CN104767715A - Network access control method and equipment - Google Patents

Publication number: CN104767715A
Application number: CN201410003686.XA
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN104767715B (en)
Related application: PCT/CN2014/092788 (WO2015101125A1)
Inventor: 于丹
Current assignee: XFusion Digital Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Legal status: Granted; Active
Prior art keywords: mobile terminal, access, described mobile, address, enterprise

Classifications

    • H04L63/00 Network architectures or network communication protocols for network security; H04L63/08 for authentication of entities; H04L63/0823 for authentication of entities using certificates
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity; H04W12/06 Authentication; H04W12/062 Pre-authentication; H04W12/069 Authentication using certificates or pre-shared keys
Abstract

The invention discloses a network access control method and equipment, which aim to reduce the difficulty of access control when an existing mobile terminal securely accesses a network. The method comprises the following steps: network access equipment receives an access request message sent by the mobile terminal, the message carrying an identifier of the mobile terminal; the network access equipment determines the registration state of the identifier of the mobile terminal; if the identifier is not registered, the network access equipment allocates an Internet Protocol (IP) address to the mobile terminal and then sets the access control policy corresponding to that IP address to a first authorization policy, which allows the IP address to access an authentication webpage; the network access equipment receives a webpage access request message sent by the mobile terminal through the IP address and redirects it to the authentication webpage according to the access control policy, or redirects it to a registration webpage once it confirms that the mobile terminal has authenticated successfully; if the network access equipment confirms that the mobile terminal has completed registration, it sends a configuration file and a digital certificate to the mobile terminal, which the mobile terminal uses to access the enterprise wireless network through Extensible Authentication Protocol-Transport Layer Security (EAP-TLS).

Description

Access control method and equipment
Technical field
The present invention relates to the field of network communication technology, and in particular to an access control method, a wireless access point and a wireless access controller.
Background technology
With the development of mobile terminal technology, improvements in manufacturing processes and falling selling prices, mobile terminals have become widespread quickly in recent years. At present, mobile terminals exceed personal computers in sales volume. Bring Your Own Device (BYOD), that is, working on a device one carries oneself, has accordingly become an accepted way of working. To reduce investment in fixed assets and improve office efficiency, more and more enterprises encourage employees to access the enterprise network with their private mobile terminals for routine office work.
However, because the type, ownership and access location of the mobile terminals accessing the enterprise wireless network are uncertain, enterprise information security management faces a challenge: how to perform effective access control when a mobile terminal accesses the enterprise wireless network, so as to ensure that the resources in the enterprise network are not used by unauthorized users.
For security reasons, an access authentication mode with a higher security level is usually recommended, such as Institute of Electrical and Electronics Engineers (IEEE) 802.1X with Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) certificate authentication, to control the access of mobile terminals to the enterprise wireless network. However, this approach has some inconveniences in practice: the user's mobile terminal needs to obtain a digital certificate in advance, and the configuration of 802.1X authentication access parameters differs between mobile terminals of different brands and models, some of which are rather complicated. How to distribute digital certificates to mobile terminals automatically, and help the users of mobile terminals configure the authentication access parameters, has become a problem that needs to be solved.
Summary of the invention
Embodiments of the present invention provide an access control method in order to reduce the difficulty of access control when an existing mobile terminal securely accesses a network.
Correspondingly, embodiments of the present invention also provide a wireless access point (AP) and a wireless access controller (AC).
The technical solutions provided by embodiments of the present invention are as follows:
In a first aspect, an access control method is provided, comprising:
Network access equipment receives an access request message sent by a mobile terminal; the access request message requests access to the wireless network of an enterprise and carries an identifier of the mobile terminal, which uniquely identifies the mobile terminal within the scope of the enterprise wireless network;
The network access equipment determines the registration state corresponding to the identifier of the mobile terminal; the registration state identifies whether the mobile terminal is registered in the enterprise wireless network;
If the network access equipment determines that the registration state corresponding to the identifier of the mobile terminal is unregistered, the network access equipment allocates an IP address to the mobile terminal and then sets the access control policy corresponding to the IP address to a first authorization policy, which allows the IP address to access an authentication webpage;
The network access equipment receives a web access request message sent by the mobile terminal using the IP address and redirects the web access request message to the authentication webpage according to the first authorization policy corresponding to the IP address; if the network access equipment determines that the mobile terminal has been authenticated successfully through the authentication webpage, it redirects to a registration webpage;
If the network access equipment determines that the mobile terminal has completed registration in the enterprise wireless network through the registration webpage, the network access equipment sends a configuration file and a digital certificate to the mobile terminal; the configuration file and digital certificate are used by the mobile terminal to access the enterprise wireless network through the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication mode.
In a first possible implementation of the first aspect, the authentication webpage is provided by a Portal server in the enterprise wireless network, and the Portal server sends the Lightweight Directory Access Protocol (LDAP) domain account authentication information that the mobile terminal enters on the authentication webpage to a Remote Authentication Dial In User Service (RADIUS) server for web authentication;
and the network access equipment redirecting to the registration webpage if it determines that the mobile terminal has been authenticated successfully through the authentication webpage comprises:
the network access equipment receives the web authentication result returned by the RADIUS server;
if the web authentication result indicates that the mobile terminal passed web authentication, the network access equipment sets the access control policy corresponding to the IP address to a second authorization policy, which allows the IP address to access the registration webpage;
the network access equipment redirects the web access request message to the registration webpage according to the second authorization policy corresponding to the IP address.
In the first aspect or its first possible implementation, a second possible implementation of the first aspect is also provided, further comprising: if the network access equipment determines that the registration state corresponding to the identifier of the mobile terminal is registered, the network access equipment sends a response message to the mobile terminal in which the authentication algorithm field is set to an EAP-TLS indicator, to instruct the mobile terminal to access the enterprise wireless network according to the EAP-TLS authentication mode;
when the network access equipment determines that the EAP-TLS authentication carried out between the mobile terminal and the RADIUS server has succeeded, it opens a controlled port for the mobile terminal; the controlled port is used to carry the service data of the mobile terminal.
In the first or second possible implementation of the first aspect, a third possible implementation of the first aspect is also provided, in which the network access equipment determining the registration state corresponding to the identifier of the mobile terminal comprises:
the network access equipment obtains the identifier of the mobile terminal from the access request message;
queries a management server in the enterprise wireless network for the registration state of the mobile terminal according to the identifier of the mobile terminal;
receives the registration state of the mobile terminal in the network returned by the management server.
In the third possible implementation of the first aspect, a fourth possible implementation of the first aspect is also provided, in which the registration webpage is provided by the management server,
and the network access equipment sending the configuration file and digital certificate to the mobile terminal if it determines that the mobile terminal has completed registration in the enterprise wireless network through the registration webpage comprises:
the network access equipment receives the configuration file and digital certificate sent by the management server, which the management server sends after the mobile terminal has completed registration in the enterprise wireless network through the registration webpage; after the management server sends the configuration file and digital certificate, the registration state of the mobile terminal in the management server is updated to registered;
the network access equipment sends the configuration file and digital certificate to the mobile terminal.
In the fourth possible implementation of the first aspect, a fifth possible implementation of the first aspect is also provided, in which, after the network access equipment sends the configuration file and digital certificate to the mobile terminal, the method further comprises:
the network access equipment receives a dynamic authorization (Change of Authorization, CoA) message sent by the RADIUS server and, after receiving the CoA message, instructs the mobile terminal to resend the access request message; the CoA message is sent after the registration state of the mobile terminal in the management server has been updated to registered.
In the fifth possible implementation of the first aspect, a sixth possible implementation of the first aspect is also provided, in which, after the network access equipment receives the CoA message, the method further comprises: the network access equipment reclaims the IP address.
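The first aspect and its implementations above describe one onboarding flow with several decision points (registration lookup, two authorization policies, redirection, certificate delivery, CoA and IP reclaim). As an added illustration that is not part of the patent, the following Python model simulates the network access equipment's per-terminal decisions; the management server registry, the RADIUS web-authentication result and the CoA message are simulated in memory, and every name, URL and address is constructed.

```python
"""Added model of the onboarding flow in the first aspect (not the patent's code); the management
server registry, the RADIUS web-authentication result and the CoA message are simulated in memory."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

AUTH_PAGE = "https://portal.example.internal/auth"            # constructed URL
REGISTRATION_PAGE = "https://mgmt.example.internal/register"  # constructed URL


class Policy(Enum):
    FIRST = "allow authentication webpage only"   # first authorization policy
    SECOND = "allow registration webpage"         # second authorization policy


@dataclass
class Session:
    terminal_id: str
    ip: str
    policy: Policy = Policy.FIRST


@dataclass
class NetworkAccessEquipment:
    registry: dict = field(default_factory=dict)   # simulated management server: id -> registered?
    ip_pool: list = field(default_factory=lambda: [f"10.0.0.{i}" for i in range(10, 13)])
    sessions: dict = field(default_factory=dict)   # allocated ip -> Session
    ip_of: dict = field(default_factory=dict)      # terminal id -> allocated ip
    controlled_ports: set = field(default_factory=set)

    def handle_access_request(self, terminal_id: str) -> dict:
        """Registered terminals are told to use EAP-TLS; unregistered ones get an IP
        address bound to the first authorization policy."""
        if self.registry.get(terminal_id):
            return {"auth_algorithm": "EAP-TLS"}
        if terminal_id not in self.ip_of:              # first request from this terminal
            ip = self.ip_pool.pop(0)
            self.sessions[ip] = Session(terminal_id, ip)
            self.ip_of[terminal_id] = ip
        return {"auth_algorithm": "web", "ip": self.ip_of[terminal_id]}

    def handle_web_request(self, ip: str, url: str) -> dict:
        """Enforce the policy bound to the IP: anything but the one allowed page is redirected."""
        session = self.sessions.get(ip)
        if session is None:
            return {"action": "drop"}                   # never allocated, or already reclaimed
        allowed = AUTH_PAGE if session.policy is Policy.FIRST else REGISTRATION_PAGE
        if url == allowed:
            return {"action": "allow"}
        return {"action": "redirect", "location": allowed}

    def handle_web_auth_result(self, ip: str, passed: bool) -> Optional[Policy]:
        """RADIUS web-authentication result: success moves the IP to the second policy."""
        session = self.sessions.get(ip)
        if session is None or not passed:
            return None
        session.policy = Policy.SECOND
        return session.policy

    def handle_registration_complete(self, ip: str, config: bytes, cert: bytes) -> dict:
        """The management server reports registration and supplies the configuration file and
        digital certificate; the state becomes registered and both are forwarded to the terminal."""
        session = self.sessions[ip]
        if session.policy is not Policy.SECOND:
            raise PermissionError("registration is only reachable after web authentication")
        self.registry[session.terminal_id] = True
        return {"to": session.terminal_id, "config": config, "certificate": cert}

    def handle_coa(self, terminal_id: str) -> dict:
        """CoA from the RADIUS server: make the terminal re-request access and reclaim its IP."""
        ip = self.ip_of.pop(terminal_id, None)
        if ip is None:
            return {"action": "ignore"}
        del self.sessions[ip]
        self.ip_pool.append(ip)
        return {"action": "resend_access_request", "reclaimed_ip": ip}

    def handle_eap_tls_result(self, terminal_id: str, passed: bool) -> bool:
        """Open the controlled port only for a registered terminal that passed EAP-TLS."""
        if passed and self.registry.get(terminal_id):
            self.controlled_ports.add(terminal_id)
            return True
        return False


def run_onboarding_flow(terminal_id: str = "aa:bb:cc:dd:ee:ff") -> list:
    """Drive one unregistered terminal through the whole flow and return the decisions made."""
    nae = NetworkAccessEquipment()
    ip = nae.handle_access_request(terminal_id)["ip"]
    trace = [nae.handle_web_request(ip, "http://intranet.example.internal/")["location"]]
    nae.handle_web_auth_result(ip, passed=True)
    trace.append(nae.handle_web_request(ip, "http://intranet.example.internal/")["location"])
    nae.handle_registration_complete(ip, b"<wifi-profile/>", b"<device-certificate>")
    trace.append(nae.handle_coa(terminal_id)["action"])
    trace.append(nae.handle_access_request(terminal_id)["auth_algorithm"])
    trace.append(nae.handle_eap_tls_result(terminal_id, passed=True))
    return trace
```

The trace shows the two redirect targets, the CoA-triggered re-request, the switch to EAP-TLS once registered, and the controlled port opening; a terminal that never registered cannot get its port opened even if it claims EAP-TLS success.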
In a second aspect, a wireless access point (AP) is also provided, comprising:
a receiving unit, for receiving an access request message sent by a mobile terminal; the access request message requests access to the wireless network of an enterprise and carries an identifier of the mobile terminal, which uniquely identifies the mobile terminal within the scope of the enterprise wireless network;
a judging unit, for determining the registration state corresponding to the identifier of the mobile terminal in the access request message received by the receiving unit; the registration state identifies whether the mobile terminal is registered in the enterprise wireless network;
a resource allocation request unit, for requesting the wireless access controller (AC) that controls the wireless AP to allocate an IP address to the mobile terminal if the judging unit determines that the registration state corresponding to the identifier of the mobile terminal is unregistered;
a policy setting unit, for setting the access control policy corresponding to the IP address to a first authorization policy, which allows the IP address to access an authentication webpage;
the receiving unit is further for receiving a web access request message sent by the mobile terminal using the IP address;
a redirection request unit, for sending a first redirection request to the AC according to the first authorization policy set by the policy setting unit, requesting that the web access request message be redirected to the authentication webpage; and, if it determines that the mobile terminal has been authenticated successfully through the authentication webpage, sending a second redirection request to the AC, requesting that the web access request message be redirected to a registration webpage;
the receiving unit is further for receiving a configuration file and a digital certificate from the wireless AC;
the sending unit is further for forwarding the configuration file and digital certificate to the mobile terminal; the configuration file and digital certificate are used by the mobile terminal to access the enterprise wireless network through the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication mode.
In a first possible implementation of the second aspect, the receiving unit is further for receiving a web authentication result from a Remote Authentication Dial In User Service (RADIUS) server; the authentication webpage is provided by a Portal server in the enterprise wireless network, and the Portal server sends the Lightweight Directory Access Protocol (LDAP) domain account authentication information that the mobile terminal enters on the authentication webpage to the RADIUS server for web authentication;
the policy setting unit is further for setting the access control policy corresponding to the IP address to a second authorization policy if the web authentication result indicates that the mobile terminal passed web authentication; the second authorization policy allows the IP address to access the registration webpage;
the redirection request unit is specifically for sending the first redirection request to the AC according to the second authorization policy corresponding to the IP address, requesting that the web access request message be redirected to the registration webpage.
In the second aspect or its first possible implementation, a second possible implementation of the second aspect is also provided, in which the sending unit is further for sending a response message to the mobile terminal if the judging unit determines that the registration state is registered; the authentication algorithm field carried in the response message is set to an EAP-TLS indicator, to instruct the mobile terminal to access the enterprise wireless network according to the EAP-TLS authentication mode;
the wireless AP further comprises:
a port opening unit, for opening a controlled port for the mobile terminal when the network access equipment determines that the EAP-TLS authentication carried out between the mobile terminal and the RADIUS server has succeeded; the controlled port is used to carry the service data of the mobile terminal.
In the second aspect or any one of the above possible implementations of the second aspect, the judging unit comprises:
an obtaining subunit, for obtaining the identifier of the mobile terminal from the access request message;
a querying subunit, for querying a management server in the enterprise wireless network for the registration state of the mobile terminal according to the identifier of the mobile terminal obtained by the obtaining subunit;
a receiving subunit, for receiving the registration state of the mobile terminal in the network returned by the management server.
In a third aspect, a wireless access point (AP) is provided, comprising a memory, a processor, a receiver and a transmitter;
the receiver is for receiving an access request message sent by a mobile terminal; the access request message requests access to the wireless network of an enterprise and carries an identifier of the mobile terminal, which uniquely identifies the mobile terminal within the scope of the enterprise wireless network;
the processor is for reading the program code stored in the memory and performing: determining the registration state corresponding to the identifier of the mobile terminal, the registration state identifying whether the mobile terminal is registered in the enterprise wireless network; if the registration state corresponding to the identifier of the mobile terminal is determined to be unregistered, requesting the wireless access controller (AC) that controls the wireless AP to allocate an IP address to the mobile terminal; and setting the access control policy corresponding to the IP address to a first authorization policy, which allows the IP address to access an authentication webpage;
the receiver is further for receiving a web access request message sent by the mobile terminal using the IP address;
the transmitter is for sending a first redirection request to the AC according to the first authorization policy corresponding to the IP address, requesting that the web access request message be redirected to the authentication webpage; and, if it is determined that the mobile terminal has been authenticated successfully through the authentication webpage, sending a second redirection request to the AC, requesting that the web access request message be redirected to a registration webpage;
the receiver is further for receiving a configuration file and a digital certificate from the wireless AC;
the transmitter is further for forwarding the configuration file and digital certificate to the mobile terminal; the configuration file and digital certificate are used by the mobile terminal to access the enterprise wireless network through the EAP-TLS authentication mode.
In a first possible implementation of the third aspect, the receiver is further for receiving a web authentication result from a Remote Authentication Dial In User Service (RADIUS) server; the authentication webpage is provided by a Portal server in the enterprise wireless network, and the Portal server sends the Lightweight Directory Access Protocol (LDAP) domain account authentication information that the mobile terminal enters on the authentication webpage to the RADIUS server for web authentication;
the processor is specifically for setting the access control policy corresponding to the IP address to a second authorization policy if the web authentication result indicates that the mobile terminal passed web authentication, the second authorization policy allowing the IP address to access the registration webpage; and for sending the first redirection request to the AC according to the second authorization policy corresponding to the IP address, requesting that the web access request message be redirected to the registration webpage.
In the third aspect or its first possible implementation, a second possible implementation of the third aspect is also provided, in which the transmitter is further for sending a response message to the mobile terminal if the processor determines that the registration state is registered; the authentication algorithm field carried in the response message is set to an EAP-TLS indicator, to instruct the mobile terminal to access the enterprise wireless network according to the EAP-TLS authentication mode;
the processor is further for opening a controlled port for the mobile terminal when the network access equipment determines that the EAP-TLS authentication carried out between the mobile terminal and the RADIUS server has succeeded; the controlled port is used to carry the service data of the mobile terminal.
In the third aspect or any one of the above possible implementations of the third aspect, a third possible implementation of the third aspect is also provided, in which the processor is for obtaining the identifier of the mobile terminal from the access request message; querying a management server in the enterprise wireless network for the registration state of the mobile terminal according to the identifier of the mobile terminal; and receiving the registration state of the mobile terminal in the network returned by the management server.
In a fourth aspect, an AC is also provided, comprising:
a receiving unit, for receiving an access request message sent by a mobile terminal; the access request message requests access to the wireless network of an enterprise and carries an identifier of the mobile terminal, which uniquely identifies the mobile terminal within the scope of the enterprise wireless network;
a judging unit, for determining the registration state corresponding to the identifier of the mobile terminal in the access request message received by the receiving unit; the registration state identifies whether the mobile terminal is registered in the enterprise wireless network;
a resource allocation unit, for allocating an IP address to the mobile terminal if the judging unit determines that the registration state corresponding to the identifier of the mobile terminal is unregistered;
the receiving unit is further for receiving a first redirection request sent by a wireless access point (AP) controlled by the AC;
a redirection unit, for redirecting the web access request message sent by the mobile terminal using the IP address to an authentication webpage according to the first redirection request;
the receiving unit is further for receiving a second redirection request sent by the AP;
the redirection unit is further for redirecting the web access request message to a registration webpage according to the second redirection request;
the receiving unit is further for receiving a configuration file and a digital certificate sent by a management server in the enterprise wireless network; the configuration file and digital certificate are used by the mobile terminal to access the enterprise wireless network through the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication mode; after the management server sends the configuration file and digital certificate, the registration state of the mobile terminal in the management server is updated to registered;
a sending unit, further for sending the configuration file and digital certificate to the AP.
In a first possible implementation of the fourth aspect, the judging unit comprises:
an obtaining subunit, for obtaining the identifier of the mobile terminal from the access request message;
a querying subunit, for querying the management server in the enterprise wireless network for the registration state of the mobile terminal according to the identifier of the mobile terminal obtained by the obtaining subunit;
a receiving subunit, for receiving the registration state of the mobile terminal in the network returned by the management server.
In a second possible implementation of the fourth aspect, the receiving unit is further for receiving a dynamic authorization (Change of Authorization, CoA) message sent by a Remote Authentication Dial In User Service (RADIUS) server and, after receiving the CoA message, instructing the mobile terminal to resend the access request message; the CoA message is sent after the registration state of the mobile terminal in the management server has been updated to registered.
In the second possible implementation of the fourth aspect, a third possible implementation of the fourth aspect is also provided, further comprising: a resource reclaim unit, for reclaiming the IP address after the receiving unit receives the CoA message.
In a fifth aspect, a wireless AC is also provided; the AC comprises a memory, a processor, a receiver and a transmitter;
the receiver is for receiving an access request message sent by a mobile terminal; the access request message requests access to the wireless network of an enterprise and carries an identifier of the mobile terminal, which uniquely identifies the mobile terminal within the scope of the enterprise wireless network;
the processor is for reading the program code stored in the memory and performing:
determining the registration state corresponding to the identifier of the mobile terminal in the access request message received by the receiver, the registration state identifying whether the mobile terminal is registered in the enterprise wireless network; and, if the registration state corresponding to the identifier of the mobile terminal is unregistered, allocating an IP address to the mobile terminal;
the receiver is further for receiving a first redirection request sent by an AP controlled by the AC;
the processor is further for redirecting the web access request message sent by the mobile terminal using the IP address to an authentication webpage according to the first redirection request received by the receiver;
the receiver is further for receiving a second redirection request sent by the AP;
the processor is further for redirecting the web access request message to a registration webpage according to the second redirection request received by the receiver;
the receiver is further for receiving a configuration file and a digital certificate sent by a management server in the enterprise wireless network; the configuration file and digital certificate are used by the mobile terminal to access the enterprise wireless network through the EAP-TLS authentication mode; after the management server sends the configuration file and digital certificate, the registration state of the mobile terminal in the management server is updated to registered;
the transmitter is for sending the configuration file and digital certificate to the AP.
In a first possible implementation of the fifth aspect, when the processor 902 determines the registration state corresponding to the identifier of the mobile terminal in the access request message received by the receiver 903, it is specifically for:
obtaining the identifier of the mobile terminal from the access request message; querying the management server in the enterprise wireless network for the registration state of the mobile terminal according to the obtained identifier of the mobile terminal; and receiving the registration state of the mobile terminal in the network returned by the management server.
In the fifth aspect or its first possible implementation, a second possible implementation of the fifth aspect is also provided, in which the receiver is further for receiving a dynamic authorization (Change of Authorization, CoA) message sent by the RADIUS server and instructing the mobile terminal to resend the access request message after receiving the CoA message; the CoA message is sent after the registration state of the mobile terminal in the management server has been updated to registered.
In the second possible implementation of the fifth aspect, a third possible implementation of the fifth aspect is also provided,
in which the processor is further for reclaiming the IP address after the receiver receives the CoA message.
Embodiment of the present invention network access equipment is by when mobile terminal request access network, judge the login state of the mark correspondence of described mobile terminal, if described network access equipment judges that the login state of the mark correspondence of described mobile terminal is unregistered, described network access equipment is behind described mobile terminal distributing IP address, and access control policy corresponding for described IP address is set to the first authorization policy; And the web access requests message that mobile terminal is sent by described IP address is redirected to certification webpage by the access control policy corresponding according to described IP address, if described network access equipment determines that described mobile terminal is by described certification webpage authentication success, is redirected to registration web page; If described network access equipment determines the registration that described mobile terminal is completed in the wireless network of described enterprise by described registration web page, described network access equipment sends configuration file and digital certificate to described mobile terminal.Without the need to as prior art before mobile terminal access enterprise wireless networks, need be manually the distribution of each mobile terminal and distributes digital certificates, and carry out access parameter configuration, what reduce access control realizes difficulty.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the accompanying drawings required for describing the embodiments or the prior art are briefly introduced below. Apparently, the accompanying drawings in the following description show some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from these drawings without creative effort.
Fig. 1 is a schematic diagram of a deployment scenario of a network access control system for a mobile terminal according to an embodiment of the present invention;
Fig. 2 is a flowchart of the main implementation principle of an embodiment of the present invention;
Fig. 3 is a sequence diagram of an access control method for a mobile terminal according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a wireless AP according to the present invention;
Fig. 5 is a schematic structural diagram of the judging unit in a wireless AP according to the present invention;
Fig. 6 is a schematic structural diagram of another wireless AP according to the present invention;
Fig. 7 is a schematic structural diagram of a wireless AC according to the present invention;
Fig. 8 is a schematic structural diagram of the judging unit in a wireless AC according to the present invention;
Fig. 9 is a schematic structural diagram of another wireless AC according to the present invention.
Detailed description of the embodiments
The embodiments of the present invention provide an access control method for a mobile terminal, which is described below with reference to several embodiments.
Embodiment one
Fig. 1 is a schematic diagram of a deployment scenario of a network access control system for a mobile terminal according to an embodiment of the present invention. The system includes a mobile terminal and a network access device. In this application, a mobile terminal is a portable device that has a wireless network interface, can access the network without a cable and runs an operating system; it includes, but is not limited to, a laptop computer, a personal digital assistant (PDA) and a mobile phone. The network access device includes a wireless access point (AP) and a wireless access controller (AC), but may of course be another device with similar functions. The system further includes a Portal server, a Remote Authentication Dial In User Service (RADIUS) server and a management server. The wireless AP (hereinafter AP), the wireless AC (hereinafter AC), the Portal server, the RADIUS server and the management server may be interconnected through a switch. Optionally, the system may also include a certificate server (not shown) for issuing digital certificates; the function of the certificate server may also be integrated into the RADIUS server or the management server.
The main implementation principle, the specific implementations and the beneficial effects of the technical solution of the embodiment of the present invention are described in detail below with reference to Fig. 1.
As shown in Fig. 2, the main implementation principle of the embodiment of the present invention is as follows:
Step 10: the network access device receives an access request message sent by a mobile terminal, where the access request message requests access to an enterprise wireless network and carries an identifier of the mobile terminal, and the identifier uniquely identifies the mobile terminal within the scope of the enterprise wireless network.
The identifier of the mobile terminal includes, but is not limited to, the Medium Access Control (MAC) address of the mobile terminal.
Step 20: the network access device determines the registration state corresponding to the identifier of the mobile terminal, where the registration state indicates whether the mobile terminal is registered in the enterprise wireless network.
Optionally, when the management server in Fig. 1 is used to manage and maintain the registration state of each mobile terminal in the enterprise wireless network, the network access device determines the registration state corresponding to the identifier of the mobile terminal as follows:
the network access device obtains the identifier of the mobile terminal from the access request message;
queries, according to the identifier of the mobile terminal, the management server in the enterprise wireless network for the registration state of the mobile terminal; and
receives the registration state of the mobile terminal in the network returned by the management server.
Step 20 may be performed by the AP or by the AC, as flexibly arranged according to actual conditions; for example, if the AP has limited functions and hardware (a thin AP), the step may be performed by the AC.
For a thin AP, steps 10 to 20 are specifically:
the AP receives the access request message sent by the mobile terminal and forwards it to the AC, and the AC queries the management server for the registration state of the mobile terminal.
If the step is performed by the AP, steps 10 to 20 are specifically:
the AP receives the access request message sent by the mobile terminal and queries the management server for the registration state of the mobile terminal.
Step 30: if the network access device determines that the registration state corresponding to the identifier of the mobile terminal is unregistered, the network access device allocates an IP address to the mobile terminal and sets the access control policy corresponding to that IP address to a first authorization policy.
Optionally, for a thin AP, after the AC queries the management server for the registration state of the mobile terminal and confirms that the registration state corresponding to the identifier is unregistered, the AC allocates an IP address to the mobile terminal; after the IP address is allocated, the thin AP sets the access control policy corresponding to the IP address to the first authorization policy. The first authorization policy allows the IP address to access the authentication web page; it is the least privileged of the three authorization policies in this application and permits access only to the authentication web page and a very small set of other resources. This prevents an unauthenticated mobile terminal from accessing protected resources without authorization and improves the security of data resources in the enterprise wireless network.
Optionally, if the AP performs the step of querying the registration state, the AP queries the management server for the registration state of the mobile terminal and, after confirming that the registration state corresponding to the identifier is unregistered, requests the AC to allocate an IP address to the mobile terminal; after the AC allocates the IP address, the AP sets the access control policy corresponding to that IP address to the first authorization policy.
Step 40: the network access device receives a web access request message sent by the mobile terminal using the IP address, and redirects the web access request message to the authentication web page according to the first authorization policy corresponding to the IP address; if the network access device determines that the mobile terminal has passed authentication on the authentication web page, it redirects the web access request message further to the registration web page.
Specifically, after the mobile terminal obtains the IP address allocated by the AC, whenever the user attempts to access any web page through the web browser on the mobile terminal, the mobile terminal sends a web access request message. On receiving the web access request message, the AP looks up the access control policy corresponding to the source IP address of the message and processes the message according to the policy found. If the access control policy corresponding to the source IP address is the first authorization policy, the AP sends a first redirect request to the AC, requesting that the web access request message be redirected to the authentication web page.
Optionally, the authentication web page is provided by the Portal server in the enterprise wireless network, and the Portal server sends the Lightweight Directory Access Protocol (LDAP) domain account credentials entered by the mobile terminal on the authentication web page to the RADIUS server for web authentication. The web authentication result is forwarded to the mobile terminal through the AC and the AP. The result is either web authentication success or web authentication failure. The process by which the RADIUS server authenticates the mobile terminal through the web page provided by the Portal server belongs to the prior art and is not described in detail here.
When the web authentication result indicates that the mobile terminal passed web authentication, the AP sets the access control policy corresponding to the IP address to a second authorization policy. The second authorization policy allows the IP address to access the registration web page; it is a higher authorization policy than the first in this application, and an IP address to which it applies can access not only the authentication web page but also the registration web page. This prevents an unauthenticated mobile terminal from accessing protected resources and improves the security of data resources in the enterprise wireless network.
If the web authentication result indicates that the mobile terminal failed web authentication, the access control procedure is exited.
After updating the access control policy corresponding to the mobile terminal to the second authorization policy, the AP sends a second redirect request to the AC, requesting that the web access request message be redirected further to the registration web page.
The registration web page may be provided by the management server. Following the instructions and guidance on the registration web page, the user of the mobile terminal enters personal information, such as domain account, department and position, and some device parameters of the mobile terminal, such as device manufacturer and model.
Based on the information entered by the user of the mobile terminal on the registration web page, the management server generates a configuration file for the mobile terminal and issues a digital certificate. The configuration file contains the configuration parameters for accessing the enterprise wireless network, including network access parameters such as the network identifier; after receiving the configuration file, the mobile terminal can easily complete all configuration operations required for accessing the enterprise wireless network by replacing its original configuration file.
The function of issuing the digital certificate may be performed by the RADIUS server: after the user of the mobile terminal has entered the above information on the registration web page, the management server notifies the RADIUS server to issue a digital certificate to the mobile terminal. After obtaining the digital certificate, the mobile terminal can use it to complete 802.1X authentication, such as EAP-TLS authentication, with the RADIUS server, and after successful authentication securely access the enterprise wireless network.
Step 50: if the network access device determines that the mobile terminal has completed registration in the enterprise wireless network through the registration web page, the network access device sends the configuration file and the digital certificate to the mobile terminal, where the configuration file and the digital certificate are used by the mobile terminal to access the enterprise wireless network by EAP-TLS authentication.
Specifically, after generating the configuration file and notifying the RADIUS server to issue the digital certificate, the management server updates the registration state of the mobile terminal in the management server to registered. The management server then sends the configuration file to the mobile terminal through the AP, and the RADIUS server sends the digital certificate to the mobile terminal through the AP.
After receiving the configuration file sent by the management server and the digital certificate sent by the RADIUS server, the AP sends both to the mobile terminal.
Of course, in the above solution the management server may also update the registration state of the mobile terminal to registered only after the configuration file has been sent to the mobile terminal through the AP.
After step 50, the mobile terminal accesses the enterprise wireless network by EAP-TLS authentication according to the configuration file and the digital certificate. A mechanism provided in this embodiment for triggering the mobile terminal to access the enterprise wireless network by EAP-TLS authentication is as follows:
After the registration state of the mobile terminal in the management server has been updated to registered, the RADIUS server sends a CoA message to the AC, and the AC forwards the received CoA message to the AP. The AP receives the dynamic authorization (CoA) message sent by the RADIUS server and, after receiving it, instructs the mobile terminal to resend the access request message (for example, after receiving the CoA message the network access device disconnects the network connection already established between the AP and the mobile terminal, so that the mobile terminal attempts to access the network again and sends a new access request message). Specifically, the RADIUS server may send the CoA message to the AC after issuing the digital certificate and sending it to the mobile terminal; in this case it is recommended that a predetermined interval, for example 1 second, be left between sending the digital certificate and sending the CoA message, so that by the time the AP disconnects the established connection the mobile terminal has already received the digital certificate and the configuration file, which improves the success rate of secure access. A safer alternative is for the management server to send a notification message to the RADIUS server after updating the registration state of the mobile terminal to registered, and for the RADIUS server to send the CoA message to the AC only after receiving that notification.
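The CoA exchange above is only named in the patent; the following is an added example, not code from the patent or from any Huawei product, showing what the RADIUS server and the AC actually put on the wire if the "CoA message" is an RFC 5176 CoA-Request. It assumes the AC keys its session table by the terminal's MAC address carried in Calling-Station-Id (the identifier the patent uses), that the only integrity protection is the RFC 5176 authenticator over a shared secret, and the constructed secret, NAS identifier, MAC and session table shown. Note that RFC 5176 also defines Disconnect-Request (code 40), which matches "disconnect the terminal" more directly than CoA-Request (code 43); the example follows the patent's wording and uses CoA, and the AC reacts to it exactly as the page describes: verify, look up the session, reclaim the first IP address and tell the AP to drop the association.

```python
"""RADIUS Dynamic Authorization (CoA) between RADIUS server and AC, per RFC 5176.
Added example for this page; all names, secrets and addresses are constructed."""
import hashlib
import hmac
import struct

CODE_COA_REQUEST, CODE_COA_ACK, CODE_COA_NAK = 43, 44, 45
ATTR_CALLING_STATION_ID = 31          # RFC 2865: the station's MAC address
ATTR_NAS_IDENTIFIER = 32
ATTR_ERROR_CAUSE = 101                # RFC 5176
ERR_MISSING_ATTRIBUTE = 402
ERR_SESSION_CONTEXT_NOT_FOUND = 503


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs; integers become 4-byte big-endian."""
    out = b""
    for atype, value in attrs:
        if isinstance(value, int):
            value = struct.pack(">I", value)
        if len(value) > 253:
            raise ValueError("RADIUS attribute value too long")
        out += struct.pack(">BB", atype, len(value) + 2) + value
    return out


def decode_attrs(body):
    """Decode RADIUS TLVs into a dict type -> value; rejects malformed lengths."""
    attrs, pos = {}, 0
    while pos < len(body):
        atype, alen = struct.unpack(">BB", body[pos:pos + 2])
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = body[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_coa_request(identifier, attrs, secret):
    """CoA-Request; Request Authenticator = MD5(Code|ID|Length|16 zero octets|Attrs|Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack(">BBH", CODE_COA_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_coa_request(pkt, secret):
    """AC side: recompute the Request Authenticator and compare in constant time."""
    if len(pkt) < 20:
        return False
    code, _ident, length = struct.unpack(">BBH", pkt[:4])
    if code != CODE_COA_REQUEST or length != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def build_coa_response(code, request, attrs, secret):
    """CoA-ACK/NAK; Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack(">BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def ac_handle_coa(pkt, secret, sessions):
    """AC behaviour from the page: on a valid CoA naming a known terminal, drop the
    session (terminal re-probes) and reclaim its first IP address.
    Returns (response packet or None, set of MACs the AP must disconnect)."""
    if not verify_coa_request(pkt, secret):
        return None, set()            # RFC 5176: silently discard a bad authenticator
    attrs = decode_attrs(pkt[20:])
    mac = attrs.get(ATTR_CALLING_STATION_ID)
    if mac is None:
        nak = build_coa_response(CODE_COA_NAK, pkt,
                                 [(ATTR_ERROR_CAUSE, ERR_MISSING_ATTRIBUTE)], secret)
        return nak, set()
    mac = mac.decode()
    if mac not in sessions:
        nak = build_coa_response(CODE_COA_NAK, pkt,
                                 [(ATTR_ERROR_CAUSE, ERR_SESSION_CONTEXT_NOT_FOUND)], secret)
        return nak, set()
    sessions.pop(mac)                 # reclaim the first IP address (optional step on the page)
    return build_coa_response(CODE_COA_ACK, pkt, [], secret), {mac}


def demo():
    """Constructed exchange: RADIUS tells the AC that 00-11-22-33-44-55 is now registered."""
    secret = b"constructed-shared-secret"
    sessions = {"00-11-22-33-44-55": "10.0.0.21"}   # constructed AC table: MAC -> first IP
    req = build_coa_request(7, [(ATTR_NAS_IDENTIFIER, b"ac-1"),
                                (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")], secret)
    resp, to_disconnect = ac_handle_coa(req, secret, sessions)
    return resp[0], sorted(to_disconnect), sessions


if __name__ == "__main__":
    print(demo())
```

The MD5-over-shared-secret authenticator is the entire protection of this channel, so the RADIUS-to-AC path belongs on the isolated management network the page describes (the servers and the AC behind a switch), not on any segment a terminal in the first authorization policy can reach; a terminal that could inject a valid CoA for another MAC could force that terminal to re-associate. The 1-second interval the page recommends between sending the certificate and the CoA is handled on the sending side and is not modelled here.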
Optionally, to improve the utilization of network address resources, the AC also reclaims the IP address after receiving the CoA message.
The specific way in which the mobile terminal accesses the enterprise wireless network by EAP-TLS authentication according to the configuration file and the digital certificate belongs to the prior art and is not described in detail here. When the mobile terminal succeeds in EAP-TLS authentication with the RADIUS server, the AC allocates a new IP address to the mobile terminal, the access control policy corresponding to this IP address is a third authorization policy, and the AP opens the controlled port for the mobile terminal, where the controlled port carries the service data of the mobile terminal. The third authorization policy is a higher authorization policy that permits access to protected resources in the enterprise wireless network.
In the access control method for a mobile terminal provided by the embodiment of the present invention, when a mobile terminal requests access to the enterprise wireless network, different processing is performed according to the registration state of the mobile terminal in the wireless network. Specifically, for an unregistered mobile terminal, the network access device allocates an IP address to the mobile terminal and sets the access control policy corresponding to that IP address to the first authorization policy; when the mobile terminal attempts to browse a web page using that IP address, it is redirected to the authentication web page to authenticate, and after successful authentication is redirected further to the registration web page to register, thereby obtaining the configuration file and the digital certificate required for subsequently accessing the network by EAP-TLS authentication. This method greatly simplifies the configuration and preparation required by existing access control and improves processing efficiency.
In addition, the above solution does not restrict the type of operating system of the mobile terminal: whatever operating system the mobile terminal runs, whether Windows or Android, the solution applies as long as the terminal supports EAP-TLS authentication, so it has good versatility.
Embodiment two
This embodiment further describes the access control method for a mobile terminal provided in embodiment one from the perspective of an interaction sequence diagram.
Fig. 3 is a sequence diagram of the access control method for a mobile terminal according to the embodiment of the present invention. The method includes:
Step 301: the mobile terminal sends an access request message, namely a Probe Request, to the AP.
Step 302: after receiving the access request message, the AP queries the management server for the registration state of the mobile terminal. If the registration state corresponding to the identifier of the mobile terminal is unregistered, step 303 is performed; if it is registered, step 323 is performed.
For the specific process of querying the registration state, refer to the description in embodiment one, which is not repeated here.
Step 303: the AP sends a Probe Response to the mobile terminal, with the authentication algorithm field carried in the Probe Response set to the no-authentication indicator.
Step 304: the mobile terminal sends an Authentication Request to the AP.
Step 305: the AP returns an Authentication Response to the mobile terminal.
Step 306: the mobile terminal sends an Association Request to the AP.
Step 307: the AP returns an Association Response to the mobile terminal.
Step 308: the AC allocates a first IP address to the mobile terminal through the Dynamic Host Configuration Protocol (DHCP). In this process, the AP sets the access control policy corresponding to the first IP address to the first authorization policy. The first, second and third authorization policies in this embodiment are defined as in embodiment one and are not repeated here.
Step 309: using the IP address allocated by the AC in step 308, the mobile terminal sends a web access request message when its web browser is used to access any web page.
Step 310: after receiving the web access request message, the AP looks up the access control policy corresponding to the source IP address of the message; in this embodiment the lookup yields the first authorization policy.
Step 311: if the access control policy found is the first authorization policy, the AP sends a first redirect request to the AC, requesting that the web access request message be redirected to the authentication web page.
Step 312: the AC redirects the web access request message to the authentication web page provided by the Portal server, and the Portal server sends the LDAP domain account credentials entered by the mobile terminal on the authentication web page to the RADIUS server for web authentication.
Step 313: when the web authentication result indicates that the mobile terminal passed web authentication, the AP sets the access control policy corresponding to the IP address to the second authorization policy.
Step 314: after updating the access control policy corresponding to the mobile terminal to the second authorization policy, the AP sends a second redirect request to the AC, requesting that the web access request message be redirected further to the registration web page.
Step 315: the AC redirects the web access request message further to the registration web page.
Step 316: if the mobile terminal completes registration in the enterprise wireless network through the registration web page, the management server generates a configuration file for the mobile terminal and sends it to the mobile terminal through the AP, and the RADIUS server issues a digital certificate to the mobile terminal and sends it to the mobile terminal through the AP.
Step 317: after the registration state of the mobile terminal in the management server has been updated to registered, the RADIUS server sends a CoA message to the AC.
Step 318: after receiving the CoA message, the AC instructs the AP to disconnect the network connection already established with the mobile terminal, so that the mobile terminal attempts to access the network again. Step 320 is then performed.
Optionally, the AC may reclaim the first IP address.
Step 320: the mobile terminal resends the Probe Request.
Step 321: after receiving the access request message, the AP queries the management server for the registration state of the mobile terminal; the registration state is now registered, so step 323 is performed.
Step 323: the AP sends a Probe Response to the mobile terminal, with the authentication algorithm field carried in the Probe Response set to the 802.1X authentication indicator, which has a higher security level; specifically, it may be the EAP-TLS authentication indicator. This field instructs the mobile terminal to access the enterprise wireless network by EAP-TLS authentication.
Step 324: the mobile terminal sends an Authentication Request to the AP.
Step 325: the AP returns an Authentication Response to the mobile terminal.
Step 326: the mobile terminal sends an Association Request to the AP.
Step 327: the AP returns an Association Response to the mobile terminal.
Step 328: the mobile terminal performs 802.1X authentication with the RADIUS server, using the digital certificate obtained earlier.
Step 329: if 802.1X authentication succeeds, the mobile terminal accesses the enterprise wireless network according to the parameters in the configuration file. After successful 802.1X authentication, the RADIUS server sends an authorization message to the AC, the AC allocates a second IP address to the mobile terminal, and the access control policy corresponding to the second IP address in the AP is the third authorization policy. The AP opens the controlled port for the mobile terminal, where the controlled port carries the service data of the mobile terminal.
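The flow of steps 10 to 50 in embodiment one and steps 301 to 329 above is the same procedure seen from two angles; the following added example (not code from the patent or from any product) drives one terminal through it end to end so that the three authorization policies, the per-IP policy table on the AP and the CoA-triggered re-association can be inspected. The component classes, the 10.0.0.0/24 pool, the portal and registration URLs, the LDAP account and the string stand-ins for the configuration file and the certificate are all constructed assumptions. It also exercises two failure modes the page only mentions in passing: a failed portal login leaves the IP at the first authorization policy, and a registered MAC presenting the wrong certificate never gets the controlled port opened.

```python
"""Simulation of the onboarding flow (embodiments one and two). Added example;
every name, address and credential below is constructed."""

POLICY_AUTH_ONLY, POLICY_REGISTRATION, POLICY_FULL = 1, 2, 3        # the three authorization policies
AUTH_PAGE, REG_PAGE = "https://portal.example/auth", "https://mgmt.example/register"  # assumed URLs


class ManagementServer:
    """Registration state keyed by MAC (step 20) plus configuration-file generation (step 316)."""
    def __init__(self):
        self.registered, self.profiles = set(), {}

    def is_registered(self, mac):
        return mac in self.registered

    def register(self, mac, info):
        self.profiles[mac] = {"ssid": "corp-eap-tls", "eap": "EAP-TLS", **info}  # assumed contents
        self.registered.add(mac)        # state flips to registered once the file exists
        return self.profiles[mac]


class RadiusServer:
    """Portal (web) authentication against constructed LDAP accounts, cert issuance, EAP-TLS."""
    def __init__(self, accounts):
        self.accounts, self.issued = accounts, {}

    def web_auth(self, user, password):
        return self.accounts.get(user) == password

    def issue_certificate(self, mac):
        self.issued[mac] = f"cert-for-{mac}"   # stand-in for an X.509 certificate bound to the terminal
        return self.issued[mac]

    def eap_tls(self, mac, cert):
        return self.issued.get(mac) == cert    # a certificate issued to another terminal is rejected


class AC:
    """Allocates IP addresses (DHCP stand-in) and reclaims the first one on CoA (steps 308, 318)."""
    def __init__(self):
        self.next_host, self.leases = 21, {}

    def allocate_ip(self, mac):
        ip, self.next_host = f"10.0.0.{self.next_host}", self.next_host + 1
        self.leases[mac] = ip
        return ip

    def handle_coa(self, ap, mac):
        ap.policy.pop(self.leases.pop(mac, None), None)   # reclaim the IP and its policy entry
        ap.disconnect(mac)                                 # AP drops the association; terminal re-probes


class AP:
    """Holds the per-IP access control policy and enforces it on web requests (steps 40, 310-315)."""
    def __init__(self, ac, mgmt):
        self.ac, self.mgmt = ac, mgmt
        self.policy, self.controlled_port, self.associated = {}, set(), set()

    def probe(self, mac):
        """Steps 302/303/323: registered -> demand 802.1X; unregistered -> open network, tier-1 IP."""
        if self.mgmt.is_registered(mac):
            return {"auth": "802.1X"}
        ip = self.ac.allocate_ip(mac)
        self.policy[ip] = POLICY_AUTH_ONLY
        self.associated.add(mac)
        return {"auth": "open", "ip": ip}

    def web_request(self, src_ip, url):
        tier = self.policy.get(src_ip)
        if tier == POLICY_AUTH_ONLY:
            return AUTH_PAGE              # first redirect request via the AC
        if tier == POLICY_REGISTRATION:
            return REG_PAGE               # second redirect request via the AC
        if tier == POLICY_FULL:
            return url                    # third policy: forward to the requested resource
        raise PermissionError(f"no policy for {src_ip}")   # unknown source: never forward

    def web_auth_result(self, ip, ok):
        if ok:
            self.policy[ip] = POLICY_REGISTRATION   # step 313; on failure the tier stays at 1

    def disconnect(self, mac):
        self.associated.discard(mac)

    def eap_tls_success(self, mac):
        ip = self.ac.allocate_ip(mac)     # second IP address, third policy, controlled port opened
        self.policy[ip] = POLICY_FULL
        self.controlled_port.add(mac)
        return ip


def onboard(mac, user, password, info, presented_cert=None):
    """Run one terminal through the whole flow and report the trace and final AP state."""
    mgmt, radius, ac = ManagementServer(), RadiusServer({"alice": "constructed-pw"}), AC()
    ap, trace = AP(ac, mgmt), []
    first = ap.probe(mac)
    trace.append(f"probe:{first['auth']}")
    trace.append(f"redirect:{ap.web_request(first['ip'], 'http://intranet.example/')}")
    ok = radius.web_auth(user, password)
    ap.web_auth_result(first["ip"], ok)
    trace.append(f"web-auth:{'ok' if ok else 'fail'}")
    if ok:
        trace.append(f"redirect:{ap.web_request(first['ip'], 'http://intranet.example/')}")
        mgmt.register(mac, info)                   # configuration file generated, state -> registered
        cert = radius.issue_certificate(mac)
        ac.handle_coa(ap, mac)                     # RADIUS CoA -> AC reclaims IP, AP disconnects
        trace.append("coa:disconnect")
        trace.append(f"probe:{ap.probe(mac)['auth']}")
        if radius.eap_tls(mac, presented_cert or cert):
            trace.append(f"eap-tls:ok:{ap.eap_tls_success(mac)}")
        else:
            trace.append("eap-tls:fail")
    return {"trace": trace, "port_open": mac in ap.controlled_port, "policies": dict(ap.policy)}


if __name__ == "__main__":
    print(onboard("00-11-22-33-44-55", "alice", "constructed-pw", {"dept": "eng"}))
```

The MAC address is only the key that selects which branch a terminal enters: a terminal that spoofs the MAC of a registered device is answered with the 802.1X indicator and still has to pass EAP-TLS with the private key matching the issued certificate, so the security boundary of the design is the certificate, not the identifier. The simulation also drops the first IP's policy entry on CoA, so a device that skips the re-association cannot keep using the registration-tier address.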
In the access control method for a mobile terminal provided by the embodiment of the present invention, the AP, the AC, the Portal server, the RADIUS server and the management server cooperate so that access control can be performed conveniently and efficiently when a mobile terminal joins the network, which simplifies the tedious work that administrators and users must perform in the prior art.
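Steps 303 and 323 above say the AP signals the required authentication in an "authentication algorithm field" of the Probe Response. In IEEE 802.11 the Probe Response carries no such field; the authentication algorithm number lives in the Authentication frame, and the standard way for an AP to tell a station that 802.1X/EAP is required is the RSN information element (element ID 48) with the 802.1X AKM selector 00-0F-AC:1. The following added example (not code from the patent) builds and parses that element under the assumption that this is how the two Probe Responses differ: no RSN IE for an unregistered terminal (open network, portal only) and an RSN IE advertising 802.1X for a registered one. The SSID and the capability bits are constructed. Note that the RSN IE selects 802.1X, not a particular EAP method; that EAP-TLS is used is decided by the EAP exchange and the client profile delivered in the configuration file.

```python
"""RSN IE signalling for the two registration states (steps 303 and 323). Added example."""
import struct

ELEM_SSID, ELEM_RSN = 0, 48
OUI_IEEE = b"\x00\x0f\xac"
CIPHER_CCMP = OUI_IEEE + b"\x04"
AKM_8021X = OUI_IEEE + b"\x01"          # IEEE 802.1X / EAP authentication
AKM_PSK = OUI_IEEE + b"\x02"            # pre-shared key, handled by the parser only
RSN_CAP_MFPR, RSN_CAP_MFPC = 0x0040, 0x0080   # management frame protection required / capable


def build_rsn_ie(akms=(AKM_8021X,), group=CIPHER_CCMP, pairwise=(CIPHER_CCMP,), capabilities=0):
    """RSN IE body: version 1, group cipher, pairwise list, AKM list, capabilities (counts little-endian)."""
    body = struct.pack("<H", 1) + group
    body += struct.pack("<H", len(pairwise)) + b"".join(pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(akms)
    body += struct.pack("<H", capabilities)
    return struct.pack("BB", ELEM_RSN, len(body)) + body


def build_ssid_ie(ssid):
    return struct.pack("BB", ELEM_SSID, len(ssid)) + ssid


def iter_ies(blob):
    """Walk a Probe Response IE list, rejecting truncated elements instead of over-reading."""
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated IE header")
        eid, elen = blob[pos], blob[pos + 1]
        if pos + 2 + elen > len(blob):
            raise ValueError("truncated IE body")
        yield eid, blob[pos + 2:pos + 2 + elen]
        pos += 2 + elen


def parse_rsn_ie(body):
    """Decode an RSN IE body into its suite selectors; raises ValueError on malformed input."""
    if len(body) < 8 or struct.unpack("<H", body[:2])[0] != 1:
        raise ValueError("unsupported or truncated RSN IE")
    pos, out = 2, {"group": body[2:6]}
    pos += 4
    for key in ("pairwise", "akm"):
        if pos + 2 > len(body):
            raise ValueError(f"RSN {key} count missing")
        (count,) = struct.unpack("<H", body[pos:pos + 2])
        pos += 2
        if pos + 4 * count > len(body):
            raise ValueError(f"RSN {key} list truncated")
        out[key] = [body[pos + 4 * i:pos + 4 * i + 4] for i in range(count)]
        pos += 4 * count
    if pos + 2 > len(body):
        raise ValueError("RSN capabilities missing")
    (out["capabilities"],) = struct.unpack("<H", body[pos:pos + 2])
    return out


def probe_response_ies(registered, ssid=b"corp"):
    """AP side: unregistered -> SSID only (open); registered -> SSID plus RSN/802.1X with MFP."""
    ies = build_ssid_ie(ssid)
    if registered:
        ies += build_rsn_ie((AKM_8021X,), capabilities=RSN_CAP_MFPC | RSN_CAP_MFPR)
    return ies


def client_network_type(ies):
    """Client side: classify what the AP advertised as 'open', '802.1X', 'psk' or 'unsupported'."""
    for eid, body in iter_ies(ies):
        if eid == ELEM_RSN:
            akms = parse_rsn_ie(body)["akm"]
            if AKM_8021X in akms:
                return "802.1X"
            return "psk" if AKM_PSK in akms else "unsupported"
    return "open"
```

Because the unregistered branch is an open network, nothing between the terminal and the AP is encrypted at the link layer during the portal and registration phase; the page's first and second authorization policies restrict where that traffic may go, but the portal and registration pages themselves need TLS (the https URLs a deployment would use) so that the LDAP credentials, the configuration file and the certificate are not exposed to other stations on the same open SSID.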
Embodiment three
An embodiment of the present invention provides a wireless AP. As shown in Fig. 4, the device includes a receiving unit 401, a judging unit 402, a resource allocation request unit 403, a policy setting unit 404, a redirect request unit 405 and a sending unit 406, as follows:
the receiving unit 401 is configured to receive an access request message sent by a mobile terminal, where the access request message requests access to an enterprise wireless network and carries an identifier of the mobile terminal, and the identifier uniquely identifies the mobile terminal within the scope of the enterprise wireless network;
the judging unit 402 is configured to determine the registration state corresponding to the identifier of the mobile terminal in the access request message received by the receiving unit 401, where the registration state indicates whether the mobile terminal is registered in the enterprise wireless network;
the resource allocation request unit 403 is configured to, if the judging unit 402 determines that the registration state corresponding to the identifier of the mobile terminal is unregistered, request the wireless access controller (AC) that controls the wireless AP to allocate an IP address to the mobile terminal;
the policy setting unit 404 is configured to set the access control policy corresponding to the IP address to a first authorization policy, where the first authorization policy allows the IP address to access the authentication web page;
the receiving unit 401 is further configured to receive a web access request message sent by the mobile terminal using the IP address;
the redirect request unit 405 is configured to send a first redirect request to the AC according to the first authorization policy corresponding to the IP address set by the policy setting unit 404, requesting that the web access request message be redirected to the authentication web page, and, if it is determined that the mobile terminal has passed authentication on the authentication web page, to send a second redirect request to the AC, requesting that the web access request message be redirected to the registration web page;
the receiving unit 401 is further configured to receive a configuration file and a digital certificate from the wireless AC; and
the sending unit 406 is configured to forward the configuration file and the digital certificate to the mobile terminal, where the configuration file and the digital certificate are used by the mobile terminal to access the enterprise wireless network by EAP-TLS authentication.
Optionally, the receiving unit 401 is further configured to receive a web authentication result from the RADIUS server, where the authentication web page is provided by the Portal server in the enterprise wireless network and the Portal server sends the LDAP domain account credentials entered by the mobile terminal on the authentication web page to the RADIUS server for web authentication;
the policy setting unit 404 is further configured to, if the web authentication result indicates that the mobile terminal passed web authentication, set the access control policy corresponding to the IP address to a second authorization policy, where the second authorization policy allows the IP address to access the registration web page; and
the redirect request unit 405 is specifically configured to send the second redirect request to the AC according to the second authorization policy corresponding to the IP address, requesting that the web access request message be redirected to the registration web page.
So that the user of the mobile terminal can learn the web authentication result, the sending unit 406 is further configured to forward the web authentication result to the mobile terminal.
Optionally, the sending unit 406 is further configured to, if the judging unit 402 determines that the registration state is registered, send a response message to the mobile terminal, with the authentication algorithm field carried in the response message set to the EAP-TLS authentication indicator, so as to instruct the mobile terminal to access the enterprise wireless network by EAP-TLS authentication.
In this case, the device shown in Fig. 4 further includes a port opening unit 407, configured to open the controlled port for the mobile terminal when the network access device determines that the EAP-TLS authentication performed between the mobile terminal and the RADIUS server has succeeded, where the controlled port carries the service data of the mobile terminal.
Alternatively, please refer to accompanying drawing 5, in the device shown in accompanying drawing 4, judging unit 402 specifically comprises:
Obtain subelement 501, for obtaining the mark of described mobile terminal in the described access request message that receives from receiving element 401;
Inquiry subelement 502, for according to the mark obtaining the described mobile terminal that subelement 501 obtains, to the login state of mobile terminal described in the management server queries in the wireless network of described enterprise;
Receiving subelement 503, is the login state of described mobile terminal in described network that response inquiry subelement 502 returns for receiving described management server.
The workflow of each unit in wireless aps shown in accompanying drawing 5, and in the system shown in described wireless aps and accompanying drawing 1, the reciprocal process of other network equipments please refer to the description in previous methods embodiment, here describes in detail no longer one by one.
FIG. 6 is a schematic structural diagram of a wireless AP provided by an embodiment of the present invention. The AP comprises a memory 601, a processor 602, a receiver 603 and a transmitter 604; the receiver 603 and the transmitter 604 may be implemented on the same communication chip. The memory 601, the processor 602, the receiver 603 and the transmitter 604 may be interconnected by a bus.
The receiver 603 is configured to receive an access request message sent by a mobile terminal, where the access request message requests access to the wireless network of an enterprise and carries an identifier of the mobile terminal, the identifier uniquely identifying the mobile terminal within the scope of the wireless network of the enterprise;
The processor 602 is configured to read the program code stored in the memory 601 and execute the following: determine the registration state corresponding to the identifier of the mobile terminal, where the registration state identifies whether the mobile terminal is registered in the wireless network of the enterprise; if the registration state corresponding to the identifier of the mobile terminal is unregistered, request the wireless access controller (AC) that controls the wireless AP to allocate an IP address to the mobile terminal; and set the access control policy corresponding to the IP address to a first authorization policy, where the first authorization policy allows the IP address to access an authentication webpage;
The receiver 603 is further configured to receive a web access request message sent by the mobile terminal using the IP address;
The transmitter 604 is configured to send, according to the first authorization policy corresponding to the IP address, a first redirect request to the AC, requesting that the web access request message be redirected to the authentication webpage; and, if it is determined that the mobile terminal has been successfully authenticated through the authentication webpage, send a second redirect request to the AC, requesting that the web access request message be redirected to a registration webpage;
The receiver 603 is further configured to receive a configuration file and a digital certificate from the wireless AC;
The transmitter 604 is further configured to forward the configuration file and the digital certificate to the mobile terminal, where the configuration file and the digital certificate are used by the mobile terminal to access the enterprise wireless network using EAP-TLS authentication.
Optionally, the receiver 603 is further configured to receive a webpage authentication result from a Remote Authentication Dial In User Service (RADIUS) server. The authentication webpage is provided by a Portal server in the wireless network of the enterprise, and the Portal server sends the Lightweight Directory Access Protocol (LDAP) domain account authentication information entered by the mobile terminal on the authentication webpage to the RADIUS server for webpage authentication;
The processor 602 is specifically configured to, if the webpage authentication result received by the receiver 603 indicates that the mobile terminal has passed webpage authentication, set the access control policy corresponding to the IP address to a second authorization policy, where the second authorization policy allows the IP address to access the registration webpage; and, according to the second authorization policy corresponding to the IP address, send the second redirect request to the AC, requesting that the web access request message be redirected to the registration webpage.
Optionally, the transmitter 604 is further configured to, if the processor 602 determines that the registration state is registered, send a response message to the mobile terminal, where the authentication algorithm field carried in the response message is set to an EAP-TLS authentication indicator, instructing the mobile terminal to access the wireless network of the enterprise using EAP-TLS authentication;
The processor 602 is further configured to open a controlled port for the mobile terminal when the wireless AP, acting as the network access device, determines that the EAP-TLS authentication performed between the mobile terminal and the RADIUS server has succeeded; the controlled port carries the service data of the mobile terminal.
Optionally, the processor 602 determining the registration state corresponding to the identifier of the mobile terminal specifically comprises: the processor 602 obtains the identifier of the mobile terminal from the access request message; queries, according to the identifier of the mobile terminal, a management server in the wireless network of the enterprise for the registration state of the mobile terminal; and receives the registration state of the mobile terminal in the network returned by the management server.
For the workflow of the apparatus in the wireless AP shown in FIG. 6, and for the interaction between the wireless AP and the other network devices in the system shown in FIG. 1, refer to the description in the preceding method embodiment; it is not repeated here.
An embodiment of the present invention provides a wireless AP. The wireless AP receives an access request message sent by a mobile terminal and determines the registration state corresponding to the identifier of the mobile terminal carried in the access request message; if the registration state corresponding to the identifier of the mobile terminal is unregistered, it requests the wireless AC that controls the wireless AP to allocate an IP address to the mobile terminal; sets the access control policy corresponding to the IP address to a first authorization policy; receives a web access request message sent by the mobile terminal from the IP address; sends, according to the access control policy set for the IP address, a first redirect request to the AC, requesting that the web access request message be redirected to an authentication webpage; if it determines that the mobile terminal has been successfully authenticated through the authentication webpage, sends a second redirect request to the AC, requesting that the web access request message be redirected to a registration webpage; receives a configuration file and a digital certificate from the management server and the certificate server; and forwards the configuration file and the digital certificate to the mobile terminal, where they are used by the mobile terminal to access the enterprise wireless network using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication. The wireless AP cooperates with the other network devices so that access control can be performed conveniently and efficiently when a mobile terminal accesses the network, which simplifies the tedious work that the administrator and the user had to perform in the prior art.
Embodiment four
This embodiment provides a wireless AC. As shown in FIG. 7, it comprises a receiving unit 701, a judging unit 702, a resource allocation unit 703, a redirection unit 704 and a sending unit 705, where:
The receiving unit 701 is configured to receive an access request message sent by a mobile terminal, where the access request message requests access to the wireless network of an enterprise and carries an identifier of the mobile terminal, the identifier uniquely identifying the mobile terminal within the scope of the wireless network of the enterprise;
The judging unit 702 is configured to determine the registration state corresponding to the identifier of the mobile terminal in the access request message received by the receiving unit 701, where the registration state identifies whether the mobile terminal is registered in the wireless network of the enterprise;
The resource allocation unit 703 is configured to allocate an IP address to the mobile terminal if the judging unit 702 determines that the registration state corresponding to the identifier of the mobile terminal is unregistered;
The receiving unit 701 is further configured to receive a first redirect request sent by an AP controlled by the AC;
The redirection unit 704 is configured to redirect, according to the first redirect request, the web access request message sent by the mobile terminal using the IP address to an authentication webpage;
The receiving unit 701 is further configured to receive a second redirect request sent by the AP;
The redirection unit 704 is further configured to redirect the web access request message to a registration webpage according to the second redirect request;
The receiving unit 701 is further configured to receive a configuration file and a digital certificate sent by a management server in the wireless network of the enterprise, where the configuration file and the digital certificate are used by the mobile terminal to access the enterprise wireless network using EAP-TLS authentication; after the management server sends the configuration file and the digital certificate, the registration state of the mobile terminal in the management server is updated to registered;
The sending unit 705 is configured to send the configuration file and the digital certificate to the AP.
Optionally, referring to FIG. 8, the judging unit 702 specifically comprises:
an acquisition subunit 801, configured to obtain the identifier of the mobile terminal from the access request message;
a query subunit 802, configured to query, according to the identifier of the mobile terminal obtained by the acquisition subunit 801, a management server in the wireless network of the enterprise for the registration state of the mobile terminal;
a receiving subunit 803, configured to receive the registration state of the mobile terminal in the network that the management server returns in response to the query from the query subunit 802.
Optionally, the receiving unit 701 in FIG. 7 is further configured to receive a Change of Authorization (CoA) message sent by the RADIUS server and, after receiving the CoA message, to instruct the mobile terminal to re-send the access request message; the CoA message is sent after the registration state of the mobile terminal in the management server has been updated to registered.
In this case, the apparatus in FIG. 7 further comprises a resource reclaiming unit 706, configured to reclaim the IP address after the receiving unit 701 receives the CoA message.
For the workflow of each unit in the wireless AC shown in FIG. 7, and for the interaction between the wireless AC and the other network devices in the system shown in FIG. 1, refer to the description in the preceding method embodiment; it is not repeated here.
FIG. 9 is a schematic structural diagram of a wireless AC provided by an embodiment of the present invention. The AC comprises a memory 901, a processor 902, a receiver 903 and a transmitter 904; the receiver 903 and the transmitter 904 may be implemented on the same communication chip. The memory 901, the processor 902, the receiver 903 and the transmitter 904 may be interconnected by a bus.
The receiver 903 is configured to receive an access request message sent by a mobile terminal, where the access request message requests access to the wireless network of an enterprise and carries an identifier of the mobile terminal, the identifier uniquely identifying the mobile terminal within the scope of the wireless network of the enterprise;
The processor 902 is configured to read the program code stored in the memory 901 and execute the following:
determine the registration state corresponding to the identifier of the mobile terminal in the access request message received by the receiver 903, where the registration state identifies whether the mobile terminal is registered in the wireless network of the enterprise; if the registration state corresponding to the identifier of the mobile terminal is unregistered, allocate an IP address to the mobile terminal;
The receiver 903 is further configured to receive a first redirect request sent by an AP controlled by the AC;
The processor 902 is further configured to redirect, according to the first redirect request received by the receiver 903, the web access request message sent by the mobile terminal using the IP address to an authentication webpage;
The receiver 903 is further configured to receive a second redirect request sent by the AP;
The processor 902 is further configured to redirect the web access request message to a registration webpage according to the second redirect request received by the receiver 903;
The receiver 903 is further configured to receive a configuration file and a digital certificate sent by a management server in the wireless network of the enterprise, where the configuration file and the digital certificate are used by the mobile terminal to access the enterprise wireless network using EAP-TLS authentication; after the management server sends the configuration file and the digital certificate, the registration state of the mobile terminal in the management server is updated to registered;
The transmitter 904 is configured to send the configuration file and the digital certificate to the AP.
Optionally, when the processor 902 determines the registration state corresponding to the identifier of the mobile terminal in the access request message received by the receiver 903, it is specifically configured to:
obtain the identifier of the mobile terminal from the access request message; query, according to the obtained identifier of the mobile terminal, a management server in the wireless network of the enterprise for the registration state of the mobile terminal; and receive the registration state of the mobile terminal in the network returned by the management server.
Optionally, the receiver 903 is further configured to receive a Change of Authorization (CoA) message sent by the RADIUS server and, after receiving the CoA message, to instruct the mobile terminal to re-send the access request message; the CoA message is sent after the registration state of the mobile terminal in the management server has been updated to registered.
The processor 902 is further configured to reclaim the IP address after the receiver 903 receives the CoA message.
For the workflow of the apparatus in the wireless AC shown in FIG. 9, and for the interaction between the wireless AC and the other network devices in the system shown in FIG. 1, refer to the description in the preceding method embodiment; it is not repeated here.
An embodiment of the present invention provides a wireless AC. The wireless AC receives an access request message sent by a mobile terminal and determines the registration state corresponding to the identifier of the mobile terminal in the access request message; if it determines that the registration state corresponding to the identifier of the mobile terminal is unregistered, it allocates an IP address to the mobile terminal; receives a first redirect request sent by an AP controlled by the AC; redirects, according to the first redirect request, the web access request message sent by the mobile terminal from the IP address to an authentication webpage; receives a second redirect request sent by the AP; redirects, according to the second redirect request, the web access request message to a registration webpage; receives a configuration file and a digital certificate sent by the management server in the wireless network of the enterprise; and sends the configuration file and the digital certificate to the AP. The wireless AC cooperates with the other network devices so that access control can be performed conveniently and efficiently when a mobile terminal accesses the network, which simplifies the tedious work that the administrator and the user had to perform in the prior art.
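The following Python simulation is an added example; it is not code from the patent or from Huawei/XFusion. It walks one mobile terminal through the flow shared by the wireless AP of Embodiment three, the wireless AC of Embodiment four and method claims 1 to 7: registration-state lookup at the management server, IP allocation by the AC, the first authorization policy (authentication webpage only) and its redirect, webpage authentication of an LDAP domain account through the RADIUS server, the second authorization policy (registration webpage), issuance of the configuration file and digital certificate, the CoA that triggers reclamation of the registration-phase address, and finally EAP-TLS with the controlled port opened only on success. The URLs, the MAC-style terminal identifier, the credential store, the string stand-ins for the certificate and for EAP-TLS verification, and the clearing of the per-IP policy when an address is reclaimed are assumptions of the example, not statements of the patent.

```python
"""Simulation of the registration-then-EAP-TLS onboarding flow (added example)."""
from typing import Dict, List

# Constructed test data: the page names no URLs, identifier format or credential
# store, so the values below are assumptions for the simulation only.
AUTH_PAGE = "https://portal.example.corp/auth"
REG_PAGE = "https://mgmt.example.corp/register"
LDAP_ACCOUNTS = {"alice": "correct horse battery staple"}


class ManagementServer:
    """Keeps the registration state per terminal identifier (assumed: MAC address)."""
    def __init__(self) -> None:
        self.state: Dict[str, str] = {}

    def query(self, terminal_id: str) -> str:
        return self.state.get(terminal_id, "unregistered")

    def register(self, terminal_id: str) -> Dict[str, str]:
        # Registration through the registration webpage: issue the configuration
        # file and the device certificate, then update the state to registered.
        self.state[terminal_id] = "registered"
        return {"config": f"ssid=corp;eap=EAP-TLS;id={terminal_id}", "cert": f"CERT({terminal_id})"}


class RadiusServer:
    def web_auth(self, username: str, password: str) -> bool:
        return LDAP_ACCOUNTS.get(username) == password  # Portal -> RADIUS -> LDAP, simplified

    def eap_tls(self, terminal_id: str, cert: str) -> bool:
        return cert == f"CERT({terminal_id})"  # stand-in for TLS client-certificate checking


class AccessController:
    """AC: allocates and reclaims IP addresses and performs the HTTP redirects."""
    def __init__(self, pool: List[str]) -> None:
        self.free, self.leases = list(pool), {}

    def allocate(self, terminal_id: str) -> str:
        self.leases[terminal_id] = ip = self.free.pop(0)
        return ip

    def on_coa(self, terminal_id: str) -> str:
        # CoA from RADIUS after the state became registered: reclaim the address;
        # the terminal must re-send its access request and will be steered to EAP-TLS.
        ip = self.leases.pop(terminal_id)
        self.free.append(ip)
        return ip

    def redirect(self, target: str) -> str:
        return f"302 {target}"


class AccessPoint:
    """AP: per-IP authorization policy, redirect requests, 802.1X controlled port."""
    def __init__(self, ac: AccessController, mgmt: ManagementServer) -> None:
        self.ac, self.mgmt = ac, mgmt
        self.policy: Dict[str, str] = {}  # ip -> "first" | "second"
        self.controlled_port: Dict[str, bool] = {}

    def access_request(self, terminal_id: str) -> Dict[str, str]:
        if self.mgmt.query(terminal_id) == "registered":
            return {"auth_algorithm": "EAP-TLS"}  # response message for a registered terminal
        ip = self.ac.allocate(terminal_id)
        self.policy[ip] = "first"  # first authorization policy: authentication page only
        return {"ip": ip}

    def web_request(self, ip: str) -> str:
        policy = self.policy.get(ip)
        if policy == "first":
            return self.ac.redirect(AUTH_PAGE)
        if policy == "second":
            return self.ac.redirect(REG_PAGE)
        return "403 no authorization policy for this address"

    def web_auth_result(self, ip: str, passed: bool) -> bool:
        if passed:
            self.policy[ip] = "second"  # second authorization policy: registration page
        return passed

    def eap_tls_result(self, terminal_id: str, success: bool) -> bool:
        self.controlled_port[terminal_id] = success  # service data only after success
        return success


def onboard(terminal_id: str, username: str, password: str, ap: AccessPoint,
            ac: AccessController, mgmt: ManagementServer, radius: RadiusServer) -> List[str]:
    trace: List[str] = []  # the observable steps of one terminal's onboarding
    ip = ap.access_request(terminal_id)["ip"]
    trace.append(ap.web_request(ip))  # first policy: redirected to the authentication page
    if not ap.web_auth_result(ip, radius.web_auth(username, password)):
        trace.append("web auth failed")
        return trace
    trace.append(ap.web_request(ip))  # second policy: redirected to the registration page
    bundle = mgmt.register(terminal_id)  # config + cert travel mgmt -> AC -> AP -> terminal
    # Assumption: the per-IP policy is dropped together with the reclaimed address so
    # that a reused address cannot inherit the previous terminal's authorization.
    ap.policy.pop(ac.on_coa(terminal_id), None)
    trace.append("CoA: IP reclaimed")
    trace.append(ap.access_request(terminal_id)["auth_algorithm"])
    ok = ap.eap_tls_result(terminal_id, radius.eap_tls(terminal_id, bundle["cert"]))
    trace.append("controlled port open" if ok else "controlled port closed")
    return trace
```

Two properties worth checking in any real implementation are visible in the trace returned by `onboard`: a terminal whose webpage authentication fails never leaves the first authorization policy, so it can reach nothing but the Portal page, and the controlled port stays closed unless the RADIUS server accepts the certificate issued to that specific terminal identifier. The CoA step matters because the registration-phase IP address carries captive-portal authorization; reclaiming it, together with its policy, before the terminal re-associates under EAP-TLS closes the window in which the same address could be reused with stale authorization.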
Where singular and/or plural terms are used in this application, a person skilled in the art may convert the plural into the singular and/or the singular into the plural where this is reasonable in the context and/or the practical application. For clarity, the various permutations and combinations of singular and/or plural forms are not described one by one in this application.
A person of ordinary skill in the art will appreciate that the various aspects of the present invention, or possible implementations thereof, may be embodied as a system, a method or a computer program product. Accordingly, the aspects of the present invention, or possible implementations thereof, may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software and the like), or an embodiment combining software and hardware aspects, all of which are referred to herein as a "circuit", a "module" or a "system". Furthermore, the aspects of the present invention, or possible implementations thereof, may take the form of a computer program product, that is, computer-readable program code stored on a computer-readable medium.
A computer-readable medium may be a computer-readable signal medium or a computer-readable storage medium. A computer-readable storage medium includes, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any suitable combination of the foregoing, such as a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fibre or a portable compact disc read-only memory (CD-ROM).
A processor in a computer reads the computer-readable program code stored on the computer-readable medium, so that the processor can perform the functional actions specified in each step, or combination of steps, of the flowcharts, and produces an apparatus that implements the functional actions specified in each block, or combination of blocks, of the block diagrams.
The computer-readable program code may execute entirely on the user's local computer, partly on the user's local computer as a stand-alone software package, partly on the user's local computer and partly on a remote computer, or entirely on a remote computer or server. It should also be noted that, in some alternative embodiments, the functions indicated in each step of the flowcharts or each block of the block diagrams may occur out of the order indicated in the figures. For example, depending on the functions involved, two steps or two blocks shown in succession may in fact be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order.
Obviously, a person skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. If these changes and modifications fall within the scope of the claims of the present invention and their equivalents, the present invention is intended to cover them as well.

Claims (15)

1. An access control method, characterized by comprising:
receiving, by a network access device, an access request message sent by a mobile terminal, where the access request message requests access to the wireless network of an enterprise and carries an identifier of the mobile terminal, the identifier uniquely identifying the mobile terminal within the scope of the wireless network of the enterprise;
determining, by the network access device, the registration state corresponding to the identifier of the mobile terminal, where the registration state identifies whether the mobile terminal is registered in the wireless network of the enterprise;
if the network access device determines that the registration state corresponding to the identifier of the mobile terminal is unregistered, setting, by the network access device after allocating an IP address to the mobile terminal, the access control policy corresponding to the IP address to a first authorization policy, where the first authorization policy allows the IP address to access an authentication webpage;
receiving, by the network access device, a web access request message sent by the mobile terminal using the IP address; redirecting, by the network access device according to the first authorization policy corresponding to the IP address, the web access request message to the authentication webpage; and, if the network access device determines that the mobile terminal has been successfully authenticated through the authentication webpage, redirecting it to a registration webpage;
if the network access device determines that the mobile terminal has completed registration in the wireless network of the enterprise through the registration webpage, sending, by the network access device, a configuration file and a digital certificate to the mobile terminal, where the configuration file and the digital certificate are used by the mobile terminal to access the enterprise wireless network using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication.
2. The method according to claim 1, characterized in that the authentication webpage is provided by a Portal server in the wireless network of the enterprise, and the Portal server sends the Lightweight Directory Access Protocol (LDAP) domain account authentication information entered by the mobile terminal on the authentication webpage to a Remote Authentication Dial In User Service (RADIUS) server for webpage authentication;
and in that, if the network access device determines that the mobile terminal has been successfully authenticated through the authentication webpage, redirecting to the registration webpage comprises:
receiving, by the network access device, the webpage authentication result returned by the RADIUS server;
if the webpage authentication result indicates that the mobile terminal has passed webpage authentication, setting, by the network access device, the access control policy corresponding to the IP address to a second authorization policy, where the second authorization policy allows the IP address to access the registration webpage;
redirecting, by the network access device according to the second authorization policy corresponding to the IP address, the web access request message to the registration webpage.
3. The method according to claim 1 or 2, characterized by further comprising:
if the network access device determines that the registration state corresponding to the identifier of the mobile terminal is registered, sending, by the network access device, a response message to the mobile terminal, where the authentication algorithm field carried in the response message is set to an EAP-TLS authentication indicator, instructing the mobile terminal to access the wireless network of the enterprise using EAP-TLS authentication;
when the network access device determines that the EAP-TLS authentication performed between the mobile terminal and the RADIUS server has succeeded, opening a controlled port for the mobile terminal, where the controlled port carries the service data of the mobile terminal.
4. The method according to claim 2 or 3, characterized in that the determining, by the network access device, of the registration state corresponding to the identifier of the mobile terminal comprises:
obtaining, by the network access device, the identifier of the mobile terminal from the access request message;
querying, according to the identifier of the mobile terminal, a management server in the wireless network of the enterprise for the registration state of the mobile terminal;
receiving the registration state of the mobile terminal in the network returned by the management server.
5. The method according to claim 4, characterized in that the registration webpage is provided by the management server, and
if the network access device determines that the mobile terminal has completed registration in the wireless network of the enterprise through the registration webpage, the sending, by the network access device, of the configuration file and the digital certificate to the mobile terminal comprises:
receiving, by the network access device, the configuration file and the digital certificate sent by the management server, where the management server sends the configuration file and the digital certificate after the mobile terminal has completed registration in the wireless network of the enterprise through the registration webpage; after the management server sends the configuration file and the digital certificate, the registration state of the mobile terminal in the management server is updated to registered;
sending, by the network access device, the configuration file and the digital certificate to the mobile terminal.
6. The method according to claim 5, characterized in that, after the network access device sends the configuration file and the digital certificate to the mobile terminal, the method further comprises:
receiving, by the network access device, a Change of Authorization (CoA) message sent by the RADIUS server and, after receiving the CoA message, instructing the mobile terminal to re-send the access request message, where the CoA message is sent after the registration state of the mobile terminal in the management server has been updated to registered.
7. The method according to claim 6, characterized in that, after the network access device receives the CoA message, the method further comprises:
reclaiming, by the network access device, the IP address.
8. a wireless access points AP, is characterized in that, comprising:
Receiving element, for the access request message that mobile terminal receive sends, described access request message is for asking the wireless network accessing enterprise, described access request message carries the mark of described mobile terminal, and the mark of described mobile terminal is used for identifying described mobile terminal uniquely in the scope of the wireless network of described enterprise;
Judging unit, for judging the login state of the mark correspondence of mobile terminal in the access request message that described receiving element receives, whether described login state is registered in order to identify described mobile terminal in the wireless network of enterprise;
Resource allocation request unit, if judge for described judging unit, the login state of the mark correspondence of described mobile terminal is unregistered, and the wireless access controller AC of wireless aps described in Request Control is described mobile terminal distributing IP address;
Strategy setting unit, for access control policy corresponding for described IP address is set to the first authorization policy, described first authorization policy allows described IP address access registrar webpage;
Described receiving element, also for receiving the web access requests message that described mobile terminal uses described IP address to send;
Redirect request unit, for described first authorization policy arranged according to strategy setting unit, sends the first Forward-reques to described AC, for request, described web access requests message is redirected to certification webpage; And if determine that described mobile terminal is by described certification webpage authentication success, sends the second Forward-reques to described AC, for request described web access requests message is redirected to registration web page;
Described receiving element, also for receiving configuration file from described wireless AC and digital certificate;
Described transmitting element, also for forwarding described configuration file and described digital certificate to described mobile terminal, described configuration file and described digital certificate are used for described mobile terminal accesses described enterprise wireless network by Extensible Authentication Protocol EAP-Transport Layer Security TLS authentication mode.
9. The wireless AP according to claim 8, wherein:
The receiving unit is further configured to receive a web authentication result from a Remote Authentication Dial In User Service (RADIUS) server; the authentication web page is provided by a Portal server in the enterprise wireless network, and the Portal server sends the Lightweight Directory Access Protocol (LDAP) domain account authentication information entered by the mobile terminal on the authentication web page to the RADIUS server for web authentication;
The policy setting unit is further configured to, if the web authentication result indicates that the mobile terminal has passed web authentication, set the access control policy corresponding to the IP address to a second authorization policy, the second authorization policy allowing the IP address to access the registration web page;
The redirect request unit is specifically configured to send, according to the second authorization policy corresponding to the IP address, the first redirect request to the AC, requesting that the web access request message be redirected to the registration web page.
10. The wireless AP according to claim 8 or 9, wherein:
The sending unit is further configured to, if the judging unit determines that the registration state is registered, send a response message to the mobile terminal in which the authentication algorithm field is set to the EAP-TLS authentication identifier, so as to instruct the mobile terminal to access the enterprise wireless network by EAP-TLS authentication;
The wireless AP further comprises:
A port opening unit, configured to open a controlled port for the mobile terminal when the network access device determines that the EAP-TLS authentication between the mobile terminal and the RADIUS server has succeeded, the controlled port being used to carry the service data of the mobile terminal.
11. The wireless AP according to any one of claims 8 to 10, wherein the judging unit comprises:
An obtaining subunit, configured to obtain the identifier of the mobile terminal from the access request message;
A query subunit, configured to query a management server in the enterprise wireless network for the registration state of the mobile terminal, according to the identifier of the mobile terminal obtained by the obtaining subunit;
A receiving subunit, configured to receive the registration state of the mobile terminal in the network returned by the management server.
12. A wireless access controller (AC), comprising:
A receiving unit, configured to receive an access request message sent by a mobile terminal, the access request message requesting access to an enterprise wireless network and carrying an identifier of the mobile terminal, the identifier uniquely identifying the mobile terminal within the scope of the enterprise wireless network;
A judging unit, configured to judge the registration state corresponding to the identifier of the mobile terminal in the access request message received by the receiving unit, the registration state identifying whether the mobile terminal is registered in the enterprise wireless network;
A resource allocation unit, configured to allocate an IP address to the mobile terminal if the judging unit determines that the registration state corresponding to the identifier of the mobile terminal is unregistered;
The receiving unit being further configured to receive a first redirect request sent by a wireless access point (AP) controlled by the AC;
A redirecting unit, configured to redirect, according to the first redirect request, the web access request message that the mobile terminal sends using the IP address to an authentication web page;
The receiving unit being further configured to receive a second redirect request sent by the AP;
The redirecting unit being further configured to redirect the web access request message to a registration web page according to the second redirect request;
The receiving unit being further configured to receive a configuration file and a digital certificate sent by a management server in the enterprise wireless network, the configuration file and the digital certificate being used by the mobile terminal to access the enterprise wireless network by means of Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication; after the management server sends the configuration file and the digital certificate, the registration state of the mobile terminal in the management server is updated to registered;
A sending unit, configured to send the configuration file and the digital certificate to the AP.
13. The wireless AC according to claim 12, wherein the judging unit comprises:
An obtaining subunit, configured to obtain the identifier of the mobile terminal from the access request message;
A query subunit, configured to query a management server in the enterprise wireless network for the registration state of the mobile terminal, according to the identifier of the mobile terminal obtained by the obtaining subunit;
A receiving subunit, configured to receive the registration state of the mobile terminal in the network returned by the management server.
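The decisions spread across claims 8 to 13 (registration-state lookup by device identifier, an IP address bound to a captive access-control policy, LDAP web authentication through the Portal, issue of the EAP-TLS configuration and certificate, and finally the EAP-TLS association that opens the controlled port) read more easily as one state machine. The model below is an added example written for this page, not code from the patent or its applicant. The RADIUS, Portal, management-server and CoA exchanges are collapsed into method calls on one controller object so the ordering of the checks can be exercised in-process; the class names, the two URLs, the LDAP account, the MAC addresses and the address pool are all assumptions or constructed sample data.

```python
"""Reference model of the AP/AC onboarding decisions in claims 8-13.

Added example, not code from the patent or its applicant.  Every network hop
(RADIUS, Portal server, management server, CoA) is reduced to a method call
so that the order of the security decisions is explicit.  Class names, URLs,
accounts and addresses are assumptions / constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, List, Optional


class Policy(Enum):
    AUTH_PAGE_ONLY = auto()     # first authorization policy: Portal auth page only
    REGISTRATION_PAGE = auto()  # second authorization policy: registration page reachable


@dataclass
class DeviceRecord:
    device_id: str                       # e.g. the MAC address, unique in the enterprise WLAN
    registered: bool = False             # registration state kept by the management server
    ip: Optional[str] = None             # address the AC hands to an unregistered device
    policy: Optional[Policy] = None      # access-control policy bound to that address
    web_authenticated: bool = False      # LDAP web authentication passed
    controlled_port_open: bool = False   # controlled port opened after EAP-TLS success


class OnboardingController:
    AUTH_PAGE = "https://portal.corp.example/auth"            # assumed Portal URL
    REGISTRATION_PAGE = "https://mgmt.corp.example/register"  # assumed registration URL

    def __init__(self, ldap_accounts: Dict[str, str], address_pool: List[str]):
        self.ldap_accounts = dict(ldap_accounts)  # stands in for the LDAP domain behind RADIUS
        self.pool = list(address_pool)
        self.devices: Dict[str, DeviceRecord] = {}

    def access_request(self, device_id: str) -> str:
        """Association request (claims 10, 12): branch on the registration state."""
        dev = self.devices.setdefault(device_id, DeviceRecord(device_id))
        if dev.registered:
            return "EAP-TLS"         # response carries the EAP-TLS authentication identifier
        if dev.ip is None:
            if not self.pool:
                raise RuntimeError("address pool exhausted")
            dev.ip = self.pool.pop(0)
        dev.policy = Policy.AUTH_PAGE_ONLY
        return "WEB-AUTH"

    def web_request(self, device_id: str, url: str) -> str:
        """HTTP request from the device's IP: the AC redirects according to the policy."""
        dev = self.devices[device_id]
        if dev.policy is Policy.REGISTRATION_PAGE:
            return self.REGISTRATION_PAGE   # second redirect request
        return self.AUTH_PAGE               # first redirect request, whatever url was

    def portal_login(self, device_id: str, user: str, password: str) -> bool:
        """Portal hands the LDAP account to RADIUS; the AP raises the policy on success."""
        dev = self.devices[device_id]
        ok = self.ldap_accounts.get(user) == password
        if ok and dev.policy is Policy.AUTH_PAGE_ONLY:
            dev.web_authenticated = True
            dev.policy = Policy.REGISTRATION_PAGE
        return ok

    def register(self, device_id: str) -> bool:
        """Management server issues config + certificate, then marks the device registered."""
        dev = self.devices[device_id]
        if not dev.web_authenticated:
            return False    # registration page is unreachable before web authentication
        dev.registered = True
        return True

    def coa_received(self, device_id: str) -> None:
        """CoA after registration: reclaim the IP; the device must re-associate."""
        dev = self.devices[device_id]
        if dev.ip is not None:
            self.pool.append(dev.ip)
        dev.ip, dev.policy = None, None

    def eap_tls_result(self, device_id: str, radius_success: bool) -> bool:
        """The AP opens the controlled port only on an EAP-TLS success reported by RADIUS."""
        dev = self.devices[device_id]
        dev.controlled_port_open = dev.registered and radius_success
        return dev.controlled_port_open


def onboard(ctrl: OnboardingController, device_id: str, user: str, password: str) -> List[str]:
    """Walk one device through the whole flow and return the trace of decisions."""
    trace = [ctrl.access_request(device_id)]
    trace.append(ctrl.web_request(device_id, "http://intranet.corp.example/"))
    if not ctrl.portal_login(device_id, user, password):
        trace.append("LOGIN-FAILED")
        return trace
    trace.append(ctrl.web_request(device_id, "http://intranet.corp.example/"))
    trace.append("REGISTERED" if ctrl.register(device_id) else "REGISTER-DENIED")
    ctrl.coa_received(device_id)
    trace.append(ctrl.access_request(device_id))
    trace.append("PORT-OPEN" if ctrl.eap_tls_result(device_id, True) else "PORT-CLOSED")
    return trace
```

The two checks worth keeping in mind when reading the claims are visible in the model: the registration page, where the certificate is issued, is only reachable after the LDAP web authentication has succeeded, and the registration state keyed by the device identifier is not itself a credential: a device presenting a registered MAC is merely steered to EAP-TLS, and the controlled port stays closed unless RADIUS reports that the EAP-TLS handshake succeeded.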
14. The wireless AC according to claim 12, wherein:
The receiving unit is further configured to receive a Change of Authorization (CoA) message sent by the Remote Authentication Dial In User Service (RADIUS) server and, after receiving the CoA message, to instruct the mobile terminal to resend the access request message; the CoA message is sent after the registration state of the mobile terminal in the management server has been updated to registered.
15. The wireless AC according to claim 14, further comprising:
A resource reclaiming unit, configured to reclaim the IP address after the receiving unit has received the CoA message.
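Claims 14 and 15 make the AC act on a RADIUS CoA message by reclaiming the client's address and forcing it to re-associate, so the AC has to be sure the CoA came from the RADIUS server and not from anyone on the path who would like to bounce clients. The code below is an added example written for this page, not code from the patent or its applicant: it builds a CoA-Request, verifies the Request Authenticator the way RFC 5176 specifies (MD5 over the header, sixteen zero octets, the attributes and the shared secret, as inherited from RFC 2866), answers with CoA-ACK or CoA-NAK, and drops anything that fails the check. The shared secret, MAC and addresses are constructed sample values; handle_coa is an assumed AC-side hook, not an interface from the patent.

```python
"""RFC 5176 Change-of-Authorization (CoA) request: build, verify and answer.

Added example, not code from the patent or its applicant.  The Request
Authenticator is MD5(Code + Identifier + Length + 16 zero octets + attributes
+ shared secret); a packet that does not verify is silently discarded.  MD5 is
what the RFC prescribes, not a choice made here.  Secret, MAC and addresses are
constructed sample values; handle_coa is an assumed AC-side hook.
"""
import hashlib
import hmac
import socket
import struct
from typing import Dict, List, Optional, Tuple

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_FRAMED_IP_ADDRESS = 8        # RFC 2865: the address the AC allocated
ATTR_CALLING_STATION_ID = 31      # RFC 2865: carries the client MAC here
ATTR_ERROR_CAUSE = 101            # RFC 5176
ERR_SESSION_CONTEXT_NOT_FOUND = 503

Attrs = List[Tuple[int, bytes]]


def encode_attrs(attrs: Attrs) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(payload: bytes) -> Attrs:
    """Strict TLV decoder: a length that does not fit the payload is an error."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!BB", payload, i)
        if length < 2 or i + length > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, payload[i + 2:i + length]))
        i += length
    return attrs


def build_coa_request(identifier: int, attrs: Attrs, secret: bytes) -> bytes:
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_coa_request(packet: bytes, secret: bytes) -> Optional[Attrs]:
    """Return the attributes if the Request Authenticator verifies, else None."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack_from("!BBH", packet, 0)
    if code != COA_REQUEST or length != len(packet):
        return None
    header, received, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(received, expected):
        return None
    try:
        return decode_attrs(body)
    except ValueError:
        return None


def build_coa_response(code: int, request: bytes, attrs: Attrs, secret: bytes) -> bytes:
    """CoA-ACK/NAK: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_coa_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """RADIUS-side check of an ACK/NAK against the request it answers."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack_from("!H", response, 2)[0] != len(response):
        return False
    header, received, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return hmac.compare_digest(received, expected)


def handle_coa(packet: bytes, secret: bytes, sessions: Dict[str, str]) -> Optional[bytes]:
    """AC-side hook (assumed): reclaim the session's IP and ACK; NAK if unknown; drop if forged.

    sessions maps client MAC -> allocated IP and loses the entry once reclaimed,
    so a replayed CoA is answered with a NAK instead of acting a second time.
    """
    attrs = verify_coa_request(packet, secret)
    if attrs is None:
        return None                                  # RFC 5176: silently discard
    wanted = dict(attrs)
    mac = wanted.get(ATTR_CALLING_STATION_ID, b"").decode("ascii", "replace")
    ip = wanted.get(ATTR_FRAMED_IP_ADDRESS, b"")
    if sessions.get(mac) and socket.inet_aton(sessions[mac]) == ip:
        del sessions[mac]                            # the resource reclaiming unit of claim 15
        return build_coa_response(COA_ACK, packet, [], secret)
    cause = struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND)
    return build_coa_response(COA_NAK, packet, [(ATTR_ERROR_CAUSE, cause)], secret)
```

The authenticator only proves that whoever built the packet knew the shared secret; it does not by itself stop a captured CoA from being replayed later, which is why handle_coa also requires a live session matching both the MAC and the allocated address before it reclaims anything.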
Application CN201410003686.XA (priority date 2014-01-03, filing date 2014-01-03): Access control method and equipment; status Active; granted as CN104767715B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201410003686.XA CN104767715B (en) 2014-01-03 2014-01-03 Access control method and equipment
PCT/CN2014/092788 WO2015101125A1 (en) 2014-01-03 2014-12-02 Network access control method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410003686.XA CN104767715B (en) 2014-01-03 2014-01-03 Access control method and equipment

Publications (2)

Publication Number Publication Date
CN104767715A true CN104767715A (en) 2015-07-08
CN104767715B CN104767715B (en) 2018-06-26

Family

ID=53493160

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410003686.XA Active CN104767715B (en) 2014-01-03 2014-01-03 Access control method and equipment

Country Status (2)

Country Link
CN (1) CN104767715B (en)
WO (1) WO2015101125A1 (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105848279A (en) * 2016-03-18 2016-08-10 深圳市万普拉斯科技有限公司 Data transmission method and related device
CN106535176A (en) * 2015-09-14 2017-03-22 华为技术有限公司 Network access method and device
CN107026918A (en) * 2016-01-29 2017-08-08 中国移动通信集团广东有限公司 Web authentication charging method and system based on DHCP
CN108009165A (en) * 2016-10-31 2018-05-08 北京乐知行软件有限公司 A kind of Webpage access control method and device
CN108881103A (en) * 2017-05-08 2018-11-23 腾讯科技(深圳)有限公司 A kind of method and device accessing network
CN108933794A (en) * 2018-08-22 2018-12-04 广州视源电子科技股份有限公司 A kind of method, apparatus, equipment and server that business strategy is added
CN110087238A (en) * 2019-05-13 2019-08-02 商洛学院 A kind of information safety of mobile electronic equipment protection system
CN110505357A (en) * 2019-09-06 2019-11-26 上海航天测控通信研究所 A kind of management method of aerospace VOIP voice terminal
CN112449440A (en) * 2019-08-29 2021-03-05 深圳市优克联新技术有限公司 Method and device for controlling wireless resources, electronic equipment and storage medium
WO2022007510A1 (en) * 2020-07-06 2022-01-13 西安西电捷通无线网络通信股份有限公司 Digital certificate obtaining method and apparatus
CN114143780A (en) * 2017-05-11 2022-03-04 柏思科技有限公司 Method and apparatus for processing data packets originating at a mobile computing device and destined for a destination at a wireless network node
CN114978583A (en) * 2018-03-05 2022-08-30 上海可鲁系统软件有限公司 Intelligent virtual private network system for industrial Internet of things
CN115022980A (en) * 2022-06-07 2022-09-06 夏文祥 Method and device for randomly accessing terminal to network
CN117097573A (en) * 2023-10-19 2023-11-21 深圳竹云科技股份有限公司 Firewall dynamic access control method and device under zero-trust security system

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106713388B (en) * 2015-11-13 2021-03-30 创新先进技术有限公司 Burst service processing method and device
CN105978933B (en) * 2016-04-25 2019-09-17 青岛海信电器股份有限公司 A kind of web-page requests and response method, terminal, server and system
CN106411878B (en) * 2016-09-23 2020-02-14 杭州华为数字技术有限公司 Method, device and system for making access control strategy
CN110971714B (en) * 2018-09-28 2023-10-27 贵州白山云科技股份有限公司 Enterprise exit access request processing method, device and system
CN112118575B (en) * 2020-09-25 2022-06-28 国网江苏省电力有限公司 Wireless equipment authentication method and system
CN114338177B (en) * 2021-12-30 2023-07-21 天翼物联科技有限公司 Directional access control method and system for Internet of things
CN114915612B (en) * 2022-04-22 2024-03-15 绿盟科技集团股份有限公司 Host access method, host to be accessed and DHCP server

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101026582A (en) * 2007-03-06 2007-08-29 中兴通讯股份有限公司 Network access control method and system
CN101094061A (en) * 2006-06-24 2007-12-26 华为技术有限公司 Access method for authorizing and authenticating digital gateway system, devices, and network terminal devices
CN101582769A (en) * 2009-07-03 2009-11-18 杭州华三通信技术有限公司 Authority setting method of user access network and equipment
CN102647432A (en) * 2012-05-17 2012-08-22 湖南神州祥网科技有限公司 Authentication information transmission method, device and authentication middleware
CN102905248A (en) * 2011-07-29 2013-01-30 米特尔网络公司 System for dynamic assignment of mobile subscriber identities and method thereof
CN103079201A (en) * 2011-10-26 2013-05-01 中兴通讯股份有限公司 Fast authentication method, access controller (AC) and system for wireless local area network
WO2013151639A1 (en) * 2012-04-04 2013-10-10 Aruba Networks, Inc. System and method for provisioning a unique device credential
US8578443B2 (en) * 2011-06-01 2013-11-05 Mobileasap, Inc. Real-time mobile application management
CN103475751A (en) * 2013-09-18 2013-12-25 杭州华三通信技术有限公司 Method and device for IP address switch
US20140006347A1 (en) * 2011-10-11 2014-01-02 Zenprise, Inc. Secure container for protecting enterprise data on a mobile device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101631331B (en) * 2009-08-10 2012-11-21 华为技术有限公司 Terminal management method and terminal management device
US8713589B2 (en) * 2010-12-23 2014-04-29 Microsoft Corporation Registration and network access control
US9571482B2 (en) * 2011-07-21 2017-02-14 Intel Corporation Secure on-line sign-up and provisioning for Wi-Fi hotspots using a device management protocol

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20211223
Address after: 450046 Floor 9, building 1, Zhengshang Boya Plaza, Longzihu wisdom Island, Zhengdong New Area, Zhengzhou City, Henan Province
Patentee after: Super fusion Digital Technology Co.,Ltd.
Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen
Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.