CN104717062B - Method and device for fast guest access based on a BYOD management system - Google Patents

Info

Publication number: CN104717062B (application CN201310677018.0A)
Authority: CN (China)
Prior art keywords: visitor, management systems, access, user, terminal device
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN104717062A (en)
Inventors: 张丽娜, 卢志坚, 许文雨
Current assignee: New H3C Technologies Co Ltd
Original assignee: New H3C Technologies Co Ltd
Priority date: 2013-12-11
Filing date: 2013-12-11

Events:
2013-12-11: Application filed by New H3C Technologies Co Ltd; priority to CN201310677018.0A
Priority to PCT/CN2014/092564 (WO2015085872A1)
2015-06-17: Publication of CN104717062A
2018-03-16: Application granted; publication of CN104717062B
Current legal status: Active

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/08  Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876  Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • G  PHYSICS
    • G06  COMPUTING; CALCULATING OR COUNTING
    • G06F  ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00  Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30  Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/44  Program or device authentication

Abstract

The present invention provides a method and apparatus for fast guest access based on a BYOD management system. The method includes: creating a single default account shared by all guests, and binding the default account to the access devices pre-deployed in an accessible area; receiving a guest authentication request from the accessible area and judging whether the guest's terminal device is bound to an existing user, and if not, authenticating the guest; after authentication succeeds, marking the guest as a default user and allowing the guest to access the accessible area using the default account. The invention achieves fast guest access while ensuring the security of that access.

Description

Method and device for fast guest access based on a BYOD management system
Technical field
The present invention relates to the field of communication technology, and in particular to a method for fast guest access based on a BYOD management system and its corresponding device.
Background technology
With the rapid development of networks, more and more people use their own devices (Bring Your Own Device, BYOD) to connect to corporate networks in order to view company information or obtain related data, so there are often guests on an enterprise network. How to ensure security while guests borrow the enterprise network is an important problem.
Existing BYOD management systems can fairly well ensure security when a guest's terminal device accesses the enterprise network. They do so mainly through identification, binding and auditing of terminal devices, which achieves fast network access and refines the control of the network access rights granted to terminal devices.
The content of the invention
In view of this, the present invention provides a method and apparatus for fast guest access based on a BYOD management system. The method includes:
Step A: create a single default account shared by all guests, and bind the default account to the access devices pre-deployed in the accessible area;
Step B: receive a guest authentication request from the accessible area, and judge whether the guest's terminal device is bound to an existing user; if not, authenticate the guest;
Step C: after authentication succeeds, mark the guest as a default user and allow the guest to use the default account to access the network of the accessible area.
Preferably, the authentication of the guest by the BYOD management system is specifically: performing MAC address authentication on the guest's terminal device.
Preferably, performing the MAC address authentication further includes detecting whether the guest's user name is a legal MAC address.
Preferably, when the BYOD management system needs to further subdivide the guest's access control rights, or the guest needs to register their terminal device as a regular user in the BYOD management system, the method further includes:
Step D: the guest further accesses the enterprise's internal registration page and completes registration.
Preferably, the registration page further includes three user options: a pre-registration option, a new-registration option and a bind-existing-user option.
The present invention also provides a device for fast guest access based on a BYOD management system. The device includes:
a creating unit, for creating a single default account shared by all guests, and binding the default account to the access devices pre-deployed in the accessible area;
an authentication unit, for receiving a guest authentication request from the accessible area, and judging whether the guest's terminal device is bound to an existing user; if not, authenticating the guest;
an access unit, for marking the guest as a default user after authentication succeeds and allowing the guest to use the default account to access the network of the accessible area.
Preferably, the authentication of the guest by the BYOD management system is specifically: performing MAC address authentication on the guest's terminal device.
Preferably, performing the MAC address authentication further includes detecting whether the guest's user name is a legal MAC address.
Preferably, when the BYOD management system needs to further subdivide the guest's access control rights, or the guest needs to register their terminal device as a regular user in the BYOD management system, the device further includes:
a registration unit, for completing the guest's registration as a user when the guest further accesses the enterprise's internal registration page.
Preferably, the registration page further includes three user options: a pre-registration option, a new-registration option and a bind-existing-user option.
In the solution of the present invention, a single default account is created for all guests, and the default account is bound to the network access devices of the accessible area that has been set aside in advance for guests; when a guest authentication request from the accessible area is received, the guest is authenticated, and once the guest has passed authentication, all authenticated guests are uniformly allowed to access the accessible area using the default account. The present invention achieves fast access and fast registration for guests while ensuring the security of guest access.
Brief description of the drawings
Fig. 1 is a flow chart of the method for fast guest access based on a BYOD management system in an exemplary embodiment of the present invention;
Fig. 2 is a logical block diagram of the device for fast guest access based on a BYOD management system in an exemplary embodiment of the present invention.
Embodiment
The core idea of BYOD (Bring Your Own Device, working from one's own device) is that employees can use any device, whether their own or one provided by the enterprise, to access the enterprise network at any time and from anywhere. This brings more challenges to enterprise network management: for example, the enterprise network needs to support more kinds of access (wired, Wi-Fi, VPN and so on) and more device types and operating systems. In particular, when an existing BYOD management system handles guest access, it first has to open a separate access account for each guest, and the guest must manually enter the account and password and pass verification before accessing the network. This approach is comparatively laborious; the more guests there are, the greater the administrator's workload, and it is not convenient for centralized management. Moreover, faced with the endless variety of brands of mobile intelligent terminal devices, existing BYOD management systems cannot accurately identify every terminal device and can therefore only adopt a unified access policy, which leaves them with potential security risks.
Therefore, the present invention provides a method for fast guest access based on a BYOD management system: a single default account is created for all guests, an accessible area is set aside for guests within the enterprise, and the default account is bound to the access devices pre-deployed in that guest accessible area; all authenticated guests use the default account to access the enterprise network. This achieves fast access for guest users while ensuring, to the greatest extent, the security of guest access to the corporate network.
To make the objects, technical solutions and advantages of the present invention clearer, the solution of the present invention is described in further detail below with reference to the drawings and embodiments.
Referring to Fig. 1, in an exemplary preferred embodiment the present invention provides a method for fast guest access based on a BYOD management system. The method performs the following steps:
Step S101: create a single default account shared by all guests, and bind the default account to the access devices pre-deployed in the guest accessible area.
Before this step is performed, the administrator first needs to set aside a guest accessible area within the enterprise, for example by selecting the enterprise's lobby, meeting rooms or rest area as the guest accessible area, and then apply access control to guest users who access the network in that area. For example, in the guest area a guest user can, through that area's network, access certain information about the enterprise or related data that the enterprise provides for guests, but cannot access servers on the corporate intranet or obtain information such as internal enterprise data.
After the guest area has been set aside, the administrator further creates a single default account for all guests through the BYOD management system and binds the default account to the access devices in the guest area. The user name and password of the default account are set automatically and managed centrally by the BYOD management system; the guest does not need to enter them manually, which makes the account convenient for guests to use. In addition, the network coverage of the guest area may be wireless, wired, or both. When the guest area has wireless coverage, the network access device may be a wireless AP (wireless access point) or similar; when the guest area has wired coverage, the network access device may be a router or a switch. Once the default account is bound to the pre-deployed access devices of the guest area, only guests logged in with the default account can access the guest area within its network coverage.
Step S102: receive a guest authentication request from the accessible area and judge whether the guest's terminal device is bound to an existing user; if so, the corporate network is accessed directly; if not, the guest is authenticated.
When a guest carrying a terminal device needs to access the network of the guest area, an authentication request is first sent automatically to the network access device; after receiving the authentication request, the network access device reports it to the BYOD management system. After the BYOD management system receives the authentication request, it first judges whether the guest's terminal device is bound to an existing user. If it is bound to an existing user, the terminal is admitted to the network directly and given the corresponding access control rights according to that user's terminal information; if it is not bound to an existing user, the guest's terminal device needs to be authenticated. It should be noted that, according to the present invention, when a guest attempts to access the corporate network from outside the guest area, the BYOD management system, on receiving the guest's authentication request, refuses to authenticate the guest if the guest is not a bound user. That is, only authentication requests from the guest area are considered legitimate; when an unknown guest attempts to access the network outside the guest area, the system treats this as illegal access behaviour.
Further, in an exemplary preferred embodiment of the present invention, the guest is authenticated using the most common method, MAC address authentication. In the MAC address authentication process, the system also needs to detect whether the guest's MAC address is legal, for example whether separators are present and whether the letter case is correct; if the guest's MAC address is illegal, authentication fails and the guest is refused network access. Of course, the authentication method for guests is not limited to MAC authentication; different enterprises have different security requirements for user access, so there may be many kinds of authentication methods. For example, as in the prior art, identity authentication can be performed by recognizing a digital signature, digital certificate or encryption hardware in the guest's terminal device, and for mobile phone terminals the guest can even be authenticated by recognizing the SIM card; these are not repeated here.
Step S103: after authentication succeeds, mark the guest as a default user and allow the guest to access the accessible area using the default account.
After the guest passes authentication, the BYOD management system marks the guest as a default user. Since the default account is bound to the network access devices of the guest area, the BYOD management system then pushes the MAC address of the guest's terminal device, now a default user, down to the access devices of the guest area. After an access device receives the MAC address issued by the BYOD management system, it adds the received MAC address to the access whitelist maintained locally; the authenticated guest can then quickly access the guest area using the default account and so gain access to the corporate network.
When the guest's access control rights need to be further subdivided, or the guest needs to register their terminal device as a regular user in the BYOD management system, the present invention may also require the guest, after access authentication, to register at the enterprise's internal registration page. In a preferred exemplary embodiment of the present invention, the registration page includes three user options: a pre-registration option, a new-registration option and a bind-existing-user option. When a guest selects the pre-registration option and registers successfully, the guest obtains the most basic access rights; the guest's registration information and user terminal information are deleted when the guest goes offline, and the guest must register again the next time they come online. When a guest selects the new-registration option and registers successfully, the guest is forced offline; the registration information and user terminal information are retained after the guest goes offline, and after the guest logs in again with the login account, the BYOD management system selects a suitable access control policy for the guest according to the guest's terminal information. When a guest selects the bind-existing-user option, the guest's user terminal is bound to an already existing user and the guest is forced offline; after the guest logs in again with the bound account, the guest's user terminal obtains the rights of the bound user.
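The flow of steps S101 to S103 and the registration options of step D, as an added Python simulation that is not code from the patent or from H3C's product; the class and function names, the whitelist representation and the exact MAC legality rule (six lowercase hex octets with one consistent separator) are assumptions:

```python
"""Simulation of the guest fast-access flow (S101-S103) and step D registration.
Added example; names, whitelist representation and MAC legality rule are assumed."""
import re
from dataclasses import dataclass, field

# Assumed legality rule for the MAC address that serves as the guest's user
# name: six two-digit hex octets, one consistent ':' or '-' separator and
# lowercase hex digits. The page only says separators and letter case are checked.
_MAC_RE = re.compile(r"^[0-9a-f]{2}(?P<sep>[:-])(?:[0-9a-f]{2}(?P=sep)){4}[0-9a-f]{2}$")


def is_legal_mac(mac: str) -> bool:
    """True if `mac` satisfies the assumed legality rule above."""
    return _MAC_RE.fullmatch(mac) is not None


@dataclass
class AccessDevice:
    """An AP, router or switch. `area` is 'guest' for devices in the guest area."""
    name: str
    area: str
    whitelist: set = field(default_factory=set)  # MACs pushed down by the BYOD system


class BYODManager:
    DEFAULT_ACCOUNT = "guest-default"  # one account created for all guests (S101)

    def __init__(self, devices):
        self.devices = {d.name: d for d in devices}
        # S101: the default account is bound only to access devices of the guest area
        self.default_bound_to = {d.name for d in devices if d.area == "guest"}
        self.bound_users = {}        # terminal MAC -> regular user name
        self.user_rights = {}        # regular user name -> access right label
        self.default_users = set()   # terminal MACs marked as default users
        self.pre_registered = set()  # MACs that chose the pre-registration option

    def authenticate(self, device_name, mac, username):
        """S102/S103: handle an authentication request reported by an access
        device. Returns (granted, account, rights_or_reason)."""
        dev = self.devices[device_name]
        # A terminal already bound to an existing user is admitted directly
        # with that user's rights, wherever it connects.
        if mac in self.bound_users:
            user = self.bound_users[mac]
            return True, user, self.user_rights[user]
        # Only requests arriving through guest-area devices count as legitimate
        # guest requests; unbound terminals elsewhere are refused authentication.
        if dev.name not in self.default_bound_to:
            return False, None, "refused: unbound terminal outside guest area"
        # MAC address authentication: the user name must be the terminal's own
        # MAC address and that address must be legal (separators, letter case).
        if username != mac or not is_legal_mac(mac):
            return False, None, "refused: illegal MAC address"
        # S103: mark the guest as a default user and push the MAC into the
        # access whitelist maintained on the access device.
        self.default_users.add(mac)
        dev.whitelist.add(mac)
        return True, self.DEFAULT_ACCOUNT, "guest-area"

    def register(self, mac, option, existing_user=None):
        """Step D: the three registration-page options. Returns the guest's state."""
        if option == "pre":
            # Most basic rights; registration is discarded when the guest goes offline.
            self.pre_registered.add(mac)
            return "basic-rights"
        if option == "new":
            # Guest is forced offline; information is kept for the next login, after
            # which the access policy is chosen from the terminal information.
            user = "user-" + mac.replace(":", "").replace("-", "")
            self.bound_users[mac] = user
            self.user_rights[user] = "policy-by-terminal-info"
            return "forced-offline"
        if option == "bind":
            # Terminal is bound to an existing user and inherits that user's rights.
            if existing_user not in self.user_rights:
                raise ValueError("unknown existing user: %r" % existing_user)
            self.bound_users[mac] = existing_user
            return "forced-offline"
        raise ValueError("unknown option: %r" % option)

    def go_offline(self, mac):
        """A pre-registered guest's registration is deleted when it goes offline,
        so it must register again the next time it comes online."""
        was_pre = mac in self.pre_registered
        self.pre_registered.discard(mac)
        return was_pre
```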
Referring to Fig. 2, in an exemplary preferred embodiment the present invention also provides a device 20 for fast guest access based on a BYOD management system. The hardware architecture involved in the device of the present invention generally includes a CPU, memory, non-volatile memory and other hardware. Taking a software implementation as an example, the device 20 of the present invention can generally be understood as a logical device formed by the CPU running a computer program held in memory. The device 20 includes:
a creating unit 21, for creating a single default account shared by all guests, and binding the default account to the access devices pre-deployed in the accessible area;
an authentication unit 22, for receiving a guest authentication request from the accessible area, and judging whether the guest's terminal device is bound to an existing user; if not, authenticating the guest;
an access unit 23, for marking the guest as a default user after authentication succeeds and allowing the guest to use the default account to access the network of the accessible area.
In this embodiment, the authentication of the guest by the BYOD management system is specifically: performing MAC address authentication on the guest's terminal device.
In this embodiment, performing the MAC address authentication further includes detecting whether the guest's user name is a legal MAC address.
In this embodiment, when the BYOD management system needs to further subdivide the guest's access control rights, or the guest needs to register their terminal device as a regular user in the BYOD management system, the device further includes:
a registration unit 24, for completing the guest's registration as a user when the guest further accesses the enterprise's internal registration page.
In this embodiment, the registration page further includes three user options: a pre-registration option, a new-registration option and a bind-existing-user option.
From the description of the above embodiments, those skilled in the art will understand that the units of the device in the embodiments may be merged into one unit or further split into multiple sub-units.
The foregoing is merely a description of preferred embodiments of the present invention and is not intended to limit the invention; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (10)

1. A method for fast guest access based on a BYOD management system, characterised in that the method includes:
Step A: creating a single default account shared by all guests, and binding the default account to the access devices pre-deployed in an accessible area;
Step B: receiving a guest authentication request from the accessible area, and judging whether the guest's terminal device is bound to an existing user; if not, authenticating the guest's terminal device;
Step C: after authentication succeeds, marking the guest as a default user and allowing the guest to use the default account to access the network of the accessible area.
2. The method of claim 1, characterised in that the authentication of the guest by the BYOD management system is specifically: performing MAC address authentication on the guest's terminal device.
3. The method of claim 2, characterised in that performing the MAC address authentication further includes detecting whether the guest's user name is a legal MAC address.
4. The method of claim 1, characterised in that when the BYOD management system needs to further subdivide the guest's access control rights, or the guest needs to register their terminal device as a regular user in the BYOD management system, the method further includes:
Step D: the guest further accessing the enterprise's internal registration page and completing registration.
5. The method of claim 4, characterised in that the registration page further includes three user options: a pre-registration option, a new-registration option and a bind-existing-user option.
6. A device for fast guest access based on a BYOD management system, characterised in that the device includes:
a creating unit, for creating a single default account shared by all guests, and binding the default account to the access devices pre-deployed in an accessible area;
an authentication unit, for receiving a guest authentication request from the accessible area, and judging whether the guest's terminal device is bound to an existing user; if not, authenticating the guest's terminal device;
an access unit, for marking the guest as a default user after authentication succeeds and allowing the guest to use the default account to access the network of the accessible area.
7. The device of claim 6, characterised in that the authentication of the guest by the BYOD management system is specifically: performing MAC address authentication on the guest's terminal device.
8. The device of claim 7, characterised in that performing the MAC address authentication further includes detecting whether the guest's user name is a legal MAC address.
9. The device of claim 6, characterised in that when the BYOD management system needs to further subdivide the guest's access control rights, or the guest needs to register their terminal device as a regular user in the BYOD management system, the device further includes:
a registration unit, for completing the guest's registration as a user when the guest further accesses the enterprise's internal registration page.
10. The device of claim 9, characterised in that the registration page further includes three user options: a pre-registration option, a new-registration option and a bind-existing-user option.

Priority Applications (2)

Application Number | Priority Date | Filing Date | Title
CN201310677018.0A (CN104717062B) | 2013-12-11 | 2013-12-11 | Method and device for fast guest access based on a BYOD management system
PCT/CN2014/092564 (WO2015085872A1) | 2013-12-11 | 2014-11-28 | Method and device for access of guests

Publications (2)

Publication Number Publication Date
CN104717062A CN104717062A (en) 2015-06-17
CN104717062B true CN104717062B (en) 2018-03-16

Family

ID=53370609

Country Status (2)

Country Link
CN (1) CN104717062B (en)
WO (1) WO2015085872A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106375262B (en) * 2015-07-21 2020-03-13 株式会社理光 Access control method and device
CN107612888B (en) * 2017-08-23 2020-09-04 北京小米移动软件有限公司 Enterprise user space creation method and device

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101582769A (en) * 2009-07-03 2009-11-18 杭州华三通信技术有限公司 Authority setting method of user access network and equipment
CN102143165A (en) * 2011-01-24 2011-08-03 华为技术有限公司 Method, network switch and network system for authenticating terminals
CN102378175A (en) * 2011-10-08 2012-03-14 华为终端有限公司 Wireless local area network (WLAN) authentication method and mobile terminal
CN102594846A (en) * 2012-04-05 2012-07-18 北京网御星云信息技术有限公司 IP (Internet Protocol) header information based shared access management algorithm and system
US8392712B1 (en) * 2012-04-04 2013-03-05 Aruba Networks, Inc. System and method for provisioning a unique device credential
CN103079201A (en) * 2011-10-26 2013-05-01 中兴通讯股份有限公司 Fast authentication method, access controller (AC) and system for wireless local area network
CN103414709A (en) * 2013-08-02 2013-11-27 杭州华三通信技术有限公司 User identity binding and user identity binding assisting method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2557143C (en) * 2004-02-27 2014-10-14 Sesame Networks Inc. Trust inheritance in network authentication

Also Published As

Publication number Publication date
CN104717062A (en) 2015-06-17
WO2015085872A1 (en) 2015-06-18

Legal Events

Code | Title / Description
C06 | Publication
PB01 | Publication
EXSB | Decision made by SIPO to initiate substantive examination
SE01 | Entry into force of request for substantive examination
CB02 | Change of applicant information
    Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.
    Applicant after: Xinhua three Technology Co., Ltd.
    Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base
    Applicant before: Huasan Communication Technology Co., Ltd.
GR01 | Patent grant