To meet employees' desire for new technology and personal choice, improve employee productivity, and reduce corporate costs and investment, many enterprises consider permitting employees to bring their own user equipment to access a variety of network resources within the enterprise. This model is called BYOD (Bring Your Own Device). The user equipment may be a laptop computer, a cell phone, a tablet PC, and so on.
Features of the present disclosure are illustrated by way of an example and not limited in the following figure(s), in which like numerals indicate like elements, in which:
For simplicity and illustrative purposes, a disclosure is described by referring mainly to an example thereof. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the disclosure. It will be readily apparent however, that the disclosure may be practiced without limitation to these specific details. In other instances, some methods and structures have not been described in detail so as not to unnecessarily obscure the disclosure. As used herein, the terms “a” and “an” are intended to denote at least one of a particular element, the term “includes” means includes but not limited to, the term “including” means including but not limited to, and the term “based on” means based at least in part on.
The present disclosure provides a network access control solution that controls the access of a User Equipment (UE) to network resources based on cooperation between the access device and the management server. For example, when an enterprise employee uses a personal tablet PC at his office position, the employee can use the internal mail server, access the travel management page, and use the online project management system, but cannot access confidential documents stored in online shared directories. However, when the employee uses an office PC to work, he can access the abovementioned confidential documents stored in the shared directories. This dynamic access control mechanism permits an enterprise to obtain better security.
In an example,
Please refer to
Please refer to
Please refer to
As shown in
At block 412, the access device 12 parses the NDP packet to obtain equipment information of the UE 11 carried by the NDP packet.
At block 413, the access device 12 transmits a reporting message to the management server 13, wherein the reporting message carries the equipment information of the UE 11.
At block 414, after receiving a notification for identity authentication of the UE 11 from the management server 13, the access device 12 initiates an identity authentication invitation to the UE 11 and submits the identity authentication information of the UE 11 to the management server 13 for authentication.
At block 415, after the identity authentication of the UE 11 is permitted, the access device 12 stores a first access control entry for the UE 11 issued by the management server 13 in its own data plane to control the UE's 11 access to network resources.
As shown in
At block 422, the management server 13 determines whether to permit the identity authentication of the UE 11 based on the identity authentication information of the UE 11.
At block 423, after the identity authentication of the UE 11 is permitted, the management server 13 generates a first access control entry for the UE 11 based on the equipment information of the UE 11 and the user role.
At block 424, the management server 13 issues the first access control entry to the access device 12.
Please refer to
In an example, a wireless connection is built between the UE 11 and the Fit AP managed by the access device 12 (e.g., an AC), and preliminary network access is completed after the authentication and association processes of the AC are completed. Before block 411, the UE 11 may, for example, append its own equipment information to the NDP packet sent to the access device 12. In an example, the NDP packet can be a link layer discovery protocol (LLDP) packet or a packet of another similar protocol. Taking the LLDP packet as an example, the UE 11 may write its own equipment information into an LLDP TLV, and then encapsulate the LLDP packet in an 802.11 frame sent to the AP, such that the AP can transmit the packet through the transparent CAPWAP tunnel to the AC. At blocks 411 and 412, the AC may parse the LLDP packet to obtain the equipment information of the UE 11 carried in the LLDP TLV.
Generally speaking, the equipment information of the UE 11 may include three types of information: software information of the UE 11, hardware information of the UE 11, and manufacturer information of the UE 11. Herein the software information may include software version information, and the software version information may include operating system (OS) version information (e.g., iOS 6.1.3) and may also include application version information (e.g., IE 10). The hardware information may include hardware version information, such as the baseband version information of a cell phone. It will be readily apparent, however, that the equipment information of the UE 11 in the present disclosure is not limited to these. In other instances, the equipment information of the UE 11 may also include the serial number of the UE 11, the module name of the UE 11, the asset identification word of the UE 11, and the like. The following description takes the OS version information, the hardware version information, and the manufacturer information of the UE as an example.
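The LLDP handling described above (blocks 411 and 412) can be illustrated with a small parser. The following Python is an added example, not code from the disclosure; it assumes a TLV layout the disclosure does not specify (an organizationally specific TLV under a placeholder OUI, carrying "key=value" pairs for the OS version, hardware version and manufacturer), and the MAC address and version strings are constructed sample values. The builder stands in for the UE side, the parser for the access device side.

```python
import struct

# TLV type codes from IEEE 802.1AB (LLDP); only the ones used here are listed.
TLV_END = 0
TLV_CHASSIS_ID = 1
TLV_PORT_ID = 2
TLV_TTL = 3
TLV_SYSTEM_DESC = 6
TLV_ORG_SPECIFIC = 127

# Assumption for this example (the disclosure does not fix a TLV layout): the UE
# places its equipment information in an organizationally specific TLV under a
# placeholder OUI and subtype, as "key=value" pairs separated by ';'.
EXAMPLE_OUI = b"\x00\x00\x00"          # placeholder OUI, constructed for this example
EQUIPMENT_SUBTYPE = 1
EQUIPMENT_KEYS = ("os", "hw", "mfr")   # OS version, hardware version, manufacturer


def encode_tlv(tlv_type, value):
    """Build one TLV: a 7-bit type and 9-bit length in a 16-bit header, then the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_equipment_lldpdu(ue_mac, os_version, hw_version, manufacturer):
    """Construct the LLDPDU a UE would send (sample input for this example)."""
    info = f"os={os_version};hw={hw_version};mfr={manufacturer}".encode()
    return b"".join([
        encode_tlv(TLV_CHASSIS_ID, b"\x04" + ue_mac),   # chassis ID subtype 4 = MAC address
        encode_tlv(TLV_PORT_ID, b"\x03" + ue_mac),      # port ID subtype 3 = MAC address
        encode_tlv(TLV_TTL, struct.pack("!H", 120)),
        encode_tlv(TLV_SYSTEM_DESC, os_version.encode()),
        encode_tlv(TLV_ORG_SPECIFIC, EXAMPLE_OUI + bytes([EQUIPMENT_SUBTYPE]) + info),
        encode_tlv(TLV_END, b""),
    ])


def iter_tlvs(pdu):
    """Yield (type, value) pairs up to the End TLV; reject truncated or unterminated PDUs."""
    offset = 0
    while offset + 2 <= len(pdu):
        header, = struct.unpack_from("!H", pdu, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(pdu):
            raise ValueError("truncated TLV at offset %d" % (offset - 2))
        value = pdu[offset:offset + length]
        offset += length
        if tlv_type == TLV_END:
            return
        yield tlv_type, value
    raise ValueError("LLDPDU has no End TLV")


def parse_equipment_info(pdu):
    """Return {'mac', 'os', 'hw', 'mfr'} for the UE, or None if the equipment TLV is absent.

    This is the parsing step of blocks 411/412; the access device would then carry
    the result in its reporting message to the management server."""
    result = {}
    for tlv_type, value in iter_tlvs(pdu):
        if tlv_type == TLV_CHASSIS_ID and value[:1] == b"\x04" and len(value) == 7:
            result["mac"] = "-".join("%02X" % b for b in value[1:])
        elif tlv_type == TLV_ORG_SPECIFIC and value[:4] == EXAMPLE_OUI + bytes([EQUIPMENT_SUBTYPE]):
            for pair in value[4:].decode("utf-8", errors="replace").split(";"):
                key, _, val = pair.partition("=")
                if key in EQUIPMENT_KEYS and val:
                    result[key] = val
    if not all(key in result for key in EQUIPMENT_KEYS):
        return None
    return result


if __name__ == "__main__":
    sample = build_equipment_lldpdu(bytes.fromhex("000000000012"), "iOS 6.1.3", "baseband 4.2", "ExampleCorp")
    print(parse_equipment_info(sample))
```

The parser refuses a PDU whose declared TLV length runs past the end of the buffer and one that lacks an End TLV, so a malformed or cut-off frame from a UE is rejected rather than reported with partial equipment information.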
At block 413, the access device 12 carries the equipment information obtained by parsing the packet in the reporting message, and transmits it to the management server 13 via its connection with the management server 13. The reporting message may be of any predefined type, which should not be a limitation herein. At block 421, after the management server 13 obtains the equipment information of the UE 11, the management server 13 issues a notification for identity authentication of the UE 11. In an example, the management server 13 may issue the notification right after the equipment information of the UE 11 is received. In another example, at block 421, before the notification for identity authentication is transmitted, the management server 13 may first search the pre-configured rule management table (referring to the example of Table 1) based on the equipment information; if a match is found, the identity authentication for the UE 11 is issued; if no match is found, processing ends. For example, according to the equipment information it is found that the OS version of the UE is X2, the hardware version of the UE is Y2, and the manufacturer information is Z5, but this combination does not exist in Table 1. This indicates that the Administrator does not want this UE to access corporate network resources, since doing so may result in security issues. In other examples, Table 1 is not searched and the management server may immediately initiate identity authentication for the UE.
When the management server 13 determines to issue the identity authentication, it transmits a notification for identity authentication to the access device 12. At block 414, after the access device 12 receives the notification, the access device 12 may initiate an identity authentication invitation to the UE 11. There are a variety of identity authentication methods, such as 802.1x or other similar identity authentication technologies. Taking 802.1x as an example, the access device 12 may transmit an EAP-Request packet to the UE 11 in order to start the 802.1x authentication process. During the 802.1x authentication process, the access device 12 may act as a proxy between the UE 11 and the management server 13, relaying the identity authentication information, such as user name and password, so that the UE 11 can complete the authentication process. If the identity authentication information submitted by the UE 11 is invalid, for instance a wrong user name or a wrong password, the identity authentication fails. If the identity authentication information submitted by the UE 11 is valid, the management server 13 determines the user role. At this time, the management server 13 may search for the corresponding access rule, also called a “security rule”, by using the user equipment information and the user role.
Access rules define which network resources are accessible. According to an example, Table 2 shows the concrete contents of access rules. As shown in Table 2, the Destination IP Address (DIP) and the Protocol Type are used as the characteristic elements of the access rules. In Table 2, Rule 2 defines that if a packet has a DIP belonging to the network segment 192.168.0.0/20, the access device 12 is permitted to process it further, for example, to continue the forwarding process of the data packet. In other examples, more characteristic elements can be used in Table 2, such as the packet source port or destination port, and so on.
After the access rule is found, the management server 13 may, for example, control the access of the UE 11 to network resources based on the found access rule. In practice, the packets of the UE 11 for accessing network resources pass through its access device 12 rather than through the management server 13 itself, so the management server 13 needs the access device 12 to enforce the access control for the UE 11. Since the access rule is specific to the UE 11, the management server 13 may generate a first access control entry based on the access rule and the identification of the UE 11. After the access device 12 obtains the first access control entry, the access device 12 may store it in the access control table of its own data plane, which is used as the basis for processing the packets of the UE. Please refer to Table 3; herein the user equipment identification can be, for example, the MAC address of the UE, the virtual local area network identification (VLAN ID), or another identification carried in the packets transmitted by the UE 11. As can be seen from Table 3, each of the first access control entries may include a source MAC address (SMAC, i.e., the MAC address of the UE 11), a destination IP address, and an Action. The type of the access control entry can be, for example, an access control list (ACL) entry.
When the data plane of the access device 12 processes the packets transmitted from the UE 11, the access device 12 may control the access of the UE 11 to network resources based on its own access control table. When a packet transmitted from the UE 11 arrives, the access device 12 may obtain the source MAC address (i.e., the MAC address of the UE 11) and the destination IP address of the packet, and then match them in the access control table (such as Table 3). If any entry is matched, the access device 12 may perform the corresponding processing based on the Action in the entry. If the Action in the entry is “permit”, the access device 12 may perform further processing. Please refer to Table 3. As can be seen from the 1st entry shown in Table 3: if the source MAC address of a packet is 00-00-00-00-00-12 and the destination IP address of this packet belongs to the network segment 192.168.0.0/24, for instance, this packet is allowed to be further processed. If this packet is a data packet, the access device 12 may forward it based on an internal forwarding entry. Similarly, as can be seen from the 3rd entry shown in Table 3: if the source MAC address of a packet is 00-00-00-00-00-14 and the destination IP address of this packet belongs to the network segment 192.168.0.0/20, for instance, this packet is allowed to be further processed.
Please refer to Table 4. According to an example, the access device 12 may be pre-configured with two default entries with lower matching priority, namely the (n−1)th entry and the nth entry. Herein the matching priority of the nth entry is configured to be the lowest and the matching priority of the (n−1)th entry is configured to be the second lowest, and both are lower than the matching priority of the first access control entry from the management server 13. The so-called matching priority is the order in which the data plane matches entries in the access control table, wherein reasonably configured matching priorities produce the expected processing results. In an example, the (n−1)th entry and the nth entry may be delivered automatically to the data plane by the access device 12 during its start-up. If a packet transmitted by the UE 11 cannot be matched to the previous (n−1) entries, the packet will be matched to the nth entry, whose Action is “Drop”, and thus the packet will be discarded. In other words, if the management server 13 has not generated the first access control entry for the UE 11 and transmitted it to the corresponding access device 12, all packets of the UE 11 will be discarded except the LLDP packets and 802.1x identity authentication packets that match the (n−1)th entry and are permitted further processing, and thus the user cannot access any network resources before authentication is completed.
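A data-plane access control table with the default entries just described, as an added Python example (not code from the disclosure): entries are matched in ascending priority order, the issued entries carry the UE's source MAC and destination segment as in Table 3, and the two pre-configured entries let only LLDP and 802.1x frames through before a first access control entry exists. The priority numbers, the `example_table` and `packet` helpers, and the MAC addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Ethertypes of the frames a UE must be able to send before it is authenticated.
ETH_LLDP = 0x88CC
ETH_EAPOL = 0x888E   # 802.1x EAPOL frames
ETH_IPV4 = 0x0800


@dataclass
class AclEntry:
    """One access control entry; a None field matches anything."""
    priority: int                                   # lower value is matched first
    action: str                                     # "permit" or "drop"
    smac: Optional[str] = None                      # source MAC, i.e. the UE identification
    dip: Optional[ipaddress.IPv4Network] = None     # destination network segment
    ethertypes: FrozenSet[int] = frozenset()        # empty set = any ethertype

    def matches(self, packet):
        if self.smac is not None and packet["smac"].upper() != self.smac.upper():
            return False
        if self.ethertypes and packet["ethertype"] not in self.ethertypes:
            return False
        if self.dip is not None:
            dip = packet.get("dip")
            if dip is None or ipaddress.ip_address(dip) not in self.dip:
                return False
        return True


class AccessControlTable:
    """The access device's data-plane table, matched in ascending priority order."""
    PRE_AUTH_PRIORITY = 10_000       # the (n-1)th entry (assumed numbering)
    DEFAULT_DROP_PRIORITY = 10_001   # the nth entry

    def __init__(self):
        # Delivered to the data plane at start-up: LLDP and 802.1x frames may pass
        # before authentication; anything not matched earlier is dropped.
        self.entries = [
            AclEntry(self.PRE_AUTH_PRIORITY, "permit", ethertypes=frozenset({ETH_LLDP, ETH_EAPOL})),
            AclEntry(self.DEFAULT_DROP_PRIORITY, "drop"),
        ]

    def install(self, entry):
        """Store a first access control entry issued by the management server."""
        if entry.priority >= self.PRE_AUTH_PRIORITY:
            raise ValueError("issued entries must outrank the two default entries")
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.priority)

    def withdraw(self, smac):
        """Remove a UE's entries, e.g. after the management server takes it offline."""
        self.entries = [e for e in self.entries if e.smac is None or e.smac.upper() != smac.upper()]

    def lookup(self, packet):
        """Return the Action of the first matching entry."""
        for entry in self.entries:
            if entry.matches(packet):
                return entry.action
        return "drop"   # not reachable while the nth entry is present


def example_table():
    """Table with the 1st and 3rd entries of Table 3 installed (constructed sample)."""
    table = AccessControlTable()
    table.install(AclEntry(1, "permit", smac="00-00-00-00-00-12", dip=ipaddress.ip_network("192.168.0.0/24")))
    table.install(AclEntry(3, "permit", smac="00-00-00-00-00-14", dip=ipaddress.ip_network("192.168.0.0/20")))
    return table


def packet(smac, ethertype=ETH_IPV4, dip=None):
    """Constructed packet summary carrying only the fields the data plane matches on."""
    return {"smac": smac, "ethertype": ethertype, "dip": dip}


if __name__ == "__main__":
    table = example_table()
    print(table.lookup(packet("00-00-00-00-00-12", dip="192.168.0.5")))      # permit
    print(table.lookup(packet("00-00-00-00-00-99", dip="192.168.0.5")))      # drop (not authenticated)
    print(table.lookup(packet("00-00-00-00-00-99", ethertype=ETH_EAPOL)))    # permit (pre-auth entry)
```

The `install` check that an issued entry outranks the two default entries is the part worth keeping in a real data plane: if an issued entry were ever sorted below the nth entry, the UE would be silently cut off even after successful authentication.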
Please refer to the 1st entry and the 2nd entry shown in Table 1, wherein the equipment information of these two entries is the same but their user roles are different, which results in different access rules (for example, the 1st entry corresponds to Rule 1 while the 2nd entry corresponds to Rule 2). Accordingly, the management server 13 may generate different first access control entries based on the different access rules. Similarly, please refer to the 1st entry and the nth entry shown in Table 1, wherein the user roles of these two entries are the same but their equipment information is different, which may also result in different access rules, such that the management server 13 may generate different first access control entries for them.
Please refer to Table 1 in combination with Table 2. If the user equipment of two users is the same but their user roles are different, they may have different permissions to access network resources. According to an example, the network resources in the network segment “192.168.0.0/24” can be network resources that are allowed to be public to partners, such as some web sites of enterprise suppliers, some detailed requirements for enterprise purchasing, or some FTP sites allowing the partners to download related product or training documents. Such network resources can be freely accessed by users with a visitor role, and such access will not harm the information security of the enterprise network. The network resources of the network segment “192.168.0.0/20” are obviously more than those of the network segment “192.168.0.0/24”, and these additional network resources, such as the enterprise's internal mail server, inquiry services for contacting staff, and so on, may not be allowed to be public to users with a visitor role.
According to the examples described above, the management server 13 may search for the corresponding access rule based on the equipment information and the user role shown in Table 1. According to other examples of the present disclosure, Table 1 may include further information. Please refer to Table 5: the rule management table may further introduce the access device as a basis for searching the access rules. In an example, each entry of the rule management table can be configured with an access device cluster, wherein the content of the access device cluster may include one or more access device identifications. That is to say, one access rule may correspond to one or more access devices within the access device cluster. The access device identification may be an AC identification or an AP identification, wherein the identification itself can be a MAC address. For example, as shown in the (n+1)th entry of Table 5, the access device cluster may include AC2 and AC3. Since each access device 12 is generally located at a fixed position, the management server 13 may determine the position of the access device based on the access device identification.
In an example, assume that AC2 is located in the guest reception area of an enterprise building and AC1 is located in the office area. As shown in Table 5, the equipment information and the user roles of the (n+1)th entry and the (n+2)th entry are the same, but their access devices are different, which may result in different access rules. In this example, the (n+1)th entry corresponds to Rule n+1 while the (n+2)th entry corresponds to Rule n+2. At this time, Table 5 can be evolved into the example in Table 6. The management server 13 may generate the ith access control entry based on Rule n+1 and then transmit it to the access device AC2. An employee “A” may then use the UE (00-00-00-00-00-15) to access network resources of the network segment “192.168.0.0/22” when the access device is AC2. The management server 13 may generate the jth access control entry based on Rule n+2 and then transmit it to the access device AC1. The employee “A” may then use the UE (00-00-00-00-00-15) to access network resources of the network segment “192.168.0.0/16” when the access device is AC1.
As can be seen from the abovementioned descriptions, even if the same user uses the same UE, using different access devices to access the network may yield different permissions to access network resources. For example, if the user accesses the network through AC1, the user may obtain permission to access network resources of the network segment “192.168.0.0/16”; however, if the user accesses the network through AC2, the user may obtain permission to access network resources of the other network segment “192.168.0.0/22”. The network resources of the network segment “192.168.0.0/16” are obviously more than those of the network segment “192.168.0.0/22”; for example, the internal mail server may be located in the network segment “192.168.0.0/22”, while the confidential document share is not in “192.168.0.0/22” but in the part of “192.168.0.0/16” outside “192.168.0.0/22”. This means that when the user accesses the network in the guest reception area, the access to network resources is more restrictive; however, when the user uses the same UE to access the network in the office area, the restrictions on accessing network resources are relaxed. Such a design can obviously protect the access security of enterprise internal network resources and avoid confidential information being leaked intentionally or unintentionally.
According to another example, Table 1 or Table 5 may further include the access time as a basis for searching access rules. For example, in Table 1, if the same user uses the same UE to access network resources at different access times, the Administrator may configure different access rules for these conditions. For example, if a user accesses the network before dawn, his access permission is more restrictive. It is easy to understand that the time period before dawn is usually not a working time and security issues should be a concern at this time, and thus the corresponding access rule will not permit the user to access confidential documents stored in some shared directories. In contrast, if the same user uses the same UE to access the network in the daytime, this may correspond to another access rule, wherein the access rule will permit the user to access the abovementioned confidential documents stored in some shared directories.
According to still another example, mobility features of the UE are taken into consideration, for example, the UE may roam from one access device to another access device. Please refer to
At block 701, after the corresponding access rule is searched by the management server 13, the user equipment identification is recorded in the access rule management entry corresponding to the searched access rule.
At block 702, after the destination access device 12 determines that a roaming event occurs, a roaming authentication is performed on the roaming UE 11; if the roaming authentication is permitted, go to block 703; otherwise, the process ends.
At block 703, after the roaming authentication is permitted, the access device AC carries the identification of the UE 11 and the identification of the access device AC in a roaming event notification to be sent to the management server 13.
At block 704, after the roaming event notification is received by the management server 13, the management server 13 searches a corresponding access device cluster based on the user equipment identification carried in the notification.
At block 705, the management server 13 determines whether the access device belongs to the access device cluster based on the identification of the destination access device; if yes, go to block 706; otherwise, go to block 708.
At block 706, the management server 13 transmits a roaming permission notification to the roaming destination access device and transmits the first access control entry for the UE to the destination access device.
At block 707, the access device permits the UE 11 to roam locally, and stores the first access control entry in its own data plane.
At block 708, the management server 13 transmits an offline notification to the access device 12.
At block 709, the access device 12 makes the UE 11 offline.
In an example, in order to process the roaming event, the management server 13 will record the identification of the UE 11 in the rule management table after the corresponding access rule is searched. In an example, after such a process, Table 5 can be evolved into the example in Table 7.
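The management server side of the rule search with user role, access device cluster and access time (the Table 1, 5 and 6 examples above) and the roaming decision of blocks 701 to 709 can be shown together. The following Python is an added example rather than the disclosure's code; the `ManagementServer`, `RuleEntry` and `build_example_server` names, the first-match search order, the time-window form of the access-time condition, and the rule table contents (equipment X1/Y1/Z1, access devices AC1 to AC3, the network segments of Rules 1, n+1 and n+2) are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import FrozenSet, Set, Tuple


@dataclass(frozen=True)
class EquipmentInfo:
    """The three kinds of equipment information used in the examples above."""
    os_version: str
    hw_version: str
    manufacturer: str


@dataclass(frozen=True)
class AccessRule:
    """An access rule as in Table 2: destination network segment plus protocol and action."""
    name: str
    dip: str
    protocol: str = "ip"
    action: str = "permit"


@dataclass
class RuleEntry:
    """One row of the rule management table (Tables 1, 5 and 7 combined)."""
    equipment: EquipmentInfo
    role: str
    rule: AccessRule
    access_devices: FrozenSet[str] = frozenset()               # empty = any access device
    hours: Tuple[time, time] = (time(0, 0), time(23, 59, 59))  # access-time window (assumed form)
    ue_ids: Set[str] = field(default_factory=set)              # UE identifications recorded at lookup


class ManagementServer:
    """Rule search and first-access-control-entry generation; entries are searched in order."""

    def __init__(self, rule_table):
        self.rule_table = rule_table

    def equipment_is_known(self, equipment):
        """Block 421 pre-check: an unknown equipment combination ends processing."""
        return any(entry.equipment == equipment for entry in self.rule_table)

    def find_rule_entry(self, equipment, role, access_device, at):
        for entry in self.rule_table:
            if entry.equipment != equipment or entry.role != role:
                continue
            if entry.access_devices and access_device not in entry.access_devices:
                continue
            if not entry.hours[0] <= at <= entry.hours[1]:
                continue
            return entry
        return None

    @staticmethod
    def make_entry(ue_id, rule, target_device):
        """First access control entry: UE identification plus the rule's characteristic elements."""
        return {"smac": ue_id, "dip": rule.dip, "protocol": rule.protocol,
                "action": rule.action, "target_device": target_device}

    def authorize(self, ue_id, equipment, role, access_device, at):
        """After identity authentication succeeds (block 423): search the rule, record the
        UE identification in the entry (block 701), and return the entry to issue (block 424)."""
        entry = self.find_rule_entry(equipment, role, access_device, at)
        if entry is None:
            return None
        for other in self.rule_table:        # assumption: a UE is associated with one current entry
            other.ue_ids.discard(ue_id)
        entry.ue_ids.add(ue_id)
        return self.make_entry(ue_id, entry.rule, access_device)

    def on_roaming_event(self, ue_id, destination_device):
        """Blocks 704 to 708: find the cluster by UE identification and decide roam or offline."""
        for entry in self.rule_table:
            if ue_id not in entry.ue_ids:
                continue
            if not entry.access_devices or destination_device in entry.access_devices:
                return {"decision": "roam_permitted",
                        "entry": self.make_entry(ue_id, entry.rule, destination_device)}
            break
        return {"decision": "offline", "target_device": destination_device}


def build_example_server():
    """Constructed rule management table modelled on the examples above (Tables 1, 5 and 6)."""
    tablet = EquipmentInfo("X1", "Y1", "Z1")
    partner_rule = AccessRule("Rule 1", "192.168.0.0/24")       # public to partners
    guest_area_rule = AccessRule("Rule n+1", "192.168.0.0/22")  # e.g. internal mail server
    office_rule = AccessRule("Rule n+2", "192.168.0.0/16")      # includes the confidential share
    return ManagementServer([
        RuleEntry(tablet, "visitor", partner_rule),
        RuleEntry(tablet, "employee", guest_area_rule, frozenset({"AC2", "AC3"})),
        # Before dawn (assumed window 00:00-05:59) the office AC1 grants only the guest-area rule.
        RuleEntry(tablet, "employee", guest_area_rule, frozenset({"AC1"}), (time(0, 0), time(5, 59, 59))),
        RuleEntry(tablet, "employee", office_rule, frozenset({"AC1"})),
    ])


if __name__ == "__main__":
    server = build_example_server()
    ue, tablet = "00-00-00-00-00-15", EquipmentInfo("X1", "Y1", "Z1")
    print(server.authorize(ue, tablet, "employee", "AC2", time(10, 0)))   # Rule n+1 entry for AC2
    print(server.on_roaming_event(ue, "AC3"))                             # roam permitted
    print(server.on_roaming_event(ue, "AC1"))                             # offline
```

Because the more restrictive before-dawn entry is listed before the daytime office entry, the first-match search yields the restrictive rule whenever both would apply; an administrator building such a table needs to keep that ordering in mind, since the table order is the policy.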
Please refer to
Please keep referring to
The figures are only illustrations of an example, wherein the units or procedure shown in the figures are not necessarily essential for implementing the disclosure. The units in the device in the example can be arranged in the device in the examples as described, or can be alternatively located in one or more devices different from that in the examples. The units in the examples described can be combined into one module or further divided into a plurality of sub-units.
Although the flowcharts described show a specific order of execution, the order of execution may differ from that which is depicted. For example, the order of execution of two or more blocks may be changed relative to the order shown. Also, two or more blocks shown in succession may be executed concurrently or with partial concurrence. All such variations are within the scope of the disclosure.
Throughout the disclosure, the word “comprise”, or variations such as “comprises” or “comprising”, will be understood to imply the inclusion of a stated element, integer, block, or group of elements, integers or blocks, but not the exclusion of any other element, integer or block, or group of elements, integers or blocks.
Numerous variations and/or modifications may be made to the above-described embodiments, without departing from the broad general scope of the disclosure. The embodiments are, therefore, to be considered in all respects as illustrative and not restrictive.
Number | Date | Country | Kind |
---|---|---|---|
201310514171.1 | Oct 2013 | CN | national |
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/CN2014/089103 | 10/21/2014 | WO | 00 |