METHOD, SYSTEM AND DEVICE FOR NETWORK ACCESS CONTROL SUPPORTING QUARANTINE MODE
Abstract
This invention discloses a network access control method supporting quarantine mode. Access devices can recognize the identifications of access control strategies that are returned from the AAA server during identity authentication. When the security policy server needs to assign an access control strategy to the access device for a terminal, the AAA server puts the identification of the required access control strategy into the identity authentication response sent to the access device, and the access device then recognizes and applies the access control strategy. Thus access devices from any vendor can cooperate with the security policy server in quarantine mode. This invention also discloses a network access control system supporting quarantine mode, which consists of at least a security policy server, an AAA server, and some user terminals.
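As an added example (not code from the patent or from any product), the following Python simulation walks the exchange the abstract describes: the security policy server indicates a strategy identification to the terminal, the terminal carries it in its identity authentication request to the AAA server, and the AAA server returns it in the authentication response so that the access device only has to recognize and apply the identification. The class and function names, the two strategy identifications, the user database and the AAA server's check that it only relays known identifications are assumptions.

```python
from dataclasses import dataclass, field

# Strategy identifications the access device recognises (constructed table).
ACCESS_CONTROL_STRATEGIES = {
    "acl-quarantine": {"allow": ["remediation-server"]},  # quarantine mode
    "acl-full": {"allow": ["any"]},                        # normal access
}

@dataclass
class AccessDevice:
    applied: dict = field(default_factory=dict)  # user -> strategy in force

    def on_auth_response(self, resp):
        # Vendor-neutral step: the device only needs to recognise the identification
        # carried in the authentication response and enforce the matching strategy.
        if resp["result"] != "Access-Accept":
            return resp["result"]
        self.applied[resp["user"]] = ACCESS_CONTROL_STRATEGIES[resp["strategy_id"]]
        return resp["strategy_id"]

@dataclass
class AaaServer:
    users: set
    device: AccessDevice

    def authenticate(self, req):
        # Identity authentication first; assumption: only identifications the
        # device is known to support are relayed into the authentication response.
        if req["user"] not in self.users or req["indication"] not in ACCESS_CONTROL_STRATEGIES:
            return self.device.on_auth_response({"result": "Access-Reject"})
        return self.device.on_auth_response(
            {"result": "Access-Accept", "user": req["user"], "strategy_id": req["indication"]})

@dataclass
class Terminal:
    user: str
    patched: bool
    aaa: AaaServer

    def on_indication(self, strategy_id):
        # Carry the indication information in a new identity authentication request.
        return self.aaa.authenticate({"user": self.user, "indication": strategy_id})

def security_policy_check(terminal):
    # Security policy server: map the checking result to a strategy and indicate it.
    strategy_id = "acl-full" if terminal.patched else "acl-quarantine"
    return terminal.on_indication(strategy_id)

def run_flow(user, patched, known_users=frozenset({"alice"})):
    # One end-to-end exchange; returns (outcome, strategies now in force on the device).
    device = AccessDevice()
    outcome = security_policy_check(Terminal(user, patched, AaaServer(set(known_users), device)))
    return outcome, device.applied
```

A terminal that fails the security check ends up with the quarantine strategy on the access device, while a terminal that fails identity authentication gets no strategy at all.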
36 Claims
1. A network access control method that supports quarantine mode on a network including one or more user terminals, a security policy server for terminal security checking, and an AAA server for terminal identity authentication, the method comprising:
the security policy server sending to a terminal indication information of an access control strategy when it has need of assigning the access control strategy corresponding to a security checking result for the terminal;
the terminal, upon receiving the indication information, sending to the AAA server an identity authentication request that carries the indication information;
the AAA server processing the identity authentication request, and instructing an access device to apply the access control strategy according to the indication information carried in the identity authentication request.
(Dependent claims: 2 to 14.)
15. A network access control system that supports quarantine mode, comprising:
one or more user terminals, a security policy server for terminal security checking, and an AAA server for terminal identity authentication; and
the security policy server is used for sending to the terminal indication information of an access control strategy when it needs to assign the access control strategy corresponding to a security checking result for the terminal;
the terminal is used for sending, upon receiving the indication information, to the AAA server an identity authentication request that carries the indication information;
the AAA server is used for processing the received identity authentication request, and instructing an access device to apply the access control strategy according to the indication information carried in the identity authentication request.
(Dependent claims: 16 and 17.)
18. A security policy server that supports quarantine mode on a network including one or more user terminals and an AAA server for terminal identity authentication, wherein
the security policy server is used for terminal security checking, and comprises an execution unit and a transceiver unit;
the execution unit is used to send through the transceiver unit to the terminal indication information of an access control strategy when the access control strategy corresponding to a security checking result is needed to be assigned for the terminal, for enabling the terminal to send an identity authentication request to the AAA server, wherein the identity authentication request is used to enable the AAA server to send the access control strategy to the access device; and
the transceiver unit is used to send and receive data on behalf of the execution unit.
(Dependent claims: 19 to 24.)
25. A user terminal that supports quarantine mode on a network, the network including a security policy server for terminal security checking and an AAA server for terminal identity authentication; wherein
the user terminal includes a processing unit and a transceiver unit;
the processing unit is used to receive through the transceiver unit indication information of an access control strategy from the security policy server, and send to the AAA server an identity authentication request carrying the indication information of the access control strategy in response, so as to drive the AAA server to assign the access control strategy to an access device with which it is connected;
the transceiver unit is used to send and receive data on behalf of the processing unit.
(Dependent claims: 26 to 31.)
32. An AAA server that supports quarantine mode on a network, the network including one or more user terminals and a security policy server for terminal security checking; wherein
the AAA server is used for terminal identity authentication, and comprises a control unit and a transceiver unit;
the control unit is used to receive through the transceiver unit an identity authentication request that carries indication information of an access control strategy sent from a terminal, and instruct the access device to apply the access control strategy identified by the indication information through the transceiver unit;
the transceiver unit is used to send and receive data on behalf of the control unit.
(Dependent claims: 33 to 36.)