METHOD, SYSTEM AND DEVICE FOR NETWORK ACCESS CONTROL SUPPORTING QUARANTINE MODE

US 20090217353A1
Filed: 02/23/2009
Published: 08/27/2009
Est. Priority Date: 02/26/2008
Status: Abandoned Application

First Claim

Patent Images

1. A network access control method that supports quarantine mode on a network including one or more user terminals, a security policy server for terminal security checking, and an AAA server for terminal identity authentication, the method comprising:

the security policy server sending to a terminal indication information of an access control strategy when it has need of assigning the access control strategy corresponding to a security checking result for the terminal;

the terminal, upon receiving the indication information, sending to the AAA server an identity authentication request that carries the indication information;

the AAA server processing the identity authentication request, and instructing an access device to apply the access control strategy according to the indication information carried in the identity authentication request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention discloses a network access control method supporting quarantine mode. Access devices can identify access control strategies identifications of which are returned from the AAA server during identity authentication processes. When the security policy server needs to assign an access control strategy to the access device for the terminal, the AAA server puts the identification of the required access control strategy into the identity authentication response to be sent to the access device, and then the access device recognizes and applies the access control strategy. Thus access devices from any vendors can cooperate with the security policy server in quarantine mode. This invention also discloses a network access control system supporting quarantine mode, and the system consists at least of a security policy server, an AAA server, and some user terminals.

Citations

36 Claims

1. A network access control method that supports quarantine mode on a network including one or more user terminals, a security policy server for terminal security checking, and an AAA server for terminal identity authentication, the method comprising:
- the security policy server sending to a terminal indication information of an access control strategy when it has need of assigning the access control strategy corresponding to a security checking result for the terminal;
  
  the terminal, upon receiving the indication information, sending to the AAA server an identity authentication request that carries the indication information;
  
  the AAA server processing the identity authentication request, and instructing an access device to apply the access control strategy according to the indication information carried in the identity authentication request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the AAA server processing the identity authentication request, and instructing an access device to apply the access control strategy according to the indication information comprises:
    - the AAA server authenticating the terminal upon receiving the identity authentication request; and
      
      after the terminal passing the authentication, the AAA server obtaining an identification of the access control strategy according to the indication information, and sending an identity authentication response carrying the identification to the access device, so that the access device can use the access control strategy for access control of the terminal.
  - 3. The method of claim 2, wherein assigning the access control strategy corresponding to a security checking result for the terminal comprises:
    - assigning a VLAN corresponding to the security checking result for the terminal.
  - 4. The method of claim 2, wherein assigning the access control strategy corresponding to a security checking result for the terminal comprises:
    - delivering an access control list (ACL) corresponding to the security checking result to the access device for the terminal.
  - 5. The method of claim 4, wherein the indication information is adapted to indicate the type of the ACL delivered to the access device;
    - andthe AAA server obtaining an identification of the access control strategy according to the indication information comprises;
      
      the AAA server obtaining the identification of the ACL from security policies of the terminal according to the type of the ACL, wherein identifications of security ACL and quarantine ACL applicable to the terminal are configured in the security policies.
  - 6. The method of claim 4, wherein the indication information is an identification of the ACL;
    - andthe security policy server sending to a terminal indication information of an access control strategy when it has need of assigning the access control strategy corresponding to a security checking result for the terminal comprises;
      
      the security policy server obtaining the identification of the ACL according to the security policies of the terminal when it has need of providing the ACL to the access device, and sending the obtained identification of the ACL to the terminal, wherein identifications of security ACL and quarantine ACL applicable to the terminal are configured in the security policies.
  - 7. The method of claim 5, wherein the security policies of the terminal are stored in a database, wherein the database is a database of the AAA server, or a database of the security policy server, or a database shared by the AAA server and the security policy server.
  - 8. The method of claim 4, further comprising:
    - when the access device has already applied a first ACL for the terminal, and the security policy server needs to assign to the access device a second ACL for the terminal, performing a process after the terminal receives the indication information of the second ACL and before the terminal sends an identity authentication request to the AAA server, the process including;
      
      the terminal sending a logoff request to the AAA server;
      
      the AAA server processing the logoff request and sending a logoff success notification to the terminal through the access device; and
      
      the access device canceling the application of the first ACL after receiving the logoff success notification.
  - 9. The method of claim 8, comprising:
    - the security policy server sending the indication information of a security ACL to the terminal when the security policy server needs to assign to the access device the security ACL for the terminal after the terminal has passed the security checking and when the access device has already applied a quarantine ACL for the terminal.
  - 10. The method of claim 9, further comprising:
    - the terminal, upon receiving an authentication success notification sent from the access device applying the security ACL, sending to the security policy server a security checking request that carries a security checking success identification; and
      
      the security policy server directly sending a security checking success notification to the terminal when determining that the security checking request received includes the security checking success identification.
  - 11. The method of claim 8, comprising:
    - the security policy server sending the indication information of the quarantine ACL to the terminal when the security policy server needs to assign to the access device a quarantine ACL for the terminal after the terminal has failed to pass the security checking and when the access device has already applied a security ACL for the terminal.
  - 12. The method of claim 11, further comprising:
    - the terminal, upon receiving an authentication success notification sent from the access device applying the quarantine ACL, sending to the security policy server a security checking request that carries a security checking failure identification; and
      
      the security policy server directly sending a security checking failure notification to the terminal when determining that the security checking request received includes the security checking failure identification.
  - 13. The method of claim 2, wherein the terminal, upon receiving the indication information, sending to the AAA server an identity authentication request comprises:
    - the terminal sending the identity authentication request based on an RADIUS protocol to the AAA server through the access device; and
      
      the AAA server and the access device performing identity authentication for the terminal based on the RADIUS protocol.
  - 14. The method of claim 13, wherein the identity authentication request sent by the terminal carries the indication information of the ACL in the USER-NAME attribute.

15. A network access control system that supports quarantine mode, comprising:
- one or more user terminals, a security policy server for terminal security checking, and an AAA server for terminal identity authentication; and
  
  the security policy server is used for sending to the terminal indication information of an access control strategy when it needs to assign the access control strategy corresponding to a security checking result for the terminal;
  
  the terminal is used for sending, upon receiving the indication information, to the AAA server an identity authentication request that carries the indication information;
  
  the AAA server is used for processing the received identity authentication request, and instructing an access device to apply the access control strategy according to the indication information carried in the identity authentication request.
- View Dependent Claims (16, 17)
- - 16. The system of claim 15, wherein the AAA server is used for authenticating the terminal upon receiving the identity authentication request, obtaining an identification of the access control strategy according to the indication information after the terminal has passed the authentication, and sending to the access device an identity authentication response carrying the identification, so that the access device can use the access control strategy for access control of the terminal.
  - 17. The system of claim 16, wherein the terminal is used for sending a logoff request to the AAA server when the access device has already applied a first ACL for the terminal and the terminal receives indication information of a second ACL, and sending an identity authentication request to the AAA server after receiving a logoff success notification from the AAA server;
    - the AAA server is used for processing the logoff request and sending the logoff success notification to the terminal through the access device;
      
      the access device is used for canceling the application of the first ACL for the terminal after receiving the notification.

18. A security policy server that supports quarantine mode on a network including one or more user terminals and an AAA server for terminal identity authentication, whereinthe security policy server is used for terminal security checking, and comprises an execution unit and a transceiver unit;
- the execution unit is used to send through the transceiver unit to the terminal indication information of an access control strategy when the access control strategy corresponding to a security checking result is needed to be assigned for the terminal, for enabling the terminal to send an identity authentication request to the AAA server, wherein the identity authentication request is used to enable the AAA server to send the access control strategy to the access device; and
  
  the transceiver unit is used to send and receive data on behalf of the execution unit.
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. The security policy server of claim 18, wherein the execution unit is used to assign a VLAN corresponding to the security checking result for the terminal.
  - 20. The security policy server of claim 18, wherein the execution unit is used to deliver an access control list (ACL) corresponding to the security checking result to the access device for the terminal.
  - 21. The security policy server of claim 20, whereinthe execution unit is used to send through the transceiver unit to the terminal the indication information of a security ACL when the security ACL is needed to be assigned to the access device for the terminal after the terminal has passed the security check and when the access device has already applied a quarantine ACL for the terminal, so as to drive the terminal to send an identity authentication request to the AAA server.
  - 22. The security policy server of claim 21, whereinthe execution unit is further used to send a security checking success notification to the terminal directly through the transceiver unit upon receiving from the terminal the security checking request that carries the security checking success identification.
  - 23. The security policy server of claim 20, whereinthe execution unit is used to send through the transceiver unit to the terminal indication information of a quarantine ACL when the quarantine ACL is needed to be assigned to the access device for the terminal after the terminal has failed to pass the security check and the access device has already applied a security ACL for the terminal, so as to drive the terminal to send an identity authentication request to the AAA server.
  - 24. The security policy server of claim 23, whereinthe execution unit is used to send a security checking failure notification to the terminal directly through the transceiver unit upon receiving the security checking request that carries the security checking failure identification from the terminal.

25. A user terminal that supports quarantine mode on a network, the network including a security policy server for terminal security checking and an AAA server for terminal identity authentication;
- whereinthe user terminal includes a processing unit and a transceiver unit;
  
  the processing unit is used to receive through the transceiver unit indication information of an access control strategy from the security policy server, and send to the AAA server an identity authentication request carrying the indication information of the access control strategy in response, so as to drive the AAA server to assign the access control strategy to an access device with which it is connected;
  
  the transceiver unit is used to send and receive data on behalf of the processing unit.
- View Dependent Claims (26, 27, 28, 29, 30, 31)
- - 26. The terminal of claim 25, wherein the indication information of the access control strategy received by the processing unit is a VLAN corresponding to the security checking result assigned by the security policy server for the terminal.
  - 27. The terminal of claim 25, wherein the indication information of the access control strategy received by the processing unit is indication information of an access control list (ACL) corresponding to the security checking result assigned by the security policy server for the terminal.
  - 28. The terminal of claim 27, whereinthe processing unit is used to send a logoff request to the AAA server with the help of the transceiver unit after receiving the indication information of the ACL from the security policy server, and send an identity authentication request to the AAA server after receiving the logoff success notification returned from the AAA server.
  - 29. The terminal of claim 28, whereinthe processing unit is used to send through the transceiver unit a security checking request that carries the security checking success identification to the security policy server when receiving the identity authentication success notification and when the security checking success notification returned from the security policy server includes the indication information of the ACL;
    - orthe processing unit is used to send through the transceiver unit a security checking request that carries the security checking failure identification to the security policy server when receiving the identity authentication success notification and when the security checking failure notification returned from the security policy server includes the indication information of the ACL.
  - 30. The terminal of claim 27, whereinthe processing unit is used to send an identity authentication request based on an RADIUS protocol to the AAA server.
  - 31. The terminal of claim 30, whereinthe processing unit is used to encapsulate the indication information of the ACL in the USER-NAME attribute of the identity authentication request.

32. An AAA server that supports quarantine mode on a network, the network including one or more user terminals and a security policy server for terminal security checking;
- whereinthe AAA server is used for terminal identity authentication, and comprises a control unit and a transceiver unit;
  
  the control unit is used to receive through the transceiver unit an identity authentication request that carries indication information of an access control strategy sent from a terminal, and instruct the access device to apply the access control strategy identified by the indication information through the transceiver unit;
  
  the transceiver unit is used to send and receive data on behalf of the control unit.
- View Dependent Claims (33, 34, 35, 36)
- - 33. The AAA server of claim 32, whereinthe control unit is used to process the received identity authentication request, and obtain an identification of the access control strategy according to the indication information carried in the identity authentication request after the terminal passes the identity authentication, and send an identity authentication response carrying the identification to the access device through the transceiver unit.
  - 34. The AAA server of claim 33, wherein the identity authentication request received by the control unit sent from the terminal comprises indication information of a VLAN.
  - 35. The AAA server of claim 33, wherein the identity authentication request received by the control unit sent from the terminal comprises indication information of an access control list (ACL).
  - 36. The AAA server of claim 33, whereinthe control unit is used to send a RADIUS-based identity authentication response to the access device through the transceiver unit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hangzhou H3C Technologies Co Ltd (Tsinghua Holdings Co., Ltd.)
Original Assignee
Hangzhou H3C Technologies Co Ltd (Tsinghua Holdings Co., Ltd.)
Inventors
ZHENG, Xiongkai

Application Number

US12/390,541
Publication Number

US 20090217353A1
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

H04L 63/08 for authentication of entit...

H04L 63/101 Access control lists [ACL]

METHOD, SYSTEM AND DEVICE FOR NETWORK ACCESS CONTROL SUPPORTING QUARANTINE MODE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD, SYSTEM AND DEVICE FOR NETWORK ACCESS CONTROL SUPPORTING QUARANTINE MODE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links