CN113098834A - Access control method, device, equipment and system - Google Patents

Info

Publication number: CN113098834A
Application number: CN202010018283.8A
Authority: CN (China)
Prior art keywords: local area network, terminal equipment, access point, virtual local area network
Legal status: granted, currently active (as listed by Google Patents)
Other languages: Chinese (zh)
Other versions: CN113098834B (en)
Inventor: 蒋志刚
Current assignee: Nail Holding Cayman Co ltd
Original assignee: Nail Holding Cayman Co ltd
Events: application filed by Nail Holding Cayman Co ltd; priority to CN202010018283.8A; publication of CN113098834A; application granted; publication of CN113098834B

Classifications

All under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls (under H04L 63/00)
    • H04L 12/4641: Virtual LANs, VLANs, e.g. virtual private networks [VPN] (under H04L 12/00, data switching networks; H04L 12/28, networks characterised by path configuration, e.g. LAN or WAN; H04L 12/46, interconnection of networks)
    • H04L 63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint (under H04L 63/08)
    • H04L 63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources (under H04L 63/00)

Abstract

The embodiment of the invention provides an access control method, device, equipment and system. The method comprises the following steps: the AP establishes a first corresponding relation between a user identifier and a first VLAN identifier according to a configuration instruction issued by a server; receives an access request sent by terminal equipment, where the access request comprises the user identifier and the MAC address of the terminal equipment; if the terminal equipment is determined to have connection authority according to the user identifier, establishes a communication connection with the terminal equipment; establishes a second corresponding relation between the MAC address and the first VLAN identifier according to the first corresponding relation; and performs access control on the network access request of the terminal equipment according to the second corresponding relation. The method is simple and convenient to implement.

Description

Access control method, device, equipment and system
Technical Field
The present invention relates to the field of internet technologies, and in particular, to a method, an apparatus, a device, and a system for access control.
Background
Network isolation is a common means of ensuring information security. One common network isolation technique is logical isolation. In logical isolation, network isolation may be achieved by defining a plurality of virtual local area networks (VLANs); for example, different VLANs may be configured to be isolated from each other, so that devices belonging to different VLANs cannot reach one another.
In some practical applications, such as in an enterprise, it may be necessary to have employees in different departments access different VLANs for the purpose of network isolation, so as to ensure information security. At present, a common implementation is to configure a wireless access point (AP) with a plurality of service set identifiers (SSIDs) and to map each SSID to a different VLAN, so that employees in different departments connect to different VLANs and network isolation is achieved; that is, employees in different departments can only access resources in the VLAN to which they belong. However, since the number of SSIDs an AP can support is limited, the number of VLANs that can be divided in this way is also limited.
Disclosure of Invention
The embodiment of the invention provides an access control method, device, equipment and system, which are used for achieving the purpose of network isolation.
In a first aspect, an embodiment of the present invention provides an access control method, which is applied to a wireless access point, where the method includes:
establishing a first corresponding relation between a user identifier and a first virtual local area network identifier according to a configuration instruction issued by a server;
receiving an access request sent by terminal equipment, wherein the access request comprises the user identification and the MAC address of the terminal equipment;
if the terminal equipment is determined to have the connection authority according to the user identification, establishing communication connection with the terminal equipment;
establishing a second corresponding relation between the MAC address and the first virtual local area network identification according to the first corresponding relation;
and performing access control on the network access request of the terminal equipment according to the second corresponding relation.
In a second aspect, an embodiment of the present invention provides an access control apparatus, which is applied to a wireless access point, and includes:
the first establishing module is used for establishing a first corresponding relation between the user identifier and the first virtual local area network identifier according to a configuration instruction issued by the server;
a receiving module, configured to receive an access request sent by a terminal device, where the access request includes the user identifier and a MAC address of the terminal device;
the connection module is used for establishing communication connection with the terminal equipment if the terminal equipment is determined to have the connection authority according to the user identification;
a second establishing module, configured to establish a second correspondence between the MAC address and the first virtual local area network identifier according to the first correspondence;
and the control module is used for carrying out access control on the network access request of the terminal equipment according to the second corresponding relation.
In a third aspect, an embodiment of the present invention provides a wireless access point, including a first processor and a first memory, where the first memory stores executable code thereon, and when the executable code is executed by the first processor, the first processor is caused to execute the access control method in the first aspect.
An embodiment of the present invention provides a non-transitory machine-readable storage medium having stored thereon executable code, which, when executed by a processor of a wireless access point, causes the processor to perform the access control method in the first aspect.
In a fourth aspect, an embodiment of the present invention provides an access control method, which is applied to a terminal device, and the method includes:
sending an access request to a wireless access point, where the access request includes a user identifier corresponding to the terminal device and a media access control (MAC) address of the terminal device, so that the wireless access point establishes a second correspondence between the MAC address and a virtual local area network identifier according to an established first correspondence between the user identifier and the virtual local area network identifier;
establishing communication connection with the wireless access point, wherein the wireless access point triggers the establishment of the communication connection when determining that the terminal equipment has the connection authority according to the user identification;
and sending a network access request to the wireless access point so that the wireless access point performs access control on the network access request according to the second corresponding relation.
In a fifth aspect, an embodiment of the present invention provides an access control apparatus, which is applied to a terminal device, and includes:
a sending module, configured to send an access request to a wireless access point, where the access request includes a user identifier corresponding to the terminal device and a MAC address of the terminal device, so that the wireless access point establishes a second correspondence between the MAC address and a virtual local area network identifier according to an established first correspondence between the user identifier and the virtual local area network identifier;
the connection module is used for establishing communication connection with the wireless access point, wherein the wireless access point triggers the establishment of the communication connection when determining that the terminal equipment has the connection authority according to the user identification;
the sending module is further configured to send a network access request to the wireless access point, so that the wireless access point performs access control on the network access request according to the second corresponding relationship.
In a sixth aspect, an embodiment of the present invention provides a terminal device, including a second processor and a second memory, where the second memory has stored thereon an executable code, and when the executable code is executed by the second processor, the second processor is caused to execute the access control method in the fourth aspect.
An embodiment of the present invention provides a non-transitory machine-readable storage medium, on which an executable code is stored, and when the executable code is executed by a processor of a terminal device, the processor is caused to execute the access control method in the fourth aspect.
In a seventh aspect, an embodiment of the present invention provides an access control system, including:
terminal equipment, a wireless access point and a server;
the server is used for sending a configuration instruction to the wireless access point, wherein the configuration instruction comprises a user identifier and a first virtual local area network identifier;
the terminal device is configured to send an access request to the wireless access point, where the access request includes the user identifier corresponding to the terminal device and a MAC address of the terminal device; to establish a communication connection with the wireless access point; and to send a network access request to the wireless access point;
the wireless access point is used for establishing a first corresponding relation between the user identifier and a first virtual local area network identifier according to the configuration instruction; if the terminal equipment is determined to have the connection authority according to the user identification in the access request, establishing communication connection with the terminal equipment; establishing a second corresponding relation between the MAC address and the first virtual local area network identification according to the first corresponding relation; and performing access control on the network access request according to the second corresponding relation.
In the embodiment of the present invention, for a certain user, a first corresponding relationship between a user identifier of the user and a first VLAN identifier may be configured in an AP, where the user identifier reflects who the user is, and the first corresponding relationship describes that the user belongs to a first VLAN. Based on this, when the user initiates an access request to the AP through the terminal device based on the user identifier of the user, the AP may establish a communication connection with the terminal device when determining that the terminal device has the connection right based on the user identifier, and may query the first corresponding relationship based on the user identifier to know which VLAN, the first VLAN, the user belongs to. In the process of establishing the communication connection, the AP may obtain a Media Access Control (MAC) address of the terminal device, so that the AP may establish a second correspondence between the MAC address of the terminal device and the first VLAN identifier according to the first correspondence, where the second correspondence indicates that the terminal device having the MAC address belongs to the first VLAN. Furthermore, the network access request of the terminal device may be access-controlled according to the second correspondence, for example, the terminal device belonging to the first VLAN is controlled not to allow access to objects belonging to other VLANs.
In this scheme, the correspondence between the user identifier (which the user's terminal device must present when connecting to the AP) and the VLAN to which the user belongs is configured in the background, so that when the user's terminal device connects to the AP, the AP can automatically establish the correspondence between the MAC address of the terminal device and the VLAN, using the user identifier as a bridge, and carry out network access control of the terminal device, that is, network isolation, on that basis. Therefore, even if a user replaces a terminal device, the terminal device currently in use can still be matched to the VLAN to which the user belongs, because the user identifier has not changed, and network access control of the user is achieved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic workflow diagram of an access control system according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a process of configuring a correspondence between a user and a VLAN according to an embodiment of the present invention;
fig. 3 is a schematic view of another work flow of the access control system according to the embodiment of the present invention;
fig. 4 is a schematic diagram of another process for configuring a correspondence between a user and a VLAN according to an embodiment of the present invention;
fig. 5 is a schematic diagram of an access control process provided in an embodiment of the present invention;
fig. 6 is a schematic structural diagram of an access control apparatus according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of a wireless access point corresponding to the access control device provided in the embodiment shown in fig. 6;
fig. 8 is a schematic structural diagram of another access control device according to an embodiment of the present invention;
fig. 9 is a schematic structural diagram of a terminal device corresponding to the access control apparatus provided in the embodiment shown in fig. 8.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the examples of the present invention and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise, and "a plurality" typically includes at least two.
The word "if", as used herein, may be interpreted as "when …" or "upon …" or "in response to determining" or "in response to detecting", depending on the context. Similarly, the phrases "if determined" or "if detected (a stated condition or event)" may be interpreted as "when determined" or "in response to determining" or "when detected (a stated condition or event)" or "in response to detecting (a stated condition or event)", depending on the context.
In addition, the sequence of steps in each method embodiment described below is only an example and is not strictly limited.
Fig. 1 is a schematic workflow diagram of an access control system according to an embodiment of the present invention. As shown in fig. 1, the access control system includes a terminal device, an AP and a server. When the access control scheme is implemented on this system, it may include the following steps:
101. The server sends a configuration instruction to the AP, where the configuration instruction includes the user identifier and the first VLAN identifier.
Taking an enterprise scenario as an example, the server may be an independent host or a host cluster located in the cloud or local.
Operation and maintenance personnel of the enterprise can perform configuration on the server, which triggers the configuration instruction to be issued to the AP. In general terms, the configuration performed on the server specifies which employees of the enterprise belong to which VLANs, where any one employee belongs to exactly one VLAN.
It can be understood that the operation and maintenance personnel can set up a plurality of VLANs according to actual needs, such as VLAN1, VLAN2 and VLAN3. To realise these VLANs it is also necessary to configure the relevant network devices accordingly, for example the Layer 2 and Layer 3 switches; switch configuration belongs to the prior art and is not described here.
The following describes, with reference to fig. 2, an exemplary process by which the operation and maintenance personnel configure the correspondence between employees and VLANs. As shown in fig. 2, the operation and maintenance personnel can configure three VLANs, VLAN1, VLAN2 and VLAN3, in the configuration interface; when they select VLAN1, an employee selection interface may pop up, in which the employees belonging to VLAN1 are selected. In particular, the employee selection interface may present all employee information within the enterprise together with the employees' organisational structure information, such as department information. Fig. 2 illustrates an employee selection interface containing department A, department B, employee x and employee y. Assuming that the operation and maintenance personnel select department A and employee x, this means that all employees contained in department A, plus employee x, belong to VLAN1.
It is understood that the server maintains the employee information contained in each department. Assuming that department A contains employee a1, employee a2, employee a3 and employee a4, the result is that employee a1, employee a2, employee a3, employee a4 and employee x belong to VLAN1.
It should be noted that, in the employee selection interface described above, the displayed employee information is usually profile information such as the employee's real name or nickname, for the convenience of the operation and maintenance personnel. Based on their configuration operation, the user identifier carried in the configuration instruction that the server finally sends to the AP may be unique identification information pre-assigned by the server to the corresponding employee, such as a user account consisting of a string of letters and digits, or an access password assigned to the employee for accessing the AP; since the access passwords assigned to different employees differ, the access password can also serve as the employee's unique identification information.
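As an added illustration of the server-side configuration just described (not code from the patent), the following Python resolves a selection made in the employee selection interface, such as "department A" plus "employee x", to the individual employees, refuses any selection that would place one employee in two VLANs, and emits the configuration instruction using the server-assigned unique user identifiers rather than display names. The organisation tree, the employee identifiers and the record layout of the instruction are constructed for the example.

```python
"""Server-side expansion of a VLAN selection into per-user configuration instructions.

Added illustration, not the patent's code: the organisation data, the user
identifiers and the instruction layout ({"user_id", "vlan_id"} records) are
constructed assumptions that mirror the example in the text.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed organisation data: display names are what the interface shows,
# user ids are the server-assigned unique identifiers actually sent to the AP.
DEPARTMENTS = {
    "department A": ["a1", "a2", "a3", "a4"],
    "department B": ["b1", "b2"],
}
EMPLOYEES = {
    "a1": "123456781", "a2": "123456782", "a3": "123456783", "a4": "123456784",
    "b1": "223456781", "b2": "223456782",
    "x": "123456789", "y": "987654321",
}


class VlanConflict(ValueError):
    """Raised when a selection would place one employee in two VLANs."""


@dataclass
class VlanConfigurator:
    # vlan_id -> set of employee display names selected for it
    membership: dict[str, set[str]] = field(default_factory=dict)

    def expand(self, selection: list[str]) -> set[str]:
        """Resolve a mix of department names and employee names to employees."""
        employees: set[str] = set()
        for item in selection:
            if item in DEPARTMENTS:
                employees.update(DEPARTMENTS[item])
            elif item in EMPLOYEES:
                employees.add(item)
            else:
                raise KeyError(f"unknown department or employee: {item}")
        return employees

    def assign(self, vlan_id: str, selection: list[str]) -> set[str]:
        """Record the selection for vlan_id; an employee may belong to one VLAN only."""
        chosen = self.expand(selection)
        for other_vlan, members in self.membership.items():
            clash = chosen & members
            if other_vlan != vlan_id and clash:
                raise VlanConflict(f"{sorted(clash)} already belong to {other_vlan}")
        self.membership.setdefault(vlan_id, set()).update(chosen)
        return chosen

    def config_instruction(self, vlan_id: str) -> list[dict[str, str]]:
        """Instruction sent to the AP: unique user ids, never display names."""
        return sorted(
            ({"user_id": EMPLOYEES[name], "vlan_id": vlan_id}
             for name in self.membership.get(vlan_id, set())),
            key=lambda rec: rec["user_id"],
        )


if __name__ == "__main__":
    cfg = VlanConfigurator()
    print(sorted(cfg.assign("VLAN1", ["department A", "x"])))
    print(cfg.config_instruction("VLAN1"))
```

The conflict check runs before anything is recorded, so a rejected selection leaves the existing membership untouched.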
102. The AP establishes a first correspondence between the user identifier and the first VLAN identifier according to the configuration instruction.
In this embodiment, it is assumed that what the operation and maintenance personnel are currently configuring is the set of employees belonging to the first VLAN, so the configuration instruction issued by the server contains the first VLAN identifier and the user identifiers of the employees belonging to the first VLAN.
After receiving a configuration instruction sent by the server that contains a user identifier and a first VLAN identifier, the AP establishes the first correspondence between the user identifier and the first VLAN identifier and stores it locally.
Continuing the above example, assuming that the first VLAN identifier is VLAN1 and that employee a1, employee a2, employee a3, employee a4 and employee x belong to VLAN1, the first correspondence comprises the correspondences between the user identifiers of these employees and VLAN1.
103. The terminal device sends an access request to the AP, where the access request includes the user identifier corresponding to the terminal device and the MAC address of the terminal device.
Assume that employee x initiates an access request to the AP. Optionally, in practical applications, the process may be as follows: employee x operates a mobile phone to search for the wireless networks present nearby, that is, to search for SSIDs; on finding the SSID corresponding to the AP, employee x selects it, at which point a connection interface may pop up prompting employee x to enter the user identifier assigned to them, assumed here to be 123456789. After employee x enters the user identifier, the access request is triggered and sent to the AP.
It should be noted that in the embodiment of the present invention, the AP has only one SSID.
104. If the AP determines, according to the user identifier in the access request, that the terminal device has connection authority, it establishes a communication connection with the terminal device.
The AP may query the locally stored first correspondences; if some first correspondence contains the user identifier carried in the access request, the terminal device is considered to have connection authority and a communication connection is established with it.
105. The AP establishes a second correspondence between the MAC address of the terminal device and the first VLAN identifier according to the first correspondence.
Because the access request sent by employee x's terminal device includes employee x's user identifier and the terminal device's MAC address, if the AP finds locally a first correspondence for that user identifier, it knows from that correspondence that employee x belongs to the first VLAN, namely VLAN1. The AP can therefore establish a correspondence between the MAC address of the terminal device and VLAN1, converting the first correspondence, which relates a "person" to a VLAN, into the second correspondence, which relates a "device" to a VLAN.
Through the above process, when the terminal device accesses the AP, the AP can identify the VLAN to which the terminal device belongs.
106. The terminal device sends a network access request to the AP.
107. The AP performs access control on the network access request according to the second correspondence.
In practical applications, the network access request sent by the terminal device may be directed at an access object in the VLAN to which the terminal device belongs, or at an access object in another VLAN. The purpose of the AP controlling the terminal device's network access request according to the correspondence between its MAC address and the first VLAN, namely VLAN1, is as follows: if the access object belongs to VLAN1, the network access request may be passed on to the access object normally; if the access object does not belong to VLAN1, the network access request is ultimately not passed on to the access object, which achieves network-isolating access control.
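The following Python, added here as an example and not the patent's own code, walks through steps 101 to 107 from the AP's side: the first correspondence (user identifier to VLAN) is filled from the configuration instruction, an access request is admitted only if its user identifier is present in that table, the second correspondence (MAC address to VLAN) is built at that moment, and a later network access request is forwarded only when the access object belongs to the same VLAN. The message layout, the sample MAC addresses and the table of access objects per VLAN are constructed assumptions; the user identifier 123456789 is the one used in the text.

```python
"""Access point side of the Fig. 1 flow (steps 101-107).

Added example, not the patent's code. Requests are plain dicts; the MAC
addresses and the access-object table are constructed for the illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class AccessPoint:
    # First correspondence: user identifier -> VLAN identifier (from the server).
    user_vlan: dict[str, str] = field(default_factory=dict)
    # Second correspondence: terminal MAC address -> VLAN identifier (built on connect).
    mac_vlan: dict[str, str] = field(default_factory=dict)

    # Steps 101/102: the server pushes a configuration instruction; the AP stores it.
    def apply_config(self, instruction: dict) -> None:
        for rec in instruction["entries"]:
            self.user_vlan[rec["user_id"]] = rec["vlan_id"]

    # Steps 103-105: the access request carries user id and MAC; admit only if the
    # user id is known, then bind the MAC to that user's VLAN.
    def handle_access_request(self, request: dict) -> bool:
        vlan = self.user_vlan.get(request["user_id"])
        if vlan is None:
            return False            # no connection authority: association refused
        self.mac_vlan[request["mac"].lower()] = vlan
        return True                 # communication connection established

    # Steps 106/107: the network access request is keyed by the sender's MAC and
    # is forwarded only when the access object lies in the same VLAN.
    def handle_network_access(self, request: dict, object_vlan: dict[str, str]) -> bool:
        src_vlan = self.mac_vlan.get(request["mac"].lower())
        if src_vlan is None:
            return False            # device never admitted: nothing is forwarded
        return object_vlan.get(request["dst"]) == src_vlan


# Constructed sample data for the walkthrough.
CONFIG = {"entries": [{"user_id": "123456789", "vlan_id": "VLAN1"},
                      {"user_id": "223456781", "vlan_id": "VLAN2"}]}
OBJECT_VLAN = {"10.1.0.10": "VLAN1", "10.2.0.10": "VLAN2"}


def walkthrough() -> dict[str, bool]:
    ap = AccessPoint()
    ap.apply_config(CONFIG)
    results = {}
    # employee x connects with the identifier assigned to them
    results["x_connects"] = ap.handle_access_request(
        {"user_id": "123456789", "mac": "AA:BB:CC:00:00:01"})
    # an unknown identifier is refused and leaves no MAC binding behind
    results["stranger_connects"] = ap.handle_access_request(
        {"user_id": "000000000", "mac": "AA:BB:CC:00:00:99"})
    # same-VLAN access object: passed; other-VLAN access object: dropped
    results["x_same_vlan"] = ap.handle_network_access(
        {"mac": "aa:bb:cc:00:00:01", "dst": "10.1.0.10"}, OBJECT_VLAN)
    results["x_other_vlan"] = ap.handle_network_access(
        {"mac": "aa:bb:cc:00:00:01", "dst": "10.2.0.10"}, OBJECT_VLAN)
    # a MAC that was never bound in step 105 is dropped regardless of destination
    results["unbound_mac"] = ap.handle_network_access(
        {"mac": "aa:bb:cc:00:00:99", "dst": "10.1.0.10"}, OBJECT_VLAN)
    return results


if __name__ == "__main__":
    for name, ok in walkthrough().items():
        print(f"{name:18} {'allowed' if ok else 'refused'}")
```

The MAC address is normalised to lower case on both paths so that a binding made from an upper-case association frame still matches later requests.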
In summary, in the above solution, the correspondence between the user identifier (which the user's terminal device must present when connecting to the AP) and the VLAN to which the user belongs is configured in the background, so that when the user's terminal device connects to the AP, the AP can automatically establish the correspondence between the MAC address of the terminal device and the VLAN, using the user identifier as a bridge, and perform network access control of the terminal device, that is, network isolation, on that basis. Therefore, even if a user changes terminal device, the user identifier does not change, so the terminal device currently in use can still be matched to the VLAN to which the user belongs; network access control of the user is achieved, and the method is simple and convenient to implement.
The embodiment shown in fig. 1 mainly introduces the core principle of the access control scheme provided herein, and in practical applications, a specific implementation of the access control scheme may refer to the embodiment shown in fig. 3.
Fig. 3 is another schematic workflow diagram of an access control system according to an embodiment of the present invention. As shown in fig. 3, the access control system includes a terminal device, a wireless access point, a server and a switch. The access control procedure may comprise the following steps:
301. The server sends a configuration instruction to the AP, where the configuration instruction includes the user identifier and the first VLAN identifier.
302. The AP establishes a first correspondence between the user identifier and the first VLAN identifier according to the configuration instruction.
303. The terminal device sends an access request to the AP, where the access request includes the user identifier corresponding to the terminal device and the MAC address of the terminal device.
304. If the AP determines, according to the user identifier in the access request, that the terminal device has connection authority, it establishes a communication connection with the terminal device.
305. The AP establishes a second correspondence between the MAC address of the terminal device and the first VLAN identifier according to the first correspondence.
The execution process of the above steps can refer to the description in the foregoing embodiments, and is not described herein again.
306. The terminal device sends an IP address acquisition request to the AP.
After the terminal device has established a communication connection with the AP, it may automatically send the IP address acquisition request to the AP in order to obtain the IP address needed for subsequent network access.
In practical application, the terminal device may send the IP address acquisition request to the AP based on a Dynamic Host Configuration Protocol (DHCP).
307. The AP associates the first VLAN identifier with the IP address acquisition request according to the second correspondence.
It can be understood that the IP address acquisition request carries the MAC address of the terminal device, so the AP looks up that MAC address to obtain the first VLAN identifier corresponding to the terminal device and associates the first VLAN identifier with the IP address acquisition request.
Associating the first VLAN identifier with the IP address acquisition request may consist of adding the first VLAN identifier to the header of the packet corresponding to the IP address acquisition request.
308. The AP sends the IP address acquisition request, associated with the first VLAN identifier, to the switch.
309. The switch allocates a target IP address to the terminal device according to the first VLAN identifier.
The switch here is a Layer 3 switch, which may also be referred to as a router.
When allocating IP addresses to terminal devices, the switch distinguishes the VLANs to which different terminal devices belong; that is, the IP addresses the switch allocates to different VLANs have different characteristics, for example the value ranges of certain fields of the IP address differ between VLANs.
310. The switch feeds back the target IP address to the AP.
311. The AP sends the target IP address to the terminal device.
312. The terminal device sends a network access request to the AP using the target IP address, where the network access request includes the MAC address of the terminal device and the IP address of the access object.
313. The AP associates the first VLAN identifier with the network access request according to the second correspondence.
It can be understood that the network access request carries the MAC address of the terminal device, so the AP looks up the first VLAN identifier corresponding to that MAC address and associates the first VLAN identifier with the network access request.
314. The AP sends a network access request associated with the first VLAN identification to the switch.
315. The switch determines a second VLAN identification corresponding to the access object according to the IP address of the access object, and determines whether the terminal equipment has the authority of accessing the access object according to the difference between the first VLAN identification and the second VLAN identification.
As described above, the assigned IP addresses of different VLANs have different characteristics, and therefore, the switch can know the VLAN to which the access object belongs according to the IP address of the access object. In practical applications, the access object may be a device such as a server.
In fact, if the switch finds that the first VLAN id corresponding to the terminal device is the same as the second VLAN id corresponding to the access object, it indicates that the terminal device accesses the object in the VLAN to which the switch belongs. On the contrary, if the first VLAN id corresponding to the terminal device is different from the second VLAN id corresponding to the access object, the switch will reject the network access request sent by the terminal device at this time because the purpose of setting different VLANs is to perform network isolation and not allow devices in different VLANs to access each other. And when the terminal equipment still does not receive the normal response of the access object within the set time, the terminal equipment determines that the access fails.
In some practical application scenarios, such as in an enterprise scenario, the enterprise may deploy its own communication network, such as instant messaging communication between employees via some instant messaging application. At this time, the access control scheme provided by the embodiment of the present invention may also be deployed and implemented in the scenario.
In this case the aforementioned server is a server supporting the instant messaging application, the instant messaging application also runs on the terminal device (the terminal-side instant messaging application is generally called an instant messaging client), and a Software Development Kit (SDK) supporting the instant messaging application is installed on the AP; based on the SDK, the AP can interact with the server and the terminal device through the instant messaging application.
In this scenario, the user identifier mentioned above is a user account registered in the instant messaging application, or an access password allocated to the user account (i.e., the password each user uses to access the AP). The user account and the access password are in one-to-one correspondence, i.e., the access password allocated to each user is different.
For convenience of description, a server providing some instant messaging application will be referred to as an instant messaging server, the instant messaging application running on the terminal device side will be referred to as an instant messaging APP, and the AP installed with the above-described SDK will be referred to as an instant messaging AP.
How the operation and maintenance personnel configure the correspondence between users (i.e., employees of the enterprise) and VLANs into the instant messaging AP is described below with reference to fig. 4.
As shown in fig. 4, the configuration process may be as follows. First, in their instant messaging APP, the operation and maintenance personnel select a configured VLAN identifier, assumed to be VLAN1, and then select from the enterprise address book the department and employees that belong to VLAN1, assumed to be department a. After the operation and maintenance personnel click the 'confirm' button, the instant messaging APP sends this configuration result to the instant messaging server. The instant messaging server queries and obtains all employees in department a, assumed to be employee x and employee y. The instant messaging server then looks up the access passwords allocated to employee x and employee y; assume employee x has been allocated KEY1 and employee y has been allocated KEY2. KEY1 and KEY2 are access passwords for accessing the instant messaging AP. The instant messaging server then issues a configuration command containing KEY1, KEY2 and VLAN1 to the instant messaging AP, which stores the correspondence between KEY1 and VLAN1 and the correspondence between KEY2 and VLAN1.
Based on the configuration result of the embodiment shown in fig. 4, the network access process of employee x is briefly illustrated below with reference to fig. 5.
As shown in fig. 5, in step 501, employee x enters KEY1 in the instant messaging APP on the terminal device to connect to the instant messaging AP. In step 502, the instant messaging AP learns from KEY1 that employee x belongs to VLAN1 and establishes a correspondence between the MAC address of the terminal device and VLAN1. In step 503, the terminal device sends a network access request to the instant messaging AP to access a server belonging to VLAN2. In step 504, the instant messaging AP determines from the MAC address of the terminal device that it belongs to VLAN1 and sends the network access request associated with VLAN1 to the switch. In step 505, the switch finds that the requested server belongs to VLAN2 and rejects the network access request.
For the parts of the process not illustrated in detail in fig. 5, refer to the description of the embodiment shown in fig. 3; they are not repeated here.
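The flow of steps 306 to 315 and the fig. 4 / fig. 5 walk-through, as an added simulation written for this page (not the patent's code): the AP keeps the two correspondence tables (access password to VLAN, MAC to VLAN), the layer-3 switch allocates addresses per VLAN and derives any address's VLAN from its subnet. The VLAN subnets, KEY values, MAC addresses and server addresses are constructed; the source-IP consistency check in `check_access` is an added defensive step the patent text does not describe.

```python
import ipaddress

# Constructed VLAN-to-subnet plan for the layer-3 switch (assumption: one subnet
# per VLAN, so that an address reveals its VLAN as steps 309 and 315 require).
VLAN_SUBNETS = {
    "VLAN1": ipaddress.ip_network("10.0.1.0/24"),
    "VLAN2": ipaddress.ip_network("10.0.2.0/24"),
}


class Switch:
    """Layer-3 switch: allocates addresses per VLAN and isolates VLANs."""

    def __init__(self, vlan_subnets):
        self.vlan_subnets = vlan_subnets
        self._next_host = {vlan: 10 for vlan in vlan_subnets}  # skip low hosts

    def allocate_ip(self, vlan_id):
        """Step 309: the address comes from the subnet of the tagged VLAN."""
        net = self.vlan_subnets[vlan_id]
        host = self._next_host[vlan_id]
        self._next_host[vlan_id] += 1
        return str(net.network_address + host)

    def vlan_of(self, ip):
        """Step 315: derive the VLAN of an address from the subnet it lies in."""
        addr = ipaddress.ip_address(ip)
        for vlan_id, net in self.vlan_subnets.items():
            if addr in net:
                return vlan_id
        return None

    def check_access(self, first_vlan, source_ip, target_ip):
        """Step 315: permit only when the terminal's VLAN equals the object's.
        Added defensive check (not in the patent text): a source address that
        does not belong to the tagged VLAN is rejected as well."""
        if self.vlan_of(source_ip) != first_vlan:
            return False
        second_vlan = self.vlan_of(target_ip)
        return second_vlan is not None and first_vlan == second_vlan


class AccessPoint:
    """Instant messaging AP holding the two correspondence tables."""

    def __init__(self, switch):
        self.switch = switch
        self.key_to_vlan = {}  # first correspondence: access password -> VLAN
        self.mac_to_vlan = {}  # second correspondence: MAC -> VLAN

    def apply_config(self, command):
        """Fig. 4: configuration command {KEY: VLAN} issued by the server."""
        self.key_to_vlan.update(command)

    def connect(self, key, mac):
        """Fig. 5 steps 501-502: admit only a known access password and bind
        the terminal's MAC address to the VLAN of that password."""
        vlan = self.key_to_vlan.get(key)
        if vlan is None:
            return False
        self.mac_to_vlan[mac] = vlan
        return True

    def _tag(self, mac):
        vlan = self.mac_to_vlan.get(mac)
        if vlan is None:
            raise PermissionError("no communication connection for " + mac)
        return vlan

    def dhcp_request(self, mac):
        """Steps 306-311: tag the DHCP request with the first VLAN identifier,
        hand it to the switch and relay the target IP back to the terminal."""
        return self.switch.allocate_ip(self._tag(mac))

    def network_access(self, mac, source_ip, target_ip):
        """Steps 312-315: tag the request with the first VLAN identifier and
        let the switch decide."""
        return self.switch.check_access(self._tag(mac), source_ip, target_ip)


def run_fig5():
    """Replay the fig. 4 configuration and the fig. 5 access attempt.
    KEY1/KEY2, MAC addresses and server addresses are constructed values."""
    switch = Switch(VLAN_SUBNETS)
    ap = AccessPoint(switch)
    ap.apply_config({"KEY1": "VLAN1", "KEY2": "VLAN1"})  # department a -> VLAN1

    mac_x = "aa:bb:cc:00:00:01"
    results = {"connected": ap.connect("KEY1", mac_x)}
    ip_x = ap.dhcp_request(mac_x)
    results["ip_x"] = ip_x
    results["ip_in_vlan1"] = switch.vlan_of(ip_x) == "VLAN1"
    # Steps 503-505: a server in VLAN2 is rejected; a VLAN1 server is permitted.
    results["to_vlan2"] = ap.network_access(mac_x, ip_x, "10.0.2.50")
    results["to_vlan1"] = ap.network_access(mac_x, ip_x, "10.0.1.50")
    # An unknown access password never obtains a communication connection.
    results["bad_key"] = ap.connect("KEY9", "aa:bb:cc:00:00:09")
    return results


if __name__ == "__main__":
    print(run_fig5())
```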
An access control device of one or more embodiments of the present invention will be described in detail below. Those skilled in the art will appreciate that these access control devices can each be configured using commercially available hardware components through the steps taught in this scheme.
Fig. 6 is a schematic structural diagram of an access control apparatus according to an embodiment of the present invention, located in a wireless access point. As shown in fig. 6, the apparatus comprises a first establishing module 11, a receiving module 12, a connection module 13, a second establishing module 14 and a control module 15.
The first establishing module 11 is configured to establish a first correspondence between a user identifier and a first virtual local area network identifier according to a configuration instruction issued by a server.
The receiving module 12 is configured to receive an access request sent by a terminal device, where the access request includes the user identifier and the MAC address of the terminal device.
The connection module 13 is configured to establish a communication connection with the terminal device if it determines, according to the user identifier, that the terminal device has the connection right.
The second establishing module 14 is configured to establish a second correspondence between the MAC address and the first virtual local area network identifier according to the first correspondence.
The control module 15 is configured to perform access control on the network access request of the terminal device according to the second correspondence.
Optionally, the server is a server supporting an instant messaging application, and the configuration instruction is issued through the instant messaging application. The user identification is a user account registered in the instant messaging application program or an access password distributed to the user account, the access password is used for accessing the wireless access point, and the user account corresponds to the access password one by one.
Optionally, the user identifier is an access password assigned to the user account, and the connection module 13 is specifically configured to: and if the access password is determined to be correct, establishing communication connection with the terminal equipment.
Optionally, the control module 15 is specifically configured to: receiving a network access request sent by the terminal equipment, wherein the network access request comprises the MAC address and an IP address of an access object; associating the first virtual local area network identifier with the network access request according to the second corresponding relation; and sending the network access request associated with the first virtual local area network identifier to a switch, so that the switch determines a second virtual local area network identifier corresponding to the access object according to the IP address and determines whether the terminal equipment has the authority of accessing the access object according to the difference between the first virtual local area network identifier and the second virtual local area network identifier.
Optionally, the apparatus further comprises: an IP address obtaining module, configured to respond to an IP address obtaining request sent by the terminal device, and associate the first virtual local area network identifier with the IP address obtaining request according to the second correspondence; sending the IP address acquisition request associated with the first virtual local area network identifier to a switch so that the switch allocates a target IP address to the terminal equipment according to the first virtual local area network identifier; and feeding back the target IP address allocated by the switch to the terminal equipment so that the terminal equipment triggers the network access request by using the target IP address.
The apparatus shown in fig. 6 may perform the steps performed by the wireless Access Point (AP) in the foregoing embodiments, and reference may be made to related descriptions of the foregoing embodiments for parts not described in detail in this embodiment, which are not described herein again.
In one possible design, the structure of the access control device shown in fig. 6 described above may be implemented as a wireless access point. As shown in fig. 7, the wireless access point may include: a first processor 21, a first memory 22. Wherein the first memory 22 has stored thereon executable code which, when executed by the first processor 21, causes at least the first processor 21 to carry out the steps performed by the wireless access point in the previous embodiments.
The wireless access point may further include a first communication interface 23 for communicating with other devices or a communication network.
Additionally, embodiments of the present invention provide a non-transitory machine-readable storage medium having stored thereon executable code, which, when executed by a processor of a wireless access point, causes the processor to perform the steps performed by the wireless access point in the foregoing embodiments.
Fig. 8 is a schematic structural diagram of another access control apparatus according to an embodiment of the present invention, located in a terminal device. As shown in fig. 8, the apparatus comprises a sending module 31 and a connection module 32.
A sending module 31, configured to send an access request to a wireless access point, where the access request includes a user identifier corresponding to the terminal device and an MAC address of the terminal device, so that the wireless access point establishes a second correspondence between the MAC address and a virtual local area network identifier according to an established first correspondence between the user identifier and the virtual local area network identifier.
A connection module 32, configured to establish a communication connection with the wireless access point, where the wireless access point triggers the establishment of the communication connection when determining that the terminal device has a connection right according to the user identifier.
The sending module 31 is further configured to send a network access request to the wireless access point, so that the wireless access point performs access control on the network access request according to the second corresponding relationship.
Optionally, the sending module 31 is specifically configured to: and sending an access request to the wireless access point through an instant messaging application program running in the terminal equipment. At this time, the user identifier is a user account registered in the instant messaging application program or an access password allocated to the user account, the access password is used for accessing the wireless access point, and the user account corresponds to the access password one by one.
Optionally, the apparatus further comprises a receiving module.
In this case, the sending module 31 is configured to send an IP address acquisition request to the wireless access point, so that the wireless access point associates the virtual local area network identifier with the IP address acquisition request according to the second correspondence and sends the IP address acquisition request associated with the virtual local area network identifier to a switch. The receiving module is configured to receive a target IP address fed back by the wireless access point, where the target IP address is allocated to the terminal device by the switch according to the first virtual local area network identifier. The sending module 31 is further configured to send a network access request to the wireless access point using the target IP address.
The apparatus shown in fig. 8 may perform the steps performed by the terminal device in the foregoing embodiments, and details of the parts not described in this embodiment may refer to the related descriptions of the foregoing embodiments, which are not described herein again.
In one possible design, the structure of the access control apparatus shown in fig. 8 described above may be implemented as a terminal device. As shown in fig. 9, the terminal device may include: a second processor 41, a second memory 42. Wherein the second memory 42 has stored thereon executable code, which, when executed by the second processor 41, causes at least the second processor 41 to carry out the steps performed by the terminal device in the previous embodiment.
The terminal device may further include a second communication interface 43 for communicating with other devices or a communication network.
In addition, an embodiment of the present invention provides a non-transitory machine-readable storage medium, on which executable code is stored, and when the executable code is executed by a processor of a terminal device, the processor is caused to execute the steps executed by the terminal device in the foregoing embodiments.
The above-described apparatus embodiments are merely illustrative, wherein the units described as separate components may or may not be physically separate. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by adding a necessary general hardware platform, and of course, can also be implemented by a combination of hardware and software. With this understanding in mind, the above-described aspects and portions of the present technology which contribute substantially or in part to the prior art may be embodied in the form of a computer program product, which may be embodied on one or more computer-usable storage media having computer-usable program code embodied therein, including without limitation disk storage, CD-ROM, optical storage, and the like.
The access control method provided in the embodiments of the present invention may be executed by one or more programs/software, which may be provided by the network side. The terminal device and the AP mentioned in the foregoing embodiments may download the required programs/software into a local nonvolatile storage medium; when the access control method needs to be executed, the CPU reads the programs/software into memory and executes them to implement the access control method provided in the foregoing embodiments. The execution process may refer to the schematic diagrams in fig. 1 to 5.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (18)

1. An access control method applied to a wireless access point, the method comprising:
establishing a first corresponding relation between a user identifier and a first virtual local area network identifier according to a configuration instruction issued by a server;
receiving an access request sent by terminal equipment, wherein the access request comprises the user identification and the MAC address of the terminal equipment;
if the terminal equipment is determined to have the connection authority according to the user identification, establishing communication connection with the terminal equipment;
establishing a second corresponding relation between the MAC address and the first virtual local area network identification according to the first corresponding relation;
and performing access control on the network access request of the terminal equipment according to the second corresponding relation.
2. The method of claim 1, wherein the server is a server supporting an instant messaging application, and the configuration instruction is issued by the instant messaging application;
the user identification is a user account registered in the instant messaging application program or an access password distributed to the user account, the access password is used for accessing the wireless access point, and the user account corresponds to the access password one by one.
3. The method according to claim 2, wherein the user identifier is an access password assigned to the user account, and the establishing of the communication connection with the terminal device if the terminal device is determined to have the connection right according to the user identifier comprises:
and if the access password is determined to be correct, establishing communication connection with the terminal equipment.
4. The method of claim 1, wherein the performing access control on the network access request of the terminal device according to the second correspondence comprises:
receiving a network access request sent by the terminal equipment, wherein the network access request comprises the MAC address and an IP address of an access object;
associating the first virtual local area network identifier with the network access request according to the second corresponding relation;
and sending the network access request associated with the first virtual local area network identifier to a switch, so that the switch determines a second virtual local area network identifier corresponding to the access object according to the IP address and determines whether the terminal equipment has the authority of accessing the access object according to the difference between the first virtual local area network identifier and the second virtual local area network identifier.
5. The method according to any one of claims 1 to 4, further comprising:
responding to an IP address acquisition request sent by the terminal equipment, and associating the first virtual local area network identifier with the IP address acquisition request according to the second corresponding relation;
sending the IP address acquisition request associated with the first virtual local area network identifier to a switch so that the switch allocates a target IP address to the terminal equipment according to the first virtual local area network identifier;
and feeding back the target IP address allocated by the switch to the terminal equipment so that the terminal equipment triggers the network access request by using the target IP address.
6. An access control method, applied to a terminal device, the method comprising:
sending an access request to a wireless access point, wherein the access request comprises a user identifier corresponding to the terminal equipment and an MAC (media access control) address of the terminal equipment, so that the wireless access point establishes a second corresponding relation between the MAC address and a virtual local area network identifier according to the established first corresponding relation between the user identifier and the virtual local area network identifier;
establishing communication connection with the wireless access point, wherein the wireless access point triggers the establishment of the communication connection when determining that the terminal equipment has the connection authority according to the user identification;
and sending a network access request to the wireless access point so that the wireless access point performs access control on the network access request according to the second corresponding relation.
7. The method of claim 6, wherein sending an access request to a wireless access point comprises:
sending an access request to a wireless access point through an instant messaging application program running in the terminal equipment;
the user identification is a user account registered in the instant messaging application program or an access password distributed to the user account, the access password is used for accessing the wireless access point, and the user account corresponds to the access password one by one.
8. The method of claim 6, wherein sending the network access request to the wireless access point comprises:
sending an IP address acquisition request to the wireless access point so that the wireless access point associates the virtual local area network identifier with the IP address acquisition request according to the second corresponding relationship, and sending the IP address acquisition request associated with the virtual local area network identifier to a switch;
receiving a target IP address fed back by the wireless access point, wherein the target IP address is allocated to the terminal equipment by the switch according to the first virtual local area network identifier;
sending a network access request to the wireless access point using the target IP address.
9. An access control apparatus, applied to a wireless access point, the apparatus comprising:
the first establishing module is used for establishing a first corresponding relation between the user identifier and the first virtual local area network identifier according to a configuration instruction issued by the server;
a receiving module, configured to receive an access request sent by a terminal device, where the access request includes the user identifier and an MAC address of the terminal device;
the connection module is used for establishing communication connection with the terminal equipment if the terminal equipment is determined to have the connection authority according to the user identification;
a second establishing module, configured to establish a second correspondence between the MAC address and the first vlan id according to the first correspondence;
and the control module is used for carrying out access control on the network access request of the terminal equipment according to the second corresponding relation.
10. The apparatus of claim 9, wherein the control module is specifically configured to: receiving a network access request sent by the terminal equipment, wherein the network access request comprises the MAC address and an IP address of an access object; associating the first virtual local area network identifier with the network access request according to the second corresponding relation; and sending the network access request associated with the first virtual local area network identifier to a switch, so that the switch determines a second virtual local area network identifier corresponding to the access object according to the IP address and determines whether the terminal equipment has the authority of accessing the access object according to the difference between the first virtual local area network identifier and the second virtual local area network identifier.
11. A wireless access point, comprising: a memory, a processor; wherein the memory has stored thereon executable code which, when executed by the processor, causes the processor to perform the access control method of any one of claims 1 to 5.
12. An access control apparatus, applied to a terminal device, the apparatus comprising:
a sending module, configured to send an access request to a wireless access point, where the access request includes a user identifier corresponding to the terminal device and an MAC address of the terminal device, so that the wireless access point establishes a second correspondence between the MAC address and a virtual local area network identifier according to an established first correspondence between the user identifier and the virtual local area network identifier;
the connection module is used for establishing communication connection with the wireless access point, wherein the wireless access point triggers the establishment of the communication connection when determining that the terminal equipment has the connection authority according to the user identification;
the sending module is further configured to send a network access request to the wireless access point, so that the wireless access point performs access control on the network access request according to the second corresponding relationship.
13. A terminal device, comprising: a memory, a processor; wherein the memory has stored thereon executable code which, when executed by the processor, causes the processor to perform the access control method of any one of claims 6 to 8.
14. An access control system, comprising:
terminal equipment, a wireless access point and a server;
the server is used for sending a configuration instruction to the wireless access point, wherein the configuration instruction comprises a user identifier and a first virtual local area network identifier;
the terminal device is configured to send an access request to a wireless access point, where the access request includes the user identifier corresponding to the terminal device and an MAC address of the terminal device; establishing a communication connection with the wireless access point; sending a network access request to the wireless access point;
the wireless access point is used for establishing a first corresponding relation between the user identifier and a first virtual local area network identifier according to the configuration instruction; if the terminal equipment is determined to have the connection authority according to the user identification in the access request, establishing communication connection with the terminal equipment; establishing a second corresponding relation between the MAC address and the first virtual local area network identification according to the first corresponding relation; and performing access control on the network access request according to the second corresponding relation.
15. The system of claim 14, wherein the server is a server supporting an instant messaging application, and the configuration command is issued through the instant messaging application;
and the terminal equipment sends the access request to the wireless access point through an instant messaging application program operated in the terminal equipment.
16. The system according to claim 15, wherein the user identifier is a user account registered in the instant messaging application or an access password assigned to the user account, the access password is used for accessing the wireless access point, and the user account and the access password are in one-to-one correspondence.
17. The system of claim 14, further comprising:
a switch;
the network access request comprises the MAC address and an IP address of an access object;
in the process of performing access control on the network access request according to the second correspondence, the wireless access point is specifically configured to: associating the first virtual local area network identifier with the network access request according to the second corresponding relation, and sending the network access request associated with the first virtual local area network identifier to the switch;
the switch is used for determining a second virtual local area network identifier corresponding to the access object according to the IP address and determining whether the terminal equipment has the authority of accessing the access object according to the difference between the first virtual local area network identifier and the second virtual local area network identifier.
18. The system of claim 17, further comprising:
the terminal device is further configured to send an IP address acquisition request to the wireless access point, receive a target IP address fed back by the wireless access point, and send the network access request to the wireless access point by using the target IP address;
the wireless access point is further configured to associate the first virtual local area network identifier with the IP address acquisition request according to the second correspondence, and send the IP address acquisition request associated with the first virtual local area network identifier to the switch;
the switch is further configured to allocate the target IP address to the terminal device according to the first virtual local area network identifier, and feed back the target IP address to the wireless access point.
CN202010018283.8A 2020-01-08 2020-01-08 Access control method, device, equipment and system Active CN113098834B (en)
Publications (2)

Publication Number Publication Date
CN113098834A true CN113098834A (en) 2021-07-09
CN113098834B CN113098834B (en) 2023-04-07

Family

ID=76663298

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010018283.8A Active CN113098834B (en) 2020-01-08 2020-01-08 Access control method, device, equipment and system

Country Status (1)

Country Link
CN (1) CN113098834B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1416239A (en) * 2001-10-31 2003-05-07 华为技术有限公司 Method for switching in virtual local area network of the access network with mixed optical fiber and coaxial line
US20100293250A1 (en) * 2009-05-14 2010-11-18 Avaya Inc. Method to allow seamless connectivity for wireless devices in dhcp snooping/dynamic arp inspection/ip source guard enabled unified network
CN102594818A (en) * 2012-02-15 2012-07-18 北京星网锐捷网络技术有限公司 Network access permission control method, device and related equipment
CN106412996A (en) * 2016-09-30 2017-02-15 杭州迪普科技有限公司 Message forwarding method and device
CN106878483A (en) * 2017-01-24 2017-06-20 新华三技术有限公司 IP address allocation method and device
CN109041086A (en) * 2018-09-28 2018-12-18 新华三技术有限公司 OpenFlow instance configuration method and device
CN110460684A (en) * 2019-07-10 2019-11-15 锐捷网络股份有限公司 Broadcast domain partitioning method and device for the same VXLAN network segment

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114531279A (en) * 2022-01-25 2022-05-24 中国联合网络通信集团有限公司 Private network access method, server and storage medium
CN114531279B (en) * 2022-01-25 2023-12-22 中国联合网络通信集团有限公司 Private network access method, server and storage medium

Also Published As

Publication number Publication date
CN113098834B (en) 2023-04-07

Similar Documents

Publication Publication Date Title
US11381559B2 (en) Batch registration and configuration of devices
CN103580980B (en) Method and device for automatic discovery and automatic configuration of a virtual network
EP2840743B1 (en) Method and system for realizing virtual network
JP4081472B2 (en) Cluster management method and apparatus for network device
CN107666419B (en) Virtual broadband access method, controller and system
EP0972381A1 (en) User-based binding of network stations to broadcast domains
US10892965B2 (en) Data network management
CN114070723B (en) Virtual network configuration method and system of bare metal server and intelligent network card
CN106878480B (en) DHCP service process sharing method and device
WO2017114363A1 (en) Packet processing method, bng and bng cluster system
CN112769965B (en) IP address management and distribution method, device and system
CN111865621A (en) Method and device for accessing gateway
US20210321253A1 (en) Virtual tenant for multiple dwelling unit
CN113098834B (en) Access control method, device, equipment and system
CN107343058B (en) IP address distribution system and working method thereof
US8289969B2 (en) Network edge switch configuration based on connection profile
EP3836487A1 (en) Internet access behavior management system, device and method
JP5937563B2 (en) Communication base station and control method thereof
CN111385324A (en) Data communication method, device, equipment and storage medium
WO2014084716A2 (en) A method for creating virtual links in a wireless mesh network
CN110809033B (en) Message forwarding method and device and switching server
CN113094719A (en) Access control method, device and equipment
US11863349B2 (en) Methods and systems for network segmentation
US20240098022A1 (en) Method and apparatus for providing multi virtual local area network service supporting device to device communication
CN114244695B (en) Terminal online configuration method and device of isolated network and network management system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant