CN108243418A - Method and system for smooth switching of mobile terminal network access - Google Patents


Info

Publication number
CN108243418A
Authority
CN
China
Prior art keywords
mobile terminal
terminal device
device information
list
added
Legal status
Pending
Application number
CN201611209516.2A
Other languages
Chinese (zh)
Inventor
廖黄河
王志海
夏元松
喻波
张静
Current Assignee
Beijing Wondersoft Technology Co Ltd
Original Assignee
Beijing Wondersoft Technology Co Ltd
Priority date
2016-12-23
Filing date
2016-12-23
Publication date
2018-07-03
Application filed by Beijing Wondersoft Technology Co Ltd
Priority to CN201611209516.2A
Publication of CN108243418A
Legal status: Pending

Classifications

    • H04W Wireless communication networks (H Electricity; H04 Electric communication technique)
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H04W 36/00 Hand-off or reselection arrangements
    • H04W 36/0005 Control or signalling for completing the hand-off
    • H04W 36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W 36/0033 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
    • H04W 36/0038 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of security context information
    • H04W 36/16 Performing reselection for specific purposes

Abstract

The invention discloses a method and system for the smooth switching of a mobile terminal's network access. The system comprises a mobile terminal, a mobile device management (MDM) system, a network access control (NAC) system and an application server. The MDM system receives the access request, handover request and device authentication request initiated by the mobile terminal; it authenticates the mobile terminal device information and sends the authentication result, together with the access request and handover request, to the NAC system. The NAC system controls the access request and handover request according to the received authentication result, its black/white lists and its list-management policy. With this scheme the user's habits are not changed, the load on the access control system is reduced and its stability improves.

Description

Method and system for smooth switching of mobile terminal network access
Technical field
The present invention relates to the field of data security, and in particular to a method and system for smooth switching of mobile terminal network access.
Background
Mobile terminals, in particular smartphones and tablets, are growing explosively, and with them all kinds of mobile-network security problems. In certain network environments access by terminals must be controlled so that only authorized terminals connect and reach application resources. In practice the point at which a mobile terminal attaches to the network varies, so its IP address changes; when that happens a terminal that is accessing an application suffers packet loss or a brief period in which the application is unreachable, which disrupts normal business use.
Existing access control systems can smooth an IP switch only by buffering large numbers of packets in a queue. With many terminals connected this requires a very large cache, and traffic from non-compliant terminals must be queued as well, which increases system load and instability.
Figure 1 shows the processing flow of a conventional access control gateway.
When a terminal connects through the access control gateway it must first pass MDM authentication. If authentication succeeds the terminal is allowed to access application resources; if it fails, access is denied.
In practice a mobile terminal changes location, which causes its IP address to switch; the new IP must be re-authenticated before the terminal can continue to access application resources.
The prior art has the following disadvantage:
the IP switch cannot be made smoothly, so data is lost.
Summary of the invention
Starting from actual requirements and applications, the present invention designs a complete smoothing scheme for the network access control of a mobile terminal when its IP address is switched, so that a mobile terminal whose IP address changes as it moves is not interrupted and does not lose data.
To solve the above technical problem, the present invention provides a method for smooth switching of mobile terminal network access, comprising the following steps:
1) when the mobile terminal accesses the network or switches its network IP address, obtaining the mobile terminal device information and initiating a mobile terminal device authentication request;
2) querying whether the mobile terminal device information is in the white list; if so, allowing the mobile terminal to access the application resource, otherwise performing step 3);
3) querying whether the mobile terminal device information is in the gray list; if so, allowing the mobile terminal to access the application resource, otherwise performing step 4);
4) querying whether the mobile terminal device information is in the black list; if so, deciding whether to allow the mobile terminal to access the application resource according to the result of the mobile terminal device authentication request, otherwise performing step 5);
5) adding the mobile terminal device information to the gray list.
Preferably, in steps 2) to 4) the mobile terminal is allowed to access the application resource only after the mobile terminal device authentication request has passed.
Preferably, in step 3), if the mobile terminal device information is in the gray list and passes the device authentication request, the mobile terminal device information is added to the white list and deleted from the gray list and the black list;
if it does not pass the device authentication request, the mobile terminal device information is added to the black list and deleted from the white list and the gray list.
Preferably, in step 4), if the mobile terminal device information is in the black list and passes the device authentication request, the mobile terminal device information is added to the white list and deleted from the gray list and the black list, and the mobile terminal is allowed to access the application resource;
if it does not pass the device authentication request, the mobile terminal device information is added to the black list and deleted from the white list and the gray list, and the mobile terminal is prevented from accessing the application resource.
Preferably, after step 5) has added the mobile terminal device information to the gray list, it is judged whether the mobile terminal device information passes the device authentication request; if so, the mobile terminal device information is added to the white list, the mobile terminal is allowed to access the application resource, and the mobile terminal device information is deleted from the gray list and the black list;
if it does not pass the device authentication request, the mobile terminal device information is added to the black list and deleted from the white list and the gray list.
Preferably, when the mobile terminal newly accesses the network, the mobile terminal device information comprises the mobile terminal device ID and the mobile terminal IP address.
Preferably, when the mobile terminal switches its network IP address, the mobile terminal device information comprises the mobile terminal device ID, the old mobile terminal IP address before the switch and the new mobile terminal IP address after the switch.
Preferably, when the mobile terminal switches its network IP address and the mobile terminal device information is in the white list, then when the device authentication passes, the new mobile terminal IP address is added to the white list and the old mobile terminal IP address corresponding to the mobile terminal device ID is deleted from the white list.
Preferably, when the mobile terminal switches its network IP address, adding the mobile terminal device information to the white list in step 4) specifically comprises adding the new mobile terminal IP address to the white list and deleting the old mobile terminal IP address from the gray list and the black list.
Preferably, when the mobile terminal switches its network IP address, adding the mobile terminal device information to the black list in step 5) specifically comprises adding the new mobile terminal IP address to the black list and deleting the old mobile terminal IP address from the white list and the gray list.
To solve the above technical problem, the present invention also provides a system for smooth switching of mobile terminal network access, comprising a mobile terminal, a mobile device management (MDM) system, a network access control (NAC) system and an application server;
the MDM system receives the mobile terminal access request, mobile terminal handover request and mobile terminal device authentication request initiated by the mobile terminal;
the MDM system authenticates the mobile terminal device information and sends the authentication result, together with the mobile terminal access request and mobile terminal handover request, to the NAC system;
the NAC system stores black/white lists, which comprise a black list, a white list and a gray list;
the NAC system controls the mobile terminal access request and mobile terminal handover request according to the received authentication result, the black/white lists and the black/white list management policy:
it queries whether the mobile terminal device information is in the white list and, if so, allows the mobile terminal to access the application server; otherwise it queries whether the mobile terminal device information is in the gray list and, if so, allows the mobile terminal to access the application server; otherwise it queries whether the mobile terminal device information is in the black list and, if so, decides according to the result of the mobile terminal device authentication request whether to allow the mobile terminal to access the application server; otherwise it adds the mobile terminal device information to the gray list.
The technical scheme of the present invention achieves the following effects:
(1) the user does not need to modify any MDM program;
(2) the user's habits are not changed;
(3) the load on the access control system is reduced and its stability improves.
Description of the drawings
Fig. 1 is a flow chart of terminal access in the prior art.
Fig. 2 is a flow chart of first-time terminal access according to the present invention.
Fig. 3 is a flow chart of terminal switching according to the present invention.
Fig. 4 is a block diagram of the system of the present invention.
Detailed description
Glossary:
NAC: Network Access Control, a system for admitting and controlling mobile terminals.
MDM: Mobile Device Management, mainly the management of smartphones and tablets.
The flow for a terminal's first access to the NAC is shown in Figure 2:
First access:
1) The mobile terminal sends a packet to the NAC. The NAC first queries whether this terminal identifier and IP are in the white list. If they are and MDM authentication succeeds, the terminal is allowed to access the application; if MDM authentication fails, the new IP and terminal identifier are added to the black list and deleted from the white list, and the terminal's access is blocked.
2) If the terminal IP and identifier are not in the NAC white list, the NAC queries whether the same terminal IP and identifier are in the gray list. If they are and MDM authentication succeeds, the terminal IP and identifier are added to the white list and deleted from the gray list and the black list (the black list is cleared as well so that terminal information is unique across all tables), and the terminal is allowed to access the application. If authentication fails, they are added to the black list and deleted from the gray list and the white list (the white list is cleared here to keep the terminal IP and identifier unique), and the terminal's access to the application is blocked.
3) If neither the gray list nor the white list in the NAC contains them, the black list is queried. If the terminal authenticates successfully, it is added to the white list and deleted from the black list and the gray list, and allowed to access the application; if authentication fails or times out, the terminal's access to the application is blocked.
4) If none of the NAC's black, white or gray lists contains the terminal IP and identifier, the terminal IP is added to the NAC gray list and the terminal is allowed to access the application. If no MDM authentication result is received before the timeout, the terminal IP and identifier are added to the black list and access is blocked. If MDM authentication succeeds, the terminal is allowed to access the application, the terminal identifier and IP are added to the white list and the terminal's gray-list entry is deleted. If MDM authentication fails, the terminal information is added to the black list, the gray-list entry is deleted and access is blocked.
The flow for a terminal IP switch is shown in Figure 3:
1) When the terminal IP switches, the NAC queries whether the white list contains the terminal identifier and the post-switch IP (the new IP; the former IP becomes the old IP). If the white list contains matching information and MDM authentication succeeds, the terminal is allowed to access the application and the old IP is deleted from the white list. If MDM authentication fails, the new IP and terminal identifier are added to the black list and the terminal's access is blocked.
2) If the new IP is not in the NAC white list after the switch, the NAC queries whether the gray list contains the terminal information. If it does and MDM authentication succeeds, the terminal is allowed to access the application, and the terminal IP and identifier are added to the white list and deleted from the gray list and the black list. If authentication fails, the terminal information is added to the black list and deleted from the gray list, and the terminal's access to the application is blocked.
3) If the new IP is in the NAC black list after the switch and the terminal authenticates successfully, it is added to the white list and deleted from the black list and the gray list, and the terminal is allowed to access the application; if authentication fails or times out, access is blocked.
4) If the new IP is in none of the black, white or gray lists, it is added to the gray list and the terminal is allowed to access the application. If no MDM authentication result is received before the timeout, the new IP and terminal identifier are added to the black list and deleted from the gray list, and access is blocked. If MDM authentication succeeds, the terminal is allowed to access the application, the terminal identifier and new IP are added to the white list, and the new-IP entry in the gray list and the old IP in the original white list are deleted. If MDM authentication fails, the new IP is added to the black list, the gray-list entry is deleted and access is blocked.
The invention also discloses a system, shown in Figure 4. The system comprises a mobile terminal (MDM client), an MDM server, a NAC server and an application server. The application server provides the application resources accessed by the mobile terminal. The NAC server receives the MDM authentication results sent by the MDM server and contains a network control module, a list management module, a policy management module, a cache management module and a memory management module. The list management module holds the black/white lists, specifically the black list, the white list and the gray list.
In this embodiment the mobile device management (MDM) system receives the mobile terminal access request, mobile terminal handover request and mobile terminal device authentication request initiated by the mobile terminal;
the MDM system authenticates the mobile terminal device information and sends the authentication result, together with the mobile terminal access request and mobile terminal handover request, to the NAC system;
the network access control (NAC) system stores the black/white lists, which comprise the black list, the white list and the gray list;
the NAC system controls the mobile terminal access request and mobile terminal handover request according to the received authentication result, the black/white lists and the black/white list management policy:
it queries whether the mobile terminal device information is in the white list and, if so, allows the mobile terminal to access the application server; otherwise it queries whether the mobile terminal device information is in the gray list and, if so, allows the mobile terminal to access the application server; otherwise it queries whether the mobile terminal device information is in the black list and, if so, decides according to the result of the mobile terminal device authentication request whether to allow the mobile terminal to access the application server; otherwise it adds the mobile terminal device information to the gray list.
The following is the flow when a mobile terminal opens an application in a concrete deployment:
1) When the mobile terminal opens an application, its IP is written into the gray list of the access control system (NAC), and the mobile terminal is allowed to access the application directly.
2) The MDM client on the mobile terminal sends an authentication request to the MDM server.
3) The MDM server authenticates whether the terminal is compliant and sends the authentication result to the NAC.
4) According to the MDM server's authentication result, the access control system continues to allow the terminal to access the application if authentication succeeded, adding the terminal IP and identifier to the white list and deleting them from the gray list and the black list; if authentication failed, it blocks the mobile terminal's access and adds the IP and identifier to the black list.
5) When the mobile terminal moves and switches IP, the access control system performs steps 1 to 4 for the new IP.
6) If the access control system receives no authentication result from the MDM server, the new IP is added to the black list and deleted from the gray list, and the terminal's access is blocked.
7) The user can add white-list entries in the access control system; a mobile terminal is then allowed access directly as long as MDM authentication succeeds, and is blocked directly if authentication fails.
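As an added example (not code from the patent or from the applicant), the following Python models the NAC list logic described in the five method steps of the summary, the first-access and IP-switch flows of Figures 2 and 3, and the walkthrough above. Beyond what the page states it assumes that list entries are (terminal identifier, IP) pairs held in sets, that the MDM verdict arrives as a separate event after the first packet has been seen, and that a missing verdict is reported to the NAC as a TIMEOUT; the class, method and terminal names are hypothetical.

```python
"""NAC white/gray/black list management modelled on the patent's flows.

Added example; list representation, event model and names are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple

Entry = Tuple[str, str]  # (terminal identifier, IP address)

LIST_NAMES = ("white", "gray", "black")  # also the lookup order of steps 2-4


class Verdict(Enum):
    """Outcome of the MDM device-authentication request for one (terminal, IP)."""
    SUCCESS = "success"
    FAILURE = "failure"
    TIMEOUT = "timeout"  # no MDM result before the deadline; the flows block on this


@dataclass
class NacLists:
    """White, gray and black lists of the NAC, keyed by (terminal id, IP).

    Hypothetical data structure: the patent only says the list management
    module holds three lists and keeps each terminal entry unique across them.
    """
    white: Set[Entry] = field(default_factory=set)
    gray: Set[Entry] = field(default_factory=set)
    black: Set[Entry] = field(default_factory=set)

    def lists_containing(self, entry: Entry) -> List[str]:
        return [name for name in LIST_NAMES if entry in getattr(self, name)]

    def is_consistent(self) -> bool:
        """Uniqueness rule of the embodiment: no entry appears in two lists."""
        return not (self.white & self.gray or self.white & self.black
                    or self.gray & self.black)

    def _place(self, entry: Entry, target: str) -> None:
        # Adding an entry to one list always deletes it from the other two.
        for name in LIST_NAMES:
            getattr(self, name).discard(entry)
        getattr(self, target).add(entry)

    def on_packet(self, terminal_id: str, ip: str) -> Tuple[bool, str]:
        """Pre-authentication decision for the first packet from (terminal, ip).

        Lookup order is white, gray, black. A white- or gray-listed pair is
        forwarded at once (claim 1, steps 2-3; claim 2's variant would hold it
        until the verdict), a black-listed pair waits for the MDM verdict, and
        an unknown pair is written to the gray list and forwarded (steps 4-5).
        Returns (forward_now, list_that_decided).
        """
        entry = (terminal_id, ip)
        for name in LIST_NAMES:
            if entry in getattr(self, name):
                return name != "black", name
        self.gray.add(entry)
        return True, "gray"

    def on_mdm_result(self, terminal_id: str, new_ip: str, verdict: Verdict,
                      old_ip: Optional[str] = None) -> bool:
        """Apply the MDM verdict for (terminal, new_ip); returns the final allow/deny.

        old_ip is given on an IP switch. On success the new IP moves to the
        white list and the stale (terminal, old_ip) entry is removed (claims 8
        and 9); on failure or timeout the new IP moves to the black list and
        the old IP is dropped from the white and gray lists (claim 10).
        """
        entry = (terminal_id, new_ip)
        if verdict is Verdict.SUCCESS:
            self._place(entry, "white")
            if old_ip is not None:
                for name in LIST_NAMES:
                    getattr(self, name).discard((terminal_id, old_ip))
            return True
        self._place(entry, "black")
        if old_ip is not None:
            self.white.discard((terminal_id, old_ip))
            self.gray.discard((terminal_id, old_ip))
        return False


def run_scenario() -> Dict[str, object]:
    """Constructed walkthrough: first access, a successful IP switch, then a
    switch on which the MDM server never answers. Returns the decisions and
    the final list contents so they can be inspected or asserted on."""
    nac = NacLists()
    dev = "TERM-0001"  # constructed terminal identifier
    pre1, src1 = nac.on_packet(dev, "10.0.0.5")  # unknown pair -> gray, forwarded
    post1 = nac.on_mdm_result(dev, "10.0.0.5", Verdict.SUCCESS)
    pre2, src2 = nac.on_packet(dev, "10.0.0.9")  # new IP after the terminal moved
    post2 = nac.on_mdm_result(dev, "10.0.0.9", Verdict.SUCCESS, old_ip="10.0.0.5")
    pre3, src3 = nac.on_packet(dev, "10.0.0.12")
    post3 = nac.on_mdm_result(dev, "10.0.0.12", Verdict.TIMEOUT, old_ip="10.0.0.9")
    pre4, src4 = nac.on_packet(dev, "10.0.0.12")  # now black-listed: held for MDM
    return {
        "decisions": [(pre1, src1, post1), (pre2, src2, post2),
                      (pre3, src3, post3), (pre4, src4)],
        "white": set(nac.white), "gray": set(nac.gray), "black": set(nac.black),
        "consistent": nac.is_consistent(),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the module prints the four decisions and the final lists. The scenario makes visible what the flows above imply: a pair that is in no list is forwarded as soon as it is written to the gray list, before the MDM server has answered, so the authentication timeout bounds how long an unauthenticated terminal can reach the application; the stricter variant of claim 2 (allow only after the verdict) would change `on_packet` to hold the gray case as well.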
The foregoing are merely preferred embodiments of the present invention and are not intended to limit its scope. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention falls within the scope of its protection.

Claims (11)

1. A method for smooth switching of mobile terminal network access, comprising the following steps:
1) when the mobile terminal accesses the network or switches its network IP address, obtaining the mobile terminal device information and initiating a mobile terminal device authentication request;
2) querying whether the mobile terminal device information is in a white list; if so, allowing the mobile terminal to access the application resource, otherwise performing step 3);
3) querying whether the mobile terminal device information is in a gray list; if so, allowing the mobile terminal to access the application resource, otherwise performing step 4);
4) querying whether the mobile terminal device information is in a black list; if so, deciding whether to allow the mobile terminal to access the application resource according to the result of the mobile terminal device authentication request, otherwise performing step 5);
5) adding the mobile terminal device information to the gray list.
2. The method according to claim 1, wherein in steps 2) to 4) the mobile terminal is allowed to access the application resource only after the mobile terminal device authentication request has passed.
3. The method according to claim 2, wherein in step 3), if the mobile terminal device information is in the gray list and passes the device authentication request, the mobile terminal device information is added to the white list and deleted from the gray list and the black list;
if it does not pass the device authentication request, the mobile terminal device information is added to the black list and deleted from the white list and the gray list.
4. The method according to claim 2, wherein in step 4), if the mobile terminal device information is in the black list and passes the device authentication request, the mobile terminal device information is added to the white list and deleted from the gray list and the black list, and the mobile terminal is allowed to access the application resource;
if it does not pass the device authentication request, the mobile terminal device information is added to the black list and deleted from the white list and the gray list, and the mobile terminal is prevented from accessing the application resource.
5. The method according to claim 2, wherein after step 5) has added the mobile terminal device information to the gray list, it is judged whether the mobile terminal device information passes the device authentication request; if so, the mobile terminal device information is added to the white list, the mobile terminal is allowed to access the application resource, and the mobile terminal device information is deleted from the gray list and the black list;
if it does not pass the device authentication request, the mobile terminal device information is added to the black list and deleted from the white list and the gray list.
6. The method according to any one of claims 3 to 5, wherein when the mobile terminal newly accesses the network, the mobile terminal device information comprises the mobile terminal device ID and the mobile terminal IP address.
7. The method according to any one of claims 3 to 5, wherein when the mobile terminal switches its network IP address, the mobile terminal device information comprises the mobile terminal device ID, the old mobile terminal IP address before the switch and the new mobile terminal IP address after the switch.
8. The method according to claim 7, wherein when the mobile terminal switches its network IP address and the mobile terminal device information is in the white list, then when the mobile terminal device authentication passes, the new mobile terminal IP address is added to the white list and the old mobile terminal IP address corresponding to the mobile terminal device ID is deleted from the white list.
9. The method according to claim 7, wherein when the mobile terminal switches its network IP address, adding the mobile terminal device information to the white list in step 4) specifically comprises adding the new mobile terminal IP address to the white list and deleting the old mobile terminal IP address from the gray list and the black list.
10. The method according to claim 7, wherein when the mobile terminal switches its network IP address, adding the mobile terminal device information to the black list in step 5) specifically comprises adding the new mobile terminal IP address to the black list and deleting the old mobile terminal IP address from the white list and the gray list.
11. A system for smooth switching of mobile terminal network access, comprising a mobile terminal, a mobile device management (MDM) system, a network access control (NAC) system and an application server;
the MDM system receives the mobile terminal access request, mobile terminal handover request and mobile terminal device authentication request initiated by the mobile terminal;
the MDM system authenticates the mobile terminal device information and sends the authentication result, together with the mobile terminal access request and mobile terminal handover request, to the NAC system;
the NAC system stores black/white lists, which comprise a black list, a white list and a gray list;
the NAC system controls the mobile terminal access request and mobile terminal handover request according to the received authentication result, the black/white lists and the black/white list management policy:
it queries whether the mobile terminal device information is in the white list and, if so, allows the mobile terminal to access the application server; otherwise it queries whether the mobile terminal device information is in the gray list and, if so, allows the mobile terminal to access the application server; otherwise it queries whether the mobile terminal device information is in the black list and, if so, decides according to the result of the mobile terminal device authentication request whether to allow the mobile terminal to access the application server; otherwise it adds the mobile terminal device information to the gray list.
Priority Applications (1)

Application Number: CN201611209516.2A; Priority Date: 2016-12-23; Filing Date: 2016-12-23; Title: Method and system for smooth switching of mobile terminal network access

Publications (1)

Publication Number: CN108243418A (en); Publication Date: 2018-07-03

Family

Family ID: 62704439

Family Applications (1)

Application Number: CN201611209516.2A; Status: Pending; Publication: CN108243418A (en); Priority Date: 2016-12-23; Filing Date: 2016-12-23; Title: Method and system for smooth switching of mobile terminal network access

Country Status (1)

Country Link
CN (1) CN108243418A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101895855A (en) * 2009-05-18 2010-11-24 中国移动通信集团公司 Mobile terminal access method, base station and access system
US20130163583A1 (en) * 2011-12-26 2013-06-27 Jaya MEGHANI Systems and methods for communication setup via reconciliation of internet protocol addresses
CN104506510A (en) * 2014-12-15 2015-04-08 百度在线网络技术(北京)有限公司 Method and device for equipment authentication and authentication service system
CN104994077A (en) * 2015-06-08 2015-10-21 北京奇虎科技有限公司 Wireless local area network access equipment identity marking method and device
CN105939519A (en) * 2015-08-27 2016-09-14 杭州迪普科技有限公司 Authentication method and device


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
孙孺石 et al.: GSM数字移动通信工程 (GSM Digital Mobile Communication Engineering), 人民邮电出版社 (People's Posts and Telecommunications Press), 31 December 1996 *
张永杰: 联通移动接入网络安全技术研究 (Research on security technology for China Unicom mobile access networks), 中国优秀硕士学位论文全文数据库 信息科技辑 (China Master's Theses Full-text Database, Information Science and Technology) *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2018-07-03