CN101582891A - Wide area network endpoint access domination (EAD) authentication method, system and terminal
Publication number: CN101582891A
Authority: CN (China)
Prior art keywords: terminal, EAD, network, iMC, security
Legal status: Granted (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Abstract
The invention discloses a wide area network endpoint access domination (EAD) authentication method, comprising: after an EAD security check determines that a terminal needs to download a specified repair file, an iMC security authentication server sends a P2P user information table to the terminal; the P2P user information table includes the user names corresponding to the terminals that have downloaded the specified repair file; the terminal then queries the EAD control gateway of its branch network for the terminal IP addresses corresponding to those user names in the P2P user information table that belong to the branch network, and receives a local IP address table returned by the EAD control gateway; the terminal connects to the corresponding terminal according to the local IP address table, downloads the specified repair file, repairs itself and performs EAD authentication again. The invention also discloses a wide area network EAD authentication system and a terminal. The technical solution saves wide area network bandwidth and speeds up downloads.
Description
Technical Field
The present invention relates to the field of network authentication technologies, and in particular to a method, a system and a terminal for access control and authentication of a wide area network (WAN) terminal.
Background
Endpoint access domination (EAD) is a network access scheme that checks whether a terminal connecting to the network is safe; it mainly addresses identity authentication and security checking at the time the terminal accesses the network.
The EAD scheme uses a network device as the EAD control gateway for terminal admission and uses an extended Portal protocol to carry out EAD authentication and security checks. The security check includes, but is not limited to, checking the state and version of the terminal's antivirus software, checking the software the terminal is running, and checking whether the terminal's operating system patches meet the requirements. Terminals that do not conform to the enterprise security policy are forcibly repaired in the security check stage, for example by forcing an upgrade of the virus library, a system patch and the like. The EAD scheme may be deployed in an isolation mode, a reminding mode or an offline mode, and is generally deployed as "reminding + offline time threshold": after identity authentication passes, if the Intelligent Management Center (iMC) server finds that the terminal does not meet the security policy, the server gives the terminal a certain time to repair itself, and if the terminal has still not repaired itself when that time expires, it is forced offline. The iMC server is a network device that manages the network topology, raises alarms, and implements identity authentication, EAD security authentication and similar functions as components.
Depending on the enterprise's network scale and topology, the EAD control gateway can be deployed at the Internet outlet of the enterprise network or at the entry of a branch network toward headquarters, providing network access control over a local area network or over a wide area network, respectively.
Figure 1 is a schematic diagram of local area network admission control networking in the prior art. As shown in Fig. 1, the EAD control gateway is deployed at the Internet exit of the enterprise LAN; when a security check is performed on a terminal accessing the Internet, a terminal that does not conform to the security policy is redirected to a local repair file server. Repair files on the repair file server include, but are not limited to, system patches and virus library files. The terminal downloads the corresponding system patch, virus library file and so on from the security policy server to repair itself, and after the self-repair is completed it is authenticated again, so that once it meets the requirements it can use the network normally. In the self-repair process all traffic, such as patch and virus library file downloads, stays within the LAN. LAN bandwidth is usually high, so there is no bandwidth bottleneck.
A group or large enterprise has a huge network that is often deployed across regions; it is divided into a headquarters network and several branch networks, which are interconnected over wide area network lines leased from an operator.
Figure 2 is a diagram of wide area network admission control networking in the prior art. As shown in Fig. 2, the iMC security authentication server and the repair file server are deployed in the headquarters network for management, and the EAD control gateway is deployed at the exit of each branch network. When a terminal in a branch network wants to access resources of the headquarters network, the EAD control gateway of the local branch network first uploads the terminal's identity information and compliance information to headquarters; the iMC security authentication server at headquarters checks the user's information, and if it finds that the virus library, patches and so on do not conform to the security policy, the terminal user is required first to connect to the headquarters repair file server and download software to repair the terminal. The specific flow is shown in Fig. 3.
Fig. 3 is a schematic diagram of the EAD authentication procedure in a wide area network in the prior art. As shown in Fig. 3, the procedure comprises the following steps:
Step 301: before authentication, a terminal in a branch network can access a predefined isolation area in the headquarters network. The isolation area refers to logical resources in the headquarters network whose access is not restricted; it is not illustrated in Fig. 2.
Step 304: the terminal uploads login information through the iNode client to request a security check.
Step 305: the EAD security policy component on the iMC security authentication server issues the terminal's security policy and other control information.
Step 306: the iNode client software on the terminal, linked with third-party software or a customized plug-in, executes the security policy check and other functions.
Step 308': the EAD security policy component on the iMC security authentication server compares the security check result reported by the terminal with the preset security policy; if the result meets the security policy, it issues ACL and VLAN information to the EAD control gateway in the branch network where the terminal is located so that the terminal can access the network normally, and the process ends.
Step 308: the EAD security policy component on the iMC security authentication server compares the security check result reported by the terminal with the preset security policy, and if the result does not meet the security policy, issues the comparison result to the terminal. The comparison result includes the repair file information the terminal needs in order to repair itself and the link address of the server where those repair files are located.
Step 309: the terminal carries out the processing strategy of the security policy according to the comparison result, downloads the corresponding repair file from the repair file server, and repairs itself. The repair file server is placed in the isolation area of the headquarters network, so every terminal in the branch network can connect directly to the repair file server for self-repair.
After the self-repair in step 309 is completed, step 302 and the subsequent steps are executed again. If the iMC security authentication server determines that the terminal still does not satisfy the security requirement and the authentication process has exceeded the predetermined time limit, the iNode client on the terminal is notified and the iNode client goes offline.
Through this process, a terminal in a branch network must connect to the repair file server in the isolation area of the headquarters network to repair itself, and can only use the Internet or access restricted resources normally once it satisfies the preset security policy. Because operating system and antivirus vendors release system patches and virus signature libraries frequently, terminals in branch networks need to access the repair file server in the headquarters network frequently to download the relevant patches and signature libraries. This places a heavy burden on scarce and limited wide area network bandwidth, and can even consume the bandwidth of normal business traffic, affecting the enterprise's normal business communication.
To address this problem, the prior art downloads repair files by a peer-to-peer (P2P) method, specifically: a P2P user information table is stored on the iMC security authentication server and records which terminals have downloaded which repair files; when a terminal in a branch network needs to download a certain repair file to repair itself, the iMC security authentication server sends it, according to the P2P user information table, a list of IP addresses of terminals that have downloaded that repair file; the terminal to be repaired selects a peer from the IP list and downloads the repair file from it, and if the download fails from every peer in the list, it notifies the iMC security authentication server and downloads from the headquarters repair file server instead.
However, this scheme of downloading repair files in P2P mode still has the following disadvantages:
First, P2P is an application-layer protocol whose peer-selection criteria are the peers' upstream bandwidth, round-trip delay and the like. A terminal that needs repair cannot tell whether each peer in its IP list is in its own branch network, so selecting peers by uplink bandwidth, round-trip delay and so on may choose a peer at a distant network location while ignoring a local peer, which still burdens the wide area network bandwidth.
For example, in Fig. 2, terminal A-1 needs to download a system patch and the iMC authentication server notifies it that the patch exists on terminals A-2, B-1 and B-2. Because A-1 cannot determine location from the IP address, it may initiate a connection to B-1 or B-2 and ignore A-2 because of its upstream bandwidth or round-trip delay. The file download then occupies wide area network bandwidth.
Second, a terminal that needs repair downloads the repair file across the wide area network, and because wide area network links have small (2M-10M) and unstable bandwidth, downloading a large file takes a long time, causing the security authentication to fail by timeout.
Disclosure of Invention
The invention provides an EAD authentication method for a wide area network, which can save the bandwidth of the wide area network and improve the speed of downloading a repair file.
The invention also provides an EAD authentication system of the wide area network, which can save the bandwidth of the wide area network and improve the speed of downloading the repair file.
The invention also provides a terminal which can save the bandwidth of the wide area network and improve the speed of downloading the repair file.
In order to achieve the purpose, the technical scheme of the invention is realized as follows:
The invention discloses an EAD authentication method for a wide area network, in which an iMC security authentication server in a headquarters network records each repair file identifier in correspondence with the user names of the terminals that downloaded that repair file, and the method comprises the following steps:
the iMC security authentication server receives a security check result reported by a terminal in a branch network and, when it determines that the security check result does not conform to the preset security policy and that the terminal needs to download a specified repair file, issues a point-to-point (P2P) user information table to the terminal; the P2P user information table contains the user names corresponding to the terminals that have downloaded the specified repair file;
the terminal queries the EAD control gateway of the branch network for the terminal IP addresses corresponding to those user names in the P2P user information table that belong to the branch network;
the terminal receives the local IP address table returned by the EAD control gateway, establishes a connection with the corresponding terminal according to the local IP address table, downloads the specified repair file, repairs itself and performs EAD authentication again.
The invention also discloses an EAD authentication system for a wide area network, comprising an iMC security authentication server belonging to a headquarters network, and a terminal and an EAD control gateway belonging to the same branch network, where the terminal communicates with the iMC security authentication server through the EAD control gateway; wherein,
the terminal is used for reporting its own security check result to the iMC security authentication server and receiving the point-to-point (P2P) user information table issued by the iMC security authentication server;
the iMC security authentication server is used for issuing the P2P user information table to the terminal after determining that the security check result reported by the terminal does not conform to the preset security policy and that the terminal needs to download a specified repair file; the P2P user information table contains the user names corresponding to the terminals that have downloaded the specified repair file;
the terminal is further used for querying the EAD control gateway of the branch network for the terminal IP addresses corresponding to those user names in the P2P user information table that belong to the branch network, receiving the local IP address table returned by the EAD control gateway, establishing a connection with the corresponding terminal according to the local IP address table, downloading the specified repair file, repairing itself and performing EAD authentication again;
the EAD control gateway is used for sending the local IP address table to the terminal in response to the terminal's query; the local IP address table contains the terminal IP addresses corresponding to those user names in the P2P user information table that belong to the branch network.
The invention also discloses a terminal belonging to a branch network, comprising an EAD authentication module, a query module and a download module, wherein,
the EAD authentication module is used for reporting the terminal's security check result to the iMC security authentication server of the headquarters network, receiving the point-to-point (P2P) user information table issued by the iMC security authentication server, and passing it to the query module;
the P2P user information table is issued after the iMC security authentication server determines that the security check result does not conform to the preset security policy and that the terminal needs to download a specified repair file, and it contains the user names corresponding to the terminals that have downloaded the specified repair file;
the query module is used for querying the EAD control gateway of the branch network for the terminal IP addresses corresponding to those user names in the P2P user information table that belong to the branch network, receiving the local IP address table returned by the EAD control gateway, and passing the local IP address table to the download module;
the download module is used for establishing a connection with the corresponding terminal according to the local IP address table, downloading the specified repair file, and notifying the EAD authentication module to perform EAD authentication again after the terminal has been repaired.
According to this technical solution, after the EAD security check determines that the terminal needs to download a specified repair file, the iMC security authentication server issues the P2P user information table to the terminal; the table contains the user names corresponding to the terminals that have downloaded the specified repair file; the terminal then queries the EAD control gateway of the branch network for the terminal IP addresses corresponding to those user names in the table that belong to the branch network, receives the local IP address table returned by the gateway, establishes a connection with the corresponding terminal according to it, downloads the specified repair file, repairs itself and performs EAD authentication again. Any repair file is therefore transmitted only once over the link between the branch network and the headquarters network, which greatly saves wide area network bandwidth, and the repair file is downloaded within the branch network, which greatly improves the download speed.
Drawings
Fig. 1 is a schematic diagram of prior art local area network admission control networking;
Fig. 2 is a diagram of prior art wide area network admission control networking;
Fig. 3 is a diagram illustrating an EAD authentication process in a wide area network according to the prior art;
Fig. 4 is a flowchart of an EAD authentication method for a wide area network according to an embodiment of the present invention;
Fig. 5 is a flow chart of wide area network EAD authentication in an embodiment of the present invention;
Fig. 6 is a block diagram of an EAD authentication system of a wide area network according to an embodiment of the present invention;
Fig. 7 is a block diagram of a terminal according to an embodiment of the present invention.
Detailed Description
Fig. 4 is a flowchart of an EAD authentication method in a wide area network according to an embodiment of the present invention. The method applies to the process in which an iMC security authentication server in a headquarters network performs an EAD security check on terminals in a branch network, and the iMC security authentication server records the identifiers of repair files in correspondence with the user names of the terminals that downloaded those repair files. As shown in Fig. 4, the method comprises the following steps:
In this step, since the EAD control gateway is responsible for recording the details of every authenticated user in the branch network, including user name and IP address, it can identify the user names in the P2P user information table that belong to the branch network together with the corresponding terminal IP addresses, and return them as the local IP address table.
Step 403: the terminal receives the local IP address table returned by the EAD control gateway, establishes a connection with the corresponding terminal according to the local IP address table, downloads the specified repair file, repairs itself and performs EAD authentication again.
In this step, if the local IP address table contains the IP addresses of several local terminals, the terminal may select one or more of them to connect to and download the specified repair file from, according to the peer-selection principle of existing P2P technology.
In the scheme shown in fig. 4, since the P2P traffic for downloading the repair file is limited inside the branch network, the bandwidth occupation on the wide area network link is greatly reduced, and the download speed of the repair file is increased.
As can be seen from the flow in Fig. 4, the iMC security authentication server records the identifiers of the repair files in correspondence with the user names of the terminals that downloaded them; that is, a P2P user information table corresponding to the repair files must be maintained on the iMC security authentication server. Although this part is the same as the prior art, it is briefly described with reference to Fig. 2 to make the technical solution clearer; it is divided into two stages:
First stage: referring to Fig. 2, the enterprise deploys a new repair file A, that is, the repair file server deploys the new repair file A, and at this time no terminal has downloaded and installed it. Terminal A-2 is a terminal that has not installed repair file A as the enterprise requires. When terminal A-2 wants to access the network, it initiates EAD identity authentication and an EAD security check with the iMC security authentication server. After identity authentication passes, the EAD security check is performed: terminal A-2 checks itself and reports the security check result to the iMC security authentication server; the server compares the reported result with the configured security policy and finds that terminal A-2 does not have repair file A installed; the server then checks the P2P user information entry corresponding to repair file A to see whether any user has downloaded the file. Because terminal A-2 is the first terminal applying to download repair file A, no user name is recorded in the entry, so the iMC security authentication server redirects terminal A-2 to the headquarters repair file server to download the file and repair itself, and at the same time records the user name of terminal A-2 in the P2P user information entry for repair file A to indicate that terminal A-2 has downloaded it.
An example of a P2P user information table is shown in table 1:
TABLE 1
As shown in table 1, the P2P user information table may further include an item of user presence status to indicate whether the terminal downloading the specified file is currently online. The iMC security authentication server may determine whether a terminal is online according to existing schemes, for example, may determine whether a terminal is online according to an authentication procedure.
Second stage: referring to Fig. 2, terminal A-1 does not have repair file A installed, but by now terminals A-2, B-1 and B-2 do. When terminal A-1 wants to access the network, it initiates EAD identity authentication and an EAD security check with the iMC security authentication server. After identity authentication passes, the EAD security check is performed: terminal A-1 checks itself and reports the security check result to the iMC security authentication server; the server compares the reported result with the configured security policy and finds that terminal A-1 has not installed the repair file A required by the policy; the server then checks the P2P user information entries for repair file A to see which users have downloaded the file, and finds that terminals A-2, B-1 and B-2 have repair file A installed and are currently online. Because the iMC security authentication server does not know the physical locations of these terminals, it packages the P2P user information entries containing their user names and sends them to terminal A-1. If terminal A-1 downloads the repair file successfully, it sends a confirmation message to the iMC security authentication server, which records the IP address of terminal A-1 in the P2P user information entry for repair file A. That is, after a terminal successfully downloads a repair file, it sends a confirmation message to the iMC security authentication server, which records the user name of the terminal that sent the confirmation together with the identifier of the repair file it downloaded.
Alternatively, in other embodiments of the present invention, when a terminal passes EAD authentication, the iMC security authentication server records, in one-to-one correspondence, the identifiers of all repair files that the security policy requires to be installed on the terminal and the user name of the terminal that passed EAD authentication. This is because a terminal can only pass EAD authentication if it has completely downloaded and installed all repair files required by the EAD security policy.
These two stages explain how the iMC security authentication server maintains the P2P user information table. According to the scheme of the invention, in the second stage, after receiving the packaged P2P user information table from the iMC security authentication server, terminal A-1 asks EAD control gateway A of branch network A, where terminal A-1 is located, which of the terminals corresponding to the user names in the table are in the local branch network. Since EAD control gateway A records the details of every authenticated user in branch network A, including user name and IP address, it can tell from the IP addresses which terminals belong to branch network A, and it sends the IP address of terminal A-2, the one in the P2P user information table that belongs to branch network A, to terminal A-1 in the form of a local IP address table. Terminal A-1 can then connect to terminal A-2 according to the local IP address table and download the specified repair file. This prevents terminal A-1 from downloading the file from the distant terminals B-1 and B-2 and adding to the wide area network load. If none of the terminals corresponding to the user names in the P2P user information table is local, the EAD control gateway sends the pre-configured IP address of the headquarters repair file server to terminal A-1, and terminal A-1 downloads repair file A directly from the repair file server. This ensures that repair file A is transmitted only once over the link between branch network A and the headquarters network.
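As an added example (not code from the patent or from the iMC product), the following Python model shows how an iMC security authentication server could maintain the P2P user information table through the two stages just described: the first request for a repair file is redirected to headquarters and recorded, later requests receive only the user names of online downloaders, confirmation messages add further downloaders, and the alternative embodiment records a terminal under every required file once it passes authentication. The class names, repair file identifier, user names and headquarters server address are constructed assumptions.

```python
# Added example, not the patent's or the iMC product's code: a model of the
# server-side P2P user information table. Names and addresses are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

HQ_REPAIR_SERVER = "10.0.0.10"  # constructed address of the headquarters repair file server


@dataclass
class SecurityDecision:
    """What the server issues to a terminal after comparing its check result."""
    compliant: bool
    missing_file: Optional[str] = None
    # user names of online terminals that already hold missing_file (the P2P entry)
    peer_usernames: List[str] = field(default_factory=list)
    # set only when no online peer holds the file: download from headquarters instead
    redirect_to: Optional[str] = None


class IMCSecurityServer:
    """Keeps, per repair file identifier, the user names recorded as downloaders,
    plus a user presence status derived from the authentication procedure (Table 1)."""

    def __init__(self, required_files: Set[str]) -> None:
        self.required_files = set(required_files)
        # repair file identifier -> user names that downloaded it
        self.p2p_user_table: Dict[str, Set[str]] = {f: set() for f in self.required_files}
        self.online_users: Set[str] = set()

    def login(self, user: str) -> None:
        self.online_users.add(user)

    def logout(self, user: str) -> None:
        self.online_users.discard(user)

    def evaluate(self, user: str, installed_files: Set[str]) -> SecurityDecision:
        """Compare the reported security check result with the policy (step 308/308')."""
        missing = sorted(self.required_files - set(installed_files))
        if not missing:
            return SecurityDecision(compliant=True)
        target = missing[0]  # one file per round; the terminal re-authenticates afterwards
        peers = sorted(u for u in self.p2p_user_table[target]
                       if u in self.online_users and u != user)
        if not peers:
            # First stage: nobody has the file yet. Redirect to headquarters and
            # record this user as a downloader at the same time.
            self.p2p_user_table[target].add(user)
            return SecurityDecision(False, target, [], HQ_REPAIR_SERVER)
        # Second stage: issue user names only; the branch gateway resolves locality.
        return SecurityDecision(False, target, peers, None)

    def confirm_download(self, user: str, file_id: str) -> None:
        """Confirmation message a terminal sends after a successful download."""
        self.p2p_user_table.setdefault(file_id, set()).add(user)

    def on_authentication_passed(self, user: str) -> None:
        """Alternative embodiment: a terminal that passed EAD authentication must
        hold every required file, so it is recorded under all of them."""
        for file_id in self.required_files:
            self.p2p_user_table[file_id].add(user)
```

The server never hands out IP addresses in the second stage, only user names; that is the point of the scheme, since only the branch gateway can tell which of those users are local.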
To make the technical solution of the present invention clearer, a complete EAD authentication procedure according to the solution of the invention is given below, taking terminal A-3 in Fig. 2 as an example.
Fig. 5 is a flow chart of wide area network EAD authentication in an embodiment of the present invention. As shown in fig. 5, the method comprises the following steps:
Step 505: the EAD security policy component on the iMC security authentication server issues the security policy and other control information for terminal A-3.
Step 507: the iNode client software on terminal A-3 performs a security check of terminal A-3 and reports the security check result to the iMC security authentication server.
Step 508': the EAD security policy component on the iMC security authentication server compares the security check result reported by terminal A-3 with the preset security policy; if the result meets the requirements of the security policy, ACL and VLAN information is sent to EAD control gateway A in branch network A, where terminal A-3 is located, so that terminal A-3 can access the network normally, and the process ends.
Steps 501 to 507 and step 508' are the same as steps 301 to 307 and step 308' in FIG. 3.
Step 508: the EAD security policy component on the iMC security authentication server compares the security check result reported by terminal A-3 with the preset security policy; if the result does not meet the requirements of the security policy and a specified repair file needs to be downloaded and installed, the EAD security policy component queries the P2P user information table corresponding to the specified repair file and sends terminal A-3 a user name list of the terminals that have downloaded the specified repair file and are currently online.
Step 509: according to the user name list issued by the iMC security authentication server, terminal A-3 queries EAD control gateway A about which of the terminals corresponding to those user names belong to branch network A.
Step 511: terminal A-3 establishes a connection with the terminal corresponding to the IP address returned by the EAD control gateway and downloads the specified repair file.
Step 510': if EAD control gateway A finds that none of the terminals corresponding to the user names in the user name list belongs to branch network A, it sends the preconfigured IP address of the headquarters repair file server to terminal A-3.
Step 511': terminal A-3 establishes a connection with the headquarters repair file server and downloads the specified repair file.
After terminal A-3 has downloaded the specified repair file in step 511 or step 511' and installed it, it performs self-repair and then re-executes step 502 and the subsequent steps until the repair succeeds.
The above embodiments show that the technical scheme of the present invention ensures that any repair file is transmitted only once over the link between a branch network and the headquarters network, reduces the bandwidth consumed by repair file downloads on the wide area network link, preserves bandwidth for the normal business of the enterprise, and downloads files within the branch network wherever possible, thereby largely avoiding EAD authentication failures caused by file download timeouts.
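The procedure above (steps 508 to 511') as an added simulation, not code from the patent or from the iMC/iNode products: the class names, table layouts and the sample user names, IP addresses and repair file IDs are constructed for illustration. The iMC server keeps the repair-file-to-user table, the gateway answers the branch-membership query or falls back to the preset headquarters repair server, and the second variant of claim 4 populates the table on a successful check.

```python
"""Simulation of the WAN EAD repair-file flow (added example, not the patent's code).

Class names, table layouts and sample values are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class IMCServer:
    """Headquarters iMC security authentication server (simulated)."""
    policy: set                               # repair file IDs the security policy requires
    online: set = field(default_factory=set)  # user names currently online
    # P2P user information table: repair file ID -> user names that have downloaded it
    p2p_table: dict = field(default_factory=lambda: defaultdict(set))

    def check(self, username, installed):
        """Steps 508/508': compare the reported check result with the policy.

        Returns ("pass", None, []) when the terminal meets the policy, otherwise
        ("repair", file_id, peers) where peers is the issued user name list: the
        online users that already hold the first missing repair file.
        """
        missing = sorted(self.policy - set(installed))
        if not missing:
            # Second variant of claim 4: on a pass, record every required file
            # against this user so it can later serve as a P2P download source.
            for file_id in self.policy:
                self.p2p_table[file_id].add(username)
            return "pass", None, []
        file_id = missing[0]
        peers = sorted(u for u in self.p2p_table[file_id]
                       if u in self.online and u != username)
        return "repair", file_id, peers

    def confirm_download(self, username, file_id):
        """First variant of claim 4: record a successful-download confirmation."""
        self.p2p_table[file_id].add(username)


@dataclass
class EADGateway:
    """EAD control gateway of one branch network (simulated)."""
    branch_members: dict    # user name -> IP address of each terminal in this branch
    hq_repair_server: str   # preset IP address of the headquarters repair file server

    def resolve(self, usernames):
        """Steps 509/510': answer the terminal's query with the local IP address
        table, or with the HQ server IP when no listed user belongs to this branch."""
        local = {u: self.branch_members[u]
                 for u in usernames if u in self.branch_members}
        if local:
            return "local", local
        return "hq", {"repair-server": self.hq_repair_server}


def choose_source(server, gateway, username, installed):
    """One terminal's outcome: ("allow", None, None) on a pass, otherwise
    (source_kind, file_id, ip_table) with source_kind "local" or "hq"."""
    verdict, file_id, peers = server.check(username, installed)
    if verdict == "pass":
        return "allow", None, None
    kind, table = gateway.resolve(peers)
    return kind, file_id, table


def demo():
    """Constructed scenario: branch A terminals a-1, a-3, a-4 and one required patch."""
    server = IMCServer(policy={"patch-001"}, online={"a-1", "a-3", "a-4"})
    gateway = EADGateway(
        branch_members={"a-1": "10.1.0.11", "a-3": "10.1.0.13", "a-4": "10.1.0.14"},
        hq_repair_server="10.0.0.5")
    results = []
    # a-3 fails the check before anyone in the branch holds the file: HQ fallback
    results.append(choose_source(server, gateway, "a-3", installed=[]))
    server.confirm_download("a-3", "patch-001")   # the single WAN transfer
    # a-4 fails the same check afterwards and is pointed at a-3 inside the branch
    results.append(choose_source(server, gateway, "a-4", installed=[]))
    # a-3 re-authenticates after self-repair and is allowed onto the network
    results.append(choose_source(server, gateway, "a-3", installed=["patch-001"]))
    return results
```

Running `demo()` shows the file crossing the WAN link exactly once, with every later terminal in the branch served by a local peer.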
Based on the above embodiments, the wide area network EAD authentication system and the terminal of the present invention are described below with block diagrams.
Fig. 6 is a block diagram of a wide area network EAD authentication system according to an embodiment of the present invention. As shown in fig. 6, the system includes an iMC security authentication server belonging to the headquarters network, and terminals and an EAD control gateway belonging to the same branch network; the terminals communicate with the iMC security authentication server through the EAD control gateway, and the iMC security authentication server records each repair file identifier together with the user names of the terminals that have downloaded that repair file.
In fig. 6, the terminal is configured to perform a security check on itself in the EAD security check stage of EAD authentication, to report its security check result to the iMC security authentication server, and to receive the point-to-point (P2P) user information table issued by the iMC security authentication server;
the iMC security authentication server is configured to compare the security check result reported by the terminal with the preset security policy, and to issue a P2P user information table to the terminal after determining that the terminal's security check result does not meet the preset security policy and the terminal needs to download a specified repair file; the P2P user information table contains the user names of terminals that have downloaded the specified repair file;
the terminal is configured to query the EAD control gateway of the branch network for the terminal IP addresses corresponding to the user names in the P2P user information table that belong to the branch network, to receive the local IP address table returned by the EAD control gateway, to establish a connection with the corresponding terminal according to the local IP address table, to download the specified repair file, to perform self-repair, and to perform EAD authentication again;
the EAD control gateway is configured to send a local IP address table to the terminal in response to the terminal's query; the local IP address table contains the terminal IP addresses corresponding to the user names in the P2P user information table that belong to the branch network.
In fig. 6, when the EAD control gateway finds that no user name in the P2P user information table belongs to the branch network, it is configured to return to the terminal the IP address of the repair file server in the headquarters network; the IP address of the repair file server is preset in the EAD control gateway; and the terminal is configured to establish a connection with the repair file server, download the specified repair file, perform self-repair and perform EAD authentication again.
In fig. 6, the P2P user information table issued by the iMC security authentication server to the terminal contains the user names of terminals that have downloaded the specified repair file and are currently online.
As shown in fig. 6, the terminal is configured to send a confirmation message to the iMC security authentication server after the repair file has been downloaded successfully, and the iMC security authentication server is configured to record the user name of the terminal that sent the confirmation message together with the identifier of the repair file it downloaded. Alternatively, when a terminal passes EAD authentication, the iMC security authentication server records the identifiers of all repair files that the security policy requires to be installed on the terminal in one-to-one correspondence with the user name of the terminal that passed EAD authentication.
Fig. 7 is a block diagram of a terminal according to an embodiment of the present invention. The terminal belongs to a branch network and, as shown in fig. 7, includes an EAD authentication module 701, a query module 702 and a download module 703.
In fig. 7, the EAD authentication module 701 is configured to report the security check result of the terminal to the iMC security authentication server of the headquarters network, to receive the point-to-point (P2P) user information table sent by the iMC security authentication server, and to pass the P2P user information table to the query module 702;
the P2P user information table is issued after the iMC security authentication server determines that the security check result does not meet the preset security policy and that the terminal needs to download a specified repair file, and it contains the user names of terminals that have downloaded the specified repair file;
the query module 702 is configured to query the EAD control gateway of the branch network for the terminal IP addresses corresponding to the user names in the P2P user information table that belong to the branch network, to receive the local IP address table returned by the EAD control gateway, and to pass the local IP address table to the download module 703;
the download module 703 is configured to establish a connection with the corresponding terminal according to the local IP address table, download the specified repair file, and notify the EAD authentication module 701 to perform EAD authentication again after the terminal has been repaired.
In fig. 7, the query module 702 is further configured to receive the IP address of the repair file server in the headquarters network returned by the EAD control gateway and to pass that IP address to the download module 703; the IP address of the repair file server is returned when the EAD control gateway finds that no user name in the P2P user information table belongs to the branch network; and the download module 703 is configured to establish a connection with the repair file server, download the specified repair file, and notify the EAD authentication module 701 to perform EAD authentication again after the terminal has been repaired.
In summary, after the EAD security check determines that the terminal needs to download a specified repair file, the iMC security authentication server issues a P2P user information table to the terminal; the P2P user information table contains the user names of terminals that have downloaded the specified repair file. The terminal then queries the EAD control gateway of the branch network for the terminal IP addresses corresponding to the user names in the P2P user information table that belong to the branch network, receives the local IP address table returned by the EAD control gateway, establishes a connection with the corresponding terminal according to the local IP address table, downloads the specified repair file, performs self-repair and performs EAD authentication again. In this way any repair file is transmitted only once over the link between the branch network and the headquarters network, which greatly saves wide area network bandwidth, and the repair file is downloaded within the branch network, which greatly improves the download speed.
The above description is only exemplary of the present invention and should not be taken as limiting the scope of the present invention, and any modifications, equivalents, improvements and the like that are within the spirit and principle of the present invention should be included in the present invention.
Claims (10)
1. An EAD authentication method for access control of a wide area network terminal, characterized in that an intelligent management center (iMC) security authentication server in a headquarters network records each repair file identifier together with the user names of the terminals that have downloaded the corresponding repair file, and the method comprises the following steps:
the iMC security authentication server receives a security check result reported by a terminal in a branch network, and when it determines that the security check result does not meet a preset security policy and the terminal needs to download a specified repair file, issues a point-to-point (P2P) user information table to the terminal; the P2P user information table contains the user names of terminals that have downloaded the specified repair file;
the terminal queries the EAD control gateway of the branch network for the terminal IP addresses corresponding to the user names in the P2P user information table that belong to the branch network;
and the terminal receives the local IP address table returned by the EAD control gateway, establishes a connection with the corresponding terminal according to the local IP address table, downloads the specified repair file, performs self-repair and performs EAD authentication again.
2. The method of claim 1, wherein, if the EAD control gateway finds that no user name in the P2P user information table belongs to the present branch network, the method further comprises:
the terminal receives the IP address of the repair file server in the headquarters network returned by the EAD control gateway; the IP address of the repair file server is preset in the EAD control gateway;
and the terminal establishes connection with the repair file server and downloads the specified repair file.
3. The method according to claim 1, wherein the P2P user information table contains user names corresponding to online terminals that have downloaded the specified repair file.
4. The method according to any one of claims 1 to 3, wherein
after the terminal successfully downloads the repair file, the terminal sends a confirmation message to the iMC security authentication server, and the iMC security authentication server records the user name of the terminal that sent the confirmation message together with the identifier of the repair file downloaded by the terminal;
or, when the terminal passes EAD authentication, the iMC security authentication server records the identifiers of all repair files that the security policy requires to be installed on the terminal in one-to-one correspondence with the user name of the terminal that passed EAD authentication.
5. A wide area network EAD authentication system, comprising an iMC security authentication server belonging to a headquarters network, and a terminal and an EAD control gateway belonging to the same branch network, wherein the terminal communicates with the iMC security authentication server through the EAD control gateway; wherein
the terminal is configured to report its own security check result to the iMC security authentication server and to receive a point-to-point (P2P) user information table issued by the iMC security authentication server;
the iMC security authentication server is configured to issue a P2P user information table to the terminal after determining that the security check result reported by the terminal does not meet the preset security policy and the terminal needs to download a specified repair file; the P2P user information table contains the user names of terminals that have downloaded the specified repair file;
the terminal is configured to query the EAD control gateway of the branch network for the terminal IP addresses corresponding to the user names in the P2P user information table that belong to the branch network, to receive the local IP address table returned by the EAD control gateway, to establish a connection with the corresponding terminal according to the local IP address table, to download the specified repair file, to perform self-repair and to perform EAD authentication again;
the EAD control gateway is configured to send a local IP address table to the terminal in response to the terminal's query; the local IP address table contains the terminal IP addresses corresponding to the user names in the P2P user information table that belong to the branch network.
6. The system of claim 5, wherein, when the EAD control gateway finds that no user name in the P2P user information table belongs to the present branch network,
the EAD control gateway is used for returning the IP address of the repair file server in the headquarters network to the terminal; the IP address of the repair file server is preset in the EAD control gateway;
and the terminal is used for establishing connection with the repair file server, downloading the specified repair file, performing self-repair and performing EAD authentication again.
7. The system of claim 5,
and the iMC security authentication server is used for issuing a P2P user information table containing user names corresponding to the online terminals downloading the specified repair files to the terminals.
8. The system according to any one of claims 5 to 7, wherein
the terminal is used for sending a confirmation message to the iMC security authentication server after the repair file is successfully downloaded; the iMC security authentication server is used for correspondingly recording the user name of the terminal sending the confirmation message and the repair file identifier downloaded by the terminal;
or the iMC security authentication server is used for recording the identifications of all the repair files required by the security policy to be installed on the terminal and the user names of the terminals passing the EAD authentication in a one-to-one correspondence manner when the terminals pass the EAD authentication.
9. A terminal belonging to a branch network, comprising an EAD authentication module, a query module and a download module, wherein
the EAD authentication module is configured to report the security check result of the terminal to an iMC security authentication server of a headquarters network, to receive the point-to-point (P2P) user information table sent by the iMC security authentication server, and to pass the P2P user information table to the query module;
the P2P user information table is issued after the iMC security authentication server determines that the security check result does not meet the preset security policy and that the terminal needs to download a specified repair file, and it contains the user names of terminals that have downloaded the specified repair file;
the query module is configured to query the EAD control gateway of the branch network for the terminal IP addresses corresponding to the user names in the P2P user information table that belong to the branch network, to receive the local IP address table returned by the EAD control gateway and to pass the local IP address table to the download module;
and the download module is configured to establish a connection with the corresponding terminal according to the local IP address table, download the specified repair file, and notify the EAD authentication module to perform EAD authentication again after the terminal has been repaired.
10. The terminal of claim 9, wherein
the query module is further configured to receive the IP address of the repair file server in the headquarters network returned by the EAD control gateway and to pass the IP address to the download module; the IP address of the repair file server is returned when the EAD control gateway finds that no user name in the P2P user information table belongs to the branch network;
and the download module is configured to establish a connection with the repair file server, download the specified repair file, and notify the EAD authentication module to perform EAD authentication again after the terminal has been repaired.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2009100873755A CN101582891B (en) | 2009-06-19 | 2009-06-19 | Wide area network terminal access control authentication method, system and terminal |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101582891A true CN101582891A (en) | 2009-11-18 |
| CN101582891B CN101582891B (en) | 2012-05-23 |
Family
ID=41364854
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |
| | CP03 | Change of name, title or address | Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466. Patentee after: Xinhua three Technology Co., Ltd. Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base. Patentee before: Huasan Communication Technology Co., Ltd. |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20120523. Termination date: 20200619 |
