
CN111654464A - Access control method, authentication device and system - Google Patents


Info

Publication number
CN111654464A
Authority
CN
China
Prior art keywords
address
terminal
authentication
access control
server
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010301170.9A
Other languages
Chinese (zh)
Inventor
唐鹏合
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The embodiment of the invention provides an access control method and authentication equipment, which are used for realizing dynamic access control on a terminal IP address. The method provided by the embodiment of the invention comprises the following steps: the authentication equipment acquires a Media Access Control (MAC) address and a current Internet Protocol (IP) address of the terminal; the authentication equipment sends an authentication request to a server, wherein the authentication request comprises the MAC address of the terminal and the current IP address; the authentication equipment receives an authentication response message sent by the server, wherein the authentication response message contains an access control strategy corresponding to the MAC address of the terminal and the current IP address; and the authentication equipment executes access control on the current IP address of the terminal according to the access control strategy. The dynamic access control of the terminal is realized, and the configuration process is very simple, thereby simplifying the operation and maintenance.

Description

Access control method, authentication device and system
Technical Field
The present invention relates to network communication technologies, and in particular, to an access control method, an authentication device, and an access control system.
Background
In an existing computer network, it is generally necessary to perform access control on a terminal. Access control is a technique for restricting a user's access to certain information items, or restricting the use of certain control functions, according to a defined set of user identities and the groups to which they belong. Access control is needed in almost all systems.
Common access control techniques include, for example, IEEE 802.1x techniques, in which once a terminal has been authenticated by IEEE 802.1x, the access device identifies the terminal by a medium access control MAC address, i.e. the internet protocol IP address of the terminal is no longer controlled, the control of its IP address typically being performed by means of an access control list ACL configured to restrict or grant access rights to certain IP addresses. The ACL is a list of instructions for router and switch interfaces that control the ingress and egress of packets to and from the ports. After the ACL is configured, network traffic can be restricted, specific devices can be allowed to access, specific port packets can be designated for forwarding, and the like. The ACL may be configured on the router or may be configured on the service software having the ACL function.
Since an ACL can only specify the IP address of the terminal through a mask, it is very inconvenient for discrete or contiguous IP address configurations. Moreover, because an ACL can only be configured statically, after the IP address or the port of the terminal changes, the configuration must be modified through the network management system or the command line interface (CLI), and dynamic adjustment cannot be achieved. In addition, because an ACL needs to be configured for each protocol, each direction, and each interface, the configuration of the ACL is complicated.
Disclosure of Invention
The embodiment of the invention provides an access control method and authentication equipment, which are used for realizing dynamic access control on a terminal IP.
In view of this, a first aspect of the embodiments of the present invention provides an access control method that includes the following. The authentication device obtains the MAC address and the current IP address of the terminal; the IP address of the terminal may be an IPv4 address or an IPv6 address, which is not limited herein. The authentication device sends an authentication request including the MAC address and the current IP address of the terminal to the server. It should be noted that, besides the MAC address and the IP address of the terminal, the authentication request also carries access information of the authentication device itself, such as the port of the authentication device through which the terminal is connected or information on the VLAN to which the terminal belongs (for example, the identifier of that VLAN); any such information is acceptable as long as the server can learn the address of the authentication device so that the authentication device can receive the server's reply, and this is not limited here. The authentication device receives an authentication response message sent by the server that contains an access control policy corresponding to the MAC address and the current IP address of the terminal. The access control policy may also cover the original IP address of the terminal, and the server may also take the website the terminal needs to access or the current time point as reference factors; the server matches these reference factors against the stored access policies to find the corresponding access control policy and carries it in the authentication response message sent to the authentication device, which is not limited herein.
The authentication device executes access control on the current IP address of the terminal according to the access control strategy, and can also allow/prohibit the current IP address and the original IP address of the terminal to access the network simultaneously on the premise of allowing/prohibiting the current IP address to access. In some possible embodiments, the terminal is a type that allows multiple IP addresses to access the network simultaneously, such as a firewall device or a router device, and is not limited herein.
Because the authentication device can obtain the IP address and the MAC address of the terminal and send an authentication request to the server, and the access control strategies for different IP addresses and MAC addresses of the terminal are set in the server, the gateway devices do not need to be configured one by one for the IP addresses, namely static configuration is not needed, but the access control can be executed for the terminal based on the IP address through the network access strategy returned by the server for the terminal, thereby realizing dynamic access control, and the configuration process is very simple, thereby simplifying operation and maintenance.
With reference to the first aspect of the embodiments, in a first implementation manner of the first aspect of the embodiments of the present invention, the method includes: when the access control strategy needs to be adjusted, the strategy can be modified at the server end, and the sent strategy modification message is sent to the authentication equipment, wherein the strategy modification message contains the access control modification strategy aiming at the terminal; and the authentication equipment executes access control on the current IP address of the terminal according to the access control modification strategy.
When the network access policy needs to be changed, the policy can be modified at the server end, so that the configuration of the gateway equipment one by one on the IP addresses one by one is not needed, the process of modifying the network access policy is very simple, and the operation and maintenance are simplified.
With reference to the first aspect of the embodiment of the present invention and the first implementation manner of the first aspect, in a second specific implementation manner of the first aspect of the embodiment of the present invention, the method includes: when the terminal accesses the network through the IEEE 802.1x protocol, it can obtain an IP address by sending a Dynamic Host Configuration Protocol (DHCP) message to the authentication device. The DHCP message carries the MAC address of the terminal, and the authentication device selects an IP address from the reserved IP address range according to that MAC address and allocates it to the terminal, so that the terminal can use this IP address to access the network.
Because the authentication equipment distributes an IP address to the terminal from the preset IP address field through the DHCP message, the requirement of the terminal which needs to dynamically acquire the IP address without a fixed IP address is met.
With reference to the first aspect of the example embodiments, the first implementation manner of the first aspect, the second implementation manner of the first aspect, and the third implementation manner of the first aspect, in a third implementation manner of the first aspect of the example embodiments of the present invention, the example embodiments include: the terminal may be configured to bind the MAC address and the IP address in advance. The MAC address may be bound to one or more IP addresses, and a terminal such as a firewall device or a router device may use one or more of these IP addresses to access the network simultaneously. After the terminal accesses the network through MAC authentication, it can directly access the network using the IP address bound to its MAC address without additionally acquiring an IP address, because the MAC address and the IP address are already bound.
The authentication device configures an IP address field for the terminal in advance, so that the requirement of the terminal needing to configure a static fixed IP address is met.
With reference to the first aspect of the example embodiments, the first implementation manner of the first aspect, the second implementation manner of the first aspect, and the third implementation manner of the first aspect, in a fourth implementation manner of the first aspect of the example embodiments of the present invention, the example embodiments include: the terminal sends ARP message to the authentication device, wherein the ARP message comprises the IP address of the terminal, the MAC address of the terminal and the IP address of the authentication device. When the authentication equipment receives the ARP message, the authentication equipment adds the mapping relation between the IP address and the MAC address of the terminal into a local ARP table.
Since the authentication device obtains the MAC address of the terminal and the current IP address of the terminal by receiving the ARP packet, the authentication device can generate an authentication request for access control of the terminal, and thus can obtain an authentication response packet for the IP address.
A second aspect of an embodiment of the present invention provides an authentication apparatus, including: an obtaining module, configured to obtain a MAC address and a current IP address of a terminal, and optionally an original IP address, which is not limited herein; a sending module, configured to send an authentication request to a server, where the authentication request includes the MAC address and the current IP address of the terminal acquired by the obtaining module, and optionally an original IP address, which is not limited herein; a first receiving module, configured to receive an authentication response packet sent by the server, where the authentication response packet includes an access control policy corresponding to the MAC address of the terminal and the current IP address, and optionally an original IP address, which is not limited herein; and a first executing module, configured to execute access control on the current IP address of the terminal according to the access control policy, and optionally on the original IP address of the terminal, which is not limited herein.
Because the obtaining module can obtain the IP address and the MAC address of the terminal and the sending module sends the authentication request to the server, and the first receiving module receives the access control strategies set in the server for different IP addresses and MAC addresses of the terminal, the gateway equipment does not need to be configured one by one for the IP addresses, namely static configuration is not needed, but the network access strategies for the terminal returned by the server can be used for executing access control on the terminal based on the first executing module of the IP address, thereby realizing dynamic access control, and the configuration process is very simple, thereby simplifying operation and maintenance.
In combination with the second aspect of the embodiments of the present invention, in a first implementation of the second aspect of the embodiments of the present invention, the method includes: the second receiving module receives a strategy modification message sent by the server, the strategy modification message contains an access control modification strategy aiming at the terminal, and the second executing module executes access control on the current IP address of the terminal according to the access control modification strategy.
When the network access policy needs to be changed, the policy can be modified at the server end, so that the configuration of the gateway equipment one by one on the IP addresses one by one is not needed, the process of modifying the network access policy is very simple, and the operation and maintenance are simplified.
With reference to the second aspect of the embodiment of the present invention and the first implementation manner of the second aspect, in a second specific implementation manner of the second aspect of the embodiment of the present invention, the apparatus includes: a third receiving module that receives a Dynamic Host Configuration Protocol (DHCP) message sent by the terminal, and an allocation module that allocates an IP address to the terminal according to the DHCP message.
Because the authentication equipment distributes an IP address to the terminal from the preset IP address field through the DHCP message, the requirement of the terminal which needs to dynamically acquire the IP address without a fixed IP address is met.
With reference to the second aspect of the example embodiments, the first implementation manner of the second aspect, the second implementation manner of the second aspect, and the third implementation manner of the second aspect, in a third implementation manner of the second aspect of the example embodiments, the method includes: the allocation module configures an IP address field for the terminal.
The authentication device configures an IP address field for the terminal in advance, so that the requirement of the terminal needing to configure a static fixed IP address is met.
With reference to the second aspect of the example embodiment, the first implementation manner of the second aspect, the second implementation manner of the second aspect, and the third implementation manner of the second aspect, in a fourth implementation manner of the second aspect of the example embodiment, the method includes: the first receiving module receives an Address Resolution Protocol (ARP) message sent by the terminal, wherein the ARP message carries the MAC address of the terminal and the current IP address of the terminal.
Since the authentication apparatus acquires the MAC address of the terminal and the current IP address of the terminal by receiving the ARP message, the authentication apparatus can generate an authentication request for access control of the terminal.
A third aspect of the present application provides a server comprising: a transceiver, a memory, a processor, and a bus; the transceiver, the memory and the processor are connected through a bus; the transceiver is used for acquiring the MAC address and the current IP address of the terminal, also can include the original IP address, which is not limited here, and sending an authentication request to the server, wherein the authentication request comprises the MAC address and the current IP address of the terminal, and also can include the original IP address, which is not limited here, and receiving an authentication response message sent by the server, wherein the authentication response message comprises an access control policy corresponding to the MAC address and the current IP address of the terminal, and also can include the original IP address, which is not limited here; the memory is used for storing the program, the MAC address and the current IP address of the terminal acquired by the transceiver, the authentication request sent to the server, and the authentication response message sent by the server, which is not limited herein; the processor is configured to execute the program and perform access control on the current IP address of the terminal according to the access control policy when the authentication device operates, and may also perform access control on the original IP address of the terminal, which is not limited herein.
According to the technical scheme, the embodiment of the invention has the following advantages:
in the embodiment of the invention, because the authentication equipment can acquire the IP address and the MAC address of the terminal and send the authentication request to the server, and the access control strategies for different IP addresses and MAC addresses of the terminal are set in the server, the gateway equipment does not need to be configured one by one, namely static configuration is not needed, but the access control can be executed on the terminal based on the IP address through the network access strategy returned by the server for the terminal, thereby realizing dynamic access control, and the configuration process is very simple, thereby simplifying operation and maintenance.
Drawings
FIG. 1 is a block diagram of an access control system in an embodiment of the invention;
FIG. 2 is a diagram of an embodiment of an access control method according to an embodiment of the present invention;
FIG. 3 is a diagram of an embodiment of an authentication device in an embodiment of the invention;
FIG. 4 is a schematic diagram of another embodiment of the authentication device in the embodiment of the present invention;
FIG. 5 is a schematic diagram of another embodiment of the authentication device in the embodiment of the present invention;
FIG. 6 is a schematic diagram of another embodiment of the authentication device in the embodiment of the present invention;
FIG. 7 is a schematic diagram of another embodiment of the authentication device in the embodiment of the present invention;
FIG. 8 is a schematic diagram of another embodiment of the authentication device in the embodiment of the present invention;
FIG. 9 is a schematic diagram of another embodiment of the authentication apparatus in the embodiment of the present invention;
FIG. 10 is a schematic diagram of another embodiment of the authentication device in the embodiment of the present invention.
Detailed Description
The embodiment of the invention provides an access control method and authentication equipment, which are used for realizing dynamic access control on a terminal IP.
In order to make the technical solutions of the embodiments of the present invention better understood by those skilled in the art, the technical solutions of the embodiments of the present invention will be clearly described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Fig. 1 is a schematic diagram of an access control system. In the embodiment of the present invention, the terminal may be a mobile terminal such as a mobile phone, a tablet computer, or a notebook computer, or may be a desktop computer, a router device, or a firewall device, which is not limited herein. In some possible embodiments, the authentication device may be an Ethernet switch or a local area network switch, and is not limited herein as long as it can connect the terminal and the server and implement the access control method of the embodiments of the present invention. In some possible embodiments, the server may be an AAA (Authentication, Authorization, Accounting) server, or another server that authenticates, authorizes, and accounts for the accessing terminal, which is not limited herein. In the embodiment of the present invention, an AAA server is taken as an example for description. The authentication device obtains the MAC address and the current IP address of the terminal and then sends an authentication request containing the MAC address and the current IP address of the terminal to the server; the server sends an authentication response message to the authentication device containing an access control policy corresponding to the MAC address and the current IP address of the terminal; and the authentication device executes access control on the current IP address of the terminal according to the access control policy.
In the field of network communications, access control is required in almost all systems. Access control is a technique for restricting a user's access to certain information items, or restricting the use of certain control functions, according to a defined set of user identities and the groups to which they belong.
Common access control techniques include, for example, IEEE 802.1x authentication techniques or MAC authentication techniques. Once the terminal passes IEEE 802.1x authentication or MAC authentication, the access device identifies the terminal with the MAC address, i.e. the IP address of the terminal is no longer controlled, which is typically done through an ACL configured to restrict or pass access rights to certain IP addresses.
Since an ACL can only specify the IP address of the terminal through a mask, it is very inconvenient for discrete or contiguous IP address configurations. Moreover, because an ACL can only be configured statically, after the IP address or the port of the terminal changes, the configuration must be modified through the network management system or the CLI, and dynamic adjustment cannot be achieved. In addition, because an ACL entry needs to be configured for each protocol, each direction, and each interface, the configuration of the ACL is complicated.
In the embodiment of the invention, because the access control strategies for the IP addresses and the MAC addresses of different terminals are set in the server, the IP addresses one by one do not need to be configured on gateway equipment one by one, namely static configuration is not needed, but the access control on the terminal can be judged by the network access strategy returned by the server to the terminal, thereby realizing dynamic access control, and the configuration process is very simple, thereby simplifying operation and maintenance.
For convenience of understanding, a specific flow in the embodiment of the present invention is described below, and referring to fig. 2, an embodiment of an access control method in the embodiment of the present invention includes:
201. the terminal obtains an IP address.
In some possible embodiments, the terminal may access the network through the IEEE 802.1x protocol. That is, when the terminal accesses the network, the authentication device responds to it, and the terminal must fill in a user name and a password and send them to the authentication device; if the authentication device finds that the user name and the password meet the requirements, the access right of the terminal's MAC address is released. When the terminal accesses the network through the IEEE 802.1x protocol, it can obtain an IP address by sending a Dynamic Host Configuration Protocol (DHCP) message to the authentication device. The DHCP message carries the MAC address of the terminal, and the authentication device selects an IP address from the reserved IP address range according to that MAC address and allocates it to the terminal, so that the terminal can use this IP address to access the network. In the embodiment of the present invention, a terminal that accesses the network through the IEEE 802.1x protocol, such as most personal computers and mobile terminals, has no fixed IP address bound to its MAC address but needs to acquire an IP address dynamically, and such a terminal has only one IP address at any one time. When the terminal starts using a new IP address, access by the terminal's original IP address is prohibited.
In some possible embodiments, the terminal may authenticate the access network through the MAC address, that is, when the terminal accesses the network, the authentication device only needs to determine whether to release the access right of the terminal through the MAC address of the terminal, and does not need the terminal to fill in a user name and a password. In the embodiment of the present invention, the terminal may perform binding configuration on the MAC address and the IP address in advance. The MAC address may bind one or more IP addresses and may use one or more of these IP addresses to simultaneously access a network, such as a firewall device, a router device, and the like. After the terminal accesses the network through the MAC address authentication, the terminal does not need to acquire an IP address additionally because the terminal binds the MAC address and the IP address, and can directly access the network by using the IP address bound with the MAC address.
202. The authentication device acquires the MAC address and the IP address of the terminal.
In some possible embodiments, the IP address of the terminal may be an IPv4 address or an IPv6 address, which is not limited herein. In the embodiment of the present invention, the process by which the authentication device acquires the MAC address and the IP address of the terminal is described using an example in which the IP address is IPv4.
When the IP address of the terminal is the IPv4 protocol and the terminal accesses the network, an ARP message is sent to the authentication equipment, and the ARP message comprises the IP address of the terminal, the MAC address of the terminal and the IP address of the authentication equipment. When the authentication equipment receives the ARP message, the mapping relation between the IP address and the MAC address of the terminal is added into a local ARP table of the authentication equipment.
When the IP address of the terminal is an IP address of an IPv6 protocol, the terminal does not use the ARP packet but uses the neighbor discovery ND packet, and the terminal uses the ND packet to obtain a specific working process of the MAC address of the authentication device.
203. The authentication device sends an authentication request to the server, the authentication request containing the MAC address and the IP address of the terminal.
In the embodiment of the invention, after the authentication device acquires the MAC address and the IP address of the terminal, it sends an authentication request carrying the MAC address and the IP address of the terminal to the server in order to obtain the server's access control policy for the terminal.
When the IP address of the terminal changes, the authentication request sent by the authentication device may carry both the current IP address and the original IP address of the terminal, or may carry only the current IP address of the terminal, which is not limited here. In some possible embodiments, when the server receives the authentication request, it may obtain the original IP address of the terminal from its cached data and return to the authentication device both an access control policy corresponding to the current IP address of the terminal and an access control policy corresponding to the original IP address of the terminal; for example, the policy for the current IP address may be "access allowed" and the policy for the original IP address may be "access prohibited".
Optionally, after the authentication device obtains the MAC address and the current IP address of the terminal, it may check whether an original IP address for the terminal exists in its cached table for that MAC address. If an original IP address exists and is the same as the current IP address of the terminal, the authentication device sends an authentication request that carries only the current IP address, or may send no authentication request at all, which is not limited here. Otherwise, if the authentication device determines that the original IP address differs from the current IP address of the terminal, the authentication request sent to the server may include both the current IP address and the original IP address, or may omit the original IP address, which is not limited here, so that the access control policy for each IP address of the terminal can be obtained from the server.
It should be noted that, besides the MAC address and the IP address of the terminal, the authentication request may also carry access information of the authentication device itself, such as information on the port of the authentication device through which the terminal accesses, and VLAN information of the virtual local area network to which the terminal belongs, for example the VLAN identifier of the terminal. What is carried is not limited here, as long as the server can learn the address of the authentication device so that the authentication device can receive the information returned by the server.
In some possible embodiments, the authentication request may be sent at a fixed interval, for example once every 20 minutes, or may be sent once per trigger event, for example sending the authentication request to the server when the authentication device receives the ARP message; this is not limited here.
204. The authentication device receives an authentication response message sent by the server, where the authentication response message contains an access control policy corresponding to the MAC address and the IP address of the terminal.
In some possible embodiments, when the server finds a matching access control policy among the stored access control policies according to the MAC address and the IP address of the terminal, the server sends the matched access control policy to the authentication device. In other possible embodiments, access by a MAC address and IP address pair may also be denied by default, which is not limited here.
Optionally, when the server searches for the matching access control policy, it may refer not only to the MAC address and the IP address of the terminal but also to the website that the terminal needs to access, and may also refer to the current time, which is not limited here. The server matches the stored access policies against these different reference factors, finds the corresponding matching access control policy, carries it in the authentication response message and sends it to the authentication device. In the embodiment of the present invention, the search for a matching access control policy is described using only the MAC address and the IP address of the terminal as the example.
It should be noted that not every MAC address and IP address pair has a corresponding access control policy. In some feasible embodiments, if the server cannot find a corresponding access control policy for the MAC address and IP address of the terminal, the server may by default apply no access control to that MAC address and IP address, or may by default deny access to that MAC address and IP address, which is not limited here.
205. The authentication device performs access control on the IP address of the terminal according to the access control policy.
In some possible embodiments, the access control policy may allow or prohibit access by the current IP address of the terminal, or may allow or prohibit the current IP address of the terminal from accessing a specific website during the current time period, which is not limited here.
In other possible embodiments, provided that the current IP address is allowed access, the current IP address and the original IP address of the terminal may both be allowed, or both be prohibited, from accessing the network at the same time. In some possible embodiments, the terminal is of a type that allows multiple IP addresses to access the network simultaneously, such as a firewall device or a router device.
In other possible embodiments, the terminal may be a handheld terminal or a personal computer, as most terminals are; such a terminal uses only one IP address in a given period and that IP address is dynamic, so the original IP address of the terminal may be prohibited while the current IP address of the terminal is allowed to access the network.
It should be noted that, optionally, the current time and a specific website may also be taken into account as additional reference factors; that is, a matching policy for access control on the current IP address and the original IP address of the terminal may be found from the MAC address of the terminal, the current IP address, the original IP address, the current time period and the network that currently needs to be accessed, so as to indicate whether the current IP address and the original IP address of the terminal may currently access the current website.
In some possible embodiments, there may be other types of access control policy, such as, but not limited to, prohibiting both the current IP address and the original IP address of the terminal. In this step, access control is performed on the IP address of the terminal according to the access control policy carried in the received authentication response message.
206. The authentication equipment receives a strategy modification message sent by the server, wherein the strategy modification message contains an access control modification strategy aiming at the terminal.
In some possible embodiments, when the access control policy needs to be adjusted, the modification may be made on the server side. After the modification is completed, the authentication device receives a policy modification message sent by the server, where the policy modification message contains an access control modification policy for the terminal. Optionally, after the modification is completed, the server may send the authentication device a change-of-authorization (CoA) message indicating that the policy for the MAC address and the IP address has changed, where the CoA message carries the latest access control policy that the authentication device is to apply to the terminal.
207. The authentication device performs access control on the IP address of the terminal according to the access control modification policy.
In the embodiment of the present invention, the authentication device performs access control on the IP address of the terminal according to the access control modification policy. Optionally, the policy modification message may contain the latest version of the policy for the different MAC addresses and IP addresses, or may contain a modification that restricts the terminal's access during different time periods or to different specific web pages, which is not limited here.
In the embodiment of the invention, because the access control policies for the IP addresses and MAC addresses of the different terminals are configured on the server, the IP addresses do not need to be configured one by one on the gateway device, that is, no static configuration is needed; instead, access control for a terminal is decided by the network access policy that the server returns for that terminal. This achieves dynamic access control with a very simple configuration process and thus simplifies operation and maintenance.
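The following Python model walks through steps 202 to 207 end to end: the authentication device learns a MAC/IP binding from an ARP message, sends an authentication request (with the original IP address when the binding has changed), the server answers with a policy per IP address, the device enforces it, and a later policy change on the server is pushed to the device and enforced. It is an added example, not code from the patent or from Huawei. The message shapes, the policy-table layout, the `multi_ip_macs` flag used to distinguish router-type terminals from single-address terminals, the callback standing in for the CoA message, and all MAC and IP addresses are constructed for illustration; RADIUS encoding is out of scope.

```python
"""Model of the MAC/IP access-control exchange in steps 202 to 207 (added example;
not code from the patent or from Huawei). Message shapes, the policy-table layout,
the terminal-type flag and all addresses are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

ALLOW, DENY = "allow", "deny"


@dataclass
class ArpMessage:
    """Constructed stand-in for the ARP message the terminal sends on access (step 202)."""
    sender_mac: str
    sender_ip: str
    target_ip: str  # IP address of the authentication device


class PolicyServer:
    """Stores (MAC, IP) -> policy and answers authentication requests (steps 203/204/206)."""

    def __init__(self, policies: Dict[Tuple[str, str], str], multi_ip_macs: Set[str]):
        self.policies = dict(policies)
        self.multi_ip_macs = set(multi_ip_macs)  # firewalls/routers: several IPs at once
        self.cached_ip: Dict[str, str] = {}      # original IP per MAC, from earlier requests
        self.coa_listeners: List[Callable[[str, Dict[str, str]], None]] = []

    def authenticate(self, mac: str, current_ip: str,
                     original_ip: Optional[str] = None) -> Dict[str, str]:
        """Return a policy for the current IP and, if it changed, for the original IP.
        A pair with no stored policy is denied: of the two defaults the description
        allows (no control, or deny), deny is the safer choice."""
        if original_ip is None:                  # request carried only the current IP
            original_ip = self.cached_ip.get(mac)
        response = {current_ip: self.policies.get((mac, current_ip), DENY)}
        if original_ip and original_ip != current_ip:
            if mac in self.multi_ip_macs:        # router/firewall: both IPs, per stored policy
                response[original_ip] = self.policies.get((mac, original_ip), DENY)
            else:                                # handheld/PC: one dynamic IP, old one prohibited
                response[original_ip] = DENY
        self.cached_ip[mac] = current_ip
        return response

    def modify_policy(self, mac: str, ip: str, action: str) -> None:
        """Administrator edits a policy; push a change-of-authorization (step 206)."""
        self.policies[(mac, ip)] = action
        for listener in self.coa_listeners:
            listener(mac, {ip: action})


class AuthDevice:
    """Gateway: learns MAC/IP from ARP, queries the server, enforces the answer."""

    def __init__(self, server: PolicyServer, my_ip: str):
        self.server, self.my_ip = server, my_ip
        self.arp_table: Dict[str, str] = {}       # MAC -> current IP (local ARP table)
        self.permitted: Dict[str, Set[str]] = {}  # MAC -> IPs currently allowed through
        server.coa_listeners.append(self.apply)   # receives policy modifications (step 206)

    def on_arp(self, msg: ArpMessage) -> Optional[Dict[str, str]]:
        """Steps 202/203: learn the binding; send a request only if it is new or changed."""
        if msg.target_ip != self.my_ip:
            return None                           # not addressed to this device
        original_ip = self.arp_table.get(msg.sender_mac)
        self.arp_table[msg.sender_mac] = msg.sender_ip
        if original_ip == msg.sender_ip:
            return None                           # unchanged binding: no new request
        response = self.server.authenticate(msg.sender_mac, msg.sender_ip, original_ip)
        self.apply(msg.sender_mac, response)      # step 205
        return response

    def apply(self, mac: str, policy: Dict[str, str]) -> None:
        """Steps 205/207: enforce allow/deny per IP for this MAC."""
        allowed = self.permitted.setdefault(mac, set())
        for ip, action in policy.items():
            (allowed.add if action == ALLOW else allowed.discard)(ip)

    def is_permitted(self, mac: str, ip: str) -> bool:
        return ip in self.permitted.get(mac, set())


def demo() -> Dict[str, bool]:
    """Handheld (one IP at a time), router (two bound IPs), unknown terminal, then a CoA."""
    HANDHELD, ROUTER, UNKNOWN = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    server = PolicyServer({
        (HANDHELD, "192.0.2.10"): ALLOW, (HANDHELD, "192.0.2.11"): ALLOW,
        (ROUTER, "192.0.2.20"): ALLOW, (ROUTER, "192.0.2.21"): ALLOW,
    }, multi_ip_macs={ROUTER})
    gw = AuthDevice(server, my_ip="192.0.2.1")
    for mac, ip in [(HANDHELD, "192.0.2.10"), (HANDHELD, "192.0.2.11"),  # handheld renews
                    (ROUTER, "192.0.2.20"), (ROUTER, "192.0.2.21"),      # router adds an IP
                    (UNKNOWN, "192.0.2.30")]:                             # no policy: denied
        gw.on_arp(ArpMessage(mac, ip, "192.0.2.1"))
    server.modify_policy(ROUTER, "192.0.2.21", DENY)  # policy changed on the server
    return {
        "handheld_old_ip": gw.is_permitted(HANDHELD, "192.0.2.10"),
        "handheld_new_ip": gw.is_permitted(HANDHELD, "192.0.2.11"),
        "router_ip_20": gw.is_permitted(ROUTER, "192.0.2.20"),
        "router_ip_21_after_coa": gw.is_permitted(ROUTER, "192.0.2.21"),
        "unknown": gw.is_permitted(UNKNOWN, "192.0.2.30"),
    }
```

Calling `demo()` shows the three behaviours the description distinguishes: the handheld's old address is prohibited once it renews to a new one, the router keeps both bound addresses until the server's policy change withdraws one, and a terminal with no stored policy gets nothing through. The device only re-queries when the learned binding is new or has changed, matching the optional branch of step 203.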
Referring to fig. 3, an embodiment of the present invention further provides an authentication apparatus 300, including:
an obtaining module 301, configured to obtain a MAC address and a current IP address of a terminal.
A sending module 302, configured to send an authentication request to the server, where the authentication request includes the MAC address of the terminal and the current IP address acquired by the acquiring module 301.
The first receiving module 303 is configured to receive an authentication response message sent by the server, where the authentication response message includes an access control policy corresponding to the MAC address of the terminal and the current IP address sent by the sending module 302.
A first executing module 304, configured to execute access control on the current IP address of the terminal according to the access control policy received by the first receiving module 303.
Referring to fig. 4, in some embodiments, the authentication apparatus further includes:
a second receiving module 305, configured to receive a policy modification message sent by the server, where the policy modification message includes an access control modification policy for the terminal.
A second executing module 306, configured to execute access control on the current IP address of the terminal according to the access control modification policy.
Referring to fig. 5, in some embodiments, the authentication apparatus further includes:
A third receiving module 307, configured to receive a DHCP message sent by the terminal.
The allocating module 308 is configured to allocate an IP address to the terminal according to the DHCP message.
Referring to fig. 6, in some embodiments, the authentication apparatus further includes:
a configuring module 309, configured to configure the IP address field for the terminal.
Referring to fig. 7, in some embodiments, the sending module 302 includes:
A first receiving unit 3011, configured to receive an ARP packet sent by the terminal, where the ARP packet carries the MAC address of the terminal and the current IP address.
Referring to fig. 8, in some embodiments, the sending module 302 includes:
a reading unit 3021, configured to read an original IP address of the terminal from a local cache.
A sending unit 3022, configured to send an authentication request to the server when the current IP address of the terminal obtained by the obtaining unit is different from the original IP address of the terminal read by the reading unit, where the authentication request includes the original IP address and the current IP address of the terminal and the MAC address of the terminal.
Referring to fig. 9, in some embodiments, the first execution module 304 includes:
an executing unit 3041, configured to respectively execute access control on the current IP address and the original IP address of the terminal according to the access control policy.
The authentication device 300 may be the authentication device described in fig. 1 or fig. 2, and may perform the steps performed by the authentication device in fig. 2.
Above, the authentication device in the embodiment of the present invention has been described from the perspective of a modular functional entity; below, it is described from the perspective of hardware processing. Referring to fig. 10, an embodiment of the present invention provides an authentication device 400, including:
a transceiver 401, a memory 402, a processor 403, and a bus 404.
The transceiver 401, memory 402, and processor 403 are connected by a bus 404.
The transceiver 401 is configured to obtain a MAC address and a current IP address of the terminal; sending an authentication request to a server, wherein the authentication request comprises the MAC address of the terminal and the current IP address; and receiving an authentication response message sent by the server, wherein the authentication response message contains an access control strategy corresponding to the MAC address of the terminal and the current IP address.
Further, the transceiver 401 may include one or more of ZigBee, Wi-Fi, LTE (Long Term Evolution), RFID (Radio Frequency Identification), NFC (Near Field Communication), infrared and UWB (Ultra-Wideband) interfaces, in any combination, which is not limited here. It may also include a communication interface complying with the EIA RS-232C standard, that is, the technical standard for the serial binary data exchange interface between Data Terminal Equipment (DTE) and Data Communication Equipment (DCE), or a communication interface complying with the RS-485 protocol, which is not limited here.
The memory 402 is used for storing programs and MAC addresses and current IP addresses of the terminals acquired by the transceiver 401, authentication requests transmitted to the server, and authentication response messages transmitted by the server.
The memory 402 may include a volatile memory, such as a random-access memory (RAM); the memory 402 may also include a non-volatile memory, such as a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory 402 may also comprise any combination of the above types of memory, which is not limited here.
Optionally, the memory 402 may also be used to store program instructions, and the processor 403 may call the program instructions stored in the memory 402 to execute one or more steps in the embodiment shown in fig. 2, or an alternative embodiment thereof, so that the authentication device 400 implements the functions of the above-described method.
The processor 403 is configured to execute a program and perform access control on the current IP address of the terminal according to the access control policy when the authentication apparatus 400 operates.
The processor 403 may be a Central Processing Unit (CPU), a Network Processor (NP), or a combination of a CPU and an NP.
The processor 403 may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or any combination thereof. The aforementioned PLD may be a Complex Programmable Logic Device (CPLD), a field-programmable gate array (FPGA), a General Array Logic (GAL), or any combination thereof.
Optionally, the authentication device 400 may be the authentication device described in any one of fig. 1 to 9, and may perform each step performed by the authentication device in fig. 2.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (19)

1. An access control method, comprising:
an authentication device sends an authentication request to a server, wherein the authentication request comprises a Media Access Control (MAC) address of a terminal and a first Internet Protocol (IP) address of the terminal, and the authentication device stores the first IP address corresponding to the MAC address and a second IP address corresponding to the MAC address;
the authentication equipment receives an authentication response message sent by the server, wherein the authentication response message contains an access control strategy corresponding to the MAC address and the first IP address;
and executing access control on the first IP address according to the access control strategy corresponding to the MAC address and the first IP address.
2. The method of claim 1, wherein the authentication request further comprises the second IP address, and wherein the authentication response message further comprises an access control policy corresponding to the second IP address.
3. The method according to claim 1 or 2, characterized in that the authentication request further comprises access information of the authentication device.
4. The method of claim 3, wherein the access information of the authentication device comprises port information of the authentication device accessed by the terminal.
5. A method as claimed in claim 3 or 4, characterized in that the access information of the authentication device comprises VLAN information to which the terminal belongs.
6. The method according to any one of claims 2 to 5,
the access control policy corresponding to the MAC address and the first IP address includes: allowing or prohibiting the first IP address from accessing the network;
and/or
The access control policy corresponding to the second IP address includes: the second IP address is allowed or prohibited from accessing the network.
7. The method of any of claims 2 to 5, wherein only the first IP address or the second IP address is allowed to access the network for a first period of time.
8. The method according to any one of claims 1 to 7, wherein after the authentication device performs access control on the first IP address according to the access control policy, the method further comprises:
the authentication equipment receives a strategy modification message sent by the server, wherein the strategy modification message contains an access control modification strategy aiming at the terminal;
and the authentication equipment executes access control on the first IP address according to the access control modification strategy.
9. The method of any one of claims 1 to 8, wherein the authentication device obtaining the first IP address comprises:
the authentication equipment receives a Dynamic Host Configuration Protocol (DHCP) message sent by the terminal;
and the authentication equipment allocates an IP address to the terminal according to the DHCP message, wherein the allocated IP address is the first IP address.
10. The method of any of claims 1 to 9, further comprising, prior to obtaining the MAC address and the first IP address: the authentication device includes an IP address field corresponding to the terminal.
11. The method of any of claims 1 to 8, wherein the authentication device obtaining the MAC address and the first IP address comprises:
and the authentication equipment receives an Address Resolution Protocol (ARP) message sent by the terminal, wherein the ARP message carries the MAC address of the terminal and the first IP address.
12. The method according to any one of claims 1 to 8, wherein the authentication device sending an authentication request to the server comprises:
and if the current IP address of the terminal is different from the second IP address, the authentication equipment sends the authentication request to the server.
13. The method of any of claims 1 to 12, wherein the authentication device is a firewall device or a router device.
14. The method according to any of claims 1 to 13, wherein the terminal is a firewall device or a router device.
15. The method of any one of claims 1 to 14, wherein the first IP address is an IPv4 address or an IPv6 address.
16. The method according to any of claims 1 to 15, wherein the authentication device is a gateway device.
17. An authentication device comprising a processor for executing the program instructions to cause the authentication device to perform the method of any of claims 1 to 16.
18. A network system comprising the authentication apparatus of claim 17.
19. A computer-readable storage medium comprising instructions which, when executed on a computer, cause the computer to perform the method of any one of claims 1-16.
CN202010301170.9A 2015-12-31 2015-12-31 Access control method, authentication device and system Pending CN111654464A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010301170.9A CN111654464A (en) 2015-12-31 2015-12-31 Access control method, authentication device and system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201511032463.7A CN106936804B (en) 2015-12-31 2015-12-31 Access control method and authentication equipment
CN202010301170.9A CN111654464A (en) 2015-12-31 2015-12-31 Access control method, authentication device and system

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201511032463.7A Division CN106936804B (en) 2015-12-31 2015-12-31 Access control method and authentication equipment

Publications (1)

Publication Number Publication Date
CN111654464A true CN111654464A (en) 2020-09-11

Family

ID=59443673

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201511032463.7A Active CN106936804B (en) 2015-12-31 2015-12-31 Access control method and authentication equipment
CN202010301170.9A Pending CN111654464A (en) 2015-12-31 2015-12-31 Access control method, authentication device and system

Country Status (1)

Country Link
CN (2) CN106936804B (en)

Also Published As

Publication number Publication date
CN106936804B (en) 2020-04-28
CN106936804A (en) 2017-07-07

Similar Documents

Publication Publication Date Title
CN106936804B (en) Access control method and authentication equipment
US20210385154A1 (en) Multipath data transmission method and device
US10129246B2 (en) Assignment and distribution of network configuration parameters to devices
EP1689206B1 (en) Wireless network having multiple security zones
US10932129B2 (en) Network access control
EP1317111B1 (en) A personalized firewall
US8605582B2 (en) IP network system and its access control method, IP address distributing device, and IP address distributing method
US10142159B2 (en) IP address allocation
EP2234343A1 (en) Method, device and system for selecting service network
KR20140072193A (en) Architecture for virtualized home ip service delivery
US9083705B2 (en) Identifying NATed devices for device-specific traffic flow steering
JP6909772B2 (en) Infrastructure-based D2D connection configuration using OTT services
EP2819363A1 (en) Method, device and system for providing network traversing service
KR101640209B1 (en) Apparatus and method for supporting portable mobile VPN service
KR20160122992A (en) Integrative Network Management Method and Apparatus for Supplying Connection between Networks Based on Policy
EP3562099A1 (en) Scheduling method, system, controller and computer storage medium
WO2017219748A1 (en) Method and device for access permission determination and page access
EP3672208A1 (en) Data transmission method, pnf sdn controller, vnf sdn controller, and system
US9730074B2 (en) System, methods and apparatuses for providing network access security control
JP2015507896A (en) Access control method for WiFi device and WiFi device
CN109120738B (en) DHCP server and method for managing network internal equipment
US9467932B2 (en) Access control method for WiFi device and WiFi device
CN114765601A (en) Address prefix obtaining method and device
CN113556337A (en) Terminal address identification method, network system, electronic device and storage medium
US11711691B2 (en) Applying network policies on a per-user basis

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination