CN104767715A - Network access control method and device - Google Patents

Abstract

The invention discloses a network access control method and equipment, which aim to lower the access control difficulty of safe access of a conventional mobile terminal into a network. The method comprises the steps that network access equipment receives an access request message which carries an identifier of the mobile terminal and is sent by the mobile terminal; the network access equipment judges the registration state of the identifier of the mobile terminal; if the identifier is not registered, the network access equipment allocates an internet protocol (IP) address for the mobile terminal, and then sets an access control strategy corresponding to the IP address as a first authority strategy, which allows the IP address to visit an authenticated webpage; the network access equipment receives a webpage access request message sent by the mobile terminal through the IP address, redirects the webpage access request message to the authenticated webpage according to the access control strategy, or redirects to a registration webpage if confirming the success of the mobile terminal in authentication; if the network access equipment confirms the completion of registration of the mobile terminal, the network access equipment sends a configuration file and a digital certificate to the mobile terminal, wherein the configuration file and the digital certificate are used for access of the mobile terminal into an enterprise wireless network through extensible authentication protocol-transport layer security (EAP-TLS).

Description

Translated fromChinese

网络接入控制方法和设备Network access control method and device

技术领域technical field

本发明涉及网络通信技术领域，尤其涉及一种网络接入控制方法及一种无线访问接入点和无线接入控制器。The invention relates to the technical field of network communication, in particular to a network access control method, a wireless access point and a wireless access controller.

背景技术Background technique

随着移动终端技术的发展、制造工艺的提高以及销售价格的下降，最近几年移动终端获得了快速普及。目前，移动终端在销量上已经超过了个人计算机。携带自带设备办公（Bring your own device，简称BYOD）已经随之成为了一种被普遍接受的工作方式。出于降低固定资产投入和提高办公效率方面的考虑，越来越多的企业鼓励员工携带私人的移动终端接入企业网络进行日常办公。With the development of mobile terminal technology, the improvement of manufacturing technology and the decline of sales price, mobile terminals have gained rapid popularity in recent years. Currently, mobile terminals have surpassed personal computers in sales. Bringing your own device (BYOD for short) has become a generally accepted way of working. In order to reduce investment in fixed assets and improve office efficiency, more and more enterprises encourage employees to bring their personal mobile terminals to access the enterprise network for daily office work.

然而，由于接入企业无线网络的移动终端的类型、归属和接入位置的不确定性，也给企业信息安全管理提出了挑战：如何在移动终端接入企业无线网络时进行有效的接入控制，从而确保企业网络中的资源不被非法用户使用。However, due to the uncertainty of the type, ownership and access location of mobile terminals accessing enterprise wireless networks, it also poses a challenge to enterprise information security management: how to effectively control access when mobile terminals access enterprise wireless networks , so as to ensure that the resources in the enterprise network are not used by illegal users.

处于安全性方面的考虑，通常推荐采用较高安全等级的接入认证方式，例如电气和电子工程师协会（Institute of Electrical and Electronics Engineers，简称IEEE）802.1X可扩展认证协议-传输层安全（Extensible AuthenticationProtocol-Transport Layer Security，简称EAP-TLS）证书认证，对接入企业无线网络的移动终端进行接入控制。然而这种方式在实际应用中有一些不便之处：用户的移动终端需要预先获取数字证书，而且对于不同品牌型号的移动终端，在配置802.1X认证接入参数时有所不同，有的会较为复杂。如何实现自动化地将数字证书分发给移动终端，以及帮助移动终端的用户配置认证接入参数，成为一个需要解决的问题。In terms of security, it is usually recommended to use a higher security level access authentication method, such as the Institute of Electrical and Electronics Engineers (IEEE) 802.1X Extensible Authentication Protocol-Transport Layer Security (Extensible Authentication Protocol) -Transport Layer Security, referred to as EAP-TLS) certificate authentication, to control the access of mobile terminals accessing the enterprise wireless network. However, this method has some inconveniences in practical applications: the user's mobile terminal needs to obtain a digital certificate in advance, and for mobile terminals of different brands and models, the configuration of 802.1X authentication access parameters is different, and some will be more difficult. complex. How to automatically distribute digital certificates to mobile terminals and help users of mobile terminals configure authentication access parameters has become a problem to be solved.

发明内容Contents of the invention

本发明实施例提供一种网络接入控制方法，用以降低现有移动终端安全接入网络时的接入控制难度。An embodiment of the present invention provides a network access control method, which is used to reduce the difficulty of access control when an existing mobile terminal securely accesses a network.

对应地，本发明实施例还提供了一种无线接入点和无线控制器。Correspondingly, the embodiment of the present invention also provides a wireless access point and a wireless controller.

本发明实施例提供的技术方案如下：The technical scheme that the embodiment of the present invention provides is as follows:

第一方面，提供了网络接入控制方法，其特征在于，包括：In the first aspect, a network access control method is provided, which is characterized in that it includes:

网络接入设备接收移动终端发送的接入请求消息，所述接入请求消息用于请求接入企业的无线网络，所述接入请求消息携带所述移动终端的标识，所述移动终端的标识用于在所述企业的无线网络的范围内唯一地标识所述移动终端；The network access device receives the access request message sent by the mobile terminal, the access request message is used to request access to the wireless network of the enterprise, the access request message carries the identifier of the mobile terminal, and the identifier of the mobile terminal for uniquely identifying the mobile terminal within the range of the wireless network of the enterprise;

所述网络接入设备判断所述移动终端的标识对应的注册状态，所述注册状态用于标识所述移动终端是否已在企业的无线网络中注册；The network access device judges the registration status corresponding to the identification of the mobile terminal, and the registration status is used to identify whether the mobile terminal has registered in the wireless network of the enterprise;

若所述网络接入设备判断所述移动终端的标识对应的注册状态为未注册，所述网络接入设备为所述移动终端分配IP地址后，将所述IP地址对应的访问控制策略设置为第一权限策略，所述第一权限策略允许所述IP地址访问认证网页；If the network access device determines that the registration status corresponding to the identifier of the mobile terminal is unregistered, after the network access device assigns an IP address to the mobile terminal, set the access control policy corresponding to the IP address to A first authority policy, where the first authority policy allows the IP address to access the authentication webpage;

所述网络接入设备接收所述移动终端使用所述IP地址发送的网页访问请求消息，所述网络接入设备根据所述IP地址对应的所述第一权限策略将所述网页访问请求消息重定向到所述认证网页，如果所述网络接入设备确定所述移动终端通过所述认证网页认证成功，重定向到注册网页；The network access device receives the web page access request message sent by the mobile terminal using the IP address, and the network access device re-enables the web page access request message according to the first authority policy corresponding to the IP address. Directing to the authentication webpage, if the network access device determines that the mobile terminal is successfully authenticated through the authentication webpage, redirecting to the registration webpage;

如果所述网络接入设备确定所述移动终端通过所述注册网页完成在所述企业的无线网络中的注册，所述网络接入设备向所述移动终端发送配置文件和数字证书，所述配置文件和数字证书用于所述移动终端通过可扩展认证协议EAP-传输层安全TLS认证方式接入所述企业的无线网络。If the network access device determines that the mobile terminal has completed the registration in the wireless network of the enterprise through the registration webpage, the network access device sends the configuration file and digital certificate to the mobile terminal, and the configuration The file and the digital certificate are used for the mobile terminal to access the wireless network of the enterprise through the Extensible Authentication Protocol EAP-Transport Layer Security TLS authentication mode.

在第一方面的第一种可能的实现方式中，所述认证网页是所述企业的无线网络中的门户Portal服务器提供的，所述Portal服务器将所述移动终端在所述认证网页中输入的轻型目录访问协议LDAP域账号认证信息发送到拨号用户远程认证服务RADIUS服务器中进行网页认证；In a first possible implementation of the first aspect, the authentication webpage is provided by a Portal server in the wireless network of the enterprise, and the Portal server uses the mobile terminal input in the authentication webpage Lightweight Directory Access Protocol LDAP domain account authentication information is sent to the dial-up user remote authentication service RADIUS server for web page authentication;

所述如果所述网络接入设备确定所述移动终端通过所述认证网页认证成功，重定向到注册网页，包括：If the network access device determines that the mobile terminal is successfully authenticated through the authentication webpage, redirecting to the registration webpage includes:

所述网络接入设备接收到所述RADIUS服务器返回的网页认证结果；The network access device receives the web page authentication result returned by the RADIUS server;

如果所述网页认证结果指示所述移动终端通过网页认证，则所述网络接入设备将所述IP地址对应的访问控制策略设置为第二权限策略，所述第二权限策略允许所述IP地址访问所述注册网页；If the web page authentication result indicates that the mobile terminal has passed the web page authentication, the network access device sets the access control policy corresponding to the IP address as the second authority policy, and the second authority policy allows the IP address to access said registration web page;

所述网络接入设备根据所述IP地址对应的所述第二权限策略，将所述网页访问请求消息重定向到所述注册网页。The network access device redirects the webpage access request message to the registration webpage according to the second authority policy corresponding to the IP address.

在第一方面、或第一方面的第一种可能的实现方式中，还提供了第一方面的第二种可能的实现方式，还包括：若所述网络接入设备判断所述移动终端的标识对应的注册状态为已注册，所述网络接入设备向所述移动终端发送响应消息，所述响应消息中携带的认证算法字段设置为EAP-TLS认证指示符，用以指示所述移动终端按照EAP-TLS认证方式接入所述企业的无线网络；In the first aspect, or the first possible implementation of the first aspect, a second possible implementation of the first aspect is also provided, which further includes: if the network access device determines that the mobile terminal Identifying the corresponding registration state as registered, the network access device sends a response message to the mobile terminal, and the authentication algorithm field carried in the response message is set as an EAP-TLS authentication indicator to indicate that the mobile terminal Access to the wireless network of the enterprise in accordance with the EAP-TLS authentication method;

当所述网络接入设备确定所述移动终端与所述RADIUS服务器之间进行的EAP-TLS认证成功时，为所述移动终端开通受控端口，所述受控端口用于传输所述移动终端的业务数据。When the network access device determines that the EAP-TLS authentication between the mobile terminal and the RADIUS server is successful, it opens a controlled port for the mobile terminal, and the controlled port is used to transmit the mobile terminal business data.

在第一方面的第一种、或第二种可能的实现方式中，还提供了第一方面的第三种可能的实现方式，所述网络接入设备判断所述移动终端的标识对应的注册状态，包括：In the first or second possible implementation of the first aspect, a third possible implementation of the first aspect is also provided, wherein the network access device determines the registration information corresponding to the identity of the mobile terminal status, including:

所述网络接入设备从所述接入请求消息中获取所述移动终端的标识；The network access device acquires the identifier of the mobile terminal from the access request message;

根据所述移动终端的标识向所述企业的无线网络中的管理服务器查询所述移动终端的注册状态；querying the registration status of the mobile terminal from a management server in the wireless network of the enterprise according to the identification of the mobile terminal;

接收所述管理服务器返回的所述移动终端在所述网络中的注册状态。receiving the registration status of the mobile terminal in the network returned by the management server.

在第一方面的第三种可能的实现方式中，还提供了第一方面的第四种可能的实现方式，所述注册网页是所述管理服务器提供的，In the third possible implementation of the first aspect, a fourth possible implementation of the first aspect is also provided, the registration webpage is provided by the management server,

所述如果所述网络接入设备确定所述移动终端通过所述注册网页完成在所述企业的无线网络中的注册，所述网络接入设备向所述移动终端发送配置文件和数字证书，包括：If the network access device determines that the mobile terminal has completed the registration in the wireless network of the enterprise through the registration webpage, the network access device sends the configuration file and the digital certificate to the mobile terminal, including :

所述网络接入设备接收所述管理服务器发送的所述配置文件和所述数字证书，所述配置文件和所述数字证书是所述管理服务器在所述移动终端通过所述注册网页完成在所述企业的无线网络中的注册之后发送的；所述管理服务器发送所述配置文件和数字证书之后，所述移动终端在所述管理服务器中的注册状态被更新为已注册；The network access device receives the configuration file and the digital certificate sent by the management server, and the configuration file and the digital certificate are completed by the management server through the registration webpage at the mobile terminal. after the registration in the wireless network of the enterprise; after the management server sends the configuration file and the digital certificate, the registration status of the mobile terminal in the management server is updated as registered;

所述网络接入设备将所述配置文件和所述数字证书发送给所述移动终端。The network access device sends the configuration file and the digital certificate to the mobile terminal.

在第一方面的第四种可能的实现方式中，还提供了第一方面的第五种可能的实现方式，所述网络接入设备向所述移动终端发送配置文件和数字证书之后，还包括：In the fourth possible implementation of the first aspect, a fifth possible implementation of the first aspect is also provided, after the network access device sends the configuration file and the digital certificate to the mobile terminal, further includes :

所述网络接入设备接收所述RADIUS服务器发送的动态授权CoA消息，并在接收到所述CoA消息后指示所述移动终端重新发送所述接入请求消息；所述CoA消息是所述移动终端在所述管理服务器中的注册状态被更新为已注册后发送的。The network access device receives the dynamic authorization CoA message sent by the RADIUS server, and instructs the mobile terminal to resend the access request message after receiving the CoA message; the CoA message is the mobile terminal Sent after the registration status in the management server is updated to registered.

在第一方面的第五种可能的实现方式中，还提供了第一方面的第六种可能的实现方式，所述网络接入设备接收到所述CoA消息后，所述方法还包括：所述网络接入设备回收所述IP地址。In the fifth possible implementation manner of the first aspect, a sixth possible implementation manner of the first aspect is also provided, after the network access device receives the CoA message, the method further includes: The network access device reclaims the IP address.

第二方面，还提供了一种无线访问接入点AP，其特征在于，包括：In the second aspect, there is also provided a wireless access point AP, which is characterized in that it includes:

接收单元，用于接收移动终端发送的接入请求消息，所述接入请求消息用于请求接入企业的无线网络，所述接入请求消息携带所述移动终端的标识，所述移动终端的标识用于在所述企业的无线网络的范围内唯一地标识所述移动终端；The receiving unit is configured to receive an access request message sent by the mobile terminal, the access request message is used to request access to the wireless network of the enterprise, the access request message carries the identifier of the mobile terminal, and the mobile terminal's an identifier for uniquely identifying the mobile terminal within the range of the wireless network of the enterprise;

判断单元，用于判断所述接收单元接收的接入请求消息中移动终端的标识对应的注册状态，所述注册状态用以标识所述移动终端是否已在企业的无线网络中注册；A judging unit, configured to judge a registration status corresponding to the identifier of the mobile terminal in the access request message received by the receiving unit, where the registration status is used to identify whether the mobile terminal has registered in the wireless network of the enterprise;

资源分配请求单元，用于若所述判断单元判断出所述移动终端的标识对应的注册状态为未注册，请求控制所述无线AP的无线访问控制器AC为所述移动终端分配IP地址；A resource allocation request unit, configured to request the wireless access controller AC controlling the wireless AP to assign an IP address to the mobile terminal if the judging unit determines that the registration state corresponding to the identifier of the mobile terminal is unregistered;

策略设置单元，用于将所述IP地址对应的访问控制策略设置为第一权限策略，所述第一权限策略允许所述IP地址访问认证网页；A policy setting unit, configured to set the access control policy corresponding to the IP address as a first authority policy, and the first authority policy allows the IP address to access the authentication webpage;

所述接收单元，还用于接收所述移动终端使用所述IP地址发送的网页访问请求消息；The receiving unit is further configured to receive a web page access request message sent by the mobile terminal using the IP address;

重定向请求单元，用于根据策略设置单元设置的所述第一权限策略，向所述AC发送第一转发请求，用于请求将所述网页访问请求消息重定向到认证网页；以及如果确定所述移动终端通过所述认证网页认证成功，向所述AC发送第二转发请求，用于请求将所述网页访问请求消息重定向到注册网页；A redirection request unit, configured to send a first forwarding request to the AC according to the first authority policy set by the policy setting unit, for requesting that the webpage access request message be redirected to an authentication webpage; and if it is determined that the The mobile terminal successfully authenticates through the authentication webpage, and sends a second forwarding request to the AC, for requesting that the webpage access request message be redirected to the registration webpage;

所述接收单元，还用于接收来自所述无线AC的配置文件和数字证书；The receiving unit is further configured to receive configuration files and digital certificates from the wireless AC;

所述发送单元，还用于向所述移动终端转发所述配置文件和所述数字证书，所述配置文件和所述数字证书用于所述移动终端通过可扩展认证协议EAP-传输层安全TLS认证方式接入所述企业的无线网络。The sending unit is further configured to forward the configuration file and the digital certificate to the mobile terminal, the configuration file and the digital certificate are used for the mobile terminal to pass the Extensible Authentication Protocol EAP-Transport Layer Security TLS The authentication method accesses the wireless network of the enterprise.

在第二方面的第一种可能的实现方式中，所述接收单元，还用于接收来自拨号用户远程认证服务RADIUS服务器的网页认证结果，所述认证网页是所述企业的无线网络中的门户Portal服务器提供的，所述Portal服务器将所述移动终端在所述认证网页中输入的轻型目录访问协议LDAP域账号认证信息发送到所述RADIUS服务器中进行网页认证；In a first possible implementation manner of the second aspect, the receiving unit is further configured to receive a web page authentication result from a dial-up user remote authentication service RADIUS server, where the authentication web page is a portal in the wireless network of the enterprise Provided by the Portal server, the Portal server sends the Lightweight Directory Access Protocol LDAP domain account authentication information input by the mobile terminal in the authentication webpage to the RADIUS server for webpage authentication;

所述策略设置单元，还用于如果所述网页认证结果指示所述移动终端通过网页认证，则将所述IP地址对应的访问控制策略设置为第二权限策略，所述第二权限策略允许所述IP地址访问所述注册网页；The policy setting unit is further configured to set the access control policy corresponding to the IP address as a second authority policy if the webpage authentication result indicates that the mobile terminal has passed the webpage authentication, and the second authority policy allows all access the registration webpage through the above IP address;

所述重定向请求单元，具体用于根据所述IP地址对应的所述第二权限策略，向所述AC发送第一转发请求，用于请求将所述网页访问请求消息重定向到所述注册网页。The redirect request unit is specifically configured to send a first forwarding request to the AC according to the second authority policy corresponding to the IP address, for requesting that the web page access request message be redirected to the registered Web page.

在第二方面、或第二方面的第一种可能的实现方式中，还提供了第二方面的第二种可能的实现方式，所述发送单元，还用于若所述判断单元判断出所述注册状态为已注册，向所述移动终端发送响应消息，所述响应消息中携带的认证算法字段设置为EAP-TLS认证指示符，用以指示所述移动终端按照EAP-TLS认证方式接入所述企业的无线网络；In the second aspect, or the first possible implementation manner of the second aspect, a second possible implementation manner of the second aspect is also provided, the sending unit is further configured to if the judging unit judges that the The registration status is registered, and a response message is sent to the mobile terminal, and the authentication algorithm field carried in the response message is set as an EAP-TLS authentication indicator to indicate that the mobile terminal accesses the mobile terminal according to the EAP-TLS authentication method. the wireless network of the business;

所述无线AP还包括：The wireless AP also includes:

端口开放单元，用于当所述网络接入设备确定所述移动终端与所述RADIUS服务器之间进行的EAP-TLS认证成功时，为所述移动终端开通受控端口，所述受控端口用于传输所述移动终端的业务数据。A port opening unit, configured to open a controlled port for the mobile terminal when the network access device determines that the EAP-TLS authentication between the mobile terminal and the RADIUS server is successful, and the controlled port uses for transmitting service data of the mobile terminal.

在第二方面、或上述第二方面的任意一种可能的实现方式中，所述判断单元包括：In the second aspect, or any possible implementation manner of the above-mentioned second aspect, the judging unit includes:

获取子单元，用于从所述接入请求消息中获取所述移动终端的标识；an acquiring subunit, configured to acquire the identifier of the mobile terminal from the access request message;

查询子单元，用于根据所述获取子单元获取的所述移动终端的标识，向所述企业的无线网络中的管理服务器查询所述移动终端的注册状态；The query subunit is configured to query the registration status of the mobile terminal from a management server in the wireless network of the enterprise according to the identifier of the mobile terminal obtained by the obtaining subunit;

接收子单元，用于接收所述管理服务器返回的所述移动终端在所述网络中的注册状态。The receiving subunit is configured to receive the registration status of the mobile terminal in the network returned by the management server.

第三方面，提供了一种无线访问接入点AP，包括存储器、处理器、接收器和发送器；In a third aspect, a wireless access point AP is provided, including a memory, a processor, a receiver and a transmitter;

所述接收器，用于接收移动终端发送的接入请求消息，所述接入请求消息用于请求接入企业的无线网络，所述接入请求消息携带所述移动终端的标识，所述移动终端的标识用于在所述企业的无线网络的范围内唯一地标识所述移动终端；The receiver is configured to receive an access request message sent by a mobile terminal, the access request message is used to request access to a wireless network of an enterprise, the access request message carries an identifier of the mobile terminal, and the mobile The identifier of the terminal is used to uniquely identify the mobile terminal within the scope of the wireless network of the enterprise;

所述处理器，用于读取所述存储器中存储的程序代码，执行：判断所述移动终端的标识对应的注册状态，所述注册状态用以标识所述移动终端是否已在企业的无线网络中注册；若判断出所述移动终端的标识对应的注册状态为未注册，请求控制所述无线AP的无线访问控制器AC为所述移动终端分配IP地址；将所述IP地址对应的访问控制策略设置为第一权限策略，所述第一权限策略允许所述IP地址访问认证网页；The processor is configured to read the program code stored in the memory, and execute: judge the registration status corresponding to the identification of the mobile terminal, and the registration status is used to identify whether the mobile terminal is already in the wireless network of the enterprise If it is judged that the registration status corresponding to the identification of the mobile terminal is unregistered, the wireless access controller AC that requests to control the wireless AP distributes an IP address for the mobile terminal; the access control corresponding to the IP address The policy is set to a first authority policy, and the first authority policy allows the IP address to access the authentication webpage;

所述接收器，还用于接收所述移动终端使用所述IP地址发送的网页访问请求消息；The receiver is further configured to receive a webpage access request message sent by the mobile terminal using the IP address;

所述发送器，用于根据所述IP地址对应的所述第一权限策略，向所述AC发送第一转发请求，用于请求将所述网页访问请求消息重定向到认证网页；以及如果确定所述移动终端通过所述认证网页认证成功，向所述AC发送第二转发请求，用于请求将所述网页访问请求消息重定向到注册网页；The sender is configured to send a first forwarding request to the AC according to the first authority policy corresponding to the IP address, for requesting that the webpage access request message be redirected to an authentication webpage; and if determined The mobile terminal successfully authenticates through the authentication webpage, and sends a second forwarding request to the AC, for requesting that the webpage access request message be redirected to a registration webpage;

所述接收器，还用于接收来自所述无线AC的配置文件和数字证书；The receiver is further configured to receive configuration files and digital certificates from the wireless AC;

所述发送器，还用于向所述移动终端转发所述配置文件和所述数字证书，所述配置文件和所述数字证书用于所述移动终端通过EAP-TLS认证方式接入所述企业的无线网络。The sender is further configured to forward the configuration file and the digital certificate to the mobile terminal, the configuration file and the digital certificate are used for the mobile terminal to access the enterprise through EAP-TLS authentication wireless network.

在第三方面的第一种可能的实现方式中，所述接收器，还用于接收来自拨号用户远程认证服务RADIUS服务器的网页认证结果，所述认证网页是所述企业的无线网络中的门户Portal服务器提供的，所述Portal服务器将所述移动终端在所述认证网页中输入的轻型目录访问协议LDAP域账号认证信息发送到所述RADIUS服务器中进行网页认证；In a first possible implementation of the third aspect, the receiver is further configured to receive a web page authentication result from a dial-up user remote authentication service RADIUS server, where the authentication web page is a portal in the wireless network of the enterprise Provided by the Portal server, the Portal server sends the Lightweight Directory Access Protocol LDAP domain account authentication information input by the mobile terminal in the authentication webpage to the RADIUS server for webpage authentication;

所述处理器，具体用于如果所述网页认证结果指示所述移动终端通过网页认证，则将所述IP地址对应的访问控制策略设置为第二权限策略，所述第二权限策略允许所述IP地址访问所述注册网页；根据所述IP地址对应的所述第二权限策略，向所述AC发送第一转发请求，用于请求将所述网页访问请求消息重定向到所述注册网页。The processor is specifically configured to set the access control policy corresponding to the IP address as a second authority policy if the webpage authentication result indicates that the mobile terminal has passed the webpage authentication, and the second authority policy allows the The IP address accesses the registration webpage; according to the second authority policy corresponding to the IP address, a first forwarding request is sent to the AC, for requesting that the webpage access request message be redirected to the registration webpage.

在第三方面、或第三方面的第一种可能的实现方式中，还提供了第三方面的第二种可能的实现方式，所述发送器，还用于若所述处理器判断出所述注册状态为已注册，向所述移动终端发送响应消息，所述响应消息中携带的认证算法字段设置为EAP-TLS认证指示符，用以指示所述移动终端按照EAP-TLS认证方式接入所述企业的无线网络；In the third aspect, or the first possible implementation manner of the third aspect, a second possible implementation manner of the third aspect is also provided, the transmitter is further configured to if the processor determines that the The registration status is registered, and a response message is sent to the mobile terminal, and the authentication algorithm field carried in the response message is set as an EAP-TLS authentication indicator to indicate that the mobile terminal accesses the mobile terminal according to the EAP-TLS authentication method. the wireless network of the business;

所述处理器，还用于当所述网络接入设备确定所述移动终端与所述RADIUS服务器之间进行的EAP-TLS认证成功时，为所述移动终端开通受控端口，所述受控端口用于传输所述移动终端的业务数据。The processor is further configured to open a controlled port for the mobile terminal when the network access device determines that the EAP-TLS authentication between the mobile terminal and the RADIUS server is successful, and the controlled The port is used to transmit service data of the mobile terminal.

在第三方面、或上述第三方面的任意一种可能的实现方式中，还提供了第三方面的第三种可能的实现方式，所述处理器，用于从所述接入请求消息中获取所述移动终端的标识；根据所述移动终端的标识向所述企业的无线网络中的管理服务器查询所述移动终端的注册状态；接收所述管理服务器返回的所述移动终端在所述网络中的注册状态。In the third aspect, or any possible implementation manner of the above-mentioned third aspect, a third possible implementation manner of the third aspect is also provided, the processor is configured to obtain the Obtaining the identification of the mobile terminal; querying the registration status of the mobile terminal from the management server in the wireless network of the enterprise according to the identification of the mobile terminal; receiving the information returned by the management server that the mobile terminal is in the network Registration status in .

第四方面，还提供了一种AC，包括：In the fourth aspect, an AC is also provided, including:

接收单元，用于接收移动终端发送的接入请求消息，所述接入请求消息用于请求接入企业的无线网络，所述接入请求消息携带所述移动终端的标识，所述移动终端的标识用于在所述企业的无线网络的范围内唯一地标识所述移动终端；The receiving unit is configured to receive an access request message sent by the mobile terminal, the access request message is used to request access to the wireless network of the enterprise, the access request message carries the identifier of the mobile terminal, and the mobile terminal's an identifier for uniquely identifying the mobile terminal within the range of the wireless network of the enterprise;

判断单元，用于判断接收单元接收的接入请求消息中移动终端的标识对应的注册状态，所述注册状态用以标识所述移动终端是否已在企业的无线网络中注册；A judging unit, configured to judge a registration status corresponding to the identifier of the mobile terminal in the access request message received by the receiving unit, where the registration status is used to identify whether the mobile terminal has registered in the wireless network of the enterprise;

资源分配单元，用于若所述判断单元判断所述移动终端的标识对应的注册状态为未注册，为所述移动终端分配IP地址；A resource allocation unit configured to allocate an IP address to the mobile terminal if the judging unit determines that the registration state corresponding to the identification of the mobile terminal is unregistered;

所述接收单元，还用于接收所述AC控制的无线访问接入点AP发送的第一转发请求；The receiving unit is further configured to receive a first forwarding request sent by the wireless access point AP controlled by the AC;

重定向单元，用于根据所述第一转发请求将所述移动终端使用所述IP地址发送的网页访问请求消息重定向到认证网页；A redirection unit, configured to redirect the webpage access request message sent by the mobile terminal using the IP address to an authentication webpage according to the first forwarding request;

所述接收单元，还用于接收所述AP发送的第二转发请求；The receiving unit is further configured to receive a second forwarding request sent by the AP;

所述重定向单元，还用于根据所述第二转发请求将所述网页访问请求消息重定向到注册网页；The redirection unit is further configured to redirect the webpage access request message to a registration webpage according to the second forwarding request;

所述接收单元，还用于接收所述企业的无线网络中的管理服务器发送的配置文件和数字证书，所述配置文件和所述数字证书用于所述移动终端通过可扩展认证协议EAP-传输层安全TLS认证方式接入所述企业的无线网络；所述管理服务器发送所述配置文件和数字证书之后，所述移动终端在所述管理服务器中的注册状态被更新为已注册；The receiving unit is further configured to receive a configuration file and a digital certificate sent by a management server in the wireless network of the enterprise, and the configuration file and the digital certificate are used for the mobile terminal to transmit via the Extensible Authentication Protocol EAP- Access to the wireless network of the enterprise in a layer-safe TLS authentication mode; after the management server sends the configuration file and the digital certificate, the registration status of the mobile terminal in the management server is updated to be registered;

发送单元，还用于将所述配置文件和所述数字证书发送给所述AP。The sending unit is further configured to send the configuration file and the digital certificate to the AP.

在第四方面的第一种可能的实现方式中，所述判断单元包括：In a first possible implementation manner of the fourth aspect, the judging unit includes:

获取子单元，用于从所述接入请求消息中获取所述移动终端的标识；an acquiring subunit, configured to acquire the identifier of the mobile terminal from the access request message;

查询子单元，用于根据获取子单元获取的移动终端的标识，向所述企业的无线网络中的管理服务器查询所述移动终端的注册状态；The query subunit is configured to query the registration status of the mobile terminal from the management server in the wireless network of the enterprise according to the identifier of the mobile terminal acquired by the acquisition subunit;

接收子单元，用于接收所述管理服务器返回的所述移动终端在所述网络中的注册状态。The receiving subunit is configured to receive the registration status of the mobile terminal in the network returned by the management server.

在第四方面的第二种可能的实现方式中，所述接收单元，还用于接收拨号用户远程认证服务RADIUS服务器发送的动态授权CoA消息，并在接收到所述CoA消息后指示所述移动终端重新发送所述接入请求消息；所述CoA消息是所述移动终端在所述管理服务器中的注册状态被更新为已注册后发送的。In a second possible implementation of the fourth aspect, the receiving unit is further configured to receive a dynamic authorization CoA message sent by a dial-up user remote authentication service RADIUS server, and after receiving the CoA message, instruct the mobile The terminal resends the access request message; the CoA message is sent after the registration status of the mobile terminal in the management server is updated to registered.

在第四方面的第二种可能的实现方式中，还提供了第四方面的第三种可能的实现方式，还包括：资源回收单元，用于在所述接收单元接收到所述CoA消息后，回收所述IP地址。In the second possible implementation manner of the fourth aspect, a third possible implementation manner of the fourth aspect is also provided, further comprising: a resource recovery unit configured to, after the receiving unit receives the CoA message , recycle the IP address.

第五方面，还提供了一种无线AC，AC包括存储器、处理器、接收器和发送器；In the fifth aspect, a wireless AC is also provided, and the AC includes a memory, a processor, a receiver, and a transmitter;

所述接收器，用于接收移动终端发送的接入请求消息，所述接入请求消息用于请求接入企业的无线网络，所述接入请求消息携带所述移动终端的标识，所述移动终端的标识用于在所述企业的无线网络的范围内唯一地标识所述移动终端；The receiver is configured to receive an access request message sent by a mobile terminal, the access request message is used to request access to a wireless network of an enterprise, the access request message carries an identifier of the mobile terminal, and the mobile The identifier of the terminal is used to uniquely identify the mobile terminal within the scope of the wireless network of the enterprise;

所述处理器，用于读取所述存储器中存储的程序代码，执行：The processor is configured to read the program code stored in the memory and execute:

判断接收器接收的接入请求消息中移动终端的标识对应的注册状态，所述注册状态用以标识所述移动终端是否已在企业的无线网络中注册；若所述移动终端的标识对应的注册状态为未注册，为所述移动终端分配IP地址；Judging the registration status corresponding to the identification of the mobile terminal in the access request message received by the receiver, the registration status is used to identify whether the mobile terminal has registered in the wireless network of the enterprise; if the registration status corresponding to the identification of the mobile terminal For unregistered, assign an IP address for the mobile terminal;

所述接收器，还用于接收所述AC控制的AP发送的第一转发请求；The receiver is further configured to receive the first forwarding request sent by the AP controlled by the AC;

所述处理器，还用于根据所述接收器接收的所述第一转发请求将所述移动终端使用所述IP地址发送的网页访问请求消息重定向到认证网页；The processor is further configured to redirect the webpage access request message sent by the mobile terminal using the IP address to an authentication webpage according to the first forwarding request received by the receiver;

所述接收器，还用于接收所述AP发送的第二转发请求；The receiver is further configured to receive a second forwarding request sent by the AP;

所述处理器，还用于根据所述接收器接收的所述第二转发请求将所述网页访问请求消息重定向到注册网页；The processor is further configured to redirect the webpage access request message to a registration webpage according to the second forwarding request received by the receiver;

所述接收器，还用于接收所述企业的无线网络中的管理服务器发送的配置文件和数字证书，所述配置文件和所述数字证书用于所述移动终端通过EAP-TLS认证方式接入所述企业的无线网络；所述管理服务器发送所述配置文件和数字证书之后，所述移动终端在所述管理服务器中的注册状态被更新为已注册；The receiver is further configured to receive a configuration file and a digital certificate sent by a management server in the wireless network of the enterprise, and the configuration file and the digital certificate are used for the mobile terminal to access through EAP-TLS authentication The wireless network of the enterprise; after the management server sends the configuration file and the digital certificate, the registration status of the mobile terminal in the management server is updated to be registered;

发送器，用于将所述配置文件和所述数字证书发送给所述AP。a sender, configured to send the configuration file and the digital certificate to the AP.

在第五方面的第一种可能的实现方式中，所述处理器902判断接收器903接收的接入请求消息中移动终端的标识对应的注册状态时，具体用于：In the first possible implementation manner of the fifth aspect, when the processor 902 judges the registration status corresponding to the identifier of the mobile terminal in the access request message received by the receiver 903, it is specifically used to:

从所述接入请求消息中获取所述移动终端的标识；根据获取的移动终端的标识，向所述企业的无线网络中的管理服务器查询所述移动终端的注册状态；接收所述管理服务器返回的所述移动终端在所述网络中的注册状态。Obtain the identifier of the mobile terminal from the access request message; query the registration status of the mobile terminal from a management server in the wireless network of the enterprise according to the acquired identifier of the mobile terminal; receive a return from the management server The registration status of the mobile terminal in the network.

在第五方面、或第五方面的第一种可能的实现方式中，还提供了第五方面的第二种可能的实现方式，所述接收器还用于接收所述RADIUS服务器发送的动态授权CoA消息，并在接收到所述CoA消息后指示所述移动终端重新发送所述接入请求消息；所述CoA消息是所述移动终端在所述管理服务器中的注册状态被更新为已注册后发送的。In the fifth aspect, or the first possible implementation of the fifth aspect, a second possible implementation of the fifth aspect is also provided, the receiver is further configured to receive the dynamic authorization sent by the RADIUS server CoA message, and instruct the mobile terminal to resend the access request message after receiving the CoA message; the CoA message is after the registration status of the mobile terminal in the management server is updated to registered sent.

在第五方面的第二种可能的实现方式中，还提供了第五方面的第三种可能的实现方式，In the second possible implementation of the fifth aspect, a third possible implementation of the fifth aspect is also provided,

所述处理器还用于在所述接收器接收到所述CoA消息后，回收所述IP地址。The processor is further configured to reclaim the IP address after the receiver receives the CoA message.

本发明实施例网络接入设备通过在移动终端请求接入网络时，判断所述移动终端的标识对应的注册状态，若所述网络接入设备判断所述移动终端的标识对应的注册状态为未注册，所述网络接入设备为所述移动终端分配IP地址后，将所述IP地址对应的访问控制策略设置为第一权限策略；并根据所述IP地址对应的访问控制策略将移动终端通过所述IP地址发送的网页访问请求消息重定向到认证网页，如果所述网络接入设备确定所述移动终端通过所述认证网页认证成功，重定向到注册网页；如果所述网络接入设备确定所述移动终端通过所述注册网页完成在所述企业的无线网络中的注册，所述网络接入设备向所述移动终端发送配置文件和数字证书。无需像现有技术一样在移动终端接入企业无线网络之前，需要人工为每个移动终端分配和分发数字证书，以及进行接入参数配置，降低了接入控制的实现难度。In the embodiment of the present invention, the network access device judges the registration status corresponding to the identifier of the mobile terminal when the mobile terminal requests to access the network, if the network access device judges that the registration status corresponding to the identifier of the mobile terminal is not Register, after the network access device assigns an IP address to the mobile terminal, set the access control policy corresponding to the IP address as the first authority policy; and according to the access control policy corresponding to the IP address, the mobile terminal passes The webpage access request message sent by the IP address is redirected to the authentication webpage, if the network access device determines that the mobile terminal is successfully authenticated by the authentication webpage, it is redirected to the registration webpage; if the network access device determines The mobile terminal completes registration in the wireless network of the enterprise through the registration webpage, and the network access device sends configuration files and digital certificates to the mobile terminal. There is no need to manually assign and distribute digital certificates to each mobile terminal and configure access parameters before the mobile terminal accesses the enterprise wireless network as in the prior art, which reduces the difficulty of implementing access control.

附图说明Description of drawings

为了更清楚地说明本发明实施例或现有技术中的技术方案，下面将对实施例或现有技术描述中所需要使用的附图作一简单地介绍，显而易见地，下面描述中的附图是本发明的一些实施例，对于本领域普通技术人员来讲，在不付出创造性劳动的前提下，还可以根据这些附图获得其他的附图。In order to more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the following will briefly introduce the drawings that need to be used in the description of the embodiments or the prior art. Obviously, the accompanying drawings in the following description These are some embodiments of the present invention. Those skilled in the art can also obtain other drawings based on these drawings without creative work.

图1为本发明实施例提供的移动终端的网络接入控制系统的一种部署场景示意图；FIG. 1 is a schematic diagram of a deployment scenario of a network access control system for a mobile terminal provided by an embodiment of the present invention;

图2为本发明实施例的主要实现原理流程图；Fig. 2 is the flow chart of the main realization principle of the embodiment of the present invention;

图3为本发明实施例提供的移动终端的网络接入控制方法的时序图；FIG. 3 is a sequence diagram of a network access control method for a mobile terminal provided by an embodiment of the present invention;

图4为本发明提供的一种无线AP的结构示意图；Fig. 4 is a schematic structural diagram of a wireless AP provided by the present invention;

图5为本发明提供的一种无线AP中判断单元的结构示意图；FIG. 5 is a schematic structural diagram of a judging unit in a wireless AP provided by the present invention;

图6为本发明提供的另一种无线AP的结构示意图；FIG. 6 is a schematic structural diagram of another wireless AP provided by the present invention;

图7为本发明提供的一种无线AC的结构示意图；FIG. 7 is a schematic structural diagram of a wireless AC provided by the present invention;

图8为本发明提供的一种无线AC中判断单元的结构示意图；FIG. 8 is a schematic structural diagram of a judging unit in a wireless AC provided by the present invention;

图9为本发明提供的另一种无线AC的结构示意图。FIG. 9 is a schematic structural diagram of another wireless AC provided by the present invention.

具体实施方式Detailed ways

本发明实施例提出了一种移动终端的网络接入控制方法，下面将结合多个实施例对该方案进行描述。An embodiment of the present invention proposes a method for controlling network access of a mobile terminal, and the solution will be described below in conjunction with multiple embodiments.

实施例一Embodiment one

附图1是本发明实施例提供的移动终端的网络接入控制系统的一种部署场景示意图。该系统包括移动终端，网络接入设备。本申请中的移动终端是指具备无线网络接口支持无线上网、且具有操作系统的便于携带的设备，包括但不限于笔记本电脑（Laptop）、个人数字助理（Personal Digital Assistant，简称PDA）、移动电话等等。网络接入设备包括无线访问接入点（Access Point，简称AP）和无线接入控制器（Access Controller，简称AC），当然也可以是具备有类似功能的其他设备。进一步地，该系统中还包括门户Portal服务器、拨号用户远程认证服务（Remote Authentication Dial In User Service，简称RADIUS）服务器和管理服务器。无线AP（在本申请中后续简称AP）、无线AC（在本申请中后续简称AC）、Portal服务器、RADIUS服务器和管理服务器之间可以通过交换机连接。可选地，还可以包括用于分配数字证书的证书服务器（图中未示出），证书服务器的功能也可以集成于RADIUS服务器或者管理服务器中。Figure 1 is a schematic diagram of a deployment scenario of a mobile terminal network access control system provided by an embodiment of the present invention. The system includes a mobile terminal and network access equipment. The mobile terminal in this application refers to a portable device with a wireless network interface to support wireless Internet access and an operating system, including but not limited to a notebook computer (Laptop), a personal digital assistant (Personal Digital Assistant, PDA for short), a mobile phone etc. The network access device includes a wireless access point (Access Point, referred to as AP) and a wireless access controller (Access Controller, referred to as AC), of course, it can also be other devices with similar functions. Further, the system also includes a Portal server, a Remote Authentication Dial In User Service (RADIUS for short) server and a management server. Wireless APs (hereinafter referred to as APs in this application), wireless ACs (hereinafter referred to as ACs in this application), Portal servers, RADIUS servers, and management servers can be connected through switches. Optionally, a certificate server (not shown in the figure) for distributing digital certificates may also be included, and the function of the certificate server may also be integrated into the RADIUS server or the management server.

下面结合附图1，对本发明实施例技术方案的主要实现原理、具体实施方式及其对应能够达到的有益效果进行详细的阐述。The main realization principles, specific implementation methods and corresponding beneficial effects of the technical solutions of the embodiments of the present invention will be described in detail below in conjunction with the accompanying drawing 1 .

如图2所示，本发明实施例的主要实现原理流程如下：As shown in Figure 2, the main implementation principle flow of the embodiment of the present invention is as follows:

步骤10，网络接入设备接收移动终端发送的接入请求消息，所述接入请求消息用于请求接入企业的无线网络，所述接入请求消息携带所述移动终端的标识，所述移动终端的标识用于在所述企业的无线网络的范围内唯一地标识所述移动终端。Step 10, the network access device receives the access request message sent by the mobile terminal, the access request message is used to request access to the wireless network of the enterprise, the access request message carries the identifier of the mobile terminal, and the mobile terminal The terminal identifier is used to uniquely identify the mobile terminal within the scope of the wireless network of the enterprise.

其中所述移动终端的标识包括但不限于移动终端的介质访问控制（Medium/Media Access Control，简称MAC）地址。The identifier of the mobile terminal includes, but is not limited to, a Medium/Media Access Control (MAC) address of the mobile terminal.

步骤20，所述网络接入设备判断所述移动终端的标识对应的注册状态，所述注册状态用于标识所述移动终端是否已在企业的无线网络中注册。Step 20, the network access device judges the registration status corresponding to the identification of the mobile terminal, and the registration status is used to identify whether the mobile terminal has registered in the wireless network of the enterprise.

可选地，在附图1中的管理服务器用于管理维护企业的无线网络中各移动终端的注册状态的情况下，网络接入设备判断所述移动终端的标识对应的注册状态具体包括：Optionally, when the management server in FIG. 1 is used to manage and maintain the registration status of each mobile terminal in the wireless network of the enterprise, the network access device judging the registration status corresponding to the identifier of the mobile terminal specifically includes:

所述网络接入设备从所述接入请求消息中获取所述移动终端的标识；The network access device acquires the identifier of the mobile terminal from the access request message;

根据所述移动终端的标识向所述企业的无线网络中的管理服务器查询所述移动终端的注册状态；querying the registration status of the mobile terminal from a management server in the wireless network of the enterprise according to the identification of the mobile terminal;

接收所述管理服务器返回的所述移动终端在所述网络中的注册状态。receiving the registration status of the mobile terminal in the network returned by the management server.

上述步骤20的执行主体可以是AP，也可以是AC，具体可以根据实际情况灵活设置，例如，如果AP所支持的功能和硬件条件有限（瘦无线AP），则可以由AC来执行。The execution subject of the above step 20 may be the AP or the AC, which can be flexibly set according to the actual situation. For example, if the functions and hardware conditions supported by the AP are limited (thin wireless AP), it can be performed by the AC.

如果是瘦无线AP，上述步骤10～20具体为：If it is a thin wireless AP, the above steps 10-20 are as follows:

AP接收移动终端发送的接入请求消息，将所述接入请求消息发送给AC，AC从所述管理服务器中查询所述移动终端的注册状态。The AP receives the access request message sent by the mobile terminal, and sends the access request message to the AC, and the AC queries the registration status of the mobile terminal from the management server.

如果是由AP执行，则上述步骤10～20具体为：If it is performed by the AP, the above steps 10-20 are as follows:

AP接收移动终端发送的接入请求消息，从所述管理服务器中查询所述移动终端的注册状态。The AP receives the access request message sent by the mobile terminal, and queries the registration status of the mobile terminal from the management server.

步骤30，若所述网络接入设备判断所述移动终端的标识对应的注册状态为未注册，所述网络接入设备为所述移动终端分配IP地址后，将所述IP地址对应的访问控制策略设置为第一权限策略。Step 30, if the network access device determines that the registration status corresponding to the identifier of the mobile terminal is unregistered, after the network access device assigns an IP address to the mobile terminal, set the access control corresponding to the IP address to The policy is set to the first permission policy.

可选地，如果是瘦无线AP，则AC从所述管理服务器中查询所述移动终端的注册状态后，确认所述移动终端的标识对应的注册状态为未注册后为所述移动终端分配IP地址；分配IP地址后，瘦无线AP将该IP地址对应的访问控制策略设置为第一权限策略。其中第一权限策略允许所述IP地址访问认证网页，是本申请涉及的三种权限策略中权限最低的权限策略，仅能访问认证网页或者其他很少量的资源，通过这种方式防止未认证的移动终端非法访问受保护的资源，提高了企业的无线网络中数据资源的安全性。Optionally, if it is a thin wireless AP, after the AC inquires the registration status of the mobile terminal from the management server, after confirming that the registration status corresponding to the identifier of the mobile terminal is unregistered, assign an IP to the mobile terminal Address: After assigning an IP address, the thin wireless AP sets the access control policy corresponding to the IP address as the first authority policy. Wherein the first authority policy allows the IP address to access the authentication webpage, which is the authority policy with the lowest authority among the three authority policies involved in this application, and can only access the authentication webpage or other very small amount of resources, in this way to prevent unauthenticated Mobile terminals illegally access protected resources, improving the security of data resources in enterprise wireless networks.

可选地，如果由AP执行查询移动终端的注册状态的步骤，AP从所述管理服务器中查询所述移动终端的注册状态，确认所述移动终端的标识对应的注册状态为未注册后，请求AC为所述移动终端分配IP地址；在AC分配IP地址后，AP将该IP地址对应的访问控制策略设置为第一权限策略。Optionally, if the step of querying the registration status of the mobile terminal is performed by the AP, the AP queries the registration status of the mobile terminal from the management server, and after confirming that the registration status corresponding to the identifier of the mobile terminal is unregistered, request The AC allocates an IP address to the mobile terminal; after the AC allocates the IP address, the AP sets the access control policy corresponding to the IP address as the first authority policy.

步骤40，所述网络接入设备接收所述移动终端使用所述IP地址发送的网页访问请求消息，所述网络接入设备根据所述IP地址对应的第一权限策略将所述网页访问请求消息重定向到认证网页，如果所述网络接入设备确定所述移动终端通过所述认证网页认证成功，则再将所述网页访问请求消息重定向到注册网页。Step 40, the network access device receives the web page access request message sent by the mobile terminal using the IP address, and the network access device sends the web page access request message according to the first authority policy corresponding to the IP address Redirecting to an authentication webpage, if the network access device determines that the mobile terminal is successfully authenticated through the authentication webpage, then redirecting the webpage access request message to a registration webpage.

具体地，移动终端获得AC分配IP地址后，当用户通过该移动终端上的网络浏览器尝试访问任意网页时，该移动终端都会发送网页访问请求消息。AP接收到网页访问请求消息后，会根据该网页访问请求消息的源IP地址查找对应的访问控制策略，并根据查找到的访问控制策略执行对应的处理。如果网页访问请求消息的源IP地址对应的访问控制策略是上述第一权限策略，则向AC发送第一转发请求，用于请求将所述网页访问请求消息重定向到认证网页。Specifically, after the mobile terminal obtains the IP address assigned by the AC, when the user tries to access any webpage through the web browser on the mobile terminal, the mobile terminal will send a webpage access request message. After receiving the web page access request message, the AP will search for the corresponding access control policy according to the source IP address of the web page access request message, and perform corresponding processing according to the found access control policy. If the access control policy corresponding to the source IP address of the webpage access request message is the above-mentioned first authority policy, then send a first forwarding request to the AC, for requesting that the webpage access request message be redirected to the authentication webpage.

可选地，所述认证网页是所述企业的无线网络中的门户Portal服务器提供的，所述Portal服务器将所述移动终端在所述认证网页中输入的轻型目录访问协议LDAP域账号认证信息发送到RADIUS服务器中进行网页认证。网页认证结果通过AC、AP被转发给移动终端。网页认证结果包括网页认证成功和网页认证失败。RADIUS服务器如何通过Portal服务器提供的网页对移动终端进行认证的过程属于现有技术，在这里不再详述。Optionally, the authentication webpage is provided by a Portal server in the wireless network of the enterprise, and the Portal server sends the Lightweight Directory Access Protocol LDAP domain account authentication information input by the mobile terminal in the authentication webpage Go to the RADIUS server for webpage authentication. The web page authentication result is forwarded to the mobile terminal through the AC and the AP. The webpage authentication result includes webpage authentication success and webpage authentication failure. The process of how the RADIUS server authenticates the mobile terminal through the webpage provided by the Portal server belongs to the prior art, and will not be described in detail here.

AP在所述网页认证结果指示所述移动终端网页认证成功的情况下，则将所述IP地址对应的访问控制策略设置为第二权限策略。其中第二权限策略允许所述IP地址访问所述注册网页，在本申请中是高于第一权限策略的权限策略，允许该策略对应的IP不仅能访问认证网页，还能访问注册网页，通过这种方式防止未认证的移动终端访问受保护的资源，提高了企业的无线网络中数据资源的安全性。If the web page authentication result indicates that the mobile terminal web page authentication is successful, the AP sets the access control policy corresponding to the IP address as the second authority policy. Wherein the second authority policy allows the IP address to access the registration webpage, which is a authority policy higher than the first authority policy in this application, allowing the IP corresponding to the policy not only to access the authentication webpage, but also to access the registration webpage, through This way prevents unauthenticated mobile terminals from accessing protected resources, and improves the security of data resources in an enterprise's wireless network.

如果所述网页认证结果指示所述移动终端网页认证失败，则退出接入控制流程。If the webpage authentication result indicates that the webpage authentication of the mobile terminal fails, exit the access control process.

AP在所述移动终端对应的访问控制策略被更新为第二权限策略后，向所述AC发送第二转发请求，用于请求将所述网页访问请求消息再次重定向到注册网页。After the access control policy corresponding to the mobile terminal is updated to the second authority policy, the AP sends a second forwarding request to the AC, for requesting that the webpage access request message be redirected to the registration webpage again.

其中注册网页可以是管理服务器提供的，移动终端的用户可以根据注册网页上的介绍和指引信息，输入个人信息，以及所述移动终端的一些设备参数，个人信息例如域账号、部门、职位等，设备参数例如设备制造商、型号等。Wherein the registration web page may be provided by the management server, and the user of the mobile terminal may input personal information and some device parameters of the mobile terminal according to the introduction and guidance information on the registration web page, personal information such as domain account number, department, position, etc., Device parameters such as device manufacturer, model, etc.

所述管理服务器根据移动终端的用户通过注册网页输入的上述信息，为所述移动终端生成配置文件、以及分配数字证书。配置文件中包括了接入所述企业的无线网络的一些配置参数，例如包括网络标识符的各种网络接入参数等等，所述移动终端接收到该配置文件后，通过替换原有的配置文件，可以方便的完成接入所述企业的无线网络所需的各种配置操作。The management server generates a configuration file and distributes a digital certificate for the mobile terminal according to the above information input by the user of the mobile terminal through the registration webpage. The configuration file includes some configuration parameters for accessing the wireless network of the enterprise, such as various network access parameters including network identifiers, etc. After receiving the configuration file, the mobile terminal replaces the original configuration file, which can conveniently complete various configuration operations required for accessing the wireless network of the enterprise.

上述分配数字证书的功能可以由RADIUS服务器执行，即移动终端的用户通过注册网页输入的上述信息后，管理服务器通知RADIUS服务器为所述移动终端分配数字证书。所述移动终端获得该数字证书后，可以根据该数字证书在RADIUS服务器上完成802.1X认证，如EAP-TLS认证，进而在认证成功之后安全地接入所述企业的无线网络。The above function of allocating digital certificates can be performed by the RADIUS server, that is, after the user of the mobile terminal enters the above information through the registration webpage, the management server notifies the RADIUS server to allocate digital certificates for the mobile terminal. After the mobile terminal obtains the digital certificate, it can complete 802.1X authentication on the RADIUS server according to the digital certificate, such as EAP-TLS authentication, and then securely access the wireless network of the enterprise after successful authentication.

步骤50，如果所述网络接入设备确定所述移动终端通过所述注册网页完成在所述企业的无线网络中的注册，所述网络接入设备向所述移动终端发送配置文件和数字证书，所述配置文件和数字证书用于所述移动终端通过EAP-TLS认证方式接入所述企业的无线网络。Step 50, if the network access device determines that the mobile terminal has completed registration in the wireless network of the enterprise through the registration web page, the network access device sends the configuration file and the digital certificate to the mobile terminal, The configuration file and the digital certificate are used for the mobile terminal to access the wireless network of the enterprise through EAP-TLS authentication.

具体的，所述管理服务器在生成上述配置文件、以及通知RADIUS服务器分配数字证书后，将所述移动终端在所述管理服务器中的注册状态更新为已注册。此后管理服务器将所述配置文件通过所述AP发送给所述移动终端，RADIUS服务器将所述数字证书通过所述AP发送给所述移动终端。Specifically, after the management server generates the configuration file and notifies the RADIUS server to distribute the digital certificate, the registration status of the mobile terminal in the management server is updated to be registered. Thereafter, the management server sends the configuration file to the mobile terminal through the AP, and the RADIUS server sends the digital certificate to the mobile terminal through the AP.

所述AP接收到所述管理服务器发送的配置文件和RADIUS服务器发送的数字证书后，将接收到的配置文件和数字证书发送给所述移动终端。After receiving the configuration file sent by the management server and the digital certificate sent by the RADIUS server, the AP sends the received configuration file and digital certificate to the mobile terminal.

当然，在上述方案中，管理服务器也可以是将所述配置文件通过所述AP发送给所述移动终端之后，再将所述移动终端在所述管理服务器中的注册状态更新为已注册。Of course, in the above solution, the management server may also update the registration status of the mobile terminal in the management server to registered after sending the configuration file to the mobile terminal through the AP.

在步骤50之后，所述移动终端根据所述配置文件和数字证书通过EAP-TLS认证方式接入所述企业的无线网络，本实施例给出的一种触发移动终端以EAP-TLS认证方式接入所述企业的无线网络的机制包括：After step 50, the mobile terminal accesses the wireless network of the enterprise through the EAP-TLS authentication method according to the configuration file and the digital certificate, and a triggering mobile terminal is provided in this embodiment to access the wireless network through the EAP-TLS authentication method. Mechanisms for accessing the wireless network of the enterprise include:

所述RADIUS服务器所述移动终端在所述管理服务器中的注册状态被更新为已注册后，向所述AC发送CoA消息，所述AC将接收到CoA消息转发给所述AP；所述AP接收所述RADIUS服务器发送的动态授权CoA消息，并在接收到所述CoA消息后指示所述移动终端重新发送所述接入请求消息（例如，网络接入设备接收到所述CoA消息后，断开所述AP和所述移动终端已建立的网络连接，使得所述移动终端重新尝试接入网络，继而发送接入请求消息）。具体地，所述RADIUS服务器可以在分配数字证书并向所述移动终端发送该数字证书之后，向所述AC发送所述CoA消息，在这种情况下推荐发送数字证书和CoA消息之间可以间隔预定时间段，例如1秒，以保证AP和所述移动终端断开已建立的网络连接时，所述移动终端已接收到数字证书和配置文件，提高安全接入的成功率；另一种更稳妥的方式是所述管理服务器在将移动终端的注册状态更新为已注册后RADIUS服务器发送一个通知消息，所述RADIUS服务器接收到通知消息后，再所述AC发送所述CoA消息。The RADIUS server sends a CoA message to the AC after the registration status of the mobile terminal in the management server is updated to be registered, and the AC forwards the received CoA message to the AP; the AP receives The dynamic authorization CoA message sent by the RADIUS server, and instructs the mobile terminal to resend the access request message after receiving the CoA message (for example, after receiving the CoA message, the network access device disconnects The established network connection between the AP and the mobile terminal makes the mobile terminal retry to access the network, and then sends an access request message). Specifically, the RADIUS server may send the CoA message to the AC after allocating the digital certificate and sending the digital certificate to the mobile terminal. In this case, it is recommended that an interval between sending the digital certificate and the CoA message be sent A predetermined period of time, such as 1 second, to ensure that when the AP disconnects the established network connection with the mobile terminal, the mobile terminal has received the digital certificate and the configuration file to improve the success rate of secure access; another more A safe way is that the RADIUS server sends a notification message after the management server updates the registration status of the mobile terminal to registered, and the AC sends the CoA message after the RADIUS server receives the notification message.

可选地，为了提高网络地址资源的利用率，所述AC在接收到所述CoA消息后，还包括：回收所述IP地址。Optionally, in order to improve the utilization rate of network address resources, after receiving the CoA message, the AC further includes: reclaiming the IP address.

所述移动终端根据所述配置文件和数字证书通过EAP-TLS认证方式接入所述企业的无线网络时的具体接入方式为现有技术，在这里不再详述。在移动终端在RADIUS服务器上EAP-TLS认证成功时，AC重新为所述移动终端分配IP地址，该IP地址对应的访问控制策略为第三权限策略，AP为所述移动终端开通受控端口，所述受控端口用于传输所述移动终端的业务数据。其中，第三权限策略是较高的权限策略，可以访问企业的无线网络中的受保护资源。The specific access method when the mobile terminal accesses the wireless network of the enterprise through the EAP-TLS authentication method according to the configuration file and the digital certificate is the prior art, and will not be described in detail here. When the mobile terminal succeeds in EAP-TLS authentication on the RADIUS server, the AC redistributes an IP address for the mobile terminal, and the access control policy corresponding to the IP address is the third authority policy, and the AP opens a controlled port for the mobile terminal, The controlled port is used to transmit service data of the mobile terminal. Wherein, the third permission policy is a higher permission policy, which can access protected resources in the wireless network of the enterprise.

本发明实施例提供的移动终端的网络接入控制方法，在移动终端请求接入企业的无线网络时，根据所述移动终端在所述无线网络中的注册状态执行区别的处理，具体地：对于未注册的移动终端，网络接入设备为所述移动终端分配IP地址后，将所述IP地址对应的访问控制策略设置为第一权限策略，所述移动终端在根据该IP地址尝试浏览网页时，被重定位到认证网页进行认证，在认证成功后被再次重定向到注册网页进行注册，从而获得后续以EAP-TLS认证方式接入网络所需的配置文件和数字证书。通过该方法，大大简化了现有接入控制所需的配置和准备程序，提高了处理效率。In the network access control method of the mobile terminal provided by the embodiment of the present invention, when the mobile terminal requests to access the wireless network of the enterprise, different processing is performed according to the registration status of the mobile terminal in the wireless network, specifically: for For an unregistered mobile terminal, after the network access device assigns an IP address to the mobile terminal, the access control policy corresponding to the IP address is set as the first authority policy, and when the mobile terminal tries to browse the webpage according to the IP address , is relocated to the authentication webpage for authentication, and is redirected to the registration webpage for registration after successful authentication, so as to obtain the configuration files and digital certificates required for subsequent access to the network through EAP-TLS authentication. Through this method, the configuration and preparation procedures required by the existing access control are greatly simplified, and the processing efficiency is improved.

此外，上述方案不限定移动终端的操作系统的种类，无论何种操作系统的移动终端，无论是Windows操作系统还是Android操作系统，只要支持EAP-TLS认证方式的，均可以适用，具备良好的通用性。In addition, the above solution does not limit the type of operating system of the mobile terminal. No matter what kind of operating system the mobile terminal is, whether it is Windows operating system or Android operating system, as long as it supports EAP-TLS authentication mode, it can be applied and has good universal sex.

实施例二Embodiment two

本实施例以交互时序图的视角，对实施例一提供的移动终端的网络接入控制方法进行进一步的说明。This embodiment further describes the method for controlling network access of a mobile terminal provided in Embodiment 1 from the perspective of an interaction sequence diagram.

附图3为本发明实施例提供的移动终端的网络接入控制方法的时序图，该方法包括：Accompanying drawing 3 is the sequence diagram of the network access control method of the mobile terminal provided by the embodiment of the present invention, the method includes:

步骤301，移动终端向AP发送接入请求消息，即探测请求Probe request。In step 301, the mobile terminal sends an access request message, that is, a Probe request, to the AP.

步骤302，AP接收到接入请求消息后，从所述管理服务器中查询所述移动终端的注册状态，如果所述移动终端的标识对应的注册状态为未注册，则执行步骤303，如果注册状态为已注册，执行步骤323。Step 302. After receiving the access request message, the AP queries the registration status of the mobile terminal from the management server. If the registration status corresponding to the identification of the mobile terminal is unregistered, then perform step 303. If the registration status is If registered, go to step 323.

具体查询注册状态的过程请参照实施例一中的描述，在这里不再重复。For a specific process of querying the registration status, please refer to the description in Embodiment 1, which will not be repeated here.

步骤303，AP向所述移动终端发送探测响应Probe response，探测响应携带的认证算法字段设置为无认证指示符。Step 303, the AP sends a Probe response to the mobile terminal, and the authentication algorithm field carried in the probe response is set to no authentication indicator.

步骤304，移动终端向AP发送认证请求Authentication request。Step 304, the mobile terminal sends an Authentication request to the AP.

步骤305，AP向移动终端反馈认证响应Authentication response。In step 305, the AP feeds back an Authentication response to the mobile terminal.

步骤306，移动终端向AP发送关联请求Association request。Step 306, the mobile terminal sends an Association request to the AP.

步骤307，AP向移动终端反馈关联响应Association response。In step 307, the AP feeds back an Association response to the mobile terminal.

步骤308，AC通过动态主机配置协议（Dynamic Host Configuration Protocol,简称DHCP）为所述移动终端分配第一IP地址。在此过程中，AP将该第一IP地址对应的访问控制策略设置为第一权限策略。本实施例中第一权限策略、第二权限策略和第三权限策略的定义与实施例一相同，在这里不再重复。In step 308, the AC assigns the first IP address to the mobile terminal through a Dynamic Host Configuration Protocol (DHCP for short). During this process, the AP sets the access control policy corresponding to the first IP address as the first permission policy. The definitions of the first authority policy, the second authority policy and the third authority policy in this embodiment are the same as those in Embodiment 1, and will not be repeated here.

步骤309，移动终端根据步骤308中所述AC分配的第一IP地址，使用web浏览器访问任意网页时，发送网页访问请求消息。Step 309, according to the first IP address assigned by the AC in step 308, the mobile terminal sends a webpage access request message when using a web browser to access any webpage.

步骤310，AP接收到网页访问请求消息后，查询该网页访问请求消息的源IP地址对应的访问控制策略，在本实施例中查询得到的是第一权限策略。In step 310, after receiving the web page access request message, the AP queries the access control policy corresponding to the source IP address of the web page access request message, and in this embodiment, the query obtains the first authority policy.

步骤311，若查询到对应的访问控制策略是第一权限策略，则AP向AC发送第一转发请求，用于请求将所述网页访问请求消息重定向到认证网页。Step 311 , if the corresponding access control policy is found to be the first authority policy, the AP sends a first forwarding request to the AC for requesting that the webpage access request message be redirected to the authentication webpage.

步骤312，AC将所述网页访问请求消息重定向到Portal服务器提供的认证网页，所述Portal服务器将所述移动终端在所述认证网页中输入的LDAP域账号认证信息发送到RADIUS服务器中进行网页认证。Step 312, the AC redirects the webpage access request message to the authentication webpage provided by the Portal server, and the Portal server sends the LDAP domain account authentication information input by the mobile terminal in the authentication webpage to the RADIUS server for webpage authentication. certified.

步骤313，AP在所述网页认证结果指示所述移动终端网页认证成功的情况下，则将所述IP地址对应的访问控制策略设置为第二权限策略。Step 313, when the web page authentication result indicates that the mobile terminal web page authentication is successful, the AP sets the access control policy corresponding to the IP address as the second authority policy.

步骤314，AP在所述移动终端对应的访问控制策略被更新为第二权限策略后，向所述AC发送第二转发请求，用于请求将所述网页访问请求消息再次重定向到注册网页。Step 314: After the access control policy corresponding to the mobile terminal is updated to the second authority policy, the AP sends a second forwarding request to the AC, for requesting to redirect the webpage access request message to the registration webpage again.

步骤315，AC将所述网页访问请求消息再次重定向到注册网页。In step 315, the AC redirects the webpage access request message to the registration webpage again.

步骤316，如果所述移动终端通过所述注册网页完成在所述企业的无线网络中的注册，管理服务器为所述移动终端生成配置文件，并将该配置文件通过AP发送给移动终端。RADIUS服务器为所述移动终端分配数字证书，并将该数字证书通过AP发送给移动终端。Step 316, if the mobile terminal completes the registration in the wireless network of the enterprise through the registration webpage, the management server generates a configuration file for the mobile terminal, and sends the configuration file to the mobile terminal through the AP. The RADIUS server distributes a digital certificate to the mobile terminal, and sends the digital certificate to the mobile terminal through the AP.

步骤317，RADIUS服务器所述移动终端在所述管理服务器中的注册状态被更新为已注册后，向所述AC发送CoA消息。In step 317, the RADIUS server sends a CoA message to the AC after the registration status of the mobile terminal in the management server is updated to registered.

步骤318，AC接收到CoA消息后，指示AP断开和所述移动终端已建立的网络连接，使得所述移动终端重新尝试接入网络。此时，执行步骤320。Step 318, after receiving the CoA message, the AC instructs the AP to disconnect the established network connection with the mobile terminal, so that the mobile terminal re-attempts to access the network. At this time, step 320 is performed.

可选地，AC可以回收上述第一IP地址。Optionally, the AC may reclaim the above-mentioned first IP address.

步骤320，移动终端重新发送探测请求Probe request。Step 320, the mobile terminal resends the Probe request.

步骤321，AP接收到接入请求消息后，从所述管理服务器中查询所述移动终端的注册状态，此时的注册状态为已注册，执行步骤323。In step 321, after receiving the access request message, the AP queries the registration status of the mobile terminal from the management server, and the registration status at this time is registered, and step 323 is executed.

步骤323，AP向所述移动终端发送探测响应Proble response，探测响应携带的认证算法字段设置为安全等级较高的802.1X认证指示符，具体地，可以为EAP-TLS认证指示符。该认证算法字段用以指示所述移动终端按照EAP-TLS认证方式来接入所述企业的无线网络。In step 323, the AP sends a Proble response to the mobile terminal, and the authentication algorithm field carried in the probe response is set to an 802.1X authentication indicator with a higher security level, specifically, an EAP-TLS authentication indicator. The authentication algorithm field is used to instruct the mobile terminal to access the wireless network of the enterprise in an EAP-TLS authentication manner.

步骤324，移动终端向AP发送认证请求Authentication request。Step 324, the mobile terminal sends an Authentication request to the AP.

步骤325，AP向移动终端反馈认证响应Authentication response。In step 325, the AP feeds back an Authentication response to the mobile terminal.

步骤326，移动终端向AP发送关联请求Association request。Step 326, the mobile terminal sends an Association request to the AP.

步骤327，AP向移动终端反馈关联响应Association response。In step 327, the AP feeds back an Association response to the mobile terminal.

步骤328，所述移动终端与RADIUS服务器进行802.1X认证。在认证的过程中使用之前获得的数字证书。Step 328, the mobile terminal performs 802.1X authentication with the RADIUS server. The previously obtained digital certificate is used in the authentication process.

步骤329，如果802.1X认证成功，则所述移动终端根据所述配置文件中的参数接入企业的无线网络。RADIUS服务器在802.1X认证成功后，向AC发送授权报文，AC重新为所述移动终端分配第二IP地址，AP中第二IP地址对应的访问控制策略为第三权限策略。AP为所述移动终端开通受控端口，所述受控端口用于传输所述移动终端的业务数据。Step 329, if the 802.1X authentication is successful, the mobile terminal accesses the wireless network of the enterprise according to the parameters in the configuration file. After the 802.1X authentication succeeds, the RADIUS server sends an authorization message to the AC, and the AC reassigns the second IP address to the mobile terminal, and the access control policy corresponding to the second IP address in the AP is the third authority policy. The AP opens a controlled port for the mobile terminal, and the controlled port is used to transmit service data of the mobile terminal.

本发明实施例提供的移动终端的网络接入控制方法，通过AP、AC、Portal服务器、RADIUS服务器以及管理服务器的配合，在移动终端接入网络时，可以方便、高效地进行接入控制。简化了现有技术中管理员和用户所需执行的繁琐工作。The network access control method of the mobile terminal provided by the embodiment of the present invention can conveniently and efficiently perform access control when the mobile terminal accesses the network through the cooperation of the AP, AC, Portal server, RADIUS server and management server. The cumbersome work required to be performed by administrators and users in the prior art is simplified.

实施例三Embodiment three

本发明实施例提供了一种无线AP，如图4所示，该设备包括接收单元401、判断单元402、资源分配请求单元403、策略设置单元404、重定向请求单元405和发送单元406，具体如下：An embodiment of the present invention provides a wireless AP. As shown in FIG. 4 , the device includes a receiving unit 401, a judging unit 402, a resource allocation requesting unit 403, a policy setting unit 404, a redirection requesting unit 405, and a sending unit 406. as follows:

接收单元401，用于接收移动终端发送的接入请求消息，所述接入请求消息用于请求接入企业的无线网络，所述接入请求消息携带所述移动终端的标识，所述移动终端的标识用于在所述企业的无线网络的范围内唯一地标识所述移动终端；The receiving unit 401 is configured to receive an access request message sent by a mobile terminal, the access request message is used to request access to the wireless network of the enterprise, the access request message carries the identifier of the mobile terminal, and the mobile terminal The identifier of is used to uniquely identify the mobile terminal within the scope of the wireless network of the enterprise;

判断单元402，用于判断接收单元401接收的接入请求消息中所述移动终端的标识对应的注册状态，所述注册状态用以标识所述移动终端是否已在企业的无线网络中注册；The judging unit 402 is configured to judge the registration status corresponding to the identifier of the mobile terminal in the access request message received by the receiving unit 401, and the registration status is used to identify whether the mobile terminal has registered in the wireless network of the enterprise;

资源分配请求单元403，用于若所述判断单元402判断出所述移动终端的标识对应的注册状态为未注册，请求控制所述无线AP的无线访问控制器AC为所述移动终端分配IP地址；A resource allocation request unit 403, configured to request the wireless access controller AC controlling the wireless AP to assign an IP address to the mobile terminal if the judging unit 402 determines that the registration state corresponding to the identifier of the mobile terminal is unregistered ;

策略设置单元404，用于将所述IP地址对应的访问控制策略设置为第一权限策略，所述第一权限策略允许所述IP地址访问认证网页；A policy setting unit 404, configured to set the access control policy corresponding to the IP address as a first authority policy, and the first authority policy allows the IP address to access the authentication webpage;

所述接收单元401，还用于接收所述移动终端使用所述IP地址发送的网页访问请求消息；The receiving unit 401 is further configured to receive a webpage access request message sent by the mobile terminal using the IP address;

重定向请求单元405，用于根据策略设置单元404设置的所述IP地址对应的第一权限策略，向所述AC发送第一转发请求，用于请求将所述网页访问请求消息重定向到认证网页；以及如果确定所述移动终端通过所述认证网页认证成功，向所述AC发送第二转发请求，用于请求将所述网页访问请求消息重定向到注册网页；The redirect request unit 405 is configured to send a first forwarding request to the AC according to the first authority policy corresponding to the IP address set by the policy setting unit 404, for requesting that the web page access request message be redirected to the authentication webpage; and if it is determined that the mobile terminal is successfully authenticated through the authentication webpage, sending a second forwarding request to the AC for requesting that the webpage access request message be redirected to a registration webpage;

所述接收单元401，还用于接收来自所述无线AC的配置文件和数字证书；The receiving unit 401 is further configured to receive configuration files and digital certificates from the wireless AC;

所述发送单元406，还用于向所述移动终端转发所述配置文件和所述数字证书，所述配置文件和所述数字证书用于所述移动终端通过EAP-TLS认证方式接入所述企业的无线网络。The sending unit 406 is further configured to forward the configuration file and the digital certificate to the mobile terminal, the configuration file and the digital certificate are used for the mobile terminal to access the Enterprise wireless network.

可选地，所述接收单元401还用于接收来自RADIUS服务器的网页认证结果，所述认证网页是所述企业的无线网络中的门户Portal服务器提供的，所述Portal服务器将所述移动终端在所述认证网页中输入的LDAP域账号认证信息发送到所述RADIUS服务器中进行网页认证；Optionally, the receiving unit 401 is also configured to receive a webpage authentication result from a RADIUS server, the authentication webpage is provided by a Portal server in the wireless network of the enterprise, and the Portal server sends the mobile terminal to the The LDAP domain account authentication information input in the authentication webpage is sent to the RADIUS server for webpage authentication;

所述策略设置单元404，还用于如果所述网页认证结果指示所述移动终端通过网页认证，则将所述IP地址对应的访问控制策略设置为第二权限策略，所述第二权限策略允许所述IP地址访问所述注册网页；The policy setting unit 404 is further configured to set the access control policy corresponding to the IP address as a second authority policy if the webpage authentication result indicates that the mobile terminal has passed the webpage authentication, and the second authority policy allows The IP address accesses the registration webpage;

所述重定向请求单元405，具体用于根据所述IP地址对应的第二权限策略，向所述AC发送第一转发请求，用于请求将所述网页访问请求消息重定向到所述注册网页。The redirection request unit 405 is specifically configured to send a first forwarding request to the AC according to the second authority policy corresponding to the IP address, for requesting that the webpage access request message be redirected to the registration webpage .

为了使所述移动终端的用户能够获知网页认证结果，所述发送单元406还用于将所述网页认证结果转发给所述移动终端。In order to enable the user of the mobile terminal to know the webpage authentication result, the sending unit 406 is further configured to forward the webpage authentication result to the mobile terminal.

可选地，所述发送单元406还用于若所述判断单元402判断出所述注册状态为已注册，向所述移动终端发送响应消息，所述响应消息中携带的认证算法字段设置为EAP-TLS认证指示符，用以指示所述移动终端按照EAP-TLS认证方式接入所述企业的无线网络；Optionally, the sending unit 406 is further configured to send a response message to the mobile terminal if the judging unit 402 judges that the registration status is registered, and the authentication algorithm field carried in the response message is set to EAP -TLS authentication indicator, used to instruct the mobile terminal to access the wireless network of the enterprise according to the EAP-TLS authentication mode;

这种情况下，附图4所示的装置还包括：端口开放单元407，用于当所述网络接入设备确定所述移动终端与所述RADIUS服务器之间进行的EAP-TLS认证成功时，为所述移动终端开通受控端口，所述受控端口用于传输所述移动终端的业务数据。In this case, the apparatus shown in FIG. 4 further includes: a port opening unit 407, configured to, when the network access device determines that the EAP-TLS authentication between the mobile terminal and the RADIUS server is successful, Opening a controlled port for the mobile terminal, where the controlled port is used to transmit service data of the mobile terminal.

可选地，请参照附图5，附图4所示的装置中判断单元402具体包括：Optionally, please refer to accompanying drawing 5, the judging unit 402 in the apparatus shown in accompanying drawing 4 specifically includes:

获取子单元501，用于从接收单元401接收的所述接入请求消息中获取所述移动终端的标识；The acquiring subunit 501 is configured to acquire the identifier of the mobile terminal from the access request message received by the receiving unit 401;

查询子单元502，用于根据获取子单元501获取的所述移动终端的标识，向所述企业的无线网络中的管理服务器查询所述移动终端的注册状态；The query subunit 502 is configured to query the registration status of the mobile terminal from the management server in the wireless network of the enterprise according to the identifier of the mobile terminal acquired by the acquisition subunit 501;

接收子单元503，用于接收所述管理服务器为响应查询子单元502返回的所述移动终端在所述网络中的注册状态。The receiving subunit 503 is configured to receive the registration status of the mobile terminal in the network returned by the management server in response to the query subunit 502 .

附图5所示的无线AP中各单元的工作流程，以及所述无线AP与附图1所示的系统中其他网络设备的交互过程请参照前面方法实施例中的描述，在这里不再一一详述。For the working process of each unit in the wireless AP shown in Figure 5, and the interaction process between the wireless AP and other network devices in the system shown in Figure 1, please refer to the description in the previous method embodiment, and will not repeat it here a detailed description.

附图6是本发明实施例提供的无线AP的结构示意图，所述AP包括存储器601、处理器602、接收器603和发送器604；所述接收器603和发送器604可以基于同一个通信芯片来实现。上述存储器601、处理器602、接收器603和发送器604可以通过总线相互连接。Accompanying drawing 6 is a schematic structural diagram of a wireless AP provided by an embodiment of the present invention, the AP includes a memory 601, a processor 602, a receiver 603 and a transmitter 604; the receiver 603 and the transmitter 604 may be based on the same communication chip to fulfill. The memory 601, processor 602, receiver 603, and transmitter 604 mentioned above may be connected to each other through a bus.

所述接收器603，用于接收移动终端发送的接入请求消息，所述接入请求消息用于请求接入企业的无线网络，所述接入请求消息携带所述移动终端的标识，所述移动终端的标识用于在所述企业的无线网络的范围内唯一地标识所述移动终端；The receiver 603 is configured to receive an access request message sent by a mobile terminal, the access request message is used to request access to the wireless network of the enterprise, the access request message carries the identifier of the mobile terminal, the The identifier of the mobile terminal is used to uniquely identify the mobile terminal within the range of the wireless network of the enterprise;

所述处理器602，用于读取所述存储器601中存储的程序代码，执行：判断所述移动终端的标识对应的注册状态，所述注册状态用以标识所述移动终端是否已在企业的无线网络中注册；若判断出所述移动终端的标识对应的注册状态为未注册，请求控制所述无线AP的无线访问控制器AC为所述移动终端分配IP地址；将所述IP地址对应的访问控制策略设置为第一权限策略，所述第一权限策略允许所述IP地址访问认证网页；The processor 602 is configured to read the program code stored in the memory 601, and execute: judge the registration status corresponding to the identification of the mobile terminal, and the registration status is used to identify whether the mobile terminal has registered in the enterprise Register in the wireless network; If it is judged that the registration status corresponding to the identification of the mobile terminal is unregistered, request the wireless access controller AC controlling the wireless AP to distribute an IP address for the mobile terminal; The access control policy is set to a first authority policy, and the first authority policy allows the IP address to access the authentication webpage;

所述接收器603，还用于接收所述移动终端使用所述IP地址发送的网页访问请求消息；The receiver 603 is further configured to receive a web page access request message sent by the mobile terminal using the IP address;

所述发送器604，用于根据所述IP地址对应的所述第一权限策略，向所述AC发送第一转发请求，用于请求将所述网页访问请求消息重定向到认证网页；以及如果确定所述移动终端通过所述认证网页认证成功，向所述AC发送第二转发请求，用于请求将所述网页访问请求消息重定向到注册网页；The sender 604 is configured to send a first forwarding request to the AC according to the first authority policy corresponding to the IP address, for requesting that the webpage access request message be redirected to an authentication webpage; and if Determine that the mobile terminal is successfully authenticated through the authentication webpage, and send a second forwarding request to the AC, for requesting that the webpage access request message be redirected to a registration webpage;

所述接收器603，还用于接收来自所述无线AC的配置文件和数字证书；The receiver 603 is further configured to receive configuration files and digital certificates from the wireless AC;

所述发送器604，还用于向所述移动终端转发所述配置文件和所述数字证书，所述配置文件和所述数字证书用于所述移动终端通过EAP-TLS认证方式接入所述企业的无线网络。The sender 604 is further configured to forward the configuration file and the digital certificate to the mobile terminal, the configuration file and the digital certificate are used for the mobile terminal to access the Enterprise wireless network.

可选地，所述接收器603，还用于接收来自拨号用户远程认证服务RADIUS服务器的网页认证结果，所述认证网页是所述企业的无线网络中的门户Portal服务器提供的，所述Portal服务器将所述移动终端在所述认证网页中输入的轻型目录访问协议LDAP域账号认证信息发送到所述RADIUS服务器中进行网页认证；Optionally, the receiver 603 is also configured to receive a webpage authentication result from a dial-up user remote authentication service RADIUS server, the authentication webpage is provided by a Portal server in the wireless network of the enterprise, and the Portal server Send the Lightweight Directory Access Protocol LDAP domain account authentication information input by the mobile terminal in the authentication webpage to the RADIUS server for webpage authentication;

所述处理器602，具体用于如果所述接收器603接收到的所述网页认证结果指示所述移动终端通过网页认证，则将所述IP地址对应的访问控制策略设置为第二权限策略，所述第二权限策略允许所述IP地址访问所述注册网页；根据所述IP地址对应的所述第二权限策略，向所述AC发送第一转发请求，用于请求将所述网页访问请求消息重定向到所述注册网页。The processor 602 is specifically configured to set the access control policy corresponding to the IP address as the second authority policy if the webpage authentication result received by the receiver 603 indicates that the mobile terminal has passed the webpage authentication, The second authority policy allows the IP address to access the registered webpage; according to the second authority policy corresponding to the IP address, a first forwarding request is sent to the AC, for requesting that the webpage access request The message redirects to the registration web page.

可选地，所述发送器604，还用于若所述处理器602判断出所述注册状态为已注册，向所述移动终端发送响应消息，所述响应消息中携带的认证算法字段设置为EAP-TLS认证指示符，用以指示所述移动终端的按照EAP-TLS认证方式接入所述企业的无线网络；Optionally, the transmitter 604 is further configured to send a response message to the mobile terminal if the processor 602 determines that the registration status is registered, and the authentication algorithm field carried in the response message is set to The EAP-TLS authentication indicator is used to indicate that the mobile terminal accesses the wireless network of the enterprise according to the EAP-TLS authentication method;

所述处理器602，还用于当所述网络接入设备确定所述移动终端与所述RADIUS服务器之间进行的EAP-TLS认证成功时，为所述移动终端开通受控端口，所述受控端口用于传输所述移动终端的业务数据。The processor 602 is further configured to open a controlled port for the mobile terminal when the network access device determines that the EAP-TLS authentication between the mobile terminal and the RADIUS server is successful, and the controlled port is The control port is used to transmit service data of the mobile terminal.

可选地，所述处理器602判断所述移动终端的标识对应的注册状态，具体包括：所述处理器602从所述接入请求消息中获取所述移动终端的标识；根据所述移动终端的标识向所述企业的无线网络中的管理服务器查询所述移动终端的注册状态；接收所述管理服务器返回的所述移动终端在所述网络中的注册状态。Optionally, the processor 602 judging the registration state corresponding to the identifier of the mobile terminal specifically includes: the processor 602 acquiring the identifier of the mobile terminal from the access request message; query the registration status of the mobile terminal from the management server in the wireless network of the enterprise; and receive the registration status of the mobile terminal in the network returned by the management server.

附图6所示的无线AP中器件的工作流程，以及所述无线AP与附图1所示的系统中其他网络设备的交互过程请参照前面方法实施例中的描述，在这里不再一一详述。For the working process of the devices in the wireless AP shown in FIG. 6, and the interaction process between the wireless AP and other network devices in the system shown in FIG. detail.

本发明实施例提供了一种无线AP，该无线AP接收移动终端发送的接入请求消息，判断该接入请求消息中移动终端的标识对应的注册状态，若所述移动终端的标识对应的注册状态为未注册，请求控制所述无线AP的无线AC为所述移动终端分配IP地址；将所述IP地址对应的访问控制策略设置为第一权限策略；接收所述移动终端通过所述IP地址发送的网页访问请求消息；根据设置的所述IP地址对应的访问控制策略，向所述AC发送第一转发请求，用于请求将所述网页访问请求消息重定向到认证网页；以及如果确定所述移动终端通过所述认证网页认证成功，向所述AC发送第二转发请求，用于请求将所述网页访问请求消息重定向到注册网页；接收来自管理服务器和证书服务器的配置文件和数字证书；向所述移动终端转发所述配置文件和数字证书，所述配置文件和数字证书用于所述移动终端通过可扩展认证协议EAP-传输层安全TLS认证方式接入所述企业的无线网络。该无线AP与其他网络设备相互配合，在移动终端接入网络时，可以方便、高效地进行接入控制。简化了现有技术中管理员和用户所需执行的繁琐工作。An embodiment of the present invention provides a wireless AP. The wireless AP receives an access request message sent by a mobile terminal, and judges the registration status corresponding to the identification of the mobile terminal in the access request message. If the registration status corresponding to the identification of the mobile terminal is For unregistered, request the wireless AC controlling the wireless AP to assign an IP address to the mobile terminal; set the access control policy corresponding to the IP address as the first authority policy; receive the mobile terminal from sending through the IP address A webpage access request message; according to the set access control policy corresponding to the IP address, send a first forwarding request to the AC for requesting that the webpage access request message be redirected to an authentication webpage; and if it is determined that the The mobile terminal successfully authenticates through the authentication webpage, and sends a second forwarding request to the AC, for requesting that the webpage access request message be redirected to the registration webpage; receive configuration files and digital certificates from the management server and the certificate server; Forwarding the configuration file and the digital certificate to the mobile terminal, the configuration file and the digital certificate are used for the mobile terminal to access the wireless network of the enterprise through the Extensible Authentication Protocol EAP-Transport Layer Security TLS authentication mode. The wireless AP cooperates with other network devices, and when the mobile terminal accesses the network, access control can be performed conveniently and efficiently. The cumbersome work required to be performed by administrators and users in the prior art is simplified.

实施例四Embodiment four

本实施例提供了一种无线AC，如图7所示，包括接收单元701、判断单元702、资源分配单元703、重定向单元704和发送单元705，其中：This embodiment provides a wireless AC, as shown in FIG. 7 , including a receiving unit 701, a judging unit 702, a resource allocation unit 703, a redirection unit 704, and a sending unit 705, wherein:

接收单元701，用于接收移动终端发送的接入请求消息，所述接入请求消息用于请求接入企业的无线网络，所述接入请求消息携带所述移动终端的标识，所述移动终端的标识用于在所述企业的无线网络的范围内唯一地标识所述移动终端；The receiving unit 701 is configured to receive an access request message sent by a mobile terminal, the access request message is used to request access to the wireless network of the enterprise, the access request message carries the identifier of the mobile terminal, and the mobile terminal The identifier of is used to uniquely identify the mobile terminal within the scope of the wireless network of the enterprise;

判断单元702，用于判断接收单元701接收的接入请求消息中移动终端的标识对应的注册状态，所述注册状态用以标识所述移动终端是否已在企业的无线网络中注册；The judging unit 702 is configured to judge the registration status corresponding to the identification of the mobile terminal in the access request message received by the receiving unit 701, and the registration status is used to identify whether the mobile terminal has registered in the wireless network of the enterprise;

资源分配单元703，用于若所述判断单元702判断所述移动终端的标识对应的注册状态为未注册，为所述移动终端分配IP地址；A resource allocation unit 703, configured to allocate an IP address to the mobile terminal if the determination unit 702 determines that the registration state corresponding to the identification of the mobile terminal is unregistered;

所述接收单元701，还用于接收所述AC控制的AP发送的第一转发请求；The receiving unit 701 is further configured to receive a first forwarding request sent by the AP controlled by the AC;

重定向单元704，用于根据所述第一转发请求将所述移动终端使用所述IP地址发送的网页访问请求消息重定向到认证网页；A redirection unit 704, configured to redirect the webpage access request message sent by the mobile terminal using the IP address to an authentication webpage according to the first forwarding request;

所述接收单元701，还用于接收所述AP发送的第二转发请求；The receiving unit 701 is further configured to receive a second forwarding request sent by the AP;

所述重定向单元704，还用于根据所述第二转发请求将所述网页访问请求消息重定向到注册网页；The redirection unit 704 is further configured to redirect the webpage access request message to a registration webpage according to the second forwarding request;

所述接收单元701，还用于接收所述企业的无线网络中的管理服务器发送的配置文件和数字证书，所述配置文件和所述数字证书用于所述移动终端通过EAP-TLS认证方式接入所述企业的无线网络；所述管理服务器发送所述配置文件和数字证书之后，所述移动终端在所述管理服务器中的注册状态被更新为已注册；The receiving unit 701 is also configured to receive a configuration file and a digital certificate sent by a management server in the wireless network of the enterprise, and the configuration file and the digital certificate are used for the mobile terminal to access through EAP-TLS authentication. Enter the wireless network of the enterprise; after the management server sends the configuration file and the digital certificate, the registration status of the mobile terminal in the management server is updated to be registered;

发送单元705，还用于将所述配置文件和所述数字证书发送给所述AP。The sending unit 705 is further configured to send the configuration file and the digital certificate to the AP.

可选地，请参照附图8，上述判断单元702具体包括：Optionally, please refer to accompanying drawing 8, the above-mentioned judging unit 702 specifically includes:

获取子单元801，用于从所述接入请求消息中获取所述移动终端的标识；An acquiring subunit 801, configured to acquire the identifier of the mobile terminal from the access request message;

查询子单元802，用于根据获取子单元801获取的移动终端的标识，向所述企业的无线网络中的管理服务器查询所述移动终端的注册状态；The query subunit 802 is configured to query the registration status of the mobile terminal from the management server in the wireless network of the enterprise according to the identifier of the mobile terminal acquired by the acquisition subunit 801;

接收子单元803，用于接收所述管理服务器响应所述查询子单元802返回的所述移动终端在所述网络中的注册状态。The receiving subunit 803 is configured to receive the registration status of the mobile terminal in the network returned by the management server in response to the query subunit 802 .

可选地，附图7中的接收单元701，还用于接收所述RADIUS服务器发送的动态授权CoA消息，并在接收到所述CoA消息后指示所述移动终端重新发送所述接入请求消息；所述CoA消息是所述移动终端在所述管理服务器中的注册状态被更新为已注册后发送的。Optionally, the receiving unit 701 in FIG. 7 is also configured to receive the dynamic authorization CoA message sent by the RADIUS server, and instruct the mobile terminal to resend the access request message after receiving the CoA message ; The CoA message is sent after the registration status of the mobile terminal in the management server is updated to registered.

在这种情况下，附图7中的装置还包括资源回收单元706，用于在所述接收单元701接收到所述CoA消息后，回收所述IP地址。In this case, the device in FIG. 7 further includes a resource reclamation unit 706, configured to reclaim the IP address after the receiving unit 701 receives the CoA message.

附图7所示的无线AC中各单元的工作流程，以及所述无线AC与附图1所示的系统中其他网络设备的交互过程请参照前面方法实施例中的描述，在这里不再一一详述。For the working process of each unit in the wireless AC shown in Figure 7, and the interaction process between the wireless AC and other network devices in the system shown in Figure 1, please refer to the descriptions in the previous method embodiments, which will not be repeated here a detailed description.

附图9是本发明实施例提供的无线AC的结构示意图，该AC包括存储器901、处理器902、接收器903和发送器904；所述接收器903和发送器904可以基于同一个通信芯片来实现。上述存储器901、处理器902、接收器903和发送器904可以通过总线相互连接。Figure 9 is a schematic structural diagram of a wireless AC provided by an embodiment of the present invention, the AC includes a memory 901, a processor 902, a receiver 903, and a transmitter 904; the receiver 903 and the transmitter 904 can be based on the same communication chip accomplish. The above memory 901, processor 902, receiver 903 and transmitter 904 may be connected to each other through a bus.

所述接收器903，用于接收移动终端发送的接入请求消息，所述接入请求消息用于请求接入企业的无线网络，所述接入请求消息携带所述移动终端的标识，所述移动终端的标识用于在所述企业的无线网络的范围内唯一地标识所述移动终端；The receiver 903 is configured to receive an access request message sent by a mobile terminal, the access request message is used to request access to the wireless network of the enterprise, the access request message carries the identifier of the mobile terminal, the The identifier of the mobile terminal is used to uniquely identify the mobile terminal within the range of the wireless network of the enterprise;

所述处理器902，用于读取所述存储器901中存储的程序代码，执行：The processor 902 is configured to read the program code stored in the memory 901, and execute:

判断接收器903接收的接入请求消息中移动终端的标识对应的注册状态，所述注册状态用以标识所述移动终端是否已在企业的无线网络中注册；若所述移动终端的标识对应的注册状态为未注册，为所述移动终端分配IP地址；Judging the registration status corresponding to the identifier of the mobile terminal in the access request message received by the receiver 903, the registration status is used to identify whether the mobile terminal has registered in the wireless network of the enterprise; if the registration status corresponding to the identifier of the mobile terminal The status is unregistered, and an IP address is assigned to the mobile terminal;

所述接收器903，还用于接收所述AC控制的AP发送的第一转发请求；The receiver 903 is further configured to receive the first forwarding request sent by the AP controlled by the AC;

所述处理器902，还用于根据所述接收器903接收的所述第一转发请求将所述移动终端使用所述IP地址发送的网页访问请求消息重定向到认证网页；The processor 902 is further configured to redirect the webpage access request message sent by the mobile terminal using the IP address to an authentication webpage according to the first forwarding request received by the receiver 903;

所述接收器903，还用于接收所述AP发送的第二转发请求；The receiver 903 is further configured to receive the second forwarding request sent by the AP;

所述处理器902，还用于根据所述接收器903接收的所述第二转发请求将所述网页访问请求消息重定向到注册网页；The processor 902 is further configured to redirect the webpage access request message to a registration webpage according to the second forwarding request received by the receiver 903;

所述接收器903，还用于接收所述企业的无线网络中的管理服务器发送的配置文件和数字证书，所述配置文件和所述数字证书用于所述移动终端通过EAP-TLS认证方式接入所述企业的无线网络；所述管理服务器发送所述配置文件和数字证书之后，所述移动终端在所述管理服务器中的注册状态被更新为已注册；The receiver 903 is further configured to receive a configuration file and a digital certificate sent by a management server in the wireless network of the enterprise, and the configuration file and the digital certificate are used for the mobile terminal to access through EAP-TLS authentication. Enter the wireless network of the enterprise; after the management server sends the configuration file and the digital certificate, the registration status of the mobile terminal in the management server is updated to be registered;

发送器904，用于将所述配置文件和所述数字证书发送给所述AP。The sender 904 is configured to send the configuration file and the digital certificate to the AP.

可选地，所述处理器902判断接收器903接收的接入请求消息中移动终端的标识对应的注册状态时，具体用于：Optionally, when the processor 902 judges the registration status corresponding to the identifier of the mobile terminal in the access request message received by the receiver 903, it is specifically used for:

从所述接入请求消息中获取所述移动终端的标识；根据获取的移动终端的标识，向所述企业的无线网络中的管理服务器查询所述移动终端的注册状态；接收所述管理服务器返回的所述移动终端在所述网络中的注册状态。Obtain the identifier of the mobile terminal from the access request message; query the registration status of the mobile terminal from a management server in the wireless network of the enterprise according to the acquired identifier of the mobile terminal; receive a return from the management server The registration status of the mobile terminal in the network.

可选地，所述接收器903还用于接收所述RADIUS服务器发送的动态授权CoA消息，并在接收到所述CoA消息后指示所述移动终端重新发送所述接入请求消息；所述CoA消息是所述移动终端在所述管理服务器中的注册状态被更新为已注册后发送的。Optionally, the receiver 903 is further configured to receive a dynamic authorization CoA message sent by the RADIUS server, and instruct the mobile terminal to resend the access request message after receiving the CoA message; the CoA The message is sent after the registration status of the mobile terminal in the management server is updated to registered.

所述处理器902还用于在所述接收器903接收到所述CoA消息后，回收所述IP地址。The processor 902 is further configured to reclaim the IP address after the receiver 903 receives the CoA message.

附图9所示的无线AC中器件的工作流程，以及所述无线AC与附图1所示的系统中其他网络设备的交互过程请参照前面方法实施例中的描述，在这里不再一一详述。For the working process of the devices in the wireless AC shown in FIG. 9, and the interaction process between the wireless AC and other network devices in the system shown in FIG. detail.

本发明实施例提供了一种无线AC，该无线AC接收移动终端发送的接入请求消息，判断所述接入请求消息中移动终端的标识对应的注册状态；若判断所述移动终端的标识对应的注册状态为未注册，为所述移动终端分配IP地址；接收所述AC控制的AP发送的第一转发请求；根据所述第一转发请求将所述移动终端通过所述IP地址发送的网页访问请求消息重定向到认证网页；接收所述AP发送的第二转发请求；根据所述第二转发请求将所述网页访问请求消息重定向到注册网页；接收所述企业的无线网络中的管理服务器发送的配置文件和数字证书，将所述配置文件和数字证书发送给所述AP。该无线AC与其他网络设备相互配合，在移动终端接入网络时，可以方便、高效地进行接入控制。简化了现有技术中管理员和用户所需执行的繁琐工作。An embodiment of the present invention provides a wireless AC. The wireless AC receives an access request message sent by a mobile terminal, and judges the registration status corresponding to the identifier of the mobile terminal in the access request message; The registration status is unregistered, assigning an IP address to the mobile terminal; receiving the first forwarding request sent by the AP controlled by the AC; accessing the webpage sent by the mobile terminal through the IP address according to the first forwarding request The request message is redirected to the authentication webpage; the second forwarding request sent by the AP is received; the webpage access request message is redirected to the registration webpage according to the second forwarding request; the management server in the wireless network of the enterprise is received The configuration file and the digital certificate are sent, and the configuration file and the digital certificate are sent to the AP. The wireless AC cooperates with other network devices, and when the mobile terminal accesses the network, access control can be performed conveniently and efficiently. The cumbersome work required to be performed by administrators and users in the prior art is simplified.

本申请中涉及到单数和/或复数术语的使用时，本领域的技术人员能够将复数转换为单数和/或将单数转换为复数，只要根据上下文和/或实际应用是合理的即可。为了清楚起见，本申请中没有逐一描述各种单数和/或复数的排列组合的情况。When the application involves the use of singular and/or plural terms, those skilled in the art can convert the plural to the singular and/or convert the singular to the plural, as long as it is reasonable according to the context and/or practical application. For the sake of clarity, various permutations and combinations of singular numbers and/or plural numbers are not described one by one in this application.

本领域普通技术人员将会理解，本发明的各个方面、或各个方面的可能实现方式可以被具体实施为系统、方法或者计算机程序产品。因此，本发明的各方面、或各个方面的可能实现方式可以采用完全硬件实施例、完全软件实施例(包括固件、驻留软件等等)，或者组合软件和硬件方面的实施例的形式，在这里都统称为“电路”、“模块”或者“系统”。此外，本发明的各方面、或各个方面的可能实现方式可以采用计算机程序产品的形式，计算机程序产品是指存储在计算机可读介质中的计算机可读程序代码。Those of ordinary skill in the art will understand that various aspects of the present invention, or possible implementations of various aspects, may be embodied as systems, methods or computer program products. Accordingly, aspects of the present invention, or possible implementations of various aspects, may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, etc.), or an embodiment combining software and hardware aspects, described in These are collectively referred to herein as "circuits," "modules," or "systems." In addition, aspects of the present invention, or possible implementations of various aspects, may take the form of computer program products, and computer program products refer to computer-readable program codes stored in computer-readable media.

计算机可读介质可以是计算机可读信号介质或者计算机可读存储介质。计算机可读存储介质包含但不限于电子、磁性、光学、电磁、红外或半导体系统、设备或者装置，或者前述的任意适当组合，如随机存取存储器(RAM)、只读存储器(ROM)、可擦除可编程只读存储器(EPROM或者快闪存储器)、光纤、便携式只读存储器(CD-ROM)。The computer readable medium may be a computer readable signal medium or a computer readable storage medium. Computer-readable storage media include, but are not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, devices, or devices, or any suitable combination of the foregoing, such as random access memory (RAM), read-only memory (ROM), Erase Programmable Read-Only Memory (EPROM or Flash), Fiber Optic, Portable Read-Only Memory (CD-ROM).

计算机中的处理器读取存储在计算机可读介质中的计算机可读程序代码，使得处理器能够执行在流程图中每个步骤、或各步骤的组合中规定的功能动作；生成实施在框图的每一块、或各块的组合中规定的功能动作的装置。The processor in the computer reads the computer-readable program code stored in the computer-readable medium, so that the processor can execute the functional actions specified in each step in the flow chart, or a combination of steps; A device that performs functional actions specified in each block or a combination of blocks.

计算机可读程序代码可以完全在用户的本地计算机上执行、部分在用户的本地计算机上执行、作为单独的软件包、部分在用户的本地计算机上并且部分在远程计算机上，或者完全在远程计算机或者服务器上执行。也应该注意，在某些替代实施方案中，在流程图中各步骤、或框图中各块所注明的功能可能不按图中注明的顺序发生。例如，依赖于所涉及的功能，接连示出的两个步骤、或两个块实际上可能被大致同时执行，或者这些块有时候可能被以相反顺序执行。The computer readable program code may execute entirely on the user's local computer, partly on the user's local computer, as a separate software package, partly on the user's local computer and partly on a remote computer, or entirely on the remote computer or Execute on the server. It should also be noted that, in some alternative implementations, the functions noted at the steps in the flowcharts or blocks in the block diagrams may occur out of the order noted in the figures. For example, two steps, or two blocks shown in succession, may in fact be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.

显然，本领域的技术人员可以对本发明进行各种改动和变型而不脱离本发明的精神和范围。这样，倘若本发明的这些修改和变型属于本发明权利要求及其等同技术的范围之内，则本发明也意图包含这些改动和变型在内。Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention also intends to include these modifications and variations.

Claims (15)

1. an access control method, is characterized in that, comprising:

The access request message that network access equipment mobile terminal receive sends, described access request message is for asking the wireless network accessing enterprise, described access request message carries the mark of described mobile terminal, and the mark of described mobile terminal is used for identifying described mobile terminal uniquely in the scope of the wireless network of described enterprise;

Described network access equipment judges the login state of the mark correspondence of described mobile terminal, and whether described login state is registered for identifying described mobile terminal in the wireless network of enterprise;

If described network access equipment judges that the login state of the mark correspondence of described mobile terminal is unregistered, described network access equipment is behind described mobile terminal distributing IP address, access control policy corresponding for described IP address is set to the first authorization policy, and described first authorization policy allows described IP address access registrar webpage;

Described network access equipment receives the web access requests message that described mobile terminal uses described IP address to send, described web access requests message is redirected to described certification webpage by described first authorization policy that described network access equipment is corresponding according to described IP address, if described network access equipment determines that described mobile terminal is by described certification webpage authentication success, is redirected to registration web page;

If described network access equipment determines the registration that described mobile terminal is completed in the wireless network of described enterprise by described registration web page, described network access equipment sends configuration file and digital certificate to described mobile terminal, and described configuration file and digital certificate are used for described mobile terminal accesses described enterprise wireless network by Extensible Authentication Protocol EAP-Transport Layer Security TLS authentication mode.

2. the method for claim 1, it is characterized in that, described certification webpage is that the door Portal server in the wireless network of described enterprise provides, and the Lightweight Directory Access Protocol LDAP territory account authentication information that described mobile terminal inputs by described Portal server in described certification webpage is sent in dial user's remote authentication service radius server and carries out webpage certification;

If described network access equipment determines that described mobile terminal is by described certification webpage authentication success, is redirected to registration web page, comprises:

Described network access equipment receives the webpage authentication result that described radius server returns;

If described webpage authentication result indicates described mobile terminal by webpage certification, then access control policy corresponding for described IP address is set to the second authorization policy by described network access equipment, and described second authorization policy allows described IP address to access described registration web page;

Described second authorization policy that described network access equipment is corresponding according to described IP address, is redirected to described registration web page by described web access requests message.

3. method as claimed in claim 1 or 2, is characterized in that, also comprise:

If described network access equipment judges that the login state of the mark correspondence of described mobile terminal is registered, described network access equipment sends response message to described mobile terminal, the identifying algorithm field of carrying in described response message is set to EAP-TLS authenticity indicator, accesses the wireless network of described enterprise in order to indicate described mobile terminal according to EAP-TLS authentication mode;

When described network access equipment determines the EAP-TLS authentication success carried out between described mobile terminal and described radius server, for described mobile terminal opens controlled ports, described controlled ports is for transmitting the business datum of described mobile terminal.

4. method as claimed in claim 2 or claim 3, it is characterized in that, described network access equipment judges the login state of the mark correspondence of described mobile terminal, comprising:

Described network access equipment obtains the mark of described mobile terminal from described access request message;

According to the mark of the described mobile terminal login state to mobile terminal described in the management server queries in the wireless network of described enterprise;

Receive the login state of described mobile terminal in described network that described management server returns.

5. method as claimed in claim 4, it is characterized in that, described registration web page is that described management server provides,

If described network access equipment determines the registration that described mobile terminal is completed in the wireless network of described enterprise by described registration web page, described network access equipment sends configuration file and digital certificate to described mobile terminal, comprising:

Described network access equipment receives the described configuration file and described digital certificate that described management server sends, and to be described management server send after described mobile terminal to complete in the wireless network of described enterprise registration by described registration web page for described configuration file and described digital certificate; After described management server sends described configuration file and digital certificate, the login state of described mobile terminal in described management server is updated to registered;

Described configuration file and described digital certificate are sent to described mobile terminal by described network access equipment.

6. method as claimed in claim 5, is characterized in that, described network access equipment, to after described mobile terminal sends configuration file and digital certificate, also comprises:

Described network access equipment receives the dynamic authorization CoA message that described radius server sends, and after receiving described CoA message, indicate described mobile terminal to resend described access request message; Described CoA message is that the login state of described mobile terminal in described management server is updated to registered rear transmission.

7. method as claimed in claim 6, it is characterized in that, after described network access equipment receives described CoA message, described method also comprises:

Described network access equipment reclaims described IP address.

8. a wireless access points AP, is characterized in that, comprising:

Receiving element, for the access request message that mobile terminal receive sends, described access request message is for asking the wireless network accessing enterprise, described access request message carries the mark of described mobile terminal, and the mark of described mobile terminal is used for identifying described mobile terminal uniquely in the scope of the wireless network of described enterprise;

Judging unit, for judging the login state of the mark correspondence of mobile terminal in the access request message that described receiving element receives, whether described login state is registered in order to identify described mobile terminal in the wireless network of enterprise;

Resource allocation request unit, if judge for described judging unit, the login state of the mark correspondence of described mobile terminal is unregistered, and the wireless access controller AC of wireless aps described in Request Control is described mobile terminal distributing IP address;

Strategy setting unit, for access control policy corresponding for described IP address is set to the first authorization policy, described first authorization policy allows described IP address access registrar webpage;

Described receiving element, also for receiving the web access requests message that described mobile terminal uses described IP address to send;

Redirect request unit, for described first authorization policy arranged according to strategy setting unit, sends the first Forward-reques to described AC, for request, described web access requests message is redirected to certification webpage; And if determine that described mobile terminal is by described certification webpage authentication success, sends the second Forward-reques to described AC, for request described web access requests message is redirected to registration web page;

Described receiving element, also for receiving configuration file from described wireless AC and digital certificate;

Described transmitting element, also for forwarding described configuration file and described digital certificate to described mobile terminal, described configuration file and described digital certificate are used for described mobile terminal accesses described enterprise wireless network by Extensible Authentication Protocol EAP-Transport Layer Security TLS authentication mode.

9. wireless aps as claimed in claim 8, is characterized in that,

Described receiving element, also for receiving the webpage authentication result from dial user's remote authentication service radius server, described certification webpage is that the door Portal server in the wireless network of described enterprise provides, and the Lightweight Directory Access Protocol LDAP territory account authentication information that described mobile terminal inputs by described Portal server in described certification webpage is sent in described radius server and carries out webpage certification;

Described strategy setting unit, if also indicate described mobile terminal by webpage certification for described webpage authentication result, then access control policy corresponding for described IP address is set to the second authorization policy, described second authorization policy allows described IP address to access described registration web page;

Described redirect request unit, specifically for described second authorization policy corresponding according to described IP address, sends the first Forward-reques to described AC, for request, described web access requests message is redirected to described registration web page.

10. wireless aps as claimed in claim 8 or 9, is characterized in that,

Described transmitting element, if also judge that described login state is registered for described judging unit, response message is sent to described mobile terminal, the identifying algorithm field of carrying in described response message is set to EAP-TLS authenticity indicator, accesses the wireless network of described enterprise in order to indicate described mobile terminal according to EAP-TLS authentication mode;

Described wireless aps also comprises:

Open-ended unit, for when described network access equipment determines the EAP-TLS authentication success carried out between described mobile terminal and described radius server, for described mobile terminal opens controlled ports, described controlled ports is for transmitting the business datum of described mobile terminal.

11. as arbitrary in claim 8 to 10 as described in wireless aps, it is characterized in that, described judging unit comprises:

Obtain subelement, for obtaining the mark of described mobile terminal from described access request message;

Inquiry subelement, for the mark of the described mobile terminal according to described acquisition subelement acquisition, to the login state of mobile terminal described in the management server queries in the wireless network of described enterprise;

Receive subelement, for receiving the login state of described mobile terminal in described network that described management server returns.

12. 1 kinds of wireless controller AC, is characterized in that, comprising:

Receiving element, for the access request message that mobile terminal receive sends, described access request message is for asking the wireless network accessing enterprise, described access request message carries the mark of described mobile terminal, and the mark of described mobile terminal is used for identifying described mobile terminal uniquely in the scope of the wireless network of described enterprise;

Judging unit, for judging the login state of the mark correspondence of mobile terminal in the access request message that receiving element receives, whether described login state is registered in order to identify described mobile terminal in the wireless network of enterprise;

Resource allocation unit, if judge for described judging unit, the login state of the mark correspondence of described mobile terminal is unregistered, is described mobile terminal distributing IP address;

Described receiving element, the first Forward-reques that the wireless access points AP also controlled for receiving described AC sends;

Be redirected unit, be redirected to certification webpage for the web access requests message using described IP address to send described mobile terminal according to described first Forward-reques;

Described receiving element, also for receiving the second Forward-reques that described AP sends;

Described redirected unit, also for described web access requests message being redirected to registration web page according to described second Forward-reques;

Described receiving element, also for receiving configuration file and the digital certificate of the management server transmission in the wireless network of described enterprise, described configuration file and described digital certificate are used for described mobile terminal accesses described enterprise wireless network by Extensible Authentication Protocol EAP-Transport Layer Security TLS authentication mode; After described management server sends described configuration file and digital certificate, the login state of described mobile terminal in described management server is updated to registered;

Transmitting element, also for described configuration file and described digital certificate are sent to described AP.

13. wireless AC as claimed in claim 12, it is characterized in that, described judging unit comprises:

Obtain subelement, for obtaining the mark of described mobile terminal from described access request message;

Inquiry subelement, for according to the mark obtaining the mobile terminal that subelement obtains, to the login state of mobile terminal described in the management server queries in the wireless network of described enterprise;

Receive subelement, for receiving the login state of described mobile terminal in described network that described management server returns.

14. wireless AC as claimed in claim 12, is characterized in that,

Described receiving element, also for receiving the dynamic authorization CoA message that dial user's remote authentication service radius server sends, and indicates described mobile terminal to resend described access request message after receiving described CoA message; Described CoA message is that the login state of described mobile terminal in described management server is updated to registered rear transmission.

15. wireless AC as claimed in claim 14, is characterized in that, also comprise:

Resource reclaim unit, after receiving described CoA message at described receiving element, reclaims described IP address.