CN108243418A - A kind of connection of mobile terminal into network smooth-switching method and system - Google Patents
- Publication number: CN108243418A
- Application number: CN201611209516.2A
- Authority: CN (China)
- Prior art keywords: mobile terminal, terminal device, device information, list, added
- Legal status: Pending
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04W—WIRELESS COMMUNICATION NETWORKS
  - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
    - H04W12/08—Access security
  - H04W36/00—Hand-off or reselection arrangements
    - H04W36/0005—Control or signalling for completing the hand-off
      - H04W36/0011—Control or signalling for completing the hand-off for data sessions of end-to-end connection
        - H04W36/0033—Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
          - H04W36/0038—Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of security context information
    - H04W36/16—Performing reselection for specific purposes
Abstract
The invention discloses a method and system for the smooth switching of a mobile terminal's network connection. The system comprises a mobile terminal, a mobile device management (MDM) system, a network access control (NAC) system and an application server. The MDM system receives the mobile terminal access request, the mobile terminal handover request and the mobile terminal device authentication request initiated by the mobile terminal; it authenticates the mobile terminal device information and sends the authentication result, together with the access request and the handover request, to the NAC system. The NAC system controls the access request and the handover request according to the received authentication result, its black/white lists and its black/white list management policy. With this scheme the user's habits are not changed, the load on the access control system is reduced, and stability is improved.
Description
Technical field
The present invention relates to the field of data security, and in particular to a method and system for smoothly switching a mobile terminal's network connection.
Background technology
At present the number of mobile terminals, especially smartphones and tablet computers, is growing explosively, and with it the variety of mobile network security problems. In some specific network environments, terminal access must be controlled so that only authorized terminals can connect and reach application resources. In actual use the location at which a mobile terminal attaches to the network varies, so the terminal's IP address changes; when the terminal is accessing an application, such a change causes packet loss or makes the application briefly unreachable, which disrupts normal business use.
With existing access control systems, an IP switch can only be handled smoothly by means of a large packet buffer queue. The cost of this approach is that, when a large number of terminals connect, a very large buffer space must be reserved, and data from non-compliant terminals must also be queued, which increases the load and instability of the system.
Figure 1 shows the processing flow of a conventional access control gateway.
When a terminal connects through the access control gateway it must first pass MDM authentication. If authentication succeeds, the terminal is allowed to access application resources; if it fails, access is not allowed.
In practice a mobile terminal changes location, which causes its IP to switch; the new IP must be re-authenticated before access to application resources can continue.
The prior art has the following disadvantage: the IP switching process cannot be carried out smoothly, which causes data loss.
Invention content
Starting from actual requirements and applications, the present invention designs a complete scheme for smoothly handling IP switching in mobile terminal network access control, so that a mobile terminal whose IP address changes when it moves does not suffer data loss.
To solve the above technical problem, the present invention provides a method for smoothly switching a mobile terminal's network connection, comprising the following steps:
1) when the mobile terminal connects to the network or switches its network IP address, obtain the mobile terminal device information and initiate a mobile terminal device authentication request;
2) query whether the mobile terminal device information is in the white list; if so, allow the mobile terminal to access the application resource, otherwise perform step 3);
3) query whether the mobile terminal device information is in the gray list; if so, allow the mobile terminal to access the application resource, otherwise perform step 4);
4) query whether the mobile terminal device information is in the blacklist; if so, decide whether to allow the mobile terminal to access the application resource according to the result of the mobile terminal device authentication request, otherwise perform step 5);
5) add the mobile terminal device information to the gray list.
Preferably, in steps 2) to 4), the mobile terminal is allowed to access the application resource only after the mobile terminal device authentication request has passed.
Preferably, in step 3), if the mobile terminal device information is in the gray list and the device authentication request passes, the mobile terminal device information is added to the white list and deleted from the gray list and the blacklist; if the device authentication request fails, the mobile terminal device information is added to the blacklist and deleted from the white list and the gray list.
Preferably, in step 4), if the mobile terminal device information is in the blacklist and the device authentication request passes, the mobile terminal device information is added to the white list and deleted from the gray list and the blacklist, and the mobile terminal is allowed to access the application resource; if the device authentication request fails, the mobile terminal device information is added to the blacklist and deleted from the white list and the gray list, and the mobile terminal is prevented from accessing the application resource.
Preferably, after step 5) has added the mobile terminal device information to the gray list, it is judged whether the mobile terminal device information passes the device authentication request; if so, the mobile terminal device information is added to the white list, the mobile terminal is allowed to access the application resource, and the mobile terminal device information is deleted from the gray list and the blacklist; if not, the mobile terminal device information is added to the blacklist and deleted from the white list and the gray list.
Preferably, when the mobile terminal newly connects to the network, the mobile terminal device information comprises the mobile terminal device ID and the mobile terminal IP address.
Preferably, when the mobile terminal switches its network IP address, the mobile terminal device information comprises the mobile terminal device ID, the old mobile terminal IP address before the switch and the new mobile terminal IP address after the switch.
Preferably, when the mobile terminal switches its network IP address and the mobile terminal device information is in the white list, then when the mobile terminal device authentication passes, the new mobile terminal IP address is added to the white list and the old mobile terminal IP address corresponding to the mobile terminal device ID is deleted from the white list.
Preferably, when the mobile terminal switches its network IP address, adding the mobile terminal device information to the white list in step 4) specifically comprises: adding the new mobile terminal IP address to the white list, and deleting the old mobile terminal IP address from the gray list and the blacklist.
Preferably, when the mobile terminal switches its network IP address, adding the mobile terminal device information to the blacklist in step 5) specifically comprises: adding the new mobile terminal IP address to the blacklist, and deleting the old mobile terminal IP address from the white list and the gray list.
To solve the above technical problem, the present invention also provides a system for smoothly switching a mobile terminal's network connection. The system comprises a mobile terminal, a mobile device management (MDM) system, a network access control (NAC) system and an application server, wherein:
the mobile device management system receives the mobile terminal access request, the mobile terminal handover request and the mobile terminal device authentication request initiated by the mobile terminal;
the mobile device management system authenticates the mobile terminal device information and sends the authentication result, the mobile terminal access request and the mobile terminal handover request to the network access control system;
the network access control system stores black/white lists, which comprise a blacklist, a white list and a gray list;
the network access control system controls the mobile terminal access request and the mobile terminal handover request according to the received authentication result, the black/white lists and the black/white list management policy, as follows:
query whether the mobile terminal device information is in the white list; if so, allow the mobile terminal to access the application server; otherwise query whether the mobile terminal device information is in the gray list; if so, allow the mobile terminal to access the application server; otherwise query whether the mobile terminal device information is in the blacklist; if so, decide whether to allow the mobile terminal to access the application server according to the result of the mobile terminal device authentication request; otherwise add the mobile terminal device information to the gray list.
The technical scheme of the present invention achieves the following technical effects:
(1) the user does not need to modify any MDM program;
(2) the user's habits are not changed;
(3) the load on the access control system is reduced and its stability is improved.
Description of the drawings
Fig. 1 is the terminal access flow chart of the prior art.
Fig. 2 is the first-access flow chart of the terminal in the present invention.
Fig. 3 is the terminal switching flow chart of the present invention.
Fig. 4 is the system composition block diagram of the present invention.
Specific embodiment
Explanation of terms:
NAC: Network Access Control, a system for admitting and controlling the access of mobile terminals.
MDM: Mobile Device Management, which refers mainly to the management of smartphones and tablet computers.
The flow for a terminal's first access to the NAC is shown in Figure 2:
First access of a terminal:
1) The mobile terminal sends a packet to the NAC. The NAC first queries whether this terminal identifier and IP are in the white list. If they are present and MDM authentication succeeds, the terminal is allowed to access the application; if MDM authentication fails, the new IP and terminal identifier are added to the blacklist and deleted from the white list, and the terminal's access is blocked.
2) If the terminal IP and identifier are not in the NAC white list, the NAC queries whether the same terminal IP and identifier are in the gray list. If they are and MDM authentication succeeds, the terminal IP and identifier are added to the white list and deleted from the gray list and the blacklist (the blacklist is also cleared so that the terminal information is unique across all tables), and the terminal is allowed to access the application. If authentication fails, they are added to the blacklist and deleted from the gray list and the white list (the white list is cleared here to keep the terminal IP and identifier unique), and the terminal's access to the application is blocked.
3) If neither the gray list nor the white list of the NAC contains them, the blacklist is queried. If terminal authentication succeeds, they are added to the white list and deleted from the blacklist and the gray list, and the terminal is allowed to access the application; if authentication fails or times out, the terminal's access to the application is blocked.
4) If none of the NAC's black, white and gray lists contains the terminal IP and identifier, the terminal IP is added to the NAC gray list and the terminal is allowed to access the application. If no MDM authentication result is received before the timeout, the terminal IP and identifier are added to the blacklist and the terminal's access is blocked. If MDM authentication succeeds, the terminal is allowed to access the application, the terminal identifier and IP are added to the white list, and the terminal's information is deleted from the gray list. If MDM authentication fails, the terminal information is added to the blacklist and deleted from the gray list, and the terminal's access is blocked.
Terminal IP switching, see Figure 3:
1) When the terminal's IP switches, the NAC queries whether the white list contains the terminal identifier together with the IP after the switch (the new IP; the former IP becomes the old IP). If the white list contains matching information and MDM authentication succeeds, the terminal is allowed to access the application and the old IP is deleted from the white list. If MDM authentication fails, the new IP and terminal identifier are added to the blacklist and the terminal's access is blocked.
2) If the new IP after the switch is not in the NAC white list, the NAC queries whether the terminal information is in the gray list. If it is and MDM authentication succeeds, the terminal is allowed to access the application, and the terminal IP and identifier are added to the white list and deleted from the gray list and the blacklist. If authentication fails, the terminal information is added to the blacklist and deleted from the gray list, and the terminal's access to the application is blocked.
3) If the new IP after the switch is in the NAC blacklist and terminal authentication succeeds, it is added to the white list and deleted from the blacklist and the gray list, and the terminal is allowed to access the application; if authentication fails or times out, the terminal's access to the application is blocked.
4) If the new IP is in none of the black, white and gray lists, the new IP is added to the gray list and the terminal is allowed to access the application. If no MDM authentication result is received before the timeout, the new IP and terminal identifier are added to the blacklist and deleted from the gray list, and the terminal's access is blocked. If MDM authentication succeeds, the terminal is allowed to access the application, the terminal identifier and new IP are added to the white list, and the new IP entry in the gray list and the terminal's old IP in the original white list are deleted. If MDM authentication fails, the new IP is added to the blacklist and deleted from the gray list, and the terminal's access is blocked.
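The first-access flow (Figure 2) and the IP-switch flow (Figure 3) above reduce to one decision on the first packet from a (terminal identifier, IP) pair plus one list update when the MDM verdict arrives. The following Python model is an added example, not the patent's code; the `NAC` class, its method names, the verdict strings "success", "failure" and "timeout", and the terminal identifier and IP values are assumptions.

```python
"""Reference model of the NAC white/gray/black list logic in Figures 2 and 3.

Added example, not the patent's code. Verdict strings, class and method names
and all sample values are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# An entry is the pair (terminal identifier, IP address); the patent keeps both per list.
Entry = Tuple[str, str]


@dataclass
class NAC:
    """White, gray and black lists with the patent's uniqueness rule across lists."""
    white: Set[Entry] = field(default_factory=set)
    gray: Set[Entry] = field(default_factory=set)
    black: Set[Entry] = field(default_factory=set)

    def _discard(self, entry: Entry) -> None:
        # Remove the entry from every list so it is recorded in at most one of them.
        for lst in (self.white, self.gray, self.black):
            lst.discard(entry)

    def _move(self, entry: Entry, target: Set[Entry]) -> None:
        self._discard(entry)
        target.add(entry)

    def on_packet(self, device_id: str, ip: str) -> bool:
        """Decision for the first packet from (device_id, ip), before any MDM result exists.

        Covers both the first access (Figure 2) and the first packet from a new IP
        after a switch (Figure 3): white and gray entries pass immediately, so the
        stream is not interrupted while MDM authenticates; an unknown pair is placed
        in the gray list and allowed provisionally; a blacklisted pair is held back
        until a successful MDM result arrives.
        """
        entry = (device_id, ip)
        if entry in self.white or entry in self.gray:
            return True
        if entry in self.black:
            return False
        self.gray.add(entry)
        return True

    def on_mdm_result(self, device_id: str, ip: str, result: str,
                      old_ip: Optional[str] = None) -> bool:
        """Apply the MDM verdict ("success", "failure" or "timeout") for (device_id, ip).

        old_ip is given when the terminal switched address: once the new IP is
        authenticated, the old IP is dropped from all lists so that only one
        address is recorded for the terminal. Returns whether access is allowed.
        """
        entry = (device_id, ip)
        if result == "success":
            self._move(entry, self.white)
            if old_ip is not None:
                self._discard((device_id, old_ip))
            return True
        # Failure and timeout are both recorded in the blacklist; gray/white copies go.
        self._move(entry, self.black)
        return False

    def lists_disjoint(self) -> bool:
        """Invariant the patent relies on: an entry is in at most one list."""
        return not (self.white & self.gray or self.white & self.black
                    or self.gray & self.black)


def walkthrough() -> Tuple[List[bool], NAC]:
    """Constructed scenario: first access, IP switch, then a failed re-authentication."""
    nac = NAC()
    dev = "dev-001"  # constructed terminal identifier
    decisions = [
        nac.on_packet(dev, "10.0.0.5"),                                    # unknown -> gray, pass
        nac.on_mdm_result(dev, "10.0.0.5", "success"),                     # -> white
        nac.on_packet(dev, "10.0.0.9"),                                    # new IP -> gray, no packet loss
        nac.on_mdm_result(dev, "10.0.0.9", "success", old_ip="10.0.0.5"),  # -> white, old IP dropped
        nac.on_mdm_result(dev, "10.0.0.9", "failure"),                     # -> black
        nac.on_packet(dev, "10.0.0.9"),                                    # blacklisted -> blocked
    ]
    return decisions, nac


if __name__ == "__main__":
    decisions, nac = walkthrough()
    print(decisions, sorted(nac.white), sorted(nac.black), nac.lists_disjoint())
```

The gray list is what removes the packet loss: a new or re-addressed terminal forwards traffic before the MDM verdict exists, so the timeout that moves a silent gray entry to the blacklist is the bound on that unauthenticated window.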
The invention also discloses a system, shown in Figure 4. The system comprises a mobile terminal (MDM client), an MDM server, a NAC server and an application server. The application server provides the application resources accessed by the mobile terminal. The NAC server receives the MDM authentication results sent by the MDM server and contains a network control module, a list management module, a policy management module, a cache management module and a memory management module. The list management module holds the black/white lists, specifically a blacklist, a white list and a gray list.
The mobile device management (MDM) system receives the mobile terminal access request, the mobile terminal handover request and the mobile terminal device authentication request initiated by the mobile terminal;
the mobile device management system authenticates the mobile terminal device information and sends the authentication result, the mobile terminal access request and the mobile terminal handover request to the network access control system;
the network access control (NAC) system stores black/white lists, which comprise a blacklist, a white list and a gray list;
the network access control system controls the mobile terminal access request and the mobile terminal handover request according to the received authentication result, the black/white lists and the black/white list management policy, as follows:
query whether the mobile terminal device information is in the white list; if so, allow the mobile terminal to access the application server; otherwise query whether the mobile terminal device information is in the gray list; if so, allow the mobile terminal to access the application server; otherwise query whether the mobile terminal device information is in the blacklist; if so, decide whether to allow the mobile terminal to access the application server according to the result of the mobile terminal device authentication request; otherwise add the mobile terminal device information to the gray list.
The flow when a mobile terminal opens an application is as follows:
1) When the mobile terminal opens an application, the access control system (NAC) writes the terminal IP into the gray list and allows the mobile terminal to access the application directly.
2) The MDM client on the mobile terminal initiates an authentication request to the MDM server.
3) The MDM server authenticates whether the terminal is compliant and sends the authentication result to the NAC.
4) According to the authentication result from the MDM server, the access control system either continues to allow the terminal to access the application if authentication succeeds, adding the terminal IP and identifier to the white list and deleting them from the gray list and the blacklist, or, if authentication fails, blocks the mobile terminal's access and adds this IP and identifier to the blacklist.
5) When the mobile terminal moves and switches IP, the access control system performs steps 1 to 4 for the new IP.
6) If the access control system does not receive an authentication result from the MDM server, it adds the new IP to the blacklist, deletes it from the gray list and blocks the terminal's access.
7) The user adds entries to the white list in the access control system; the mobile terminal is then allowed access directly as long as MDM authentication succeeds, and is blocked directly if authentication fails.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit its scope. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.
Claims (11)
1. A method for smoothly switching a mobile terminal's network connection, comprising the following steps:
1) when the mobile terminal connects to the network or switches its network IP address, obtaining the mobile terminal device information and initiating a mobile terminal device authentication request;
2) querying whether the mobile terminal device information is in a white list; if so, allowing the mobile terminal to access the application resource, otherwise performing step 3);
3) querying whether the mobile terminal device information is in a gray list; if so, allowing the mobile terminal to access the application resource, otherwise performing step 4);
4) querying whether the mobile terminal device information is in a blacklist; if so, deciding whether to allow the mobile terminal to access the application resource according to the result of the mobile terminal device authentication request, otherwise performing step 5);
5) adding the mobile terminal device information to the gray list.
2. The method according to claim 1, wherein in steps 2) to 4) the mobile terminal is allowed to access the application resource only after the mobile terminal device authentication request has passed.
3. The method according to claim 2, wherein in step 3), if the mobile terminal device information is in the gray list and the device authentication request passes, the mobile terminal device information is added to the white list and deleted from the gray list and the blacklist; if the device authentication request fails, the mobile terminal device information is added to the blacklist and deleted from the white list and the gray list.
4. The method according to claim 2, wherein in step 4), if the mobile terminal device information is in the blacklist and the device authentication request passes, the mobile terminal device information is added to the white list and deleted from the gray list and the blacklist, and the mobile terminal is allowed to access the application resource; if the device authentication request fails, the mobile terminal device information is added to the blacklist and deleted from the white list and the gray list, and the mobile terminal is prevented from accessing the application resource.
5. The method according to claim 2, wherein after step 5) has added the mobile terminal device information to the gray list, it is judged whether the mobile terminal device information passes the device authentication request; if so, the mobile terminal device information is added to the white list, the mobile terminal is allowed to access the application resource, and the mobile terminal device information is deleted from the gray list and the blacklist; if not, the mobile terminal device information is added to the blacklist and deleted from the white list and the gray list.
6. The method according to one of claims 3 to 5, wherein when the mobile terminal newly connects to the network, the mobile terminal device information comprises the mobile terminal device ID and the mobile terminal IP address.
7. The method according to one of claims 3 to 5, wherein when the mobile terminal switches its network IP address, the mobile terminal device information comprises the mobile terminal device ID, the old mobile terminal IP address before the switch and the new mobile terminal IP address after the switch.
8. The method according to claim 7, wherein when the mobile terminal switches its network IP address and the mobile terminal device information is in the white list, then when the mobile terminal device authentication passes, the new mobile terminal IP address is added to the white list and the old mobile terminal IP address corresponding to the mobile terminal device ID is deleted from the white list.
9. The method according to claim 7, wherein when the mobile terminal switches its network IP address, adding the mobile terminal device information to the white list in step 4) specifically comprises: adding the new mobile terminal IP address to the white list, and deleting the old mobile terminal IP address from the gray list and the blacklist.
10. The method according to claim 7, wherein when the mobile terminal switches its network IP address, adding the mobile terminal device information to the blacklist in step 5) specifically comprises: adding the new mobile terminal IP address to the blacklist, and deleting the old mobile terminal IP address from the white list and the gray list.
11. A system for smoothly switching a mobile terminal's network connection, comprising a mobile terminal, a mobile device management (MDM) system, a network access control (NAC) system and an application server, wherein:
the mobile device management system receives the mobile terminal access request, the mobile terminal handover request and the mobile terminal device authentication request initiated by the mobile terminal;
the mobile device management system authenticates the mobile terminal device information and sends the authentication result, the mobile terminal access request and the mobile terminal handover request to the network access control system;
the network access control system stores black/white lists, which comprise a blacklist, a white list and a gray list;
the network access control system controls the mobile terminal access request and the mobile terminal handover request according to the received authentication result, the black/white lists and the black/white list management policy, as follows:
query whether the mobile terminal device information is in the white list; if so, allow the mobile terminal to access the application server; otherwise query whether the mobile terminal device information is in the gray list; if so, allow the mobile terminal to access the application server; otherwise query whether the mobile terminal device information is in the blacklist; if so, decide whether to allow the mobile terminal to access the application server according to the result of the mobile terminal device authentication request; otherwise add the mobile terminal device information to the gray list.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611209516.2A CN108243418A (en) | 2016-12-23 | 2016-12-23 | A kind of connection of mobile terminal into network smooth-switching method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108243418A true CN108243418A (en) | 2018-07-03 |
Family ID: 62704439
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101895855A (en) * | 2009-05-18 | 2010-11-24 | 中国移动通信集团公司 | Mobile terminal access method, base station and access system |
US20130163583A1 (en) * | 2011-12-26 | 2013-06-27 | Jaya MEGHANI | Systems and methods for communication setup via reconciliation of internet protocol addresses |
CN104506510A (en) * | 2014-12-15 | 2015-04-08 | 百度在线网络技术(北京)有限公司 | Method and device for equipment authentication and authentication service system |
CN104994077A (en) * | 2015-06-08 | 2015-10-21 | 北京奇虎科技有限公司 | Wireless local area network access equipment identity marking method and device |
CN105939519A (en) * | 2015-08-27 | 2016-09-14 | 杭州迪普科技有限公司 | Authentication method and device |
Non-Patent Citations (2)
Title |
---|
孙孺石 et al.: 《GSM数字移动通信工程》 (GSM Digital Mobile Communication Engineering), 人民邮电出版社, 31 December 1996 |
张永杰: "联通移动接入网络安全技术研究" (Research on the security technology of the China Unicom mobile access network), 《中国优秀硕士学位论文全文数据库 信息科技辑》 (China Master's Theses Full-text Database, Information Science and Technology) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | Application publication date: 20180703 |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |