
CN100563158C - Access control method and system - Google Patents


Info

Publication number
CN100563158C
CN100563158C (application CNB2005101166382A / CN200510116638A)
Authority
CN
China
Prior art keywords
user
authentication
network
client
user terminal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CNB2005101166382A
Other languages
Chinese (zh)
Other versions
CN1753364A (en)
Inventor
郭晓征
韦晓山
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CNB2005101166382A
Publication of CN1753364A
Application granted
Publication of CN100563158C
Legal status: Active
Anticipated expiration

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses an access control method and system for controlling the access of user terminals that have no 802.1x client. The method comprises: restricting the access rights of a user who logs on through the web authentication page of a Portal server, so that the user can only access limited network resources; the user downloads a security client through the web page; when the user accesses protected network resources, the security client performs security authentication of the user terminal; a user who passes security authentication may freely access the protected network resources. The system comprises a network access device, a Portal server and an AAA server connected through a network. With the invention, access control can be implemented simply and securely, the identity of the user accessing the network and the security of the terminal are guaranteed, system maintenance cost is reduced, and secure use of the network is ensured.

Description

Access control method and system
Technical field
The present invention relates to network access control technology, and specifically to an endpoint security admission control method and system.
Background technology
With the rapid development of network application technology, network information security problems have become increasingly prominent. Ensuring that user terminals are secure, preventing threats from invading the network, and effectively controlling users' network access behaviour are prerequisites for the secure operation of an enterprise network, and are also urgent problems in present-day enterprise network security management.
At present, network access authentication technology, as an important technical and management means of solving network security problems, is spreading rapidly. Traditional user network access authentication modes mainly include 802.1x (port-based access control protocol) authentication, PPPoE (Point-to-Point Protocol over Ethernet) authentication and Portal authentication. Different networking modes use different user authentication modes. The 802.1x mode and PPPoE usually require a client; Portal authentication uses a web page to log on to the network and, because it is simple to operate and needs no client, is popular with users and widely used.
PPPoE was introduced into broadband Ethernet from the ATM (Asynchronous Transfer Mode) based narrowband network, and applying it to broadband Ethernet necessarily has limitations: although the mode is more flexible and offers a richer application experience, its encapsulation method, carried over from the narrowband network, has also caused various problems in broadband Ethernet. In PPPoE authentication, the authentication system must disassemble each packet before it can judge and identify whether the user is legitimate; once the number of users or packets increases, the packet processing speed affects network efficiency. Furthermore, such a large amount of unpacking and decapsulation must be completed by an expensive, powerful device, namely the traditional BAS (Broadband Access Server): every packet sent by every user must be unpacked, identified, re-encapsulated and forwarded by the BAS, so implementation efficiency is low and equipment cost is high.
Traditional Web/Portal authentication based on the HTTP (Hypertext Transfer Protocol) or HTTPS (Secure Hypertext Transfer Protocol) protocol is authentication based on the service type; no other client software needs to be installed and only a browser is needed, which is convenient for the user. When the user goes online, the gateway detects whether the user terminal that initiates the HTTP/HTTPS request has passed user authentication; if not, it forces an authentication page to the user terminal and requires the user to authenticate before going online. This authentication is based on the IP (Internet Protocol) address of the user terminal: the authentication gateway checks the source IP address of the HTTP/HTTPS protocol messages passing through the gateway, and if that IP address is not in the list of authenticated users' IP addresses, the terminal user with this IP address is considered unauthenticated.
This authentication mode authenticates the user's identity only by "username/password" and cannot guard against behaviours such as IP address spoofing and MAC (Media Access Control) address spoofing; it cannot bind the user identity to information such as the MAC address and access device port of the accessing terminal; it only responds to HTTP/HTTPS access requests, so for non-HTTP/HTTPS access it cannot force the user to authenticate; and it cannot distinguish the resources that need controlled access by destination IP address and port.
To implement access control based on user endpoints, the 802.1x protocol needs a specific client. Its application architecture, shown in Fig. 1, comprises a client, an access device and an authentication server. The 802.1x client is usually installed on the user terminal; the authentication server usually resides in the operator's AAA (Accounting, Authentication and Authorization) centre. Each time the user goes online, the 802.1x client initiates an identity authentication request, and the access device forwards this authentication request to the authentication server, which verifies the user's identity.
When 802.1x authentication is implemented for network access users, the access-layer or aggregation-layer switches in the network must support the 1x function, and 1x authentication is started on the access ports or aggregation ports. Before the user completes authentication, the switch port is in a controlled state and only 1x messages are forwarded; after user identity authentication is completed, the controlled port is opened and the user can access the network normally. Once the 1x function is activated, the user cannot perform normal network access before authentication passes. This authentication mode has the following shortcomings:
(1) it needs a specific client, which must be configured according to the user's network environment, and is complicated to use;
(2) networking restrictions: 802.1x authentication must perform network access control at the user's access point, and usually only access-layer switches or BAS devices support it;
(3) access control cannot be performed according to the security state of the accessing terminal: 802.1x authentication carries the user authentication information in EAP (Extensible Authentication Protocol) messages and can only complete user identity authentication; it cannot obtain the user terminal's security state information, so it cannot control the user's network access according to the installation state of the user terminal;
(4) access rights to different resources cannot be distinguished.
Recently, with the rapid development of network technology, the demand for network access authentication is no longer confined to user identity authentication: for terminal users accessing the network, the network administrator also wishes to check the security state of the user's terminal, to control the access rights of the accessing user according to identity, and to monitor the state information and access behaviour of the online user in real time. Existing authentication modes cannot satisfy this demand.
Summary of the invention
The purpose of this invention is to provide an access control method that overcomes the inability of the existing web authentication mode to force user authentication for non-HTTP/HTTPS protocol access, and the shortcomings of the 802.1x authentication mode, which needs a specific client and cannot perform access control according to the security state of the accessing terminal, so as to implement user endpoint access control simply and securely and to guarantee the identity of the user accessing the network and the security of the terminal.
Another object of the invention is to provide a network access control system that effectively controls the security of accessing user endpoints, reduces system maintenance cost and ensures secure use of the network.
To this end, the invention provides the following technical scheme:
An access control method in which a network access device controls the access of user terminals to network resources, the method comprising:
A. restricting the access rights of a user who logs on through the web authentication page of a Portal server, so that the user can only access limited network resources;
B. the user downloads and installs a security client through the web page;
C. when the user accesses protected network resources, the security client performs security authentication of the user terminal;
D. a user who passes security authentication may freely access the protected network resources.
Optionally, the method further comprises:
E. during the security authentication process, the user terminal uses the security client to verify the legitimacy of the Portal server.
Preferably, step E comprises:
E1. presetting an encryption algorithm and an encryption key in the security client;
E2. when the user terminal receives a message from the Portal server, verifying the legitimacy of the message with the encryption algorithm and encryption key.
Step A comprises:
A1. when the user accesses network resources through the network access device, the network access device checks the user's identity state;
A2. for a user who has not passed authentication, forcing the user to the authentication web page provided by the Portal server for user identity authentication;
A3. after authentication passes, controlling the user through an access control list (ACL) so that the user can only access limited network resources.
Optionally, step A2 comprises:
A21. the network access device initiates an identity authentication request to the unauthenticated user and obtains the user's identity information;
A22. sending the obtained user identity information to the authentication server;
A23. the authentication server authenticates the user identity information and sends the ACL, carried in an authentication success message.
Optionally, before step A1, the method further comprises the step of presetting the ACL in the network access device.
Step B comprises:
B1. the Portal server provides a security client download function for the user on the web authentication page;
B2. the user downloads and installs the security client on the user terminal through the link provided by the client download function.
Step C comprises:
C1. when the user accesses protected network resources, the network access device forces the initiation of a user access authentication request;
C2. the security client obtains the security state information of the user terminal and forwards it to the network access device through the Portal server, the security state information comprising at least the MAC address information, IP address information and operating system related information of the user terminal;
C3. the network access device sends the security state information to the authentication server;
C4. the authentication server performs security authentication of the user terminal according to the security state information;
C5. after security authentication passes, the network access device changes the corresponding user entry in the ACL to remove the access restriction on this user.
Preferably, the method also comprises: when the Portal server receives a message from the user terminal, verifying the legitimacy of the message using a shared asymmetric key.
A network access control system for controlling the access of user terminals that have no 802.1x client, comprising a network access device, a Portal server and an authentication server connected through a network, wherein:
the network access device is connected to the user terminal and controls the user's access to the different network resources;
the Portal server obtains the user's identity authentication information when the user accesses the network and sends it to the authentication server through the network access device, and at the same time provides the security client link to the user through the web page, obtains the security state information of the user terminal and sends it to the authentication server through the network access device;
the authentication server completes user identity authentication according to the user's identity authentication information, and completes security authentication of the user terminal according to the security state information of the user terminal.
The Portal server comprises:
a client link port, for providing the security client link to the user;
a client memory, connected to the client link port, for storing the client application.
As can be seen from the above technical scheme, the invention combines the web authentication mode with client authentication, extends conventional Portal authentication, and implements forced user identity authentication for non-HTTP/HTTPS protocol access in the web authentication mode, which is convenient for the terminal user. The invention has the following advantages:
(1) for a user who has logged on only through web authentication, access rights are controlled so that the user can only access an isolated area of the network, which protects the user network from the threat of unsafe terminals;
(2) through the proprietary Portal+ protocol, forced user authentication for non-HTTP/HTTPS protocol access to the protected network is solved, so that the user can access protected network resources in any way, such as HTTP, FTP (File Transfer Protocol) or Telnet;
(3) by downloading the security client from the web page, the security client is used to check the security state of the user terminal and to initiate user authentication again, implementing enhanced user authentication measures such as MAC binding and access device port binding, which guarantees the identity of the user accessing the network and the security of the terminal accessing the network;
(4) communication between the client and the Portal server uses preset asymmetric-key encryption for message validity checking, which guarantees the legitimacy of the Portal server and thereby, indirectly, the identity legitimacy of the AAA server, further guaranteeing the security of network authentication;
(5) distributing the security client through the web authentication page simplifies client distribution and deployment and reduces system maintenance cost.
With the invention, the authentication management of user endpoint access control can be carried out more simply and effectively, guaranteeing network security.
Description of drawings
Fig. 1 is an architectural block diagram of an 802.1x protocol application;
Fig. 2 is a flow chart of the first embodiment of the method of the invention;
Fig. 3 is the interaction flow between the network devices during implementation of the method of the invention;
Fig. 4 is a flow chart of the second embodiment of the method of the invention;
Fig. 5 is a networking schematic diagram of the network access control system of the invention.
Embodiment
The core of the invention is to combine the advantages of conventional Portal/Web authentication and client authentication, using an extended Portal protocol to force user identity authentication for non-HTTP/HTTPS protocol access in the web authentication mode. For a user who has logged on only through web authentication, access rights are controlled so that the user can only access an isolated area of the network, that is, only limited network resources such as the name server, patch server and virus server; a security client download link is provided to the user through the web page; the security state of the user terminal is checked by this security client and, when necessary, the user terminal interacts with products such as the patch server and the anti-virus central management server to perform operations such as virus database repair and patch installation; and for non-HTTP/HTTPS protocol access by the user, security authentication is forced, after which a user who passes may freely access the protected network resources.
To guarantee the legitimacy of the AAA server, communication between the client and the Portal server uses preset asymmetric-key encryption for message validity checking.
To make the invention better understood by those skilled in the art, it is described in further detail below with reference to the drawings and embodiments.
Fig. 2 shows the implementation flow of the first embodiment of the method of the invention, which comprises the following steps:
Step 201: restrict the access rights of a user who logs on through the web authentication page of the Portal server, so that the user can only access limited network resources.
Usually, the user terminal accesses the network through a network access device, which is a switch or a router. In the invention, to allow the user to access network resources in any way, such as through protocols like HTTP, FTP and Telnet, the traditional Portal protocol needs to be extended, that is, a proprietary protocol is adopted; correspondingly, the switch or router serving as the network access device also needs to support this protocol.
Those skilled in the art know that the basic process of traditional Portal authentication is as follows: the user terminal first obtains an IP address through the DHCP (Dynamic Host Configuration Protocol) protocol (a static IP address can also be used), but before authentication the user cannot reach the Internet with the obtained IP address and can only access a specific IP address, normally the IP address of the Portal server. An access device using Portal authentication must have this capability, which is generally achieved by modifying the ACL (access control list) of the access device.
After the user logs on to the Portal server, the user can browse the content of the portal, such as free information like advertisements and news, and can also enter a username and password on the web page; the web client application passes them to the Portal server, and the user is authenticated through the interaction between the Portal server and the NAS (network access server).
Besides the user's username and password, the Portal server can also obtain the user's IP address and uses it as an index to identify the user. The Portal server and the NAS then communicate directly with the Portal protocol, and the NAS completes the user's authentication and logoff process by communicating directly with the RADIUS (authentication) server. This authentication mode needs no special client software and can reduce the network operation workload, but its application is limited: it only responds to HTTP/HTTPS access requests and cannot solve the endpoint access problem.
Therefore, the invention extends the Portal protocol on top of the traditional Portal authentication infrastructure so that, during the interaction between the Portal server and the user terminal, the version information and MAC address information of the user client can be obtained. The Portal server forwards the user authentication information (client version, user terminal MAC address, username, password, etc.) to the network access device with the extended Portal protocol, and user identity authentication is completed directly through the interaction between the network access device and the authentication server. After authentication passes, the user is only allowed to access some limited network resources, such as the name server, patch server and virus server; in this way, unsafe user terminals are prevented from affecting the network and the security of the protected network resources is fully guaranteed.
This is implemented as follows:
When the user accesses network resources through the network access device, the network access device checks the user's identity state; a user who has not passed authentication is forced to the web authentication page provided by the Portal server for user identity authentication; after authentication passes, the user is controlled through an ACL so that only limited network resources can be accessed.
Those skilled in the art know that an ACL is an access control technique using packet filtering: on a router or switch it reads the information in the layer 3 and layer 4 packet headers, such as source address, destination address, source port and destination port, and filters packets according to predefined rules, thereby achieving access control. On the one hand an ACL can protect resource nodes and block access by illegitimate users; on the other hand it limits the access rights that specific user nodes may have to resource nodes.
The ACL can be preconfigured in the network access device. This ACL is a controlled ACL whose list comprises the IP addresses or network segments of limited network resources such as the DNS (name server), patch server and virus server; after user identity authentication passes, the user can only access the network resources listed in the ACL.
The ACL can also be sent to the network access device by the authentication server in the authentication success message; the network access device then sets the user's ACL according to the received ACL. This ACL is based on the user's network connection and controls the user's network access rights; the user's online session is controlled by this ACL.
Step 202: the Portal server provides a security client download function for the user on the web authentication page.
The security client can be kept on the Portal server or on other servers in the network, and a download link is provided to the user; the user directly clicks the corresponding link on the Portal server's web authentication page to download and install the security client on the user terminal.
Step 203: the user downloads and installs the security client on the user terminal through the link provided by the client download function.
Step 204: when the user accesses protected network resources, the security client performs security authentication of the user terminal.
After the client is installed, when the user accesses protected network resources the network access device forces the user terminal to be redirected to the Portal server, and the Portal server initiates a user access authentication request through the client software. After the user terminal receives this request, its client obtains the security state information of the user terminal, including the user terminal's MAC address information, IP address information, operating system related information, whether the terminal uses two network interface cards, whether a proxy server is used, and so on. This information is then forwarded to the network access device through the Portal server; the user terminal and the Portal server use the extended Portal protocol when interacting. The network access device in turn sends this security state information to the authentication server, which performs security authentication of the user terminal according to it and completes the enhanced user identity access authentication. After security authentication passes, the user terminal and the authentication server exchange user terminal security status information, including virus database definition information, system patch information, etc.; if required, the user terminal can also operate jointly with security products such as the patch server and the anti-virus central management server to automatically complete operations such as virus database upgrades and patch installation.
After the authentication server confirms that the security state of the user terminal is qualified, it notifies the network access device to modify the user's corresponding entry in the ACL and remove the access restriction on this user.
Alternatively, the user access control policy can be sent to the network access device with the SetPolicy command of the Session Control message in the RADIUS protocol, and the network access device changes the corresponding user entry in the ACL according to this policy to open the corresponding access rights for the user.
Step 205: a user who passes security authentication may freely access the protected network resources.
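The staged access control of steps 201 to 205 can be modelled as a small state machine on the network access device. The following Go program is an added illustration, not code from the patent or from H3C; the addresses, the user state names and the verdict strings are constructed for the example. It shows the point that distinguishes the scheme from plain Portal authentication: the verdict depends on the user's state and the destination, never on the protocol, so a Telnet or FTP packet to a protected host is forced into security authentication just like an HTTP request.

```go
package main

import (
	"fmt"
	"net"
)

// UserState is the network access device's view of one user terminal. The
// Portal flow identifies users by IP address, so the state map is keyed by IP.
type UserState int

const (
	Unauthenticated   UserState = iota // no identity authentication yet
	IdentityAuthed                     // passed web identity authentication; controlled ACL applies
	SecurityCertified                  // security client check passed; restriction removed
)

// Verdict is what the access device does with one packet.
type Verdict string

const (
	Forward        Verdict = "forward"
	RedirectPortal Verdict = "redirect-to-portal"  // force the web identity authentication page
	ForceSecAuth   Verdict = "force-security-auth" // trigger client-based security authentication
)

// NAS models the network access device with the controlled ACL pre-configured
// (step 201). All addresses used with it below are constructed for the example.
type NAS struct {
	portalIP   net.IP
	restricted []*net.IPNet // limited resources: DNS, patch and virus servers
	state      map[string]UserState
}

func NewNAS(portalIP string, restrictedCIDRs []string) *NAS {
	n := &NAS{portalIP: net.ParseIP(portalIP), state: map[string]UserState{}}
	for _, cidr := range restrictedCIDRs {
		_, ipn, err := net.ParseCIDR(cidr)
		if err != nil {
			panic(err)
		}
		n.restricted = append(n.restricted, ipn)
	}
	return n
}

func (n *NAS) inRestricted(ip net.IP) bool {
	for _, ipn := range n.restricted {
		if ipn.Contains(ip) {
			return true
		}
	}
	return false
}

// Filter applies the staged policy to one packet. Unknown sources are
// Unauthenticated (the map's zero value), so a new terminal is always redirected.
func (n *NAS) Filter(srcIP, dstIP string) Verdict {
	dst := net.ParseIP(dstIP)
	switch n.state[srcIP] {
	case Unauthenticated:
		// Before identity authentication only the Portal server is reachable.
		if dst.Equal(n.portalIP) {
			return Forward
		}
		return RedirectPortal
	case IdentityAuthed:
		// Controlled ACL: Portal server plus the limited resources only.
		if dst.Equal(n.portalIP) || n.inRestricted(dst) {
			return Forward
		}
		return ForceSecAuth
	default:
		return Forward
	}
}

// OnIdentityAuthSuccess models the authentication success message: controlled ACL installed.
func (n *NAS) OnIdentityAuthSuccess(srcIP string) { n.state[srcIP] = IdentityAuthed }

// OnSecurityAuthSuccess models the ACL change (SetPolicy) that removes the restriction.
func (n *NAS) OnSecurityAuthSuccess(srcIP string) { n.state[srcIP] = SecurityCertified }

func main() {
	nas := NewNAS("10.0.0.10", []string{"10.0.0.53/32", "10.0.1.0/24"})
	user := "192.168.1.7"
	fmt.Println(nas.Filter(user, "10.0.5.5"))  // redirect-to-portal
	nas.OnIdentityAuthSuccess(user)
	fmt.Println(nas.Filter(user, "10.0.0.53")) // forward (DNS is a limited resource)
	fmt.Println(nas.Filter(user, "10.0.5.5"))  // force-security-auth (protected host)
	nas.OnSecurityAuthSuccess(user)
	fmt.Println(nas.Filter(user, "10.0.5.5"))  // forward
}
```

The restriction is lifted per source address only, so a second terminal behind the same device stays in the redirect state until it completes both stages itself.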
Fig. 3 shows the interaction flow between the network devices during implementation of the method of the invention:
1. The user terminal performs network access through the network access device using any IP message;
2. After the network access device detects an unauthenticated IP address, it sends an identity authentication request message to the user terminal, forcing the user to the web authentication page provided by the Portal server for user identity authentication;
3. The user terminal responds to the Portal server with an identity authentication request message containing the username and password;
4. The Portal server sends the received username and password to the network access device;
5. The network access device sends an authentication request to the authentication server; this authentication request message contains the username and password to be authenticated.
The RADIUS (Remote Authentication Dial-In User Service) protocol can be used for communication between the network access device and the authentication server. The basic working principle of RADIUS is as follows: the user accesses the NAS (network access server); the NAS submits the user information, including the username, password and other related information, to the RADIUS server in an Access-Request packet, in which the user password is hidden with MD5 and both sides use a shared key that is never transmitted over the network; the RADIUS server checks the legitimacy of the username and password, and can similarly authenticate the NAS; if they are legitimate it returns an Access-Accept packet to the NAS, allowing the user to proceed, otherwise it returns an Access-Reject packet and the user's access is refused; if access is allowed, the NAS sends an accounting request (Accounting-Request) to the RADIUS server, which responds with an accounting acknowledgement and starts accounting for the user, while the user can carry out their own operations. The RADIUS server and the NAS communicate over the UDP (User Datagram Protocol) protocol; port 1812 of the RADIUS server handles authentication and port 1813 handles accounting.
6. After user identity authentication succeeds, the authentication server sends an authentication success message to the network access device.
The Access-Accept message defined by the RADIUS protocol carries the security agent's URL (uniform resource identifier) in the vendor-specific attribute 26 (2011-21) and the ACL information in attribute 11 (Filter-Id); this ACL is a controlled ACL whose list comprises the IP addresses or network segment information of the limited network resources;
7. The network access device sends an authentication success message to the user terminal through the Portal server;
8. The user terminal downloads and installs the security client from the link provided by the Portal server;
9. The security client performs the security authentication process of the user terminal once more with the authentication server;
10. After authentication succeeds, the authentication server sends a message to the network access device to change the ACL, which can be done with the SetPolicy command in the Session Control message, notifying the device to change the user's ACL and remove the restriction on this user; the ACL at this point is generally unrestricted;
11. The network access device sends an authentication success message to the user terminal.
As can be seen from the above flow, the invention forces user identity authentication for non-HTTP/HTTPS protocol access in the web authentication mode, and solves the authentication management and client distribution problems of user endpoint access control simply and effectively.
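The RADIUS exchange behind messages 5 and 6 relies on two mechanisms the description mentions only in passing: the MD5-based hiding of the user password with the shared secret, and the server's authenticator that lets the NAS reject a reply from a party that does not hold the secret. The following Go program is an added illustration of both as specified in RFC 2865 (sections 5.2 and 3); it is not code from the patent or from H3C, and the secret, password and packet identifier are constructed values.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/rand"
	"fmt"
)

const (
	codeAccessRequest byte = 1
	codeAccessAccept  byte = 2
	codeAccessReject  byte = 3
)

// keystreamBlock returns MD5(secret || prev), one 16-byte block of the RFC 2865 keystream.
func keystreamBlock(secret, prev []byte) [16]byte {
	return md5.Sum(append(append([]byte{}, secret...), prev...))
}

// HidePassword is what the NAS does to User-Password in an Access-Request: pad the
// password to a multiple of 16 bytes, XOR the first block with MD5(secret||RequestAuthenticator)
// and each later block with MD5(secret||previous ciphertext block). The secret never goes on the wire.
func HidePassword(secret, reqAuth, password []byte) []byte {
	padded := make([]byte, (len(password)+15)/16*16)
	copy(padded, password)
	out := make([]byte, len(padded))
	prev := reqAuth
	for i := 0; i < len(padded); i += 16 {
		b := keystreamBlock(secret, prev)
		for j := 0; j < 16; j++ {
			out[i+j] = padded[i+j] ^ b[j]
		}
		prev = out[i : i+16]
	}
	return out
}

// RevealPassword is the server-side inverse. Block n's keystream depends on the received
// ciphertext of block n-1, so the chain runs over the input; zero padding is stripped.
func RevealPassword(secret, reqAuth, hidden []byte) []byte {
	out := make([]byte, len(hidden))
	prev := reqAuth
	for i := 0; i < len(hidden); i += 16 {
		b := keystreamBlock(secret, prev)
		for j := 0; j < 16; j++ {
			out[i+j] = hidden[i+j] ^ b[j]
		}
		prev = hidden[i : i+16]
	}
	return bytes.TrimRight(out, "\x00")
}

// ResponseAuthenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret). A server that
// does not hold the shared secret cannot produce it, so the NAS can reject a forged Access-Accept.
func ResponseAuthenticator(code, id byte, reqAuth, attrs, secret []byte) [16]byte {
	length := uint16(20 + len(attrs)) // 20-byte header plus attributes
	var buf bytes.Buffer
	buf.Write([]byte{code, id, byte(length >> 8), byte(length)})
	buf.Write(reqAuth)
	buf.Write(attrs)
	buf.Write(secret)
	return md5.Sum(buf.Bytes())
}

// VerifyResponse is the NAS-side check of a received Access-Accept or Access-Reject.
func VerifyResponse(code, id byte, reqAuth, attrs, secret []byte, got [16]byte) bool {
	return ResponseAuthenticator(code, id, reqAuth, attrs, secret) == got
}

func main() {
	secret := []byte("constructed-shared-secret") // configured on NAS and server, never transmitted
	reqAuth := make([]byte, 16)                   // fresh random Request Authenticator per request
	if _, err := rand.Read(reqAuth); err != nil {
		panic(err)
	}
	hidden := HidePassword(secret, reqAuth, []byte("user-password"))
	fmt.Printf("hidden User-Password (%d bytes): %x\n", len(hidden), hidden)
	fmt.Printf("server recovers: %q\n", RevealPassword(secret, reqAuth, hidden))

	// Server answers Access-Accept with id 7; attrs would carry Filter-Id (11) with the ACL.
	attrs := []byte{}
	good := ResponseAuthenticator(codeAccessAccept, 7, reqAuth, attrs, secret)
	forged := ResponseAuthenticator(codeAccessAccept, 7, reqAuth, attrs, []byte("wrong-secret"))
	fmt.Println(VerifyResponse(codeAccessAccept, 7, reqAuth, attrs, secret, good))   // true
	fmt.Println(VerifyResponse(codeAccessAccept, 7, reqAuth, attrs, secret, forged)) // false
}
```

Note that the hiding only conceals the password from a passive observer; the binding of the reply to the request comes from the Request Authenticator being fresh and random, which is why the NAS must generate a new one per packet.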
The present technique field personnel know, under traditional Portal authentication mode, therefore the legitimacy that the user can't the authentication verification server also just exists certain influence to user security.Because Portal service permission client and Portal server are directly mutual, therefore in the present invention, by in client, pre-seting cryptographic algorithm and encryption key, finish the checking of client to Portal server, the alternative client of the legitimate verification of Portal server identity is directly carried out authentication to certificate server, thereby can guarantee the legitimacy of certificate server, avoid the certificate server spoofing attack.
With reference to Fig. 4, Fig. 4 shows the realization flow of the inventive method second embodiment, may further comprise the steps:
Step 401: the user's of the page web authentication online of restricted passage door Portal server access rights make it can only visit the limited network resource.
Step 402:Portal server provides the security client download function for the user on the web authentication page.
Step 403: the user downloads and installs user terminal by the link that Portal server provides with security client, and whether default unsymmetrical key in this client is used for the message of the Portal server that receives is decrypted, legal to verify this message.
Step 404: user terminal client safe in utilization is carried out legitimate verification to Portal server.The message that Portal server sent uses default encrypted private key to generate the checking summary, and security client uses default PKI to realize the checking of message digest, if be proved to be successful, thinks that then Portal server is credible.
Step 405: when user capture protected network resource, client safe in utilization is carried out safety certification to user terminal.Can be mutual with safe client by Security Policy Server, check the user terminal safe condition, and determine user network access authorities according to security state of terminal.
Step 406: user's free access protected network resource that safety certification is passed through.
In this embodiment, use the pre-unsymmetrical key of sharing between client and the Portal server, realized the legitimate verification of communication packet, guaranteed Portal server identity safety, thereby guaranteed the legitimacy of certificate server identity.
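The verification of step 404, as an added example in Go that is not code from the patent or its assignee: the Portal server signs each message with the pre-set private key and the security client accepts a message only if the signature verifies under the pre-set public key. The message structure and payloads are constructed for illustration, and Ed25519 is an assumed choice of algorithm (the patent does not name one).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// PortalMessage is a constructed stand-in for a Portal server message; the patent does
// not fix a wire format. Signature is the "verification digest" of step 404.
type PortalMessage struct {
	Payload   []byte
	Signature []byte
}

// PortalServer holds the private key pre-set on the server side.
type PortalServer struct{ priv ed25519.PrivateKey }

// SecurityClient holds the matching public key pre-set in the client before download.
type SecurityClient struct{ pub ed25519.PublicKey }

// NewPair generates the asymmetric key pair shared between server and client.
func NewPair() (*PortalServer, *SecurityClient, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &PortalServer{priv: priv}, &SecurityClient{pub: pub}, nil
}

// Send attaches the verification digest: a signature over the payload with the private key.
func (s *PortalServer) Send(payload []byte) PortalMessage {
	return PortalMessage{Payload: payload, Signature: ed25519.Sign(s.priv, payload)}
}

// Trusted is the client-side check of step 404: the message is accepted only if its
// signature verifies under the pre-set public key, so a server without the private key
// (or a message altered in transit) is rejected.
func (c *SecurityClient) Trusted(m PortalMessage) bool {
	return len(m.Signature) == ed25519.SignatureSize && ed25519.Verify(c.pub, m.Payload, m.Signature)
}

func main() {
	server, client, err := NewPair()
	if err != nil {
		panic(err)
	}
	msg := server.Send([]byte("portal: security authentication required")) // constructed payload
	fmt.Println("genuine Portal server trusted:", client.Trusted(msg))     // true

	other, _, _ := NewPair() // a server that does not hold the pre-set private key
	fmt.Println("other server trusted:", client.Trusted(other.Send(msg.Payload))) // false

	msg.Payload = append(msg.Payload, '!') // altered after signing
	fmt.Println("altered message trusted:", client.Trusted(msg)) // false
}
```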
Fig. 5 shows the networking diagram of the system of the invention:
The system is used for access control of user terminals that do not have an 802.1x client. Network access equipment 51, Portal server 52 and authentication server 53 are connected through a network, and user terminal 50 is connected to the network access equipment.
Both the Portal server and the network access equipment support the extended portal protocol.
To support providing the client download function to the user, the Portal server also provides a client link port 521 and a client memory 522. The client link port 521 provides the security client link to the user; the client memory 522 is connected to the client link port and stores the client application.
The network access equipment may be a switch or a router, and the authentication server may be an ordinary AAA server.
When the user accesses network resources through the network access equipment, the network access equipment checks the user's identity state and forces a user who has not passed authentication to perform user identity authentication on the web authentication page provided by the Portal server. After the Portal server obtains the user's identity authentication information, it sends the user identity information to the authentication server through the network access equipment, and the authentication server completes authentication of the user.
After authentication passes, the authentication server notifies the network access equipment to restrict this user to limited network resources, namely the resources in isolated area 54, such as a patch server and a virus server.
On the authentication Web page, the Portal server provides the security client download function to the user through client link port 521; the user downloads, through client link port 521, the security client stored in client memory 522 and installs it on the local terminal.
After the client is installed, when the user accesses protected network resources the network access equipment forces a user access authentication request to be initiated through the security client. After the user terminal receives this request, its client obtains the safety state information of the user terminal, including the terminal's MAC address, whether the terminal uses two network cards, and whether it uses a proxy server. This information is then forwarded to the network access equipment through the Portal server; the user terminal and the Portal server may use the extended portal protocol for this interaction. The network access equipment then sends the safety state information on to the authentication server, which performs security authentication of the user terminal according to this information, completing the enhanced user identity access authentication.
After the authentication server confirms that the security state of the user terminal is qualified, it notifies the network access equipment to remove the access restriction on this user, so that the user can access protected network resources.
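The two-stage flow just described, as an added example in Go that is not code from the patent or its assignee: identity authentication through the Portal page puts the user into the isolated area, and only a security state report accepted by the authentication server lifts the restriction. The user database, the terminal state values and the acceptance policy in SecurityCheck are constructed assumptions; the patent fixes neither the policy nor the message formats.

```go
package main

import "fmt"

// Access is the level the network access equipment enforces through a user's ACL entry.
type Access int

const (
	Denied   Access = iota // no ACL entry yet: identity not authenticated, forced to the portal page
	Isolated               // identity authenticated: isolated area only (patch and virus servers)
	Full                   // security authentication passed: protected resources reachable
)

// TerminalState is the safety state report of the security client (claim 7; values constructed).
type TerminalState struct {
	MAC, IP, OS string
	DualNIC     bool // terminal uses two network cards
	UsesProxy   bool // terminal uses a proxy server
}

// AAAServer performs identity authentication and terminal security authentication.
type AAAServer struct{ users map[string]string } // user -> password, constructed
func (a *AAAServer) Authenticate(user, pass string) bool { return a.users[user] == pass }

// SecurityCheck is an assumed policy (the patent fixes none): complete report, no second NIC, no proxy.
func (a *AAAServer) SecurityCheck(s TerminalState) bool {
	return s.MAC != "" && s.IP != "" && s.OS != "" && !s.DualNIC && !s.UsesProxy
}

// NAS models the network access equipment; acl holds one entry per authenticated user.
type NAS struct {
	aaa *AAAServer
	acl map[string]Access
}

// PortalLogin: identity info from the Portal page goes to the AAA server; on success the NAS
// installs the limiting ACL entry (claim 3, step A3). A missing entry reads as Denied.
func (n *NAS) PortalLogin(user, pass string) Access {
	if n.aaa.Authenticate(user, pass) {
		n.acl[user] = Isolated
	}
	return n.acl[user]
}

// SecurityAuth: the client's report reaches the AAA server via the NAS; only an Isolated
// (identity-authenticated) user can be promoted (claim 7, steps C3 to C5).
func (n *NAS) SecurityAuth(user string, s TerminalState) Access {
	if n.acl[user] == Isolated && n.aaa.SecurityCheck(s) {
		n.acl[user] = Full
	}
	return n.acl[user]
}

func main() {
	nas := &NAS{aaa: &AAAServer{users: map[string]string{"alice": "s3cret"}}, acl: map[string]Access{}}
	fmt.Println("after portal login:", nas.PortalLogin("alice", "s3cret")) // 1 (Isolated)
	state := TerminalState{MAC: "00:11:22:33:44:55", IP: "10.0.0.7", OS: "Windows XP SP2"} // constructed
	fmt.Println("after security authentication:", nas.SecurityAuth("alice", state)) // 2 (Full)
}
```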
Although the invention has been described through embodiments, those of ordinary skill in the art know that the invention admits many variations and modifications that do not depart from its spirit; it is intended that the appended claims cover these variations and modifications.

Claims (10)

1. An access control method in which network access equipment controls access by a user terminal to network resources, characterized in that the method comprises:
A. restricting the access rights of a user who has gone online through Web page authentication on a Portal server, so that the user can access only limited network resources;
B. the user downloading and installing a security client through the Web page;
C. when the user accesses a protected network resource, using the security client to perform security authentication of the user terminal;
D. a user who passes security authentication freely accessing protected network resources;
E. during the security authentication process, the user terminal using the security client to verify the legitimacy of the Portal server.
2. The access control method according to claim 1, characterized in that step E comprises:
E1. pre-setting a cryptographic algorithm and an encryption key in the security client;
E2. when the user terminal receives a message from the Portal server, verifying the legitimacy of the message by means of the cryptographic algorithm and encryption key.
3. The access control method according to claim 1, characterized in that step A comprises:
A1. when the user accesses network resources through the network access equipment, the network access equipment checking the user's identity state;
A2. forcing a user who has not passed authentication to perform user identity authentication on the authentication Web page provided by the Portal server;
A3. after authentication passes, controlling the user by means of an access control list (ACL) so that the user can access only limited network resources.
4. The access control method according to claim 3, characterized in that step A2 comprises:
A21. the network access equipment initiating an identity authentication request to a user who has not passed authentication and obtaining user identity information;
A22. sending the obtained user identity information to the authentication server;
A23. the authentication server authenticating the user identity information and carrying the ACL in the authentication success message.
5. The access control method according to claim 3, characterized in that it further comprises, before step A1:
pre-setting the ACL in the network access equipment.
6. The access control method according to claim 1, characterized in that step B comprises:
B1. the Portal server providing the security client download function to the user on the web authentication page;
B2. the user downloading the security client through the link provided by the client download function and installing it on the user terminal.
7. The access control method according to claim 1, characterized in that step C comprises:
C1. when the user accesses protected network resources, the network access equipment forcing a user access authentication request to be initiated;
C2. the security client obtaining the safety state information of the user terminal and forwarding it to the network access equipment through the Portal server, the safety state information comprising at least the MAC address information, IP address information and operating system information of the user terminal;
C3. the network access equipment sending the safety state information to the authentication server;
C4. the authentication server performing security authentication of the user terminal according to the safety state information;
C5. after security authentication passes, the network access equipment changing the corresponding user entry in the ACL to remove the access restriction on the user.
8. The access control method according to claim 1, characterized in that the method further comprises:
when the Portal server receives a message from the user terminal, verifying the legitimacy of the message using the shared asymmetric key.
9. A network access control system for access control of user terminals that do not have an 802.1x client, characterized in that it comprises network access equipment, a Portal server and an authentication server connected through a network, wherein
the network access equipment is connected to the user terminal and controls the user's access to different network resources;
the Portal server obtains the user's identity authentication information when the user accesses the network and sends it to the authentication server through the network access equipment, provides the security client link to the user through the Web page, obtains the safety state information of the user terminal, and sends it to the authentication server through the network access equipment;
the authentication server completes authentication of the user identity according to the user identity authentication information and completes security authentication of the user terminal according to the safety state information of the user terminal.
10. The network access control system according to claim 9, characterized in that the Portal server comprises:
a client link port for providing the security client link to the user;
a client memory, connected to the client link port, for storing the client application.
CNB2005101166382A 2005-10-26 2005-10-26 Access control method and system Active CN100563158C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005101166382A CN100563158C (en) 2005-10-26 2005-10-26 Access control method and system

Publications (2)

Publication Number Publication Date
CN1753364A CN1753364A (en) 2006-03-29
CN100563158C true CN100563158C (en) 2009-11-25

Family

ID=36680057

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005101166382A Active CN100563158C (en) 2005-10-26 2005-10-26 Access control method and system

Country Status (1)

Country Link
CN (1) CN100563158C (en)


Also Published As

Publication number Publication date
CN1753364A (en) 2006-03-29


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: No. 466 Changhe Road, Binjiang District, Zhejiang, China, 310052

Patentee after: New H3C Technologies Co., Ltd.

Address before: Huawei Hangzhou production base, No. 310, No. 6 Road, Science and Technology Industrial Park, Hangzhou High-tech Industrial Development Zone, Zhejiang Province, China, 310053

Patentee before: Hangzhou H3C Technologies Co., Ltd.