CN111654464A - Access control method, authentication device and system - Google Patents
- Publication number: CN111654464A (application CN202010301170.9A)
- Authority: CN (China)
- Prior art keywords: address, terminal, access control, authentication device, authentication
- Prior art date
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/00: Network architectures or network communication protocols for network security (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication)
- H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
Description
Technical field
The present invention relates to network communication technology, and in particular to an access control method, an authentication device and a system.
Background
In existing computer networks it is usually necessary to perform access control on terminals. Access control is a technique that restricts a user's access to certain information items, or the use of certain control functions, according to the user's identity and the defined group the user belongs to. Almost every system needs some form of access control.
A common access control technology is IEEE 802.1x. Once a terminal has passed IEEE 802.1x authentication, the access device identifies the terminal by its media access control (MAC) address, and the terminal's Internet Protocol (IP) address is no longer controlled. Control of IP addresses is generally done through access control lists (ACLs), which are configured to restrict or permit access for particular IP addresses. An ACL is a list of rules on a router or switch interface that controls the packets entering and leaving a port. With ACLs configured, one can restrict network traffic, allow specific devices access, direct packets on specific ports to be forwarded, and so on. ACLs can be configured on routers or on service software that has an ACL function.
Because an ACL can only specify a terminal's IP address through a mask, configuring scattered addresses, or a contiguous range that does not align with a mask, is very inconvenient. ACLs are also purely static: when a terminal's IP address or port changes, the configuration has to be modified through the network management system or the command line interface (CLI), so no dynamic adjustment is possible. In addition, an ACL has to be configured per protocol, per direction and per interface, so ACL configuration is quite complex.
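To make the mask limitation above concrete, the following is an added example (not code from the patent): it counts the Cisco-style "permit address wildcard" entries an exact ACL needs for a scattered set of addresses and for a contiguous but unaligned range, using only the standard library's `ipaddress` module, and shows what happens when an operator takes the shortcut of one coarse mask. The helper names and all sample addresses are constructed for the example.

```python
import ipaddress
from typing import Iterable, List, Tuple

Entry = Tuple[str, str]  # (address, wildcard mask), as in "permit 10.0.0.8 0.0.0.7"


def to_entry(net: ipaddress.IPv4Network) -> Entry:
    """One ACL entry for a CIDR block: the wildcard is the inverted netmask (host bits set)."""
    return str(net.network_address), str(net.hostmask)


def entry_matches(entry: Entry, ip: str) -> bool:
    """Wildcard semantics: a 0 bit in the mask must match the address, a 1 bit is 'don't care'."""
    addr, wildcard = (int(ipaddress.IPv4Address(x)) for x in entry)
    return (int(ipaddress.IPv4Address(ip)) | wildcard) == (addr | wildcard)


def entries_for_addresses(addresses: Iterable[str]) -> List[Entry]:
    """Fewest entries that permit exactly the given addresses: merge them into maximal aligned blocks."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(a) for a in addresses)
    return [to_entry(n) for n in nets]


def entries_for_range(first: str, last: str) -> List[Entry]:
    """Fewest entries for a contiguous range; an unaligned range still splits into several blocks."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [to_entry(n) for n in ipaddress.summarize_address_range(lo, hi)]


def single_entry_overreach(first: str, last: str) -> Tuple[Entry, int]:
    """What one coarse mask buys: the smallest block containing the whole range, and how many
    addresses outside the range that block permits as a side effect."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
        if hi in net:
            return to_entry(net), net.num_addresses - (int(hi) - int(lo) + 1)
    raise AssertionError("unreachable: a /0 contains every address")


def permitted_set(entries: Iterable[Entry], candidates: Iterable[str]) -> List[str]:
    """Which candidate addresses a permit-only entry list lets through."""
    return [ip for ip in candidates if any(entry_matches(e, ip) for e in entries)]


if __name__ == "__main__":
    scattered = ["10.0.0.5", "10.0.0.9", "10.0.0.17", "10.0.0.33"]  # constructed sample addresses
    print(entries_for_addresses(scattered))                  # four separate host entries
    print(entries_for_range("10.0.0.5", "10.0.0.20"))        # five entries for 16 consecutive hosts
    print(single_entry_overreach("10.0.0.5", "10.0.0.20"))   # one /27 entry, 16 unintended hosts
```

The practical point for a reviewer of such a configuration is the last function: a range of sixteen consecutive hosts that is not mask-aligned needs five exact entries, and the single-entry shortcut an operator is tempted to use permits as many addresses outside the range as inside it. The per-terminal policy the patent proposes avoids the mask entirely, which is why it can express scattered addresses.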
Summary of the invention
Embodiments of the present invention provide an access control method and an authentication device for dynamic access control of a terminal's IP address.
In view of this, a first aspect of the embodiments provides an access control method. The authentication device obtains the terminal's MAC address and its current IP address; the IP address may be an IPv4 or an IPv6 address, which is not limited here. The authentication device sends the server an authentication request containing the terminal's MAC address and current IP address. The request may additionally carry the authentication device's own access information, such as the port on the authentication device to which the terminal is attached or the VLAN the terminal belongs to (for example the VLAN identifier); anything that lets the server know the authentication device's address, so that the authentication device can receive the server's reply, is sufficient, and this is not limited here. The authentication device then receives from the server an authentication response message containing the access control policy that corresponds to the terminal's MAC address and current IP address. That policy may also cover the terminal's original IP address, and may additionally take into account the URL the terminal needs to access and the current time; the server matches its stored access policies against these factors, finds the matching access control policy and carries it to the authentication device in the authentication response message, which is not limited here. Finally, the authentication device performs access control on the terminal's current IP address according to the policy. Subject to the policy for the current IP address, it may also allow or forbid the terminal's current IP address and original IP address to access the network at the same time; in some feasible embodiments this applies when the terminal is of a type that may use several IP addresses simultaneously, such as a firewall or a router, which is not limited here.
Because the authentication device can obtain the terminal's IP and MAC addresses and send an authentication request to the server, and the server holds the access control policies for the terminal's various IP and MAC addresses, there is no need to configure each IP address on each gateway device, that is, no static configuration is required. Instead, the access policy the server returns for the terminal is used to perform access control on the terminal by IP address. This achieves dynamic access control with a very simple configuration process, which simplifies operation and maintenance.
In a first implementation of the first aspect, when the access control policy needs to be adjusted it can be modified on the server side, and the server sends a policy modification message to the authentication device. The message contains the modified access control policy for the terminal, and the authentication device performs access control on the terminal's current IP address according to the modified policy.
Because a change to the network access policy is made on the server side, there is no need to configure each IP address on each gateway device, so modifying the policy is very simple and operation and maintenance are simplified.
In a second implementation of the first aspect, after the terminal has joined the network through the IEEE 802.1x protocol it can obtain an IP address by sending a Dynamic Host Configuration Protocol (DHCP) message to the authentication device. The DHCP message carries the terminal's MAC address; the authentication device selects an IP address from a reserved address range according to the MAC address and assigns it to the terminal, which then uses that IP address to access the network.
Because the authentication device assigns the terminal an IP address from a preset address range through DHCP, this meets the needs of terminals that have no fixed IP address and must obtain one dynamically.
In a third implementation of the first aspect, the terminal's MAC address may be bound to an IP address in advance. A MAC address can be bound to one or more IP addresses, and one or more of them can be used to access the network at the same time, as with firewall or router devices. When such a terminal joins the network through MAC authentication it does not need to obtain another IP address, since its MAC address is already bound to an IP address, and it can use the bound IP address directly.
Because the authentication device is configured in advance with an IP address range for the terminal, this meets the needs of terminals that require a static, fixed IP address.
In a fourth implementation of the first aspect, the terminal sends an Address Resolution Protocol (ARP) message to the authentication device containing the terminal's IP address, the terminal's MAC address and the authentication device's IP address. On receiving the ARP message, the authentication device adds the mapping between the terminal's IP address and MAC address to its local ARP table.
Because the authentication device learns the terminal's MAC address and current IP address from the ARP message, it can generate an authentication request for that terminal and so obtain an authentication response message for that IP address.
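The exchange described in the first aspect and its four implementations above, as an added example that is not code from the patent: an AAA server holding policies keyed on (MAC, IP), and an authentication device (access switch) that hands out DHCP leases from a reserved pool, learns the (IP, MAC) pair from ARP, sends the authentication request with its ingress port and VLAN, enforces the returned policy per IP address, cuts off a terminal's previous IP unless the policy allows both, and accepts policy modification messages pushed by the server. The message field names, the "*" wildcard policy, the default deny for a terminal with no policy, and every MAC and IP address are assumptions of the example; a real deployment would carry the request and response over RADIUS, which is not shown.

```python
import ipaddress
from typing import Dict, Tuple


class AAAServer:
    """Policies keyed on (MAC, IP); the "*" wildcard IP (an assumption here) matches any IP of that MAC.
    A policy is {"action": "permit"|"deny", "keep_previous_ip": bool}; keep_previous_ip lets a
    router/firewall type terminal keep using its earlier IP as well as the new one."""

    def __init__(self) -> None:
        self.policies: Dict[Tuple[str, str], dict] = {}
        self.sessions: Dict[str, Tuple["Authenticator", str]] = {}  # mac -> (authenticator, current ip)

    def set_policy(self, mac: str, ip: str, action: str, keep_previous_ip: bool = False) -> None:
        self.policies[(mac.lower(), ip)] = {"action": action, "keep_previous_ip": keep_previous_ip}

    def lookup(self, mac: str, ip: str) -> dict:
        # exact (mac, ip) first, then the per-MAC wildcard; a terminal with no policy at all is denied
        default = {"action": "deny", "keep_previous_ip": False}
        return self.policies.get((mac, ip)) or self.policies.get((mac, "*")) or default

    def handle_auth_request(self, request: dict, authenticator: "Authenticator") -> dict:
        mac, ip = request["mac"], request["ip"]
        self.sessions[mac] = (authenticator, ip)  # remember where to push later policy changes
        return {"type": "auth-response", "mac": mac, "ip": ip, "port": request["port"],
                "vlan": request["vlan"], **self.lookup(mac, ip)}

    def modify_policy(self, mac: str, ip: str, action: str) -> None:
        """Central change: store it, then push a policy modification message to the attached authenticator."""
        mac = mac.lower()
        self.set_policy(mac, ip, action)
        session = self.sessions.get(mac)
        if session and session[1] == ip:
            session[0].receive_policy_modification({"type": "policy-modify", "mac": mac, "ip": ip, "action": action})


class Authenticator:
    """The access switch: a reserved DHCP pool, an ARP table, and the per-IP permit state it enforces."""

    def __init__(self, name: str, server: AAAServer, dhcp_pool: str) -> None:
        self.name, self.server = name, server
        self.pool = [str(h) for h in ipaddress.ip_network(dhcp_pool).hosts()]
        self.leases: Dict[str, str] = {}      # mac -> ip assigned through DHCP
        self.arp_table: Dict[str, str] = {}   # ip -> mac learned from ARP
        self.current_ip: Dict[str, str] = {}  # mac -> ip most recently authenticated
        self.permitted: Dict[str, bool] = {}  # ip -> may forward traffic

    def dhcp_request(self, mac: str) -> str:
        """Assign an address from the reserved pool, one per MAC (a returning MAC gets its lease back)."""
        mac = mac.lower()
        if mac not in self.leases:
            in_use = set(self.leases.values())
            self.leases[mac] = next(ip for ip in self.pool if ip not in in_use)
        return self.leases[mac]

    def receive_arp(self, sender_mac: str, sender_ip: str, port: int, vlan: int) -> dict:
        """An ARP message from the terminal supplies the (IP, MAC) pair: record it, then authenticate it,
        sending the ingress port and VLAN along so the server can reach this authenticator later."""
        mac = sender_mac.lower()
        self.arp_table[sender_ip] = mac
        request = {"type": "auth-request", "mac": mac, "ip": sender_ip, "port": port, "vlan": vlan,
                   "authenticator": self.name}
        response = self.server.handle_auth_request(request, self)
        self.apply(response)
        return response

    def apply(self, response: dict) -> None:
        mac, ip = response["mac"], response["ip"]
        previous = self.current_ip.get(mac)
        if previous and previous != ip and not response["keep_previous_ip"]:
            self.permitted[previous] = False  # ordinary terminal: one IP at a time, the old one is cut off
        self.permitted[ip] = response["action"] == "permit"
        self.current_ip[mac] = ip

    def receive_policy_modification(self, message: dict) -> None:
        self.permitted[message["ip"]] = message["action"] == "permit"

    def forwards(self, src_ip: str) -> bool:
        """Data-plane check on each packet: is this source IP currently permitted?"""
        return self.permitted.get(src_ip, False)


def demo() -> dict:
    """Constructed walk-through; every MAC and IP address here is made up for the example."""
    server = AAAServer()
    switch = Authenticator("switch-1", server, "10.0.1.0/29")
    laptop = "00:11:22:33:44:55"
    server.set_policy(laptop, "*", "permit")                  # any DHCP address, one at a time
    ip1 = switch.dhcp_request(laptop)
    switch.receive_arp(laptop, ip1, port=3, vlan=10)
    first = switch.forwards(ip1)
    switch.receive_arp(laptop, "10.0.1.6", port=3, vlan=10)   # the laptop turns up with a new address
    after_change = (switch.forwards(ip1), switch.forwards("10.0.1.6"))
    server.modify_policy(laptop, "10.0.1.6", "deny")          # operator change, pushed to the switch
    after_modify = switch.forwards("10.0.1.6")
    firewall = "aa:bb:cc:dd:ee:01"                            # MAC bound to two static IPs, both usable
    server.set_policy(firewall, "192.0.2.10", "permit", keep_previous_ip=True)
    server.set_policy(firewall, "192.0.2.11", "permit", keep_previous_ip=True)
    switch.receive_arp(firewall, "192.0.2.10", port=7, vlan=20)
    switch.receive_arp(firewall, "192.0.2.11", port=7, vlan=20)
    both = (switch.forwards("192.0.2.10"), switch.forwards("192.0.2.11"))
    switch.receive_arp("de:ad:be:ef:00:01", "10.0.1.5", port=9, vlan=10)  # no policy: denied
    return {"dhcp_ip": ip1, "first": first, "after_change": after_change,
            "after_modify": after_modify, "firewall": both, "unknown": switch.forwards("10.0.1.5")}
```

Two points a practitioner will want to keep in mind when reading this against the patent text. First, the authentication device takes the (IP, MAC) pair from the ARP message at face value, exactly as the page describes, and ARP carries no authentication of its own; what keeps an unknown pair out is the server's default deny and the fact that the policy is keyed on the MAC that already passed 802.1x or MAC authentication on the port. Second, the "one IP at a time" rule is enforced at the authenticator (the `apply` method), not at the server, so the server must be told the terminal's current attachment point, which is why the request carries the port and VLAN and the server keeps a session table for pushes.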
A second aspect of the embodiments provides an authentication device comprising: an obtaining module for obtaining the terminal's MAC address and current IP address, and optionally its original IP address, which is not limited here; a sending module for sending the server an authentication request containing the MAC address and current IP address obtained by the obtaining module, and optionally the original IP address, which is not limited here; a first receiving module for receiving the authentication response message sent by the server, containing the access control policy corresponding to the terminal's MAC address and current IP address, and optionally the original IP address, which is not limited here; and a first execution module for performing access control on the terminal's current IP address, and optionally on its original IP address, according to that policy, which is not limited here.
Because the obtaining module obtains the terminal's IP and MAC addresses, the sending module sends the authentication request to the server, and the first receiving module receives the access control policy the server holds for the terminal's various IP and MAC addresses, there is no need to configure each IP address on each gateway device, that is, no static configuration is required. Instead, the first execution module applies the network access policy the server returns to the terminal by IP address. This achieves dynamic access control with a very simple configuration process, which simplifies operation and maintenance.
In a first implementation of the second aspect, a second receiving module receives a policy modification message sent by the server, containing the modified access control policy for the terminal, and a second execution module performs access control on the terminal's current IP address according to the modified policy.
Because a change to the network access policy is made on the server side, there is no need to configure each IP address on each gateway device, so modifying the policy is very simple and operation and maintenance are simplified.
In a second implementation of the second aspect, a third receiving module receives a Dynamic Host Configuration Protocol (DHCP) message sent by the terminal, and an allocation module allocates an IP address to the terminal according to the DHCP message.
Because the authentication device assigns the terminal an IP address from a preset address range through DHCP, this meets the needs of terminals that have no fixed IP address and must obtain one dynamically.
In a third implementation of the second aspect, the allocation module configures an IP address range for the terminal.
Because the authentication device is configured in advance with an IP address range for the terminal, this meets the needs of terminals that require a static, fixed IP address.
In a fourth implementation of the second aspect, the first receiving module receives an Address Resolution Protocol (ARP) message sent by the terminal, carrying the terminal's MAC address and current IP address.
Because the authentication device learns the terminal's MAC address and current IP address from the ARP message, it can generate an authentication request for the terminal's access control.
A third aspect of the application provides a device comprising a transceiver, a memory, a processor and a bus, with the transceiver, memory and processor connected through the bus (the original text labels this device a server, although the functions listed are those of the authentication device). The transceiver obtains the terminal's MAC address and current IP address, and optionally its original IP address; sends the server an authentication request containing the terminal's MAC address and current IP address, and optionally its original IP address; and receives the authentication response message sent by the server, containing the access control policy corresponding to the terminal's MAC address and current IP address, and optionally its original IP address; none of this is limited here. The memory stores the program, the terminal's MAC address and current IP address obtained by the transceiver, the authentication request sent to the server and the authentication response message sent by the server, which is not limited here. When the authentication device runs, the processor executes the program and performs access control on the terminal's current IP address, and optionally on its original IP address, according to the access control policy, which is not limited here.
As can be seen from the above technical solutions, the embodiments of the present invention have the following advantages:
In the embodiments of the present invention, because the authentication device can obtain the terminal's IP and MAC addresses and send an authentication request to the server, and the server holds the access control policies for the terminal's various IP and MAC addresses, there is no need to configure each IP address on each gateway device, that is, no static configuration is required. Instead, the network access policy the server returns for the terminal is used to perform access control on the terminal by IP address. This achieves dynamic access control with a very simple configuration process, which simplifies operation and maintenance.
Brief description of the drawings
Fig. 1 is a schematic diagram of the framework of an access control system in an embodiment of the present invention;
Fig. 2 is a schematic diagram of an embodiment of the access control method in an embodiment of the present invention;
Fig. 3 is a schematic diagram of an embodiment of the authentication device in an embodiment of the present invention;
Fig. 4 is a schematic diagram of another embodiment of the authentication device in an embodiment of the present invention;
Fig. 5 is a schematic diagram of another embodiment of the authentication device in an embodiment of the present invention;
Fig. 6 is a schematic diagram of another embodiment of the authentication device in an embodiment of the present invention;
Fig. 7 is a schematic diagram of another embodiment of the authentication device in an embodiment of the present invention;
Fig. 8 is a schematic diagram of another embodiment of the authentication device in an embodiment of the present invention;
Fig. 9 is a schematic diagram of another embodiment of the authentication device in an embodiment of the present invention;
Fig. 10 is a schematic diagram of another embodiment of the authentication device in an embodiment of the present invention.
Detailed description
Embodiments of the present invention provide an access control method and an authentication device for dynamic access control of a terminal's IP address.
To help those skilled in the art understand the embodiments, the technical solutions in the embodiments are described clearly below with reference to the drawings. Obviously, the embodiments described are only some of the embodiments of the present invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from these embodiments without creative effort fall within the protection scope of the present invention.
The terms "first", "second", "third", "fourth" and so on (if present) in the description, the claims and the drawings are used to distinguish similar objects and do not necessarily describe a particular order or sequence. Data so designated may be interchanged where appropriate, so that the embodiments described here can be practised in an order other than the one illustrated or described. Further, the terms "include", "comprise" and "have", and any variants of them, are intended to cover non-exclusive inclusion: a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to that process, method, product or device.
Fig. 1 is a schematic diagram of the architecture of an access control system. In the embodiments of the present invention the terminal may be a mobile terminal such as a mobile phone, a tablet or a laptop, or a desktop computer, a router device or a firewall device, which is not limited here. In some feasible embodiments the authentication device may be an Ethernet switch or a local area network switch; anything that can connect the terminal and the server and implement the functions of the access control method of the embodiments will do, and this is not limited here. In some feasible embodiments the server may be an AAA server (authentication, authorization and accounting) or another server that authenticates, authorizes and accounts for visiting terminals, which is not limited here; the embodiments use an AAA server as the example. After the authentication device obtains the terminal's MAC address and current IP address, it sends the server an authentication request containing them; the server sends the authentication device an authentication response message containing the access control policy corresponding to that MAC address and current IP address, and the authentication device performs access control on the terminal's current IP address according to that policy.
In the field of network communication almost all systems need access control. Access control is a technique that restricts a user's access to certain information items, or the use of certain control functions, according to the user's identity and the defined group the user belongs to.
Common access control technologies include IEEE 802.1x authentication and MAC authentication. Once a terminal has passed IEEE 802.1x authentication or MAC authentication, the access device identifies it by its MAC address and the terminal's IP address is no longer controlled; the terminal's IP address is generally controlled through ACLs configured to restrict or permit access for certain IP addresses.
Because an ACL can only specify a terminal's IP address through a mask, configuring scattered addresses, or a contiguous range that does not align with a mask, is very inconvenient. ACLs are also purely static: when the terminal's IP address or port changes, the configuration has to be modified through the network management system or the CLI, so no dynamic adjustment is possible. In addition, an ACL entry has to be configured per protocol, per direction and per interface, so ACL configuration is quite complex.
In the embodiments of the present invention the server holds the access control policies for the IP and MAC addresses of the different terminals, so there is no need to configure each IP address on each gateway device, that is, no static configuration is required. Instead, the network access policy the server returns for a terminal determines how access control is performed on that terminal. This achieves dynamic access control with a very simple configuration process, which simplifies operation and maintenance.
For ease of understanding, the specific process in the embodiment of the present invention is described below. Referring to FIG. 2, an embodiment of the access control method in the embodiment of the present invention includes:
201. The terminal obtains an IP address.
In some feasible embodiments, the terminal may access the network through the IEEE 802.1x protocol: when the terminal accesses the network and the authentication device responds, the terminal needs to fill in a user name and password and send them as credentials to the authentication device; if the authentication device judges that the user name and password meet the requirements, it permits access for the terminal's MAC address. After the terminal has accessed the network through IEEE 802.1x, it can obtain an IP address by sending a Dynamic Host Configuration Protocol (DHCP) message to the authentication device. The DHCP message carries the terminal's own MAC address; the authentication device selects an IP address from the reserved IP address segment according to the MAC address and assigns it to the terminal, and the terminal can then use that IP address to access the network. In the embodiment of the present invention, for terminals that access the network through IEEE 802.1x, such as most personal computers and mobile terminals, the terminal's MAC address has no fixed IP address but must obtain one dynamically, and the terminal can have only one IP address in any given period. When a new IP address comes into use by a terminal, that terminal's original IP address is forbidden from accessing the network.
In some feasible embodiments, the terminal may access the network through MAC address authentication: when the terminal accesses the network, the authentication device determines whether to permit the terminal's access solely from the terminal's MAC address, without requiring the terminal to fill in a user name and password. In the embodiment of the present invention, the terminal may have its MAC address and IP address bound in advance through configuration. The MAC address may be bound to one or more IP addresses, and one or more of these IP addresses may be used to access the network simultaneously, as is the case for firewall devices, router devices and the like. After the terminal accesses the network through MAC address authentication, because its MAC address and IP address are bound, the terminal does not need to obtain a separate IP address and can directly use the IP address bound to its MAC address to access the network.
202. The authentication device obtains the MAC address and IP address of the terminal.
In some feasible embodiments, the terminal's IP address may be an IPv4 address or an IPv6 address, which is not limited here. In the embodiment of the present invention, the process by which the authentication device obtains the terminal's MAC address and IP address is described taking an IPv4 address as an example.
When the terminal's IP address is an IPv4 address, the terminal sends an ARP packet to the authentication device when it accesses the network; the ARP packet includes the terminal's IP address, the terminal's MAC address and the authentication device's IP address. When the authentication device receives the ARP packet, it adds the mapping between the terminal's IP address and MAC address to its local ARP table.
When the terminal's IP address is an IPv6 address, ARP packets are not used; Neighbor Discovery (ND) packets are used instead. For the specific process by which the terminal uses ND packets to obtain the authentication device's MAC address, reference may be made to the corresponding IPv4 process in the foregoing method embodiment for brevity of description, and it is not repeated here.
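As an added illustration of step 202 (example code, not code from the patent), the following Python function parses an Ethernet/ARP frame as the authentication device would, extracts the sender IP and MAC, and records the binding in a MAC-keyed table that also reports the previous IP held by that MAC, which is the "original IP address" step 203 needs later. The frame bytes, the MAC addresses and the 192.0.2.0/24 addresses are constructed for the example. The check that the ARP sender MAC matches the Ethernet source MAC is an added safeguard the patent text does not mention: a frame whose two headers disagree is not used to learn a binding. IPv6 Neighbor Discovery would be handled the same way from the ICMPv6 source link-layer address option and is not shown.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class ArpInfo:
    sender_mac: str   # MAC address the terminal states in the ARP body
    sender_ip: str    # IP address the terminal is using
    target_ip: str    # IP address being resolved (the authentication device's)
    opcode: int       # 1 = request, 2 = reply


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_to_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_to_bytes(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def parse_arp_frame(frame: bytes) -> Optional[ArpInfo]:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP.

    Returns None for anything that is not such a frame, and also when the
    ARP sender MAC disagrees with the Ethernet source MAC (added safeguard:
    a frame whose two headers disagree is not used to learn a binding).
    """
    if len(frame) < 14 + 28:                      # Ethernet header + ARP body
        return None
    eth_src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        return None
    sender_mac = frame[22:28]
    sender_ip = frame[28:32]
    target_ip = frame[38:42]                      # bytes 32..38 hold the target MAC
    if sender_mac != eth_src:
        return None
    return ArpInfo(mac_to_str(sender_mac), ipv4_to_str(sender_ip),
                   ipv4_to_str(target_ip), opcode)


class ArpTable:
    """MAC-keyed binding table kept by the authentication device."""

    def __init__(self) -> None:
        self.current_ip: Dict[str, str] = {}

    def learn(self, info: ArpInfo) -> Optional[str]:
        """Record the sender's binding and return the IP previously held by
        this MAC (None if first seen), i.e. the terminal's original IP."""
        previous = self.current_ip.get(info.sender_mac)
        self.current_ip[info.sender_mac] = info.sender_ip
        return previous


def build_arp_request(src_mac: bytes, src_ip: str, target_ip: str) -> bytes:
    """Build a broadcast ARP request as a terminal would send it
    (constructed sample input for this example)."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, ARP_REQUEST)
    arp += src_mac + ipv4_to_bytes(src_ip) + b"\x00" * 6 + ipv4_to_bytes(target_ip)
    return eth + arp


if __name__ == "__main__":
    terminal_mac = bytes.fromhex("020000000001")   # constructed, locally administered
    table = ArpTable()
    first = parse_arp_frame(build_arp_request(terminal_mac, "192.0.2.10", "192.0.2.1"))
    print(first, "previous IP:", table.learn(first))
    renewed = parse_arp_frame(build_arp_request(terminal_mac, "192.0.2.11", "192.0.2.1"))
    print(renewed, "previous IP:", table.learn(renewed))
```

Keying the table by MAC rather than by IP is what lets the device notice at step 203 that a terminal's address has changed: the second `learn` call returns 192.0.2.10 as the original address while the table now holds 192.0.2.11.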
203. The authentication device sends an authentication request to the server, where the authentication request includes the terminal's MAC address and IP address.
In the embodiment of the present invention, after obtaining the terminal's MAC address and IP address, the authentication device sends an authentication request carrying that MAC address and IP address to the server, in order to obtain the server's access control policy for the terminal.
When the terminal's IP address has changed, the authentication request sent by the authentication device may carry both the terminal's current IP address and its original IP address, or only the terminal's current IP address, which is not limited here. In some feasible embodiments, when the server receives the authentication request it obtains the terminal's original IP address from cached data and returns to the authentication device both the access control policy corresponding to the terminal's current IP address and the access control policy for the terminal's original IP address; for example, the policy corresponding to the current IP address may be "allow access" and the policy for the original IP address may be "deny access".
Optionally, after the authentication device obtains the terminal's MAC address and current IP address, it checks the cached table corresponding to that MAC address for the terminal's original IP address. If an original IP address exists and is the same as the terminal's current IP address, the authentication request sent to the server carries only the current IP address, or the authentication device may send no authentication request at all, which is not limited here. Otherwise, if the authentication device determines that the original IP address differs from the current IP address, it may include both the current IP address and the original IP address in the authentication request sent to the server, or it may omit the original IP address from the request, which is not limited here, so as to obtain the server's access control policy for each of the terminal's IP addresses.
It should be noted that the authentication request carries not only the terminal's MAC address and IP address but also access information about the authentication device itself. This access information includes information about the port of the authentication device through which the terminal accesses the network, and it includes the virtual local area network (VLAN) information of the VLAN to which the terminal belongs, such as the terminal's VLAN identifier. It is sufficient that the server can learn the address of the authentication device so that the authentication device can receive the server's response; the contents are otherwise not limited here.
In some feasible embodiments, the authentication request may be sent once every fixed interval, for example once every 20 minutes, or it may be sent as a broadcast message whenever triggered, for example the authentication device sends an authentication request to the server upon receiving an ARP packet; this is not limited here.
204. The authentication device receives an authentication response message sent by the server, where the authentication response message includes the access control policy corresponding to the terminal's MAC address and IP address.
In some feasible embodiments, the server looks up a matching access control policy among the stored access control policies according to the terminal's MAC address and IP address, and sends the matching policy it finds to the authentication device. In other feasible embodiments, access for such a MAC address and IP address may be denied by default, which is not limited here.
Optionally, when looking up a matching access control policy, the server may refer not only to the terminal's MAC address and IP address but also to the website the terminal needs to access and to the current point in time, which is not limited here. The server matches the stored access policies against these different reference factors, finds the corresponding matching access control policy, carries it in the authentication response message and sends it to the authentication device. In the embodiment of the present invention, the server's lookup is described taking the case where only the terminal's MAC address and IP address are considered as an example.
It should be noted that a corresponding access control policy cannot be found for every MAC address and IP address. In some feasible embodiments, if the server cannot find a corresponding access control policy for the terminal's MAC address and IP address, the default may be to apply no access control to that MAC address and IP address, or the default may be to deny access for such a MAC address and IP address; this is not limited here.
205. The authentication device performs access control on the terminal's IP address according to the access control policy.
In some feasible embodiments, the access control policy may allow or deny access for the terminal's current IP address, or it may allow or deny the terminal's current IP address access to a specific website in the current time period; this is not limited here.
In some other feasible embodiments, on the premise that the current IP address is allowed access, the policy may also allow or deny the terminal's current IP address and original IP address simultaneous access to the network. In some feasible embodiments this applies when the terminal is of a type that allows multiple IP addresses to access the network at the same time, such as a firewall device or a router device.
In some other feasible embodiments, the terminal may be one of the majority of handheld terminals or personal computers that can use only one IP address in a given period and whose IP address is dynamic; in that case, on the premise that the terminal's current IP address is allowed to access the network, the terminal's original IP address is denied.
It should be noted that, optionally, the current time and the specific website may also be taken into account as combined reference factors; that is, the terminal's MAC address, current IP address, original IP address, the current time period and the network currently to be accessed may be used to find the matching policy for controlling the terminal's current and original IP addresses, indicating whether the terminal's current IP address and original IP address may access the current website at this moment.
In some feasible embodiments, besides the several access control policies above, there may be other types of access control policy, for example denying both the terminal's current IP address and its original IP address; this is not limited here. In this step, access control is performed on the terminal's IP address according to the access control policy carried in the received authentication response message.
206. The authentication device receives a policy modification message sent by the server, where the policy modification message includes an access control modification policy for the terminal.
In some feasible embodiments, when the access control policy needs to be adjusted, it can be modified on the server side. After the modification is complete, the authentication device receives a policy modification message sent by the server, which includes the access control modification policy for the terminal. Optionally, after the modification is complete, the server may deliver to the authentication device a care-of address protocol (COA) message for the policy change of the specific MAC address and IP address, where the COA message includes the latest access control policy for the terminal that the authentication device is instructed to apply.
207. The authentication device performs access control on the terminal's IP address according to the access control modification policy.
In the embodiment of the present invention, the authentication device performs access control on the terminal's IP address according to the access control modification policy. Optionally, the policy modification message may include the latest version of the policies for different MAC addresses and IP addresses, or modifications that restrict the terminal's access in different time periods and to different specific web pages; this is not limited here.
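The whole exchange of steps 201 to 207, as an added Python model that is not part of the patent: a policy server keyed on (MAC, IP) with a configurable default for unmatched pairs (step 204), an authentication device that caches the last IP per MAC and sends a request only when the address changed, carrying its port and VLAN as step 203 describes, the server's two-policy response when the IP changed (allow for the current address, deny for the original one unless the MAC belongs to a multi-address device such as a router, step 205), and a server-pushed modification message in the role of the COA message of step 206. The message field names, the 192.0.2.0/24 addresses, the MAC addresses, the port name and the VLAN number are all constructed for the example; the fail-closed treatment of an address for which the device holds no policy is the example's choice, since the patent leaves that default open.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple, Union

ALLOW = "allow"
DENY = "deny"


@dataclass
class AuthRequest:                # step 203 (field names are constructed)
    mac: str
    current_ip: str
    original_ip: Optional[str]    # None when unknown or unchanged
    port: str                     # access information of the authentication device
    vlan: int


@dataclass
class AuthResponse:               # step 204: one policy per IP address
    policies: Dict[str, str]


@dataclass
class PolicyModification:         # step 206, in the role of the COA message
    mac: str
    policies: Dict[str, str]


class PolicyServer:
    """Holds (MAC, IP) -> action policies plus the last IP seen per MAC."""

    def __init__(self, default_action: str = DENY) -> None:
        self.policies: Dict[Tuple[str, str], str] = {}
        self.multi_ip_macs: Set[str] = set()   # firewalls, routers: several IPs at once
        self.last_ip: Dict[str, str] = {}      # server-side cache of the original IP
        self.default_action = default_action   # applied when no policy matches

    def lookup(self, mac: str, ip: str) -> str:
        return self.policies.get((mac, ip), self.default_action)

    def set_policy(self, mac: str, ip: str, action: str) -> PolicyModification:
        """Configure a policy server-side; the returned message is what the
        server pushes to the authentication device (steps 206 and 207)."""
        self.policies[(mac, ip)] = action
        return PolicyModification(mac, {ip: action})

    def handle(self, req: AuthRequest) -> AuthResponse:
        result = {req.current_ip: self.lookup(req.mac, req.current_ip)}
        original = req.original_ip or self.last_ip.get(req.mac)
        if original and original != req.current_ip:
            if req.mac in self.multi_ip_macs:
                result[original] = self.lookup(req.mac, original)  # may stay allowed
            else:
                result[original] = DENY   # single-address terminal: old IP is cut off
        self.last_ip[req.mac] = req.current_ip
        return AuthResponse(result)


class AuthDevice:
    """Caches the current IP per MAC and enforces whatever the server returned."""

    def __init__(self, server: PolicyServer, port: str, vlan: int) -> None:
        self.server, self.port, self.vlan = server, port, vlan
        self.cache: Dict[str, str] = {}     # MAC -> current IP (from ARP/ND, step 202)
        self.filters: Dict[str, str] = {}   # IP -> ALLOW / DENY

    def on_terminal(self, mac: str, ip: str) -> None:
        """Steps 203 to 205, run once a MAC/IP pair has been learned."""
        original = self.cache.get(mac)
        if original == ip:
            return                          # unchanged: no request needed
        self.cache[mac] = ip
        req = AuthRequest(mac, ip, original, self.port, self.vlan)
        self.enforce(self.server.handle(req))

    def enforce(self, msg: Union[AuthResponse, PolicyModification]) -> None:
        """Apply a response (step 205) or a pushed modification (step 207)."""
        self.filters.update(msg.policies)

    def permitted(self, ip: str) -> bool:
        return self.filters.get(ip, DENY) == ALLOW   # fail closed (example's choice)


def run_scenario() -> Dict[str, bool]:
    """Walk a PC-type terminal and a router-type terminal through the exchange."""
    server = PolicyServer(default_action=DENY)
    device = AuthDevice(server, port="GigabitEthernet0/1", vlan=100)
    pc, router = "02:00:00:00:00:01", "02:00:00:00:00:aa"   # constructed MACs
    for ip in ("192.0.2.10", "192.0.2.11"):
        server.set_policy(pc, ip, ALLOW)
    for ip in ("192.0.2.30", "192.0.2.31"):
        server.set_policy(router, ip, ALLOW)
    server.multi_ip_macs.add(router)
    out: Dict[str, bool] = {}

    device.on_terminal(pc, "192.0.2.10")
    out["pc_first_ip"] = device.permitted("192.0.2.10")            # True
    device.on_terminal(pc, "192.0.2.11")                            # DHCP gave a new address
    out["pc_new_ip"] = device.permitted("192.0.2.11")              # True
    out["pc_old_ip"] = device.permitted("192.0.2.10")              # False: one IP at a time
    device.enforce(server.set_policy(pc, "192.0.2.11", DENY))      # pushed modification
    out["pc_after_modification"] = device.permitted("192.0.2.11")  # False

    device.on_terminal(router, "192.0.2.30")
    device.on_terminal(router, "192.0.2.31")
    out["router_both_ips"] = (device.permitted("192.0.2.30")
                              and device.permitted("192.0.2.31"))  # True

    device.on_terminal("02:00:00:00:00:02", "192.0.2.20")          # MAC with no policy
    out["unknown_mac"] = device.permitted("192.0.2.20")            # False: server default
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Two points this model makes visible that the prose only states: the original IP of a single-address terminal is cut off by the server's response, not by anything the device decides on its own, and a policy change reaches the device without any CLI or network-management edit, which is the operational gain the patent claims over static ACLs.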
In the embodiment of the present invention, because the access control policies for the IP addresses and MAC addresses of the different terminals are set on the server, there is no need to configure each IP address on each gateway device one by one, that is, no static configuration is required; instead, how to perform access control on a terminal is determined from the network access policy for that terminal returned by the server. This achieves dynamic access control, and the configuration process is very simple, which simplifies operation and maintenance.
Referring to FIG. 3, an embodiment of the present invention further provides an authentication device 300, which includes:
an acquisition module 301, configured to acquire the terminal's MAC address and current IP address;
a sending module 302, configured to send an authentication request to the server, where the authentication request includes the terminal's MAC address and current IP address acquired by the acquisition module 301;
a first receiving module 303, configured to receive the authentication response message sent by the server, where the authentication response message includes the access control policy corresponding to the terminal's MAC address and current IP address sent by the sending module 302; and
a first execution module 304, configured to perform access control on the terminal's current IP address according to the access control policy received by the first receiving module 303.
Referring to FIG. 4, in some embodiments the authentication device further includes:
a second receiving module 305, configured to receive the policy modification message sent by the server, where the policy modification message includes the access control modification policy for the terminal; and
a second execution module 306, configured to perform access control on the terminal's current IP address according to the access control modification policy.
Referring to FIG. 5, in some embodiments the authentication device further includes:
a third receiving module 307, configured to receive the DHCP message sent by the terminal; and
an allocation module 308, configured to allocate an IP address to the terminal according to the DHCP message.
Referring to FIG. 6, in some embodiments the authentication device further includes:
a configuration module 309, configured to configure an IP address segment for the terminal.
Referring to FIG. 7, in some embodiments the sending module 302 includes:
a first receiving unit 3011, configured to receive the ARP packet sent by the terminal, where the ARP packet carries the terminal's MAC address and current IP address.
Referring to FIG. 8, in some embodiments the sending module 302 includes:
a reading unit 3021, configured to read the terminal's original IP address from the local cache; and
a sending unit 3022, configured to send an authentication request to the server when the terminal's current IP address obtained by the acquisition unit differs from the terminal's original IP address read by the reading unit, where the authentication request includes the terminal's original IP address, current IP address and MAC address.
Referring to FIG. 9, in some embodiments the first execution module 304 includes:
an execution unit 3041, configured to perform access control separately on the terminal's current IP address and original IP address according to the access control policy.
In the embodiment of the present invention, because the access control policies for the IP addresses and MAC addresses of the different terminals are set on the server, there is no need to configure each IP address on each gateway device one by one, that is, no static configuration is required; instead, how to perform access control on a terminal is determined from the network access policy for that terminal returned by the server. This achieves dynamic access control, and the configuration process is very simple, which simplifies operation and maintenance.
The authentication device 300 may be the authentication device described in FIG. 1 or FIG. 2 and can perform each step performed by the authentication device in FIG. 2.
The authentication device in the embodiment of the present invention has been described above from the perspective of modular functional entities; it is described below from the perspective of hardware processing. Referring to FIG. 10, an embodiment of the present invention provides an authentication device 400, which includes:
a transceiver 401, a memory 402, a processor 403 and a bus 404.
The transceiver 401, the memory 402 and the processor 403 are connected through the bus 404.
The transceiver 401 is configured to obtain the terminal's MAC address and current IP address; to send an authentication request to the server, where the authentication request includes the terminal's MAC address and current IP address; and to receive the authentication response message sent by the server, where the authentication response message includes the access control policy corresponding to the terminal's MAC address and current IP address.
Further, the transceiver 401 includes one or more of ZigBee, Wi-Fi, LTE (Long Term Evolution), RFID (Radio Frequency Identification), NFC (Near Field Communication), infrared and UWB (Ultra Wideband), which is not limited here; it may also include a communication interface under the EIA RS-232C standard, that is, the technical standard for a serial binary data exchange interface between Data Terminal Equipment (DTE) and Data Circuit-terminating Equipment (DCE), or a communication interface under the RS-485 protocol, which is not limited here.
The memory 402 is configured to store programs, the terminal's MAC address and current IP address obtained by the transceiver 401, the authentication request sent to the server and the authentication response message sent by the server.
The memory 402 may include volatile memory, for example random-access memory (RAM); the memory 402 may also include non-volatile memory, for example flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory 402 may further include any combination of the above kinds of memory, which is not limited here.
Optionally, the memory 402 may also be configured to store program instructions, and the processor 403 may invoke the program instructions stored in the memory 402 to perform one or more steps of the embodiment shown in FIG. 2, or optional implementations thereof, so that the authentication device 400 implements the functions of the above method.
The processor 403 is configured, when the authentication device 400 runs, to execute the programs and to perform access control on the terminal's current IP address according to the access control policy.
The processor 403 may be a central processing unit (CPU), a network processor (NP) or a combination of a CPU and an NP.
The processor 403 may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or any combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) or any combination thereof.
Optionally, the authentication device 400 may be the authentication device described in any of FIG. 1 to FIG. 9 and can perform each step performed by the authentication device in FIG. 2.
In the embodiment of the present invention, because the access control policies for the IP addresses and MAC addresses of the different terminals are set on the server, there is no need to configure each IP address on each gateway device one by one, that is, no static configuration is required; instead, how to perform access control on a terminal is determined from the network access policy for that terminal returned by the server. This achieves dynamic access control, and the configuration process is very simple, which simplifies operation and maintenance.
Those skilled in the art can clearly understand that, for convenience and brevity of description, for the specific working process of the system, apparatus and units described above reference may be made to the corresponding processes in the foregoing method embodiments, which are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into units is only a division by logical function, and there may be other ways of dividing them in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or in another form.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
The above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions described in the foregoing embodiments or substitute equivalents for some of their technical features, and that such modifications or substitutions do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010301170.9A CN111654464A (en) | 2015-12-31 | 2015-12-31 | Access control method, authentication device and system |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010301170.9A CN111654464A (en) | 2015-12-31 | 2015-12-31 | Access control method, authentication device and system |
CN201511032463.7A CN106936804B (en) | 2015-12-31 | 2015-12-31 | Access control method and authentication equipment |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201511032463.7A Division CN106936804B (en) | 2015-12-31 | 2015-12-31 | Access control method and authentication equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111654464A true CN111654464A (en) | 2020-09-11 |
Family
ID=59443673
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010301170.9A Pending CN111654464A (en) | 2015-12-31 | 2015-12-31 | Access control method, authentication device and system |
CN201511032463.7A Active CN106936804B (en) | 2015-12-31 | 2015-12-31 | Access control method and authentication equipment |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201511032463.7A Active CN106936804B (en) | 2015-12-31 | 2015-12-31 | Access control method and authentication equipment |
Country Status (1)
Country | Link |
---|---|
CN (2) | CN111654464A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112363578A (en) * | 2020-11-13 | 2021-02-12 | 浪潮电子信息产业股份有限公司 | Server |
CN114301731A (en) * | 2021-12-31 | 2022-04-08 | 德力西电气有限公司 | Address management method, master device and slave device |
CN114374543A (en) * | 2021-12-20 | 2022-04-19 | 北京北信源软件股份有限公司 | Network security protection method, system, device, security switch and storage medium |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109391601B (en) * | 2017-08-10 | 2021-02-12 | 华为技术有限公司 | Method, device and equipment for granting terminal network permission |
CN109803029B (en) * | 2017-11-17 | 2020-11-06 | 华为技术有限公司 | Data processing method, device and equipment |
CN109995738A (en) * | 2018-01-02 | 2019-07-09 | 中国移动通信有限公司研究院 | A kind of access control method, gateway and cloud server |
CN108134858B (en) * | 2018-01-22 | 2020-02-14 | 珠海格力电器股份有限公司 | Networking method, server, client and network system |
CN110933018B (en) * | 2018-09-20 | 2021-01-15 | 马上消费金融股份有限公司 | Network authentication method, device and computer storage medium |
CN109347841B (en) * | 2018-10-26 | 2021-08-10 | 深圳市元征科技股份有限公司 | MAC address authentication method, device, terminal, server and storage medium |
CN113132326B (en) * | 2019-12-31 | 2022-08-09 | 华为技术有限公司 | Access control method, device and system |
CN114157475B (en) * | 2021-11-30 | 2023-09-19 | 迈普通信技术股份有限公司 | Equipment access method and device, authentication equipment and access equipment |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1437361A (en) * | 2002-02-07 | 2003-08-20 | 华为技术有限公司 | Network access control method based on network address |
CN1625853A (en) * | 2002-04-23 | 2005-06-08 | Sk电信有限公司 | Authentication system and method having mobility in public wireless local area network |
CN101465856A (en) * | 2008-12-31 | 2009-06-24 | 杭州华三通信技术有限公司 | Method and system for controlling user access |
CN101540757A (en) * | 2008-03-19 | 2009-09-23 | 北京艾科网信科技有限公司 | Method and system for identifying network and identification equipment |
CN102624744A (en) * | 2012-04-06 | 2012-08-01 | 北京星网锐捷网络技术有限公司 | Authentication method, device and system of network device and network device |
CN102724172A (en) * | 2011-07-28 | 2012-10-10 | 北京天地互连信息技术有限公司 | System and method supporting rapid access authentication |
CN103297967A (en) * | 2012-02-28 | 2013-09-11 | 中国移动通信集团公司 | Method, device and system for user authentication in access of wireless local area network |
CN104468619A (en) * | 2014-12-26 | 2015-03-25 | 杭州华三通信技术有限公司 | Method and gateway for achieving dual-stack web authentication |
US20150326528A1 (en) * | 2014-05-06 | 2015-11-12 | Futurewei Technologies, Inc. | Enforcement of Network-Wide Context Aware Policies |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1845491A (en) * | 2006-02-20 | 2006-10-11 | 南京联创通信科技有限公司 | Access authentication method of 802.1x |
CN101436934B (en) * | 2008-10-20 | 2013-04-24 | 福建星网锐捷网络有限公司 | Method, system and equipment for controlling user networking |
KR101034938B1 (en) * | 2009-11-26 | 2011-05-17 | 삼성에스디에스 주식회사 | IP6 address and access policy management system and method |
CN101917398A (en) * | 2010-06-28 | 2010-12-15 | 北京星网锐捷网络技术有限公司 | Method and equipment for controlling client access authority |
CN102739684B (en) * | 2012-06-29 | 2015-03-18 | 杭州迪普科技有限公司 | Portal authentication method based on virtual IP address, and server thereof |
CN104104516B (en) * | 2014-07-30 | 2018-12-25 | 新华三技术有限公司 | A kind of portal authentication method and equipment |
CN105141618A (en) * | 2015-09-15 | 2015-12-09 | 华为技术有限公司 | Authentication method of network connection and network access device |
2015
- 2015-12-31 CN CN202010301170.9A patent/CN111654464A/en active Pending
- 2015-12-31 CN CN201511032463.7A patent/CN106936804B/en active Active
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112363578A (en) * | 2020-11-13 | 2021-02-12 | 浪潮电子信息产业股份有限公司 | Server |
CN114374543A (en) * | 2021-12-20 | 2022-04-19 | 北京北信源软件股份有限公司 | Network security protection method, system, device, security switch and storage medium |
CN114374543B (en) * | 2021-12-20 | 2023-10-13 | 北京北信源软件股份有限公司 | Network security protection method, system, device, security switch and storage medium |
CN114301731A (en) * | 2021-12-31 | 2022-04-08 | 德力西电气有限公司 | Address management method, master device and slave device |
CN114301731B (en) * | 2021-12-31 | 2023-12-22 | 德力西电气有限公司 | Address management method, master device and slave device |
Also Published As
Publication number | Publication date |
---|---|
CN106936804B (en) | 2020-04-28 |
CN106936804A (en) | 2017-07-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111654464A (en) | | Access control method, authentication device and system |
US20210385154A1 (en) | | Multipath data transmission method and device |
US20200076708A1 (en) | | System Architecture and Methods for Controlling and Managing Networking Devices and Expediting New Service Delivery in a Subscriber's Home Network Using Micro-domains |
US10129246B2 (en) | | Assignment and distribution of network configuration parameters to devices |
US11451510B2 (en) | | Method and apparatus for processing service request |
US20180069901A1 (en) | | Cloud-based virtual local networks |
CN109314701B (en) | | Network path probing using available network connections |
EP2819363A1 (en) | | Method, device and system for providing network traversing service |
JP6909772B2 (en) | | Infrastructure-based D2D connection configuration using OTT services |
KR20140072193A (en) | | Architecture for virtualized home ip service delivery |
US9219646B2 (en) | | Managing actions of a network device |
WO2014028614A2 (en) | | Ip address allocation |
JP5849354B2 (en) | | Access control method for WiFi device and WiFi device |
CN106533973A (en) | | Method and system for distributing service message, and equipment |
US20160308824A1 (en) | | Method for determining gre tunnel, gateway device, and access site |
US10110702B2 (en) | | Dynamic download and enforcement of network access role based on network login context |
US10657093B2 (en) | | Managing actions of a network device based on policy settings corresponding to a removable wireless communication device |
US9467932B2 (en) | | Access control method for WiFi device and WiFi device |
CN116346294A (en) | | Communication method, device, related equipment and storage medium |
US11711691B2 (en) | | Applying network policies on a per-user basis |
US20230413353A1 (en) | | Inter-plmn user plane integration |
CN105516378B (en) | | The method and apparatus of on-position is provided |
CN119449346A (en) | | A network access configuration method and device based on IPv6 address |
CN116744284A (en) | | Method, PCF, system and storage medium for providing QoS service |
WO2016128039A1 (en) | | Apparatus and method for managing communication with a local device of a local network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||