CN110830415B - Network access control method and device - Google Patents


Info

Publication number
CN110830415B
Authority
CN
China
Prior art keywords
terminal
authentication
controller
access
equipment
Prior art date
Legal status
Active
Application number
CN201810892727.3A
Other languages
Chinese (zh)
Other versions
CN110830415A (en
Inventor
李晶
徐霆
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN201810892727.3A
Publication of CN110830415A
Application granted
Publication of CN110830415B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/08 Protocols specially adapted for terminal emulation, e.g. Telnet

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application provides a network access control method in the field of communications. It offers a scheme in which the authentication point and the control point are separated, without the authentication point device having to control the access device directly. The method comprises the following steps: the controller obtains terminal associated data from the access device by remote login (Telnet or SSH), the terminal associated data comprising the correspondence between the terminal and the interface of the access device connected to the terminal; the controller then obtains the authentication result of the authentication server for the terminal; and if the terminal passed authentication, the controller instructs the access device, again by remote login, to open the interface connected to the terminal. The method and device apply to the process of a terminal joining a campus network.

Description

Network access control method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a network access control method and apparatus.
Background
An Extensible Authentication Protocol (EAP) architecture includes a supplicant (supplicant), an authentication point (authenticator), and an authentication server (authentication server). Access to the campus network is typically controlled and managed by the access device as an authentication point. An access device is typically a device that is directly connected to the terminal, such as an access layer switch.
In the authentication point and control point separation scheme, the authentication point is transferred from the access device to a device (e.g., gateway device) that is further away from the terminal. After the terminal is authenticated, the authentication point device instructs the access device (as a control point that controls whether the terminal is allowed to access the network resource) to open an interface connected to the terminal to enable the terminal to access the network resource. However, if the authentication point device and the access device are not provided by the same vendor, the authentication point device cannot know which interface of the access device is connected to the terminal, and cannot control the state of the interface of the access device.
Disclosure of Invention
The application provides a network access control method and a network access control device, which are used for providing a scheme of separating an authentication point from a control point, wherein the authentication point does not need to directly control access equipment.
In order to achieve the above purpose, the present application provides the following technical solutions:
In a first aspect, a network access control method is provided, including: the controller obtains terminal associated data from the access device by remote login, the terminal associated data comprising the correspondence between the terminal and the interface of the access device connected to the terminal; the controller obtains the authentication result of the authentication server for the terminal; and if the terminal passed authentication, the controller instructs the access device, by remote login, to open the interface connected to the terminal.
Because the remote-login protocols (Telnet and SSH) are public, standard protocols, an access device is very likely to support at least one of them. The controller can therefore retrieve the terminal association data from the access device, and send it the instruction to open the interface connected to the terminal, over a remote-login session, without involving the authentication point device. Thus, in a scenario where the authentication point is separated from the control point, the campus network can control and manage terminal access even when the authentication point device and the access device come from different vendors. Two cautions follow from this design: Telnet carries the device credentials and every command in cleartext, so SSH with host-key verification should be used wherever the access device supports it; and the controller now holds administrative credentials for every access device, so its credential store and its remote-login sessions become a high-value target that must be protected accordingly.
In one possible design, the controller obtaining the terminal association data from the access device by remote login includes: the controller repeatedly obtaining the terminal association data from the access device by remote login. This lets the controller learn in time whether a new terminal has connected to the access device, and control that terminal's access to the campus network.
In one possible design, the controller obtains the terminal association data from the access device in a telnet manner, including: the controller is connected with the access device through a Telnet protocol or a Secure Shell (SSH) protocol according to device data of the access device, wherein the device data comprises: a login mode, an address of access equipment, an account and/or a password; the controller executes the script file and obtains terminal associated data from the access device. Based on the technical scheme, the controller automatically acquires the terminal associated data from the access equipment by executing the script file.
In one possible design, the method further includes: the controller sends the identification of the terminal to the authentication point device based on the terminal association data. Therefore, in the process of authenticating the terminal, the authentication point device can judge whether the terminal is connected with the access device according to whether the identifier of the terminal is stored in advance, so as to improve the security.
In one possible design, the controller obtains an authentication result of the terminal by the authentication server, and includes: the controller acquires an authentication result of the terminal from the authentication point device; alternatively, the controller acquires an authentication result of the terminal from the authentication server.
In a second aspect, a network access control device is provided, which includes: the remote login module is used for acquiring terminal associated data from the access equipment in a remote login mode, wherein the terminal associated data comprises: the corresponding relation between the terminal and the interface of the access device connected with the terminal. And the authentication processing module is used for determining the authentication result of the authentication server to the terminal. And the remote login module is also used for indicating the access equipment to open an interface connected with the terminal in a remote login mode when the authentication result of the terminal is that the terminal passes the authentication.
In one possible design, the telnet module is configured to repeatedly obtain the terminal-associated data from the access device in a telnet fashion.
In one possible design, the Telnet module is configured to connect the access device via a Telnet protocol or an SSH protocol according to device data of the access device, where the device data includes: a login mode, an address of access equipment, an account and/or a password; and executing the script file and acquiring the terminal associated data from the access equipment.
In one possible design, the authentication processing module is further configured to send the identifier of the terminal to the authentication point device based on the terminal association data.
In one possible design, the authentication processing module is configured to obtain an authentication result of the terminal from the authentication point device; alternatively, the authentication result of the terminal is acquired from the authentication server.
In a third aspect, a controller is provided, comprising: a communication interface, a processor and a memory, the memory is used for storing computer-executable instructions, when the controller runs, the processor executes the computer-executable instructions stored in the memory, so as to enable the controller to execute the network access control method of any one of the first aspect.
In a fourth aspect, a computer-readable storage medium is provided, which stores instructions that, when executed on a computer, enable the computer to perform the network access control method of any one of the above first aspects.
In a fifth aspect, there is provided a computer program product containing instructions which, when run on a computer, enable the computer to perform the network access control method of any of the first aspects above.
In a sixth aspect, a chip system is provided, where the chip system includes a processor, and is configured to support a controller to implement the functions of the network access control method according to any one of the first aspect. In one possible design, the system-on-chip further includes a memory for storing program instructions and data necessary for the controller. The chip system may be formed by a chip, and may also include a chip and other discrete devices.
For technical effects brought by any one of the design manners in the second aspect to the sixth aspect, reference may be made to technical effects brought by different design manners in the first aspect, and details are not repeated herein.
Drawings
Fig. 1 is a schematic architecture diagram of a campus network according to an embodiment of the present disclosure;
fig. 2 is a schematic hardware structure diagram of a controller according to an embodiment of the present disclosure;
fig. 3 is a first flowchart of a network access control method according to an embodiment of the present application;
fig. 4 is a second flowchart of a network access control method according to an embodiment of the present application;
fig. 5 is a third flowchart of a network access control method according to an embodiment of the present application;
fig. 6 is a fourth flowchart of a network access control method according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a network access control apparatus according to an embodiment of the present application.
Detailed Description
The term "and/or" in this application is only one kind of association relationship describing the associated object, and means that there may be three kinds of relationships, for example, a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone.
In addition, the network architecture and the service scenario described in the embodiment of the present application are for more clearly illustrating the technical solution of the embodiment of the present application, and do not constitute a limitation to the technical solution provided in the embodiment of the present application, and it can be known by a person skilled in the art that the technical solution provided in the embodiment of the present application is also applicable to similar technical problems along with the evolution of the network architecture and the appearance of a new service scenario.
Fig. 1 is a schematic diagram of an architecture of a campus network according to an embodiment of the present disclosure. The campus network includes: a terminal, a Wireless Access Point (WAP), an access device, an authentication point device, a controller, and an authentication server. The campus network may also include other devices, such as portal servers.
The terminal can be various handheld devices, vehicle-mounted devices, wearable devices, computers and network devices with communication functions. For example, the handheld device may be a smartphone. The in-vehicle device may be an in-vehicle navigation system. The wearable device may be a smart bracelet. The computer may be a Personal Digital Assistant (PDA) computer, a tablet computer, and a laptop computer. The network devices may be a home gateway (RG), a WAP, and a switch. In this embodiment, the terminal may connect to the access device in a wired connection manner to access the campus network. Alternatively, the terminal connects to the access device in a wireless connection manner, for example, the terminal connects to the access device through WAP to access the campus network.
The access device is responsible for forwarding data from the terminal and has the function of controlling whether the terminal is allowed to access network resources. Alternatively, the access device may be an access layer switch.
The authentication point device is responsible for the authentication process of the terminal. Optionally, the authentication point device may be a convergence layer switch or a core layer switch. The aggregation switch is a switch arranged on an aggregation layer, is an aggregation point of a plurality of access layer switches, is used for processing data from the access layer equipment and provides an uplink to a core layer. The core switch is a switch arranged in a core layer (namely a network trunk part), namely a downlink aggregation switch, and has the capability of processing data forwarding at a high speed.
The authentication server provides an authentication service for the terminal. The authentication server pre-stores the account number and the password of the terminal and the network access authority of the terminal. Optionally, the Authentication server is a Remote Authentication Dial In User Service (RADIUS) Authentication server. In the embodiment of the present application, the authentication server may be integrated on the controller.
The controller is used for acquiring the terminal associated data from the access equipment in a remote login mode and instructing the access equipment to open an interface connected with the terminal in the remote login mode under the condition that the terminal passes the authentication, so that a scheme for separating the authentication point and the control point without directly controlling the access equipment by the authentication point equipment is provided. Optionally, the controller is an agile controller.
Fig. 2 is a schematic diagram of a hardware structure of a controller according to an embodiment of the present disclosure. The controller 200 includes at least one processor 201, a memory 202, and at least one communication interface 203.
The processor 201 may be a Central Processing Unit (CPU).
A communication interface 203 for communicating with other devices or communication networks, such as ethernet, Wireless Local Area Networks (WLAN), etc.
The memory 202 is, for example, a read-only memory (ROM), a random access memory (RAM), an electrically erasable programmable read-only memory (EEPROM), an optical disk or other optical storage device, or a magnetic disk or other magnetic storage device. The memory 202 may be separate from or integrated with the processor 201.
Memory 202 is used to store, among other things, computer-executable instructions for performing aspects of the present application. The processor 201 is configured to execute the computer executable instructions stored in the memory 202, and control the communication interface 203 to implement the network access control method provided by the following embodiments of the present application.
The processor 201 may include one or more CPUs, such as CPU0 and CPU1 in fig. 2. Controller 200 may include multiple processors, such as processor 201 and processor 206 in FIG. 2. Each of these processors may be a single core processor or a multi-core processor.
The controller 200 may also include an output device 204 and an input device 205. For example, the output device 204 may be a Liquid Crystal Display (LCD), a Cathode Ray Tube (CRT) display, a projector (projector), or the like. For example, the input device 205 may be a mouse, a keyboard, a touch screen device, or a sensing device, among others.
Based on the architecture of the campus network shown in fig. 1, an embodiment of the present application provides a network access control method, which is suitable for a scenario where the campus network employs various authentication technologies, for example, a scenario where the campus network employs an EAP authentication technology, and for example, a scenario where the campus network employs a captive portal (captive portal) authentication technology.
The following describes in detail a network access control method provided in an embodiment of the present application, taking a scenario in which a campus network employs an EAP authentication technology as an example. As shown in fig. 3, a network access control method provided in the embodiment of the present application includes the following steps:
S101, the controller obtains the terminal associated data from the access device by remote login.
The terminal associated data comprises the correspondence between the terminal and the interface of the access device connected to the terminal. The interface may be a physical interface or a logical interface. A logical interface implements a data exchange function but does not physically exist and is created through configuration; for example, the controlled and uncontrolled ports defined by the 802.1X protocol. The uncontrolled port is always open in both directions and is used to receive authentication messages from the terminal and send authentication messages to it. The controlled port is open in both directions in the authorized state and carries service traffic; in the unauthorized state it does not accept any message from the terminal.
The correspondence between the terminal and the interface of the access device connected to it may be represented by a correspondence between an identifier of the terminal and an identifier of the interface. The identifier of the terminal includes the Media Access Control (MAC) address and/or the Internet Protocol (IP) address of the terminal. The identifier of the interface is the index of the interface; or a combination of the interface's Virtual Local Area Network (VLAN) identifier and its MAC address; or a combination of the interface's VLAN identifier and its IP address. Note that a MAC or IP address is an unauthenticated identifier that a terminal can change at will: tying it to a specific interface narrows what a spoofed address can achieve, but the scheme still depends on the access device's learned address table being accurate.
In one implementation, the controller is connected to the access device through a Telnet protocol or an SSH protocol according to device data of the access device. The controller then executes the script file and obtains terminal-associated data from the access device.
Optionally, the device data of the access device includes: a login mode, the address of the access device, an account and/or a password. The login mode indicates the protocol used for remote login, for example Telnet or SSH. In this embodiment, the device data of the access device is either pre-stored by the controller or entered by the user on an input page displayed by the controller.
Optionally, the script file is used to obtain the terminal associated data from the access device. It may be written in Python or in another language; this is not limited here. In this embodiment, the script file is generated by the controller according to preset rules, or written by hand.
In this embodiment, the controller repeatedly obtains the terminal associated data from the access device by remote login, so that it learns promptly when a new terminal connects to the access device and can control that terminal's access to the campus network.
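How the polling step S101 might look in practice. The following is an added example written for this page, not code from the patent or from Huawei: it parses a MAC address table the way an access switch might print it, builds the terminal-to-interface bindings, and reports the terminals that appeared since the previous poll. The column layout, the command string, the sample rows and the `run_command` transport callable are all assumptions; in a real controller that callable would be an SSH session opened with the stored device data.

```python
import re
from typing import Callable, Dict, NamedTuple, Tuple


class PortBinding(NamedTuple):
    """One entry of the terminal association data: the interface (and VLAN)
    on which the access device learned a terminal's MAC address."""
    interface: str
    vlan: int


# One row of a MAC address table.  The column order (MAC, VLAN, port, type)
# is an assumption for this example; adapt the pattern to the real device output.
_ROW = re.compile(
    r"^\s*(?P<mac>(?:[0-9a-f]{4}-){2}[0-9a-f]{4}|(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"\s+(?P<vlan>\d+)\s+(?P<port>\S+)\s+(?P<kind>\S+)",
    re.IGNORECASE,
)


def normalize_mac(mac: str) -> str:
    """Canonical lowercase aa:bb:cc:dd:ee:ff form, so that the switch's spelling
    (for example 0011-2233-4455) compares equal to the one in RADIUS messages."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> Dict[str, PortBinding]:
    """Build terminal -> interface bindings from the raw command output.
    Header lines, separators and non-dynamic entries are ignored."""
    bindings: Dict[str, PortBinding] = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m or m.group("kind").lower() != "dynamic":
            continue
        bindings[normalize_mac(m.group("mac"))] = PortBinding(
            m.group("port"), int(m.group("vlan"))
        )
    return bindings


def new_terminals(previous: Dict[str, PortBinding],
                  current: Dict[str, PortBinding]) -> Dict[str, PortBinding]:
    """Terminals seen in this poll but not in the previous one, which is what
    the repeated polling of S101 exists to detect."""
    return {mac: b for mac, b in current.items() if mac not in previous}


def poll_access_device(run_command: Callable[[str], str],
                       previous: Dict[str, PortBinding],
                       command: str = "display mac-address dynamic",
                       ) -> Tuple[Dict[str, PortBinding], Dict[str, PortBinding]]:
    """One polling round.  `run_command` stands for the remote-login session
    (an SSH client in practice); `command` is an assumed CLI string."""
    current = parse_mac_table(run_command(command))
    return current, new_terminals(previous, current)


# Constructed sample output for two successive polls (not captured from a device).
SAMPLE_POLL_1 = """\
MAC Address     VLAN  Port                   Type
--------------------------------------------------------
0011-2233-4455  10    GigabitEthernet0/0/1   dynamic
00e0-fc12-3456  20    GigabitEthernet0/0/3   static
"""
SAMPLE_POLL_2 = SAMPLE_POLL_1 + "0011-2233-4466  10    GigabitEthernet0/0/2   dynamic\n"

if __name__ == "__main__":
    first, _ = poll_access_device(lambda cmd: SAMPLE_POLL_1, {})
    second, fresh = poll_access_device(lambda cmd: SAMPLE_POLL_2, first)
    print("new terminals:", fresh)
```

The transport callable is where the security of the whole scheme concentrates: it should be an SSH client that verifies the access device's host key against a pinned value, since a controller that accepts any host key can be steered into typing its administrative credentials at an impostor.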
And S102, initiating an authentication process between the terminal and the authentication point equipment.
In one implementation, the terminal sends an authentication request message (for example an EAPOL-Start message) to the authentication point device to initiate the authentication procedure. Alternatively, the authentication point device sends an authentication request message (for example an EAP-Request/Identity message) to the terminal to initiate it.
Until the terminal passes authentication, the interface of the access device that connects to the terminal is restricted: it carries only authentication messages, not non-authentication messages such as service traffic. For example, the access device configures an Access Control List (ACL) on the interface connected to the terminal that instructs the interface to discard non-authentication packets. The ACL contains a deny rule matching non-authentication messages, so that any packet matching it is discarded. Of the packets arriving on the interface connected to the terminal, the access device therefore discards the non-authentication packets and forwards the authentication packets.
Optionally, in this embodiment of the application, step S102 may be performed after step S101 is performed; alternatively, step S101 and step S102 are performed simultaneously.
S103, the terminal sends the authentication data to the authentication point equipment.
For example, the authentication data is an account number and a password. The authentication data is pre-stored by the terminal, or the authentication data is input by the user on an authentication client installed on the terminal.
For example, after authentication is initiated, the authentication point device sends an EAP-Request/Identity message to the terminal through the access device, asking the user to enter an account on the terminal's authentication client. The terminal answers with an EAP-Response/Identity message carrying the account. The authentication point device then sends an EAP-Request/MD5-Challenge message to the terminal, carrying a challenge value (called an "encryption word" in the original). The terminal combines the password with the challenge and sends an EAP-Response/MD5-Challenge message, carrying the result, to the authentication point device through the access device.
The challenge is generated by the authentication point device, or obtained by it from the authentication server. According to the description, if the challenge is generated by the authentication point device, it either recovers the password from the response using the challenge and sends the account and the password to the authentication server, or it forwards the account, the challenge and the response together so that the server can recover the password itself; the server then authenticates the terminal against the account and the password. Practitioner's note: in standard EAP-MD5 the response value is the MD5 hash of the EAP Identifier, the password and the challenge (RFC 3748, section 5.4), so it cannot be reversed; the authentication server verifies it by recomputing the hash from the password it stores, and of the two variants above only the second (forwarding account, challenge and response) matches the standard.
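The challenge exchange just described, as an added example that is not part of the patent: the computations of the three parties for EAP-MD5 (RFC 3748 section 5.4, which reuses the CHAP computation of RFC 1994). The "encryption" of the description is a one-way hash over the EAP Identifier, the password and the challenge, and the authentication server verifies it by recomputing that hash with the stored password. The last function shows the practical consequence of this construction: an eavesdropper on the terminal-to-authentication-point path can test password guesses offline against a single captured exchange, which is why EAP-MD5 claims no dictionary-attack protection. Passwords, the 16-byte challenge length and the identifiers are constructed values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Md5Challenge:
    """Content of an EAP-Request/MD5-Challenge: the EAP Identifier octet and the
    challenge value (the 'encryption word' of the description above)."""
    identifier: int
    challenge: bytes


def md5_challenge_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 Response Value (RFC 3748 s.5.4, reusing RFC 1994 CHAP):
    MD5(Identifier || secret || Challenge).  A one-way hash, not a cipher text."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def authentication_point_request(identifier: int,
                                 challenge: Optional[bytes] = None) -> Md5Challenge:
    """Authentication point side: issue a fresh random challenge (16 bytes assumed)."""
    return Md5Challenge(identifier, os.urandom(16) if challenge is None else challenge)


def terminal_response(req: Md5Challenge, password: bytes) -> bytes:
    """Terminal (supplicant) side: answer the challenge with the user's password."""
    return md5_challenge_response(req.identifier, password, req.challenge)


def authentication_server_verify(req: Md5Challenge, response: bytes,
                                 stored_password: bytes) -> bool:
    """Authentication server side, given identifier, challenge and response from
    the RADIUS message: recompute the hash with the password in its database and
    compare in constant time.  Nothing is decrypted."""
    expected = md5_challenge_response(req.identifier, stored_password, req.challenge)
    return hmac.compare_digest(expected, response)


def offline_dictionary_attack(req: Md5Challenge, response: bytes,
                              candidates: Iterable[bytes]) -> Optional[bytes]:
    """An eavesdropper between terminal and authentication point holds identifier,
    challenge and response and can test guesses offline: EAP-MD5 provides no
    dictionary-attack protection (RFC 3748 s.5.4)."""
    for guess in candidates:
        if md5_challenge_response(req.identifier, guess, req.challenge) == response:
            return guess
    return None


if __name__ == "__main__":
    # Constructed values: the password is what the terminal's user typed and what
    # the authentication server stores for that account.
    req = authentication_point_request(identifier=7)
    resp = terminal_response(req, b"campus-pass-2018")
    print(authentication_server_verify(req, resp, b"campus-pass-2018"))   # True
    print(authentication_server_verify(req, resp, b"wrong"))              # False
    print(offline_dictionary_attack(req, resp, [b"password", b"campus-pass-2018"]))
```

Because the method also derives no key material and authenticates only the terminal, EAP-MD5 is unsuitable for wireless access; the controller scheme on this page does not change that, it only changes who opens the port afterwards.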
And S104, the authentication point equipment sends the authentication data to an authentication server.
For example, the authentication point device encapsulates the authentication data in a RADIUS message and sends it to the authentication server. Note that the RADIUS message also carries an address of the terminal (in 802.1X deployments typically the MAC address in the Calling-Station-Id attribute), so that the authentication server can tell which terminal the authentication data belongs to.
And S105, the authentication server authenticates the terminal according to the authentication data of the terminal.
For example, the authentication server compares the received authentication data with authentication data stored in a database. And if the received authentication data is consistent with the authentication data stored in the database, the authentication server passes the authentication of the terminal. Otherwise, the terminal fails authentication.
S106, the authentication server sends the authentication result to the authentication point equipment.
The message carrying the authentication result also contains the identifier of the terminal, so that the authentication point device can acquire the terminal corresponding to the authentication result.
Optionally, the message carrying the authentication result further includes a network access policy of the terminal. The network access policy is used for indicating network resources which the terminal has the right and/or has no right to access. The network access policy is searched from a database by the authentication server according to the authentication data of the terminal. As an example, the network access policy is implemented in the form of an ACL.
For example, if the terminal passes authentication, the authentication server returns an EAP-Success message (carried in a RADIUS Access-Accept) to the authentication point device, so that the authentication point device knows the terminal passed. If the terminal fails authentication, the authentication server returns an EAP-Failure message (carried in a RADIUS Access-Reject), so that the authentication point device knows the terminal failed.
S107, the controller acquires an authentication result from the authentication point equipment.
In one implementation, the authentication point device actively sends the authentication result to the controller. Or the controller sends authentication result request information to the authentication point equipment; thereafter, the authentication point device transmits the authentication result to the controller in response to the authentication result request information.
Alternatively, step S107 may be replaced with step S108 described below.
S108, the controller obtains the authentication result from the authentication server.
In one implementation, the authentication server actively sends the authentication result to the controller. Or the controller sends authentication result request information to the authentication server; thereafter, the authentication server transmits the authentication result to the controller in response to the authentication result request message.
In this way, the controller can acquire the authentication result of the terminal from the authentication server or the authentication point device. If the authentication server is integrated with the controller, the controller may acquire the authentication result of the terminal from itself without executing step S107 or step S108.
And S109, if the authentication result of the terminal is that the authentication is passed, the controller instructs the access equipment to open an interface connected with the terminal in a remote login mode.
In one implementation manner, the controller determines the access device and an interface used by the access device to connect with the terminal according to the terminal association data and the identifier of the terminal included in the message carrying the authentication result. The controller thus instructs the access device to open an interface to the terminal in a telnet fashion.
In this embodiment, opening the interface connected to the terminal means that the access device allows that interface to carry non-authentication packets (that is, service packets). Optionally, once the terminal passes authentication, the access device deletes the deny rule matching non-authentication packets from the ACL configured on the interface connected to the terminal.
Further, if the controller receives a network access policy corresponding to the terminal, the controller issues the network access policy to the access device in a remote login manner. Therefore, the access equipment controls the access of the terminal to the network resource according to the network access strategy.
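What the controller does with the authentication result in S109, as an added example (not the patent's or Huawei's code): it resolves the terminal identifier carried in the result message against the association data from S101 and produces the commands it will push over the remote-login session, refusing to act on a failure, on an identifier it never saw, or on an interface that is an uplink rather than a terminal-facing port (that uplink check is an addition beyond the text). The command templates are placeholders, not the CLI of any real device, and the bindings are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


def normalize_mac(mac: str) -> str:
    """RADIUS results and switch tables spell MAC addresses differently;
    compare them in one canonical form."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class AuthResult:
    """Fields the controller takes from the message carrying the result (S106 to S108)."""
    terminal_id: str                                      # MAC address of the terminal
    passed: bool                                          # EAP-Success vs EAP-Failure
    acl_rules: List[str] = field(default_factory=list)    # optional network access policy


@dataclass
class PortAction:
    interface: str
    commands: List[str]


# Placeholder command templates for this example; the controller's script file
# would carry the real syntax of the access device.
_ENTER_INTERFACE = "interface {interface}"
_REMOVE_PRE_AUTH_DENY = "undo pre-auth-deny-rule"   # deletes the deny rule of S102
_APPLY_POLICY = "policy {rule}"
_LEAVE = "quit"


def plan_interface_open(bindings: Dict[str, str], result: AuthResult,
                        uplinks: FrozenSet[str] = frozenset()) -> Optional[PortAction]:
    """Decide whether, and how, to open the terminal's interface.  Returns None
    whenever nothing must be pushed to the access device."""
    if not result.passed:
        return None                    # a failure leaves the interface restricted
    try:
        mac = normalize_mac(result.terminal_id)
    except ValueError:
        return None                    # malformed identifier: do not guess
    interface = bindings.get(mac)
    if interface is None:
        return None                    # never open a port for a terminal we did not see
    if interface in uplinks:
        return None                    # MACs learned on an uplink are not terminals
    commands = [_ENTER_INTERFACE.format(interface=interface), _REMOVE_PRE_AUTH_DENY]
    commands += [_APPLY_POLICY.format(rule=rule) for rule in result.acl_rules]
    commands.append(_LEAVE)
    return PortAction(interface, commands)


# Constructed association data, as S101 would have produced it.
BINDINGS = {
    "00:11:22:33:44:55": "GigabitEthernet0/0/1",
    "00:11:22:33:44:66": "GigabitEthernet0/0/24",   # the port towards the aggregation switch
}
UPLINKS = frozenset({"GigabitEthernet0/0/24"})

if __name__ == "__main__":
    ok = plan_interface_open(
        BINDINGS, AuthResult("0011-2233-4455", True, ["permit-intranet"]), UPLINKS)
    print(ok.commands if ok else "no action")
```

The uplink exclusion matters because every MAC address behind the aggregation switch is learned on that one port; a controller that treated it as a terminal-facing interface would open the uplink's pre-authentication filter for everyone the moment any one of those terminals passed.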
It should be noted that the EAP authentication procedure shown in fig. 3 only illustrates some relevant steps of the network access control method provided in the embodiment of the present application, so as to illustrate an application scenario related to the technical solution provided in the embodiment of the present application. In practical applications, the EAP authentication procedure may also include other steps.
Based on the above technical scheme, since the protocols used for remote login are public protocols, the access device is likely to support them. Therefore, when the campus network adopts the EAP authentication technology, the controller can acquire the terminal association data from the access device in a remote login mode, and after the terminal passes the authentication, the controller can instruct the access device, in the remote login mode, to open the interface connected with the terminal. That is, in a scenario where the authentication point and the control point are separated, the controller can directly control the access device without participation of the authentication point device.
Optionally, in order to improve the security of the campus network, on the basis of the scheme shown in fig. 3, as shown in fig. 4, after step S101, the network access control method provided in this embodiment of the present application may further include step S110; after step S103, the network access control method provided in the embodiment of the present application may further include step S111.
S110, the controller sends the identification of the terminal to the authentication point equipment.
In one implementation, the controller sends the identifier of the terminal to the authentication point device by using a Network Configuration Protocol (NETCONF) based on the terminal-related data. After receiving the identifier of the terminal, the authentication point device stores the identifier of the terminal.
S111, the authentication point device detects whether the identification of the terminal which sends the authentication data is stored in advance.
In one implementation, if the authentication point device has stored in advance the identifier of the terminal that sent the authentication data, the authentication point device can determine that the terminal is connected to the access device, so the authentication point device continues the authentication procedure of the terminal, that is, executes step S104. If the identifier of the terminal that sent the authentication data is not pre-stored in the authentication point device, the authentication point device can determine that the terminal is not connected to the access device, so the authentication point device stops the authentication process of the terminal, that is, does not execute step S104.
Therefore, the authentication point device can block the authentication process of a terminal that is not connected to the access device, and thus forbid a terminal that is not connected to the access device from accessing the network resources of the campus network, thereby improving the security of the campus network.
The following describes in detail a network access control method provided in an embodiment of the present application, taking a scenario in which a captive portal authentication technology is adopted in a campus network as an example.
As shown in fig. 5, a network access control method provided in an embodiment of the present application includes the following steps:
S201 is similar to step S101; for details, refer to the embodiment shown in fig. 3, which is not repeated here.
S202, the terminal sends a Hypertext Transfer Protocol (HTTP) request packet to the authentication point device.
In one implementation, a terminal obtains a website input by a user and sends a corresponding HTTP request message according to the website, where the HTTP request message is used to request access to the website input by the user.
It should be noted that the interface of the access device for connecting with the terminal is restricted before the terminal passes authentication. That is, before the terminal passes authentication, the interface of the access device for connecting to the terminal is only used for transmitting HTTP messages and the preparation messages (such as Dynamic Host Configuration Protocol (DHCP) messages, Address Resolution Protocol (ARP) messages, and the like) that must be exchanged before an HTTP message can be sent, and cannot be used for transmitting non-HTTP messages. For example, the access device sets an ACL on the interface connected to the terminal, where the ACL instructs the interface to discard non-HTTP messages. Specifically, the ACL is provided with a rejection rule matching non-HTTP messages, and the rejection rule is used to discard the messages that match it. In this way, among the messages entering through the interface connected with the terminal, non-HTTP messages are discarded by the access device and HTTP messages are forwarded by the access device.
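The pre-authentication ACL described above, as an added example that is not part of the patent text: a constructed model of the interface's ordered rule list, with the three permitted classes (ARP, DHCP, HTTP) ahead of the rejection rule, and the "open interface" operation of step S212 implemented as removal of that rejection rule. The `Packet` and `Rule` types, the default-forward behaviour when no rule matches, and the extra DNS permit (covering the page's "and the like", since a hostname typed by the user must resolve before the HTTP request can be sent) are assumptions of this example, not something the page specifies.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Packet:
    """Constructed abstraction of the header fields the pre-auth ACL inspects."""
    ethertype: str                  # "ARP" or "IPv4"
    proto: Optional[str] = None     # "TCP" or "UDP" for IPv4 frames
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    name: str
    matches: Callable[[Packet], bool]


def is_arp(p: Packet) -> bool:
    return p.ethertype == "ARP"


def is_dhcp(p: Packet) -> bool:
    # DHCP is UDP between the client port (68) and the server port (67).
    return p.ethertype == "IPv4" and p.proto == "UDP" and bool({p.src_port, p.dst_port} & {67, 68})


def is_dns(p: Packet) -> bool:
    # Assumption: DNS is one of the "preparation messages"; without it the typed
    # website cannot be resolved and no HTTP request is ever sent.
    return p.ethertype == "IPv4" and p.proto == "UDP" and p.dst_port == 53


def is_http(p: Packet) -> bool:
    # Only cleartext HTTP to port 80 reaches the redirect in step S203; TLS on 443
    # cannot be redirected this way and is therefore matched by the deny rule.
    return p.ethertype == "IPv4" and p.proto == "TCP" and p.dst_port == 80


def pre_auth_acl() -> List[Rule]:
    """Ordered ACL applied to an interface whose terminal has not passed authentication."""
    return [
        Rule("permit", "arp", is_arp),
        Rule("permit", "dhcp", is_dhcp),
        Rule("permit", "dns", is_dns),
        Rule("permit", "http", is_http),
        Rule("deny", "non-http", lambda p: True),   # the rejection rule of step S202
    ]


class Interface:
    """One access-device interface and the ACL bound to it (constructed model)."""

    def __init__(self, name: str):
        self.name = name
        self.acl = pre_auth_acl()

    def forwards(self, pkt: Packet) -> bool:
        """First matching rule wins; with no matching rule the frame is forwarded (assumption)."""
        for rule in self.acl:
            if rule.matches(pkt):
                return rule.action == "permit"
        return True

    def open_for_terminal(self) -> None:
        """Step S212 as seen by the access device: drop the rejection rule, keep the permits."""
        self.acl = [r for r in self.acl if r.action != "deny"]

    def deny_rule_present(self) -> bool:
        return any(r.action == "deny" for r in self.acl)
```

Keeping the permit rules in place after the deny rule is removed is harmless, which is why the open operation only filters on `action`; the security-relevant invariant is that the deny rule is present on every interface whose terminal has not passed authentication, and that is what `deny_rule_present` exists to check.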
It should be noted that, in the embodiment of the present application, the execution sequence of step S201 and step S202 is not limited, that is, step S201 may be executed first, and then step S202 may be executed; step S201 and step S202 may also be performed simultaneously.
S203, the authentication point equipment redirects the HTTP request message to the portal server.
In one implementation, the authentication point device intercepts an HTTP request packet sent by an unauthenticated terminal, and returns a redirection address to the terminal, so that the terminal sends the HTTP request packet to the portal server according to the redirection address. Wherein the redirection address comprises an address of a portal server.
S204, the portal server returns a page for the user to input the authentication data to the terminal.
In one implementation, the portal server returns an HTTP response packet to the authentication point device, where the HTTP response packet carries a page for the user to input authentication data. And the authentication point equipment sends the HTTP response message to the terminal.
S205, the terminal sends authentication data to the portal server.
Wherein the authentication data comprises an account and a password.
In one implementation, after receiving the HTTP response message, the terminal displays a page for the user to input authentication data. After the user inputs the authentication data, the terminal sends an HTTP request message carrying the authentication data to the authentication point equipment. And the authentication point equipment forwards the HTTP request message carrying the authentication data to the portal server.
It should be noted that the HTTP request packet carrying the authentication data includes an identifier of the terminal, so that other devices can obtain the terminal corresponding to the HTTP request packet carrying the authentication data.
S206, the portal server forwards the authentication data to the authentication point equipment.
In one implementation, the portal server sends an HTTP response packet carrying authentication data to the authentication point device to trigger the authentication process of the terminal.
S207-S211 are similar to steps S104-S108; please refer to the embodiment shown in fig. 3 for details, which are not repeated herein. On the premise that step S211 (corresponding to step S108) is executed, step S209 (corresponding to step S106) is optional, that is, the authentication server may execute it or may not.
In this embodiment of the application, after step S209, if the authentication point device learns that the terminal has passed authentication, the authentication point device no longer performs the redirection operation on packets sent by the terminal.
S212, if the authentication result of the terminal is that the authentication is passed, the controller instructs the access device, in a remote login mode, to open the interface connected with the terminal.
In one implementation manner, the controller determines the access device, and the interface used by the access device to connect with the terminal, according to the identifier of the terminal included in the message carrying the authentication result and the terminal association data. The controller then instructs the access device, in the remote login mode, to open the interface connected to the terminal.
In this embodiment of the present application, the access device opening the interface connected to the terminal means that the access device allows the interface connected to the terminal to transmit non-HTTP messages. Optionally, the access device deletes the rejection rule matching non-HTTP messages from the ACL configured on the interface connected to the terminal.
Further, if the controller receives a network access policy corresponding to the terminal, the controller issues the network access policy to the access device in the remote login manner. The access device then controls the access of the terminal to network resources according to the network access policy.
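The controller side of steps S201 and S212 (and equally S101 and S109 of the EAP scenario), as an added example that is not the patent's own code: the controller reads the terminal association data from the access device over a remote-login session, maps the authenticated terminal to its interface, and pushes the commands that open that interface and install the network access policy. The `Session` callable, the MAC-table output format in `SAMPLE_MAC_TABLE`, and the command strings sent to the device are constructed placeholders; a real controller wraps an SSH client and substitutes the access device's own CLI syntax.

```python
import re
from typing import Callable, Dict, List, Optional

# Hypothetical transport: send one CLI line, receive its text output. Tests supply a fake;
# a real controller would wrap an SSH (preferably) or Telnet client here (claim 3).
Session = Callable[[str], str]

# Accepts both xxxx-xxxx-xxxx (common in switch CLI output) and xx:xx:xx:xx:xx:xx forms.
MAC_TOKEN = re.compile(r"^(?:[0-9a-f]{4}-){2}[0-9a-f]{4}$|^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.I)

# Constructed sample of what the access device returns for its MAC table command.
SAMPLE_MAC_TABLE = """\
MAC Address    VLAN/VSI   Learned-From          Type
-------------------------------------------------------
0011-2233-4455 10         GigabitEthernet0/0/1  dynamic
66aa-bbcc-ddee 10         GigabitEthernet0/0/2  dynamic
-------------------------------------------------------
Total matching items on slot 0 displayed = 2
"""


def normalize_mac(mac: str) -> str:
    """Canonical lower-case xx:xx form so CLI output and the identifier carried in the
    authentication result compare equal regardless of vendor formatting."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(output: str) -> Dict[str, str]:
    """Turn MAC-table output into the terminal association data: {terminal MAC: interface}.
    Header, separator and summary lines are skipped because their first token is not a MAC."""
    assoc: Dict[str, str] = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 3 or not MAC_TOKEN.match(fields[0]):
            continue
        assoc[normalize_mac(fields[0])] = fields[2]
    return assoc


class Controller:
    def __init__(self, session: Session):
        self.session = session
        self.assoc: Dict[str, str] = {}

    def refresh_association(self) -> Dict[str, str]:
        """Step S201: fetch the association data. Claim 2 has the controller repeat this,
        because a terminal may move to another interface between refreshes."""
        self.assoc = parse_mac_table(self.session("display mac-address"))   # placeholder command
        return self.assoc

    def on_authentication_result(self, terminal_mac: str, passed: bool,
                                 policy: Optional[List[str]] = None) -> Optional[List[str]]:
        """Step S212. Returns the command lines sent to the access device, an empty list when
        authentication failed, or None when the terminal is not in the association data
        (in which case nothing is opened: the controller has no interface to act on)."""
        interface = self.assoc.get(normalize_mac(terminal_mac))
        if interface is None:
            return None
        if not passed:
            return []
        commands = [f"interface {interface}", "undo traffic-filter inbound"]   # placeholders
        commands += list(policy or [])      # network access policy lines, if any were received
        commands.append("quit")
        for cmd in commands:
            self.session(cmd)
        return commands
```

Claim 3 allows either Telnet or SSH for this session. Telnet carries the device's management credentials and every command in cleartext, so in practice the controller should use SSH with host-key verification; otherwise anyone on the management path can replay the "open interface" commands for an arbitrary port.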
S213, the authentication point device sends the authentication result to the portal server.
In one implementation, the authentication point device sends an HTTP request packet carrying an authentication result to the portal server, so that the portal server obtains the authentication result of the authentication server for the terminal.
S214, the portal server returns an authentication result page to the terminal.
For example, if the terminal passes the authentication, the portal server returns an authentication success page to the terminal; if the terminal fails to pass the authentication, the portal server returns an authentication failure page to the terminal, and optionally, the authentication failure page includes a reason of the authentication failure.
It should be noted that the captive portal authentication flow shown in fig. 5 only illustrates some relevant steps of the network access control method provided in the embodiment of the present application, so as to illustrate an application scenario related to the technical solution provided in the embodiment of the present application. In practical applications, the captive portal authentication process may also include other steps.
Based on the above technical scheme, since the protocols used for remote login are public protocols, the access device is likely to support them. In this way, when the campus network employs the captive portal authentication technique, the controller can acquire the terminal association data from the access device in a remote login manner, and after the terminal passes the authentication, the controller can instruct the access device, in the remote login manner, to open the interface connected to the terminal. That is, in a scenario where the authentication point and the control point are separated, the controller can directly control the access device without participation of the authentication point device.
Optionally, in order to improve the security of the campus network, on the basis of the scheme shown in fig. 5, as shown in fig. 6, after step S201, the network access control method provided in this embodiment of the present application may further include step S215; after step S202, the network access control method provided in the embodiment of the present application may further include step S216.
S215 is similar to step S110; for details, refer to the embodiment shown in fig. 4, which is not repeated here.
S216, the authentication point device detects whether the identifier of the terminal which sends the HTTP request message is stored in advance.
In one implementation, if the authentication point device has stored in advance the identifier of the terminal that sent the HTTP request packet, the authentication point device can determine that the terminal is connected to the access device, so the authentication point device continues the authentication process of the terminal, that is, executes step S203. If the authentication point device has not pre-stored the identifier of the terminal that sent the HTTP request packet, the authentication point device can determine that the terminal is not connected to the access device, so the authentication point device stops the authentication process of the terminal, that is, does not perform step S203.
Therefore, the authentication point device can block the authentication process of a terminal that is not connected to the access device, and thus forbid a terminal that is not connected to the access device from accessing the network resources of the campus network, thereby improving the security of the campus network.
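The pre-registration check of steps S110/S111 (EAP scenario) and S215/S216 (captive portal scenario), as an added example that is not the patent's own code: the controller wraps the terminal identifier in a NETCONF `edit-config` request, the authentication point stores the identifier on receipt, and every later authentication attempt is gated on whether the identifier is already stored. The NETCONF base namespace is the standard one; the `urn:example:campus-nac` namespace and the `registered-terminal`, `identifier` and `access-interface` elements are a hypothetical data model, since the page does not name a YANG module.

```python
import xml.etree.ElementTree as ET
from typing import Set

NETCONF_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
NAC_NS = "urn:example:campus-nac"   # hypothetical data model for this example
ET.register_namespace("nc", NETCONF_NS)
ET.register_namespace("nac", NAC_NS)


def nc(tag: str) -> str:
    return f"{{{NETCONF_NS}}}{tag}"


def nac(tag: str) -> str:
    return f"{{{NAC_NS}}}{tag}"


def normalize_id(terminal_id: str) -> str:
    """Identifiers are compared case-insensitively (MAC addresses are written both ways)."""
    return terminal_id.strip().lower()


def build_register_rpc(message_id: str, terminal_id: str, interface: str) -> bytes:
    """Step S110: the controller's NETCONF request carrying one terminal identifier,
    derived from the terminal association data (identifier plus the interface it sits on)."""
    rpc = ET.Element(nc("rpc"), {"message-id": message_id})
    edit = ET.SubElement(rpc, nc("edit-config"))
    ET.SubElement(ET.SubElement(edit, nc("target")), nc("running"))
    config = ET.SubElement(edit, nc("config"))
    term = ET.SubElement(config, nac("registered-terminal"))
    ET.SubElement(term, nac("identifier")).text = normalize_id(terminal_id)
    ET.SubElement(term, nac("access-interface")).text = interface
    return ET.tostring(rpc)


class AuthenticationPoint:
    """Constructed model of the authentication point's registration store and gate."""

    def __init__(self) -> None:
        self.registered: Set[str] = set()

    def handle_rpc(self, payload: bytes) -> bytes:
        """Store every identifier in a well-formed edit-config; answer with <ok/> or <rpc-error/>.
        A request that is not an edit-config, or carries no identifier, changes nothing."""
        root = ET.fromstring(payload)
        reply = ET.Element(nc("rpc-reply"), {"message-id": root.get("message-id", "")})
        ids = [e.text for e in root.iter(nac("identifier")) if e.text]
        if root.tag != nc("rpc") or root.find(nc("edit-config")) is None or not ids:
            err = ET.SubElement(reply, nc("rpc-error"))
            ET.SubElement(err, nc("error-tag")).text = "missing-element"
        else:
            for tid in ids:
                self.registered.add(normalize_id(tid))
            ET.SubElement(reply, nc("ok"))
        return ET.tostring(reply)

    def should_authenticate(self, terminal_id: str) -> bool:
        """Steps S111/S216: continue only for a terminal the controller has reported."""
        return normalize_id(terminal_id) in self.registered

    def on_authentication_request(self, terminal_id: str) -> str:
        """What the authentication point does with an incoming EAP exchange or HTTP request."""
        return "continue" if self.should_authenticate(terminal_id) else "stop"
```

The identifier the page works with is the terminal's MAC address, which an attacker can set freely. The gate therefore stops authentication attempts from terminals that are not behind a managed access-device interface, but it does not by itself prove that the terminal presenting a registered identifier is the one the controller saw; that binding comes from the authentication data checked in the following steps.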
To sum up, the embodiment of the present application discloses a network access control method, which includes: the method comprises the following steps that a controller acquires terminal associated data from an access device in a remote login mode, wherein the terminal associated data comprise: the corresponding relation between the terminal and the interface of the access equipment connected with the terminal; the controller acquires an authentication result of the authentication server to the terminal; and if the authentication result of the terminal is that the authentication is passed, the controller instructs the access equipment to open an interface connected with the terminal in a remote login mode.
The scheme provided by the embodiment of the application is introduced mainly from the perspective of the controller. It is understood that the controller includes hardware structures or software modules for performing the respective functions in order to realize the functions. Those of skill in the art would readily appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed as hardware or computer software drives hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
For example, in the case of dividing each functional module by each function, fig. 7 shows several schematic diagrams of a network access control device. As shown in fig. 7, the network access control apparatus includes: a telnet module 701 and an authentication processing module 702. The telnet module 701 is used to support the controller to perform steps S101 and S109 in fig. 3, steps S201 and S212 in fig. 5, and/or other processes for the techniques described herein. The authentication processing module 702 is used to support the controller to perform steps S107 or S108 in fig. 3, step S110 in fig. 4, step S210 or S211 in fig. 5, step S215 in fig. 6, and/or other processes for the techniques described herein.
All relevant contents of each step related to the above method embodiment may be referred to the functional description of the corresponding functional module, and are not described herein again. As an example, in conjunction with the controller shown in fig. 2, the telnet module 701 and the authentication processing module 702 in fig. 7 may be implemented by a communication interface of the controller in fig. 2, which is not limited in this embodiment of the present application.
The embodiment of the application also provides a computer readable storage medium, wherein the computer readable storage medium stores computer instructions; when the computer readable storage medium runs on the controller shown in fig. 2, the controller is caused to execute the network access control method shown in fig. 3 to fig. 6 in the embodiment of the present application. The computer readable storage medium may be any medium that can be accessed by a computer or a data storage device including one or more integrated media, servers, data centers, and the like. The medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., compact disk), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others. In addition, the computer instructions may be stored in a computer readable storage medium and transmitted from one computer readable storage medium to another computer readable storage medium, for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wire (e.g., coaxial cable, optical fiber, twisted pair) or wireless (e.g., infrared, wireless, microwave, etc.).
Embodiments of the present application further provide a computer program product containing computer instructions, which when run on a computer, enable the computer to execute the network access control method shown in fig. 3 to 6.
The controller, the computer storage medium, and the computer program product provided in the embodiments of the present application are all configured to execute the corresponding methods provided above, and therefore, the beneficial effects achieved by the controller, the computer storage medium, and the computer program product may refer to the beneficial effects in the corresponding methods provided above, and are not described herein again.
While the present application has been described in connection with various embodiments, other variations to the disclosed embodiments can be understood and effected by those skilled in the art in practicing the claimed application, from a review of the drawings, the disclosure, and the appended claims. A single processor or other unit may fulfill the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

Claims (12)

1. A method for network access control, the method comprising:
the method comprises the following steps that a controller acquires terminal associated data from an access device in a remote login mode, wherein the terminal associated data comprise: the corresponding relation between the terminal and the interface of the access equipment connected with the terminal;
the controller acquires an authentication result of the authentication server to the terminal;
and if the authentication result of the terminal is that the authentication is passed, the controller instructs the access equipment to open an interface connected with the terminal in a remote login mode.
2. The network access control method of claim 1, wherein the controller obtains the terminal association data from the access device in a telnet manner, comprising:
the controller repeatedly obtains the terminal association data from the access device in a telnet fashion.
3. The network access control method of claim 1 or 2, wherein the controller obtains the terminal association data from the access device in a telnet manner, and comprises:
the controller is connected with the access equipment through a Telnet protocol or a Secure Shell (SSH) protocol according to equipment data of the access equipment, wherein the equipment data comprises: a login mode, an address of the access device, an account and/or a password;
and the controller executes the script file and acquires the terminal associated data from the access equipment.
4. The network access control method according to any one of claims 1 to 2, wherein the method further comprises:
and the controller sends the identifier of the terminal to authentication point equipment based on the terminal association data.
5. The network access control method according to any one of claims 1 to 2, wherein the controller obtaining the authentication result of the authentication server to the terminal includes:
the controller acquires an authentication result of the terminal from authentication point equipment; or,
the controller acquires an authentication result of the terminal from the authentication server.
6. A network access control apparatus, comprising:
a telnet module, configured to obtain terminal-related data from an access device in a telnet manner, where the terminal-related data includes: the corresponding relation between the terminal and the interface of the access equipment connected with the terminal;
the authentication processing module is used for acquiring the authentication result of the authentication server to the terminal;
and the remote login module is also used for indicating the access equipment to open an interface connected with the terminal in a remote login mode when the authentication result of the terminal is that the terminal passes the authentication.
7. The network access control device of claim 6,
the remote login module is used for repeatedly acquiring the terminal association data from the access equipment in a remote login mode.
8. The network access control device of claim 6 or 7,
the remote login module is configured to connect the access device through a Telnet protocol or a secure shell SSH protocol according to device data of the access device, where the device data includes: a login mode, an address of the access device, an account and/or a password; and executing the script file, and acquiring the terminal associated data from the access equipment.
9. The network access control device of any of claims 6 to 7,
and the authentication processing module is also used for sending the identifier of the terminal to authentication point equipment based on the terminal association data.
10. The network access control device of any of claims 6 to 7,
the authentication processing module is used for acquiring an authentication result of the terminal from an authentication point device; or, obtaining the authentication result of the terminal from the authentication server.
11. A controller, comprising: a communications interface, a processor and a memory, the memory for storing computer-executable instructions, the processor executing the computer-executable instructions stored by the memory when the controller is running to cause the controller to perform the network access control method of any one of claims 1 to 5.
12. A computer-readable storage medium having stored therein instructions which, when run on a computer, cause the computer to perform the network access control method of any one of claims 1 to 5.
CN201810892727.3A 2018-08-07 2018-08-07 Network access control method and device Active CN110830415B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810892727.3A CN110830415B (en) 2018-08-07 2018-08-07 Network access control method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810892727.3A CN110830415B (en) 2018-08-07 2018-08-07 Network access control method and device

Publications (2)

Publication Number Publication Date
CN110830415A CN110830415A (en) 2020-02-21
CN110830415B true CN110830415B (en) 2021-02-12

Family

ID=69533925

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810892727.3A Active CN110830415B (en) 2018-08-07 2018-08-07 Network access control method and device

Country Status (1)

Country Link
CN (1) CN110830415B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104869123A (en) * 2015-06-03 2015-08-26 维融集团有限公司 Network access control method and server
CN106506439A (en) * 2015-11-30 2017-03-15 杭州华三通信技术有限公司 A kind of method and apparatus of certification accessing terminal to network
CN106936779A (en) * 2015-12-29 2017-07-07 北京网御星云信息技术有限公司 A kind of data connecting method, system and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160065575A1 (en) * 2013-04-28 2016-03-03 Zte Corporation Communication Managing Method and Communication System

Also Published As

Publication number Publication date
CN110830415A (en) 2020-02-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant