WO2015101125A1 - Network access control method and device - Google Patents


Info

Publication number
WO2015101125A1
Authority
WO
WIPO (PCT)
Prior art keywords
mobile terminal
webpage
authentication
access
network
Application number
PCT/CN2014/092788
Other languages
French (fr)
Chinese (zh)
Inventor
于丹
Original Assignee
华为技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/062 Pre-authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys

Definitions

  • The present invention relates to the field of network communication technologies, and in particular to a network access control method, a wireless access point and a wireless access controller.
  • Embodiments of the invention provide a network access control method that reduces the difficulty of access control when an existing mobile terminal securely accesses a network.
  • Embodiments of the present invention further provide a wireless access point and a wireless access controller.
  • A network access control method includes the following:
  • The network access device receives an access request message sent by the mobile terminal. The access request message requests access to the wireless network of the enterprise and carries an identifier of the mobile terminal; the identifier uniquely identifies the mobile terminal within the scope of the wireless network of the enterprise.
  • The access control policy corresponding to the IP address is set to a first permission policy, which allows the IP address to access an authentication webpage.
  • If the network access device determines that the mobile terminal has completed registration in the wireless network of the enterprise through the registration webpage, the network access device sends a configuration file and a digital certificate to the mobile terminal. The mobile terminal uses the configuration file and the digital certificate to access the wireless network of the enterprise in the EAP-TLS (Extensible Authentication Protocol with Transport Layer Security) authentication mode.
  • The authentication webpage is provided by a Portal server in the wireless network of the enterprise; the Portal server sends the Lightweight Directory Access Protocol (LDAP) domain account authentication information that the mobile terminal enters on the authentication webpage to the Remote Authentication Dial-In User Service (RADIUS) server for webpage authentication.
  • If the webpage authentication result indicates that the mobile terminal has passed webpage authentication, the network access device sets the access control policy corresponding to the IP address to a second permission policy, which allows the IP address to access the registration webpage;
  • the network access device redirects the webpage access request message to the registration webpage according to the second permission policy corresponding to the IP address.
  • In a second possible implementation manner of the first aspect, if the network access device determines that the registration status corresponding to the identifier of the mobile terminal is registered, the network access device sends a response message to the mobile terminal in which the authentication algorithm field is set to an EAP-TLS authentication indicator, instructing the mobile terminal to access the wireless network of the enterprise using the EAP-TLS authentication method;
  • when the network access device determines that the EAP-TLS authentication between the mobile terminal and the RADIUS server has succeeded, it opens a controlled port for the mobile terminal. The controlled port carries the service data of the mobile terminal, while the EAP-TLS authentication exchange between the mobile terminal and the RADIUS server is carried over the uncontrolled port.
  • In a third possible implementation manner of the first aspect, the network access device determines the registration status corresponding to the identifier of the mobile terminal as follows:
  • In a fourth possible implementation manner of the first aspect, the registration webpage is provided by the management server,
  • and when the network access device determines that the mobile terminal has completed registration in the wireless network of the enterprise through the registration webpage, sending the configuration file and the digital certificate to the mobile terminal includes:
  • the network access device sending the configuration file and the digital certificate to the mobile terminal.
  • In a fifth possible implementation manner of the foregoing aspect, after the network access device sends the configuration file and the digital certificate to the mobile terminal, the method further includes:
  • the network access device receives a dynamic authorization (Change of Authorization, CoA) message sent by the RADIUS server and, after receiving the CoA message, instructs the mobile terminal to resend the access request message. The CoA message is sent after the registration status of the mobile terminal in the management server has been updated to registered.
  • In a sixth possible implementation manner of the first aspect, after the network access device receives the CoA message, the method further includes: the network access device reclaims the IP address.
  • A wireless access point (AP) includes:
  • a receiving unit configured to receive an access request message sent by the mobile terminal, where the access request message requests access to the wireless network of the enterprise and carries an identifier of the mobile terminal that uniquely identifies the mobile terminal within the range of the wireless network of the enterprise;
  • a determining unit configured to determine the registration status corresponding to the identifier of the mobile terminal in the access request message received by the receiving unit, where the registration status identifies whether the mobile terminal is registered in the wireless network of the enterprise;
  • a resource allocation requesting unit configured to request the wireless access controller (AC) that controls the wireless AP to allocate an IP address to the mobile terminal if the determining unit determines that the registration status corresponding to the identifier of the mobile terminal is unregistered;
  • a policy setting unit configured to set the access control policy corresponding to the IP address to a first permission policy, where the first permission policy allows the IP address to access an authentication webpage;
  • the receiving unit is further configured to receive a webpage access request message sent by the mobile terminal using the IP address;
  • a redirect requesting unit configured to send, according to the first permission policy set by the policy setting unit, a first forwarding request to the AC requesting that the webpage access request message be redirected to the authentication webpage, and, if it is determined that the mobile terminal has successfully authenticated through the authentication webpage, to send a second forwarding request to the AC requesting that the webpage access request message be redirected to a registration webpage;
  • the receiving unit is further configured to receive a configuration file and a digital certificate from the wireless AC;
  • the sending unit is further configured to forward the configuration file and the digital certificate to the mobile terminal, where the mobile terminal uses the configuration file and the digital certificate to access the wireless network of the enterprise in the EAP-TLS authentication mode.
  • the receiving unit is further configured to receive a webpage authentication result from the RADIUS server, where the authentication webpage is provided by a Portal server in the wireless network of the enterprise, and the Portal server sends the LDAP domain account authentication information entered by the mobile terminal on the authentication webpage to the RADIUS server for webpage authentication;
  • the policy setting unit is further configured to set the access control policy corresponding to the IP address to a second permission policy if the webpage authentication result indicates that the mobile terminal has passed webpage authentication, where the second permission policy allows the IP address to access the registration webpage;
  • the redirect requesting unit is configured to send, according to the second permission policy corresponding to the IP address, a first forwarding request to the AC requesting that the webpage access request message be redirected to the registration webpage.
  • the sending unit is further configured to send a response message to the mobile terminal if the determining unit determines that the registration status is registered, where the authentication algorithm field carried in the response message is set to an EAP-TLS authentication indicator instructing the mobile terminal to access the wireless network of the enterprise in the EAP-TLS authentication mode.
  • the wireless AP further includes:
  • a port opening unit configured to open a controlled port for the mobile terminal when the network access device determines that the EAP-TLS authentication between the mobile terminal and the RADIUS server has succeeded, where the controlled port carries the service data of the mobile terminal.
  • the determining unit includes:
  • an acquiring subunit configured to acquire the identifier of the mobile terminal from the access request message;
  • a querying subunit configured to query the management server in the wireless network of the enterprise for the registration status of the mobile terminal according to the identifier acquired by the acquiring subunit;
  • a receiving subunit configured to receive the registration status of the mobile terminal returned by the management server.
  • A wireless AP includes a memory, a processor, a receiver and a transmitter;
  • the receiver is configured to receive an access request message sent by the mobile terminal, where the access request message requests access to the wireless network of the enterprise and carries an identifier of the mobile terminal that uniquely identifies the mobile terminal within the range of the wireless network of the enterprise;
  • the processor is configured to read the program code stored in the memory and execute: determining the registration status corresponding to the identifier of the mobile terminal, where the registration status identifies whether the mobile terminal is registered in the wireless network of the enterprise; if the registration status corresponding to the identifier of the mobile terminal is unregistered, requesting the wireless AC that controls the wireless AP to allocate an IP address to the mobile terminal; and setting the access control policy corresponding to the IP address to a first permission policy, where the first permission policy allows the IP address to access an authentication webpage;
  • the receiver is further configured to receive a webpage access request message sent by the mobile terminal using the IP address;
  • the transmitter is configured to send, according to the first permission policy corresponding to the IP address, a first forwarding request to the AC requesting that the webpage access request message be redirected to the authentication webpage, and, if the mobile terminal successfully authenticates through the authentication webpage, to send a second forwarding request to the AC requesting that the webpage access request message be redirected to the registration webpage;
  • the receiver is further configured to receive a configuration file and a digital certificate from the wireless AC;
  • the transmitter is further configured to forward the configuration file and the digital certificate to the mobile terminal, where the mobile terminal uses the configuration file and the digital certificate to access the wireless network of the enterprise in the EAP-TLS authentication mode.
  • the receiver is further configured to receive a webpage authentication result from the RADIUS server, where the authentication webpage is provided by a Portal server in the wireless network of the enterprise, and the Portal server sends the LDAP domain account authentication information entered by the mobile terminal on the authentication webpage to the RADIUS server for webpage authentication;
  • the processor is configured to set the access control policy corresponding to the IP address to a second permission policy if the webpage authentication result indicates that the mobile terminal has passed webpage authentication, where the second permission policy allows the IP address to access the registration webpage, and to send a first forwarding request to the AC according to the second permission policy corresponding to the IP address, requesting that the webpage access request message be redirected to the registration webpage.
  • In a second possible implementation of the third aspect, the transmitter is further configured to send a response message to the mobile terminal if the processor determines that the registration status is registered, where the authentication algorithm field carried in the response message is set to an EAP-TLS authentication indicator instructing the mobile terminal to access the wireless network of the enterprise in the EAP-TLS authentication mode.
  • the processor is further configured to open a controlled port for the mobile terminal when the network access device determines that the EAP-TLS authentication between the mobile terminal and the RADIUS server has succeeded, where the controlled port carries the service data of the mobile terminal.
  • the processor is configured to acquire the identifier of the mobile terminal from the access request message, query the management server in the wireless network of the enterprise for the registration status of the mobile terminal according to the identifier, and receive the registration status of the mobile terminal returned by the management server.
  • An AC includes:
  • a receiving unit configured to receive an access request message sent by the mobile terminal, where the access request message requests access to the wireless network of the enterprise and carries an identifier of the mobile terminal that uniquely identifies the mobile terminal within the range of the wireless network of the enterprise;
  • a determining unit configured to determine the registration status corresponding to the identifier of the mobile terminal in the access request message received by the receiving unit, where the registration status identifies whether the mobile terminal is registered in the wireless network of the enterprise;
  • a resource allocation unit configured to allocate an IP address to the mobile terminal if the determining unit determines that the registration status corresponding to the identifier of the mobile terminal is unregistered;
  • the receiving unit is further configured to receive a first forwarding request sent by a wireless access point (AP) controlled by the AC;
  • a redirecting unit configured to redirect, according to the first forwarding request, the webpage access request message sent by the mobile terminal using the IP address to the authentication webpage;
  • the receiving unit is further configured to receive a second forwarding request sent by the AP;
  • the redirecting unit is further configured to redirect the webpage access request message to the registration webpage according to the second forwarding request;
  • the receiving unit is further configured to receive a configuration file and a digital certificate sent by a management server in the wireless network of the enterprise, where the mobile terminal uses the configuration file and the digital certificate to access the wireless network of the enterprise in the EAP-TLS authentication mode; after the management server sends the configuration file and the digital certificate, the registration status of the mobile terminal in the management server is updated to registered;
  • the sending unit is further configured to send the configuration file and the digital certificate to the AP.
  • the determining unit includes:
  • an acquiring subunit configured to acquire the identifier of the mobile terminal from the access request message;
  • a querying subunit configured to query the management server in the wireless network of the enterprise for the registration status of the mobile terminal according to the identifier acquired by the acquiring subunit;
  • a receiving subunit configured to receive the registration status of the mobile terminal returned by the management server.
  • the receiving unit is further configured to receive a dynamic authorization (CoA) message sent by the RADIUS server and, after receiving the CoA message, to instruct the mobile terminal to resend the access request message; the CoA message is sent after the registration status of the mobile terminal in the management server has been updated to registered.
  • In a third possible implementation manner of the fourth aspect, the AC further includes a resource recovery unit configured to recover the IP address after the receiving unit receives the CoA message.
  • A wireless AC includes a memory, a processor, a receiver and a transmitter;
  • the receiver is configured to receive an access request message sent by the mobile terminal, where the access request message requests access to the wireless network of the enterprise and carries an identifier of the mobile terminal, and the identifier uniquely identifies the mobile terminal within the range of the wireless network of the enterprise;
  • the processor is configured to read the program code stored in the memory and execute:
  • determining the registration status corresponding to the identifier of the mobile terminal in the access request message received by the receiver, where the registration status identifies whether the mobile terminal is registered in the wireless network of the enterprise; and, if the registration status corresponding to the identifier of the mobile terminal is unregistered, allocating an IP address to the mobile terminal;
  • the receiver is further configured to receive a first forwarding request sent by the AP controlled by the AC;
  • the processor is further configured to redirect, according to the first forwarding request received by the receiver, the webpage access request message sent by the mobile terminal using the IP address to the authentication webpage;
  • the receiver is further configured to receive a second forwarding request sent by the AP;
  • the processor is further configured to redirect the webpage access request message to the registration webpage according to the second forwarding request received by the receiver;
  • the receiver is further configured to receive a configuration file and a digital certificate sent by a management server in the wireless network of the enterprise, where the mobile terminal uses the configuration file and the digital certificate to access the wireless network of the enterprise in the EAP-TLS authentication mode; after the management server sends the configuration file and the digital certificate, the registration status of the mobile terminal in the management server is updated to registered;
  • the transmitter is configured to send the configuration file and the digital certificate to the AP.
  • when the processor 902 determines the registration status corresponding to the identifier of the mobile terminal in the access request message received by the receiver 903, the processor 902 is specifically configured to:
  • the receiver is further configured to receive a dynamic authorization (CoA) message sent by the RADIUS server and, after receiving the CoA message, to instruct the mobile terminal to resend the access request message; the CoA message is sent after the registration status of the mobile terminal in the management server has been updated to registered.
  • In a third possible implementation manner of the fifth aspect, the processor is further configured to recover the IP address after the receiver receives the CoA message.
  • The network access device determines the registration status corresponding to the identifier of the mobile terminal; if the registration status is unregistered, then after allocating an IP address to the mobile terminal it sets the access control policy corresponding to the IP address to the first permission policy, and according to that policy redirects the webpage access request message sent by the mobile terminal using the IP address to the authentication webpage. If the network access device determines that the mobile terminal has successfully authenticated through the authentication webpage, it redirects the request to the registration webpage; if it determines that the mobile terminal has completed registration in the wireless network of the enterprise through the registration webpage, it sends a configuration file and a digital certificate to the mobile terminal. There is thus no need, as in the prior art, to manually allocate and distribute a digital certificate to each mobile terminal and configure its access parameters before it accesses the enterprise wireless network, which reduces the difficulty of implementing access control.
  • FIG. 1 is a schematic diagram of a deployment scenario of a network access control system of a mobile terminal according to an embodiment of the present disclosure.
  • FIG. 3 is a sequence diagram of a network access control method for a mobile terminal according to an embodiment of the present invention.
  • FIG. 4 is a schematic structural diagram of a wireless AP according to the present invention.
  • FIG. 5 is a schematic structural diagram of a determining unit in a wireless AP according to the present invention.
  • FIG. 6 is a schematic structural diagram of another wireless AP according to the present invention.
  • FIG. 7 is a schematic structural diagram of a wireless AC according to the present invention.
  • FIG. 8 is a schematic structural diagram of a determining unit in a wireless AC according to the present invention.
  • FIG. 9 is a schematic structural diagram of another wireless AC according to the present invention.
  • the embodiment of the invention provides a network access control method for a mobile terminal.
  • the solution will be described below in combination with various embodiments.
  • The system includes a mobile terminal and a network access device.
  • The mobile terminal in the present application refers to a portable device that has a wireless network interface supporting wireless Internet access and an operating system, including but not limited to a laptop, a personal digital assistant (PDA), a mobile phone and the like.
  • The network access device includes a wireless access point (AP) and an access controller (AC), and may also include other devices having similar functions.
  • The system further includes a Portal server, a Remote Authentication Dial-In User Service (RADIUS) server, and a management server.
  • A wireless AP is hereinafter referred to as an AP in this application.
  • A wireless AC is hereinafter referred to as an AC in this application.
  • The Portal server may be connected through a switch.
  • The RADIUS server may be connected through a switch.
  • a certificate server (not shown) for allocating a digital certificate may also be included, and the function of the certificate server may also be integrated into the RADIUS server or the management server.
  • The main implementation principle and process of the embodiment of the present invention are as follows:
  • Step 10: The network access device receives an access request message sent by the mobile terminal. The access request message requests access to the wireless network of the enterprise and carries an identifier of the mobile terminal, which uniquely identifies the mobile terminal within the scope of the wireless network of the enterprise.
  • The identifier of the mobile terminal includes, but is not limited to, the Medium Access Control (MAC) address of the mobile terminal.
  • Step 20: The network access device determines the registration status corresponding to the identifier of the mobile terminal, where the registration status identifies whether the mobile terminal is registered in the wireless network of the enterprise.
  • Determining the registration status corresponding to the identifier of the mobile terminal specifically includes:
  • The executor of step 20 may be an AP or an AC and may be chosen flexibly according to actual conditions. For example, if the functions and hardware supported by the AP are limited (a thin wireless AP), step 20 may be executed by the AC.
  • When the AC executes step 20, steps 10 to 20 are specifically as follows:
  • the AP receives the access request message sent by the mobile terminal and forwards it to the AC, and the AC queries the management server for the registration status of the mobile terminal.
  • When the AP executes step 20, steps 10 to 20 are specifically as follows:
  • the AP receives the access request message sent by the mobile terminal and queries the management server for the registration status of the mobile terminal.
  • Step 30: If the network access device determines that the registration status corresponding to the identifier of the mobile terminal is unregistered, then after the network access device allocates an IP address to the mobile terminal, the access control policy corresponding to the IP address is set to the first permission policy.
  • When the AC executes step 20, the AC queries the management server for the registration status of the mobile terminal, confirms that the registration status corresponding to the identifier of the mobile terminal is unregistered, and then assigns an IP address to the mobile terminal.
  • The first permission policy allows the IP address to access the authentication webpage. It is the lowest-privilege of the three permission policies involved in this application: an IP address under it can access only the authentication webpage or a small amount of other resources, which prevents unauthenticated mobile terminals from illegally accessing protected resources and improves the security of the data resources in the wireless network of the enterprise.
  • When the AP executes step 20, the AP queries the management server for the registration status of the mobile terminal, confirms that the registration status corresponding to the identifier of the mobile terminal is unregistered, and requests the AC to allocate an IP address to the mobile terminal. After the AC assigns the IP address, the AP sets the access control policy corresponding to the IP address to the first permission policy.
  • Step 40 The network access device receives a webpage access request message sent by the mobile terminal by using the IP address, and the network access device according to the first permission policy corresponding to the IP address The webpage access request message is redirected to the authentication webpage, and if the network access device determines that the mobile terminal successfully authenticates through the authentication webpage, the webpage access request message is redirected to the registration webpage.
  • the mobile terminal After the mobile terminal obtains the AC assigned IP address, when the user attempts to access any webpage through the web browser on the mobile terminal, the mobile terminal sends a webpage access request message.
  • the AP After receiving the webpage access request message, the AP searches for the corresponding access control policy according to the source IP address of the webpage access request message, and performs corresponding processing according to the found access control policy. And if the access control policy corresponding to the source IP address of the webpage access request message is the first permission policy, sending a first forwarding request to the AC, requesting to redirect the webpage access request message to the authentication webpage.
  • the authentication webpage is provided by a portal portal server in the wireless network of the enterprise, and the portal server sends the lightweight directory access protocol LDAP domain account authentication information input by the mobile terminal in the authentication webpage. Go to the RADIUS server for web page authentication.
  • the webpage authentication result is forwarded to the mobile terminal through the AC and the AP.
  • Web page authentication results include web page authentication success and web page authentication failure.
  • If the webpage authentication succeeds, the AP sets the access control policy corresponding to the IP address to the second permission policy.
  • The second privilege policy allows the IP address to access the registration webpage.
  • The second privilege policy is higher than the first privilege policy: an IP address under the second policy can access not only the authentication webpage but also the registration webpage. This approach prevents unauthenticated mobile terminals from accessing protected resources and improves the security of data resources in the enterprise's wireless network.
  • After the access control policy corresponding to the mobile terminal is updated to the second privilege policy, the AP sends a second forwarding request to the AC, requesting that the webpage access request message be redirected again, this time to the registration webpage.
  • The registration webpage may be provided by the management server. Following the introduction and guidance information on the registration webpage, the user of the mobile terminal may enter personal information, such as a domain account, department and position, and some device parameters of the mobile terminal, such as the device manufacturer and model.
  • the management server generates a configuration file and assigns a digital certificate to the mobile terminal according to the above information input by the user of the mobile terminal through the registration webpage.
  • The configuration file includes configuration parameters for accessing the wireless network of the enterprise, for example various network access parameters including a network identifier. After receiving the configuration file, the mobile terminal replaces its original configuration file with it and can thereby conveniently complete the configuration operations required to access the wireless network of the enterprise.
  • the function of assigning the digital certificate may be performed by the RADIUS server, that is, after the user of the mobile terminal inputs the above information through the registration webpage, the management server notifies the RADIUS server to allocate the digital certificate to the mobile terminal.
  • The mobile terminal can then perform 802.1X authentication, such as EAP-TLS authentication, with the RADIUS server using the digital certificate, and securely access the wireless network of the enterprise after the authentication succeeds.
  • Step 50 If the network access device determines that the mobile terminal completes registration in the wireless network of the enterprise by using the registration webpage, the network access device sends a configuration file and a digital certificate to the mobile terminal; the configuration file and the digital certificate are used by the mobile terminal to access the wireless network of the enterprise by using an EAP-TLS authentication mode.
  • After the management server generates the configuration file and notifies the RADIUS server to allocate the digital certificate, the management server updates the registration status of the mobile terminal in the management server to registered. Thereafter, the management server sends the configuration file to the mobile terminal through the AP, and the RADIUS server sends the digital certificate to the mobile terminal through the AP.
  • After receiving the configuration file sent by the management server and the digital certificate sent by the RADIUS server, the AP forwards them to the mobile terminal.
  • The management server may alternatively update the registration status of the mobile terminal in the management server to registered after the configuration file has been sent to the mobile terminal through the AP.
  • the mobile terminal accesses the wireless network of the enterprise by using the EAP-TLS authentication mode according to the configuration file and the digital certificate.
  • In this embodiment, the mechanism that triggers the mobile terminal to access the wireless network of the enterprise by the EAP-TLS authentication mode is as follows:
  • After the registration status of the mobile terminal in the management server is updated to registered, the RADIUS server sends a dynamic authorization CoA message to the AC, and the AC forwards the received CoA message to the AP. After receiving the CoA message, the network access device instructs the mobile terminal to resend the access request message (for example, by disconnecting the network connection established between the AP and the mobile terminal, so that the mobile terminal re-attempts to access the network and thereby sends a new access request message).
  • The RADIUS server may send the CoA message to the AC after allocating the digital certificate and sending it to the mobile terminal; in that case it is recommended that sending the digital certificate and sending the CoA message be separated by a predetermined period of time, for example 1 second, to ensure that the mobile terminal has already received the digital certificate and the configuration file when the AP and the mobile terminal disconnect the established network connection, thereby improving the success rate of the secure access;
  • Alternatively, the management server sends a notification message after updating the registration status of the mobile terminal to registered, and the RADIUS server sends the CoA message after receiving the notification message.
  • After receiving the CoA message, the AC further reclaims the IP address.
  • The specific access procedure used when the mobile terminal accesses the wireless network of the enterprise by the EAP-TLS authentication mode according to the configuration file and the digital certificate is prior art and is not described in detail here.
  • After the EAP-TLS authentication of the mobile terminal with the RADIUS server succeeds, the AC reassigns an IP address to the mobile terminal, the access control policy corresponding to this IP address is the third privilege policy, and the AP opens a controlled port for the mobile terminal.
  • the controlled port is configured to transmit service data of the mobile terminal.
  • the third privilege policy is a higher privilege policy that can access protected resources in the enterprise's wireless network.
  • When the mobile terminal requests access to the wireless network of the enterprise, the network access control method treats it differently according to its registration state in the wireless network, specifically:
  • For an unregistered mobile terminal, after the network access device allocates an IP address to it, the device sets the access control policy corresponding to the IP address to the first permission policy, and any webpage the mobile terminal attempts to browse using that IP address is redirected to the authentication webpage for authentication. After the authentication succeeds, the terminal is redirected to the registration webpage for registration, thereby obtaining the configuration file and digital certificate required for subsequent access to the network by EAP-TLS authentication.
  • The above solution does not limit the type of operating system of the mobile terminal: whether it runs the Windows operating system or the Android operating system, the solution is applicable as long as the operating system supports EAP-TLS authentication, so it has good versatility.
  • The network access control method of the mobile terminal provided in Embodiment 1 is further described below from the perspective of the interaction sequence diagram.
  • FIG. 3 is a sequence diagram of a network access control method for a mobile terminal according to an embodiment of the present invention, where the method includes:
  • Step 301 The mobile terminal sends an access request message to the AP, that is, a probe request (Probe Request).
  • Step 302 After receiving the access request message, the AP queries the management server for the registration status of the mobile terminal. If the registration status corresponding to the identifier of the mobile terminal is unregistered, step 303 is performed; if the registration status is registered, step 323 is performed.
  • Step 303 The AP sends a probe response (Probe Response) to the mobile terminal, with the authentication algorithm field carried in the probe response set to a non-authentication indicator.
  • Step 304 The mobile terminal sends an authentication request to the AP.
  • Step 305 The AP feeds back an authentication response to the mobile terminal.
  • Step 306 The mobile terminal sends an association request (Association Request) to the AP.
  • Step 307 The AP feeds back the association response to the mobile terminal.
  • Step 308 The AC allocates a first IP address to the mobile terminal by using a Dynamic Host Configuration Protocol (DHCP).
  • the AP sets the access control policy corresponding to the first IP address as the first permission policy.
  • the definitions of the first privilege policy, the second privilege policy, and the third privilege policy in this embodiment are the same as those in the first embodiment, and are not repeated here.
  • Step 309 The mobile terminal sends a webpage access request message when accessing any webpage by using a web browser according to the first IP address assigned by the AC in step 308.
  • Step 310 After receiving the webpage access request message, the AP queries the access control policy corresponding to the source IP address of the webpage access request message. In this embodiment, the query obtains the first permission policy.
  • Step 311 If the corresponding access control policy is queried as the first privilege policy, the AP sends a first forwarding request to the AC for requesting to redirect the webpage access request message to the authentication webpage.
  • Step 312 The AC redirects the webpage access request message to the authentication webpage provided by the Portal server, and the Portal server sends the LDAP domain account authentication information entered by the mobile terminal on the authentication webpage to the RADIUS server for webpage authentication.
  • Step 313 The AP sets the access control policy corresponding to the IP address as the second permission policy if the webpage authentication result indicates that the mobile terminal webpage authentication is successful.
  • Step 314 After the access control policy corresponding to the mobile terminal is updated to the second privilege policy, the AP sends a second forwarding request to the AC, requesting to redirect the webpage access request message to the registration webpage again.
  • Step 315 The AC redirects the webpage access request message to the registration webpage again.
  • Step 316 If the mobile terminal completes registration in the wireless network of the enterprise by using the registration webpage, the management server generates a configuration file for the mobile terminal, and sends the configuration file to the mobile terminal through the AP.
  • the RADIUS server allocates a digital certificate to the mobile terminal, and sends the digital certificate to the mobile terminal through the AP.
  • Step 317 After the registration status of the mobile terminal in the management server is updated to be registered, the RADIUS server sends a CoA message to the AC.
  • Step 318 After receiving the CoA message, the AC instructs the AP to disconnect the network connection established by the mobile terminal, so that the mobile terminal re-attempts to access the network. At this time, step 320 is performed.
  • the AC may recover the first IP address.
  • Step 320 The mobile terminal resends the access request message, that is, the probe request (Probe Request).
  • Step 321 After receiving the access request message, the AP queries the management server for the registration status of the mobile terminal, and the registration status is registered, and step 323 is performed.
  • Step 323 The AP sends a probe response (Probe Response) to the mobile terminal, with the authentication algorithm field carried in the probe response set to an 802.1X authentication indicator with a higher security level.
  • For example, the indicator may be an EAP-TLS authentication indicator.
  • the authentication algorithm field is used to indicate that the mobile terminal accesses the wireless network of the enterprise according to an EAP-TLS authentication manner.
  • Step 324 The mobile terminal sends an authentication request to the AP.
  • Step 325 The AP feeds back an authentication response to the mobile terminal.
  • Step 326 The mobile terminal sends an association request (Association Request) to the AP.
  • Step 327 The AP feeds back the association response to the mobile terminal.
  • Step 328 The mobile terminal performs 802.1X authentication with the RADIUS server, using the previously obtained digital certificate during the authentication process.
  • Step 329 If the 802.1X authentication succeeds, the mobile terminal accesses the wireless network of the enterprise according to parameters in the configuration file. After the 802.1X authentication succeeds, the RADIUS server sends an authorization packet to the AC. The AC re-assigns the second IP address to the mobile terminal. The access control policy corresponding to the second IP address in the AP is the third privilege policy. The AP opens a controlled port for the mobile terminal, and the controlled port is used to transmit service data of the mobile terminal.
  • the network access control method of the mobile terminal provided by the embodiment of the present invention can facilitate the access control when the mobile terminal accesses the network through the cooperation of the AP, the AC, the Portal server, the RADIUS server, and the management server. It simplifies the tedious work required by administrators and users in the prior art.
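As an added illustration, not code from the patent, the following Python simulation models the access control decisions the AP makes in steps 301 to 329: the probe response chosen from the registration status, the per-IP first, second and third permission policies behind the redirects, and the CoA-driven teardown that reclaims the first IP address. The URLs, address pool and terminal identifier are constructed stand-ins.

```python
from dataclasses import dataclass, field
from enum import Enum

# Constructed URLs standing in for the portal server's authentication webpage,
# the management server's registration webpage and a protected intranet resource.
AUTH_PAGE = "https://portal.example.invalid/auth"
REGISTER_PAGE = "https://mgmt.example.invalid/register"
INTRANET = "http://intranet.example.invalid/"


class Policy(Enum):
    FIRST = 1   # unregistered terminal: may reach the authentication webpage only
    SECOND = 2  # web-authenticated: may also reach the registration webpage
    THIRD = 3   # registered and EAP-TLS authenticated: protected resources


@dataclass
class AccessController:
    """Only the part of the AC the AP depends on here: the address pool."""
    pool: list

    def allocate_ip(self):
        return self.pool.pop(0)

    def reclaim_ip(self, ip):
        self.pool.append(ip)


@dataclass
class AccessPoint:
    ac: AccessController
    registry: dict = field(default_factory=dict)   # management server: id -> status
    policies: dict = field(default_factory=dict)   # ip -> Policy
    controlled_ports: set = field(default_factory=set)

    def handle_probe(self, identifier):
        """Steps 301-308 and 320-323: the probe response depends on registration."""
        if self.registry.get(identifier, "unregistered") == "registered":
            return {"auth_algorithm": "802.1X-EAP-TLS", "ip": None}
        ip = self.ac.allocate_ip()
        self.policies[ip] = Policy.FIRST
        return {"auth_algorithm": "open", "ip": ip}

    def handle_web_request(self, src_ip, url):
        """Steps 309-315: the decision is keyed on the source IP's policy."""
        policy = self.policies.get(src_ip)
        if policy is None:
            return ("drop", None)  # no lease and no policy: default deny
        if policy is Policy.FIRST:
            return ("allow", url) if url == AUTH_PAGE else ("redirect", AUTH_PAGE)
        if policy is Policy.SECOND:
            if url in (AUTH_PAGE, REGISTER_PAGE):
                return ("allow", url)
            return ("redirect", REGISTER_PAGE)
        return ("allow", url)

    def handle_web_auth_result(self, ip, success):
        """Step 313: web authentication success raises FIRST to SECOND, nothing else."""
        if success and self.policies.get(ip) is Policy.FIRST:
            self.policies[ip] = Policy.SECOND
        return self.policies.get(ip)

    def handle_coa(self, ip):
        """Steps 317-318: after the CoA, drop the connection, the policy and the lease."""
        self.policies.pop(ip, None)
        self.ac.reclaim_ip(ip)

    def handle_eap_tls_success(self):
        """Step 329: a fresh IP, the third policy and an open controlled port."""
        ip = self.ac.allocate_ip()
        self.policies[ip] = Policy.THIRD
        self.controlled_ports.add(ip)
        return ip


def run_flow(identifier="aa:bb:cc:dd:ee:ff"):  # constructed terminal identifier
    """Walk one terminal through the whole sequence and record what the AP decided."""
    ap = AccessPoint(AccessController(pool=["10.0.0.10", "10.0.0.11"]))
    trace = {}
    probe = ap.handle_probe(identifier)
    ip1, trace["probe1"] = probe["ip"], probe["auth_algorithm"]
    trace["first"] = ap.handle_web_request(ip1, INTRANET)   # -> authentication page
    ap.handle_web_auth_result(ip1, success=True)
    trace["second"] = ap.handle_web_request(ip1, INTRANET)  # -> registration page
    ap.registry[identifier] = "registered"  # step 316: config file and cert issued
    ap.handle_coa(ip1)
    trace["stale"] = ap.handle_web_request(ip1, INTRANET)   # old lease is dead
    trace["probe2"] = ap.handle_probe(identifier)["auth_algorithm"]
    ip2 = ap.handle_eap_tls_success()
    trace["third"] = ap.handle_web_request(ip2, INTRANET)   # protected resource
    trace["port_open"] = ip2 in ap.controlled_ports
    return trace
```

Two defender-side points the steps leave implicit are made explicit here: a source IP with no policy entry is dropped rather than treated as first-policy, and a webpage authentication result for an IP that was never leased grants nothing.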
  • the embodiment of the present invention provides a wireless AP.
  • the device includes a receiving unit 401, a determining unit 402, a resource allocation requesting unit 403, a policy setting unit 404, a redirect requesting unit 405, and a sending unit 406. as follows:
  • The receiving unit 401 is configured to receive an access request message sent by the mobile terminal, where the access request message is used to request access to a wireless network of the enterprise and carries an identifier of the mobile terminal, the identifier being used to uniquely identify the mobile terminal within the scope of the wireless network of the enterprise;
  • the determining unit 402 is configured to determine, in the access request message received by the receiving unit 401, a registration status corresponding to the identifier of the mobile terminal, where the registration status is used to identify whether the mobile terminal is registered in a wireless network of the enterprise;
  • The resource allocation requesting unit 403 is configured to, if the determining unit 402 determines that the registration status corresponding to the identifier of the mobile terminal is unregistered, request the wireless access controller AC that controls the wireless AP to allocate an IP address to the mobile terminal;
  • the policy setting unit 404 is configured to set an access control policy corresponding to the IP address as a first rights policy, where the first rights policy allows the IP address to access an authentication webpage;
  • the receiving unit 401 is further configured to receive a webpage access request message sent by the mobile terminal by using the IP address;
  • The redirection requesting unit 405 is configured to send a first forwarding request to the AC according to the first privilege policy corresponding to the IP address set by the policy setting unit 404, requesting that the webpage access request message be redirected to the authentication webpage; and, if it is determined that the mobile terminal successfully authenticates through the authentication webpage, to send a second forwarding request to the AC requesting that the webpage access request message be redirected to the registration webpage;
  • the receiving unit 401 is further configured to receive a configuration file and a digital certificate from the wireless AC;
  • The sending unit 406 is further configured to forward the configuration file and the digital certificate to the mobile terminal, where the configuration file and the digital certificate are used by the mobile terminal to access the wireless network of the enterprise by using the EAP-TLS authentication mode.
  • The receiving unit 401 is further configured to receive a webpage authentication result from a RADIUS server, where the authentication webpage is provided by a Portal server in the wireless network of the enterprise and the Portal server sends the LDAP domain account authentication information entered by the mobile terminal on the authentication webpage to the RADIUS server for webpage authentication;
  • The policy setting unit 404 is further configured to, if the webpage authentication result indicates that the mobile terminal passes the webpage authentication, set the access control policy corresponding to the IP address to a second privilege policy, where the second privilege policy allows the IP address to access the registration webpage;
  • The redirection requesting unit 405 is specifically configured to send, according to the second privilege policy corresponding to the IP address, a first forwarding request to the AC requesting that the webpage access request message be redirected to the registration webpage.
  • the sending unit 406 is further configured to forward the webpage authentication result to the mobile terminal.
  • The sending unit 406 is further configured to, if the determining unit 402 determines that the registration status is registered, send a response message to the mobile terminal, where an authentication algorithm field carried in the response message is set to an EAP-TLS authentication indicator, configured to indicate that the mobile terminal accesses the wireless network of the enterprise according to the EAP-TLS authentication manner;
  • The apparatus shown in FIG. 4 further includes a port opening unit 407, configured to open a controlled port for the mobile terminal when the network access device determines that the EAP-TLS authentication performed between the mobile terminal and the RADIUS server is successful, where the controlled port is used to transmit service data of the mobile terminal.
  • the determining unit 402 in the apparatus shown in FIG. 4 specifically includes:
  • the obtaining sub-unit 501 is configured to obtain an identifier of the mobile terminal from the access request message received by the receiving unit 401;
  • The query subunit 502 is configured to query, according to the identifier of the mobile terminal acquired by the obtaining subunit 501, a management server in the wireless network of the enterprise for the registration status of the mobile terminal;
  • The receiving subunit 503 is configured to receive the registration status of the mobile terminal returned by the management server in response to the query of the query subunit 502.
  • As shown in FIG. 6, the AP includes a memory 601, a processor 602, a receiver 603, and a transmitter 604.
  • The receiver 603 and the transmitter 604 may be implemented on the same communication chip.
  • the above memory 601, processor 602, receiver 603, and transmitter 604 can be connected to each other through a bus.
  • The receiver 603 is configured to receive an access request message sent by the mobile terminal, where the access request message is used to request access to a wireless network of the enterprise and carries an identifier of the mobile terminal, the identifier being used to uniquely identify the mobile terminal within the scope of the wireless network of the enterprise;
  • The processor 602 is configured to read the program code stored in the memory 601 and execute the following: determining a registration status corresponding to the identifier of the mobile terminal, where the registration status is used to identify whether the mobile terminal is registered in the wireless network of the enterprise; if it is determined that the registration status corresponding to the identifier of the mobile terminal is unregistered, requesting the wireless access controller AC that controls the wireless AP to allocate an IP address to the mobile terminal; and setting the access control policy corresponding to the IP address to a first rights policy, where the first rights policy allows the IP address to access the authentication webpage;
  • the receiver 603 is further configured to receive a webpage access request message sent by the mobile terminal by using the IP address;
  • The transmitter 604 is configured to send, according to the first rights policy corresponding to the IP address, a first forwarding request to the AC requesting that the webpage access request message be redirected to the authentication webpage; and, if it is determined that the mobile terminal successfully authenticates through the authentication webpage, to send a second forwarding request to the AC requesting that the webpage access request message be redirected to the registration webpage;
  • the receiver 603 is further configured to receive a configuration file and a digital certificate from the wireless AC;
  • the transmitter 604 is further configured to forward the configuration file and the digital certificate to the mobile terminal.
  • the configuration file and the digital certificate are used by the mobile terminal to access the wireless network of the enterprise by using an EAP-TLS authentication method.
  • The receiver 603 is further configured to receive a webpage authentication result from a Remote Authentication Dial-In User Service (RADIUS) server, where the authentication webpage is provided by a Portal server in the wireless network of the enterprise, and the Portal server sends the Lightweight Directory Access Protocol (LDAP) domain account authentication information entered by the mobile terminal on the authentication webpage to the RADIUS server for webpage authentication;
  • The processor 602 is configured to, if the webpage authentication result received by the receiver 603 indicates that the mobile terminal passes the webpage authentication, set the access control policy corresponding to the IP address to a second permission policy, where the second privilege policy allows the IP address to access the registration webpage, and to send the first forwarding request to the AC according to the second privilege policy corresponding to the IP address, requesting that the webpage access request message be redirected to the registration webpage.
  • The transmitter 604 is further configured to, if the processor 602 determines that the registration status is registered, send a response message to the mobile terminal, where an authentication algorithm field carried in the response message is set to an EAP-TLS authentication indicator, configured to indicate that the mobile terminal accesses the wireless network of the enterprise according to the EAP-TLS authentication manner;
  • The processor 602 is further configured to, when the network access device determines that the EAP-TLS authentication performed between the mobile terminal and the RADIUS server is successful, open a controlled port for the mobile terminal, where the controlled port is configured to transmit service data of the mobile terminal.
  • The processor 602 determines the registration status corresponding to the identifier of the mobile terminal specifically as follows: the processor 602 acquires the identifier of the mobile terminal from the access request message, queries the management server in the wireless network of the enterprise for the registration status of the mobile terminal according to the identifier, and receives the registration status of the mobile terminal returned by the management server.
  • For the working process of the device in the wireless AP shown in FIG. 6 and the interaction between the wireless AP and the other network devices in the system shown in FIG. 1, refer to the description in the foregoing method embodiment; they are not described in detail again here.
  • This embodiment of the invention provides a wireless AP. The wireless AP receives an access request message sent by the mobile terminal, determines the registration status corresponding to the identifier of the mobile terminal in the access request message, and, if the registration status is unregistered, requests the wireless AC that controls the wireless AP to allocate an IP address to the mobile terminal and sets the access control policy corresponding to the IP address to a first permission policy; receives a webpage access request message sent by the mobile terminal using the IP address; according to the access control policy set for the IP address, sends a first forwarding request to the AC requesting that the webpage access request message be redirected to the authentication webpage; if it determines that the mobile terminal successfully authenticates through the authentication webpage, sends a second forwarding request to the AC requesting that the webpage access request message be redirected to the registration webpage; receives a configuration file and a digital certificate from the management server and the certificate server; and forwards the configuration file and the digital certificate to the mobile terminal.
  • This embodiment provides a wireless AC, as shown in FIG. 7, including a receiving unit 701, a determining unit 702, a resource allocating unit 703, a redirecting unit 704, and a sending unit 705, where:
  • The receiving unit 701 is configured to receive an access request message sent by the mobile terminal, where the access request message is used to request access to a wireless network of an enterprise and carries an identifier of the mobile terminal, the identifier being used to uniquely identify the mobile terminal within the scope of the wireless network of the enterprise;
  • the determining unit 702 is configured to determine a registration status corresponding to the identifier of the mobile terminal in the access request message received by the receiving unit 701, where the registration status is used to identify whether the mobile terminal is registered in the wireless network of the enterprise;
  • the resource allocation unit 703 is configured to allocate an IP address to the mobile terminal if the determining unit 702 determines that the registration status corresponding to the identifier of the mobile terminal is unregistered;
  • the receiving unit 701 is further configured to receive a first forwarding request sent by the AP controlled by the AC;
  • the redirecting unit 704 is configured to redirect, according to the first forwarding request, a webpage access request message sent by the mobile terminal by using the IP address to an authentication webpage;
  • the receiving unit 701 is further configured to receive a second forwarding request sent by the AP;
  • the redirecting unit 704 is further configured to redirect the webpage access request message to the registered webpage according to the second forwarding request;
  • The receiving unit 701 is further configured to receive a configuration file and a digital certificate sent by a management server in the wireless network of the enterprise, where the configuration file and the digital certificate are used by the mobile terminal to access the wireless network of the enterprise by using the EAP-TLS authentication mode; after the management server sends the configuration file and the digital certificate, the registration status of the mobile terminal in the management server is updated to registered;
  • the sending unit 705 is further configured to send the configuration file and the digital certificate to the AP.
  • the determining unit 702 specifically includes:
  • the obtaining subunit 801 is configured to obtain an identifier of the mobile terminal from the access request message.
  • the query subunit 802 is configured to query, according to the identifier of the mobile terminal acquired by the obtaining subunit 801, the management server in the wireless network of the enterprise, the registration status of the mobile terminal;
  • The receiving subunit 803 is configured to receive the registration status of the mobile terminal returned by the management server in response to the query of the query subunit 802.
  • the receiving unit 701 in FIG. 7 is further configured to receive a dynamic authorization CoA message sent by the RADIUS server, and after receiving the CoA message, instruct the mobile terminal to resend the access request message.
  • the CoA message is sent after the mobile terminal's registration status in the management server is updated to be registered.
  • the apparatus in FIG. 7 further includes a resource recovery unit 706 for reclaiming the IP address after the receiving unit 701 receives the CoA message.
  • FIG. 9 is a schematic structural diagram of a wireless AC according to an embodiment of the present invention.
  • the AC includes a memory 901, a processor 902, a receiver 903, and a transmitter 904.
  • The receiver 903 and the transmitter 904 may be implemented on the same communication chip.
  • the above memory 901, processor 902, receiver 903, and transmitter 904 may be connected to each other through a bus.
  • The receiver 903 is configured to receive an access request message sent by the mobile terminal, where the access request message is used to request access to a wireless network of an enterprise and carries an identifier of the mobile terminal, the identifier being used to uniquely identify the mobile terminal within the range of the wireless network of the enterprise;
  • the processor 902 is configured to read the program code stored in the memory 901, and execute:
  • determining the registration status corresponding to the identifier of the mobile terminal in the access request message received by the receiver 903, where the registration status is used to identify whether the mobile terminal is registered in the wireless network of the enterprise; and, if the registration status corresponding to the identifier of the mobile terminal is unregistered, allocating an IP address to the mobile terminal;
  • the receiver 903 is further configured to receive a first forwarding request sent by the AP controlled by the AC;
  • the processor 902 is further configured to redirect, according to the first forwarding request received by the receiver 903, a webpage access request message sent by the mobile terminal by using the IP address to an authentication webpage;
  • the receiver 903 is further configured to receive a second forwarding request sent by the AP.
  • the processor 902 is further configured to redirect the webpage access request message to the registration webpage according to the second forwarding request received by the receiver 903;
  • the receiver 903 is further configured to receive a configuration file and a digital certificate sent by a management server in the wireless network of the enterprise, where the configuration file and the digital certificate are used by the mobile terminal to access the wireless network of the enterprise by using the EAP-TLS authentication mode; after the management server sends the configuration file and the digital certificate, the registration status of the mobile terminal in the management server is updated to registered;
  • the transmitter 904 is configured to send the configuration file and the digital certificate to the AP.
  • when determining the registration status corresponding to the identifier of the mobile terminal in the access request message received by the receiver 903, the processor 902 is specifically configured to:
  • the receiver 903 is further configured to receive a dynamic authorization CoA message sent by the RADIUS server, and after receiving the CoA message, to instruct the mobile terminal to resend the access request message; the CoA message is sent after the registration status of the mobile terminal in the management server is updated to registered.
  • the processor 902 is further configured to reclaim the IP address after the receiver 903 receives the CoA message.
  • the embodiment of the present invention provides a wireless AC, where the wireless AC receives an access request message sent by the mobile terminal and determines the registration status corresponding to the identifier of the mobile terminal in the access request message; if the registration status is unregistered, the AC allocates an IP address to the mobile terminal; receives the first forwarding request sent by the AP controlled by the AC; redirects, according to the first forwarding request, the webpage access request message sent by the mobile terminal using the IP address to the authentication webpage; receives the second forwarding request sent by the AP; redirects the webpage access request message to the registration webpage according to the second forwarding request; and receives the configuration file and the digital certificate sent by the management server in the wireless network of the enterprise and sends the configuration file and the digital certificate to the AP.
  • the wireless AC cooperates with other network devices to perform access control conveniently and efficiently when the mobile terminal accesses the network, which simplifies the tedious work required of administrators and users in the prior art.
  • aspects of the present invention, or possible implementations of various aspects may be embodied as a system, method, or computer program product.
  • aspects of the invention, or possible implementations of various aspects, may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, and the like), or an embodiment combining software and hardware aspects, which are collectively referred to herein as a "circuit," "module," or "system."
  • aspects of the invention, or possible implementations of various aspects, may take the form of a computer program product, which is computer readable program code stored in a computer readable medium.
  • the computer readable medium may be a computer readable signal medium or a computer readable storage medium.
  • the computer readable storage medium includes, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing, such as random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, and portable compact disc read-only memory (CD-ROM).
  • a processor in a computer reads the computer readable program code stored in the computer readable medium, so that the processor can perform the functional actions specified in each step, or combination of steps, of the flowcharts, and produce an apparatus that implements the functional actions specified in each block, or combination of blocks, of the block diagrams.
  • the computer readable program code may execute entirely on the user's local computer, partly on the user's local computer as a stand-alone software package, partly on the user's local computer and partly on a remote computer, or entirely on the remote computer or server. It should also be noted that in some alternative implementations, the functions noted in the steps of the flowcharts or in the blocks of the block diagrams may occur out of the order noted. For example, two steps, or two blocks, shown in succession may in fact be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Disclosed are a network access control method and device, which are used to reduce the difficulty of access control when an existing mobile terminal securely accesses a network. The method comprises: receiving, by a network access device, an access request message which is sent by a mobile terminal and carries an identifier of the mobile terminal; determining a registration status corresponding to the identifier of the mobile terminal; if the registration status is unregistered, after an IP address is allocated to the mobile terminal, setting an access control policy corresponding to the IP address to permit the IP address to access an authentication webpage; receiving, by the network access device, a webpage access request message sent by the mobile terminal using the IP address, redirecting the webpage access request message to the authentication webpage according to the access control policy, and, if it is determined that the mobile terminal is authenticated successfully, redirecting it to a registration webpage; and, if the network access device determines that the mobile terminal has completed registration, sending to the mobile terminal a configuration file and a digital certificate which are used for accessing a wireless network of an enterprise via EAP-TLS.

Description

Network access control method and device
This application claims priority to Chinese Patent Application No. 201410003686.X, filed with the Chinese Patent Office on January 3, 2014 and entitled "Network access control method and device", which is incorporated herein by reference in its entirety.
Technical field
The present invention relates to the field of network communication technologies, and in particular to a network access control method, a wireless access point, and a wireless access controller.
Background
With the development of mobile terminal technology, improvements in manufacturing processes and falling sales prices, mobile terminals have spread rapidly in recent years. At present, mobile terminals already outsell personal computers. Bring your own device (BYOD) has accordingly become a widely accepted way of working. To reduce investment in fixed assets and improve office efficiency, more and more enterprises encourage employees to connect their personal mobile terminals to the enterprise network for daily work.
However, the uncertainty about the type, ownership and access location of the mobile terminals that connect to the enterprise wireless network also poses a challenge for enterprise information security management: how to perform effective access control when a mobile terminal connects to the enterprise wireless network, so as to ensure that resources in the enterprise network are not used by unauthorized users.
For security reasons, an access authentication method of a higher security level is usually recommended, for example Institute of Electrical and Electronics Engineers (IEEE) 802.1X Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) certificate authentication, to control the access of mobile terminals to the enterprise wireless network. In practice, however, this method has some inconveniences: the user's mobile terminal needs to obtain a digital certificate in advance, and the configuration of 802.1X authentication access parameters differs between mobile terminals of different brands and models, and on some of them is rather complicated. How to distribute digital certificates to mobile terminals automatically, and help the users of mobile terminals configure the authentication access parameters, has become a problem to be solved.
Summary of the invention
Embodiments of the present invention provide a network access control method, which is used to reduce the difficulty of access control when an existing mobile terminal securely accesses a network.
Correspondingly, embodiments of the present invention further provide a wireless access point and a wireless access controller.
The technical solutions provided by the embodiments of the present invention are as follows:
In a first aspect, a network access control method is provided, including:
receiving, by a network access device, an access request message sent by a mobile terminal, where the access request message is used to request access to a wireless network of an enterprise, the access request message carries an identifier of the mobile terminal, and the identifier of the mobile terminal is used to uniquely identify the mobile terminal within the range of the wireless network of the enterprise;
determining, by the network access device, a registration status corresponding to the identifier of the mobile terminal, where the registration status identifies whether the mobile terminal is registered in the wireless network of the enterprise;
if the network access device determines that the registration status corresponding to the identifier of the mobile terminal is unregistered, allocating, by the network access device, an IP address to the mobile terminal and then setting an access control policy corresponding to the IP address to a first permission policy, where the first permission policy permits the IP address to access an authentication webpage;
receiving, by the network access device, a webpage access request message sent by the mobile terminal using the IP address, redirecting, by the network access device, the webpage access request message to the authentication webpage according to the first permission policy corresponding to the IP address, and, if the network access device determines that the mobile terminal is successfully authenticated through the authentication webpage, redirecting it to a registration webpage; and
if the network access device determines that the mobile terminal has completed registration in the wireless network of the enterprise through the registration webpage, sending, by the network access device, a configuration file and a digital certificate to the mobile terminal, where the configuration file and the digital certificate are used by the mobile terminal to access the wireless network of the enterprise by using the Extensible Authentication Protocol (EAP)-Transport Layer Security (TLS) authentication mode.
In a first possible implementation of the first aspect, the authentication webpage is provided by a Portal server in the wireless network of the enterprise, and the Portal server sends the Lightweight Directory Access Protocol (LDAP) domain account authentication information entered by the mobile terminal in the authentication webpage to a Remote Authentication Dial In User Service (RADIUS) server for webpage authentication;
and the redirecting to the registration webpage if the network access device determines that the mobile terminal is successfully authenticated through the authentication webpage includes:
receiving, by the network access device, a webpage authentication result returned by the RADIUS server;
if the webpage authentication result indicates that the mobile terminal has passed the webpage authentication, setting, by the network access device, the access control policy corresponding to the IP address to a second permission policy, where the second permission policy permits the IP address to access the registration webpage; and
redirecting, by the network access device, the webpage access request message to the registration webpage according to the second permission policy corresponding to the IP address.
With reference to the first aspect or the first possible implementation of the first aspect, a second possible implementation of the first aspect is further provided, further including: if the network access device determines that the registration status corresponding to the identifier of the mobile terminal is registered, sending, by the network access device, a response message to the mobile terminal, where an authentication algorithm field carried in the response message is set to an EAP-TLS authentication indicator, to instruct the mobile terminal to access the wireless network of the enterprise by using the EAP-TLS authentication mode; and
when the network access device determines that EAP-TLS authentication between the mobile terminal and the RADIUS server succeeds, opening a controlled port for the mobile terminal, where the controlled port is used to transmit service data of the mobile terminal.
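The following Python simulation is an added example, not code from the patent or from any Huawei product. It runs one unregistered terminal through the method of the first aspect and its first and second possible implementations (the same flow the abstract and the AC embodiment above describe): a provisional IP under a first permission policy that reaches only the authentication webpage, widening to the registration webpage only on a positive RADIUS webpage-authentication result, delivery of the configuration file and certificate, CoA-driven reclaim of the IP, and finally the EAP-TLS branch that opens the controlled port. The class names, the two URLs and the IP pool are assumptions; the page does not fix what the terminal identifier is, so a MAC address stands in for it, and the configuration file and certificate are placeholder strings.

```python
# Added example of the registration-driven access control flow; not code from
# the patent or any Huawei product. Class names, URLs and the IP pool are assumed,
# the terminal identifier is taken to be a MAC address, and the profile and
# certificate returned by the management server are placeholder strings.
from dataclasses import dataclass
from enum import Enum

AUTH_PORTAL_URL = "https://portal.example.corp/login"     # assumed
REGISTRATION_URL = "https://mgmt.example.corp/register"   # assumed


class Policy(Enum):
    AUTH_ONLY = "first permission policy"       # only the authentication webpage
    REGISTER_ONLY = "second permission policy"  # only the registration webpage


class ManagementServer:
    """Keeps the registration status per terminal identifier and hands out the
    EAP-TLS configuration file and certificate once registration completes."""
    def __init__(self):
        self.registered = set()

    def is_registered(self, terminal_id):
        return terminal_id in self.registered

    def complete_registration(self, terminal_id):
        bundle = {"profile": f"eap-tls-profile-for-{terminal_id}",    # placeholder
                  "certificate": f"client-cert-for-{terminal_id}"}    # placeholder
        self.registered.add(terminal_id)   # status is now "registered"
        return bundle


@dataclass
class Session:
    terminal_id: str
    ip: str
    policy: Policy = Policy.AUTH_ONLY
    web_authenticated: bool = False


class NetworkAccessDevice:
    """AP/AC role: per-IP policy, redirects, CoA handling, controlled port."""
    def __init__(self, mgmt, ip_pool):
        self.mgmt = mgmt
        self.free_ips = list(ip_pool)
        self.sessions = {}        # provisional IP -> Session
        self.open_ports = set()   # terminal ids allowed to send service data

    def handle_access_request(self, terminal_id):
        if self.mgmt.is_registered(terminal_id):
            return {"auth_method": "EAP-TLS"}            # registered: no captive portal
        ip = self.free_ips.pop(0)
        self.sessions[ip] = Session(terminal_id, ip)    # starts under AUTH_ONLY
        return {"auth_method": "web", "ip": ip}

    def handle_web_request(self, ip, url):
        """Deny by default: only the page the current policy names is reachable."""
        s = self.sessions.get(ip)
        if s is None:
            return {"action": "drop"}                    # no session, no policy, no access
        allowed = AUTH_PORTAL_URL if s.policy is Policy.AUTH_ONLY else REGISTRATION_URL
        if url.startswith(allowed):
            return {"action": "forward"}
        return {"action": "redirect", "location": allowed}

    def handle_web_auth_result(self, ip, success):
        """Webpage authentication result from RADIUS; widen the policy only on success."""
        s = self.sessions[ip]
        if success:
            s.web_authenticated = True
            s.policy = Policy.REGISTER_ONLY
        return s.policy

    def handle_registration_complete(self, ip):
        s = self.sessions[ip]
        if not s.web_authenticated:                      # registration is gated on web auth
            raise PermissionError("registration attempted before web authentication")
        return self.mgmt.complete_registration(s.terminal_id)   # forwarded to the terminal

    def handle_coa(self, terminal_id):
        """CoA from RADIUS after registration: reclaim the IP, force a new access request."""
        ip = next(ip for ip, s in self.sessions.items() if s.terminal_id == terminal_id)
        del self.sessions[ip]
        self.free_ips.append(ip)
        return "resend access request"

    def handle_eap_tls_result(self, terminal_id, success):
        """Open the controlled port only for a registered terminal that passed EAP-TLS."""
        if success and self.mgmt.is_registered(terminal_id):
            self.open_ports.add(terminal_id)
        return terminal_id in self.open_ports


def onboard(terminal_id="aa:bb:cc:dd:ee:01"):
    """Run one unregistered terminal through the complete flow; returns a trace."""
    mgmt = ManagementServer()
    nad = NetworkAccessDevice(mgmt, ["10.0.9.10", "10.0.9.11"])   # constructed pool
    first = nad.handle_access_request(terminal_id)
    ip = first["ip"]
    before_auth = nad.handle_web_request(ip, "http://intranet.example.corp/")
    nad.handle_web_auth_result(ip, success=True)
    after_auth = nad.handle_web_request(ip, "http://intranet.example.corp/")
    bundle = nad.handle_registration_complete(ip)
    coa = nad.handle_coa(terminal_id)
    second = nad.handle_access_request(terminal_id)
    port_open = nad.handle_eap_tls_result(terminal_id, success=True)
    return {"first": first, "before_auth": before_auth, "after_auth": after_auth,
            "bundle": bundle, "coa": coa, "second": second, "port_open": port_open,
            "ip_reclaimed": ip in nad.free_ips}
```

The point worth checking in a real deployment is the deny-by-default shape of handle_web_request: an IP with no session, or with a session under the first permission policy, reaches nothing but the single page its policy names, and registration is refused unless the webpage authentication result was positive. If the identifier is something the client chooses itself, such as a MAC address, it cannot be trusted on its own; in the flow above it only selects a branch, and service data flows only after the CoA-triggered EAP-TLS exchange, in which the certificate rather than the identifier proves the terminal's identity.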
With reference to the first or second possible implementation of the first aspect, a third possible implementation of the first aspect is further provided, where the determining, by the network access device, the registration status corresponding to the identifier of the mobile terminal includes:
obtaining, by the network access device, the identifier of the mobile terminal from the access request message;
querying, according to the identifier of the mobile terminal, a management server in the wireless network of the enterprise for the registration status of the mobile terminal; and
receiving the registration status of the mobile terminal in the network returned by the management server.
With reference to the third possible implementation of the first aspect, a fourth possible implementation of the first aspect is further provided, where the registration webpage is provided by the management server, and
the sending, by the network access device, the configuration file and the digital certificate to the mobile terminal if the network access device determines that the mobile terminal has completed registration in the wireless network of the enterprise through the registration webpage includes:
receiving, by the network access device, the configuration file and the digital certificate sent by the management server, where the configuration file and the digital certificate are sent by the management server after the mobile terminal has completed registration in the wireless network of the enterprise through the registration webpage, and after the management server sends the configuration file and the digital certificate, the registration status of the mobile terminal in the management server is updated to registered; and
sending, by the network access device, the configuration file and the digital certificate to the mobile terminal.
With reference to the fourth possible implementation of the first aspect, a fifth possible implementation of the first aspect is further provided, where after the network access device sends the configuration file and the digital certificate to the mobile terminal, the method further includes:
receiving, by the network access device, a dynamic authorization Change of Authorization (CoA) message sent by the RADIUS server, and instructing the mobile terminal to resend the access request message after receiving the CoA message, where the CoA message is sent after the registration status of the mobile terminal in the management server is updated to registered.
With reference to the fifth possible implementation of the first aspect, a sixth possible implementation of the first aspect is further provided, where after the network access device receives the CoA message, the method further includes: reclaiming, by the network access device, the IP address.
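The CoA message of the fifth and sixth implementations (and of the AC embodiment described earlier) is what tears down the provisional session, so an access device must act on it only when it really came from the RADIUS server. The block below is an added example, not code from the patent or from any Huawei product: it frames a RADIUS CoA-Request and its CoA-ACK/CoA-NAK as RFC 5176 specifies, computes and checks the Request and Response Authenticators with the shared secret, and shows the device-side decision (terminal matched by Calling-Station-Id: ACK; unknown terminal: NAK with Error-Cause 503; bad authenticator: silent drop). The shared secret, identifier and MAC are constructed values, and the use of Calling-Station-Id to carry the terminal identifier is an assumption, since the page does not say which attribute the CoA message uses.

```python
# Added example: RADIUS CoA-Request/CoA-ACK/CoA-NAK handling on the access device
# side (RFC 5176 framing and authenticators). Not code from the patent or any
# Huawei product; the shared secret and terminal MAC below are constructed, and
# Calling-Station-Id as the carrier of the terminal identifier is an assumption.
import hashlib
import hmac
import struct

CODE_COA_REQUEST, CODE_COA_ACK, CODE_COA_NAK = 43, 44, 45   # RFC 5176 packet codes
ATTR_CALLING_STATION_ID = 31     # usually holds the client MAC (assumption here)
ATTR_ERROR_CAUSE = 101
ERR_SESSION_CONTEXT_NOT_FOUND = 503


def encode_attrs(attrs):
    """attrs: iterable of (type, value bytes); AVP layout is Type(1) Length(1) Value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(blob):
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, l = struct.unpack("!BB", blob[i:i + 2])
        if l < 2 or i + l > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((t, blob[i + 2:i + l]))
        i += l
    return attrs


def build_coa_request(identifier, attrs, secret):
    """RADIUS-server side. Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", CODE_COA_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_coa_request(packet, secret):
    """Access-device side: returns the attribute list or raises ValueError."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_COA_REQUEST or length != len(packet):
        raise ValueError("not a well-formed CoA-Request")
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Request Authenticator: wrong secret or tampered packet")
    return decode_attrs(packet[20:])


def build_coa_response(request, code, secret, attrs=()):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_coa_response(request, response, secret):
    """RADIUS-server side check of an ACK/NAK against the request it answers."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def handle_coa(packet, secret, known_terminals):
    """What the AP/AC does with a datagram on the CoA port: verify, match the
    terminal, then ACK or NAK. Returns None when the packet must be silently dropped."""
    try:
        attrs = verify_coa_request(packet, secret)
    except ValueError:
        return None   # RFC 5176: a request with a bad authenticator is silently discarded
    mac = next((v.decode("ascii", "replace") for t, v in attrs
                if t == ATTR_CALLING_STATION_ID), None)
    if mac in known_terminals:
        # Here the device would reclaim the provisional IP and tell the terminal to
        # send a new access request, which is then answered with the EAP-TLS indicator.
        return build_coa_response(packet, CODE_COA_ACK, secret)
    cause = struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND)
    return build_coa_response(packet, CODE_COA_NAK, secret, [(ATTR_ERROR_CAUSE, cause)])
```

Only the packet framing and the authenticator check are shown; the UDP transport (port 3799 by default) and the reaction on ACK (reclaim the IP and ask the terminal to send a new access request) are left to the caller. The MD5-keyed authenticator is the protocol's own mechanism, so the shared secret must be long and random, and the CoA listener should in addition be restricted at the packet filter to the RADIUS server's address.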
In a second aspect, a wireless access point (AP) is further provided, including:
a receiving unit, configured to receive an access request message sent by a mobile terminal, where the access request message is used to request access to a wireless network of an enterprise, the access request message carries an identifier of the mobile terminal, and the identifier of the mobile terminal is used to uniquely identify the mobile terminal within the range of the wireless network of the enterprise;
a determining unit, configured to determine a registration status corresponding to the identifier of the mobile terminal in the access request message received by the receiving unit, where the registration status identifies whether the mobile terminal is registered in the wireless network of the enterprise;
a resource allocation requesting unit, configured to: if the determining unit determines that the registration status corresponding to the identifier of the mobile terminal is unregistered, request the wireless access controller (AC) that controls the wireless AP to allocate an IP address to the mobile terminal;
a policy setting unit, configured to set an access control policy corresponding to the IP address to a first permission policy, where the first permission policy permits the IP address to access an authentication webpage;
the receiving unit is further configured to receive a webpage access request message sent by the mobile terminal using the IP address;
a redirection requesting unit, configured to send a first forwarding request to the AC according to the first permission policy set by the policy setting unit, to request that the webpage access request message be redirected to the authentication webpage, and, if it is determined that the mobile terminal is successfully authenticated through the authentication webpage, to send a second forwarding request to the AC, to request that the webpage access request message be redirected to a registration webpage;
the receiving unit is further configured to receive a configuration file and a digital certificate from the wireless AC; and
the sending unit is further configured to forward the configuration file and the digital certificate to the mobile terminal, where the configuration file and the digital certificate are used by the mobile terminal to access the wireless network of the enterprise by using the Extensible Authentication Protocol (EAP)-Transport Layer Security (TLS) authentication mode.
In a first possible implementation of the second aspect, the receiving unit is further configured to receive a webpage authentication result from a Remote Authentication Dial In User Service (RADIUS) server, where the authentication webpage is provided by a Portal server in the wireless network of the enterprise, and the Portal server sends the Lightweight Directory Access Protocol (LDAP) domain account authentication information entered by the mobile terminal in the authentication webpage to the RADIUS server for webpage authentication;
the policy setting unit is further configured to: if the webpage authentication result indicates that the mobile terminal has passed the webpage authentication, set the access control policy corresponding to the IP address to a second permission policy, where the second permission policy permits the IP address to access the registration webpage; and
the redirection requesting unit is specifically configured to send the second forwarding request to the AC according to the second permission policy corresponding to the IP address, to request that the webpage access request message be redirected to the registration webpage.
With reference to the second aspect or the first possible implementation of the second aspect, a second possible implementation of the second aspect is further provided, where the sending unit is further configured to: if the determining unit determines that the registration status is registered, send a response message to the mobile terminal, where an authentication algorithm field carried in the response message is set to an EAP-TLS authentication indicator, to instruct the mobile terminal to access the wireless network of the enterprise by using the EAP-TLS authentication mode; and
the wireless AP further includes:
a port opening unit, configured to open a controlled port for the mobile terminal when the network access device determines that EAP-TLS authentication between the mobile terminal and the RADIUS server succeeds, where the controlled port is used to transmit service data of the mobile terminal.
With reference to the second aspect or any one of the foregoing possible implementations of the second aspect, the determining unit includes:
an obtaining subunit, configured to obtain the identifier of the mobile terminal from the access request message;
a querying subunit, configured to query a management server in the wireless network of the enterprise for the registration status of the mobile terminal according to the identifier of the mobile terminal obtained by the obtaining subunit; and
a receiving subunit, configured to receive the registration status of the mobile terminal in the network returned by the management server.
In a third aspect, a wireless access point (AP) is provided, including a memory, a processor, a receiver and a transmitter;
the receiver is configured to receive an access request message sent by a mobile terminal, where the access request message is used to request access to a wireless network of an enterprise, the access request message carries an identifier of the mobile terminal, and the identifier of the mobile terminal is used to uniquely identify the mobile terminal within the range of the wireless network of the enterprise;
the processor is configured to read program code stored in the memory and execute: determining a registration status corresponding to the identifier of the mobile terminal, where the registration status identifies whether the mobile terminal is registered in the wireless network of the enterprise; if it is determined that the registration status corresponding to the identifier of the mobile terminal is unregistered, requesting the wireless access controller (AC) that controls the wireless AP to allocate an IP address to the mobile terminal; and setting an access control policy corresponding to the IP address to a first permission policy, where the first permission policy permits the IP address to access an authentication webpage;
the receiver is further configured to receive a webpage access request message sent by the mobile terminal using the IP address;
the transmitter is configured to send a first forwarding request to the AC according to the first permission policy corresponding to the IP address, to request that the webpage access request message be redirected to the authentication webpage, and, if it is determined that the mobile terminal is successfully authenticated through the authentication webpage, to send a second forwarding request to the AC, to request that the webpage access request message be redirected to a registration webpage;
the receiver is further configured to receive a configuration file and a digital certificate from the wireless AC; and
the transmitter is further configured to forward the configuration file and the digital certificate to the mobile terminal, where the configuration file and the digital certificate are used by the mobile terminal to access the wireless network of the enterprise by using the EAP-TLS authentication mode.
In a first possible implementation of the third aspect, the receiver is further configured to receive a webpage authentication result from a Remote Authentication Dial In User Service (RADIUS) server, where the authentication webpage is provided by a Portal server in the wireless network of the enterprise, and the Portal server sends the Lightweight Directory Access Protocol (LDAP) domain account authentication information entered by the mobile terminal in the authentication webpage to the RADIUS server for webpage authentication;
the processor is specifically configured to: if the webpage authentication result indicates that the mobile terminal has passed the webpage authentication, set the access control policy corresponding to the IP address to a second permission policy, where the second permission policy permits the IP address to access the registration webpage; and send the second forwarding request to the AC according to the second permission policy corresponding to the IP address, to request that the webpage access request message be redirected to the registration webpage.
With reference to the third aspect or the first possible implementation of the third aspect, a second possible implementation of the third aspect is further provided, where the transmitter is further configured to: if the processor determines that the registration status is registered, send a response message to the mobile terminal, where an authentication algorithm field carried in the response message is set to an EAP-TLS authentication indicator, to instruct the mobile terminal to access the wireless network of the enterprise by using the EAP-TLS authentication mode; and
the processor is further configured to open a controlled port for the mobile terminal when the network access device determines that EAP-TLS authentication between the mobile terminal and the RADIUS server succeeds, where the controlled port is used to transmit service data of the mobile terminal.
With reference to the third aspect or any one of the foregoing possible implementations of the third aspect, a third possible implementation of the third aspect is further provided, where the processor is configured to: obtain the identifier of the mobile terminal from the access request message; query a management server in the wireless network of the enterprise for the registration status of the mobile terminal according to the identifier of the mobile terminal; and receive the registration status of the mobile terminal in the network returned by the management server.
In a fourth aspect, an AC is provided, including:
a receiving unit, configured to receive an access request message sent by a mobile terminal, where the access request message requests access to an enterprise wireless network and carries an identifier of the mobile terminal, the identifier uniquely identifying the mobile terminal within the scope of the enterprise wireless network;
a determining unit, configured to determine the registration status corresponding to the identifier of the mobile terminal in the access request message received by the receiving unit, where the registration status indicates whether the mobile terminal has registered in the enterprise wireless network;
a resource allocation unit, configured to allocate an IP address to the mobile terminal if the determining unit determines that the registration status corresponding to the identifier is unregistered;
the receiving unit is further configured to receive a first forwarding request sent by a wireless access point (AP) controlled by the AC;
a redirecting unit, configured to redirect, according to the first forwarding request, a webpage access request message sent by the mobile terminal from the IP address to an authentication webpage;
the receiving unit is further configured to receive a second forwarding request sent by the AP;
the redirecting unit is further configured to redirect the webpage access request message to a registration webpage according to the second forwarding request;
the receiving unit is further configured to receive a configuration file and a digital certificate sent by a management server in the enterprise wireless network, where the configuration file and the digital certificate are used by the mobile terminal to access the enterprise wireless network by Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication; after the management server sends the configuration file and the digital certificate, the registration status of the mobile terminal in the management server is updated to registered;
a sending unit, configured to send the configuration file and the digital certificate to the AP.
In a first possible implementation of the fourth aspect, the determining unit includes:
an obtaining subunit, configured to obtain the identifier of the mobile terminal from the access request message;
a querying subunit, configured to query the management server in the enterprise wireless network for the registration status of the mobile terminal according to the identifier obtained by the obtaining subunit;
a receiving subunit, configured to receive the registration status of the mobile terminal in the network returned by the management server.
In a second possible implementation of the fourth aspect, the receiving unit is further configured to receive a dynamic authorization (CoA) message sent by a Remote Authentication Dial In User Service (RADIUS) server and, after receiving the CoA message, to instruct the mobile terminal to resend the access request message; the CoA message is sent after the registration status of the mobile terminal in the management server has been updated to registered.
Based on the second possible implementation of the fourth aspect, a third possible implementation further includes a resource recovery unit, configured to reclaim the IP address after the receiving unit receives the CoA message.
In a fifth aspect, a wireless AC is provided, the AC including a memory, a processor, a receiver and a transmitter;
the receiver is configured to receive an access request message sent by a mobile terminal, where the access request message requests access to an enterprise wireless network and carries an identifier of the mobile terminal, the identifier uniquely identifying the mobile terminal within the scope of the enterprise wireless network;
the processor is configured to read program code stored in the memory and execute the following:
determining the registration status corresponding to the identifier of the mobile terminal in the access request message received by the receiver, where the registration status indicates whether the mobile terminal has registered in the enterprise wireless network; and, if the registration status corresponding to the identifier is unregistered, allocating an IP address to the mobile terminal;
the receiver is further configured to receive a first forwarding request sent by an AP controlled by the AC;
the processor is further configured to redirect, according to the first forwarding request received by the receiver, a webpage access request message sent by the mobile terminal from the IP address to an authentication webpage;
the receiver is further configured to receive a second forwarding request sent by the AP;
the processor is further configured to redirect the webpage access request message to a registration webpage according to the second forwarding request received by the receiver;
the receiver is further configured to receive a configuration file and a digital certificate sent by a management server in the enterprise wireless network, where the configuration file and the digital certificate are used by the mobile terminal to access the enterprise wireless network by EAP-TLS authentication; after the management server sends the configuration file and the digital certificate, the registration status of the mobile terminal in the management server is updated to registered;
the transmitter is configured to send the configuration file and the digital certificate to the AP.
In a first possible implementation of the fifth aspect, when the processor 902 determines the registration status corresponding to the identifier of the mobile terminal in the access request message received by the receiver 903, it is specifically configured to:
obtain the identifier of the mobile terminal from the access request message; query the management server in the enterprise wireless network for the registration status of the mobile terminal according to the obtained identifier; and receive the registration status of the mobile terminal in the network returned by the management server.
In the fifth aspect, or in its first possible implementation, a second possible implementation of the fifth aspect is further provided: the receiver is further configured to receive a dynamic authorization (CoA) message sent by the RADIUS server and, after receiving the CoA message, to instruct the mobile terminal to resend the access request message; the CoA message is sent after the registration status of the mobile terminal in the management server has been updated to registered.
Based on the second possible implementation of the fifth aspect, a third possible implementation is further provided:
the processor is further configured to reclaim the IP address after the receiver receives the CoA message.
In the embodiments of the present invention, when a mobile terminal requests access to the network, the network access device determines the registration status corresponding to the identifier of the mobile terminal. If the network access device determines that this registration status is unregistered, it allocates an IP address to the mobile terminal and sets the access control policy corresponding to that IP address to the first permission policy; according to that policy it redirects webpage access request messages sent by the mobile terminal from the IP address to an authentication webpage; if the network access device determines that the mobile terminal has authenticated successfully through the authentication webpage, it redirects to the registration webpage; and if the network access device determines that the mobile terminal has completed registration in the enterprise wireless network through the registration webpage, it sends a configuration file and a digital certificate to the mobile terminal. Unlike the prior art, there is no need to manually allocate and distribute a digital certificate to every mobile terminal, or to configure its access parameters by hand, before it joins the enterprise wireless network, which lowers the difficulty of implementing access control.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Figure 1 is a schematic diagram of a deployment scenario of the network access control system for mobile terminals provided by an embodiment of the present invention;
Figure 2 is a flowchart of the main implementation principle of an embodiment of the present invention;
Figure 3 is a sequence diagram of the network access control method for a mobile terminal provided by an embodiment of the present invention;
Figure 4 is a schematic structural diagram of a wireless AP provided by the present invention;
Figure 5 is a schematic structural diagram of the determining unit in a wireless AP provided by the present invention;
Figure 6 is a schematic structural diagram of another wireless AP provided by the present invention;
Figure 7 is a schematic structural diagram of a wireless AC provided by the present invention;
Figure 8 is a schematic structural diagram of the determining unit in a wireless AC provided by the present invention;
Figure 9 is a schematic structural diagram of another wireless AC provided by the present invention.
Detailed description
The embodiments of the present invention provide a network access control method for a mobile terminal. The solution is described below with reference to several embodiments.
Embodiment 1
Figure 1 is a schematic diagram of a deployment scenario of the network access control system for mobile terminals provided by an embodiment of the present invention. The system includes a mobile terminal and a network access device. A mobile terminal in this application is a portable device that has a wireless network interface supporting wireless Internet access and runs an operating system, including but not limited to a laptop, a personal digital assistant (PDA) and a mobile phone. The network access device includes a wireless access point (AP) and a wireless access controller (AC); other devices with similar functions may of course also be used. The system further includes a Portal server, a Remote Authentication Dial In User Service (RADIUS) server and a management server. The wireless AP (hereinafter AP), the wireless AC (hereinafter AC), the Portal server, the RADIUS server and the management server may be connected through a switch. Optionally, a certificate server (not shown) for issuing digital certificates may also be included; its function may also be integrated into the RADIUS server or the management server.
The main implementation principle of the technical solution of the embodiments of the present invention, its specific implementation, and the beneficial effects it can achieve are described in detail below with reference to Figure 1.
As shown in Figure 2, the main implementation principle of an embodiment of the present invention proceeds as follows:
Step 10: the network access device receives an access request message sent by a mobile terminal. The access request message requests access to the enterprise wireless network and carries an identifier of the mobile terminal, which uniquely identifies the mobile terminal within the scope of the enterprise wireless network.
The identifier of the mobile terminal includes, but is not limited to, its Medium Access Control (MAC) address.
Step 20: the network access device determines the registration status corresponding to the identifier of the mobile terminal, where the registration status indicates whether the mobile terminal has registered in the enterprise wireless network.
Optionally, where the management server in Figure 1 is used to maintain the registration status of each mobile terminal in the enterprise wireless network, determining the registration status corresponding to the identifier of the mobile terminal specifically includes:
the network access device obtains the identifier of the mobile terminal from the access request message;
queries the management server in the enterprise wireless network for the registration status of the mobile terminal according to that identifier; and
receives the registration status of the mobile terminal in the network returned by the management server.
Step 20 may be performed by the AP or by the AC, as suits the actual deployment; for example, if the functions and hardware of the AP are limited (a thin AP), it may be performed by the AC.
With a thin AP, steps 10 to 20 are specifically:
the AP receives the access request message sent by the mobile terminal and forwards it to the AC, and the AC queries the management server for the registration status of the mobile terminal.
If the AP performs the step itself, steps 10 to 20 are specifically:
the AP receives the access request message sent by the mobile terminal and queries the management server for the registration status of the mobile terminal.
Step 30: if the network access device determines that the registration status corresponding to the identifier of the mobile terminal is unregistered, the network access device allocates an IP address to the mobile terminal and then sets the access control policy corresponding to that IP address to the first permission policy.
Optionally, with a thin AP, the AC queries the management server for the registration status of the mobile terminal, confirms that the registration status corresponding to the identifier is unregistered, and allocates an IP address to the mobile terminal; once the address is allocated, the thin AP sets the access control policy corresponding to that IP address to the first permission policy. The first permission policy allows the IP address to reach the authentication webpage. It is the lowest of the three permission policies involved in this application: only the authentication webpage and a very small set of other resources can be reached, which prevents an unauthenticated mobile terminal from illegally accessing protected resources and improves the security of data resources in the enterprise wireless network.
Optionally, if the AP performs the query of the registration status itself, the AP queries the management server for the registration status of the mobile terminal, confirms that the registration status corresponding to the identifier is unregistered, and asks the AC to allocate an IP address to the mobile terminal; after the AC allocates the address, the AP sets the access control policy corresponding to that IP address to the first permission policy.
Step 40: the network access device receives a webpage access request message sent by the mobile terminal from the IP address and, according to the first permission policy corresponding to that IP address, redirects the webpage access request message to the authentication webpage; if the network access device determines that the mobile terminal has authenticated successfully through the authentication webpage, it then redirects the webpage access request message to the registration webpage.
Specifically, after the mobile terminal obtains the IP address allocated by the AC, whenever the user tries to open any webpage with the browser on the mobile terminal, the mobile terminal sends a webpage access request message. On receiving it, the AP looks up the access control policy corresponding to the source IP address of the message and processes the message according to the policy found. If the policy corresponding to the source IP address is the first permission policy, the AP sends a first forwarding request to the AC, requesting that the webpage access request message be redirected to the authentication webpage.
Optionally, the authentication webpage is provided by the Portal server in the enterprise wireless network. The Portal server sends the Lightweight Directory Access Protocol (LDAP) domain account credentials entered by the mobile terminal on the authentication webpage to the RADIUS server for web authentication. The web authentication result, either success or failure, is forwarded to the mobile terminal through the AC and the AP. How the RADIUS server authenticates the mobile terminal through the webpage provided by the Portal server is prior art and is not detailed here.
If the web authentication result indicates that the mobile terminal authenticated successfully, the AP sets the access control policy corresponding to the IP address to the second permission policy. The second permission policy allows the IP address to reach the registration webpage; in this application it ranks above the first permission policy, so an IP address under it can reach both the authentication webpage and the registration webpage. In this way unauthenticated mobile terminals are kept away from protected resources, improving the security of data resources in the enterprise wireless network.
If the web authentication result indicates that the mobile terminal failed authentication, the access control procedure is exited.
After the access control policy of the mobile terminal has been updated to the second permission policy, the AP sends a second forwarding request to the AC, requesting that the webpage access request message be redirected again, this time to the registration webpage.
The registration webpage may be provided by the management server. Following the instructions and guidance on the registration webpage, the user of the mobile terminal enters personal information, such as domain account, department and position, and some device parameters of the mobile terminal, such as manufacturer and model.
Based on the information entered by the user through the registration webpage, the management server generates a configuration file for the mobile terminal and has a digital certificate allocated to it. The configuration file contains the configuration parameters needed to access the enterprise wireless network, for example the various network access parameters including the network identifier; after receiving it, the mobile terminal can complete every configuration step required to access the enterprise wireless network simply by replacing its existing configuration file.
The allocation of the digital certificate may be performed by the RADIUS server: after the user has entered the above information through the registration webpage, the management server notifies the RADIUS server to allocate a digital certificate to the mobile terminal. With this certificate the mobile terminal can complete 802.1X authentication, such as EAP-TLS, on the RADIUS server, and then access the enterprise wireless network securely once authentication succeeds.
Step 50: if the network access device determines that the mobile terminal has completed registration in the enterprise wireless network through the registration webpage, the network access device sends a configuration file and a digital certificate to the mobile terminal, which the mobile terminal uses to access the enterprise wireless network by EAP-TLS authentication.
Specifically, after generating the configuration file and notifying the RADIUS server to allocate the digital certificate, the management server updates the registration status of the mobile terminal in the management server to registered. The management server then sends the configuration file to the mobile terminal through the AP, and the RADIUS server sends the digital certificate to the mobile terminal through the AP.
After receiving the configuration file from the management server and the digital certificate from the RADIUS server, the AP sends both to the mobile terminal.
Of course, in the above solution the management server may instead update the registration status of the mobile terminal to registered only after it has sent the configuration file to the mobile terminal through the AP.
After step 50, the mobile terminal accesses the enterprise wireless network by EAP-TLS authentication using the configuration file and the digital certificate. One mechanism given in this embodiment for triggering the mobile terminal to access the enterprise wireless network by EAP-TLS is as follows:
after the registration status of the mobile terminal in the management server has been updated to registered, the RADIUS server sends a CoA message to the AC, and the AC forwards the received CoA message to the AP; the AP receives the dynamic authorization (CoA) message sent by the RADIUS server and, after receiving it, instructs the mobile terminal to resend the access request message (for example, after receiving the CoA message the network access device tears down the network connection already established between the AP and the mobile terminal, so that the mobile terminal tries to access the network again and sends a new access request message). Specifically, the RADIUS server may send the CoA message to the AC after it has allocated the digital certificate and sent it to the mobile terminal; in that case it is recommended to leave a predetermined interval, for example 1 second, between sending the certificate and sending the CoA message, so that by the time the AP tears down the established connection the mobile terminal has already received the certificate and the configuration file, which improves the success rate of secure access. A more robust approach is for the management server to send a notification message to the RADIUS server after updating the registration status of the mobile terminal to registered, and for the RADIUS server to send the CoA message to the AC only after receiving that notification.
Optionally, to improve the utilization of network address resources, the AC also reclaims the IP address after receiving the CoA message.
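The text says only that the RADIUS server sends a "CoA message" which makes the AC reclaim the address and the AP tear the session down; on the wire this is RFC 5176 dynamic authorization, which defines both Disconnect-Request (code 40) and CoA-Request (code 43) with the same Request Authenticator construction. The check a practitioner wants on the AC side is that the authenticator is verified against the shared secret before the message is acted on, since an unauthenticated disconnect would let anyone who can reach the AC's dynamic-authorization port knock terminals off mid-onboarding. The following is an added example written for this page, not code from the patent or from any Huawei product; the shared secret and the MAC are constructed values, and the helper names are this example's own.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

# RFC 5176 packet codes, and the RFC 2865 attribute that names the terminal.
DISCONNECT_REQUEST = 40
COA_REQUEST = 43
CALLING_STATION_ID = 31          # carries the client MAC: the identifier of step 10
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; then the 16-octet Authenticator


def encode_attributes(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Serialise (type, value) pairs as RADIUS TLVs (length counts the 2-byte header)."""
    out = bytearray()
    for atype, value in attrs:
        if not 0 <= len(value) <= 253:
            raise ValueError("attribute value must fit in a single TLV")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def build_request(code: int, ident: int, attrs: List[Tuple[int, bytes]], secret: bytes) -> bytes:
    """Build a Disconnect-Request or CoA-Request carrying its Request Authenticator."""
    body = encode_attributes(attrs)
    header = HEADER.pack(code, ident, 20 + len(body))
    # RFC 5176 s2.3 (as RFC 2866): MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request(packet: bytes, secret: bytes) -> Tuple[int, Dict[int, bytes]]:
    """Check length, code and authenticator before trusting a single attribute."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match the datagram")
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        raise ValueError(f"unexpected code {code}")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Request Authenticator mismatch: wrong secret or tampered packet")
    attrs: Dict[int, bytes] = {}
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("bad attribute length")
        attrs[atype] = body[pos + 2:pos + alen]
        pos += alen
    return code, attrs


def terminal_to_disconnect(packet: bytes, secret: bytes) -> str:
    """What the AC needs from a verified message: which terminal's session to tear down."""
    code, attrs = verify_request(packet, secret)
    if CALLING_STATION_ID not in attrs:
        raise ValueError("no Calling-Station-Id: cannot map the message to a terminal")
    return attrs[CALLING_STATION_ID].decode("ascii")
```

The authenticator is only as strong as the shared secret and the MD5 construction the protocol prescribes, so the secret should be long and random and the dynamic-authorization listener (registered UDP port 3799) should accept datagrams only from the RADIUS server's address; the verification above is the minimum, not a substitute for either.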
The specific procedure by which the mobile terminal accesses the enterprise wireless network by EAP-TLS authentication using the configuration file and the digital certificate is prior art and is not detailed here. When the EAP-TLS authentication of the mobile terminal on the RADIUS server succeeds, the AC allocates a new IP address to the mobile terminal, the access control policy corresponding to that IP address is the third permission policy, and the AP opens a controlled port for the mobile terminal, which is used to carry the mobile terminal's service data. The third permission policy is the highest permission policy and allows access to protected resources in the enterprise wireless network.
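Steps 10 to 50 above, together with the CoA-triggered re-association and the third permission policy, describe a small state machine kept by the network access device and keyed on the assigned IP address. The following is an added example modelling that machine, written for this page and not taken from the patent or any Huawei product; it collapses the AP and AC into one object, uses assumed URLs for the Portal server and management server, stands in constructed strings for the configuration file and certificate, and also shows the response-message authentication indicator ("none" for an unregistered terminal, EAP-TLS for a registered one) described in the third aspect above.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Assumed URLs for the Portal server and the management server of Figure 1.
AUTH_PAGE = "https://portal.example.corp/auth"
REG_PAGE = "https://mgmt.example.corp/register"


class Policy(Enum):
    FIRST = 1   # lowest: only the authentication webpage is reachable
    SECOND = 2  # authentication webpage plus the registration webpage
    THIRD = 3   # controlled port open: protected resources reachable


@dataclass
class Terminal:
    mac: str                 # the identifier of step 10 (MAC address)
    ip: str
    policy: Policy
    controlled_port_open: bool = False


class ManagementServer:
    def __init__(self) -> None:
        self._registered: set = set()

    def registration_status(self, mac: str) -> bool:   # queried in step 20
        return mac in self._registered

    def complete_registration(self, mac: str) -> Tuple[str, str]:
        # Generate the configuration file, have the certificate issued, then mark
        # the terminal registered (stand-in values constructed for the model).
        self._registered.add(mac)
        return f"profile:{mac}", f"cert:{mac}"


class NetworkAccessDevice:
    def __init__(self, mgmt: ManagementServer, pool: List[str]) -> None:
        self.mgmt = mgmt
        self.pool = list(pool)                 # free addresses, reclaimed on CoA
        self.by_ip: Dict[str, Terminal] = {}

    def access_request(self, mac: str) -> dict:
        """Steps 10-30 plus the authentication-algorithm indicator in the response."""
        if self.mgmt.registration_status(mac):
            return {"auth_algorithm": "EAP-TLS"}   # registered: straight to 802.1X
        ip = self.pool.pop(0)
        self.by_ip[ip] = Terminal(mac, ip, Policy.FIRST)
        return {"auth_algorithm": "none", "ip": ip}

    def web_request(self, src_ip: str, url: str) -> str:
        """Step 40: the decision keys on the source address's policy, not the URL."""
        t = self.by_ip.get(src_ip)
        if t is None:
            return "drop"                        # no policy bound to this address
        if t.policy is Policy.FIRST:
            return f"redirect {AUTH_PAGE}"
        if t.policy is Policy.SECOND:
            return f"redirect {REG_PAGE}"
        return f"forward {url}"                  # third policy: pass through

    def portal_result(self, src_ip: str, success: bool) -> Optional[Policy]:
        # Web authentication result relayed from the RADIUS server via the Portal.
        if not success:                          # failure: leave the flow, free the address
            self.pool.append(self.by_ip.pop(src_ip).ip)
            return None
        self.by_ip[src_ip].policy = Policy.SECOND
        return Policy.SECOND

    def registration_done(self, src_ip: str) -> Tuple[str, str]:
        # Step 50: configuration file and certificate go down through the AP.
        t = self.by_ip[src_ip]
        if t.policy is not Policy.SECOND:
            raise PermissionError("registration webpage needs the second policy")
        return self.mgmt.complete_registration(t.mac)

    def coa(self, mac: str) -> List[str]:
        # CoA from RADIUS: drop the session and reclaim its address so the terminal
        # sends a fresh access request, which is now answered with EAP-TLS.
        freed = [ip for ip, t in self.by_ip.items() if t.mac == mac]
        for ip in freed:
            del self.by_ip[ip]
            self.pool.append(ip)
        return freed

    def eap_tls_result(self, mac: str, success: bool) -> Optional[Terminal]:
        # EAP-TLS outcome: fresh address, third policy, controlled port opened.
        if not success:
            return None
        ip = self.pool.pop(0)
        self.by_ip[ip] = Terminal(mac, ip, Policy.THIRD, controlled_port_open=True)
        return self.by_ip[ip]


def onboarding_flow(mac: str) -> List[str]:
    """Drive one unregistered terminal through the whole procedure; return a trace."""
    nad = NetworkAccessDevice(ManagementServer(), ["10.0.0.10", "10.0.0.11"])
    target = "http://intranet.example.corp/"     # whatever page the user asks for
    resp = nad.access_request(mac)
    ip = resp["ip"]
    trace = [f"probe:{resp['auth_algorithm']}",
             nad.web_request(ip, target)]        # first policy -> auth page
    nad.portal_result(ip, success=True)
    trace.append(nad.web_request(ip, target))    # second policy -> registration
    trace.append("provisioned:%s,%s" % nad.registration_done(ip))
    trace.append("reclaimed:" + ",".join(nad.coa(mac)))
    trace.append(f"probe:{nad.access_request(mac)['auth_algorithm']}")
    t = nad.eap_tls_result(mac, success=True)
    trace.append(nad.web_request(t.ip, target))  # third policy -> forwarded
    return trace
```

Two properties of the procedure are visible in the model: the privilege granted to an address only ever steps up one level at a time and is discarded entirely on CoA, and the only identifier the access device has before EAP-TLS is the MAC the terminal itself announces, so the first and second policies should be treated as what they are, a captive-portal pre-authentication state, and not as proof of device identity.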
In the network access control method for a mobile terminal provided by this embodiment, when a mobile terminal requests access to the enterprise wireless network, processing differs according to the registration status of the mobile terminal in that network. Specifically, for an unregistered mobile terminal, the network access device allocates an IP address and sets the access control policy corresponding to that address to the first permission policy; when the mobile terminal tries to browse from that address it is redirected to the authentication webpage for authentication, and after successful authentication it is redirected again to the registration webpage for registration, through which it obtains the configuration file and digital certificate needed to access the network later by EAP-TLS authentication. This greatly simplifies the configuration and preparation that existing access control requires and improves processing efficiency.
In addition, the solution does not restrict the operating system of the mobile terminal: any mobile terminal that supports EAP-TLS authentication, whether it runs Windows or Android, can use it, which gives the solution good generality.
Embodiment 2
This embodiment further describes the network access control method for a mobile terminal provided in Embodiment 1 from the perspective of an interaction sequence diagram.
FIG. 3 is a sequence diagram of a network access control method for a mobile terminal according to an embodiment of the present invention. The method includes the following steps:
Step 301: The mobile terminal sends an access request message, namely a Probe request, to the AP.
Step 302: After receiving the access request message, the AP queries the management server for the registration state of the mobile terminal. If the registration state corresponding to the identifier of the mobile terminal is unregistered, step 303 is performed; if the registration state is registered, step 323 is performed.
For the specific procedure of querying the registration state, refer to the description in Embodiment 1, which is not repeated here.
Step 303: The AP sends a Probe response to the mobile terminal, with the authentication algorithm field carried in the Probe response set to a no-authentication indicator.
Step 304: The mobile terminal sends an Authentication request to the AP.
Step 305: The AP returns an Authentication response to the mobile terminal.
Step 306: The mobile terminal sends an Association request to the AP.
Step 307: The AP returns an Association response to the mobile terminal.
Step 308: The AC allocates a first IP address to the mobile terminal by means of the Dynamic Host Configuration Protocol (DHCP). During this process, the AP sets the access control policy corresponding to the first IP address to the first privilege policy. The definitions of the first, second and third privilege policies in this embodiment are the same as in Embodiment 1 and are not repeated here.
Step 309: When the mobile terminal uses a web browser to access any webpage using the first IP address allocated by the AC in step 308, it sends a webpage access request message.
Step 310: After receiving the webpage access request message, the AP looks up the access control policy corresponding to the source IP address of the message; in this embodiment the lookup yields the first privilege policy.
Step 311: If the access control policy found is the first privilege policy, the AP sends a first forwarding request to the AC, requesting that the webpage access request message be redirected to the authentication webpage.
Step 312: The AC redirects the webpage access request message to the authentication webpage provided by the Portal server, and the Portal server sends the LDAP domain account authentication information entered by the mobile terminal on the authentication webpage to the RADIUS server for webpage authentication.
Step 313: If the webpage authentication result indicates that the webpage authentication of the mobile terminal succeeded, the AP sets the access control policy corresponding to the IP address to the second privilege policy.
Step 314: After the access control policy corresponding to the mobile terminal has been updated to the second privilege policy, the AP sends a second forwarding request to the AC, requesting that the webpage access request message be redirected again, this time to the registration webpage.
Step 315: The AC redirects the webpage access request message to the registration webpage.
Step 316: If the mobile terminal completes registration in the enterprise wireless network through the registration webpage, the management server generates a configuration file for the mobile terminal and sends it to the mobile terminal through the AP, and the RADIUS server allocates a digital certificate to the mobile terminal and sends it to the mobile terminal through the AP.
Step 317: After the registration state of the mobile terminal in the management server has been updated to registered, the RADIUS server sends a CoA message to the AC.
Step 318: After receiving the CoA message, the AC instructs the AP to tear down the network connection already established with the mobile terminal, so that the mobile terminal attempts to access the network again. Step 320 is then performed.
Optionally, the AC may reclaim the first IP address.
Step 320: The mobile terminal resends the Probe request.
Step 321: After receiving the access request message, the AP queries the management server for the registration state of the mobile terminal; the registration state is now registered, and step 323 is performed.
Step 323: The AP sends a Probe response to the mobile terminal, with the authentication algorithm field carried in the Probe response set to an 802.1X authentication indicator, which has a higher security level; specifically, it may be an EAP-TLS authentication indicator. This authentication algorithm field instructs the mobile terminal to access the enterprise wireless network by the EAP-TLS authentication method.
Step 324: The mobile terminal sends an Authentication request to the AP.
Step 325: The AP returns an Authentication response to the mobile terminal.
Step 326: The mobile terminal sends an Association request to the AP.
Step 327: The AP returns an Association response to the mobile terminal.
Step 328: The mobile terminal performs 802.1X authentication with the RADIUS server, using the previously obtained digital certificate during the authentication.
Step 329: If the 802.1X authentication succeeds, the mobile terminal accesses the enterprise wireless network according to the parameters in the configuration file. After the 802.1X authentication succeeds, the RADIUS server sends an authorization packet to the AC, the AC allocates a second IP address to the mobile terminal, and the access control policy corresponding to the second IP address in the AP is the third privilege policy. The AP opens a controlled port for the mobile terminal; the controlled port is used to carry the service data of the mobile terminal.
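The sequence of steps 301 to 329 above, modelled as an added Python simulation that is not code from the patent or from its assignee: the AP enforces a per-IP privilege policy and the controlled port, the AC allocates addresses, performs the redirects and handles the CoA, and the management server and RADIUS server hold registration state, issue the configuration file and certificate, and check the certificate during EAP-TLS. All class names, message dictionaries, URLs, the LDAP account and the certificate records are assumptions.

```python
"""Constructed simulation of the onboarding sequence (steps 301-329); not the patent's or the
assignee's code. All class names, message dicts, URLs, accounts and certificates are assumptions."""
from enum import Enum

AUTH_PAGE = "http://portal.example/auth"          # constructed Portal server URLs
REGISTER_PAGE = "http://portal.example/register"

class Policy(Enum):
    FIRST = 1   # first privilege policy: only the authentication webpage is reachable
    SECOND = 2  # second privilege policy: only the registration webpage is reachable
    THIRD = 3   # third privilege policy: protected enterprise resources are reachable

class ManagementServer:
    def __init__(self):
        self.registered = set()

    def registration_state(self, terminal_id):       # queried by the AP in steps 302 and 321
        return "registered" if terminal_id in self.registered else "unregistered"

    def register(self, terminal_id):                  # step 316: generate the configuration file
        self.registered.add(terminal_id)
        return {"ssid": "corp-wifi", "eap_method": "EAP-TLS"}

class RadiusServer:
    def __init__(self, accounts):
        self.accounts, self.issued = accounts, {}     # LDAP domain accounts; issued certificates

    def web_authenticate(self, user, password):       # step 312: webpage authentication
        return self.accounts.get(user) == password

    def issue_certificate(self, terminal_id):         # step 316: allocate a digital certificate
        self.issued[terminal_id] = {"subject": terminal_id, "serial": len(self.issued) + 1}
        return self.issued[terminal_id]

    def eap_tls_authenticate(self, terminal_id, cert):  # step 328: only this terminal's own certificate
        return cert is not None and self.issued.get(terminal_id) == cert

class AC:
    def __init__(self):
        self.next_host, self.leases = 10, {}

    def allocate_ip(self, terminal_id):               # DHCP allocation, steps 308 and 329
        self.leases[terminal_id] = ip = f"10.0.0.{self.next_host}"
        self.next_host += 1
        return ip

    def redirect(self, url, target):                  # steps 312 and 315
        return {"status": 200, "url": url} if url == target else {"status": 302, "location": target}

    def handle_coa(self, ap, terminal_id):            # steps 317-318: drop the session, reclaim the first IP
        ap.ports_open.discard(terminal_id)
        ap.policies.pop(self.leases.pop(terminal_id), None)

class AP:
    def __init__(self, ac, mgmt):
        self.ac, self.mgmt, self.policies, self.ports_open = ac, mgmt, {}, set()

    def probe_request(self, terminal_id):             # steps 302-308 or 321-323
        if self.mgmt.registration_state(terminal_id) == "unregistered":
            ip = self.ac.allocate_ip(terminal_id)
            self.policies[ip] = Policy.FIRST
            return {"auth_algorithm": "open", "ip": ip}
        return {"auth_algorithm": "EAP-TLS"}

    def web_request(self, src_ip, url):               # steps 309-315: policy lookup by source IP
        policy = self.policies.get(src_ip)
        if policy is Policy.FIRST:
            return self.ac.redirect(url, AUTH_PAGE)
        if policy is Policy.SECOND:
            return self.ac.redirect(url, REGISTER_PAGE)
        return {"status": 200, "url": url} if policy is Policy.THIRD else {"status": 403}

    def web_auth_result(self, src_ip, success):       # step 313: raise to the second privilege policy
        if success and self.policies.get(src_ip) is Policy.FIRST:
            self.policies[src_ip] = Policy.SECOND

    def eap_tls_result(self, terminal_id, success):   # step 329: second IP, open the controlled port
        if success:
            ip = self.ac.allocate_ip(terminal_id)
            self.policies[ip] = Policy.THIRD
            self.ports_open.add(terminal_id)
            return ip

def onboard(terminal_id, user, password):             # drive one terminal through the whole sequence
    mgmt, ac = ManagementServer(), AC()
    radius, ap = RadiusServer({"alice": "s3cret"}), AP(ac, mgmt)   # constructed account
    first = ap.probe_request(terminal_id)
    r1 = ap.web_request(first["ip"], "http://intranet.example/")
    ap.web_auth_result(first["ip"], radius.web_authenticate(user, password))
    r2 = ap.web_request(first["ip"], "http://intranet.example/")
    if r2.get("location") != REGISTER_PAGE:           # webpage authentication failed
        return {"first": r1, "second": r2, "registered": False}
    config, cert = mgmt.register(terminal_id), radius.issue_certificate(terminal_id)
    ac.handle_coa(ap, terminal_id)
    reprobe = ap.probe_request(terminal_id)
    ip2 = ap.eap_tls_result(terminal_id, radius.eap_tls_authenticate(terminal_id, cert))
    return {"first": r1, "second": r2, "registered": True, "reprobe": reprobe, "config": config,
            "ip": ip2, "port_open": terminal_id in ap.ports_open, "stale_policy": first["ip"] in ap.policies,
            "intranet": ap.web_request(ip2, "http://intranet.example/")["status"]}
```

The `stale_policy` field shows that the first address's policy is gone after the CoA, so the pre-registration address cannot be reused to reach the registration webpage.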
The network access control method for a mobile terminal provided by this embodiment of the present invention, through the cooperation of the AP, the AC, the Portal server, the RADIUS server and the management server, performs access control conveniently and efficiently when a mobile terminal accesses the network, simplifying the tedious work that administrators and users must perform in the prior art.
Embodiment 3
An embodiment of the present invention provides a wireless AP. As shown in FIG. 4, the device includes a receiving unit 401, a determining unit 402, a resource allocation requesting unit 403, a policy setting unit 404, a redirection requesting unit 405 and a sending unit 406, as follows:
The receiving unit 401 is configured to receive an access request message sent by a mobile terminal, where the access request message requests access to the enterprise wireless network and carries an identifier of the mobile terminal, and the identifier uniquely identifies the mobile terminal within the scope of the enterprise wireless network;
The determining unit 402 is configured to determine the registration state corresponding to the identifier of the mobile terminal in the access request message received by the receiving unit 401, where the registration state indicates whether the mobile terminal has been registered in the enterprise wireless network;
The resource allocation requesting unit 403 is configured to, if the determining unit 402 determines that the registration state corresponding to the identifier of the mobile terminal is unregistered, request the wireless access controller (AC) controlling the wireless AP to allocate an IP address to the mobile terminal;
The policy setting unit 404 is configured to set the access control policy corresponding to the IP address to a first privilege policy, where the first privilege policy allows the IP address to access the authentication webpage;
The receiving unit 401 is further configured to receive a webpage access request message sent by the mobile terminal using the IP address;
The redirection requesting unit 405 is configured to send, according to the first privilege policy corresponding to the IP address set by the policy setting unit 404, a first forwarding request to the AC, requesting that the webpage access request message be redirected to the authentication webpage; and, if it is determined that the mobile terminal has authenticated successfully through the authentication webpage, to send a second forwarding request to the AC, requesting that the webpage access request message be redirected to the registration webpage;
The receiving unit 401 is further configured to receive a configuration file and a digital certificate from the wireless AC;
The sending unit 406 is further configured to forward the configuration file and the digital certificate to the mobile terminal, where the configuration file and the digital certificate are used by the mobile terminal to access the enterprise wireless network by the EAP-TLS authentication method.
Optionally, the receiving unit 401 is further configured to receive a webpage authentication result from a RADIUS server, where the authentication webpage is provided by a Portal server in the enterprise wireless network, and the Portal server sends the LDAP domain account authentication information entered by the mobile terminal on the authentication webpage to the RADIUS server for webpage authentication;
The policy setting unit 404 is further configured to, if the webpage authentication result indicates that the mobile terminal has passed webpage authentication, set the access control policy corresponding to the IP address to a second privilege policy, where the second privilege policy allows the IP address to access the registration webpage;
The redirection requesting unit 405 is specifically configured to send, according to the second privilege policy corresponding to the IP address, a first forwarding request to the AC, requesting that the webpage access request message be redirected to the registration webpage.
So that the user of the mobile terminal can learn the webpage authentication result, the sending unit 406 is further configured to forward the webpage authentication result to the mobile terminal.
Optionally, the sending unit 406 is further configured to, if the determining unit 402 determines that the registration state is registered, send a response message to the mobile terminal, where the authentication algorithm field carried in the response message is set to an EAP-TLS authentication indicator, instructing the mobile terminal to access the enterprise wireless network by the EAP-TLS authentication method;
In this case, the apparatus shown in FIG. 4 further includes a port opening unit 407, configured to open a controlled port for the mobile terminal when the network access device determines that the EAP-TLS authentication between the mobile terminal and the RADIUS server has succeeded, where the controlled port is used to carry the service data of the mobile terminal.
Optionally, referring to FIG. 5, the determining unit 402 in the apparatus shown in FIG. 4 specifically includes:
An obtaining subunit 501, configured to obtain the identifier of the mobile terminal from the access request message received by the receiving unit 401;
A query subunit 502, configured to query, according to the identifier of the mobile terminal obtained by the obtaining subunit 501, the management server in the enterprise wireless network for the registration state of the mobile terminal;
A receiving subunit 503, configured to receive the registration state of the mobile terminal in the network returned by the management server in response to the query subunit 502.
For the working procedure of each unit in the wireless AP shown in FIG. 5, and for the interaction between the wireless AP and the other network devices in the system shown in FIG. 1, refer to the description in the foregoing method embodiments; they are not detailed again here.
FIG. 6 is a schematic structural diagram of a wireless AP according to an embodiment of the present invention. The AP includes a memory 601, a processor 602, a receiver 603 and a transmitter 604; the receiver 603 and the transmitter 604 may be implemented on the same communication chip. The memory 601, processor 602, receiver 603 and transmitter 604 may be interconnected through a bus.
The receiver 603 is configured to receive an access request message sent by a mobile terminal, where the access request message requests access to the enterprise wireless network and carries an identifier of the mobile terminal, and the identifier uniquely identifies the mobile terminal within the scope of the enterprise wireless network;
The processor 602 is configured to read the program code stored in the memory 601 and execute the following: determine the registration state corresponding to the identifier of the mobile terminal, where the registration state indicates whether the mobile terminal has been registered in the enterprise wireless network; if it is determined that the registration state corresponding to the identifier of the mobile terminal is unregistered, request the wireless access controller (AC) controlling the wireless AP to allocate an IP address to the mobile terminal; and set the access control policy corresponding to the IP address to a first privilege policy, where the first privilege policy allows the IP address to access the authentication webpage;
The receiver 603 is further configured to receive a webpage access request message sent by the mobile terminal using the IP address;
The transmitter 604 is configured to send, according to the first privilege policy corresponding to the IP address, a first forwarding request to the AC, requesting that the webpage access request message be redirected to the authentication webpage; and, if it is determined that the mobile terminal has authenticated successfully through the authentication webpage, to send a second forwarding request to the AC, requesting that the webpage access request message be redirected to the registration webpage;
The receiver 603 is further configured to receive a configuration file and a digital certificate from the wireless AC;
The transmitter 604 is further configured to forward the configuration file and the digital certificate to the mobile terminal, where the configuration file and the digital certificate are used by the mobile terminal to access the enterprise wireless network by the EAP-TLS authentication method.
Optionally, the receiver 603 is further configured to receive a webpage authentication result from a Remote Authentication Dial-In User Service (RADIUS) server, where the authentication webpage is provided by a Portal server in the enterprise wireless network, and the Portal server sends the Lightweight Directory Access Protocol (LDAP) domain account authentication information entered by the mobile terminal on the authentication webpage to the RADIUS server for webpage authentication;
The processor 602 is specifically configured to, if the webpage authentication result received by the receiver 603 indicates that the mobile terminal has passed webpage authentication, set the access control policy corresponding to the IP address to a second privilege policy, where the second privilege policy allows the IP address to access the registration webpage, and to send, according to the second privilege policy corresponding to the IP address, a first forwarding request to the AC, requesting that the webpage access request message be redirected to the registration webpage.
Optionally, the transmitter 604 is further configured to, if the processor 602 determines that the registration state is registered, send a response message to the mobile terminal, where the authentication algorithm field carried in the response message is set to an EAP-TLS authentication indicator, instructing the mobile terminal to access the enterprise wireless network by the EAP-TLS authentication method;
The processor 602 is further configured to open a controlled port for the mobile terminal when the network access device determines that the EAP-TLS authentication between the mobile terminal and the RADIUS server has succeeded, where the controlled port is used to carry the service data of the mobile terminal.
Optionally, the processor 602 determining the registration state corresponding to the identifier of the mobile terminal specifically includes: the processor 602 obtains the identifier of the mobile terminal from the access request message; queries the management server in the enterprise wireless network for the registration state of the mobile terminal according to that identifier; and receives the registration state of the mobile terminal in the network returned by the management server.
For the working procedure of the components of the wireless AP shown in FIG. 6, and for the interaction between the wireless AP and the other network devices in the system shown in FIG. 1, refer to the description in the foregoing method embodiments; they are not detailed again here.
An embodiment of the present invention provides a wireless AP. The wireless AP receives an access request message sent by a mobile terminal and determines the registration state corresponding to the identifier of the mobile terminal in the access request message; if the registration state corresponding to the identifier of the mobile terminal is unregistered, it requests the wireless AC controlling the wireless AP to allocate an IP address to the mobile terminal; sets the access control policy corresponding to the IP address to a first privilege policy; receives a webpage access request message sent by the mobile terminal using the IP address; sends, according to the access control policy set for the IP address, a first forwarding request to the AC, requesting that the webpage access request message be redirected to the authentication webpage; and, if it is determined that the mobile terminal has authenticated successfully through the authentication webpage, sends a second forwarding request to the AC, requesting that the webpage access request message be redirected to the registration webpage; receives a configuration file and a digital certificate from the management server and the certificate server; and forwards the configuration file and the digital certificate to the mobile terminal, where the configuration file and the digital certificate are used by the mobile terminal to access the enterprise wireless network by the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication method. Cooperating with the other network devices, the wireless AP performs access control conveniently and efficiently when a mobile terminal accesses the network, simplifying the tedious work that administrators and users must perform in the prior art.
Embodiment 4
This embodiment provides a wireless AC. As shown in FIG. 7, it includes a receiving unit 701, a determining unit 702, a resource allocation unit 703, a redirection unit 704 and a sending unit 705, where:
The receiving unit 701 is configured to receive an access request message sent by a mobile terminal, where the access request message requests access to the enterprise wireless network and carries an identifier of the mobile terminal, and the identifier uniquely identifies the mobile terminal within the scope of the enterprise wireless network;
The determining unit 702 is configured to determine the registration state corresponding to the identifier of the mobile terminal in the access request message received by the receiving unit 701, where the registration state indicates whether the mobile terminal has been registered in the enterprise wireless network;
The resource allocation unit 703 is configured to allocate an IP address to the mobile terminal if the determining unit 702 determines that the registration state corresponding to the identifier of the mobile terminal is unregistered;
The receiving unit 701 is further configured to receive a first forwarding request sent by an AP controlled by the AC;
The redirection unit 704 is configured to redirect, according to the first forwarding request, a webpage access request message sent by the mobile terminal using the IP address to the authentication webpage;
The receiving unit 701 is further configured to receive a second forwarding request sent by the AP;
The redirection unit 704 is further configured to redirect the webpage access request message to the registration webpage according to the second forwarding request;
The receiving unit 701 is further configured to receive a configuration file and a digital certificate sent by the management server in the enterprise wireless network, where the configuration file and the digital certificate are used by the mobile terminal to access the enterprise wireless network by the EAP-TLS authentication method; after the management server sends the configuration file and the digital certificate, the registration state of the mobile terminal in the management server is updated to registered;
The sending unit 705 is further configured to send the configuration file and the digital certificate to the AP.
Optionally, referring to FIG. 8, the determining unit 702 specifically includes:
An obtaining subunit 801, configured to obtain the identifier of the mobile terminal from the access request message;
A query subunit 802, configured to query, according to the identifier of the mobile terminal obtained by the obtaining subunit 801, the management server in the enterprise wireless network for the registration state of the mobile terminal;
A receiving subunit 803, configured to receive the registration state of the mobile terminal in the network returned by the management server in response to the query subunit 802.
Optionally, the receiving unit 701 in FIG. 7 is further configured to receive a dynamic authorization (CoA) message sent by the RADIUS server and, after receiving the CoA message, to instruct the mobile terminal to resend the access request message; the CoA message is sent after the registration state of the mobile terminal in the management server has been updated to registered.
In this case, the apparatus in FIG. 7 further includes a resource reclaiming unit 706, configured to reclaim the IP address after the receiving unit 701 receives the CoA message.
For the working procedure of each unit in the wireless AC shown in FIG. 7, and for the interaction between the wireless AC and the other network devices in the system shown in FIG. 1, refer to the description in the foregoing method embodiments; they are not detailed again here.
FIG. 9 is a schematic structural diagram of a wireless AC according to an embodiment of the present invention. The AC includes a memory 901, a processor 902, a receiver 903 and a transmitter 904; the receiver 903 and the transmitter 904 may be implemented on the same communication chip. The memory 901, processor 902, receiver 903 and transmitter 904 may be interconnected through a bus.
The receiver 903 is configured to receive an access request message sent by a mobile terminal, where the access request message requests access to the enterprise wireless network and carries an identifier of the mobile terminal, and the identifier uniquely identifies the mobile terminal within the scope of the enterprise wireless network;
The processor 902 is configured to read the program code stored in the memory 901 and execute the following:
determine the registration state corresponding to the identifier of the mobile terminal in the access request message received by the receiver 903, where the registration state indicates whether the mobile terminal has been registered in the enterprise wireless network; and, if the registration state corresponding to the identifier of the mobile terminal is unregistered, allocate an IP address to the mobile terminal;
The receiver 903 is further configured to receive a first forwarding request sent by an AP controlled by the AC;
The processor 902 is further configured to redirect, according to the first forwarding request received by the receiver 903, a webpage access request message sent by the mobile terminal using the IP address to the authentication webpage;
The receiver 903 is further configured to receive a second forwarding request sent by the AP;
The processor 902 is further configured to redirect the webpage access request message to the registration webpage according to the second forwarding request received by the receiver 903;
The receiver 903 is further configured to receive a configuration file and a digital certificate sent by the management server in the enterprise wireless network, where the configuration file and the digital certificate are used by the mobile terminal to access the enterprise wireless network by the EAP-TLS authentication method; after the management server sends the configuration file and the digital certificate, the registration state of the mobile terminal in the management server is updated to registered;
The transmitter 904 is configured to send the configuration file and the digital certificate to the AP.
Optionally, when determining the registration state corresponding to the identifier of the mobile terminal in the access request message received by the receiver 903, the processor 902 is specifically configured to:
obtain the identifier of the mobile terminal from the access request message; query, according to the obtained identifier of the mobile terminal, the management server in the enterprise wireless network for the registration state of the mobile terminal; and receive the registration state of the mobile terminal in the network returned by the management server.
可选地,所述接收器903还用于接收所述RADIUS服务器发送的动态授权CoA消息,并在接收到所述CoA消息后指示所述移动终端重新发送所述接入请求消息;所述CoA消息是所述移动终端在所述管理服务器中的注册状态被更新为已注册后发送的。Optionally, the receiver 903 is further configured to receive a dynamic authorization CoA message sent by the RADIUS server, and after receiving the CoA message, instruct the mobile terminal to resend the access request message; The message is sent after the mobile terminal's registration status in the management server is updated to be registered.
所述处理器902还用于在所述接收器903接收到所述CoA消息后,回收所述IP地址。The processor 902 is further configured to reclaim the IP address after the receiver 903 receives the CoA message.
附图9所示的无线AC中器件的工作流程,以及所述无线AC与附图1所 示的***中其他网络设备的交互过程请参照前面方法实施例中的描述,在这里不再一一详述。The working flow of the device in the wireless AC shown in FIG. 9, and the wireless AC and FIG. For the interaction process of other network devices in the illustrated system, please refer to the description in the foregoing method embodiments, which will not be described in detail here.
本发明实施例提供了一种无线AC,该无线AC接收移动终端发送的接入请求消息,判断所述接入请求消息中移动终端的标识对应的注册状态;若判断所述移动终端的标识对应的注册状态为未注册,为所述移动终端分配IP地址;接收所述AC控制的AP发送的第一转发请求;根据所述第一转发请求将所述移动终端通过所述IP地址发送的网页访问请求消息重定向到认证网页;接收所述AP发送的第二转发请求;根据所述第二转发请求将所述网页访问请求消息重定向到注册网页;接收所述企业的无线网络中的管理服务器发送的配置文件和数字证书,将所述配置文件和数字证书发送给所述AP。该无线AC与其他网络设备相互配合,在移动终端接入网络时,可以方便、高效地进行接入控制。简化了现有技术中管理员和用户所需执行的繁琐工作。The embodiment of the present invention provides a wireless AC, where the wireless AC receives an access request message sent by the mobile terminal, and determines a registration status corresponding to the identifier of the mobile terminal in the access request message; The registration status is unregistered, and the mobile terminal is assigned an IP address; the first forwarding request sent by the AC-controlled AP is received; and the mobile terminal sends the webpage sent by the IP address according to the first forwarding request. Retrieving the request message to the authentication webpage; receiving the second forwarding request sent by the AP; redirecting the webpage access request message to the registration webpage according to the second forwarding request; and receiving the management server in the wireless network of the enterprise Sending the configuration file and the digital certificate, and transmitting the configuration file and the digital certificate to the AP. The wireless AC cooperates with other network devices to perform access control conveniently and efficiently when the mobile terminal accesses the network. It simplifies the tedious work required by administrators and users in the prior art.
Where singular and/or plural terms are used in this application, a person skilled in the art can convert the plural to the singular and/or the singular to the plural, as long as this is reasonable in the context and/or the actual application. For the sake of clarity, the various singular and/or plural permutations are not described one by one in this application.
A person of ordinary skill in the art will understand that the aspects of the present invention, or possible implementations of those aspects, may be embodied as a system, a method or a computer program product. Therefore, the aspects of the present invention, or possible implementations of those aspects, may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software and the like), or an embodiment combining software and hardware, all of which are collectively referred to herein as a "circuit", "module" or "system". Furthermore, the aspects of the present invention, or possible implementations of those aspects, may take the form of a computer program product, that is, computer-readable program code stored in a computer-readable medium.
The computer-readable medium may be a computer-readable signal medium or a computer-readable storage medium. A computer-readable storage medium includes, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, device or apparatus, or any suitable combination of the foregoing, such as a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fibre or a portable read-only memory (CD-ROM).
A processor in a computer reads the computer-readable program code stored in the computer-readable medium, so that the processor can perform the functional actions specified in each step, or combination of steps, of the flowcharts, and generate an apparatus that implements the functional actions specified in each block, or combination of blocks, of the block diagrams.
The computer-readable program code may execute entirely on the user's local computer, partly on the user's local computer, as a stand-alone software package, partly on the user's local computer and partly on a remote computer, or entirely on a remote computer or server. It should also be noted that, in some alternative implementations, the functions noted in the steps of the flowcharts or the blocks of the block diagrams may occur out of the order noted in the figures. For example, depending on the functionality involved, two steps or two blocks shown in succession may in fact be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order.
Obviously, a person skilled in the art can make various modifications and variations to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include them.

Claims (15)

  1. A network access control method, comprising:
    receiving, by a network access device, an access request message sent by a mobile terminal, where the access request message is used to request access to an enterprise's wireless network and carries an identifier of the mobile terminal, the identifier uniquely identifying the mobile terminal within the scope of the enterprise's wireless network;
    determining, by the network access device, a registration status corresponding to the identifier of the mobile terminal, where the registration status indicates whether the mobile terminal has registered in the enterprise's wireless network;
    if the network access device determines that the registration status corresponding to the identifier of the mobile terminal is unregistered, allocating, by the network access device, an IP address to the mobile terminal and then setting the access control policy corresponding to the IP address to a first permission policy, where the first permission policy allows the IP address to access an authentication webpage;
    receiving, by the network access device, a webpage access request message sent by the mobile terminal using the IP address, redirecting, by the network access device, the webpage access request message to the authentication webpage according to the first permission policy corresponding to the IP address, and, if the network access device determines that the mobile terminal has been authenticated successfully through the authentication webpage, redirecting to a registration webpage; and
    if the network access device determines that the mobile terminal has completed registration in the enterprise's wireless network through the registration webpage, sending, by the network access device, a configuration file and a digital certificate to the mobile terminal, where the configuration file and the digital certificate are used by the mobile terminal to access the enterprise's wireless network through Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication.
  2. The method according to claim 1, wherein the authentication webpage is provided by a Portal server in the enterprise's wireless network, and the Portal server sends the Lightweight Directory Access Protocol (LDAP) domain account authentication information entered by the mobile terminal on the authentication webpage to a Remote Authentication Dial-In User Service (RADIUS) server for webpage authentication;
    and wherein, if the network access device determines that the mobile terminal has been authenticated successfully through the authentication webpage, redirecting to the registration webpage comprises:
    receiving, by the network access device, a webpage authentication result returned by the RADIUS server;
    if the webpage authentication result indicates that the mobile terminal has passed webpage authentication, setting, by the network access device, the access control policy corresponding to the IP address to a second permission policy, where the second permission policy allows the IP address to access the registration webpage; and
    redirecting, by the network access device, the webpage access request message to the registration webpage according to the second permission policy corresponding to the IP address.
  3. The method according to claim 1 or 2, further comprising:
    if the network access device determines that the registration status corresponding to the identifier of the mobile terminal is registered, sending, by the network access device, a response message to the mobile terminal, where an authentication algorithm field carried in the response message is set to an EAP-TLS authentication indicator instructing the mobile terminal to access the enterprise's wireless network using EAP-TLS authentication; and
    when the network access device determines that the EAP-TLS authentication between the mobile terminal and the RADIUS server has succeeded, opening a controlled port for the mobile terminal, where the controlled port is used to transmit the service data of the mobile terminal.
  4. The method according to claim 2 or 3, wherein determining, by the network access device, the registration status corresponding to the identifier of the mobile terminal comprises:
    obtaining, by the network access device, the identifier of the mobile terminal from the access request message;
    querying, according to the identifier of the mobile terminal, a management server in the enterprise's wireless network for the registration status of the mobile terminal; and
    receiving the registration status of the mobile terminal in the network returned by the management server.
  5. The method according to claim 4, wherein the registration webpage is provided by the management server, and
    wherein, if the network access device determines that the mobile terminal has completed registration in the enterprise's wireless network through the registration webpage, sending, by the network access device, the configuration file and the digital certificate to the mobile terminal comprises:
    receiving, by the network access device, the configuration file and the digital certificate sent by the management server, where the configuration file and the digital certificate are sent by the management server after the mobile terminal has completed registration in the enterprise's wireless network through the registration webpage, and where, after the management server sends the configuration file and the digital certificate, the registration status of the mobile terminal in the management server is updated to registered; and
    sending, by the network access device, the configuration file and the digital certificate to the mobile terminal.
  6. The method according to claim 5, further comprising, after the network access device sends the configuration file and the digital certificate to the mobile terminal:
    receiving, by the network access device, a dynamic authorization (CoA) message sent by the RADIUS server and, after receiving the CoA message, instructing the mobile terminal to resend the access request message, where the CoA message is sent after the registration status of the mobile terminal in the management server has been updated to registered.
  7. The method according to claim 6, wherein after the network access device receives the CoA message, the method further comprises:
    reclaiming, by the network access device, the IP address.
  8. A wireless access point (AP), comprising:
    a receiving unit, configured to receive an access request message sent by a mobile terminal, where the access request message is used to request access to an enterprise's wireless network and carries an identifier of the mobile terminal, the identifier uniquely identifying the mobile terminal within the scope of the enterprise's wireless network;
    a determining unit, configured to determine a registration status corresponding to the identifier of the mobile terminal in the access request message received by the receiving unit, where the registration status indicates whether the mobile terminal has registered in the enterprise's wireless network;
    a resource allocation requesting unit, configured to request, if the determining unit determines that the registration status corresponding to the identifier of the mobile terminal is unregistered, that a wireless access controller (AC) controlling the wireless AP allocate an IP address to the mobile terminal;
    a policy setting unit, configured to set the access control policy corresponding to the IP address to a first permission policy, where the first permission policy allows the IP address to access an authentication webpage;
    the receiving unit being further configured to receive a webpage access request message sent by the mobile terminal using the IP address;
    a redirection requesting unit, configured to send, according to the first permission policy set by the policy setting unit, a first forwarding request to the AC requesting that the webpage access request message be redirected to the authentication webpage, and, if it is determined that the mobile terminal has been authenticated successfully through the authentication webpage, to send a second forwarding request to the AC requesting that the webpage access request message be redirected to a registration webpage;
    the receiving unit being further configured to receive a configuration file and a digital certificate from the wireless AC; and
    the sending unit being further configured to forward the configuration file and the digital certificate to the mobile terminal, where the configuration file and the digital certificate are used by the mobile terminal to access the enterprise's wireless network through Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication.
  9. The wireless AP according to claim 8, wherein:
    the receiving unit is further configured to receive a webpage authentication result from a Remote Authentication Dial-In User Service (RADIUS) server, where the authentication webpage is provided by a Portal server in the enterprise's wireless network, and the Portal server sends the Lightweight Directory Access Protocol (LDAP) domain account authentication information entered by the mobile terminal on the authentication webpage to the RADIUS server for webpage authentication;
    the policy setting unit is further configured to set, if the webpage authentication result indicates that the mobile terminal has passed webpage authentication, the access control policy corresponding to the IP address to a second permission policy, where the second permission policy allows the IP address to access the registration webpage; and
    the redirection requesting unit is specifically configured to send, according to the second permission policy corresponding to the IP address, a first forwarding request to the AC requesting that the webpage access request message be redirected to the registration webpage.
  10. The wireless AP according to claim 8 or 9, wherein:
    the sending unit is further configured to send, if the determining unit determines that the registration status is registered, a response message to the mobile terminal, where an authentication algorithm field carried in the response message is set to an EAP-TLS authentication indicator instructing the mobile terminal to access the enterprise's wireless network using EAP-TLS authentication; and
    the wireless AP further comprises:
    a port opening unit, configured to open a controlled port for the mobile terminal when the network access device determines that the EAP-TLS authentication between the mobile terminal and the RADIUS server has succeeded, where the controlled port is used to transmit the service data of the mobile terminal.
  11. The wireless AP according to any one of claims 8 to 10, wherein the determining unit comprises:
    an obtaining subunit, configured to obtain the identifier of the mobile terminal from the access request message;
    a querying subunit, configured to query, according to the identifier of the mobile terminal obtained by the obtaining subunit, a management server in the enterprise's wireless network for the registration status of the mobile terminal; and
    a receiving subunit, configured to receive the registration status of the mobile terminal in the network returned by the management server.
  12. A wireless controller (AC), comprising:
    a receiving unit, configured to receive an access request message sent by a mobile terminal, where the access request message is used to request access to an enterprise's wireless network and carries an identifier of the mobile terminal, the identifier uniquely identifying the mobile terminal within the scope of the enterprise's wireless network;
    a determining unit, configured to determine a registration status corresponding to the identifier of the mobile terminal in the access request message received by the receiving unit, where the registration status indicates whether the mobile terminal has registered in the enterprise's wireless network;
    a resource allocation unit, configured to allocate an IP address to the mobile terminal if the determining unit determines that the registration status corresponding to the identifier of the mobile terminal is unregistered;
    the receiving unit being further configured to receive a first forwarding request sent by a wireless access point (AP) controlled by the AC;
    a redirection unit, configured to redirect, according to the first forwarding request, a webpage access request message sent by the mobile terminal using the IP address to an authentication webpage;
    the receiving unit being further configured to receive a second forwarding request sent by the AP;
    the redirection unit being further configured to redirect the webpage access request message to a registration webpage according to the second forwarding request;
    the receiving unit being further configured to receive a configuration file and a digital certificate sent by a management server in the enterprise's wireless network, where the configuration file and the digital certificate are used by the mobile terminal to access the enterprise's wireless network through Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication, and where, after the management server sends the configuration file and the digital certificate, the registration status of the mobile terminal in the management server is updated to registered; and
    a sending unit, further configured to send the configuration file and the digital certificate to the AP.
  13. The wireless AC according to claim 12, wherein the determining unit comprises:
    an obtaining subunit, configured to obtain the identifier of the mobile terminal from the access request message;
    a querying subunit, configured to query, according to the identifier of the mobile terminal obtained by the obtaining subunit, the management server in the enterprise's wireless network for the registration status of the mobile terminal; and
    a receiving subunit, configured to receive the registration status of the mobile terminal in the network returned by the management server.
  14. The wireless AC according to claim 12, wherein:
    the receiving unit is further configured to receive a dynamic authorization (CoA) message sent by a Remote Authentication Dial-In User Service (RADIUS) server and, after receiving the CoA message, to instruct the mobile terminal to resend the access request message, where the CoA message is sent after the registration status of the mobile terminal in the management server has been updated to registered.
  15. The wireless AC according to claim 14, further comprising:
    a resource reclaiming unit, configured to reclaim the IP address after the receiving unit receives the CoA message.
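The onboarding flow described in the AC embodiment above and in claims 1 to 7, modelled as an added Python simulation that is not part of the patent or of any Huawei code; the class and function names, URLs, IP addresses, file names and terminal identifier are constructed placeholders, and the AP and AC roles are collapsed into one AccessController object. It shows the two per-IP permission policies, the gate that refuses registration unless portal authentication actually succeeded, and the CoA step that reclaims the provisional IP before the terminal comes back over EAP-TLS.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum

# Constructed URLs; the patent names the two pages only by role.
AUTH_PAGE = "https://portal.example.internal/auth"
REGISTER_PAGE = "https://mgmt.example.internal/register"


class Policy(Enum):
    AUTH_ONLY = "first permission policy"       # IP may reach only the authentication webpage
    REGISTER_ONLY = "second permission policy"  # IP may reach only the registration webpage


class ManagementServer:
    """Stand-in for the enterprise management server, which owns registration status."""
    def __init__(self) -> None:
        self.registered: set[str] = set()

    def is_registered(self, terminal_id: str) -> bool:
        return terminal_id in self.registered

    def complete_registration(self, terminal_id: str) -> tuple[str, str]:
        # Claim 5: once the profile and certificate are sent, the status becomes "registered".
        self.registered.add(terminal_id)
        return ("eap-tls-profile.xml", f"cert-{terminal_id}.pem")  # constructed file names


@dataclass
class AccessController:
    """Hypothetical model of the network access device (AP plus AC) of claims 1 to 7."""
    mgmt: ManagementServer
    ip_pool: list[str]
    leases: dict[str, str] = field(default_factory=dict)       # terminal_id -> IP
    policies: dict[str, Policy] = field(default_factory=dict)  # IP -> permission policy
    open_ports: set[str] = field(default_factory=set)          # terminals whose controlled port is open

    def handle_access_request(self, terminal_id: str) -> dict:
        if self.mgmt.is_registered(terminal_id):
            # Claim 3: a registered terminal is told to authenticate with EAP-TLS.
            return {"auth_algorithm": "EAP-TLS"}
        # Claim 1: an unregistered terminal gets an IP that may reach only the auth page.
        ip = self.ip_pool.pop(0)
        self.leases[terminal_id] = ip
        self.policies[ip] = Policy.AUTH_ONLY
        return {"ip": ip, "policy": Policy.AUTH_ONLY}

    def redirect_for(self, ip: str) -> str:
        # Where a web request from this IP is redirected; an IP with no policy is dropped.
        policy = self.policies.get(ip)
        if policy is Policy.AUTH_ONLY:
            return AUTH_PAGE
        if policy is Policy.REGISTER_ONLY:
            return REGISTER_PAGE
        raise PermissionError(f"no access policy for {ip}")

    def handle_portal_result(self, ip: str, authenticated: bool) -> Policy | None:
        # Claim 2: RADIUS returns the portal (LDAP account) result; success widens the
        # policy from the authentication page to the registration page, and no further.
        if authenticated and self.policies.get(ip) is Policy.AUTH_ONLY:
            self.policies[ip] = Policy.REGISTER_ONLY
        return self.policies.get(ip)

    def handle_registration_done(self, terminal_id: str) -> tuple[str, str]:
        # Claim 5: forward profile and certificate, but only if this terminal's IP actually
        # reached the second policy, i.e. portal authentication succeeded first.
        ip = self.leases[terminal_id]
        if self.policies.get(ip) is not Policy.REGISTER_ONLY:
            raise PermissionError("registration attempted without portal authentication")
        return self.mgmt.complete_registration(terminal_id)

    def handle_coa(self, terminal_id: str) -> dict:
        # Claims 6 and 7: on the RADIUS CoA the provisional IP and its policy are reclaimed
        # and the terminal is told to send a fresh access request.
        ip = self.leases.pop(terminal_id)
        self.policies.pop(ip, None)
        self.ip_pool.append(ip)
        return {"action": "resend_access_request", "reclaimed_ip": ip}

    def handle_eap_tls_result(self, terminal_id: str, success: bool) -> bool:
        # Claim 3: the controlled port for business data opens only after EAP-TLS succeeds.
        if success and self.mgmt.is_registered(terminal_id):
            self.open_ports.add(terminal_id)
        return terminal_id in self.open_ports


def onboarding_walkthrough() -> dict:
    """Drive one constructed terminal through the whole flow and report what happened."""
    ac = AccessController(ManagementServer(), ip_pool=["10.0.0.10", "10.0.0.11"])
    tid = "aa:bb:cc:dd:ee:ff"  # constructed terminal identifier
    ip = ac.handle_access_request(tid)["ip"]
    to_auth = ac.redirect_for(ip)
    ac.handle_portal_result(ip, authenticated=True)
    to_register = ac.redirect_for(ip)
    profile, cert = ac.handle_registration_done(tid)
    coa = ac.handle_coa(tid)
    second = ac.handle_access_request(tid)
    port_open = ac.handle_eap_tls_result(tid, success=True)
    return {"ip": ip, "to_auth": to_auth, "to_register": to_register, "profile": profile,
            "cert": cert, "coa": coa, "second": second, "port_open": port_open,
            "pool": list(ac.ip_pool)}


if __name__ == "__main__":
    for key, value in onboarding_walkthrough().items():
        print(f"{key}: {value}")
```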
PCT/CN2014/092788 2014-01-03 2014-12-02 Network access control method and device WO2015101125A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410003686.XA CN104767715B (en) 2014-01-03 2014-01-03 Access control method and equipment
CN201410003686.X 2014-01-03

Publications (1)

Publication Number Publication Date
WO2015101125A1 true WO2015101125A1 (en) 2015-07-09

Family

ID=53493160

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/092788 WO2015101125A1 (en) 2014-01-03 2014-12-02 Network access control method and device

Country Status (2)

Country Link
CN (1) CN104767715B (en)
WO (1) WO2015101125A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105978933A (en) * 2016-04-25 2016-09-28 青岛海信电器股份有限公司 Webpage request method, webpage response method, terminal, server, and webpage request and response system
CN106713388A (en) * 2015-11-13 2017-05-24 阿里巴巴集团控股有限公司 Emergent business processing method and device
CN110971714A (en) * 2018-09-28 2020-04-07 贵州白山云科技股份有限公司 Enterprise export access request processing method, device and system
CN111262865A (en) * 2016-09-23 2020-06-09 华为技术有限公司 Method, device and system for making access control strategy
CN112118575A (en) * 2020-09-25 2020-12-22 国网江苏省电力有限公司 Wireless equipment authentication method and system
CN114338177A (en) * 2021-12-30 2022-04-12 天翼物联科技有限公司 Directional access control method and system for Internet of things
CN114915612A (en) * 2022-04-22 2022-08-16 绿盟科技集团股份有限公司 Host access method, host to be accessed and DHCP server

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106535176B (en) * 2015-09-14 2020-09-04 华为技术有限公司 Network access method and device
CN107026918B (en) * 2016-01-29 2020-06-09 ***通信集团广东有限公司 Web authentication charging method and system based on dynamic host configuration protocol
CN105848279B (en) * 2016-03-18 2019-08-06 深圳市万普拉斯科技有限公司 Data transmission method and relevant apparatus
CN108009165A (en) * 2016-10-31 2018-05-08 北京乐知行软件有限公司 A kind of Webpage access control method and device
CN108881103B (en) * 2017-05-08 2020-10-13 腾讯科技(深圳)有限公司 Network access method and device
GB2565864B (en) * 2017-05-11 2022-02-02 Pismo Labs Technology Ltd Methods and apparatus for processing data packets originated from a mobile computing device to destinations at a wireless network node
CN114978583A (en) * 2018-03-05 2022-08-30 上海可鲁***软件有限公司 Intelligent virtual private network system for industrial Internet of things
CN108933794B (en) * 2018-08-22 2021-08-10 广州视源电子科技股份有限公司 Method, device, equipment and server for joining enterprise policy
CN110087238B (en) * 2019-05-13 2022-09-23 商洛学院 Information security protection system of mobile electronic equipment
CN112449440B (en) * 2019-08-29 2023-05-23 深圳市优克联新技术有限公司 Wireless resource control method, device, electronic equipment and storage medium
CN110505357B (en) * 2019-09-06 2021-04-02 上海航天测控通信研究所 Management method of aerospace VOIP voice terminal
CN113972988A (en) * 2020-07-06 2022-01-25 西安西电捷通无线网络通信股份有限公司 Digital certificate acquisition method and device
CN115022980B (en) * 2022-06-07 2022-12-23 夏文祥 Method and device for randomly accessing terminal to network
CN117097573B (en) * 2023-10-19 2024-01-30 深圳竹云科技股份有限公司 Firewall dynamic access control method and device under zero-trust security system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101631331A (en) * 2009-08-10 2010-01-20 华为技术有限公司 Terminal management method and terminal management device
CN102571766A (en) * 2010-12-23 2012-07-11 微软公司 Registration and network access control
WO2013013040A2 (en) * 2011-07-21 2013-01-24 Intel Corporation Secure on-line sign-up and provisioning for wi-fi hotspots using a device-management protocol
US8392712B1 (en) * 2012-04-04 2013-03-05 Aruba Networks, Inc. System and method for provisioning a unique device credential

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101094061B (en) * 2006-06-24 2011-08-24 华为技术有限公司 Access method for authorizing and authenticating digital gateway system, devices, and network terminal devices
CN100571216C (en) * 2007-03-06 2009-12-16 中兴通讯股份有限公司 Method for network access control and system
CN101582769B (en) * 2009-07-03 2012-07-04 杭州华三通信技术有限公司 Authority setting method of user access network and equipment
US8578443B2 (en) * 2011-06-01 2013-11-05 Mobileasap, Inc. Real-time mobile application management
US8515488B2 (en) * 2011-07-29 2013-08-20 Mitel Networks Corporation System for dynamic assignment of mobile subscriber identities and methods thereof
US9143530B2 (en) * 2011-10-11 2015-09-22 Citrix Systems, Inc. Secure container for protecting enterprise data on a mobile device
CN103079201B (en) * 2011-10-26 2015-06-03 中兴通讯股份有限公司 Fast authentication method, access controller (AC) and system for wireless local area network
CN102647432B (en) * 2012-05-17 2016-04-20 湖南神州祥网科技有限公司 A kind of authentication information transmission method, device and certification middleware
CN103475751B (en) * 2013-09-18 2016-08-10 杭州华三通信技术有限公司 A kind of method and device of IP address switching

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106713388A (en) * 2015-11-13 2017-05-24 阿里巴巴集团控股有限公司 Emergent business processing method and device
CN105978933A (en) * 2016-04-25 2016-09-28 青岛海信电器股份有限公司 Webpage request method, webpage response method, terminal, server, and webpage request and response system
CN111262865A (en) * 2016-09-23 2020-06-09 华为技术有限公司 Method, device and system for making access control strategy
CN111262865B (en) * 2016-09-23 2021-03-30 华为技术有限公司 Method, device and system for making access control strategy
CN110971714A (en) * 2018-09-28 2020-04-07 贵州白山云科技股份有限公司 Enterprise export access request processing method, device and system
CN110971714B (en) * 2018-09-28 2023-10-27 贵州白山云科技股份有限公司 Enterprise exit access request processing method, device and system
CN112118575A (en) * 2020-09-25 2020-12-22 国网江苏省电力有限公司 Wireless equipment authentication method and system
CN112118575B (en) * 2020-09-25 2022-06-28 国网江苏省电力有限公司 Wireless equipment authentication method and system
CN114338177A (en) * 2021-12-30 2022-04-12 天翼物联科技有限公司 Directional access control method and system for Internet of things
CN114338177B (en) * 2021-12-30 2023-07-21 天翼物联科技有限公司 Directional access control method and system for Internet of things
CN114915612A (en) * 2022-04-22 2022-08-16 绿盟科技集团股份有限公司 Host access method, host to be accessed and DHCP server
CN114915612B (en) * 2022-04-22 2024-03-15 绿盟科技集团股份有限公司 Host access method, host to be accessed and DHCP server

Also Published As

Publication number Publication date
CN104767715A (en) 2015-07-08
CN104767715B (en) 2018-06-26

Similar Documents

Publication Publication Date Title
WO2015101125A1 (en) Network access control method and device
US11082839B2 (en) Mobile authentication in mobile virtual network
CN112997454B (en) Connecting to home local area network via mobile communication network
US9049184B2 (en) System and method for provisioning a unique device credentials
WO2019017840A1 (en) Network verification method, and relevant device and system
JP2019511141A5 (en)
KR20160114620A (en) Methods, devices and systems for dynamic network access administration
US9549318B2 (en) System and method for delayed device registration on a network
DK2924944T3 (en) Presence authentication
WO2009000206A1 (en) Method and system for access control of home node b
CN107534664B (en) Multi-factor authorization for IEEE802.1X enabled networks
EP3143780B1 (en) Device authentication to capillary gateway
JP7135206B2 (en) access authentication
WO2014180431A1 (en) Network management security authentication method, device and system, and computer storage medium
WO2020248368A1 (en) Intranet accessing method, system, and related device
Nguyen et al. An SDN-based connectivity control system for Wi-Fi devices
WO2016061980A1 (en) Wlan sharing method and system, and wlan sharing registration server
US11005816B2 (en) Adaptive and dynamic network provisioning
WO2016061981A1 (en) Wlan sharing method and system, and wlan sharing registration server
KR20170044835A (en) Dynamic host access control system and method based on ieee 802.1x
CA2829892C (en) System and method for delayed device registration on a network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 14877376; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 14877376; Country of ref document: EP; Kind code of ref document: A1