CN101540757A - Method and system for identifying network and identification equipment - Google Patents

Publication number: CN101540757A
Application number: CN200810102193A
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Inventors: 俞飏, 宁辉, 陈瑞宁, 陈然
Original assignee: BEIJING AIKE NETWORK COMMUNICATIONS TECHNOLOGY CO LTD
Current assignee (as listed): BEIJING AIKE NETWORK COMMUNICATIONS TECHNOLOGY CO LTD; BEIJING ACK NETWORKS Inc
Classification: Data Exchanges In Wide-Area Networks

Abstract

The invention provides a network authentication method, a network authentication system and an authenticating device. When a user terminal accesses or passes through a network device, the method comprises: the network device obtains the IP address transmitted by the user terminal, obtains from the authenticating device the access policy corresponding to that user terminal according to the IP address, and determines from the access policy whether the user terminal is connected to the application it is attempting to access. With this method a user terminal can access or pass through several network devices and establish a connection with a given application on the network after authenticating only once rather than repeatedly. Single sign-on is therefore realised, the user terminal can connect flexibly and is convenient to operate and use, so the needs of a network terminal that uses multiple applications are met; and because the access policy is configured according to user information, the person responsible for a given network behaviour can be identified.

Description

Network authentication method, system and authenticating device
Technical field
The present invention relates to network authentication technology, and in particular to a network authentication method, a network authentication system and an authenticating device.
Background technology
With the continuous development of network technology, and because the Internet is low-cost and easy to use, networks have been applied in fields such as finance, securities, education, medical care, transport and daily life. But while network technology promotes social progress it also brings a series of problems; for example, networks are used for all kinds of illegal and improper activities, such as intruding into other people's computer systems or publishing false information.
In the related art, to avoid the above problems, a variety of techniques exist at each layer, such as the network infrastructure and the operating system, to prevent a network from being intruded upon, and a variety of encryption techniques are used to protect data transmitted over the network and increase the difficulty of obtaining information illegally. Their shortcoming is that they cannot trace the person responsible for an illegal act.
In related authentication methods, an authentication centre provides the authentication service; authentication modes include account/password mechanisms, encrypted data channels and digital signatures. When a user connects through a network device such as a firewall, switch or router to a certain application on the network, the network device requests authentication from the authentication centre; the authentication centre authenticates the user according to a pre-set policy and notifies the network device of the result, and the network device connects or refuses the user accordingly.
Fig. 1 is a schematic diagram of an authentication system in the related art. As shown in Fig. 1, the system comprises a user terminal 101, a network device 102, an authentication server 104 and at least one server 103; the authentication server 104 may be an AAA server 104.
When the network device 102 detects that the user terminal 101 is connecting, the network device 102 sends it a prompt for a username and password, which is displayed on the interface of the user terminal 101 (step 1); the user terminal 101 enters the username and password and sends them to the network device 102 (step 2); the network device 102 forwards the received username and password to the AAA server 104 in the network (step 3); the AAA server 104 authenticates the user terminal 101 with the received username and password and looks up the policy corresponding to that username and password (step 4), for example whether the user passes, the user information, the application and port number used, and the authentication string of the server 103; the AAA server 104 issues this access policy to the network device 102, which, according to the access policy, either connects the user terminal 101 to the server 103 it needs to access or refuses the connection.
The authentication system shown in Fig. 1 is a per-connection authentication mode. When a user is online and enters different websites, or even the same website but connects to servers providing different services, each network behaviour often has to be registered under a different username if the user behind it is to be determined, and each connection requires one authentication and one policy issuance. For a network with a huge user base it is hard to bear such traffic, and this mode still cannot determine the person who performed a given network behaviour.
As the scope of a user's network use grows, the number of registered usernames grows with it, making it hard for the user to remember them, let alone which website and service each one corresponds to. This limits the user terminal's use of multiple applications and makes network use greatly inconvenient.
Summary of the invention
An object of the present invention is to provide a network authentication method by which a user terminal that accesses or passes through a network device such as a firewall, switch or router to connect to an application on the network needs to authenticate only once rather than repeatedly. Single sign-on is thereby realised, the user terminal connects flexibly and is convenient to operate and use, so the needs of a network terminal that uses multiple applications are met; and because the access policy is configured according to user information, the person responsible for a network behaviour can be identified.
Another object of the present invention is to provide a network authentication system with which a user terminal accessing or passing through a network device such as a firewall, switch or router to connect to an application on the network likewise authenticates only once rather than repeatedly, realising single sign-on with the same benefits. A further object of the present invention is to provide an authenticating device. The authenticating device judges from the stored authentication status of the user terminal whether that terminal has already been authenticated and, if it has, issues the access policy directly to the network device. Thus even when a user terminal accesses or passes through a network device such as a firewall, switch or router to connect to an application on the network, it authenticates only once rather than repeatedly, realising single sign-on; and because the access policy is configured according to user information, the person responsible for a network behaviour can be identified.
To achieve the above object, the invention provides a network authentication method. When a user terminal accesses or passes through a network device, the method comprises: the network device obtains the IP address transmitted by the user terminal; obtains from the authenticating device the access policy corresponding to the user of that terminal according to the IP address; and determines from the access policy whether the user terminal is connected to the application being accessed.
To achieve the above object, the invention also provides a network authentication system comprising at least one network device and an application server connected by a network, and further comprising an authenticating device; wherein,
the network device is used to obtain the IP address transmitted by the user terminal and send it to the authenticating device, to receive the access policy transmitted by the authenticating device, and to determine from that access policy whether the user terminal is connected to the application server;
the authenticating device, connected to the network device by the network, is used to receive the IP address transmitted by the network device and judge whether the user of the terminal corresponding to that IP address has been authenticated; if so, it issues the access policy corresponding to that user to the network device; if not, it authenticates the user and, if authentication succeeds, issues the access policy corresponding to that user to the network device.
To achieve the above object, the invention also provides an authenticating device comprising a receiving unit, a judging unit, a policy distribution unit and an authentication unit; wherein,
the receiving unit is used to receive the IP address transmitted by the network device;
the judging unit, connected to the receiving unit, is used to judge whether the user of the terminal corresponding to that IP address has been authenticated; if so, it sends the result "authenticated" to the policy distribution unit; if not, it sends the result "not authenticated" to the authentication unit;
the authentication unit, connected to the judging unit, is used to authenticate the user of the terminal when the judging unit reports "not authenticated" and, if authentication succeeds, to send the result to the policy distribution unit;
the policy distribution unit, connected to the judging unit and the authentication unit, is used to issue the access policy corresponding to that user to the network device according to the information sent by the judging unit and the authentication unit.
The beneficial effect of the invention is that a user terminal accessing or passing through a network device to connect to an application on the network needs to authenticate only once rather than repeatedly; single sign-on is thereby realised, the terminal connects flexibly and conveniently, meeting the needs of a network terminal that uses multiple applications; and because the access policy is configured according to user information, the person responsible for a network behaviour can be identified.
Description of drawings
The accompanying drawings are provided for a further understanding of the invention and form part of the application; they do not limit the invention. In the drawings:
Fig. 1 is a schematic diagram of a network authentication system in the related art;
Fig. 2 is a flow chart of network authentication in the related art;
Fig. 3 is a schematic diagram of the network authentication system of the present invention;
Fig. 4 is a schematic diagram of the composition of the authenticating device in Fig. 3;
Fig. 5 is a flow chart of the network authentication method of the present invention;
Fig. 6 is a schematic diagram of updating the access policy in the present invention;
Fig. 7 to Fig. 9 are schematic diagrams of the display interfaces for configuring the access policy in the present invention.
Embodiments
To make the purpose, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to the embodiments and the drawings. The illustrative embodiments and their explanation serve to explain the invention and do not limit it.
The invention provides a network authentication method, a network authentication system and an authenticating device.
Execution mode one
Fig. 3 is a schematic diagram of the network authentication system of the invention. As shown in Fig. 3, the system comprises at least one network device 302 and an application server 303 connected by a network, and further comprises an authenticating device 304; wherein,
the network device 302 is used to obtain the IP address transmitted by the user terminal 301 and send it to the authenticating device 304;
the authenticating device 304, connected to the network device 302 by the network, is used to receive the IP address transmitted by the network device 302 and judge whether the user of the user terminal 301 corresponding to that IP address has been authenticated; if so, it issues the access policy corresponding to that user to the network device 302; if not, it authenticates the user and, if authentication succeeds, issues the access policy corresponding to that user to the network device 302.
The network device 302 is also used to receive the access policy transmitted by the authenticating device 304 and to decide the access of the user of terminal 301 accordingly; that is, according to the received access policy it either connects the user terminal 301 to the application server 303 it wants to access or refuses the connection.
Thus, with the invention, a user terminal accessing or passing through a network device to connect to an application on the network authenticates only once rather than repeatedly, realising single sign-on with flexible and convenient access that meets the needs of a network terminal using multiple applications; and because the access policy issued by the authenticating device is configured according to user information, the person responsible for a network behaviour can be identified.
Fig. 4 is a schematic diagram of the composition of the authenticating device of the invention. As shown in Fig. 4, the authenticating device comprises a receiving unit 401, a judging unit 402, a policy distribution unit 403 and an authentication unit 404; wherein,
the receiving unit 401 is used to receive the IP address transmitted by the network device 302;
the judging unit 402, connected to the receiving unit 401, is used to judge whether the user of the terminal corresponding to that IP address has been authenticated; if so, it sends the result "authenticated" to the policy distribution unit 403; if not, it sends the result "not authenticated" to the authentication unit 404;
the authentication unit 404, connected to the judging unit 402, is used to authenticate the user of terminal 301 when the judging unit 402 reports "not authenticated" and, if authentication succeeds, to send the result to the policy distribution unit 403;
the policy distribution unit 403, connected to the judging unit 402 and the authentication unit 404, is used to issue the access policy corresponding to the user of terminal 301 to the network device 302 according to the information sent by the judging unit 402 and the authentication unit 404.
In the embodiment of the invention, the judging unit 402 judges whether the user of the terminal 301 corresponding to the IP address has been authenticated according to a pre-stored mapping table of user information, IP address and whether authenticated.
In addition, the authenticating device 304 further comprises a storage unit 405, connected to the judging unit 402 and the policy distribution unit 403, which is used to store the access policies of the terminal users and the above mapping table.
With this authentication system, a user terminal 301 accessing or passing through a network device to connect to an application on the network authenticates only once rather than repeatedly, realising single sign-on with flexible and convenient access that meets the needs of a user terminal using multiple applications; and because the access policy issued by the authenticating device is configured according to user information, the person responsible for a network behaviour can be identified.
Execution mode two
The authentication method of the invention is described in detail below, taking the authentication system shown in Fig. 3 as an example.
The invention provides a network authentication method in which, when a user terminal 301 accesses or passes through a network device 302, the method comprises: the network device 302 obtains the IP address transmitted by the user terminal; obtains the access policy corresponding to the user of the terminal 301 according to that IP address; and decides the access of the user terminal 301 according to that access policy.
By this access method, a user terminal 301 accessing or passing through a network device to connect to an application on the network authenticates only once rather than repeatedly, realising single sign-on with flexible and convenient access that meets the needs of a network terminal using multiple applications; and because the access policy issued by the authenticating device is configured according to user information, the person responsible for a network behaviour can be identified.
In the invention, the network device 302 obtaining the access policy corresponding to the user of the terminal 301 according to the IP address comprises:
the network device 302 sends the IP address to the authenticating device 304; the authenticating device 304 judges whether the user of the terminal 301 corresponding to that IP address has been authenticated; if so, the authenticating device 304 directly issues the access policy corresponding to that user to the network device 302 without authenticating again. The network device 302 can then connect the user terminal 301 to the application it wants to access, such as the application server 303, according to that access policy, thereby realising single sign-on and making network use convenient for the user.
The authenticating device 304 may judge whether the user of the terminal corresponding to the IP address has been authenticated as follows: the authenticating device 304 receives the IP address transmitted by the network device 302; it searches the pre-stored mapping table of user information, corresponding IP address and whether access authentication has passed; if the table contains a record that the user corresponding to that IP address has been authenticated, the user is treated as authenticated.
If the authenticating device 304 judges that the user of the terminal 301 corresponding to the IP address has not been authenticated, it requires that user to be authenticated, which in this embodiment may proceed as follows: the authenticating device 304 sends an authentication request to the network device 302; the network device 302 obtains the user information of the user terminal 301 and sends it to the authenticating device 304, where the user information may be a username and/or password; the authenticating device 304 authenticates the user of terminal 301 with this user information; if authentication succeeds, it issues the access policy corresponding to that user to the network device 302. The authentication result for that user may also be recorded in the mapping table of user information, corresponding IP address and whether authenticated.
In this embodiment the access policy is configured according to user information and stored in the storage unit 405 of the authenticating device 304.
The above access method is described below with reference to Figs. 3 to 5, taking the computer management system of a company or enterprise as an example.
Step 500: establish the binding relationship of username (ID), IP address and whether authenticated, and store it in the storage unit 405 of the authenticating device 304. The computer management system of a company or enterprise is taken as the example.
This embodiment performs network management based on user identity (ID) information. An ID management module (not shown) is provided in the authenticating device 304; it holds user information such as the IDs of employees A, B and C and their classification information. For example, each employee is assigned a group and identity according to department and position and given an ID, as shown in Table 1:
Table 1
ID        Name   Department                  Position
Bob       A      Research and development    Department head
Alex      B      Human resources             Ordinary employee
Jennifer  C      Human resources             Ordinary employee
A mapping relationship storage module (not shown) is also provided in the authenticating device 304; it stores the IP address or IP range that each user uses.
In this embodiment an IP range can be defined according to position, name, department, or a combination of these. Taking definition by department as an example, the IP address ranges defined per department are shown in Table 2:
Table 2
Department                  IP address range
Research and development    192.168.1.1-192.168.1.15
Human resources             192.168.1.17-192.168.1.24
The IP range or address need not be defined by department; it may also be defined by position or by the user's ID. Thus when employee A logs in to a terminal with his ID, the authenticating device assigns A an IP address according to A's ID, Bob, in Table 1 and its binding with Table 2: A may be assigned one of the addresses 192.168.1.1 to 192.168.1.15, for example 192.168.1.15. This is not limiting: considering that A is the head of the research and development department rather than an ordinary employee, a separate IP range such as 192.168.1.16 may be defined for A so that his higher authority is preserved.
The assigned IP address and the user ID are then recorded in an IP-ID binding table, and whether A has been authenticated is also stored in that table, giving a table of IP, ID and whether authenticated. As shown in Table 3, if Bob has been authenticated, the time of the user's login can also be recorded. This mapping table can be stored in the storage unit 405 of the authenticating device 304.
Table 3
ID        IP            Authenticated   Start time        End time
Bob       192.168.1.15  Yes             2008-1-20 16:30   2008-1-20 17:00
Alex      192.168.1.20  No              2008-1-20 8:00    2008-1-20 17:00
Jennifer  192.168.1.17  No              2008-1-20 10:00   2008-1-20 12:00
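As an added illustration of step 500 (example code, not code from the patent), the following Python models the mapping relationship storage module: it derives each user's permitted range from Table 2 by department, lets a per-ID range such as the one the text suggests for Bob take precedence, hands out the first free address in that range and records the resulting IP-ID binding. The department data, the per-user override and the data structures are assumptions made for the example.

```python
import ipaddress

# Constructed data modelled on Tables 1 and 2 of the patent.
DEPARTMENTS = {  # Table 1: user ID -> department
    "Bob": "Research and development",
    "Alex": "Human resources",
    "Jennifer": "Human resources",
}
IP_RANGES = {  # Table 2: department -> inclusive IP range
    "Research and development": ("192.168.1.1", "192.168.1.15"),
    "Human resources": ("192.168.1.17", "192.168.1.24"),
}
# Per-ID range for the department head, as the text suggests (assumed data).
USER_RANGES = {"Bob": ("192.168.1.16", "192.168.1.16")}


def _addresses(first, last):
    """Expand an inclusive 'first-last' range into a list of address strings."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(lo + i) for i in range(int(hi) - int(lo) + 1)]


class MappingStore:
    """Mapping relationship storage module: hands out addresses from the range
    bound to the user's ID or department and keeps the IP-ID binding table."""

    def __init__(self, departments, dept_ranges, user_ranges):
        self.departments = departments
        self.dept_ranges, self.user_ranges = dept_ranges, user_ranges
        self.bindings = {}  # IP -> ID (the IP-ID binding table)

    def allowed_range(self, uid):
        """Addresses the user may be given: a per-ID range wins over the department range."""
        if uid in self.user_ranges:
            return _addresses(*self.user_ranges[uid])
        dept = self.departments.get(uid)
        if dept is None or dept not in self.dept_ranges:
            raise KeyError(f"no IP range defined for {uid!r}")
        return _addresses(*self.dept_ranges[dept])

    def assign(self, uid):
        """Bind the first free address of the user's range to the ID and return it."""
        for ip in self.allowed_range(uid):
            if ip not in self.bindings:
                self.bindings[ip] = uid
                return ip
        raise RuntimeError(f"IP range for {uid!r} is exhausted")

    def release(self, ip):
        """Free an address when the terminal logs off."""
        self.bindings.pop(ip, None)

    def user_for(self, ip):
        """Reverse lookup used later by the judging unit: which ID holds this IP?"""
        return self.bindings.get(ip)


if __name__ == "__main__":
    store = MappingStore(DEPARTMENTS, IP_RANGES, USER_RANGES)
    for uid in ("Bob", "Alex", "Jennifer"):
        print(uid, "->", store.assign(uid))
```

With the override in place Bob receives 192.168.1.16; without it (an empty `USER_RANGES`) he receives the first free address of the research and development range, 192.168.1.1, and a second request for a user whose range has no free address is rejected rather than handed an address from another department.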
Step 501: configure the access policy.
In the embodiments of the invention the policy is configured according to user information, giving a correspondence between user information and access policy. The user information can include username, position and/or department, used singly or in combination, but is not limited to these.
When configuring an access policy, the policy configuration staff can configure the policy corresponding to the user information through a policy configuration terminal and send the configured policy, together with the user information it corresponds to, to the authenticating device 304 for storage.
The access policy can be configured in the following ways, without being limited to them; other ways may also be used.
First way: the user information is stored in the authenticating device 304 in advance and the corresponding access policy is stored in the network device 302 in advance. The policy configuration terminal obtains the user information from the authenticating device 304 via the network device 302; obtains the access policy corresponding to that user information from the network device 302; and sends the obtained access policy via the network device to the authenticating device 304 for storage. Wherein,
the policy configuration staff may be network administrators, and the policy configuration terminal may be the administrator's terminal. The administrator connects to the network device 302 from that terminal, and the terminal's interface displays information including the configured user information and access policy.
The administrator then obtains the user information from the authenticating device 304 according to the user information shown on the interface. The access policy configuration item shown on the interface may read "obtain access policy from the network device"; pressing the "OK" button on the interface obtains the access policy corresponding to that user information from the network device 302 and sends it to the storage unit 405 of the authenticating device 304, so that the authenticating device 304 holds the binding relationship between user information and access policy.
As shown in Fig. 7, the access policy is set with one item of user information, for example the username (ID), but not limited to this. For example, username 1 is Bob and its corresponding policy is policy 1, which may be "can access the source code server"; the user information-access policy binding table is shown in Table 4:
Table 4
User information   Access policy
Username 1         Policy 1
Username 2         Policy 2
...                ...
Username n         Policy n
As shown in Fig. 8, the access policy is set with two items of user information, for example username and position, but not limited to these. For example, username 1 is Bob, position 1 is department head, and the corresponding policy is policy 1, such as "can access the source code server"; the user information-access policy binding table is shown in Table 5:
Table 5
User information 1   User information 2   Access policy
Username 1           Position 1           Policy 1
Username 2           Position 2           Policy 2
...                  ...                  ...
Username n           Position n           Policy n
As shown in Fig. 9, the access policy is set with three items of user information, for example username, position and department, but not limited to these. For example, username 1 is Bob, position 1 is department head, department 1 is research and development, and the corresponding policy is policy 1, such as "can access the source code server". The user information-access policy binding table is shown in Table 6:
Table 6
User information 1   User information 2   User information 3   Access policy
Department 1         Username 1           Position 1           Policy 1
Department 2         Username 2           Position 2           Policy 2
...                  ...                  ...                  ...
Department n         Username n           Position n           Policy n
The second way: the policy configuration personnel use their policy configuration terminal to obtain the user information directly from authenticating device 304; obtain the access policy corresponding to this user information from network device 302 according to the user information; and have network device 302 send the obtained access policy corresponding to the user information to authenticating device 304 for storage.
Unlike the first way, the network administrator here connects to authenticating device 304 directly through the administrator's terminal, rather than through network device 302. The interface of the administrator's terminal then displays information that includes prompts for configuring the user information and the access policy.
The administrator thus obtains the user information directly from authenticating device 304 according to the user information displayed on the interface. In addition, the access-policy configuration option shown on the terminal interface can read "obtain access policy from the network device"; pressing the "OK" button on the display interface then obtains the access policy corresponding to this user information from network device 302 and sends it to storage unit 405 of authenticating device 304, so that the binding relationship between the user information and the access policy now exists in authenticating device 304. The configuration procedure is similar to the first way and is not repeated here.
The third way: the policy configuration personnel use their policy configuration terminal to obtain the user information from authenticating device 304; obtain the access policy corresponding to this user information from authenticating device 304 according to the user information; and send the obtained access policy corresponding to the user information to authenticating device 304 for storage.
Unlike the first and second ways, the network administrator here connects to authenticating device 304 directly through the administrator's terminal and obtains both the user information and the access policy directly from the authenticating device. The interface of the administrator's terminal then displays information that includes prompts for configuring the user information and the access policy.
The administrator thus obtains the user information directly from authenticating device 304 according to the user information displayed on the interface. In addition, the access-policy configuration option shown on the terminal interface can read "obtain access policy from the authenticating device"; pressing the "OK" button on the display interface then obtains the access policy corresponding to this user information from authenticating device 304 and saves it in storage unit 405 of authenticating device 304, so that the binding relationship between the user information and the access policy now exists in authenticating device 304.
As can be seen from the above, whichever configuration mode is adopted, storage unit 405 of authenticating device 304 ends up holding the user-information/access-policy binding table, so authenticating device 304 can issue the access policy corresponding to a given Internet user according to the mapping table of table 5, table 6 or table 7 together with the correspondences of tables 1 to 4.
Step 502: when user terminal 301 accesses, or passes through, network device 302 in order to access the source code server, that is, application server 303, user terminal 301 sends its IP address, for example 192.168.1.15, to network device 302;
Step 503: after network device 302 receives this IP address, it sends the IP address to authenticating device 304;
Step 504: authenticating device 304 determines whether Bob has been authenticated, according to this IP address and the ID-IP-authenticated mapping table corresponding to network device 302, as shown in table 3;
Step 505: if the judgement in step 504 is that user Bob has been authenticated, as shown in table 3, authenticating device 304 directly sends the access policy corresponding to user Bob to network device 302 according to the binding relationship of table 4, 5 or 6, the access policy being, for example, "may access the source code server"; Step 506: network device 302 then connects user terminal 301 to application server 303 according to this access policy. If the access policy corresponding to this user is "may not access the source code server", network device 302 does not allow user terminal 301 to access application server 303.
If the judgement in step 504 is that Bob has not been authenticated, step 507 is executed;
Step 507: authenticating device 304 requires the user of user terminal 301 to be authenticated; this can be done as follows: authenticating device 304 sends an authentication request to network device 302;
Step 508: after network device 302 receives this request, it obtains user information from user terminal 301. In this embodiment, network device 302 requests user information, such as a user name (ID) and password, from user terminal 301; a prompt to enter the user name and password is then shown on the display interface of user terminal 301, so the user of user terminal 301 can enter the user name and password, which are sent to network device 302. After network device 302 obtains this user information, it sends the user information to authenticating device 304, and authenticating device 304 authenticates according to this user information;
Steps 509 and 510: if authentication passes, authenticating device 304 issues the access policy corresponding to the user of user terminal 301 to network device 302 according to table 5, 6 or 7. Network device 302 can then control the access of user terminal 301 according to this access policy.
In addition, after authentication has passed, the fact that user Bob has passed authentication can be recorded in the ID-IP-authenticated binding table 3.
From the above embodiment it can be seen that the network device may be an access device or an in-line device, such as a switch, router or firewall. When the network contains several network devices, such as network device 302 and network device 302', and Bob logs in to user terminal 301 with his ID for the first time, is authenticated, and connects to application server 303 through network device 302, then when Bob later connects to application server 303' through network device 302', authenticating device 304 judges, from this IP address and the ID-IP-authenticated mapping table corresponding to network device 302', that the user Bob corresponding to this IP address has already been authenticated, and directly issues the access policy to network device 302'; the user name and password do not have to be entered again, and there is no second authentication before the policy is issued. The authentication method of the invention therefore requires the user name and password to be entered only once, not repeatedly, which achieves single sign-on for the user, simplifies the user's operation and makes using the network more convenient. In addition, the person responsible for a given network action can be determined from the start time and end time in table 3, which also helps network security.
In the related art, by contrast, when Bob connects to application server 303' through network device 302', the user name and password must be entered again and authentication repeated, and only after passing authentication is the access policy obtained again so that the connection to application server 303' can be made. The user terminal is thus authenticated repeatedly, which is cumbersome and inconvenient for the user.
In addition, in this embodiment, when the access policy corresponding to a user changes, for example because the network administrator has modified the access policy or because other information has changed that indirectly changes the access policy, the method further comprises, as shown in Figure 6:
Step 601: the access policy on authenticating device 304 is updated. When user terminal 301 accesses network device 302 again, authenticating device 304 issues the updated access policy to network device 302.
Step 602: authenticating device 304 notifies network device 302 of the updated access policy;
Step 603: network device 302 obtains the updated access policy from authenticating device 304;
Step 604: network device 302 replaces its original access policy with the updated access policy.
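The access flow of steps 502 to 510 and the policy update of steps 601 to 604, as an added, runnable model written for this page rather than code from the patent; Bob, 192.168.1.15 and "source code server" come from the description, while the password, the class and method names and the keying of table 3 by IP address (the assumption that makes the single sign-on across network devices 302 and 302' work) are constructed here.

```python
# Added example (not the patent's code): a minimal model of the access flow in
# steps 502-510 and the policy update in steps 601-604. Bob, 192.168.1.15 and
# "source code server" come from the description; everything else is constructed.
import hmac
from typing import Dict, List, Optional, Set, Tuple

Policy = Set[str]           # applications the user may reach
Grant = Tuple[str, Policy]  # (user_id, policy) as issued by the authenticating device


class AuthenticatingDevice:
    """Models authenticating device 304. Table 3 (ID, IP, authenticated) is keyed by
    IP, so a record written behind one network device is found from any other."""

    def __init__(self, credentials: Dict[str, str], policies: Dict[str, Policy]):
        self._credentials = credentials                  # user_id -> password
        self._policies = dict(policies)                  # user/policy binding (tables 5-7)
        self._table3: Dict[str, Tuple[str, bool]] = {}   # ip -> (user_id, authenticated)
        self.devices: List["NetworkDevice"] = []         # devices to notify on update

    def lookup(self, ip: str) -> Optional[Grant]:
        """Steps 504-505: issue the bound policy only if the IP's user is authenticated."""
        user_id, ok = self._table3.get(ip, ("", False))
        return (user_id, self._policies.get(user_id, set())) if ok else None

    def authenticate(self, ip: str, user_id: str, password: str) -> Optional[Grant]:
        """Steps 508-510: verify credentials, record the outcome in table 3, issue policy."""
        stored = self._credentials.get(user_id, "")
        ok = bool(stored) and hmac.compare_digest(stored.encode(), password.encode())
        self._table3[ip] = (user_id, ok)
        return self.lookup(ip)

    def update_policy(self, user_id: str, policy: Policy) -> None:
        """Steps 601-602: store the new policy and notify every network device."""
        self._policies[user_id] = policy
        for dev in self.devices:
            dev.on_policy_update(user_id)


class NetworkDevice:
    """Models network device 302 / 302': holds no passwords, forwards the IP (and,
    when asked to, the credentials) and enforces the policy it is issued."""

    def __init__(self, auth: AuthenticatingDevice):
        self._auth = auth
        self._grants: Dict[str, Grant] = {}   # ip -> policy issued for that IP
        auth.devices.append(self)

    def connect(self, ip: str, app: str, creds: Optional[Tuple[str, str]] = None) -> str:
        """Steps 502-506; returns 'connected', 'denied' or 'auth required'."""
        grant = self._auth.lookup(ip)
        if grant is None:                     # step 507: credentials are needed
            if creds is None:
                return "auth required"
            grant = self._auth.authenticate(ip, *creds)
            if grant is None:
                return "denied"
        self._grants[ip] = grant
        return "connected" if app in grant[1] else "denied"

    def allowed(self, ip: str, app: str) -> bool:
        """Enforce the locally held policy for an IP that is already connected."""
        return ip in self._grants and app in self._grants[ip][1]

    def on_policy_update(self, user_id: str) -> None:
        """Steps 603-604: re-download the policy for every IP bound to this user."""
        for ip, (uid, _) in list(self._grants.items()):
            if uid == user_id:
                self._grants[ip] = self._auth.lookup(ip) or (uid, set())


def demo() -> List[str]:
    """Bob signs on once via 302, reaches 303' via 302' with no second login, and is cut off when the policy changes."""
    auth = AuthenticatingDevice({"Bob": "hunter2"}, {"Bob": {"source code server"}})
    dev302, dev302b = NetworkDevice(auth), NetworkDevice(auth)
    ip, app = "192.168.1.15", "source code server"
    out = [dev302.connect(ip, app)]                          # 'auth required'
    out.append(dev302.connect(ip, app, ("Bob", "hunter2")))  # 'connected'
    out.append(dev302b.connect(ip, app))                     # 'connected': no second login
    auth.update_policy("Bob", set())                         # administrator revokes access
    out.append("allowed" if dev302b.allowed(ip, app) else "blocked")  # 'blocked'
    return out
```

Because table 3 binds the policy to an IP address, the model also shows the caveat a defender should keep in mind: whoever holds that IP address inherits the grant until the record is cleared, so the table's start and end times matter for accountability.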
The specific embodiments described above further explain the purpose, technical solution and beneficial effects of the invention. It should be understood that they are merely specific embodiments of the invention and are not intended to limit its scope; any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within the protection scope of the invention.

Claims (18)

1. A network authentication method, characterized in that, when a user terminal accesses or passes through a network device, the method comprises:
the network device obtains the IP address transmitted by the user terminal;
obtains, from an authenticating device, the access policy corresponding to the user of the user terminal according to this IP address;
determines, according to this access policy, whether the user terminal is connected to the application being accessed.
2. The method according to claim 1, characterized in that obtaining the access policy corresponding to the user of the user terminal according to the IP address comprises:
the network device sends the IP address to the authenticating device;
the authenticating device judges whether the user of the user terminal corresponding to this IP address has been authenticated;
if the judgement is yes, the authenticating device issues the access policy corresponding to this user to the network device.
3. The method according to claim 2, characterized in that the authenticating device judging whether the user of the user terminal corresponding to this IP address has been authenticated comprises:
the authenticating device receives the IP address;
searches the pre-stored mapping table of user information, corresponding IP address and authentication status;
if the mapping table contains a record that the user of the user terminal corresponding to this IP address has passed authentication, the user is authenticated.
4. The method according to claim 3, characterized in that, if the authenticating device judges that the user of the user terminal corresponding to this IP address has not been authenticated, the method comprises:
the authenticating device sends an authentication request to the network device;
the network device obtains the user information of the user terminal and sends this user information to the authenticating device;
the authenticating device authenticates the user of the user terminal according to this user information;
if authentication passes, the access policy corresponding to this user is issued to the network device.
5. The method according to claim 4, characterized in that the method further comprises: recording the authentication result of this user in the mapping table of user information, corresponding IP address and whether access authentication has been passed.
6. The method according to claim 2, characterized in that, before the user terminal accesses the network device, the method further comprises:
policy configuration personnel configure, through a policy configuration terminal, the access policy corresponding to the user information;
the obtained access policy corresponding to the user information is stored in the authenticating device.
7. The method according to claim 6, characterized in that configuring the access policy corresponding to the user information comprises:
the policy configuration terminal obtains the user information from the authenticating device through the network device;
obtains the access policy corresponding to this user information from the network device according to the obtained user information.
8. The method according to claim 6, characterized in that configuring the access policy corresponding to the user information comprises:
the policy configuration terminal obtains the user information from the authenticating device;
obtains the access policy corresponding to this user information from the network device according to the user information.
9. The method according to claim 6, characterized in that configuring the access policy corresponding to the user information comprises:
the policy configuration terminal obtains the user information from the authenticating device;
obtains the access policy corresponding to this user information from the authenticating device according to the user information.
10. The method according to claim 6, characterized in that the method further comprises: updating the access policy.
11. The method according to claim 10, characterized in that, after the access policy is updated, the method further comprises:
the authenticating device notifies the network device of the updated access policy;
the network device downloads the updated access policy;
the network device replaces the original access policy with the updated access policy.
12. A network authentication system comprising at least one network device and an application server connected by a network, characterized in that the system further comprises an authenticating device; wherein
the network device is used to obtain the IP address transmitted by a user terminal and send this IP address to the authenticating device, and to receive the access policy transmitted by the authenticating device and determine, according to this access policy, whether the user terminal is connected to the application server;
the authenticating device, connected to the network device by the network, is used to receive the IP address transmitted by the network device and judge whether the user of the user terminal corresponding to this IP address has been authenticated; if the judgement is yes, it issues the access policy corresponding to this user to the network device; if the judgement is no, it authenticates the user, and if authentication passes, the authenticating device issues the access policy corresponding to this user to the network device.
13. The system according to claim 12, characterized in that the authenticating device comprises a receiving unit, a judging unit, a policy distribution unit and an authentication unit; wherein
the receiving unit is used to receive the IP address transmitted by the network device;
the judging unit, connected to the receiving unit, is used to judge whether the user of the user terminal corresponding to this IP address has been authenticated; if the judgement is yes, it sends the "authenticated" judgement result to the policy distribution unit; if the judgement is no, it sends the "not authenticated" judgement result to the authentication unit;
the authentication unit, connected to the judging unit, is used to authenticate the user of the user terminal according to the "not authenticated" judgement result transmitted by the judging unit and, if authentication passes, to send the "authentication passed" result to the policy distribution unit;
the policy distribution unit, connected to the judging unit and the authentication unit, is used to issue the access policy corresponding to this user to the network device according to the information transmitted by the judging unit and the authentication unit.
14. The system according to claim 13, characterized in that the judging unit judges whether the user of the user terminal corresponding to this IP address has passed access authentication according to the pre-stored mapping table of user information, IP address and authentication status.
15. The system according to claim 14, characterized in that the authenticating device further comprises a storage unit, used to store the access policy of the user of the user terminal and the mapping table.
16. An authenticating device, characterized in that the authenticating device comprises a receiving unit, a judging unit, a policy distribution unit and an authentication unit; wherein
the receiving unit is used to receive the IP address transmitted by the network device;
the judging unit, connected to the receiving unit, is used to judge whether the user of the user terminal corresponding to this IP address has been authenticated; if the judgement is yes, it sends the "authenticated" judgement result to the policy distribution unit; if the judgement is no, it sends the "not authenticated" judgement result to the authentication unit;
the authentication unit, connected to the judging unit, is used to authenticate the user of the user terminal according to the "not authenticated" judgement result transmitted by the judging unit and, if authentication passes, to send the "authentication passed" result to the policy distribution unit;
the policy distribution unit, connected to the judging unit and the authentication unit, is used to issue the access policy corresponding to this user to the network device according to the information transmitted by the judging unit and the authentication unit.
17. The authenticating device according to claim 16, characterized in that the judging unit judges whether the user of the user terminal corresponding to this IP address has been authenticated according to the pre-stored mapping table of user information, IP address and authentication status.
18. The authenticating device according to claim 17, characterized in that the authenticating device further comprises a storage unit, used to store the access policy corresponding to the user of the user terminal and the mapping table.
Application CN200810102193A, priority date 2008-03-19, filing date 2008-03-19, "Method and system for identifying network and identification equipment", status pending, published as CN101540757A (en).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200810102193A CN101540757A (en) 2008-03-19 2008-03-19 Method and system for identifying network and identification equipment

Publications (1)

Publication Number Publication Date
CN101540757A true CN101540757A (en) 2009-09-23

Family

ID=41123746

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20090923