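Abstract (Chinese version): The IETF access control model relies on centralized policy management. It cannot effectively authenticate and authorize remote users in an IP-VPN, nor can it support remote users roaming between different domains. To address this problem, this paper makes the following contributions: distributed management of access control policies for remote users; authentication of remote users while roaming; and the implementation of DACRU, a distributed access control model. Practice shows that the model effectively solves the problems of distributed management of remote users' access control policies and of roaming authentication for authorized users.
Keywords:
Security; VPN; distributed access control; roaming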
Abstract: The existing DAC models of IETF use centralized management and cannot realize remote users’ roaming on IP-VPN. The main contributions include: the distributed management of DAC policy; the authentication of roaming remote users; the implementation of a distributed access control model (DACRU). The results show that the model can securely solve the problems of the distributed management of DAC policy and remote users’ roaming in VPN.
Key words:
Security; Virtual private networks (VPN); Distributed access control; Roaming
XIE Fangjun, TANG Changjie, CHEN Anlong, ZHANG Hong, YUAN Changan. Distributed Access Control for Remote User[J]. Computer Engineering, 2006, 32(2): 37-39,84.