigns the terminal an IP address from the second address segment of the address pool; this IP address is a normal IP address.
In the access right control method provided by this embodiment, the NAD assigns IP addresses to the terminal from different address segments according to the terminal's different access states. When the NAD receives an access request from the terminal, it can control the terminal's access rights according to the predefined correspondence between terminal IP addresses and terminal access authorities. This saves the storage resources of the NAD and ensures that the NAD controls terminal access. The invention does not require changing the network architecture of an existing LAN, and does not require adding new network devices or upgrading conventional network devices.
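The following is an added example (not code from the patent or from Huawei) that models the NAD side of the Fig. 3a to Fig. 3c flow: a terminal's address is served from the segment for its current access state, a DHCP renewal of the temporary address is answered with a NAK once the status check has passed (S211), and a threatening anomaly or a completed repair triggers a release and re-request that moves the terminal to the isolation or normal segment (S218-S219, S221-S222). The segment prefixes, lease lengths, event names and the NAK-on-state-change rule's implementation are constructed assumptions; the RADIUS CoA and EAP messages are represented only as log entries.

```python
"""Added example: state-driven address assignment on a NAD (Fig. 3a-3c).

Not the patent's own code.  Prefixes, lease lengths and method names are
constructed; the 1-minute temporary lease follows the text's example value.
"""
import ipaddress

TEMP_LEASE_SECONDS = 60        # temporary address lease, "for example 1 minute" (page)
NORMAL_LEASE_SECONDS = 86400   # constructed: a longer lease for normal/isolation addresses

# Constructed address pool: one segment per access state (S207 explanation).
SEGMENTS = {
    "first": ipaddress.ip_network("10.0.1.0/24"),   # temporary addresses
    "second": ipaddress.ip_network("10.0.2.0/24"),  # normal addresses
    "third": ipaddress.ip_network("10.0.3.0/24"),   # isolation addresses
}
SEGMENT_FOR_STATE = {
    "authenticated": "first",   # after S206
    "check_passed": "second",   # after S210 / S213 / S221
    "abnormal": "third",        # after S216
}
LEASE_FOR_SEGMENT = {
    "first": TEMP_LEASE_SECONDS,
    "second": NORMAL_LEASE_SECONDS,
    "third": NORMAL_LEASE_SECONDS,
}


class Terminal:
    """Per-terminal record on the NAD: access state and current lease, no ACL."""

    def __init__(self, name):
        self.name = name
        self.state = "pre_auth"
        self.address = None
        self.segment = None


class NAD:
    def __init__(self):
        self._counters = {seg: 0 for seg in SEGMENTS}
        self.log = []  # control messages the NAD would send (CoA/EAP/DHCP), for inspection

    def _allocate(self, segment):
        self._counters[segment] += 1
        return SEGMENTS[segment].network_address + self._counters[segment]

    def on_auth_passed(self, t):
        """S206: authorization server reports success; NAD records the state."""
        t.state = "authenticated"

    def dhcp_request(self, t):
        """S208/S211/S219/S222: serve an address from the segment for t.state."""
        if t.state not in SEGMENT_FOR_STATE:
            raise ValueError("this example serves addresses only after S206")
        t.segment = SEGMENT_FOR_STATE[t.state]
        t.address = self._allocate(t.segment)
        return str(t.address), LEASE_FOR_SEGMENT[t.segment]

    def dhcp_renew(self, t):
        """S211 detail: if the state has moved to another segment since the
        lease was given, answer NAK so the terminal issues a fresh request."""
        if SEGMENT_FOR_STATE[t.state] != t.segment:
            self.log.append((t.name, "DHCP NAK"))
            return None
        return str(t.address), LEASE_FOR_SEGMENT[t.segment]

    def on_status_check(self, t, passed):
        """S209/S210/S212: a pass changes the state; a violation keeps the
        temporary address while the remediation server repairs the terminal."""
        if passed:
            t.state = "check_passed"

    def on_abnormal(self, t, threatens_network):
        """S214-S219: a harmless anomaly is repaired in place (S215); a
        threatening one is isolated by release + re-request (S216, S218, S219)."""
        if not threatens_network:
            return None
        t.state = "abnormal"
        self.log.append((t.name, "EAP: release address and re-request"))
        return self.dhcp_request(t)  # third IP acquisition request, served from the third segment

    def on_repair_done(self, t):
        """S221/S222: repair complete; release + re-request yields a normal address."""
        t.state = "check_passed"
        self.log.append((t.name, "EAP: release address and re-request"))
        return self.dhcp_request(t)  # fourth IP acquisition request, served from the second segment
```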
It should be noted that, for simplicity of description, each of the foregoing method embodiments is expressed as a series of combinations of actions; those skilled in the art should understand, however, that the present invention is not limited by the described sequence of actions, since according to the present invention some steps may be performed in other orders or simultaneously.
In the above embodiments, the description of each embodiment has its own emphasis; for a part not detailed in one embodiment, refer to the related description of the other embodiments.
One of ordinary skill in the art will appreciate that all or part of the steps for implementing the above method embodiments may be completed by program instructions controlling the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes various media that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.
Fig. 4 is a schematic structural diagram of an embodiment of a network access device provided by the present invention. As shown in Fig. 4, the network access device comprises a receiver 11 and a processor 12.
The receiver 11 is configured to receive a first access request sent by a terminal. The first access request carries a first source Internet Protocol (IP) address and a first destination IP address; the first source IP address is the IP address of the terminal, and the IP address of the terminal is allocated to the terminal by the network access device from different address segments according to the different access states the terminal is in.
The processor 12 is configured to determine, according to a predefined correspondence between terminal IP addresses and terminal access rights, whether to allow the terminal to access the first destination IP address.
Fig. 5 is a schematic structural diagram of another embodiment of a network access device, extended on the basis of Fig. 4. As shown in Fig. 5, the network access device comprises a receiver 11 and a processor 12.
The processor 12 determines, according to the predefined correspondence between terminal IP addresses and terminal access rights, whether to allow the terminal to access the first destination IP address, where the predefined correspondence between terminal IP addresses and terminal access rights may comprise:
if the IP address of the terminal is an arbitrary address, the corresponding terminal access right is the public right;
if the IP address of the terminal lies in the first address segment of the address pool, the corresponding terminal access right is the user-group minimum authorization right;
if the IP address of the terminal lies in the second address segment of the address pool, the corresponding terminal access right is the user-group right;
if the IP address of the terminal lies in the third address segment of the address pool, the corresponding terminal access right is the user-group isolation restricted right.
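The correspondence listed above, written out as a lookup plus the access decision the processor makes on the first access request. This is an added example and not part of the patent: the segment ranges, the destination sets reachable under each right, and the assumption that the user-group right includes the minimum-authorization destinations are all constructed, since the page names the segments and rights but gives neither ranges nor destinations.

```python
"""Added example: segment-based permission lookup for a terminal's first access
request. Segment ranges, destination sets and the ordering of the rights are
constructed assumptions; the patent names the segments and rights only."""
from ipaddress import ip_address, ip_network

# Constructed address pool: three segments, as in the correspondence above.
FIRST_SEGMENT = ip_network("10.10.1.0/24")   # temporary addresses
SECOND_SEGMENT = ip_network("10.10.2.0/24")  # normal addresses
THIRD_SEGMENT = ip_network("10.10.3.0/24")   # isolation addresses

PUBLIC = "public"
GROUP_MINIMUM = "user-group minimum authorization"
GROUP = "user-group"
GROUP_ISOLATED = "user-group isolation restricted"

# Constructed destination sets for each right. Assumption: the user-group right
# includes the minimum-authorization destinations; the isolation right reaches
# only public destinations plus remediation hosts.
PUBLIC_DESTINATIONS = [ip_network("10.0.0.10/32")]       # e.g. DNS / status check server
MINIMUM_DESTINATIONS = [ip_network("10.0.1.0/24")]       # posture-check infrastructure
GROUP_DESTINATIONS = [ip_network("10.20.0.0/16")]        # the group's business resources
REMEDIATION_DESTINATIONS = [ip_network("10.0.2.0/24")]   # patch / repair servers


def permission_for(src_ip: str) -> str:
    """Map the terminal's source address to its right via the segment it lies in;
    an address outside all three segments is 'an arbitrary address' -> public."""
    src = ip_address(src_ip)
    if src in FIRST_SEGMENT:
        return GROUP_MINIMUM
    if src in SECOND_SEGMENT:
        return GROUP
    if src in THIRD_SEGMENT:
        return GROUP_ISOLATED
    return PUBLIC


def _in_any(dst, networks) -> bool:
    return any(dst in net for net in networks)


def allow_access(src_ip: str, dst_ip: str) -> bool:
    """Decide the first access request: is dst reachable under src's right?"""
    dst = ip_address(dst_ip)
    right = permission_for(src_ip)
    if _in_any(dst, PUBLIC_DESTINATIONS):
        return True                      # public destinations are open to every right
    if right == GROUP_MINIMUM:
        return _in_any(dst, MINIMUM_DESTINATIONS)
    if right == GROUP:
        return _in_any(dst, MINIMUM_DESTINATIONS + GROUP_DESTINATIONS)
    if right == GROUP_ISOLATED:
        return _in_any(dst, REMEDIATION_DESTINATIONS)
    return False                         # public right: nothing beyond public destinations
```

Because the right is derived from the source address alone, the scheme is only as strong as the NAD's binding between a terminal and the address it was allocated; a deployment therefore pairs this lookup with a check that a terminal only sends from its leased address (for example, a DHCP lease to port or MAC binding), which the page does not describe and this example does not implement.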
The receiver 11 provided by this embodiment may further be configured to receive one or more of: a first IP address acquisition request sent by the terminal, a terminal state check pass notification message sent by the status check server, a terminal quarantine notification message sent by the status check server, and a terminal state repair completion notice sent by the status check server.
Accordingly, if the receiver 11 receives the first IP address acquisition request sent by the terminal after the terminal has passed authentication and identification, the processor 12 may further be configured to allocate an IP address to the terminal from the first address segment of the address pool. In this case, when the terminal is in the access state "authentication and identification passed", the IP address the processor 12 allocates to the terminal is generally a temporary address, and the lease period of the temporary address is relatively short.
Alternatively, if the receiver 11 receives the terminal state check pass notification message sent by the status check server, the processor 12 allocates an IP address to the terminal from the second address segment of the address pool. When the terminal is in the access state "status check passed", the IP address the processor 12 allocates to the terminal is a normal address.
Alternatively, if the receiver 11 receives the terminal quarantine notification message sent by the status check server, the processor 12 allocates an IP address to the terminal from the third address segment of the address pool. When the terminal is in the access state "status check abnormal", the IP address the processor 12 allocates to the terminal is an isolation address.
Alternatively, if the receiver 11 receives the terminal state repair completion notice sent by the status check server, the processor 12 allocates an IP address to the terminal from the second address segment of the address pool.
The network access device provided by this embodiment may further comprise:
a first transmitter 13, configured to send a DHCP negative acknowledgement (DHCP NAK) message to the terminal if, after the receiver 11 has received the terminal state check pass notification message sent by the status check server, a lease renewal message sent by the terminal is received, the lease renewal message requesting renewal of the lease of the temporary address; the DHCP NAK message triggers the terminal to initiate a second IP address acquisition request. That is, the lease renewal message the receiver 11 receives from the terminal is a renewal request for the temporary address, and the first transmitter 13 sends the DHCP NAK message to the terminal to refuse the terminal's renewal request for the temporary address and trigger the terminal to initiate the second IP address acquisition request.
Accordingly, the processor 12 may further be configured to allocate the normal address to the terminal from the second address segment of the address pool according to the second IP address acquisition request initiated by the terminal.
The network access device provided by this embodiment may further comprise:
a second transmitter 14, configured to send an Extensible Authentication Protocol (EAP) message to the terminal if the receiver 11 receives the terminal quarantine notification message sent by the status check server, so as to trigger the terminal to initiate a first IP address release request and a third IP address acquisition request; the first IP address release request requests release of the normal address.
Accordingly, the processor 12 may further be configured to allocate the isolation address to the terminal from the third address segment of the address pool according to the third IP address acquisition request initiated by the terminal.
The network access device provided by this embodiment may further comprise:
a third transmitter 15, configured to send an EAP message to the terminal if the receiver 11 receives the terminal state repair completion notice sent by the status check server, so as to trigger the terminal to initiate a second IP address release request and a fourth IP address acquisition request; the second IP address release request initiated by the terminal requests release of the isolation address.
Accordingly, the processor 12 may further be configured to allocate the normal address to the terminal from the second address segment of the address pool according to the fourth IP address acquisition request initiated by the terminal.
Further, the receiver 11 may also be configured to receive an access control list (ACL) for the terminal issued by the status check server.
After the receiver 11 has received the ACL for the terminal issued by the status check server, if a second access request sent by the terminal is received, the second access request carrying a second source IP address and a second destination IP address, the processor 12 may further be configured to determine, according to the ACL for the terminal, whether to allow the terminal to access the second destination IP address.
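The event-driven behaviour of the receiver, the processor and the three transmitters described above, gathered into one small model of the NAD: state-dependent allocation from the three segments, the DHCP NAK that refuses renewal of a temporary address once the check has passed, the EAP trigger on quarantine and on repair completion, and the ACL-based decision on the second access request. This is an added example, not the patent's or Huawei's code; the segment ranges, lease lengths, method and message names, and the default-deny semantics of the issued ACL are assumptions.

```python
"""Added example: one NAD walking a terminal through the allocation states the
text describes. Segment ranges, lease lengths, event and message names are
constructed for the example; the page does not fix them."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

FIRST_SEGMENT = ip_network("10.10.1.0/24")   # temporary addresses
SECOND_SEGMENT = ip_network("10.10.2.0/24")  # normal addresses
THIRD_SEGMENT = ip_network("10.10.3.0/24")   # isolation addresses
TEMP_LEASE_S = 60            # assumed short lease for a temporary address
NORMAL_LEASE_S = 8 * 3600    # assumed lease for normal and isolation addresses


@dataclass
class Terminal:
    mac: str
    state: str = "unauthenticated"   # -> authenticated -> check_passed / quarantined
    ip: Optional[str] = None
    lease_s: int = 0
    acl: Optional[List[Tuple[str, str]]] = None   # (action, network) issued by the server


class Nad:
    def __init__(self) -> None:
        self.terminals = {}
        self.sent = []   # (message, mac) pairs the NAD emitted, kept for inspection
        self._next_host = {FIRST_SEGMENT: 10, SECOND_SEGMENT: 10, THIRD_SEGMENT: 10}

    def _terminal(self, mac: str) -> Terminal:
        return self.terminals.setdefault(mac, Terminal(mac))

    def _allocate(self, t: Terminal, segment, lease_s: int) -> str:
        host = self._next_host[segment]
        self._next_host[segment] = host + 1
        t.ip, t.lease_s = str(segment.network_address + host), lease_s
        return t.ip

    # ---- events originating from the terminal ----
    def auth_passed(self, mac: str) -> None:
        self._terminal(mac).state = "authenticated"

    def dhcp_request(self, mac: str) -> Optional[str]:
        """Acquisition request: the terminal's current state selects the segment."""
        t = self._terminal(mac)
        if t.state == "authenticated":
            return self._allocate(t, FIRST_SEGMENT, TEMP_LEASE_S)
        if t.state == "check_passed":
            return self._allocate(t, SECOND_SEGMENT, NORMAL_LEASE_S)
        if t.state == "quarantined":
            return self._allocate(t, THIRD_SEGMENT, NORMAL_LEASE_S)
        return None   # unauthenticated terminals are not served

    def dhcp_renew(self, mac: str) -> str:
        """Renewal of a temporary address after the check has passed is refused with
        DHCP NAK, so the client re-acquires and lands in the second segment."""
        t = self._terminal(mac)
        if t.state == "check_passed" and t.ip and ip_address(t.ip) in FIRST_SEGMENT:
            t.ip = None
            self.sent.append(("DHCPNAK", mac))
            return "DHCPNAK"
        self.sent.append(("DHCPACK", mac))
        return "DHCPACK"

    def dhcp_release(self, mac: str) -> None:
        self._terminal(mac).ip = None

    # ---- notifications from the status check server (e.g. via RADIUS CoA) ----
    def check_passed(self, mac: str) -> None:
        self._terminal(mac).state = "check_passed"

    def quarantine(self, mac: str, acl: Optional[List[Tuple[str, str]]] = None) -> None:
        t = self._terminal(mac)
        t.state, t.acl = "quarantined", acl
        self.sent.append(("EAP-trigger", mac))   # agent must release and re-acquire

    def repair_done(self, mac: str) -> None:
        t = self._terminal(mac)
        t.state, t.acl = "check_passed", None
        self.sent.append(("EAP-trigger", mac))

    def allow(self, mac: str, dst_ip: str) -> bool:
        """Access decision: an issued per-terminal ACL takes precedence; without one,
        only a terminal holding a normal address is allowed through here."""
        t = self._terminal(mac)
        dst = ip_address(dst_ip)
        if t.acl is not None:
            for action, net in t.acl:
                if dst in ip_network(net):
                    return action == "permit"
            return False   # assumed policy: no matching ACL entry means deny
        return t.ip is not None and ip_address(t.ip) in SECOND_SEGMENT
```

Run through in order (authenticate, request, check passed, renew, request, quarantine, release, request, repair, release, request) the model yields the four allocations the text describes: a temporary address, a normal address, an isolation address and a normal address again, with one DHCP NAK and two EAP triggers emitted along the way.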
The network access device provided by this embodiment corresponds to the access right control method provided by the embodiments of the present invention: the network access device is the executing device that implements the access right control method. For the detailed process by which the network access device performs access right control, refer to the method embodiments provided by the present invention; it is not repeated here.
In the embodiments of the present invention, by means of the network access device, the NAD allocates IP addresses to the terminal from different address segments according to the terminal's different access states, so that when the NAD receives an access request from the terminal, it can control the terminal's access rights according to the predefined correspondence between terminal IP addresses and terminal access rights. This saves storage resources on the NAD while ensuring that the NAD controls the terminal's access.
Finally, it should be noted that the above embodiments are only intended to explain the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that modifications may still be made to the technical solutions recorded in the foregoing embodiments, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (19)

1. An access right control method, characterized by comprising:
receiving a first access request sent by a terminal, the access request carrying a first source Internet Protocol (IP) address and a first destination IP address, the first source IP address being the IP address of the terminal, and the IP address of the terminal being allocated to the terminal by a network access device from different address segments according to the different access states the terminal is in;
determining, according to a predefined correspondence between terminal IP addresses and terminal access rights, whether to allow the terminal to access the first destination IP address.
2. The method according to claim 1, characterized in that the correspondence between the IP address of the terminal and the terminal access right comprises:
if the IP address of the terminal is an arbitrary address, the corresponding terminal access right is the public right;
if the IP address of the terminal lies in a first address segment of an address pool, the corresponding terminal access right is the user-group minimum authorization right;
if the IP address of the terminal lies in a second address segment of the address pool, the corresponding terminal access right is the user-group right;
if the IP address of the terminal lies in a third address segment of the address pool, the corresponding terminal access right is the user-group isolation restricted right.
3. The method according to claim 2, characterized in that, before the receiving of the first access request sent by the terminal, the method further comprises:
if a first IP address acquisition request sent by the terminal is received after the terminal has passed authentication and identification, allocating an IP address to the terminal from the first address segment of the address pool;
or, if a terminal state check pass notification message sent by a status check server is received, allocating an IP address to the terminal from the second address segment of the address pool;
or, if a terminal quarantine notification message sent by the status check server is received, allocating an IP address to the terminal from the third address segment of the address pool;
or, if a terminal state repair completion notice sent by the status check server is received, allocating an IP address to the terminal from the second address segment of the address pool.
4. The method according to claim 3, characterized in that the IP address allocated to the terminal from the first address segment is a temporary address, the IP address allocated to the terminal from the second address segment is a normal address, and the IP address allocated to the terminal from the third address segment is an isolation address.
5. The method according to claim 4, characterized in that said allocating an IP address to the terminal from the second address segment of the address pool if a terminal state check pass notification message sent by the status check server is received specifically comprises:
if, after the terminal state check pass notification message sent by the status check server has been received, a lease renewal message sent by the terminal is received, the lease renewal message requesting renewal of the lease of the temporary address, sending a DHCP negative acknowledgement (DHCP NAK) message to the terminal to trigger the terminal to initiate a second IP address acquisition request;
according to the second IP address acquisition request initiated by the terminal, allocating the normal address to the terminal from the second address segment of the address pool.
6. The method according to claim 4, characterized in that said allocating an IP address to the terminal from the third address segment of the address pool if a terminal quarantine notification message sent by the status check server is received specifically comprises:
if the terminal quarantine notification message sent by the status check server is received, sending an Extensible Authentication Protocol (EAP) message to the terminal to trigger the terminal to initiate a first IP address release request and a third IP address acquisition request, the first IP address release request requesting release of the normal address;
according to the third IP address acquisition request initiated by the terminal, allocating the isolation address to the terminal from the third address segment of the address pool.
7. The method according to claim 4, characterized in that said allocating an IP address to the terminal from the second address segment of the address pool if a terminal state repair completion notice sent by the status check server is received specifically comprises:
if the terminal state repair completion notice sent by the status check server is received, sending an EAP message to the terminal to trigger the terminal to initiate a second IP address release request and a fourth IP address acquisition request, the second IP address release request requesting release of the isolation address;
according to the fourth IP address acquisition request initiated by the terminal, allocating the normal address to the terminal from the second address segment of the address pool.
8. The method according to any one of claims 3 to 7, characterized in that, after the receiving of the terminal quarantine notification message sent by the status check server, the method further comprises:
receiving an access control list (ACL) for the terminal issued by the status check server.
9. The method according to claim 8, characterized in that, after the receiving of the ACL for the terminal issued by the status check server, the method further comprises:
receiving a second access request sent by the terminal, the second access request carrying a second source IP address and a second destination IP address;
determining, according to the ACL for the terminal, whether to allow the terminal to access the second destination IP address.
10. A network access device, characterized by comprising:
a receiver, configured to receive a first access request sent by a terminal, the access request carrying a first source Internet Protocol (IP) address and a first destination IP address, the first source IP address being the IP address of the terminal, and the IP address of the terminal being allocated to the terminal by the network access device from different address segments according to the different access states the terminal is in;
a processor, configured to determine, according to a predefined correspondence between terminal IP addresses and terminal access rights, whether to allow the terminal to access the first destination IP address.
11. The network access device according to claim 10, characterized in that the correspondence between the IP address of the terminal and the terminal access right comprises:
if the IP address of the terminal is an arbitrary address, the corresponding terminal access right is the public right;
if the IP address of the terminal lies in a first address segment of an address pool, the corresponding terminal access right is the user-group minimum authorization right;
if the IP address of the terminal lies in a second address segment of the address pool, the corresponding terminal access right is the user-group right;
if the IP address of the terminal lies in a third address segment of the address pool, the corresponding terminal access right is the user-group isolation restricted right.
12. The network access device according to claim 11, characterized in that the receiver is further configured to receive: a first IP address acquisition request sent by the terminal, a terminal state check pass notification message sent by a status check server, a terminal quarantine notification message sent by the status check server, and a terminal state repair completion notice sent by the status check server.
13. The network access device according to claim 12, characterized in that the processor is further configured to:
if the receiver receives the first IP address acquisition request sent by the terminal after the terminal has passed authentication and identification, allocate an IP address to the terminal from the first address segment of the address pool; or, if the receiver receives the terminal state check pass notification message sent by the status check server, allocate an IP address to the terminal from the second address segment of the address pool; or, if the receiver receives the terminal quarantine notification message sent by the status check server, allocate an IP address to the terminal from the third address segment of the address pool; or, if the receiver receives the terminal state repair completion notice sent by the status check server, allocate an IP address to the terminal from the second address segment of the address pool.
14. The network access device according to claim 13, characterized in that the IP address the processor allocates to the terminal from the first address segment is a temporary address, the IP address the processor allocates to the terminal from the second address segment is a normal address, and the IP address the processor allocates to the terminal from the third address segment is an isolation address.
15. The network access device according to claim 14, characterized by further comprising:
a first transmitter, configured to send a DHCP negative acknowledgement (DHCP NAK) message to the terminal if, after the receiver has received the terminal state check pass notification message sent by the status check server, a lease renewal message sent by the terminal is received, the lease renewal message requesting renewal of the lease of the temporary address, so as to trigger the terminal to initiate a second IP address acquisition request;
the processor being further configured to allocate the normal address to the terminal from the second address segment of the address pool according to the second IP address acquisition request initiated by the terminal.
16. The network access device according to claim 14, characterized by further comprising:
a second transmitter, configured to send an Extensible Authentication Protocol (EAP) message to the terminal if the receiver receives the terminal quarantine notification message sent by the status check server, so as to trigger the terminal to initiate a first IP address release request and a third IP address acquisition request, the first IP address release request requesting release of the normal address;
the processor being further configured to allocate the isolation address to the terminal from the third address segment of the address pool according to the third IP address acquisition request initiated by the terminal.
17. The network access device according to claim 14, characterized by further comprising:
a third transmitter, configured to send an EAP message to the terminal if the receiver receives the terminal state repair completion notice sent by the status check server, so as to trigger the terminal to initiate a second IP address release request and a fourth IP address acquisition request, the second IP address release request requesting release of the isolation address;
the processor being further configured to allocate the normal address to the terminal from the second address segment of the address pool according to the fourth IP address acquisition request initiated by the terminal.
18. The network access device according to any one of claims 13 to 17, characterized in that the receiver is further configured, after receiving the terminal quarantine notification message sent by the status check server, to receive an access control list (ACL) for the terminal issued by the status check server.
19. The network access device according to claim 18, characterized in that the receiver is further configured to receive a second access request sent by the terminal, the second access request carrying a second source IP address and a second destination IP address;
and the processor is further configured to determine, according to the ACL for the terminal, whether to allow the terminal to access the second destination IP address.
CN201180001196.0A 2011-07-29 2011-07-29 Method and devices for handling access authorities Active CN102318314B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2011/077781 WO2012109854A1 (en) 2011-07-29 2011-07-29 Access permission control method and device

Publications (2)

Publication Number Publication Date
CN102318314A true CN102318314A (en) 2012-01-11
CN102318314B CN102318314B (en) 2013-09-11

Family

ID=45429446

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201180001196.0A Active CN102318314B (en) 2011-07-29 2011-07-29 Method and devices for handling access authorities

Country Status (2)

Country Link
CN (1) CN102318314B (en)
WO (1) WO2012109854A1 (en)

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102685135A (en) * 2012-05-17 2012-09-19 江苏中科梦兰电子科技有限公司 Software authority verification method based on C/S (Client/Server) framework
CN103312833A (en) * 2013-05-29 2013-09-18 福建三元达通讯股份有限公司 DHCP (Dynamic Host Configuration Protocol) pre-allocation leasing method and device thereof
CN104320384A (en) * 2014-10-09 2015-01-28 深圳创维数字技术有限公司 Wireless router control method and device
CN104823157A (en) * 2012-09-12 2015-08-05 格林伊登美国控股有限责任公司 System and method for providing dynamic elasticity of contact center resources
CN105847287A (en) * 2016-05-17 2016-08-10 中山大学 Resource access control method based on community local area network and system based on community local area network
CN106060048A (en) * 2016-05-31 2016-10-26 杭州华三通信技术有限公司 Network resource access method and network resource access device
CN106131847A (en) * 2016-08-30 2016-11-16 锐捷网络股份有限公司 A kind of mobile radio terminal secure access control method, device and equipment
CN106254328A (en) * 2016-07-27 2016-12-21 杭州华为数字技术有限公司 A kind of access control method and device
CN107820702A (en) * 2017-07-03 2018-03-20 深圳前海达闼云端智能科技有限公司 A kind of management-control method, device and electronic equipment
CN108092970A (en) * 2017-12-13 2018-05-29 腾讯科技(深圳)有限公司 A kind of wireless network maintaining method and its equipment, storage medium, terminal
CN108881127A (en) * 2017-05-15 2018-11-23 中兴通讯股份有限公司 A kind of method and system of control remote access permission
CN108882240A (en) * 2018-07-11 2018-11-23 北京奇安信科技有限公司 The implementation method and device of mobile device access network
CN109937439A (en) * 2017-09-29 2019-06-25 深圳市大疆创新科技有限公司 A kind of method and circuit for protecting flight control system
CN110519404A (en) * 2019-08-02 2019-11-29 锐捷网络股份有限公司 A kind of policy management method based on SDN, device and electronic equipment
CN113132326A (en) * 2019-12-31 2021-07-16 华为技术有限公司 Access control method, device and system
CN113573316A (en) * 2021-07-15 2021-10-29 中国人民解放军陆军工程大学 Method for temporarily changing private authority of special mobile communication network user
CN114301635A (en) * 2021-12-10 2022-04-08 中国联合网络通信集团有限公司 Access control method and device and server
CN114500395A (en) * 2021-12-29 2022-05-13 联通智网科技股份有限公司 Flow control method, device and equipment

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105939357A (en) * 2016-06-13 2016-09-14 杭州迪普科技有限公司 Method and device for obtaining corresponding relation of user IP (Internet Protocol) address and user group information

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1630252A (en) * 2003-12-16 2005-06-22 华为技术有限公司 Broadband IP access equipment and method for realizing user log in same equipment
CN101056178A (en) * 2007-05-28 2007-10-17 中兴通讯股份有限公司 A method and system for controlling the user network access right

Cited By (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102685135B (en) * 2012-05-17 2014-11-26 江苏中科梦兰电子科技有限公司 Software authority verification method based on C/S (Client/Server) framework
CN102685135A (en) * 2012-05-17 2012-09-19 江苏中科梦兰电子科技有限公司 Software authority verification method based on C/S (Client/Server) framework
CN104823157A (en) * 2012-09-12 2015-08-05 格林伊登美国控股有限责任公司 System and method for providing dynamic elasticity of contact center resources
CN103312833A (en) * 2013-05-29 2013-09-18 福建三元达通讯股份有限公司 DHCP (Dynamic Host Configuration Protocol) pre-allocation leasing method and device thereof
CN103312833B (en) * 2013-05-29 2016-08-17 福建三元达网络技术有限公司 DHCP predistribution lease method and device thereof
CN104320384B (en) * 2014-10-09 2019-04-26 深圳创维数字技术有限公司 A kind of wireless routing device control method and device
CN104320384A (en) * 2014-10-09 2015-01-28 深圳创维数字技术有限公司 Wireless router control method and device
CN105847287A (en) * 2016-05-17 2016-08-10 中山大学 Resource access control method based on community local area network and system based on community local area network
CN106060048A (en) * 2016-05-31 2016-10-26 杭州华三通信技术有限公司 Network resource access method and network resource access device
CN106254328A (en) * 2016-07-27 2016-12-21 杭州华为数字技术有限公司 A kind of access control method and device
CN106131847A (en) * 2016-08-30 2016-11-16 锐捷网络股份有限公司 A kind of mobile radio terminal secure access control method, device and equipment
CN108881127B (en) * 2017-05-15 2022-07-15 中兴通讯股份有限公司 Method and system for controlling remote access authority
CN108881127A (en) * 2017-05-15 2018-11-23 中兴通讯股份有限公司 A kind of method and system of control remote access permission
CN107820702B (en) * 2017-07-03 2021-02-09 达闼机器人有限公司 Management and control method, device and electronic equipment
CN107820702A (en) * 2017-07-03 2018-03-20 深圳前海达闼云端智能科技有限公司 A kind of management-control method, device and electronic equipment
CN109937439A (en) * 2017-09-29 2019-06-25 深圳市大疆创新科技有限公司 A kind of method and circuit for protecting flight control system
CN108092970B (en) * 2017-12-13 2021-01-15 腾讯科技(深圳)有限公司 Wireless network maintenance method and equipment, storage medium and terminal thereof
CN108092970A (en) * 2017-12-13 2018-05-29 腾讯科技(深圳)有限公司 A kind of wireless network maintaining method and its equipment, storage medium, terminal
CN108882240A (en) * 2018-07-11 2018-11-23 北京奇安信科技有限公司 The implementation method and device of mobile device access network
CN108882240B (en) * 2018-07-11 2021-08-17 奇安信科技集团股份有限公司 Method and device for realizing network access of mobile equipment
CN110519404A (en) * 2019-08-02 2019-11-29 锐捷网络股份有限公司 A kind of policy management method based on SDN, device and electronic equipment
CN110519404B (en) * 2019-08-02 2022-04-26 锐捷网络股份有限公司 SDN-based policy management method and device and electronic equipment
CN113132326A (en) * 2019-12-31 2021-07-16 华为技术有限公司 Access control method, device and system
CN113132326B (en) * 2019-12-31 2022-08-09 华为技术有限公司 Access control method, device and system
CN113573316A (en) * 2021-07-15 2021-10-29 中国人民解放军陆军工程大学 Method for temporarily changing private authority of special mobile communication network user
CN113573316B (en) * 2021-07-15 2024-02-20 中国人民解放军陆军工程大学 Method for temporarily changing private authority of private mobile communication network user
CN114301635A (en) * 2021-12-10 2022-04-08 中国联合网络通信集团有限公司 Access control method and device and server
CN114301635B (en) * 2021-12-10 2024-02-23 中国联合网络通信集团有限公司 Access control method, device and server
CN114500395A (en) * 2021-12-29 2022-05-13 联通智网科技股份有限公司 Flow control method, device and equipment
CN114500395B (en) * 2021-12-29 2023-10-31 联通智网科技股份有限公司 Flow control method, device and equipment

Also Published As

Publication number Publication date
CN102318314B (en) 2013-09-11
WO2012109854A1 (en) 2012-08-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant