CN103731425A - Network wireless terminal access control method and system - Google Patents
Network wireless terminal access control method and system Download PDFInfo
- Publication number
- CN103731425A CN103731425A CN201310751640.1A CN201310751640A CN103731425A CN 103731425 A CN103731425 A CN 103731425A CN 201310751640 A CN201310751640 A CN 201310751640A CN 103731425 A CN103731425 A CN 103731425A
- Authority
- CN
- China
- Prior art keywords
- wireless terminal
- ssid
- access
- network
- reception device
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a network wireless terminal access control method and system. The network wireless terminal access control method includes the steps that a wireless terminal selects an SSID to have access to a WLAN network, a wireless access device initiates AAA authentication, an AAA server can detect whether a wireless terminal MAC has already been bound with the SSID or not, if the wireless terminal MAC has been bound with the SSID, a user is allowed to have access to network resources, and if the wireless terminal MAC has been bound with another SSID, the user is not allowed to have access to the network resources. If the user conducts connection on the SSID for the first time, a user MAC and the SSID are bound and stored, and the user is allowed to have access to the network resources. The wireless terminal and the SSID which needs to have access to the network are bound or isolated through the AAA server, and therefore the wireless terminal can only have access to the network to which the wireless terminal has access for the first time, isolation is achieved, and security of the network is improved.
Description
Technical field
The invention belongs to communication technical field, specifically a kind of design of method and system of network wireless terminal binding isolation access control.
Background technology
Along with the develop rapidly of computer technology, information network has become the important guarantee of social development, have is much sensitive information, or even state secret, so can attract unavoidably the various artificial attack from all over the world, such as leakage of information, information are stolen, data tampering, data delete add, computer virus etc., meanwhile, network entity also will stand test aspects such as floods, fire, earthquake, electromagnetic radiation.
Traditional network insertion can arbitrarily be linked into by Network Access Point the network of zones of different, but can cause huge threat to the fail safe of network like this, make through the wireless terminal of authentication, not arbitrarily to be linked in network, cause the network information to reveal, and easily cause networking maintenance, management cost greatly to increase.
Summary of the invention
Technical problem to be solved by this invention is the not high defect of fail safe and propose a kind of network wireless terminal access controlling method and system when overcoming in prior art the access of network wireless terminal.
The technical scheme that the present invention solves its technical problem employing is: network wireless terminal access controlling method, comprises the steps:
A, wireless terminal are selected, after service set SSID, to be linked into the radio reception device in wlan network;
B, described radio reception device receive after the essential information of described wireless terminal, by aaa protocol, are linked into aaa authentication server;
C, aaa server check that whether described wireless terminal MAC has been tied to the SSID of described selection, in this way, enters aaa authentication flow process; Otherwise check whether user binds other SSID, if bind other SSID, refuse user's access; If do not bind other SSID, the SSID of user MAC and described selection is bound and preserved, enter aaa authentication flow process.
Further, in described step B, receive the essential information of described wireless terminal at described radio reception device before, also comprise that described wireless terminal sends access request information to described radio reception device, described radio reception device is replied information that accepts request of described wireless terminal after receiving access request information.
Further, in described step B, the essential information that described radio reception device receives described wireless terminal comprises user profile, the essential information of SSID and the MAC Address of described wireless terminal of wireless terminal.
Further, in described step C, the SSID that is checked through described wireless terminal and described selection when aaa server does not bind, and there is no the binding record with other SSID yet, need the SSID of described wireless terminal and described selection to bind, and the binding relationship of the SSID of described wireless terminal and described selection is stored in database.
The present invention also provides a kind of network wireless terminal binding isolation access control system, comprising: the radio reception device of wlan network, wireless terminal to be accessed and aaa authentication server,
Described wireless terminal to be accessed is used for, according to after the service set SSID that selects to need, and the wlan network that request access is corresponding;
The radio reception device of described wlan network, for receiving after the essential information of described wireless terminal, is linked into the binding module of aaa authentication server by aaa protocol;
Described aaa authentication server comprises binding module, and the binding module of described aaa authentication server is for checking that whether described wireless terminal MAC has been tied to the SSID of described selection, in this way, enters aaa authentication flow process; Otherwise check whether user binds other SSID, if bind other SSID, refuse user's access; If do not bind other SSID, the SSID of user MAC and described selection is bound and preserved, enter aaa authentication flow process.
Further, described radio reception device also for, before receiving the essential information of described wireless terminal, receive wireless terminal send access request information after, reply information that accepts request of described wireless terminal.
Further, the essential information that described radio reception device receives described wireless terminal comprises user profile, the essential information of SSID and the MAC Address of described wireless terminal of wireless terminal.
Further, the binding module of described aaa authentication server also for, when the SSID that is checked through described wireless terminal and described selection does not bind, and there is no the binding record with other SSID yet, need the SSID of described wireless terminal and described selection to bind, and the binding relationship of the SSID of described wireless terminal and described selection is stored in database.
Beneficial effect of the present invention: the method and system of network wireless terminal of the present invention access control, by aaa authentication server, wireless terminal is bound with the SSID that needs access, and binding information is stored in database, then the proof procedure of binding, the network that wireless terminal is accessed is for the first time remembered, when upper once wireless terminal access, only need the relation information of storing in calling data storehouse, thereby make wireless terminal can only be linked into the network of access for the first time, realized binding isolation, improved the fail safe of network, reduced network administration cost.
Accompanying drawing explanation
Figure 1 shows that the FB(flow block) of the method for the network wireless terminal binding isolation access control of the embodiment of the present invention;
Figure 2 shows that the structural representation of the system of the network wireless terminal binding isolation access control of the embodiment of the present invention.
Embodiment
Below in conjunction with accompanying drawing and specific embodiment, the invention will be further elaborated.
The FB(flow block) that is illustrated in figure 1 the method for the network wireless terminal binding isolation access control of the embodiment of the present invention, it specifically comprises the steps:
A, WLAN (wireless local area network) WLAN is set, the wireless terminal of network to be accessed is placed in to WLAN, wireless terminal is selected service set SSID(Service Set Identifier, service set) after, be linked into the radio reception device in wlan network;
B, described radio reception device receive after the essential information of described wireless terminal, by aaa protocol, are linked into aaa authentication server;
C, aaa server check that whether described wireless terminal MAC has been tied to the SSID of described selection, in this way, enters aaa authentication flow process; Otherwise check whether user binds other SSID, if bind other SSID, refuse user's access; If do not bind other SSID, the SSID of user MAC and described selection is bound and preserved, enter aaa authentication flow process.
The present invention is by binding with the SSID that needs access wireless terminal, realized wireless terminal when upper once wireless terminal access, only need the relation information of storing in calling data storehouse, thereby make wireless terminal can only be linked into the network of access for the first time, realized binding isolation, the fail safe that has improved network, has reduced network administration cost.In the present invention, the wireless terminal of described network to be accessed can be: smart mobile phone, panel computer, PC, IPTV wireless terminal etc., described access device can adopt in actual applications: Ethernet switch, WAP (wireless access point), Radio Access Controller etc.
Wherein, the aaa protocol in described step B can be radius agreement, and corresponding aaa authentication server also adopts radius server, certainly also can change according to actual conditions, adopts Diameter or other agreements.
Radio reception device in described step B comprises wireless access point AP and wireless controller AC, first by described wireless terminal, to described AP, send request access information, described AP replys information that accepts request of described wireless terminal after receiving request access information, then by described AP, received the essential information of described wireless terminal, and essential information is transmitted to AC, by AC, received after essential information, by aaa protocol, be linked into the binding module of aaa authentication server, described essential information can comprise the user profile of wireless terminal, the essential information of SSID and the essential information of described wireless terminal etc.,
Whether the binding module of described aaa server judges described wireless terminal and needs the SSID of access for accessing for the first time, if access for the first time, need user profile to verify, described wireless terminal and the binding relationship of the SSID that needs access are stored in database, then the relation information of binding are sent to the binding authentication module of aaa authentication server; If not access for the first time, check whether user binds other SSID, if bind other SSID, refuse user's access; From database, find out described wireless terminal and the relation information bound of SSID that needs access, and described relation information is forwarded to aaa authentication server carries out aaa authentication.
Wherein, aaa authentication server is carrying out when user authenticates that some additional informations are bound to checking, for example, to reach stronger control object: after authentication, check the network whether user accesses from the AP specifying, if not refusing access.Binding module is that additional information configuration association is arrived to user, can be manual setting, also can be by system Lookup protocol.
Described AP and described AC set up tunnel by capwap agreement, and by the capwap tunnel of setting up, essential information are transmitted to AC.
For those skilled in the art can understand and implement technical solution of the present invention, below by specific embodiment, the method for network wireless terminal binding isolation access control of the present invention is elaborated, concrete steps are as follows:
1, user opens wlan network on wireless terminal, finds the SSID that needs access;
2, enter the SSID that needs access, input account and password, interconnection network;
3, wireless terminal IP understands the access point AP of finding nearby, and to AP, sends request the information of access, and AP receives after solicited message, returns to the information accepting request to wireless terminal;
4, wireless terminal sends to AP essential informations such as user profile, SSID, wireless terminals;
5, access point AP and wireless controller AC set up tunnel by capwap agreement, and AP is transmitted to AC by essential information by tunnel, and AC receives after information, by radius agreement, is all transmitted to aaa authentication server;
6, aaa authentication server is received after information, first information can be issued to inner binding module and verify, if access for the first time, after can verifying user identity, the binding relationship of wireless terminal and SSID is stored in database, and then result is issued to binding authentication module; If not access for the first time, check whether user binds other SSID, if bind other SSID, refuse user's access; ;
7, binding authentication module is received after information, can judge whether the wireless terminal MAC of access has been linked into the network of specifying, and as Intranet or outer net, if access correct situation, can authorize and allow access, otherwise not allow access; Accessing the network that successful wireless terminal can only be linked into appointment by this SSID conducts interviews.
Meanwhile, the present invention also provides a kind of network wireless terminal access control system, is illustrated in figure 2 the structural representation of system of the present invention, comprising: the radio reception device of wlan network, wireless terminal to be accessed and aaa authentication server,
Described wireless terminal to be accessed is used for, according to after the service set SSID that selects to need, and the wlan network that request access is corresponding; The radio reception device of described wlan network, for receiving after the essential information of described wireless terminal, is linked into the binding module of aaa authentication server by aaa protocol; Described aaa authentication server comprises binding module, and the binding module of described aaa authentication server is for checking that whether described wireless terminal MAC has been tied to the SSID of described selection, in this way, enters aaa authentication flow process; Otherwise check whether user binds other SSID, if bind other SSID, refuse user's access; If do not bind other SSID, the SSID of user MAC and described selection is bound and preserved, enter aaa authentication flow process.
Those of ordinary skill in the art will appreciate that, embodiment described here is in order to help reader understanding's principle of the present invention, should be understood to that protection scope of the present invention is not limited to such special statement and embodiment.Those of ordinary skill in the art can make various other various concrete distortion and combinations that do not depart from essence of the present invention according to these technology enlightenments disclosed by the invention, and these distortion and combination are still in protection scope of the present invention.
Claims (8)
1. network wireless terminal access controlling method, is characterized in that, comprises the steps:
A, wireless terminal are selected, after service set SSID, to be linked into the radio reception device in wlan network;
B, described radio reception device receive after the essential information of described wireless terminal, by aaa protocol, are linked into aaa authentication server;
C, aaa server check that whether described wireless terminal MAC has been tied to the SSID of described selection, in this way, enters aaa authentication flow process; Otherwise check whether user binds other SSID, if bind other SSID, refuse user's access; If do not bind other SSID, the SSID of user MAC and described selection is bound and preserved, enter aaa authentication flow process.
2. the method for claim 1, it is characterized in that, in described step B, receive the essential information of described wireless terminal at described radio reception device before, also comprise that described wireless terminal sends access request information to described radio reception device, described radio reception device is replied information that accepts request of described wireless terminal after receiving access request information.
3. the method for claim 1, is characterized in that, in described step B, the essential information that described radio reception device receives described wireless terminal comprises user profile, the essential information of SSID and the MAC Address of described wireless terminal of wireless terminal.
4. the method as described in claim 1-3 any one, it is characterized in that, in described step C, the SSID that is checked through described wireless terminal and described selection when aaa server does not bind, and there is no the binding record with other SSID yet, need the SSID of described wireless terminal and described selection to bind, and the binding relationship of the SSID of described wireless terminal and described selection is stored in database.
5. network wireless terminal access control system, is characterized in that, comprising: the radio reception device of wlan network, wireless terminal to be accessed and aaa authentication server,
Described wireless terminal to be accessed, for according to after the service set SSID that selects to need, is asked wlan network corresponding to access;
The radio reception device of described wlan network, for receiving after the essential information of described wireless terminal, is linked into the binding module of aaa authentication server by aaa protocol;
Described aaa authentication server comprises binding module, and the binding module of described aaa authentication server is for checking that whether described wireless terminal MAC has been tied to the SSID of described selection, in this way, enters aaa authentication flow process; Otherwise check whether user binds other SSID, if bind other SSID, refuse user's access; If do not bind other SSID, the SSID of user MAC and described selection is bound and preserved, enter aaa authentication flow process.
6. system as claimed in claim 5, is characterized in that, described radio reception device also for, before receiving the essential information of described wireless terminal, receive wireless terminal send access request information after, reply information that accepts request of described wireless terminal.。
7. system as claimed in claim 5, is characterized in that, the essential information that described radio reception device receives described wireless terminal comprises user profile, the essential information of SSID and the MAC Address of described wireless terminal of wireless terminal.
8. the system as described in claim 5-7 any one, it is characterized in that, the binding module of described aaa authentication server also for, when the SSID that is checked through described wireless terminal and described selection does not bind, and there is no the binding record with other SSID yet, need the SSID of described wireless terminal and described selection to bind, and the binding relationship of the SSID of described wireless terminal and described selection is stored in database.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310751640.1A CN103731425B (en) | 2013-12-31 | 2013-12-31 | Network wireless terminal connection control method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310751640.1A CN103731425B (en) | 2013-12-31 | 2013-12-31 | Network wireless terminal connection control method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103731425A true CN103731425A (en) | 2014-04-16 |
| CN103731425B CN103731425B (en) | 2016-08-24 |
Family
ID=50455352
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310751640.1A Active CN103731425B (en) | 2013-12-31 | 2013-12-31 | Network wireless terminal connection control method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103731425B (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105681352A (en) * | 2016-03-21 | 2016-06-15 | 深圳融腾科技有限公司 | Wi-Fi access security control method and system |
| CN107395785A (en) * | 2017-08-07 | 2017-11-24 | 福州市协成智慧科技有限公司 | A kind of acquisition methods and device of network equipment true address |
| CN112202799A (en) * | 2020-10-10 | 2021-01-08 | 杭州盈高科技有限公司 | Authentication system and method for binding user and/or terminal with SSID |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060104224A1 (en) * | 2004-10-13 | 2006-05-18 | Gurminder Singh | Wireless access point with fingerprint authentication |
| CN1842000A (en) * | 2005-03-29 | 2006-10-04 | 华为技术有限公司 | Method for realizing access authentication of WLAN |
| CN101895875A (en) * | 2010-07-29 | 2010-11-24 | 杭州华三通信技术有限公司 | Method and system of using gateway device to provide differentiated services in wireless network |
-
2013
- 2013-12-31 CN CN201310751640.1A patent/CN103731425B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060104224A1 (en) * | 2004-10-13 | 2006-05-18 | Gurminder Singh | Wireless access point with fingerprint authentication |
| CN1842000A (en) * | 2005-03-29 | 2006-10-04 | 华为技术有限公司 | Method for realizing access authentication of WLAN |
| CN101895875A (en) * | 2010-07-29 | 2010-11-24 | 杭州华三通信技术有限公司 | Method and system of using gateway device to provide differentiated services in wireless network |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105681352A (en) * | 2016-03-21 | 2016-06-15 | 深圳融腾科技有限公司 | Wi-Fi access security control method and system |
| CN105681352B (en) * | 2016-03-21 | 2019-03-19 | 深圳融腾科技有限公司 | A kind of wireless network access safety management-control method and system |
| CN107395785A (en) * | 2017-08-07 | 2017-11-24 | 福州市协成智慧科技有限公司 | A kind of acquisition methods and device of network equipment true address |
| CN112202799A (en) * | 2020-10-10 | 2021-01-08 | 杭州盈高科技有限公司 | Authentication system and method for binding user and/or terminal with SSID |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103731425B (en) | 2016-08-24 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11829774B2 (en) | Machine-to-machine bootstrapping | |
| CN102843682B (en) | Access point authorizing method, device and system | |
| CN105052184B (en) | Method, equipment and controller for controlling user equipment to access service | |
| US9197639B2 (en) | Method for sharing data of device in M2M communication and system therefor | |
| CN102215474B (en) | Method and device for carrying out authentication on communication equipment | |
| US9992673B2 (en) | Device authentication by tagging | |
| US10826945B1 (en) | Apparatuses, methods and systems of network connectivity management for secure access | |
| CN106465096B (en) | It accesses network and obtains method, terminal and the core net of client identification module information | |
| CN104780536B (en) | A kind of authentication method and terminal of internet of things equipment | |
| CN105981345B (en) | The Lawful intercept of WI-FI/ packet-based core networks access | |
| EP2924944B1 (en) | Network authentication | |
| US20200228981A1 (en) | Authentication method and device | |
| CN102685730B (en) | Method for transmitting context information of user equipment (UE) and mobility management entity (MME) | |
| CN101711022A (en) | Wireless local area network (WLAN) access terminal, WLAN authentication server and WLAN authentication method | |
| CN103874065A (en) | Method and device for judging user position abnormity | |
| EP3206422A1 (en) | Method and device for creating subscription resource | |
| CN103544752B (en) | A kind of wireless video access control system and its control method based on IGRS protocol | |
| CN204376941U (en) | Outer net middleware, inner net middleware and middleware system | |
| CN108293055A (en) | Method, apparatus and system for authenticating to mobile network and for by the server of device authentication to mobile network | |
| Zhang et al. | Group-based authentication and key agreement for machine-type communication | |
| CN103731425A (en) | Network wireless terminal access control method and system | |
| CN105873059A (en) | Joint identity authentication method and system for power distribution communication wireless private network | |
| CN104812019A (en) | Wireless network access method, wireless access equipment and wireless control equipment | |
| CN103581895B (en) | Triggering method and system based on MTC device group | |
| CN101800983B (en) | Access control method of configurable mobile terminal |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |