WO2012109854A1 - Access permission control method and device - Google Patents

Access permission control method and device

Info

Publication number: WO2012109854A1
Application number: PCT/CN2011/077781
Authority: WO (WIPO, PCT)
Prior art keywords: address, terminal, access, request, segment
Other languages: English (en), Chinese (zh)
Inventor: 唐鹏合
Original assignee: 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Application filed by 华为技术有限公司
Priority to CN201180001196.0A (granted as CN102318314B)
Priority to PCT/CN2011/077781 (published as WO2012109854A1)
Publication of WO2012109854A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Definitions

  • The embodiments of the present invention relate to the field of information technology, and in particular to an access authority control method and device. Background
  • Network Admission Control (NAC) is an "end-to-end" security architecture.
  • The terminal interacts with a network access device (NAD), such as a switch or router, through EAPoUDP; messages can also be carried over EAP over 802.1X, which supports port-based authentication.
  • The terminal accesses the network through the NAD, and the authentication/authorization server (which may be a Remote Authentication Dial In User Service (RADIUS) server or a Terminal Access Controller Access-Control System (TACACS) server) sends the access control list (ACL) of each terminal to the NAD.
  • After receiving an access request sent by a terminal, the NAD looks up that terminal's ACL to decide whether to accept or reject the request.
  • The NAD therefore has to store the ACL of every terminal, and the authentication/authorization server has to re-issue or update a terminal's ACL on the NAD whenever the terminal comes online, goes offline, or changes state. The NAD may run out of resources for storing ACLs, at which point it can no longer control terminal access. Summary of the invention
  • The embodiments of the present invention provide a method and a device for controlling access rights, to solve the prior-art problem that the NAD lacks resources to store ACLs and therefore cannot control terminal access.
  • An embodiment of the present invention provides a method for controlling access rights, including:
  • receiving a first access request sent by a terminal, where the access request carries a first source Internet Protocol (IP) address and a first destination IP address, the first source IP address is the IP address of the terminal, and the IP address of the terminal was assigned to the terminal by the network access device from one of several address segments according to the terminal's access state; and
  • determining, according to a preset correspondence between the IP address of the terminal and the terminal's access authority, whether the terminal is allowed to access the first destination IP address.
  • An embodiment of the invention further provides a network access device, including:
  • a receiver configured to receive a first access request sent by the terminal, where the access request carries a first source IP address and a first destination IP address, the first source IP address is the IP address of the terminal, and the IP address of the terminal was allocated to the terminal by the network access device from one of several address segments according to the terminal's access state; and
  • a processor configured to determine, according to a preset correspondence between the IP address of the terminal and the terminal's access authority, whether the terminal is allowed to access the first destination IP address.
  • With the access control method and device of the embodiments, the NAD allocates an IP address to the terminal from a different address segment for each access state of the terminal, so that when the NAD receives an access request from the terminal it can control the terminal's access rights according to the preset correspondence between the terminal's IP address and its access rights. This saves storage resources on the NAD and ensures that the NAD can control terminal access.
  • FIG. 1 is a flowchart of an embodiment of the access authority control method provided by the present invention.
  • FIG. 2 is a structural framework diagram of network admission control in a local area network.
  • FIG. 3a is a flowchart of terminal authentication before a terminal accesses the network according to the present invention.
  • FIG. 3b is a flowchart of the terminal status check during the process of a terminal accessing the network according to the present invention.
  • FIG. 3c is a flowchart of terminal handling after the terminal has accessed the network according to the present invention.
  • FIG. 4 is a schematic structural diagram of an embodiment of a network access device according to the present invention.
  • FIG. 5 is a schematic structural diagram of still another embodiment of a network access device according to the present invention. Detailed description
  • FIG. 1 is a flowchart of an embodiment of the access authority control method according to the present invention. As shown in FIG. 1, the method includes:
  • receiving a first access request sent by the terminal, where the first access request carries a first source IP address and a first destination IP address, the first source IP address is the IP address of the terminal, and the IP address of the terminal was allocated to the terminal by the network access device from one of several address segments according to the terminal's access state; and
  • determining, according to a preset correspondence between the terminal's IP address and its access authority, whether the terminal is allowed to access the first destination IP address.
  • The execution body of the above steps is the network access device (NAD).
  • FIG. 2 is a structural framework diagram of network admission control in a local area network.
  • The local area network shown in FIG. 2 may include servers that provide various kinds of information; as shown in FIG. 2, the information is divided into a sensitive information area, a core information area and a general information area.
  • Each information area may include one or more servers that provide information.
  • The terminal accesses the network through the NAD, and the NAD controls the terminal's access to the servers that provide the information.
  • When the terminal accesses the network, the user can log in to a portal server and enter a user name and password there; the portal server sends the user name and password entered at the terminal to the NAD through the portal protocol.
  • The terminal can also access the NAD directly through the 802.1X protocol: after the NAD returns a response to the terminal, the terminal sends the user name and password to the NAD.
  • Before accessing the network, while accessing the network, and after accessing the network, the terminal is usually in different access states. Specifically, the NAD can send the terminal's user name and password to the authentication and authorization server (usually a RADIUS server), which authenticates and identifies the terminal. Before network access, the access state of the terminal can therefore be divided into "before authentication and identification pass" and "after authentication and identification pass". After the terminal passes authentication and identification, a status check server needs to check whether the terminal has a violation.
  • The status check server triggers the client agent software on the terminal to scan the terminal, for example to find out whether the terminal's virus database is out of date, whether security software is missing, whether various patches are not installed, and so on. After the client agent software has scanned the terminal, it sends the scan result to the status check server. If the terminal has no violation, the check result is "pass" and the terminal is in the "status check pass" access state; if the terminal has a violation, it is in the "status check violation" access state. After the status check has passed, the status check server can periodically trigger the terminal's client agent software to scan the terminal again.
  • If the terminal's status is found to be abnormal, for example because the terminal is infected with a virus, and the abnormal status threatens the network, the terminal needs to be isolated and prohibited from accessing the network; the terminal is then in the "state detection abnormal" access state.
  • When the terminal is in different access states, it usually has different access rights. For example, when the terminal is in the access state before "authentication and identification pass", it has public authority. Public authority is used to access shared resources on the LAN; for example, any terminal in an enterprise network has the right to access the company's public resources. When the terminal is in the access state after "authentication and identification pass" but before "status check pass", it has the user group minimum authorization authority.
  • A LAN such as an enterprise network can usually be divided into multiple user groups; for example, the terminals of the R&D department can form one user group and the terminals of the marketing department another.
  • The user group minimum authorization authority may be the public authority within the user group: a terminal with this authority may access the servers providing the shared resources of its user group.
  • When the terminal is in the "status check pass" access state, it has the user group authority, with which it can access, in addition to the servers providing the user group's shared resources, specific resources of the user group.
  • These specific resources may be some important information, or may be set by each user group. When the terminal is in the "state detection abnormal" access state, it has the user group isolation restricted authority: if the terminal's state detection is abnormal but the terminal does not pose a hazard to the network, its state can be repaired by the state repair server; if the terminal poses a threat to the network, it can be left with public authority.
  • The NAD can thus assign IP addresses to terminals from different address segments when the terminals are in different access states.
  • The NAD can pre-establish the correspondence between the terminal's IP address and the terminal's access rights, so that on receiving an access request from the terminal it can determine from the terminal's IP address whether the terminal has the right to access the destination address.
  • Specifically, the NAD can locally divide the address pool (which may be all or part of the address segments managed by the NAD) into different address segments, each corresponding to one access state of the terminal and thereby to one set of access rights. When the terminal is in a given access state, the NAD assigns it an IP address from the corresponding address segment. When the terminal later accesses the network, the NAD, on receiving the access request, learns the terminal's access rights from its IP address and decides from those rights whether the terminal is allowed to access the destination address.
  • Alternatively, the address pool (specifically, all or part of the address segments stored in the memory unit of the authentication and authorization server) may be divided into different address segments on the authentication and authorization server (RADIUS server), each segment again corresponding to an access state of the terminal and thereby to an access right.
  • The authentication and authorization server can then send an IP address from the corresponding address segment to the NAD, and the NAD assigns that IP address to the terminal.
  • The access states of the terminal include "before authentication and identification pass", "after authentication and identification pass", "status check pass", "state detection abnormal" and so on, and the access rights corresponding to these access states are, respectively, public authority, user group minimum authorization authority, user group authority, and user group isolation restricted authority.
  • The present embodiment only gives examples of access rights corresponding to possible access states of the terminal; the states before, during and after network access can be further refined into other access states.
  • With the access control method and device, the NAD allocates an IP address to the terminal from a different address segment for each access state, so that on receiving an access request it can control the terminal's access rights from the terminal's IP address. This saves storage resources on the NAD and ensures that the NAD controls terminal access.
  • FIG. 3a to FIG. 3c are flowcharts of still another embodiment of the access right control method according to the present invention.
  • This embodiment describes how, before the terminal accesses the network, while it is accessing the network and after it has accessed the network, the NAD allocates an IP address to the terminal from different address segments according to the access status of the terminal.
  • The method includes:
  • The terminal sends an access request to the NAD through the 802.1X protocol, requesting access to the local area network.
  • 802.1X is a commonly used terminal access mode in the NAC architecture. It can be understood that the terminal can also access the local area network through other protocols or interfaces, which are not described in this embodiment.
  • The NAD returns an access request response to the terminal.
  • The terminal sends a user name and password to the NAD.
  • The NAD sends the terminal's user name and password to the authentication and authorization server (usually a RADIUS server).
  • The authentication and authorization server authenticates and identifies the terminal according to the user name and password. Once this passes, the terminal is in the "authentication and identification pass" access state; until then the terminal's access right is public authority.
  • After the authentication and authorization server notifies the NAD that the terminal has passed authentication and identification, the NAD records the terminal's access state as "authentication and identification pass".
  • The terminal sends a first acquire-IP-address request to the NAD through the Dynamic Host Configuration Protocol (DHCP).
  • The NAD may pre-set the correspondence between the terminal's IP address and its access authority, so that when the terminal is in different access states it allocates the terminal an IP address from different address segments of the address pool.
  • For example, the NAD may pre-set the first address segment of the address pool to correspond to the "user group minimum authorization authority"; when the terminal is in the "authentication and identification pass" access state, the NAD assigns it an IP address from the first address segment.
  • The NAD may pre-set the second address segment of the address pool to correspond to the "user group authority"; when the terminal is in the "status check pass" access state, the NAD assigns it an IP address from the second address segment.
  • The NAD may pre-set the third address segment of the address pool to correspond to the "user group isolation restricted authority"; when the terminal is in the "state detection abnormal" access state, the NAD assigns it an IP address from the third address segment.
  • Here, the NAD allocates an IP address to the terminal from the first address segment of the address pool according to the terminal's "authentication and identification pass" access status.
  • The IP address assigned by the NAD to the terminal at this point is usually a temporary address.
  • After the terminal obtains the temporary address, the status check server performs a status check on the terminal. If the status check passes, S210 is performed; otherwise, S212 is performed.
  • The status check server performs the status check as follows:
  • The status check server triggers the client agent software on the terminal to scan the terminal, specifically to determine whether specific types of software (for example, antivirus software) are installed, whether the terminal's virus database is up to date, and so on.
  • The conditions under which the terminal status check passes or fails can be set on the NAD according to the actual needs of the LAN. For example, the check fails if the terminal's virus database is out of date, or if a specific type of software is not installed; the conditions are not enumerated here.
  • After the client agent software finishes scanning the terminal, it sends the scan result to the status check server.
  • The status check server sends a terminal status check notification to the NAD through a dynamic authorization protocol (for example, a RADIUS CoA message).
  • The NAD changes the recorded access status of the terminal to "status check pass".
  • The NAD then allocates an IP address to the terminal from the second address segment in the address pool.
  • The temporary address assigned earlier is generally used only for interacting with the status check server, so its lease time can be set to a small value (for example, 1 minute). After the status check passes, the NAD receives the status check notification from the status check server through a RADIUS CoA message, an extended RADIUS attribute, or similar. If the NAD then receives a lease renewal request for the temporary address from the terminal, it may return a DHCP NAK (Negative Acknowledge) message, triggering the terminal to initiate a second acquire-IP-address request, so that the NAD can assign the terminal an IP address from the second address segment of the address pool, which is usually a normal IP address.
  • If the status check fails, the NAD does not change the terminal's IP address, and the state repair server repairs the terminal.
  • The client agent software of the terminal interacts with the state repair server, which guides the terminal through the state repair process.
  • After the terminal repair is completed, the state repair server notifies the status check server to check the terminal's status again. If the check passes, the status check server sends a terminal status check notification message to the NAD, and the NAD assigns the terminal an IP address from the second address segment in the address pool.
  • The status check server periodically checks the status of the terminal. When it finds the terminal's status abnormal, it determines whether the abnormal status threatens network security: if it does not, S215 is executed; if it does, S216 is executed.
  • The status check server can periodically interact with the terminal's client agent software to check the terminal's status.
  • The status check server sends a terminal isolation notification message to the NAD through a dynamic authorization protocol (for example, RADIUS CoA, Change of Authorization messages), and the NAD records the state change of the terminal.
  • S217 is one feasible way of isolating the terminal; S218 and S219 are another.
  • In the first, the status check server may send the terminal's access control list (ACL) to the NAD through the RADIUS CoA protocol, so that when the NAD receives a second access request sent by the terminal, carrying a second source IP address and a second destination IP address, the NAD determines from the terminal's ACL whether the terminal is allowed to access the second destination IP address.
  • In the second, the NAD sends an extended-protocol EAP message to the terminal to trigger the terminal to initiate a first release-IP-address request and then a third acquire-IP-address request.
  • The IP address the terminal requests to release is the one the NAD allocated from the second address segment of the address pool: after the status check passed, the NAD had assigned the terminal a normal IP address from the second address segment, with a longer lease period.
  • The NAD allocates an IP address to the terminal from the third address segment of the address pool according to the third acquire-IP-address request initiated by the terminal.
  • The NAD can be notified through an extended protocol, for example through an extended RADIUS attribute in the RADIUS CoA packet, and the NAD records the terminal's status as abnormal.
  • The NAD can then notify the terminal's client agent software, through the extended protocol, to send a DHCP first release-IP-address request and initiate a third acquire-IP-address request, and the NAD, according to the terminal's "state detection abnormal" access state, allocates the terminal an IP address from the third address segment of the address pool; this IP address is an isolated address.
  • The state repair server performs state repair on the terminal.
  • The client agent software establishes a connection with the state repair server to complete the repair process.
  • The state repair server may then instruct the status check server to send a terminal status repair completion notification to the NAD.
  • The NAD allocates an IP address to the terminal from the second address segment in the address pool.
  • Specifically, after the terminal's state repair is completed, the status check server notifies the NAD through a dynamic authorization protocol (for example, RADIUS CoA), and the NAD may send an extended-protocol EAP message to the terminal to trigger a second release-IP-address request followed by a fourth acquire-IP-address request. The NAD may, for instance, append a custom field after the NUL character (0 byte) that terminates the name in the data field of an EAP Request message, instructing the terminal agent software to re-initiate the DHCP process. The NAD then allocates an IP address to the terminal from the second address segment of the address pool according to the fourth acquire-IP-address request; this IP address is a normal IP address.
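The extended EAP message in the step above relies on a property of EAP-Request/Identity from RFC 3748 section 5.1: the Type-Data may carry a displayable prompt, and when it contains a NUL only the portion before the NUL is shown, so bytes after the NUL can carry an NAD-defined field. The encoder, parser and agent handler below are an added example written for this page, not code from the patent or from Huawei; the directive string DHCP-RELEASE-REACQUIRE, the prompt text and the agent's action list are assumptions.

```python
"""Added example (not from the patent): EAP-Request/Identity whose Type-Data is
prompt NUL directive, as RFC 3748 section 5.1 permits. Directive name assumed."""
import struct

EAP_REQUEST = 1
EAP_TYPE_IDENTITY = 1
DIRECTIVE_REACQUIRE = b"DHCP-RELEASE-REACQUIRE"  # assumed NAD-defined field


def build_identity_request(identifier: int, prompt: str, directive: bytes = b"") -> bytes:
    """Code(1) Identifier(1) Length(2) Type(1) | prompt [NUL directive]; Length covers all."""
    if not 0 <= identifier <= 255:
        raise ValueError("identifier must fit in one octet")
    body = prompt.encode("utf-8")
    if b"\x00" in body:
        raise ValueError("prompt must not contain NUL")
    type_data = body + (b"\x00" + directive if directive else b"")
    length = 5 + len(type_data)
    if length > 0xFFFF:
        raise ValueError("EAP packet too long")
    return struct.pack("!BBHB", EAP_REQUEST, identifier, length, EAP_TYPE_IDENTITY) + type_data


def parse_identity_request(pkt: bytes):
    """Return (identifier, prompt, directive); reject anything malformed."""
    if len(pkt) < 5:
        raise ValueError("short EAP packet")
    code, identifier, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if code != EAP_REQUEST or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Request/Identity")
    if length < 5 or length > len(pkt):
        raise ValueError("bad EAP length")
    type_data = pkt[5:length]  # bounded by Length, so frame padding is ignored
    prompt, sep, directive = type_data.partition(b"\x00")
    return identifier, prompt.decode("utf-8", errors="replace"), (directive if sep else b"")


def agent_handle(pkt: bytes, current_ip: str):
    """Client agent: show the prompt; on a recognised directive, release and re-run DHCP."""
    identifier, prompt, directive = parse_identity_request(pkt)
    actions = [f"display:{prompt}"]
    if directive == DIRECTIVE_REACQUIRE and current_ip:
        actions += [f"dhcp-release:{current_ip}", "dhcp-discover"]
    return identifier, actions
```

Parsing is bounded by the EAP Length field rather than the frame length, so trailing padding is ignored, and the agent acts only on a directive it recognises. EAP-Request/Identity is exchanged before any EAP method has run, so this field carries no integrity protection of its own; an agent should treat it as a hint to re-run DHCP, which the NAD's own recorded state then arbitrates, rather than as an authenticated command.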
  • In this embodiment, the NAD allocates an IP address to the terminal from a different address segment for each access state, so that when it receives an access request from the terminal it can control the terminal's access rights from the preset correspondence between the terminal's IP address and its access rights. This saves storage resources on the NAD and ensures that the NAD controls terminal access.
  • The invention does not require changing the network architecture of the existing local area network, adding new network equipment, or upgrading existing network equipment.
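The address-segment scheme described in the overview (the pool split by access state and the access decision taken from the source address) and the FIG. 3 embodiment above (the short-lease temporary address refused on renewal once the status check passes, the EAP-triggered release and re-acquisition on isolation and on repair, and the alternative of an ACL pushed by CoA) can be exercised end to end in one model. The following Python is an added example written for this page, not code from the patent or from Huawei. The address pool 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24, the destination zones 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24, the repair server at 192.0.2.250, the lease lengths and the MAC-keyed tables are constructed assumptions, and sources that fall in no segment are treated as public authority, which the patent leaves implicit.

```python
"""Added example (not from the patent): NAD that leases addresses from
per-state segments and decides access from the source address alone."""
import ipaddress
from enum import Enum


class State(Enum):
    AUTH_PASSED = "authentication and identification passed"  # temporary address
    CHECK_PASSED = "status check passed"                      # normal address
    ABNORMAL = "state detection abnormal"                     # isolated address


# Assumed address pool: one segment per access state (constructed, not from the patent).
SEGMENTS = {
    State.AUTH_PASSED: ipaddress.ip_network("10.0.1.0/24"),
    State.CHECK_PASSED: ipaddress.ip_network("10.0.2.0/24"),
    State.ABNORMAL: ipaddress.ip_network("10.0.3.0/24"),
}
LEASE_SECONDS = {State.AUTH_PASSED: 60, State.CHECK_PASSED: 86400, State.ABNORMAL: 86400}

# Assumed destination zones and the access rights that may reach them.
PUBLIC = ipaddress.ip_network("192.0.2.0/24")            # company-wide shared resources
GROUP_SHARED = ipaddress.ip_network("198.51.100.0/24")   # shared resources of the user group
GROUP_SPECIFIC = ipaddress.ip_network("203.0.113.0/24")  # specific resources of the user group
REPAIR_SERVER = ipaddress.ip_network("192.0.2.250/32")   # state repair server
RIGHTS = {
    "public": [PUBLIC],
    "group_minimum": [PUBLIC, GROUP_SHARED],
    "group": [PUBLIC, GROUP_SHARED, GROUP_SPECIFIC],
    "group_isolated": [REPAIR_SERVER],
}
RIGHT_OF_SEGMENT = {
    State.AUTH_PASSED: "group_minimum",
    State.CHECK_PASSED: "group",
    State.ABNORMAL: "group_isolated",
}


class NAD:
    """Per-terminal state (keyed by MAC) and the DHCP / CoA / EAP events that move it."""

    def __init__(self):
        self.state, self.lease, self.acl = {}, {}, {}
        self._next_host = {s: 10 for s in SEGMENTS}

    # --- address assignment ---------------------------------------------------
    def dhcp_acquire(self, mac):
        """Serve a fresh address from the segment that matches the terminal's state."""
        if mac not in self.state:
            return None  # not authenticated: no address at all
        st = self.state[mac]
        ip = SEGMENTS[st].network_address + self._next_host[st]
        self._next_host[st] += 1
        self.lease[mac] = (ip, LEASE_SECONDS[st])
        return ip

    def dhcp_renew(self, mac, ip):
        """ACK a renewal only while the address still matches the state, else NAK."""
        if mac in self.state and ipaddress.ip_address(str(ip)) in SEGMENTS[self.state[mac]]:
            return "ACK"
        self.lease.pop(mac, None)
        return "NAK"  # terminal must re-acquire and lands in the new segment

    def dhcp_release(self, mac):
        self.lease.pop(mac, None)

    # --- events from the RADIUS / status check server -------------------------
    def auth_passed(self, mac):
        self.state[mac] = State.AUTH_PASSED

    def coa_status_check_passed(self, mac):
        self.state[mac] = State.CHECK_PASSED  # next renewal of the temp address is NAKed

    def coa_isolate(self, mac):
        self.state[mac] = State.ABNORMAL
        return "EAP-Request: release address and re-acquire"  # readdressing path

    def coa_acl(self, mac, rules):
        """Alternative isolation path: a per-terminal ACL, first match wins, default deny."""
        self.acl[mac] = [(ipaddress.ip_network(net), bool(allow)) for net, allow in rules]

    def coa_repair_complete(self, mac):
        self.state[mac] = State.CHECK_PASSED
        return "EAP-Request: release address and re-acquire"

    # --- enforcement ----------------------------------------------------------
    def permit(self, src, dst):
        """Decide from the source address; a pushed ACL for that terminal overrides it."""
        src, dst = ipaddress.ip_address(str(src)), ipaddress.ip_address(str(dst))
        for mac, rules in self.acl.items():
            if self.lease.get(mac, (None, 0))[0] == src:
                return next((allow for net, allow in rules if dst in net), False)
        right = next((RIGHT_OF_SEGMENT[s] for s, seg in SEGMENTS.items() if src in seg), "public")
        return any(dst in net for net in RIGHTS[right])
```

permit() touches only the source address and three segment entries, which is the saving the patent claims: no per-terminal ACL lives on the NAD unless the status check server pushes one. The flip side a practitioner should not skip is that rights now ride on the source address, so the enforcement point must bind each leased address to the port or MAC it was issued to (DHCP snooping with IP source guard or an equivalent) and drop packets from self-assigned addresses; otherwise a terminal that configures an address from the second segment by hand inherits user group authority without ever passing the status check.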
  • The network access device includes a receiver 11 and a processor 12.
  • The receiver 11 is configured to receive a first access request sent by the terminal, where the first access request carries a first source IP address and a first destination IP address, the first source IP address is the IP address of the terminal, and the IP address of the terminal was allocated to the terminal by the network access device from one of several address segments according to the terminal's access state.
  • The processor 12 is configured to determine, according to a preset correspondence between the terminal's IP address and its access authority, whether the terminal is allowed to access the first destination IP address.
  • FIG. 5 is a schematic structural diagram of still another embodiment of the network access device, extended on the basis of FIG. 4. As shown in FIG. 5, the network access device includes a receiver 11 and a processor 12.
  • The processor 12 determines, according to the preset correspondence between the terminal's IP address and its access authority, whether the terminal is allowed to access the first destination IP address. The preset correspondence may include:
  • the corresponding terminal access right is public authority;
  • if the IP address of the terminal is in the first address segment of the address pool, the corresponding access right is the user group minimum authorization authority;
  • if the IP address of the terminal is in the second address segment of the address pool, the corresponding access right is the user group authority;
  • if the IP address of the terminal is in the third address segment of the address pool, the corresponding access right is the user group isolation restricted authority.
  • The receiver 11 in this embodiment may further be configured to receive one or more of: a first acquire-IP-address request sent by the terminal; a terminal status check notification message sent by the status check server; a terminal isolation notification message sent by the status check server; and a terminal status repair completion notification sent by the status check server.
  • The processor 12 is further configured to allocate an IP address to the terminal from the first address segment of the address pool on the first acquire-IP-address request.
  • The IP address assigned by the processor 12 to the terminal at this point is usually a temporary address with a shorter lease.
  • After the terminal status check notification message is received, the processor 12 assigns the terminal an IP address from the second address segment of the address pool; this is a normal address.
  • After the terminal isolation notification message is received, the processor 12 assigns the terminal an IP address from the third address segment of the address pool; this is an isolated address.
  • After the terminal status repair completion notification is received, the processor 12 assigns the terminal an IP address from the second address segment of the address pool.
  • the first transmitter 13 is configured to: after receiving the terminal status check notification message sent by the status check server, the receiver 11 receives the lease renewal message sent by the terminal, and the lease renewal message Used to request to renew the temporary address, then send the dynamic host configuration protocol negative response DHCP to the terminal.
  • the NAK packet is used to trigger the terminal to initiate a second acquisition IP address request.
  • the retransmission message sent by the terminal received by the receiver 11 is a temporary address renewal request, and the first transmitter 13 sends a DHCP NAK " ⁇ message to the terminal to reject the temporary address renewal request of the terminal, and triggers The terminal initiates a second acquisition IP address request.
  • the processor 12 is further configured to: allocate a normal address to the terminal from the second address segment in the address pool according to the second acquired IP address request initiated by the terminal.
  • the second transmitter 14 is configured to: if the receiver 11 receives the terminal isolation notification message sent by the status check server, send an extended protocol EAP message to the terminal, to trigger the terminal to initiate the first release IP address request and initiate the third acquisition IP address.
  • the request, the first release IP address request is used to request to release the normal address.
  • the processor 12 is further configured to: allocate an isolated address to the terminal from the third address segment in the address pool according to the third acquired IP address request initiated by the terminal.
  • the third transmitter 15 is configured to: if the receiver 11 receives the terminal status repair completion notification sent by the status check server, send an extended protocol EAP message to the terminal, to trigger the terminal to initiate the second release IP address request and initiate the fourth acquisition IP address. Address request.
  • the request for the second release IP address initiated by the terminal is used to request to release the isolated address.
  • the processor 12 is further configured to: allocate a normal address to the terminal from the second address segment in the address pool according to the fourth acquired IP address request initiated by the terminal.
  • the receiver 11 is further configured to: receive an access control list ACL of the terminal delivered by the status check server;
  • the receiver 11 After receiving the ACL of the terminal sent by the state check server, the receiver 11 receives the second access request sent by the terminal, and the second access request carries the second source IP address and the second destination IP address, and the processor 12 can also be used to: determine whether to allow terminal access according to the ACL of the terminal Ask the second destination IP address.
  • the network access device provided in this embodiment corresponds to the access permission control method provided by the embodiment of the present invention.
  • the network access device is an execution device for implementing the access permission control method; for the specific process by which the network access device performs access permission control, reference may be made to the method embodiments provided by the present invention, and details are not described herein again.
  • the NAD allocates an IP address to the terminal from different address segments according to the different access states of the terminal, so that when the NAD receives an access request from the terminal, the NAD can control the access rights of the terminal based on the preset correspondence between the IP address of the terminal and the access rights of the terminal. This saves the storage resources of the NAD and ensures that the NAD controls the access of the terminal.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to an access permission control method and device. The method includes: receiving a first access request from a terminal, the access request carrying a first source Internet Protocol (IP) address and a first destination IP address, the first source IP address being the IP address of the terminal, and the IP address of the terminal being allocated to the terminal from different address segments by a network access device according to the different access states of the terminal (101); and determining whether the terminal is allowed to access the first destination IP address according to a preset correspondence between the IP address of the terminal and the access permission of the terminal (102). The access permission control method and device in the embodiment of the present invention save the storage resources of the network access device (NAD) and ensure that the access of the terminal is controlled by the NAD.
PCT/CN2011/077781 2011-07-29 2011-07-29 Procédé et dispositif de commande de permission d'accès WO2012109854A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201180001196.0A CN102318314B (zh) 2011-07-29 2011-07-29 访问权限控制方法和设备
PCT/CN2011/077781 WO2012109854A1 (fr) 2011-07-29 2011-07-29 Procédé et dispositif de commande de permission d'accès

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2011/077781 WO2012109854A1 (fr) 2011-07-29 2011-07-29 Procédé et dispositif de commande de permission d'accès

Publications (1)

Publication Number Publication Date
WO2012109854A1 true WO2012109854A1 (fr) 2012-08-23

Family

ID=45429446

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/077781 WO2012109854A1 (fr) 2011-07-29 2011-07-29 Procédé et dispositif de commande de permission d'accès

Country Status (2)

Country Link
CN (1) CN102318314B (fr)
WO (1) WO2012109854A1 (fr)

Families Citing this family (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102685135B (zh) * 2012-05-17 2014-11-26 江苏中科梦兰电子科技有限公司 一种基于c/s架构下的软件权限验证方法
WO2014043416A1 (fr) * 2012-09-12 2014-03-20 Genesys Telecommunications Laboratories, Inc. Système et procédé de configuration dynamique de centres d'appels via des modèles
CN103312833B (zh) * 2013-05-29 2016-08-17 福建三元达网络技术有限公司 Dhcp预分配租约方法及其装置
CN104320384B (zh) * 2014-10-09 2019-04-26 深圳创维数字技术有限公司 一种无线路由设备控制方法与装置
CN105847287A (zh) * 2016-05-17 2016-08-10 中山大学 一种基于社区局域网的资源访问控制方法及系统
CN106060048A (zh) * 2016-05-31 2016-10-26 杭州华三通信技术有限公司 一种网络资源访问方法和装置
CN105939357A (zh) * 2016-06-13 2016-09-14 杭州迪普科技有限公司 获取用户ip地址与用户组信息对应关系的方法及装置
CN106254328B (zh) * 2016-07-27 2019-10-18 杭州华为数字技术有限公司 一种访问控制方法及装置
CN106131847B (zh) * 2016-08-30 2019-12-06 锐捷网络股份有限公司 一种无线移动终端安全接入控制方法、装置和设备
CN108881127B (zh) * 2017-05-15 2022-07-15 中兴通讯股份有限公司 一种控制远程访问权限的方法及系统
CN107820702B (zh) * 2017-07-03 2021-02-09 达闼机器人有限公司 一种管控方法、装置及电子设备
CN109937439A (zh) * 2017-09-29 2019-06-25 深圳市大疆创新科技有限公司 一种保护飞控系统的方法及电路
CN108092970B (zh) * 2017-12-13 2021-01-15 腾讯科技(深圳)有限公司 一种无线网络维护方法及其设备、存储介质、终端
CN108882240B (zh) * 2018-07-11 2021-08-17 奇安信科技集团股份有限公司 移动设备接入网络的实现方法及装置
CN110519404B (zh) * 2019-08-02 2022-04-26 锐捷网络股份有限公司 一种基于sdn的策略管理方法、装置及电子设备
CN113132326B (zh) * 2019-12-31 2022-08-09 华为技术有限公司 一种访问控制方法、装置及系统
CN113573316B (zh) * 2021-07-15 2024-02-20 中国人民解放军陆军工程大学 一种专用移动通信网络用户私有权限临时变更的方法
CN114301635B (zh) * 2021-12-10 2024-02-23 中国联合网络通信集团有限公司 访问控制方法、装置和服务器
CN114500395B (zh) * 2021-12-29 2023-10-31 联通智网科技股份有限公司 一种流量管控方法、装置和设备

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1630252A (zh) * 2003-12-16 2005-06-22 华为技术有限公司 宽带ip接入设备及在该设备中实现用户日志的方法
CN101056178A (zh) * 2007-05-28 2007-10-17 中兴通讯股份有限公司 一种控制用户网络访问权限的方法和系统

Also Published As

Publication number Publication date
CN102318314B (zh) 2013-09-11
CN102318314A (zh) 2012-01-11

Similar Documents

Publication Publication Date Title
WO2012109854A1 (fr) Procédé et dispositif de commande de permission d'accès
US10678555B2 (en) Host identity bootstrapping
US7607021B2 (en) Isolation approach for network users associated with elevated risk
JP4327630B2 (ja) インターネット・プロトコルを用いたストレージエリア・ネットワーク・システム、セキュリティ・システム、セキュリティ管理プログラム、ストレージ装置
US8146137B2 (en) Dynamic internet address assignment based on user identity and policy compliance
US20090217346A1 (en) Dhcp centric network access management through network device access control lists
US7467405B2 (en) Method and apparatus for detecting an unauthorized client in a network of computer systems
US20180198786A1 (en) Associating layer 2 and layer 3 sessions for access control
WO2013163944A1 (fr) Procédé de partage de comptes d'informatique en nuage pour services iaas, plateforme de partage et dispositif de réseau
KR20150079740A (ko) 하드웨어-기반 디바이스 인증
JP2003218873A (ja) 通信監視装置及び監視方法
EP3545451B1 (fr) Transfert automatique de demandes d'accès et de réponses à ces dernières
US20100175115A1 (en) Management of credentials used by software applications
EP3876497A1 (fr) Évaluation actualisée de la conformité de points d'extrémité
WO2017000443A1 (fr) Procédé de gestion d'utilisateur de ligne dédiée, serveur d'accès à large bande et serveur de gestion
KR20110002947A (ko) 필수 프로그램 설치정보를 이용한 네트워크 접근 제어시스템 및 이의 방법
WO2020081237A1 (fr) Systèmes et procédés de gestion de privilèges de dispositif
KR101628534B1 (ko) 가상 802.1x 기반 네트워크 접근 제어 장치 및 네트워크 접근 제어 방법
CN110875923B (zh) 对网络提供增强型网络访问控制的方法和系统
US20240236092A1 (en) Correlations between private network addresses and assigned network addresses
JP3828557B2 (ja) 排他的ネットワーク管理システム及びその管理方法
US20230344798A1 (en) Roaming dns firewall
US12034769B2 (en) Systems and methods for scalable zero trust security processing
JP2003324457A (ja) アクセス制御装置、方法、プログラムおよび記録媒体
WO2023051131A1 (fr) Procédé et appareil de gestion et de commande de dispositif de stockage mobile

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase. Ref document number: 201180001196.0; Country of ref document: CN
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 11858688; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase. Ref country code: DE
122 Ep: pct application non-entry in european phase. Ref document number: 11858688; Country of ref document: EP; Kind code of ref document: A1